Infosec

Ref:

Color Wheel Team

InfoSec colour wheel

  • Red Team: Offensive security (attacks the system to find exploitable weaknesses)
  • Blue Team: Defensive security (detects, responds to and prevents attacks)
  • Yellow Team: The builders (developers, architects and engineers who create the system)
  • Purple Team (Red + Blue): Feeds offensive results back into defensive tactics so detection and response improve
  • Orange Team (Red + Yellow): Attackers educate builders so security is designed in rather than bolted on
  • Green Team (Blue + Yellow): Defenders work with builders so the software is observable and defensible (logging, monitoring hooks)
  • White Team: Management, compliance and coordination; sets the rules and referees the exercise

Domain

Types of InfoSec:

  • Application security
  • Cloud security
  • Cryptography
  • Infrastructure security
  • Incident response: monitors for and investigates potentially malicious behavior
  • Vulnerability management: scanning an environment for weak points (such as unpatched software) and prioritizing remediation based on risk

Certificate

  • CompTIA (Security+, CySA+, PenTest+)
  • CISSP (Certified Information Systems Security Professional)

Web Application

OWASP Top 10 Application Security Risks (2017 edition):

  • A1: Injection
  • A2: Broken authentication
  • A3: Sensitive data exposure
  • A4: XML external entities (XXE)
  • A5: Broken access control
  • A6: Security misconfiguration
  • A7: Cross-site scripting (XSS)
  • A8: Insecure deserialization
  • A9: Using components with known vulnerabilities
  • A10: Insufficient logging and monitoring

Networking

  • sshguard: protects against brute-force attacks by monitoring system logs (e.g. sshd authentication failures), detecting attack patterns and blocking the source address with the host firewall
  • DNS Blocklists
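To show what the sshguard-style detection above actually does, here is an added example (my own code, not sshguard's) that parses OpenSSH "Failed password" lines from a constructed auth.log sample, counts failures per source address in a sliding time window, and emits a firewall rule for each offender. The threshold, window and the iptables rule format are assumptions for the demo; the log lines are made up, not captured from a real host.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not from a real system).
# 203.0.113.5 hammers the host, 198.51.100.7 is a user with one typo,
# 192.0.2.9 is a "low and slow" attacker spacing attempts 30 minutes apart.
SAMPLE_LOG = """\
Mar  3 10:15:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:03 host sshd[2002]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:15:04 host sshd[2003]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Mar  3 10:15:06 host sshd[2004]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  3 10:15:20 host sshd[2005]: Accepted publickey for deploy from 198.51.100.7 port 40002 ssh2
Mar  3 10:16:30 host sshd[2006]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Mar  3 10:16:31 host sshd[2007]: Accepted password for alice from 198.51.100.7 port 40010 ssh2
Mar  3 12:00:00 host sshd[2008]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar  3 12:30:00 host sshd[2009]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar  3 13:00:00 host sshd[2010]: Failed password for root from 192.0.2.9 port 33003 ssh2
Mar  3 13:30:00 host sshd[2011]: Failed password for root from 192.0.2.9 port 33004 ssh2
"""

# Matches the syslog timestamp, the sshd tag and the failure message; the
# optional "invalid user" prefix appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; an assumed year is supplied."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_brute_force(log_text: str, threshold: int = 4, window_seconds: int = 600) -> dict:
    """Return {ip: time_of_block} for every source that reached `threshold`
    failed passwords within a sliding window of `window_seconds`."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    blocked = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip = m.group("ip")
        if ip in blocked:
            continue
        ts = parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def firewall_rules(blocked: dict) -> list:
    """One way to act on the verdict: a DROP rule per offender (assumed iptables backend)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blocked)]


if __name__ == "__main__":
    offenders = find_brute_force(SAMPLE_LOG)
    for ip, when in offenders.items():
        print(f"{ip} blocked at {when}")
    print("\n".join(firewall_rules(offenders)))
```

With the default 4 failures in 10 minutes only 203.0.113.5 is blocked; the single typo from 198.51.100.7 never reaches the threshold. The caveat worth remembering is the third source: 192.0.2.9 makes the same number of attempts but spaced far enough apart that they never coexist in the window, so a log-based blocker with short windows does not see it. Widening the window to 90 minutes catches it, at the cost of more false positives on shared NAT addresses.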

Secure Coding

Penetration Test

Vulnerability assessments and penetration tests share most of the same process; both start with the following steps:

  1. Reconnaissance: Gather information about the target through direct and indirect means, such as DNS records, web search results and other publicly available information. The objective is to identify the attack surface.
  2. Application Mapping: Spider or walk through the web/mobile app and identify deficiencies in the web server and software configuration.
  3. Discovery: Identify vulnerabilities such as information leakage and insecure authentication. At this point a vulnerability assessment is complete; a penetration test takes the process a step further.
  4. Exploitation: Attempt to exploit the identified vulnerabilities to simulate real-world attacks.
  5. Reporting: Document the proof of concept, the severity of each issue and its impact on the system.
  6. Mitigation: Follow up with the development team, providing recommendations and other protective measures to fix the security issues.

Tools

  • Burp Suite, OWASP ZAP: intercepting (man-in-the-middle) proxies for inspecting and modifying web traffic
  • apktool, dex2jar, JD-GUI: Android app reverse-engineering toolkit
  • sqlmap: automated SQL injection detection and exploitation
  • drozer, QARK: Android app component security testing
  • DirBuster: brute-forcing directories and files in web applications
  • nmap: discovering hosts, open ports and services on remote systems
  • Arachni: web application security scanner framework

STRIDE (Threat Modeling)

  • [Threat Modeling: uncover vulnerabilities without looking at code](https://www.youtube.com/watch?v=Fmp9UFjPiJs)

Reference: [Wiki](https://en.wikipedia.org/wiki/STRIDE_(security))

Description:

  • Spoofing: Pretending to be someone you are not
  • Tampering: Modifying Data
  • Repudiation: “I didn’t do it, nobody saw me do it, can’t prove anything”
  • Information Disclosure: Leakage of Information that should be private
  • Denial of Service: Stopping something from working or responding
  • Elevation of Privilege: Upgrading from user to administrator access

Mitigation Perspective (each threat is countered by the security property it violates):

  • Spoofing: Authentication (strong credentials, mutual TLS, signed tokens)
  • Tampering: Integrity (MACs, digital signatures, hashes; encryption alone does not stop modification)
  • Repudiation: Non-repudiation (digital signatures, tamper-evident audit logs)
  • Information Disclosure: Confidentiality (encryption, access control)
  • Denial of Service: Availability (rate limiting, resource quotas, redundancy)
  • Elevation of Privilege: Authorization (least privilege, privilege checks at every boundary)
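The Tampering row above is the one most often mis-filed under "encryption", so here is an added example (my own code, not from the notes or any referenced source) showing why confidentiality and integrity are separate properties. It uses a toy SHA-256 counter-mode keystream from the standard library purely for illustration: an attacker who knows part of the plaintext flips ciphertext bits and the message decrypts to a different amount, while the encrypt-then-MAC version detects the same flip. The key, nonce and message are constructed demo values; real code should use an AEAD such as AES-GCM or ChaCha20-Poly1305 and never reuse a nonce.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output size


def derive_keys(master: bytes):
    """Separate keys for confidentiality and integrity, derived from one secret."""
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256. Illustration only; a real
    system uses a vetted AEAD cipher instead of this construction."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream. Encrypt and decrypt are the same op."""
    return bytes(b ^ k for b, k in zip(data, keystream(key, nonce, len(data))))


def flip_known_plaintext(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Tampering without the key: whoever knows that `old` sits at `offset`
    XORs in (old ^ new) and the ciphertext now decrypts to `new`."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def seal(master: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce||ciphertext, so any bit flip is detected."""
    enc_key, mac_key = derive_keys(master)
    ct = xor_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(master: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    enc_key, mac_key = derive_keys(master)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was tampered with")
    return xor_crypt(enc_key, nonce, ct)


# Constructed demo values (a real key and nonce must be random, nonce never reused).
MASTER = bytes(range(32))
NONCE = b"\x00" * 12
MSG = b"transfer amount=0100 to=bob"
OFFSET = MSG.index(b"0100")


def forge_without_mac() -> bytes:
    """Encryption alone: the forged ciphertext decrypts cleanly to a different amount."""
    enc_key, _ = derive_keys(MASTER)
    ct = xor_crypt(enc_key, NONCE, MSG)
    forged = flip_known_plaintext(ct, OFFSET, b"0100", b"9900")
    return xor_crypt(enc_key, NONCE, forged)


def forge_with_mac() -> bool:
    """Encrypt-then-MAC: the same flip is rejected. Returns True when tampering was caught."""
    blob = seal(MASTER, NONCE, MSG)
    forged = flip_known_plaintext(blob, OFFSET, b"0100", b"9900")
    try:
        open_sealed(MASTER, NONCE, forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("without MAC, receiver sees:", forge_without_mac())
    print("with MAC, tampering detected:", forge_with_mac())
```

The first function returns "transfer amount=9900 to=bob" even though the attacker never learned the key: stream ciphers (and CTR-mode block ciphers) are malleable, so encryption buys Information Disclosure protection but not Tampering protection. The second function shows the integrity control that STRIDE's Tampering row actually calls for.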

Root Cause Analysis

Other names:

  • post-mortem (literally: after death)

Ref:

Investigation Method:

  1. The “5-Whys” Analysis
  2. Barrier Analysis
  3. Change Analysis
  4. Causal Factor Tree Analysis
  5. Failure Mode and Effects Analysis
  6. Fish-Bone Diagram or Ishikawa Diagram
  7. Pareto Analysis
  8. Fault Tree Analysis