
RAID:
"RAID 0 – Striping" (say it altogether), 0 Redundancy | Bl0ck
RAID 1 – Mirroring. Picture the 1 is a girl in the mirror.
RAID 5 – 5trip1ng. Striping with 1 in it (get it?)
Any RAID above 1 gets parity.
3 - byte stripe parity, then 4 - block stripe parity
6 is just 5 with redundant parity stripes

Block Cipher - Block Size / Key Size / Rounds
DES 64 / 56+8 parity / 16
AES128 128 / 128 / 10
AES192 128 / 192 / 12
AES256 128 / 256 / 14
Rijndael 128-256 (multiple of 32) / 128-256 (multiple of 32)
IDEA 64 / 128 / 16
Blowfish 64 / 32-448 / 16
Twofish 128 / 128-256 / 16
RC5 32, 64, 128 / up to 2048 /

SHA-1 160 bit hash value
SHA256 256 bit
SHA512 512 bit
MD5 128 bit

Asymmetric Algorithms:
1. RSA, DSA (SA Brothers)
2. ECC, El Gamal (E E)
3. Diffie Hellman, Knapsack (Guy named Diffie and his Knapsack)
The Rest are Symmetrical….. and Hashes… a Good Start.
Symmetric: A FISH named DES had an IDEA on how to make RC4 and AES SAFER.
HASHES: A bunch of MD's hanging out with SHA's HAVAL the RIPEmd TIGERs. Think crazy party with Docs, Sha's having all the stinky tigers.
Default Answer for modern Crypto: AES (it's used everywhere).
Digital Signatures: RSA [Real Signature Algorithm]
ENTICEMENT VS ENTRAPMENT
Tempting 'em VS Tricking 'em
Legal VS Illegal
Streaming Ciphers associated with Feedback: Never pee into the wind. Streams feeding back into your face.
RC4 IS ONLY STREAM
Twofish: 128 bits – 2x 64 bit fish. 2 Fish uses 2 Fish. A post-whitening fish and a pre-whitening fish.
Caesar Cipher: Caes3R. 3R = 3 to the right. (substitution)
Diffie-Hellman and Mr. El Gamal are sneaky poopers- they drop DISCRETE LOGS. Discrete Logarithmic ciphers.
WEP: Pronounced WEEP- because the creators weep over how insecure it is….
WPA: TKIP. T for Temporary fix on the way to WPA2.
WPA2: AES (Default- it isn't TKIP) and CCMP (a lot like CCCP Russians. Finally keeping the Russians Out).

LAWS:
Due Care v Due Diligence: Think of a Doctor's Standard of Care. That is the care. Diligence is the Doctor's action on you. Due Care is Research/knowledge. Diligence is the actions. Docs act diligently.
HIPAA sounds like HEP A (medical protection law)
HITECH: Hi-Tech Breaching cyborgs attacking covered associates of HIPAA.
$OX: Enron… '02 shit got real. Publicly traded companies: Adequate Financial Disclosure, Independent Auditors, Internal Security Controls (CI$$P Jobs). Intentional Violators are Criminals.
GLBA (The HIPAA of Financial Institutions): C&I of customer data. Breach Notifications.
SB1386: Breach Notification. Breach BEACH (California)
CFAA: As amended, Catch All for cyber-crime. 10 computers damaged is a Felony.
ECPA: No Wiretaps and shit…. All in the name: Electronic Communications….
PATRIOT ACT: Not so Patriotic. Reduction to restrictions in surveillance.
PCI-DSS: Piece a Diss? Piece a Diss shit aint no law… Pay me.
EU US Privacy Shield: USA Companies need only volunteer… Volunteers to fight in Europe.
CMM- "Erd-MO" IRDMO. Initial, Repeatable, Defined, Managed, Optimizing.

Forensic Evidence Steps: IP CEA PD (Internet | CEA | Police Department)
1. Identify - Look around
2. Preserve - Don't Step in that!
3. Collect - Now Pick it up footprint free
4. Examine - What do we have here
5. Analyze - Take a closer look
6. Presentation - See? Look what I found!
7. Decision - Well? What do you think? [jury]
Internet (IP) Chief Executive Asshole Police Department

Electronic Discovery Reference Model
Identification locates the information that may be responsive to a discovery request when the organization believes that litigation is likely.
Preservation ensures that potentially discoverable information is protected against alteration or deletion.
Collection gathers the responsive information centrally for use in the eDiscovery process.
Processing screens the collected information to perform a "rough cut" of irrelevant information, reducing the amount of information requiring detailed screening.
Review examines the remaining information to determine what information is responsive to the request and removes any information protected by attorney-client privilege.
Analysis performs deeper inspection of the content and context of remaining information.
Production places the information into a format that may be shared with others.
Presentation displays the information to witnesses, the court, and other parties.
IP CPR APP
FIREWALLS:
Layer 7 Application Firewalls. Application Proxies. Level 7 Humans can make decisions. Control Active Directory. Certificates. Certifiably Human.
Layer 5 Firewalls. Short Circuit- Johnny 5. Circuit Firewalls can monitor TCP Handshakes- Robot shaking hands.
5tateful Firewall5. Just like Johnny 5 they are alive. Not quite lvl 7 humans. 5's are 5tateful and Circuit Level. Johnny 5 was an anomaly.
Layer 3. Static Pack3t. Static. They are dumb turnstiles. Locked or unlocked. All or nothing. All or No TCP, DNS. Turnstil3s can't stop a virus because they are yuck (NYC Subway Turnstile). They CAN stop malformed packets…. Turnstiles CAN stop 1500 Super Mutants (Malformed Humans).

Evidence Types:
Direct - Witnesses to the cops
Secondary - contract
Real - Knives
Corroborative - back up
Best - Contract ever!
Circumstantial - proves another fact

Code of Ethics Canons: SADA (Air Force Artillery)
1. Protect Society, the common good, the infrastructure and necessary public trust and confidence
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide Diligent and competent service to principals
4. Advance and protect the profession.

Policies: Mandatory High Level = Presidential. Program Policy establishes the Information Security Program.
Policies have an owl! Policies- Why? Who Who What? Like an owl asking: Why? Who who what?
Purpose – Why | Scope – Who this covers | Responsibilities – Who does what | Compliance – What happens when you don't comply
1. Purpose - Why
2. Scope - Who
3. Responsibilities - Who
4. Compliance - What
Only Discretionary Policies: Guidelines and Baselines. You don't have to wait in line. You'll probably need management sign off to veer from Baselines.

Risk Analysis: The Threat of a Fire could work through the Vulnerability of no sprinklers to destroy the whole building. The building is at risk. Threat = potentially harmful source. Vulnerability = the weakness that allows the threat to do damage.
Risky Titty is Vulnerable! Risk = Threat Times Vulnerability
Risk = Threat * Vulnerability <- Starting point. Basic.
Risk = Threat * Vulnerability * Impact <- When you want to add weight to the vulnerability. For example, you want a building full of expensive stuff to be a worse loss than an empty one. Well, Impact adds weight. Human life is infinitely irreplaceable. It trumps all.
Risk = Threat * Vulnerability * Cost (simply make the impact in money)
Sleeve Fuck (movie quote- go home and …): SLEAVE F: SLE = AV*EF
Drinking ale leads to slaying with arrows: ALE = SLE*ARO
TCO: To.Tal.Cost.of.owner.ship- It's everyyy.thing. Initial purchase of mitigating safeguard. Upfront capital, annual mx, subscriptions. TCO of your car would be what you paid, plus cost of all repairs, gas and oil etc.
ROI: Return on Investment. What you are getting back from the safeguard.
If ale is better than tacos you made a good choice. If ALE > TCO you have a +ROI (not –ROI) and chose a good safeguard. In other words if TCO > ROI then bad choice. In other other words, Safeguards should be saving money. Not simply costing the company.

NIST Risk Management Framework 800-37
Categorize: the information system and the information processed, stored, and transmitted by that system, based on an impact analysis. Vested party is identified.
Select: an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions. If any overlays apply to the system they will be added in this step.
Implement: the security controls identified in the Step 2 SELECTION are applied in this step.
Assess: a third party entity assesses the controls and verifies that the controls are properly applied to the system.
Authorize: the information system is granted or denied an Authority to Operate (ATO); in some cases it may be postponed while certain items are fixed. The ATO is based off the report from the Assessment phase.
Monitor: the security controls in the information system are monitored in a pre-planned fashion documented earlier in the process. ATO is good for 3 years; every 3 years the process needs to be repeated.
CSIAAM

Risk Management Process: Love is Risky, Love potion no. 9. 9 steps
1. System Characterization - What do we have
2. Threat ID - Simply finding THREATs and Vulnerabilities. Risk = Threat*Vulnerability
3. Vulnerability ID
4. Control Analysis - Current and planned controls
5. Likelihood Determination - Simply figuring what the likelihood and impact is.
6. Impact Analysis
7. Risk Determination - Doing Quantitative and Qualitative Analysis. TCO, ALE and ROI oh my!
8. Control Recommendations
9. Results Documentation - Document your work
This shit was retired in 2012. But Conrad says to know it? WTF. Just rote the 9 steps if you feel you have time. DON'T ROTE MEMORIZE THIS.

Quantitative Risk Assessment
Assign Asset Value (AV)
Calculate Exposure Value (EV)
Calculate Single Loss Expectancy (SLE = AV*EV)
Assess Annual Rate of Occurrence (ARO)
Derive Annual Loss Expectancy (ALE = SLE*ARO)
Perform cost benefit analysis of countermeasure

TCP/IP Model: 3-1-1-2 | 3 layers combined, 1 lyr, 1 lyr, 2 combined
   OSI layers                             TCP/IP layer
3  Application, Presentation, Session     Application
1  Transport                              Host to Host
1  Network                                Internet
2  Data-Link, Physical                    Network Access

Layers of Attacks:
4- SYN 4 Fraggle…. SYN 4 Fraggle!!
3- Loki shed 3 Smurf Teardrops.

Biometrics Metrics: FRR v FAR… 2 is greater than one. 2 is a greater offense than 1. Type 2 is False Acceptance and 1 is False Reject.
Order of BioM's: 1. Know 2. Have 3. Are. Do you KNOW what you HAVE here? No? You ARE an idiot!

XSS v CSRF: CSRF is the website's misplaced trust in the uSeR. XSS is the user's misplaced trust in the website (xSITEscripting). The subject being mistrusted goes at the end of the sentence.
Finally got it: XSS is when an attacker tricks a victim into unwittingly executing a code injection attack on a website. The user trusts the website to not allow such buffoonery!
CSRF- the website trusts that users aren't dumb enough to fall for Social Engineering.

Biba vs Bell-LaPadula: Justin Biba has no integrity. Biba is about integrity. If you know that then Bell is Confidentiality = Keep secrets = No Read Up, No Write Down. (Obvious when you think about it: Can't read higher clearance stuff and can't share with lower clearance holders). Flip those two for Integrity = Biba: No write up, no read down.
Clark-Wilson: Don't touch my shit! Lewis and Clark telling Native Americans not to touch their stuff. Untrusted users aren't allowed to have access to resources without going through a protected application [web interfaces for example].

Access Control: MAC = Lattice – Big MAC with lattice. Lattice is a MAC.
Non-Discretionary = Role-Based. Job Roles are Non-Discriminatory in USA.
CERTIFICATION and ACCREDITATION:
Certification is a technical evaluation of a software system's security compliance.
A-C-C - ACCREDITATION | ACCEPTANCE. Accreditation is management's acceptance of a product. First it's certified, then accredited (accepted) and finally implemented.

XTACACS+ - TCP
DIAMETER - TCP
RADIUS - UDP
RADIUS is the only one that uses UDP.
Order of TACACS. Then a wild X appeared (we read left to right): XTACACS. Then the X rolled behind the word to the right and landed on its side: XTACACS+. The plus is the bonus of Multi-Factor Authentication.

Multitasking: Multi Multi Tasking- It allows multiple tasks to use multiple processes. Multithreading. Multiple. Threading = Multiple threads at one time. Most applications allow multithreading. Most processors allow multitasking. When you press ALT CTRL DEL in Windows you get Task Manager… thus the CPU is running multiple Tasks. Each app in and of itself is multithreading.
Embedded Devices: Cell phones are embedded in our pockets. It's devices that are everywhere.

Cyber Incident Response Life-Cycle:
1. Preparation - Boy Scouts prepare first! Then this little gem: "The PD looks in RooM's for PreCuM Lessons with a bunch of Re-Re's." ALWAYS end with a lessons learned.
2. Detection / ID
3. Response / Containment
4. Mitigation / Eradication
5. RePort
6. ReCover
7. ReMediate
8. Lessons Learned
● Reporting happens throughout, starting at detection.
● Remediation begins in Mitigation and runs parallel. No sense in waiting to fix that shit.
PD (Dr Khor's) RooM PC Medical Lessons

Snort: NIPS Snort NIDS <- Snort open source NIPS and NIDS
Tripwire: Picture a virtual tripwire into your PC. It's a HIDS. For the exam HIDS (Tripwire) observes the files…. So now picture the tripwire attached to files. (Does it through Hashing FOOL!)

DRP: RAC AR Respond Activate Communicate Assess Reconstitution. Rack AR-15…
Assess the incident
Notify and escalate
Triage
Contain the incident (stop it from spreading)
Analyze the nature and source of the incident
Track and document the incident
Restore to normal

BCP and/or DRP Steps: PiSs Burp InBound! PS BIRP IB
1. Project Initiation - Run the .ini first!
2. Scope the project - Guns = Scopes = Range Fans… what's covered.
3. Business Impact Analysis - The big daddy
4. ID Preventive Controls - Prevent so you don't need recovery
5. Recovery Strategy - Prev. Ctrls didn't catch it! We need a Recvry. Strat stat!
6. Plan Design and Development - How are we going to do this?
7. Implementation, Training and Testing - Let's do this! IMP TITTY
8. BCP/DRP Maintenance - No Rest for the weary.
The Piss (PS) gets its own cup. In that cup is the .ini and scoping out what we'll need.
The Burp (BIRP) is the BIA- we figure out what we have to protect. Then we ID how we are going to prevent bad things. Oh shit, that didn't work- we need a Recovery Strategy. OK let's get a Plan Designed and Developed to get the company ready.
The Inbound is all about the Imp Titties. Implement, Train and Test; and of course no rest for the weary… keep on it.
The .ini calls up formal guidance and authority for the project. CPPT.exe is called by the .ini. The "Captain" aka CPPT, the Continuity Planning Project Team, figures who is who for the .ini.
A disaster occurs when the organization is not able to restore normal services/functions before reaching the maximum tolerable downtime (MTD) set by the business.

NIST 800-37 Risk Management Framework
Categorize Information system
Select Security Control
Implement Security Control
Assess Security Control
Authorize Security Control
Monitor Security Control (Information Security Continuous Monitoring)

NIST Cyber security framework
Identify, Protect, Detect, Respond, Recover

NIST Cryptographic life cycle
Initiation,
Development/Acquisition,
Implementation and Assessment,
Operation and Maintenance,
Sunset

PKI Life cycle
Initialization
Issued
Cancellation

ISO 27001
Plan Do Check Act (PDCA)

Business Continuity Planning (SICk AI)
Project Scope and Planning
Business Impact Assessment
Continuity Planning
Plan Approval and Implementation

Project Scope and Planning (A Long CAR)
Approved BCP from senior management
Creation of a BCP team
Structured Business Analysis
Resources assessment
Legal and Regulatory analysis

Business Impact Analysis (IP RAP)
Identify Priorities: business activities
Risk Assessment (Likelihood and Impact assessment)
Resource Prioritization

Continuity Planning
Preventative Strategy
Event handling Strategy
Strategy development
Provisions and processes
Buildings and Facilities
Infrastructure

Plan Approval and Implementation
DRP/BCP Training and Education
BCP Documentation
Continuity Planning Goals
Statement of Importance
Statement of Priorities
Statement of Organisation responsibilities
Statement of Urgency/Timing
Risk Assessment
Risk Acceptance/Mitigation
Vital Record Program
Emergency Response Guidelines
Maintenance
Testing and Exercise

If it's a B plan… Business Plan… BCP or BRP, then it is business focused and not IT focused. It covers IT as a support piece to other essential Business functions.
The COOP. COnt. Op. Plan. You gotta fly the coop and hide out for 30 days. Not IT focused… HQ writes it up. So- a chicken coop full of accountants with 30 days of supplies. 30 days.
Cont. of Support Plan aka IT Contingency Plan: Addresses IT Disruption- Not business plan. IT Supports ~~ hence Continuity of Support Plan.
Crisis Commo. Plan: Not IT Focused. Simply how to get a hold of people- Call trees.
Cyber Incident Response Plan: Remember PD in the RooM looking for PreCuM Lessons? Yeah. That. And it's IT Focused. Cyber Cops.
DRP: Often IT Focused. Major Disruptions, Long term effects.
OEP (Occupant Emer. Plan): Coordinated effort to minimize loss of life and injury and property damage in response to a physical threat. Purely based on people.
Crisis Management Plan: When managers can't communicate they go into crisis.
BRP: The BURP is the relief after a disaster… going from DRP then BRP: The ol' Durp and Burp.
SO THE ONLY IT FOCUSED PLANS ARE (CDC):
● Continuity of Support / IT Contingency Plan
● DRP
● Cyber Incident Response Plan

Vital Records: SLA's, Phone Lists, licensing info, support contracts, reciprocal agreements, etc. etc. need to be stored in hard copy and digital formats offsite. This should be self-evident.
Grand-Father Methodology for Tapes = YYMMDD, Year / Month / Day. Grand-Father has a Date!! 7 Daily's, 4 weekly, 12 Monthly. Or Grandpa's birthday is 7-4-12.
Electronic Vaulting: Big bags of money in and out… not individual bills (the big bags of money are BATCH PROCESSING).
Remote Journaling: Shitty Journalists keep logs, not actual data. RJ sends transaction logs afar- not actual data.
DB Shadow: Shadows one direction under the sun. (One-way writes of DB Data to a Shadow DB)
****TESTING OF DRP/BCP SHOULD BE DONE ANNUALLY********
Walk-Through vs Walkthrough Drill: A drill is an actual… drill. The goal of all the tests is to ensure Organization Readiness.
Security Clearances: Private and Military
US Can Stop Terrorism: Unclassified, Sensitive, Confidential, Secret, Top Secret.
TS – Grave damage. A Top Secret Grave for Jimmy Hoffa
S – Serious damage
C – Cause damage
Classified Data is C, C and above. C for Confidential. C for Classified.
Private companies use: Chicken playing PSP: Confidential / Private, Sensitive, Public
Confidential- C for Company, C for Confidential… it's info about company stuff, versus Private which is about People info (PHI and PII for example). P for people, P for Private.
Trademarks 10 + renewed 10x unlimited
Patents are 20 years from the time of patent
Copyright = Copywrite and it is 70 years. Corporations get more than common people do- so Corporations 70 years from conception. People get lifetime plus 70 years (so they actually get more).

Gate Classes:
1. Residential
2. Commercial
3. Industrial
4. Secure i.e. bank or airport.
You're looking for drugs. First you look around the house. Then head to Walgreens. Then you head to the plant where they make the drugs only to discover it is in a hidden vault in a bank.

3 Items Management Execs are responsible for in BCP/DRP:
1. Initiating
2. Final Approval
3. Demonstrate Due Care / Due Diligence
Initiate Final Demon Due Due.

BIA- 2 Processes to ultimately find the MTD's for specific IT Assets.
Processes:
1. ID of Critical Assets.
2. Comprehensive Risk Assessment Conducted.
**These are to find the MTD (RTO+WRT) of Specific IT Assets.**
Now you have the MTD…. You looked at how to prevent it… now look at how to save it if un-prevented….

Recovery Strategies:
Redundant Site - Instant fail over. Site running in parallel.
Hot Site - Just shy of parallel. Less than an hour recovery. Parallel Databases and security etc.
Warm Site - 24 to 48 hours boot up time. Back-Up Data not in parallel. Hardware ready- Backups not.
Cold Site - Cheapest. No Backup data. No immediate hardware. MTD measured in weeks. May be waiting on vendor shipments of hardware etc.
*All these sites have raised floors, power, utilities and physical security*

Other Plans:
Environmental: Humidity is half the problem. 40% to 60%. Temperature: Comfortable house temps. 60-75 degrees.

Fire Type Codes:
A - Ash (Wood and Paper): Water or Soda Acid
B - Boils (Gas and Oils) flammable liquid and gas: Gas or Soda Acid – Never Water
C - Current (Electrical): Nonconductive material such as gas.
D - Ding Ding (Metal): Dry Powder (for magnesium, titanium, potassium and sodium)
K - Kitchen cooking media (fats, grease, and oils)
Halon never goes on your DAK! Halon on all but D, A or K.
Halon and its substitutes: HALON now playing on FM200!!! This is DJ FE-13. FE-13 is the latest Fighter Jet. The FE-13 is the safest around.

802.3 v 802.11: The 3 is an Ethernet cord uncoiling. The 11 is rabbit ears on a Wi-Fi access point.

Attack Method: Recon. Scan Foot to fingertip. Where are they weak? Hit the weakness.
1. Recon
2. Footprint (network map)
3. Fingerprint
4. Vulnerability Assessment
5. Attack

Recovery v Reconstitution: Reconstitution = Reconstruction = New building = get the toilet in before the server. Therefore, least critical go up first. Recovery is the opposite. Recover the reactor. Get the cooling rods back online before the toilet.
Swapping v Paging: Swap whole books. Trading pages is a partial transfer.

Software Development Cycle
IDIOD pronounced IDIOT. First I is .ini and second I is implementation. Last thing you do with anything is throw it away, so second D is disposal.
1. Initiation
2. Development or Acquisition
3. Implementation ------ Certification and Accreditation here.
4. Operation
5. Disposal

10.0.0.0–10.255.255.255 (a full Class A range)
172.16.0.0–172.31.255.255 (16 Class B ranges)
192.168.0.0–192.168.255.255 (256 Class C ranges)
IPv6 uses 128 bits

Transport (TCP) PDU is segment
Network PDU is Packet
IP single unit is datagram
ARP translates IP to MAC
RARP translates MAC to IP
POP3 – 110
SMTP – 25
IP header protocol numbers: ICMP 1, IGMP 2, TCP 6, UDP 17
IPSec Transport Mode (only encrypt and authenticate the IP payload). Tunnel mode (encrypt and authenticate the whole IP packet including data and routing info): form a new IP packet with a new IP header.

OSI Application Layer (HTTP, HTTPS, DICOM, LDAP, MIME, SMTP, FTP, SFTP)
Presentation Layer (TLS, SSL)
Session Layer (RPC, SMB, SSH, NFS, NetBIOS, H.245, PAP, PPTP, SCP, ZIP)
Transport Layer (TCP, UDP, BGP, DCCP, FCP, RDP)
Network Layer (ATM, Routers, IP, IPSec, ICMP, OSPF, IPv4, IPv6, IPX, DDP, SPB)
Datalink Layer (Ethernet, FDDI, Frame Relay, VLAN, MAC, Switches, SPB)
Physical Layer (Volts, PINS, bit-rate, serial or parallel, USB, Ethernet 10Base varieties)
OSI Layer 2 (LLC IEEE802.2 and MAC IEEE802.3)
Hub (Physical layer)
Bridge (Data link layer)
Switch (2&3)
Router (Network Layer)
Ethernet address 48 bits
DS-1 provides 1.544 Mbps over a T1 line
Unshielded twisted pair (UTP) has 4 pairs of wires
IEEE802.5 (Token ring media access)
POP (Post Office Protocol) is to receive mail
SMTP is to send mail

Software Development Cycle (from CBK)
Initiation,
Requirements (security requirements),
Architecture (Threat modelling; apply security principles and controls to mitigate those threats),
Design (build security into the software's blueprints, fix Vulnerabilities),
Development (Secure coding, comprehensive testing, maintain security baseline),
Testing and validation (Pen test, code testing, acceptance testing),
Release and maintenance, and
Disposal
IR ADD T RD
I ride a dog dog train

COBIT
4 domains
Plan and Organize,
Acquire and Implement,
Deliver and Support, and
Monitor and Evaluate

Class   First binary digits   Decimal range of first octet
A       0XX                   1–126
B       10X                   128–191
C       110                   192–223
RFC1918

Common criteria
EAL1 Functionally tested
EAL2 Structurally tested
EAL3 Methodically tested and checked
EAL4 Methodically Designed, tested, and reviewed
EAL5 Semi-formally designed and tested
EAL6 Semi-formally Verified, designed and tested
EAL7 Formally verified, designed, and tested
(FSM DM-SSF) For Sure My Dear Mother - So Sweet Forever
Ethernet 48 bits
Cat 5e 1 Gbps

Database: ACID
OSI Model: PDNTSPA
DoD Model: ATIN
Threat Modelling: STRIDE
Bug Tracking: DREAD
Incident Response Process Steps: DRMRRRL
Capability Maturity Model: IRDMO
I Ride Dog/puppy MOtor cycle
Evidence must be: ACACA

Phases of Penetration Testing
Phase 1: Discovery or reconnaissance
Phase 2: Scanning and probing
Phase 3: Exploitation
Phase 4: Post-exploitation
Phase 5: Reporting findings

Certification is a technical evaluation of a software system's security compliance with specific standards to which it should conform. Accreditation means that management understands the overall security of the evaluated system and formally accepts the risks.

TCP Protocols
Application: HTTP, HTTPS, DICOM, LDAP, MIME, SMTP, FTP, SFTP
Presentation: In many references, no distinction between Presentation and Application layer protocols & TLS, SSL
Session: RPC, SMB, SSH, NFS, NetBIOS, H.245, PAP, PPTP, SCP, ZIP
Transport: TCP, UDP, BGP, DCCP, FCP, RDP
Network: ATM, Routers, IP, IPSec, ICMP, OSPF, IPv4, IPv6, IPX, DDP, SPB
DataLink: Ethernet, FDDI, Frame Relay, VLAN, MAC, Switches, SPB, bridge
Physical: Volts, PINS, bit-rate, serial or parallel, USB, Ethernet 10Base varieties, repeaters, hub
Stream cipher - keystream

Manage the Identity and Access Provisioning Lifecycle
Provisioning
Account Review
Account Revocation
L2TP: no encryption
RAID 5 runs faster on hardware (because of striping)
Spike: Momentary high voltage
Surge: Prolonged high voltage
FAGAN:
1. Planning
2. Overview
3. Preparation
4. Inspection
5. Rework
6. Follow-up
POPIRF

OWASP PenTest methodology
● Pre-engagement Interactions
● Intelligence Gathering
● Threat Modeling
● Vulnerability Analysis
● Exploitation
● Post Exploitation
● Reporting

Accreditation / certification / assurance / acceptance / validation

PASTA
Stage I: Definition of the Objectives (DO) for the Analysis of Risks
Stage II: Definition of the Technical Scope (DTS)
Stage III: Application Decomposition and Analysis (ADA)
Stage IV: Threat Analysis (TA)
Stage V: Weakness and Vulnerability Analysis (WVA)
Stage VI: Attack Modeling & Simulation (AMS)
Stage VII: Risk Analysis & Management (RAM)

Type 1 / Type 2 hypervisor difference
Nmap / Nessus / Metasploit
PenTest Methodology: PITVEPR
BCP (ISC2): Project Scope & Plan, BIA, Continuity Plan, Approval & Implementation
BIA: IRLIR

CHAP is a security protocol that automatically performs reauthentication of the client system throughout the connected session in order to detect session hijacking.
Federal Sentencing Guidelines

Attack Methodology: RFFVA
Twofish: Prewhitening
Risk Responses: RATARD
NIST Risk Management Framework: CSIAAM
SDLC: CFCDCSM
Security Controls: PDCDRC
Physical Security: DDDD
Difference between assurance and accreditation

Split DNS
The 169.254.x.x range is usually employed by the Microsoft APIPA response to failed DHCP services. The private IP addresses defined in RFC 1918 are 10.0.0.0 to 10.255.255.255 (a full Class A range), 172.16.0.0 to 172.31.255.255 (16 Class B ranges), and 192.168.0.0 to 192.168.255.255 (255 Class C ranges).
Control Objectives for Information and Related Technology (COBIT) is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA) and IT Governance Institute (ITGI).
Trademarks are granted for an initial period of 10 years and can be renewed for unlimited successive 10-year periods.
XML exploitation is a form of programming attack that is used to either falsify information being sent to a visitor or cause their system to give up information without authorization.
The Graham-Denning model is focused on the secure creation and deletion of both subjects and objects. Ultimately, Graham-Denning is a collection of eight primary protection rules or actions (listed in the question) that define the boundaries of certain secure actions.

Kerberos

Five main types of disaster recovery tests:
Read-through tests involve the distribution of recovery checklists to disaster recovery personnel for review.
Structured walk-throughs are "tabletop" exercises that involve assembling the disaster recovery team to discuss a disaster scenario.
Simulation tests are more comprehensive and may impact one or more noncritical business units of the organization.
Parallel tests involve relocating personnel to the alternate site and commencing operations there.
Full-interruption tests involve relocating personnel to the alternate site and shutting down operations at the primary site.

A switch is a networking device that can be used to create digital network segments (i.e., VLANs) that can be altered as needed by adjusting the settings internal to the device rather than on endpoint devices. A router connects disparate networks rather than creating network segments.

Trust comes first. Trust is built into a system by crafting the components of security. Then assurance (in other words, reliability) is evaluated using certification and/or accreditation processes.

DHCP UDP 67 (destination port for server), 68 (destination port for client)
RIP UDP 520
OSPF IP Protocol 89
DNS 53
SMTP 25
FTP TCP 20 (data) and 21 (control)
SSH TCP 22
Telnet TCP 23
TFTP UDP 69
SMTP TCP 25 outgoing mail
POP3 TCP 110 incoming mail
IMAP TCP 143 incoming mail
DHCP
Kerberos 88
LDAP 389 (unencrypted), 636 (encrypted)
HTTP 80
HTTPS 443
LPD 515 (printer)
NFS 2049 (Network File System)
SNMP UDP 161 (162 for trap messages)
SNMP v3 supports encryption

RFC 1918 private ranges:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Dedicated security mode:
- All users can access all data.
- Clearance for all information.
- Need to know for ALL data
System high security mode:
- All users can access some data, based on need to know
- Clearance for all information
- Need to know for SOME data
Compartmented security mode:
- All users can access some data, based on their need to know and approval.
- Clearance for all information they access
- Need to know for SOME data
- Use of information labels
Multi-level:
- All users can access some data, based on their need to know, approval and clearance.
- Clearance for all information they access
- Need to know for SOME data

Others:
Amendment   Speed       Frequency
802.11      2 Mbps      2.4 GHz
802.11a     54 Mbps     5 GHz
802.11b     11 Mbps     2.4 GHz
802.11g     54 Mbps     2.4 GHz
802.11n     200+ Mbps   2.4 GHz or 5 GHz
802.11ac    1 Gbps      5 GHz

Point-to-Point Protocol (PPP) This is a full-duplex protocol used for transmitting TCP/IP packets over various non-LAN connections, such as modems, ISDN, VPNs, Frame Relay, and so on. PPP is widely supported and is the transport protocol of choice for dial-up internet connections. PPP authentication is protected through the use of various protocols, such as CHAP and PAP. PPP is a replacement for SLIP and can support any LAN protocol, not just TCP/IP.
Serial Line Internet Protocol (SLIP) This is an older technology developed to support TCP/IP communications over asynchronous serial connections, such as serial cables or modem dial-up. SLIP is rarely used but is still supported on many systems. It can support only IP, requires static IP addresses, offers no error detection or correction, and does not support compression.
Privileged entities are those who are given special access to off-limits areas of the company's crucial IT infrastructure.

A VLAN (virtual LAN) is a hardware-imposed network segmentation created by switches that requires a routing function to support communication between different segments.

Point-to-Point Tunneling Protocol (PPTP) is an encapsulation protocol developed from the dial-up Point-to-Point Protocol. It operates at the Data Link layer (layer 2) of the OSI model and is used on IP networks. PPTP creates a point-to-point tunnel between two systems and encapsulates PPP packets. It offers protection for authentication traffic through the same authentication protocols supported by PPP:
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
Challenge Handshake Authentication Protocol (CHAP)
Password Authentication Protocol (PAP)
Extensible Authentication Protocol (EAP)
Shiva Password Authentication Protocol (SPAP)

l2tp pptp

Layer 2 Forwarding (L2F) is a mutual authentication tunneling mechanism. However, L2F does not offer encryption. L2F was not widely deployed and was soon replaced by L2TP. As their names suggest, both operate at layer 2. Both can encapsulate any LAN protocol.

Layer 2 Tunneling Protocol (L2TP) was derived by combining elements from both PPTP and L2F. L2TP creates a point-to-point tunnel between communication endpoints. It lacks a built-in encryption scheme, but it typically relies on IPsec as its security mechanism. L2TP also supports TACACS+ and RADIUS. IPsec is commonly used as a security mechanism for L2TP.

TACACS+ encrypts user name and password
PAP does not encrypt username and password

Password Authentication Protocol (PAP) This is a standardized authentication protocol for PPP. PAP transmits usernames and passwords in cleartext.

security domain

5 rules of evidence: authentic, accurate, complete, convincing, admissible

Technical mechanisms are the controls that system designers can build right into their systems. We'll look at five: layering, abstraction, data hiding, process isolation, and hardware segmentation.

Security Content Automation Protocol (SCAP) was developed to meet this need. SCAP provides this common framework for discussion and also facilitates the automation of interactions between different security systems. The components of SCAP include the following:
Common Vulnerabilities and Exposures (CVE) provides a naming system for describing security vulnerabilities.
Common Vulnerability Scoring System (CVSS) provides a standardized scoring system for describing the severity of security vulnerabilities.
Common Configuration Enumeration (CCE) provides a naming system for system configuration issues.
Common Platform Enumeration (CPE) provides a naming system for operating systems, applications, and devices.
Extensible Configuration Checklist Description Format (XCCDF) provides a language for specifying security checklists.
Open Vulnerability and Assessment Language (OVAL) provides a language for describing security testing procedures.
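The PAP versus CHAP point above (PAP sends the password in cleartext; CHAP answers a challenge with a hash and the secret never crosses the link), shown as an added example that is not part of these notes. Both ends of the PPP link are simulated in one process and every frame is recorded so a passive observer's view can be checked; the user name, secret and challenge are constructed sample values.

```python
import hashlib
import os

# Constructed sample credentials (not real values from anywhere).
SECRET = b"correct horse battery staple"   # shared secret known to both sides
USER = b"alice"                            # peer name


def pap_authenticate(wire: list, user: bytes, password: bytes) -> bool:
    """PAP: the peer sends its name and password as-is in an
    Authenticate-Request; the authenticator compares against its stored copy.
    Every frame is appended to `wire`, the simulated link."""
    wire.append(b"PAP Authenticate-Request " + user + b":" + password)
    return password == SECRET  # authenticator's check


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value per RFC 1994: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_authenticate(wire: list, user: bytes, peer_secret: bytes) -> bool:
    """CHAP three-way handshake. Only the random challenge and a one-time
    hash cross the link; the secret itself never does."""
    ident = 1
    challenge = os.urandom(16)                               # authenticator -> peer
    wire.append(b"CHAP Challenge " + bytes([ident]) + challenge)
    response = chap_response(ident, peer_secret, challenge)  # peer -> authenticator
    wire.append(b"CHAP Response " + bytes([ident]) + response + user)
    expected = chap_response(ident, SECRET, challenge)       # authenticator recomputes
    ok = response == expected
    wire.append(b"CHAP Success" if ok else b"CHAP Failure")
    return ok


def secret_on_wire(wire: list) -> bool:
    """What a passive observer of the link learns: does any frame contain the secret?"""
    return any(SECRET in frame for frame in wire)


if __name__ == "__main__":
    pap_wire, chap_wire = [], []
    print("PAP authenticated:", pap_authenticate(pap_wire, USER, SECRET),
          "| secret visible on wire:", secret_on_wire(pap_wire))
    print("CHAP authenticated:", chap_authenticate(chap_wire, USER, SECRET),
          "| secret visible on wire:", secret_on_wire(chap_wire))
```

CHAP only keeps the secret off the wire; the authenticator still stores it in recoverable form, and neither protocol encrypts the data that follows, which is the job the notes assign to IPsec.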
IPsec is often combined with Layer 2 Tunneling Protocol (L2TP) for VPNs. L2TP transmits data in cleartext, but L2TP/IPsec encrypts data and sends it over the internet using Tunnel mode to protect it while in transit.

bluetooth uses a weak encryption cipher

sha max 512

The NIST recommends 2048-bit keys for RSA. An RSA key length of 3072 bits should be used if security is required beyond 2030. NIST key management guidelines further suggest that 15360-bit RSA keys are equivalent in strength to 256-bit symmetric keys.

spml, saml, xacml

bridge separates collision domains
router separates broadcast domains

BCP (from Boson)
Develop BCP policy
conduct BIA
Identify preventive control
develop recovery strategy
develop IT contingency plan
perform DRP development, training and testing
perform BCP/DRP maintenance

fraggle attack udp

ring model

Technical Mechanisms

change management processes:
1. Request the change. Once personnel identify desired changes, they request the change. Some organizations use internal websites, allowing personnel to submit change requests via a web page. The website automatically logs the request in a database, which allows personnel to track the changes. It also allows anyone to see the status of a change request.
2. Review the change. Experts within the organization review the change. Personnel reviewing a change are typically from several different areas within the organization. In some cases, they may quickly complete the review and approve or reject the change. In other cases, the change may require approval at a formal change review board after extensive testing.
3. Approve/reject the change. Based on the review, these experts then approve or reject the change. They also record the response in the change management documentation. For example, if the organization uses an internal website, someone will document the results in the website's database. In some cases, the change review board might require the creation of a rollback or back-out plan. This ensures that personnel can return the system to its original condition if the change results in a failure.
4. Test the change. Once the change is approved, it should be tested, preferably on a nonproduction server. Testing helps verify that the change doesn't cause an unanticipated problem.
5. Schedule and implement the change. The change is scheduled so that it can be implemented with the least impact on the system and the system's customer. This may require scheduling the change during off-duty or nonpeak hours.
6. Document the change. The last step is the documentation of the change to ensure that all interested parties are aware of it. This often requires a change in the configuration management documentation. If an unrelated disaster requires administrators to rebuild the system, the change management documentation provides them with the information on the change. This ensures that they can return the system to the state it was in before the change.