Sec+ preparation #5


Intro
Let's jump into the next day of preparing for Sec+.
Before beginning I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he explains the various topics. A real professional.
You can purchase the Security+ SY0-701 boot camp here
Prelude
- It is important not to wait too long between finishing preparation and taking the exam.
Security Content Automation Protocol (SCAP)
We need to master these acronyms.
Common Configuration Enumeration (CCE)
- Identifiers for discussing system configuration issues
Common Platform Enumeration (CPE)
- Product names, versions
Common Vulnerabilities and Exposures (CVE)
This one is important.
When we talk about vulnerabilities, this is the identifier that comes into play.
Not everyone patches their software.
A vulnerability being published does not mean everybody patches it.
Common Vulnerability Scoring System (CVSS)
Approach for measuring vulnerability severity.
Extensible Configuration Checklist Description Format (XCCDF)
- Language for reporting checklist results
Open Vulnerability and Assessment Language (OVAL)
- Low level testing procedures
Many of these things come from NIST.
NIST is a place where it is good to search for new information. They have lots of info.
Lots of companies use NIST guidelines to secure systems.
False Positives
There are lots of false positives in vulnerability scanners and IDSes.
As penetration testers we have to check which reported findings are real. So we are, in a way, practical analysts of vulnerability scanner results.
Reconciling Scan Results with Other Data Sources
Logs
Security information and event management (SIEM) systems.
The main tool is Splunk.
It gathers lots of logs and puts them in one database. Then you can search it.
Cisco purchased it.
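Reconciling scanner output with inventory and SIEM data is how false positives get weeded out in practice. The script below is an added example, not code from this post or from Hackers-Arise: the scanner findings, package inventory, SIEM events and CVE ids (`CVE-EXAMPLE-...`) are all constructed placeholders, and the key=value log format is an assumption.

```python
def parse_version(version):
    """Compare dotted numeric versions as tuples, e.g. '2.4.58' -> (2, 4, 58)."""
    return tuple(int(x) for x in version.split("."))


# Constructed scanner findings. The CVE ids are placeholders, not real identifiers.
SCAN_FINDINGS = [
    {"host": "web01", "package": "openssh-server", "cve": "CVE-EXAMPLE-0001", "fixed_in": "9.3"},
    {"host": "web01", "package": "apache2",        "cve": "CVE-EXAMPLE-0002", "fixed_in": "2.4.58"},
    {"host": "db01",  "package": "mysql-server",   "cve": "CVE-EXAMPLE-0003", "fixed_in": "8.0.35"},
    {"host": "db01",  "package": "vsftpd",         "cve": "CVE-EXAMPLE-0004", "fixed_in": "3.0.6"},
]

# Constructed package inventory, as the patch-management system would report it.
INVENTORY = {
    "web01": {"openssh-server": "9.6", "apache2": "2.4.52"},
    "db01":  {"mysql-server": "8.0.36"},
}

# Constructed SIEM events (assumed key=value style) used as a third source of evidence.
SIEM_EVENTS = [
    "2024-05-02T03:14:07Z host=db01 action=package_removed package=vsftpd user=ops",
    "2024-05-02T03:20:41Z host=web01 action=service_restart service=apache2 user=ops",
]


def removed_packages(events):
    """Set of (host, package) pairs the SIEM says were uninstalled."""
    removed = set()
    for event in events:
        fields = dict(f.split("=", 1) for f in event.split()[1:])
        if fields.get("action") == "package_removed":
            removed.add((fields["host"], fields["package"]))
    return removed


def reconcile(findings, inventory, events):
    """Attach a verdict to each scanner finding using inventory and SIEM evidence."""
    removed = removed_packages(events)
    results = []
    for finding in findings:
        host, package = finding["host"], finding["package"]
        installed = inventory.get(host, {}).get(package)
        if installed is None:
            if (host, package) in removed:
                verdict = "likely false positive: package removed (SIEM)"
            else:
                verdict = "needs manual check: package not in inventory"
        elif parse_version(installed) >= parse_version(finding["fixed_in"]):
            verdict = "likely false positive: installed version is at or above the fix"
        else:
            verdict = "confirmed: patch required"
        results.append({**finding, "installed": installed, "verdict": verdict})
    return results


def confirmed(results):
    """Only the findings that still need a patch after reconciliation."""
    return [r for r in results if r["verdict"].startswith("confirmed")]


if __name__ == "__main__":
    for r in reconcile(SCAN_FINDINGS, INVENTORY, SIEM_EVENTS):
        print(f"{r['host']:6s} {r['package']:15s} {r['cve']:17s} "
              f"installed={r['installed']!s:7s} {r['verdict']}")
```

Version comparison is itself a source of error: distributions often backport a fix without bumping the upstream version number, so "installed version below fix" can still be a false positive. Treat the verdicts as triage, and let the analyst and the vendor advisory make the final call.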
Hotfixes (will be in exam)
A term used for a patch
An update that usually fixes a single issue
Basically a patch for a single issue - that is a hotfix.
A collection of hotfixes is called a Service Pack.
Service Packs (SP)
A collection of updates, fixes.
Delivered as a single installable package.
Contains a collection of patches.
Patches
A quick and dirty piece of code to fix an issue.
An immediate solution that is provided to users.
All patches should be tested in the lab first.
Ensure you have a back-out plan before applying. Patches usually break other stuff.
If you know when the system was last rebooted, then you know when it was last patched, because patches require a system reboot. Useful info for hackers.
Patch Management
Process of using a patching strategy and plan.
You must validate that all systems are patched.
It is a time-consuming process
- Large companies have dedicated team for this.
Weak Configurations
These are configurations that often lead to vulnerable systems.
Default settings
People install systems and leave the default settings, for example passwords like admin.
This is especially common in the IoT world.
Open service ports that are not necessary.
Open permissions that allow users access.
Insecure Protocols
Many of the older protocols used on networks are not secure, yet they are still used today.
For example http and https.
Weak encryption
It is a crucial part of protecting sensitive data.
When implementing encryption you have two important choices:
You have to choose an algorithm
There are many algorithms.
The most secure is AES (Advanced Encryption Standard).
You have to choose an encryption key
One of the tools that provides encryption is VeraCrypt. Its documentation describes how this process happens.
To understand more about encryption it is smart to dive into cryptography. Hackers-Arise has a course about cryptography.
Penetration testing
A testing methodology where professionals simulate real-world attacks on an organization's IT systems. Good guys who break into the system, then report what they found so the broken stuff gets fixed.
It's a synonym for the term Ethical Hacking.
Penetration testing vs. Security assessment
A security assessment only finds vulnerabilities, while a penetration test goes further.
An assessment only reports the vulnerabilities to the owner.
Penetration testing types
Physical penetration testing
The pentester tries to get through the physical perimeter, e.g. physical machines or doors.
It also includes social engineering
Offensive pentesting
Defensive pentesting
- Tests the ability to defend against attacks.
Integrated penetration testing
- It contains both offensive and defensive pentesting.
Establish a Baseline (important)
Baseline reporting
What do I audit against
- We have to have a baseline of how servers and systems must look
How do I know if it is wrong or right
- You don't know what wrong looks like when you don't know what good looks like.
Know the systems and networks
Detect deviation from baseline
Detect unusual event
Metrics can help
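"Detect deviation from baseline" is easier to picture with a concrete baseline. The script below is an added example, not code from this post or from Hackers-Arise: it hashes every file under a directory to form the baseline, stores it as JSON, and later classifies drift as added, removed or modified files. The `/etc`-style tree it builds in a temporary directory, and the drift it introduces, are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline, path):
    """Persist the approved state; keep this file where the audited host cannot rewrite it."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Classify every deviation from the baseline: new, missing, or changed files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo():
    """Build a constructed /etc-like tree, baseline it, introduce drift, and report it."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        (etc / "ssh").mkdir(parents=True)
        (etc / "cron.d").mkdir()
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "motd").write_text("Authorised use only.\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(etc), baseline_file)   # the "known good" state

        # Simulated drift: a hardening setting flipped, an unexpected cron job, a file gone.
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (etc / "cron.d" / "unexpected_job").write_text("*/5 * * * * root /usr/local/bin/unknown.sh\n")
        (etc / "motd").unlink()

        return compare(load_baseline(baseline_file), snapshot(etc))


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:9s} {path}")
```

A deviation report is only as trustworthy as the baseline file: if the host being audited can modify its own baseline, an intruder can simply re-baseline after making changes, which is why file-integrity tools keep the reference copy off-box or signed.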
Code Review
Developers should do it
Your own or commercial application
Could prevent common attacks such as:
Determine Attack Surface
Two cardinal rules of system security are:
Patch
Reduce your attack surface
- Removing any unnecessary surfaces
Every application, every surface is vulnerable. The more surfaces you run, the higher the chance of getting hacked.
Apply principle of least privilege. (will be in exam)
- Don’t give anybody powers that they do not need.
Give people as little privilege as they need to do their job properly.
Reduce number of entry points.
The less you offer, the less possibility of attacks exists.
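The attack-surface rules above (and the "open service ports that are not necessary" and "insecure protocols" points under Weak Configurations) come down to one check: compare what a host actually listens on with what its role is allowed to listen on. The script below is an added example, not code from this post or from Hackers-Arise. The listings are constructed samples that approximate `ss -tlnp` output on a Linux host, and the "web server" allowlist is a hypothetical policy.

```python
import re

# Constructed sample approximating `ss -tlnp` output on a Linux web server (not a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1200,fd=6))
LISTEN 0      511    *:443               *:*               users:(("nginx",pid=1200,fd=7))
LISTEN 0      5      0.0.0.0:23          0.0.0.0:*         users:(("inetd",pid=700,fd=5))
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=1500,fd=21))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

# The same constructed host after remediation: telnet removed, MySQL bound to loopback only.
HARDENED_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1200,fd=6))
LISTEN 0      511    *:443               *:*               users:(("nginx",pid=1200,fd=7))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1500,fd=21))
"""

# Hypothetical allowlist for the "web server" role: port -> where it may listen.
WEB_ROLE_ALLOWLIST = {22: "any", 80: "any", 443: "any", 631: "local", 3306: "local"}

# Ports whose default protocol carries credentials or data in cleartext.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 110: "pop3", 143: "imap"}

ALL_INTERFACES = {"0.0.0.0", "*", "::", "[::]"}


def parse_ss(output):
    """Extract bind address, port and process name from each LISTEN line."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        proc = re.search(r'"([^"]+)"', line)
        listeners.append({"addr": addr, "port": int(port),
                          "process": proc.group(1) if proc else "unknown"})
    return listeners


def audit(listeners, allowlist):
    """Return (port, process, reason) for every listener that widens the attack surface."""
    findings = set()
    for l in listeners:
        port, proc, addr = l["port"], l["process"], l["addr"]
        scope = allowlist.get(port)
        if scope is None:
            findings.add((port, proc, "not in the role allowlist: stop the service or get it approved"))
        elif scope == "local" and addr in ALL_INTERFACES:
            findings.add((port, proc, "approved for loopback only but bound to all interfaces"))
        if port in CLEARTEXT_PORTS:
            findings.add((port, proc, f"cleartext protocol ({CLEARTEXT_PORTS[port]}): "
                                      "replace with an encrypted equivalent"))
    return sorted(findings)


if __name__ == "__main__":
    for label, output in (("before", SAMPLE_SS_OUTPUT), ("after", HARDENED_SS_OUTPUT)):
        findings = audit(parse_ss(output), WEB_ROLE_ALLOWLIST)
        print(f"{label}: {len(findings)} finding(s)")
        for port, proc, reason in findings:
            print(f"  {port:5d} {proc:8s} {reason}")
```

Running the audit against the "before" listing flags telnet (not allowed, and cleartext) and MySQL (approved, but exposed on every interface instead of loopback); the "after" listing produces no findings. Keeping the allowlist per role rather than per host is what makes the check repeatable across a fleet.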
Architecture
Network architecture is the first step:
Start with a strategy
Define goals
Add business requirements
There are many architecture frameworks such as:
Zachman Framework
The Open Group Architecture Framework (TOGAF)
Federal Enterprise Architecture
Gartner
For the exam we need to understand that there are different frameworks.
Infrastructure
Supporting elements
Power and alternate power systems
- A very important factor is redundancy. If something fails, there has to be a backup process to fill that gap. For example, hospitals have generators.
Building
Sometimes you need a backup building.
If the building is flooded, it's bad.
HVAC (Heating, Ventilation, Air Conditioning)
Cabling
Supplies
Furniture
Honeypot (almost always in exam)
Give the attacker something that looks attractive to attack.
A sacrificial lamb
Legal and ethical
Used to learn from the offensive side
A computer with flaws exposed to the public network
If a system looks easy to attack, it is most of the time a honeypot
A collection of honeypots is called a honeynet
There are sticky honeypots such as LaBrea.
Port Scanners
Such as Nmap (it is a very important tool)
Discovery Tool
There are 65536 (2¹⁶) ports in total
Any of these ports can host a service
Any port can be used for any service
- Sometimes it adds another security level.
Discover the versions of the services running
Password Crackers
There are many crackers
L0phtCrack
OphCrack
John the Ripper (it can do hash detection too, it’s very nice for that)
Cain & Abel
Hydra
Hashcat
A hash is one-way encryption, so you cannot decrypt it.
Written by Jonas Satkauskas
