Security+
Threats, Attacks & Vulnerabilities
Crypto-malware
Trojans
Ransomware
Worm
Rootkit
Keylogger
Adware
Spyware
Bots
RAT (Remote Access Trojan)
Logic Bomb
Backdoor
Focus
Course on Wireshark
nmap
netstat
arp
netcat
nslookup
dig
Wireless adapter in promiscuous mode
aircrack
ettercap
zenmap
Course on Kali Linux
Mobile Device Management
Content Management
databases, documents, application management
Geolocation
Geofencing
Push Notification Services
Passwords & PINs
Biometrics
Screen Locks
Remote Wipe
Application Management
Context Aware Authentication
Storage Segmentation
Mobile Device Encryption
Containerization
Mobile Enforcement
Sideloading: getting around the Android or Apple store
Carrier Unlock
Rooting/Jailbreaking
Firmware OTA Updates (Over The Air)
Camera Use
External Media (extra SD card in phone)
Recording microphone/GPS Tagging
Payment Methods
Vulnerability Impact
Race Condition - something running out of control that denies use, certain types of resources are eaten up quickly
Embedded System - immutable system, easy to forget about patching them, anti-malware, firewalls
Lack of vendor support - can no longer patch or update devices or software which makes it open to security issues
Weak Configuration - default configuration
Misconfiguration - haven't turned on a service like a stateless firewall, or forgot to turn off default services
Improperly configured account - user or system account that doesn't have the right permissions (regular user being able to delete a drive, etc.). Also includes rights.
Vulnerable Business Processes - unconsidered business processes that leave a business open to potential impacts (Storing non-essential information, extra PII that you don't need).
Memory/Buffer Vulnerabilities - pointer dereference, DLL injection, memory leaks, buffer overflow
System Sprawl/Undocumented Assets - (VM sprawl) not under control of the administrator so it isn't being patched or properly monitored.
Mobile Connectivity
SATCOM
Bluetooth
NFC (Near Field Communication)
Needs near or almost physical contact between devices
ANT
simple wireless communication, very slow, well protected - heart monitors, pedometers, etc.
Infrared
TV receivers
USB OTG (USB On The Go)
WiFi Direct
Ad Hoc connections
Direct wireless connection from one device to another device
Roku uses this
Wireless Tethering
Turns phone into a WAP
Protocols
IP Addressing
IPv4 - 172.16.254.1 - 32-bit address
IPv6 - eight 4-digit hex chunks, up to 128-bit address
Link Local: FE80 (localhost)
Common to have more than 1 IPv6 address
Private IP Ranges: 10.0.0.0 - 10.0.0.255, 172.16.0.0 - 172.31.255.255, 192.168.1.0 - 192.168.255.255
TCP - most of the work over the Internet, connection-oriented, 3 way handshake, sends lots of packets
UDP - user datagram protocol, connection-less, no acknowledgement, sends lots of packets
ICMP - maintenance worker of TCP/IP networks, handles ARP messages and pings, always 1 packet doing its thing
Ports
HTTP - 80, 8080
Remote Shell - Telnet - 23
Secure Shell - SSH - 22
File Transfer
FTP - 20 & 21
FTP over SSH - 22
FTPS - 20 & 21 but secure
SFTP - 22
Secure Copy - SCP - 22, primitive but works
Trivial FTP - TFTP - trivial form of FTP, runs on UDP port 69
NetBIOS - 137-139, but modern SMB version runs on 445
SMTP - 25 sends mail to other people, IMAP 143, POP 110 (for receiving mail)
DNS - TCP port 53
DHCP - UDP port 67 & 68
SNMP - UDP ports 161 & 162
LDAP - 389
RDP - TCP port 3389
TLS - originally designed for secure websites, successor to SSL, 4 aspects: encryption, key exchange, authentication, HMAC
DNS
port 53
completely insecure
DNSSEC - generates a key pair, has upstream DNS server sign them creating zones, purely authentication and prevents MITM attacks, popular on public DNS servers like Google's DNS servers
Email
SMTP, POP, IMAP all insecure
SSL/TLS encrypted SMTP - 465, 587 - uses TLS
SSL/TLS encrypted IMAP - 993 - uses TLS
SSL/TLS encrypted POP - 995 - uses TLS
Incident Response Process
Preparation - the big plan, who's doing what, organize types of incidents that might happen
Reporting - what reports go to whom? escalation
Practice Scenarios
Identification - recognize what incident has occurred, reports from users, check the monitoring tools you use, watch alerts and logs, assess impact, define who's involved
Containment - mitigate damage, stop the attack, segregate the network, shut down the system, turn off a service
Eradication - remove malware, close off vulnerabilities, add new controls
Recovery - restore from backups, pull from snapshots, hire replacement personnel, monitor
Documentation - document the incident, what failed? what worked? generate a final report
Vulnerability Assessment
Credentialed - you have usernames and passwords
Non-credentialed - don't have usernames or passwords [outsider]
Intrusive
Non-Intrusive - most vuln. assessments are this
Identify vulnerabilities AND misconfigurations
Watch out for false positives
Compliance
Backups
Full
Incremental - only that which has changed since full backup
Differential - only need 2 backups to restore
Snapshots
Local backups - tapes, external hard drives
Offsite backups - remote backups
Cloud backups - big downside is initial time to do first full backup
Scanning Tools
Traceroute
nmap
Microsoft Baseline Security Scanner
Nessus
Nexpose
OpenVAS
Digital Forensics
1.) Incident Occurs
2.) Legal Hold
Chain of Custody
Chain of Custody - gathering evidence against someone, show good integrity of evidence itself
1.) Define the evidence
2.) Document collection method
3.) Date/time collected
4.) Person(s) handling the evidence information
5.) Function of person handling the evidence
6.) All locations of the evidence
Order of Volatility
Memory
Caches
Routing table
ARP table
Data on disk
Optical, flash drives
Cache files, temp files
write blocker enabled tools
Remotely logged data
Backups
Forensic Data Acquisition
1.) Capture the system image
2.) Network traffic and logs
3.) Capture video of workstation, seating area
4.) Take hashes
5.) Take screenshots
6.) Interview witnesses
7.) Track man hours
Deployment Models
Private
Public
Hybrid
Community
Group of people all contributing to a shared cloud
Desktop Virtualization
VDE (Virtual Desktop Environment)
Accessing a remote physical desktop, ex: Windows Remote Desktop
VDI (Virtual Desktop Integration)
Accessing a virtualized environment in the cloud
Static Hosts
device designed to do a specific thing (printer, game controller, WAP)
ICS (Industrial Control Systems)
Ex: HVAC
Ex: SCADA
Network Segmentation (Defense in Depth)
Network segmentation is used to protect static hosts
Static Hosts are secured using Defense In Depth concepts
Attacking Web Sites
Know how to read log files for the exam
CLF - Common Log Format
Host - Ident - Authuser - Date/Time - Request - Status - Byte size
cPanel
XSS - Cross-site scripting: client-side script injected into a trusted web site
XML Injection - insert XML data into an application or service
Attacking Applications
Injection Attack - add extra input to an application. 1.) Code Injection 2.) Command Injection - uses a command to access the underlying OS
SQL Injection
LDAP Injection
Know the Distinguished Name (DN) format from LDAP
Buffer Overflow - exceeding memory storage
Deploying Mobile Devices
COBO (Corporate Owned Business Only)
COPE (Corporate Owned Personally Enabled)
CYOD (Choose Your Own Device)
BYOD (Bring Your Own Device)
Incident Response Plan (annual practice)
CIRT - Cyber Incident Response Team - group of people who respond to incidents, full or part time, IT security team, IT department, HR, Legal, PR
Document incident types and categories - physical access, malware, phishing, social engineering, data access
Roles and Responsibilities - users, help desk, human resources, database manager, incident hotline, IR manager/IR officer, IR team
Reporting Requirements/Escalation - determine severity, clear chain of escalation, reporting to law enforcement
Physical Controls
Deterrent Controls
prevents bad guys from entering your physical infrastructure
Lighting
Signage
Security Guards
Preventative Controls
Fence
Gate
Barricades
Bollards
K-Ratings - strong fences designed to stop vehicles
Man Trap
Air Gaps (Cabling Systems)
Safes
Cabinets
Faraday Cages
Locks
Cable Locks
Screen Filters
Physical Key/Card Management Systems
Detective Controls
Cameras
Motion Detectors
Infrared
Log Files
Protecting Your Servers
SSL Accelerator (physical card) - speeds up asymmetric encryption, sits on the intranet side of the router that connects to the Internet
Load Balancer - actually a proxy, can track sessions
DDOS Mitigator - detects DOS attacks and signals proxies to filter out bad data and DOS attacks but allow valid requests to go through.
Container
Houses the application instance
Like a VM for an application instance
Image
location on HD, files
Network Models
OSI 7 Layer Model
1 - Physical - what kind of cables do I use, etc.
2 - Data Link - anything that works with a MAC address (network cards, switches)
3 - Network - IP addresses (routers)
4 - Transport - Breaking data down to packets, routing packets
5 - Session - Connections between systems (sending emails, sharing folders)
6 - Presentation - Convert data into a format that applications can read
7 - Application - items in applications that make them network-aware (API)
TCP/IP Model
1 - Network Interface (physical cabling, MAC addresses, network cards)
ROUTERS ARE AN EXCEPTION
2 - Internet (anything to do with an IP address (routers))
3 - Transport (TCP or UDP)
4 - Application (application, presentation, session layers from OSI model)
Social Engineering
Principles
Authority
Intimidation
Consensus
Scarcity
Familiarity
Trust
Urgency
Attacks
Phishing - emails to steal personal info
Tailgating
Unauthorized Access
Shoulder Surfing
Dumpster Diving
Spear Phishing - phishing directed toward a specific person or group
Whaling - exec or management targeting of phishing
Vishing - phone phishing
Hoax - fake virus warnings
Watering hole attack - attempt to infect a popular website that users frequent
Contingency Planning
Disaster Recovery
Backup sites - Cold, Warm, Hot
Business Continuity
Exploiting a Target
Penetration Testing
1.) Get Authorization
Define targets
2.) Discover Vulnerabilities
Recon
Passive Discovery - WHOIS lookup, phone calls, not sending packets over to the target
Semi-passive - sends packets, but nothing loud or out of the ordinary
Active Discovery - putting packets downrange, scanners, nmap that could alert an IDS or IPS or firewall
3.) Exploit Vulnerabilities (Metasploit - Pen Testing Framework)
Grab usernames and passwords
Take data from a database
Corrupt a webpage
Attack Models
White Box - attackers have extensive knowledge about the target, cheapest type of Pen Test
Black Box - attackers know nothing, more like strangers, external hacking, slow
Gray Box - somewhere between white and black
Pivot - use the compromised system to attack other systems
Persistence
Obtaining escalation of privilege
Armitage
Threat Actor Types and Attributes
Pen Testing Concepts
Encryption
Acronyms
Risk Management
Access Controls
IaaS, PaaS, SaaS