Misc Flashcards
Nmap TCP SYN scan is also known as?
Stealth scan or half open scan
Nmap -sI (capital i)
Zombie/decoy scan, also known as an idle scan
NIST 800-53
Information security standard that provides a catalog of privacy and security controls for information systems
CVSS Base Metrics
AV
AC
PR
UI
S
C
I
A
AV (Attack Vector) N=Network, A=Adjacent, L=Local, P=Physical
AC (Attack Complexity) L=low, H=High
PR (Privileges Required) N=None, L=Low, H=High
UI (User Interaction) N=None, R=Required
S (Scope) U=Unchanged, C=Changed
C, I, A (Confidentiality, Integrity, Availability) H=High, L=Low, N=None
High Risk Ports
SSH 22, Telnet 23, FTP 20 & 21, NetBIOS 137-139, SMB 445, DNS 53, POP3 110, RDP 3389, SMTP 24, SQL 3306
SLA
Service Level Agreement
Contract with performance metrics, how they are measured, penalties
MOU
Memorandum of Understanding
Not binding, outlines plans
IoC
Indicator of Compromise
Behavioral: changed login patterns, excessive file access or sharing, access to unauthorized resources
Network: abnormal traffic patterns, access from malicious IPs, multiple failed logins, malware
Host-based: process IDs, registry keys, network connections
Cloud Infrastructure Assessment Tools
Pacu
Prowler
Scout Suite
Open Source Security Testing Methodology Manual (OSSTMM)
Developed by ISECOM and used for security testing and analysis.
Beaconing Traffic IoCs
Regular
Small footprint (might be just SYN)
Changing IPs and domains
Protocols: IRC, DNS, HTTP(S), social media
Peer-to-Peer (P2P) Communication IoCs
Hidden in SMB or IPP
ARP: man-in-the-middle using ARP spoofing
Rogue Devices IoCs
Rogue devices can be unaccounted for and/or unwanted
Detection: human eye, network mapping, NAC and intrusion detection
Nonstandard Port Usage IoCs
Well-known ports: 0-1023 TCP/UDP
Registered ports: 1024-49151 TCP/UDP
Dynamic and private: 49152-65535
Data Exfiltration IoCs
Stealing data
HTTP(S) channel with public storage services
Web app attacks (SQLi)
DNS as a channel
E-mail, P2P, IM
Encrypted tunnels (IPsec, SSL)