Sec+ preparation #5

Intro

Let’s jump into the next day of preparing for Sec+.

Before beginning I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he presents the various topics. A real professional.

You can purchase the Security+ SY0-701 boot camp here.

Prelude

  • It is important not to wait too long after preparing before taking the exam.

Security Content Automation Protocol (SCAP)

We need to master these acronyms:

  • Common Configuration Enumeration (CCE)

    • Describes system configuration issues

  • Common Platform Enumeration (CPE)

    • Identifies product names and versions

  • Common Vulnerabilities and Exposures (CVE)

    • This one is important

    • When we talk about vulnerabilities, this is the identifier that is used

    • Not everyone patches their software

    • A vulnerability being published does not mean everybody patches it

  • Common Vulnerability Scoring System (CVSS)

    • An approach for measuring severity

  • Extensible Configuration Checklist Description Format (XCCDF)

    • Language for reporting checklist results

  • Open Vulnerability and Assessment Language (OVAL)

    • Low-level testing procedures

Many of these standards come from NIST.

NIST is a good place to search for new information. They have lots of it.

Lots of companies use NIST guidelines to secure systems.

False Positives

There are lots of false positives in vulnerability scanners and IDSes.

[Figure: confusion matrix illustration with symbol explanation, TP (True Positive) and the related outcomes]

As penetration testers we have to check which reported findings are real and which are false positives. So we’re kind of practical analysts of vulnerability scanner results.

Reconciling Scan Results with Other Data Sources

  • Logs

  • Security information and event management (SIEM) systems

  • The main tool is Splunk

    • It gathers lots of logs and puts them in one database. Then you can search it.

    • Cisco purchased it.
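An added example, not from the course, of reconciling scanner findings with patch logs held in a SIEM: it joins constructed scanner output against constructed package-manager log lines and flags findings that the logs suggest are false positives; the hostnames, package versions and the CVE-EXAMPLE identifiers are all made up for the demonstration.

```python
import re

# Constructed scanner findings: what the vulnerability scanner reported.
# CVE-EXAMPLE-* are placeholder identifiers, not real CVEs.
FINDINGS = [
    {"host": "web01", "cve": "CVE-EXAMPLE-0001", "package": "httpd", "seen": "2.4.52", "fixed_in": "2.4.58"},
    {"host": "web02", "cve": "CVE-EXAMPLE-0001", "package": "httpd", "seen": "2.4.52", "fixed_in": "2.4.58"},
    {"host": "db01", "cve": "CVE-EXAMPLE-0002", "package": "openssh", "seen": "9.3", "fixed_in": "9.6"},
]

# Constructed package-manager log lines, as a SIEM such as Splunk would hold them.
LOG_LINES = """\
2024-05-02T10:15:00Z web01 pkg: upgraded httpd 2.4.52 -> 2.4.58
2024-05-02T10:20:00Z web02 pkg: upgraded httpd 2.4.52 -> 2.4.55
2024-05-03T08:00:00Z db01 pkg: upgraded openssh 9.3 -> 9.6
2024-05-03T08:01:00Z db01 sshd: restarted
""".splitlines()

LOG_RE = re.compile(r"^\S+ (?P<host>\S+) pkg: upgraded (?P<pkg>\S+) \S+ -> (?P<new>\S+)$")

def version_key(v: str) -> tuple:
    """Simplified comparison for dotted numeric versions (no epochs or distro suffixes)."""
    return tuple(int(p) for p in v.split("."))

def latest_installed(log_lines) -> dict:
    """Map (host, package) to the newest version the patch log shows installed."""
    latest = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated log line, e.g. a service restart
        key = (m["host"], m["pkg"])
        if key not in latest or version_key(m["new"]) > version_key(latest[key]):
            latest[key] = m["new"]
    return latest

def triage(findings, log_lines) -> list:
    """Tag each finding as a likely false positive (log shows the fixed version) or one to confirm."""
    latest = latest_installed(log_lines)
    result = []
    for f in findings:
        installed = latest.get((f["host"], f["package"]))
        if installed and version_key(installed) >= version_key(f["fixed_in"]):
            verdict = "likely false positive - verify on the host"
        else:
            verdict = "confirm - logs show no fixed version"
        result.append((f["host"], f["cve"], installed or f["seen"], verdict))
    return result
```

A "likely false positive" still needs confirming on the host itself; the log only tells you what the package manager did, not whether the service was restarted with the new code.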

Hotfixes (will be in exam)

  • Another term for a patch

  • An update that usually fixes a single issue; basically, a patch for a single issue is a hotfix

  • A collection of hotfixes is called a service pack

Service Packs (SP)

  • A collection of updates and fixes.

  • Delivered as a single installable package.

  • Contains a collection of patches.

Patches

  • A quick and dirty piece of code to fix an issue.

  • An immediate solution that is provided to users.

  • All patches should be tested in the lab first.

  • Ensure you have a back-out plan before applying. Patches usually break other stuff.

  • If you know when the system was last rebooted, then you know when it was last patched, because patches require a system reboot. Useful info for hackers.

Patch Management

  • Process of using a patching strategy and plan.

  • You must validate that all systems are patched.

  • It is a time-consuming process

    • Large companies have a dedicated team for this.

Weak Configurations

These are configurations that often lead to vulnerable systems.

  • Default settings

    • People install systems and leave the default settings, for example passwords like admin.

    • This is common in the IoT world.

  • Open service ports that are not necessary.

  • Open permissions that allow users more access than they need.

Insecure Protocols

Many of the older protocols used on networks are not secure, yet they are still used today.

For example, HTTP versus HTTPS.

Weak encryption

  • It is a crucial part of protecting data.

  • When implementing encryption you have two important choices:

    • You have to choose the algorithm

      • There are many algorithms.

      • The most secure is AES (Advanced Encryption Standard).

    • You have to choose the encryption key

One place that provides encryption is VeraCrypt. You can find documentation on how this process works.

To understand more about encryption it is smart to dive into cryptography. Hackers-Arise has a course on cryptography.

Penetration testing

A testing methodology where professionals simulate real-world attacks on an organization’s IT systems. Good guys who break into the system, then report what they found so the broken stuff can be fixed.

It’s a synonym for the term ethical hacking.

Penetration testing vs. security assessment

A security assessment only finds vulnerabilities, while a penetration test goes further.

An assessment only reports the vulnerabilities to the owner.

Penetration testing types

  • Physical penetration testing

    • The pentester tries to get into the physical perimeter, such as physical computers or doors.

    • It also includes social engineering.

  • Offensive pentesting

  • Defensive pentesting

    • Tests the ability to defend against attacks.

  • Integrated penetration testing

    • Contains both offensive and defensive pentesting.

Establish a Baseline (important)

  • Baseline reporting

    • What do I audit against?

      • We have to have a baseline for how servers and systems must look.

    • How do I know if it is wrong or right?

      • You don’t know what wrong looks like when you don’t know what good looks like.

    • Know your systems and networks

      • Detect deviation from the baseline

      • Detect unusual events

    • Metrics can help

Code Review

Developers should do it.

  • Your own or a commercial application

  • Could prevent common attacks such as:

    • Buffer overflow

    • Parameter manipulation

    • SQL injection

    • XSS (cross-site scripting) and CSRF (cross-site request forgery) attacks

  • The reviewer should:

    • Check input validation and user interaction

    • Attempt to outsmart the developer

    • Understand the logic of the application
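An added example, not from the course, of the SQL injection case a code review should catch: the same login lookup written once with user input spliced into the SQL text and once as a parameterized query, run against a constructed in-memory SQLite table.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the demonstration.
    Plaintext passwords only to keep the SQL point short; real systems store password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct horse"), ("bob", "hunter2")])
    return db

def login_vulnerable(db, name: str, password: str) -> list:
    """What a reviewer should flag: the input is spliced into the SQL text, so a quote
    character in it changes the query's logic instead of being compared as data."""
    query = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return sorted(row[0] for row in db.execute(query))

def login_safe(db, name: str, password: str) -> list:
    """Hardened form: a parameterized query; the driver passes the values separately
    from the statement, so they can never become SQL syntax."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in db.execute(query, (name, password)))
```

With a valid password both functions return ["alice"]; with a password containing quote characters the vulnerable version can return every row while the safe version returns nothing, which is exactly the difference a reviewer is looking for.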

Determine Attack Surface

Two cardinal rules of system security are:

  1. Patch

  2. Reduce your attack surface

    1. Take out any unnecessary surfaces

Every application, every surface is vulnerable. The more surfaces you run, the higher the chance of getting hacked.

  • Apply the principle of least privilege. (will be in exam)

    • Don’t give anybody powers that they do not need.

    • Give people as little privilege as they need to do their job properly.

  • Reduce the number of entry points.

  • The less you offer, the fewer possibilities for attack exist.

Architecture

Network architecture is a first step:

  • Start with a strategy

  • Define goals

  • Add business requirements

There are many architecture frameworks such as:

  • Zachman Framework

  • The Open Group Architecture Framework (TOGAF)

  • Federal Enterprise Architecture

  • Gartner

For the exam we need to understand that there are different frameworks.

Infrastructure

  • Supporting elements

  • Power and alternate power systems

    • A very important factor is redundancy. If something fails, there has to be a backup to fill that gap. For example, hospitals have generators.

  • Building

    • Sometimes you need a backup building.

    • If the building is flooded, it’s bad.

  • HVAC (Heating, Ventilation, Air Conditioning)

  • Cabling

  • Supplies

  • Furniture

Honeypot (almost always in exam)

Give the attacker something that looks attractive to attack.

  • A sacrificial lamb

  • Legal and ethical

  • Used to learn from the offensive side

  • A computer with flaws exposed to the public network

  • If a system looks easy to attack, most of the time it’s a honeypot

  • A collection of honeypots is called a honeynet

  • There are sticky honeypots such as LaBrea.

Port Scanners

Such as Nmap (a very important tool)

  • Discovery tool

  • There are 65536 (2¹⁶) ports in total

    • Any of these ports can host a service

    • Any port can be used for any service

      • Sometimes this adds another security level.

  • Discovers the versions of the services running
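As an added example (my own, not from the course) that ties the Establish a Baseline section above to port scanning: it parses constructed lines in the style of Nmap grepable output (nmap -sV -oG) and reports deviations from an approved baseline of open ports; the hosts, ports and version strings are made up.

```python
import re
# Approved baseline (constructed): the ports each host is allowed to expose.
BASELINE = {
    "10.0.0.5": {22: "ssh", 443: "https"},
    "10.0.0.9": {22: "ssh", 3306: "mysql"},
}

# Constructed lines in the style of Nmap grepable output (nmap -sV -oG -); fields are tab-separated.
SCAN_OUTPUT = (
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.6/, 443/open/tcp//https//nginx 1.24.0/, "
    "8080/open/tcp//http-proxy//Apache httpd 2.4.52/\tIgnored State: closed (997)\n"
    "Host: 10.0.0.9 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.6/, 3306/filtered/tcp//mysql///\tIgnored State: closed (998)\n"
)

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) .*?Ports: (?P<ports>[^\t]*)")

def parse_grepable(text: str) -> dict:
    """Return {ip: {port: (state, service, version)}} from grepable Nmap output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts without a Ports field
        ports = {}
        for entry in m["ports"].split(", "):
            f = entry.split("/")  # port/state/proto/owner/service/rpc/version/
            ports[int(f[0])] = (f[1], f[4], f[6])
        hosts[m["ip"]] = ports
    return hosts

def deviations(baseline: dict, scanned: dict) -> list:
    """Report unexpected open ports, expected ports that are not open, and host mismatches."""
    report = []
    for ip, expected in baseline.items():
        seen = scanned.get(ip)
        if seen is None:
            report.append((ip, 0, "host missing from scan"))
            continue
        for port, (state, service, version) in seen.items():
            if state == "open" and port not in expected:
                desc = " ".join(x for x in (service, version) if x)
                report.append((ip, port, f"unexpected open port ({desc})"))
        for port in expected:
            if port not in seen or seen[port][0] != "open":
                report.append((ip, port, "expected port not open"))
    for ip in scanned:
        if ip not in baseline:
            report.append((ip, 0, "host not in baseline"))
    return sorted(report)
```

Run against the constructed scan, the report flags the unlisted port 8080 on 10.0.0.5 and the expected but filtered 3306 on 10.0.0.9; both are deviations worth an investigation ticket, not just a scan artifact.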

Password Crackers

There are many crackers:

  • L0phtCrack

  • Ophcrack

  • John the Ripper (it can do hash detection too, it’s very nice for that)

  • Cain & Abel

  • Hydra

  • Hashcat

A hash is one-way encryption, so you cannot decrypt it.

Written by

Jonas Satkauskas