Chapter 4: Operations and Incident Response

Objective 4.1 Network Reconnaissance and Discovery
pathping → Combines the ping & tracert commands. Admins use it to locate potential problems between two systems.
hping → Similar to the ping command, but it can send the probe using TCP, UDP & ICMP packets. Useful to identify whether a firewall is blocking ICMP traffic.
theHarvester → Passive recon CLI tool → Uses OSINT methods to gather data such as emails, employee names, host IPs & URLs. It uses popular search engines for its queries & gives you a report.
sn1per → Automated scanner used for vulnerability assessment & to gather info on targets during a penetration test.
scanless → Python-based CLI tool used to scan ports.
dnsenum → Enumerates DNS records for domains. It can perform many Domain Name System (DNS)-related functions, including querying A records, nameservers & MX records, as well as performing zone transfers, Google searches for hosts & subdomains, & net range reverse lookups. It can work in an automated fashion.
Cuckoo → Open-source automated software analysis system / sandbox. Primary purpose → analyze suspicious files.

Forensics
dd → Disk imaging tool (open-source tool).
memdump → Can dump any addressable memory space to the terminal or redirect the output to a dump file.
WinHex → Windows-based hexadecimal editor used for evidence gathering, data analysis, editing, data recovery & data removal. It can work directly with memory.
FTK Imager → Part of the Forensic Toolkit (FTK) sold by AccessData (proprietary tool). FTK Imager is a free tool that can image both systems & memory. It can capture an image of a disk as a single file or multiple files & save the image in various formats.
Autopsy → GUI digital forensic platform → Forensic utilities.

Objective 4.2 Incident Response Plan
This plan provides details about the incident response policy. It provides organizations with a formal, coordinated plan that personnel can use when responding to an event.
Elements:
Definitions of Incident Types → Helps to identify the difference between an event & an actual incident.
Incident Response Team → This team is composed of employees with expertise in different areas. Also referred to as → computer incident response team (CIRT), security incident response team, computer emergency response team (CERT).
Roles & Responsibilities → Many incident response plans identify specific roles for the incident response team along with their responsibilities.

Communication
Communication is a part of the incident response plan & it provides directions on how to communicate issues related to an incident.
Communication plan includes:
First Responders → Initial responders should know when to inform incident response entities & who to contact.
Internal Communication → The incident response team should know when to inform senior personnel of an incident.
Reporting Requirements → Laws impose reporting requirements.
External Communication → Media.
Law Enforcement → Provides teams with digital forensics tools & knowledge.
Customer Communication → Laws indicate when an organization must inform its customers regarding a data breach.

Incident Response Process
Preparation → This phase occurs before an incident & provides guidance to personnel on how to respond to an incident.
Identification → Verify whether it is an actual incident or not.
Containment → After identifying an incident, security personnel attempt to isolate or contain it. This protects critical systems while maintaining business operations. The goal of isolation is to prevent the problem from spreading to other areas of the network.
Eradication → After containing the incident, it's necessary to remove the components of the attack. Includes deleting or disabling infected accounts.
Recovery → During the recovery process, admins return all affected systems to normal operation & verify they are operating normally.
Lessons Learned → After personnel handle an incident, security personnel perform a lessons learned review. The incident may provide some valuable lessons, & organizations might modify procedures or add additional controls to prevent a recurrence of the incident.

Exercises
Tabletop Exercise → Also known as a desktop exercise → Discussion-based exercise. A coordinator gathers participants in a room & leads them through one or more hypothetical scenarios such as a cyber-attack or natural disaster. The coordinator introduces each stage of the scenario & the participants identify how they would respond based on the organization's plan. This exercise validates the plan & sometimes reveals flaws.
Walkthroughs → Workshops or orientation seminars that train team members about their roles & responsibilities. Helps personnel plan a tabletop exercise & develop a formal tabletop test plan.
Simulations → Functional exercises that allow personnel to test the plan in a simulated operational environment → Hands-on exercises.

Attack Frameworks
MITRE ATT&CK → Adversarial Tactics, Techniques & Common Knowledge. It is a knowledge base of tactics & techniques used in real-world attacks.
The Diamond Model of Intrusion Analysis → Focuses on understanding the attacker by analyzing four key components of every intrusion event:
  Adversary → Can be identified by email addresses or handles used in online forums.
  Capabilities → Refers to malware, exploits & other hacker tools used in the intrusion.
  Infrastructure → Refers to internet domain names & IP addresses used by the adversary.
  Victim → Victims can be identified by their names, emails or network identifiers.
Cyber Kill Chain → Includes seven elements for tracking an attack from recon to performing the actions that achieve the attacker's objectives. The Lockheed Martin cyber kill chain → implicitly assumes a unidirectional workflow. It fails to consider that an adversary may retreat during an attack.
Workflow:
  Reconnaissance → Information gathering about the target
  Weaponization → Creating the malicious payload
  Delivery → Sending the malicious payload to the target
  Exploitation → Executing the malicious payload
  Installation → Installing malware to maintain access
  Command and Control (C2) → Establishing communication with the compromised system
  Actions on Objectives → Performing final objectives like data exfiltration or further compromise

Stakeholder Management
Stakeholder management involves working with stakeholders, i.e. those who have an interest in the event or in the impacted systems or services.

Disaster Recovery Plan
Identifies how to recover critical systems after a disaster & often prioritizes the services to restore after an outage. Testing validates the plan. The final phase of disaster recovery includes a review to identify any lessons learned & may include an update to the plan. Disaster recovery is a part of an overall business continuity plan.

Business Continuity Plan (BCP)
Helps an organization to predict & plan for potential outages of critical services or functions. The goal is to ensure that critical business operations continue & the organization can survive the outage.

Continuity of Operations Planning (COOP)
Focuses on restoring mission-essential functions at a recovery site after a critical outage.
Site Resiliency → If one site suffers a catastrophic failure, an alternate site can take over after the disaster. Ensures critical functions can continue or be rapidly resumed during & after disruptions.
COOP planning enhances organizational resilience, reduces financial losses, & helps maintain trust & confidence among stakeholders.

Retention Policies
This policy identifies how long data is retained & sometimes specifies how it is stored. Some laws mandate the retention of data for specific time frames. Proper data governance practices ensure that these time frames are known & followed.

Objective 4.3
syslog → This protocol specifies a general log entry format & details on how to transport log entries.
Originators → Any systems that send syslog messages.
Collector → Originators send syslog log entries to the collector → syslog server.
The syslog protocol only specifies how to format syslog messages & send them to the collector.
Linux systems include the syslogd daemon, which is the service that handles syslog messages → /etc/syslog.conf → /var/log/syslog
Syslog-ng → Extends syslogd, allowing a system to collect logs from any source. It provides correlation, routing abilities to route log entries, rich filtering capabilities & content-based filtering. It supports TCP & TLS.
Rsyslog → Improvement over syslog-ng → Ability to send log entries directly into database engines. It supports TCP & TLS.
NXLog → Log management tool similar to rsyslog & syslog-ng → Supports Linux & Windows. It functions as a log collector & can be integrated with SIEM systems.
journalctl → Command that displays log entries from different sources on a Linux system.
Bandwidth Monitors → By comparing captures taken at different times, investigators can determine changes in network traffic. PRTG & Cacti are both network monitoring tools that can provide bandwidth monitoring information. Bandwidth monitors can help identify exfiltration, heavy & abnormal bandwidth usage, & other information that can be helpful for both incident identification & incident investigations.
NetFlow → A feature available on many routers & switches that can collect IP traffic statistics & send them to a NetFlow collector. NetFlow analysis software allows admins to view & analyze network traffic. NetFlow data provides detailed information about the network traffic → Metadata → source & destination IP addresses, ports, protocols, timestamps, & the amount of data transferred.
sFlow → A sampling protocol → Provides traffic information based on a preconfigured sample rate. Ex. It may capture 1 packet out of 10 packets & send this sample data to the collector. As it captures & sends only sample data, it is less likely to impact the device's performance, allowing it to work on devices with a high volume of traffic.
IP Flow Information Export (IPFIX) → Similar to NetFlow v9 → Replacement for NetFlow.

Objective 4.5 Documentation / Evidence
Legal Hold → Refers to a court order to maintain different types of data as evidence. The data retention policy applies here.
Admissibility → When collecting documentation & evidence, it's essential to follow specific procedures to ensure that the evidence is admissible in a court of law.
Chain of custody → A process that provides assurance that evidence has been controlled & appropriately handled after collection. Forensics experts establish the chain of custody when they first collect the evidence. It provides a record of every person who was in possession of a physical asset collected as evidence → Chain of custody forms list every person who has worked with or who has made contact with the evidence that is part of an investigation. A proper chain of custody procedure ensures that the evidence presented in a court of law is the same evidence that security professionals collected. A well-documented chain of custody can help establish provenance for data, proving where it came from, who handled it, & how it was obtained.
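The flow metadata listed under NetFlow, and the "compare captures taken at different times" approach from the bandwidth monitoring notes, put to work as detection logic. This is an added example, not from the original notes: it sums outbound bytes per internal host from NetFlow-style records, compares them with a baseline from an earlier window, and flags hosts whose volume jumped, which is the exfiltration signal the notes describe. The flow records, the baseline figures and the choice of RFC 1918 ranges as "internal" are all constructed assumptions; the last function shows the sFlow 1-in-N scaling the notes mention.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address space treated as "inside" for this example (assumption: the RFC 1918 ranges).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed NetFlow-style records (not real captures): the per-flow metadata a
# collector exports is all this analysis needs.
FLOWS = [
    {"src": "10.0.1.20", "dst": "203.0.113.5", "sport": 51200, "dport": 443, "proto": "tcp", "bytes": 1_200_000},
    {"src": "10.0.1.20", "dst": "203.0.113.5", "sport": 51201, "dport": 443, "proto": "tcp", "bytes": 900_000},
    {"src": "10.0.1.21", "dst": "198.51.100.9", "sport": 51300, "dport": 443, "proto": "tcp", "bytes": 40_000},
    {"src": "10.0.1.22", "dst": "10.0.2.5", "sport": 49152, "dport": 445, "proto": "tcp", "bytes": 50_000_000},
    {"src": "203.0.113.77", "dst": "10.0.1.20", "sport": 443, "dport": 51200, "proto": "tcp", "bytes": 30_000},
    {"src": "10.0.1.23", "dst": "198.51.100.9", "sport": 51400, "dport": 443, "proto": "tcp", "bytes": 2_500_000},
]

# Constructed per-host outbound totals from an earlier capture window, used as the baseline.
PREVIOUS_WINDOW = {"10.0.1.20": 150_000, "10.0.1.21": 35_000, "10.0.1.23": 2_400_000}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_by_host(flows) -> dict:
    """Bytes sent by each internal host to external destinations. Internal-to-internal
    traffic (the 50 MB SMB flow) and inbound flows are excluded."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def compare_windows(previous: dict, current: dict, factor: float = 5.0, min_bytes: int = 100_000) -> list:
    """Hosts whose outbound volume grew by more than `factor` relative to the earlier
    window, or that are new external talkers above `min_bytes`; largest first."""
    flagged = []
    for host, now in current.items():
        before = previous.get(host, 0)
        if before == 0:
            if now >= min_bytes:
                flagged.append((host, now, before, float("inf")))
        elif now > before * factor:
            flagged.append((host, now, before, now / before))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


def scale_sflow(sampled_bytes: int, sample_rate: int) -> int:
    """sFlow exports 1 packet in N; multiplying by N estimates the full volume."""
    return sampled_bytes * sample_rate


if __name__ == "__main__":
    current = outbound_by_host(FLOWS)
    for host, now, before, ratio in compare_windows(PREVIOUS_WINDOW, current):
        print(f"{host}: {now} bytes out (was {before}, x{ratio:.1f})")
```

Only 10.0.1.20 is flagged: its 2.1 MB to one external host is fourteen times its earlier window, while 10.0.1.23 moves more data in absolute terms but at its normal level, which is why a per-host baseline beats a single global threshold. The threshold and factor are tuning parameters, not values from the notes.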
Provenance → Refers to tracing something back to its origin. The provenance of a forensic artifact includes the chain of custody, including ownership & acquisition of the artifact, device, or image.
Tags → A tag is placed on evidence items when they are identified.
Sequence of Events
Timestamps
Time Offset → Provides info about how the timestamps are recorded.
Reports → After analyzing all the relevant evidence, digital forensics experts create a report documenting their findings. Includes the TTPs of the attackers.

Acquisition and Preservation
Order of Volatility → Refers to the order in which you should collect evidence. You should collect evidence starting with the most volatile & moving to the least volatile.
Order of volatility from most to least:
  Registers, Cache → The contents of CPU cache & registers are extremely volatile, since they are changing all of the time. Literally, nanoseconds make the difference here. An examiner needs to get to the cache & registers immediately & extract that evidence before it is lost.
  Routing Table, ARP Cache, Process Table, Kernel Statistics, Memory
  Temporary File Systems
  Disk
  Remote Logging and Monitoring Data that is Relevant to the System in Question
  Physical Configuration, Network Topology, and Archival Media
Old list:
  Cache → Data in cache memory, including the processor & hard drive cache
  RAM → Data in RAM used by the OS & applications
  Swap / Pagefile → Swap (pagefile) is on the system disk drive → Extension of RAM & stored on the hard drive
  Disk → Data files stored on local disk drives; they remain there after rebooting
  Attached Devices → A USB drive also holds data when the system is powered down
  Network → Servers & shared folders accessible by users & used to store log files
Data Acquisition → Snapshot → Forensic experts use snapshots to capture data for forensic analysis.
Artifacts → Forensic artifacts are the pieces of data on a device that regular users are unaware of, but that digital forensic experts can identify & extract. Ex. Web history, Recycle Bin, Windows Error Reporting, Remote Desktop Protocol (RDP) cache. When artifacts are acquired as part of an investigation, they should be logged & documented as part of the evidence related to the investigation.

On-Premises Versus Cloud Concerns
Right to Audit Clauses → Allow customers to hire an auditor & review the cloud provider's records. Auditing helps the customer ensure that the cloud provider is implementing adequate security. Many cloud service providers do not allow customer-driven audits, either by the customer or a third party. They also commonly prohibit vulnerability scans of their production environment to avoid service outages. Instead, many provide third-party audit results in the form of a service organization controls (SOC) report or similar audit artifact.
Regulatory Jurisdiction → The company must comply with relevant laws.
Data Breach Notification Laws → These laws require organizations to notify customers about a data breach & take steps to mitigate the loss.
Integrity
Provenance → Refers to tracing something back to its origin.
Others
eDiscovery → Electronic discovery → The identification & collection of electronically stored information.
Strategic Intelligence and Counterintelligence → Refers to collecting, processing & analyzing information to create long-term plans & goals. Counterintelligence activities assume that attackers are also using strategic intelligence methods.
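The chain of custody, evidence tags and integrity points from Objective 4.5, worked through as a small custody record. This is an added example and not part of the original notes: the artifact is hashed with SHA-256 at acquisition, every hand-off re-hashes it and is logged with the handler and timestamp, and a verification pass checks that the chain begins with an acquisition entry, that every logged hash equals the acquisition hash, and that the artifact presented now still matches. The image bytes, names, tag and timestamps are constructed; the record structure is this example's own, not a standard form.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class CustodyEntry:
    when: str       # ISO-8601 timestamp supplied by the caller so the record is reproducible
    handler: str    # person taking possession
    action: str     # acquired / transferred / analyzed / returned
    sha256: str     # hash of the artifact as verified at this hand-off


@dataclass
class EvidenceRecord:
    tag: str                    # evidence tag placed on the item when it was identified
    description: str
    acquisition_sha256: str     # hash computed at the moment of acquisition
    custody: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    """Hash in 1 MiB chunks so a multi-gigabyte image is never copied whole."""
    h = hashlib.sha256()
    view = memoryview(data)
    for start in range(0, len(view), 1 << 20):
        h.update(view[start:start + (1 << 20)])
    return h.hexdigest()


def acquire(tag: str, description: str, image: bytes, collector: str, when: str) -> EvidenceRecord:
    """Start the chain: hash the artifact and log the collector as its first custodian."""
    digest = sha256_hex(image)
    record = EvidenceRecord(tag, description, digest)
    record.custody.append(CustodyEntry(when, collector, "acquired", digest))
    return record


def hand_off(record: EvidenceRecord, image: bytes, handler: str, action: str, when: str) -> bool:
    """Re-hash at every hand-off and log it. Returns False (but still logs the entry)
    when the artifact no longer matches the acquisition hash, so the break is on record."""
    digest = sha256_hex(image)
    record.custody.append(CustodyEntry(when, handler, action, digest))
    return digest == record.acquisition_sha256


def verify_chain(record: EvidenceRecord, image: bytes) -> tuple:
    """Return (ok, problems): the chain must begin with acquisition, every logged hash
    must equal the acquisition hash, and the artifact presented now must still match."""
    problems = []
    if not record.custody or record.custody[0].action != "acquired":
        problems.append("chain does not begin with an acquisition entry")
    for i, entry in enumerate(record.custody):
        if entry.sha256 != record.acquisition_sha256:
            problems.append(f"entry {i} ({entry.handler}, {entry.action}) hash mismatch")
    if sha256_hex(image) != record.acquisition_sha256:
        problems.append("artifact presented now does not match acquisition hash")
    return (not problems), problems


# Constructed stand-in for a disk image (16 KiB of repeating bytes), not a real acquisition.
IMAGE = bytes(range(256)) * 64

if __name__ == "__main__":
    rec = acquire("EV-001", "workstation disk image (constructed)", IMAGE, "A. Examiner", "2024-06-23T09:00:00Z")
    hand_off(rec, IMAGE, "B. Analyst", "transferred", "2024-06-23T11:00:00Z")
    print(verify_chain(rec, IMAGE))
```

The design choice worth noting is that a failed hand-off is still appended rather than rejected: the custody form has to show exactly when and in whose hands the artifact stopped matching, because that is the question admissibility turns on.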

June 23, 2024 · 11 min · Dhanraj Chavan

Chapter 5: Governance, Risk, and Compliance

Objective 5.1
Category
Managerial Controls → Primarily administrative in function & typically documented in an organization's written security policy. They use planning & assessment methods to provide an ongoing review of the organization's ability to reduce & manage risk. Administrative controls dictate how security policies should be executed to accomplish the company's security goals. Ex. Risk assessments, vulnerability assessments.
Operational Controls → Ensure that the day-to-day operations of an organization comply with its overall security plan. Primarily implemented & executed by people instead of systems. Ex. Awareness & training, configuration management, media protection, physical & environmental protection.
Technical Controls → Use technology such as hardware, software & firmware to reduce vulnerabilities. Admins install & configure a technical control, & the control then provides the protection automatically. Ex. Encryption, antivirus, IDS, IPS, firewalls, least privilege.

Control types
Preventive Controls → Attempt to prevent security incidents. Ex. Hardening systems, training, security guards, change management, account disablement policy, intrusion prevention system (IPS).
Detective Controls → Attempt to detect when vulnerabilities have been exploited, resulting in a security incident. Ex. Log monitoring, SIEM systems, security audits, video surveillance, motion detection, intrusion detection system (IDS).
Corrective & Recovery Controls → Attempt to reverse the impact of an incident or problem after it has occurred. Ex. Backups & system recovery, incident handling processes, antivirus.
Physical Controls → Controls that you can physically touch. Ex. Barricades, access control vestibules (mantraps).
Deterrent Controls → Attempt to discourage a threat → Attempt to discourage potential attackers from attacking & discourage people from violating the security policy. Ex. Cable locks, physical locks.
Compensating Controls → Alternate controls used instead of a primary control. Organizations adopt compensating controls to address a temporary exception to a security requirement. Doesn't prevent the attack but restores using other means. Ex. Re-image or restore from backup, hot site, backup power system.
  Ex. PCI DSS conditions for a compensating control:
    The control must meet the intent & rigor of the original requirement.
    The control must provide a similar level of defense as the original requirement.
    The control must be "above & beyond" other PCI DSS requirements.
Response Controls → Incident response controls → Controls designed to prepare for security incidents & respond to them when they occur.

Objective 5.2 Regulations, Standards, and Legislation
General Data Protection Regulation (GDPR) → Mandates the protection of privacy data for individuals who live in the EU. Requires a data protection officer (DPO) to oversee the organization's data protection strategy & implementation, & to make sure that the organization complies with the GDPR.
Payment Card Industry Data Security Standard (PCI DSS) → When handling credit cards, a company should comply with PCI DSS. Any organization that processes a credit card will be required to work with its credit card processor instead of working directly with the card issuers (Visa & Mastercard) → Send notification to your credit card processor.

Key Frameworks
Center for Internet Security (CIS) → Identifies, develops, validates, promotes & sustains best practice solutions for cyber defense, & builds & leads communities to enable an environment of trust in cyberspace.
National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) / Cybersecurity Framework (CSF) → Used to mitigate risks. The NIST RMF process is:
  Prepare
  Categorize system
  Select controls
  Implement controls
  Assess controls
  Authorize system
  Monitor controls
Cloud Security Alliance (CSA) → A non-profit organization that promotes best practices related to the cloud.
CSA's Cloud Controls Matrix → Maps existing standards (COBIT, HIPAA, FedRAMP) to common control descriptions, allowing control requirements to be compared & validated across many standards & regulations.
Reference architecture → A document or set of documents that provides a set of standards.

Objective 5.3 Personnel
Acceptable Use Policy (AUP) → Describes the purpose of computer systems & networks, how users can access them, & the responsibilities of users when they access the systems.
Job Rotation → A concept that has employees rotate through different jobs to learn the processes & procedures in each job. Helps to prevent or expose dangerous shortcuts or even fraudulent activity.
Mandatory Vacation → Helps to detect when employees are involved in malicious activity such as fraud. These policies help to deter fraud & discover malicious activities while the employee is away.
Separation of Duties → A principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process. Two people perform separate actions to prevent inventory fraud. This helps prevent potential fraud, such as if a single person prints & signs checks.
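Separation of duties enforced in code rather than only in policy. This is an added example and not part of the original notes: a sensitive action cannot be approved by the person who requested it (separation of duties, using the print/sign checks case from the notes as one entry in a conflicting-roles matrix), and it cannot be executed until two different people have approved it, which is the dual control mechanism the notes define next. The role matrix, user names and action names are constructed assumptions.

```python
from dataclasses import dataclass, field
from itertools import combinations


class PolicyViolation(Exception):
    """Raised when an action would breach separation of duties or dual control."""


# Role pairs one person must never hold at the same time (constructed matrix; the
# print/sign pair is the example the notes use).
CONFLICTING_ROLES = {
    frozenset({"print_checks", "sign_checks"}),
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"request_access", "grant_access"}),
}


@dataclass
class SensitiveAction:
    name: str
    requester: str
    required_approvals: int = 2            # dual control: two people must verify
    approvals: list = field(default_factory=list)


def approve(action: SensitiveAction, approver: str) -> SensitiveAction:
    """Record one approval, refusing self-approval and duplicate approvers."""
    if approver == action.requester:
        raise PolicyViolation("separation of duties: requester cannot approve their own request")
    if approver in action.approvals:
        raise PolicyViolation("dual control: the same person cannot supply two approvals")
    action.approvals.append(approver)
    return action


def is_authorized(action: SensitiveAction) -> bool:
    return len(action.approvals) >= action.required_approvals


def execute(action: SensitiveAction) -> str:
    """Stand-in for the protected operation; only runs once dual control is satisfied."""
    if not is_authorized(action):
        raise PolicyViolation(f"{action.name}: {len(action.approvals)}/{action.required_approvals} approvals")
    return f"executed {action.name}"


def conflicting_assignments(user_roles: dict) -> dict:
    """Per user, every pair of roles they hold that the matrix forbids (sorted for stable output).
    Running this over a directory export is the access-review side of separation of duties."""
    report = {}
    for user, roles in user_roles.items():
        hits = [tuple(sorted(pair)) for pair in combinations(sorted(roles), 2)
                if frozenset(pair) in CONFLICTING_ROLES]
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    wire = SensitiveAction("wire_transfer", requester="alice")
    approve(wire, "bob")
    approve(wire, "carol")
    print(execute(wire))
    print(conflicting_assignments({"dave": {"print_checks", "sign_checks"}, "erin": {"print_checks"}}))
```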
Least Privilege → Specifies that individuals & processes are granted only the privileges needed to perform assigned tasks or functions, but no more.
Dual Control → A security mechanism that requires two individuals to simultaneously verify & approve an action or access to a system.

Job Rotation vs Separation of Duties vs Dual Control
Job Rotation → Periodic movement of employees between roles → Skill enhancement, reduced fraud risk, reduced monotony.
Separation of Duties → Dividing tasks & privileges among multiple individuals → Minimizes the risk of fraud & errors.
Dual Control → Requiring two individuals to simultaneously verify an action → Prevents unauthorized access or actions.

Third-Party Risk Management
Vendors → Implement vendor diversity to provide cybersecurity resilience.
End of life (EOL) → Refers to the date when a product will no longer be offered for sale.
End of service life (EOSL) → Indicates the date when you expect a lack of vendor support because vendors no longer create patches or upgrades to resolve vulnerabilities for the product.
Service level agreement (SLA) → An agreement between a company & a vendor that stipulates performance expectations, such as minimum uptime & maximum downtime levels.
Memorandum of understanding (MOU) → Expresses an understanding between two or more parties indicating their intention to work together toward a common goal.
Business partners agreement (BPA) → A written agreement that details the relationship between business partners, including their obligations toward the partnership.
Measurement Systems Analysis (MSA) → Evaluates the processes & tools used to make measurements.
Interconnection Security Agreement (ISA) → A formal agreement between organizations that governs the security requirements & responsibilities when connecting their information systems or networks.
Non-Disclosure Agreement (NDA) → The legal basis for protecting information assets. NDAs are legally binding agreements to keep information confidential. If an employee or contractor breaks this agreement & does share such information, they may face legal consequences.

Objective 5.4 Risk management strategies
Risk management is the practice of identifying, monitoring, & limiting risks to a manageable level.
Risk Awareness → Acknowledgement that risks exist & must be addressed to mitigate them.
Inherent Risk → Refers to the risk that already exists before controls are in place to manage it.
Residual Risk → The amount of risk that remains after managing or mitigating risk to an acceptable level.
Control Risk → Refers to the risk that exists if in-place controls do not adequately manage risks. Control risks specifically apply to financial information, where they may impact the integrity or availability of the financial information.
Risk Appetite → Refers to the amount of risk an organization is willing to accept.
Risk Avoidance → An organization can avoid a risk by not providing a service or not participating in a risky activity.
Risk Mitigation → The organization implements controls to reduce risks. These controls reduce the vulnerabilities or reduce the impact of the threat. Ex. Patching systems immediately after the release of patches, which helps to mitigate the risk of known security vulnerabilities being exploited by malicious actors.
Risk Acceptance → The amount of risk the organization is willing to accept.
Risk Transference → The organization transfers the risk to another entity, or at least shares the risk with another entity.
Cybersecurity Insurance → Helps to protect businesses & individuals from losses related to cybersecurity incidents such as data breaches & network damage.

Risk Analysis
Risk Register → Lists all known risks for a system or an organization.
Risk Matrix → Plots the risks onto a graph or a chart.
Heat Map → Similar to a risk matrix, but instead of using words it uses colors such as green & red.
Risk control assessment → Examines the organization's known risks & evaluates the effectiveness of in-place controls.
Risk control self-assessment → A risk control assessment performed by employees.
Internal Risk → Risks that the organization itself creates.
External Risk → Risks created by factors outside the organization's control.
Multiparty Risk → A risk that involves multiple organizations.
Legacy System Risk → A risk created by a system or process that is no longer supported or updated.
IP Theft Risk → An intellectual property (IP) theft risk occurs when proprietary information or trade secrets might be exposed or lost.

Regulations that affect risk posture:
Health Insurance Portability and Accountability Act (HIPAA) → Mandates that organizations protect health information.
Gramm-Leach-Bliley Act (GLBA) → Financial Services Modernization Act → Includes financial privacy rules; a critical piece of legislation safeguarding consumers' financial privacy. It requires financial institutions to provide customers with a privacy notice explaining what information they collect & how it is used.
Sarbanes-Oxley Act (SOX) → Requires the executives within an organization to take individual responsibility for the accuracy of financial reports. Mandates financial & IT controls to protect against corporate fraud.
General Data Protection Regulation (GDPR) → EU regulation that mandates the protection of privacy data for individuals who live in the EU.
HITECH → Health Information Technology for Economic and Clinical Health Act. Extends HIPAA's privacy & security requirements & encourages healthcare organizations to invest in strong cybersecurity measures.
FISMA → Federal Information Security Management Act. Establishes a comprehensive framework for ensuring the security of information & information systems for all executive branch agencies. Sets standards for securing federal government information systems.
COPPA → Children's Online Privacy Protection Act. Regulates the online collection of personal information from children under 13.
CCPA → California Consumer Privacy Act. Grants California residents rights over their personal data collected by businesses.
CISA → Cybersecurity Information Sharing Act. Encourages sharing of cybersecurity threat information between the government & the private sector.

Risk assessment types
Quantitative Risk Assessment → Measures the risk using a specific monetary amount. It is the process of assigning numerical values to the probability that an event will occur & to the impact the event will have. This monetary amount makes it easy to prioritize risks.
  Single Loss Expectancy (SLE) → Cost of any single loss.
  Annual Rate of Occurrence (ARO) → Indicates how many times the loss will occur in a year.
  Annual Loss Expectancy (ALE) → SLE x ARO = ALE
Qualitative Risk Assessment → Uses judgement to categorize risks based on likelihood of occurrence (probability) & impact. Qualitative risk assessment is the process of ranking which risk poses the most danger using ratings like low, medium, & high.

Business Impact Analysis
An important part of the Business Continuity Plan (BCP). It helps the organization identify critical systems & components that are essential to the organization's success. It helps to identify vulnerable business processes, which are mission-essential functions. It identifies maximum downtime limits for these systems & components, various scenarios that can impact these systems & components, & the potential losses from an incident.
Recovery Time Objective (RTO) → Identifies the maximum amount of time it can take to restore a system after an outage.
Recovery Point Objective (RPO) → Identifies a point in time where the data loss is acceptable. It is the period of time a company can tolerate lost data being unrecoverable between backups.
Mean time between failures (MTBF) → Provides a measure of a system's reliability & is usually represented in hours → Identifies the average time between failures. A measurement that shows how reliable a hardware component is; a prediction of how often a repairable system will fail.
Mean Time to Failure (MTTF) → The average time to failure for a non-repairable system or component. It measures the expected operational lifetime before failure. Helps in predicting the lifespan & planning replacements.
Mean time to repair (MTTR) → Identifies the average time it takes to restore a failed system. Also called mean time to recover. Used in assessing & improving maintenance efficiency.
Disaster recovery plan (DRP) → Identifies how to recover critical systems after a disaster & often prioritizes the services to restore after an outage. The first step in developing an effective disaster recovery plan is to identify the assets.
Functional Recovery Plan → A recovery plan focused on a specific technical & business function.
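The quantitative and qualitative assessment types from Objective 5.4, worked through over a small risk register. This is an added example and not part of the original notes: each register entry carries the SLE and ARO the notes define, ALE = SLE x ARO ranks the entries, and a control is valued as the ALE it removes minus its own annual cost, which is how a mitigation decision is justified in money terms. The risk-matrix function maps the notes' low/medium/high likelihood and impact words to a rating. All register entries, figures and control costs are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single loss expectancy: cost of one occurrence
    aro: float   # annual rate of occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        return self.sle * self.aro   # ALE = SLE x ARO


def rank_by_ale(register) -> list:
    """Quantitative prioritization: highest annual loss expectancy first."""
    return sorted(register, key=lambda r: r.ale, reverse=True)


def control_value(risk: Risk, annual_cost: float, new_sle=None, new_aro=None) -> float:
    """Annual value of a control = ALE before - ALE after - annual cost of the control.
    A positive result means the control saves more than it costs; negative means the
    risk is cheaper to accept than to mitigate this way."""
    after = Risk(risk.name,
                 risk.sle if new_sle is None else new_sle,
                 risk.aro if new_aro is None else new_aro)
    return risk.ale - after.ale - annual_cost


QUALITATIVE_SCALE = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """One cell of a 3x3 risk matrix: likelihood x impact scores mapped back to a word."""
    score = QUALITATIVE_SCALE[likelihood] * QUALITATIVE_SCALE[impact]
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


# Constructed risk register (figures invented for illustration, not from any assessment).
REGISTER = [
    Risk("ransomware on file server", sle=250_000, aro=0.2),
    Risk("laptop theft", sle=5_000, aro=4),
    Risk("web defacement", sle=30_000, aro=0.5),
    Risk("datacenter flood", sle=2_000_000, aro=0.01),
]

if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        print(f"{r.name:<28} SLE={r.sle:>12,.0f} ARO={r.aro:<5} ALE={r.ale:>10,.0f}")
    # Offline backups cut the ransomware SLE (rebuild cost only) but not how often it strikes.
    print("offline backups:", control_value(REGISTER[0], annual_cost=12_000, new_sle=40_000))
    # Full-disk encryption cuts a stolen laptop's SLE to the hardware; ARO is unchanged.
    print("disk encryption:", control_value(REGISTER[1], annual_cost=3_000, new_sle=1_500))
```

The ranking shows why ALE, not SLE, drives priority: the flood has by far the largest single loss but ties with laptop theft once its rate is applied, and the ransomware entry tops the list despite a lower SLE than the flood.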

June 23, 2024 · 10 min · Dhanraj Chavan

Improvement Notes

Implicit Deny → It ensures that anything not specifically allowed in the rules is blocked Private IP Addresses 10.x.x.x → 10.0.0.0/8 → 255.0.0.0 → Class A 172.16.x.x to 172.31.x.x → 172.16.0.0/12 → 255.240.0.0 → Class B 192.168.x.x → 192.168.0.0/16 → 255.255.0.0 → Class C Difference between Dictionary & Rainbow table Dictionary → List of potential passwords (words) Rainbow Table → Precomputed table containing hash of potential passwords Skimming vs Card Cloning Skimming → Capturing credit card data at Point of Sale (POS) Card Cloning → Making a copy of credit card STIX & TAXII → Threat Feed Refer Notes Difference between SOAR & SIEM Security orchestration, automation, and response (SOAR) services are designed to integrate with a broader range of both internal and external applications. SOAR includes security operations automation Windows SAM → Database in Windows that stores user account information, including usernames & hashed passwords. Intelligence Fusion → Combines all this data to create a picture of likely threats and risks for an organization Maneuver → A threat hunting concept that involves thinking like a malicious actor to help recognize indicators of compromise that might otherwise be hidden Types of DDOS → Operational, Network, Application Application (DDoS) → aimed at applications Network DDOS → A network DDoS would be aimed at network technology, either the devices or protocols that underly networks. OT DDOS → An operational technology (OT) DDoS targets SCADA, ICS, utility or similar operational systems. Difference between Vulnerability Scan & Penetration Testing Vulnerability Scan → Vulnerability scans use automated tools to look for known vulnerabilities in systems and applications and then provide reports to assist in remediation activities. Penetration Testing → Penetration tests seek to actually exploit the vulnerabilities and break into systems. 
Security audits → Security audits usually focus on checking policies, incident reports, and other documents. Known Vs Unknown Environment An unknown environment test is also called black-box or a zero-knowledge test because it does not provide information beyond the basic information needed to identify the target. A known environment, or white-box test, involves very complete information being given to the tester. SOAR Functionalities Bluejacking vs Bluesnarfing vs Bluebugging Bluejacking → Practice of sending unsolicited messages to nearby bluetooth devices Bluesnarfing → Unauthorized access to, or theft of info from a bluetooth device Bluebugging → Gains access to the phone & install a backdoor Spyware & Adware are both common examples of PUPs Pharming Attack Techniques changing the local hosts file exploiting a trusted DNS server. Fileless viruses often take advantage of PowerShell to perform actions once they have used a vulnerability in a browser or browser plug-in to inject themselves into system memory. Cross-site request forgery (XSRF or CSRF) takes advantage of the cookies and URL parameters legitimate sites use to help track and serve their visitors. A botnet that uses Internet Relay Chat (IRC) as its command-and-control channel & IRC’s default port is TCP 6667 LDAP focuses on input validation & filtering the output rather than parameterization SSL stripping attack is a on-path attack → An SSL stripping attack requires attackers to persuade a victim to send traffic through them via HTTP while continuing to send HTTPS encrypted traffic to the legitimate server by pretending to be the victim. U.S. Trusted Foundry program → Intended to prevent supply chain attacks by ensuring end-to-end supply chain security for important integrated circuits and electronics. 
Information Sharing and Analysis Centers (ISACs) help critical infrastructure owners and operators protect their facilities, personnel and customers from cyber and physical security threats and other hazards. ISACs collect, analyze and share actionable threat information with their members and provide members with tools to mitigate risks and enhance resiliency.

Filesystem Permissions
0 → --- → No permission
1 → --x → Execute
2 → -w- → Write
3 → -wx → Write + Execute
4 → r-- → Read
5 → r-x → Read + Execute
6 → rw- → Read + Write
7 → rwx → Read + Write + Execute

Threat Actors vs Threat Vectors
Threat Actors → Individuals or entities initiating attacks
Threat Vectors → Methods used to carry out attacks

Subnet Calculation Formula (addresses per prefix length)
/32 → 1
/31 → 2
/30 → 4
/29 → 8

Power Outage → PDU, UPS, Generator
Power Distribution Unit (PDU) → A device that distributes electrical power to multiple devices from a single source. No battery backup; power is only distributed. May provide surge protection, overload protection, and monitoring capabilities.
Uninterruptible Power Supply (UPS) → A device that provides emergency power to connected equipment when the input power source fails. Continues to supply power to connected devices during short-term outages.
Generator → A device that converts mechanical energy into electrical energy. Typically used as a backup power source for extended outages, providing long-term backup power.

An air gap is more effective than VLAN separation for preventing the spread of malware.

Using both server-side execution and validation requires more resources but prevents client-side tampering with the application and data.

An Arduino is a microcontroller well suited for custom development of embedded systems. They are small, inexpensive, and commonly available.
If the key length is increased by 1 bit, the number of potential keys doubles (twice as many).

Prime factorization algorithms and elliptic curve cryptography are believed to be vulnerable to future quantum computing–driven attacks against cryptographic systems.

Account Usage Auditing → Provides a warning that someone's account is being used when they are not actually using it

Both Advanced Encryption Standard (AES) and Data Encryption Standard (DES) are block ciphers.

RADIUS provides AAA.

Datacenter
Hot aisle/cold aisle is a layout design for server racks and other computing equipment in a datacenter. The goal of a hot aisle/cold aisle configuration is to conserve energy and lower cooling costs by managing airflow. An infrared camera will detect heat levels on the aisles. Although the rest of the options are potential issues for a datacenter, an infrared camera won't help with them.

Software-defined networking (SDN) makes the network very scalable.
A cloud access security broker (CASB) is used to monitor cloud activity and usage and to enforce security policies on users of cloud services.
Microservice architectures build applications as a set of loosely coupled services that provide specific functions using lightweight protocols.
Infrastructure as code (IaC) is the process of managing and provisioning computer datacenters through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.
RTOS Security → Using secure firmware, as well as using an RTOS with time and space partitioning, are both common methods to help ensure RTOS security.
Homomorphic encryption can perform computations on the ciphertext without access to the private key that the ciphertext was encrypted with.
Tape backups are the most common solution for cold backups off-site.
An advantage of compiling software is that you can perform static code analysis.
Version Numbering → Ensures that the proper current version of software components is included in new releases and deployments
NIC Teaming → Greater throughput and fault tolerance
USB data blockers are used to ensure that cables can only be used for charging, and not for data transfer.
The Linux kernel uses user-driven events like keystrokes, mouse movement, and similar events to generate randomness (entropy).

OpenID vs OAuth
OpenID → An authentication protocol that allows users to log in to multiple applications or websites using a single set of credentials. Ex. Logging in to different websites using a Google or Facebook account → Single sign-on (SSO)
OAuth → An authorization protocol used for providing client applications delegated access to server resources on behalf of a user. Ex. Allowing a mobile app to access your Google Drive files without sharing your Google password

FIDO U2F → An open standard provided by the Fast IDentity Online Alliance; a standard for security keys

Load Balancer Algorithms
Least Connection → Takes load into consideration and sends the next request to the server with the least number of active sessions
Round Robin → Simply distributes requests to each server in order
Weighted Time → Uses health checks to determine which server is currently responding the quickest, and routes traffic to that server
Source IP Hash → Uses a unique hash key generated from the source and destination IP addresses to track sessions, ensuring that interrupted sessions can be seamlessly reassigned to the same server, thus allowing the sessions to continue uninterrupted

Global Positioning System (GPS) data and data about local Wi-Fi networks are the two most commonly used sources that help geofencing applications determine where they are.
Hashing → Commonly used in databases to increase the speed of indexing and retrieval, since it is typically faster to search for a hashed key than for the original value stored in the database
Secrets management services provide the ability to store sensitive data like application programming interface (API) keys, passwords, and certificates.
The three channels that do not overlap are 1, 6, and 11 in U.S. installations of 2.4 GHz Wi-Fi networks.
Infrared (IR) is the only line-of-sight method on the list.
Digital certificates use the X.509 standard (or the PGP standard) and allow the user to digitally sign authentication requests.
Microsoft System Center Configuration Manager (SCCM) → Provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory

Heuristic vs Anomaly-based Detection
Heuristic → Heuristic IPS uses algorithms and rules to detect potentially malicious behavior, often identifying new and unknown threats. However, it does not specifically create a baseline of normal activity. Heuristic IPS technology uses artificial intelligence to identify attacks that have no prior signature.
Anomaly-based → Anomaly-based IPS establishes a baseline of normal network behavior and then monitors traffic to detect and block deviations from this baseline. This makes it the best fit for the requirement of observing normal network activity and blocking deviations.

Checksum vs Hash
Multiple files could have the same checksum value, whereas a hashing algorithm will be unique for each file that it is run against → Hashing > Checksum

Windows Log Files & Linux Log Files
CentOS and Red Hat both store authentication log information in /var/log/secure instead of the /var/log/auth.log used by Debian and Ubuntu systems.

Containment vs Isolation

Types of dashboard in SIEM
grep "Failed password" /var/log/auth.log → Command used to check for brute-force attacks on Linux systems
Mapping networks using ping relies on pinging each host, and then uses time-to-live (TTL) information to determine how many hops exist between known hosts and devices inside a network. When TTLs decrease, another router or switch typically exists between you and the device.
Zero-wiping a drive can be done using dd → dd if=/dev/zero of=/dev/sda bs=4096
The Content-Addressable Memory (CAM) tables on switches contain a list of all the devices they have talked to.
Content Filter → Specifically designed to allow organizations to select both specific sites and categories of content that should be blocked
The Windows swapfile is saved in the root of the drive by default → C:\pagefile.sys
A system crash, or system dump, file contains the contents of memory at the time of the crash. The infamous Windows blue screen of death results in a memory dump to a file, allowing analysis of memory contents.
Anti-forensics activities follow lateral movement in the Cyber Kill Chain model. It helps to remember that after an attacker has completed their attack, they will attempt to hide traces of their efforts, and then may proceed to denial-of-service or exfiltration activities in the model.
Jurisdictional boundaries exist between states and localities, as well as countries, making it challenging for local law enforcement to execute warrants and acquire data from organizations outside of their jurisdiction in many cases.
Virtual machine forensics typically relies on a snapshot gathered using the underlying virtualization environment's snapshot capabilities. This will capture both memory state and the disk for the system and can be run on an independent system or analyzed using forensic tools.
The Volatility framework is a purpose-built tool for the acquisition of random access memory (RAM) from a live system.
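As an added example (not part of the original notes), the grep command above expanded into a small triage function that counts failed SSH logins per source IP and flags sources above a threshold, with a helper that picks /var/log/secure or /var/log/auth.log as the notes describe; the sample log lines, temp file and threshold are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original notes: turn
#   grep "Failed password" /var/log/auth.log
# into a per-source-IP count so brute-force sources stand out.

# Pick the distro's auth log: /var/log/secure on CentOS/Red Hat,
# /var/log/auth.log on Debian/Ubuntu (as stated in the notes above).
auth_log_path() {
    if [ -f /var/log/secure ]; then
        echo /var/log/secure
    else
        echo /var/log/auth.log
    fi
}

# Constructed sample of Debian/Ubuntu-style sshd lines (not real data),
# written to a temp file so the functions can run offline.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun 23 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jun 23 10:01:04 host sshd[1201]: Failed password for root from 203.0.113.5 port 40113 ssh2
Jun 23 10:01:06 host sshd[1203]: Failed password for root from 203.0.113.5 port 40114 ssh2
Jun 23 10:01:09 host sshd[1205]: Accepted password for alice from 198.51.100.7 port 51022 ssh2
Jun 23 10:01:12 host sshd[1207]: Failed password for bob from 198.51.100.7 port 51030 ssh2
Jun 23 10:02:15 host sshd[1209]: Failed password for invalid user test from 203.0.113.5 port 40120 ssh2
EOF

# Print "count ip" for every source address with failed logins, highest first.
# $1 = log file path
failed_by_ip() {
    grep "Failed password" "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Print only the source addresses whose failure count is >= the threshold.
# $1 = log file path, $2 = threshold (assumed value, tune per environment)
brute_force_sources() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# Usage on a live host: brute_force_sources "$(auth_log_path)" 10
failed_by_ip "$SAMPLE_LOG"
brute_force_sources "$SAMPLE_LOG" 3
```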
Standards:
ISO 27001 → International standard for information security management systems (ISMS). Specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS.
ISO 27002 → International standard for implementing and maintaining information security systems. Provides guidelines and best practices for organizational information security standards and information security management practices.
ISO 27017 → International standard for cloud security. Provides guidelines for information security controls applicable to the provision and use of cloud services.
ISO 27018 → Establishes guidelines to protect personal data in cloud computing environments.
ISO 27019 → Provides guidelines for information security management in the energy utility industry, focusing on process control systems.
ISO 27031 → Provides guidelines for ICT readiness for business continuity, to ensure information and communication technology systems can support business operations in the event of disruptions.
ISO 27032 → Provides guidelines for improving the state of cybersecurity, emphasizing the protection of cyberspace, including critical information infrastructure.
ISO 27033 → Provides guidelines for improving the state of cybersecurity, emphasizing the protection of cyberspace, including critical information infrastructure.
ISO 27701 → Extends the ISO 27001 and 27002 standards to include detailed management of PII (Personally Identifiable Information) and data privacy.
ISO 29100 → Establishes a high-level framework for protecting personally identifiable information (PII) and provides a privacy framework.
NIST 800-12 → A general security standard; it is a U.S. standard, not an international one.
NIST 800-14 → A standard for policy development; it is also a U.S. standard, not an international one.
ISO 22301 → International standard that outlines how organizations can ensure business continuity and protect themselves from disaster.
NIST CSF → Cybersecurity Framework. A voluntary framework that provides a set of standards, guidelines, and best practices for managing cybersecurity risks. Offers a risk-based approach for managing and reducing cybersecurity risks, focusing on critical infrastructure.
NIST SP 800-37 → Outlines the Risk Management Framework (RMF) for federal information systems to ensure they are secure and risk-managed.
NIST SP 800-115 → Provides technical guidance on conducting security testing and assessments.
NIST SP 800-122 → Offers guidelines for protecting the confidentiality of personally identifiable information (PII).
NIST SP 800-128 → Details best practices for security-focused configuration management of information systems.
NIST SP 800-137 → Provides guidance for continuous monitoring of information systems and organizations to maintain security posture.
NIST SP 800-145 → Defines cloud computing and its essential characteristics, service models, and deployment models.

Change management is the process of documenting all changes made to a company's network and computers.

Privacy Roles:
Data Owner → Responsible for the data's overall management and governance, including its security and integrity. Data owners assign labels such as top secret to data. A data controller or data owner is the organization or individual who collects and controls data. Determines data usage policies, sets data access permissions, and is accountable for the data's accuracy and appropriateness. Holds ultimate responsibility for maintaining confidentiality, integrity, and availability. Ex. Department head deciding access to datasets
Data Processor → An entity or individual that processes data on behalf of the data controller. Data processors are service providers that process data for data controllers. Follows data controller instructions, ensures regulatory compliance. Ex. Cloud service provider handling client data
Data Steward → Ensures data quality and fitness for purpose. A data steward carries out the intent of the data controller and is delegated responsibility for the data. Oversees data governance policies, ensures data quality, and manages data assets to ensure they meet business needs. Ex. A data quality analyst who reviews data entries for accuracy and consistency
Data Custodian → Responsible for the safe custody, transport and storage of data, and the implementation of business rules. Custodians assign security controls to data. Manages and protects data, ensures proper handling and safeguarding of data, and maintains data integrity and availability. Ex. IT professional managing data backups
Privacy Officer → Ensures that companies comply with privacy laws and regulations. Ex. Compliance officer ensuring adherence to GDPR/HIPAA

System administrators are responsible for the overall functioning of IT systems.
Security program administrators often use different types of training to ensure that trainees who react and respond differently to training are given training that helps them.
Customer data can include any information that a customer uploads, shares, or otherwise places in or creates via a service.

Standard for Attestation Engagements (SSAE)
A SOC 2 engagement assesses the security and privacy controls that are in place, and a Type 2 report provides information on the auditor's assessment of the effectiveness of the controls that are in place.
A SOC 1 report assesses the controls that impact the accuracy of financial reporting.
A Type 1 report provides the auditor's opinion of the description provided by management about the suitability of the controls as designed.
Predictive analysis for Threat Intelligence comes from:
Large Security Datasets
Behavior Patterns
Current Security Trends

Polymorphism → Technique used by malware creators to shift the signature of malware to prevent detection by antivirus tools
ISACs (Information Sharing and Analysis Centers) → Collaborative industry organizations that analyze and share cybersecurity threat information within their industry verticals in the USA
Shimming & Refactoring
DVR → Ability to record video in CCTV
IP Spoofing is a technique used by attackers to create IP packets with a forged source IP address → MITM attack
Use secure firmware to secure an RTOS.

CIA & DAD Triad
Confidentiality → Disclosure
Integrity → Alteration
Availability → Denial

Breach Impact
Financial Risk → Risk of monetary damage to the organization as a result of a data breach
Reputational Risk → Occurs when the negative publicity surrounding a security breach causes the loss of goodwill among customers, employees, suppliers & stakeholders
Identity Theft → Use of exposed PII in attacks
Strategic Risk → Risk that the organization will become less effective in meeting its major goals & objectives as a result of the breach. Strategic risk affects business plans.
Operational Risk → Risk to the organization's ability to carry out its day-to-day operations. Operational risk shows up as inefficiency & delay within the organization.
Compliance Risk → Occurs when a security breach causes an organization to violate legal or regulatory requirements. Ex. HIPAA → Health Information

Security Groups → Work as a virtual firewall for instances, allowing rules to be applied to traffic between instances
SSH Tunneling → Also known as SSH port forwarding. A technique used to securely transmit data between a local and a remote host over an unsecured network. It leverages the Secure Shell (SSH) protocol's encryption capabilities to create an encrypted tunnel for transmitting network traffic.
Difference between MDM & UEM
MDM → Primarily manages mobile devices such as smartphones and tablets. Functions → Device Inventory, Device Configuration, Security Management, App Management, Monitoring
UEM → Manages a wide range of endpoint devices, including mobile devices, desktops, laptops, IoT devices, and wearables. Functions → Device Management, Application Management, Content Management, Identity Management, Policy Management, Automation

Asymmetric vs Symmetric Encryption: Advantages & Disadvantages
Symmetric Advantages
Faster compared to asymmetric encryption due to simpler algorithms and operations.
More efficient for bulk encryption and large data sets.
Shorter key lengths provide equivalent security levels compared to asymmetric encryption.
Widely used for securing data in transit and at rest.
Symmetric Disadvantages
Key distribution: challenges in managing and storing keys securely.
Less scalable for secure communication among multiple parties compared to asymmetric encryption.
Does not inherently provide mechanisms for verifying sender identity or message integrity without additional protocols.
Asymmetric Advantages
No need to securely distribute keys; each user has a public-private key pair.
Offers better security because the private key never leaves the owner's possession.
Provides digital signatures for verifying the sender's identity and the integrity of the message.
Supports secure communication between multiple parties without requiring pre-shared secrets.
Asymmetric Disadvantages
Slower compared to symmetric encryption due to more complex algorithms.
Requires longer key lengths for equivalent security levels compared to symmetric encryption.
Less efficient for bulk encryption and large data sets.

Which is the most commonly used certificate format → PEM

802.1X vs CHAP vs Kerberos
802.1X → Wi-Fi Authentication. EAP Methods (EAP-TLS, PEAP, etc.). Network Access Control (NAC). When 802.1X is enabled, devices connecting to the network do not gain access until they provide the correct authentication credentials. The 802.1X standard refers to the client as the supplicant, the switch is commonly configured as the authenticator, and the back-end authentication server is a centralized user database such as Active Directory.
CHAP → Network Authentication. Challenge-response authentication for point-to-point connections. Mutual authentication, challenge-response mechanism.
Kerberos → Network Authentication. Network authentication protocol. Ticket-based authentication, SSO, mutual authentication.
RADIUS → Centralized authentication, authorization, and accounting. Centralized management, extensibility, supports various authentication methods.

CSA's Cloud Control Matrix → A framework designed to provide fundamental security principles to guide cloud vendors and customers in assessing the overall security risk of a cloud service

Smart Card vs Proximity Cards
Proximity Cards → A proximity card is a contactless card that usually utilizes RFID to communicate with the reader on a physical access system. These are commonly used to access secured rooms (such as server rooms) or even a building itself (such as at a mantrap).

Hash Algorithm Sizes

Cynthia needs to prevent drones from flying over her organization's property. What can she do?
When you are concerned about application security, what is the most important issue in memory management?
Yasmine wants to implement a cloud-based authorization system. What protocol is she most likely to apply?
What is the purpose of Unified Extensible Firmware Interface (UEFI) Secure Boot?
What is the size of the wrapper applied by TKIP around the WEP encryption utilizing a key that is derived from the MAC address of the machine and the packet's serial number? ...

June 23, 2024 · 24 min · Dhanraj Chavan

Intro

Intro
Hi everyone, I have passed my CompTIA Security+ 601 exam recently. In this blog, I will share my notes (objective-wise) & insights about this exam.
Resources
CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide: Link
Professor Messer's SY0-601 CompTIA Security+ Practice Exams: Link
Passmall Security+ Practice Exams: Link
Jason Dion - CompTIA Security+ (SY0-601) Practice Exams & Simulated PBQs: Link
Outro
Please forgive me if you find any spelling or grammatical mistakes. I wish you all the best for your exams!! ...

June 23, 2024 · 1 min · Dhanraj Chavan

Intro to DVWA

Intro
Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. In this writeup, I will be exploiting DVWA vulnerabilities in different severities.
Setup
docker run --rm -it -p 8000:80 kaakaww/dvwa-docker:latest
Walkthrough
1. I found a login page after opening the site.
Bruteforce Password
1. Capture login & analyze behavior
username=admin&password=zap&Login=Login&user_token=6cd51b8a24a524b9349dd75c09c0cfb3
2. Reflecting Login failed after incorrect creds
3. To automatically handle CSRF Tokens: ZAP -> Tools -> Options -> Anti-CSRF -> Add `user_token`
4. Fuzz password & add sample payloads ...

April 9, 2024 · 1 min · Dhanraj Chavan

Protecting Camp (Web)

Challenge: Protecting Camp
I made a small site to keep a list of things I need to buy to keep me safe before I go camping, maybe it's keeping some other things safe too!
Attachment: protecting_camp.zip
Walkthrough
This challenge shows a Camping Checklist on the main page.
Solve
1. Reviewing the code
Found a snippet that could be vulnerable to SSRF:

    app.get('/api/flag', (req, res) => {
        var url = req.protocol + '://' + req.get('host') + req.originalUrl;
        try {
            parsed = parseUrl(url)
            if (parsed.resource != '127.0.0.1') {
                res.send("Hey... what's going on here\n");
            } else {
                fs.readFile("./flag.txt", 'utf8', (err, data) => {
                    if (err) {
                        res.send("There was an error and this is sad :(\n")
                    } else {
                        res.send(data+"\n")
                    }
                });
            }
        } catch (error) {
            res.status(400).json({ success: false, message: 'Error parsing URL' });
        }
    });

The above code checks whether the host is 127.0.0.1 or localhost. ...

October 28, 2023 · 2 min · Dhanraj Chavan

Repo Recon (Web)

Challenge: Repo Recon
Leak Leak Leak. Can you find the secret leak?
Source Code: https://github.com/mowzk/repo-recon
Walkthrough
The challenge page contains a login form where it asks for username and password. The hint is leak. We have to find a token kind of thing to pass authentication. The challenge provides the source code on GitHub: https://github.com/mowzk/repo-recon
Solve
1. Reviewing files in the Repo
.env file:
FLAG_VALUE=placeholderflag
ADMIN_HASH=$2b$04$9HAfoKBcIKUrTh8F73fL0.aWH/X5dYRnWXL7eikRaxqAEqRlktKM.
VIVER=prosogyrous
This is the place where the developer could potentially drop a token & this can be recorded in one of the commits. ...

October 28, 2023 · 2 min · Dhanraj Chavan

SunshineCTF23: BeepBoop (Cryptography)

Challenge: BeepBoop Cryptography Help! My IOT device has gone sentient! All I wanted to know was the meaning of 42! It's also waving its arms up and down, and I… oh no! It's free! AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Automated Challenge Instructions Detected failure in challenge upload. Original author terminated. Please see attached file BeepBoop for your flag… human. BeepBoop Intro The hint is given indirectly in the challenge: waving hands up & down This means it is communicating in binary form: 0 & 1 ...

October 9, 2023 · 3 min · Dhanraj Chavan

SunshineCTF23: BeepBoop Blog & Hotdog Stand (Web)

Challenge 1: BeepBoop Blog
A few robots got together and started a blog! It's full of posts that make absolutely no sense, but a little birdie told me that one of them left a secret in their drafts. Can you find it?
https://beepboop.web.2023.sunshinectf.games
Intro
The challenge page is a blog that contains multiple posts from different robots. We are a bunch of robots who like posting! We are chronically online, and our posts are not coherent. Enjoy our posts! ...

October 9, 2023 · 3 min · Dhanraj Chavan

SunshineCTF23: DDR (Scripting)

Challenge: DDR
All the cool robots are playing Digital Dance Robots, a new rhythm game that… has absolutely no sound! Robots are just that good at these games… until they crash because they can't count to 256. Can you beat the high score and earn a prize?
nc chal.2023.sunshinectf.games 23200
Solve
1. Task: The robot will give a 50-arrow string & you have to reply in WASD form: W for up arrow, A for left arrow, S for down arrow, D for right arrow
2. When you enter a correct answer, it will increase the score by 1 & give you a new string.
3. We have to complete 256 challenges in order to get the flag.
4. Use pwntools ...

October 9, 2023 · 2 min · Dhanraj Chavan