CompTIA Security+ Chapter 8
Risk Management
Threats
malicious human threats
accidental human threats
environmental
Threat Assessments
environmental
manmade
internal
external
Vulnerabilities
lack of updates
default config
lack of malware protection or updated definition
lack of firewalls
lack of organizational policies
Risk Management
Residual risk
Risk Response Techniques:
avoid
transfer
mitigate
accept
Risk Assessment
determine asset value
identify threat and vulnerability
likelihood of threat
recommendations
Quantitative Risk Assessment
Single Loss Expectancy (SLE)
Annual Rate of Occurrence (ARO)
Annual Loss Expectancy (ALE)
ALE = SLE x ARO
Quantitative Risk Assessment
Impact x Likelihood
use 1 to 10 scale, or low, med, high
Documenting the assessment
Risk Register
Supply chain assessment
Scanning and Testing Tools
Vulnerabilities
Identify assets and capabilities
Prioritize assets based on value
Identify vulnerabilities and prioritize them
Recommend controls
Password Cracker
offline (from data breach) & online (brute force)
Network Scanner
ping scan
arp ping scan
syn stealth scan
port scan
service scan
OS detection
Network Mapping
Wireless scanner
Rogue System Detection
rogue AP
Received signal strength indicator (RSSI)
Banner grabbing - return HTML banner with info
Vulnerabilities Scanner
Dictionary of known vulnerabilities:
Common Vulnerabilities and Exposures (CVE)
Security Content Automation Protocol (SCAP)
National Vulnerability Database (NVD)
Scans:
open ports, weak passwords, default config, sensitive data, config errors
Credentialed scan VS non-credentialed scan
Config Compliance Scanner
configuration validation
Penetration Testing
Passive Reconnaissance - gather info, not illegal
Active Recon - scanners - illegal
Initial Exploitation
Escalation of Privilege
Pivot
Persistence
White, grey, black Box Testing
White, grey black Hats
Intrusive VS non-intrusive testing
Passive VS Active tools
Exploitation Framework
tools used to check vulnerabilities, execute exploits
Metasploit Framework
BeEF (Browser Exploitation Framework)
w3af (Web Application Attack and Audit Framework)
Security Tools
Protocol Analyzer
Wireshark
Command-Line Tools
tcpdump (Linux)
packet/protocol analyzer
Nmap (Linux)
GUI version = Zenmap
identify active hosts, IP, protocols, services, OS
nc - Netcat (Linux)
remote access
banner grabbing attack, port scanner
echo "" | nc -vv -n -w1 72.52.206.134 80
Monitoring Logs and Event Anomalies
Operating System Event Logs
Windows Event Viewer
Security Log (Windows) - log on/off, access resource
Application Log - apps or programs running
System Log - start, shutdown, services, drivers
Firewall and Router Access Logs
Traffic, allowed, blocked
packet source and dest
Linux Logs
System Log Viewer
cat /var/log/auth.log
utmp, wtmp, btmp files - store system status, user logins, failed login attempts
SIEM (Security Information and Event Management)
combine Security Event Management (SEM) & Security Information Management (SIM)
Additional Capabilities:
Aggregate data from multiple sources
Correlation Engine - detect patterns
Automated Alerting
Automated triggers
Time sync
Event de-duplication
logs
WORM (Write Once Read Many)
Common to locate SIEM in private network
Continuous Security Monitoring
periodic assessments, audits, tests
Usage Auditing Reviews
Logs user actions
Audit trail recreation
Permission Auditing Review
Privilege Creep - violates least privilege