# RECAP

##### Bell-LaPadula

Bell-LaPadula is focused on confidentiality rather than integrity. As a result, the model defines properties that differ from those defined in the Biba model. The Bell-LaPadula properties are defined as follows:

(A) The Simple Security Property says that a subject at one security level may not read an object at a higher security level (no read up).
(B) The * (star) Property says that a subject at one security level may not write to an object at a lower security level (no write down).
(C) The Discretionary Security Property uses an access matrix to indicate discretionary access.

----

##### Biba

The Biba model was developed in 1975 and is named after its developer, Kenneth Biba. It has three main objectives for ensuring data integrity:

(A) Unauthorized parties cannot modify data.
(B) Authorized parties cannot modify data without specific authorization.
(C) Data should be true and accurate, meaning it has both internal and external consistency.

---

##### Biba Rules

The Biba model is a security model that defines three rules:

(A) The Simple Integrity Property says a subject at one level of integrity may not read a data object at a lower integrity level (no read down).
(B) The * (star) Integrity Property says a subject at one level of integrity may not write to data objects at a higher level of integrity (no write up).
(C) The Invocation Property says a process from below may not request access at a higher level.

---

##### Governmental Data Classifications

(1) Top secret – The highest level of data classification. Only a limited number of people are allowed to look at data classified as top secret.
(2) Secret – The exposure of secret information would cause serious damage to national security.
(3) Confidential – The exposure of confidential information would cause damage to national security.
(4) Restricted – The exposure of restricted data would have undesirable effects.
(5) Official – This is information that relates to government business; the label itself is not an indicator of the potential for harm if the information were lost or exposed.
(6) Unclassified – This information can be viewed by everyone. This may include declassified information that was once considered a higher classification but whose exposure no longer poses a threat.

---

==The Parkerian Hexad is a set of six elements of information security proposed by Donn B. Parker in 1988. It adds three additional attributes to the three classic security attributes of the CIA triad.==

##### Cialdini's Principles of Influence

Robert Cialdini proposed six principles as part of his theory of influence: (1) Reciprocity (2) Commitment (3) Social Proof (4) Authority (5) Liking (6) Scarcity

---

##### The Four Categories of Vulnerability Scan Results

(1) False positive: the scanner has identified something it believes to be a vulnerability. After investigation, it turns out not to be a vulnerability.
(2) False negative: the scanner has not identified a vulnerability. It later turns out that there was a vulnerability that the scanner missed.
(3) True positive: the scanner has identified a vulnerability, and after manual investigation it turns out to be a legitimate vulnerability.
(4) True negative: the scanner has not identified a vulnerability, and there is no vulnerability to identify.

---

##### NIST Cybersecurity Framework Functions

The five functions of the NIST Cybersecurity Framework represent the five primary pillars of a successful and holistic cybersecurity program. They help organizations express their management of cybersecurity risk at a high level and support risk management decisions. The five functions included in the framework core are: Identify, Protect, Detect, Respond, and Recover.
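The Bell-LaPadula and Biba rules listed earlier in this recap are easiest to see when both are applied to the same request. The following is an added example, not code from the recap: a small reference monitor that evaluates the Bell-LaPadula simple security and * properties, the Biba simple integrity and * integrity properties, and then a discretionary access matrix. The level lattices, the subjects and objects, and the matrix contents are all constructed for illustration.

```python
"""Added example, not part of the recap: a small reference monitor that applies
the Bell-LaPadula confidentiality rules and the Biba integrity rules to the
same request, then consults a discretionary access matrix.
Lattices, subjects, objects and the matrix are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

# Ordered lattices: a higher index means a higher level.
CONF_LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
INTEG_LEVELS = ["Low", "Medium", "High"]


@dataclass(frozen=True)
class Label:
    confidentiality: str  # Bell-LaPadula clearance (subject) or classification (object)
    integrity: str        # Biba integrity level


def blp_check(subject: Label, obj: Label, op: str) -> Optional[str]:
    """Bell-LaPadula: returns the denial reason, or None if the rules allow it."""
    s = CONF_LEVELS.index(subject.confidentiality)
    o = CONF_LEVELS.index(obj.confidentiality)
    if op == "read" and s < o:
        return "BLP simple security property: no read up"
    if op == "write" and s > o:
        return "BLP * property: no write down"
    return None


def biba_check(subject: Label, obj: Label, op: str) -> Optional[str]:
    """Biba: the mirror image of Bell-LaPadula, protecting integrity instead."""
    s = INTEG_LEVELS.index(subject.integrity)
    o = INTEG_LEVELS.index(obj.integrity)
    if op == "read" and s > o:
        return "Biba simple integrity property: no read down"
    if op == "write" and s < o:
        return "Biba * integrity property: no write up"
    return None


# Constructed subjects and objects, each carrying both kinds of label.
SUBJECTS = {
    "alice": Label("Secret", "High"),
    "bob": Label("Unclassified", "Low"),
}
OBJECTS = {
    "report": Label("Confidential", "Medium"),
    "bulletin": Label("Unclassified", "High"),
}
# Discretionary security property: the access matrix (constructed).
ACCESS_MATRIX = {
    ("alice", "report"): {"read", "write"},
    ("alice", "bulletin"): {"read"},
    ("bob", "bulletin"): {"read"},
}


def check_access(subject_name: str, object_name: str, op: str) -> List[str]:
    """Returns every reason the request is denied; an empty list means allowed.
    The mandatory rules and the discretionary matrix must all agree."""
    if op not in ("read", "write"):
        raise ValueError(f"unsupported operation: {op}")
    subject, obj = SUBJECTS[subject_name], OBJECTS[object_name]
    reasons = [r for r in (blp_check(subject, obj, op), biba_check(subject, obj, op)) if r]
    if op not in ACCESS_MATRIX.get((subject_name, object_name), set()):
        reasons.append("discretionary: not granted in the access matrix")
    return reasons


if __name__ == "__main__":
    for req in [("alice", "report", "read"), ("alice", "report", "write"),
                ("bob", "bulletin", "read"), ("bob", "report", "read")]:
        denied = check_access(*req)
        print(req, "ALLOWED" if not denied else "DENIED: " + "; ".join(denied))
```

Running it shows the two models pulling in opposite directions: Alice (Secret, High) may read the Confidential report under Bell-LaPadula but not under Biba, because the report's integrity is lower than hers, and she may write to it under Biba but not under Bell-LaPadula, because that would be a write down. A real system that needs both confidentiality and integrity has to satisfy both sets of rules, which is why the monitor collects every denial reason rather than stopping at the first.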
##### ISO 27001

ISO 27001 was developed to help organizations of any size or industry protect their information systematically and cost-effectively through the adoption of an Information Security Management System (ISMS). The phases of ISO 27001 are: Plan, Do, Check, and Act.

##### Certificate Revocation List (CRL)

The Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should no longer be trusted. It is described in RFC 5280 and is generated and published periodically, often at a defined interval.

##### RIR

A Regional Internet Registry (RIR) is an organization that manages and controls internet addresses in a specific region, usually a country and sometimes an entire continent. There are five Regional Internet Registries:

(1) African Network Information Center (AfriNIC)
(2) American Registry for Internet Numbers (ARIN)
(3) Asia Pacific Network Information Centre (APNIC)
(4) Latin America Network Information Centre (LACNIC)
(5) Reseaux IP Europeens Network Coordination Centre (RIPE NCC)

---

##### SAINT

Security Administrator's Integrated Network Tool (SAINT) is an updated version of one of the first vulnerability scanners (SATAN). It allows network administrators to scan their local area networks for security flaws. SAINT can then prepare reports detailing the extent and seriousness of these weaknesses, as well as providing links to fixes and recommended security procedures.

##### IDA

IDA is considered the king of debuggers and disassemblers. It is an interactive, programmable, extensible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X. It has become the de facto standard for the analysis of hostile code, vulnerability search, and commercial-off-the-shelf validation.

---

##### LAND ATTACK

The Local Area Network Denial (LAND) attack sets the source and destination information of a TCP segment to be the same. This sends the segment into a loop in the operating system, as it is processed as outbound, then inbound, and so forth. This loop would lock up the system.

---

##### BUFFER OVERFLOW ATTACK

The buffer overflow attack takes advantage of a memory structure called the stack. The stack is a section of memory where data is stored while program functions are executing. The goal of a buffer overflow attack is to inject a section of code, called shellcode, that the attacker wants to be executed. For the attack to succeed, the place in the stack where the return address is kept must be made to point to the space in memory where the shellcode now resides.

---

##### DES - Symmetric Key Cryptography

Symmetric key cryptography is a type of encryption scheme in which the same key is used both to encrypt and to decrypt messages. Any symmetric key algorithm is either a stream cipher or a block cipher. Block ciphers split the data to be encrypted into fixed-length blocks. If the total length of the data isn't a multiple of the block size, the last block is padded to reach the block size. A common block length is 64 bits. An example of a block cipher that uses a symmetric key is the Data Encryption Standard (DES).

---

##### The Data Encryption Standard (DES)

(A) It is a block cipher that uses a symmetric key.
(B) It is a long-deprecated encryption standard, but it illustrates an important point about cryptography.
(C) One of the problems with DES is that it uses only a 56-bit key.
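The padding step described above is where most practical block-cipher bugs hide, so here is an added example (not code from the recap) of PKCS#7 padding for an 8-byte (64-bit) block, the block size DES uses. The functions pad a message to a whole number of blocks, split it into the fixed-length blocks the cipher would process, and validate the padding on the way back instead of trusting the last byte. The sample messages are constructed; the block size constant is an assumption matching the 64-bit figure in the notes.

```python
"""Added example, not part of the recap: PKCS#7 padding for a block cipher
with a 64-bit (8-byte) block, the block size DES uses. Shows how the last
block is padded before encryption and how padding is validated afterwards."""
from typing import List

BLOCK_SIZE = 8  # bytes; a 64-bit block as used by DES (assumption from the notes)


def pkcs7_pad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Appends n bytes, each of value n, so the length becomes a multiple of
    block_size. Data that already fits gets a whole block of padding, which is
    what makes unpadding unambiguous."""
    if not 1 <= block_size <= 255:
        raise ValueError("block size must be between 1 and 255 bytes")
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(padded: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Strips the padding, rejecting anything malformed instead of guessing.
    Every padding byte is checked, not just the last one."""
    if not padded or len(padded) % block_size:
        raise ValueError("padded data must be a non-empty multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= block_size or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return padded[:-n]


def padding_is_valid(padded: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """True when pkcs7_unpad would accept the data."""
    try:
        pkcs7_unpad(padded, block_size)
        return True
    except ValueError:
        return False


def split_blocks(padded: bytes, block_size: int = BLOCK_SIZE) -> List[bytes]:
    """Cuts padded data into the fixed-length blocks a block cipher processes."""
    if len(padded) % block_size:
        raise ValueError("data is not block aligned; pad it first")
    return [padded[i:i + block_size] for i in range(0, len(padded), block_size)]


if __name__ == "__main__":
    message = b"hello world"  # constructed: 11 bytes, so 5 padding bytes are needed
    padded = pkcs7_pad(message)
    print(split_blocks(padded))           # two 8-byte blocks
    print(pkcs7_unpad(padded) == message)  # True
    print(padding_is_valid(b"hello\x03\x03\x02"))  # False: padding bytes disagree
```

The blocks returned by `split_blocks` are what a real implementation would hand to the cipher (DES here, AES in anything current) in a chaining mode; the decrypting side must run the same validation as `pkcs7_unpad` and treat a failure uniformly with any other decryption error.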
---

##### Bluesnarfing

Bluesnarfing can be defined as follows:

(A) It is more dangerous than bluejacking.
(B) Bluejacking is sending data to a device; bluesnarfing is getting data from a device.
(C) Bluetooth devices have to be exposed to a certain degree to allow other devices to begin a pairing process.
(D) Another device may take advantage of that small time window.
(E) It has been possible to gain access to a device over Bluetooth without having gone through the pairing process.

---

##### Bluejacking

Bluejacking is a term which can be defined as:

(A) An attacker sends data to a Bluetooth device without having to get through the pairing process, or the pairing happens without the receiver knowing about it.
(B) A bluejacking attack transmits an unsolicited message to a victim. This might be a picture or a text message.
(C) This could be a spoofing attack, where you send a message that appears to be from someone else in order to get the recipient to do something.

---

##### DDoS Attacks

A Fraggle attack is defined as follows:

(A) It is similar to the Smurf attack.
(B) In a Smurf attack, spoofed ICMP messages are sent to a broadcast address; a Fraggle attack uses the same approach, but sends UDP messages instead of ICMP.
(C) UDP, like ICMP, doesn't validate the source address and is connectionless, which means it can be spoofed.
(D) The attacker sends a UDP request to the broadcast address of a network with the target's address set as the source.

---

##### Local Area Network Denial (LAND)

(A) The victim's system can crash from this attack.
(B) In the LAND attack, the source and destination information of a TCP segment are set to be the same.
(C) This sends the segment into a loop in the operating system, as it is processed as outbound, then inbound, and so forth.
(D) This loop would lock up the system.
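The Smurf, Fraggle and LAND descriptions above all come down to packets with a source or destination that should never occur legitimately, which makes them easy to flag. The following is an added example, not code from the recap: a detector that runs over a list of packet summaries and names the pattern each one matches (identical source and destination for LAND; ICMP echo requests or UDP datagrams aimed at the directed-broadcast address for Smurf and Fraggle), and lists the spoofed source addresses that would absorb the amplified replies. The packet records, the protected prefix (a documentation range) and the field names are constructed for illustration.

```python
"""Added example, not part of the recap: a detector for the spoofing patterns
behind the LAND, Smurf and Fraggle attacks, run over a list of packet records.
The records, the local prefix and the field names are constructed."""
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed: the protected network; its directed-broadcast address is derived.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed packet summaries, in the shape a pcap or flow-log parser might yield.
PACKETS = [
    {"proto": "tcp", "src": "192.0.2.10", "sport": 139, "dst": "192.0.2.10", "dport": 139, "flags": "S"},
    {"proto": "icmp", "src": "203.0.113.9", "dst": "192.0.2.255", "type": 8},
    {"proto": "udp", "src": "203.0.113.9", "sport": 7, "dst": "192.0.2.255", "dport": 7},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 51000, "dst": "192.0.2.10", "dport": 443, "flags": "S"},
    {"proto": "udp", "src": "192.0.2.20", "sport": 53000, "dst": "192.0.2.1", "dport": 53},
]


def classify(pkt: dict) -> List[str]:
    """Names every attack pattern a single packet matches (usually none)."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    findings = []
    # LAND: source and destination address (and port) are identical, so the
    # reply the stack generates is addressed straight back to itself.
    if src == dst and pkt.get("sport") == pkt.get("dport"):
        findings.append("LAND")
    # Smurf / Fraggle: a request to the directed-broadcast address makes every
    # host answer; the (spoofed) source is the real victim of the amplification.
    if dst == LOCAL_NET.broadcast_address:
        if pkt["proto"] == "icmp" and pkt.get("type") == 8:  # ICMP echo request
            findings.append("Smurf")
        elif pkt["proto"] == "udp":
            findings.append("Fraggle")
    return findings


def scan(packets: List[dict]) -> Dict[str, List[int]]:
    """Maps each attack name to the indexes of the packets that match it."""
    hits: Dict[str, List[int]] = defaultdict(list)
    for i, pkt in enumerate(packets):
        for name in classify(pkt):
            hits[name].append(i)
    return dict(hits)


def amplification_victims(packets: List[dict]) -> List[str]:
    """Source addresses that would receive the broadcast replies (the spoofed victims)."""
    hits = scan(packets)
    return sorted({packets[i]["src"] for name in ("Smurf", "Fraggle")
                   for i in hits.get(name, [])})


if __name__ == "__main__":
    for name, idx in scan(PACKETS).items():
        print(f"{name}: packets {idx}")
    print("amplification victims:", amplification_victims(PACKETS))
```

Two things fall out of the code. First, the amplification victim in Smurf and Fraggle is the source address, not the destination, so a border filter that drops packets whose source address belongs to the inside (anti-spoofing) and routers that do not forward directed broadcasts (the default recommended by RFC 2644) remove the attack surface rather than just detecting it. Second, a LAND packet carries your own address as its source, so the same anti-spoofing rule stops it before the host stack ever sees it.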
---

##### The Identify Function

The Identify function can be defined as:

(A) It is about identifying risk to the business.
(B) Identifying assets.
(C) Identifying policies used for governance.
(D) Identifying a risk management strategy.
(E) These procedures or actions should be guided by the organization or business, ensuring that security and the business are aligned in a mutual understanding of the goals.

---

##### Libicki's Forms of Information Warfare

Cyberwarfare: Libicki defines cyber warfare as the use of information systems against the virtual personas of individuals or groups. It is the broadest of all forms of information warfare. It includes information terrorism, semantic attacks (similar to hacker warfare, but instead of harming a system, it takes over the system while maintaining the perception that it is operating correctly), and simula-warfare (simulated war, for example, acquiring weapons for mere demonstration rather than actual use).

Economic warfare: Libicki notes that economic information warfare can affect the economy of a business or nation by blocking the flow of information. This could be especially devastating to organizations that do a lot of business in the digital world.

Intelligence-based warfare: Intelligence-based warfare is a sensor-based technology that directly corrupts technological systems. According to Libicki, "intelligence-based warfare" is warfare that consists of the design, protection, and denial of systems that seek sufficient knowledge to dominate the battlespace.

Electronic warfare: According to Libicki, electronic warfare uses radio-electronic and cryptographic techniques to degrade communication. Radio-electronic techniques attack the physical means of sending information, whereas cryptographic techniques use bits and bytes to disrupt the means of sending information.

---

##### Attack Phases (Cyber Kill Chain)

Reconnaissance: An adversary performs reconnaissance to collect as much information about the target as possible to probe for weak points before attacking.

Weaponization: The adversary selects or creates a tailored deliverable malicious payload (remote-access malware weapon) using an exploit and a backdoor to send it to the victim.

Installation: The adversary downloads and installs more malicious software on the target system to maintain access to the target network for an extended period.

Command and control: The adversary creates a command and control channel, which establishes two-way communication between the victim's system and an adversary-controlled server to communicate and pass data back and forth.

---

##### Indicators of Compromise

Network Indicators: They are useful for command and control, malware delivery, and identifying details about the operating system, browser type, and other computer-specific information.

Host-based Indicators: Host-based indicators are found by performing an analysis of the infected system within the organizational network.

Behavioral Indicators: Behavioral IoCs are used to identify specific behavior related to malicious activities, such as code injection into memory or running the scripts of an application.

Email Indicators: Socially engineered emails are preferred due to their ease of use and comparative anonymity.

---

##### Types of Threat Intelligence

Strategic threat intelligence: Strategic threat intelligence provides high-level information regarding cybersecurity posture, threats, details about the financial impact of various cyber activities, attack trends, and the impact of high-level business decisions.

Operational threat intelligence: It provides contextual information about security events and incidents that helps defenders disclose potential risks, gain greater insight into attacker methodologies, identify past malicious activities, and investigate malicious activity more efficiently.

Technical threat intelligence: It provides rapid distribution of and response to threats. For example, a piece of malware used to perform an attack is tactical threat intelligence, whereas the details related to the specific implementation of the malware come under technical threat intelligence.

Tactical threat intelligence: Tactical threat intelligence plays a major role in protecting the resources of the organization. It provides information related to the TTPs used by threat actors (attackers) to perform attacks.

---

| What Users Do | What Attacker Gets |
| ------------- | ------------------ |
| Maintain profile | Contact info, location, and related information |
| Connect to friends, chat | Friends list, friends' info, and related information |
| Share photos and videos | Identity of family members, interests, and related information |
| Play games, join groups | Interests |
| Create events | Activities |

##### DNS Record Types

| Record Type | Description |
| ----------- | ----------- |
| A | Points to a host's IP address |
| MX | Points to the domain's mail server |
| NS | Points to the host's name server |
| CNAME | Canonical name; allows aliases for a host |
| SOA | Indicates authority for a domain |
| SRV | Service records |
| PTR | Maps an IP address to a hostname |
| RP | Responsible person |
| HINFO | Host information record, includes CPU type and OS |
| TXT | Unstructured text records |

##### Google Dorks (VoIP)

| Google Dork | Description |
| ----------- | ----------- |
| intitle:"Login Page" intext:"Phone Adapter Configuration Utility" | Pages containing login portals |
| inurl:/voice/advanced/ intitle:Linksys SPA configuration | Finds the Linksys VoIP router configuration page |
| intitle:"D-Link VoIP Router" "Welcome" | Pages containing D-Link login portals |
| intitle:asterisk.management.portal web-access | Finds the Asterisk web management portal |
| inurl:"NetworkConfiguration" cisco | Finds Cisco phone details |
| inurl:"ccmuser/logon.asp" | Finds Cisco Call Manager |
| inurl:8080 intitle:"login" intext:"UserLogin" "English" | VoIP login portals |
| intitle:"SPA Configuration" | Finds Linksys phones |

##### Indicators of Compromise: Examples

Email Indicators: Attackers usually prefer email services to send malicious data to the target organization or individual. Such socially engineered emails are preferred due to their ease of use and comparative anonymity. Examples of email indicators include the sender's email address, email subject, and attachments or links.

Host-Based Indicators: Host-based indicators are found by performing an analysis of the infected system within the organizational network. Examples of host-based indicators include filenames, file hashes, registry keys, DLLs, and mutexes.

Network Indicators: Network indicators are useful for command and control, malware delivery, and identifying details about the operating system, browser type, and other computer-specific information. Examples of network indicators include URLs, domain names, and IP addresses.

Behavioral Indicators: Behavioral IoCs are used to identify specific behavior related to malicious activities, such as code injection into memory or running an application's scripts. Well-defined behaviors enable broad protection to block all current and future malicious activities.

##### Cryptography

A cipher is an algorithm for encrypting and decrypting data.

Types of cipher:

1. Classical
   1.1 Substitution cipher: units of plaintext are replaced with ciphertext
   1.2 Transposition cipher: the plaintext is rearranged (positions change, characters do not), e.g. rail fence cipher, route cipher, Myszkowski cipher
2. Modern ciphers
   2.1 Based on the type of key used
       2.1.1 Symmetric key (private key cryptography)
       2.1.2 Asymmetric key (public key cryptography)
   2.2 Based on the input of data
       2.2.1 Block cipher, e.g. AES, DES, IDEA
       2.2.2 Stream cipher, e.g. RC4, SEAL

Types of
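The difference between the two classical families above is clearest in code. This is an added example, not from the recap: a rail fence cipher (transposition, one of the examples the notes name) with both encryption and decryption, next to a Caesar shift (substitution), plus a letter-frequency check that shows what each family changes. The plaintexts are constructed; the classic three-rail example text is the one usually used to illustrate the rail fence.

```python
"""Added example, not part of the recap: a transposition cipher (rail fence)
next to a substitution cipher (Caesar shift), with a letter-frequency check
that shows what each kind of cipher changes. Plaintexts are constructed."""
from collections import Counter
from typing import List


def _rail_pattern(length: int, rails: int) -> List[int]:
    """The rail index each text position lands on, zig-zagging down and back up."""
    pattern, rail, step = [], 0, 1
    for _ in range(length):
        pattern.append(rail)
        if rail == 0:
            step = 1
        elif rail == rails - 1:
            step = -1
        rail += step
    return pattern


def rail_fence_encrypt(text: str, rails: int) -> str:
    """Transposition: characters keep their identity but are read off rail by rail."""
    if rails < 2:
        return text
    pattern = _rail_pattern(len(text), rails)
    return "".join(text[i] for r in range(rails) for i, p in enumerate(pattern) if p == r)


def rail_fence_decrypt(cipher: str, rails: int) -> str:
    """Rebuilds the zig-zag: slice the ciphertext into rails, then read it back in order."""
    if rails < 2:
        return cipher
    pattern = _rail_pattern(len(cipher), rails)
    rails_text, pos = [], 0
    for r in range(rails):
        count = pattern.count(r)          # how many characters sit on this rail
        rails_text.append(list(cipher[pos:pos + count]))
        pos += count
    next_idx = [0] * rails
    out = []
    for r in pattern:                     # walk the zig-zag again, consuming each rail
        out.append(rails_text[r][next_idx[r]])
        next_idx[r] += 1
    return "".join(out)


def caesar(text: str, shift: int) -> str:
    """Substitution: every letter is replaced, but it stays in its position."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def letter_histogram(text: str) -> Counter:
    """Letter frequencies: unchanged by transposition, scrambled by substitution."""
    return Counter(ch.upper() for ch in text if ch.isalpha())


if __name__ == "__main__":
    plain = "WEAREDISCOVEREDFLEEATONCE"  # constructed (the classic rail fence example)
    rf = rail_fence_encrypt(plain, 3)
    print(rf, rail_fence_decrypt(rf, 3) == plain)
    print(caesar(plain, 3), letter_histogram(plain) == letter_histogram(rf))
```

The histogram check is the practical takeaway: a transposition leaves the letter frequencies of the plaintext intact, so an analyst can recognize one from the ciphertext alone and knows that rearrangement, not substitution, is what has to be undone.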