IoT nowadays is everywhere. Now there’s about 20 billion IoT devices. In 2031 there will be around 35 billion IoT devices connected to the internet.

Interesting information about IoT devices & other stuff

When more network devices we have and more digital components ads up to the systems, we get bigger attack surface.

SCADA/ICS are also very very important. The Industrial systems are in control of our water and electricity.

• The best hack is the one that nobody has discovered.

Microwave is working on the same frequency as the Wi-Fi - 2.4-2.5GHz. If you’ll turn on the microwave, it will jam the Wi-Fi signal.

On IoT device’s small Linux systems, there’s not enough storage place for a good encryption or other security methods. Encryption takes computing power.

Interesting attacks:

• Node Cloning

  • You can clone a bluetooth device. It can send a communication to the device which is paired with simillar MAC Address device.

• Zigbee - it is a main protocol for IoT

Speed vs Security

IoT devices need speed. It does not have time for encryption. If you encrypt data, it takes time and time means latency. So IoT transfers data in clear text.

IoT OS

Most of the IoT devices are using OWRT.

STRIDE Classification Model

1. Spoofing

2. Tampering

3. Repudiation

4. Information Disclosure

5. Denial of Service

6. Elevation of Privilege

3 steps of STRIDE

1. Identify the Architecture

2. Identify the Architecture Components

3. Identify the Threats

Security solutions

• You can set up the devices to use different ports. Not the default ports. Just as like default credentials. Change ports and credentials.

Tools for IoT Reconnaissance

One of the best tools is header grabber - Shodan. This is the main point where you want to go.

Cameras

Hikvision and Dahua Technology ar chinese cameras and they are very insecure.

They are sold also as a white label. Dahua and Hikvision have 100+ relabelers/OEMs.

Main cameras protocols:

• RTSP (Real-Time Streaming Protocol) - usually port 554. Sometimes owners wants to change the port and they just add one more 5, so the port will be 5554 or 8554. Ending by “54” is most of the time will be a camera. RTSP is used only for cameras.

  • Used for Live Streaming

  • Example would look rtsp://example.com

• RTP (Real-Time Transport Protocol)

• PSIA

  • Used for configuration, camera discovery and live streaming (using RTSP)

• ONVIF (Open Network Video Inteface Forum) - it allows access through a set of standardized API’s.

  • Used for camera discovery, configuration and live streaming (using RTSP)

  • ONVIF requests are transmitted through XML SOAP messages.

List of default cameras passwords:

Link

Always try the simplest technique first.

cameradar is a best tool to brute force credentials and fint the route.

Some vulns found in Dahua cameras:

CVE-2021-33044

CVE-2021-33045

Shodan API

You can use Shodan API. Install it via pip:

pip install shodan

shodan init

shodan search <example>

You can use API and then put the search results into a file and save it for later

Camera hacking

• It is important to check what is the firmware. If the firmware is 3.0+, it was patched.

• There’s a chrome extension which helps to make MiTM attack to get the password reset for the dahua camera.

• To see the camera you need to use Microsoft Edge (a.k.a. Internet Explorer)

• The best hack is the one that victim does not know about.

• Always cover your tracks!

• You should make upload validation for firmware version updates. There are input validations, but there also should be upload validation.

• There’s always a way to get into the system

Useful Tools

• Pale Moon browser (Also streams video from cameras) - use 32bit version.

• Mousepad - a good txt editor for Kali. Don’t think that it will be better than Nano though :D

• Ipinfo.io - useful info about IPs

• Do not leave a user with a name admin. It makes a lot easier for an attacker to get in. He only need to guess the password.

RFID

RFID is a form of anti-theft control. It is a way to track the items/people/products and other stuff.

• RFID readers can act as IoT devices.

• RFID usually feeds data into the IoT network.

RFID Tags

There are active, passive and semi-passive tags.

• It has it’s own power source

Advantages of RFID are:

• Speed

• Durability

• Security - if it is encrypted. Encryption has to be good.

NFC is a sub-set of RFID.

You could use high gain antena and pick the NFC signal.

Challenges of RFID

• Cost

• Interference

• Privacy

Additional info about RFID

Low frequency = low range

Higher frequency = more memory

Higher frequency = Problems with interference

MIFARE is a most popular player. They are made by NXP technology, a dominant player in this field.

2G/3G mobile phones operate at Ultra-High Frequency (UHF) - 860-960 MHz.

LF cards are easier to work with. It is also easier to clone.

VPN security

If you use VPN, you hide your traffic from ISP. Of course if you use cookies, you show lots of information to the endpoint. It does not matter that you use VPN. VPN does not make you safe.

If you use for example VPN + Firewall + IDS, it is safer, because there are more layers that attacker has to pass.

Fortinet is not very secure, there has been many CVEs showing Fortinet gaps.

Router security

If you compromise the router, you own all of the traffic on the network.

RouterSploit works good for easy stuff. Always use the easiest way first.

When you compromise SNMP v1, you are in the network. There’s a good tool in Kali - snmpcheck.

There are also some other good tools for routers security cracking.

Bluetooth security

There are some HW tools which makes the cracking BL/BLE security easier.

You should keep in mind that Bluetooth is difficult to jam, because it does frequency hopping.

One of the key BL security is frequency hopping.

Hedy Lamarr invented the bluetooth frequency hopping.

For example your keyboard has bluetooth and you crack the keyboards bluetooth security. Then you can send the keystrokes to the computer remotely. If you send keystrokes, you control the device.

Bluetooth classic

• It operates at 2.4GHz ISM

• It uses 79 channels, each spaced by 1MHz apart, ranging from 2402MHz to 2480MHz

• Typical range - up to 100 meters

• Each Bluetooth device has a unique 48-bit address (BD_ADDR)

• It consumes more power than BLE (Bluetooth Low Energy)

Bluetooth BLE

It operates in 2.4GHz ISM band. It uses 40 2-MHz channels. Typical range up to 50 meters

• It allows devices to work for months or even years with a small battery. Device only wakes up when it is needed.

• It supports 2 types of communication - device to device and broadcast-based.

• Key protocols are GATT (Generic Attribute Profile) and GAP (Generic Access Profile)

• It is not compatible with Bluetooth classic. Usually devices has both, BLE and Bluetooth Classic.

• BLE is ideal for IoT.

Mesh

Possibly Mesh networking will be the future.

Outro

It was really interesting to dive into these technologies. I’ve used some Linux tools, I’ve purchased some HW for the tasks.

Security of these technologies is really important. It is a great challenge, but with great challenges comes the best experience and lessons.

As always I’d like to give a big credit to Master OTW. I really like his learning style. If you want to dive deeper into IoT hacking. Check out OTW course on Hackers-Arise.

When I was learning cybersecurity topics in the past year, I’ve grasped lots of different tools and techniques.

Some of the most iconic for me were:

1. CAN BUS (controller area network)

2. Radio Frequency

3. Cryptography

I was lucky to have an opportunity to learn from OTW books. I really like his learning style.

Anyway, when I was studying, one thing seriously caught my attention and I knew that I will try to build it - Honeypot.

I was surprised that this method is actually in use to defend against “bad guys”.

Homelab begins

I wanted to build honeypot, for that i needed HW (aka Homelab). That’s when I decide to analyze what kind of HW I need.

I’ve already had Raspberry Pi 3B, it’s a decent micro computer for some tasks. I needed some networking hardware.

I bought MikroTik router and TP-Link 8 ports switch. I also had to buy few ethernet cables.

Having your own router is a good option to legally break network. You can test your Wi-Fi breaking skills and experiment with different configurations.

Gear used

TP-Link TL-SG108E Gigabit Switch

Mikrotik hAP ac2

Raspberry Pi 3b

Honey Pot

It took me some time to finally try to build a honeypot. Life happens as the old saying says.

So yeah, I began to dive deeper, to plan, to make a schema on how it should look like. I was thinking on how can I scale it in the future.

First lesson

When I’ve connected the Ethernet wires and I’ve tried to connect to the Switch admin panel I’ve got some difficulties. After about 30 minutes I’ve found out that I cannot connect to the Switch, because my ISP router blocks the connection and the craziest thing is that ISP router is also a TP-Link, so the admin login page looks the same.

It is only one lesson which I had. There were many others.

Here’s the schema of my current home lab:

Current phase

Now I have software set up on my Raspberry. I also have VLAN configured in the Switch for the honeypot.

Problems that I’m solving now:

1. Making Mikrotik to act as a separate router, not to be on the same subnet as my ISP router. I already found the way to do it. Using mactelnet I can connect to the Mikrotik using it’s MAC address. Then I have full admin privilege for the router.

2. Before turning the honeypot on, I want to make sure to keep my anonymity, because let’s be real. I will open the doors for all hackers around the world. I’m thinking that maybe I could rent a place somewhere to keep the home lab running.

Vision for later

1. After the successful launch, I’m planning to set up a log management system. Possible options are:

   1. ELK / OpenSearch

   2. Graylog / Loki + Grafana

2. For alerts and SIEM I’m thinking to try Wazuh.

Now I’m diving deep into the TCP/IP. I have physical Charles M. Kozierok TCP/IP guide. That knowledge will let me understand on how the process works from the smallest technical details and why things break.

Outro

I learn new thing every experiment session that I have.

I remember one guy who told me - “why do you need physical lab? Just use virtual machines”. The answer is - physical lab gives you the real feel on how the set up happens. For example that case where the ISP router blocked the access to the Mikrotik router was really surprising. If you’d use virtual machines, you wouldn’t get these surprising scenarios.

So yeah, It is kind of an intro blog post about my home lab. For sure there will be other updates about the process.

Cheers and have a wonderful Christmas and a happy new year!

It is one of the most important parts of Penetration Testing process.

It is identifying all of the ways we could attack a target. We must do our best in this phase.

Long story short - enumeration is collecting as much information as possible.

NMAP

Nmap is for scanning, mapping, detecting and analyzing networks. Talking about technical sides, this is how for example TCP-SYN(-sS) scan works:

• If our target sends a SYN-ACK flagged packet back to us, Nmap detects that the port is open.

• If the target responds with an RST flagged packet, it is an indicator that the port is closed.

• If Nmap does not receive a packet back, it will display it as filtered. Depending on the firewall configuration, certain packets may be dropped or ignored by the firewall.

• The most effective host discovery method is to use ICMP echo requests

• Scan may not work because of the firewall. Later on we’ll check how to evade firewall and IDS/IPS.

• The Connect scan (Full TCP Connect scan) is one of the least stealthy techniques, as it fully establishes a connection, which creates logs on most systems and is easily detected by modern IDS/IPS solutions.

There are 6 states that we can obtain from a NMAP scan:

Output formats

We can save nmap outputs in many different formats:

• Normal output (-oN) with the .nmap file extension

• Grepable output (-oG) with the .gnmap file extension

• XML output (-oX) with the .xml file extension

• Save the results in all formats -oA

With the XML output, we can easily create HTML reports that are easy to read, even for non-technical people. This is later very useful for documentation, as it presents our results in a detailed and clear way.

To convert the stored results from XML format to HTML, we can use the tool xsltproc.

Service enumeration

It is really important to determine the application and its version as accurately as possible. We can use this information to scan for known vulnerabilities and analyze the source code for that version if we find it.

This information can help us to search for a more precise exploit that fits the service and the operating system of our target.

Quick port scan is a good way to do it, because if we do more sophisticated scans, IDS can spot us and block out our IP.

sudo nmap IP_ADDRESS_TO_SCAN -p- -sV

-p- - scans all of the ports

-sV - gives us the versions of services

I bet you like to see progress happening. To do this, we can write use —stats-every option.

Scripting in NMAP

There’s a possibility to use scripting in nmap. There are a total of 14 categories into which these scripts can be divided:

So these are the categories of the scripts. There are scripts by themselves. For example a really useful script is http-enum. It enumerates directories used by popular web applications and servers.

Performance of scanning

Sometimes network is big, very big. So we need to scan for useful information as fast as possible. There are few options which helps to complete the scan faster.

We can use various options:

• how fast (-T <0-5>),

• with which frequency (--min-parallelism <number>),

• which timeouts (--max-rtt-timeout <time>) the test packets should have

• how many packets should be sent simultaneously (--min-rate <number>)

• the number of retries (--max-retries <number>) for the scanned ports the targets should be scanned.

Timeouts

For a packet to travel, it takes time. Round-Trip-Time - RTT.

Generally, Nmap starts with a high timeout (--min-RTT-timeout) of 100ms.

We can make a scan with adjusted RTT options:

sudo nmap 10.X.X.X/24 -F --initial-rtt-timeout 50ms --max-rtt-timeout 100ms

Of course be careful. If we set the initial RTT timeout too short, we can overlook some useful info.

Max Retries

Another way to increase scan speed is by specifying the retry rate of sent packets (--max-retries). The default value is 10, which is pretty much. We can set it to 2 or even 0 so after not receiving a response from a port, nmap will go to another port.

Example would look like this:
sudo nmap 10.X.X.X/24 -F --max-retries 0

Again, like with the timeouts, keep in mind that by making the retries lower, we risk to overlook valuable information about our target.

Rates

When setting the minimum rate (--min-rate <number>) for sending packets, we tell Nmap to simultaneously send the specified number of packets. It will attempt to maintain the rate accordingly.

This method also can save you time when scanning with nmap.

Timing

The default timing template used when we have defined nothing else is the normal (-T 3).

We have 6 different timing templates in NMAP:

• -T 0 / -T paranoid

• -T 1 / -T sneaky

• -T 2 / -T polite

• -T 3 / -T normal

• -T 4 / -T aggressive

• -T 5 / -T insane

We can find more detailed information about templates in nmap documentation.

Thoughts after the module

Nmap is indeed a very powerful tool. I was thinking about Nmap as a simple scanning tool, I was using it for basic scanning of the targets, to find open ports which I can invite myself inside.

After this module I see that scripts gets nmap to the whole new level. We can find lots of information using scripts.

I have a vision to dive deep into the TCP/IP and I see that the knowledge I’ll gain will be priceless when using tools such as nmap.

After practical rooms I’ve learned that curl is also useful for getting info from certain files on the web.

I’m also surprised how easy it is to adapt the nmap performance by your needs. You can cut the scanning time by half easily using some of the performance and timing options.

OUTRO

On the next blog post we’ll see how to avoid IPS/IDS and Firewalls with nmap.

Nmap makes some network traffic which, if not controlled, Firewalls can capture and block us.

See ya later!

• During any penetration testing exercise, it is likely that we will need to transfer files to the remote server.

There are few options for this:

• One method is running a Python HTTP server on our machine and then using wget or cURL to download the file on the remote host.

• Another method to transfer files would be using scp

• When there are firewall protection we can use Base64 encoding/decoding

• To validate that the transfer was successful, we can check the hash value on the target machine and on our machine with md5sum <file>.

Vulnerable Machines and Applications

Here’s a list of vulnerable machines/apps that are safe to train on:

Blog

Good blog to visit from time to time is - https://0xdf.gitlab.io/

Websites to train Windows Powershell and Linux Terminal

Worth checking - Under The Wire and Over The Wire. You can also train Bash and Powershell scripts here.

Types of Pentesting

There are 3 main types of pentesting

• It is essential to get in the habit of taking extensive notes and saving all console output early on. The better we get at this while practicing, the more second nature it will become when on real-world engagements. Proper notetaking is critical for us as penetration testers and will significantly speed up the reporting process and ensure no evidence is lost.

Reverse shell cheat sheets

• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

• https://highon.coffee/blog/reverse-shell-cheat-sheet/

Thoughts after practical exercises

Process of gathering flag by the user and root was really cool. I saw the importance of OSINT. I’ve found the password to the admin user of the wordpress dashboard. All of the process looked something like this:

• OSINT

• System enumeration to find sub-urls and users.

• Login to admin account

• Check plugins which are used for the site

• Find an exploit which would work with one of the plugins

• Create malicious PHP payload.

• Import PHP payload to the vulnerable MyImages plugin. It does not care if you upload a jpg, pdf or php.

• With malicious code uploaded we can open reverse shell while listening on netcat

• We’re in, but it is not comfortable to use plain web terminal, so we shall “summon” bash with python.

• Locate what version of python is being used

• Spawn the bash with python3 -c 'import pty; pty.spawn("/bin/bash")'

• You’re in.

OUTRO

Let’s learn more tools. Follow my blog for more.

Try to learn one new thing everyday.

• Once we gain initial access to a box, we want to thoroughly enumerate the box to find any potential vulnerabilities we can exploit to achieve a higher privilege level.

• There are checklists for privilege escalation online. A good place is HackTricks.

There are some scripts for Linux and Windows Enumeration:

Linux:

• LinEnum

• linuxprivchecker

Windows:

• Seatbelt

• JAWS

For server enumeration we could use Privilege Escalation Awesome Scripts Suite (PEASS).:

• PEASS is a good place which is maintained and includes scripts for Windows And Linux

We could also check Vulnerable Software with commands like:

• dpkg -l or to check Program Files in windows.

• To check what commands we can do as super users we can type - sudo -l

• To switch to the root user we can type sudo su . By the way, su stands for super user.

• We can exploit via sudo privileges. A good place to see what kind of commands can work with sudo is GTFOBins

• For windows there’s a list of programs that we can exploit too. LOLBAS is the place to look.

Scheduled Tasks

• We can schedule a task

• If we can write to a directory called by a cron job, we can write a bash script with a reverse shell command, which should send us a reverse shell when executed.

• Directories where we should write scheduled tasks are:

  • /etc/crontab

  • /etc/cron.d

  • /var/spool/cron/crontabs/root

Thoughts after privilege escalation room in HTB

Privilege escalation is very important and very powerful part. When I was trying to escalate my privileges to another user it took some thought process. Very useful command is sudo -l. You can see what privileges as a super user you have.

Also a good method is to check the system info with uname -a.

Another method is to check installed packages on the system with dpkg -l. You can search for the “holes” in the packages with a tool like GTFOBins.

I’ve managed to get both flags, as a different user and as a root. It was also an interesting method to connect with ssh id_rsa.

OUTRO

Learn one new thing everyday and you will be armed with knowledge in the future.

See ya in the next blog posts.

Shout out to HTB for making learning Cyber Security so interactive, challenging and fun.

• Notepad++

• GitBook (has fetures to host a page or make wiki page)

• Cherrytree

• Evernote

• Sublime Text

• Notion

• Visual Studio Code

It is important to make sure that any client data is only stored locally and not synced to the cloud if using one of these tools on real-world assessments.

Every infosec professional should maintain a knowledge base.

Start early with documentation.

• Usage of a VPN service does not guarantee anonymity or privacy but is useful for bypassing certain network/firewall restrictions or when connected to a possible hostile network

Services

• There are some really useful NMAP scripts for use. They are located at:

  •     /usr/share/nmap/scripts/
    

    Syntax for using NMAP scripts is:

  • nmap --script <script name> -p<port> <host>

• A good tool for bruteforcing community string names is onesixtyone.

Web Services

• To find hidden files or directories on the webserver that are not intended for public access we can use these tools:

  • ffuf

  • GoBuster

  • whatweb

  • curl - it is also important to be familiar with curl usage methods

• It is important to get familiar with HTTP status codes. We can find them here

Shells

• Reverse Shell is the most common type of shell.

• Web shell is typically a web script like PHP or ASPX that accepts our command through HTTP request.

• A great benefit of a web shell is that it would bypass any firewall restriction in place, as it will not open a new connection on a port but run on the web port on 80 or 443, or whatever port the web application is using.

• Another great benefit is that if the compromised host is rebooted, the web shell would still be in place, and we can access it and get command execution without exploiting the remote host again.

Risk management process can help:

Main goal is to maintain CIA triad.

• A deep understanding of the risk management process is critical for anyone starting in information security.

• It is essential to prioritize clear and accurate documentation from the very beginning.

Proof of Concept (PoC) or Proof of Principle is a project management term. In project management, it serves as proof that a project is feasible in principle.

• We confirm discovered vulnerabilities.

• We prepare steps that shows the vulnerability to the owner

• However, there is one significant disadvantage that has occurred from time to time. Once the administrators and developers have received such a script from us, it is easy for them to "fight" against our script. They focus on changing the systems so that the script we created no longer works.

• For example, if a user uses the password Password123, the underlying vulnerability is not the password but the password policy. It can mean that there’s a problem in the organization. No strong password policy.

Post-Engagement

• We have Pre-Engagement in the beginning and Post-Engagement at the end.

Cleanup

• After we’re done we need to perform a cleanup.

  • Delete Tools

  • Delete scripts

  • Revert configuration changes

• We should have detailed notes of our activities so it will be easier to cleanup later.

• If there are places where we cannot visit to delete scripts, we need to inform client about those places.

• We should also document the cleanup process.

Documentation and Reporting

• Before ending the process completely we must prepare adequate documentation for all findings that we plan to include in our report.

• We need top include:

  • Command outputs

  • Screenshots

  • List of affected hosts

• We can’t keep any PII (Personal Identifiable Information)

• We can’t keep incriminating info or other sensitive data we came across throughout testing.

Our Report should consist of the following:

• An attack chain (in the event of full internal compromise or external to internal access) detailing steps taken to achieve compromise

• A strong executive summary that a non-technical audience can understand

• Detailed findings specific to the client's environment that include a risk rating, finding impact, remediation recommendations, and high-quality external references related to the issue

• Adequate steps to reproduce each finding so the team responsible for remediation can understand and test the issue while putting fixes in place

• Near, medium, and long-term recommendations specific to the environment

• Appendices which include information such as the target scope, OSINT data (if relevant to the engagement), password cracking analysis (if relevant), discovered ports/services, compromised hosts, compromised accounts, files transferred to client-owned systems, any account creation/system modifications, an Active Directory security analysis (if relevant), relevant scan data/supplementary documentation, and any other information necessary to explain a specific finding or recommendation further

We create a draft report until and later on we modify it by adding answers to client questions.

Report Review Meeting

Here after client receives a Report, we sit and talk about the results of our assessment. There can also be involved other team members of the company.

This is the meeting where there will be questions from the client.

Sometimes clients come with the list of questions about specific findings.

Post-Remediation Testing

Most engagements include post remediation testing as part of the project’s total cost.

• We will need to reaccess the target environment and test each issue to ensure it was appropriately remediated.

• We will issue a post-remediation report such as:

We should not be implementing changes ourselves or even giving precise remediation advice (i.e., for SQL Injection, we may say "sanitize user input" but not give the client a rewritten piece of code). This will help maintain the assessment's integrity and not introduce any potential conflict of interest into the process.

Data Retention

• We should retain evidence for some time after the penetration test in case questions arise about specific findings or to assist with retesting "closed" findings after the client has performed remediation activities.

• Any data retained after the assessment should be stored in a secure location owned and controlled by the firm and encrypted at rest.

• All data should be wiped from tester systems at the conclusion of an assessment.

Close Out

Once we have delivered the final report, assisted the client with questions regarding remediation, and performed post-remediation testing/issued a new report, we can finally close the project.

• Any artifacts leftover from the engagement are stored securely (encrypted)

• The final steps would be invoicing the client and collecting payment for services rendered.

• As we continually grow our technical skillset, we should always look for ways to improve our soft skills and become more well-rounded professional consultants. In the end, the client will usually remember interactions during the assessment, communication, and how they were treated/valued by the firm they engage.

Practice

• All the theories in the world will be of no use to us if we cannot transfer them into practice and apply our knowledge to real-world, hands-on situations.

• Technical skills are only half the battle, however. We also need excellent written and verbal communication skills to be effective penetration testers.

• Have a friend or teammate act as a fictitious customer. Use that time to practice asking your initial scoping questions and defining the pentest you expect to deliver.

• Penetration testing is fun. What some people may find boring, however, is an essential part: thorough documentation and strong reporting skills.

• A client won't be able to do much with a vague two-page report.

• That being said, if our presentation is sloppy and the report is difficult to follow or does not go in-depth on vulnerability reproduction steps and give clear remediation recommendations, or the executive summary is poorly written, our hard work will not be well-received.

• Take notes while learning and while doing labs. These notes will be valuable as we move along in our careers.

• We also need to learn how to write a non-technical documentation for non technical people. We also need to learn how to keep the quality and concise.

It’s a phase where we gather all available information about the company.

This is the phase which we return to multiple times.

OSINT

Open source intelligence is a great way to gather lots of information.

Pilaging is also one of the really important parts.

Vulnerability Assessment

During this phase we examine and analyze the information gathered during information gathering phase.

There are four types of analysis:

• If we have to test covertly and avoid alerts, we should mirror the target system locally as precisely as possible.

• Suppose we are unable to detect or identify potential vulnerabilities from our analysis. In that case, we will return to the Information Gathering stage and look for more in-depth information than we have gathered so far.

Exploitation

• We must prioritize possible attacks.

• There are methodologies like CVSS Scoring for this.

  • We calculate the probability of seccess.

Example of CVSS:

Post Exploitation

• This is the stage aims to obtain sensitive and security-relevant information.

• In most cases we need higher privileges than a standard user.

• This stage includes the following components:

  • Evasive Testing

    • If a skilled administrator monitors the systems, any change or even a single command could trigger an alarm that will give us away.

    • We can provide value to the client in this situation by still writing up an entire attack chain and helping them identify gaps in their monitoring and processes where they did not notice our actions.

    • Perhaps we did not thoroughly test a payload, or we got careless and ran a command such as net user or whoami that is often monitored by EDR systems and flagged as anomalous activity.

  • Information Gathering

    • Since we have new perspective about the system and the network, we need again gather as much information as possible

    • We also do Vulnerability Assessment here with new information

  • Pillaging

    • Pillaging is the stage where we examine the role of the host in the corporate network. We analyze the network configurations.

    • Some parts are:

      • | Interfaces | Routing | DNS | | --- | --- | --- | | ARP | Services | VPN | | IP Subnets | Shares | Network Traffic |

      • It helps us to understand how different parts of the systems communicate

  • Vulnerability Assessment

    • We can maintain access and we can use information about the system to repeat Vuln Assessment stage, but this time from inside the system.

• Privilege Escalation

  • The goal is to get the highest possible privileges on the system or domain.

  • If we have root privileges there are many doors open for us

• Persistence

  • Once we have an overview of the system, our immediate next step is maintaining access to the exploited host.

  • We need a back door in other words

  • This step is essential and often used as the first step before the Information Gathering and Pillaging stages.

• Data Exfiltration

  • During the Information Gathering and Pillaging stage, we will often be able to find personal information and customer data.

  • Many companies use encryption on the disks.

  • Important point about exfiltrating information is to write fake card number, change it, so that we do not hold the real sensitive information and we wont be responsible for any live sensitive data.

Outro

Thanks to HTB Academy for opportunity to learn.

It’s also a stage where we communicate with our client. We ask what needs does he have. After that we make a Kick-Off meeting.

To start any of the process you need to first sign Non-Disclosure Agreement (NDA).

We must know who in the company is permitted to contract us for a penetration test. There can be employees who wants to do sabotage against the company that they work for.

There are some documents that we need to prepare:

These documents should be reviewed by a lawyer after preparation.

We also need to be sure that we can deliver the assessment our client requires.

Here’s a list of questions that are worth of being asked:

Final question to ask is what kind of pentest it will be - black box, grey box or white box?

This information is important for us to determine the timeline.

After that we prepare a Scoping Document.

Pre-Engagement Meeting

This meeting discusses all relevant and essential components with our customer before the penetration test. We explain them to our customer.

This phase typically occurs via e-mail and during an online conference call or in-person meeting.

We may encounter clients during our career that are undergoing their first ever penetration test, or the direct client PoC (Proof Of Concept) is not familiar with the process. It is not uncommon to use part of the pre-engagement meeting to review the scoping questionnaire either in part or step-by-step.

Other important parts

• It is important to get written agreements from third parties that they are aware of the penetration test happening

• It’s also important to determine Limitations and restrictions.

• We must prioritize our client’s wishes. Don’t do more than our client wants.

Rules of Engagement

Here’s a check list for the Rules of Engagement:

• We must also inform our customers about potential risks during a penetration test

• We must say that customers must contact us immediately if the penetration test performed negatively impacts their network.

• Explaining process demonstrates our professional approach.

Contractors Agreement

If pentest is also physcial, different kind of laws apply here. We need to sign another agreement as “get out of jail for free” card.

Here’s a checklist:

Outro

I’m learning for a HTB CPTS certificate. Information that you’ve read is my knowledge base for the future.

I invite you to check Hack The Box for amazing courses and challenges.

Penetration testing process

• There’s no step by step process in pentesting. There are stages.

• Each stage builds on the other

Stages of the Penetration Testing:

1. Pre-engagement

   1. It’s a stage for educating the client and adjusting the contract

      1. NDA, Goals, Scope, TIme estimation, Rules of Engagement

2. Information gathering

   1. Describes how to obtain information about the necessary components in various ways.

   2. Looking for potential security gaps

3. Vulnerability Assessment

   1. We analyze results from our Information Gathering stage

   2. We look for knows vulnerabilities in the systems

4. Exploitation

   1. We use the results to test our attacks against the potential vectors.

   2. We try to gain initial access to the systems.

5. Post-Exploitation

   1. At this stage we have access to the exploited machine.

   2. We may try to escalate our privileges to obtain the highest possible rights.

   3. We may hunt for sensitive data. For example credentials or other data.

6. Lateral Movement

   1. It describes movement within the internal network of our target company.

7. Proof-of-Concept

   1. In this stage we document the steps we took to achieve network compromise.

   2. It is important do document our finding well, because company then can fix those gaps and they see the importance of every vulnerability fix.

   3. We prove that the vulnerabilities exist.

8. Post-engagement

   1. Detailed documentation is prepared now.

   2. We clean up all traces of our actions on all hosts and servers.

   3. We create the deliverables for our client.

   4. Report walkthrough meeting is set up.

In the next article we’ll look at teach of the stages in detail.

This is the day where I can introduce myself as a Certified Security Specialist. It was kind of a journey I’d say. Not only because of the certification itself, but because of the broader picture that I see after using many learning resources. I’d say that this journey was Security+++ and it is only a beginning. I’m so excited. I’d say that I had two semesters in my journey. Let’s dive deeper:

Vision when starting?

Before starting my cyber transition journey I had a vision to dive deeper. Not only into the Security+ (which itself is kind of a broad cert).

First of all I wanted to dive deeper into Linux. I was using it for a few years before, but I wanted to understand it more deeply. The possibilities on Linux OS is endless.

After that I wanted to understand Network, which is a very important topic in a context of Cyber Security.

After Network I wanted to understand tools and techniques which are used in Cyber Security world (not all of them, but at least the most popular).

Important part about my journey is that I’ve used Physical Books. I’ve bought them and I have them as a cheat sheets.

FIRST SEMESTER

Linux Basics for Hackers

This book was very fun and interesting. I really love how Master OTW writes. Real world examples, history of computers and stuff like that. I really enjoyed tasks after every chapter. It gave me lots of practical skills and understanding about Linux OS.

Network Basics for Hackers

I really wanted to dive into this book even before the Linux basics, because I felt that this book has some really really important part of IT in general. It was really rich with content about Internet and Networks in general. It was really interesting to do practice tasks. I bough Alpha external NIC with capability of Monitor mode. Scanning networks and seeing that there are still networks “protected” with WPS was kind of disappointing. With nowadays computing power brute forcing WPS takes few hours.

I want to clarify that I was not cracking Wi-Fis, only scanning them from outside.

Getting Started Becoming a Master Hacker

This book was kind of a desert. I had a grasp on different tools. I had a really interesting dive into the history of Hacks and cyber security in general. I really enjoyed this book. Lots of hands on practice tasks.

What surprised me?

There was few topics that really surprised me.

One of them is RF (Radio Frequencies). It is soooo powerful and important. Long story short - everything is Radio. Wi-Fi, Bluetooth, GPS, GSM.

Other topic was CAN (Controller Area Network). In other words - vehicles networks. How does everything work in a vehicle. I understood how thieves are stealing vehicles and how once again RF is doing a big part in this field. It was really interesting to do a practice tasks with CAN simulator. You can literally tell a vehicle to open all of the doors and accelerate to 100km/h via terminal.

SHORT BREAK

I think it is really important to give yourself time after learning big piece of information. Good sleep is your friend.

SECOND SEMESTER

After a break it was time to learn for the Security+ exam.

Hackers-Arise Boot-camp

First part was a boot-camp by Master OTW on Hackers-Arise. As mentioned before, OTW is a really good teacher. I like that he was teaching not only the topics of exam, but he also gave real world examples of the stuff that he was teaching.

Professor Messer

After that I wanted to dive into dry theory and mark all of the topics that I felt weak after Hackers-Arise boot-camp. Professor Messer is a great resource.

Boson practice exams

I think one of the most important resource was Boson Simulation Exams. A really really good resource for studying and feeling how the exam looks like and how does the questions are formulated.

Acronyms

This was a tough part. There are 300+ possible acronyms in the Securtiy+ exam. First I was just grinding them, but after that I was doing other technique. I was studying the topics and trying to understand the process of different technologies (acronyms) and then they’ve just clicked.

Outro

Well, I could talk and write about this journey, but it is only a beginning. I am really excited for the upcoming projects. One of them is physical lab for a deeper dive into the Network, Firewall configuration, logging and important parts of Cyber Security.

Believe in yourself and you can do anything!

CREDITS

Huge credits and a big thank you to the Master OTW.

Thanks to the Professor Messer

A big thank you to Benjamin - my support and mastermind when times are difficult:

End of first year. Stay tuned for the future.

Let’s jump into next day of preparing for SEC+.

Before beginning I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he describes concepts of various topics. Real professional.

You can purchase Security+ SY0-701 boot camp here

Digital Forensics and Incident Response (DFIR)

There are many types of Forensics:

• Log forensics

• Registry Forensics

Important steps

• Record any time offset

  • It is always best to use a good time server (NTP)

  • It is really important to have the same time set on every device, because then you can make a timeline of event

  • Encrypt hashes with private key (signing). If it is hashed, then you cannot change stuff, because the hash will change.

EDiscovery

• EDiscovery or EEvidence

• Always start with the most volatile evidence first

  • Cache would be the most volatile

  • Then you could attempt to extract data in RAM

• Take photograph

• Always make a copy of evidence

• Avoid contaminating the original evidence

• Hard drive will be copied bit by bit (dd command in Linux)

  • To capture deleted files, you must have a bit by bit copy of a hard-drive

• Do not use simple OS tools

  • They do not make forensically sound copies

Chain of custody

Before doing a forensics procedure, always copy the hash instantly.

• Always think it might be presented in court, be careful

• Identification, collection, preservation, present in court

First responders in a DF (Digital Forensics) case

• First responder is really important

• Could be a system or network admin

• Attempt to find the root causes

• Has to be prepared and his actions should be planned

  • Usually has a first responder toolkit

• Before you touch anything, take photographs on how it looked before touching anything.

Damage and loss control

• Preparation

  • Produce policies

• Identification

• Containment

  • Make sure that attacker cannot move further

• Eradication

• Recovery

• Lesson Learned

Reporting

• Breach law may affect you

• Could affect your reputation

It is really important to tell if you got hacked as an organization because it can save other companies. Usually hacks happen as domino effect in organizations.

Cross Border Issues

• Jurisdiction is a large problem

• Where do we prosecute from?

  • If for example crime happened in Russia, through 5 different countries

• Cross Border issues also applies to people and other data

  • Beware if you travel with hacking tools

  • Beware if you have international locations

  • Beware if you travel oversea with strong crypto tools

• If you have laptop with Kali installed, you can become a suspect in some countries.

• You can get laptop with KALI confiscated in some countries. It really happens

Awareness Training

It is security awareness for end users. You cannot protect other people, but you can make them aware of what possible threats there are.

Awareness should include

User habits such as:

• Passwords

• Data handling

• Clean Desk policies

• Personally owned devices

Modify employee behavior and improve attitudes towards information security.

Threat awareness:

• New viruses

• Phishing attacks

• Social Network Dangers

Educate your users!

Easiest target

• Easiest target is usually between the chair and the desk

• Beware of insider threats

  • There is no patch for human stupidity

  • Never underestimate stupidity

  • Users are easily predictable

MOST EFFECTIVE WEAPONS ARE:

Awareness, Training, Education, Policies

Data Classification

• Allow the identification of sensitive or classified data

• Each classification has its own protection requirements

• Subject must have proper security clearance

• Usually based on Mandatory Access Control (MAC)

Data Classification Process

Classification is based on these topics:

• Value of data

• Sensitivity and value of the information

• Decide on Controls

Classification Criteria

• Usefulness of data

• Value

• Age

• The level of damage that could be caused

• Effects the data has on national security

• Who should be accessing this data?

Process

• Identify Data Owner

• Identify Data Custodian (person who will be responsible for the data)

• Develop the classification criteria based on CIA

• Define Controls

• Define Document exceptions

• Document how to transfer custody of the data

• Declassification procedures

• Security awareness program

Classification Issues

• Large problem is that data gets classified but it does not get declassified

• Usually forgotten about

• People loose trust in data classification

Awareness and Training

• Train users on proper usage of classification

• Attempt to keep it simple

• If it is too complex, it will not be in use

• KISS principle applies everywhere

Compliance with laws

• Be familiar with the law

• Be aware of local and national laws

Retention Policies

• You must develop Retention Policies

  • What will be kept

  • Where it will be kept

  • For how long will it be kept

  • Who and Where will it be kept

• Storage devices degrade

Business Continuity Plan (BCP) & Disaster Recovery Plan (DRP)

Objectives

• Business Impact Analysis

• Risk Management

• Selecting, developing, testing and implementing recovery plans

• Roles and responsibilities

• Backup and offsite facilities

BCP

It ensures that your organization is still running. All of the processes still does their job.

• Think on what happens to business if disaster happens

• It can affect your

  • Reputation

  • Operations

  • Market Position

Roles and Responsibilities

Senior Executives:

• Consistent support and final approval of plans (will be in exam)

• Setting the business continuity policy

• Prioritizing critical business functions

• Allocating sufficient resources and personnel

• Providing oversight for and approving the BCP

Senior functional management:

• Develop and document maintenance and testing strategy

• Identify and prioritize mission-critical systems

• Monitor progress of plan development

• Monitor progress of plan execution

Mean time to repair (MTTR) and Mean time between failure (MTBF)

MTTR

• Average time needed to repair a failure

• Ability to recover quickly from a failure

• Spare equipment could be useful

MTBF

Hardrives usually have MTBF value. They test it when producing and then write how long the hardware will last.

• Average time between each failure

• Amount of failure

Uninterruptible Power Supply (UPS) [BATTERY]

• Computers are connected to the UPS

• Usually a large room with batteries

• Must have two power inverter

Standby UPS:

• Smaller UPS model

• Provide energy when a power failure happen

• Must consider size versus total load

Backup generator

Some organizations such as hospitals have backup energy generators

Some key points:

• It is essential for long term interruption

• Large data centers uses these things

• Must gave fuel supply for a month

• Must be of proper size

• It should be tested regularly

Single point of failure

• Avoid any single point of failure

  • It includes UTM (Unified Threat managemenet).

• Redundant network connections

• Redundant server for critical services

• Spare equipment

  • Hard drive

  • Router

  • Switches

RAID (ALWAYS ON EXAM)

• Redundant array of independent disks

• Redundant array of inexpensive disks

• HARD DRIVES ARE THE WEAKEST LINK IN BUSINESS

• Goals could be:

  • Increase of speed on read and write

RAID-0 - striped disk array without fault tolerance

RAID-1 - Mirroring & Duplexing

RAID-5 - Block-level striping and distributed parity

RAID-6 - Block-level striping and dual parity - can sustain the loss of two disks

RAID-10 - Combo RAID-1 + RAID-0

Business Impact Analysis (BIA)

• Helps identify and prioritize information systems

• Determine mission/business functions

• Determine recovery criticality

• Identify resource requirements

• Allow you to research other disasters

Tests & Recovery Exercises

• Checlist Test

• Structured Walk through Test

  • This one is really good. It’s best remembered

• Simulation Test

• Parallel Test

• Full Interruption Test

Hot, Warm, Cold sites

• Can be owned or rented

• Choice is driven by Maximum Tolerable Downtime (MTD)

• Choice is also driven by money losses per minute

OUTRO

Time flies. It was final section of the boot camp. It’s a very good feeling when you understand that the first journey of cybersecurity is close to finish.

Of course in cybersecurity learning never ends. I’m okay with that never ending learning journey and I can’t wait to meet all of the challenges that are waiting in this field.

What’s next?

Now I’ll start taking practice exams @Boson that I’ve purchased. I’ll start with Security+ 601, and after some additional final studying steps I’ll try the 701 practice exam (I have 2 practice exams available).

After that I’ll buy entry to the real CompTIA Security+ exam.

Keep following for thoughts about my experience in this final phase of my journey.

Once again, I’d like to say a BIG thank you to Master Occupy The Web. I love his teaching style. To see more courses of his, visit Hackers-Arise.

Have a good one!

Let’s jump into next day of preparing for SEC+.

Before beginning I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he describes concepts of various topics. Real professional.

You can purchase Security+ SY0-701 boot camp here

Risk Management

Threat and risk analysis (TaR)

• Minimizing risks

• What are the steps

• Likelihood versus impact

• SLE, ALE, ARO

• Managing risks

• Delphi method

• Methodologies

Governance

• Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives.

• Information security is not only a technical issue .

• For information security to be effective, it requires the active engagement of executive management. (could be a question)

Risk & Risk management

• Risk is the probability of something happening. If you ever gambled, you know what is a probability.

• What is acceptable level of probability?

• Information Security (IS)

Categories of Risk

• Man Made

• Weather related

• Physical damage

• Human error

• Inside and outside attacks

• Power Failure

• Application error

Asset & Information Value

• Establishing asset value

• Assign Quantitative value

  • Real and meaningful values

• Assign Qualitative value

  • Subjective rating

  • Can be low, medium, high

Techniques to Minimize Risks (will be in exam)

• Mandatory Vacation - workers must go on vacation regularly

  • A detective mechanism

  • The new person might found out about anomalies such as:

    • Scripts being schedule to run at regular intervals

    • Illegal usage of company resources

    • Script extracting data from the database

• Job Rotation

  • New employee may see something is wrong

  • Mostly done in DoD and government agencies

  • Not very common in commercial companies

  • Should be combined with mandatory vacation

• Separation of Duties (SoD)

  • A method of enforcing security

  • One person cannot complete a critical task

• Least Privilege

  • Applies to processes and users

Qualitative Approach

• Scenario based technique, it includes:

  • Brainstorming

    • Invite greatest minds in your company and just let them talk and brainstorm

  • Story boarding

  • Focus groups

  • Surveys

  • Questionnaires & Checklist

Quantitative Approach

Steps:

• Assign value to information and assets

• Estimate potential loss per risk

• Perform a threat analysis

• Derive the overall loss potential per threat

• Reduce, assign, or accept the risk

Main risk management concepts

• Exposure Factor (EF)

  • Based on likelihood (PERCENTAGE) and impact (DOLLARS/EURO)

• Single Loss Expectancy (SLE)

  • Formula - Asset Value (AV) x Exposure Factor (EF)

• Annualized Rate of Occurrence (ARO) - hard to count

  • Estimated frequency a threat will occur within a year

• Annualized Loss Expectancy (ALE)

  • Formula is - SLE x ARO

Handling Risks

• Risks CAN NEVER BE TOTALLY ELIMINATED

  • There’s no risk free environment

• There are always some residual risks

• What can you do about the risks you have?

  • Transfer the risk (Buy insurance)

  • Reduce the risk

  • Reject/Ignore the risk

  • Accept the risk

Risk mitigation Strategies

• Implement controls based on risks

• Change Management

• Incident Management

• User rights and permission review

  • Do it periodically. Make sure that people doesn’t have more permissions than they need.

• Perform routine audits

Data Leakage & Fraud

Data leakage Protection (DLP)

Tools to prevent unauthorized persons from being able to take away confidential information

Real world examples of occurrences:

• The Swedish military forgot a USB drive in a library

• UK military forgot a laptop in a taxi

• Barack Obama got his campaign idea stolen

Do not send Credit card number in clear text!!! Any sensitive information.

How does DLP work?

• A user send an email with sensitive data

  • DLP analyzes it. If there’s a sensitive data it warns the user.

• User tries to save a file to a USB Flash Drive

  • DLP identifies that it is intellectual property and blocks it. Of course there are ways to bypass that.

Fraud Detection

• Look for obvious sign something is wrong

  • Governance is non existent

  • There is a lack of separation of duties

  • Management override internal controls

  • Environment is corrupted

What can i do?

• Develop strong policies and enforce them

• Develop a code of conduct for employees

• Have a mechanism to report suspicious activity

• Protect people who talk. Make them anonymous.

Let’s jump into next day of preparing for SEC+.

Before beginning I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he describes concepts of various topics. Real professional.

You can purchase Security+ SY0-701 boot camp here

About Security+

If you have this certification you say that you're serious about cyber security.

It’s challenging and very good for the beginning of career in cybersecurity.

Cloud Computing

• On-demand self-service

• Broad network access

  • Capabilities available over the network

• Resource pooling

  • Flexible

  • Good example is Amazon AWS

  • Location Independence - that means that you can access it from anywhere on the planet

  • Customer has no control of exact location of resources

  • Resources could be storage, processing, memory, network bandwidth and virtual machines.

• Rapid elasticity

  • In some cases automatically, to quickly scale out or in

  • Appears to be unlimited to the customer

• Measured service

  • They keep track on how many resources you use. It can be according to storage usage, processing usage, bandwidth usage and active user accounts

  • Metering is usually done using pay-per-use model.

  • Transparency is when you know exactly for what are you being charged. Usually cloud computing does that.

Thin client - it’s a standard computer. Laptop or PC.

SaaS (Software as a service) model (this topic is always in the exam)

• Software resides in the cloud. People can use it.

• Accessible through a thin client interface such as a browser.

PaaS (Platform as a service)

• Customer can deploy onto the cloud infrastructure

• Only compatible apps can be deployed

• Customer has control on application deployed

• Customer can control hosting environment configuration

Iaas (Infrastructure as a service)

• Similar to a dedicated server

• Customer can install an OS that he wants, also apps

• Customer does not control underlying cloud infrastructure

• May have limited control on network component

Providers has to offer:

• Facility

• Hardware

• Virtualized infrastructure

Deployment models (will be in exam)

• Private Cloud

  • For one company only

  • May be managed by company

• Community Cloud

  • Shared by multiple companies

  • Usually companies with shared concerns

  • May be managed by company

  • May be on premise or off premise

• Public Cloud

  • Cloud is made available to general public

  • Cloud is available to large industry group

  • Cloud is owned by the organization selling cloud services

  • Amazon EC2 is a good example

• Hybrid cloud

  • Composed of two or more clouds

  • Could be a mix of private, community, or public clouds

  • Each of the cloud are unique entities

Cloud computing advantages

• Qualified Staff

• Platform Strength

• Availability of resources

• Backup and Recovery

• Mobile Endpoints

• Data concentration

• Data Center and Cloud oriented

Also an advantage that if you get hacked, vendor of the cloud will pay you, it’s their responsibility to defend your structure. They did not protect you.

Disadvantages

• System complexity

• Shared Multi-Tenant environment

• Internet facing service

  • All of the things are done via the web.

• Loss of control

  • Lost control over physical aspects

  • Security and privacy can be a challenge

Infrastructure security

Authorization

• Access criteria

  • Roles, groups, location, time

  • Transaction types

• Default to no access - that means that in the beginning you have no access and the access is gathered only when a person needs it. You start with - nobody has access to everything.

  • Access is explicit

  • Access could be implicit as well

  • Must fail safe

• Fail safe in the logical context is no access

  • People have access ONLY if they need it for real. This is THE SAFEST MODEL TO BUILD ORGANIZATION.

• The Need to Know applies

• The principle of Least privilege applies as well

Hardening / Bastion Host

Hardening is a process to make the system “harder”. More secure.

• Disable Unnecessary Services

• Protecting Management Interfaces

• Default Passwords Removed

  • It’s a common method to get into the system

• Password Protection

  • NEVER STORE IN CLEAR TEXT

• PATCH

• Disabling unnecessary accounts

• Hardening the TCP/IP Stack

Why to do hardening?

• OS’s are very insecure out of the box

• Lower the amount risks

• Allow only what is needed for the system role

• Remove ALL non essential service

• Might require some trail and errors

• Will pay off in the long run

Turn off the service and see what breaks.

Checklist for saving time

• Based on a consensus of experts

• NIST has a National Checklist Program

• Security Content Automation Protocol (SCAP)

  • Checklist are being converted to SCAP

• Can be applied to a large range of Hardware(HW) and Software(SW)

Checklist are nice because you know what are the best practices. If something happens, you can say that you’ve followed best practices.

Do not reinvent the wheel

There are already some organizations who made checklists and needed information:

• The Center for Internet Security - non profit organization. Has many hardening models

• NIST

Hardware Security

• Cable locks

• Safe

• Locking Cabinet

• Vault

Host security on Mobile Devices

• Screen lock

• Strong password

• Device encryption

• Remote wiping/sanitation

• Voice Encryption

• GPS Tracking

• Virtualization for testing to avoid host infection

  • Good malware knows if you’re testing it in virtual system

Firewall Topics

• Rule Based Management

  • Keep it Simple

    • Less Rules you have, the easier it is

  • You must have security policies

  • Convert the policies to a security architecture

  • Ockham's Razor (RULE) - principal that the simplest explanation is the best explanation

  • Rule order will greatly affect performance

  • Comment your rules for others to understand

  • Backup your rule base & regularly audit

• ACL (Access Control List)

  • Should be as granular(fine) as possible

  • Drop unwanted packets instead of Rejecting

  • Beware of default global properties

  • Allow Admin access only from trusted IP’s

  • Give the attacker as little information as possible

  • Ensure logging is properly configured

  • Also check what’s leaving your network

• Types of Firewalls & Proxies

  • Personal firewall

    • Class of firewalls for users workstation

    • Offers protection from threats

    • Prevent inbound connections

    • Protects only one computer versus a network

    • Can provide integrity checking mechanisms

    • Allow for very detailed rule base to be created

    • Should be part of your baseline requirements

  • Generations of enterprise firewalls

    • First is Packet filters

    • Then proxies

    • Stateful Firewall

  • Application Firewalls

  • Network Access Control (NAC) or Network Acces Protection (NAP)

  • NAP determines who can access the network

• Firewall

  • It can be implemented in HW or SW

  • Enforces your security policies on traffic

  • Similar to a Dumb security guard

  • Some firewalls inspect all 7 layers of the OSI model

    • Of course for a good price

  • Controls the flow of traffic

  • You must understand their limitation

• What does Firewall do?

  • Controls flow of traffic between networks or hosts

  • Restrict data flow to & from the internal networks. Also from the internet

  • Acts as a “traffic cop”

  • Can provide extensive logging

  • Could be used as a NAT device

  • Can be used as a VPN device

  • Could be a Unified Threat Management (UTM) - that means it is a master of all trades.

  • New types:

    • Web Application Firewall

    • Application Firewall

• Network Access Control (NAC)

  • Also called Network Access Protection (NAP)

  • A common requirement for firewalls

  • Inspect incoming connections

  • NAC Health checs

    • Latest updates

    • Configuration settings of security tools above

    • Elapsed time since the previous malware scan

• Packet Filters

  • Most basic type of firewall

  • Filter one packet at the time

  • Fast & Inexpensive

  • It is not going to tell you if the packet is malicious

  • Packet filters limitations

    • Does not detect IP spoofing

    • Does not provide source authentication

    • Does not detect IP framentation

    • Does not detect strange combination of flags

      • SYN and FIN together

• Flood guards

  • Defense agains DoS or DDoS

  • Detects ongoing attacks

  • Automatically attempts to block such attacks

  • Checks if there are too much traffic

  • Can identify and attempt to stop SYN flood, Ping flood, Port flood

  • Offering these services can make you a lot of money

  • Tools of flood guards:

    • DDoS mitigation appliances

    • Traffic anomaly detectors

    • QoS

    • Intrusion Prevention System

    • Access Control Lists (ACL)

    • SYN flood protection

    • RFC 2827 (must be complied with it)

    • Network Ingress Filtering

    • Defeating IP source Spoofing DoS attack

• Network Segregation

  • Used for SCADA systems

    • Supervisory Control and Data Acquisition

    • Electricity, Oil and Gas Pipelines, Water utilities

      • This is the most dangerous part in cyber warfare

  • Use by the Department of Defense (DoD)

  • Should be internally by companies

Proxy Servers

• Creates a gap between internal users & public network

• Act as a middle man

• Still known as the most secure type of firewall

• Users MUST go through the proxy

• Proxy is a server which inspects all of the connections.

Application level proxy

• It is the smartest type of proxy

• Operates at the Application Layer (7)

• Understands the inner working of protocols

• Understand syntax

• Can be used as an access control tool

  • May require password

Circuit Level Proxy

• Also called Generic Proxy

• Used when an application proxy cannot be used

• Mostly SOCKS as a protocol today

• Supported by a limited number of applications

  • Browsers

  • Email client

• Can act as VPN

Stateful Packet inspection (SPI)

• Intercept packets at the network layer

• Monitor the state of connections

  • SYN, ACK, FIN flags

• Can enforce proper three way handshake

• Can track connectionless protocols such as UDP

• Fast and efficient on inbound traffic

• No need to read the whole rule base

• Can prevent some probes and attacks

• Can restrict commands within protocols

Application firewall

• Newer trend in Stateful Packet Inspection

  • AKA Deep Packet inspections

  • Adds basic intrusion detection to SPI

• It is next generation firewall

• It’s an IDS

• Inspects protocols at the application layer

  • Allow or deny access based on how an application is running

Web Security Gateways

• Newer technolgy

• A for of specialized Application Firewall

• Reside in front of web server

• Minimize attacks through web browsers

• Protect against some of the phishing attempts

Unified Threat Management (UTM)

All in one Security device

• What could go wrong?

• It’s a bad idea

Limitation of Firewall Inspection

• Can only work effectively on traffic they can inspect

  • Cryptography hides the contents of the traffic

  • SSH, TLS, SSL, IPSEC

• Cannot read application data that is encrypted

• Sometimes it does not understand tunneled traffic

• May not be able to detect internal threats

Recommendations

• NAT is a form of routing and not a type of firewall

• Perform granular (very fine) Egress Filtering

• Choose a firewall that blocks harmful traffic

• Assess your need carefully before choosing

• Management of firewalls should be centralized

• Change Control must be in place

• Always have backup copies of rule base

Filtering

• URL filtering

  • User will visit malicious or offensive website

  • Make a whitelist of sites you can visit

  • You must monitor surfing habit

  • This is even more important in school with kids

  • Can filter specific categories

  • Can enforce policies

  • Tools

    • Websense

    • SurfPatrol

• Spam filtering

• Antivirus

  • Software that look for and detect viruses

  • Viruses distributed via:

    • Files that are downloaded

    • Emails

  • Does not understand high level attacks

• Pop-Up blocker

  • Tool to prevent pop up windows from opening

  • Feature built within most of browsers today

  • Allow the user to specifically allow site popup

• Content Inspection

• Malware inspection

Let’s jump into next day of preparing for SEC+.

Before beginning I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he describes concepts of various topics. Real professional.

You can purchase Security+ SY0-701 boot camp here

Some Questions and answers

These questions and answers will make you undestand how CompTIA Security+ exam feels like.

Terminology that was used

SLA—Service level agreement. An agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels. Organizations use SLAs when contracting services from service providers such as Internet Service Providers (ISPs).

AUP—Acceptable use policy. A policy defining proper system usage and the rules of behavior for employees. It will often describe the purpose of computer systems and networks, how users can access them, and the responsibilities of users when accessing the systems.

NDA—Non-disclosure agreement. An agreement that is designed to prohibit personnel from sharing proprietary data. It can be used with employees within the organization and with outside organizations. It is commonly embedded as a clause in a contract.

MOU - (Memorandum of Understanding) is a written agreement between two or more parties that defines their working relationship, expectations, and responsibilities. While not legally binding, it serves as a formal, non-binding document outlining the parties' intentions and the scope of their collaboration

MTBF—Mean time between failures. Provides a measure of a system’s reliability and is usually represented in hours. The MTBF identifies the average (the arithmetic mean) time between failures. Higher MTBF numbers indicate a higher reliability of a product or system.

MTTR—Mean time to recover. Identifies the average (the arithmetic mean) time it takes to restore a failed system. Organizations that have maintenance contracts often specify the MTTR as a part of the contract.

RPO—Recovery point objective. A term that refers to the amount of data you can afford to lose by identifying a point in time where data loss is acceptable. It is often identified in a BIA. Compare with RTO.

RTO—Recovery time objective. The maximum amount of time it should take to restore a system after an outage. It is derived from the maximum allowable outage time identified in the BIA. Compare with RPO.

Smishing - SMS (short message service) + phishing

MITRE - it’s an organization which is responsible to maintain Common Vulnerabilities and Exposures (CVE) database. So vulnerabilities like CVE-2017-0143 comes from MITRE.

WAF—Web application firewall—A firewall specifically designed to protect a web application. A WAF inspects the contents of traffic to a web server, can detect malicious content such as code used in a cross-scripting attack, and block it.

SPF - The Sender Policy Framework (SPF) is an email authentication protocol designed to prevent email spoofing, a common technique used in phishing attacks and email spam. As an integral part of email cybersecurity, SPF enables the receiving mail server to check whether incoming email comes from a domain authorized by that domain’s administrators.

DNSSEC—Domain Name System Security Extensions. A suite of extensions to DNS used to protect the integrity of DNS records and prevent some DNS attacks.

PCI DSS - (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure the secure handling of cardholder data, including credit and debit card information. It's a globally recognized standard, mandated by major payment brands like Visa, Mastercard, and American Express, for all entities that store, process, or transmit cardholder data.

CASB—Cloud access security broker. A software tool or service that enforces cloud-based security requirements. It is placed between the organization’s resources and the cloud, monitors all network traffic, and can enforce security policies.

HIDS—Host-based intrusion detection system. HIDS is software installed on a system to detect attacks. A HIDS is used to monitor an individual server or workstation. It protects local resources on the host such as the operating system files, and in some cases, it can detect malicious activity missed by antivirus software. Compare with HIPS, NIDS, and NIPS.

NIDS—Network-based intrusion detection system. A device that detects attacks and raises alerts. A NIDS is installed on network devices, such as routers or firewalls and monitors network traffic. It can detect network-based attacks.

NIPS—Network-based intrusion prevention system. A device that detects and stops attacks in progress. A NIPS is placed inline (also called in-band) with traffic so that it can actively monitor data streams, detect malicious content, and stop attacks in progress.

RA—Recovery agent. A designated individual who can recover or restore cryptographic keys. In the context of a PKI, a recovery agent can recover private keys to access encrypted data, or in some situations, recover the data without recovering the private key. In some cases, recovery agents can recover the private key from a key escrow.

OCSP—Online Certificate Status Protocol. An alternative to using a CRL. It allows entities to query a CA with the serial number of a certificate. The CA answers with good, revoked, or unknown.

CSR—Certificate signing request. A method of requesting a certificate from a CA. It starts by creating an RSA-based private/public key pair and then including the public key in the CSR. Most CAs require CSRs to be formatted using the Public-Key Cryptography Standards (PKCS) #10 specification.

CA—Certificate Authority. An organization that manages, issues, and signs certificates and is part of a PKI. Certificates are an essential part of asymmetric encryption, and they include public keys and details on the owner of the certificate and the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate. Compare with PKI.

SED—Self-encrypting drive. A drive that includes the hardware and software necessary to encrypt a hard drive. SEDs include all the encryption circuitry built into the drive, and they automatically encrypt the drive without user action. Users typically enter credentials to decrypt and use the drive. Compare with FDE.

Elasticity - Cloud elasticity is the ability of a cloud system to rapidly scale computing resources (like CPU, memory, and storage) up or down in response to changing demand.

PEAP—Protected Extensible Authentication Protocol. An extension of EAP sometimes used with 802.1X. PEAP provides an extra layer of protection for EAP and it is sometimes used with 802.1X. PEAP requires a certificate on the 802.1X server. Compare with EAP, EAP-TLS, EAP-TTLS, and EAP-FAST.

IPS—Intrusion prevention system. A preventive control that can stop an attack in progress. It is similar to an active IDS except that it’s placed inline with traffic. An IPS can actively monitor data streams, detect malicious content, and stop attacks in progress. It can be used internally to protect private networks, such as those holding SCADA equipment. Compare with IDS.

ISA - An Interconnection Security Agreement (ISA) is a document that defines the security requirements for a connection between two information systems, often between an agency and an external system.

BCP—Business continuity plan. A plan that helps an organization predict and plan for potential outages of critical services or functions. It includes disaster recovery elements that provide the steps used to return critical functions to operation after an outage. A BIA is a part of a BCP, and the BIA drives decisions to create redundancies such as failover clusters or alternate sites. Compare with BIA and DRP.

Table-top exercise - A tabletop exercise—or table top exercise—is an interactive, discussion-based session that prepares key team members for an emergency, disaster, or crisis.

Zone based firewalls:

1. Zone - A zone is a logical area in which the devices having the same trust levels reside. After creating a zone, an interface is assigned to a zone. By default, traffic is not allowed from one zone to another.

For example, first, we create a zone called inside then if the router interface fa0/0 resides on the most trusted network which we name as inside, then fa0/0 is assigned to the inside zone.

Important concepts

• Data on a VPN is considered data in transit.

• Incremental backups are performed on weeknights. Incremental backup backs up only files that have been modified since the last full or incremental backup.

• All things shares the kernel.

Thoughts after test exam

There are lots of acronyms used. I think it is really important to learn as much acronyms as possible. Some of the questions includes acronyms and answers are acronyms, so it is really important to understand them.

Sometimes you can find part of the answer in a question itself. I felt how questions are formulated and it does not look so scary as I thought it would look. So that’s a good part.

I see that I must spend some time for learning acronyms.

Anyways, I know that I’ll be able to pass the exam.

Some more test exams are waiting in the future.

Let’s jump into next day of preparing for SEC+.

Before beginning I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he describes concepts of various topics. Real professional.

You can purchase Security+ SY0-701 boot camp here

Resilience and Physical Security

If a hacker can physically access to the physical site. It is game over. This part is really important.

Physical security ways:

• Hardware locks

  • Conventional Locks

    • Easily picked locks and keys easily duplicated

    • Control and distribution of keys can be a problem

  • Pick-resistant locks

    • Higher cost

    • Harder to pick and keys not as easily duplicated

    • Distribution and control still a problem

  • Electronic Combination Lock

    • A keypad for a combination

    • Also called a cipher lock (can be in exam)

  • Electronic key systems

    • Cards encoded with access code

    • Magnetic cards can be duplicated or compromised

    • Smart Card would be a better choice

      • RFID cards

• Video Surveillance

  • Analyze your requirement

  • Estimate width of area to be monitored

  • Is there a need for zooming

  • What are the weather conditions if used outside?

  • How do you maintain capability?

    • Many building shuts all light off at the end of the day. So maybe you need night vision?

  • You need to protect the cameras so that it cannot be easily hacked. Intruders may see passwords entered in keypads through cameras if they are easily hackable.

• Fencing and walls

  • Bollard - it prevents attack with moving object. Such as vehicle loaded with explosives

    Illustration of bollard:

    

  • Fences must be a proper height

    • 1.5 meter height fence will deter casual trespasser

    • Secure areas uses 2.5+ meters height of the fence

    • Perimeter Intrusion Detection and Assessment System (known as PIDAS fencing)

      

    • Fences must be regularly inspected

• Proximity Readers

• Access List

• Security guard

  • Most efficient physical security control, but also the most expensive

  • Guard can enforce security policy

  • Can prevent Piggybacking or Tailgating attacks

  • Guard must be well trained

  • Can do patrols at random intervals

• Passive monitoring

Physical access logs

• Fortress mentality

  • Check to see everybody who comes and leaves

  • Good method is that there is only one door through which you can come and leave

• Use logging features (check when people come and go)

• Ensure guards are well trained

ID Badges

• Great for authenticating users

• Sometimes combines with smart cards

• They are very cheap and very efficient

Door Access Systems

• Use to control access to sensitive areas

• Can be biometric or Smart Card

• Based around the Electronic Access Control (EAC)

Physical Tokens

• Type II authentication factor

Could be:

• Metal Keys

• Smart Card

• Magnetic Card

• Photo ID

• Synchronous or Asynchronous tokens

• Biometrics

Site selection

• Select your data center location carefully

• Get familiar with the building code

• Investigate who are your neighbors

• What is the crime rate in the area

• Talk to you insurance company

• What about logistics for ambulance, firefighters and stuff like that.

Let’s jump into next day of preparing for SEC+.

Before beginning I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he describes concepts of various topics. Real professional.

You can purchase Security+ SY0-701 boot camp here

Identity and Access Management

Establish a baseline?

It is a minimum acceptable level of security

Could be as simple as minimum password length

Security is a process (exam emphasizes it)

• Use the PDCA model

  • Plan, Do, Check, Act model

• It is not a destination but a journey

• New threats and vulnerabilities all the time

Cybersecurity is a blessing and a curse. You must constantly learn. That’s why it is so important to love what you do.

DMZ (Demilitarized zone) (always in exam)

Demilitarized zone is kind of a border between friendly networks and unfriendly networks. It’s one step upper after firewall.

There’s demilitarized zone in for example south and north Korea. Border in the network.

Firewall directs traffic to internal network or to DMZ.

DMZ is kind of additional firewall.

Identification

• Claimed identity

• Public information

• Based upon first and last name

• User name

• User account

• Employee number

• There is no secret

Authentication

• Verifying if identification is true.

• Three types:

  • Authenticate by knowledge

  • By ownership

  • By characteristics

• Single factor

• Two factor

• Three factor

Multi factor authentication is when you check two types, for example knowledge (password) and characteristics (fingerprint). Multi factor means two different groups.

Two factor is when you check for example two passwords. Or two different entry cards.

Access control

• A model for developers

• Look at one need or another

• Use access control technologies and mechanisms

Authentication factors

There’s three main ways:

• Something you know (password, pin)

  • Type 1

  • Size is limited

  • Insecure storage

  • Operational problems

    • Help desk, easy to guess

    • Easy to get passwords

  • Physical problems

    • Can be compromised through lack of physical security

  • Hard to remember a complex pin or password.

• Something you have (card, token)

  • Based on ownership

  • Also called type 2

  • Cryptographic keys or digital certificates

  • Smart cards

  • Magnetic cards

  • Memory cards

• Something you are (biometric)

  • Based on unique physical characteristics

  • Type3

  • Sophisticated and expensive

  • Biometric errors

    • Type1 - false reject rate (FRR)

    • Type2 - false accept rate (FAR)

  • Accuracy

    • Crossover error rate (CER)

    • Equal error rate (EER)

    • The more accurate, the more errors you get.

Biometric authentication is tricky because if someone steals your fingerprint, you can’t change the fingerprint.

Mutual authentication

• User and server authenticate to each other

• Commonly used for:

  • Private web site

    • User must show his certificate to the web

  • To authenticate to VPN device

  • To access to intranet

Access Control Models (for sure will be in Sec+)

Discretionary Access Control (DAC)

• Owner decides who has access

• Owner manage their own files

• Access is granted based on the identity of the user

• Implemented through access control lists (ACL)

It is adequate for low level security environment ONLY.

Mandatory access control (MAC)

• Orange book class “B”, high security

• Military uses this model

• Controls are imposed by System Owner.

• Based upon the sensitivity of an object

• Subject must have appropriate Security Clearance

• In MAC there are labels

• Categories are used for the Need to Know (NDK)

Trusted operating systems

• In order to use MAC, you need secure OS

• Trusted Solaris

• SELinux (used by Russian military)

• Root is only another user in the system

Lattice Based Access Control

• Use to implement MAC, File Access, Integrity levels

• Use for complex access control decisions

It defines:

• Greatest upper band

• Least upper bound

Rule based Access Control (RuBAC)

• Use to implement rules based mechanisms

  • Can filter not only based on Identity

  • Can use IP, Protocols, Ports

  • More secure than DAC (Discretionary Access Control)

• Rules are applied universaly

Role based access Control (RBAC)

• Also called Non-Discretionary Access control

• Policies are defined by the System

• Distinguished from MAC

• Maps well to organizational structure

• Good for high turnaround of personnel

• User can belong to one or many roles

Groups and roles

• Requires planning

• Based on company mission and goals

• You must analyze job tasks

• Apply separation of duties

• Consult the owner to determine access.

Appropriate roles and permissions

Three approaches:

• Centralize

  • Single team, person, department

• Decentralize

  • Each site has their own administrator

• Hybrid

  • A mix of the two

  • Most commonly used

Access control matrix and ACL

Usually use in DAC

Password Policy

• Forces to use strong password

• Does not let user to choose their own password

• Dictates to user:

  • Password length

  • Type of characters

• Part of company security policies

• Avoid overly complex passwords because people forget it.

Password Creation

• You need to teach users how to construct a password

• All passwords should be at least 12 characters long

• Change password regularly

• Do not allow reuse of passwords

• Changing letters with numbers is called munging. Example: Hell0

Protect your password

• Memorize passwords, do not write them down

  • Writing them down makes the concept of password disappear.

• Use different password for different applications

• Minimum password history should be at least 5 to 10 passwords.

Password policies are stored in Local Security Policy

Usernames and passwords

• Most commonly used

• Used on Web Apps and Portals

  • Should be encrypted in storage

• Should never be transmitted in clear text

• Do not use simple password

Time of day restriction

• Also called Temporal access control

• Access is based on time of day.

• These days when there are lots of ransom, you should do backups as often as possible.

Account expiration

• Great for temporary worker, for example intern or contractor.

• Ensure there is no dormant account

• Ease system administration

Logical Tokens

• Two categories:

  • Synchronous (clock is involved)

  • Asynchronous (series of steps)

• Better than static password

• You must educate workers on how to use them

• Token is kind of like ID card.

• You should know about: Seed, Salt, IV, Nonce (could be in exam)

• Salt is added to a password to make it harder to identify your hash of the password. Same password hashes would look different because of the SALT.

Single Sign-On (SSO)

• Authenticate only once and access to all resources

• Advantages:

  • Requires less passwords

  • Authenticate once and not many times

  • Expires after some time

• Disadvantages:

  • One key for all places

  • Interoperability issues

  • Requires significant Planning and Analysis

Lightweight Directory Access Protocol (LDAP)

• It’s a directory publishing service

• Parent protocol is X.500

• Stores attribute based data (kind of a database)

• Data generally read and not written

• Uses port 389 for LDAP and 636 for Secure LDAP

Kerberos (SSO)

• Built by MIT in the 1980

• Uses Symmetric Keys or Secret Keys

• Key Distribution Centre (KDC) - it is unique to Kerberos

  • Authentication Server (AS)

  • Ticket Granting Service (TGS)

• Principals

  • Users, Services, Applications

• Uses Tickets Granting Ticket (TGT) and Tickets

  • Tickets define on what you have acces to

If exam will talk about tickets it is Kerberos. (mark this)

Remote Authentication Dial-In User Service (RADIUS)

• It is open source

• A client/server protocol

• Shared Key between client and server

• Authenticate dial-in or network users

• Profiles are kept in a central database

• Track usage for billing

• Uses the UDP

Terminal Access Controller Access-Control System (TACACS+)

• Service from CISCO

• TACACS+ is an industry standard under RFC (Request for Comment) 1492 - it’s kind of a standard

• More detailed logging than RADIUS

• Uses TCP (was seen in exam, keep in mind)

• TACACS+ improves security.

• It uses LDAP in authentication phase.

Remember that RADIUS uses UDP and TACACS uses TCP.

Due care and Due Diligence (important concepts)

• Due Diligence - Do Detect

  • Identifying risk

  • Based on best practices

  • For example: All computers must have antivirus.

• Due Care = Do correct

  • Bringing the risk down to an acceptable level

  • Maintaining the risk at that lever over time

  • For example: Updating virus database 10 times a day

Personal Identity Verification (PIV) Cards

• CAC card is an example

  

• Required for all US Government Employees

• Used for secure access to computers and buildings

Let’s jump into next day of preparing for SEC+.

Before beginning I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he describes data of various topics. Real professional.

You can purchase Security+ SY0-701 boot camp here

Kerchoff’s Principle (1883)

• It must not be required to be secret.

  • Effective cryptographys algorithm must not be secret.

• Algorithm has to be publicly known

• Too many secrets can lead to easier compromise

• Only the key should be secret and protected

In OWASP TOP3 many cases are cryptographic misconfiguration

Unknown cryptography algorithm is not more secure.

Hashing algorithms (will be in exam)

• SHA

• SHA1 (160-bit, developed by NSA)

  • 160-bits (could be in exam)

• SHA2 (256, 384 and 512)

• MD2 (MD algorithms were developed by Ron Rivest)

  • 128-bit

• MD4 (128-bit)

• MD5 (128-bit)

  • 128 bits

• HAVAL (Variation of MD5)

• LANMAN

  • Developed in 1980

  • Was not used very much

  • It is easy to hack it

• NTLM

  • Sends an 8-byte challenge to the client

  • Client returns the challenge in encrypted form

  • If response is correct, client is authenticated

  • Optional on Windows 2000

• NTLM V2

  • Offer Session Security

  • Encrypted with 128 bit key

  • You must configure servers to accept only NTLM V2

  • Use passwords longer than 14 characters

There are lots of old systems in the world

Corporations does not update systems

SCADA uses really old systems.

Registry Editor is important part in Windows. It controls software behavior in the system.

• Collision

  • Happens with hashing algorithms

  • Two different inputs creates same output (hash)

  • MD5 today has multiple collision

    • Less collisions means more integrity

  • Use SHA-1 for forensics

• The Birthday paradox (sometimes appears in exam)

  • Based on probability

  • How many people do I need in a room to have a 50% chance that two of them have the same birthday?

    • Answer is: 23

  • It is easier to generate random messages to attempt to get a collision instead of trying all possible values.

  • Guessing is often better

Hashes or message digest is:

• A one way function comparable to a CRC check

• Usually 128-bit or 160-bit.

  • 160-bit looks strange.

    • It is 128bits + 32bits

• You can’t reverse hash. It is one-way.

• Encrypted text can be as short as 3 characters or as long as 1000 characters. The hash length will be the same.

• 1 bit changed means hash changes. 50% of hash changes when changing 1 bit!

• If two inputs generate same hash it’s called Collision

  • Here’s where integrity comes.

  • It’s a sign of weakness of the algorithm

• You can find hashes on you Kali system in /etc/shadow

OFFTOPIC:

Check about Stuxnet attack (2010)

Symmetric Cipher Authentication

• A message authentication Code (MAC) is used

• Also called a keyed Hash

Data Encryption Standard (DES) (WILL BE IN EXAM)

• Originally from IBM, Block Cipher

• 16 rounds of encryption

• Lucifer Algorithm accepted as DES standard 1974

• DES and AES are standards. These are not the algorithms.

• Original used 48 to 128-bit key

• NIST - National Institute of Standards and Technologies

• The key is 64 bits in it’s total lenght

Triple DES or 3DES

• 3 X DES applied to plaintext

Rivest Shamir Adleman (RSA)

• Developed by Rivest, Shamir and Adleman

• Patented in 1977

  • Was free to use by anyone

  • Became the de facto standard

• Digital signatures, key distribution, encryption

• Based on Difficulty of factoring large numbers

• Key sizes: 512, 1024, 2048, 4096, 8192

Pretty Good Privacy (PGP)

• Developed by Phil Zimmerman

• Was initially a 1024 bits cipher

• Offers Email and File Encryption

• Offers Drive Encryption

• The Web Of Trust was initially used with PGP

NSA always asks that there would be a Backdoor open for them in an algorithm. PGP refused.

Eliptic Curve Cryptosystem (ECC)

• Short Key size with same strength as large key size

• Very efficient for small portable devices

  • it is used in every portable device now.

Advanced Encryption Standard (AES) - (MUST KNOW for the exam)

• Created by Vincent Rijmen and Joan Daemen (Dutch engineers)

• Effective as of May 26, 2002

• Block Symmetric Encryption Algorithm

  • There’s stream and block symmetric

  • Block sizes of 128, 192, 256

• Rounds (10, 12, 14) - how many times it will go through encryption algorithm

• This is World STANDARD.

• IT IS NOT AN ALGORITHM, IT’S A STANDARD

NIST picks the best algorithm. Secure and fast.

One Time Pad (One Time Password)

• Known as the unbreakable cipher

  • If the pad is truly random or protected it is unbreakable

• No longer used today

SSL/TLS

In the beginning nothing was encrypted,

• Secure Sockets Layer (SSL)

  • Developed in Netscape

  • Protects the communication channel (Session)

  • Server authenticates to client

  • Optionally client can authenticate to server

  • Used for secure WWW connections

• Transport Layer Security (TLS)

  • Was supposed to replaced SSL

  • More features than SSL

S/MIME

• Application-layer protocol (Layer 7 of OSI model)

• Provides data integrity, confidentiality and authentication

Public Key Infrastructure (PKI)

Concepts that you need to be aware of:

• Recovery Agent

  • A recovery agent can save you data if you loose it

  • No longer used,

• Public Key

• Private Key

• Certificate Authority (CA)

  • These are the companies that issue certificates

  • Top level of trust

  • Commercial Companies:

    • VeriSign

    • Baltimore

    • Thawte

  • Can have sub-CA of their own

  • Can also be private, like:

    • DoD

    • Microsoft

    • Cisco

  • Must be protected at all cost

• Registration authority

  • User fills a form, get certificate and gets approval or not

  • Identity will be attached to digital certificate

• Key escrow

  • A copy of a Private key kept by the issuer

  • Could be clear text copies kept in a safe

• Certificate Revocation List (CRL)

  • Answers the question if certificate is still valid today?

  • Contains list of compromised certificates and checks if upcoming certificate is not in that list.

  • Mostly replaced today by OCSP (Online Certificate Status Protocol)

• Trust models

  • How do we know if the certificate we see is real?

    • There’s a PKI model

      • Nice Hierarchy

    • There’s a Web of trust

      • If I’m friend with you, then I’m gonna trust anybody who you trust

Key Management

• The need for key management

• CA and RA

• Keys are:

  • Public

  • Private

  • No trust on keys by default

• We need automated way of distributing keys

• We need creation and distribution

• Key length long enough for usage

• Keys need to be backup or escrowed

• Keys should be properly destroyed

OFF TOPIC

Mark Shuttleworth is a founder of UBUNTU. He spent lots of money on it and made it free to people. He made his billion while selling digital certificates in the beginning. He also went to the space.

Is quantum computing for the future or is it already here, in the present?

What are the dangers for technology of quantum computing for the future?

What is quantum computing?

Bits an qubits is the main difference

• Bit can be only binary. It can be only 0 or 1.

• Qubit can be 0 and 1 at the same time (superposition).

  • It can let you know all of the availabilities at once.

Revolution in computing

• Quantum computing gives us quantum parallel calculations. This gives us lots of speed.

• Qantum interferention let’s us reach the answer as fast as possible.

• Decoheration

  • In other words it’s instability.

Most powerful computers

• IBM CONDOR 1121(qubits) (it has the most powerful processor)

• KOOK ABURRA 4158(qubits) (planning for the 2025)

  • With this much qubits, you can crack AES126 key.

• Google Willow 103(qubits) (introduced at 2024 12 09)

• IAONQ

Main advancements in quantum computing

Main algorithms are:

• Shor’s algorithm

  • It gives us ability to factor big numbers

• Grover-s algorithm

  • Makes the search in NoSQL databases a lot faster. This algorithm can find stuff in chaos.

Future of Quantum computing

• Google wants to achieve 1 million qubits. Number is big, but Google likes big numbers.

Businesses working in Quantum Computing

• IBM

• Google

• Intel

• Xanadu

• IonQ (First in Europe, other businesses are in USA)

• Business representatives:

  • Rigetti

  • D-Wave

  • Quantinuum

AI + Quantum Computing

Quantum machine learning:

• It gives us lots of effectiveness and speed for calculation.

• It takes low energy.

Quantum neural networks:

• New architecture using quantum parallelism.

Data Classification:

• A lot faster big data analysis

Synergy potential

It can make faster pharmacy industry for medication foundings.

9 qubit types

Businesses need to decide which type they need to use.

• Superconducting qubits

• Trappen ion qubits

• Photonic qubits

• Spin qubits in semiconductors

• Nuclear spin qubits

• Neutral atom qubits

• Mechanical qubits

• Moleccular qubits

Cyber Security dangers in quantum era

• Shor’s algorithm can easily break RSA and ECC encryption systems.

• Nowadays security standards won’t be safe anymore.

• Digital signatures won’t be as safe as before.

Shor’s algorithm

Classical computing is using mathematical calculations. Quantum computing mathematical calculations means nothing. It take seconds.

Quantum security management

Quantum computer can now easily brute force the password. It takes 1 second.

Quantum computing can easily give you answers who did the attack. It basically say who is attacker. SOC/SIEM systems can be safer than ever before.

Quantum Communication

Quantum Key Distribution (QKD)

• Safe cryptographic key exchange.

• Europe has one satellite EAGLE-1 with QKD availability.

ML40 is the main algorithm for quantum security.

Quantum Hackers (#qacker)

Future Perspectives

In the near feature (5 years or even earlier) the threat is real.

Preparation for Q day: Situation now and our future

This is the day when quantum computer will be powerful enough to crack asymmetric cryptography.

We can’t wait for this day and only then start preparing. We must start to think about our security now.

There are reports that chinese qackers already broke military-grade encryption. We do not know what they are capable of.

Who should be interested?

Basically everyone who has network connection.

How to prepare for Q day?

• There are new algorithms being created. Post quantum algorithms. The following algorithms are already approved:

  • ML-KEM

  • ML-DSA

  • SLH-DSA

• Technology giants already produces new Post Quantum algorithms.

• There are new groups in European Union dedicated to Post Quantum Cryptography

Transition to Post Quantum Cryptography

Until 2027 European Union Countries must be ready for quantum threats. There are plans prepared for achieving this.

• Road to quantum security has already started. That’s the good news.

Post Quantum Cryptography (PQC) migration inside organizations

Main quantum threats:

• Quantum computer will be capable of cracking nowadays cryptographic algorithms.

• Save now - decrypt later

  • Attackers can now keep the keys and decrypt it later.

First step: Cryptography investigation in your organization

• Checking where asymmetric algorithms are used.

• Talking with system admins.

How to manage founded risks?

• We can check strategies on how we will do it.

• Resources and budget

• Decision selection

• Forming new teams

Testing

• Lab testing

• It’s a really good method to check whether your strategies work or not.

• You need to decide and check which PQC algorithm is best for you.

Making it reality

• It’s a step by step process

• Risk management

• Minimize the disturbances

• Crypto flexibility

Summary of migration in organization

• It’s a step by step process

• It’s a big strategical project

• Team work

• We have to act now!

Discussion outcomes

How to prepare for Quantum Computing?

What’s the most difficult challenge here?

• Qackers are the most dangerous now.

• The future of quantum computing is not the maybe, it’s guaranteed to happen.

• It’s opportunity to be safer.

• Education is a challenge too. How to talk with C level executives about it.

• Big challenge now is psychological aspect.

• Post Quantum Cryptography sounds scary…

What are the real usage of quantum computing in businesses?

• Manufacturers react differently

• Make current technologies stronger

• Creating PQC adaptation systems

• New QKD adaptations

• 2035 is the year when Post Quantum Era should begin

• CloudFlare has already developed some techniques for safe Software Development.

• SCADA/ICS systems will face a challenge, because old controllers cannot adapt to quantum systems.

• Cryptocurrency industry will have a big challenge, because cryptocurrencies are based upon algorithms.

What do you think about post quantum standardization of algorithms, what does it means for the future?

• Challenge will be to test new algorithms. To make sure that the algorithm is safe.

• There has to be a process which checks if the methods of creating algorithms is known.

Do we have too much now?

• If we want to have safe future, we need to create ecosystem for these processes.

• We do not have many quantum computers. That’s the problem.

• We must have infrastructure for this thing. Let’s give toys to the scientists.

We must check who developed the libraries used for quantum algorithms.

How to do inventory analysis?

• There should be a data manager. A person who knows where and how data are stored. Ant what is the data.

• It takes time. Lots of time.

• Just write what data and where you store it. Take a simple Excel file and start.