• Incident response process
  • Lateral movement through a network
  • Bastion host
  • Digital certificates usually carry RSA key pairs (ECDSA is increasingly common)
  • S/MIME and PGP (email signing/encryption; S/MIME uses X.509 certificates from a CA, PGP uses its own key format and a web of trust)
  • SaaS, PaaS, IaaS
  • NIST SP 800-53
  1. WEP and WPA are outdated wireless protocols. The current standard is WPA2, with WPA3 (not yet fully adopted) as its successor. WPA2 uses AES-CCMP, but can fall back to TKIP (RC4-based, weak) for legacy devices; WPA3-Personal replaces the PSK four-way handshake with SAE, which resists offline dictionary attacks on captured handshakes.
  2. Data controller determines why (and how) data is processed. Data custodian is responsible for safe handling, storage, and transport (the technical role). Data steward maintains data quality and implements data governance policies. Data owner decides who can access, edit, use, or destroy the information.
  3. CI = build & test → CD (Delivery) = stage & prep for deploy → CD (Deployment) = push to production automatically
  4. Continuous assessment is an ongoing process to evaluate risks. Incident response refers to how an incident is handled.
  5. OSI Model: A low number (1) is low level (physical), whereas high (7) is high level (application).
  6. Due diligence: the investigation or exercise of care that a reasonable business or person is normally expected to take before entering into an agreement or contract with another party. Contrast with due care: actually acting with the expected standard of care on an ongoing basis (doing what the investigation showed was needed).
  7. Identity Federation: trusting an external identity provider (e.g. via SAML or OpenID Connect) so one login works across organizations. Credentials are not shared; only signed assertions/tokens are exchanged.
  8. Pretexting: constructing a fabricated scenario to manipulate a target into disclosing information or taking an action; a form of social engineering.
  9. Zero-trust:
    1. Never trust always verify.
    2. Least privilege access
    3. Implicit deny/default deny
    4. Network micro-segmentation
    5. Policy-driven access control
    6. Plan for compromise
  10. Control plane is the part of the network responsible for making decisions.
  11. Data plane performs the actual forwarding of that traffic.
  12. Governance Board holds ultimate decision-making authority, above operational managers.
  13. Key escrow is a system in which a copy of a cryptographic key is given to a third party.
  14. Reflected DDoS: the attacker forges the victim's IP as the source address and sends packets to numerous third-party servers, which then return their responses to the victim rather than to the original sender. Amplified DDoS is similar, also using spoofed source IPs, but targets services that inflate traffic volume by responding with much larger (tens or hundreds of times larger) packets, e.g. open DNS resolvers, NTP monlist, memcached.
  15. OSI Model (Please Do Not Throw Sausage Pizza Away):
    1. Physical - Wires, cables, radio signals
    2. Data Link - MAC addresses, switches, frames, error detection
    3. Network - IP addressing, routing, packets, routers
    4. Transport - TCP/UDP, ports, reliable delivery, segmentation
    5. Session - Manages connections, start/stop of sessions
    6. Presentation - Data formatting, encryption, compression
    7. Application - User-facing protocols: HTTP, FTP, SMTP
  16. Password spraying tries a few common passwords across many accounts (staying under per-account lockout thresholds). Brute force tries many passwords against one account.
  17. Risk
    1. Risk Appetite → Hunger for risk; CEO/board-level strategy; willingness to take on risk in pursuit of objectives
    2. Risk Tolerance → Acceptable deviation from the appetite; how much risk a specific system or process can absorb
    3. Risk Acceptance → “We’ll live with this risk” (documented, no further treatment)
    4. Risk Deterrence → “We’ll discourage this risk” (e.g. warning banners, legal penalties, visible monitoring)
  18. NGFW
    1. Can distinguish between different types of traffic
    2. Integrated with other security products
    3. Deep packet inspection and signature-based intrusion detection/prevention
  19. Wiretapping, comparable to packet sniffing, is a physical method of eavesdropping on communications by directly connecting to the network’s physical infrastructure.
  20. Logic bomb is dormant malicious code that only activates after a specific trigger (time or action).
  21. A simulation is often team based and more heavily planned. A functional exercise focuses on testing responses in real time, using real tools/systems, without direct competition between teams. A tabletop exercise is strictly discussion based. A failover exercise actually fails a datacenter over to the hot site.
  22. An audit trail is a detailed, chronological record that provides a complete history of activities, transactions, and changes within a system, documenting who did what, when, and why.
  23. Ephemeral means to last for a very short time.
  24. NetFlow is a standardized method of exporting network flow statistics (source/destination addresses, ports, protocol, byte and packet counts) from switches, routers, and other devices on your network; it records metadata, not packet payloads.
  25. Agent-based NAC (network access control) involves installing software agents on devices for real time monitoring and policy enforcement.
  26. Security controls
    1. Deterrent
    2. Preventative
    3. Corrective (fixes after goes wrong)
    4. Detective (identifies something bad)
    5. Compensating (alternative control when main control isn’t feasible)
    6. Directive (gives instructions/policies)
  27. Database journaling records changes in a separate file (the journal) before applying them to the main database. This helps reduce corruption in the event of a write interruption.
  28. Credential stuffing: attackers replay username/password pairs from older breaches of other services, relying on users reusing the same credentials.
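
Detection logic for the spraying-vs-brute-force distinction above, as an added example (not part of the original notes). It runs over constructed sshd-style log lines and classifies each source IP; the thresholds, host name, and IP addresses are assumptions chosen for the illustration. The security point it makes: spraying never trips a per-account lockout, so the counter has to pivot on the source and the number of distinct accounts, not on attempts per account.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from any real host): one source sprays
# ten accounts once each, one source hammers "admin", one user just typos once.
def _line(sec, result, user, ip):
    return (f"Jan 10 09:00:{sec:02d} bastion sshd[{1000 + sec}]: "
            f"{result} password for {user} from {ip} port {40000 + sec} ssh2")

SPRAY_USERS = ["alice", "bob", "carol", "dave", "erin",
               "frank", "grace", "heidi", "ivan", "judy"]
SAMPLE_LINES = (
    [_line(i, "Failed", u, "203.0.113.5") for i, u in enumerate(SPRAY_USERS)]
    + [_line(20 + i, "Failed", "admin", "198.51.100.7") for i in range(12)]
    + [_line(40, "Failed", "carol", "192.0.2.9"),
       _line(41, "Accepted", "carol", "192.0.2.9")]
)

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse(lines):
    """Yield {result, user, ip} for every line that matches the sshd format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def classify_sources(lines, spray_min_accounts=8, brute_min_attempts=10):
    """Per source IP: 'password spraying', 'brute force', or 'benign'.

    spray: many distinct accounts, at most a couple of failures each
           (each account stays under lockout, so per-account alerting misses it).
    brute: one account with many failures.
    """
    failures = defaultdict(lambda: defaultdict(int))   # ip -> user -> failures
    for ev in parse(lines):
        if ev["result"] == "Failed":
            failures[ev["ip"]][ev["user"]] += 1

    verdicts = {}
    for ip, per_user in failures.items():
        accounts = len(per_user)
        worst_account = max(per_user.values())
        if accounts >= spray_min_accounts and worst_account <= 2:
            verdicts[ip] = "password spraying"
        elif worst_account >= brute_min_attempts:
            verdicts[ip] = "brute force"
        else:
            verdicts[ip] = "benign"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LINES).items():
        print(f"{ip:15} {verdict}")
```

In production the same grouping would be done over a sliding time window (spraying is typically slow and spread across hours), and the source key would be widened to an ASN or a /24 when the attacker rotates IPs.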
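
The reflection/amplification pattern (item 14) is the kind of thing NetFlow data (item 24) lets you spot without payloads. This added example (not from the original notes) builds constructed flow records in which a victim's address is spoofed as the source of small DNS queries to twenty open resolvers, then groups the answering flows by destination and estimates the amplification factor. The reflector port list, thresholds, and all addresses are assumptions for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors (assumed list for this example).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int
    bytes: int

def build_sample_flows():
    """Constructed flow records, not real telemetry.

    192.0.2.10 is the victim: its address appears as the spoofed source of
    64-byte DNS queries to 20 resolvers, each of which sends back ~3.9 KB.
    Some ordinary HTTPS traffic and one normal DNS answer are mixed in.
    """
    flows = []
    for i in range(20):
        resolver = f"203.0.113.{i + 1}"
        flows.append(Flow("192.0.2.10", resolver, "UDP", 50000 + i, 53, 1, 64))
        flows.append(Flow(resolver, "192.0.2.10", "UDP", 53, 50000 + i, 3, 3900))
    flows.append(Flow("198.51.100.20", "192.0.2.10", "TCP", 44321, 443, 10, 1500))
    flows.append(Flow("192.0.2.10", "198.51.100.20", "TCP", 443, 44321, 12, 24000))
    flows.append(Flow("203.0.113.1", "192.0.2.11", "UDP", 53, 51000, 1, 120))
    return flows

def detect_reflection(flows, min_reflectors=10, min_ratio=5.0):
    """Flag destinations receiving answers from many reflector ports at once.

    Returns {victim: {"reflectors", "services", "response_bytes", "amplification"}}.
    amplification is response bytes / spoofed request bytes; it is only
    computable when the vantage point also sees the spoofed requests, so a
    missing request side yields float('inf') rather than suppressing the alert.
    """
    inbound = defaultdict(dict)    # victim -> reflector -> response bytes
    outbound = defaultdict(dict)   # "victim" (as spoofed source) -> reflector -> bytes
    services = defaultdict(set)
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.sport in REFLECTOR_PORTS:
            inbound[f.dst][f.src] = inbound[f.dst].get(f.src, 0) + f.bytes
            services[f.dst].add(REFLECTOR_PORTS[f.sport])
        if f.dport in REFLECTOR_PORTS:
            outbound[f.src][f.dst] = outbound[f.src].get(f.dst, 0) + f.bytes

    alerts = {}
    for victim, reflectors in inbound.items():
        if len(reflectors) < min_reflectors:
            continue
        resp = sum(reflectors.values())
        req = sum(outbound[victim].get(r, 0) for r in reflectors)
        ratio = resp / req if req else float("inf")
        if ratio >= min_ratio:
            alerts[victim] = {
                "reflectors": len(reflectors),
                "services": sorted(services[victim]),
                "response_bytes": resp,
                "amplification": ratio,
            }
    return alerts

if __name__ == "__main__":
    for victim, info in detect_reflection(build_sample_flows()).items():
        print(victim, info)
```

The ratio here (78,000 response bytes for 1,280 request bytes, about 61x) is on the order of what open DNS resolvers answering large records produce; the same grouping with `REFLECTOR_PORTS` extended is how a transit provider would build a reflector-abuse watchlist from flow exports.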

Acronyms

  1. DKIM (DomainKeys Identified Mail): The sending server signs selected headers and the body with a private key; the public key is published in DNS under the `d=` domain, so receivers can verify the message was authorized by that domain and not altered in transit.
  2. MTA (Mail Transfer Agent): Responsible for routing mail between servers; not itself an authentication mechanism.
  3. SPF (Sender Policy Framework): A DNS TXT record listing which mail servers are permitted to send email for a domain; checked against the connecting IP, no cryptographic signatures.
  4. DMARC (Domain-based Message Authentication, Reporting, and Conformance): Lets domain owners publish a policy (none/quarantine/reject) for mail that fails both SPF and DKIM, requires the passing identity to align with the visible From: domain, and provides aggregate reporting.
  5. SMTP (Simple Mail Transfer Protocol): Used for sending emails.
  6. TOCTOU (Time-Of-Check to Time-Of-Use): A race condition that can be exploited by an attacker to (for example) modify a file that was created and change the value before it’s used.
  7. EAP (Extensible Authentication Protocol): A flexible framework for authenticating users via multiple methods.
  8. SNMP (Simple Network Management Protocol): For network errors and metrics. It allows controlling network configurations and storing data related to components.
  9. SASE (Secure Access Service Edge): Combines SD-WAN with cloud-delivered security functions (secure web gateway, CASB, zero-trust network access, firewall as a service); often described as next-generation VPN for reaching cloud services.
  10. CRL (Certificate Revocation List): Used to determine if a certificate has been administratively revoked.
  11. SCAP (Security Content Automation Protocol): Focuses on the standardization of vulnerability management across multiple tools.
  12. DLP (Data Loss Prevention): Identify and block unauthorized transmission or storage of sensitive data (network, endpoint, or cloud based).
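
The SPF and DMARC entries above describe an evaluation a receiving mail server performs; this added example (not part of the original notes) implements it against a constructed, in-memory DNS zone rather than live lookups. The domains, records, and IP addresses are assumptions; DKIM signature verification itself is assumed to have been done elsewhere and is passed in as a (verified, signing-domain) result. Relaxed alignment is approximated with a subdomain check (a real implementation uses the public suffix list to find the organizational domain).

```python
import ipaddress

# Constructed DNS TXT data standing in for live lookups (assumption).
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"],
}

QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(domain):
    for txt in DNS_TXT.get(domain, []):
        if txt.startswith("v=spf1"):
            return txt
    return None

def check_spf(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record for a connecting IP.

    Handles ip4/ip6/include/all; mechanisms needing further DNS (a, mx, ptr)
    return 'permerror' here. 'include' only matches when the included
    record yields 'pass', exactly as RFC 7208 specifies.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    rec = spf_record(domain)
    if rec is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in rec.split()[1:]:
        qualifier = "+"
        if term[0] in QUAL:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUAL[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)  # v4-in-v6 is False
        elif mech == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUAL[qualifier]
    return "neutral"

def dmarc_policy(from_domain):
    for txt in DNS_TXT.get(f"_dmarc.{from_domain}", []):
        if txt.startswith("v=DMARC1"):
            return dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return None

def aligned(header_domain, auth_domain, mode):
    """'s' = strict (exact match); 'r' = relaxed (approximated as same tree)."""
    if mode == "s":
        return header_domain == auth_domain
    return (header_domain == auth_domain
            or header_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + header_domain))

def evaluate_dmarc(from_domain, envelope_domain, sender_ip, dkim_result=None):
    """Return 'pass', or the domain owner's requested action ('none', 'quarantine',
    'reject') when neither an aligned SPF pass nor an aligned DKIM pass exists."""
    pol = dmarc_policy(from_domain)
    if pol is None:
        return "none"
    spf_ok = (check_spf(envelope_domain, sender_ip) == "pass"
              and aligned(from_domain, envelope_domain, pol.get("aspf", "r")))
    dkim_ok = (dkim_result is not None and dkim_result[0]
               and aligned(from_domain, dkim_result[1], pol.get("adkim", "r")))
    return "pass" if (spf_ok or dkim_ok) else pol.get("p", "none")

if __name__ == "__main__":
    print(check_spf("example.com", "198.51.100.10"))          # pass via include
    print(evaluate_dmarc("example.com", "example.com", "203.0.113.9"))   # reject
```

Note that an SPF `pass` on an unaligned envelope domain (a marketing provider's bounce domain, say) does nothing for DMARC; that alignment requirement is what stops a spoofer who controls their own SPF-passing domain from putting your domain in the From: header.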
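
For TOCTOU (item 6), an added example (not from the original notes) shows the racy check-then-use pattern next to its fix. The vulnerable reader checks that a path is not a symlink and then opens it; the window between those two steps is simulated with a callback in which the "attacker" swaps the file for a symlink to a secret. The hardened reader opens first with `O_NOFOLLOW` and then inspects the descriptor it actually holds with `fstat`, so there is no separate check to race. File names and contents are constructed for the demo.

```python
import errno
import os
import stat
import tempfile

def read_racy(path, between_check_and_use=lambda: None):
    """Vulnerable: the property checked (not a symlink) can change before use."""
    if os.path.islink(path):
        raise PermissionError("symlinks not allowed")
    between_check_and_use()      # the TOCTOU window; an attacker swaps the file here
    with open(path, "rb") as f:
        return f.read()

def read_safe(path):
    """Hardened: open first, then validate the opened object, never the path."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(path, flags)
    except OSError as e:
        # Linux reports ELOOP for a symlink under O_NOFOLLOW; some BSDs use EMLINK.
        if e.errno in (errno.ELOOP, getattr(errno, "EMLINK", errno.ELOOP)):
            raise PermissionError("symlinks not allowed") from None
        raise
    try:
        st = os.fstat(fd)        # describes exactly what we opened
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:   # fdopen takes ownership of fd
        return f.read()

def demo():
    """Run both readers against a swapped file; returns what each produced."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret")        # constructed sensitive file
        target = os.path.join(d, "upload")        # constructed user-controlled path
        with open(secret, "w") as f:
            f.write("SECRET")

        def write_harmless():
            with open(target, "w") as f:
                f.write("harmless")

        def attacker_swap():
            os.remove(target)
            os.symlink(secret, target)

        write_harmless()
        leaked = read_racy(target, attacker_swap)   # check passed, then symlink followed

        os.remove(target)
        write_harmless()
        regular = read_safe(target)                 # ordinary file still readable

        attacker_swap()
        try:
            read_safe(target)
            blocked = False
        except PermissionError:
            blocked = True
        return {"racy": leaked, "safe_regular": regular, "safe_blocked": blocked}

if __name__ == "__main__":
    print(demo())
```

The same principle applies to directories (`openat` relative to a pinned directory descriptor) and to ownership checks (`fstat` on the descriptor, not `stat` on the path): validate the object you hold, not the name you were given.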

Policy Based

  1. MAC (Mandatory Access Control): Access is determined by a set of rules set by a central authority.
  2. DAC (Discretionary Access Control): The owner of the resource decides who is allowed to access it.
  3. ABAC (Attribute Based Access Control): Decisions are made by evaluating policies over attributes of the subject, the resource, the action, and the environment (e.g. time of day, network location).
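
To make the three models concrete, this added example (not part of the original notes) evaluates the same kinds of request under each: DAC with an owner-maintained ACL, MAC with Bell-LaPadula label rules, and ABAC with a generic attribute matcher that includes environment context. The label lattice, departments, and policy rules are assumptions for the illustration.

```python
# Ordered sensitivity labels used by the MAC model (assumed lattice).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

def dac_allows(resource, subject, action):
    """DAC: the owner controls the ACL and always has access to their own object."""
    if resource["owner"] == subject["id"]:
        return True
    return action in resource.get("acl", {}).get(subject["id"], set())

def mac_allows(resource, subject, action):
    """MAC, Bell-LaPadula: no read up (clearance >= label), no write down."""
    s, r = LEVELS[subject["clearance"]], LEVELS[resource["label"]]
    if action == "read":
        return s >= r
    if action == "write":
        return s <= r
    return False

def _get(request, dotted):
    """Look up 'subject.department' style keys in a nested request dict."""
    node = request
    for part in dotted.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def _matches(request, conditions):
    for key, expected in conditions.items():
        actual = _get(request, key)
        if callable(expected):
            if actual is None or not expected(actual):
                return False
        elif actual != expected:
            return False
    return True

# ABAC policy: first matching rule wins; anything unmatched is denied (implicit deny).
ABAC_RULES = [
    {"effect": "deny", "when": {"subject.terminated": True}},
    {"effect": "allow", "when": {
        "action": "read",
        "subject.department": "finance",
        "resource.type": "ledger",
        "env.network": "corp",
        "env.hour": lambda h: 8 <= h < 18,
    }},
]

def abac_allows(request, rules=ABAC_RULES):
    for rule in rules:
        if _matches(request, rule["when"]):
            return rule["effect"] == "allow"
    return False

if __name__ == "__main__":
    ledger = {"type": "ledger", "owner": "alice", "acl": {"bob": {"read"}}, "label": "confidential"}
    bob = {"id": "bob", "clearance": "internal", "department": "finance", "terminated": False}
    print(dac_allows(ledger, bob, "read"), mac_allows(ledger, bob, "read"))
    print(abac_allows({"subject": bob, "resource": ledger, "action": "read",
                       "env": {"network": "corp", "hour": 10}}))
```

The contrast worth noticing: the DAC grant from the owner is honoured even though MAC would refuse bob (his clearance is below the label), and ABAC refuses the identical request once the environment changes, which neither of the other two models can express.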

Business Related

  1. RPO (Recovery Point Objective): Maximum acceptable amount of data loss, measured in time. It bounds how old the most recent backup may be (e.g. an RPO of 4 hours means backups at least every 4 hours).
  2. RTO (Recovery Time Objective): Target amount of time to restore IT and business activities post-disaster.
  3. MTTR (Mean Time to Repair/Restore): Average time to recover from a failure.
  4. MTBF (Mean time between failures): Relating to system reliability.
  5. SOW (Statement of Work): Specifies the detailed scope of work, tasks, deliverables, timelines, and costs for a specific project.
  6. MOU (Memorandum of Understanding): Formal agreement outlining mutual understanding and intention to collaborate.
  7. MOA (Memorandum of Agreement): Formal document where both sides agree to a broad set of goals and objectives associated with the partnership.
  8. SLA (Service Level Agreement): Defines the level of service expected from the vendor (performance metrics). Usually very specific.
  9. UTM (Unified Threat Management): Combines various security functionalities into one appliance. E.g. intrusion detection/prevention, firewall capabilities, content filtering, and anti-malware tools.
  10. AML/KYC (Anti-Money Laundering, Know Your Customer)
  11. ARO (Annualized Rate of Occurrence): Expected frequency of risk.
  12. SLE (Single Loss Expectancy): The cost of a single occurrence of a risk event. SLE = asset value × EF.
  13. ALE (Annualized Loss Expectancy): ALE = SLE × ARO.
  14. EF (Exposure Factor): Proportion of asset value lost per risk event.
  15. COPE (Corporate owned, personally enabled): Regarding devices.
  16. COBE (Corporate owned, business exclusive)
  17. CYOD (Choose your own device)
  18. ICS (Industrial Control Systems)

Common Ports

  • 5060 - SIP (VoIP signaling, UDP/TCP); 5061 for SIP over TLS
  • 1433 - Microsoft SQL server
  • 53 - DNS
  • 20/21 - FTP
  • 22 - SSH
  • 23 - Telnet
  • 25 - SMTP (mail sending)
  • 80 - HTTP
  • 443 - HTTPS (HTTP over TLS)
  • 3389 - RDP
  • 445 - SMB (Windows file sharing)
  • 143 - IMAP (mail retrieval)
  • 110 - POP3 (mail retrieval)
  • 67/68 (UDP) - DHCP (address assignment)
  • 161/162 (UDP) - SNMP (network monitoring)

Other things

  1. Managerial controls (threat assessment is one)
  2. PCI DSS
  3. Network-based DLP/Host-based DLP (requires agents)
    1. Watermarking to identify sensitive information
  4. Data in use (by a system/program), data-in-transit (over a network), data-at-rest (on a harddrive)
  5. Technical controls (firewalls, access control lists, etc)
  6. Strategic risk
  7. Tokenization (designed to be reversible)
  8. APTs
  9. RFCs (Request for comments — internet protocols)
  10. IoC (indicators of compromise)
  11. Watering hole attack: compromise a website the target group frequently visits, rather than attacking the targets directly
  12. Typosquatting: registering a domain with slight spelling errors of the target's domain
  13. Threat hunting: proactively searching for adversaries already inside the environment; distinct from vulnerability scanning, war driving, and pen testing, which look for weaknesses rather than active intrusions
  14. Nslookup (DNS lookup)
  15. SOW
  16. Rules of engagement
  17. Footprinting
  18. PR (Privileges Required, a CVSS base metric)
  19. On-path attack/session hijacking
  20. Downgrade attack
  21. RSA is asymmetric
  22. AES is the successor to DES and 3DES (symmetric block ciphers)
  23. CRLs (Certificate revocation list)
  24. EV (extended validation) the highest level of assurance for a certificate
  25. Root CAs (highly protected, normally kept offline and not issuing end-entity certificates; they delegate authority to intermediate CAs)
  26. HSMs (hardware security modules manage encryption keys)
  27. LDAP (a directory service)
  28. Differential backups contain changes since the last full backup (restore = full + latest differential); incremental backups contain changes since the last backup of any type (restore = full + every incremental since, in order). Incrementals are smaller, differentials restore faster.
  29. A warm site has systems, connectivity, and power but not live data/operations, so it cannot take over immediately; a hot site can take over immediately; a cold site has only space and power.
  30. failover testing
  31. tabletop exercise vs simulated
  32. access control vestibule (an airlock system that prevents tailgating)
  33. CSA (Cloud Security Alliance) CCM (Cloud Controls Matrix) is a reference document. NIST SP 500-292 is a reference architecture for cloud computing. ISO 27001 is a general information security management standard. PCI DSS is a contractual industry standard for payment card data (imposed by the card brands, not a government regulation).
  34. IaaS/PaaS explained
  35. CRM (customer relationship management)
  36. MSP/MSSP (managed service provider; an MSSP is specifically security focused)
  37. Legacy: unsupported and no longer sold. End of life (EOL): no longer made but may still receive support for some time; end of service life (EOSL) is when that support stops.
  38. KMS (key management system)
  39. IR (incident response)
  40. SCADA (supervisory control and data acquisition)
  41. SIM card for cell phone
  42. HIPS (host-based intrusion prevention system)
  43. HIDS (host-based intrusion detection system)
  44. SoC (system on a chip: CPU, memory, and peripherals integrated on one die; not to be confused with SOC, security operations center)
  45. SNMP traps provide info about issues such as links going down, reboots, authentication failures
  46. A honeynet intentionally exposes apparent vulnerabilities to attract and observe attackers
  47. Jump server provides secure, monitored access to a protected network. Users log into the jump server which then has access.
  48. Proxies filter/manage traffic
  49. VLAN logically separates network segments
  50. WAF web application firewall is specialized in web traffic
  51. DNSSEC signs DNS records so resolvers can validate their origin and integrity, which mitigates DNS cache poisoning; it does not encrypt queries (that is DoH/DoT)
  52. SD-WAN allows for software defined (dynamic) wide area networks
  53. SPF, DKIM, DMARC are used to identify and validate email senders
  54. POP, IMAP(S), and HTTP(S) can be used to retrieve mail
  55. IPsec: network-layer VPN protocol suite; AH provides integrity/authentication, ESP adds encryption; transport mode protects the payload, tunnel mode wraps the whole packet
  56. UEM (Unified Endpoint Management)
  57. MDM (mobile device management)
  58. NFC (near field communication) like tap to pay credit cards
  59. PSK (preshared key)
  60. NIST CSF → Identify, Protect, Detect, Respond, Recover (CSF 2.0 adds Govern)
  61. Backout plan
  62. Change management process allows for a security impact analysis
  63. AUP (acceptable use policy)
  64. Mandatory vacations (allows fraudulent activity to come to light in their absence)
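
The differential vs incremental distinction (item 28) is easiest to see by simulating both. This added example (not from the original notes) records a constructed sequence of daily file changes, plans a backup set under each strategy, works out the restore chain needed for a given day, and replays that chain to confirm both strategies recover the same state while differing in backup size and chain length. File names and versions are made up for the illustration.

```python
# Constructed change history: day 0 is the initial state captured by the full
# backup; later entries map each changed file to its new version.
CHANGES_BY_DAY = [
    {"a": "a0", "b": "b0", "c": "c0"},   # day 0: full backup of everything
    {"a": "a1"},                         # day 1
    {"b": "b2"},                         # day 2
    {"a": "a3", "c": "c3"},              # day 3
]

def plan_backups(changes_by_day, strategy):
    """Return [(day, kind, contents)] for 'incremental' or 'differential'.

    incremental: what changed since the previous backup of any kind.
    differential: everything changed since the last full backup.
    """
    if strategy not in ("incremental", "differential"):
        raise ValueError(strategy)
    backups = []
    since_full = {}
    for day, changed in enumerate(changes_by_day):
        if day == 0:
            backups.append((day, "full", dict(changed)))
            since_full = {}
        elif strategy == "incremental":
            backups.append((day, "incremental", dict(changed)))
        else:
            since_full.update(changed)
            backups.append((day, "differential", dict(since_full)))
    return backups

def restore_chain(backups, target_day):
    """The backups, in apply order, needed to recover the state of target_day."""
    fulls = [b for b in backups if b[1] == "full" and b[0] <= target_day]
    if not fulls:
        raise ValueError("no full backup on or before target day")
    last_full = fulls[-1]
    later = [b for b in backups if last_full[0] < b[0] <= target_day]
    if later and later[-1][1] == "differential":
        return [last_full, later[-1]]     # full + only the newest differential
    return [last_full] + later            # full + every incremental, in order

def restore(chain):
    """Replay a chain; later backups overwrite earlier versions of a file."""
    state = {}
    for _day, _kind, contents in chain:
        state.update(contents)
    return state

def total_size(backups):
    """Storage cost, counting one unit per file copy held across all backups."""
    return sum(len(contents) for _d, _k, contents in backups)

if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        plan = plan_backups(CHANGES_BY_DAY, strategy)
        chain = restore_chain(plan, 3)
        print(strategy, "size", total_size(plan), "chain", [d for d, _, _ in chain],
              "state", restore(chain))
```

The practical consequence: with incrementals, losing or corrupting any single backup in the middle of the chain breaks every restore after it, whereas a differential restore depends on just two files; that is the trade against the larger storage footprint the size figures show.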