
IT PROFESSIONAL ELECTIVE ITEL412 - Prelims
4TH YEAR, 1ST SEMESTER
KYLA MARIE LOPEZ | BSIT 4-Y1-3

WEEK 1: THE DANGER

WAR STORIES

HIJACKED PEOPLE
Hackers can set up open "rogue" wireless hotspots posing as a genuine wireless network.
Rogue wireless hotspots are also known as "evil twin" hotspots.

RANSOMED COMPANIES
Employees of an organization are often lured into opening attachments that install ransomware on the employees' computers.
This ransomware, when installed, begins the process of gathering and encrypting corporate data.
The goal of the attackers is financial gain, because they hold the company's data for ransom until they are paid.

TARGETED NATIONS
Some of today's malware is so sophisticated and expensive to create that security experts believe only a nation state or group of nations could possibly have the influence and funding to create it.
Such malware can be targeted to attack a nation's vulnerable infrastructure, such as the water system or power grid.
One such malware was the Stuxnet worm that infected USB drives and infiltrated Windows operating systems. It then targeted Step 7 software that was developed by Siemens for their Programmable Logic Controllers (PLCs).

THREAT ACTORS
Threat actors are individuals or groups of individuals who perform cyberattacks. They include, but are not limited to:
○ Amateurs
  They are also known as script kiddies and have little or no skill. They often use existing tools or instructions found on the internet to launch attacks. Even though they use basic tools, the results can still be devastating.
○ Hacktivists
  These are hackers who publicly protest against a variety of political and social ideas. They post articles and videos, leaking sensitive information, and disrupting web services with illegitimate traffic in Distributed Denial of Service (DDoS) attacks.
○ Organized crime groups
○ State-sponsored groups
○ Terrorist groups
Cyberattacks are intentional malicious acts meant to negatively impact another individual or organization.
Financial Gain:
○ Much of the hacking activity that consistently threatens our security is motivated by financial gain.
○ Cybercriminals want to gain access to bank accounts, personal data, and anything else they can leverage to generate cash flow.
Trade Secrets and Global Politics:
○ At times, nation states hack other countries, or interfere with their internal politics.
○ Often, they may be interested in using cyberspace for industrial espionage.
○ The theft of intellectual property can give a country a significant advantage in international trade.

HOW SECURE IS THE INTERNET OF THINGS?
The Internet of Things (IoT) helps individuals connect things to improve their quality of life.
Many devices on the internet are not updated with the latest firmware. Some older devices were not even developed to be updated with patches. These two situations create opportunity for threat actors and security risks for the owners of these devices.

THREAT IMPACT

PII, PHI, AND PSI
Personally Identifiable Information (PII) is any information that can be used to positively identify an individual, for example, name, social security number, birthdate, credit card numbers, etc.
Cybercriminals aim to obtain these lists of PII that can then be sold on the dark web. Stolen PII can be used to create fake financial accounts, such as credit cards and short-term loans.
The medical community creates and maintains Electronic Medical Records (EMRs) that contain Protected Health Information (PHI), a subset of PII.
Personal Security Information (PSI), another type of PII, includes usernames, passwords, and other security-related information that individuals use to access information or services on the network.

LOST COMPETITIVE ADVANTAGE
The loss of intellectual property to competitors is a serious concern.
An additional major concern is the loss of trust that comes when a company is unable to protect its customers' personal data.
The loss of competitive advantage may come from this loss of trust rather than another company or country stealing trade secrets.

POLITICS AND NATIONAL SECURITY
It is not just businesses that get hacked.
State-supported hacker warriors can cause disruption and destruction of vital services and resources within an enemy nation.
The internet has become essential as a medium for commercial and financial activities. Disruption of these activities can devastate a nation's economy.

SUMMARY
Threat actors can hijack banking sessions and other personal information by using "evil twin" hotspots.
Threat actors include, but are not limited to, amateurs, hacktivists, organized crime groups, state-sponsored groups, and terrorist groups.
As the Internet of Things (IoT) expands, webcams, routers, and other devices in our homes are also under attack.
Personally Identifiable Information (PII) is any information that can be used to positively identify an individual.
The medical community creates and maintains Electronic Medical Records (EMRs) that contain Protected Health Information (PHI), a subset of PII.
Personal Security Information (PSI) includes usernames, passwords, and other security-related information that individuals use to access information or services on the network.

WEEK 2: FIGHTERS IN THE WAR AGAINST CYBERCRIME

THE MODERN SECURITY OPERATIONS CENTER

ELEMENTS OF A SOC
To use a formalized, structured, and disciplined approach for defending against cyber threats, organizations typically use the services of professionals from a Security Operations Center (SOC).
SOCs provide a broad range of services, from monitoring and management, to comprehensive threat solutions and customized hosted security.
SOCs can be wholly in-house, owned and operated by a business, or elements of a SOC can be contracted out to security vendors, such as Cisco's Managed Security Services.

PEOPLE IN THE SOC
SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.
First tier jobs are more entry level, while third tier jobs require extensive expertise.
The figure, which is originally from the SANS Institute, graphically represents how these roles interact with each other.

TIERS
Tier 1 Alert Analyst
○ RESPONSIBILITY: Monitor incoming alerts, verify that a true incident has occurred, and forward tickets to Tier 2, if necessary.
○ Monitors incidents, opens tickets, basic threat mitigation
Tier 2 Incident Responder
○ RESPONSIBILITY: Responsible for deep investigation of incidents and advises on the remediation or action to be taken.
○ Deep investigation, advises remediation
Tier 3 Threat Hunter
○ RESPONSIBILITY: Experts in network, endpoint, threat intelligence, malware reverse engineering and tracing the processes of the malware to determine its impact and how it can be removed. They are also deeply involved in hunting for potential threats and implementing threat detection tools. Threat hunters search for cyber threats that are present in the network but have not yet been detected.
○ In-depth knowledge, threat hunting, preventive measures
SOC Manager
○ RESPONSIBILITY: Manages all the resources of the SOC and serves as the point of contact for the larger organization or customer.

PROCESS IN THE SOC
A Cybersecurity Analyst is required to monitor security alert queues and investigate the assigned alerts. A ticketing system is used to assign these alerts to the analyst's queue.
The software that generates the alerts can trigger false alarms. The analyst, therefore, needs to verify that an assigned alert represents a true security incident.
When this verification is established, the incident can be forwarded to investigators or other security personnel to be acted upon. Otherwise, the alert is dismissed as a false alarm.
If a ticket cannot be resolved, the Cybersecurity Analyst forwards the ticket to a Tier 2 Incident Responder for deeper investigation and remediation.
If the Incident Responder cannot resolve the ticket, it is forwarded to Tier 3 personnel.

TECHNOLOGIES IN THE SOC: SIEM
A SOC needs a Security Information and Event Management (SIEM) system to understand the data that firewalls, network appliances, intrusion detection systems, and other devices generate.
SIEM systems collect and filter data, and detect, classify, analyze and investigate threats. They may also manage resources to implement preventive measures and address future threats.

TECHNOLOGIES IN THE SOC: SOAR
SIEM and Security Orchestration, Automation and Response (SOAR) are often paired together as they have capabilities that complement each other.
Large security operations (SecOps) teams use both technologies to optimize their SOC.
SOAR platforms are similar to SIEMs as they aggregate, correlate, and analyze alerts. In addition, SOAR technology integrates threat intelligence and automates incident investigation and response workflows based on playbooks developed by the security team.
SOAR security platforms:
○ Gather alarm data from each component of the system.
○ Provide tools that enable cases to be researched, assessed, and investigated.
○ Emphasize integration as a means of automating complex incident response workflows that enable more rapid response and adaptive defense strategies.
○ Include pre-defined playbooks that enable automatic response to specific threats. Playbooks can be initiated automatically based on predefined rules or may be triggered by security personnel.

SOC METRICS
Whether internal to an organization or providing services to multiple organizations, it is important to understand how well the SOC is functioning, so that improvements can be made to the people, processes, and technologies that comprise the SOC.
Many metrics or Key Performance Indicators (KPI) can be devised to measure different aspects of SOC performance. However, five metrics are commonly used as SOC metrics by SOC managers.

METRICS
Dwell Time
○ The length of time that threat actors have access to a network before they are detected, and their access is stopped
Mean Time to Detect (MTTD)
○ The average time that it takes for the SOC personnel to identify that valid security incidents have occurred in the network
Mean Time to Respond (MTTR)
○ The average time it takes to stop and remediate a security incident
Mean Time to Contain (MTTC)
○ The time required to stop the incident from causing further damage to systems or data
Time to Control
○ The time required to stop the spread of malware in the network

ENTERPRISE AND MANAGED SECURITY
For medium and large networks, the organization will benefit from implementing an enterprise-level SOC, which is a complete in-house solution.
Larger organizations may outsource at least a part of the SOC operations to a security solutions provider.
Cisco offers a wide range of incident response, preparedness, and management capabilities including:
○ Cisco Smart Net Total Care Service for Rapid Problem Resolution
○ Cisco Product Security Incident Response Team (PSIRT)
○ Cisco Computer Security Incident Response Team (CSIRT)
○ Cisco Managed Services
○ Cisco Tactical Operations (TacOps)
○ Cisco's Safety and Physical Security Program

SECURITY VS. AVAILABILITY
Security personnel understand that for the organization to accomplish its priorities, network availability must be preserved.
Each business or industry has a limited tolerance for network downtime. That tolerance is usually based upon a comparison of the cost of the downtime in relation to the cost of ensuring against downtime.
Security cannot be so strong that it interferes with the needs of employees or business functions. It is always a tradeoff between strong security and permitting efficient business functioning.

BECOMING A DEFENDER

CERTIFICATIONS
A variety of cybersecurity certifications that are relevant to careers in SOCs are available:
○ Cisco Certified CyberOps Associate
○ CompTIA Cybersecurity Analyst Certification
○ (ISC)² Information Security Certifications
○ Global Information Assurance Certification (GIAC)
Search for "cybersecurity certifications" on the Internet to know more about other vendor and vendor-neutral certifications.

FURTHER EDUCATION
Degrees: When considering a career in the cybersecurity field, one should seriously consider pursuing a technical degree or bachelor's degree in computer science, electrical engineering, information technology, or information security.
Python Programming: Computer programming is an essential skill for anyone who wishes to pursue a career in cybersecurity. If you have never learned how to program, then Python might be the first language to learn.
Linux Skills: Linux is widely used in SOCs and other networking and security environments. Linux skills are a valuable addition to your skillset as you work to develop a career in cybersecurity.

SOURCES OF CAREER INFORMATION
A variety of websites and mobile applications advertise information technology jobs. Each site targets a variety of job applicants and provides different tools for candidates to research their ideal job position.
Many sites are job site aggregators that gather listings from other job boards and company career sites and display them in a single location.
○ Indeed.com
○ CareerBuilder.com
○ USAJobs.gov
○ Glassdoor
○ LinkedIn

GETTING EXPERIENCE
Internships: Internships are an excellent method for entering the cybersecurity field. Sometimes, internships turn into an offer of full time employment. However, even a temporary internship allows you the opportunity to gain experience in the inner workings of a cybersecurity organization.
Scholarships and Awards: To help close the security skills gap, organizations like Cisco and INFOSEC have introduced scholarship and awards programs.
Temporary Agencies: Many organizations use temporary agencies to fill job openings for the first 90 days. If the employee is a good match, the organization may convert the employee to a full-time, permanent position.
Your First Job: If you have no experience in the cybersecurity field, working for a call center or support desk may be your first step into gaining the experience you need to move ahead in your career.

SUMMARY
Major elements of the SOC include people, processes, and technologies.
The job roles include a Tier 1 Alert Analyst, a Tier 2 Incident Responder, a Tier 3 Threat Hunter, and a SOC Manager.
A Tier 1 Analyst monitors incidents, opens tickets, and performs basic threat mitigation.
SIEM systems are used for collecting and filtering data, detecting and classifying threats, and analyzing and investigating threats.
SOAR integrates threat intelligence and automates incident investigation and response workflows based on playbooks developed by the security team.
KPIs are devised to measure different aspects of SOC performance. Common metrics include Dwell Time, Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), Mean Time to Contain (MTTC), and Time to Control.
There must be a balance between security and availability of the networks. Security cannot be so strong that it interferes with employees or business functions.
A variety of cybersecurity certifications that are relevant to careers in SOCs are available from different organizations.

WEEK 3: THE WINDOWS OPERATING SYSTEM

WINDOWS HISTORY

DISK OPERATING SYSTEM
The Disk Operating System (DOS) is an operating system that the computer uses to enable the data storage devices to read and write files.
DOS provides a file system which organizes the files in a specific way on the disk.
MS-DOS, created by Microsoft, used a command line as the interface for people to create programs and manipulate data files. DOS commands are shown in bold text in the given command output.
With MS-DOS, the computer had a basic working knowledge of accessing the disk drive and loading the operating system files directly from disk as part of the boot process.
Early versions of Windows consisted of a Graphical User Interface (GUI) that ran over MS-DOS, starting with Windows 1.0 in 1985.
In newer versions of Windows, built on New Technologies (NT), the operating system itself is in direct control of the computer and its hardware.
Today, many things that used to be accomplished through the command line interface of MS-DOS can be accomplished in the Windows GUI.
To experience a little of MS-DOS, open a command window by typing cmd in Windows Search and pressing Enter.

MS-DOS Command
Dir
  ○ Shows a listing of all the files in the current directory (folder)
cd directory
  ○ Changes the directory to the indicated directory
cd ..
  ○ Changes the directory to the directory above the current directory
cd \
  ○ Changes the directory to the root directory (often C:)
copy source destination
  ○ Copies files to another location
del filename
  ○ Deletes one or more files
Find
  ○ Searches for text in files
mkdir directory
  ○ Creates a new directory
ren oldname newname
  ○ Renames a file
Help
  ○ Displays all the commands that can be used, with a brief description
help command
  ○ Displays extensive help for the indicated command

WINDOWS VERSIONS
Since 1993, there have been more than 20 releases of Windows that are based on the NT operating system (OS). Many editions were built specifically for workstation, professional, server, advanced server, and datacenter server, to name just a few of the many purpose-built versions.
The 64-bit operating system was an entirely new architecture. It had a 64-bit address space instead of a 32-bit address space.
64-bit computers and operating systems are backward-compatible with older, 32-bit programs, but 64-bit programs cannot be run on older, 32-bit hardware.
With each subsequent release of Windows, the operating system has become more refined by incorporating more features.
Microsoft has announced that Windows 10 is the last version of Windows. Rather than purchasing new operating systems, users will just update Windows 10 instead.

OS Version
Windows 7
  ○ Starter, Home Basic, Home Premium, Professional, Enterprise, Ultimate
Windows Server 2008 R2
  ○ Foundation, Standard, Enterprise, Datacenter, Web Server, HPC Server, Itanium-Based Systems
Windows Home Server 2011
  ○ None
Windows 8
  ○ Windows 8, Windows 8 Pro, Windows 8 Enterprise, Windows RT
Windows Server 2012
  ○ Foundation, Essentials, Standard, Datacenter
Windows 8.1
  ○ Windows 8.1, Windows 8.1 Pro, Windows 8.1 Enterprise, Windows RT 8.1
Windows Server 2012 R2
  ○ Foundation, Essentials, Standard, Datacenter
Windows 10
  ○ Home, Pro, Pro Education, Enterprise, Education, IoT Core, Mobile, Mobile Enterprise
Windows Server 2016
  ○ Essentials, Standard, Datacenter, Multipoint Premium Server, Storage Server, Hyper-V Server

WINDOWS GUI
Windows has a graphical user interface (GUI) for users to work with data files and software.
The GUI has a main area that is known as the Desktop. The Desktop can be customized with various colors and background images.
Windows supports multiple users, so each user can customize the Desktop.
The Desktop can store files, folders, shortcuts to locations and programs, and applications.
The Desktop also has a recycle bin icon, where files are stored when the user deletes them. Files can be restored from the recycle bin or the recycle bin can be emptied of files, which truly deletes them.
At the bottom of the desktop is the Task Bar.
At the left is the Start menu which is used to access all of the installed programs, configuration options, and the search feature.
At the center, users place quick launch icons that run specific programs or open specific folders when they are clicked.
On the right of the Task Bar is the notification area. The notification area shows, at a glance, the functionality of many different programs and features.
Right-clicking an icon will usually bring up additional functions that can be used. This list is known as the Context Menu.
There are Context Menus for the icons in the notification area, for quick launch icons, system configuration icons, and for files and folders.
The Context Menu provides many of the most commonly used functions by just clicking.

OPERATING SYSTEM VULNERABILITIES
Operating systems consist of millions of lines of code. With all this code comes vulnerabilities.
A vulnerability is some flaw or weakness that can be exploited by an attacker to reduce the viability of a computer's information.
To take advantage of an operating system vulnerability, the attacker must use a technique or a tool to exploit the vulnerability.
The attacker can then use the vulnerability to get the computer to act in a fashion outside of its intended design.
In general, the goal is to gain unauthorized control of the computer, change permissions, or to manipulate or steal data.

Windows OS Security recommendations
Virus or malware protection
○ By default, Windows uses Windows Defender for malware protection.
○ Windows Defender provides a suite of protection tools built into the system.
○ If Windows Defender is turned off, the system becomes more vulnerable to attacks and malware.
Unknown or unmanaged services
○ There are many services that run behind the scenes.
○ It is important to make sure that each service is identifiable and safe.
○ With an unknown service running in the background, the computer can be vulnerable to attack.
Encryption
○ When data is not encrypted, it can easily be gathered and exploited.
○ This is not only important for desktop computers, but especially mobile devices.
Security policy
○ A good security policy must be configured and followed.
○ Many settings in the Windows Security Policy control can prevent attacks.
Firewall
○ By default, Windows uses Windows Firewall to limit communication with devices on the network. Over time, rules may no longer apply.
○ It is important to review firewall settings periodically to ensure that the rules are still applicable and remove any that no longer apply.
File and share permissions
○ These permissions must be set correctly. It is easy to give the "Everyone" group Full Control, but this allows all people to access all files.
○ It is best to provide each user or group with the minimum necessary permissions for all files and folders.
Weak or no password
○ Many people choose weak passwords or do not use a password at all.
○ It is especially important to make sure that all accounts, especially the Administrator account, have a very strong password.
Login as Administrator
○ When a user logs in as an administrator, any program that they run will have the privileges of that account.
○ It is best to log in as a Standard User and only use the administrator password to accomplish certain tasks.

WINDOWS ARCHITECTURE AND OPERATIONS

HARDWARE ABSTRACTION LAYER
A hardware abstraction layer (HAL) is software that handles all of the communication between the hardware and the kernel.
The kernel is the core of the operating system and has control over the entire computer.
The kernel handles all of the input and output requests, memory, and all of the peripherals connected to the computer.
The basic Windows architecture is shown in the figure.

USER MODE AND KERNEL MODE
The two different modes in which a CPU operates when the computer has Windows installed are the user mode and the kernel mode.
Installed applications run in user mode, and operating system code runs in kernel mode.
All of the code that runs in kernel mode uses the same address space.
When user mode code runs, it is granted its own restricted address space by the kernel, along with a process created specifically for the application.

WINDOWS FILE SYSTEMS
NTFS formatting creates important structures on the disk for file storage, and tables for recording the locations of files:
○ Partition Boot Sector: This is the first 16 sectors of the drive. It contains the location of the Master File Table (MFT). The last 16 sectors contain a copy of the boot sector.
○ Master File Table (MFT): This table contains the locations of all the files and directories on the partition, including file attributes such as security information and timestamps.
○ System Files: These are hidden files that store information about other volumes and file attributes.
○ File Area: The main area of the partition where files and directories are stored.
Note: When formatting a partition, the previous data may still be recoverable because not all the data is completely removed. It is recommended to perform a secure wipe on a drive that is being reused. The secure wipe will write data to the entire drive multiple times to ensure there is no remaining data.

Windows File System
exFAT
  ○ This is a simple file system supported by many different operating systems.
  ○ FAT has limitations to the number of partitions, partition sizes, and file sizes that it can address, so it is not usually used for hard drives or solid-state drives anymore.
  ○ Both FAT16 and FAT32 are available to use, with FAT32 being the most common as it has many fewer restrictions than FAT16.
Hierarchical File System Plus (HFS+)
  ○ This file system is used on Mac OS X computers and allows much longer filenames, file sizes, and partition sizes.
  ○ Although it is not supported by Windows without special software, Windows is able to read data from HFS+ partitions.
Extended File System (EXT)
  ○ This file system is used with Linux-based computers.
  ○ Although it is not supported by Windows, Windows is able to read data from EXT partitions with special software.
New Technology File System (NTFS)
  ○ This is the most commonly used file system when installing Windows. All versions of Windows and Linux support NTFS.
  ○ Mac OS X computers can only read an NTFS partition. They are able to write to an NTFS partition after installing special drivers.

ALTERNATE DATA STREAMS
NTFS stores files as a series of attributes, such as the name of the file, or a timestamp.
The data which the file contains is stored in the attribute $DATA, and is known as a data stream.
By using NTFS, Alternate Data Streams (ADSs) can be connected to the file.
An attacker could store malicious code within an ADS that can then be called from a different file.
In the NTFS file system, a file with an ADS is identified after the filename and a colon, for example, Testfile.txt:ADS. This filename indicates an ADS called ADS is associated with the file called Testfile.txt.

WINDOWS BOOT PROCESS
Many actions occur between the time the power button is pressed and Windows is fully loaded. This is the Windows Boot process. Two types of computer firmware exist:
○ Basic Input-Output System (BIOS): The process begins with the BIOS initialization phase in which the hardware devices are initialized and a POST is performed. When the system disk is discovered, the POST ends and looks for the master boot record (MBR). The BIOS executes the MBR code and the operating system starts to load.
○ Unified Extensible Firmware Interface (UEFI): UEFI firmware boots by loading EFI program files (.efi) stored in a special disk partition, known as the EFI System Partition (ESP).
Whether the firmware is BIOS or UEFI, after a valid Windows installation is located, the Bootmgr.exe file is run.
Bootmgr.exe reads the Boot Configuration Database (BCD).
If the computer is coming out of hibernation, the boot process continues with Winresume.exe.
If the computer is being booted from a cold start, then the Winload.exe file is loaded.
Winload.exe also uses Kernel Mode Code Signing (KMCS) to make sure that all drivers are digitally signed.
After the drivers have been examined, Winload.exe runs Ntoskrnl.exe that starts the Windows kernel and sets up the HAL.
Note: A computer that uses UEFI stores boot code in the firmware. This helps to increase the security of the computer at boot time because the computer goes directly into protected mode.

WINDOWS STARTUP
There are two important registry items that are used to automatically start applications and services:
○ HKEY_LOCAL_MACHINE - Several aspects of Windows configuration are stored in this key, including information about services that start with each boot.
○ HKEY_CURRENT_USER - Several aspects related to the logged in user are stored in this key, including information about services that start only when the user logs on to the computer.
Different entries in these registry locations define which services and applications will start, as indicated by their entry type.
These types include Run, RunOnce, RunServices, RunServicesOnce, and Userinit. These entries can be manually entered into the registry, but it is much safer to use the Msconfig.exe tool.
The Msconfig tool is used to view and change all of the start-up options for the computer. It opens the System Configuration window.
There are five tabs that contain the configuration options.
○ General
  Three different startup types can be chosen here:
  Normal loads all drivers and services.
  Diagnostic loads only basic drivers and services.
  Selective allows the user to choose what to load on startup.
○ Boot
  Any installed operating system can be chosen here to start. There are also options for Safe boot, which is used to troubleshoot startup.
○ Services
  All the installed services are listed here so that they can be chosen to start at startup.
○ Startup
  All the applications and services that are configured to automatically begin at startup can be enabled or disabled by opening the task manager from this tab.
○ Tools
  Many common operating system tools can be launched directly from this tab.

WINDOWS SHUTDOWN
It is always best to perform a proper shutdown to turn off the computer. The computer needs time to close each application, shut down each service, and record any configuration changes before power is lost.
During shutdown, the computer will close user mode applications first, followed by kernel mode processes.
There are several ways to shut down a Windows computer: Start menu power options, the command line command shutdown, and using Ctrl+Alt+Delete and clicking the power icon.
There are three different options from which to choose when shutting down the computer:
○ Shutdown: Turns the computer off (power off).
○ Restart: Re-boots the computer (power off and power on).
○ Hibernate: Records the current state of the computer and user environment and stores it in a file. Hibernation allows the user to pick up right where they left off very quickly with all their files and programs still open.

PROCESSES, THREADS, AND SERVICES
A Windows application is made up of processes. A process is any program that is currently executing.
Each process that runs is made up of at least one thread. A thread is a part of the process that can be executed.
To configure Windows processes, search for Task Manager. The Processes tab of the Task Manager is shown in the figure.
All of the threads dedicated to a process are contained within the same address space, which means that these threads may not access the address space of any other process. This prevents corruption of other processes.
Some of the processes that Windows runs are services. These are programs that run in the background to support the operating system and applications.
Services provide long-running functionality, such as wireless or access to an FTP server.
To configure Windows Services, search for services. The Windows Services control panel applet is shown in the figure.
Be very careful when manipulating the settings of these services. Shutting down a service may adversely affect applications or other services.

MEMORY ALLOCATION AND HANDLES
The virtual address space for a process is the set of virtual addresses that the process can use.
The virtual address is not the actual physical location in memory, but an entry in a page table that is used to translate the virtual address into the physical address.
Each process in a 32-bit Windows computer supports a virtual address space that enables addressing up to 4 gigabytes.
Each process in a 64-bit Windows computer supports a virtual address space of 8 terabytes.
Each user space process runs in a private address space, separate from other user space processes.
When the user space process needs to access kernel resources, it must use a process handle.
As the user space process is not allowed to directly access these kernel resources, the process handle provides the access needed by the user space process without a direct connection to it.
A powerful tool for viewing memory allocation is RAMMap, which is shown in the figure. RAMMap is part of the Windows Sysinternals Suite of tools. It can be downloaded from Microsoft.
RAMMap provides information regarding how Windows has allocated system memory to the kernel, processes, drivers, and applications.

THE WINDOWS REGISTRY
Windows stores all of the information about hardware, applications, users, and system settings in a large database known as the registry.
The registry is a hierarchical database where the highest level is known as a hive, below that there are keys, followed by subkeys.
Values store data and are stored in the keys and subkeys. A registry key can be up to 512 levels deep.
New hives cannot be created. The registry keys and values in the hives can be created, modified, or deleted by an account with administrative privileges.
As shown in the figure, the tool regedit.exe is used to modify the registry. Be very careful when using this tool. Minor changes to the registry can have massive or even catastrophic effects.
Navigation in the registry is very similar to Windows file explorer. Use the left panel to navigate the hives and the structure below it and use the right panel to see the contents of the highlighted item in the left panel.
The path is displayed at the bottom of the window for reference.
Registry keys can contain either a subkey or a value. The different values that keys can contain are as follows:
○ REG_BINARY: Numbers or Boolean values
○ REG_DWORD: Numbers greater than 32 bits or raw data
○ REG_SZ: String values
The registry also contains the activity that a user performs during normal day-to-day computer use. This includes the history of hardware devices, including all devices that have been connected to the computer including the name, manufacturer and serial number.

Registry Hive
HKEY_CURRENT_USER (HKCU)
  ○ Holds information concerning the currently logged in user.
HKEY_USERS (HKU)
  ○ Holds information concerning all the user accounts on the host.
HKEY_CLASSES_ROOT (HKCR)
  ○ Holds information about object linking and embedding (OLE) registrations. It allows users to embed objects from other applications into a single document.
HKEY_LOCAL_MACHINE (HKLM)
  ○ Holds system-related information.
HKEY_CURRENT_CONFIG (HKCC)
  ○ Holds information about the current hardware profile.

WINDOWS CONFIGURATION AND MONITORING

RUN AS ADMINISTRATOR
As a security best practice, it is not advisable to log on to Windows using the Administrator account or an account with administrative privileges.
There are two different ways to run or install software that requires the privileges of the Administrator.
Administrator
○ Right-click the command in the Windows File Explorer and choose Run as Administrator from the Context Menu.

CLI AND POWERSHELL
The Windows command line interface (CLI) can be used to run programs, navigate the file system, and manage files and folders.
To open the Windows CLI, search for cmd.exe and click the program. These are a few things to remember when using the CLI:
○ The file names and paths are not case-sensitive, by default.
○ Storage devices are assigned a letter for reference. This is followed by a colon and backslash (\).
○ Commands that have optional switches use the forward slash (/) to delineate between the command and the switch option.
○ You can use the Tab key to auto-complete commands when directories or files are referenced.
○ Windows keeps a history of the commands that were entered during a CLI session. Access previously entered commands by using the up and down arrow keys.
○ To switch between storage devices, type the letter of the device, followed by a colon, and then press Enter.
Another environment, called the Windows PowerShell, can be used to create scripts to automate tasks that the regular CLI is unable to create. PowerShell also provides a CLI for initiating commands.
PowerShell is an integrated program within Windows. Like the CLI, PowerShell can also be run with administrative privileges.
These are the types of commands that PowerShell can Administrator Command Prompt execute: ○ Search for command, right-click the ○ cmdlets - These commands perform an action executable file, and choose Run as Administrator and return an output or object to the next from the Context Menu. command that will be executed. ○ Every command that is executed from this ○ PowerShell scripts - These are files with a.ps1 command line will be carried out with the extension that contain PowerShell commands Administrator privileges, including installation of that are executed. software. ○ PowerShell functions - These are pieces of code that can be referenced in a script. LOCAL USERS AND DOMAINS To see more information about PowerShell and get When a new computer is started for the first time, or started using it, type help, as shown in the command Windows is installed, there will be a prompt to create a output. user account. This is known as a local user. There are four levels of help in Windows PowerShell: This account contains all the customization settings, ○ get-help PS command - Displays basic help for a access permissions, file locations, and many other command user-specific data. ○ get-help PS command [-examples] - Displays To make administration of users easier, Windows uses basic help for a command with examples groups. A group will have a name and a specific set of ○ get-help PS command [-detailed] - Displays permissions associated with it. detailed help for a command with examples When a user is placed into a group, the permissions of ○ get-help PS command [-full] - Displays all help that group are given to that user. information for a command with examples in A user can be placed into multiple groups to be provided greater depth with many different permissions. When the permissions overlap, certain permissions, like “explicitly deny” will WINDOWS MANAGEMENT INSTRUMENTATION override the permission provided by a different group. 
Windows Management Instrumentation (WMI) is used to There are many different user groups built into Windows manage remote computers. that are used for specific tasks. It can retrieve information about computer components, Local users and groups are managed with the hardware and software statistics, and monitor the health lusrmgr.msc control panel applet, as shown in the figure. of remote computers. Windows also use domains to set permissions. A domain To open the WMI control from the Control Panel, is a type of network service where all of the users, groups, double-click Administrative Tools > Computer computers, peripherals, and security settings are stored Management to open the Computer Management window, on and controlled by a database. expand the Services and Applications tree and right-click the WMI Control icon > Properties. 8 The WMI Control Properties window is shown in the A view of the performance statistics figure. Four tabs in the WMI Control Properties window provides a overview of the CPU, are: memory, disk, and network ○ General - Summary information about the local performance. computer and WMI Clicking each item in the left pane will ○ Backup/Restore - Allows manual backup of show detailed statistics of that item in statistics gathered by WMI the right pane. ○ Security - Settings to configure who has access ○ App history to different WMI statistics The use of resources by application ○ Advanced - Settings to configure the default over time provides insight into namespace for WMI applications that are consuming more resources. THE NET COMMAND Click Options and Show history for all The net command is used in the administration and processes to see the history of every maintenance of the OS. process that has run since the The net command supports many subcommands that computer was started. follow it and can be combined with switches to focus on ○ Startup specific output. 
All the applications and services that To see a list of the many net commands, type net help at start when the computer is booted are the command prompt. shown in this tab. The command output shows the commands that the net To disable a program from starting at command can use. startup, right-click the item and choose To see verbose help about any of the net commands, type Disable. C:\> net help. ○ Users All of the users that are logged on to the Common net commands computer and all the resources that net accounts each user’s applications and processes ○ Sets password and logon requirements for users are using are shown in this tab. net session From this tab, an administrator can ○ Lists or disconnects sessions between a disconnect a user from the computer. computer and other computers on the network ○ Details net share This tab provides additional ○ Creates, removes, or manages shared resources management options for processes net start such as setting a priority to make the ○ Starts a network service or lists running network processor devote more or less time to a services process. net stop CPU affinity can also be set which ○ Stops a network service determines which core or CPU a net use program will use. ○ Connects, disconnects, and displays information A useful feature called Analyze wait about shared network resources chain shows any process for which net view another process is waiting. This feature ○ Shows a list of computers and network devices helps to determine if a process is on the network simply waiting or is stalled. ○ Services TASK MANAGER AND RESOURCE MONITOR All the services that are loaded are There are two useful tools to help an administrator to shown in this tab. understand the different applications, services, and The process ID (PID) and a short processes that are running on a Windows computer. description are also shown along with the status of either Running or Stopped. 
Task Manager At the bottom, there is a button to open ○ The Task Manager, which is shown in the figure, the Services console which provides provides a lot of information about the software additional management of services. that is running and the general performance of the computer. Resource Monitor ○ The Task Manager has seven tabs. ○ When more detailed information about resource usage is needed, the Resource Monitor can be Task Manager tabs used. ○ Processes ○ When searching for the reason a computer may Lists all of the programs and processes be acting erratically, the Resource Monitor can that are currently running. help to find the source of the problem. Displays the CPU, memory, disk, and ○ Resource Monitor has Five tabs. network utilization of each process. The properties can be examined or Resource Monitor tabs ended if it is not behaving properly or Overview has stalled. ○ The tab displays the general usage for each ○ Performance resource. 9 CPU In the Properties dialogue box, ○ The PID, number of threads, which the process is choose to Obtain an address using, and the average CPU usage of each automatically if there is a process is shown. DHCP server available on the ○ Additional information about any services and network or if the user wish to the associated handles and modules can be seen configure addressing manually, by expanding the lower rows. fill in the address, subnet, Memory default gateway, and DNS ○ All the statistical information about how each servers. process uses memory is shown in this tab and an Click OK to accept the overview of usage of all the RAM is shown below changes. the Processes row. You can also use the netsh.exe Disk tool to configure networking ○ All the processes that are using a disk are shown parameters from a command in this tab, with read/write statistics and an prompt. overview of each storage device. 
This program can display and Network modify the network ○ All the processes that are using the network are configuration. shown in this tab, with read/write statistics. Type netsh /? at the command ○ It is very useful when trying to determine which prompt to see a list of all the applications and processes are communicating switches. over the network. Also, tell if an unauthorized process is accessing the network. nslookup and netstat ○ Domain Name System (DNS) should also be NETWORKING tested because it is essential to finding the One of the most important features of any operating address of hosts by translating it from a name, system is the ability for the computer to connect to a such as a URL. network. ○ Use the nslookup command to test DNS. To configure Windows networking properties and test ○ Type nslookup cisco.com at the command networking settings, the Network and Sharing Center is prompt to find the address of the Cisco used. webserver. If the address is returned, the DNS is functioning correctly. Network and Sharing Center ○ Type netstat at the command line to see details ○ It is used to verify or create network connections, of active network connections. configure network sharing, and change network adapter settings. ACCESSING NETWORK RESOURCES ○ The initial view shows an overview of the active Windows uses networking for many different applications network. such as web, email, and file services. ○ From the window, you can see the HomeGroup Server Message Block (SMB) protocol is used to share the computer belongs to, or create one if it is not network resources. It is mostly used for accessing files on already part of a HomeGroup. Note that remote hosts. HomeGroup was removed from Windows 10 in The Universal Naming Convention (UNC) format is used to version 1803. connect to resources such as \\servername\sharename\file. 
Change Adapter Settings In the UNC, servername is the server that is hosting the ○ To configure a network adapter, choose Change resource. The sharename is the root of the folder in the adapter settings in the Networking and Sharing file system on the remote host, while the file is the Center to show all of the network connections resource that the local host is trying to find. that are available. Select the adapter that is to be When sharing resources on the network, the area of the configured. file system that will be shared will need to be identified. ○ Following are the steps to change an Ethernet Access control can be applied to the files to restrict users adapter to acquire its IPv4 address automatically and groups to specific functions. from the network: There are also special shares that are automatically Step 1: Access Adaptor Properties created by Windows. These shares are called Right-click the adapter you administrative shares and are identified by a dollar sign wish to configure and choose ($) that comes after the share name. Properties. Besides accessing shares on remote hosts, the user can Step 2: Access TCP/IPv4 properties also log in to a remote host and manipulate that This connection uses Internet computer, as if it were local, to make configuration Protocol Version 4 (TCP/IPv4) changes, install software, or troubleshoot an issue. or Internet Protocol Version 6 In Windows, this feature uses the Remote Desktop (TCP/IPv6) depending on Protocol (RDP). The Remote Desktop Connection window which version the user wish to is shown in the figure. use. Since Remote Desktop Protocol (RDP) is designed to Step 3: Change Settings permit remote users to control individual hosts, it is a Click Properties to configure natural target for threat actors. the adapter. 
10 WINDOWS SERVER To ensure the highest level of protection against the Most Windows installations are performed as desktop attacks, always ensure Windows is up to date with the installations on desktops and laptops. latest service packs and security patches. There is another edition of Windows that is mainly used in Update status, shown in the figure, allows you to check for data centers called Windows Server. This is a family of updates manually and see the update history of the Microsoft products that began with Windows Server 2003. computer. Windows Server hosts many different services and can Patches are code updates that manufacturers provide to fulfill different roles within a company. prevent a newly discovered virus or worm from making a These are some of the services that Windows Server successful attack. provides: From time to time, manufacturers combine patches and ○ Network Services: DNS, DHCP, Terminal services, upgrades into a comprehensive update application called Network Controller, and Hyper-V Network a service pack. virtualization Many devastating virus attacks could have been much ○ File Services: SMB, NFS, and DFS less severe if more users had downloaded and installed ○ Web Services: FTP, HTTP, and HTTPS the latest service pack. ○ Management: Group policy and Active Directory It is highly desirable that enterprises utilize systems that domain services control automatically distribute, install, and track security Note: Although there is a Windows Server 2000, it is updates. considered a client version of Windows NT 5.0. Windows Windows routinely checks the Windows Update website Server 2003 is a server based on NT 5.2 and begins a new for high-priority updates that can help protect a computer family of Windows Server versions. from the latest security threats. There are also settings for the hours where the computer WINDOWS SECURITY will not automatically restart, for example during regular business hours. 
THE NETSTAT COMMAND Advanced options are also available to choose how The netstat command is used to look for inbound or updates are installed how other Microsoft products are outbound connections that are not authorized. updated. The netstat command will display all of the active TCP connections. LOCAL SECURITY POLICY By examining these connections, it is possible to A security policy is a set of objectives that ensures the determine the programs which are listening for security of a network, the data, and the computer systems connections that are not authorized. in an organization. When a program is suspected of being malware, the In most networks that use Windows computers, Active process can be shut down with Task Manager, and Directory is configured with Domains on a Windows malware removal software can be used to clean the Server. Windows computers join the domain. computer. Windows Local Security Policy can be used for To make this process easier, the connections can be stand-alone computers that are not part of an Active linked to the running processes that were created by them Directory domain. in Task Manager. Password guidelines are an important component of a To do this, open a command prompt with administrative security policy. privileges and enter the netstat -abno command. In the Local Security Policy, Password Policy is found By examining the active TCP connections, an analyst under Account Policies and defines the criteria for the should be able to determine if there are any suspicious passwords for all of the users on the local computer. programs that are listening for incoming connections on Use the Account Lockout Policy in Account Policies to the host. prevent brute-force login attempts. There may be more than one process listed with the same It is important to ensure that computers are secure when name. If this is the case, use the unique PID to find the users are away. A security policy should contain a rule correct process. 
To display the PIDs for the processes in about requiring a computer to lock when the screensaver the Task Manager, open the Task Manager, right-click the starts. table heading and select PID. If the Local Security Policy on every stand-alone computer is the same, then use the Export Policy feature. This is EVENT VIEWER particularly helpful if the administrator needs to configure Windows Event Viewer logs the history of application, extensive local policies for user rights and security security, and system events. options. These log files are a troubleshooting tool as they provide The Local Security Policy applet contains security information necessary to identify a problem. settings that apply specifically to the local computer. The Windows includes two categories of event logs: Windows user can configure User Rights, Firewall Rules, and the Logs and Application and Services Logs. ability to restrict the files that users or groups are allowed A built-in custom view called Administrative Events shows to run with the AppLocker. all critical, error, and warning events from all the administrative logs. WINDOWS DEFENDER Security event logs are found under Windows Logs. They Malware includes viruses, worms, Trojan horses, use event IDs to identify the type of event. keyloggers, spyware, and adware. These are designed to invade privacy, steal information, damage the computer, WINDOWS UPDATE MANAGEMENT or corrupt data. 11 It is important to protect computers and mobile devices gigabytes. Each process in a 64-bit Windows computer using reputable antimalware software. The following supports a virtual address space of up to eight terabytes. types of antimalware programs are available: Windows stores all of the information about hardware, ○ Antivirus protection: This program continuously applications, users, and system settings in a large monitors for viruses. When a virus is detected, database known as the registry. 
the user is warned, and the program attempts to The registry is a hierarchical database where the highest quarantine or delete the virus. level is known as a hive, below that there are keys, ○ Adware protection: This program continuously followed by subkeys. looks for programs that display advertising on There are five registry hives that contain data regarding the computer. the configuration and operation of Windows. There are ○ Phishing protection: This program blocks the IP hundreds of keys and subkeys. addresses of known phishing websites and For security reasons, it is not advisable to log on to warns the user about suspicious sites. Windows using the Administrator account or an account ○ Spyware protection: This program scans for with administrative privileges. keyloggers and other spyware. Use Windows groups to make administration of users ○ Trusted / untrusted sources: This program warns easier. Local users and groups are managed with the about unsafe programs about to be installed or lusrmgr.msc control panel applet. unsafe websites. You can use the CLI or the Windows PowerShell to It may take multiple scans to completely remove all execute commands. PowerShell can be used to create malicious software. Run only one malware protection scripts to automate tasks that the regular CLI is unable to program at a time. automate. Several security organizations such as McAfee, Windows Management Instrumentation (WMI) is used to Symantec, and Kaspersky offer all-inclusive malware manage remote computers. protection for computers and mobile devices. The net command can be combined with switches to Windows has built-in virus and spyware protection called focus on specific output. Windows Defender. Task Manager provides a lot of information about what is Windows Defender is turned on by default to provide running, and the general performance of the computer. real-time protection against infection. 
The Resource Monitor provides more detailed information Although Windows Defender works in the background, the about resource usage. user can perform manual scans of the computer and The Server Message Block (SMB) protocol is used to storage devices. share network resources such as files on remote hosts. The Windows netstat command displays all open WINDOWS DEFENDER FIREWALL communication ports on a computer and can also display A firewall selectively denies traffic to a computer or the software processes that are associated with the ports. network segment. Windows Event Viewer provides access to numerous To allow program access through the Windows Defender logged events regarding the operation of a computer. Firewall, search for Control Panels. Under Systems and It is very important to keep Windows up to date to guard Security, locate Windows Defender Firewall. Click Allow against new security threats. an app or feature through Windows Defender Firewall, as Windows should be configured to automatically download shown in the figure. and install updates as they become available. To disable the Windows Firewall and use a different software firewall, click Turn Windows Firewall on or off. WEEK 4: LINUX OVERVIEW Many additional settings can be found under Advanced settings. Here, inbound or outbound traffic LINUX BASICS rules can be created and different aspects of the firewall can be monitored. WHAT IS LINUX? Linux is an operating system that was created in 1991. SUMMARY Linux is open source, fast, reliable, and small. It requires The first computers required a Disk Operating System very little hardware resources to run and is highly (DOS) to create and manage files. customizable. Microsoft developed MS-DOS as a command line Linux is part of several platforms and can be found on interface (CLI) to access the disk drive and load the devices anywhere from wristwatches to supercomputers. operating system files. 
Early versions of Windows Linux is designed to be connected to the network, which consisted of a Graphical User Interface (GUI) that ran over makes it much simpler to write and use network-based MS-DOS. applications. Windows consists of a hardware abstraction layer (HAL) A Linux distribution is the term used to describe packages which handles all the communication between the created by different organizations and include the Linux hardware and the kernel. kernel with customized tools and software packages. Windows operates in two different modes, the user mode and kernel mode. Most Windows programs run in user THE VALUE OF LINUX mode. The kernel mode allows operating system code Linux is often the operating system of choice in the direct access to the computer hardware. Security Operations Center (SOC). These are some of the A computer works by storing instructions in RAM until the reasons to choose Linux: CPU processes them. ○ Linux is open source - Any person can acquire Each process in a 32-bit Windows computer supports a Linux at no charge and modify it to fit specific virtual address space that enables addressing up to four needs. 12 ○ The Linux CLI is very powerful - The Linux A penetration test, also known as PenTesting, is the Command Line Interface (CLI) is extremely process of looking for vulnerabilities in a network or powerful and enables analysts to perform tasks computer by attacking it. not only directly on a terminal, but also remotely. Packet generators, port scanners, and proof-of-concept ○ The user has more control over the OS - The exploits are examples of PenTesting tools. administrator user in Linux, known as the root Kali Linux is a Linux distribution which contains many user, or superuser, can modify any aspect of the penetration tools together in a single Linux distribution. computer with a few keystrokes. Notice all the major categories of penetration testing ○ It allows for better network communication tools of Kali Linux. 
control - Control is an inherent part of Linux. WORKING IN THE LINUX SHELL LINUX IN THE SOC The flexibility provided by Linux is a great feature for the THE LINUX SHELL SOC. The entire operating system can be tailored to In Linux, the user communicates with the OS by using the become the perfect security analysis platform. CLI or the GUI. Sguil is the cybersecurity analyst console in a special Linux often starts in the GUI by default. This hides the CLI version of Linux called Security Onion. from the user. Security Onion is an open source suite of tools that work One way to access the CLI from the GUI is through a together for network security analysis. terminal emulator application. These applications provide user access to the CLI and are named as some variation SOC Tool of the word terminal. ○ Network packet capture software In Linux, popular terminal emulators are Terminator, A crucial tool for a SOC analyst as it eterm, xterm, konsole, and gnome-terminal. makes it possible to observe and Fabrice Bellard has created JSLinux which allows an understand every detail of a network emulated version of Linux to run in a browser. transaction. Note: The terms shell, console, console window, CLI Wireshark is a popular packet capture terminal, and terminal window are often used tool. interchangeably. ○ Malware analysis tools These tools allow analysts to safely run BASIC COMMANDS and observe malware execution without Linux commands are programs created to perform a the risk of compromising the underlying specific task. system. As the commands are programs stored on the disk, when ○ Intrusion detection systems (IDSs) a user types a command, the shell must find it on the disk These tools are used for real-time traffic before it can be executed. monitoring and inspection. If any aspect of the currently flowing Command traffic matches any of the established ○ Mv rules, a pre-defined action is taken. Moves or renames files and directories. 
○ Firewalls ○ Chmod This software is used to specify, based Modifies file permissions. on pre-defined rules, whether traffic is ○ Chown allowed to enter or leave a network or Changes the ownership of a file. device. ○ Dd ○ Log managers Copies data from an input to an output. Log files are used to record events. ○ Pwd Because a network can generate a very Displays the name of the current large number of log entries, log directory. manager software is employed to ○ Ps facilitate log monitoring. Lists the processes that are currently ○ Security information and event management running in the system.
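The THE NETSTAT COMMAND section above describes linking each listening port to its owning process by PID (netstat -abno, then the PID column in Task Manager). The following PowerShell script is an added example, not part of the course notes, that performs that correlation in one pass and flags listeners that fall outside a baseline; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated session, and the $ExpectedListeners table is a constructed placeholder baseline.

```powershell
# Added example (not from the course notes): correlate listening TCP sockets with
# their owning processes, as the notes describe doing by hand with "netstat -abno"
# and the PID column in Task Manager. Assumes Windows 8 / Server 2012 or later
# and an elevated PowerShell session so every process path is readable.

# Constructed baseline of services an analyst expects to see listening on this
# host, keyed by port -> expected process name. Anything else is reported for review.
$ExpectedListeners = @{
    135  = 'svchost'   # RPC endpoint mapper
    445  = 'System'    # SMB, the file sharing protocol discussed in the notes
    3389 = 'svchost'   # RDP, only if Remote Desktop is meant to be enabled
}

function Get-ListeningProcessReport {
    [CmdletBinding()]
    param(
        [hashtable] $Expected = $ExpectedListeners
    )

    # One object per listening socket; OwningProcess is the PID that netstat -o prints.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction Stop

    foreach ($conn in $listeners) {
        $ownerPid = [int]$conn.OwningProcess
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $cim  = Get-CimInstance Win32_Process -Filter "ProcessId = $ownerPid" -ErrorAction SilentlyContinue

        # Key on the PID, not the name: several processes (svchost.exe) share a name,
        # and a malicious binary can be given a legitimate-looking name.
        $path = if ($proc) { $proc.Path } else { $null }
        $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                    (Get-AuthenticodeSignature -FilePath $path).Status
                } else { 'Unknown' }

        $expectedName = $Expected[[int]$conn.LocalPort]
        $verdict = if (-not $expectedName) {
                       'REVIEW: port not in baseline'
                   } elseif ($proc -and $proc.ProcessName -ne $expectedName) {
                       "REVIEW: expected $expectedName on this port"
                   } elseif ($proc -and $proc.ProcessName -ne 'System' -and $sig -ne 'Valid') {
                       'REVIEW: binary is not validly signed'
                   } else {
                       'expected'
                   }

        [pscustomobject]@{
            LocalAddress = $conn.LocalAddress
            LocalPort    = $conn.LocalPort
            PID          = $ownerPid
            ProcessName  = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path         = $path
            ParentPID    = if ($cim) { $cim.ParentProcessId } else { $null }
            CommandLine  = if ($cim) { $cim.CommandLine } else { $null }
            Signature    = $sig
            Verdict      = $verdict
        }
    }
}

# Usage: list every listener, with the entries that need attention first.
Get-ListeningProcessReport |
    Sort-Object { $_.Verdict -ne 'expected' } -Descending |
    Format-Table LocalAddress, LocalPort, PID, ProcessName, Signature, Verdict -AutoSize
```

A flagged row is a starting point for the steps the notes describe (inspect the process in Task Manager, end it, run a malware scan), not a verdict on its own; the 'System' process (PID 4) has no file path, which is why it is excluded from the signature check.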
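The LOCAL SECURITY POLICY section above says password criteria belong under Account Policies and that the Account Lockout Policy guards against brute-force logons, and THE NET COMMAND section lists net accounts as the command that shows those requirements. The following PowerShell script is an added example, not part of the course notes, that parses net accounts output and compares it with a baseline; the $Baseline thresholds and the $SampleOutput lines are constructed, and the parser assumes an English-language Windows host.

```powershell
# Added example (not from the course notes): verify the Account Policies settings
# (password criteria and Account Lockout) by parsing "net accounts" output.
# Assumes an English-language Windows host; thresholds below are a constructed baseline.

$Baseline = @{
    'Minimum password length'     = 12    # characters, want >= this
    'Lockout threshold'           = 5     # failed attempts, want <= this; "Never" = disabled
    'Maximum password age (days)' = 365   # want <= this; "Unlimited" = never expires
}

function ConvertFrom-NetAccounts {
    param([string[]] $Lines)
    # net accounts prints "Setting name:   value" lines; build a name -> value table.
    $table = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<name>[^:]+?):\s+(?<value>.+?)\s*$') {
            $table[$Matches.name.Trim()] = $Matches.value
        }
    }
    return $table
}

function Test-AccountPolicy {
    param(
        [string[]]  $Lines    = (net accounts),   # live output unless a sample is supplied
        [hashtable] $Expected = $Baseline
    )
    $actual = ConvertFrom-NetAccounts -Lines $Lines
    foreach ($name in $Expected.Keys) {
        $raw  = $actual[$name]
        $want = $Expected[$name]
        $status = if ($null -eq $raw) {
            'MISSING: setting not found in output'
        } elseif ($name -eq 'Lockout threshold') {
            if ($raw -eq 'Never')        { 'FAIL: lockout disabled, brute-force attempts are not limited' }
            elseif ([int]$raw -le $want) { 'ok' }
            else                         { "FAIL: $raw attempts allowed, want <= $want" }
        } elseif ($name -eq 'Maximum password age (days)') {
            if ($raw -eq 'Unlimited')    { "FAIL: passwords never expire, want <= $want days" }
            elseif ([int]$raw -le $want) { 'ok' }
            else                         { "FAIL: $raw days, want <= $want" }
        } else {
            if ([int]$raw -ge $want)     { 'ok' } else { "FAIL: $raw, want >= $want" }
        }
        [pscustomobject]@{ Setting = $name; Actual = $raw; Expected = $want; Status = $status }
    }
}

# Constructed sample of "net accounts" output from a freshly installed workstation,
# so the check can be exercised without an elevated session or a real host.
$SampleOutput = @(
    'Force user logoff how long after time expires?:       Never',
    'Minimum password age (days):                          0',
    'Maximum password age (days):                          42',
    'Minimum password length:                              0',
    'Length of password history maintained:                None',
    'Lockout threshold:                                    Never',
    'Lockout duration (minutes):                           30',
    'Lockout observation window (minutes):                 30',
    'Computer role:                                        WORKSTATION',
    'The command completed successfully.'
)

# Against the sample: minimum password length and lockout threshold FAIL, maximum age is ok.
Test-AccountPolicy -Lines $SampleOutput | Format-Table -AutoSize
# On a live host, omit -Lines:  Test-AccountPolicy | Format-Table -AutoSize
```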