Cyber Ops Summary

The document discusses various topics related to cybersecurity threats including vulnerabilities, exploits, and threat intelligence. It defines key cybersecurity organizations like NIST and ISO and lists common vulnerabilities from injection attacks to authentication issues. It also outlines different types of threat actors, the purpose of threat intelligence platforms, and mitigation techniques for vulnerabilities involving sessions, credentials, and APIs.

 NIST - National Institute of Standards and Technology. Non-regulatory federal agency in the US
Department of Commerce.
 ISO - International Organization for Standardization. Non-government organization. Recognized worldwide and
adopted globally.
 Threat, vulnerability and exploit
 Vulnerability - Application, OS, hardware, misconfigurations, shrink-wrap software.
 Common Vulnerabilities and Exposures (CVE) - List of vulnerabilities, sponsored by US-CERT, the Office of
Cybersecurity and Communications at the US Department of Homeland Security. Maintained by MITRE.
 National Vulnerability Database (NVD) - List of vulnerabilities. Maintained by NIST.
 Exploit-DB - Site maintained by Offensive Security where security researchers and other individuals post
exploits for known vulnerabilities.
 Risk - Basic elements of risk : Assets, threats, and vulnerabilities.
 Risk Management Framework (RMF) - is a structured and systematic approach developed by the NIST to
manage and assess cybersecurity risks within organizations. The RMF provides a framework for managing
risks associated with information systems and helps organizations ensure the confidentiality, integrity, and
availability of their sensitive data.
 Kind of threats :
 Natural disaster
 Hacker
 Cyberattack
 Viruses and malware
 Disclosure of Information
 DoS or DDoS - Kind of attack against availability, bringing the network down by flooding it w/ useless
traffic. Launched via botnets.
 Threat actor - Individual or group who performs an attack.
 Script kiddies
 Organized crime group - Scam people, steal info, make money.
 State sponsors and govt - Stealing data like intellectual property, research and major data from
manufacturers, govt agencies, etc.
 Hacktivist - promoting social or political cause.
 Terrorist groups - Political or religious beliefs.
 Threat intelligence refers to the information and analysis gathered about potential cyber threats,
vulnerabilities, and risks that can pose harm to individuals, organizations, or systems. It involves collecting,
analyzing, and interpreting data from various sources to understand the tactics, techniques, and
procedures used by threat actors. Can be beneficial for the Security Operations Center (SOC).

 Threat Intelligence Information
 Structured Threat Information Expression (STIX) - Developed by MITRE. IP address, domain name
 Trusted Automated Exchange of Indicator Information (TAXII) - MITRE
 Cyber Observable Expression (CybOX) - MITRE
 Open Indicators of Compromise (OpenIOC) -
 Open Command and Control (OpenC2) - Facilitated by the US National Security Agency.
 Threat Intelligence Platform - is a software solution or tool that helps organizations collect, analyze, and
act upon threat intelligence data. It enables organizations to proactively identify and mitigate potential
cybersecurity threats and vulnerabilities. TIPs support the ff:
 Threat Intelligence Collection
 Data Correlation - Automatically analyzing and correlating TI data.
 Enrichment and contextualization - Provides enriched context around threats.
 Analyze -
 Integrations w/ other security systems
 Injection-based vulnerabilities - SQL injection vulnerabilities, HTML injection vulnerabilities, Command
injection vulnerabilities.
 Code injection - Forcing system to process invalid data.
 Ex. of code injection vulnerabilities:
1. SQL injection - Modify records in a database.
i. In-band SQL injection - The most common type of SQL injection attack. It occurs when an attacker is
able to inject malicious SQL code into a web application's database query. The injected
SQL code is executed directly within the application's database connection, allowing the
attacker to manipulate the database or retrieve sensitive information.
ii. Out-of-band SQL injection - The attacker uses a different communication channel to retrieve the data or
information. For example, the attacker may inject a query that triggers an email or
initiates a DNS lookup, and then collects the results through those channels.
iii. Blind SQL injection - The attacker infers the results by observing the application's behavior.

 Sanitize and validate user input -
 Implement least privilege principle- Ensure that database accounts used by the
application have the least privileges necessary. Limit their permissions to only the
required database operations and avoid using accounts with administrative
privileges for routine application operations.
 Web application firewall - block injection attempts.
 Educate developers - Secure coding.

2. HTML script injection
3. Dynamic code evaluation
4. Object injection
5. Remote file inclusion
6. Uncontrolled format string
7. Shell injection.
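The SQL injection mitigations above (validate input, parameterize queries) are easiest to see side by side. The following is an added example, not code from these notes: it uses an in-memory SQLite table as a stand-in for the application's database (an assumption), shows the vulnerable string-concatenation pattern next to a parameterized query, and adds an allow-list check for the username as a second layer. The least-privilege item is a database account setting and is not shown here.

```python
import re
import sqlite3

# Constructed sample data: an in-memory SQLite database standing in for the
# application's real database (assumption for this example).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("omar", "omar@example.test"), ("alice", "alice@example.test")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, name):
    # Vulnerable pattern: the user-supplied value is pasted into the SQL text, so
    # quotes and operators in the input become part of the query (in-band injection).
    sql = "SELECT name, email FROM customers WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Hardened pattern: a parameterized query. The driver binds the value separately
    # from the SQL text, so the input can never change the query's structure.
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()

# Input validation as a second layer: an allow-list for what a username may look like.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def validate_username(name):
    return isinstance(name, str) and USERNAME_RE.fullmatch(name) is not None

def lookup_validated(conn, name):
    # Validate first, then still use the parameterized query (defense in depth).
    if not validate_username(name):
        return []
    return lookup_safe(conn, name)

def demo():
    """Compare the two query styles on a normal name and on a classic tautology payload."""
    conn = make_db()
    tautology = "omar' OR '1'='1"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, tautology)),  # every row leaks
        "safe_rows": len(lookup_safe(conn, tautology)),              # no such name: 0
        "normal": lookup_safe(conn, "omar"),
        "validated_rejects": lookup_validated(conn, tautology),
    }

if __name__ == "__main__":
    print(demo())
```

The tautology input makes the concatenated query return every row, while the parameterized version treats the whole string as a literal name and returns nothing; the allow-list rejects it before any query runs.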
 Command Injection -
 Authentication-Based Vulnerabilities - Attacker can bypass authentication.
 Credential brute forcing - trying diff usernames and passwords.
 Online brute-force attacks - Can easily be detected.
 Offline brute-force attacks- Attacker can gain access to encrypted data or hashed passwords.
 Weak cryptographic algorithms - RC4, MD5, and DES
 WEP - Wired Equivalent Privacy, a poorly designed security protocol.
An organization should implement techniques on systems and apps to throttle login attempts and
prevent brute-force attacks. Attempts should also be logged and audited.
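As an added example (not from these notes) of the throttling and logging just described: a per-account sliding-window limiter that locks the account after a number of failures, logs every failure and lockout for later audit, and refuses locked accounts before the password is checked. The demo account, its password, the source address and the clock are all constructed for the example.

```python
import hmac
import logging
import time
from collections import defaultdict, deque

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("auth")

class LoginThrottle:
    """Per-account sliding window: after max_attempts failures within window
    seconds the account is locked for lockout seconds. Each failure and each
    lockout is logged so the attempts can be audited later."""

    def __init__(self, max_attempts=5, window=300, lockout=900, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.clock = clock                      # injectable for testing
        self.failures = defaultdict(deque)      # user -> timestamps of recent failures
        self.locked_until = {}                  # user -> time the lockout expires

    def is_locked(self, user):
        return self.locked_until.get(user, 0) > self.clock()

    def record_failure(self, user, source_ip):
        now = self.clock()
        recent = self.failures[user]
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        recent.append(now)
        log.warning("failed login user=%s src=%s recent_failures=%d", user, source_ip, len(recent))
        if len(recent) >= self.max_attempts:
            self.locked_until[user] = now + self.lockout
            log.error("lockout user=%s src=%s until=%.0f", user, source_ip, self.locked_until[user])

    def record_success(self, user):
        self.failures.pop(user, None)

# Constructed credential store: one demo account with a fixed password (assumption).
DEMO_PASSWORD = {"omar": "correct horse battery staple"}

def attempt_login(throttle, user, password, source_ip):
    """Returns 'locked', 'ok' or 'denied'. Locked accounts are refused before the
    password is even checked, so guessing yields no signal during the lockout."""
    if throttle.is_locked(user):
        return "locked"
    expected = DEMO_PASSWORD.get(user, "")
    if expected and hmac.compare_digest(password, expected):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user, source_ip)
    return "denied"

def simulate_guessing():
    """Three wrong guesses, then the right password during and after the lockout."""
    clock = [1000.0]
    t = LoginThrottle(max_attempts=3, window=60, lockout=120, clock=lambda: clock[0])
    results = [attempt_login(t, "omar", g, "198.51.100.7") for g in ("a", "b", "c")]
    results.append(attempt_login(t, "omar", DEMO_PASSWORD["omar"], "198.51.100.7"))
    clock[0] += 121                             # lockout expires
    results.append(attempt_login(t, "omar", DEMO_PASSWORD["omar"], "198.51.100.7"))
    return results

if __name__ == "__main__":
    print(simulate_guessing())
```

The clock is injected so the lockout expiry can be tested without sleeping; in production the default `time.time` is used and the log lines feed whatever audit pipeline the SOC already has.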
 Session hijacking (also known as session stealing) - A type of attack where an
unauthorized individual gains control over a legitimate user's session on a computer system, network,
or web application. The attacker manipulates the session tokens or cookies used to authenticate and
maintain a user's session, allowing them to impersonate the victim and perform actions on their
behalf.
 Predicting session tokens - If an attacker can predict session tokens, they can easily hijack the web
sessions to compromise the system or steal data.
 Session sniffing - Can occur through collecting packets of encrypted web sessions.
 Man-in-the-middle attack (MITM)
 Man-in-the-browser attack (MITB)
If web applications do not validate and filter out invalid session ID values, they can potentially be used
to exploit other web vulnerabilities, such as SQL injection (if the session IDs are stored on a relational
database) or persistent XSS (if the session IDs are stored and reflected back afterward by the web
application).
Validating and filtering out invalid session ID values refers to the process of verifying the legitimacy
and correctness of session IDs used within a web application. It involves implementing checks to
ensure that only valid and authorized session IDs are accepted, while discarding or rejecting any
invalid or suspicious session IDs.
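An added example (not from these notes) covering both the unpredictable-token point and the validate-and-filter point: tokens come from the OS CSPRNG via `secrets`, and an incoming session ID is checked against the exact format the server issues before it is looked up, so a value carrying quotes or markup is discarded before it could reach a query or a template. The store is an in-memory dict standing in for a real session table (an assumption).

```python
import re
import secrets

TOKEN_BYTES = 32
# secrets.token_urlsafe(32) yields 43 URL-safe base64 characters; anything else is not ours.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{43}")

class SessionStore:
    """Server-side session table: the client only ever holds an opaque random token."""

    def __init__(self):
        self._sessions = {}   # token -> username

    def create(self, username):
        # Unpredictable token from the OS CSPRNG, so it cannot be guessed or counted up.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = username
        return token

    def is_well_formed(self, token):
        return isinstance(token, str) and TOKEN_RE.fullmatch(token) is not None

    def resolve(self, token):
        """Return the user for a valid, known token, or None.
        The format check runs first, so a malformed value (quotes, angle brackets,
        overlong strings) is discarded before it could reach a database query or a
        template that echoes it back."""
        if not self.is_well_formed(token):
            return None
        return self._sessions.get(token)

    def destroy(self, token):
        self._sessions.pop(token, None)

def demo():
    store = SessionStore()
    token = store.create("omar")
    tampered = token[:-1] + ("A" if token[-1] != "A" else "B")   # well-formed but unknown
    return {
        "valid": store.resolve(token),
        "sql_like": store.resolve("' OR '1'='1"),
        "xss_like": store.resolve("<script>alert(1)</script>"),
        "tampered": store.resolve(tampered),
        "missing": store.resolve(None),
    }

if __name__ == "__main__":
    print(demo())
```

The well-formed but unknown token shows the second filter: passing the format check only means the value is safe to look up, and the lookup still has to find it in the server-side table.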
 Insecure Direct Object Reference Vulnerabilities or Redirecting - occur when an application exposes
internal references (such as database keys, file names, or resource identifiers) in a way that allows
attackers to directly manipulate those references and access unauthorized resources or perform
unauthorized actions. This vulnerability occurs when an application does not sanitize user input and
does not perform appropriate authorization checks.
 Example: https://store.h4cker.org/buy?customerID=1234,
https://store.h4cker.org/changepassd?user=omar
Mitigations for this type of vulnerability include input validation, the use of per-user or -session
indirect object references, and access control checks to make sure the user is authorized for the
requested object.
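The mitigations listed (indirect per-session references plus an access control check) as an added example, not code from these notes. The customer records, owners and handle format are constructed for the example; the direct lookup is included only to show the pattern behind the `customerID=1234` URL above.

```python
import secrets

# Constructed data: customer records and the user who owns each (assumption for this example).
CUSTOMERS = {
    1234: {"owner": "omar", "email": "omar@example.test"},
    1235: {"owner": "alice", "email": "alice@example.test"},
}

def get_customer_direct(customer_id):
    """The pattern behind ?customerID=1234: the internal key is exposed to the client
    and looked up with no ownership check, so any id the user types is served."""
    return CUSTOMERS.get(customer_id)

class ReferenceMap:
    """Per-session indirect object references: the client receives random opaque
    handles, and only handles minted for this session can be resolved back."""

    def __init__(self):
        self._to_id = {}      # handle -> internal id
        self._to_handle = {}  # internal id -> handle

    def handle_for(self, internal_id):
        if internal_id not in self._to_handle:
            handle = secrets.token_urlsafe(16)
            self._to_handle[internal_id] = handle
            self._to_id[handle] = internal_id
        return self._to_handle[internal_id]

    def resolve(self, handle):
        return self._to_id.get(handle)

class Session:
    def __init__(self, user):
        self.user = user
        self.refs = ReferenceMap()

def list_my_customers(session):
    # Handles are minted only for objects the user owns, so that is all the client sees.
    return [session.refs.handle_for(cid) for cid, rec in CUSTOMERS.items()
            if rec["owner"] == session.user]

def get_customer(session, handle):
    cid = session.refs.resolve(handle)
    if cid is None:
        return None                    # unknown or foreign handle: reject
    rec = CUSTOMERS.get(cid)
    if rec is None or rec["owner"] != session.user:
        return None                    # access control check on the resolved object
    return rec

def demo():
    omar, alice = Session("omar"), Session("alice")
    omar_handles = list_my_customers(omar)
    return {
        "direct_any_id": get_customer_direct(1235)["owner"],      # no check at all
        "own_handle": get_customer(omar, omar_handles[0])["email"],
        "foreign_session": get_customer(alice, omar_handles[0]),  # handle means nothing here
        "raw_id_as_handle": get_customer(omar, "1235"),
    }

if __name__ == "__main__":
    print(demo())
```

The ownership check in `get_customer` is kept even though the handle map already limits what a session can name: the two controls fail independently, which is the point of layering them.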
 Exploiting default credentials
 Exploiting weak credentials
 Exploiting Kerberos vulnerabilities.
 Cross-Site Scripting - Three major categories: Reflected XSS, Stored XSS, DOM-based XSS
 Cross-Site request forgery
 Cookie Manipulation attacks
 Race Conditions - Also referred to as time of check to time of use (TOCTOU). Multiple operations at a
time.
 APIs - Application programming interfaces are sets of rules and protocols that allow different
software apps to communicate and interact w/ each other.
 Simple Object Access Protocol (SOAP) - Developed by Microsoft. Replaced older solutions such as the
Distributed Component Object Model (DCOM). It uses XML.
 Representational State Transfer (REST) - Easier to use than SOAP, uses JSON instead of XML. It
uses standards such as Swagger and the OpenAPI Specification for ease of documentation and to
encourage adoption.
 GraphQL - Query language for APIs that provides many developer tools. GraphQL is now used
for many mobile apps and online dashboards. Many diff languages support GraphQL.
 API Documentation - Provides a roadmap about the implementation. This roadmap can give a
penetration tester valuable clues, which are valuable to security professionals as well as to attackers.
 Swagger(OpenAPI) - Modern framework.
 Web Services Description Language (WSDL) - XML-based language used to document the
functionality of a web service.
 Web Application Description Language (WADL) - XML-based language for describing
apps.
 Return-to-LibC Attacks and Buffer Overflows -
 A technique called ASCII armoring can be used to mitigate ret2libc attacks.
 Open Web Applications Security Project OWASP - Non-profit organization that focuses on improving
the security of software apps. It provides resources, tools, and the best practices to help organizations
develop and maintain secure web applications. OWASP lists the top 10 most common vulnerabilities
against apps.
 Security vulnerability patching is one of the most important processes of any
organization. Patching refers to the process of applying updates, fixes, or patches to software or
systems in order to address identified security vulnerabilities. Orgs might use the ff technologies
to maintain an appropriate vulnerability management program:
 Vulnerability scanners, such as Qualys, Nexpose, and Nessus
 Software composition analysis tools, such as BlackDuck Hub, Synopsys Protecode (AppCheck),
FlexNet Code Insight (Palamida), SourceClear, and WhiteSource.
 Security Vulnerability feeds, such as MITRE’s CVE list, NIST’s NVD, VulDB, and Recorded Future.
NETWORK SECURITY SYSTEMS
 OSI MODEL (PDNTSPA)
7. Application Layer
6. Presentation Layer
5. Session Layer
4. Transport Layer
3. Network Layer - Responsible for addressing, routing, and logical connectivity w/in an internet.
2. Data link layer - At this layer, it provides reliable and error-free transmission of data frames
between connected devices. It handles framing, flow control, error detection, and media access
control. Examples of protocols at this layer are Ethernet and WiFi.
1. Physical layer - Responsible for transmission of raw bitstream over the physical media, such as
copper wires, fiber optic cables, or wireless signals.
 Traditional Firewall - Placed between trusted and untrusted networks. When firewalls are connected to the
internet, they are often referred to as Internet edge firewalls.
 Network-based firewalls - play a crucial role in perimeter security by providing several key
features, including:
 Network Address Translation (NAT) - Allows multiple devices to share a single public IP
address when accessing resources on the internet.
 Access Control Lists (ACLs) - Control and manage network traffic based on predefined
rules, specify which types of traffic are allowed or denied based on criteria such as source
IP address, destination IP address, port nums, protocols, and other parameters. ACLs
restrict unauthorized traffic from entering or leaving the network.
ACLs are based on a set of rules or entries that define who can access a resource and what
level of access they have. These rules typically specify the permissions granted to specific
users or groups, such as read, write, or execute.
 Application inspection - Inspect the content and behavior of the app traffic, helping to
identify and block potential threats or unauthorized acts. This can detect and prevent
malicious acts.
 VPN Support, Intrusion detection and prevention system, logging and reporting.
 Network-based firewalls - Primary task is to deny or permit traffic that attempts to enter or
leave the network based on explicit preconfigured policies and rules. Firewalls are often
deployed in several other parts of the network to provide network segmentation w/in the
corporate infrastructure and also in the data center. The processes used to allow or block traffic
may include the ff:
 Simple packet-filtering techniques - Examine packet individually and decide whether to
allow or block them based on rules.
 Application proxies - Act as intermediaries between clients and servers, handling requests
and responses. Can provide advanced security features by inspecting and filtering app,
including performing deep packet inspection and content filtering.
 Network Address Translation - Multiple devices using one IP address.
 Stateful Inspection Firewalls - Stateful inspection firewalls, also known as dynamic packet
filtering firewalls, are a type of firewall that examines the context and state of network
connections to make access control decisions. Unlike traditional packet filtering firewalls
that only inspect individual packets, stateful inspection firewalls maintain a state table to
track the state of each network connection.
 Next-generation context-aware firewalls. - offer context-awareness by examining
application-level data and user information to make more granular security decisions.
NGFWs may include features such as intrusion prevention systems (IPS), web filtering,
anti-malware scanning, deep packet inspection, application control, and user-based
policies.
 Packet Filtering Techniques - To control access to specific network segments by defining which
traffic can pass through them. They usually inspect incoming traffic at the transport layer of the
Open Systems Interconnection (OSI) model.
 Packet filters can analyze Transmission Control Protocol (TCP) or User Datagram Protocol
(UDP) packets and compare them against a set of rules called ACCESS CONTROL LIST.
They inspect the ff elements w/in a packet:
 Source address
 Destination address
 Source port
 Destination port
 Protocol
 Host-based firewall - Personal firewall.
 Access Control Lists (ACLs) - Configured in firewalls, but can also be configured in network
infrastructure devices such as routers, switches, wireless LAN controllers (WLCs), and others.
 Access Control Entry (ACE) - Each entry of an ACL.
 Inbound ACL - Router ACL and Cisco ASA
 Outbound ACL - Packets are sent through diff processes (NAT, QoS, and VPN) and then the
configured ACEs are applied before transmitting the packets out on the wire.
 Characteristics of an ACL configured on a Cisco ASA or on a Cisco IOS zone-based firewall:
 When an ACE is added to an existing ACL, it is appended to the end of the ACL.
 If an ACE allows all IP traffic to pass, and then you create another ACE to block all IP
traffic, packets will never be evaluated against the second ACE.
 There is an implicit deny at the end of an ACL. If a packet does not match any ACE, it's dropped and a
syslog message is generated.
 Each interface is assigned a security level (0 to 100). By default, you do not need to define an
ACE to permit traffic from a high-security-level interface to a low-security-level interface. But if you
want to restrict traffic flows from high-sec-lev to low-sec-lev, you can define an ACL.
 Low-sec-lev to high-sec-lev is denied by default.
 ACLs (extended or IPv6) must be applied to an interface to filter traffic that is passing
through the security-level interface.
 You can apply the same ACL to multiple interfaces, but it is not recommended because it can lead
to overlapping and redundant security policies, which can create confusion, increase
management complexity, and potentially introduce security vulnerabilities.
 ACLs can be used to control both traffic through the security appliance and traffic to the
security appliance itself. This means they can restrict access to certain resources, protect the
network from unauthorized or malicious traffic, and control who can manage or
access the security appliance, limiting potential attack vectors. The ACLs controlling traffic
to the security appliance are called control plane ACLs.
 When TCP or UDP traffic flows through the security appliance, the return traffic is
automatically allowed because the connections are considered established and
bidirectional.
 Protocols like ICMP are considered unidirectional connections; therefore, you need to
allow ACL entries in both directions. Or enable the ICMP inspection engine.
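An added example (not from these notes, and not Cisco's code) that simulates the ACL behaviour listed above and the packet-filter fields from the earlier list: ACEs are appended in order, the first match wins (so the trailing permit is shadowed and never evaluated), an unmatched packet hits the implicit deny and is logged, established TCP/UDP flows get their return traffic through a state table, and ICMP gets no such help. The policy, addresses and the simplification that one ACL is applied to every packet are assumptions of the example.

```python
import ipaddress
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("acl")

@dataclass
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0

@dataclass
class ACE:
    """One access control entry: action plus the fields a packet filter inspects."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport

class ACL:
    def __init__(self, name):
        self.name = name
        self.entries = []

    def add(self, ace):
        self.entries.append(ace)          # a new ACE is appended to the end of the ACL

    def evaluate(self, pkt):
        """First matching ACE wins; later entries are never consulted."""
        for index, ace in enumerate(self.entries):
            if ace.matches(pkt):
                return ace.action, index
        log.info("%s: implicit deny for %s", self.name, pkt)   # no match: drop and log
        return "deny", None

class StatefulFilter:
    """Applies the ACL to new TCP/UDP flows and lets the return traffic of an
    established flow through without consulting the ACL again."""

    def __init__(self, acl):
        self.acl = acl
        self.state = set()   # established flows as (proto, src, sport, dst, dport)

    def forward(self, pkt):
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.proto in ("tcp", "udp") and reverse in self.state:
            return "permit"                 # reply to a connection we already allowed
        action, _ = self.acl.evaluate(pkt)
        if action == "permit" and pkt.proto in ("tcp", "udp"):
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action

def build_outside_acl():
    """Constructed policy: only HTTPS to one web server from anywhere; the trailing
    permit is shadowed by the deny before it and can never match."""
    acl = ACL("OUTSIDE_IN")
    acl.add(ACE("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443))
    acl.add(ACE("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"))
    acl.add(ACE("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"))   # shadowed, never evaluated
    return acl

def demo():
    fw = StatefulFilter(build_outside_acl())
    return {
        "https_in": fw.forward(Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 443)),
        "https_reply": fw.forward(Packet("192.0.2.10", "198.51.100.7", "tcp", 443, 40000)),
        "ssh_in": fw.forward(Packet("198.51.100.7", "192.0.2.10", "tcp", 40001, 22)),
        "icmp_reply": fw.forward(Packet("192.0.2.10", "198.51.100.7", "icmp")),
        "empty_acl": ACL("EMPTY").evaluate(Packet("198.51.100.7", "192.0.2.10", "icmp")),
    }

if __name__ == "__main__":
    print(demo())
```

The HTTPS reply is permitted only because the outbound request created a state entry; the ICMP packet has no state to match and no explicit ACE in its direction, so it falls through to the deny, which is why the notes say ICMP needs entries both ways or the inspection engine.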
 Cisco ASA supports 5 diff types of ACLs.
 Standard ACLs - Used to filter network traffic based on the source IP address only, but do
not consider other parameters like destination IP address, protocols, or ports.
 Extended ACLs - The most commonly deployed ACLs, can classify packets based on the ff
attributes:
 Source and destination IP addresses
 Layer 3 protocols (operate at the network layer)
 Source and/or destination TCP and UDP ports
 Destination ICMP type for ICMP packets
Extended ACLs can be used for interface packet filtering, QoS packet classification, packet
identification for NAT and VPN encryption.
 IPv6 ACLs -
 EtherType ACLs - Used to filter IP and non-IP based traffic by checking the EtherType code
field in the layer 2 header. Can only be configured if the security appliance is running in
transparent mode.
 Webtype ACLs - Used w/in security appliances to restrict traffic in SSL VPN tunnels. The
default behavior is often to drop packets that do not match any ACL rules. This is because
of the principle of "implicit deny": if there is no explicit rule allowing a packet, it is
denied by default. When the appliance is configured w/ a WebType ACL, it defines a set of rules
that specify which traffic is allowed or denied. Each packet that enters the SSL VPN tunnel
is evaluated against these rules. If a packet matches a rule, it is permitted to pass. If no rule
is matched, the default behavior is to drop the packet, thus denying it. If no ACL is defined at
all, the security appliance doesn't have any explicit rules to evaluate incoming packets against,
so all packets are permitted by default w/o restrictions. So carefully define and configure
WebType ACLs according to the desired sec policies and reqs to ensure that only
authorized and necessary traffic is allowed through the SSL VPN tunnels.
 Application Proxies - Or proxy servers, are devices that operate as intermediary agents on behalf of
clients that are on a private or protected network. Clients on the protected network send connection
requests to the app proxy to transfer data to the unprotected network.
 Network Address Translation - The real IP address is configured on the host, and the mapped IP address
is the translated address. Often used by firewalls; however, other devices such as routers and wireless
access points provide support for NAT. NAT hides the internal IP addresses from the unprotected
network.
 Port address translation - Translates both IP addresses and port numbers. Allows multiple
devices to share public IP address by using unique port numbers to differentiate the
translations.
 Dynamic NAT - IP masquerading.
Cisco ASA, Firepower Threat Defense (FTD), Cisco IOS zone-based firewalls, and others can perform
all these NAT operations.
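Port address translation, as an added simulation (not code from these notes or from any Cisco product): the translator keeps a table from each real (IP, port) pair to a unique mapped port on the single public address, so two hosts using the same source port stay distinguishable, and it reverses the table for return traffic. Unsolicited inbound packets with no table entry have nowhere to go and are dropped, which is the hiding of internal addresses described above. Addresses and ports are constructed.

```python
import itertools

class PortAddressTranslator:
    """PAT: many real hosts share one mapped IP, told apart by a unique mapped port."""

    def __init__(self, mapped_ip, first_port=1024):
        self.mapped_ip = mapped_ip
        self._ports = itertools.count(first_port)   # next free mapped port
        self.outbound = {}   # (real_ip, real_port) -> mapped_port
        self.inbound = {}    # mapped_port -> (real_ip, real_port)

    def translate_out(self, real_ip, real_port):
        """Rewrite the source of an outbound packet; reuse an existing translation."""
        key = (real_ip, real_port)
        if key not in self.outbound:
            mapped_port = next(self._ports)
            self.outbound[key] = mapped_port
            self.inbound[mapped_port] = key
        return self.mapped_ip, self.outbound[key]

    def translate_in(self, mapped_port):
        """Rewrite the destination of a return packet; None means no translation
        exists, so the packet is dropped rather than forwarded to any internal host."""
        return self.inbound.get(mapped_port)

def demo():
    pat = PortAddressTranslator("203.0.113.1", first_port=50000)
    return {
        "host_a": pat.translate_out("10.0.0.5", 40000),
        "host_b_same_sport": pat.translate_out("10.0.0.6", 40000),   # distinct mapped port
        "host_a_again": pat.translate_out("10.0.0.5", 40000),        # existing entry reused
        "reply_to_b": pat.translate_in(50001),
        "unsolicited": pat.translate_in(60000),
    }

if __name__ == "__main__":
    print(demo())
```

Dynamic NAT without port rewriting would map each real address to a pooled public address instead; the table shape is the same, only the key changes.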
 Stateful Inspection Firewalls - Track every packet passing through their interfaces by ensuring that
they belong to valid, established connections. They examine not only the packet header contents but also
the app layer info w/in the payload. They monitor the state of the connection and maintain a database
w/ this information, usually called the state table.
 Demilitarized zone (DMZ) - network segment or zone that sits between an organization’s internal
network and an external network, typically the internet. The purpose of a DMZ is to provide an
additional layer of security by segregating and isolating publicly accessible services from the internal
network. In large organizations, you can find multiple firewalls in different segments and DMZs.
 Firewalls provide network segmentation
 Application-based segmentation and micro-segmentation - Virtual firewalls between virtual
machines (VMs). Study the relationship and data interaction between two machines.
 High Availability - Cisco ASA provides high availability features such as the ff:
 Active-standby failover - 2 firewalls; when the primary (active) firewall fails, the secondary
(standby) firewall takes over.
 Active-active failover - 2 firewalls are active; if one fails, the other will continue to pass traffic
in the network.
 Clustering - Multiple firewall units work together as a single logical device. If one fails, the
others will seamlessly continue to handle the network traffic w/o interruption.
 Firewalls in the Data Center - Firewalls can also be deployed in the data center. The placement will depend on
many factors, such as how much latency the firewalls will introduce, what type of traffic you want to block
and allow, and in what direction the traffic will flow. Traffic going from one network segment to
another network segment is often referred to as east-to-west or west-to-east traffic, also known as
lateral traffic. Similarly, traffic going to and from the data center is often referred to as north-to-south.
