Chapter 1 - Mastering Security Basics Flashcards
Availability
Indicates that data and services are available when needed
Redundancy
Adds duplication to critical systems and provides fault tolerance, so if a critical component has a fault, the redundancy allows the service to continue without interruption.
-Disk redundancies (RAID)
-Server redundancies (virtualization can help)
-Network redundancies (NIC teaming)
-Power redundancies (UPS)
Scalability and elasticity
Both contribute to high availability
Scalability refers to the ability of a system to handle increasing workload or demand by adding resources such as processing power, memory, or storage capacity. It measures how well a system can accommodate growth without sacrificing performance or efficiency.
Elasticity refers to the ability of a system to automatically or dynamically adapt to changing workload or demand by provisioning or releasing resources as needed. It involves scaling resources up or down based on demand in a flexible and automated manner. Often described in regards to cloud computing.
Scalability focuses on the ability of a system to handle growth by adding resources in a proactive manner, whereas elasticity focuses on the dynamic and automated adjustment of resources in response to changing demand.
Resiliency
The ability for systems to heal themselves or recover from faults with minimal downtime.
-Performing and testing full backups
-Backup power sources (UPS, generators)
-NIC teaming
-Redundant disk subsystems
Managerial controls
Managerial controls are primarily administrative in function, typically documented in an organization’s security policy and focus on managing risk.
Two common managerial controls are:
-Risk assessments
-Vulnerability assessments
Operational controls
Help ensure that the day-to-day operations of an organization comply with the security policy. People implement and execute them.
Operational controls include:
-Awareness and training
-Configuration management
Baselines to ensure that systems start in a secure, hardened state.
-Media protection
Physical media like USB flash drives, external and internal drives, and backup tapes
-Physical and environmental protection
Includes physical controls such as cameras, door locks, and environmental controls such as heating and ventilation systems.
Types of Security Controls
Security controls are categorized as managerial (documented in written policies), operational (performed in day-to-day operations), or technical (implemented with technology).
Technical Controls
Technical controls use technology such as hardware, software and firmware to reduce vulnerabilities.
Some examples include:
-Encryption
-Antivirus software
-IDS and IPS
-Firewalls
-Least privilege principle
Physical controls and environmental controls
Include motion detectors and fire suppression systems.
Preventative controls
The primary goal of preventative controls is to prevent security incidents. Some examples include:
-Hardening
-Training
-Security guards
-Change management (help prevent outages from configuration changes)
-Account disablement policy
-IPS
Detective controls
Attempt to detect when vulnerabilities have been exploited, resulting in a security incident. Detective controls discover the event after it has occurred. Examples include:
-Log monitoring
-SIEM systems (detect trends and raise alerts in real time)
-Security audit
-Video surveillance
-IDS
Corrective and recovery controls
Attempt to reverse the impact of an incident or problem after it has occurred.
-Backups and system recovery
-Incident handling process
Physical controls
Any controls you can physically touch:
-Bollards and barricades
-Access control vestibules
-Lighting
-Signs, fences, sensors and more
A single control can fall into multiple control types, i.e., locks are physical, deterrent and preventative.
Deterrent controls
Attempt to discourage a threat: to discourage potential attackers from attacking and employees from violating a security policy.
Deterrent and preventative often overlap
-Security guard
-Cable locks
-Physical locks
Compensating controls
Alternative controls used instead of a primary control, such as requiring employees to use smart cards when authenticating on a system, but allowing new employees to access the network using a TOTP while their smart card gets made.
Response controls
Commonly referred to as incident response controls, these are controls designed to prepare for security incidents and respond to them once they occur; usually started by creating security policies and then training personnel on how to respond to incidents.
Ping
Basic command to test connectivity to remote systems; can verify that a system can resolve valid hostnames to IP addresses, test the NIC, and assess organizational security.
*Checks connectivity by sending Internet Control Message Protocol (ICMP) echo request packets, and remote systems answer with ICMP echo reply packets, which is how you know a system is operational.
-Can be used for domain name resolution
-Can be filtered out by firewalls: admins often configure firewalls to block ICMP traffic or echo requests to prevent DoS attacks. You can use the ping command to check the effectiveness of your IPS or firewall.
Hping
Similar to ping, but can send the pings using TCP, UDP and ICMP; helpful in identifying whether a firewall is blocking ICMP traffic, but only available on Linux-like systems.
ipconfig and ifconfig
ipconfig on Windows
-Shows the TCP/IP configuration information for a Windows system, including items such as the computer’s IP address, subnet mask, default gateway, MAC address and address of a DNS server.
-Shows the configuration info for all NICs on a system, including wired and wireless NICs. Often used by technicians for troubleshooting.
ifconfig on Linux ("interface configuration") has more capabilities than ipconfig.
EXAMPLES:
-ipconfig: provides basic info on the NIC, such as the IP address, subnet mask and default gateway
-ipconfig /all and ifconfig -a
Show a comprehensive listing of TCP/IP configuration info for each NIC, including the MAC address, addresses of assigned DNS servers, and the address of a DHCP server if the system is a DHCP client.
NEED SUDO ON LINUX FOR:
-ifconfig eth0
Shows the configuration of the first Ethernet interface (NIC) on a Linux system. If the system has multiple NICs you can use eth1, eth2, etc., and you can use wlan0 to view information on the first wireless interface.
-ifconfig eth0 promisc
Enables promiscuous mode on the first Ethernet interface, which allows the NIC to process all traffic it receives. Normally a NIC is in non-promiscuous mode and ignores all packets not addressed to it. Disable this with ifconfig eth0 -promisc
-ifconfig eth0 allmulti
Enables multicast mode on the NIC, allowing the NIC to process all multicast traffic received by the NIC.
*Normally a NIC uses a non-promiscuous mode and only processes packets addressed directly to its IP address. You would want to see all traffic on a system if using a protocol analyzer
ip instead of ifconfig
Many Linux distros have deprecated the ifconfig command and recommend using the "ip" command instead, which displays info about and configures network interfaces but doesn't use the same commands or have the same abilities, such as using a promiscuous mode.
sample commands:
-ip link show
Shows the interface along with some details on them
-ip link set eth0 up
Enables a network interface
-ip -s link
Shows statistics on network interfaces
Netstat
Allows you to view statistics for TCP/IP protocols on a system and gives you the ability to view active TCP/IP network connections.
Many attacks establish connections from an infected computer to a remote computer, which you can identify via netstat if you suspect this.
Netstat displays the state of a connection, such as ESTABLISHED, to indicate an active connection.
tracert and traceroute
tracert command lists all the routers between two systems, with each router referred to as a hop, in addition to the RTT (round trip time) for each hop. Used by Windows systems.
Linux systems use traceroute.
Used by network admins to identify faulty routers on the network.
pathping
combines the functions of the ping and tracert commands to locate potential problems between two systems - problems on any hops or problems on any of the segments between two hops.
Arp
command line tool that is related to the Address Resolution Protocol; however “arp” the command and ARP the protocol are not the same thing.
-ARP resolves IP addresses to MAC addresses and stores the result in the ARP cache.
*arp command is used to view and manipulate the ARP cache
LAMP
The LAMP stack is an open source stack used by many organizations hosting web servers. The acronym stands for Linux, Apache, MySQL, and PHP (or Perl or Python).
Linux = OS
Apache = web server application
MySQL = database management system
–>Developers create dynamic webpages with scripting languages such as PHP, Perl or Python.
cat
Command is used to display contents of a file.
Short for concatenate, t
grep
Command used to search for a specific string or pattern of text within a file.
Short for globally search a regular expression and print
EX:
sudo grep "authentication failure" /var/log/auth.log
–> this shows only the entries with the text “authentication failure”
or
sudo cat /var/log/auth.log | grep "authentication failure"
–> this reads the file with cat and then pipes the results to the grep command
head
command that allows you to only see the beginning of a file.
By default it only shows the first 10 lines of a file.
tail
command that allows you to see the end of a file, displaying the last 10 lines by default.
sudo tail -n 15 theodyssey.txt
*the -n switch/operator specifies how many lines to display
logger
command used to add entries to the /var/log/syslog file from the terminal or from scripts and applications.
Sometimes used by admins before performing an operation such as when starting a backup operation:
logger backup started
–> gives you a timestamped entry with the text of “backup started”
journalctl
command that queries the Linux system logging utility (journald) and displays the log entries from several sources. You can't query journald directly because it stores log data in binary format, but journalctl displays the data as text.
*If you enter the command by itself it displays all journal entries which can be extensive, but you can limit the output in various ways:
journalctl --since "1 hour ago"
journalctl --list-boots
chmod
command used to modify permissions on Linux system files or folders (short for “change mode”). Any file can have read, write and execute permissions.
R= can open file and view contents
W= can modify the contents, generally combined with read (2)
X= can launch the file and is used with executable files (1)
1st set of permissions = owner (-u)
2nd = group (-g)
3rd = other, everyone else (-o)
Windows logs
- Security log: functions as a security log, audit log, and access log, and records auditable events such as successes or failures (when actions performed by a user succeed or fail such as a login attempt)
-System log: records events related to the functioning of the OS, such as when it starts, when it shuts down, info on services starting and stopping, drivers loading or failing or any other system components.
-Application log: records events sent to it by applications or programs running on the system, such as warnings, errors and routine messages.
Network logs
Record traffic on the network, and are found on a variety of devices including routers, firewalls, web servers and NIDS/NIPS. You can configure the devices to log all traffic passing through them, all traffic they block, or both. Helpful when troubleshooting connectivity issues.
Web servers typically log requests to the web server for pages:
-host (IP)
-user-identifier (name of user if known)
-authuser (login name of user if logged on)
-date
-request (actual request line sent by client)
-status (HTTP status code returned to client)
-bytes (byte length of reply)
SIEM system
Security Information and Event Management systems provide a centralized solution for collecting, analyzing and managing data from multiple sources, useful in large enterprises with massive amounts of data and activity to monitor. Can be installed on centralized systems or be dedicated hardware and often include:
-log collectors
-data inputs
-log aggregation
-correlation engine
-reports
-packet capture
-user behavior analysis
-sentiment analysis
-security monitoring
-automated triggers
-time synchronization
-event deduplication
-logs/WORM
syslog
the syslog protocol specifies a general log entry format and the details on how to transport log entries.
You can deploy a centralized syslog server to collect syslog entries from a variety of devices in the network similar to how a SIEM server collects log entries.
syslog-ng and rsyslog are two additional open source software utilities used instead of syslogd on Linux-like systems, and they provide additional extensions.
NXLog
another log management tool similar to rsyslog and syslog-ng; however, it supports Windows log formats such as event log entries and can be installed on both Windows and Linux systems. Functions as a log collector and can integrate with most SIEM systems.
Linux logs
common Linux logs are located in the /var/log/ directory. You can view logs in the System Log Viewer on Linux systems or by using the cat command from the terminal.