Main Flashcards
Prepending
Two seperate definitions
1. Making a message appear more trustworthy by adding text before the message. E.g adding [SAFE] to the subject of an email.
2. Url high hijacking technique where the attacker puts text at the beginning of their typosquatted URL https://pprofessormesser.com/
Pharming
Similar to phishing but attacking DNS in order to redirect to your malicious site in order to harvest credentals.
Pretexting
A fictitious scenario added to a conversation to make a request more believable. Used by attackers in social engineering.
Hoaxes
A threat that doesn’t actually exit.
e.g Email chain about fake cyber attack
Methods for identifying spam
- Allowed list, trusted senders
- SMTP standards checking, block emails that don’t meet RFC standards
- rDNS, reverse DNS, block email where sender’s domai doesn’t match IP address
- Tarpitting, intentionally slow down server conversation
- Recipient filtering, block all email not addressed to valid recipient email address
Credential harvesting
Grabbing all the credentials stored on a PC, phone, etc
Principles of Social Engineering
- Authority
- Intimidation
- Consesus / Social Proof
- Scarcity
- Urgency
- Familiarity / Liking
- Trust
Types of malware
- Virus
- Crypto-malware
- Ransomware
- Worms
- Trojan horse
- Rootkit
- Keylogger
- Adware/Spyware
- Botnet
Virus
Malware that can reproduct itself through file systems or network. Key difference between worms: Virus requires user input to spread, like opening a malicious file
Worms
Malware that self-replicates across a network with no user interaction
Crypto-malware
Newer generation of ransomware, pay the bad guys for your data back. This is what you think of when you think “ransomware”
Ransomware
Malware that attempts to extort money from the target. May or may not encrypt data
Trojan horse
Malware that pretends to be something else, e.g Rouge AV
Rootkit
Malware that modifies core system files, can be invisible to the operating system and traditonal AV
e.g Malicious kernel drivers
Rainbow tables
Optimized pre-built set of hashes
Salt
Random data added to password when hashing. Every user gets own random salt. Stops rainbow tables. Slow down brute force process. Same password will create different hashes depending on the salt.
Machine learning attacks
- Poison the training data
- Find ways to evade the AI. E.g Holes in an AI based IPS or IDS
Birthday attack
Find a collison through brute force. Generate multiple versions of plaintext to match hashes.
Downgrade attack
Attacker forces the system use a worse form of encryption if it is supported.
Replay attack
Gather network information with a tap ARP poisoning, malware, or protocol analyzer. Then resend the information collected to the server, maybe it will be accepted as valid.
SSRF
Server side request forgery. Attacker tells the web server to do something, and it does it. Caused by bad programming and not checking for who sent the request.
Shimming
Code that acts as an adapater for backwards compatibility. Often written by malware developers.
Metamohpric Malware
Refactors itself to make it appear different each time. Intelligently redesigns itself.
SSL Stripping / HTTP Downgrade
Attacker sits in middle of conversation between victim and server. Attacker essentially has all the encryption keys, so it can decrypt the HTTPs data, giving plaintext. Attacker reads everything, but the victim thinks he’s running HTTPS the entire time.
Bluejacking
Sending unsolicited messages to another device via bluetooth
Bluesnarfing
Access a bluetooth-enabled device and transfer data
e.g Contact list, calendar, email, pictures, video, etc
Cryptographic nonce
Arbitrary number that is used only once in a cryptograhic process. Usually a random or psuedo-random number or a counter. A salt is an example of a nonce.
Initalization Vector (IV)
Type of nonce. Used for randomizing an encryption scheme.
MAC Flooding
Filling up the MAC table on a switch, forcing ou tthe legitmate MAC addresses. The switch will begin to flood out on all interfaces, turning the switch into a hub. Attacker can then easily capture all network traffic.
DNS poisoning
Modify the DNS server, change it so that DNS lookups give the responses that the attacker desires. Can be used to highjack domains, get victims to go to your malicious site, DOS.
URL Highjacking Techniques
- Typosquatting / brandjacking, takes advantage of poor spelling
- Outright mispelling
- Typing error
- Different phrase in URL
- Different top-level domain, e.g .org instead of .com
Types of threat actors
- Insiders
- Nation states
- Hackitivst
- Script kiddies
- Hackers
- Shadow IT
- Organized crime
- Competitors
Broad categories of threat intelligence
- Open source
- Closed/proprietary
Threat intelligence sources
- Vulnerability databases
- Information-sharing centers
- Automated indicator sharing (AIS)
- Indicators of compromise (IOC)
- Predictive analysis
- Dark web intelligence
- File/code repos
- Threat maps
Automated Indicator sharing (AIS)
Enables real-time exchange of machine-readable cyber threat indicators through a server/client architecture for communications.
TTP
Tactics, techniques, procedures used by adversaries
Threat hunting
Find the attacker before they find you
Types of vulnerability scans
- Non-intrusive
- Intrusive
- Credentialed
- Non-credentialed
Syslog
Standard for message logging, needs a lot of disk space, used on central log collector integrated into the SIEM
SOAR
Security orchestration, automation, and response
- Orchestration - Connect many different tools together
- Automation - Handle security tasks automatically
- Response - Make changes immediately
Pentester’s process
- Recon / footprinting
- Inital exploitation
- Lateral movement
- Persistence
- Pivoting
Security teams
- Red team
- Blue
- Purple - Red and blue working together
- White - Refs
Baseline configuration
Established reference point for integrity measurement checks.
Data masking
Techniques used to obfuscate sensitive data
Data states
- At rest
- In transit - Over network
- In use - Ram
Tokenization
Replace sensitive data with non-sensitive placeholder
IRM
Information Rights Management.
Technology used to limit the scope of what users can do with data. e.g Preventing copy past, screenshotting, printing, etc
Site resilliency: Types of sites
- Hot - Exact replica
- Warm - Between hot and cold
- Cold - Electricity, building, not much else
DNS Sinkhole
DNS that hands out incorrect IP addresses
Types of cloud models
- IaaS Infrastructure as a service - Sometimes called hardware as a service
- PaaS Platform - Someone else handles the platform you handle development, no servers, no software, no maintenance team, no HVAC
- SaaS Software - On demand software, no local installation
- XaaS Anything - Broad description of all cloud models
0 octal
000
1 octal
001
2 octal
010
3 octal
011
4 octal
100
5 octal
101
6 octal
110
7 octal
111
Data governance
Processes used by an organization to manage, process, and protect data. Used to ensure availability, readability, integrity, and security of data. Also, used to comply with external laws and regulations.
HIPAA
Health insurance portability and accountability act. A data governance regulation. Mandates that organizations protect health information.
GLBA
Gramm-leach Bliley act. Data governance regulation that requires financial institutions to provide consumers with a privacy notice explaining what information they collect and how it is used.
SOX
Sarbanes-oxley act. Data governance regulation that requires that executives take individual responsibility for the accuracy of financial reports.
GDPR
General data protection regulation. Data governance regulation that mandates the protection of privacy data for individuals who live in the EU
Data retention policy
Specifies how long data is retained and sometimes specifies where it is stored.
Blank
TCP 21, 22
SSH Port
TCP 22
DNS Port
53 tcp for zone transfers
53 udp for name resolution queries
NTP Port
UDP 123
BGP
Border gateway protocol
Enables exchange of routing information between autonomous systems
TCP 179
IPSec port
Uses internet key exchange (IKE) over port 500 UDP
RDP port
TCP 3389
POP3, secure POP ports
TCP 110 unencrypted
TCP 995 encrypted
Imap4 and encrypted imap ports
TCP 143 unencrypted
TCP 993 encrypted
Smtp and smtp-over-TLS port
TCP 25 unencrypted
TCP 587 for email encrypted with tls
Telnet port
TCP 23
FTP ports
Active mode: TCP 21 control signals, TCP 20 for data
Passive mode: TCP 21 control signals, random TCP port for data
Sftp
TCP 22
Secure FTP
Inherently secure. Unlike FTPS, which just adds a layer of security with TLS. Both are secure though.
Used by SSH for file transfers. Not FTPS!
LDAP, LDAPS
Lightweight Directory Access Protocol
LDAP TCP 389
LDAPS TCP 636
LDAP specifies the formats and methods used to query directories. Commonly is used to store information for authentication.
SSTP ports
Secure socket tunneling protocol
Encrypts VPN traffic using tls on port TCP 443
TFTP Port
Trivial file transfer protocol
UDP 69
Kerberos port
UDP 88
Ping
Ping -t 172.26.5.1, continuous
Ping -c 4 172.26.5.1, 4 times
Ipconfig
Ipconfig /all
Ipconfig /flushdns, flush dns cache
Ipconfig /displaydns, show dns cache
Ifconfig
Ifconfig -a, similar to ipconfig /all
Ifconfig eth0, show conf. eth0
Ifconfig eth0 promisc, enable promisc mode, process all traffic
Ifconfig eth0 allmulti, enable multicast mode, process all multicast traffic
Ifconfig eth0 -allmulti, disable multicase mode
Ip (tool)
Ip link show, show interfaces
Ip link set eth0 up, enable eth0
Ip -s link, show network stats
Netstat
Netstat -a, show all tcp udp ports being listened on
Netstat -r, show routing table
Netstat -e, show network stats
Netstat -s, show net stats for specific protocols
Netstat -n, show addresses and ports in numerical order
Netstat -p protocol, show stats on specific protocol
Netstat, show open TCP connections
You can combine options. E.g netstat -anp tcp
Tracert
Windows
tracert google.com, show hops between system and Google
racert -d google.com, don’t resolve IP addresses to host names, makes command faster
Traceroute
Linux
Traceroute -n google.com, don’t resolve IPs
Pathping
Sends pings to hops on routes. Computes statistics depending on responses to pings.
Pathping -n google.com
If a hop has 100% packet loss. Chances are it is just blocking icmp. If it really is bad, then all other hops from that point on in the path must also be dropping 100%.
Arp
Windows and Linux
Arp, help on windows, arp cache linux
Arp -a google.com, show arp cache entry for specified ip
Arp -a, show entire cache on windows
Tail
Tail -n 15 /var/log/messages, show last 15 lines.
Tail /var/log/messages, show last 10 lines
Logger
Linux
Add entires to /var/log/syslog
Journalctl
Linux
Query linux system logging utility called journald.
Journalctl – since “1 hour ago”, show logs only in journals.
Journalctl –list-boots, show boot logs
FAR
False acceptance rate
Biometrics
FRR
False rejection rate
Biometrics
CER
Crossover error rate
Point on graph of sensitivity (x), error percentage (y), where FAR and FRR intersect. Increasing or decreasing sensitivity at this point will cause one of the error rates to go up and the other to go down. Lower CER means a better biometric accuracy.
Role-BAC
Role based access control
Uses roles to manage rights and permissions for users. Roles are often implemented as groups. Think Microsoft security groups.
Admins have complete access
Executives have access to data on any project on server but can’t change server settings
Project managers have full control over their own projects but not any other teams projects
Team members can do work that project managers assign them but have little access outside of it.
Rule-BAC
Rule based access control
Uses rules. Common example is rules in routers and firewalls, which use access control lists to contain and organize the rules. Some rules are static, others might be modified on the spot.
DAC
Discretionary access control
Objects (files, folders, etc) have an owner, the owner establishes access for the objects. Example is NTFS used in windows, which allows users and administrators to restrict access to files and folders with permissions.
SID
Security identifier. Used in windows discretionary access control. Long string of characters used to identify users.
MAC (not network)
Mandatory access control
Uses labels to determine access. Admins assign labels to objects and users. If the labels match, then the user has access. Example SELinux. A lattice chart is used to layout the scheme.
ABAC
Attribute-based access control
Evaluates attributes and grants access based on the value of these attributes. Example, Homer has attributes employee, inspector, nuclear aware. A file server has a share called inspector, that grants access to the folder for any user that has the attributes employee, inspector, nuclear aware.
Many SDNs use ABAC schemes instead of rules on physical routers.
Conditional access
Used with traditional access control schemes but adds additional capabilites with if then statements. Policies in conditional access use signals which are similar to attributes in an ABAC scheme. Implemented in Microsoft azure active directory.
Jump server
Hardened server used to access and manage devices in another network with a different security zone.
Screened subnet
Aka DMZ. Buffered zone between a private network and the internet. Will contain some internet facing servers surrounded by firewalls such that the internal network is protected.
Network address translation gateway
Hosts NAT and provides internal clients with private IPs a path to the internet.
Zero trust network
Doesn’t trust any device by default even if the device was previously verified. Security model based on the principle of Zero trust. Can be implemented by requiring multifactor authentication.
UTM
Unified threat management
Single solution that combines multiple security controls. An appliance that performs URL filtering, malware inspection, content inspection, DDoS mitigation, etc
MSP
Managed Service provider. A cloud service provider that provides network connectivity managment, backup and disaster ecovery, growth management and planning
MSSP
Managed Security Service Provider. A cloud service provider for firewall management, patch managemnt, security audits, emergency response.
Fog computing
Cloud that’s close to your data. Cloud + IOT = Fog computing. Immeditate data stays local so no latency. No bandwith requirements. Privdate data never leaves - minimizes security concerns. Local decisons made from local data.
Eslasticity
Scale up, down, out and in as it is required (automatically)
FaaS
Function as a service. Applications are seperated into indvividual, autonomous functions. Remove operating system from the equation. Runs in stateless compute container.
VPC
Virtual private cloud. Pool of resources created in a public cloud.
SDN
Software Defined Networking. (Infrastructure as code)
SDV
Software Defined Visibility. (infrastructure as code)
Deployment stages
- Test - Still in development
- QA
- Staging - Looks and feels like a production environment
- Production
SQL Secure coding
- Stored procedures
Software diversity
Using alternative compiler paths to result in a different binary each time compiled. An exploit for one version of the binary should not affect many others.
Continuous Integration
Code constantly written and merged int ocentral repo everyday.
CD
Continuous delivery/deployment. Continuous delivery means automate the testing and release process, cllick and button and deploy the application. Continuous deployment means automatically deploy to production with no human integration or manual checks.
Federation
Providing network access to thrid parties such as partners, suppliers, customers, etc. A federated network allows authentication between two organization.
Attestation
Prove the hardware is really yours.
TOTP
Time based one time password. Secret key and time of day, no counter.
HOTP
HMAC based one time password. Based on secret key and counter.
Biometric authentication methods
- Fingerprint
- Retinal
- Iris
- Voice recognition
- Facial
- Gait anlysis
- Veins
AAA
Idebtification, Authetication, authorization, accounting
Factors of authentication
- Something you are
- Somewhere you are
- Something you can do - Handwriting analysis, you’re special
- Something you know
- Something you have
Disk redundancy techniques
- Multipath I/O
- RAID
- Multiple drives
RAID types
- RAID 0 - Striping without parity, high performance, no fault tolerance
- RAID 1 - Mirrioring, Duplicates data for fault tolerance but requires twice the disk space
- RAID 5 - Striping with parity, Fault tolerant and only requires an additonal disk for redunancy
- RAID 0+1, RAID 1+0, RAID 5+1, Multiple raid types, Combine raid methods to increase redundancy
Network redundancy techniques
- Load balancing
- NIC teaming
Power redundancy techniques
- UPS
- Generator
- Dual pwoer supply
- PDU - Power distribution unit, provides power to multiple power outlets usually in a rack
Backup types
- Full
- Incremental - All changes since last incremental
- Differential - All changes since last full
NAS
Network attached storage. Connect to a shared storage device across the network and get file-level access to it.
SAN
Storage area network. Looks and feels like a local stroage device. Block level access, very efficient reading and writing.
HA
High availability
SoC
System on a chip. Multiple components running on a single chip, common with embedded systems.
FPGA
Field Programmable gate array Integrated circuit that can be configured after manufacturing. Common in firewall logic and routers.
ICS
Industrial control systems. Like SCADA
RTOS
Real time operating system. OS with a deterministic processing schedule. No time to wait for other processes. Found in industrial equipment, automobiles, and military environments. Extremely sensitive to security issues.
SIM
Subscriber identity module. SIM card.
Narrowband
Form of embedded system communication. Communicate analog signals over a narrow range of frequencies.
Baseband
Form of embedded systems communication. Generally a single cable with digital signal, copper or fiber. Uses all bandwith, utilization either 0% or 100%.
Air gap
Physical seperation between networks.
Zigbee
IOT Networking open standard. Alternative to WiFi or bluetooth. Longer distances than bluetooth, less power consumption than WiFi.
Cipher
Algorithm uses to encrypt and/or decrypt
Ciphertext
Encrypted message
Key strengthing techniques
- Key streching - Larger keys tend to be more secure
HE
Homomorphic encryption. Perform calculations on data white it’s encrypted.
Symmetric vs asymmetric encryption
- Symmetric - Doesn’t scale well
- Symmetric is faster
ECC
Eliptic curve cryptography. Asymmetric.
Digital signature
Prove message was not changed - Integrity. Prove source of message - Authentication. Make sure signature isn’t fake - Non-repudiation.
PFS
Perfect forward secrecy. Refers to encryption system that changes the keys used to encrypt and decrypt.
Stream cipher
Encryption is done one bit or byte at a time. High speed, low hardware complexity. Used with symmetric encryption. Starting state should never be the same twice. Often combined with an IV
IV
Initalization vector
Block cipher
Encrypt fixed-length groups. Used with symmetric encryption. Different modes of operations. e.g ECB, CBC, CTR, GCM
ECB
Electronic code block. Block cipher mode of operation. Simplest mode. Each block encrypted with same key, identical plaintext blocks create identical ciphertext blocks.
CBC
Cipher block chaining. Mode of block cipher operation. Each plaintext block is XORed with the pevious ciphertext block.
CTR
Counter. Mode of block cipher operation. Block cipher acts like a stream cipher, encrypts successive values of a counter.
GCM
Galois/Counter mode. Mode of block cipher operation. Combines counter mode with galois authentication. Very efficient encryption and authentication. Commonly used with packetized data such as in TLS.
SRTP
Secure Real-Time transport protocol.
Secure protocol for audio and video traffic.
S/MIME
Secure/Multipurpose Internet mail extensions
Public-private key encryption mechanism that allows for the protection of the information within emails. As well as digital signatures for integrity. Requires PKI.
SNMPv3
Simple Network Management protocol version 3. Secure protcol for managing network devices.
EDR
Endpoint detection and response. Detecting threats on an endpoint, investigating, and responding.
DLP
Data loss prevention
TPM
Trusted platform module. Specification for cryptographic functions. Hardware to help with cryptographic functions.
East-west and North-south traffic
East-west traffic - Traffic between devices in the same data center.
North south traffic - Ingress/egress to an outside device
L2TP
Layer 2 tunneling protocol. Commonly implemented with IPSec. Can be used as a tunneling protocol for VPNs.
AH
Authentication header. Member of the IPSec protocol suite.
ESP
Encapsulating security payload. Member of the IPSec protocol suite.
IPSec modes
Transport mode. Tunnel mode.
QoS
Quality of service. Describes process of controlling traffic flows.
FIM
File integrity monitoring. Some files should never change.
Stateless firewall
Does not keep track of traffic flows.
Stateful firewall
Keeps track of traffic flows. Remembers the “state” of the session.
WAF
Web application firewall.
COPE
Corporate owned personally enabled. Device deployment model. Employees free to use device as if it was their personally owned device. But the organization purchases it and owns it.
BYOD
Bring your own device. Device deplyoment model. Employees can being their own mobile device to work and attach them to the network. Employee is responsible for selecting and supporting the device, typically must comply with a BYOD policy when connecting to the network.
CYOD
Choose your own device. Device deplyoment model. Employees selects a device from a list of acceptable devices. Employee purchases and brings the device to work.
HSM
Hardware security module. High end cryptographic hardware.
CEO Fraud
Sending fake emails from senior executives.
Invoice fraud
Impersonating a trusted colleague or vender to request payment or money transfer,
Footprinting
Gathering information about computer systems and their entities.
Virus hoax
Typically harmless messages that spread through social engineering often using sensational claims and urging users to forward the message to warn others about a fake cyber threat.
Watering hole attack
Attempts to discover which websites a group of people are likely to visit and then infects those websites with malware that can infect the visitors/
Influence campaign
Hacking public opinion. Often run by nation state actors to divide individuals or persuade them. Frequently performed using social media with lots of fake or bot accounts, and relies on real users to spread the misinformation.
Change control meetings
Discussing changes to IT infrastructure. Important to use standaridzed naming and numbering conventions in ensure efficient communication during such meetings.
Confusion (encryption)
Ensures ciphertext is very different from the original plaintext.
Diffusion (encryption)
Ensures that a small change in the plaintext results in a significant change in the ciphertext.
DNSSEC
Domain Name System Security Extension. Provides a means of validating the information recieved from a DNS server so that it really did come from the server that was requested and that the information was not changed as it went through the network.
FTPS
TCP 989, 990
File transfer protocol secure.
Uses TLS or SSL to encrypt FTP. Unlike SFTP, not inherently secure, just an added layer of security with TLS/SSL.
Phishing
Creating a fake website or communication that closely resembles an authentic one to deceive users.
Principles of social engineering
- Authority
- Scarcity
- Familiarity
- Intimidation
- Consensus
- Urgency
- Trust
TAXII
Trusted Automated eXchange of Indicator Information.
An open standard that defines a set of services and messages exchanges used to share information. Provides a standard way for organizations to exchange cyber threat information.
STIX
Structured Threat Information eXpression.
An open standard that indentifies what cyber threat information organizations should share. Provides a common language for addressing a wide range of cyber threat information. STIX data is shared via TAXII.
Known-plaintext attack
Attacker knows both plaintext and its corresponding ciphertext. He uses this information to determine the encryption/decryption method and perhaps reveal keys. He can then decrypt all messages.
Chosen plaintext attack
Attacker knows the ciphertext but not all of the plaintext, only a “chosen” part of it. He then uses various techniques to attempt to decrypt the chosen part, which will allow him to decrypt all messages.
Ciphertext only attack
Attacker doesn’t have any information on the plaintext. He must work with the ciphertext only.
DHCP Starvation
Attacker floods network with IP address lease requests. DHCP server runs out of IPs.
Horizontal Priv esc
Attacker gains access to resources that would only normally be available to a user of a higher privledge level. Does not necessarily have to be an administrator or root account.
Veritcal Priv esc
Attacker gets administrative or root access to a system via a vulnerability
TOCTOU
Time of check to time of use attack
Attacker exploits a race condition in order to do somethign malicious with data after the operating system verifies access is allows (time of check) but before the operating system performs a legitmate action (time of use)
Rogue AP
An AP placed wthin a network without official authorization. Might be used to bypass security and gain access to the network or to sniff traffic. 802.1X authentication can prevent this by requiring users to provide a username, password or other type of authentication before being allowed access to the network.
EAP
Authentication method for wireless networks. However, it can also be used anywhere an 802.1x server is used. Provides method for two systems to create a secure encryption key called pairwise master key. Systems then use the key to encrypt data between them.
PEAP
Protected EAP
Extra layer of protection for EAP. Encapsulates the EAP conversation in TLS tunnel. Requires certificate on the server but no on the clients.
EAP-FAST
EAP-Flexible Authentication via Secure Tunneling
Built by Cisco. Supports certificates but they are optional.
EAP-TLS
Requires certificates on both the 802.1X server and the clients.
EAP-TTLS
EAP-Tunneling TLS
Extension of PEAP that allows systems to use older authentication methods such as PAP. Requires certificate on the 802.1X server but not the clients.
IEEE 802.1X
Requires users to authenticate when connecting to a wireless AP or plugging into a port. Can be implemented as a RADIUS or Diameter server. Supports usernames and passwords as well as certificates.
Enterprise mode
WPA2 mode. Forces users to authenticate with unique credentials when connecting to the network. Uses an 802.1X server, often implemented as a RADIUS server.
SAE
Simultaneous authentication of equals. Used in WPA3, variant of dragonfly key exchange which is based on diffie hellman.
RADIUS Federation
Creating a federation using 802.1X and RADIUS servers
WPS
Wi-fi protected setup.
Press a button on the printer to connect to its Hotspot. Enter a pin to connect your phone to the AP.
IV attacks
Discover the initialization vector and use it to discover the pre-shared key.
Bluebugging
Blursnarfing, but the attacker installs a backdoor. Allowing them to listen to comms, send messages, etc remotely from the victims device.
VPN Tunneling Protocols
- IPSEC in tunnel mode
- SSL/TLS
- L2TP - Layer 2 tunneling protocol
IPSec tunnel mode
Used as a tunneling protocol to encrypt VPN comms. In this mode both the payload and headers of the IP packet are encrypted.
IPSec transport mode
Only the payload of the IP packet, not headers. Not used for VPNs usually unless you don’t care about internal IPs being exposed.
ESP
Encapsulating security payload
Protocol number 50
Encrypts data in IPSec. Includes AH.
AH
Authentication header.
Protocol number 51.
Allows hosts in an IPsec communication to authenticate with each other before exchanging data.
VPN: Full tunnel
When connected to the VPN, all traffic regardless of destination will be tunneled through the VPN.
VPN: split tunnel
Admin determines which specific traffic should be tunneled through the VPN. Perhaps he will restrict it to traffic destined for the internal network only.
Site-to-site VPN
Uses two VPN servers to act as gateways for two geographically separated networks. The process of accessing resources in the remote network is seemless from the user’s perspective.
Direct/remote access VPN
Allows users to access private networks via a public network. Process is NOT seemless to the user, as the user has to manually connect to the VPN server.
Always-on VPN
The VPN connection is established and maintained always. This opposes an on-demand connection. Can be used with both site to site VPN and direct access VPN.
HTML5 VPN Portal
Allows users to connect to the VPN using their web browser. Uses TLS to encrypt the session. Tends to be very resource intensive.
NAC
Network Access Control
Methods to ensure that devices connecting to a network meet certain predetermined characteristics. NAC will perform host health checks. Possibly via an agent. A VPN server will query the NAC (assuming there is one) and query the client for a health report before allowing the client to connect to the internal network.
VPN authentication methods
VPN should ensure that only authorized users access it.
1. PAP - Password Authentication Protocol
2. CHAP - Challenge Handshake Authentication Protocol
3. RADIUS
4. TACACS+
PAP
Password Authentication Protocol
Used in VPNs for authentication. Used with Point to point protocol (PPP) to authenticate clients. PAP allows users to authenticate with a password or PIN. However, it is sent over the network in cleartext, so it’s not secure.
CHAP
Challenge Handshake Authentication Protocol.
Used by VPNs for authentication. Uses point to point protocol (PPP). CHAP allows users to authenticate with a shared secret. The client hashes the shared secret combining it with a nonce, and then sends it to the server. More secure than PAP because the shared secret is NOT sent in plaintext.
TACACS+
Terminal Access Controller Access-Control System Plus
Authentication system that is an alternative to RADIUS. Can be used by VPNs for authentication. Can be used with kerberos. Two essential security benefits over RADIUS: 1. Encrypts the entire authentication process. 2. Uses multiple challenges and responses between the client and the server.
AAA Protocols
Protocols that provide authentication, authorization, and accounting
1. RADIUS
2. TACACS+
3. Diameter
MDM
Mobile device management
Includes technologies to manage mobile devices.
UEM
Unified endpoint management
Ensure systems are up to date with patches, AV, and are secured with standard security practices. Can be used to manage mobile devices or any device.
NIST RMF
Mandatory framework for US federal agencies and organizations that handle federal data.
Six step process
1. Categorize: define the environment
2. Select: pick the appropriate controls
3. Implement: define proper implementation
4. Assess: determine if controls are working
5. Authorize: make a decision to authorize a system
6. Monitor: check for ongoing compliance
NIST CSF
NIST cybersecurity framework
Framework core
Identify, protect, detect, respond, and recover
ISO/IEC 27001
Information security management
Framework that provides information on infosec management system (ISMS) requirements. Three stage certification process for an organization to become compliant.
ISO 27002
Information technology security techniques
Complement to ISO 27001. While ISO 27001 identifies requirements to become certified, ISO 27002 provides organizational with be practices guidelines.
ISO 27701
Privacy information management system (PIMS)
Based on ISO 27001, outlines a framework for managing and protecting PII. Provides organizations with guidance to comply with global privacy standards, such as European General Data Protection Regulation (EU GDPR)
ISO 31000
Family of standards related to risk management. Provides guidelines that organizations can adopt to manage risk
SOC 2 Type I
A report that describes an organization’s systems and covers the design effectiveness of security controls on a specific date. Design effectiness refers to how well the security controls address risks but not necessarily how well they work when mitigating risks.
SOC 2 Type II
Report that describes an organization’s systems and covers security controls’ operational effectiveness over a range of dates, e.g 12 months. Operational effectiveness refers to how well the controls worked when mitigating risks during the range of dates.
NIST SP 800-87
Risk Management Framework for Information Systems and Organizations
Covers the Risk Management Framework (RMF). Provides organizations a 7 step process to identify and mitigate risks.
- Prepare
- Categorize information systems
- Select security controls
- Implement security controls
- Assess security controls
- Authorize information systems
- Monitor security controls
SLE
Single Loss Expectancy
Cost of any single loss.
ARO
Annual rate of occurrence
Indicates how many times the loss will occur annually.
ALE
Annual Loss Expectancy
How much loss is accrued from failures during the entire year.
ALE = SLE * ARO
Risk register
Detailed document listing information about risks. Typically includes risk scores along with recommended security controls to reduce the risk scores.
Risk matrix
Plots risk on a graph.
RPO
Recovery Point Objective
Identifies a point in time where data loss is acceptable, refers to databases.
MTBF
Mean Time Between Failures
Provides a measure of a system’s reliability, usually represented in hours.
MTTR
Mean Time To Recover
Identifies the arithmetic mean time it takes to recover a failed system.
BIA
Business Impact Analysis
Important part or a Business Continuity Plan (BCP). Helps an organization identify critical systems and components that are essential to an organization’s success.
BCP
Business Continuity Plan
Plan that includes disaster recovery elements that provide steps used to return critical functions to operation after an outage.
RTO
Recovery Time Objective
Maximum amount of time it can take to restore a system after an outage.
CA
Certificate Authority
Issues, manages, validates, and revokes certificates. Can be public like a large organization e.g Symantec or can be a single service running on a server within a private network.
Root certificate
First certificate created but the CA that Identifies it. If the root certificate is placed into the trusted root CA store, then all certificates issued by the CA will be trusted.
Intermediate CA
A CA that is created by a root CA to create certificates on the root CA’s behalf.
Child CA
A CA that has certificates issued to it by an intermediate CA. The child CA then gives these certificates to end users and devices.
CSR
Certificate Signing Request
A request you send to a CA to have the CA create/sign a certificate on your behalf.
RA
Registration authority
Assists in the certificate registration process. Sometimes, it is found in large organizations. RA never issues certificates it only assists the registration process.
CRL
Certificate revocation list
Used by the CA to revoke a certificate before its expiration date.
OCSP
Online certificate status protocol
Allows client to query the CA with the serial number of the certificate. The CA will then respond with an answer of good, revoked, or unknown. Unknown could indicate that the certificate is a forgery.
Stapling
Part of Online Certificate Status Protocol (OCSP). The certificate presenter receives a time stamped OCSP response from the CA signed with a digital signature. The certificate presenter then appends/staples the timestamped OCSP response to the certificate during the TLS Handshake process. Which eliminates the need for clients to query the CA.
Public key pinning
Security mechanism designed to prevent attackers from impersonating a website using fraudulent certificates. When configured, the web server responds to HTTPS requests with an extra header which includes a list of hashes derviced from valid public keys used by the web site. When clients connect to the web server they recalculate the hashes and then compare the calculated hashes with the ones they have stored from before. If they match then the client knows this is the same web server.
Key escrow
Placing a copy of a private key in a safe environment. E.g giving the key to a third party
CER
Cannocial Encoding Rules
One of the base formats for certificates. E.g cert.cer
DER
Distinguished Encoding Rules
One of the base formats for certificates. E.g cert.der
PEM
Privacy Enhanced Mail
Certificate format, despite name can be used for anything.
P7B
Certificate format using PKCS version 7.
P12
Certificate format using PKCS version 12.
PFX
Personal Information Exchange
Certificate format, predecessor to P12.
CIRT
Computer Incient Response Team
AAAA Record
Holds hostname and IPv6 address, similar to A record but for IPV6
A record
Holds hostname and IPv4 address
PTR Record
Pointer record
Opposite of an A record. For when client queries DNS with an IP.
MX Record
Mail exchange record
Identifies a mail server used for email. Linked to A or AAAA record of the mail server. When there is more than one mail server, the one with the lowest preference number in the MX record is the primary mail server.
CNAME Record
Canonical name record
Allows single system to have multiple names associated with a single IP address.
SOA record
Start of authority record
Includes information about the DNS zone and some of its settings which are useful for clients to know. E.g TTL
Cyber kill chain
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- C2
- Actions on Objectives
Diamond model of intrusion analysjs
- Adversary
- Capabilities
- Infrastructure - domain names, email addresses, ips, etc used by the adversary
- Victim
MITRE ATT&CK
Adversarial Tactics, Techniques, and Common Knowledge
Knowledge base of tactics and techniques used in real-world attacks.