?cyber Questions?

Uploaded by familbnb00

B&B Security Alliance (2019) - BestComp Group (Telecom, Cyber, Software Development - Georgia, Central Asia) and Barikat Cyber Security (Qatar, Turkey). Penetration testing, SOC (setting up SIEM), Incident response, Cloud services, DLP, Network security, Social Engineering, Compliance

Fortinet, Checkpoint, McAfee, Backbox, Microsoft, IBM Security

TCP (segment; netstat cmd to see connections between servers) - Connection set up before transmission (3-way handshake), reliable (packet sequence order, retransmission, error checking), slower data transfer, congestion & flow control (reduce the rate if overloaded). Use: web browsing (HTTPS), email (SMTP, IMAP) or text, FTP. SYN - client sends its sequence number (which data package the server has to send). Faulty packets get discarded. FIN-ACK closes the connection.

UDP (datagram) - Connectionless, unreliable, quick transfer. Use: streaming, online gaming, voice and video calls, VoIP, DNS queries, DHCP broadcasting. No delivery confirmation.

DHCP (DORA) - When a device connects to the network or boots up (if there is no static IP), it broadcasts "DHCP Discover" packets to all devices on the network (usually the router acts as the DHCP server). The server sends back "DHCP Offer" - an available IP address from the pool. The client sends "DHCP Request" accepting the IP. The server sends "DHCP Ack" confirming the assignment. The IP address is assigned to the device for a specific lease time (e.g. 24 hours), after which the IP must be renewed.
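The DORA exchange above as a small in-memory simulation (an added example, not from the original notes and not a real DHCP implementation): the message dictionaries, the DhcpServer class and the lease pool are constructed for illustration, and a renewing client gets its current address back instead of a new one.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DhcpServer:
    pool: list                               # free addresses, handed out in order
    lease_seconds: int = 86400               # the notes' "e.g. 24 hours"
    offered: dict = field(default_factory=dict)   # mac -> ip offered but not yet acknowledged
    leases: dict = field(default_factory=dict)    # mac -> (ip, expiry time in seconds)

    def handle(self, msg: dict, now: int) -> Optional[dict]:
        """Reply to one broadcast client message (Discover or Request)."""
        mac = msg["mac"]
        if msg["type"] == "DISCOVER":
            # A renewing client gets its current address back; otherwise take one from the pool.
            ip = self.leases.get(mac, (None, 0))[0]
            if ip is None:
                if not self.pool:
                    return None                  # pool exhausted: no Offer, client keeps retrying
                ip = self.pool.pop(0)
            self.offered[mac] = ip
            return {"type": "OFFER", "mac": mac, "ip": ip}
        if msg["type"] == "REQUEST":
            ip = self.offered.pop(mac, None)
            if ip is None or ip != msg["ip"]:
                return {"type": "NAK", "mac": mac}   # request does not match an outstanding Offer
            self.leases[mac] = (ip, now + self.lease_seconds)
            return {"type": "ACK", "mac": mac, "ip": ip, "lease": self.lease_seconds}
        return None

    def expire(self, now: int) -> None:
        """Return leases whose time ran out to the pool (clients renew before expiry)."""
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
                self.pool.append(ip)

def dora(server: DhcpServer, mac: str, now: int = 0) -> Optional[str]:
    """Run Discover -> Offer -> Request -> Ack for one client; return the leased IP."""
    offer = server.handle({"type": "DISCOVER", "mac": mac}, now)
    if offer is None:
        return None
    ack = server.handle({"type": "REQUEST", "mac": mac, "ip": offer["ip"]}, now)
    return ack["ip"] if ack["type"] == "ACK" else None
```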

OSI - Physical (raw bit electric signals over WiFi, Bluetooth, fiber optic), Data-link (frames, MAC address, error detection and correction), Network (packets), Transport (segments), Session (NetBIOS, netstat), Presentation (encryption), Application

SMTP - (when you click send) sends emails and checks the recipient address through DNS; IMAP - receives (accesses), stores and manages emails; POP3 - downloads emails

Firewalls: Packet filtering, NGFW, Hardware, Software, Cloud based, NAT, Proxy (application layer inspection), Stateful

Smart IT, DefScope, Caspian Innovation Center, AzIntelecom, Prosol, CyberPoint, BnB Security, DOST, KPMG, Inseco

CISSP, CEH certificates for Security engineers

NGFW - IPS, application layer inspection (not only headers but content-based exploit prevention, HTTP, FTP), web filtering (URLs, content, tags), DLP (role-based access control), does the work of multiple devices (sandboxing, antivirus, malware detection), filters users by their roles or GpU, VPN for encrypted traffic - Palo Alto

Traditional - ACL - Packet header: source and destination IP, port, protocol

Stateful FW - tracks history, connections and content of packets

Stateless - only individual packets

XDR vs EDR difference - XDR expands coverage beyond endpoints to include multiple security layers like network, email, cloud, servers, applications, and endpoints. XDR - IDS, IPS, firewall and cloud security can be integrated.

Antivirus - signature-based scans against a database, quarantines or deletes the file.

EDR - behaviour analysis (login attempts, data transfer), AI/machine learning, can prevent even unknown threats (RESPONSE). Isolates infected endpoints, files, processes, uses pre-defined rules, network analysis, can roll back system changes made by malware.

IPS - Signature based, behavioral anomalies. Application layer control, packet inspection. Blocks malware, DoS. Firewall - security rules. IDS needs human action, IPS does not.

SIEM - Security Information and Event Management. Collects logs from antivirus, firewall, apps etc.

SOAR - Automatic Incident response

Malware - malicious software. Includes: Ransomware, Virus, Trojan, Worm, Spyware, Adware.

Virus - Attaches to legitimate programs or files (needs a host file) and spreads to other computers while sharing (unlike ransomware and adware). Initiated when the file is run or executed.

Trojan - Disguised as legitimate program.

Identity theft protection - Strong password, don't share info, check what you click and where you shop, install anti-malware tools

Worm - like a virus it replicates, but targets the whole network. Enters by vulnerability or email

QRadar - Applications: UBA (User Behaviour Analytics) - insider threats, SOAR

Rule wizard: offence, event, flow (network) and common rules. Common rules - default attacks (data exfiltration, brute force, firewall denies). Default - 5 failed login attempts, but can be changed
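The "5 failed login attempts" rule as plain detection logic over constructed log lines (an added example, not QRadar's own rule engine or code from the notes): the log format, the field names, the threshold and the window are assumptions, and a successful login right after the burst is raised as a second, higher-priority offence.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<iso timestamp> auth user=<name> src=<ip> result=OK|FAIL"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample events: one source failing repeatedly against one account, then succeeding.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 auth user=alice src=10.0.0.7 result=FAIL
2024-05-01T10:00:03 auth user=alice src=10.0.0.7 result=FAIL
2024-05-01T10:00:05 auth user=bob src=10.0.0.9 result=OK
2024-05-01T10:00:06 auth user=alice src=10.0.0.7 result=FAIL
2024-05-01T10:00:08 auth user=alice src=10.0.0.7 result=FAIL
2024-05-01T10:00:09 auth user=alice src=10.0.0.7 result=FAIL
2024-05-01T10:00:20 auth user=alice src=10.0.0.7 result=OK
""".splitlines()

def detect_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Raise one 'brute_force' offence per (user, src) whose FAIL count reaches
    `threshold` inside a sliding `window`, and a 'success_after_brute_force'
    offence if that pair then logs in successfully."""
    fails = defaultdict(deque)     # (user, src) -> timestamps of recent failures
    offences = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue               # skip lines that do not match the expected format
        ts = datetime.fromisoformat(m["ts"])
        key = (m["user"], m["src"])
        if m["result"] == "FAIL":
            q = fails[key]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()        # forget failures that fell out of the window
            if len(q) == threshold:   # fire once, exactly when the threshold is reached
                offences.append({"rule": "brute_force", "user": key[0], "src": key[1], "at": ts})
        elif len(fails[key]) >= threshold:
            offences.append({"rule": "success_after_brute_force", "user": key[0], "src": key[1], "at": ts})
    return offences
```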

Why are VLANs (virtual LANs) used? *For congestion & bandwidth, security, prioritizing certain traffic (VoIP)

Domain controller -DNS

How to stop zero day? Sandboxing

Active directory - database

Domain Controller - A server that authenticates and authorises users during login and provides access to the proper resources in AD. Stores domain user and computer accounts and security policies. Logs user events, distributes group policies. Usually there are at least 2 domain controllers; one is the backup for when the other fails. We install the domain controller to every endpoint and join them to the same domain. Trees & forests and trust relationships. Workgroups (separate) and Domain (group)

Kerberos - Authentication protocol

Password spraying - Trying a few common passwords, or a list of commonly used ones, against many usernames acquired through reconnaissance.

SQL Injection - focuses on manipulating a web application's database by injecting malicious SQL code

Cross-Site Scripting - targets users by injecting malicious scripts into web pages they visit and steals their session. Prevent: ensure all input fields accept only the expected types of input, such as numbers or letters, to prevent scripts. Use HTML sanitization. Encode outputs.
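The two defences the notes list, allow-list input validation and output encoding, applied to a constructed comment form (an added example, not from the original notes): the function names, the username rule and the HTML fragment are assumptions; html.escape is the standard-library encoder.

```python
import html
import re

# "Accept only expected types of input": an allow-list, not a block-list of bad characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def is_valid_username(value: str) -> bool:
    """True only for letters, digits and underscore (1-32 chars)."""
    return USERNAME_RE.match(value) is not None

def validate_username(value: str) -> str:
    """Reject anything outside the allow-list before it reaches storage or rendering."""
    if not is_valid_username(value):
        raise ValueError("invalid username")
    return value

def render_comment(author: str, text: str) -> str:
    """Encode every untrusted value for the context it lands in. html.escape with
    quote=True also encodes ' and ", so the same helper is safe inside a
    double-quoted attribute value as well as in element text."""
    safe_author = html.escape(validate_username(author), quote=True)
    safe_text = html.escape(text, quote=True)
    return f'<div class="comment" data-author="{safe_author}"><p>{safe_text}</p></div>'

def render_comment_unsafe(author: str, text: str) -> str:
    """The vulnerable version for comparison: untrusted input goes straight into the page."""
    return f'<div class="comment" data-author="{author}"><p>{text}</p></div>'
```

Encoding is context-specific: a value placed inside a script block or a URL needs a different encoder than html.escape, so keep untrusted data out of those contexts or encode for them separately.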

DNS - You click a domain and 1) the query is sent to the local DNS resolver, which checks its cache for the IP 2) if it doesn't find it, it sends a recursive query to a root server (13 in the world) and this server 3) refers the query to the TLD (.com) server and 4) this server refers it to the authoritative server, which maintains the IP records 5) and it returns the IP to the recursive DNS resolver 6) and this returns it to the local resolver 7) the browser uses the IP address to connect to the web server hosting the website 8) the web server sends the content to the browser, which displays it on the screen.
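A toy model of the referral chain in steps 1-6 (an added example, not from the original notes): the zone data, server names, the RFC 5737 documentation address and the Resolver class are constructed, and real resolvers add UDP/TCP transport, glue records and TTL-based cache expiry.

```python
from typing import Optional

# Constructed "servers": each maps a name to an answer or a referral to the next server.
ROOT = {"com.": ("REFER", "tld-com")}
TLD_COM = {"example.com.": ("REFER", "ns1.example.com")}
AUTH_EXAMPLE = {"www.example.com.": ("ANSWER", "203.0.113.10")}   # documentation address, constructed
SERVERS = {"root": ROOT, "tld-com": TLD_COM, "ns1.example.com": AUTH_EXAMPLE}

def lookup(server_name: str, qname: str):
    """Ask one server. Returns ('ANSWER', ip), ('REFER', next_server) or ('NXDOMAIN', None);
    a server answers for the longest suffix of qname it knows about."""
    zone = SERVERS[server_name]
    labels = qname.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zone:
            return zone[suffix]
    return ("NXDOMAIN", None)

class Resolver:
    """Recursive resolver with a cache; follows referrals starting at the root."""
    def __init__(self):
        self.cache = {}
        self.trace = []        # servers contacted for the most recent query

    def resolve(self, qname: str) -> Optional[str]:
        if not qname.endswith("."):
            qname += "."
        self.trace = []
        if qname in self.cache:              # step 1: cache hit, no servers contacted
            return self.cache[qname]
        server = "root"                      # step 2: start at a root server
        for _ in range(10):                  # bounded so a referral loop cannot hang the resolver
            self.trace.append(server)
            kind, value = lookup(server, qname)
            if kind == "ANSWER":
                self.cache[qname] = value    # steps 5-6: answer flows back and is cached
                return value
            if kind == "REFER":
                server = value               # steps 3-4: follow the referral to TLD, then authoritative
                continue
            return None                      # NXDOMAIN: no such name
        return None
```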

NetBIOS - Name resolution (IP, MAC), session establish, terminate

NIC - Network Interface Card: has its own MAC address. Converts data to electric signals. Enables connection to the internet

Hub - sends data to all regardless of whether they need it or not, causes congestion, low performance

Sniffing attack- Wireshark (not encrypted pack)

MAC spoofing - Faking your MAC address

ARP poisoning - Associates your MAC with another IP address, e.g. the default gateway. Enables man in the middle and session hijacking

ARP requests - if can't find in cache, broadcasts to learn the MAC address of
a device associated with a particular IP.

VLAN: Helps to group workstations that are not within the same location into the same broadcast domain

VLANs reduce broadcast traffic by confining broadcasts within the VLAN.

Improved security: HR and finance departments can be assigned separate VLANs to prevent unauthorized access.

National Vulnerability Database (NVD) and CVE (Common Vulnerabilities and Exposures). CVSS score

Notorious attacks - WannaCry (2017 ransomware): EternalBlue vulnerability. Stuxnet (2010): worm used by Israel and the US which later spread. LinkedIn breach (117 million personal data records and passwords: 2012)

*Antivirus targets malware on endpoints and operates at the device level, but IPS targets network-based attacks and operates on network traffic to stop attacks in real time before they reach devices.

Types of NAT (Network Address Translation):

1) Static NAT: Maps a single private IP address to a single public IP address, often used for web servers.

2) Dynamic NAT: Uses a pool of public IP addresses and assigns them dynamically to internal devices as needed.

3) PAT (Port Address Translation): Also known as NAT Overload, it allows multiple devices to share a single public IP address by mapping different port numbers to each request. This is the most common form of NAT used in home networks.
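A toy PAT / NAT Overload table (an added example, not from the original notes) showing two private hosts that both use the same source port sharing one public IP, and why an unsolicited inbound packet with no table entry is dropped. The addresses, port range and the Pat class are constructed.

```python
from typing import Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)

class Pat:
    """Map outbound (private ip, port) -> (public ip, allocated port) and translate
    replies back. A reply with no matching entry returns None (dropped): inbound
    connections are blocked by default because nothing created a mapping for them."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table = {}   # (private ip, private port, dst ip, dst port) -> public port
        self.in_table = {}    # (public port, remote ip, remote port) -> (private ip, private port)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate a packet leaving the LAN; reuse the mapping for an existing flow."""
        key = (src[0], src[1], dst[0], dst[1])
        port = self.out_table.get(key)
        if port is None:
            port = self.next_port            # allocate a fresh public port per flow
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(port, dst[0], dst[1])] = src
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Translate a packet from the internet back to the private host, or None to drop it.
        The remote address must match too, so a different host cannot reuse the port."""
        if dst[0] != self.public_ip:
            return None
        return self.in_table.get((dst[1], src[0], src[1]))
```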

IP address 192.168.1.10 with a subnet mask of 255.255.255.0 means:

CIDR: 192.168.1.0/24 means the first 24 bits are the network portion and the remaining 8 bits are for hosts.

IPv4 - 32 bit (32/4 = 8 bits in each part). IPv6 - 128 bit

/24 (8 host bits): 2^8 - 2 = 254 usable addresses (subtracting 2 for the network and broadcast addresses).

/26 (6 host bits): 2^6 - 2 = 62 usable addresses.

IPv6 example (8 sections, each 16 bits) - 2001:0db8:85a3:0000:0000:8a2e:0370:7334
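The subnet arithmetic above checked with the standard ipaddress module, generalised to any prefix length (an added example, not from the original notes): the helper names are constructed, and /31 and /32 are handled as the special cases they are rather than yielding a negative host count.

```python
import ipaddress

def subnet_facts(cidr: str) -> dict:
    """Network, broadcast, mask and usable host count for an IPv4 address/prefix
    such as '192.168.1.10/24' or '192.168.1.10/255.255.255.0' (host bits allowed)."""
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    usable = max(2 ** host_bits - 2, 0)     # minus network and broadcast; 0 for /31 and /32
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "host_bits": host_bits,
        "usable_hosts": usable,
        "first_host": str(net.network_address + 1) if usable else None,
        "last_host": str(net.broadcast_address - 1) if usable else None,
    }

def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both hosts fall in the same network under the given dotted mask,
    i.e. they can talk directly without going through the default gateway."""
    net_a = ipaddress.ip_network(f"{ip_a}/{mask}", strict=False)
    return ipaddress.ip_address(ip_b) in net_a

def ipv6_groups(addr: str) -> list:
    """Expand an IPv6 address to its eight 16-bit groups (undoes '::' compression)."""
    return ipaddress.IPv6Address(addr).exploded.split(":")
```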

Types of Encryption Keys:

1. Symmetric Keys: The same key is used for both encryption and decryption.
Example algorithms include AES and DES.

2. Asymmetric Keys: Uses a public key for encryption and a private key for decryption. RSA is a common example. (PKI - Public Key Infrastructure + Digital Certificate)

Hashing - MD5, SHA-1, SHA256, Argon2, bcrypt

Salting: user password - mypassword, salt - salt123, combined value - salt123mypassword. The combined value is then hashed, e.g. e7b1b8cd..
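The salt + password scheme from the notes in code, beside the form a practitioner would actually store: a random per-user salt with a slow key derivation function (PBKDF2 from hashlib, since the notes list SHA-256 rather than bcrypt or Argon2 parameters) and constant-time verification. This is an added example, not from the original notes; the function names, storage format and iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # work factor; constructed choice, raise it as hardware gets faster

def naive_salted_sha256(password: str, salt: str) -> str:
    """Exactly the notes' scheme: SHA-256 over salt + password. The salt defeats
    precomputed tables, but one fast hash is still cheap to brute-force offline."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()

def hash_password(password: str, salt: bytes = None) -> str:
    """Slow, salted hash stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>'.
    A fresh random salt per user means two users with the same password get different hashes."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so timing does not leak how many leading bytes matched."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, key_hex = parts
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(key.hex(), key_hex)
```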

Network management protocols:

1) SNMP (Simple Network Management Protocol) - network management, device monitoring

2) ICMP - Internet Control Message Protocol: diagnostic functions, network errors (ex: ping, traceroute)

How to defend against ransomware? - Network segmentation (VLAN)

TTL - Time to live - how many hops before "ICMP time exceeded" is returned. Prevents loops (usually 64, 128, 255)

DMZ - Demilitarized Zone. Places public-facing servers in the DMZ. Even if an attacker breaches the DMZ, they are still blocked from accessing the internal network directly.

Threat intelligence - identify vulnerabilities; IOC (indicator of compromise) - recognize patterns: IP addresses, domain names, malware hashes, tools. TTP (Tactic, Technique, Procedure). Tools - Any.run, VirusTotal (hash, IP)

Cyber Kill Chain:

Reconnaissance (OSINT, Nmap, Shodan), Weaponization (Metasploit, Cobalt Strike, PowerShell Empire), Delivery (USB, phishing, websites), Exploitation, Installation (backdoor), Command and Control (C2) - hands on keyboard, Action - data exfiltration, encryption for ransom

Prevent data breach - Train employees, strong passwords, monitor traffic, limit access (ACL), patch vulnerabilities, encrypt data, 2FA, breach recovery plan (cloud)

RADIUS (UDP) - Networking protocol for AAA (authentication, authorization, accounting): authenticates and authorizes users who connect to the network remotely (WiFi or VPN) + tracks user activity (login/logout etc.)

TACACS+ - Network device (router or switch) administration. Command authorization - restricts the commands users can execute. (AAA)

WAF (Web Application Firewall) - Web application scanning, filtering, inspection

MDM - Mobile Device Management, remote configuration, enforces security policies

PAM - Privileged Access Management (least privilege principle), role-based access

SMB (Server Message Block) - Centralized file sharing, collaborative access, printing services. SMB2 (3) - improved versions with encryption and better performance

NTLM (NT LAN Manager) - security protocols used by Microsoft for authenticating users and ensuring the integrity and confidentiality of their interactions with Windows systems. Newer Windows versions now rely on Kerberos

NTFS, FAT32, exFAT - File systems

NTFS - Supports ACLs (file, folder permissions), file encryption (EFS), compression to save disk space

SMTP - Simple Message Transfer Protocol
