Cyber Security Analyst (CySA+)

Vulnerability Management

Identification, prioritization, and remediation of vulnerabilities before a threat can exploit them. An organized approach to scanning and continuous assessment of your organizational security posture.

Regulatory Requirements

Laws and regulations that govern information storage and processing: HIPAA, GLBA, and FERPA. Laws and regulations that require vulnerability management programs: PCI-DSS, FISMA.

HIPAA

GLBA

FERPA

PCI-DSS

Payment Card Industry Data Security Standard. Specific security controls for credit card processors and merchants. The most specific of any requirement for vulnerability management.
Examples:
Internal and external scans must be conducted.
Scanned at least quarterly and after all major changes.
Internal scans by qualified individuals.
External scans by an approved scanning vendor.
Remediate any high-risk vulnerabilities and re-scan until a clean report is achieved.

FISMA

Federal Information Security Management Act. Specifies security controls for government, both agencies and the organizations that run their systems. Systems are classified as low, moderate, or high impact, which dictates the requirements.
Requirements:
Scan systems when new threats emerge.
Use tools/techniques that are interoperable.
Analyze scan reports from assessments.
Remediate vulnerabilities based on risk.
Share findings with other agencies to eliminate similar vulnerabilities in other systems.

Corporate Policy-Based Requirements

Laws and regulations that require vulnerability management programs (like PCI-DSS and FISMA) don't apply to every company. But vulnerability management is still very important to them as a key component of security. Therefore, organizations can and do require scanning under their own corporate policies.

Scanning Targets

What systems do you want to be covered by your scans? Do you scan all systems or just critical assets? Scanning tools like QualysGuard can be used to build your asset inventory automatically. Admins then take that information and classify the systems as critical or non-critical.

Scan Frequency

How often do we scan the systems? The schedule is determined by your goals to meet security, compliance, or other business requirements. Automated email reports or alerts can be configured. Example: the Nessus scanner allows you to set up daily, weekly, monthly, or other scheduled scans by date/time.

Organizational Risk Appetite

How much time between a new threat and a scan?

Regulatory Requirements

Do you fall under FISMA or PCI-DSS requirements?

Technical Constraints

The network may not support scanning everything.

Business Constraints

Do you have to avoid high business activity times?

Licensing Limitations

Scanners can control how many concurrent scans can be performed through licensing.

Best Practices for New Vulnerability Management Program

Start small: begin with a small section of your network. Expand slowly: gradually add more scope to your scans. This prevents overwhelming the enterprise systems and your sysadmin team.

Vulnerability Scanning Tools

QualysGuard

Nessus (Tenable)

Walkthrough

Install and load the Nessus web client.
Log in.
Policies tab: set up a scan. Add a policy and give it a name (Windows Scans). Leave the defaults if necessary.
-- For a vulnerability scan you may want to use a credentialed scan.
-- An attacker will not use a credentialed scan.
Plug-ins: turn plug-ins on or off depending on the scan (Windows).
Preferences: configure if you have DCs on the network.
Scans tab: scan now or schedule a scan. Select your policy or the policy you created. Type the scan targets. Launch.
After the scan completes it will show up in Reports. By default the report will show you the most vulnerable hosts first.

Nexpose (Rapid7)

OpenVAS

Open source

Nikto Web App Scanner

Web app specific.

Microsoft Baseline Security Analyzer

Is run on the client.

Scoping Scans

Describes the extent of the scan. What networks and systems are included? How will you test if a system is on the network? Ping sweep. What tests will be performed against the systems during a scan?
Importance of your scope: develop the scope properly and gain agreement from staff and management. Ensure you are unlikely to cause issues during your scanning efforts. You do not want to take systems down during work hours.
Minimizing the scope: network segmentation often allows you to minimize your scope for compliance scans. PCI-DSS networks should be segmented from the rest of the organizational network.

Configuring Scans

Scheduling automated scans. Producing reports. Providing authenticated access for scans. Choosing plugins and scan agents. Conducting scans from different perspectives (internal, external).

Scanning Sensitivity Level

Safe Checks

Will not allow an unsafe check to occur. Sometimes vulnerability scans will knock out a service or server for a period of time.

Plug-ins

Plug-ins contain checks for hundreds of vulnerabilities. Enable/disable plug-ins: if scanning a Linux system, disable the Windows plug-ins, and vice versa. Some scans can disrupt your systems or cause loss of data. Ensure you are scanning safely and with permission.

Windows

Linux

Templates for Scans

Vendors provide templates for scans with common settings. Admins can also create their own templates for commonly used scans. This prevents errors and saves time.

Scanning Perspective

Comprehensive scanners provide you with different scan perspectives. External scans provide the viewpoint of the attacker. Internal scans provide the insider threat viewpoint. Data center scans provide a close internal scan, one that might otherwise be blocked by other security devices. PCI-DSS requires both internal and external scans.

Internal

External

Datacenter

Authenticated Scan

Also called a credentialed scan. Some security devices can prevent some details of a scan from being successful. Provides the scanner read-only access to the servers. The scanner can access the operating system, databases, and applications on the server.

Agent-Based Scan

Small software agents installed on your servers or clients. Provides an inside-out perspective of vulnerabilities on the server or client. Agent-based approaches require more resources on the server, and system administrators often fight against their installation. Can get very detailed information.

Maintaining Scanners

Vulnerability management tools are vulnerable also. You should always update the tool and its plug-ins/signatures before use. This can be automated as well, but check to verify the update has occurred before use.
Patching: implements bug fixes, feature enhancements, and improves scan quality. Update plug-ins daily.

Standardizing Vulnerabilities

Vulnerability management used to be performed by numerous types of software with no common protocol. The Security Content Automation Protocol (SCAP), led by NIST, standardized vulnerability management between different software. Ensures standardization.
NIST SP 800-117, Guide to Adopting and Using SCAP: https://csrc.nist.gov/publications/detail/sp/800-117/final

SCAP

CCE

Common Configuration Enumeration - Standard names for system configuration issues.

CPE

Common Platform Enumeration - Standard names for product names and versions.

CVE

Common Vulnerabilities and Exposures - Standard names for security-related software flaws. IMPORTANT

CVSS

Common Vulnerability Scoring System - Standard approach for rating the severity of software flaws. IMPORTANT

XCCDF

Extensible Configuration Checklist Description Format - Language for checklists and reporting results.

OVAL

Open Vulnerability and Assessment Language - Language for low-level testing procedures used by the checklists.

Workflow for Remediation

Detection, Remediation, Testing; or Continuous Monitoring = provides for ongoing scanning of the network. Checks for vulnerabilities as often as possible based on the resources available. Provides earlier detection of vulnerabilities.
Automation: many products include built-in workflows and automation to track vulnerabilities through the cycle. Can automatically close out vulnerabilities when testing shows they are resolved. Some tools can be integrated into your IT Service Management system.

Detection

Vulnerability reporting: vulnerability analysts need to communicate the issues found to the system administrators. Scanners provide detailed reporting that can be automated to alert system administrators at periodic intervals. Critical vulnerabilities found can be sent out of cycle because they are so critical.
Dashboards: managers love dashboards because they provide a high-level summary of issues.
Overview of hosts: shows which hosts are most vulnerable.
Criticality: shows which vulnerabilities are most critical.

Dashboards

Managers love dashboards because they provide a high-level summary of issues.

Overview Of Hosts

Shows which hosts are most vulnerable.

Criticality

Shows which vulnerabilities are most critical.

Remediation

Remediation priority: man-hours, money, equipment, and other items are limited resources. Vulnerability management is all about prioritization of organizational efforts. You can't fix everything right away.

How Critical

How critical is the system and the information it contains? Take into account confidentiality, integrity, and availability if the vulnerability were exploited. Example: if an attacker was able to breach your customer database and get all their information, how bad is this?

How Difficult

How difficult is it to fix the vulnerability? How much time and money will it cost to fix? Example: I can spend all my time and money fixing vulnerability #1, or I can fix vulnerabilities 2, 3, 4, and 5.

How Severe

How severe is the vulnerability? Each vulnerability is given a criticality value in the Common Vulnerability Scoring System (CVSS). Some vulnerabilities are more severe than others. Example: a known exploit against a software bug that allows remote code execution is very severe. A cross-site scripting vulnerability might be less severe if it's on an intranet server only.

How Exposed

How exposed is the server to the vulnerability? External-facing servers are more exposed than intranet servers. Often, you should fix a lower-rated external vulnerability before a higher-rated internal one.

Testing

Implementing and testing a solution. Vulnerability analysts do not implement the fixes; their role is to find the issues and pass them to the system administrators to fix. Fixes may not be quick; often they require approval from the Change Control Board. Fixes should be tested in a lab environment prior to rolling them out to the enterprise.

Coordinate Efforts

Coordinate your efforts. Vulnerability analysts view fixes as the highest priority; not everyone in the organization does. You need to coordinate with others to get these vulnerabilities remediated. Service degradation, promises to customers, and IT governance can slow down your efforts.

Service Degradation

Vulnerability scanning places a resource tax upon the network and its servers when scans are conducted. Scans can risk disrupting business functions.
Overcoming objections: consider different scanning times (non-peak hours). Change scanning settings to lower-intensity modes.

Promise to Customers

MOUs and SLAs have specific uptime, performance, and other requirements that the organization must meet. Scans can risk disrupting business functions.
Overcoming objections: ensure the cybersecurity team is involved in the drafting of the MOUs and SLAs. Discuss appropriate times and scope for scans.

IT Governance

Can create hurdles in getting approval to implement changes. Fixes can risk disrupting business functions.
Overcoming objections: work within the organization's policies when possible to get resources and support. Utilize the Emergency Change Control Board when critical fixes must be implemented quickly.

Interpreting Scan Results

Scanners do a great job of automating the identification of vulnerabilities. However, a trained analyst is required to understand the implications of those vulnerabilities to: eliminate false positives, find root causes, and prioritize remediation actions.

Detailed Scan Results

Look at the Synopsis (e.g. Remote Windows execution) and the Description (much more detail). See Also (for greater detail). Solution. Risk Factor and CVSS score (2.0, not 3.0). References, Exploitable, Plugin, and Hosts.
See Nessus sample reports here: https://www.tenable.com/products/nessus/sample-reports

CVSS

Common Vulnerability Scoring System (CVSS). Industry standard for identifying the severity of a vulnerability. Analysts use this score to help prioritize remediation efforts.
Measured in six categories: three for exploitability, three for impact.
There are two versions of CVSS. CySA+ focuses on CVSS 2.0, not CVSS 3.0. CVSS 3.0 adds two additional measures: User Interaction (exploitability metric) and Scope (both an exploitability and an impact metric).
See the CVSS score breakdown here: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator or https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System
CVSS Base Score Chart
CVSS v2.0 Ratings (Severity / Base Score Range): Low 0.0-3.9; Medium 4.0-6.9; High 7.0-10.0
CVSS v3.0 Ratings (Severity / Base Score Range): None 0.0

AV Metric

Access Vector (AV) Metric - Describes the method an attacker would use to exploit the vulnerability. Three categories:
Local - physical access or logical access to the system.
Adjacent Network - access to the LAN of the affected system.
Network - remote access from the WAN.

Access Complexity

Access Complexity (AC) Metric - Describes the difficulty an attacker would have exploiting the vulnerability.
High - requires difficult/specialized conditions.
Medium - requires "somewhat specialized" conditions.
Low - no specialized conditions required.

Authentication Metric

Authentication (Au) Metric - Describes the number of times an attacker would have to authenticate.
Multiple - requires two or more authentications.
Single - requires one authentication.
None - no authentication required.

Confidentiality

Confidentiality (C) Metric - Describes the impact to confidentiality of data processed by the system.
None - no impact to confidentiality.
Partial - considerable disclosure of information.
Complete - total disclosure of information.

Integrity

Integrity (I) Metric - Describes the impact to integrity of data processed by the system.
None - no impact to the integrity of the system.
Partial - modification of some information possible.
Complete - total loss of integrity.

Availability

Availability (A) Metric - Describes the impact to availability of the system.
None - no impact to the availability of the system.
Partial - reduced performance or loss of functionality.
Complete - total loss of availability.

CVSS Base Score

See the CVSS score breakdown here: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator or https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System
CVSS Base Score Chart
CVSS v2.0 Ratings (Severity / Base Score Range): Low 0.0-3.9; Medium 4.0-6.9; High 7.0-10.0
CVSS v3.0 Ratings (Severity / Base Score Range): None 0.0

CVSS Temporal Score

The temporal score changes over the lifetime of the vulnerability. As exploits are developed and disclosed, and mitigations are made available, the score changes. Not covered by the CySA+ exam.
Temporal Score = Base Score x Exploitability x Remediation Level x Report Confidence.

Exploitability

Exploitability (E) Metric - Current state of exploitation techniques or automated exploitation available. Values: Unproven, Proof-of-Concept, Functional, High, Not Defined.

Remediation Level

Remediation Level (RL) Metric - Used to decrease temporal score as mitigations and fixes are made available.

Report Confidence

Report Confidence (RC) Metric - Used to show the level of confidence in the existence of the vulnerability and the technical details of the report.

Validation Of Results

CVSS scores are helpful, but they alone don't tell you how a vulnerability affects your systems.

False Positives

Scans can often report that a vulnerability exists even if it does not. How often this occurs is known as the false positive error rate. Vulnerabilities can be validated and verified by: checking if a patch is missing; attempting to exploit the erroneous code; verifying the system configuration.

Documented Exceptions

Vulnerabilities that are known but will not be fixed by the organization, e.g. vulnerabilities that are on the system but are too expensive to fix. Once the risk is accepted by management, they should be documented in the scanner to prevent future reporting of them.

Informational Results

Not everything reported by the scanner is considered a vulnerability. Some items are reported as "informational". Typical "informational" items are configurations that would allow an attacker to perform reconnaissance.

Compare Results

Compare results with other information sources: logs from servers, network devices, applications, and other devices; configuration management systems; security information and event management (SIEM).

Conduct Trend Analysis

Trend analysis also allows the analyst to ensure the vulnerability management program is working effectively.

Common Vulnerabilities

Vulnerability scanners can detect tens of thousands of different types of vulnerabilities.

Server and Host Vulnerabilities

Missing patches
Unsupported software or apps
Buffer overflows
Privilege escalation
Arbitrary code execution
Insecure protocol use
Debugging modes

Missing Patches

Missing patches are one of the most common issues found and one of the easiest to fix. They come from improper patch management.

Unsupported Software/Apps

Software vendors do not support software forever; they have an "end of life" date. After the "end of life" date, no more patches are released for the software.

Buffer Overflows

Occurs when the attacker manipulates a program to place more data into memory than is allocated for it, causing an overflow. Another specific type is integer overflow. These vulnerabilities tend to exist for a long time, but are corrected by a patch. In 2015, over 85% of the data breaches were caused by buffer overflow attacks.

Privilege Escalation

Occurs when an attacker upgrades their level of access to an admin or root user. For example, CVE-2016-7255 affects Windows Vista, 2008, 7, 8.1, 10, and 2016 machines: kernel-mode drivers are exploitable to allow local users to become an admin.

Arbitrary Code Execution

Allows an attacker to run software on a targeted victim machine. Remote code execution is worse, because it allows this to occur over the network.

Insecure Protocol Use

Occurs when using older protocols not designed with security in mind. Examples: FTP, Telnet, SMBv1, SSL, .........

Debugging Modes

Debugging modes give lots of information to developers, but should be disabled prior to server and code deployment. Debugging information could give attackers a lot of information during reconnaissance.

Network Vulnerabilities

Missing firmware updates
SSL and TLS issues
Domain Name Service (DNS) issues
Internal IP disclosure
Virtual Private Network (VPN) issues

Missing Firmware Updates

Network devices rely on firmware for their operating systems. Firmware needs patching and upgrades.

SSL and TLS Issues

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are designed to secure information sent over the internet (such as HTTPS). SSL is insecure and should not be used. Admins should disable support for older versions (SSL, and TLS before v1.2).
Insecure cipher use: SSL/TLS is only the protocol used, not the cipher. The cipher is the encryption algorithm. Do not use RC4.
Certificate problems: certificates identify servers and exchange the encryption keys.

Domain Name Service (DNS) Issues

DNS servers are victims of reconnaissance and other attacks.

Internal IP Disclosure

Networks that use NAT attempt to hide their internal IP structure. This information could be leaked in headers if a server isn't configured properly.

Virtual Private Network (VPN) Issues

VPNs consist of application protocols and SSL/TLS-encrypted tunnels. Configuration issues and missing firmware patches can also affect VPNs.

Virtual Vulnerabilities

VM escape
Management interface access
Virtual host patching
Virtual guest issues
Virtual network issues

VM Escape

The most serious of all virtualization issues. Occurs when an attacker can break out of the virtual machine (guest) and reach the host (hypervisor). In May 2017, a hacking contestant stitched together 3 different exploits and managed to perform a VM escape.

Management Interface Access

This interface controls access to all the virtual machines and can configure them. Should be highly secured, including use of two-factor authentication.

Virtual Host Patching

Just like other servers, virtual hosts need patching of the OS and software. This can help prevent VM escape.

Virtual Guest Issues

Each guest represents another server on the network, and they all need patching. Ensure your remediation and patch management considers all your VMs. Ensure your vulnerability management program also scans guest VMs.

Virtual Network Issues

Virtual firewalls, routers, and switches all need to be considered as part of your scanning program. If embedded as part of your VM solution, ensure appropriate patching is being done to prevent attacks.

Web Application Vulnerabilities

Injection attacks
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Nessus and QualysGuard can scan for web vulnerabilities, but they are not specialized (like Nikto).
https://www.owasp.org/index.php/Category:Attack

Injection Attacks

Most common is SQL injection. Allows an attacker to send commands through a web server to a back-end system, bypassing the normal security controls. Prevent this through input validation and using least privilege for the database. Injection flaws, particularly SQL injection, are unfortunately very common in web applications. There are many types of injection: SQL, Hibernate Query Language (HQL), LDAP, XPath, XQuery, XSLT, XML, OS command injection, and many more.

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. The attacker embeds scripting commands on a website that are executed by a regular user without their knowledge. The victim in this case is the regular user, not the server. If one of these is discovered during a scan, you need to work with the developer to fix the code and set up proper controls to prevent it in the future.
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. The attacker cannot see the web server's response, but this attack can be used to have the victim transfer funds, change their password, etc.
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Internet of Things (IoT) Vulnerabilities

Smart TV's/Consumer Devices

Big threat inside your network, at the office and at home (smart home). Not often patched or updated. Shodan tool.

SCADA

(SCADA) Supervisory Control and Data Acquisition systems. Power plants and factories; monitoring sensors. Not often patched or upgraded. Should be separated and off the network.

ICS

(ICS) Industrial Control Systems - Pumps, valves.

Security Architecture Tool Sets

Security Policy/Compliance

Policy Documents

Information Security Policy Framework: Policies, Standards, Procedures, Guidelines. Policies, standards, and procedures should be followed. Your information security framework should include the method for granting any necessary "exceptions".
Exceptions: specific approval to deviate from a policy, standard, or procedure. Approval authority is specified in policy. An exception request includes: the policy, standard, or procedure requiring the exception; the reason for the exception; the scope and duration of the exception; a description of the compensating controls to lower risk.

Policies

High-level statements of intent; must be followed; express management intent. Contain broad statements about cybersecurity objectives in the company. Provide a framework to meet the business goals and to define roles, responsibilities, and terms used in other security documents. Who approves the policies? Usually the C-suite will approve the policy for the organization. Without management buy-in, the policy is a waste of your time and effort. A top-down approach is most effective.

Information Security

Acceptable Use

Password

Data Ownership

Data Classification

Data Retention

Account Management

Standards

Used to implement a policy. Includes mandatory actions, steps, or rules needed to achieve cybersecurity. Approved at a lower level than the C-suite, such as the Director of Information Systems or a mid-level manager. Standards can also exist in industry frameworks (COBIT, ITIL, etc.).

Procedures

Detailed step-by-step instructions created for people to perform an action. Actionable steps to create a consistent method for achieving a security objective. Example: the service desk has a procedure for how to create a new user's account. Encompass all the security-related policies, standards, and guidelines for action by your front-line employees.

Guidelines

Not required actions, just recommendations. Flexible in nature to allow for exceptions and allowances during a unique situation. Example: the organization may create a guideline showing users how to store data files in a cloud service and how to encrypt the files. These aren't required, but may be useful to the end user and can be changed quickly.

Policy-Based Controls

Policies provide the control objectives the organization wants to achieve. This is the desired end state, not the method to accomplish it. Security controls are used to achieve the control objectives: physical controls, logical controls, administrative controls.

Physical Controls

Controls that impact the physical world: cameras, fences, gates, locks, lighting, alarm systems, fire suppression systems.

Logical/Technical Controls

Technical controls to enforce confidentiality, integrity, and availability (CIA), and even non-repudiation. Examples: ACLs in a firewall or router; encryption schemes.

Administrative Controls

Procedural controls to implement good cybersecurity practices: policies and procedures, separation of duties, background checks, reviewing log files.

Combining Control Objectives

Physical, logical, and administrative controls are most effective when they are combined. To prevent theft of data from a server: physical controls for building access; logical controls like encrypting the HD; administrative controls like requiring two people to open the lock/door.

Audits and Assessments

Evaluation of your cybersecurity program is essential to it being run effectively. Evaluation occurs as audits and assessments. You get what you inspect, not what you expect.

Audits

Formal review of the organizational cybersecurity program. Usually done internally, or it can be for a specific compliance requirement (externally) like PCI-DSS. Rigorous, formal testing of controls resulting in a formal declaration by the auditor of compliance.

Assessments

Much less formal than an audit. Usually requested by the organization itself for process improvement purposes. Information is gathered through interviews with employees (which is considered the truth) instead of independent verification.

Laws and Regulations

The US has various laws and regulations that must be adhered to, based on your industry (CySA+ focus).

HIPAA

Health Insurance Portability and Accountability Act (HIPAA). Security and privacy rules for healthcare. Affects healthcare providers, insurers, and others storing health information.

GLBA

Gramm-Leach-Bliley Act (GLBA). Requires financial institutions to have formal security programs in place. Must designate a "responsible" individual.

SOX

Sarbanes-Oxley (SOX) Act. Requires publicly traded companies to maintain good security around the IT systems storing and processing their financial records.

FERPA

Family Educational Rights and Privacy Act (FERPA). Requires educational institutions to implement security and privacy controls for educational records.

PCI-DSS

Payment Card Industry Data Security Standard (PCI-DSS). Rules about storage, processing, and transmission of credit/debit card info. Not a law, but a contractual obligation.

Data Breach Notifications

Various state laws. Require companies to notify victims of data breaches in a timely manner.

Security Framework

Standard frameworks: creating your own cybersecurity framework is a daunting task. Standard frameworks exist to help provide a standard approach.

NIST Cybersecurity Framework

Designed to meet one or more of five objectives: describe current posture; describe desired state; identify and prioritize areas for improvement; assess progress toward the desired state; communicate risk among internal and external stakeholders. Specifically modeled for cybersecurity.
The Framework Core is a set of five security functions that apply to all industries. Framework Implementation Tiers measure how the organization is positioned to meet cybersecurity objectives. Framework Profiles describe how the organization might approach the functions covered by the Framework Core.

ISO 27001

Used to be the most commonly used information security standard. Declining in usage outside of regulated companies that require ISO compliance. To become ISO 27001 certified, an external assessor validates organizational compliance.

ITIL

Information Technology Infrastructure Library (ITIL). Comprehensive approach to ITSM.

COBIT

Control Objectives for Information and Related Technologies (COBIT). Set of best practices for IT governance developed by ISACA. Divides IT activities into four domains: Plan and Organize; Acquire and Implement; Deliver and Support; Monitor and Evaluate.

TOGAF

The Open Group Architecture Framework (TOGAF). Widely adopted approach to enterprise architecture. Four domains: Business Architecture, Application Architecture, Data Architecture, Technical Architecture.

SABSA

Sherwood Applied Business Security Architecture (SABSA). Alternative model for security architecture that maps to architectural layers from different perspectives. Used in enterprise architecture.

Defense in Depth

Foundation of good security architecture. Does not rely on a single defensive measure or control for protection. Not foolproof.

Layered Security Defense

Data - encryption. Application - patches. Endpoint security - antivirus/malware protection. Network - IDS/IPS. Perimeter - firewalls.
Difficult to design and implement, but important. Must consider business needs and usability in the design of layered controls.
Four design models: Uniform Protection; Protected Enclaves; Risk or Threat Analysis-Based; Information Classification-Based.

Uniform Protection

Gives the same level of protection to all data, systems, or networks. Can be expensive for large networks. Focus is everything and everywhere.

Protected Enclaves

Enclaves that house more sensitive data are given additional protection. The network is segmented and firewalls are placed between your most critical/sensitive assets.

Risk or Threat Analysis-Based

Addresses specific risks or threats in the design of the networks and systems. Example: if you are concerned with phishing as a threat vector, you could employ additional controls to securely scan and filter your incoming emails.

Information Classification-Based

Maps data protection to different classes of information. Higher classification levels get additional attention and security controls. Example: NIPRNet and SIPRNet.

Types of Controls

r

Controls prevent, detect, counteract, or limit certain security risks.
- Technical
- Administrative
- Physical
- Preventative
- Detective
- Corrective
- Compensating

Technical Controls

r

Designed to provide security through technical measures.
- Firewalls
- IDS/IPS
- Authentication systems
- Network segmentation

Administrative Controls

r

Also called procedural controls.
Designed to provide security through processes and procedures.
Legal controls are a type of administrative control that is put in place by law.
- Incident response plans
- User awareness training
- Account creation policy
- Acceptable use policy

Physical Controls

r

Designed to provide security by preventing physical access or harm to the organization's systems or facilities.
- Fences
- Mantraps
- Security guards
- Fire suppression systems

Preventative Controls

r

Designed to stop an incident before it happens.
Proactive measures.
- Firewalls - preventative and technical
- Antivirus
- Training
- Security guards - preventative and physical

Detective Controls

r

Designed to detect when an incident occurs, capture details about it, and send an alert/alarm so someone can act.
- Intrusion detection systems
- Security cameras
- Logs

Corrective Controls

r

Designed to fix an issue after an incident has occurred.
Part of the incident response process.
Reactive measures.
- Patches
- System rebuilding
- Restore from backups

Compensating Controls

r

Designed to satisfy a security requirement not being met by other controls.
Minimizes the threat down to an acceptable level of risk.
- Blocking certain ports instead of upgrading all the OSs
- Segmenting vulnerable software to a separate part of the network

Layered Network Design

r

Combining the network architecture, configuration management, practices, and policies.
Can be accomplished through:
- Network segmentation
- Firewalls
- Outsourcing network segments

Network Segmentation

r

Compartmentalization of the network.
Benefits:
- Reduces the network's attack surface
- Limits the scope of regulatory compliance
- Increases availability of critical services
- Increases network efficiency
Implemented through:
- Firewalls
- Routers
- Switches
- VLANs

Firewalls

Single Firewall/Router

r

Simplest network design, used to create a DMZ for a lower-trust segment of the network.

Multiple Interface Firewalls

r

Different ACLs and rule sets are applied to each interface, creating multiple network segments.
Often called a service-leg DMZ.

Multi-Firewall

r

A dual-firewall design puts a firewall at each control point.
Allows for more stringent controls as you move deeper into the network.

Outsourcing Network Segments

r

Remote services - SaaS and PaaS rely on the providers for security and network design.
Directly connected remote network:
- Acts as an extension of your intranet.
- Utilizes IaaS with direct point-to-point VPNs.
- To users, it appears the IaaS is just part of your network.
- Low-level host protections at the IaaS are still handled by the third-party service provider.

Layered Host Security

r

Endpoint security: servers, desktops, laptops, and smartphones are all considered hosts on your network.
Often the most at-risk part of the network, since your users directly use them.
Common security controls:
- Passwords and strong authentication
- Encryption - file/full disk
- Host firewalls/host-based IPS
- Data Loss Prevention (DLP) software
- Whitelisting/blacklisting software
- Anti-malware/antivirus software
- Patch management
- Configuration management
- File integrity monitoring
- Logging of events and issues

Cryptography

r

Encrypting and hashing.
Encrypting files or the full disk can protect data at rest.
Proper storage of the encryption keys/passphrases is critical to security.
Hashing files (file integrity check) can be used to ensure file integrity as well.

Logging/Monitoring/Validation

r

Logs must be securely stored and centrally monitored.
Specialized log server or Security Information and Event Management (SIEM) system: Tripwire, AlienVault, Splunk.
Configuration management tools (Microsoft SCCM) allow you to validate system settings and software across the connected hosts.

Data Analytics

r

Integrating logs across devices provides the most value and information.
You need to conduct data aggregation and correlation, trend analysis, and historical analysis.

Data Aggregation and Correlation

r

Combine data from multiple sources to identify events impacting different systems.
- System logs
- Authentication logs
- Application logs
- Event logs
- and others
A detective control. Example tool: Splunk.

Trend Analysis

r

Analyzes systems, events, and devices to detect trends and patterns.
Identifies issues that are outside of expected growth or usage patterns.
Looks forward based on past history.

Historical Analysis

r

Analyzes systems, events, and devices over time to detect trends and patterns.
Helpful during incident response as it looks back over a long period of time.

Personnel Security

Separation of Duties

r

Separation of Duties - Requires more than one person to perform a task by breaking the task into additional parts.
Provides a system of checks and balances to prevent fraud and abuse.

Dual Control

r

Process requires two individuals to perform the action together.

Succession Planning

r

Focuses on ensuring important duties will always have someone who can perform them.
Prevents issues from tasks not being performed during personnel turnover.

Cross Training Employees

Background Checks

Mandatory Vacation

r

Allows us to identify any issues being hidden, since the person will not maintain access to the systems.

Termination

r

Policies and procedures focus on what to do when an employee is terminated.
Retrieving company property, disabling accounts, changing security codes, etc.

Outsourcing concerns

r

- Proper vetting of the provider
- Employment practices
- Access control
- Data ownership and control
- Incident response and notification process

Proper Vetting and Employment Practices

r

What kind of background checks are done on the service provider's employees?
What internal personnel controls are used?
How do they handle employee issues?

Access Control

r

How is access control to the system handled?
How is your data physically or logically segmented from that of other organizations the service provider handles?

Data Ownership

r

Who owns the data?
Is it encrypted?
Does the service provider have access to just the data, or do they also have the encryption keys?

Incident Response and notification process

User Awareness Training

r

Users are the biggest threat to networks.
Proper security training is the most cost-effective control that can be applied in an organization.
All the technical controls in the world won't stop a threat if a user lets the bad guys in.
Acceptable use policy.

Spearphishing and Phishing

Analyzing Secure Architectures

Single point of Failure

Data Validation and Trust

Users

r

Largest cause of a security failure.

Authentication and Authorization

Architecture Review

Identity/Access Management

r

Centralized Identity and Access Management (IAM).
Systems built to create, store, and manage identity information, including group memberships, roles, permissions, and more.
What can IAM do?
- Provision accounts
- Authentication
- Single Sign-On (SSO)
- LDAP directory
- Account maintenance
- Reporting
- Monitoring
- Logging
- Auditing

Authentication

r

Individual proves who they are.

Authorization

r

Individual is provided access to a given resource.

Accounting

r

Logs and monitors a user when an authentication or authorization attempt is made or completed.

Directories

LDAP

Security in Software Development

Threat Management

CIA Triad

Confidentiality

r

Confidentiality is about not disclosing sensitive information to other people.
How secure is the information? How secure does it need to be?
Best methods to protect it:
- Physical security - locks, fences, guards, cameras, a safe.
- Electronic security - encryption (at rest and in transit), passwords, firewalls, 2FA.
Failure of confidentiality occurs when someone can obtain or view the data.

Integrity

r

Integrity is about preserving the state of the system: we don't want attackers to change our data.
How correct is the information? Has the data been modified at retrieval, in transit, or in storage?
Best methods to protect integrity:
- Hashing of files and information.
- Checksums during data transmission.
Failure of integrity occurs when someone modifies the data being stored or in transit.

Availability

r

How much uptime is the system providing? Is the data accessible at all times by all users?
Best methods:
- Redundancy in system design, including components and data paths.
- Backup strategies and disaster recovery plans.
Failure of availability occurs when data cannot be accessed by the end user.

Risk Consideration

r

Risk - the probability (likelihood) of the realization of a threat.
Risk = Vulnerability + Threat
Vulnerability without a Threat = No Risk

Asset

r

Asset - Any item that has value in the organization.
- People
- Information
- Equipment
- Network/servers/computers
- Software
- Processes

Vulnerability

r

Vulnerability - Weakness in the system design, implementation, or software code, or lack of preventative mechanisms.
Vulnerabilities are internal factors.
- Software bug
- Misconfigured software or network device
- Improper physical security
Cybersecurity professionals control vulnerabilities.

Threat

r

Threat - Any condition that can cause harm, loss, damage, or compromise to an asset. External factors.
External threats:
- Natural disaster
- Cyber attack
- Breach of data integrity
- Disclosure of confidential data
- Malware
Cybersecurity professionals cannot control threats; however, threats can be mitigated.

Risk Assessments

r

Risk Assessments - Measure your current level of risk based on threats, vulnerabilities, and the mitigations in place.
Should be conducted routinely.
NIST (National Institute of Standards and Technology) SP 800-30, page 32: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Identifying Threats

Adversarial Threats

r

Consider their capability, intent, and likelihood.
- Trusted insiders
- Competitors
- Suppliers
- Customers
- Business partners
- Nation states

Accidental Threats

r

Occurs when someone makes a mistake that hurts the security of the system.
Example: a system administrator takes a server offline.

Structural Threats

r

Occurs when equipment, software, or environmental controls fail.
- IT server fails due to hard drive failure.
- HVAC fails in the server farm.
- OS bug or crash (software failure).

Environmental Threats

r

Occurs when natural or man-made disasters occur.
- Fires
- Flooding
- Storms
- Loss of power from the city grid
- Fiber cut

Identifying Vulnerabilities

r

Internal factors.
Our focus is to match vulnerabilities to the threats identified.
Remember: if you have a threat without a vulnerability, it is not a risk.

Likelihood, Impact, Risk

r

Likelihood and Impact - The risk that a combined threat and vulnerability imposes is measured by its likelihood and impact.
Likelihood - The chance that the risk will be realized.
Impact - The severity of the damage that occurs if the risk is realized.
Likelihood and impact are qualitative: low, medium, or high.
Qualitative is subjective.
Quantitative is based on numbers or dollars: factual.

Quantitative

ALE

r

Annual Loss Expectancy - Quantitative, based on numbers or dollars.
ALE = Cost x Occurrence
Let's discuss the single loss expectancy (SLE). It contains information about the potential loss when a threat occurs (expressed in monetary values). It is calculated as follows: SLE = AV x EF, where AV is the asset value and EF is the exposure factor. The exposure factor describes the loss that will happen to the asset as a result of the threat (expressed as a percentage value). SLE is $30,000 in our example, when EF is estimated to be 0.3.
Let's continue this case. The annualized rate of occurrence (ARO) is an estimate of how often the threat occurs in one year. ARO is used to calculate ALE (annualized loss expectancy). ALE is calculated as follows: ALE = SLE x ARO. ALE is $15,000 ($30,000 x 0.5), when ARO is estimated to be 0.5 (once in two years).
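The SLE and ALE arithmetic above, worked in code. This is an added example, not from the page: the $100,000 asset value is an assumption (the page gives only the resulting SLE of $30,000 at EF 0.3), and the control_value function is a common extension of the page's formulas (annual savings from a control minus its annual cost), not something the page states.

```python
"""Quantitative risk arithmetic: SLE = AV x EF and ALE = SLE x ARO.
Added example. The asset value of $100,000 is assumed; the page states only the SLE."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float               # annualized rate of occurrence (0.5 = once every two years)


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF. EF is a fraction, so 30% is passed as 0.3, not 30."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO below 1 means the threat occurs less than once a year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Annual value of a control = (ALE before - ALE after) - annual cost of the control.
    Positive means the control pays for itself. This cost-benefit step is a common
    extension of the formulas above, not part of the page's text."""
    return (ale_before - ale_after) - annual_control_cost


def page_example() -> tuple:
    """The page's numbers: EF 0.3 and ARO 0.5 give SLE $30,000 and ALE $15,000 (AV assumed)."""
    s = Scenario("page example", asset_value=100_000, exposure_factor=0.3, aro=0.5)
    sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
    ale = annualized_loss_expectancy(sle, s.aro)
    return sle, ale


if __name__ == "__main__":
    sle, ale = page_example()
    print(f"SLE = ${sle:,.0f}, ALE = ${ale:,.0f}")
    # Constructed decision: a $5,000/year control that halves the ARO to 0.25
    reduced = annualized_loss_expectancy(sle, 0.25)
    print(f"value of the control = ${control_value(ale, reduced, 5_000):,.0f} per year")
```

The EF check matters in practice: a spreadsheet that takes 30 instead of 0.3 silently inflates every ALE by a factor of 100.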

Qualitative

Likelihood

Impact

Risk Handling

r

Cyber Security professionals work to minimize risk through risk management and controls.

Risk Acceptance

r

Common when the risk is low or controls are already in place.
Does not mean there is no risk.

Risk Avoidance

r

Risk is too high to accept, so the system configuration or design is changed to avoid the risk or vulnerability.

Risk Mitigation

r

Minimize risk to an acceptable level.
Not necessarily eliminating all risk.
By adding risk controls we can mitigate the risk down to an acceptable level.

Risk Transference

r

If an organization cannot afford to accept, avoid, or mitigate the risk, it can transfer the risk to another business.
Example: an insurance company; data breach protection insurance.

Controls

Administrative Controls

r

Practices, policies, and procedures to increase security.
- Security awareness training
- Pen testing
- Vulnerability management
- Utilize standard operating procedures

Technical Controls

r

Systems, devices, software, and settings used to enforce CIA requirements.
- Firewalls, IDS, IPS
- Installing antivirus and endpoint security

Physical

r

Locks, fences, CCTV, guards.

Network Security

Network Perimeter Security

Firewall

r

Most common network perimeter security.
Usually at network boundaries.
Generally set up as triple-homed devices: Internet, DMZ, and Intranet.
DMZ: semi-trusted zone.
ACL - Access Control List - All traffic passing through the firewall is checked against the ACL.
The ACL contains rules that define what traffic can pass through the firewall.
Deny by default.
Common ports (http://packetlife.net/media/library/23/common_ports.pdf):
- 20, 21 FTP
- 22 SSH
- 23 Telnet
- 25 SMTP
- 53 DNS
- 69 TFTP
- 80/443 HTTP/HTTPS
- 110 POP3
- 123 NTP
- 143 IMAP
- 161 SNMP
- 389 LDAP
- 1433 SQL Server
- 1521 Oracle
- 1720 H.323
- 1723 PPTP
- 3389 RDP

Packet Filtering

r

Checks each packet against the rules (ACL) for IP address and port.

Stateful Inspection

r

Maintains information about the state of each connection, in addition to IP address and port.
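To make "deny by default" and the difference between packet filtering and stateful inspection concrete, here is an added example; it is not from the page or from any firewall vendor. The ACL, addresses and ports are constructed: intranet hosts in 10.0.0.0/8 may reach a DMZ web server at 192.0.2.10 on port 443 and nothing else is permitted, so the stateless filter drops the server's replies while the stateful one recognizes them as return traffic of a connection it has already seen.

```python
"""Stateless packet filter versus stateful inspection (added example, constructed rules).
Rules are evaluated first-match; a packet matching no rule is denied (implicit deny)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # a TCP SYN marks a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: str                  # CIDR
    dst: str                  # CIDR
    proto: str                # "tcp", "udp" or "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def packet_filter(acl: list, p: Packet) -> str:
    """Stateless filter: only IP addresses and ports are consulted, first match wins."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"   # implicit deny at the end of every ACL


@dataclass
class StatefulFirewall:
    acl: list
    # Connection table keyed by the 5-tuple of the initiating direction
    state: set = field(default_factory=set)

    def inspect(self, p: Packet) -> str:
        key = (p.proto, p.src, p.dst, p.sport, p.dport)
        reverse = (p.proto, p.dst, p.src, p.dport, p.sport)
        if reverse in self.state:
            return "permit"      # reply belonging to a connection we already allowed
        if p.proto == "tcp" and not p.syn:
            return "deny"        # non-SYN packet with no known connection: not part of any session
        verdict = packet_filter(self.acl, p)
        if verdict == "permit":
            self.state.add(key)  # remember the session so its replies are allowed
        return verdict


# Constructed ACL: intranet may reach the DMZ web server on 443; everything else is denied.
ACL = [
    Rule("permit", "10.0.0.0/8", "192.0.2.10/32", "tcp", 443),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]


def demo() -> dict:
    """Verdicts for a client request, the server's reply, and an unsolicited server packet."""
    fw = StatefulFirewall(ACL)
    outbound = Packet("10.1.1.5", "192.0.2.10", "tcp", 51000, 443, syn=True)
    reply = Packet("192.0.2.10", "10.1.1.5", "tcp", 443, 51000)
    unsolicited = Packet("192.0.2.10", "10.1.1.5", "tcp", 443, 51001)
    return {
        "stateless_reply": packet_filter(ACL, reply),   # deny: no rule permits DMZ -> intranet
        "outbound": fw.inspect(outbound),               # permit, and a state entry is created
        "stateful_reply": fw.inspect(reply),            # permit: matched the connection table
        "unsolicited": fw.inspect(unsolicited),         # deny: no matching session
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

A stateless ACL that must let replies through needs a broad "permit established" style rule in the opposite direction, which is exactly the kind of hole stateful inspection removes.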

Next-Generation (NGFW)

r

Uses contextual information about users, apps, and processes to make decisions.
Layer 7 firewall.

Web Application (WAF)

r

Protects against web application attacks like SQL injection and cross-site scripting (SQLi/XSS).
Placed in front of web servers.

Network Segmentation

r

Separates networks into different levels of security, much like the intranet, internet, and DMZ.
We apply this same principle to break apart our large networks into more secure enclaves.

Network Access Control

r

Limits network access to only authorized individuals or systems.Ensures the systems connecting to the network meet basic security requirements.

802.1x

r

The protocol most commonly used for network access control.
Works for wired and wireless connections.
Uses a RADIUS server as the authentication server.
The typical authentication procedure consists of the following steps.
Figure: sequence diagram of the 802.1X progression
Initialization - On detection of a new supplicant, the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as the Internet Protocol (and with it TCP and UDP), is dropped.
Initiation - To initiate authentication, the authenticator periodically transmits EAP-Request Identity frames to a special Layer 2 address (01:80:C2:00:00:03) on the local network segment. The supplicant listens on this address, and on receipt of the EAP-Request Identity frame it responds with an EAP-Response Identity frame containing an identifier for the supplicant, such as a user ID. The authenticator then encapsulates this Identity response in a RADIUS Access-Request packet and forwards it to the authentication server. The supplicant may also initiate or restart authentication by sending an EAPOL-Start frame to the authenticator, which then replies with an EAP-Request Identity frame.
Negotiation (technically EAP negotiation) - The authentication server sends a reply (encapsulated in a RADIUS Access-Challenge packet) to the authenticator, containing an EAP Request specifying the EAP method (the type of EAP-based authentication it wishes the supplicant to perform). The authenticator encapsulates the EAP Request in an EAPOL frame and transmits it to the supplicant. At this point the supplicant can start using the requested EAP method, or send a NAK ("Negative Acknowledgement") and respond with the EAP methods it is willing to perform.
Authentication - If the authentication server and supplicant agree on an EAP method, EAP Requests and Responses are sent between the supplicant and the authentication server (translated by the authenticator) until the authentication server responds with either an EAP-Success message (encapsulated in a RADIUS Access-Accept packet) or an EAP-Failure message (encapsulated in a RADIUS Access-Reject packet). If authentication is successful, the authenticator sets the port to the "authorized" state and normal traffic is allowed; if it is unsuccessful, the port remains in the "unauthorized" state. When the supplicant logs off, it sends an EAPOL-Logoff message to the authenticator, which then sets the port to the "unauthorized" state, once again blocking all non-EAP traffic.
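The four steps above as a small simulation, added here as an example; it is not taken from any real supplicant, switch or RADIUS implementation. The credential table, the identity "alice" and the EAP method names are constructed, the real EAP method exchange (certificates, TLS) is collapsed into a single credential check, and after a NAK the simulation simply leaves the port unauthorized rather than negotiating an alternative method.

```python
"""802.1X port-based NAC sequence: initialization, initiation, negotiation, authentication.
Added example with constructed identities and credentials; not a real EAP implementation."""
from dataclasses import dataclass, field

EAPOL_GROUP_ADDR = "01:80:C2:00:00:03"   # Layer 2 address the authenticator sends Identity requests to


@dataclass
class AuthServer:
    """Authentication (RADIUS/EAP) server: picks the EAP method and checks credentials."""
    users: dict               # constructed identity -> secret table
    method: str = "EAP-TLS"

    def handle(self, msg: dict) -> dict:
        # Access-Request carrying EAP-Response/Identity -> Access-Challenge naming the method
        if msg["type"] == "EAP-Response/Identity":
            return {"type": "EAP-Request", "method": self.method, "identity": msg["identity"]}
        # EAP-Response with method data -> Access-Accept (EAP-Success) or Access-Reject (EAP-Failure)
        if msg["type"] == "EAP-Response":
            ok = self.users.get(msg["identity"]) == msg["credential"]
            return {"type": "EAP-Success" if ok else "EAP-Failure"}
        raise ValueError(f"unexpected EAP message {msg['type']}")


@dataclass
class Supplicant:
    identity: str
    credential: str
    supported_methods: tuple = ("EAP-TLS",)

    def on_request_identity(self, req: dict) -> dict:
        return {"type": "EAP-Response/Identity", "identity": self.identity}

    def on_method_request(self, req: dict) -> dict:
        if req["method"] not in self.supported_methods:   # NAK: list what we can do instead
            return {"type": "EAP-NAK", "identity": self.identity, "can_do": list(self.supported_methods)}
        return {"type": "EAP-Response", "method": req["method"],
                "identity": self.identity, "credential": self.credential}


@dataclass
class Authenticator:
    """Switch port: relays EAP between supplicant and server and gates all other traffic."""
    server: AuthServer
    port_state: str = "unauthorized"     # initialization: a new supplicant starts unauthorized
    log: list = field(default_factory=list)

    def forward(self, frame: dict) -> bool:
        """Only EAPOL frames pass while the port is unauthorized; everything is dropped otherwise."""
        allowed = bool(frame.get("eapol")) or self.port_state == "authorized"
        self.log.append(("forward" if allowed else "drop", frame["type"]))
        return allowed

    def run_eap(self, supplicant: Supplicant) -> str:
        # Initiation: EAP-Request/Identity to the group address, answered with the identity
        ident = supplicant.on_request_identity({"type": "EAP-Request/Identity", "dst": EAPOL_GROUP_ADDR})
        # Negotiation: the server's Access-Challenge names the EAP method to use
        challenge = self.server.handle(ident)
        response = supplicant.on_method_request(challenge)
        if response["type"] == "EAP-NAK":
            self.port_state = "unauthorized"    # simplification: no second method is offered
            return self.port_state
        # Authentication: the server answers EAP-Success or EAP-Failure
        result = self.server.handle(response)
        self.port_state = "authorized" if result["type"] == "EAP-Success" else "unauthorized"
        return self.port_state

    def logoff(self) -> str:
        """EAPOL-Logoff returns the port to the unauthorized state."""
        self.port_state = "unauthorized"
        return self.port_state


def scenario(identity: str, credential: str, methods: tuple = ("EAP-TLS",)) -> tuple:
    """Returns (IP forwarded before auth, port state after auth, IP forwarded after auth)."""
    server = AuthServer(users={"alice": "cert-ok"})          # constructed credential table
    auth = Authenticator(server)
    before = auth.forward({"type": "IPv4", "eapol": False})   # dropped: port unauthorized
    state = auth.run_eap(Supplicant(identity, credential, methods))
    after = auth.forward({"type": "IPv4", "eapol": False})
    return before, state, after


if __name__ == "__main__":
    print("valid credential:", scenario("alice", "cert-ok"))
    print("bad credential:  ", scenario("alice", "wrong"))
    print("method mismatch: ", scenario("alice", "cert-ok", ("EAP-PEAP",)))
```

The point to notice is that the port itself never sees the credential: the authenticator only relays EAP and flips the port state on the server's verdict, which is why a compromised switch cannot mint its own authorizations without the RADIUS server's cooperation.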


Agent-Based

r

Agent-based - Requires the device requesting access to have special software to communicate with the NAC service (such as 802.1X).

Agentless

r

Agentless - NAC authentication is conducted in a web browser and does not need special software (such as Wi-Fi in a hotel).

In-band/Out-of-Band


In-Band

r

Uses dedicated appliances placed between the devices and the services they are requesting.
Example: hotel networks that require you to enter your name and room number before gaining access.

Out-of-Band

r

Relies on the existing network and has the device communicate with the authentication server (like 802.1X).

NAC Approval Criteria

Time of Day

User Role

User Location

System Health Status

Defense Deception Methods

r

An attempt to lure an attacker to specific targets.
- Honeypot
- DNS sinkhole

Honeypot

r

Designed to falsely appear vulnerable and fool malicious attackers.
They simulate successful attacks and allow us to monitor attack techniques.
Designed to look like a lucrative target due to the types of services being run and the vulnerabilities present.

DNS Sinkhole

r

Provides false DNS information to malicious software.
A compromised system requests DNS information from the server, but the server detects the suspicious request and gives the IP address of the sinkhole instead of the command and control server.

Secure Endpoint Management

r

Securing Desktops, Laptops, Tablets, and Cell Phones.

Hardening System Configurations

r

Make the system as resistant to attacks as possible.
- Disable unnecessary services.
- Disable unnecessary ports.
- Verify secure configurations.
- Centrally control device security settings; only admins can change them.

Patch Management

r

Making sure patches are installed properly and as quickly as possible.
System Center Configuration Manager (SCCM).

Compensating Controls

r

If you can't implement a security control, you can compensate for it.Provides a similar level of security by using an alternate means.Examples:

Group Policies (GPO)

r

Provides admins an efficient way of managing system and security configuration settings across many devices in a network.
Examples:
- Run scripts at login to verify compliance.
- Require the use of a firewall on all hosts.
- Map a share drive on login.

Endpoint Security Software

r

Specialized software that enforces the company's security policies.
This software should report to a centralized management system for cyber security analysts to view and analyze.
Examples:
- Host-based IDS/IPS
- Antivirus

MAC

r

Mandatory Access Control - Sets all security permissions centrally; users cannot change permissions locally.
Great security, but an administrative nightmare; only used in very sensitive environments.

DAC

r

Discretionary Access Control - Allows the owners of a file or resource to control the permissions of that resource.

Pen Testing

r

NIST SP 800-115, page 5-2: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
Simulate a cyber attack against a company using the same information, tools, and techniques available to an attacker.
Goal: gain access to your systems and report the findings.
Performed by internal staff or external consultants.
Time consuming and costly.

Discovery

r

Testers conduct reconnaissance and gather as much information as possible on the network, systems, users, and applications.
Examples:
- Open source research
- Port scanning
- Enumeration
- Vulnerabilities
- Web application scanning

Attack

r

Seek to bypass the security controls and gain access to the system.
Attack phase (exploitation):
- Gain access
- Escalating privileges - admin rights
- System browsing - may refer back to the discovery phase
- Installing additional tools

Reporting

r

Detailed report after the test.
Contains the results of the pen test:
- Successful attacks and suggestions on how to fix them.
- Things that could not be attacked.
- Prioritized based on the risk posed by the vulnerability exploited.

Security Exercises and Training

r

Beyond a pen test.
Security exercise where pen testers and defenders are put against each other to provide additional training.
Performed in a simulated environment, not the production network.
Conducted by three types of teams:
- Red
- Blue
- White

Red

r

Attacker.
Reconnaissance and exploitation.
Similar to a pen tester.

Blue

r

Defender.
Secures the network and attempts to keep the red team out through the use of security tools.
Usually made up of system and network admins.

White

r

Referee. Mediator.
Coordinates the exercise.
Maintains the simulated environment and monitors the exercise.

Reverse Engineering

r

Technique used to take a finished product and understand its inner workings through decomposition.
Conducted through dynamic analysis or static analysis.

Dynamic Analysis

r

Malware is placed in a (virtual) sandbox and its behavior is observed on the system and the virtual network.
Automated solutions can do this in near real time, where email attachments are launched and automatically analyzed for malicious activity.
What beacons, ports, services, etc. is it trying to talk to?

Sandbox

Static Analysis

r

Software or hardware.

Software

r

Analysis of the code of the malware. Difficult and time consuming.
Readable - Ruby, Python
Not readable - C/C++, Java (compiled)
Static analysis of compiled code requires a decompiler or analysis in binary format.

Hardware

r

Difficult to perform due to the embedded software in firmware.
Most often, dynamic analysis is conducted on hardware.
Hardware should be purchased from a trusted supplier to minimize the risk of malware.

Reconnaissance and Intelligence

r

Gathering information to better understand the security landscape.
Some security standards and laws, such as PCI-DSS, require information gathering from inside and outside your network to ensure compliance through quarterly vulnerability scans.
Numerous tools and techniques exist for conducting discovery.

Footprinting

r

Creating a map of the network, systems, and other infrastructure of the company.
Created using a mix of information gathering tools and manual research.
NIST SP 800-115 and the Open Source Security Testing Methodology Manual (OSSTMM): http://www.pen-tests.com/open-source-security-testing-methodology-manual-osstmm.html

Active Reconnaissance

r

Utilizes host scanning tools to gather information about systems, services, and vulnerabilities in the network.
Does not include exploitation of the vulnerabilities, only identification of them.
Permission should be sought before conducting active reconnaissance because it could be mistaken for an attack.

Network Mapping

r

Can approximate the network by using Time to Live (TTL) values, traceroute information, or other responses from the network.

Challenges

r

Firewalls and Layer 3 switches - ACLs can make it difficult to map a network fully.
Wireless networks - Being able to determine what is wired or wireless.
Virtualized networks -
Cloud services -

NMAP

r

nmap -O iptoscan        OS scan
nmap -sV iptoscan       Service version: banner grabs and packet analysis
nmap -O -sV iptoscan    OS scan and service version together
nmap -sS iptoscan       SYN scan
nmap -sT iptoscan       Full three-way handshake (connect scan)
nmap -sA iptoscan       ACK scan
NMAP cheat sheet: https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/

Zenmap

r

Graphical version of NMAP


Angry IP

r

Multiplatform graphical port scanner.
Does not provide service or OS information by default.
Must use "fetchers" to get more information.
Well known, but not as full featured as NMAP or Zenmap.

Nessus


Others

r

Metasploit has built-in scanners.
Qualys Vulnerability Management.
Tenable Nessus, or write your own using Python.

Port Scanning

r

Most common method for information gathering on a network and its devices.
Port scanners perform:
- Host discovery - what is online or offline
- Port scanning and service identification
- Service version identification
- Operating system identification
Port scanners are also used for network inventory tasks and security audits.
Well-known ports - 0 to 1023
Registered ports - 1024 to 49151
Where you scan from matters.
Internal scans will see more information than external scans.
If you are trying to simulate a cyber attack during a pen test, you should be scanning from outside the network to match the attacker's perspective.

Service Scanning

r

Service identification attempts to identify the service and its version through banner grabbing or by comparing TCP/UDP packet responses to known signatures.
Scanning the subnet.

OS Scanning

r

OS fingerprinting uses the TCP/IP stack responses to the TCP and UDP packets sent to identify Windows, Linux, or OS X and, if possible, the version.

Passive Reconnaissance

r

More difficult than active reconnaissance.
Relies on logs and other data.
The data you receive may be out of date.
Often used during cyber incident response: you don't want to let an attacker know you are looking for them.

Log and Configuration Files

r

Local system configuration data and log files can be used to build a network map.
Some tools exist to parse configuration files into a usable topology.
Much of this is done manually.

Network Device Logs

r

Network devices log many activities, their status, and events.
Includes traffic patterns and utilization.
Log files, configuration files, and network flows are great for passive recon.

Cisco Logs

r

Level  Name           Example
0      Emergencies    Failure causing a shutdown
1      Alerts         Temperature exceeded
2      Critical       Software failure
3      Errors         Interface down
4      Warning        Configuration change
5      Notifications  Line protocol up/down
6      Information    ACL violation
7      Debugging      Debugging messages
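A parser that applies the severity table above to raw IOS messages, added here as an example (not from the page or from Cisco). The lines in SAMPLE_LOG are constructed; the %FACILITY-SEVERITY-MNEMONIC header and the "list ... denied" ACL log text follow the standard IOS message formats, and which levels count as urgent is a threshold you choose.

```python
"""Triage Cisco IOS syslog lines by the 0-7 severity in the message header.
Added example with constructed log lines; the header format is the standard IOS one."""
import re
from collections import Counter

SEVERITY_NAMES = {
    0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
    4: "Warning", 5: "Notifications", 6: "Information", 7: "Debugging",
}

# IOS message header: %FACILITY-SEVERITY-MNEMONIC: message text (anything before it is a timestamp)
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
# Level 6 ACL log entry: list <acl> denied <proto> <src>(<sport>) -> <dst>(<dport>)
ACL_DENY_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Constructed sample log: timestamps and addresses are invented for the example.
SAMPLE_LOG = """\
*Mar  1 00:12:34.567: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Mar  1 00:12:35.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Mar  1 00:13:02.118: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.20)
*Mar  1 00:14:40.009: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4444) -> 10.1.1.5(22), 1 packet
*Mar  1 00:14:41.010: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4445) -> 10.1.1.5(3389), 1 packet
*Mar  1 00:15:00.200: %SYS-2-MALLOCFAIL: Memory allocation of 4096 bytes failed from 0x60123456, alignment 0
"""


def parse_line(line: str):
    """Return the header fields of one IOS log line, or None if the line is not an IOS message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    sev = int(m.group("severity"))
    return {
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def triage(log_text: str, urgent_threshold: int = 3) -> dict:
    """Collect messages at or below the urgent severity, a count per level, and ACL denies
    tallied by source address (the 'ACL violation' row of the table lives at level 6)."""
    urgent, by_level, denies = [], Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                 # banners, blank lines, non-IOS output
        by_level[rec["severity"]] += 1
        if rec["severity"] <= urgent_threshold:
            urgent.append(f'{rec["facility"]}-{rec["severity"]}-{rec["mnemonic"]}')
        deny = ACL_DENY_RE.search(rec["text"])
        if deny:
            denies[deny.group("src")] += 1
    return {"urgent": urgent, "by_level": dict(by_level), "acl_denies_by_source": dict(denies)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("urgent:", result["urgent"])
    print("per level:", {SEVERITY_NAMES[k]: v for k, v in sorted(result["by_level"].items())})
    print("ACL denies by source:", result["acl_denies_by_source"])
```

Note that the lowest numbers are the most severe, so an "alert on severity 3 and below" filter is the one that catches interface and software failures, while the interesting security signal (ACL denies) sits at level 6 and would be lost if the device were configured to log only up to level 5.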


Configuration Files

r

Invaluable when mapping a network.
Identifies all routes and devices in detail.
Provides details of the SNMP and syslog servers on the network, user and admin accounts, and more.

Netflow Data

r

Cisco-specific protocol. Measures the volume of data and how much is going out over a certain amount of time.
Captures IP traffic information for traffic monitoring to provide flow and volume (not packet capture).
Contains IP address, source port, destination port, and class of service.
Other vendors have "flows": Juniper - J-Flow and cflowd, Citrix - AppFlow, HP - NetStream.
NetFlow facilitates solutions to many common problems encountered by IT professionals:
- Analyze new applications and their network impact: identify new application network loads such as VoIP or remote site additions.
- Reduction in peak WAN traffic: use NetFlow statistics to measure WAN traffic improvement from application-policy changes; understand who is utilizing the network and the network top talkers.
- Troubleshooting and understanding network pain points: diagnose slow network performance, bandwidth hogs, and bandwidth utilization quickly with command line interface or reporting tools.
- Detection of unauthorized WAN traffic: avoid costly upgrades by identifying the applications causing congestion.
- Security and anomaly detection: NetFlow can be used for anomaly detection and worm diagnosis along with applications such as Cisco CS-MARS.
- Validation of QoS parameters: confirm that appropriate bandwidth has been allocated to each Class of Service (CoS) and that no CoS is over- or under-subscribed.
How does NetFlow give you network information? What is an IP flow?
Each packet that is forwarded within a router or switch is examined for a set of IP packet attributes. These attributes are the IP packet identity or fingerprint of the packet and determine if the packet is unique or similar to other packets.
Traditionally, an IP flow is based on a set of 5 and up to 7 IP packet attributes.
IP packet attributes used by NetFlow:
- IP source address
- IP destination address
- Source port
- Destination port
- Layer 3 protocol type
- Class of Service
- Router or switch interface
All packets with the same source/destination IP address, source/destination ports, protocol, interface, and class of service are grouped into a flow, and then packets and bytes are tallied. This methodology of fingerprinting or determining a flow is scalable because a large amount of network information is condensed into a database of NetFlow information called the NetFlow cache.
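How the seven packet attributes above turn individual packets into a flow cache, as an added example (not Cisco code and not from the page). The packets in SAMPLE_PACKETS are constructed; the top-talker and "outside allowed services" checks correspond to the top talkers and security/anomaly detection use cases listed above, and the allowed port set is an assumption about what the example network is expected to run.

```python
"""NetFlow-style aggregation: packets sharing the 7-attribute key become one flow record.
Added example with constructed packets; real NetFlow also tracks timestamps and TCP flags."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    """The seven packet attributes NetFlow uses to identify a flow."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str      # Layer 3 protocol type (tcp/udp/icmp)
    tos: int           # class of service (ToS byte)
    ifindex: int       # router/switch input interface


@dataclass
class FlowRecord:
    packets: int = 0
    bytes: int = 0


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    tos: int
    ifindex: int
    size: int


def build_flow_cache(packets) -> dict:
    """Tally packets and bytes per flow key; this is what the NetFlow cache holds.
    Flows are unidirectional, so a request and its replies land in two different records."""
    cache = defaultdict(FlowRecord)
    for p in packets:
        key = FlowKey(p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.protocol, p.tos, p.ifindex)
        cache[key].packets += 1
        cache[key].bytes += p.size
    return dict(cache)


def top_talkers(cache: dict, n: int = 2) -> list:
    """Bytes sent per source address, largest first (the 'top talkers' use case)."""
    totals = defaultdict(int)
    for key, rec in cache.items():
        totals[key.src_ip] += rec.bytes
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def flows_outside_allowed_services(cache: dict, allowed_ports=frozenset({53, 80, 443})) -> list:
    """Anomaly check: flows in which neither port is an expected service port.
    Replies from an allowed service carry that port as the source port, so they pass."""
    return [key for key in cache
            if key.src_port not in allowed_ports and key.dst_port not in allowed_ports]


# Constructed traffic: a web session and its replies, a DNS query, and an unexpected outbound connection
SAMPLE_PACKETS = (
    [Packet("10.1.1.5", "192.0.2.10", 51000, 443, "tcp", 0, 1, 1500)] * 3
    + [Packet("192.0.2.10", "10.1.1.5", 443, 51000, "tcp", 0, 2, 600)] * 2
    + [Packet("10.1.1.5", "10.1.1.1", 5353, 53, "udp", 0, 1, 80)]
    + [Packet("10.1.1.7", "198.51.100.9", 40000, 6667, "tcp", 0, 1, 100)] * 5
)


if __name__ == "__main__":
    cache = build_flow_cache(SAMPLE_PACKETS)
    for key, rec in cache.items():
        print(f"{key.src_ip}:{key.src_port} -> {key.dst_ip}:{key.dst_port} {key.protocol} "
              f"packets={rec.packets} bytes={rec.bytes}")
    print("top talkers:", top_talkers(cache))
    print("outside allowed services:", flows_outside_allowed_services(cache))
```

Eleven packets collapse into four records, which is the scalability argument made above; the price is that per-packet detail (payloads, exact timing) is gone, so a flow that looks odd still has to be chased down with packet capture or host logs.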

Netstat

r

Built-in utility on Windows, Linux, macOS, and Unix.
Provides active TCP and UDP connections.
Identifies the process using a connection.
Provides statistics on sent/received data and routing table information.
netstat -a     active connections
netstat -o     process using the connection
netstat -e     ethernet statistics (like NetFlow)
netstat -r     routing table information
netstat -ano   all connections, numeric addresses, owning process IDs

DHCP Logs

r

Dynamic Host Configuration Protocol.
Provides an IP address, default gateway, subnet mask, and DNS server to a host.
DHCP server logs and configurations are useful during passive recon.
Combined with firewall logs, you can determine which hosts use dynamic or static IPs.

Firewall Logs

r

Indicates what is accepted and what is blocked.
A good way to passively understand your network design.
Reading configurations is quicker than reverse engineering the log files.
Often use log levels to categorize information and debug messages.
Cisco, Palo Alto, and Check Point all log things a little differently but have common items, i.e. a date/time stamp and details of the event.
Logs are designed to be human readable.
Access logs on Cisco using the "show logging" command.

Host/Server Logs

r

System logs are collected by the system.
Useful for troubleshooting and reconstructing a cyber attack.
Log files provide information on system configuration, applications, and user accounts.
You need system access to get these logs.

Linux

r

Everything is going to be logged in the /var/log directory.
Other applications may store their own log files elsewhere.

Windows

r

- Application logs - Logged by programs/applications.
- Security logs - Records login events, resource usage, files created/opened/deleted.
- Setup logs - Records application setup actions/installs.
- System logs - Events from Windows components.
- Forwarded Events logs - Event subscriptions from remote computers.

DNS Harvesting

r

Often our first step in information gathering.
DNS information is publicly available.
A quick Whois search can give you many details to use.
Host names can tell you about the server (DC1.walmart.store120.com might be a domain controller).
NSLOOKUP
WHOIS lookup websites:
https://who.is/
http://whois.domaintools.com/
http://www.whois.net
https://www.exploit-db.com/google-hacking-database/

Domain Names/IP Ranges

r

Human-readable names we use to locate servers.
Managed by registrars.
Generic top-level domains: .com, .net, .org, .edu, .mil, .gov
Country-code top-level domains: .com.uk, .edu.it
IP ranges
There are 5 regional authorities:
- AFRINIC (Africa)
- ARIN (US, Canada, Antarctica, and Caribbean)
- APNIC (Asia, Australia, New Zealand, etc.)
- LACNIC (Latin America, Caribbean)
- RIPE (Europe, Russia, Middle East)
Each authority provides Whois services for its IP space.

Traceroute

r

Traceroute sends packets using UDP or ICMP Echo with a Time To Live (TTL) of one, incrementing the TTL until the target is reached; tcptraceroute instead sends TCP SYN packets to the target.
tcptraceroute receives a SYN/ACK packet if the port is open and an RST packet if the port is closed.
Figure: Traceroute
After hop number 17, we are no longer able to get route information. Usually this is because our traceroute is being blocked by a filtering device.

nslookup

r

Open a command prompt and type nslookup (in interactive mode, set type=MX before entering the domain to query a specific record type).
DNS records:
MX (mail server records)
A (address records)
CNAME (canonical name records, i.e. aliases)
PTR (pointer records, reverse lookups)
WHOIS lookup websites:
https://who.is/
http://whois.domaintools.com/
http://www.whois.net

a

DNS Zone Transfers

r

Designed to replicate DNS databases between two DNS servers (AXFR). It is a vulnerability if transfers are allowed to arbitrary hosts, so most servers restrict zone transfers to trusted secondary servers.
You can use dig to request the transfer: dig axfr @dns-server domain.name
DigiNinja provides a couple of DNS servers that deliberately allow zone transfers for practice.
Zone transfers: DNS zone transfer is generally used for DNS database replication and backups. The security problem is that it can be used to map a company's network: a successful transfer returns all DNS information for the zone, including name servers, host names, MX and CNAME records, zone serial number, TTL values, etc. Because of the amount of information exposed, few servers permit it nowadays.
Figure: Query for name server. The image shows how to get the domain's name servers (the servers you then ask for the transfer).
Figure: Zone Transfer Failed. Since our transfer request failed, zone transfers are configured properly on that server.

DNS Brute Forcing

r

Used when you cannot perform a DNS zone transfer. Simply sends manual or scripted DNS queries for each candidate host name (forward) or each IP in the organization's range (reverse). Organizations can protect against this by rate-limiting responses or with IDS/IPS rules.
DNS reconnaissance: we can interact with a DNS server using various DNS clients such as host, nslookup, dig, etc. nslookup is a program available on Windows and Unix to query Domain Name System (DNS) servers for DNS details, including the IP address of a particular computer, the MX records for a domain, and the NS servers of a domain. The name nslookup means "name server lookup".
Figure: Nslookup. The image shows that we connected to the local DNS server and asked it to resolve a record; the server responded with the IP address of the target.
Before going ahead, understand the common DNS records. For more details see https://en.wikipedia.org/wiki/List_of_DNS_record_types
A: points to the host's IP address
MX: points to the domain's mail server
NS: points to the domain's name server
CNAME: canonical name, allowing aliases for a host
SOA: start of authority, indicates the authoritative server for the domain
SRV: service record
PTR: maps an IP address to a host name
RP: responsible person
HINFO: host information
To retrieve mail server information we can use nslookup with the MX record type.
Figure: Nslookup query for mail server
Gathering DNS information can be divided into four main techniques:
1. Forward lookup brute force. The idea is to guess valid server names of the organization. We can try this using the host command; a hit returns the IP address of the server.
Figure: Forward lookup
2. Reverse lookup brute force. The reverse of the previous technique: the IP range is known and we query PTR records to find the server names and other information pertaining to the organization.
Figure: Reverse lookup
3. Verifying the SPF record. An SPF record is a TXT record in the domain's DNS zone. It lists the hosts/IP addresses authorized to send mail for the domain, which also tells you which mail relays and third-party senders the organization uses.
Figure: Verifying SPF record
The purpose of an SPF record is to prevent spammers from sending messages with forged From addresses at your domain.
4. Zone transfers (see above).
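The forward-lookup brute force and the SPF check above, as an added example (this is not code from the original notes). The resolver is injected as a callable so the block runs offline against a constructed zone; `example.test`, its records and the wordlist are constructed sample data, and `real_resolve_a` is the drop-in for use against a domain you are authorized to test.

```python
"""DNS forward-lookup brute force and SPF record check (added example)."""
import socket
from typing import Callable, Dict, List, Optional

# Constructed zone standing in for a real resolver (hypothetical domain).
FAKE_A_RECORDS: Dict[str, str] = {
    "www.example.test": "203.0.113.10",
    "mail.example.test": "203.0.113.25",
    "vpn.example.test": "203.0.113.40",
}
FAKE_TXT_RECORDS: Dict[str, List[str]] = {
    "example.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.test mx -all"],
}

# Short built-in wordlist; real engagements use much larger lists.
DEFAULT_WORDLIST = ["www", "mail", "vpn", "dev", "intranet", "dc1", "ftp"]


def fake_resolve_a(fqdn: str) -> Optional[str]:
    """Offline stand-in for an A-record lookup."""
    return FAKE_A_RECORDS.get(fqdn)


def real_resolve_a(fqdn: str) -> Optional[str]:
    """A-record lookup via the system resolver (what 'host fqdn' does)."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def forward_bruteforce(domain: str,
                       wordlist: List[str] = DEFAULT_WORDLIST,
                       resolve: Callable[[str], Optional[str]] = fake_resolve_a
                       ) -> Dict[str, str]:
    """Guess host names under `domain`; return {fqdn: ip} for the ones that resolve."""
    found: Dict[str, str] = {}
    for label in wordlist:
        fqdn = f"{label}.{domain}"
        ip = resolve(fqdn)
        if ip:
            found[fqdn] = ip
    return found


def parse_spf(txt_records: List[str]) -> Optional[dict]:
    """Parse the single v=spf1 TXT record; None if it is missing or duplicated.

    Returns mechanisms grouped by type plus the qualifier on 'all'
    ('-' fail, '~' softfail, '?' neutral, '+' pass).
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None  # RFC 7208: more than one SPF record is a permanent error
    policy: dict = {"ip4": [], "ip6": [], "include": [], "a": False, "mx": False, "all": None}
    for term in spf[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            policy["all"] = qualifier
        elif name in ("ip4", "ip6", "include"):
            policy[name].append(value)
        elif name in ("a", "mx"):
            policy[name] = True
        # redirect=/exp= modifiers and rarer mechanisms are ignored here
    return policy


def spf_is_permissive(policy: Optional[dict]) -> bool:
    """True when unlisted senders are not rejected: no SPF, no 'all', +all or ?all."""
    return policy is None or policy["all"] in (None, "+", "?")


if __name__ == "__main__":
    print(forward_bruteforce("example.test"))
    spf = parse_spf(FAKE_TXT_RECORDS["example.test"])
    print(spf, "permissive" if spf_is_permissive(spf) else "enforcing")
```

The include: targets in the parsed policy are the third-party mail senders worth noting during reconnaissance; a permissive `all` qualifier (or no SPF record at all) is the finding to report from the defensive side.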

a

Whois/Host Commands

r

Allows searching the registration databases for domain names and IP blocks. Provides the registration details supplied when the domain was claimed: names, addresses, IPs, phone numbers, and more (often redacted by privacy services today).
WHOIS lookup websites:
https://who.is/
http://whois.domaintools.com/
http://www.whois.net

a

Information Gathering/Aggregation

r

Can be done using packet captures. Requires an intruder to already be inside a company's network to gather this information. Treasure trove of information:
What hosts are on the network.
What OSs are running.
What shares are available.
This is done using tools like Wireshark. https://www.wireshark.org/
INFORMATION AGGREGATION: gathering information from various platforms and tools for analysis with a single tool.
theHarvester: gathers emails, domains, hostnames, employee names, open ports, banners, etc. Text-based tool installed in Kali Linux.
Maltego: graphical harvesting and link-analysis tool. https://www.paterva.com/web7/buy/maltego-clients/maltego-ce.php
Shodan: search engine for Internet-exposed devices and the services/vulnerabilities they advertise. https://www.shodan.io/

a

Organizational Intelligence

r

Your organization has an online profile, whether you know it or not.This can be used by an attacker against you.In a Pen Test, we act as the attacker, so we must use this information.

Organizational Data

r

Locations of facilities and buildings.
Your physical security posture.
Business hours and the work routine of the organization.
Organizational charts (Google).
Relationships between departments and people.
Documents (which contain metadata).
Financial data.
Personal information of employees.

Document Harvesting

r

Where can you get these documents? On the internet nothing is ever really gone.
The Internet Archive: https://archive.org/
Time Travel service: http://timetravel.mementoweb.org/
https://cachedview.com/
Social media.
Paid public record searches: ZabaSearch, NETR Online.

a

Metadata

r

Contains the author's name and the software versions used (e.g. Word 2003), which also hints at the software the organization runs.

EXIF Data

r

EXIF data embedded in photos can include geolocation coordinates, camera model, and timestamps. Used to track patterns of life. http://exifdata.com/

a

Emails

r

Can be used to perform contact chaining and to conduct social engineering campaigns (phishing). Tools: Immersion.
Email harvesting: theHarvester, available in Kali Linux, gathers e-mail accounts, usernames, and hostnames/subdomains. For example, to find e-mail addresses and hostnames for a target domain using Google: ./theHarvester.py -d targetdomain -l 100 -b google
Figure: Email Harvesting
Email harvesting can be used by attackers to run a phishing campaign against an entire organization. Users who are unaware of phishing can fall victim and end up losing confidential information to the attackers.

Social Engineering

r

Exploits the human element of security. Occurs via phone, email, social media, or in person. https://www.social-engineer.org/

a

SET

r

Social Engineering Toolkithttps://www.social-engineer.org/framework/se-tools/computer-based/social-engineer-toolkit-set/

a

Creepy

r

Geolocation Toolhttps://www.geocreepy.com/

a

Metasploit

r

Phishing and other tools.https://www.metasploit.com/

a

Detecting, Preventing and Responding to Reconnaissance

r

Successful reconnaissance does not always mean a successful attack, but we want to limit what an attacker can learn as much as possible. The same techniques limit both casual and directed reconnaissance.

Detect

r

Monitoring must occur at the connection points between two network zones, often between the Internet and the intranet, or the intranet and the DMZ. Perform data collection so you can analyze the data later.
Data sources: network traffic analysis using IDS, IPS, HIDS, NIDS, firewalls, and other security devices. Can be done through:
Packet analysis
Protocol analysis
Traffic and flow analysis
Device and system logs
Port and vulnerability scans
Security Information and Event Management (SIEM) logs
If you outsource your services, you might have to rely on your SaaS or PaaS provider to detect reconnaissance for you.

Data Analysis

Anomaly Analysis

r

What is different about this? What's not normal?

Trend Analysis

r

Helps to identify future problems based on past.IE: Traffic congestion

Signature Analysis

r

A fingerprint or hash of a known threat is used to detect it; cannot catch threats without a signature.

Heuristic/Behavioral Analysis

r

Detects threat behavior.Useful to detect unknown threats.

Manual Analysis

r

Human expertise is used to analyze the data.Security Analyst

Prevent

r

Control the information you release.
Blacklist systems that are abusing your services.
Use CAPTCHAs to prevent scripts and bots.
Use third-party (privacy) registration for domains/IPs.
Set rate limits for lookups and searches.
Avoid publishing zone files, if possible.
Educate your users about social media risks.

Network Defences

r

Employ network defenses: HIPS, IDS, firewalls, etc.

Fingerprint your Network

r

Limit external exposure of services and know your forward facing footprint

Limit/Stop Probes/Scans

r

Utilize an IPS to limit or stop probes and scans.

Monitoring

r

Utilize monitoring and alert systems based on signature, behavior, or anomaly.

Respond

Cyber Incident Response

r

What is cyber incident response? The actions taken in response to a security incident or event. An organized approach to understanding the incident, mitigating its negative effects, planning the recovery, and investigating the root cause. NIST SP 800-61: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

a

Phases of an Incident Response

r

The process is not linear but cyclical. NIST SP 800-61 page 30. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Cyber incidents will happen. No matter what your organization does to prevent one, eventually one will happen.
How will you respond? How will you react? How will you recover?
Plan in advance. This allows a coordinated and methodical response; prior planning minimizes the damage and decreases your response time.

a

Preparation

r

It takes preparation to build a well-prepared CSIRT. Requires a proper policy foundation within the organization. Preparation includes building proper cyber defenses, identifying and training personnel, and building response kits.
Preparation toolkits:
Digital forensic workstations
Forensic software
Packet capture devices
Spare servers/network gear
Backup devices
Blank removable media
Collection/analysis laptops
Portable printers
Office supplies
Evidence collection materials
and more

Detection
and Analysis

r

The hardest phase to standardize. Tools help in detection, but it takes a trained analyst to understand all the details during analysis. When detection occurs, analysts shift to validation mode (is this a real incident?), then into analysis. Primarily passive activities designed to uncover and analyze incidents.

Event Indicators

Alerts

r

IDS/IPS, SIEM, anti-virus, or other software alerts.

Logs

r

From operating systems, services, applications, network devices, and network flows

People

r

Suspicious activity reported by users or admins

Publically Available Info

r

News, media, and other open-source information (e.g. reports of new ransomware circulating).

Best Practices for Analysis

r

Profile networks/systems; understand your baseline.
Create good logging policies/practices.
Conduct event correlation; synchronize network and system clocks (NTP) so timestamps line up.
Maintain an organizational knowledge base.
Capture network traffic as soon as possible in the incident.
Filter information to reduce confusion.
Know when to bring in outside help.

Containment
,Eradication
,and Recovery

r

Focus on stopping the spread of the incident, removing it from the network, and recovering from it. This phase focuses on active detection and removal of the incident.
5 steps:
Pick a containment strategy.
Use the strategy to limit the damage the incident causes.
Gather evidence needed for potential future legal action.
Identify the attacking system or attacker.
Remove the effects of the incident and recover normal business operations.

Pick a Containment Strategy

r

Objectives of containment:
Limit the damage to the organization.
Give incident handlers an opportunity to collect evidence and repair the issue.
Maintain and operate services for your customers.
Perform containment as quickly as possible: isolate the issue and stop the spread of the incident.
Containment considerations:
Containment is not perfect; it's quick and dirty.
Can cause some loss of business functionality.
Coordinate with stakeholders before you take action.

Segmentation

r

Segmentation: a proactive strategy to prevent spread from one part of the network to another.
Isolation: move the affected system to an isolated network segment (it may keep Internet access, but cannot reach the rest of the organization), which also lets you observe the attacker.
Removal: disconnect the affected system (or the attacker) from the network entirely.

Use Strategy to Limit Damage Incident Causes

Gather Evidence

r

Gather evidence needed for potential future legal actions.

Identify Attacking System/Attacker

Remove Effects of the Incident

r

Remove effects of the incident and recover normal business operations

Post-
Incident Activity

r

CSIRT isn't done once the incident is contained and eradicated, they still need to conduct:Event ReconstructionLessons LearnedEvidence Retention

Event Reconstruction

r

Recreate a timeline of the incident.Identify the root cause of the intrusion and/or incident.Conduct consultations with system admins and management.

Lessons Learned

r

Uses the timeline to improve the procedures and tools used by the CSIRT. Group discussion to determine how the incident was handled and how it could have been handled better. Lessons learned must be fed into the ITSM processes in order for follow-on actions to be taken.
What happened and when?
How did staff perform?
Were procedures followed? Were procedures adequate?
What should have been done differently?
Was information shared effectively?
How could we detect incidents sooner?
What new tools or resources does the organization need?

Evidence Retention

r

Large quantities of evidence have been collected.What do we do with all the evidence?The CSIRT must identify internal/external retention requirements.If legal actions will be conducted, consult an attorney before deleting anything.

Timelines

r

US government agencies must retain all incident handling records for 3 years due to legal requirements. Most other organizations keep records for 2 years unless regulatory requirements dictate otherwise (HIPAA, FERPA, SOX).

Creating an Incident Response Team

r

Members are permanent or temporary.Core team is cybersecurity professionals with incident response experience.Temporary members brought in for specific cases (DBA or SQL Admin).Smaller organizations have CSIRT as a collateral role in addition to their day job.

Management

r

What does management do?Active role in an incident response.Ensure the team has funding, resources, and expertise needed to conduct incident response.Make critical business decisions.Communicate with legal or news media.Communicate with key stakeholders.

(CSIRT) Computer Security Incident Response Team

r

Who is on the CSIRT? A team of professionals responsible for handling a security incident within an organization using a standardized procedure.
Leader: a skilled incident responder.
Subject matter experts (Linux, Windows, DBA).
IT support staff.
Legal counsel (advisors).
Human resources staff.
Public relations and marketing staff.

Outsource CSIRT?

r

Can you outsource the CSIRT?Retaining a third-party gives you instant capability without daily resourcing.Can be very expensive.Ensure your organization is comfortable with the third-party's guaranteed response time.Agree upon the scope of work to be performed. What does the organization have to do for themselves.

Scope of Control for a CSIRT

r

What would trigger activation of the CSIRT? Who authorizes the activation?
Do they respond for all parts of the organization, or just specific ones (e.g. only e-commerce or the internal network)?
Can the CSIRT talk to law enforcement?
Can the CSIRT talk to the media? Generally only the CEO, CIO, or CSO.
How would the CSIRT escalate an issue?

Test the Team

r

Testing the teams.Plans without testing are ineffective.You must ensure the teams are trained and ready for an incident response.Testing allows a walk-through of the policy, procedures, and playbooks.Can be combined with a penetration test to simulate a real attack.

Incident Response Policy/Procedures

r

Foundation of the organization's Incident Response program.Guides efforts at a high-level.Provides authority for response efforts.Approved by CEO or CIO.Should be fairly timeless.

Policy

r

Contents of the policy:
Statement of management commitment
Purpose
Objective
Scope of the policy
Definition of terms (what is an event, what is an incident)
Roles, responsibilities, and authority
Incident prioritization scheme
Measures of performance for the CSIRT
Reporting requirements
Contact information

Procedures

r

Detailed information and step-by-step guidelines. Not a replacement for the CSIRT's professional judgement and expertise. Often developed as specific playbooks.
Playbook: describes the response to a high-severity incident such as:
Data breach of financial information
Data breach of PII
Phishing attack against customers
Web server defacement
Loss of a corporate laptop
Intrusion into the corporate network
Windows Golden Ticket (krbtgt) reset

Communication and Information Sharing

r

During an incident, how will you communicate and share information?

Internal

r

How will the CSIRT communicate amongst themselves and with leadership? How will management communicate with other employees? Email, text, phone, meetings. Your incident response plan dictates how you will communicate during an incident. Use an out-of-band communication method: if VoIP is attacked, do not use the phones; if email is compromised, do not use email to coordinate the response. Keep printed copies of the plan and contact lists.

External

r

When will you communicate with outside parties like law enforcement, media, shareholders, and others? Your incident response plan should state when, and what information you are going to give them (press releases, statements).
Who?
Law enforcement: if the incident involves criminal acts.
Information sharing partners: do you want to share indicators of the incident?
Vendors: can provide patches and support during the incident.
Other affected organizations: do you have evidence others were targeted?
Media or general public: may be mandatory depending on the type of incident. Do you volunteer the information to the media?

Incident Classification

r

All incidents should be classified by their threat (attack vector) and severity. This allows comparison of the current incident with past and future ones and aids personnel's understanding of the incident being worked. Attack vector categories (from NIST SP 800-61r2, plus Unknown as used in these notes):
External or Removable Media
Attrition
Web
Email
Impersonation
Improper Usage
Loss or Theft of Equipment
Unknown
Other

Security Events and Incidents

r

Event - Any observable occurrence in a system or network. Adverse Event - Any event that has negative consequences. Incidents - An imminent threat of violation, or a violation itself, of a security policy, acceptable use policy, or standard security practice. Not every event is an incident, however every incident contains at least one event.

Classifying Threats

r

Attack vector categories (NIST SP 800-61r2, plus Unknown as used in these notes):
External or Removable Media
Attrition
Web
Email
Impersonation
Improper Usage
Loss or Theft of Equipment
Unknown
Other

External or Removable Media

r

Attack executed by removable media or peripheral.

Advanced Persistent Threat (APT)

r

Not a category under NIST, but prevalent today.Often funded by nation states, organized crime, or other sources.Highly skilled and sophisticated attackers.Often takes advantage of zero-day vulnerabilities.

Attrition

r

Attack employing brute-force to compromise, deny, or degrade services, systems, or networks.

Web

r

Attack executed from web-based applications or site.

Email

r

Attack executed from email or attachment.

Impersonation

r

Attack that replaces something benign with something malicious (spoofing, SQL injection, etc.)

Improper Usage

r

Violation of organization's Acceptable Use Policy (P2P program).

Loss or Theft of Equipment

r

Computing device or media is lost or stolen.

Unknown

r

Attack that comes from an unknown origin.

Other

r

Attack that comes from a known origin, but doesn't fit into the other categories.

Classifying Severity

Scope of Impact

r

Degree of impairment that an incident causes an organization and the effort needed to recover from it.
Functional impact: degree of impairment to the organization's operations.
Economic impact: amount of financial loss to the organization.
Recoverability impact: amount of time lost by the organization.

Functional Impact.

r

Degree of impairment to the organization's operations. No need to memorize the table: NIST SP 800-61 Table 3-2. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

a

Economic Impact

r

Amount of financial loss to the organization. No need to memorize the table: NIST SP 800-61 Table 3-2. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

a

Recoverability Impact

r

Amount of time lost by the organization. No need to memorize the table: NIST SP 800-61 Table 3-4. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

a

Types Of Data

r

The type of data involved in the incident also affects the severity classification. Information impact: degree to which information was compromised during the incident.

Information Impact

r

Degree to which information was compromised during the incident. Government side only: NIST SP 800-61 Table 3-3, no need to memorize. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Private companies are not covered by NIST 800-61; a typical scale:
None
Regulated information breach
Intellectual property breach
Confidential/proprietary information breach
Integrity loss

a

Network Event Monitoring

r

Network event analysis is a common task for cybersecurity analysts.Gather, correlate, and analyze data from different systems/sensors on the network.Used to detect or prevent incidents.

Router-Based Monitoring

r

Provides data about traffic flows on the network and information on the status of the device itself.
Network flows: relies on capturing metadata about the traffic passing through a router. NetFlow, sFlow, J-Flow, depending on the manufacturer; all are standardized for monitoring traffic flow. Counts information about the traffic at the interface; sFlow samples traffic (1:100, 1:1000, etc.). Gives information about connections (who talked to whom, ports, bytes), not the packet contents themselves.
RMON: operates at layers 1, 2, 3, and 4 of the OSI model. Operates as a client/server model with probes. Provides statistics, history, alarms, and events to a Management Information Base.
SNMPv3 (Simple Network Management Protocol), UDP port 161: collects information about routers/switches. The information is about the devices themselves, not the traffic crossing through them.

Active Monitoring

r

A request is sent to a remote system and the data is collected from the endpoint to a centralized server. The data contains information about:
Availability
Routes
Packet delays
Packet loss
Bandwidth

Ping

r

Ping: data acquired by sending ICMP Echo requests to a remote system. Basic up/down information and latency only.

iPerf

r

iPerf: measures the maximum bandwidth of a given network path. Remote testing of a link. Useful to establish a baseline of the network.

Passive Monitoring

r

Uses a network tap (or SPAN/mirror port) to copy all traffic between two devices. Useful for after-the-fact analysis. Detailed information about:
Rate of traffic
Protocols used
Content

Network Monitoring Tools

r

Many network monitoring tools are available for different cases.Combination of network data is more powerful than a single piece of data.Different tools can analyze data in different ways.

Wireshark

r

Passive Monitoring and packet capture.Used for packet analysis.https://www.wireshark.org/

a

SolarWinds

r

Netflow Traffic Analyzerhttps://demo.solarwinds.comNetwork Performance Monitor

a

PRTG

r

Paessler Router Traffic Grapher. https://www.paessler.com/prtg
Server monitoring, network monitoring, and bandwidth monitoring. Commercial, with a free edition limited in the number of sensors.
Packet sniffing: monitors packet headers to determine traffic type.
Flows: collects information about connections.
SNMP: network devices report events through traps.
WMI: Windows Management Instrumentation; management data of the OS accessed through scripts or applications.

a

Nagios

r

https://www.nagios.org/Network and system log monitoring tool.Provides GUI for system, services, and monitoring capabilities.

a

Cacti

r

Cacti https://www.cacti.net/Uses SNMP polling of network devices for status information and shows a GUI.

a

Detecting Network Events

r

Cybersecurity analysts should be able to determine whether an incident has occurred based on events. Analysis of logs and other data is key to understanding if an event will become an incident.
Types of network events:
Beaconing
Unusual bandwidth consumption
Link/connection failures
Unexpected traffic

Beaconing

r

Beaconing (a heartbeat) is a signal sent by a compromised host to a command and control server, typically because of a botnet or malware infection. Usually sent over HTTP (80) or HTTPS (443) so it blends in with web traffic. Can be difficult to detect. Generally occurs at a fixed frequency or pattern, e.g. a short connection every 5 minutes; look for regular intervals with little jitter and similar-sized requests. An indication of malware.
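The periodicity check described above, as an added example (not code from the original notes). It assumes connection records exported as whitespace-separated "timestamp src dst dport bytes" lines, e.g. from flow data or proxy logs; SAMPLE_CONNECTIONS is constructed sample data, not real traffic, and the thresholds are starting points to tune against your own baseline.

```python
"""Beacon detection over connection records (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample: one host checking in every ~5 min with ~512-byte requests,
# one host browsing irregularly.
SAMPLE_CONNECTIONS = """\
2024-03-01T10:00:00 10.0.0.5 198.51.100.7 443 512
2024-03-01T10:05:01 10.0.0.5 198.51.100.7 443 508
2024-03-01T10:10:00 10.0.0.5 198.51.100.7 443 515
2024-03-01T10:14:59 10.0.0.5 198.51.100.7 443 510
2024-03-01T10:20:00 10.0.0.5 198.51.100.7 443 512
2024-03-01T10:25:01 10.0.0.5 198.51.100.7 443 509
2024-03-01T10:00:12 10.0.0.8 93.184.216.34 443 14000
2024-03-01T10:03:40 10.0.0.8 93.184.216.34 443 2200
2024-03-01T10:17:05 10.0.0.8 93.184.216.34 443 80000
2024-03-01T10:44:51 10.0.0.8 93.184.216.34 443 1200
2024-03-01T10:58:00 10.0.0.8 93.184.216.34 443 3100
"""

Record = Tuple[datetime, str, str, int, int]


def parse_connections(text: str) -> List[Record]:
    rows: List[Record] = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return rows


def find_beacons(rows: List[Record], min_connections: int = 5,
                 max_jitter: float = 0.1, max_size_cv: float = 0.2) -> List[dict]:
    """Flag (src, dst, dport) groups with regular timing and uniform sizes.

    jitter  = stdev(inter-arrival time) / mean(inter-arrival time)
    size_cv = stdev(bytes) / mean(bytes)
    Interactive traffic is irregular (jitter well above 0.1); scripted
    check-ins cluster tightly. Implants that add random sleep need a
    looser max_jitter and a longer observation window.
    """
    groups: Dict[Tuple[str, str, int], List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, src, dst, dport, nbytes in rows:
        groups[(src, dst, dport)].append((ts, nbytes))

    findings = []
    for (src, dst, dport), events in groups.items():
        if len(events) < min_connections:
            continue
        events.sort()
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        period = mean(intervals)
        if period <= 0:
            continue
        jitter = pstdev(intervals) / period
        size_cv = pstdev(sizes) / mean(sizes)
        if jitter <= max_jitter and size_cv <= max_size_cv:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "count": len(events), "period_s": round(period, 1),
                             "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_connections(SAMPLE_CONNECTIONS)):
        print(f"possible beacon: {f['src']} -> {f['dst']}:{f['dport']} "
              f"every {f['period_s']}s (jitter {f['jitter']}, n={f['count']})")
```

On the sample the 10.0.0.5 host is reported (period about 300 s, jitter below 0.01) while the irregular 10.0.0.8 browsing is not. In production, run this over a day or more of flow data per internal host and whitelist known periodic traffic (NTP, update checks, monitoring agents) before alerting.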

Bandwidth Consumption

r

Unusual bandwidth consumption can itself cause service issues, or can be a sign of a larger problem (data exfiltration, a DoS in progress, a misbehaving application).

Link/Connection Failures

r

Link/connection failures generally occur due to a hardware, firmware, or software issue. Could be as simple as a bad module, a broken cable, or an unplugged connector. Could also be bad or malicious software, or a DoS attack.

Unexpected Traffic

r

Unexpected traffic is detected by IDS/IPS, traffic monitoring systems, or manual observation. Understand your baseline. Not all unexpected traffic is malicious, but it should be investigated and understood. Traffic can be unusual because of its type, the endpoint location, or its volume; for example, connections to or from countries where a US company has no business presence warrant a look.

Detecting Unexpected Traffic

Baseline/Anomaly-Based

r

Baseline or anomaly-based: the monitoring system alarms on traffic that falls outside the normal baseline.

Heuristics/Behavior-Based

r

Heuristics/behavior-based: uses defined rules describing suspicious behavior (rather than an exact signature) to detect activity.

Protocol Analysis

r

Protocol analysis: seeks to detect protocols where they aren't expected, like VPNs or IPv6 tunnels.

Network Probes and Attacks

r

Much of your incident handling will involve network probes and attacks.Network probes are usually part of reconnaissance efforts and are easy to detect......like a port scan.

DOS

r

Denial of Service (DoS)
Detection: attacks on a given network, system, or service from a single source that attempt to overwhelm the system or network.
Prevention: block the attacker using your firewall or IPS.
Distributed Denial of Service (DDoS): an attack on a given network, system, or service from multiple simultaneous sources.
Detection: traffic coming from known botnet IPs; monitoring your traffic and usage patterns.
Prevention: a network designed with a distributed set of endpoints (e.g. a CDN like Akamai, https://www.akamai.com/); ensure your networks can scale upward.

a

Detecting Rogue Devices

r

MAC address validation: ensure all devices are "known devices". Check each device's MAC against the vendor OUI codes; the first three octets (six hex digits) of the MAC identify the vendor. Note that a MAC can be spoofed, and randomized (locally administered) addresses carry no real OUI.
Scan the network to identify devices.
Conduct physical site inspections.
Analyze traffic for irregular behavior.
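The known-device and OUI checks above, as an added example (not code from the original notes). MAC_TABLE is constructed sample output in Cisco "show mac address-table" style, KNOWN_DEVICES is a constructed asset inventory, and OUI_VENDORS is a tiny excerpt that should be replaced with a current copy of the IEEE OUI registry.

```python
"""Rogue-device triage from a switch MAC address table (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Set

MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
10      0050.5601.0a1b    DYNAMIC     Gi1/0/1
10      b827.eb12.3456    DYNAMIC     Gi1/0/7
10      0203.4455.6677    DYNAMIC     Gi1/0/9
10      0010.1122.3344    DYNAMIC     Gi1/0/9
20      000c.29aa.bbcc    DYNAMIC     Gi1/0/12
"""

KNOWN_DEVICES: Dict[str, str] = {          # constructed asset inventory
    "00:50:56:01:0a:1b": "vm-web01",
    "00:0c:29:aa:bb:cc": "vm-db01",
    "00:10:11:22:33:44": "printer-3f",
}

OUI_VENDORS: Dict[str, str] = {             # excerpt only; load the IEEE registry in practice
    "00:50:56": "VMware",
    "00:0c:29": "VMware",
    "b8:27:eb": "Raspberry Pi Foundation",
}


def normalize_mac(raw: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lower colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    return mac[:8]                           # first three octets (six hex digits)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set: randomized or manually set MAC, so no real OUI."""
    return bool(int(mac[:2], 16) & 0x02)


def parse_mac_table(text: str) -> List[dict]:
    rows = []
    for line in text.strip().splitlines()[1:]:      # skip the header line
        vlan, mac, typ, port = line.split()
        rows.append({"vlan": vlan, "mac": normalize_mac(mac), "type": typ, "port": port})
    return rows


def triage(rows: List[dict], known: Dict[str, str] = KNOWN_DEVICES,
           vendors: Dict[str, str] = OUI_VENDORS,
           max_macs_per_port: int = 1) -> Dict[str, Set[str]]:
    """Return {mac: reasons} for every address that needs a look."""
    findings: Dict[str, Set[str]] = defaultdict(set)
    per_port: Dict[str, List[str]] = defaultdict(list)
    for r in rows:
        mac = r["mac"]
        per_port[r["port"]].append(mac)
        if mac not in known:
            findings[mac].add("unknown_device")
        if is_locally_administered(mac):
            findings[mac].add("locally_administered")
        elif oui(mac) not in vendors:
            findings[mac].add("unknown_oui")
    # More than one MAC behind an access port suggests an unmanaged hub/switch or a bridge.
    for port, macs in per_port.items():
        if len(macs) > max_macs_per_port:
            for mac in macs:
                findings[mac].add(f"multiple_macs_on_port:{port}")
    return dict(findings)


if __name__ == "__main__":
    for mac, reasons in triage(parse_mac_table(MAC_TABLE)).items():
        print(mac, OUI_VENDORS.get(oui(mac), "?"), sorted(reasons))
```

On the sample, the Raspberry Pi on Gi1/0/7 is unknown to the inventory, and Gi1/0/9 carries both the known printer and an unknown locally administered address, which is the pattern you see when someone hangs a small switch off a printer drop. The checks are only hints: a matching MAC proves nothing (it is trivially spoofed), so confirm with 802.1X/NAC state and a physical look at the port.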

Rogue Wired Devices

r

Usually occurs when an employee or attacker connects an unauthorized wired device such as a hub, switch, or access point. Prevention: Network Access Control (802.1X) and switch port security (limit the MACs allowed per port).

Rogue Wireless Devices

r

Can be detected by conducting wireless surveys and mapping the area.Often used as an Evil Twin to trick users and steal information.

Server and Host Events

System Monitoring

r

Monitor processor (CPU), memory, and drives. CPU exhaustion is usually caused by a DoS or by malicious software (e.g. cryptomining). Memory is monitored by the OS against given thresholds. Memory leaks occur when a running program keeps allocating memory it never releases; eventually all memory is used up, and a restart of the process or system is what frees it.

Tools

r

System monitoring tools
Windows:
Resource Monitor (resmon): built-in tool for monitoring CPU, memory, disk, and network utilization.
Performance Monitor (perfmon): built-in tool for monitoring; supports collection from remote systems.
Linux:
ps: CPU and memory utilization, process information.
top: like ps, but live and sorted by top usage.
df: report of disk usage.
w: accounts logged on and what they are running.

Malware and Unsupported Software

r

Use centralized management tools to perform installs and keep an inventory. Antivirus and anti-malware tools. Blacklist unsupported software/files. Application whitelisting is more effective than blacklisting because anything not explicitly approved is blocked.

Unauthorized Access, Changes, Privileges

r

Users and permissions are complex given the number of systems in use. Central management tools (SIM/SIEM) can correlate logs for analysis:
Authentication logs
User creation logs
System logs
Application logs
Security event logs

Service/Application Events

r

Services and Applications should be monitored per good ITSM processes.Are they up/down?Are they responding properly?Are they functioning properly?Are they conducting transactions properly?Are they logging properly?

Service Anomalies

r

Often non-security issues:
Authentication errors.
Permission issues.
Services that do not start on boot.
Service failures.
Investigate the issue to ensure it is not security related. Use antivirus, anti-malware, file integrity checks, and whitelisting to verify.
Windows: services.msc (GUI) or sc (command line); Event Viewer to view application logs.
Linux: service --status-all (command line); the /var/log directory for application logs; use tail to view the end of a log file.

Behavior

r

Create and understand your baseline.Log/alert on anything outside of baseline.HIPS

Attacks to Service/Applications

Anomalous Activity

r

Anything that does not match the typical behavior.Investigate the activity and solve.

New Accounts

r

Were they authorized?Do they have excessive permissions?
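The two questions above turned into a check over Windows Security log events, as an added example (not code from the original notes). It assumes events exported as CSV lines "timestamp,event_id,subject,target,group", with 4720 = user account created and 4732 = member added to a security-enabled local group (in the real event the member and group are separate fields; this export is simplified). SAMPLE_EVENTS is constructed data, and the policy values (AUTHORIZED_CREATORS, change window, privileged groups) are hypothetical.

```python
"""Review new accounts for authorization and excessive privilege (added example)."""
import csv
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List, Set

SAMPLE_EVENTS = r"""timestamp,event_id,subject,target,group
2024-03-01T02:14:07,4720,CORP\svc-backup,CORP\jsmith2,
2024-03-01T02:14:40,4732,CORP\svc-backup,CORP\jsmith2,Administrators
2024-03-01T09:30:11,4720,CORP\hr-provision,CORP\akhan,
2024-03-01T09:31:00,4732,CORP\hr-provision,CORP\akhan,Remote Desktop Users
"""

AUTHORIZED_CREATORS = {r"CORP\hr-provision"}          # hypothetical provisioning account
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
CHANGE_WINDOW = (8, 18)                              # local hours when provisioning is expected
PRIV_GRANT_SOON_AFTER = timedelta(hours=1)           # privilege right after creation is the red flag


def parse_events(text: str) -> List[dict]:
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["event_id"] = int(row["event_id"])
        rows.append(row)
    return rows


def review_new_accounts(events: List[dict]) -> Dict[str, Set[str]]:
    """Return {new_account: reasons} for account creations that break policy."""
    created = {e["target"]: e for e in events if e["event_id"] == 4720}
    findings: Dict[str, Set[str]] = {}
    for account, ev in created.items():
        reasons: Set[str] = set()
        if ev["subject"] not in AUTHORIZED_CREATORS:
            reasons.add("unauthorized_creator")
        if not (CHANGE_WINDOW[0] <= ev["timestamp"].hour < CHANGE_WINDOW[1]):
            reasons.add("outside_change_window")
        for grant in events:
            if (grant["event_id"] == 4732 and grant["target"] == account
                    and grant["group"] in PRIVILEGED_GROUPS
                    and timedelta(0) <= grant["timestamp"] - ev["timestamp"] <= PRIV_GRANT_SOON_AFTER):
                reasons.add(f"privileged_group_added:{grant['group']}")
        if reasons:
            findings[account] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in review_new_accounts(parse_events(SAMPLE_EVENTS)).items():
        print(account, sorted(reasons))
```

On the sample, CORP\jsmith2 is flagged on all three counts (created by a backup service account, at 02:14, and made a local Administrator 33 seconds later), while the HR-provisioned account with an ordinary group is not. The same logic applies to 4728 (global group) and 4756 (universal group) membership events once they are included in the export.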

Unexpected Output

r

Improper output or garbage output.User and admin training imperative to determining the root cause.

Unexpected Outbound Communication

r

Why is the application sending out data?Detect with network monitoring.

Service Interuption

r

Simple issue or DDOS attack?Monitoring tools can help determine reason.

Memory Overflows

r

Causes OS errors and crashes.Monitoring for them is hard.Detecting after a crash is easier.

Digital Forensics

r

Forensics are used to determine any changes, activities, or actions that have occurred on a host/server/computer.Allows incident responders to determine what occurred by putting together various pieces of information.Similar techniques are used by incident response teams and law enforcement.

Documentation

r

Documentation is one of the most important steps in digital forensics.Everything you do needs to be repeatable by third-party investigators.Chain of Custody is imperative for use in law enforcement.

Forensics Toolkits

r

Contain a wide variety of software and hardware needed to conduct collection and analysis of data in the field.Toolkits vary widely in cost and capability. $10-20k

Digital Forensic Workstation

r

Conducts data capture and analysis. Multicore CPU, maximum RAM, large and fast storage (SSD, RAID).

Forensic Investigation Software

r

Captures and analyzes forensic images; documents and tracks investigations.
Forensic Toolkit (FTK): commercial
EnCase: commercial
SANS Investigative Forensic Kit (SIFT): open-source
The Sleuth Kit (TSK): open-source

Write Blocker

r

Ensures the drive being imaged cannot be written to and its data cannot be changed, preserving the integrity of the captured disk. There are hardware (expensive) and software (not as forensically sound) variants.

Forensic Drive Duplicator

r

Designed to copy a hard drive without changing the original: a bit-by-bit copy. A dedicated (expensive) device that copies the drive and hashes the disk image, creating the image, the hashes, and chain of custody metadata.

Wipe Drives and Removable Media

r

Clean hard drives ready to receive disk images. Drives are wiped before use in the field so that nothing from a previous case can contaminate the new image.

Cables/Drive Adapters

r

Be ready to copy/collect any type of media you come across in the field: IDE, SATA, eSATA, and so on.

Digital Camera

r

Used to photograph system layout, system configurations, drive labels, how a machine is cabled, etc.

Label Maker

r

Label cables, components, and other items collected while in the field.

Mobile Forensics Toolkits

Mobile devices have different operating systems and security issues.
Capturing data from mobile devices can be more difficult and needs special tools.
Tablets
Mobile phones

SIM Card Access

Different phones require small screwdrivers or a push-pin tool to access the SIM card.
Address book
Contacts
Call history

Cables

Apple - Lightning cables or 30-pin
Android - USB, USB-C, Micro USB, Mini USB

Mobile Forensic Software

Specialized software for accessing mobile devices.

Forensic Software

Commercial and open-source tools for:
Imaging
Analysis
Hashing and Validation
Process and Memory Dumps
Password Cracking
Log Viewer

Imaging Media/Drives

Bit-by-bit copy of a drive, including the slack space and unallocated space.
FTK Imager - free to use, proprietary
EnCase Imager - free to use, proprietary
dd - open-source, free

dd

dd is a standard Linux/UNIX tool.
Can clone drives using a bit-by-bit copy.
# dd bs=64k if=/dev/disk1/sda1 of=/mnt/usb1/sda1.img
Connect the USB drive through a write blocker.
fdisk -l
md5sum (filename)

FTK Imager

Commercial product that is free to use.
Documents chain of custody, adds a hash, and creates metadata tags for later analysis.
GUI based.
Open FTK
File - Create Disk Image
Select drive
Where to save
Type a file name and other info
Where to store

Analysis Software

Creates a timeline of system changes.
Validates files against known good copies.
File system analysis for hidden files, changes, access, and metadata.
Windows Registry analysis.
Log file parsing and analysis.
Commercial: FTK and EnCase
Open-Source: SIFT, CAINE, and Autopsy

Hashing and Validation

Creates a unique file integrity check of a disk image after creation.
Used as part of Chain of Custody.
EnCase uses built-in hashing with its .E01 format.
Should use both MD5 and SHA1/SHA256.
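The dd imaging steps and the hash-and-validate step above, as one added shell example that is not part of the course notes: the evidence drive is a constructed 1 MiB file under hypothetical paths so it runs offline, and the image is checked with both MD5 and SHA-256 and recorded for later chain-of-custody re-validation.

```shell
#!/bin/sh
# Added example, not from the course notes: image a "drive" with dd, then
# verify the image with both MD5 and SHA-256 and write a chain-of-custody
# record. The drive is a constructed 1 MiB file so this runs offline; in the
# field the input is the evidence device connected through a write blocker.
set -eu

# Build the constructed sample drive (hypothetical path passed by the caller).
make_sample_drive() {
    dd if=/dev/zero of="$1" bs=64k count=16 2>/dev/null
    printf 'CONSTRUCTED SAMPLE EVIDENCE' |
        dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Bit-by-bit copy of $1 to $2, hash source and image with MD5 and SHA-256,
# record the image hashes in $3. Returns 0 only if both hash pairs match.
image_and_verify() {
    src=$1 img=$2 record=$3
    # For a failing drive add conv=noerror,sync so dd continues past bad blocks.
    dd if="$src" of="$img" bs=64k 2>/dev/null
    src_md5=$(md5sum "$src" | cut -d' ' -f1)
    img_md5=$(md5sum "$img" | cut -d' ' -f1)
    src_sha=$(sha256sum "$src" | cut -d' ' -f1)
    img_sha=$(sha256sum "$img" | cut -d' ' -f1)
    {
        echo "source=$src"
        echo "image=$img"
        echo "acquired=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "md5=$img_md5"
        echo "sha256=$img_sha"
    } > "$record"
    [ "$src_md5" = "$img_md5" ] && [ "$src_sha" = "$img_sha" ]
}

# Later re-validation (before analysis, or when custody is questioned):
# rehash the image and compare against the record. Non-zero on any mismatch.
verify_image() {
    img=$1 record=$2
    want_md5=$(sed -n 's/^md5=//p' "$record")
    want_sha=$(sed -n 's/^sha256=//p' "$record")
    [ "$(md5sum "$img" | cut -d' ' -f1)" = "$want_md5" ] &&
        [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$want_sha" ]
}

# Stand-alone run against the constructed drive.
work=$(mktemp -d)
make_sample_drive "$work/sda1"
image_and_verify "$work/sda1" "$work/sda1.img" "$work/custody.txt" &&
    verify_image "$work/sda1.img" "$work/custody.txt" &&
    echo "image verified; record in $work/custody.txt"
```

A single appended byte to the image makes verify_image fail, which is the point of recording two independent hashes at acquisition time.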

Process and Memory Dumps

State of the OS and data resident in memory at the time of collection.
Difficult to collect without changing the contents of the memory.
Useful to capture decryption keys for full disk encryption.
Hibernation files and crash dumps can also contain some of this data.

Tools

Linux: fmem and LiME
Windows: DumpIt
All (Windows, Linux, OS X): Volatility Framework, EnCase, FTK
Memory dumps on a Windows system can be found at %SystemRoot%\MEMORY.DMP
Analyze dumps with Microsoft's WinDbg

Password Cracking

Encrypted and password protected files require cracking or guessing.
Hacking tools like John the Ripper and Cain and Abel can be used.
DOC, XLS, PPT, and ZIP files have other specialized password cracking tools:
Advanced Office Password Breaker
ElcomSoft's Distributed Password Recovery
Zip2John
Numerous others.

Log Viewer

Used to analyze log files from collected system images.
Can create timelines and allows you to visualize the data cleanly.

Forensics Investigation Process

7 Step Process:
1. Determine what you want to find out.
2. Determine the location to find the info.
3. Document your plan.
4. Acquire/preserve the evidence.
5. Perform initial analysis (log actions).
6. Conduct deeper analysis (log actions).
7. Report on your findings.

Order of Volatility

Data Collection Priorities:
CPU, cache, registers, running processes, and memory
Network traffic
HDD and USB drives
Backups, printouts, optical media

Unexpected Findings

What do you do when you find something you do not expect?
There is always a risk you will find what you did not want to find:
Employee breaking the AUP
Evidence of illegal activities
Removing malware and finding XXX

ID Attacker

Do you need to ID the attacker?
Is there a good business reason why?
Attackers cover their tracks well, and identifying them can take a lot of time and resources, when your goal is simply to minimize the business impact.
Law enforcement has a different viewpoint on this.

Eradication/Recovery

Remove any artifacts of the incident by removing the malware and any changes it made.
Restore the network back to full functionality.
Correct any security deficiencies.
Remove malicious code, sanitize compromised media, and fix any of the affected user accounts.
Recovery is NOT:
Rebuilding the entire network.
Fully redesigning the system.
A reason to buy all new equipment.

Reconstruction and Reimaging

Once an attacker touches your system, consider it compromised.
Reconstruct or reimage the system from a known good backup.
Consider the root cause of the incident so that the system isn't susceptible to the same attack vector.

Patching

Patch any system that may be vulnerable to the same attack vector.
This is a good time to re-scan and patch ALL of your systems.

Sanitization and Disposal

Clear: Logical techniques used to sanitize data (reset to factory state or overwrite a disk with all 0s).
Purge: Physical or logical techniques to make data recovery from a disk infeasible using the newest techniques (degaussing, or overwriting with 0s 35 times).
Destroy: Data recovery infeasible and disk drive unusable for storage (melting, incinerating, destroying); used for PII and other secret material.

Validation Effort

Only authorized user accounts exist on each system in the network.
Verify permissions assigned to each user.
Verify all systems are logging correctly.
Verify vulnerability scans on all systems are routinely conducted.

Finishing the Response

Three parts: Change Management Process, Lessons-Learned, and Final Report.

Change Management Process

Emergency Change Management Board may have authorized numerous actions during the incident response.
Follow up to ensure all changes have been documented properly.
Need to ensure that network diagrams and vulnerability scan profiles are updated.

Lessons-Learned

Document the details, the root cause, and the solution to a security incident.
Fact-finding meetings should be conducted as close to the end of an incident response as possible.
Needed changes identified during the lessons-learned process should be fed into the resourcing and Change Mgmt process.

Final Report

Every incident should finish with a compiled written report.
Establishes organizational "memory".
Can serve as documentation in case further legal action occurs in the future.
Can identify other deficiencies in the incident response that need to be addressed by mgmt.
Should include:
Timeline of incident and response events
Root cause
Location and description of evidence
Actions taken to contain, eradicate, and recover
Estimated impact to organization
Post-recovery validation effort results
Documentation of lessons-learned

Planning

Important phase.
No technical work is performed.
Timing, scope, and authorization are established during this phase.
NEVER conduct a Pen Test without authorization.
