Section 1 Flashcards
Regulations
Legally binding mandates that demand strict adherence to data protection rules
GDPR - General Data Protection Regulation
Imposes strict rules on data processing and movement within the EU and on any business dealing with EU citizens' data.
Fines of up to 4% or 20 million euros
GLBA - Gramm-Leach-Bliley Act
Financial Services Act of 1999
Protects the privacy of individuals' financial information held by financial institutions.
Includes encryption, security audits, security measures
HIPAA - Health Insurance Portability and Accountability Act
Physical, administrative, technical safeguards.
Regulates confidentiality and security of healthcare information
Encryption, secure access controls and regular audits
Fines: $100 - $50k. Max penalty $1.5M per year
PCI DSS - Payment Card Industry Data Security Standard
For credit cards/payments
Secure networks, implementing strong access control, conducting regular network monitoring and testing
$5k - $100k per month until fixed
ISO / IEC 27000 series
Specifications for implementing, maintaining, and improving IT security management systems
Mitigate legal risks, build customer trust
Stakeholder alignment
Ensures that everyone understands the objectives, timelines and outcomes of a pen test
Types of Assessments
Network
Wireless
Application
Mobile
Web
Cloud
API
Network assessment
Network topology
Firewall configs
Security policies
Wireless assessments
Simulate attacks on wireless networks to understand security issues and provide recommendations
App assessments
Code audits
Outdated dependency audits
App configs
Mobile assessments
Check data leaks
Improper session handling
Insecure data storage
Web assessments
Look for SQL injection, cross-site scripting, security misconfiguration
Cloud assessments
Check cloud configurations and compliance
API assessments
Check authentication, authorization, data handling practices
Types of agreements
NDA
MSA master service agreements
SOW statements of work
TOS terms of service
MSA master service agreement
Project scope
Payment details
Confidentiality clauses
Liability issues
Statement of work SOW
Outlines objectives, deliverables, scope of work, timelines, payment schedules, and responsibilities of each party
Legal and ethical considerations overview
Authorization letters
Mandatory reporting requirements
Potential risks to pentester
Establish escalation path
Authorization letter
Formally grants permission to the pentester to conduct a simulated cyber attack against the organization's systems
Mandatory reporting
Dictates how and when findings should be disclosed
Risks to tester
1. Conduct thorough risk assessment
2. Implement precautionary measures to protect the system
3. Establish mutual understanding with the client
Escalation path
Outlines the chain of command.
Mitigates: operational interference, system interference, accidental breach of data
Rules of engagement overview
Exclusions
Test cases
Test window
Goal reprioritization
Business impact analysis
Exclusions
Specifically designated areas out of scope and off-limits
Test cases
Predefined scenarios to evaluate the security of a system
Test window
Time frame in which to run the test
Goal reprioritization
Change goals based on findings
IP address
Identifies nodes within a network or on the internet
Shared responsibility model
Lays out the different roles and responsibilities of the stakeholders involved in keeping a hosted environment secure
Shared responsibility model actors
Hosting providers
customers
penetration testers
third party service providers
Hosting providers
Secure the infrastructure that runs the services offered to customers
Target selection (4)
CIDR ranges
Domains
IPs
URLs
CIDR - classless inter-domain Routing
Method used to allocate IP addresses and route Internet traffic
Cloud security out of the box from cloud providers
AWS - AWS Trusted Advisor and AWS Inspector
Azure - Azure Security Center and Azure Advisor
GCP - Cloud Security Command Center and Cloud Armor
Before cloud pen testing
Notify the service provider
Third-party shared responsibility
Software vendors
External consultants
Partners
MITRE ATT&CK framework - Adversarial Tactics, Techniques, and Common Knowledge
Who funds?
Funded by the US Computer Emergency Readiness Team and the US Department of Homeland Security.
MITRE tailored models
Enterprise
Mobile
Cloud
And different operating systems
MITRE categories
Initial access
Execution
Persistence
Privilege escalation
Defense evasion
MITRE - initial access category
Spear phishing
Drive-by compromise
Spearphishing
Targeted emails with malicious attachment
CIDR block for 192.168.100.0/24
Usable host range: 192.168.100.1 - 192.168.100.254
Domains
Human readable addresses
OWASP ACRONYM
Open Web Application Security Project
OWASP general info
Non profit
OWASP top 10 - 10 most common vulns
OWASP top ten
Broken access control
Cryptographic failures
Injection
Insecure design
Security misconfiguration
Outdated components/packages
Authentication failures
Data integrity failures
Logging failures
SSRF - server-side request forgery
Broken access control
Users can access what they shouldn’t be able to
Cryptographic failures
Failures related to managing sensitive data securely
Injection flaws
SQL, NoSQL, command injection
MASVS acronym
Mobile Application Security Verification Standard
MASVS control groups
MASVS-XXXXX
MASVS-STORAGE
Focus on secure storage of sensitive data
MASVS-CRYPTO
Cryptographic measures
MASVS-AUTH
Ensures strong mechanisms to verify user identities and grant appropriate access rights
MASVS-NETWORK
Security of communication between the mobile app and endpoints, such as TLS/SSL
MASVS-PLATFORM
Focus on how securely the app interacts with the underlying mobile platform and other apps on the same device
MASVS-CODE
Secure development of the app's code
MASVS-RESILIENCE
Ability to withstand and respond to reverse engineering and tampering
MASVS-PRIVACY
Implements privacy controls that align with laws and regulations
MASVS checklist OWASP
Mobile Application Security Testing Guide (MASTG)
MAS Checklist
PTES acronym
Penetration Testing Execution Standard
PTES - general info
Framework to conduct thorough and effective penetration tests
PTES - pre-engagement interactions
First communication and the reason for conducting a penetration test.
Time estimation, scoping, additional support, questionnaires, scope creep, start and end dates, IP ranges and domains, dealing with third parties, acceptable social engineering, goals, lines of communication, emergency contact information, rules of engagement, technology in place
PTES - information gathering (3)
Compliance driven
best practice
state sponsored
Open source intelligence
Footprinting - maps the network environment
PTES - threat modeling
Understanding the business assets and processes that need protection, and the threats and their capabilities
CREST Defensible Penetration Test guidelines (CDPT) - general
Establishes a standard for conducting penetration tests with a clear, structured approach
Council of Registered Ethical Security Testers (CREST)
An organization of security companies that sets rigorous standards for cyber security services
How many companies in CREST
Over 300
How to become CREST certified?
Extensive audit and accreditation process
CREST purpose
Find highly qualified individuals and companies for penetration testing