comptia security Flashcards

1
Q

EAP

A

extensible authentication protocol

2
Q

802.1X

A

802.1X is a port-based network access control standard: a switch port or wireless association stays closed to normal traffic until the supplicant (user or device) authenticates and is authorized. The identity is proven with credentials or a certificate carried inside EAP, and it is verified by an authentication server, typically a RADIUS server

3
Q

SRTP

A

secure real-time transport protocol - encrypts RTP (real-time transport protocol) traffic and authenticates it; RTP carries audio/video streams such as VoIP calls and video conferencing

4
Q

HIDS

A

host based intrusion detection system
sw installed on the system to detect attacks
HIPS - host based intrusion prevention system is an extension of a HIDS to detect and block attacks

5
Q

HIPS

A

extension of HIDS // host based intrusion prevention system

6
Q

mail gateway

A
  • is placed between an email server and the internet and it can filter out spam (spam filter)
  • typically includes DLP (data loss prevention) capabilities
  • can inspect the contents of outgoing traffic looking for key words and block any traffic containing proprietary data

7
Q

reverse proxy

A

sits in front of one or more internal web servers, accepts client requests and forwards them to the servers
clients only ever see the proxy, so it hides the internal servers; it can also terminate TLS, filter requests and load balance

8
Q

media gateway

A

converts data from one format to another such as telephony traffic to IP-based traffic

9
Q

web application firewall

A

protects a web server by inspecting HTTP/HTTPS requests and responses and blocking application-layer attacks such as XSS and SQL injection
unlike a network firewall it understands the content of web requests, not just ports and addresses

10
Q

SSID

A

service set identifier
A service set identifier (SSID) is a unique identifier assigned to a wireless network. It allows devices on the network to identify and connect to the correct network. Most SSIDs are case-sensitive and can be up to 32 characters long

11
Q

WEP

A

wired equivalent privacy

12
Q

WPA2

A

Wi-Fi protected access II

13
Q

NAC

A

network access control - inspects clients (including VPN clients) for health status, e.g. an up-to-date OS and antivirus sw, before they are granted access to the network
non-compliant clients can be refused or placed in a quarantine/remediation network until they are fixed

14
Q

PaaS

A

platform as a service - a cloud computing model that provides the cloud customer with a preconfigured computing platform (OS, runtime, database) they can use as needed
- the provider maintains the OS and underlying hardware; the customer deploys and secures their own applications and data
- provides an easy to configure OS and on demand computing

–> IaaS and SaaS

15
Q

PAP

A

password authentication protocol - an older one where pwds are sent across the network in cleartext –> CHAP, MS-CHAPv2

16
Q

passive reconnaissance

A

a penetration testing method used to collect information, typically uses open-source intelligence –> active reconnaissance

17
Q

pass the hash

A

pwd attack in which the attacker captures a pwd hash and uses the hash itself to authenticate as the user, without ever cracking it
commonly associated with the Microsoft NTLM protocol, which accepts the hash as the credential

18
Q

PBKDF2

A

pwd based key derivation function 2
- a key stretching technique: it combines the pwd with a random salt and runs a keyed hash (HMAC) thousands of times, so each guess costs the attacker real time
- the salt defeats rainbow table attacks; the iteration count slows brute force attacks

19
Q

NTLM

A

new technology LAN manager
a suite of challenge/response authentication protocols used within Windows systems; it can also sign and seal session traffic for integrity and confidentiality
versions: NTLM (v1), NTLMv2, NTLM2 Session
legacy: the user's pwd hash is the credential, which is what makes pass the hash possible; Kerberos is preferred where available

20
Q

nonce

A

a number used once
cryptographic protocols use a nonce to make each message or key unique and to defeat replay attacks
a nonce must never be reused with the same key

21
Q

steganography

A

uses obfuscation to hide data within data

22
Q

OCSP

A

online certificate status protocol
an alternative to downloading a CRL
lets a client query the CA's OCSP responder with the serial number of a certificate
the responder answers with good, revoked or unknown

23
Q

DLP

A

data loss prevention
can reduce the risk of emailing confidential info outside the organisation

24
Q

SaaS

A

sw as a service provides sw or applications such as webmail via the cloud

25
Q

TPM

A

trusted platform module
a hardware chip on the motherboard that generates, stores and protects cryptographic keys and can record boot measurements
it does not encrypt the drive itself: full disk encryption (e.g. BitLocker) stores its key in the TPM so the disk only unlocks on that machine when the boot state matches

26
Q

COPE

A

corporate owned personally enabled
mobile device deployment model: the organisation buys and owns the device but lets the employee use it for personal purposes as well

managed centrally with MDM (mobile device mgmt)
–> BYOD, CYOD

27
Q

CYOD

A

choose your own device
a mobile device deployment model
employees can connect their personally owned device to the network as long as the device model is on a preapproved list

–> storage segmentation (separate work/personal containers) to protect company data on mobile devices owned by users

28
Q

ISA

A

interconnection security agreement specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between two or more entities
commonly required between a federal agency and a third party that interconnect their systems (NIST SP 800-47)

29
Q

ALE

A

annual (annualized) loss expectancy
the expected loss for a year
it is used to measure risk with ARO and SLE in a quantitative risk assessment
SLE x ARO = ALE

30
Q

ARO

A

annual (annualized) rate of occurrence
the number of times a loss is expected to occur in a year
it is used to measure risk with ALE and SLE in a quantitative risk assessment

31
Q

SLE

A

single loss expectancy
the monetary value of any single loss
used to measure risk with ALE and ARO in a quantitative risk assessment
SLE x ARO = ALE

32
Q

S/MIME

A

secure/multipurpose internet mail extensions
popular standard used to secure email
provides:
confidentiality
integrity
authentication
non-repudiation

33
Q

signature-based detection tool

A

type of monitoring used on intrusion detection and intrusion prevention systems
detects attacks based on KNOWN ATTACK PATTERNS documented as attack signatures
- signature based IDS systems use signatures similar to antivirus software

a unique identifier is established about a known threat so that the threat can be identified in the future

34
Q

SIEM

A

security information and event mgmt
collects logs and events from systems throughout the organisation, correlates them and raises alerts, so analysts see security events in one place

35
Q

sideloading

A

copying an app package directly onto a mobile device instead of installing it from the official app store
useful to developers when testing apps, but it bypasses the store's vetting, so MDM policies usually block it

36
Q

shimming

A

driver manipulation method
uses additional code to modify the behaviour of a driver

37
Q

Shibboleth

A

open source federated identity solution

38
Q

SHA

A

secure hash algorithm
hashing function used to provide INTEGRITY
versions: SHA-1 (deprecated, collisions have been demonstrated), SHA-2 (SHA-256, SHA-512), SHA-3
a hash is a fixed-length string, usually shown as hex, created by executing a hashing algorithm against data (file or message)
the hashing algo creates a fixed-length, IRREVERSIBLE output: you cannot get the data back from the hash
if the data never changes, the resulting hash will always be the same
by comparing hashes created at two different times, you can determine if the original data is still the same
if the hashes are the same, the data is the same

39
Q

SFTP

A

SSH file transfer protocol (often expanded as secure file transfer protocol)
TCP port 22
runs file transfers inside an SSH session, so they are encrypted; despite the name it is not FTP wrapped in encryption (that is FTPS, which uses TLS)

40
Q

session hijacking

A

an attack that attempts to impersonate a user by capturing and reusing their session ID
session IDs are usually stored in COOKIES, so cookie theft (XSS, sniffing an unencrypted connection) is the usual route in

41
Q

SED

A

self-encrypting drive

42
Q

secure boot

A

a UEFI firmware feature that checks and validates the boot chain during the boot process

it is designed to prevent a computer from being hijacked by a malicious OS or bootkit

under secure boot UEFI is configured with digital certs from valid OS vendors
the system fw checks the OS boot loader (and the boot loader in turn checks the kernel and drivers) using the stored certificates to ensure that the vendor has digitally signed them
this prevents a boot loader that has been changed by malware, or an OS installed without authorization, from being used

secure boot is a UEFI function and does not need a TPM; the TPM belongs to the separate measured boot process, which records hashes of key system state (boot fw, boot loader, OS kernel) so tampering by a rootkit can be detected or attested later

43
Q

SAML

A

security assertion markup language
XML-based standard used to exchange authentication and authorization information between different parties
SAML provides SSO for web-based application

44
Q

SDN

A

software defined network
uses sw and virtualization technologies to replace hw routers
SDNs separate the data and control planes

45
Q

LDAP

A

lightweight directory access protocol
used to communicate with directories such as Microsoft Active Directory (TCP port 389)
it identifies objects with distinguished names built from components such as CN=Users and DC=GetCertifiedGetAhead, e.g. CN=Users,DC=GetCertifiedGetAhead,DC=com
plain LDAP sends queries and simple binds in cleartext –> LDAPS

46
Q

LDAPS

A

lightweight directory access protocol secure
LDAP wrapped in TLS (TCP port 636), which encrypts the traffic

47
Q

bollards

A

short vertical posts that act as a barricade
block vehicles but not ppl

48
Q

HVAC

A

heating
ventilation
air conditioning
- physical security control that increases availability by regulating airflow within DCs and server rooms

49
Q

RTO

A

recovery time objective
the max amount of time it should take to restore a system after an outage
it is derived from the max allowable outage time identified in the BIA

50
Q

bcrypt

A

a key stretching algorithm
used to protect pwds
bcrypt combines the pwd with a salt and runs it through an expensive key setup derived from the Blowfish cipher; the cost factor is tunable so the work can be raised as hardware gets faster
the salt thwarts rainbow table attacks and the cost slows brute force attacks

51
Q

BIA

A

business impact analysis
includes info on potential losses and identifies the critical systems and the maximum tolerable downtime

52
Q

DRP

A

disaster recovery plan
includes methods to recover from an outage

53
Q

symmetric encryption algorithms

A

AES - advanced encryption standard (current standard)
DES - data encryption standard (deprecated: 56-bit key)
RC4 - Rivest Cipher 4 (deprecated stream cipher)
symmetric = the same key encrypts and decrypts, so the key must be shared securely

54
Q

hashing

A

provides integrity for digital signatures and other data
hash = checksum
hashing verifies integrity for data such as email, downloaded files, and files stored on a disk
a hash is a fixed-length number created with a hashing algorithm
HASHES ARE ONE-WAY FUNCTIONS: you can compute the hash from the data, but not the data from the hash

55
Q

digital signature

A

is a hash of the message encrypted (signed) with the sender's private key
the recipient decrypts it with the sender's public key and compares it with their own hash of the message
the hash provides integrity; the private key provides authentication and non-repudiation, since only the sender could have created the signature
note that signing does not provide confidentiality: the message itself is not encrypted

56
Q

SHA-2

A

secure hash algorithm version 2
is used for integrity

57
Q

ECC

A

elliptic curve cryptography has minimal overhead and is often used with mobile devices for encryption

58
Q

key stretching techniques

A

1) PBKDF2 = pwd-based key derivation function 2
2) bcrypt

both salt pwds with additional random bits and repeat a slow function many times, to protect against brute force and rainbow table attempts

59
Q

OCSP

A

online certificate status protocol
provides real time responses to validate certs issued by a Certificate Authority (CA)

60
Q

CRL

A

certificate revocation list
a CA-signed list of the serial numbers of certs the CA has revoked before their expiry date
clients download it periodically, so it can be stale –> OCSP

61
Q

DSA

A

digital signature algorithm
creates a digital signature

62
Q

HMAC

A

hash based message authentication code
creates a keyed hash (a tag)

Hash-based message authentication code (HMAC) is a cryptographic authentication technique that uses a hash function and a secret key.
With HMAC, you can achieve authentication and verify that data is correct and authentic with a shared secret, as opposed to approaches that use signatures and asymmetric cryptography.

How does HMAC differ from hashing?
A hash lets you verify only the integrity of the data (i.e. that the data you received is what was originally sent), and anyone can recompute it.
An HMAC lets you verify both the integrity and the originator of the data, because only a holder of the key can produce a valid tag. A hash doesn't use a key.

Why is HMAC more secure than general hashing?
The strength of HMAC lies in its combination of a secret key and a hash function. The secret key ensures that only those with the key can generate or verify an HMAC, so an attacker who modifies the data cannot simply recompute the tag. HMAC provides integrity and authentication, not confidentiality: the data itself is still readable.

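Worked comparison of the two cards above (hashing/SHA and HMAC): a plain hash detects a change but an attacker can recompute it, while an HMAC cannot be recomputed without the key. This is an added example written for this page, not code from the original flashcards; the message, the shared secret and the attacker's edit are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample message and shared secret for this example; not from the page.
SECRET_KEY = b"shared-secret-known-only-to-sender-and-receiver"
MESSAGE = b'{"from": "alice", "to": "bob", "amount": 100}'


def sha256_hex(data: bytes) -> str:
    """Plain hash: anyone can recompute it, so it only detects accidental change."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of `key` can produce or verify it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hash(data: bytes, expected_hex: str) -> bool:
    """Integrity check with a bare hash (no key involved)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def verify_hmac(key: bytes, data: bytes, tag_hex: str) -> bool:
    """Integrity plus origin check; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(hmac_tag(key, data), tag_hex)


def attacker_tampers(message: bytes) -> bytes:
    """An on-path attacker rewrites the amount field."""
    return message.replace(b'"amount": 100', b'"amount": 9000')


def demo() -> dict:
    """Run the comparison and return what each check concluded."""
    tampered = attacker_tampers(MESSAGE)
    original_hash = sha256_hex(MESSAGE)
    original_tag = hmac_tag(SECRET_KEY, MESSAGE)
    return {
        # the old hash no longer matches, so a hash does catch the change...
        "hash_detects_change": not verify_hash(tampered, original_hash),
        # ...but the attacker simply ships a fresh hash of the tampered message
        "hash_forgeable": verify_hash(tampered, sha256_hex(tampered)),
        # the old tag fails on the tampered message
        "hmac_rejects_tamper": not verify_hmac(SECRET_KEY, tampered, original_tag),
        # a tag made without the real key also fails
        "hmac_rejects_wrong_key": not verify_hmac(
            SECRET_KEY, tampered, hmac_tag(b"attacker-guess", tampered)
        ),
        # the genuine message with its genuine tag passes
        "hmac_accepts_genuine": verify_hmac(SECRET_KEY, MESSAGE, original_tag),
    }
```

Every entry in the dictionary returned by `demo()` is True; the two worth remembering are `hash_forgeable` (a bare hash travelling with the data proves nothing about who sent it) and `hmac_rejects_wrong_key`. Always compare tags with `hmac.compare_digest`, never `==`.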
63
Q

AUP

A

acceptable use policy
informs users of their responsibilities when using an organisations equipment

64
Q

cognitive pwd attack

A

utilizes information that a person would know, e.g. the name of a first pet, to answer the security questions of a pwd reset and so change the user's pwd

–> Sarah Palin example (her email account was reset by guessing publicly known answers to its security questions)

65
Q

rainbow table attack

A

is a pwd attack that uses a DB of precalculated hashes
- PBKDF2 and bcrypt thwart rainbow table attacks

66
Q

SRTP

A
  • secure real-time transport protocol
  • used to encrypt and provide authentication for RTP traffic
  • used for audio/video streaming
67
Q

honeynet

A

group of servers configured as honeypots, usually on their own network segment, to attract attackers and observe their techniques

68
Q

an 802.1x server

A

provides port-based authentication and can authenticate clients
clients that can't authenticate (e.g. guests) can be redirected to a guest VLAN which grants them Internet access but not access to the internal network

69
Q

NAT

A

network address translation
translates private IP addresses to public IP addresses

70
Q

PEAP

A

protected extensible authentication protocol
an extension of EAP that wraps the EAP exchange inside a TLS tunnel
sometimes used with 802.1x
PEAP requires a cert on the 802.1x (authentication) server but not on the clients; clients should be configured to validate that server cert, otherwise a rogue access point can harvest credentials

71
Q

PEM

A

privacy enhanced mail
common file format for PKI certs and keys
stores the DER (binary) encoding as Base64 text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, so it can be pasted into config files; a .cer file can hold either PEM text or raw DER
can be used for almost any type of cert

72
Q

chroot

A

Linux command used to change the apparent root directory of a process
often used for sandboxing, but it is not a security boundary on its own: a process running as root can escape a chroot

73
Q

chmod

A

linux admins use it to change permissions for files

74
Q

FDE

A

full disk encryption

75
Q

SED

A

self-encrypting drive
a drive that includes the hw and sw necessary to encrypt a hard drive
- users typically enter credentials to decrypt and use the drive

76
Q

runtime code # compiled code

A

runtime code = source or bytecode that is interpreted (or JIT-compiled) when it is executed, e.g. scripts

compiled code = has been translated and optimized by a compiler ahead of time and converted into an executable file

77
Q

RADIUS

A

remote authentication dial-in user service

78
Q

DNS

A

domain name system

79
Q

DHCP

A

dynamic host configuration protocol

80
Q

SCADA

A

supervisory control and data acquisition system

81
Q

trojans

A

commonly create backdoors

82
Q

spear phishing

A

phishing aimed at a specific person or group, e.g. an email crafted to look as if it comes from inside the victims' own organisation

83
Q

vishing

A

similar to phishing - but uses telephone technology

84
Q

salting

A

adds a random value (the salt) to each pwd before hashing it, and stores the salt next to the hash
two users with the same pwd get different hashes and precomputed (rainbow) tables become useless; combined with key stretching it also slows brute force attacks to discover pwds

85
Q

account lockout control

A

locks an account after the wrong pwd is guessed too many times

86
Q

DNS poisoning

A

domain name system poisoning
corrupts a DNS server's or client's cache with false records so that names resolve to attacker-controlled IP addresses
attempts to redirect web browsers to malicious sites without the user noticing

87
Q

replay attack

A

captures legitimate packets (e.g. an authentication exchange) and retransmits them later to impersonate one of the parties in an online session
timestamps, sequence numbers and nonces are the usual defence

88
Q

SLA

A

service level agreement
between a company and a vendor that stipulates performance expectations such as min uptime and max downtime levels

89
Q

BPA

A

business partners agreement

90
Q

MOU/MOA

A

memorandum of understanding or memorandum of agreement - a type of agreement that defines responsibilities of each party
- compare with ISA

91
Q

ISA

A

interconnection security agreement
specifies technical and security requirements for connections between two or more entities

92
Q

arp (not ARP)

A

a command-line tool to show and manipulate ARP (address resolution protocol) cache

93
Q

ARP poisoning

A

an attack in which the attacker sends forged ARP replies so that other systems on the LAN associate an IP address (typically the gateway's) with the attacker's MAC address
traffic for that IP then flows through the attacker: on-path (man-in-the-middle) interception, or DoS if it is simply dropped
ARP has no authentication, which is why the forged replies are accepted

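Detection logic for the ARP poisoning card, as an added example for this page (not from the original flashcards): it parses two snapshots of a host's ARP cache in the Linux `arp -n` layout and flags the two classic symptoms, an IP whose MAC changed and one MAC answering for several IPs. The snapshots, addresses and MACs are constructed for the example; in practice you would feed it the output of `arp -n` taken at intervals.

```python
import re
from typing import Dict, List

# One row of `arp -n` output on Linux: IP, HWtype, MAC, flags, iface.
ARP_ROW = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+ether\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b"
)

# Constructed snapshots of a victim host's ARP cache, before and after an attack.
# 192.168.1.1 is the gateway; 192.168.1.66 is the attacker's real address.
BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:11:22:33:44:01   C                     eth0
192.168.1.20             ether   00:11:22:33:44:20   C                     eth0
192.168.1.66             ether   de:ad:be:ef:00:66   C                     eth0
"""
AFTER = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   de:ad:be:ef:00:66   C                     eth0
192.168.1.20             ether   00:11:22:33:44:20   C                     eth0
192.168.1.66             ether   de:ad:be:ef:00:66   C                     eth0
"""


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC (lower-cased); header and unparseable lines are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def find_mac_changes(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """IPs whose MAC differs between the two snapshots (a poisoned entry)."""
    return [
        f"{ip} {before[ip]} -> {mac}"
        for ip, mac in sorted(after.items())
        if ip in before and before[ip] != mac
    ]


def find_duplicate_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs that claim more than one IP: the attacker's card answering for the gateway too."""
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def analyse(before_text: str, after_text: str, gateway_ip: str) -> dict:
    """Combine both checks and say whether the gateway specifically looks hijacked."""
    before, after = parse_arp_table(before_text), parse_arp_table(after_text)
    dupes = find_duplicate_macs(after)
    gateway_mac = after.get(gateway_ip)
    hijacked = (
        gateway_ip in before and before[gateway_ip] != gateway_mac
    ) or (gateway_mac in dupes)
    return {
        "changed": find_mac_changes(before, after),
        "shared_macs": dupes,
        "gateway_hijacked": hijacked,
    }
```

A single MAC for two IPs is not always an attack (a router with several addresses on one interface does the same), so in a real monitor compare against the known gateway MAC or a DHCP lease table before alerting.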
94
Q

XSS attack

A

cross-site scripting attack: attacker-supplied script ends up in a page served to other users, where it runs with those users' sessions
protection against:
- input validation
- output encoding: escape untrusted data before inserting it into HTML
- WAF: web application firewall = monitors, filters, and/or blocks HTTP traffic to a web server

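The XSS card above lists the defences; this added example (not from the original flashcards) shows them side by side in a server-side template: the vulnerable interpolation, the same rendering with output encoding, an allowlist input validator, and a crude signature check of the kind a WAF rule applies. The attacker payload and the username rule are constructed for the example.

```python
import html
import re

# Constructed attacker input: an image tag whose error handler runs script.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def render_greeting_vulnerable(name: str) -> str:
    """Interpolates untrusted input straight into HTML: reflected/stored XSS."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Output encoding: <, >, &, and quotes become entities, so the browser shows text."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# Allowlist: a username is letters, digits, dot, dash, underscore; nothing else.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(name: str) -> bool:
    """Input validation rejects anything that is not a plain identifier."""
    return USERNAME_RE.fullmatch(name) is not None


# A raw tag that is a <script> or carries an on*= event handler attribute.
ACTIVE_CONTENT = re.compile(r"<\s*script|<[^>]+\son\w+\s*=", re.IGNORECASE)


def has_active_content(rendered: str) -> bool:
    """WAF-style signature check on the rendered page; useful as a last line, not the first."""
    return ACTIVE_CONTENT.search(rendered) is not None
```

Validation alone is not enough: a legitimate value such as O'Brien must still be encoded for the context it lands in (HTML body, attribute, JavaScript string or URL each need different escaping), which is why output encoding is the primary control and validation the supporting one.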
95
Q

normalization

A

organising tables and columns in a DB to reduce redundant data and improve overall DB performance

96
Q

netcat

A

general-purpose TCP/UDP tool: useful for remotely administering servers and moving data between hosts, but it does not collect and analyze packets (that is a protocol analyzer)
- can be used for banner grabbing (connect to a port and read the service banner), which will provide info on the service and often the operating system

97
Q

protocol analyzer=sniffer

A

can capture traffic sent over a network and identify the type of traffic, the source of the traffic and the protocol flags used within individual packets
used to EXAMINE PACKETS
used to VIEW DATA sent in CLEAR TEXT, e.g. credentials sent over unencrypted protocols

98
Q

fault tolerance

A

the capability of a system to suffer a fault, but continue to operate
the system can tolerate the fault as if it never occurred

99
Q

RAID

A

RAID stands for Redundant Array of Inexpensive (Independent) Disks
low cost solution for fault tolerance for disks: if one disk fails, the data is still available from the others (except RAID 0, which only stripes for speed)
RAID increases data availability; it is not a substitute for backups

100
Q

load balancing

A

round-robin is one of the methods used in load balancing

101
Q

rainbow table

A

a file containing precomputed hashes for character combination
rainbow tables are used to discover pwds

102
Q

bcrypt

A

a key stretching technique designed to protect against brute force and rainbow table attacks

103
Q

PBKDF2

A

pwd based
key derivation
function 2

both PBKDF2 and bcrypt salt the pwd and then run many rounds of a slow function, so each guess costs the attacker time

PBKDF2 - based on a keyed hash (HMAC); the iteration count is the cost setting
bcrypt - based on Blowfish; the cost factor is the cost setting

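One worked example covering the PBKDF2, bcrypt, key stretching, salting and rainbow table cards: PBKDF2-HMAC-SHA256 from the standard library with a per-password random salt, a verifier that compares in constant time, and a stand-in "rainbow table" to show why the salted, stretched record cannot be looked up. This is an added example for this page, not code from the original flashcards; the passwords in the table and the record format `algorithm$iterations$salt$key` are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor: how many HMAC-SHA256 rounds one guess costs. Raise it as hardware improves.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$key_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, key_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


# Constructed stand-in for a rainbow table: precomputed unsalted SHA-256 of common passwords.
RAINBOW = {hashlib.sha256(p.encode()).hexdigest(): p
           for p in ["password", "letmein", "Summer2024!", "qwerty"]}


def rainbow_lookup(unsalted_sha256_hex: str) -> Optional[str]:
    """What an attacker does with a leaked unsalted hash: one dictionary lookup."""
    return RAINBOW.get(unsalted_sha256_hex)


def compare_storage_schemes(password: str, iterations: int = ITERATIONS) -> dict:
    """Show why the salted, stretched record resists the precomputed table."""
    unsalted = hashlib.sha256(password.encode()).hexdigest()
    rec1 = hash_password(password, iterations=iterations)
    rec2 = hash_password(password, iterations=iterations)
    return {
        "unsalted_cracked_by_table": rainbow_lookup(unsalted) == password,
        # same password, two different salts -> two different records
        "salted_records_differ": rec1 != rec2,
        # the derived key is not in any table built over unsalted hashes
        "salted_in_table": rainbow_lookup(rec1.split("$")[3]) is not None,
    }
```

The iteration count is stored with the record so it can be raised later and old records re-hashed at next login. bcrypt does the same job with a cost factor instead of an iteration count; use a maintained library for it rather than writing the Blowfish setup yourself.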
104
Q

confusion (in the context of encryption)

A

means that the relationship between the key and the ciphertext is hidden: each bit of ciphertext depends on many parts of the key, so the ciphertext looks nothing like the plaintext and reveals nothing about the key

105
Q

diffusion (cryptography)

A

ensures that small changes in the plaintext result in large changes in the ciphertext

106
Q

obfuscation

A

attempt to hide data or make sth unclear

107
Q

collision

A

hashing algorithm vulnerability
a hash vulnerability that can be used to discover pwds or forge signed data
a hash collision occurs when two different inputs (e.g. two different pwds) CREATE THE SAME HASH
MD5 and SHA-1 have practical collisions; SHA-2 and SHA-3 do not

108
Q

ECDHE

A

elliptic curve diffie-hellman ephemeral
allows entities to negotiate encryption keys securely over a public network
a fresh key pair is generated for every session (ephemeral), which gives perfect forward secrecy

109
Q

CASB

A

cloud access security broker

  • sw tool that enforces cloud-based security requirements
  • placed between the organisation’s resources and the cloud
  • monitors all network traffic
  • can enforce security policies
110
Q

CTM

A

counter mode
a mode of operation that turns a block cipher into a stream cipher: the cipher encrypts an IV (nonce) combined with a block counter, and the output is XORed with the plaintext block
blocks can be processed in parallel; the IV/counter value must never be reused with the same key

111
Q

pinning

A

a security mechanism used by some web sites to PREVENT WEB SITE IMPERSONATION with a fraudulently issued certificate

web sites provide clients with a list of PUBLIC KEY HASHES

clients store the list and use it to validate the web site: a certificate whose key is not on the list is rejected even if a CA signed it

browsers have since deprecated HTTP Public Key Pinning (HPKP) because a mistaken pin locks users out for the pin's lifetime; pinning survives mainly inside mobile apps

112
Q

stapling

A

the web server obtains a time-stamped, digitally signed OCSP response from the CA and presents (staples) it to the client together with its certificate during the TLS handshake

the client does not need to contact the CA itself, which reduces the overall OCSP traffic sent to the CA and stops the CA seeing which sites every client visits

113
Q

perfect forward secrecy

A

a property of a key exchange ensuring that each session's keys are generated independently and are not derived from the server's long-term private key

if the long-term key is later compromised, previously recorded sessions still cannot be decrypted

achieved with ephemeral Diffie-Hellman (DHE, ECDHE) rather than a deterministic derivation from the static key (as in RSA key transport)

114
Q

IPsec (internet protocol security)
TLS (transport layer security)
often use

A

HMAC-MD5
HMAC-SHA1

HMAC = hash-based message authentication code

MD5 and SHA-1 are broken as collision-resistant hashes, but the HMAC construction does not depend on collision resistance, so HMAC-MD5/SHA1 are still seen in older configs; modern deployments prefer HMAC-SHA256 or AEAD ciphers such as AES-GCM

115
Q

hashing algorithms

A

MD5
SHA
HMAC
RIPEMD

116
Q

RIPEMD

A

RACE integrity primitives evaluation message digest
RIPEMD-160 is the variant still in use (e.g. in Bitcoin addresses)

117
Q

SHA

A

secure hash algorithm

118
Q

MD5

A

message digest 5
128-bit hash; practical collisions have been found, so it should no longer be used for integrity checks or signatures

119
Q

IV

A

initialization vector provides a starting value for a cryptographic algorithm

it is a fixed-size random or pseudo-random value that is combined with the key so that the same plaintext encrypted twice with the same key gives different ciphertext; it is sent along with the ciphertext and need not be secret

ideally the IV should be large enough, and chosen so, that the algorithm never reuses the same IV with the same key: reusing one leaks information about the plaintexts (WEP's 24-bit IV is the classic failure)

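Worked example for the IV, nonce and counter mode (CTM) cards, added for this page and not taken from the original flashcards: a CTR-mode encryptor built exactly as the card describes (keystream block = PRF(key, IV || counter), XORed with the plaintext), followed by the attack that IV reuse enables. Assumption: HMAC-SHA256 stands in for the block cipher so the example runs with the standard library only; AES-CTR has the same structure with AES as the PRF and 16-byte blocks.

```python
import hashlib
import hmac
import os
from typing import Optional

NONCE_BYTES = 8
BLOCK_BYTES = 32  # output size of the stand-in keystream function


def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Keystream for block number `counter`: PRF(key, nonce || counter).

    Assumption for this example: HMAC-SHA256 stands in for the block cipher.
    AES-CTR does the same thing with AES as the PRF.
    """
    return hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR is symmetric: the same function encrypts and decrypts."""
    if len(nonce) != NONCE_BYTES:
        raise ValueError("nonce must be %d bytes" % NONCE_BYTES)
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), BLOCK_BYTES)):
        keystream = keystream_block(key, nonce, block_no)
        chunk = data[start:start + BLOCK_BYTES]
        out.extend(a ^ b for a, b in zip(chunk, keystream))  # last block may be short
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Prefix the nonce to the ciphertext so the receiver can rebuild the counter stream."""
    if nonce is None:
        nonce = os.urandom(NONCE_BYTES)  # a fresh nonce per message is the whole security story
    return nonce + ctr_crypt(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return ctr_crypt(key, blob[:NONCE_BYTES], blob[NONCE_BYTES:])


def nonce_reuse_leak(blob1: bytes, blob2: bytes) -> bytes:
    """Two messages under the same key and nonce share a keystream, so
    c1 XOR c2 == p1 XOR p2: the key has dropped out entirely."""
    if blob1[:NONCE_BYTES] != blob2[:NONCE_BYTES]:
        raise ValueError("different nonces: nothing to exploit")
    return bytes(a ^ b for a, b in zip(blob1[NONCE_BYTES:], blob2[NONCE_BYTES:]))


def recover_other_plaintext(blob1: bytes, blob2: bytes, known_p1: bytes) -> bytes:
    """An attacker who knows (or guesses) p1 recovers p2 outright."""
    return bytes(a ^ b for a, b in zip(nonce_reuse_leak(blob1, blob2), known_p1))
```

Note that CTR mode on its own gives confidentiality only: flipping a ciphertext bit flips the same plaintext bit, which is why real deployments pair it with a MAC (AES-GCM is CTR plus an authentication tag).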
120
Q

RADIUS

A

remote authentication dial-in user service

obscures the pwd attribute in authentication packets; the rest of the packet is sent in cleartext

uses a shared secret (symmetric key) between the RADIUS server and its clients (the network access servers: switches, APs, VPN concentrators)

when users authenticate, RADIUS servers and clients use the shared secret to hide the pwd and to authenticate the data exchanged in a CHALLENGE/RESPONSE session

without the shared secret, clients are unable to produce or verify valid packets and cannot respond appropriately

where the whole exchange must be protected, RADIUS is run over IPsec or TLS (RadSec)

121
Q

RTO

A

recovery time objective
= the amount of time it takes to identify a problem and then perform recovery eg restore from back up or switch in an alternative system

122
Q

RPO

A

recovery point objective
the amount of data loss that a system can sustain measured in time

if a virus destroys a DB an RPO of 24 hours means that the data can be recovered from a backup copy to a point not more than 24 hours before the DB was infected

123
Q

MTBF

A

mean time between failure

expected lifetime of a product before it fails and must be replaced or repaired

124
Q

MTTR

A

mean time to repair
mean time to recover
is a measure of the time taken to correct a fault to restore the system to full operation

often specified in the maintenance contracts

125
Q

virtual machine escape vulnerabilities

A

most severe issue that may exist in a virtualized environment

the attacker compromises a single virtual machine and then breaks out of it into the hypervisor or host, from where they can intrude on the resources assigned to different virtual machines
mitigation: keep the hypervisor patched and avoid running guests of different trust levels on the same host

126
Q

DATA REMNANT

A

the residual representation of digital data that remains even after attempts have been made to remove it or erase it

127
Q

VIRTUALIZATION SPRAWL

A

when the number of virtual machines on a network reaches a point where the administrator can no longer manage them effectively

128
Q

virtual machine migration

A

moving a virtual machine from
one physical hardware environment to the other

129
Q

syslog

A

system logging protocol
UDP port 514 (TCP 514 is also used; syslog over TLS uses 6514)
is a way network devices can use a standard message format to communicate with a logging server
each message starts with a priority value <PRI> that encodes facility x 8 + severity

designed to make it easy to monitor network devices

devices can use a syslog agent to send out notification messages
plain syslog is unauthenticated and unencrypted, so a SIEM should not trust the source field blindly
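Parser for the syslog card, added for this page (not from the original flashcards): it splits classic BSD-format messages into priority, timestamp, host and text, decodes the priority into facility and severity, and filters the urgent ones the way a SIEM collector would. The four log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOST TAG: MSG  (the classic BSD syslog layout)
SYSLOG_LINE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

# Constructed sample lines as a collector would receive them on UDP/514.
SAMPLE_LOG = [
    "<34>Oct 11 22:14:15 web01 su: 'su root' failed for dave on /dev/pts/3",
    "<13>Oct 11 22:15:00 web01 sshd[2021]: Accepted publickey for admin from 10.0.0.5 port 51022",
    "<11>Oct 11 22:15:07 fw01 kernel: interface eth1 link down",
    "<166>Oct 11 22:16:40 app02 deploy[77]: release 1.4.2 rolled out",
]


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    severity_num: int
    timestamp: str
    host: str
    message: str


def parse_syslog(line: str) -> Optional[SyslogMessage]:
    """Decode one line; returns None for anything that is not well-formed."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        return None
    facility, severity = divmod(pri, 8)
    return SyslogMessage(FACILITIES[facility], SEVERITIES[severity], severity,
                         m.group(2), m.group(3), m.group(4))


def urgent(lines: List[str], max_severity: int = 3) -> List[SyslogMessage]:
    """Keep messages at 'err' (3) or worse; lower numbers are more severe."""
    parsed = (parse_syslog(line) for line in lines)
    return [msg for msg in parsed if msg is not None and msg.severity_num <= max_severity]
```

The host field is whatever the sender put there, so correlate on the UDP source address as well; and because priority is self-reported, an attacker who can write to the socket can bury a real event in a flood of debug noise.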

130
Q

nslookup

A

used to query the Domain Name System to obtain the mapping between a domain name and an IP address or to view other DNS records
"set type=ns" tells nslookup to report only information on name servers

"set type=mx" -> info only about mail exchange servers

131
Q

risk

A

results from the combination of
a THREAT and a VULNERABILITY

132
Q

BCP

A

business continuity plan

133
Q

credentialed scan

A

logs into a system with valid credentials and retrieves its configuration information directly, giving an accurate picture of patch level and settings

134
Q

non-credentialed scan

A

relies on what is observable from the outside (open ports, banners) to infer config settings, which can be altered or incorrect; it shows what an external attacker sees but misses a lot

135
Q

TACACS+

A

is an extension to TACACS =
terminal access controller access control system

developed as a proprietary protocol by Cisco
uses TCP port 49 and encrypts the entire packet body (RADIUS obscures only the pwd)
separates authentication, authorization and accounting, so it is favoured for administering network devices

136
Q

RADIUS

A

REMOTE AUTHENTICATION DIAL-in USER SERVICE
is a networking protocol that operates on UDP port 1812 (1813 for accounting; older implementations use 1645/1646) and provides centralized
Authentication
Authorization
Accounting mgmt
for users who connect and use a network service

137
Q

KERBEROS

A

a network authentication protocol developed by MIT; designed to provide strong mutual authentication for client/server applications using secret-key cryptography and time-limited tickets issued by a key distribution center (KDC); used by Active Directory and requires synchronised clocks

138
Q

CHAP

A

challenge-handshake authentication protocol is used to authenticate a user or network host to an authenticating entity

AUTHENTICATION PROTOCOL
DOES NOT PROVIDE AUTHORIZATION OR ACCOUNTING SERVICES

139
Q

the simplest load balancing scheduling algorithm

A

round-robin

140
Q

affinity

A

a scheduling method used with load balancers
it uses the client's IP address to ensure the client is directed to the same server for the whole session (sticky sessions)
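The two load balancing cards (round-robin and affinity) side by side, as an added example for this page rather than code from the original flashcards: a round-robin scheduler that ignores who the client is, and a source-IP affinity scheduler that hashes the client address so one client always reaches the same backend. Server names and client addresses are constructed.

```python
import hashlib
from itertools import cycle
from typing import List, Sequence


class RoundRobin:
    """Simplest scheduler: hand each new request to the next server in turn."""

    def __init__(self, servers: Sequence[str]):
        self._next = cycle(servers)

    def pick(self, client_ip: str) -> str:
        return next(self._next)  # client identity is ignored


class SourceIpAffinity:
    """Affinity (sticky sessions): hash the client IP so the same client
    always lands on the same server while the server set is unchanged."""

    def __init__(self, servers: Sequence[str]):
        self._servers = list(servers)

    def pick(self, client_ip: str) -> str:
        digest = hashlib.sha256(client_ip.encode()).digest()
        return self._servers[int.from_bytes(digest[:8], "big") % len(self._servers)]


def schedule(balancer, client_ips: Sequence[str]) -> List[str]:
    """Replay a sequence of client requests through a balancer."""
    return [balancer.pick(ip) for ip in client_ips]


def always_same_server(balancer, client_ip: str, requests: int = 5) -> bool:
    """Does a single client stay on one backend across repeated requests?"""
    return len(set(schedule(balancer, [client_ip] * requests))) == 1
```

Affinity keeps in-memory sessions working without shared session storage, at a price: every client behind one NAT address piles onto the same backend, and when a server is added or removed the modulus changes and most clients are re-mapped, which is why production balancers use consistent hashing or a cookie instead.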

141
Q

Shibboleth

A

one of the federated identity solutions
open source and freely available
includes Open libraries written in C++ and Java

142
Q

OAuth

A

open standard for authorization (delegated access): it lets one site call an API on your behalf without you handing over your pwd
instead of creating a diff account for each web site you access, you can often sign in with the account you already have with Google, FB, PayPal etc.; the identity part of that flow is OpenID Connect, which is built on OAuth 2.0

143
Q

OpenID Connect

A

works with OAuth 2.0
allows clients to verify the identity of end users without managing their credentials

example: Skyscanner - after logging in with FB credentials, Skyscanner provides a more personalized experience for the user

is used for authentication on the Internet, not internal networks!!!

144
Q

TFTP

A

trivial file transfer protocol
UDP port 69; no authentication or encryption, so only for trusted networks (e.g. device config and boot images)

145
Q

SMTP

A

simple mail transfer protocol
port 25

146
Q

DNS

A

domain name system
protocol port 53 (UDP for normal lookups, TCP for zone transfers and large responses)

147
Q

IDOR

A

insecure direct object reference

cybersecurity issue that arises when a web app developer uses an identifier (e.g. ?invoice=1002) for direct access to an object but provides no additional access control and/or authorization check, so a user can change the identifier and reach other users' objects
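The IDOR card in code, as an added example for this page (not from the original flashcards): a handler that trusts the id from the request beside one that checks the object belongs to the authenticated user. The invoice store and user names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    total: float


# Constructed data store: two customers, each with their own invoice.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, "alice", 120.0),
    1002: Invoice(1002, "bob", 980.0),
}


class NotFound(Exception):
    """Raised for both 'no such id' and 'not yours', so ids cannot be probed."""


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """IDOR: the id comes straight from the URL and ownership is never checked.
    Any logged-in user who guesses 1002 reads bob's invoice."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice_safe(current_user: str, invoice_id: int) -> Invoice:
    """Authorization check: the object must belong to the authenticated user."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != current_user:
        raise NotFound(invoice_id)
    return invoice


def list_my_invoices(current_user: str) -> List[Invoice]:
    """The scoped-query alternative: never look up by bare id at all."""
    return [inv for inv in INVOICES.values() if inv.owner == current_user]
```

Returning the same NotFound for "missing" and "not yours" matters: a different error for each would let an attacker enumerate which ids exist. Sequential ids make the guessing trivial, but random ids are not a fix on their own; the ownership check is.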

148
Q

race condition

A

sw vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events
those events fail to execute in the order and timing intended by the developer - hacker gamer example !!

149
Q

IMAP

A

internet message access protocol
a TCP/IP application protocol that provides a means for a client to access email messages stored in a mailbox on a remote server using TCP port 143 (993 for IMAPS over TLS)
unlike POP3, messages persist on the server after the client has downloaded them
IMAP also supports mailbox mgmt functions such as creating subfolders and access to the same mailbox by more than one client at the same time

150
Q

dereferencing

A

following a pointer to the object at the memory location it references; a null pointer dereference (following a pointer that points to nothing) crashes the program, and dereferencing a dangling pointer to freed memory can give an attacker control of the process

151
Q

WEP

A

wired equivalent privacy
an older, broken mechanism for encrypting data sent over a wireless connection

uses the RC4 cipher with a 24-bit initialization vector prepended to the pre-shared key; the IV space is so small that IVs repeat within hours and the key can be recovered

replaced by WPA - wifi protected access
that still uses the RC4 cipher but adds the temporal key integrity protocol (TKIP), a stop-gap that ran on WEP hardware

replaced by WPA2 after the completion of the 802.11i security standard
uses the AES cipher with CCMP (counter mode with cipher block chaining message authentication code protocol) for encryption and integrity

replaced by WPA3, the most secure wireless encryption method
uses simultaneous authentication of equals (SAE) to increase the security of pre-shared keys against offline dictionary attacks
provides the enhanced open mode (encryption on open networks without a pwd)

WPA3 Enterprise mode supports AES with the Galois/counter mode protocol (GCMP-256) for the highest levels of encryption

152
Q

measured boot

A

a feature where the firmware hashes each component it loads (boot loader, kernel, drivers) and stores the measurements in the trusted platform module's platform configuration registers (PCRs); the resulting log can later be retrieved and attested to anti-malware sw on a remote server, which compares it with known-good values

153
Q

master boot record analytics

A

used to capture the hard disk's required information to support a forensic investigation
it would not detect malware during the system's boot-up process

154
Q

startup control

A

determines which programs will be loaded when the operating system is initially booted

155
Q

risk response actions

A

accept
avoid
mitigate or
transfer

156
Q

FTP

A

file transfer protocol
port 20 and 21

157
Q

data anonymization

A

is the process of removing personally identifiable information from data sets so that the people whom the data describe remain anonymous

158
Q

hybrid pwd cracking approach

A

combining different methods such as the dictionary and brute force methods into a single tool

159
Q

proximity badge

A

embeds an RFID chip into the card or badge
when the user swipes their card over the reader, it sends an RF signal that uniquely identifies the card's holder

RFID - radio-frequency identification systems

160
Q

RFID attacks

A

attacks against radio-frequency identification systems

such as

eavesdropping
replay
DoS

161
Q

access control vestibule

A

physical security access control system
comprising a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens

162
Q

VDI

A

virtual desktop infrastructure

163
Q

VPC

A

virtual private cloud

164
Q

UEBA

A

user and entity behaviour analytics

can provide an automated identification of suspicious activity by user accounts and computer hosts

165
Q

ABAC

A

attribute-based access control

provides the most detailed and explicit type of access control over a resource because it is capable of making access decisions based on a combination of subject and object attributes, as well as context-sensitive or system-wide attributes

info such as group membership, the OS being used or even the machine's IP could be considered when granting or denying access

166
Q

order of volatility

A

order in which you should collect evidence

167
Q

legal hold

A

process that an organization uses to preserve all forms of potentially relevant information when litigation is pending or reasonably anticipated

168
Q

access control model with a network switch if it requires multilayer switches to use authentication via RADIUS/TACACS+

A

you need to use 802.1x for the protocol

the IEEE 802.1x standard is a network authentication protocol that opens ports for network access when an organization authenticates a user’s identity and authorizes them for access to the network
this defines port security
the user's identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server

169
Q

nmap

A

the world's most popular open-source scanning utility

170
Q

services.msc

A

the services console allows you to disable or enable Windows services

171
Q

dd tool

A

used to copy files, disks, and partitions, and it can also be used to create forensic disk images

172
Q

Nessus

A

proprietary vulnerability scanner developed by Tenable
although it does have the ability to conduct a port scan, its primary role is as a VULNERABILITY SCANNER

173
Q

LDAPS

A

provides mutual authentication of the client and the server
- because it's using TLS

174
Q

the five factors of authentication

A

knowledge - something you know
possession - something you have
biometric - something you are
action - something you do
location - somewhere you are

175
Q

PHI

A

protected health information

any info that identifies someone as the subject of medical and insurance records, plus their associated hospital and laboratory test results

this type of data is protected by the Health Insurance Portability and Accountability Act = HIPAA

it requires notification of the individual, the Secretary of the US Department of Health and Human Services (HHS), and the media if more than 500 individuals are affected in the case of a data breach

176
Q

credit card information is protected under

A

the PCI DSS information security standard

177
Q

war walking

A

walking around a building while locating WIRELESS networks and devices

it will not help find a WIRED ROGUE DEVICE
on a wired network, the following can be used to find rogue devices:
- checking valid MAC addresses against a known list
- scanning for new systems or devices
- physically surveying for unexpected systems

178
Q

ICMP

A

internet control message protocol

179
Q

nbtstat

A

diagnostic tool for NetBIOS over TCP/IP
used to troubleshoot NetBIOS name resolution problems

180
Q

harvesting

A

process of gathering data, normally user credentials

181
Q

SOW

A

statement of work

182
Q

MSA

A

master service agreement
parties agree to the terms that will govern future transactions/future agreements

183
Q

SLA

A

service level agreement

outlines the detailed terms
under which a service is provided
including reasons the contract may be terminated

184
Q

pass the hash = PtH

A

is the process of harvesting an account’s cached credentials when the user logs in to a single sign-on

185
Q

golden ticket

A

a Kerberos ticket that can grant other tickets in an Active Directory environment
attackers who can create a golden ticket can use it to grant admin access to other domain members, even domain controllers

186
Q

lateral movement

A

an umbrella term for a variety of attack types
compromising host credentials

187
Q

pivoting

A

attackers compromise one central host
- the pivot
that allows them to spread out to other hosts that would otherwise be inaccessible

188
Q

CSMA/CA

A

carrier-sense multiple access with collision avoidance

is a network multiple access method in which carrier sensing is used, but nodes attempt to avoid collisions by beginning transmission only after the channel is sensed to be idle

189
Q

IoC

A

indicators of compromise

190
Q

degausser

A

used to wipe magnetic media

191
Q

TTX

A

tabletop exercise:

RED TEAM - the adversary, attempting to penetrate the network or exploit it as a rogue internal attacker

BLUE TEAM - consists of system administrators, cybersecurity analysts and network defenders

192
Q

MECM

A

Microsoft Endpoint Configuration Manager

provides remote control
patch mgmt
sw distribution
OS deployment
network access protection
hw & sw inventory

193
Q

SaaS

A

sw as a service
any sw or application provided to users over a network such as the internet

eg Gmail

194
Q

private IP addresses

A

10.x.x.x
172.16-31.x.x
192.168.x.x

195
Q

APT ATTACK

A

An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

196
Q

CVSS

A

Common Vulnerability Scoring System

197
Q

OSINT

A

open-source
intelligence –>
refers to legally gathered information from free, public sources = information found on the internet

198
Q

TCP

A

Transmission Control Protocol
Transmission Control Protocol (TCP) is a communications standard that enables application programs and computing devices to exchange messages over a network. It is designed to send packets across the internet and ensure the successful delivery of data and messages over networks.

199
Q

FDE

A

full disk encryption

200
Q

CVE

A

common vulnerabilities & exposures

201
Q

IoCs

A

indicators of compromise:
telltale
signs that an attack has taken place
may include:
- file signatures
- log patterns
- etc
- may be found in file and code repositories

202
Q

OSINT

A

open source threat intelligence

203
Q

CISA

A

cybersecurity & infrastructure security agency

204
Q

forward proxy vs reverse proxy

A

A forward proxy deals with client traffic, regulating and securing it.
In contrast,
a reverse proxy shields servers by handling client requests, ensuring they reach the right server, and returning the results to clients, who are unaware of the server’s direct involvement.

205
Q

IPsec VPN Tunnel Mode vs IPsec VPN Transport Mode

A

Tunnel Mode provides end-to-end security by encrypting the entire IP packet,

while

Transport Mode only encrypts the payload of the packet.

Another difference is the use case: Tunnel Mode is used for connecting entire networks, while Transport Mode is used for host-to-host communication.

206
Q

RTOS

A

real-time operating systems
specialized OS designed for embedded systems (with limited resources) that require precise timing and deterministic behavior
- provide real-time scheduling (certain tasks will be completed within a specific timeframe –> critical for medical devices and automotive systems)
- designed to be lightweight and efficient, with a small memory footprint and low processing overhead

207
Q

SOAR

A

SOAR (security orchestration, automation and response)

208
Q

chown vs chmod

A

chown is an abbreviation for “change owner”, which is pretty self-explanatory. While chmod handles what users can do with a file once they have access to it, chown assigns ownership. Note that chmod commands never change who owns the files you’re working with.

209
Q

dd command in linux

A

The dd command is one of the most powerful and versatile tools in the Linux operating system. Often referred to as “data duplicator” or “disk destroyer,” dd is a command-line utility that can copy and convert data at a low level. Its capabilities range from creating disk images to performing data recovery operations.

210
Q

Cuckoo

A

A Cuckoo Sandbox is a tool that is used to launch malware in a secure and isolated environment; the idea is that the sandbox fools the malware into thinking it has infected a genuine host.

The sandbox will then record the activity of the malware and then generate a report on what the malware has attempted to do while in this secure environment.

Cuckoo is an open source automated malware analysis system. It’s used to automatically run and analyze files and collect comprehensive analysis results that outline what the malware does while running inside an isolated operating system.

211
Q

NIC teaming

A

Network Interface Card (NIC) teaming combines multiple network interface cards to work together as a single unit. The biggest advantage is the extra throughput you achieve with multiple interfaces.

NIC teaming can help in the following ways:
1) Bandwidth. Network bandwidth is a connection’s maximum total data transfer rate. NIC teaming aggregates two or more NICs, increasing the bandwidth.
2) Redundancy. One connection to one switch is a single point of failure. Teaming supports multiple connections.

Is NIC teaming the same as LACP?
There are two main kinds of NIC teaming:
1) Switch dependent. Also referred to as LACP, 802.3ad, or Dynamic Link Aggregation, this teaming method uses the LACP protocol to understand the teaming topology.

Three NIC teaming configurations are available:
1) Switch independent teaming—used when a switch does not support NIC teaming.
2) Static teaming—used for a switch that supports teaming but must be configured manually.
3) LACP teaming—used for a switch that supports the Link Aggregation Control Protocol (LACP).

212
Q

MAC scheme

A

a mandatory access control scheme

Mandatory access control is a centrally-managed access system.
MAC assigns each network user a security level.
It also assigns objects on the network with security attributes such as clearance levels and group identities. Users with the right security credentials can access protected objects.

Mandatory access control (MAC) is a security strategy that restricts the ability individual resource owners have to grant or deny access to resource objects in a file system.

What is the difference between mandatory and discretionary access control?
The main difference between discretionary access control and mandatory access control is the key factor of controlling resource access.
In discretionary access control, access is controlled by the resource users, while in mandatory access control, access is controlled by the system.

It isn't used to control access to administrator accounts!!

213
Q

What are the 4 types of access control?

A

There are four types of access control methods:

1) Mandatory Access Control (MAC),
2) Role-Based Access Control (RBAC),
3) Discretionary Access Control (DAC), and
4) Rule-Based Access Control (RBAC or RB-RBAC).

A method is chosen based on the level of access needed by each user, security requirement, infrastructure, etc.

214
Q

incremental vs differential backups

A

A differential backup strategy only copies data changes since the last full backup.
An incremental data backup strategy copies data changes since the last backup.

215
Q

security control categories

A

DESCRIBE HOW A CONTROL WORKS
1) technical - uses hw, sw, fw to reduce risk
2) managerial - administrative in function, documented in orgs security policy - focus on managing risk!!
3) operational: help ensure that the day-to-day operations of an org comply with the security policy // implemented by operational staff
4) physical: locks, fences, security guards

216
Q

security control types

A

DESCRIBE THE GOAL THAT THE CONTROL IS TRYING TO ACHIEVE
preventive
deterrent - to discourage
detective
corrective - to restore normal operations after an inc occurs
compensating - are alternative controls when a primary control is not feasible
directive - provide instructions to individuals on how they should handle security-related situations that arise

217
Q

increase availability by adding:

A

fault tolerance and redundancies, such as RAID
failover clusters
backups
generators

PATCHING: one way of ensuring systems stay available is keeping them up-to-date with patches

218
Q

redundancy

A

adds duplication to critical systems and provides FAULT TOLERANCE –> a system with fault tolerance can tolerate a fault
goal to remove SPOF

1) disk redundancy: fault-tolerant disks:
1.1 RAID-1 (mirroring)
1.2 RAID-5 (striping with parity)
1.3 RAID-10 (striping with a mirror)
all these allow a system to continue to operate even if a disk fails

2) server redundancy: FAILOVER CLUSTERS

3) network redundancy:
3.1 LOAD BALANCING (e.g. high-volume website)
3.2 NIC (network interface card) teaming: provides redundancy and increased bandwidth by putting two or more network cards in a single server

4) power redundancy:
4.1 UPSs
4.2 power generators

219
Q

scalability:
horizontal scaling
vertical scaling

A

to be able to increase the capacity to meet new demand
adding more servers alongside the existing ones –> horizontal scaling
vertical scaling: doesn’t add more servers but more RESOURCES: memory, processing power to individual servers // there is a limit based on the system (e.g. when a server only supports max 32GB of RAM)

220
Q

elasticity

A

automates scalability by having the system add and remove resources as needed

221
Q

what kind of control is a lock

A

physical, preventive and deterrent control

222
Q

firewall is an example of which security control?

A

technical & preventive control

223
Q

examples of technical controls

A

encryption
antivirus sw
IDSs & IPSs
firewalls
least privilege (individuals&processes are granted only the privileges they need to perform their assigned tasks or functions, but no more –> privileges are combination of rights & permissions)

224
Q

managerial controls

A

are administrative in function
documented in orgs security policy
these controls use planning and assessment methods to review the orgs ability to reduce and manage risk

1) risk assessments
1.1) quantitative risk assessment - uses cost and asset values to quantify risk based on monetary values
1.2) qualitative risk assessment - categorizes risk based on probability and impact
2) vulnerability assessments - attempt to discover current vulnerabilities

225
Q

operational controls

A

–> help ensure that the day-to-day operations of an org comply with the security policy
–> implemented by operational staff (instead of systems)

1) awareness & training // pwd security, clean desk policy, understand phishing etc
2) configuration & change management
3) media protection // USB flash drives, external & internal drives, backup tapes

226
Q

NIST

A

https://csrc.nist.gov/publications/sp800

The National Institute of Standards and Technology
is part of the U.S. Department of Commerce

  • they publish Special Publications (SPs) in the 800 series –> important reference for security community
  • SP 800-53: Security and Privacy Controls for Information Systems and Organizations –> 3 chapters discuss security controls + 3 appendices –> Appendix C: provides details on hundreds of individual security controls divided into 20 different families

227
Q

preventive controls

A

1) hardening
1.1) disabling unnecessary ports and services
1.2) implementing secure protocols
1.3) keeping a system patched
1.4) using strong pwds along with a robust pwd policy
1.5) disabling default and unnecessary accounts

2) training

3) security guards

4) account disablement process

5) IPS - Intrusion Prevention System can block malicious traffic before it reaches a network

6) change management processes - help prevent outages from configuration changes

228
Q

deterrent controls

A

some physical security controls used to deter threats:
1) warning signs
2) login banners

229
Q

what kind of control is a security guard

A

preventive & deterrent

230
Q

detective controls

A

1) log monitoring
2) SIEM systems –> Security information and event management systems
3) security audit
4) video surveillance –> CCTV (that is also a deterrent control)
5) motion detection
6) IDS

231
Q

corrective controls

A

attempts to reverse the impact of an incident or problem after it has occurred
purpose
–> getting things back to normal as quickly as possible
–> they restore the confidentiality, integrity, and/or availability

1) backups and system recovery
2) incident handling processes: defines steps to take in response to security incidents:
2.1) incident response policy
2.2) incident response plan

232
Q

an example of compensating control

A

employees have to use smart cards when authenticating to a system
to allow new employees to access the network and still maintain a high level of security the org might choose to implement TOTP (Time-based One-Time Pwd) as a compensating control –> which still provides a strong auth solution

233
Q

directive controls

A

are designed to provide instruction to individuals on how they should handle security-related situations that arise (not technical mechanisms)

1) policies, standards, procedures, and guidelines: step-by-step guidance on achieving a goal
2) change management

234
Q

change management - type of control?

A

operational
directive
preventive

235
Q

encryption -type of control?

A

preventive technical control

236
Q

fire suppression system - type of control?

A

physical technical control

237
Q

Windows Logs

A

viewable using WINDOWS EVENT VIEWER
1) Security log // functions as a security, an audit and an access log
2) System log
3) Application log

238
Q

network logs

A

on routers, fws, web servers, network IDS/IPSs
logging all traffic // logging all traffic that the device blocks // or both

239
Q

COW

A

Copy on Write

240
Q

TOU

A

Time-of-Use
type of race condition that occurs when an attacker can change the state of a system resource between the time it is checked and the time it is used

241
Q

TOC

A

Time-of-Check

242
Q

TOE

A

Time-of-Evaluation
type of race condition that involves the manipulation of data or resources during the time window when a system is making a decision or evaluation

243
Q

Mutex

A

mutually exclusive flag that acts as a gatekeeper to a section of code so that only one thread can be processed at a time

244
Q

Deadlock

A

occurs when two or more processes are unable to proceed because each is waiting for the other to release a resource

245
Q

race condition

A

software vulnerability where the outcome depends on the timing of events not matching the developer’s intended order

246
Q

3 main types of race condition

A

TOC –> Time-of-Check
TOU –> Time-of-Use
TOE –> Time-of-Evaluation

247
Q

to protect against a race condition,

A

users can use locks and mutexes to lock resources while a process is being run

248
Q

vulnerabilities lead to

A
  • unauthorized access
  • data breaches
  • system disruptions

249
Q

forms of attacks

A

unauthorized access
data theft
malware infections
denial of service attacks
social engineering

250
Q

how to fix the vulnerabilities

A

1) hardening the system
2) patching
3) enforcing baseline configurations
4) decommissioning old and insecure assets
5) creating isolation or segmentation for devices

251
Q

Bluetooth attacks

A
  • bluesnarfing
  • bluejacking
  • bluebugging
  • bluesmack
  • blueborne

252
Q

mobile phone vulnerabilities and attacks

A

side loading
jailbreaking
insecure connection methods (wifi & bluetooth)

253
Q

methods that mitigate these vulnerabilities

A

1) patch management
2) mobile device mgmt solutions
3) preventing sideloading and rooting of devices

254
Q

OS vulnerabilities

A

1) unpatched systems
2) zero-day Vulnerabilities
3) misconfigurations
4) data exfiltration
5) malicious updates

255
Q

how to protect against the above

A

1) patching
2) encryption of data
3) utilizing host-based firewalls
4) configuring access controls and permissions
5) configuration management
6) installing endpoint protection
7) implementing Host-Based IPS
8) Requiring the Use of Application Allow Lists

256
Q

XML Injection

A

Security vulnerability that targets web applications that process XML data (extensible markup language)

to protect your server when it receives XML data:
Input Validation
Input Sanitization
Encryption (TLS)
*******
otherwise it is vulnerable to
snooping
spoofing
request forgery
injection of arbitrary code

257
Q

XSS Cross-Site Scripting

A

web security vulnerability where malicious scripts are injected into web pages viewed by other users / to compromise the site’s visitors
it gets you to run some kind of a malicious script that bypasses normal security mechanisms

258
Q

XSRF Cross-Site Request Forgery

A

Web security exploit that focuses on an attacker who attempts to trick a user

259
Q

buffer overflow

A

sw vulnerability that occurs when a program writes more data to a memory buffer than it can hold

occurs when data exceeds allocated memory, potentially enabling unauthorized access or code execution
==========================
buffer overflow attacks in IT are being used as the initial vector!!, causing 85% of data breaches

260
Q

race condition

A

sw vulnerability that occurs when multiple processes or threads in a concurrent system access shared resources or data simultaneously - this can lead to unpredictable outcomes

261
Q

firmware

A

specialized form of software stored on hardware device, like a router or a smart thermostat, that provides low-level control for the device’s specific hardware

262
Q

device spoofing (Bluetooth)

A

occurs when an attacker impersonates a device to trick a user into connecting

263
Q

On-Path-Attack

A

exploits Bluetooth protocol vulnerabilities to intercept and alter communications between devices without either party being aware

264
Q

Bluejacking

A

an attacker sends unsolicited messages often as a prank or to test the vulnerabilities

265
Q

Bluesnarfing

A

unauthorized access to steal
contacts
call logs
text messages

266
Q

Bluebugging

A

make calls
send text messages
access the internet

267
Q

Bluesmack

A

denial of service, causes the device to crash or become unresponsive

268
Q

Blueborne

A

infects the device over the air without any intervention from the user

269
Q

Bluetooth best practices

A

1) turned off when not in use
2) device set to NON DISCOVERABLE mode by default
3) regularly updating to the latest fw to address any known vulnerability
4) only pairing with known and trusted devices
5) always using unique PINs or passkeys
6) being cautious of unsolicited connection requests
7) using encryption for sensitive data transfers

270
Q

Bluetooth vulnerabilities

A

Insecure Pairing
Device Spoofing
On-Path Attacks

271
Q

mobile vulnerabilities

A

Sideloading
Jailbreaking and Rooting
Insecure connection methods

272
Q

Sideloading

A

the practice of installing applications on a device from unofficial sources which actually bypasses the device’s default app store

273
Q

Jailbreaking/Rooting

A

process that gives users escalated privileges on the devices and allows users to circumvent the built-in security measures provided by the devices –> usually done for the purposes of customization

274
Q

Insecure connection methods (mobile vulnerabilities)

A
  • avoid open Wi-Fi and unknown Bluetooth pairings for security (use your own data cellular connection)
  • long, strong, and complex password
  • 802.1x authentication methods

275
Q

MDM

A

Mobile Device Management Solution
used to conduct patching of the devices by pushing any necessary updates to the devices to ensure that they are always equipped with the latest security patches
+
standardized configuration

276
Q

SQL Injection

A

Structured Query Language
Select, Insert, Delete, Update

=======================
the attacker enters the injection parameter:
by entering data
modifying cookies
changing POST data
Using HTTP headers

=========================
how to prevent it:
1) input validation
2) use a web application firewall (between the client and the web server)

277
Q

XML Bomb
(Billion Laughs Attack)

A

XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it

278
Q

XML External Entity (XXE)

A

An attack that embeds a request for a local resource

279
Q

Is it HTML / JavaScript / XML question?
Font | Image | Href

280
Q

Question | ID | Type | Element | Entity

A

that is going to be an XML question

281
Q

4 steps of a XSS Cross-Site Scripting Attack

A

1) Attacker identifies an input validation vulnerability within a trusted website

2) Attacker crafts a URL to perform code injection against the trusted website (and spread the link via email, post etc)

3) The trusted site returns a page containing the malicious code injected

4) Malicious code runs in the client’s browser with the same permission level as the trusted site

282
Q

functions of XSS Cross-Site Scripting Attack

breaks the browser’s security and trust model

A

1) defacing the trusted website
2) stealing the user’s data
3) intercepting data or communications
4) installing malware on client’s system

283
Q

https://xss-game.appspot.com

284
Q

Non-Persistent XSS

A

This type of attack only occurs when it’s launched and happens once

285
Q

Persistent XSS

A

Allows an attacker to insert code into the backend database used by that trusted website

286
Q

Document Object Model (DOM) XSS Attack

A

Exploits the client’s web browser using client-side scripts to modify the content and layout of the web page

DOM XSS runs with the logged in user’s privileges of the local system

287
Q

document.cookie
document.write

A

it's a DOM-based cross-site scripting

288
Q

session management

A

enables web applications to uniquely identify a user across several different actions and requests
by server-side tracking
by cookie tracking

289
Q

types of cookies

A
  • persistent
  • non-persistent (session)

290
Q

non-persistent (session) cookie

A

resides in memory and is used for a very short period of time (deleted afterwards)

291
Q

persistent cookies

A

stored in the browser cache until either deleted by a user or expired

292
Q

session hijacking

A

type of spoofing attack where the attacker disconnects a host and then replaces it with his or her own machine by spoofing the original host IP

293
Q

Session Prediction Attack

A

type of spoofing attack where the attacker attempts to predict the session token in order to hijack the session
–> session tokens need to be generated using a non-predictable algorithm

294
Q

XSRF
- Cross-Site Request Forgery

A

Malicious script is used to exploit a session started on another site within the same web browser

295
Q

how to prevent XSRF
(Cross-Site Request Forgery)

A

1) use user-specific tokens in all form submissions
2) add randomness and prompt for additional information (passwords - MFA)
3) Require users to enter their current password when changing their password

296
Q

what is buffer

A

a temporary storage area where a program stores its data

297
Q

Stack

A

a memory region where a program stores the return addresses from function calls

298
Q

“Smashing the Stack”

A

Occurs when an attacker can execute their malicious code by overwriting the return address (in the stack)

299
Q

NOP Slide

A

took a pic

300
Q

mitigation against a buffer overflow attack

A

ASLR

Address Space Layout Randomization

A security measure that randomizes memory addresses, making buffer overflow attacks harder for attackers

301
Q

Dereferencing

A

A fundamental operation in programming, and the vulnerabilities arise from unsafe or concurrent usage, particularly in scenarios involving race conditions

302
Q

Dirty COW (Copy On Write)

A

Popular 2016 exploit, showcasing a race condition exploitation

303
Q

types of DDoS

A

1) denial of service
2) amplified distributed denial of service
3) reflected distributed denial of service

304
Q

DNS attacks

A

1) DNS cache poisoning
2) DNS amplification attacks
3) DNS tunneling
4) Domain hijacking
5) DNS zone transfer attacks

305
Q

IoCs

A

1) account lockouts
2) concurrent session utilization
3) blocked content
4) impossible travel
5) resource consumption
6) resource inaccessibility
7) out of cycle logging
8) published documents that you have been hacked
9) missing log files

306
Q

ICMP

A

The Internet Control Message Protocol (ICMP) is a network layer protocol used by network devices to diagnose network communication issues. ICMP is mainly used to determine whether or not data is reaching its intended destination in a timely manner.
Is ICMP the same as ping?
ICMP is one of the protocols of the TCP/IP suite. The ICMP echo request and the ICMP echo reply messages are commonly known as ping messages.

307
Q

types of flood attacks

A

a) ping flood (ICMP echo - ICMP internet control message protocol) –> to prevent: many organisations are simply blocking ECHO replies and having firewalls drop these requests / the attacker gets a request timeout message

b) SYN Flood / an attacker will initiate multiple TCP sessions but never complete the three-way handshake –> to prevent this from occurring
1) FLOOD GUARDS can be installed in the network (can be a feature in some routers & firewalls)
2) Timeout can be configured on those half open requests after a period of time (say 10, 15, 30 seconds)
3) IPS

308
Q

PING FLOOD

A

ping flood (ICMP echo - ICMP internet control message protocol) –> to prevent: many organisations are simply blocking ECHO replies and having firewalls drop these requests / the attacker gets a request timeout message

309
Q

SYN Flood

A

an attacker will initiate multiple TCP sessions but never complete the three-way handshake –> to prevent this from occurring

310
Q

how to prevent SYN FLOODs

A

1) FLOOD GUARDS can be installed in the network (can be a feature in some routers & firewalls)
2) Timeout can be configured on those half open requests after a period of time (say 10, 15, 30 seconds)
3) IPS

311
Q

PERMANENT DENIAL OF SERVICE - PDoS

A

an attack which exploits a security flaw by reflashing firmware, permanently breaking a networking device

312
Q

Fork Bomb

A

a large number of processes is created to use up a computer’s available processing power
(not a worm, because it runs only inside the processor’s cache on a single computer)

313
Q

DNS Amplification Attack

A

specialized DDoS that allows an attacker to initiate DNS requests from a spoofed IP address to flood a website

314
Q

how to prevent DNS Amplification Attack

A

1) Blackholing/Sinkholing: attacking IP addresses are identified and their traffic routed to a non-existent server through a null interface - this will stop the attack / attackers can move to a new IP and restart the attack all over again / only a temporary solution
2) IPS / for smaller scale attacks as you need a lot of processing power to handle a big DDoS
3) ELASTIC CLOUD INFRASTRUCTURE / one of the most effective methods, where you can scale up when the demand increases, you can ride out a DDoS attack –> very expensive when you scale up
specialized cloud providers that have taken on this challenge to ride out DDoS attacks:
CLOUDFLARE
AKAMAI

315
Q

DNS Attacks