CompTIA Security+ SY0-601
Phishing:
- social engineering & spoofing
- check URL
- site usually not perfect
- Typosquatting:
- URL Hijacking: use similar URL but one letter diff
- prepending: add an extra letter pprofessor.com
- pretexting: setting up why they are calling/emailing
- fake
- pharming:
- dns poisoning redirects all users to fake site
- vishing: voice call phishing
- smishing: SMS phishing
- spear phishing: specific people
- whaling: CEO phishing
Impersonation:
- pretext: lie to setup attacks
- pretend to be from Microsoft, Visa, etc...
- identity fraud
Dumpster Diving:
- legal
- get info
- lock & fence with illegal trespassing signs
- makes illegal
Shoulder surfing:
- privacy filter
- turn monitor away from windows
Hoaxes:
- fake threats / fake nigerian prince inheritance
- gift card scams (get you to buy a card under threat of jail time)
Watering hole attack:
- 3rd party infected
- attacker infects 3rd party app/site that users in a company go to regularly
- infect everyone on site but only care about a specific company
- Firewalls & IPS (Intrusion Prevension System)
Spam:
- unsolicited messages
- SPIM: Spam over Instant Messaging
- phishing, advertising, etc...
- mail gateway or spam filter: screened subnet
- allow list
- SMTP standard checking
- rDNS: reverse DNS - block email that doesn't match sender domain
- Tarpitting: intentionally slow down connection to server
- slows down spammer server, deters them
- recipient filtering: block all email not addressed to valid recipient
Influence Campaigns:
- persuade, distract
- through social media
- china CCP fake reviews/comments
- mass media can pickup on this
- cyber warfare: china CCP
Social Engineering Attacks:
- Tailgating: following behind
- use clothing (safety vest, etc...)
- take up smoking right outside of building so people allow you in when they go back in
- invoice scam: fake invoice that seems legit, accounting dept may pay!
- credential harvesting: using browsers to extract credentials
- using virus, employee clicks and it downloads all credentials
Principles of Social Engineering:
- take advantage of emotion
- authority
- intimidation
- consensus / social proof: other people have done it
- scarcity: time limit/urgent
- urgency
- familiarity/liking: pretend to be friendly
- trust: say from IT dept.
Overview of Malware:
- malicious software
- botnets, DDOS, keylogger, adware, virus/worms, ransomeware, crypto malware, trojan horses, rootkits
Viruses & Worms:
- viruses: reproduce itself but need human to start
- program virus
- boot sector virus
- script virus
- macro virus (runs in other apps, like Microsoft Office)
- fileless virus: stealth, operates in RAM, never in storage
- change registry to allow to return after reboot
- worm: can reproduce itself without intervension
- move from computer to computer
- Firewall/IPS/IDS
Ransomware:
- pay to get data back
- have a good backup separate
Trojan and RATs:
- trojan horse: app that isn't what it seems
- games that are actually viruses
- PUP (Potentially Unwanted Program)
- uTorrent installs browser toolbar that doesn't go away
- backdoors: keep access easily available
- many diff malware can use it
- some apps have backdoors
- RAT (Remote Access Trojan):
- ultimate backdoor
- admin control, remote
- can do anything an admin can do (keylog, restart pc, change settings, etc...)
Rootkits:
- modify kernel
- invisible to antivirus/antimalware
- specific rootkit removers
- UEFI secure boot stops rootkits normally
Adware:
Spyware:
- can be trojan horse, keylogger, etc...
- malwarebytes software to remove
Bot:
- robot
- botnet: controlled through C&C server (Command & Control)
- can create DDOS/proxies/DDOS as a service
Logic Bombs:
- waits for predefined event
- someone with a grudge
- time bomb (after a certain amount of time triggers)
- user event (moving a file triggers)
- difficult to identify & gather evidence (deletes itself after)
- formal change control system to make sure nothing is changed
- host based intrusion detection
Password Attacks:
- hash password: message digest/fingerprint
- no duplicates, no reversing
- SHA-256
- brute force: trying a bunch of passwords
- hashing a bunch of passwords to compare to hash they are trying to crack
- offline attack of hashed passwords
- dictionary attack: has substitutions included as well (h3ll0)
- spraying attack: try a few common passwords before lockout
- move onto next account if doesn't work
- avoid alerting company
- rainbow table:
- optimized prebuilt set of hashes
- each OS or app can use diff encryption to create a hash, need to account for this (not all SHA-256)
- Salt:
- two same passwords with diff hashes (add salt - random data)
- rainbow table won't work
- attacker needs to know how salt was implemented
Physical Attacks:
- malicious USB cable (has additional electronics inside)
- could have HID (Human Interface Device) inside
- can open terminal and start typing inside
- never plug in any USB cable
- malicious USB flash drive: similar to cable
- autoplay is dangerous
- HID makes it appear to be a keyboard/mouse and starts infecting your system
- malicious files in USB (inside pdfs, etc...)
- act as ethernet adapter
- skimming:
- stealing credit card info as you use it to pay for something
- pull on card reader
- card cloning:
- make same duplicate card you have
- cloning gift cards: use before legit user can use it
Adversarial AI:
- spam folder can recognize more
- youtube reccommending
- attackers use malicious/invalid data
- train tesla to do wrong things
- train AI to become racist (Seinfeld)
- need to retrain with new data
Supply Chain Attacks:
- using 3rd party company that interacts with attacker's target
- narrow down vendors a company uses
- strict controls
- verify devices are good
Cloud based vs on premises security:
- on premises:
- customize security posture
- on site IT team
- local team can be expensive
- local team maintains uptime and availability
- security changes can take time
- cloud based:
- data in a secure environment
- 3rd party may have access to data
- cloud providers manage large scale security
- users must follow best practices
- less downtime
- scalable security options
- may not be as customizable as on premises
Cryptographic Attacks:
- birthday attack:
- in class of 23 students --> 50% chance 2 share a birthday
- 70% if 30 students
- hash collision:
- 2 plaintexts that have same hash (shouldn't be possible)
- attacker generates multiple plaintexts to match hash
- increasing size of hash will decrease probability of collission
- downgrade attack:
- force systems to downgrade their security/encryption (manipulate 2 sides of conversation)
Privilege Escalation:
- using normal user to gain higher privileges
- data execution prevention: only data in executable areas can run
- address space layout randomization
- prevent buffer overrun at known memory address
Cross-Site Scripting:
- XSS
- browser vulnerability, one site share to another site
- browser send info straight to attacker
- JS usually
- non persistent (reflected) XSS attack:
- website allows scripts to run in user prompt
- attacker needs victim to click link
- attacker gathers whatever info they want
- persistent (stored) XSS attack:
- embedded in post (social media)
- anyone who clicks link is infected
- no specific target
- go directly to sites, don't click links
- use extensions to block JS
Code Injection Attack:
- SQL, HTML, LDAP, XML
- SQL "OR 1=1" you can see entire database
- DLL injection (Dynamic Link Library): windows library with malware
Buffer Overflow:
- too much memory being used, spills over and overwrites other memory
- poor programming
- difficult to find and to make
Replay Attacks:
- replay/resend some info that the victim originally sent in order to get information from the server they were connected to
- replay data gathered to make it seem as if it's coming from someone else
- usually requires an on path attack to gather info
- replay attack doesn't require on path
- pass the hash:
- if hacker gets access to hash when victim sends to server, can use to gain access
- SSL/TLS encryption ensures even if attacker gathers data, can't use it
- salting hash also stops attacker from using hash
- cookies:
- may contain info for replay attack (session ID, etc...)
- sidejacking (session hijacking):
- session ID allows you to continue to make requests to server without signing in again
- attacker can use session ID to access account/server without username/password
- SSL/TLS prevent this
- header manipulation:
- info gathering: wireshark, kismet
- XSS vulnerability: gather info directly, not from network
- modify headers and cookies to look same as victim's computer
- always encrypt with HTTPS (TLS/SSL)
Request Forgeries:
- cross site requests:
- common and legit
- loading youtube vids on a separate site
- cross site request forgery:
- XSRF, CSRF
- takes advantage of trust a web app has for user
- requests made without your knowledge or consent
- attacker posts facebook status on your account
- cryptographic token prevents this
- SSRF (Server Side Request Forgery):
- send request to server
- server requests on behalf of attacker
- access internal server information
Driver Manipulation:
- drivers are trusted by OS
- vulnerable
- can contain keyloggers, etc...
- shimming:
- windows compatibility mode:
- allows running older versions of apps
- app compatibility shim cache
- attackers write their own shims to get around UAC (User Account Controls)
- Refactoring / Metamorphic malware:
- unique version of malware
- adding extra useless code, loops, etc... for uniqueness
- ensures antivirus can't match signature to verify it is malware
SSL Stripping / HTTP Downgrade:
- combines an on path attack
- makes victim's browser communicate with HTTP rather than HTTPS
- keep browser up to date
- attacker gets encrypted access to server but victim doesn't
Race Condition:
- TOCTOU (time of check to time of use attack):
- changing things too fast
- transferring money to accounts at the same time, repeatedly can give you more money
Other Application Attacks:
- memory leak: unused memory isn't properly released after being used
- null pointer dereference: make app point to memory point where nothing exists (crash app)
- overflow: large number in small space
- directory traversal attack: read files from web server that are outside website's file directory
- improper error handling: attackers can use info from errors
- improper input handling: SQL injection
- API (Application Programming Interface) Attack: gain access to data, create DOS,
- resource exhaustion: specialized DOS attack --> can be one device, uses up all resources
- ZIP bomb: 42 kilobyte zip file decompresses to 4.5 petabytes!
- nobody else can use resouces because backed up
- DHCP starvation: attacker floods network with IP address requests and diff MACs
- DHCP runs out of addresses in pool, nobody else can use
- switches can limit num requests
rogue access point:
- putting your own AP in your company office
- attacker can hack your AP and then have easy access to office network
- wifi pineapple --> make AP
- wireless evil twin:
- coffee shop fake AP with same SSID
- if stronger signal, everyone will use it instead
- use HTTPS & VPN if using public wifi
Bluejacking:
- send unsolicited messages to another bluetooth device
- not a big concern, just messages
- bluesnarfing:
- access to data on device by bluetooth (older devices)
Wireless Disassociation Attacks:
- AKA Wireless Deauthentication Attack
- intermittent wifi up and down
- type of DOS attack to stop people communicating to AP
- 802.11 wireless includes management frames in packets
- management frames make everything work
- manage QoS, how to find AP, etc...
- original wireless standards didn't have management frames
- 802.11w updated this in 802.11ac
- still some frames must be sent in clear to first connect
- beacons, probes, authentication, etc...
Wireless Jamming:
- RF (Radio Frequency) Jamming:
- DOS prevent wireless comm
- transmit interfering wireless signal
- degrease signal to noise ratio at receiving device
- microwave ovens and fluorescent lights can do this unintentionally
- constant random bits or constant legit frames
- reactive jamming: only when someone tries to communicate
- needs to be close or have the jamming device close
- fox hunting: use antenna and headphones to find where the device is
RFID & NFC Attacks
- RFID:
- track anything
- radar technology, radio energy powers a tag
- some RFID have batteries to create their own signal
- DOS signal jamming: nobody can read
- decryption keys can be googled sometimes
- NFC:
- type of RFID
- use phone to pay
- bluetooth uses NFC to simplify pairing
- can use for unlocking doors, etc...
- DOS jamming possible too
- relay / replay attack: on path attacks
- loss of RFC device control: someone stealing phone and using to pay things
Randomizing Cryptography:
- nonce: arbitrary number used once
- randomized or could be a counter as long as attackers can't figure it out
- usually use password hash and nonce to validate your credentials
- server will send different nonce every time
- IV (Initialization Vector): type of nonce (randomized encryption - WEP, SSL)
- salt: type of nonce (password storage)
On path attacks:
- AKA Man in the middle attack
- attacker can see and possibly modify info going back and forth
- ARP (Address Resolution Protocol) poisoning:
- no authentication or encryption
- spoofing the ARP allows attacker to pretend it is the victim
- ARP allows to asks for MAC of a device using it's IP
- attacker sends their own MAC as if it is the other device and repeats this to the other device
- malware/trojan does proxy work
- man in the browser attack
MAC Flooding & Cloning:
- every device has diff MAC
- 6 bytes long hexidecimal:
- first 3 bytes: Manufacturer OUI (Organizationally Unique Identifier)
- every NIC from a manufacturer always has same first 3 bytes
- last 3 bytes: serial number
- increment the number for each NIC the company manufactures
- switches work at MAC level
- contains list of all MACs on network
- maintain loop-free environment
- STP (Spanning Tree Protocol)
- switch adds MAC of any new device communicating with it
- frame switching: switch compares MAC of incoming and outgoing packets to match to MAC table it created
- MAC flooding: sending thousands of MACs to switch
- when switch runs out of space for storing MACs, the switch starts sending packets to everyone
- turns switch into a hub basically
- floodguard: detects and prevents this normally, most switches have this
- MAC spoofing/cloning:
- gain access to network that they aren't allowed to
- create a DOS: disrupt comm with legit MAC
- easy to mod MACs
- many switches can block spoofed/cloned MACs
DNS Attacks:
- DNS Poisoning/Spoofing:
- change site that a domain directs to
- modify DNS server
- modify client host file on each device
- send fake response to a valid DNS request:
- on path attack, change IP to whatever they want
- Domain hijacking:
- gain access to domain registration
- brute force, social engineering, etc...
- change domain info (can change site that a domain is directed to)
- URL hijacking:
- badly spelled domain used as ad website or phishing site or malware
- professormesser.com legit, proffessormessor.com not legit
- domain reputation:
- if company email is being hijacked to send spam, word will get around and will be blocked everywhere
- if web server is infected, search engines will index and put a warning on your site
Denial of Service:
- force a service to fail
- used as a smoke screen or against competition
- can be accidental
- STP (Spanning Tree Protocol) to prevent layer 2 loops (plugging in things wrong)
- DDOS: bot net creating DOS attacks all at once
- DDOS DNS Amplification: pretend to be a webserver asking for domain resolution
- botnet sends multiple requests like this, all get sent to webserver, too much to handle
- botnet spoofs IP to seem like it is the webserver
- zip bomb: small compressed file decompresses into huge file
- (OT) Operational Technology DOS:
- power grid, traffic lights
Malicious Scripts:
- automated attacks
- powershell .ps1 scripts common for attackers
- python: used cross platform
- cloud, server, router, etc...
- Shell: Linux attacks
- Macros: normal macros auto function in apps or OS
- make easier to use
- attackers exploit these
- VBA (Visual Basic for Applications):
- automate processes within Windows apps, like Office suite
Threat Actors:
- AKA attacker
- APT (Advanced Persistent Threat)
- hard to identify attackers inside network
- insiders in company can be threat actor
- governments can be threat actor
- hacktivist can be a threat actor
- hacker & activism
- script kiddie: non sophisticated scripts, doesn't know what they're doing
- trying to brag that they hacked
- organized crime
- hackers
- shadow IT (create your own IT functions without interacting with IT department at work)
- competitors
Attack Vectors:
- method used by attacker to gain access
- direct access attack vectors: physical access to OSs
- keylogger on keyboard
- transfer files
- pull power, DOS
- wireless attack vectors:
- rogue APs
- default login credentials
- Evil twin
- on path attacks
- protocol vulnerabilities
- email attack vectors:
- phishing, malware, social engineering
- supply chain attack vectors:
- each step on supply chain can be compromised
- gain access to target using a vendor
- malware modifying manufacturing process
- social media attack vectors:
- gather info, fake friends
- removable media attack vectors:
- get around firewall with USB
- malicious USB keylogger, etc...
- data exfiltration
- cloud attack vectors:
- brute force, phishing, orchestration attack, DOS
Threat Intelligence:
- OSINT (Open Source Intelligence): publicaly published problems
- closed/proprietary intelligence: selling info
- vulnerability database:
- CVE (Common Vulnerabilities and Exposures) published by NVD (US National Vulnerability Database)
- ranking of how critical
- CTA (Cyber Threat Intelligence): members upload threat intelligence, everyone validates it
- AIS (Automated Information Sharing): standards for how to share threat data
- STIX (Structured Thread Information eXpression): describes cyber threat info, incl motivation, abilities, etc.
- TAXII (Trusted Automated eXchange of Indicator Information): securely shares STIX data
- dark web intelligence
- IOC (Indicator Of Compromise):
- an event that indicates intrusion
- unusual network activity, change hashes, DNS changes, etc...
- predictive analysis: id behaviours, create forcasts for attcks, use AI
- threat maps: where and when attacks are happening
- file/code repositories:
- github, sometimes accidentally public code
Threat Research:
- vendor websites: list any threats
- CVEs
- conferences
- academic journals
- RFC (Request for Comments):
- published by ISOC (Internet Society): written by IETF (Internet Engineering Task Force
- not all documents are standardized
- local industry/user groups
- social media
- threat feeds
- TTP (Tactic, Technique, Procedure): how the attacker will try to gain access
- vulnerability management system: put all these resources into one feed
Vulnerability Types:
- zero day attacks
- open permissions
- unsecured root account
- errors give too much info
- weak encryption (storage and network)
- MD5 outdated hash
- insecure protocols (FTP, SMTP, IMAP)
- default settings & uname/passwrd
- Mirai botnet: hacks IoT devices
- open ports and services
- improper patch management
- legacy platforms
Third Party Risks:
- prepare for a breach
- system integration risk:
- third party has access to integrate things, can be on site as well
- lack of vendor support
- supply chain risk
- outsourced code dev
- data storage (cloud/server)
- transfer encrypted and storage encrypted
- lack of security controls
- misconfigurations
Vulnerability Impacts:
- data loss
- meow attack: delete all data and replace with meow
- identity theft
- financial loss
- reputation impacts
- availability / uptime loss
Threat Hunting:
- intelligence fusion: deciding what is important info
- use data analytics
- collect data, add external sources (gov alerts, etc...)
- predictive analysis
- deploy security (firewalls, software, etc...)
- all automated by data analytics
Vulnerability Scans:
- determine if there is potential to gain access
- perform as if you were an attacker, from outside and inside LAN
- non intrusive scans: gather info, dont try to exploit anything
- intrusive scans: exploit things
- non-credential scans: scanner can't login
- credential scans: someone with some level of access to system
- application scans, web app scans, network scans
- CVEs use CVSS (Common Vulnerability Scoring System) to determine how critical a threat is
- CVSS 2.0 & CVSS 3.x --> different scoring
- false positives: some vulnerabilities don't actually exist
- not same as low severity vulnerability
- false negative: dangerous, scan missed the threat
- configuration review: make sure everything is secure
SIEM (Security Information and Event Management Device):
- logging of security events and info
- log collection
- data correlation
- forensic analysis
- syslog: standard for message logging
- SIEM data:
- record of VPN connectivity, server authentication attempts, etc...
- packet captures
- SOC (Security Operation Center)
- send alerts to text/email if something is found
- dashboard with overview, more readable
- security reports with graphs
- analyzing data:
- big data analytics: id patterns in massive amounts of data
- UEBA (User and Entity Behaviour Analytics): detect insider threats, id targetted attacks
- sentiment analysis: if they hate you, they hack you
- SOAR (Security Orchestration, Automation, Response):
- ensure setup and maintenance of security, automate task scheduled things, respond to changes immediately
Penetration Testing:
- simulate attack
- often compliance mandate
- NIST (National Institute of Standards and Technology)
- rules of engagement:
- document, schedule, which devices can be used in test (in scope)
- working knowledge: unknown or known things about company
- exploiting: can cause DOS, need to try many methods
- process:
- initial exploit
- lateral movement: moving around when inside system
- persistence: make sure you can get back in
- the pivot: gain access to systems that shouldn't be accessible to users, use as proxy, relay, etc...
- cleanup: return everything back to normal
- bug bounty: some people make a living doing this
Reconnaissance:
- minimize attack area
- create network map
- passive footprinting: use open sources, social media, websites, etc...
- social engineering, dumpster diving
- OSINT
- wardriving / warflying: combine wifi and gps to find where networks are
- driving around city to find all SSIDs
- flying a drone works as well
- Kismet & inSSIDer will map these out
- active footprinting:
- ping, port scans, nmap, etc...
- someone can see you doing this
Security Teams:
- red team: offensive, penetration tester, ethical hackers
- blue team: defensive, respond to insidents, opsec, threat hunting, digital forensics
- purple team: some companies combine blue and red so they can collaborate
- white team: oversees all teams, in charge of everything
Configuration Management:
- only constant is change
- document updates and changes
- network diagrams
- device diagrams
- cable diagrams
- baseline configuration: security defined baseline config
- integrity checks
- standardized naming conventions: for devices, accounts, emails, etc...
- IP schema: define ranges, locations, reserved addresses
Protecting Data:
- data sovereignty: data residing in countries
- GDPR (General Data Protection Regulation): for EU data
- data collected on EU citizens must be stored in the EU
- data masking: protect PII, etc...
- blanking out credit card number on receipt
- data encryption:
- plaintext to ciphertext
- diffusion:
- change one piece of plaintext to make different ciphertext
- data at rest:
- data on a storage device
- encrypt data on drive
- assign permissions
- data in transit/motion:
- networks
- allow/block on firewall
- encryption
- data in use:
- in memory, not encrypted
- tokenization:
- replace sensitive info with different info
- used wih NFC payment
- not encryption --> original data and token are NOT mathematically related
- user connects NFC device for payment to a card
- remote token server gives you a token and associates with card
- IRM (Information Rights Management):
- control how data is used
- pdf, office docs, etc...
- prevent copy and paste, screenshots, printing, etc...
- each user has their own rights
DLP (Data Loss Pevention):
- endpoint DLP: data in use on your computer
- data in motion, data at rest and data in use protection
- DLP can allow/block USBs
- cloud based DLP:
- block malware and unwanted access
- DLP on email: ID bad emails
Managing Security:
- geographical considerations
- offsite backups & recoveries
- response and recovery formal process:
- identify attack, contain attack, limit access and exfiltration
- SSL/TLS: TLS is used now, SSL old
- TLS inspection
- examine encrypted traffic
- based on trust, Certificate Authorities CAs
- TLS proxy
- add your own CA certificate to be inbetween communication
- TLS decription on firewall but reincrypts with private encryption to send to computer
- hashing: one way trip, can verify a download, can be a digital signiture and know who sent it
- shouldn't be collisions in good hashing algorithm (SHA-256)
- API considerations:
- control software or hardware programmatically
- on path attacks
- API injection
- DOS
- limit use of API to legit users
- authorization prevention
- WAF (Web Application Firewall): API communication control
Site Resiliency:
- recovery site prepped when a disaster happens
- move over the running of everything
- hot site: an exact replica of everything
- all synced
- cold site: empty building
- bring people, data, computers
- warm site: rack space
- you bring hardware OR hardware is ready
Honeypots and Deception:
- attract attackers
- determine how and what attackers do
- kippo, google hack honeypot, wordpot, etc...
- honeynet: multiple honeypots
- honeyfiles: attractive bait
- fake telemetry: attackers train AI to think malware is fine
- DNS Sinkhole: DNS hands out incorrect IP
- invalid/incorrect fully qualified domain names (FQDN) IP resolution
- integrated into firewall
Edge and Fog Computing:
- Edge (IoT): local devices process application data on an edge server (local system), no internet required
- Fog: cloud that's close to your data, distribute data and processing between cloud and local
- keep sensitive data on LAN, send other info to cloud
Designing the Cloud:
- thin client: connect to DaaS or VDI
- apps run in cloud
- virtualization: cloud always runs multiple OSs at once
- hypervisor: software allowing PC to run virtual machines
- containerization:
- everything runs on one host operating system but apps are containerized for each user
- reduces need for separate required resources for each OS
- Docker is an example
- Microservices and APIs:
- monolithic apps
- app contains all decision making process
- APIs breaks up services into smaller parts with Microservices
- scalable, resilient, secure
- serverless architecture:
- FaaS (Function as a Service): apps separated into individual autonomous functions
- remove OS from equation
- features are ephemeral or event triggered
- Transit gateway:
- common to create many VPCs
- VPC (Virtual Private Cloud): pool of resources created in public cloud
- connect through VPN
- resource policies:
- assigning permissions to cloud resources based on region or IPs
- service integration:
- SIAM (Service Integration and Management): many different service providers
Infrastructure as Code:
- describe apps, network, etc as code
- SDN (Software Defined Networking):
- control plane (manage/control of device)
- data plane (operation management)
- centrally managed, agile, open standards, programatically configured
- SDV (Software Defined Visibility):
- see traffic to secure data
- SIEM (Security Information and Event Management)
- VXLAN (Virtual eXtensible LAN) & SSL/TLS encryption
Virtualization Security:
- VM sprawl: VMs are sprawled everywhere, aren't sure which VMs are related to which apps
- can use too many resources
- important to have formal process for provisioning and deprovisioning instances
- id every virutal object
- VM escape: someone can access another VM from their own
Secure Development:
- patch tuesday
- how, when deploy?
- sandboxing: app dev testing
- steps:
- development
- testing
- QA team: quality assurance tests
- staging phase: working, almost done, still testing
- production: lots of changes will probably have to be made even after this
Provisioning and Deprovisioning:
- VLANS, cloud, security
- scalability (increase workload), elasticity (increase resources)
- orchestration: instantly provision/deprovision app and security without human intervention
Secure Coding Concepts:
- testing
- stored procedures: no modifications to SQL database queries are possible
- obfuscation/camouflage: change code into unreadable nonsense
- code reuse / dead code: old code can be vulnerable and dead code has no use
- input validation: sometimes input isn't validated, attackers will take advantage (zip code should be 4 char long, etc)
- server side validation
- client side validation
- memory management:
- buffer overflow crashing app or give higher access
- third party SKDs: speeds up dev process but may be vulnerable
- data exposure: sensitive info should be encrypted
- version control: keep track of all changes between versions of software
Software Diversity:
- alternative compiler paths resulting in different binary file each time
- attacks against binaries won't be able to attack the app on all PCs
Automation and Scripting:
- CI (Continuous Integration): code is written constantly
- always updating code
- security issue potentially
- can automate checks for this security
- CD (Continuous Delivery):
- testing and deployment is automated
Authentication Methods:
- directory services: database with usernames and passwords
- all authentication requests reference to this directory
- Kerberos/LDAP are examples
- federation: allow someone to authenticate to your network using 3rd party login
- login with FB or Twitter, etc...
- attestation: prove hardware is really yours
- automated process to determine which devices can connect (for a big company)
- remote attestation: operational report to verification server
- uses TPM, IMEI, etc...
- SMS: MFA
- easy for someone to reassign phone number
- push notification: apps that provide MFA key
- apps can be vulnerable
- authentication apps:
- same as physical token generator but just software
- TOTP (Time based One Time Password): algorithm uses secret key and time of day
- key changes every 30 sec or so
- HOTP (HMAC based One Time Passord algorithm): only once per session
- use once and never again
- phone call
- static codes: PIN for credit card
- passwords
- smart cards
Biometrics:
- something you are
- fingerprint scanner
- retinal scanner
- iris scanner
- voice recognition
- facial recognition
- gait analysis: way of walking
- vascular analysis (veins)
- FAR (False Acceptance Rate): likelihood that an unauthorized user will be accepted
- FRR (False Rejection Rate): how often authorized user is rejected
- CER (Crossover Error Rate):
- system isn't too sensitive that it blocks authorized users but is sensitive enough to block unauthorized ones
- where FAR & FRR cross in middle
Multi-factor Authentication:
- AAA (Authentication, Authorization, Accounting) Framework
- factors:
- something you know
- something you have
- something you are
- attributes:
- somewhere you are
- something you can do
- something you exhibit
- someone you know
Disk Redundancy:
- maintain uptime
- duplicate parts of system
- geographic dispersal: having redundancies somewhere far away
- disk redundancy:
- multipath I/O: used for network based storage
- RAID
Network Redundancy:
- load balancer: direct traffic to least used server or prevents traffic
- redirect traffic if server fails
- NIC teaming / Load Balancing / Fail Over (LBFO):
- redundant paths, aggregate bandwidth
- multiple NICs acting as one
- does same thing as load balancer
- multiple paths for network to get to same destination
Power Redundancy:
- UPS (Uninteruptible Power Supply)
- offline/standby UPS: switch over to UPS when power is lost
- line-interactive UPS: when voltage is lowering, UPS will up it
- online/double-conversion UPS: always online, no switching into it, always connected
- generators: days-weeks of power
- 10-15 sec between power loss and generator turn on
- dual power supplies: each runs at 50%
- hot swappable
- PDU (Power Distribution Unit): like a power bar but smart
- usually in a rack
- often include monitoring and control
Replication:
- SAN (Storage Area Network) replication
- SAN to SAN replication
- SAN snapshot: if realtime replication isn't available, snapshot of SAN will upload to other SAN
- VM replication: updating primary VM and replicate to update copies, just copies changed files! easy
Backup Types:
- file backups
- archive bit/attribute: file is ready for archiving
- "file is ready for archiving" will not be checked after you full backup
- incremental, full, synthetic, differential
- differential does not clear archive attribute/bit
- magnetic tape, disk,
- NAS (Network Attached Storage): file level access
- must rewrite entire file to change something
- SAN (Storage Area Network): block level access
- can change portions of files
- cloud backup
- image backup: exact duplicate of system
- offline vs online backup
Resiliency:
- non persistence: cloud apps never permanent
- use snapshots to revert
- rollback to known config
- live boot media
- (HA) high availability
- need more of everything
- order of restoration:
- application specific
- database before apps
- backup specific
- diversity of physical tech and cryptography
Embedded Systems:
- smart watch is example
- SoC (System on a Chip):
- multiple components running on single chip
- raspberry pi is example
- FPGA (Field Programmable Gate Array):
- array of logic blocks
- can change capabilities of chips
- SCADA (Supervisory Control Data Acquisition System)
- ICS (Industrial Control System)
- building operations controlled on network
- IoT
- specialized:
- heart monitor
- vehicles
- aircraft
- VOIP: voip phones have embedded system
- HVAC
- drones
- MFD printers, scanners
- RTOS (Real Time Operating System):
- anti lock breaks
- no time to wait for other processes
- surveillance cameras
Embedded Systems Communication:
- 5G: 10Gb/s
- SIM (Subscriber ID) card: IMSI allows to add to cell network
- narrowband: communicate analog signals over narrow range of frequencies, far distance
- baseband: single fiber/copper cable connection - use 0% or 100%
- broadband: multiple fiber/copper cable connections
- Zigbee: 802.15.4 PAN - alternative to wifi and bluetooth
- longer distances than bluetooth, less power consumption than wifi
- mesh network
- used for IoT
- uses ISM band
Embedded Systems Constraints:
- low cost device / off the shelf
- hard to upgrade
- limits to communication
- batteries may be needed
- computing power is less
- cryptography hardware probably doesn't exist
- inability to patch
Physical System Controls:
- bollards/barricades
- moats
- access control vestibule: check A+ for review
- alarm
- circuit based, motion detect, duress button
- signs
- CCTV (Closed Circuit TV)
- industrial camouflage: building looks plain
- guards and access lists
- robot sentries
- biometrics
- cable lock
- USB data blocker: prevent juice jacking
- only connects to power of USB, not data lines
- proper lighting
- fire suppression: dupont fm200
- drones
- fencing
- faraday cage: restrict/prevent radio signals
- screened subnet / DMZ
- PDS (Protected Distribution System): cables inside a metal conduit
- protect cables, prevent cable taps, prevent cable cuts (DOS)
Secure Areas:
- physical security just as important as network/software
- secure backups too
- air gap: physical separation between networks
- ensure one network cannot access other
- stock market network is example, power plants too
- vaults and safes: keep anything important, storage, etc...
- hot and cold aisles: optimize cooling in racks
- only cooling in cold aisle, hot aisle sent into cooling system
Secure Data Destruction:
- look at A+, destroying storage, paper, etc...
- purging data: delete some data from database
- wiping data: completely destroyed
- Sdelete (Win file level overwriting)
- DBAN (Darik's Boot and Nuke): whole drive wipe
Criptography Concepts:
- confidentiality, authentication, non-repudiation (who sent), integrity of information
- Hashing does this
- plaintext: unencrypted
- ciphertext: encrypted plaintext
- cipher: the algorythm used to encrypt/decrypt
- cryptanalysis: art of cracking encryption
- keys: added to cipher
- unknown to anyone
- larger is more secure
- multiple is better
- key stretching/strengthening: hashing the hash of a password if the hash isn't long enough
- libraries can do this - Blowfish cipher performs multiple rounds of hashing
- PBKDF2 (Password Based Key Derivation Function 2: part of RSA public key cryptography standards
- lightweight cryptography:
- don't need much processing power
- IoT
- (HE) Homomorphic Encryption:
- don't need to decrypt data to perform calculations with it
- never decrypt
Symmetric and Asymmetric Cryptography:
- symmetric: single key to encrypt/decrypt data
- secret key algorithm
- hard to scale, sharing with many people is hard
- asymmetric: multiple keys
- public key and private key
- key generator
- Diffie-Helman Key Exchange: can use public and private keys to make a symmetric key
- both users that need a symmetric key create their own with their own public and private keys
- resulting symmetric key is the same for both of them
- never have to send them
- no worries about encryption for sending
- encrypt with public key and decrypt with private key or opposite (like digital signiture)
- cannot derive one key from the other
- ECC (Elliptic Curve Cryptography):
- smaller keys, uses curves, asymmetric
Hashing and Digital Signatures:
- salting can make it so that even if everyone has same password, all hashes are different
- digital signatures: prove source, signed with private key, verify with public key, non-repudiation, integrity
- not encryption, just proves the above
Cryptographic Keys:
- allow to encrypt, hash, digitally sign
- larger keys are harder to crack
- symmetric keys are normally 128 bit or larger
- asymmetric keys are normally 3072 bit or larger
- key exchange is difficult problem
- out of band key exchange: phone call, courier, in person, etc.
- in band key exchange: sending key on internet
- additional encryption
- encrypt a symmetric key with an asymmetric key for transit
- needs to be changed often
- Diffie-Helman key exchange: see above for details
- SSL/TLS: server's private key can open any ciphertext into plaintext
- one point of failure
- PFS (Perfect Forward Secrecy): change method of key exchange every time, don't use server's private RSA key
- uses Elliptic curve or Diffie-Helman ephemeral
- session keys always different and aren't kept
Steganography:
- obfuscation of data
- hiding info in image/other media
- security through obscurity: not real security
- covertext: container document/file for secret info
- embed messages in TCP packets, use image, use audio files, video
- larger file = more secret data
Quantum Computing:
- qubits: each bit can be both 0 and 1 at the same time
- 4 qubits = 2^4 nibbles = 16 nibbles
- scalable
- cryptography way better
- can brute force everything
- NTRU: instead of finding prime factorizations for large numbers, relies on "closest vector" problem
- examining qubits changes them:
- inherrent integrity
- QKD (Quantum Key Distribution)
Stream and Block Ciphers:
- stream cipher: encrypt one byte at a time
- used for symmetric encryption
- high speed, low resources
- harder to randomize (only sees one byte at a time)
- combine IV (Initialization Vector)
- block cipher:
- encrypt fixed length block of data
- 64 or 128 bit blocks
- used with symmetric encryption
- modes of operation (methods of encryption):
- ECB (Electronic CodeBook):
- simplest: uses single encryption key for every block in the series
- CBC (Cipher Block Chaining):
- each plaintext block is XORed with previous ciphertext block
- adds additional randomization
- use an initialization vector (IV) for XORing
- CTR (Counter):
- uses incremental counter to add randomization
- counter is encrypted with block cipher encryption
- XOR to plaintext
- cipher text created
- GCM (Galois Counter Mode):
- encryption with authentication
- CTR mode combined with Galois authentication
- SSH & TLS use this
Blockchain Technology:
- distributed ledger
- payment, supply chain monitoring, digital voting, digital identification
- steps:
- transaction request
- copy of transaction sent to all devices on blockchain for verification
- verified transaction is added to new block of data containing verified transactions
- transactions hashed: know if it is changed
- add block to blockchain
Cryptography Use Cases:
- ECC (Elliptic Curve Cryptography) for devices with limited resources
- low latency, high resiliency
Cryptography Limitations:
- finding balance: speed vs security
- weak IV in WEP vulnerability
- time it takes
- key reuse: IoT have key embedded, need to update firmware to change
Secure Protocols:
- SRTP (Secure Realtime Transfer Protocol): Secure RTP
- uses AES to encrypt voice/video
- uses HMAC-SHA1: hash based message authentication code
- NTPsec (Network Time Protocol secure):
- cleaned up and fixed vulnerabilities
- S/MIME (Secure Multipurpose Internet Mail Extensions):
- piblic key encryption and digital signing of mail content
- requires PKI (Public Key Infrastructure)
- POP3: use STARTTLS extension to encrypt with SSL
- IMAP: secure IMAP uses SSL
- SSL/TLS: browser based email encryption should use this
- SSL not actually used anymore, TLS took over
- HTTPS: uses public key encryption, private key on server
- symmetric key transferred using asymmetric encryption
- IPsec (Internet Protocol security):
- OSI layer 3 security: authenticate and encrypt every packet
- confidentiality, integrity, anti-replay
- uses AH (Authentication Header): for authentication
- uses ESP (Encapsulation Security Payload): for encryption
- 2 ways to send info over IPsec (usually with a VPN):
1) Transport mode: IP header in front, IPsec header encapsulates data
- IP header still exposed, not encrypted
2) Tunnel mode: IPsec header around whole packet and create new IP header in front to send to IPsec concentrator
- FTPS: FTP over SSL
- SFTP: SSH file transfer protocol
- can do anything normally done in SSH and transfer files
- much more secure than FTPS
- LDAPS: normal LDAP uses X.500 specifications by ITU (International Telecommunications Union)
- non standard implementation of LDAP over SSL
- SASL (Simple Authentication ans Security Layer):
- many different methods: Kerberos, client certificates, etc...
- SSH
- DNSSEC: DNS originally had no security
- validate DNS responses with origin authentication and data integrity
- uses public key cryptography: digital signing
- SNMPv3:
- confidentiality, integrity, authentication
- DHCP: originally had no security
- in LDAP servers, DHCP must be authorized
- some switches have trusted certificates for DHCP (prevent DHCP snooping)
- DHCP DOS
Endpoint Protecton:
- defence in depth: layered protection
- antivirus and antimalware
- use signature based detection
- problem: hackers can change signatures
- EDR (Endpoint Detection and Response):
- look at what files do, machine learning
- not only relying on signatures
- can investigate and respond to threat automatically
- DLP (Data Loss Prevention):
- stop hackers from taking or deleting data
- NGFW (Next Generation FireWalls):
- AKA: application layer gateway / stateful multilayer inspection / deep packet inspection
- OSI application layer 7
- all data in every packet
- can id features in apps and block them
- examine encrypted data
- host based firewalls:
- run on singe PC (individual endpoint)
- HIDS (Host based Intrusion detection System)
- HIPS (Host based Intrusion Prevention System)
- can be built into endpoint protection software and antimalware
- id signatures, heuristics, behaviour
Boot Integrity:
- rootkits operate at kernel level, not seen by antimalware software
- TPM (Trusted Platform Module)
- physical module
- helps cryptographic process
- can store encryption keys
- password protected
- anti brute force
- HSM (Hardware Security Module)
- UEFI:
- secure boot:
- part of UEFI specification
- includes manufacturer's public key
- digital signature checked during BIOS update
- prevent fake BIOS install
- verifies bootloader
- compares trusted certificate to digital signature in bootloader
- trusted boot:
1) bootloader verifies digital signature of OS kernel
2) kernel verifies other startup components
3) ELAM (Early Launch Anti-Malware): checks every driver to see if trusted
- measured boot:
- remote attestation: device provides operational report to verification server
- encrypted and digitally signed with TPM
- attestation server checks signature
Database Security:
- tokenization: don't store real data, just store token
- SIN# and credit card stored this way temporarily
- new token for each transaction can be made
- no encryption
- hashing:
- encryption
- no collisions
- one way trip
- add salt to randomize
- no rainbow tables (set of hashes with their plaintext values)
Application Security:
- secure coding:
- input validation: make sure every user input field is secure
- normalization: ensure user input is appropriate to the field (ZIP code only has 4 numbers, date has x, etc..)
- fuzzing (Dynamic Analysis):
- send random input to application
- syntax testing, robustness testing
- see if something breaks
- usually automated
- secure cookies:
- information stored on your pc by browser
- secure cookies have secure attribute set
- only send over HTTPS
- sensitive info not saved in cookies
- HTTP secure headers:
- layer of security
- enforces browser to allow or disallow certain things
- secure header can be configured to force HTTPS
- only scripts for stylesheets, images, prevent XSS
- code signing:
- digital signatures for applications
- trusted CA signs developer's public key
- allow/deny list:
- software or security settings
- based on application hash, certificate, path, network zone
- Static code analyzers:
- SAST (Static Application Security Testing): help id security flaws
- still have to verify everything
- finds issues in code
Application Hardening:
- minimize attack surface
- remove vulnerabilities
- limit ports: close all except necessary
- NGFW is ideal
- NMAP scan to see which ports need to be open for certain apps
- registry:
- almost everything can be configured here in Windows
- disk encryption:
- FDE Bitlocker/filevault
- SED (Self Encrypting Drive): hardware based FDE, no OS needed
- OS hardening:
- updates
- user accounts with limited access
- network limited access
- antivirus
- patch management:
- automatically done unless enterprise environment
- incremental
- sandboxing:
- VMs
Load Balancing:
- distribute load to multiple servers
- fault tolerance
- some load balancers can actually perform SSL/TLS and TCP functions
- can also cache data
- prioritization
- content switching
- scheduling:
- round robin: each server selected in turn
- weighted round robin: prioritize server use
- dynamic round robin: distribute to server with lightest load
- active/active load balancing: if one server fails, others step in
- affinity: user communicating through load balancer is always sent to the same server
- active/passive load balancing: some servers are active, some on standby
- if one fails, other turns on
Network Segmentation:
- segment apps so they can't communicate, etc...
- PCI requirement for credit card info requires segmentation
- segmentation types:
- physical:
- air gap: air between two devices, no direct connection between 2 devices
- logical:
- VLANs: parts of switch logically separated
- screened subnet / DMZ
- Extranet: similar to screened subnet but has added authentication
- Intranet: only accessible from inside LAN and employees w VPNs
- east-west traffic: traffic between devices in same data center
- north south traffic: traffic device inside data center and device outside of data center
- need to be more secure
- zero trust: even on the inside require authentication
- virtual:
Virtual Private Networks:
- concentrator: encrypts and decrypts data for VPN
- can be hardware or software
- SSL VPN (tcp/443): no firewall issues
- no big VPN clients
- no crazy security
- HTML VPNs: browser includes API for web cryptography
- full tunnel: user communicates with concentrator, concentrator communicates with website you want
- split tunnel: some info can go outside tunnel and communicate directly with other websites
- site to site VPN: one VPN concentrator at a company connects to another at another company
- L2TP (Layer 2 Tunneling Protocol):
- connect 2 networks together as if they were on the same network
- actually a layer 3 thing
- commonly used with IPsec
- L2TP for VPN tunnel & IPsec for encryption
- IPsec (Internet Protocol security):
- OSI layer 3 security: authenticate and encrypt every packet
- confidentiality, integrity, anti-replay
- uses AH (Authentication Header): for authentication
- shared key and hash of packet usually with SHA-2
- no encryption, just data integrity, authentication, prevents replay attacks
- uses ESP (Encapsulation Security Payload): for encryption
- encryption usually with AES
- adds ESP header to packet
- 2 ways to send info over IPsec (usually with a VPN):
1) Transport mode: IP header in front, IPsec header encapsulates data
- IP header still exposed, not encrypted
- IP header ; AH header ; ESP header ; data ; ESP trailer ; integrity check value
2) Tunnel mode: IPsec header around whole packet and create new IP header in front to send to IPsec concentrator
- New IP header ; AH header ; ESP header ; IP header ; data ; ESP trailer ; integrity check value
Port Security:
- physical ports on a switch or router
- control and protect
- broadcasts: data sent to every device on network
- limited scope, VLAN scope
- ARP request use broadcast
- IPv6 has NO broadcasts
- has multicast
- broadcast storm control
- most switches can control broadcasts, multicasts, etc...
- loop protection: plugging things in to make a loop can DOS
- STP (Spanning Tree Protocol): 802.1D standard
- prevent loops on layer 2 networks
- blocking ports
- redirecting network, always monitoring
- BPDU guard (Bridge Protocol Data Unit):
- STP takes time to determine if a new switch should forward frames. called PortFast on Cisco
- bypass listening and learning states with BPDU
- DHCP snooping:
- IP tracking on layer 2 device
- switches have trusted and untrusted tables to know if a switch shouldn't be there
- MAC (Media Access Control) filtering:
- allow/deny MAC addresses
- obsurity: not real security
Secure Networking:
- DNSSEC: public key cryptography
- if user tries to go to a dangerous site, send them to a sinkhole address (different address)
- know if a device may be infected by malware
- also acts as content filtering
- out of band management: separate connector to access network management if something is down
- centralized console router (comm server)
- QoS:
- prioritizing certain things on network
- VOIP should be high priority, need real time data
- IPv6 security:
- difficult to do full port scan
- no need for NAT because many more ports than IPv4
- no more ARP
- new attacks exist: neighbor cache exhaustion - system unable to communicate
- taps:
- disconnect link, put tap in middle, monitor all traffic
- active / passive
- port mirror:
- aka port redirection / SPAN (Switched Port Analyzer)
- software based, built into switch
- same application as tap
- monitoring service:
- experts at SoC (Security Operations Center)
- ongoing security checks
- id threats and remediate
- maintain legal compliance
- FIM (File Integrity Monitoring):
- monitor important OS files
- alerts if changes
- SFC utility for windows | Tripwire for Linux
Firewalls:
- control flow of network traffic
- content filtering
- antimalware
- old firewalls only control traffic based on IP address and port#
- new firewalls control traffic by applications
- can act as VPN endpoint, encrypt traffic
- can act as layer 3 devices
- config for NAT and routing functions
- stateless firewall:
- doesn't keep track of traffic flows, each packet examined individually
- no history for packets
- uses rule base:
- which IPs are allowed to communicate with which other IPs
- has to have a rule for allowing both sides to communicate back and forth
- 2 ACL rules for one comm
- not common anymore
- stateful firewall:
- remember state of session
- everything within valid flow is allowed
- one ACL rule for both devices to communicate
- creates a session table
- more secure
- UTM (Unified Threat Management) / all in one security appliance:
- include firewall
- URL filtering, content inspection, malware inspection, spam filtering, CSU/DSU, routing, switching, VPN, etc...
- NGFW (Next Generation FireWall):
- data in every layer of OSI
- better than firewalls or UTMs
- IPS
- more secure
- WAF (Web Application Firewall):
- applies rules for HTTP/HTTPS apps
- can recognize SQL injection, XSS, etc and block
- PCI DSS requires WAF to be in place --> online purchases
- ACL (Access Control List):
- firewall list of allowed/blocked tupples
- tupples can be IP, app, port#, etc...
- top to bottom aproach: check from first thing and see if any rules in ACL
- if nothing matches, there is an implicit deny
- default not allowed
- open source firewall:
- IP and port number allow/block
- proprietary firewall:
- allow/block based on more advanced things
- hardware and software firewalls
- appliance, host based, virtual firewalls
Network Access Control:
- edge: control at edge of network, managed by firewall rules, hardly changes
- access control: control from anywhere, change rules anytime
- posture assessment/health checks: how secure to be
- BYOD concerns
- persistent agents: permanently installed on system
- periodic updates
- dissolvable agents: no installation required, runs during posture assessment, self terminates
- agentless NAC: integrated in Active Directory
- checks made during login and logoff
- can't be scheduled
- quarantine network: if your device doesn't meet requirements, it's put here and you can update it to meet them
Proxy Servers:
- caching
- URL filtering
- explicit: configure manually with IP
- transparent/invisible: end user has no idea a proxy is being used
- NAT is the simplest proxy
- forward proxy/internal proxy: used by internal users
- internally blocks anyone connecting to bad sites
- reverse proxy: exact opposite of forward proxy
- external people on internet access proxy to query web server, can be blocked
- open proxy: third party uncontrolled proxy
- used to circumvent existing security controls
- can be malicious
Intrusion Prevention:
- NIDS (Network based Intrusion Detection System)
- NIPS (Network based Intrusion Prevention System)
- more common, can do much more
- passive monitoring: examine a copy of the traffic
- use a port mirror, SPAN, network tap
- no way to prevent traffic
- IPS provides this
- out of band response:
- when malicious traffic is IDd, IPS sends TCP RST reset frames after the fact
- UDP can't disconnect
- in band response (inline monitoring):
- IPS checks before going to client
- methods:
- signature based: checking signatures for malware
- anomaly based: build baseline of normal traffic
- behavior based: observe requests, ID SQL injection
- heuristic based: big data
Other Network Appliances:
- Jump server: access internal devices through private connection inside
- can use SSH/VPN to access
- allows to access other servers on system
- HSM (Hardware Security Module):
- used in large environments
- clusters, redundant power
- high end cryptographic hardware
- key backups
- sensors and collectors:
- takes info from logs of firewall, authentication, etc...
- built in or separate device
Wireless Cryptography:
- WPA2:
- CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) or CBC-MAC
- AES: encryption
- CBC-MAC: MIC (Message Integrity Check)
- attacker can capture hash for PSK (Pre Shared Keys)
- WPA3:
- GCMP (Galois Counter Mode Protocol):
- AES: encryption
- GMAC (Galois MAC): MIC
- SAE (Simultaneous Authentication of Equals):
- shared session key, no more handshake
- perfect forward secrecy: key is thrown away after every session
- Diffie-Helman derived key with added auth component
- everyone uses a different key but same PSK
- AKA Dragonfly handshake
Wireless Authentication Methods:
- PSK (giving everyone same password)
- 802.1X (everyone has different credentials)
- WPA3 enterprise (802.1X): uses RADIUS, TACACS or LDAP to centralize everyone's username and password
- captive portal:
- library login, ask for uname/pswrd or just agree to terms
- WPS (Wifi Protected Setup):
- PIN to connect
- press button on WAP
- use NFC to connect
- 10M possible combinations for 8 digit pin, easy to crack
- only 11,0000 combinations
Wireless Authentication Protocols:
- EAP (Extensible Authentication Protocol):
- used in conjunction with 802.1X
- prevents network until authentication
- 802.1X:
- AKA: port based NAC (Network Access Control)
- must authenticate for wired or wireless
- 3 devices to authentication:
- supplicant: client
- authenticator: router
- authentication server
- EAP-FAST (Flexible Authentication Secure Tunneling):
- supplicant receives PAC (Protected Access Credential) --> shared secret
- supplicant and AS (Authentication Server) mutually authenticate and negotiate TLS (Trasport Layer Security) tunnel
- use RADIUS
- PEAP (Protected Extensible Authentication Protocol)
- created by Cisco, Microsoft, RSA security
- encapsulates EAP in a TLS tunnel
- AS uses digital certificate instead of PAC
- client doesn't use certificate
- MSCHAPv2 (Microsoft MS CHAP v2)
- GTC (Generic Token Card): hardware token card
- EAP-TLS: requires digital certificates on AS and all other devices
- PKI (Public Key Infrastructure):
- required for managing and deploying every device's certificates
- older devices may not support
- EAP-TTLS: requires only ONE single digital certificate on AS
- uses TLS tunnel
- can use any encryption protocol over this (PEAP, MSCHAP, etc...)
- RADIUS federation:
- use RADIUS with federation
- federation: members of one organization can authenticate to another organization with their same credentials
- use 802.1X as auth method w RADIUS backend and EAP to auth
- eduroam: used for university campuses
Installing Wireless Networks:
- site surveys: see where least interference is and optimal performance
- heat maps show this
- tools to see interfeerence, signal coverage, spectrum analyzer
- wireless packet analyzer: can't send anything for it to hear everything
- packets, noise ratio, channels, etc..
- wireshark
- overlapping channels:
- 2.4 GHz only has 3 channels that don't interfere with each other: 1, 6, 11
- 5 GHz has waaaay more
- location should maximize coverage, avoid interference with devices
- wireless infrastructure security:
- wireless controller: centralized management of WAPs
- manage config and performance
Mobile Networks:
- point to point: wifi repeaters
- point to multipoint: most common, can connect phone to computer through router. router connected to multiple things
- cell networks: land separated into cells
- traffic monitoring, location tracking, etc... security concern
- wifi: on path attacks, DOS
- bluetooth: PAN
- RFID: radar, usually externally powered
- NFC: built on RFID, speed up bluetooth paring
- can capture info or jam freq, or replay attack (man in middle)
- IR: infrared
- can transfer files with this
- no security
- USB
- GPS: need 4 satellites minimum, 30 in orbit
Mobile Device Management:
- MDM for BYOD
- control everything about device
- look at A+ notes for more info
- MCM (Mobile Content Management):
- secure access to data, protect from outsiders
- file sharing and viewing
- DLP (Data Loss Prevention): prevent copy paste info
- ensure encryption on device
- configured on MDM
- geofencing: enable/disable features depending on location
- disable cameras in your building
- context aware authentication:
- combine multiple things
- where you normally login, location, paired devices, etc
- containerization:
- splitting device into 2 --> company info and personal info separate
Mobile Device Security:
- HSM: MicroSD HSM can be inserted
- UEM (Unified Endpoint Management):
- manage security accross all devices
- evolution of MDM
- MAM (Mobile Application Management):
- which apps you can use and how
- MDM can delete apps, etc...
- SE Android (Security Enhanced):
- derived from SE Linux
- support access control
- NSA created SE Linux and SE Android
- SE Android is default now on devices
- prevents access to daemons
- changed from DAC (Discressionary Access Control) to MAC (Mandaroty Access Control)
- limit access and makes sandboxes between apps
- centralized policy config
Mobile Device Enforcement:
- rooting/jailbreaking:
- install custom firmware, new OSs too
- Sideloading: allows installing apps from outside app store
- Android can sideload normally but not iOS
- carrier unlocking:
- most phones locked to carrier
- keep you in contract
- firmware OTA updates
- USB OTG (Om The Go):
- connect 2 devices directly together with USB
- plug in laptop to phone and transfer files
- geotagging:
- tagging where you are when you do certain things
- wifi direct / ad hoc:
- 2 devices communicate directly to eachother without an AP
- ad hoc mode
- wifi direct is enhanced ad hoc mode, easier to setup
- less security
Mobile Deployment Models:
- BYOD:
- you buy device, use personally and for work
- COPE (Corporate Owned, Personally Enabled):
- company buys device but you can use peronally too
- CYOD (Choose Your Own Device):
- company buys device of your choosing
- corporate owned deployment:
- personal phone you buy AND company phone separate
- VDI/VMI (Virtual Desktop Infrastructure/Virtual Mobile Infrastructure):
- apps and data stored separately on cloud/centralized server
- like remote desktop
Cloud Security Control:
- AZ (Availability Zones):
- isolated locations with separate systems
- HA (High Availability)
- load balancers direct traffic to AZs
- IAM (Identity and Access Management):
- resource policies
- who gets access to what cloud resources
- configure groups of users
- secret management:
- manage secret keys, passwords, etc...
- separate server for this
- audit trail
- integration and auditing:
- SIEM (Security Information and Event Management) system
- cloud based consolidation of logs and reports
- create audits
Securing Cloud Storage:
- limit who can access what info on a cloud (private info stored on public cloud)
- assign permissions
- IAM (Identity Access Management):
- permissions to people
- bucket policies: groups
- global blocking public access
- encryption is important
- server side encryption
- client side encryption: data already encrypted before sent to cloud
- data replication: availability and recovery and analysis
Securing Cloud Networks:
- virtual networks in cloud: virtual switches, etc...
- rapid elasticity
- private cloud: VPN to access
- public cloud
- hybrid cloud
- segmentation: cloud has different containers that run different things
- supplement with WAF, NGFW, IPS for more security
- microservice architecture:
- uses API gateway calls to access specific services on specific databases
- API monitoring for security
Securing Compute Clouds:
- IaaS component for cloud computing environment:
- Amazon Elastic Compute Cloud (EC2)
- Google Compute Engine (GCE)
- Microsoft Azure Virtual Machines
- managed by VMs or containers
- security groups:
- firewall for compute instances
- layer 4 port number tcp/udp
- layer 3 address (CIDR), individual addresses
- dynamic resource allocation: auto increase/decrease resources
- aka: rapid elasticity
- requires monitoring to determine how many resources required
- instance awareness:
- granular security controls:
- each instance can be managed completely
- certain info can be blocked from being stored
- VPC (Virtual Private Cloud) endpoints:
- allow private cloud subnets to comm with other cloud services
- keep private resources private
- internet not required
- container security:
- instead of using a whole new VM, less resources
- use OS built for containerization: QubesOS
Cloud Security Solutions:
- CASB (Cloud Access Security Broker):
- can be client software, local security appliances or cloud based
- 4 characteristics:
1) Visibility:
- determine which apps are in use and who is allowed to use
2) Compliance: enforce HIPPA, PCIDSS, etc..
3) Thread prevention: allow access by authorized users, prevent attacks
4) data security: ensure all data transfers are encrypted or implementing DLP
- app security:
- apps must be configured securly
- authorization and access
- API security
- SWG (NextGen Secure Web Gateway):
- protect users and devices regardless of location
- examine API calls
- examine JSON strings
- firewalls in cloud
- virutal firewall
- can create for each VM or service, etc...
- third party cloud security providers
Identity Controls:
- IdP (Identity Provider):
- AaaS (Authentication as a Service)
- thrid party providing authentication
- list of users and devices
- SSO applications use this commonly
- SAML, OAuth, OpenID
- attributes: name, employer, etc...
- certificates: assinged to specific user or device
- requires PKI, includes CA
- tokens and cards
- SSH keys
- ssh-keygen: create public/private key pair
- ssh-copy-id user@host: copy public key to SSH server
- ssh user@host: login with no password prompt
- this uses public key to confirm your private key
Account Types:
- user acounts:
- username, id number
- files on user account not visible by other users
- no privileged acces to OS
- even admins should use user account when not needing higher privileges
- shared and generic account:
- guest login, anonymous login
- can't know who does what --> bad for audit trail
- password management difficult, if changed, how to inform everyone
- don't use shared accounts
- guest account:
- limited access,
- attacker can run privilege escallation
- no longer default on
- service account:
- used only by background services running on computer
- different services have different accounts
- privileged accounts:
- administrator --> windows
- root --> Linux
- complete access to OS
- only use when required
- strong passwords, MFA, frequent password changes
Account Policies:
- username/password policies
- password complexity and length
- increase entropy
- 8 characters minimum
- prevent password reuse
- account lockout and disable if too many attempts
- disable account if user leaves job
- authentication policies
- location based: IP subnet on network
- geoloaction
- geofencing
- geotagging
- time based
- audits scheduled & log analysis
- permissions being used
- usage auditing
Authentication Management:
- password key: YubiKey
- MFA, doesn't replace normal authentication
- password vault: password manager
- TPM: cryptographic processor to create more random numbers, etc.
- HSM: high end cryptographic hardware
- redundancy important in company
- KBA (Knowledge Based Authentication):
- use personal knowledge as authentication factor (something you know)
- static KBA: preconfigured shared secrets
- often used with account recovery
- ex: name of your first dog
- dynamic KBA: questions based on identity verification service
- uses information about you to make a question
PAP & CHAP
- methods for a VPN concentrator to communicate with AAA server for allowing user access to network
- PAP (Password Authentication Protocol):
- basic authentication method
- sends all info in the clear: including password
- NO ENCRYPTION
- application CAN encrypt password before sending through PAP but not the best
- CHAP (Challenge Handshake Authentication Protocol):
- encrypted challenge sent over network
- 3 way handshake
- after link established, server sends challenge message, client responds with password hash calculated from challenge and password, server compares received hash with stored hash.
- can occur periodically while session is active
- never sending the actual password, only hash of password and challenge
- MS-CHAP (Microsoft CHAP):
- NOT SECURE: easy to brute force
- used commonly with PPTP (Point To Point Protocol)
- MS-CHAP v2 is recent
- better to use L2TP, IPsec, 802.1X, etc...
Identity and Access Services:
- RADIUS (Remote Authentication Dial-in User Service):
- centralize authentication for users
- VPN concentrators, 802.1X, server auth, routers, switches
- RADIUS runs on all OSs
- TACACS (Terminal Access Controller Access Control System):
- remote authentication protocol
- originally dial-in
- Cisco created
- XTACACS (eXtended):
- updated
- TACACS+:
- most recent
- not backwards compatible
- more auth request and response codes
- open standard
- Kerberos:
- network authentication protocol
- authenticate once (SSO), trusted by system
- cryptographic tickets
- save time logging in
- only works with Kerberos
- smart cards, SAML, etc. also provide SSO
- mutual authentication (client and server auth each other)
- protect against on path or replay attacks
- created by MIT in 80s
- Microsoft incorporated into Windows
- open standard
- use RADIUS if VPN concentrator can only comm with server via RADIUS, use TACACS+ for Cisco devices, use Kerberos for Microsoft network
- NAC (Network Access Control):
- AKA 802.1X
- port based network access control
- don't get access until you authenticate
- EAP integrates with 802.1X
- used in conjunction with RADIUS, TACACS+, LDAP, etc...
Federated Identities:
- federation: using 3rd party (ex: facebook) to sign into another website
- SAML (Security Assertion Markup Language):
- open standard for authentication and authorization
- allows federation
- not designed for mobile apps
- client accesses app, app server requests SAML auth, client sends this request to auth server, auth server provides token, client sends token to app server.
- OAuth (Open Auth):
- created by google, twitter, etc...
- NOT an authentication protocol
- uses OpenID Connect for SSO authentication
- OAuth provides auth BETWEEN applications
- when one app needs to communicate with another app
- ex: dropbox needs access to google drive
Access Control:
- Authorization:
- which services does a user have access to
- policy enforcement from policy definition
- MAC (Mandatory Access Control):
- every object gets a label/classification
- ex: secret, top secret, confidential, etc...
- users can only access what they have been classed to
- DAC (Discressionary Access Control):
- user creates object and user decides who has access
- can change what they can do (read, write, execute)
- weak security in big organizations
- RBAC (Role Based Access Control):
- access based on the role of the employee
- admin controls this
- Windows Groups provides RBAC
- ABAC (Attribute Based Access Control):
- many parameters
- IP address, location, desired action, relationship to data
- "next generation" authorization model
- Rule based access control:
- admin sets who can access what and when and how
- rules on files, networks, etc...
- file system security:
- store files and access them
- part of most OSs
- Group/user rights and permissions
- Group policy in Windows
- NTFS in Windows can encrypt and decrypt
- conditional access:
- conditions: employee, what access, MFA, limited access
- admin can decide
- PAM (Privileged Access Management):
- managing superuser/admin/root access
- admins don't have full access until granted by digital vault
- privileges are time limited
- enables automation, manage access, tracking and auditing, centralized password management
PKI (Public Key Infrastructure):
- creating certificates & keys and associating them with users/devices
- creates foundation of trust
- Digital certificate process, create certs, distribute, revoke, store, manage, etc...
- policies, procedures, hardware, software, people
- key management lifecycle:
- key generation
- certificate generation
- distribution
- storage
- revocation
- expiration
- public key certificates:
- public key combined with digital certificate
- adds trust
- certificate authority (CA) generated the certificate
- web of trust is alternative: users vouch for eachother and digitally sign their certificates
- Windows Domain services, 3rd party Linux options
- browser maintains list of trusted certificate authorities
- CAs allow us to purchase a certificate from them
- building key pair, send public key to CA to be signed
- CSR (Certificate Signing Request) occurs
- CN (Common Name):
- FQDN (Fully Qualified Domain Name) associated with cert
- if site's certificate doesn't match CN, warning message "your connection is not private"
- can have multiple alternative CNs for one site
- max 13 month before renewal of certificate
- badssl.com shows examples
- private certificate authorities:
- your devices must trust the internal CA
- become your own CA
- free
- needed for med-large organizations that need web servers signed
- Windows Certificate Services, OpenCA
- PKI trust relationship:
- Single CA: everyone receives their certificates from one CA
- Hierarchical: single CA issues certs to intermediate CAs
- intermediate CA can send further down to Leaf CAs
- Leaf CAs send certs to users
- distributes certificate mangement load
- easier to deal with intermediary than root CA
- Mesh: cross certifying CAs
- every CA certifies every other CA
- doesn't scale well
- web of trust:
- alternative to PKI
- everyone verifies certs of people they know
- if you know someone who knows what you're accessing, trusted
- mutual authentication:
- server auths to client and vica-versa
- RA (Registratino Authority):
- entity requesting certificate needs to be verified by RA
- RA IDs and auths requester
- foundation of the trust
- can revoke
- manage renewal and re-key requests
- Key revocation:
- CRL (Certificate Revocation List):
- maintained by CA
- single large file with all revoked certificates
- could be due to compromise on site, changing settings, etc...
- OCSP (Online Certificate Status Protocol):
- automates checking certificates in browser
- if they are revoked, etc...
- messages sent to OCSP responder via HTTP managed by CA
- check the single certificate necessary
- old browsers don't support, some new don't do it even though they can
- for this reason, use multiple methods for checking validity of certificates
- click the Lock in SSL view to see certificates for any website!
Certificate Uses:
- web server SSL certificates:
- DV (Domain Validation) certificates:
- lock in the browser bar
- owner of certificate has control over DNS domain
- EV (Extended Calidation) certificates:
- additional features
- shows name of certificate owner in green in browser bar
- SSL is expected so not used much anymore
- SAN (Subject Alternative Name):
- lists additional id info
- allows single certificate to support many domains
- wildcard: *.professormessor.com
- www., ftp., etc...
- code signing:
- developer of program signs software
- can validate signature
- root certificate:
- foundation of PKI
- signed before intermediary or Leaf CA
- very important for security
- self-signed certificates:
- build your own certificates
- machine and computer certificates:
- deploy certificates for network to id devices connecting
- management software to validate
- email certificates:
- public key cryptography
- encrypt emails
- receive encrypted emails using private key to decrypt
- digitally sign email with your private key
- non-repudiation, integrity
- user certificates:
- integrated into smart cards, ID cards, etc...
Certificate Formats:
- X.509 standard for digital certificates
- defines structure of certificates, format of cert file can be different
- different file formats possible
- DER (Distinguished Encoding rules):
- binary format (non readable)
- designed to transfer syntax for data structures
- PEM (Privacy Enhanced Email):
- DER in ASCII format to transfer over email
- generally used by CAs
- PKCS #12 (Public Key Cryptography Exchange Syntax Standard):
- sending multiple certs at once
- container format
- .p12 or .pfx file
- can be password protected
- transferring key pairs is common this way
- extended from Microsoft's .pfx format (Personal Information Exchange)
- similar but not same as PKCS #12 .pfx
- CER (Certificate):
- certificate format
- used on Windows X.509 file extension
- can be binary DER or ASCII PEM format
- usually contains public key
- can send private key with .pfx file format
- .cer
- PKCS #7:
- .p7b file
- ASCII format
- private keys not included
- supported in Windows, etc...
Certificate Concepts:
- offline CAs:
- root CA should be offline to limit access from internet
- online CAs:
- intermediate/Leaf CAs
- OCSP stapling (Online Certificate Status Protocol):
- check if certs have been revoked
- staping puts the OCSP status in the SSL/TLS handshake that occurs
- faster than checking with CA after the fact
- Pinning:
- put certificate inside app you're using (compile it in)
- application will compare internal certificate to cert in server
- key escrow:
- 3rd party holds your decryption keys
- asking 3rd party for access instead
- need process and procedures:
- security, trust, circumstances for access
- certificate chaining:
- chain of trust: ensure intermediary/leaf CAs are in fact related to root CA
- list all CAs from one you access (SSL cert) back to root CA
- chain cert: any intermediate certs between you and root CA cert
Reconnaissance Tools Part 1:
- tracert (Windows), traceroute (Unix, Linux, MacOS):
- takes advantage of ICMP TTL error messages
- time in TTL refers to hops, not time
- some routers/firewalls block these ICMP messages, could be gaps
- running in Windows doesn't work as well
- uses ICMP echo requests
- different OSs do traceroute differently
- nslookup:
- all OSs but being deprecated
- dig (Domain Info Groper):
- replaces nslookup
- can install on Windows
- more advanced domain info
- ipconfig (Windows), ifconfig (Unix, Linux, MacOS):
- most troubleshooting starts with this
- ping local router/gateway
- adapter info, IP details
- ping:
- test reachability
- determine round trip time
- uses ICMP
- pathping (Windows):
- combine tracert & ping
- netstat:
- netstat -a: show all active connections
- netstat -b: Windows, show binaries
- netstat -n:do not resolve names (only IPs)
- ARP (Address Resolution Protocol):
- apr -a: see MAC addresses of devices connected
- can ping devices on network and then use arp to get their MAC
- shows IPs and MACs for router and all other devices connected
- route:
- list all IPv4 & IPv6 routes; find out which way packets will go
- Windows: route print
- Linux/MacOS: netstat -r
Reconnaissance Tools Part 2:
- curl (Client URL - Uniform Resource Locator):
- retreive HTML of any site, grab raw data
- ip scanners:
- scanning inside local subnet
- can use ARP to scan local subnet
- scanning outside local subnet:
- can use ICMP requests (ping) to
- can use TCP ACK
- can use ICMP timestamp requests
- use Nmap & hping for more info on these IPs
- hping:
- hping3
- hping3 --scan 80-443 -S 10.1.10.1 -V
- scan ports 80-443 on device 10.1.10.1 with Verbose
- which ports are open on a device, send almost anything
- can send crafted frames
- can cause DOS, only use on devices you are allowed!
- Nmap:
- network mapper: find and learn more about network devices
- port scan: find devices and ID open ports
- OS scan: discover OS of devices on network
- service scan: which services are running on devices
- NSE (Nmap Scripting Engine): vulnerability scans, extended abilities
- theHarvester:
- terminal app for gathering OSINT (Open Source Intelligence)
- scrape info from google, bing, linkedin, etc...
- DNS brute force
- sn1per:
- combine many recon tools
- non intrusive and intrusive
- scanless:
- run port scans from a different host
- port scan proxy
- remain annonymous
- ex: scanless -t scanme.nmap.org -s spiderip
- scans the nmap site as if coming from spiderip
- dnsenum:
- enumerate DNS information
- find host names & view info
- performs brute force to see if there are any subdomains
- testing with dictionary to see if any subdomains match
- Nessus:
- vulnerability scanner
- free and commercial options
- ID known vulnerabilities
- extensive reporting
- Cuckoo:
- sandbox for malware
- testing apps before actually deploying them
- scans API calls, network traffic, memory analysis, screenshots
- works on all OSs
File Manipulation Tools:
- cat:
- view contents of file OR link multiple files together
- cat file1.txt file2.txt > both.txt | more
- | more: see one page at a time
- head: see top part of file
- hean -n 5 file.txt: show first 5 lines of file
- tail: see bottom of file
- same options as head
- grep: find any text in a file
- grep poop text.txt
- chmod: change mode/permissions of file (read, write, execute)
- user, group, other
- read, write, execute
- ex: chmod 744 = user has read, write, execute | group has read only | other has read only
- see A+ notes for more info on changing permissions
- logger: add details to system logs (syslog)
- logger "this info is added to syslog"
Shell and Script Environments:
- OpenSSL: toolkit and crypto library for SSL/TLS
- create X.509 certificates, encrypt/decrypt SSL/TLS
Packet Tools:
- Wireshark:
- graphical packet analyzer, gathers frames on network OTA, view traffic patterns
- tcpdump:
- same function as wireshark but NON graphical
- tcpreplay:
- replay and edit packet captures
- test security, check signatures and firewall rules
Forensic Tools:
- dd: create bit by bit copy of a drive or directory
- create image file: dd if=/dev/sda of=/tmp/sda-image.img
- restore from an image: swap if and of fileds
- memdump: send all info in memory to a file
- WinHex: universal hexidecimal editor for Windows
- edit disks, files, RAM, disk cloning, secure wipe
- FTK imager:
- Windows
- mount drives, read encrypted drives, save files to other formats
- autopsy:
- view and recover data from storage device
- extract different data types: downloads, browser history, email, etc...
- * buy used hard drive, use this to see any info not deleted, could be company data. can message the company.
- exploitation framework:
- prebuilt toolkit for exploitations
- build custom attacks, add more tools
- ex: metasploit, SET (Social Engineering Toolkit)
- password crackers:
- online cracking, offline cracking with hashes
- lots of resources
- data sanitization:
- completely removing data but still usable
- one way trip
Incident Response Process:
- IT management, compliance officers, technical staff, user community
- NIST SP800-61 (special publication 800-61 revision 2)
- computer security incident handling guide
- steps:
- preparation
- communication methods
- hardware/software
- analysis record (hashed)
- incident mitigation software (clean OS)
- policies and procedures
- detection and analysis
- web server log
- exploit anouncement
- direct threats
- buffer overflow attempt
- antivirus alert
- configuration changes
- network traffic flow deviations
- containment, eradication, recovery
- sandboxing
- some malware runs differently in sandbox if recognized
- remove malware, fix vulnerabilities, recover system from backups
- patches, change network design
- post incident activity
- meeting, as soon as possible
- documentation: what happened, how resolved, what different next time, which indicators next time
Incident Response Planning:
- testing systems before an incident occurs
- scheduled security event exercise
- tabletop exercise: talk through a scenario and solve it without actually creating it
- walkthrough: everyone steps through an incident that was planned
- simulation: send phishing emails to own employees so that you can educate them
- stakeholder management: include them in case of incidents
- communication plan: contact list up to date, internal and external contacts
- disaster recovery plan: if systems are destroyed
- COOP (Continuity Of Operations Planning):
- manual transactions, paper receipts
- if power goes down, what to do?
- incident response team: determine incident and what to do, can be external to company or a bunch of different people
- retention policies: backups, operational needs, regulatory compliance
Attack Frameworks:
- MITRE ATT&CK Framework:
- how to prevent and protect against attacks
- US non profit
- id point of intrusions, understand methods, id security techniques
- attack.mitre.org
- Diamond model of intrusion analysis:
- understand relationships between problems
- apps.dtic.mil/docs/citations/ADA586960
- apply scientific principles to intrusion analysis
- measurement, testability, repeatability
- adversary, infrastructure, victim, capability
- uses, develops, exploits, connects to
- Cyber Kill Chain:
- 7 phases of cyber attack:
1) reconnaisance
2) weaponization
3) delivery
4) exploit
5) installation
6) command & control
7) actions on objectives
Vulnerability Scan Output:
- nessus: common vulnerability scan tool
- nvd.nist.gov --> cross reference
- tells you security risks
- can receive false positives, must research
- false negatives are hard to identify, don't get identified
- have latest signatures for scanner to reduce false positives/negatives
SIEM (Security Information Event Management) Dashboards:
- device that logs security events and information
- create security alers
- data correlation
- forensic analysis
- sensors and logs can be stored in SIEM database
- can categorize data: warning, urgent, etc...
- can parse data and alert, id trends, correlate
- can see failed password attempts, etc...
Log Files:
- network log files: switches, routers, VPN concentrators keep logs
- system log files: apps, security, setup
- application log files:
- Windows: event viewer / application log
- Linux/MacOS: /var/log
- can see all and parse in SIEM regardless of OS
- security log files: blocked traffic, DNS sinkhole traffic, exploit attempts
- created mainly by IPS, firewall, proxy
- web log files:
- errors, exploit attempts, server activity
- DNS log files:
- id query to bad sites
- authentication log files:
- who was denied and accessed, id brute force attacks
- Dump Files:
- memory dump, store everything in memory into a file
- windows task manager: right click app, click "create dump file"
- VoIP and call manager logs:
- view inbound and outbound call info
- audit trail, authentications, SIP traffic logs
Log Management:
- Syslog:
- standard for message logging
- SIEM central logging receiver
- syslog daemon options:
- Rsyslog (Rocket fast)
- syslog-ng (popular, has filtering and storage options)
- NXlog: collect from many diverse log types and devices
- Journalctl:
- Linux system logs stored in binary
- can't read as plaintext
- journalctl allows you to search and read the plaintext of these files
- bandwidth monitors: can use SNMP, NetFlow, sFlow, etc...
- metadata: data that describes other data
- gps location of picture, time and date of file saving
- email header with who sent, IPs, etc...
- NetFlow:
- standard collection method
- separates probe from collector
- IPFIX:
- updated NetFlow, flexible data support
- sFlow:
- look at only portion of netwok traffic
- easier to manage
- switches and routers sometimes come with sFlow already installed
- protocol analyzer output:
- gathers packets on network OTA, view detailed info, etc...
Endpoint Security Configuration:
- endpoint: desktop PC, laptop, phones, etc...
- app approve/deny list from IT security team
- use certificates, paths, app hash, etc... to determine which apps are okay
Security Configurations:
- firewall rules: manage app flows, block apps
- MDM
- DLP: Data Loss Prevention of PII
- URL filters
- certificates
- isolation: isolate apps/devices that aren't updated
- containment: app containment - every app running in its own sandbox, like android
- auto change permissions if someone is infected
- segmentation: separate internal network
- DMZ/screened subnets
- SOAR (Security Orchestration, Automation, Response):
- runbook: describes how to do things
- ex: step by step checklist of how to perform password reset
-playbook: conditional steps to follow to solve something
- runbook entries consollodated into more general things
Digital Forensics:
- collecting and protecting info related to security event
- RFC 3227: guidelines for evidence collection and archiving
- legal hold: data required to be stored
- separate repository for ESI (Ellectronically Stored Information)
- indefinite hold or temporary
- capture video/screen
- admissibility: some info may not be admissible in court of law depending how gathered/stored
- chain of custody: document who comes in contact or uses data, use hashes to verify nothing changed
- recording time offsets
- FAT: stores time in local time
- NTFS stores time in GMT
- event logs: copy/export
- interviews
- reports: what happened, how data collected, conclusions
Forensics Data Acquisition:
- order of volatility:
- collect and store most volatile data first (data that may be temporary)
- Most to least volatile:
- CPU registers/cache, router table/ARP cache/memory, temp files, disk, remote logging/monitoring, physical, archive
- disk:
- prepare drive to be imaged
- forensic clone: bit by bit copy
- memory:
- memory dump
- swap/pagefile:
- area of storage device used as if it were RAM
- OS files:
- logged in users, open ports, etc...
- files, libraries, etc...
- mobile device:
- capture data over USB
- firmware:
- modems/routers firmware hacks
- snapshot:
- usually VM's saving state, complete image of system
- cache:
- temp storage for speed
- specialized data
- browser caches & CPU caches
- network:
- packet data
- rewind back in time to see
- artifacts:
- digital items left behind
- every file leaves a trace
- found in log info, flash memory, recycle bin, browser bookmarks
On-Premises vs Cloud Forensics:
- right to audit clauses:
- how data is shared, how outsourcing is implemented, security?
- part of contract for using the cloud service
- data breach notification laws
- regulatory accessing data laws
Managing Evidence:
- integrity: ensuring data is not tampered with
- hashing: crypographically verify integrity
- digital fingerprint
- checksums: protects against accidental changes during transmission
- simple integrity check
- provenance: documentation of authenticity, where data came from
- chain of custody for data handling
- blockchain technology
- preservation:
- create copy of data and work on copy
- E-discovery: gathering data required by legal authorities
- obtain storage drives, etc...
- data recovery:
- deleted, files, hidden files, corruption, physical damage
- non-repudiation: verify who sent data
- MAC (Message Authentication Code): used for non-repudiation
- 2 parties involved (sender/receiver) can verify non-repudiation
- digital signature: non-repudiation can be publically verified
- strategic intelligence:
- gather info with OSINT
- CI Strategic (Counter Intelligence):
- prevent hostile intelligence operations
- gather intelligence on attacker
Security Controls:
- prevent security events, limit impact of events, limit damage from events
- managerial controls:
- policies, SOPs
- operational controls:
- security guards, awareness programs
- technical controls:
- firewalls, antivirus
- control types:
- preventive: prevent access to area (physical or network)
- IDS, motion detector, etc...
- corrective: block attack
- IPS, restore from good backup
- compensating: restores using other means
- re-image or restore from backup
- generator for power failure
- fences/locks
Security Regulations and Standards:
- GDPR (General Data Protection Regulation):
- EU regulation
- individuals have control over personal data, can delete accounts and data off servers
- detailed privacy policies for sites
- PCI DSS (Payment Card Industry Data Security Standard):
- 6 control objectives:
1) build and maintain secure network and systems
2) protect cardholder data
3) maintain vulnerability management program
4) implement strong access control measures
5) regularly monitor and test networks
6) maintain informaiton security policy
Security Frameworks:
- every company uses different frameworks
- CIS CSC (Center for Internet Security Critical Security Controls for Cyber Defense)
- improve cyber defense in 20 areas
- written by technologists
- NIST RMF (National Institute of Standards and Technology Risk Management Framework)
- mandatory for USA federal agencies
- 6 step process:
1) categorize: define environment
2) Select: pick appropriate controls
3) implement: define proper implementation
4) assess: determine if controls are working
5) authorize: make a decision to authorize a system
6) monitor: check for ongoing compliance
- NIST CSF (Cybersecurity Framework): used for commercial environment
- framework core: identify, protect, detect, respond, recover
- framework implementation tiers: company view of security risk and process to manage risk
- framework profile: alignment of standards, guidelines, practices to framework core
- ISO/IEC (International Organization for Standardization / International Electronical Commission):
- ISO/IEC 27001: standard for ISMS (Info Security Management Systems)
- ISO/IEC 27002: standard for info security controls
- ISO/IEC 27701: standard for PIMS (Privacy Info Management Systems)
- ISO 31000: international standards for risk management practices
- SSAE SOC 2 Type I/II (Statement on Standards for Attestation Engagements):
- comes from AICPA (American Institute of Crtified Public Accountants) auditing standard
- SSAE 18
- SOC 2: audits for IDS, IPS, firewalls, MFA
- Type I: test controls in place at particular point in time
- Type II: test controls over a period of at least 6 consecutive months
- CSA (Cloud Security Alliance):
- CCM (Cloud Controls Matrix): cloud specific security controls
- enterprise architecture
Secure Configurations:
- use guides to harden things
- default config of anything isn't secure
- web server hardening:
- data leakage
- permissions
- SSL
- log files
- OS hardening:
- updates
- minimum password length and complexity
- network access
- monitor for malware
- application server hardening:
- usually run in web server
- middleware
- dissable all unnecessary services
- updates
- file permissions
- network infrastructure hardening:
- change default password
- updates
- config authentication
Personnel Security:
- AUP (Acceptable Use Policy):
- how all technology in company ought to be used by employees
- business policies:
- job rotation: keep people moving between responsibilities
- no one person maintains control for long
- mandatory vacations: rotate others through the job
- important in high security environment
- separation of duties:
- split knowledge: no one person has all details of things
- dual control: 2 people with their own keys to open a safe for example
- clean desk: when you leave, nothing left on desk
- least privilege
- background cecks:
- credit info, criminal history
- adverse action: if company doesn't hire someone due to background check
- requires them to do a lot of paper work
- can do this with existing employees in some regions
- NDA (Non Disclosure Agreement)
- social media analysis
- on boarding & offboarding: procedures for getting employees set up and disabling when gone
- user training: gamification is common now
- CTF (Capture The Flag): common for red team
- phishing simulation
- CBT (Computer Based Training)
Third Party Risk Management:
- vendors: third parties have to abide by policies set out by company employing them for their services
- supply chain: assess the supply chain, where can be improved
- business partner: monitor any data transferred between two partners, easier to infect now
- common agreements:
- SLA (Service Level Agreement):
- minimum terms for services provided
- uptime, response time agreement
- MOU (Memorandum Of Understanding):
- both sides agree on contents of memorandum
- includes statement of confidentiality
- informal letter of intent, not signed contract
- MSA (Measurement System Analysis):
- used with quality management systems (Six Sigma)
- assess measurement process
- calculate measurement uncertainty
- BPA (Business Partnership Agreement):
- owner stake, financial contract, decision making agreements, contingencies
- NDA (Non Disclosure Agreement):
- trade secrets, business activities, etc...
- unilateral, bilateral, multilateral (one person, both sides agree, multiple sides)
- formal contract, signature required
- EOL (End of Life):
- manufacturer stops selling product
- continue security patches and updates
- EOSL (End of Service Life):
- no more patches or updates
- could be premium fee to continue to receive security patches
Managing Data:
- data governance: processes, policies
- data steward: person responsible for governance process, decides sensitivity level
- data classification:
- public, personal, restricted, etc...
- compliance laws: GDPR for example
- data retention:
- how long and what to retain
- legal requirements: emails may be required to be kept for years
Credential Policies:
- passwords must not be embedded in applications
- hash passwords and use TLS in transit
- personnel accounts: specific person has their own user account
- third party accounts: access cloud platforms, corporate systems,
- no account sharing
- MFA
- device accounts:
- screen lock requirements
- MDM
- device certificates
- geography based checks
- service accounts:
- permissions should be least for each service
- admin/root accounts:
- complete access to OS
- only use when required
- MFA
- change passwords often
Organizational Policies:
- change management:
- often overlooked/ignored
- need clear policies
- change control:
- determine scope
- analyze risk
- create plan
- get end user approval
- present proposal to change control board
- have a backout plan
- document changes
- asset management:
- id and track computing assets
- know who, what and where device is being used
- both hardware and data
- app tracking
- version and security checking
Risk Management Types:
- id assets that have associated risks
- id threats
- determine risk
- assess total risk to organization
- risk assessments:
- external threats:
- hackers, former employees
- internal threats:
- employees and partners
- legacy systems:
- outdated, lack security
- multiparty risk:
- many people affected
- IP (Intellectual Property) theft:
- human error, hacking
- software compliance/licensing:
- use correct amount and correct type of licenses
- risk management strategies:
- acceptance:
- accept potential problems
- use current ways of stopping threats
- risk-avoidance:
- stop participating in high risk activities
- outdated apps
- transference:
- buy cyber security insurance
- mitigation:
- decrease risk level
- invest in security systems
Risk Analysis:
- risk register:
- id risks for a project
- monitor results
- risk heat map / risk matrix:
- visually see risk with color
- how likely and how major are the consequences
- inherent risk:
- risk that exists in absense of controls
- imact + likelihood
- residual risk:
- risk after implementing controls
- inherent risk + control effectiveness
- risk appetite:
- how much risk a company is willing to take
- qualitative risk assesment:
- id risk factors by asking oppinions
- display visually with traffic light grid
- quantitative risk assesment:
- ARO (Annualized Rate of Occurance):
- likelihood per year
- SLE (Single Loss Expectancy):
- monetary loss if single event occurs
- ALE (Annualized Loss Expectancy):
- ARO * SLE
- regulations:
- HIPPA (Health Insurance Portability and Accountability Act)
- GDPR (General Data Protection Regulation) for EU citizens
- disaster types:
- environmental threats
- person made threats: on purpose or by accident
- internal threats
- external threats
Business Impact Analysis:
- RTO (Recovery Time Objective): get back to particular service level when systems down
- RPO (Recovery Point Objective): how much data loss is acceptable? Bring system back online
- MTTR (Mean Time To Repair): predict time to repair
- MTBF (Mean Time Between Failures): predict time between outages
- functional recovery plans:
- contact info for everyone
- technical process for fixing
- recover and test
- removing single points of failure (keep redundancy)
- multiple network devices
- backup power and cloning devices
- multiple locations and people
- DRP (Disaster Recovery Plan):
- detailed plan for resuming operations after disaster
- impact: wellbeing of employees, property, safety, financial, reputation
- mission essential functions: id and figure out how to protect before a disaster
Privacy and Data Breaches:
- information life cycle:
- creation and receipt
- distribution
- use
- maintenance
- disposition
- consequences of data breaches:
- reputation
- stock price
- identity theft
- fines/lawsuits
- stealing IP (Intellectual Property)
- notificaton:
- internal escalation
- external escalation
- public disclosure
- PIA (Privacy Impact Assessment):
- privacy risk needs to be assessed
- fix privacy issues before there's a problem
- notices:
- terms of service (T&C)
- privacy policy/notice: how organization will protect data
Data Classifications:
- proprietary data
- PII (Personally Identifiable Information)
- PHI (Personal Health Information)
- classifications:
- public / unclassified
- private / classified / restricted / internal use only
- sensitive: PII, PHI, IP
- confidential
- critical
Enhancing Privacy:
- tokenization:
- ex: use phone to pay for things. Uses token instead of credit card number
- nobody can use them after
- no hashing, no encryption, just a random token
- data minimization:
- minimal data collection
- HIPPA and GDPR implement this
- only info that's relevant
- data masking:
- data obfuscation
- protects PII
- asterixs replacing numbers on receipts
- anonymization:
- impossible to identify individual data
- hashing, masking
- no way to convert back to original data
- sudonymization:
- replace PII with pseudonyms
- random replacement
- consistent replacement
- used to maintain statistical relationships
- may be reversable
Data Roles and Responsibilities:
- data owner
- data roles:
- data controller
- data processors: work under data controllers
- data custodians/stewards: responsible for security, manage access, ensure compliance with law
- DPO (Data Protection Officer): responsible for organization's data privacy, set policies, etc...