ITEL412 - Prelims.pdf

Full Transcript

IT PROFESSIONAL ELECTIVE

ITEL412 - Prelims
4TH YEAR, 1ST SEMESTER
KYLA MARIE LOPEZ | BSIT 4-Y1-3

Cyberattacks are intentional malicious acts meant to
WEEK 1: THE DANGER negatively impact another individual or organization.
Financial Gain:
WAR STORIES ○ Much of the hacking activity that consistently
threatens our security is motivated by financial
HIJACKED PEOPLE gain.
Hackers can set up open “rogue” wireless hotspots ○ Cybercriminals want to gain access to bank
posing as a genuine wireless network. accounts, personal data, and anything else they
Rogue wireless hotspots are also known as “evil twin” can leverage to generate cash flow.
hotspots. Trade Secrets and Global Politics
○ At times, nation states hack other countries, or
RANSOMED COMPANIES interfere with their internal politics.
Employees of an organization are often lured into opening ○ Often, they may be interested in using
attachments that install ransomware on the employees’ cyberspace for industrial espionage.
computers. ○ The theft of intellectual property can give a
This ransomware, when installed, begins the process of country a significant advantage in international
gathering and encrypting corporate data. trade.
The goal of the attackers is financial gain, because they
hold the company’s data for ransom until they are paid. HOW SECURE IS THE INTERNET OF THINGS?
The Internet of Things (IoT) helps individuals connect
TARGETED NATIONS things to improve their quality of life.
Some of today’s malware is so sophisticated Many devices on the internet are not updated with
and expensive to create that security experts believe only the latest firmware. Some older devices were not even
a nation state or group of nations could possibly have the developed to be updated with patches. These two
influence and funding to create it. situations create opportunity for threat actors and
Such malware can be targeted to attack a security risks for the owners of these devices.
nation’s vulnerable infrastructure, such as
the water system or power grid. THREAT IMPACT
One such malware was the Stuxnet worm
that infected USB drives and infiltrated PII, PHI, and PSI
Windows operating systems. It then targeted Step 7 Personally Identifiable Information (PII) is any information
software that was developed by Siemens for their that can be used to positively identify an individual, for
Programmable Logic Controllers (PLCs). example, name, social security number, birthdate, credit
card numbers etc.
THREAT ACTORS Cybercriminals aim to obtain these lists of PII that can
then be sold on the dark web. Stolen PII can be used to
THREAT ACTORS create fake financial accounts, such as credit cards and
Threat actors are individuals or groups of individuals who short-term loans.
perform cyberattacks. They include, but are not limited to: The medical community creates and maintains Electronic
○ Amateurs Medical Records (EMRs) that contain Protected Health
They are also known as script kiddies Information (PHI), a subset of PII.
and have little or no skill. Personal Security Information (PSI), another type of PII,
They often use existing tools or includes usernames, passwords, and other
instructions found on security-related information that individuals use to access
the internet to launch attacks. information or services on the network.
Even though they use basic tools, the
results can still be devastating. LOST COMPETITIVE ADVANTAGE
○ Hacktivists The loss of intellectual property to competitors is a
These are hackers who publicly protest serious concern.
against a variety of political and social An additional major concern is the loss of trust that
ideas. comes when a company is unable to protect its
They post articles and videos, leaking customers’ personal data.
sensitive information, and disrupting The loss of competitive advantage may come from this
web services with illegitimate traffic in loss of trust rather than another company or country
Distributed Denial of Service (DDoS) stealing trade secrets.
attacks.
○ Organized crime groups POLITICS AND NATIONAL SECURITY
○ State-sponsored groups It is not just businesses that get hacked.
○ Terrorist groups State-supported hacker warriors can cause disruption and
destruction of vital services and resources within an
enemy nation.
1
 The internet has become essential as a medium for ○ RESPONSIBILITY: Monitor incoming alerts, verify
commercial and financial activities. Disruption of these that a true incident has occurred, and forward
activities can devastate a nation’s economy. tickets to Tier 2, if necessary.
○ Monitors incidents, opens ticket, basic threat
SUMMARY mitigation
Threat actors can hijack banking sessions and other Tier 2 Incident Responder
personal information by using “evil twin” hotspots. ○ RESPONSIBILITY: Responsible for deep
Threat actors include, but are not limited to, amateurs, investigation of incidents and advise remediation
hacktivists, organized crime groups, state sponsored, and or action to be taken.
terrorist groups. ○ Deep investigation, Advises remediation
As the Internet of Things (IoT) expands, webcams, Tier 3 Threat Hunter
routers, and other devices in our homes are also under ○ RESPONSIBILITY: Experts in network, endpoint,
attack. threat intelligence, malware reverse engineering
Personally Identifiable Information (PII) is any information and tracing the processes of the malware to
that can be used to positively identify an individual. determine its impact and how it can be removed.
The medical community creates and maintains Electronic They are also deeply involved in hunting for
Medical Records (EMRs) that contain Protected Health potential threats and implementing threat
Information (PHI), a subset of PII. detection tools. Threat hunters search for cyber
Personal Security Information (PSI) includes usernames, threats that are present in the network but have
passwords, and other security-related information that not yet been detected.
individuals use to access information or services on the ○ In-depth knowledge, Threat hunting, preventive
network. measures
SOC Manager
WEEK 2: FIGHTERS IN THE WAR AGAINST CYBERCRIME ○ RESPONSIBILITY: Manages all the resources of
the SOC and serves as the point of contact for
THE MODERN SECURITY OPERATIONS CENTER the larger organization or customer.

ELEMENTS OF A SOC PROCESS IN THE SOC
To use a formalized, structured, and disciplined approach A Cybersecurity Analyst is required to monitor security
for defending against cyber threats, organizations alert queues and investigate the assigned alerts. A
typically use the services of professionals from a Security ticketing system is used to assign these alerts to the
Operations Center (SOC). analyst’s queue.
SOCs provide a broad range of services, from monitoring The software that generates the alerts can trigger false
and management, to comprehensive alarms. The analyst, therefore, needs to verify that an
threat solutions and customized hosted security. assigned alert represents a true security incident.
SOCs can be wholly in-house, owned and operated by a When this verification is established, the incident can be
business, or elements of a SOC can be contracted out to forwarded to investigators or other security personnel to
security vendors, such as Cisco’s Managed Security be acted upon. Otherwise, the alert is dismissed as a false
Services. alarm.
If a ticket cannot be resolved, the Cybersecurity Analyst
PEOPLE IN THE SOC forwards the ticket to a Tier 2 Incident Responder for
SOCs assign job roles by tiers, according to the expertise deeper investigation and remediation.
and responsibilities required for each. If the Incident Responder cannot resolve the ticket, it is
First tier jobs are more entry level, while third tier jobs forwarded to a Tier 3 personnel.
require extensive expertise.
The figure, which is originally from the SANS Institute, TECHNOLOGIES IN THE SOC: SIEM
graphically represents how these roles interact with each An SOC needs a Security Information and Event
other. Management (SIEM) system to understand the data that
firewalls, network appliances, intrusion detection
systems, and other devices generate.
SIEM systems collect and filter data, and detect, classify,
analyze and investigate threats. They may also manage
resources to implement preventive measures and address
future threats.

TECHNOLOGIES IN THE SOC: SOAR
SIEM and Security Orchestration, Automation and
Response (SOAR) are often paired together as they have
capabilities that complement each other.
Large security operations (SecOps) teams use both
technologies to optimize their SOC.
SOAR platforms are similar to SIEMs as they aggregate,
correlate, and analyze alerts. In addition, SOAR
technology integrate threat intelligence and automate
TIERS incident investigation and response workflows based on
Tier 1 Alert Analyst playbooks developed by the security team.
SOAR security platforms:
2
 ○ Gather alarm data from each component of the Security personnel understand that for the organization to
system. accomplish its priorities, network availability must be
○ Provide tools that enable cases to be researched, preserved.
assessed, and investigated. Each business or industry has a limited tolerance for
○ Emphasize integration as a means of automating network downtime. That tolerance is usually based upon a
complex incident response workflows that comparison of the cost of the downtime in relation to the
enable more rapid response and adaptive cost of ensuring against downtime.
defense strategies. Security cannot be so strong that it interferes with the
○ Include pre-defined playbooks that enable needs of employees or business functions. It is always a
automatic response to specific threats. tradeoff between strong security and permitting efficient
Playbooks can be initiated automatically based business functioning.
on predefined rules or may be triggered by
security personnel. BECOMING A DEFENDER

SOC METRICS CERTIFICATIONS
Whether internal to an organization or providing services A variety of cybersecurity certifications that are relevant
to multiple organizations, it is important to understand to careers in SOCs are available:
how well the SOC is functioning, so that improvements ○ Cisco Certified CyberOps Associate
can be made to the people, processes, and technologies ○ CompTIA Cybersecurity Analyst Certification
that comprise the SOC. ○ (ISC)² Information Security Certifications
Many metrics or Key Performance Indicators (KPI) can be ○ Global Information Assurance Certification
devised to measure different aspects of SOC (GIAC)
performance. However, five metrics are commonly used Search for “cybersecurity certifications” on the
as SOC metrics by SOC managers. Internet to know more about other vendor
and vendor-neutral certifications.
METRICS
Dwell Time FURTHER EDUCATION
○ The length of time that threat actors have access Degrees: When considering a career in the cybersecurity
to a network before they are detected, and their field, one should seriously consider pursuing a technical
access is stopped degree or bachelor’s degree in computer science,
Mean Time to Detect (MTTD) electrical engineering, information technology, or
○ The average time that it takes for the SOC information security.
personnel to identify valid security incidents Python Programming: Computer programming is an
have occurred in the network essential skill for anyone who wishes to pursue a career in
Mean Time to Respond (MTTR) cybersecurity. If you have never learned how to program,
○ The average time it takes to stop and remediate then Python might be the first language to learn.
a security incident Linux Skills: Linux is widely used in SOCs and other
Mean Time to Contain (MTTC) networking and security environments. Linux skills are a
○ The time required to stop the incident from valuable addition to your skillset as you work to develop a
causing further damage to systems or data career in cybersecurity.
Time to Control
○ The time required to stop the spread of malware SOURCES OF CAREER INFORMATION
in the network A variety of websites and mobile applications advertise
information technology jobs. Each site targets a variety of
ENTERPRISE AND MANAGED SECURITY job applicants and provides different tools for candidates
For medium and large networks, the organization will to research their ideal job position.
benefit from implementing an enterprise-level SOC, which Many sites are job site aggregators that gather listings
is a complete in-house solution. from other job boards and company career sites and
Larger organizations may outsource at least a part of the display them in a single location.
SOC operations to a security solutions provider. ○ Indeed.com
Cisco offers a wide range of incident response, ○ CareerBuilder.com
preparedness, and management capabilities including: ○ USAJobs.gov
○ Cisco Smart Net Total Care Service for Rapid ○ Glassdoor
Problem Resolution ○ LinkedIn
○ Cisco Product Security Incident Response Team
(PSIRT) GETTING EXPERIENCE
○ Cisco Computer Security Incident Response Internships: Internships are an excellent method for
Team (CSIRT) entering the cybersecurity field. Sometimes, internships
○ Cisco Managed Services turn into an offer of full time employment. However, even
○ Cisco Tactical Operations (TacOps) a temporary internship allows you the opportunity to gain
○ Cisco’s Safety and Physical Security Program experience in the inner workings of a cybersecurity
organization
Scholarships and Awards: To help close the security
skills gap, organizations like Cisco and INFOSEC have
SECURITY VS. AVAILABILITY introduced scholarship and awards programs.
Temporary Agencies: Many organizations use temporary
agencies to fill job openings for the first 90 days. If the
3
 employee is a good match, the organization may convert Dir
the employee to a full-time, permanent position. ○ Shows a listing of all the files in the current
Your First Job: If you have no experience in the directory (folder)
cybersecurity field, working for a call center or support cd directory
desk may be your first step into gaining the experience ○ Changes the directory to the indicated directory
you need to move ahead in your career. cd..
○ Changes the directory to the directory above the
SUMMARY current directory
Major elements of the SOC include people, processes, and cd \
technologies. ○ Changes the directory to the root directory (often
The job roles include a Tier 1 Alert Analyst, a Tier 2 C:)
Incident Responder, a Tier 3 Threat hunter, and an SOC copy source destination
Manager. ○ Copies files to another location
A Tier 1 Analyst monitors incidents, open tickets, and del filename
performs basic threat mitigation. ○ Deletes one or more files
SEIM systems are used for collecting and filtering data, Find
detecting and classifying threats, and analyzing and ○ Searches for text in files
investigating threats. mkdir directory
SOAR integrates threat intelligence and automates ○ Creates a new directory
incident investigation and response workflows based on ren oldname newname
playbooks developed by the security team. ○ Renames a file
KPIs are devised to measure different aspects of SOC Help
performance. Common metrics include Dwell Time, ○ Displays all the commands that can be used,
Meant Time to Detect (MTTD), Mean Time to Respond with a brief description
(MTTR), Mean Time to Contain (MTTC), and Time to help command
Control. ○ Displays extensive help for the indicated
There must be a balance between security and availability command
of the networks. Security cannot be so strong that it
interferes with employees or business functions. WINDOWS VERSIONS
A variety of cybersecurity certifications that are relevant Since 1993, there have been more than 20 releases of
to careers in SOCs are available from different Windows that are based on the NT operating system (OS).
organizations. Many editions were built specifically for workstation,
professional, server, advanced server, and datacenter
WEEK 3: THE WINDOWS OPERATING SYSTEM server, to name just a few of the many purpose-built
versions.
WINDOWS HISTORY The 64-bit operating system was an entirely new
architecture. It had a 64-bit address space instead of a
DISK OPERATING SYSTEM 32-bit address space.
The Disk Operating System (DOS) is an operating system 64-bit computers and operating systems are
that the computer uses to enable the data storage devices backward-compatible with older, 32-bit programs, but
to read and write files. 64-bit programs cannot be run on older, 32-bit hardware.
DOS provides a file system which organizes the files in a With each subsequent release of Windows, the operating
specific way on the disk. system has become more refined by incorporating more
MS-DOS, created by Microsoft, used a command line as features.
the interface for people to create programs and Microsoft has announced that Windows 10 is the last
manipulate data files. DOS commands are shown in bold version of Windows. Rather than purchasing new
text in the given command output. operating systems, users will just update Windows 10
With MS-DOS, the computer had a basic working instead.
knowledge of accessing the disk drive and loading the
operating system files directly from disk as part of the OS Version
boot process. Windows 7
Early versions of Windows consisted of a Graphical User ○ Starter, Home Basic, Home Premium,
Interface (GUI) that ran over MS-DOS, starting with Professional, Enterprise, Ultimate
Windows 1.0 in 1985. Windows Server 2008 R2
In newer versions of Windows, built on New Technologies ○ Foundation, Standard, Enterprise, Datacenter,
(NT), the operating system itself is in direct control of the Web Server, HPC Server, Itanium-Based Systems
computer and its hardware. Windows Home Server 2011
Today, many things that used to be accomplished through ○ None
the command line interface of MS-DOS can be Windows 8
accomplished in the Windows GUI. ○ Windows 8, Windows 8 Pro, Windows 8
To experience a little of MS-DOS, open a command Enterprise, Windows RT
window by typing cmd in Windows Search and pressing Windows Server 2012
Enter. ○ Foundation, Essentials, Standard, Datacenter
Windows 8.1
○ Windows 8.1, Windows 8.1 Pro, Windows 8.1
Enterprise, Windows RT 8.1
MS-DOS Command Windows Server 2012 R2
4
 ○ Foundation, Essentials, Standard, Datacenter ○ There are many services that run behind the
Windows 10 scenes.
○ Home, Pro, Pro Education, Enterprise, Education, ○ It is important to make sure that each service is
loT Core, Mobile, Mobile Enterprise identifiable and safe.
Windows Server 2016 ○ With an unknown service running in the
○ Essentials, Standard, Datacenter, Multipoint background, the computer can be vulnerable to
Premium Server, Storage Server, Hyper-V Server attack.
Encryption
WINDOWS GUI ○ When data is not encrypted, it can easily be
Windows has a graphical user interface (GUI) for users to gathered and exploited.
work with data files and software. ○ This is not only important for desktop
The GUI has a main area that is known as the Desktop. computers, but especially mobile devices.
The Desktop can be customized with various colors and Security policy
background images. ○ A good security policy must be configured and
Windows supports multiple users, so each user can followed.
customize the Desktop. ○ Many settings in the Windows Security Policy
The Desktop can store files, folders, shortcuts to control can prevent attacks.
locations and programs, and applications. Firewall
The Desktop also has a recycle bin icon, where files are ○ By default, Windows uses Windows Firewall to
stored when the user deletes them. Files can be restored limit communication with devices on the
from the recycle bin or the recycle bin can be emptied of network. Over time, rules may no longer apply.
files, which truly deletes them. ○ It is important to review firewall settings
At the bottom of the desktop, is the Task Bar. periodically to ensure that the rules are still
At the left is the Start menu which is used to access all of applicable and remove any that no longer apply.
the installed programs, configuration options, and the File and share permissions
search feature. ○ These permissions must be set correctly. It is
At the center, users place quick launch icons that run easy to give the “Everyone” group Full Control,
specific programs or open specific folders when they are but this allows all people to access all files.
clicked. ○ It is best to provide each user or group with the
On the right of the Task Bar is the notification area. The minimum necessary permissions for all files and
notification area shows, at a glance, the functionality of folders.
many different programs and features. Weak or no password
Mostly right-clicking an icon will bring up additional ○ Many people choose weak passwords or do not
functions that can be used. This list is known as the use a password at all.
Context Menu. ○ It is especially important to make sure that all
There are Context Menus for the icons in the notification accounts, especially the Administrator account,
area, for quick launch icons, system configuration icons, have a very strong password.
and for files and folders. Login as Administrator
The Context Menu provides many of the most commonly ○ When a user logs in as an administrator, any
used functions by just clicking. program that they run will have the privileges of
that account.
OPERATING SYSTEM VULNERABILITIES ○ It is best to log in as a Standard User and only
Operating systems consist of millions of lines of code. use the administrator password to accomplish
With all this code comes vulnerabilities. certain tasks
A vulnerability is some flaw or weakness that can be
exploited by an attacker to reduce the viability of a WINDOWS ARCHITECTURE AND OPERATIONS
computer’s information.
To take advantage of an operating system vulnerability, HARDWARE ABSTRACTION LAYER
the attacker must use a technique or a tool to exploit the A hardware abstraction layer (HAL) is software that
vulnerability. handles all of the communication between the hardware
The attacker can then use the vulnerability to get the and the kernel.
computer to act in a fashion outside of its intended The kernel is the core of the operating system and has
design. control over the entire computer.
In general, the goal is to gain unauthorized control of the The kernel handles all of the input and output requests,
computer, change permissions, or to manipulate or steal memory, and all of the peripherals connected to the
data. computer.
The basic Windows architecture is shown in the figure.
Windows OS Security recommendations
Virus or malware protection USER MODE AND KERNEL MODE
○ By default, Windows uses Windows Defender for The two different modes in which a CPU operates when
malware protection. the computer has Windows installed are the user mode
○ Windows Defender provides a suite of protection and the kernel mode.
tools built into the system. Installed applications run in user mode, and operating
○ If Windows Defender is turned off, the system system code runs in kernel mode.
becomes more vulnerable to attacks and All of the code that runs in kernel mode uses the same
malware. address space.
Unknown or unmanaged services
5
 When user mode code runs, it is granted its own restricted An attacker could store malicious code within an ADS that
address space by the kernel, along with a process created can then be called from a different file.
specifically for the application. In the NTFS file system, a file with an ADS is identified
after the filename and a colon, for example,
WINDOWS FILE SYSTEMS Testfile.txt:ADS. This filename indicates an ADS called
NTFS formatting creates important structures on the disk ADS is associated with the file called Testfile.txt.
for file storage, and tables for recording the locations of
files: WINDOWS BOOT PROCESS
○ Partition Boot Sector: This is the first 16 sectors Many actions occur between the power button is pressed
of the drive. It contains the location of the and Windows is fully loaded. This is the Windows Boot
Master File Table (MFT). The last 16 sectors process. Two types of computer firmware exist:
contain a copy of the boot sector. ○ Basic Input-Output System (BIOS): The process
○ Master File Table (MFT): This table contains the begins with the BIOS initialization phase in which
locations of all the files and directories on the the hardware devices are initialized and a POST
partition, including file attributes such as is performed. When the system disk is
security information and timestamps. discovered, the POST ends and looks for the
○ System Files: These are hidden files that store master boot record (MBR).The BIOS executes
information about other volumes and file the MBR code and the operating system starts to
attributes. load.
○ File Area: The main area of the partition where ○ Unified Extensible Firmware Interface (UEFI): UEFI
files and directories are stored. firmware boots by loading EFI program files (.efi)
Note: When formatting a partition, the previous data may stored in a special disk partition, known as the
still be recoverable because not all the data is completely EFI System Partition (ESP).
removed. It is recommended to perform a secure wipe on Whether the firmware is BIOS or UEFI, after a valid
a drive that is being reused. The secure wipe will write Windows installation is located, the Bootmgr.exe file is
data to the entire drive multiple times to ensure there is run.
no remaining data. Bootmgr.exe reads the Boot Configuration Database
(BCD).
Windows File System If the computer is coming out of hibernation, the boot
exFAT process continues with Winresume.exe.
○ This is a simple file system supported by many If the computer is being booted from a cold start, then the
different operating systems. Winload.exe file is loaded.
○ FAT has limitations to the number of partitions, Winload.exe also uses Kernel Mode Code Signing (KMCS)
partition sizes, and file sizes that it can address, to make sure that all drivers are digitally signed.
so it is not usually used for hard drives or After the drivers have been examined, Winload.exe runs
solid-state drives anymore. Ntoskrnl.exe that starts the Windows kernel and sets up
○ Both FAT16 and FAT32 are available to use, with the HAL.
FAT32 being the most common as it has many Note: A computer that uses UEFI stores boot code in the
fewer restrictions than FAT16. firmware. This helps to increase the security of the
Hierarchical File System Plus (HFS+) computer at boot time because the computer goes
○ This file system is used on MAC OS X computers directly into protected mode.
and allows much longer filenames, file sizes, and
partition sizes. WINDOWS STARTUP
○ Although it is not supported by Windows without There are two important registry items that are used to
special software, Windows is able to read data automatically start applications and services:
from HFS+ partitions. ○ HKEY_LOCAL_MACHINE - Several aspects of
Extended File System (EXT) Windows configuration are stored in this key,
○ This file system is used with Linux-based including information about services that start
computers. with each boot.
○ Although it is not supported by Windows, ○ HKEY_CURRENT_USER - Several aspects related
Windows is able to read data from EXT partitions to the logged in user are stored in this key,
with special software. including information about services that start
New Technology File System (NTFS) only when the user logs on to the computer.
○ This is the most commonly used file system Different entries in these registry locations define which
when installing Windows. All versions of services and applications will start, as indicated by their
Windows and Linux support NTFS. entry type.
○ Mac-OS X computers can only read an NTFS These types include Run, RunOnce, RunServices,
partition. They are able to write to an NTFS RunServicesOnce, and Userinit. These entries can be
partition after installing special drivers. manually entered into the registry, but it is much safer to
use the Msconfig.exe tool.
ALTERNATE DATA STREAMS The Msconfig tool is used to view and change all of the
NTFS stores files as a series of attributes, such as the start-up options for the computer. It opens the System
name of the file, or a timestamp. Configuration window.
The data which the file contains is stored in the attribute There are five tabs that contain the configuration options.
$DATA, and is known as a data stream. ○ General
By using NTFS, Alternate Data Streams (ADSs) can be Three different startup types can be
connected to the file. chosen here:
6
 Normal loads all drivers and services. Be very careful when manipulating the settings of these
Diagnostic loads only basic drivers and services. Shutting down a service may adversely affect
services. applications or other services.
Selective allows the user to choose
what to load on startup. MEMORY ALLOCATION AND HANDLES
○ Boot The virtual address space for a process is the set of
Any installed operating system can be virtual addresses that the process
chosen here to start. can use.
There are also options for Safe boot, The virtual address is not the actual physical location in
which is used to troubleshoot startup. memory, but an entry in a page table that is used to
○ Services translate the virtual address into the physical address.
All the installed services are listed here Each process in a 32-bit Windows computer supports a
so that they can be chosen to start at virtual address space that enables addressing up to 4
startup. gigabytes.
○ Startup Each process in a 64-bit Windows computer supports a
All the applications and services virtual address space of 8 terabytes.
that are configured to automatically Each user space process runs in a private address space,
begin at startup can be enabled or separate from other user space processes.
disabled by opening the task manager When the user space process needs to access kernel
from this tab. resources, it must use a process handle.
○ Tools As the user space process is not allowed to directly
Many common operating system tools access these kernel resources, the process handle
can be launched directly from this tab. provides the access needed by the user space process
without a direct connection to it.
WINDOWS SHUTDOWN A powerful tool for viewing memory allocation is
It is always best to perform a proper shutdown to turn off RAMMap, which is shown in the figure.
the computer. The computer needs time to close each RAMMap is part of the Windows Sysinternals Suite of
application, shut down each service, and record any tools. It can be downloaded from Microsoft.
configuration changes before power is lost. RAMMap provides information regarding how Windows
During shutdown, the computer will close user mode has allocated system memory to the kernel, processes,
applications first, followed by kernel mode processes. drivers, and applications.
There are several ways to shut down a Windows
computer: Start menu power options, the command line THE WINDOWS REGISTRY
command shutdown, and using Ctrl+Alt+Delete and Windows stores all of the information about hardware,
clicking the power icon. applications, users, and system settings in a large
There are three different options from which to choose database known as the registry.
when shutting down the computer: The registry is a hierarchical database where the highest
○ Shutdown: Turns the computer off (power off). level is known as a hive, below that there are keys,
○ Restart: Re-boots the computer (power off and followed by subkeys.
power on). Values store data and are stored in the keys and subkeys.
○ Hibernate: Records the current state of the A registry key can be up to 512 levels deep.
computer and user environment and stores it in a New hives cannot be created. The registry keys and
file. Hibernation allows the user to pick up right values in the hives can be created, modified, or deleted by
where they left off very quickly with all their files an account with administrative privileges.
and programs still open. As shown in the figure, the tool regedit.exe is used to
modify the registry.
PROCESSES, THREADS, AND SERVICES Be very careful when using this tool. Minor changes to the
A Windows application is made up of processes. A registry can have massive or even catastrophic effects.
process is any program that is currently executing. Navigation in the registry is very similar to Windows file
Each process that runs is made up of at least one thread. explorer.
A thread is a part of the process that can be executed. Use the left panel to navigate the hives and the structure
To configure Windows processes, search for Task below it and use the right panel to see the contents of the
Manager. The Processes tab of the Task Manager is highlighted item in the left panel.
shown in the figure. The path is displayed at the bottom of the window for
All of the threads dedicated to a process are contained reference.
within the same address space which means that these Registry keys can contain either a subkey or a value. The
threads may not access the address space of any other different values that keys can contain are as follows:
process. This prevents corruption of other processes. ○ REG_BINARY: Numbers or Boolean values
Some of the processes that Windows runs are services. ○ REG_DWORD: Numbers greater than 32 bits or
These are programs that run in the background to support raw data
the operating system and applications. ○ REG_SZ: String values
Services provide long-running functionality, such as The registry also contains the activity that a user
wireless or access to an FTP server. performs during normal day-to-day computer use.
To configure Windows Services, search for services. The This includes the history of hardware devices, including
Windows Services control panel applet is shown in the all devices that have been connected to the computer
figure. including the name, manufacturer and serial number.

7
 Registry Hive CLI AND POWERSHELL
HKEY_CURRENT_USER (HKCU) The Windows command line interface (CLI) can be used
○ Holds information concerning the currently to run programs, navigate the file system, and manage
logged in user. files and folders.
HKEY_USERS (HKU) To open the Windows CLI, search for cmd.exe and click
○ Holds information concerning all the user the program. These are a few things to remember when
accounts on the host. using the CLI:
HKEY_CLASSES_ROOT (HKCR) ○ The file names and paths are not case-sensitive,
○ Holds information about object linking and by default.
embedding (OLE) registrations. It allows users to ○ Storage devices are assigned a letter for
embed objects from other applications into a reference. This followed by a colon and
single document. backslash (\).
HKEY_LOCAL_MACHINE (HKLM) ○ Commands that have optional switches use the
○ Holds system-related information. forward slash (/) to delineate between the
HKEY_CURRENT_CONFIG (HKCC) command and the switch option.
○ Holds information about the current hardware ○ You can use the Tab key to auto-complete
profile. commands when directories or files are
referenced.
WINDOWS CONFIGURATION AND MONITORING ○ Windows keeps a history of the commands that
were entered during a CLI session. Access
RUN AS ADMINISTRATOR previously entered commands by using the up
As a security best practice, it is not advisable to log on to and down arrow keys.
Windows using the Administrator account or an account ○ To switch between storage devices, type the
with administrative privileges. letter of the device, followed by a colon, and then
There are two different ways to run or install press Enter.
a software that requires the privileges of the Another environment, called the Windows PowerShell, can
Administrator. be used to create scripts to automate tasks that the
regular CLI is unable to create.
Administrator PowerShell also provides a CLI for initiating commands.
○ Right-click the command in the Windows File PowerShell is an integrated program within Windows.
Explorer and choose Run as Administrator Like the CLI, PowerShell can also be run with
from the Context Menu. administrative privileges.
These are the types of commands that PowerShell can
Administrator Command Prompt execute:
○ Search for command, right-click the ○ cmdlets - These commands perform an action
executable file, and choose Run as Administrator and return an output or object to the next
from the Context Menu. command that will be executed.
○ Every command that is executed from this ○ PowerShell scripts - These are files with a.ps1
command line will be carried out with the extension that contain PowerShell commands
Administrator privileges, including installation of that are executed.
software. ○ PowerShell functions - These are pieces of code
that can be referenced in a script.
LOCAL USERS AND DOMAINS To see more information about PowerShell and get
When a new computer is started for the first time, or started using it, type help, as shown in the command
Windows is installed, there will be a prompt to create a output.
user account. This is known as a local user. There are four levels of help in Windows PowerShell:
This account contains all the customization settings, ○ get-help PS command - Displays basic help for a
access permissions, file locations, and many other command
user-specific data. ○ get-help PS command [-examples] - Displays
To make administration of users easier, Windows uses basic help for a command with examples
groups. A group will have a name and a specific set of ○ get-help PS command [-detailed] - Displays
permissions associated with it. detailed help for a command with examples
When a user is placed into a group, the permissions of ○ get-help PS command [-full] - Displays all help
that group are given to that user. information for a command with examples in
A user can be placed into multiple groups to be provided greater depth
with many different permissions. When the permissions
overlap, certain permissions, like “explicitly deny” will WINDOWS MANAGEMENT INSTRUMENTATION
override the permission provided by a different group. Windows Management Instrumentation (WMI) is used to
There are many different user groups built into Windows manage remote computers.
that are used for specific tasks. It can retrieve information about computer components,
Local users and groups are managed with the hardware and software statistics, and monitor the health
lusrmgr.msc control panel applet, as shown in the figure. of remote computers.
Windows also use domains to set permissions. A domain To open the WMI control from the Control Panel,
is a type of network service where all of the users, groups, double-click Administrative Tools > Computer
computers, peripherals, and security settings are stored Management to open the Computer Management window,
on and controlled by a database. expand the Services and Applications tree and right-click
the WMI Control icon > Properties.
8
 The WMI Control Properties window is shown in the A view of the performance statistics
figure. Four tabs in the WMI Control Properties window provides a overview of the CPU,
are: memory, disk, and network
○ General - Summary information about the local performance.
computer and WMI Clicking each item in the left pane will
○ Backup/Restore - Allows manual backup of show detailed statistics of that item in
statistics gathered by WMI the right pane.
○ Security - Settings to configure who has access ○ App history
to different WMI statistics The use of resources by application
○ Advanced - Settings to configure the default over time provides insight into
namespace for WMI applications that are consuming more
resources.
THE NET COMMAND Click Options and Show history for all
The net command is used in the administration and processes to see the history of every
maintenance of the OS. process that has run since the
The net command supports many subcommands that computer was started.
follow it and can be combined with switches to focus on ○ Startup
specific output. All the applications and services that
To see a list of the many net commands, type net help at start when the computer is booted are
the command prompt. shown in this tab.
The command output shows the commands that the net To disable a program from starting at
command can use. startup, right-click the item and choose
To see verbose help about any of the net commands, type Disable.
C:\> net help. ○ Users
All of the users that are logged on to the
Common net commands computer and all the resources that
net accounts each user’s applications and processes
○ Sets password and logon requirements for users are using are shown in this tab.
net session From this tab, an administrator can
○ Lists or disconnects sessions between a disconnect a user from the computer.
computer and other computers on the network ○ Details
net share This tab provides additional
○ Creates, removes, or manages shared resources management options for processes
net start such as setting a priority to make the
○ Starts a network service or lists running network processor devote more or less time to a
services process.
net stop CPU affinity can also be set which
○ Stops a network service determines which core or CPU a
net use program will use.
○ Connects, disconnects, and displays information A useful feature called Analyze wait
about shared network resources chain shows any process for which
net view another process is waiting. This feature
○ Shows a list of computers and network devices helps to determine if a process is
on the network simply waiting or is stalled.
○ Services
TASK MANAGER AND RESOURCE MONITOR All the services that are loaded are
There are two useful tools to help an administrator to shown in this tab.
understand the different applications, services, and The process ID (PID) and a short
processes that are running on a Windows computer. description are also shown along with
the status of either Running or Stopped.
Task Manager At the bottom, there is a button to open
○ The Task Manager, which is shown in the figure, the Services console which provides
provides a lot of information about the software additional management of services.
that is running and the general performance of
the computer. Resource Monitor
○ The Task Manager has seven tabs. ○ When more detailed information about resource
usage is needed, the Resource Monitor can be
Task Manager tabs used.
○ Processes ○ When searching for the reason a computer may
Lists all of the programs and processes be acting erratically, the Resource Monitor can
that are currently running. help to find the source of the problem.
Displays the CPU, memory, disk, and ○ Resource Monitor has Five tabs.
network utilization of each process.
The properties can be examined or Resource Monitor tabs
ended if it is not behaving properly or Overview
has stalled. ○ The tab displays the general usage for each
○ Performance resource.
9
 CPU In the Properties dialogue box,
○ The PID, number of threads, which the process is choose to Obtain an address
using, and the average CPU usage of each automatically if there is a
process is shown. DHCP server available on the
○ Additional information about any services and network or if the user wish to
the associated handles and modules can be seen configure addressing manually,
by expanding the lower rows. fill in the address, subnet,
Memory default gateway, and DNS
○ All the statistical information about how each servers.
process uses memory is shown in this tab and an Click OK to accept the
overview of usage of all the RAM is shown below changes.
the Processes row. You can also use the netsh.exe
Disk tool to configure networking
○ All the processes that are using a disk are shown parameters from a command
in this tab, with read/write statistics and an prompt.
overview of each storage device. This program can display and
Network modify the network
○ All the processes that are using the network are configuration.
shown in this tab, with read/write statistics. Type netsh /? at the command
○ It is very useful when trying to determine which prompt to see a list of all the
applications and processes are communicating switches.
over the network. Also, tell if an unauthorized
process is accessing the network. nslookup and netstat
○ Domain Name System (DNS) should also be
NETWORKING tested because it is essential to finding the
One of the most important features of any operating address of hosts by translating it from a name,
system is the ability for the computer to connect to a such as a URL.
network. ○ Use the nslookup command to test DNS.
To configure Windows networking properties and test ○ Type nslookup cisco.com at the command
networking settings, the Network and Sharing Center is prompt to find the address of the Cisco
used. webserver. If the address is returned, the DNS is
functioning correctly.
Network and Sharing Center ○ Type netstat at the command line to see details
○ It is used to verify or create network connections, of active network connections.
configure network sharing, and change network
adapter settings. ACCESSING NETWORK RESOURCES
○ The initial view shows an overview of the active Windows uses networking for many different applications
network. such as web, email, and file services.
○ From the window, you can see the HomeGroup Server Message Block (SMB) protocol is used to share
the computer belongs to, or create one if it is not network resources. It is mostly used for accessing files on
already part of a HomeGroup. Note that remote hosts.
HomeGroup was removed from Windows 10 in The Universal Naming Convention (UNC) format is used to
version 1803. connect to resources such as
\\servername\sharename\file.
Change Adapter Settings In the UNC, servername is the server that is hosting the
○ To configure a network adapter, choose Change resource. The sharename is the root of the folder in the
adapter settings in the Networking and Sharing file system on the remote host, while the file is the
Center to show all of the network connections resource that the local host is trying to find.
that are available. Select the adapter that is to be When sharing resources on the network, the area of the
configured. file system that will be shared will need to be identified.
○ Following are the steps to change an Ethernet Access control can be applied to the files to restrict users
adapter to acquire its IPv4 address automatically and groups to specific functions.
from the network: There are also special shares that are automatically
Step 1: Access Adaptor Properties created by Windows. These shares are called
Right-click the adapter you administrative shares and are identified by a dollar sign
wish to configure and choose ($) that comes after the share name.
Properties. Besides accessing shares on remote hosts, the user can
Step 2: Access TCP/IPv4 properties also log in to a remote host and manipulate that
This connection uses Internet computer, as if it were local, to make configuration
Protocol Version 4 (TCP/IPv4) changes, install software, or troubleshoot an issue.
or Internet Protocol Version 6 In Windows, this feature uses the Remote Desktop
(TCP/IPv6) depending on Protocol (RDP). The Remote Desktop Connection window
which version the user wish to is shown in the figure.
use. Since Remote Desktop Protocol (RDP) is designed to
Step 3: Change Settings permit remote users to control individual hosts, it is a
Click Properties to configure natural target for threat actors.
the adapter.
10
WINDOWS SERVER To ensure the highest level of protection against the
Most Windows installations are performed as desktop attacks, always ensure Windows is up to date with the
installations on desktops and laptops. latest service packs and security patches.
There is another edition of Windows that is mainly used in Update status, shown in the figure, allows you to check for
data centers called Windows Server. This is a family of updates manually and see the update history of the
Microsoft products that began with Windows Server 2003. computer.
Windows Server hosts many different services and can Patches are code updates that manufacturers provide to
fulfill different roles within a company. prevent a newly discovered virus or worm from making a
These are some of the services that Windows Server successful attack.
provides: From time to time, manufacturers combine patches and
○ Network Services: DNS, DHCP, Terminal services, upgrades into a comprehensive update application called
Network Controller, and Hyper-V Network a service pack.
virtualization Many devastating virus attacks could have been much
○ File Services: SMB, NFS, and DFS less severe if more users had downloaded and installed
○ Web Services: FTP, HTTP, and HTTPS the latest service pack.
○ Management: Group policy and Active Directory It is highly desirable that enterprises utilize systems that
domain services control automatically distribute, install, and track security
Note: Although there is a Windows Server 2000, it is updates.
considered a client version of Windows NT 5.0. Windows Windows routinely checks the Windows Update website
Server 2003 is a server based on NT 5.2 and begins a new for high-priority updates that can help protect a computer
family of Windows Server versions. from the latest security threats.
There are also settings for the hours where the computer
WINDOWS SECURITY will not automatically restart, for example during regular
business hours.
THE NETSTAT COMMAND Advanced options are also available to choose how
The netstat command is used to look for inbound or updates are installed how other Microsoft products are
outbound connections that are not authorized. updated.
The netstat command will display all of the active TCP
connections. LOCAL SECURITY POLICY
By examining these connections, it is possible to A security policy is a set of objectives that ensures the
determine the programs which are listening for security of a network, the data, and the computer systems
connections that are not authorized. in an organization.
When a program is suspected of being malware, the In most networks that use Windows computers, Active
process can be shut down with Task Manager, and Directory is configured with Domains on a Windows
malware removal software can be used to clean the Server. Windows computers join the domain.
computer. Windows Local Security Policy can be used for
To make this process easier, the connections can be stand-alone computers that are not part of an Active
linked to the running processes that were created by them Directory domain.
in Task Manager. Password guidelines are an important component of a
To do this, open a command prompt with administrative security policy.
privileges and enter the netstat -abno command. In the Local Security Policy, Password Policy is found
By examining the active TCP connections, an analyst under Account Policies and defines the criteria for the
should be able to determine if there are any suspicious passwords for all of the users on the local computer.
programs that are listening for incoming connections on Use the Account Lockout Policy in Account Policies to
the host. prevent brute-force login attempts.
There may be more than one process listed with the same It is important to ensure that computers are secure when
name. If this is the case, use the unique PID to find the users are away. A security policy should contain a rule
correct process. To display the PIDs for the processes in about requiring a computer to lock when the screensaver
the Task Manager, open the Task Manager, right-click the starts.
table heading and select PID. If the Local Security Policy on every stand-alone computer
is the same, then use the Export Policy feature. This is
EVENT VIEWER particularly helpful if the administrator needs to configure
Windows Event Viewer logs the history of application, extensive local policies for user rights and security
security, and system events. options.
These log files are a troubleshooting tool as they provide The Local Security Policy applet contains security
information necessary to identify a problem. settings that apply specifically to the local computer. The
Windows includes two categories of event logs: Windows user can configure User Rights, Firewall Rules, and the
Logs and Application and Services Logs. ability to restrict the files that users or groups are allowed
A built-in custom view called Administrative Events shows to run with the AppLocker.
all critical, error, and warning events from all the
administrative logs. WINDOWS DEFENDER
Security event logs are found under Windows Logs. They Malware includes viruses, worms, Trojan horses,
use event IDs to identify the type of event. keyloggers, spyware, and adware. These are designed to
invade privacy, steal information, damage the computer,
WINDOWS UPDATE MANAGEMENT or corrupt data.

11
 It is important to protect computers and mobile devices gigabytes. Each process in a 64-bit Windows computer
using reputable antimalware software. The following supports a virtual address space of up to eight terabytes.
types of antimalware programs are available: Windows stores all of the information about hardware,
○ Antivirus protection: This program continuously applications, users, and system settings in a large
monitors for viruses. When a virus is detected, database known as the registry.
the user is warned, and the program attempts to The registry is a hierarchical database where the highest
quarantine or delete the virus. level is known as a hive, below that there are keys,
○ Adware protection: This program continuously followed by subkeys.
looks for programs that display advertising on There are five registry hives that contain data regarding
the computer. the configuration and operation of Windows. There are
○ Phishing protection: This program blocks the IP hundreds of keys and subkeys.
addresses of known phishing websites and For security reasons, it is not advisable to log on to
warns the user about suspicious sites. Windows using the Administrator account or an account
○ Spyware protection: This program scans for with administrative privileges.
keyloggers and other spyware. Use Windows groups to make administration of users
○ Trusted / untrusted sources: This program warns easier. Local users and groups are managed with the
about unsafe programs about to be installed or lusrmgr.msc control panel applet.
unsafe websites. You can use the CLI or the Windows PowerShell to
It may take multiple scans to completely remove all execute commands. PowerShell can be used to create
malicious software. Run only one malware protection scripts to automate tasks that the regular CLI is unable to
program at a time. automate.
Several security organizations such as McAfee, Windows Management Instrumentation (WMI) is used to
Symantec, and Kaspersky offer all-inclusive malware manage remote computers.
protection for computers and mobile devices. The net command can be combined with switches to
Windows has built-in virus and spyware protection called focus on specific output.
Windows Defender. Task Manager provides a lot of information about what is
Windows Defender is turned on by default to provide running, and the general performance of the computer.
real-time protection against infection. The Resource Monitor provides more detailed information
Although Windows Defender works in the background, the about resource usage.
user can perform manual scans of the computer and The Server Message Block (SMB) protocol is used to
storage devices. share network resources such as files on remote hosts.
The Windows netstat command displays all open
WINDOWS DEFENDER FIREWALL communication ports on a computer and can also display
A firewall selectively denies traffic to a computer or the software processes that are associated with the ports.
network segment. Windows Event Viewer provides access to numerous
To allow program access through the Windows Defender logged events regarding the operation of a computer.
Firewall, search for Control Panels. Under Systems and It is very important to keep Windows up to date to guard
Security, locate Windows Defender Firewall. Click Allow against new security threats.
an app or feature through Windows Defender Firewall, as Windows should be configured to automatically download
shown in the figure. and install updates as they become available.
To disable the Windows Firewall and use a different
software firewall, click Turn Windows Firewall on or off. WEEK 4: LINUX OVERVIEW
Many additional settings can be found under
Advanced settings. Here, inbound or outbound traffic LINUX BASICS
rules can be created and different aspects of the firewall
can be monitored. WHAT IS LINUX?
Linux is an operating system that was created in 1991.
SUMMARY Linux is open source, fast, reliable, and small. It requires
The first computers required a Disk Operating System very little hardware resources to run and is highly
(DOS) to create and manage files. customizable.
Microsoft developed MS-DOS as a command line Linux is part of several platforms and can be found on
interface (CLI) to access the disk drive and load the devices anywhere from wristwatches to supercomputers.
operating system files. Early versions of Windows Linux is designed to be connected to the network, which
consisted of a Graphical User Interface (GUI) that ran over makes it much simpler to write and use network-based
MS-DOS. applications.
Windows consists of a hardware abstraction layer (HAL) A Linux distribution is the term used to describe packages
which handles all the communication between the created by different organizations and include the Linux
hardware and the kernel. kernel with customized tools and software packages.
Windows operates in two different modes, the user mode
and kernel mode. Most Windows programs run in user THE VALUE OF LINUX
mode. The kernel mode allows operating system code Linux is often the operating system of choice in the
direct access to the computer hardware. Security Operations Center (SOC). These are some of the
A computer works by storing instructions in RAM until the reasons to choose Linux:
CPU processes them. ○ Linux is open source - Any person can acquire
Each process in a 32-bit Windows computer supports a Linux at no charge and modify it to fit specific
virtual address space that enables addressing up to four needs.

12
 ○ The Linux CLI is very powerful - The Linux A penetration test, also known as PenTesting, is the
Command Line Interface (CLI) is extremely process of looking for vulnerabilities in a network or
powerful and enables analysts to perform tasks computer by attacking it.
not only directly on a terminal, but also remotely. Packet generators, port scanners, and proof-of-concept
○ The user has more control over the OS - The exploits are examples of PenTesting tools.
administrator user in Linux, known as the root Kali Linux is a Linux distribution which contains many
user, or superuser, can modify any aspect of the penetration tools together in a single Linux distribution.
computer with a few keystrokes. Notice all the major categories of penetration testing
○ It allows for better network communication tools of Kali Linux.
control - Control is an inherent part of Linux.
WORKING IN THE LINUX SHELL
LINUX IN THE SOC
The flexibility provided by Linux is a great feature for the THE LINUX SHELL
SOC. The entire operating system can be tailored to In Linux, the user communicates with the OS by using the
become the perfect security analysis platform. CLI or the GUI.
Sguil is the cybersecurity analyst console in a special Linux often starts in the GUI by default. This hides the CLI
version of Linux called Security Onion. from the user.
Security Onion is an open source suite of tools that work One way to access the CLI from the GUI is through a
together for network security analysis. terminal emulator application. These applications provide
user access to the CLI and are named as some variation
SOC Tool of the word terminal.
○ Network packet capture software In Linux, popular terminal emulators are Terminator,
A crucial tool for a SOC analyst as it eterm, xterm, konsole, and gnome-terminal.
makes it possible to observe and Fabrice Bellard has created JSLinux which allows an
understand every detail of a network emulated version of Linux to run in a browser.
transaction. Note: The terms shell, console, console window, CLI
Wireshark is a popular packet capture terminal, and terminal window are often used
tool. interchangeably.
○ Malware analysis tools
These tools allow analysts to safely run BASIC COMMANDS
and observe malware execution without Linux commands are programs created to perform a
the risk of compromising the underlying specific task.
system. As the commands are programs stored on the disk, when
○ Intrusion detection systems (IDSs) a user types a command, the shell must find it on the disk
These tools are used for real-time traffic before it can be executed.
monitoring and inspection.
If any aspect of the currently flowing Command
traffic matches any of the established ○ Mv
rules, a pre-defined action is taken. Moves or renames files and directories.
○ Firewalls ○ Chmod
This software is used to specify, based Modifies file permissions.
on pre-defined rules, whether traffic is ○ Chown
allowed to enter or leave a network or Changes the ownership of a file.
device. ○ Dd
○ Log managers Copies data from an input to an output.
Log files are used to record events. ○ Pwd
Because a network can generate a very Displays the name of the current
large number of log entries, log directory.
manager software is employed to ○ Ps
facilitate log monitoring. Lists the processes that are currently
○ Security information and event management running in the system.