CompTIA Security+ Exam Notes

Let Us Help You Pass

Tuesday, April 30, 2024

False Positive vs False Negative

 False Positive / False Negative


A false positive "reports" an issue when there is no problem. 
Example: You run a vulnerability scan, and it says that your web server is missing Apache updates. When you talk to the website admin, he informs you that he has no Apache web servers, only Windows IIS. 

A false negative should have caught the problem but missed it completely. For example, you know that your system is missing updates, but when you perform the vulnerability scan, it says all the updates are there.

In both cases, you need to tune your system.

Vulnerability scanners, IPSs, & IDSs are all prone to both false positives & false negatives.


Friday, April 26, 2024

Blockchain

 Blockchain Usages

Blockchain is a decentralized method for transactional records protected via encryption.

Each record is called a block and is hashed.

The hash of the previous block is included in the data that is hashed for the next block, which is what links the blocks into a chain.

If a transaction is recorded incorrectly, it cannot be deleted; the correct values must be added as a new transaction.

Cryptocurrency transactions can be reviewed in a public ledger.

Blockchain can be used for different applications, providing integrity:
  • Financial transactions
  • Voting machines
  • Notarization
  • Identity and access management
  • Data storage
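To show what including the previous block's hash in the next block buys you, here is an added Python example (not from the original post) that builds a tiny hash-chained ledger, detects a rewritten block, and corrects an entry by appending rather than editing. The ledger entries are constructed sample data.

```python
import hashlib
import json

ZERO = "0" * 64   # "previous hash" of the very first block

def block_hash(index, data, prev_hash):
    """Hash a block together with the previous block's hash; that link is the chain."""
    payload = json.dumps({"index": index, "data": data, "prev": prev_hash}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(records):
    """Append each record as a new block, each one linked to the hash before it."""
    chain, prev = [], ZERO
    for i, rec in enumerate(records):
        h = block_hash(i, rec, prev)
        chain.append({"index": i, "data": rec, "prev": prev, "hash": h})
        prev = h
    return chain

def verify_chain(chain):
    """Return the index of the first block whose hash or link is wrong, or -1 if all check out."""
    prev = ZERO
    for blk in chain:
        if blk["prev"] != prev or blk["hash"] != block_hash(blk["index"], blk["data"], blk["prev"]):
            return blk["index"]
        prev = blk["hash"]
    return -1

def correct_by_append(chain, correction):
    """The ledger is append-only: a wrong entry is fixed by adding a new block, not by editing."""
    prev = chain[-1]["hash"]
    chain.append({"index": len(chain), "data": correction, "prev": prev,
                  "hash": block_hash(len(chain), correction, prev)})
    return chain

# Constructed sample ledger: the second transfer was recorded as 500 instead of 5.
LEDGER = build_chain([
    {"from": "alice", "to": "bob", "amount": 50},
    {"from": "bob", "to": "carol", "amount": 500},
])

def tampered_copy():
    """Rewrite block 0 and even recompute its own hash; block 1 still carries the
    old previous-hash, so verification fails at index 1."""
    copy = [dict(b) for b in LEDGER]
    copy[0]["data"] = {"from": "alice", "to": "bob", "amount": 5000}
    copy[0]["hash"] = block_hash(0, copy[0]["data"], copy[0]["prev"])
    return copy
```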


Thursday, April 25, 2024

Tokenization

 Credit Cards - Tokenization

Tokenization makes it easy to reorder with a credit card that is already on file. One such method is the vendor storing the credit card information (not in plaintext) for monthly or yearly subscriptions.

This process can replace part or all of the original data. The token, and its mapping back to the card number, is kept on a token server.

Tokenization is a security technique that replaces sensitive data with a non-sensitive substitute called a token. Tokens are unique identifiers that link to the original data but cannot be deciphered to access the original information.

Tokenization is used in many areas, including:

Payment processing

Tokenization protects credit card and bank account numbers by replacing them with tokens. This removes the connection between the transaction and the sensitive data, making it safer to transmit data over wireless networks.

Speech recognition

Voice-activated assistants like Siri or Alexa use tokenization to process spoken words. When you ask a question or command, your spoken words are converted into text, which is then tokenized.

Commodities

Tokenization can turn ownership of commodities like oil, gold, or agricultural products into on-chain tokens, making the market for these assets more liquid and accessible.

Tokenization is also known as "masking" or "obfuscation."
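An added example, not from the original post, of the token-server model described above: the merchant keeps only a token for the subscription, and only the token server can map it back to the card number. The TokenServer and Merchant classes and the test card number are constructed for illustration.

```python
import re
import secrets

class TokenServer:
    """Constructed stand-in for a token server: the vault (token -> card number)
    lives here and nowhere else."""

    def __init__(self):
        self._vault = {}

    def tokenize(self, pan, keep_last=4):
        """Replace a card number with random digits. keep_last preserves the final
        digits so a receipt can show '**** 1111' (partial replacement); keep_last=0
        replaces all of it."""
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19:
            raise ValueError("not a card number")
        tail = digits[-keep_last:] if keep_last else ""
        while True:
            # Random digits carry no information about the original, so there is nothing to decipher.
            body = "".join(secrets.choice("0123456789") for _ in range(len(digits) - keep_last))
            token = body + tail
            if token != digits and token not in self._vault:
                break
        self._vault[token] = digits
        return token

    def detokenize(self, token):
        """Only the token server can map a token back; anyone else holding it gets None."""
        return self._vault.get(token)


class Merchant:
    """Keeps tokens for subscriptions; the card number is never stored on the merchant side."""

    def __init__(self, token_server):
        self.ts = token_server
        self.subscriptions = {}   # customer -> token

    def enroll(self, customer, pan):
        self.subscriptions[customer] = self.ts.tokenize(pan)

    def monthly_charge(self, customer):
        """Re-bill with the stored token; the token server resolves it, not the merchant."""
        return self.ts.detokenize(self.subscriptions[customer]) is not None
```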

Wednesday, April 24, 2024

Attack Frameworks

 Attack Frameworks


MITRE ATT&CK (MITRE Adversarial Tactics, Techniques, and Common Knowledge)
This provides a database of known TTPs (Tactics, Techniques, and Procedures). 
Here is a link to the website: MITRE ATT&CK
Each individual technique is assigned a unique ID. 
Tactics include persistence, command & control, and initial access.

The Diamond Model of Intrusion Analysis
This is used to analyze an intrusion based on four core features:
  • Victim
  • Capability
  • Infrastructure
  • Adversary

Cyber Kill Chain Attack Framework
This is a white paper put out by Lockheed Martin.
It shows the order of the stages of an attack.
1. Reconnaissance - This is the stage where the attacker chooses the methods to use for the attack. The attacker collects information about the target's computer systems, supply chain, and employees.
2. Weaponization - The attacker chooses what exploit and payload code to use for the attack.
3. Delivery - The attack vector used to transmit the attack code to the target, such as an email attachment or a USB drive.
4. Exploitation - Tricking a user into running the code, by clicking on an attachment or through a drive-by download.
5. Installation - This stage is for persistence.
6. Command and Control (C2) - This stage is where the attacker can install additional tools.
7. Actions on Objectives - This stage is where data exfiltration occurs.





Monday, April 22, 2024

Directory Traversal Attack

 Directory Traversal Attack Examples

http://www.sample.com/../../../etc/passwd
http://www.sample.com%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
http://www.sample.com%2f..%2f..%2f..%2fetc%2fpasswd
http://www.sample.com2f..2f..2f..2fetc2fpasswd
C:\Users\JohnDoe\AppData\Local\Microsoft\Office

Some of these examples use percent encoding.
%2E is a period "."
%2F is a forward slash "/".
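An added example (not part of the original post) of the server-side check that defeats the URLs above: decode percent-encoding fully, then normalise the path and refuse anything that resolves outside the document root. The document root /var/www/html is an assumption.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root for this example

def fully_decode(s, max_rounds=3):
    """Undo percent-encoding until it stops changing: a double-encoded %252e
    becomes %2e and then '.', so it cannot slip past a single decode."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def safe_resolve(request_path, web_root=WEB_ROOT):
    """Map the path part of a request to a file under web_root, or return None
    when the normalised path would land outside it. Decode first, then normalise,
    so %2e%2e%2f is handled exactly like ../ instead of being treated as a filename."""
    path = fully_decode(request_path).replace("\\", "/")   # Windows separators count too
    if "\x00" in path:                       # NUL truncation trick: reject outright
        return None
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None                          # escaped the document root
    return candidate
```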

Saturday, April 20, 2024

Metadata

 METADATA


Metadata is data about data, such as the information your mobile device records when you take a picture: the date and time and the GPS location.
  • GPS tagging
  • Photographs
  • Video
Files on your PC, smartphone, laptop, tablet, etc. have multiple attributes recorded and attached to them. If the person creating a document backdates the date on it, the file metadata still shows the date it was actually made.
  • Date and time created
  • When it was modified
  • When it was accessed
Metadata is also recorded when you make a phone call or send a text.
  • The incoming and outgoing phone numbers involved
  • The date and time of the calls
  • The duration of the calls
  • SMS text time


Thursday, April 18, 2024

Protecting Passwords Against Offline Attacks

 Offline Password Attacks & Preventive Measures


Rainbow table attack
The best protection against this attack type is adding salt (random data) to the password before hashing.

Brute Force & Dictionary
The best method for slowing down the attacker from discovering the password is to use key stretching. This method uses thousands of rounds of hashing. This does not make the key stronger, but the attacker has to do a lot of processing to check each possible key to find the correct one. There are 2 methods on the exam:
PBKDF2 & bcrypt
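An added Python example, not from the original post, of salting plus key stretching with PBKDF2 as the post describes: a per-user random salt, a configurable round count, and a constant-time verify. The round count and the storage format are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

ROUNDS = 600_000   # assumed work factor; raise it until one check costs ~100 ms on your hardware

def hash_password(password, salt=None, rounds=ROUNDS):
    """Salt plus key stretching. A fresh random salt per user defeats rainbow tables
    (the precomputed table was built without it), and the round count makes each
    guess cost thousands of hashes for an offline attacker."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and round count; compare in constant time."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

def same_password_different_hashes(password, rounds=ROUNDS):
    """Two users (or two systems) sharing a password still end up with unrelated hashes."""
    return hash_password(password, rounds=rounds) != hash_password(password, rounds=rounds)

def seconds_per_guess(rounds):
    """Rough single-core cost of checking one candidate at this work factor."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"candidate", b"\x00" * 16, rounds)
    return time.perf_counter() - start
```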

Wednesday, April 17, 2024

Port Numbers to know for the exam

 Port Numbers - Associated Protocol


Port   Transport    Protocol

21     TCP          FTP (File Transfer Protocol)
22     TCP          SSH (Secure Shell)
22     TCP          SCP (Secure Copy Protocol)
22     TCP          SFTP (Secure File Transfer Protocol)
23     TCP          Telnet
53     TCP / UDP    DNS (Domain Name System)
67     UDP          DHCP (Dynamic Host Configuration Protocol - server)
68     UDP          DHCP (Dynamic Host Configuration Protocol - client)
69     UDP / TCP    TFTP (Trivial File Transfer Protocol)
80     TCP          HTTP (Hypertext Transfer Protocol)
135    TCP / UDP    RPC (Remote Procedure Call)
139    TCP          NetBIOS (MS file sharing port - legacy)
143    TCP          IMAP (Internet Message Access Protocol)
161    UDP          SNMP (Simple Network Management Protocol)
443    TCP          HTTPS (Hypertext Transfer Protocol Secure)
445    TCP          SMB (Server Message Block)
1812   UDP          RADIUS (Remote Authentication Dial-in User Service)
3389   TCP          RDP (Remote Desktop Protocol)

Saturday, April 13, 2024

Brute Force, Dictionary, Spraying Attacks

 Password Discovery Methods


All of the attacks covered in this section are online attacks.

BRUTE-FORCE:
  • Uses an exhaustive list of guesses, trying every possible combination.
  • Password guessing programs used for brute force attacks can check anywhere from 10,000 to 1 billion passwords per second. 
  • Brute force attacks are run against a single username with multiple password guesses.
EXAMPLE:
cbgto1gpy
cbgto2gpy
cbgto3gpy
cbgto4gpy
cbgto5gpy
cbgto6gpy

In this example, the sixth character is the one changing. When the program has completed all possible values for the sixth character without discovering the password, the fifth character changes to the letter "p" and the process continues.

DICTIONARY:
  • A dictionary attack will go through common words out of the dictionary and does not use complexity.
  • Dictionary attacks are run against a single username with multiple password guesses. This is also an automated program.

SPRAYING ATTACK:
  • A spraying attack uses one password, normally a simple or commonly used one, against multiple accounts (2 or more usernames).
  • The attacker waits a period such as 30 minutes or longer. 
  • This is done to bypass account lockout. 
  • Most account lockouts reset the failed login counter back to "0" at that point.
There are two primary ways to prevent brute-force or dictionary attacks:
  • Account lockout after 3 to 5 failed login attempts
  • The other is to use MFA (Multi-Factor Authentication)
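An added example (not from the original post) showing why the two attack shapes need different detection: a per-username failure counter catches the brute-force run, while spraying only shows up when you count distinct usernames per source over a window longer than the lockout reset. The auth-log lines and thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

def parse(lines):
    """Turn constructed auth-log lines into (timestamp, source, username, failed) tuples."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"] == "FAIL"))
    return events

def brute_force_users(events, threshold=5, window=timedelta(minutes=10)):
    """Lockout-style counter: threshold failures against ONE username inside the window."""
    hits, fails = set(), defaultdict(list)
    for ts, _src, user, failed in sorted(events):
        if failed:
            fails[user] = [t for t in fails[user] if ts - t <= window] + [ts]
            if len(fails[user]) >= threshold:
                hits.add(user)
    return hits

def spraying_sources(events, min_users=8, window=timedelta(hours=6)):
    """Spraying leaves each per-user counter at 1, so look across users instead: count the
    distinct usernames a single source fails against over a window longer than the lockout reset."""
    hits, seen = set(), defaultdict(list)
    for ts, src, user, failed in sorted(events):
        if failed:
            seen[src] = [(t, u) for t, u in seen[src] if ts - t <= window] + [(ts, user)]
            if len({u for _, u in seen[src]}) >= min_users:
                hits.add(src)
    return hits

def sample_log():
    """Constructed: one source hammers 'jdoe' six times in six seconds; another tries
    ten different usernames once each, 30 minutes apart, which never trips a lockout."""
    lines = [f"2024-04-13T09:00:{i:02d} src=198.51.100.7 user=jdoe result=FAIL" for i in range(6)]
    t0 = datetime(2024, 4, 13, 9, 0, 0)
    for i in range(10):
        ts = (t0 + timedelta(minutes=30 * i)).isoformat()
        lines.append(f"{ts} src=203.0.113.9 user=user{i:02d} result=FAIL")
    lines.append("2024-04-13T09:05:00 src=192.0.2.4 user=alice result=OK")
    return lines
```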

Friday, April 12, 2024

Access Protocol by Network Type

 Kerberos, RADIUS, & SAML


Kerberos
  • Inside a network such as an office
  • Domain environment

RADIUS (AAA)
  • VPNs
  • Wireless (Enterprise mode)
  • Keywords: AAA, PKI, 802.1x

SAML (Security Assertion Markup Language)
  • Accessing a third-party website, web domain, webpage, CSP
  • Uses federation for authentication
  • Provides SSO (Single Sign-on)
  • Uses username & password from a popular website such as Google as the identity provider



Thursday, April 11, 2024

Pass the Hash Attack

 PtH (Pass the Hash Attack)

Attackers and penetration testers use the pass-the-hash attack. This allows them to achieve lateral movement or pivot to other systems in the network.

You do not have to crack the password, as the hash is the password.

One way to prevent this attack is to use group policy to prevent the caching of administrator passwords.

The other is to use the password-salting method. That way, the hashes will be completely different even if the admin uses the same local password for each system.


SSL Stripping Attack & Prevention

 SSL Stripping - SSL/TLS Downgrade

This type of attack can be called by either of the above names. Pay attention to the question. It may state that the user went to his financial organization's website, https://www.bank.com, but when you look at the logs, the user actually went to http://www.bank.com.

HTTPS would have used port 443, whereas HTTP uses port 80. That could be another hint that the attack was SSL stripping or an SSL/TLS downgrade attack.

The ways of preventing these attacks (this has to be configured on the server):
  • HSTS (HTTP Strict Transport Security)
  • HTTP security header
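An added example, not from the original post, that checks a server's response headers for a usable HSTS policy and flags proxy-log lines where a user reached a protected site over http:// instead of https://. The headers, log lines and the one-year minimum max-age are constructed assumptions.

```python
def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into its directives (names lower-cased)."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    return directives

def hsts_status(response_headers, min_age=31536000):
    """Return (ok, reason) for a server's response headers. Browsers only honour HSTS
    received over HTTPS, and a short max-age leaves a window in which the downgrade works."""
    value = next((v for k, v in response_headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "no HSTS header: a plain http:// request can be stripped"
    d = parse_hsts(value)
    if not d.get("max-age", "").isdigit():
        return False, "max-age missing or not an integer"
    if int(d["max-age"]) < min_age:
        return False, f"max-age {d['max-age']} is below {min_age}"
    if "includesubdomains" not in d:
        return True, "ok, but subdomains are unprotected"
    return True, "ok"

def cleartext_requests(log_lines, protected_hosts):
    """Flag proxy-log lines where a user reached a site that should be HTTPS over http:// (port 80)."""
    return [line for line in log_lines
            if any(f"http://{host}/" in line for host in protected_hosts)]

# Constructed samples: a strong header, a weak one, and two proxy-log lines.
GOOD = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
WEAK = {"strict-transport-security": "max-age=300"}
PROXY_LOG = [
    "2024-04-11 08:14:02 10.0.0.21 GET http://www.bank.com/login 200",
    "2024-04-11 08:14:09 10.0.0.22 GET https://www.bank.com/login 200",
]
```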

CVE & CVSS: The Differences

 CVE and CVSS

CVE (Common Vulnerabilities and Exposures)
CVE deals with the platform that is known to have a vulnerability:
  • Operating system
  • Applications
  • Hardware such as a switch, router, firewall, etc.
  • IoT (Internet of Things)

CVSS (Common Vulnerability Scoring System)
This lets us know the criticality of the vulnerability.
This is a calculated value based on several elements.

Tuesday, April 9, 2024

Percent Encoding and the Attacks They Are Associated With

 PERCENT ENCODING


Character   Percent Encoding   Attack
space       %20                SQLi
'           %27                SQLi
Examples:
%27%20or%20%27
'%20or%20"

.           %2E                Directory Traversal
/           %2F                Directory Traversal
Examples:
%2E%2E%2F%2E%2E%2F
..%2E..%2E
..2F..2F

<           %3C                XSS (Cross-site Scripting)
>           %3E                XSS (Cross-site Scripting)
<script>
Also, look for .js at the end of a URL.
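An added example, not from the original post, that applies the table above to access-log lines: decode the request (repeatedly, to catch double encoding) and only then match signatures for SQLi, directory traversal and XSS. The log lines and signature patterns are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed web-server access-log lines: three encoded attacks and two benign requests.
ACCESS_LOG = [
    '203.0.113.5 - - [09/Apr/2024:10:00:01] "GET /search?q=%27%20or%20%271%27%3D%271 HTTP/1.1" 200',
    '203.0.113.5 - - [09/Apr/2024:10:00:02] "GET /files?name=%2E%2E%2F%2E%2E%2Fetc%2Fpasswd HTTP/1.1" 404',
    '203.0.113.5 - - [09/Apr/2024:10:00:03] "GET /comment?text=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200',
    '198.51.100.2 - - [09/Apr/2024:10:00:04] "GET /search?q=rock%20%26%20roll HTTP/1.1" 200',
    '198.51.100.2 - - [09/Apr/2024:10:00:05] "GET /static/app.js HTTP/1.1" 200',
]

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Patterns are matched against the DECODED request, so %27 / %2E / %3C are seen as ' / . / <
SIGNATURES = {
    "SQLi": re.compile(r"""['"]\s*(or|and)\s*['"\d]|--\s*$|;\s*(drop|select|union)\b""", re.I),
    "Directory Traversal": re.compile(r"\.\.[/\\]"),
    "XSS": re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.I),
}

def decode_fully(s, max_rounds=3):
    """Decode until the string stops changing, so a double-encoded %2527 also ends up as '."""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def classify(log_line):
    """Return the attack categories whose signature matches the decoded request."""
    m = REQUEST.search(log_line)
    if not m:
        return set()
    decoded = decode_fully(m.group(1))
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}

def scan(lines):
    """Source IP and sorted categories for every line that matched something."""
    out = []
    for line in lines:
        hits = classify(line)
        if hits:
            out.append((line.split()[0], sorted(hits)))
    return out
```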

Sunday, April 7, 2024

New Blog for CompTIA Network+ (Link)

 

Below is the link for the blog for CompTIA Network+. This is a work in progress, and we will attempt to add posts daily.

These posts will mainly contain exam-driven material. However, there will also be real-world videos on how to use certain tools.

CompTIA Network+ Exam Prep Blog Link