1. Protection
    1. Digital Certificates
      1. Description
        1. Digital documents that verify the identity of a website or individual.
      2. Components
        1. Public Key
          1. For encryption (the matching private key decrypts).
        2. Issuer Info
          1. Details about the certificate authority (CA) that issued it.
        3. Subject Info
          1. Information about the entity the certificate represents.
      3. Types
        1. SSL/TLS Certificates
          1. For secure web communication.
        2. Code Signing Certificates
          1. To verify software authenticity.
        3. Email Certificates
          1. For secure email communication.
      4. Purpose
        1. Authentication
          1. Verifies the identity of the communicating parties.
        2. Encryption
          1. Secures data transmission.
        3. Integrity
          1. Ensures data hasn't been tampered with.
      5. Validation Levels
        1. Domain Validation (DV)
          1. Basic level, verifies domain ownership.
        2. Organization Validation (OV)
          1. Verifies the organization behind the domain.
        3. Extended Validation (EV)
          1. Highest level, extensive verification of the organization.
      6. Common Formats
        1. PEM
          1. Base64 encoded, used in Apache and similar servers.
        2. DER
          1. Binary format, used in Java platforms.
        3. PFX/P12
          1. Includes both the certificate and private key, used in Windows.
      7. X.509 Standard
        1. A standard that defines the format of public-key certificates.
        2. Components
          1. Version Number
            1. Indicates the X.509 version used.
          2. Serial Number
            1. Unique identifier for the certificate.
          3. Algorithm Info
            1. Details about the cryptographic algorithms used.
          4. Issuer
            1. The certificate authority that issued the certificate.
          5. Validity Period
            1. The time frame during which the certificate is valid.
          6. Subject
            1. The entity the certificate is issued to.
          7. Public Key
            1. The public key of the subject.
          8. Extensions
            1. Optional additional attributes, such as key usage.
        3. Purpose
          1. Interoperability
            1. Ensures that certificates can be used across different systems and applications.
          2. Standardization
            1. Provides a consistent way to present and verify digital certificates.
        4. Common Uses
          1. SSL/TLS
            1. For secure web communication.
          2. VPN
            1. For secure virtual private network connections.
          3. Email Security
            1. For secure email exchanges.
        5. Versions
          1. v1: Basic fields, rarely used today.
          2. v2: Added issuer and subject identifiers, also rarely used.
          3. v3: Most common, supports extensions for additional functionalities.
      8. CRL (Certificate Revocation List)
        1. A list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their expiration date.
        2. How It Works
          1. Issued by CA: The Certificate Authority regularly updates and publishes the CRL.
          2. Checked by Clients: Before trusting a certificate, clients can check if it's on the CRL.
        3. Reasons for Revocation
          1. Compromised private key
          2. Change in affiliation
          3. Certificate misuse
        4. Components
          1. Serial Numbers
            1. Each entry in the CRL includes the serial number of the revoked certificate.
          2. Revocation Date
            1. The date the certificate was revoked.
          3. CRL Signature
            1. The CRL itself is digitally signed by the CA to ensure its integrity.
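As an added example (not part of the original outline), the Python below builds a constructed X.509 v3 certificate with the fields listed above, shows PEM as base64 armour over the binary DER, parses the DER back out, and applies the two checks a client makes against the CRL and the validity period. All names, serials and dates are constructed, and the signature is a zero placeholder because no CA key is involved.

```python
import base64
import datetime as dt

OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
OID_RSA = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption

# --- Minimal DER (binary) encoder: every element is tag, length, value ---
def der_len(n):
    if n < 0x80:                                      # short form: one byte
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body           # long form: 0x8N, then N length bytes
def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content
def der_int(n):                                       # INTEGER; the extra byte keeps high-bit values positive
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))
def der_seq(*items):
    return tlv(0x30, b"".join(items))
def der_name(cn):                                     # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return der_seq(tlv(0x31, der_seq(tlv(0x06, OID_CN), tlv(0x0C, cn.encode()))))
def der_time(t):                                      # UTCTime, the encoding used for dates before 2050
    return tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
def utc(y, m, d):
    return dt.datetime(y, m, d, tzinfo=dt.timezone.utc)

def build_certificate(serial, issuer, subject, not_before, not_after, pubkey_der):
    tbs = der_seq(
        tlv(0xA0, der_int(2)),                        # [0] EXPLICIT version: value 2 means X.509 v3
        der_int(serial),                              # serial number
        der_seq(tlv(0x06, OID_SHA256_RSA)),           # signature algorithm identifier
        der_name(issuer),                             # issuer
        der_seq(der_time(not_before), der_time(not_after)),  # validity period
        der_name(subject),                            # subject
        der_seq(der_seq(tlv(0x06, OID_RSA), tlv(0x05, b"")), tlv(0x03, b"\x00" + pubkey_der)),  # subjectPublicKeyInfo
    )                                                 # extensions ([3] EXPLICIT) are omitted in this skeleton
    # Outer SEQUENCE is tbsCertificate, signatureAlgorithm, signature; the signature here is a zero placeholder.
    return der_seq(tbs, der_seq(tlv(0x06, OID_SHA256_RSA)), tlv(0x03, b"\x00" + bytes(32)))

# --- PEM is the DER bytes, base64-encoded in 64-character lines between armour lines ---
def der_to_pem(der, label="CERTIFICATE"):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)

# --- Minimal DER parser: walk the tag-length-value triples back out ---
def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def children(content):
    pos, out = 0, []
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out
def parse_cn(name_content):
    rdn_set = children(name_content)[0][1]            # first RelativeDistinguishedName (a SET)
    attr = children(rdn_set)[0][1]                    # AttributeTypeAndValue (a SEQUENCE)
    return children(attr)[1][1].decode()              # its UTF8String value
def parse_time(value):
    return dt.datetime.strptime(value.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def parse_certificate(der):
    """Pull the X.509 fields listed above out of a DER-encoded certificate."""
    _, cert, _ = read_tlv(der, 0)
    tbs, _sig_alg, _sig = children(cert)
    fields = children(tbs[1])
    version = 1                                       # no [0] element means v1
    if fields[0][0] == 0xA0:
        version = children(fields[0][1])[0][1][0] + 1
        fields = fields[1:]
    serial, _alg, issuer, validity, subject, _spki = fields[:6]
    not_before, not_after = children(validity[1])
    return {"version": version, "serial": int.from_bytes(serial[1], "big"),
            "issuer": parse_cn(issuer[1]), "subject": parse_cn(subject[1]),
            "not_before": parse_time(not_before[1]), "not_after": parse_time(not_after[1])}

def check_status(cert, now, revoked_serials):
    """The checks a client makes before trusting a certificate: the CA's CRL, then the validity window."""
    if cert["serial"] in revoked_serials:
        return "revoked"
    if now < cert["not_before"] or now > cert["not_after"]:
        return "outside_validity_period"
    return "valid"

# --- Constructed sample: no real CA, key material or signature is involved ---
SAMPLE_DER = build_certificate(
    serial=0x1A2B3C, issuer="Example Root CA", subject="www.example.test",
    not_before=utc(2024, 1, 1), not_after=utc(2025, 1, 1),
    pubkey_der=der_seq(der_int(0xC0FFEE), der_int(65537)))  # toy RSAPublicKey-shaped content
SAMPLE_PEM = der_to_pem(SAMPLE_DER)
SAMPLE_CRL = {0x1A2B3C}                               # serials the CA has published as revoked
```

Signature verification against the issuer's public key is the remaining step a real client performs before either check above means anything.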
    2. TLS (Transport Layer Security)
      1. A cryptographic protocol for secure communication over a computer network.
      2. How It Works
        1. Handshake: Initial process to establish a secure connection.
        2. Encryption: Data is encrypted before being sent.
        3. Decryption: Data is decrypted upon receipt.
      3. Versions
        1. TLS 1.0: Older, less secure.
        2. TLS 1.1: Improved security but still considered outdated.
        3. TLS 1.2: Widely used, considered secure.
        4. TLS 1.3: Latest version, offers the best security.
      4. Components
        1. Cipher Suites: Sets of algorithms for key exchange, encryption, and data integrity.
        2. Certificates: X.509 digital certificates for authentication.
      5. Purpose
        1. Confidentiality: Keeps data private.
        2. Integrity: Ensures data isn't tampered with.
        3. Authentication: Verifies the identities of communicating parties.
      6. Common Uses
        1. HTTPS: Secure web browsing.
        2. FTPS: Secure file transfers.
        3. Secure Email: Encrypted email communication.
      7. Best Practices
        1. Always Use Latest Version: For optimal security.
        2. Strong Cipher Suites: Use suites with strong encryption algorithms.
        3. Regularly Update Certificates: To maintain trust.
      8. Parts of Requests
        1. Encrypted
          1. Data Payload: The actual content you're sending, like text, files, etc., is encrypted.
          2. HTTP Headers: Information like user-agent, cookies, and other metadata are also encrypted.
          3. URL Parameters: Any data in the URL after the domain is encrypted, but not the domain itself.
          4. Session Identifiers: Things like cookies and tokens used for maintaining the session state are encrypted.
        2. Not encrypted
          1. Domain Name: The actual website address you're connecting to is visible for routing purposes.
          2. Port Number: Also visible for routing.
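The split above (domain visible, everything else encrypted) is visible in the very first bytes a client sends: the server name travels in the cleartext ClientHello's SNI extension, before any key is agreed. As an added example that is not part of the original outline, this Python builds a minimal ClientHello and shows what a passive network monitor can read from it; the host names and sample records are constructed.

```python
import struct

HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 0x16, 0x01, 0x0000

def build_client_hello(server_name=None, cipher_suites=(0x1301, 0x1302, 0x1303)):
    """Build a minimal TLS ClientHello record (constructed sample; the random is fixed for reproducibility)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    exts = b""
    if server_name is not None:                       # server_name extension, RFC 6066
        name = server_name.encode("idna")
        entry = struct.pack("!BH", 0, len(name)) + name            # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry                 # ServerNameList
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + bytes(range(32)) + b"\x00"                 # legacy_version, random, empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                           # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake

def u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]

def extract_sni(record):
    """Return the host name a ClientHello advertises in its SNI extension, or None if there is none."""
    if len(record) < 6 or record[0] != HANDSHAKE or record[5] != CLIENT_HELLO:
        return None
    hs = record[5:5 + u16(record, 3)]
    p = 4 + 2 + 32                                    # handshake header, legacy_version, random
    p += 1 + hs[p]                                    # session_id
    p += 2 + u16(hs, p)                               # cipher_suites
    p += 1 + hs[p]                                    # compression_methods
    if p + 2 > len(hs):
        return None                                   # no extensions block at all
    end = p + 2 + u16(hs, p)
    p += 2
    while p + 4 <= end:
        etype, elen = u16(hs, p), u16(hs, p + 2)
        data, p = hs[p + 4:p + 4 + elen], p + 4 + elen
        if etype != EXT_SERVER_NAME:
            continue
        q = 2                                         # skip ServerNameList length
        while q + 3 <= len(data):
            ntype, nlen = data[q], u16(data, q + 1)
            if ntype == 0:
                return data[q + 3:q + 3 + nlen].decode("idna")
            q += 3 + nlen
    return None

def observed_hostnames(records):
    """What a passive monitor learns from a batch of ClientHello records: the names, nothing of the payload."""
    return [name for name in (extract_sni(r) for r in records) if name is not None]

# Constructed sample traffic
SAMPLE_RECORDS = [
    build_client_hello("www.example.test"),
    build_client_hello("mail.example.test"),
    build_client_hello(),                             # client that sends no SNI
]
```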
    3. Pretty Good Privacy (PGP)
      1. A data encryption and decryption program for secure communication, often used for emails.
      2. How It Works
        1. Public-Key Cryptography: Uses a pair of keys—public for encryption and private for decryption.
        2. Symmetric-Key Cryptography: Also uses a one-time session key for each message; the message body is encrypted with that key, and only the session key is encrypted with the recipient's public key.
      3. Components
        1. Digital Signature: Authenticates the sender and verifies message integrity.
        2. Encryption: Scrambles the message content for confidentiality.
      4. Algorithms
        1. RSA: For key exchange and digital signatures.
        2. AES: For encrypting the actual message.
      5. Purpose
        1. Confidentiality: Encrypts messages so only the intended recipient can read them.
        2. Authentication: Verifies the sender's identity.
        3. Integrity: Ensures the message hasn't been altered.
      6. Common Uses
        1. Secure Email: Most popular use case.
        2. File Encryption: Can also encrypt files and folders.
      7. Best Practices
        1. Key Management: Regularly update and securely store your keys.
        2. Trust No One: Only decrypt messages from trusted sources.
    4. Securing Network Traffic
      1. Encryption Protocols
        1. TLS/SSL: For secure web traffic (HTTPS).
        2. IPsec: For secure VPN connections.
      2. Firewalls
        1. Hardware Firewalls: Protect the network perimeter.
        2. Software Firewalls: Protect individual devices.
      3. Monitoring
        1. Intrusion Detection Systems (IDS)
          1. Monitor for suspicious activity.
        2. Intrusion Prevention Systems (IPS)
          1. Actively block or prevent malicious activity.
      4. VPNs (Virtual Private Network)
        1. A technology that creates a secure, encrypted tunnel between your device and a remote server.
        2. Purpose
          1. Encrypts all traffic from a device.
        3. How It Works
          1. Encrypts all data traffic from your device and routes it through a remote server, masking your IP address.
        4. Types
          1. SSL VPN
            1. Uses SSL/TLS for secure web-based access.
          2. IPsec VPN
            1. Uses the IPsec protocol, often for site-to-site connections.
          3. Remote Access VPN
            1. Allows users to connect to a remote network.
          4. Site-to-Site VPN
            1. Connects entire networks to each other.
        5. Use Cases
          1. Secure Browsing
            1. Masks your IP and encrypts traffic for privacy.
          2. Remote Work
            1. Securely access work resources from home.
          3. Geo-Spoofing
            1. Access content restricted to certain locations.
        6. Security Protocols
          1. PPTP
            1. Older, less secure.
          2. L2TP/IPsec
            1. More secure than PPTP, commonly used.
          3. OpenVPN
            1. Open-source and highly secure.
        7. Pros and Cons
          1. Pros
            1. Enhanced privacy, secure data transmission, bypass geo-restrictions.
          2. Cons
            1. Slower internet speed, not 100% anonymous.
        8. Best Practices
          1. Choose a Reputable Provider
            1. Not all VPNs are created equal.
          2. Kill Switch
            1. Disconnects you from the internet if the VPN fails.
      5. Data Loss Prevention (DLP)
        1. Prevents sensitive data from leaving the network.
      6. Endpoint Security
        1. Antivirus: Protects against malware.
        2. Endpoint Encryption: Encrypts data on devices.
      7. Best Practices
        1. Regular Audits: To identify vulnerabilities.
        2. Multi-Factor Authentication (MFA): Adds an extra layer of security.
        3. Network Segmentation: Isolates different parts of the network.
      8. Zero Trust Architecture
        1. Principle: Never trust, always verify.
        2. Implementation: Strict access controls and continuous monitoring.
    5. Cryptographic Hardware
      1. Physical devices designed to secure and manage digital keys and perform cryptographic operations.
      2. Types
        1. Hardware Security Module (HSM)
          1. A physical device that safeguards and manages digital keys, often used in enterprise settings.
        2. Smart Cards
          1. Portable cards with embedded chips that can perform cryptographic operations.
        3. USB Security Tokens
          1. USB devices that generate and store cryptographic keys.
        4. Trusted Platform Module (TPM)
          1. A microcontroller that stores keys, passwords, and certificates, often embedded in computer motherboards.
      3. Use Cases
        1. Data Encryption
          1. Hardware-based encryption is generally faster and more secure than software-based methods.
        2. Secure Key Storage
          1. Keys are stored in a secure hardware device, making them less susceptible to theft.
        3. Digital Signatures
          1. Used for authenticating digital documents and emails.
      4. Advantages
        1. Speed
          1. Hardware is generally faster at cryptographic operations than software.
        2. Security
          1. Less susceptible to malware and remote hacking attempts.
        3. Isolation
          1. Keys are isolated from the system, reducing the risk of exposure.
      5. Disadvantages
        1. Cost
          1. Cryptographic hardware can be expensive, especially for high-end devices like HSMs.
        2. Compatibility
          1. May require specific drivers or software to operate.
        3. Physical Security
          1. Being a physical device, it can be stolen or tampered with if not properly secured.
      6. Best Practices
        1. Regular Updates
          1. Keep the firmware up to date to patch any security vulnerabilities.
        2. Multi-Factor Authentication
          1. Use in conjunction with other authentication methods for added security.
        3. Secure Storage
          1. Store the device in a secure location when not in use.
      7. Trusted Execution Environment (TEE)
        1. A secure area inside a main processor that ensures sensitive data is stored, processed, and protected in a secure environment.
        2. Components
          1. Secure Kernel
            1. Manages the TEE and ensures that only authorized code runs in it.
          2. Trusted Applications
            1. Software that is authorized to run within the TEE.
        3. Use Cases
          1. Mobile Payments
          2. Digital Rights Management (DRM)
          3. Secure Boot
      8. TPM (Trusted Platform Module)
        1. A dedicated cryptographic processor, typically integrated into the computer's hardware.
        2. A specialized chip on the computer's motherboard that stores RSA keys specific to the host system for hardware authentication.
        3. Components
          1. Endorsement Key
          2. Storage Root Key
        4. Use Cases
          1. Disk Encryption
            1. Full Disk Encryption (FDE): tools like BitLocker can use the TPM for secure key storage and integrity checks.
          2. Secure Boot
          3. Password Management
    6. Encryption Algorithms
      1. Symmetric
        1. AES (Advanced Encryption Standard)
          1. Usage: Widely used for secure data encryption.
          2. Key Length: 128, 192, or 256 bits.
        2. DES (Data Encryption Standard)
          1. Usage: Now considered weak; mostly replaced by AES.
          2. Key Length: 56 bits.
        3. Blowfish
          1. Usage: Good for both hardware and software implementations.
          2. Key Length: Variable, up to 448 bits.
        4. RC4
          1. Usage: Previously used in SSL/TLS; now considered insecure.
          2. Key Length: Variable, typically 128 bits.
      2. Asymmetric
        1. RSA (Rivest–Shamir–Adleman)
          1. Usage: Commonly used for secure data transmission and digital signatures.
          2. Key Length: Usually 2048 bits or higher.
        2. DSA (Digital Signature Algorithm)
          1. Usage: Mainly for digital signatures.
          2. Key Length: 2048 bits.
        3. ECC (Elliptic Curve Cryptography)
          1. Usage: Gaining popularity for its efficiency.
          2. Key Length: 256 bits (equivalent to 3072-bit RSA).
        4. ElGamal
          1. Usage: Used in secure email and other applications.
          2. Key Length: 1024 to 4096 bits.
    7. Network Security
      1. Network Hardening Best Practices
        1. Firewall Configuration
          1. Rule-Based Access: Only allow necessary traffic.
          2. Ingress/Egress Filtering: Control incoming and outgoing traffic.
          3. Examples
            1. Cisco IOS firewall rules
            2. Juniper firewall rules
            3. iptables firewall rules
            4. UFW firewall rules
            5. Configuring the Mac OS X firewall
            6. Microsoft firewall rules
        2. Network Segmentation
          1. VLANs: Separate different types of traffic.
          2. DMZ: Isolate public-facing services.
        3. VPN for Remote Access
          1. Strong Encryption: Use robust encryption algorithms.
          2. Multi-Factor Authentication (MFA): Always a good idea.
        4. Intrusion Detection System (IDS)
          1. Real-Time Monitoring: Detect unauthorized access or anomalies.
        5. Regular Updates & Patch Management
          1. Automate: Use automated tools for updates.
          2. Vulnerability Scanning: Regularly scan for weaknesses.
        6. Strong Authentication
          1. MFA: Use at least two factors for authentication.
          2. Strong Password Policies: Encourage complex passwords.
        7. Least Privilege Principle
          1. Role-Based Access Control (RBAC): Assign permissions based on roles, not individuals.
        8. Logging & Monitoring
          1. Audit Trails: Keep logs of all network activities.
          2. Alerts: Set up real-time alerts for suspicious activities.
        9. Physical Security
          1. Data Center Access: Restrict who can physically access network hardware.
          2. Device Locks: Use locks on laptops and other portable devices.
        10. Employee Training
          1. Phishing Awareness: Educate staff on the dangers of phishing.
          2. Safe Browsing: Teach best practices for web use.
        11. Data Backups
          1. Regular Backups: Store backups in a secure, offsite location.
          2. Test Restores: Regularly test the restore process.
      2. IEEE 802.1X Protocol
        1. Authentication
          1. Supplicant is the client making the request to access the LAN or wireless access point.
          2. Authenticator takes the packet from the supplicant and sends it to the authentication server until the session is authenticated. Any other traffic sent before authentication occurs is dropped.
          3. Authentication server provides a database of information required for authentication, and informs the authenticator to deny or permit access to the supplicant.
          4. Authentication methods
            1. Shared key system is a shared key or passphrase that is manually set on both the mobile device and the AP/router.
            2. Open system is when the authentication server has a list of authorized clients to check against when a client requests access. This list is usually in the form of MAC addresses, but it varies by network.
          5. Shared key authentication methods
            1. Wired Equivalent Privacy (WEP) is not recommended for a secure WLAN. The main security risk is that an attacker can capture the encrypted form of an authentication response frame and, using widely available software, use that information to crack the WEP encryption.
            2. Wi-Fi Protected Access (WPA) complies with the wireless security standard and strongly increases the level of data protection and access control (authentication) for a wireless network. WPA enforces IEEE 802.1X authentication and key exchange and only works with dynamic encryption keys.
            3. Wi-Fi Protected Access 2 (WPA2) is a security enhancement to WPA. Users must ensure the mobile device and AP/router are configured using the same WPA version and pre-shared key (PSK).
          6. Association allows the access point or router to record each mobile device so that data is properly delivered. This occurs after authentication is complete.
      3. Proxies
        1. Servers that act as intermediaries between a user's computer and the internet.
        2. Types
          1. Forward Proxy
            1. What It Does: Filters client requests.
            2. Use Case: Content filtering, bypassing geo-restrictions.
          2. Reverse Proxy
            1. What It Does: Routes client requests to the appropriate backend server.
            2. Use Case: Load balancing, caching, SSL termination.
          3. Transparent Proxy
            1. What It Does: Redirects client requests without modification.
            2. Use Case: Content filtering, monitoring.
          4. SOCKS Proxy
            1. What It Does: Transfers any type of network traffic.
            2. Use Case: General-purpose proxy, often used for anonymity.
        3. Advantages
          1. Anonymity
            1. Hides your IP address.
          2. Content Filtering
            1. Blocks access to certain websites or content.
          3. Caching
            1. Stores copies of frequently accessed resources.
          4. Load Balancing
            1. Distributes incoming requests across multiple servers.
        4. Disadvantages
          1. Latency
            1. Can slow down your internet speed.
          2. Security Risks
            1. If not configured properly, can expose sensitive data.
          3. Limited Anonymity
            1. Not all proxies provide full anonymity.
        5. Examples
          1. HAProxy
          2. nginx
          3. Apache HTTP
      4. WiFi
        1. WEP (Wired Equivalent Privacy)
          1. An old security algorithm for wireless networks.
          2. How It Works
            1. Encryption: Uses the RC4 stream cipher.
            2. Key: Typically a 40-bit or 104-bit key.
          3. Modern Alternatives
            1. WPA2/WPA3: Stronger encryption and better security features.
        2. WPA2/WPA3
          1. WPA2 (Wi-Fi Protected Access 2)
            1. An advanced security protocol for wireless networks.
            2. How It Works
              1. Encryption: Uses AES (Advanced Encryption Standard).
              2. Authentication: Typically uses PSK (Pre-Shared Key) or EAP (Extensible Authentication Protocol).
          2. WPA3 (Wi-Fi Protected Access 3)
            1. The latest and most secure Wi-Fi encryption standard.
            2. How It Works
              1. Encryption: Also uses AES but adds new features like SAE (Simultaneous Authentication of Equals).
              2. Authentication: Enhanced methods for stronger security.
            3. WPA3 is more secure but may not be compatible with older devices.
          3. Both Support
            1. MFP (Management Frame Protection)
            2. EAP methods for enterprise environments
      5. Unified Threat Management (UTM)
        1. UTM solutions stretch beyond the traditional firewall to include an array of network security tools with a single management interface. UTM simplifies the configuration and enforcement of security controls and policies, saving time and resources. Security event logs and reporting are also centralized and simplified to provide a holistic view of network security events.
        2. UTM options and configurations
          1. UTM hardware and software options
            1. Stand-alone UTM network appliance
            2. Set of UTM networked appliances or devices
            3. UTM server software application(s)
          2. Extent of UTM protection options
            1. Single host
            2. Entire network
          3. UTM security service and tool options can include
            1. Firewall
              1. Can be the first line of defense in catching phishing attacks, spam, viruses, malware, and other potential threats that attempt to access an organization's network. Firewalls can be hardware devices or software applications. Firewalls filter and inspect packets of data attempting to enter and exit a managed network. Rules can be configured to permit or prevent certain types of packets from entering the network.
            2. Intrusion detection system (IDS)
              1. Passively monitors packets of data and network traffic for unusual patterns that could indicate an attack. IDS devices can monitor entire networks (NIDS) or just a single host (HIDS). IDS identifies, logs, and alerts IT Support about suspicious traffic. However, IDS does not prevent an attack from occurring. This system gives IT Support professionals the opportunity to inspect flagged events to determine how to handle the threat on a case-by-case basis.
            3. Intrusion prevention system (IPS)
              1. Actively monitors packets and network traffic for potential malicious attacks. IPS systems can be configured to automatically block attacks or to allow manual interventions. IPS devices can monitor entire networks (NIPS) or just a single host (HIPS).
            4. Antivirus software
              1. Uses a signature database to obtain the profiles of malicious files, such as spyware, Trojans, malware, worms, and more. The antivirus software monitors the organization's network and systems for these virus signatures. Once identified, the software will block, quarantine, or destroy them.
            5. Anti-malware software
              1. Scans information streams for known malware signatures and blocks threats. Additionally, anti-malware software can use heuristic analysis to detect novel malware threats by identifying key behaviors and characteristics. The software can also use sandboxing to isolate suspicious files.
            6. Spam gateway
              1. Filters, identifies, and quarantines spam email. Spam gateways are network servers that use Domain Name System (DNS) management tools to protect against spam.
            7. Web and content filters
              1. Block user access to risky and malicious websites. When a user attempts to access an unauthorized or suspicious website using a browser, the UTM web filter can prevent the website from loading. The filter can also be customized to block certain types of websites or specific URLs, like social media or other websites that might be a distraction in the workplace.
            8. Data leak/loss prevention (DLP)
              1. Monitors outgoing network traffic for personal, sensitive, and confidential data. DLP includes a verification system to determine if the external data transfer is authorized or malicious, and can block unauthorized attempts.
            9. Virtual Private Network (VPN)
              1. Encrypts data and creates a private "tunnel" to safely transmit the data through a public network.
          4. Stream-based vs. proxy-based UTM inspections
            1. Stream-based inspection, also called flow-based inspection
              1. UTM devices inspect data samples from packets for malicious content and threats as the packets flow through the device in a stream of data. This process minimizes the duration of the security inspection, which keeps network data flowing at a faster rate than a proxy-based inspection.
            2. Proxy-based inspection
              1. A UTM network appliance works as a proxy server for the flow of network traffic. The UTM appliance intercepts packets and uses them to reconstruct files. Then the UTM device analyzes the file for threats before allowing the file to continue on to its intended destination. Although this security screening process is more thorough than the stream-based inspection technique, proxy-based inspections are slower in the transmission of data.
          5. Benefits of using UTM
            1. UTM can be cost-effective
              1. Reduces the time and resources needed to manage multiple stand-alone security tools. Purchasing a suite of integrated tools may also be less expensive than buying each tool separately.
            2. UTM is flexible and adaptable
              1. Offers flexible solutions and options for security management. The security services and tools in a UTM can be implemented in any combination that is appropriate for each network environment.
            3. UTM offers integrated and centralized management
              1. Consolidates multiple security tools into a central management console. This simplifies monitoring and addressing security threats, as well as streamlining the management of updates to the UTM components. The central management feature also helps IT Support staff identify and stop the full extent of an attack across an entire network.
          6. Risks of using UTM
            1. UTM can become a single point of failure in a network security attack
              1. If an attack disables an entire UTM solution, there would be no other backup security services or tools to stop that attack. One of the core principles of information systems management is to design and implement redundant, backup, and failover systems. When one element of an IT system is attacked or experiences a failure, there should always be a backup or parallel system to replace it.
            2. UTM might be a waste of resources for small businesses
              1. Small businesses may not need a robust security solution like UTM. The time and money needed to purchase, implement, and manage a complex UTM system may not provide a significant return on security benefits for a smaller network. Cybercriminals are more likely to attack larger targets.
      6. tcpdump
        1. A command-line utility that captures and analyzes network traffic.
        2. How It Works
          1. Capture Filters: Specify what kind of packets to capture.
          2. Display Filters: Control what information is displayed.
        3. Use Cases
          1. Troubleshooting: Identify network issues.
          2. Security: Detect suspicious activity.
          3. Performance Tuning: Analyze network performance.
        4. Basic Commands
          1. tcpdump -i eth0
            1. Capture all traffic on an interface.
          2. tcpdump -i eth0 host 192.168.1.1
            1. Capture traffic to or from a specific host.
          3. tcpdump -i eth0 port 80
            1. Capture traffic on a specific port.
          4. tcpdump -i eth0 -w output.pcap
            1. Capture and save to a file.
      7. wireshark
        1. A popular network protocol analyzer with a graphical interface.
        2. How It Works
          1. Capture Filters: Specify what to capture, similar to tcpdump.
          2. Display Filters: Fine-tune what you see in the interface.
          3. Packet Details: View packet contents in various formats.
        3. Use Cases
          1. Troubleshooting: Diagnose network issues.
          2. Security Audits: Detect anomalies or unauthorized access.
          3. Learning: Great educational tool for understanding network protocols.
      8. Host-Based Firewall
        1. A software firewall that controls incoming and outgoing network traffic based on a set of user-defined rules.
        2. How It Works
          1. Rule-Based: You set rules for allowing or blocking specific traffic.
          2. Stateful Inspection: Keeps track of the state of active connections.
          3. Application-Level Filtering: Controls traffic based on specific applications.
        3. Common Features
          1. Inbound/Outbound Rules: Control traffic coming in and going out.
          2. Logging: Keeps a record of allowed and blocked connections.
          3. Alerts: Notifies you of suspicious activity.
        4. Examples
          1. Windows Firewall: Built into Windows OS.
          2. UFW (Uncomplicated Firewall): Popular on Linux systems.
          3. Little Snitch: Known for macOS.
      9. Logging and Auditing
        1. Types of Logs
          1. System Logs: OS-level activities.
          2. Application Logs: Specific to a particular application.
          3. Security Logs: Unauthorized access attempts, policy violations, etc.
        2. Types of Auditing
          1. Automated Auditing: Software-based, real-time monitoring.
          2. Manual Auditing: Periodic reviews by human auditors.
        3. Common Tools
          1. Syslog: Standard for message logging on Unix systems.
          2. Windows Event Viewer: For Windows systems.
          3. Splunk: Advanced tool for log collection and analysis.
        4. Best Practices
          1. Regular Reviews: Don't just collect logs; review them.
          2. Secure Storage: Keep logs in a secure, tamper-proof environment.
          3. Retention Policy: Decide how long to keep logs based on legal and operational needs.
        5. rsyslog
          1. An open-source utility for log processing on Unix and Unix-like systems. It's an extension of the original syslog protocol.
          2. How It Works
            1. Collects Logs: From different parts of the system and network.
            2. Filters: Based on content, severity, facility, etc.
            3. Forwards: Sends logs to various destinations like files, databases, or other servers.
          3. Commands
            1. sudo systemctl status rsyslog
              1. Check the service status.
            2. sudo systemctl restart rsyslog
              1. Restart the service.
            3. tail -f /var/log/syslog
              1. View logs as they arrive.
          4. Configuration File
            1. /etc/rsyslog.conf
          5. Best Practices
            1. Centralized Logging: Use rsyslog to forward logs to a centralized server for easier management.
            2. Secure Transport: Use TLS for secure log transmission over networks.
        6. SIEM (Security Information and Event Management)
          1. A comprehensive solution that provides real-time analysis of security alerts generated by various hardware and software infrastructures.
          2. Core Functions
          3. Data Aggregation: Collects data from multiple sources.
          4. Event Correlation: Links related records and identifies patterns.
          5. Alerting: Notifies admins of suspicious activities.
          6. Dashboards: Summarizes the security status.
          7. Compliance Reports: Helps in meeting regulatory standards.
          8. Popular Solutions
          9. Splunk: Known for its powerful analytics.
          10. IBM QRadar: Offers AI capabilities.
          11. ArcSight: Good for large enterprises.
          12. Best Practices
          13. Fine-Tune Alerts: Too many false positives can be as bad as missing an actual threat.
          14. Regular Updates: Keep the SIEM software up-to-date.
          15. User Training: Make sure the team knows how to use the SIEM effectively.
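As an added example (not part of the original notes), a small Python script that performs the automated review and event correlation described above: it parses constructed syslog-format lines of the kind rsyslog writes to /var/log/syslog, groups failed SSH logins per source address inside a sliding time window, and raises one alert per burst. The threshold and window are the tuning knobs behind "Fine-Tune Alerts"; the hostnames, PIDs and 203.0.113.x addresses in the sample are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the classic syslog (RFC 3164) layout that rsyslog
# writes to /var/log/syslog or /var/log/auth.log. Addresses are from the
# 203.0.113.0/24 documentation range; hostnames and PIDs are invented.
SAMPLE_LOG = """\
Sep 12 10:00:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Sep 12 10:00:03 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Sep 12 10:00:04 web01 sshd[2215]: Failed password for root from 203.0.113.5 port 51004 ssh2
Sep 12 10:00:06 web01 sshd[2217]: Failed password for root from 203.0.113.5 port 51006 ssh2
Sep 12 10:00:07 web01 sshd[2219]: Failed password for invalid user test from 203.0.113.5 port 51008 ssh2
Sep 12 10:00:09 web01 sshd[2221]: Accepted publickey for deploy from 203.0.113.20 port 40022 ssh2
Sep 12 10:00:15 web01 sshd[2230]: Failed password for alice from 203.0.113.20 port 40030 ssh2
Sep 12 10:00:40 web01 CRON[2240]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 12 10:09:50 web01 sshd[2250]: Failed password for alice from 203.0.113.20 port 40040 ssh2
"""

# One regex for the syslog header (timestamp, host, program[pid]) and one for
# the sshd message this detector cares about.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line, year=2024):
    """Parse one syslog line into a dict, or return None if it does not match."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    # RFC 3164 timestamps carry no year; assume one so time deltas can be computed.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "app": m["app"], "msg": m["msg"]}


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Correlate failed SSH logins per source IP inside a sliding time window.

    Emits one alert the moment an IP reaches `threshold` failures within
    `window_seconds`, then resets that IP's window so a single burst does not
    flood the operator with duplicate alerts (the alert-tuning point above).
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None or event["app"] != "sshd":
            continue
        f = FAILED_RE.search(event["msg"])
        if not f:
            continue
        ip, ts = f["ip"], event["ts"]
        q = recent[ip]
        q.append(ts)
        # Drop failures that have fallen out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"ip": ip, "host": event["host"], "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_LOG):
        print(f"ALERT {a['host']}: {a['count']} failed SSH logins from {a['ip']} "
              f"between {a['first']} and {a['last']}")
```

Lowering the threshold or widening the window turns the single noisy burst into several alerts and also flags the slow attempts from the second address, which is exactly the trade-off the notes warn about.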
    8. Disk Encryption
      1. A technology that encrypts the entire hard drive, making it unreadable without the correct decryption key or password.
      2. How It Works
        1. Full Disk Encryption (FDE): Encrypts the entire disk, including the OS.
        2. File-Level Encryption: Encrypts individual files or folders.
      3. Popular Tools
        1. BitLocker: Integrated into Windows, works well with TPM.
        2. FileVault 2: macOS solution.
        3. LUKS: For Linux systems.
      4. FDE Options
        1. PGP (Pretty Good Privacy)
        2. BitLocker: Integrates well with TPM (Trusted Platform Module).
  2. Problems
    1. Malware
      1. A type of malicious software that can be used to obtain your sensitive information, or to delete or modify files.
      2. Types
        1. Virus
          1. Infects files and spreads when the host is activated.
          2. File-based
          3. self-replicating
        2. Worm
          1. Spreads across networks without user action.
          2. Network-based
          3. self-replicating
        3. Trojan
          1. Disguised as legitimate software but carries malicious code.
          2. Deceptive
          3. non-replicating
        4. Ransomware
          1. Encrypts files and demands payment for decryption
          2. Encrypting
          3. extortion-based
        5. Spyware
          1. Collects personal information without consent.
          2. Data-collecting
          3. stealthy
        6. Adware
          1. Shows unwanted ads and can be intrusive.
          2. Annoying
          3. revenue-generating
        7. Rootkit
          1. Gains admin-level control over a system
          2. Stealthy
          3. privileged access
        8. Botnet
          1. Networks of compromised computers controlled remotely
          2. Network-based
          3. remote control
        9. Keylogger
          1. Records keystrokes to capture sensitive info
          2. Data-collecting
          3. stealthy
        10. Fileless Malware
          1. Lives in memory, not in files.
          2. Evasive
          3. memory-resident
        11. Backdoor
          1. Provides unauthorized remote access to a system.
          2. Stealthy
          3. privileged access
          4. remote control
        12. Logic Bomb
          1. A piece of code that triggers malicious activity when certain conditions are met.
          2. Conditional
          3. stealthy
          4. event-driven
      3. Measures
        1. Antimalware Protection, Malware Removal
          1. Gather and verify
          2. Symptoms
          3. Running slower than normal
          4. Restarts on its own multiple times
          5. Uses all or a higher than normal amount of memory
          6. After you’ve gathered information, verify that the issues are still occurring by monitoring the computer for a period of time. One way to monitor and verify is to review the activity on the computer’s resource manager where you can see open processes running on a system.
          7. When looking at the resource manager, you might see a program with a name you do not recognize, a program that is using a lot of memory, or both. If you see a suspicious program, you should investigate this application by asking the user if it is familiar to them.
          8. Quarantine malware
          9. To quarantine, or separate, the infected device from the rest of the network, you should disconnect from the internet by turning off WiFi and unplugging the ethernet cable. Once the computer is disconnected, the malware can no longer spread to other computers on the network.
          10. You should also disable any automatic system backup. Some malware can reinfect a computer by using automatic backup, because you can restore the system with files infected by the malware.
          11. Remove malware
          12. Run an offline malware scan.
          13. You may need to briefly connect to the internet to confirm that your malware program is fully updated.
          14. The scan should successfully identify, quarantine, and remove the malware on the computer. Once the process is complete, monitor the computer again to confirm that there are no further issues.
          15. To help ensure that a malware infection doesn’t happen again, threat definitions should be set to update automatically, and the software should automatically scan for and quarantine suspected malware.
          16. After the malware has been removed from the computer, you should turn back on the automatic backup tool and manually create a safe restore point. If the computer needs attention in the future, this new restore point is confirmed safe and clean.
          17. Malware education
          18. Keep the computer and software updated
          19. Use a non-administrator account whenever possible
          20. Think twice before clicking links or downloading anything
          21. Be careful about opening email attachments or images
          22. Don't trust pop-up windows that ask to download software
          23. Limit your file-sharing
          24. Use antivirus software
          25. Key takeaways
          26. An infected device should be isolated from the local network and internet as soon as possible.
          27. Antivirus and Anti-Malware software is a key tool for detecting and removing malware.
          28. Keeping threat protection software updated makes malware removal faster and easier.
          29. Education is the first and best line of defense against malware.
    2. Physical security
      1. Guards
        1. Guards monitor controlled access points throughout a facility to prevent unauthorized access.
      2. Door locks
        1. Door locks allow an area to be restricted. Only people with an authorized unlocking mechanism, like a key or security badge, can gain access to the restricted area.
      3. Equipment locks
        1. Equipment locks can restrict the movement of sensitive equipment, like servers, storage media, or terminals, by anchoring them to a less mobile structure. Only people with an authorized unlocking mechanism, like a key or security badge, can release the controlled equipment from its anchored location.
      4. Video surveillance
        1. Video cameras allow continuous observation and recorded activity playback within controlled areas. Video surveillance can document who accesses a controlled area, how they access it, and what they do there.
      5. Alarm systems
        1. Alarm systems notify security by sounding an alarm or sending a message when a controlled area is accessed.
      6. Motion sensors
        1. Motion sensors are devices that detect movement within a controlled area. Motion sensors can trigger alarm systems or video surveillance.
      7. Protecting the entry points of a building
        1. Access control vestibules
          1. Access control vestibules create a space between two sets of interlocking doors or gateways to prevent unauthorized individuals from following authorized individuals into controlled facilities.
        2. Badge readers
          1. Badge readers are devices that read information encoded into a plastic card. They identify each user by the badge they present to the device. Badge readers can be used to control electrically operated door locks and can be built into computer terminals to control access to information.
      8. Protecting the outside of a building
        1. Bollards
          1. Bollards are sturdy, short, vertical posts placed to restrict access of vehicles to a controlled area.
        2. Fences
          1. Fences are physical barriers, with many different designs, that enclose controlled areas to establish a perimeter and keep out external threats.
    3. Attacks
      1. Network Attacks
        1. types
          1. Denial of Service (DoS)
          2. Overwhelms a system to make it unavailable.
          3. Bandwidth exhaustion, resource depletion.
          4. Distributed Denial of Service (DDoS)
          5. DoS attack from multiple sources
          6. Multiple origins, high traffic volume.
          7. Man-in-the-Middle (MitM)
          8. Intercepts and alters communication between two parties.
          9. Eavesdropping, data tampering.
          10. Packet Sniffing
          11. Captures data packets to analyze network traffic.
          12. Passive, data capture.
          13. Port Scanning
          14. Identifies open ports on a network.
          15. Reconnaissance, vulnerability assessment.
          16. IP Spoofing
          17. Fakes the source IP address in data packets.
          18. Deceptive, identity masking.
          19. ARP Poisoning
          20. Links an attacker's MAC address with an IP address.
          21. Deceptive, local network attack.
          22. SQL Injection
          23. Injects malicious SQL code into a database query.
          24. Data manipulation, unauthorized access.
          25. Phishing
          26. Uses fake websites or emails to collect sensitive info.
          27. Deceptive, social engineering.
          28. Zero-Day Exploit
          29. Attacks a vulnerability before it's patched.
          30. Opportunistic, high impact.
          31. Session Hijacking
          32. Unauthorized takeover of an established user session.
          33. Eavesdropping, unauthorized access, data theft.
          34. Rogue AP (Access Point) Attack
          35. An unauthorized access point is set up to capture network traffic.
          36. Deceptive, unauthorized access, data capture.
      2. Client-Side Attacks
        1. Targets vulnerabilities in client software like browsers and plugins.
        2. Exploitative, user-focused, often requires user interaction.
        3. Cross-Site Scripting (XSS) Attacks
          1. Injects malicious scripts into web pages viewed by others.
          2. Script injection, user-focused, web application vulnerability.
          3. types
          4. Stored XSS
          5. The script is permanently stored on the target server.
          6. Reflected XSS
          7. The script is embedded in a URL and only affects users who click the link.
          8. DOM-based XSS
          9. Manipulates the Document Object Model (DOM) of a web page.
      3. Password Attacks
        1. Attempts to crack or bypass authentication mechanisms
        2. Brute-force, dictionary attacks, credential stuffing.
        3. types
          1. Brute-Force: Tries all possible combinations.
          2. Dictionary Attack: Uses a pre-defined list of words.
          3. Credential Stuffing: Uses previously leaked usernames and passwords.
          4. Rainbow Table: Uses precomputed hashes to crack passwords.
          5. Phishing: Tricks users into revealing their passwords.
          6. Keylogging: Captures keystrokes to find passwords.
      4. Deceptive Attacks
        1. Uses social engineering or misleading tactics to gain unauthorized access.
        2. Manipulative, relies on human error, often non-technical.
        3. types
          1. Phishing: Sends fake emails to collect sensitive info.
          2. Spear Phishing: Targets specific individuals with personalized emails.
          3. Baiting: Offers something enticing to lure victims into a trap.
          4. Pretexting: Creates a fabricated scenario to obtain information.
          5. Quid Pro Quo: Offers a service in exchange for information or access.
          6. Whaling
          7. Targets high-profile individuals like executives for phishing attacks, aiming for high-value gains like ransom or confidential data.
          8. Vishing
          9. Uses VoIP calls to impersonate reputable companies, tricking people into revealing personal info like bank and credit card details.
          10. Shoulder Surfing
          11. Observing someone's screen or keypad to steal login credentials or other sensitive info, often in workplaces.
          12. Tailgating
          13. Gaining physical access to a secure area by following authorized personnel, often using social engineering tricks like fake IDs.
          14. Impersonation
          15. Posing as a trusted figure via email, text, or call to trick people into granting network access or revealing sensitive info.
          16. Dumpster Diving
          17. Searching through trash to find confidential documents or information, often targeting organizations.
          18. Evil Twin
          19. Setting up a rogue Wi-Fi access point that mimics a legitimate one to capture data from connected devices.
    4. Base
      1. CIA
        1. Confidentiality
          1. Keeping things hidden
        2. Integrity
          1. Keeping our data accurate and untampered with
        3. Availability
          1. The information we have is readily accessible to those people that should have it
        4. CIA triad
          1. A guiding model for designing information security policies
      2. Risk
        1. The possibility of suffering a loss in the event of an attack on the system
      3. Vulnerability
        1. A flaw in a system that could be exploited to compromise the system
        2. 0-day vulnerability (zero day)
          1. A vulnerability that is not known to the software developer or vendor, but is known to an attacker
      4. Exploit
        1. Software that is used to take advantage of a security bug or vulnerability
      5. Threat
        1. The possibility of a danger that could exploit a vulnerability
      6. Hacker
        1. A hacker in the security world is someone who attempts to break into or exploit a system
      7. Attack
        1. An actual attempt at causing harm to a system
  3. AAA
    1. Authentication
      1. Verifies the identity of a user, device, or service.
      2. How It Works
        1. Uses credentials like usernames, passwords, or tokens to confirm identity.
      3. Examples
        1. Password-based login
        2. Two-factor authentication (2FA)
        3. U2F Tokens (Universal 2nd Factor)
          1. How They Work
          2. Physical hardware token that you plug into your device.
          3. Uses public-key cryptography for authentication.
          4. Security Features
          5. Phishing Resistance: The token is bound to the website's domain, making it resistant to phishing attacks.
          6. No Shared Secret: Uses asymmetric encryption, so there's no shared secret that could be compromised.
          7. Physical Presence: Requires the user to physically touch the token, adding an extra layer of security.
          8. Why U2F Tokens Are More Secure
          9. Phishing Protection: U2F tokens are bound to a specific site, making them more resistant to phishing.
          10. Multi-Factor: Requires something you have (the token) and something you are (physical presence) for authentication.
          11. No Man-in-the-Middle: The cryptographic handshake makes it extremely difficult for attackers to intercept or modify data.
        4. OTP Generators (One-Time Password)
          1. How They Work
          2. Generates a temporary, time-based or counter-based code.
          3. The server knows the algorithm and shared secret, so it can verify the code.
          4. Security Features
          5. Time-Limited: OTPs expire after a short period, reducing the window for unauthorized access.
          6. No Reuse: Each password is unique and can't be reused.
      4. Biometrics
        1. Fingerprint scanning
        2. Facial recognition
        3. Iris and Retinal scanning
          1. Iris scanning is not a secure form of biometric authentication because a photograph of the user’s iris can be used to gain access.
      5. Geolocation
        1. Geofencing
          1. Geofencing is used to authenticate users who are physically within a certain radius of a specific location.
        2. Global Positioning Systems (GPS)
          1. Global Positioning Systems (GPS) use satellites orbiting Earth to map a device's longitude and latitude.
        3. Indoor Positioning Systems (IPS)
          1. Indoor Positioning Systems (IPS) triangulate a device’s location by using WiFi access points, cell phone towers, and/or Bluetooth beacons.
        4. Near-field communication (NFC) and scanners
          1. You may have interacted with a near-field communication (NFC) scanner by using contactless payments with a credit card, bank card, or smartphone.
    2. Authorization
      1. Determines what an authenticated user is allowed to do.
      2. How It Works
        1. Sets permissions and access levels based on roles or attributes.
      3. Examples
        1. Role-based access control (RBAC)
        2. Attribute-based access control (ABAC)
      4. OAuth (Open Authorization)
        1. A standard for access delegation commonly used for token-based authentication.
        2. How It Works
          1. Authorization Request: You ask for permission to access a specific service.
          2. Token Issued: If approved, you get a token instead of a username/password combo.
          3. Token Used: You use this token to access the service.
        3. Components
          1. Resource Owner
          2. That's you, the user!
          3. Client
          4. The app or service you want to use.
          5. Authorization Server
          6. The server that authenticates you and issues tokens.
          7. Resource Server
          8. The server hosting the resource you want to access.
        4. What It Provides
          1. Delegated Authorization: You can grant limited access to your data on one service to another service, without sharing your credentials.
          2. Token-Based: Uses tokens, which are more secure and versatile than basic authentication.
          3. Scalability: Easy to implement across various platforms and languages.
    3. Accounting
      1. Tracks what users do after they are authenticated and authorized.
      2. How It Works
        1. Logs activities like login times, accessed resources, and modifications made.
      3. Examples
        1. Audit logs
        2. Usage reports
    4. AAA in Action
      1. RADIUS and TACACS+
        1. Commonly used protocols that provide AAA services, often in network security.
      2. RADIUS
        1. RADIUS (Remote Authentication Dial-In User Service)
        2. A networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) for users connecting to a network.
        3. How It Works
          1. Authentication: Verifies user credentials.
          2. Authorization: Grants appropriate network access based on user profile.
          3. Accounting: Logs user activity for billing or auditing.
        4. Components
          1. RADIUS Server
          2. The central device that performs AAA functions.
          3. RADIUS Client
          4. A network device like a router or switch that forwards authentication requests to the RADIUS server.
          5. Supplicant
          6. The end user or device trying to gain network access.
        5. Use Cases
          1. VPN Access
          2. Authenticates users trying to access a Virtual Private Network.
          3. Wireless Networks
          4. Commonly used in enterprise Wi-Fi solutions.
          5. ISP Authentication
          6. Used by Internet Service Providers to authenticate dial-up or broadband users.
        6. Advantages
          1. Centralized Management
          2. All authentication data is stored in one place, making it easier to manage.
          3. Scalability
          4. Easily handles a large number of authentication requests.
          5. Flexibility
          6. Supports various authentication methods like PAP, CHAP, and EAP.
        7. Disadvantages
          1. Security Concerns
          2. Earlier versions have vulnerabilities; it's advisable to use it with other security measures.
          3. Complex Setup
          4. Can be complex to set up and manage, especially for small networks.
      3. Kerberos
        1. A network authentication protocol designed to provide secure authentication for users and services over a non-secure network, like the internet.
        2. How It Works
          1. Initial Authentication: User logs in, and a Ticket Granting Ticket (TGT) is issued.
          2. Service Access: When accessing a network service, the TGT is used to request a service ticket.
        3. Components
          1. AS (Authentication Server)
          2. Verifies user credentials and issues a TGT.
          3. TGS (Ticket Granting Server)
          4. Issues service tickets based on the TGT.
          5. Service Server
          6. The actual service (like a file server) that the user wants to access.
        4. Use Cases
          1. Single Sign-On (SSO)
          2. Allows users to authenticate once and gain access to multiple services.
          3. Secure File Sharing
          4. Used in network file systems like NFS for secure access.
          5. Database Access
          6. Protects database systems by ensuring only authorized users can access them.
        5. Advantages
          1. Time-Bound Tickets
          2. Tickets have a short lifespan, reducing the chance of unauthorized access.
          3. Mutual Authentication
          4. Both the user and the service have to prove their identity.
          5. Scalability
          6. Well-suited for large, complex networks.
        6. Disadvantages
          1. Initial Complexity
          2. Setup can be complex and requires careful planning.
          3. Time Sensitivity
          4. Because it's time-based, clock synchronization between systems is crucial.
        7. Best Practices
          1. Regular Audits
          2. Keep an eye on authentication logs for any suspicious activity.
          3. Strong Encryption
          4. Always use strong encryption algorithms to protect ticket data.
      4. TACACS+
        1. TACACS+ (Terminal Access Controller Access-Control System Plus)
        2. A security protocol designed to provide centralized validation of users who are trying to gain access to network resources.
        3. How It Works
          1. Authentication: Verifies user identity.
          2. Authorization: Grants specific permissions to users.
          3. Accounting: Keeps a detailed record of user activity.
        4. Components
          1. TACACS+ Server
          2. The central authority that performs Authentication, Authorization, and Accounting (AAA).
          3. Network Device
          4. Routers, switches, or firewalls that act as the TACACS+ client, forwarding user requests to the server.
        5. Use Cases
          1. Enterprise Networks
          2. Commonly used in large corporate networks for robust security.
          3. ISP Networks
          4. Used by Internet Service Providers to manage customer access and keep logs.
        6. Advantages
          1. Granular Control
          2. Offers more detailed control over commands and activities users can perform.
          3. Separate AAA Functions
          4. Allows for the separation of Authentication, Authorization, and Accounting, which can be beneficial for complex setups.
          5. Encryption
          6. Encrypts the entire body of the packet for enhanced security.
        7. Disadvantages
          1. Complexity
          2. Can be more complex to set up compared to RADIUS.
          3. Limited Adoption
          4. Not as widely supported as RADIUS, especially in non-Cisco devices.
        8. Best Practices
          1. Use Strong Encryption
          2. Always opt for strong encryption methods.
          3. Regular Audits
          4. Frequently review logs and settings to maintain security.
      5. Single Sign-On (SSO)
        1. An authentication process that allows a user to access multiple services with a single set of credentials.
        2. How It Works
          1. Initial Login: User logs in once to an authentication server.
          2. Token Issued: A token or certificate is issued to the user.
          3. Access Multiple Services: The token is used to gain access to various services without requiring additional logins.
        3. Components
          1. Identity Provider (IdP)
          2. The service that verifies the user's identity and issues tokens.
          3. Service Provider (SP)
          4. The individual services or applications that trust the IdP and accept its tokens.
        4. Use Cases
          1. Enterprise Environments
          2. Allows employees to access various internal services with a single login.
          3. Consumer Services
          4. Like using your Google or Facebook account to log into different websites.
        5. Advantages
          1. User Convenience
          2. No need to remember multiple usernames and passwords.
          3. Reduced Password Fatigue
          4. Lessens the chances of insecure password practices.
          5. Streamlined User Management
          6. Easier for admins to manage permissions and monitor activity.
        6. Disadvantages
          1. Single Point of Failure
          2. If someone gains access to the SSO account, they potentially have access to all linked services.
          3. Implementation Complexity
          4. Can be challenging to set up, especially for legacy systems.
        7. Best Practices
          1. Multi-Factor Authentication (MFA)
          2. Always use MFA for added security.
          3. Regular Audits
          4. Frequently review and update permission settings.