Security

The document discusses various topics related to information security including risk management frameworks, risk assessment, security controls, data classification, user roles, security policies, third party agreements, and cryptography. It provides details on common risk management processes and standards, methods for assessing and responding to risks, different types of security controls, how to classify and manage organizational data sensitivity, roles for data users and owners, important security policies, elements of third party contracts, and cryptography methods including symmetric encryption techniques.

Uploaded by

Yovxy Ma

Confidentiality, Integrity, Availability

1-1-Risk Management
1-1-1- Framework ( NIST Risk Management Framework Special Publication SP 800-37, ISACA Risk IT Framework )

- Regulatory

- Non-Regulatory ( ISACA IT Infrastructure )

- National Standards ( SP 800-37 )

- International Standards ( ISO 27000 )

- Industry Specific Standards

1-1-2- Risk Management Frameworks:

- NIST : Categorize, Select, Implement, Assess, Authorize, Monitor.

- Vulnerability, Threat, Threat Agent ( Adversarial | Accidental | Structural | Environmental )

- Risk

- Likelihood ( Quantitative likelihood | Qualitative likelihood )

- Impact ( Quantitative | Qualitative )

CSU/DSU: the device used to convert the user data from the DTE into a form acceptable to the WAN service provider's transmission link

1-1-3- Business Impact Analysis:

- Impact Analysis steps:

- Determine Mission Processes ( Important processes such as internet, servers..etc )

- Identify Critical Systems

- Single point of failure

- Identify resources requirements

- Identify recovery priorities


- Impact types: Property, People ( Safety, deaths ), Finance ( Credits, Cash flow ), Reputation.

- Privacy Impact Assessment ( PIA ):

- Privacy Threshold Assessment ( PTA )

- Recovery Time Objective ( RTO ): Maximum amount of time to restore a CRITICAL system into operation.

- Recovery Point Objective ( RPO ): Maximum amount of data that can be lost without substantial impact.

1-1-4- Quantitative Risk Calculations:

- Exposure Factor ( EF ): percentage of an asset lost as a result of an incident

- Single Loss Expectancy ( SLE ) = Asset Value x Exposure Factor

- Annualized Rate of Occurrence ( ARO )

- Annualized Loss Expectancy ( ALE ) = SLE x ARO

Mean time to repair ( MTTR ): amount of time a certain asset is down until it is repaired.

Mean time to failure ( MTTF ): amount of time from when it starts working until it goes down ( usually for things that can't be repaired ).

Mean time between failures ( MTBF ): amount of time between the start of each failure.

NIST SP 800-30 ( lists the risks an organization might be exposed to )
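The figures from 1-1-4 worked through in code. This is an added example, not part of the original notes: the web-shop scenario, its asset value, exposure factor, rate of occurrence and the control cost are constructed numbers, and the MTBF = MTTF + MTTR relation used for the availability figure is the standard one for repairable systems.

```python
# Added example (not from the notes): SLE, ALE, a control cost/benefit check,
# and MTTF/MTTR/MTBF. All values below are constructed.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: what the asset is worth, in currency units
    exposure_factor: float  # EF: fraction of the asset lost per incident, 0.0 .. 1.0
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value x Exposure Factor."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO (loss expected per year)."""
        return self.sle() * self.aro


def control_benefit(scenario: RiskScenario, annual_control_cost: float,
                    residual_aro: float) -> tuple[float, bool]:
    """Net yearly benefit of a control that lowers the ARO to residual_aro.

    A control pays for itself when ALE(before) - ALE(after) exceeds its cost.
    """
    after = RiskScenario(scenario.name, scenario.asset_value,
                         scenario.exposure_factor, residual_aro)
    net = scenario.ale() - after.ale() - annual_control_cost
    return net, net > 0


def availability(mttf_hours: float, mttr_hours: float) -> tuple[float, float]:
    """MTBF = MTTF + MTTR; steady-state availability = MTTF / MTBF."""
    mtbf = mttf_hours + mttr_hours
    return mtbf, mttf_hours / mtbf


# Constructed scenario: an outage costs a quarter of the asset's value and is
# expected twice a year.
WEB_SHOP = RiskScenario("web shop outage", asset_value=100_000.0,
                        exposure_factor=0.25, aro=2.0)

if __name__ == "__main__":
    print(f"SLE = {WEB_SHOP.sle():,.0f}  ALE = {WEB_SHOP.ale():,.0f}")
    net, worth_it = control_benefit(WEB_SHOP, annual_control_cost=10_000.0,
                                    residual_aro=0.5)
    print(f"net benefit of control = {net:,.0f}  worth it: {worth_it}")
    mtbf, avail = availability(mttf_hours=990.0, mttr_hours=10.0)
    print(f"MTBF = {mtbf:.0f} h  availability = {avail:.2%}")
```

With the constructed numbers the SLE is 25,000, the ALE 50,000, and a 10,000-per-year control that cuts the ARO to 0.5 still leaves a net benefit of 27,500, which is the usual way to justify spending on a mitigation.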

1-2-Risk Assessment
- Nessus Web service

- Benchmark

- Secure Configuration Guide

- Network Infrastructure Devices

- General Purpose guides


1-3-Risk Response
- Risk Mitigation

- Risk Transference

- Risk Acceptance

- Risk Avoidance

1-4-Security Controls
1-4-1- Control Types:

- Administrative Control / Management Control:

- Laws

- Policies

- Guidelines

- Best Practices

- Technical Control:

- Computer stuff

- Firewalls

- Password Links

- Authentication

- Encryption

- Physical Control:

- Gates

- Guards

- Keys

- Mantraps

1-4-2- Security Control Functions:


- Deterrent

- Preventative

- Detective

- Corrective

- Compensating

1-4-3- Examples:

- Mandatory Vacations

- Job Rotation

- Multi-Person Control

- Separation of Duties

- Principle of Least Privilege

- Extra Info

- Diversity vs Redundancy : Diversity = using multiple tools, Redundancy = using the same tool in multiple places

- Security controls come from the policies & standards

1-4-4- IT Security Governance:

- Sources:

- Laws & Regulations

- Standards

- Government Standards: NIST ( National Institute of Standards and Technology ), ISO ( International Organization for Standardization )

- Industry Standards: PCI-DSS

- Best Practices

- Common Sense
- Policies:

- Organization Standards:

- Procedures:

1-4-5- Security Policies:

- Acceptable use policy: defines what a person can & can't do on company assets.

- Data Sensitivity & Classification Policies: define how important each piece of data is.

- Access Control Policies: define how to get access to data or resources.

- Password Policy

- Care & Use of equipment: how to maintain equipment...etc

- Privacy Policies: often for customers ToS.

- Personnel Policies: often for people who handle the data.

1-5- Organization Data:


1-5-1- Data Sensitivity ( Labeling ):

- Public:

- no restrictions ( postal data, bridges..etc )

- Confidential:

- Limited to authorized parties involved.

- Private :

- data limited to individuals ( PII, SSN...etc )

- Proprietary:

- like private but at a corporate level ( like formula of Coca Cola )

- Private health information ( PHI )

- any type of information related to a person ( HIPAA )


1-5-2- Data Roles:

- Owner:

- Legally responsible for the data ( can be a company ).

- Steward / Custodian:

- Maintain the accuracy and integrity of data.

- Privacy officer:

- ensures data adheres to privacy policies and procedures.

1-5-3- Data users:

- Roles:

- Users:

- assigned standard permissions to complete tasks.

- Privileged users:

- increased access and control relative to a user.

- Executive users:

- sets policies on data & incident response actions.

- System administrator:

- has complete control over the system & data.

- System owner ( data owner ):

- has legal ownership of the data.

1-5-4- Role-based data controls:

- System owner: management level role, maintains systems, defines a system administrator

- System administrator: day to day administration of a system, implements security controls

- Data owner: defines the sensitivity of the data, defines the protection of the data, defines access to the data

- User: access the assigned data

- Privileged user: special access to data beyond a typical user

- Executive user: read-only access but can see all business data

1-5-5- Extra:

- Personally identifiable information ( PII )

- NIST SP 800-122

- Personal management controls

- Mandatory vacations

- prevents collusion

- Job rotation

- Separation of duties

- Dual execution

1-6- Security Training:


- Onboarding: ( bringing someone from outside into your infrastructure or company )

- Background check.

- NDA ( non-disclosure agreement )

- Standard Operation procedures.

- Specialized issues

- Rules of behavior

- General Security Policies

- Continuing education:

- Offboarding:

- disable accounts ( never delete accounts )


- return credentials

- exit interview ( knowledge transfer )

1-7- Third party agreements:


1-7-1- Business Partner Agreements (BPA):

- Primary entities

- Time Frame

- Financial issues

- Management

1-7-2- Service Level Agreement (SLA):

- Service to be provided

- Minimum up-time

- Response time ( contacts )

- Start & End date

1-7-3- Interconnection Security Agreement (ISA) (NIST 800-47):

- Statement of requirements ( Why, Who is)

- System security considerations ( What info, Where is the info going, What services are involved ( https, smtp...etc ), What encryption )

- Topological Drawing: ( technical drawing to show connection locations, endpoints, IPs, CSU/DSU )

- Signature authority ( time frame, security reviews, technical’s )

1-7-4- Memorandum of Understanding / Agreement: ( Not a Contract ) ( MOU / MOA )

- Purpose of the interconnection

- Relevant authorities

- Specify the responsibilities

- Downtime, Billing
- Define the terms of the agreement

- Cost

- Termination / Reauthorization

2-1- Cryptography:
Obfuscation, confusion, encryption, decryption, Exclusive OR ( XOR ), symmetrical encryption, In-Band ( sending the key with the data ), Out-of-Band, Block

Caesar Cipher. Kerckhoffs' Principle: the algorithm can be completely known; as long as you don't know the key, you still can't read the data.

Cryptosystem: very defined piece of cryptography to get things done.

Alice - Eve ( hacker ) - Bob

Collision

Electronic Code Book ( ECB ): can generate patterns of data

Block modes
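A small demonstration of the two primitives named above, Caesar and XOR, and of what Kerckhoffs' principle means in practice. This is an added example, not from the original notes; the messages and the two-byte XOR key are constructed. With the algorithm public, Caesar's entire security is its key, and there are only 26 of them; XOR with a key is its own inverse, which also means reusing one key across two messages cancels it out.

```python
# Added example (not from the notes): a Caesar cipher and byte-wise XOR, used to
# show Kerckhoffs' principle in practice. All messages and keys are constructed.
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(text: str, key: int) -> str:
    """Shift every letter by `key` places; other characters pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(text: str, key: int) -> str:
    return caesar_encrypt(text, -key)


def keys_revealing(ciphertext: str, crib: str) -> list:
    """Kerckhoffs' principle at work: the algorithm is public, so the only
    secret is the key, and Caesar has just 26 of them. Return every key under
    which the expected word `crib` appears in the decryption."""
    return [k for k in range(26) if crib in caesar_decrypt(ciphertext, k)]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the repeating key. XOR is its own inverse, so the same
    call with the same key turns ciphertext back into plaintext."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """When one XOR key covers two messages, XORing the two ciphertexts cancels
    the key and leaves m1 XOR m2. This is why a key (or keystream) is never reused."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    ct = caesar_encrypt("ATTACK AT DAWN", 3)
    print(ct, "-> keys revealing DAWN:", keys_revealing(ct, "DAWN"))
    key = b"\x5a\xa5"                      # constructed two-byte key
    m1, m2 = b"PAY 100", b"PAY 900"
    c1, c2 = xor_bytes(m1, key), xor_bytes(m2, key)
    print("round trip:", xor_bytes(c1, key) == m1)
    print("key reuse leaks m1 xor m2:", key_reuse_leak(c1, c2) == xor_bytes(m1, m2))
```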

2-1-1- Cryptography Methods:

- Symmetrical Encryption:

- In-Band ( sending key with the data ),

- Out-of-Band

- Primary way of encryption

- Asymmetric Encryption: ( used to send session key )

- uses a key pair

- Public Key: is only used to encrypt


- Private Key: only used to decrypt

- Ephemeral Key:

- Temporary

- Data Encryption Standard ( DES ):

- 64-bit block, Initial Permutation ( steers the data )

- Block cipher, 16 rounds, 56-bit key

- Triple DES :

- has a 168-bit key

- Blowfish:

- has a variable key size

- Advanced Encryption Standard ( AES ):

- Block cipher

- 128-bit Block Size

- Key size: 128,192,256 bits

- Rounds: 10, 12 or 14

- RC4 ( streaming encryption )

- Key size: 40 - 2048 bit

2-1-2- Block Modes:

- Electronic Code Book ( ECB ):

- can generate patterns of data

- Cipher Block Chaining ( CBC ):

- Uses an initialization vector ( IV ) that is the same size as a block

- Feeds each encrypted block into the encryption of the next block

- Cipher Feedback ( CFB ):


- Uses the initialization vector by encrypting it.

- Counter ( CTR ):

- Nonce value + counter is encrypted to generate the keystream for each block
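The block modes above, shown on a toy cipher so the code runs offline without a crypto library. This is an added example, not from the original notes. The block cipher here is a 4-round Feistel network with a SHA-256 round function, constructed purely to stand in for AES and never for real use; the key, IV, nonce and message are constructed too. The point to see is ECB's "patterns of data": four identical plaintext blocks come out as four identical ciphertext blocks under ECB, while CBC and CTR hide the repetition.

```python
# Added example (not from the notes): ECB, CBC and CTR modes built on a toy
# 64-bit Feistel block cipher (round function from SHA-256). The cipher is a
# stand-in for AES, for illustration only. Keys, IV, nonce and message are constructed.
import hashlib
import os

BLOCK = 8  # toy 64-bit block; AES uses 16-byte blocks

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_key(key: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd])).digest()[:8]

def _f(half: bytes, rk: bytes) -> bytes:
    return hashlib.sha256(rk + half).digest()[:4]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel: L, R = R, L xor F(R, k_i); halves swapped at the end."""
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(r, _round_key(key, rnd)))
    return r + l

def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Same network with the round keys in reverse order."""
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = r, _xor(l, _f(r, _round_key(key, rnd)))
    return r + l

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # PKCS#7-style: always add 1..BLOCK bytes
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: blocks encrypted independently, so equal plaintext blocks give
    equal ciphertext blocks and the pattern of the data shows through."""
    return b"".join(block_encrypt(key, b) for b in _blocks(pad(plaintext)))

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block (the IV for
    the first) before encryption, so repeated plaintext no longer repeats."""
    prev, out = iv, []
    for b in _blocks(pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for c in _blocks(ciphertext):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: encrypt nonce || counter to get a keystream block and XOR it with
    the data. No padding needed; the same call encrypts and decrypts."""
    out = []
    for counter, chunk in enumerate(_blocks(data)):
        keystream = block_encrypt(key, nonce + counter.to_bytes(4, "big"))
        out.append(_xor(chunk, keystream))
    return b"".join(out)

def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier one (ECB's tell-tale)."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))

if __name__ == "__main__":
    key, iv, nonce = os.urandom(16), os.urandom(BLOCK), os.urandom(4)
    msg = b"ATTACK!!" * 4                  # four identical 8-byte blocks
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, iv, msg)))
    print("CTR round trip:", ctr_crypt(key, nonce, ctr_crypt(key, nonce, msg)) == msg)
```

The same check works against real AES-ECB output: count duplicate ciphertext blocks, and anything above zero on structured input is the pattern leak the notes warn about.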

2-1-3- Cryptosystem:

- RSA:

- Asymmetric Encryption

- Elliptic Curve Cryptography ( ECC ):

- Asymmetric Encryption

- Uses smaller keys than RSA for the same security, with better performance.

- Diffie Hellman:

- PGP/GPG

- PGP was used for email encryption ( OpenPGP )

- GPG is used for desk encryption.

- Hashing

- MD5

- 128-bit hash.

- Secure Hash Algorithm ( SHA )

- SHA-1 : 160-bit hash

( Both MD5 & SHA-1 are susceptible to collision )

- SHA-2 or (SHA-256, SHA-512)

- RIPEMD

- Not very common

- 128, 160, 256, 310 bit


- HMAC

- Steganography: ( the art of hiding data inside other data )

2-1-4- Certificates of trust:

- Digital Signature

- Web of trust:

- requires too much maintenance.

- Public Key Infrastructure (PKI):

- requires Certificates Authority ( CA )

- requires intermediary certificates

- PKCS:

- PKCS-7 - stores certificates

- PKCS-12 stores certificates + private key as a package..

- X.509

- Certificate Revocation List ( CRL )

- lists revoked certificates

- takes a long time for a revocation to reach clients

- Online Certificate Status Protocol ( OCSP )

- Real-Time check

2-1-5- Cryptographic Attacks:

- Brute force attack : trying every possible input in order to crack a password

- Dictionary attack

- Rainbow tables : tables of precomputed hashes


- Methods ( defences )

- Obfuscation : can add new characters

- Salt

- Key Stretching : repeatedly hashes to derive a stronger, slower-to-guess key
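One block covering both the hashing list in 2-1-3 ( digest sizes of MD5, SHA-1 and SHA-256, and an HMAC tag ) and the defences just listed ( salt and key stretching ). This is an added example, not from the original notes; the shared key, messages, passwords and fixed salts are constructed, and the iteration count is an assumed value. The salt is what defeats a precomputed rainbow table, the iteration count is the stretch that makes each guess expensive, and the constant-time comparisons avoid leaking how many bytes matched.

```python
# Added example (not from the notes): digest sizes for MD5 / SHA-1 / SHA-256, an
# HMAC integrity tag, and salted, stretched password storage with PBKDF2.
# All inputs are constructed; the iteration count is an assumed value.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # the "stretch": every guess costs this many HMAC rounds


def digest_info(algorithm: str, data: bytes) -> tuple:
    """Return (hex digest, digest length in bits) for a hashlib algorithm name."""
    h = hashlib.new(algorithm, data)
    return h.hexdigest(), h.digest_size * 8


def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message: integrity plus proof the sender knew the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so timing does not reveal how many bytes matched."""
    return hmac.compare_digest(make_tag(key, message), tag)


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salt + PBKDF2-HMAC-SHA256. A fresh random salt per user means two users
    with the same password get different hashes, so a table precomputed from
    bare passwords (a rainbow table) matches nothing."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  PBKDF2_ITERATIONS)
    return salt, derived


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, derived = hash_password(password, salt)
    return hmac.compare_digest(derived, stored)


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256"):
        print(algo, digest_info(algo, b"abc"))
    key, msg = b"shared-secret", b"amount=10"
    tag = make_tag(key, msg)
    print("tamper detected:", not verify_tag(key, b"amount=100", tag))
    s1, h1 = hash_password("correct horse")
    s2, h2 = hash_password("correct horse")
    print("same password, different hashes:", h1 != h2)
    print("login ok:", verify_password("correct horse", s1, h1))
```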

3- Identity & Access management:


Identification / Authorization / Authentication

Multi factor authentication : using multiple authentication methods

Authorization Concepts:

- Permissions:

- Administrators Assign Permissions

- Rights and Privileges:

- Least Privileges and separation of duties

- Access Control List:

- Mandatory Access Control: MAC, Labels

- Discretionary Access Control: DAC, Owner of data defines access, Roles

- Role-Based Access Control.

- Access to resources is defined by a set of rules.

- Groups.

- Implicit Deny
- Passwords Security:

- Good Security Policy: Complexity, Expiration, History

- Local Security Policy: Set password requirements, Lockdown for users.

- Group Policy Objects: set security policy for multiple domains, groups, OUs

- NTFS Permissions:

- Deny is stronger than allow, deny is for inheritance

- NTFS permissions are granted to users and groups on folders and files

- Permissions inherit from folders into the files and folders beneath it

- Copying and moving NTFS objects has different effects on NTFS permission assignments
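An ACL evaluator that follows the two rules stated in these notes: an explicit deny is stronger than an allow, and anything no entry matches is implicitly denied. This is an added example, not from the original notes and not Windows' own NTFS algorithm (which also orders inherited and explicit entries); the users, groups and the payroll-folder ACL are constructed.

```python
# Added example (not from the notes): ACL evaluation with deny-over-allow and
# implicit deny. Users, groups and the ACL below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry: who, which permission, allow or deny."""
    principal: str   # a user name or a group name
    permission: str  # "read", "write", ...
    allow: bool      # True = allow entry, False = deny entry


# Constructed directory: user -> groups (roles) the user belongs to.
GROUPS = {
    "alice": {"finance", "staff"},
    "bob": {"staff"},
    "carol": {"contractors"},
}

# Constructed ACL on a payroll folder.
PAYROLL_ACL = [
    Ace("finance", "read", True),
    Ace("finance", "write", True),
    Ace("staff", "read", True),
    Ace("contractors", "read", False),   # explicit deny on a group
    Ace("bob", "read", False),           # explicit deny on a user beats his group allow
]


def principals_for(user: str) -> set:
    """The user plus every group the user is a member of."""
    return {user} | GROUPS.get(user, set())


def is_allowed(acl, user: str, permission: str) -> bool:
    """Evaluate the ACL for one user and one permission.

    1. Collect entries naming the user or one of the user's groups for this permission.
    2. Any deny among them wins (deny is stronger than allow).
    3. Otherwise an allow is needed; no matching entry at all is an implicit deny.
    """
    mine = principals_for(user)
    matching = [a for a in acl if a.principal in mine and a.permission == permission]
    if any(not a.allow for a in matching):
        return False
    return any(a.allow for a in matching)


def effective_permissions(acl, user: str) -> set:
    """Every permission the ACL mentions that this user actually ends up with."""
    return {a.permission for a in acl if is_allowed(acl, user, a.permission)}


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, sorted(effective_permissions(PAYROLL_ACL, user)))
```

Note that "dave" is in no group and named by no entry, so he gets nothing: that is the implicit deny, and it is the reason a host firewall or ACL is built as a whitelist of allows rather than a list of denies.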

- User account management:

- Continuous Access Monitoring:

- Track log on / log off activity

- Track file access

- Shared accounts: don't do it

- Multiple accounts: has to happen

- Use different user name and passwords

- Monitor which users belong to which groups

- Use least Privileges

- Monitor and log activity of users with multiple accounts

- Default and generic names: change, delete default usernames

- Use dedicated service accounts

- AAA ( Authentication, Authorization and Accounting ):


- Remote Authentication Dial-in user service ( RADIUS )

- Dial-in Networking

- RADIUS Server: main server

- RADIUS Client: the network access device that sits between the server and the users

- RADIUS Supplicant: the user or device trying to get authenticated

- Currently used for wireless networks,

- is used for network access

- Can use up to 4 different ports: 1812, 1813, 1645, 1646

- Terminal Access Controller Access-Control System Plus ( TACACS + )

- Decouples the authorization from the authentication

- Uses TCP port 49

- BOTH RADIUS and TACACS+ provide accounting ( audit log files )

- Single Sign-On:

- on a single local area network ( LAN ), uses Windows Active Directory:

- Federated Systems

- for multiple domains, Security Assertion Markup Language ( SAML ):

- Identity Provider ( IdP )

Broadcast storm

4-Tools of trade:
- PING ipv4, ipv6

- Netstat: see who you are talking to and who is talking to you, netstat -n ( outgoing ), netstat -a ( open ports )

- Tracert: traces the route of a connection through the ISP


- ARP ( Address Resolution Protocol ): ARP poisoning

- ipconfig, ipconfig /all ( get MAC )

- nslookup / dig

- netcat ( vulnerability assessment tool ), can listen and also send

- Network scanner:

- nmap, scan a host

- Zenmap, same as nmap but graphical

- Protocol analyzers

- Wireshark

-Sniffer, TKCAP, NTCAP

- TCPDump

- Simple Network Management Protocol ( SNMP ):

- Managed device

- SNMP Manager

- Network Management Station ( NMS )

- Management Information Base ( MIB )

- SNMP Queries

- GET

- Response

- Trap ( when issues happen in device, send back to station )

- Walk ( Multiple GET )


- SNMP Versions:

- Version 1: no encryption

- V2 : basic encryption

- V3 : TLS encryption

- SNMP lingo

- SNMP community: organization of managed device

- Logs: Event logs, security logs..etc

- Non-Network Events: events happen in a host without being connected to a network

- Network Event: event that deals with communication between the host and something on the network

- Decentralized Logging: fine for small organizations

- Centralized Logging: for larger organizations or best practice

- Monitoring as a Service ( MaaS ), pay to query all logs

5-Securing Individual systems:


- Denial of service:

- Volume attack

- PING Flood

- UDP flood

- Protocol attack

- SYN Flood / TCP/SYN Flood

- Application attack

- Slowloris attack : opens connections to a web server ( e.g. Apache ) and never completes them, easy to fix

- Amplification attack
- Smurf attack

- Distributed Denial-Of-Service attack: botnet

- Host threats:

- Spam: spam emails

- Phishing & Spear Phishing

- Spim: spam via instant messaging

- Vishing: using voice for phishing

- Clickjacking: maliciously redirecting a user's click to something other than what they see

- Typo squatting & Domain hijacking: typo squatting = look-alike domains with typos, domain hijacking = taking over domain names

- Privilege Escalation ( elevation ):

- Man-in-the-middle attack:

- Third-party interception between two-party conversation

- Wireless man-in-the-middle: sniffing using an interceptor USB

- 802.11

- WPA, WPA2 are encrypted

- WEP not encrypted

- Bluetooth

- NFC

- Wired man-in-the-middle

- Spoofing: Mac spoofing, IP spoofing, DNS addressing, DHCP spoofing

- Ettercap ( software )
- Manipulating the MitM Data:

- Replay attack: replaying captured login packets to log in

- Downgrade attack: forcing plain HTTP, or a weaker SSL/TLS version

- Session hijacking:

- Firesheep ( tool to use for session hijacking )

- System Resiliency

- Scalability: increasing the number of servers to deal with traffic

- Elasticity: increasing the number of servers as demand goes up, and dropping them when demand is lower

- Redundancy: having more than one of a thing in case one system fails

- Distributive Allocation: multiple locations

- Non-Persistence:

- Snapshot ( save the state of the entire system ),

- Known State ( revert to a specific state, such as before updates )

- Rollbacks: ( rolls back drivers )

- Redundant Array of Independent Disks ( RAID )

- Provides Integrity

- Improves access

- RAID 0 ( striping ): increases speed, but has no data integrity

- RAID 1 ( mirroring ): doesn't change performance, but has data integrity

- Parity ( RAID 2 to RAID 4 ): a dedicated parity drive stores the math needed to recover one of the drives, has data integrity

- RAID 5: ( MIN 3 DRIVES ) you can't lose more than one drive

- RAID 6 ( MIN 4 DRIVES ): saves 2 parity drives' worth of data

- RAID 01 ( MIN 4 DRIVES ): mirror of stripes, mirroring the data across the drives

- RAID 10 ( MIN 4 DRIVES ): stripe of mirrors, same idea as RAID 01
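The "math" the parity levels store, worked through. This is an added example, not from the original notes: the parity block is simply the XOR of the data blocks in a stripe, so with one block missing the XOR of everything left reproduces it, and the drive contents below are constructed. It also shows the limit the notes give for RAID 5: a single parity block leaves one unknown per stripe, so losing two drives at once cannot be recovered from.

```python
# Added example (not from the notes): the XOR parity behind RAID 2-5, showing
# single-drive rebuild and why two failures need RAID 6's second parity.
# Drive contents are constructed.
def xor_blocks(blocks):
    """XOR a list of equal-length byte blocks together."""
    if not blocks:
        raise ValueError("need at least one block")
    out = bytearray(len(blocks[0]))
    for block in blocks:
        if len(block) != len(out):
            raise ValueError("blocks in a stripe must be the same size")
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def build_stripe(data_blocks):
    """Return the data blocks plus their parity block, one block per drive."""
    return list(data_blocks) + [xor_blocks(data_blocks)]


def rebuild(stripe, missing):
    """Reconstruct the block of the failed drive whose index is in `missing`.

    Single parity gives exactly one unknown per stripe, so one failed drive can
    be rebuilt (RAID 5); two at once cannot, which is what RAID 6's second
    parity block is for.
    """
    if len(missing) > 1:
        raise RuntimeError("more than one failed drive: single parity cannot recover")
    survivors = [b for i, b in enumerate(stripe) if i not in missing]
    return xor_blocks(survivors)


def verify_stripe(stripe):
    """Parity check: XOR of every block including parity must be all zeros."""
    return xor_blocks(stripe) == bytes(len(stripe[0]))


if __name__ == "__main__":
    stripe = build_stripe([b"AAAA", b"BBBB", b"CCCC"])   # 3 data drives + 1 parity
    print("parity block:", stripe[-1], "stripe consistent:", verify_stripe(stripe))
    print("rebuilt drive 1:", rebuild(stripe, {1}))
    print("rebuilt parity drive:", rebuild(stripe, {3}))
```

Real RAID 5 rotates which drive holds the parity for each stripe instead of dedicating one drive to it (the RAID 2-4 layout), but the arithmetic per stripe is exactly this.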

- NAS and SAN:

- Network attached Storage ( NAS ): tend to be cheaper

- Runs over a standard network

- Shows up as normal shares on network

- Storage area network ( SAN ): tend to be expensive

- SAN provides block-level storage ( shows up as a hard drive )

- Fibre Channel ( FC ): hella expensive

- Host bus adapter ( HBA )

- iSCSI: the poor man's SAN

- iSCSI initiator

- Physical Hardening:

- Removable media controls:

- MMC for windows

- Data Execution Prevention ( DEP )

- advanced settings > performance > Data Execution Prevention > enable

- Disabling ports: from BIOS

- Turn off legacy non-active ports to avoid Vulnerable entry point

- Radio Frequency Interference ( RFI ), Electro-Magnetic Interference ( EMI ), Electro-Static Discharge ( ESD ):

- Radio Frequency Interference ( RFI ) & Electro-Magnetic Interference ( EMI ): based on radiation

- Separation

- Shielding

- Separation of circuit

- Electro-Static Discharge ( ESD ): based on electricity

- Protection from electric charges

- Host Hardening:

- Disable Unnecessary services:

- go to services > properties > startup type > disable

- Default passwords: changing default passwords in IoT

- Disabling Unnecessary accounts : disable guest accounts, duplicate accounts

- Patch Management :

- Monitor: might not get reminders.

- Test: Deploy in a sandbox environment first

- Evaluate

- Deploy patch

- Scheduling issues

- Document

- Anti-Malware:

- Training for users: training to detect signs of malware

- Procedures

- Best practices

- Monitoring

- Intrusion Detection systems ( IDS )


- Third-party anti-malware tools

- Firewalls:

- Firewalls work on an application-level basis

- Whitelist

- Blacklist

- Data and system security:

- Data integrity

- Speed/quick access

- High availability

- RAID

- Clustering: use multiple computers for the same job, expensive

- Load Balancing

- Virtualizing the servers

- Disk Encryption:

- Slow down your systems

- For mobile and portable devices

- Desktop systems with limited security

- TPM ( trusted platform module ): a soldered chip holding private keys that can't be extracted, used to encrypt disks

- Activate TPM

- PGP ( pretty good privacy ) disk:

- TrueCrypt

- BitLocker

- FileVault
- Hardware/Firmware security

- Full Disk encryption ( FDE )

- Self-Encrypting drive ( SED )

- Secure boot:

- TPM

- Hardware root of trust

- Secure supply chain

- Hardware security module ( HSM ): dedicated device to hold keys and check signatures

- Secure OS types:

- Server OS:

- Built-in functionality.

- connections

- Workstation

- Desktop versions

- Workhorse

- Embedded systems:

- Appliance

- Kiosk: like an LCD stand with huge screen attached

- Limited function

- Mobile OS

- Apple

- Android

- Securing Peripherals:
- Wired vs Wireless

- Bluetooth

- Bluejacking: hijack device

- Bluesnarfing: grab data

- Class1 is 328', Class2 is 33', class3 is 3" distance

- Most mobile phones and Bluetooth headsets are Class2 range up to 33'

- 802.11

- WPS, WPA2

- Hidden Wi-Fi

- Wi-Fi SD-cards

- Displays

- USB ports

- Rubber Ducky, a malicious USB stick

- Avoid backdoors

- Patch devices

- Malware:

- Virus:

- Attach to other files

- Propagate:

- Spread to other devices

- Activate

- Adware:

- Spyware:

- Hides inside the system


- Trojan Horse & RATs

- Remote access Trojans ( RATs )

- Ransomware / Crypto-Malwares:

- Logic Bomb:

- Logic bombs are triggered by an event

- Rootkit & backdoor:

- A rootkit is software that escalates privileges to execute other things on the computer.

- rootkits are harder to detect

- Backdoor:

- Polymorphic Malware / keylogger & armored Viruses

- Polymorphic Malware changes itself to confuse anti-virus

- Armored Viruses are hard for anti-malware to detect & destroy

- Key logger records keystrokes

- Analyzing outputs:

- Anti-Malware / anti-virus

- Configuring them

- Host-based firewall

- Windows firewall, implicit Allow/Deny

- File integrity

- File integrity check

- SystemFileChecker

- Application whitelist

* False positive - scan results identify a file that may not actually harm a system

* Host-based firewalls are set up as implicit deny by default; access is controlled by an ACL whitelist
- IDS and IPS

- Intrusion Detection system ( IDS ):

- Inside the network

- Monitors network traffic

- Sends alerts on suspicious activity

- Intrusion Prevention System ( IPS )

- Active IDS:

- IPS is close to the edge of the network

- Action to prevent will occur at the IPS device

* a Firewall filters, an IDS notifies, an IPS acts to stop

- Automatization strategies

- Template restoration:

- Continuous monitoring

- Automatic updates of OS

- Monitoring application whitelists

- Application development

* PowerShell is a built-in Windows tool for writing custom scripts to automate tasks

- Data Destruction / Media sanitation :

- Clearing: internal command to wipe, like an erase command

- Wiping: overwrites the drives

- Purge: external ways to destroy media


- Crypto erase: encrypting the device and destroying its keys

- Destroy: corrupt the media

- Burning paper media

- Pulping: soak in water and turn into mush

- Shredding

- Pulverizing ( destroying it into fine particles )

* A trusted operating system is created by the manufacturer to meet a specific configuration for high level security requirements.

6 - The Basic LAN:


- LAN Review:

- Switches: Filter & forward data based on MAC address

- VLAN: Provides layer 2 separation of networks

- Flood guarding:

- Spanning Tree Protocol ( STP ): prevents switching loops and the floods they cause

- Routers: Filter & forward based on IP address

- Gateway & Firewall

- Network Topologies Review:

- Local Area Network ( LAN ): local computers connected to Broadcast Domain

- Wide Area Network ( WAN ): multiple LANs connected by routers

- Metropolitan Area Network ( MAN ): it spans a city

- Internet : a large network


- TCP/IP

- Intranet

- Private network runs on TCP/IP

- Extranet:

- Allow external connections to your Intranet

- Network Zone Review:

- LAN, VLAN

- Demilitarized Zone ( DMZ )

- Public-facing servers, separated from the private network servers by a firewall

- Wireless Networks:

- Wireless Access Point ( WAP ):

- SSID ( wireless waves )

- Guest network

- separate VLAN

- segmented, separated zone

- Wired or wireless

- Virtualization zone:

- Airgap:

* A VLAN is the separation of broadcast domains within a LAN. Whether the LAN is behind a firewall is
irrelevant. A WAN is an interconnection of two or more LANs

- Network access Controls:

- Wireless network

- Remote access
- VPN access

- Point-to-point Protocol ( PPP )

- Transport layer protocol ( TLP )

- Initiate connection

- Get address information

- Make connection

- Password authentication Protocol ( PAP ):

- sends password in clear text

- Challenge handshake authentication Protocol ( CHAP )

- uses hashed passwords

- Extensible Authentication Protocol ( EAP )

- EAP-MD5

- Basically MSCHAP

- Takes the passwords and hashes them into an MD5 hash

- EAP-PSK:

- Uses pre-determined symmetric keys

- similar to WPA and WPA-2

- EAP-TLS:

- performs a full TLS exchange

- Needs server and client certificates

- EAP-TTLS:

- Uses the TLS exchange method

- only requires server certificates

- 802.11, 802.1X

- LEAP
- EAP-FAST:

- PEAP

- The network firewall:

- Stateful vs Stateless firewalls

- Stateless

- Access Control List ( ACL )

- Stateful firewall

- Application based firewall

- Proxy servers:

- Forward Proxy server

- Web Proxy

- Application specific

- Web proxy, FTP proxy, VoIP proxy

- Transparent proxy

- Reverse Proxy server:

- High security

- Handle DoS attacks

- Load balancing

- Caching

- Encryption acceleration

* Forward hides the client, Reverse hides the server


- Honeypots:

- Honeypots

- Emulates web server

- Logs everything

- Honeynets

- Emulates a network

- Virtual Private Networks ( VPN )

- Remote Desktop: Emulates a desktop in that network

- VPN : directly connects into the network from a remote location, fully functional

- Connection Options:

- Leased line

- Via Public network, Virtualized

- Endpoints

- Vpn Tunnel

- vpn Endpoint

- Remote access VPN: connect via tunnel to a LAN network

- Site to site vpn: connects a whole network with another as local

* VPN is slower than being in the local area network

* VPN Concentrator: its job is to terminate and handle the VPN traffic

- Split VS full tunneling

- Split tunneling increases performance by splitting the traffic between the VPN and standard internet traffic
- Protocol to setup tunnel

- Protocol to handle authentication and encryption

- Point-to-Point tunneling protocol ( PPTP )

- Oldest VPN protocol, uses PPP for tunnel, password only, TCP port 1723

- Layer 2 Tunneling protocol ( L2TP )

- Cisco Proprietary, Similar to PPTP, L2TP Tunnel, IPsec encryption, UDP port: 500, 4500

- Pure IPsec

- uses IPsec for tunneling and encryption, UDP ports 500, 4500, great for IPv6

- Secure Sockets Layer (SSL)/Transport Layer Security(TLS)

- TCP port 443

- Often works within a web browser

- TUN/TAP ( Virtual network driver) Tunnel

- TLS encryption

- OpenVPN:

- Unique tunnel

- Encryption based on SSL/TLS Protocol

- TCP port 1194, but can be changed easily

** Know the VPN protocols described (PPTP, L2TP..etc)

** Know the VPN port numbers

- IPsec

- Authentication headers

- Encapsulating Security payload (ESP)

- HMAC: Provides integrity

- Transport mode
- Tunnel mode

- ISAKMP creates a security association (SA) between two hosts

- Initial authentication:

- Certificates

- Preshared keys

- Key exchange

- Encrypting Unsecured Protocols:

* IPsec works at the IP layer

* IPsec has a tunnel and transport mode

* Authentication header ( AH ) provides integrity

- Network intrusion detection systems/Network intrusion prevention systems NIDS/NIPS:

- NIDS is passive,

- Out-of-Band

- NIPS is active/inline

- In-Band

- Blocks from router

- Detection methods :

- Behavioral / anomaly

- Signature-based

- Rule-Based

- Heuristic

- Combines Anomaly and signature

- Port Mirroring and network taps are tools used with NIDS and NIPS
- Collectors:

- Correlation engines:

- Security Information and event Management (SIEM):

- Aggregation: grabbing and storing data

- Normalization:

- Write once, read many ( WORM )

- Correlation: analyzing the data and reporting it in a human-friendly way

- Alerts:

- For notification if something goes bad

- Triggering

- Exceeding thresholds
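The SIEM pipeline above in miniature: aggregation of raw lines from two different log formats, normalization into one event shape, correlation, and an alert that fires when a threshold is exceeded. This is an added example, not from the original notes; every log line is constructed (a syslog-style sshd line and a Windows-style CSV export of event 4625), and the threshold and window are assumed values.

```python
# Added example (not from the notes): a miniature SIEM pipeline. Aggregate raw
# lines from two log formats, normalize them into one event shape, then
# correlate with a threshold alert. Every log line below is constructed.
import re
from collections import defaultdict
from datetime import datetime

RAW_LOGS = [
    "2024-05-01T10:00:01 sshd: Failed password for root from 203.0.113.5",
    "2024-05-01T10:00:05,4625,admin,203.0.113.5",
    "2024-05-01T10:00:09 sshd: Failed password for admin from 203.0.113.5",
    "2024-05-01T10:00:12 sshd: Failed password for alice from 198.51.100.7",
    "2024-05-01T10:00:20,4625,root,203.0.113.5",
    "2024-05-01T10:00:25 sshd: Failed password for root from 203.0.113.5",
    "2024-05-01T10:00:30 sshd: Accepted password for alice from 198.51.100.7",
]

# Linux syslog-style line, and a Windows-style CSV export (event 4625 = logon failure).
SSH_FAIL = re.compile(r"^(?P<ts>\S+) sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$")
WIN_FAIL = re.compile(r"^(?P<ts>[^,]+),4625,(?P<user>[^,]+),(?P<src>[^,]+)$")


def normalize(line: str):
    """Map a raw line to a common event dict, or None if it is not a logon failure."""
    for pattern, source in ((SSH_FAIL, "linux"), (WIN_FAIL, "windows")):
        m = pattern.match(line)
        if m:
            return {"ts": datetime.fromisoformat(m["ts"]), "event": "auth_failure",
                    "user": m["user"], "src": m["src"], "source": source}
    return None


def aggregate(lines):
    """Aggregation + normalization: keep every line that parses into an event."""
    return [ev for ev in (normalize(line) for line in lines) if ev is not None]


def correlate(events, threshold: int, window_seconds: int):
    """Alert the first time a source reaches `threshold` failures inside a sliding window."""
    recent = defaultdict(list)   # src -> timestamps still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        bucket = recent[ev["src"]]
        bucket.append(ev["ts"])
        while (ev["ts"] - bucket[0]).total_seconds() > window_seconds:
            bucket.pop(0)
        if len(bucket) == threshold:
            alerts.append({"src": ev["src"], "at": ev["ts"].isoformat(), "count": len(bucket)})
    return alerts


def run(lines=RAW_LOGS, threshold=4, window_seconds=120):
    return correlate(aggregate(lines), threshold, window_seconds)


if __name__ == "__main__":
    for alert in run():
        print("ALERT: repeated logon failures from one source:", alert)
```

The successful logon line is dropped at normalization, the single failure from 198.51.100.7 never reaches the threshold, and the alert fires once at the fourth failure from 203.0.113.5 rather than on every event after it, which is the kind of de-duplication that keeps a SIEM from flooding the analyst.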

7-Beyond Basic Lan:


- 802.11 network, infrastructure Mode:

- 802.11 by itself does not have any authentication or encryption

- Wi-Fi Protected Access ( WPA )

- 802.11i:

- 802.1X authentication

- AES Encryption

* SSID is associated to the MAC address on a wireless access point and known as BSSID

* WEP provided authentication and encryption but is easily hackable

* 802.11i known as WPA2 uses AES encryption

* SSL Stripping aka Reply attacks


* HTTP strict transport security ( HSTS )

* Rogue access point : unauthorized Wi-Fi

* Evil twin

* 802.11 jammers are illegal

* Deauthentication attack

* IV attack to crack WEP

* WPA/WPA2 uses 4-way handshake

* WPA is vulnerable to dictionary attack

* Wi-Fi protected setup

* Myth #1: turning off SSID broadcast isn't as good as people say

* Myth #2: setting up MAC filters

* AP isolation is good practice

* 802.1X makes a strong robust network

- Wireless Hardening:

- Hardening 802.11 Networks

- Survey installation issues

- Survey tools: Site survey tools

- Find SSIDs

- Find MAC addresses

- Bands, channels and signals

- Heat maps

- Maintaining existing wireless networks

- Good documentation

- Monitor wireless networks


- Define how to defend wireless clients

- Scanning: listening to malicious traffic

- Wireless Intrusion detection system ( WIDS )

* Monitors wireless radios

* Watches for rogue access points

* Knows MAC address of authorized equipment

* Watches working protocols

* Listen to the wireless network

- Wireless clients hardening:

- Trained clients are essential part of good wireless security

- Wireless Access points:

- Thick client

- Thin client

* DBI = Signal strength

* Bandwidth, channel and channel bandwidth can affect wireless

- Antenna types

- Omni

- Dipole

- Directional

- Patch graphic: half a sphere

- Antenna placement:

- Band selection
- 2.4 GHz or 5 GHz

- Virtualization Basics:

* Hypervisor - Virtual machine Monitor ( VMM )

- Hypervisor Type1: runs directly on top of hardware independent of host OS

* Virtualization provides easy recovery, and low maintenance cost

- Virtualization Security:

- Cloud-Based virtualization

- Virtualization Characteristic

- Security feature

- patch management

- Centralized hardware maintenance

- Resilient and high availability

- Great testing and sandboxing environment

- Network separation

- Snapshots and backups

- Virtual threats:

- Malware, bad patch management, etc.

- Security as a service ( SaaS )

- VM sprawl: everyone setting up multiple VMs

- VM escape
- Virtualization Hardening:

- Remove remnant data

- Make good policies

- Define user privileges

- Patch everything

- Cloud access security brokers ( CASB )

- Makes sure policies are controlled

- Checks for malware

- Containers

* a container runs isolated instances of programs and services

* Containers are self-contained applications that can communicate with network resources that
have been explicitly allowed

* Containers can depend on each other and can be configured to communicate with each other
on a single host

* Containers run a single program and all its dependencies, and end when the program exits

- Infrastructure as a service ( IaaS ):

* IaaS enables you to quickly configure network resources hosted by someone else

* Amazon web services ( AWS ) is a great example of IaaS

* AWS like most IaaS providers, only bills you for the time you are actually running a server.

- Platform as a service ( PaaS )

* PaaS enables you to access a software development platform without the need to host it yourself

* Heroku is a great example of PaaS

* A PaaS lets you very quickly get your software running live on the internet
- Software as a service ( SaaS ):

* SaaS is a subscription based license

* SaaS enables you to access applications via subscription

* Microsoft Office 365 is a great example of SaaS

* Other SaaS examples include Dropbox and Google Docs

- Deployment Models:

* A cloud is essentially a remote location running virtualized software, and the hardware is
hosted by a third party

* There are various cloud models: private, public, hybrid, and community

- Static Hosts: ( usually are single purpose devices )

- Industrial Control Systems ( ICS )

- Heating, Ventilation, and Air Conditioning ( HVAC )

- Supervisory Control and Data Acquisition ( SCADA )

- Securing Static Hosts: ( treat static hosts like regular hosts )

- Change default passwords

- Turn off unnecessary services

- Monitor security and firmware updates

- Defense in depth:

- Network segmentation to help protect static hosts

- Mobile connectivity:

- SATCOM ( satellite communication )

- Bluetooth

- Near-field communication ( NFC )

- ANT/ANT+ ( bicycle odometers, heart rate monitors, practice bikes )

- Infrared ( allows you to control infrared devices such as TVs; usually transmit only )

- USB ( USB on the go ( USB OTG ))

- Wi-Fi and tethering ( Wi-Fi Direct )

- Tethering

- Wireless tethering ( hotspots )

* Set a password on your phone's hotspot

- Deploying mobile devices

- Mobile device management tools

- Mobile application management

- Mobile deployment options:

- Corporate owned, business only ( COBO )

- Corporate owned, personally enabled ( COPE )

- Choose your own device ( CYOD )

- Bring your own device ( BYOD )

- Mobile device management

- Content Management

- Application management

- Databases

- Documents

- Geolocation

- Knows the location of that device

- Geo fencing

- Geolocation with a trigger

- Push notification services

- Applications will push notifications if you want

- Passwords and pins

- Require use of passwords and PINs

- Can recover passwords

- Biometrics

- Fingerprints

- Facial recognition

- Vocal recognition

- Can lock and unlock devices

- Used to configure applications

- Screen locks

- Make sure your screen is locked

- Remote wipe

- Great when the device is lost

- Application management:

- Versioning

- Updates

- Patches

- Context-aware authentication:

- Where are they right now?

- What operating system are they using?

- What time of day are they trying to authenticate?

- Storage segmentation

- Dedicating a storage space for our applications

- Full device encryption

- We encrypt the entire storage of the device

- Containerization:

- Mobile enforcement:

- Sideloading ( installing applications from outside the official app stores )

- Carrier unlocking

- Rooting for Android / jailbreaking for Apple

- Firmware over-the-air ( OTA ) updates

- Camera use

- SMS/MMS

- External media

- Microphone recording / GPS tagging

- Payment methods

- Physical controls

- Deterrent Physical Control

- Outside lighting

- Signage ( restricted area signs for example )

- Security guards

- Preventative Physical Controls

- Fences

- Barricades

- K ratings ( rating for fences to stop vehicles )

- Mantrap

- Cabling systems ( air gaps or VPN/VLAN )

- Safe

- Locked cabinets

- Faraday cages ( Protects from EMI & radio frequencies )

- Locks

- Key management

- Cable locks

- Screen filters

- Detective Physical Control

- Alarms

- Log files

- Motion detectors

- Cameras

- Heating, Ventilation, and Air Conditioning ( HVAC ):

- Office environment

- Server rooms

- Infrared camera

- Zone-based HVAC

- Hot & cold aisles ( cooling comes from the floor, while heat goes to the ceiling )

- Securing HVAC:

- Leave air-gap

- MAC filtering

- Remote monitoring

- Fire Suppression

- Fire extinguisher classes ( A,B,C,D,K )

- Class A ( Ordinary combustibles like Wood )

- Class B ( Flammable liquid & gas )

- Class C ( Energized electrical equipment ) -- FOR SERVER ROOMS

- Class D ( combustible metals )

- Class K ( Kitchens, oil & fat )

- Fire extinguishers

- Halon

- FM-200

- Seal off server rooms

- Turn off the power

8- Secure Protocols:

- SSH Protocol

- Network Models: Numbers are Layers

- OSI Seven-layer Model

1- Physical: type of cables, etc.

2- Data link: network cards, switches, etc.

3- Network: IP addresses, routers

4- Transport: assembly/disassembly area for big chunks of data

5- Session: actual connection between two systems

6- Presentation: old, used to convert data into a readable format

7- Application: smarts to make the application network-aware ( API )

- TCP/IP Model

1- Network interface: all physical cables, network cards, etc.

2- Internet: IP addresses, routers, etc.

3- Transport: assembly/disassembly, TCP/UDP

4- Application: email, FTP, Telnet, etc.

- Know your protocols TCP/IP

- IP Addressing: IPv4 is a 32-bit address with 4 octets; IPv6 is a 128-bit address

- IPv4

- NAT ( Network Address Translation )

- Private IP ranges: start with 10, also 172.16 to 172.31, and 192.168

- IPv6

- Link-local: starts with FE80

- Internet address
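The private ranges and the IPv6 link-local prefix above are easiest to remember as a check you can run. The following is an added example (not part of the original notes) that classifies an address by those ranges and then uses the classifier the way a defender would: scanning a constructed firewall log for private source addresses arriving on an internet-facing interface, which should never happen behind proper NAT and ingress filtering. The log line format `src=... dst=...` is a hypothetical one chosen for the example.

```python
import ipaddress
import re

# Added example, not from the original notes: classify addresses by the ranges
# the notes list (RFC 1918 private IPv4 ranges, IPv6 link-local FE80) and use
# that to spot private source addresses on an internet-facing interface.

PRIVATE_V4 = [
    ipaddress.ip_network("10.0.0.0/8"),       # starts with 10
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16 through 172.31
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168
]
LINK_LOCAL_V6 = ipaddress.ip_network("fe80::/10")  # link-local, starts with FE80


def classify(addr: str) -> str:
    """Return a coarse class for a textual IPv4/IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        if any(ip in net for net in PRIVATE_V4):
            return "ipv4-private"
        return "ipv4-public"
    if ip in LINK_LOCAL_V6:
        return "ipv6-link-local"
    return "ipv6-global"


# Constructed firewall log lines (hypothetical "src=... dst=..." format, using
# documentation address ranges). Assume this interface faces the internet.
FIREWALL_LOG = """\
ACCEPT src=198.51.100.23 dst=203.0.113.10 proto=tcp dport=443
ACCEPT src=10.0.5.7 dst=203.0.113.10 proto=tcp dport=22
ACCEPT src=172.31.200.1 dst=203.0.113.10 proto=udp dport=53
ACCEPT src=172.32.0.9 dst=203.0.113.10 proto=tcp dport=80
"""

SRC_RE = re.compile(r"\bsrc=(\S+)")


def private_sources(log_text: str) -> list:
    """Return source addresses that are private yet appear on the external interface.

    Such packets are either misrouted NAT traffic or spoofed; ingress
    (anti-spoofing) filtering should be dropping them, so each hit is worth
    investigating."""
    hits = []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        try:
            if classify(m.group(1)) == "ipv4-private":
                hits.append(m.group(1))
        except ValueError:
            continue  # field was not a parseable address; skip it
    return hits


if __name__ == "__main__":
    print(private_sources(FIREWALL_LOG))  # ['10.0.5.7', '172.31.200.1']
```

Note that 172.32.0.9 is public: the 172.16.0.0/12 block ends at 172.31.255.255, which is the boundary the notes are pointing at.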

- Transport protocols

- TCP: connection-oriented, three-way handshake

- UDP: connectionless

- ICMP: supporting protocol handling, ARP, ping

- Know your Protocols Applications

- Hypertext Transfer Protocol (HTTP): port 80

- Secure Hypertext Transfer Protocol (HTTPS): port 443

- Remote shell:

- Telnet: TCP port 23, insecure

- SSH: port 22, secure

- File transfer:

- FTP (File Transfer Protocol): ports 20-21, insecure

- FTP/SSH: port 22

- FTPS: FTP with SSL/TLS added, ports 20-21

- SFTP (Secure File Transfer Protocol): port 22

- SCP (Secure Copy): port 22, only moves files

- TFTP (Trivial File Transfer Protocol): runs over UDP, only moves files, port 69

- NetBIOS: ports 137, 138, 139

- SMB: port 445

- Mail:

- SMTP: port 25, only sends mail

- IMAP ( Internet Message Access Protocol ): port 143

- POP: port 110

- Et Cetera (etc):

- DNS ( Domain Name System ): TCP port 53

- DHCP ( Dynamic Host Configuration Protocol ): port 67/68

- SNMP ( Simple Network Management Protocol ): UDP port 161/162

- LDAP ( Lightweight Directory Access Protocol ): port 389

- RDP ( Remote Desktop Protocol ): TCP port 3389


- Transport Layer Security (TLS)

- Secure Sockets Layer (SSL)

* SSL and TLS are used all over the internet

- Internet service hardening

- DNS: insecure

- DNSSEC: secure

- EMAIL:

- SMTP port 25

- SSL/TLS encrypted SMTP: port 465/587

- IMAP port 143

- SSL/TLS encrypted IMAP port 993

- POP port 110

- SSL/TLS encrypted POP port 995

- Protecting your servers: inside DMZ

- Load balancers

- Proxy services ( e.g., Cloudflare ) for DDoS mitigation

- Firewalls

- SSL accelerator

- Secure Code Development:

- Waterfall Model:

- Requirements

- Design

- Implementation

- Verification

- Maintenance

- Agile:

- Sprint:

- Scrum

- DevOps:

- Secure Deployment Concepts:

- Compiled vs runtime code

- Proper error handling

- Proper input validation

- Indexing

- Encryption/code signing

- Obfuscation

- Code reuse/dead code

- Server-side vs client-side execution

- Memory management

- Third-party libraries

- Data exposure

- Code quality and testing:

- Sandbox

- Model verification

9- Testing your infrastructure:

- Vulnerability scanning tools:

- Vulnerability Assessment Tools:

- Tracert

- Advanced IP scanner

- Nmap

- Microsoft Baseline Security Analyzer ( MBSA )

- Vulnerability Assessment / Scanning tools:

- Nessus

- Nexpose

- OpenVAS

- Vulnerability Scanning Assessment:

* A vulnerability assessment must have authorization before it is run

* Intrusive vs non-intrusive

* Credentialed vs non-Credentialed

* PCI DSS compliance package ( for credit card companies )

- Identify Vulnerabilities

- Misconfigurations

- False positives

- Compliance

- Social Engineering principles:

- Authority: impersonate a position of authority

- Intimidation: frighten the target with a threat

- Consensus: convince the target that the group generally agrees

- Scarcity: claim that something is in short supply

- Familiarity: imply a closer relationship than exists

- Trust:

- Urgency: demand immediate action

- Social Engineering attacks:

- Phishing

- Spear phishing

- Whaling: targets senior management and executives

- Vishing

- Hoax

- Watering hole attack: infect a website that the target's employees use, in order to gain access to their systems

- Tailgating

- Shoulder surfing

- Dumpster diving

- Attacking web sites:

- Common log format ( CLF )

- HTTP logs

- cPanel logs

- Web applications attacks


- Cross-site scripting XSS

- Client-side script injected into trusted web sides

- XML injections
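The two web notes above (reading Common Log Format HTTP logs, and XSS as client-side script injected into a trusted site) fit together in one added example, which is not from the original notes. The first part parses CLF lines and flags requests whose URL-decoded query contains script markers; the second part shows why the attack works (untrusted input copied into HTML verbatim) beside the output-encoding fix. The log lines, addresses and the `render_greeting_*` functions are constructed for this example.

```python
import html
import re
from urllib.parse import unquote_plus

# Added example, not from the original notes. Part 1 parses Common Log Format
# lines and flags requests carrying script injection attempts; part 2 shows
# the output-encoding fix that stops reflected XSS.

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log (hypothetical addresses from documentation ranges).
CLF_SAMPLE = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=shoes HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /profile?name=Ann HTTP/1.1" 200 1000
"""

# Substrings that have no legitimate reason to appear in a decoded query string.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


def parse_clf(line: str):
    """Return the CLF fields as a dict, or None if the line is not CLF."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def find_xss_attempts(log_text: str) -> list:
    """Return (ip, decoded_path) for requests whose decoded URL contains an XSS marker.

    Decoding first matters: attackers percent-encode the payload, so matching
    on the raw path would miss it."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_clf(line)
        if entry is None:
            continue
        decoded = unquote_plus(entry["path"])
        if any(marker in decoded.lower() for marker in XSS_MARKERS):
            hits.append((entry["ip"], decoded))
    return hits


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable: untrusted input is copied into HTML verbatim (reflected XSS)."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened: HTML-encode the input so the browser treats it as text, not markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    for ip, path in find_xss_attempts(CLF_SAMPLE):
        print(f"possible XSS from {ip}: {path}")
    print(render_greeting_safe("<script>alert(1)</script>"))
```

`html.escape(..., quote=True)` also encodes quote characters, which is what keeps the same input from breaking out of an attribute value; encoding must match the context the value lands in (HTML body, attribute, JavaScript, URL), and this example covers the HTML body case.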

- Attacking Applications

- Web apps:

- Injection attacks

- Code injection

- Command injection

- SQL injection

- LDAP ( Lightweight directory access protocol ) injection

* X.500

- Buffer Overflow

- Integer overflow ( large numbers )

- Exploiting a target:

- Get authorization

- Define targets

- Attack model

- White box: the tester has full knowledge of the target

- Black box: the tester knows nothing about the target

- Gray box: partial knowledge, between the two

- Discover vulnerabilities:

- Reconnaissance

- Passive discovery: not sending packets from your computer to the target

- Semi-passive: sending packets, but in a non-suspicious way

- Active discovery

- try to get information

- Exploit vulnerabilities

- Grab username and passwords

- Take data from a database

- Corrupt webpage

- Exploit the target

* Metasploit

* Kali Linux

* Armitage

- Exploitation:

- Banner grabbing

- Pivot: use the compromised system to attack other systems

- Persistence: keep access so the attacker can reconnect easily

- Privilege escalation: gaining elevated access to data and network resources

- Vulnerability impact:

- Embedded systems:

- Lack of vendor support:

- Weak configuration:

- Default usernames and passwords

- Misconfiguration:

- Improperly configured account

- Vulnerable business processes

- Memory/Buffer vulnerabilities

- Memory leak

- Overflow

- DLL injection: does not have obvious performance symptoms

- System sprawl

10- Dealing with incidents:

- Incident Response:

* NIST SP 800-61: Computer Security Incident Handling Guide ( the incident handling/response process )

- Incident Response process:

- Preparation:

- Practice Scenarios

- Reporting

- Identification:

- Containment

- Eradication

- Recovery

- Documentation

- Incident Response plan:

* CIRT - Cyber Incident response team.

- Document incident types/category definitions

- Physical access

- Malware

- Phishing

- Social engineering

- Data access

- Roles and responsibilities:

- Users

- Helpdesk

- Human Resources

- Database manager

- Incident hotline

- IR manager/IR officer

- IR team

- Reporting requirements/escalation

- Determine severity

- Based on severity have a clear chain of escalation

- Informing law enforcement

- Practice

- Annual scenario drills

- Digital Forensics

* Legal hold

- Chain of custody

* Gathering evidence

* Data is of high integrity

- Define the evidence

- Document the collection method

- Date/time collected

- Person(s) handling the evidence

- Function of person handling evidence

- All locations of the evidence

- Order of Volatility

- Memory

- Caches

- Routing table

- ARP table

- Data on the disk

- Optical, flash drives

- Cache files, temp files

- Write blocker

- Remotely logged data

- Web site data

- Remote file server logs

- Backups

- Trends

- Low-volatility data takes longer to gather

- Forensic Data Acquisition

- Capture the system image

- Network traffic and logs

- Capture video

- Security cameras

- Record time offset

- Take hashes

- Take screenshots

- Interview witnesses

- Track man-hours
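The chain-of-custody fields listed earlier (evidence definition, collection method, date/time, handlers and their function, locations) and the acquisition steps just above (take hashes, record time offset) are what make evidence defensible later. The following is an added example, not from the original notes, of the bookkeeping behind them: it hashes an acquired image, records the seized system's clock offset so its timestamps can be corrected, and keeps a custody log in which every handoff re-records the hash so the chain can be audited for tampering. The image bytes, names and times are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Added example, not from the original notes: hash an acquired image, record
# the time offset of the seized system, and keep a chain-of-custody log whose
# entries can be audited for integrity later.


def sha256_hex(data: bytes) -> str:
    """Hash taken at acquisition and at every later handoff."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: datetime      # time of the handling event (reference clock, UTC)
    handler: str        # person handling the evidence
    role: str           # function of that person
    action: str         # acquired, transferred, examined, ...
    location: str       # where the evidence was at that point
    sha256: str         # hash observed at that point


@dataclass
class EvidenceRecord:
    description: str             # define the evidence
    collection_method: str       # document how it was collected
    clock_offset: timedelta      # seized system's clock minus reference clock
    chain: list = field(default_factory=list)

    def log(self, when, handler, role, action, location, data: bytes):
        """Append a custody entry; the hash is recomputed from the bytes in hand."""
        self.chain.append(CustodyEntry(when, handler, role, action, location, sha256_hex(data)))

    def corrected_time(self, system_time: datetime) -> datetime:
        """Translate a timestamp read from the seized system to reference time."""
        return system_time - self.clock_offset

    def audit(self) -> bool:
        """True only if every handoff observed the same hash as the acquisition."""
        return bool(self.chain) and all(e.sha256 == self.chain[0].sha256 for e in self.chain)


# Constructed evidence: a few bytes standing in for a disk image.
IMAGE = b"constructed-disk-image-bytes\x00\x01\x02"
TAMPERED = IMAGE + b"x"
T0 = datetime(2023, 10, 10, 13, 55, tzinfo=timezone.utc)


def build_demo_record() -> EvidenceRecord:
    rec = EvidenceRecord(
        description="workstation SSD image (constructed sample)",
        collection_method="write-blocked bit-for-bit copy",
        clock_offset=timedelta(minutes=7),   # seized system ran 7 minutes fast
    )
    rec.log(T0, "A. Analyst", "first responder", "acquired", "site A", IMAGE)
    rec.log(T0 + timedelta(hours=2), "B. Examiner", "forensic examiner", "transferred", "lab", IMAGE)
    return rec


def tamper_demo() -> tuple:
    """(audit before, audit after) once a handoff is logged against altered bytes."""
    rec = build_demo_record()
    before = rec.audit()
    rec.log(T0 + timedelta(days=1), "C. Clerk", "evidence custodian", "examined", "lab", TAMPERED)
    return before, rec.audit()


def offset_demo() -> str:
    """A log entry the seized system stamped 14:07 actually happened at 14:00 reference time."""
    rec = build_demo_record()
    return rec.corrected_time(datetime(2023, 10, 10, 14, 7, tzinfo=timezone.utc)).isoformat()


if __name__ == "__main__":
    print(tamper_demo())   # (True, False)
    print(offset_demo())   # 2023-10-10T14:00:00+00:00
```

Recomputing the hash at each handoff, rather than copying the first value forward, is the point: a copied hash proves nothing, while a recomputed one that differs pinpoints which custodian held the evidence when it changed.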

- Contingency Planning:

* Disaster recovery

* Business continuity

- Evacuation Plan

- Cold site: it takes weeks to bring online, basic office space, no operational equipment,
cheapest recovery site

- Warm site: it takes days to bring online

- Hot site: it takes hours to bring online, real-time synchronization, very expensive

* Distance & location: make sure that the backup site is not affected by the same event

* Internet requirements

* Housing & Entertainment

* Legal issues

- Order of Restoration:

- Power

- Wired LAN

- ISP Link

- Active directory/DNS/DHCP servers

- Accounting servers

- Sales and accounting workstations

- Video production servers


- Video production workstations

- Wireless

- Peripherals ( printers, cameras, scanners, faxes )

- Annual exercises:

- Failover

- Alternative processing sites

- Alternative business practices

- After action reports

* Contingency planning attempts to mitigate adverse incidents to preserve business continuity

- Backups

- Backup methods

- Full backup: copies everything every time; lots of overhead and not efficient

- Differential backup: backs up all of the changes since the last full backup

- Incremental backup: only backs up the changes made since the last backup of any kind

* Differential backups hold the changes since the last full backup ( so each one gets bigger )

* Incremental backups hold the changes since the last incremental backup only

- Snapshots

- Backup media

- Local backups

- Offsite backups

- Cloud backups

* Snapshots are usually used with virtual machines and usually not stored on separate media
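The trade-off between differential and incremental backups is easier to see on a concrete change history than from the definitions alone. The following added example (not from the original notes) simulates three days of changes after a full backup, computes the size of each differential and incremental set, and lists the restore chain each method needs, which is the operational cost the definitions imply: differentials grow but restore from two sets, incrementals stay small but every one of them is needed. The file names and change sets are constructed.

```python
# Added example, not from the original notes: simulate the backup methods
# over a few days of changes and compare backup size against restore chain.

# Constructed change history: files modified on each day after the full backup.
CHANGES = [
    {"a", "b"},       # day 1
    {"c"},            # day 2
    {"a", "d"},       # day 3 ("a" changed again)
]
ALL_FILES = {"a", "b", "c", "d", "e", "f"}  # contents of the full backup


def differential_sets(changes):
    """Each differential holds everything changed since the last full backup."""
    accumulated, out = set(), []
    for day in changes:
        accumulated |= day
        out.append(set(accumulated))
    return out


def incremental_sets(changes):
    """Each incremental holds only what changed since the previous backup."""
    return [set(day) for day in changes]


def sizes(backup_sets):
    """Number of files in each backup set, in day order."""
    return [len(s) for s in backup_sets]


def restore_chain(method, day):
    """Backup sets that must be restored, in order, to rebuild the state at `day` (1-based)."""
    if method == "full":
        return [f"full{day}"]                  # a full backup every day: one set
    if method == "differential":
        return ["full", f"diff{day}"]          # the full plus only the newest differential
    if method == "incremental":
        return ["full"] + [f"inc{i}" for i in range(1, day + 1)]  # every incremental so far
    raise ValueError(f"unknown method: {method}")


def total_storage(method, changes=CHANGES, full_size=len(ALL_FILES)):
    """Files stored across all backups taken after the initial full backup."""
    if method == "full":
        return full_size * len(changes)
    if method == "differential":
        return sum(sizes(differential_sets(changes)))
    if method == "incremental":
        return sum(sizes(incremental_sets(changes)))
    raise ValueError(f"unknown method: {method}")


if __name__ == "__main__":
    print("differential sizes:", sizes(differential_sets(CHANGES)))  # [2, 3, 4]
    print("incremental sizes: ", sizes(incremental_sets(CHANGES)))   # [2, 1, 2]
    for method in ("full", "differential", "incremental"):
        print(method, "restore day 3 from", restore_chain(method, 3))
```

The restore chain is also where incremental schemes are fragile: a single missing or corrupt incremental breaks every restore point after it, which is why the media list above (local, offsite, cloud) matters as much as the method.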
