made dir for security+ notes

_posts/security+/2017-08-22-security+-notes-part1.markdown

@@ -0,0 +1,149 @@
+# Security Threats and Controls
+
+## CIA Triade 
+Data needs to be the following:
+- Confidentiality 
+- Integrity
+- Availability
+
+## Security Policy Steps
+- obtain support & committment for policy proposed throughout entire org
+- analyze risks to security within the org that the policy proposes
+- implement controls that detect and prevent losses & procedures that enable
+  the org to recover from losses
+- review, test, and update procedures continually. continued compliance.
+
+## Security Controls
+- National Institute of Standards and Technolog (NIST)
+- Federal Information Processing Standards [(FIPS)](http://csrc.nist.gov/publications/PubsFIPS.html)
+
+## Control Types
+- Fips 200 (Minimum Security Requirements)
+- security control will belong to 1 of 18 families of classes. 
+- Access Control, Awareness and Training, Audit and Accountability, Security
+  Assessment and Authorization, Configuration Management, Contingency Planning,
+  Identification and Authentication, Incident Response, Maintenance, Media
+  Protection, Physical and Environmental Protection, Planning, Personnel
+  Security, Risk Assessment, Systems and Services Aquisition, System and
+  Communications Protection, System and Information Integrity, Program
+  Management
+
+## Physical Security Control Types
+- Administrative - controls that determine the way people act, including
+  policies, procedures, and guidance. 
+- Technical - controls implemented in operating systems, software, and hardware
+  devices. 
+- Preventative -  the control physically or logically restricts unauthorized
+  access. A directive can be thought of as an administrative version of a
+  preventive control. 
+- Deterrent - the control may not physically or logically prevent access, but
+  psychologically discourages an attacker from attempting an intrusion.
+- Detective - the control may not prevent or deter access, but it will identify
+  and record any attempted or successful intrusion. 
+- Corrective - the control responds to and fixes an incident and may also
+  prevent its reoccurrence. 
+- Compensating - the control does not prevent the attack but restores the
+  function of the system through some other means, such as using data backup or
+  an alternative site. 
+
+## Access Control and ACL 
+- Identification
+- Authentication
+- Authorization
+- Accounting
+
+## Formal Access Control Models
+- DAC - Discretionary Access Control - The owner is granted full control over
+  the resource, meaning that s/he can modify its ACL to grant rights to others. 
+- RBAC - Rule Based Access Control - Under RBAC, a set of organizational roles
+  are defined and users allocated to those roles. 
+- MAC - Mandatory Access Control - based on the idea of security clearance
+  levels. Rather than defining access control lists on resources, each object
+  and each subject is granted a clearance level (referred to as a label). 
+
+
+# Crypto:
+
+## Bit length of hashing algorithm 
+ - sha-1, 160 bits
+ - sha-2, up to 512 bits
+ - md5, 128 bits
+ - ripemd-160 - 160 bits
+
+##  Stream ciphers and block ciphers
+ - 3DES / Triple DES - block cipher - 56 bit key - 64 bit blocks
+ - AES / AES25 - block cipher - 128 bit block size, variable key length 
+ - RC4 stream cipher - from 40 to 128 bits, variable length key - used in SSL / WEP 
+ - Blowfish - 64 bits, variable length key
+ - Twofish - 128 bits, variable length key 
+ - RSA - finds prime factors of large sets of number. variable key size. 2048
+   key size ( 2048 / 8 ) - 11
+ - DSA (Digital Signature Algorithm) 
+
+
+## Asymmetric vs Symmetric encryption
+### Asymmetric 
+ - uses pki. two keys, one key is needed to encrypt & decrypt the other
+ - public key, private key 
+### Symmetric 
+ - uses the same key for encryption & decryption
+
+## PKI (Public Key Infrastructure)
+Three main elements to a PKI:
+- Organization
+- Servers
+- Client
+
+## Key Management
+Stages of a key lifecycle. Key mgmt can either be centralized(admin controls
+all of it) or decentralized(each user controls own keys).
+- Key Generation
+- Certificate Generation
+- Distribution
+- Storage
+- Revocation
+- Expiration
+
+## Public Key Crypto Standards
+- PKCS #1 - defines the properties of public/private key pairs and the
+  algorithms for RSA encryption. 
+- PKCS #3 - defines Diffie-Hellman key agreeement.
+- PKCS #6 - the original (v1) standard for X.509 certificates. As noted above,
+  the latest X.509 v3 standard is published as RFC 5280 . 
+- PKCS #7 - provides the basis for S/MIME (Secure Multipart Internet Mail
+  Extensions), allowing users to sign and encrypt email messages using digital
+  certificates. S/MIME is published as the Cryptographic Message Standard (CMS)
+  in RFC 5652 . 
+- PKCS #10 - format for requests certificates from a CA
+
+## RFCS
+- [2104](https://tools.ietf.org/html/rfc2104) hashbased message authentication code (HMAC)
+- [5280](https://tools.ietf.org/html/rfc5280) x.509 public key infrastructure
+- [2527](https://tools.ietf.org/html/rfc2527) certificate policies
+- [4880](https://tools.ietf.org/html/rfc4880) pretty good privacy (pgp)
+- [5280](https://tools.ietf.org/html/rfc5280) 
+- [5652](https://tools.ietf.org/html/rfc5652)
+- [4120](https://tools.ietf.org/html/rfc4120) kerberos
+- [1334](https://tools.ietf.org/html/rfc1334) PAP - password authentication protocol
+- [1994](https://tools.ietf.org/html/rfc1994) CHAP - challenge handshake authentication protocol
+- [4226](https://tools.ietf.org/html/rfc4226) HOTP - HMAC based one-time password algorithm
+- [6238](https://tools.ietf.org/html/rfc6238) TOTP - Timebased one-time password algorithm
+- [3748](https://tools.ietf.org/html/rfc3748) EAP - Extensible Authentication Protocol
+- [5216](https://tools.ietf.org/html/rfc5216) EAP-TLS 
+- [2865](https://tools.ietf.org/html/rfc2865) RADIUS - Remote Authentication Dial-in User Service
+
+## FIPS - Federal Information Processing Standards
+- FIPS 180
+- FIPS 198 
+- FIPS 186
+- FIPS 140
+- FIPS 201
+
+## Suite B
+Suite B is a set of cryptographic algorithms mandated by the National Security
+Agency (NSA) for use by US government agencies. Suite A is an unpublished list
+of classified algorithms. 
+- Encryption AES-128 & AES-256
+- Digital Signature - ECDSA with 256 and 384 bit keys
+- Key Exchange - Diffie Hellman with 256 and 384 bit keys
+- Cryptographic Hash - SHA-256 and SHA-384

_posts/security+/2017-08-23-security+-notes-part2.markdown

@@ -0,0 +1,226 @@
+## LDAP
+- everything is done in plaintext
+- there is a TLS version of it. LDAPS
+- port 636
+
+## Windows Active Directory
+- tree and forest type of hierarchical design
+- For example, the widget.com parent domain (the root of the tree) could
+  contain child domains (sales.widget.com, mis.widget.com, partners.widget.com,
+  and so on). These domains have twoway transitive trusts, meaning that (for
+  example) a user account in one domain in the tree could access resources (an
+  application or file server for instance) in another domain. 
+
+### Security Accounts Manager
+- database on windows systems up to windows 7 that stored hashed version
+  usually ntlm hash of passwords. stored in the registry path:
+  %SystemRoot%/system32/config/SAM  
+
+### Naming Strategy
+- how will AD namespace integrate with public dns entries?
+- consider grouping OU by location & group info
+
+### Group Management
+AGDLP (Accounts go into Global groups, which go into Domain Local groups,
+which get Permissions)
+- domain local - privileges only assigned to members in same domain. Accounts
+  or universal and global groups from any trusted domain can be a member of a
+  domain local group.
+- global - groups can contain only user and global or universal group accounts
+  from the same domain but can be used to assign rights to resources in any
+  trusted domain (essentially, the opposite of domain local scope). 
+- univesal - can contain accounts from any trusted domain and can also be used
+  to grant permissions on any object in any trusted domain.
+- other groups: security, distribution, system
+
+### Group Policy and Local Security Policy
+- password policy: min age, complexity, min length, password history (y/n),
+  change pass option, pass expire (y/n)
+- account restrictions: time, workstation, # consecutive logins, expiration
+  date, disable account, max # incorrect login attempt before lockout
+
+## Secure Network Topologies
+topology - a description of how a computer network is physically or logically
+organized.
+
+### Subnetting
+- useful because traffic that passes through each subnet can be subject to
+filtering and access control at the router. 
+- also can make it harder to sniff traffic on the network due to it being
+  divided. 
+
+### Zones
+an area of the network where the security configuration is the same for all
+hosts within it.
+- Firewalls block traffic based on zones - example zones: intranet, exranet
+  (semi-trusted hosts, who must auth with extranet), internet
+- Uses ACL
+- DMZ - demilitarized zone. traffic cannot pass through.
+
+### Tunneling
+VPNs are biggest example. a tunnel is often used as example to describe a VPN's
+functionality.
+
+### Switches
+- VLAN protocols: VTP (VLAN Trunking Protocol), GARP (Generic Attribute
+  Registration Protocol), GVRP (Generic VLAN Registration Protocol)
+- Pruning - removing broadcasts related to particular VLANs from a trunk to
+  preserve bandwidth
+- Vulnerabilities: MAC flooding, ARP poisoning, VLAN hopping: this exploits the
+  native VLAN feature of 802.1Q. Native VLANs are designed to provide
+  compatibility with non-VLAN capable switches. The attacker (using a device
+  placed in the native VLAN) crafts a frame with two VLAN tag headers. The
+  first trunk switch to inspect the frame strips the first header and the frame
+  gets forwarded to the target VLAN. VTP attacks (attacker masquerades as
+  another switch to try to have the configuration replicated to it), Spanning
+  Tree Attacks
+
+### Routers
+- fault tolerant
+- dynamic router protocols: bgp (big isp), opsf - link state algorithm used,
+  rip - distance vector algorithm. less efficient than link state algorithm. 
+- attacks: fingerprinting, exploits in the OS running the router, spoofed
+  routing info, denial of service, arp poisoning, icmp redirect
+
+### Network Address Translation
+Types: 
+- Static 1:1 mapping made between inside / outside address ip space 
+- Dynamic - has pool of addresses. assigns and relases them as needed
+- Overloaded
+- Destinaton 
+- NAPT - assigning ports to internal ip 
+- DNAT - destination port forwarding to open up internal port to interwebs
+
+### Firewalls
+basic function of a firewall is traffic filtering
+- types: packet filtering, stateful, stateful inspection, application aware
+devices
+- packet filtering: can inspect the headers of ip packets
+- packet filtering: block traffic with ip filtering, protocol type, port
+  filtering
+- stateful inspection: records up to layer 5 (session) layer. Stores state
+  information in a statet table
+- application aware: records up to layer 7 (application) layer. 
+
+### Proxies and Gateways
+- Proxy can be setup as man-in-the-middle to filter traffic or simply monitor
+  outbound traffic
+- can work as a caching engine to store frequently requested web pages in an
+  effort to speed up load times 
+- Reverse Proxy - a way to take internal facing applications and make them face
+  the public internet
+
+### Implementing a Firewall or Gateway
+- Appliance Firewall - uses dedicated hardware 
+- Router Firewall - built into router
+- Switch Firewall - some layer 3 switches can perform packet filtering
+- NOS Firewall - designed to run under a network server
+- Application Firewall - software based firewall running on a host
+- Personal Firewall - software based firewall only running on a single host
+
+### Web Application Firewall (WAF)
+Designed to specifically block threats over https and https
+
+### Web and Security Gateways 
+- Designed for corporate control over websites employees visit on a network.
+- Is usually implemented via a stand-alone appliance or proxy server software. 
+- Can also be used to filter email attachments 
+
+### Intrusion Detection System (IDS) / Network Intrusion Detection Systems
+(NIDS)
+- will detect an attack and log, usually creating and alerting the
+  administrator
+- uses an analysis engine: usually with console access. 
+- passive in nature: there to be able to alert and notify the administrator of
+  the event triggered
+- some have active detection: will end the TCP session 
+
+### Intrusion Prevention System (IPS)
+Designed to detect an attack, log it, and put a stop to it! Usually by
+completely ending the TCP connection and/or session. 
+
+### Unified Threat Management (UTM)
+All-in-one merger of roles of NIDS / IDS / IPS / NIPS
+usually will be very high end machines capable or accepting lots of traffic and
+analyzing it along with signature checking against a database. 
+
+### Host Based IDS (HIDS)
+captures information from a single host on a network
+
+### IDS Analysis Engines
+- signature based detection or pattern matching. engine is loaded with a DB of
+  attack patterns or malware signatures and checks incoming traffic against
+  this DB. 
+- behavior based detection: engine is trained to first recognize a baseline
+  'normal' behavior, and then acts on incoming traffic that deviates from the
+  baseline or 'normal' behavior
+- anomaly based detection: acts if the engine detects things that are anomolous
+  in nature or irregularities occurring in protocols. 
+
+### Wifi Security
+- Wardriving - driving around looking for insecure wireless access points
+- Warchalking - marking locations with something so you can come back later to
+  pwn the wifi network. 
+- WEP cracking - aircrack-ng suite of tools can be used to listen to ARP IV's
+  since the encryption key is transfered via plaintext. encryption is an rc4
+  cipher. 
+- WPA2 - AES put in place to encrypt instead of RC4. 
+- WPA2 - attacker can get pre-shared encryption key by associating with access
+  point. then the attacker will brute force the passphrase using the pre-shared
+  encryption key. 
+ 
+### Open Authentication and Captive Portals
+open wifi basically an unecrypted open network.
+- captive portal: on an open network, making a secondary login usually with
+  https via a web browser so clients have to login.
+- mac address filtering could work to better secure an open wifi network
+- another method to secure: disable dhcp and enforce users connceting to use a static ip
+- signal strength: increase / decrease power of wifi antenna based on site-survey for the
+  physical space
+
+### IPSEC
+- layer 3 
+- two core protocols: AH (authentication header), ESP(encapsulation security
+  payload). 
+- AH will encrypt the IP header in the packet
+- ESP will encrypt the entire payload. 
+- HMAC-MD5, HMAC-SHA-1, or HMAC-SHA-2 and 3DES or AES (symmetric encryption
+  ciphers) are the algorithms typically used by ESP.
+
+#### Internet Key Exchange / ISAKMP
+- AH and ESP both depend on a shared secret key that is only known to the two
+  hosts
+- phase 1: establishes identity of two hosts & key agreement with diffie hellmen key exchange.
+- phase 2: diffie-hellmen key agreement establishes shared key used to sign
+  packets for msg integrity. diffie-hellmen however does not authenticate the
+  endpoints.
+- phase 3: authenticatin endpoint kicks in. endpoints are: pki, pre-shared
+  key, kerberos
+
+#### Transport and Tunnel Modes
+- Transport mode - ip header is not encrypted, only the payload is
+- Tunnel mode - entire ip packet. header + payload all encrypted
+
+### Remote Access Hardening
+things to look for on servers in regards to hardening: 
+- malware protection - is antivirus installed?
+- security information - is authentication info stored on the server?
+- data transfer - files copied to remote hosts can no longer be secured
+- local privileges - sudo users and what not that can escalate privileges
+- weak authentication - users that use weak passwds get pwned
+
+## RFC
+- [1123](https://tools.ietf.org/html/rfc1123)
+- [3022](https://tools.ietf.org/html/rfc3022) NAT
+- [1918](https://tools.ietf.org/html/rfc1918) Private IP address classes
+- [2637](https://tools.ietf.org/html/rfc2637) PPTP 
+- [2661](https://tools.ietf.org/html/rfc2661) L2TP
+- [3193](https://tools.ietf.org/html/rfc3193) IPSec in conjuction with L2TP as
+  a vpn solution
+- [4301](https://tools.ietf.org/html/rfc4301) IPSec 
+- [4385](https://tools.ietf.org/html/rfc4385) Algorithms that an implementation
+  must adhere to be standards-compliant.
+- [1001](https://tools.ietf.org/html/rfc1001) NETBios
+- [1002](https://tools.ietf.org/html/rfc1002) NetBios
+- [4942](https://tools.ietf.org/html/rfc4942) IPv6 Vulnerabilities
+

_posts/security+/2017-08-24-securty+-notes-part3.markdown

@@ -0,0 +1,103 @@
+## Host Security
+- Common Criteria (CC)
+- Security Target (ST)
+- baseline: snapshot of the typical activity on your network on any given host.
+
+### OS Hardening 
+- Windows: Group Policy, Local Security Policy
+- Unix: SystemV (AT&T), BSD (All the BSDS YES!) 
+- Linux: Many distributions. 
+- Patch Management - make sure you patch your shit yo
+- Windows: Windows update to update the OS
+- Linux/Unix: System package manager or recompile packages based on needs
+- Hotfixes: specific customer request for a piece of software to be fixed.
+  Usuaully hurried in nature. 
+- Windows: Service packs 
+- Windows Update Services: basically an update server that works like a proxy
+  server. you can centralize and speed up windows updates times in your organization
+- Firmware Updates: you have seen examples via IPMI updates on servers. Routers
+  / Switches very important to have latest firmware updates applied. 
+- Driver updates: Make sure all the crapp windows software has been updated to
+  latest drivers. linux will take care via the pkg manager.
+- Endpoint Security: If they can't get to your individual hardended server
+  because you have something like a firewall setup at your network endpoint,
+  then you are doing it right! 
+- Physical Security: Access to USB port / network ports on servers, switches, routers 
+- Mac Filtering: Specifying which MAC addresses are allowed to connect to a
+  specific network port. 
+- PNAC (Port Based Network Access Control) - performs some sort of
+  authentication of the attached device before activating the port. 
+- EAPoL (Extensible Authentication Protocol over LAN) - authenticating devices
+  using EAP or with PKI to pass authentication portion over to a RADIUS server.
+  RADIUS server will check creds and give access denied or allow access. If
+  access granted, switch will enable the VLAN tag that the port is setup with
+  to enable network access. 
+
+### Data Security
+- data policy: describes the security controls that will be applied to protect
+  data at each stage of its lifecycle. 
+- information classification and access control: unclassified (public) data,
+  classified (private/restricted) data, confidential aka highly sensitive data,
+  secret data, top-secret. 
+- classified, confidential, secret, and top-secret should be encrypted
+- publication and distribution: storage and retrieval, distribution - what
+  restrictions are there on making copies of the data, security - what is the
+  security process if the document is compromised 
+- data states: data at rest, data in-transit, data in-use 
+- retention, storage, and destruction: retention aka archiving the data,
+  destruction aka destroying the data
+
+### Personally Identifiable Information (PII)
+Protect yourself from identity theft yo, limit the use of PII! 
+- PII - data that can be used to identify, contact, or locate an individual (or
+  in the case of identity theft, to impersonate them).
+- Examples: tattoos, social security number, usernames, passwords, email
+  addresses, dobs, cc #
+
+### Data Encryption
+Encrypt all the things
+- file / folder encryption - many different filesystems that support
+  encryption, efs and luks are some examples
+- disk encryption: BitLocker, TrueCrypt(discontinued), Symantec Drive
+  Encryption
+- Hardware based encryption: TPM (Trusted Platform Module) - a little piece of
+  hardware that stores the encryption key on it. starting to also be hardware
+  based solutions that are meant to be installed as add-ons to bring load away
+  from CPU. 
+- Removable media encryption: usb devices, yubikeys, many different kinds. 
+- Database encryption: most of the time it is better to encrypt files on the
+  disk. encryption usually done at the column level so this is very CPU
+  intensive. 
+
+### Data Loss Prevention
+Dont lose that data!
+- a database that identifies confidential data that should not be lost. 
+- requires the following components: policy server - to configure
+  confidentiality ruleset, endpoint agents - to enforce policy on client
+  computers, network
+  agents - scan communications at network borders and interface with web and
+  messaging servers to enforce policy.
+- rights management services: assigns file permissions based on different
+  document roles(such as author, editor, or reviewer). Restrict printing and
+  forwarding of documents, event when sent as file attachments, Restrict
+  printing and forwarding of email documents. 
+
+### Big Data
+The new buzzword to throw around in todays IT world
+- big data: an unstructured database set, usually setup into some sort of
+  database management system.
+
+### Backup Plans and Policies
+Do you have backups of your backups? 
+- backup types: full, incremental, differential 
+- keep your stuff backed up versionally - use version control, stupid. 
+- snapshots - meant to keep copies of open files, zfs, btrfs filesystems have
+  this feature built-in to the filesystem. 
+- tapes: tapes are mainly used for archiving purposes. they use an autoloader
+  to preload tapes. tapes are rotated. a good rotation policy - monthly,
+  weekly, daily. 
+- is there an offsite backup solution in place? 
+- make you sure that you are testing backups to make sure you can restore
+  everything from them 
+ 
+