├── Security+ ├── 3. Implementation │ ├── Readme.md │ ├── 3.4 install and configure wireless security settings.md │ ├── 3.7 implement identity and account management controls..md │ ├── 3.1 implement secure protocols.md │ ├── 3.6 apply cybersecurity solutions to the cloud.md │ ├── 3.9 implement public key infrastructure.md │ ├── 3.8 implement authentication and authorization solutions..md │ └── 3.2 implement host or application security solutions.md ├── 2. Architecture and Design │ ├── Readme.md │ ├── 2.2 virtualization and cloud computing concepts.md │ ├── 2.6 Explain the security implications of embedded and specialized systems..md │ ├── 2.4 authentication and authorization design concepts.md │ ├── 2.5 implement cybersecurity resilience. .md │ ├── 2.3 secure application development, deployment, and automation concepts.md │ ├── 2.7 Explain the importance of physical security controls.md │ └── 2.1 Security concepts in an enterprise environment .md ├── 4. Operations and Incident Response │ ├── Readme.md │ ├── 4.4 Given an incident, apply mitigation techniques or controls to secure an environment..md │ ├── 4.3 Given an incident, utilize appropriate data sources to support an investigation.md │ ├── 4.5 Explain the key aspects of digital forensics..md │ ├── 4.2 Summarize the importance of policies, processes, and procedures for incident response..md │ └── 4.1 use the appropriate tool to assess organizational security..md ├── 5. Governance, Risk, and Compliance │ ├── Readme.md │ ├── 5.1 Compare and contrast various types of controls.md │ ├── 5.2 Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture.md │ ├── 5.5 Explain privacy and sensitive data concepts in relation to security.md │ └── 5.4 Summarize risk management processes and concepts..md ├── 1. 
Attacks, Threats, and Vulnerabilities │ ├── Readme.md │ ├── 1.8 Techniques used in Pentesting.md │ ├── 1.7 Techniques Used in Security Assessments.md │ ├── 1.6 Security Concerns with Various Vulnerabilities.md │ ├── 1.4 Network Attacks.md │ ├── 1.5 Threat Actors, Vectors, and Intelligence Sources.md │ └── 1.1 Social Engineering Techniques.md └── Readme.md ├── README.md └── Network+ ├── Readme.md ├── 3. Network Operations └── Readme.md ├── 5. Network Troubleshooting and Tools └── Readme.md ├── 4. Network Security └── Readme.md └── 2. Infrastructure └── Readme.md /Security+/3. Implementation/Readme.md: -------------------------------------------------------------------------------- 1 | W 2 | -------------------------------------------------------------------------------- /Security+/2. Architecture and Design/Readme.md: -------------------------------------------------------------------------------- 1 | W 2 | -------------------------------------------------------------------------------- /Security+/4. Operations and Incident Response/Readme.md: -------------------------------------------------------------------------------- 1 | W 2 | -------------------------------------------------------------------------------- /Security+/5. Governance, Risk, and Compliance/Readme.md: -------------------------------------------------------------------------------- 1 | W 2 | -------------------------------------------------------------------------------- /Security+/1. 
Attacks, Threats, and Vulnerabilities/Readme.md: -------------------------------------------------------------------------------- 1 | W 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | My Notes while studing for CompTIA Network+(N10-008) CompTIA Security+(SY0-601) 2 | -------------------------------------------------------------------------------- /Network+/Readme.md: -------------------------------------------------------------------------------- 1 | # CompTIA N10-007 Network+ 2 | 3 | Notes for the Professor Messer course [CompTIA N10-007 Network+](https://www.professormesser.com/network-plus/n10-007/n10-007-training-course/). 4 | 5 | Topics: 6 | 7 | * [1. Networking Concepts](1.%20Networking%20Concepts/Readme.md) 8 | 9 | * [2. Infrastructure](2.%20Infrastructure/Readme.md) 10 | 11 | * [3. Network Operations](3.%20Network%20Operations/Readme.md) 12 | 13 | * [4. Network Security](4.%20Network%20Security/Readme.md) 14 | 15 | * [5. Network Troubleshooting and Tools](5.%20Network%20Troubleshooting%20and%20Tools/Readme.md) 16 | -------------------------------------------------------------------------------- /Security+/Readme.md: -------------------------------------------------------------------------------- 1 | The purpose of this repository is to store my notes about the ' CompTIA Security+ SY0-601' learning and study. 2 | 3 | I hope, if you have landed here, this document can be of any use for you. 4 | 5 | ## Exam Objectives (Domains) 6 | 7 | | Domain | Percentage of Examination | 8 | |:------------------------------------------| :-------------------------| 9 | | 1. Attacks, Threats, and Vulnerabilities | 24% | 10 | | 2. Architecture and Design | 21% | 11 | | 3. Implementation | 25% | 12 | | 4. Operations and Incident Response | 16% | 13 | | 5. Governance, Risk, and Compliance | 14% | 14 | 15 | ## Sections 16 | 17 | * [1. 
Threats, Attacks, and Vulnerabilities](https://github.com/darshannn10/Comptia-Notes/tree/main/Security%2B/1.%20Attacks%2C%20Threats%2C%20and%20Vulnerabilities) 18 | * [2. Architecture and Design](https://github.com/darshannn10/Comptia-Notes/blob/main/Security%2B/2.%20Architecture%20and%20Design) 19 | * [3. Implementation](https://github.com/darshannn10/Comptia-Notes/blob/main/Security%2B/3.%20Implementation) 20 | * [4. Operations and Incident Response](https://github.com/darshannn10/Comptia-Notes/blob/main/Security%2B/4.%20Operations%20and%20Incident%20Response) 21 | * [5. Governance, Risk, and Compliance](https://github.com/darshannn10/Comptia-Notes/blob/main/Security%2B/5.%20%20Governance%2C%20Risk%2C%20and%20Compliance) 22 | -------------------------------------------------------------------------------- /Security+/5. Governance, Risk, and Compliance/5.1 Compare and contrast various types of controls.md: -------------------------------------------------------------------------------- 1 | # Security control 2 | 3 | - Security risks are out there 4 | 5 | - Many different types to consider 6 | 7 | 8 | 9 | - Assets are also varied 10 | 11 | - Data, physical property, computer systems 12 | 13 | 14 | 15 | - Pervent security events, minimize the impact, limit the damage 16 | 17 | 18 | 19 | # Control categories 20 | 21 | - Managerial control 22 | 23 | - Control that addresses security design 24 | 25 | - Security policies, standard operating procedures 26 | 27 | 28 | 29 | - Operational controls 30 | 31 | - Controls that are implemented by the people 32 | 33 | - Security guards, awareness programs 34 | 35 | 36 | 37 | - Technical controls 38 | 39 | - Controls implemented using systems 40 | 41 | - operating system controls 42 | 43 | - firewall, antivirus 44 | 45 | 46 | 47 | # Control types 48 | 49 | - Preventive 50 | 51 | - Physically control access 52 | 53 | - Door lock 54 | 55 | - Security guard 56 | 57 | - Firewall 58 | 59 | 60 | 61 | - Detective 62 | 63 | - May not 
prevent access 64 | 65 | - Only identifies and records intrusion attempt 66 | 67 | 68 | 69 | - Corrective 70 | 71 | - Designed to mitigate damage 72 | 73 | - IPS can block an attacker 74 | 75 | - Backups can mitigate a ransomware infection 76 | 77 | - A backup site can provide options when a storm hits 78 | 79 | 80 | 81 | - Deterrent 82 | 83 | - May not directly prevent access 84 | 85 | - Warning signs, login banner 86 | 87 | 88 | 89 | - Compensating 90 | 91 | - Doesnt prevent an attack 92 | 93 | - Restores using other means 94 | 95 | - Re-image or restore from backup 96 | 97 | 98 | 99 | - Physical 100 | 101 | - Fences 102 | 103 | - Locks 104 | 105 | -------------------------------------------------------------------------------- /Network+/3. Network Operations/Readme.md: -------------------------------------------------------------------------------- 1 | # Network Operations 2 | 3 | ## Network Documentation 4 | 5 | * Documenting network: 6 | 7 | 1. Mapping the network - logical and physical network maps 8 | 2. Change management 9 | 3. Managing cables 10 | 4. System labeling 11 | 5. Circuit labeling 12 | 6. Patch panel labeling 13 | 7. Baselines - point of reference 14 | 8. Inventory management 15 | 16 | ## Business Continuity 17 | 18 | * Fault tolerance - maintain uptime in case of failure; adds complexity and cost. 19 | 20 | * Single device fault tolerance - RAID, redundant power supplies and redundant NICs. 21 | 22 | * Multiple device fault tolerance - server farms with load balancing and multiple network paths. 23 | 24 | * Redundancy and fault tolerance - redundant hardware components, RAID, UPS, clustering and load balancing. 25 | 26 | * High availability (HA) - includes many different components working together; higher costs. 27 | 28 | * NIC teaming - LBFO (Load Balancing/Fail Over); multiple network adapters; port aggregation; fault tolerance. 
29 | 30 | * UPS (Uninterruptible Power Supply) - short-term backup power; can be offline, line-interactive or online. 31 | 32 | * Generators - long-term power backup; power an entire building 33 | 34 | * Dual-power supplies - redundant; hot-swappable. 35 | 36 | * Recovery sites: 37 | 38 | 1. Cold site - no hardware, data, people. 39 | 2. Warm site - only hardware available. 40 | 3. Hot site - exact replica; stocked with hardware, updated. 41 | 42 | * Full backups - all selected data backup; takes a lot of time. 43 | 44 | * Incremental backups - all files changed since last incremental backup. 45 | 46 | * Differential backups - all files changed since the last full backup. 47 | 48 | * Snapshots - capture current configuration and data in cloud; revert to known state or rollback to known configuration. 49 | 50 | ## Network Monitoring 51 | 52 | * Process monitoring: 53 | 54 | 1. Log management 55 | 2. Data graphing 56 | 3. Port scanning 57 | 4. Vulnerability scanning 58 | 5. Patch management 59 | 6. Baseline review 60 | 7. Protocol analyzers 61 | 62 | * Event management: 63 | 64 | 1. Interface monitoring 65 | 2. SIEM (Security Information and Event Management) 66 | 3. Syslog 67 | 4. SNMP (Simple Network Management Protocol) 68 | 69 | ## Remote Access 70 | 71 | * Remote access protocols: 72 | 73 | 1. IPSec (IP Security) - security for OSI layer 3; confidentiality, integrity, standardized; AH (Authentication Header) and ESP (Encapsulation Security Payload). 74 | 2. Site-to-Site VPNs - encrypt traffic between sites through public Internet. 75 | 3. SSL VPN (Secure Sockets Layer VPN) - uses SSL/TLS protocol (tcp/443); authenticate users. 76 | 4. Client-to-Site VPNs - remote access VPN. 77 | 5. DTLS VPN (Datagram Transport Layer Security VPN) - transport using UDP instead of TCP. 78 | 6. Remote desktop access - RDP (Microsoft Remote Desktop Protocol), VNC (Virtual Network Computing). 79 | 7. SSH (Secure Shell) - encrypted console communication (tcp/22). 80 | 8. 
File transferring - FTP (File Transfer Protocol), FTPS (FTP over SSL), SFTP (SSH FTP), TFTP (Trivial FTP). 81 | -------------------------------------------------------------------------------- /Security+/5. Governance, Risk, and Compliance/5.2 Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture.md: -------------------------------------------------------------------------------- 1 | # Compliance 2 | 3 | - Meeting the standard of laws, policies, and regulations 4 | 5 | 6 | 7 | - A healthy catalog of regulations and laws 8 | 9 | - Across many aspects of business and life 10 | 11 | - Many are industry-specific or situational 12 | 13 | 14 | 15 | - Penalties 16 | 17 | - Fines, incarceration, loss of employment 18 | 19 | 20 | 21 | - Scope 22 | 23 | - Cover national, territory, or state laws 24 | 25 | - Domestic and international requirements 26 | 27 | 28 | 29 | # GDPR - General data protection regulation 30 | 31 | - European Union regulation 32 | 33 | - Data protection and privacy for individuals in the EU 34 | 35 | - Name, address, photo, email address 36 | 37 | 38 | 39 | - Controls export of personal data 40 | 41 | - Users can decide where their data goes 42 | 43 | 44 | 45 | - Give individuals control of their personal data 46 | 47 | 48 | 49 | - Site privacy policy 50 | 51 | 52 | 53 | # PCI DSS 54 | 55 | - Payment card industry data security standard 56 | 57 | 58 | 59 | - Six control objectives 60 | 61 | - Build and maintain a secure network 62 | 63 | - Protect cardholder data 64 | 65 | - Maintain a vulnerability management program 66 | 67 | - Implement strong access control measures 68 | 69 | - Regularly monitor and test networks 70 | 71 | - Maintain an information security policy 72 | 73 | 74 | 75 | # Security Frameworks 76 | 77 | - Secure your data 78 | 79 | - Use a security framework 80 | 81 | - Document processes 82 | 83 | 84 | 85 | # Center for internet security (CIS) 86 | 87 | - Center for 
Internet Security Critical Security Controls for Effective Cyber Defense 88 | 89 | - CIS CSC 90 | 91 | 92 | 93 | - Improve cyber defenses 94 | 95 | 96 | 97 | - Designed for implementation 98 | 99 | 100 | 101 | # NIST RMF 102 | 103 | - National Institute of Standards and Technology Rish Management Framework (RMF) 104 | 105 | - Mandatory for US federal agencies 106 | 107 | 108 | 109 | - Six step process 110 | 111 | 1. Categorize 112 | 113 | 2. Select 114 | 115 | 3. Implement 116 | 117 | 4. Assess 118 | 119 | 5. Authorize 120 | 121 | 6. Monitor 122 | 123 | 124 | 125 | # NIST CSF 126 | 127 | - National Institue of Standards and Technology Cybersecurity Framework (CSF) 128 | 129 | 130 | 131 | - Framework core 132 | 133 | - Identify, protect, detect, respond, and Recover 134 | 135 | 136 | 137 | - Framwork implementation Tiers 138 | 139 | - An organizations view of cybersecurity risk and processes to manage the risk 140 | 141 | 142 | 143 | # ISO/IEC Frameworks 144 | 145 | - ISO/IEC 27001 146 | 147 | - ISO/IEC 27002 148 | 149 | - ISO/IEC 27701 150 | 151 | - ISO 31000 152 | 153 | 154 | 155 | # SSAE SOC 2 type 1/2 156 | 157 | - The American institute of Certified public accountant (AICPA) 158 | 159 | 160 | 161 | - SOC 2 - Trust Criteria 162 | 163 | 164 | 165 | - Type 1 audit 166 | 167 | - Test controls in place at a particular point in time 168 | 169 | 170 | 171 | - Type 2 audit 172 | 173 | - Tests control over a period of at least 6 months 174 | 175 | 176 | 177 | # Cloud Security Alliance (CSA) 178 | 179 | - Security in cloud computing 180 | 181 | 182 | 183 | - Cloud controls Matric (CCM) 184 | 185 | 186 | 187 | - Enterprise Architecture 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | -------------------------------------------------------------------------------- /Security+/4. 
Operations and Incident Response/4.4 Given an incident, apply mitigation techniques or controls to secure an environment..md: -------------------------------------------------------------------------------- 1 | # The endpoint 2 | 3 | - The end-user device 4 | 5 | - Desktop PC, Laptop, phone, etc 6 | 7 | 8 | 9 | - Many ways to exploit a system 10 | 11 | - OS vulnerability, malware, user intervention 12 | 13 | 14 | 15 | - Security team has to cover all of the bases 16 | 17 | 18 | 19 | # Application approved/deny lists 20 | 21 | - Any application can be dangerous 22 | 23 | - Vulnerabilities, trojan horses, malware 24 | 25 | 26 | 27 | - Approved list 28 | 29 | - Nothing runs unless it's approved 30 | 31 | - Very restrictive 32 | 33 | 34 | 35 | - Blocklist / deny list 36 | 37 | - Anti-virus, anti-malware 38 | 39 | 40 | 41 | - Quarantine 42 | 43 | - Anything suspicious can be moved to a safe area 44 | 45 | 46 | 47 | # Examples of application approval list 48 | 49 | - Decisions are made in the operating system 50 | 51 | - Often built-in to the operating system 52 | 53 | 54 | 55 | - Application hash 56 | 57 | - Certificate 58 | 59 | - Allow digitally signed apps from certain publishers 60 | 61 | 62 | 63 | - Path 64 | 65 | - Only run the application in these folders 66 | 67 | 68 | 69 | - Network zone 70 | 71 | - Apps can only run from this network zone 72 | 73 | 74 | 75 | # Configuration changed 76 | 77 | - Firewall rules 78 | 79 | - Manage application flow 80 | 81 | 82 | 83 | - Mobile device manager (MDM) 84 | 85 | - Enable or disable phone and tablet functionality 86 | 87 | 88 | 89 | - Regardless of physical location 90 | 91 | 92 | 93 | - Data Loss Prevention (DLP) 94 | 95 | - Block transfer of personally identifiable information (PII) 96 | 97 | 98 | 99 | # Configuration changes 100 | 101 | - Content filter/URL filter 102 | 103 | - Limit access to untrusted websites 104 | 105 | - Block known malicious sites 106 | 107 | - Large blocklists are used to share suspicious site 
URLs 108 | 109 | 110 | 111 | - Updating or revoking certificates 112 | 113 | - Manage device certs 114 | 115 | 116 | 117 | # Isolation 118 | 119 | - Administratively isolate a compromised device from everything else 120 | 121 | 122 | 123 | - Network isolation 124 | 125 | - Isolate a remediation VLAN 126 | 127 | 128 | 129 | - Process isolation 130 | 131 | - Limit application execution 132 | 133 | - Prevent malicious activity 134 | 135 | 136 | 137 | # Isolation 138 | 139 | - On it own isolated VLAN 140 | 141 | 142 | 143 | # Containment 144 | 145 | - Application containment 146 | 147 | - Run each application in its own sandbox 148 | 149 | 150 | 151 | - Limit interaction with the host operating system and other applications 152 | 153 | 154 | 155 | - Ransomware would have no method of infection 156 | 157 | 158 | 159 | - Contain the spread of a multi-device security event 160 | 161 | - Disable administrative shares 162 | 163 | - Disable remote management 164 | 165 | - Disable local account access 166 | 167 | 168 | 169 | # Segmentation 170 | 171 | - Prevent unauthorized movement 172 | 173 | - Limit the scope of a breach 174 | 175 | 176 | 177 | # SOAR 178 | 179 | - Security Orchestration, Automation, and Response 180 | 181 | - Integrate third-party tools and data sources 182 | 183 | - Make security teams more effective 184 | 185 | 186 | 187 | - Runbooks 188 | 189 | - A linear checklist of steps to perform 190 | 191 | - Step-by-step approach to automation 192 | 193 | - Reset a password, create a website certificate 194 | 195 | 196 | 197 | - Playbook 198 | 199 | - Condition steps to follow; a broad process 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | -------------------------------------------------------------------------------- /Security+/3. 
Implementation/3.4 install and configure wireless security settings.md: -------------------------------------------------------------------------------- 1 | # Securing a wireless network 2 | 3 | - An organization wireless network can contain confidential information 4 | 5 | 6 | 7 | - Authenticate the users before granting access 8 | 9 | - Who gets access to the wireless network 10 | 11 | 12 | 13 | - Ensure all communication is confidential 14 | 15 | 16 | 17 | # Wireless encryption 18 | 19 | - All wireless computers are radio transmitters and receivers 20 | 21 | - Anyone can listen 22 | 23 | - Encrypting the data will be the solution 24 | 25 | 26 | 27 | # WiFi protected access (WPA2) 28 | 29 | - CCMP block cipher block chaining 30 | 31 | - Created in 2004 32 | 33 | - CCMP security servies (AES protocol) 34 | 35 | 36 | 37 | - Has a brute-force problem 38 | 39 | - PSK brute-force problem 40 | 41 | 42 | 43 | # WPA 3 44 | 45 | - GCMP block cipher mode 46 | 47 | - Galois/Counter mode protocol 48 | 49 | - A stronger envryption than WPA2 50 | 51 | - GCMP security services 52 | 53 | 54 | 55 | # Simultaneous Authentication (SAE) 56 | 57 | - WPA3 uses PSK authentication process 58 | 59 | - Includes mutual authentication 60 | 61 | - Creates a shared session key without sending that key across the network 62 | 63 | - No hashes, no brute force attacks 64 | 65 | 66 | 67 | - In SAE, everyone uses a different session key 68 | 69 | 70 | 71 | # Wireless authentication methods 72 | 73 | - Shared password / pre-shared key (PSK) 74 | 75 | - Personal 76 | 77 | - WPA3 - PSK 78 | 79 | - Centralized authentication (802.1X) 80 | 81 | - Enterpise 82 | 83 | - WPA3- Enterpise (802.1X) 84 | 85 | 86 | 87 | # Captive portal 88 | 89 | - Authentication to a network 90 | 91 | - Common on wireless networks 92 | 93 | 94 | 95 | - Access table recognizes a lack of authentication 96 | 97 | - Username / password ex: Hotel 98 | 99 | 100 | 101 | # Using WPS 102 | 103 | - Wi-Fi Protected Setup 104 | 105 | - 
Used to be called Wi-Fi Simple Config 106 | 107 | 108 | 109 | - Allows "easy" setup of a mobile device 110 | 111 | 112 | 113 | # The WPS hack 114 | 115 | - WPS has a design flaw 116 | 117 | - PIN is an eight-digit number, only 10,000,000 combinations 118 | 119 | - Easy to hack 120 | 121 | 122 | 123 | # Extensible Authentication Protocol (EAP) 124 | 125 | - EAP integrates with 802.1X 126 | 127 | - Prevents access to the network 128 | 129 | 130 | 131 | # IEEE 802.1X 132 | 133 | - Port-based Network Access Control 134 | 135 | - USed in conjunction with an access database 136 | 137 | 138 | 139 | - Three different parts 140 | 141 | - Supplicant, Authenticator, the Authentication server 142 | 143 | 144 | 145 | # EAP-FAST 146 | 147 | - EAP Flexible Authentication via Secure Tunneling 148 | 149 | 150 | 151 | # PEAP 152 | 153 | - Protected Extensible Authentication Protocol 154 | 155 | - Uses EAP in TLS tunnel 156 | 157 | 158 | 159 | - User autneticatites with MSCHAPv2 160 | 161 | 162 | 163 | # EAP-TTLS 164 | 165 | - EAP Tunneled Transport Layer Security 166 | 167 | - Requires a digital certificate 168 | 169 | 170 | 171 | # Radius Federation 172 | 173 | - Members of one organization can authenticate 174 | 175 | - Uses 802.1x as the authentication method 176 | 177 | 178 | 179 | # Site survey 180 | 181 | - Determine existing wireless landscape 182 | 183 | - Sample the existing wireless spectrum 184 | 185 | - IDentify existing access points 186 | 187 | - Workaround existing frequencies 188 | 189 | - Plan for an ongoing site survey 190 | 191 | 192 | 193 | # Wireless packet analysis 194 | 195 | - Wireless networks are incredibly easy to monitor 196 | 197 | - You have to be quiet, You cant hear the network if you are busy transmitting 198 | 199 | - Some network drivers won't capture wireless information 200 | 201 | - View wireless-specific information 202 | 203 | 204 | 205 | # Access point placement 206 | 207 | - Minimal overlap 208 | 209 | - Avoid interference 210 | 211 | 212 | 
213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | 232 | 233 | 234 | 235 | 236 | 237 | 238 | 239 | 240 | 241 | 242 | 243 | 244 | 245 | 246 | 247 | 248 | 249 | 250 | 251 | 252 | 253 | 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 | -------------------------------------------------------------------------------- /Security+/2. Architecture and Design/2.2 virtualization and cloud computing concepts.md: -------------------------------------------------------------------------------- 1 | # Infrastructure as a service (IaaS) 2 | 3 | - A computing method that uses the cloud to provide any or all infrastructure needs. 4 | 5 | - IT resources such as servers, load balancers, are provided in the cloud. 6 | 7 | 8 | 9 | - You are still responsible for the management of the security. 10 | 11 | - Your data is out there, more within your control. You control the operating system 12 | 13 | 14 | 15 | - Web server providers 16 | 17 | - Microsoft Azure and AWS 18 | 19 | 20 | 21 | # Software as a service (SaaS) 22 | 23 | - A computing method that uses the cloud to provide application services to its users. 24 | 25 | - On-demand software - no local installation 26 | 27 | - Virtual infrastructure allows developers to provision services 28 | 29 | - A complete application offering; No development work required 30 | 31 | 32 | 33 | # Platform as a service (PaaS) 34 | 35 | - A computing method that uses the cloud to provide any platform-type services 36 | 37 | - No servers, no software, no maintenance team, no HVAC 38 | 39 | 40 | 41 | - You don't have direct control of the data, people. 
or infrastructure 42 | 43 | 44 | 45 | - **Example** Salesforce.com 46 | 47 | 48 | 49 | # Anything as a service (XaaS) 50 | 51 | - A broad description of all cloud models 52 | 53 | 54 | 55 | - Services delivered over the internet 56 | 57 | - Flexible consumption model 58 | 59 | 60 | 61 | - IT becomes more of an operating model 62 | 63 | 64 | 65 | # Cloud service providers 66 | 67 | - Provide cloud services 68 | 69 | - SaaS 70 | 71 | - PaaS 72 | 73 | - LaaS 74 | 75 | 76 | 77 | - Charge a flat fee or based on use 78 | 79 | 80 | 81 | - You still manage your processes; Internal staff, Development team, Operational support 82 | 83 | 84 | 85 | # Managed service providers (MSP) 86 | 87 | - A cloud service provider 88 | 89 | 90 | 91 | - Not all cloud service providers are MSPs 92 | 93 | 94 | 95 | - MSP support is in charge of 96 | 97 | - Network connectivity management 98 | 99 | - Backups and disaster recovery 100 | 101 | 102 | 103 | - Manage Security Service Provider ( MSSP ) 104 | 105 | - Firewall management 106 | 107 | - patch management 108 | 109 | - security audits 110 | 111 | 112 | 113 | # On-premises 114 | 115 | - Your applications are on local hardware 116 | 117 | - Your servers are in your data center in your building 118 | 119 | 120 | 121 | # Off-premises / hosted 122 | 123 | - Your server not in your building 124 | 125 | - They may not even be running your hardware 126 | 127 | - Usually a specialized computing environment ' 128 | 129 | 130 | 131 | # Edge computing 132 | 133 | - Provisioning processing resource close to the network edge of IoT devices to reduce latency 134 | 135 | - IoT devices on the internet, Devices with very specific functions. A huge amount of data 136 | 137 | 138 | 139 | - Edge computing, application data is on an edge server ( Local system ). 
140 | 141 | - Often process data on the device itself, No latency, no network requirement 142 | 143 | 144 | 145 | # Fog computing 146 | 147 | - A cloud that is close to your data 148 | 149 | 150 | 151 | - Cloud + Internet of Things 152 | 153 | - Extends the cloud, Distributes the data, and processing. No latency, local decisions made from local data 154 | 155 | 156 | 157 | - Sensitive data never leaves 158 | 159 | 160 | 161 | - The fog is in the middle, the data is sitting there and isn't pushed to the cloud. 162 | 163 | 164 | 165 | # Thin client 166 | 167 | - Basic application usage; Applications actually run on a remote server, Virtual desktop infrastructure 168 | 169 | 170 | 171 | - Desktop as a service (DaaS). 172 | 173 | 174 | 175 | - No huge memory or CPU needs to connect to the cloud, network connectivity 176 | 177 | 178 | 179 | # Virtualization 180 | 181 | - Runs many different operating systems on the same hardware 182 | 183 | - Each application instance has its own operating system 184 | 185 | - Separate operating machines, has a guest operating system 186 | 187 | 188 | 189 | - Virtual machines can become expensive 190 | 191 | 192 | 193 | # Application containerization 194 | 195 | - Container; Everything you need to run an application, Code, and dependencies 196 | 197 | 198 | 199 | - An isolated process in a sandbox; self-contained 200 | -------------------------------------------------------------------------------- /Network+/5. Network Troubleshooting and Tools/Readme.md: -------------------------------------------------------------------------------- 1 | # Network Troubleshooting and Tools 2 | 3 | ## Network Troubleshooting 4 | 5 | * Troubleshooting process: 6 | 7 | 1. Identify the problem 8 | 2. Establish a theory 9 | 3. Test the theory 10 | 4. Create plan of action 11 | 5. Implement the solution 12 | 6. Verify full system functionality 13 | 7. 
Document findings 14 | 15 | ## Network Tools 16 | 17 | * Common hardware tools include cable crimpers, cable testers, TDR/OTDR (Time Domain Reflectometer/Optical TDR), punch-down tools, light meter, tone generator, loopback plugs, multimeters, and spectrum analyzers. 18 | 19 | * Common software tools include protocol analyzers, network/port scanners, wireless packet analyzers, and speed test sites. 20 | 21 | * Command line tools: 22 | 23 | ```shell 24 | ping 9.9.9.9 #test reachability 25 | 26 | tracert 9.9.9.9 #determine route of packet, traceroute in UNIX-based systems 27 | 28 | nslookup #lookup info from DNS servers, use dig instead 29 | 30 | dig #domain info groper, advanced domain info 31 | 32 | ipconfig #ifconfig for UNIX, shows interface config 33 | 34 | iptables #stateful firewall, filter packets in kernel 35 | 36 | netstat #network stats 37 | 38 | tcpdump #capture packets, apply filters 39 | 40 | pathping 9.9.9.9 #combines ping and traceroute 41 | 42 | nmap #network mapper, port scan, OS scan, service scan 43 | 44 | route print #view routing table 45 | 46 | arp -a #view local ARP table 47 | ``` 48 | 49 | ## Wired Network Troubleshooting 50 | 51 | * Attenuation - signal loss; electrical signals through copper, light through fiber. 52 | 53 | * dB loss symptoms - no connectivity, intermittent connectivity, poor performance; test distance and signal loss. 54 | 55 | * Latency - delay between the request and response; waiting time. 56 | 57 | * Jitter - time measured between frames; excessive jitter can cause data loss. 58 | 59 | * Excessive jitter troubleshooting - confirm available bandwidth; check infrastructure; apply QoS. 60 | 61 | * Crosstalk (XT) - signals on one circuit affects another circuit; leaking of circuit; XT can be measured with TDR. 62 | 63 | * NEXT (Near End XT) - interference measured at transmitting end. 64 | 65 | * FEXT (Far End XT) - interference measured away from transmitter. 
66 | 67 | * XT troubleshooting - wiring issues; maintain twists; use category 6A cable to increase cable diameter; test and certify installation. 68 | 69 | * EMI (Electromagnetic Interference) can be avoided by cable handling; avoid power cords, fluorescent lights, electrical systems; test after installation. 70 | 71 | * Short circuit - two connections are touching; wires inside connection/cable. 72 | 73 | * Open circuit - break in connection; no communication. 74 | 75 | * Troubleshooting opens and shorts - replace cable; use TDR. 76 | 77 | * Incorrect cable type - excessive physical errors; check cable outer part; confirm with TDR, cable tester. 78 | 79 | * Troubleshooting interfaces - bad cable, hardware problem; verify config, two-way traffic. 80 | 81 | * Damaged cables - check physical layer, check TDR, replace cable. 82 | 83 | ## Wireless Network Troubleshooting 84 | 85 | * Reflection - too much reflection can weaken signal; position antennas to avoid excessive reflection. 86 | 87 | * Refraction - data rates are affected as signal is less directional; happens in outdoor long-distance wireless links. 88 | 89 | * Absorption - signal passes through object and loses signal strength; changes with frequency; put antennas on ceiling, avoid going through walls. 90 | 91 | * Latency and jitter can cause wireless interference, signal and capacity issues. 92 | 93 | * Attenuation issues - control power output on access point; use receive antenna with higher gain; move closer to antenna. 94 | 95 | * Incorrect antenna placements - antennas placed too close can cause interference due to overlapping channels; if placed too far, it can cause slow throughput. 96 | 97 | * Overcapacity issues - device saturation; bandwidth saturation. 98 | 99 | ## Network Service Troubleshooting 100 | 101 | * Troubleshooting DNS issues - check IP configuration; use nslookup or dig to test. 
* Troubleshooting IP configurations - check documentation, check nearby devices; monitor traffic, use tracert and ping.

* Rogue DHCP server - client assigned an invalid/duplicate address; disable rogue DHCP communication; disable the rogue server; renew IP leases.

* Blocked TCP/UDP ports - apps not working; firewall or ACL configuration; confirm with a packet capture; run a TCP/UDP-based traceroute tool.

--------------------------------------------------------------------------------
/Network+/4. Network Security/Readme.md:
--------------------------------------------------------------------------------

# Network Security

## Access Control

* AAA framework - Authentication, authorization and accounting; RADIUS (Remote Authentication Dial-In User Service) is the protocol most commonly used; TACACS/XTACACS/TACACS+ used alternatively.

* Kerberos - network authentication protocol; mutual authentication; SSO (Single Sign-On).

* LDAP (Lightweight Directory Access Protocol) - for reading and writing directories over an IP network; used to update X.500 directories.

* Auditing - log all access details; usage auditing, restrictions.

* NAC (Network Access Control) - port-based NAC (IEEE 802.1X); makes use of EAP (Extensible Authentication Protocol) and RADIUS.

* Port security - prevent unauthorized users from connecting to a switch interface; based on MAC address; configure the maximum number of source MAC addresses on an interface.

* MAC filtering - limit access by MAC address; addresses can be learned through packet captures; security through obscurity.

* Captive portals - authentication to a network.

* ACLs (Access Control Lists) - used to allow/deny traffic; defined on ingress/egress of an interface; evaluated on certain criteria.

## Wireless Network Security

* EAP (Extensible Authentication Protocol) - authentication framework; used by WPA and WPA2.

* Types of EAP:

  1. EAP-FAST - Flexible Authentication via Secure Tunneling.
  2. EAP-TLS - Transport Layer Security; strong security, wide adoption.
  3. EAP-TTLS - Tunneled TLS; supports other authentication protocols inside the TLS tunnel.
  4. PEAP - Protected EAP; encapsulates EAP in a TLS tunnel; commonly implemented as PEAPv0/EAP-MSCHAPv2.

* Wireless security modes - open system, WPA2-Personal (WPA2-PSK), and WPA2-Enterprise (WPA2-802.1X).

* Geofencing - restrict/allow features when a device is in a particular area.

## Network Attacks

* Denial of Service - overload a service so that it fails; network DoS, bandwidth DoS, DDoS (Distributed DoS) and DDoS amplification.

* Social engineering principles - authority, intimidation, consensus, scarcity, urgency, familiarity, and trust.

* Insider threats - phishing of innocent employees, careless or disgruntled employees; requires defense in depth.

* Logic bombs - malware waiting for a predefined event; time bombs, user events; tough to identify.

* Rogue access points - significant potential backdoor; easy to plug in a wireless access point; use 802.1X.

* Wardriving - WiFi monitoring combined with GPS; a huge amount of intel in a short period of time.

* Phishing - social engineering combined with spoofing; spear phishing.

* Ransomware - data unavailable until a ransom is paid; malware encrypts data files; crypto-malware; use offline backups, keep apps updated.

* DNS poisoning - modify the DNS server, modify the client hosts file, send a fake response to a valid DNS request.

* Spoofing - pretend to be something you are not; email address spoofing, caller ID spoofing, MITM attacks, MAC spoofing, IP spoofing.

* Wireless deauthentication - significant wireless DoS attack.

* Brute force attacks - keep trying the login process until the password is cracked.

* VLAN hopping - switch spoofing and double tagging.
* MITM attacks - redirect traffic; ARP poisoning; man-in-the-browser attack, using malware.

* Vulnerability - weakness in a system; may or may not be discovered; types such as data injection, sensitive data exposure, security misconfiguration, etc.

* Exploits - take advantage of a vulnerability; multiple exploit methods.

## Device Hardening

* Methods to harden device security:

  1. Change default credentials
  2. Use strong, random passwords
  3. Upgrade firmware
  4. Patch management
  5. File hashing
  6. Disable unnecessary services
  7. Watch the network
  8. Use secure protocols
  9. Generate new keys
  10. Disable unused TCP and UDP ports, and unused interfaces

## Mitigation

* Mitigation techniques:

  1. IPS signature management
  2. Device hardening
  3. Privileged accounts
  4. FIM (File Integrity Monitoring)
  5. Access Control Lists
  6. Honeypots
  7. Pentests

* Switch Port Protection:

  1. Spanning Tree Protocol
  2. BPDU guard - Bridge Protocol Data Unit; STP control.
  3. Root guard - spanning tree determines the root bridge; root guard lets you pick the root.
  4. Flood guard - configure the maximum number of MAC addresses on an interface.
  5. DHCP snooping (protects against DHCP spoofing) - IP tracking on a layer 2 device; a firewall for DHCP.

--------------------------------------------------------------------------------
/Security+/1. Attacks, Threats, and Vulnerabilities/1.8 Techniques used in Pentesting.md:
--------------------------------------------------------------------------------

# Penetration Testing

- A test that uses active tools and security utilities to evaluate security by simulating an attack on a system. A pen test will actively test and bypass security controls.
- Simulate an attack

- Similar to vulnerability scanning, but we try to exploit the vulnerabilities

- Often a compliance mandate; third-party testing

# Rules of engagement

- An important document that defines what to attack

- Type of testing and schedule: on-site physical breach, internal test, external test

- The rules
  - IP addresses
  - Emergency contacts
  - How to handle sensitive information
  - In-scope and out-of-scope devices

# Working knowledge

- How much do you know about the test? Many different approaches

- Unknown environment
  - Blind test

- Known environment
  - Full disclosure

- Partially known environment; a mix of known and unknown, focus on certain systems or applications

# Exploiting vulnerabilities

- Try to break into the system

- Gain privilege escalation

- Buffer overflows can cause instability

# Lateral movement

- Move from system to system

- The inside of the network is often unprotected

# Persistence

- Once you gain access you need to set up backdoor access

- Always have a way into the network

# The pivot

- Gain access to systems that would normally not be accessible

- Use a vulnerable system as a proxy or relay

# White box

- Having all the knowledge of the applications and testing the internal workings

# Black box

- Outside the network with little or no prior knowledge

# Gray box

- Combination of white and black box testing; search for defects.
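The rules-of-engagement section above lists in-scope and out-of-scope devices, IP addresses and a schedule. As an added example (not from these notes), this Python gate refuses any target that is excluded, not explicitly in scope, or outside the agreed testing window; all ranges, hosts and times are constructed sample values, not a real engagement.

```python
"""Rules-of-engagement scope gate: every target passes this before any tool is used."""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress
from typing import List, Tuple


def parse_networks(items: List[str]) -> list:
    """Accept '203.0.113.0/24' or a bare host such as '198.51.100.10'."""
    # strict=False lets '10.0.0.5/24' mean the network containing that host.
    return [ipaddress.ip_network(item, strict=False) for item in items]


def in_window(now: time, start: time, end: time) -> bool:
    """True if `now` falls in [start, end); the window may wrap past midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end  # e.g. 22:00 -> 06:00 wraps


@dataclass
class RulesOfEngagement:
    in_scope: list        # networks that may be tested
    out_of_scope: list    # exclusions; these always win
    window_start: time    # daily testing window (UTC), inclusive
    window_end: time      # exclusive

    @classmethod
    def from_strings(cls, in_scope, out_of_scope, window_start, window_end):
        return cls(parse_networks(in_scope), parse_networks(out_of_scope),
                   window_start, window_end)


def check_target(roe: RulesOfEngagement, target: str, now: datetime) -> Tuple[bool, str]:
    """Decide whether `target` may be tested at `now` (UTC); exclusions are checked first."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames are not resolved here: resolve first, then re-check the
        # address, so a stale DNS record cannot lead the test off-scope.
        return False, "not an IP address; resolve it and check the address"
    for net in roe.out_of_scope:
        if addr in net:
            return False, f"excluded by out-of-scope range {net}"
    if not any(addr in net for net in roe.in_scope):
        return False, "not in any in-scope range"
    if not in_window(now.time(), roe.window_start, roe.window_end):
        return False, (f"outside testing window "
                       f"{roe.window_start:%H:%M}-{roe.window_end:%H:%M}")
    return True, "in scope"


def filter_targets(roe: RulesOfEngagement, targets: List[str], now: datetime):
    """Split a candidate list into targets that may be tested and refusals with reasons."""
    allowed, refused = [], {}
    for t in targets:
        ok, reason = check_target(roe, t, now)
        if ok:
            allowed.append(t)
        else:
            refused[t] = reason
    return allowed, refused


# Constructed sample engagement, using RFC 5737 documentation ranges.
SAMPLE_ROE = RulesOfEngagement.from_strings(
    in_scope=["203.0.113.0/24", "198.51.100.10"],
    out_of_scope=["203.0.113.200/29"],               # hosts the client marked hands-off
    window_start=time(22, 0), window_end=time(6, 0),  # nightly window, UTC
)
SAMPLE_TARGETS = ["203.0.113.15", "203.0.113.203", "192.0.2.7",
                  "198.51.100.10", "intranet.example"]
NIGHT = datetime(2024, 1, 1, 23, 0)   # inside the window
NOON = datetime(2024, 1, 1, 12, 0)    # outside the window

if __name__ == "__main__":
    ok, bad = filter_targets(SAMPLE_ROE, SAMPLE_TARGETS, NIGHT)
    print("allowed:", ok)
    for host, why in bad.items():
        print(f"refused {host}: {why}")
```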
# Reconnaissance

- Need information before the attack

- Gathering a digital footprint

- Understand the security posture

- Minimize the attack area; create a network map

# Passive footprinting

- The phase in an attack or pen test in which the attacker or tester gathers information about the target

- Learn as much as you can from open sources

- Social media and corporate websites

- Social engineering

# Open Source Intelligence (OSINT)

- Gather information from many open sources

- Find information on anyone or anything

- Data is everywhere

- Automate the gathering, which can collect information fast

# Wardriving or warflying

- The practice of using a Wi-Fi sniffer to detect WLANs and then making use of them using WEP or WPA cracking tools

- Combine WiFi monitoring and a GPS; search from your car or plane

- Huge amount of intel in a short period of time

- All of this can be done for free; Kismet, inSSIDer, wigle.net

# Active footprinting

- Trying the doors; visible in network traffic

- Ping scans, port scans

- DNS queries

- OS scans, OS fingerprinting

- People can see that we are performing these tasks

# Red team

- The offensive security team

- Ethical hacking; find security holes

- Exploit vulnerabilities
  - The hacker gains access

- Social engineering attacks

# Blue team

- Defensive security

- Protecting data

- Operational security
  - Daily security tasks

- Incident response
  - Damage control

- Threat hunting
  - Find and fix the holes

- Digital forensics
  - Find data everywhere

# Purple team

- Red and blue teams work together

- Deploy applications and data securely

# White team

- Not on a side; the referees in a security exercise

- Enforces the rules and resolves any issues

- Manages the post-event assessments

--------------------------------------------------------------------------------
/Security+/1. Attacks, Threats, and Vulnerabilities/1.7 Techniques Used in Security Assessments.md:
--------------------------------------------------------------------------------

# Threat hunting

- A constant game of cat and mouse; there is always a chase

- Strategies are constantly changing, but firewalls are getting stronger

- The goal is always to speed up the reaction time

# Intelligence fusion

- Using sources of threat intelligence data to automate the detection of IoCs (Indicators of Compromise)

- There is an overwhelming amount of security data

- Separate teams such as security operations, security intelligence, threat response

- Many data types

- A Security Information and Event Management (SIEM) platform can apply intelligence fusion techniques

# Threat feeds

- Collect the data; logs and sensors, network information, internet events, intrusion detection

- Add external sources; threat feeds, government alerts, and social media

# Maneuver

- The concept that threat actor and defender may use deception or counterattacking strategies to gain positional advantage

- Firewall rule, block an IP address, delete malicious software

- Automate maneuvers; the computer reacts instantly

- Combine with fused intelligence; ongoing combat on many fronts

- The hacker will try to distract you with one task but then attack another section

# Vulnerability scanning

- Usually minimally invasive, unlike a penetration test

- Port scan; poke around and see what's open

- Identify systems; test from the inside and out

- Gather as much information as possible

# Non-intrusive scans

- Gathering information; don't try to exploit a vulnerability

# Intrusive scans

- Find the vulnerability and try it to see if it works

# Non-credentialed scan

- The scanner can't log in to the remote device

# Credentialed scan

- You are a normal user; emulates an insider attack

# Application scans

- Desktop, mobile apps

# Web applications

- Software on a web server can be vulnerable

# Network scans

- Misconfigured firewalls, open ports, and vulnerable devices

# Vulnerability research

- National Vulnerability Database

- Common Vulnerabilities and Exposures (CVE) lists vulnerabilities

- Microsoft Security Bulletins

# Common Vulnerability Scoring System

- Scores vulnerabilities from 0 to 10

- The scoring standards do change over time

# False positive

- A vulnerability reported by the scan does not really exist

- It is different from a low-severity vulnerability

# False negative

- The vulnerability exists; you just couldn't detect it

# Security Information and Event Management (SIEM)

- Logging of security events and information

- Log collection of security alerts

- Log aggregation and long-term storage

- Data correlation

- Forensic analysis

# Syslog

- A protocol enabling different appliances and software applications to transmit logs or event records to a central server

- Standard for message logging; diverse systems, consolidated log

- Usually a central log collector

- Requires a lot of disk space

# SIEM data

- Security Information and Event Management (SIEM)

- Data inputs
  - VPN connections
  - Firewall session logs
  - Denied outbound traffic flows
  - Network utilization
  - Packet capture

# Security monitoring

- Constant information flow

- Track important statistics

- Send alerts when problems are found

# Security reports and analyzing the data

- Over a long period of time, security reports accumulate

- Big data analytics; identify patterns

- User and entity behavior analytics (UEBA)

- Sentiment analysis; public discourse correlates to real-world behavior

# Security orchestration, automation, and response (SOAR)

- Automate routine, tedious, and time-intensive activities

- Automation is important because it is faster than humans

- Orchestration
  - Connect many different tools together: firewalls, account management, email filters

--------------------------------------------------------------------------------
/Security+/5. Governance, Risk, and Compliance/5.5 Explain privacy and sensitive data concepts in relation to security.md:
--------------------------------------------------------------------------------

# Information life cycle

- Creation and receipt
  - Create data internally or receive data from a third party

- Distribution
  - Records are sorted and stored

- Use
  - Make business decisions, create products and services

- Maintenance
  - Ongoing data retrieval and data transfers

- Disposition
  - Archiving or disposal of data

# Consequences

- Reputation damage
  - Opinion of the organization becomes negative

- Identity theft
  - Company and/or customer information becomes public

- Fines
  - Uber did not disclose
  - They paid them 100,000 to not say anything

- Intellectual property (IP) theft
  - Stealing company secrets

# Notification

- Internal escalation process
  - Breaches are often found by technicians
  - Provide a process for making those findings known

- External escalation process
  - Public notifications and disclosures
  - Refer to security breach notification laws

# Privacy impact assessment (PIA)

- Almost everything can affect privacy

- Privacy risk needs to be identified in each initiative

- Advantages
  - Fix privacy issues before they become a problem

# Notices

- Terms of service
  - Terms of use, terms and conditions

- Privacy notice, privacy policy

# Labeling sensitive data

- Not all data has the same level of sensitivity
  - License tag number vs. health records

- Different levels require different security and handling
  - Additional permissions
  - A different process to view; restricted network access

# Data classifications

- Proprietary
  - Data that is the property of an organization

- PII - Personally Identifiable Information
  - Data that can be used to identify an individual

- PHI - Protected Health Information
  - Health information associated with an individual

- Public / unclassified
  - No restrictions on viewing the data

- Private / classified / restricted / internal use only

- Sensitive
  - Intellectual property, PII, PHI

- Confidential
  - Very sensitive

- Critical
  - Data should always be available

- Data classifications
  - Internal company financial information

- Government data
  - Open data
  - Transfer between government entities
  - May be protected by law

- Customer data
  - PII

# Tokenization

- Replace sensitive data with a non-sensitive placeholder
  - SSN 226-12-1112 with 691-61-8539

- Common with credit card processing

# Data minimization

- Minimal data collection

- Included in many regulations
  - HIPAA has a "minimum necessary" rule

- Some information may not be required
  - Do you need a telephone number?

- Internal data use should be limited

# Data masking

- Data obfuscation
  - Hide some of the original data

- Protects PII
  - Other sensitive data

- May only be hidden from view

- Many different techniques

# Anonymization

- Makes it impossible to identify individual data from a dataset

- Many different anonymization techniques
  - Convert from detailed customer purchase data
  - Remove name, address, change phone number

# Pseudo-anonymization

- Replace personal information

- May be reversible

- Random replacement

# Data responsibilities

- High-level data relationships
  - Organizational responsibilities

- Data owner
  - Accountable for specific data
  - VP of sales owns customer relationship data

# Data roles

- Data controller
  - Manages the purposes and means by which personal data is processed

- Data processor
  - Processes data on behalf of the data controller
  - Payroll controller and processor
    - Payroll department

- Data custodian/steward
  - Responsible for data accuracy, privacy, and security

- Data protection officer (DPO)

--------------------------------------------------------------------------------
/Security+/2. Architecture and Design/2.6 Explain the security implications of embedded and specialized systems..md:
--------------------------------------------------------------------------------

# Embedded systems

- A computer system that is designed to perform a specific, dedicated function, such as a microcontroller.
- Hardware and software designed for a specific function

- Built with only this task in mind; can be optimized for size and/or cost

- **Example**: common light controllers, digital watches

# SoC (System on a chip)

- Multiple components running on a single chip

- Small form factor, external interface support, cache memory, flash memory, low power consumption.

- **Example**: a Raspberry Pi.

# Field-programmable gate array (FPGA)

- An integrated circuit that can be configured after manufacturing

- A problem doesn't require a hardware replacement; reprogram the FPGA.

- Common in infrastructure: firewall logic, routers.

# SCADA / ICS

- Supervisory Control and Data Acquisition system; large-scale, multi-site industrial control systems

- PC manages equipment

- Distributed control systems

- Requires extensive segmentation; no access from the outside

# IoT

- Internet of Things: heating and cooling, sensors

- Smart devices, home automation, video doorbells

- Wearable technology: watches, health monitors

- Facility automation

- Not made for security. IoT devices can be kept on a network separate from the home network in case someone gains access

- Weak defaults

# Specialized

- Medical devices: heart monitors, insulin pumps.
- Vehicles: the internal network is often accessible from mobile networks

- Aircraft: a DoS could damage the aircraft

- Smart meters: measure power and water usage

# VoIP

- Voice over Internet Protocol

- A relatively complex embedded system; can be relatively important

- Each device is a computer; separate boot

# HVAC

- Heating, Ventilation, and Air Conditioning

- A complex science; not something you can properly design

- PC manages equipment; security is not in mind.

# Drones

- Flying vehicle, no pilot on board

- May be manually controlled; often with some autonomy

- Extensive commercial and non-commercial use

# Multifunction devices (MFD)

- No longer a simple printer; very sophisticated firmware

- Some images are stored locally on the device

- Logs are stored on the device, which an attacker can access

# RTOS (Real-time Operating System)

- An operating system with a deterministic processing schedule

- Industrial equipment, automobiles

- Military environments

- Extremely sensitive to security issues

# Surveillance systems

- Video/audio surveillance; embedded systems are in the cameras

- Secure the security system; do support firmware upgrades

# 5G

- Fifth-generation cellular networking; launched worldwide in 2020

- Significant performance improvements; high frequencies

- Significant IoT impact; bandwidth becomes less of a constraint

# Subscriber identity module (SIM)

- A universal integrated circuit card

- Used to provide information to a cellular network provider

- Contains mobile details; IMSI (International Mobile Subscriber Identity)

# Narrowband

- Communicate analog signals over a narrow range of frequencies; over long-range distances

- Many IoT (Internet of Things) devices communicate this way

# Baseband

- Generally a single cable with a digital signal

- The communication signal uses all of the bandwidth

- Bidirectional communication, using the same wire/fiber

- Ethernet standard

# Zigbee

- Internet of Things networking; open standard

- Alternative to WiFi and Bluetooth; longer distances than Bluetooth

- Mesh network of all Zigbee devices in your home; tell Amazon Echo to lock the door

- Uses the ISM band (Industrial, Scientific, and Medical)

--------------------------------------------------------------------------------
/Network+/2. Infrastructure/Readme.md:
--------------------------------------------------------------------------------

# Infrastructure

## Cabling

* Cabling is foundational to network communication; twisted pair copper cabling is very common, with 2 types - UTP (Unshielded Twisted Pair) and STP (Shielded Twisted Pair).

* Common copper connectors - RJ11, RJ45, BNC, DB-9, DB-25 and F-connector.
* Fiber communication - transmission by light; no RF signal, so difficult to monitor; signal slow to degrade; immune to electromagnetic interference.

* Multimode fiber - short-range; cheap.

* Single-mode fiber - long-range; costly.

* Common optical fiber connectors - ST, SC, LC and MT-RJ.

* Common copper termination standards are T568A and T568B.

* Straight-through cables - patch cables; the common Ethernet cable; connect workstations to network devices; the opposite type is the crossover cable.

* Common network termination points - 66 block, 110 block, copper patch panel and fiber distribution panel.

* Transceiver - transmitter and receiver in a single component; provides a modular interface; duplex or BiDi (bidirectional) communication; e.g. GBIC, SFP/SFP+, QSFP.

* Common Ethernet standards - 100BASE-TX, 1000BASE-T, 1000BASE-SX, 1000BASE-LX, 10GBASE-T.

## Networking Devices

* Hub - multi-port repeater; half-duplex; less efficient; OSI layer 1.

* Bridge - connects physical networks to distribute traffic; similar to wireless access points; OSI layer 2.

* Switch - bridging done in hardware; OSI layer 2.

* Router - routes traffic between IP subnets; OSI layer 3.

* Firewall - filters traffic by port number; can encrypt and proxy traffic; OSI layer 4 (layer 7 for next-gen firewalls).

* Wireless access point - extends the wired network onto a wireless network; OSI layer 2.

* Modem - modulator/demodulator; converts between analog and digital signals.

* Media converter - physical layer signal conversion; OSI layer 1.

## Advanced Networking Devices

* Multilayer switch - switch and router in the same device.

* Wireless LAN controllers - centralized management of WAPs.
* Load balancer - distributes load across multiple servers; fault tolerance; TCP and SSL offload; caching, prioritization and content switching.

* IDS/IPS - detect and prevent intrusions; identifies on the basis of signature, anomaly, behaviour and heuristics.

* Proxy - sits between users and the external network; receives user requests and sends requests on their behalf; for caching, access control, URL filtering and content scanning.

* VPN concentrator - encrypts data traversing public networks; can be deployed through cryptographic hardware or software.

* AAA framework - provides authentication, authorization and accounting; RADIUS protocol used commonly.

* UTM (Unified Threat Management) - all-in-one security appliance; web security gateway.

* NGFW (Next-gen Firewalls) - OSI layer 7; application layer gateway; stateful multilayer inspection.

* VoIP PBX (Private Branch Exchange) - VoIP with a corporate phone switch.

* Content filter - control traffic based on the data in the content; anti-malware, anti-virus.

## Virtualization

* Hypervisor - VM manager; requires virtualization support.

* Jumbo frames - Ethernet frames with more than 1500 bytes of payload (up to 9216 bytes); increased efficiency.

* FC (Fibre Channel) - high-speed topology; supported over both fiber and copper; servers and storage connect to an FC switch.

* FC over data network - FCoE (FC over Ethernet), FCIP (FC over IP).

* iSCSI (Internet Small Computer Systems Interface) - send SCSI commands over an IP network; RFC standard.

* InfiniBand - high-speed switching topology; used in research, supercomputers.

## WAN Technologies

* Common types of WAN services:

  1. ISDN (Integrated Services Digital Network) - delivered through BRI, PRI; for phone systems.
  2. T1/E1 - time-division multiplexing.
  3. T3/DS3/E3 - delivered on coax (BNC connectors).
  4. SONET (Synchronous Optical Networking) - through OC (Optical Carrier) levels.
  5. ADSL (Asymmetric Digital Subscriber Line) - uses telephone lines; download speed faster than upload speed.
  6. Metro Ethernet
  7. Cable broadband
  8. Dialup

* Common WAN transmission media:

  1. Satellite networking - costly; high latency.
  2. Copper - cheaper; limited bandwidth.
  3. Fiber - high-speed; costly.
  4. Wireless - cellular; intermittent and roaming communication; limited by coverage.

* Frame relay - LAN traffic encapsulated into frame relay frames.

* ATM (Asynchronous Transfer Mode) - used over SONET; high throughput, real-time, low latency.

* MPLS (Multiprotocol Label Switching) - packets through the WAN are labelled.

* PPP (Point-to-Point Protocol) - OSI layer 2 protocol; creates a connection between 2 devices; data link functionality with authentication, compression, error detection and multilink.

* PPPoE - PPP over Ethernet; easy to implement.

* DMVPN (Dynamic Multipoint VPN) - the VPN builds itself; tunnels built dynamically, on demand.

* SIP (Session Initiation Protocol) trunking - control protocol for VoIP; more efficient.

* Demarcation point - point of connection with the outside world.

* CSU/DSU (Channel Service Unit/Data Service Unit) - sits between the router and the circuit; CSU connects to the network provider and DSU to the DTE (data terminal equipment).

* NIU (Network Interface Unit) - smartjack; built-in diagnostics.

--------------------------------------------------------------------------------
/Security+/3. Implementation/3.7 implement identity and account management controls..md:
--------------------------------------------------------------------------------

# Identity provider (IdP)

- Who are you?
4 | 5 | - A service needs to vouch for you 6 | 7 | - Authentication as a service 8 | 9 | 10 | 11 | - A list of entities 12 | 13 | - Users and devices 14 | 15 | 16 | 17 | - Commonly used by SSO applications 18 | 19 | - Cloud-based services need to know who you are 20 | 21 | 22 | 23 | # Attribures 24 | 25 | - An identifier or property of an entity 26 | 27 | - provides identification 28 | 29 | 30 | 31 | - Personal attributes 32 | 33 | - One or more attributes can be used for the identification 34 | 35 | 36 | 37 | # Certificates 38 | 39 | - Digital certificate 40 | 41 | - Assigned to a person or device 42 | 43 | 44 | 45 | - Binds the identity of the certificate owner 46 | 47 | 48 | 49 | - Requires an existing public key infrastructure (PKI) 50 | 51 | 52 | 53 | # Tokens and cards 54 | 55 | - Smart card 56 | 57 | - Integrates with devices 58 | 59 | 60 | 61 | - USB token 62 | 63 | - Certificate is read 64 | 65 | 66 | 67 | # SSH keys 68 | 69 | - Secure terminal communication 70 | 71 | 72 | 73 | - Use a key instead of a username and password 74 | 75 | 76 | 77 | - Key management is critical 78 | 79 | 80 | 81 | - SSH key managers 82 | 83 | 84 | 85 | # User Accounts 86 | 87 | - An account on a computer associated with a specific person 88 | 89 | - The computer associates the user with a specific identification number 90 | 91 | 92 | 93 | - Storage and files can be private to that user 94 | 95 | 96 | 97 | - No privileged access to the operating system 98 | 99 | 100 | 101 | # Shared and generic accounts 102 | 103 | - Shared accounts are used by more than one person 104 | 105 | 106 | 107 | - Very difficult to create an audit trail 108 | 109 | - No way to know exactly who was working 110 | 111 | 112 | 113 | - Password management becomes difficult 114 | 115 | 116 | 117 | - Do not use generic accounts 118 | 119 | 120 | 121 | # Guest accounts 122 | 123 | - Access to a computer for guests 124 | 125 | - No access to change settings, modify applications, view other user's files, and more 
126 | 127 | 128 | 129 | - This brings significant security challenges 130 | 131 | 132 | 133 | # Service accounts 134 | 135 | - Used exclusively by services running on a computer 136 | 137 | - No interactive/user access 138 | 139 | - Web server, database server, etc. 140 | 141 | 142 | 143 | - Access can be defined for a specific service 144 | 145 | - Web server rights and permissions 146 | 147 | 148 | 149 | - Commonly use usernames and passwords 150 | 151 | - You'll need to determine the best policy for passwords 152 | 153 | 154 | 155 | # Privileged accounts 156 | 157 | - Elevated access to one or more systems 158 | 159 | - Admin, root 160 | 161 | 162 | 163 | - Complete access to the system 164 | 165 | - often used to manage hardware, drivers, and software installation 166 | 167 | 168 | 169 | - This account should not be used for normal administration 170 | 171 | 172 | 173 | - Needs to be secured 174 | 175 | - 2 factor 176 | 177 | - Change password frequently 178 | 179 | 180 | 181 | # Account policies 182 | 183 | - Control access to an account 184 | 185 | 186 | 187 | # Perform routine audits 188 | 189 | - Is everything following the policy? 190 | 191 | 192 | 193 | - Have audits scheduled 194 | 195 | 196 | 197 | - Certain actions can be reported so you are informed 198 | 199 | 200 | 201 | # Auditing 202 | 203 | - Permission auditing 204 | 205 | - Some administrators don't need to be there. 206 | 207 | 208 | 209 | - Usage auditing 210 | 211 | - How are your resources used? 212 | 213 | - Are your systems and applications secure? 
214 | 215 | 216 | 217 | # Password complexity and length 218 | 219 | - Make your password strong 220 | 221 | - Resist guessing or brute-force attack 222 | 223 | 224 | 225 | - Increase password entropy 226 | 227 | - No single words, no obvious password 228 | 229 | 230 | 231 | - Mix upper and lower case and use special characters 232 | 233 | 234 | 235 | - Stronger passwords are at least 8 characters 236 | 237 | 238 | 239 | - Prevent password reuse 240 | 241 | 242 | 243 | # Account lockout and disablement 244 | 245 | - Too many incorrect passwords will cause a lockout 246 | 247 | - Prevents online brute force attacks 248 | 249 | - Should be normal for most user accounts 250 | 251 | 252 | 253 | - Disabling accounts 254 | 255 | - Part of the normal change process 256 | 257 | - You don't want to delete accounts 258 | 259 | - Deleted accounts may have encryption keys 260 | 261 | 262 | 263 | # Location-based policies 264 | 265 | - Network location 266 | 267 | - IP subnet based on identity 268 | 269 | 270 | 271 | - Geolocation 272 | 273 | - GPS 274 | 275 | - 802.11 wireless 276 | 277 | - IP address 278 | 279 | 280 | 281 | - Geofencing 282 | 283 | - Automatically allow or restrict access 284 | 285 | 286 | 287 | - Geotagging 288 | 289 | - Add location metadata to a document or file 290 | 291 | - Latitude and longitude, distance, time stamps 292 | 293 | 294 | 295 | - Location-based access rules 296 | 297 | - Stop outside attacks. 298 | 299 | 300 | 301 | 302 | 303 | 304 | 305 | 306 | 307 | 308 | 309 | 310 | 311 | 312 | 313 | 314 | 315 | 316 | 317 | 318 | 319 | 320 | 321 | 322 | 323 | 324 | 325 | 326 | 327 | 328 | 329 | 330 | 331 | 332 | 333 | 334 | 335 | 336 | 337 | 338 | 339 | 340 | 341 | 342 | 343 | 344 | 345 | 346 | 347 | 348 | 349 | 350 | 351 | 352 | 353 | 354 | 355 | 356 | 357 | 358 | 359 | 360 | 361 | 362 | 363 | 364 | 365 | 366 | 367 | 368 | 369 | 370 | 371 | 372 | 373 | -------------------------------------------------------------------------------- /Security+/1. 
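As an added example that is not part of these notes, the password and lockout rules above written out as checkable code. The names (`check_password`, `LockoutTracker`, the `COMMON_WORDS` list) and the lockout threshold and window values are assumptions made for this illustration; the 8-character minimum is the figure from the notes:

```python
import hashlib
import hmac
import math
import os
import string
import time
from typing import Callable, Dict, List, Optional, Set, Tuple

# Policy values from the notes above: at least 8 characters, mixed case plus
# special characters, no single obvious word, no reuse of earlier passwords.
MIN_LENGTH = 8
PBKDF2_ROUNDS = 100_000
# Constructed sample of "obvious" words (an assumption for this example); a real
# deployment would check against a breached-password list instead.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}


def entropy_bits(password: str) -> float:
    """Rough entropy estimate: length * log2(size of the character classes used).
    Longer passwords and more classes raise the cost of a brute-force attack."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    return len(password) * math.log2(charset) if charset else 0.0


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the password history stores these pairs, never plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def was_used_before(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Reuse check: re-derive with each stored salt and compare in constant time."""
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs mixed case")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a special character")
    if password.lower().strip(string.punctuation + string.digits) in COMMON_WORDS:
        problems.append("obvious single word")
    if was_used_before(password, history):
        problems.append("reused")
    return problems


class LockoutTracker:
    """Account lockout as described above: `threshold` failures inside `window`
    seconds lock the account for `lock_for` seconds, which stops online
    brute-force guessing. Disabling is a separate, deliberate state."""

    def __init__(self, threshold: int = 5, window: int = 300, lock_for: int = 900,
                 clock: Callable[[], float] = time.time):
        self.threshold, self.window, self.lock_for, self.clock = threshold, window, lock_for, clock
        self.failures: Dict[str, List[float]] = {}
        self.locked_until: Dict[str, float] = {}
        self.disabled: Set[str] = set()

    def status(self, account: str) -> str:
        if account in self.disabled:
            return "disabled"
        if self.clock() < self.locked_until.get(account, 0.0):
            return "locked"
        return "active"

    def record_failure(self, account: str) -> str:
        now = self.clock()
        recent = [t for t in self.failures.get(account, []) if now - t <= self.window]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.threshold:
            self.locked_until[account] = now + self.lock_for
            self.failures[account] = []
        return self.status(account)

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)

    def disable(self, account: str) -> None:
        """Disable rather than delete: the account's keys and audit trail survive."""
        self.disabled.add(account)
```

The `clock` parameter exists so the lockout window can be tested with a fixed time instead of the wall clock; the reuse check works only on stored salted hashes, so keeping a password history never requires keeping old passwords.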
--------------------------------------------------------------------------------
/Security+/1. Attacks, Threats, and Vulnerabilities/1.6 Security Concerns with Various Vulnerabilities.md:
--------------------------------------------------------------------------------

# Zero day

- A vulnerability in software that is unpatched by the developer, or an attack that exploits such a vulnerability
  - A vulnerability that has been discovered but the company does not know about
  - These can be extremely destructive

# Open permissions

- Users have too many permissions towards sensitive data
  - An open door where the hacker can just walk on in

- Permissions can be complex and it is easy to make mistakes

- **Example** - 14 million Verizon records exposed; a third party left an Amazon S3 data repository open

# Unsecure root accounts

- Root is easy to access, which gives the user privileges to do what they want
  - It is the default admin account
  - Some root passwords can be weak

# Errors

- Errors give too much information to the hacker
  - Errors can give service type, version information, debug data

- **Example** - Patreon was compromised; a debugger intended to help monitor and troubleshoot website issues

# Weak encryption

- Easy-to-crack hashes can lead to information being stolen
  - Encryption protocol (AES, 3DES)

- The length of the encryption key is important, and make sure wireless encryption is used

# Insecure protocols

- Having outdated protocols can lead to vulnerabilities in the network
  - Some protocols aren't encrypted

- Verifying with a packet capture that the traffic is encrypted is a way to see whether you have a good protocol.

# Default settings

- Default settings make it easy for the hacker to get in. Default passwords are a huge vulnerability.

- **Example** - The Mirai botnet takes advantage of default configurations

# Open ports and services

- A port that accepts packets is an open port
  - Some open ports can be misconfigured, unpatched, and vulnerable to exploits

- Make sure firewalls are in place

# Third-party risks

- IT security doesn't change because it's a third party
  - Always plan for the worst; human error is still a big issue

# System integration

- Professional installation and maintenance
  - Can be on-site with physical or virtual access

- Less security on the inside; port scanners and traffic captures
  - Can run software on the internal network

# Lack of vendor support

- Security requires diligence; it takes the vendor some time to patch a vulnerability.
  - Vendors are the only ones who can fix their products

- **Example** - Trane ComfortLink 2 thermostats: there were three vulnerabilities in April 2014. The patches were then released in April 2015

# Supply chain

- You can't always control security at a third-party location
  - Always maintain local security control

- Hardware and software from a vendor can contain malware
  - Counterfeit hardware is out there

# Outsourced code development

- Access to the codebase can lead to security issues
  - Cloud-based access

- Verify security to other systems
  - Test the code security; check for backdoors

# Data storage

- Consider the type of data; contact the type of data

- Storage at a third-party location needs encryption
  - Check the input and output

# Improper or weak patch management

- The update server determines when you patch
  - Test all your apps, then deploy

# Firmware

- The BIOS of the device

# Operating system

- Monthly and on-demand patches can secure the operating system

# Applications

- Provided by the manufacturer as needed

- **Example** - Equifax had a data breach of 147.9 million and many more. Apache Struts: a patch was identified on March 7, 2017, but the system wasn't patched till July 30th

# Legacy platforms

- Some devices remain installed for a long time
  - Legacy devices with older operating systems, applications, and middleware may have vulnerabilities

- May be running end-of-life software

# Impacts

- Malicious cyber activity cost between 57 billion and 109 billion in 2016
  - More than just finances; the company's reputation is also damaged

# Data loss

- Vulnerability: unsecured databases
  - No password or default password

- Internet-facing databases are being deleted
  - Thousands of databases are missing

- **Example** - A hacker overwrites data with the word "meow"; no message or motive

# Identity theft

- Hackers target companies that have personal information
  - Equifax had data stolen in July 2017

# Financial loss

- Bank of Bangladesh; Society for Worldwide Interbank
  - Attackers sent secure messages to transfer nearly one billion dollars

# Reputation impacts

- Getting hacked isn't a great look

- **Example** - October 2016 - Uber breach: 25.6 million names, email addresses, and mobile phone numbers; they paid 148 million in fines

# Availability loss

- Outages and downtime
  - Ransomware can lock your files and bring down your system

--------------------------------------------------------------------------------
/Security+/3. Implementation/3.1 implement secure protocols.md:
--------------------------------------------------------------------------------

# Domain Name System

- The Domain Name System (DNS) resolves fully qualified domain names to IP addresses.
  - Uses a distributed database system that contains information on the domains and hosts within those domains

- dnschef in Kali Linux allows you to create a fake domain.
  - Using Metasploit, you can create your own DHCP server.

# DNS Security Extensions (DNSSEC)

- A security protocol that provides authentication of DNS data and upholds DNS data integrity.
  - To mitigate spoofing and poisoning attacks, there is a process for validating DNS responses.

- DNSSEC has a package of resource records signed with a private key.
  - When the server records an exchange, the authoritative server records the exchange.

# SSH (Secure Shell)

- A remote administration and file-copy program that supports VPNs by using port forwarding; runs on port 22
  - The main use for SSH is secure file transfer (SFTP)
  - The most used implementation is [openssh](https://www.openssh.com)

- SSH servers are identified by a public/private key pair (asymmetric)
  - Kerberos

# Secure/Multipurpose Internet Mail Extensions (S/MIME)

- An email encryption standard that adds digital signatures and public-key cryptography to traditional MIME communications
  - The user is issued a digital certificate containing his or her public key.
  - Between the two users, both of them have each other's keys (public and private keys).

# Secure Real-time Protocol (SRTP)

- Version of RTP using TLS
  - A master key is used to secure sessions (AES)

- Voice and video over IP
  - Authentication, integrity, and replay protection

# Lightweight Directory Access Protocol (LDAP)

- A network protocol used to access network directory databases, which store information about authorized users and their privileges
  - Runs on port 389
  - No security; all transmissions are in plaintext
  - Vulnerable to sniffing and man-in-the-middle attacks

# LDAP secure

- A network protocol used to access network directory databases, which store information about authorized users and their privileges
  - The server is installed with a digital certificate, which is used to secure the tunnel for the user credential exchange.

# File Transfer Protocol (FTP)

- A protocol used to transfer files between network hosts.
  - Configured with several public directories

# File Transfer Protocol, Secure (FTPS)

- A type of FTP using TLS for confidentiality

# SSH File Transfer Protocol (SFTP)

- A secure version of the File Transfer Protocol that uses SSH
  - Uses SSH to encrypt the authentication and data transfer between client and server

# Simple Network Management Protocol Security

- Protocol for monitoring and managing network devices.
  - Widely used framework for management and monitoring
  - Runs on a switch, router, server, or other SNMP-compatible network devices

# Simple Network Management Protocol, version 3 (SNMPv3)

- Standards-based protocol defined in RFC 3413 to 3415
  - Message integrity
  - Authentication
  - Encryption

# Hypertext Transfer Protocol over SSL/TLS (HTTPS)

- The protocol used to provide web content to browsers. HTTP uses port 80. HTTPS provides encrypted transfers using port 443.
  - A client's connection to HTTP uses the correct TCP port

- IPsec
  - Internet Protocol Security is a secure network protocol suite that authenticates and encrypts the packets of data to provide secure encrypted communication between two computers over an Internet Protocol network

- Transport mode
  - This mode is used to secure communications between hosts on a private network.

![image](https://user-images.githubusercontent.com/81980702/120405847-25bcfb80-c30f-11eb-82b3-59f41b5798c5.png)

- Tunnel mode
  - This mode is used for communications between VPN gateways across an unsecured network, creating a VPN

![image](https://user-images.githubusercontent.com/81980702/120405852-2b1a4600-c30f-11eb-8488-5d59723c5621.png)

- ESP
  - The whole IP packet is encrypted and encapsulated as a datagram with a new IP header

# Post Office Protocol v3 (POP3)

- TCP port 110; enables a client to access email messages stored in a mailbox on a remote server
  - The server deletes messages once the client has downloaded them

# Internet Message Access Protocol v4 (IMAP4)

- TCP/IP application protocol providing a means for a client to access and manage email messages stored in a mailbox on a remote server
  - Supports permanent connections to a server over port 143

# Time synchronization

- Classic NTP has no security features

# Use cases

- Email
  - Secure/Multipurpose Internet Mail Extensions (S/MIME)

- Voice and video
  - Secure Real-time Protocol (SRTP)

- Time synchronization
  - NTP

- Web
  - Hypertext Transfer Protocol over SSL/TLS (HTTPS)

- File transfer
  - File Transfer Protocol, Secure (FTPS)

- Directory services
  - Lightweight Directory Access Protocol (LDAP)

- Remote access
  - SSH (Secure Shell)

- Domain name resolution
  - Domain Name System

- Routing and switching
  - Simple Network Management Protocol, version 3 (SNMPv3)

--------------------------------------------------------------------------------
/Security+/5. Governance, Risk, and Compliance/5.4 Summarize risk management processes and concepts..md:
--------------------------------------------------------------------------------

# Risk assessment

- Identify assets that could be affected by an attack

- Identify threats
  - Loss of data, disruption of services, etc.

- Determine the risk
  - High, medium, or low risk

- Assess the total risk to the organization

# Risk assessments

- External threats
  - Outside the organization
  - Hacker groups, former employees

- Internal threats
  - Employees and partners
  - Disgruntled employees

- Legacy systems
  - Outdated, older technologies
  - May not be supported by the manufacturer
  - May not have security patches

# Multi-party risk

- Breaches involving multiple parties
  - Often trusted business relationships

- May 2019 - American Medical Collection Agency
  - Data breach disclosed personal information on 24 million individuals

# Risk assessments

- Intellectual property (IP) theft
  - Theft of ideas, inventions, and creative expressions
  - Human error, hacking, employees with access
  - Identify and protect IP

- Software compliance/licensing
  - Operational risk with too few licenses
  - Financial risk with budgeting

# Risk management strategies

- Acceptance
  - A business decision

- Risk avoidance
  - Stop participating in a high-risk activity

- Transference
  - Buy some cybersecurity insurance

- Mitigation
  - Decrease the risk with software

# Evaluating risk

- Risk register
  - Every project has a plan, but also has risk
  - Identify and document the risk associated with each step

- Risk matrix / heat map
  - View the results of the risk assessment
  - Visually identify risk based on color
  - Assists with making strategic decisions

![c10ef3448f6408fc9f0dc2e2f0ef0965.png](:/6ed5f350c0f74880b3c8b397582d87b8)

# Audit risk model

- Inherent risk
  - Impact + likelihood

- Residual risk
  - Inherent risk + control effectiveness

- Risk appetite
  - The amount of risk an organization is willing to take

# Risk control assessment

- Risk has been determined
  - Time to build cybersecurity requirements

- Find the gap
  - Often requires a formal audit

- Build and maintain security systems based on the requirements
  - Determine if existing controls are compliant or non-compliant

# Risk awareness

- A constantly changing battlefield
  - New risks, emerging risks

- Knowledge is key
  - Part of every employee's daily job role

- Maintaining awareness
  - Ongoing group discussions
  - Presentations from law enforcement

# Regulations that affect risk posture

- Regulations directly associated with cybersecurity
  - Protection of personal information, disclosure of information breaches
  - Requires a minimum level of information security

- HIPAA
  - Health Insurance Portability and Accountability Act
  - New storage requirements

- GDPR
  - General Data Protection Regulation

# Qualitative risk assessment

- Identify significant risk factors
  - Ask opinions about the significance
  - Display visually with a traffic light grid or similar method

- Likelihood
  - Annual Rate of Occurrence (ARO)

# Quantitative risk assessment

- SLE
  - Single loss expectancy

- ALE
  - Annualized loss expectancy

- The business impact can be more than monetary

# Disaster types

- Environmental threats
  - Tornado, hurricane, earthquake

- Person-made threats
  - Internal and external threats

# Recovery

- Recovery time objective (RTO)
  - Get up and running quickly

- Recovery point objective (RPO)
  - How much data loss is acceptable

- Mean time to repair (MTTR)
  - Time required to fix the issue

- Mean time between failures (MTBF)
  - Predict the time between outages

# Functional recovery plans

- Recover from an outage
  - Step-by-step guide

- Contact information
  - Someone is on call

- Technical process
  - Reference the knowledge base
  - Recover and test

# Removing single points of failure

- A single event can ruin your day
  - Unless you make some plans

- Network configuration
  - Multiple devices

- Facility/utilities

- People/location

- There's no practical way to remove all points of failure
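As an added example that is not part of these notes, a small risk register that applies the qualitative traffic-light grid and the SLE/ALE formulas from the qualitative and quantitative risk assessment sections above, and works out whether a mitigating control is worth its cost. The 1-3 scales, the colour cut-offs, the function names and the sample register are assumptions constructed for the illustration:

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Qualitative scale behind the traffic-light grid (an assumption for this example).
LEVELS = {"low": 1, "medium": 2, "high": 3}


def traffic_light(likelihood: str, impact: str) -> str:
    """Qualitative rating from the likelihood x impact product: 1-2 green, 3-4 amber, 6-9 red."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "red"
    if score >= 3:
        return "amber"
    return "green"


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost in one incident)."""
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (annual rate of occurrence)."""
    return round(sle * aro, 2)


def control_value(asset_value: float, exposure_factor: float, aro_before: float,
                  aro_after: float, annual_cost: float) -> float:
    """Net annual value of a mitigating control: ALE reduction minus what the control costs.
    Positive means mitigation pays for itself; negative points at acceptance or transference."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    saved = annualized_loss_expectancy(sle, aro_before) - annualized_loss_expectancy(sle, aro_after)
    return round(saved - annual_cost, 2)


@dataclass
class RiskEntry:
    name: str
    likelihood: str
    impact: str
    asset_value: float
    exposure_factor: float
    aro: float


def build_register(entries: List[RiskEntry]) -> List[Dict]:
    """Risk register rows, highest ALE first, each with its qualitative colour."""
    rows = []
    for e in entries:
        sle = single_loss_expectancy(e.asset_value, e.exposure_factor)
        rows.append({"name": e.name, "rating": traffic_light(e.likelihood, e.impact),
                     "sle": sle, "ale": annualized_loss_expectancy(sle, e.aro)})
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


def heat_map(entries: List[RiskEntry]) -> Dict[Tuple[str, str], int]:
    """Count of risks per (likelihood, impact) cell: the data a heat map is drawn from."""
    cells: Dict[Tuple[str, str], int] = {}
    for e in entries:
        key = (e.likelihood, e.impact)
        cells[key] = cells.get(key, 0) + 1
    return cells


# Constructed sample register; every value here is made up for the illustration.
SAMPLE = [
    RiskEntry("Ransomware on file server", "high", "high", 200_000, 0.5, 0.5),
    RiskEntry("Laptop theft", "medium", "low", 2_000, 1.0, 3),
    RiskEntry("Data center flood", "low", "high", 1_000_000, 0.8, 0.05),
]
```

Note how the two views disagree: the flood is "amber" on the qualitative grid but carries the second-largest ALE in the quantitative register, which is why the notes say the business impact can be more than what one number shows.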
# Disaster recovery plan (DRP)

- Detailed plan for resuming operations after a disaster
  - Application, data center, building

- Extensive planning prior to the disaster
  - Backups
  - Off-site replication

- Cloud alternatives
  - Many third-party options

- Physical location
  - Recovery services

# Impact

- Life
  - The most important consideration

- Property
  - The risk to buildings and assets

- Safety
  - Some environments are dangerous

- Finance

- Reputation

# Mission-essential functions

- If a hurricane blew through, what functions would be essential to the organization?

- What computing systems are required for these mission-essential functions?

# Site risk assessment

- All locations are a bit different

- Recovery plans should consider unique environments

--------------------------------------------------------------------------------
/Security+/2. Architecture and Design/2.4 authentication and authorization design concepts.md:
--------------------------------------------------------------------------------

# Directory services

- A network service that stores identity information about all the objects in a particular network
  - Keeps all of an organization's usernames and passwords in a single database

- Large distributed database
  - All authentication requests reference this directory

![image](https://user-images.githubusercontent.com/81980702/120222834-32096180-c206-11eb-91f9-20a77db4d20b.png)

> Browsing objects in an Active Directory

# Federation

- A process that provides a shared login capability across multiple systems and enterprises.
  - Provides network access to others, not just employees: partners, suppliers, customers, etc.

- Third parties can establish a federated network, authenticate and authorize
  - Third parties must establish a trust relationship

- **Example** - Log in with Twitter, Log in with Facebook, Log in with LinkedIn on websites

# Attestation

- Prove the hardware is really yours, a system you can trust
  - Easy when it's just your computer

- Remote attestation: the device provides an operational report to a verification server

- Encrypted and digitally signed with the TPM

- An IMEI or other unique hardware component can be included in the report

# Short message service (SMS)

- Text messaging
  - Login factor can be sent via SMS to a predefined phone number

- Input the SMS code into the login

- Security issues exist: a phone number can be reassigned, SMS can be intercepted

# Push notification

- Similar process to an SMS notification
  - Usually on a mobile device

- Security challenges
  - Application can be vulnerable

# Authentication apps

- Carry around a physical hardware token generator, or use a software-based token generator on your phone

# TOTP

- Time-based One-Time Password algorithm

- Secret key is configured ahead of time

- Timestamp usually increments every 30 seconds

# HOTP

- HMAC-based One-Time Password algorithm
  - Token-based authentication; the hash is different every time

# Phone call

- A voice call provides the token
  - The voice will tell you the code

- A phone call can be intercepted or forwarded
# Static codes

- Authentication factors that don't change
  - Personal Identification Number (PIN)

- Can also be alphanumeric, a passphrase

# Smart cards

- Integrated circuit card
  - Common on credit cards but also used for identities

- Multiple factors: use the card with a PIN or fingerprint

# Biometric factors (something you are)

- Examples of something you are
  - Fingerprint scanner: phones, laptops, door access
  - Retinal scanner: unique capillary structure in the back of the eye
  - Iris scanner: texture, color
  - Voice recognition: talk for access
  - Facial recognition: the shape of the face and its features

- Gait analysis
  - Identify a person based on how they walk

- Veins
  - Vascular scanners; match the surface of the skin

# Biometric acceptance rates

- False acceptance rate (FAR)
  - Likelihood that an unauthorized user will be accepted; not sensitive enough

- False rejection rate (FRR)
  - Likelihood that an authorized user will be rejected

- Crossover error rate (CER)
  - Defines the overall accuracy of a biometric system

# AAA framework (Authentication, Authorization, and Accounting)

- Identification
  - This is who you claim to be; can be your user name

- Authentication
  - Who you say you are
  - Password and other authentication factors

- Authorization
  - Based on your identification and authentication

- Accounting
  - Resources used, login time, data sent, logout time
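As an added example that is not part of these notes, FAR, FRR and CER from the biometric acceptance rates section above computed over constructed matcher scores. It shows how a lax threshold (not sensitive enough) drives FAR up, a strict one drives FRR up, and where the two cross. The score lists and the function names are assumptions made for the illustration:

```python
from typing import List, Tuple

# Constructed matcher scores in 0..1 (higher = better match); not real biometric data.
# GENUINE: legitimate users matched against their own templates.
# IMPOSTOR: other people matched against those same templates.
GENUINE = [0.92, 0.88, 0.95, 0.81, 0.76, 0.90, 0.85, 0.70, 0.97, 0.83]
IMPOSTOR = [0.40, 0.55, 0.62, 0.30, 0.72, 0.48, 0.66, 0.35, 0.58, 0.78]


def far_frr_at(threshold: float, genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """A score >= threshold is accepted.
    FAR = impostors accepted / impostor attempts; FRR = genuine users rejected / genuine attempts."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def tradeoff_table(genuine: List[float], impostor: List[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for every observed score used as a threshold; the curve
    a vendor's detection error trade-off plot is drawn from."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, *far_frr_at(t, genuine, impostor)) for t in thresholds]


def crossover_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float, float]:
    """Return (threshold, FAR, FRR) at the point where FAR and FRR are closest to
    equal: the CER, the single-number accuracy figure the notes refer to."""
    best = None
    for threshold, far, frr in tradeoff_table(genuine, impostor):
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, threshold, far, frr)
    return best[1], best[2], best[3]
```

A lower CER means a better system, but the operating threshold is still a policy choice: a door to a server room is usually tuned for low FAR and accepts a higher FRR, a phone unlock the other way round.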
Cloud-based security, 230 | 231 | - centralized platoform 232 | 233 | - centralized platform 234 | 235 | - Automation options with API integration 236 | 237 | 238 | 239 | - On-premises 240 | 241 | - authentication system, 242 | 243 | - Internal moniotring and management 244 | 245 | 246 | 247 | # Factors 248 | 249 | - Something you know 250 | 251 | - Something you have 252 | 253 | - Something you are 254 | 255 | 256 | 257 | # Attributes 258 | 259 | - Somewhere you are 260 | 261 | - Something you can do 262 | 263 | - Something you exhibit 264 | 265 | - Someone you know 266 | 267 | 268 | 269 | # Something you know 270 | 271 | - It is in your brain, password, 272 | 273 | - PIN and patterns, Not written down, it is in your brain 274 | 275 | 276 | 277 | # Something you have 278 | 279 | - Smart card, integrates with devices. It has a PIN. May require a pin 280 | 281 | 282 | 283 | - USB token, A certificate is on the USB device 284 | 285 | 286 | 287 | - Hardware or software tokens, Generates pseudo-random authentication codes 288 | 289 | 290 | 291 | - Your phone, an SMS you have 292 | 293 | 294 | 295 | # Something you are 296 | 297 | - Biometric authentication, fingerprint, iris scan, voice print 298 | 299 | 300 | 301 | - Difficult to change, you cant change your password, Not foolproof 302 | 303 | 304 | 305 | # Somewhere you are 306 | 307 | - Provide a factor based on your location 308 | 309 | 310 | 311 | - IP address, not perfect, but can help provide more info 312 | 313 | 314 | 315 | - Mobile device location services 316 | 317 | 318 | 319 | # Something you can do 320 | 321 | - A personal way of doing things, Handwriting analysis 322 | 323 | 324 | 325 | - very similar to biometrics, close but not quite 326 | 327 | 328 | 329 | # Someone you know 330 | 331 | - A social factor 332 | 333 | 334 | 335 | - web of trust 336 | 337 | 338 | 339 | - Digital signature 340 | 341 | -------------------------------------------------------------------------------- /Security+/2. 
Architecture and Design/2.5 implement cybersecurity resilience. .md: -------------------------------------------------------------------------------- 1 | # Redundancy 2 | 3 | - Duplicate parts of a system, If a part fails, the redundant part can be used 4 | 5 | - Maintain uptime, No software available 6 | 7 | - No system failure 8 | 9 | 10 | 11 | # Geograpgical Dispersal 12 | 13 | - Bad things can happen in a local area; Hurricanes, tornadoes, flooding 14 | 15 | - Disperse technologies to different geographies 16 | 17 | - Data centers might be part of normal operations 18 | 19 | 20 | 21 | # Disk redundancy 22 | 23 | - Multipath I/O (input/output) 24 | 25 | - Multiple drives create redundancy 26 | 27 | 28 | 29 | - Raid ( Redundant Array of Independent Disks ) 30 | 31 | - Level 1 - Mirroring means that data is written to two disks simultaneously, providing redundancy (if one disk fails, there is a copy of data on the other). The main drawback is that storage efficiency is only 50%. 32 | 33 | - Level 5 - Striping with parity means that data is written across three or more disks, but additional information (parity) is calculated. This allows the volume to continue if one disk is lost. This solution has better storage efficiency than RAID 1. 34 | 35 | - Level 6 - 36 | 37 | Double parity, or level 5 with an additional parity stripe, allows the volume to continue when two devices have been lost. 
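A small simulation of the RAID 5 (single XOR parity) and RAID 6 (double parity) reconstruction described above, written for these notes as an added example rather than taken from them. The field arithmetic follows the GF(2^8) polynomial used by Linux md raid6, the disk contents are constructed sample bytes, and a failed disk is modelled as `None`.

```python
from typing import List, Optional

POLY = 0x11D  # x^8 + x^4 + x^3 + x^2 + 1, the GF(2^8) polynomial Linux md raid6 uses
GEN = 2       # the Q parity coefficient for data disk i is GEN ** i


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8), reducing modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_pow(a: int, n: int) -> int:
    r = 1
    for _ in range(n):
        r = gf_mul(r, a)
    return r


def gf_inv(a: int) -> int:
    return gf_pow(a, 254)  # a^254 == a^-1 because the multiplicative group has order 255


def xor_bytes(*blocks: bytes) -> bytes:
    """XOR equal-length blocks together (addition in GF(2^8) is XOR)."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, x in enumerate(b):
            out[i] ^= x
    return bytes(out)


def scale(block: bytes, coef: int) -> bytes:
    return bytes(gf_mul(coef, x) for x in block)


def p_parity(data: List[bytes]) -> bytes:
    return xor_bytes(*data)  # RAID 5 parity: plain XOR of every data block


def q_parity(data: List[bytes]) -> bytes:
    return xor_bytes(*(scale(d, gf_pow(GEN, i)) for i, d in enumerate(data)))


def raid5_stripe(data: List[bytes]) -> List[bytes]:
    """One stripe: the data blocks followed by P, one block per disk."""
    return list(data) + [p_parity(data)]


def raid6_stripe(data: List[bytes]) -> List[bytes]:
    """One stripe: the data blocks followed by P and Q."""
    return list(data) + [p_parity(data), q_parity(data)]


def recover_raid5(disks: List[Optional[bytes]]) -> List[bytes]:
    """Rebuild a RAID 5 stripe with at most one missing disk (data or P)."""
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) > 1:
        raise ValueError("RAID 5 cannot survive more than one failed disk")
    out = list(disks)
    if missing:  # any single block is the XOR of all the surviving ones
        out[missing[0]] = xor_bytes(*(d for d in disks if d is not None))
    return out


def recover_raid6(disks: List[Optional[bytes]]) -> List[bytes]:
    """Rebuild a RAID 6 stripe with at most two missing disks."""
    n = len(disks) - 2               # data disks are 0..n-1, then P, then Q
    p_idx, q_idx = n, n + 1
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) > 2:
        raise ValueError("RAID 6 cannot survive more than two failed disks")
    out = list(disks)
    lost = [i for i in missing if i < n]
    kept = [i for i in range(n) if i not in lost]
    if len(lost) == 2:               # P and Q both survive: two equations, two unknowns
        x, y = lost
        pp = xor_bytes(out[p_idx], *(out[i] for i in kept))                          # D_x ^ D_y
        qq = xor_bytes(out[q_idx], *(scale(out[i], gf_pow(GEN, i)) for i in kept))  # g^x D_x ^ g^y D_y
        coef = gf_inv(gf_pow(GEN, x) ^ gf_pow(GEN, y))
        out[x] = scale(xor_bytes(scale(pp, gf_pow(GEN, y)), qq), coef)
        out[y] = xor_bytes(pp, out[x])
    elif len(lost) == 1:
        x = lost[0]
        if out[p_idx] is not None:   # cheap path: plain XOR, exactly as RAID 5 would do
            out[x] = xor_bytes(out[p_idx], *(out[i] for i in kept))
        else:                        # P is lost as well, so solve from Q alone
            qq = xor_bytes(out[q_idx], *(scale(out[i], gf_pow(GEN, i)) for i in kept))
            out[x] = scale(qq, gf_inv(gf_pow(GEN, x)))
    if out[p_idx] is None:
        out[p_idx] = p_parity(out[:n])
    if out[q_idx] is None:
        out[q_idx] = q_parity(out[:n])
    return out


def demo() -> bool:
    """Constructed stripe of three data blocks; lose two data disks and rebuild."""
    stripe = raid6_stripe([b"SECURITY", b"PLUS NOT", b"ES RAID6"])
    return recover_raid6([None, None] + stripe[2:]) == stripe
```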
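For the biometric acceptance rates (FAR, FRR and CER) in the 2.4 notes above, an added worked example that is not part of the original notes: the match scores are constructed, a sample is accepted when its score meets the threshold, and the threshold is swept to find where FAR equals FRR.

```python
from typing import List, Tuple

# Constructed similarity scores in [0, 1] returned by a hypothetical matcher:
# attempts by enrolled users, and attempts by impostors claiming their identity.
GENUINE = [0.95, 0.92, 0.90, 0.88, 0.85, 0.80, 0.75, 0.70, 0.60, 0.55]
IMPOSTOR = [0.20, 0.30, 0.35, 0.40, 0.45, 0.50, 0.58, 0.65, 0.72, 0.78]


def false_acceptance_rate(impostor: List[float], threshold: float) -> float:
    """FAR: share of impostor attempts the system accepts at this threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def false_rejection_rate(genuine: List[float], threshold: float) -> float:
    """FRR: share of genuine attempts the system rejects at this threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def evaluate(genuine: List[float], impostor: List[float],
             threshold: float) -> Tuple[float, float]:
    """(FAR, FRR) for one threshold: lowering it raises FAR, raising it raises FRR."""
    return (false_acceptance_rate(impostor, threshold),
            false_rejection_rate(genuine, threshold))


def crossover_error_rate(genuine: List[float],
                         impostor: List[float]) -> Tuple[float, float, float]:
    """Sweep every observed score as a candidate threshold and return
    (threshold, FAR, FRR) at the point where the two rates are closest;
    the rate at that point is the CER used to compare biometric systems."""
    best = None
    for t in sorted(set(genuine + impostor)):
        far, frr = evaluate(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def sweep(genuine: List[float], impostor: List[float]) -> List[Tuple[float, float, float]]:
    """Full (threshold, FAR, FRR) table, handy for plotting the trade-off curve."""
    return [(t, *evaluate(genuine, impostor, t)) for t in sorted(set(genuine + impostor))]
```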
# Load balancing

- Some servers are active, others are on standby
- If an active server fails, the passive server takes its place

# NIC teaming

- Load Balancing / failover (LBFO)
  - Aggregate bandwidth, redundant paths
- Multiple network adapters look like a single adapter
- NICs talk to each other, usually multicast instead of broadcast

# UPS

- Uninterruptible power supply; short-term backup power
- Blackouts, brownouts, surges
- UPS types; offline/standby UPS, line-interactive UPS, on-line double-conversion UPS

# Generators

- Long-term power backup; fuel storage requirement, can power an entire building
- It will take a few minutes for the generator to get up to speed

# Dual power supplies

- Redundancy, internal power supplies
- Each power supply can handle 100% of the load

# Power distribution units (PDUs)

- Provide multiple power outlets, usually in a rack
- Often include monitoring and control

# SAN replication

- Share data between different devices; if one device fails, you can still work with the data
- Storage area network (SAN), specialized high-performance network of storage devices
- SAN-to-SAN, duplicate data from one data center to another
- SAN snapshot, create a state of data based on a point in time

# VM replication

- Virtual machine redundancy, maintain one VM, replicate to all others
- Consistent service offering
- Recover from a replicated copy

# On premises vs. cloud redundancy

- Speed, local devices are connected over a very fast network
- Cloud connection is almost always slower
- Purchasing your own storage is an expensive capital investment
- Local data is private, data stored in the cloud requires additional security controls

# Incremental backup

- A full backup is taken first
- Subsequent backups contain data changed since the last full backup

![image](https://user-images.githubusercontent.com/81980702/119596204-5ac3ce00-bda4-11eb-8e13-fab76035875b.png)

# Differential backup

- A full backup is taken first
- Subsequent backups contain data changed since the last full backup

![image](https://user-images.githubusercontent.com/81980702/119596313-8a72d600-bda4-11eb-8470-dc1deb95e4db.png)

# Backup media

- Magnetic tape, 100 GB to multiple terabytes per cartridge
- Disk, faster than magnetic tape, deduplicate and compress
- Copy, a useful strategy, may not include versioning

# NAS vs. SAN

- Network Attached Storage
  - File-level access
- Storage Area Network
  - Looks and feels like local storage

# Cloud

- Backup to a remote device in the cloud
- Supports many devices, may be limited by bandwidth
- Capture an exact replica of everything on a storage drive
- Restore everything on a partition

# Offline backup

- Backup to local devices
- Fast and secure

# Online backup

- Remote network connected
- Encrypted

# Non-persistence

- The cloud is always in motion, application instances are built and torn down
- Snapshots can capture the current configuration and data
- Revert to a known state
- Rollback to a known configuration, don't modify the data but use a previous configuration
- Live boot media

# High availability

- Redundancy doesn't always mean available
- High availability is always on, multiple components working together
- Active/Active can provide scalability advantages
- Higher availability almost always means higher cost

# Order of restoration

- Application-specific, certain components may need to be restored first
- Databases should be restored before the application

# Diversity

- A zero-day OS vulnerability can cause significant outages
- Multiple security devices, a firewall and an IPS
- Vendors, a single vendor can become a disadvantage, multiple are recommended
- Cryptographic, all cryptography is temporary, diverse certificate authorities can provide additional protection
- Controls, administrative controls, physical controls, technical controls, combine them together

--------------------------------------------------------------------------------
/Security+/2. Architecture and Design/2.3 secure application development, deployment, and automation concepts.md:
--------------------------------------------------------------------------------
# Development to production

- How will you deploy it safely and make it reliable
- Have a schedule of when the application will be deployed
  - Patch Tuesday, test and deploy Wednesday, or some set day
- Manage the process, safely move from a non-production phase to full production

# Sandboxing

- Isolated testing environment
  - No connection to the real world or production system
- Try some code, break some code, nobody gets hurt
- Incremental development

# Development

- Secure environment
- Writing code
- Developers test in their sandboxes

# Test

- Still in the development stage
- All of the pieces are put together

# Verifying the application

- There is a QA (Quality Assurance) team
  - Verifies features are working as expected
- Staging; almost ready to roll out, more tests
  - Working with a copy of production data; run performance tests

# Using the application

- When the application is live, it is rolled out to the user community
- A challenging step, impacts users
- Logistical challenges
  - New servers
  - New software
  - Restart or interrupt service

# Secure baselines

- All application instances must follow this baseline
  - Firewall settings
  - Patch levels
  - OS file versions
- Find immediate corrections

# Provisioning

- The process of deploying an application to the target environment such as an enterprise, desktop, mobile devices, or the cloud
- Application software security, operating system
- Network security, VLAN, internet access, external access

# Scalability and elasticity

- Make sure the application can handle the application workload
- Scalability, the ability to increase the workload in a given infrastructure
- Build an application instance that can handle 100,000 transactions per second

# Orchestration

- Automation is the key to cloud computing, services appear and disappear automatically
- Entire application instances can be instantly provisioned, all servers, networks, switches, firewalls, and policies

# Deprovisioning

- Dismantling and removing an application instance
- Security deprovisioning is important
  - Firewall policies must be reverted

# Secure coding concepts

- A balance between time and quality
- Testing, testing, testing, the QA process

# Stored procedures

- SQL databases
  - Client requests can be complex
- Stored procedures limit the client interactions
- Allows the user to not make any outside database calls

# Obfuscation/camouflage

- Make something normally understandable very difficult to understand
- Only helps prevent the search by humans, scripts can still find the vulnerability

# Code reuse/dead code

- Code reuse, copy and paste
- If the old code has security vulnerabilities, reusing the code spreads them to other applications

# Input validation

- What is the expected input, validate actual vs. expected
- Steps to stop unwanted inputs
  - Document all input methods
  - Check and correct all input (normalization)
  - Check and correct all input, a zip code should be only X characters
- Fix any data with improper input
- Using fuzzers will find what you missed

# Validation points

- Server-side validation
  - Checks occur on the server
  - Helps protect against malicious users
- Client-side validation
  - The end user's app makes the validation decisions
  - Can filter legitimate input from genuine users

# Memory management

- As a developer, you must be mindful of how memory is used
- Never trust data input, a malicious user can attempt to circumvent your code
- **Example** - Buffer overflows

# Third-party libraries and SDKs

- Your programming language does everything
- Third-party libraries and software development kits (SDKs)
- There is a security risk, it was written by someone else

# Data exposure

- So much sensitive data, credit card numbers, social security numbers, medical information
- Know how the application is handling data, encryption and other information
- All input and output processes are important

# Version Control

- Create a file, make a change, make another change
- Commonly used in software development
- Useful for security

# Exploiting an application

- Attackers often exploit application vulnerabilities
- Once you exploit one binary, you can exploit them all

# Software diversity

- Alternative compiler paths would result in a different binary each time
- An attack against different binaries would only be successful on a fraction of the users

# Automation and scripting

- Plan for change, implement automatically
- Automated courses of action, many problems can be predicted
  - Continuous monitoring
  - Configuration validation

# Continuous integration

- Code is constantly written
  - Chances for security problems
- Basic set of security checks during development
- Even more security checks

# Continuous delivery/deployment

1. Automate the testing process
2. Automate the release process
3. Click a button and deploy the application
4. Continuous deployment

--------------------------------------------------------------------------------
/Security+/2. Architecture and Design/2.7 Explain the importance of physical security controls.md:
--------------------------------------------------------------------------------
# Barricades / bollards

- Prevent access, there are limits to the prevention
- Channel people through a specific access point
- Identify safety concerns
- Can be used to an extreme

# Access control vestibules

- Opening one door causes others to lock
  - All doors are normally locked, unlocking one door prevents others from being unlocked
- One door open/other locked
- One at a time, controlled groups

# Alarms

- Circuit based, the circuit is opened or closed
  - Door, window, fence
  - Useful on the perimeter
- Motion detection, radio frequencies
- Duress, triggered by a person

# Signs

- Clear and specific instructions
- Keep people away from restricted areas

# Video surveillance

- CCTV (Closed-circuit television)
- Camera features are important
- Motion recognition can alarm and alert when something moves
- Often many different cameras

# Industrial camouflage

- Conceal an important facility in plain sight
- Protect a data center, no business signs, no visual clues, surround it with a water feature

# Guards and access lists

- Security guard, physical protection at the reception area of a facility
- ID badge, picture, name, and other details
  - Must be worn at all times

# Guards

- Two-person integrity/control
  - Minimize exposure to an attack
  - No single person has access to a physical asset
- Robot sentries, monitoring, rounds/periodic checks

# Biometrics

- Biometric authentication, fingerprint, retina, voiceprint
  - Usually stores a mathematical representation of your biometric
- Difficult to change
- Used in very specific situations

# Door access controls

- Conventional
  - Deadbolt
- Electronic
- Token-based

# Cable locks

- Temporary security, connect your hardware
- Cable works almost anywhere
- Most devices have a standard connector

# USB data blocker

- Don't connect unknown USB interfaces
- Use a USB data blocker, allow voltage and reject data
- Use your power adapter, avoid the issue entirely

# Proper lighting

- More light means more security
- Specialized design

# Fencing

- Build a perimeter
- Transparent or opaque, see through the fence (or not)
- Robust, difficult to cut the fence
- Prevent climbing

# Fire suppression

- Electronics require unique responses to fire
- Detection, smoke detector, flame detector, heat detector
- Suppress with water

# Sensors

- Motion detection
  - Identify movement in an area
- Noise detection
  - Recognize an increase in sound
- Proximity reader
  - Commonly used with electronic doors
- Moisture detection

# Drones

- Quickly cover large areas
- More than physical security
- Site survey or damage assessments

# Faraday cage

- Blocks electromagnetic fields
- A mesh of conductive material
- Not a comprehensive solution

# Screened subnet

- Formerly known as a demilitarized zone (DMZ)
- An additional layer of security between the internet and the internal network

![image](https://user-images.githubusercontent.com/81980702/120240336-ef578180-c225-11eb-8edb-e3661f9ec2e1.png)

> A screened host

# Protected distribution

- Protected Distribution System (PDS)
- Protect your cables and fibers
- Prevent cable and fiber taps

# Secure areas

- Physically secure the data, as important as the digital security
- An important part of a security policy
- Secure active operations
- Secure offline data

# Air gap

- Physical separation between networks
- Most environments are shared, shared routers, switches, firewalls
- Specialized networks require an air gap, stock market, SCADA, airplanes, nuclear power plants

# Vaults and safes

- A secure reinforced room
- Store backup media
- Protect from disaster or theft

# Hot and cold aisles

- Data centers, lots and lots of equipment
- Optimize cooling, keep components at optimal temperatures
- Conserve energy, data centers are usually very large rooms, focus the cooling

![image](https://user-images.githubusercontent.com/81980702/120240513-56753600-c226-11eb-9444-6f85cc4319ae.png)

> Visual of aisles

# Data destruction and media sanitization

- Disposal becomes a legal issue, some information must not be destroyed
- Consider offsite storage

# Protect your rubbish

- Secure your garbage, fence and lock it
- Shred your documents, this will only go so far
- Burn documents, no going back
- Pulp the paper, large tank washing to remove ink

# Physical destruction

- Heavy machinery
- Drill/hammer, quick and easy
- Electromagnetic (degaussing)
- Can also burn digital media

# Certificate of destruction

- Destruction is often done by a third party
- The third party confirms that the media was destroyed, a paper trail for the destruction

# Sanitizing media

- Purge data, remove it from an existing datastore
  - Delete some of the data from a database
- Wipe data, unrecoverable removal of data

# Data security

- UK National Health Service, a third party sold data instead of destroying it

--------------------------------------------------------------------------------
/Security+/4. Operations and Incident Response/4.3 Given an incident, utilize appropriate data sources to support an investigation.md:
--------------------------------------------------------------------------------
# Identify vulnerability

- The scanner looks for everything
  - The signatures are the key
- The vulnerabilities can be cross-referenced online
  - National Vulnerability Database - nvd.nist.gov
  - Microsoft Security Bulletins
- Some vulnerabilities cannot be definitively identified

# Vulnerability scan results

- Lack of security controls
  - No firewall
  - No anti-virus
  - No anti-spyware
- Misconfigurations
  - Open shares
  - Guest access
- Real vulnerabilities
  - Especially newer ones

# Dealing with false positives

- False positives
  - A vulnerability is identified that doesn't really exist
- This is different than a low-severity vulnerability
- False negatives
  - A vulnerability exists, it wasn't detected
- Update to the latest signatures to get rid of a false signature

# SIEM

- Security information and event management
  - Logging of security events and information
- Security alerts
  - Real-time information
- Log aggregation and long-term storage
- Data correlation
  - Link diverse types
- Forensic analysis

# Getting the data

- Sensors and logs
  - Operating systems
  - Infrastructure devices
  - NetFlow sensors
- Sensitivity settings
  - Easy to be overwhelmed with data
  - Informational, Warning, Urgent

# Viewing the data
- Trends
  - Identify changes over time
  - Easily view constant attack machines
- Alerts
  - Identify a security event
  - View raw data
- Correlation
  - View data in different ways

# Network log files

- Switches, routers, access points, VPN concentrators
- Network changes
  - Routing updates
  - Authentication issues
  - Network security issues

# System log files

- Operating system information
  - Extensive logs
  - File system information
  - Authentication details
- Can also include security events
  - Brute force, file changes
- May require filtering

# Application log files

- Specific to the application
  - Information varies widely
- Windows
  - Event Viewer / application log
- Linux / macOS
  - /var/log
- Parse the log details on the SIEM
  - Filter out unneeded information

# Security log files

- Detailed security-related information
  - Blocked and allowed traffic
  - Exploit attempts
  - Blocked URL categories
  - DNS sinkhole
- Security devices
  - IPS, firewall, proxy
- Critical security information

# Web log files

- Web server access
  - IP address, web page URL
- Access errors
  - Unauthorized or non-existent folders/files
  - Exploit attempts
- Server activity

# DNS log files

- View lookup requests
  - And other DNS queries
- IP address of the request
  - Identify queries to known bad URLs
- Block or modify known bad requests at the DNS server

# Authentication log files

- Know who logged in
  - Account names
  - Source IP address
  - Authentication method
  - Success and failure reports
- Identify multiple failures
- Correlate with other events

# Dump files

- Store all contents of memory into a diagnostic file
  - Developers can use this info
- Easy to create from the Windows Task Manager
- Some applications have their own dump file process

# VoIP and call manager logs

- View inbound and outbound call info
  - Endpoint details
  - Gateway communication
- Security information
  - Authentications
  - Audit trails
- SIP traffic logs
  - Session Initiation Protocol

# Syslog

- Standard for message logging
  - Diverse systems create a consolidated log
- Usually a central logging receiver
  - Integrated into the SIEM
- Each log entry is labeled
- Syslog daemon options

# Journalctl

- Linux has a lot of logs
  - The OS, daemons, applications
- System logs are stored in a binary format
- Journalctl provides a method for querying the system journal

# Bandwidth monitors

- The fundamental network statistic
- Many different ways to gather this metric
  - SNMP, NetFlow, sFlow, IPFIX

# Metadata

- Data that describes other data sources
- Email
  - Header details, sending servers, destination address
- Mobile
  - Type of phone, GPS location
- Web
  - Operating system, browser type, IP address
- Files
  - Name, address, phone number, title

# NetFlow

- Gather traffic statistics from all traffic flows
  - Shared communication between devices
- NetFlow
  - Standard collection method
  - Many products and options
- Probe and collector
  - Probe watches network communication
- Usually a separate reporting app

# IPFIX

- IP Flow Information Export
- A newer, NetFlow-based standard

# sFlow

- sFlow (Sampled Flow)
  - Only a portion of the actual network traffic
- Usually embedded in the infrastructure
  - Switches, routers
- Relatively accurate statistics

# Protocol analyzer

- Solve complex application issues
  - Get into the details
- Gather packets on the network
- View detailed traffic information

--------------------------------------------------------------------------------
/Security+/3. Implementation/3.6 apply cybersecurity solutions to the cloud.md:
--------------------------------------------------------------------------------
# HA across zones

- Availability zones
  - Isolated locations within a cloud region
  - AZ commonly spans across multiple regions
- Build applications to be highly available (HA)
  - Run as active/standby or active/active
- Use load balancers to provide seamless HA

# Resource policies

- Identity and access management (IAM)
  - Who gets access
  - What they get access to
- Map job functions to roles
  - Combine users into groups
- Provide access to cloud resources
- Centralize user accounts

# Secrets management

- API keys, passwords, certificates
  - This can quickly become overwhelming and difficult to manage
- Authorize access to the secrets
- Limit access to the secrets

# Integration and auditing

- Integrate security across multiple platforms
- Consolidate log storage and reporting
  - Cloud-based Security Information and Event Management (SIEM)
- Auditing
  - Validate security controls

# Cloud storage

- Data on a public cloud
  - is not public data
- Access can be limited
  - and protected
- Data may be required in different geographical locations
  - A backup is always required
- Availability is always important

# Permissions

- A significant cloud storage concern
  - One permission mistake can cause a data breach
- Public access
  - Should not usually be the default
- Identity and Access Management (IAM)
- Bucket policies
- Globally blocking public access
- Don't put data in the cloud unless it needs to be there

# Encryption

- Cloud data is more accessible than non-cloud data
- Server-side encryption
  - Encrypt the data in the cloud
  - Data is encrypted when stored on disk
- Client-side encryption
  - Data is already encrypted when it's sent to the cloud
  - Performed by the applications

# Replication

- Copy data from one place to another
  - Disaster recovery, high availability
- Data analysis
  - Analytics, big data analysis
- Backups; constant duplication of data

# Cloud networks

- Connect cloud components
- Users communicate to the cloud
  - Over a VPN tunnel
- Cloud devices communicate with each other

# Virtual networks

- A cloud contains virtual devices
- Virtual switches, virtual routers

# Public and private subnets

- Private cloud
  - All internal IP addresses
  - Connect to the private cloud over a VPN
- Public cloud
  - External IP addresses
  - Connect to the cloud from anywhere
- Hybrid cloud
  - Combine internal cloud resources with external

# Segmentation

- The cloud contains separate VPCs, containers, and microservices
- Separation is a security opportunity
- Add security systems between application components

# API inspection and integration

- Microservice architecture is the underlying application change
- API calls can include risk
  - API monitoring

# Compute cloud instances

- The IaaS component for the cloud computing environment
  - Amazon Elastic Compute Cloud (EC2)
  - Google Compute Engine (GCE)
  - Microsoft Azure VM
- Manage computing resources

# Security groups

- A firewall for compute instances
- Layer 4 port number
  - TCP or UDP
- Layer 3 address
  - Individual addresses
  - CIDR block notation

# Dynamic resource allocation

- Provision resources when they are needed
  - Based on demand
  - Provisioned automatically
- Scale up and down
  - Allocate compute resources
  - Rapid elasticity

# Instance awareness

- Granular security controls
- Define and set policies

# Virtual private cloud endpoint

- VPC gateway endpoints
  - Allow private cloud subnets
  - Keep private resources private

# Container Security

- Containers have similar security concerns as any other application deployment method
- Use container-specific operating systems
  - A minimalist OS designed for containers
- Group container types on the same host

# Cloud access security broker (CASB)

- Clients are at work, data is in the cloud
- How do you make your security policies work in the cloud?
- CASB works on multiple characteristics
  - Visibility
  - Compliance
  - Threat prevention
  - Data security

# Application security

- Secure cloud-based applications
  - Complexity increases in the cloud

- Application misconfigurations
  - One of the most common security issues

- Authorization and access
  - Control should be strong

# Next-Gen Secure Web Gateway (SWG)

- Protect users and devices
  - Regardless of location and activity

- Go beyond URLs and GET requests
  - Examine application APIs

- Examine JSON strings and API requests

- Instance-aware security

# Firewalls in the cloud

- Control traffic flows in the cloud
  - Inside the cloud and external

- Cost
  - Relatively inexpensive compared to appliances

- Segmentation
  - Between microservices, VMs, or VPCs

# Security controls

- Integrated and supported by the cloud provider
  - Many configuration options

- Third-party solutions
  - Support across multiple cloud providers
  - Single pane of glass
  - More extensive reporting

/Security+/3. Implementation/3.9 implement public key infrastructure.md:

# Public Key Infrastructure

- Policies, procedures, hardware, software, people
  - Digital certificates

- This is a big, big endeavor

- Also refers to the binding of public keys to people or devices

# The key management lifecycle

- Key generation
  - Create a key with the requested strength

- Certificate generation

- Distribution
  - Make the key available to the user

- Storage
  - Securely store and protect against unauthorized use

- Revocation
  - Manage keys that have been compromised

# Digital certificates

- A public key certificate
  - Binds a public key with a digital signature

- A digital signature adds trust
  - PKI uses a Certificate Authority

- Certificate creation can be built into the OS

# Commercial certificate authorities

- Built in to your browser

- Purchase your web site certificate

- Create a key pair, send the public key to the CA to be signed

- May provide different levels of trust and additional features

# Private certificate authorities

- You are your own CA
  - Built-in CA

- Needed for medium-to-large organizations

# PKI trust relationships

- Single CA
  - Everyone receives their certificates

- Hierarchical

# Registration authority (RA)

- The entity requesting the certificate needs to be verified

- Approval or rejection
  - The foundation of trust in this model
- Responsible for revocations

- Manage renewals and re-key requests

# What is a digital certificate?

![image](https://user-images.githubusercontent.com/81980702/123101666-e8bdc380-d3f9-11eb-8e59-153a84793f15.png)

# Common Name (CN)

- The FQDN (fully qualified domain name) for the certificate

![image](https://user-images.githubusercontent.com/81980702/123101794-0428ce80-d3fa-11eb-944d-2fb6b4343869.png)

- There is a 398-day browser limit

# Key revocation

- Certificate Revocation List (CRL)
  - Maintained by the Certificate Authority
  - Changes all the time

- Example: CVE-2014-0160
  - OpenSSL was patched and every web server certificate was replaced

# Getting revocation details to the browser

- OCSP (Online Certificate Status Protocol)
  - The browser can check certificate revocation

- Not all browsers/apps support OCSP

# Web server SSL certificate

- Domain validation certificate (DV)
  - Owner of the certificate has some control over a DNS domain

- Extended validation certificate (EV)
  - Additional checks have verified the certificate owner's identity.
- Subject alternative name (SAN)
  - Extension to an X.509 certificate
  - Lists additional identification information

- Wildcard domain
  - Certificates based on the name of the server
  - `*` means all server names in a domain

# Code signing certificate

- Developers can provide a level of trust
  - Applications can be signed by the developer

- The user's operating system will examine the signature

# Root certificate

- The public key certificate that identifies the root CA (Certificate Authority)
  - The root certificate issues other certificates

# Self-signed certificates

- Internal certificates don't need to be signed by a public CA
  - Your company is the only one going to use it

- Build your own CA

# Machine and computer certificates

- You have to manage many devices

- Other business processes rely on the certificate

# Email certificate

- Use cryptography in an email platform

- Encrypting emails
  - Use the recipient's public key

- Receiving encrypted emails
  - Use your private key to decrypt

# User certificate

- Associate a certificate with a user
  - A powerful electronic ID card

# Certificate file formats

- X.509 digital certificates
  - The structure of the certificate is standardized

- There are many certificate file formats
  - You can convert between different formats

# DER (Distinguished Encoding Rules)

- Format designed as a transfer syntax for data structures
- Used for Java

# PEM (Privacy-Enhanced Mail)

![image](https://user-images.githubusercontent.com/81980702/123103994-27ed1400-d3fc-11eb-8441-067e600d2b39.png)

- ASCII format
  - Letters and numbers
  - Easy to email
  - Readable

# PKCS #12

- Public Key Cryptography Standards #12

- Personal Information Exchange Syntax Standard

# CER (Certificate)

- Primarily a Windows X.509 file extension

- Contains a public key

- Common format for Windows certificates

# PKCS #7

- Public Key Cryptography Standards #7

- Cryptographic message syntax

# Online and offline CAs

- A compromised certificate authority
  - No certificates issued by that CA can be trusted

- Distribute the load
  - Take the CA offline and protect it

# OCSP stapling

- Online Certificate Status Protocol
  - Provides scalability for OCSP checks

- The CA is responsible for responding to all client OCSP requests

- Instead, have certificate holders verify their own status

# Pinning

- You are communicating over TLS/SSL to a server

- Pin the expected certificate or public key to an application

# PKI trust relationships

- Single CA
  - Everyone receives their certificates from one authority

- Hierarchical
  - Single CA issues certs to intermediate CAs

- Mesh
  - Cross-certifying CAs

- Web of trust
![image](https://user-images.githubusercontent.com/81980702/123105362-5c150480-d3fd-11eb-8b90-33caa9fe4ed6.png)

# Key escrow

- Someone else holds your decryption keys
  - A third party has it

- Need clear processes and procedures
  - You must be able to trust your 3rd-party keys

# Certificate chaining

- Chain of trust
  - List all of the certs between the server and root CA

- The chain starts with the SSL certificate

- The web server needs to be configured with the proper chain

/Security+/1. Attacks, Threats, and Vulnerabilities/1.4 Network Attacks.md:

# Rogue access point

- A point that has been installed on the network without authorization, whether with malicious intent or not.
- It detects rogue WAPs
- An unauthorized WAP creates a backdoor to attack a network

# Evil twins

- A wireless access point that deceives users into believing that it is a legitimate network access point
- It is a WAP masquerading as a legitimate one

# Bluejacking

- Sending of unsolicited messages to another device via Bluetooth
- Typical functional distance is about 10 meters
- Personal Area Networks (PANs)

# Bluesnarfing

- A wireless attack where an attacker gains access to unauthorized information on a device using a Bluetooth connection.
- First major security weakness in Bluetooth
- Even a PIN can be brute-forced
- Older devices that have access to Bluetooth can be vulnerable

# Wireless disassociation

- The network keeps on disappearing; you are not able to stop it
- Wireless deauthentication; denial of service attack

- **Example** - 802.11 management frames allow you to find access points and manage QoS.

# Wireless jamming

- Many different types: constant random bits, constant legitimate frames
- Sent at random times, and reactive jamming when someone tries to communicate
- Needs to be somewhere close

# Radio frequency (RF) jamming

- Denial of service attack
- Decreases the signal-to-noise ratio at the receiving device
- Sometimes it is not intentional, but it can be intentional

# Radio-frequency identification (RFID)

- They are everywhere; they are used anywhere to track
- Radar technology; no battery
- RFID attacks can involve data capture, spoofing the reader, denial of service, and decrypting communication

# Near field communication (NFC)

- Two-way wireless communication
  - Payment systems
  - Bootstrap for other wireless; a token

- **Examples** - Remote capture, frequency jamming, relay (on-path attack)

# Initialization vector

- An input to a cryptographic primitive being used to provide the initial state.

- Attack on a wireless network that modifies the IV of an encrypted packet. The attacker can learn the plaintext of one packet and then compute the RC4 key.
# MAC address

- The physical address of a network adapter
  - 48 bits / 6 bytes long

- **Example** 8c:2d:aa:4b:98:a7
  - 8c:2d:aa = Manufacturer model number
  - 4b:98:a7 = Serial number (specific to the address)

- LAN switching
  - Forward or drop frames based on the MAC address
  - Gather a list of MAC addresses

- Maintains a loop-free environment (using Spanning Tree Protocol)

- The source MAC address and destination MAC address get sent to the switch
  - The switch makes a table of MAC addresses which directs traffic

- MAC flooding
  - A variation of an ARP poisoning attack where a switch's cache table is inundated with frames from random source MAC addresses
  - The MAC table is only so big

- Attackers send frames to the MAC table and fill it up, which turns the switch into a hub. All network traffic can then be captured by the attacker.
![image](https://user-images.githubusercontent.com/81980702/120088435-142ce700-c0b6-11eb-9221-0e2f732195e7.png)

> Picture of ARP flooding

# MAC cloning

- Attacker modifies the MAC address to match the MAC address of the legitimate device
- Creates a DoS; disrupts communication to the legitimate MAC
- Manipulated through software

# Address Resolution Protocol (ARP) poisoning

- ARP stands for Address Resolution Protocol
- A network-based attack where an attacker with access to the target local network segment redirects an IP address to the MAC address of a computer that is not the intended recipient

- On-path attack that can receive data from two different computers

# DNS poisoning (spoofing)

- A network-based attack where an attacker exploits the traditionally open nature of the DNS system to redirect a domain name to an IP address of the attacker's choosing
- Modify the information in a DNS server
- Modify the client hosts file
- Send a fake response to a valid DNS request

# Domain hijacking

- Get access to the domain registration and you have control of where the traffic flows
- Brute force is used; social engineering the password gains access to the email address

- **Example** - The domain change at a Brazilian bank left the hacker in control for 6 hours. The bank had 5 million customers and 27 billion in assets.

# Universal resource locator (URL) redirection

- Unique identifier used to locate a resource on the internet. It is also referred to as a web address
- Hacker redirects the URL to a malicious website

# Domain reputation

- If a domain or email servers have been hijacked, they are likely used for spam or distributing malware.
- The domain could then be put on a block list.

- Concept wherein a domain reputation API or a similar program is able to assess the reputation of a domain or IP address using a set of data resources.
- It is used to accept and reject connections.

# Distributed denial-of-service (DDoS)

- Packets can be sent causing the network to stop working
- Force a server to stop working
- Takes a design failure or vulnerability
- Can be caused for a competitive advantage
- Can be used to create a spoofing attack
- Can be created by accident; a loop or even downloading a big file
- Can be caused with botnets

- Application DoS
  - Makes the application break or work harder by overflowing it with packets
  - A zip bomb can be used in an application DoS, even against cloud-based services

- **Operational Technology (OT) DoS**
  - The hardware and software for industrial equipment

- **Example** - A power grid can stop operating, and traffic lights can all turn green, which is hazardous

# Malicious scripts

- Automate tasks, and they have a lot of speed

- **PowerShell**
  - .ps1 file extension
  - Extends command line functions
  - Attacks Windows OS

- **Python**
  - General-purpose scripting language
  - Popular in a lot of tech and used for cloud orchestration
  - Attacks infrastructure: routers, switches, and servers

- **Shell script**
  - Automate and extend the command line
  - Starts with a shebang
  - Attacks Linux/Unix environments
  - Controls the OS on the command line

- **Macros**
  - Automate functions inside an application
  - Attackers create exploits that execute with macros

- **Visual Basic for Applications**
  - Automates processes in a Windows application
  - Code can be run through these processes; very vulnerable.

/Security+/3. Implementation/3.8 implement authentication and authorization solutions..md:

# Password keys

- Hardware-based authentication
  - Something you have

- Help prevent unauthorized logins and account takeover

- Doesn't replace other factors
  - Passwords are still important

# Password vaults

- Password managers
  - All passwords are behind one password
  - A database of credentials

- Secure storage
  - All credentials are encrypted

- Create unique passwords
  - Passwords are not the same across sites

# Trusted Platform Module (TPM)

- A specification for cryptographic functions
  - Hardware to help with all of the encryption

- Cryptographic processor
  - Random number generator

- Persistent memory
  - Comes with unique keys burned in during production

- Versatile memory
  - Password protected

# Hardware security module (HSM)

- High-end cryptographic hardware
  - Plug-in card or separate hardware device
  - Key backup
  - Secured storage

- Cryptographic accelerators

- Used in large environments

# Knowledge-based authentication (KBA)

- Use personal knowledge as an authentication factor
  - Something you know

- Static KBA
  - Pre-configured shared secrets
  - Often used with account recovery
  - Example: what was the make and model of your first car?

- Dynamic KBA

# Gaining access

- An outside user tries to gain access to a firewall/VPN concentrator
- The VPN and firewall send information to the AAA server to see if it is valid
- It is then sent on to the file server

# PAP

- (Password Authentication Protocol)
  - A basic authentication method
  - Used in legacy operating systems

- PAP is in the clear
  - Non-encrypted password exchange

# CHAP

- Challenge-Handshake Authentication Protocol
  - Encrypted challenge sent over the network

- Three-way handshake
  - Server compares the received hash

# MS-CHAP

- Microsoft implementation of CHAP

- Uses DES
  - Easy to brute force
  - Do not use this
  - We use L2TP, IPsec, 802.1X

# RADIUS

- (Remote Authentication Dial-in User Service)
  - One of the more common AAA protocols

- Centralize authentication for users

# TACACS

- Terminal Access Controller Access-Control System
  - Remote authentication protocol

- XTACACS

- TACACS+

# Kerberos

- Network authentication protocol
  - Authenticate once, trusted by the system
  - No need to re-authenticate everything

- Microsoft started in 2000

# SSO with Kerberos

- Authenticate one time
  - Lots of backend ticketing
  - Cryptographic tickets

- No constant username and password input
  - Only works with Kerberos

- There are other SSO methods

# RADIUS, TACACS+, Kerberos

- Three different ways to communicate to an authentication server

- Often determined by what is at hand
  - VPN concentrator can talk to a RADIUS server

- TACACS+
  - A Cisco device

- Kerberos
  - Windows

# IEEE 802.1X

- Port-based Network Access Control (NAC)

- EAP integrated with 802.1X

- Used in conjunction with an access database

# Federation

- Provide network access to others
  - Not just employees: partners, suppliers, customers, etc.
- Third parties can establish a federated network

- Third party must establish a trust

# Security Assertion Markup Language (SAML)

- Open standard for authentication and authorization

- You can authenticate through a third party to gain access

- Not originally designed for mobile apps

# The SAML authentication flow

- Resource server, client browser, the authorization server

# OAuth

- Authorization framework
  - Determines what resources a user will be able to access

- Created by Twitter, Google, and many others

- Not an authentication protocol
  - Allows what another app can do

# Access control

- Authorization
  - The process of ensuring only authorized rights are exercised

- The process of determining rights
  - Policy definition

# Mandatory Access Control (MAC)

- The operating system limits the operation of an object

- Every object gets a label
  - Confidential, secret, top-secret, etc.

- Labeling of objects uses predefined rules.
# Discretionary Access Control (DAC)

- Used in most operating systems
  - A familiar access control model

- You create a spreadsheet
  - As the owner, you control who has access

# Role-based access control (RBAC)

- You have a role in your organization
  - Manager, director, team lead, project manager

- Administrators provide access based on the role of the user

# Attribute-based access control (ABAC)

- Users can have complex relationships to applications and data

- ABAC can consider many parameters

- Combine and evaluate multiple parameters

# Rule-based access control

- Generic term for following rules
  - Conditions other than who you are

- Access is determined through system-enforced rules

- The rule is associated with that object

- Example: can only access at certain parts of the day

# File system security

- Store files and access them

- Encryption can be built in.
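The five access control models in the sections above (MAC, DAC, RBAC, ABAC, rule-based), each reduced to one decision function so the differences are visible side by side. This is an added example, not code from the original notes; every user, role, label, attribute and time window is constructed sample data, and the MAC ordering rule (read at or below your clearance, write at or above it) is an assumed Bell-LaPadula-style rule that the notes do not spell out.

```python
"""Access decisions under MAC, DAC, RBAC, ABAC and rule-based models.
Added example, not part of the original notes; all users, roles, labels,
attributes and time windows are constructed sample data."""
from dataclasses import dataclass, field
from datetime import time

# --- Mandatory access control: labels ordered lowest to highest ---
LABELS = ["unclassified", "confidential", "secret", "top-secret"]


def mac_allows(subject_clearance: str, object_label: str, action: str) -> bool:
    """Predefined rule (assumed Bell-LaPadula style): read only at or below
    your clearance, write only at or above it. Neither user nor owner can
    change the rule; the system enforces it."""
    s, o = LABELS.index(subject_clearance), LABELS.index(object_label)
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    raise ValueError(f"unknown action {action!r}")


# --- Discretionary access control: the owner decides ---
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of allowed actions


def dac_grant(obj: DacObject, granter: str, user: str, action: str) -> None:
    """Only the owner may hand out access (the 'discretionary' part)."""
    if granter != obj.owner:
        raise PermissionError(f"{granter} does not own this object")
    obj.acl.setdefault(user, set()).add(action)


def dac_allows(obj: DacObject, user: str, action: str) -> bool:
    return user == obj.owner or action in obj.acl.get(user, set())


# --- Role-based access control: permissions attach to roles, not users ---
ROLE_PERMISSIONS = {
    "manager": {"report:read", "expense:approve"},
    "team-lead": {"report:read"},
}
USER_ROLES = {"alice": {"manager"}, "bob": {"team-lead"}}


def rbac_allows(user: str, permission: str) -> bool:
    roles = USER_ROLES.get(user, set())
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


# --- Attribute-based access control: evaluate several parameters together ---
ABAC_POLICY = [
    lambda subj, res, env: subj["department"] == res["department"],
    lambda subj, res, env: env["device_managed"],
    lambda subj, res, env: env["country"] in res["allowed_countries"],
]


def abac_allows(subject: dict, resource: dict, environment: dict) -> bool:
    """Every policy rule must agree; attributes, not identity, drive the answer."""
    return all(rule(subject, resource, environment) for rule in ABAC_POLICY)


# --- Rule-based access control: a condition attached to the object ---
def rule_allows(now: time, window: tuple = (time(8, 0), time(18, 0))) -> bool:
    """The notes' example: access only during certain parts of the day."""
    start, end = window
    return start <= now <= end


if __name__ == "__main__":
    doc = DacObject(owner="alice")
    dac_grant(doc, "alice", "bob", "read")
    print("MAC  secret reads confidential:", mac_allows("secret", "confidential", "read"))
    print("DAC  bob reads alice's doc:    ", dac_allows(doc, "bob", "read"))
    print("RBAC bob approves expense:     ", rbac_allows("bob", "expense:approve"))
    print("RULE access at 23:00:          ", rule_allows(time(23, 0)))
```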
# Conditional access

- Difficult to apply old methods of authentication to new methods of working

- Conditions
  - Employee or partner location

- Controls
  - Allow or block, require MFA, provide limited access

- Administrators can build complex access rules

# Privileged access management (PAM)

- Managing superuser access
  - Administrator and root
  - You don't want this in the wrong hands

- Store privileged accounts in a digital vault

- PAM advantages
  - Centralized password management
  - Enables automation
  - Manage access for each user

/Security+/4. Operations and Incident Response/4.5 Explain the key aspects of digital forensics..md:

# Digital forensics

- Collect and protect information relating to an intrusion

- RFC 3227 - Guidelines for evidence collection and archiving

- Standard digital forensic process
  - Must be detail-oriented

# Legal hold

- A legal technique to preserve relevant information

- Hold notification
  - Custodians are instructed to preserve data

- Separate repository for electronically stored information (ESI)

# Capture video

- A moving record of the event

- Capture the status of the screen and other volatile information

- Don't forget security cameras and your phone

- The video content must be archived

# Admissibility

- Not all data can be used in a court of law

- Legal authorization
  - Search and seizure of information

- Procedures and tools
  - The correct tools used the correct way

- Technical and academic qualifications

# Chain of custody

- Control evidence
  - Maintain integrity

- Everyone who contacts the evidence
  - Use hashes
  - Avoid tampering

- Label and catalog everything
  - Digitally tag all items for ongoing documentation

# Recording time offsets

- The time zone determines how the time is displayed
  - Document the local device settings

- Different file systems store timestamps differently
  - FAT: time stored in local time
  - NTFS: time stored in GMT

- Record the time offset from the operating system
  - The Windows registry
  - Many different values

# Event logs

- System logs
  - Document important operating system and application events

- Export and store for future reference
  - Filter and parse

- Log store
  - Linux: /var/log
  - Windows: Event Viewer

# Interviews

- Who might have seen this?

- Not all witness statements are 100% accurate

# Reports

- Document the findings
  - For internal use, legal proceedings

- Summary information

- Detailed explanation of data acquisition

# Order of volatility

- How long does data stick around?
- Some media is much more volatile than others
- Gather data in order from the most volatile to the least volatile

- Most volatile to least volatile
  - CPU
  - ARP cache, process table, kernel statistics
  - Temporary file systems
  - Disk
  - Remote logging and monitoring data
  - Physical configuration
  - Archival media

# Disk

- Copy everything on a storage drive
  - Hard drive, SSD, flash drive

- Drive image preparation
  - Power down to prevent changes

- Connect to the imaging device

- Forensic clone
  - Bit-for-bit copy

# Random-access memory (RAM)

- A difficult target to capture

- Memory dump
  - Grab everything in active RAM

- Import data

# Swap/pagefile

- Used by different operating systems

- A place to store RAM when memory is depleted
  - There's a lot more space on the storage drive

- Can also contain portions of an application

- Contains data similar to a RAM dump

# Operating system

- OS files and data
  - May have been modified

- Core operating system
  - Executable files and libraries
  - Can be compared later to known-good files

- Other OS data
  - Logged-in users
  - Open ports

# Device

- Mobile devices and tablets
  - A more challenging forensics task

- Capture data
  - Use an existing backup file

- Data
  - Phone calls
  - Contact information
  - Text messages

# Firmware

- Extract the device firmware
  - Rootkits and exploited hardware devices
  - A reprogrammed firmware or ROM

- Specific to the platform
  - Firmware implementations vary widely

- Data discovery
  - Exploit data

# Snapshot

- Generally associated with VMs

- Incremental between snapshots
  - Original image is the full backup
  - Each snapshot is incremented from the last

# Cache

- Store data for use later
  - Often used to increase performance
  - Many different caches

- Can contain specialized data
  - CPU cache is very short-term instruction storage

- Some data may never be used
  - Erased after a specified timeframe or when the cache is full
  - Browser caches are often long-lived

- Data
  - URL locations

# Network

- Gather information about and from the network

- Inbound and outbound sessions

- Packet data
  - Capture raw network data
  - May include long-term packet captures

# Artifacts

- Digital items left behind
  - Every contact leaves a trace
  - May not be obvious

# Forensics in the cloud

- Adding complexity to the digital forensics process
  - Cloud technologies

- Technical challenges
  - Devices are not totally in your control
  - There may be limited access
  - Associate data with a specific user

- Legal issues
  - Laws are different around the world
| 419 | - The rules may not be obvious 420 | 421 | 422 | 423 | # Right-to-audit clauses 424 | 425 | - Common to work with business partners 426 | 427 | 428 | 429 | - Cloud computing providers 430 | 431 | - Can hold all of the data 432 | 433 | - manage internet access 434 | 435 | - are they secure 436 | 437 | 438 | 439 | - Right-to-audit should be in the contract 440 | 441 | - A legal agreement to have the option to perform a security audit 442 | 443 | 444 | 445 | # Regulatroy/jurisdiction 446 | 447 | - Cloud computing technology appeared relatively quickly 448 | 449 | 450 | 451 | - Forensics professional must know their legal rights 452 | 453 | 454 | 455 | 456 | 457 | - Data stored in the cloud may not be located in the same country ] 458 | 459 | 460 | 461 | - Location of the data is critical 462 | 463 | 464 | 465 | # Data breach notification laws 466 | 467 | - Notification laws 468 | 469 | - If consumer data is breached, the consumer must be informed 470 | 471 | 472 | 473 | - Many data breach notification laws 474 | 475 | - Notification requirements also vary 476 | 477 | 478 | 479 | 480 | 481 | 482 | 483 | 484 | 485 | 486 | 487 | 488 | 489 | 490 | 491 | 492 | 493 | 494 | 495 | 496 | 497 | 498 | 499 | 500 | 501 | 502 | 503 | 504 | 505 | 506 | 507 | 508 | 509 | -------------------------------------------------------------------------------- /Security+/2. 
Architecture and Design/2.1 Security concepts in an enterprise environment .md: -------------------------------------------------------------------------------- 1 | # Configuration management 2 | 3 | - There are constant changes within the I.T network 4 | 5 | - operating systems 6 | 7 | - patches 8 | 9 | - application updates 10 | 11 | - network 12 | 13 | - modifications, 14 | 15 | 16 | 17 | - Identify and document hardware and software settings 18 | 19 | - Documentation will be crucial 20 | 21 | 22 | 23 | # Diagrams 24 | 25 | - Network diagrams 26 | 27 | - Document the physical wires and device s 28 | 29 | 30 | 31 | - Physical data center layout 32 | 33 | - Device diagrams; Cables 34 | 35 | 36 | 37 | # Baseline configuration 38 | 39 | - The security of an application environment should be well defined 40 | 41 | - Firewall settings 42 | 43 | - patch levels 44 | 45 | - OS file versions 46 | 47 | 48 | 49 | - Integrity measurements check for the secure baseline 50 | 51 | 52 | 53 | ![image](https://user-images.githubusercontent.com/81980702/120130150-1319b980-c18b-11eb-8d95-cd1364101a29.png) 54 | 55 | > Baseline configuration of hosts to ensure that config settings match. 
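An added worked example, not from these notes or from any exam material, of what an integrity measurement against a secure baseline looks like in code: a Python script records a baseline of host settings and SHA-256 file hashes, re-measures the host, and reports every deviation (changed settings, modified, missing and unexpected files). The settings, file names and contents are constructed for the demo.

```python
"""Baseline-configuration integrity check (added example, not from the notes).

A secure baseline is a recorded set of expected settings and file hashes.
Integrity measurement re-reads the live host and reports every deviation.
All settings, file names and file contents below are constructed sample data.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Return the hex SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def measure_host(root, settings):
    """Build a measurement: current settings plus SHA-256 of every file under root."""
    hashes = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, root)] = sha256_file(full)
    return {"settings": dict(settings), "files": hashes}


def compare_to_baseline(baseline, measurement):
    """Return the drift between a recorded baseline and a fresh measurement.

    Settings are compared key by key; files are compared by hash, and files
    that are absent or unexpected are reported too, because a missing OS
    library or an extra binary is as suspicious as a changed one.
    """
    drift = {"settings": {}, "modified": [], "missing": [], "unexpected": []}
    for key, expected in baseline["settings"].items():
        actual = measurement["settings"].get(key)
        if actual != expected:
            drift["settings"][key] = {"expected": expected, "actual": actual}
    base_files, live_files = baseline["files"], measurement["files"]
    for path, expected_hash in base_files.items():
        if path not in live_files:
            drift["missing"].append(path)
        elif live_files[path] != expected_hash:
            drift["modified"].append(path)
    drift["unexpected"] = sorted(set(live_files) - set(base_files))
    drift["modified"].sort()
    drift["missing"].sort()
    return drift


def demo():
    """Construct a baseline, drift the host, and return the detected drift."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed "known-good" host: two config files and a patch level.
        with open(os.path.join(root, "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\n")
        with open(os.path.join(root, "firewall.rules"), "w") as f:
            f.write("default deny inbound\n")
        settings = {"patch_level": "2021-05", "firewall_enabled": True}
        baseline = measure_host(root, settings)

        # Simulated drift: root login re-enabled, firewall switched off,
        # rule file deleted, and an unexpected binary appeared.
        with open(os.path.join(root, "sshd_config"), "w") as f:
            f.write("PermitRootLogin yes\n")
        os.remove(os.path.join(root, "firewall.rules"))
        with open(os.path.join(root, "extra.bin"), "wb") as f:
            f.write(b"\x00")
        live = measure_host(root, {"patch_level": "2021-05", "firewall_enabled": False})
        return compare_to_baseline(baseline, live)


if __name__ == "__main__":
    print(demo())
```

Running the script prints one dictionary with the four drift categories; in practice the baseline would be stored signed and off-host, and a non-empty drift would feed the configuration-management record rather than just stdout.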
# Standard naming conventions

- Create a standard
  - Naming needs to be understood by everyone

- Examples of things that need labeling
  - Devices
    - Asset tag names
    - Computer names
    - Serial numbers
  - Networks; port labeling
  - Domain configurations

# IP schema

- An IP address plan or model: consistent addressing for network devices
  - Helps avoid duplicate IP addressing

- Examples of what should be labeled
  - Locations
  - Number of subnets
  - Hosts per subnet
  - IP ranges; different sites have a different subnet

# Data protection

- A primary job task
  - An organization is out of business without data

- Data is everywhere
  - Storage drive
  - Network
  - In a CPU

- Protecting the data
  - Encryption
  - Security policies
  - Data permissions

# Data sovereignty

- Data that resides in a country is subject to the laws of that country
  - Laws may prohibit where data is stored. Data collected on EU citizens must be stored in the EU

# Data masking

- Data obfuscation
  - Hide the original data
  - Protects Personally Identifiable Information (PII)
  - May only be hidden from view

- **Example** - On a receipt, the credit card number is printed with Xs to stop the viewer from seeing the whole number

# Data encryption

- Encode information into unreadable data

- This causes confusion
  - The encrypted data is drastically different from the plaintext

- **Example** - The encrypted output may be longer than the text written

# Diffusion

- Change one character of the input, and many characters of the output change
  - One character should change the ciphertext

# Data at rest

- The data is on a storage device
  - Hard drive
  - SSD
  - Flash drive

- Encrypt the data; whole-disk encryption
  - Apply permissions

# Data in transit

- Data is transmitted in motion
  - Not much protection as it travels

- Network-based protection; firewall, IPS
  - Provide transport encryption; TLS

# Data in use

- Data is actively being processed in memory
  - System RAM
  - CPU

- The data is almost always decrypted

- Attackers can pick the decrypted information out of RAM

- **Example** - Target Corp. breach. Data was stolen while in use at POS systems

# Tokenization

- Replace sensitive data with a non-sensitive placeholder

- **Example** - SSN 266-12-1112 is stored as 691-61-8539

- Common with credit card processing
  - Replacing numbers and characters with another set
  - No encryption

# Information Rights Management (IRM)

- Control how data is used

- Restrict data access to unauthorized persons
  - Prevent copy and paste
  - Control screenshots
  - Manage printing
  - Restrict editing

# Hardware security module (HSM)

- A tamper-proof physical device that safeguards secret digital keys
- Used when implementing PKI or SSH to achieve a high degree of data protection

# Geographical considerations

- Legal implications
  - Business regulations vary between states

- Data is legally tied to its geographical location

- Offsite recovery and offsite backups are important

# Response and recovery controls

- Incident response and recovery

- An incident response plan should be established
  - Documentation is critical

- Limit the impact of an attacker
  - Limit data exfiltration and limit access to sensitive data

# SSL/TLS inspection

- Commonly used to examine outgoing SSL/TLS
  - Transport Layer Security is up to date

- SSL inspection relies on trust
  - SSL inspection allows you to be in the middle

- A browser doesn't trust a website unless a CA has signed the web server's certificate
  - Validates with a DNS record, phone call, etc.

- The browser looks at the web certificate to see if it matches, then encrypts the information

# Hashing

- Represent data as a short string of text
  - A message digest

- One-way trip
  - Impossible to recover the original message from the digest

- Verify that a downloaded document is the same as the original
  - You can verify the document on a website

- Used in digital signatures

- **Example** - SHA256 hash, 256 bits / 64 hexadecimal characters

# API considerations

- Application Programming Interface

- Secure and harden the login page

- On-path attack
  - Intercept and modify API messages
  - Replay API commands
  - Inject data into an API message

- DDoS can cause an API to go down

- WAF, Web Application Firewall

# Site resiliency

- Recovery site is prepped

- A disaster is called
  - Failover to the alternate processing site

- Revert back to the primary location

# Hot site

- An exact replica stocked with hardware, constantly updated

- Applications and software are constantly updated
  - Automated replication

- Flip a switch and everything moves

# Cold site

- No hardware, empty building, no data
  - No people

# Warm site

- Somewhere between hot and cold
  - Has racks and some equipment; hardware is ready and waiting

# Honeypots

- Attract the bad guys and trap them there

- The attacker is probably a machine; makes for interesting recon

- Honeypots create a virtual world
  - Many different options; Kippo, Google Hack Honeypot, Wordpot, etc.

# Honeyfiles and honeynets

- More than one honeypot

- More than one source of information; stop spammers

- Example is passwords.txt; it is a bear trap, not real

# Fake telemetry

- Machine learning interprets big data to identify the invisible

- Train the machine with actual data

- Feed the machine learning model fake telemetry; make malware look good

# DNS sinkhole

- A DNS server that hands out incorrect IP addresses
  - This can be bad: an attacker can redirect a user to a malicious site

--------------------------------------------------------------------------------
/Security+/3. Implementation/3.2 implement host or application security solutions.md:
--------------------------------------------------------------------------------

# Antivirus

- Software characterized by signature-based detection and prevention of known viruses

- An on-access antivirus scanner or intrusion prevention system works by identifying when processes or scripts are executed and intercepting them
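An added example, not from the original notes, showing what "signature-based detection" means in code: a toy Python scanner with a whole-file hash signature beside a byte-pattern signature, and an on-access allow/block decision made before execution. It also shows the classic caveat that a one-byte variant of a known sample defeats the hash signature but not the pattern. Every sample, signature and name here is constructed for the demo; nothing is real malware.

```python
"""Signature-based scanner (added example, not from the notes).

Shows the two classic signature types an antivirus engine uses, a whole-file
hash and a byte pattern, and why a one-byte change defeats the hash but not
the pattern. Every sample and signature here is constructed for the demo.
"""
import hashlib
import re

# Constructed "malware" sample: a harmless byte string standing in for a payload.
KNOWN_SAMPLE = b"\x4d\x5a" + b"CONSTRUCTED-DEMO-PAYLOAD-v1" + b"\x00" * 16
# A variant of the same sample that differs in a single byte (v1 -> v2).
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"-v1", b"-v2")
# A benign file that must never match.
BENIGN_SAMPLE = b"\x4d\x5a" + b"hello from a harmless program" + b"\x00" * 16

# Signature database (constructed). Hash signatures match one exact file;
# pattern signatures match a distinctive byte sequence and so survive small
# modifications such as a changed version string.
HASH_SIGNATURES = {
    hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Demo.Payload.A (hash)",
}
PATTERN_SIGNATURES = {
    "Demo.Payload (pattern)": re.compile(rb"CONSTRUCTED-DEMO-PAYLOAD-v\d"),
}


def scan(data):
    """Return the list of signature names matching data (empty means clean)."""
    hits = []
    file_hash = hashlib.sha256(data).hexdigest()
    if file_hash in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[file_hash])
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            hits.append(name)
    return hits


def on_access_check(path, data):
    """Model of an on-access hook: decide allow/block before execution.

    Returns (allowed, reason). A real scanner hooks file open or process
    creation; here the caller passes the bytes it is about to execute.
    """
    hits = scan(data)
    if hits:
        return False, "blocked %s: %s" % (path, ", ".join(hits))
    return True, "allowed %s" % path


if __name__ == "__main__":
    samples = [
        ("known.exe", KNOWN_SAMPLE),
        ("variant.exe", VARIANT_SAMPLE),
        ("benign.exe", BENIGN_SAMPLE),
    ]
    for name, sample in samples:
        print(on_access_check(name, sample))
```

The variant is caught only by the pattern signature, which is the detection gap that anti-malware vendors close with more generic signatures and behavioural (EDR-style) monitoring rather than file hashes alone.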
# Anti-malware

- Malware detection: viruses, worms, Trojans, spyware, PUPs, cryptojackers

- It captures signatures, but unfortunately it is not consistent

# Endpoint detection and response (EDR)

- Configure the management system to push the agent software and updates to hosts

- Assign hosts to appropriate groups for policy assignment; isolate a client when a threat is detected

- Test the configuration settings of the different host groups to ensure that the expected range of threats is detected

- Use a monitoring dashboard to verify status across all network hosts

# Data Loss Prevention

- Many Endpoint Protection Platforms have a Data Loss Prevention agent

- Policies are configured to identify privileged files and strings that should be kept private or confidential

- The agent enforces the policy to prevent data from being copied or attached to a message without authorization

# Next-generation firewall (NGFW)

- Host or network firewall capable of parsing application-layer protocol headers and data

- Combines application-aware filtering with user account-based filtering and the ability to act as an intrusion prevention system

# Host-Based Intrusion Detection (HIDS) / Host-Based Intrusion Prevention (HIPS)

- Host-based intrusion detection systems provide threat detection via log and file system monitoring

- HIDS come in many different forms with different capabilities

- HIPS
  - File system integrity monitoring uses signatures and monitors ports

# Host-based firewall

- A software application running on a single host and designed to protect that host only

- Also enforces packet filtering ACLs; a personal firewall

# Unified Extensible Firmware Interface (UEFI)

- System firmware providing support for 64-bit CPU operation at boot, a full GUI, and mouse operation

- Provides code that allows the host to boot to an OS

# Measured boot

- A UEFI feature that gathers secure metrics to validate the boot process in an attestation report

- Checks hashes of key system state data (boot firmware, boot loader, OS kernel, etc.)

# Boot attestation

- A report of boot state integrity data that is signed by a tamper-proof TPM key and reported to a network server

- The boot log can be analyzed for signs of compromise, such as the presence of unsigned drivers

![image](https://user-images.githubusercontent.com/81980702/120778594-18a93380-c4ec-11eb-9ef2-32a551f021d0.png)

> Secure boot settings in UEFI

# Tokenization

- Replace sensitive data with a non-sensitive placeholder

- Example - SSN 266-12-1112, which is now 691-61-8539

- This is not encryption or hashing

# Hashing a password

- Hashes represent data as a fixed-length string of text

- A message digest, or "fingerprint"

- A common way to store passwords

# Adding some salt

- Random data added to a password when hashing

- Every user gets their own random salt

- Stops rainbow tables with hashes

- Slows down brute force attacks

# Secure cookies

- Cookies are a vector for session hijacking and data exposure if not configured correctly

- Some key parameters for set cookies are:

  1. Avoid using persistent cookies for session authentication
  2. Set the Secure attribute so the cookie is only sent over HTTPS, and the HttpOnly attribute to make the cookie inaccessible to Document Object Model (DOM)/client-side scripting
  3. Use the SameSite attribute to control where a cookie may be sent

# HTTP headers

- A number of security options can be set in the response headers returned by the server

- Developers are constrained by compatibility and implementation differences between client browser and server software types

- Options to help with security are:

  1. HTTP Strict Transport Security - forces the browser to connect using HTTPS only
  2. Content Security Policy - mitigates clickjacking, script injection, etc.
  3. Cache-Control - sets whether the browser can cache responses

# Input validation

- Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application

- SQL injection
  - To prevent this, all input methods should be tested and documented

# Code signing

- The principal means of proving the authenticity and integrity of code (an executable or a script)

- The developer creates a cryptographic hash of the file, then signs the hash using their private key

# Manual code review

- The process of peer review of uncompiled source code by other developers

- Identifies oversights, mistaken assumptions, or a lack of knowledge or experience

# Dynamic code analysis

- The application is tested under real-world conditions by using a staging environment

- Example: exposure to race conditions or unexpected user input

# Fuzzing

- A dynamic code analysis technique that involves sending a running application random and unusual input to evaluate how the app responds

- A means of testing whether an application's input validation routines work well

- Generates input and records the responses made by the application

![image](https://user-images.githubusercontent.com/81980702/120784416-adfaf680-c4f1-11eb-95cc-d5dbfa2938b6.png)

# Hardening

- The process of making a host or app configuration secure by reducing its attack surface, through running only necessary services

- Installing monitoring software to protect against malware and intrusions

- Establishing a maintenance schedule to ensure the system is patched and secure

# Open ports and services

- An open port allows client software to connect to the application over a network

- These should be disabled or blocked at a firewall if remote access is not required

# Registry

- The primary configuration data for Windows

- Useful to know what an application modifies
  - Some registry changes are important

![image](https://user-images.githubusercontent.com/81980702/120828060-b408cb80-c521-11eb-95c1-28b9484acb63.png)

> What the Windows Registry Editor looks like

# Disk encryption

- Prevent access to application data files
  - File system encryption

# Full disk encryption (FDE)

- Encrypt everything on the drive
  - BitLocker is an example; it comes with Windows

# Self-encrypting drive (SED)

- Hardware-based full disk encryption
  - No operating system software needed

- Opal Storage Specification
  - The standard

# Operating system hardening

- Many and varied
  - Windows, Linux, iOS, Android

- Updates
  - Operating systems
  - User accounts; good passwords
  - Limited access and security; limit network access

- Monitor and secure
  - Anti-virus, anti-malware

# Patch management

- Incredibly important
  - Monthly updates (incremental)
  - Third-party updates, application developers

# Sandboxing

- Application cannot access unrelated resources

- Commonly used during development
  - Used in many different deployments

# Hardware Root of Trust (RoT)

- A cryptographic module embedded within a computer system that can be endorsed and trusted in the boot settings

- Submits a report to the network access control

# Trusted Platform Module (TPM)

- A specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification

- TPM is implemented as part of the chipset or embedded in the CPU

--------------------------------------------------------------------------------
/Security+/4. Operations and Incident Response/4.2 Summarize the importance of policies, processes, and procedures for incident response..md:
--------------------------------------------------------------------------------

# Security incidents

- User clicks an email attachment and executes malware
  - Malware then communicates with external servers

- DDoS
  - Botnet attack

- Confidential information is stolen
  - Thief wants money or it goes public

# Roles and responsibilities

- Incident response team
  - Specialized group, trained and tested

- IT security management
  - Corporate support

- Compliance officers

# NIST SP 800-61

- National Institute of Standards and Technology

- The incident response lifecycle
  - Preparation
  - Detection and analysis
  - Containment, eradication, and recovery
  - Post-incident activity

# Preparing for an incident

- Communication methods
  - Phones and contact information

- Incident handling hardware and software
  - Laptops, removable media, forensic software, digital cameras, etc.
68 | 69 | 70 | 71 | - Incident analysis resources 72 | 73 | 74 | 75 | - Incident mitigation software 76 | 77 | - Clean OS and application images 78 | 79 | 80 | 81 | # The challenge of detection 82 | 83 | - Many different levels of detail, different levels of perception 84 | 85 | 86 | 87 | - A large amount of "volume" 88 | 89 | - Attacks are incoming all the time 90 | 91 | - How do you identify the legitimate threats 92 | 93 | 94 | 95 | - Incidents are almost always complex 96 | 97 | 98 | 99 | # Incident precursors 100 | 101 | - An incident might occur in the future 102 | 103 | 104 | 105 | - Web server log 106 | 107 | - Vulnerability scanner in use 108 | 109 | 110 | 111 | - Exploit announcement 112 | 113 | 114 | 115 | - Direct threats 116 | 117 | 118 | 119 | # Incident indicators 120 | 121 | - An attack is underway 122 | 123 | - An exploit is successful 124 | 125 | 126 | 127 | - Buffer overflow attempt 128 | 129 | - Identified by an intrusion detection/prevention system 130 | 131 | 132 | 133 | - Host-based monitor detects 134 | 135 | 136 | 137 | - Network traffic flows deviate from the norm 138 | 139 | 140 | 141 | # Isolation and containment 142 | 143 | - Generally, a bad idea to let things run their course 144 | 145 | 146 | 147 | - Sandboxes 148 | 149 | - Isolated operating system 150 | 151 | - Run malware and analyze the results 152 | 153 | 154 | 155 | - Isolation can sometimes be problematic 156 | 157 | 158 | 159 | # Recovery after an incident 160 | 161 | - Get things back to normal 162 | 163 | - Remove the bad, keep the good 164 | 165 | 166 | 167 | - Eradicate the bug 168 | 169 | - Remove malware 170 | 171 | - Disable breached user accounts 172 | 173 | - Fix vulnerabilities 174 | 175 | 176 | 177 | - Recover the system 178 | 179 | - Restore from backups 180 | 181 | - Replace compromised files 182 | 183 | - Tighten down the perimeter 184 | 185 | 186 | 187 | # Reconstitution 188 | 189 | - A phased approach 190 | 191 | 192 | 193 | - Recovery may take months 194 | 
195 | 196 | 197 | - The plan should be efficient 198 | 199 | - Start with quick, high-value security changes 200 | 201 | 202 | 203 | - Later phases involve heavy lifting 204 | 205 | 206 | 207 | # Lessons learned 208 | 209 | - Learn and improve 210 | 211 | - No system is perfect 212 | 213 | 214 | 215 | - Post-incident meeting 216 | 217 | 218 | 219 | - Don't wait too long 220 | 221 | 222 | 223 | # Answer the tough questions 224 | 225 | - What happened 226 | 227 | 228 | 229 | - How did your incident plans work? 230 | 231 | 232 | 233 | - What would you do next time? 234 | 235 | 236 | 237 | # Exercise 238 | 239 | - Test yourselves before an actual event 240 | 241 | - Scheduled update sessions (annual,semi-annual,etc.) 242 | 243 | - Use well-defined rules of engagement 244 | 245 | - Do not touch the production systems 246 | 247 | - Very specific scenario 248 | 249 | - Limited time to run the event 250 | 251 | 252 | 253 | - Evaluate the response 254 | 255 | 256 | 257 | # Tabletop exercises 258 | 259 | - Performing a full-scale disaster drill can be costly 260 | 261 | 262 | 263 | - Many of the logistics can be determined through analysis 264 | 265 | 266 | 267 | - Get key players together for a tabletop exercise 268 | 269 | 270 | 271 | # Walkthrough 272 | 273 | - Include responders 274 | 275 | - A step beyond a tabletop exercise 276 | 277 | 278 | 279 | - Test processes and procedures before an event 280 | 281 | 282 | 283 | - Identifies actual faults or missing steps 284 | 285 | 286 | 287 | # Simulation 288 | 289 | - Test with a simulated event 290 | 291 | - Phishing attacks, password requests, data breaches 292 | 293 | 294 | 295 | - Going phishing 296 | 297 | - Create a phishing email attack 298 | 299 | - Send to your actual user community 300 | 301 | 302 | 303 | - Test internal security 304 | 305 | 306 | 307 | - Test the users 308 | 309 | - Who clicked 310 | 311 | 312 | 313 | # Stakeholder management 314 | 315 | - Keeping a good ongoing relationship with the customer of IT 
316 | 317 | - These can be internal or external 318 | 319 | 320 | 321 | - Most of this happens prior to an incident 322 | 323 | - Ongoing communication and meetings 324 | 325 | 326 | 327 | - Continues after the incident 328 | 329 | 330 | 331 | # Communication plan 332 | 333 | - Get your contact list together 334 | 335 | - There are a lot of people in the loop 336 | 337 | 338 | 339 | - Corporate / organization 340 | 341 | - CIO / Head of information security 342 | 343 | 344 | 345 | - Internal non-IT 346 | 347 | 348 | 349 | - External contacts 350 | 351 | - System owner, law enforcement 352 | 353 | 354 | 355 | # Disaster recovery plan 356 | 357 | - If a disaster happens, IT should be ready 358 | 359 | 360 | 361 | - Disasters are many and varied 362 | 363 | - Natural disasters 364 | 365 | - Technology or system failures 366 | 367 | - human-created disasters 368 | 369 | 370 | 371 | - A comprehensive plan 372 | 373 | 374 | 375 | # Continuity of operations planning (COOP) 376 | 377 | - Not everything goes according to plan 378 | 379 | - We rely on our computer systems 380 | 381 | - There needs to be an alternative 382 | 383 | 384 | 385 | # Incident response team 386 | 387 | - Receives, reviews, and responds 388 | 389 | 390 | 391 | - Determine what type of events requires a response 392 | 393 | - A virus infection? Ransomware? 
DDoS 394 | 395 | 396 | 397 | - May or may not be a part of the organizational structure 398 | 399 | 400 | 401 | - Focuses on incident handling 402 | 403 | - Incident response 404 | 405 | - Incident analysis 406 | 407 | - Incident reporting 408 | 409 | 410 | 411 | # Retention policies 412 | 413 | - Backup your data 414 | 415 | - How much and where 416 | 417 | - copies, versions, the lifecycle of data 418 | 419 | 420 | 421 | - Regulatory compliance 422 | 423 | - A certain amount of data backup may be required 424 | 425 | 426 | 427 | - Operational needs 428 | 429 | - Accidental deletion 430 | 431 | - Disaster recovery 432 | 433 | 434 | 435 | - Differentiate by type and application 436 | 437 | - Recover the data you need when you need it 438 | 439 | 440 | 441 | # Attacks and responses 442 | 443 | - A constantly moving chessboard 444 | 445 | - The rules are also constantly changing 446 | 447 | 448 | 449 | - Response and intelligence teams need assistance 450 | 451 | 452 | 453 | - Understand attacks 454 | 455 | 456 | 457 | - Assess the risk in an organization 458 | 459 | 460 | 461 | # MITRE ATT&ACK framework 462 | 463 | - The MITRE corporation 464 | 465 | - US not-for-profit based in Massachusetts 466 | 467 | 468 | 469 | - The MITRE ATT&ACK framework 470 | 471 | - https://attack.mitre.org/ 472 | 473 | 474 | 475 | - Determine the actions of an attacker 476 | 477 | - Identify the point of intrusion 478 | 479 | - Understand methods used to move around 480 | 481 | - Identify potential security techniques 482 | 483 | 484 | 485 | # Diamond Model of Intrusion Analysis 486 | 487 | - Designed by the intelligence community 488 | 489 | - guide analysts to help understands intrusions 490 | 491 | 492 | 493 | - Apply scientific principles to intrusion analysis 494 | 495 | - Measurement, testability, and repeatability 496 | 497 | - Appears simple but it's complex 498 | 499 | 500 | 501 | - An adversary deploys a capability over some infrastructure against a victim 502 | 503 | - Use the 
model to analyze and fill in the details 504 | 505 | 506 | 507 | ![image](https://user-images.githubusercontent.com/81980702/123148343-be81fb00-d425-11eb-866a-83d7be745e86.png) 508 | 509 | 510 | 511 | # Cyber Kill chain 512 | 513 | - Seven phases of a cyber attack 514 | 515 | - A military concept 516 | 517 | ![image](https://user-images.githubusercontent.com/81980702/123148827-3a7c4300-d426-11eb-93c3-91bfdaf63e0b.png) 518 | 519 | 520 | 521 | 522 | 523 | 524 | 525 | 526 | 527 | 528 | 529 | 530 | 531 | 532 | 533 | 534 | 535 | 536 | 537 | 538 | 539 | 540 | 541 | 542 | 543 | 544 | 545 | 546 | 547 | 548 | 549 | 550 | 551 | 552 | 553 | 554 | 555 | 556 | 557 | 558 | 559 | 560 | 561 | 562 | 563 | 564 | 565 | 566 | 567 | 568 | 569 | 570 | 571 | 572 | 573 | 574 | 575 | 576 | 577 | 578 | 579 | 580 | 581 | 582 | 583 | 584 | 585 | 586 | 587 | 588 | 589 | 590 | 591 | 592 | 593 | -------------------------------------------------------------------------------- /Security+/1. Attacks, Threats, and Vulnerabilities/1.5 Threat Actors, Vectors, and Intelligence Sources.md: -------------------------------------------------------------------------------- 1 | # Threat Actors 2 | 3 | - The entity responsible for an event that has an impact on the safety of another entity 4 | 5 | - Broad scope of actors 6 | 7 | 8 | 9 | # Advanced Persistent Threat (APT) 10 | 11 | - Attackers are in the network and undetected 12 | 13 | - on a FireEye report, 71 days in America, 177 days in EMEA, and 204 days in APAC before they are detected 14 | 15 | 16 | 17 | - Insiders 18 | 19 | - A type of threat actor who is assigned privileges on a system that cause an intentional or unintentional incident 20 | 21 | - more than just passwords on sticky notes 22 | 23 | 24 | 25 | - Attacks can be directed at the vulnerable system but he knows what to hit 26 | 27 | - Eats away from the inside, they know everything 28 | 29 | 30 | 31 | # Nation state 32 | 33 | - National security; always an external entity 34 | 35 | 36 | 37 | 
- **Example** - Highest sophistication; military, utilities; Stuxnet worm

# Hacktivist

- A hacker with a purpose; social change or political agenda; often external

- Funds are limited, which is a disadvantage

# Script Kiddie

- Runs pre-made scripts without any knowledge of what's happening

- Can be internal or external

- Not very sophisticated

# Criminal syndicates

- Professional criminals that commit professional crimes

- Almost always external

- Very sophisticated

- Organized crime

# Expert with technology

- **White Hat**

  - Authorized; ethical hacker with good intentions

- **Black Hat**

  - Unauthorized; malicious

- **Gray Hat**

  - Semi-authorized; finds a vulnerability but doesn't use it

# Shadow IT

- Computer hardware, software, or services used on a private network without authorization from the system owner

- Going rogue; working around the internal IT organization

# Competitors

- Many different motivations; competitors want an edge over each other

- High level of sophistication

- **Example** - Has many different intents; shut down your computers, steal customer lists, corrupt manufacturing databases

# Vectors

- **Attack vectors**

  - A method used by the attacker which gains them unauthorized access to a system

- A lot of work and time goes into finding vulnerabilities in those vectors

# Direct access

- Physical access to a system is significant

- Modify the operating system; reset the admin password a few times

- Attach a keylogger to collect usernames and
passwords

# Wireless

- Default login credentials; modify the access point

- Rogue access point; a less-secure entry point to the network

- Evil twin; emulates the authentication details; man-in-the-middle attack

# Email

- Everyone has an email account, so it is attractive to hackers

- Phishing attacks

- Social engineering attacks

- Deliver malware to the user

# Supply chain

- Tamper with the underlying infrastructure; there are layers to operations

- Target was affected by a supply chain attack

- Malware can modify the manufacturing process

- **Examples** - Counterfeit networking equipment; installed backdoor

# Social media

- Attackers thank you for putting personal information online

- User profiling; where you were born; the name of your school mascot used as a security question

- Hackers can pose as fake friends who try to get additional information

# Removable media attack vectors

- Get around the firewall by USB

- Malicious software on USB flash drives; infect air-gapped networks

- USB devices can act as keyboards

# Cloud

- Public-facing applications and services

- Security misconfigurations; data permissions and public data stores

- Brute force attacks

- Orchestration attacks

# Threat intelligence

- Research the threats

- Data is everywhere

- Make decisions based on research into what the hackers are doing

- Used by researchers

# Open-source intelligence (OSINT)

- Open source; publicly available sources

- Internet; discussion groups, social media

- Government data

- Commercial data

# Closed/proprietary intelligence

- Someone else has already compiled the threat information

- Threat intelligence services

- Constant threat monitoring

# Vulnerability database

- Common Vulnerabilities and Exposures (CVE); a community-managed list of vulnerabilities; sponsored by the U.S. Department of Homeland Security

- Researchers find vulnerabilities

- U.S. National Vulnerability Database

# Public/Private information centers

- Public threat intelligence

  - Often classified information

- Private threat intelligence

  - Private companies have resources

- Need to share critical security details

- Cyber Threat Alliance (CTA)

# Automated Indicator Sharing (AIS)

- The intelligence industry needs a standard way to share important threats

- Structured Threat Information eXpression (STIX)

  - Describes cyber threat information

# Dark Web

- Overlay networks that use the internet; requires specific software such as Tor

- **Examples** - Hacking groups and services; tools and techniques; credit card sales; accounts and passwords

# Indicator of compromise (IOC)

- A sign that an asset or network has been attacked or is currently under attack

- Unusual amount of network activity

- Change to file hash values

- Changes to DNS data

- Uncommon login patterns

- Spikes of read requests to certain files

# Structured Threat Information eXpression (STIX)

- A framework for analyzing cybersecurity incidents

- Allows attacks to be seen in a timely manner

- Threat analysis, automated threat exchange, automated detection

![image](https://user-images.githubusercontent.com/81980702/120111396-6a8e3a00-c137-11eb-92f9-3ad14fe9a3e2.png)

# Trusted Automated Exchange of Intelligence Information (TAXII)

- A protocol for supplying codified information to automate incident detection and analysis

![image](https://user-images.githubusercontent.com/81980702/120111404-71b54800-c137-11eb-8c8e-f4224020e257.png)

# Predictive analytics

- Analyze large amounts of data very quickly

- Find suspicious patterns

- Identify behaviors; DNS queries, traffic patterns, location data

- Creates a forecast for potential attacks

# Threat Maps

- Animated map showing threat sources in near real-time

# File/code repositories

- GitHub

  - Public code repositories

  - Attackers are always looking for this code

- Threat research

  - Know your enemy

  - A never-ending process, and you can't rely on a single source

# Vendor website

- Vendors and manufacturers; they wrote the software

- They know when problems are encountered

- They react when surprises happen; know about zero-days

# Vulnerability feeds

- Automated vulnerability notifications

- Third-party feeds

- Roll up to a vulnerability management system

# Conferences

- Watch and learn

- Researchers; new DDoS methods

- Stories from the trenches

- Building relationships
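The IOC, STIX and TAXII sections above describe indicators being shared in a structured format and matched automatically. The Python example below is added here and is not from the notes: it parses a constructed STIX 2.1 indicator bundle (ids, domain names and hashes are placeholders) and matches a small pattern subset against constructed sensor events, skipping revoked indicators and non-indicator objects.

```python
"""Added example, not from the notes: consume a STIX 2.1 indicator bundle
(what a TAXII feed delivers) and match its patterns against observed events,
the core of automated IOC detection. Only the simple comparison form
    [object-type:property = 'value']
is supported, with comparisons joined by OR inside one bracket pair.
Every id, domain and hash below is a constructed placeholder."""
import json
import re

TS = "2021-06-01T00:00:00.000Z"  # constructed timestamp for all objects


def _indicator(n, name, pattern, **extra):
    """Minimal STIX 2.1 indicator; the UUID is constructed from digit n."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{n * 8}-{n * 4}-4{n * 3}-8{n * 3}-{n * 12}",
            "created": TS, "modified": TS, "name": name,
            "indicator_types": ["malicious-activity"], "pattern": pattern,
            "pattern_type": "stix", "valid_from": TS, **extra}


# Constructed bundle: two live indicators, a revoked one and a non-indicator object.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        _indicator("2", "constructed C2 domain",
                   "[domain-name:value = 'c2.example.invalid']"),
        _indicator("3", "constructed dropper hashes",
                   "[file:hashes.'SHA-256' = '" + "a" * 64 + "' OR "
                   "file:hashes.'MD5' = '" + "b" * 32 + "']"),
        _indicator("4", "constructed false positive, withdrawn by producer",
                   "[domain-name:value = 'www.example.com']", revoked=True),
        {"type": "malware", "spec_version": "2.1", "created": TS,
         "modified": TS, "name": "constructed dropper", "is_family": False,
         "id": "malware--55555555-5555-4555-8555-555555555555"},
    ],
})

# Constructed sensor events, keyed by STIX cyber-observable type so that a
# pattern's object:property path maps straight onto them.
SAMPLE_EVENTS = [
    {"domain-name": {"value": "www.example.com"}},
    {"domain-name": {"value": "c2.example.invalid"}},
    {"file": {"name": "update.bin", "hashes": {"MD5": "b" * 32}}},
    {"file": {"name": "notes.txt", "hashes": {"SHA-256": "c" * 64}}},
]

COMPARISON_RE = re.compile(
    r"(?P<obj>[a-z0-9-]+):(?P<prop>[A-Za-z0-9_.'-]+)\s*=\s*'(?P<val>[^']*)'")


def parse_pattern(pattern):
    """Split a simple STIX pattern into (object_type, property_path, value)
    comparisons; anything outside the supported subset raises ValueError."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError(f"unsupported STIX pattern: {pattern}")
    comparisons = []
    for clause in body[1:-1].split(" OR "):  # values holding ' OR ' unsupported
        m = COMPARISON_RE.fullmatch(clause.strip())
        if m is None:
            raise ValueError(f"unsupported comparison: {clause}")
        # hashes.'SHA-256' -> ['hashes', 'SHA-256']; quoted keys may hold dots
        path = [p.strip("'") for p in re.findall(r"'[^']*'|[^.']+", m["prop"])]
        comparisons.append((m["obj"], path, m["val"]))
    return comparisons


def load_indicators(bundle_json):
    """Live STIX-pattern indicators from a bundle; other object types and
    revoked indicators are dropped so that withdrawn IOCs cannot alert."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    return [o for o in bundle.get("objects", [])
            if o.get("type") == "indicator"
            and o.get("pattern_type", "stix") == "stix"
            and not o.get("revoked", False)]


def _lookup(obj, path):
    for key in path:  # follow the property path; None when a key is absent
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def match_events(indicators, events):
    """(event_index, indicator_id) for every event an indicator hits; an OR
    pattern fires as soon as any one of its comparisons is satisfied."""
    hits = []
    for ind in indicators:
        comparisons = parse_pattern(ind["pattern"])
        for idx, event in enumerate(events):
            if any(obj in event and _lookup(event[obj], path) == value
                   for obj, path, value in comparisons):
                hits.append((idx, ind["id"]))
    return hits
```

Running `match_events(load_indicators(SAMPLE_BUNDLE), SAMPLE_EVENTS)` reports the C2 domain event and the MD5 dropper event only; the revoked indicator never fires on `www.example.com`.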
# Academic journals

- Research from academic professionals

- Evaluations of existing security

- Detailed post mortems

- Extremely detailed

# Request for comments (RFC)

- Published by the Internet Society

- Not all RFCs are standards documents

# Local industry groups

- A gathering of local peers

- Associations

- Industry user groups

# Social media

- Hacking group conversations

- Honeypot monitoring on Twitter

- **Examples** - keyword monitoring; CVE, Bugbounty, 0-day

# Threat feeds

- Monitor threat announcements

- Many sources of information

# TTP

- Tactics, Techniques, and Procedures

- Search through data and networks

- Different types of TTP

- Shows how hackers are doing it

--------------------------------------------------------------------------------
/Security+/4. Operations and Incident Response/4.1 use the appropriate tool to assess organizational security..md:
--------------------------------------------------------------------------------

# Traceroute

- Determine the route a packet takes to a destination

- Map the entire path

- Different commands for each OS

  - Tracert (Windows)

  - Traceroute (Unix/Linux/macOS)

- Takes advantage of the ICMP Time to Live Exceeded error message

![image](https://user-images.githubusercontent.com/81980702/123106679-74395380-d3fe-11eb-8e10-5f909642ab08.png)

# nslookup and dig

- Look up information from DNS servers

- Canonical names, IP addresses, cache timers, etc.
- nslookup

  - Both Windows and POSIX-based

  - Look up names and IP addresses

- Dig

  - More advanced domain information

  - Probably your first choice

# Ipconfig and ifconfig

- Most of your troubleshooting starts with the IP address

- Determines the TCP/IP and network adapter information

- ipconfig - Windows TCP/IP configuration

- ifconfig - Linux interface configuration

# Ping

- Test reachability

- One of your primary troubleshooting tools

# Pathping

- Combines ping with traceroute

- Measures round trip time and packet loss

# netstat

- Network statistics

- Available on many different operating systems

- ``netstat -a``

  - Show all active connections

- ``netstat -b``

  - Show the executable that opened each connection (Windows only)

- ``netstat -n``

  - Does not resolve names

# Address Resolution Protocol

- Determine a MAC address based on its IP address

# Arp

- Use the command ``arp -a`` to display the ARP cache (internet addresses and their MAC addresses)

# route

- View the device's routing table

- Windows

  - ``route print``

- Linux and macOS

  - ``netstat -r``

# Curl

- Client URL

- Retrieve data using a URL

  - Uniform Resource Locator

- Web pages, FTP, emails, databases, etc.
- Grab raw data

# IP scanners

- Search a network for IP addresses

- Locate active devices

- Uses many different techniques

  - ARP

  - ICMP

  - TCP ACK

# hping

- TCP/IP packet assembler/analyzer

- A ping that can send almost anything

- Ping a device

  - ICMP, TCP, UDP

- Example: ``hping3 --destport 80 10.1.10.1``

# NMAP

- Stands for Network Mapper

- Port scan

- Operating system scan

- Service scan

  - What service is available on a device

- Additional scripts

  - NSE (Nmap Scripting Engine)

# theHarvester

- Gather OSINT; open-source intelligence

- Scrape information from Google or Bing

  - Find associated IP addresses

- List of people from LinkedIn

- DNS brute force

  - Find those unknown hosts

# sn1per

- Combines many recon tools into a single framework

  - dnsenum, metasploit, nmap, theHarvester

- Both non-intrusive and very intrusive scanning options

# Scanless

- Run port scans from a different host

- Port scan proxy

# dnsenum

- Enumerate DNS information

- Find hostnames

- View host information from DNS servers

  - Many services and hosts are listed in DNS

- Find hostnames in Google

# Nessus

- Industry leader in vulnerability scanning

- Identify known vulnerabilities

- Find systems before they can be exploited
- Extensive reporting

  - A checklist of issues

# Cuckoo

- A sandbox for malware

- Test a file in a safe environment

- A virtualized environment

  - Windows, Linux, macOS, Android

- Track and trace

# Cat

- Concatenate

- Link together in a series

- The cat command prints the contents of a text file to the terminal

# Head

- View the first part of a file

- The head, or beginning, of the file

- Use the ``-n`` option to specify the number of lines

# tail

- View the last part of a file

- The tail, or end, of the file

- Use the ``-n`` option to specify the number of lines

# grep

- Find text in a file

- Search through many files at a time

# chmod

- Change the mode of a file system object

- r = read

- w = write

- x = execute

![image](https://user-images.githubusercontent.com/81980702/123127845-452bdd80-d410-11eb-9991-f67882493d14.png)

# logger

- Add entries to the system log

  - syslog

- Example: ``logger "Useful for including information in a local or remote Syslog"``

# SSH (Secure Shell)

- Encrypted console communication - TCP/22

- Looks and acts the same as Telnet

# Windows PowerShell

- Command line for system administrators

- .ps1 file extension

- Included with Windows 8/8.1 and 10

- Extend command-line functions

- Uses cmdlets

# Python

- General-purpose scripting language

- .py file extension

- Popular in many technologies

# OpenSSL

- A toolkit and crypto library for SSL/TLS

- Build certificates

  - Create X.509 certificates

  - Manage certificate signing requests

- Message digests

  - Support for many hashing protocols

# Wireshark

- Graphical packet analyzer

- Get into the details

- Gather frames on the network

- View traffic patterns

# tcpdump

- Capture packets from the command line

- Display packets on the screen

- Write packets to a file

# Tcpreplay

- A suite of packet replay utilities

- Replay and edit packet captures

- Test security devices

  - Check IPS signatures and firewall rules

- Evaluate the performance of security devices

# dd

- A reference to the DD command in IBM mainframe JCL (Job Control Language)

- Create a bit-by-bit copy of a drive

  - Used by many forensic tools

- Command to create an image of a drive: ``dd if=/dev/sda of=/temp/sda-image.img``

# memdump

- Copy information in system memory to the standard output stream

- Everything that happens is in memory

- Many third-party tools can read a memory dump

- Copy to another host across the network

# WinHex

- A universal hexadecimal editor

- Windows OS

- Edit disks, files, RAM

- Includes data recovery features

- Disk cloning

  - Drive replication
- Secure wipe

# FTK Imager

- AccessData forensic drive imaging tool

- Includes file utilities and read-only image mounting

- Windows executable

- Widely supported in many forensic tools

- Supports many different file systems and full disk encryption methods

# Autopsy

- Perform digital forensics of hard drives, smartphones

- Extract many different data types

  - Downloaded files

  - Browser history and cache

  - Email messages

  - Databases

  - Much more

# Exploitation frameworks

- A pre-built toolkit for exploitation

- Build custom attacks

- Add more tools as vulnerabilities are found

- Increasingly powerful utilities

- Metasploit

  - Attack known vulnerabilities

# Password crackers

- Find the passwords

- Online cracking; try username/password combinations

# Data sanitization

- Completely remove data

- No usable information remains

- Many different use cases; clean a hard drive for future use

--------------------------------------------------------------------------------
/Security+/1. Attacks, Threats, and Vulnerabilities/1.1 Social Engineering Techniques.md:
--------------------------------------------------------------------------------

# Phishing

- An email-based social engineering attack in which a cybercriminal sends an email from a **supposedly** reputable source to try and elicit private information.

- **Example** – An email will appear in a mailbox asking to reset the password for a particular program.
The link is malicious or leads you to a fake website that tries to steal confidential information.

# Smishing

- A portmanteau of **"SMS"** and phishing where cybercriminals send text messages to the user to try and get personal information or infect their device with malware.

- **Example** - A text message from your bank asking you for personal information, or even a text asking you to click on a malicious link.

# Vishing

- A portmanteau of "voice" and phishing where cybercriminals make phone calls or leave voicemails to lure an individual into revealing personal information such as bank or credit card information.

- **Example** – During tax season, cybercriminals pretended to be the IRS to try and collect information. This also happened during COVID-19, when impersonation around COVID-19 vaccines increased.

# Spam

- Unsolicited bulk messages sent through email, instant messaging, or other digital communication tools. Cybercriminals use this to try and collect confidential information by reaching a large audience through mass messaging.

- **Example** – Mass-marketing junk emails with malicious content sent out to everyone at a company.

# Spam over Instant Messaging (SPIM)

- Spam that is **propagated** through instant messaging rather than email.

- **SPIM** is usually done through social media sites. The attacker's goal is to get more information.

- **Example** – Someone messages you on Facebook Messenger saying that they work for a specific company and want you to give them confidential information.

# Spear Phishing

- An email or electronic communication scam targeted towards a specific individual, organization, or business.

- The hacker has specific information about the target, which can make the email seem more legitimate.
- **Example** – An email that seemed to be from the National Center for Missing and Exploited Children was sent directly to the person or organization. It was targeted toward the lead person in charge.

# Dumpster Diving

- A criminal targets a company or person and searches their trash for important information to fuel their motive.

- **Example** – A company throws away a sensitive document without shredding it. A criminal comes by and steals the document from the trash.

# Shoulder Surfing

- A technique used to obtain personal information by looking over someone's shoulder while they are on a computer handling confidential information.

- **Example** – While someone is doing work on an airplane during their flight, the person behind them can see information by looking at their screen.

# Pharming

- An impersonation attack in which a request for a website, typically an e-commerce site, is redirected to a similar-looking website.

- **Example** – A user opens their browser and types in the URL of their bank, with no suspicion that the site is fake. Their login information is entered on the website and the cybercriminal then has the information.

# Tailgating

- An attacker seeking entry to a restricted area, where access is unattended or controlled by electronic access, simply walks in behind a person who has legitimate access.

- **Example** – A person who has legitimate access politely holds the door to the restricted area open for an attacker, who now has entry.

# Eliciting information

- An attacker has a casual conversation with the person he is targeting, which leads to information being given to the attacker without the victim feeling interrogated or suspicious.

- **Example** – The attacker poses as a third party and has lunch with someone from corporate. He asks about information and it is given to him without any suspicion.

# Whaling

- An email-based or web-based form of phishing which targets senior executives or wealthy individuals.

- **Example** – A cybercriminal poses as a junior developer and asks someone higher up for information and possibly code that can help them penetrate a company.

# Prepending

- Adding text that appears to have been added by the mail system.

- **Example** – An attacker may add "RE:" to the subject line to make it appear as though the message is a reply, or may add something like "MAILSAFE: PASSED".

# Identity Theft

- A criminal uses your information and pretends to be you to commit fraud or gain more authority or entry to their target.

- **Example** – A cybercriminal gets your Social Security number and opens up credit, and can also use it to gain an advantage in phishing attempts.

# Invoice scams

- A cybercriminal sends an invoice, usually through email, to the target user. The cybercriminal tries to get the user to call them or to gain access to their computer.

- **Example** – A Best Buy Geek Squad invoice gets sent to your email regarding a billing plan. They want you to click on a malicious link or call a number to collect personal information.

# Credential harvesting

- A cybercriminal sets up a fake website that looks like it belongs to a well-known company. The goal is for the user to type in their personal information, such as a login, which will then be seen by the criminal.

- They try to get as many credentials as they can through this website. This can also be done through **DNS poisoning**.

- **Example** – A fake banking website that targets users to enter their password.
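The fake sites used for pharming and credential harvesting above, and the "faacebook.com" typosquat named later in this file, share one trait a defender can check for: a registrable domain that resembles a brand without being it. The Python example below is added here and is not from the notes; the brand watch list, the confusable-character table and every candidate domain are constructed for the demonstration.

```python
"""Added example, not from the notes: flag lookalike domains of the kind
used by pharming, credential-harvesting and typosquatting sites by comparing
a domain's registrable name against a brand watch list. The watch list,
confusable table and candidate domains are constructed for the demonstration."""
from __future__ import annotations

PROTECTED = ("facebook.com", "examplebank.com")  # constructed watch list

# Character sequences that read alike in many fonts, mapped onto the
# characters an attacker is imitating (applied before comparison).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise(label: str) -> str:
    """Collapse confusable sequences so 'facebo0k' compares as 'facebook'."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap
    two adjacent characters, each costing 1, so 'faecbook' is 1 from 'facebook'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(domain: str) -> str:
    """Last two labels of a host name. Simplification: production code should
    consult the Public Suffix List so that suffixes such as co.uk are handled."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def classify(domain: str, protected=PROTECTED) -> tuple[str, str | None, str]:
    """Return (verdict, matched brand or None, reason) for a host name."""
    labels = domain.lower().strip(".").split(".")
    reg = registrable(domain)
    if reg in protected:
        return ("legitimate", reg, "registrable domain is on the watch list")
    reg_name = reg.split(".")[0]  # 'faacebook' from 'faacebook.com'
    for brand in protected:
        brand_name = brand.split(".")[0]
        if brand_name in labels[:-2]:  # e.g. facebook.com-login.evil.test
            return ("lookalike", brand, "brand name used as a subdomain label")
        if reg_name == brand_name:  # e.g. facebook.net
            return ("lookalike", brand, "brand name under a different suffix")
        if normalise(reg_name) == brand_name:
            return ("lookalike", brand, "confusable characters")
        dist = osa_distance(reg_name, brand_name)
        if dist <= 1:
            return ("lookalike", brand, f"typo at edit distance {dist}")
    return ("unrelated", None, "no watch-list brand resembles this domain")
```

Feeding `classify` the domains seen in proxy or DNS logs turns the notes' "similar-looking website" into a concrete alert, while legitimate subdomains such as `login.facebook.com` stay green.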
# Reconnaissance

- A hacker collects information about a system before they hack into it. The hacker usually learns a lot about the system through footprinting, enumeration, and scanning.

- **Example** – A hacker interacting with a company's website to understand what exactly goes through their network. Nmap is also used to map out a network.

# Hoax

- A malicious communication that tricks the user into performing undesired actions such as deleting important system files in an attempt to remove a virus, or sending money. The hoax is not real.

- **Example** - A user goes to a website and a pop-up shows. It says the user's computer has been compromised. The pop-up is a hoax; the user's computer isn't compromised.

# Impersonation

- The attacker usually sets up a scenario. They can act like someone from a reputable company such as Microsoft. The attacker then asks the victim for information.

- **Example** - A voicemail that states "This is an enforcement action executed by the US Treasury intending your serious attention".

# Watering hole attack

- A cybercriminal has trouble getting into the system because it is well secured. They look for another entry point from the victim's history, such as a third party, to gain entry.

- The cybercriminal researches third parties that the company may use and infects their website. This then gets relayed to the company's network.

- **Example** – The victim goes to a sandwich shop website and inputs his information there. The hacker then tries to get the login from the sandwich shop.

# Typo squatting

- Also known as "URL hijacking". The attacker registers a URL that is similar to the legitimate website, so that a user who accidentally makes a typo lands on the non-authentic website.
- **Example** – A website such as facebook.com is visited frequently. The attacker might make a non-legitimate website called "faacebook.com" which a user can visit if they make a typo.

# Pretexting

- A social engineering attack that involves a story which will be used to achieve the attacker's motive.

- **Example** – An attacker calls an employee of a company and acts as if they are high in power, such as a CEO, and then asks for sensitive data. The plan to act as a CEO is the pretext.

# Influence campaigns

- A fake campaign that sways public opinion on political issues. The goal of the criminals behind this campaign is to divide, distract, and persuade.

- The criminal sets up fake users, creates content, posts on social media, and amplifies messages; real users share the message, and mass media picks it up.

- **Hybrid warfare** – Military strategy where a country tries to sway views politically. It uses fake news and is also known as "Cyber Warfare".

- **Social Media** - The attack usually happens on social media to affect the general population's opinions.

# Principles (reasons for effectiveness)

- **Authority**

  - People find it difficult to refuse a request by someone they perceive as superior

- **Intimidation**

  - They use scare tactics such as you will be arrested, payroll won't be processed, etc.

- **Consensus**

  - Convincing based on what's normally expected; "a coworker did this for me last week"

  - Many people act just as they think others will act

- **Scarcity**

  - The situation won't last very long; rushes the process to make the victim skip thinking.

  - This is a false sense of scarcity.
- **Familiarity**

  - They try to become your friend or relate to you, so you let down your guard.

  - There is a natural charisma that allows people to be persuaded.

- **Trust**

  - Gives the victim a sense of safety; they can claim they are part of the IT team.

- **Urgency**

  - They state that this needs to be done or you will be arrested or your bank will be charged.

--------------------------------------------------------------------------------