old notes

homework

#UofTBootcamp #netsec #cyberkillchain #c2 #homework #classwork

Follow-up Questions

11.1 Notes – how does firewall affect zoom/signal? – review TCP flags – meaning of “stateness” as agnostic of network connection? – ACTIVITY: blocking all ICMP pings – i thought this was not a good practice


Homework

Layered Security: multiple products to address a single aspect of security

  • gateway (hardware) and firewall (hard and soft) to restrict access
  • subset of defense in depth
  • evaluated in three areas: administrative, physical, technical
  • admin: policies and procedures, i.e. role-based access control (RBAC) or employee training against phishing scams
  • physical: locking server rooms

Defense in Depth: Redundancy approach

  • strategy leveraging multiple security measures so if one line of defense is compromised, additional layers are backup
  • buys time to launch countermeasures if infiltrated
  • addresses hardware, software, people re: negligence, human error
  • includes anti-virus, firewalls, secure gateways, VPNs, machine learning to detect anomalies in behaviour of employees and endpoints

common issues organizations have to deal with when implementing a cybersecurity strategy:

  • anti-malware software not updated or is not installed on all devices.
  • Employees have not been trained and are falling victim to phishing schemes.
  • Software patches are not being updated or are ignored.
  • Security policies are not enforced or even known by employees.
  • Missing or poorly implemented encryption.
  • Remote employees are connecting to unsecured networks, such as the public internet.
  • Physical security flaws, such as unsecured server rooms.
  • Business partners, such as cloud service providers, are not fully secure.

Elements of Defense in Depth System:

1. Physical Controls: key cards to enter a building or scanners to read fingerprints 2. Net Sec controls: software authenticating employee to enter network/use device/application 3. Admin controls: authorizes employees, once authenticated, to access only certain applications or parts of the network 4. Antivirus: stops malicious software from entering network/spreading 5. Behavioural Analysis: algorithmns/ML can detect anomalies in the behaviour of employees and in the application and devices themselves

Core layers of defense in depth strategy should include:

  • Strong, complex passwords
  • Antivirus software
  • Secure gateway
  • Firewall
  • Patch management
  • Backup and recovery
  • least privilege

  • As companies grow and the number of devices, applications, and services used across the organization increases, these serve as important security layers in a defense-in-depth strategy:

  • Two-factor authentication (2FA) or multi-factor authentication (MFA)

  • Intrusion detection and prevention systems

  • Endpoint detection and response (EDR)

  • Network segmentation

  • Encryption

  • Data loss prevention

  • VPNs

Intrusion Detection and Attack indicators

difference-between-ids-ips-venn-diagram-768x611.webp

1. What's the difference between an IDS and an IPS?

IDS (Intrusion Detection System) is a detection and monitoring tool that doe snot take action on its own so a human (or another system) has to read and interpret the results. IPS (Intrusion Prevention System) is a control system that accepts or rejects a packet based on the rulelist — this means that unlike IDS, the IPS can take action against potential attacks.

Another difference is that IPS sits on the network in the same area as a firewall might (between the outside and internal network) so traffic has to flow through the IPS. An IDS only monitors the traffic, it is not in the line of traffic.

The last difference is that while both are known for generaeting false positives, in the event of an IDS, the false positive will only create alerts whereas for the IPS, this coudl cause the loss of important data or functions (again because it sits on the network).

2. What's the difference between an Indicator of Attack and an Indicator of Compromise?

An Indicator of Attack (IOA) focuses on detecting the intent of what an attacker is trying to accomplish regardless of the malware or exploit being used and is typically an alert before a network or application is exploited. On the other hand, an Indicator of Compromise (IOC) is regarded as the evidence that indicates a network security breach. It is usually gathered after a suspicious incident, on a scheduled basis or after an unusual discovery.

The Cyber Kill Chain

Name each of the seven stages for the Cyber Kill chain and provide a brief example of each.

1. Stage 1: Reconnaisance – Attackers pick a target and perform analysis, collect information (such as email addresses, conference information, technology stack, etc) and evaluate their target's weaknesses.

Example: Trying to discover what firewalls or intrusion prevention systems are in place for a targeted network. Using tools such as nmap, stan, or Strobe to search for vulnerabilities.

2. Stage 2: Weaponization – Attackers determine how best to get inside the network by exploiting the discovered vulnerabilities.

Example: Using a malware tailored to exploit the specific techhology that they discovered in the Reconnaisance stagethat the target network uses. Using a Zero-day vulnerability they have discovered.

3. Stage 3: Delivery – The chosen attack method is delivered to the target encironment.

Example: An infected USB drive is dropped off at the target office, a malicious attachment is sent via a phishing email, etc.

4. Stage 4: Exploitation– The attackers leverage the vulnerabilities and execute the malicious code on the target network.

__Example: __Triggering a Buffer overflow/underflow on a vulnerable database.

5. Stage 5: Installation – The malware weapon is installed, giving the attaker's an access point to the target environment, ideally one that they can return to effortlessly.

Example: A DLL Hijacking attack that exploits the way some Windows applicatons search and load Dynamic Link Libraries (DLL) by copying the name of a legitimate DLL and placing the malicious DLL in a position that the application will search first so that the malicious DLL will load instead. The malicious DLL could be written to launch the malware and then the legitimate DLL can be loaded to avoid suspicion, creating a persistent point of entry for the attacker.

6. Stage 6: Command and Control (C2) – The attackers have uninterrupted remote access to the target environment and can manipulate it to their choosing.

__Example: __

7. Stage 7: Actions on Objective – The original goal(s) of the attack can be executed.

Week 11.1 Notes: Intro Netsec + Firewalls

Defense in Depth: Perimeter || Network || Host || Application || Data

Net Sec Definition from SANS:

  • physical and software preventative measures to protect underlying network infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure
  • goal is to create a secure platform for computers, user, programs to perform permitted critical functions within secure environment

Firewall: between application servers and routers to provide access control

  • control access to single host or network
  • first layer of defense on perimeter of the network's edge
  • can slow connections, affect lack of connection, break networked apps like zoom, messager
  • filter incoming/outgoing packets
  • access policies / rules

Firewall Steps:

(1) Intercept traffic before it reaches target host or router (2) Inspect source and destination address, ports, TCP flags, and other features of incoming packets (3) Allow/deny packets

Firewall Types + OSI

MAC: useless comparison to approval list, can be spoofed easily

STATELESS Packet Filtering : create checkpoints within a router and examine packets as they progress through an interface; if not pass inspection, drop – stateless = does not care about network connection – layer 3-4 – statically evaluate contents of packets and do not keep track of the state of a network connection – use rules based on individual packets such as: source/destination IP, source/destination port info, IP protocols, Ingress and egress interface – vulnerable to spoofing, no custom rules

STATELESS Packet Filtering : still L3-4 but is stateful so it can determine whether a packet is NEW, ESTABLISHED, or rogue bc it understands context of entire data stream. – statefull firewalls do not look at individual packets but connection as a whole – inspect packets' conversation and routing tables, use a combination of TCP handshake verification and packet inspection tech – cannot determine what traffic is doing, only identify that a connection is using x protocol, not what the payload is

Circuit-level gateways: SESSION LAYER – verify the TCP handshake by looking at the HEADER of a packet only – NOT PAYLOAD – TCP handshake checks verify: unique session identifier, state of connection (established vs closed), sequencing info – ensures that session packets are from legit sources – fast/easy but does not check contents of packets – if packet contains malware but has correct TCP, data is allowed to pass

Application gateways: Proxy firewalls L3-7, STATEFUL – inspect actual contents of packet, including authentication and encryption – use deep packet inspection and stateful inspection to determine if incoming traffic is safe or harmful – intercept all traffic without data source knowing – connection is established to proxy firewall which inspects traffic and passes/drops – more secure, provides log/file audit – resource intensive, requires hardware, bypassed with encryption

UFW: Uncomplicated Firewall: provides stateless and stateful packet filtering

  • works on all kinds of network address and port translation, i.e. NAT, NAP (Network Addressing Protection)
  • manage multiple devices over CLI UFW features:
  • host-based
  • multi-level logs, great insight into attacks
  • remote management – security concern?
  • rules for allow/deny regarding: source/destination IP addresses, port numbers, packet types — all without opening packet
  • TCP handshake, packet inspection
  • rate-limited connections to protect from brute force DISADVANTAGE: all firewall services must be stopped/restarted for changes, interrupting service

firewalld: dynamically managed firewall w/o disruption using zones to divide network interfaces into groups of shared trust level

Zones: each zone has rules/configs that can runtime (valid until next reboot or service reload, used for testing) or permanent Services: designate which service you want ot allow, it will automatically open those ports

11.1 Activities

Activity UFW (Uncomplicated Firewall) – need to have ports 110, 143, 587, 80, 443 to be open at all times as part of its daily operations. -


#bash #scripting #bashsyntax #UofTBootCamp #homework

Takeaways

  • quotes around the array in a for loop is best practice:

Without them, the for loop will break up the array by substrings separated >by any spaces within the strings instead of by whole string elements within >the array. ie: if you had declare -a arr=("element 1" "element 2" "element 3"), >then for i in ${arr[@]} would mistakenly iterate 6 times since each string >becomes 2 substrings separated by the space in the string, whereas for i in >"${arr[@]}" would iterate 3 times, correctly, as desired, maintaining each >string as a single unit despite having a space in it.

  • you can only capture with echo. Using return is the same as exit (so you can only capture the exit code)

Syntax Quickies

quick init + iteration

read -a arr <<< "one two three" for i in ${arr[@]} do echo $i done

  • access elements

passing multiple arrays as arguments

`takesaryas_arg() { declare -a argAry1=(“${!1}”) echo “${argAry1[@]}”

declare -a argAry2=(“${!2}”) echo “${argAry2[@]}” } trywithlocalarys() { # array variables could have local scope local descTable=( “sli4-iread” “sli4-iwrite” “sli3-iread” “sli3-iwrite” ) local optsTable=( “—msix —iread” “—msix —iwrite” “—msi —iread” “—msi —iwrite” ) takesaryasarg descTable[@] optsTable[@] } trywithlocal_arys`


About Me

#whoami #cv #extendedcv #favouritebooks #philosophy #email #me #at #yffenim@protonmail.com #guaranteed #slow #reply


CTF Learning Journey

#bandit #overthewire #hackthebox #leviathan


Infosec Concept Notes and Cheatsheets

#threatmodeling


UofT Cybersecurity Bootcamp

#UofTBootcamp #classwork #homework #classwork


Homelab Experimentations

#brainstorm #config_1


Searchable Tags by Topic

#ssh #nmap #nc #git #grep #awk #ps


Other Careers

#activism #poetry #prose #fiction #literature #movementtherapy #personaltraining