Cybersecurity #

Certifications #

Vulnerability Case Studies #

Links #

Info Graphs #

Goodies #

Great Scott Gadgets
- HackerRF One
  - Antenna 300 MHz to 1.1 GHz
  - Antenna 75 MHz to 1 GHz
- HackerRF Pro
- YARD Stick One
- There are extended versions:
  - PortaPack (Shipped in EU!)
Flipper Zero

Abbreviations #

VLAN - Virtual LAN
CSA - Cloud Security Alliance
CCM - Cloud Controls Matrix
SDN - Software defined networking
SDV - Software defined visibility
VPC - Virtual Private Cloud
HSM - Hardware Security Modules
CASB - Cloud Access Security Broker
MSP - Managed Service Provider
MSSP - Managed Security Service Provider
FDE - Full-disk encryption
TDE - Transparent Data Encryption
CLE - Column-Level Encryption
NIST - National Institute of Standards and Technology
AES - Advanced Encryption Standard
DES - Data Encryption Standard
ECC - Elliptic Curve Cryptography
PKI - Public Key Infrastructure
CN - Common Name
SANS - Subject Alternative Names
CSR - Certificate Signing Request
DV - Domain Validation
EX - Extended Validation
CRL - Certificate Revocation List
OCSP - Online Certificate Status Protocol
CPS - Certificate Practice Statement
DER - Distinguished Encoding Rules
PEM - Privacy Enhanced Mail
PFX - Personal Information Exchange
HMAC - Hash-Based Message Authentication Code
SHS - Secure Hash Standard
SHA - Secure Hashing Algorithm
SCAP - Security Content Automation Protocol
CGE - Common Configuration Enumeration
CGE - Common Platform Enumeration
CVE - Common Vulnerabilities and Exposures
CVSS - Common Vulnerability Scoring System
XCCDF - Common Configuration Checklist Description Format
OVAL - Open Vulnerability and Assessment Language
SIEM - Security Information and Event Management
IDS - Intrusion detection systems
IPS - Intrusion prevention systems
APT - advanced persistent threat
STIX - Structured Threat Information eXpression
TAXII - Trusted Automated eXchange of Intelligence Information
ISACs - Information Sharing and Analysis Centers
RAID - Redundant Array of Independent Disks
RTO - Recovery Time Objective
UAV - Unmanned Aerial Vehicles
CCTV - Closed-Circuit TV
RFID - Radio Frequency Identification
UEFI - Unified Extensible Firmware Interface
OEM - Original Equipment Manufacturer
PCRs - Platform Configuration Registers
TPM - Trusted Platform Module
PUFs - Physically Unclonable Functions
KMS - Key Management Services
EDR - Endpoint Detection and Response
DLP - Data Loss Prevention
HIPS - Host-Based Intrusion Prevention System
SD-WAN - Software-Defined Wide Area Network
MPLS - Multiprotocol Label Switching
SASE - Secure Access Service Edge
DMZ - Demilitarized Zone
NAC - Network Access Control
BPDU - Bridge Protocol Data Unit
STP - Spanning Tree Protocol
DHCP - Dynamic Host Configuration Protocol
VPN - Virtual Private Network
IPSec - Internet Protocol Security
AH - Authentication Header
ESP - Encapsulating Security Payload
SA - Security Associations
SSL - Secure Socket Layer
TLS - Transport Layer Security
SNMP - Simple Network Management Protocol
DKIM - DomainKeys Identified Mail
SPF - Sender Policy Framework
DMARC - Domain Based Message Authentication Reporting and Conformance
S/MIME - Secure Multipurpose Internet Mail Extension
SRTP - Secure Real Time Transport Protocol
SRTCP - Secure Real Time Control Protocol
HSTS - HTTP Strict Transport Security
QoS - Quality Of Service
DDoS - Distributed Denial-of-Service
NGFW - Next-Generation Firewalls
UTM - Unified Threat Management
ACLs - Access Control Lists
SSID - Service Set Identifiers
WPA - Wi‑Fi Protected Access
CCMP - Counter Mode Cipher Block Chaining Message Authentication Code Protocol
SAE - Simultaneous Authentication of Equals
OWE - Opportunistic Wireless Encryption
WLAN - Wireless Local Area Network
EAP - Extensible Authentication Protocol
PEAP - Protected EAP
EAP-FAST - EAP-Flexible Authentication Via Secure Tunneling
EAP-TLS - EAP-Transport Layer Security
EAP-TTLS - EAP-Tunneled Transport Layer Security
TKIP - Temporal Key Integrity Protocol
BYOD - Bring-Your-Own-Device
CYOD - Choose-Your-Own-Device
COPE - Corporate-Owned, Personally-Enabled
COBO - Corporate-Owned; Business Only
VDI - Virtual Desktop Infrastructure
UEM - Unified Endpoint Management
MDM - Mobile Device Management
MAM - Mobile Application Management
MCM - Mobile Content Management
GPS - Global Positioning System
NFC - Near Field Communication
PII - Personal Identifiable Information
PHI - Protected Health Information
DPO - Data Protection Officer

Study Topics #

Discretionary Access Control (DAC)
Hot Site
A documented restoration order helps ensure that systems and services that have dependencies start in the right order and that high‐priority or mission‐critical services are restored first
Fog commputing
Cloud Access Security Brokers
Transit gateway <VPC/On Prem connection>
General concepts
Backups
Endpoint security -> Insecure Ports
XDR is similar to EDR but has a broader perspective covering not only endpoints but also cloud services, security platforms, and other components.
A Windows Group Policy Object (GPO) can be used to control whether users are able to install software. Antivirus will not stop this, nor will EDR or a HIPS.
A host‐based intrusion prevention system (HIPS) can detect and prevent attacks against services while allowing the service to be accessible
SCADA (supervisory control and data acquisition) is a system architecture that combines data acquisition and control devices with communications methods and interfaces to oversee complex industrial and manufacturing processes, just like those used in utilities.
SCADA (supervisory control and data acquisition) is a system architecture that combines data acquisition and control devices with communications methods and interfaces to oversee complex industrial and manufacturing processes, just like those used in utilities.
SNMP traps can be configured to provide additional information, but typical SNMP traps provide information about issues such as links going down, authentication failures, and reboots
SD‐WAN (software‐defined wide area network) is commonly used to replace MPLS (Multiprotocol Label Switching) networks, which are typically higher cost than other connectivity options
Policy enforcement points communicate with policy administrators to forward requests from subjects and to receive instructions from them about connections to allow or end.
SASE (Secure Access Service Edge) combines network security and device security by leveraging SD‐WAN with security tools like Zero Trust, firewalls, and cloud access security brokers (CASBs)
Simultaneous Authentication of Equals (SAE) is used to establish a secure peering environment and to protect session traffic. Since the process requires additional cryptographic steps, it causes brute‐force attacks to be much slower and thus less likely to succeed
Wireless protocol
FDE: Full Disk Encryption
The Windows Security log records logon events when logon auditing is enabled. The Application and System logs do not contain these events.
CVSS format / SCAP
Metasploit
Footprinting - Detecitng running oS and versions etc
Spearphishing - specific group
Secure baselines are used to document the settings and procedures used to configure systems or devices. The other answer choices are not common industry terms
Ephemeral, short‐lived keys, are used with key establishment. 8 A checksum is a computation that is used to determine whether a file or message has been changed, allowing error detection. A hash generates a unique value for a file and is a one‐way function—it cannot be reversed to re‐create the original file.
RAID
A UPS (uninterruptible power supply) relies on batteries or other stored power to keep systems online during short power outages, and it can also provide stable power during power sags and undervoltage events.
The /etc/shadow file contains password hashes for most modern Linux implementations, and Ben can then use a tool such as rainbow tables or John the Ripper to crack passwords. John itself is not a password file or repository, and /etc/passwd is a secure pointer to /etc/shadow and does not actually contain useful information. Finally, an offline password attack implies activity that does not take place over the network, so SSH is not a valid answer.
n MOU provides an informal means to document the relationship between separate parties, making it well suited for situations involving different business units within the same company.
Boot attestation provides information about the software that it booted with to an attestation verification platform or system after boot, unlike secure boot, which uses a chained verification process to ensure that each component is signed and acceptable before it is loaded.
Remote access Trojans (RATs) are Trojans that are specifically designed to provide remote administrative access. The rest of the answers here are made up. *Trusted Automated Exchange of Indicator Information (TAXII) is intended to allow cyberthreat information to be communicated at the application layer via HTTPS. Structured Threat Information Expression (STIX) is an XML format for describing threat components. OpenIOC is an XML format for describing indicators of compromise. TTP is a generic term for adversary tactics, techniques, and procedures and is not a communication protocol or standard.
Sarbanes–Oxley Act (SOX Act), as it is specifically designed for U.S. publicly traded companies. It insists on a high level of confidence in the IT systems that manage these companies’ financial records.
Emily is looking for a solution to minimize the load of numerous third‐party audits. In such a situation, SSAE 18, also referred to as service organization controls (SOC) audits, is an ideal solution as it provides a common standard for auditors assessing service organizations. It allows the organization to undertake an external assessment instead of multiple third‐party assessments, sharing the resulting report with customers and potential clients. While COBIT, ISO 27001, and ISO 27002 are valuable auditing and assessment standards, they do not specifically address the issue of multiple third‐party audits. COBIT is a common framework for conducting audits and assessments, ISO 27001 describes an approach for setting up an information security management system, and ISO 27002 provides more detail on the specifics of information security controls, but none of them offer a solution like SSAE 18 for service organizations facing numerous audits.
Perfect Forward Secrecy ensures that even if someone later steals a private key, they can’t decrypt past communications. Each session gets its own unique, temporary encryption key, which is deleted afterward. So even if a hacker gets your server’s private key or Wi-Fi password later, they can’t go back and read old data that was captured before.
Anomalous behavior recognition typically looks at risk, unexpected, and unintentional behaviors. Repeated behavior is commonly in organizations because of ongoing tasks and processes.
Logging is operational control
If a phising email is tailored to your business (I work in insurance and they use insurance relevant topics or your role speicfic things) it will be spearphising instead of phising
Common motivations for internal threat actors include blackmail, financial gain, and ethical reasons.
New Technology LAN Manager (NTLM) had the flaw that sessions could be replayed.
Integer overflow is a thing, Buffer overflow is mroe about arrays or all non-initger attackcs
TCP 6667 => IRC
Worms spread themselves via vulnerabilities,
The Windows Security Account Manager (SAM) file and the /etc/shadow file for Linux systems both contain passwords and are popular targets for offline brute‐force attacks.
TCP port SQL: 1433
business email compromise (BEC) can be done via typo squatting, spoofing email or actual email compromise.
Jailbreaking and pakcage managers (requires jailbreak`) is iOS specific.
Sam is using blocked content logging to determine what systems may be compromised and attempting to connect to malicious domains and if users are trying to access those IP addresses or domains.
https://www.example.com/viewer.php?filename=../../../etc/passwd%00.png > %00 is a null byte, so applications stop readying after it, so the .png part is ignored.
Horizontal privilege escalation occurs when users at a similar level are able to use privileges or accounts belonging to peer users.
Firewall rules start at top and first match wins. So deny all usually is at the bottom.
AH > Authentication Header
NIPS -> Network Based Intrusion Prevention/Detection System
Partial backups are not the same as differential, partial is just a part of the entire scope that is backup, like a specific file.
COOP plans address loss of access to some or all of a facility, personnel, or services.
ICS: Industrial Controk Systems
IPSEC VPN works on Network lauer, VPN TLS on Transport layer
Screened subnet designs use a firewall with three interfaces, one for the Internet or an untrusted network, one for a protected but front‐facing network, and one for a shielded or protected network
Endpoint detection and response (EDR) focuses on identifying anomalies and issues, but it is not designed to be a malware analysis tool.
Red Hat stores authentication log information in /var/log/secure instead of /var/log/auth.log used by Debian and Ubuntu systems
Cuckoo, or Cuckoo Sandbox, is a malware analysis sandbox that will safely run malware and then analyze and report on its behavior.
Sn1per is a pen test framework.
sFlow, NetFlow, and IPFIX are all used to capture network flow information,
FDE can be enabled via MDM.
Windows Defender Firewall operates on a per‐application model and can filter traffic based on whether the system is on a trusted private network or a public network.
NXLog collects log
Incident response simulation involves actual actions taken, without creating issues or affecting prod.
Security keys are commonly used for passwordless authentication since they can provide both a physical token and cryptographic login credentials that are unlocked using a password, fingerprint reader, or camera.
OAuth 2.0 = Authorization framework (delegates access).
OpenID Connect (OIDC) = Authentication layer built on top of OAuth 2.0.
The Security Content Automation Protocol (SCAP) is frequently used to allow for monitoring and measurement of NIST 800‐53‐based controls.
Kerberos is one of a small number of commonly used AAA protocols for network devices
Kerberos is mainly used in: Windows domains (Active Directory) — it’s the default authentication mechanism.
Kerberos is primarily a network authentication protocol, not just for “network devices,” but for users and services communicating over a network.
Kerberos is a network authentication protocol for verifying the identity of users and services within a trusted domain — it’s not mainly for network devices like routers or switches, but for networked systems and applications.
Email security gateways are appliances or software virtual appliances that provide anti‐spam, anti‐phishing, and other email security–related services.
Bluetooth devices can be fingerprinted.
Software source code escrow is often used to ensure that organizations can obtain the software code if a company goes out of business or other adverse events occur that might endanger the company relying on the code. Reviewing the source code for an entire application is outside of the scope and capability of the majority of organizations, particularly when other dependencies are included.
SELinux switches linux to Mandatory Access COntrols
Enterprise password managers allow for “checking out” passwords and enforcing these to be changed after check out.
UEBA stands for User and Entity Behavior Analytics, a cybersecurity solution that uses machine learning to detect threats by analyzing the behavior of both users and non-human “entities”
Certification of destruction can include photographic evidence,
Embedded systems typically have few, if any hardening options because of their purpose‐built functionality. Benchmarks are rarely available for them, and most are not designed for central management or adding on security software.
Qualitative risk assessments measure likelihood on a descriptive scale like high, medium, or low. Quantitative assessments measure likelihood on a numeric scale using known event occurrence rates where possible.
Boards often include external members who may have industry or other experience and expertise that will benefit the organization, and they are sometimes, but not always, paid as part of their work on the board. Committees are frequently composed of internal staff;
A one‐time risk assessment that addresses the acquisition will best meet Sharon’s needs. Ad hoc assessments are less formal, and they are often used to quickly assess a system or other potential risk.
Data owners classify, protect, oversee the use of, and ensure the quality of data.
Data Custodians are the staff and teams who handle data
Provides technical guidelines for digital identity, focusing on authentication and password lifecycle management.
Risk exception recognizes risk areas where an organization may not be in compliance with policies or regulations, and may be acknowledged because they cannot be addressed in a timely manner or are required for the organization to conduct business.
Integrated penetration testing combines both offensive and defensive penetration testing,
A regulatory assessment doesn’t necessarily mean it’s performed by the regulator — it means the assessment’s purpose is to ensure compliance with a regulation.
CompTia: “Which concept label best fits the clues in this short paragraph?”— not “Which would I choose in a real-world scenario?”
The Payment Card Industry Data Security Standard (PCI DSS) is an industry standard, not a law, !!!!
- BUt there is a PCI DSS organization that contractlyly (not regulatory) enforces following it. So you do get fined by the bank or payment processor, cause htey get fined by this PCI SSC.
An Audit Committee is a subcommittee of an organization’s Board of Directors that oversees financial reporting, risk management, and internal and external audit activities. Often meets with CFO, CISO, internal auditors, and external auditors
Continuous integration/continuous delivery (CI/CD) pipelines deploy software on an ongoing basis, making them a good fit for continuous risk assessment techniques.
HIPPA is A REGULATION, LAW.
An organization’s risk threshold is the level where they will switch from accepting a risk to seeking to handle the risk. Their risk appetite is the amount of risk an organization is willing to accept to achieve its goals.
Anomalous behaviour: Risky, unexpected, and unintentional
Due Diligience : reasonable steps taken by a person to avoid committing a tort or offence.
Waylon is a risk owner. He is responsible for ensuring that the risks related to data and the application are managed appropriately. Risk owner is a thing.
Businesscontinuity is about HOW TO KEEP THE ORGANIZATION running, Dissaster recoveru is about HOW TO REPSONSE TO SITUATION X.
Playbooks list the actions that an organization will take as part of a response process.
- Guides incident response teams — what to do, who to involve, how to communicate.
Runbook lists the steps required to perform an action like notification, removing malware, or similar tasks.
- Guides technicians/analysts — the how-to instructions to execute tasks.
27002 guides the implementtion if a ISMS and controls, while 27001 is a STANDARD of ISMS framework.
For Risk Acceptance the residual risk is most important, cause you want to know what the risk is you will be accepting.
Disaster recovery plan tell what to do before, during and after the disaster occurs.
If you make decisions, data controller, if you enforce it, data steward.
Policy handbooks are used to provide information about high‐level security practices and goals.
NIST no longer recommends requiring password changes on a regular basis, and instead suggests that passwords only be changed when necessary. This helps to prevent password reuse and avoids influencing users to slightly modify passwords.
A malicious USB cable or drive can be made to look like jsut a keyboard.
There are actually some reasonable KPIs for monitoring security awareness effect.