security - Coggle Diagram
security
history timeline
enigma
components
plug board
configurable static substitution: pairs of letters are swapped before and after the rotors
keyboard
input
3 rotors (4 in the naval M4), chosen from a set of 5 (8 for the navy)
substitution depends on the rotor's current turning position
rotor arrangement (order) can be changed
set of rotors used can be changed
reflector
static substitution wired in pairs: sends the signal back through the rotors, which makes the machine self-reciprocal and prevents any letter from mapping to itself
lamps
displays output
function
share secrets for the day /
set configuration for the day
rotor configuration
rotor order
rotor starting positions
selected rotors
plug board configuration
encrypt
input letter via keyboard
rotors step before the letter is encoded: the right rotor on every key press, the middle/left rotor when its neighbour reaches the notch (works like an odometer)
letter is substituted by the plug board
letter is substituted by the 3 (or 4) rotors, right to left
letter is substituted by the reflector
letter is substituted by the rotors again, left to right
letter is substituted by the plugboard
letter is displayed by the lamps
attack
cracking machines
bomba
Marian Rejewski
turing bombe / christopher
Alan Turing
exploited the fact that no letter can encrypt to itself (a consequence of the reflector), so a crib aligned against the ciphertext rules out wrong rotor settings quickly
brute force with known plaintext
crib: a guessed fragment of plaintext (e.g. a routine weather report) tested against the ciphertext
properties
polyalphabetic substitution (rotor-driven, in effect a stream cipher)
involutory: the same setting encrypts and decrypts, and no letter ever maps to itself
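The encrypt sequence and the two properties above, worked as an added example (a simulator written for this page, not part of the mind map). The rotor wirings, notches and reflector are the published Enigma I / reflector B tables; the plugboard pairs, starting positions and sample text are assumptions chosen for the demonstration.

```python
from string import ascii_uppercase as A

# Enigma I rotor wirings and turnover notches, reflector B (public historical data).
ROTORS = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


class Enigma:
    """Three-rotor Enigma I. Rotors are listed left to right as on the machine."""

    def __init__(self, rotors=("I", "II", "III"), positions="AAA", rings="AAA",
                 plugboard="", reflector=REFLECTOR_B):
        self.wiring = [ROTORS[r][0] for r in rotors]
        self.notch = [A.index(ROTORS[r][1]) for r in rotors]
        self.pos = [A.index(c) for c in positions]       # rotor starting positions
        self.ring = [A.index(c) for c in rings]          # ring settings
        self.reflector = reflector
        # Plugboard "AB CD" swaps A<->B and C<->D: a static, self-inverse substitution.
        self.plug = {c: c for c in A}
        for a, b in plugboard.split():
            self.plug[a], self.plug[b] = b, a

    def position(self):
        return "".join(A[p] for p in self.pos)

    def _step(self):
        # Rotors move BEFORE the letter is encoded. The right rotor moves on every
        # key press; the middle rotor moves when the right one sits at its notch;
        # when the middle rotor itself sits at its notch it moves and drags the
        # left rotor along (the "double step").
        if self.pos[1] == self.notch[1]:
            self.pos[0] = (self.pos[0] + 1) % 26
            self.pos[1] = (self.pos[1] + 1) % 26
        elif self.pos[2] == self.notch[2]:
            self.pos[1] = (self.pos[1] + 1) % 26
        self.pos[2] = (self.pos[2] + 1) % 26

    def _rotor(self, idx, c, forward):
        # The substitution depends on the rotor's current turning position.
        offset = (self.pos[idx] - self.ring[idx]) % 26
        w = self.wiring[idx]
        entry = (c + offset) % 26
        out = A.index(w[entry]) if forward else w.index(A[entry])
        return (out - offset) % 26

    def press(self, letter):
        self._step()
        c = A.index(self.plug[letter])                # plugboard
        for idx in (2, 1, 0):                         # rotors, right to left
            c = self._rotor(idx, c, True)
        c = A.index(self.reflector[c])                # reflector (static, paired wiring)
        for idx in (0, 1, 2):                         # rotors again, left to right
            c = self._rotor(idx, c, False)
        return self.plug[A[c]]                        # plugboard again -> lamp

    def encrypt(self, text):
        return "".join(self.press(ch) for ch in text.upper() if ch in A)


def round_trip(text, **settings):
    """Encrypt, then feed the ciphertext to a machine with the SAME settings (involutory)."""
    ct = Enigma(**settings).encrypt(text)
    return ct, Enigma(**settings).encrypt(ct)


def never_maps_to_itself(text, **settings):
    """The weakness the bombe exploited: no letter ever encrypts to itself."""
    ct = Enigma(**settings).encrypt(text)
    return all(p != c for p, c in zip(text, ct))


def double_step_demo():
    """Positions ADV -> AEW -> BFX: the classic double-step sequence."""
    m = Enigma(positions="ADV")
    m.press("A"); m.press("A")
    return m.position()
```

With default settings (rotors I II III, reflector B, all positions A, no plugboard) the text `AAAAA` encrypts to `BDZGO`, and a second machine on the same settings turns `BDZGO` back into `AAAAA`; whatever plugboard and positions you pick, `never_maps_to_itself` stays true.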
lorenz-machine
attack
cracking machines
colossus
function
encrypt
letter is typed
letter is represented as 5 "bits" (Baudot/ITA2 teleprinter code)
a 5-bit key is generated by another part of the machine (the wheels)
this key changes after every letter
encrypted letter is the XOR of the message bits and the key bits
cipher
types
stream cipher
algorithms
block cipher
algorithms
Merkle-Damgård (note: a hash construction that chains a compression function, not a block cipher itself; the compression function is often built from a block cipher)
encryption
symmetric encryption
asymmetric encryption
hash/encryption cracking
types
wordlist attack
rainbow table attack
brute force attack
tools
john the ripper
hashcat
thc hydra (online brute forcing of login services, not offline hash cracking)
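The three attack types above, side by side, as an added example (written for this page, not taken from any of the listed tools). The wordlist, the salt and the victim password are constructed; the "rainbow table" is a plain precomputed dictionary, which is enough to show why salting breaks precomputation and why a slow hash (PBKDF2) raises the per-guess cost.

```python
import hashlib

# Constructed wordlist; a real run would use rockyou.txt or similar.
WORDLIST = ["password", "letmein", "hunter2", "Summer2023!", "correcthorse"]
PBKDF2_ROUNDS = 100_000


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def pbkdf2_hex(password, salt, rounds=PBKDF2_ROUNDS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def build_table(wordlist):
    """Precomputed hash -> word map: the idea behind a rainbow table (minus the chain compression)."""
    return {sha256_hex(w.encode()): w for w in wordlist}


def rainbow_lookup(target, table):
    return table.get(target)          # O(1): the work was done before the hash was ever seen


def wordlist_attack(target, wordlist, salt=b""):
    """Try every candidate with this hash's salt; has to be repeated for every distinct salt."""
    for w in wordlist:
        if sha256_hex(salt + w.encode()) == target:
            return w
    return None


def wordlist_attack_pbkdf2(target, wordlist, salt):
    """Same attack against a slow hash: every guess costs PBKDF2_ROUNDS hash computations."""
    for w in wordlist:
        if pbkdf2_hex(w, salt) == target:
            return w
    return None


def demo():
    table = build_table(WORDLIST)
    salt = bytes.fromhex("9a11427f")                    # constructed per-user salt
    unsalted = sha256_hex(b"hunter2")
    salted = sha256_hex(salt + b"hunter2")
    slow = pbkdf2_hex("hunter2", salt)
    return (
        rainbow_lookup(unsalted, table),                # cracked instantly from the table
        rainbow_lookup(salted, table),                  # None: the salt defeats precomputation
        wordlist_attack(salted, WORDLIST, salt),        # still cracked, but only by a fresh per-salt run
        wordlist_attack_pbkdf2(slow, WORDLIST, salt),   # cracked too, at ~100k x the cost per guess
    )
```

The lesson is the same one hashcat's mode list encodes: a salt does not stop a dictionary attack, it only forces the attacker to redo the work per hash, and only a deliberately slow or memory-hard hash makes each guess expensive.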
steganography
classic steganography
first letter of every word forms a message
or similar
hidden ink
modern steganography
data appended after the end of a file
marker sequence (magic bytes) identifying where the hidden payload starts
encoding a message in the least significant bits of a picture
encoding a message in sound (e.g. as frequencies visible in a spectrogram)
hidden message in file metadata
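Least-significant-bit embedding from the list above, as an added example (written for this page, not from any tool it names). It works on a raw byte buffer standing in for pixel channel data, so it runs without an image library; the cover pattern and the hidden message are constructed, and the 4-byte length prefix is a design choice of this example.

```python
def embed(cover, message):
    """Write message into the LSB of successive cover bytes, with a 4-byte length prefix."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError(f"cover too small: need {len(bits)} bytes, have {len(cover)}")
    out = bytearray(cover)
    for k, bit in enumerate(bits):
        out[k] = (out[k] & 0xFE) | bit      # only the lowest bit changes: imperceptible in pixel data
    return bytes(out)


def _read_bytes(stego, start, count):
    data = bytearray()
    for b in range(count):
        v = 0
        for i in range(8):
            v = (v << 1) | (stego[start + b * 8 + i] & 1)
        data.append(v)
    return bytes(data)


def extract(stego):
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length prefix inconsistent with buffer: probably no hidden message")
    return _read_bytes(stego, 32, length)


def max_delta(a, b):
    """Largest change to any single byte: LSB embedding never moves a byte by more than 1."""
    return max(abs(x - y) for x, y in zip(a, b))


def demo():
    cover = bytes((i * 7) % 256 for i in range(4096))      # constructed stand-in for pixel bytes
    stego = embed(cover, b"meet at dawn")
    return extract(stego), max_delta(cover, stego), len(stego) == len(cover)
```

The file size does not change and no byte moves by more than one unit, which is why a visual check never finds it; statistical tests on the LSB plane (or a lossy re-encode of the image) are what destroy or reveal such a payload.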
cryptography
machine cryptography
symmetric algorithms
lorenz-machine
enigma
computer cryptography
symmetric algorithms
aes
3des
des
diffie hellman (key exchange: asymmetric math used to agree on a symmetric key; listed here because of what it produces)
TODO
asymmetric algorithms
elliptic curve cryptography (ECC)
Rivest Shamir Adleman (RSA)
values
public key
contains
n
e
private key
contains
p
q
p*q = n
phi(n) = (p-1)(q-1)
d
= inverse element of e modulo phi(n), i.e. e*d = 1 mod phi(n)
function
properties
one-way (trapdoor) function: easy to compute in one direction
but hard to invert without the private key
prime factorization is hard to compute
n is known:
p and q are hard to compute (for large n)
multiplication is easy to compute
p and q are known:
p * q = n
e and d are interchangeable: what one exponent "encrypts" the other undoes, which is how signing (with d) and verifying (with e) work
encrypt
ciphertext = message^e mod n
decrypt
message = ciphertext^d mod n
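The RSA values and operations above carried through with the textbook toy primes p = 61, q = 53, as an added example (written for this page, not from any library). It also shows the "hard direction" done naively: trial division recovers p and q for this toy n and hence the private exponent, which is the whole reason real keys use 2048-bit or larger n. Unpadded ("textbook") RSA as shown here is not safe to use directly; real systems add OAEP or PSS padding.

```python
from math import gcd


def keygen(p, q, e=17):
    """Textbook RSA key generation from two primes (toy sizes here; real keys use >= 2048-bit n)."""
    n = p * q
    phi = (p - 1) * (q - 1)                  # phi(n) for n = p*q
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                      # d = e^-1 mod phi(n); needs Python 3.8+
    return (n, e), (n, d)                    # public key, private key


def encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)                      # c = m^e mod n


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)                      # m = c^d mod n


def sign(priv, m):
    return decrypt(priv, m)                  # e and d are interchangeable: apply d to the message ...


def verify(pub, m, sig):
    return encrypt(pub, sig) == m            # ... and anyone can apply e to the signature to check it


def trial_factor(n):
    """The hard direction, done the naive way. Instant for a toy n, hopeless for a real one."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    return None


def demo():
    pub, priv = keygen(61, 53)
    c = encrypt(pub, 65)
    p, q = trial_factor(pub[0])              # an attacker who can factor n ...
    _, recovered = keygen(p, q, pub[1])      # ... rebuilds d from the public key alone
    return {
        "pub": pub, "priv": priv, "c": c, "m": decrypt(priv, c),
        "sig_ok": verify(pub, 42, sign(priv, 42)),
        "d_recovered": recovered == priv,
    }
```

Here n = 3233, phi(n) = 3120, e = 17 and d = 2753 (17 * 2753 = 46801 = 15 * 3120 + 1); the message 65 encrypts to 2790 and decrypts back to 65.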
post quantum cryptography
standardization still in progress; NIST published the first standards (ML-KEM, ML-DSA and SLH-DSA as FIPS 203-205) in 2024
table cryptography
symmetric algorithms
Bacon cipher
Caesar cipher
ROT13
scytale (a transposition cipher, not a substitution)
Vigenère cipher
substitution
mono alphabetic substitution
one input always gives the same output
poly alphabetic substitution
one input gives different outputs depending on other factors
(should still be deterministic)
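The mono- versus polyalphabetic distinction above made concrete, as an added example (written for this page) using the Caesar, ROT13 and Vigenère ciphers from the list: the same plaintext letter comes out as one ciphertext letter under Caesar but as several under Vigenère, while both stay deterministic. The sample text and key are constructed.

```python
from string import ascii_uppercase as A


def caesar(text, shift):
    """Monoalphabetic: one fixed shift, so a plaintext letter always gives the same ciphertext letter."""
    return "".join(A[(A.index(c) + shift) % 26] if c in A else c for c in text.upper())


def rot13(text):
    return caesar(text, 13)           # its own inverse: two shifts of 13 add up to 26


def vigenere(text, key, decrypt=False):
    """Polyalphabetic: the shift comes from the key letter at the current position,
    so the same plaintext letter is mapped differently depending on where it occurs."""
    shifts = [A.index(k) for k in key.upper()]
    out, i = [], 0
    for c in text.upper():
        if c not in A:
            out.append(c)             # keep spaces/punctuation; they do not consume key
            continue
        k = shifts[i % len(shifts)]
        out.append(A[(A.index(c) + (-k if decrypt else k)) % 26])
        i += 1
    return "".join(out)


def images_of(plain_letter, plaintext, ciphertext):
    """Set of ciphertext letters that a given plaintext letter turned into."""
    return {c for p, c in zip(plaintext, ciphertext) if p == plain_letter}


PLAINTEXT = "ATTACK AT DAWN"          # constructed sample


def demo():
    mono = caesar(PLAINTEXT, 3)
    poly = vigenere(PLAINTEXT, "LEMON")
    return mono, poly, images_of("A", PLAINTEXT, mono), images_of("A", PLAINTEXT, poly)
```

Every A in the Caesar output is a D, which is what frequency analysis feeds on; under the key LEMON the four As become L, O, E and N, and recovering the key length (Kasiski examination) is the step that turns the polyalphabetic case back into several monoalphabetic ones.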
digital watermark
what?
insertion of imperceptible and inseparable information (the watermark) into the data
watermark can't be easily removed because it is embedded into the original data (like with modern steganography)
watermark can sometimes be restored even if data was modified (robustness)
why?
solves proof of digital ownership problem
digital forensic
tools
memory dump
helios USB stick
statistical analysis / abnormality detection
legal
requirements
search warrant ("Hausdurchsuchungsbefehl")
issued by
judge ("Richter")
public prosecutor's office ("Staatsanwaltschaft")
techniques
chain of custody
procedure
data collection
data inspection
data analysis
reporting
guideline
must follow the procedure
must document all steps taken
must document exact time of all steps
only work with copies of the original data
must not alter original data
torrents
components
tracker
connects leechers to seeders
peers
seeders
provide file data
leechers
download file data
swarm
set of all peers currently sharing the torrent
torrent client
program that reads .torrent files and connects users to a network
definition
decentralized peer to peer file sharing network
function
.torrent file is downloaded
torrent file is opened with a torrent client
download is started
leeching new file data
seeding already obtained data
download is finished
now seeding until torrent is closed
public key infrastructure (PKI)
infrastructure implementations
1-tier pki
TODO
2-tier pki
TODO
3-tier pki
TODO
components
certificate
extensions
CRL distribution point (CDP)
online certificate status protocol (OCSP)
authority information access (AIA)
base attribute
serial number
signature algorithm
issuer name
X.509 version
TODO
certification authority (CA)
types
general types
subordinate CA
issuing CA
root CA
active directory specific CA types
TODO
registration authority (RA)
monitoring
syslog
priority field (PRI = facility * 8 + severity)
severity (0 = most urgent)
0 emergency
1 alert
2 critical
3 error
4 warning
5 notice
6 informational
7 debug
facility
linux implementations
rsyslog
syslog-ng
syslogd
windows implementations
kiwi syslog
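Decoding the priority field described above, as an added example (a small parser written for this page, not code from rsyslog, syslog-ng or Kiwi). The facility/severity tables are the RFC 5424 values; the first sample line is the RFC 3164 example, the other three are constructed.

```python
import re

# Severity 0..7 and facility 0..23 per RFC 5424 (facilities 9 and 15 are both "clock daemon"
# in the RFC; "cron" is the usual BSD/Linux label for 9).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(line):
    """Split a raw syslog line into facility, severity and message. PRI = facility*8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> field")
    pri = int(m.group(1))
    if pri > 191:                                   # 23*8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return {"pri": pri, "facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "severity_num": severity, "msg": m.group(2)}


def alerts(lines, max_severity=4):
    """Keep only records at 'warning' (4) or worse; a lower number is more urgent."""
    return [r for r in map(decode_pri, lines) if r["severity_num"] <= max_severity]


def worst_first(lines):
    return sorted(map(decode_pri, lines), key=lambda r: r["severity_num"])


SAMPLE_LOG = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",  # RFC 3164 example
    "<13>Oct 11 22:14:16 mymachine myapp[42]: user alice logged in",               # constructed
    "<11>Oct 11 22:14:17 mymachine backup[77]: tape write failed",                 # constructed
    "<0>Oct 11 22:14:18 mymachine kernel: panic - not syncing",                    # constructed
]
```

`<34>` is facility 4 (auth) with severity 2 (critical): 34 = 4 * 8 + 2. The filter in `alerts` is the same arithmetic a SIEM rule uses when it matches on "severity <= warning" regardless of which facility emitted the event.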
simple network management protocol (SNMP)
versions
version 1
community strings (sent in plaintext) used for both authentication and authorization
read-only and read-write communities
version 2c
adds GetBulk and 64-bit counters; still plaintext community strings
version 3
adds user-based authentication (username with HMAC) and encryption (privacy)
components
device
agents
respond to manager requests (get/set) and send traps
management information base (MIB) /
object identifier tree (OID tree)
manager
functions
get
set
trap
active directory (AD)
advanced audit policies
adds additional events
event viewer
allows to view events
event collector
aggregates events
event forwarder
forwards event to a collector
event subscriptions
source initiated
forwarder initiates the subscription
collector initiated
collector initiates subscription
attacks
active directory (AD)
privilege escalation
AS-REP roasting
Kerberoasting
Pass the Hash
Pass the Ticket
DCSync
post exploitation
golden ticket
silver ticket
security appliance
security operation center (SOC)
hierarchy
level 1: alert analyst
triages and responds to alerts
level 2: incident responder
responds to incidents
investigates incidents
level 3: threat hunter
prevents further attacks
stops the ongoing attack
manager
manages the team
common vulnerability scoring system (CVSS)
uses a standardized set of metrics to assign a severity score to a vulnerability (not to an attack)
vocabulary for event recording and incident sharing (VERIS)
defines terminology that should be used to report events and incidents
SOC metric (TODO)
measures performance of a SOC team
mean detection time
mean time to respond
dwell time
time an attacker is present before being detected (initial compromise to detection; some definitions measure to containment)
mean time to contain
time between detection and containment
mean time to control
network operation center (NOC)
handles operational incidents not caused by an attacker (outages, faults)
security information and event management (SIEM)
implementations
splunk
function
basic functionality
central collection of security appliance logs
alert rules
user and entity behavior analytics (UEBA)
tracks users and entities (hosts, accounts) and their normal behavior
abnormality detection
security orchestration, automation and response (SOAR)
SOC automation
network based application recognition (NBAR)
maps traffic to specific applications
first line of defense
devices
Switches
switchport port-security
dhcp snooping
dynamic arp inspection (DAI)
protocol hardening
storm control
intrusion detection system (IDS)
intrusion prevention system (IPS)
SIEM
Endpoint security /
antivirus
signature based
cloud security engine
sandboxing
antimalware scan interface (AMSI)
network access control (NAC)
AAA
firewall (FW)
Server security
device hardening
principles
CIA
confidentiality
integrity
availability
current cyber attacks
current attacks
(distributed) denial of service (DDoS)
amplification attacks
NTP amplification
request a monlist (list of the last 600 hosts that queried the server) from an NTP server with a spoofed source IP
NTP server sends many large packets to the spoofed IP (victim)
DNS amplification
request a large response (one needing multiple packets, e.g. a large zone or ANY query) from a DNS server with a spoofed source IP
DNS server sends many packets to the spoofed IP (victim)
AD attacks
Pass the Hash and others (see below)
zero day exploits
current incidents
attack "Kärnten"
affected entitiy
"Landesverwaltung (Behörden und Bezirkshauptmanschaften)"
attack
publication of sensitive data
corona test results
pictures of passports
GDPR ("DSGVO") breach
ransomware
ransom demand of 5 million euros
payment in bitcoin
prevention
backups
possible attack vectors
social engineering
phishing
whaling
spear phishing
blackmailing
bribery
physical access
rubber ducky
physical keylogger
sniffer
cyber kill chain
phase 1: reconnaissance (active / passive)
attacks
port scanning
OSINT
social engineering
precautions
awareness
exposing as little data as possible
port security
network segregation
IDS/IPS
phase 2: weaponization
using the gained information to build a payload
phase 3: delivery
deliver the payload to the victim system
attacks
worms
physical access
social engineering
precautions
sandboxing
awareness
IDS/IPS
phase 4: exploitation
payload is executed
precautions
IDS/IPS
endpoint security
backups
phase 5: installation (gaining persistence)
attacks
golden ticket
execute on startup
infect other files
precautions
immutable systems? (Fedora Silverblue)
phase 6: command and control (C2)
attacks
DNS tunneling
precautions
IDS/IPS
phase 7: actions on objectives
attacks
precautions
(phase 8: clearing tracks)
security triangle
cost
usability
security
security wheel
monitor
test
improve
secure
evolution of firewalls
timeline
stateless packet filter
filtering base on
port
source
destination
IP
source
destination
protocol
example implementation
Cisco: ACL
stateful packet filter
additional filtering based on connections
connection slots
example connection states
new
established
related
example uses
block outside traffic but allow return traffic
example implementation
Linux: iptables
Cisco: Policy-Map inspect
deep packet inspection
example uses
regex URL matching for http get requests
DNS type filtering
example implementation
CBAC
filtering based on
any information in any layer
application gateway
example implementations
azure application gateway
filtering based on
deep packet inspection
additional features
TLS termination
TCP interception
traffic loadbalancing
zone based firewall
filtering based on
zone pairs
source zone
ingoing interface
destination zone
outgoing interface
intrusion detection system (IDS)
types
network based
host based
components
rule set
signature based
content based signature
checks the content of packets
context based signature
checks for logical connection between packets
anomaly/behavioral based
needs a baseline
heuristic based
often paired with AI
hybrid of signature based and anomaly based
analysis engine
traffic controller
signature database
user interface
placements
inline
routing traffic
passive
port mirror
intrusion prevention system (IPS)
extends IDS by reacting to the detected attacks
positioning is important
inline is more secure
can be replaced by IDS + SIEM with SOAR
next generation firewall (ng-fw)
example implementation
Cisco: Firepower
security engine is outsourced to the cloud
network flows are sent to the cloud via z.B. netflow
potential to stop zero days
(marketed as doing everything)
distributed firewall
managed firewall
misc
reputational based filtering
every public IP is ranked in a list
when the rating for one IP is under a threshold the IP is blocked
more money spend = more up to date lists
bogon IPs (unallocated or reserved address ranges that should never appear as a source on the internet)
proxy
is required for TCP and TLS interception
mail security
uses sandboxing
whitelisting
blacklisting
greylisting
waits for retry
sandboxing
suspicious files and attachments are executed in a virtual environment and their behavior observed