# Security+

## Network

* NetFlow: information about network traffic.
* Blackholing / sinkholing: route traffic to a non-existent server.
* Layer 3: filter by IP.

### Authentication protocols

PGP (Pretty Good Privacy): includes AAA
* Each user generates a key pair.
* Compresses data before encrypting.

RADIUS
* UDP
* Encrypts the password only
* Not a remote-access protocol
* Uses a shared-secret password + an MD5 hash of the authentication request to protect the communication.
* The NAS is the client.

TACACS+
* TCP
* Cisco
* Encrypts the whole packet
* Slower operation

802.1X: standard for AAA authentication (Authentication, Authorization, Accounting (monitoring, tracking)). Prevents remote connections (when a device connects to the network).

### Wi-Fi

EAP (Extensible Authentication Protocol): establishes and manages secure network connections (password, certificate, smart card, fingerprint) + RADIUS
* Data link layer
* Allows one-way authentication methods

WAP (Wireless Application Protocol): creates mobile web pages.

### For safety

* ACL (access control list)
* VLAN segmentation: separates Layer 2 networks
* NAC (network access control): prevents physical connection.
* Disable the SSID (the Wi-Fi name) (prevents evil twin)
* Disable WPS: WPS eases setting up a new wireless device by letting the router configure it after an 8-digit PIN is entered (brute force).

### ARP spoofing prevention

* DAI (Dynamic ARP Inspection): maintains a trusted DB (IP:ARP)
* DHCP snooping: creates trusted and untrusted ports (used on switches)
* Port security: allows only specific MAC addresses through each port on the switch.
* Persistent (sticky) MAC learning: the switch automatically learns MAC addresses and associates them with a specific interface (the MAC addresses are stored permanently, even after a restart).

### Attack vectors

* DNS poisoning: overwriting (DNS records)
* DNS spoofing: flooding

### Devices

#### Router

* Port mirroring or SPAN port: all traffic is replicated and sent to another device for analysis. (Place the router in a secure location, MAC filtering, ACL: specify allowed IPs, disable unused ports, encrypt.)
* Injecting a corrupt routing table.
* Some routers are configured by the admin with Telnet for connecting.

#### Switch

* Directs packets, whereas a hub does not.
* Stores a limited number of MACs in its DB (MAC spoofing).
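The "ARP spoofing prevention" notes above describe DAI as a switch feature that checks ARP replies against a trusted binding table built by DHCP snooping. The following is an added example (not part of the original notes and not any vendor's code) that models that check in Python: the binding table, the trusted/untrusted port set and the ARP replies are all constructed sample values, and the port names and MAC addresses are assumptions chosen for illustration.

```python
"""Dynamic ARP Inspection (DAI) in miniature (added example, not from the notes).

A switch keeps an IP -> (MAC, port) binding table learned by DHCP snooping.
ARP replies arriving on *untrusted* ports are forwarded only when the
sender IP/MAC/port match that table; anything else is dropped and logged.
Frames on *trusted* ports (uplinks, the port toward the DHCP server) are
not inspected. All values below are constructed sample data.
"""
from dataclasses import dataclass

# Binding table learned from DHCP snooping: IP -> (MAC, switch port).
# Constructed sample values; port names are an assumption.
DHCP_BINDINGS = {
    "10.0.0.10": ("aa:bb:cc:00:00:10", "Gi1/0/10"),
    "10.0.0.11": ("aa:bb:cc:00:00:11", "Gi1/0/11"),
    "10.0.0.1":  ("aa:bb:cc:00:00:01", "Gi1/0/1"),   # default gateway
}

# Ports facing other switches / the DHCP server are trusted (no inspection).
TRUSTED_PORTS = {"Gi1/0/1", "Gi1/0/48"}


@dataclass
class ArpReply:
    ingress_port: str
    sender_ip: str
    sender_mac: str


def inspect(reply: ArpReply, bindings=DHCP_BINDINGS, trusted=TRUSTED_PORTS):
    """Return (action, reason); action is 'forward' or 'drop'."""
    if reply.ingress_port in trusted:
        return "forward", "trusted port, not inspected"
    binding = bindings.get(reply.sender_ip)
    if binding is None:
        return "drop", f"no DHCP binding for {reply.sender_ip}"
    mac, port = binding
    if reply.sender_mac.lower() != mac.lower():
        return "drop", f"MAC mismatch for {reply.sender_ip}: expected {mac}"
    if reply.ingress_port != port:
        return "drop", f"{reply.sender_ip} is bound to {port}, seen on {reply.ingress_port}"
    return "forward", "binding matches"


def run_sample():
    """Feed constructed ARP replies through the inspector; return [(action, reason), ...]."""
    packets = [
        ArpReply("Gi1/0/10", "10.0.0.10", "aa:bb:cc:00:00:10"),  # legitimate host
        ArpReply("Gi1/0/11", "10.0.0.1",  "aa:bb:cc:00:00:11"),  # host 11 claims the gateway IP
        ArpReply("Gi1/0/12", "10.0.0.99", "de:ad:be:ef:00:99"),  # IP with no DHCP lease
        ArpReply("Gi1/0/48", "10.0.0.1",  "aa:bb:cc:00:00:01"),  # arrives on a trusted uplink
    ]
    return [inspect(p) for p in packets]


if __name__ == "__main__":
    for action, reason in run_sample():
        print(f"{action:8s} {reason}")
```

The second sample reply is the classic gateway-impersonation case: the sender MAC belongs to a host that holds a lease for a different IP, so DAI drops it and a real switch would raise a violation counter on that port. The third shows why DHCP snooping must already be in place: without a lease there is no binding to compare against, and static-IP hosts need explicit ARP ACL entries or DAI will drop their replies too.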
### Tools

* hping: ICMP/UDP/TCP firewall testing; does not support IPv6 -> use nping
* traceroute: ICMP
* ptunnel: tunnels TCP over ICMP

## Application

* UAC (User Account Control): a message box pops up and asks whether you want to run the process.
* NBAD (Network Behavior Anomaly Detection): an anomaly is whatever departs from the ordinary; compares against the network's usual activity.
* NTA (network traffic analysis)
* Proxy cache: stores cached copies of web content.
* Forwarding proxy: monitors traffic, disallows access to "banned" protocols/websites. The firewall sits with the proxy but on separate boxes: one for the firewall, one for the proxy function.
* Reverse proxy: can replace load balancing, deciding by:
  * URL
  * HTTP method: GET, POST, PUT, DELETE
  * cookie
* Load balancing: Layer 4 (TCP, UDP), Layer 7 (URL).

### Bluetooth

* Evil twin: a fake Wi-Fi network with the same name.
* Bluesnarfing: receiving (pulling) information.
* Bluejacking: sending information.

### Services

| Port | Transport | Service | Notes |
|---|---|---|---|
| 25 | TCP | SMTP (Simple Mail Transfer Protocol) | not encrypted |
| 69 | | TFTP (Trivial FTP) | |
| 110 | | POP3 (Post Office Protocol) | saves mail to the client |
| 143 | | IMAP (Internet Message Access Protocol) | saves mail on the server |
| 161, 162 | UDP | SNMP (Simple Network Management Protocol) | |
| 137-139 | | NetBIOS | |
| 389 | | LDAP (Lightweight Directory Access Protocol) | mutual authentication, it's secure; read, remove, update data in the network; not encrypted |
| 445 | | SMB (Server Message Block) | replaces NetBIOS |
| 465/587 | UDP | s/SMTP | |
| 514 | UDP | syslog | |
| 636 | TCP | s/LDAP | |
| 21 / 20 | | FTP | 21 control, 20 data connection |
| 990 / 989 | TCP | sFTP | 990 control, 989 data connection |
| 1433 | TCP | MSSQL | |
| 1514 | | Wazuh manager | |
| 1515 | | Wazuh agent | |
| 1701 | | L2TP (Layer 2 Tunneling Protocol) | establishes remote connections |
| 3389 | | RDP (Remote Desktop Protocol) | |
| 5000 | | Logstash | |
| 5601 | | Kibana | |
| 8000 | | Splunk | |
| 9200 | | Elasticsearch | |
| 9997 | | Splunk forwarder | |
| 55000 | | Wazuh API | |

### Authentication

* PAP: clear-text username and password sent to the server.
* CHAP: the user sends a hashed value of the password to the server.
* TOTP: time-based OTP
* HOTP: HMAC (hash)-based OTP
* Retinal scan: scans the blood vessels of the eye.
* Iris scan: scans the outer ring around the pupil.
* Pupil dilation: enlargement of the pupil.

## Architecture

* Bastion host: monitoring machine.
* Air-gapped system: a network/PC with unique security requirements.
* Single point of failure: a single server; if it goes down, the system stops working.
### Cloud

* On-premise server: a physical server at the company.
* Jumpbox: controls remote access to multiple servers on a private cloud.
* Hybrid cloud: a mix of on-premise servers, private cloud, third-party and public cloud.
* Metered service: usage is measured.
* Rapid elasticity: scales up and down quickly.
* IaaS (Infrastructure as a Service): e.g. load balancers, servers, ...
* SaaS (Software as a Service)
* PaaS (Platform as a Service): provides resources somewhere between SaaS and IaaS, based on Oracle or MS SQL or PHP and MySQL.
* DaaS (Desktop)
* SECaaS (Security)
* FaaS (Function)
* MSSP (managed security service provider)
* VDI: virtual desktop infrastructure
* VPC: virtual private cloud
* Orchestration: combining
  * resource orchestration: EC2 in Amazon
  * workload orchestration: manages applications
  * service orchestration: works on the services themselves
* Infrastructure as code (IaC): automated orchestration
* Snowflake system: a system that differs from the standard template with IaC.
* Hypervisor:
  * Type 1: runs on the physical hardware.
  * Type 2: runs on a host operating system.

### System

* NIDS (network intrusion detection system): monitors and deeply analyzes packets; does not change packet structure.
* HIDS (host-based): installed on the machine to be monitored. Monitors incoming and outgoing traffic to alert the user about unauthorized intrusions.
* One firewall at the public server, one between the public and private networks.
* IDS: compares traffic against known attack patterns (pattern correlation).
  * signature-based intrusion detection (malicious byte sequences)
  * anomaly-based: compares against day-to-day activity.
* IPS (intrusion prevention system): inspects packets and blocks them from being sent (based on protocol, port, signature). Sits in the firewall area.
* UEBA: user and entity behavior analytics
* Sentiment analysis: uses AI to detect.

### OS-based execution control

* SRP: Software Restriction Policies, configured as group policy objects (GPOs)
* AppLocker: locks down applications.
* WDAC: Windows Defender Application Control

### Preventing PowerShell scripts

* Use group policy to restrict execution of PowerShell to trusted **accounts and hosts**.
* Use group policy execution control to run scripts only from **trusted locations**.
* Consider use of Constrained Language Mode (devblogs.microsoft.com/powershell/powershell-constrained-language-mode) and signed scripts to **limit the ability**
* Use PowerShell logging (docs.microsoft.com/en-us/powershell/scripting/windowspowershell/wmf/whats-new/script-logging?view=powershell-7) and the Antimalware Scan Interface (docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps) to detect and prevent obfuscated and suspicious code.
* Prevent the use of **old PowerShell versions** to mitigate the use of a downgrade attack to bypass access controls.

## Personnel and organization

* FISMA: Federal Information Security Management Act
* COPPA: Children's Online Privacy Protection Act
* HIPAA: Health Insurance Portability and Accountability Act
* RP: relying party: provides the service, conducts the SAML transaction
* IdP: identity provider
* SLA (service level agreement): a commitment to service quality
* MOU (memorandum of understanding): a preliminary agreement between two companies to work together
* NDA (non-disclosure agreement): a commitment not to disclose information
* DLP: data loss prevention
* DSUA: data sharing and use agreement
* Data owner: responsible for maintaining integrity and confidentiality
* Data steward: labels data, ensures data is in the right format
* Data custodian: manages where data assets are stored
* TTP: tactics, techniques, procedures.
* MITRE ATT&CK (attack.mitre.org): detection, mitigation
* OpenIoC: in-depth research on APTs, but no detection or mitigation
* Lockheed Martin (kill chain): general life-cycle description, no prevention
* Diamond Model: graphical representation of attacker behavior
* PII: personally identifiable information
* SPI: sensitive personal information
* BCP: business continuity plan
* PHI: protected health information
* GDPR: General Data Protection Regulation
* CRM: customer relationship management
* PCI-DSS: Payment Card Industry Data Security Standard
* BYOD: bring your own device
* COPE: company owned / personally enabled
* CYOD: choose your own device
* MDM: mobile device management
* Purple team: makes the red and blue teams work together to maximize capabilities.
* White team: referee, ensures the competition is fair
* CISO: Chief Information Security Officer

## Crypto

* IV attack: observe the relationship between different keys to find the clear text
* Revocation: revoke a key when it is compromised.
* DNSSEC: RSA/SHA-1
* Block ciphers have a fixed length (8, 16, 32, 64, ...)
* Stream ciphers encrypt a single bit at a time
* Symmetric: AES, DES, 3DES, RC4, Blowfish
* Asymmetric: PGP, Diffie-Hellman, ECC, RSA, DSA, GPG.
* DSA (Digital Signature Algorithm; the NIST Digital Signature Standard)
  * NIST 1994
  * digital signatures only, no encryption
  * same speed as RSA when creating a signature
  * SHA-1 hash algorithm
  * 10-40 times slower when verifying a signature

### Output / key bit sizes

| Algorithm | Bits |
|---|---|
| ECC | same security level as 256-bit |
| DES | 56 |
| 3DES | 168 |
| MD5 | 16 bytes, 128 bits |
| NTLM | 128 |
| RIPEMD | 160 |
| SHA-2 | 256 |
| SHA-1 | 160 |
| AES | 128, 192, 256 |
| RSA, Diffie-Hellman | 3072 |

### Password attacks

* Brute force
* Password spraying: one password tried against many accounts.
* Dictionary brute force: a password list from the internet.
* Cognitive password: passwords generated from information gathered about the target.
* Hybrid: wordlist + numbers
* Rainbow table: cracks password hashes

## Logging

1. Log all relevant events, filter out irrelevant events.
2. Establish and document the scope of events.
3. Develop use cases to define threats.
4. Plan the incident response for an event.
5. Establish a ticketing process to track events.
6. Schedule regular threat hunting.

## Social engineering

* Spear phishing: scams a group of people.
* Phishing: scams a specific person.
* Whaling: impersonating senior staff.
* Vishing: scam phone call (the attacker calls the victim).
* Hoaxes: scam phone call (the victim calls the attacker).
* Spam
* Tailgating: following closely behind someone.
* Dumpster diving: rummaging through the trash.
* Impersonation: pretending to be someone else.
* Eavesdropping: listening in.
* Shoulder surfing: peeking over someone's shoulder.
* Invoice scam: a fake invoice.
* Pharming: lures the victim to a fake website.
  1. Change the IP in the hosts file / DNS DB -> redirect the victim to a malicious page.
  2.
* Watering hole: placed on a website that potential victims will visit.

## Permissions

* Account management policy: create -> decommission (from creation to deletion)
* Data ownership policy: how ownership information is created and used.
* Data classification policy: the classification structure of the data in use.
* GPO (group policy object): helps the admin create and deploy policies.
* MAC (mandatory access control): the admin sets all permissions; strongest protection.
* DAC (discretionary access control): the creator sets the permissions.
* RBAC (role-based access control): permissions assigned according to role.
* ABAC (attribute-based access control): the most detailed, explicit.

## IoT (Internet of Things)

* ICS (industrial control system)
* SCADA (supervisory control and data acquisition)
* TPM (trusted platform module): a chip mounted on the motherboard:
  * Protects keys and passwords.
  * Verification: blocks software replacement.
  * Manages encryption keys.

  Components:
  * random number generation
  * sealing
  * remote attestation
  * binding
  * secure generation of cryptographic keys
* Because IoT products run proprietary operating systems, analyze user activity instead.
* IoT systems are hard to replace, so any answer that says "replace" can be eliminated immediately.

![image](https://hackmd.io/_uploads/Bkobbyuy0.png)

* FAR: the false acceptance rate is the frequency at which the system admits a person who should not be admitted.
* FRR: the false rejection rate is the frequency at which the system incorrectly denies access to an authorized user. The FAR can be improved by increasing the sensitivity of the system, while the FRR can be improved by decreasing the sensitivity of the system.
* CER: the crossover error rate, which is the sensitivity point at which the FAR and FRR are equal.
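To make the FAR / FRR / CER trade-off concrete, here is an added example (not from the original notes) in Python. It assumes a biometric matcher that outputs a similarity score and a system that admits anyone scoring at or above a threshold (the "sensitivity"); the genuine-user and impostor score lists are constructed sample data, and the function names are my own.

```python
"""Biometric error rates: FAR, FRR and the crossover error rate (CER).

Added example, not part of the original notes. A matcher yields a
similarity score (0-100); the system admits a sample when the score is at
or above the threshold. Raising the threshold lowers FAR and raises FRR,
lowering it does the opposite, and the CER is where the two curves cross.
"""

# Constructed sample scores. GENUINE: enrolled user matched against their
# own template. IMPOSTOR: other people matched against that template.
GENUINE = [92, 88, 85, 81, 79, 77, 74, 70, 66, 61]
IMPOSTOR = [25, 31, 38, 44, 49, 55, 58, 63, 68, 72]


def far(threshold, impostor=IMPOSTOR):
    """False acceptance rate: fraction of impostors admitted at this threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False rejection rate: fraction of genuine users rejected at this threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(genuine=GENUINE, impostor=IMPOSTOR):
    """Return [(threshold, FAR, FRR), ...] over every integer threshold in range."""
    lo = min(genuine + impostor)
    hi = max(genuine + impostor) + 1
    return [(t, far(t, impostor), frr(t, genuine)) for t in range(lo, hi + 1)]


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Return (threshold, cer): the threshold where |FAR - FRR| is smallest.

    The CER is reported as the mean of FAR and FRR at that threshold, which
    equals both when the curves cross exactly at an integer threshold.
    """
    best = None
    for t, a, r in sweep(genuine, impostor):
        gap = abs(a - r)
        if best is None or gap < best[2]:
            best = (t, (a + r) / 2, gap)
    return best[0], best[1]


if __name__ == "__main__":
    for t, a, r in sweep():
        print(f"threshold={t:3d}  FAR={a:.1f}  FRR={r:.1f}")
    t, cer = crossover()
    print(f"CER = {cer:.2f} at threshold {t}")
```

Running the sweep shows the trade-off the notes describe: at a low threshold (low sensitivity) FAR is 1.0 and FRR is 0.0, at a high threshold the reverse, and with these constructed scores the curves meet at threshold 67 with FAR = FRR = 0.2. A lower CER means the genuine and impostor score distributions overlap less, which is the usual single-number comparison between biometric systems.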
## Disaster

* HVAC: heating, ventilation, air conditioning
* UPS: uninterruptible power supply
* MTTD: mean time to detect
* MTBF: mean time between failures
* MTTF: mean time to failure; used for non-repairable assets
* MTTR: mean time to repair
* MEF: mission essential function
* MTD (Maximum Tolerable Downtime): the maximum time a system or service may be down without causing serious consequences
* MTPD (Maximum Tolerable Period of Disruption): how long the organization can hold out before the system collapses
* RTO (Recovery Time Objective): time to recover
* RPO (Recovery Point Objective): the amount of data loss the system can tolerate. If the RPO is a few days, a simple tape backup system is sufficient; if the RPO is zero or measured in minutes or seconds, a more expensive server-cluster failover and backup solution is needed.

![image](https://hackmd.io/_uploads/r1VuRWPJR.png)

* DRPs: disaster recovery plans
* RAID (redundant array of independent disks)
  * RAID 0: stripe
  * RAID 1: mirror
  * RAID 5: needs at least 3 disks; if 1 disk fails no data is lost
  * RAID 6: needs at least 4 disks; if 2 disks fail no data is lost

![image](https://hackmd.io/_uploads/SJFkEzPyR.png)

* Hot site: usable immediately.
* Warm site: usable after the latest data is added.
* Cold site: nothing at all.

## Incident response

* **Chain of custody**: documentation that reinforces the integrity and proper handling of evidence from collection, to analysis, to storage, and finally to presentation.
* **IRP** (incident response plan): lists the procedures, contacts, and resources available to responders for various incident categories.
* Playbook/runbook: SOAR (checklist of actions)
* Buying insurance -> transference

![image](https://hackmd.io/_uploads/ry4Ec08J0.png =x200)
![image](https://hackmd.io/_uploads/Hk_foCUk0.png =x300)

### CSIRT (incident response team)

* incident response manager
* security analyst
* triage analyst (filters logs, monitors, analyzes)
* forensic analyst
* threat researcher (threat intelligence, overall context)
* cross-functional support (related people such as admins, data owners, ...)
### Training

* Tabletop: members play their roles in the incident, make decisions and take actions to solve the problem. The training does not use computer systems.
* Walkthroughs: unlike a tabletop exercise, the responders perform actions such as running scans and analyzing sample files, typically on sandboxed versions of the company's actual response and recovery tools.
* Simulations: include red team, blue team, white team.

### Forensics

* CPU cache: L1, L2, L3, GPU
* RAM:
  * routing table
  * ARP cache
  * process table
  * kernel statistics
  * temporary file system
  * swap space
  * virtual memory
* Hard drive: SSD, flash memory devices

### Sanitization

* Disk wiping: repeated overwriting
* Purging: erase, reuse
* Shredding: physically shred the disk, no reuse
* Degaussing: demagnetize, no reuse

## Other attacks

* Jamming attack: interferes with the radio signal.
* Amplification attack: abuses services that are easy to misuse in order to amplify traffic toward the target.
* Booting a server from CD-ROM or floppy disk can change the admin password or gain access to protected files.
* TCP hijacking: jumping into a session if the next number in the packet sequence is guessed -> creates a DoS.
* Open mail relay: an SMTP server configured so that anyone on the internet can send mail through it.
* Rogue antivirus: fake software

## Tips

* 70% of threats come from internal threats.
* If you see a strange file, scan it online because it is fast and shared with the community. The scanner on your own machine may itself have been hacked.
* Location-based authentication: in an unfamiliar location, permissions are limited when authenticating.

## English words

* Deterrent: something that discourages an action
* Compensating: making up for
* Scarcity: shortage
* Intimidation: threatening
* Consensus: unity, agreement
* Staging: trial operation
* Remediate: fix
* Eradication: wiping out
* Containment: keeping in check
* Adversary: enemy
* Disposal: handling, getting rid of

## Some suggested solutions

- Firewall: pfSense + Suricata
- IPS/IDS: Security Onion (this bundle contains many IPS/IDS tools such as Snort, Suricata, Zeek, honeypots, ...). Building one of the standalone products on its own is fine too.
- NAC: PacketFence
- FIM (File Integrity Monitoring): OSSEC/Wazuh, Samhain
- WAF: ModSecurity, Coraza, CrowdSec
- Proxy: NGINX, Linkerd
- SIEM/SOAR: Splunk, Graylog, ELK, OSSIM