1. What is one difference between an HTTP GET and an HTTP POST request?
Only POST requests may include parameter data in the request body
Only POST requests can encode parameters in the URL
Only GET requests use the REFERER header
Only GET requests are subject to the same-origin policy
2. Which of the following is true about static and dynamic web content?
The server often produces dynamic content based on the contents of the database
Static content may be re-generated with each request
Static pages may include PHP programs, which execute at the browser
Javascript programs embedded in HTML pages are run server-side to produce dynamic content
3. SQL injection exploits a bug in what interaction of a web application?
Network to server
Server to client
Server to database
Client to server
4. SQL injection often allows an attacker to do which of the following?
Overrun a buffer to smash the stack
All of the above
Cause memory to be used after it's freed
Access information he shouldn't
5. If you had to summarize the key (most specific) programming failure with SQL injection, it would be:
Confusing data with code
Bypassing authentication
Trusting without verifying
Circumventing the same origin policy
6. What is escaping an example of?
Blacklisting
Sanitization
Checking
Whitelisting
7. Suppose a web application implements authentication by constructing an SQL query from HTML form data using PHP's prepared statements. What would happen if an attacker entered FRANK' OR 1=1; -- in the web form's user field?
The text will modify the structure of the SQL query and possibly bypass authentication
The application will try to authenticate a user whose name is FRANK' OR 1=1; --
The text will corrupt the query structure and the database will view it as a syntax error
The text will be confused as the password and authentication will probably fail
8. Why is it undesirable to implement session identifiers using (only) hidden form fields?
The session ID is forgotten when the browser window is closed
Such fields cannot contain binary data
Such fields cannot include timeout information
These fields are easily modified by the user
9. Suppose a browser submits a GET request to URL http://www.mybank.com/accountinfo on 20 February 2015. Which of the following cookies, if already stored at the browser, would be sent with the request?
lang=us-english; expires=Sat, 1-Aug-2015; path=/accountinfo/; domain=.fidelity.com
sessid=ABCDEFG; expires=Sat, 21-Feb-2015; path=/; domain=.mybank.com
edition=us; expires=Thu, 19-Feb-2015; path=/accountinfo/prefs; domain=.mybank.com
edition=us; expires=Wed, 18-Feb-2015; path=/; domain=.mybank.com
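The cookie-scoping rules behind question 9, worked through in an added Python example that is not part of the quiz or the course: it applies the domain-match, path-match and expiry checks a browser performs to the four cookies from the question. Beyond what the question asks, it also honours a Secure attribute (an assumption, since none of the four cookies carries one), so a cookie flagged Secure is withheld from a plain-http request. The request, date and cookie strings are the question's; the later date is constructed.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Sample input: the request and the four stored cookies from question 9.
REQUEST_URL = "http://www.mybank.com/accountinfo"
REQUEST_TIME = datetime(2015, 2, 20, tzinfo=timezone.utc)
LATER_TIME = datetime(2015, 2, 22, tzinfo=timezone.utc)  # constructed: after every expiry
STORED_COOKIES = [
    "lang=us-english; expires=Sat, 1-Aug-2015; path=/accountinfo/; domain=.fidelity.com",
    "sessid=ABCDEFG; expires=Sat, 21-Feb-2015; path=/; domain=.mybank.com",
    "edition=us; expires=Thu, 19-Feb-2015; path=/accountinfo/prefs; domain=.mybank.com",
    "edition=us; expires=Wed, 18-Feb-2015; path=/; domain=.mybank.com",
]


def parse_cookie(line):
    """Split 'name=value; attr=val; flag' into a dict; attribute names are case-insensitive."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: the leading dot is ignored; the host must equal the
    cookie domain or be a subdomain of it (a suffix match on a label boundary)."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path, cookie_path):
    """RFC 6265 path-match: the cookie path must equal the request path or be a
    prefix of it that stops at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def is_expired(cookie, now):
    """A cookie without Expires is a session cookie and lives until the browser closes."""
    expires = cookie.get("expires")
    if expires is None:
        return False
    when = datetime.strptime(expires, "%a, %d-%b-%Y").replace(tzinfo=timezone.utc)
    return when <= now


def cookies_for_request(url, now, stored):
    """Return the 'name=value' pairs a browser would attach to this request."""
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path or "/"
    sent = []
    for line in stored:
        c = parse_cookie(line)
        if is_expired(c, now):
            continue
        if not domain_matches(host, c.get("domain", host)):
            continue
        if not path_matches(path, c.get("path", "/")):
            continue
        # Assumed extension: a Secure cookie is never sent over plain http.
        if "secure" in c and parts.scheme != "https":
            continue
        sent.append(f"{c['name']}={c['value']}")
    return sent


if __name__ == "__main__":
    print(cookies_for_request(REQUEST_URL, REQUEST_TIME, STORED_COOKIES))
```

Note that the path check is a directory-boundary prefix match, so a cookie scoped to /accountinfo/ is not sent to /accountinfo, and a cookie scoped to /accountinfo/prefs is not sent to its parent path; only the domain and expiry of the sessid cookie line up for a request on 20 February 2015.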
10. Which of the following are ways that session cookies could be stolen or forged?
Copying a cookie by keylogging
Compromising the browser or server
Predicting the cookie's structure and reconstructing it
11. Which of the following are ways to reduce the impact of a stolen cookie?
Associate the cookie with the server's IP address
Changing a user's cookie from session to session
Prevent cookies from entering the DNS cache
12. How can the REFERER field be used to defend against CSRF attacks?
It can be used to ensure that sensitive requests are (only) initiated by interaction with a site's own pages
It can be used to check that a Javascript program is from the proper origin
It can't be used reliably because it only works for dynamic content
It ensures that requests only come from authenticated users
13. <script></script> tags in HTML pages most often identify programs written in what language?
Javascript
Java
PHP
C
14. The browser implements security for Javascript programs for what reason?
It doesn't -- Javascript programs run at the server so the browser can ignore them
It doesn't -- these programs are only used to render dynamic content but are otherwise not security-relevant
Such programs could deny service by running forever
Such programs may access browser-controlled resources, which include potentially sensitive data in HTML documents and cookies
15. XSS subverts what policy?
Whitelisting
Secure defaults
Same Origin
Availability
16. What is the difference between stored (or persistent) XSS and reflected XSS?
Stored XSS works by injecting code in a site's served content, while reflected XSS injects code in a URL
Stored XSS embeds Javascript in a URL, while reflected XSS embeds it in a mirrored site
Stored XSS is amenable to blacklisting but reflected XSS is not
Stored XSS works on database queries while reflected XSS works on cookies, which are received from and reflected back to the server
Tech Notes
Sunday, May 28, 2017
Thursday, May 25, 2017
Curriculum
I am going to approach this learning experience by following a structured path that includes everything I need to know. Here will live the master curriculum which I will add to and update as I go along.
There are many great (and free) resources on the web. After building a list of courses I wanted to take, based on a Cyber Security master's degree curriculum, I found that Cybrary had everything I needed to get started, so I will be using many of their resources to fulfill my educational requirements.
I love information but I also love simplicity. I plan to use these resources to learn to be a security professional as quickly and efficiently as possible.
There is a useful extension for Chrome called vimeo repeat & speed that can be used to watch the HD videos sped up.
I will be posting each course with my course notes so that this blog can be searched when more information is needed on a subject.
Off we go!
System Security https://www.cybrary.it/skill-certification-course/fundamental-system-security-certification-training-course
Introduction to Malware https://www.cybrary.it/skill-certification-course/malware-fundamentals-certification-training-course
Secure Systems Architecture https://www.cybrary.it/skill-certification-course/security-architecture-fundamentals-certification-training-course
Cryptography https://www.cybrary.it/skill-certification-course/cryptography-certification-training-course
Web Application Penetration Testing https://www.cybrary.it/course/web-application-pen-testing/
Cyber Security Operational Policy https://www.cybrary.it/skill-certification-course/policy-development-certification-training-course
Secure Software Design and Development https://www.cybrary.it/skill-certification-course/software-development-security-certification-training-course
Network Visualization and Vulnerability Detection https://www.cybrary.it/skill-certification-course/end-user-network-security-certification-training-course
Cyber Incident Response and Computer Network Forensics https://www.cybrary.it/skill-certification-course/incident-response-certification-training-course
Introduction to Vulnerabilities https://www.cybrary.it/course/metasploit/
Cryptography
Historical uses of cryptography
-Caesar cipher -each character is shifted 3 places to the left
-Scytale -the Spartans used this cipher to send messages to generals in the field; a strip of tape is wrapped around a rod, and the diameter of the rod is the pre-agreed secret
-Vigenère -a polyalphabetic cipher; a key word is agreed upon, and the first letter of the key is matched against the first letter of the message
-Vernam cipher -the only mathematically unbreakable form of cryptography; the one-time pad
Security services provided by cryptography
-privacy, authenticity, integrity, non-repudiation
plain text + initialization vector + algorithm + key = cipher text
Desirable qualities of an algorithm
-confusion, diffusion, avalanche, permutations, openness (Kerckhoffs's principle)
Desirable qualities of a key
-long, random, secret
Symmetric cryptography
-the same key is used by both parties to both encrypt and decrypt
-two types of symmetric ciphers or algorithms --> stream and block
-stream ciphers are very efficient, but are generally considered not as secure
-RC4 is a stream cipher
-block ciphers are slower but more secure
-two main block ciphers used today are AES and 3DES
-drawbacks of symmetric cryptography -out-of-band key exchange, not scalable, no authenticity, integrity, or non-repudiation
Asymmetric cryptography
-every user has a key pair -the public key is made available to anyone who requests it; the private key is only available to that user and must not be disclosed or shared
-the keys are mathematically related so that anything encrypted with one key can only be decrypted by the other
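The historical ciphers from the notes above, as an added Python example that is not part of the course or these notes: a Caesar shift (the shift is a parameter, so the notes' "3 to the left" convention is a shift of -3 and decryption is the opposite shift), Vigenère with a repeating key word, and a Vernam one-time pad whose key comes from a CSPRNG and is as long as the message. The last function shows the caveat behind the "unbreakable" claim: if the same pad is used twice, XOR of the two ciphertexts equals XOR of the two plaintexts and the key drops out, so wherever the two messages agree the eavesdropper sees zero bytes. The sample messages and key word are constructed.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase


def caesar(text, shift):
    """Shift each letter by `shift` places (negative = to the left); other characters
    pass through unchanged. Decrypt by calling again with the opposite shift."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def vigenere(text, key, decrypt=False):
    """Polyalphabetic: the i-th letter of the message is shifted by the i-th letter of
    the repeating key word (A=0 ... Z=25). Non-letters pass through and do not
    consume a key letter."""
    key_shifts = [ALPHABET.index(k) for k in key.upper() if k in ALPHABET]
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            k = key_shifts[i % len(key_shifts)]
            out.append(ALPHABET[(ALPHABET.index(ch) + (-k if decrypt else k)) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def otp_key(length):
    """A Vernam/one-time-pad key: truly random (CSPRNG), as long as the message, used once."""
    return secrets.token_bytes(length)


def vernam(data, key):
    """XOR the message with the pad; the same call encrypts and decrypts."""
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def two_time_pad_leak(ciphertext1, ciphertext2):
    """What an eavesdropper learns when a pad is reused: c1 XOR c2 == p1 XOR p2,
    because the key cancels out. Returns that XOR of the two plaintexts."""
    return bytes(a ^ b for a, b in zip(ciphertext1, ciphertext2))


if __name__ == "__main__":
    # Constructed sample messages.
    msg = "ATTACK AT DAWN"
    print(caesar(msg, -3), "->", caesar(caesar(msg, -3), 3))
    print(vigenere("ATTACKATDAWN", "LEMON"))
    pad = otp_key(len(msg))
    ct1 = vernam(msg.encode(), pad)
    ct2 = vernam(b"DEFEND AT NOON", pad)  # the mistake: same pad reused
    print(two_time_pad_leak(ct1, ct2))   # zero bytes wherever the messages agree
```

The Caesar and Vigenère functions are included for the history; neither offers any security today (a 26-way or frequency-analysis search recovers the key). The one-time pad is only as strong as the discipline around the key: random, at least message length, and never reused, which is exactly why the notes list long, random and secret as the desirable key qualities.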
Security Systems Architecture
Governance and Risk Management
Risk Governance -comes from executive management and the board of directors; the job is to align the risk strategy with the objectives of the organization
-Are we doing the right things?
-Are we doing things right?
-Are we getting things done well?
-Are we maximizing the benefits?
Risk Management -planning, building, running, and monitoring according to the directions established and in compliance with governance
Enterprise Risks: Databases
-code injection -only allow users to input the bare minimum; validate input; force untrusted users to go through a trusted interface before they can reach your backend data
-scripting -regulate field size
-aggregation -the collection of information
-inference
-entity, semantic, and referential integrity
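The code-injection item in the list above, together with question 7 of the quiz, as an added Python example that is not from the course: a login check that concatenates form data into the SQL text beside one that uses a parameterized query, both run against a constructed in-memory SQLite table with the user field set to the quiz's input. An allowlist check on the username, in the spirit of the "input validation" bullet, is added as defence in depth; the allowed character set is an assumption.

```python
import re
import sqlite3

# Constructed sample data: one legitimate account in an in-memory database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_concatenated(conn, user, password):
    """Vulnerable: the form data is pasted into the query text, so a quote in the
    input ends the string literal and the rest of the input becomes SQL. This is
    the 'confusing data with code' failure."""
    query = (f"SELECT COUNT(*) FROM users WHERE name = '{user}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, user, password):
    """Hardened: the query structure is fixed up front and the input is bound as
    data, so the database looks for a user literally named FRANK' OR 1=1; --."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (user, password)).fetchone()[0] > 0


# Assumed allowlist: usernames are 1-32 letters, digits or underscores.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def valid_username(user):
    """Defence in depth: reject anything outside the allowlist before it reaches SQL."""
    return USERNAME_RE.fullmatch(user) is not None


if __name__ == "__main__":
    db = make_db()
    attacker_input = "FRANK' OR 1=1; --"
    print("concatenated :", login_concatenated(db, attacker_input, "x"))
    print("parameterized:", login_parameterized(db, attacker_input, "x"))
    print("allowlisted  :", valid_username(attacker_input))
```

With the concatenated version the query that reaches the database is `... WHERE name = 'FRANK' OR 1=1; --' AND password = 'x'`: the OR 1=1 makes the WHERE clause true for every row and the comment marker discards the password check, so the login succeeds. With the parameterized version the same text is just a name that no row has, and the login fails; the allowlist rejects it before a query is built at all.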
Utilities
-power -spikes, surge, sag, brownout, fault, blackout
-HVAC, humidity, EMI, RFI
Network Components
-cable, hubs, switches, routers, firewalls, proxies, network services, wireless communication
Users
-internal theft, fraud, salami attacks, data diddling, falsification of time-sheets, compromise of sensitive information, disgruntled employees
What are Enterprise Goals?
-the COBIT 5 generic enterprise goals can provide a starting point for the strategic planning
-the derived enterprise goals should be linked to stakeholder needs and governance objectives of value creation, namely benefits realization, risk optimization and resource optimization
Key principles of Enterprise Architecture
-define protections that enable trust in the cloud
-develop cross-platform capabilities and patterns for proprietary and open source providers
-facilitate trusted and efficient access, administration, and resiliency to the customer
-provide direction to secure information that is protected by regulations
Introduction to Malware
What is malware analysis and why is it useful?
-malware is software that executes without permission or knowledge
-it has software problems just like every other product: compatibility issues, bugs, customer service, versions/updating issues, team development/source code control
Anti-virus software cannot be relied on because it is a difficult task to make a program or algorithm to determine if some software is malicious.
Anti-virus software is not dead; it does catch a lot of old stuff, but it only detects about 17% of the time
50-97% of breaches involve malware; in most breaches malware has automated some task for an attacker or increased their capabilities by taking advantage of a vulnerability, exploiting something on a system, and increasing their foothold
Breach happens -Now what?
Typically you reimage the machine
Advanced: Incident response
-analyze logs, network traffic, strange processes etc.
-is it anywhere else?
-how did it get there
Mature: Gather intelligence
-what is the impact
-what is the risk
-financially motivated? hacktivism? opportunistic? advanced persistent threat (APT)?
70-90% of malware samples are unique to an organization (Verizon Data Breach Report)
Types of Analysis
-Dynamic Analysis -executing the malware. Simple, Fast, Easy to miss things.
-Static Analysis -reverse engineering. Slow, deep technical knowledge. With enough time anything can be reversed.
-Hybrid Static/Dynamic -most analysis is a mixture: You will find something in the disassembly then you confirm/investigate while the malware is executing.
-Memory forensics can be useful but is not the end-all be-all
System Security
System Security https://www.cybrary.it/skill-certification-course/fundamental-system-security-certification-training-course
This course provided a good introduction to system security. For those with an IT background this course may not be necessary but I thought it was useful.
Notes
Appropriate procedures to establish host security
Application Security
Anti-Malware -takes care of viruses, worms, and trojans
-software has been designed to find the specific signatures of the malware on a system; track, identify, deactivate
-regularly update the signature/definition files to keep the anti-malware software effective
Anti-Spam -organizations will use spam filters on emails and messages to prevent spam from reaching the user's inbox
-prevents/limits servers from congestion
Anti-Spyware -spyware can track your activity online by reviewing your cookies
-anti-spyware eradicates tracking cookies from your system
Pop-up blockers -pop-ups are usually how you get adware; you can turn on pop-up blockers by going to your internet options page
Host-based firewalls -a firewall that resides on a computer system that protects traffic coming in or leaving the system
-this is something to monitor periodically to prevent intrusion into the system and to facilitate the generation of alerts
Patch management -patches are produced to fix flaws that exist within software
-individuals in an organization should be responsible for validating the source of a patch, testing it for sufficiency, and migrating the patch to the production systems once it has been found to be robust
-never download a patch and install it directly on your real system
Hardware Security
-cable locks -prevent rearrangement of the infrastructure you have; most likely used for laptops
-safe -lock away spares, documents
-locking cabinets -used for servers, switches, patch panels, and server racks to prevent unauthorized access and modification
-unauthorized access could change config = loss of integrity
-mobile device -screen lock, strong password
-devices should support encryption so that keys are required before anyone has access
-this way if you lose your device, you know that nobody else has access to the content
-encryption is the best form of security for mobile devices
-another option is remote wipe which allows your providers or device administrators to send a script to the phone that can either erase or cause damage to the content on the phone so that it cannot be accessed anymore
-devices should be returned to IT before they are shared between users; sanitization is very important
-voice encryption is another best practice
-one voice solution is VoIP (Voice over internet protocol)
-a malicious person can packet-sniff our transmission; when we use voice encryption our packets are encrypted as they move over data lines, which prevents eavesdropping
-another best practice is GPS tracking on mobile devices
-if GPS is disabled, you can still sync the picture content with your email to try to identify the location of the device
Virtualization
-a hypervisor is the software environment within which we build virtual machines
-it shares resources with your host PC such as memory, processor, ports etc
-virtualization is different from multi booting where you have multiple operating systems on the host PC, but can only run one at a time
-with virtualization we can run all the machines at the same time provided there is sufficient memory and a reliable processor that supports virtualization
Benefits -allows for maximum utilization of hardware, cost saving (buy fewer machines, less space, fewer licenses)
Data Security
-data loss prevention -financial, medical, trade secret, PII (personally identifiable information)
Data in motion -email, network, chat sessions
Data at rest -database, file sharing, desktop or laptop
Data in use -copiers, printer, removable media, screen, clipboard
storage area networks -devoted to storage and useful during disaster recovery situations
handling big data -some companies now employ security incident and event managers so that data that is of concern can be put on one management interface
Data Encryption
-this is required to ensure confidentiality
-encrypting data changes it from plain text to cipher text
Full disk encryption -you encrypt the entire content of the hard drive; unless a user provides the encryption key, they don't have access to the data
Database encryption -unless keys are provided, no access to database
Individual files -moving a file off an encrypted disk can make it vulnerable; if you want to send one file or a group of files, encrypting them ensures that they are still encrypted while in transit or storage
Labels: cybersecurity, infosec, pentesting, security, system security