Terms in this set (147)
Well known ports:
3. Lateral Movement
4. Report to Management
4. Lateral movement
5. Action (data exfiltration)
Pen Test --> Kill Chain:
Black Box = None
Grey = Partial
White = Full
Previous knowledge before a Pen Test:
Sysadmin is not aware of the test
Used to verify that hardware can be trusted (ensured by NSA):
Which are LESS reliable: Disassemblers or Decompilers
Sandbox used for Malware Testing
Linux distribution loaded with Malware reverse engineering tools:
Table Top Exercise
Live Fire Exercise
Pattern of Life - traffic representative of everyday activities
Red = Bad guys
Blue = Good guys
White = Neutral guys
Red team vs blue team vs white team
Value x Probability
Standard Risk Formula:
Potential Loss x Probability of Occurrence
Center for Internet Security
Critical Security Controls
Level 0 = Field Instrumentation
Level 1 = PLCs
Level 2 = Human Machine Interaction (i.e., engineering workstations)
Level 3 = App Servers / Publishing Servers
Level 4 = Corporate Network
What are the ICS (Industrial Control System Levels)?
Supervisory Control and Data Acquisition Systems (ICS systems)
Security Content Automation Protocol - for reporting vulnerabilities
Vulnerability Scanner by Tenable
Nessus Attack Scripting Language
Free Framework by Greenbone Network, used for vulnerability scanning
Network Vulnerability Tests
Web Server vulnerability scanner with NO GUI
Common Vulnerability Scoring System - standard for quantifying vulnerabilities
Base: characteristics common over time and environments
Temporal: characteristics that may change over time, but NOT over environments
Environmental: characteristics unique to a specific environment
Name the 3 CVSS Metric Types:
Memorandum Of Understanding - outlines duties and expectations of vulnerability scans
1. Choose a tool
2. Establish MOU
3. Determine scanning frequency and type
What are the 5 steps of Managing Vulnerability Scanning?
Defense Information System Agency - provides IT support for any branch that is responsible for the defense of the country
Security Technical Implementation Guides - methodology for enhancing security
Technical Team --> Management --> Contractor --> Government
What is the escalation path for Incident Response?
2. Detect & Analysis
3. Contain, Eradicate, & Recover
4. Post activities
What are the steps in the IR Lifecycle?
Indicators Of Compromise
Computer Emergency Readiness Team
Information Sharing & Analysis Center
1. Threat intelligence value
2. Crime scene evidence
3. Ability to restore
What are the 3 factors to consider before removing a host from the network?
This type of analysis lets a system run and you just observe behavior.
This type of analysis involves disassemblers or decompilers.
1. SANS Internet Storm Center
2. CERT Coordination Center @ Carnegie Mellon
The latest software bugs can usually be found at these two sites:
Advanced Persistent Threat
Techniques, Tactics, & Procedures
Max Tolerable Downtime
Probability & Criticality
What are the primary components of Risk Analysis?
What are the 3 types of data that can have serious consequences?
2. Recovery Time
3. Data Integrity
4. Economic Considerations
5. System Process Criticality
What are the 5 key factors for determining scope of impact?
Digital Forensics focuses on only these questions:
1. Evidence collection should not affect integrity
2. Personnel should be trained
3. Investigator's activities should be documented and reviewed
These are the 3 rules developed by the National Institute of Justice as guidance for forensics:
What are the 4 phases of Forensic Investigations?
1. Prepare destination media
2. Prevent changes to original
3. Hash original evidence
4. Copy original evidence
5. Verify copy
6. Safeguard original evidence
What are the 6 steps of Acquisition?
Used to encrypt evidence to prevent tampering
1. /etc - primary system directory and where apps go
2. /var/log - app logs
These are the 3 key Linux directories to look for evidence in:
1. Bandwidth utilization abnormal
3. Irregular peer-to-peer communication
What are 3 key symptoms of a compromised host?
National Institute of Standards & Technology - a non-regulatory agency of the Dept of Commerce.
Security & Privacy controls for Federal Information Systems and Organizations; outlines controls put in place to be compliant with FIPS
NIST Special Publication (SP) 800-53
Federal Information Processing Standards
Cyber Security Framework: 3 parts
1. Framework Core (5 functions common to all orgs)
2. Implementation Tiers (categorize practices T1-T4)
3. Framework Profile (compares current state to desired state)
CSF Framework Core:
Control Objectives for Information & related Technology - a framework and set of control objectives developed by ISACA and ITGI used to define goals for the controls to manage IT and ensure it maps to business needs.
What is COBIT?
1. Plan & Organize
2. Acquire & Implement
3. Deliver & Support
4. Monitor & Evaluate
What are the 4 domains of COBIT?
Sherwood Applied Business Security Architecture - Framework and methodology for enterprise security architecture and service management.
The Open Group Architecture Framework - Framework used to iteratively develop business, data, application, & security architecture
Acceptable Use Policy
Electronically Stored Information
Electronic Discovery Reference Model - 8 steps
What is EDRM and what does it stand for?
1. Administrative (policies and procedures)
2. Technical/Logical (hardware and software)
3. Physical (ie, security guards)
What are the 3 types of Compensation Controls?
Gramm-Leach-Bliley Act - protects consumer financial information
Federal Information Security Management Act - applies to IS belonging to Federal agencies
Capability Maturity Model Integration - comprehensive guidelines for developing products and software
What is CMMI?
What are the 5 levels of CMMI?
Context based authentication falls into these 4 categories:
3. Session hijacking
5. Privilege escalation
What are the 6 key authentication system exploits?
Cross-site scripting - accesses information stored in the browser and then executes code there
Trend - helps predict future
Historical - simply compares past to present
Trend Analysis vs Historical Analysis
Audit logging for a Linux machine
Testing code that has been modified to make sure security flaws and functionality were not compromised
Used to test traffic passing between two endpoints, normally to investigate input, parameters, plaintext creds, & session tokens
Sending large amounts of random/flawed data to trigger failures and exploit problems
Software Engineering Institute - Best practices for secure coding & CMMI
CMMI for Development - 4 main areas
1. Organizational Preparedness for Secure Development
2. Security management in projects
3. Security requirements & technical solutions
4. Security verification and validation
Open Web Application Security Project - non-profit org aimed to increase security of software
2. Broken authentication & session management
4. Insecure direct object references
5. Security Misconfigurations
6. Sensitive Data Exposure
7. Missing function level access controls
8. Cross-site request forgery (CSRF)
9. Using components with known vulnerabilities
10. Non-validated redirects and forwards
Top 10 Web Application Security Risks
Specializes in Information Security & Cybersecurity training
1. Display generic error messages
2. Implement account lockouts
3. Limit sensitive data use
4. Use HTTPS everywhere
5. Use parameterized SQL queries
6. Automate application deployment
These are 6 recommendations from SANS institute for application security:
Center for Internet Security - non-profit with goal to enhance cybersecurity for private and public orgs
1. Integrated Intelligence Center - receives threat reports and shares them.
2. MS-ISAC - focuses on SLTT government partners
3. Trusted Purchasing Alliance
4. Security Benchmarks Division - design recommendations & benchmarks
CIS 4 main divisions
2. Cisco ASA with FirePOWER
3. Palo Alto
Top three firewalls:
IDS with scripting that can make it function like an IPS
Open source IDS/IPS
Web Application Firewall (WAF)
Web Application Firewall (WAF) - open source
Web Application Firewall (WAF) - open source, high performance
SIEM: AlienVault's version of OSSIM
Unified Security Management Platform
Logging - SIEM like
Open Source Security Information Manager - free set of tools integrated to provide a SIEM solution
SIEM created by Security Intelligence Platform
Vulnerability Scanner by Tenable, for large enterprises
Free Open Source Vulnerability Scanner by Greenbone Networks, for large enterprises
Vulnerability Scanner by Rapid7
Command line Open Source Vulnerability Scanner
Free tool that provides basic network graphing
Similar to MRT, a free tool that provides network graphing
Traffic monitoring and analytics
Interception Proxy by PortSwigger - Web application scanning/vulnerability tool
Interception Proxy by OWASP - web application testing
Interception Proxy by Subgraph - web application testing
Free framework, but customized by Rapid7 to offer paid add-ons - pen test software
XML Fuzzer by PortSwigger - discovers vulnerabilities in web clients and servers
Fuzzer by OWASP - automated fuzzing platform
Windows based Fuzzer
Microsoft SDL Fuzzer
Digital Forensic Suite by Guidance Software
Forensic imaging tool by AccessData
Digital Forensic Suite by e-fense
Universal Forensic Extraction Device - Mobile Forensic Suite by Cellebrite
Windows password cracking tool
Cain & Abel
What are the levels of syslog messages from most to least severe?
2. PKCS7 & PKCS12
What are the PKI standards for X.509?
Security Controls for FISO: 18 Families, each assigned to 1 of 3 classes (Technical, OP/Admin, Mgmt)
Course of Action for Incident Scenarios
What is a CoA Matrix
What are the 3 CSA+ Security Control Classes
What are the CSA Functions of Security Controls?
Exposure Factor - % of an asset's value that would be lost
Single Loss Expectancy - Value x EF
*amount lost from a single incident
Annual Loss Expectancy: SLE x ARO
What is an example of a Qualitative Risk Approach?
1. Test object (prove effectiveness or discover weakness)
2. Understand security system and document weaknesses
3. Interview personnel
SP 800-115: NIST's technical guide to Information Security Testing & Assessment is based on these 3 principal activities:
1. External Threat
2. Internal Threat
Pen Tests are generally divided into these 3 classes
What are the 6 Rules of Engagement (per CSA+)?
Used to determine who works at a company (get names)
What is Email Harvesting?
Follows code in website looking for useful data or sometimes vulnerabilities.
What is Website Ripping
A tool used for Topology Discovery
What is footprinting?
2. Social Engineering
What are the 3 main categories of Recon?
A detailed analysis of services running on a host.
What is Fingerprinting
This tool is commonly used to determine what services are running on a target host.
This tool is a GUI version of Netstat
What tool is commonly used to prevent NMap scanning?
NMap probes are being blocked by a firewall
NMAP reports the state of port 80 as "filtered." What does this indicate?
2. Open | Filtered
3. Closed | Filtered
What are NMap port states of unreliable scans?
If a UDP packet is sent and nothing is received, it could indicate the port is open or that a firewall is blocking it. The result is inconclusive. A better approach is to send an application-specific UDP packet, but these are limited.
Also, UDP does not send ACKs, so timeouts must occur, which will result in long scanning times.
What is the problem with UDP scanning?
Port is closed.
You just performed a SYN scan to a target on port 80. The target responded with an RST packet. What does this indicate?
To determine if there is a Firewall, since results will only show as filtered or unfiltered.
When might you use an ACK scan?
High # of false positives, host disruptions, and high network bandwidth utilization.
What is the downside of non-invasive scanning?
Exploit gives you access...Payload is what is executed after you gain access.
Exploit vs Payload