Chapter 3: Implementation
Objective 3.1

Insecure Protocols

Telnet → Port 23 → Telnet transmits data in plaintext, vulnerable to MITM & eavesdropping
  Secure Alternative → SSH → Port 22 → SSH provides encrypted communication
FTP → Port 21 → FTP transmits data in plaintext, vulnerable to interception & tampering
  Secure Alternatives:
    FTPS (FTP Secure) → Port 990 / 989 → Uses SSL / TLS for encryption
    SFTP (SSH File Transfer Protocol) → Port 22 → Uses SSH for file transfer
HTTP → Port 80 → HTTP transmits data in plaintext
  Secure Alternative → HTTPS (HTTP Secure) → Port 443 → Uses SSL / TLS
SMTP → Port 25 → SMTP transmits emails in plaintext, vulnerable to interception & unauthorized access
  Secure Alternatives:
    SMTPS (SMTP Secure) → Port 465 → Uses SSL/TLS to encrypt email communications
    SMTP with STARTTLS → Port 587 → Uses SSL/TLS to encrypt email communications
POP3 → Port 110 → POP3 transmits emails in plaintext, vulnerable to eavesdropping
  Secure Alternative → POP3S (POP3 Secure) → Port 995 → Uses SSL/TLS
IMAP → Port 143 → IMAP transmits data in plaintext, vulnerable to interception
  Secure Alternative → IMAPS (IMAP Secure) → Port 993 → Uses SSL / TLS
SNMP v1/v2 → Port 161/162 → Lacks encryption, vulnerable to interception & tampering
  Secure Alternative → SNMPv3 → Port 161/162 → Adds encryption, authentication & integrity protection to data
LDAP → Port 389 → LDAP transmits data in plaintext, vulnerable to interception & tampering
  Secure Alternative → LDAPS (LDAP Secure) → Port 636 → Uses SSL/TLS to encrypt directory services

Protocols

DNS Security Extensions (DNSSEC) → Provides validation for DNS responses
  It adds a Resource Record Signature (RRSIG) (digital signature) to each record
  RRSIG provides data integrity & authentication for DNS replies
  Helps to prevent DNS poisoning attacks
S/MIME → Secure/Multipurpose Internet Mail Extensions
  Used to digitally sign & encrypt an email
  Uses both asymmetric & symmetric encryption
SRTP → Secure Real Time Protocol → Uses port 5004
  RTP → Real Time Protocol → Delivers audio & video over IP networks
  SRTP provides encryption, message authentication & integrity for RTP
LDAPS → LDAP over TLS → Uses port 636
FTPS → FTP Secure → Uses TLS to encrypt FTP traffic
SNMPv3 → Simple Network Management Protocol → Monitors & manages network devices such as routers & switches
  Uses port 161/162
  Can modify a device’s configuration & check the device’s reported status
  SNMPv3 agents installed on devices send information to the SNMP manager via notifications known as traps
  Flood guard sends SNMP trap messages in response to an alert
  SNMP Usage → Commonly used to gather information from routers, switches, and other network devices → It provides information about a device’s status, including CPU and memory utilization, as well as many other useful details about the device
IPSec → Used to encrypt IP traffic
  Authentication Header (AH) → IPSec uses AH to allow the hosts in a conversation to authenticate with each other before exchanging data
    AH provides authentication & integrity
  Encryption → IPSec includes Encapsulating Security Payload (ESP) to encrypt data & provide confidentiality
  IPSec uses Internet Key Exchange (IKE) to authenticate clients in the IPSec conversation → IKE is used to set up security associations (SAs) on each end of the tunnel
  Modes:
    Transport Mode → Only the payload (the data being transmitted) of the IP packet is encrypted and/or authenticated. The IP header remains intact. Typically used for end-to-end communication between two hosts or devices.
    Tunnel Mode → The entire IP packet (including the original IP header and payload) is encapsulated within a new IP packet with a new IP header. Commonly used for site-to-site VPN connections where entire packets need to be protected.
Post Office Protocol (POP3) → Transfers emails from servers down to clients
  POP3 → Port 110
  POP3S → Port 995
IMAP → Internet Message Access Protocol → Used to store email on the server & it allows users to organize & manage emails in folders on the server
  IMAP → Port 143
  IMAP Secure → Port 993

Use Cases

Voice and video →
  Real Time Protocol (RTP) → A network protocol designed for delivering audio and video over IP networks
  Secure Real Time Protocol (SRTP) → An extension of RTP that provides encryption, message authentication, and integrity, as well as replay protection for RTP data. SRTP ensures secure transmission of real-time audio and video communications.
  Session Initiation Protocol (SIP) → A signaling protocol used to initiate, maintain, modify, and terminate real-time sessions that involve video, voice, messaging, and other communications applications and services.
Time Synchronization →
  Network Time Protocol (NTP) → A protocol used to synchronize the clocks of computers over a network.
  Simple Network Time Protocol (SNTP) → A simplified version of NTP, used for less complex and less demanding synchronization needs. It provides time synchronization but with reduced accuracy and fewer features compared to NTP.
Email and Web → Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), Internet Message Access Protocol (IMAP), HTTP, HTTPS
File Transfer → File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), SSH, SSL, TLS, IPSec, SFTP, FTPS
Directory Services → LDAP
Remote Access → Remote Desktop Protocol (RDP) → Uses port 3389
Domain Name Resolution → DNSSEC
Network Address Allocation → IPv4, IPv6

Objective 3.2

Endpoint Protection

Endpoint Detection & Response (EDR) → Provides continuous monitoring of endpoints
  Performs a deep investigation of all activity on endpoints
  Collects and analyzes data from endpoints to detect anomalies, provide visibility into potential threats, and facilitate timely responses to incidents.
  Incident response, threat hunting, forensic analysis
Data Loss Prevention (DLP) → Prevents data loss
Next-Generation Firewall (NGFW) → An advanced firewall that adds capabilities that aren’t available in first generation or second generation firewalls
  NGFW performs deep packet inspection, adding application level inspection as a core feature
  NGFW can identify application commands & detect potentially malicious traffic
  Features → Deep Packet Inspection (DPI), Integrated IPS, Identifies and controls applications, Sandboxing, malware detection, SSL/TLS decryption, Built-in URL filtering
  Comparison:
    First Gen → Packet Filtering → Based on IP addresses, ports, and protocols
    Second Gen → Stateful Packet Inspection → Tracks active connections and the state of the connection
    NGFW → Deep Packet Inspection (DPI) → Identifies applications, users, and content
HIDS → Host-Based Intrusion Detection System
  Additional software installed on a system such as a workstation or a server
  For HIDS, the traffic passes through the network interface card (NIC)
  HIDS can help to detect malicious software (malware) that traditional antivirus can miss

Boot Integrity

UEFI → Unified Extensible Firmware Interface → Performs many of the same functions as BIOS but provides some enhancements
  A specification for a software program that connects a computer’s firmware to its operating system (OS)
BIOS → Provides instructions on starting → It runs some basic checks, locates the OS & boots
BIOS & UEFI can be upgraded using flashing → Flashing overwrites the software within the chip with newer software
BIOS vs UEFI
  BIOS → Initializes hardware components and boots the OS
    Generally slower boot times due to the sequential initialization process.
  UEFI → More complex initialization process with support for modern hardware and boot methods
    Faster boot times due to parallel initialization processes and optimized boot methods
Measured Boot → Goes through enough of the boot process to perform these checks without allowing a user to interact with the system. If it detects that the system has lost integrity & can no longer be trusted, the system won’t boot
  A security feature that helps ensure the integrity of the boot process by recording each step in the boot sequence and storing the measurements in a secure location, typically in a Trusted Platform Module (TPM)
Boot Attestation → Signatures of the key files used to boot the computer
  Boot attestation requires that systems record and measure the boot process, and subsequently verify to a system that the process was secure.
Measured Boot vs Secure Boot
  Measured Boot → Ensures integrity of the boot process through measurements
    Records and stores measurements of each boot component in the TPM
    Can provide remote attestation of system integrity
    Useful for environments requiring verifiable integrity
  Secure Boot → Ensures only trusted code is executed during boot
    Verifies digital signatures of each boot component
    Does not provide remote attestation
    Useful for environments requiring strict execution control
  Trusted Boot → Verifies the operating system kernel signature and starts the ELAM (Early Launch Anti-Malware) process.
    Cryptographically verifies each boot stage
    Verifies each stage using digital signatures
    Integrity and authenticity of the entire boot process
    Devices requiring complete boot process security

Database

Tokenization → Replaces sensitive elements with a token
  A tokenization system can convert the token back into its original form
Salting → Adds random text to passwords before hashing them
  Used to prevent rainbow table attacks, brute force & dictionary attacks

Application Security

Secure Cookies → A cookie that has the Secure attribute set
  When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTPS).
Code Signing → Identifies the author & the hash verifies that the code hasn’t been modified
  Verifies the originator of the component & thus makes malware less likely

SED & FDE

Full Disk Encryption (FDE) → Encrypts the entire disk
  Users typically need to enter a password or use a cryptographic key stored on a separate device (like a smart card or USB token) to unlock the disk and access its contents.
  Ex. VeraCrypt, BitLocker (Windows), FileVault (macOS), LUKS (Linux).
Self Encrypting Drive (SED) → Also known as hardware based FDE drives
  Automatically encrypts & decrypts data on a drive without user interaction
  A storage device that automatically encrypts data before it is written to the drive and decrypts it when read, without requiring any action from the operating system or user.
  SED doesn’t need authentication
Opal → Set of specifications for SEDs
  It defines what hardware vendors must do to ensure SEDs are configured to prevent unauthorized access
  Opal-compliant drives require users to enter credentials to unlock the drive while booting the system

Trusted Platform Module

TPM is a hardware chip on the computer’s motherboard that stores cryptographic keys used for encryption
TPM provides Full Disk Encryption capabilities
  It keeps the hard drives locked or sealed until the system completes the system verification & authentication process
TPM supports the boot attestation process → When TPM is configured, it captures signatures of the key files used to boot the computer & stores the report of signatures within the TPM
Uses burned-in cryptographic keys & includes built-in protections against brute-force attacks
Secure Boot → When the system boots, the secure boot process checks the files against the stored signatures to ensure that they haven’t changed → If it detects that files have been modified, it blocks the boot process to protect the data on the drive
Remote Attestation → It uses a separate system instead of checking the boot file reports in the TPM
  It captures the signatures of key files & sends them to a remote system
Hardware root of trust → When the private key is matched with the public key, it provides a hardware root of trust, also known as a Known Secure Starting Point
  A TPM includes a unique RSA asymmetric key burned into the chip that provides a hardware root of trust

Objective 3.3

Load Balancing

Active/Active → Can optimize & distribute data loads across multiple computers / networks
  Distributes traffic equally among all the servers in the web farm
  Scheduling → Load balancers use a scheduling technique to determine where to send a new request.
    They use the Round-Robin algorithm to send requests
  Persistence → Load balancers use source address affinity to direct the request
    Source affinity sends requests to the same server based on the requester’s IP address & provides the user with persistence
  Load balancers can detect when a server fails → If a server stops responding, load balancers will not send requests to this server → Contributes to high availability
Active/Passive → One server is active & another server is inactive
  If the active server fails, the inactive server takes over
  The two servers have a monitoring connection to each other to check each other’s health
Load Balancer Algorithms
  Least connection-based → Takes load into consideration and sends the next request to the server with the least number of active sessions
  Round Robin → Simply distributes requests to each server in order
  Weighted Time → Uses health checks to determine which server is currently responding the quickest, and routes traffic to that server.
  Source IP Hash → Uses a unique hash key generated from the source and destination IP addresses to track sessions, ensuring that interrupted sessions can be seamlessly reassigned to the same server, thus allowing the sessions to continue uninterrupted.

Network segmentation

Virtual Local Area Networks (VLAN) → Separates or segments traffic on physical networks
  A logical network segment within a physical network infrastructure that allows devices to be grouped together even if they are not physically connected on the same network switch.
  We can create multiple VLANs with a single Layer 3 switch
  A VLAN can logically group several computers together or logically separate computers without regard to their physical location
  VLANs are used to separate various traffic types (voice, data)
Screened Subnet → Buffer zone between the internet & the intranet (internal network)
  It allows access to services while segmenting access to the internal network
  An additional layer of security is implemented to protect internal networks from external threats
East-West → Refers to traffic between servers
Intranet → Internal network
Extranet → Part of the network that can be accessed by authorized entities from outside of the network
Zero Trust → A network that doesn’t trust any devices by default, even if they were previously verified
  Helps to reduce attacks from internal clients
  Zero trust is not a technology; instead it is a security model based on the principle of zero trust

VPN

SSL/TLS → Some tunneling protocols use TLS to secure VPN channels
  Provides the easiest way for users to use a VPN since it does not require a client (most user-friendly)
Split Tunnel → A VPN admin determines what traffic should use the encrypted tunnel
Full Tunnel → All traffic goes through the encrypted tunnel while the user is connected to the VPN
Site-to-Site VPN → Includes two VPN servers that act as gateways for two networks separated geographically
  IPSec VPNs are used for site-to-site VPNs
  Ex. Users in the remote office can connect to the servers in the HQ location easily
Always-On → Creates a VPN connection as soon as the user’s device connects to the internet
Layer 2 Tunneling Protocol (L2TP) → L2TP is a tunneling protocol → Uses port 1701
  Uses IPsec for encryption, providing confidentiality and integrity of data transmission.
  Combines the features of PPTP (Point-to-Point Tunneling Protocol) and L2F (Layer 2 Forwarding) to create a tunnel between two endpoints.
HTML5 VPN Portal → Allows users to connect to the VPN using their web browser
  It uses TLS to encrypt the session → Can be resource intensive
SSTP → Secure Socket Tunneling Protocol
  A VPN protocol developed by Microsoft for creating secure, encrypted connections over the internet
  SSTP is designed to provide secure remote access to networks by tunneling Point-to-Point Protocol (PPP) traffic through an SSL/TLS channel → Port 443 TCP

Network access control (NAC)

Refers to a set of technologies and policies used by organizations to ensure that devices connecting to their networks are secure and compliant with established security policies
Features:
  Verifies the identity of users and devices attempting to connect to the network.
  Checks endpoints (devices) for compliance with security policies and configurations before granting network access.
  Defines rules and policies that dictate who and what can access specific parts of the network.
  Automatically corrects or isolates non-compliant devices to remediate security issues before allowing access.
  Monitors connected devices continuously to detect anomalies or suspicious behavior.
  Integrates with existing security solutions such as firewalls, IPS/IDS, SIEM
Helps organizations improve network security by controlling access, enforcing policies, and detecting/responding to security threats in real-time.
Agent NAC → NAC uses an agent when the client attempts to log on remotely
  A permanent agent is installed on the client & stays on the client
Agentless NAC → A dissolvable agent is downloaded & runs on the client when the client logs on remotely
  It collects the information it needs, identifies the client as healthy or non-healthy & reports the status back to the NAC system
  Some NAC agents remove themselves immediately after they report to the NAC system
  Other NAC agents remove themselves after the session ends
  An agentless NAC system scans a client remotely without installing code on the client

Port Security

Port security limits the computers that can connect to physical ports on a switch
MAC Filtering → Restricts access to switch ports based on the MAC (Media Access Control) address of devices connected to the port.
  Ex. Each physical port is assigned to a single specific MAC address → MAC Address Sticky
  Port security filters by MAC address, allowing whitelisted MAC addresses to connect to the port and blocking blacklisted MAC addresses.
Broadcast Storm → Caused when two ports of a switch are connected together
  Spanning Tree Protocol (STP) & Rapid STP (RSTP) help to prevent broadcast storms & provide loop prevention for switches
BPDU Guard → Bridge Protocol Data Unit Guard
  STP sends BPDUs in the network to detect loops
  When loops are detected, STP blocks the traffic from switch ports sending redundant traffic
DHCP Snooping → DHCP snooping is a preventive measure
  When DHCP snooping is enabled, the switch only sends DHCP broadcast traffic (DHCP Discover message) to trusted ports
  Prevents rogue DHCP servers as well as malicious or malformed DHCP traffic.
  It also allows the capture and collection of DHCP binding information to let network administrators know who is assigned what IP address.
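
The DHCP snooping behaviour described above, as an added Python simulation (not from the original notes and not any vendor's implementation). The port names, MAC address, IP addresses and the class and function names are all constructed for illustration.

```python
"""DHCP snooping decision logic, simulated (added example; all values constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

CLIENT_MSGS = {"DISCOVER", "REQUEST"}   # sent by clients asking for a lease
SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a real DHCP server should send these


@dataclass(frozen=True)
class DhcpFrame:
    ingress_port: str           # switch port the frame arrived on
    msg_type: str               # DHCP message type
    client_mac: str             # client hardware address carried in the message
    ip: Optional[str] = None    # address offered or acknowledged by a server


@dataclass
class SnoopingSwitch:
    trusted_ports: Set[str]
    client_ports: Dict[str, str] = field(default_factory=dict)         # MAC -> port
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # MAC -> (IP, port)
    drops: List[Tuple[str, str, str]] = field(default_factory=list)

    def _drop(self, frame: DhcpFrame, reason: str) -> List[str]:
        self.drops.append((frame.ingress_port, frame.msg_type, reason))
        return []

    def process(self, frame: DhcpFrame) -> List[str]:
        """Return the egress ports for a frame; an empty list means it was dropped."""
        if frame.msg_type in CLIENT_MSGS:
            # Remember where the client lives, then send its broadcast only
            # towards trusted ports so a rogue server never sees the request.
            self.client_ports[frame.client_mac] = frame.ingress_port
            return sorted(self.trusted_ports - {frame.ingress_port})
        if frame.msg_type in SERVER_MSGS:
            if frame.ingress_port not in self.trusted_ports:
                return self._drop(frame, "server message on untrusted port")
            port = self.client_ports.get(frame.client_mac)
            if port is None:
                return self._drop(frame, "reply for a client that never asked")
            if frame.msg_type == "ACK" and frame.ip:
                # The binding table answers "who is assigned what IP address".
                self.bindings[frame.client_mac] = (frame.ip, port)
            return [port]
        return self._drop(frame, "unrecognised DHCP message type")


# Constructed sample traffic: Gi0/1 is the uplink to the real DHCP server,
# Gi0/5 is an ordinary client port, Gi0/7 hosts a rogue DHCP server.
CLIENT = "00:00:5e:00:53:0a"
SAMPLE_FRAMES = [
    DhcpFrame("Gi0/5", "DISCOVER", CLIENT),
    DhcpFrame("Gi0/7", "OFFER", CLIENT, "198.51.100.66"),   # rogue offer
    DhcpFrame("Gi0/1", "OFFER", CLIENT, "192.0.2.50"),
    DhcpFrame("Gi0/5", "REQUEST", CLIENT),
    DhcpFrame("Gi0/7", "ACK", CLIENT, "198.51.100.66"),     # rogue ack
    DhcpFrame("Gi0/1", "ACK", CLIENT, "192.0.2.50"),
]


def run_demo() -> Tuple[SnoopingSwitch, List[List[str]]]:
    switch = SnoopingSwitch(trusted_ports={"Gi0/1"})
    decisions = [switch.process(f) for f in SAMPLE_FRAMES]
    return switch, decisions


if __name__ == "__main__":
    sw, decisions = run_demo()
    for frame, egress in zip(SAMPLE_FRAMES, decisions):
        print(frame.ingress_port, frame.msg_type, "->", egress or "DROPPED")
    print("bindings:", sw.bindings)
    print("drops:", sw.drops)
```

The drop list is the detection signal: each entry names the port where an unexpected DHCP server answered.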
Network Appliances

Jump Servers → Also called a jump box → A hardened server used to access & manage devices in another network with a different security zone
  A jump server is placed between different security zones
  It can provide secure access to devices in a screened subnet from the internal network
Proxy Servers → Forward requests from clients for services like HTTP or HTTPS → Forward Proxy Server
  Improves performance by caching content
  Can restrict users’ access to inappropriate websites by filtering content
  A proxy server is located on the edge of the network bordering the internet & intranet
  A web proxy can be used to block certain websites.
  Transparent Proxy → Accepts & forwards requests without modifying them
  Non-Transparent Proxy → Uses URL filters to restrict access to certain sites
  Both types of proxy log user activity
Reverse Proxy Server → Accepts requests from the internet for a single web server
  It appears as a web server to clients but it forwards requests to the web server & serves pages returned by the web server
  A reverse proxy is configured to protect the web server
  A reverse proxy server can be used for a web farm of multiple servers → When it is used with a web farm → It can act as a load balancer
Forward Proxy vs Reverse Proxy
  Forward Proxy → A forward proxy regulates client access to the internet, enhancing security and policy enforcement within an internal network
    It sits between the client and the internet and forwards client requests to the internet.
    In a corporate network, a forward proxy may be used to control access to the internet and enforce security policies.
  Reverse Proxy → A reverse proxy manages external requests to servers, offering load balancing and concealing server identities for added security
    It sits in front of servers and directs client requests to the appropriate backend servers.
    A reverse proxy can distribute incoming web requests to multiple web servers in a server farm.
NIDS / NIPS

Signature-based Detection → Detects known malware based on signature definitions
Heuristic-Based Detection → Detects previously unknown malware based on behavior
  Can detect unknown anomalies
Inline → An IPS placed inline with traffic can detect, react to & prevent attacks
Passive → Collects data passively
Heuristic vs Anomaly-based detection
  Heuristic: Heuristic IPS uses algorithms and rules to detect potentially malicious behavior, often identifying new and unknown threats. However, it does not specifically create a baseline of normal activity. Heuristic IPS technology uses artificial intelligence to identify attacks that have no prior signature.
  Anomaly-based: Anomaly-based IPS establishes a baseline of normal network behavior and then monitors traffic to detect and block deviations from this baseline. This makes it the best fit for the requirement of observing normal network activity and blocking deviations

Hardware Security Module (HSM) → A security device that can be added to a system to manage, generate & securely store cryptographic keys
  HSM supports the security methods of TPM
  Many server based applications use an HSM to protect keys
Aggregators → Store log entries from dissimilar systems

Firewalls

Stateful → Inspects traffic & makes decisions based on the traffic context or state
Unified Threat Management (UTM) → A single solution that combines multiple security controls
  UTM will reduce the workloads of admins without sacrificing security
  URL Filtering → Performs the same job as a proxy server → Blocks access to sites based on the URL
    Admins can configure URL filters to allow / block access to specific sites
  Malware Inspection → Screens incoming data for known malware & blocks it
  Content Inspection → Monitors incoming data streams & attempts to block any malicious content
    Includes a spam filter to inspect incoming emails
    Can block specific types of transmissions such as audio or video & file types such as .zip
  DDOS Mitigator → Attempts to detect DDOS attacks & blocks them
  A common security issue of UTM is a misconfigured content filter
  Key Features → Firewall, IPS/IDS, Antivirus & Anti-malware, Content Filtering, Spam Filtering, Application Control, Web Filtering, DLP, Logging, Reporting
Network Address Translation (NAT) Gateway → NAT is a protocol that translates public IP addresses to private IP addresses & private addresses back to public.
  A NAT gateway hosts NAT & provides internal clients with private IP addresses a path to the internet
  Benefits:
    Public IP addresses don’t need to be purchased for all clients
    NAT hides internal computers from the internet
    Hides the internal network structure, making it harder for attackers to target specific devices.
  Static NAT → Uses a single public IP address in one-to-one mapping
  Dynamic NAT → Uses multiple public IP addresses in one-to-many mapping
Quality of service (QoS) → Refers to technologies running on a network that measure & control different traffic types
  It allows admins to prioritize certain types of traffic over others
Implications of IPv6 → All devices on internal network don’t support IPv6 natively
Port Mirroring → Port Spanning → Port Tap → Allows admins to configure the switch to send all traffic the switch receives to a single port
  Port mirroring is not passive (active)
Network Tap → Network taps copy all traffic to another destination, allowing traffic visibility without a device inline.
  Network tapping is completely passive
File Integrity Monitor (FIM) → Some antivirus scanners use file integrity monitors to detect modified system files by calculating hashes of system files as a baseline

Objective 3.4

Cryptographic Protocols

WEP → RC4 stream cipher → 64-bit or 128-bit
  Vulnerable to various attacks (e.g., IV attacks, dictionary attacks)
WiFi Protected Access (WPA) → Introduced to address the weaknesses of WEP.
  TKIP (Temporal Key Integrity Protocol)
  Uses 802.1X for enterprise or PSK (Pre-Shared Key) for home networks
WiFi Protected Access 2 (WPA2) → WPA2 can operate in open, enterprise or Pre-Shared Key (PSK) mode
  Utilizes Advanced Encryption Standard (AES) for encryption
  Supports both 802.1X (EAP) and PSK authentication methods.
  Open Mode → Doesn’t use any security → All data is transferred in cleartext
  PSK or Enterprise Mode → Users access the wireless network anonymously with a PSK or passphrase
    Enterprise mode forces users to authenticate with unique credentials before granting them access to the wireless network
    Enterprise mode uses an 802.1X server, often implemented as a RADIUS server (Authentication)
WiFi Protected Access 3 (WPA3) → Newest wireless cryptographic protocol
  It uses Simultaneous Authentication of Equals (SAE) instead of the PSK used with WPA2
  SAE is a variant of the Dragonfly Key Exchange, which is based on Diffie-Hellman
    A password-based authentication and key exchange protocol used primarily in wireless networks
  WPA3 is the replacement for WPA2
  WPA3 also supports enterprise mode → Uses a RADIUS server & requires users to authenticate
  SAE helps to prevent brute-force attacks against keys by making attackers interact with the network before each authentication attempt. This slows down brute-force attacks.
Comparison → WPA3 > WPA2 > WPA > WEP
Counter-mode/CBC-MAC Protocol (CCMP) → WPA2 uses strong cryptographic protocols such as AES & Counter Mode/CBC-MAC Protocol (CCMP)
  An encryption protocol used in WiFi networks to provide confidentiality, integrity & authentication.
Simultaneous Authentication of Equals (SAE) → WPA3 uses SAE instead of PSK

Authentication Protocols

Extensible Authentication Protocol (EAP) → EAP provides a method for two systems to create a secure encryption key, also known as a Pairwise Master Key
  Systems use this key to encrypt all data transmitted between the devices
  AES based CCMP uses this key
  Used with WPA-Enterprise or WPA2-Enterprise.
Lightweight EAP (LEAP) → LEAP is an early EAP method developed by Cisco Systems
  Uses a variant of MS-CHAP (Microsoft Challenge-Handshake Authentication Protocol) for authentication.
  Deprecated due to security vulnerabilities.
Protected EAP (PEAP) → Provides an extra layer of protection for EAP
  PEAP protects the communication channel by encapsulating & encrypting the EAP conversation in a TLS tunnel
  PEAP requires a certificate on the server but not on the client
  Ex. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
  Used in enterprise Wi-Fi networks with server-side certificates.
EAP-FAST → EAP - Flexible Authentication via Secure Tunneling → Replacement for Lightweight EAP (LEAP)
  EAP-FAST supports certificates, but they’re optional
  Uses a Protected Access Credential (PAC) to establish a TLS tunnel between the client and the authentication server.
  Provides mutual authentication and protection against man-in-the-middle attacks.
  Used in environments requiring lightweight and secure authentication.
EAP-TLS → EAP-TLS requires certificates on the 802.1X server & clients
  EAP-TLS is an EAP method that uses TLS for mutual authentication between the client and the server.
  Used in environments requiring strong mutual authentication and encryption.
EAP-TTLS → EAP-TTLS is an extension of PEAP
  EAP-TTLS is an EAP method that encapsulates EAP methods within a TLS tunnel.
  Allows systems to use older authentication methods such as Password Authentication Protocol (PAP) within a TLS tunnel
  Used in environments where user credentials are stored centrally.
RADIUS Federation → Creates a federation using 802.1X & RADIUS servers

Methods

WiFi Protected Setup (WPS) → Allows users to configure wireless devices without typing in the passphrase
  Users can configure devices by pressing buttons or by entering a short eight-digit PIN
  WPS is susceptible to brute force attacks
Captive portals → A technical solution that forces clients using web browsers to complete a specific process before it allows them access to the network
  Free internet access, paid internet access
  Alternative to 802.1X, as 802.1X can be expensive & sometimes not feasible for organizations

Installation Considerations

Site Survey → Examines the wireless environment to identify potential issues, such as areas with noise or other devices operating on the same frequency bands
  Admins can periodically perform a site survey to verify that the environment hasn’t changed & detect potential security issues
Heat Maps → Give you a color-coded representation of wireless signals
  Color red shows where the wireless signals are strongest
  Color blue shows where the wireless signals are weakest
  They also show dead spots
WiFi Analyzers → Identify activity on channels within the wireless spectrum & analyze activity in the 2.4 & 5 GHz frequency ranges
  Allow you to analyze one frequency range at a time & see each channel’s activity on a graph
BSSID → Basic Service Set Identifier → Unique identifier used in 802.11 WiFi networks to identify a specific access point within a Basic Service Set (BSS)

Objective 3.5

Mobile Device Management (MDM)

Vendors sell Unified Endpoint Management (UEM) solutions to manage mobile devices
Application Management → Can restrict what applications can run on mobile devices
  Use an allow list to control applications & prevent unapproved applications from installing
Full Device Encryption → Organizations use full device encryption on corporate devices to provide device security, application & data security
Storage Segmentation → Used to isolate data
  Users might be required to use external storage for any corporate data to reduce the risk of data loss if the device is lost
Content Management → Can force the user to authenticate again when accessing data within the encrypted segment
Containerization → Organizations can encrypt a container in mobile devices without encrypting the entire device
  Running an organization’s application in a container isolates & protects the application & data
  Useful when employees use their own devices
Geolocation → Includes GPS capabilities to identify the location of the device & device movement
Geofencing → Organizations use GPS to create a virtual fence or geographical boundary
GPS Tagging → Adds geographical information to files such as pictures when posting them on social media
Context-Aware Authentication → Uses multiple elements to authenticate a user & mobile device
  It can include the user’s identity, geolocation & verification that the device is within a geofence, time of day & type of device
  These elements help prevent unauthorized users from accessing the app & data
SEAndroid → Security-Enhanced Android (SEAndroid) uses Security-Enhanced Linux (SELinux) to enforce access security
  It operates using the default denial principle → Anything not allowed is denied
  Enforces Mandatory Access Control (MAC)
  SELinux supports two modes:
    Enforcing Mode → This mode enforces SELinux policy.
      Any activity that is denied by the policy is blocked & logged
    Permissive Mode → This mode doesn’t enforce SELinux policy but it does log all activity that the policy would block if it was in enforcing mode
      Admins use this mode to verify that the policy works as intended before changing it to enforcing mode

Enforcement and Monitoring

Jailbreaking → Refers to removing all software restrictions from Apple devices
Rooting → Process of modifying an Android device to give the user root level access to the device
Sideloading → Process of copying an apk to the device & then activating / installing it
Over-The-Air (OTA) Updates → Updates to the OS overwrite the firmware using OTA updates
Ad hoc → In ad hoc mode, wireless devices connect to each other without an access point

Objective 3.6

Solutions

Cloud Access Security Broker (CASB) → A software tool or service deployed between an organization’s network & the cloud provider
  It provides security by monitoring traffic & enforcing security policies
  Functions:
    Visibility → Identifies and monitors cloud applications, data flows, and user activities.
    Data Security → Protects data through DLP, encryption, tokenization, and access controls.
    Threat Protection → Detects and blocks malware, identifies anomalies, and integrates threat intelligence.
    Compliance → Enforces regulatory policies, provides audit trails, and supports legal holds.
    IAM → Integrates SSO, MFA, and automates user provisioning and deprovisioning.
    Shadow IT Control → Discovers, assesses, and mitigates risks associated with unauthorized cloud services.
    Security Configuration → Manages and monitors cloud service configurations to ensure compliance with security policies.
    Collaborating & Sharing Control → Controls and monitors data sharing and collaboration within cloud platforms.
Next Generation Secure Web Gateway (SWG) → A combination of a proxy server & a stateless firewall
  Clients are configured to access all internet resources via the SWG & it filters the traffic to prevent threats from infiltrating the network
  SWG includes:
    URL filtering → Prevents users from visiting unauthorized sites
    Stateless packet filtering → To detect & block malicious traffic
    Malware detection & filtering to block malware
    Network-based Data Loss Prevention (DLP)
    Sandboxing to check for threats

Objective 3.7
Identity
Identity provider (IdP) → Creates, maintains & manages identity information for principals

Account Types
Personal or End-User Account → Admins create these accounts & assign appropriate privileges based on the user’s responsibilities
  Basic credential policy
Administrator & Root Accounts → Privileged accounts that have additional rights & privileges beyond what a regular user has
  Credential policy requires stronger authentication such as MFA
Service Accounts → Some applications & services need to run under the context of an account
  Admins create a regular user account for a service like SQL, provide appropriate privileges & configure the SQL server to use this account
  This account is like a regular user account, but the difference is that it is used by a service or application, not by a user
  Credential policies may require long, complex passwords for these accounts & the passwords should not expire
  It is common practice to prohibit interactive logins to a GUI or shell for service accounts.
  Use of a service account for interactive logins or attempting to log in as one should be immediately flagged and alerted on as an indicator of compromise (IoC).
Device Accounts → Computers & other devices also have accounts
  Ex.
  Microsoft Active Directory only allows users to log on to computers joined to the domain
Third-party Accounts → Accounts from external entities that have access to the network
  Strong credential policy
Guest Accounts → Useful if you want to grant someone limited access to a computer or network without creating a new account
  Admins commonly disable guest accounts & only enable them in special situations
Sponsored Authentication for Guest Accounts → Requires a guest user to provide valid identification when registering their wireless device for use on the network.
  This requires that an employee validates the guest’s need for access, which is known as sponsoring the guest.
Shared / Generic Account / Credentials → Organizations create a regular user account that temporary workers will share.
  If a temporary agency sends a different person every day, a shared account may provide a better solution than a guest account because the access can be tailored for the shared account
  Basic credential policy

Account Policies
Time-based Logins → Referred to as time-of-day restrictions → Ensure that users can only log on to computers during specific times

Objective 3.8
Authentication Management
Knowledge-based authentication → Organizations use KBA to prove the identity of individuals
  Static KBA → Used to verify identity when you’ve forgotten your password
    Ex.
    Your first dog’s name
  Dynamic KBA → Identifies individuals without an account
    Organizations use this for high-risk transactions, such as in financial institutions or the healthcare industry
    The site queries public & private data sources such as credit reports
    It crafts multiple-choice questions that only the user would know & users typically have a limited amount of time to answer these questions → This limits the amount of time an attacker has to search the Internet for accurate answers
Cognitive password attack → A form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity.
  If you post a lot of personal information about yourself online, then this type of password can easily be bypassed.

Authentication / Authorization
Password Authentication Protocol (PAP) → Used with Point-to-Point Protocol (PPP) to authenticate clients
  A significant weakness of PPP is that it sends passwords over the network in cleartext
  Susceptible to sniffing attacks
Challenge-Handshake Authentication Protocol (CHAP) → Uses PPP & authenticates remote users, but it is more secure than PAP
  The goal of CHAP is to allow the client to pass credentials over a public network without allowing attackers to intercept the data & later use it in an attack
  CHAP uses an encrypted challenge & three-way handshake to send credentials
  Prevents session hijacking
RADIUS → Remote Authentication Dial-In Service → Centralized authentication service
  It is a networking protocol used for centralized authentication, authorization, and accounting (AAA) management in computer networks.
  RADIUS servers are commonly used to authenticate users accessing network resources, such as Wi-Fi networks, VPNs, and other network services.
  Uses port 1812 / 1813
  Instead of each VPN server needing a separate database to identify & authenticate users, the VPN servers forward authentication requests to a central RADIUS server
  RADIUS can also be used with an 802.1X server with WPA2 Enterprise mode
  Each VPN server is configured with a shared secret & the RADIUS server is configured with the matching shared secret for each of the VPN servers
  The centralized RADIUS server holds a centralized database of user accounts → LDAP server
  RADIUS uses UDP, which provides a best-effort delivery mechanism
  RADIUS only encrypts the password by default & can be used with EAP to encrypt the entire session
TACACS+ → Terminal Access Controller Access-Control System Plus → RADIUS alternative
  Uses port 49
  Uses TCP to provide Authentication, Authorization & Accounting services
  It provides two essential security benefits over RADIUS
    It encrypts the entire authentication process
    It uses multiple challenges & responses between the client & server
  It is an authentication service for network devices & it can be used with Kerberos
SAML → Security Assertion Markup Language → An XML-based format used for SSO on web browsers
  If organizations trust each other, they can use SAML as a federated identity management system
  Users authenticate with one website & are not required to authenticate again when accessing the second website
  Many web-based portals use SAML for SSO
  SAML defines three roles:
    Principal → The principal is typically a user → The user logs on once & if necessary, the principal requests an identity from the identity provider
    Identity Provider (IdP) → Creates, maintains & manages identity information for principals
    Service Provider → An entity that provides services to principals
Kerberos → A network authentication protocol used within Windows Active Directory domains & some Unix environments known as realms
  It provides mutual authentication that can help to prevent on-path attacks & uses tickets to prevent replay attacks
  Uses port 88
  Kerberos includes several requirements to
  work properly:
    A method of issuing tickets used for authentication: A key distribution center (KDC) uses a complex process of issuing ticket-granting tickets (TGTs) & other tickets
      Tickets provide authentication for users when they access resources such as files on a file server
      These tickets are sometimes referred to as tokens
    Time Synchronization → Kerberos v5 requires all systems to be synchronized within 5 minutes of each other
      Helps to prevent replay attacks
    A database of subjects or users → DB of users
  When users log on to Kerberos, the KDC issues a ticket to the user, typically with a lifetime of 10 hours to be useful for a single workday
  When users try to access a resource, they present the ticket for authentication & the user is issued a ticket to access the resource
  Kerberos uses symmetric key cryptography to prevent unauthorized disclosure & to ensure confidentiality
  Kerberos does not send the user’s password across the network. → When the user’s name is sent to the authentication service, the service retrieves the hash of the user’s password from the database → then uses that as a key to encrypt data to be sent back to the user. → The user’s machine takes the password that the user entered, hashes it, and then uses that as a key to decrypt what was sent back by the server.

Access Control Schemes
Attribute-based Access Control (ABAC) → Evaluates attributes & grants access based on the value of those attributes
  Attributes can be characteristics of the user, the environment & the resource
  ABAC uses policies to evaluate attributes & grants access when the system detects a match in the policy
  Ex.
  Homer is a nuclear safety inspector → Attributes → employee, inspector, nuclear aware
  Many Software Defined Networks (SDNs) use ABAC schemes
  ABAC policy statements typically include 4 elements:
    Subject → Typically a user
    Object → Resource such as a file, database or application
    Action → What the user is attempting to do, such as reading or modifying a file
    Environment → Includes everything outside of subject & object attributes
  An ABAC system has a lot of flexibility & can enforce both MAC & DAC schemes
Role-based Access Control (RBAC) → Uses roles to manage rights & permissions for users
  Useful for users within a specific department who perform the same job functions
  Admins create roles & assign specific rights & permissions to the roles
  Role-based Access Control is also called hierarchy-based or job-based
  A matrix is a planning document that matches the roles with the required privileges
Group-based Privileges → Reduce the administrative workload of access management
  Admins put user accounts into security groups & assign privileges to the group
  Users within the group automatically inherit the privileges assigned to the group
Rule-based Access Control (Rule-BAC) → Uses rules → Ex.
  Firewalls / Routers
  Routers & firewalls use rules within access control lists (ACLs)
  It is based on a set of approved instructions such as an ACL
  Some Rule-BAC systems use rules that trigger in response to an event, such as modifying an ACL after detecting an attack or granting additional permissions to a user in certain situations
Mandatory Access Control (MAC) → Uses labels (sometimes referred to as sensitivity labels or security labels) to determine access
  Security admins assign labels to both subjects (users) & objects (files / folders)
  When the labels match, the system can grant the subject access to the object
  It is commonly used when access needs to be restricted based on need to know
  Security labels often reflect classification levels of data & clearances granted to individuals
Discretionary Access Control (DAC) → In DAC, objects have an owner & the owner establishes access for the objects
  Many operating systems such as Windows & Unix-based systems use the DAC scheme
  Ex. New Technology File System (NTFS) → Provides security by allowing users & admins to restrict access to files & folders with permissions
  The DAC scheme is more flexible than the MAC scheme
Conditional Access → Conditional Access policies use signals, which are similar to attributes in an ABAC scheme
  Some common signals are: User / Group membership, IP Location, Device
Privileged Access Management (PAM) → Allows an organization to apply more stringent security controls over accounts with elevated privileges such as admin / root accounts
  PAM implements the concept of just-in-time administration → Admins won’t have administrative privileges until they need them → When they need them, they send a request for the elevated privileges
  The PAM system grants the request, typically by adding the account to a group with elevated privileges
  After a pre-set time (such as 15 minutes), their account is automatically removed from the group, revoking the privileges
  PAM Capabilities:
    Allows users to access the privileged account without knowing the
    password
    Automatically change privileged account passwords periodically
    Limit the time users can use the privileged account
    Allow users to check out credentials
    Log all access of credentials
  It reduces opportunities for attackers to use administrative privileges
Filesystem Permissions → NTFS Permissions:
  Write
  Read
  Read & Execute
  Modify
  Full Control

Objective 3.9
Public Key Infrastructure (PKI)
Key Management → Manage public & private keys within PKI
Certificate Authority (CA) → Issues, manages, validates & revokes certificates
Intermediate CA → The root CA issues certificates to intermediate CAs & intermediate CAs issue certificates to child CAs → Child CAs issue certificates to devices or end users
Registration Authority (RA) → Assists the CA by collecting registration information
  The RA never issues certificates; instead it only assists in the registration process
  The registration authority works with the certificate authority to identify and authenticate the certificate requester.
Certificate Revocation List (CRL) → CAs use CRLs to revoke certificates
  CRL is version 2 certificate that includes a list of revoked certificates identified by their serial numbers
  Since public keys are distributed via certificates, adding a certificate to the CRL is the best way to deauthorize a public key
Certificate Elements:
  Serial Number → Uniquely identifies the certificate
  Issuer → Identifies the CA that issued the certificate
  Validity Dates → Includes “Valid From” & “Valid To” dates
  Subject → Identifies the owner of the certificate
  Public Key → Asymmetric encryption uses the public key in combination with the matching private key
  Usage → Some certificates are only for encryption or authentication
Certificate Attributes:
  CN → Common Name → fully qualified domain name (FQDN)
  O → Organization
  L → Locality
  S → State or Province
  C → Country
Online Certificate Status Protocol (OCSP) → Allows the client to query the CA with the serial number of the certificate to determine if it is valid
  Indicates if
  certificate is good, revoked or unknown
  OCSP is a protocol used by the browser to check the revocation status of a certificate
DV (Domain Validation) Certificate → The CA verifies that the certificate subject has control of the domain name
EV (Extended Validation) Certificate → Proves that the X.509 certificate has been issued to the correct legal entity.
Certificate Signing Request (CSR) → Used to request a certificate
  The certificate signing request is sent with the public key to the certificate authority
  Once the certificate information has been verified, the CA will digitally sign the public key certificate.
Subject Alternative Name (SAN) → A SAN certificate is used for multiple domains that have different names but are owned by the same organization → Ex. x.google.com, x.android.com

Certificate Formats
Distinguished Encoding Rules (DER) → Canonical Encoding Rules (CER) & DER are the best formats of certificates
  CER → Used for ASCII certificates
  DER → Used for binary certificates
PEM → Privacy Enhanced Mail (PEM) → Can be used for any certificate purpose → Most commonly used certificate format
P7B → Uses PKCS version 7 format & is CER-based
  Used to share public keys with proof of identity of the certificate holder
P12 → Uses PKCS version 12 format & is DER-based
  Commonly used to store a private key with a certificate
Personal Information Exchange (PFX) → Predecessor to the P12 certificate & it has the same usage
  Binary format
  Admins use this format on Windows systems to import or export certificates

Concepts
Online Versus Offline CAs → Online CA → Accessible over the network
  Offline CAs only accept CSRs manually
  Large organizations keep the root CA offline to reduce the risk of compromise
Stapling → Alternative to OCSP
  The certificate presenter appends to the certificate a timestamped, digitally signed OCSP response from the CA
  This reduces OCSP traffic to & from the CA
  Allows the client to validate the certificate without contacting the OCSP server
Pinning → Helps to prevent
  attackers from impersonating a web site with a fraudulent certificate
  The web server sends a list of public key hashes that clients can use to validate certificates sent to clients in subsequent sessions
Trust Model → CAs are trusted by placing a copy of their root certificate into a trusted root CA store
Key Escrow → The process of placing a copy of a private key in a safe environment
  If the original key is lost, the organization retrieves the copy of the key to access the data
Certificate Chaining → Combines all certificates from the root CA down to the certificate issued to the end user
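
Added example (not part of the original notes) for the Service Accounts guidance under Objective 3.7: a detector that flags interactive logon attempts by service accounts as an IoC. The CSV layout, the account inventory and the log rows are constructed for illustration; event IDs 4624 / 4625 and the logon type numbers are the standard Windows Security log values.

```python
import csv
import io

# Windows Security log: 4624 = successful logon, 4625 = failed logon.
LOGON_EVENTS = {4624: "success", 4625: "failure"}
# Logon types that give a GUI or shell session. Type 5 (service) and
# type 3 (network) are what a service account normally produces.
INTERACTIVE_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}

# Assumption: the organization keeps an inventory of its service accounts.
SERVICE_ACCOUNTS = {"svc_sql", "svc_backup"}

# Constructed sample rows (hypothetical CSV export of logon events).
SAMPLE_LOG = """timestamp,event_id,account,logon_type,source_host
2024-05-01T02:00:00Z,4624,CORP\\svc_sql,5,DB01
2024-05-01T08:14:09Z,4624,CORP\\homer,2,WS17
2024-05-01T23:41:52Z,4625,CORP\\SVC_SQL,10,WS44
2024-05-01T23:42:30Z,4624,svc_sql@corp.example,10,WS44
2024-05-02T01:05:11Z,4624,svc_backup,3,FS02
2024-05-02T01:07:45Z,4624,svc_backup,2,FS02
"""


def normalize(account):
    # Strip a domain prefix or a UPN suffix (name@domain), then lowercase,
    # so differently written forms of one account compare equal.
    name = account.rsplit("\\", 1)[-1].split("@", 1)[0]
    return name.strip().lower()


def find_service_account_iocs(log_text, service_accounts=frozenset(SERVICE_ACCOUNTS)):
    """Return one alert per interactive logon attempt by a service account."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            event_id = int(row["event_id"])
            logon_type = int(row["logon_type"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed rows instead of crashing the detector
        account = normalize(row.get("account") or "")
        if event_id not in LOGON_EVENTS or account not in service_accounts:
            continue
        if logon_type in INTERACTIVE_TYPES:
            # Successes and failures both alert: the attempt alone is an IoC.
            alerts.append({
                "timestamp": row.get("timestamp"),
                "account": account,
                "outcome": LOGON_EVENTS[event_id],
                "logon_type": INTERACTIVE_TYPES[logon_type],
                "source_host": row.get("source_host"),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_service_account_iocs(SAMPLE_LOG):
        print("ALERT", alert)
```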
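
Added example (not part of the original notes) for the ABAC entry under Objective 3.8: a small policy evaluator built on the four elements listed there (subject, object, action, environment), using the Homer attributes from the notes. The policy name, object type and environment keys are assumptions made for illustration; the environment checks reuse the time-of-day and geofence elements from the context-aware authentication entry.

```python
from datetime import time

# Constructed policy: each entry states what must hold for the four ABAC
# elements (subject, object, action, environment). Names are hypothetical.
POLICIES = [
    {
        "name": "inspectors-read-safety-reports",
        "subject": {"employee", "inspector", "nuclear aware"},
        "object": {"type": "safety-report"},
        "actions": {"read"},
        "environment": {"hours": (time(7, 0), time(19, 0)), "inside_geofence": True},
    },
]


def environment_matches(required, env):
    """Check the environment element: time of day and geofence status."""
    start, end = required["hours"]
    now = env.get("time")
    if now is None or not (start <= now <= end):
        return False  # a missing attribute never satisfies a policy
    if required["inside_geofence"] and env.get("inside_geofence") is not True:
        return False
    return True


def evaluate(subject_attrs, obj, action, env, policies=POLICIES):
    """Return (granted, policy_name). Access is granted only on a full match."""
    for policy in policies:
        if not policy["subject"] <= set(subject_attrs):
            continue  # subject lacks a required attribute
        if any(obj.get(k) != v for k, v in policy["object"].items()):
            continue  # object attributes differ
        if action not in policy["actions"]:
            continue  # action not covered by this policy
        if not environment_matches(policy["environment"], env):
            continue  # wrong time of day or outside the geofence
        return True, policy["name"]
    return False, None  # no policy matched, so nothing is granted


if __name__ == "__main__":
    homer = {"employee", "inspector", "nuclear aware"}
    report = {"type": "safety-report", "owner": "plant-ops"}
    on_site = {"time": time(9, 30), "inside_geofence": True}
    print(evaluate(homer, report, "read", on_site))
    print(evaluate(homer, report, "modify", on_site))
    print(evaluate(homer, report, "read", {"time": time(23, 0), "inside_geofence": True}))
```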