Exam Overview
What are some core linux hardening components?
1. Keeping the system updated w/ recent security patches 2. Unused servers/applications/services/ports must be disabled or decomissioned 3. All access to the services and applications on the server should be monitored and logged 4. Avoid using a root account to the maximum extent 5. Any kind of privileged access must be performed over SSH wherever possible
What is Terraform?
An open source framework for developing and managing cloud resources. It works on AWS, Google Cloud, and Microsoft Azure. It manages multi tiered applications and networks. Like other DevOps tools, it allows admins to design infrastructure as code (IaC) and can also implement Software Defined Networking.
What is ScoutSuite?
An open source project which is owned and primarily developed by the NCC Group. It is a multi-cloud security auditing tool that works for AWS, Axure, Google Cloud, Alibaba Cloud, and Oracle cloud.
How should a system (server/laptop) hardening policy be developed?
Around these points... 1. Accessibility to the system 2. Software installation rights on the system 3. Data permission 4. Recovery from failure
Why are there different types of firewalls?
Because firewalls operate at different layers of the OSI model
Metasploit module: Payloads
Code that runs remotely, there exists a multitude of payloads for many operating systems and software
What is continuous delivery (CD)?
Deploying smaller changes more often, and automated delivery of updates
What are firewalls?
Devices or programs that control the flow of network traffic between networks or hosts that employ differing security postures. Essentially, a router with additional software for network traffic control and inspection.
Server security principle: Least privilege
Dictates that each task, process, or user is granted the minimum rights required to perform its job. By applying this consistently, if a task, process, or user is compromised, the scope of damage is constrained to the limited resources available to the compromised entity.
What are basic server security steps for servers that host content?
For web servers, database servers, and directory servers to ensure that content is fully secured, it depends on the kind of server and content, so there are no broad recommendations
Metasploit module: Encoders
Formats the payload to ensure the make it to their destination
Server security principle: Separation of privilege
Functions, to the degree possible, should be separate an dprovide as much granularity as possible. This concept can apply to both systems and operators/users. in the case of systems, functions such as read/edit/write and execute should be separate. In the case of system operators and users, roles should be as separate as possible.
What happens during the information gathering stage of the pentesting process?
Target selection 1. Identification and naming of target (likely will identify additional servers domains and companies that may not have been part of the initial scope) 2. Consider RoE limitations (important from a legal and scope creep perspective) 3. Consider the length of time for the test 4. Consider the end goal of the test (focus on the critical assets, de prioritize and categorize less relevant aspects)
What should good pen-testing be testing for?
It should look to test the capabilities of an organization around detecting and responding to... 1. information gathering 2. foot printing 3. scanning and vulnerability analysis 4. infiltration (attacks) 5. data aggregation 6. data exfiltration
Server security principle: Work factor
Organizations should understand what it would take to break the system or network's security features. The amount of work necessary for an attacker to break the system or network should exceed the value that the attacker would gain from a successful compromise.
Metasploit module: Auxiliary
Performs scanning, enumerating fuzzing, and sniffing
Metasploit module: Post
Post-expoitation that can run on compromised target to pivot deeper into the network
What are intrusion detection and prevention systems (IDPS)?
Primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security admins.
Linux hardening - How do you manage granular access control?
SELinux
Server security principle: Simplicity
Security mechanisms (and information systems in general) should be as simple as possible. Complexity is at the root of many security issues.
What is penetration testing?
Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network.
Linux hardening - how do you detect scans against the system?
Snort, Tripwire, PortSentry
What is an intrusion prevention system (IPS)?
Software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents
Linux hardening - how do you control application layer access?
Squid proxy
Server security principle: open design
System security should not depend on the secrecy of implementation or it's components
Server security principle: psychological acceptability
Users should understand the necessity of security. This can be provided through training and education. In addition, the security mechanisms in place should present users with sensible options that give them the usability they require on a daily basis. If users find the security mechanisms too cumbersome, they may devise ways to work around or compromise them. The objective is not to weaken security, so it is understandable and acceptable, but to train and educate users and to design security mechanisms and policies that are usable and effective.
Linux hardening - How do you manage monitoring CPU, memory, disk I/O, storage, logs?
glances, multitail, stat
Linux hardening - how do you control inbound and outbound traffic on the host?
iptables, ufw, shorewall
Linux hardening - How do you check file system permissions?
ls, chmod, mv, setfacl
Linux hardening - how do you condust integrity checks of the installation medium?
md5sum
Linux hardening - How do you check for running servers/open ports?
nmap, netstat
Linux hardening - how do you track changes to permissions?
sXID
Linux hardening - how do you configure remote authentication?
ssh, disabling root login... use key based authentication for SSH
Linux hardening - How do you manage diagnostics and debugging?
strace
Linux hardening - how do you configure sudo access?
sudoers file
Linux hardening - how do you limit the login capabilities of users?
usermod -s /usr/sbin/nologin user1
What tools should be used for DevSecOps with AWS?
1. AWS Inspector/Chef Compliance (this should be used for automated policy governance and compliance AKA security as code) 2. AWS Cloudtrail/Cloudwatch/SNS, Threatstack, Sumo Logic (for logging, analyzing, and monitoring) 3. AWS Lambda (automated correction)
What are countermeasures to the exploitation phase of the pentesting process?
1. Anti-virus 2. Encoding 3. Encrypting 4. Whitelisting 5. DLP 6. ASLR 7. Firewall (host/network/WAF) 8. IDPS (host/network)
What is the typical hardening process?
1. Change default passwords/strong password policy 2. Harden remote access 3. Disable/uninstall unnecessary accounts 4. Disable/uninstall unnecessary services and software 5. Set backups 6. Enable logging 7. Update software 8. Test (vulnerability scan, penetration testing)
How does firewall implementation work?
1. Create a firewall policy that specifies how firewalls should handle inbound and outbound network traffic 2. Identify all requirements that should be considered when determining which firewall to implement. 3. Create rulesets that implement the organization's firewall policy while supporting firewall performance 4. Manage firewall architectures, policies, software, and other components throughout the life of the firewall solution.
What are two tools used to exfiltrate data?
1. DNSExfiltrator 2. ICMP Exfiltrator
What are some core considerations for an IDPS implementation?
1. Ensure all components are secured appropriately 2. Consider using multiple types of IDPS tech to achieve more comprehensive and accurate detection and prevention of malicious activity... within this, consider whether or not multiple IDPS should be integrated 3. When evaluating IDPS products, organizations should consider using a combination of several sources of data on the products' characteristics and capabilities
What is high level threat modeling?
1. Gathering relevant information 2. Identifying and categorizing primary and secondary assets 3. Identifying and categorizing threats and threat communities 4. Mapping threat communities against primary and secondary assets
What are the goals of DevOps?
1. Infrastructure as code 2. "Immutable" infrastructure 3. Continuous delivery 4. Deployment pipeline 5. DevOps and Security (DevSecOps, Agile Security, and Secure Design)
What are the top ten web security risks?
1. Injection 2. Cross site scripting (XSS) 3. Insecure direct object references 4. Cross site request forgery (CSRF) 5. Security misconfiguration 6. Insecure cryptographic storage 7. Failure to restrict URL access 8. Insufficient transport layer protection 9. Unvalidated redirects and forwards 10. Broken authorization and session management 11. Using components with known vulnerabilities 12. Underprotected APIs
How does one implement application hardening in code?
1. Introducing secure software development into the software development lifecycle (SSDLC... secure software development lifecycle or SDLC... secure development lifecycle... there's also the SAMM Software Assurance Maturity Model, which is an open source framework) 2. Developer security awareness training 3. Code reviews (automated and manual)
What happens during the pre-engagement stage of the penetration testing methodology?
1. Introduction to scope (how should pentesters spend their time, what are the testing targets) 2. Time estimation (once determined, add 15 - 20% buffer, establish clear beginning and end dates) 3. Scope meeting (happens after contract is signed, detailed discussion about what will be tested, countries/provinces/states in which the target environments are operating) 3. Goals (the primary goal of a test should not be driven by complilance, which is secondary to understanding the maturity of the organization's security posture) 4. Establish lines of communication
What kind of information gathering happens within a corporate context for pentesting?
1. Physical (locations/addresses/ownership records, physical security measures, including central and remote locations, and relationships with business partnerships, customers, suppliers, shared office space, shared infrastructure, rented equipment) 2. Logical (accumulate info from partners, clients, competitors-- including network information. This also includes significant company dates, job openings, political donations, professional licenses, etc.) 3. Org chart (position identification and specific people to target, mapping changes within the org such as promotions and lateral moves) 4. Electronic (document metadata, such as author/dates/geotags/computer info, marketing communications such as branding and current initiatives) 5. Infrastructure assets (network blocks owned, email addresses, remote access, app usage, defensive technologies) 6. Financial (financial reporting and market analysis)
What are some tools and purposes you can use them for in the Discovery and Vulnerability Identification part of pentesting?
1. Ping sweeps (ping, nmap) 2. Port scanning (nmap) 3. Service detection and identification (nmap, netcat, telnet, various clients such as web browser, SQL client, etc.) 4. Operating system enumeration (nmap) 5. Network vuln scanning (Nessus, Qualysis, SAINT, Nexpose) 6. Application/vuln scanning (BurpSuite Provy, ZAP, IBM App Scan, Nikto)
What are basis server security steps?
1. Plan the installation and deployment of the OS and other components for the server 2. Install, configure, and secure the underlying OS and server software 3. Employ secure admin and maintenance processes, including application of patches and upgrades, monitoring of logs, backups of data and the OS, and periodic security testing
At a high level, what does server hardening entail?
1. Planning and addressing the security aspects of the deployment of a server. 2. Implementing appropriate security management practices and controls when maintaining and operating a secure server. 3. Ensuring that the server operating system is deployed, configured, and managed to meet the security requirements of the organization. 4. Ensuring that the server application is deployed, configured, and managed to meet the security requirements of the organization. 5. Committing to the ongoing process of maintaining the security of servers to ensure continued security.
Aside from Metasploit, what are two common exploitation frameworks?
1. PowerShell Empire 3 2. Covenant C2
What is the penetration testing methodology?
1. Pre-Engagement interactions 2. Information gathering 3. Threat modeling 4. Vulnerability analysis 5. Exploitation 6. Post-exploitation 7. Reporting
How does one implement DevSecOps with AWS?
1. Prevent logins to production servers by default 2. Prevent logins to the production AWS management console 3. All configuration changes must be done as code and submitted as a pull request for review 4. Reduce alert fatigue by making sure that changes should only be performed by automation bots
What are some of the things that post-exploitation should identify?
1. Sensitive data 2. Configuration settings 3. Communication channels 4. Relationships between network devices (topology and data flow) 5. Ability for lateral movement within a network 6. Ability to move data into/out of the network or system 7. Possibility of a backdoor
How do you mitigate threats with STRIDE?
1. Spoofing - Authentication via TLS certificates, SSH host keys, passwords, access cards 2. Tampering - Integrity via ACLs/permissions, cryptographic mechanisms, logging 3. Repudiation - Non-repudiation via logging, log analysis tools, secure log storage, secure time stamps 4. Denial of service - Availability via filters, throttling, high availability design, cloud services, DoS protection 5. Escalation of privilege - Authorization via role based access control groups, group membership, system privileges, sandboxes
What is threat modeling with STRIDE?
1. Spoofing - Pretending to be someone or something you're not 2. Tampering - Modifying something you're not supposed to modify 3. Repudiation - Claiming you didn't do something (regardless of whether you did or not) 4. Information disclosure - Exposing information to people who are not authorized to see it 5. Denial of service - Attacks designed to affect the ability of systems or resources 6. Escalation of privilege - When a program or user is technically able to do things they're not supposed to do.
What are the parts of a vulnerability analysis in penetration testing?
1. Testing (the process of discovering flaws in systems and applications that can be leveraged by an attacker. The tester should properly scope the testing for applicable depth and breadth to meet the goals/requirements of the desired outcome. 2. Two types (active - automated scanners for network and web apps, passive - traffic monitoring and metadata analysis) 3. Validation (correlation between multiple tools such as grouping by flaw category, mapping to CVEs or compliance frameworks, manual testing such as fingerprinting/authentication/enumeration/business logic, and developing an "attack tree" 4. Research (public research such as databases, vendor advisories, exploit databases, default credentials, hardening guidelines/common misconfigurations... private research such as setting up a replica environment, testing different configurations, static code analysis)
What does windows hardening from a high level entail?
1. Update software 2. Enable logging 3. Create a strong password policy 4. Harden remote access 5. Disable/uninstall unnecessary services and accounts 6. Set up backups 7. Test (vuln scan/pentest)
What are the components of the DevOps Pipeline?
1. Visibility (all aspects of the delivery system, including building, deploying, testing, and releasing are visible to every member of the team to promote collaboration) 2. Feedback (team members learn of problems as soon as possible when they occur, so they are able to fix them as fast as possible) 3. Continually deploy (Through a fully automated process, you can deploy and release any version of the software to any environment)
What are the most common mobile application security risks?
1. Weak server side controls 2. Insecure data storage 3. Insufficient transport layer protection 4. Unintended data leakage 5. Poor authorization and authentication 6. Broken cryptography 7. Client side injection 8. Security decisions via untrusted inputs 9. Improper session handling 10. Lack of binary protections
What is Microsoft BitLocker?
A built in tool and mechanism that provides an encryption option for data at rest. It can be used to encrypt the entire volume/disk.
What is DevOps?
A culture/movement/practice that emphasizes the collaboration and communication of both software developers and other IT professionals while automating the process of software development and delivery and infrastructure changes. It reinforces the concept of building security in throughout the stages of the development lifecycle, rather than simply bolting security on at the end of the process.
What is metasploit?
A framework that automates a lot of the repetitive work in penetration including exploitation, command and control, privilege escalation, lateral movement, and general actions on objectives.
What is the windows server core?
A minimal server installation option that provides a low maintenance server environment with limited functionality. It helps to reduce the attack surface by minimizing the services running on the server and by eliminating the need for the binary installation files to reside on the server.
What is nessus?
A network-vulnerability scanner.
What is the Windows Server Message Block (SMB)?
A protocol that allows computers to access or share files, printers, and other network resources remotely. The version 3.0 uses the Advanced Encryption Standard (AES) method for encryption and signing.
What is IPtables?
A tool within user space that allows the user to interact and configure the tables within the Linux kernel firewall that are represented by various netfilter modules. It is not a network firewall and manages traffic coming to or from itself only. You can set different policies that permit or deny traffic based on simple logic conditions. It also allows a user to deny traffic coming in on ports, rerouting it, and even provide conditional checks based on incremental counters that can prevent SSH wordlist based dictionary attacks.
How do firewalls operate at the Application Layer of the OSI Model (DNS/HTTP/SMTP/FTP/SQL)
At this level, "deep packet inspection" firewalls operate (eg they inspect the packet for malware, deny specific app traffic, etc.)
How do firewalls operate at the Transport Layer of the OSI Model (TCP/UDP layer)
At this level, "stateful firewalls" operate (eg ephemeral ports will be allows outbound if they are a part of the session)
How do firewalls operate at the Network Layer of the OSI Model (IP layer)
At this level, "stateless firewalls" operate (e.g. checks src address, dst address, protocol, and port)
Metasploit module: Exploits
Contains payloads to exploit a target with a specific vulnerability
Metasploit module: Evasions
Evades antivirus and endpoint protection
What are some general info gathering methods that exist for penetration testing?
External: 1. Customer provided information (scope) 2. ARIN/WHOIS information 3. Search engine information 4. Domain registrar information 5. Discovery scripts Internal 1. Customer provided information (scope) 2. Passive network sniffing (this includes IP address space enumeration and protocol discovery)
Server security principle: Failsafe
If a failure occurs, the system should fail in a secure manner (ie security controls and settings remain in effect and are enforced). It is usually better to lose functionality rather than security.
What does the "evaluating security needs" aspect of system hardening entail?
In order to assess the appropriate level of security and hardening, determine the following: 1. Type of business within which the organization engages 2. Type of information the organization/system processes and stores 3. Type of connections that the network/system should accomodate 4. Functional/business requirements of the system 5. Philosophy of the organization's management
What is internal hardening for operating systems?
It reduces the opportunity for privilege escalation due to local process exploitation, file/group permission abuse, account takeover attacks, and ensures the OS kernel and system services are hardened appropriately.
What is Microsoft Applocker?
It allows you to specify which users or groups can run particular applications in your organization based on unique identities of files. Benefits include... 1. Application inventory 2. Protection against unwanted software 3. Licensing conformance 4. Software standardization 5. Manageability improvements
What is external hardening for operating systems?
It ensures that system services are not leaking data or vulnerable to known exploits and that they limit remote users/access, Denial of Service (DoS) and prevent brute force attacks.
What is ICMP Exfiltrator?
It has two sides, the compromised system side which is icmpexfil.sh. This is a bash script that executes the ping command along with listener's IP and arbitrary command, and converts output data into hex for convenient transfer of data over ICMP data bits. There's also the attacker side, which is run with listener.py, and is a python script which acts as a custom ICMP only listener.
What is DNSExfiltrator?
It is a program that has two sides. On the server side, it comes as a python script (dnsexfiltrator.py) which acts as a custom DNS server receiving the file. The other is the client side (or victim's side) which comes in three versions-- dnsEcfiltrator.cs (c# script that can be compiled with csc.exe to provide a windows managed executable), Invoke-DNSExfiltrator.ps1 (a powershell script providing the exact same functionalities by wrapping the DNS Exfiltrator assembly), and sndExfiltrator.js (a JS script which is a conversion of the DNS Exfiltrator DLL assembly using DotNetToJScript and providing the exact same functionalities).
Metasploit module: Nops
Keeps the payload sizes consistent, essential in creating a buffer overflow
Linux hardening - how do you configure centralized authentication?
LDAP
Linux hardening - how do you encrypt disk partitions?
Linux unified key setup-on-disk-format [LUKS]
What do most penetration tests involve?
Looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.
What is continuous integration (CI)?
Merging the development branches together (master branch), must successfully pass a series of tests
Intrusion detection - Network-Based (NIDS)
Monitors network traffic for particular network segments or devices and analyzes the network and application protocol activity to identify suspicious activity
Server security principle: Defense in depth
Organizations should understand that a single security mechanism is generally insufficient. Security mechanisms (defenses) need to be layered so that compromise of a single security mechanism is insufficient to compromise a host or a network. No "silver bullet" exists for information system security.
Server security principle: complete mediation
Rather than providing direct access to information, mediators that enforce access policy should be employed. Common examples of mediators include file system permissions, proxies, firewalls, and mail gateways.
Server security principle: Compromise recording
Records and logs should be maintained so that if a compromise does occur, evidence of the attack is available to the organization. This information can assist in securing the network and host after the compromise and aid in identifying the methods and exploits used by the attacker. This information can be used to better secure the host or network in the future, and these records/logs can assist organizations in identifying and prosecuting attackers.
What is hardening?
The practice of reducing or removing the accessibility of capabilities and features that could be used for system abuse. The scope of what those features are and which ones are enabled/disabled are determined by the use case at hand.
What is intrusion detection?
The process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security policies.
What happens during the post-exploitation phase of the pentesting process?
The purpose of this phase is to determine the value of the machine compromised and to maintain control of the machine for later use
What are metasploit modules?
They form the core component of metasploit. Each module has a different function but can be used in conjunction with one another.
What is a common problem with security controls?
They often make systems less convenient or more difficult to use. Usability must always be taken into consideration when designing solutions. If not, many users will attempt to circumvent security controls.
What are basic server security steps for network protection?
This might apply to firewalls, packet filtering routers, and proxies. Choosing the mechanism for a particular situation depends on several factors, including the location of the server's clients (eg internet, internal, internal and remote access), the location of the server on the network, the types of services offered by the server, and the types of threats against the server.
What is the exploitation phase of the pentesting process?
This phase focuses solely on establishing access to a system or resource by bypassing security restrictions
What happens during the threat modeling phase of penetration testing?
This phase is critical for both the testers and the organization. It provides clarity into the organization's risk appetite and prioritization. It enables the tester to focus on delivering an engagement that closely emulates the tools, techniques, capabilities, accessibility, and general profile of the attacker.
Server security principle: Least common mechanism
When providing a feature for the system, it is best to have a single process or service gain some function without granting that same function to other parts of the system. The ability for the web server process to access a back end database, for instance, should not also enable other applications on the system to access the back end database
Linux hardening - how do you monitor user activity?
acct package