Scenarios, Applications & Methods Flashcards
Protocol Analyzer
Example: Wireshark Protocol Analyzer
Use: Analyze wireless traffic performance to find IOCs.
A protocol analyzer is a tool that can capture and analyze wired or wireless traffic passing over a given communications channel. This might also be called a packet sniffer, network analyzer, or packet analyzer.
Network Scanner
Example: Nmap/Wireshark
Use: To identify unauthorized traffic, open ports etc.
Network scanners can help identify which services are running on which hosts, and on which ports. After you’ve scanned, determine whether those services should be running at all.
Scanners can be used for rogue system detection. You can actively scan for unauthorized devices. Alternatively, you can passively inspect traffic logs for communication with unauthorized devices.
Network scanners can also be used to create network diagrams of how machines are connected to one another.
Password Cracker
Example: John the Ripper
Use: Analyzing passwords
These are tools used by attackers to find weak passwords. Admins could also use them to test the password health of their own users and detect problems early.
Vulnerability Scanner
Example: Tenable
Use: Find Vulnerabilities
These are programs designed to scan a system for issues. These issues might include misconfiguration, old software versions, and so on. They can operate at the network level, host level or application level.
SIEM
Example: Splunk
Use: Automated discovery and handling of security threats using logs.
SIEM stands for security information and event management. SIEM systems are hardware and software meant to analyze aggregated security data. They rely on a few different concepts
Configuration compliance scanner
Example: Qualys
Use: A protocol for managing information related to security configurations, and validating them in an automated way.
Exploitation frameworks
Example: Metasploit
Use: Used by attackers to exploit systems.
Data Sanitization Tool
Use: allow you to “destroy, purge or otherwise identify for destruction” data on systems.
Anti-Malware Tool
Example: Bitdefender, Norton, Cylance, McAfee
Use: Anti-Malware programs scan a computer system to prevent, detect and remove malware.
Troubleshoot common security issues - Unencrypted credentials/clear text
The problem: sending credentials from one machine to another in cleartext. This means that the unencrypted information could be subject to eavesdropping for use in later attacks. Cleartext credentials could also show up in logs.
The solution: don’t send credentials in clear text.
Troubleshoot common security issues - Logs and events anomalies
The problem: Logs are meant to show event anomalies. You don’t want to dump ALL events into logs unless that information has a potential security implication or will be used in some form, later.
The solution: be conscientious about what needs to go into your logs so that you have a better signal-to-noise ratio. Log events that matter for security, specific to your organization.
Troubleshoot common security issues - Permission issues
The problem: incorrect setting of user rights and permissions, such that people have more or fewer permissions than they should.
The solution: periodic reviews and audits of rights and permissions.
Troubleshoot common security issues - Access violations
The problem: when someone tries to access a resource that they don’t have permission to access. This might be because they’re making a mistake or deliberately trying to get past security. It also might be that permissions are set inappropriately.
The solution: track access violations through a SIEM system to be aware of and act on violations.
Troubleshoot common security issues - Certificate issues
The problem: when a user attempts to use a certificate that does not have a complete chain of trust back to a trusted root.
The solution: Manage trusted certificates well so that users are not “fixing” the issue by trusting the cert anyway.
Troubleshoot common security issues - Data exfiltration
The problem: an attacker tries to steal data and export it out of your system.
The solution: don’t store data that doesn’t need to be stored. Use data loss prevention (DLP) tools as described in earlier chapters. Use firewalls and network segmentation to make exfiltration more difficult.
Troubleshoot common security issues - Misconfigured devices
The problem: when a device needs to be set up the correct way and you, well, botched it. This is usually a human error issue. Maybe you selected “everyone” on an access control list by accident.
The solution: regular audits, and most importantly, test that things are working as desired.
Troubleshoot common security issues - Firewall
The problem: firewalls depend on rulesets to allow or block packets. Incomplete, incorrect or sloppy rulesets cause issues.
The solution: regular audits, of course. Also avoid making “temporary” rules to test out new things, because you’ll forget and they’ll become permanent.
Troubleshoot common security issues - Content filter
The problem: content filters limit what users can view on a network. If the rules are too broad, you might be blocking valid or important resources.
The solution: make sure that your content filters are specialized to your organization, and that you can act to address miscommunications.
Troubleshoot common security issues - Access points
The problem: access points can be configured with rules about which traffic to grant or deny access to a network. These rules and criteria can get unwieldy to manage.
The solution: same old answer… audits and security tools to manage things at scale.
Troubleshoot common security issues - Weak security configurations
The problem: weak security configurations are configuration parameter choices that result in greater security risks.
The solution: avoid allowing deprecated protocols or cipher suites. Don’t allow users to have weak passwords or unlimited password attempts, and so on.
Troubleshoot common security issues - Personnel issues
The problem: poorly trained users can weaken the security posture of a company, even if all your hardware and software is configured well.
The solution: invest in regular training for your employees.
Troubleshoot common security issues - Policy violation
The problem: personnel don’t adhere to written policies of the organization.
The solution: if it’s a knowledge issue, invest in policy-specific training. If it’s an awareness issue, invest in awareness training. If it’s willful disobedience, make sure your HR policy has teeth.
Troubleshoot common security issues - Insider threat
The problem: users inside the system who have access to and permissions on a network abuse their trust for malicious means.
The solution: make sure HR is screening new hires. Make sure you’re monitoring employee activity. And make sure you’ve got separation of duties so no single person has too much power.
Troubleshoot common security issues - Social engineering
The problem: attackers use social engineering against your employees.
The solution: provide your employees with comprehensive awareness training so that they can recognize and combat social engineering attacks.
Troubleshoot common security issues - Social media
The problem: social media over-sharing can result in giving away confidential information. This might help attackers with their social engineering attacks. And, employees with extreme viewpoints that they share online might land the company in hot water.
The solution: have some kind of social-media policy that lets employees know what company information is acceptable to share. Work with HR on the “extreme viewpoints” thing.
Troubleshoot common security issues - Personal email
The problem: use of personal email means it’s easier for data exfiltration to happen. It also means that it’s easier for malware to get in.
The solution: prohibit use of personal email.
Troubleshoot common security issues - Unauthorized software
The problem: installation and use of software that shouldn’t be allowed on a system.
The solution: use whitelisting to restrict what can run on a machine. Don’t give users permission to install programs. Regularly audit things.
Troubleshoot common security issues - Baseline deviation
The problem: not a problem so much as a means of monitoring progress (or lack thereof).
The solution: measure the system’s current state by use of tools (default passwords, permission issues, and so on). Regularly re-measure the system and track progress or issues.
Troubleshoot common security issues - Asset management
The problem: understanding what hardware and software you have, where it is, and how it’s configured is difficult at scale.
The solution: use tools and processes to make this a regular and as-much-as-possible automated task.
Troubleshoot common security issues - Authentication issues
The problem: any issues related to authentication. This could mean leaving default passwords, it could also mean repeated failed logins. You get the idea.
The solution: avoid leaving default passwords in place. Log when users log in, log out, or have a failed login attempt, as needed. Act on brute-force login attempts.