1.1
Phishing – social engineering to get sensitive information off of a person
Typosquatting – typos that blend in with the actual word. Makes it look legit but it is not
Prepending – adding a letter at the front of the url to deceive
Pharming – redirecting legit url to a fake url
Vishing – voice phishing
Smishing – sms text msg phishing
Reconnaissance – gather information pre-phishing. Background information and build pretext
Pretext – made up scenario to fool the victim into believing
Spear phishing – targeted to a specific person
Whaling – targeting a high value personnel like CEO or CFO
Impersonation – spoofing. Pretending to be someone that you are not
Eliciting information – extracting information from the victim
Identity fraud
Credit card fraud – using your credit card or opening a new credit card in victim’s name
Bank fraud – attacker gains access to victim’s bank account
Loan fraud – attacker uses victim’s info to get a loan
Government benefits fraud – attacker uses victim’s information to receive benefits on their
behalf
Do not disclose personal information easily
Dumpster diving – going through the trash to recover valuable documents from the dumpster
May be legal/illegal depending on where you live
Make sure your dumpster is locked and protected
Don’t throwaway raw information in the dumpster
Shoulder surfing – spying over the shoulder to gain information that is stored in someone’s computer
Can be close and can be far
Be aware of your surroundings, make sure your screen is filtered and not viewable from outside
or by other people
Computer hoax – threat that doesn’t actually exist but seem like it’s real
Watering hole attack – poisoning the website that victims visit often. Third-party attack
Spam – unsolicited message (unwanted message)
Advertising, phishing, anything unwanted by the receiver
Mail gateways – they stop the spam from reaching the inbox
Identifying spams
Use allowlisting (block everything except the ones specifically stated in the list)
SMTP standards checking – block everything that does not follow the RFC standards
rDNS (reverse DNS) – block email when sender’s domain address does not match the IP address
Tarpitting – intentionally slow down the server conversation
Recipient filtering – block all email addresses that are not a valid recipient
Influence campaign – swaying public opinion on political and social issues
Nation state actors – divide, distract, persuade on a country level
Ex) trying to change votes
Often includes many many individuals
Military warfare – country tries to change the way people of other country thinks
Hybrid warfare – mix of military strategies with the cyber technologies
Influence news and elections
Tailgating – following someone to gain unauthorized access to places
Johnny Long / No Tech Hacking – social engineering. Blend in with clothing, 3rd party with a legitimate
reason
Invoice scam – research before sending, send to the actual person who pays the bill. Impersonate. Send
fake invoice and get payment information
Principles
Authority – higher up impersonation. Use power
Intimidation – consequences if you don’t help
Consensus – told it is what normally happens. What others did as well.
Scarcity – situation is limited
Urgency – situation MUST be done quickly
Familiarity – someone you know, common friends
Trust – someone who is safe like IT
1.2
Maleware – malicious software
Virus, crypto-malware, ransomware, spyware, adware, worm, trojan horse, rootkit, logic bomb,
keylogger, botnet
Malware – requires human to run it
Worms – can travel through network by itself
Virus – can reproduce itself, may or may not cause problems
Program virus – part of application
Boot sector virus – resides in the kernel
Script virus – browser based virus
Macro virus – common in Microsoft office
Filess virus – stealth attack, avoids anti-malware. Operates in memory
Ransomware – attacker requests money. May be fake ransom.
Crypto-malware – newer generation of ransomware. Data unavailable until cash is given. Encrypts the
file until the money is received.
Ransomeware protection:
Have back up, keep OS up to date, applications up to date, anti-virus/anti-malware signatures
Backdoor – code manipulation for technicians to bypass security authentication process
Potentially Unwanted Program (PUP) – identified as anti-virus/anti-malware. Often installed with other
programs. Aggressive toolbar?
Trojan Horse – often applications disguised as other useful programs.
Remote Access Trojans – Allows the attacker to remotely tap into the victim’s hardware.
Rootkits – sits inside the kernel. Invisible to the operating system. Modifies the core system files
Zeus/Zbot malware – bank account cleaning attack
Specific programs to remove rootkits. Look for the unusual
Adware – ads pop up without your consent. Can cause performance issues.
Spyware – malware that spies on you without your consent. Can trick you into installing it. Browser
monitoring. Keylogging.
Bots – once computer is infected, it becomes a bot
Botnet – group of bots that work together. Usually used for DDoS (Distributed Denial of Service) attacks.
Ways to not become a bot – update OS and AV, run regular checks make sure your system is free of any
malware. Prevent C&C from connecting by blocking at firewall
Logic bomb – waits for predefined event to occur. Usually caused by someone with a grudge
Password attacks
Passwords should never be kept in plaintext. Passwords are usually kept in hashes with salts.
Password Spraying Attack – many accounts are tried with set of passwords, can bypass password lockout
mechanism
Brute force – uses all combinations possible to try and crack the password
Dictionary attack – uses dictionary words to try and crack the password
Rainbow tables – has pre-calculated hashes of passwords
How to make passwords more secure? – Add salt to the passwords. Salt – random data.
Don’t pick up random USB cables. Can be deadly for the computer if it includes malware in them.
Flash drives. Don’t pick up random flash drives and plug them into your computer. Virus can be
anywhere in that. It could be in the excel sheet or pdf files in the flash drive.
Skimming – Stealing credit card information. Copy data from the magnetic stripe or get the card number
with CVV.
ATM Skimming – small camera to watch the pin
Card cloning – card details from a skimmer to create a duplicate card.
Machine learning – machines learn from a given data set.
Artificial intelligence – becoming more and more prevalent today. Uses machine learning to act like an
artificial human.
Securing the learning algorithms – check the training data and constantly retrain with new set of data.
More and better data = good for the training.
Supply chain attack – must verify where the items come from. Verify everyone in the supply chain is
reliable.
Cloud-based vs On-Premises attacks
Cloud does not make it impenetrable.
On-premise – you’re responsible for everything. Physical controls. Have on-site IT team to make security
better. Can be more expensive to have a local team and have all the physical checks in place. Security
changes made can take time.
Cloud – you don’t need local team but your data can be accessed by a third-party. Everything is managed
by the cloud provider and have very little downtime. However, they may not be customizable to your
liking and require all users to follow security practices.
Cryptographic attacks – focused on breaking the cryptography.
Make sure Private keys are unknown to anyone but yourself
Birthday attack – there is a chance of multiple versions of plaintext having same hash.
Collision – hash of two different plaintexts being the same.
Downgrade attack – attacker forcefully downgrades the connection to communicate over an older
version. 2014 – TLS Vulnerability. Forced clients to fall back to SSL 3.0 (significant cryptographic
vulnerability).
Privilege escalation – gaining higher level access to a system through exploiting a vulnerability. Able to
gain unauthorized access to higher level without the authorization to do so.
Mitigating privilege escalation – patch quickly. Update anti-virus software
Cross-site scripting (XSS)
Non-persistent XSS – attacker is able to run script against a website. (search box) User needs to click on a
specific link every time to pass on the script.
Persistent XSS attack – script is stored on a server. When user connects, it will execute. No specific target.
Anyone who visits it will be affected.
Prevent XSS by having a good input validation.
Malware are typically all known. So attackers are looking for creating a zero-day vulnerability to attack
systems with.
Attackers can target drivers of systems. Drivers are essential part as they control the I/O of the system.
Shimming – space filler between two objects. IT – Application compatibility function (Running windows
11 but program is designed for Windows 7, you can set the program to run in Windows 7 mode)
Refactoring – Metamorphic: malware is different (unique) every time you download it. Can add NOP (No
Operational) instructions, meaning it won’t run, to make it different every time. Can also redesign itself.
Reordering functions and the flow of the application.
SSL Stripping/HTTP downgrade – on-path attack that requires the attacker to sit between the user and
the server.
User sends HTTP request which attacker intercepts. Attacker forwards the request to Server and Server
replies with HTTPS request. Attacker Re-sends HTTPS request then Server acknowledges and sends it
back to the attacker who then forwards it to the user. User sends credentials in the open (HTTP) and
attacker forwards that to the server to gain access.
User -> Attacker -> Server
Race condition – things happening at the same time which causes unintentional changes to happen. Can
be very critical. (Time-of-check to Time-of-use attack, TOCTOU. Something may have happened since the
last time you’ve checked)
Memory vulnerabilities
Memory leak – memory slot is allocated for specific programs. Programs use more than the allotted
space then it will crash.
NULL Pointer Dereference – programs point to specific point of reference when accessing memory.
Attacker can make the program point to a null point of reference.
Directory traversal – With get requests, attacker can use ../ to traverse to a parent directory. Should not
happen with good well written code.
All this happens as a result of improper error handling and input handling.
Error handling – errors will happen. Messages shouldn’t be too descriptive about the system and the
network. Should give detail on what the problem is without giving away too much detail.
Input handling – input validation is key to avoiding attacks. Having a proper input validation will prevent
many injection attacks which causes DoS and other harm to you.
API attack – (Application Programming Interface) Used mostly by mobile devices. Like with HTTP get and
responses, API Gets and Responses can be attacked by an attacker.
Resource exhaustion – Specialized DoS attack that exhausts the resource of a system. Famous – small zip
file when extracted, bloats into 4500 terabytes of data. Quickly depletes the system’s resource.
1.4
Rogue Access Points – devices not authorized to connect to the network. Connected to the network by
an attacker.
Wireless Evil Twin – an access point that looks like an existing network (similar SSID) and security
settings. These may overpower the existing access points
Bluejacking – soliciting messages via Bluetooth
Bluesnarfing – retrieving information from a device over Bluetooth connection
Wireless disassociation attack – attack that involves attacker sending deauthentication frames to a
network for a specific MAC address. Results the device losing connection due to the deauthentication
frame.
Radio Frequency jamming – Reducing the ability of a device to receive a good signal. May not be
intentional. Can be small things like microwave oven.
Wireless Jamming – similar to radio frequency jamming, interfering with the wireless connection.
Wireless jamming needs to be done close. Can go on “Fox hunting” to hunt for the disruptor.
Different types:
Constant – constantly sending frames to jam
Random time – send frames at random intervals
Reactive jamming – only send frames when you detect someone communicating
RFID (Radio Frequency Identification) – Small identification devices that are everywhere. Uses radio
frequency to identify things. (Badges, location, pet id). Bidirectional.
Vulnerable to replay attack, interruption, spoofing (attacker can spoof the tag data to make the reader
think like it’s something different), jamming. No encryption
Near Field Communication – two way wireless communication. Payment systems like apple pay or google
pay. Encrypted communication
Concerns: since it’s wireless, it can be susceptible to remote captures.
Randomizing Cryptography
Nonce – random number that’s used once
When password hashes are sent to authenticate, they’re sent with a nonce to make the password hash
random every time they’re sent.
Initialization Vector (IV) – type of nonce used in encryption ciphers.
Salt – random set of characters added to the hash of passwords when storing the passwords.
On-path network attack – aka Man in the Mittle (MITM) attack. Attacker sits in-between two
communicating devices. Sender -> Attacker -> Receiver. Attacker can intercept and analyze all
communication happening within the communication channel. Needs the attacker to be on the same
network.
On-path browser attack – attacker places malware in the browser which automates the process of
capturing data from the victim’s browser. Does not require the attacker to be within the private network.
Just needs to get malware on the browser and they’re set.
MAC flooding – MAC Address – 48 bits / 6 bytes long. XX:XX:XX:XX:XX:XX. The first 6 is OUI
(Organizationally Unique Identifier) and last 6 is the serial number of the device.
LAN Switching
Switches forward frame based on MAC Addresses. Switches have MAC Address table which stores the
MAC address of devices and their interfaces. To not get into a loop, switches should always use Spanning
Tree Protocol (STP).
The MAC table is set in size so attacker can flood the switch to fill the table up with random MAC
addresses. Once the table is full, the switch will not have space for legitimate devices’ MAC addresses.
The legitimate devices will send frames which the switch will send broadcast messages of the frames to
all devices connected because they cannot specify which interface the message should go to.
MAC cloning/spoofing – Attacker can spoof a legitimate MAC address to circumvent the wireless/wired
MAC address filter or do a DoS on the legitimate MAC address by using their MAC address.
DNS Poisoning – modifying the config files of the DNS server
Ex) professormesser.com 10.2.5.1 legit
professormesser.com 100.100.100.100 fake
Attacker can change DNS server file to have 100.100.100.100 as the ip address of professormesser.com
Everyone trying to connect to professormesser.com using that DNS server will get a reply with
professormesser.com being 100.100.100.100 instead of 10.2.5.1, which is the legit one.
Domain hijacking – gaining access of the server
URL hijacking – make a website similar to the real website
Ex) professormesser.com real
professormessor.com fake
Very similar and easily mistaken
Typosquatting, misspelling, typing error, different phase, different top-level domain all can be vulnerable
for users.
Domain reputation is key. If a domain has been infected, users may not be comfortable connecting to the
website next time on and will avoid connecting to that domain.
Denial of Service – forces service to fail, prevent users from accessing the service
Friendly dos – failure caused by events not involving malicious human intent (layer 2 switch without STP,
water line breakage)
DDoS – used by botnet to disrupt a service. Botnet C&C sends commands to bots to mass connect to a
service, bringin the service down.
Using DNS to amplify – DNS queries are small requests send to the DNS server which DNS server replies
with massive information. Using this, botnet can send multiple DNS queries to overload the destination
with massive DNS query results.
Application DoS – zip bomb, small file that extracts into a huge amount of data.
Operational Technology DoS – industrial equipment that are interrupted. Requires specific knowledge as
they’re not like the typical equipment used by most people.
Malicious scripts – used for automating tasks
Attacking different OS requires different type of scripts
General – python scripts
Windows – powershell
Shell scripts – Linux and other OS that relies heavily on command lines
Visual Basic for Application (VBA) – automated processes within Windows applications (Microsoft office)
Macro – automated functions within an application or an operating system
1.5
Threat Actors
APT (Advanced Persistent Threat) – attackers that are highly skilled and persistent once they get into the
network.
Insider – person inside the organization. Knows about the security infrastructure better than the hackers.
Nation states – Operates on a government level. Can affect the nation’s politics.
Hactivists – Activist hackers. Focused on a social or political issue. Can be sophisticated. Funding is
limited.
Script kiddies – people who do not know how to hack. They use pre-made codes to try and hack systems.
Organized crimes – organized group of hackers that are at the organizational level. They have good
funding. They are often organized to generate revenue from hacking.
Hackers – general definition of experts with technology. Driven by money, power, and ego.
Authorized – people who are hired to hack into a system. Paid to test penetration
Unauthorized – people who maliciously hack into systems
Semi-authorized – people who hack into systems out of curiosity. No malicious intent.
Shadow IT – Not a real IT of the organization. Shadow IT acts as a rogue IT department within the
organization, not abiding to rules. Are not always good to have: many risk involving waste of money,
security risks, compliance issues, and may cause dysfunction in the organization.
Competitors – Espionage. Competitors may try to hack or try to leak competitors’ information to put
them out of the league.
Attack vectors – any type of attack methods
There are a lot of attack vectors for an organization.
Direct access – physical access to the organization’s server. Keep them locked and make sure no
unauthorized personnel are allowed to enter the server room.
Wireless attack vector – Rogue access points / evil twins/ default login credentials / and weak and old
protocols. They’re all examples of a wireless attack vector.
Email attack vector – susceptible to spam emails where phishing is very likely to occur. Social
engineering.
Supply chain attack vector – you don’t know what the device has gone through. It’s a possibility that the
device may have had malware attack before being brought into the organization.
Social media attack vector – be careful of what you post online. Your status, address, phone numbers,
any photos. They can all come bite you.
Removable media attack vector – USBs are deadly. They can bypass firewall. USBs can also act as a
keyboard where once plugged in, it’ll automatically start typing.
Cloud attack vector – security is a big issue for cloud services. Usually third-party, make sure they’re
keeping vulnerabilities patched right away. Publicly facing applications are always a risk.
Threat intelligence – researching of potential threats
Open source intelligence (OSINT) – publicly available and free. Internet groups, government data,
commercial data.
Closed/proprietary intelligence – These are researches made by organizations that are sold for money.
Very organized and easy to navigate.
Vulnerability databases – hosted by government agencies that provide detailed information about
various types of vulnerabilities.
Common Vulnerabilities and Exposures (CVE) – are managed by government agencies that
provide information about the common vulnerabilities.
NVD (US National Vulnerability Database) – provides information about CVE and are hosted by
Department of Home Security and Cybersecurity and Infrastructure Security Agency.
Public/private information sharing centers – public sharing centers use publicly available information to
share amongst each other.
Private companies can gather information and sell them to customers.
Cyber Threat Alliance – group where members of the group upload specifically formatted threat
intelligence. Each threat intelligence is validated by the members of the group.
Automated indicator sharing (AIS) – automated way of sharing information and important threat data
amongst the industry workers.
Structured Threat Information Expression (STIX) – describes the cyber threat information.
Trusted Automated Exchange of Indicator Information (TAXII) – shares the STIX information secretly.
Dark web intelligence – studies the dark web and the hackers on there. Monitors the hacker groups and
their forums.
Indicator of Compromise (IOC) – common indicators are:
Unusual amount of traffic
Change in hash values that are usually not changed
Irregular international traffic
Changes to DNS data
Uncommon login patterns
Spikes of read requests to certain files
Predictive analysis – analyze large pool of data to predict what data attackers will likely target later.
Threat maps – identify attack trends. Created from real data.
File/code repositories – organizational code repositories should remain private to the organization.
Source codes should never be leaked to the public.
Threat research – threats should be researched to help prepare / prevent any attacks.
Vendor websites – The vendors know their product the best. Make sure the vendors are patching
vulnerabilities ASAP and check their website for any new vulnerabilities.
Conferences – Good place to gather information as industry people will attend and likely give their story.
Academic Journals – academic professionals research specific vulnerabilities. They provide extremely
detailed analysis of technologies and vulnerabilities. Good source for a very detailed report.
Request for Comment (RFC) – RFCs are often written by IETF (Internet Engineering Task Force). RFCs are
often turned into standards but not always. They can serve as experimental documents for information.
Provides many information regarding vulnerabilities.
Local Industry Group – local group of industry peers that share information. Can be a good place to share
information about similarly interested topics.
Social media – good to search keywords on social media to see what other industry professionals are
saying about the topic.
Threat feeds – announcements from the government to stay informed about the different
Tactics, Techniques, Procedures – what the adversaries are doing to get into our system. Good to study
their pattern and ways of trying to hack into the system.
1.6
Vulnerability types
Zero-day attacks – vulnerabilities that are newly created and there are not patches for them yet.
Open permissions – Wrong config settings that result in open permission for the public to view.
Unsecure root accounts – root accounts have privileged access. Make sure they’re well protected
Error – error messages can sometimes give too much information about the problem and the system.
Weak encryption – having weak encryption (less than 128 bit key size) and outdated hashing algorithm
like MD5 can be a huge security issue.
Unsecure protocols – Some protocols are not secured (Telnet, FTP, SMTP, IMAP). Make sure you use
secure version of them. (SSH, SFTP, IMAPS)
Default settings – always change settings of hardware and software. Don’t ever leave them in default
settings that are straight from the manufacturers.
Open ports and services – ports need to be open for applications to communicate and work with.
Manage proper firewall ruleset and always test and audit.
Improper patch management – make sure patches and audits are done frequently and always make sure
that systems have up-to-date patches
Legacy platforms – Some old systems are still in use. They may require additional layer of security
protections.
Third-party risks – some services are put on the third-party. Make sure their security is reliable and
always prepare for the worst.
System integration risk – Having a third-party professional inside your organization can be a risk itself.
You don’t know their intent. They have access to your software in your internal network.
Lack of vendor support – You have to rely on vendors to patch their product fast. Make sure they are
fixing problems fast!
Supply chain risk – You don’t know where the hardware and software have come from. They may include
malware. Make sure they’re clean the best you can.
Outsource code development – all coding environment must be on a separate network or environment
from the main network. Make sure they’re isolated to ensure maximum security for the source code
environment!
Data storage – data can be stored on third-party and they need to be encrypted well. Transferring data
out of the storage should always be encrypted.
Vulnerability impacts
We need to make sure what the impact of losing said data will be like.
Data loss, identity theft, financial loss, reputation impacts, availability loss are all impacts that could
happen from attacks.
They all have some form of monetary loss for the organization so make sure your system and network is
secure and well maintained.
Threat Hunting
Threats are always changing. Must be up-to-date on the latest news on new types of threats
Intelligence data is reactive. Try to get reaction time faster.
There are too much data available on the security. Many different teams in different aspects of security
operation (intelligence, threat response, etc).
Fuse the intelligence data and teams together and do one massive analysis.
Fusing the data – Fusing the data, add external sources, and use this data to focus on predictive analysis
and user behavioral analysis.
Cybersecurity maneuver – Move IT infrastructure reactively. Use automation to haste the process. Move
firewalls, change firewall rule, OS, block IP, and delete malicious software all accordingly.
Vulnerability scans
Vulnerability scanning is not invasive. Meaning, it will not be deep and exploiting a vulnerability like pen
testing. Vulnerability scanning is to find any potential vulnerabilities. Test from outside and inside and
gather as much information as possible.
Scan types
Non-intrusive – gather information and don’t try to exploit a vulnerability
Intrusive – see if you can exploit a vulnerability
Non-credential – see what you can gather without any access
Credential scan – see what you can gather with access using valid credentials
What they scan
Everything inside the database. Vulnerability scanner scans everything that they have signatures for.
They can scan applications (mobile and desktop), software on web server, and networks (misconfigured
firewalls, open ports, vulnerable devices).
Vulnerability research – There are many sources hosted by Government and companies to view what are
common vulnerabilities. Common Vulnerabilities and Exposures (CVE). National Vulnerability Database
(NVD).
Government has NVD for the public to view the different kinds of vulnerabilities that exists.
CVE is an informative website hosted by mitre for the public.
Some vulnerabilities are not scannable by the vulnerability scanner and have to be manually searched
for.
Common Vulnerability Scoring System – scoring system of vulnerabilities. 1 – 10
Common vulnerabilities Vulnerability scanners look for:
Lack of security controls. (no firewall, no anti-virus, no anti-spyware)
Misconfigurations. (Open shares, guest access)
Real vulnerabilities. (actual openings caused my not updated patches or zero day vulns.)
False positives – vulnerability scanners may scan false positives which are threats that don’t exist but
scanner mistakenly reports it as a vulnerability
False negative – worse than false positive. False positive is a fake vulnerability but false negative is a
vulunerability that is reported as being safe. So false negatives are very dangerous.
One opening can cause detrimental effects on an organization. Make sure all systems are configured with
correct account settings and device settings. Make sure all servers are set with correct access control and
permission settings. Security devices should be set with correct firewall rules and authentication options.
SIEM – Log collector for security events and information. Provides real-time information about the
events on the network.
Syslog – central logging repository system. All the logs come into one single location. Needs a lot of
storage capacity.
SIEM data – SIEM captures everything like authentication attempts, VPN connections, firewall session
logs, basically anything that happens on the network that can leave a log. It can also capture packets and
monitor the security of the system.
Using the data, analyst can analyze the data from SIEM to identify any patterns or user behavior to
identify the pattern of users’ activities. This can help in figuring out insider threats, target attacks, and
anything that DLP or SIEM might miss.
SOAR (Security orchestration Automation Response) – Security orchestration is different security
functions like firewall, account management, email filters working together. Automation is making this
orchestration automatic with response to incidents.
PenTesting – penetration testing is finding vulnerabilities and using those vulnerabilities to exploit it and
get into the system.
Pentesting isn’t hacking, it’s ethical hacking. Requires authorization to do so.
Rules of engagement – preset rules on what the pentester can and cannot do.
Working knowledge – Unknown (blind): tester does not have any information regarding the environment
Known – tester does have full knowledge of the environment
Partially known – tester have some knowledge but not all.
Ultimate goal of pentester is to get into the system exploiting the vulnerability. May cause denial of
service or loss of data (have to be prepared for that). Make sure that if there’s an opening, find the
opening and exploit it. This way, the security operation people can fix it.
Path of attack – Initial vulnerability exploit (find exploit and get through the security). Lateral movement
(once in the network, move from system to system. Internal network is relatively unprotected).
Persistence (once in, make sure to build a backdoor or some form that will allow you to easily get back
into the network), Pivot (inside the internal network, make a pivoting point that will allow you to get into
an unauthorized area)
Aftermath – clean everything up. Restore any configuration files you’ve changed, change every setting
back to normal and delete any created accounts during the process.
Reconnaissance – This is the phase before the actual attack. Find everything about the target
beforehand. You want to minimize the area of attack and create an understanding of the target’s
network and security infrastructure.
Passive footprinting – using open source to gather information about the target. The target will not know
that you’re collecting information.
Wardriving/warflying – driving around gathering wireless access point information using cars / drones.
Open Source Intelligence (OSINT) – the process of using open source to gather information
Active footprinting – actually trying to see if there are openings. Searching network for any open ports or
something. Using DNS queries and pings.
Security teams
Red team – pen testers.
Blue team – defenders. They try to defend against attacks
Purple team – red team and blue team working together.
White team – referees. They oversee the security team. They provide rules and scores of the teams.
2.1
Configuration management – change is always happening. Must document everything and maintain a
record of all changes.
Diagrams – keep a network diagram of the physical devices and wires and have physical data center
layout. Have all of things in a diagram.
Set a baseline – every system and devices must have base configuration set. This baseline should be
constantly updated to have the latest baseline for higher security.
Have standard naming convention – this way, it’ll be easier for everyone to know what things are. Have
tags for devices that provide names, serial numbers, and location. Have ports labeled and have account
names that are descriptive of what they do.
IP ranges should be planned as well. Have subnets divided for specific uses.
Data protection – data is everywhere. Data must be encrypted to be protected. Data residing in different
countries must follow their regulation. GDPR (General Data Protection Regulation) states the regulation
of data protection. Ex) EU residents’ data must be stored in EU.
Data masking – data obfuscation is necessary. Make sure your sensitive data are masked. Masked data =
**** **** **** 1234. Encryption is two way process. Cryptographic cypher and a key is needed to
encrypt data. Confusion and protection is the main reason why we encrypt our data.
Diffusion is the reason why when you even change one character, the output is drastically different
Data at rest – data that is sitting in the storage device. Storage must be protected.
Data in transit – data that is being transmitted over the network. TLS. Must be protected.
Data in use – when data is being used by the system. Sits at the RAM, CPU register and cache. Attacking
the system RAM for environment that uses their system constantly will be effective.
Tokenization – replacing sensitive data with non-sensitive data. Ex) real credit card number is replaced
with a random, non-sensitive number. This is used in NFC with phone payment method.
Ex) phone registers real credit card number. Tokenization server registers token for that credit card
number. Phone gets the token from the tokenization server and when making payment, phone sends the
vendor the token. The vendor checks with the tokenization server to verify the token matches with the
credit card number.
Information rights management (IRM) – Controls how data is used. Restrict access to data to
unauthorized persons and allow the person to only use that right.
Data Loss Prevention (DLP) – DLP can sit on end-device (data in use), the network (data in transit), and
on the server (data at rest). USB is pretty dangerous. USB can serve as attack vector.
Cloud DLP – watches everything in the network. Sits in cloud and manages what data moves in and out.
DLP and email – Sending data through email is very dangerous and DLP can prevent this. Emailing PII out
of an organization is very dangerous so DLP can stop this type of data loss.
Managing security
Geographical consideration – different legal requirements in different areas. Plan on having backup sites.
Incident response is key. Attacks are happening all the time. Document the attack, identify the attack,
and contain the attack. Try to limit what the attacker can do as much as you can.
SSL/TLS inspection
SSL/TLS is an encryption tunnel for connection from point A to point B. Attackers want to inspect the
SSL/TLS connection.
How? SSL/TLS relies on trust. Browsers have CAs. This CA chain can contain a lot of certificates. Unless
the website you’re visiting is trusted by the CA chain, your browser will not trust that website. Websites
pay CA to have their website trusted by the CA. CA = Certificate Authority.
Hashing – message digest that can provide integrity. Hashing is one way, meaning it cannot be reverted
from the hash into original data. It can be a digital signature (integrity, authentication, non-repudiation).
API (Application Programming Interface) – Limit API access to legitimate users only (critical).
Make sure users are only allowed to do what they’re authorized to do. Read only should only allow read
of the data.
Site resiliency – Plan for back up situations. Have back up sites.
Hot site – exact replica. Data is backed up constantly. All hardware are updated to match the operational
site. Up and running in minutes.
Cold site – only the location exists. Hardware and everything else does not exist.
Warm site – somewhere in the middle of hot and cold site. Hardware may or may not be available. They
take less time to set up than cold site but still need setting up to do.
Honeypots and deception
Honeypots – fake systems that are designed to lure attackers into attacking the system. Once luring the
attacker, it traps the attackers in the system.
Honeyfiles and honeynets – honey files are fake files that seem attractive to the attackers (password.txt).
Honeynets are networks that consist of many honeypot. It lures the attackers into them.
Why do these exist? – to learn what the attackers want and see the vulnerability that can exist in your
own network.
Fake telemetry – machine learning can be corrupted. Machine learning relies on datasets solely. By
corrupting the dataset, attackers can make machine learning in favor of them, by having malware seem
benign.
DNS Sinkhole – DNS that hands out incorrect IP addresses. This can be both good and bad. If attacker
does this, it can redirect legit websites to malicious websites. If the good DNS provider does this, it can
redirect users from going into malicious websites to legit websites.
2.2
Infrastructure as a service (IaaS) – Outsource equipment. Third-party is responsible for giving you the
hardware, you’re responsible for everything else. Ex) server provided.
Software as a Service (SaaS) – you outsource an application entirely to a third party provider. They’re
responsible for managing everything and you just use the application.
Platform as a Service (PaaS) – Inbetween IaaS and SaaS. In PaaS, you’re responsible for the application
and data, but the third party provider gives you the tools and environment for you to build your own
application.
Anything as a Service (XaaS) – broad description of all cloud models. Services are delivered over the
Internet and pricing is usually flexible.
Managed Service Providers – means cloud service providers but not all cloud service providers are MSPs.
MSPs support network connectivity management, backups and disaster recovery, and growth
management planning.
Managed Security Service Providers – service providers that provide firewall management, patch
management and security audits, and emergency response. Those that are responsible for the security
of your environment.
On-premises vs off-premises – On-premises you’re responsible for everything, but you have flexibility for
everything. You can do whatever you want. Off-premises, usually, it’s not running on your hardware. You
have to rely on the third-party.
Types of cloud computing –
Public – publicly available over the Internet
Community – group of organizations with similar interest pool resource to share the same resources
Private – your own private cloud
Hybrid – mix of public and private
Cloud Computing
Cloud computing is a way of providing computing power to customers that do not have computing
power. It can be a great option for startups as startup costs are cheap and you pay more as you grow
more. It may not always be a good option as latency could exist and whatever happens to the provider
may bring the system down.
It’s great because it can provide instant computing power with elasticity and provide vast amount of data
storage capacity.
Edge Computing
Edge computing is IoT devices that mostly communicate local. Ex) Car systems talk to each other and
store data locally for the car to use. No latency and no network equipment. No need to go to cloud and
come back, just talk locally and exchange locally.
Fog Computing
Cloud + IoT devices
Fog is a cloud that sits between the cloud server and your IoT devices. They act as intermediate for when
the IoT devices need to talk to one another. They can also relay IoT devices’ data to the cloud when
needed.
Thin Client – basic hardware that has just enough computing power to connect to a virtual desktop
infrastructure. Has keyboard, mouse, and monitor support and has enough power to support those and
connect to a remote desktop.
Virtualization – running virtualized machines inside a single machine. Runs on the hypervisor of the host
computer and has separate Operating System per applications.
Containerization – Concept of containers. Still runs on single hardware but instead of having separate
operating systems per applications, each application can be run on one single main operating system and
use Docker software to have containers for the application that’s isolated just for them. These are
lightweight and can be deployed onto a completely new environment with just an image of them.
Microservices and APIs
Monolithic programs have very large codebase. This can be very tough to make changes to and manage.
Instead, having microservices for each function will allow changes to happen as often as needed and be
easily accessible. API is the “glue” that “glues” all the microservices together. Microservices are scalable
and resilient, meaning they’re easily increased and decreased and outage of microservices only affect
those microservices and not extend outside of them.
Serverless architecture
Function as a Service (FaaS) – applications are separated into individual, autonomous functions.
Developers create a server-side logic that triggers on an event. This runs in a stateless compute
container.
Transit gateway – transit gateway is the router of a virtual private cloud network. User getting into the
VPC will need to use Virtual Private Network (VPN) to first make contact with the transit gateway and
through the transit gateway, they’ll be directed to the VPC.
Resource policies – each service providers specify their our resource policy.
Azure – specify which resources can be provisioned
Amazon – specify the resources and what actions they’re allowed to take. Also, explicitly allow users.
Service integration – Many services have different providers who have different configurations and
processes. Service Integration and Management (SIAM) integrates different providers into a single group
so an organization can use them.
Infrastructure as a Code (IaaC)
Write a code on exact configuration of each application instances. By having this set of code, you can
build an application that will run exactly the same every time.
Software Defined Networking (SDN) – This essentially divides the networking devices into two states.
Control plane and Data plane. Control plane manages the configuration of the device whereas the Data
plane manages the actual operation. This allows dynamic changes for the devices and can be done
without any human intervention.
Software Defined Visibility (SDV) – SDV provides visibility of the network. The traffic flow of the network
is displayed with detail.
VM Sprawl – creating new VM instance is easy. It can get out of control. Having decommissioned VMs
not terminated that still has data is dangerous.
VM escape – attack that happens on a VM where the attacker can leave the VM environment and go into
other VMs or move into a host system.
2.3
Secure Deployments
Sandbox – isolated testing environment
This sandbox environment does not have connection to the real world or production system.
Building the application should be on a separate environment than the production environment.
Have a secure environment for writing code and testing the code.
Quality Assurance - Once application is done being written, make sure the quality is checked (Quality
Assurance). During this phase, features are checked to be functioning correctly and new functionalities
are validated along with verifying old errors do not reappear.
Staging – after QA, product is almost ready and copy of the data is placed into testing. This is almost the
same data that will be used for production. Performance and usability tests are conducted in this phase.
Production – in this phase, the application is live and is rolled out to the community. Users need to learn
the changes and the providers need to do things accordingly: set up new servers, software, restart or
interrupt services.
Going from staging to production, there should be a secure way of doing so.
Make sure the system is secure. Some security baselines:
Make sure firewall settings, patch levels, OS file versions are the same as before. Make sure integrity
checks are done on the product.
Provisioning
Deploying an application. Set up every configuration for every machine involved. Verify application is
secured along with the network if you’re providing that as well. Software should be checked to make
sure no integrity was violated and no malicious code exists.
Consider scalability and elasticity of the service. Scalability = setting enough resource for a given
workload
Elasticity = ability to increase/decrease resource depending on the workload.
Orchestration – automation in cloud computing is key. Cloud computing is on-demand so things are
moving in real-time. Services appear and disappear automatically. Entire application instance can be
automated. Ex) Europe and NA instances. When Europe operation hours start, automatically start the
application instance for Europe. When Europe operation hours end, automatically end and do the same
for NA.
Deprovisioning – when application instances are no longer needed, deprovision them but do them with
everything in mind. Make sure to delete everything and firewall policies should be reverted back to
normal. Don’t leave everything behind.
Secure coding concepts
It’s a balance between time and quality. Always test the code.
Stored procedures.
Rather than sending SQL queries from the client, send calls to SQL stored procedures. This way, the user
cannot edit the SQL procedure, but only sends a call to call the stored procedure that resides in the
database.
Also, for codes, make sure you obfuscate the code. Simple “echo “Hello World”” can turn into a massive
code bit that’s hard for humans to read and understand.
Code reuse/dead code
Reusing old codes in different part of the program can be very dangerous. If the reused code has been
found to be vulnerable, everywhere else in the program that uses the same code is at risk.
Dead code – code that is written to execute and does what it’s supposed to do but the result is not used
anywhere in the program.
Input validation – MAKE SURE YOU VALIDATE THE INPUT. Validating user input is critical to maintaining
security.
Having a client-side or server-side validation is good. (Preferably server-side validation)
Memory management – application utilizes part of memory. Make sure you validate user input to not
allow buffer overflow or null point dereferencing.
Third-party libraries and SDKs – while they’re readily available for use and they’re great for importing a
pre-written code for your need, they’re made available for the public. This can be a risk incase the SDK’s
or Third-party libraries’ codes are insecure.
Data exposure – Make sure input/output data and every data the application stores is encrypted.
Version control – keeping versions of the application or whatever software/website is good incase you
need to reference or go back to previous versions.
Exploiting an application – attackers will find vulnerability for applications. If they get through one binary,
they can get through all applications.
Software diversity – this is where software diversity comes in. Having a unique binary (meaning every
user’s application has different binary when they download) will prevent this attack. A successful attack
will only affect a few of the people’s applications.
Automation and scripting – Changing and monitoring everything can be automated.
Continuous Integration – software is always developing. New codes are written every day to improve the
software. Due to this, code has to be tested constantly.
Continuous delivery/deployment – Delivery = automated testing and releasing with a push of a button
Deployment = even more automation. Testing and deploying into production is automated without any
human involvement.