Tuesday, July 26, 2022
Security+ 008 - 1.8 Techniques used in Pentesting
1.8 Techniques used in Pentesting
Penetration Testing
Known Environment - Tester is familiar with environment
Unknown Environment - Tester knows nothing about the environment
Partially Known Environment - Partially known and unknown, tester goes with info they have
Rules of Engagement - Agreed list of systems the tester can target and what is to be tested
Lateral Movement - Moving from device to device within a network.
Privilege Escalation - Administrator access
Persistence - On-going access
Cleanup - Reverting systems back to original setting from before the test
Bug Bounty - System owner offers a reward for finding and reporting bugs in their system.
Pivoting - Using a system as a jump off point or a relay to access other parts of the network.
Passive and Active Reconnaissance
Drones - Surveillance
War Flying - WiFi enabled drone that can pick up networks and collect data about them.
War Driving - Similar to War Flying, but done with a car driving around instead of a flying drone.
Footprinting - Mapping the network, packet captures could see this happening.
OSINT - Open-source/public intel
Exercise Types
Red Team - Attackers
Blue Team - Defenders
White Team - Oversees blue/red team activity on a network
Purple Team - A team that consists of both offense and defense team members
Monday, July 25, 2022
Security+ 007 - 1.7 Techniques used in Security Assessments
1.0 Attacks, Threats, and Vulnerabilities
1.7 Techniques used in Security Assessments
Threat Hunting - Detecting and locating threats/vulnerabilities
Intelligence Fusion - Aggregating raw data and logs into a database
Threat Feeds - Information alerts, often 3rd party provided
Advisories and Bulletins - Security reports
Maneuver - Deploying security tools, and automating that deployment
Vulnerability Scans
False Positives - Flagged event that doesn’t pose a threat
False Negatives - Vulnerability is on a device, but does not get flagged/detected
Log Reviews - Pull data sourced from device logs
Credentialed - Scan as if you have authorized account access
Non-Credentialed - Scan as if you have no access
Intrusive - Tries to use found exploits
Non-Intrusive - Only looks for exploits, but does not use them
Application - Scans software (anti-virus)
Web Application - Scans for XSS (cross-site scripting), sql/code injections
Network - Scans network for open ports and other network vulnerabilities
Common Vulnerabilities and Exposures (CVE) - Reference for public knowledge on known exploits.
Common Vulnerability Scoring System (CVSS) - Scoring system to indicate severity of known exploits.
Configuration Review - Scan device or software for misconfigurations
Syslog/Security Info and Event Management (SIEM) - Software, central hub for security info
Review Reports - Generate reports based on diverse data
Packet Capture - Monitor network traffic
Data Inputs - Feed raw data into SIEM (authentications, VPN connections, firewall logs, denied network traffic)
User Behavior Analysis - Set a baseline and use it as a risk-trigger
Security Monitoring - Constant monitoring of real-time info flow, track stats, send alerts when risk is found, automated ticket generation
Security Operations Center (SOC) - Centralized location to do security monitoring.
Log Aggregation - Collect all logs into one database
Log Collectors - Retrieves/accepts and stores all logs.
Security Orchestration, Automation and Response (SOAR) - Automate tedious and routine tasks, connecting multiple tools together, auto-responsive to maintain real-time security.
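As an added example (not part of the original notes), the following Python script shows how the pieces above fit together on constructed log lines: a collector that parses syslog-style lines from two sources (an SSH daemon and a firewall) into one event schema, a user behavior rule that compares each user's failed logins against a per-user baseline, a correlation rule that fuses firewall denies with authentication failures, and the alert list a SOC would turn into tickets. The log lines, hostnames, addresses (RFC 5737 documentation ranges) and baseline values are all made up for this example.

```python
import re
from collections import Counter

# Constructed sample log lines in a syslog-like format (made up for this example).
SAMPLE_LOGS = """\
Jul 25 09:01:12 vpn01 sshd[2201]: Failed password for alice from 203.0.113.10 port 51022 ssh2
Jul 25 09:01:15 vpn01 sshd[2201]: Accepted password for alice from 203.0.113.10 port 51022 ssh2
Jul 25 09:02:01 fw01 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=445
Jul 25 09:03:40 vpn01 sshd[2310]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Jul 25 09:03:42 vpn01 sshd[2311]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Jul 25 09:03:44 vpn01 sshd[2312]: Failed password for bob from 198.51.100.7 port 40003 ssh2
Jul 25 09:03:46 vpn01 sshd[2313]: Failed password for bob from 198.51.100.7 port 40004 ssh2
Jul 25 09:03:48 vpn01 sshd[2314]: Failed password for bob from 198.51.100.7 port 40005 ssh2
Jul 25 09:03:50 vpn01 sshd[2315]: Failed password for bob from 198.51.100.7 port 40006 ssh2
Jul 25 09:05:03 vpn01 sshd[2401]: Failed password for charlie from 192.0.2.44 port 33010 ssh2
Jul 25 09:05:09 vpn01 sshd[2401]: Failed password for charlie from 192.0.2.44 port 33010 ssh2
Jul 25 09:05:15 vpn01 sshd[2401]: Accepted password for charlie from 192.0.2.44 port 33010 ssh2
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<proc>[^:]+):\s+(?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
FW_RE = re.compile(r"^DENY .*SRC=(?P<ip>\S+) .*DPT=(?P<port>\d+)")

# Constructed per-user baseline: typical failed logins per hour, the kind of value
# user behavior analysis would learn from history.
BASELINE = {"alice": 1, "bob": 1, "charlie": 2}


def parse_events(text):
    """Log collection: normalize raw lines from several sources into one event schema."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # unparseable lines are dropped here; a real collector would count them
        msg = m.group("msg")
        a = AUTH_RE.match(msg)
        if a:
            kind = "auth_fail" if a.group("result") == "Failed" else "auth_ok"
            events.append({"kind": kind, "host": m.group("host"),
                           "user": a.group("user"), "src_ip": a.group("ip")})
            continue
        f = FW_RE.match(msg)
        if f:
            events.append({"kind": "fw_deny", "host": m.group("host"), "user": None,
                           "src_ip": f.group("ip"), "port": int(f.group("port"))})
    return events


def failed_logins_by_user(events):
    return Counter(e["user"] for e in events if e["kind"] == "auth_fail")


def risky_users(events, baseline=BASELINE, multiplier=3):
    """User behavior analysis: users whose failed logins exceed multiplier x their baseline."""
    counts = failed_logins_by_user(events)
    return {u: n for u, n in counts.items() if n > multiplier * baseline.get(u, 1)}


def correlated_sources(events):
    """Intelligence fusion: source IPs seen both in firewall denies and in failed logins."""
    denied = {e["src_ip"] for e in events if e["kind"] == "fw_deny"}
    failed = {e["src_ip"] for e in events if e["kind"] == "auth_fail"}
    return sorted(denied & failed)


def build_alerts(text, baseline=BASELINE):
    """Security monitoring: turn flagged conditions into ticket-like records."""
    events = parse_events(text)
    alerts = []
    for user, n in sorted(risky_users(events, baseline).items()):
        alerts.append({"severity": "high", "rule": "failed-logins-over-baseline",
                       "subject": user, "count": n})
    for ip in correlated_sources(events):
        alerts.append({"severity": "medium", "rule": "fw-deny-plus-auth-failure",
                       "subject": ip, "count": None})
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_LOGS):
        print(alert)
```

Run as-is, the script raises one high alert for bob (six failures against a baseline of one) and one medium alert for 198.51.100.7, the address that both hit the firewall and failed logins; alice and charlie stay under their thresholds, which is exactly the false-positive/false-negative trade-off the baseline multiplier controls.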
Sunday, July 24, 2022
Security+ 006 - 1.6 Security Concerns Associated with Vulnerabilities
1.6 Security Concerns Associated with Vulnerabilities
Cloud-Based Vulnerabilities - Vulnerabilities for a cloud environment. More available to target, data breach/loss, potential privacy issues
On-Premises Vulnerabilities - In house data center, requires regular maintenance and additional fault resilience, more susceptible to physical-based events (nature, power outage)
Zero-Day Vulnerabilities - A previously unknown vulnerability/exploit
Weak Configurations
Open Permissions - No authentication requirements.
Unsecure Root Accounts - Root/admin account with no authentication.
Errors - Error messages should not include so much detail that they give an attacker extra information about a network/system; they only need to be specific enough to say where to look.
Weak Encryption - Obsolete encryption methods, encryption that can easily be decrypted.
Unsecure Protocols - Unencrypted protocols
Default Settings - OEM/Factory set (public) credentials
Open Ports and Services - Manage Ports and traffic flow with a Firewall, open ports are open to communication and can be targeted.
Third-Party Risks
Vendor Management - Managing and monitoring vendor risk and vulnerabilities
System Integration - 3rd party device or access to inside the network
Lack of Vendor Support - Vendor does not patch vulnerabilities, or is slow to.
Supply Chain - Vulnerabilities in the sources of what builds your capabilities.
Outsourced Code Development - 3rd party developers, isolate from the production environment.
Data Storage - On-prem or in cloud, needs proper protocols in place to secure and set access controls.
Improper or Weak Patch Management
Firmware - Commonly not patched often, can lead to devices being vulnerable.
Operating System (OS) - Vulnerabilities in the core software running a device.
Applications - Software exploits
Legacy Platforms - No longer supported, retired software/hardware still in use
Impacts
Data Loss - Hardware failure, malicious removal, potentially can ruin a business.
Data Breaches - Access to data, can lead to extortion, potential loss of profits
Data Exfiltration - Malicious data transfer, unauthorized, can lead to ransomware/extortion
Identity Theft - Can lead to financial damages or unintended authorization
Financial - Interruption of business, loss of profits, unauthorized money transfers
Reputation - Loss of trust in the business
Availability Loss - Denial of service, loss of profits
Friday, July 22, 2022
Security+ 005 - 1.5 Threat Actors, Vectors, and Intelligence Sources
1.5 Threat Actors, Vectors, and Intelligence Sources
Actors and Threats - Entity responsible for an event that has an impact on the safety of another entity.
Advanced Persistent Threat (APT) - Stays in your network until removed, can act as reconnaissance for a larger attack.
Insider Threats - Potential employee, contractor, or vendor is a threat actor.
State Actors - Nation state, governmental threat actor.
Hacktivists - Threat actors with a goal or (political) purpose as motive.
Script Kiddies - Outside threat actor who uses many simple scripts until they find one that lets them into a network.
Criminal Syndicates - Professional organized groups of threat actors.
Hackers - Broadly, a person who is good with technology
Authorized - Hired to find network weaknesses and vulnerabilities, has permission.
Unauthorized - Malicious, looking to cause harm.
Semi-authorized - Researcher-type, looks for vulnerabilities and network access without direct permission, but does not act on them if found.
Shadow IT - Those within an organization who fulfill their own IT needs outside the purview of the proper IT processes and procedures.
Competitors - Threat actors from an outside organization that you share a market with.
Attributes of Actors
Internal - Threat from within the organization.
External - Threat from outside of the organization.
Level of Sophistication/Capacity - Complexity/severity potential of the attack.
Resources/Funding - Sophisticated attacks often require higher costs.
Intent/Motivation - Goal of the attack.
Vectors
Direct Access - Physical Access
Wireless - Through a shared wireless network or rogue access point
Email - Malicious links/phishing
Supply Chain - Trusted 3rd party is compromised
Social Media - Malicious links and scams/phishing, unintended employee over-sharing
Removable Media - Auto-run code from hot-swappable media (USB drives, CDs, disks)
Cloud - Manipulated or malicious cloud-based applications
Threat Intelligence Sources - Places to get data
Open-Source Intelligence (OSINT) - Public data
Closed/Proprietary - Paid-for data
Vulnerability Databases - Compiled information from multiple sources on vulnerabilities
Public/Private Info Sharing Centers - Organizations that collect and disseminate data
Dark Web - Black market data
Indicators of Compromise - DNS queries/network traffic, location data; used to identify an attack and reverse engineer it.
Automated Indicator Sharing (AIS) - Automated process to share security data between organizations.
Structured Threat Information eXpression (STIX) - Standard format for shared security data, contains info such as motive, ability, capability, and response info.
Trusted Automated eXchange of Intelligence Info (TAXII) - Security Data transfer protocol
Predictive Analysis - Using real-time data to try to identify compromise.
Threat Maps - Visual representation of where the attacks may be from and going.
File/Code Repositories - Databases of code shared between developers.
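To make the STIX/TAXII entries concrete, here is an added Python example (not from the original notes) that wraps a few constructed indicators of compromise in STIX 2.1 Indicator objects, packs them into the Bundle that a TAXII server would exchange, and validates a received bundle against the properties STIX 2.1 requires on an Indicator. The domain, IP address and hash are placeholders (documentation-range values; the hash is the SHA-256 of an empty file), not real threat data.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed indicators of compromise (placeholders, not real threat data).
CONSTRUCTED_IOCS = [
    {"kind": "domain", "value": "malicious.example", "name": "Constructed: C2 domain from phishing wave"},
    {"kind": "ipv4", "value": "203.0.113.45", "name": "Constructed: scanner hitting VPN gateway"},
    {"kind": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "name": "Constructed: dropper hash (SHA-256 of an empty file)"},
]

# STIX pattern templates for the observable types this example supports.
STIX_PATTERNS = {
    "domain": "[domain-name:value = '{v}']",
    "ipv4": "[ipv4-addr:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

# Properties STIX 2.1 requires on every Indicator object.
REQUIRED_INDICATOR_PROPS = {"type", "spec_version", "id", "created", "modified",
                            "pattern", "pattern_type", "valid_from"}


def stix_timestamp(dt):
    """STIX timestamps are RFC 3339, UTC, with a trailing Z."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_indicator(ioc, now=None):
    """Wrap one IoC in a STIX 2.1 Indicator SDO."""
    ts = stix_timestamp(now or datetime.now(timezone.utc))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": ioc["name"],
        "indicator_types": ["malicious-activity"],
        "pattern": STIX_PATTERNS[ioc["kind"]].format(v=ioc["value"]),
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(iocs, now=None):
    """A STIX Bundle is the unit of data a TAXII server hands out."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [make_indicator(i, now) for i in iocs]}


def bundle_to_json(bundle):
    return json.dumps(bundle, indent=2)


def validate_indicator(obj):
    """Return a list of problems; an empty list means the object is structurally acceptable."""
    problems = [f"missing {p}" for p in sorted(REQUIRED_INDICATOR_PROPS - set(obj))]
    if obj.get("type") != "indicator":
        problems.append("type is not indicator")
    if not str(obj.get("id", "")).startswith("indicator--"):
        problems.append("id must start with indicator--")
    if obj.get("spec_version") != "2.1":
        problems.append("spec_version must be 2.1")
    if obj.get("pattern_type") == "stix" and not str(obj.get("pattern", "")).startswith("["):
        problems.append("stix pattern must be a bracketed comparison expression")
    return problems


def validate_bundle_json(text):
    """Parse a bundle received from a feed; return (objects that passed, problems per failing id)."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("not a STIX bundle")
    ok, failures = 0, {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue  # this example only checks Indicator objects
        probs = validate_indicator(obj)
        if probs:
            failures[obj.get("id", "<no id>")] = probs
        else:
            ok += 1
    return ok, failures


if __name__ == "__main__":
    print(bundle_to_json(make_bundle(CONSTRUCTED_IOCS)))
```

Validating on receipt matters because an automated feed (AIS) lands straight in detection tooling: an indicator with no valid_from or a malformed pattern should be rejected at the edge rather than silently loaded.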
Research Sources
Vendor Websites - Vendor discovered/published data
Vulnerability Feeds - Government and private org provided vulnerability databases
Conferences - Convention, you can learn new research from presenters
Academic Journals - Peer-reviewed published research
Request For Comments (RFC) - Published by ISOC, often written by engineers on known issues/standards, best practices, and experimental and historical practices
Local Industry Groups - Geographically local meet-up
Social media - Groups often post to social media, keyword monitoring, public conversations
Threat Feeds - Automated threat feed sourced from multiple organizations
Adversary Tactics, Techniques, and Procedures (TTP) - What are threat actors doing to get access, what is their typical goal when in a network, where do they spend most of their time, which attack vectors do they like to use.
Sunday, July 17, 2022
AZ-500 003 - Deploy Azure AD Identity Protection
AZ-500: Microsoft Azure Security Technologies
Manage Identity and Access: Deploy Azure AD Identity Protection
Deploy and configure Identity Protection
Configure MFA for users, groups, and applications
Create Conditional Access policies to ensure your security
Create and follow an access review process
Azure AD Identity Protection - A tool that enables an org to automate the detection and remediation of ID-based risks, and assists with data logs in the portal or with a 3rd party utility.
ID Protection Default Policies
Azure MFA Registration Policy, Sign-in Risk Policy, Custom Conditional Access Policy
User Risk Policy - Identifies and responds to user accounts that may have compromised credentials. Can prompt the user to create a new password.
Sign-in Risk Policy - Identifies and responds to suspicious sign-in attempts. Can prompt the user to provide additional forms of verification using Azure AD Multi-Factor Authentication.
MFA Registration Policy - Makes sure users are registered for Azure AD Multi-Factor Authentication. If a sign-in risk policy prompts for MFA, the user must already be registered for Azure AD Multi-Factor Authentication.
Example Risk Detection Triggers:
Users with leaked credentials.
Sign-ins from anonymous IP addresses.
Impossible travel to atypical locations.
Sign-ins from infected devices.
Sign-ins from IP addresses with suspicious activity.
User Risk - User risk is a calculation of probability that an ID has been compromised.
User Risk Policy
Risky Users Report - Contains data for which users are at risk for up to the past 30 days, remediated risk, or had risk dismissed. Also has details about detection types, a history of all risky sign-ins, Conditional Access policies applied, MFA details, and device/app/location info.
Admin can set a response to a given condition/trigger, responses include:
Force a password reset
Confirm user compromised
Dismiss user risk
Block or Allow the sign-in
Investigate further using Azure ATP (Advanced Threat Protection)
Example Condition Triggers:
Location
Client Apps - Browser-based apps, mobile apps, and desktop clients
Risky Sign-ins
Azure Active Directory Multi-Factor Authentication (MFA) - Provides additional security by requiring a second form of authentication.
Authentication methods include:
Something you know (password/PIN)
Something you have (generated code, a specific device)
Something you are (biometrics)
MFA options
MFA Settings
Account Lockout - Set number of attempts allowed before lockout, time until lockout counter resets, time until account is auto unlocked.
Block/Unblock Users - Blacklist/whitelist user accounts
Fraud Alert - Configure so users can report fraud attempts, set auto block users when fraud is reported, fraud blocks account for 90 days or until released by an admin, and admin can review sign-in logs.
Notifications - Configure email notifications for fraud reports (typically sent to an ID admin).
OATH Tokens - Azure AD supports OATH-TOTP SHA-1 (keychain) tokens that refresh codes every 30 or 60 seconds.
Trusted IPs - Feature to allow federated users or IP address ranges to bypass MFA (only for inside of the company intranet)
Enable MFA - Azure AD>User Properties>Multi-Factor Authentication
All users start out Disabled. When you enroll users in per-user Azure AD Multi-Factor Authentication, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced. Administrators may move users between states, including from Enforced to Enabled or Disabled.
Azure AD Conditional Access - Tool used by AAD (Azure AD) to bring signals together to make decisions and enforce org policy. Enables an identity driven control plane (control of traffic).
Identity as a Service (IDaaS)
Conditional Access
Conditions: user/group, cloud application, device state, location (IP range), client application, and sign-in risk
Azure AD Access Reviews - Manage group membership, access to enterprise apps, and role assignments. User’s access can be reviewed on a regular basis.
When to run an access review:
Too many users in privileged roles
When automation is infeasible
When a new group is used for a new purpose
Business critical data access
To maintain a policy’s exception list
Ask group owners to confirm they still need guests in their groups
Have reviews recur periodically
Wednesday, July 13, 2022
AZ-500 002 - Implement Hybrid Identity
Manage Identity and Access: Implement Hybrid Identity
Azure AD Connect - Integrates on-prem directories with Azure AD and provides a common identity to be used across multiple platforms.
Password Hash Synchronization - Sign-in method that syncs a hash of a user’s on-prem AD password with Azure AD.
Pass-Through Authentication - Sign-in method that allows users to use the same password on-prem and in the cloud, without extra infrastructure or a federated environment.
Federation Integration - Operational part of Azure AD Connect, used to configure a hybrid environment using on-prem infrastructure. Provides management tools such as cert renewal and server deployments.
Synchronization - Creates users, groups, and other objects, and is responsible for syncing on-prem users and groups with cloud members and groups. Syncing includes password hashes.
Health Monitoring - Azure AD Connect Health provides monitoring in a central location in the Azure portal.
Cloud Authentication Methods
Password hash synchronization (PHS) - Feature used to sync user passwords from an on-prem Active Directory instance to a cloud-based Azure AD instance.
Azure AD Pass-through Authentication (PTA) - Alternative to PHS, users can cloud authenticate with on-prem creds. Authentication validates directly against an on-prem AD.
Federated Authentication - Authentication process handled by a separate, trusted system.
Details on decision questions:
Azure AD can handle sign-in for users without relying on on-premises components to verify passwords.
Azure AD can hand off user sign-in to a trusted authentication provider such as Microsoft’s AD FS.
If you need to apply user-level Active Directory security policies such as account expired, disabled account, password expired, account locked out, and sign-in hours on each user sign-in, Azure AD requires some on-premises components.
Sign-in features not natively supported by Azure AD:
Sign-in using smartcards or certificates.
Sign-in using on-premises MFA Server.
Sign-in using third-party authentication solution.
Multi-site on-premises authentication solution.
Azure AD Identity Protection requires Password Hash Sync regardless of which sign-in method you choose, to provide the Users with leaked credentials report. Organizations can fail over to Password Hash Sync if their primary sign-in method fails and it was configured before the failure event.
Password Writeback - Feature enabled with Azure AD Connect that allows password changes in the cloud to be written back to an existing on-prem directory in real time.
Network+ 006 - 1.5 Common Ports and Protocols, and their Encrypted Alternatives
1.0 Networking Fundamentals
1.5 Common Ports and Protocols, and their Encrypted Alternatives
Ports / Protocols
20/21 File Transfer Protocol (FTP) - File transfer functionality, unencrypted
22 Secure Shell (SSH) - Remote terminal access, encrypted
22 Secure File Transfer Protocol (SFTP) - File transfer functionality, encrypted
23 Telnet - Telecommunication network, unencrypted traffic
25 Simple Mail Transfer Protocol (SMTP) - Server to Server email, unencrypted
53 Domain Name System (DNS) - IP Address translation service
67/68 Dynamic Host Configuration Protocol (DHCP) - Automated configuration of IP Address service
69 Trivial File Transfer Protocol (TFTP) - Simple file transfer, UDP
80 Hypertext Transfer Protocol (HTTP) - Web data, unencrypted
110 Post Office Protocol v3 (POP3) - Receive email from an email server
123 Network Time Protocol (NTP) - Synchronizes the clocks between network devices, UDP
143 Internet Message Access Protocol (IMAP) - Receive email from an email server
161/162 Simple Network Management Protocol (SNMP) - Gathers data/stats from network devices. V1, v2 are unencrypted, V3 is encrypted.
389 Lightweight Directory Access Protocol (LDAP) - Network Directory data, unencrypted
443 Hypertext Transfer Protocol Secure (HTTPS) [Secure Socket Layer (SSL)] - Web data, encrypted
443 HTTPS [Transport Layer Security (TLS)] - Web data, encrypted, TLS is stronger than SSL
445 Server Message Block (SMB) - Windows file sharing, also goes by CIFS (Common Internet File System), TCP
514 Syslog - Log data, usually integrated into a SIEM, requires large disk space to database logs.
587 SMTP TLS - Server to Server email, encrypted
636 Lightweight Directory Access Protocol (Over SSL) (LDAPS) - Network Directory data, encrypted
993 IMAP over SSL - Email data, encrypted
995 POP3 over SSL - Email data, encrypted
1433 Structured Query Language (SQL) Server - Microsoft SQL database data
1521 SQLnet - Oracle SQL *Net, Oracle Net, Net8 data
3306 MySQL - Free and Open-source database data, acquired by Oracle
3389 Remote Desktop Protocol (RDP) - Connect to a device remotely
5060/5061 Session Initiation Protocol (SIP) - Manages VoIP (Voice over IP) signals and sessions.
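As an added example, not part of the original notes, here is a Python audit that applies the table above to a constructed inventory of listening ports: each cleartext service is paired with the encrypted alternative from the table, and the script notes whether that alternative is already listening on the same host (so the cleartext port can simply be closed) or still has to be enabled first. Hostnames and port lists are made up; only ports whose encryption status the table states are included.

```python
from collections import Counter

# Port -> (service, encrypted?, encrypted alternative port or None), taken from the table
# above. SNMP's fix is a protocol version (v3) on the same port, so its alternative is
# the port itself.
PORT_TABLE = {
    21: ("FTP", False, 22),
    22: ("SSH/SFTP", True, None),
    23: ("Telnet", False, 22),
    25: ("SMTP", False, 587),
    80: ("HTTP", False, 443),
    110: ("POP3", False, 995),
    143: ("IMAP", False, 993),
    161: ("SNMP v1/v2", False, 161),
    389: ("LDAP", False, 636),
    443: ("HTTPS", True, None),
    587: ("SMTP TLS", True, None),
    636: ("LDAPS", True, None),
    993: ("IMAP over SSL", True, None),
    995: ("POP3 over SSL", True, None),
}

# Constructed inventory: listening ports per host (hostnames and ports are made up).
INVENTORY = {
    "fileserver": [21, 22, 445],
    "mailrelay": [25, 587, 993],
    "switch01": [23, 161],
    "www": [80, 443],
    "dc01": [389, 636, 3389],
}


def audit_host(host, ports):
    """Classify each listening port on one host and suggest the encrypted replacement."""
    open_ports = set(ports)
    findings = []
    for port in sorted(open_ports):
        entry = PORT_TABLE.get(port)
        if entry is None:
            service, status = "unknown", "unlisted"
            advice = "identify the service; it is not in the table"
        else:
            service, encrypted, alt = entry
            if encrypted:
                status, advice = "encrypted", None
            elif alt == port:
                status = "cleartext"
                advice = f"upgrade {service} to the encrypted protocol version on port {port}"
            elif alt in open_ports:
                status = "cleartext"
                advice = f"encrypted alternative already listening on {alt}; migrate clients and close {port}"
            else:
                status = "cleartext"
                advice = f"enable the encrypted alternative on {alt}, then close {port}"
        findings.append({"host": host, "port": port, "service": service,
                         "status": status, "advice": advice})
    return findings


def audit(inventory):
    return [f for host, ports in inventory.items() for f in audit_host(host, ports)]


def summarize(findings):
    """Counts per status: the headline numbers for a report."""
    return Counter(f["status"] for f in findings)


def cleartext_ports(findings):
    return {(f["host"], f["port"]) for f in findings if f["status"] == "cleartext"}


if __name__ == "__main__":
    results = audit(INVENTORY)
    for f in results:
        if f["status"] != "encrypted":
            print(f"{f['host']}:{f['port']} {f['service']} {f['status']} -> {f['advice']}")
    print(dict(summarize(results)))
```

Ports the table says nothing about (445 and 3389 in the constructed inventory) are reported as unlisted rather than assumed safe; an audit should never treat an unknown listener as a pass.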
IP Protocol Types
Internet Control Message Protocol (ICMP) - Messaging between network devices
TCP - Transmission Control Protocol, Connection-oriented (opens/closes a session) with built in reliability, packets are verified and acknowledged when received. Also has data flow control.
UDP - User Datagram Protocol, connectionless (no session), no flow control and no verification/acknowledgement that packets were received. Sends the packet and forgets.
Generic Routing Encapsulation (GRE) - Creates a tunnel between two endpoints; no built-in encryption, so the tunnel is unencrypted on its own.
Internet Protocol Security (IPsec) - OSI layer 3 security, packet authentication and encryption, common VPN protocol
Authentication Header (AH) - Provides data origin authentication, data integrity, and replay protection, unencrypted
Encapsulating Security Payload (ESP) - Provides data origin authentication, data integrity, and replay protection, encrypted
Connectionless vs Connection-Oriented
Connectionless - Does not establish a connection session.
Connection-Oriented - Establishes a (handshake) connection session.
Sunday, July 10, 2022
PowerShell 005 - PowerShell Remoting
PowerShell can connect remotely to other devices and run cmdlets on them as if you were executing the cmdlets on your own device. This requires the WinRM service to be running on the target. If you have admin privileges for a device on your network, WinRM can be started remotely with the following cmdlet:
Get-Service -name winrm -ComputerName [Hostname] | Set-Service -Status running
With this line we start by getting the service, selected by name, on the target [Hostname], then pipe (|) the retrieved service object (WinRM) into Set-Service to set its status to "running", in other words to turn the service on. Note that the -ComputerName parameter of Get-Service exists in Windows PowerShell 5.1 but was removed in PowerShell 7, so this one-liner needs the Windows PowerShell host. Once WinRM is running, we can use the cmdlet:
Enter-PSSession [Hostname]
If this cmdlet succeeds, any additional cmdlets you run execute on the target device, using the resources available to that system. You can end this PowerShell session with the cmdlet:
Exit
After you run this your cmdlets will once again be running from your device as normal.
Additional Commands
PowerShell remoting is a powerful tool and can be used to do many things without interrupting the end-user. Some examples of what you can do once connected to a device are:
Whoami /all
Lists the current user, their Security Identifier (SID), privileges, and group memberships.
Systeminfo
Displays info about the computer and its operating system.
Get-WmiObject -Class Win32_Product | select name
A list of all applications installed to the device.
Start-Process [Filepath]
Stop-Process -Name [Processname, or a partial process name with * on each side]
Remotely install software, or start or stop a program. Many programs can be installed silently (without disturbing the end-user), but each piece of software has its own syntax for this.
Resource: Silent Install HQ - Database on silent install syntax for many applications.
AZ-500 001 - Manage Identity and Access: Overview
AZ-500: Microsoft Azure Security Technologies
Manage Identity and Access (30-35% of exam): Overview
I. Manage Azure Active Directory (Azure AD) Identities
1. Create and manage a managed identity for Azure resources
2. Manage Azure AD groups
3. Manage Azure AD users
4. Manage external identities by using Azure AD
5. Manage administrative units
1. Managed identities provide an automatically managed identity in Azure Active Directory for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Applications can use managed identities to obtain Azure AD tokens without having to manage any credentials.
2. Two types of groups
Security Groups - Used to manage access to a shared resource.
Microsoft 365 groups - Used to enable collaboration, gives users access to shared inboxes, calendars, SharePoint sites, etc.
Three ways to assign group access
Assigned - Add user to group, static.
Dynamic User - User given group membership based on a set of rules, fluid.
Dynamic Device - Device is given (security) group membership based on a set of rules, fluid.
3. Azure AD defines users in three ways: Cloud Id, Directory-Synchronized Id, Guest Users
4. External users can be added as business-to-business (B2B), business-to-consumer (B2C), or guest roles.
5. Administrative unit - Azure AD resource that contains only users and groups and can be a container for other Azure AD resources.
Types of administrative unit roles: Authentication admin, Groups admin, Helpdesk admin, License admin, Password admin, User admin
II. Manage Secure Access by Using Azure AD
1. Configure Azure AD Privileged Identity Management (PIM)
2. Implement Conditional Access Policies, Including multifactor authentication
3. Implement Azure AD identity Protection
4. Implement Passwordless Authentication
5. Configure Access reviews
1. P2 License feature, Provides time-limited access to resources/privileges, can be set up to require MFA to activate any given role, can require justification for privileges (audited), and creates logs. This is used to help prevent lateral movement in the case of a compromise.
2. Use signals (user/location/device/app) to make access decisions and enforce them.
3. P2 License feature, Automate user risk and sign-in risk remediation
4. Use multiple authentication methods in lieu of a traditional password.
Windows Hello for Business - biometric and PIN authentication tied to a specific PC.
FIDO2 Security Keys - Generally on a USB drive, authentication through software.
Microsoft Authenticator App - Mobile app tied to a specific phone used to authenticate.
FIDO2 Smartcards - Software authentication on a smartcard (chip card).
Temporary Access Pass - Time-limited passcode.
5. Enable requirements to recertify group memberships, app access, and privileged roles.
III. Manage Application Access
1. Integrate single sign-on (SSO) and Identity Providers for Authentication
2. Create an App Registration
3. Configure App Registration Permission Scopes
4. Manage App registration Permission Consent
5. Manage API Permissions to Azure subscriptions and resources
6. Configure an Authentication Method for a Service Principal
Microsoft Identity Platform - App Registration > Client SDK > Endpoint > Target Audience
1. Use Azure AD to authenticate for non-Microsoft apps, you can also code this into apps.
2. Apps that authenticate with Azure AD must be registered to a directory, registration creates a unique Application ID.
3. Control/limit the amount of access provided to an application based on permissions.
4. Build a consent flow to provide an authentication option to a resource.
5. Microsoft Graph - Apps are authorized to call APIs when granted permissions by user/admins as part of the consent process.
Delegated Permissions - Used by apps that have a current signed-in user.
Application Permissions - Used by apps that do not have a signed-in user.
6. MS Link - Access Azure Sphere Public API with AAD application service principal
Managed Identities - Azure AD authentication, System-assigned or user-assigned.
Create a Managed ID Service Principal in AD.
Local endpoint requests token, token grants permissions to Service Principal.
IV. Manage Access Control
1. Configure Azure role permissions for management groups, subscriptions, resource groups, and resources
2. Interpret Role and Resource Permissions
3. Assign built-in Azure AD roles
4. Create and assign custom roles, including Azure roles and Azure AD roles
1. Azure Policy - Service in Azure that allows you to create, assign and manage policies. Focus on resource properties during deployment and for already existing resources.
Azure RBAC (Role-Based Access Control) - Used in conjunction with Azure AD admin roles to authenticate users, manages who has access to resources, what area they have access to, and what they can do with the resources.
2. Allow/restrict resource types, allowed Virtual Machine SKUs (Stock-Keeping Unit, a purchasable size/tier), allow/restrict geographical locations, require/enforce a tag and its value, Azure Backup for VMs if enabled
Built-in Azure roles
Owner - Allows you to manage everything for a resource.
Contributor - Allows you to manage everything except access for a resource.
Reader - Allows you to view but not edit a resource.
User Access Administrator - Allows you to manage user access to a resource.
3. Azure AD roles - A name and set of permissions which are used for Access Control.
Built-in Azure AD roles
Global administrator - The highest level of access, can admin the admins.
User administrator - Creates and manages users/groups, and can reset most passwords.
Helpdesk administrator - Can reset passwords for non-admins.
Billing administrator - Can make purchases and manage subscriptions.
4. MS Link - Create and assign a custom role in Azure Active Directory
Saturday, July 9, 2022
Security+ 004 - 1.4 Potential Indicators of a Network Attack
1.0 Attacks, Threats, and Vulnerabilities
1.4 Potential Indicators of a Network Attack
Wireless
Evil Twin - Made to look legitimate, configured to match similar settings, wireless phishing.
Rogue Access Point - Access Point on a network that was not authorized.
Bluesnarfing - Attacker uses Bluetooth to access data.
Bluejacking - Unsolicited messages sent through Bluetooth.
Disassociation - Wireless connection keeps dropping, deauthenticated from wireless network.
RF Jamming - Radio Frequency is interfered with to prevent the signal from being received.
Radio Frequency Identification (RFID) - Attacks can be data capture, spoof RFID, jamming.
Near-Field Communication (NFC) - Two-way wireless communication, built on RFID.
Initialization Vector (IV) - A way to add randomization to the encryption process.
On-Path Attack (man-in-the-middle/man-in-the-browser attack) - An attacker is able to intercept and redirect communications/data from a device.
Layer 2 Attacks
Address Resolution Protocol (ARP) Poisoning - Redirects traffic by changing the cached ARP data on the target device, needs to be on the same local network.
Media Access Control (MAC) Flooding - Attacker sends traffic with many different source MAC addresses to fill up a switch's MAC address table; once overloaded, the switch behaves more like a hub, letting the attacker capture network traffic.
MAC Cloning - Spoofing a MAC Address, can be used to create a duplicate of existing MAC device, circumvent filters, create a communication disruption.
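Each of the three Layer 2 attacks above leaves a trace a defender can look for. As an added example (not from the original notes), the Python below runs three detections over constructed data: an IP address answered by more than one MAC in ARP replies (the signature of ARP poisoning, or of a cloned/duplicate MAC), a reply that contradicts a known-good table kept for critical hosts such as the gateway (the same idea as static ARP entries or a Dynamic ARP Inspection binding table), and a switch port that has learned an implausible number of MAC addresses (MAC flooding, which port-security limits would stop). The ARP records, known-good table and switch MAC table are all made up.

```python
from collections import Counter, defaultdict


def norm_mac(mac):
    """Compare MACs case-insensitively and regardless of separator."""
    return mac.lower().replace("-", ":")


# Constructed ARP reply records (time, sender IP, sender MAC), as a LAN sensor would log them.
ARP_REPLIES = [
    ("09:00:01", "10.0.0.1", "00:11:22:33:44:01"),   # the real gateway
    ("09:00:05", "10.0.0.20", "00:11:22:33:44:20"),
    ("09:00:09", "10.0.0.1", "00:11:22:33:44:01"),
    ("09:01:10", "10.0.0.1", "DE:AD:BE:EF:00:99"),   # a second MAC now claims the gateway's IP
    ("09:01:12", "10.0.0.21", "00:11:22:33:44:21"),
]

# Known-good mappings an admin maintains for critical hosts (constructed).
KNOWN_GOOD = {"10.0.0.1": "00:11:22:33:44:01"}

# Constructed switch MAC address table entries (port, MAC). Gi0/7 learns far too many.
MAC_TABLE = [("Gi0/1", "00:11:22:33:44:01"), ("Gi0/2", "00:11:22:33:44:20"),
             ("Gi0/3", "00:11:22:33:44:21")]
MAC_TABLE += [("Gi0/7", f"02:00:00:00:{i // 256:02x}:{i % 256:02x}") for i in range(300)]


def ip_to_macs(replies):
    seen = defaultdict(set)
    for _, ip, mac in replies:
        seen[ip].add(norm_mac(mac))
    return seen


def detect_arp_conflicts(replies):
    """IPs for which more than one MAC has answered."""
    return {ip: sorted(macs) for ip, macs in ip_to_macs(replies).items() if len(macs) > 1}


def detect_known_good_violations(replies, known_good=KNOWN_GOOD):
    """Replies that contradict the known-good table, with the time of each sighting."""
    violations = []
    for ts, ip, mac in replies:
        expected = known_good.get(ip)
        if expected and norm_mac(mac) != norm_mac(expected):
            violations.append((ts, ip, norm_mac(mac)))
    return violations


def detect_mac_flooding(table, threshold=50):
    """Ports whose learned-MAC count exceeds what a single access port should ever see."""
    per_port = Counter(port for port, _ in table)
    return {port: n for port, n in per_port.items() if n > threshold}


if __name__ == "__main__":
    print("ARP conflicts:", detect_arp_conflicts(ARP_REPLIES))
    print("Known-good violations:", detect_known_good_violations(ARP_REPLIES))
    print("Flooded ports:", detect_mac_flooding(MAC_TABLE))
```

The known-good check is the more reliable of the two ARP rules: a conflict detector only fires once the legitimate host has also been seen, while a static table flags the first bad reply and names the time it arrived.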
Domain Name System (DNS)
Domain Hijacking - Attacker gets access to the domain registration and can control where the traffic flows.
DNS Poisoning - Attacker redirects network traffic.
Uniform Resource Locator (URL) Redirection - Makes use of similar looking URLs, misspelled URLs to try to get a victim to go to an incorrect site.
Domain Reputation - Your domain's security posture is tracked on the Internet; once suspicious emails or services are reported, the domain gets limited, and a domain can be flagged by search engines as containing malware.
Denial of Service (DoS) Attacks
Distributed Denial-of-Service (DDoS) - Force a service to fail by using many devices to cause a traffic spike/overload.
Network - Layer 2 loop without STP (spanning tree protocol), bandwidth overload, DNS amplification.
Application - Fill disk space, Overuse a measured cloud resource.
Operational Technology (OT) - Attacker targets industrial infrastructure: electric grid, traffic control, manufacturing plants or pipelines, etc.
Malicious Code or Script Execution
PowerShell - .ps1 file extension, uses cmdlets to run scripts and functions, or executables. Highly integrated to be used for Windows system administration.
Python - .py file extension, commonly used for cloud orchestration, broad support across many platforms.
Bash - .sh file extension; Bash, Bourne, Korn and C are Linux/Unix shells; scripts often start with a hash-bang (#!) line.
Macros - Automated functions used within an app or OS, automated exploit.
Visual Basic for Applications (VBA) - Automates processes with Windows apps, can interact with the OS, similar to macros, vulnerabilities can lead to more direct access.
Thursday, July 7, 2022
Network+ 005 - 1.4 Subnets and IP Addressing Schemes
1.0 Networking Fundamentals
1.4 Subnets and IP Addressing Schemes
Binary Math
128 64 32 16 8 4 2 1 = 255
11111111.11111111.11111111.00000000 = 255.255.255.0
Public vs Private
RFC1918 - Designated private IP address ranges.
Network Address Translation (NAT) - When a device changes an IP address as it crosses through a network.
Port Address Translation (PAT) - Use of ports to designate which device is trying to communicate from a network.
IPv4 - OSI layer 3 address; a host needs a 4-octet address, a subnet mask, and a default gateway to communicate.
IPv6 - OSI layer 3 address, doesn’t use Broadcast, makes use of eight groups of four hexadecimal digits for addressing.
Automatic Private IP Addressing (APIPA) - Link local address, not able to communicate outside of the subnet, often a sign that DHCP failed to provide an IP address to the host.
Extended Unique Identifier (EUI-64) - IPv6 address configured based on a MAC address.
Multicast - Used extensively in IPv6, sends data to all devices wanting to receive the data.
Unicast - One to one, sending data between two systems.
Anycast - One to one-of-many, sends data to an arbitrary system on a network.
Broadcast - Sending data to all systems on a network, limited by broadcast domain scope.
Link Local - Network address that is only able to communicate within a subnet (APIPA).
Loopback - 127.x.x.x, IP address range that represents the local host on a network.
Default Gateway - IP address that is used to allow a device to communicate beyond the subnet.
IPv4 Subnetting
Classless (variable-length subnet mask) - Subnetting a network into specific sizes based on the subnet mask itself instead of being based on an IP address class designation.
Classful - Subnetting architecture where an IP address can designate your subnet.
Classless Inter-Domain Routing (CIDR) notation - Slash notation, used as shorthand for a subnet mask; the number represents how many bits are in use for the network address vs the host address. (255.255.255.0 = 11111111.11111111.11111111.00000000 = /24)
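The binary math, CIDR notation, RFC1918, APIPA and loopback entries above all come down to a few bit operations on a 32-bit integer. As an added example (not part of the original notes), the Python below does that arithmetic by hand: prefix length to dotted-decimal mask and back (rejecting a non-contiguous mask), network and broadcast address, usable host range (including the /31 point-to-point case from RFC 3021 and the /32 single host), classification of an address against the special ranges named in the notes, and a cross-check of the hand-rolled result against the standard library's ipaddress module.

```python
import ipaddress  # standard library; used only to cross-check the hand-rolled arithmetic


def dotted_to_int(dotted):
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_dotted(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted):
    """Dotted-decimal to the 8-bits-per-octet form used in the binary math above."""
    return ".".join(f"{int(p):08b}" for p in dotted.split("."))


def prefix_to_mask(prefix):
    """/24 -> 255.255.255.0: the prefix is the count of leading one bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return int_to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def mask_to_prefix(mask):
    """255.255.255.0 -> 24, refusing masks whose ones are not contiguous from the left."""
    inverted = ~dotted_to_int(mask) & 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous mask: {mask}")
    return 32 - inverted.bit_length()


def subnet_info(cidr):
    """Network, broadcast, host range and usable host count for an address in CIDR form."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = dotted_to_int(prefix_to_mask(prefix))
    network = dotted_to_int(addr) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    if prefix == 32:           # a single host: no separate network/broadcast
        first, last, usable = network, network, 1
    elif prefix == 31:         # point-to-point link (RFC 3021): both addresses are hosts
        first, last, usable = network, broadcast, 2
    else:
        first, last, usable = network + 1, broadcast - 1, 2 ** (32 - prefix) - 2
    return {"network": int_to_dotted(network), "mask": prefix_to_mask(prefix), "prefix": prefix,
            "broadcast": int_to_dotted(broadcast), "first_host": int_to_dotted(first),
            "last_host": int_to_dotted(last), "usable_hosts": usable}


# Special ranges from the notes: RFC 1918 private, APIPA link-local, loopback.
SPECIAL_RANGES = [
    ("10.0.0.0/8", "private (RFC1918)"),
    ("172.16.0.0/12", "private (RFC1918)"),
    ("192.168.0.0/16", "private (RFC1918)"),
    ("169.254.0.0/16", "link-local (APIPA)"),
    ("127.0.0.0/8", "loopback"),
]


def classify(ip):
    n = dotted_to_int(ip)
    for cidr, label in SPECIAL_RANGES:
        info = subnet_info(cidr)
        if dotted_to_int(info["network"]) <= n <= dotted_to_int(info["broadcast"]):
            return label
    return "public"


def cross_check(cidr):
    """True when the hand-rolled result agrees with the standard library."""
    ours, theirs = subnet_info(cidr), ipaddress.ip_network(cidr, strict=False)
    return (ours["network"] == str(theirs.network_address)
            and ours["broadcast"] == str(theirs.broadcast_address)
            and ours["mask"] == str(theirs.netmask))


if __name__ == "__main__":
    print(to_binary(prefix_to_mask(24)), "=", prefix_to_mask(24), "= /", mask_to_prefix("255.255.255.0"))
    print(subnet_info("192.168.10.77/26"))
    print(classify("192.168.10.77"), classify("169.254.3.3"), classify("203.0.113.9"))
```

The mask validity check is the part worth remembering: a mask such as 255.255.254.255 has the right number of one bits for a /31 but is not a valid mask at all, and the contiguity test (inverted mask plus one must be a power of two) catches it where a simple bit count would not.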
IPv6 Concepts
Tunneling
6to4 Addressing - Sends IPv6 over IPv4, creates an IPv6 address on an IPv4 one, no NAT support, requires relay routers.
4in6 Tunneling - Tunnel IPv4 through IPv6 network.
Teredo - Tunnels IPv6 through NATed IPv4, end-to-end IPv6 through IPv4
Miredo - Open-source Teredo implementation for Linux/macOS
Dual Stack - Router runs both IPv4 and IPv6 simultaneously.
Shorthand Notation - Leading zeros can be removed, groups of zeros can be abbreviated with ::
Router Advertisement - No ARP in IPv6, uses NDP (Neighbor Discovery Protocol)
Neighbor Solicitation (NS) - Multicast used to find other devices
Neighbor Advertisement (NA) - Device response to NS
Discover Routers - Router Solicitation (RS) and Router Advertisement (RA)
Stateless Address Autoconfiguration (SLAAC) - Auto configures a static IPv6 address without a DHCP server.
DAD (Duplicate Address Detection) - Used to detect IP conflicts/duplicates
Virtual IP (VIP) - IP address assigned to a virtual machine.
Subinterfaces - Virtual network interface (connection), a parent interface is divided into two or more virtual interfaces which you can assign an IP address to.
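The EUI-64, SLAAC and shorthand-notation entries above describe transformations that are easy to get subtly wrong by hand. As an added example (not part of the original notes), the Python below implements them: expanding and compressing IPv6 addresses per the shorthand rules (drop leading zeros, replace the longest run of at least two zero groups with ::, leftmost run on a tie), deriving an EUI-64 interface identifier from a MAC address (split, insert ff:fe, flip the universal/local bit), building the link-local and SLAAC addresses from it, and cross-checking the text forms against the standard library's ipaddress module. The MAC address and prefix used are made up.

```python
import ipaddress  # standard library; used only to cross-check the hand-rolled results
import re


def expand(addr):
    """Expand shorthand to eight 4-digit hex groups (the reverse of the :: abbreviation)."""
    if addr.count("::") > 1:
        raise ValueError("only one :: is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        h = head.split(":") if head else []
        t = tail.split(":") if tail else []
        missing = 8 - len(h) - len(t)
        if missing < 1:
            raise ValueError(":: must stand for at least one zero group")
        groups = h + ["0"] * missing + t
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups: {addr}")
    return [f"{int(g, 16):04x}" for g in groups]


def compress(addr):
    """Shorthand: drop leading zeros, replace the longest run (>= 2) of zero groups with ::."""
    groups = [g.lstrip("0") or "0" for g in expand(addr)]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:          # strict >, so a tie keeps the leftmost run
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def eui64_interface_id(mac):
    """EUI-64: split the 48-bit MAC, insert ff:fe in the middle, flip the universal/local bit."""
    octets = [int(x, 16) for x in re.split(r"[:-]", mac.strip())]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad MAC: {mac}")
    octets[0] ^= 0x02                 # the U/L bit is bit 1 of the first octet
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return ":".join(f"{eui[k]:02x}{eui[k + 1]:02x}" for k in range(0, 8, 2))


def link_local_from_mac(mac):
    """fe80::/64 plus the EUI-64 interface ID: the address every IPv6 interface gives itself."""
    return compress("fe80:0:0:0:" + eui64_interface_id(mac))


def slaac_address(prefix_cidr, mac):
    """SLAAC with EUI-64: the router-advertised /64 prefix plus the MAC-derived interface ID."""
    prefix, length = prefix_cidr.split("/")
    if int(length) != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    net = expand(prefix)[:4]
    return compress(":".join(net) + ":" + eui64_interface_id(mac))


def cross_check(addr):
    """True when both text forms agree with the standard library."""
    parsed = ipaddress.IPv6Address(addr)
    return compress(addr) == parsed.compressed and ":".join(expand(addr)) == parsed.exploded


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed MAC address
    print("interface id:", eui64_interface_id(mac))
    print("link-local:  ", link_local_from_mac(mac))
    print("SLAAC:       ", slaac_address("2001:db8:1:2::/64", mac))
```

Because the EUI-64 interface ID is derived from the hardware address, the same host keeps the same lower 64 bits across every network it joins; that traceability is why operating systems default to privacy extensions (random interface IDs) instead, which is worth knowing when an inventory shows ff:fe in the middle of an address.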