Security

Think about the services that only a few people need to access, but they need to be accessible from anywhere, over the internet. The internet is a giant untrusted monster network, full of evil people actively trying to harm you. If only a few people (let’s say in the ten-thousands) need to access your service, why do you make the service accessible to billions? It’s so asymmetrical. VPN Gateways VPN Gateways! They’re great! They sit on the edge of your network, and they let you access all your internal stuff! But if you want someone to be able to connect to your VPN over the internet, the VPN gateway itself must be publicly accessible. Yes, you likely have authentication on your gateway such as an IPSec Pre-Shared Key, and/or a username and password. But your gateway is still internet-facing, and let’s just say there are no guarantees for security. ...

This post is part of a larger series on Security+ 1.1 Given a scenario, analyze indicators of compromise and determine the type of malware Virus: an old-fashioned term going back to the mid-1980s. A piece of software that may intrude into your system, often by attaching to other existing files. Viruses will propagate or spread to other devices. They would also activate - or perform some function such as erasing the boot sector on your hard drive. There are many more specific terms to describe malware in this day and age. Ransomware: also known as crypto-malware. It is software that will encrypt your data and will demand payment from the user to get the decryption key. Can be mitigated with a good data backup strategy. Worm: a piece of malicious code that is capable of scanning your network, finding other systems, and spreading to the other systems by replicating itself. The first computer worm was antivirus software, spreading itself to remove a commonly found virus. The second computer worm caused a ton of damage and led to the first criminal conviction under the computer fraud and abuse act. Trojan Horse: a piece of software that disguises itself as something else. Typically related to an application that makes the user want to run the software. Rootkit / Backdoor: a piece of software that escalates its privileges which will typically allow root access to a system for the threat actor. This is sometimes referred to as a backdoor. A backdoor just means a way for an unauthorized person to access your system, this is a property of a rootkit. Keylogger: Malware that records keystrokes and will often automatically transmit keystrokes to the threat actor for review. Can be used for catching login credentials as they are typed. Adware: programs that attempt to display ads on your system to generate revenue. Spyware: a form of malware that hides itself and doesn’t typically display ads or make itself known, to allow for continuous exfiltration of data from the infected system. Bots: programs that run on your computer and accept command and control messages from a central location. Often many computers accept commands from the same source, this forms what is known as a botnet. This gives the controller a lot of power by having full control over many machines, denial of service attacks can be performed by commanding the botnet to send messages to a target system. RAT: stands for remote access trojan/tool. It’s a piece of software that allows a threat actor to view the screen and control the infected computer. Logic Bomb: typically some malware which is triggered by some event taking place. A common threat is to have a logic bomb go off if your employer disables your account. Polymorphic Malware: Malware that changes itself to try and bypass signatures that are used by antimalware software. By changing itself, it may be able to sneak by malware scanners since it will appear to be different than what the signatures are in the antimalware software. Armored Virus: malware which contains a lot of superfluous code to try and throw off threat researches and antimalware software from being able to determine what the malware is trying to do. 1.2 Compare and contrast types of attacks Social Engineering These are attacks that rely on the human factor. We as humans have feelings vulnerabilities too. Social engineering attacks are effective because they often rely on the following principles: ...

This post is part of a larger series on Security+ Common userspace utilities ping: Sends ICMP echo request to the destination, expects an ICMP echo reply but if not received before the timeout, will display as such. If a response is received, the RTT will typically be displayed in the output for each response. Implementations differ between operating systems and userspace utilities. # Windows uses -t to get correct, sane behavior ping -t 8.8.8.8 netstat: netstat will show network connections for transmission control protocol (incoming and outgoing), routing tables, as well as protocol statistics. # Windows uses netstat -a to show ports which the system is listening on as well netstat -a tracert: will display possible routes and measures transit delays of packets across an IP network. Windows uses tracert to send ICMP echo requests with an incrementing TTL starting from 0 until the specified is matched with an ICMP echo response. By default, it will perform reverse DNS lookups (PTR queries) to provide you with a hostname if possible. You can specify -d to prevent reverse DNS lookups which speed up the process drastically. tracert -d stevenpolley.net arp: allows displaying or manipulating the ARP cache. Can be used to investigate arp poisoning and L2 issues. arp -a ipconfig / ip / ifconfig (depracted): answers “who am I, and how am I configured” # Windows L3 configuration ipconfig # Windows L3 and L2 configuration ipconfig /all # Linux L3 configuration ip addr # Linux L2 configuration ip link # Linux deprecated userspace utility ifconfig nslookup/dig/drill (drill not on exam): you need to know how to make DNS queries using these tools. It’s important to know that nslookup performs DNS queries independent of system configuration, including the hosts file, cache, or if you have different DNS servers configured - it will perform a full DNS query when it’s run - that’s interesting and important for troubleshooting purposes. # Windows interactive mode to get MX record using 8.8.8.8 as DNS server # You can change mx for soa or ns or any other type of record. nslookup server 8.8.8.8 set type=mx stevenpolley.net # Linux dig command dig @8.8.8.8 stevenpolley.net MX netcat: able to open and listen on ports or act as a client on any port you want. That’s pretty cool - it’s like a swiss army knife. It obviously won’t respond correctly like a server implementation would unless it’s configured to do so, but can read incoming information (as a server) or responses (as a client) - that’s pretty neat! # netcat server listen on TCP port 8080 netcat -l 8080 # you can direct STDOUT to a file if you wish netcat -l 8080 > file.out # netcat as a client - STDIN is transmitted netcat stevenpolley.net 8080 # you can also transmit a file netcat stevenpolley.net 8080 < file.in # you can also capture a response to a file netcat stevenpolley.net 8080 > file.out Network Scanning Network scanners allow us to tell what systems are running on a particular network - or at least the systems that tell us they’re there when we ask certain questions. The most commonly used network scanner is nmap. Nmap has many command-line switches which allow you to define specifically what type of scanning you would like to perform, and it also allows you to define/constrain your scan to a specific set of IP hosts. ...

This post is part of a larger series on Security+ Using Guides for Risk Assessment Guides are not necessarily hard and fast rules. The idea of guides is to set bias. Yes, we as humans cannot get around biases, even when we are aware of them. Guides can help us set a baseline to help get a feel for where things should be. The idea is to use the incredibly fast, yet flawed built-in calculator we have evolved to optimize - intuition. ...

This post is part of a larger series on Security+ Auditing & Accountability: who’s making changes, why are they making changes Non-Repudiation: non-repudiation is when a person cannot deny having done something. For instance, if are required to change someone’s password and have knowledge of its value, if that account then performed bad actions, you could be liable. To get non-repudiation, you must have confirmation the user has changed their password to something different. Identification, Authorization, and Authentication Say you were buying a movie ticket and you printed off your confirmation code. To get your tickets you will need your driver’s license and your authorization number. The driver’s license identifies who you are, the authorization number indicates you have purchased tickets and these two together mean you are now fully authenticated. ...

This post is part of a larger series on Security+ Definitions Risk Management: The identification, and assessment of risk. Assets: Any part of our infrastructure that we are worried about getting harmed. Servers, network, services, applications, storage, people, intangible (such as reputation) Vulnerability: Weakness to an asset that leaves it open to bad things happening to it. eg) unlocked server room door, not changing default passwords Threats: The bad action or event, that could occur if a vulnerability were exploited. A threat is an abstract concept describing the scenario in which a vulnerability is leveraged. Threat Agent: The actor which carries out the threat (eg: hackers, criminals and bad storms that cause floods) Qualitative: Quantitative: Likelihood: Impact: The actual harm which may be caused by a threat. It can be things like costs, labor, downtime, etc. It can be viewed through both a quantitative or qualitative lens. Mitigation: Action taken to reduce the impact of a risk Pentesting: An outside party looks for vulnerabilities and will then provide a report on them Vulnerability Assessment: Threat Assessment: Finds threats applicable to your infrastructure. Managing Risk Risk Identification / Risk Assessment Looking at and cataloging all assets. This is part of a vulnerability assessment. ...

This post is part of a larger series on Security+ Cryptography is the science and study of taking data and making it hidden so others cannot understand it. Cryptography provides confidentiality by using obfuscation. There are a lot of ways to use obfuscation to provide confidentiality. Diffusion Confusion Encryption: the process of obfuscating data Decryption: the process of unobfuscating data. Cipher: Caesar cipher: a common that shifts letters in the alphabet by some number. ROT2 would replace instances of the letter A with the letter B. ROT3 would replace the instances of the letter A with the letter C. Very weak form of encryption. Cryptanalysis: the process of breaking down an encrypted message to understand how to decrypt it. Cryptography Components Algorithm: They should be known to everyone. Key: A variable secret. Exclusive Or (XOR) Ciphers such as the Caesar Cipher work well with alphabet/plaintext, however, it doesn’t work well with binary data. One example which does work well with binary data is XOR. This logic is fundamental to many(most?) common encryption algorithms. ...

I decided I’ll go for the S0-501 Exam, and will share my notes here. You can find all of my notes here At the time of this post, my notes are ongoing, very incomplete and are updated as I go along. There may be spelling, grammar grammar or grammar errors? Some sections are empty as well, but will be filled in the coming weeks. Free notes I've taken about the Sy0-501 exam topics. I have not yet taken this exam. ...

Port knocking is security through obscurity. Now normally, I say anything to do with security through obscurity is bad practice if that’s the only thing you’re relying on. The idea is that it’s not going to outright secure your network, but it’s going to drastically reduce the risk of an attack during an attacker’s discovery phase. Hiding valuables in your vehicle when it’s left unattended will reduce the likelihood of a criminal passerby from breaking into your vehicle. Likewise, keeping ports closed when they’re not actively in use will reduce the likelihood of a criminal portscanning your network to find your open SSH (Sometimes Secure Hell), RDP (Ransomware Deployment Protocol), or god forbid your HTTP or TELNET ports. To keep the analogy going, we are effectively keeping the open ports in the car, but we are throwing them in the glovebox. ...

I’ve been searching for a file-level backup solution that ticks all the boxes, specifically: Efficient - something that only copies differential data when performing backups Secure - Encryption of data at rest and in-flight Deduplication - Only store blocks of data once and use pointers to reference it Storage Provider Support - Ideally NFS out of the box or even rsync, but hey if it supports the typical cloud providers too that’s a bonus Trustworthy - Ideally free and open so that I can audit the source Easy - I don’t want to invest an hour learning how to use it at scale Ideally free Man, let me tell you - there are not a lot of options out there that meet all these requirements - but I stumbled upon restic, and it seems to be the best option I’ve come across. ...