Must know Items Flashcards
Information Security - InfoSec
Information security (or infosec) refers to the protection of data resources from unauthorized access, attack, theft, or damage
InfoSec Properties - CIA Triad & how it is enforced
Three main tenets of Information Security
Confidentiality
- information is disclosed only to the people and processes authorized to see it
- enforced by permissions, authentication, encryption
Integrity
- data is correct and complete and has not been altered without authorization, in storage or in transit
- enforced by hashes/checksums (a plain hash only detects tampering if the attacker cannot replace the hash as well; a keyed MAC or a signature closes that gap)
Availability
- accessible to authorized users, to view and/or modify, whenever they need it
- enforced by backups/redundancy and fault tolerance
non-repudiation
A fourth important tenet of InfoSec
non-repudiation
- a subject cannot deny having created, sent or modified data
- enforced by digital signatures (only the holder of the private key can produce the signature)
- related to integrity
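Added example (not from the original cards): a Python script that shows why the integrity and non-repudiation cards say what they say. A plain hash detects a change only while the attacker cannot recompute it; an HMAC keyed with a shared secret stops that forgery; but because the receiver holds the same shared key, an HMAC still cannot prove who produced the data, which is why non-repudiation needs an asymmetric signature. The message bytes and the shared key are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key, standing in for a secret shared by sender and receiver.
SHARED_KEY = b"demo-shared-key"


def digest(data: bytes) -> str:
    """Integrity only: unkeyed SHA-256 of the data."""
    return hashlib.sha256(data).hexdigest()


def mac(data: bytes, key: bytes = SHARED_KEY) -> str:
    """Integrity + authenticity: HMAC-SHA256 under a shared key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_digest(data: bytes, expected: str) -> bool:
    # compare_digest avoids timing leaks when comparing tags
    return hmac.compare_digest(digest(data), expected)


def verify_mac(data: bytes, expected: str, key: bytes = SHARED_KEY) -> bool:
    return hmac.compare_digest(mac(data, key), expected)


def demo() -> dict:
    """Run the tamper scenarios and report which checks pass."""
    original = b"transfer 100 to account 42"   # constructed sample message
    tampered = b"transfer 900 to account 42"   # attacker-modified copy
    h = digest(original)
    t = mac(original)
    return {
        "hash_ok": verify_digest(original, h),
        "hash_tamper": verify_digest(tampered, h),
        # an attacker who can change the data can also recompute a plain hash,
        # so the receiver accepts the forged pair: integrity check defeated
        "hash_forged": verify_digest(tampered, digest(tampered)),
        "mac_ok": verify_mac(original, t),
        "mac_tamper": verify_mac(tampered, t),
        # without the shared key the attacker cannot mint a valid MAC
        "mac_forged": verify_mac(tampered, mac(tampered, b"wrong-key")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The MAC holds up against the forgery, but note that the receiver, who also knows SHARED_KEY, could have produced the same tag, so a MAC gives no non-repudiation; that is the gap a digital signature fills.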
Security Control Categories
Technical
- controls implemented as a system
- hw, sw, security appliances, firewalls
Operational
- controls that depend on a person for implementation
- security guard, training programs
Managerial
- controls that give oversight to the system
- NDA, risk identification, tools to evaluate and select other security controls
Security Control Functional Types
Preventative
- act before an attack to block it (ACLs, encryption, patching)
Detective
- operate during an attack to identify and record it (logs, IDS)
Corrective
- act after an attack to limit and reverse the damage (restore from backup, quarantine)
Physical
- alarms, gates, locks, fences, lighting, security cameras, guards
Deterrent
- psychologically discourage an attacker - signs, warnings of legal penalties
Compensating
- substitute for a primary control that cannot be applied, giving comparable protection
NIST Cyber Security Framework (CSF)
A list of activities/objectives taken to mitigate risks
Provides
- a statement of current capabilities
- a measure of progress
- verifiable for regulatory compliance reporting
ISO 27001
International Standard specifying the requirements for an information security management system (ISMS); the one an organization is certified against
ISO 27002
International Standard giving best-practice security controls for implementing an ISMS
ISO 27701
International Standard extending 27001/27002 to personal data and privacy management
ISO 27017 and 27018
International Standards relating to cloud security: 27017 - security controls for cloud services; 27018 - protecting personally identifiable information (PII) in public clouds
ISO 31000
International Standard relating to enterprise risk management (ERM)
Regs, Standards and Legislation
Sarbanes-Oxley (SOX)
- relates to due diligence for financial reporting; criminalizes negligence
- mandates risk assessments, internal controls, and audit procedures
General Data Protection Regulation (GDPR)
- EU regulation on fairness and the right to privacy in the processing of personal data
- widely adopted as a de facto standard outside the EU as well
Gramm-Leach-Bliley Act (GLBA) - for the financial industry
HIPAA - Health Insurance Portability and Accountability Act - how an organization must handle health data
PCI DSS - Payment Card Industry Data Security Standard - how to handle credit card data
Risk impact
Risk exists only where a vulnerability and a threat meet: Risk = likelihood of a threat exploiting a vulnerability x the impact if it does
Vulnerability
- weakness which could cause a data breach
Threat
- someone or something which could exploit a vulnerability to cause a data breach
Risk
- likelihood and impact/consequence of threat actor exploiting a vulnerability
- assess by identifying a vulnerability and then evaluate the likelihood of it being exploited by a threat and the impact that a successful exploit would have.
Attack Surface
points where an attacker can discover/exploit vulnerabilities in a network or application
Attack Vector
The path an attacker takes to reach the attack surface and exploit it
- direct access
- removable media
- remote and wireless
- supply chain
- web and social media
- cloud
Threat Intelligence
Can be gathered from many sources; the work is research and follow-up
- Resources - MITRE ATT&CK, OWASP, CVE, CVSS
- honeypots/nets
TTP and IoC
Tactics, Techniques and Procedures (TTP)
- the behavior patterns of an adversary: what they do (tactics), how they do it (techniques), and the specific steps (procedures)
- used to recognize an attack in progress and to attribute it to a threat actor
Indicators of Compromise (IoC)
- evidence that a system has been compromised
- artifacts left behind by TTP, e.g. file hashes, IP addresses, domains, registry keys, unusual accounts
SIEM
Security Information and Event Management
- a platform which collects and correlates log and event data from many sources, enriched with cyber threat intelligence (CTI) and often analytics/AI, to produce actionable alerts on an attack
SOAR
Security Orchestration, Automation, and Response
- a solution to the problem of analysts being unable to keep up with an overwhelming volume of alerts
- usually automates the response to SIEM alerts through playbooks
- used to drive incident response and threat hunting
Threat Data Feeds
STIX - Structured Threat Information eXpression - syntax (JSON format) for describing threat data
TAXII - Trusted Automated eXchange of Indicator Information - protocol/service for transporting STIX data
AIS - Automated Indicator Sharing - CISA service for sharing threat intel between government and industry
Threat Maps - global attack maps
CVE - Common Vulnerabilities and Exposures - database of public vulnerability identifiers run by MITRE
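Added example (not from the original cards) tying the IoC and threat-feed cards together: a Python script that reads a STIX 2.1 bundle, pulls the atomic indicators out of the `pattern` fields, and sweeps a few log lines for them. The bundle, the indicator values and the log lines are all constructed for this demo; nothing here comes from a real feed.

```python
import json
import re

# Constructed STIX 2.1 bundle (sample data for this example, not a real feed).
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--22222222-2222-4222-8222-222222222222",
            "name": "Known C2 address", "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '203.0.113.45']",
            "valid_from": "2024-01-01T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--33333333-3333-4333-8333-333333333333",
            "name": "Dropper SHA-256", "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']",
            "valid_from": "2024-01-01T00:00:00Z",
        },
        {   # a non-indicator object; the extractor must skip it
            "type": "malware", "spec_version": "2.1",
            "id": "malware--44444444-4444-4444-8444-444444444444",
            "name": "Example dropper", "is_family": False,
        },
    ],
})

# Constructed log lines: two firewall events and one EDR file event.
LOG_LINES = [
    "2024-05-01T10:00:01Z fw action=deny src=10.0.0.5 dst=203.0.113.45 dport=443",
    "2024-05-01T10:00:02Z fw action=allow src=10.0.0.5 dst=198.51.100.7 dport=443",
    "2024-05-01T10:01:10Z edr event=file_write host=WS01 sha256=" + "0123456789abcdef" * 4,
]

# Matches a single STIX comparison expression such as [ipv4-addr:value = '1.2.3.4']
PATTERN_RE = re.compile(
    r"\[\s*(?P<obj>[\w-]+):(?P<prop>[^\s=]+)\s*=\s*'(?P<val>[^']+)'\s*\]"
)


def extract_indicators(bundle_json: str) -> list:
    """Return the atomic indicators (object type, property, value) in a bundle."""
    bundle = json.loads(bundle_json)
    indicators = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = PATTERN_RE.fullmatch(obj["pattern"].strip())
        if not m:
            continue  # compound patterns (AND/OR/FOLLOWEDBY) are out of scope here
        indicators.append({
            "id": obj["id"],
            "name": obj.get("name", ""),
            "object": m["obj"],
            "property": m["prop"],
            "value": m["val"],
        })
    return indicators


def match_logs(indicators: list, lines: list) -> list:
    """Return (indicator name, log line) pairs where an IoC value appears."""
    hits = []
    for line in lines:
        lowered = line.lower()
        for ind in indicators:
            if ind["value"].lower() in lowered:
                hits.append((ind["name"], line))
    return hits


if __name__ == "__main__":
    for name, line in match_logs(extract_indicators(STIX_BUNDLE), LOG_LINES):
        print(f"IoC hit [{name}]: {line}")
```

The substring match is deliberately simple; a production sweep should tokenize fields so that an indicator like 203.0.113.4 does not fire on 203.0.113.45, and should honour `valid_from`/`valid_until` so stale indicators age out.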
SCAP
Security Content Automation Protocol
- used by many scanners to obtain feed updates
- defines ways to compare a systems actual configuration to a target secure baseline
- defines common identifiers
OSINT
Open Source Intelligence
- intelligence gathered from publicly available sources (websites, DNS/WHOIS records, social media, public code repos, breach dumps)
Network Reconnaissance and Discovery
Footprinting
Basic command line tools:
ipconfig - win - shows the IP configuration of each network interface (IP, subnet mask, default gateway; /all adds MAC and DNS servers)
ifconfig - linux form of ipconfig (modern distros use ip addr)
ping - probe a host by IP or hostname using ICMP Echo Request/Reply
- ICMP - Internet Control Message Protocol
arp - display the local machine's Address Resolution Protocol (ARP) cache
- useful for showing the MAC recently associated with each IP
- can reveal an ARP-poisoning Man in the Middle attack (the gateway IP maps to a MAC that is not the real router's, or one MAC claims several IPs)
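Added example (not from the original cards): a Python check that parses `arp -a` output in both the Windows and Linux formats and raises the two warning signs the card describes, a gateway whose MAC does not match the known router MAC and one MAC answering for several IPs. The ARP table and the "known good" gateway MAC are constructed for the demo; in practice the gateway MAC would come from an asset inventory or a switch's MAC table.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output in Windows format (sample data for this example).
ARP_OUTPUT = """
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-00-11-22     dynamic
  192.168.1.37          aa-bb-cc-00-11-22     dynamic
  192.168.1.50          00-1a-2b-3c-4d-5e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Assumed known-good gateway MAC (in reality taken from a trusted inventory).
GATEWAY_IP = "192.168.1.1"
KNOWN_GATEWAY_MAC = "00-11-22-33-44-55"

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})"
# Windows:  192.168.1.1   aa-bb-cc-00-11-22   dynamic
WIN_ENTRY = re.compile(r"^\s*" + IPV4 + r"\s+" + MAC + r"\s+(\w+)", re.I)
# Linux:    ? (192.168.1.1) at aa:bb:cc:00:11:22 [ether] on eth0
LINUX_ENTRY = re.compile(r"\(" + IPV4 + r"\)\s+at\s+" + MAC, re.I)


def normalize_mac(mac: str) -> str:
    return mac.lower().replace(":", "-")


def parse_arp(text: str) -> list:
    """Return [(ip, mac)] from Windows or Linux `arp -a` output."""
    entries = []
    for line in text.splitlines():
        m = WIN_ENTRY.match(line) or LINUX_ENTRY.search(line)
        if m:
            entries.append((m.group(1), normalize_mac(m.group(2))))
    return entries


def check_arp(entries: list, gateway_ip: str, known_gateway_mac: str) -> list:
    """Flag a spoofed gateway MAC and any MAC that claims more than one IP."""
    findings = []
    expected = normalize_mac(known_gateway_mac)
    by_mac = defaultdict(list)
    for ip, mac in entries:
        if mac == "ff-ff-ff-ff-ff-ff":
            continue  # broadcast entry, always shared
        by_mac[mac].append(ip)
        if ip == gateway_ip and mac != expected:
            findings.append(f"gateway {ip} resolves to {mac}, expected {expected}")
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims multiple IPs: {', '.join(ips)}")
    return findings


if __name__ == "__main__":
    for finding in check_arp(parse_arp(ARP_OUTPUT), GATEWAY_IP, KNOWN_GATEWAY_MAC):
        print("WARNING:", finding)
```

Treat a shared MAC as a lead rather than proof: routers running VRRP/HSRP, hypervisors and load balancers legitimately answer for several IPs, and the ARP cache only lists hosts the machine has recently talked to, so run the check right after pinging the gateway.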
Network Reconnaissance and Discovery
Routes/Routing
Tools to test routing configurations and connectivity with remote hosts and networks
route - view/config the hosts local routing table
- usually shows the gateway router and any subnets, additional host entries are suspicious
tracert - win - using ICMP, reports round trip time (RTT) for hops between host and remote host
traceroute - linux form of tracert, but uses UDP
pathping - win - provides latency stats and packet loss along a route over a longer measuring period
mtr - linux form of pathping
- high latency at the first hop (gateway) could indicate a Man in the Middle attack relaying traffic
- high latency on later hops could indicate DoS, or just network congestion
Network Reconnaissance and Discovery
Nmap
Nmap is an open source network and port scanner
Basic use for host discovery, port scanning and port identification:
nmap <target IP, hostname or range>
Service discovery - which hosts are up and which ports/applications they expose
nmap can scan by protocol (TCP SYN -sS, UDP -sU) and by port range (-p)
Fingerprinting - detailed analysis of services on a particular host
nmap can scan more intensively using -sV (service/version detection) or -A (also OS detection, scripts, traceroute)
- provides protocol, app name and version, OS type and version, device type
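Added example (not from the original cards): a Python script that parses Nmap's grepable output (`-oG`), lists the open ports per host, and compares them with an expected baseline so that unexpected or cleartext services stand out. The scan output is constructed to look like a `-sV -oG` run and is not a real scan; the baseline and the list of "risky" services are assumptions for the demo.

```python
import re

# Constructed nmap grepable (-oG) output for this example; not a real scan.
# Port entries use nmap's field order: port/state/proto/owner/service/rpc/version/
NMAP_GREPABLE = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.168.1.0/24\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5/, "
    "80/open/tcp//http//nginx 1.18.0/, 445/filtered/tcp//microsoft-ds///\t"
    "Ignored State: closed (997)\n"
    "Host: 192.168.1.11 ()\tStatus: Up\n"
    "Host: 192.168.1.11 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, "
    "23/open/tcp//telnet//Linux telnetd/\tIgnored State: closed (998)\n"
    "# Nmap done\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)")

# Assumed list of cleartext services worth flagging wherever they appear.
RISKY_SERVICES = {"telnet", "ftp", "rsh", "rlogin"}


def parse_grepable(text: str) -> dict:
    """Return {host: [{port, state, proto, service, version}, ...]}."""
    hosts = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        host = m.group(1)
        hosts.setdefault(host, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].strip().split(", "):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue  # malformed entry
                hosts[host].append({
                    "port": int(parts[0]),
                    "state": parts[1],
                    "proto": parts[2],
                    "service": parts[4],
                    "version": parts[6],
                })
    return hosts


def open_ports(hosts: dict) -> dict:
    """{host: sorted list of open port numbers}."""
    return {h: sorted(p["port"] for p in ports if p["state"] == "open")
            for h, ports in hosts.items()}


def unexpected(hosts: dict, baseline: dict) -> list:
    """Open ports that are not in the host's baseline or run a cleartext service."""
    findings = []
    for host, ports in hosts.items():
        allowed = baseline.get(host, set())
        for p in ports:
            if p["state"] != "open":
                continue
            reasons = []
            if p["port"] not in allowed:
                reasons.append("not in baseline")
            if p["service"] in RISKY_SERVICES:
                reasons.append("cleartext service")
            if reasons:
                findings.append((host, p["port"], p["service"], ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Assumed baseline: which open ports each host is supposed to have.
    baseline = {"192.168.1.10": {22, 80}, "192.168.1.11": {3389}}
    scan = parse_grepable(NMAP_GREPABLE)
    print(open_ports(scan))
    for host, port, service, why in unexpected(scan, baseline):
        print(f"{host}:{port} ({service}) - {why}")
```

Filtered ports (like 445 above) are deliberately left out of the open list: a filtered result means something dropped the probe, not that a service is exposed. The `-sV` version strings are kept so a finding can be cross-checked against CVE entries.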
Network Reconnaissance and Discovery
netstat and nslookup
netstat - shows active connections and listening TCP/UDP ports on the local machine
nslookup - queries DNS to resolve hostnames to IPs (and IPs to names)
Network Reconnaissance and Discovery
other tools
theHarvester - gathers OSINT (emails, subdomains, hosts) about a target domain
dnsenum - enumerates hosting info, DNS name records, and IP ranges in use
scanless - runs port scans through third-party online scanners so the probes do not come from your own IP
curl - client tool for performing data transfers over many protocols (HTTP, FTP, etc.); handy for grabbing headers and banners
nc, ncat - netcat: reads/writes raw TCP or UDP connections; test connections, grab banners, set up listeners
Nessus - vulnerability scanner that reports known vulnerabilities on network hosts
Network Reconnaissance and Discovery
Packet Capture and Analysis tools
tcpdump - linux - command line tool to capture packet traffic (writes .pcap files)
wireshark - GUI tool that performs packet capture (pcap) and detailed protocol analysis of the traffic