Public
OWASP TOP 10:
A4- XML External Entities (XXE)
A7- Cross-Site Scripting (XSS)
A9- Using Components with Known Vulnerabilities
A10- Insufficient Logging & Monitoring
The OSI Reference Model:
Layer | Description | Technologies | Data Unit |
1 | Physical | USB, Bluetooth | Bit |
2 | Data Link | ARP, PPP | Frame |
3 | Network | IP | Packet |
4 | Transport | TCP | Segment |
5 | Session | X255, SCP | Data |
6 | Presentation | AFP, MIME | Data |
7 | Application | FTP, HTTP, SMTP | Data |
TCP/IP Model:
Layer | Description | OSI Layer Equivalent |
1 | Network Access | 1, 2 |
2 | Internet | 3 |
3 | Transport | 4 |
4 | Application | 5-7 |
TCP Handshake:
SYN -> SYN-ACK -> ACK
ARP
Resolves IP address to physical address
Network Security Zones
Internet - uncontrollable
Internet DMZ - controlled buffer network
Production Network Zone - very restricted; controls direct access from uncontrolled zones; has no users
Intranet Zone - controlled; has little to no heavy restrictions
Management Network Zone - might find VLANs and IPSEC; highly secured; strict policies
Vulnerabilities
Common Vulnerability Scoring System (CVSS) - places numerical score based on severity
National Vulnerability Database (NVD) - US government repository of vulnerabilities
Vulnerability Categories
Misconfiguration - improperly configuring a service or application
Default installation - failure to change settings in an application that come by default
Buffer overflow - code execution flaw
Missing patches - systems that have not been patched
Design flaws - flaws inherent to system design such as encryption and data validation
Operating System Flaws - flaws specific to each OS
Default passwords - leaving default passwords that come with system/application
Vulnerability Management Tools
Nessus
Qualys
GFI Languard
Nikto
OpenVAS
Retina CS
Terms to Know
Hack value - perceived value or worth of a target as seen by the attacker
Zero-day attack - attack that occurs before a vendor knows or is able to patch a flaw
Doxing - searching for and publishing information about an individual usually with a malicious intent
Enterprise Information Security Architecture (EISA) - process that determines how systems work within an organization
Incident management - deals with specific incidents to mitigate the attack
Threat Modeling
Identify security objectives
Application Overview
Decompose application
Identify threats
Identify vulnerabilities
Risk Management
Risk identification
Risk assessment
Risk treatment
Risk tracking
Risk review
*Uses risk analysis matrix to determine threat level
Types of Security Controls
Description | Examples |
Physical | Guards, lights, cameras |
Technical | Encryption, smart cards, access control lists |
Administrative | Training awareness, policies |
Description | Examples |
Preventative | authentication, alarm bells |
Detective | audits, backups |
Corrective | restore operations |
Business Analysis
Business Impact Analysis (BIA)
Maximum Tolerable Downtime (MTD)
Business Continuity Plan (BCP)
Disaster Recovery Plan (DRP)
Annualized Loss Expectancy (ALE)
Annual Rate of Occurrence (ARO)
Single Loss Expectancy (SLE) $$ ALE = SLE * ARO $$
User Behavior Analysis (UBA) - tracking users and extrapolating data in light of malicious activity
CIA Triad
Confidentiality - passwords, encryption
Integrity - hashing, digital signatures
Availability - anti-dos solutions
Bit flipping is an example of an integrity attack. The outcome is not to gain information - it is to obscure the data from the actual user.
Confidentiality != authentication - MAC address spoofing is an authentication attack
Common Criterial for Information Technology Security Evaluation
Routinely called "Common Criteria" (CC)
Evaluation Assurance Level (EAL) - goes from level 1 - 7
Target of Evaluation - the system that is being tested
Security Target (ST) - document describing the TOE and security requirements
Protection Profile (PP) - security requirements that are specific to the type of device being tested
Access Control Types
Mandatory (MAC) - access is set by an administrator
Discretionary (DAC) - allows users to give access to resources that they own and control
Security Policies
Access Control - what resources are protected and who can access them
Information Security - what can systems be used for
Information Protection - defines data sensitivity levels
Password - all things about passwords (how long, characters required, etc.)
E-Mail - proper and allowable use of email systems
Information Audit - defines the framework used for auditing
Policy Categorizations
Promiscuous - wide open
Permissive - blocks only known dangerous things
Prudent - blocks most and only allows things for business purposes
Paranoid - locks everything down
Standards - mandatory rules to achieve consistency
Baselines - provide the minimum security necessary
Guidelines - flexible or recommended actions
Procedures - step by step instructions
Script Kiddie - uneducated in security methods, but uses tools that are freely available to perform malicious activities
Phreaker - manipulates telephone systems
The Hats
White Hat - ethical hackers
Black Hat - hackers that seek to perform malicious activities
Gray Hat - hackers that perform good or bad activities but do not have the permission of the organization they are hacking against
Hacktivist - someone who hacks for a cause
Suicide Hackers - do not case about any impunity to themselves; hack to get the job done
Cyberterrorist - motivated by religious or political beliefs to create fear or disruption
State-Sponsored Hacker - hacker that is hired by a government
Attack Types
Operating System (OS) - attacks targeting OS flaws or security issues inside such as guest accounts or default passwords
Application Level - attacks on programming code and software logic
Shrink-Wrap Code - attack takes advantage of built-in code or scripts
Misconfiguration - attack takes advantage of systems that are misconfigured due to improper configuration or default configuration
Infowar - the use of offensive and defensive techniques to create an advantage
Hacking Phases
Reconnaissance - gathering evidence about targets
Scanning & Enumeration - obtaining more in-depth information about targets
Gaining Access - attacks are leveled in order to gain access to a system
Maintaining Access - items put in place to ensure future access
Covering Tracks - steps taken to conceal success and intrusion
Types of Reconnaissance
Passive - gathering information about the target without their knowledge
Active - uses tools and techniques that may or may not be discovered
Security Incident and Event Management (SIEM)
Functions related to a security operations center (SOC)
Identifying
Monitoring
Recording
Auditing
Analyzing
Ethical hacker - employs tools that hackers use with a customer's permission; always obtains an agreement from the client with specific objectives before any testing is done
Cracker - uses tools for personal gain or destructive purposes
Penetration Test
Clearly defined, full scale test of security controls
Phases
Preparation - contracts and team determined
Assessment - all hacking phases (reconnaissance, scanning, attacks, etc.)
Post-Assessment - reports & conclusions
Types
Black Box - done without any knowledge of the system or network
White Box - complete knowledge of the system
Gray Box - has some knowledge of the system and/or network
Law Categories
Criminal - laws that protect public safety and usually have jail time attached
Civil - private rights and remedies
Common - laws that are based on societal customs
Laws and Standards
OSSTM Compliance - "Open Source Security Testing Methodology Manual" maintained by ISECOM , defines three types of compliance
Legislative - Deals with goverment regulations (Such as SOX and HIPAA)
Contractual - Deals with industry / group requirement (Such as PCI DSS)
Standards based - Deals with practices that must be followed by members of a given group/organization (Such as ITIL ,ISO and OSSTMM itself)
OSSTM Controls
OSSTM Class A - Interactive Controls
Authentication - Provides for identification and authorization based on credentials
Indemnification - Provided contractual protection against loss or damages
Subjugation - Ensures that interactions occur according to processes defined by the asset owner
Continuity - Maintains interactivity with assets if corruption of failure ccours
Resilience - Protects assets from corruption and failure
OSSTM Class B - Process Controls
Non-repudiation - Prevents participants from denying its actions
Confidentiality - Ensures that only participants know of an asset
Privacy - Ensures that only participants have access to the asset
Integrity - Ensures that only participants know when assets and processes change
Alarm - Notifies participants when interactions occur
ISO 27001 - Security standard based on the British BS7799 standard, focuses on secuirty governance
NIST-800-53 - Catalogs security and privacy controls for federal information systems, created to help implementation of FISMA
ISO 27002 AND 17799 - Based on BS799 but focuses on security objectives and provides security controls based on industry best pratice
FISMA - "Federal Information Security Modernization Ac Of 2002" A law updated in 2004 to codify the authority of the Department of Homeland Security with regard to implementation of information security policies
FITARA - "Federal Information Technology Acquisition Reform Act" A 2013 bill that was intended to change the framework that determines how the US GOV purchases technology
HIPAA - "Health Insurance Portability and Accountability Act" a law that set's privacy standards to pro tect patient medical records and health information shared between doctors, hospitals and insurance providers
PCI-DSS - "Payment Card Industry Data Security Standard" Standard for organizations handling Credit Cards, ATM cards and other POS cards
COBIT - "Control Object for Information and Related Technology" IT Governance framework and toolset , created by ISACA and ITGI
SOX - "Sarbanes-Oxley Act" Law that requires publicly traded companies to submit to independent audits and to properly disclose finical information
GLBA - "U.S Gramm-Leach-Bliley Act" Law that protects the confidentiality and integrity of personal information that is collected by financial institutions.
CSIRT - "Computer Security Incident Response Team" CSIRT provided a single point of contact when reporting computer security incidents
ITIL - "Information Technology Infrastructure Library" - An operational framework developed in the '80s that standardizes IT management procedures
Controls
Directive - Also known as procedural controls because they deal with company procedures such as security policies, operations plans, and guidelines.
Deterrent - Controls that are used to dissuade potential attackers, such as signs that warn possible attackers about the alarm system and monitoring in place.
Preventive - Controls used to stop potential attacks by preventing users from performing specific actions, such as encryption and authentication
Compensating - Controls used to supplement directive controls, such as administrator reviewing logs files for violations of company policy
Detective - Controls used to monitor and alert on malicious or unauthorized activity , such as IDS's and CCTV feeds monitored in real life
Corrective - Controls used to repair damage caused by malicious events. Such as AntiVirus software and IPS (IPS being both a detective and corrective control)
Recovery
Last updated