λ ls -al /
./      # root directory
bin/    # essential user command binaries
boot/   # static files of the boot loader
dev/    # device files
etc/    # system configuration
home/   # user home directories
lib/    # essential shared libraries and kernel modules
media/  # mount point for removable media
mnt/    # mount point for temporarily mounted filesystems
opt/    # add-on application software packages
sbin/   # system binaries
tmp/    # temporary files
usr/    # applications for regular users
var/    # variable files
- /etc/crontab: run scheduled commands
- /etc/fstab: contains info on partitions and filesystems
- /etc/hosts: list of hostnames and ip addresses.
- /etc/group: similar to /etc/passwd but for groups
- /etc/inittab: runs different programs and processes on startup
- /etc/motd: message of the day printed after login.
- /etc/passwd: list of users
- /etc/resolv.conf: list of domain name servers used by the local machine.
- /proc/cpuinfo: cpu information
- /proc/filesystems: print filesystems currently in use.
- /proc/version: linux version and other info.
- /var/log/messages: used by syslog daemon to store kernel boot-time messages.
- /var/log/lastlog: used by system to store info about last boot.
| R | W | X | Binary | Decimal |
|---|---|---|--------|---------|
| - | - | - | 000    | 0       |
| - | - | X | 001    | 1       |
| - | W | - | 010    | 2       |
| - | W | X | 011    | 3       |
| R | - | - | 100    | 4       |
| R | - | X | 101    | 5       |
| R | W | - | 110    | 6       |
| R | W | X | 111    | 7       |
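An added example (not part of the original notes) that applies the table above to whole modes: it converts the symbolic rwx form that `ls -l` prints into the octal digits `chmod` takes, and back, and flags modes that give "other" write access.

```python
# Added example (not from the original notes): convert between the symbolic
# rwx form and the octal digits of the permission table above, and flag
# modes that grant "other" write access.

VALUES = {"r": 4, "w": 2, "x": 1}


def symbolic_to_octal(mode: str) -> str:
    """'rwxr-x---' -> '750'. Also accepts the 10-char `ls -l` form ('-rwxr-x---')."""
    if len(mode) == 10:
        mode = mode[1:]  # drop the file-type column (-, d, l, ...) of ls -l output
    if len(mode) != 9:
        raise ValueError(f"expected 9 permission characters, got {mode!r}")
    digits = []
    for i in (0, 3, 6):  # user, group, other triads
        value = 0
        for ch, expected in zip(mode[i:i + 3], "rwx"):
            if ch == expected:
                value += VALUES[ch]
            elif ch != "-":
                raise ValueError(f"unexpected character {ch!r} in {mode!r}")
        digits.append(str(value))
    return "".join(digits)


def octal_to_symbolic(octal: str) -> str:
    """'640' -> 'rw-r-----'. Each digit is the binary R W X pattern of the table."""
    if len(octal) != 3 or any(c not in "01234567" for c in octal):
        raise ValueError(f"expected three octal digits, got {octal!r}")
    triads = []
    for digit in octal:
        n = int(digit)
        triads.append(("r" if n & 4 else "-")
                      + ("w" if n & 2 else "-")
                      + ("x" if n & 1 else "-"))
    return "".join(triads)


def world_writable(octal: str) -> bool:
    """True when the 'other' digit has the write bit (2) set, e.g. '666' or '777'."""
    octal_to_symbolic(octal)  # validates the input
    return bool(int(octal[2]) & 2)


if __name__ == "__main__":
    for mode in ("-rwxr-x---", "rw-rw-rw-"):
        octal = symbolic_to_octal(mode)
        print(mode, "->", octal, "(world writable)" if world_writable(octal) else "")
```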
- man: unix reference manual
- info: display system information
- whatis: display one line summary of specified command
- su: log in as another user
- sudo: use root permission to perform specified task.
- cd: change directory
- ls: list directory contents
- find: find files.
- mkdir: create a directory.
- clear: clear screen
- rmdir: remove directory
- mv: move files
- ln: create a link to a file
- touch: update access and modification time of a file.
- cp: copy file.
- rm: remove files or directories
- history: view command history
- cat: concatenate files and print them to standard output.
- more: page through file contents.
- less: page through file contents.
- tail: display end of file.
- head: display start of file.
- grep: find a string within a file.
- file: display file classification
- w or who: display logged in users and what they are doing.
- du: display disk usage
- date: show date and time
- df: display capacity and free capacity on different physical devices.
- uptime: shows how long the system has been up and load averages.
- uname: display info about the system.
- whoami: shows the user name of the current account.
- finger: find personal information of a user.
- chmod: change file permissions.
- chown: change ownership of a file.
- chgrp: change group associated with a file.
- mount: mount device.
- umount: finish writing to the device and remove from the filesystem.
- cal: display calendar
- ps: display process status information.
- useradd: add user.
- userdel: remove a user.
- passwd: change login password.
- addgroup: create a new group.
- groupdel: remove a group.
- shutdown: reboot or shutdown a system.
A computer network is two or more computers that are connected together in some manner so they can exchange information. A subnet is a section or partition of a computer network.
TCP/IP has 4 layers:
- application layer (bgp, dns, ftp, http, imap, ldap, ntp, pop, rip, rpc, sip, smtp, snmp, ssh, telnet, tls/ssl)
- transport layer (tcp, udp)
- internet layer (ip, icmp, arp, rarp, ipsec)
- network access layer (ethernet, ppp, adsl, isdn, fddi)
TCP (Transmission Control Protocol)
- connection-based with error control and flow control.
- TCP header carries information on source port, destination port, sequence number, acknowledgement number, control flags, window and others.
Three way handshake:
- Computer A Sends SYN to Computer B.
- Computer B Sends SYN, ACK to Computer A.
- Computer A Send ACK to Computer B.
UDP (User Datagram Protocol)
- connectionless, no error control, no flow control.
- UDP header carries source port, destination port, and others.
IP address
- a unique global address for a network interface.
- IPv4 is a 32 bit long identifier.
- written in dotted decimal notation.
- each byte is written as a decimal number in the range 0-255.
- ifconfig: display info on the network interfaces currently active.
- ifdown: shut down the network interface.
- ifup: start up the network interface.
- ping: check if host is available.
- traceroute: print the route packets trace to network host.
- route: show / manipulate the IP routing table.
- netstat: print network connections, routing tables, interface statistics, masquerade connections and multicast memberships.
- tcpdump: record all network traffic.
InfoSec: Protecting physical and intellectual assets. CIA: Confidentiality, Integrity, Availability.
- Confidentiality: allow only authorized subjects access to information.
- Integrity: allow only authorized subjects to modify information.
- Availability: ensure that information and resources are accessible when needed.
- Assets: data, device and etc.
- Threats: possible danger that might exploit a vulnerability to breach security.
- Vulnerabilities: weakness of an asset or group of assets that can be exploited.
IT System: system whose purpose involves information.
OT System: system that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events.
- social networks
- adobe application software
- web applications
- ransomware (cryptoviral extortion)
- fake antivirus
- DNS server hijacking
- mobile devices
- internet of things
Social engineering
- focused on manipulation of individuals for various purposes.
- uses psychological methods.
- exploits human trust.
security tools and processes
Firewall: controls the incoming and outgoing network traffic by analyzing the data packets.
- first generation: packet filters act by inspecting the packets which transfer between computers on the internet.
- second generation: ‘stateful’ filters records all connections passing through it and determines whether a packet is the start of a new connection, a part of an existing connection or not part of any connection.
- third generation: application layer; it can “understand” certain applications and protocols such as FTP, DNS or HTTP.
Next generation firewall: goes beyond traditional firewall functions by adding security capabilities and threat mitigation technologies such as anti-malware and intrusion prevention systems.
IDS/IPS: system or device which monitors network or computer activities for any signs of malicious activity.
IPS: in-line, active. IDS: out of band, passive. False positive: identifies something as an attack, but it’s normal traffic. False negative: it fails to interpret something as an attack when it should have.
Anomaly based IDS: determines normal network activity and alerts the admin when abnormal traffic is detected. Signature based IDS: monitors packets in the network and compares them with preconfigured signatures.
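An added example (not from the original notes) that runs both approaches over constructed web-server log entries: a signature check against preconfigured patterns, and an anomaly check against a learned per-client request rate. The log lines, the two signatures and the 3x threshold are constructed for illustration.

```python
# Added example (not from the original notes): a signature-based check and an
# anomaly-based check run over constructed web-server log entries, to show what
# each approach catches and misses. Log lines, signatures and the 3x threshold
# are constructed for illustration.
import re
from collections import Counter

# Constructed baseline period: ten clients, three ordinary requests each.
BASELINE = [(f"10.0.0.{i}", "/index.html") for i in range(1, 11) for _ in range(3)]

# Constructed observation period.
LOG = (
    [("10.0.0.2", "/index.html"), ("10.0.0.2", "/about.html")]
    + [("10.0.0.7", "/login?user=admin' OR '1'='1")]      # matches a signature
    + [("10.0.0.8", "/files?name=../../etc/passwd")]      # matches a signature
    + [("10.0.0.9", f"/page{i}") for i in range(40)]      # far above the baseline rate
    + [("10.0.0.4", "/search?q=1 UNION SELECT 1,2")]      # no signature for it: missed
)

# Preconfigured signatures (what a signature-based IDS compares traffic against).
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_alerts(log):
    """Signature-based: report every request that matches a known pattern."""
    alerts = []
    for ip, path in log:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((ip, name))
    return alerts


def anomaly_alerts(log, baseline, factor=3.0):
    """Anomaly-based: learn the mean requests-per-client from the baseline and
    report clients exceeding factor x that mean. Catches novel abuse (no
    signature needed) but will also flag unusual legitimate clients."""
    base = Counter(ip for ip, _ in baseline)
    mean = sum(base.values()) / max(len(base), 1)
    observed = Counter(ip for ip, _ in log)
    return sorted(ip for ip, n in observed.items() if n > factor * mean)


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(LOG))
    print("anomaly alerts:  ", anomaly_alerts(LOG, BASELINE))
```

Client 10.0.0.4 illustrates a signature false negative (no pattern for its request), and any legitimately busy client would be an anomaly false positive.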
Vulnerability Management System
- identifies weaknesses present within assets.
- provides knowledge to defend against attacks.
- vulns arise from flaws, misconfigurations and policy failure.
Anti-Malware
- used to prevent, detect and remove malware from the computer.
- installed on individual hosts and on key systems such as e-mail servers and web gateways.
- signature based and reactive.
Next generation threat protection
- dynamic defense to stop targeted, zero-day attacks.
- realtime protection to block data exfiltration attempts.
- global intelligence on advanced threats to protect the local network.
SIEM (security information and event management)
- real time analysis of security alerts.
- logs access attempts, the use of privileges, service failures based on system logs.
- provide high level reports on service metrics.
- reporting for compliance purposes.
mapping with nmap
NMAP: network exploration tool and security / port scanner.
- enumerates open ports on systems.
- shows if the system is alive.
- shows status of ports, open or filtered.
- describes the type of services offered on these ports.
- shows OS
States recognized by NMAP
- open: an application is actively accepting TCP connections or UDP datagrams.
- closed: the port is accessible but no application is listening on it.
- filtered: cannot determine whether the port is open.
- unfiltered: port is accessible, but nmap is unable to determine open or closed.
- open/filtered: unable to determine whether port is open or filtered.
- closed/filtered: unable to determine whether the port is closed or filtered.
Port scanning:
- -sS: TCP SYN. Stealth (half-open) scan; no full TCP connection is established.
- -sT: TCP Full: full connect. Most detectable.
- -sU: UDP: UDP scanning.
- -sP: Ping: perform a ping sweep.
- -P0: don't ping. Perform the scan even if the target does not respond to ping.
- -p0-65535: port range. Scan all ports.
This phase usually reveals program names, version numbers and other detailed information that will be used to determine the vulns on the system.
- -sV: Service : Service detection
- -O: OS fingerprinting: try to find the OS running on the machine.
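An added example (not from the original notes, and not nmap's own code) that parses nmap's grepable `-oG` output, counts ports by the states listed above, and pulls out the open services whose version string the -sV phase detected. The scan output is constructed for illustration (192.0.2.10 is a documentation address), not a real result.

```python
# Added example (not from the original notes): parse nmap's grepable (-oG)
# output and summarise ports by the states listed above. The scan output is
# constructed for illustration; 192.0.2.10 is a documentation address.
from collections import Counter, defaultdict

SAMPLE = (
    "# Nmap 7.80 scan initiated as: nmap -sS -sV -oG - 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, "
    "80/open/tcp//http//Apache httpd 2.4.6/, 443/closed/tcp//https///, "
    "3306/filtered/tcp//mysql///\tIgnored State: filtered (996)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)


def parse_grepable(text):
    """Return {host: [(port, state, proto, service, version), ...]}.
    Each -oG port entry has the form port/state/proto/owner/service/rpc/version/."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue  # malformed entry: skip rather than guess
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            hosts[host].append((int(port), state, proto, service, version))
    return dict(hosts)


def state_summary(parsed):
    """Count ports per nmap state (open, closed, filtered, open|filtered, ...)."""
    return dict(Counter(state for entries in parsed.values() for _, state, *_ in entries))


def exposed_services(parsed):
    """Open ports with a detected version: the list to check against vendor
    advisories during the vulnerability assessment phase."""
    return [(host, port, service, version)
            for host, entries in parsed.items()
            for port, state, _proto, service, version in entries
            if state == "open" and version]


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE)
    print(state_summary(scan), exposed_services(scan))
```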
Risk: A combination of the likelihood that a threat will exploit a vulnerability on an asset, and the resulting impact that the successful exploit will cause to the organization.
Risk = Likelihood x Severity (impact)
Threat and Risk Assessment (TRA)
- asset valuation
- threat assessment
- risk assessment
Initiation: TRA process must be supported by PMO (Project Management Office) and fully integrated into the project management charter.
Asset Valuation: Determine what we are building, what the value will be and what we need to protect. CIA triad.
Threat Assessment Determine what the realistic threats to a system may be and what their business impact would be if they were to come to realization.
Risk Rating = Likelihood vs Severity
| Severity \ Likelihood | 1 | 2 | 3 | 4 | 5 |
|-----------------------|---|---|---|---|---|
| catastrophic (5) | 5 | 10 | 15 | 20 | 25 |
| significant (4)  | 4 | 8  | 12 | 16 | 20 |
| moderate (3)     | 3 | 6  | 9  | 12 | 15 |
| low (2)          | 2 | 4  | 6  | 8  | 10 |
| negligible (1)   | 1 | 2  | 3  | 4  | 5  |
Likelihood scale: 1: improbable, 2: remote, 3: occasional, 4: probable, 5: frequent.
How do we eliminate the risks?
we don’t. develop controls, mitigations, or workarounds to set risk to an acceptable level.
Factor Analysis of Information Risk (FAIR)
- Risk - a situation involving exposure to loss or danger.
Kinds of losses:
- fines and judgments
- competitive advantage
Annualized Loss Expectancy
- ARO: Annual Rate of Occurrence
- SLE: Single Loss Expectancy
- ALE: Annual Loss Expectancy
ALE = ARO x SLE
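An added example (not from the original notes) that implements the 5x5 Likelihood x Severity matrix above and the ALE = ARO x SLE formula. The low/medium/high bands and the comparison of ALE reduction against a control's annual cost are assumptions added here to show how the numbers are used; the notes give only the matrix and the formula.

```python
# Added example (not from the original notes): the 5x5 risk rating matrix
# (Likelihood x Severity) and the ALE = ARO x SLE calculation. The
# low/medium/high bands and the control-cost comparison are assumptions added
# here; the notes give only the matrix and the formula.
LIKELIHOOD = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}
SEVERITY = {"negligible": 1, "low": 2, "moderate": 3, "significant": 4, "catastrophic": 5}


def risk_score(likelihood, severity):
    """One cell of the matrix, e.g. ('probable', 'catastrophic') -> 20."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]


def risk_matrix():
    """The full table: {severity: [score for likelihood 1..5]}."""
    return {sev: [risk_score(lik, sev) for lik in LIKELIHOOD] for sev in SEVERITY}


def risk_band(score, high=15, medium=8):
    """Assumed bands for deciding which risks need treatment to reach an acceptable level."""
    if score >= high:
        return "high"
    if score >= medium:
        return "medium"
    return "low"


def ale(aro, sle):
    """Annual Loss Expectancy = Annual Rate of Occurrence x Single Loss Expectancy."""
    return aro * sle


def control_justified(aro_before, aro_after, sle, annual_control_cost):
    """Quantitative check (assumed use of ALE): a control is worth buying when
    the ALE it removes exceeds its yearly cost. Returns (ale_reduction, justified)."""
    reduction = ale(aro_before, sle) - ale(aro_after, sle)
    return reduction, reduction > annual_control_cost


if __name__ == "__main__":
    for sev, row in risk_matrix().items():
        print(f"{sev:>13}", row, [risk_band(s) for s in row])
    # Constructed figures: an incident once every four years costing 80 000.
    print("ALE:", ale(0.25, 80_000))
    print(control_justified(0.25, 0.05, 80_000, 10_000))
```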
Quantitative vs Qualitative Risk
Quantitative Risk: When a specific number can be attributed to risk. Qualitative Risk: When risk is referenced by a generalized category (low, medium, high).
The last step of a risk assessment is to report on what was found, what was mitigated, and present residual risk to a person at an appropriate level of authority.
This person is not the project manager, it is likely not your boss, and it is likely not a developer. It is a person that has the signing authority and power to correct or accept issues that they consider too high risk for the organization.
Vulns can exist in both processes and technology. Process vulns exist within official or unofficial procedures, or by a lack of procedures, within an organization.
Vulns that exist within technology itself. These vulns may exist within third party applications, operating systems or custom built applications.
Some of the most widespread and dangerous vulns are in third party software.
Vulnerability Management Life Cycle
- Prioritize Assets
- goto 1
Used to enumerate what the system consists of. This step may consist of a review of design documents or it may consist of a cursory scan of the environment.
Determine what exactly it is that we would like to scan. What do we see as high risk to systems and how can we test how those risks manifest.
Test for vulnerabilities.
- Vulnerability testing.
- Penetration testing.
- Process reviews.
Results of the assessment phase are typically extremely verbose. Nessus and other scanning tools can provide large reports.
Identified risks must be remediated or addressed. Remediation efforts include:
- correction of the root cause.
- acceptance of risk.
- mitigating controls.
Following remediation, mitigated risks and their vulns should be tested for effectiveness through a verification stage.
Vulnerability Management Systems
- identify weaknesses present within assets.
- provide the organization with the necessary knowledge to defend against attacks.
- vulns arise from flaws, misconfigurations and policy failure.
- scanning is conducted against network, host system and application assets.
- scanning web-based applications
Penetration testing linux.
The process of gaining control over a system.
- attempt to turn the target machine into a puppet that will execute your commands.
- exploit is a realization of a vulnerability;
- the attack vector will vary from target to target.
- give more attention to remote access services (ssh, telnet, ftp, vnc)
- Vulnerability: weakness which allows an attacker to compromise a system's security.
- Exploit: code which allows an attacker to take advantage of the vuln system.
- Payload (remote code): malicious code intended, as part of an exploit, to run arbitrary commands on the target system. It is the additional software or functionality that we install on the target system once the exploit has been successfully executed.
- Auxiliaries: set of tools that perform scanning, sniffing, fingerprinting and other security assessments
- NOP (No Operation): assembly language instruction often added to shellcode.
- Encoders: provided to evade the detection of antivirus, firewall, IDS/IPS and other similar malware defenses by encoding the payload during penetration operation.
Top 10 vulns found unpatched on scanned web servers.
- SSL/TLS Poodle Vulnerability
- Cross Site Scripting
- SSL v2 support detected
- SSL Weak Cypher Suites supported.
- Invalid SSL certificate chain.
- Missing secure attribute in an SSL cookie.
- SSL and TLS protocol renegotiation vulnerability
- PHP 'strrchr()' function information disclosure vulnerability.
- http TRACE XSS attack
- OpenSSL 'bn_wexpand()' Error Handling Unspecified Vulnerability
SOX: Sarbanes oxley
- US Law
- penalty for fraudulent financial statements.
- financial records kept in IT.
CSOX: Canadian SOX
- Canadian law
PIPA: Alberta Privacy Legislation
- protect private information
- anything not on business card.
PIPEDA: Federal privacy legislation.
- anything not on business card.
PCI: Payment Card Industry
- how payment card data can be stored.