Professor Messer YouTube

}}Note for me:}}

}}Ctrl + F the word “==Showjumper==” to search for topic to research later.}}

https://www.youtube.com/playlist?list=PLG49S3nxzAnkL2ulFS3132mOVKuzzBxA8

I have one day to learn over 21 hours of information so I will be skipping videos I have already watched, already know, or will probably not be on the tests. A few definitions will be from my textbook as well, so I can learn how the tests will word it.

  • Rootkits
    • Malware that modifies files in kernel of OS
    • Is invisible to the OS
    • Secure boot will not boot a system that has a modified kernel
  • Spyware
    • Adware
    • Can be installed with other apps as a PUP
    • Ads for software to remove adware may be adware
    • Attackers get paid when you view ads
    • Spyware
    • Identify theft
    • Can be a Trojan horse
    • Attack bank account
    • Only use well known anti-virus or anti-malware software
    • Have a known good backup
  • Bots and Botnets
    • When your system is taken over by malware and the malware controls your OS
    • Instructed by a Command and Control (C&C) server
    • Can create DDoS
    • Threat actors rent out botnets
    • Can be removed with anti-virus or anti-malware software
    • If you know the type of network flow the C&C uses, you can block it with an IPS or firewall
  • Logic bombs
    • An attack that occurs when an event is triggered
    • Time bombs occur on a specific date and time
    • Logic bombs can occur when a file is moved or deleted or a computer is turned on
    • Many logic bombs self destruct after the execute
    • Can delete master boot records and OSs
    • Can disable electrical circuits
    • Do not have predefined signatures, so are hard to recognize and delete
    • Have predefined procedures for changing settings, so any changes that happen outside of the procedures are suspicious
    • Some applications look for changes and alert any unauthorized changes
  • Password attacks
    • Very dangerous to store passwords in plaintext
    • A hash is a cryptographic algorithm that creates a unique signature of a set of data
    • aka message digest
    • aka fingerprint
    • Unique
    • A collision is when two sets of data have the same hash
    • Cannot be reversed
    • Do not store passwords, store their hashes. When a user enters their username and password, hash the password and compare it to to the hash stored under the username. If the hashes are identical, the password is correct and the user is authenticated.
    • A spraying attack is an attacker trying multiple common passwords on multiple accounts to avoid the account locking them out or raising an alarm for too many incorrect password attempts
    • Brute force attacks on hashed passwords take a very long time
    • Online brute force attacks try passwords on the device
      • Takes a very long time and will probably result in being locked out
    • Offline brute force attacks try passwords on the downloaded password file
      • Take a lot of GPU umph but is faster and won’t lock out the account or alert security
    • Dictionary attacks hash words and try them as passwords
    • People usually use words as passwords, so this is a good time saver for the attacker
    • Wordlists on the internet are lists of words associated with a line of work and/or language and are likely passwords
    • Can perform letter substitutions
      • p&w0rd
    • Distributed cracking uses multiple systems
      • Idk what this is. DuckDuckGo isn’t helping so it’s probably not on the test (???)
      • ==Showjumper==
    • GPS > CPU for password cracking
    • Rainbow tables are pre-built databases of hashes
    • Saves time because you don’t have to hash every password
    • Not every app and OS will use the same hash algorithm, so there is not a “one size fits all” rainbow table
    • Salts are random data added to a password before it is hashed
    • Every user has a unique salt
    • Do not use sequential salts!
    • Defeats rainbow tables
    • Slows down but doesn’t completely defeat brute force attacks
  • Physical attacks
    • Malicious USB cables look like normal USB cables but have electronics inside. It can tell the OS it is a HID (Human Interface Device; what keyboards, mice, etc are) and can interact with the device to download malware.
    • Malicious flash drives can have malware downloaded on them
    • Don’t pick up sus flash drives in parking lots!
    • Can also act as a HID, but doesn’t have to to crud up your computer
    • Can be configured as a boot device or an Ethernet adapter
    • Skimming is stealing card information by copying card information as the card is being used
    • ATMS can have cameras that steal card info
    • Examine card scanning system before using them. Attackers can put skimming systems on them.
    • Card cloning is when attackers duplicate your card onto another card for them to use
    • Magnetic stripes can be cloned, but chips cannot be cloned
    • Gift cards use stripes and can be cloned
  • Adversarial Artificial Technology
    • Machine learning is providing computers with data for them to learn from
    • Targeted advertisements
    • Poisoning the training data makes the AI behave incorrectly or dangerously
    • Attackers can extract data from the AI, which is very dangerous if the AI is trained with legitimate sensitive information like real SSNs
  • Supply Chain Attacks
    • Attackers can infect any step along the supply chain. This is a difficult attack to detect as customers trust their products are clean when they receive them.
    • Target’s credit card data was stolen when their HVAC vendor’s VPN was compromised and the attacker infiltrated their systems through the HVAC company.
    • A way to combat supply chain attacks is to have a smaller supply base and hold the vendors to tight security standards
  • Cloud-based vs On-Premises Attacks
    • Cloud security costs less and is more convenient, but its security is entirely up to the cloud provider
    • The cloud provider has more experience with large-scale security and your data is more accessible. You also don’t have the additional cost of a team and hardware and upgrading your security or storage takes seconds. However, your customization is limited to what the provider allows and a third party could access your data.
    • On-site data is more expensive and less convenient, but you have control over it
    • You can manage your team and equipment with trusted individuals and devices, but they are all your responsibility to procure and maintain
  • Cryptographic Attacks
    • A birthday attack is when an attacker takes advantage of the fact that there is a relatively high chance they can find a hash that is the same as a hash of sensitive data and use this inconsistency to break the cryptographic algorithm.
    • Can be prevented by increasing the size of the hash
    • Downgrade attacks force systems to downgrade their security
  • Privilege Escalation
    • A vulnerability like a bug or configuration error can allow a user or application to have elevated privileges, which can be very dangerous
    • Does not have to be very high privileges, can be horizontal escalation
    • Can be prevented with anti-virus and anti-malware software
    • Data execution prevention means only data in executable areas can run
  • Cross-site scripting
    • Abbreviated as XSS
    • When information from one site to be shared with another site
    • Attackers can use JavaScript on a vulnerable website to gather information from a user’s browser
    • Non-persistent (reflected) XSS attacks allow an attacker to run scripts within user input fields on the device, like in a search field
    • Requires the user to click a link
    • Persistent (stored) XSS attacks are stored permanently on a server and runs a malicious script on the computer of anyone who visits the site
    • User tokens that never expire are very dangerous!
    • Disable automatically running JavaScript scripts
  • Injection Attacks
    • A code injection attack is when an attackers puts their code into an already existing data stream
    • Caused by insecure programming
    • Common attacks are SQL, XML, LDAP, and DDL
    • Defeat by validating data before accepting it
  • Buffer Overflow Attack
    • When one section of memory overwrites a section of memory. The attack can control this and put a malicious script into sensitive data storage. Hard to carry out and hard to detect.
  • Replay Attacks
    • When an attacker intercepts data sent over the network and copies the data to fool a program or app into thinking they are a legitimate user
    • Capturing a session ID to impersonate a user is called session hijacking or sidejacking
    • Done with a network tap, ARP poisoning, and malware
    • Pass the hash is a replay attack when an attacker captures a password hash and passes it to the network to be authorized
    • Can be defeated by encrypting the channel or salting the password, maybe with the session ID
    • Cookies can contain personal data that an attacker take take advantage of
    • Attackers can use an XSS attack to gather a session ID and then use the session ID to modify headers
    • HTTP headers inform the browser how to function while communicating with the website
    • Can be defeated by encrypting all communication and forcing HTTPS communication
  • Request Forgeries
    • Cross-site requests includes loading legitimate text and videos on a website. Most of them do not require login credentials because your browser is trusted.
    • Cross-site request forgery (XSRF) is taking advantage of the trust the web app has for your browser. An attacker could use your credentials to act as you on websites you visit.
    • Can be defeated by the web app having anti-forgery techniques and a cryptographic token
    • Server-side request forgery (SSRF) is sending requests to the web server, usually to access services such as a private network.
    • Can be defeated by validating user input and server output
    • Rare but very dangerous vulnerability
  • Driver Manipulation
    • Drivers connect the computer hardware to the OS software. They are trusted by the OS.
    • Windows Compatibility mode runs an application in a different Windows version. Can be taken advantage of by attackers because it gets around some security features.
    • Refactoring or metamorphic malware changes every time it is downloaded. Attackers add pointless code and reorder the code to change how it appears to the anti-virus software.
  • Other Application Attacks
    • Memory leak
    • Unused memory is never released and eventually crashes the system
    • NULL pointer dereference crashes applications
    • Integer overflow can manipulate memory
    • Directory traversal means users can read that are outside of a website’s file directory, like the Windows folder.
    • Error messages should not show enough information that an attacker can use it.
    • Validate user input and server output.
    • Application Programming Interface (API) attacks try to gain access to data or crash the API or system by manipulating the API
    • Resource exhaustion is a DoS attack on one device
    • Can attack a computer using a zipped file that unzips to a huge amount of memory or a DHCP server by flooding the network with IP address requests so it runs out of IP address for legitimate requests.
  • Rogue Access Points and Evil Twins
    • Rogue access points are access points that are added to the network without IT authorization, aka ghost IT. Unauthorized wireless sharing by a computer is also a rogue access point.
    • Can be defeated by surveying the physical environment every so often, using third-party tools to create rogue access points to see what devices connect to it, and using Network Access Control (NAC) (802.1x) to require that users must sign in with a username and password before network access is allowed.
    • Evil twins are access points placed by an attacker hoping legitimate users will connect to it. They can overpower existing access points.
  • Bluejacking and Bluesnarfing
    • Bluejacking is sending unsolicited messages using Bluetooth
    • Bluesnarfing is accessing data on a mobile phone using Bluetooth. The problem was patched in 2003 so it’s not much of a problem unless you have an old device.
    • Bluetooth has a range of about 10 meters
  • Wireless Disassociation Attacks
    • A kind of DoS attack that tries to disconnect devices from the wireless network.
    • 802.11 is an unencrypted wireless standard.
    • Updated in 802.11w, which encrypts management frames and prohibits third parties from sending management frames.
    • Rolled into 802,11ac
  • RFID and NFC attacks
    • Radio-frequency identification tags are very small tracking tags that can be put in pets, cards, and products that need to be tracked. Some RFID tags do not have a power source, they are powered by the radio energy sent to the tag.
    • Attackers can spoof tags and change their contents and jam the signals from the tag
    • Near field communication (NFC) is in devices and supports two way communication. They enable you to pay with your phone.
    • The signals can be jamming or intercepted
  • On-Path Attacks
    • aka man-in-the-middle attack
    • Redirects your information
    • Normal ARP operation
    • A computer sends out an Address Resolution Protocol message with an IP address asking the device with the IP address to reply with its MAC address.
    • The router sees the ARP message and replies with its IP address and MAC address.
    • The computer stores the MAC address in its ARP cache.
    • Poisoned ARP operation
    • The attacker connects to the network and sends a message to the computer it is trying to infect with the IP address of the router and the MAC address of the attacker’s computer. The targeted computer did not send an ARP message.
    • Because ARP does not have security preventing thing, it will store the router’s IP and the attacker’s MAC together.
    • The attacker then poisons the router in the same way, so anything sent between the devices in either direction will pass through the attacker’s computer.
    • ARP poisoning requires the attacker is on the same network as the two devices.
    • Malware performing a man-in-the-middle attack from the victim’s computer is a man-in-the-browser attack
  • MAC Flooding and Cloning
    • An attacker can send traffic from multiple MAC addresses to flood the switch’s MAC address table. When the MAC address table is full, it starts broadcasting frames instead of sending them to specific devices. This opens up network traffic for an attacker to capture.
    • An attacker can change the MAC address of their device to a device already on the network so the switch sends packets to the attacker’s device.
  • DNS Attacks
    • Modifying the client host file or sending a fake response to a valid DNS request.
    • DNS poisoning is when an attacker changes the IP address for a website in the DNS server so that it directs devices to the attacker’s IP instead of the legitimate website’s IP.
    • Domain hijacking is changing the domain name information from the admin’s account
    • URL hijacking is when an attacker registers the domain name of a site very similar to a legitimate site and either redirects traffic to another website, creates a phishing website to harvest information, or shows viewers ads to earn money.
  • Malicious Scripts
    • Windows PowerShell
    • Shell script in Linux/UNIX
    • Macros
    • Visual Basic for Applications (VBA)
  • Threat Research
    • Vendor Websites
    • Vulnerability feeds
    • Academic journals
    • Request for comments (RFC)
    • Local industry groups
    • Threat feeds
  • Vulnerability Types
    • Open permissions
    • Unsecured root accounts
    • Error messages that display too much information
    • Weak encryption
    • Insecure protocols
    • Default settings
    • Open ports and services
    • Improper patch management
    • Legacy platforms
  • Threat Hunting
    • Intelligence fusion is combining security data from multiple devices or programs and using data analytics to filter out the important data
  • Security Information and Event Management
    • Creates security information and event logs
    • Collects server authentication attempts, VPN connections, firewall session logs, denied outbound traffic flows, and network utilization.
    • Also captures packets when prompted to by a security alert.
    • Provides real-time information and long-term storage
    • Combines data from multiple devices
    • Syslog is the standard for message logging
    • Needs a huge amount of storage space'
    • Sends alerts if a problem is found and can create tickets for technicians to solve
    • Security orchestration, automation, and response (SOAR)
    • Automates tedious and time intensive activities
    • Connects tools like firewalls and email filters together
    • Automatically handles security tasks
    • Can operate continuously
  • Protecting Data
    • Data obfuscation is hiding part of the data, like a card number on a receipt. You can also shuffle data.
    • Data diffusion is changing one character of the plaintext so the ciphertext is very different.
    • Tokenization is replacing sensitive data with fake data that is not sensitive.
  • Managing Security
    • Where your cloud data is physically stored makes a difference. Sovereignty laws apply to where the data is stored, not where the customer lives or where the customer access the data.
    • Same goes for offsite backups
    • Response and recovery controls are formal processes to recover from an attack
    • The identification and containment of the attack must be documented
    • Limit the reach of the attacker if possible
    • Transport Layer Security (TLS) replaced Secure Sockets Layer (SSL)
    • SSL inspection is difficult but necessary. It’s like a MITM attack, but not an attack
    • Add your own internal CA in your firewall and have it sign certificates for every browser and device on your network.
    • Your internal CA will decrypt packets from your devices using your internal key, then re-encrypt them using the server’s public key from a public CA to secure the data over the internet.
      • My way of understanding this is you ask your mom to buy a present for your friend on your behalf and mail it to you. She mails it in a box and wrapped in newspaper. You unwrap the present, peek inside to make sure it’s the right gift, then re-wrap it with your wrapping paper.
    • Hashing is used to verify digital signatures
    • API security
    • Authentication
    • Authorization
    • Web Application Firewall (WAF)
  • Site Resiliency
    • Hot sites have all hardware and data backups ready to go
    • Cold sites have no hardware or data backups
    • Warm sites have some equipment but you bring your hardware and data
  • Honeypots and Deception
    • DNS sinkholes can redirect IP addresses to or from malicious sites
  • Cloud models
    • Managed service providers (MSP) provide network connectivity management, backup and disaster recovery, and growth management and planning
    • not necessarily cloud providers, but they can be
    • Niche of MSPs are Managed Security Service Providers (MSSP), which provide firewall management, patch management, security audits, and emergency response
    • Infrastructure as a service (IaaS)
    • aka Hardware as a service (HaaS)
    • Just hardware infrastructure
    • You are responsible for everything else, including the OS and security
    • E.g., web service providers
    • Software as a service (SaaS)
    • On-demand software
    • E.g., email sites like Google Mail
    • Platform as a service (PaaS)
    • Vendor provides the OS, infrastructure, virtualization, and some “building blocks” to quickly build applications, and you do everything else
    • Anything as a service (XaaS)
    • Every other kind of cloud service
    • Usually available on public clouds
    • ^^Client Managed^^ and Provider Managed$$
On PremisesIaaSPaaSSaaS
<<^^Application^^<<<<Application<<<<Application<<{{Application{{
<<^^Data^^<<<<Data<<<<Data<<{{Data{{
<<^^Runtime^^<<<<Runtime<<{{Runtime{{{{Runtime{{
<<^^Middleware^^<<<<Middleware<<{{Middleware{{{{Middleware{{
<<^^OS^^<<<<OS<<{{OS{{{{OS{{
<<^^Virtualization^^<<{{Virtualization{{{{Virtualization{{{{Virtualization{{
<<^^Servers^^<<{{Servers{{{{Servers{{{{Servers{{
<<^^Storage^^<<{{Storage{{{{Storage{{{{Storage{{
<<^^Networking^^<<{{Networking{{{{Networking{{{{Networking{{
  • Edge and Fog Computing
    • Edge computing processes data very close to the device or the device processes its data
    • IoT devices
    • Fog computing processes data in a cloud close to the data
    • Cloud + IoT
    • Similar to a private cloud
  • Designing the Cloud
    • Thin clients are devices that run off a remote server
    • aka Virtual Desktop Infrastructure (VDI) or Desktop as a service (DaaS)
    • Virtualization is running many OSs on the same hardware
    • Containers are software that only contain the OS capabilities necessary to run a software
    • Application Programming Interfaces (APIs) break up a large application into individual services, or microservices. Each represents a function provides by the application. They are accessed through the API gateway. Each function is contained, so updating or removing a function or the function crashing does not affect the rest of the application.
    • Function as a service (FaaS) separates applications into individual functions without an OS. They are run in stateless compute containers. Often managed by a third party.
    • Virtual Private Clouds (VPC) are pools of applications in a public cloud.
    • Accessed through a Transit Gateway, like a cloud router
    • Users connect to it through a VPN
    • Service integration and management (SIAM) is deploying your application on different cloud providers and managing it on one interface.
  • Infrastructure as code
    • Describing the hardware infrastructure as code to blend it with the cloud
    • Software Defined Networking (SDN) is separating the functionality of the network into the control plane and the data plane
    • Can manage the network from a single point of view
    • Must be vendor neutral
    • Software defined visibility (SDV) is being able to manage and view data from next gen firewalls, web app firewalls, SIEMs, and other security devices through one application
  • Virtualization Security
    • VM sprawl and when VMs are all over your network and unaccounted for
  • Secure Coding Techniques
    • Obfuscate sensitive data
    • Remove dead code
    • Validate user input
    • Be careful when using code libraries
    • Keep previous versions in case you need to roll back or to determine if the code has been changed
  • Software diversity
    • Coding software so it changes slightly every download is a security measure. An attacker cannot develop a script that would take advantage of its binary file because every binary file would be different.
  • Authentication Methods
    • Directory services
    • Keep an organization’s username and passwords in a single database
    • Users need one username and password for every service provided by the organization
      • Like Microsoft and Google
    • Federation is using credentials from a third party to authenticate users
    • log in with Google/Apple/Twitter/etc
    • Attestation proves that the hardware connecting to the network is hardware the organization approves
    • SMS
    • Not considered secure
    • Push notifications
    • More secure than SMS, but still not very secure
    • One time tokens from hardware or software
    • time based one-time password (TOTP) uses a secret key and the time of day to create a unique key with a server
    • HMAC based one-time password (HOTP) is one-time passwords that do not expire like a TOTP, but can never be reused
    • Both considered secure
    • Phone calls
    • Not considered secure
    • PIN
    • Password or passphrase
    • Smart cards
  • Biometrics
    • False acceptance rate (FAR) is the likelihood that an unauthorized user will be accepted, which means the biometric reader is not sensitive enough
    • False rejection rate (FRR) is the likelihood that an authorized user will be rejected, which means the biometric reader is too sensitive
    • The crossover error rate (CER) defines the overall accuracy of the biometric system. It is the sensitivity rate where the FAR and FRR are equal.
  • Multi-factor Authentication
    • Authentication
    • Something you know
      • Password
      • PIN
      • Pattern
    • Something you have
      • Smart card
      • Token
      • Phone
    • Something you are
      • Biometrics
    • Somewhere you are
      • Sensitive location
      • IP address
      • GPS
    • Something you can do
      • Signature
    • Something you exhibit
      • Gait
      • Typing analysis
    • Someone you know
      • Web of trust (certificates)
      • Digital signature
    • Authorization
    • Accounting
  • Disk Redundancy
    • RAID Level 0: Striped disk without fault tolerance, best for non-critial data that must be read and written at a high speed
    • RAID Level 1: Disk mirroring, best for critical storage and small servers
    • RAID Level 5: Independent disks with distributed parity (error checking), all-round system with good performance and security, best for servers with a limited number of drives
    • RAID Level 10: A combination of RAID 1 and RAID 0
  • Backup Types
    • Full backups are the starting point for all backups. Archive bit cleared (set to 0).
    • Differential backups back up data that has changed since the last full backup. To restore data, only the most recent differential backup and the most recent full backup are needed. Archive bit not cleared.
    • Incremental backups back up data that has changed since the last full backup or last incremental backup. To restore data, every incremental backup as well as the most recent full backup are needed. Archive bit cleared.
    • Network-attached storage (NAS) is a single storage device that serves files over the network
    • A storage area network (SAN) is a dedicated network storage facility
    • Can support multiple storage devices, but all devices operate as one device
    • Multipath is creating multiple physical paths between a SAN and the devices accessing it
  • Business Impact Analysis
    • Recovery time objective (RTO) is the time it takes to recover from a disaster to a particular service level
    • Recovery point objective (RPO) is the the minimum requirement to get a system working again and the minimum acceptable data loss
    • Mean time to repair (MTTR) is an estimate of the time it will take to recover
    • Mean time between failures (MTBF) is an estimate of the time between failures
    • Functional recovery plan
    • Contact information
    • Procedures to follow to solve the problem
    • Recover and test if normal operation is achieved
    • Single points of failure
    • Redundant switches and routers
    • Backup hardware
    • Backup generators and cooling and heating systems
    • People
      • Steve’s the only guy who knows how this works
    • Disaster recovery plan
    • Detailed plan for resuming operations after a disaster
    • Mission-essential functions
    • What functions are absolutely critical for the organization to operate? These need to get off the ground first.
    • What computing systems are absolutely necessary for these functions?
  • Data roles and responsibilities
    • Data owner
    • Accountable for specific data
    • Data controller
    • Manager the purposes and means by which personal data is processed
    • Data processor
    • Processes data on behalf of the data controller
    • Data custodian/steward
    • Responsible for data accuracy, privacy, and security
    • Chooses data labels
    • Ensures compliance
    • Manages access rights
    • Implements security controls
    • Data protection officer (DPO)
    • Responsible for the organization’s data privacy
    • Sets policies, implements processes and procedures.
  • Data classifications
    • PII (Personally Identifiable Information)
    • Data that can be used to identify an individual
    • PHI (Protected Health Information)
    • Health information associated with an individual
    • HIPPA mandates this data needs to be kept private
    • Confidential
    • Highest level of data sensitivity
    • Should only be made available to users with highest level of pre-approved authentication
    • Private
    • Restricted data with a medium level of confidentiality
    • For users who have a need-to-know basis of the contents
    • Sensitive
    • Data that could cause catastrophic harm to the company if disclosed, such as technical specifications for a new product
    • Restricted to employees who have a business need to access the data and have been approved
    • Critical
    • Data classified according to availability needs; if critical data not available, the function and mission would be severely impacted
    • Critical data must be rigorously protected
    • Proprietary
    • Belongs to the enterprise
    • Can be available to any current employee or contractor
    • Public
    • No risk of release
    • For all public consumption; data is assumed to be public if no other data label is attached
  • Load balancing
    • Active/active load balancing
    • Distributes the network load across multiple servers
    • Round-robin selects each server in turn
    • Weighted round-robin prioritizes a server
    • Dynamic round-robin assigns the load to the server with the lowest use, which will change as more users access and leave the website
    • Affinity means a user needs to use the same server for the duration of their session
    • Active/passive load balancing
    • Some servers are active and some are passive. If an active server fails, a passive server will take over.