Chapter 1 - Mastering Security Basics Flashcards

1
Q

Availability

A

Indicates that data and services are available when needed

2
Q

Redundancy

A

Adds duplication to critical systems and provides fault tolerance, so if a critical component has a fault, the redundancy allows the service to continue without interruption.

-Disk redundancies (RAID)
-Server redundancies (virtualization can help)
-Network redundancies (NIC teaming)
-Power redundancies (UPS)

3
Q

Scalability and elasticity

A

Both contribute to high availability

Scalability refers to the ability of a system to handle increasing workload or demand by adding resources such as processing power, memory, or storage capacity. It measures how well a system can accommodate growth without sacrificing performance or efficiency.

Elasticity refers to the ability of a system to automatically or dynamically adapt to changing workload or demand by provisioning or releasing resources as needed. It involves scaling resources up or down based on demand in a flexible and automated manner. Often described in regard to cloud computing.

Scalability focuses on the ability of a system to handle growth by adding resources in a proactive manner, whereas elasticity focuses on the dynamic and automated adjustment of resources in response to changing demand.

4
Q

Resiliency

A

The ability for systems to heal themselves or recover from faults with minimal downtime.

-Performing and testing full backups
-Backup power sources (UPS, generators)
-NIC teaming
-Redundant disk subsystems

5
Q

Managerial controls

A

Managerial controls are primarily administrative in function, typically documented in an organization’s security policy and focus on managing risk.

Two common managerial controls are:
-Risk assessments
-Vulnerability assessments

6
Q

Operational controls

A

Help ensure that the day-to-day operations of an organization comply with the security policy. People implement and execute them.

Operational controls include:
-Awareness and training
-Configuration management
Baselines to ensure that systems start in a secure, hardened state.
-Media protection
Physical media like USB flash drives, external and internal drives, and backup tapes.
-Physical and environmental protection
Includes physical controls such as cameras and door locks, and environmental controls such as heating and ventilation systems.

7
Q

Types of Security Controls

A

Security controls are categorized as managerial (documented in written policies), operational (performed in day-to-day operations), or technical (implemented with technology).

8
Q

Technical Controls

A

Technical controls use technology such as hardware, software and firmware to reduce vulnerabilities.

Some examples include:
-Encryption
-Antivirus software
-IDS and IPS
-Firewalls
-Least privilege principle

9
Q

Physical controls and environmental controls

A

Include motion detectors and fire suppression systems.

10
Q

Preventative controls

A

The primary goal of preventative controls is to prevent security incidents. Some examples include:

-Hardening
-Training
-Security guards
-Change management (help prevent outages from configuration changes)
-Account disablement policy
-IPS

11
Q

Detective controls

A

Attempt to detect when vulnerabilities have been exploited, resulting in a security incident. Detective controls discover the event after it has occurred. Examples include:

-Log monitoring
-SIEM systems (detect trends and raise alerts in real time)
-Security audit
-Video surveillance
-IDS

12
Q

Corrective and recovery controls

A

Attempt to reverse the impact of an incident or problem after it has occurred.

-Backups and system recovery
-Incident handling process

13
Q

Physical controls

A

Any controls you can physically touch:

-Bollards and barricades
-Access control vestibules
-Lighting
-Signs, fences, sensors and more

Can be multiple control types at once, i.e., locks are physical, deterrent and preventative.

14
Q

Deterrent controls

A

Attempt to discourage a threat: to discourage potential attackers from attacking and employees from violating a security policy.

Deterrent and preventative controls often overlap.

-Security guard
-Cable locks
-Physical locks

15
Q

Compensating controls

A

Alternative controls used instead of a primary control, such as requiring employees to use smart cards when authenticating on a system, but allowing new employees to access the network using a TOTP while their smart card gets made.

16
Q

Response controls

A

Commonly referred to as incident response controls, these are controls designed to prepare for security incidents and respond to them once they occur; usually started by creating security policies, then training personnel on how to respond to incidents.

17
Q

Ping

A

Basic command to test connectivity to remote systems; can verify that a system can resolve valid hostnames to IP addresses, test the NIC, and assess organizational security.

*Checks connectivity by sending Internet Control Message Protocol (ICMP) echo request packets, and remote systems answer with ICMP echo reply packets, which is how you know a system is operational.

-Can be used for domain name resolution
-Can be filtered out by firewalls: admins often configure firewalls to block ICMP traffic or echo requests to prevent DoS attacks. You can use the ping command to check the effectiveness of your IPS or firewall.

18
Q

Hping

A

Similar to ping, but can send the pings using TCP, UDP and ICMP; helpful in identifying whether a firewall is blocking ICMP traffic, but only available on Linux-like systems.

19
Q

ipconfig and ifconfig

A

ipconfig on Windows

-Shows the TCP/IP configuration information for a Windows system, including items such as the computer’s IP address, subnet mask, default gateway, MAC address and address of a DNS server.
-Shows the configuration info for all NICs on a system, including wired and wireless NICs. Often used by technicians for troubleshooting.

ifconfig on Linux ("interface configuration") has more capabilities than ipconfig.

EXAMPLES:
- ipconfig: provides basic info on the NIC, such as the IP address, subnet mask and default gateway

-ipconfig /all and ifconfig -a
Show a comprehensive listing of TCP/IP configuration info for each NIC, including the MAC address, addresses of assigned DNS servers, and the address of a DHCP server if the system is a DHCP client.

NEED SUDO ON LINUX FOR:
-ifconfig eth0
Shows the configuration of the first Ethernet interface (NIC) on a Linux system. If the system has multiple NICs you can use eth1, eth2, etc., and you can also use wlan0 to view information on the first wireless interface.

-ifconfig eth0 promisc
Enables promiscuous mode on the first Ethernet interface, which allows a NIC to process all traffic it receives. Normally a NIC is in non-promiscuous mode and ignores all packets not addressed to it. Disable this with ifconfig eth0 -promisc

-ifconfig eth0 allmulti
Enables multicast mode on the NIC, allowing the NIC to process all multicast traffic received by the NIC.

*Normally a NIC uses non-promiscuous mode and only processes packets addressed directly to its IP address. You would want to see all traffic on a system if using a protocol analyzer.

20
Q

ip instead of ifconfig

A

Many Linux distros have deprecated the ifconfig command and recommend using the ip command instead, which displays information about and configures network interfaces but does not use the same syntax or have the same abilities, such as enabling promiscuous mode.

sample commands:

-ip link show
Shows the interfaces along with some details on them

-ip link set eth0 up
Enables a network interface

-ip -s link
Shows statistics on network interfaces

21
Q

Netstat

A

Allows you to view statistics for TCP/IP protocols on a system and gives you the ability to view active TCP/IP network connections.

Many attacks establish connections from an infected computer to a remote computer, which you can identify via netstat if you suspect this.

Netstat displays the state of a connection, such as ESTABLISHED, to indicate an active connection.

22
Q

tracert and traceroute

A

The tracert command lists all the routers between two systems, with each router referred to as a hop, in addition to the RTT (round trip time) for each hop. Used by Windows systems.

Linux systems use traceroute.

Used by network admins to identify faulty routers on the network.

23
Q

pathping

A

Combines the functions of the ping and tracert commands to locate potential problems between two systems: problems on any hop or problems on any of the segments between two hops.

24
Q

Arp

A

Command-line tool that is related to the Address Resolution Protocol; however, "arp" the command and ARP the protocol are not the same thing.
-ARP resolves IP addresses to MAC addresses and stores the result in the ARP cache.

*The arp command is used to view and manipulate the ARP cache.

25
Q

LAMP

A

The LAMP stack is an open source stack used by many organizations hosting web servers; the acronym stands for Linux, Apache, MySQL, and PHP (or Perl or Python).

Linux = OS
Apache = web server application
MySQL = database management system
-> Developers create dynamic webpages with scripting languages such as PHP, Perl or Python.

26
Q

cat

A

Command used to display the contents of a file.

Short for concatenate, t

27
Q

grep

A

Command used to search for a specific string or pattern of text within a file.

Short for "globally search a regular expression and print".

EX:
sudo grep "authentication failure" /var/log/auth.log
-> this shows only the entries containing the text "authentication failure"

or

sudo cat /var/log/auth.log | grep "authentication failure"
-> this reads the file with cat and then pipes the results to the grep command

28
Q

head

A

Command that allows you to see only the beginning of a file.

By default it only shows the first 10 lines of a file.

29
Q

tail

A

Command that allows you to see the end of a file, displaying the last 10 lines by default.

sudo tail -n 15 theodyssey.txt

*The -n switch specifies how many lines to display.

30
Q

logger

A

Command used to add entries to the /var/log/syslog file from the terminal or from scripts and applications.

Sometimes used by admins before performing an operation, such as when starting a backup:

logger backup started
-> gives you a timestamped entry with the text "backup started"

31
Q

journalctl

A

Command that queries the Linux system logging utility (journald) and displays the log entries from several sources. You can't query journald directly because it stores log data in binary format, but journalctl displays the data as text.

*If you enter the command by itself it displays all journal entries, which can be extensive, but you can limit the output in various ways:

journalctl --since "1 hour ago"

journalctl --list-boots

32
Q

chmod

A

Command used to modify permissions on Linux system files or folders (short for "change mode"). Any file can have read, write and execute permissions.

R = can open the file and view its contents (4)
W = can modify the contents, generally combined with read (2)
X = can launch the file; used with executable files (1)

1st set of permissions = owner (u)
2nd = group (g)
3rd = other, i.e., everyone else (o)

33
Q

Windows logs

A
-Security log: functions as a security log, audit log, and access log, and records auditable events such as successes or failures (when actions performed by a user succeed or fail, such as a login attempt).

-System log: records events related to the functioning of the OS, such as when it starts, when it shuts down, info on services starting and stopping, drivers loading or failing, or any other system components.

-Application log: records events sent to it by applications or programs running on the system, such as warnings, errors and routine messages.

34
Q

Network logs

A

Record traffic on the network, and are kept on a variety of devices including routers, firewalls, web servers and NIDS/NIPS. You can configure the devices to log all traffic passing through them, all traffic they block, or both. Helpful when troubleshooting connectivity issues.

Web servers typically log requests to the web server for pages:
-host (IP)
-user-identifier (name of user if known)
-authuser (login name of user if logged on)
-date
-request (actual request line sent by client)
-status (HTTP status code returned to client)
-bytes (byte length of reply)

35
Q

SIEM system

A

Security Information and Event Management systems provide a centralized solution for collecting, analyzing and managing data from multiple sources, useful in large enterprises with massive amounts of data and activity to monitor. Can be installed on centralized systems or run on dedicated hardware, and often include:

-log collectors
-data inputs
-log aggregation
-correlation engine
-reports
-packet capture
-user behavior analysis
-sentiment analysis
-security monitoring
-automated triggers
-time synchronization
-event deduplication
-logs/WORM

36
Q

syslog

A

The syslog protocol specifies a general log entry format and the details of how to transport log entries.

You can deploy a centralized syslog server to collect syslog entries from a variety of devices in the network, similar to how a SIEM server collects log entries.

syslog-ng and rsyslog are two additional open source utilities used instead of syslogd on Linux-like systems and provide additional extensions.

37
Q

NXLog

A

Another log management tool, similar to rsyslog and syslog-ng; however, it supports log formats for Windows such as event log entries, and can be installed on both systems. Functions as a log collector and can integrate with most SIEM systems.

38
Q

Linux logs

A

Common Linux logs are located in the /var/log/ directory. You can view logs in the System Log Viewer on Linux systems or by using the cat command from the terminal.
