From c6a089c807ae76807f5902632d9548cfbef283ab Mon Sep 17 00:00:00 2001 From: Brendan McDevitt Date: Mon, 1 Jan 2018 20:35:26 -0500 Subject: [PATCH] added 100 days of code challenge intro post --- .../2017-08-22-security+-notes-part1.markdown | 149 ------------ .../2017-08-23-security+-notes-part2.markdown | 226 ------------------ .../2017-08-24-securty+-notes-part3.markdown | 103 -------- ...-01-01-100-days-of-code-challenge.markdown | 12 + 4 files changed, 12 insertions(+), 478 deletions(-) delete mode 100644 _posts/2017-08-22-security+-notes-part1.markdown delete mode 100644 _posts/2017-08-23-security+-notes-part2.markdown delete mode 100644 _posts/2017-08-24-securty+-notes-part3.markdown create mode 100644 _posts/2018-01-01-100-days-of-code-challenge.markdown diff --git a/_posts/2017-08-22-security+-notes-part1.markdown b/_posts/2017-08-22-security+-notes-part1.markdown deleted file mode 100644 index cea882a..0000000 --- a/_posts/2017-08-22-security+-notes-part1.markdown +++ /dev/null 
@@ -1,149 +0,0 @@ -# Security Threats and Controls - -## CIA Triade -Data needs to be the following: -- Confidentiality -- Integrity -- Availability - -## Security Policy Steps -- obtain support & committment for policy proposed throughout entire org -- analyze risks to security within the org that the policy proposes -- implement controls that detect and prevent losses & procedures that enable - the org to recover from losses -- review, test, and update procedures continually. continued compliance. - -## Security Controls -- National Institute of Standards and Technolog (NIST) -- Federal Information Processing Standards [(FIPS)](http://csrc.nist.gov/publications/PubsFIPS.html) - -## Control Types -- Fips 200 (Minimum Security Requirements) -- security control will belong to 1 of 18 families of classes. -- Access Control, Awareness and Training, Audit and Accountability, Security - Assessment and Authorization, Configuration Management, Contingency Planning, - Identification and Authentication, Incident Response, Maintenance, Media - Protection, Physical and Environmental Protection, Planning, Personnel - Security, Risk Assessment, Systems and Services Aquisition, System and - Communications Protection, System and Information Integrity, Program - Management - -## Physical Security Control Types -- Administrative - controls that determine the way people act, including - policies, procedures, and guidance. -- Technical - controls implemented in operating systems, software, and hardware - devices. -- Preventative - the control physically or logically restricts unauthorized - access. A directive can be thought of as an administrative version of a - preventive control. -- Deterrent - the control may not physically or logically prevent access, but - psychologically discourages an attacker from attempting an intrusion. -- Detective - the control may not prevent or deter access, but it will identify - and record any attempted or successful intrusion. 
-- Corrective - the control responds to and fixes an incident and may also - prevent its reoccurrence. -- Compensating - the control does not prevent the attack but restores the - function of the system through some other means, such as using data backup or - an alternative site. - -## Access Control and ACL -- Identification -- Authentication -- Authorization -- Accounting - -## Formal Access Control Models -- DAC - Discretionary Access Control - The owner is granted full control over - the resource, meaning that s/he can modify its ACL to grant rights to others. -- RBAC - Rule Based Access Control - Under RBAC, a set of organizational roles - are defined and users allocated to those roles. -- MAC - Mandatory Access Control - based on the idea of security clearance - levels. Rather than defining access control lists on resources, each object - and each subject is granted a clearance level (referred to as a label). - - -# Crypto: - -## Bit length of hashing algorithm - - sha-1, 160 bits - - sha-2, up to 512 bits - - md5, 128 bits - - ripemd-160 - 160 bits - -## Stream ciphers and block ciphers - - 3DES / Triple DES - block cipher - 56 bit key - 64 bit blocks - - AES / AES25 - block cipher - 128 bit block size, variable key length - - RC4 stream cipher - from 40 to 128 bits, variable length key - used in SSL / WEP - - Blowfish - 64 bits, variable length key - - Twofish - 128 bits, variable length key - - RSA - finds prime factors of large sets of number. variable key size. 2048 - key size ( 2048 / 8 ) - 11 - - DSA (Digital Signature Algorithm) - - -## Asymmetric vs Symmetric encryption -### Asymmetric - - uses pki. two keys, one key is needed to encrypt & decrypt the other - - public key, private key -### Symmetric - - uses the same key for encryption & decryption - -## PKI (Public Key Infrastructure) -Three main elements to a PKI: -- Organization -- Servers -- Client - -## Key Management -Stages of a key lifecycle. 
Key mgmt can either be centralized(admin controls -all of it) or decentralized(each user controls own keys). -- Key Generation -- Certificate Generation -- Distribution -- Storage -- Revocation -- Expiration - -## Public Key Crypto Standards -- PKCS #1 - defines the properties of public/private key pairs and the - algorithms for RSA encryption. -- PKCS #3 - defines Diffie-Hellman key agreeement. -- PKCS #6 - the original (v1) standard for X.509 certificates. As noted above, - the latest X.509 v3 standard is published as RFC 5280 . -- PKCS #7 - provides the basis for S/MIME (Secure Multipart Internet Mail - Extensions), allowing users to sign and encrypt email messages using digital - certificates. S/MIME is published as the Cryptographic Message Standard (CMS) - in RFC 5652 . -- PKCS #10 - format for requests certificates from a CA - -## RFCS -- [2104](https://tools.ietf.org/html/rfc2104) hashbased message authentication code (HMAC) -- [5280](https://tools.ietf.org/html/rfc5280) x.509 public key infrastructure -- [2527](https://tools.ietf.org/html/rfc2527) certificate policies -- [4880](https://tools.ietf.org/html/rfc4880) pretty good privacy (pgp) -- [5280](https://tools.ietf.org/html/rfc5280) -- [5652](https://tools.ietf.org/html/rfc5652) -- [4120](https://tools.ietf.org/html/rfc4120) kerberos -- [1334](https://tools.ietf.org/html/rfc1334) PAP - password authentication protocol -- [1994](https://tools.ietf.org/html/rfc1994) CHAP - challenge handshake authentication protocol -- [4226](https://tools.ietf.org/html/rfc4226) HOTP - HMAC based one-time password algorithm -- [6238](https://tools.ietf.org/html/rfc6238) TOTP - Timebased one-time password algorithm -- [3748](https://tools.ietf.org/html/rfc3748) EAP - Extensible Authentication Protocol -- [5216](https://tools.ietf.org/html/rfc5216) EAP-TLS -- [2865](https://tools.ietf.org/html/rfc2865) RADIUS - Remote Authentication Dial-in User Service - -## FIPS - Federal Information Processing Standards -- FIPS 180 -- 
FIPS 198 -- FIPS 186 -- FIPS 140 -- FIPS 201 - -## Suite B -Suite B is a set of cryptographic algorithms mandated by the National Security -Agency (NSA) for use by US government agencies. Suite A is an unpublished list -of classified algorithms. -- Encryption AES-128 & AES-256 -- Digital Signature - ECDSA with 256 and 384 bit keys -- Key Exchange - Diffie Hellman with 256 and 384 bit keys -- Cryptographic Hash - SHA-256 and SHA-384 diff --git a/_posts/2017-08-23-security+-notes-part2.markdown b/_posts/2017-08-23-security+-notes-part2.markdown deleted file mode 100644 index c37b3a8..0000000 --- a/_posts/2017-08-23-security+-notes-part2.markdown +++ /dev/null 
@@ -1,226 +0,0 @@ -## LDAP -- everything is done in plaintext -- there is a TLS version of it. LDAPS -- port 636 - -## Windows Active Directory -- tree and forest type of hierarchical design -- For example, the widget.com parent domain (the root of the tree) could - contain child domains (sales.widget.com, mis.widget.com, partners.widget.com, - and so on). These domains have twoway transitive trusts, meaning that (for - example) a user account in one domain in the tree could access resources (an - application or file server for instance) in another domain. - -### Security Accounts Manager -- database on windows systems up to windows 7 that stored hashed version - usually ntlm hash of passwords. stored in the registry path: - %SystemRoot%/system32/config/SAM - -### Naming Strategy -- how will AD namespace integrate with public dns entries? -- consider grouping OU by location & group info - -### Group Management -AGDLP (Accounts go into Global groups, which go into Domain Local groups, -which get Permissions) -- domain local - privileges only assigned to members in same domain. Accounts - or universal and global groups from any trusted domain can be a member of a - domain local group. -- global - groups can contain only user and global or universal group accounts - from the same domain but can be used to assign rights to resources in any - trusted domain (essentially, the opposite of domain local scope). -- univesal - can contain accounts from any trusted domain and can also be used - to grant permissions on any object in any trusted domain. 
-- other groups: security, distribution, system - -### Group Policy and Local Security Policy -- password policy: min age, complexity, min length, password history (y/n), - change pass option, pass expire (y/n) -- account restrictions: time, workstation, # consecutive logins, expiration - date, disable account, max # incorrect login attempt before lockout - -## Secure Network Topologies -topology - a description of how a computer network is physically or logically -organized. - -### Subnetting -- useful because traffic that passes through each subnet can be subject to -filtering and access control at the router. -- also can make it harder to sniff traffic on the network due to it being - divided. - -### Zones -an area of the network where the security configuration is the same for all -hosts within it. -- Firewalls block traffic based on zones - example zones: intranet, exranet - (semi-trusted hosts, who must auth with extranet), internet -- Uses ACL -- DMZ - demilitarized zone. traffic cannot pass through. - -### Tunneling -VPNs are biggest example. a tunnel is often used as example to describe a VPN's -functionality. - -### Switches -- VLAN protocols: VTP (VLAN Trunking Protocol), GARP (Generic Attribute - Registration Protocol), GVRP (Generic VLAN Registration Protocol) -- Pruning - removing broadcasts related to particular VLANs from a trunk to - preserve bandwidth -- Vulnerabilities: MAC flooding, ARP poisoning, VLAN hopping: this exploits the - native VLAN feature of 802.1Q. Native VLANs are designed to provide - compatibility with non-VLAN capable switches. The attacker (using a device - placed in the native VLAN) crafts a frame with two VLAN tag headers. The - first trunk switch to inspect the frame strips the first header and the frame - gets forwarded to the target VLAN. 
VTP attacks (attacker masquerades as - another switch to try to have the configuration replicated to it), Spanning - Tree Attacks - -### Routers -- fault tolerant -- dynamic router protocols: bgp (big isp), opsf - link state algorithm used, - rip - distance vector algorithm. less efficient than link state algorithm. -- attacks: fingerprinting, exploits in the OS running the router, spoofed - routing info, denial of service, arp poisoning, icmp redirect - -### Network Address Translation -Types: -- Static 1:1 mapping made between inside / outside address ip space -- Dynamic - has pool of addresses. assigns and relases them as needed -- Overloaded -- Destinaton -- NAPT - assigning ports to internal ip -- DNAT - destination port forwarding to open up internal port to interwebs - -### Firewalls -basic function of a firewall is traffic filtering -- types: packet filtering, stateful, stateful inspection, application aware -devices -- packet filtering: can inspect the headers of ip packets -- packet filtering: block traffic with ip filtering, protocol type, port - filtering -- stateful inspection: records up to layer 5 (session) layer. Stores state - information in a statet table -- application aware: records up to layer 7 (application) layer. 
- -### Proxies and Gateways -- Proxy can be setup as man-in-the-middle to filter traffic or simply monitor - outbound traffic -- can work as a caching engine to store frequently requested web pages in an - effort to speed up load times -- Reverse Proxy - a way to take internal facing applications and make them face - the public internet - -### Implementing a Firewall or Gateway -- Appliance Firewall - uses dedicated hardware -- Router Firewall - built into router -- Switch Firewall - some layer 3 switches can perform packet filtering -- NOS Firewall - designed to run under a network server -- Application Firewall - software based firewall running on a host -- Personal Firewall - software based firewall only running on a single host - -### Web Application Firewall (WAF) -Designed to specifically block threats over https and https - -### Web and Security Gateways -- Designed for corporate control over websites employees visit on a network. -- Is usually implemented via a stand-alone appliance or proxy server software. -- Can also be used to filter email attachments - -### Intrusion Detection System (IDS) / Network Intrusion Detection Systems -(NIDS) -- will detect an attack and log, usually creating and alerting the - administrator -- uses an analysis engine: usually with console access. -- passive in nature: there to be able to alert and notify the administrator of - the event triggered -- some have active detection: will end the TCP session - -### Intrusion Prevention System (IPS) -Designed to detect an attack, log it, and put a stop to it! Usually by -completely ending the TCP connection and/or session. - -### Unified Threat Management (UTM) -All-in-one merger of roles of NIDS / IDS / IPS / NIPS -usually will be very high end machines capable or accepting lots of traffic and -analyzing it along with signature checking against a database. 
- -### Host Based IDS (HIDS) -captures information from a single host on a network - -### IDS Analysis Engines -- signature based detection or pattern matching. engine is loaded with a DB of - attack patterns or malware signatures and checks incoming traffic against - this DB. -- behavior based detection: engine is trained to first recognize a baseline - 'normal' behavior, and then acts on incoming traffic that deviates from the - baseline or 'normal' behavior -- anomaly based detection: acts if the engine detects things that are anomolous - in nature or irregularities occurring in protocols. - -### Wifi Security -- Wardriving - driving around looking for insecure wireless access points -- Warchalking - marking locations with something so you can come back later to - pwn the wifi network. -- WEP cracking - aircrack-ng suite of tools can be used to listen to ARP IV's - since the encryption key is transfered via plaintext. encryption is an rc4 - cipher. -- WPA2 - AES put in place to encrypt instead of RC4. -- WPA2 - attacker can get pre-shared encryption key by associating with access - point. then the attacker will brute force the passphrase using the pre-shared - encryption key. - -### Open Authentication and Captive Portals -open wifi basically an unecrypted open network. -- captive portal: on an open network, making a secondary login usually with - https via a web browser so clients have to login. -- mac address filtering could work to better secure an open wifi network -- another method to secure: disable dhcp and enforce users connceting to use a static ip -- signal strength: increase / decrease power of wifi antenna based on site-survey for the - physical space - -### IPSEC -- layer 3 -- two core protocols: AH (authentication header), ESP(encapsulation security - payload). -- AH will encrypt the IP header in the packet -- ESP will encrypt the entire payload. 
-- HMAC-MD5, HMAC-SHA-1, or HMAC-SHA-2 and 3DES or AES (symmetric encryption - ciphers) are the algorithms typically used by ESP. - -#### Internet Key Exchange / ISAKMP -- AH and ESP both depend on a shared secret key that is only known to the two - hosts -- phase 1: establishes identity of two hosts & key agreement with diffie hellmen key exchange. -- phase 2: diffie-hellmen key agreement establishes shared key used to sign - packets for msg integrity. diffie-hellmen however does not authenticate the - endpoints. -- phase 3: authenticatin endpoint kicks in. endpoints are: pki, pre-shared - key, kerberos - -#### Transport and Tunnel Modes -- Transport mode - ip header is not encrypted, only the payload is -- Tunnel mode - entire ip packet. header + payload all encrypted - -### Remote Access Hardening -things to look for on servers in regards to hardening: -- malware protection - is antivirus installed? -- security information - is authentication info stored on the server? -- data transfer - files copied to remote hosts can no longer be secured -- local privileges - sudo users and what not that can escalate privileges -- weak authentication - users that use weak passwds get pwned - -## RFC -- [1123](https://tools.ietf.org/html/rfc1123) -- [3022](https://tools.ietf.org/html/rfc3022) NAT -- [1918](https://tools.ietf.org/html/rfc1918) Private IP address classes -- [2637](https://tools.ietf.org/html/rfc2637) PPTP -- [2661](https://tools.ietf.org/html/rfc2661) L2TP -- [3193](https://tools.ietf.org/html/rfc3193) IPSec in conjuction with L2TP as - a vpn solution -- [4301](https://tools.ietf.org/html/rfc4301) IPSec -- [4385](https://tools.ietf.org/html/rfc4385) Algorithms that an implementation - must adhere to be standards-compliant. -- [1001](https://tools.ietf.org/html/rfc1001) NETBios -- [1002](https://tools.ietf.org/html/rfc1002) NetBios -- [4942](https://tools.ietf.org/html/rfc4942) IPv6 Vulnerabilities - 
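Review bot: the commit message ("added 100 days of code challenge intro post") does not account for this hunk, which deletes the whole of `_posts/2017-08-23-security+-notes-part2.markdown` (226 lines), nor for the matching deletions of the part1 and part3 notes in the same commit; the diffstat shows 478 lines removed and the message never says why. Put the three deletions in their own commit with a message that states the reason (superseded, inaccurate, moved elsewhere), or at least mention them here, so the history explains the removal rather than hiding it behind an "added" message. These files live in `_posts/` alongside the new post, so they are published posts; deleting them also removes their URLs. If they were ever linked, add redirects or keep the files and mark them deprecated instead of dropping them outright.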
diff --git a/_posts/2017-08-24-securty+-notes-part3.markdown b/_posts/2017-08-24-securty+-notes-part3.markdown deleted file mode 100644 index d189397..0000000 --- a/_posts/2017-08-24-securty+-notes-part3.markdown +++ /dev/null 
@@ -1,103 +0,0 @@ -## Host Security -- Common Criteria (CC) -- Security Target (ST) -- baseline: snapshot of the typical activity on your network on any given host. - -### OS Hardening -- Windows: Group Policy, Local Security Policy -- Unix: SystemV (AT&T), BSD (All the BSDS YES!) -- Linux: Many distributions. -- Patch Management - make sure you patch your shit yo -- Windows: Windows update to update the OS -- Linux/Unix: System package manager or recompile packages based on needs -- Hotfixes: specific customer request for a piece of software to be fixed. - Usuaully hurried in nature. -- Windows: Service packs -- Windows Update Services: basically an update server that works like a proxy - server. you can centralize and speed up windows updates times in your organization -- Firmware Updates: you have seen examples via IPMI updates on servers. Routers - / Switches very important to have latest firmware updates applied. -- Driver updates: Make sure all the crapp windows software has been updated to - latest drivers. linux will take care via the pkg manager. -- Endpoint Security: If they can't get to your individual hardended server - because you have something like a firewall setup at your network endpoint, - then you are doing it right! -- Physical Security: Access to USB port / network ports on servers, switches, routers -- Mac Filtering: Specifying which MAC addresses are allowed to connect to a - specific network port. -- PNAC (Port Based Network Access Control) - performs some sort of - authentication of the attached device before activating the port. -- EAPoL (Extensible Authentication Protocol over LAN) - authenticating devices - using EAP or with PKI to pass authentication portion over to a RADIUS server. - RADIUS server will check creds and give access denied or allow access. If - access granted, switch will enable the VLAN tag that the port is setup with - to enable network access. 
- -### Data Security -- data policy: describes the security controls that will be applied to protect - data at each stage of its lifecycle. -- information classification and access control: unclassified (public) data, - classified (private/restricted) data, confidential aka highly sensitive data, - secret data, top-secret. -- classified, confidential, secret, and top-secret should be encrypted -- publication and distribution: storage and retrieval, distribution - what - restrictions are there on making copies of the data, security - what is the - security process if the document is compromised -- data states: data at rest, data in-transit, data in-use -- retention, storage, and destruction: retention aka archiving the data, - destruction aka destroying the data - -### Personally Identifiable Information (PII) -Protect yourself from identity theft yo, limit the use of PII! -- PII - data that can be used to identify, contact, or locate an individual (or - in the case of identity theft, to impersonate them). -- Examples: tattoos, social security number, usernames, passwords, email - addresses, dobs, cc # - -### Data Encryption -Encrypt all the things -- file / folder encryption - many different filesystems that support - encryption, efs and luks are some examples -- disk encryption: BitLocker, TrueCrypt(discontinued), Symantec Drive - Encryption -- Hardware based encryption: TPM (Trusted Platform Module) - a little piece of - hardware that stores the encryption key on it. starting to also be hardware - based solutions that are meant to be installed as add-ons to bring load away - from CPU. -- Removable media encryption: usb devices, yubikeys, many different kinds. -- Database encryption: most of the time it is better to encrypt files on the - disk. encryption usually done at the column level so this is very CPU - intensive. - -### Data Loss Prevention -Dont lose that data! -- a database that identifies confidential data that should not be lost. 
-- requires the following components: policy server - to configure - confidentiality ruleset, endpoint agents - to enforce policy on client - computers, network - agents - scan communications at network borders and interface with web and - messaging servers to enforce policy. -- rights management services: assigns file permissions based on different - document roles(such as author, editor, or reviewer). Restrict printing and - forwarding of documents, event when sent as file attachments, Restrict - printing and forwarding of email documents. - -### Big Data -The new buzzword to throw around in todays IT world -- big data: an unstructured database set, usually setup into some sort of - database management system. - -### Backup Plans and Policies -Do you have backups of your backups? -- backup types: full, incremental, differential -- keep your stuff backed up versionally - use version control, stupid. -- snapshots - meant to keep copies of open files, zfs, btrfs filesystems have - this feature built-in to the filesystem. -- tapes: tapes are mainly used for archiving purposes. they use an autoloader - to preload tapes. tapes are rotated. a good rotation policy - monthly, - weekly, daily. -- is there an offsite backup solution in place? -- make you sure that you are testing backups to make sure you can restore - everything from them - - diff --git a/_posts/2018-01-01-100-days-of-code-challenge.markdown b/_posts/2018-01-01-100-days-of-code-challenge.markdown new file mode 100644 index 0000000..20a533b --- /dev/null +++ b/_posts/2018-01-01-100-days-of-code-challenge.markdown 
@@ -0,0 +1,12 @@ +--- +layout: post +title: "100-days-of-code-challenge" +date: 2018-01-01 +categories: programming +--- + +With a brand new year, comes a fresh start, a clean slate. I am going to begin +my new year with something I have just come across: [100daysofcode](http://100daysofcode.com/) challenge. +I have forked the 100 days of code repo from github and am using the log to +track my daily progress. It will be fun, and it will be a great way to keep me +accountable for building my python knowledge.
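Review bot: the front matter in this hunk sets `title: "100-days-of-code-challenge"`, which is a slug rather than a title; the `post` layout will presumably render this string as the page heading, so use a readable one such as `title: "100 Days of Code Challenge"` and let the filename carry the slug. The body says the 100 days of code repo was forked and that its log is being used to track daily progress, but gives no link to the fork, so readers cannot follow the progress the post invites them to; link the fork where "forked the 100 days of code repo" appears, next to the existing link to 100daysofcode.com. Two minor points: the link uses `http://`, so check whether the site serves `https://` and prefer it if it does, and "python" in the last line should be capitalised as "Python".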