Review for Security +
1
means execute
Ciphering
use cipher to scramblle a message.
Quantitative Risk Assessment
use numeric data in the analysis, resulting in assessments that allow the very straightforward prioritization of risks.
Vishing
Phishing attacks committed using telephone calls or VoIP systems.
Smishing
Phishing attacks committed using text messages (SMS).
Layer 1 of OSI
Physical Layer, Sends electrical impulses ex Cables NICS
Mantraps
Physical security method in that it creates a buffer zone to a secure area
Six Phases of Fagan Inspection
Planning, Overview, Prep, Meeting, Rework, Follow Up
Injection Vulnerabilities
Primary Mech attacker can use to break through a web app.
Kerberos users are composed of what 3 main elements/
Primary, (username) instance (which helps to differentiate similar primaries) and realms which consist of groups of users.
Control in windows to disable un needed services
Services.msc
Layer 5 of OSI
Session Layer, Authentication sessions permissions EX: API, Sockets
Three key security considerations with cloud storage
Set permissions properly, consider high availability and durability ops, use encryption to protect sensitive data.
nslookup
Simple readable response with IP's and DNS
How do Configuration Management tools work>
Start with baseline configs, which are then modified to fit the needs of the org.
2 types of firewalls
Stateless, Stateful
Self Signed Certificates
*Internal certificates don't need to be signed by a public CA* - Your company is the only one going to use it - No need to purchase trust for devices that already trust you Build your own CA Install the CA certificate/trusted chain on all devices
Hybrid warfare
- Combining conventional warfare with cyberwarfare
Biometric Factors
- Fingerprint scanner - Retinal scanner - Iris scanner - Voice recognition - Facial recognition - False acceptance rate - False rejection rate - Crossover error rate
Memory leaks
- application mismanages the memory - by not returning the allocated memory to the operating system, memory is exhausted. It also can result in objects that have been stored in memory becoming inaccessible to the application
Degaussing
Magnetically wipes data from magnetic media, does not work on SSDs flash media, optical media or paepr
Testing and Integration Phase
-when development stage is complete to make sure it conforms to previous requirements of SDLC
No Info Disclosure CVSS
.0
Impact Sub score ISS
1- (1-C) * 1-A * 1-I
CloudFormation
1. An easy way to create and manage a collection of related AWS resources 2. Provisioning and updating them in an orderly and predictable fashion 3. Can provision almost every AWS resources
The Incident Response Process
1. Preparation 2. Detection and Analysis (Identification) 3. Containment 4. Eradication 5. Recovery 6. Document/Lessons learned
Types of malware
1. Ransom ware 2. Trojans 3. Worms 4. Unwanted Programs 5. Fileless Viruses. 6. Bots and their Command and control systems. 7. Crypto malware (encrypts your data) 8. Logic Bombs 9. Spyware 10. Keyloggers 11. Remote Access Trojans 12. Rootkits 13. Backdoors
Risk Calculation
2 calculations, likelihood of corruence and magnitude of the impact
Two person integrity control schemes
2 people needed to access vault or safe or something else
How does Sec+ handle SAN?
2 ways, first as a means of replicating data, as a type of backup
Sha-224
224bit message using 512bit block size
What is the QoS Protocol for WIfi
802.11E
Shimming
A driver manipulation method. It uses additional code to modify the behavior of a driver.
Steganography
A field within cryptography; uses images to hide data.
Black-Hat
A hacker who exposes vulnerabilities for financial gain or for some malicious purpose.
Faraday cage
A metallic enclosure that prevents the entry or escape of an electromagnetic field.
Brute Force
A method for determining a solution to a problem by sequentially testing all possible solutions.
Spear Phishing
A phishing attack that targets only specific users.
Whaling
A phishing attack that targets only wealthy individuals.
Perfect Forward Secrecy
A property of public key cryptographic systems that ensures that any session key derived from a set of long-term keys cannot be compromised if one of the keys is compromised at a future date.
Advanced Encryption Standard AES
A symmetric cipher that was approved by the NIST in late 2000 as a replacement for DES.
Machine Learning
A type of artificial intelligence that leverages massive amounts of data so that computers can improve the accuracy of actions and predictions on their own without additional programming.
Race Conditions
A type of software development vulnerability that occurs when multiple processes or multiple threads within a process control or share access to a particular resource, and the correct handling of that resource depends on the proper ordering or timing of transactions
Service Account
A user account that is created explicitly to provide a security context for services running on a server.
Adversal Artificial Intelligence
AI used for bad.
Key Elements of Data Loss Prevention tools (DLP)
Ability to classify data so that orgs know which data should be protected, data labeling or tagging functions to support classification; policy management and enforcement functions used to manage data to the standards set by the org and monitoring and reporting capabilities.
Active/Active load balancing
Active/active load balancer designs distribute the load among multiple systems that are online and in use at the same time.
2 major Modes of operations for Load balancers
Active/active, Active/passive
Development phase
Actual Coding
Three Specific Layer 2 Attacks
Address Resolution Protocol Poisoning (ARPP), Media access control (MAC, not to be confused with Mandatory Access Control), (MAC Cloning)
MITRE ATT&CK Framework
Adversarial Tactics, Techniques and Common Knowledge. Most popular Attack Framework
Type 1 Hypervisor
Also known as a bare metal hypervisor it is a software program that acts as an operating system and also provides the ability to perform virtualization of other operating systems using the same computer. Most common as it is highly efficient
Rule-Based Access Control RuBAC
An access control model that based on a list of predefined rules that determine what accesses should be granted
Password Complexity
An account enforcement policy that determines passwords must meet complexity requirements.
Triple DES
An algorithm that is viewed as a replacement for DES and essentially puts plaintext blocks to the same type of encryption processes three distinct times; it uses three separate 56-bit keys.
Intialization Vector
An arbitrary number that can be used along with a secret key for data encryption.
Session Hijacking
An attack in which an attacker attempts to impersonate the user by using his session token.
Session Replay
An attack in which an attacker attempts to impersonate the user by using the user's session token.
Local File Inclusion
An attacker adds a file to the web app or website that already exists on the hosting server
Industrial Camouflage
An attempt to make the physical presence of a building as nondescript as possible so that to a casual viewer, the building does not look like it houses anything important.
Development environment
An environment used to create or modify IT services or applications.
logger
Append whatever info you provide as input to the /var/log/syslog file on the system. Logger can also be used to add info from other commands or file to the syslog file by calling that commands or file via logger.
Can beat Spyware by?
Antimalware tools
Defense to Trojans
Antimalware, dont downlaod untrusted software, and detect know malicous files.
Key Exchange
Any method by which cryptographic keys are transferred among users, thus enabling the use of a cryptographic algorithm.
Important Features a Mobile Device for an Org needs to have
Application management features are important to allow enterprise control of applications. These features may include deploying specific applications to all devices; limiting which applications can be installed; remotely adding, removing, or changing applications and settings for them; or monitoring application usage. Content management (sometimes called MCM, or mobile content management) ensures secure access and control of organizational files, including documents and media on mobile devices. A major concern for mobile device deployments is the combination of organizational data and personal data on BYOD and shared-use devices. Content management features lock away business data in a controlled space and then help manage access to that data. In many cases, this requires use of the MDM's application on the mobile device to access and use the data. Remote-wipe capabilities are used when a device is lost or stolen, or when the owner is no longer employed by the organization. It is important to understand the difference between a full device wipe and wiping tools that can wipe only the organizational data and applications that have been deployed to the device. In environments where individuals own the devices, remote wipe can create liability and other issues if it is used and wipes the device. At the same time, remote wipe with a confirmation process that lets you know when it has succeeded is a big part of helping protect organizational data. Geolocation and geofencing capabilities allow you to use the location of the phone to make decisions about its operation. Some organizations may only allow corporate tablets to be used inside corporate facilities to reduce the likelihood of theft or data access outside their buildings. Other organizations may want devices to wipe themselves if they leave a known area. Geolocation can also help locate lost devices, in addition to the many uses for geolocation that we are used to in our daily lives with mapping and similar tools. Screen locks, passwords, and PINs are all part of normal device security models to prevent unauthorized access. Screen lock time settings are one of the most frequently set security options for basic mobile device security. Much like desktops and laptops, mobile device management tools also set things like password length, complexity, and how often passwords or PINs must be changed. Biometrics are widely available on modern devices, with fingerprints and facial recognition the most broadly adopted and deployed. Biometrics can be integrated into mobile device management capabilities so that you can deploy biometric authentication for users to specific devices and leverage biometric factors for additional security or ease of use. Context-aware authentication goes beyond PINs, passwords, and biometrics to better reflect user behavior. Context may include things like location, hours of use, and a wide range of other behavioral elements that can determine whether a user should be able to log in. Containerization is an increasingly common solution to handling separation of work and personal-use contexts on devices. Using a secure container to run applications, store data, and otherwise keep the use of a device separate greatly reduces the risk of cross-contamination and exposure. In many MDM models, applications use wrappers to run them, helping keep them separate and secure. In others, a complete containerization environment is run as needed. Storage segmentation can be used to keep personal and business data separate as well. This may be separate volumes or even separate encrypted volumes that require specific applications, wrappers, or containers to access them. In fact, storage segmentation and containerization or wrapper technology are often combined to better implement application and separation. Full-device encryption (FDE) remains the best way to ensure that stolen or lost devices don't result in a data breach. When combined with remote-wipe capabilities and strong authentication requirements, FDE can provide the greatest chance of a device resisting data theft. Push notifications may seem like an odd inclusion here, but sending messages to devices can be useful in a number of scenarios. You may need to alert a user to an issue or ask them to perform an action. Or you may want to communicate with someone who found a lost device or tell a thief that the device is being tracked! Thus, having the ability to send messages from a central location can be a useful tool in an MDM or UEM system.
two goals of Digital Signature infrastructures
Assure recepient that the message truly came from the sender, and it was not altered.
chosen plain text attack
Attacker encrypts multiple plain text message in order to gain key
Why dont you want to be too Verbose in your Error Handling?
Attackers could find a way to exploit the code.
Trojans
Attempt to sneak in by masquerading as something they're not
Stored/Persistent XSS
Attempts to get data provided by the attacker to be saved on the web server by the victim
How to defend against social engineering?
Awareness, how to recognize and respond, spam filters, keyword and text matching.
Byod Implementation
BYOD places the control in the hands of the end user, since they select and manage their own device. In some BYOD models, the organization may use limited management capabilities such as the ability to remotely wipe email or specific applications, but BYOD's control and management model is heavily based on the user. This option provides far less security and oversight for the organization.
Virtualized Servers
Basic Building block of compute capacity in the cloud. Orgs may provision servers running against most common OS with the specific number of CPU cores, amount of Ram and storage capacity that is necessary to meet business reqs.
Low Privileges CVSS Score
Basic, .62
Why might you want to track versions and patch status?
Because third party updates can be a daunting task if you are trying to run it without tools.
Data Minimization (database)
Best defense, Orgs should not collect sensitive info they dont need.
What do data loss prevention systems do?
Block Data Exfiltration attempts.
Cloud Storage Resources
Block Storage, Object Storage,
Shared between Secured and measured boot
Boot integrity begins with the hardware root of trust.
How does broadcast domain work?
Broadcasts are sent to all machines on a network, so limiting the broadcast domain makes networks less noisy by limiting the number of devices that are able to broadcast to one another. Broadcasts don't cross boundaries between networks—if your computer sends a broadcast, only those systems in the same broadcast domain will see it.
Cloud COnsumers
Buys services from cloud service providers through service models
Example of gamifaction
CTF
How does Radius work?
By sending passwords that are obfuscated by a shared secret and md5 hash, meaning its pass secruity is not strong.
Elasticity in cloud
Capacity should expand and contract as needs change to optimize costs.
Different types of Connectivity for Embedded Systems
Cell Connectivity, Radio Frequency.
Methods of Connectivity
Cellular, Wi-Fi Bluetooth, RFID, USB, NFC, Infrared, GPS,
Certificate Revocation List
Certificate Revocation Lists, PKI component which lists digital certificates that have been revoked
Hardening (Security)
Changing settings to increase a system's overall level of security and reduce its vulnerability to attack.
hash of a drive can be used as a
Checksum to check if files were modified
Asymmetric Key Management
Choose a system thats been vetted. Be wary of Black box approach, select keys in appropriate manner (ie random, key length is good etc, keep private secret). Retire keys when done, Back up key
Stream Ciphers
Ciphers that operate on each character or bit of a message (or data stream) one character/bit at a time.
Terminal Access Controller Access-Control System Plus (TACACS+)
Cisco designed extension to TACACS the Terminal Access Controller Access Control System. Uses TCP traffic to provide AAA. Full packet encryption and granular command controls.
Error Handling
Coding methods to anticipate and deal with exceptions thrown during execution of a process. Attackers can exploit this and peforom something like an integer overflow attack.
Peer to peer botnet
Connect bots to each other, harder to take down.
Images
Complete copy of a system or server down to the bit level for a drive. Backup method of choice for servers.
Registration Authorities
Complete identity checking and submit CSRS
Cloud Infrastructure components
Compute Capacity, Storage and Netowrking
orgs use a variety of training techniques to make sure people are aware of security issue
Computer Based training, Role-based Training, Phishing Sims and CTF exercises
Purposes that certificates may be issued
Computers/Machines, Individual Users, Email Addresses, Developers
How to config scans?
Conduct config reviews to make sure it s good.
Several Goals of Cryptography
Confidentiality, Integrity, Auithenication, Nonrepudiation.
What are the 3 objectives of Cybersecurity?
Confidentiality, Integrity, Availability.
How to defend against powershell attacks?
Constrained Language mode, use APPlocker to validate script and turn on auditing.
CVSS score 9.0-10.0
Critical
Network Based DLP
DLP solutions frequently pair agents on systems with filtering capabilities at the network border, email servers, and other likely exfiltration points. When an organization has concerns about sensitive, proprietary, or other data being lost or exposed, a DLP solution is a common option. DLP systems can use pattern-matching capabilities or can rely on tagging, including the use of metadata to identify data that should be flagged. Actions taken by DLP systems can include blocking traffic, sending notifications, or forcing identified data to be encrypted or otherwise securely transferred rather than being sent by an unencrypted or unsecured mode.
What can get left behind from SSDS and other optical media after the use of DBAN or writing 1's and 0's to every bit location on drive?
Data Remnants.
How to decrypt Caesar Cipher
Decryption shifts each letter of the cipher text 3 places to the left.
Lighting
Discourage intruders and help staff feel safer.
Port 53 (TCP/UDP)
Domain Name Server (DNS)
5 Modes of operation for DES
Electronic Code Course (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB) and Counter (CTR).
What about Radius Traffic?
Encrypted using IPSEC tunnels
Measured Service in cloud
Everything you do in cloud is measured by the provider.
Unchanged Scope
Exploited vuln can only affect resources managed by the same authority.
Cross Site Request Forgery (XSRF)
Exploits the trust that a website has in a user's browser, which becomes compromised and transmits unauthorized commands to the website.
Shoulder Surfing
Gaining compromising information through observation (as in looking over someone's shoulder).
How to perform a digital signature
Generate a digest, encrypt ONLY the message digest using private key, appends encrypt to plaintext, then bob decripts it.
Port 80 (TCP)
HTTP
Port 443 (TCP)
HTTPS
Common ways to perform hardening
Hardening tools and scripts. CS and NSA have hardening guides.
CVSS Score 7.0-8.9
High
Burning,
High temp incinerator, for paper mostly, done off site, leaves no recoverable materials
High Frequency RFID
High-frequency RFID tags have a longer readable range at up to a meter under normal circumstances and can communicate more quickly. In fact, high-frequency RFID is used for near-field communication, and many tags support read-only, write-only, and rewritable tags.
3 Major types of Info Gathering tools
Honeypots, Honeynets, Honeyfiles
Network Defenses
Host Based Firewalls, or a Host Intrustion Prvention System. Host Based Detection System
Layers 4-7 of OSI
Host layers, ensure data transmission is reliable and other high end
Annualized Rate of occurence
How many times the risk will occur per year
Roles of Naming Conventions in security
ID system based on purpose, location, or other element. Make systems more anonytmous, Make scripting and management easier.
When to use Memdump
If you need simple memory and know the process ID
COPE Implementation
In a COPE model, the device is company-owned and -managed. COPE recognizes that users are unlikely to want to carry two phones and thus allows reasonable personal use on corporate devices. This model allows the organization to control the device more fully while still allowing personal use.
Baseband
Includes frequncies near 0
Vertical Cloud Scaling
Increase capacity of existing servers
Consequences of privacy breach
Individuals get exposed to ID theft, Business take rep damage, fines and loss of important intellectual property (IP)
Organizations commonly include these documents in their info security policy library,
Information security Policy, Acceptable use policy (AUP), Data Governance Policy, Data classification policy, Data Retention Policy, Credential management policy, Password Policy, Continuous monitoring policy, Code of COnduct, Change management and change control policies, Asset management.
What is a plus about reducing the amount of data you retain?
It is a great way to minimze your security risk.
Why is Poorly constructed rule logic bad>
It may miss events or cause false positives or overly broad detections. If the rule has an active response component, a mistriggered rule can cause an outage/
How should policy framework handle exceptions?
It should lay out the specific requirements for recieving an exception and the individual or committee with the authority to approve exceptions.
Point to point network
Link between two resources. Simplest for of a network. Limits how devices can communicate with each other
Process to Create a policy
Laborous and often needs approval from CEO.
Port 389 TCP/UDP
Lightweight Directory Access Protocol (LDAP)
False Rejection Rate (Type 1 Error/FRR)
Means legimiate biometric measure was presented and system rejected.
input whitelisting
Most important part of input validation. Dev Describes the exact type of input expected from user and verifies it is good before passing it. Difficult to performdue to the nature of many fields that allow user input.
Directory Services Protocol
Moved to LDAPS, a secure verson of LDAP
MFA
Multi-Factor Authentication
Tools for Network Vuln Scans
Nessus, Qualys, Nexpose, OpenVas
Virtual Lan
Networking and security professionals use VLAN to achieve segmentation.
Storage of Symmetric Keys
Never store on the same system where data is, have two individuals know split halves of the key
Continuous Validation
Ongoing approvals of code.
Slack space
Open space on a drive.
6
Read+write
RAID
Redundant Array of Independent Disks
Risks
Risks occur at the intersection of a vulnerability and a threat that might exploit that vulnerability.
SHA
Secure Hashing Algorithm
Self-Encrypting Drive (SED)
Storage device that performs whole disk encryption by using embedded hardware
Lateral Movement
The process by which an attacker is able to move from one part of a computing environment to another.
Lessons learned:
These are important to ensure that organizations improve and do not make the same mistakes again. They may be as simple as patching systems or as complex as needing to redesign permission structures and operational procedures. Lessons learned are then used to inform the preparation process, and the cycle continues.
What advantage do Hardware appliances have?
They are purpose built and allow very high speed traffic capabilities or others.
Secure Coding Practices
This ensures that quality assurance was assumed when writing out code and programmed with security in mind.
How effective is Signage?
Very GOod, But can remind auth personnel they are in a secure area and therefore others are not authorized should be reported if seen.
Sanitization
Wiping data or destroying media.
Can scripts be malicious?
Yes
Fuzzing
a technique of penetration testing that can include providing unexpected values as input to an application to make it crash
Cryptovariables
another name for cryptographic keys
in SaaS what are vendors responsible for
app OS Hardware Datacenter
Various data breach notification laws
describe the requirements that individual states place on organizations that suffer data breaches regarding notification of individuals affected by the breach.
Attack-Complexity Metric
describes difficulty of exploiting the vuln
Full Backup
exact copy of an entire database. Slow to recover and slow to backup
A memorandum of understanding (MOU)
is a letter written to document aspects of the relationship. MOUs are an informal mechanism that allows the parties to document their relationship to avoid future misunderstandings. MOUs are commonly used in cases where an internal service provider is offering a service to a customer that is in a different business unit of the same company.
Why arent long keys always best?
long keys might require more computational overhead than desired.
2
means write
Plain text message
message before encryption.
Software compliance/licensing risks
occur when an organization licenses software from a vendor and intentionally or accidentally runs afoul of usage limitations that expose the customer to financial and legal risk.
Cloud reference architecture
offers a high level of Taxonomy for Cloud Services
Inline CASB
physically or logically reside in the connection path between the user and the service. They may do this through a hardware applicance or an endpoint agent that routes requests through the CASB. This requires config of the network and or endpoint devices . it provides the advantage of seeing requests before they are sent to the cloudservice.
Monitoring Procedures
procedures that describe how the organization will perform security monitoring activities, including the possible use of continuous monitoring technology
4
read
Tape Robot
retrieves tape cartridges
scanless
scanless, a port scanner that uses third-party scanners to gather information. The scanless tool leverages port scanners like viewdns, yougetsignal, and spiderip. Scanless then uses those tools to run a port scan without exposing the system that you are running from as the source of the scans. The basic command line is simple and will return port scan data much like an nmap scan, with output depending on the scanning tool you have selected: scanless -s [chosen scanning site] -t target
Data Retention
standards that guide the end of the data lifecycle. Data should only be kept for as long as it remains necessary to fulfil the purpose for which it was originally collected. At the conclusion of its lifecycle, data should be securely destroyed.
how to replay packet capotures
tcp replay
Spam
unwanted e-mail (usually of a commercial nature sent out in bulk)
DES-EEE2
uses 2 keys -112 bit key length
Non repudiation
The security principle of providing proof that a transaction occurred between identified parties. Repudiation occurs when one party in a transaction denies that the transaction took place.
Waterfall Model
A series of steps in which a software system trickles down from analysis to design to implementation to testing, to deployment to maintenacne
Edge Computing
Method of optimizing cloud computing systems by performing some data processing on a set of linked servers at the edge of the network, near the source of the data.
Layer 3 of OSI
Network Layer, Physical Path decisions, addressing routing switching. Ex IP ICMP IPsec
Knowledge based Authentication (KBA)
This is used for fraud prevention. Consumers probably know this as the "secret question" users must answer before being granted access.
Two major forensic packages
FTK (The Forensic ToolKit from AccessData and EnCase)
FTP TCP 21 and 20
FTPS TCP 21 in explicit mode and 990 in implicit
FTPS
FTPS, which implements FTP using TLS, and SFTP, which leverages SSH as a channel to perform FTP-like file transfers
First Line of defense
Fences, bolalrds, Lighting
Deterrents
Fencing, Guards, Cameras
Personal Information Exchange
PFX
pro of tape
lowest cost per capacity
offboarding
terminated or resign
Sha 384
384
CVE 1999-1058
Buffer Overflow in Vermillion FTP Daemon
Password Attacks
Brute force, password spraying, dictionary attacks,
SSH keys
Cryptographic representation of ID's that store user name and password
Memdump
CLI tool that can capture linux memory using a simple command based on the process ID
Keyloggers
Capture Keystroke
4 types of Metadata
Email, Mobile, Web, File
Cloud Computing
the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.
Common phrase about locks
"Locks keep honest people honest"
Urgency
Create the feeling that action must be taken quickly`
Time of day policy
Users cannot access resources outside a set time
AWS Lambda
Allows ustomers to write in Python, Java, C++, PoweShell, Node.JS, Ruby, Go, and others then execute it.
Data Obfuscation
Data transformation that makes it difficult for a human to recognize the original data.
Cold Sites
Offsite office space awaiting occupancy, equipment, personnel, and utility service, allowing recovery within days.
Staging Environment
A "production like" environment to test installation, configuration and migration scripts. Performance testing, load testing, processes required by other teams, boundary partners, etc.
No availability impact
.0
CVSS score for physical
.20
ISO 27701
27701 contains standard guidance for managing privacy controls. ISO views this document as an extension to their ISO 27001 and ISO 27002 security standards.
Authentication
All kinds, verifies that users are who they say they are. Common one is Challenge Response which is used in key fobs for cars.
Rsyslog
Alternative 'fast' version of syslog
Diamond Model uses a number of specific terms
Core Features, Meta Features, Confidence Value
command and control
Core of a botnet. Help attackers steal data, conduct ddos and defend their botnet.
Vulnerability Mangement
Crucial in identifying prioritizing and remediating vulnerabilities in our environments. Use vulnerability scanning.
In IaaS what is the Customer responsible for
Data, app, OS.
Extensible Authentication Protocol (EAP)
Framwork that is common for wireless.
Two other specific types of Forenisc info acquisition
From a VM and Containers
Phone Call OTP
Have to press ab utton a connected phone call.
Unvalidated Redirects
If the app allows redirection to any url it could be bad.
OpenSSL
Implementation used for HTTPS traffic; any time traffic needs to be sent a cross a network in a protectway that isnt good ofr SSH or VPN Open SSL is god alternative.
Granular controls
Important part of a 0 trusrt design
LDAP UDP and TCP 389
LDAPS TCP 636
Narrowband
Less noise and better range.
Containment:
Once an incident has been identified, the incident response team needs to contain it to prevent further issues or damage. Containment can be challenging and may not be complete if elements of the incident are not identified in the initial identification efforts.
rkhunter
SHA-1 hashes of critical files to compare against system; must update db
SNMP UDP 161 and 162
SNMPv3 UDP 161 and 162
SOC 1 Engagements
SOC 1 engagements assess the organization's controls that might impact the accuracy of financial reporting.
RTP UDP 16384-32767
SRTP UDP 5004
DevSecOps
The philosophy of integrating security practices within the DevOps process.
When is using a standardized IP schema the most important?
When designing a datacenter or cloud and assigning IP's
Command Injection Attack
When input is used in the construction of a command that is subsequently executed by the system with the privileges of the Web server
Fast Flux Dns
a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies
Network Attached Storage (NAS)
a server that is placed on a network with the sole purpose of providing storage to users, computers, and devices attached to the network
polyalphabetic substitution
a substitution cipher that incorporates two or more alphabets in the encryption process
Permission Authorization
approval
SOC 2 engagements .
assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. SOC 2 audit results are confidential and are normally only shared outside the organization under an NDA
API Security
authentication, authorization , proper data scoping, rate limiting, input filtering and logging. Securing the endpoint is big too
What else can ICS and Scada be used to control?
control and manage facilities, particularly when the facility requires management of things like heating, ventilation, and air-conditioning (HVAC) systems to ensure that the processes or systems are at the proper temperature and humidity.
Counter Mode
counter mode changes block ciphers into a stream cipher by generating successive blocks in the stream using a nonrepeating counter.
Disaster Recovery Plans
define the processes and procedures that an organization will take when a disaster occurs. Unlike a business continuity plan, a DR plan focuses on natural and man-made disasters that may destroy facilities, infrastructure, or otherwise prevent an organization from functioning normally. A DR plan focuses on restoration or continuation of services despite a disaster.
Web metadata is
embedded into websites as part of the code of the website but is often invisible to everyday users. It can include metatags, headers, cookies, and other information that help with search engine optimization, website functionality, advertising, and tracking, or that may support specific functionality.
3
execute + write
SIEM Rules
hear of alarms, alerts and correlation engines is rules that drive components.
onboarding
hiring new employees
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
implements certificate-based authentication as well as mutual authentication of the device and network. It uses certificates on both client and network device to generate keys that are then used for communication. EAP-TLS is used less frequently due to the certificate management challenges for deploying and managing certificates on large numbers of client devices.
Dump files
like the memory dump created when Windows experiences a blue screen of death, may not seem as if they'd be useful for incident response, but they can contain information that shows the state of memory and the system at the time of a crash. If the crash occurred because of an attacker or exploit, or if malware or attack tools were on the system, the dump file may contain those artifacts.
VoIP Logs call manager logs and Session Initiation Protocol (SIP)
logs can provide information about calls that were placed as well as other events on a VoIP system.
Isolation (in terms of broad action and config change)
moves a system into a protected space or network where it can be kept away from other systems. Isolation can be as simple as removing a system from the network or as technically complex as moving it to an isolation VLAN, or in the case of virtual machines or cloud infrastructure, it may require moving the system to an environment with security rules that will keep it isolated while allowing inspection and investigation.
Impact Score
multiplying the priority of each area by the impact the threat would have
Web application firewalls
provide strong protection for web servers. They protect against several different types of attacks, with a focus on web application attacks and can include load-balancing features.
Password history
remembers past passwords and prevents users from reusing passwords
Cipher
the generic term for a technique (or algorithm) that performs encryption
What is one key technology that can help make mobile device deployments more secure?
use of virtual desktop infrastructure (VDI) to allow relatively low-security devices to access a secured, managed environment. Using VDI allows device users to connect to the remote environment, perform actions, and then return to normal use of their device. Containerization tools can also help split devices between work and personal-use environments, allowing a work container or a personal container to be run on a device without mixing data and access
Spoilation of evidence
which means intentionally, recklessly, or negligently altering, destroying, fabricating, hiding, or withholding evidence relevant to legal matters. A legal hold gives an organization notice that they must preserve that data. Ignoring the notice or mishandling data after the notice has been received can be a negative blow against an organization in court. Thus, having a strong legal hold process is important for organizations before a hold shows up.
Account policies
A set of rules governing user security information, such as password expiration and uniqueness, which can be set globally.
Agile Development
A software development methodology that delivers functionality in rapid iterations, measured in weeks, requiring frequent communication, development, testing, and delivery.
Birthday Attack
A statistical phenomenon that makes finding collisions easier.
What do Security Practitioners need to do their job?
A strong understanding of the Org's risk tolerance, as well as awareness of what the others involved in the DevSecOps environemtn are doing.
ROT13
A substitution cipher that uses a key of 13. To encrypt a message, you would rotate each letter 13 spaces. To decrypt a message, you would rotate each letter 13 spaces.
Buffer Overflow
A technique for crashing by sending too much data to the buffer in a computer's memory
Data Sovereignty
A term that refers to the legal implications of data stored in different countries. It is primarily a concern related to backups stored in alternate locations via the cloud.
Role-Based Access Control (RBAC)
A "real-world" access control model in which access is based on a user's job function within the organization.
Common Vulnerability Scoring System (CVSS)
A SCAP specification for communicating the characteristics of vulnerabilities and measuring their relative severity.
Authentication technologies are used to secure systems and services.
A broad range of authentication technologies are in common use today. The Extensible Authentication Protocol (EAP) is designed to be modified just as its name suggests, meaning that EAP implementations are used in many environments. Kerberos, CHAP, TACACS , and 802.1x are all authentication protocols you are likely to encounter; PAP is no longer widely deployed. SAML, OAuth, and OpenID are important for websites and interoperation for authentication and authorization for cloud and Internet services and providers.
Transposition Ciphers
A cipher that rearranges the order of existing characters in a message in a certain way (e.g., a route cipher)
Cryptocurrency
A digital currency in which encryption techniques are used to regulate the generation of units of currency and verify the transfer of funds.
What is reslience?
A element of Availability
Full Tunnel VPN
A full-tunnel VPN sends all network traffic through the VPN tunnel, keeping it secure as it goes to the remote trusted network. Great way to ensure traffic sent through an untrusted network like a coffee shop, hotel or others cannot be trusted.
Infrastructure as a Service (IaaS)
Allows customers to purchase and interact with the basic building blocks of a tech infrastructure. These include computing storage and networks, have flexibility to config and amange services. Dont need to wrry about management of hardware.
Grep
Allows you to search for patterns that match text or regular expressions. Grep is done by doing grep 'word' /file/location.
DES-EEE3, DES-EDE3, DES-EEE2, DES-EDE2.
Alternate modes for 3DES.
Core Concept of Zero Trust
Although many network designs used to presume that threats would come from outside of the security boundaries used to define network segments, the core concept of zero-trust networks is that nobody is trusted, regardless of whether they are an internal or an external person or system. Therefore, zero-trust networks should include security between systems as well as at security boundaries.
Integrity Metric
Attacker exploits vulnerabiulity
Black Box approach
Auditors test the reliability of computer-generated information by first calculating expected results from the transactions entered into the system. Then, the auditors compare these calculations to the processing or output results.
Audits and assessments monitor compliance with requirements.
Audits are externally commissioned, formal reviews of the capability of an organization to achieve its control objectives. Assessments are less rigorous reviews of security issues, often performed or commissioned by IT staff. Organizations providing services to other entities may wish to conduct a service organization controls (SOC) audit under SSAE 18.
Nearline backup
Back up that is not immediately available but can be retrieved quickly
Hard-Coded Credentials
Backdoor username/passwords left by programmers in production code
False Acceptance Rate (FAR/Type2 Error)
Biometric factor is accepted when it shouldnt be
How is block diff from object?
Block storage is preallocated, Object is not. Block is also more expensive.
Intimidation
Bullied, Victim will feel threatened and do what attacker wants.
Types of secure data destruction
Burning, Shredding, Pulping, Pulverizing, Degaussing
Shared Responsibility Model
Cloud customers must divide responsibilites between one or more service providers
Segmentation
Core concept of network security. Allows engineers to palce systems of diff security levels and functions on diff network subnets.
Corporate-Owned
Corporate-owned provides the greatest control but least flexibility.
Smartphones or Tables
Devices such as smartphones or tablets may contain data that can also be forensic targets
Refactoring (Driver Manipulation)
Driver source code modified to include malware, difficult to pull off but drivers have base OS level access so they can gain complete control if done right.
What are some common elements in design for redundnacy>?
Geographical dispersal of systems to ensure a single attack wont hurt. Seperation of servers. Use of multiple network paths, Firewalls, mult routers and intrusion systems help too
Enigma Machine
German secret code machine. The Allies managed to crack the code and read German messages.
What app uses TOTP?
Google Authenticator
IMAP TCP 143
IMAPS TCP 993
Internet relay chat
IRC, used to manage client server botnets in past
Forensic copy
Imporant to preserve data at the bit by bit level and thereby the exacte structure of the drive. Therefore Forensic copies are done differently.
Agile's 4 basic premises
Individuals and interactions are more important than processes and tools. Working software is preferable to comprehensive documentation. Customer collaboration replaces contract negotation. Responding to change is key rather than following a plan.
Frequency Analysis
Look at blocks to determine if any common patterns exist.
Issues with phone auth
Lower speed, hijacked calls, additional costs.
Specialized Hardware like smart cards can
Minimize Power Consumption
Routing and Switching protocols
Routing and switching protocol security can be complex, with protocols like Border Gateway Protocol (BGP) lacking built-in security features. Therefore, attacks such as BGP hijacking attacks and other routing attacks remain possible. Organizations cannot rely on a secure protocol in many cases and need to design around this lack.
Regulatory Requirements
Rules or laws that regulate conduct and that the enterprise must obey to become compliant.
SFTP
SFTP is frequently chosen because it can be easier to get through firewalls since it uses only the SSH port, whereas FTPS can require additional ports, depending on the configuration.
Key Element of TLS protocol
Provides for ephemeral RSA key exchange to create perfect forward secrecy. Convos can only be decrypted when the key is known. and temp key is generated as part of the start of comms between two systems. Thus using OpenSSL and TLS is an ideal solution. Websutes use TLS for this prupose all the time.
Counter Mode (CTR)
Similar to OFB but a counter value is used instead of an IV.
Cloud concerns must be dealt with before forensic response is needed.
Since cloud environments are typically hosted in third-party infrastructure, the ability to directly conduct forensics is frequently not available. Organizations may need to build in contractual capabilities, including right-to-audit clauses, regulatory and jurisdictional choices, and data breach notification requirements and timeframes.
Ransomware
Software that encrypts programs and data until a ransom is paid to remove it.
Atrributes for MFA
Somewhere you are (GPS), Something you can do (Gesture passwords), something you exhibit (behavior pattern), someone you know
network access control (NAC), sometimes called network admissions control,
NAC technologies focus on determining whether a system or device should be allowed to connect to a network. If it passes the requirements set for admission, NAC places it into an appropriate zone.
Many different authentication methods and technologies are used to ensure that users can claim an identity.
One-time passwords may use an algorithm based on iterative events via HOTP, or based on time in TOTP, both of which can be delivered via hardware tokens or software applications. One-time passwords are also frequently provided by SMS pushes. Biometrics, the "something you are" factor, are increasingly common in mobile devices and other systems where fingerprints and facial recognition have seen broad adoption. As a security professional, you need to be aware of the broad range of authentication factors, why you might choose or avoid each one in a given circumstance, and why multifactor authentication is a critical security control in many environments.
Privacy controls protect personal information.
Organizations handling sensitive personal information should develop privacy programs that protect that information from misuse and unauthorized disclosure. The plan should cover personally identifiable information (PII), protected health information (PHI), financial information, and other records maintained by the organization that might impact personal privacy.
Over the Shoulder
Pair of devs, requires dev who wrote code to explain it to another dev. Lower cost than pair programming and same results.
HTTP header
Part of HTTP that is composed of fields that contain the different characteristics of the data that is being transmitted.
Agility and flexibility in cloud
Sppeed to provison resources, and ability to use them for short periods
Fileless Viruses
Spread via spam email and malicious sites, exploit flaws in browser plug ins and web browsers themselves. Inject themselves into memory. Create registry entry to repeat code.
SCADA
Supervisory Control and Data Acquisition
What is RSA based on?
The complexity of factoring large prime numbers
Tier 3: Repeatable
The organization's risk management practices are formally approved and expressed as policy. There is an organizationwide approach to manage cybersecurity risk. The organization understands its role, dependencies, and dependents in the larger ecosystem and may contribute to the community's broader understanding of risks
Tokenization
The process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.
Non Persistence
The property by which a computing environment is discarded once it has finished its assigned task.
Cryptographic Keys
Used in encrypting and decrypting information, there are private keys and public keys
Public Key Encryption
Used prevalently on the web, it allows for secure messages to be sent between parties without having to agree on, or share, a secret key. It uses an asymmetric encryption scheme in which the encryption key is made public, but the decryption key is kept private.
Attack Frameworks
Used to understand adversaries, document techniques and to categorize tactics.
PTZ Camera
Used within a CCTV system. It can pan, tilt, and zoom. Used to track people's movement in the data center
Principal
User
Object Detection
Using high-end video surveillance cameras that can identify a suspicious objective and sound an alert.
Motion Recognition
Using high-end video surveillance cameras that record when they detect movement.
single sign-on (SSO)
Using one authentication credential to access multiple accounts or applications.
Two Categories of DDOS
Volume Based and Protocol Based
Qualy's
Vulnerability scanner, SaaS
Weighted Algorithms
Weighted least, Fixed Weighted, Weighted Response time
File metadata
can be a powerful tool when reviewing when a file was created, how it was created, if and when it was modified, who modified it, the GPS location of the device that created it, and many other details.
OWASP's Top Proactive controls
1. Define Security Req's 2. Leverage Security frameworks and libraries. 3. Secure Database access. 4. Encode and Escape Data. 5. Validate All inputs 6. Implement Digital identity 7 .Enforce access controls. 8. Protect Data Everywhere. 9. Implement security logging and monitoring. 10. Handle all Errors and Exceptions.
Type 2 Hypervisor
App on top of an exisiting oS
How are security controls categorized?
By their mechanism of action and intent.
Incident Response PLans Subplans
Communication Plans, Stakeholder Management Plans, Business Continuity plans, Disaster Recovery Plans
How to detect botnets?
Check logs, log everything, use network monitoring tools.
Primary Responsibility of hypervisor
Enforcing Isolation
Cloud Service Providers
Firms that offer cloud computing to their customers.
4 Phases that are revisted during SPiral
Identification, Design, Build Evaluation
Locks
Most common physical control
How to remove a rootkit
Rebuild system or restore from a known good backup.
Certificate Revocation
The act of making a certificate invalid.
Insecure Direct Object references
User views info that exceeds their authority.
5
read +execute
SHA-512
An implementation of SHA-2 using a 512-bit hash.
Information Life Cycle
Data Minimization, then purpose limitation and data retention
How to Calculate Exposure Factor
% of capacity that would be consumed by the attack.
Credentialed Scanning
-credentialed scan is a scan that is performed by someone with administrative rights to the host being scanned -Operations are executed on the host itself rather than across the network. - There is a more definitive list of missing patches. - Client-side software vulnerabilities are uncovered. = A credentialed scan can read password policies, obtain a list of USB devices, check antivirus software configurations, and even enumerate Bluetooth devices attached to scanned hosts.
801.11n
600 MBPS 2.4ghz and 5ghz
802.11ac
6933 Mbit/s 5ghz
Exploitability score
8.22 * AV * AC * PR * UI
Hardware Security Module (HSM)
A device that can safely store and manage encryption keys. This can be used in servers, data transmission, protecting log files, etc. Often carry a third party security certification.
Smartcards
A device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing
Blockchain
A distributed and decentralized ledger that records and verifies transactions and ownership, making it difficult to tamper with or shut down.
Typosquatting
A form of cybersquatting that relies on mistakes, such as typographical errors, made by Internet users when inputting information into a Web browser.
Fagan Inspection
A formal code review process that relies on specified entry and exit criteria for each phase
White-Hat
A hacker who exposes security flaws in applications and operating systems so manufacturers can fix them before they become widespread problems.
Jump servers/Jump Box
A jump server is a secured and monitored system used to provide secure ops in security zones with different security levels. It is typically configured with the tools required for administrative work and is frequently accessed with SSH, RDP, or other remote desktop methods. Jump boxes should be configured to create and maintain a secure audit trail, with copies maintained in a separate environment to allow for incident and issue investigations.
What is key to remember about SCADA and ICS
A key thing to remember when securing complex systems like this is that they are often designed without security in mind. That means that adding security may interfere with their function or that security devices may not be practical to add to the environment. In some cases, isolating and protecting ICS, SCADA, and embedded systems is one of the most effective security models that you can adopt.
Hardware Root of Trust
A known secure starting point. TPMs have a private key burned into the hardware that provides a hardware root of trust..
Open Vulnerability and Assessment Language (OVAL)
A language for specifying low-level testing procedures used by checklists
Forensic Report includes
A summary of the forensic investigation and findings. An outline of the forensic process, including tools used and any assumptions that were made about the tools or process. A series of sections detailing the findings for each device or drive. Accuracy is critical when findings are shared, and conclusions must be backed up with evidence and appropriate detail. Recommendations or conclusions in more detail than the summary included.
Directory Services
A system that enables network resources to be viewed as objects stored in a database. This database can then be divided and distributed among different servers on the network. An example of directory services includes LDAP or Microsoft Active Directory
High Privileges CVSS Score
Admin rights, .270
Structured Threat Information eXpression (STIX)
An XML structured language for expressing and sharing threat intelligence. Originally Sponsored by the US Dept of Homeland Security.
De-Identification
An action that one takes to remove identifying characteristics from data. information that does not actually identify an individual. Some laws require specific identifiers to be removed (See HIPAA 165.514(b)(2)). Hashing is not enough.
File Inclusion attack
An application attack that adds an unexpected file to the running process of a web app
LDAP injection attack
An attack that constructs LDAP statements based on user input statements, allowing the attacker to retrieve information from the LDAP database or modify its content.
Impersonation
An attack that creates a fictitious character and then plays out the role of that person on a victim.
Supply chain attack
An attack that targets the end-to-end process of manufacturing, distributing, and handling goods and services.
XML injection attack
An attack which modifies how an XML application processes its data. Can be prevented through input and document schema validation.
Nation State Actor
An attacker commissioned by the governments to attack enemies' information systems
Remote File Inclusion
An attacker executes a script to inject a remote file into the web app or website
Hacktivist
An attacker who launches attacks as part of an activist movement or to further a cause.
All cryptographic attacks
Brute Force, Frequency Analysis, Known Plain Text, Chosen Plain Text, Related Key Attack, Birthday Attack, Downgrade Attack, Rainbow Tables, Exploting Weak Keys, Exploiting Human Error
How does Operating System Hardening work?
By using system settings to reduce the attack surface for your OS, that tools and standards exist to help with that process.
Certificate verification
Check CA's digital sig against public key ensure that the cert was not revoked through certificate revocation list or Online Certifivcate Status protocol. Once this is done you can assume it is authentic.
Validated Redirects
Check Redirection URLS against an approved list.
Considerations before deploying anti malware tools
Determine what threats youll face and where. Management deployment and monitoring is critical in enterprise, third the detection you deploy plays a major role in the deciison processes.
Access Control Schemes
Determine which users, services, and programs can access various files or other objects that they host
Retention Policy
Determines how long you keep data and how it will be disposed of.
Training and Transition Phase
End users trained on software and has entered general use.
Scan perspective
Each one of these conducts a vulnerability scan from a different location on the network, providing a different view into vulnerabilities.
Cipher Block Chaining MOde CBC
Each plaintext block is added to the previous cipher text block and then the result is encrypted with the key. Uses a initialization Vector to start the process
How can the process of preserving Electronic Info be made easier?
Electronic discovery and legal hold support tools exist that can help, with abilities to capture data for users or groups under a litigation hold. They often come with desktop, mobile device, and server agents that can gather data, track changes, and document appropriate handling of the data throughout the legal hold timeframe. In organizations that are frequently operating under legal holds, it is not uncommon for frequent litigation targets like CEOs, presidents, and others to be in a near-constant state of legal hold and discovery.
HTTP TCP 80
HTTPS TCP 443
In Iaas What is the vendor responsible for?
Hardware and Datacemter
Major weakness of Asymmetric
Its slow AF
What are actions orgs take to reduce the risk of fraud by a single employee?
Job Rotation and Mandatory Vacations
Types of Severity
Low medium high critical
Bright side to SQL injections
Many dont let attacker see the data outputted.
What is critical to success with DLP?
Mapping your orgs data and then applying appropriate controls based on a data classification system or policy.
CVSS score 4.0-6.9
Medium
Containers
Provide app level virtualization, package apps and allow them to be treated as units of virtualization that become portable across OS and hardware platforms.
Software as a Service (SaaS)
Provide customers with access to a fully managed application running in the cloud. Responsible for everything from the operation of the physcial datacenters to the performance management of the app itself. In SaaS the customer is only responsible for limited config of the app
Cloud deployment models
Public Cloud Private Cloud Community Cloud Hybrid Cloud
Supply chain Assessment
Risks that come with third party relations. You rely on vendors to protect CIA of data. Performing vendor due diligence is crucial in security.
What was one of the predominant principles in the early days of cryptography?
Security through Obscurity.
Simple Network Management Protocol version 3 (SNMPv3)
Simple Network Management Protocol, version 3 (SNMPv3) improves on previous versions of SNMP by providing authentication of message sources, message integrity validation, and confidentiality via encryption. It supports multiple security levels, but only the authPriv level uses encryption, meaning that insecure implementations of SNMPv3 are still possible. Simply using SNMPv3 does not automatically make SNMP information secure.
What is bad about improperly config'ed Qos?
Since it can allow important traffic through, it can be a threat if not config'd right.
Tor
The Onion Router
Memory Management
The act of keeping track of how and where programs are loaded in main memory
Blue Team
The defensive team in a penetration test or incident response exercise.
Key Length
The size of a key, usually measured in bits or bytes, which a cryptographic algorithm used in ciphering or deciphering protected information.
Identification:
This phase involves reviewing events to identify incidents. You must pay attention to indicators of compromise, use log analysis and security monitoring capabilities, and have a comprehensive awareness and reporting program for your staff.
Extended Validation
This type of certificate requires more extensive verification of the legitimacy of the business
Honeyfile
Used for intrusion Detection. an intentionally attractive file that contains unique, detectable data that is left in an area that an attacker is likely to visit if they succeed in their attacks. If the data contained in a honeyfile is detected leaving the network, or is later discovered outside of the network, the organization knows that the system was breached.
Identities are the foundation of authentication and authorization.
Users claim an identity through an authentication process. In addition to usernames, identities are often claimed through the use of certificates, tokens, SSH keys, or smartcards, each of which provide additional capabilities or features that can help with security or other useful functions. Identities use attributes to describe the user, with various attributes like job, title, or even personal traits stored as part of that user's identity.
Signature based dection
Uses a hash to identify files or components of the malware that have been previously observed. Usualy first line of defense.
Influence Campaigns
Using social engineering to sway attention and sympathy in a particular direction.
Supplementing Network Scans
Usually supplemented with Credentialed Scanning
Device Drivers
Utility software used by the operating system to communicate with peripheral devices.
Different implementations of EAP
Vendor specific and open like EAP-TLS, LEAP, and EAP TTLS
Governance and Auditing
Vetting vendors being considered, managing vendor relationships and monitoring for stability issues, overseeing an orgs portfolio of cloud activities.
Malicious Flash Drive Attacks
Victim plugs it in and malware is loaded on. However pen testers can use this to examine their security.
Data breaches have significant and diverse impacts on organizations.
When an organization suffers a data breach, the resulting data loss often results in both direct and indirect damages. The organization suffers immediate financial repercussions due to the costs associated with the incident response, as well as long-term financial consequences due to reputational damage. This reputational damage may be difficult to quantify, but it also may have a lasting impact. In some cases, organizations may suffer operational damage if they experience availability damages, preventing them from accessing their own information.
In a simplified SCADA System
You'll see that there are remote telemetry units (RTUs) that collect data from sensors and programmable logic controllers (PLCs) that control and collect data from industrial devices like machines or robots. Data is sent to the system control and monitoring controls, allowing operators to see what is going on and to manage the SCADA system. These capabilities mean that SCADA systems are in common use in industrial and manufacturing environments, as well as in the energy industry to monitor plants and even in the logistics industry tracking packages and complex sorting and handling systems.
HTML injection
__ is a type of injection issue that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page.
Data Controllers
are the entities who determine the reasons for processing personal information and direct the methods of processing that data. This term is used primarily in European law and it serves as a substitute for the term data owner to avoid a presumption that anyone who collects data has an ownership interest in that data.
Business impact Analysis (BIA)
a formal process designed to identify the mission essential functions within an organization and facilitate the identification of the critical systems that support those functions.
What is it called when you copy a file or drive?
a logical copy.
Vigenere Cipher
a method of encrypting text by applying a series of Caesar ciphers based on the letters of a keyword.
Privilege Escalation
a network intrusion attack that takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications
Attestation Process
a process that remotely uses a separate system to ensure data integrity when the system boots up
Data Masking
a program that protects privacy by replacing personal information with fake values
What else do MDM and UEM tools provide?
a rich set of controls for user behaviors. They can enable closed or managed third-party application stores or limit what your users can download and use from the application stores that are native to the operating system or device you have deployed. They can also monitor for firmware updates and versions, including whether firmware over-the-air (OTA) updates have been applied to ensure that patching occurs. Of course, users may try to get around those controls by rooting their devices, or jailbreaking them so that they can sideload (manually install from a microSD card or via a USB cable) programs or even a custom firmware on the device. MDM and UEM tools will detect these activities by checking for known good firmware and software, and they can apply allow or block lists to the applications that the devices have installed. Controlling which services and device capabilities can be used, and even where they can be used, is also a feature that many organizations rely on. Limiting or prohibiting use of cameras and microphones as well as SMS, MMS, and rich communication services (RCS) messages can help prevent data leakage from secure areas. Limiting the use of external media and USB on-the-go (OTG) functionality that allows devices to act as hosts for USB external devices like cameras or storage can also help limit the potential for misuse of devices. MDM and UEM tools also typically allow administrators to control GPS tagging for photos and other documents that may be able to embed GPS data about where they were taken or created. The ability to use location data can be a useful privacy control or may be required by the organization as part of documentation processes.
Multitenancy
a single instance of a system serves multiple customers
Advanced Persistent Threat (APT)
a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments
Phishing
a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent e-mail
Full Disk Encryption (FDE)
a technology that encrypts everything stored on a storage medium automatically, without any user interaction
hping
a tool used to assemble and analyze TCP/IP packets. Penetration testers and security analysts sometimes need to build a custom packet to test for an issue or a vulnerability, or to see if a firewall will respond properly. Analysis using hping can also provide information like OS fingerprinting or help guess at how long a system has been online based on packet details. It is available for both Linux and Windows, making it a useful tool in a variety of circumstances.
Scada is
a type of system architecture that combines data acquisition and control devices, computers, communications capabilities, and an interface to control and monitor the entire architecture. SCADA systems are commonly found running complex manufacturing and industrial processes, where the ability to monitor, adjust, and control the entire process is critical to success.
Proxy Servers
accept and forward requests, centralizing the requests and allowing actions to be taken on the requests and responses. They can filter or modify traffic and cache data, and since they centralize requests, they can be used to support access restrictions by IP address or similar requirements. There are two types of proxy servers:
Rogue Access Point
added to your network either intentionally or unintentionally. Once they are connected to your network, they can offer a point of entry to attackers or other unwanted users. Since many devices have built-in wireless connectivity and may show up as an accessible network, it is important to monitor your network and facilities for rogue access points. Most modern enterprise wireless controller systems have built-in functionality that allows them to detect new access points in areas where they are deployed. In addition, wireless intrusion detection systems or features can continuously scan for unknown access points and then determine if they are connected to your network by combining wireless network testing with wired network logs and traffic information. This helps separate out devices like mobile phones set up as hotspots and devices that may advertise a setup Wi-Fi network from devices that are plugged into your network and that may thus create a real threat.
Network Address Translation (NAT)
allows a pool of addresses to be translated to one or more external addresses. Typically, NAT is used to allow many private IP addresses to use a single public IP address to access the Internet. A NAT gateway is a device that provides the network address translation and tracks which packets should be sent to each device as they transit through it.
SOC 3 engagements
also assess the organization's controls that affect the security (confidentiality, integrity, and availability) and privacy of information stored in a system. However, SOC 3 audit results are intended for public disclosure.
NAT gateways
are a common network tool—in fact, they're in many homes in the form of the Internet router that provides a pool of private IP addresses and uses NAT to allow a single external public IP to serve many devices behind the router.
uninterruptible power supply (UPS)
an alternative power supply device that protects against the loss of power and fluctuations in the power level by using battery power to enable the system to operate long enough to back up critical data and safely shut down. Great for ensuring resilience
identity provider
an online service responsible for issuing identification information for users who would like to interact with the service - eg: facebook, google, amazon
Autopsy
an open source forensic suite with broad capabilities. Forensic activities with a tool like Autopsy will typically start creating a new case with information about the investigators, the case, and other details that are important to tracking investigations and then import files into the case.
Supply Chain Risk
any potential disruption that threatens the supply chain's efficient and effective operations
Layers 1-3 of OSI
are Media Layers
Multiparty risks
are those that impact more than one organization. For example, a power outage to a city block is a multiparty risk because it affects all of the buildings on that block. Similarly, the compromise of an SaaS provider's database is a multiparty risk because it compromises the information of many different customers of the SaaS provider.
Load Balancers
are used to distribute traffic to multiple systems, provide redundancy, and allow for ease of upgrades and patching. They are commonly used for web service infrastructures, but other types of load balancers can also be found in use throughout many networks. Load balancers typically present a virtual IP (VIP), which clients send service requests to on a service port. The load balancer then distributes those requests to servers in a pool or group.
Tabletop Exercises
are used to talk through processes. Team members are given a scenario and are asked questions about how they would respond, what issues might arise, and what they would need to do to accomplish the tasks they are assigned in the IR plan. Tabletop exercises can resemble a brainstorming session as team members think through a scenario and document improvements in their responses and the overall IR plan.
Bandwith Monitor/Network Flows
bandwidth monitor can provide trend information that can help spot both current problems and new behaviors. Network flows, either using Cisco's proprietary NetFlow protocol, which is a software-driven capability, or SFlow, which is broadly implemented on devices from many vendors, are an important tool in an incident responder's toolkit. In addition to NetFlow and SFlow, you may encounter IPFIX, an open standard based on NetFlow 9 that many vendors support.The hardware deployed in your environment is likely to drive the decision about which to use, with each option having advantages and disadvantages. Network flows are incredibly helpful when you are attempting to determine what traffic was sent on your network, where it went, or where it came from. Flows contain information such as the source and destination of traffic, how much traffic was sent, and when the traffic occurred. You can think of flow information like phone records—you know what number was called and how long the conversation took, but not what was said. Thus, although flows like those shown in the following graphic are useful hints, they may not contain all the information about an event.
VoIP systems
both backend servers as well as the VoIP phones and devices that are deployed to desks and work locations throughout an organization. The phones themselves are a form of embedded system, with an operating system that can be targeted and may be vulnerable to attack. Some phones also provide interfaces that allow direct remote login or management, making them vulnerable to attack from VoIP networks. Segmenting networks to protect potentially vulnerable VoIP devices, updating them regularly, and applying baseline security standards for the device help keep VoIP systems secure.
DNS poisoning
can be accomplished in multiple ways. One form is another form of the on-path attack where an attacker provides a DNS response while pretending to be an authoritative DNS server. Vulnerabilities in DNS protocols or implementations can also permit DNS poisoning, but they are rarer. DNS poisoning can also involve poisoning the DNS cache on systems. Once a malicious DNS entry is in a system's cache, it will continue to use that information until the cache is purged or updated. This means that DNS poisoning can have a longer-term impact, even if it is discovered and blocked by an IPS or other security device. DNS cache poisoning may be noticed by users or may be detected by network defenses like an IDS or IPS, but it can be difficult to detect if done well.
SSL Vpn
can either use a portal-based approach (typically using HTML5), where users access it via a web page and then access services through that connection, or they can offer a tunnel mode like IPSec VPNs. SSL VPNs are popular because they can be used without a client installed or specific endpoint configuration that is normally required for IPSec VPNs. SSL VPNs also provide the ability to segment application access, allowing them to be more granular without additional complex configuration to create security segments using different VPN names or hosts, as most IPSec VPN tools would require.
Simulations
can include a variety of types of event. Exercises may simulate individual functions or elements of the plan, or only target specific parts of an organization. They can also be done at full scale, involving the entire organization in the exercise. It is important to plan and execute simulations in a way that ensures that all participants know that they are engaged in an exercise so that no actions are taken outside of the exercise environment.
Network and Security device Logs
can include logs for routers and switches with configuration changes, traffic information, network flows, and data captured by packet analyzers like Wireshark.
Remote Access VPN
commonly used for traveling staff and other remote workers, and Remote-access VPNs are most frequently used in an as-needed mode, with remote workers turning on the VPN when they need to connect to specific resources or systems, or when they need a trusted network connection.
Information Security Policy Framework
contains a series of documents designed to describe the organization's cybersecurity program. The scope and complexity of these documents vary widely, depending on the nature of the organization and its information resources. These frameworks generally include four different types of document: Policies Standards Procedures Guidelines
Digital Certificates
data files used to establish the identity of users and electronic assets for protection of online transactions
Asset management that
describes the process that the organization will follow for accepting new assets (such as computers and mobile devices) into inventory, tracking those assets over their lifetime, and properly disposing of them at the end of their useful life.
The Attack matrices for MITRE include
detailed descriptions, definitions, and examples for the complete threat lifecycle from initial access through execution, persistence, privilege escalation, and exfiltration. At each level, it lists techniques and components, allowing threat assessment modeling to leverage common descriptions and knowledge.
Procedures are
detailed, step-by-step processes that individuals and organizations must follow in specific circumstances. Similar to checklists, procedures ensure a consistent process for achieving a security objective. Organizations may create procedures for building new systems, releasing code to production environments, responding to security incidents, and many other tasks. Compliance with procedures is mandatory.
Winhex
disk editing tool that can also acquire disk images in raw format, as well as its own dedicated WinHex format. WinHex is useful for directly reading and modifying data from a drive, memory, RAID arrays, and other filesystems.
Network Segmentation
divides a network up into logical or physical groupings that are frequently based on trust boundaries, functional requirements, or other reasons that help an organization apply controls or assist with functionality.
Why Do Arduinos have a reduced attack surface compared to the Raspberry PI?
do not have a wireless or wired network connection built into them, thus reducing their attack surface because they lack direct physical access.
APi Based CASb
do not interact directly with the user but rather interact directly with the cloud provider through the api. Provides direct access to cloud and reqs no device config. But does not allow casb to block requests that violate policy. They are limited to monitoring user activity and reporting on or correcting policy violations,.
The Order of Volatility
documents what data is most likely to be lost due to system operations or normal processes. Following this order, gives the Forensic Analyst greatest likelihood of capturing data intact.
BGP (Border Gateway Protocol)
does not have strong security built in. In fact, BGP routes are accepted by default, which occasionally leads to accidental or purposeful BGP hijacking, where a router advertises itself as a route and ends up redirecting Internet traffic through itself. When done purposefully, this means traffic may be intercepted by attackers. When done accidentally, it can disrupt large portions of the Internet, causing denial-of-service conditions and latency, among other issues.
Integrity Measurement
enables a system to verify the integrity of various pieces of software before they run or while they are running
Risk Identification Process
equires identifying the threats and vulnerabilities that exist in your operating environment. These risks may come from a wide variety of sources ranging from hackers to hurricanes.
Business partnership agreements (BPAs)
exist when two organizations agree to do business with each other in a partnership. For example, if two companies jointly develop and market a product, the BPA might specify each partner's responsibilities and the division of profits.
2 Key escrow methods
fair Cryptosystems, Escrowed Encryption Standard.
Dynamically Linked Libraries
system libraries that are linked to user programs when the programs are run
Risk Assessments
formalized approach to risk prioritization that allows organizations to conduct their reviews in a structured manner. Risk assessments follow two different analysis methodologies: Quantitative Risk Assessments Qualitative Risk Assessments
Email metadata includes
headers and other information found in an email. Email headers provide details about the sender, the recipient, the date and time the message was sent, whether the email had an attachment, which systems the email traveled through, and other header markup that systems may have added, including antispam and other information.
Policies
high-level statements of management intent. Compliance with policies is mandatory. An information security policy will generally contain broad statements about cybersecurity objectives, including the following: A statement of the importance of cybersecurity to the organization Requirements that all staff and contracts take measures to protect the confidentiality, integrity, and availability of information and information systems Statement on the ownership of information created and/or possessed by the organization Designation of the chief information security officer (CISO) or other individuals as the executive responsible for cybersecurity issues Delegation of authority granting the CISO the ability to create standards, procedures, and guidelines that implement the policy
The Health Insurance Portability and Accountability Act (HIPAA)
includes security and privacy rules that affect health-care providers, health insurers, and health information clearinghouses in the United States.
Hybrid Cloud
includes two or more private, public, or community clouds, but each cloud remains separate and is only linked by technology that enables data and application portability
Cellular conectivity
including both existing LTE and other fourth-generation technologies as well as newer 5G network connectivity, can provide high-bandwidth access to embedded systems in many locations where a Wi-Fi network wouldn't work. Since third-party cellular providers are responsible for connectivity, embedded systems that use cellular connectivity need to be secured so that the cellular network does not pose a threat to their operation. Ensuring that they do not expose vulnerable services or applications via their cellular connections is critical to their security. Building in protections to prevent network exploits from traversing internal security boundaries such as those between wireless connectivity and local control buses is also a needed design feature.
Medical systems,
including devices found in hospitals and at doctor offices, may be network connected or have embedded systems. pacemakers, insulin pumps, and other external or implantable systems can also be attacked, with exploits for pacemakers via Bluetooth already existing in the wild.
Difference between Separation of Duties and Two Person COntrol
instead of preventing the same person from holding two different privileges that are sensitive when used together, two-person control requires the participation of two people to perform a single sensitive action.
Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP)
introduced with WPA2. uses Advanced Encryption Standard (AES) encryption to provide confidentiality, delivering much stronger encryption than WEP or the wired equivalent privacy protocol used previously. In addition to confidentiality, CCMP provides authentication for the user and access control capabilities. You'll note that user authentication is provided but not network authentication—that is an important addition in WPA3.
Site Survey
involve moving throughout the entire facility or space to determine what existing networks are in place and to look at the physical structure for the location options for your access points. In new construction, network design is often included in the overall design for the facility. Since most deployments are in existing structures, however, walking through a site to conduct a survey is critical. Important part in setting up a wifi network. Site survey tools test wireless signal strength as you walk, allowing you to match location using GPS and physically marking your position on a floorplan or map as you go. They then show where wireless signal is, how strong it is, and what channel or channels each access point or device is on in the form of a heatmap.
Offline Distribution
involves physical exchange of key material, using paper, portable electronic devices (like USB's)
Identity Fraud
involves the unauthorized use of another person's personal data for illegal financial benefit
Flexible Authentication via Secure Tunneling Extensible Authentication Protocol (EAP-FAST)
is a Cisco-developed protocol that improved on vulnerabilities in the Lightweight Extensible Authentication Protocol (LEAP). EAP-FAST is focused on providing faster reauthentication while devices are roaming. EAP-FAST works around the public key exchanges that slow down PEAP and EAP-TLS by using a shared secret (symmetric) key for reauthentication. EAP-FAST can use either preshared keys or dynamic keys established using public key authentication.
Enhanced Interior Gateway Routing Protocol (EIGRP)
is a Cisco-proprietary protocol that provides authentication, helping to prevent attackers or others from sending falsified routing messages.
Secure Lightweight Directory Application Protocol (LDAPS)
is a TLS-protected version of LDAP that offers confidentiality and integrity protections.
Certificate Authorities
is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate.
Chain of Custody
is simple sign-off and documentation forms, as shown in . Each time the drive, device, or artifact is accessed, transferred, or otherwise handled; it is documented
Containment
leaves the system in place but works to prevent further malicious actions or attacks. Network-level containment is frequently accomplished using firewall rules or similar capabilities to limit the traffic that the system can send or receive. System and application-level containment can be more difficult without shutting down the system or interfering with the functionality and state of the system, which can have an impact on forensic data. Therefore, the decisions you make about containment actions can have an impact on your future investigative work. Incident responders may have different goals than forensic analysts, and organizations may have to make quick choices about whether rapid response or forensic data is more important in some situations.
Surveillance systems
like camera systems and related devices that are used for security but that are also networked can provide attackers with a view of what is occurring inside a facility or organization. Cameras provide embedded interfaces that are commonly accessible via a web interface.
Once youve acquired data
make sure that you have a complete, accurate copy before you begin forensic analysis. At the same time, documenting the provenance of the data and ensuring that the data and process cannot be repudiated (nonrepudiation) are also important.
Hash Functions
mathematical algorithms that generate a message summary or digest (sometimes called a fingerprint) to confirm message identity and integrity
Drones and AV
may be controlled from the Internet or through wireless command channels. Encrypting their command-and-control channels and ensuring that they have appropriate controls if they are Internet or network connected are critical to their security.
Types of Specialized Systems
medical stystems, smart meters, things in vechiles, drones and Autonomous Vehicles, VoIP systems, printers, Survey Systems.
Evidence production
procedures that describe how the organization will respond to subpoenas, court orders, and other legitimate requests to produce digital evidence
dig
nslook up but more detail, also used more when you need more info as a more capable tool. Can also request all the name servers for a domain or perform a zone transfer
Fake Telemetry Data
part of deception efforts and provides additional targets for attackers. The concept of fake telemetry is much like a honeyfile—it provides a target for attackers that will either mislead them or will allow you to detect access to the information.
How does 802.1x use EAP
part of the authentication process when devices are authenticating to a RADIUS server. There are many EAP variants because EAP was designed to be extended, as the name implies.
Managing Authentication
password keys, devices that support OTP, public key crypto for security certs and carious security protocols.
Infrasturcture as Code (IAC)
process of automating the provisioning management and deprovisioning of infrastructure services through scripted code. Key enabling tech behind Dev Ops and key feature of AWS, Azure and Google cloud platform.
Information classification
programs organize data into categories based on the sensitivity of the information and the impact on the organization should the information be inadvertently disclosed. For example, the U.S. government uses the following four major classification categories: Top Secret, Secret, Confidential , Unclassified Businesses generally don't use the same terminology for their levels of classified information. Instead, they might use more friendly terms, such as Highly Sensitive, Sensitive, Internal, and Public.
DNS logs
provide details about DNS queries. This may seem less useful, but DNS logs can show attackers gathering information, provide information that shows what systems may be compromised based on their DNS requests, and show whether internal users are misusing organizational resources.
Service Providers
provide services to users whose identities have been attested to by an identity providrr.
WPA3-Enterprise
provides stronger encryption than WPA2, with an optional 192-bit mode, and adds authenticated encryption and additional controls for deriving and authenticating keys and encrypting network frames. WPA3 thus offers numerous security advantages over existing WPA2 networks
Escrowed Encryption Standard
provides the govt with a technological means to decrypt ciphertext. basis for Skipjack
International Organization for Standardization (ISO)
publishes a series of standards that offer best practices for cybersecurity and privacy. As you prepare for the Security exam, you should be familiar with four specific ISO standards: ISO 27001, ISO 27002, ISO 27701, and ISO 31000.
Vehicles
ranging from cars to aircraft and even ships at sea are now network connected, and frequently are directly Internet connected. If they are not properly secured, or if the backend servers and infrastructure that support them is vulnerable, attackers can take control, monitor, or otherwise seriously impact them.
7
read + write + execute
WPA-Enterprise
relies on a RADIUS authentication server as part of an 802.1x implementation for authentication. Users can thus have unique credentials and be individually identified.
Hardening endpoints
relies on configuration, settings, policies, and standards to ensure system security. Although tools and technology are important to protect endpoints, configuration and settings are also an important part of the process. Disabling unnecessary services, changing settings in the Windows registry or operating systems settings in Linux, and otherwise using built-in configuration options to match security configurations to the device's risk profile is critical. Organizations also use naming and IP addressing standards to manage, track, and control endpoints throughout their environments. Finally, patch management for the operating system and the applications installed on devices protects against known vulnerabilities and issues.
Authority
relies on people obeying someone who appears to be in charge. Attacker may claim to be a manger or someone else
Type 2 Soc reports
reports go further and also provide the auditor's opinion on the operating effectiveness of the controls. That is, the auditor actually confirms that the controls are functioning properly.
Type 1 SOC Report
reports provide the auditor's opinion on the description provided by management and the suitability of the design of the controls.
Privileged Access Management
request automatically or manually approved, logged and auditable
Advanced Backdoors
require a diff url under the existing web service and concealed traffic by tunneling out
NDA (Non-Disclosure Agreement)
require that employees protect any confidential information that they gain access to in the course of their employment. Organizations normally ask new employees to sign an NDA upon hire and periodically remind employees of their responsibilities under the NDA. Offboarding processes often involve exit interviews that include a final reminder of the employee's responsibility to abide by the terms of the NDA even after the end of their affiliation with the organization.
The Family Educational Rights and Privacy Act (FERPA)
requires that U.S. educational institutions implement security and privacy controls for student educational records.
Fair Cryptosystems
secret keys are divided into 2 or more pieces, and given to a 3rd party. -when govt obtains legal authority to access a key, it provides court order to 3rd party, gets keys, and reassembles the secret key
Qualitiative Risk Assessment Techniques
seek to overcome the limitations of quantitative techniques by substituting subjective judgment for objective data. Qualitative techniques still use the same probability and magnitude factors to evaluate the severity of a risk but do so using subjective categories.
How to check with services are running in Ubuntu Linux?
service -status-all
Domain Reputation
services and tools provide information about whether a domain is a trusted email sender or sends a lot of spam email. In addition, individual organizations may assign domain reputation scores for email senders using their own email security and antispam tools.
Password policy that
sets forth requirements for password length, complexity, reuse, and similar issues.
ipconfig and ifconfig
show the current TCP/IP network configuration for the host they are run on. This will include the interfaces that exist on the system, the IPv4 and IPv6 IP addresses, the MAC addresses associated with those interfaces, connection speeds, network masks, broadcast domains, and other details about the connections. Both commands can also be used to enable and disable interfaces, refresh or drop DHCP addresses, and control the network interfaces.
How to start or stop in Linux?
sudo service [service name] start or stop
Application Resilience
the application's ability to react to problems in one of its components while still functioning
Cryptography
the art of protecting information by transforming it into an unreadable format, called cipher text
What important elements of network performance does QoS consider?
the bandwidth available and in use, the latency of traffic, how much the latency varies (jitter), and the rate at which errors are occurring. These help provide QoS metrics, allowing traffic to be prioritized and managed according to QoS rules that apply based on applications, users, ports, protocols, or IP addresses.
redundancy
the inclusion of extra components so that a system can continue to work even if individual components fail, for example by having more than one path between any two connected devices in a network.
What is perhaps the most important and simultaneously most challenging requirement in this process?
the preservation of electronic information, particularly when data covered by a legal hold or discovery process is frequently used or modified by users in your organization.
Account audits
the regular or periodic activity of reviewing and assessing the user accounts of an IT environment.
WPA3
the replacement for WPA2, has been required to be supported in all Wi-Fi devices since the middle of 2018. WPA3 hasn't reached broad implementation in normal use due the numbers of unsupported devices in many organizations, but as devices are replaced, WPA3 deployments will become more common. WPA3 improves on WPA2 in a number of ways depending on whether it is used in Personal or Enterprise mode.
Public Key Infrastructure (PKI)
the system for issuing pairs of public and private keys and corresponding digital certificates
theHarvester
theHarvester is an open source intelligence gathering tool that can retrieve information like email accounts, domains, usernames, and other details using LinkedIn; search engines like Google, Bing, and Baidu; PGP servers; and other sources. theHarvester can be run from a command line and provided with a domain or URL and a search engine to use.
Last thing a load balancer needs
to establsih persistence
Critical difference between traceroute and tracert
traceroute behaves differently from tracert in one critical way: traceroute sends UDP packets, whereas tracert on Windows sends ICMP packets. This means that you may receive different responses from hosts along the route. The basic functionality of each testing process is the same, however: a time-to-live value is set starting at 1 and increasing with each packet sent. Routers decrease the TTL by 1, drop packets with a TTL of 0, and send back ICMP time-exceeded messages for those packets. That tells traceroute which router is at each step in the path. You'll also notice latency information shown, which can be useful to identify whether there is a slow or problematic link.
Command to Find where a system is on the internet and the route traffic takes between system.
tracert or traceroute
Stalkerware
type of spyware used to illicitly monitor partners in relationships
Global Positioning System (GPS)
unlike the other technologies described so far, is not used to create a network where devices transmit. Instead, it uses a constellation of satellites that send out GPS signals, which are received by a compatible GPS receiver. While the U.S. GPS system is most frequently referred to, other systems, including the Russian GLONASS system and smaller regional systems, also exist. GPS navigation can help position devices to within a foot of their actual position, allowing highly accurate placement for geofencing and other GPS uses. GPS also provides a consistent time signal, meaning that GPS receivers may be integrated into network time systems .Like other radio frequency-based systems, GPS signals can be jammed or spoofed, although attacks against GPS are uncommon in normal use. GPS jamming is illegal in the United States, but claims have been made that GPS spoofing has been used to target military drones, causing them to crash, and real-world proof-of-concept efforts have been demonstrated.
Near Field Communication (NFC)
used for very short-range communication between devices. You've likely seen NFC used for payment terminals using Apple Pay or Google Wallet with cell phones. NFC is limited to about 4 inches of range, meaning that it is not used to build networks of devices and instead is primarily used for low-bandwidth, device-to-device purposes. That doesn't mean that NFC can't be attacked, but it does mean that threats will typically be in close proximity to an NFC device. Intercepting NFC traffic, replay attacks, and spoofing attacks are all issues that NFC implementations need to account for. At the same time, NFC devices must ensure that they do not respond to queries except when desired so that an attacker cannot simply bring a receiver into range and activate an NFC transaction or response.
Account Lockouts
used to prevent an attack from being able to simply guess the correct password by attempting a large number of possibilities
DES-EDE2
uses 2 keys, and a decryption operation in the middle -112 bit key length
DES-EDE3
uses 3 keys but replaces the 2nd enc with a decryption
Authentication header (AH)
uses hashing and a shared secret key to ensure integrity of data and validates senders by authenticating the IP packets that are sent. AH can ensure that the IP payload and headers are protected.
Quantum Computing
uses the principles of quantum physics to represent data and perform operations on these data
How can windwos file permissions be set?
using the GUI, Linux uses CHMOD
Strength of Symmetric Key Cryptography
very very fast
Disaster Types
we often immediately conjure up images of hurricanes, floods, and other natural environmental disasters. However, disasters may be of man-made origin and may come as a result of forces external to the organization, as well as internal risks. From a disaster recovery planning perspective, a disaster is any event that has the potential to disrupt an organization's business. The occurrence of a disaster triggers the activation of the organization's disaster recovery plan. As part of the DRP process, organizations should conduct site risk assessments for each of their facilities. These risk assessments should seek to identify and prioritize the risks posed to the facilitate by a disaster, including both internal and external risks from both environmental and man-made disasters
Server-Side Request Forgery (SSRF)
web security vulnerability that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing
Serverless computing environments
what FaaS is basically.
When does a broadcast storm occur?
when a loop in a network causes traffic amplification to occur as switches attempt to figure out where traffic should be sent.
-A and -B options for Grep
when given a number will print that many lines after or before the pattern.
Federated Identity Deployments
where Id Providers are paired with relying providers which trust the id provider to handle auth and then rely on that auth to grant access.
Heatmap
where wireless signal is, how strong it is, and what channel or channels each access point or device is on
Meta-features
which are start and end timestamps, phase, result, direction, methodology, and resources, which are used to order events in a sequence known as an activity thread, as well as for grouping events based on their features
WPA-Personal
which uses a preshared key and is thus often called WPA-PSK. This allows clients to authenticate without an authentication server infrastructure.
Wi-Fi Enhanced Open certification,
which uses opportunistic wireless encryption (OWE) to provide encrypted Wi-Fi on open networks when possible—a major upgrade from the unencrypted open networks used with WPA2.
Jammers
will block all the traffic in the range or frequency it is conducted against. Since jamming is essentially wireless interference, jamming may not always be intentional—in fact, running into devices that are sending out signals in the same frequency range as Wi-Fi devices isn't uncommon.
Well Written Ir Policies
will identify the team and the authority that the team operates under. They will also require the creation and maintenance of incident handling and response procedures and practices, and they may define the overall IR process used by the organization. In some cases, they may also have specific communication or compliance requirements that are included in the overall policy based on organizational needs.
What else is used for packet capture besides tcpdump>
wireshark
Risk Managers
work their way through Risk Assessment and identify an appropriate management strategy for each risk included in the assessment. 4 choices to choose from ; Mitigaton, Avoidance, Transference and Acceptance
Code Reuse
writing the code to perform a task once and then reusing it each time you need to perform the task. Code is usually then put into a library for use later.
Is it true that as ML and AI continue to grow, the threat increases?
yes
How to choose a network appliance
you must consider more than just the functionality. If you're deploying a device, you also need to determine whether you need or want a hardware appliance or a software appliance that runs on an existing operating system, a virtual machine, or a cloud-based service or appliance. Drivers for that decision include the environment where you're deploying it, the capabilities you need, what your existing infrastructure is, upgradability, support, and the relative cost of the options. So, deciding that you need a DNS appliance isn't as simple as picking one off a vendor website! You should also consider if open source or proprietary commercial options are the right fit for your organization. Open source options may be less expensive or faster to acquire in organizations with procurement and licensing restrictions. Commercial offerings may offer better support, additional proprietary features, certifications, and training, or other desirable options as well. When you select a network appliance, make sure you take into account how you will deploy it—hardware, software, virtual, or cloud—and whether you want an open source or proprietary solution.
Threat Actors
▪ Advanced Persistent Threat (APT) ▪ Hacktivist ▪ Insider Threat ▪ Script Kiddies
ISO 27001
"Information technology—Security techniques—Information security management systems—Requirements." This standard includes control objectives covering 14 categories: Information security policies Organization of information security Human resource security Asset management Access control Cryptography Physical and environmental security Operations security Communications security System acquisition, development, and maintenance Supplier relationships Information security incident management Information security aspects of business continuity management Compliance with internal requirements, such as policies, and with external requirements, such as laws The ISO 27001 standard was once the most commonly used information security standards, but it is declining in popularity outside of highly regulated industries that require ISO compliance. Organizations in those industries may choose to formally adopt ISO 27001 and pursue certification programs, where an external assessor validates their compliance with the standard and certifies them as operating in accordance with ISO 27001.
Certificate Enrollment
"The process of requesting, receiving, and installing a certificate."
Next Generation Firewalls
(NGFWS) network security devices that include additonal features beyond tradiitonal firewalling capabilities.
Major CA's
- Symantec - Thawte - GeoTrust - GlobalSign - Comodo Limited - Starfield Technologies - GoDaddy - DigiCert - Network Solutions, LLC - Entrust -AWS -Certrum * Browser authorities preconfigure browsers to trust the major CA's to avoid placing this burden on users.
There are many options for acquisition tools, and selecting the right tool combines technical needs and skillsets
. Image acquisition tools provide the ability to copy disks and volumes using a bit-by-bit method that will capture the complete image, including unused, or slack, space. Tools range in complexity from the built-in Linux dd utility to free tools like FTK's Imager that can handle both drives and memory acquisition. WinHex, a commercial tool, provides additional drive analysis features as well as acquisition capabilities. When network data needs to be acquired, Wireshark and other network analyzers play a role to capture and analyze data. Finally, specialized tools and practices may be required to acquire virtual machines and containers, and those practices and procedures need to be identified and practiced before a forensic examination becomes necessary to ensure the tools and capabilities are in place.
Low Availablity impact
.22
Low Info Disclosure
.22
Low Integrity Impact CVSS
.22
CVSS Score for High difficulty
.44
CVSS score for local
.55
High Availability Impact
.56
High Info disclosure
.56
High Integrity Impact
.56
CVSS score for Adjacent Network
.62
Other Human Required CVSS
.62
CVSS score for low difficulty
.77
CVSS score for Netowrk
.85
No Other Human involved CVSS
.85
No Privileges CVSS
.85
ICMP Flood
.Unlike UDP, ICMP is rate limited in many modern operating systems. ICMP floods, sometimes called ping floods, send massive numbers of ICMP packets, with each requesting a response. ICMP floods require more aggregate bandwidth on the side of the attacker than the defender has, which is why a distributed denial-of-service via ICMP may be attempted. Many organizations rate-limit or block ping at network ingress points to prevent this type of attack, and they may rate-limit ICMP between security zones as well. Much like UDP floods, detection rules on network security devices as well as manual detection can be used, but proactive defenses are relatively easy and quite common to deploy despite the fact that some ICMP traffic may be lost if the rate limit is hit.
No integrity impact CVSs
0
Order of Volatility Full list
1. Cpu Cache and Registers 2. Routing Table, ARP Cache, Process table, Kernel stats 3. System Memory -RAM 4. Temp Files and Swap Space 5. Data on the hard disk 6. Remote Logs 7. Backups
12 Principles of agile methodology.
1. Ensure Customer satisfaction via early and continuous delivery of the software. 2. Welcome changing reqs, even late in the dev proces. 3. Deliver working software frequently. 4. Projects sould be built around motivated individuals. 5. Ensure daily coop between devs and business people. 6. Face to Face convo are most efficient way to convey info. 7. Progrers is measured by having working software/ 8. Dev should be done at a sustainable pace. 9. Pay continuous attention to technical excellence and good design. 10. Simplicity- art of maximizing amt of work done is essential. 11. Best architectures, reqs and designs emerge from self organizing teams. 12. Teams should reflect on how to become more effectrive.
3 Specific Types of Embedded Systems for exam
1. Raspberry Pi 2. Arduinos 3. Field Programmable Gate Array (FPGA)
Restoration Order
1. Restore Network Connectivity and a bastion or shell host. 2. Restore network security devices. 3. Restore storage and database services. 4. Restore critical operations servers. 5. Restore logging and monitoring service. 6. Restore other services as possible.
Biometric Tech is based on 4 major measures
1. Type 1 errors or False Rejection Rate, Type II: False Acceptance Errors, where FAR and FRR meet is the cross over error rate. Relative operating Characteristic (ROC) comapres FRR to FAR and gets the CRR.
Certificates that conform to X.509 contain the following attributes:
1. Version of X.509 to which the certificate conforms. 2. Serial number 3. Signature Algorithm Identifier. 4. Issuer Name 5. Validity Period 6. Subject's Common Name 7. Certificates may optionally contain Subject Alternative Names 8. Subjects Public Key
802.11b
11 Mbps, 2.4 GHz
Difference between ISO 27701 and 27001
27001 covers cybersecurity controls
Cloud Forensics
3 high level concerns about the ability to preserve and produce data from cloud providers that orgs must consider. Right-to-audit clauses, Regulatory and Jurisdiction concerns, Data breach notifcation laws.
AES cipher allows how many key strengths>
3. 128 192 and 256 which require 10 rounds of enc, 12 rounds and 14 rounds respectivedly
FIDO alliance sets FRR threshold to what?
3/100.
802.11a
54 Mbps - 5 GHz
802.11g
54 Mbps, 2.4 GHz
Data Encryption Standard
64-bit block going in .... 56-bit secret key ... algorithm begins by sending a plaintext 64-bit string through an initial permutation; the algorithm then cycles through 16 rounds of substitutions, reductions, expansions, and permutations DES is a symmetric algorithm.
Diff Wifi Standards
802.11b, 802.11a, 802.11g, 801.11n, 802.11ac, 802.11ax
What is the QoS protocol for wired networks?
802.1Q (or Dot1Q)
802.11ax
9608 Mbit/s 2.4ghz and 5ghz
DNS Sinkhole
A DNS sinkhole is a DNS server that is configured to provide incorrect answers to specific DNS queries. This allows administrators to cause malicious and unwanted domains to resolve to a harmless address and can also allow logging of those queries to help identify infected or compromised systems.
SIEM Correlation
A SIEM can allow you to search and filter data based on multiple data points like these to narrow down the information related to an incident. Automated correlation and analysis is designed to match known events and indicators of compromise to build a complete dataset for an incident or event that can then be reviewed and analyzed. As you can see in the screenshots from the AlienVault SIEM, you can add tags and investigations to data. Although each SIEM tool may refer to these by slightly different terms, the basic concepts and capabilities remain the same.
virtual local area networks (VLANs).
A VLAN sets up a broadcast domain that is segmented at the Data Link layer. Switches or other devices are used to create a VLAN using VLAN tags, allowing different ports across multiple network devices like switches to all be part of the same VLAN without other systems plugged into those switches being in the same broadcast domain.
Lightweight cryptography
A category of cryptography that has fewer features and is less robust than normal cryptography. generally to reduce power or latency
Dynamic Code Analysis
A code analysis that is done using a running application
Privacy Enhanced Mail (PEM)
A common format for PKI certificates. It can use either CER (binary) or DER (ASCII) formats and can be used for almost any type of certificates.
Point to Multipoint
A communications arrangement in which one transmitter issues signals to multiple receivers. The receivers may be undefined, as in a broadcast transmission, or defined, as in a nonbroadcast transmission.
Allow list
A company set up controls to allow only a specific set of software and tools to install on workstations. A user navigates to a software library to make a selection.
DevOps (Development and Operations)
A cultural shift toward continuous collaboration between development teams and operations teams that brings highly responsive application updates.
OpenID
A decentralized open source federated identity management system that does not require specific software to be installed on the desktop.
Load Balancer
A dedicated network device that can direct requests to different servers based on a variety of factors.
Virtual Desktop Infrastructure (VDI)
A desktop operating system running within a virtual machine (VM) running on a server.
Tabletop Exercise
A discussion-based exercise where participants talk through an event while sitting at a table or in a conference room. It is often used to test business continuity plans.
Forensic suites provide features that make investigations easier and more complete.
A forensic suite like Autopsy provides tools to manage and organize investigations as well as a complete set of tools. Those tools typically include the ability to ingest, analyze, and automatically identify common forensic targets such as images, Office documents, text files, and similar artifacts. They also provide timelining capabilities, tools to assist with reporting and markup of the forensic data, and a wide range of other features useful for forensic examination. Although Autopsy is one example, commercial tools are broadly available with advanced features.
Hot Sites
A fully configured computer facility, with all information resources and services, communications links, and physical plant operations, that duplicates your company's computing resources and provides near-real-time recovery of IT operations.
Corporate Owned Implementation
A fully corporate-owned and -managed device is the most controlled environment and frequently more closely resembles corporate PCs with complete control and management suite. This is the least user-friendly of the options since a corporate-chosen and -managed device will meet corporate needs but frequently lacks the flexibility one of the more end user-centric designs.
Red Team
A group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. The Red Team's objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders (i.e., the Blue Team) in an operational environment.
Business Constraint
A limitation placed on the solution design by the organization that needs the solution. This describes limitations on available solutions, or an aspect of the current state that cannot be changed by the deployment of the new solution.
What does tokenization use?
A lookup table
Significant Advantage of Disk Encryption
A lost or stolen system with a fully encrypted drive can often be handled as a loss of the system, instead of a loss or breach of the data the system contained.
Web Shell
A malicious script that has been loaded onto a web se1ver that enables an attacker to send remote commands to that server
XML (Extensible Markup Language)
A markup language that is designed to carry data instead of indicating how to display it.
Parameterized queries
A means of structuring SQL queries to limit escaping and thus prevent injection attacks.
Asset Criticality
A measure of the importance of an asset to the immediate survival of an organization.
Key things to note when Building an IR Team
A member of management or organizational leadership. This individual will be responsible for making decisions for the team and will act as a primary conduit to senior management for the organization. Ideally, teams should have a leader with enough seniority to make decisions for the organization in an emergency. Information security staff members are likely to make up the core of the team and will bring the specialized IR and analysis skills needed for the process. Since containment often requires immediate action using security tools like firewalls, intrusion prevention systems, and other security tools, the information security team can also help speed up the IR process. The team will need technical experts such as systems administrators, developers, or others from disciplines throughout the organization. The composition of the IR team may vary depending on the nature of the incident, and not all technical experts may be pulled in for every incident. Knowing the systems, software, and architecture can make a huge difference in the IR process, and familiarity can also help responders find unexpected artifacts that might be missed by someone who does not work with a specific system every day. Communications and public relations staff are important to help make sure that internal and external communications are handled well. Poor communications—or worse, no communications—can make incidents worse or severely damage an organization's reputation. Legal and human relations (HR) staff may be involved in some, but not all, incidents. Legal counsel can advise on legal issues, contracts, and similar matters. HR may be needed if staff were involved, particularly if the incident involves an insider or is an HR-related investigation. Law enforcement is sometimes added to a team, but in most cases only when specific issues or attacks require their involvement.
Filesystem permissions
A method for protecting files managed by the OS
Pair Programming
A method of programming in which two programmers write code using a single computer. One programmer in the "driver" role uses the mouse and keyboard to actually write the code while a second acts as a "navigator", keeping track of the big picture, catching errors, and making suggestions. Programmers switch roles frequently and communicate throughout the process. Costly as it reqs two full time devs
Certificate Pinning
A method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.
NXLog
A multi-platform log management tool that helps to easily identify security risks, policy breaches or analyze operational problems in server logs, operation system logs and application logs
Nessus
A network-vulnerability scanner available from Tenable Network Security. Well Known
Birthday Theorem
A password attack named after the birthday paradox in probability theory. The paradox states that for any random group of 23 people, there is a 50 percent chance that 2 of them have the same birthday.
Pass the Hash
A password attack that captures and uses the hash of a password. It attempts to log on as the user with the hash and is commonly associated with the Microsoft NTLM protocol.
HMAC-based one-time password (HOTP)
A password is computed from a shared secret and is synchronized between the client and the server. Usually generated by a physical token
Password Vaults
A password manager that creates a database for all credentials/passwords, everything is encrypted with personal and enterprise options
Host Based Firewall
A piece of software running on a single host that can restrict incoming and outgoing network activity for that host only. Do not provide inisight into what traffic they are filtering without advanced filtering,.
Business Continuity Plan
A plan for how an organization will recover and restore partially or completely interrupted critical function(s) within a predetermined time after a disaster or extended disruption
Legacy platform
A platform that is no longer in widespread use, often because it has been supplanted or replaced by an updated version of that earlier technology.
Switch Port Analyzer (SPAN) or Port Mirror
A port mirror sends a copy of all the traffic sent to one switch port to another switch port for monitoring. A SPAN can do the same thing but can also combine traffic from multiple ports to a single port for analysis. Both are very useful for troubleshooting and monitoring, including providing data for devices like intrusion detection systems that need to observe network traffic to identify attacks.
802.1x
A port-based authentication protocol. Wireless can use 802.1X. For example, WPA2-Enterprise mode uses an 802.1X server (implemented as a RADIUS server) to add authentication.
Lightweight Directory Access Protocol (LDAP)
A protocol used by various client applications when the application needs to query a database.
Network Time Protocol
A secure version of the Network Time Protocol (NTP) exists and is called NTS, but NTS has not been widely adopted. Like many other protocols you will learn about in this lesson, NTS relies on TLS. Unlike other protocols, NTS does not protect the time data. Instead, it focuses on authentication to make sure that the time information is from a trusted server and has not been changed in transit.
OpenVAS
A security tool for conducting port scanning, OS identification, and vulnerability assessments. A client computer (*nix or Windows) must connect to the server to perform the tests.
Out of Band Management
A separate means of accessing the administrative interface should exist. Since most devices are now managed through a network connection, modern implementations use a separate management VLAN or an entirely separate physical network for administration. Physical access to administrative interfaces is another option for out-of-band management, but in most cases physical access is reserved for emergencies because traveling to the network device to plug into it and manage it via USB, serial, or other interfaces is time consuming and far less useful for administrators than a network-based management plane.
Hot aisles
A server room aisle that removes hot air.
Baseline Configuration
A set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.
Resource Exhaustion
A situation in which a hardware device with limited resources (CPU, memory, file system storage, etc.) is exploited by an attacker who intentionally tries to consume more resources than intended.
Continuous Deployment
A software development approach where an organization's developers release products, features, and updates in shorter cycles, when ready, rather than wait for centrally-managed delivery schedules.
Cloud Access Security Broker (CASB)
A software tool or service that enforces cloud-based security requirements. It is placed between the organization's resources and the cloud, monitors all network traffic, and can enforce security policies.
Security Information and Event Management (SIEM)
A software-enabled approach to aggregating, filtering, and managing the reaction to events, many of which are collected by logging activities of IDPSs and network management devices.
Split Tunnel VPN
A split-tunnel VPN only sends traffic intended for systems on the remote trusted network through the VPN tunnel. Split tunnels offer the advantage of using less bandwidth for the hosting site, since network traffic that is not intended for that network will be sent out through whatever Internet service provider the VPN user is connected to. However, that means the traffic is not protected by the VPN and cannot be monitored.
Prepending
A technical method used in social engineering to trick users into entering their username and passwords by adding an invisible string before the weblink they click
API inspection
A technology that scrutinizes API requests for security issues.
What is the relation between Threats Vulnerabilities and risks
A threat without a corresponding vulnerability does not pose a risk, nor does a vulnerability without a corresponding threat.
Downgrade Attack
A type of attack that forces a system to downgrade its security. The attacker then exploits the lesser security control.
Nic Teaming
A type of link aggregation in which two or more NICs work in tandem to handle traffic to and from a single node.
Optical Media
A type of media used to store data which is read by a laser such as a CD or a DVD.
Differential Backup
A type of partial backup that involves copying all changes made since the last full backup. Thus, each new differential backup file contains the cumulative effects of all activity since the last full backup. Fast to recover but slow to backup
Incremental Backup
A type of partial backup that involves copying only the data items that have changed since the last partial backup. This produces a set of incremental backup files, each containing the results of one day's transactions. Fast to backup but slow to recover
Tool-assisted code review
A type of peer review in which authors and reviewers use tools designed for peer code review. Training may be required
White Box Test
A type of penetration test. Testers have full knowledge of the environment prior to starting the test. Compare with black box test and gray box test.
Gray Box Test
A type of penetration test. Testers have some knowledge of the environment prior to starting the test. Compare with black box test and white box test.
Black Box Test
A type of penetration test. Testers have zero knowledge of the environment prior to starting the test. Compare with gray box test and white box test.
Parameter Pollution
A web application attack where the attacker supplies multiple instances of the same parameter name in an HTTP request
What is one of the best ways to ensure that responses happen appropriately?
A well-written, tested set of playbooks for the incident types your organization is most likely to encounter is one of the best ways to ensure that responses happen appropriately in a stressful situation. The ability to refer to steps and processes that were created with forethought and care can make an immense difference in the quality of an incident response process.
3 major players in IaaS
AWS, Microsoft Azure and Google Cloud Platform.
Conditional access
Able to set conditions to see what employees are doing, if an employee is doing a certain task the system will be able to give or take more access to an employee depending on what they are accessing
Five basic requirements for a cryptographic hash function
Accept any input of any length, they produce an output of a fixed length, hash is easy to compute, one way, collision free.
Attribute Based Access Control
Access is based on attributes (of a person, a resource, or an environment)
How to view System D's Journal in Linux
Accessing the systemd journal that records what systemd is doing using the journald daemon can be accomplished using journalctl. This tool allows you to review kernel, services, and initrd messages as well as many others that systemd generates. Simply issuing the journalctl command will display all the journal entries, but additional modes can be useful. If you need to see what happened since the last boot, the -b flag will show only those entries. Filtering by time can be accomplished with the -since flag and a time/date entry in the format "year-month-day hour:minute:seconds."
Virtual Private Coud (VPC)
Achieve Segmentation. Teams can group systems into subnets and designate them as public or private.
Active/passive load balancing
Active/passive load balancer designs bring backup or secondary systems online when an active system is removed or fails to respond properly to a health check. This type of environment is more likely to be found as part of disaster recovery or business continuity environments, and it may offer less capability from the passive system to ensure some functionality remains.
Horizontal Cloud Scaling
Add more servers to a server cluster
Code Injection Attacks
Adding your own code/information into a data stream. Possible because of bad programming (the application should properly handle input/output.) So many different data type: HTML, SQL, XML, LDAP, etc. **modifies the requests for each language SQL injection can be especially devastating since it can reveal/damage/delete sensitive data. **ex: change request for "Smith" to "Smith OR '1=1' " SQL request which allows you to see all the information for ANY user not just Smith.
Agent Based adaptive Balancing
Agent-based adaptive balancing monitors the load and other factors that impact a server's ability to respond and updates the load balancer's traffic distribution based on the agent's reports.
What is probably one of the biggest threats to SIEM deployments?
Alert Fatigue.
2 choices when doing encryption
Algorithm, key
What are NGFWS akin to thanks to their many features?
All in one security devices, but they are deployed at network layer rather than endpoint.
Cloud Transit Gateways
Allow direct interconnection of cloud vpcs with on premises vlans for hybrid cloud ops.
Trusted Automated eXchange of Indicator Information (TAXII)
Allows cyber threat info to be communicated at the end of the application layer via HTTPS.
Caesar Cipher
Also known as a shift cipher, is one of the simplest forms of encryption. It is a substitution cipher where each letter in the original message (called the plaintext) is replaced with a letter corresponding to a certain number of letters up or down in the alphabet.
Off Site Storage
Alternate facility, other than the primary production site, where duplicated vital records and documentation may be stored for use during disaster recovery.
Digital Forensics in Intelligence
Although digital forensics work in most organizations is primarily used for legal cases, internal investigations, and incident response, digital forensics also plays a role in both strategic intelligence and counterintelligence efforts. The ability to analyze adversary actions and technology, including components and behaviors of advanced persistent threat tools and processes, has become a key tool in the arsenal for national defense and intelligence groups. At the same time, forensic capabilities can be used for intelligence operations when systems and devices are recovered or acquired, allowing forensic practitioners to recover data and provide it for analysis by intelligence organizations. Many of the tools that are used by traditional forensic practitioners are also part of the toolset used by intelligence and counterintelligence organizations. In addition to those capabilities, they require advanced methods of breaking encryption, analyzing software and hardware, and recovering data from systems and devices that are designed to resist or entirely prevent tampering that would be part of a typical forensic process.
Email Protocols
Although many organizations have moved to web-based email, email protocols like Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) remain in use for mail clients. Secure protocol options that implement TLS as a protective layer exist for both, resulting in the deployment of POPS and IMAPS
Reason for Different Models
Although these are common descriptions, real-world implementations vary significantly, and the lines between each of these solutions can be blurry. Instead of hard-and-fast rules, these are examples of starting places for organizational mobile device deployment models and can help drive security, management, and operational practices discussions. The best way to look at these practices in real-world use is as part of a spectrum based on organizational needs, capabilities, and actual usage.
Password Spraying
An attack method that takes many usernames and loops them with a single password.
Script Kiddie
An attacker with little expertise or sophistication. Script kiddies use existing scripts to launch attacks.
Kerberos
An authentication system developed by the Massachusetts Institute of Technology (MIT) and used to verify the identity of networked users.
Asymmetric Key Algorithm
An encryption method in which the key used to encrypt a message and the key used to decrypt it are different, or asymmetrical. provides solution to symmetric problems
Relying Party
An entity that relies upon the subscriber's credentials, typically to process a transaction or grant access to information or a system typically in a PKI.
Evil Twin Attack
An evil twin is a malicious fake access point that is set up to appear to be a legitimate, trusted network.
Capture the Flag (CTF)
An exploit-based exercise simulating an attack.
On Path Attack
An on-path (sometimes also called a man-in-the-middle [MitM]) attack occurs when an attacker causes traffic that should be sent to its intended recipient to be relayed through a system or device the attacker controls. Once the attacker has traffic flowing through that system, they can eavesdrop or even alter the communications as they wish. Figure 12.2 shows how traffic flow is altered from normal after an on-path attack has succeeded
Common Vulnerabilities and Exposures (CVE)
An online list of known vulnerabilities (and patches) to software, especially web servers. It is maintained by the MITRE Corporation.
Open Web Application Security Project (OWASP)
An open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
OAuth
An open source standard used for authorization with Internet-based single sign-on solutions.
Risk appetite
An organization's risk appetite is the level of risk that it is willing to accept as a cost of doing business.
Static Code Analysis
Analysis of source code carried out without execution of that software.
Host Intrusion Prevention System (HIPS)
Analyzes traffic before apps receive it, can take action on it and filter out malicious traffic or block specific elements of the data. It looks at all packets so can catch all malicious activity.
Layer 7 of OSI
App, Human/PC interaction. Ex: HTTP FTP SSH DNS
What are Containment Mitigation and Recovery Techniques?
Application allow listing (sometimes referred to as whitelisting), which lists the applications and files that are allowed to be on a system and prevents anything that is not on the list from being installed or run. Application deny lists or block lists (sometimes referred to as blacklists), which list applications or files that are not allowed on a system and will prevent them from being installed or copied to the system. Quarantine solutions, which can place files in a specific safe zone. Antimalware and antivirus often provide an option to quarantine suspect or infected files rather than deleting them, which can help with investigations.
Know how to implement application security controls.
Application security should be at the forefront of security operations principles. This includes protecting code through the use of input validation. Web applications that rely on cookies for session management should secure those cookies through the use of transport encryption. Code should be routinely subjected to code review as well as static and dynamic testing.
Elasticity security
Apps should be able to automatically provision resources to scale and then deprovision to reduce capacity when no longer needed.
Adversarial artificial intelligence is an emerging threat.
As artificial intelligence and machine learning become more common throughout the industry, attackers are also starting to look at how to leverage them as part of their attacks. Introducing bad or tainted data into machine learning environments can help attackers conceal malware or otherwise decrease the effectiveness of ML tools and AI-based detection and security systems. At the same time, the algorithms that are used for AI and ML tools can also be attacked, and modifications to those algorithms could benefit attackers.
Why is slack space analysis critical?
As it has a wealth of data about what has previously occured on a drive that it can provide.
Why are filesystem permissions imporant?
As they could be leveraged by attackers to acquire data and run apps they should not be able to.
How to ID scan targets?
Ask yourself. 1. What is the data classfiication of the info stored, processed or transmitted by the system? 2. Is the system exposed to the internet or public nets? 3. What services are offered by the system? 4. Is the system production test or dev?
Resource policies
Assigning permissions to cloud resources - Not the easiest task - Everything is in constant motion Specify which resources can be provisioned (Azure) - Create a service in a specific region, deny all others Specify the resource and what actions are permitted (Amazon) - Allow access to an API gateway from an IP address range Explicitly list the users who can access the resource (Amazon) - Userlist is associated with the resource
Attack frameworks help analysts identify and categorize attacks.
Attack frameworks are tools that can be used to categorize attacks, attack techniques, processes, and tools. MITRE'S ATT&CK framework breaks attacks into matrices that map to the complete attack lifecycle with techniques and components. The Diamond Model of Intrusion Analysis uses core features, meta-features, and confidence values to help analysts understand intrusions by moving between vertices on a diamond. The Cyber Kill Chain is a seven-step process that moves from reconnaissance to weaponization, delivery, exploitation, installation, command-and-control, and actions on the objective, focusing on attacks and exploits.
Data must be protected in transit, at rest, and in use.
Attackers may attempt to eavesdrop on network transmissions containing sensitive information. This information is highly vulnerable when in transit unless protected by encryption technology. Attackers also might attempt to breach data stores, stealing data at rest. Encryption serves to protect stored data as well as data in transit. Data is also vulnerable while in use on a system and should be protected during data processing activities.
Attackers exploit different vectors to gain initial access to an organization.
Attackers may attempt to gain initial access to an organization remotely over the Internet, through a wireless connection, or by attempting direct physical access. They may also approach employees over email or social media. Attackers may seek to use removable media to trick employees into unintentionally compromising their networks, or they may seek to spread exploits through cloud services. Sophisticated attackers may attempt to interfere with an organization's supply chain.
Authenticated Mode
Authenticated modes of encryption validate the integrity of the ciphertext to ensure that it has not been modified—often through the use of hash-based message authentication code (HMAC), also known as keyed-hash message authentication code.
Three Modes of operations for Cryptographic Systems
Authenticated, Unauthenticated, Counter and within Auth, Mutual and Single Sided Auth
The 7 Key principles for social engineering
Authority, Intimidation, Consensus, Scarcity, Familairity, Trust, urgency.
Online Certificate Status Protocol
Automated method of maintaining revoked certificates within a PKI.
What should new hire checks contain?
Background checks
Common Security layers
Badges, Fire suppression, alarms, gaseous suppression, signange, mantraps, locks, guards, cameras and sensors, hot aisles and cold aisles,
Considerations for Cloud Backups and Off Site storage
Bandwith reqs for the backups and restoration time, time and cost to retrieve files, reliability, New security models required for bakcups
Block Ciphers
Blocks ciphers perform encryption by breaking a message into fixed-length units, called blocks. Advantages of block ciphers include the following: -Implementation of block ciphers is easier than stream-based cipher implementation. -Block ciphers are generally less susceptible to security issues. -They are generally used more in software implementations. -Block ciphers employ both confusion and diffusion. Block ciphers often use different modes: ECB, CBC, CFB, and CTR.
UEFI measured boot
Boot processes measure each component starting with the firmware and ending with the boot start drivers. Does not validate against a known good list of signatures before booting, instead it relies on the UEFI firmware to hash the firmware, boot loader and anything else. The data is stored in the TPM and logsd can be validated remotely.
Cryptographic and authentication protocols provide wireless security.
Both WPA2 and WPA3 are used in modern Wi-Fi networks. These protocols provide for both simple authentication models, like WPA2's preshared key mode, and for enterprise authentication models that rely on RADIUS servers to provide user login with organizational credentials. Devices are frequently configured to use a variant of the Extensible Authentication Protocol (EAP) that supports the security needs of the organization and that is supported by the deployed wireless devices.
FTK and encase
Both are complete forensic tools, including acquisition, analysis, automation and investigation tools, and reporting capabilities. Although some organizations use Autopsy, and open source tools are heavily used by analysts who need forensic capabilities for incident response, these commercial packages see heavy use in police, legal, and similar investigations.
Nslookup and dig
Both can perform a looup of an IP address to return a domain name or vice versa, can also lookk up specific DNS info like MX (mail server),A, and other DNS records
Pulverizing
Break devices in to very small bits, size of output material can determine the potential for recovery of the data
Pulping
Breaks paper documents into wood pulp, can be recycled, destroys documents
Attacking One time Passwords
Bruteforce doesnt work well as it is always changing, attackers must use a stolen pass immediately, sms ones can be redirected using a cloned sim or if phone is part of a VoIP
CVE 2002-0126
Buffer Oveflow in BlackMoon FTP server 1.0 through 1.5
CVE 2001-0876
Buffer Overflow in Universal Plug and Play (UPnP) on Windows 98, 98SE, Me and xp
Bug bounty programs incentivize vulnerability reporting.
Bug bounty programs allow external security professionals to probe the security of an organization's public-facing systems. Testers who discover vulnerabilities are provided with financial rewards for their participation. This approach is a good way to motivate hackers to work for good, rather than using discovered vulnerabilities against a target.
Features of Next Gen Firewalls
Built in IPS or IDS functionality which can analyze traffic for attacks and either take action or alert on it. Antimalware and antivirus features that allow them to scan traffic for malware in addition to performing firewall operations. Geo-IP and geolocation capability to match threats with real-world locations. Proxying, which allows device to intercept traffic and analyze it by sitting in the middle of encrypted web traffic. Web app firewall capabilities designed to protect web apps. Sandboxing. Integrate threat intelligence feeds Perform Behavior analysis Perform loadbalancing and reverse proxy services.
Scripts and other code can be malicious.
Built-in scripting languages and tools like PowerShell, Python, Bash, and macro languages like Visual Basic for Applications (VBA) can all be leveraged by attackers. Fileless malware often leverages PowerShell to download and execute itself once it leverages a flaw in a browser or plug-in to gain access to a Windows system. Attackers can use languages like Python to run code that can be hard to detect on Linux systems, allowing remote access and other activities to occur. Macros included in Office documents require users to enable them, but social engineering can help attackers to bypass default security settings.
How can orgs implement the Risk Concepts?
By having a high degree of awareness and boiling down the risk register chart down to a simplified version for business leaders.
How can you ensure data remnance is not an issue?
By using the built in secure erase command. Destroying drives is also ideal.
Command and Control (C2)
C2 access allows two-way communication and continued control of the remote system. Defenders will seek to detect the C2 infrastructure by hardening the network, deploying detection capabilities, and conducting ongoing research to ensure they are aware of new C2 models and technology.
Shell
CLI. Windows is cmd, mac os is bash, shell scrpts can be ran here.
Secrets Management
Can be done with HSMS to manage encryption keys and perform crypto ops quick but hihghly expensive to purchase and operate but offer high security.
What advantage do Software and VM apps have?
Can be easily depolyed and scaled based on nedds.
Changed Scope
Can go beyond scope.
Host Intrusion Detection System
Can only report and alert on issues, therefore less likelyhood for causing issues but it cannot take action on traffic.
SIEM trends
Can point to a new problem that is starting, an exploit that is occuring or simply which malware is most prevalent.
Captive Portals
Captive portals redirect traffic to a website or registration page before allowing access to the network.
Snapshot
Captures full state of a system at the time the backup is completed, common in VM's.
Carrier Unlocking
Carrier unlocking allows phones to be used with other cellular providers. Monitoring the carrier unlock status of a device is not a common MDM capability and is typically handled at the carrier level.
Mobile Device Management
Challenge due to limitations, variations between os and dont have broad set of contreols business oriented devices do.
How does Kerberos Work?
Client requests an auth ticket, and checks credentials. When the client wants to use a service, the client sends the ticket to a Ticket Granting service and includes the name of the resource. The TGS sends back a valid session key.
Implement appropriate security controls in a cloud environment.
Cloud customers should understand how to use the controls offered by providers and third parties to achieve their security objectives. This includes maintaining resource policies and designing resilient cloud implementations that achieve high availability across multiple zones. From a storage perspective, cloud customers should consider permissions, encryption, replication, and high availability. From a network perspective, cloud customers should consider the design of virtual networks with public and private subnets to achieve appropriate segmentation. From a compute perspective, customers should design security groups that appropriately restrict network traffic to instances and maintain the security of those instances.
Security Grups
Cloud implemented firewalls. Define permissible network traffic. Function at the network layer.
On Demand Self Service Computing
Cloud resources available wherever and whenever you need them.
Cloud and E-Discovery
Cloud vendors provide services and will not permit you to place an intrusive legal hold and discovery agent in their cloud service. That means that as you adopt cloud services you must address how you would deal with legal holds for those services. Tools like Google's Vault provides both emails archiving and discovery support, helping organizations to meet their discovery requirements.
Code Security Methods
Code Signing, Code Reuse, Software Diversity, Code Repositories, Integrity Measurement, Application Resilience.
Explain secure code deployment and automation concepts.
Code repositories serve as version control mechanisms and a centralized authority for the secure provisioning and deprovisioning of code. Developers and operations teams should work together on developing automated courses of action as they implement a DevOps approach to creating and deploying software. Software applications should be designed to support both scalability and elasticity.
Endpoint detection and response
Combine monitoring capabilities on endpoint devicers and systems to collect correlate and analyze events. Key Features of EDR systems are the ability to search and explore the collected data and to use it for investigatons as well as the ability to detect suspicious data.
Head
Command to show you the first part of a file, default is 10 lines but can be changed with n flag. Can monitor mult files. Ie head - n 15 example.txt will show 15 lines from example.txt
Security professionals must know how to use command-line tools to gather network and system information.
Command-line tools are an important part of your network assessment and management toolkit. Route information can be gathered with ping, tracert and traceroute, and pathping. DNS information is provided by dig and nslookup. System information about networking and traffic can be provided by ipconfig, ifconfig, netstat, arp, and route. Scanning for ports frequently involves nmap and Nesuss, but a range of other tools can be used, including other IP-based scanners. netcat is a multifunction tool used by many security professionals because it is small and portable and has wide functionality. curl retrieves information based on URLs, and hping allows for packet construction and analysis. OSINT tools like theHarvester, Sn1per, and DNSEnum allow information to be gathered without directly communicating with target systems. Finally, packet capture tools like tcpdump and Wireshark allow traffic to be analyzed and reviewed in either a command-line or GUI environment, and a sandbox like Cuckoo can be used to test for the presence of malware in a safe environment.
Scalability Response Control
Common design element and useful response control for many modern systems. Two types, vertical and Horizontal
Implied Trust
Common in Embedded devices due to all the security constraints and hence why they must be extensively reviewed before deploying.
Organizations often adopt a set of security policies covering different areas of their security programs.
Common policies used in security programs include an information security policy, an acceptable use policy, a data ownership policy, a data retention policy, an account management policy, and a password policy. The specific policies adopted by any organization will depend on that organization's culture and business needs.
Darik's Boot and Nuke
Common practice for orgs that want to reuse a drive
Incident Response Policies
Commonly defined as part of building an IR capability. Well Written ones will include components of the IR process.
The three objectives of cybersecurity are confidentiality, integrity, and availability.
Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information. Integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally. Availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.
Hardening the Windows Registry
Config permissions for the registry, disallow remote registry access and limit access to registry tools like regedit so attackers who gain access cant change or view the registry.
Continuous Integration
Continuous Integration (CI) is a development practice that requires developers to integrate code into a shared repository several times a day. Each check-in is then verified by an automated build, allowing teams to detect problems early. Maintain a code repository Automate the build Make the build self-testing Everyone commits to the baseline every day Every commit (to baseline) should be built Keep the build fast Test in a clone of the production environment Make it easy to get the latest deliverables Everyone can see the results of the latest build Automate deployment Tools: Jenkins Buildbot Travis CI
Control Risk
Control risk is the risk that arises from the potential that a lack of internal controls within the organization will cause a material misstatement in the organization's financial reports. Information technology risks can contribute to controlling risks if they jeopardize the integrity or availability of financial information. For this reason, financial audits often include tests of the controls protecting financial systems.
Security controls may be categorized based on their mechanism of action and their intent.
Controls are grouped into the categories of managerial, operational, and technical based on the way that they achieve their objectives. They are divided into types of preventive, detective, corrective, deterrent, compensating, and physically based on their intended purpose.
COPE (Corporate Owned, Personally Enabled)
Corporate-provided devices allow reasonable personal use while meeting enterprise security and control needs.
How to validate forensic data integrity.
Create a hash of the copy and of th OG drive and then compare them. MD5 and Sha1 are good for this.
Core Benefit of HSM
Create and manage encryption without exposing them to a single human. Cloud providers often use HSM internally for the management of their own encryptiojn keys,.
Elliptic Curve
Created in 1985 by Victor Miller, IBM. Endorsed by the NSA, schemes based on it for Suite B. Protects information classified up to top secret with 384bit keys. Based on y2 = x3 + Ax + B.
Virtualization
Creates multiple "virtual" machines on a single computing device
known plaintext attack
Cryptanalysis attack where the attacker is assumed to have access to sets of corresponding plaintext and ciphertext.
Cuckoo Sandbox
Cuckoo Sandbox is an automated malware analysis tool that can analyze malware in a variety of advanced ways, from tracking calls to system components and APIs to capturing and analyzing network traffic sent by malware. Since Cuckoo Sandbox is an automated tool, once it is set up you can simply have it analyze potential malware, as shown in Figure 12.12. In this example, the file was quickly identified as malware and received a rating of 10 out of 10.
Licensing Limitation
Curtail Bandwith.
Analysis/Requirements Phase
Customer input is sought to determine the functionality.
Cloud Scalability
Customers can manually or automacally increase capacity. Vertical Scaling in cloud, horizontal scaling in cloud
Risk identification and assessment helps organizations prioritize cybersecurity efforts.
Cybersecurity analysts seek to identify all of the risks facing their organization and then conduct a business impact analysis to assess the potential degree of risk based on the probability that it will occur and the magnitude of the potential effect on the organization. This work allows security professionals to prioritize risks and communicate risk factors to others in the organization.
Many vulnerabilities exist in modern computing environments.
Cybersecurity professionals should remain aware of the risks posed by vulnerabilities both on-premises and in the cloud. Improper or weak patch management can be the source of many of these vulnerabilities, providing attackers with a path to exploit operating systems, applications, and firmware. Weak configuration settings that create vulnerabilities include open permissions, unsecured root accounts, errors, weak encryption settings, insecure protocol use, default settings, and open ports and services. When a scan detects a vulnerability that does not exist, the report is known as a false positive. When a scan does not detect a vulnerability that actually exists, the report is known as a false negative.
Symmetric Key Algorithms
DES, 3DES, AES, Twofish, Blowfish, IDEA, Skipjack, RC2,RC4, RC5, RC6
Data loss prevention systems block data exfiltration attempts.
DLP technology enforces information handling policies to prevent data loss and theft. DLP systems may function at the host level, using software agents to search systems for the presence of sensitive information. They may also work at the network level, watching for transmissions of unencrypted sensitive information. DLP systems detect sensitive information using pattern-matching technology and/or digital watermarking.
A number of network design concepts describe specific implementations of network segmentation:
DMZ, Intranets, Extranets
DNS Original Port UDP/ TCP 53
DNSSEC UDP/TCP 53
In SaaS what is a shared responsibility?
Data
in PaaS what is the customer responsible for?
Data
Data Privacy Roles
Data Controllers, Data Stewards, Data Custodians, Data Processors, Data Protection Officers
Layer 2 of OSI
Data Link Layer, Data format for the network, error detection, flow control. Ex: Frames, Ethernet
DLP
Data Loss Prevention
Metadata
Data about data
Logical Copy
Data preserved but not match the state of the drive or device exactly. Inadmissible in many situations
What is the most volatile info/
Data stored in caches and registers are first in the order of volatility as they are most volatile, as the list goes on each item is less likely to disappear fast with backups being the least likely.
Know how to implement database security controls.
Databases often store an organization's most sensitive information, and database security controls should be put in place that protect that information adequately. This begins with the use of normalized database designs and continues with the use of stored procedures to interact with databases. Sensitive information stored in databases should be protected through the use of data minimization, data tokenization, and a combination of salting and hashing.
Quality of Service protocols
Define how traffic can be tagged and prioritized. According to QoS rules that apply based on apps, users, ports, protocols or IP's
Blind Timing based SQL injection
Depend on delay mechanisms, if a app returns data immediately it is usually not vulnerable to these attacks.
Managing mobile devices relies on both deployment methods and administrative tools.
Deployment methods include bring your own device; choose your own device; corporate-owned, personally enabled; and corporate owned. The risks and rewards for each method need to be assessed as organizations choose which model to deploy their devices in. Once that decision is made, tools like mobile device management or unified endpoint management tools can be used to configure, secure, manage, and control the devices in a wide range of ways, from deploying applications to securely wiping devices if they are lost or stolen. You need to understand the capabilities and limitations of MDM and UEM products as well as the devices and operating systems that they can manage.
Open Systems Interconnection Model
Describe how devices and software operate together through networks.
Input blacklisting
Describe malicious input that must be blocked. EX HTML Tags or SQL commands. Easy to block ' for sql but hard because last names might be something like O'Reilly
Attack Vector metric
Describes how an attacker would exploit vuln
Privileges Required Emtric
Describes the type of account access an attacker would need
Availablity Metric
Describes type of attack that might occur if an attacker successfully exploits the vulnerability.
Confidentiality Metric
Describes type of info disclosure that might occur if attacker exploits a vulnerabiulity
User Interaction Metric
Describes whether the attackers needs to involve another human.
Design Phase
Design for functionality, architecture, integration points and techniques, dataflows, business processes and any other elements.
Rules of Engagement (ROE)
Detailed guidelines and constraints regarding the execution of information security testing. The ROE is established before the start of a security test, and gives the test team authority to conduct defined activities without the need for additional permissions.
Certificate Practice Statement
Detailed statement of the procedures and practices the CA uses to manage the certificates
File Integrity Monitoring
Detect changes and report on them or restore them. Although there are numerous products on the market that can handle file integrity monitoring, one of the oldest and best known is Tripwire, a file integrity monitoring tool with both commercial and open source versions. File integrity monitoring tools like Tripwire create a signature or fingerprint for a file and then monitor the file and filesystem for changes to monitored files. They integrate numerous features to allow normal behaviors like patching or user interaction, but they focus on unexpected and unintended changes. A file integrity monitor can be a key element of system security design, but it can also be challenging to configure and monitor if it is not carefully set up. Since files change through a network and on systems all the time, file integrity monitors can be noisy and require time and effort to set up and maintain.
Network Based Intrusion Prevention Systems
Detect threats, block them, rely on one or more of three diff detection methods.
Network Based INtrustion Detection Systems
Detect threats, rely on one or more of three diff detection methods.
Defend against attacks to OT
Detecting an attack against an OT device or network without additional security tools in place often means noticing that it is not responding or that it appears to have fallen off the network. Further investigation may show that the device has crashed or is online but not responding to network traffic because it is overwhelmed. At that point, traditional incident response and network incident investigation techniques can be put in to play. Since OT and IoT devices in general remain less prepared for a potentially hostile network, design and architecture planning can be a critical control to keep them secure. Using isolated VLANs, limiting ingress and egress of network traffic, preventing unknown devices from being added to the isolated VLANs, and instrumenting those networks are all useful techniques to prevent OT network attacks of all sorts.
Steps for Assessing Embedded Systems
Determine how the embedded system interfaces with the world: does it connect to a network, to other embedded devices, or does it only have a keyboard or other physical interface? If the device does provide a network connection, identify any services or access to it provided through that network connection, and how you can secure those services or the connection itself. Learn about how the device is updated if patches are available, and how and when those patches should be installed; then ensure a patching cycle is in place that matches the device's threat model and usage requirements. Document what your organization would do in the event that the device had a security issue or compromise. Could you return to normal? What would happen if the device were taken offline due to that issue? Are there critical health, safety, or operational issues that might occur if the device failed or needed to be removed from service? Document your findings, and ensure that appropriate practices are included in your organization's operational procedures.
Quantitative Risk Assessment Methodology
Determine the asset value (AV) of the asset affected by the risk. This asset value (AV) is expressed in dollars, or other currency, and may be determined using the cost to acquire the asset, the cost to replace the asset, or the depreciated cost of the asset, depending on the organization's preferences. Determine the likelihood that the risk will occur. Risk analysts consult subject matter experts and determine the likelihood that a risk will occur in a given year. This is expressed as the number of times the risk is expected each year and is described as the annualized rate of occurrence (ARO). A risk that is expected to occur twice a year has an ARO of 2.0, whereas a risk that is expected once every one hundred years has an ARO of 0.01. Determine the amount of damage that will occur to the asset if the risk materializes. This is known as the exposure factor (EF) and is expressed as the percentage of the asset expected to be damaged. The exposure factor of a risk that would completely destroy an asset is 100 percent, whereas a risk that would damage half of an asset has an EF of 50 percent. Calculate the single loss expectancy. The single loss expectancy (SLE) is the amount of financial damage expected each time a risk materializes. It is calculated by multiplying the AV by the EF. Calculate the annualized loss expectancy. The annualized loss expectancy (ALE) is the amount of damage expected from a risk each year. It is calculated by multiplying the SLE and the ARO.
What is another part of Site Survey/
Determining which channels your access points will use is also part of this process. In the 2.4 GHz band, each channel is 20 MHz wide, with a 5 MHz space between. There are 11 channels for 2.4 GHz Wi-Fi deployments, resulting in overlap between channels in the 100 MHz of space allocated as shown in Figure 13.3. In most use, this means that channels 1, 6, and 11 are used when it is possible to control channel usage in a space to ensure that there is no overlap and thus interference between channels. In dense urban areas or areas where other organizations may have existing Wi-Fi deployments, overlapping the channels in use onto your heatmap will help determine what channel each access point should use.
What is an important part of configuration management apart from standards and tools?
Diagrams ie architecture, network and dataflow to see how orgs tech is set up, and documentation.
Route Security
Diff protocols have diff security, MITM attacks are on path attacks but outages due to loops are possible. Some common routing protocols are BGP, OSPF, and EIGRP. Their security is important since they are susceptible to attacks and mistakes.
The order of volatility is used to determine what to acquire first.
Different system components and resources are more likely to be changed or be lost during the time a forensic acquisition takes. Thus, forensic practitioners refer to the order of volatility to determine what is the most volatile and what is the least volatile. CPU cache and registers are typically the most volatile, followed by the process table, ARP cache, kernel statistics, and similar data. Next, system RAM; temporary files and swap space, with data on the hard disk; remote logs; and finally backups are all less volatile. Your forensic acquisition process should take the order of volatility into account as well as the circumstances of your acquisition process to determine what to capture first.
encryption algorithms used to support a digital signature infrastructure
Digital Signature Algorithm (DSA) as described in FIPS 186-4, Rivest, Shamir, Adleman (RSA) as specified in ANSI X9.31, Elliptic Curve DSA (ECDSA) as specified in ANSI X9.62
Understand the purpose and use of digital certificates.
Digital certificates provide a trusted mechanism for sharing public keys with other individuals. Users and organizations obtain digital certificates from certificate authorities (CAs), who demonstrate their trust in the certificate by applying their digital signature. Recipients of the digital certificate can rely on the public key it contains if they trust the issuing CA and verify the CA's digital signature.
Explain how digital signatures provide nonrepudiation.
Digital signatures provide nonrepudiation by allowing a third party to verify the authenticity of a message. Senders create digital signatures by using a hash function to generate a message digest and then encrypting that digest with their own private key. Others may verify the digital signature by decrypting it with the sender's public key and comparing this decrypted message digest to one that they compute themselves using the hash function on the message.
Disaster recovery planning builds resiliency.
Disaster recovery plans activate when an organization experiences a natural or man-made disaster that disrupts its normal operations. The disaster recovery plan helps the organization quickly recover its information and systems and resume normal operations.
What are the discovery processes in the e-discovery?
Discovery processes allow each side of a legal case to obtain evidence from each other and other parties involved in the case, and e-discovery is simply an electronic discovery process. In addition to legal cases, discovery processes are also often used for public records, Freedom of Information Act requests, and investigations. It helps to view electronic discovery using a framework, and the Electronic Discovery Reference Model (EDRM) is a useful model for this.
What is another good way to build resilience into an infrastructure?
Diversity of tech, variety of vendors, crypto solutions, platforms and controls.
Provenance
Documenting the provenance, or where an image or drive came from and what happened with it, is critical to the presentation of forensic analysis. Forensic suites have built-in documentation processes to help with this, but manual processes that include pictures, written notes, and documentation about the chain of custody, processes, and steps made in the creation and analysis of forensic images can yield a strong set of documentation to provide appropriate provenance information. With documentation like this, you can help ensure that inappropriate handling or processes do not result in the repudiation of the images or process, resulting in the loss of a legal case or an inability to support criminal or civil charges.
3 Types of DNS and domain related attacks
Domain Hijacking, DNS Poisoning, URL Redirection.
Domain Name System Security Extensions (DNSSEC)
Domain Name System Security Extension (DNSSEC) focuses on ensuring that DNS information is not modified or malicious, but it doesn't provide confidentiality like many of the other secure protocols listed here do. DNSSEC uses digital signatures, allowing systems that query a DNSSEC-equipped server to validate that the server's signature matches the DNS record. DNSSEC can also be used to build a chain of trust for IPSec keys, SSH fingerprints, and similar records.Secure Lightweight Directory Application Protocol (LDAPS) is a TLS-protected version of LDAP that offers confidentiality and integrity protections.
Domain name resolution protocl
Domain name resolution remains a security challenge, with multiple efforts over time that have had limited impact on DNS protocol security.
What advantage do Cloud Appliances have?
Dynamically created used and scaled as needed.
Elliptic Curve Group
Each elliptic curve has a corresponding elliptic curve group made up of the points on the elliptic curve along with the point O, located at infinity. Two points within the same elliptic curve group (P and Q) can be added together with an elliptic curve addition algorithm.
How an attacker could steal your cookies
Eaves drop and steal a copy of the cookie as it is transmitted, Install malware on users browser, engage in MITM and pretend to be someone they arent
Defense against Ransomware
Effective Backup to store files in seperate area, usually best as paying is a financial loss and people may just demand more money.
Email and Web Traffic Protocols
Email and web traffic relies on a number of secure options, including HTTPS, IMAPS, POPS, and security protocols like Domain-based Message Authentication, Reporting & Conformance (DMARC), Domain Keys Identified Mial (DKIM) and Sender Policy Framework (SPF)
Unique Security Constraints of an embedded system
Embedded systems typically have less computational power, less memory, and less storage than traditional systems. Limited resources mean that embedded systems may not have the resources to provide encryption, antivirus, or other security features, and that they may not be able to log data. Some embedded systems do not have network connectivity, or they may use specialized communication protocols to communicate, making remote patching and management challenging. Their operating systems and the software used by embedded systems frequently do not have the same functionality as a desktop or mobile operating system, and they may lack authentication capabilities or other key features that you might expect in a traditional system.
Drive encryption and sanitization helps prevent data exposure.
Encrypting drives and media helps keep them secure if they are stolen or lost. Full-disk encryption covers the entire drive, whereas volume or file encryption protects portions of the contents. Sanitizing drives and media involves wiping them using a secure deletion process, or their destruction to ensure that the data cannot be recovered. Using appropriate processes based on the security requirements for the data and the type of drive or media involved is critical to making sure that the data is properly removed.
Weak Encryption
Encryption that is relatively easy or simple to decrypt without the encryption key.
Volume Encryption
Encrypts only a part of a hard drive instead of the entire disk.
What does Jamf Pro, Config Manager, and CFEngine do>
Enforce standards, manage systems, and report on areas where systems do not match expected settings.
What do hot and cold aisles do?
Ensure servers have proper airflow.
How can diagrams/documentation benefit config management?
Ensure that deployments meet the standards and requirements of the org, and are CRITICAL during incident response as it can help you recover faster. Can also be provided to auditors which become a useful artifact for assessment of designs
UEFI secured boot
Ensures system boots using only software that the original equipment manufacturer trusts.
Enterprise Authentication
Enterprise authentication relies on a RADIUS server and utilizes an Extensible Authentication Protocol (EAP) for authentication.
process table, Kernel Stats, System's ARP cache and other similar info are
Ephemeral data and can be captured through a combination of memory and disk acquisition, but it is important to remember that the capture will only be of the moment in time when the acquisition is done. If events occurred in the past, this data may not reflect the state that the system was in when the event occurred.
Persistence
Establish permanence on networok via backdoor incase they get kicked out.
Attacks against wireless networks
Evil Twin attack, Rogue Accesss Points.
Common attacks against wireless networks exploit vulnerabilities in protocols and human behavior. .
Evil twins pretend to be legitimate networks, and rogue access points are devices that are connected inside your network, allowing attackers to pass your security perimeter. Bluejacking sends unsolicited messages to Bluetooth devices, whereas bluesnarfing focuses on stealing contacts and other data. Protocol attacks against Wi-Fi can allow disassociation to occur, causing systems to reconnect and permitting an attacker to capture useful data or to deceive the user or system into connecting to an evil twin. Jamming attacks flood the network with noise or unwanted signals, causing outages or disconnections
Function as a Service (FaaS)
Example of PaaS computing. Allows customers to upload code functions to procvier and provider will execute on a regular basis. AWS Lambda is an example of FaaS/PaaS.
Policy documents should include exception processes.
Exception processes should outline the information required to receive an exception to security policy and the approval authority for each exception. The process should also describe the requirements for compensating controls that mitigate risks associated with approved security policy exceptions.
Sudo
Execute a command as another user
Cybersecurity exercises ensure that teams are prepared for security incidents.
Exercises are designed to test the skills of security professionals. Blue teams are responsible for managing the organization's defenses. Offensive hacking is used by red teams as they attempt to gain access to systems on the target network. White teams serve as the neutral moderators of the exercise. Purple teaming is conducted after an exercise to bring together the red and blue teams for knowledge sharing.
Extranets
Extranets are networks that are set up for external access, typically by partners or customers rather than the public at large.
Response and recovery are critical when failures occur.
Failures will occur, so you need to know how to respond. Nonpersistence and last-known good configurations allow you to return to a trusted or previous state. Scalability, whether horizontal with more systems or vertically with power-capable systems, provides more resources to handle loads. Horizontal scalability allows you to add and remove more systems or services and thus provides additional flexibility. Having a disaster recovery location, like a hot, warm, or cold site or a redundant cloud or hosted location, can help ensure that your organization can return to operations more quickly. Having a predetermined restoration order provides a guideline on what needs to be brought back online first due to either dependencies or importance to the organization.
Physical Security Controls
Fences, placement of Bollardsdd, Lighting, Guards, cameras, Faraday cages, drone defense, man trap, the works.
File Transfer Protocol
File Transfer Protocol (FTP) has largely been replaced by a combination of HTTPS file transfers and SFTP or FTPS, depending on organizational preferences and needs.
Files and data on a diskl
Files and data on a disk change more slowly but are the primary focus of many investigations. It is important to capture the entire disk, rather than just copy files so that you can see deleted files and other artifacts that remain resident.
Man in the Browser
Final on Path attack variant. his attack relies on a Trojan that is inserted into a user's browser. The Trojan is then able to access and modify information sent and received by the browser. Since the browser receives and decrypts the information, a browser-based on-path attack can successfully bypass TLS encryption and other browser security features, and it can also access sites with open sessions or that the browser is authenticated to, allowing an MitB attack to be a very powerful option for an attacker. Since browser based on-path attacks require a Trojan to be installed, either as a browser plug-in or a proxy, system-level security defenses like antimalware tools and system configuration management and monitoring capabilities are best suited to preventing them.
Important Configuration Changes
Firewall rule changes, either to add new firewall rules, modify existing firewall rules, or in some cases, to remove firewall rules. Mobile device management (MDM) changes, including applying new policies or changing policies; responding by remotely wiping devices; locating devices; or using other MDM capabilities to assist in the IR process .Data loss prevention (DLP) tool changes, which may focus on preventing data from leaving the organization or detecting new types or classifications of data from being sent or shared. DLP changes are likely to be reactive in most IR processes, but DLP can be used to help ensure that an ongoing incident has a lower chance of creating more data exposure. Content filter and URL filtering capabilities, which can be used to ensure that specific sites are not able to be browsed or accessed. Content filter and URL filtering can help prevent malware from phoning home or connecting to C2 sites, and it can also prevent users from responding to phishing attacks and similar threats. Updating or revoking certificates, which may be required if the certificates were compromised, particularly if attackers had access to the private keys for the certificates. At the same time, removing certificates from trust lists can also be a useful tool, particularly if an upstream service provider is not responding promptly and there are security concerns with their services or systems.
Controls that might affect scan results:
Firewall settings, network segmentations, Intrusion Detection Systems, (IDSs), Intrustion Prevention Systems (IPSs)
Honeypots
First and Most common info gathering tool. systems that are intentionally configured to appear to be vulnerable but that are actually heavily instrumented and monitored systems that will document everything an attacker does while retaining copies of every file and command they use. They appear to be legitimate and may have tempting false information available on them.
Fixed Weighted
Fixed weighted relies on a preassigned weight for each server, often based on capability or capacity.
Volume Based
Focus on sheer amount of traffic causing DDOS. Some rely on amplification. 2 types of Volume attacks, UDP and ICMP floods.
Cloud Networking
Follows the same virutalization model as other cloud infrastructure resources. Supports Software Defined Networking Movement.
Data Ownership Policies and Proceduresa
For example, the vice president of Human Resources might be the data owner for employment and payroll data, whereas the vice president for Sales might be the data owner for customer information. Clear lines of data ownership place responsibility for data in the hands of executives who best understand the impact of decisions about that data on the business. They don't make all of these decisions in isolation, however. Data owners delegate some of their responsibilities to others in the organization and also rely on advice from subject matter experts, such as cybersecurity analysts and data protection specialists.
Forensic reports must be well organized and to the point.
Forensic analysis doesn't end when the technical examination of devices and drives is over. Forensic reports summarize key findings, then explain the process, procedures and tools, as well as any limitations or assumptions that impact the investigation. Next, they detail the forensic findings with appropriate evidence and detail to explain how conclusions were reached. They conclude with recommendations or overall conclusions in more detail than the summary provided.
Pass-Around Code Review
Form of manual peer review where completed code is sent to review. more flexibility but dont provide the same easy opportunity to learn about he code.
European Union's General Data Protection Regulation (GDPR)
Formalizes the role of Data Protection officer, requiring that every data controller designate a DPO and grant that individual the autonomy to carry out their responsibilities without undue oversight.
Wifi Protocol Security
Fortunately, Wi-Fi protocols like WPA2 and WPA3 provide security features and functionality to help keep wireless signals secure. Those features include encryption options, protection for network frames, and authentication options. Wi-Fi devices are most commonly deployed in either ad hoc mode, which allows devices to talk to each other directly, or in infrastructure mode, which sends traffic through a base station, or access point. Wi-Fi networks use service set identifiers (SSIDs) to identify their network name. SSIDs can be broadcast or kept private.
Two Types of Proxy Servers:
Forward Proxies, Reverse Proxies
Forward proxies
Forward proxies are placed between clients and servers, and they accept requests from clients and send them forward to servers. Since forward proxies conceal the original client, they can anonymize traffic or provide access to resources that might be blocked by IP address or geographic location. They are also frequently used to allow access to resources such as those that libraries subscribe to.
Battle over passwords
Frequent changes and long passwords are good but hard to remember and might be less useful
Types of Backups
Full, Incremental, Differential, snapshot, images
Reconaissance
Gather info about the victim
HMAC
Hash-based Message Authentication Code. An HMAC is a fixed length string of bits similar to other hashing algorithms such as MD5 and SHA-1, but it also uses a secret key to add some randomness to the result. Deos not do nonrepudiation
Validating acquired data helps keep it admissible.
Hashing drives and images ensure that the acquired data matches its source. Forensic practitioners continue to commonly use MD5 or SHA1 despite issues with both hashing methods because adversarial techniques are rarely at play in forensic examinations. Checksums can be used to ensure that data is not changed, but they do not create the unique fingerprints that hashes are also used to provide for forensic artifacts.
Three Goals of Guideline
Help agencies determine if, and to what extent, their agency will implement and rely on electronic records and electronic signatures. Provide agencies with the information they can use to establish policy or rules governing their use and acceptance of digital signatures. Provide direction to agencies for sharing of their policies with the Office of the Chief Information Officer (OCIO) pursuant to state la
What does the Opal Standard Specify?
How devices must protect data when outside of their owners control and how to ensure that devices produced by various vendors can all interoperate successfully.
What else could Admins want to control?
How devices use their wireless connectivity
HTTPS Protocol
Hypertext Transfer Protocol over SSL/TLS (HTTPS) relies on TLS in modern implementations but is often called SSL despite this. Like many of the protocols discussed here, the underlying HTTP protocol relies on TLS to provide security in HTTPS implementations.
Account Disablement Policy
Identifies what to do with accounts for employees who permanently leave or are on a leave of absence. Most policies require admins to disable the account ASAP. Disabling the account ensures the data associated with it remains available.
Why might Remote Wipe Not work?
If device cant get signal, ie faraday cage or RF blocker
Downfall of Disk Encryption
If key is lost, the data drive will liekly be unrecoverable. And tech support is challenging and data corruption etc.
How to identify Ransomware
If you suddenly get a paywall when not expecting one to accesss data. Black mail etc.
Access control schemes determine what rights accounts have.
Important access control schemes include attribute-based access control (ABAC), which employs user attributes to determine what access the user should get. Role-based access control (RBAC) makes decisions based on roles, whereas rule-based access control (also sometimes called RBAC) uses rules to control access. In addition to knowing these access control schemes, be familiar with mandatory access control (MAC), which relies on the system administrator to control access, and discretionary access control (DAC), which allows users to make decisions about access to files and directories they have rights to. Conditional access controls which devices can access an environment, typically based on their security state or other requirements. PAM (privileged access management) is focused on controlling administrative accounts. Finally, test takers also need to know how to use and apply common filesystem permissions.
Keccak algorithm
In 2012, the federal government announced the selection of the Keccak algorithm as the SHA-3 standard.
CYOD Implementation
In CYOD models, the organization pays for the device and typically for the cellular plan or other connectivity. The user selects the device, sometimes from a list of preferred options, rather than bringing whatever they would like to use. In a CYOD design of this type, support is easier since only a limited number of device types will be encountered, and that can make a security model easier to establish as well. Since CYOD continues to leave the device in the hands of the user, security and management is likely to remain less standardized, although this can vary.
Securing underlying wireless infrastructure requires strong network device administration and security practices.
In addition to protocols like these, the controllers and access points must be protected. Like other network devices, controllers and APs need to be regularly patched and updated, and must be configured securely. They also must have protected administrative interfaces and should be configured to log and report on the network, their own status, and security issues or potential problems.
Soc Report
In addition to the three categories of SOC assessment, there are two different types of SOC report. Both reports begin with providing a description by management of the controls put in place. They differ in the scope of the opinion provided by the auditor: Type 1 and Type 2
Where are ABACS useful?
In app security where they are used in enterprises with complex user roles and databases and APIS
Ephemeral Keys
In ephemeral Diffie-Hellman key exchanges, each connection receives a unique, temporary key. That means that even if a key is compromised, communications that occurred in the past, or in the future in a new session, will not be exposed. Ephemeral keys are used to provide perfect forward secrecy, meaning that even if the secrets used for key exchange are compromised, the communication itself will not be.
Rainbow Tables
In password cracking, a set of precalculated encrypted passwords located in a lookup table.
Explain the three major cloud service models.
In the anything-as-a-service (XaaS) approach to computing, there are three major cloud service models. Infrastructure-as-a-service (IaaS) offerings allow customers to purchase and interact with the basic building blocks of a technology infrastructure. Software-as-a-service (SaaS) offerings provide customers with access to a fully managed application running in the cloud. Platform-as-a-service (PaaS) offerings provide a platform where customers may run applications that they have developed themselves.
Name 3 ways data must be protected
In transit, at rest, in use
How to permanently stop service in ubuntu and linux
In ubuntu, update-rc.d, in RedHat and CentOs chkConfig
Mitigation techniques ensure that the impact of incidents are limited.
Incident responders use a variety of techniques to mitigate and contain incidents. One of the most common tasks is to change configuration for endpoint security solutions as well as devices. That may include using allow lists or block/deny lists, quarantining files or devices, making firewall changes, using MDM or DLP tools, adding content or URL filtering rules, or revoking or updating certificates. At the network and infrastructure level, isolation, containment, and segmentation are all used to separate systems involved in incidents from other systems or networks. Security orchestration, automation, and response (SOAR) tools can be used to manage and monitor these processes and to automate elements of the response process.
Cloud Security Alliance (CSA)
Industry org focused on developing and promoting best practices in cloud security. They developed the Cloud Security Matrix.
Where are infrared connections most frequently used?
Infrared connections are most frequently used for point-to-point connections between individual devices, but IR technologies that exist to create networks and groups of devices do exist. Despite this, infrared connectivity is less frequently found in modern systems and devices, having largely been supplanted by Bluetooth and Wi-Fi.
Cloud Service Models
Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Software as a Service (SaaS)
Few Key Terms to describe different states of risk
Inherent Risk, Residual Risk, Risk Appetitie Control Risk
how to defend against cross site scripting
Input Validation. Dont allow users to put script tag in reflected in put./
Software-Defined Visibility
Insight into traffic
Cloud Carriers
Intermediaries that provide the connectivity that allows the delivery of cloud services from providers to consumers.
Sources of Threat Intelligence
Internet, public and private sources to keep up to date on threats and vulnerabilities.
Intra nets
Intranets are internal networks set up to provide information to employees or other members of an organization, and they are typically protected from external access.
Diffie-Hellman key exchange
Invented in the 1970s, it was the first practical method for establishing a shared secret key over an unprotected communications channel.
Dumpster Diving
Involves digging through trash receptacles to find computer manuals, printouts, or password lists that have been thrown away
2 Major VPN Techs
IpSec and SSL
Four tools to gather network info
Ipconfig (Win)/ifConfig(Linux), netstat, arp, route
Blind SQL Injection
Is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the attacker constructs input strings that probe the target through simple Boolean SQL expressions. The results are usually not visible to the attacker.
Disadvantages of Seperation of duties between dev and operations
Isolating ops teams from the dev process inhibits their understanding of the business req's, isolating devs from operational considerations leads to designs that are wasteful of processors, memory and network consumption. Requesting clear hand offs from development to operations reduces agility and flexibiliy by requiring a lengthy transition phase. Increasing the overhead associated with transitions encourages combining many small fixes and enhancements into one major release.
Some ideas that are more broad, but help with Configuration change and removing systems, devices, or even entire network segments to stop spread.
Isolation, Containment, Segmentation
What happens when you delete a regular file?
Its nondestructive. in other words, when a file is deleted, the fastest way to make the space available is to simply delete the file's information from the drive's file index and allow the space to be reused when it is needed. Quick formatting a drive in Windows only deletes the file index instead of overwriting or wiping the drive, and other operating systems behave similarly.
What are some Configuration Management tools that are the most powerful ops security professionals have to ensure all systems in their enterprise are safe.
Jamf Pro for Mac, Configuration Manager for Windows, or CFEngine which is open source.
Password Hack Tools
John The Ripper, Hashcat
Physical security controls are the first line of defense.
Keeping your site secure involves techniques like using industrial camouflage as well as security controls like fences, lighting, alarms, signage, bollards, access control vestibules, cameras, and other sensors. Ensuring that only permitted staff are allowed in by using locks, badges, and guards helps prevent unauthorized visitors. Fire suppression and other environmental controls keep systems and devices from risks caused by natural or human disasters.
Several Weaknesses of Symmetric Key Cryptography
Key Distribution is Major Problem: Parties have a secure method of exchanging a secret key before establishing comms. Symmetric Key Cryptography does not implement Non repudiation The Algorithm is not scalable Keys must be regenerated often.
DES-EEE3
Key length of 168 biuts. The #;s indicate there are 3 encryption ops and the 3 is the 3 keys.
DDOS Prevention
Knowing whether your ISP provides the capability and under what circumstances it will activate or can be turned on can be a critical network defense for your organization. If your ISP does not provide DDoS prevention, a second option is to ensure that your network border security devices have DDoS prevention capabilities.
Extensible Configuration Checklist Description Format (XCCDF)
Language for specifying checklists and reporting checklist results.
Least Connection
Least connection sends traffic to the server with the fewest number of active connections.
First Part of the E-Discovery Process
Legal Holds
What is a common problem with HIPS>
Legitimate traffic can get blocked potentially causing an outage.
What is an extremely important factor in determining the strength of the cryptosystem?
Length of the cryptographic key.
Unified Extensible Firmware Interface (UEFI)
Leverage 2 different ways to ensure that the system is secure. Secure boot and measured boot.
AI and ML
Leverage large amounts of data to find ways to identify malware that may include heuristis signature or other detection capabilites.
Agentless Nac
Lightweight and easier to handle, Provide Less detail
Challenge Handshake Authentication Protocol (CHAP)
Like PAP, CHAP performs one-way authentication. However, authentication is performed through a three-way handshake (challenge, response, and acceptance messages) between a server and a client. The three-way handshake allows a client to be authenticated without sending credential information across a network.
microSD hardware security modules (HSMs).
Like the hardware security modules, we have talked about elsewhere in this book, a microSD HSM is a hardware key management and Public Key Infrastructure (PKI) tool in a very small form factor. In fact, HSMs like this are available as more than just microSD cards—they come in USB, SIM, and other form factors as well.Like other HSMs, these devices provide services for key creation, backup and restore, and management, and support public key authentication and other cryptographic tools. Of course, the devices aren't useful on their own and require an app to use them.
Certificate Chaining
Linking several certificates together to establish trust between all the certificates involved.
How to acquire a forensic copy of a drive or device to make a complete copy
Linux command dd, FTK imager, Memdump, Winhex
Asset Inventory
List of connected systems
Block lists
Lits of software or apps that canot be installed.
FTK Imager can also capture
Live Memory. using the GUI
How to implement redundant network devices
Load Balancers and Nic Teaming
Other sources when doing report analysis that should be consulted are
Log Reviews, Security information and event management systems, Configuration Management Systems.
How to USE OpenSSL as part of assessing Org Security
Loo for places where secure comms are needed but absent or where OpenSSL is misconfigured. Understand why it be might be used, and know the features that it brings that help to improve the security of comms for your organization.
What to do if you cannot test for a rootkit from a trusted device?
Look for behaviors and signatures typical of rootkits through Identifty checking and data validation.
Heuristic or behavior based detection
Looks at what actions the software takes and matches them to profiles of unwanted activities.
2 Important protocol level protections
Loop Prevention, broadcast storm, Bridge Protocol Data Unit (BDPU) guard, Dynamic Host Configuration Protocol (DHCP) snooping
Loop Prevention
Loop prevention focuses on detecting loops and then disabling ports to prevent the loops from causing issues. Spanning Tree Protocol (STP) using bridge protocol data units, as well as anti-loop implementations like Cisco's loopback detection capability, send frames with a switch identifier that the switch then monitors to prevent loops. Although a loop can be as simple as a cable with both ends plugged into the same switch, loops can also result from cables plugged into different switches, firewalls that are plugged in backward, devices with several network cards plugged into different portions of the same network, and other misconfigurations found in a network.
CVSS score .1-3.9
Low rating
Low Frequency RFID
Low-frequency RFID is used for short-range, low-power tags and are commonly used for entry access and identification purposes, where they are scanned by a nearby reader. Low-frequency RFID is not consistent around the world, meaning that tags may not meet frequency or power requirements in other countries.
How many frequency ranges do RFID tags have and what are they? 3.
Lowfrequency, High Frequency and Ultra High Frequency
Solution to challenging Mobile Device Management
MDM and UEM
How to defeat keyloggers?
MFA, ensure keyloggers are not installed
3 Major Attack Framework's
MITRE's ATT&CK, The Diamond Model of Intrusion Analysis and Lockheed Martin's Cyber Kill Chain
If you create a forensic image with dd, you also want to do this
Make an MD5sum Hash of the image, use pipes tee command and md5 sum like this dd if=/dev/sda bs=4k conv=sync,noerror | tee example.img | md5sum> example.md5
Scarcity
Make something look desirable because it is the last one available when its not.
Salting Hashes
Makes password hashes harder to decrypt or guess by adding additional text to each password before it is hashed
Physical Attacks
Malicious Flash Drives, USB Cables, Card Cloning, Skimming, Attack Supply Chain
Network DDOS
Malicious actors commonly use large-scale botnets to conduct network DDoS attacks, and commercial services exist that conduct DDoS attacks and DDoS-like behavior for stress- and load-testing purposes. All of this means that organizations need to have a plan in place to detect and handle network DDoS attacks.
There are many types of malware.
Malware includes ransomware, Trojans, worms, potentially unwanted programs, fileless viruses, bots and their associated command-and-control systems, crypto malware, logic bombs, spyware, keyloggers, remote access Trojans, rootkits, and backdoors. Each type of malware has distinctive elements, and you need to know what identifies each type of malware, how to identify it, what controls are commonly deployed against it, and what to do if you encounter it.
Cross Site Scripting
Malware that uses the trust on a website to redirect users to untrusted websites which captures data or installs more malware
Secure Orchastration Automation and Response
Managing multiple security technologies can be challenging, and using the information from those platforms and systems to determine your organization's security posture and status requires integrating different data sources. At the same time, managing security operations and remediating issues you identify is also an important part of security work. SOAR platforms seek to address these needs .As a mitigation and recovery tool, SOAR platforms allow you to quickly assess the attack surface of an organization, the state of systems, and where issues may exist. They also allow automation of remediation and restoration workflows.
Many techniques are used for social engineering.
Many adversarial and security techniques rely on social engineering. Phishing and its related techniques of spear phishing, whaling, smishing, and vishing seek to gain personal information using social engineering techniques to drive responses. Techniques like tailgating and shoulder surfing are used in person to gain access to information. Eliciting information and impersonation can be used to acquire data or access. Across these and other techniques, a combination of technical, interpersonal, and physical techniques are used to accomplish the social engineer's goal.
Data Collection
Many components of datacenters rely on network appliances to acquire data. Hardware and software appliances can act as sensors, gathering data about the physical environment, network traffic, or other information that centralized services and management need to ensure the continued operations of the organization. Since the sheer amount of data acquired from sensors can be enormous, a tiered design using data collection collectors and aggregators that centralize subsets of data is also common. Collectors and aggregators can also provide preprocessing, de-duplication, or other information management services to ensure that the central management and analysis servers to which they provide data are not overwhelmed.
Secure protocols provide ways to send and receive information securely.
Many original Internet protocols are not secure—they do not provide encryption or authentication and can be captured and analyzed or modified. Using secure versions of protocols or using an alternate secure service and protocol is an important part of ensuring that a network is secure. Key protocols include voice and video protocols like SRTP; email protocols like IMAPS and POPS; and security protocols like DMARC, DKIM, and SPF. File transfers can be done via SFTP or FTPS instead of FTP, and directory services can be moved from LDAP to LDAPS. Some protocols do not have as many or as complete of secure options. In fact, DNS, routing, and DHCP all have limited options for secure communications. Network administrators must take these into account while designing and operating their networks.
Obfuscation/camouflage
Masking the data (encryption is an example) to avoid detection by static code analysis. Typically involves a decoder and the encoded payload.
Standardized Agreements and practices to manage third party risks
Master Service Agreements (MSA), Service Level Agreements (SLA), Memorandum of Understanding (MOU), Business partnership Agreements (BPAs)
Revocation request grace period
Max response time where a CA will perform any requested revocation.
Unprotected APis
May lead to unauthorized use of functions ans it may allow anyone with knowledge of APi urls to modify a service.
0
Means no permission
Organizations face a variety of security compliance requirements.
Merchants and credit card service providers must comply with the Payment Card Industry Data Security Standard (PCI DSS). Organizations handling the personal information of European Union residents must comply with the EU General Data Protection Regulation (GDPR). All organizations should be familiar with the national, territory, and state laws that affect their operations.
MD5
Message Digest 5. A hashing function used to provide integrity. MD5 uses 128 bits. A hash is simply a number created by applying the algorithm to a file or message at different times. The hashes are compared to each other to verify that integrity has been maintained. Reduce speed of message digest production significantly and prone to collisions
Homomorphic encryption
Method that allows computation of certain fields in a dataset without decrypting it.
Platform as a service (PaaS)
Middle between SaaS and IaaS. Provides a platofrm where customer may run apps they have developed themselves.
RAID 10
Mirroring and Striping. Data is striped across two or more drives and then mirrored to the same number of drives. Combines RAID 1 and Raid 0. Hence Raid10
RAID 1
Mirroring, Data copied to another drive, high read speeds from mult drives, data available if drive fails, uses twice the storage.
Cryptography Secrecy
Modern Systems do not rely on secrecy of algorithms, but rely on secret keys for communications.
Security teams must monitor for supply chain risks.
Modern enterprises depend on hardware, software, and cloud service vendors to deliver IT services to their internal and external customers. Vendor management techniques protect the supply chain against attackers seeking to compromise these external links into an organization's network. Security professionals should pay particular attention to risks posed by outsourced code development, cloud data storage, and integration between external and internal systems.
How can patch management be done?
Modern software can check with update tools, however it can also be done with Microsoft's Endpoint configuration Manager for Windows and third party apps.
Secure Web Gateways
Monitor web requests made by internal users and evaluate them against the orgs security policy.
Common Procedures Orgs Include
Monitoring Procedures, Evidence Production Procedures, Patching Procedures
Pro of disks
More expensive for same capacity as tape but faster...
RADIUS (Remote Authentication Dial-In User Service)
Most common Authentication, Authorization and Accounting (AAA) systems for network devices. Can operate via TCP or UDP in a client server model.
Password Authentication
Most common authentication method on the Internet and in the computer world.
CVE 2003-0818
Multiple integers overflow in Microsoft ASN.1 Library.
Multipath solutions
Multiple network paths that ensure a severed cable or failed device will not cause loss of connectivity.
Single Loss Expectancy (SLE)
Multiply asset value by Exposure Factor
Security Considerations of Containerization Platforms
Must enforce isolation between containers to prevent operational and security issues that might occur if an app running in one container is able to accidentally or intentionally interact with resources assigned to another container.
mutual authentication
Mutual authentication provides that greater degree of trust and still relies on x.509 certificates, but it requires that certificates be provided by both entities. If both parties validate and trust those certificates, they can be used as the foundation of a TLS connection. Unlike single-sided authentication, this process ensures that both sides are satisfied that the other system is legitimate.
Order of vulnerability report
Name, Severity, Detailed Description, Solution, See also, output, port/hosts, vuln info, risk info
RSA Algorithm
Named after inventors Rivest, Shamir, and Adelman, RSA is a system for encrypting and decrypting a message using a pair of keys, both of which contain the product of two prime numbers.
Port 125-139 (TCP/UDP)
NetBios
Swiss Army Knife
Netcat.
NIC
Network Interface Card
Network address allocation Protocol
Network address allocation using (DHCP) does not offer a secure protocol, and network protection against DHCP attacks relies on detection and response rather than a secure protocol.
Storage Area Network (SAN)
Network dedicated to providing disk storage to other computers on the network.
Managed service providers (MSPs)
Next generation of ASPs, offering customization and expanded capabilities such as business processes and complete management of the network servers.
Can you recover a file that was deleted with secure delete?
No
Is File Transfer via FTP common?
No it is uncommon but 2 secure options exist and remain in use. FTOPS and SFTP
Is DNS itself secure?
No it travels in an unencrypted, unprotected state and does not have authentication capabilities built in. DNSSEC solves this.
CVSS Score 0
No rating
Response Controls
Non persistence, ability to return to a last known good config, Scalability, Off site and site resiliency,
Database Security
Normalization, parameterized Queries, Obfuscation and Camouflage.
Dig (Windows)
Not available unless Windows subsystem is instaleld.
SIEM Alarms
Note that the alarms are categorized by their time and severity, and then provide detailed information that can be drilled down into. Events like malware beaconing and infection are automatically categorized, prioritized, marked by source and destination, and matched to an investigation by an analyst as appropriate. They also show things like which sensor is reporting the issue.
How to protect against Malicious Drivers?
OS's already do.
in PaaS what are the vendor responsibilities?
OS, Hardware, Datacenter
Key element of OT
OT will typically have less reporting, less management, and fewer security capabilities built in, meaning that detecting and responding to network DDoS and other attacks against OT devices and systems will need to be handled using external devices and tools.
What is privilege creep?
Occurs when a user gets additional permission over time as they rotate through different positions or roles -violates the least privilege principle
Watering hole
Occurs when malware is placed on a website that the attacker knows his potential victims will access
Oversubscription
Occurs when more users are connected to a system than can be fully supported at the same time.
disposition phase
Occurs when something has reached end of its life. Important for cost savings, replacing tools and more.
Hash collision
Occurs when the hashing algorithm creates the same hash from different passwords
What are the 3 main methods of Key Exchange>
Offline, Public Key encryption, Diffie-Hellman
Warm Sites
Offsite office space with available systems and service connections, requiring staffing and updates allowing recovery within hours to days.
Cloud Benefits
On demand self service computing, scalability, elasticity, measured service, agility and flexibility
Shredding
On site, data can still be recovered so combo with burning or pulping
When deploying an NGFW, where are you likely to deploy it?
On the network level, not the host/endpoint layer.
How does an evil twin attack work?
Once a client connects to the evil twin, the attacker will typically provide Internet connectivity so that the victim does not realize that something has gone wrong. The attacker will then capture all of the victim's network traffic and look for sensitive data, passwords, or other information that they can use. Presenting false versions of websites, particularly login screens, can provide attackers who have successfully implemented an evil twin with a quick way to capture credentials.
What are some notable parts of the hardening process>
Open Ports/Services, registry, disk encryption, OS, and patch management including both third party and auto updates.
Arachni
Open Source Web App Scanner
3 major types of authenticaton in Modern WIfi Networks
Open, Use of preshared keys, Enterprise authentication
Operational Technology DDOS
Operational technology (OT) is the software and hardware that controls devices and systems in buildings, factories, powerplants, and other industries. The growth of the Internet of Things (IoT) has led to more devices being network enabled and thus a whole new set of devices that can be attacked through the network. Since IoT devices frequently lack the security protections that computers and network devices have and may have more limited amounts of processor, memory, and storage available, they can be even more vulnerable to network-based DDoS attacks than other devices on the network.
Tail
Opposite of head, shows the last 10 by default and number can be changed with -n. However, the -f flag is most important. tail - f will show you the file as it changes. can monitor mult files
Tier 1 partial
Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. There is limited awareness of cybersecurity risk at the organizational level. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization does not understand its role in the larger ecosystem with respect to either its dependencies or dependents.
Planning is critical to successful incident response.
Organizations build incident response plans to make sure that they know what they will do during an incident instead of figuring it out during the incident. Plans may include business continuity plans that ensure that the business can continue to operate, as well as disaster recovery plans that address how the organization would recover from a major disaster. Communications plans outline who needs to receive communications, who will do the communications, and when communications will occur, making sure that critical communications aren't neglected. Finally, continuity of operation planning is conducted by the U.S. government to ensure that agencies have detailed plans to continue operations in the event of disruption or incidents.
Legal holds and e-discovery drive some forensic activities.
Organizations face legal cases and need to respond to legal holds, which require them to preserve and protect relevant information for the active or pending case. E-discovery processes also require forensic and other data to be provided as part of a legal case. Organizations must build the capability and technology to respond to these requirements in an appropriate manner to avoid losing cases in court.
Standards frameworks provide an outline for structuring and evaluating cybersecurity programs.
Organizations may choose to base their security programs on a framework, such as the NIST Cybersecurity Framework (CSF) or International Organization for Standardization (ISO) standards. U.S. federal government agencies and contractors should also be familiar with the NIST Risk Management Framework (RMF). These frameworks sometimes include maturity models that allow an organization to assess its progress. Some frameworks also offer certification programs that provide independent assessments of an organization's progress toward adopting a framework.
Sensitive Info Inventory
Organizations often deal with many different types of sensitive and personal information. The first step in managing this sensitive data is developing an inventory of the types of data maintained by the organization and the places where it is stored, processed, and transmitted. Organizations should include the following types of information in their inventory: Personally identifiable information (PII) includes any information that uniquely identifies an individual person, including customers, employees, and third parties. Protected health information (PHI) includes medical records maintained by healthcare providers and other organizations that are subject to the Health Insurance Portability and Accountability Act (HIPAA). Financial information includes any personal financial records maintained by the organization. Government information maintained by the organization may be subject to other rules, including the data classification requirements discussed in the next section Once the organization has an inventory of this sensitive information, it can begin to take steps to ensure that it is appropriately protected from loss or theft.
Vendors are a source of external risk.
Organizations should conduct their own systems assessments as part of their risk assessment practices, but they should also conduct supply chain assessments as well. Performing vendor due diligence reduces the likelihood that a previously unidentified risk at a vendor will negatively impact the organization. Hardware source authenticity techniques verify that hardware was not tampered with after leaving the vendor's premises.
Data protection Officer (DPO)
Organizations should identify a specific individual who bears overall responsibility for carrying out the organization's data privacy efforts. This person, often given the title of a chief privacy officer, bears the ultimate responsibility for data privacy and must coordinate across functional teams to achieve the organization's privacy objectives.
Containerization Platforms
Orgs implementing containerization run things like Docker to provide standardized interfaces to OS resources. interface remains consistent
Factors that influence when vulnerability scans occur
Orgs risk appetite, regulatory req's, technical constraints, business constraints, licensing limitatons
Cloud partners
Orgs that offer ancillary products that support or integrate with the offerings of a cloud service provider.
Network security services and management techniques help make sure that a network stays secure.
Out-of-band management puts management interfaces on a separate VLAN or physical network or requires direct connection to help prevent attackers from gaining access to management interfaces. Access control lists are used on network devices to block or permit specific traffic based on information like port, protocol, or IP addresses. Quality of service protocols and settings can be used to prioritize traffic to ensure that important traffic makes it through a network while limiting the impact of attacks and misconfigurations. Route security is challenging because of a lack of significant security capabilities in routing protocols. Authenticated routing protocols do exist, and they can help limit some impacts from attacks against routing protocols. DNS security is also limited, but DNSSEC helps to validate DNS servers and responses. DNS servers must be properly configured to prevent zone transfers and other DNS attacks. TLS is used broadly to protect network traffic, acting as a wrapper for many other protocols. Monitoring services and systems help to ensure that they remain online and accessible but require care due to the amount of information that can be generated and the fact that false positives are possible if the validation and monitoring does not fully validate service responses. File integrity monitors check to see if files have been changed and can alert on changes or restore existing files to a pre-change or pre-deletion state. Honeypots and honeynets are used to gather information about attackers, and honeyfiles and false telemetry data are used to identify potential breaches and attackers who have gathered information from systems in your environment.
Cat
Output files to console or append files to others. cat example.txt will print where as cat more.txt > example.txt will append more.txt to example.txt
Common Issues when dealing with Supply Chain
Outsourced Code Dev, Cloud data storage, and integration between internal and external systems. All must be monitored carefully.
Certificate Formats
PEM: Most common format CAs issue and can have .pem, .crt, .cert DER: Binary form of a certificate instead of ASCII PEM format. PFX: Base64 encoded ASCII format and only contains certificates and chain certificates, not private keys.
POP3 TCP 110
POP3 TCP 995- Secure Pop 3
Code Review Modls
Pair Programming, Over the shoulder, Pass around Code, Tool Assisted.
Common Account Polciies
Password Complexity, Lifespans, MFA, Time of day, network location, geolocation,
Passwords can be acquired and cracked in many ways.
Password attacks can be conducted both online against live systems and offline using captured password stores. Brute-force attacks like spraying and dictionary attacks as well as password cracking can recover passwords in many circumstances. Unencrypted or plain-text passwords and improper storage methods make attacks even easier for attackers who can access them.
One time password
Password generated by a security token, which expires as soon as it is used.
Best way to prevent previously mentioned malware attacks and more?
Patches, using secure configs, privilege management being used, secure boot tools, validate files
Ongoing Operations and Maintenance
Patching, updating, minor mods, Longest phase.
PCI DSS
Payment Card Industry Data Security Standard
Penetration testing places security professionals in the role of attackers.
Penetration tests may be conducted in a manner that provides the testers will full access to information before the test (white box), no information at all (black box), or somewhere in between those two extremes (gray box). Testers conduct tests within the rules of engagement and normally begin with reconnaissance efforts, including war driving, war flying, footprinting, and open source intelligence (OSINT). They use this information to gain initial access to a system. From there, they seek to conduct privilege escalation to increase their level of access and lateral movement/pivoting to expand their access to other systems. They seek to achieve persistence to allow continued access after the vulnerability they initially exploited is patched. At the conclusion of the test, they conduct cleanup activities to restore systems to normal working order and remove traces of their activity.
Guards
People that patrol/protect areas, can be robotic sentries but those are rare. Humans can be falliable
Penetration Testers
People who are paid to legally hack into computer systems with the sole purpose of helping a company identify weaknesses in their system
Tor relieso n
Perfect Forward Secrecy
Blind Content-Based SQL Injection
Perp sens input to the web app to see if app is interpreting injected code.
PII
Personally Identifiable Information
Types of web attacks
Pharming, Typosquatting, Watering hole
4 phases of Federal Continuity of Operatons Planning Stages
Phase 1: Readiness and Preparedness Phase 2: Activation and Relocation. Phase 3: Continuity of Operations Phase 4: Reconsitution
More info about Ping
Ping has been used to map networks and as a denial-of-service tool when attacking network stacks that did not handle a Ping of Death properly. Many networks block ping or highly restrict ICMP traffic in general, so you may not receive a ping response when you use ping. That doesn't mean the host is down or unreachable but merely that ping is blocked for legitimate reasons.
ping cmd
Ping sends ICMP echo request packets to the destination host and calculates the minimum, maximum, and mean round-trip times. As you might expect, you can use command-line flags to determine how many pings you send, the size of the payload, and various other settings. One of the most useful flags is the -t flag, which continues to send pings until it is stopped. Running ping -t can show if a system suddenly stops responding or if the response time for the system fluctuates significantly.
What are the seven phases of the Software Development Life Cycle?
Planning, Requirements, Design, Coding, Testing, Training and Transition, Ongoing Ops and Maintenacne.
Playbooks
Playbooks are step-by-step guides intended to help incident response teams take the right actions in a given scenario. Organizations build playbooks for each type of incident or event that they believe they are likely to handle, with examples ranging from advanced persistent threats to phishing attacks. A playbook will often have stages with steps at each stage of the incident response cycle, as well as a set of guidelines about when to activate the playbook and who should be involved to run through the playbook.
Pointer de-referencing
Pointers can cause security issues, commonly used concept in app development. If an app tries to dereference a null pointer a null pointer exception will cause a crash. However it could allow attackers to bypass security controls.
Policy frameworks consist of policies, standards, procedures, and guidelines.
Policies are high-level statements of management intent for the information security program. Standards describe the detailed implementation requirements for policy. Procedures offer step-by-step instructions for carrying out security activities. Compliance with policies, standards, and procedures is mandatory. Guidelines offer optional advice that complements other elements of the policy framework.
Privileged Access Management (PAM)
Policies, procedures, and support software for managing accounts and credentials with administrative permissions.
Three components of policy working together
Policy sets out the high-level objectives of the security program and requires compliance with standards, which includes details of required security controls. Guidelines provide advice to organizations seeking to comply with the policy and standards.
Number of Security and Privacy Concerns IOT devices bring
Poor security practices, including weak default settings, lack of network security (firewalls), exposed or vulnerable services, lack of encryption for data transfer, weak authentication, use of embedded credentials, insecure data storage, and a wide range of other poor practices .Short support lifespans—IoT devices may not be patched or updated, leaving them potentially vulnerable for most of their deployed lifespan. Vendor data-handling practice issues, including licensing and data ownership concerns, as well as the potential to reveal data to both employees and partners of the vendor and to government and other agencies without the device owner being aware.
How do remote network attacks happen?
Powershell, Visual Basic, Bash or Python on Linux systems.
Static codes
Pre generated and stored in a secure location which can be stolen
Where Can NAC checks occur?
Preadmission or postadmisison
Layer 6 of OSI
Presentation layer, Format data handles encryption, compression EX SSL IMAP SSH
Eliciting Information
Procedures or techniques involving interacting with and communicating with others that is designed to gather knowledge or inform
SHa-1
Produces a 160-bit hash value and is used in DSS
Annualized Loss Expetancy
Product of the LSE and the ARO
Skipjack
Promoted by the NSA. Skipjack uses an 80-bit key, supports the same four modes of operation as DES, and operates on 64-bit blocks of text. Skipjack provides cryptographic routines in support of Clipper and Capstone. Skipjack faced public opposition because it was developed so that the government could maintain information enabling legal authorities (with a search warrant or approval of the court) to reconstruct a Skipjack access key and decrypt private communications between affected parties.
Protocol based ddos
Protocol-based network DDoS attacks focus on the underlying protocols used for networking. SYN floods send the first step in a three-way handshake and do not respond to the SYN-ACK that is sent back, thus consuming TCP stack resources until they are exhausted. These attacks are one of the most common modern protocol-based network DDoS attacks. Older attacks targeted vulnerable TCP stacks with attacks like the Ping of Death, which sent a ping packet too large for many to handle, and Smurf attacks, which leveraged ICMP broadcast messages with a spoofed sender address, causing systems throughout the broadcast domain to send traffic to the purported sender and thus overwhelming it. Fragmented packets, packets with all of their TCP flags turned on (Christmas Tree or Xmas attacks), and a variety of other attacks have leveraged flaws and limitations in how the networking was implemented in operating systems. Security professionals need to know that the features of network protocols and the specific implementations of those protocols may be leveraged as part of an attack and that they may need to identify those attacks.
Digital Signatures
Provide authentication of a sender and integrity of a sender's message.
Common Configuration Enumeration (CCE)
Provides a naming system for system configuration issues.
Common Platform Enumeration (CPE)
Provides a standard nomenclature for describing product names and versions
Object Storage
Provides customers with the ability to place files in buckets and treat each file as an independent entity that may be accessed over the web opr API
Benefits of Penetration Testing
Provides knowledge we cannot obtain elsewhere, provides an important blueprint for remediation, give us focused data.
Why is powershell a popular attack choice?
Provides many capabilities like remote and local execution, network access and more. It is available by default and not monitored usually.
Fog Computing
Provisioning processing resource between the network edge of IoT devices and the data center to reduce latency.
Can Proxies filter content?
Proxies frequently have content filtering capabilities, but content filtering and URL filtering can also be part of other network devices and appliances such as firewalls, network security appliances, IPSs, and others.
Common Business Classification Levels
Public Private Sensitive Confidential Critical Proprietary
Describe the four major cloud deployment models.
Public cloud service providers deploy infrastructure and then make it accessible to any customers who wish to take advantage of it in a multitenant model. The term private cloud is used to describe any cloud infrastructure that is provisioned for use by a single customer. A community cloud service shares characteristics of both the public and private models. Community cloud services do run in a multitenant environment, but the tenants are limited to members of a specifically designed community. Hybrid cloud is a catch-all term used to describe cloud deployments that blend public, private, and/or community cloud services together.
How does Asymmetric work?
Public is used to send message, but private must be used to decode. or vice versa
Qualitative Risk Assessment
Quantitative techniques work very well for evaluating financial risks and other risks that can be clearly expressed in numeric terms. Many risks, however, do not easily lend themselves to quantitative analysis.
RADIUS
RADIUS servers can be federated to allow individuals from other organizations to authenticate to remote networks using their home organization's accounts and credentials. Federating RADIUS servers like this requires trust to be established between the RADIUS servers as part of a federation. Many higher education institutions provide a federated authentication service for wireless called eduroam, which allows students, faculty, and staff from any eduroam institution to authenticate and use the networks at any other eduroam supporting organization. Of course, RADIUS servers can be federated in a single organization as well if there are multiple RADIUS domains.
Because of the small size of RFId, how can they be implemented?
RFID tags can be embedded in stickers, small implantable chips like those used to identify pets, and in the form of devices like tollway tags. RFID tags can be attacked in a multitude of ways, from simple destruction or damage of the tag so that it cannot be read, to modification of tags, some of which can be reprogrammed. Tags can be cloned, modified, or spoofed; readers can be impersonated; and traffic can be captured.
Real Time Operating System (RTOS)
RTOS is an operating system that is used when priority needs to be placed on processing data as it comes in, rather than using interrupts for the operating system or waiting for tasks being processed to be handled before data is processed. Since embedded systems are widely used for industrial processes where responses must be quick, real-time operating systems are used to minimize the amount of variance in how quickly the OS accepts data and handles tasks.
Radio Frequency Systems two types
Radio frequency systems like Zigbee can be narrowband or wideband.
Lockheed Martin's Cyber Kill Chain
Reconnaissance Weaponization Delivery Exploitation Installation Command-and-control Actions on objectives
What is one of the best ways to reduce the attack surface of a system?
Reduce the number of ports. and disable services that aren't necessary
Redundancy builds resilience.
Redundant systems, networks, and even datacenters are a key element in ensuring availability. Redundant designs need to address the organizational risks and priorities that your organization faces to ensure the best trade-offs between cost and capabilities. Geographic dispersal; multipath networks; load balancers; NIC teaming; power protection and redundancy; RAID; backups; and diversity of technologies, systems, and platforms are all ways to build and ensure resiliency.
Cloud Security Matrix
Reference doc designed to help orgs understand the appropriate use of cloud security controls
Scalability
Refers to how well a system can adapt to increased demands
Why has waterfall been replaced?
Relatively inflexible, but can be used for complex systems. Recommended for fixed scope and a known timeframe.
What should an Org develop if they adopt compensating controls to address an exception?>
Remediation Plans that bring the org back into complicance with the original control
3 functions of TPM
Remote Attestation, Binding, Seasling
Port 3389 (TCP/UDP)
Remote Desktop Protocol (RDP)
Remote Access Tech protocols
Remote access technologies—including shell access, which was once accomplished via telnet and is now almost exclusively done via SSH—can also be secured. Microsoft's RDP is encrypted by default, but other remote access tools may use other protocols, including HTTPS, to ensure that their traffic is not exposed.
Tokenization Databse
Replace personal identifiers with a unique identifier using a look up table
Hashing Databases
Replace senstivie info with irreversible alternative
Malicious USB
Require dedicated engineering, rare, effectively invisible.
password lifespans
Require regular password changes to limit time that password could be exposed, before MFA.
Vertical Scaling
Requires a larger or more powerful system or device, can help when all tasks or functions need to be handled on the same system or infrastructure. Expensive to increase, however it is required for every large memory footprint app
Agent-based NAC
Requires installation and thus adds complexity and maintenance but greater insight.
Pharming
Reroutes requests for legitimate websites to false websites
Recovery:
Restoration to normal is the heart of the recovery phase. That may mean bringing systems or services back online or other actions that are part of a return to operations. Recovery requires eradication to be successful, but it also involves implementing fixes to ensure that whatever security weakness, flaw, or action that allowed the incident to occur has been remediated to prevent the event from immediately reoccurring.
Reverse Proxies
Reverse proxies are placed between servers and clients, and they are used to help with load balancing and caching of content. Clients can thus query a single system but have traffic load spread to multiple systems or sites.
Bug bounty
Reward scheme operated by software and web services vendors for reporting vulnerabilities.
RMF
Risk Management Framework. Formal process for implementing security controls and authorizing system use. a mandatory standard for federal agencies that provides a formalized process that federal agencies must follow to select, implement, and assess risk-based security and privacy controls.
Risk Formula
Risk Severity = Likelihood * Impact
Organizations may choose from a variety of risk management strategies.
Risk avoidance strategies change business practices to eliminate a risk. Risk mitigation techniques seek to reduce the probability or magnitude of a risk. Risk transference approaches move some of the risk to a third party. Risk acceptance acknowledges the risk and continues normal business operations despite the presence of the risk.
Tier 2: Risk Informed.
Risk management practices are approved by management but may not be established as organizationwide policy. There is an awareness of cybersecurity risk at the organizational level, but an organizationwide approach to managing cybersecurity risk has not been established. Generally, the organization understands its role in the larger ecosystem with respect to either its own dependencies or dependents, but not both
Load balancing algorithms that they rely on
Round Robin, Least Connection, agent based adaptive balancing, Source IP hashing
Round Robin
Round-robin sends each request to servers by working through a list, with each server receiving traffic in turn.
How are Siem Rules Determined
Rule conditions can use logic to determine if and when a rule will be activated, and then actions can trigger based on the rule. Results may be as simple as an alert or as complex as a programmatic action that changes infrastructure, enables or disables firewall rules, or triggers other defenses.
What is a Runbook?
Runbooks are the operational procedures guides that organizations use to perform actions. Since they are procedural guides, Runbooks simplify the decision process for common operations that may support incident response, and they can help guide and build automation for tasks like communications, malware removal, or scanning. Runbooks are typically action oriented and thus may be paired with a playbook as elements of the playbook's process.
Difference between San and NAS
SAN provides block level access, NAS presents data as files.
Specialized systems like SCADA, ICS, and IoT systems exist throughout your organization and require unique security solutions.
SCADA and ICS or industrial control systems are used to manage and monitor factories, power plants, and many other major components of modern companies. IoT systems are Internet-connected devices that perform a wide variety of tasks, from monitoring to home automation and more. They may be controlled by third parties or have other security implications that must be addressed as part of a security plan to keep each endpoint secure.
Security Content Automation Protocol (SCAP)
SCAP is a multipurpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. Goals for the development of SCAP include standardizing system security management, promoting interoperability of security products, and fostering the use of standard expressions of security content.
FTP TCP (21 and 20)
SFTP TCP 22 (SSH)
SIEM devices
SIEM devices and software have broad security capabilities, which are typically based on the ability to collect and aggregate log data from a variety of sources and then to perform correlation and analysis activities with that data. This means that organizations will send data inputs—including logs and other useful information from systems, network security devices, network infrastructure, and many other sources—to a SIEM for it to ingest, compare to the other data it has, and then to apply rules, analytical techniques, and machine learning or artificial intelligence to the data. SIEM systems may include the ability to review and alert on user behavior or to perform sentiment analysis, a process by which they look at text using natural language processing and other text analysis tools to determine emotions from textual data.
SIEM data
SIEM follows the entire lifecycle for data, they can integrate with Google and other cloud services to import data.
List of Infrared Specifications and their Speeds
SIR, 115 Kbit/s MIR, 1.15 Mbit/s FIR, 4 Mbit/s VFIR, 16 Mbit/s UFIR, 96 Mbit/s GigaIR, 512 Mbit/s-1 Gbit/s
SMS Codes for OTP
SMS sent to phone and input code
IS SMTP Secure in itself?
SMTP itself does not provide a secure option, although multiple efforts have occurred over time to improve SMTP security, including attempts to standardize on an SMTPS service. However, SMTPS has not entered broad usage. Now, email security efforts like Domain Keys Identified Mail (DKIM), Domain-based Message Authentication, Reporting & Conformance (DMARC) and Sender Policy Framework (SPF) are all part of efforts to make email more secure and less prone to spam. Email itself continues to traverse the internet in unencrypted form through SMTP which makes S/MIME one of the few broadly supported options.
service organization controls (SOC) audit under the American Institute for Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements 18 (SSAE 18). There are three different categories of SOC assessment:
SOC 1, SOC 2, SOC 3
Port 22 and TCP
SSH (Secure Shell)
Telnet TCP 23
SSH TCP 22
Scope Metric
Says whether the vuln can affect systems beyond scope
Secure Real Time Protocol
Secure Real-Time Protocol (SRTP) is a secure version of the Real-time Protocol, a protocol designed to provide audio and video streams via networks. SRTP uses encryption and authentication to attempt to reduce the likelihood of successful attacks, including replay and denial-of-service attempts. RTP uses paired protocols, RTP and RTCP. RTCP is the control protocol that monitors the quality of service (QoS) and synchronization of streams, and RTCP has a secure equivalent, SRTP, as well.
Secure Shell (SSH)
Secure Shell (SSH) is a protocol used for remote console access to devices and is a secure alternative to telnet. SSH is also often used as a tunneling protocol or to support other uses like SFTP. SSH can use SSH keys, which are used for authentication. As with many uses of certificate or key-based authentication, a lack of a password or weak passwords as well as poor key handling can make SSH far less secure in use.
Site Security Plan
Secure site assets, Deter, Detect, Delay, Screen and control access.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Secure/Multipurpose Internet Mail Extensions (S/MIME) provides the ability to encrypt and sign MIME data, the format used for email attachments. Thus, the content and attachments for an email can be protected, while providing authentication, integrity, nonrepudiation, and confidentiality for messages sent using S/MIME.Unlike many of the other protocols discussed here, S/MIME requires a certificate for users to be able to send and receive S/MIME-protected messages. A locally generated certificate or one from a public certificate authority (CA) is needed. This requirement adds complexity for S/MIME users who want to communicate securely with other individuals, because certificate management and validation can become complex. For this reason, S/MIME is used less frequently, despite broad support by many email providers and tools.
Hardening and protecting systems relies on security tools and technology to keep systems secure.
Securing endpoint devices requires considering the entire device: how it boots, how data is secured, how it is configured, what services it provides, if its communications are secure, and how it is protected against network threats. Fortunately, security professionals have a wide range of tools, including secure and trusted boot, to protect against attacks on the boot process or drivers. Antivirus, antimalware, sandboxes, allow lists, and deny lists provide control over the applications and programs that run on endpoints. Endpoint detection and response and data loss prevention tools, among many others, provide insight into what systems are doing and where issues may exist while adding more controls that administrators and security professionals can use to keep systems and data secure. Network security tools like host intrusion prevention and detection systems, host firewalls, and similar tools can detect and often stop attacks from the network.
Data sources and data management for incident response provide insight into what occurred as well as investigative and detection tools.
Security event and information management (SIEM) tools are used in many organizations to gather and analyze data using dashboards, automated analysis, and manual investigation capabilities. Information such as vulnerability scan output, system configuration data, system and device logs, and other organizational data are ingested and analyzed to provide broad insight into events and incidents. Logging tools like rsyslog, syslog-ng, syslog, and NXLog are all commonly found in logging infrastructures that centralize and manage logs. Network traffic information is gathered using NetFlow, SFlow, and packet analyzers, among other tools. They provide useful information about bandwidth usage as well as details about which systems communicated, the ports and protocols in use, time and date, and other high-level information useful for incident analysis. In addition to log and event information, metadata from files and other locations is commonly used for incident investigation and incident response.
Security analysts need to be familiar with command-line tools, shells, and secure transport protocols.
Security exam takers need to know the basics of command-line tools, including head, tail, cat, and grep, which allow you to manipulate and view text files. Managing permissions with chmod and adding information to log files via logger are also tasks security professionals need to be familiar with. In addition to these tools, equally important are using secure shells via SSH, protecting data in motion using OpenSSL, and knowing about scripting languages like Python and PowerShell and when and why they might be used.
Threat intelligence provides organizations with valuable insight into the threat landscape.
Security teams may leverage threat intelligence from public and private sources to learn about current threats and vulnerabilities. They may seek out detailed indicators of compromise and perform predictive analytics on their own data. Threat intelligence teams often supplement open source and closed-source intelligence that they obtain externally with their own research.
The foundation of network security is a secure design.
Segmentation into different security zones based on risk or security requirements helps to protect networks. DMZs, intranets, and extranets are all examples of common network segmentation options, and zero-trust networks extend the segmentation concept to make every system defend itself. NAC protects networks from untrusted devices being connected, whereas port security and port-level protections like loop prevention and broadcast storm protection ensure that malicious or misconfigured systems do not cause network issues. Port spanning and mirroring allow packet capture by creating a copy of traffic from other ports. VPNs are used to tunnel network traffic to another location, and they can be encrypted or simply tunneled.
IP schema
Segmenting systems based on purpose location or other factors help address collision, avoid running out of addresses and more.
Gamification
Selective use of game design and game mechanics to drive employee engagement in non-gaming business scenarios.
Sensors as they relate to SIEM
Sensors are typically software agents, although they can be a virtual machine or even a dedicated device. Sensors are often placed in environments like cloud infrastructure, a remote datacenter, or other locations where volumes of unique data are being generated, or where a specialized device is needed because data acquisition needs are not being met by existing capabilities. Sensors gather useful data for the SIEM and may either forward it in its original form or do some preprocessing to optimize the data before the SIEM ingests it. Choosing where to deploy sensors is part of network and security architecture and design efforts, and sensors must be secured and protected from attack and compromise just like other network security components.
Seperation of duties between dev and operations
Seperating this provides a comfortable work enviroment but has significant disadvantages.
Domain Validation Certificate
Server security certificate that provides the lowest level of validation available. Owner of the certificate has some control over a DNS domain.
Cloud Roles
Service Providers, Consumers, partners, auditors carriers
What does a virus trigger do?
Sets the conditions for when the virus will execute.
How does DevSecOps work?
Shared responsibility that is part of the entire development and ops cycle/
Bollards
Short vertical posts that act as a barricade. Bollards block vehicles but not people.
Antimalware packages
Signature based protection, Heuristic or Behavior based detection, Ai and ML systems Sandboxing
What can a data breach do to an Org?
Significant and diverse impacts such as immediate financial damage, reputation damage, long term financial issues, operational damage if availablity is down.
Important thing to note about Scada and ICS
Since ICS and SCADA systems combine general-purpose computers running commodity operating systems with industrial devices with embedded systems and sensors, they present a complex security profile for security professionals to assess. In many cases, they must be addressed as individual components to identify their unique security needs, including things like customized industrial communication protocols and proprietary interfaces. Once those individual components are mapped and understood, their interactions and security models for the system as a whole or as major components can be designed and managed.
Nac Validation
Since NAC has the ability to validate security status for systems, it can be an effective policy enforcement tool. If a system does not meet security objectives, or if it has an issue, the system can be placed into a quarantine network. There the system can be remediated and rechecked, or it can simply be prohibited from connecting to the network.
Acquistion from Containers
Since containers are designed to be ephemeral, and their resources are often shared, they create fewer forensic artifacts than a virtual or physical machine. In fact, though containers can be paused, capturing them and returning them to a forensically sound state can be challenging. Container forensics require additional planning, and forensic and incident response tools are becoming available to support these needs.
Network FOrensic Data
Since network traffic is ephemeral, capturing traffic for forensic investigation often requires a direct effort to capture and log the data in advance. If network traffic isn't actively being logged, forensic artifacts like firewall logs, IDS and IPS logs, email server logs, authentication logs, and other secondary sources may provide information about when a device was on a network, what traffic it sent, and where it sent the traffic. When forensic examiners do work with network traffic information, they will frequently use a packet analyzer like Wireshark to review captured network traffic. In-depth analysis of packets, traffic flows, and metadata can provide detailed information about network behaviors and content. The same taps, span ports, and port mirrors used for network security devices can also be useful for network forensics, allowing copies of network traffic to be sent to collection servers. Although this can be useful, it can also result in massive amounts of data. Capturing all or selected network traffic is a process that most organizations reserve for specific purposes rather than a general practice. Instead, most organizations end up relying on logs, metadata, traffic flow information, and other commonly collected network information to support forensic activities
why shouldnt port security be relied on to prevent untrusted systems from connecting?
Since spoofing MAC addresses is easy.
Secure wireless network designs take existing networks and physical spaces into account.
Site surveys include physical tours of a facility using tools that can identify existing wireless networks and access points as well as signal strengths and other details that help map the location. Network designs take into account channel spacing, access point placement, and even the composition of the building when placing access points.
Horizontal Scaling
Small systems but adds more, can take advantage of the ability to transparently add and remove resources. Provides opps for upgrades, patching and incident response.
Common Ways to obtain a password
Social Engineering, Eavesdropping, Obtaining a dump of passwords/
Credential Harvesting
Social engineering techniques for gathering valid credentials to use to gain unauthorized access.
Physical attacks rely on social engineering.
Social engineers use in-person, physical attacks to access organizations and networks. Malicious USB flash drives and cables, as well as card cloning and skimming attacks, are all part of a social engineer's toolkit. In addition, social engineers and other attackers may target the supply chain, which can be at risk for physical attacks through modifications of devices and software before they arrive at your organization. Social engineers who can access suppliers or the logistical chain that your organization relies on can compromise your security before you even take possession of your purchases.
Social media
Social media analysis performed by the organization may include assessments of both personal and professional accounts, because that activity may reflect positively or negatively upon the organization. Organizations should make their expectations and practices clear in a social media policy.
Know how to analyze the indicators associated with application attacks.
Software applications may suffer from a wide range of vulnerabilities that make them susceptible to attack. You should be familiar with these attacks, including privilege escalation, cross-site scripting, injection attacks, request forgery attacks, and the many other ways that attackers can exploit application code. Understanding the methods behind these attacks helps security professionals build adequate defenses and identify attacks against their organizations.
SaaS
Software as a Service; a subscription service where you purchase licenses for software that expire at a certain date.
Software Diversity
Software development technique in which two or more functionally identical variants of a program are developed from the same specification but by different programmers or programming teams.
Understand secure software development concepts.
Software should be created using a standardized software development life cycle that moves software through development, test, staging, and production environments. Developers should understand the issues associated with code reuse and software diversity. Web applications should be developed in alignment with industry-standard principles such as those developed by the Open Web Application Security Project (OWASP).
Hypervisor
Software that runs on a physical computer and manages one or more virtual machine operating systems.
Insecure Protocols
Some protocols aren't encrypted - All traffic sent in the clear - Telnet, FTP, SMTP, IMAP • Verify with a packet capture - View everything sent over the network • Use the encrypted versions- SSH, SFTP, IMAPS, etc.
Three major types of factors for MFA
Something you know, Something you have, something you are
Secure Coding Practices 2
Source Code Comments, Error Handling, hard coded credentials, memory management, Race Conditions, Unprotected API's Driver Manipulation
Source IP hashing
Source IP hashing uses a hash of the source IP to assign traffic to servers. This is essentially a randomization algorithm using client-driven input.
Dedicated mobile security technologies can provide specialized capabilities.
Specialized hardware and software can add additional features and capabilities to mobile devices. Test takers need to be familiar with mobile hardware security modules, including those that use a microSD card form factor to provide cryptographic capabilities for mobile devices. SEAndroid, a version of SELinux for Android, allows Android devices to implement mandatory access control (MAC) capabilities in similar ways to what SELinux provides for other Linux distributions. Android devices using SEAndroid can enforce security policies more effectively, including default deny policies and separation of filesystem and application environments.
White Team
Staff administering, evaluating, and supervising a penetration test or incident response exercise.
Scan Sensitivity Levels
Start with template, add plugins as necessaary, some are too intense and need to be ran in a test environment or only run non intrusive plugins.
Role Authorizaton
States that the subjects active role must be authorized.
Winding Down Vendor Relationship
Steps taken when a vendor relationship ends, This should include specific steps they will follow. Especially when a vendor announces a prodcuts End of Life or a services End of Life. Same steps work when org decides to stop using service on its own.
Flash Media
Storage, often removable, that has no moving parts. (USB flash drive)
Hardware Security Models (HSMS)
Store and manage keys ina secure manner that prevents humans from ever working with keys directly. Ie yubi key, or cloud providers
Cipher Feedback Mode
Stream based, operates against data produced in real time. Uses memory buffers instead of breaking a message into blocks, as buffer fills it encrypts and sends.
RAID 6
Striping with double Parity. RAID 5 but additional parity is stored on another drive, ALlows for more than one drive to fail at a time. Slower write than 5, rebuilding arrays is slow
RAID 5
Striping with parity, Data is striped across drives with one being used for checksum of the data, parity is spread across drives with the data. Reads are fast writes slow failures can be rebuilt as long as one drive fails. Can only tolerate a single drive failure at a time tho, so rebuilding arrays after a drive loss can impact performance
RAID 0
Striping. Better speed all capacity used, data lost if drive lost.
SIM
Subscriber Identity Module
Subscription service protocol
Subscription services such as cloud tools and similar services frequently leverage HTTPS but may also provide other secure protocols for their specific use cases. The wide variety of possible subscriptions and types of services means that these services must be assessed individually with an architecture and design review, as well as data flow reviews all being part of best practices to secure subscription service traffic if options are available.
How does 802.1x work?
Supplicants send authentication requests to authenticators such as network switches, access points or wireless controllers which connect to an authentication server via RADIUS.
Swap and Pagefile info
Swap and pagefile information is disk space used to supplement physical memory. Much like capturing information from RAM, capturing the swap and pagefile can provide insight into running processes. Since it is actively used by the system, particularly on machines with less memory, it also changes more quickly than many files on disk.
Explain the differences between symmetric and asymmetric encryption.
Symmetric encryption uses the same shared secret key to encrypt and decrypt information. Users must have some mechanism to exchange these shared secret keys. The Diffie-Hellman algorithm provides one approach. Asymmetric encryption provides each user with a pair of keys: a public key, which is freely shared, and a private key, which is kept secret. Anything encrypted with one key from the pair may be decrypted with the other key from the same pair.
What are common logs used by incident responders?
System Logs, Application Logs, Security Logs, Vulnerability Scan output, Network and security device logs, web logs, dns logs, authentication logs, dump files, VoIp, call manager logs, and Session Initiation Protocol Logs
Time based one time passwords
TOTPS, use algorithm to derive a one time password using the current time as part of the code gen process.
Three Exercises that incident response teams use to prepare
Tabletop Exercises, Walk throughs, Simulations
How is IaC done?
Takes many forms, usually as feature offered by cloud providr or functionality enabled by a third party cloud management platofrm.
Physical Backup media (Offline Storage)
Tape, Disks, Optical, Flash
Technical Constraints
Technical constraints are limitations on the design of a solution that derive from the technology used in its implementation. See also business constraint.
Why can source code coments be good?
Tells attackers what code does, so devs should ensure commented versions remain secret.
What data is lost when pc is shit off or restarted?
Temporary Files and Swap Space
Web application scanning
Test for SQL injection, Cross site scripting (xss) and cross site request forgery (CSRF) vulnerabilities.
How to detect Rootkits
Test the suspected system from a trusted device.
Static Testing
Testing of a software development artifact, e.g., requirements, design or code, without execution of these artifacts, e.g., reviews or static analysis.
Dynamic testing
Testing that involves the execution of the software of a component or system.
How do admins control a devices wireless connectivity use
That can take the form of limiting which Wi-Fi networks devices can connect to, preventing them from forming or joining ad hoc wireless networks, and disabling tethering and the ability to become a wireless hotspot. Bluetooth and NFC controls can also help prevent the device from being used in ways that don't fit organizational security models, such as use as a payment method or access device.
What does Parameter Pollution Rely on?
That the platform wont handle the URL properly, allowing the injection attack to slip through the filtering tech.
What does the diamond model focus heavily on
The Diamond Model focuses heavily on understanding the attacker and their motivations and then uses relationships between these elements to allow defenders to both understand the threat and think about what other data or information they may need to obtain or may already have available.
How many stages is the EDRM split into and what are they?
The EDRM model uses nine stages to describe the discovery process: Information governance before the fact to assess what data exists and to allow scoping and control of what data needs to be provided Identification of electronically stored information so that you know what you have and where it is Preservation of the information to ensure that it isn't changed or destroyed Collection of the information so that it can be processed and managed as part of the collection process Processing of the data to remove unneeded or irrelevant information, as well as preparing it for review and analysis by formatting or collating it Review of the data to ensure that it only contains what it is supposed to, and that information that should not be shared is not included Analysis of the information to identify key elements like topics, terms, and individuals or organizations Production of the data to provide the information to third parties or those involved in legal proceedings Presentation of the data, both for testimony in court and for further analysis with experts or involved parties
What core components are part of the NIT framework?
The Framework Core, The Framework Implementation, Framework Profiles
Major info security Regulations
The Health Insurance Portability and Accountability Act (HIPAA) The Payment Card Industry Data Security Standard (PCI DSS). The Gramm-Leach-Bliley Act (GLBA).The Sarbanes-Oxley (SOX) Act. The General Data Protection Regulation (GDPR). The Family Educational Rights and Privacy Act (FERPA). Various data breach notification laws
Benchmarks
The NIST and ISO frameworks are high-level descriptions of cybersecurity and risk management best practices. They don't offer practical guidance on actually implementing security controls. However, government agencies, vendors, and industry groups publish a variety of benchmarks and secure configuration guides that help organizations understand how they can securely operate commonly used platforms, including operating systems, web servers, application servers, and network infrastructure devices. These benchmarks and configuration guides get down into the nitty-gritty details of securely operating commonly used systems.
What is the first thing a forensic practitioner will review?
The Order of Volatility.
What do the 5 steps assess?
The Quantitative scale of a single risk: That is combo of threat and vulnerability
Four Key Metrics used in the BIA process
The Recovery Point Objective (RPO) The Mean Time Between Failures (MTBF) The Mean Time to Repair (MTTR) The Recovery Time Objective (RTO)
SHA256
The SHA (Secure Hash Algorithm) is one of a number of cryptographic hash functions. A cryptographic hash is like a signature for a text or a data file. SHA-256 algorithm generates an almost-unique, fixed size 256-bit (32-byte) hash. Hash is a one way function - it cannot be decrypted back. This makes it suitable for password validation, challenge hash authentication, anti-tamper, digital signatures. SHA-256 is one of the successor hash functions to SHA-1, and is one of the strongest hash functions available.
What is the central security monitoring tool in many orgs?
The Security Information and Event Management (SIEM) tool
There are seven key principles for social engineering.
The Security exam outline focuses on seven key social engineering principles. Authority relies on the victim believing that the person has a reason to be in charge or in a position of power. Intimidation relies on bullying or scaring the target into doing what is desired. Consensus builds on the trust that individuals have in others and what they think others are doing or believe. Scarcity leverages human reactions to limited supply. Familiarity uses what you expect and what you are used to against you. Trust is built and then used against the target. Urgency, the final item, makes what the social engineer expresses seem as if it is needed immediately.
SIEM devices can also packet capture
The ability to capture and analyze raw packet data from network traffic, or to receive packet captures from other data sources, can be useful for incident analysis, particularly when specific information is needed about a networking event. Correlating raw packet data with IDS or IPS events, firewall and WAF logs, and other security events provide a powerful tool for security practitioners.
Vulnerability Scanning
The act of scanning for weaknesses and susceptibilities in the network and on individual systems.
List of major strengths of Asymmetric Key Cryptography:
The addition of new users requires the generation of only one public-private key pair. Users can be removed far more easily from asymmetric systems. Key regen is only req'd when private key is compromised. Asymmetric can provide integrity authentication and nonrepudiation. Simple distribution, no preexisting comm link needs to exist.
Risk Appetitie
The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.
Role Assignment
The assignment of a specific role that determines whether a user or group can access a specific item and perform an operation on it.
RAM
The content of random access memory (RAM) can be very helpful for both investigations and incident response. Memory can contain encryption keys, ephemeral data from applications, and information that may not be written to the disk but that can be useful to an investigation.
PCI DSS 3 criteria for compensating controls to be satisfactory
The control must meet the intent and rigor of the original requirement. The control must provide a similar level of defense as the original requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. The control must be "above and beyond" other PCI DSS requirements.
What is the Windows Registry>
The core of how windows tracks what is going on and thus an important target for attackers.
What is the most important part of the process of Digital Forensics?
The creation of documentation- including what you have observed, what conclusions can be made from data, and what evidence exists to support those conclusions—is necessary in order to be successful. You will document timelines and sequences of events, looking for clues as to what occurred and why, and you will use timestamps, file metadata, event logs, and a multitude of clues to piece together a complete picture.
Curl
The curl utility is found on Linux systems and is used to transfer data via URLs. That means it is frequently used to manually perform HTTP commands like HTTP get or to fetch HTTP headers. It can also be used for file transfer via FTP, FTPS, and SFTP, and for general purposes for a wide variety of protocols that use a URL. A sample curl command to retrieve a page using an HTTP get can be performed using this: curl --request GET https://www.example.com
Production Environment
The environment for the actual system operation. It includes hardware and software configurations, system utilities, and communications resources. Also called the operational environment.
Test Environment
The environment that analysts and programmers use to develop and maintain programs.
Eradication:
The eradication stage involves removing the artifacts associated with the incident. In many cases, that will involve rebuilding or restoring systems and applications from backups rather than simply removing tools from a system since proving that a system has been fully cleaned can be very difficult. Complete eradication and verification is crucial to ensuring that an incident is over.
Ultra High Frequency RFID
The final frequency range is ultra-high-frequency RFID, the fastest to read and with the longest range. This means that high frequency RFID tags are used in circumstances where readers need to be further away. High-frequency tags have found broad implementation for inventory and antitheft purposes as well as a multitude of other uses where a tag that can be remotely queried from meters away can be useful.
Actions on Objectives
The final stage occurs when the mission's goal is achieved. Adversaries will collect credentials, escalate privileges, pivot and move laterally through the environment, and gather and exfiltrate information. They may also cause damage to systems or data. Defenders must establish their incident response playbook, detect the actions of the attackers and capture data about them, respond to alerts, and assess the damage the attackers have caused.
Multiple Tiers of Monitoring
The first and most simple validates whether a service port is open and responding. That basic functionality can help identify significant issues such as the service failing to load, crashing, or being blocked by a firewall rule. The next level of monitoring requires interaction with the service and some understanding of what a valid response should look like. These transactions require additional functionality and may also use metrics that validate performance and response times. The final level of monitoring systems looks for indicators of likely failure and uses a broad range of data to identify pending problems. Service monitoring tools are built into many operations' monitoring tools, SIEM devices, and other organizational management platforms. Configuring service-level monitoring can provide insight into ongoing issues for security administrators, as service failures or issues can be an indicator of an incident.
Certificate Signing Request
The formal request sent from a client to a CA asking for a certificate to be generated.
Understand the goals of cryptography.
The four goals of cryptography are confidentiality, integrity, authentication, and non-repudiation. Confidentiality is the use of encryption to protect sensitive information from prying eyes. Integrity is the use of cryptography to ensure that data is not maliciously or unintentionally altered. Authentication refers to the uses of encryption to validate the identity of individuals. Nonrepudiation ensures that individuals can prove to a third party that a message came from its purported sender.
Discretionary Access Control (DAC)
The least restrictive access control model in which the owner of the object has total control over it.
Geolocation
The location of a device identified by GPS. It can help locate a lost or stolen mobile device. Or in this case, prevent login from outside of an area
Mandatory Access Control (MAC)
The most restrictive access control model, typically found in military settings in which security is of supreme importance.
Password Authentication Protocol (PAP)
The oldest and most basic form of authentication and also the least safe because it sends all passwords in cleartext.
OS
The operating system itself can contain useful information. The Windows registry is a common target for analysis since many activities in Windows modify or update the registry.
.Tier 4: Adaptive
The organization adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators. There is an organizationwide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. The organization understands its role, dependencies, and dependents in the larger ecosystem and contributes to the community's broader understanding of risks.
CYOD (Choose Your Own Device)
The organization owns the device but allows the user to select and maintain it.
Root Certificate
The original digital certificate issued by a Certification Authority.
Initialization Vector Attack
The original implementation of wireless security was WEP (Wired Equivalent Privacy). WEP used a 24-bit initialization vector, which could be reverse-engineered once enough traffic from a network was captured. After the traffic was analyzed, the initialization vector used to generate an RC4 key stream could be derived, and all traffic sent on the network could be decrypted. Fortunately, IV attacks are no longer a concern for modern networks. Both WPA2 and WPA3 do not use weak initialization vectors like this, making the IV attack historical knowledge.
Security Constraints of Embedded Systems that should be taken into account
The overall computational power and capacity of embedded systems is usually much lower than a traditional PC or mobile device. Although this may vary, embedded systems may use a low-power processor, have less memory, and have very limited storage space. That means that the compute power needed for cryptographic processing may not exist, or it may have to be balanced with other needs for CPU cycles. At the same time, limited memory and storage capacity mean that there may not be capacity to run additional security tools like a firewall, antimalware tools, or other security tools you're used to including in a design. Embedded systems may not connect to a network. They may have no network connectivity, or they may have it but due to environmental, operational, or security concerns it may not be enabled or used. In fact, since many embedded systems are deployed outside of traditional networks, or in areas where connectivity may be limited, even if they have a built-in wireless network capability, they may not have the effective range to connect to a viable network. Thus, you may encounter an inability to patch, monitor, or maintain the devices remotely. Embedded devices may need to be secured as an independent unit. Without network connectivity, CPU and memory capacity, and other elements, authentication is also likely to be impossible. In fact, authenticating to an embedded system may not be desirable due to safety or usability factors. Many of the devices you will encounter that use embedded systems are built into industrial machinery, sensors and monitoring systems, or even household appliances. Without authentication, other security models need to be identified to ensure that changes to the embedded system are authorized. Embedded systems may be very low cost, but many are effectively very high cost because they are a component in a larger industrial or specialized device. So, simply replacing a vulnerable device can be impossible, requiring compensating controls or special design decisions to be made to ensure that the devices remain secure and do not create issues for their home organization.
Which ports should remain open?
The ports that must be available to provide necessary services.
Threat Hunting
The practice of proactively searching for cyber threats that are lurking undetected in a network.
Certificate Stapling
The process of appending a digitally signed OCSP response to a certificate. It reduces the overall OCSP traffic sent to a CA.
Code Signing
The process of assigning a certificate to code. The certificate includes a digital signature and validates the code.
Piggybacking
The process of connecting to a wireless network without the permission of the owner of the network.
Risk Management
The process of systematically addressing the risks facing an org. Risk assessment serves 2 roles in this process The risk assessment provides guidance in prioritizing risks so that the risks with the highest probability and magnitude are addressed first. Quantitative risk assessments help determine whether the potential impact of risk justifies the costs incurred by adopting a risk management approach.
Software Development Life Cycle
The process that a program goes through. It consists of the development, maintenance, and demise of a software system. The phases include analysis, design, coding, testing/verification, maintenance, and obsolescence
Feasibility Phase
The project phase that demonstrates that the client's requirement can be achieved, this phase identifies and evaluates the options to determine the one preferred solution. Requires heavy
Gold Master image
The thing that runs VDI's
BYOD (bring your own device)
The user brings their own personally owned device. This provides more user freedom and lower cost to the organization, but greater risk since the organization does not control, secure, or manage the device.
Agent-based scanning
The vulnerability scanning is conducted using a software application installed locally on each target
Server-based Scanning
The vulnerability scanning is launched from one or more scanning servers against the targets
Virtual machine Sprawl
The widespread proliferation of virtual machines without proper oversight or management.
What do the 4 digits after CVE represent.?
The year the vulnerability was discovered/
IP Scanning Tools
There are many other options for IP scanning tools, ranging from simple options that use netcat to test for open ports to complete tools like the Angry IP Scanner and the Spiceworks IP Scanner. Many others also exist and may be in use in organizations you may work with. They all operate on similar principles: they attempt to connect systems, and then connect to each port on each IP address or system that they are configured to scan and report back what they find.
Network appliances are used to provide security services to networks and systems
There are many types of network appliances. Jump servers and jump boxes provide a secure way to access systems in another security zone. Load balancers spread load among systems and can use different scheduling options as well as operational modes like active/active or active/passive designs. Proxy servers either centralize connections from a group of clients out to a server or from a group of servers out to clients, often as a load-balancing strategy. Content and URL filters limit what information can enter and exit a network based on rules, and data loss prevention systems monitor to ensure that data that shouldn't leave systems or networks is identified and flagged, sent securely, or stopped. NAT gateways allows many systems to use a single public address while preventing inbound connections without special configuration. IDS and IPS devices identify and take action based on malicious behavior, signatures, or anomalies in traffic. HSMs create, store, and manage encryption keys and certificates and can also be used to offload cryptographic processing. Data collection devices like sensors and collectors help with data gathering. Firewalls are used to build security zones and are placed at trust boundaries. UTM devices combine many of these security features and capabilities into a single appliance or system.
Modern enterprises rely on many types of wireless connectivity.
There are many wireless connectivity options for organizations and individuals. Devices may connect via cellular networks, which place the control of the network in the hands of cellular providers. Wi-Fi is widely used to connect devices to organizational networks at high speed, allowing ease of mobility while providing security using enterprise security protocols. NFC and RFID provide short-range, relatively low-bandwidth exchange of data and are used for payment, ID cards, and inventory tagging, among many other purposes. Infrared, although still in use in some areas, is less popular due to its line-of-sight requirements and limited bandwidth in many circumstances.
Single points of failure
These are systems, devices, or other components that, if they fail, would cause an outage. For example, if a server only has one power supply, the failure of that power supply would bring down the server, making it a single point of failure. Adding a redundant power supply to the server resolves that single point of failure.
Legacy systems pose a unique type of risk to organizations.
These outdated systems often do not receive security updates and cybersecurity professionals must take extraordinary measures to protect them against unpatchable vulnerabilities.
Why should an org have proceses for onboarding and offboarding?
These processes ensure that the organization retains control of its assets and handles the granting and revocation of credentials and privileges in an orderly manner.
Internal risks are those risks that originate from within the organization.
They include malicious insiders, mistakes made by authorized users, equipment failures, and similar risks.
MAC Randomization
This adds additional complexity for network administrators who have historically used MAC address, system, and user tracking to ascertain who was using a system when an event or incident occurred. As you consider ways to track MAC cloning and other layer 2 attacks, you need to be aware that what was once considered a consistent pairing of system and MAC address may no longer be valid and that you may need additional log information to match users, systems, and hardware addresses. In addition, although MAC address randomization is supposed to avoid collisions where two devices select and use the same MAC address, it is theoretically possible, and a collision would be indistinguishable from a MAC cloning attack at first glance.
Purpose Limitation
This means that information should be used only for the purpose that it was originally collected and that was consented to by the data subjects.
Spiral Model
This model encourages constant improvements as each phase is repeated several times as the solution becomes more and more complete
Key Space
This represents the total number of possible values of keys in a cryptographic algorithm or other security measure, such as a password.
Installation
This stage focuses on persistent backdoor access for attackers. Defenders must monitor for typical artifacts of a persistent remote shell or other remote access methodologies.
Reconnaisance
This stage identifies targets. Adversaries are planning their attacks and will gather intelligence about the target, including both open source intelligence and direct acquisition of target data via scanning. Defenders must gather data about reconnaissance activities and prioritize defenses based on that information.
Weaponization
This stage involves building or otherwise acquiring a weaponizer, which combines malware and an exploit into a payload that can be delivered to the target. This may require creating decoy documents, choosing the right command-and-control (C2) tool, and other details. The model emphasizes the fact that defenders need to conduct full malware analysis in this stage to understand not only what payload is dropped but also how the weaponized exploit was made. Defenders should also build detections for weaponizers, look at the timeline of when malware was created versus its use, and collect both files and metadata to help them see if the tools are widely shared or closely held and thus potentially very narrowly targeted.
Delivery
This stage occurs when the adversary deploys their tool either directly against targets or via a release that relies on staff at the target interacting with it, such as in an email payload, on a USB stick, or via websites that they visit. Defenders in this stage must observe how the attack was delivered and what was targeted, and then infer what the adversary was intending to accomplish. Retention of logs is critical because it can help you determine what happened and aid in analysis of the attack.
Exploitation
This stage uses a software, hardware, or human vulnerability to gain access. It can involve zero-day exploits and may use either adversary-triggered exploits or victim-triggered exploits. Defense against this stage focuses on user awareness, secure coding, vulnerability scanning, penetration testing, endpoint hardening, and similar activities to ensure that organizations have a strong security posture and very limited attack surface.
DNSEnum
This tool is used to find DNS servers and entries for a domain and can be directed to query a specific DNS server or default to the DNS server the system it is running on relies on.
Managed power distribution units (PDUS)
This type of PDU allows for remotely connecting and monitoring the power. The PDU distributes clean power to multiple resources such as servers, routers, and switches. Good for resilience.
Threat actors come from many different sources.
Threat actors may be very simplistic in their techniques, such as script kiddies using exploit code written by others, or quite sophisticated, such as the advanced persistent threat posed by nation-state actors and criminal syndicates. Hacktivists may seek to carry out political agendas, whereas competitors may seek financial gain. We can group hackers into white-hat, gray-hat, and black-hat categories based on their motivation and authorization.
Role of Security Practitioners in a DevSecOps model.
Threat analysis, comms, planning, testing, feedback and more.
Threat hunting discovers existing compromises.
Threat hunting activities presume that an organization is already compromised and search for indicators of those compromises. Threat hunting efforts include the use of advisories, bulletins, and threat intelligence feeds in an intelligence fusion program. They search for signs that attackers gained initial access to a network and then conducted maneuver activities on that network.
Lots of data coming in to SIEM, whats the answer?
Thresholds. filter rules, and use other methods of managing the sensitivity of the SIEM. Alerts may be set to activate only when an event has happened a certain number of times, or when it impacts specific high-value systems. Or, an alert may be set to activate once instead of hundreds or thousands of times. Regardless of how your SIEM handles sensitivity and thresholds, configuring and managing them so that alerts are sent only on items that need to be alerted on helps avoid alert fatigue and false positives.
How is message integrity enforced?
Through Message digests known as digital signatures.
What is the most common way to build reslience?
Through Redundancy
How does DES generate the ciphertext?
Through a long series of exclusive or XOR ops.
Four Maturity Model Tiers
Tier 1. Partial, Tier 2. Risk Informed. Tier 3, Repeatable Tier 4 Adaptive
Key ROE elements
Timeline, What systems are included/excluded, data handling req's, what behaviors to expect, what resources are committed to the test, legal concerns, when and how comm will occur.
What is perhaps the most important feature in Autopsy?
Timelines
What to be cautious about with TImelines
Timelining capabilities like these rely on accurate time data, and inaccurate time settings can cause problems for forensic timelines. Incorrect time settings, particularly in machines in the same environment, can cause one machine to appear to have been impacted an hour earlier than others, leading practitioners down an incorrect path. Always check to make sure that the timestamps for files and time settings for machines are what you expect them to be before jumping to conclusions about what happened at a specific time!
Patching
Timely patching decreases how long exploits can be used, however most companies won't patch themselves until after release for a few days.
Opal Standard
To ensure you get a secure device, is to id a reputable standard and purchase ones that are validated to meet that standard. For Self Encrypting Drives, the Opal Standard does that.
Why would you want to delay patching the company?
To provide insight into any issues the patch might cause and because orgs may not have resources to patch test. This still leaves them open for attack though.
Exploitation frameworks
Tools used to store information about security vulnerabilities. They are often used by penetration testers (and attackers) to detect and exploit software.
Demonstrate familiarity with emerging issues in cryptography.
Tor uses perfect forward secrecy to allow anonymous communication over the Internet. The blockchain is an immutable distributed public ledger made possible through the use of cryptography. Homomorphic encryption allows the protection of sensitive data while still facilitating computation on that data in a manner that preserves privacy. Quantum computing challenges modern approaches to cryptography and may be a disruptive force in the future.
Logging Protocols and Tools
Traditional Linux logs are sent via syslog, with clients sending messages to servers that collect and store the logs. Over time, other syslog replacements have been created to improve upon the basic functionality and capabilities of syslog. When speed is necessary, the rocket-fast system for log processing, or rsyslog, is an option. It supports extremely high message rates, secure logging via TLS, and TCP-based messages as well as multiple backend database options. Another alternative is syslog-ng, which provides enhanced filtering, direct logging to databases, and support for sending logs via TCP protected by TLS. The enhanced features of syslog replacements like rsyslog and syslog-ng mean that many organizations replace their syslog infrastructure with one of these options. A final option for log collection is NXLog, an open source and commercially supported syslog centralization and aggregation tool that can parse and generate log files in many common formats while also sending logs to analysis tools and SIEM solutions.
Layer 4 of OSI
Transport Layer Transmission of data, error control. EX TCP, UDP
What two malware types often include a backdoor?
Trojans and rootkits/
Related Key attack
Two chosen plaintext attacks run in parallel, but you are using two different but related keys. You would have two streams of text being encrypted into ciphertext by these two keys. Commonly used against wireless network encryption.
Substitution and Transposition
Two processes of Symmetric Key Cryptography The substitution portion is accomplished by XORing the plaintext message with the key. The transposition is done by swapping blocks of the text.
Specialized Mobile Device Security tools
Two tools, MicroSd hardware security modules and SEAandroid
Account types and account policies determine what users can do.
Types of user accounts include users, guests, administrative (privileged) accounts, and service accounts. Accounts are controlled using account policies that determine password complexity, history, and reuse, and whether accounts can be used at specific times, from specific locations, or if there are other requirements for the account. Accounts can also be secured by disabling them when they are no longer needed or if they may not be secure, or by locking them out if authentication fails to help prevent brute-force attacks.
Realms
Typically seperated by trust boundaries and have distinct Kerberos Key distribution centres
Proximity Readers
Typically used with ID cards and contain an NFC or RFID chip to communicate with the reader. Person doesn't need to physically touch the reader. Works in tandem with access lists/access control systems.
Digital Signature Standard DSS
U.S. standard that outlines the approved algorithms to be used for digital signatures for government authentication activities.
UDP flood
UDP floods take advantage of the fact that UDP doesn't use a three-way handshake like TCP does, allowing UDP floods to be executed simply by sending massive amounts of traffic that the target host will receive and attempt to process. Since UDP is not rate limited or otherwise protected and does not use a handshake, UDP floods can be conducted with minimal resources on the attacking systems. UDP floods can be detected using IDSs and IPSs and other network defenses that have a UDP flood detection rule or module. Manual detection of a flood can be done with a packet analyzer as part of a response process, but manual analysis of a live attack can be challenging and may not be timely
UEM (unified endpoint management)
UEM tools combine mobile devices, desktops and laptops, and many other types of devices in a single management platform.
URL redirection
URL redirection can take many forms, depending on the vulnerability that attackers leverage, but one of the most common is to insert alternate IP addresses into a system's hosts file. The hosts file is checked when a system looks up a site via DNS and will be used first, making a modified hosts file a powerful tool for attackers who can change it. Modified hosts files can be manually checked, or they can be monitored by system security antimalware tools that know the hosts file is a common target. In most organizations, the hosts file for the majority of machines will never be modified from its default, making changes easy to spot.
USB data blocker
USB data blockers are used to prevent data transfers to USB drives. This device is connected between the USB charging port and your charging cable and helps to protect access to your data.
USB Data Blocker
USB data blockers that prevent USB data signals from being transferred while still allowing USB charging can be an effective solution.
USB
USB is an important connectivity method for many mobile devices. Since USB is a direct cabled connection, it isn't subject to the same risks that a wireless network is, but it does come with its own concerns. One of the most significant risks that USB connectivity brings to mobile devices is that the device that is connected can then access the mobile device, often as a directly mounted filesystem, and may also be able to perform software or firmware updates or otherwise make changes or gather data from the mobile device. Some organizations ban connecting to USB chargers or using cables or systems to charge from that the organization has not preapproved or issued. Some organizations will issue charge-only USB cables that allow charging but do not have the data pins connected inside the USB cable.
If you want to verify the signature on a message sent by someone else,
USe the senders public key
Badges
Ued for entry via mag stripe or RFID, but also include a pic and other info that can quickly allow a personnel and guards to determine if the person is who they say they are. Makes them a target for social engineering attacks.
Shutting down your websitr
Ultimate risk avoidance when it comes to DDOS
Unauthenticated Modes
Unauthenticated modes do not validate the integrity of the ciphertext, potentially allowing an attack with modified padding in block ciphers. As a security practitioner, be aware that the safe recommendation is to use and implement authenticated modes rather than unauthenticated modes of encryption to prevent these issues.
Unclassified
Unclassified information is information that does not meet the standards for classification under the other categories. Information in this category is still not publicly releasable without authorization.
Understand the shared responsibility model of cloud security.
Under the shared responsibility model of cloud security, cloud customers must divide responsibilities between one or more service providers and the customers' own cybersecurity teams. In an IaaS environment, the cloud provider takes on the most responsibility, providing security for everything below the operating system layer. In PaaS, the cloud provider takes over added responsibility for the security of the operating system itself. In SaaS, the cloud provider is responsible for the security of the entire environment, except for the configuration of access controls within the application and the choice of data to store in the service.
What are some basic defenses against AI attacks?
Understand quality and security of source data, Work with devs to make sure its secure, ensures that changes to algorithms are reviewed tested and documented. Prevent intentional or unintentional bias in algorithms. Engage domain experts when possible.
DevOps
Unity between development and operations team. Software testing is hihgly automated and collaborative.
chkrootkit
Unix malware detection tool that looks for rootkits,sniffers, deleted logs, Trojans, kernel modules
Acquisition from VM
Unlike a server, desktop, or laptop, a virtual machine is often running in a shared environment where removal of the system would cause disruption to multiple other servers and services. At the same time, imaging the entire underlying virtualization host would include more data and systems than may be needed or appropriate for the forensic investigation that is in progress. Fortunately, a virtual machine snapshot will provide the information that forensic analysts need and can be captured and then imported into forensic tools using available tools.
Key things to design your wifi network for
Usability, Performance, Security as well as tuning and palcement
What is another way to harden Endpoints?
Use Naming Convetions or a standardized IP schema
What Do RTU's use?
Use a microprocessor to control a device or collect data from it to pas on to an ICS or SCADA system.
How to find the open ports quick
Use a port scanner to assess which ports are open and prioritize targets./
Symmetric Cryptosystems
Use a shared secret key available to all users of the cryptosystem.
Asymmetric Cryptosystems
Use individual combinations of public and private keys for each user of the system.
Weak Configurations Example
Use of default settings, unsecured accts, open ports, open permissions
Use of preshared keys
Use of preshared keys (PSKs) requires a passphrase or key that is shared with anybody who wants to use the network. This allows traffic to be encrypted but does not allow users to be uniquely identified.
how to erase SSD?
Use secure erase command if supported
If you want to decrypt a message sent to you
Use your private key
Different account types
User, Privleged/Admin, Shared and generic, Guest, service
Ways to Assert or claim Identity
Usernames, Certficates, Tokens, SSH Keys, Smartcards
Virtualization Security
Virtual Machine Escape vulnerabilities, Virtual Machine Sprawl
Cloud Compute Resources
Virtualized Servers, Containers
Reasons for Penetration Testing
Visibility into Orgs security that isnt available byu other means.
Right Protocol For Voice and Video
Voice and video rely on a number of common protocols. Videoconferencing tools often rely on HTTPS, but secure versions of the Session Initiation Protocol (SIP) and the Real-time Transport Protocol (RTP) exist in the form of SIPS and SRTP, which are also used to ensure that communications traffic remains secure.
Vulnerabilities
Vulnerabilities are weaknesses in our systems or controls that could be exploited by a threat.
Nexpose
Vulnerability Scanner whose principal advantage is close integration with Metasploit, allowing for active testing of active discovered vulnerabilities
Vulnerability scans probe systems, applications, and devices for known security issues.
Vulnerability scans leverage application, network, and web application testing to check for known issues. These scans may be conducted in a credentialed or noncredentialed fashion and may be intrusive or nonintrusive, depending on the organization's needs. Analysts reviewing scans should also review logs and configurations for additional context. Vulnerabilities are described consistently using the Common Vulnerabilities and Exploits (CVE) standard and are rated using the Common Vulnerability Scoring System (CVSS).
Wi-Fi Vulnerabiltiies
WPA2 preshared keys can be attacked if they are weak, and WPA passphrase hashes are generated using the SSID and its length. Rainbow tables exist for these SSIDs matched with frequently used passwords, meaning that common network names and weak passwords can be easily leveraged.WPA2 doesn't ensure that encrypted communications cannot be read by an attacker who acquires the preshared key. In other words, WPA2 doesn't implement perfect forward secrecy. Other attacks exist, including attacks on authentication via MS-CHAPv2, attacks on WPS, the quick single-button setup capability that many home Wi-Fi devices have built-in, flaws in the WPA2 protocol's handling of handshakes for reestablishing dropped connections, and even flaws in the newest WPA3 protocol that result in the potential for successful downgrade attacks and handshake protocol issues.
Software Dev Models
Waterfall, Spiral, Agile.
Threat actors differ in several key attributes.
We can classify threat actors using four major criteria. First, threat actors may be internal to the organization, or they may come from external sources. Second, threat actors differ in their level of sophistication and capability. Third, they differ in their available resources and funding. Finally, different threat actors have different motivations and levels of intent.
Code Repositories
Web-based tool programmers use to archive and host source code; often used by open source projects so that developers can access the parts of the code they want to modify.
Weighted Least
Weighted least connection uses the least connection algorithm combined with a predetermined weight value for each server.
Weighted Response Time
Weighted response time combines the server's current response time with a weight value to assign it traffic.
The end of the data lifecycle may require secure destruction.
When a device or media is retired, it may need to be securely destroyed to prevent data loss. A variety of techniques exist, including burning, shredding, or pulping paper media, or shredding, pulverizing, or degaussing devices and magnetic media. Using the appropriate solution will help prevent data from being exposed when a system or media is retired or sold. Third parties perform these services and can provide destruction receipts and other documentation to ensure that the destruction was done properly without organizations having to maintain the capability on their own.
Virtual machine Escape
When a user (or malware) is able to break out of a VM's isolation (or lack thereof) and gain access to the hosting computer.
Tailgating
When an unauthorized individual enters a restricted-access building by following an authorized user.
Secret Key Cryptography
Where a single key is sent with the message to another user for the receiver to decode the message.
Implementation Decisions for VPN
Whether it will be used for remote access or a site to site vpn, the other is whether they will be a split tunnel or full tunnel vpn
Important diff between CSF and RMF
While both are mandatory for government, only the CSF is commonly used in private industry.
Deauthers vs Jamming
Wi-Fi deauthers are often incorrectly called jammers. A deauther will send deauthentication frames, whereas a jammer sends out powerful traffic to drown out traffic. Jammers are generally prohibited in the United States by FCC regulations, whereas deauthers are not since they operate within typical wireless power and protocol norms.
Open wifi in WPA3
Wi-Fi enchanced Open Certification
WPA2
WiFi Protected Access 2. Has 2 major usage modes. WPA-Personal And WPA -Enterprise
Exploit Weak Keys
Wireless Equivalent Privacy (WEP) is easy to exploit as it uses an improper implementation of the RC4 encryption algorithm
How do CASBS operate?
With 2 diff approaches. Inline and API CASB
How is Agile different from waterfall and spiral?
Work is broken up in to short sessions called sprints that last a few days to weeks.
How does Transposition work?
Write message by placing successive chars in next row until you get to the bottom of the column. Then to get cipher text read rows across. Decrypt by reconstructing and reading down.
Security Assertion Markup Language (SAML)
XML based open standard for exchanging authentication and authorization info. SAML is often used between id providers and service providers for web based apps.
Do viruses have a trigger?
Yes
Does Asymmetric Keys provide support for digital signature tech?
Yes
Does rbac support multiple roles for subjects?
Yes
Do vendors also have to sign NDAS
Yes they have to sign NDAS
Despite IOT Concerns, do they continue to grow in popularity?
Yes!
Can Antimalware give false positives?
Yes, some legitimate tools are RAT's (Remote Access Trojans) and therefore can be false positived.
Can backdoors be used for good?
Yes, some software and hardware manufacturers use them to provide ongoing access.
Is Securing the SIM important?
Yes. Documented examples of SIMs being removed and repurposed, including running up significant bills for data use after they were acquired, appear regularly in the media. SIM cloning attacks can also allow attackers to present themselves as the embedded system, allowing them to both send and receive information as a trusted system.
Asset Value (AV)
Your organization uses that server to send email messages to customers offering products for sale. It generates $1,000 in sales per hour that it is in operation. After consulting threat intelligence sources, you believe that a DoS attack is likely to occur three times a year and last for three hours before you are able to control it. The asset in this case is not the server itself, because the server will not be physically damaged. The asset is the ability to send email and you have already determined that it is worth $1,000 per hour. The asset value for three hours of server operation is, therefore, $3,000.
Radio Frequency
Zigbee is one example of a network protocol that is designed for personal area networks like those found in houses for home automation. Protocols like Zigbee and Z-wave provide low-power, peer-to-peer communications for devices that don't need the bandwidth and added features provided by Wi-Fi and Bluetooth. That means that they have limitations on range and how much data they can transfer, and that since they are designed for home automation and similar uses they do not have strong security models. As a security practitioner, you should be aware that devices that communicate using protocols like Zigbee may be deployed as part of building monitoring or other uses and are unlikely to have enterprise management, monitoring, or security capabilities.
pathping
a Windows tool that also traces the route to a destination while providing information about latency and packet loss. calculates data over a time, rather than a single traversal of a path, providing some additional insight into what may be occurring on a network, but it can be significantly slower because each hop is given 25 seconds to gather statistical data.`
Port Security
a capability that allows you to limit the number of MAC addresses that can be used on a single port. This prevents a number of possible problems, including MAC (hardware) address spoofing, content-addressable memory (CAM) table overflows, and in some cases, plugging in additional network devices to extend the network. Although port security implementations vary, most port security capabilities allow you to either dynamically lock the port by setting a maximum number of MAC addresses or statically lock the port to allow only specific MAC addresses. Although this type of MAC filtering is less nuanced and provides less information than NAC does, it remains useful.
Trusted Platform Module
a chip designed to secure hardware by storing encryption keys, digital certificates, passwords, and data specific to the host system for hardware authentication
Request Forgery
a class of attack where a user performs a state-changing action on behalf of another user, typically without their knowledge.
Private Cloud
a cloud that is owned and operated by an organization for its own benefit
dd
a command-line utility that allows you to create images for forensic or other purposes. The dd command line takes input such as an input location (if), an output location (of), and flags that describe what you want to do, such as create a complete copy despite errors. To copy a drive mounded as /dev/sda to a file called example.img, you can execute a command like the following: dd if=/dev/sda of=example.imgconv=noerror,sync Additional settings are frequently useful to get better performance, such as setting the block size appropriate for the drive. If you want to use dd for forensic purposes, it is worth investing additional time to learn how to adjust its performance using block size settings for the devices and interfaces that you use for your forensic workstation.
Key Escrow
a control procedure whereby a trusted party is given a copy of a key used to encrypt database data
Continuity of Operation Planning (COOP)
a federally sponsored program in the United States that is part of the national continuity program. COOP defines the requirements that government agencies need to meet to ensure that continuity of operations can be ensured. Those requirements include how they will ensure their essential functions, the order of succession for the organization so that staff know who will be in charge and who will perform necessary functions, how the authority will be delegated, how disaster recovery can function using continuity facilities, and a variety of other requirements. COOP defines how federal agencies build complete disaster recovery and business continuity plan.
Field Programmable Gate Array (FPGA)
a type of computer chip that can be programmed to redesign how it works, allowing it to be a customizable chip. A manufacturer that chooses to use these can program it to perform specific tasks with greater efficiency than a traditional purpose-built chip. This alone is not an embedded system, however. Systems may integrate these as a component in an embedded system or as the program processor inside of one. If an embedded system integrates this, you need to be aware that it could potentially be reprogrammed.
Card Cloning
acquired information from a skimmer that can be made into a duplicate card, most commonly found when duplicating gift cards, can't duplicate chips, only magnetic strips
Common Password combos
administrator/password, admin/password, admin/admin
Block Storage
allocates large volumes of storage for use by Virtual Server Instances. These volumes are then formatted as virtual disks by the OS.q
Software defined networking movement
allow engineers to interact with and modify cloud resources through teir API;s
VPC endpoint
allows connection of VPCs to each other using the cloud provider's secure network backbone.
SSL Stripping
an attack that in modern implementations removes TLS encryption to read the contents of traffic that is intended to be sent to a trusted endpoint. A typical SSL stripping attack occurs in three phases: A user sends an HTTP request or a web page. The server responds with a redirect to the HTTPS version of the page. The user sends an HTTPS request for the page they were redirected to, and the website loads. An SSL stripping attack uses an on-path attack when the HTTP request occurs, redirecting the rest of the communications through a system that an attacker controls, allowing the communication to be read or possibly modified. Although SSL stripping attacks can be conducted on any network, one of the most common implementations is through an open wireless network, where the attacker can control the wireless infrastructure and thus modify the traffic that passes through their access point and network connection.
Directory Traversal Attack
an attack that involves navigating to other directories an gaining access to files and directories that would otherwise be restricted
Sn1per
an automated scanning tool that combines multiple tools for penetration testers, including reconnaissance via WhoIs, DNS, and ping; port scanning and enumeration;
in PaaS what is a shared responsibility betwen vendor and customer?
application
The Sarbanes-Oxley (SOX) Act
applies to the financial records of U.S. publicly traded companies and requires that those companies have a strong degree of assurance for the IT systems that store and process those records.
Regulatory and Jurisdiction concerns,
are also a significant element in the adoption of cloud services. Regulatory requirements may vary depending on where the cloud service provider operates and where it is headquartered. The law that covers your data, services, or infrastructure may not be the laws that you have in your own locality, region, or country. In addition, jurisdictional concerns may extend beyond which law covers the overall organization. Cloud providers often have sites around the world, and data replication and other services elements mean that your data or services may be stored or used in a similarly broad set of locations. Local jurisdictions may claim rights to access that data with a search warrant or other legal instrument. Organizations that have significant concerns about this typically address it with contractual terms, through service choices that providers make available to only host data or systems in specific areas or countries, and by technical controls such as handling their own encryption keys to ensure that they know if the data is accessed.
Threats
are any possible events that might have an adverse impact on the confidentiality, integrity, and/or availability of our information or information systems.
Default configurations,vulnerabilities, lack of patching, and similar issues
are common with specialized systems, much the same as with other embedded systems. When you assess specialized systems, consider both how to limit the impact of these potential problems and the management, administration, and incident response processes that you would need to deal with them for your organization.
Communication plans
are critical to incident response processes. A lack of communication, incorrect communication, or just poor communication can cause significant issues for an organization and its ability to conduct business. At the same time, problematic communications can also make incidents worse, as individuals may not know what is going on or may take undesired actions, thinking they are doing the right thing due to a lack of information or with bad or partial information available to them. Because of the importance of getting communication right, communication plans may also need to list roles, such as who should communicate with the press or media, who will handle specific stakeholders, and who makes the final call on the tone or content of the communications.
Clean Desk Policies
are designed to protect the confidentiality of sensitive information by limiting the amount of paper left exposed on unattended employee desks. Organizations implementing a clean desk policy require that all papers and other materials be secured before an employee leaves their desk.
Content Filters
are devices or software that allow or block traffic based on content rules. These can be as simple as blocking specific URLs, domains, or hosts, or they may be complex, with pattern matching, IP reputation, and other elements built into the filtering rules. Like other technologies, they can be configured with allow or deny lists as well as rules that operate on the content or traffic they filter
Data custodians
are individuals or teams who do not have controller or stewardship responsibility but are responsible for the secure safekeeping of information. For example, a data controller might delegate responsibility for securing PII to an information security team. In that case, the information security team serves as a data custodian.
Data stewards
are individuals who carry out the intent of the data controller and are delegated responsibility from the controller.
Assessments
are less formal reviews of security controls that are typically requested by the security organization itself in an effort to engage in process improvement. During an assessment, the assessor typically gathers information by interviewing employees and taking them at their word, rather than preforming the rigorous independent testing associated with an audit.
DMZs, or demilitarized zones
are network zones that contain systems that are exposed to less trusted areas. DMZs are commonly used to contain web servers or other Internet-facing devices but can also describe internal purposes where trust levels are different.
Honeynets
are networks set up and instrumented to collect information about network attacks. In essence, a honeynet is a group of honeypots set up to be even more convincing and to provide greater detail on attacker tools due to the variety of systems and techniques required to make it through the network of systems.
Stakeholder Management Plans
are related to communication plans and focus on groups and individuals who have an interest or role in the systems, organizations, or services that are impacted by an incident. Stakeholders can be internal or external to an organization and may have different roles and expectations that need to be called out and addressed in the stakeholder management plan. Many stakeholder management plans will help with prioritization of which stakeholders will receive communications, what support they may need, and how they will be provided, with options to offer input or otherwise interact with the IR process, communications and support staff, or others involved in the response process.
Web Application Firewalls (WAF)s
are security devices that are designed to intercept, analyze, and apply rules to web traffic, including tools such as database queries, APIs, and other web application tools. In many ways, a WAF is easier to understand if you think of it as a firewall combined with an intrusion prevention system. They provide deeper inspection of the traffic sent to web servers looking for attacks and attack patterns and then apply rules based on what they see. This allows them to block attacks in real-time, or even modify traffic sent to web servers to remote potentially dangerous elements in a query or request.
Data processors
are service providers that process personal information on behalf of a data controller. For example, a credit card processing service might be a data processor for a retailer. The retailer retains responsibility as the data controller but uses the service as a data processor.
External risks
are those risks that originate from a source outside the organization. This is an extremely broad category of risk, including cybersecurity adversaries, malicious code, and natural disasters, among many other types of risk.
Authentication Logs
are useful to determine when an account was logged into and may also show privilege use, login system or location, incorrect password attempts, and other details of logins and usage that can be correlated to intrusions and misuse.
Service level agreements (SLA).
are written contracts that specify the conditions of service that will be provided by the vendor and the remedies available to the customer if the vendor fails to meet the SLA. SLAs commonly cover issues such as system availability, data durability, and response time
Why do Lengthy Security policies become quickly outdated?
as necessary changes to individual requirements accumulate and become neglected because staff are weary of continually publishing new versions of the policy.
The Framework Implementation
assesses how an organization is positioned to meet cybersecurity objectives. . In the case of the NIST maturity model, organizations are assigned to one of four maturity model tiers
Address Resolution Protocol (ARP) poisoning
attacks send malicious ARP packets to the default gateway of a network with the intent of changing the pairings of MAC addresses to IP addresses that the gateway maintains. Attackers will send ARP replies that claim that the IP address for a target machine is associated with their MAC address, causing systems and the gateway to send traffic intended for the target system to the attacker's system. Attackers can use this to conduct on-path attacks by then relaying the traffic to the target system, or they can simply collect and use the traffic they receive. ARP poisoning can also be used to create a denial of service by causing traffic not to reach the intended system. ARP poisoning can be detected by tools like Wireshark as well as purpose-built network security devices that perform protocol analysis and network monitoring.
Protected Extensible Authentication Protocol (PEAP)
authenticates servers using a certificate and wraps EAP using a TLS tunnel to keep it secure. Devices on the network use unique encryption keys, and Temporal Key Integrity Protocol (TKIP) is implemented to replace keys on a regular basis
Internet of Things (IOT)
broad term that describes network-connected devices that are used for automation, sensors, security, and similar tasks. IoT devices are typically a type of embedded system, but many leverage technologies like machine learning, AI, cloud services, and similar capabilities to provide "smart" features.
DNSSEC (Domain Name System Security Extensions)
can be used to help close some of these security gaps. DNSSEC provides authentication of DNS data, allowing DNS queries to be validated even if they are not encrypted.
Network Traffic and logs
can provide detailed information or clues about what was sent or received, when, and via what port and protocol amongst other useful details.
How does NAC do its job?
can use a software agent that is installed on the computer to perform security checks. Or the process may be agentless and run from a browser or by another means without installing software locally. Capabilities vary, and software agents typically have a greater ability to determine the security state of a machine by validating patch levels, security settings, antivirus versions, and other settings and details before admitting a system to the network. Some NAC solutions also track user behavior, allowing for systems to be removed from the network if they engage in suspect behaviors.
chmod
change permissions
Domain Hijacking
changes the registration of a domain, either through technical means like a vulnerability with a domain registrar or control of a system belonging to an authorized user, or through nontechnical means such as social engineering. The end result of domain hijacking is that the domain's settings and configuration can be changed by an attacker, allowing them to intercept traffic, send and receive email, or otherwise take action while appearing to be the legitimate domain holder. Domain hijacking isn't the only way that domains can be acquired for malicious purposes. In fact, many domains end up in hands other than those of the intended owner because they are not properly renewed. Detecting domain hijacking can be difficult if you are simply a user of systems and services from the domain, but domain name owners can leverage security tools and features provided by domain registrars to both protect and monitor their domains.
How to detect backdoors
check for open ports and services.
Mobile metadata is
collected by phones and other mobile devices as they are used. It can include call logs, SMS and other message data, data usage, GPS location tracking, cellular tower information, and other details found in call data records. Mobile metadata is incredibly powerful because of the amount of geospatial information that is recorded about where the phone is at any point during each day.
Toolchains
collections of tools to improve coding, building and test, packaging, release, config and config management. Used with Dev Ops
Interactive Testing
combines static and dynamic testing, analyzing the source code while testers interact with the application through exposed interfaces
Split Knowledge
combines the concepts of sep of duties and 2-person control into a single solution -the info/privilege required to perform an operation should be divided among 2 or more users -ensures no single person has sufficient priv's to compromise the sec of the environment
Dictionary Attacks
compare passwords to a list of common words, and can search for multiword phrase combinations
Embedded systems
computer systems that are built into other devices. Industrial machinery, appliances, and cars are all places where you may have encountered embedded systems. often highly specialized, running customized operating systems and with very specific functions and interfaces that they expose to users. In a growing number of cases, however, they may embed a relatively capable system with Wi-Fi, cellular, or other wireless access that runs Linux or a similar, more familiar operating system.
Kerchoff Principle
concept that makes algorithms known and public, allowing anyone to examine and test them. -a cryptographic system should be secure even if everything is known about the system (except key)
Protecting against SSL Stripping
configuring systems to expect certificates for sites to be issued by a known certificate authority and thus preventing certificates for alternate sites or self-signed certificates from working. Redirects to secure websites are also a popular target for attackers, since unencrypted requests for the HTTP version of a site could be redirected to a site of the attacker's choosing to allow for an on-path attack. The HTTP Strict Transport Security (HSTS) security policy mechanism is intended to prevent attacks like these that rely on protocol downgrades and cookie jacking by forcing browsers to connect only via HTTPS using TLS. Unfortunately, HSTS only works after a user has visited the site at least once, allowing attackers to continue to leverage on-path attacks. Attacks like these, as well as the need to ensure user privacy, have led many websites to require HTTPS throughout the site, reducing the chances of users visiting an HTTP site that introduces the opportunity for an SSL stripping attack. Browser plug-ins like the Electronic Frontier Foundation's HTTPS Everywhere can also help ensure that requests that might have travelled via HTTP are instead sent via HTTPS automatically.
How are Inherent and Residual risk as well as risk appetite linked?
connected by the way that an organization manages risk. An organization begins with its inherent risk and then implements risk management strategies to reduce that level of risk. It continues doing so until the residual risk is at or below the organization's risk appetite.
WLAN Controllers
controllers to help managed access points and the organization's wireless network. They offer additional intelligence and monitoring; allow for software-defined wireless networks; and can provide additional services, such as blended Wi-Fi and 5G wireless roaming. Wireless controllers can be deployed as hardware devices, as a cloud service, or as a virtual machine or software package. Not all organizations will deploy a wireless controller. Small and even mid-sized organizations may choose to deploy standalone access points to provide wireless network access.
The Gramm-Leach-Bliley Act (GLBA)
covers U.S. financial institutions, broadly defined. It requires that those institutions have a formal security program and designate an individual as having overall responsibility for that program.
Wi-Fi
covers a range of wireless protocols that are used to provide wireless networking. Wi-Fi primarily relies on the 2.4 GHz and 5 GHz radio bands and uses multiple channels within those bands to allow multiple networks to coexist. Wi-Fi signals can reach to reasonably long ranges, although the frequencies Wi-Fi operates on are blocked or impeded by common obstacles like walls and trees. Despite those impediments, one of the most important security concerns with Wi-Fi networks is that they travel beyond the spaces that organizations own or control.
Smart meters
deployed to track utility usage, and bring with them a wireless control network managed by the utility. Since the meters are now remotely accessible and controllable, they provide a new attack surface that could interfere with power, water, or other utilities, or that could provide information about the facility or building
Framework Profiles
describe how a specific organization might approach the security functions covered by the Framework Core. An organization might use a framework profile to describe its current state and then a separate profile to describe its desired future state.
Change management and change control policies that
describe how the organization will review, approve, and implement proposed changes to information systems in a manner that manages both cybersecurity and operational risk.
The Diamond Model of Intrusion Analysis
describes a sequence where an adversary deploys a capability targeted at an infrastructure against a victim. In this model, activities are called events, and analysts label the vertices as events are detected or discovered. The model is intended to help analysts discover more information by highlighting the relationship between elements by following the edges between the events.
Code of conduct/ethics that
describes expected behavior of employees and affiliates and covers situations not specifically addressed in policy.
Disassociation
describes what happens when a device disconnects from an access point. Many wireless attacks work better if the target system can be forced to disassociate from the access point that it is using when the attack starts. That will cause the system to attempt to reconnect, providing an attacker with a window of opportunity to set up a more powerful evil twin or to capture information as the system tries to reconnect. The best way for attackers to force a system to disassociate is typically to send a de-authentication frame, a specific wireless protocol element that can be sent to the access point by spoofing the victim's wireless MAC address. When the AP receives it, it will disassociate the device, requiring it to then reconnect to continue. Since management frames for networks that are using WPA2 are often not encrypted, this type of attack is relatively easy to conduct. WPA3, however, requires protected management frames and will prevent this type of deauthentication attack from working.
User Acceptance Testing
determine if the system satisfies the user and business requirements
Unified Threat Management (UTM)
devices frequently include firewall, IDS/IPS, antimalware, URL, and email filtering and security, data loss prevention, VPN, and security monitoring and analytics capabilities. The line between UTM and NGFW devices can be confusing, and the market continues to narrow the gaps between devices as each side offers additional features. UTM appliances are frequently deployed at network boundaries, particularly for an entire organization or division. Since they have a wide range of security functionality, they can replace several security devices while providing a single interface to manage and monitor them. They also typically provide a management capability that can handle multiple UTM devices at once, allowing organizations with several sites or divisions to deploy UTM appliances to protect each area while still managing and monitoring them centrally.
Artifacts
devices, printouts, media, and other items related to investigations can all provide additional useful forensic data.
Open Shortest Path First (OSPF)
does integrate some security features, including MD5-based authentication, although it is not turned on by default. Like other authenticated protocols, OSPF does not secure the actual data, but it does validate that the data is complete and from the router it is expected to be from.
MAC cloning
duplicates the media access control address (hardware address) of a device. Tools like the Linux macchanger and iproute2 allow a system's MAC address to be manually changed. Attackers may choose to do this to bypass MAC address-restricted networks or to acquire access that is limited by MAC address. MAC cloning can be hard to detect without additional information about systems from a source other than network devices. Network access control (NAC) capabilities or other machine authentication and validation technologies can help identify systems that are presenting a cloned or spurious MAC address.
EAP Tunneled Transport Layer Security (EAP-TTLS)
extends EAP-TLS, and unlike EAP-TLS, it does not require that client devices have a certificate to create a secure session. This removes the overhead and management effort that EAP-TLS requires to distribute and manage endpoint certificates while still providing TLS support for devices. A concern for EAP-TTLS deployments is that EAP-TTLS can require additional software to be installed on some devices, whereas PEAP, which provides similar functionality, does not. EAP-TTLS does provide support for some less secure authentication mechanisms, meaning that there are times where it may be implemented due to specific requirements.
Inherent Risk
facing an organization is the original level of risk that exists before implementing any controls. Inherent risk takes its name from the fact that it is the level of risk inherent in the organization's business.
Stateless Firewall (Packet Filters)
filter every packet based on data such as the source and destination IP and port, the protocol, and other information that can be gleaned from the packet's headers. They are the most basic type of firewall.
General idea of Compensating control
finds alternative means to achieve an objective when the organization cannot meet the original control requirement. Compensating controls balance the fact that it simply isn't possible to implement every required security control in every circumstance with the desire to manage risk to the greatest feasible degree.
Media Access Control
flooding targets switches by sending so many MAC addresses to the switch that the CAM or MAC table that stores pairings of ports and MAC addresses is filled. Since these tables have a limited amount of space, flooding them results in a default behavior that sends out traffic to all ports when the destination is not known to ensure traffic continues to flow. Attackers can then capture that traffic for their own purposes. MAC flooding can be prevented by using port security, which limits how many MAC addresses can be learned for ports that are expected to be used by workstations or devices. In addition, tools like NAC or other network authentication and authorization tools can match MAC addresses to known or authenticated systems.
Business Continuity Plans
focus on keeping an organizational functional when misfortune or incidents occur. In the context of IR processes, BC plans may be used to ensure that systems or services that are impacted by an incident can continue to function despite any changes required by the IR process. That might involve ways to restore or offload the services or use of alternate systems. Business continuity plans have a significant role to play for larger incidents, whereas smaller incidents may not impact an organization's ability to conduct business in a significant way.
Dynamic Host Configuration Protocol (DHCP) snooping
focuses on preventing rogue DHCP servers from handing out IP addresses to clients in a managed network. DHCP snooping drops messages from any DHCP server that is not on a list of trusted servers, but it can also be configured with additional options such as the ability to block DHCP messages where the source MAC and the hardware MAC of a network card do not match. A final security option is to drop messages releasing or declining a DHCP offer if the release or decline does not come from the same port that the request came from, preventing attackers from causing a DHCP offer or renewal to fail.
MAM tools
focuses specifically on the applications that are deployed to mobile devices. Common features include application delivery, configuration, update and version management, performance monitoring and analytics, logging, and data gathering, as well as various controls related to users and authentication. Although MAM products are in use in some organizations, they are becoming less common as more full-featured MDM and UEM tools take over the market to provide more control of mobile devices.
Application Logs
for Windows include information like installer information for applications, errors generated by applications, license checks, and any other logs that applications generate and send to the application log.
Security Logs
for Windows systems store information about failed and successful logins, as well as other authentication log information. Authentication and security logs for Linux systems are stored in /var/log/auth.log and /var/log/secure.
Core Features of Diamond Model
for an event, which are the adversary, capability, infrastructure, and victim (the vertices of the diamond)
Audits
formal reviews of an organization's security program or specific compliance issues conducted on behalf of a third party. Audits require rigorous, formal testing of controls and result in a formal statement from the auditor regarding the entity's compliance. Audits may be conducted by internal audit groups at the request of management or by external audit firms, typically at the request of an organization's governing body or a regulator.
FTK Imager
free tool for creating forensic images. It supports raw (dd)-style format as well as SMART (ASR Data's format for their SMART forensic tool), E01 (EnCase), and AFF (Advanced Forensics Format) formats commonly used for forensic tools. Understanding what format you need to produce for your analysis tool and whether you may want to have copies in more than one format is important when designing your forensic process. Physical drives, logical drives, image files, and folders, as well as multi-CD/DVD volumes are all supported by FTK Imager. In most cases, forensic capture is likely to come from a physical or logical drive.
Where are NAT gateways frequently used?
frequently used for cloud infrastructure as a service environment where private addresses are used for internal networking. A NAT gateway service can be used to allow systems to connect to the Internet. Since NAT gateways do not allow external systems to initiate inbound connections unless rules are specifically put in place to allow it, they can allow secure outbound access without creating additional risks to the systems behind the gateway.
Snapshots
from virtual machines are an increasingly common artifact that forensic practitioners must deal with.
ISO 27002
goes beyond control objectives and describes the actual controls that an organization may implement to meet cybersecurity objectives. ISO designed this supplementary document for organizations that wish to Select information security controls Implement information security controls Develop information security management guidelines
Preparation
his phase, you build the tools, processes, and procedures to respond to an incident. That includes building and training an incident response team, conducting exercises, documenting what you will do and how you will respond, and acquiring, configuring, and operating security tools and incident response capabilities.
Compensating Controls
idea used by many exception processes to mitigate the risk associated with exceptions to security standards. The Payment Card Industry Data Security Standard (PCI DSS) has a great exampke.
What does an example playbook for malware look like?
identification stage might include identifying indicators of compromise using antimalware and antivirus software, packet captures, and network traffic analysis, and then a path forward to a containment stage with steps for that stage as well.
Structure of the framework Core
identify, protect, detect, respond, recover
What makes digital forensics legally admisisble?
if it is offered to prove the facts of a case and it does not violate the law. To determine if the evidence is admissible, criteria such as the relevance and reliability of the evidence, whether the evidence was obtained legally, and whether the evidence is authentic, are all applied. Evidence must be the best evidence available, and the process and procedures should stand up to challenges in the court.
Rf and protocol attacks
if you wanna use an evil twin or disconnect a system from wireless you have to use Disassociation or Jamming.
Stored Procedures
implementation of parameterized queries.
The General Data Protection Regulation (GDPR)
implements security and privacy requirements for the personal information of European Union residents worldwide.
Auditability
important component of cloud governance. Coud computing contracts should include language guaranteeing the right of the customer to audit cloud service providers. Use of Auditing is essential to providing customers with the assurance that the provider is operating in a secure manner and meeting its contractual data protection obligations.,
System Logs
include everything from service changes to permission issues. The Windows system log tracks information generated by the system while it is running.
Printers
including multifunction printers (MFPs), frequently have network connectivity built in. Wireless and wired network interfaces provide direct access to the printers, and many printers have poor security models. Printers have been used as access points to protected networks, to reflect and amplify attacks, and as a means of gathering information. In fact, MFPs, copiers, and other devices that scan and potentially store information from faxes, printouts, and copies make these devices a potentially significant data leakage risk in addition to the risk they can create as vulnerable networked devices that can act as reflectors and amplifiers in attacks, or as pivot points for attackers.
Cloud Auditors
independent orgs that provide 3rd party assessments of cloud services and operations.
Secret
information requires a substantial degree of protection. The unauthorized disclosure of Secret information could reasonably be expected to cause serious damage to national security.
Confidential
information requires some protection. The unauthorized disclosure of Confidential information could reasonably be expected to cause identifiable damage to national security.
Top Secret
information requires the highest degree of protection. The unauthorized disclosure of Top Secret information could reasonably be expected to cause exceptionally grave damage to national security.
Reflected XSS
injected code is bounced or reflected off a web server in the form of an error message or other result
Firmware
is a less frequently targeted forensic artifact, but knowing how to copy the firmware from a device can be necessary if the firmware was modified as part of an incident or if the firmware may have forensically relevant data. Firmware is often accessible using a hardware interface like a serial cable or direct USB connection, or via memory forensic techniques.
RFID
is a relatively short-range (from less than a foot of some passive tags to about 100 meters for active tags) wireless technology that uses a tag and a receiver to exchange information. RFID may be deployed using either active tags, which have their own power source and always send signals to be read by a reader; semi-active tags, which have a battery to power their circuits but are activated by the reader; or passive tags, which are entirely powered by the reader.
Risk avoidance
is a risk management strategy where we change our business practices to completely eliminate the potential that a risk will materialize. Risk avoidance may initially seem like a highly desirable approach. After all, who wouldn't want to eliminate the risks facing their organization? There is, however, a major drawback. Risk avoidance strategies typically have a serious detrimental impact on the business.
SEAndroid
is a version of Security Enhanced Linux for Android devices. SEAndroid provides the ability to enforce mandatory access control on Android devices. That means that Android processes of all types can be better compartmentalized, limiting exploits as well as helping to secure system services, system and application data, and logs.Like many security systems, any action that isn't explicitly allowed is denied—a default deny system. SEAndroid operates in an enforcement mode that logs any permission denials that occur in addition to enforcing them. SEAndroid allows a broad range of policies to be implemented on Android devices.
nmap
is a very popular port scanning tool available for both Windows and Linux. It can scan for hosts, services, service versions, and operating systems, and it can provide additional functionality via scripts. Basic nmap usage is quite simple: nmap [ hostname or IP address] will scan a system or a network range. Additional flags can control the type of scan, including TCP connect, SYN, and other scan types, the port range, and many other capabilities.
Nesssus
is a vulnerability scanning tool. Although nmap will simply identify the port, protocol, and version of a service that is running, Nessus will attempt to identify whether the service is vulnerable and will provide a full report of those vulnerabilities with useful information, including references to documentation and fixes. Alternatives to Nessus such as the open source OpenVAS and commercial tools like Rapid7's Nexpose are also commonly deployed in addition to Nessus, but the Security exam outline focuses on Nessus.
Vulnerability scan output
is another form of data that can be pulled into incident analysis activities. Scans can provide clues about what attackers may have targeted, changes in services, or even suddenly patched issues due to attackers closing a hole behind them.
IPSec (Internet Protocol Security)
is more than just a single protocol. In fact, IPSec is an entire suite of security protocols used to encrypt and authenticate IP traffic. The Security exam outline focuses on two components of the standard: Authentication header (AH) and Encapsulated Security Payload (ESP) . Frequently used for VPns where it is used in tunnel mode to create a secure network between 2 locations
Segmentation
is often employed before an incident occurs to place systems with different functions or data security levels in different zones or segments of a network. Segmentation can also be done in virtual and cloud environments. In essence, segmentation is the process of using security, network, or physical machine boundaries to build a separation between environments, systems, networks, or other components. Incident responders may choose to use segmentation techniques as part of a response process to move groups of systems or services so that they can focus on other areas. You might choose to segment infected systems away from the rest of your network or to move crucial systems to a more protected segment to help protect them during an active incident.
The National Institute for Standards and Technology (NIST)
is responsible for developing cybersecurity standards across the U.S. federal government. The guidance and standard documents they produce in this process often have wide applicability across the private sector and are commonly referred to by nongovernmental security analysts due to the fact that they are available in the public domain and are typical of very high quality. In 2018, NIST released version 1.1 of a Cybersecurity Framework (CSF) designed to assist organizations attempting to meet one or more of the following five objectives: Describe their current cybersecurity posture. Describe their target state for cybersecurity. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process. Assess progress toward the target state. Communicate among internal and external stakeholders about cybersecurity risk.
Key Element of Digital Forensics
is the acquisition and analysis of digital forensic data. That data can be in the form of drives, files, copies of live memory, and any of the other multitude of digital artifacts that we create in the normal process of using computers and networks. Since forensic information can be found in many different places, planning forensic information gathering is crucial to having a complete and intact picture of what occurred. Gathering that forensic data is just the start of a process that involves careful documentation and detailed analysis.
The Recovery Point Objective (RPO)
is the amount of data that the organization can tolerate losing during an outage
The Recovery Time Objective (RTO)
is the amount of time that the organization can tolerate a system being down before it is repaired. The service team is meeting expectations when the time to repair is less than the RTO.
The Mean Time to Repair (MTTR)
is the average amount of time to restore a system to its normal operating state after a failure.
Disaster Recovery Plan (DRP)
is the discipline of developing plans to recover operations as quickly as possible in the face of a disaster. The disaster recovery planning process creates a formal, broad disaster recovery plan for the organization and, when required, develops specific functional recovery plans for critical business functions. The goal of these plans is to help the organization recover normal operations as quickly as possible in the wake of disruption.
Risk acceptance
is the final risk management strategy and it boils down to deliberately choosing to take no other risk management strategy and to simply continue operations as normal in the face of the risk. A risk acceptance approach may be warranted if the cost of mitigating risk is greater than the impact of the risk itself.
Risk mitigation
is the process of applying security controls to reduce the probability and/or magnitude of a risk. Risk mitigation is the most common risk management strategy and the vast majority of the work of security professionals revolves around mitigating risks through the design, implementation, and management of security controls. Many of these controls involve engineering tradeoffs between functionality, performance, and security.
residual risk .
is the risk that remains after an organization implements controls designed to mitigate, avoid, and/or transfer the inherent risk
Bluesnarfing
is unauthorized access to a Bluetooth device, typically aimed at gathering information like contact lists or other details the device contains. Unfortunately, there aren't many security steps that can be put in place for most Bluetooth devices.
route
is used to display and modify a system's routing tables. As with many of the other tools listed here, route's functionality and flags are different between Windows and Linux. Both tools have similar underlying functionality for adding, displaying, and removing routes despite the command-line differences.
tcpdump info
it can capture packets using a variety of filtering and output options. Since network traffic can be high volume, capturing to a file is often a good idea with tcpdump. A typical tcpdump command line that captures TCP port 80 traffic from the primary network interface for a Linux system to a PCAP file looks like this: tcpdump -w capture.pcap -i eth0 tcp port 80
Bluetooth
like Wi-Fi and many other technologies, it operates in the 2.4 GHz range, which is used for many different wireless protocols. Bluetooth is primarily used for low-power, short-range (less than 100 meters and typically 5-30 meters) connections that do not have very high bandwidth needs. Bluetooth devices are usually connected in a peer-to-peer rather than a client-server model. Since Bluetooth is designed and implemented to be easy to discover, configure, and use, it can also be relatively easy to attack. Bluetooth does support encryption, but the encryption relies on a PIN used by both devices. Fixed PINs for devices like headsets reduce the security of their connection. Attacks against authentication, as well as the negotiated encryption keys, mean that Bluetooth may be susceptible to eavesdropping as well as other attacks.
What factors does a playbook consider?
like industry best practices, organizational policies, laws, regulation, and compliance requirements, and the organizational structure and staffing. They also define when they are complete, allowing organizations to resume normal operations.
Data breach notifcation laws.
like other regulatory elements, also vary from country to country, and in the United States notably from state to state. Contracts often cover the maximum time that can elapse before customers are notified, and ensuring that you have an appropriate breach notification clause in place that meets your needs can be important. Some vendors delay for days, weeks, or even months, potentially causing significant issues for customers who are unaware of the breach.
Web Logs
like those from Apache and Internet Information Services (IIS), track requests to the web server and related events. These logs can help track what was accessed, when it was accessed, and what IP address sent the request. Since requests are logged, these logs can also help identify attacks, including SQL injection and other web server and web application-specific attacks.
Subject of a certificate
may contain a wildcard, indicating that it is good for sub domains but not higher domains. ie *.certmike.com would be valid for certmike.com www.certmike.com, mail.certmike.com, secure.certmike.com
Example command to print out a hash
md5sum /dev/sdb> drive1.hash
More Info About Netcat
netcat can be used for purposes as simple as banner grabbing to determine what a service is. It can provide a local or remote shell, allow raw connections to services, transfer files, and allow you to interact with web servers.Connecting to a service with netcat is as simple as this: nc [hostname] [port] Commands like SMTP or HTTP can then be directly issued. netcat can act as both a listener and a client, allowing shells or file transfers to be performed. Using netcat for file transfer involves first setting up a listener: nc -lvp [port]> /home/example/file.txt Then Downloading it using netcat is simple: nc [listener IP] [port] < /file/location/for/download/file.txt netcat's wide variety of uses mean that it can be used for many purposes. You can even port scan with netcat!.
Infrared
network connections only work in the line of sight. IR networking specifications support everything from very low-bandwidth modes to gigabit speeds. Have multiple specifications.
2 common tools for Port and Vuln Scannig
nmap, Nessus and IP scanners in general
Arduinos
not considered single-board computers. Instead, they belong to a class of computer known as a microcontroller. They include a lower-power CPU with a small amount of memory and storage, and they provide input and output capabilities. They are often used for prototyping devices that interface with sensors, motors, lighting, and similar basic capabilities. Unlike the Raspberry Pi, these do not have a wireless or wired network connection built into them, thus reducing their attack surface because they lack direct physical access.
Legal Hold (Digital Forensics)
notice that informs an organization that they must preserve data and records that might be destroyed or modified in the course of their normal operations. Backups, paper documents, and electronic files of all sorts must be preserved.
Alert Fatigue
occurs when alerts are sent so often, for so many events, that analysts stop responding to them. In most cases, these alerts aren't critical, high urgency, or high impact and are in essence just creating noise. Or, there may be a very high proportion of false positives, causing the analyst to spend hours chasing ghosts. In either case, alert fatigue means that when an actual event occurs it may be missed or simply disregarded, resulting in a much worse security incident than if analysts had been ready and willing to handle it sooner.
SQL injection attack
occurs when users enter a SQL statement into a form in which they are supposed to enter a name or other data
Single Sided Authentication
occurs when you browse to a website that presents an x.509 certificate. Your browser validates that certificate and you carry on, knowing that the server has a valid certificate and is the server you expect it to be. The server, however, does not have any proof that your system is specifically trustworthy or identifiable. Since you're using TLS, you'll still have secure data exchanges, but in some cases you may want a higher degree of trust.
Nikto
open source web app/server scanner -performs tests against web servers for dangerous files/programs, checks for outdated server versions,
IPSec VPN
operate at layer 3, require a client, and can operate in either tunnel or transport mode. In tunnel mode, entire packets of data sent to the other end of the VPN connection are protected. In transport mode, the IP header is not protected but the IP payload is. IPSec VPNs are often used for site-to-site VPNs, and for VPNs that need to transport more than just web and application traffic.
Encapsulated Security Payload (ESP)
operates in either transport mode or tunnel mode. In tunnel mode, it provides integrity and authentication for the entire packet; in transport mode, it only protects the payload of the packet. If ESP is used with an authentication header, this can cause issues for networks that need to change IP or port information.
Enterprise Risk Management (ERM)
organizations take a formal approach to risk analysis that begins with identifying risks, continues with determining the severity of each risk, and then results in adopting one or more risk management strategies to address each risk.
Stateful Firewall (Dynamic Packet filter)
pay attention to the state of traffic between systems. They can make a decision about a conversation and allow it to continue once it has been approved rather than reviewing every packet. They track this information in a state table and use the information they gather to allow them to see entire traffic flows instead of each packet, providing them with more context to make security decisions.
Job Rotation
practices take employees with sensitive roles and move them periodically to other positions in the organization. The motivating force behind these efforts is that many types of fraud require ongoing concealment activities. If an individual commits fraud and is then rotated out of their existing assignment, they may not be able to continue those concealment activities due to changes in privileges and their replacement may discover the fraud themselves.
Things Attack Matrices for MITRE Include
pre-attack, enterprise matrices focusing on Windows, macOS, Linux, and cloud computing, as well as iOS and Android mobile platforms. It also includes details of mitigations, threat actor groups, software, and a host of other useful details. All of this adds up to make ATT
The incident response cycle and incident response process outlines how to respond to an incident. The Security exam's incident response cycle includes
preparation, identification, containment, eradication, recovery, and lessons learned. A response process may not be in a single phase at a time, and phases may move forward or backward depending on discoveries and further events. Incident response teams are composed of staff, including management, security staff, technical experts, and communications and public relations staff, and may also include legal, human relations, and law enforcement members in some circumstances. Organizations hold exercises like tabletop exercises, walk-throughs, and simulations to allow their teams to practice incident response.
Privacy Notice
privacy notice that outlines their privacy commitments. In some cases, laws or regulations may require that the organization adopt a privacy notice. In addition, organizations may include privacy statements in their terms of agreement with customers and other stakeholders.
Public Cloud
promotes massive, global, and industry wide applications offered to the general public
WLAN Controllers security importance
properly securing controllers and access points is an important part of wireless network security. Much like other network devices, both controllers and APs need to be configured to be secure by changing default settings, disabling insecure protocols and services, setting strong passwords, protecting their administrative interfaces by placing them on isolated VLANs or management networks, and by ensuring that they are regularly patched and updated. In addition, monitoring and logging should be turned on and tuned to ensure that important information and events are logged both to the wireless controller or access point and to central management software or systems. More advanced WLAN controllers and access points may also have advanced security features such as threat intelligence, intrusion prevention, or other capabilities integrated into them. Depending on your network architecture and security design, you may want to leverage these capabilities, or you may choose to disable them because your network infrastructure implements those capabilities in another location or with another tool, or they do not match the needs of the network where you have them deployed.
Key Management Practices
protecting the security of keying material. -include safeguards surrounding the creation, distribution, storage, destruction, recovery, and escrow of secret keys
Bridge Protocol Data Unit (BPDU) guard
protects STP by preventing ports that should not send BPDU messages from sending them. It is typically applied to switch ports where user devices and servers will be plugged in. Ports where switches will be connected will not have BPDU turned on, because they may need to send BPDU messages that provide information about ports, addresses, priorities, and costs as part of the underlying management and control of the network.
Master Service Agreements (MSA)
provide an umbrella contract for the work that a vendor does with an organization over an extended period of time. The MSA typically includes detailed security and privacy requirements. Each time the organization enters into a new project with the vendor, they may then create a statement of work (SOW) that contains project-specific details and references the MSA.
Guidelines
provide best practices and recommendations related to a given concept, technology, or task. Compliance with guidelines is not mandatory, and guidelines are offered in the spirit of providing helpful advice. That said, the "optionality" of guidelines may vary significantly depending on the organization's culture.
Cellular Networks
provide connectivity for mobile devices like cell phones by dividing geographic areas into "cells" with tower coverage allowing wireless communications between devices and towers or cell sites. Modern cellular networks use technologies like LTE (long-term evolution) 4G and related technology and new 5G networks, which are being steadily deployed around the world. 5G requires much greater antenna density but also provides greater bandwidth and throughput. Whereas cellular providers and organizations that wanted cellular connectivity tended to place towers where coverage was needed for 4G networks, 5G networks will require much more attention to antenna deployment, which means that organizations may need to design around 5G antenna placement as part of their building and facility design efforts over time. Cellular connectivity is normally provided by a cellular carrier rather than an organization, unlike Wi-Fi or other technologies that companies may choose to implement for themselves. That means that the cellular network is secure, managed, and controlled outside of your organization, and that traffic sent via a cellular connection goes through a third-party network. Cellular data therefore needs to be treated as you would an external network connection, rather than your own corporate network.
Log Files
provide incident responders with information about what has occurred. Of course, that makes log files a target for attackers as well, so incident responders need to make sure that the logs they are using have not been tampered with and that they have timestamp and other data that is correct. Once you're sure the data you are working with is good, logs can provide a treasure trove of incident-related information.
Standards
provide mandatory requirements describing how an organization will carry out its information security policies. These may include the specific configuration settings used for a common operating system, the controls that must be put in place for highly sensitive information, or any other security objective. Standards are typically approved at a lower organizational level than policies and, therefore, may change more regularly.
NIST CSF
provides a broad structure for cyber security controls.
WPA3-Personal
provides additional protection for password-based authentication, using a process known as Simultaneous Authentication of Equals (SAE). SAE replaces the preshared keys used in WPA2 and requires interaction between both the client and network to validate both sides. That interaction slows down brute-force attacks and makes them less likely to succeed. Since SAE means that users don't have to all use the same password, and in fact allows them to choose their own, it helps with usability as well. WPA3-Personal also implements perfect forward secrecy, which ensures that the traffic sent between the client and network is secure even if the client's password has been compromised.
The Payment Card Industry Data Security Standard (PCI DSS)
provides detailed rules about the storage, processing, and transmission of credit and debit card information. PCI DSS is not a law but rather a contractual obligation that applies to credit card merchants and service providers worldwide.
ISO 31000
provides guidelines for risk management programs. This document is not specific to cybersecurity or privacy but covers risk management in a general way so that it may be applied to any risk.
arp
provides information about the local host's ARP cache. Using the -a flag will show the current ARP cache for each interface on a system on a Windows system, but the same flag will show alternate formatting of the ARP information for Linux systems. arp can be used to add and remove hosts from the ARP table and as part of passive reconnaissance efforts.
netstat
provides network statistics by protocol and includes information about the local address and the remote address for each connection, as well as the state of TCP connections. Other statistics like open ports by process ID, lists of network interfaces, and services vary in availability from version to version.
CPU Cache and Registers
rarely directly captured as part of a normal forensic effort. Although it is possible to capture some of this information using specialized hardware or software, most investigations do not need this level of detail. The CPU cache and registers are constantly changing as processing occurs, making them very volatile.
Recovering Files
recovering files with a recovery tool or by manual means requires reviewing the drive, finding files based on headers or metadata, and then recovering those files and file fragments .In cases where a file has been partially overwritten, it can still be possible to recover fragments of the files. Files are stored in blocks, with block sizes depending on the drive and operating system. If a file that is 100 megabytes long is deleted, then partially overwritten by a 25-megabyte file, 75 megabytes of the original file could potentially be recovered.
Data minimization
reduces risk by reducing the amount of sensitive information that we maintain. In cases where we cannot simply discard unnecessary information, we can protect information through de-identification and data obfuscation. The tools used to achieve these goals include hashing, tokenization, and masking of sensitive fields.
Admissibility for Digital Forensics
requires that the data be intact and unaltered and have provably remained unaltered before and during the forensic process. Forensic analysts must be able to demonstrate that they have appropriate skills, that they used appropriate tools and techniques, and that they have documented their actions in a way that is reliable and testable via an auditable trail. Thus, their efforts and findings must be repeatable by a third party if necessary.
Intellectual property (IP) theft
risks occur when a company possesses trade secrets or other proprietary information which, if disclosed, could compromise the organization's business advantage.
The Mean Time Between Failures (MTBF)
s a measure of the reliability of a system. It is the expected amount of time that will elapse between system failures. For example, if the MTBF is six months, you can expect that the system will fail once every six months, on average.
Principle of Least Privilege
says that individuals should be granted only the minimum set of permissions necessary to carry out their job functions. Least privilege is simple in concept but sometimes challenging to implement in practice. It requires careful attention to the privileges necessary to perform specific jobs and ongoing attention to avoid security issues.
Broadcast Domain
segment of a network in which all the devices or systems can reach one another via packets sent as a broadcast at the Data Link layer.
Mandatory Vacations
serve a similar purpose by forcing employees to take annual vacations of a week or more consecutive time and revoking their access privileges during that vacation period.
cold aisles
server room aisles that blow cold air from the floor
Community Cloud
serves a specific community with common business models, security requirements, and compliance considerations
Risk transference
shifts some of the impacts of risk from the organization experiencing the risk to another entity. The most common example of risk transference is purchasing an insurance policy that covers a risk. When purchasing insurance, the customer pays a premium to the insurance carrier. In exchange, the insurance carrier agrees to cover losses from risks specified in the policy.
Output Feedback Mode (OFB)
similar to CFB, except that the quantity XORed with each plaintext block is generated independently of both plaintext and ciphertext, essentially by repeatedly encrypting the "seed"
Electronic Codecourse Mode EBC
simplest, least secure, each time the algorithm processes a block it encrypts the bock using the same key. Impractical to use ECB except on short transmissions as attackers can build a code course of all possible encrypted values.
Blue Jacking
simply sends unsolicited messages to Bluetooth-enabled devices.
Why is a retention policy important?
since it may determine how long the organization keeps incident data, how long logs will be available, and what data is likely to have been retained and thus may have been exposed if a system or data store is compromised or exposed.
Raspberry Pi
single-board computers, which means that they have all the features of a computer system on a single board, including network connectivity, storage, video output, input, CPU and memory. provide a relatively capable computational platform, and they can run a variety of operating systems, including Linux and Windows. more likely to be found used for personal development or small-scale custom use rather than in broader deployment as the core of industrial or commercial embedded systems.
Site to Site VPN
site-to-site VPNs are used to create a secure network channel between two or more sites. Since site-to-site VPNs are typically used to extend an organization's network, they are frequently always on VPNs, meaning that they are connected and available all of the time, and that if they experience a failure they will automatically attempt to reconnect.
Cookies
small computer programs left behind on your computer when you visit a website. Can be stored client side
Spyware
software that enables a user to obtain covert information about another's computer activities by transmitting data covertly from their hard drive.
Broadcast storm
sometimes called storm control, prevents broadcast packets from being amplified as they traverse a network. Preventing broadcast storms relies on several features such as offering loop protection on ports that will be connected to user devices, enabling STP on switches to make sure that loops are detected and disabled, and rate-limiting broadcast traffic.
Mobile Device Management (MDM) tools
specifically target devices like Android and iOS phones, tablets, and other similar systems.
Qualitative risk assessments
substitute subjective judgments and categories for strict numerical analysis, allowing the assessment of risks that are difficult to quantify.
What else can IPSEC use?
switch port analyzer Layer 2 Tunneling Protocol (L2TP) VPNs. L2TP VPNs do not provide encryption on their own and instead simply provide tunnels. They are often combined with IPSec to provide that security. Not every IPSec VPN uses L2TP, but you should know about L2TP for the exam.
Walk throughs
take a team through an incident step by step. This exercise can help ensure that team members know their roles as well as the IR process, and that the tools, access, and other items needed to respond are available and accessible to them. A walk-through is an excellent way to ensure that teams respond as they should without the overhead of a full simulation.
Bluetooth impersonation attacks (BIAS)
take advantages of weaknesses in the Bluetooth specification, which means that all devices that implement Bluetooth as expected are likely to be vulnerable to them. They exploit a lack of mutual authentication, authentication procedure downgrade options, and the ability to switch roles. Although BIAS attacks have not yet been seen in the wild, as of May 2020 information about them had been published, leading to widespread warnings that exploits were likely to be developed.
Seperation of duties
takes two different tasks that, when combined, have great sensitivity and creates a rule that no single person may have the privileges required to perform both tasks.. Ex Bank splitting up jobs so no one person has all the account info.
Unit Testing
test individual units or pieces of code for a system. Happens in Dev phase
Data governance policy
that clearly states the ownership of information created or used by the organization.
Patching procedures
that describe the frequency and process of applying patches to applications and systems under the organization's care
Credential management policy
that describes the account lifecycle from provisioning through active use and decommissioning. This policy should include specific requirements for personnel who are employees of the organization as well as third-party contractors. It should also include requirements for credentials used by devices, service accounts, and administrator/root accounts.
Data classification policy
that describes the classification structure used by the organization and the process used to properly assign classifications to data
Continuous monitoring policy
that describes the organization's approach to monitoring and informs employees that their activity is subject to monitoring in the workplace.
.Data retention policy
that outlines what information the organization will maintain and the length of time different categories of work product will be retained prior to destruction.
Information Security Policy
that provides high-level authority and guidance for the security program.
Acceptable Use Policy (AUP)
that provides network and system users with clear direction on permissible uses of information resources.
The magnitude of the impact
that the risk will have on the organization if it does occur. We might express this as the financial cost that we will incur as the result of a risk, although there are other possible measures.
The likelihood of occurrence, or probability,
that the risk will occur. We might express this as the percent chance that a threat will exploit a vulnerability over a specified period of time, such as within the next year.
Security designs in most environments rely on the concept of defense in depth.
they are built around multiple controls design to ensure that a failure in a single control—or even multiple controls—is unlikely to cause a security breach. As you study for the exam, consider how you would build an effective defense-in-depth design using these components and how you would implement them to ensure that a failure or mistake would not expose your organization to greater risk.
Timelines (autopsy)
timelines are very important, and Autopsy's timeline capability allows you to see when filesystem changes and events occurred. This is particularly useful if you know when an incident happened or you need to find events as part of an investigation. Once you know when a person was active, or the events started, you can then review the timeline for changes that were made near that time. You can also use timelines to identify active times where other events were likely to be worth reviewing.
Role Based Training
to make sure that individuals receive the appropriate level of training based on their job responsibilities. For example, a systems administrator should receive detailed and highly technical training, whereas a customer service representative requires less technical training with a greater focus on social engineering and pretexting attacks that they may encounter in their work.
Hashing
transforming plaintext of any length into a short code called a hash
Key to Siem dashboards
understanding that they provide a high-level, visual representation of the information they contain. That helps security analysts to quickly identify likely problems, abnormal patterns, and new trends that may be of interest or concern. SIEM dashboards have a number of important components that provide elements of their display. These include sensors that gather and send information to the SIEM, trending and alerting capabilities, correlation engines and rules, and methods to set sensitivity and levels.
If you want to encrypt a message
use the recipient's public key
If you want to digitally sign a message you are sending to someone else
use your private key
tcpdump commands
used for packet capture
Industrial Control Scheme
used to manage and monitor factories, power plants, and many other major components of modern companies.
Right-To-Audit Clauses
which are part of the contract between the cloud service and an organization. A right-to-audit clause provides either a direct ability to audit the cloud provider or an agreement to use a third-party audit agency. Many cloud providers use standard contracts and may not agree to right-to-audit clauses for smaller organizations. In those cases, they may instead provide access to regularly updated third-party audit statements, which may fit the needs of your organization. If you have specific audit requirements, you will need to address them in the contract if possible, and decide whether the ability to conduct the audit is a deciding factor in your organization's decision to adopt the cloud provider's services if not.
Open WIfi
which do not require authentication but that often use a captive portal to gather some information from users who want to use them.Open networks do not provide encryption, leaving user data at risk unless the traffic is sent via secure protocols like HTTPS.
Confidence Value
which is undefined by the model but that analysts are expected to determine based on their own work.
Phishing Simulations
which send users fake phishing messages to test their skills. Users who click on the simulated phishing message are sent to a training program designed to help them better recognize fraudulent messages.
Does Spiral have greater flexibility than waterfall?
yes.
potentially unwanted program (PUP)
A PUP is a software inadvertently installed that contains adware, installs toolbars, or has other objectives.
Stuxnet
A computer worm designed to find and infect a particular piece of industrial hardware; used in an attack against Iranian nuclear plants
Gray-Hat
A skilled hacker who falls in the middle of white hat and black hat hackers. The gray hat may cross the line of what is ethical, but usually has good intentions and isn't malicious like a black hat hacker.
Insider Threat
A threat to an organization that comes from employees, contractors, and anyone else that may have willingly been given insider knowledge.
Logic Bomb
Code placed inside programs that will activate when a condition is met. Kind of like a trigger. Relatively rare. Big impact.
Focus of Adversarial Ai Attacks?
Data poisoning, attacks against privacy
Ways worms can spread
Email attachements, network file shares, self-install.
integrity
Ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally.
confidentiality
Ensures that unauth individuals cannot get sensitive info.
Common Attack Vectors
External/Removable Media + Attrition (ddos, brutforce) + Web + Email + Impersonation (mitm, rogue ap, SQL injection) + Improper Usage + Loss or Theft of Equipment+Supply Chain Interference via 3rd party.
Data Minimization tools
Hashing, tokenization, and masking
Worms
Independent computer programs that copy themselves from one computer to other computers over a network
What are the 4 major criteria to classifying Threat Actors?
Internal Vs External, Level of Sophistication and Credibility, Resources available/Funding, Motivation/Intent.
Constrained Language Mode
Limits sensitive commands in powershell
Remote Access Trojans
Malicious programs that run on systems and allow intruders to access and use a system remotely.
Variety of Viruses
Memory Resident Viruses, Non memory resident viruses, Boot sector viruses, Macro viruses, Email viruses., Fileless Viruse.
Consensus
People do what others are doing. Attacker might try to convince someone others already clicked the link so it safe.
Rootkits
Programs that allow hackers to gain access to your computer and take almost complete control of it without your knowledge. These programs are designed to subvert normal login procedures to a computer and to hide their operations from normal detection methods.
Data Minimization
Reducing amt of sensitive info that is maintained.
Trust
Relies on connection, work to build a connection.
Familiarity
Rely on you liiking the individual or org individual is claiming to represent. IE someone impersonating apple.
Common Security Team Practices
Seeking out information on latest threats, doing preemptive checks with this knowledge, supplement their findings with actions of their own.
Backdoor
Software code that gives access to a program or a service that circumvents normal security protections.
Bots
Software robots that function automatically. A botnet is a group of computers that are joined together. Attackers often use malware to join computers to a botnet, and then use the botnet to launch attacks.
Computer Viruses
Spreads from one computer to another without the knowledge or permission of the computer users by attaching itself to emails or files
What is the best way to take down a botnet?
Taking down the domain name.
security controls
The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
Dark web
The portion of the internet that is intentionally hidden from search engines, uses masked IP addresses, and is accessible only with a special web browser.
Attack Vectors
Vulnerabilities that exist in networks, operating systems, apps, databases, mobile devices, and cloud environments
Payload
What the virus does
Social Engineering
techniques that trick a person into disclosing confidential information