Security - kamialie/knowledge_corner GitHub Wiki

Security is about protecting data. Specifically, it is about 3 aspects of data (the CIA triad):

  • confidentiality - only authorized parties can access data; examples are encryption, ACLs, principle of least privilege
  • integrity - deny improper modification at rest and in transit; verify that data has not been modified (e.g. supply a one-way hash of the data, which the receiver can recalculate and compare)
  • availability - protecting the systems that store, process, and deliver data

Assessment

5 types of assessments

  1. risk
  2. security control
  3. compliance
  4. vulnerability
  5. penetration test

Risk assessment

Determine where an organization may be exposed to attack. Gauge leadership's risk appetite and identify likelihood and impact.

National Institute of Standards and Technology - good place to find definitions.

Threat is a circumstance or event that could damage the confidentiality, integrity, or availability of information or information systems (e.g. the possibility to take an application offline or to make changes without proper approvals).

Vulnerability is a weakness that enables the threat to be successful (e.g. a missing security patch or a default admin password).

NIST SP 800-30 Rev. 1 (more qualitative approach) and FAIR, Factor Analysis of Information Risk (more quantitative approach), are good places to start.

Calculating risk score

  • likelihood - the probability that a threat might actually succeed in exploiting the vulnerability
  • impact - the amount of damage inflicted by a threat
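A worked scoring example for the two factors above. This is an added illustration, not content from the wiki: the page names likelihood and impact but no scale or formula, so the 1..5 ordinal scales, the product as the score, and the Low/Medium/High bands are all assumptions here (a real programme takes its scale from its chosen method, e.g. NIST SP 800-30). The register entries are constructed.

```python
"""Risk scoring worked example (added illustration, not from the wiki).

Assumptions not stated on the page: likelihood and impact are each rated
on a 1..5 ordinal scale, the score is their product (1..25), and the score
is bucketed into qualitative bands for prioritisation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        """Reject out-of-range ratings instead of silently scoring them."""
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Assumed bands over the 1..25 range."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def prioritize(risks):
    """Return (score, band, risk) tuples, highest score first."""
    scored = ((r.score(), rating(r.score()), r) for r in risks)
    return sorted(scored, key=lambda t: t[0], reverse=True)


# Constructed sample register; threats/vulnerabilities echo the page's examples.
SAMPLE_REGISTER = [
    Risk("Internet-facing app taken offline", "missing security patch", 4, 4),
    Risk("Unauthorised configuration change", "default admin password", 3, 5),
    Risk("Laptop theft", "unencrypted disk", 2, 3),
    Risk("Phishing of finance staff", "no MFA on email", 4, 3),
]

if __name__ == "__main__":
    for score, band, r in prioritize(SAMPLE_REGISTER):
        print(f"{score:>2} {band:<6} {r.threat} / {r.vulnerability}")
```

The output is the prioritized list a risk assessment ends with; the bands are what leadership's risk appetite is compared against.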

Information Sharing and Analysis Centers.

Security control assessment

Identify existing controls. Evaluate control strength, cost, and complexity. Make use of security control frameworks. Often includes interviews with technical staff and analysis of configuration files. The end result is a prioritized list of control gaps.

International Organization for Standardization. The ISO 27000 family contains standards regarding information security management systems (ISMS), over 45 published standards in total, reviewed and updated every 5 years. ISO 27002 is a code of practice for information security controls with 114 controls in 14 categories. ISO 27001 security.

NIST publications

Subseries   Topics
SP 800      Computer security
SP 1800     Cybersecurity practice guides
SP 500      Information technology

NIST Cybersecurity framework. NIST 800-53 Rev. 4 is similar to ISO 27002:2013.

Use ISO for organizing security program and NIST for technical implementation.

Compliance assessment

Determine whether your security program meets specific requirements outlined by an external authority. One of the most well-known is the Payment Card Industry Data Security Standard (PCI DSS).

Vulnerability assessment

Validate that technical vulnerabilities are being identified and remediated on a regular basis. The end result is a prioritized list of vulnerabilities, information regarding potential exploits, and remediation recommendations.

Different scanning tools, by type of target

  • hosts - Nessus
  • databases - Scuba
  • applications - OWASP ZAP

NIST SP 800-15 provides guidance on manual assessments.

Penetration assessment

Exploit weaknesses identified by previous assessments.

Types of testing

Type       Description
White box  full knowledge (insider) - network diagrams, internal vulnerability reports, firewall rule sets; focus on exploiting known weaknesses
Black box  perspective of an unauthorized outsider; focus on finding and exploiting weaknesses
Grey box   some internal knowledge; test known weaknesses from the perspective of an unauthorized outsider

Goals of tests:

  • domain admin
  • email access
  • intellectual property
  • customer information

Tooling

https://www.offensive-security.com/

https://sectools.org/

Nmap

Network mapping

  • Nmap Scripting Engine (NSE)
  • nmap cheat sheet
  • scanme.nmap.org - server hosted by nmap for test queries

Scan all hosts on a particular network (-Pn treats all hosts as online, since ICMP might be blocked and hosts would otherwise not be discovered)

$ nmap -Pn 192.168.1.0/24

OS and version detection

$ nmap -A target

Interesting areas:

  • unencrypted protocols (telnet, FTP)
  • administrative services (SSH, RDP, VNC, HTTPS)
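Triaging a scan for the two "interesting areas" above is a parsing job. The block below is an added example (not from the wiki, not an nmap feature): it reads nmap's grepable output format (`-oG`), keeps only open ports, and flags the unencrypted and administrative services the page lists. The scan text is constructed, not a real network, and the `port/state/proto/owner/service/rpc/version/` field layout is the one `-oG` emits.

```python
"""Flag unencrypted and administrative services in nmap -oG output.

Added example, not part of the wiki. SAMPLE_GNMAP is constructed to look
like `nmap -Pn -oG - 192.168.1.0/24`; it is not a real scan result.
"""

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -Pn -oG - 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (997)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 23/open/tcp//telnet///, 3389/open/tcp//ms-wbt-server///, 5900/open/tcp//vnc///\tIgnored State: filtered (997)
Host: 192.168.1.30 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

# The page's two interesting areas, keyed by the service name nmap prints.
UNENCRYPTED = {"telnet", "ftp"}
ADMINISTRATIVE = {"ssh", "ms-wbt-server", "vnc", "https"}  # ms-wbt-server is RDP


def parse_gnmap(text):
    """Yield (host, port, proto, service) for every *open* port in -oG text."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and "Status: Up" lines carry no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            # port/state/proto/owner/service/rpcinfo/version/
            if len(fields) < 5 or fields[1] != "open":
                continue
            yield host, int(fields[0]), fields[2], fields[4]


def triage(text):
    """Return (host, port, category, service) for services worth a closer look."""
    findings = []
    for host, port, proto, service in parse_gnmap(text):
        if service in UNENCRYPTED:
            findings.append((host, port, "unencrypted", service))
        elif service in ADMINISTRATIVE:
            findings.append((host, port, "administrative", service))
    return findings


if __name__ == "__main__":
    for host, port, category, service in triage(SAMPLE_GNMAP):
        print(f"{host:<15} {port:>5}/tcp {category:<15} {service}")
```

Running it against a real `nmap -Pn -oG scan.gnmap` file only requires reading that file into `triage()`; the unencrypted findings are the ones to raise first, since they expose credentials in transit regardless of how strong the passwords are.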

Nessus

Technical vulnerability scanner

Wireshark

Capture and analyse network packets

Lynis

Security configuration assessment for Unix-based systems.

Scan report is saved to /var/log/lynis-report.dat. Preferences are stored in default.prf. Center for Internet Security can be used to interpret results.

CIS-CAT Lite

Security configuration benchmark

Configuration Assessment Tool Lite (requires Java) can only scan the following technologies (the Pro version supports all benchmarks):

  • Windows 10
  • Ubuntu
  • macOS
  • Google Chrome

Aircrack-ng

Wireless network security testing

Need to connect another wireless adapter, for example, Alfa AWUSO36NH.

cli

# display wireless interfaces and chipsets
$ airmon-ng

# monitor wlan0 on channel 9
$ airmon-ng start wlan0 9

# capture traffic
# channel 9 + AP MAC address + interface in monitor mode
$ airodump-ng -c 9 --bssid 00:11:33:33:77:00 -w psk mon0

# deauthenticate wireless client
# -0 - deauth mode, 1 - number of deauth frames to send
# -a - MAC address of wireless AP, -c - MAC of client
$ aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 mon0

Hashcat

Password cracking

RockYou breach (Dec 2009) exposed 32 million credentials and created largest password wordlist (/usr/share/wordlists/rockyou.txt.gz in Kali).

$ echo -n "password1" | md5sum | tr -d " -" >> captured.txt

# the Kali wordlist ships compressed; decompress it once
$ gunzip -k /usr/share/wordlists/rockyou.txt.gz

# -m 0 = raw MD5, -a 0 = straight (dictionary) attack; last argument is the wordlist
# add --force option while running on not specialized hardware
$ hashcat -m 0 -a 0 -o output.txt captured.txt /usr/share/wordlists/rockyou.txt
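Why a dictionary run against raw MD5 finishes instantly, and what a defender stores instead. This is an added example, not part of the wiki: `md5_hex` reproduces the `echo -n | md5sum` digest from the page, the four-word wordlist is a constructed stand-in for rockyou.txt, and the `pbkdf2_sha256$iterations$salt$digest` record layout is a format chosen for this illustration, not any particular application's.

```python
"""Unsalted MD5 lookup beside salted, slow password storage.

Added illustration, not from the wiki. WORDLIST is a constructed stand-in
for rockyou.txt; the stored-record format is chosen here for the example.
"""
import hashlib
import hmac
import os

WORDLIST = ["123456", "qwerty", "password1", "letmein"]  # constructed sample


def md5_hex(password: str) -> str:
    """Same digest as `echo -n "$pw" | md5sum` on the page."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_md5(target_hex: str, wordlist):
    """One hash per candidate, and with no salt the same table works against
    every user's hash at once; this is why -m 0 is cheap to attack."""
    for candidate in wordlist:
        if md5_hex(candidate) == target_hex:
            return candidate
    return None


# Hardened storage: per-user random salt plus a deliberately slow KDF.
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor assumed for this example


def store_password(password: str) -> str:
    """Return a self-describing record: algorithm, iterations, salt, digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute with the stored salt/iterations; constant-time compare."""
    _, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    captured = md5_hex("password1")
    print("captured:", captured, "->", crack_unsalted_md5(captured, WORDLIST))
    r1, r2 = store_password("password1"), store_password("password1")
    print("same password, different records:", r1 != r2)
    print("verify:", verify_password(r1, "password1"), verify_password(r1, "password2"))
```

The point for an assessor is the contrast: the MD5 record is recovered from a wordlist hit with no per-user work, while the salted PBKDF2 record forces the work to be redone for every user and every candidate.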

OWASP ZAP

Open Web Application Security Project hosts multiple open source projects. Zed Attack Proxy scans for basic web application security vulnerabilities. OWASP also maintains intentionally vulnerable web apps for assessors to practice on, such as Juice Shop.

CLI wrapper; needs ZAP to be installed.

OWASP top 10

2017 RC version

  1. Injection
  2. Broken authentication
  3. Sensitive data exposure
  4. XML External Entity (XXE)
  5. Broken access control - for example, Insecure Direct Object Reference (the application does not check that the requester is authorized for the referenced object, so changing the identifier in the URL gives access to other users' resources)
  6. Security misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure deserialization
  9. Using components with known vulnerabilities
  10. Insufficient logging and monitoring
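The Insecure Direct Object Reference case from item 5, shown as a vulnerable handler beside its fixed form. This is an added example, not code from the wiki: the `Invoice` store, the user names and the `get_invoice_*` functions are constructed for the illustration, standing in for a web framework's route handler and database.

```python
"""IDOR (OWASP A5 Broken access control): vulnerable lookup vs. fixed lookup.

Added example, not from the wiki. INVOICES stands in for a database table;
current_user stands in for the identity established by authentication.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed sample data.
INVOICES = {
    1001: Invoice(1001, "alice", 120.0),
    1002: Invoice(1002, "bob", 75.5),
}


class NotFound(Exception):
    pass


def get_invoice_insecure(current_user: str, invoice_id: int) -> Invoice:
    """Vulnerable: trusts the id from the URL and never checks who owns it.

    Any authenticated user can read any invoice by changing the number
    (e.g. /invoices/1001 -> /invoices/1002).
    """
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def get_invoice_secure(current_user: str, invoice_id: int) -> Invoice:
    """Fixed: authorize against the authenticated user on every lookup.

    'Not yours' and 'does not exist' return the same error so the response
    does not reveal which ids are valid.
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != current_user:
        raise NotFound(invoice_id)
    return invoice


if __name__ == "__main__":
    print("insecure, alice reads bob's invoice:", get_invoice_insecure("alice", 1002))
    try:
        get_invoice_secure("alice", 1002)
    except NotFound:
        print("secure, alice reading 1002: not found")
    print("secure, bob reading his own:", get_invoice_secure("bob", 1002))
```

The fix is the ownership comparison on the row itself, not a check on the URL; a scanner like ZAP can only hint at IDOR (by replaying requests as a second user), so this is also a test case worth keeping in the application's own suite.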

Nipper

Firewall and network configuration audit tool

Logging

Commercial

Open source

Critical Log Review Checklist for Security Incidents

Resources