<h1>Security+</h1>

## Incident Response

### Incident Response Procedures
Incident response is split into 6 phases.
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned

#### Preparation
This phase involves activities and planning that occur before an incident actually takes place. Its primary goal is to ensure that an organization is ready to respond promptly and effectively when an incident occurs.

#### Identification
The process of recognizing whether an event that occurs should be classified as an incident.

#### Containment
Focused on isolating the incident.
- Imagine it is a virus: you want to stop it from propagating, so you take the system offline.

#### Eradication
Remove the threat or attack.
- Now that the system is offline, you want to remove the threat safely.

#### Recovery
Focused on data restoration, system repair, and re-enabling any servers or networks taken offline during the incident response.
- Now that it's virus free, you want to recover what was lost, repair the system and put it back online.

#### Lessons Learned
A process used to document the incident response process and to make changes that improve the procedures and processes used.
- You sit at the table and discuss how the other steps went: what was OK and what could have been better.

### Incident response planning
An incident response team is made up of key people who are available to respond to any incident that meets the severity and priority thresholds set out by the incident response plan.

It consists of:
- Incident response manager
  - Oversees and prioritizes actions during the detection, analysis, and containment of an incident.
- Security Analyst
  - The detective that determines what happened up until that point.
- Triage Analyst
  - Assigned to work on the network during the incident response.
  - Responsible for filtering out false positives, and for monitoring and analysis to detect any new or potential intrusions.
- Forensic Analyst
  - The detective, focused on figuring out what has already happened on the network, recovering key artifacts and evidence, and then using these to build a timeline.
- Threat Researcher
  - Provides threat intelligence and overall context during incident response; always up to date on current threats and news.
- Cross functional support
  - Any person: could be a system administrator, a lawyer, HR, accounting. They're basically there as support.

## Networking

### OSI
Used to explain network communications between a host and a remote device over a LAN or WAN.

This is bottom up:

Please (Physical) Do (Data Link) Not (Network) Throw (Transport) Sausage (Session) Pizza (Presentation) Away (Application)

#### Physical
Represents the actual network cables and radio waves used to carry data over a network. Here: cables and radios. (Bits)

#### Data Link
Describes how a connection is established, maintained and transferred over the physical layer, and uses physical addressing (MAC addresses). Here: MAC addresses and switches. (Frames)

#### Network
Uses logical addresses to route or switch information between hosts, the network and the internetworks. Here: IP, L3 switches and routers. (Packets)

#### Transport
Manages and ensures that transmission of the packets occurs from a host to a destination using either TCP or UDP. (Segments - TCP) (Datagrams - UDP)

#### Session Layer
Manages the establishment, termination and synchronization of a session over the network.

#### Presentation Layer
Translates the information into a format that the sender and receiver both understand.

#### Application layer
The layer from which the message is created, formed, and originated. (HTTP, SMTP and FTP)

### Network Access Control (NAC)
A security technique in which devices are scanned to determine their current state prior to being allowed access onto a given network.
It can be used as a hardware or software solution.

If a device fails the inspection, it is placed into digital quarantine, where it is only allowed to receive communication, not initiate it.

#### Persistent agents
A piece of software that is installed on the device requesting access to the network.

#### Non-Persistent agents
Uses a piece of software that scans the device remotely, or is installed and subsequently removed after the scan.

#### IEEE 802.1x
A standard used in port-based NAC.

### NAT (Network Address Translation)
Process of changing an IP address while it transits across a router.

#### PAT (Port Address Translation)
The router keeps track of requests from internal hosts by assigning them random high number ports for each request.

###### What we normally use at home

## Network Attacks

### Ports
A port is a logical communication endpoint that exists on a computer or server.
- Inbound ports
- Outbound ports

#### Well known ports
Ports **0 - 1023** are considered well-known and are assigned by the Internet Assigned Numbers Authority (IANA).

#### Registered ports
Ports **1024 - 49151** are considered registered and are usually assigned to proprietary protocols.

#### Dynamic or Private ports
Ports **49152 - 65535** can be used by any application without being registered with IANA. Temporary outbound connections from your PC will use this range.

#### Memorizing ports

###### Please note: if asked, there are actually 65536 ports; however, only 65535 are usable, as port 0 is the wildcard (like in networking).

- 21 TCP - FTP (File Transfer Protocol) is used to transfer files from host to host.
- 22 TCP/UDP - SSH, SCP, SFTP (Secure Shell) is used to remotely administer network devices and systems; SCP is used for secure copy and SFTP for secure FTP.
- 23 TCP/UDP - Telnet (Unencrypted method to remotely administer network devices, should not be used.)
- 25 TCP - SMTP (Simple Mail Transfer Protocol) is used to send email over the internet.
- 53 TCP/UDP - DNS (Domain Name Service) is used to resolve hostnames to IPs and IPs to hostnames.
- 69 UDP - TFTP (Trivial FTP) is used as a simplified version of FTP to put a file on a remote host or get a file from a remote host.
- 80 TCP - HTTP (Hyper Text Transfer Protocol) is used to transmit web page data to a client for unsecured web browsing.
- 88 TCP/UDP - Kerberos (Used for network authentication using a system of tickets within a Windows Domain)
- 110 TCP - POP3 (Post Office Protocol V3) is used to *receive* email from a mail server.
- 119 TCP - NNTP (Network News Transfer Protocol) is used to transport Usenet articles.
- 135 TCP/UDP - RPC/DCOM-scm (Remote Procedure Call) is used to locate DCOM ports to request a service from a program on another computer on the network.
- 137 - 139 TCP/UDP - NetBIOS is used to conduct name querying, sending of data, and other functions over a NetBIOS connection.
- 143 TCP - IMAP (Internet Message Access Protocol) is used to receive email from a mail server with more features than POP3.
- 161 UDP - SNMP (Simple Network Management Protocol) is used to remotely monitor network devices.
- 162 TCP/UDP - SNMPTRAP (Used to send Trap and InformRequests to the SNMP manager on a network)
- 389 TCP/UDP - LDAP (Lightweight Directory Access Protocol) is used to maintain directories of users and other objects.
- 443 TCP - HTTPS (Hyper Text Transfer Protocol Secure) is used to transmit web page data to a client over a TLS encrypted connection.
- 445 TCP - SMB (Server Message Block) is used to provide shared access to files and other resources on a network.
- 465/587 TCP - SMTP SSL/TLS (Used to send email over the internet with an SSL and TLS secured connection)
- 514 UDP - Syslog (Used to conduct computer message logging, especially for router and firewall logs)
- 636 TCP/UDP - LDAP SSL/TLS (Used to maintain directories of users and objects over encrypted SSL/TLS)
- 860 TCP - iSCSI is used for linking data storage facilities over IP.
- 989/990 TCP - FTPS (File Transfer Protocol Secure) is used to transfer files from host to host over an encrypted connection.
- 993 TCP - IMAP4 SSL/TLS (Internet Message Access Protocol) is used to receive email from a mail server over an SSL/TLS encrypted connection.
- 995 TCP - POP3 SSL/TLS (Post Office Protocol V3) is used to receive email from a mail server using an SSL/TLS encrypted connection.
- 1433 TCP - Ms-sql-s (Microsoft SQL Server) is used to receive SQL database queries from clients.
- 1645-1646 UDP - RADIUS (Remote Authentication Dial-In User Service) is used for authentication and authorization (1645) and accounting (1646).
- 1701 UDP - L2TP (Layer 2 Tunnel Protocol) is used as an underlying VPN protocol but has no inherent security.
- 1723 TCP/UDP - PPTP (Point-to-Point Tunneling Protocol) is an underlying VPN protocol with built-in security.
- 1812-1813 UDP - RADIUS (Remote Authentication Dial-In User Service) is used for authentication and authorization (1812) and accounting (1813).
- 3225 TCP/UDP - FCIP (Fibre Channel IP) is used to encapsulate Fibre Channel frames within TCP/IP packets.
- 3260 TCP - iSCSI Target (A listening port for iSCSI target devices when linking data storage facilities over IP)
- 3389 TCP/UDP - RDP (Remote Desktop Protocol) is used to remotely view and control other Windows systems via a GUI.
- 3868 TCP - Diameter (A more advanced AAA protocol that is a replacement for RADIUS)
- 6514 TCP - Syslog TLS (Used to conduct computer message logging, especially for router and firewall logs, over a TLS encrypted connection)

### DoS (Denial of Service)
Term used to describe many different types of attacks which attempt to make a computer or server's resources unavailable.

#### Flood Attack
A specialized type of DoS which attempts to send more packets to a single server or host than it can handle.
- Ping flood
  - An attacker attempts to flood the server by sending too many ICMP echo request packets, AKA pings.
- Smurf attack
  - Attacker sends a ping to a subnet broadcast address and the devices reply to the spoofed IP (victim server), using up bandwidth and processing power.
- Fraggle attack
  - Attacker sends a UDP echo packet to port 7 (ECHO) and port 19 (CHARGEN) to flood a server with UDP packets.
- SYN Flood
  - Variant on a DoS where the attacker initiates multiple TCP sessions but never completes the 3-way handshake.
  - Flood guards, time-outs and an IPS (Intrusion Prevention System) can prevent SYN Floods.
- XMAS Attack
  - A specialized network scan that sets the FIN, PSH, and URG flags and can cause a device to crash or reboot.

#### Ping of Death
An attack that sends an oversized and malformed packet to another computer or server. Old.

#### Teardrop Attack
Attack that breaks apart packets into IP fragments, modifies them with overlapping and oversized payloads, and sends them to a victim machine.

#### PDoS (Permanent Denial of Service)
Attack which exploits a security flaw to permanently break a networking device by reflashing its firmware.

#### Fork Bomb
Attack that creates a large number of processes to use up the available processing power of a computer.

### DDoS
A group of compromised systems attack a single target simultaneously to create a DoS.

#### DNS Amplification
Attack which relies on the large amount of DNS information that is sent in response to a spoofed query on behalf of the victimized server.

#### Stopping a DDoS
- Blackholing or Sinkholing
  - Identifies any attacking IP addresses and routes all their traffic to a non-existent server through a null interface.

### Spoofing
Occurs when an attacker masquerades as another person by falsifying their identity.

### Hijacking
Exploitation of a computer session in an attempt to gain unauthorized access to data, services or other resources on a computer or server.

#### Session theft
Attackers guess the session ID for a web session, enabling them to take over the already authorized session of the client.

#### TCP/IP Hijacking
Occurs when an attacker takes over a TCP session between two computers without the need of a cookie or other host access.

#### Blind Hijacking
Occurs when an attacker blindly injects data into the communication stream without being able to see whether it is successful or not.

#### Clickjacking
Attack that uses multiple transparent layers to trick a user into clicking on a button or link in a page when they were intending to click on the actual page.

#### MitM (Man-in-the-Middle)
Attack that causes data to flow through the attacker's computer, where they can intercept or manipulate the data. Also known as On-Path.

#### MitB (Man-in-the-Browser)
Occurs when a Trojan infects a vulnerable web browser and modifies the web pages or transactions being done within the browser.

#### Broken Authentication
A software vulnerability where the authentication mechanism allows an attacker to gain entry.
- Weak password credentials
- Weak password reset methods
- Credential hijacking
- Session hijacking

#### Watering hole
Occurs when malware is placed on a website that the attacker knows his potential victims will access.

#### XSS (Cross-Site Scripting)
Cross-site scripting is another vulnerability that you can use to conduct session hijacking against a victim.

### Replay attack
Network-based attack where a valid data transmission is fraudulently or maliciously rebroadcast, repeated or delayed.

Basically, an attacker can wait for you to log in to your bank account and then replay that login to gain access to your account.

This was used in wireless hacking, where you would capture a handshake and then replay it to gain access to that Wi-Fi; however, it only works against older protocols.

### Null Connection
A connection to the Windows interprocess communication share (IPC$).

```
net use \\IP\ipc$ "" /u:""
```

The first `""` is the password, so here you're saying you have a blank password; the second `""` refers to the username. So: a blank username and password.

How to mitigate?
- Block 445 (SMB) and 139 (NetBIOS).
- IPS at the boundary.

### Transitive attacks
They aren't really an attack, but more of a conceptual method.

The transitive property comes from mathematics: for example, if A=B and B=C, then A=C.

This applies to transitive trust when it comes to networks, like the family tree analogy: if network A trusts B and B trusts C, then A trusts C. However, an attacker just needs to get into one of the networks for all the networks to trust him.

### DNS attacks
- DNS Poisoning
  - Occurs when the name resolution information is modified in the DNS server's cache.
  - This modification of data is done to redirect client computers to fraudulent or incorrect websites, usually as a setup for follow-on attacks.
  - As a way to combat this, DNSSEC was created; it uses encrypted digital signatures when passing DNS information between servers.
- Unauthorized Zone Transfer
  - Occurs when an attacker requests replication of the DNS information to their systems for use in planning future attacks.
- Altered Hosts file (/etc/hosts)
  - Occurs when an attacker modifies the hosts file to have the client bypass the DNS server and redirects them to an incorrect or malicious website.
- Pharming
  - Occurs when an attacker redirects one website's traffic to another website that is bogus or malicious.
- Domain Name Kiting
  - Attack that exploits the process by which a domain name is registered so that the domain name is kept in limbo and cannot be registered by an authenticated buyer.
  - Basically, the way it works: imagine that Facebook was just created and hasn't bought any domain names yet, like facebook.com. I could abuse the way a domain is bought: if you "buy" a domain you have a 5-day grace period before being billed, and if I remove the domain before those 5 days are up I'm not billed. So I keep that domain in limbo by adding, removing, adding, removing, so Facebook cannot buy it and I'm not paying.

### ARP Poisoning
- ARP (Address Resolution Protocol) is used for mapping an IP address to a physical machine address that is recognized in the local network.

Attack that exploits the IP address to MAC resolution in a network to steal, modify or redirect frames within the local area network.

To prevent this, implement good VLAN segmentation and DHCP Snooping, to ensure that IP addresses aren't getting yoinked by an attacker.

## Securing Networks

### Securing network devices
Network devices include switches, routers, firewalls and more.

#### Default Accounts
A user or admin level account that is installed on a device by the manufacturer during production.
- Weak passwords
- Known username

#### Privilege escalation
Occurs when a user is able to gain the rights of another user or administrator.
- Horizontal escalation means that an attacker can log into user A, and then escalate to user B.
- Vertical escalation means that an attacker logs into user A but then escalates to admin.

#### Backdoor
A way of bypassing normal authentication in a system.

Because these devices are made of hardware and software, an attacker can gain access and install a backdoor on the device.

### Securing network media
Copper, fiber optic and coaxial cabling used as the connectivity method in a wired connection.

#### EMI (Electromagnetic Interference)
A disturbance that can affect electrical circuits, devices and cables due to radiation or electromagnetic conduction.
- Install shielding around the source or shield the cables.

#### RFI (Radio Frequency Interference)
A disturbance that can affect electrical circuits, devices and cables due to AM/FM transmissions or cell towers.
- RFI causes more problems for wireless networks.
- It can be mitigated by shielding the building itself, or by using stronger devices that overcome the interference.

#### Crosstalk
Occurs when a signal is transmitted on one copper wire and creates an undesired effect on another wire.
- Very common on older Cat network cables, like Cat3 or early versions of Cat5; Cat5E and Cat6A aren't subject to crosstalk nearly as much.

#### Data Emanation
The electromagnetic field generated by a network cable or device when transmitting.

An attacker can listen to the data being sent; however, this is not common unless you're in the military and have top secret documents.

#### PDS (Protected Distribution System)
Secured system of cable management to ensure that the wired network remains free from eavesdropping, tapping, data emanations and other threats.

### Securing Wi-Fi Devices
- Change the default username and password on the router.
- Disable remote administration.

#### SSID (Service Set Identifier)
Uniquely identifies the network and is the name of the WAP used by the clients.
- Exam: Disabling the SSID broadcast is good security.

#### Rogue Access Points
An unauthorized WAP (Wireless Access Point) or wireless router that allows access to the secure network.
- Mitigate this by enabling MAC filtering on the network, using NAC, and running a good IDS or IPS on your network.

#### Evil Twin
A rogue, counterfeit, and unauthorized WAP with the same SSID as your valid one.
- Mitigation: You can only stop this if you find the rogue AP and unplug it.
- My note: You could also start deauthing the Rogue AP so if any legit client tries to connect it would not succeed.

### Wireless Encryption

#### Pre-Shared Key (PSK)
The same encryption key is used by the access point and the client.

#### WEP (Wired Equivalent Privacy)
The original 802.11 wireless security standard that claims to be as secure as a wired network.
- WEP's weakness is its 24-bit IV (Initialization Vector), which it uses in establishing the connection and which is sent in clear text.

#### WPA (WiFi Protected Access)
Replacement for WEP, which uses TKIP (Temporal Key Integrity Protocol) with a 48-bit IV instead of WEP's 24, a Message Integrity Check (MIC) and RC4 encryption.

It uses all of this to secure the data and ensure that it's not modified in transit.

#### WPA2 (WiFi Protected Access V2)
802.11i standard to provide better wireless security, featuring AES with a 128-bit key, CCMP and integrity checking.

***EXAM TIP!***

| If you are asked about... | Look for the answer with... |
| -------- | -------- |
| Open | No security or protection provided |
| WEP | IV |
| WPA | TKIP and RC4 |
| WPA2 | CCMP and AES |

#### WPA3 (WiFi Protected Access V3)
Was introduced in 2018 to strengthen WPA2.
- Enterprise mode: Equivalent cryptographic strength of 192-bits.
  - Uses AES-256 encryption with a SHA-384 hash for integrity checking.
- Personal mode: Minimum cryptographic strength of 128-bits.
  - Uses CCMP-128 encryption within AES.

The largest improvement was the removal of the PSK (Pre-Shared Key) exchange.
- SAE (Simultaneous Authentication of Equals)
  - Is now used instead of PSK.
  - A secure password-based authentication and password-authenticated key agreement method.
  - Provides forward secrecy.

#### Forward secrecy or Perfect Forward Secrecy
A feature of key agreement protocols (like SAE) that provides assurance that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised.

1. The AP and the client use a public key system to generate a pair of long-term keys.
2. The AP and the client exchange a one-time use session key using a secure algorithm like Diffie-Hellman.
3. The AP sends the client messages and encrypts them using the session key created in Step 2.
4. The client decrypts the messages received using the same one-time use session key.
5. The process repeats for every message being sent, starting at Step 2, to ensure forward secrecy.

#### WPS (Wi-Fi Protected Setup)
Automated encryption setup for wireless networks at the push of a button, but it is severely flawed and vulnerable.
- Always disable WPS!

### Wireless Access Points
Wireless security also relies upon proper WAP placement.
- ESS (Extended Service Set): Multi-AP

Omnidirectional antennas radiate an equal signal.

###### Wireless B, G and older N use a 2.4GHz signal.

###### Wireless A, newer N and AC use a 5.0GHz signal.

#### AP Isolation
Creates network segments for each client when it connects, to prevent them from communicating with other clients on the network.

### Wireless attacks

#### Jamming
Intentional radio frequency interference targeting your wireless network to cause a DoS condition (like we see in the movies).

#### War driving
You drive in war, or it's the act of searching for wireless networks by driving around until you find them, one of those.

#### War chalking
Act of physically drawing symbols in public places to denote the open, closed and protected networks in range.

#### IV Attack
Occurs when an attacker observes the operation of a cipher being used with several different keys and finds a mathematical relationship between those keys to determine the clear text data.

This happened with WEP because of the 24-bit IV.

#### WiFi Disassociation/Deauthing attack
Attack that targets an individual client connected to a network, forces it offline by deauthentication, and then captures the handshake when it reconnects. Used in WPA/WPA2.

#### Brute Force Attack
Occurs when an attacker continually guesses a password until the correct one is found.

#### Bluejacking
Sending of unsolicited messages to Bluetooth-enabled devices.

#### Bluesnarfing
Unauthorized access of information from a wireless device through a Bluetooth connection.

***Exam Tip!!!***

Bluejacking sends information.
Bluesnarfing takes information.

### RFID (Radio Frequency Identification)
Devices that use a radio frequency signal to transmit identifying information about the device or token holder.
- It can operate from 10cm to 200m depending on the device.

#### NFC (Near Field Communication)
Allows two devices to transmit information when they are in close range through automated pairing and transmission.
- Operates within 4cm of each other.

### Access Control Models

#### DAC (Discretionary Access Control)
The access control policy is determined by the owner.

Normal perms: the owner of a folder decides who gets to r/w/x.

#### MAC (Mandatory Access Control)
An access control policy where the computer system determines the access control for an object.

Basically it's the military version, top secret and what not.

#### RBAC (Role-Based Access Control)
An access model that is controlled by the system (like MAC) but utilizes a set of permissions instead of a single data label to define the permission level.

Basically a group version, like Linux has.

#### ABAC
An access model that is dynamic and context-aware, using IF-THEN statements.

Example: IF user is in group X, THEN give him access to `\\fileserver\X`.

## Vulnerability Assessment

### Tabletop Exercise (TTX)
Exercise that uses an incident scenario against a framework of controls or a red team.

### Penetration Test
A test that uses active tools and security utilities to evaluate security by simulating an attack on a system to verify that a threat exists, actively test it, bypass security controls, and then finally exploit vulnerabilities on a given system.

### OVAL (Open Vulnerability and Assessment Language)
A standard designed to regulate the transfer of secure public information across networks and the Internet utilizing any security tools and services available.
- OVAL is composed of 2 parts, the language and the interpreter.

***EXAM TIP!!!***

You just need to remember that OVAL stands for Open Vulnerability and Assessment Language, and that it's used to share data between lots of different tools that are focused on vuln assessments.

#### OVAL Language
An XML schema used to define and describe the information being created by OVAL to be shared among the various programs and tools.

#### OVAL Interpreter
A reference developed to ensure the information passed around by these programs complies with the OVAL schemas and definitions used by the OVAL language.

## Risk Assessment
A process used inside of risk management to identify how much risk exists in a given network or system.

### Risk
The probability that a threat will be realized.

### Vulnerabilities
Weakness in the design or implementation of a system.

### Threat
Any condition that could cause harm, loss, damage or compromise to our information technology systems.
- It's outside of our control; you can only mitigate it. Like earthquakes.

Example: You wake up and want to arrive early, but you have the risk of being late. This could be because of, for example:
- Vulnerabilities:
  - You forgot to put gas in your car the day before.
  - You forgot that it was your day to take the kids to school.
- Threats:
  - Traffic jams,
  - Natural disasters,
  - Always getting red lights.

What can we do about this? Well, you could always wake up earlier, so even if there was a traffic jam you would leave your house earlier. This is called risk management; it's used to minimize the likelihood of a negative outcome.

### Risk Management
It's used to minimize the likelihood of a negative outcome, as explained above. There are 4 strategies.

#### Risk avoidance
A strategy that requires stopping the activity that has risk or choosing a less risky alternative.
- Instead of having 100 PCs connected with only 30 being used, you could disconnect the 70 extra PCs.

#### Risk Transfer
A strategy that passes the risk to a third party.
- This is used with car insurance: for the risk of crashing your car and needing to pay to fix the other person's car, you get insurance to cover it.
- In IT, for example, you could have insurance against natural disasters; if a flood occurs and damages your servers you'd be OK. That's risk transfer.

#### Risk mitigation
A strategy that seeks to minimize the risk to an acceptable level.
- Imagine that you have a server with multiple vulnerabilities: 5 critical, 1 high and 1 normal. You would patch the 5 crits and the high, and you might be OK with the normal vuln, as it's not that impactful.

#### Risk acceptance
A strategy that seeks to accept the current level of risk and the costs associated with it if the risk were realized.
- You have a non-important file server running a version of Windows that has a kernel vulnerability; however, to update the version you would also need to upgrade the CPU to a newer, more expensive one. Instead, you prefer to accept the risk, as the server is not that needed.

#### Residual Risk
The risk remaining after trying to avoid, transfer or mitigate the risk.

### Security Assessment
Verifies that the organization's security posture is designed and configured properly to help thwart different types of attacks.

Assessments might be required by contracts, regulations or laws.

Assessments may be active or passive.

#### Active
Utilizes more intrusive techniques like scanning, hands-on testing, and probing of the network to determine vulnerabilities.
- Unlimited

#### Passive
Utilizes open source information, the passive collection and analysis of the network data, and other unobtrusive methods without making direct contact with the targeted systems.
- Limited

## Security Controls
Methods implemented to mitigate a particular risk.

### Physical Controls
Any security measure that is designed to deter or prevent unauthorized access.

Ex: Doors, bollards etc...

### Technical Control
Safeguards and countermeasures used to avoid, detect, counteract or minimize security risks.

Ex: Cameras, motion sensors, encryption.

### Administrative Control
Focused on changing the behaviour of people rather than the risk involved.

Ex: Policies, procedures, user training.

NIST categories are management, operational and technical.

### Management Controls
Security controls that are focused on decision-making and the management of risk.
- Policies, procedures etc...

### Operational Controls
Focused on the things done by people.
- User training, testing the disaster recovery plan.

### Technical Controls
Logical controls that are put into a system to help secure it.
- AAA (Authentication, Authorization and Accounting), passwords, encryption.

### Preventative Controls
Security controls that are installed before an event happens and are designed to prevent something from occurring.
- UPS

### Detective Controls
Used during the event to find out whether something bad might be happening.
- IDS, IPS, alarms, logs, CCTV

### Corrective Control
Used after an event has occurred.
- Backups

A single control can be categorized into multiple types or categories.

Example: CCTV is a detective control and a physical control.

### Compensating Control
Used whenever you can't meet the requirement for a normal control.

###### Example: You want some retina scanners, but the supplier takes 2 to 3 months to ship them, so while you wait you opt for a normal lock. This is a compensating control.

###### Any residual risk not covered by a compensating control is an accepted risk.

## Monitoring Types

### Signature-Based
Network traffic is analyzed for predetermined attack patterns.

### Anomaly-Based
A baseline is established and any network traffic that is outside of that baseline is evaluated.

### Behaviour-based
Activity is evaluated based on the previous behaviour of applications, executables, and the operating system in comparison to the current activity of the system.

### SNMP (Simple Network Management Protocol)
A TCP/IP protocol that aids in monitoring network-attached devices and computers.
- Is incorporated into a network management and monitoring system.

It's broken into 3 components.

#### Managed devices
Computers or other devices monitored through the use of agents by a network management system.

#### Agents
Piece of software loaded on the managed device to redirect the information to the network management system.

#### NMS (Network Management System)
Software run on one or more servers to control the monitoring of network-attached devices and computers.

You should use SNMPv3 because it provides integrity, authentication and encryption.

### SIEM
A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.
- Splunk
- ELK/Elastic Stack
- ArcSight
- QRadar
- AlienVault and OSSIM
- Graylog

### SOAR (Security Orchestration, Automation and Response)
A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.
- Primarily used in incident response.
- Next-gen SIEM

If you combine a SOAR with a SIEM you can do the following:
- Scan security/threat data
- Analyze it with ML (Machine Learning)
- Automate data enrichment
- Provision new resources

###### A playbook is a checklist of actions to perform to detect and respond to a specific type of incident.

###### A runbook is an automated version of a playbook that leaves clearly defined interaction points for human analysis.

## Cloud Computing
A way of offering on-demand services that extend the traditional capabilities of a computer or network.

It relies on virtualization to gain efficiencies and cost savings.

### Hyperconvergence
Allows providers to fully integrate the storage, network and servers.

### VDI (Virtual Desktop Infrastructure)
Gives a virtual desktop to a user, like Citrix.

### Public
A service provider makes resources available to the end users over the internet.

Eg: Google Drive

### Private
A company creates its own cloud environment that only it can utilize as an internal enterprise resource.

A private cloud should be chosen when security is more important than cost.

Eg: US gov.

### Hybrid
A hybrid cloud sits between private and public clouds: you could have a private cloud for finances and secrets and a public cloud for email or web servers.

### Community
Resources and costs are shared among several different organizations who have common service needs.

### As a service

#### SaaS (Software as a Service)
Provides all the hardware, operating system, software and applications needed for a complete service to be delivered.
Eg: Office365

#### IaaS (Infrastructure as a Service)

Provides all the hardware, operating system, and backend software needed in order to develop your own software or service.

Eg: Web server or VPS (Virtual Private Server).

#### PaaS (Platform as a Service)

Provides your organization with the hardware and software needed for a specific service to operate.

Eg: Heroku, Google App Engine, Microsoft Azure App Service. Basically, if you have an app that you want to develop and don't want to spend money on the resources, you get a PaaS.

#### SECaaS

Provides your organization with various types of security services without the need to maintain a cybersecurity staff.

Eg: SOC, anti-malware, firewalls, vulnerability scans, content filtering.

#### FaaS (Function as a Service)

A cloud service model that supports serverless software architecture by provisioning runtime containers in which code is executed in a particular programming language.

#### Serverless

A software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances.

Everything is developed as a function or microservice.

Serverless eliminates the need to manage physical or virtual servers.

Eg. Netflix

Serverless depends on orchestration.

###### Our job as cybersecurity professionals is to ensure that the clients accessing the services have not been compromised. Not clients like the users of Netflix, but the developers of Netflix.

### Cloud-based infrastructure

Must be configured to provide the same level of security as a local solution.

### VPC (Virtual Private Cloud)

A private network segment made available to a single cloud consumer within a public cloud.

The consumer is responsible for configuring the IP address space and routing within the cloud.

It is typically used to provision Internet-accessible applications that need to be accessed from geographically remote sites.
### CASB (Cloud Access Security Broker)

Enterprise management software designed to mediate access to cloud services by users across all types of devices.

Benefits:

- Single Sign-on (SSO)
- Malware and rogue device detection
- Monitor/audit user activity
- Mitigate data exfiltration

It provides visibility into how your clients and other network nodes use your cloud services.

#### Forward proxy

A security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy.

Eg: You could use a forward proxy at home to monitor your kids' activity.

#### Reverse proxy

An appliance positioned at the cloud network edge that directs traffic to cloud services if the contents of that traffic comply with the policy.

#### API (Application Programming Interface)

A library of programming utilities used to enable software developers to access functions of another application.

It's also a method that uses the broker's connections between the cloud service and the cloud consumer.

***APIs*** allow for the automated administration, management and monitoring of a cloud service.

###### An API is used, for example, when you create a website that searches online for all the restaurants that serve certain types of food and you only want to see the 4.5 to 5 star restaurants: instead of building the website from scratch you'll get, for example, the Google Maps API and use those reviews, or other review website APIs.

### Cloud Threats

#### Insecure API

- Data received by an API must pass server-side validation routines (input validation).
- An API must only be used over an encrypted channel (HTTPS).
- Implement throttling/rate-limiting mechanisms to protect from a DoS.
- Error handling and error messages should be sanitized, so they don't show clues to an attacker.
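The four controls in the list above, combined in one request handler for the restaurant-search idea used earlier. This is an added example, not part of the original notes; `handle_search`, `TokenBucket`, the field rules and the limits (burst of 5, 1 request per second) are hypothetical names and values chosen for illustration.

```python
import logging
import re
import time
import uuid

log = logging.getLogger("api")

# Assumed validation rule for this example: lowercase letters only, 2 to 20 chars.
CUISINE_RE = re.compile(r"^[a-z]{2,20}$")


class TokenBucket:
    """Per-client throttle: a burst of `capacity`, refilled at `rate` tokens/second."""

    def __init__(self, capacity, rate):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.updated = None

    def allow(self, now):
        if self.updated is not None:
            elapsed = max(0.0, now - self.updated)
            self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


_buckets = {}  # client id -> TokenBucket


def validate(params):
    """Server-side validation: return cleaned values or raise ValueError(field name)."""
    cuisine = params.get("cuisine")
    if not isinstance(cuisine, str) or not CUISINE_RE.fullmatch(cuisine):
        raise ValueError("cuisine")
    try:
        min_stars = float(params.get("min_stars", "0"))
    except (TypeError, ValueError):
        raise ValueError("min_stars")
    if not 0.0 <= min_stars <= 5.0:  # also rejects NaN and infinity
        raise ValueError("min_stars")
    return {"cuisine": cuisine, "min_stars": min_stars}


def handle_search(client_id, scheme, params, search, now=None):
    """Return (status, body). `search` is the backend lookup being protected."""
    now = time.monotonic() if now is None else now
    if scheme != "https":  # encrypted channel only
        return 400, {"error": "HTTPS required"}
    bucket = _buckets.setdefault(client_id, TokenBucket(capacity=5, rate=1.0))
    if not bucket.allow(now):  # throttling
        return 429, {"error": "rate limit exceeded"}
    try:
        clean = validate(params)
    except ValueError as exc:
        # Name the field, never echo the rejected value back.
        return 400, {"error": f"invalid parameter: {exc}"}
    try:
        return 200, {"results": search(**clean)}
    except Exception:
        # Sanitized error: details go to the log, the client gets a reference id.
        incident = uuid.uuid4().hex
        log.exception("search failed, incident=%s", incident)
        return 500, {"error": "internal error", "incident": incident}


if __name__ == "__main__":
    def fake_search(cuisine, min_stars):  # constructed stand-in backend
        return [f"{cuisine} place rated >= {min_stars}"]

    print(handle_search("demo", "https", {"cuisine": "thai", "min_stars": "4.5"}, fake_search))
    print(handle_search("demo", "https", {"cuisine": "thai' OR 1=1--"}, fake_search))
```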
#### Improper Key Management

- APIs should use secure authentication and authorization such as SAML or OAuth/OIDC before accessing the data.
- Do not hardcode or embed a key into the source code!
- Delete unnecessary keys and regenerate keys when moving into a production environment *(Don't use pre-prod keys in prod duh!)*
- Have hardening policies in place for all of your client hosts, your servers and your development workstations.

#### Logging and Monitoring

- Insufficient logging and monitoring.
- Logs must be copied to non-elastic storage for long-term retention *(You don't want logs to disappear after an error occurs and overwrites all previous logs)*

#### Unprotected Storage

- Cloud storage containers are referred to as buckets or blobs.
- Each container hosts its own data objects.
- Access control to storage is administered through container policies, IAM authorizations and object ACLs (access control lists).
- Incorrect permissions may occur due to default read/write permissions left over from creation (least privilege always).
- Incorrect origin settings may occur when using content delivery networks (CDN).
- You need to configure what's known as a cross-origin resource sharing policy, AKA CORS policy.
- CORS is a content delivery network policy that instructs the browser to treat requests from nominated domains as safe (weak CORS policies expose the site to vulnerabilities like XSS, CSRF etc...).

## Orchestration

The automation of multiple steps in a deployment process.

It is the automation of the automations.

Rapid elasticity in cloud computing would not be possible without orchestration.

###### Eg. When creating the Linux servers for the school project, instead of doing every single command and prompt manually, we first did it by hand and then created a script to automate it; that's orchestration.
A third-party orchestration platform is protection from vendor lock-in.

### Resource orchestration

This is to provision and allocate resources within a cloud environment or other solution.

### Workload orchestration

This is for the management of applications and other cloud workloads that need to be performed, basically looking at the components needed to create the product you need.

### Service orchestration

This is used to deploy services into cloud environments.

## CI/CD

Before, this was done like this:

- Development (You create the code and figure out what it's going to do)
- Testing/Integration (You would put the code into a kind of test environment and make sure it doesn't break anything) (You would start the integration process, which means you might buy new servers and might install all the software to see how it operates in that full environment)
- Staging (You'd put everything onto a set of servers that look like the production environment, getting ready to move from testing into staging and then into production)
- Production (When it's deployed onto prod servers and is being used by the end users)

### Continuous integration

A software development method where code updates are tested and committed to a development or build server/code repository rapidly.

CI can test and commit updates multiple times per day.

CI detects and resolves development conflicts early and often.
### Continuous delivery

A software development method where application and platform requirements are frequently tested and validated for immediate availability.

###### Focuses on automated testing of code in order to get it ready for release

### Continuous deployment

A software development method where application and platform updates are committed to production rapidly.

###### Focuses on automated testing and release of code in order to get it into the production environment more quickly

## DevSecOps

A combination of software development, security operations and systems operations, integrating each discipline with the others.

It uses a shift-left mindset.

###### Shift left basically means that in a waterfall method security is usually the last thing to be done, and DevSecOps shifts the security part left (to the beginning).

- Integrate security from the beginning
- Test during and after development
- Automate compliance checks (HIPAA, GDPR)

### DevOps

An organizational culture shift that combines software development and systems operations by referring to the practice of integrating the two disciplines within a company.

Operations and developers can build, test and release software faster and more reliably.

## IaC (Infrastructure as Code)

A provisioning architecture in which deployment of resources is performed by scripted automation and orchestration.

Allows for the use of scripted approaches to provisioning infrastructure in the cloud.

### Snowflake system

Any system that is different in its configuration compared to a standard template within an infrastructure as code architecture.

- This leads to a lack of consistency, to security issues and to inefficiencies in support.
### Idempotence

A property of IaC that an automation or orchestration action always produces the same result regardless of the component's previous state.

Basically, for example, if you have a script and that script always prints "hello", that's idempotence: it always gives the same result.

Eliminate the snowflakes.

## AI (Artificial Intelligence)

The science of creating machines with the ability to develop problem-solving and analysis strategies without significant human direction or intervention.

### Machine learning

A component of AI that enables a machine to develop strategies for solving a task given a labeled dataset where features have been manually identified but without further explicit instructions.

You have to train it.

Machine learning is only as good as the datasets used to train it.

### ANN (Artificial Neural Network)

An architecture of input, hidden and output layers that can perform algorithmic analysis of a dataset to achieve outcome objectives.

### Deep Learning

A refinement of machine learning that enables a machine to develop strategies for solving a task given a labeled dataset and without further explicit instructions.

It uses complex classes of knowledge defined in relation to simpler classes of knowledge to make more informed determinations about an environment.

Like a child.

---

### RAID (Redundant Array of Independent Disks)

Allows the combination of multiple hard disks into a single logical hard disk drive that is recognized by the OS.

#### RAID 0

Provides data striping across multiple disks to increase performance.

Ie. You split 1 file across multiple disks.

- minimum 2 disks

#### RAID 1

Provides redundancy by mirroring the data identically on two hard disks.

Ie. You have a file and put it whole on 2 different disks.

- minimum 2 disks

#### RAID 5

Provides redundancy by striping data and parity data across the disk drives.

Ie. If one disk fails the other 2 can reconstruct the data based on the parity.
- minimum 3 disks

#### RAID 6

Provides redundancy by striping and double parity data across the disk drives.

Better than 5.

Ie. Instead of having one stripe for parity it has two, so you can lose up to 2 disks and the data will still be OK.

- Minimum 4 disks

#### RAID 10 or 1-0

Creates a striped RAID of two mirrored RAIDs (combines RAID 1 & RAID 0).

Ie. It has the speed of a RAID 0 and the redundancy of a RAID 1.

- Minimum 4 disks

### Redundant Sites

Classified into 3 categories: hot, warm or cold sites.

#### Hot Sites

A near duplicate of the original site of the organization that can be up and running within minutes.

#### Warm Sites

A site that has computers, phones, and servers but they might require some configuration before users can start working.

#### Cold Sites

A site that has tables, chairs, bathrooms and possibly some technical items like phones and network cabling.

## Authentication

### (MFA) Multi-Factor Authentication

Use of two or more authentication factors to prove a user's identity.

#### Five basic factors of authentication

- Knowledge
  - A password, PIN, any memorized information
- Ownership
  - Tokens, smart-card reader, USB dongle, auth app.
- Characteristic
  - Biometrics
- Location
  - Different locations
- Action
  - The way you sign your name.

#### TOTP (Time-based One Time Password)

A password is computed from a shared secret and the current time.

#### HOTP (HMAC-based One Time Password)

A password is computed from a shared secret and is synchronized between the client and the server.

### Authentication Models

#### Context-Aware Authentication

Process to check the user or system attributes or characteristics prior to allowing it to connect.

Ex: US company, no users outside the US, blocks non-US logins.

#### SSO (Single Sign-On)

A default user profile for each user is created and linked with all of the resources needed.

#### FIdM (Federated Identity Management)

A single identity is created for a user and shared with all of the organizations in a federation.
- Cross-Certification
- Web-Of-Trust
- Trusted Third-Party
  - Place their trust in a trusted 3rd party.

#### SAML (Security Assertion Markup Language)

Attestation model built upon XML used to share federated identity management information between systems.

#### OpenID

An open standard and decentralized protocol that is used to authenticate users in a federated identity management system.

- User logs into an Identity Provider (IP)
- Uses their account at Relying Parties (RP)

Example: Google Sign-In. You can sign in or register on websites using your Google account, like EpicGames.

### 802.1x

Standardized framework used for port-based authentication on wired and wireless networks.

3 roles are required for an authentication to occur under 802.1x:

1. Supplicant: User or device requesting access to the network.
2. Authenticator: The device through which the user is trying to access the network.
3. Authentication Server: The centralized device that performs the authentication, the RADIUS or TACACS+ server.

802.1x can prevent rogue devices.

It allows encapsulating EAP.

#### EAP (Extensible Authentication Protocol)

A framework of protocols that allows for numerous methods of authentication including passwords, digital certificates and public key infrastructure.

- EAP-MD5: only use with strong passwords, it's a one-way authentication process.
- EAP-TLS uses digital certificates for mutual authentication.
- EAP-TTLS uses a server-side digital certificate and the client side uses a password.
- EAP-FAST (Flexible Authentication via Secure Tunnel) uses a protected access credential instead of a certificate for mutual authentication.
- PEAP (Protected EAP) supports mutual authentication by using server certificates and Microsoft's AD to authenticate a client's password.
- LEAP is proprietary to Cisco-based networks.

### LDAP and Kerberos

LDAP (Lightweight Directory Access Protocol) is a database used to centralize information about clients and objects on the network.
- Ports: Unencrypted - 389; Encrypted - 636

Kerberos is an authentication protocol used by Windows to provide two-way authentication using a system of tickets.

- Port: 88

#### RADIUS (Remote Authentication Dial-In User Service)

Provides centralized administration of dial-up, VPN, and wireless authentication services for 802.1x and EAP.

- Application Layer
- Responsible for AAA
  - Authentication ***PORT: 1812***
  - Authorization
  - Accounting ***PORT: 1813***
- May also use 1645 and 1646 in some proprietary variations.

#### TACACS+ (Terminal Access Controller Access Control System +)

Cisco proprietary

Port 49

## Auth Summary

### 802.1x

IEEE standard that defines Port-based Network Access Control (PNAC) and is a data link layer authentication technology used to connect devices to a wired or wireless LAN.

### LDAP

Application layer protocol for accessing and modifying data.

Used by Active Directory.

### Kerberos

Authentication protocol used in Windows using mutual auth.

Uses tickets.

### RAS (Remote Access Services)

Service that enables dial-up and VPN connections to occur from remote clients.

### CHAP (Challenge Handshake Authentication Protocol)

Authentication scheme that is used in dial-up connections.

### RADIUS

Centralized administration system for dial-up, VPN and wireless authentication.

Uses either the ports: UDP-1812/1813

Or: UDP-1645/1646

### TACACS+

Cisco proprietary version of RADIUS; provides separate authentication and authorization functions over port 49 (TCP).

### Remote Access Service

#### PAP (Password Authentication Protocol)

Used to provide authentication but it's not considered secure since it transmits the password unencrypted.

#### CHAP (Challenge Handshake Authentication Protocol)

Used to provide authentication by using the user's password to encrypt a challenge string of random numbers.

###### MS-CHAP is Windows's version; it provides stronger encryption and mutual auth.
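To make the PAP/CHAP difference concrete, here is an added example (not part of the original notes) that models both exchanges as Python dictionaries. The CHAP response follows RFC 1994, which hashes identifier, secret and challenge with MD5 rather than encrypting the challenge; the message layout, function names and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def pap_request(username, password):
    """PAP: the request carries the password itself, readable on the link."""
    return {"user": username, "password": password}


def chap_challenge(identifier):
    """Authenticator: a fresh random challenge for every authentication attempt."""
    return {"id": identifier, "challenge": os.urandom(16)}


def chap_response(challenge_msg, username, secret):
    """Peer: MD5(identifier || secret || challenge), per RFC 1994."""
    digest = hashlib.md5(
        bytes([challenge_msg["id"]]) + secret.encode() + challenge_msg["challenge"]
    ).digest()
    return {"id": challenge_msg["id"], "user": username, "value": digest}


def chap_verify(challenge_msg, response_msg, secret):
    """Authenticator: recompute with the stored secret, compare in constant time."""
    expected = chap_response(challenge_msg, response_msg["user"], secret)["value"]
    return (response_msg["id"] == challenge_msg["id"]
            and hmac.compare_digest(expected, response_msg["value"]))


def exchange_summary(username, secret):
    """Run one PAP and one CHAP exchange and report what each puts on the wire."""
    pap = pap_request(username, secret)
    c1 = chap_challenge(1)
    r1 = chap_response(c1, username, secret)
    # A later attempt gets a new challenge, so the earlier response no longer fits.
    c2 = chap_challenge(2)
    replayed = dict(r1, id=c2["id"])
    return {
        "pap_password_on_wire": secret in pap.values(),
        "chap_password_on_wire": secret.encode() in c1["challenge"] + r1["value"],
        "chap_accepts_genuine": chap_verify(c1, r1, secret),
        "chap_accepts_replay": chap_verify(c2, replayed, secret),
    }


if __name__ == "__main__":
    # "correct horse" is a constructed sample password.
    for key, value in exchange_summary("alice", "correct horse").items():
        print(f"{key}: {value}")
```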
Both are used mostly with dial-up connections.

## Security Principles

### CIA

Confidentiality

Integrity

Authentication

### CIAA

Confidentiality

Integrity

Authentication

Availability

## Frameworks

### ISO 27001

This is a globally recognized standard for information security management systems. It provides a comprehensive framework for managing and improving information security based on risk assessments and best practices.

### NIST Cybersecurity Framework

Developed by the National Institute of Standards and Technology (NIST) in the United States, this framework offers guidance for organizations to manage and reduce cybersecurity risk. It consists of five core functions: Identify, Protect, Detect, Respond, and Recover.

<h2> Cryptography </h2>
<p>
ROT13 cipher is encryption, Base64 as well; a cipher is an algorithm that encrypts or decrypts.

Encryption strength comes from the key, not the algorithm. Imagine ROT13, with 13 being the key: ROT64 is better than 13, the same as Base64.

<h3> Encryption </h3>

Symmetric vs asymmetric

Symmetric uses the same key to encrypt and decrypt, whilst asymmetric uses different keys to encrypt and decrypt, so asymmetric is safer.

A symmetric algorithm, AKA private key, is an algorithm where both the sender and receiver must know the same secret, using a privately held key.

Example: A symmetric key is the same as a house key, which me and my GF use to enter our home.

Asymmetric encryption, AKA public key, is an algorithm that uses different keys to encrypt and decrypt data.

Symmetric is faster, however it lacks the key distribution that asymmetric provides.

So a hybrid is used: asymmetric is used as a secure way to transfer a private key (symmetric key).

<h4> Stream or block cipher </h4>

***Stream*** = Uses a keystream generator to encrypt data bit by bit, using a mathematical XOR (exclusive OR) function to create the ciphertext. Good for streaming audio and video (Skype). Stream ciphers are symmetric and use the same key.
***Block*** = Breaks the input into fixed-length blocks of data and performs the encryption on each block, i.e. I went fishing today = "[I wen] [t Fishi] [ng today]" but in bits, then encrypts it. Easier to implement and better security.

<h3> Symmetric Algorithms </h3>

<h4> DES </h4>

***Data Encryption Standard*** is an encryption algorithm which breaks the input into 64-bit blocks and uses transposition and substitution to create ciphertext, using an effective key strength of only 56 bits. !NOT SECURE!

<h4> 3DES </h4>

***Triple DES*** is an encryption algorithm that uses three separate symmetric keys to encrypt, decrypt and then encrypt the plaintext into ciphertext in order to increase the strength of DES. It has a 112-bit key.

<h4> AES </h4>

***Advanced Encryption Standard***, 128, 192 or 256-bit, used as the standard by the US Government.

<h4> Twofish </h4>

Uses 128, 192, and 256-bit encryption.

Blowfish and Twofish are open source.

<h4> RC4 -- only stream cipher </h4>

Stream cipher using a variable key size from 40 bits to 2048 bits that is used in SSL and WEP.

RC5 and RC6 are the same but work in blocks instead of a stream. RC6 was introduced to replace DES, but AES was chosen.

<h3> Asymmetric Ciphers AKA Public Key Cryptography </h3>

PKC can provide confidentiality, integrity, authentication and non-repudiation.

How it works: I send a text to someone, let's call them B, so I encrypt the text using B's public key, and now it's ciphertext. Then B decrypts it with their own private key, and now it's a text again.

<h4> Digital signature is used as well! </h4>

Take the example above, but now I also send a hash digest that is encrypted with my own personal key; that way B knows that I sent the text.

***Exam TIP!!!*** It's called asymmetric because it uses 2 keys.

## Asymmetric algorithms

### Diffie-Hellman AKA DH

Used to conduct key exchanges and secure key distribution over an insecure network, like the hybrid approach discussed earlier.
It's also used for the establishment of a VPN tunnel using IPSec, however it's susceptible to MITM (man-in-the-middle) attacks, so auth is needed.

***EXAM TIP*** Remember 2 things: it's an asymmetric algorithm and it's used for key exchange when establishing a VPN tunnel as part of IPSec.

### RSA

RSA is named after its inventors, Ron, Adi and Leonard.

It relies on the mathematical difficulty of factoring large prime numbers.

It's also widely used for key exchange, encryption and digital signatures.

It supports key sizes from 1024 bits to 4096 bits, and it's widely used in organizations around the globe.

The hardware/software tokens that change the 6 digits every 30 to 60 seconds are using RSA, like STEAM, Twitch etc...

### ECC

ECC or Elliptic Curve Cryptography is used in mobile devices and it's based on the algebraic structures of elliptic curves over finite fields to define its keys.

ECC is very efficient and provides better security than an equivalent RSA key of the same size. For example, ECC is 6x more efficient than RSA, so for a 256-bit ECC key you'd need a 2048-bit RSA key to be just as secure. For this reason it's going to be used more in IoT devices.

### ECDH

Elliptic Curve Diffie-Hellman

### ECDHE

Elliptic Curve Diffie-Hellman Ephemeral uses a different key for each portion of the key establishment process inside the DH key exchange.

### ECDSA

Elliptic Curve Digital Signature Algorithm, used as a public key encryption for the US Gov.

***EXAM TIP*** Remember that ECC and all of its variants are most commonly used for mobile devices and low-power computing devices because it gives you equivalent protection to other asymmetric algorithms with a lower key size.

---

### PGP - Pretty Good Privacy

An encryption program used for signing, encrypting and decrypting emails.

Now it can encrypt emails, files and even entire disks.
PGP uses IDEA, a symmetric algorithm, however it's a hybrid tool: it uses a symmetric cipher for the bulk data but uses RSA to create the digital signatures used in emails and also to send the session keys over an untrusted network.

Uses 128 bits or more for symmetric functions and between 512 and 2048 bits for asymmetric functions.

It became open source and had a kid called GPG.

### GPG - Gnu Privacy Guard

GPG is a newer and updated version of PGP that uses AES for its symmetric encryption functions, in comparison with PGP, which uses IDEA.

---

### Key management

Is how an organization will generate, exchange, store and use encryption keys.

### One-time pad

A one-time pad is a stream cipher that encrypts plaintext information with a secret random key that is the same length as the plaintext input, AKA keystream.

### steghide

Just to remember about the art of hiding stuff inside of files.

### Blockchain

A shared, immutable ledger for recording transactions, tracking assets and building trust.

### Public Ledger

Record-keeping system that maintains participants' identities in a secure and anonymous form. It also keeps track of the respective cryptocurrency balances (if we're talking about crypto) and it has a record book of all the genuine transactions.

Food analogy from IBM, which is pushing blockchain for commercial use: the blockchain allows you to actually know everything about the transactions, and they want to use it as a supply chain ledger. So let's imagine that you would like to know something about a food item in the supermarket. You would know when, where and how that food was grown; when, where and how it was picked; when, where and how it was shipped; and when, where and how it was processed, all the way through the sales chain until you're looking at it. This way you can know everything about that food and you know it's legit because it's inside a public ledger.
### Quantum

#### Quantum computing

A computer that uses quantum mechanics to generate and manipulate quantum bits (qubits) in order to access enormous processing power.

***EXAM TIP!*** When you talk about homomorphic encryption, I want you to think about the fact that this is a good thing to use with your cloud providers, if they offer it.

<h1> Hashing </h1>

### MD5

MD5 or Message Digest 5 is an algorithm that creates a fixed-length 128-bit hash value unique to the input file.

However, there are only so many hashes that MD5 can provide, so a collision can occur, which is the condition where two different files create the same hash digest.

### SHA1

SHA1 or Secure Hash Algorithm is an algorithm that creates a fixed-length 160-bit value unique to the input value.

### SHA-2

Family of algorithms that includes SHA-224, SHA-256, SHA-384 and SHA-512.

### SHA-3

Family of algorithms that creates hash digests between 224 bits and 512 bits, however it uses more rounds of computation.

### RIPEMD

RIPEMD or RACE Integrity Primitive Evaluation Message Digest (oof) is an open-source hash algorithm that creates a unique 160-bit, 256-bit or 320-bit message digest for each input file.

The most popular is the 160-bit version. It was created as competition for the SHA family, like different Italian mafias.

### HMAC

HMAC or Hash-based Message Authentication Code uses a hash algorithm to create a level of assurance as to the integrity and authenticity of a given message or file.

Usually used with another hashing algorithm, like MD5 or SHA.

### Digital signatures and collisions

Basically, since collisions can happen, a hash could be spoofed by an actor: they could create a malicious file that has the same hash as a legit file, so digital signatures come into play.

What the signer does is create the hash digest and encrypt it with their private key, so you decrypt it using their public key, resulting in non-repudiation.
---

### LANMAN (LM Hash)

Original version of password hashing used by Windows that uses DES and is limited to 14 characters.

Really old, kinda granny old. It used to split the password into 2 seven-character chunks, make one of the chunks uppercase, and then it was run through the encryption algorithm.

### NTLM Hash (NT Lan Manager Hash)

Replacement of LM Hash that uses RC4 and was released with Windows NT 3.1 in 1993.

### NTLMv2 Hash

Replacement for the NTLM hash that uses HMAC-MD5 and is considered difficult to crack.

And it's used when you're not using KERBEROS (domain auth) for authentication.

***EXAM TIP!!!*** Instantly match hashing and integrity. MD5 and SHA are the most common, however MD5 is less secure than SHA.

---

### Pass the Hash

Pass the hash is a technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LM hash instead of requiring the associated plaintext password.

It sounds like the id_rsa auth that we do on CTFs but no, this type of attack works by scraping the hash from memory or via MiTM.

It's really difficult to defend against because there are many possible exploits in Windows as well as in the apps on it.

Mimikatz is a penetration testing tool used to automate the harvesting of hashes and conducting the pass the hash attack.

### Birthday attack

Technique used by an attacker to find two different messages that have the same identical hash digest, because of the "collision" we talked about previously.

It's called that because of the birthday paradox: if you have a random group of people, the chances are that you're going to have two people in that group with the same birthday.

### Key Stretching

A technique that is used to mitigate a weaker key by increasing the time needed to crack it, at least 128-bit long.

WPA, WPA2, PGP, bcrypt and others utilize key stretching.

### Salting

Adding data into a one-way cryptographic hash to help protect against password cracking techniques.
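Key stretching and salting from the two sections above, combined in one password-storage routine. This is an added example, not part of the original notes; it uses PBKDF2-HMAC-SHA256 from Python's standard library as the stretching function, and the record format, function names, sample password and the default of 600,000 iterations are assumptions of the example.

```python
import hashlib
import hmac
import os

DEFAULT_ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster


def unsalted_digest(password):
    """Plain SHA-256 for contrast: fast, and identical for every user of this password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Salt, then stretch. Returns one storable string: scheme$iterations$salt$hash."""
    salt = os.urandom(16)  # random per password, stored next to the hash, not secret
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def _parse(record):
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    if scheme != "pbkdf2_sha256" or int(iterations) < 1:
        raise ValueError("unsupported record")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        iterations, salt, expected = _parse(record)
    except ValueError:
        return False  # malformed record never authenticates
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(derived, expected)


def needs_rehash(record, iterations=DEFAULT_ITERATIONS):
    """True when the record was stretched less than current policy requires."""
    return _parse(record)[0] < iterations


if __name__ == "__main__":
    password = "Summer2024!"  # constructed sample password shared by two users
    alice = hash_password(password)
    bob = hash_password(password)
    print("unsalted digests equal:", unsalted_digest(password) == unsalted_digest(password))
    print("salted records equal:  ", alice == bob)
    print("alice verifies:        ", verify_password(password, alice))
    print("wrong password:        ", verify_password("Summer2025!", alice))
```

Storing the iteration count in the record is what lets `needs_rehash` upgrade old entries at the user's next successful login.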
## Public Key Infrastructure

A PKI is an entire system of hardware, software, policies, procedures and people that is based on asymmetric encryption.

PKI and public key cryptography/encryption are closely related but are not the same thing.

Public key cryptography belongs to PKI, because it's kind of the root of it all; as the name suggests, PKI is the infrastructure.

### Digital certificates

Digitally signed electronic documents that bind a public key with a user's identity, kinda like the social security number on an ID/passport.

### X.509

Is a standard used in PKI for digital certificates; a certificate contains the owner/user's information and the certificate authority's information.

The certificate authority is the trusted 3rd party.

### X.690

Uses BER, CER and DER for encoding.

### PEM

Privacy-enhanced Electronic Mail

.pem, .cer, .crt or .key

### PKCS#12

Public Key Cryptographic System #12

.p12

### Personal Information Exchange

.pfx

### PKCS#7

Public Key Cryptographic Systems #7

.p7b

***Exam TIP!!!*** Remember these file types are associated with PKI.

### BER - Basic Encoding Rules

The original ruleset governing the encoding of data structures for certificates, where several different encoding types can be utilized.

***Exam tip!!!*** BER has the ability to have multiple encoding types.

### CER - Canonical Encoding Rules

A restricted version of BER that only allows the use of one encoding type.

### DER - Distinguished Encoding Rules

Restricted version of BER which allows one encoding type and has more restrictive rules for length, character strings and how elements of a digital certificate are stored in X.509.

### Wildcard Certificates

Kinda like the wildcard on IP: instead of having a certificate for `www.google.com` you could have a `*.google.com` certificate, and then your `mail.google.com` and `calendar.google.com` will all be certified under the same certificate.
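What a wildcard certificate does and does not cover is easy to get wrong when planning certificates, so here is an added example (not part of the original notes) of the matching rule: the wildcard stands for exactly one left-most DNS label. The function names are hypothetical, and the check that at least two labels follow the `*` is a simplification; real validators also consult the public suffix list.

```python
import ipaddress


def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def name_matches(cert_name, hostname):
    """True if a certificate DNS name (optionally `*.` prefixed) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if _is_ip(hostname):
        return False  # IP addresses are never matched by DNS names or wildcards
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the whole left-most label, appear only once,
    # and be followed by at least two labels (so `*.com` is rejected).
    if cert_labels[0] != "*" or "*" in "".join(cert_labels[1:]) or len(cert_labels) < 3:
        return False
    # It replaces exactly one non-empty label: same depth, same parent domain.
    return (len(host_labels) == len(cert_labels)
            and host_labels[0] != ""
            and host_labels[1:] == cert_labels[1:])


def coverage(cert_names, hostnames):
    """Map each hostname to the certificate name that covers it, or None."""
    result = {}
    for host in hostnames:
        result[host] = next((n for n in cert_names if name_matches(n, host)), None)
    return result


if __name__ == "__main__":
    # Hostnames from the section above plus two constructed edge cases.
    hosts = ["www.google.com", "mail.google.com", "calendar.google.com",
             "google.com", "dev.mail.google.com"]
    for host, covered_by in coverage(["*.google.com"], hosts).items():
        print(f"{host:22} -> {covered_by}")
```

The bare domain and names two levels deep come back as `None`, which is why such names need their own entries on the certificate.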
### SAN (Subject Alternative Name)

Allows a certificate owner to specify additional domains and IPs to be supported.

#### Sided certificates

You have single-sided and dual-sided certificates. The single-sided kind is used normally when browsing the web, where only the server needs to validate its certificate. For dual-sided, both the user and the server need to validate the certificates; this is commonly used in highly secure environments.

### Validation

Certificates are validated using what's called a chain of trust, bottom-up.

So let's do an analogy: in your family, usually the oldest person is the most trusted. Let's say you trust your grandfather; your grandfather trusts your father, so you also trust your father; then your father trusts you, so your kid will also trust you.

***You have transitive trust: if your grandparent trusts your father and your father trusts you, then your grandparent also trusts you.***

This is called a certification path.

***

### Certificate Authorities

The entity that issues certificates to a user.

Verisign, Digisign and many others act as the root CA (grandparent).

#### CSR - Certificate Signing Request

It's a crucial component in the process of obtaining a digital certificate. A CSR is a file generated by an entity (e.g., a website owner or server administrator) that wants to obtain a digital certificate from a Certificate Authority (CA).

#### Registration Authority

Used to verify information about a user prior to requesting that a certificate authority issue the certificate.

#### Certificate Revocation List (CRL)

An online list of digital certificates that the certificate authority has revoked.

Usually a certificate is revoked because it has been compromised.

#### OCSP

Online Certificate Status Protocol

A protocol that allows you to determine the revocation status of a digital certificate using its serial number.

However, it doesn't use encryption.

It's an alternative to CRL.
#### OCSP Stapling

Allows the certificate holder to get the OCSP record from the server at regular intervals and include it as part of the SSL or TLS handshake.

This was known as the TLS Certificate Status Request extension.

### Public Key Pinning

Allows an HTTPS website to resist impersonation attacks by presenting a set of trusted public keys to the user's web browser as part of the HTTP header.

### Key Escrow

Occurs when a secure copy of a user's private key is held in case the user accidentally loses their key. It is recommended that two different administrators are present anytime a key is being taken out of escrow, this being ***Separation of Duties***.

### Key Recovery Agent

A specialized type of software that allows the restoration of a lost or corrupted key to be performed.

### Web of Trust

A decentralized trust model that addresses issues associated with the public authentication of public keys within a CA-based PKI system.

It's basically the way that reviews work: you trust a restaurant based on the reviews, and the same works for the Web of Trust. In this example you could visit a website that has a self-signed certificate; by trusting it you kinda give it a score, and the more people that trust that self-signed certificate, the better it will be.

---

## Security Protocols

### S/MIME (Secure/Multipurpose Internet Mail Extensions)

S/MIME is used to secure emails and messaging apps. It adds a digital certificate, like an e-ID, and allows the sender to add their own certification. It provides non-repudiation, message integrity and security. It'll encrypt all data in the email, even malware, so it's easier for malware to not get flagged. Some email gateways can decrypt the contents of the email to verify if it's OK or not, however the gateway must store a copy of your private key, which is also not secure.
### TLS/SSL

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are thrown back and forth a lot. Keep in mind that nowadays almost everything uses TLS: SSL was last updated in '96 with SSLv3 and was then replaced by TLS, which is now at TLSv1.3.

### HTTP

HTTP is port 80 and HTTPS is port 443. Why? Because that's where SSL or TLS creates the tunnel.

### Emails

SMTP (Simple Mail Transfer Protocol) is what's used to send emails insecurely, like HTTP. It runs on port 25. Sending emails encrypted goes through port 465 instead, as the tunnel created by TLS is on that port and the SMTP traffic is then sent through the tunnel.

### Downgrade attack

A downgrade attack is when a protocol is tricked into using a lower-quality version of itself instead of a higher-quality version.

Example: I have an old ass PC that only uses TLS 1.0, while your server can use TLS 1.2 or TLS 1.3, it doesn't matter. So what can I do with my PC? Not be able to access it? No, you want me to access your server, so your server will downgrade to version 1.0 for me to access it.

Mitigation: go to the server configuration and support only versions 1.1 and 1.2.

### Defender

As a defender, it's hard to know what the user is downloading or uploading when using TLS, as it's a tunnel that we have no access to. What we can put in place is a proxy that does a break and inspect: you're downloading stuff from somewhere, so I need to break the request, inspect it and then forward it back to you if it's safe. Doing that is hard and time- and resource-consuming.

### SSH (Secure Shell)

A protocol that can create a secure channel between two computers or network devices to enable one device to control the other device. SSH was created as a replacement for Telnet. It was first used in Unix and Linux, but now it's used in Windows as well. SSH requires a server (daemon) to be run on one device and a client on the other.
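
For the mitigation in the Downgrade attack section above, an added example (not from the original notes) that audits a server configuration for protocol versions below a chosen floor and models which version a legacy client ends up on. It assumes nginx's `ssl_protocols` directive as the configuration syntax; the two configurations are constructed samples, and `audit` and `negotiate` are illustrative names.

```python
import re

# Oldest to newest, spelled the way nginx's ssl_protocols directive names them.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def enabled_protocols(conf_text):
    """Yield (line_no, protocol) for each version listed by an ssl_protocols directive."""
    for no, line in enumerate(conf_text.splitlines(), 1):
        directive = re.search(r"\bssl_protocols\s+([^;]+);", line.split("#", 1)[0])
        for proto in (directive.group(1).split() if directive else []):
            if proto in ORDER:
                yield no, proto

def audit(conf_text, floor="TLSv1.1"):
    """Report every enabled version older than `floor` (default: the floor in the notes)."""
    return [(no, p) for no, p in enabled_protocols(conf_text)
            if ORDER.index(p) < ORDER.index(floor)]

def negotiate(client_max, conf_text):
    """Version a client capped at `client_max` ends up on, or None if the server refuses."""
    usable = [p for _, p in enabled_protocols(conf_text)
              if ORDER.index(p) <= ORDER.index(client_max)]
    return max(usable, key=ORDER.index, default=None)

# Constructed sample configurations (single-line directives only).
WEAK = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # still accepts TLS 1.0 clients
}
"""
HARDENED = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2;
}
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "below floor:", audit(conf),
              "| TLS 1.0-only client gets:", negotiate("TLSv1", conf))
```

Passing `floor="TLSv1.2"` also flags TLS 1.1, which RFC 8996 deprecated together with TLS 1.0.
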
FTP runs on 21, the same as Telnet, and SSH runs on 22. Why does SFTP run on 22? Because it uses SSH for the tunneling. SSH 2.0 uses Diffie-Hellman key exchange and MACs (Message Authentication Codes).

## VPN

A secure connection between two or more computers or devices that are not on the same private network.

---

### PPTP (Point-to-Point Tunneling Protocol)

A protocol that encapsulates PPP packets and ultimately sends data as encrypted traffic. It uses CHAP-based authentication, which is vulnerable; if using PPTP, use EAP-TLS instead.

#### PPP (Point-to-Point Protocol)

Originally used for dial-up connections, but it's used in combination with PPTP over port **1723**.

---

### L2TP (Layer 2 Tunneling Protocol)

A connection between two or more computers or devices that are not on the same private network, which is not secure on its own. It's usually paired with IPSec and is used over port **1701**.

#### IPSec

A TCP/IP protocol that authenticates and encrypts IP packets, effectively securing communications between computers and devices using this protocol.

````
Provides the CIA
Confidentiality (Encryption)
Integrity (Hashing)
Authentication (Key Exchange)
````

Operates in 2 modes:

##### Transport mode:

Host-to-host transport mode only encrypts the payload of an IP packet, not its header. It's usually used inside a private network.

###### Analogy:

Truck transportation: when driving we only lock the back, not the cab, the cab being the header and the trailer being the packet.

##### Tunnel mode:

A network tunnel is created which encrypts the entire IP packet (payload and header). It's usually used for WAN transmission.

###### Analogy:

Same as above, but now put it all in a container ship: no one knows what's inside or where it's going, just that there's a transport ship.

#### IKE - Internet Key Exchange

Method used by IPSec to create a secure tunnel by encrypting the connection between the authenticated peers.
It occurs in 3 main ways:

- Main mode: Uses 3 separate exchanges.
- Aggressive mode: It's quicker than main mode because it only uses three packets.
- Quick mode: Only the negotiated parameters of the IPSec session are handled.

### Security Association (SA)

Establishment of secure connections and shared security information using certificates or cryptographic keys.

### Authentication Header (AH)

Protocol used in IPSec that provides Integrity and Authentication.

### Encapsulating Security Payload (ESP)

Provides integrity, confidentiality and authenticity of packets by encapsulating and encrypting them. </p>