Must know Items Flashcards
Information Security - InfoSec
Information security (or infosec) refers to the protection of data resources from unauthorized access, attack, theft, or damage
InfoSec Properties - CIA Triad & how it is enforced
Three main tenets of Information Security
Confidentiality
- information is known only to certain (authorized) people
- enforced by permissions, authentication, encryption
Integrity
- Data is correct and transferred as intended
- enforced by hash/checksum
Availability
- accessible to authorized users to view and/or modify
- enforced by backups/redundancy
non-repudiation
A fourth important tenet of InfoSec
non-repudiation
- A subject cannot deny creating or modifying data
- enforced by signing electronically
- related to integrity
Security Control Categories
Technical
- controls implemented as a system
- hw, sw, security appliances, firewalls
Operational
- controls that depend on a person for implementation
- security guard, training programs
Managerial
- controls that give oversight to the system
- NDA, risk identification, tools to evaluate and select other security controls
Security Control Functional Types
Preventative
- acts before an attack happens and attempts to block it
Detective
- during an attack to identify it
Corrective
- after an attack to mitigate it
Physical
- alarms, gates, locks, fences, lighting, security cameras, guards
Deterrent
- psychologically discourages - signs, warnings of legal penalties
Compensating
- controls which serve as a substitute
NIST Cyber Security Framework (CSF)
A list of activities/objectives taken to mitigate risks
Provides
- a statement of current capabilities
- a measure of progress
- verifiable for regulatory compliance reporting
ISO 27001
International Standard relating to InfoSec rules and regulations
ISO 27002
International Standard relating to InfoSec best practices
ISO 27701
International Standard relating to personal data and privacy
ISO 27017 and 27018
International Standard relating to cloud security
ISO 31000
International Standard relating to enterprise risk management (ERM)
Regs, Standards and Legislation
Sarbanes-Oxley (SOX)
- relates to due diligence, criminalizes negligence
- risk assessments, internal controls, and audit procedures
General Data Protection Regulation (GDPR)
- EU’s fairness and right to privacy regulation
- very common standard in use today
Gramm-Leach-Bliley Act (GLBA) - for the financial industry
HIPAA - how to handle health data from a corporate viewpoint
PCI DSS - how to handle credit card info
Risk impact
Vulnerability + Threat = Risk
Vulnerability
- weakness which could cause a data breach
Threat
- someone or something which could exploit a vulnerability to cause a data breach
Risk
- likelihood and impact/consequence of threat actor exploiting a vulnerability
- assessed by identifying a vulnerability, then evaluating the likelihood of it being exploited by a threat and the impact a successful exploit would have
Attack Surface
points where an attacker can discover/exploit vulnerabilities in a network or application
Attack Vector
How an attacker gets access to a system
- direct access
- removable media
- remote and wireless
- supply chain
- web and social media
- cloud
Threat Intelligence
Can learn from anywhere, just need to research and follow up
- Tools - Mitre ATT&CK, OWASP, CVE, CVSS
- honeypots/nets
TTP and IoC
Tactics, Techniques and Procedures (TTP)
- how you know you are being attacked
- identify attackers
Indicators of Compromise
- knowing a system has been compromised
- evidence of TTP on the system
SIEM
Security Information and Event Management
- a platform which uses cyber threat intelligence (CTI) data and AI to produce actionable intelligence on an attack
SOAR
Security Orchestration, Automation, and Response
- a solution to the problem of analysts' ability to respond to an overwhelming volume of alerts
- usually automates SIEM
- used to drive incident response and threat hunting
Threat Data Feeds
STIX - Structured Threat Information eXpression - syntax
TAXII - Trusted Automated eXchange - protocol/service
AIS - Automated Indicator Sharing - service for sharing threat intel
Threat Maps - global attack maps
CVE - Common Vulnerabilities and Exposures - database by Mitre
SCAP
Security Content Automation Protocol
- used by many scanners to obtain feed updates
- defines ways to compare a system's actual configuration to a target secure baseline
- defines common identifiers
OSINT
Open Source Intelligence
- an open source threat intelligence service
Network Reconnaissance and Discovery
Footprinting
Basic command line tools:
ipconfig - win - shows assigned network interfaces (MAC to IP, default gateway)
ifconfig - linux form of ipconfig
ping - probe a host on a particular IP or hostname using ICMP
- ICMP - Internet Control Message Protocol
arp - display the local machine's Address Resolution Protocol (ARP) cache
- useful for showing recent MACs associated with each IP
- can show a Man in the Middle attack (the MAC listed for the gateway IP is not the real router's MAC address)
Network Reconnaissance and Discovery
Routes/Routing
Tools to test routing configurations and connectivity with remote hosts and networks
route - view/config the host's local routing table
- usually shows the gateway router and any subnets, additional host entries are suspicious
tracert - win - using ICMP, reports round trip time (RTT) for hops between host and remote host
traceroute - linux form of tracert, but uses UDP
pathping - win - provides latency stats and packet loss along a route over a longer measuring period
mtr - linux form of pathping
- high latency times to gateway indicate Man in the Middle attack
- high latency times on other hops indicate DoS or could be network congestion
Network Reconnaissance and Discovery
Nmap
Nmap is an open source IP Scanner
Basic use for port scanning and port identification:
nmap
Service discovery - which hosts are up and which applications they are running
nmap can scan protocols (TCP SYN -sS, UDP -sU, port ranges -p)
Fingerprinting - detailed analysis of services on a particular host
nmap can scan more intently using -sV or -A
- provides protocol, app name and version, os type and version, device type
Network Reconnaissance and Discovery
netstat and nslookup
netstat - shows the state of TCP/UDP ports on the local machine
nslookup - IP/name resolution using DNS
Network Reconnaissance and Discovery
other tools
theHarvester - gathers OSINT
dnsenum - hosting info, name records, and ip ranges in use
scanless - scans for open ports that should not be open
curl - client tool for performing data transfers over many types of protocols
nc, ncat - connection tool to test connections
Nessus - network scanner to show vulnerabilities
Network Reconnaissance and Discovery
Packet Capture and Analysis tools
tcpdump - lin - cmd line tool to capture packet traffic
wireshark - performs a pcap (packet capture) and analysis of traffic
Network Reconnaissance and Discovery
Packet Injection and Replay tools
Tools to allow for spoofing/forged data on network traffic
hping - can test host/port detection, firewall rules, traceroute, and DoS resilience
tcpreplay - can replay captured traffic (.pcap files) through a network interface
RAT
Remote Access Trojan - gives an attacker a means of remote access to the system
Scanning Intrusive vs non-Intrusive
Non-Intrusive - does not use network bandwidth to perform the scan, e.g. looking at the types of traffic generated by a device
Intrusive - uses network bandwidth or network connections
Pen testing
Black Box/Hat - unknown environment - non credentialed testing
White Box/Hat - known environment - credentialed testing
Grey Box/Hat - partially known environment
Attack Exercises Teams
Red team - attack unknown environment
Blue team - defensive role
White team - knows the rules, arbitrator
Purple team - red and blue team meet for regular debriefs during the exercise
Pen test attack life cycle
persistence
- able to reconnect to the attacked system
privilege escalation
- higher perm for actions
lateral movement
- move to another host
pivoting
- ability to bypass network boundary
actions/objectives
- exfiltrate (steal) data
cleanup
- remove evidence of attack
Kill Chain Reconnaissance tools
and whether each is a passive or active technique
OSINT - passive
Social Engineering - passive and active
Footprinting - nmap and packet sniffing - active
War driving - mapping the location and type of wireless networks target is operating
Drones/UAV
Worm
memory-resident malware that can run without user intervention and replicate over network resources
a worm gets into a system from exploiting a vulnerability in a process when the user browses a website, runs a vulnerable server application, or is connected to an infected file share
Virus
malware designed to replicate and spread from computer to computer, usually infecting executable applications or program code
only executes when the user performs an action such as downloading and running an infected process
multipartite - a virus using multiple vectors
polymorphic - a virus which changes dynamically or obfuscates its code to evade detection
Logic bomb
malware which has a trigger before exposing itself
a trigger could be a pre-configured time or date, or a user event
a mine is when a script is left as a trap
Malware Indicators
Browser changes or overt ransomware notification
Anti-virus notification
Sandbox execution
- Cuckoo tool
Resource utilization/consumption
- taskmanager or top cmd
File system changes
- Registry
- Temp files
Process Analysis
Requires a baseline of ‘normal’ by taking benchmarks of the system in order to be able to spot abnormalities
Needed for advanced attacks
Social Engineering Principles
Reasons for Effectiveness
Familiarity/liking
- establishes trust with victim
Consensus/social proof
- exploit polite behaviors
Authority and intimidation
- make victim afraid to refuse
- exploit lack of knowledge or awareness
Scarcity and urgency
- rush victim into a decision
Pretexting
Using a scenario with convincing details
tailgating
- unknown to the employee
- access premises covertly
- follow someone through a door
Piggybacking
- known to the employee
- access premises without authorization but with knowledge of an employee
- getting an employee to hold a door
Symmetrical Encryption
sender and receiver must use the same key
Fast therefore good for bulk encryption
Difficult to pass the key between the two parties w/out compromise
asymmetrical better for key sharing
Asymmetrical Encryption
Utilizes key pairs - a private and a public key
each key can encrypt and decrypt, but the key used to encrypt cannot then decrypt
private key encrypts, then the public key decrypts and vice versa
Typical process of sending encrypted message between two parties:
1 two parties exchange the public keys
2 each can then encrypt the message being sent with their private key
3 send the encrypted message to the receiver
4 the receiver then decrypts the encrypted message with the sender's public key
Signing with Public keys
Signatures are asymmetrical encryption in reverse
to Sign - Sender who is signing uses their private key
to Verify - Receiver then uses the sender's public key to decrypt the signature
Digital Certificate
A wrapper for a public key associated with a digital identity
Identity assertion is validated by a Cert Authority (CA) (a 3rd party) by signing the certificate
Both parties must trust the CA
This is known as Public Key Infrastructure (PKI); the standard is X.509
Access Controls
Subjects
- user or sw that requests access
Objects
- resources: networks, servers, data
Identification
- associating a subject with computer/network account
Authentication
- Challenge the subject to supply credentials to gain access to the account
- passwords, pin, biometrics
Authorization
- rights/permissions/privileges assigned to the account
- What we are allowed to access
Accounting
- auditing use of the account
- who did what on the system
Authentication Factors
Something you know
- knowledge factor
- password, PIN, challenge questions, date of birth
Something you have
- Ownership factor
- Hardware token, FOB, smart card, birth certificate
Something you are/do
- biometric factor
- fingerprint, iris
Authentication Attributes
somewhere you are
- geolocation
- IP location
- switch port, VLAN, wireless network
something you can do
- perform an action uniquely
something you exhibit
- behavior or trait unique to you
someone you know
- web of trust
Kerberos
Kerberos players: Supplicant(client), the KDC svr, and the app svr
Client needs to use the app svr
Kerberos Authentication
- client requests ticket to app svr
- KDC verifies user and produces a session ticket to be used on specified app svr
- client has now been authenticated and has the session key to use with app svr
Kerberos Authorization
- client requests session ticket to app svr
- KDC provides a session ticket key and a TGT for the app svr to the client
- client sends the session key and TGT to the app svr plus an authenticator
- app svr verifies the TGT and session key, sends the client an authenticator
- client verifies the authenticator
- now have mutual authentication
- client and app svr can now do business
EAP and 802.1X
See diagram, think RADIUS and TACACS+, AAA servers
Know process of authentication it uses
Biometric Authentication
FRR - False Rejection Rate
FAR - False Acceptance Rate
CER - Cross-over Error Rate, the sweet spot
Role Based Access Control (RBAC)
- Non-discretionary and more centralized control
- Based on defining roles then allocating users to roles
- Users should only inherit role permissions to perform particular tasks
Similar to group based permission management
Discretionary Access Control (DAC)
- Based on resource ownership
- Access Control Lists (ACLs)
- Vulnerable to compromised privileged user accounts
Mandatory Access Control
Uses sensitivity labels for objects
Uses security clearance labels for subjects
Centralized point of management:
Rules are set and cannot be changed by any subject account and are therefore non-discretionary
Subjects cannot change object labels nor their own label
system defined, very rigid
Used by trusted OS, like SELinux
Attribute Based Access Control (ABAC)
Limits access based on any attribute tied to a file.
- File extension
- time
- size
- content
Centralized point of management
Very flexible but can become complex
PAM - Privileged Access Management
Refers to policies, procedures, and technical controls to prevent malicious abuse of privileged accounts
Attempts to mitigate risks from weak configuration control over privileges
SAML
Security Assertions Markup Language
- open standard for implementing identity and service provider communications
- attestations/assertions
- xml format
- signed using XML signature
- communication protocols
- HTTPS
- SOAP (Simple Object Access Protocol)
- tied to OAuth and OpenID
Network Appliances and the OSI Model
All People Seem To Need Data Processing
Please Do Not Throw Sausage Pizza Away
See diagram for details of each layer
1 Physical - moves bits - wires, fiber, etc
2 Data Link - Switch, Bridge, WAP local networks, connects nodes inside a LAN
arp (address resolution protocol)
3 Network - Router (IP) - global networking LAN to LAN connections
firewall
4 Transport - end to end connections TCP, UDP
DNS
5 Session - host to host (process to process)
6 Presentation - Syntax layer, encryption and formatting
7 Application - End user layer, creates data to send, opens data received
Private IP addresses found on a host
These are non-routable over the internet
- 10.x.x.x (Class A private)
- 172.16-31.x.x (Class B private)
- 192.168.x.x (Class C private)
Compare and contrast Network based solution vs Host based solution
Network based solution:
- Pro: wide overarching picture of the network
- Pro: offloads processing from individual hosts
- Con: not detailed
Host based solution:
- Pro: fine picture of an individual host
- Pro: can be cheaper (cost of solution, cost of implementation)
- Con: no overarching network context
Know common ports and protocols
Which of these ports can be used to not alter SFTP? 20/21
SFTP - FTP via SSH - port 22
FTPS - FTP via TLS - port 21
unsecure: SMTP (25), POP3 (110), IMAP (143)
secure: SMTPS (587 STARTTLS, 465 implicit TLS), POP3S (995), IMAPS (993)
udp - DNS (53) for queries, TFTP (69), NTP (123), SNMP (161, 162), RADIUS (1812, 1813)
either - TACACS (49), Kerberos (88), SMB (Server Message Block, 137-139), LDAP (389), LDAPS (636)
CASB
Cloud Access Security Broker
Enterprise management SW used to mediate (broker) access to cloud services by users across all types of devices
Functions provided:
- enable single sign-on authentication, access controls, and authorizations
- scan for malware and rogue access points (APs)
- monitor and audit user and resource activity
- mitigate data exfiltration by preventing access to unauthorized cloud services
- prevent unauthorized application and plugin updates
implemented using
- forward proxy at the CLIENT net edge
- reverse proxy at the CLOUD net edge without modifying a user’s system
- application programming interface (API) using connections between the cloud service and cloud consumer
As a Service items - SaaS
SW as a Service
- client brings data
- CSP provides Apps, OS, HW
Example: Web Mail
As a Service items - PaaS
Platform as a Service:
- client provides Data and App
- CSP provides OS and HW and multi-tier DB
Example: Azure Development platform
As a Service items - IaaS
Infrastructure as a Service
- client provides Data, App, and OS
- CSP provides HW
Example: Amazon Web Services (AWS)
Cross Site Scripting (XSS)
Know for test
Runs a script on your system; can do anything permissions allow; automates malicious actions
Know for TEST - Two Flavors:
- Non-Persistent/reflected - coded in a link
- Persistent/stored - injected into a database
Client side - Document Object Model (DOM) - infects the browser
SQLi
SQL injections
will always have a tautology in the query, like A=A or 1=1
recognize as SQL query
Incident Response Cycle
PICERL
-will be on test, usually describes scenario and asks what is next step
Note: Can have overlaps in steps
Prep
- have tools and training up to date and ready for use
Identify
- Detection and Analysis (it happened and what happened)
- we have a virus and which virus
Containment
- isolation
Eradication
- Removal and destruction
Recovery
- Recover data, bring systems back online
- Go back to Identify, may have not fully recovered
Post-Incident
- lessons learned, documentation
- improve Prep stage, go back to prep stage
Cyber Kill Chain Attack Framework
or
Steps of Attack / Framework
will be on test
Reconnaissance / Research
Weaponization / Build your attack
Delivery / Get in; component access
Exploitation / Breach security or activation
Installation / Persistence - how to stay
Cmd & Control / Reach back to attacker
Actions on Objectives / The attack