-- Misc Flashcards

(22 cards)

1
Q

Footprinting

A

Footprinting includes going through the target organization’s official websites and social media, performing dumpster diving, searching sources for employees’ names, email addresses, and IDs, going through a tour of the organization, and other kinds of onsite observation.

2
Q

Watering Hole

A

A watering hole attack is when an attacker targets a website that’s commonly visited by a specific group (like employees of a certain company or industry), infects it with malware, and waits for the victims to come to them.

3
Q

Plaintext (or cleartext)

A

an unencrypted message

4
Q

Ciphertext

A

an encrypted message

5
Q

Algorithm

A

the process used to encrypt and decrypt a message.

6
Q

Cryptanalysis

A

the art of cracking cryptographic systems

7
Q

Encryption keys

A

Encryption keys are used to encrypt and decrypt data.

Symmetric encryption uses the same key to encrypt and decrypt data.

Asymmetric encryption uses one key to encrypt the data and a different key to decrypt the data. These keys are known as a public key and private key.

8
Q

Hashing

A

Hashing is the process of converting one value into another using a mathematical algorithm like MD5 or SHA.

Hashing is used on data that does not need to be decrypted, such as passwords.

When a piece of data is run through a hashing algorithm, it always generates the same hash. If even one letter in a file has been altered, the resulting hash would be different. Because of this, hashing can be used to verify that data has not been altered during transmission.

A hash cannot be decrypted.

9
Q

Salt

A

Salt, or salting the hash, means that a random number of characters are added to the password before the hash is created.

10
Q

Digital signatures

A

By combining a user’s private encryption key and a hash of the data, a user can create a digital signature. A digital signature verifies that the data is legitimate and provides non-repudiation. This means that the sender cannot deny having sent the file.

11
Q

Elliptic Curve Cryptography (ECC)

A

Elliptic Curve Cryptography is one of the newer methods being implemented. ECC can generate smaller keys that are more secure than most other methods. Many websites today use ECC to secure connections and data transmissions.

12
Q

Perfect Forward Secrecy

A

This cryptography method is used quite often in messaging apps. Instead of the same key being used for an entire conversation or session on a website, each transmission is encrypted with a different unique key.

13
Q

Steganography

A

Steganography is the technique of hiding or concealing a file, message, image, or video within another file, message, image, or video. Special programs are often used to hide messages in media files. If a hacker intercepts the message, all they see is the media. They don’t know that there is a hidden message.

14
Q

Unknown Vulnerability Management Process

A

1) Analyze
2) Test
3) Report
4) Mitigate

15
Q

Waterfall Model

A

1) Requirements
2) Design
3) Implementation
4) Testing
5) Deployment
6) Maintenance

Requirements: All requirements for the application being developed are gathered from the client, user, or stakeholder.
Design: The software is documented, diagramed, and designed.
Implementation: The code is written.
Testing: A quality assurance team makes sure requirements are met, the code works properly across devices, and security issues are noted.
Deployment: The application is released to a client or the public.
Maintenance: The application is monitored for bugs or problems that are patched or fixed while in use. This is an ongoing stage that continues throughout the life of the app.

16
Q

Agile Model

A

Is made up of Sprints. Each Sprint is a specific feature. Each Sprint goes through the normal development cycle, i.e., requirements, design, development, testing, and deployment.

Testing is performed throughout.

The Agile model works in this manner:

It breaks development into smaller time frames called Sprints.
Each Sprint has a specific duration (usually two to three weeks).
Developers work on one feature during a Sprint.
At the end of each Sprint, developers move on to the next feature.
Testing is performed throughout the development cycle.

17
Q

Coding Errors

A

Coding Error Type: Description

Compile:
An error that occurs during the building or compilation stage
Error compromises the software implementation
Prevents the app from running

Runtime:
An error that occurs while software is running
Sometimes called bugs

18
Q

Application Testing

A

Secure Testing Method: Description

Static application security testing:
Known as white box testing
Focuses on analyzing source code, binaries, and byte code early in the development process
Good at identifying things like SQL injections and buffer overflows
Can identify the exact cause of a coding problem:
Only in code that’s written but not deployed
Is language specific
Can run continually and be widely applied
Has a high percentage of false positives
Limited in the types of vulnerabilities it can detect

Dynamic application security testing:
Known as black box testing
Scans applications after deployment
Tests from the outside
Uses a series of tests to determine vulnerabilities and flaws
Not language specific
Has fewer false positives
Hard to automate
Cannot pinpoint the cause of a flaw
Can take up to a week to complete the testing process

Interactive application security testing:
Has two types:
Passive:
Interactive functionality is built into static application security testing.
Uses source code scanners during runtime.

Active:
Testing tools can access interpreters and compilers, allowing precise identification of a problematic line of code in runtime.
Speeds up testing and remediation.
Can help in the Development stage by catching vulnerabilities early.
Can help in the QA stage by adding automated security checkpoints.
Can help in the Production stage through continuous monitoring.

19
Q

Incident Response Lifecycle

A

1) Preparation
2) Detection
3) Analysis
4) Containment
5) Eradication
6) Recovery
7) Lessons Learned

Preparation — makes the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and setting up confidential lines of communication. It also implies creating incident response resources and procedures.
Detection — discovers indicators of threat actor activity. Indicators that an incident may have occurred might be generated from an automated intrusion system. Alternatively, incidents might be manually detected through threat hunting operations or be reported by employees, customers, or law enforcement.
Analysis — determines whether an incident has occurred and performs triage to assess how severe it might be from the data reported as indicators.
Containment — limits the scope and magnitude of the incident. Incident response aims to secure data while limiting the immediate impact on customers and business partners. It is also necessary to notify stakeholders and identify other reporting requirements.
Eradication — removes the cause and restores the affected system to a secure state by applying secure configuration settings and installing patches once the incident is contained.
Recovery — reintegrates the system into the business process it supports with the cause of the incident eradicated. This recovery phase may involve restoring data from backup and security testing. Systems must be monitored closely to detect and prevent any reoccurrence of the attack. The response process may have to iterate through multiple phases of identification, containment, eradication, and recovery to effect a complete resolution.
Lessons learned — analyzes the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident. Outputs from this phase feed back into a new preparation phase in the cycle.

20
Q

Runbooks

A

Runbooks are a condition-based series of protocols you can use to establish automated processes for security incident response. Assessment, investigation, and mitigation are accelerated using a runbook. Even though processes are automated, human analysis is still used in some cases.

21
Q

Playbook

A

A playbook is a checklist-style document specifying how to respond to a threat or incident. The steps are listed in the order to be performed. A playbook ensures a consistent approach to security issues.

22
Q

Order of Volatility

A

1) RAM
2) Swap Files / Page Files
3) Hard Drive
4) Remote Logs
5) Archived Data

or

1) CPU registers and cache memory
2) RAM
3) Mass Storage
4) Partition and File Blocks
5) Memory caches
6) Files and Directories