Category: Cisco

This is the second post in a series about the new CCNA DevNet certification (Previous Post Here). In this post, we will look at how to manage in Python the three formats that we previously discussed.

Example of XML parsing in Python

from __future__ import print_function
import xml.etree.ElementTree as ET
def main():
    # create element tree object
    with open('xmlfile.xml', 'r') as xmlFile:
        tree = ET.parse(xmlFile)
    # get root element
    root = tree.getroot()
    print("Root Tag: " + root.tag)
    print("Using a for Loop:")
    for child in root:
        print(child.tag)
        for attrib in child:
            print(attrib.tag, end=' ')
            print(attrib.text)

    print("Using Indexes:")
    print(root[0].tag)
    print(root[0][0].tag,end=' ')
    print(root[0][0].text)
    print(root[0][1].tag,end=' ')
    print(root[0][1].text)

    print(root[1].tag)
    print(root[1][0].tag,end=' ')
    print(root[1][0].text)
    print(root[1][1].tag,end=' ')
    print(root[1][1].text)

    print(root[2].tag)
    print(root[2][0].tag,end=' ')
    print(root[2][0].text)
    print(root[2][1].tag,end=' ')
    print(root[2][1].text)

    print("Other:")
    for hostname in root.iter('hostname'):
        print(hostname.tag,end=' ')
        print(hostname.text)

if __name__ == "__main__":
    # calling main function
    main()

Example run of the previous code:

Root Tag: esx
Using a for Loop:
XX1
hostname ESXi01
ipaddress 10.10.10.101
XX2
hostname ESXi02
ipaddress 10.10.10.102
XX3
hostname ESXi03
ipaddress 10.10.10.103
Using Indexes:
XX1
hostname ESXi01
ipaddress 10.10.10.101
XX2
hostname ESXi02
ipaddress 10.10.10.102
XX3
hostname ESXi03
ipaddress 10.10.10.103
Other:
hostname ESXi01
hostname ESXi02
hostname ESXi03

This is the XML file we used:

<?xml version="1.0" encoding="UTF-8"?>
<esx>
<XX1>
<hostname>ESXi01</hostname>
<ipaddress>10.10.10.101</ipaddress>
</XX1>
<XX2>
<hostname>ESXi02</hostname>
<ipaddress>10.10.10.102</ipaddress>
</XX2>
<XX3>
<hostname>ESXi03</hostname>
<ipaddress>10.10.10.103</ipaddress>
</XX3>
</esx>

To achieve something similar with the .json file we would use “import json”

import json

def main():
    with open('jason.json', 'r') as jsonFile:
        #load jason file
        myJasonFile = json.load(jsonFile)
    print(myJasonFile)

if __name__ == "__main__":
    # calling main function
    main()

And to parse YAML

import yaml

with open("yamlfile.yaml", 'r') as yamlFile:
    try:
        print(yaml.safe_load(yamlFile))
    except yaml.YAMLError as exc:
        print(exc)

Let us read the RSS feed (XML) directly from a Website (https://vwannabe.com/feed/)*

from urllib.request import urlopen
from xml.etree.ElementTree import parse

myURL = urlopen("https://vwannabe.com/feed/")
myXML=parse(myURL)

for item in myXML.iterfind('channel/item'):
    title = item.findtext('title')
    date = item.findtext('pubDate')
    link = item.findtext('link')

    print(title)
    print(date)
    print(link)
    print()

*adapted from “Python – How to Read XML from URL?” by Vinish Kapoor

This is the result of the previous code:

CCNA DevNet Study Guide – Part 1
Sun, 19 Jan 2020 17:17:45 +0000
CCNA DevNet Study Guide – Part 1

vSphere Upgrade 6.0 to 6.5 Fails with Replace Process Level Token error.
Wed, 19 Jun 2019 15:32:13 +0000
vSphere Upgrade 6.0 to 6.5 Fails with Replace Process Level Token error.

Vembu now supports Hyper-V Cluster
Thu, 01 Nov 2018 12:25:42 +0000
Vembu now supports Hyper-V Cluster

vCenter 6.7 upgrade walkthrough
Fri, 20 Apr 2018 19:26:54 +0000
vCenter 6.7 upgrade walkthrough

Vembu
Wed, 28 Mar 2018 19:11:09 +0000
Vembu

How to re-register the embedded VMware Update Manager (VUM) to its vCenter (VCSA) 6.5
Wed, 21 Feb 2018 23:06:36 +0000
How to re-register the embedded VMware Update Manager (VUM) to its vCenter (VCSA) 6.5

How to spin up a Linux instance in AWS
Thu, 08 Feb 2018 20:57:06 +0000
How to spin up a Linux instance in AWS

CCNA Cyber Ops – SECOPS 1.0
Tue, 02 Jan 2018 20:23:21 +0000
CCNA Cyber Ops – SECOPS 1.0

Hacking Public Speaking
Wed, 30 Aug 2017 16:50:28 +0000
Hacking Public Speaking

VMworld 2017 General Session Day Two
Tue, 29 Aug 2017 17:44:05 +0000
https://vwannabe.com/2017/08/29/vmworld-2017-general-session-day-two/

The CISCO Blueprint uses REST calls to a site and parses the JSON. You can find the example here. In the next port for this series, I will talk about “Describe the concepts of test-driven development”.

Vembu is a Backup and Disaster Recovery company which extends it support to both physical and virtual environments at affordable pricing thus ensuring high availability of resources to data centers. Vembu BDR Suite is their current software offering that provides free Backup & DR solutions for VMware vSphere, Microsoft Hyper-V Virtual Machines, Physical Servers, Workstations, MS-Applications and SaaS applications (Office 365 and G Suite).

Vembu BDR Suite of Products – categorized based on following environments

Vembu VMBackup is an agentless backup solution for VMware vSphere Backup and Microsoft Hyper-V Backup. Vembu CBT driver along with the VSS technology for application consistency ensures up to 5 times improvement in performance over any other backup software.

Vembu ImageBackup, a part of Vembu BDR Suite, provides backup and disaster recovery solution for Windows IT environments. Quick VM Recovery helps the businesses to achieve an RTO of less than 15 mins.

Vembu NetworkBackup protects business data across File servers, Application servers and Endpoints can be protected. Vembu Universal Explorer is a free tool that is devised to provide Backup and Recovery to application files and folders.

Vembu OffsiteDR allows users to replicate the backed up data from their primary on-site backup server to an offsite server location in a highly secure and reliable manner through  AES 256-bit encryption.

Following are the collection of products under Vembu Cloud Services:

Vembu CloudDR allows users to replicate your VMware, Hyper-V and Windows Server backup to Vembu cloud storage thus ensuring high protectivity.

Vembu OnlineBackup lets you backup the data across File Servers, Application Servers and Endpoints in Vembu cloud residing on Amazon Web Services (AWS) through AES 256-bit encryption.

Vembu SaaSBackup is designed to backup the Mails, Calendars, Contacts and Drives content of Office 365 and Google Apps. The data after the backup will be sent to the Vembu Cloud for storage over a secured network.

Vembu BDR360  significantly increases administrator’s productivity by providing end to end visibility to all your IT environments. Thus, making it easier for the business to manage their overall  IT setup through an efficient report generation process.

To Download the free trial version of Vembu BDR Suite click below: https://www.vembu.com/vembu-bdr-suite-download/

 Other Free Products offered by Vembu are as follows:

Free Windows Workstations Backup

Free File Backup of Workstations

Free Vembu Universal Explorer

Free Vembu Recovery CD

Product Presentations and Webinars:

• Presentations
• Webinars

Download the following Whitepapers for Free:

• True 15-Minute RTO for Mission-Critical VM Systems.
• Optimize RPO & RTO While Enhancing DR Resilience
• By Virtualizing Its Backup Repository as a File System, Vembu Changes the Dynamics of Data Protection for Business Applications in a vSphere Environment
• Does Backup Need a File System of its Own? A Deep Dive Into VembuHIVE File Systems.

I started the study guide for the first part of this certification last year. You can check it out here. After some great feedback, I’ve decided to start the Study Guide for the second part of the certification, Implementing Cisco Cybersecurity Operations (SECOPS).  I also was accepted on cohort 7 for the scholarship. The scholarship is still available at the time of this post, and it can be accessed here. I will try to follow the blueprint as close as possible, but I will leave some topics for later in the year after I learned a little more about them.

1.0 Endpoint Threat Analysis and Computer Forensics

1.1 Interpret the output report of a malware analysis tool such as AMP Threat Grid and Cuckoo Sandbox.

1.2 Describe these terms as they are defined in the Common Vulnerability Scoring System (CVSS 3.0):

a. Attack Vector (AV): This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across the Internet is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater score. The list of possible values is presented in Figure 1.

Figure 1: Attack Vector

b. Attack Complexity (AC): This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. As described below, such conditions may require the collection of more information about the target, the presence of certain system configuration settings, or computational exceptions. Importantly, the assessment of this metric excludes any requirements for user interaction in order to exploit the vulnerability (such conditions are captured in the User Interaction metric). This metric value is largest for the least complex attacks. The list of possible values is presented in Figure 2.

Figure 2: Attack Complexity

c. Privileges Required (PR): This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This metric is greatest if no privileges are required. The list of possible values is presented in Figure 3.

Figure 3: Privileges Required

d. User interaction (UI): This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. This metric value is greatest when no user interaction is required. The list of possible values is presented in Figure 4.

Figure 4: User Interaction

e. Scope (S): An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means or privileges. This consequence is represented by the metric Authorization Scope, or simply Scope. Formally, Scope refers to the collection of privileges defined by a computing authority (e.g., an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g., files, CPU, memory, etc.). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based on predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports. When the vulnerability of a software component governed by one authorization scope can affect resources governed by another authorization scope, a Scope change has occurred. Intuitively, one may think of a scope change as breaking out of a sandbox, and an example would be a vulnerability in a virtual machine that enables an attacker to delete files on the host OS (perhaps even its own VM). In this example, there are two separate authorization authorities: one that defines and enforces privileges for the virtual machine and its users, and one that defines and enforces privileges for the host system within which the virtual machine runs. A scope change would not occur, for example, with a vulnerability in Microsoft Word that allows an attacker to compromise all system files of the host OS, because the same authority enforces privileges of the user’s instance of Word, and the host’s system files. The Base score is greater when a scope change has occurred. The list of possible values is presented in Figure 5.

Figure 5: Scope

1.3 Describe these terms as they are defined in the Common Vulnerability Scoring System (CVSS 3.0):

a. Confidentiality Impact (C): This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The list of possible values is presented in Figure 6. This metric value increases with the degree of loss to the impacted component.

Figure 6: Confidentiality Impact

b. Integrity Impact (I): This metric measures the impact on the integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. The list of possible values is presented in Figure 7. This metric value increases with the consequence to the impacted component.

Figure 7: Integrity Impact

c. Availability Impact (A): This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the impacted component, this metric refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component. The list of possible values is presented in Figure 8. This metric value increases with the consequence to the impacted component.

Figure 8: Availability Impact

1.4 Define these items as they pertain to the Microsoft Windows file system

a. FAT32: is an updated version of the FAT (File Allocation Table) file system created in 1977 by Microsoft. It is a computer file system architecture and a family of industry-standard file systems utilizing it. With FAT32 you’re limited to 2TB FAT32 partitions and 4GB maximum size files.

b. NTFS (New Technology Files System): is a proprietary file system developed by Microsoft.

c. Alternative data streams:Alternate Data Streams (ADS) is a file attribute only found on the NTFS file system. You’ll need a tool like streams to view this data. Here is an example.

d. MACE: NTFS keeps track of lots of time stamps. Each file has a time stamp for ‘Create’, ‘Modify’, ‘Access’, and ‘Entry Modified’. The latter refers to the time when the MFT entry itself was modified. These four values are commonly abbreviated as the ‘MACE’ values. Note that other attributes in each MFT record may also contain timestamps that are of forensic value.

1. MFT (Master File Table): The NTFS file system contains a file called the master file table, or MFT. There is at least one entry in the MFT for every file on an NTFS file system volume, including the MFT itself. All information about a file, including its size, time and date stamps, permissions, and data content, is stored either in MFT entries, or in space outside the MFT that is described by MFT entries.

e. EFI: The EFI system partition (ESP) is a partition on a data storage device (usually a hard disk drive or solid-state drive) that is used by computers adhering to the Unified Extensible Firmware Interface (UEFI).

1. 1. UEFI: The Unified Extensible Firmware Interface (UEFI) is a specification that defines a software interface between an operating system and platform firmware.

f. Free space: See File system, it refers to the unallocated space in a file system.

g. Timestamps on a file system: File properties in regards of date and time.

1.5 Define these terms as they pertain to the Linux file system

a. EXT4: The ext4 or fourth extended filesystem is a journaling file system for Linux, developed as the successor to ext3.

b. Journaling: A journaling file system is a file system that keeps track of changes not yet committed to the file system’s main part by recording the intentions of such changes in a data structure known as a “journal”, which is usually a circular log.

c. Master Boot Record (MBR): is a special type of boot sector at the very beginning of partitioned computer mass storage devices like fixed disks or removable drives intended for use with IBM PC-compatible systems and beyond. The MBR holds the information on how the logical partitions, containing file systems, are organized on that medium. The MBR also contains executable code to function as a loader for the installed operating system—usually by passing control over to the loader’s second stage, or in conjunction with each partition’s volume boot record (VBR). This MBR code is usually referred to as a boot loader.

d. Swap filesystem: Swap space in Linux is used when the amount of physical memory (RAM) is full. If the system needs more memory resources and the RAM is full, inactive pages in memory are moved to the swap space. While swap space can help machines with a small amount of RAM, it should not be considered a replacement for more RAM. Swap space is located on hard drives, which have a slower access time than physical memory.

e. MAC: In cryptography, a message authentication code (MAC), sometimes known as a tag, is a short piece of information used to authenticate a message—in other words, to confirm that the message came from the stated sender (its authenticity) and has not been changed. The MAC value protects both a message’s data integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content.

1.6 Compare and contrast three types of evidence

a. Best evidence: Original, unaltered evidence. In court, this is preferred over secondary evidence.The best evidence rule is a legal principle that holds an original copy of a document as superior evidence.

b. Corroborative evidence: (or corroboration) is evidence that supports a proposition already supported by initial evidence, therefore confirming the original proposition.

c. Indirect Evidence (Circumstantial): Circumstantial evidence is evidence that relies on an inference to connect it to a conclusion of fact—like a fingerprint at the scene of a crime. By contrast, direct evidence supports the truth of an assertion directly—i.e., without need for any additional evidence or inference.

1.7 Compare and contrast two types of image (both refer to Integrity, see above)

a. Altered disk image: A system image with a compromised integrity.

b. Unaltered disk image: An image that has not been tampered with and that will provide the same result as the original when applied a hash algorithm like MD5.

1.8 Describe the role of attribution (“action of bestowing or assigning”) in an investigation. (Cyber attribution is the process of tracking, identifying and laying blame on the perpetrator of a cyberattack or other hacking exploit). This  a nice read on the problem of attribution.

a. Assets: In information security, computer security and network security, an asset is any data, device, or other component of the environment that supports information-related activities.

b. Threat actor: Responsible for the cyberattack.

In future posts I will try to cover the following topics:

• Network Intrusion Analysis
• Incident Response
• Data and Event Analysis
• Incident Handling

Llevo mucho tiempo pensando en como hacer el Camino de Santiago (Francés). Yo quiero empezar en St. Jean Pied dePort en Francia, y caminar las 515 millas hasta Santiago, y si tengo tiempo llegar al fin del mundo (Finisterre).

El primer paso en tan grande aspiración es el plan. Como todo en la vida se necesita salud, dinero y tiempo. Confiado en Dios que dará salud para llegar, y dado que me va a tomar unos años ir (lo que significa que tengo tiempo para ahorrar dinero), vamos a hablar del tiempo.

Estoy planificando mi Camino para terminar en Santiago el 25 de junio del 2021, en este año la fiesta de Santiago es celebrada en domingo. Tomando en cuenta que son 515 millas (830km) y que tengo 26 días (36 con los fines de semana) de vacaciones (que las pueda tomar todas de corrido será una lucha para otro día), tendría que caminar 16-18 millas (25 – 28 km) diarias. Esto tomando en consideración dos días al principio y dos días al final para viajar y dejando un día realengo para algún evento sorpresa. La distancia actual con la que me siento cómodo es de 7 a 12 millas, y nunca he caminado por varios días de corrido. Así que una vez tenga el equipo tengo que ponerme a entrenar.

El segundo punto en la planificación es el equipo. Mi equipo lo estoy adquiriendo poco a poco, entre Walmart, Amazon y REI. Pienso que los mas importante son los zapatos y las medias. Luego de hacer un estudio de las opciones encontré dos zapatos que me funcionan. Estos son:

• Salomon Men’s XA Pro 3D CS WP Trail Running Shoe ($115)

• La Sportiva Synthesis Mid GTX Men’s Ultralight Hiking Boot ($186)

Me gusta mas La Sportiva porque se vé menos bodrogo, ambos son muy cómodos, resistentes al agua y tienen el sistema de amarrar que es fácil.

Las medias que me han funcionado mejor hasta ahora son las “WRIGHTSOCK CoolMesh“, también estoy experimentando con “Merino Wool“, y un día me puse la de lana sobre la Wrightsock, pero el zapato me apretó un poco, así que si encuentras que esa es la solución para evitar la lesiones entonces planifica comprar el zapato un poco mas grande. La ventaja de comprar en REI es que tiene garantía y los puedes llevar a cambiar.

El próximo artículo que es bien importante es el backpack. Hay tantas opciones y tantos blogs que al final del día decidí ir personalmente a REI y pedir consejo. Esto fue lo mejor que hice porque allí me midieron el torso y pude probar varios modelos. Recuerda que aunque es un largo caminar, es diario. Es decir, que al final del día tienes todo lo que necesitas como comida, cama y puedes lavar tu ropa de ser necesario. Luego de explicarle al encargado la razón por la que quería adquirir un backpack, llegamos a un modelo de tamaño correcto. El backpack debe ser liviano, de 35 a 45 L, donde se pueda cargar como de 20 a 30 libras (aproximadamente el 10% de tu peso). Este fue el modelo que llenó los requisitos y que también esta en mi presupuesto: Osprey Stratos 36 Pack junto con el aditamento para el agua: Osprey Hydraulics LT Reservoir – 2.5 Liters

Bueno hasta ahora eso es lo que tengo, voy a probarlo con un par de caminatas de mas de 10 millas a ver como me va. La ropa debe ser de secado rápido y muy liviana, encontré que la ropa interior, camisas y pantalones Under Armour pesan sólo onzas y es muy cómoda. Compré en amazon una toalla de microfibra (Beach Towel) para probar como se siente y como seca.

Es bien importante que al escoger el resto de equipo siempre tener en cuenta que mientras más liviano mejor. Entre el agua y en backpack ya son 8 libras, solo me quedan 12-20 libras más y todavía no he contado la cámara o el teléfono. Esta es una lista que todavía tengo en proceso de lo que necesito:

• Pasaporte, tarjeta de crédito, cash.
• Bolsas impermeables: para organizar dentro del backpack
• Bolsa para Laundry: por si comparto la lavadora con otros caminantes.
• Adaptador para el teléfono (o la cámara).
• Kit para dormir: no puedo dormir cuando la gente esta roncando a mi lado 🙂
• Jabón, cepillo de dientes y pasta, desodorante, etc.
• Aleve, Advil o Tylenol.
• Jacket que sea impermeable y también proteja del frío en las mañanas.
• Sunscreen
• Gorra o sombrero impermeable
• Sleeping Bag Liner con protección contra insectos: chinches en los albergues es común, según lo que he leído.
• Algún tipo de prevención de ampollas (blisters) en los pies.
• Pequeña linterna.

Poco a poco iré modificando la lista y espero algún día escribir una pequeña reseña sobre qué funcionó o que me hizo falta.

UPDATE

Cumplí mi sueño, caminé a Santiago de Compostela en Agosto del 2018. Viajé de Baltimore (BWI) a Paris haciendo escala en Iceland y de vuelta fue Madrid-Germany-BWI. Desde Paris viajé a Biarritz en avión usando Easyjet y luego nos fuimos en taxi de Biarritz a SJPP. EL viaje en taxi para tres costó 99 euros. Caminamos desde SJPP al pié de los Pirineos en Francia hasta una etapa antes de Logroño en el mapa que está al principio de este post. De Logroño tomamos transportacion en bus y tren hasta Piedrafita (la parada del bus antes de O’Cebreiro) y luego caminamos hasta Santiado de Compostela. También pasamos un día en Madrid al final. La pregrinación fué mágica, la mejor experiencia de mi vida. Usé las zapatillas La Sportiva y no tuve problemas, siempre usaba Leukotape cuando sentia “hot spots”. Pienso que me hicieron flata unos buenos Walking Poles, me dolian (duelen 6 meses después) las rodillas mientras bajaba. Todo el equipo que llevé fué muy útil, excepto la linterna y los libros guía. En agosto no necesitaba el jacket porque estaba super caliente y además tuve la suerte de que nunca llovió. Me gasté menos de $3000 por persona, incluyendo toda la transportacion, visitas al Prado, un tatuaje de $240 y una glotonería increible porque fuí con mis hijos adolescentes que comían cinco veces al día. Viví una fantasía en la tierra, no puedo esperar a volver.

This is the last of a series of posts about the CCNA Cyber Ops certification, you can find the fifth part here.

6.1 Compare and contrast an attack surface and vulnerability: The attack surface of a software environment is the sum of the different points (the “attack vectors”) where an unauthorized user (the “attacker”) can try to enter data to or extract data from an environment. A vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.

6.2 Describe these network attacks

• 6.2.a Denial of service: (DoS attack) is a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.
• 6.2.b Distributed denial of service: A distributed denial-of-service (DDoS) is a cyber-attack where the perpetrator uses more than one, often thousands of, unique IP addresses.
• 6.2.c Man-in-the-middle: an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

6.3 Describe these web application attacks

• 6.3.a SQL injection: is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
• 6.3.b Command injections: Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell.
• 6.3.c Cross-site scripting: (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites.

6.4 Describe these attacks

• 6.4.a Social engineering: An attack based on deceiving end users or administrators at a target site. Social engineering attacks are typically carried out by email or by contacting users by phone and impersonating an authorized user, in an attempt to gain unauthorized access to a system or application.
• 6.4.b Phishing: Phishing is misrepresentation where the criminal uses social engineering to appear as a trusted identity.
• 6.4.c Evasion methods: bypassing an information security device in order to deliver an exploit, attack, or another form of malware to a target network or system, without detection.

6.5 Describe these endpoint-based attacks

• 6.5.a Buffer overflows: is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations.
• 6.5.b Command and control (C2): the term refers to the influence an attacker has over a compromised computer system that they control.
• 6.5.c Malware: short for malicious software, is any software used to disrupt computer or mobile operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising.
• 6.5.d Rootkit: is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.
• 6.5.e Port scanning: probing a server or host for open ports.
• 6.5.f Host profiling: Identifying groups of Internet hosts with a similar behavior or configuration.

6.6 Describe these evasion methods

• 6.6.a Encryption and tunneling: One common method of evasion used by attackers is to avoid detection simply by encrypting the packets or putting them in a secure tunnel.
• 6.6.b Resource exhaustion: A common method of evasion used by attackers is extreme resource consumption, though this subtle method doesn’t matter if such a denial is against the device or the personnel managing the device. Specialized tools can be used to create a large number of alarms that consume the resources of the IPS device and prevent attacks from being logged.
• 6.6.c Traffic fragmentation: Fragmentation of traffic was one of the early network IPS evasion techniques used to attempt to bypass the network IPS sensor.
• 6.6.d Protocol-level misinterpretation: Attackers also evade detection by causing the network IPS sensor to misinterpret the end-to-end meaning of network protocols.
• 6.6.e Traffic substitution and insertion: is when that attacker attempts to substitute payload data with other data in a different format, but the same meaning. A network IPS sensor may miss such malicious payloads if it looks for data in a particular format and doesn’t recognize the true meaning of the data.
• 6.6.f Pivot: refers to a method used by penetration testers that use the compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines.

6.7 Define privilege escalation

Privilege Escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

6.8 Compare and contrast remote exploit and a local exploit

A remote exploit works over a network and exploits the security vulnerability without any prior access to the vulnerable system. A local exploit requires prior access to the vulnerable system and usually increases the privileges of the person running the exploit past those granted by the system administrator.

Well, that is all for now and please, don’t open that link on your inbox if you don’t know who the sender is.

This is part five of a series of posts about the CCNA Cyber Ops certification, you can find the fourth part here. This post presents a few concepts used to help us secure our systems.

5.1 Identify the types of data provided by these technologies

• 5.1.a TCP Dump: a tool that displays network traffic
• 5.1.b NetFlow: NetFlow provides valuable information about network users and applications, peak usage times, and traffic routing. The basic output of NetFlow is a flow record.
• 5.1.c Next-Gen firewall:Cisco Firepower NGFW appliances combine our proven network firewall with the industry’s most effective next-gen IPS and advanced malware protection.
• 5.1.d Traditional stateful firewall: is a network firewall that tracks the operating state and characteristics of network connections traversing it.
• 5.1.e Application visibility and control: The Cisco Application Visibility and Control (AVC) solution is a suite of services in Cisco network devices that provides application-level classification, monitoring, and traffic control, to:
  • Improve business-critical application performance
  • Support capacity management and planning
  • Reduce network operating costs

• 5.1.f Web content filtering: A Web filter is a program that can screen an incoming Web page to determine whether some or all of it should not be displayed to the user. The data here comes in the form of a URL by browsing or a click on a link.
• 5.1.g Email content filtering: Cisco Email Security protects against ransomware, business email compromise, spoofing, and phishing. It uses advanced threat intelligence and a multilayered approach to protect inbound messages and sensitive outbound data. The data or message here comes in the form of an email.

5.2 Describe these types of data used in security monitoring

• 5.2.a Full packet capture: A packet consists of control information and user data, which is also known as the payload. Control information provides data for delivering the payload, for example: source and destination network addresses, error detection codes, and sequencing information. Typically, control information is found in packet headers and trailers. Actual packets collected by storing network traffic.
• 5.2.b Session data: Session data is the summary of the communication between two network devices. Also known as a conversation or a flow, this summary data is one of the most flexible and useful forms of NSM (Network Security Monitoring) data.
• 5.2.c Transaction data: application-specific records generated from network traffic. Logs deeper connection-level information, which may span multiple packets within a connection. Must have predefined templates for protocol formatting. Common for logging HTTP header/request information, SMTP command data, etc.
• 5.2.d Statistical data: Overall summaries or profiles of network traffic.
• 5.2.f Extracted content: Metadata. In a typical NSM deployment, this data would be captured through a network tap or switch. This type of data includes data streams, files, web pages contrary to the full content that would refer to the unfiltered collection of packets.
• 5.2.g Alert data: Judgments made by tools that inspect network traffic. Typically the result of finely-tuned signatures matching against packet content, and similar in nature to transaction data. This information, rather than being for logging purposes is intended to indicate discrete events which might be attacks.

5.3 Describe these concepts as they relate to security monitoring

• 5.3.a Access control list (ACL): specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. IP ACLs control whether routed packets are forwarded or blocked at the router interface. Your router examines each packet in order to determine whether to forward or drop the packet based on the criteria that you specify within the ACL. A Filesystem ACLs is a data structure (usually a table) containing entries that specify individual user or group rights to specific system objects such as programs, processes, or files.
• 5.3.b NAT/PAT: NAT (Network Address Translation) replaces a private IP address with a public IP address, translating the private addresses in the internal private network into legal, routable addresses that can be used on the public Internet. Dynamic Port Address Translation (PAT)—A group of real IP addresses are mapped to a single IP address using a unique source port of that IP address.
• 5.3.c Tunneling: Tunneling is a technique that enables remote access users to connect to a variety of network resources (Corporate Home Gateways or an Internet Service Provider) through a public data network. In general, tunnels established through the public network are point-to-point (though a multipoint tunnel is possible) and link a remote user to some resource at the far end of the tunnel. Major tunneling protocols (ie: Layer 2 Tunneling Protocol (L2TP), Point to Point Tunneling Protocol (PPTP), and Layer 2 Forwarding (L2F)) encapsulate Layer 2 traffic from the remote user and send it across the public network to the far end of the tunnel where it is de-encapsulated and sent to its destination. The most significant benefit of Tunneling is that it allows for the creation of VPNs over public data networks to provide cost savings for both end users, who do not have to create dedicated networks, and for Service Providers, who can leverage their network investments across many VPN customers.
• 5.3.d TOR (The Onion Router): Tor aims to conceal its users’ identities and their online activity from surveillance and traffic analysis by separating identification and routing. It is an implementation of onion routing, which encrypts and then randomly bounces communications through a network of relays run by volunteers around the globe.
• 5.3.e Encryption: is the process of encoding messages or information in such a way that only authorized parties can access it.
• 5.3.f P2P (Peer to Peer): in computing or networking is a distributed application architecture that partitions tasks or workloads between peers.
• 5.3.g Encapsulation: is a method of designing modular communication protocols in which logically separate functions in the network are abstracted from their underlying structures by inclusion or information hiding within higher level objects.

• 5.3.h Load balancing: When a router learns multiple routes to a specific network via multiple routing processes (or routing protocols, such as RIP, RIPv2, IGRP, EIGRP, and OSPF), it installs the route with the lowest administrative distance in the routing table. In a more general sense it improves the distribution of workloads across multiple computing resources, such as computers, a computer cluster, network links, central processing units, or disk drives.

5.4 Describe these NextGen IPS event types

• 5.4.a Connection event: Connection events are the records of any connection that occurs in a monitored network.
• 5.4.b Intrusion event: When the system recognizes a packet that is potentially malicious.
• 5.4.c Host or endpoint event: events that happen the endpoints connected to your network.
• 5.4.d Network discovery event: Discovery events alert you to the activity on your network and provide you with the information you need to respond appropriately. They are triggered by the changes that your managed devices detect in the network segments they monitor.
• 5.4.e NetFlow event: significant events in the life of a flow, like creation tear-down, and flows denied by an access rule.

5.5 Describe the function of these protocols in the context of security monitoring

• 5.5.a DNS: is a globally distributed, scalable, hierarchical, and dynamic database that provides a mapping between hostnames, IP addresses (both IPv4 and IPv6), text records, mail exchange information (MX records), name server information (NS records), and security key information defined in Resource Records (RRs). DNS primarily translates hostnames to IP addresses or IP addresses to hostnames. Flaws in the implementation of the DNS protocol allow it to be exploited and used for malicious activities like DOS and DDOS.
• 5.5.b NTP: Network Time Protocol (NTP) is a protocol designed to time-synchronize devices within a network. It is very valuable to have the correct time settings in the events logging systems, in this way the analysis of the events will be accurate.
• 5.5.c SMTP/POP/IMAP: The email servers and the way to connect to them influence heavily in the way monitoring and intrusion prevention are configured. The server that provides the service must be hardened and the connection and download method should be secured with the different methods we’ve read through the post.
• 5.5.d HTTP/HTTPS: The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, and hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web. HTTPS (also called HTTP over TLS, HTTP over SSL, and HTTP Secure) is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security, or its predecessor, Secure Sockets Layer. The main motivation for HTTPS is authentication of the visited website and protection of the privacy and integrity of the exchanged data.

This is part four of a series of posts about the CCNA Cyber Ops certification, you can find the third part here. We will jump out of the network and get into the application server or host.

4.1 Define these terms as they pertain to Microsoft Windows

4.1.a Processes: A process is an executing program.
4.1.b Thread: is the basic unit to which the operating system allocates processor time.
4.1.c Memory allocation: The task of fulfilling an allocation request consists of locating a block of unused memory of sufficient size. Memory requests are satisfied by allocating portions from a large pool of memory called the heap or free store.
4.1.d Windows Registry: Windows stores its configuration information in a database called the registry. The registry contains profiles for each user of the computer and information about system hardware, installed programs, and property settings. Windows continually reference this information during its operation.
4.1.e WMI: Windows Management Instrumentation (WMI) is a set of specifications from Microsoft for consolidating the management of devices and applications in a network from Windows computing systems. WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is built on the Common Information Model (CIM), a computer industry standard for defining device and application characteristics so that system administrators and management programs can control devices and applications from multiple manufacturers or sources in the same way.
4.1.f Handles: An object is a data structure that represents a system resource, such as a file, thread, or graphic image. An application cannot directly access object data or the system resource that an object represents. Instead, an application must obtain an object handle, which it can use to examine or modify the system resource. Each handle has an entry in an internally maintained table. These entries contain the addresses of the resources and the means to identify the resource type.
4.1.g Services: Microsoft Windows services, formerly known as NT services, enable you to create long-running executable applications that run in their own Windows sessions. These services can be automatically started when the computer boots, can be paused and restarted, and do not show any user interface. These features make services ideal for use on a server or whenever you need long-running functionality that does not interfere with other users who are working on the same computer. You can also run services in the security context of a specific user account that is different from the logged-on user or the default computer account. For more information about services and Windows sessions, see the Windows SDK documentation in the MSDN Library. A Windows service is a computer program that operates in the background.
4.2 Define these terms as they pertain to Linux

4.2.a Processes: An instance of a program that is being executed. Each process has a unique PID, which is that process’s entry in the kernel’s process table.
4.2.b Fork: creates a new process by duplicating the calling process. The new process is referred to as the child process. The calling process is referred to as the parent process.
4.2.c Permissions: a system to control the ability of the users and processes to view or make changes to the contents of the filesystem.
4.2.d Symlink: is the nickname for any file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution.
4.2.e Daemon: In multitasking computer operating systems, a daemon is a computer program that runs as a background process, rather than being under the direct control of an interactive user.

4.3 Describe the functionality of these endpoint technologies in regards to security monitoring

4.3.a Host-based intrusion detection: Intrusion detection (or prevention) software installed on the endpoints as opposed to the network.
4.3.b Antimalware and antivirus: Let’s start with the differences between “viruses” and “malware.” Viruses are a specific type of malware (designed to replicate and spread), while malware is a broad term used to describe all sorts of unwanted or malicious code. Malware can include viruses, spyware, adware, nagware, trojans, worms, and more.
4.3.c Host-based firewall: A host-based firewall is a piece of software running on a single host that can restrict incoming and outgoing network activity for that host only. They can prevent a host from becoming infected and stop infected hosts from spreading malware to other hosts.
4.3.d Application-level whitelisting/blacklisting: In Windows, it is possible to configure two different methods that determine whether an application should be allowed to run. The first method, known as blacklisting, is when you allow all applications to run by default except for those you specifically do not allow. The other and more secure method is called whitelisting, which blocks every application from running by default, except for those you explicitly allow.
4.3.e Systems-based sandboxing (such as Chrome, Java, Adobe reader): Sandboxing is a technique for creating confined execution environments to protect sensitive resources from illegal access. A sandbox, as a container, limits or reduces the level of access its applications have.

4.4 Interpret these operating system log data to identify an event

4.4.a Windows security event logs: Event logs are special files that record significant events on your computer, such as when a user logs on to the computer or when a program encounters an error. Whenever these types of events occur, Windows records the event in an event log that you can read by using Event Viewer.The Security log is designed for use by the system. However, users can read and clear the Security log if they have been granted the SE_SECURITY_NAME privilege (the “manage auditing and security log” user right).
4.4.b Unix-based syslog: Syslog is a way for network devices to send event messages to a logging server – usually known as a Syslog server. The Syslog protocol is supported by a wide range of devices and can be used to log different types of events.

4.4.c Apache access logs: In order to effectively manage a web server, it is necessary to get feedback about the activity and performance of the server as well as any problems that may be occurring. The Apache HTTP Server provides very comprehensive and flexible logging capabilities.
4.4.d IIS access logs: IIS uses a flexible and efficient logging architecture. When a loggable event, usually an HTTP transaction, occurs, IIS calls the selected logging module, which then writes to one of the logs stored in %SystemRoot%\system32\Logfiles\<service_name>.