* (asterisk), 172
. (dot), 210
- (dash), 94
1xx, HTTP (Hypertext Transfer Protocol), 228
2xx, HTTP (Hypertext Transfer Protocol), 228
3DES (Triple DES), 419
3xx, HTTP (Hypertext Transfer Protocol), 228
4 As, 595
4xx, HTTP (Hypertext Transfer Protocol), 228
5xx, HTTP (Hypertext Transfer Protocol), 228
802.11 standard, authentication, 258
802.11 wireless frames, 255–256
802.3 Ethernet LAN, 255
802.11 wireless association, 256
A, DNS (Domain Name System), 214
A (Availability Impact), 476
A4 threat model, 595
AAA (Authentication, Authorization, and Accounting), 385–387
RADIUS (Remote Authentication Dial-in User Service), 388
TACACS+ (Terminal Access Controller Access-Control System Plus), 388
AAAA, DNS (Domain Name System), 214
ABAC (attribute-based access control), 385
AC (Attack Complexity), 475
acceptable use policy (AUP), 382
access attacks, 314
social engineering attacks, 317–318
AAA (Authentication, Authorization, and Accounting), 385–387
access control models, 385
access control lists. See ACLs (access control lists)
access control models, 385
accessing network resources, 56–57
Account Lockout Policy, 62
accounting and auditing, AAA servers, 279
accounting logs, AAA (Authentication, Authorization, and Accounting), 388–390
ACK, 195
ACLs (access control lists), 508–509
communications security, 384
actions on objectives, Cyber Kill Chain, 587
active mode, wireless devices, 258
address classes, IPv4, 155–156
address formatting, IPv6, 162
address notation, IPv4, 148–149
address resolution, IPv6, 167
Address Resolution Protocol (ARP), 127, 179
ARP tables, on networking devices, 181–182
IP (Internet Protocol)
destination on remote networks, 178
destination on same network, 176–177
issues
ARP spoofing, 183
MAC (Media Access Control)
destination on remote networks, 178
destination on same network, 176–177
removing entries from ARP tables, 181
address spoofing attacks, 343, 348–349
network addresses, IPv4, 151–152
IPv4
host address structure, 149–150
subnetting broadcast domains, 152–153
hard links and symbolic links, 96–97
monitoring service logs, 89–91
roles and file permissions, 94–96
service configuration files, 84–88
administrative shares, 56
Administrator Command Prompt, Windows, 41–42
administrators, running as administrator (Windows), 41–42
ADSs (Alternate Data Streams), 29–31
Advanced Encryption Standard (AES), 419–420
Advanced Malware Protection (AMP), 271
Advanced Packaging Tool (APT), 99–101
IDSs (intrusion detection systems), 268–269
IPSs (intrusion prevention systems), 268–269
adware, 310
AES (Advanced Encryption Standard), 419–420
agent-based antivirus, 460
agent-based patch management, 488–489
agentless antivirus protection, 460
agentless scanning, patch management, 489–490
aggregation, SIEM (security information and event management), 339
AIS (Automated Indicator Sharing), 301, 393
alert data, 514
alert evaluation, 550–551, 552
deterministic analysis, 552–553
probabilistic analysis, 552–553
sources of alerts
analysis tools, 544
detection tools for collecting alert data, 543–544
Security Onion, 542
allocating ports, TCP (Transmission Control Protocol), 196–198
Alternate Data Streams (ADSs), 29–31
amateurs, 4
AND, IPv4, 151
AMP (Advanced Malware Protection), 271, 461, 462–463
ESA (Email Security Appliance), 272
amplification and reflection attacks, 346–347
digital forensics, 572
NIST incident response life cycle, 606
analysis centers, 600
analysis tools, sources of alerts, 544
AND, 152
anomaly detection, 472
anomaly-based HIDS, 465
host-based malware protection, 459
antivirus/antimalware software, 459–461
host-based firewalls, 460
host-based security sites, 460–461
antivirus/antimalware software, 459–461
APs, 262
client to AP association process, 258–260
Apache access log, 522
Apache HTTP Server access logs, 522–523
API calls, investigating, 567–568
App history tab, Task Manager, 49
application gateway firewalls, 265
application layer, OSI (Open Systems Interconnection) model, 131
application logs, Event Viewer, 519
system-based sandboxing, 469
identifying with transport layer protocols, 185
installing on Linux hosts, 100–101
PKI (public key infrastructure), 447
apt-get command, Linux, 78
apt-get update command, Linux, 102
apt-get upgrade command, Linux, 102
HAL (hardware abstraction layer), 27–28
kernel, 28
user mode, 28
ARP. See Address Resolution Protocol (ARP)
arp -a command, 181
ARP Reply, 355
ARP Request, 354
ARP spoofing, 183
ARP tables, on networking devices, 181–182
association, client and AP association, 260
asterisk (*), 172
asymmetric encryption algorithms, 416, 417, 421–423
APT (Advanced Packaging Tool), 99–101
attachment-based attacks, 366
attack attribution, digital forensics, 575–576
Attack Complexity (AC), 475
attack indicators, 300
Attack Vector (AV), 475
attack vectors, NIST incident response life cycle, 605
attacker identification, NIST incident response life cycle, 608–609
address spoofing attacks, 343, 348–349
amplification and reflection attacks, 346–347
attachment-based attacks, 366
buffer overflow attacks, 322–323
categories of attacks, 304–305
compromised-key attacks, 305
data modification attacks, 304
Dyn, 5
DHCP spoofing attacks, 359
DHCP starvation attacks, 362
DNS amplification and reflection attacks, 357
DNS cache poisoning attacks, 357
DNS resource utilization attacks, 357
domain shadowing, 365
DoS (denial-of-service) attacks, 305, 319–322, 343, 345–346
eavesdropping attacks, 304
email spoofing, 366
homoglyphs, 367
HTTP 302 cushioning attack, 364–365
ICMP flood attacks, 344
IP address spoofing attacks, 304
adware, 310
phishing, 310
ransomware, 309
rootkits, 310
scareware, 310
spyware, 310
viruses, 306
man-in-the-middle attacks, 305, 315, 317, 343
network attacks. See network attacks
open mil, 366
pass-the-hash, 315
password attacks, 315
password-based attacks, 304–305
PHI (protected health information), 6
PII (personally identifiable information), 6
port redirection, 315, 316–317
session hijacking, 343
TCP (Transmission Control Protocol), 352
Smurf attacks, 346
sniffer attacks, 305
social engineering attacks, 317–318
spam email, 366
spoofing attacks, 315
TCP reset attacks, 352
TCP SYN flood attacks, 351–352
UDP (User Datagram Protocol), 353
UDP flood attack, 353
defending against, 364
attribute-based access control (ABAC), 385
AUP (acceptable use policy), 382
802.11 standard, 258
AAA (Authentication, Authorization, and Accounting), 386–388
AAA servers, 279
asymmetric encryption algorithms, 425–426
client and AP authentication, 260
origin authentication, 402
peer authentication, 446
PKI (public key infrastructure), 444–446
authoritative servers, DNS (Domain Name System), 211
authorities, 474
authorities system, PKI (public key infrastructure), 439–441
authorization, AAA servers, 279
Automated Indicator Sharing (AIS), 301, 393
AV (Attack Vector), 475
downtime, 11
versus security, SOC (Security Operations Centers), 11
Availability Impact (A), 476
AVC (Application Visibility and Control), 529
AV-TEST, 461
baiting, 318
Base metric group, CVSS (Common Vulnerability Scoring System), 475–476
Impact metrics, 476
Basic Input-Output System (BIOS), 31–32
BCD (Boot Configuration Database), 32–33
behavior-based malware, 459
best effort process, IPv4, 145
best evidence, 573
BGP (Border Gateway Protocol), 244
binary, converting to dotted decimal, 148
binary addresses, 151
BIOS (Basic Input-Output System), 31–32
bitcoin, 309
bits, encapsulation, 136
black hat hackers, 299
blind spoofing, 348
block ciphers, 418
blogs, security blogs and podcasts, 392
Boot Configuration Database (BCD), 32–33
boot processes for Windows, 31–33
Boot tab, system configuration, 34
BOOTP (bootstrap protocol), 126
Border Gateway Protocol (BGP), 244
border routers, NAT (Network Address Translation), 218
botmasters, 321
Bring Your Own Device (BYOD) policies, 382–383
broadcast, communication protocols, 130
brute-force method, 407
buffer overflow attacks, 322–323
bus, LAN topologies, 285
business continuity planning, incident response, 603
business policies, 381
BYOD (Bring Your Own Device) policies, 382–383
C (Confidentiality Impact), 476
C2 (command and control), Cyber Kill Chain, 586–587
CA (certificate authority), 438
Caesar substitution cipher, 404
CAM (content addressable memory), 245
CapME, 543
CareerBuilder.com, 13
finding jobs, 14
first jobs, 14
cat command, Linux, 79
categories of attacks, 304–305
CCNA Cyber Ops certification, 12
cd command, Linux, 79
CDFS (Compact Disc File System), Linux, 92
centralized AAA, 388
CERT (Computer Emergency Response Team), 391, 600
certificate authority (CA), 438
certificate database, 439
certificate enrollment, PKI (public key infrastructure), 444–446
certificate requests, submitting, 445
certificate revocation list (CRL), 446
certificate store, 439
classes of, 440
PKI (public key infrastructure), 439
retrieving, 444
certifications, 493
CCNA Cyber Ops, 12
CompTIA Cybersecurity Analyst (CSA+), 12
GIAC (Global Information Assurance Certification), 12
(ISC)2 Information security, 12
chain of custody, digital forensics, 574
channel settings, 257
characteristics, IPv4, 144–147
best effort process, 145
checking IP configuration on Windows PCs, 149
chkrootkit command, Linux, 106–109
chmod command, Linux, 78
chosen-ciphertext method, 407
chosen-plaintext method, 407
chown command, Linux, 78
CIA (Confidentiality, Integrity, Availability), 384
cipher suites, 448
block ciphers, 418
polyalphabetic ciphers, 406–407
rail fence ciphers, 405
stream ciphers, 418
substitution ciphers, 404
transposition ciphers, 405–406
ciphertext-only method, 407
Cisco 2960-X Series switches, 245
Cisco Advanced Malware Protection (AMP), 271, 462–463
Cisco Application Visibility and Control (AVC), 529
Cisco Cloud Email Security, 271–272
Cisco Cloud Web Security (CWS), 271
Cisco Cognitive Threat Analytics, 517–518
Cisco content filtering devices, 531
Cisco Cybersecurity Reports, 392
Cisco Cybersecurity Scholarship, 14
Cisco devices, logging from, 531–532
Cisco Email Security Appliance (ESA), 271–272
Cisco Meraki Systems Manager, 487
Cisco SSL Appliance, 449
Cisco Stealthwatch, 338
Cisco syslog message formats, 532
Cisco Talos Security Intelligence and Research Group, 271
Cisco Web Security Appliance (WSA), 271
Cisco wireless router WRP500, 261
Class A, IPv4, 155
Class B, IPv4, 155
Class C, IPv4, 155
Class D, IPv4, 155
classes of certificates, 440
classful addressing, IPv4, 156
Trojan horses, 307
CLF (common log format), 522
CLI (command line interface), 41, 44–46
client error 4xx, 363
client to AP association process, wireless network operations, 258–260
clients, 119
uploading files to servers, 84
client-server communications, 119
Linux, 82
services and ports, 83
Cloud Web Security (CWS), 271
cmdlets, 45
CnC (command and control), Cyber Kill Chain, 586–587
code signing, digital signatures, 430, 432–435
Cognitive Threat Analytics, 517–518
collapsed core, LAN topologies, 287
collision fragments, 140
command accounting, 389
command and control (CnC), Cyber Kill Chain, 586–587
command injection, 367
command line interface. See CLI (command line interface)
command line-based text editors, 80
apt-get command, Linux, 78
apt-get update command, Linux, 102
apt-get upgrade command, Linux, 102
arp -a command, 181
cat command, Linux, 79
cd command, Linux, 79
chkrootkit command, Linux, 106–109
chmod command, Linux, 78
chown command, 78
cp command, Linux, 79
dd command, Linux, 78
grep command, Linux, 78, 79, 110
ifconfig command, Linux, 78
ipconfig /displaydns command, 214
iwconfig command, Linux, 78
kill command, Linux, 103
ls command, Linux, 77, 79, 94, 110
man ls command, Linux, 77
mkdir command, Linux, 79
net accounts, 48
net session, 48
net share, 48
net start, 48
net stop, 48
net use, 48
net view, 48
nslookup command, 55
passwd command, Linux, 79
ping command, 53–54, 55, 168, 343–344
piping commands, Linux, 110
PowerShell, 45
pwd command, Linux, 78
rm command, Linux, 79
shutdown, Linux, 78
su command, Linux, 78
sudo command, Linux, 78
common log format (CLF), 522
common security architectures, 288–289
Common Vulnerabilities and Exposures (CVE), 391, 393, 479
Common Vulnerability Scoring System. See CVSS (Common Vulnerability Scoring System)
communication processes, tracing paths, 121–122
communication protocols, 123
broadcast, 130
formatting, 128
multicast, 129
reference models, 130
OSI (Open Systems Interconnection) model, 131
size, 128
timing, 129
unicast, 129
communications, securing, 400–402
communications security, 384
Compact Disc File System (CDFS), Linux, 92
companies, ransomed companies, 3
company policies, 381
attack tools and technical knowledge, 302
host-based IPS versus network-based IPS, 269
IDS and IPS, 268
OSI (Open Systems Interconnection) model versus TCP/IP model, 130
TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), 194
competitive advantage, loss of competitive advantage, 6
compliance regulations, 383, 480
FISMA (Federal Information Security Management Act of 2002), 481–482
GLBA (Gramm-Leach-Bliley Act), 482
HIPAA (Health Insurance Portability and Accountability Act), 482
PCI DSS (Payment Card Industry Data Security Standard), 480–481
SOX (Sarbanes-Oxley Act of 2002), 482
compressing addresses, IPv6, 162–163
compromised-key attacks, 305
CompTIA Cybersecurity Analyst (CSA+) certification, 12
Computer Emergency Response Team (CERT), 391, 600
computer programming, Python programming, 13
Computer Security Incident Response Team. See CSIRT (Computer Security Incident Response Team)
asymmetric encryption algorithms, 423–424
encryption, 416
Confidentiality Impact (C), 476
configuration files, Linux, 80–81
configuration management, 487–488
Windows administration
accessing network resources, 56–57
CLI and PowerShell
local users and domains
Run as Administrator
WMI (Windows Management Instrumentation), 46–47
configuration options, Windows, 33–36
network adapters, 51
networking properties, 51
Nginx web server, Linux, 85–86
NTP, Linux, 86
Snort configuration file, 86–88
Windows, 41
CONNECT, HTTP (Hypertext Transfer Protocol), 227
connection accounting, 389
connection establishment, TCP (Transmission Control Protocol), 199
connection events, NGIPS (NextGen IPS), 535
connection termination, TCP (Transmission Control Protocol), 200–201
connectivity to local LAN, testing, with ping, 169–170
connectivity to remote hosts, testing, with ping, 170–171
ICMPv6 RS and RA messages, 166–168
ping
testing connectivity to local LAN, 169–170
testing connectivity to remote hosts, 170–171
traceroute, testing paths, 172–175
containment, eradication, and recovery (NIST incident response life cycle), 607–609
containment strategies, NIST incident response life cycle, 607–608
content addressable memory (CAM), 245
content filtering devices, 531
control bits, TCP (Transmission Control Protocol), 350
converting, binary to dotted-decimal, 148
corporate espionage, 6
correlation, SIEM (security information and event management), 338
corroborating evidence, 573
cost, incident data collection and retention, 611
cp command, Linux, 79
CPU tab, Resource Monitor, 51
CRC (cyclic redundancy check), 141
CRL (certificate revocation list), 446
Cron, 90
cross-certified CA topologies, 441–442
cross-site scripting (XSS), 368
cryptanalysts, 407
confidentiality. See confidentiality
encrypting, network transactions, 447–448
encryption, and security monitoring, 448–449
hash functions, 409–410, 411, 411–412
HMAC (hash message authentication code), 413–416
MD5 (Message Digest 5), 412
SHA-1 (Secure Hash Algorithm 1), 412–413
SHA-2 (Secure Hash Algorithm 2), 413
keys, 408
PKI (public key infrastructure). See PKI (public key infrastructure)
CSIRT (Computer Security Incident Response Team), 599
Cuckoo Sandbox, 469
CVE (Common Vulnerabilities and Exposures), 391, 393, 479
CVSS (Common Vulnerability Scoring System), 473–474
CWS (Cloud Web Security), 271
actions on objectives, 587
command and control (CnC), 586–587
delivery, 585
installation, 586
dashboards and visualizations, 570
workflow management, 570
cyber threat indicators, 300–301
cyberattacks, 4
economic impact of cyberattacks, 5
cybercriminals, 300
CyberOPS, output of mount, 93–94
cybersecurity analysts, 118
Cybersecurity Awareness Month, 301
cybersecurity tasks, 300
cyberthreat intelligence (CTI), 394
cyclic redundancy check (CRC), 141
DAC (discretionary access control), 385
DAD (Duplicate Address Detection), 167, 168
IPv6, 168
dash (-), 94
dashboards, 570
$DATA, 29
data, segmenting (transport layer protocols), 185
data collection, digital forensics, 572
data confidentiality, 402
data encapsulation, Ethernet, 140
Data Encryption Standard (DES), 418–419
Data field, Ethernet frames, 141
data integrity, 402
data layer, encapsulation, 135
data link layer, OSI (Open Systems Interconnection) model, 131
data loss prevention, 532
data modification attacks, 304
data non-repudiation, 402
ELSA (Enterprise Log Search and Archive), 554
data protection, 6
data retention, 611
data streams, 29
data transfer, TCP (Transmission Control Protocol), 201–204
datagrams, UDP (User Datagram Protocol), 196
data-sending Trojan horses, 307
DCs (domain controllers), 44
dd command, Linux, 78
DDoS (distributed DoS) attacks, 320, 343, 345–346, 347–348
Dyn, 5
debuggers, 304
de-encapsulating, packets, 240
host forwarding decision, 157–158
defending against, web-based attacks, 364
defense-in-depth, 376
identifying
security artichoke, 380
security onion, 379
DELETE, HTTP (Hypertext Transfer Protocol), 227
delivery, Cyber Kill Chain, 585
demilitarized zone (DMZ), firewalls, 288–289
Deming cycle, 491
denial-of-service (DoS) attacks, 305
IDSs (intrusion detection systems), 269
IPSs (intrusion prevention systems), 269
DES (Data Encryption Standard), 418–419
destination (SPAN) port, 334
Destination MAC Address field, Ethernet frames, 141
destination MAC addresses, switches, 247
destination on remote networks
IP (Internet Protocol), address resolution protocol, 178
MAC (Media Access Control), address resolution protocol, 178
destination on same network, MAC (Media Access Control), 176–177
destination port, TCP (Transmission Control Protocol), 188
Destination Unreachable, ICMPv4 messages, 165–166
destructive Trojan horses, 307
Details tab, Task Manager, 50
detection, NIST incident response life cycle, 606
detection and analysis, NIST incident response life cycle, 605–607
deterministic analysis, alert evaluation, 552–553
device hardening, Linux, 88–89
network components, 282
DH (Diffie-Hellman), 422, 428–429, 432
DHCP (Dynamic Host Configuration Protocol), 126, 206–208
DHCPv4 message format, 208–209
DHCP spoofing attacks, 359
DHCP starvation attack, 362
DHCPv4 message format, 208–209
DHS (U.S. Department of Homeland Security), 301
pivoting across, 589
Diffie-Hellman (DH), 422, 428–429, 432
digital certificates, 430
digital fingerprints, 410
digital forensics, 571
chain of custody, 574
evidence, 573
evidence collection order, 573–574
processes, 572
Digital Signature Algorithm (DSA), 422, 431
Digital Signature Standard (DSS), 422, 431
DSA (Digital Signature Algorithm), 431
ECDSA (Elliptic Curve Digital Signature Algorithm), 431
RSA (Rivest-Shamir-Adleman Algorithm), 431
for digital certificates, 435–437
directly connected interfaces, 243
directly connected routes, 242
directory commands, Linux, 79
IDSs (intrusion detection systems), 268–269
IPSs (intrusion prevention systems), 268–269
discovery and response, VERIS, 595
discretionary access control (DAC), 385
Disk Operating System (DOS), Windows, 21–23
Disk tab, Resource Monitor, 51
PIDs, 59
web pages, 137
distributed DoS (DDoS) attacks. See DDoS attacks
distributed firewalls, 464
DLP (data loss prevention), 532
DMZ (demilitarized zone), firewalls, 288–289
DNS (Domain Name System), 126, 209–210
exfiltration, 504
load balancing, 513
security monitoring, 504
testing, 55
DNS amplification and reflection attacks, 357
DNS cache poisoning attacks, 357
DNS resource utilization attacks, 357
DNS Zone, 211
domain controllers (DCs), 44
domain generation algorithms, 358
domain hierarchy, DNS (Domain Name System), 210–211
Domain Name System. See DNS (Domain Name System)
DoS (denial-of-service) attacks, 305, 319–322, 343, 345–346
buffer overflow attacks, 322–323
DOS (Disk Operating System), Windows, 21–23
DoS Trojan horses, 307
dot (.), 210
dotted-decimal notation, 148
converting from binary, 148
double IP flux, 358
downtime, availability, 11
dropped frames, Ethernet, 140
DSA (Digital Signature Algorithm), 422, 431
DSS (Digital Signature Standard), 422, 431
DSA (Digital Signature Algorithm), 431
ECDSA (Elliptic Curve Digital Signature Algorithm), 431
RSA (Rivest-Shamir-Adleman Algorithm), 431
Duplicate Address Detection (DAD), 167, 168
IPv6, 168
Dyn, 5
Dynamic Host Configuration Protocol. See DHCP (Dynamic Host Configuration Protocol)
dynamic routing protocol, 243–244
eavesdropping attack, 304
ECDSA (Elliptic Curve Digital Signature Algorithm), 431
economic impact of cyberattacks, 5
edge routers, 379
editing text files in nano (Linux), 81
education, 12
certifications, 12
.efi files, 32
EFI System Partition (ESP), 32
egress traffic, 334
ElGamal, 423
EIGRP (Enhanced Interior Gateway Routing Protocol), 127
Elasticsearch, 339
electronic banking, threats, 377
electronic medical records (EMR), 6
elements of SOC (Security Operations Centers), 7
enterprise and managed security, 10
people, 8
ELK (Elasticsearch, Logstash, Kibana), 339
Elliptic Curve Digital Signature Algorithm (ECDSA), 431
elliptic curve techniques, 423
ELSA (Enterprise Log Search and Archive), 544, 554, 564
data normalization, 557
IMAP (Internet Message Access Protocol), 224–225
POP3 (Post Office Protocol version 3), 223–224
SMTP (Simple Mail Transfer Protocol), 223
email protocols, security monitoring, 507
Email Security Appliance (ESA), 271–272
email spoofing, 366
email viruses, 306
employee policies, 381
EMR (electronic medical records), 6
encapsulating packets, 240
encapsulation, 134
bits, 136
communication protocols, 132–137
data layer, 135
Ethernet, 136
IP (Internet Protocol), 135
TCP (Transmission Control Protocol), 135
encrypting network transactions, 447–448
asymmetric encryption algorithms, 416, 417, 421–423
keys, 408
security monitoring and, 448–449
symmetric encryption algorithms, 416–417, 418–421
wireless devices, 257
encryption tools, 304
Apache HTTP Server access logs, 522–523
SIEM (security information and event management), log collection, 525–526
endpoint events, NGIPS (NextGen IPS), 536
antimalware protection
host-based malware protection, 459–460
application security
system-based sandboxing, 469
host-based intrusion protection
HIDS products, 466
host-based intrusion detection, 464–465
host-based malware protection
AMP (Advanced Malware Protection), 462–463
network-based malware protection, 461–462
endpoint vulnerability assessment
network anomaly detection, 472
network vulnerability testing, 473
server profiling, 471
endpoints, 456
Enhanced Interior Gateway Routing Protocol (EIGRP), 127
enterprise patch management, 488–489
enterprise security, SOC (Security Operations Centers), 10
domain shadowing, 365
HTTP (Hypertext Transfer Protocol), 362–364
HTTP 302 cushioning attack, 364–365
iFrame (inline frames), 364
web-exposed databases. See web-exposed databases
entries from ARP tables, removing, 181
environmental metric group, CVSS (Common Vulnerability Scoring System), 475
eradication, NIST incident response life cycle, 609
error messages, role of protocols, 125
ESA (Email Security Appliance), 271–272, 461, 530–531
ESP (EFI System Partition), 32
host forwarding decision, 157–158
encapsulation, 136
IPv4
addressing. See addressing
IPv6. See IPv6
Ethernet properties, Windows 10, 53
EtherType field, Ethernet frames, 141
ethical hacking, 302
deterministic analysis, 552–553
probabilistic analysis, 552–553
sources of alerts
analysis tools, 544
detection tools for collecting alert data, 543–544
Security Onion, 542
event handling, Sguil, 563
Event Table fields, Sguil, 560
host logs, 519
IIS access log, 523
digital forensics, 573
NIST incident response life cycle, 608
evidence collection order, digital forensics, 573–574
examination, digital forensics, 572
EXEC accounting, 389
exFAT (Extended FAT), 29
exfiltration, DNS (Domain Name System), 504
exploitation, Cyber Kill Chain, 585–586
EXT (Extended File System), 29
ext2 (second extended file system), Linux, 92
ext3 (third extended file system), Linux, 92
ext4 (fourth extended file system), Linux, 92
Extended FAT (exFAT), 29
Extended File System (EXT), 29
extended star, LAN topologies, 285
FAT (File Allocation Table), 28–29
FCS (Frame Check Sequence) field, Ethernet frames, 141
ACLs (access control lists), 273–274
wireless communications, 254–256
Federal Information Processing Standard (FIPS), 432
Federal Information Security Management Act of 2002 (FISMA), 481–482
fields, Ethernet II frames, 140–141
File Allocation Table (FAT), 28–29
file commands, Linux, 79
file details, investigating, 568–569
file sharing, SMB (Server Message Block), 220–221
File Transfer Protocol (FTP). See FTP (File Transfer Protocol)
FTP (File Transfer Protocol), 219–220
TFTP (Trivial File Transfer Protocol), 220
financial gain, threat actors, 4
FIPS (Federal Information Processing Standard), 432
FirePOWER, 535
application gateway firewalls, 265
distributed firewalls, 464
host-based firewalls, 265, 460, 463–464
hybrid firewalls, 265
next-generation firewalls, 266
packet filtering firewalls, 264, 265–266
SOC (Security Operations Centers), Linux, 75
transparent firewalls, 265
Windows, 64
ZPFs (zone-based policy firewalls), 289
firmware rootkits, 106
FIRST (Forum of Incident Response and Security Teams), 391, 474
first jobs, 14
FISMA (Federal Information Security Management Act of 2002), 481–482
flow control, TCP (Transmission Control Protocol), 202–204, 351
flow deduplication, 338
flow stitching, 338
FlowViewer, NetFlow, 528
forensic analysis, SIEM (security information and event management), 338
forensic tools, 303
format and structure, role of protocols, 124
NTFS (New Technology File System), 31
partitions, 31
protocols, 128
Forum of Incident Response and Security Teams (FIRST), 391, 474
fourth extended file system (ext4), Linux, 92
FQDN (fully qualified domain name), DNS (Domain Name System), 211
Frame Check Sequence field, Ethernet frames, 141
frames, 128
FTP (File Transfer Protocol), 83, 126, 219–220
FTP Trojan horses, 307
functions, address resolution protocol (ARP), 179–180
fuzzers, 303
gamers, typical session for gamers, 120
General tab, system configuration, 33–34
Generic Routing Encapsulation (GRE), 281
GET, HTTP (Hypertext Transfer Protocol), 227
GIAC (Global Information Assurance Certification), 12
glassdoor.com, 13
GLBA (Gramm-Leach-Bliley Act), 482
Global Cybersecurity Scholarship, 14
Global Information Assurance Certification (GIAC), 12
global politics, 4
global threat intelligence, ESA (Email Security Appliance), 272
gnome terminal, Linux, 77
Gnome window manager, 98
GNU nano text editor, 80
Gramm-Leach-Bliley Act (GLBA), 482
graphical user interface (GUI), Windows, 24–26
gratuitous ARP, 354
gray hat hackers, 299
GRE (Generic Routing Encapsulation), 281
grep command, Linux, 78, 79, 110
group permissions (r--), 95
Guest account, 43
GUI (graphical user interface)
Linux hosts
hacking operating systems, 304
hacktivists, 300
hacktivists, 4
HAL (hardware abstraction layer), Windows, 27–28
handlers, 321
hard links, Linux, 96
hardening, devices, Linux, 88–89
hardware abstraction layer (HAL), 27–28
hash functions, 409–410, 411, 411–412
HMAC (hash message authentication code), 413–416
MD5 (Message Digest 5), 412
SHA-1 (Secure Hash Algorithm 1), 412–413
SHA-2 (Secure Hash Algorithm 2), 413
hash message authentication code (HMAC), 413–416
hashes, creating, 410
TCP (Transmission Control Protocol), 194–195
UDP (User Datagram Protocol), 196
Health Insurance Portability and Accountability Act (HIPAA), 6, 482, 571
heuristics-based malware, 459
hexadecimal, 141
hextets, 162
HFS+ (Hierarchical File System Plus), 29
Linux, 93
hibernation, Windows, 36
HIDS (host-based intrusion detection system), 464–465, 518–519, 568
HIDS products, 466
hierarchical CA topologies, 441–442
hierarchical design model, 286–287
Hierarchical File System Plus (HFS+), Linux, 29, 93
hijacked people, 2
HIPAA (Health Insurance Portability and Accountability Act), 6, 482, 571
HIPDS (host-based intrusion detection and prevention systems), 464
HIPS (host-based IPS), 270
DOS (Disk Operating System), 21–23
GUI (graphical user interface), 24–26
HKEY_CLASSES_ROOT (HKCR), 39
HKEY_CURRENT_USER (HKCU), 39
HKEY_CURRENT_CONFIG (HKCC), 39
HKEY_CURRENT_USER, 33
HKEY_LOCAL_MACHINE, 33
HKEY_LOCAL_MACHINE (HKLM), 39
HKEY_USERS (HKU), 39
HMAC (hash message authentication code), 413–416
homoglyphs, 367
host address structure, IPv4, 149–150
host confirmation, ICMPv4 messages, 164–165
host default gateways, 159
host events, NGIPS (NextGen IPS), 536
host forwarding, default gateways, 157–158
host IP binary address, 151
host-based firewalls, 265, 460, 463–464
host-based intrusion detection, 464–465
host-based intrusion protection
HIDS products, 466
host-based intrusion detection, 464–465
host-based intrusion detection system. See HIDS (host-based intrusion detection system)
host-based malware protection, 459
AMP (Advanced Malware Protection), 462–463
antivirus/antimalware software, 459–461
host-based firewalls, 460
host-based security sites, 460–461
network-based malware protection, 461–462
host-based security sites, 460–461
HTTP (Hypertext Transfer Protocol), 83, 127, 136, 225–226, 362–364
HTTPS (HTTP Secure), 228
security monitoring, 505
HTTP 302 cushioning attack, 364–365
HTTP Secure (HTTPS), 228
HTTP URL, 227
HTTPS (HTTP Secure), 228, 362–364
hub and spoke, WAN topologies, 285
human attack surfaces, 467
human resources, incident response, 603
hybrid, WAN topologies, 285
hybrid firewalls, 265
Hypertext Transfer Protocol. See HTTP (Hypertext Transfer Protocol)
I (Integrity Impact), 476
ICMP (Internet Control Message Protocol), 127
mitigating abuse, 508
rules for R1 traffic, 509
ICMP Echo messages, 164
ICMP flood attack, 344
ICMPv6 (Internet Control Message Protocol version 6), 161
ICMPv6 RS and RA messages, 166–168
identification and authentication policies, 382
applications, transport layer protocols, 185
assets, defense-in-depth, 376–377
threats, defense-in-depth, 378–379
vulnerabilities, defense-in-depth, 377–378
IDS sensors, 268
IDSs (intrusion detection systems), 267, 363
advantages/disadvantages, 268–269
SOC (Security Operations Centers), Linux, 75
IETF (Internet Engineering Task Force), 161
ifconfig command, Linux, 78
iFrame (inline frames), 364, 505
IKE (Internet Key Exchange), 422
IM (instant messaging), 511
IMAP (Internet Message Access Protocol), 126, 224–225
security monitoring, 507
impact assessment, VERIS, 595
Impact metrics, Base metric group, 476
incident analysis, 606
incident data collection and retention, 610–611
incident description, VERIS, 595–597
CERT (Computer Emergency Response Team), 600
CSIRT (Computer Security Incident Response Team), 599
NIST 800-61r2. See NIST 800-61r2
reporting requirements and information sharing, 612
incident handling procedures, 382
incident notification, NIST incident response life cycle, 607
incident response capabilities, NIST 800-61r2, 594–601
incident response life cycle, NIST, 603–604
containment, eradication, and recovery, 607–609
detection and analysis, 605–607
post-incident activities, 609–610
actions on objectives, 587
command and control (CnC), 586–587
delivery, 585
installation, 586
pivoting across, 589
VERIS, 592
schema elements. See schema elements
VCDB (VERIS Community Database), 598
incident response stakeholders, NIST 800-61r2, 602–603
incident tracking, VERIS, 598
Indeed.com, 13
indicators, 606
indirect evidence, 573
individual conversations, tracking, with transport layer protocols, 184–185
individuals, hijacked people, 2
INET_ATON() function, 560
information assurance, incident response, 603
information sharing, NIST 800-61r2, 612
information sources, network intelligence communities, 390–392
Information Systems Security (InfoSysSec), 391
informational 1xx, 363
INFOSYSSEC (Information Systems Security), 391
ingress traffic, 334
initial sequence number (ISN), 201
installation, Cyber Kill Chain, 586
installing applications on Linux hosts, 100–101
instant messaging (IM), 511
integrity, asymmetric encryption algorithms, 426–428
Integrity Impact (I), 476
Interface drivers, 127
intermediary network devices, 238
internal CSIRTs, 600
internal LAN elements, 458
internal routers, 379
International Information Systems Security Certification Consortium (ISC)2, 391
Internet, 119
Internet Control Message Protocol. See ICMP (Internet Control Message Protocol)
Internet Engineering Task Force (IETF), 161
Internet Exchange Point (IXP), 122
Internet Key Exchange (IKE), 422
Internet Message Access Protocol (IMAP), 126
Internet Protocol Flow Information Export (IPFIX), 517
Internet Protocol. See IP (Internet Protocol)
Internet Relay Chat (IRC), 586–587
Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (RFC 2527), 443
internships, 14
interoperability of different PKI vendors, 442–443
intrusion detection systems. See IDSs (intrusion detection systems)
Diamond Model. See Diamond Model
processes or API calls, 567–568
IP (Internet Protocol), 127, 137, 186
address resolution protocol
destination on remote networks, 178
destination on same network, 176–177
encapsulation, 135
IP address spoofing attack, 304
IP addresses, querying, in ELSA, 566
IP configuration, checking on Windows PCs, 149
vulnerabilities
ARP (Address Resolution Protocol), 354–355
DHCP (Dynamic Host Configuration Protocol), 359–362
address spoofing attacks, 348–349
amplification and reflection attacks, 346–347
DDoS (distributed DoS) attacks, 345–346, 347–348
DoS (denial-of-service) attacks, 345–346
ipconfig/displaydns command, 214
IPFIX (Internet Protocol Flow Information Export), 517
iPhone IPv4 address, 150
IPS (intrusion protection systems), 267
advantages/disadvantages, 268–269
IPS sensors, 269
iptables, 464
addresses, 160
addressing
host address structure, 149–150
subnetting broadcast domains, 152–153
best effort process, 145
classful addressing, 156
packet headers, 147–148, 340–342
properties, Windows 10, 52
routing protocols, 244
routing tables, 160
testing connectivity to local LAN, 170
types of addresses
reserved private addresses, 156–157
address formatting, 162
compressing addresses, 162–163
prefix length, 163
routing protocols, 244
size and representation, 161
IRC (Internet Relay Chat), 586–587
(ISC)2 Information security certifications, 12
(ISC)2 International Information Systems Security Certification Consortium, 391
ISMS (Information Security Management System), 491
NIST Cybersecurity Framework, 493–495
security management systems, 491
ISN (initial sequence number), 201
IT support, incident response, 603
iwconfig command, Linux, 78
IXP (Internet Exchange Point), 122
finding, 14
first jobs, 14
Kali Linux, 76
KDE window manager, 99
kernel, 27
kernel mode, Windows, 28
Kernel Mode Code Signing (KMCS), 33
key length, 408
key size, 408
keyed-hash message authentication code (HMAC), 413
keyloggers, 40
keys, 408
PKI (public key infrastructure). See PKI (public key infrastructure)
KHMAC (key-hashed message authentication code), 413
Kibana, 124
kill command, Linux, 103
KMCS (Kernel Mode Code Signing), 33
known-plaintext method, 407
creating user accounts, 57
monitoring and managing system resources in Windows, 58
using Windows PowerShell, 57
Windows Task Manager, 58
LANs, internal LAN elements, 458
Layer 3 switches, 253
LBM (load balancing manager), 513
lease origination, DHCPv4, 207
lease renewal, DHCPv4, 207
legal department, incident response, 603
lesson-based hardening, post-incident activities, 609–610
lightweight APs (LWAPs), 262
hard links, Linux, 96
Linux, 73
administration
hard links and symbolic links, 96–97
monitoring service logs, 89–91
roles and file permissions, 94–96
service configuration files, 84–88
CLI (command line interface), 74
client-server communications, 82
services and ports, 83
file and directory commands, 79
hard links, 96
paths, 77
penetration testing tools, 76
shell, 77
SOC (Security Operations Centers), 74–75
tools, 76
value of, 74
Linux CLI, 77
GUI (graphical user interface)
installing applications, 100–101
patches, 102
piping commands, 110
LLC (Logical Link Control), 139, 140
load balancing manager (LBM), 513
local AAA authentication, 386–387
local exploits, 298
local host, host forwarding, 158
local loopbacks, pinging, 169
local ports, TCP (Transmission Control Protocol), 187–188
local route interfaces, 243
Local Security Authority Subsystem Service (LSASS), 520
local stacks, testing with ping, 168–169
local TCP/IP stacks, testing, 169
log collection, SIEM (security information and event management), 525–526
log entries, 558
log file analysis, 89
log files, 558
alert data, 514
end device logs
Apache HTTP Server access logs, 522–523
SIEM (security information and event management), 525–526
network logs
AVC (Application Visibility and Control), 529
proxy logs, 532
session data, 515
log managers, SOC (Security Operations Centers), Linux, 75
logical AND operation, IPv4, 151
Logical Link Control (LLC), 139, 140
logical topology, networks, 284
logs, AAA (Authentication, Authorization, and Accounting), 388–390
Logstash, 124
LOIC (Low Orbit Ion Cannon), 353
lookup processes, DNS (Domain Name System), 211–213
loopback addresses, pinging, 54
loss of competitive advantage, 6
Low Orbit Ion Cannon (LOIC), 353
ls command, Linux, 77, 79, 94, 110
LSASS (Local Security Authority Subsystem Service), 520
lusrmgr.msc, 43
LWAPs (lightweight APs), 262
MAC (mandatory access control), 385
MAC (Media Access Control), 139, 140
address resolution protocol
destination on remote networks, 178
destination on same network, 176–177
Ethernet, 140
MAC address format, Ethernet, 141–142
MAC addresses, switches, 245–247
MACE (Modify, Access, Create, and Entry Modified), 29
MAC-to-IP address mapping, removing, 181
malicious iFrames, 364
malvertising, 309
adware, 310
phishing, 310
ransomware, 309
rootkits, 310
scareware, 310
spyware, 310
classifications, 307
viruses, 306
malware analysis tools, SOC (Security Operations Centers), Linux, 75
malware protection programs, 63
man ls command, Linux, 77
managed security, SOC (Security Operations Centers), 10
managed security service provider (MSSP), 600
management, incident response, 603
management frames, 256
Management Information Base (MIB), 274
mandatory access control (MAC), 385
man-in-the-middle attacks, 305, 315, 317, 343
master boot record (MBR), 31–32
Linux, 93
Master File Table (MFT), 31
maximum transmission unit (MTU), 147
MBR (master boot record), 31–32
Linux, 93
MD5 (Message Digest 5), hash functions, 412
MDM (Mobile Device Management), 486–487
MDM (Mobile Device Management) software, 383
mechanisms, transport layer protocols, 186
media, network components, 283
Media Access Control (MAC). See MAC (Media Access Control)
media independent, IPv4, 146–147
media relations, incident response, 603
meet-in-the-middle method, 407
memory allocation, Windows, 38–39
Memory tab, Resource Monitor, 51
mesh, WAN topologies, 285
Message Digest 5 (MD5), 412
message multiplexing, 133
message segmentation, 133
ICMPv6 RS and RA messages, 166–168
NA (Neighbor Advertisement) messages, 166
NS (Neighbor Solicitation) messages, 166
RA (Router Advertisement) messages, 166
receiving, 137
RS (Router Solicitation) messages, 166
meta-features, Diamond Model, 589
metric groups, CVSS (Common Vulnerability Scoring System), 474–475
MFT (Master File Table), 31
MIB (Management Information Base), 274
Microsoft Windows, host logs, 519
MIME types, 568
MITRE Corporation, 391
mkdir command, Linux, 79
Mobile Device Management (MDM), 486–487
Mobile Device Management (MDM) software, 383
access control models, 385
reference models. See reference models
networks. See network monitoring
monitoring systems, SOC (Security Operations Centers), 10
mounting, 93
MPLS (Multiprotocol Label Switching), 281
Msconfig tool, 33
MS-ISAC (Multi-State Information Sharing & Analysis Center), 391
MSSP (managed security service provider), 600
MTU (maximum transmission unit), 147
multicast, communication protocols, 129
multiplexing, 133
Multiprotocol Label Switching (MPLS), 281
Multi-State Information Sharing & Analysis Center (MS-ISAC), 391
MX, DNS (Domain Name System), 214
MySQL log file, 326
NA (Neighbor Advertisement) messages, 166
NAC (Network Admission Control), 462
nano text editor, 80
NAT (Network Address Translation), 127, 157, 216–217, 509–510
FTP (File Transfer Protocol), 219–220
PAT (Port Address Translation), 218–219
routers, 217
SMB (Server Message Block), 220–221
TFTP (Trivial File Transfer Protocol), 220
NAT stitching, 338
NAT-enabled routers, 217
national CSIRTs, 600
national security, politics, 6–7
National Vulnerability Database (NVD), 480
nations, sophisticated malware, 3
NBA (Network Behavior Analysis), 517
NBAD (Network Behavior Anomaly Detection), 517
NDP (Neighbor Discovery Protocol), 166
Neighbor Advertisement (NA) messages, 166
Neighbor Discovery Protocol (NDP), 166
Neighbor Solicitation (NS) messages, 166
net accounts, 48
net session, 48
net share, 48
net start, 48
net stop, 48
net use, 48
net view, 48
NetFlow, 275–276, 335, 337–338, 510, 527–529
events, 536
network adapters, configuration management, 51
Network Address Translation (NAT). See NAT (Network Address Translation)
network addresses, IPv4, 151–152
Network Admission Control (NAC), 462
Network and Sharing Center, 51–52
network anomaly detection, 472
network attack surfaces, 467
access attacks, 314
DoS (denial-of-service) attacks, 319–322
network monitoring. See network monitoring
reconnaissance attacks, 312–314
Network Behavior Analysis (NBA), 517
Network Behavior Anomaly Detection (NBAD), 517
network communication, Ethernet. See Ethernet
network devices
STP (Spanning Tree Protocol), 248–252
wireless communications. See wireless communications
network communications processes. See also communication protocols
client-server communications, 119
typical session for gamers, 120
typical session for students, 119–120
typical session for surgeons, 121
STP (Spanning Tree Protocol), 248–252
network discovery events, NGIPS (NextGen IPS), 536
Network File System (NFS), Linux, 92
network intelligence communities, 390–392
network interface card (NIC), 276
network layer, OSI (Open Systems Interconnection) model, 131
AVC (Application Visibility and Control), 529
network maintenance policies, 382
network mode, 257
network monitoring, 333
network security topology, 332–333
TAPs (Terminal Access Points), 333–334
tools, 335
network protocol analyzers, 335–339
traffic monitoring and SPAN, 334
network packet capture software, SOC (Security Operations Centers), Linux, 74
network penetration tests, 303
network protocol analyzers, 335–339
network protocol communication, 123
network protocol suites, 124–125
Address Resolution Protocol. See Address Resolution Protocol (ARP)
communication processes
client-server communications, 119
typical session for gamers, 120
typical session for students, 119–120
typical session for surgeons, 121
connectivity verification. See connectivity verification
TCP/IP protocol suite, 126–128
transport layer protocols. See transport layer protocols
network representations, network topologies
common security architectures, 288–289
logical topology, 284
three-layer network design model, 286–287
WAN topologies, 285
network resources, accessing, 56–57
network scanning tools, 303
attacks. See attacks
cyber threat indicators, 300–301
cybercriminals, 300
cybersecurity tasks, 300
threat actor tools. See threat actor tools
threat actors, evolution of, 299–300
ELSA (Enterprise Log Search and Archive), 554, 564
investigating
processes or API calls, 567–568
event handling, 563
network security infrastructure
security devices
intrusion protection and detection devices, 267
next-generation firewalls, 266
packet filtering firewalls, 265–266
specialized security appliances, 271–272
stateful firewalls, 266
security services
NTP (Network Time Protocol), 277–279
packet tracers, 274
port mirroring, 276
SNMP (Simple Network Management Protocol), 274
syslog servers, 277
traffic control with ACLs, 272–273
VPNs (virtual private networks), 280–282
network security monitoring (NSM), 502
network security organizations, 390
network security topology, 332–333
DHCP (Dynamic Host Configuration Protocol), 206–208
DHCPv4 message format, 208–209
DNS (Domain Name System), 209–210
email. See email
HTTP (Hypertext Transfer Protocol), 225–226, 227
HTTP URL, 227
HTTPS (HTTP Secure), 228
NAT. See NAT (Network Address Translation)
Network tab, Resource Monitor, 51
network TAPs (Terminal Access Points), 333–334
Network Time Protocol (NTP), 277–279
security monitoring, 503
common security architectures, 288–289
logical topology, 284
three-layer network design model, 286–287
WAN topologies, 285
network transactions, encrypting, 447–448
network vulnerability testing, 473
CVSS (Common Vulnerability Scoring System), 473–474
network-based malware protection, 461–462
networking accounting, 389
networking devices, ARP tables, 181–182
networks, 153
stub networks, 217
New Technology File System. See NTFS (New Technology File System)
next-generation firewalls, 266
nfdump, 527
NFS (Network File System), Linux, 92
nftables, 464
Nginx web server configuration, Linux, 85–86
NIC (network interface card), 276
NIDS (network-based IDS), 514
NIST 800-61r2, 599
incident response capabilities, 594–601
incident response life cycle, 603–604
containment, eradication, and recovery, 607–609
detection and analysis, 605–607
post-incident activities, 609–610
incident response stakeholders, 602–603
objective assessments of incidents, 610–611
plans, 602
procedures, 602
reporting requirements and information sharing, 612
NIST Cybersecurity Framework, 493–495
non-blind spoofing, 348
non-discretionary access control, 385
non-repudiation, 402
normalization, 558
NS, DNS (Domain Name System), 214
NS (Neighbor Solicitation) messages, 166
nslookup command, 55
NSM (network security monitoring), 502
NTFS (New Technology File System), 29
ADSs (Alternate Data Streams), 29–31
formatting, 31
Ntoskrnl.exe, 33
NTP (Network Time Protocol), 277–279
security monitoring, 503
NTP configuration file, Linux, 86
numbered ACLs, 274
NVD (National Vulnerability Database), 480
octal values, for permissions, Linux, 95
OCSP (online certificate status protocol), 446
octets, 148
online certificate status protocol (OCSP), 446
open authentication, 258
open mail relay server, 366
open resolvers, 357
Open Shortest Path First (OSPF), 127
Open Systems Interconnection (OSI) model, 130, 131
stateful firewalls, 266
versus TCP/IP model, 130
open web proxies, 533
operating system vulnerabilities, Windows, 26–27
transport layer protocols
UDP (User Datagram Protocol), 204–205
wireless network operations, 256–258
OPTIONS, HTTP (Hypertext Transfer Protocol), 227
origin authentication, 402
OS updates, Linux, 102
OSI (Open Systems Interconnection) model, 130, 131
stateful firewalls, 266
versus TCP/IP model, 130
OSPF (Open Shortest Path First), 127
OSSEC (Open Source HIDS SECurity), 466, 519, 544, 568
outbound message control, ESA (Email Security Appliance), 272
output of mount in the CyberOPS VM, 93–94
output of /var/log/syslog, 91
Overview tab, Resource Monitor, 51
P2P (peer-to-peer) networking, 511–512
APT (Advanced Packaging Tool), 99–101
packet analyzers, 276
packet crafting tools, 303
packet filtering firewall, 264, 265–266
packet format, ICMP (Internet Control Message Protocol), 175–176
packet forwarding, 241
routers, 239
packet sniffers, 276, 303, 335–336
packet tracers, ACLs (access control lists), 274
de-encapsulating, 240
encapsulating, 240
PADS, 563
parameters, wireless parameters, 257–258
Partition Boot Sector, 31
formatting, 31
mounting, 93
passive mode, wireless devices, 258
passive network monitoring, patch management, 490
Passive Real-time Asset Detection System (PRADS), 562–563
pass-the-hash, 315
passwd command, Linux, 79
password attacks, 315
password crackers, 303
password guidelines, 62
password policies, 382
password-based attacks, 304–305
passwords, wireless devices, 258
PAT (Port Address Translation), 218–219, 509–510
patches, 60
Linux, 102
path determination, routers, 239
Linux, 77
testing with traceroute, 172–175
tracing, communication processes, 121–122
PCI DSS (Payment Card Industry Data Security Standard), 480–481
PDU (protocol data unit), 134
peer authentication, 446
peer-to-peer (P2P) networking, 511–512
penetration testing, 473
penetration testing tools, Linux, 76
pentesting, Linux, 76
people, SOC (Security Operations Centers), 8
octal values, Linux, 95
viewing for Linux files, 94
personally identifiable information (PII), 5–6
PGP (Pretty Good Privacy), 422
pharming, 318
PHI (protected health information), 6
social engineering attacks, 318–319
phreaking, 299
physical layer, OSI (Open Systems Interconnection) model, 131
physical security and facilities management, incident response, 603
physical topology, networks, 283–284
PIDs, displaying, 59
PII (personally identifiable information), 5–6
connectivity to local LAN, 169–170
connectivity to remote hosts, 170–171
ping command, 53–54, 55, 168, 343–344
Ping of Death, 322
local loopbacks, 169
loopback addresses, 54
piping commands, Linux, 110
across Diamond Model, 589
PKCS (public key cryptography standards), 432
PKI (public key infrastructure), 438–439
applications, 447
certificate enrollment, 444–446
interoperability of different PKI vendors, 442–443
public key cryptography
digital signatures for code signing, 432–435
digital signatures for digital certificates, 435–437
public key management, 437–438
PKI certificates, 439
Plan-Do-Check-Act cycle, ISO-27001, 492–493
plans, NIST 800-61r2, 602
PLC (programmable logic controllers), 3
podcasts, security blogs and podcasts, 392
Point of Presence (PoP), 122
point-to-point, WAN topologies, 285
Point-to-Point Protocol (PPP), 127
AUP (acceptable use policy), 382
business policies, 381
BYOD (Bring Your Own Device) policies, 382–383
company policies, 381
employee policies, 381
identification and authentication policies, 382
network maintenance policies, 382
password policies, 382
remote access policy, 382
policy-based HIDS, 466
politics, national security, 6–7
polyalphabetic ciphers, 406–407
PoP (Point of Presence), 122
POP3 (Post Office Protocol version 3), 126, 223–224
security monitoring, 507
Port Address Translation (PAT), 218–219, 509–510
port allocation, TCP (Transmission Control Protocol), 196–198
port redirection, 315, 316–317
port scanning, 205
destination (SPAN) port, 334
Linux, 83
routed ports, 253
source (SPAN) port, 334
TCP (Transmission Control Protocol), 187–188
POST (power-on self-test), 31–32
HTTP (Hypertext Transfer Protocol), 227
Post Office Protocol version 3 (POP3), 126, 223–224
security monitoring, 507
post-incident activities, 609–610
power-on self-test (POST), 31–32
commands, 45
PowerShell functions, 45
PowerShell scripts, 45
PPP (Point-to-Point Protocol), 127
PR (Privileges Required), 475
PRADS (Passive Real-time Asset Detection System), 562–563
Preamble field, Ethernet frames, 141
precursors, 606
preferred uptime, 11
prefix length, IPv6, 163
preparation, incident response life cycle, NIST, 604–605
presentation layer, OSI (Open Systems Interconnection) model, 131
preservation, digital forensics, 574–575
pretexting, 318
Pretty Good Privacy (PGP), 422
principle of least privilege, 385
private IPv4 addresses, 156
NAT (Network Address Translation), 217
privilege escalation, 385
Privileges Required (PR), 475
probabilistic analysis, alert evaluation, 552–553
probing, web servers, with telnet, 105–106
procedures, NIST 800-61r2, 602
CVSS (Common Vulnerability Scoring System), 476–478
digital forensics, 572
SOC (Security Operations Centers), 8–9
Task Manager, 49
Windows Task Manager, 37
processor-sharing P2P networks, 511
profiling, 606
programmable logic controllers (PLC), 3
properties, of hash functions, 411
Properties dialog box, 52
prosecution, 611
protected health information (PHI), 6
protocol data unit (PDU), 134
TCP/IP protocol suite, 126–128
protocol-level misinterpretation, 323
protocols, 123
address resolution protocol. See Address Resolution Protocol
BGP (Border Gateway Protocol), 244
BOOTP (bootstrap protocol), 126
communications protocols. See communications protocols
DHCP. See DHCP (Dynamic Host Configuration Protocol)
dynamic routing protocol, 243–244
EIGRP (Enhanced Interior Gateway Routing Protocol), 127
Hypertext Transfer Protocol. See HTTP (Hypertext Transfer Protocol)
ICMP. See ICMP (Internet Control Message Protocol)
IMAP. See IMAP (Internet Message Access Protocol)
IP. See IP (Internet Protocol)
network protocols. See network protocols
NTP. See NTP (Network Time Protocol)
POP3. See POP3 (Post Office Protocol version 3)
PPP (Point-to-Point Protocol), 127
RDP (Remote Desktop Protocol), 56
SMTP (Simple Mail Transfer Protocol), 126, 223
SNMP (Simple Network Management Protocol), 274, 335
STP (Spanning Tree Protocol), 248–252
TCP. See TCP (Transmission Control Protocol)
TFTP (Trivial File Transfer Protocol), 127, 220
transport layer protocols. See transport layer protocols
UDP. See UDP (User Datagram Protocol)
for wireless communications, 254–256
proxy logs, 532
proxy servers, 532
proxy Trojan horses, 307
PSH, 195
public affairs, incident response, 603
public IPv4 addresses, 156
public key cryptography, digital signatures, 430–432
for digital certificates, 435–437
public key cryptography standards (PKCS), 432
public key infrastructure. See PKI (public key infrastructure)
public key management, 437–438
PulledPork rule management utility, 550
PUT, HTTP (Hypertext Transfer Protocol), 227
pwd command, Linux, 78
Python programming, 13
ELSA (Enterprise Log Search and Archive), 565–567
Query Builder, Sguil, 560, 561
r-- (group permissions), 95
RA (Router Advertisement) messages, 166
radio frequencies (RF), 255
RADIUS (Remote Authentication Dial-in User Service), 205, 279–280
AAA (Authentication, Authorization, and Accounting), 388
ransomed companies, 3
ransomware, 309
RBAC (role-based access control), 385
RDP (Remote Desktop Protocol), 56
reassembling segments, transport layer protocols, 185
messages, 137
reconnaissance, Cyber Kill Chain, 583–584
reconnaissance attacks, 312–314
record types, DNS (Domain Name System), 214
recovery, NIST incident response life cycle, 609
recursion, DNS (Domain Name System), 211
recursive resolvers, DNS (Domain Name System), 211
redirection 3xx, 363
redundancy, STP (Spanning Tree Protocol), 248–249
reference models, 130
OSI (Open Systems Interconnection) model, 131
REG_BINARY, 40
REG_DWORD, 40
REG_SZ, 40
Regional Internet Registries (RIRs), 160
registry keys, 40
regular expressions, 569
regulations. See compliance regulations
regulatory compliance, 383
remediation, NIST incident response life cycle, 609
remote access policy, 382
Remote Authentication Dial-in User Service (RADIUS), 205, 279–280
Remote Desktop Protocol (RDP), 56
remote exploits, 298
host forwarding, 158
testing connectivity with ping, 170–171
remote ports, TCP (Transmission Control Protocol), 187–188
remote routes, 242
Remote SPAN (RSPAN), 334
remote-access Trojan horses, 307
entries from ARP tables, 181
MAC-to-IP address mapping, 181
digital forensics, 572
SIEM (security information and event management), 339
reporting requirements, NIST 800-61r2, 612
reports, CVSS (Common Vulnerability Scoring System), 478–479
Request Tracker for Incident Response (RTIR), 545
reserved private addresses, IPv4, 156–157
resolvers, DNS (Domain Name System), 211
resource accounting, 390
resource exhaustion, 323
retrieving CA certificates, 444
retrospective security analysis (RSA), 552
revocation, PKI (public key infrastructure), 444–446
RF (radio frequencies), 255
ring, LAN topologies, 286
RIRs (Regional Internet Registries), 160
risk acceptance, 298
risk analysis, 473
risk assessment, 483
risk limitation, 298
risk reduction, 484
risk retention, 484
risk sharing, 484
risk transfer, 298
Rivest, Ron, 412
Rivest-Shamir-Adleman Algorithm (RSA), 431
rm command, Linux, 79
transport layer protocols, 184–185
role-based access control (RBAC), 385
roles of people at SOC, 8
root CA, 441
rootkit detectors, 303
round-trip time (RTT), testing paths with traceroute, 172
routed ports, 253
Router Advertisement (RA) messages, 166
Router Solicitation (RS) messages, 166
internal routers, 379
NAT (Network Address Translation), 217
packet forwarding, 241
routers sharing path information, role of protocols, 125
routing protocol classification, 244
RR, DNS (Domain Name System), 211
RS (Router Solicitation) messages, 166
RSA (retrospective security analysis), 552
RSA encryption algorithms, 423
RSPAN (Remote SPAN), 334
RST, 195
RTIR (Request Tracker for Incident Response), 545
RTT (round-trip time), testing paths with traceroute, 172
rule headers, Snort, 548
rule location, 548
rule options, Snort, 549
for compressing IPv6 addresses, 163
Run as Administrator, Windows, 41–42
runbook automation, 570
running applications on Linux hosts, 100–101
runt frames, 140
rw- (group permissions), 94
rwx (user permissions), 94
S (Scope), 475
salary information, 13
SANCP (Security Analyst Network Connection Profiler), 562, 563
sandboxing, 469
SANS (SysAdmin, Audit, Network, Security), 391
Sarbanes-Oxley Act of 2002 (SOX), 482
scareware, 310
schema elements, VERIS, 594
discovery and response, 595
impact assessment, 595
incident tracking, 598
victim demographics, 597
Scope (S), 475
scoping, NIST incident response life cycle, 606–607
scores, CVSS (Common Vulnerability Scoring System), 478–479
SEAL (Software-Optimized Encryption Algorithm), 420
second extended file system (ext2), Linux, 92
second-level elements, VERIS, 594
secure communications, 401–402
Secure Hash Algorithm 1 (SHA-1), 412–413
Secure Hash Algorithm 2 (SHA-2), 413
secure network topology, 401
Secure Shell (SSH), 422
Secure Sockets Layer (SSL), 422
securing communications, 400–402
versus availability, SOC (Security Operations Centers), 11
common security architectures, 288–289
Windows
Windows Update Management, 60–61
Security Analyst Network Connection Profiler (SANCP), 562, 563
security artichoke, 380
security blogs and podcasts, 392
security descriptors, 29
asset management, 486
configuration management, 487–488
enterprise patch management, 488–489
mobile device management (MDM), 486–487
vulnerability management, 484–485
application gateway firewalls, 265
packet filtering firewall, 264
stateful firewalls, 264
IDSs (intrusion detection systems), 267
IPS (intrusion protection systems), 267
next-generation firewalls, 266
packet filtering firewall, 265–266
specialized security appliances, 271–272
stateful firewalls, 266
security information and event management. See SIEM (security information and event management)
security logs, Event Viewer, 519
security management systems, 491
security mode, 257
common protocols
DNS (Domain Name System), 504
HTTP (Hypertext Transfer Protocol), 505
NTP (Network Time Protocol), 503
email protocols, 507
ICMP (Internet Control Message Protocol), 507–508
log files. See log files
analysis tools, 544
Sguil, 545
security onion, 379
Security Operations Centers. See SOC (Security Operations Centers)
security policies, 61, 381–382
BYOD (Bring Your Own Device) policies, 382–383
regulatory and standard compliance, 383
security recommendations, for Windows, 26–27
NTP (Network Time Protocol), 277–279
port mirroring, 276
SNMP (Simple Network Management Protocol), 274
syslog servers, 277
traffic control with ACLs, 272–273
VPNs (virtual private networks), 280–282
security software disabler Trojan horses, 307
ACLs (access control lists), 508–509
encryption, 510
NAT (Network Address Translation), 509–510
P2P (peer-to-peer) networking, 511–512
PAT (Port Address Translation), 509–510
tunneling, 510
security tools, evolution of, 302–304
security wipes, 31
security-aware culture, 319
segment sequence numbers, 202
segmenting, data, transport layer protocols, 185
segments, reassembling, transport layer protocols, 185
self zone, 289
server error 5xx, 363
Server Message Block (SMB), 56
server profiling, 471
server-based AAA authentication, 387–388
servername, UNC (Universal Naming Convention), 56
servers, 119
service configuration files, Linux, 84–88
service logs, monitoring (Linux), 89–91
service packs, 60
service set identifier (SSID), 257
Linux, 83
network components, 283
Task Manager, 50
session data, 515
session hijacking, 343
TCP (Transmission Control Protocol), 352
session layer, OSI (Open Systems Interconnection) model, 131
Session Manager Subsystem (SMSS), 33
session setup and termination, role of protocols, 125
SET (Social Engineering Toolkit), 319
setup logs, Event Viewer, 519
SFD (Start Frame Delimiter) fields, Ethernet frames, 141
Sguil, 544, 545, 547, 559–560
event handling, 563
SHA-1 (Secure Hash Algorithm 1), 412–413
SHA-2 (Secure Hash Algorithm 2), 413
shared key authentication, 258, 260
sharename, UNC (Universal Naming Convention), 56
shares, 56
shell, Linux, 77
shutdown, Windows, 36
shutdown command, Linux, 78
SIEM (security information and event management), 335, 338–339
SOC (Security Operations Centers), Linux, 75
signature validation error, 448
signature-based antimalware, 459
signatures, 267
digital signatures. See digital signatures
Simple Mail Transfer Protocol (SMTP), 126, 223
Simple Network Management Protocol (SNMP), 274, 335
single-root PKI topology, 441
IPv6, 161
protocols, 128
SMB (Server Message Block), 56, 220–221
smishing, 319
SMSS (Session Manager Subsystem), 33
SMTP (Simple Mail Transfer Protocol), 126, 223
security monitoring, 507
Smurf attacks, 346
sniffer attacks, 305
SNMP (Simple Network Management Protocol), 274, 335
Snort configuration file, 86–88
SOC (Security Operations Centers), 2, 5
elements of, 7
enterprise and managed security, 10
monitoring systems, 10
security versus availability, 11
SOC Manager, 8
social engineering attacks, 317–318
Social Engineering Toolkit (SET), 319
socket pairs, transport layer protocols, 189
sockets, 189
software attack surfaces, 467
Software-Optimized Encryption Algorithm (SEAL), 420
SolarWinds Patch Manager, 489
solid state drives (SSDs), 28–29
something for something (quid pro quo), 318
SOPs (standard operating procedures), 602
source (SPAN) port, 334
Source MAC address field, Ethernet frames, 141
source MAC addresses, switches, 246
source port, TCP (Transmission Control Protocol), 187
analysis tools, 544
detection tools for collecting alert data, 543–544
Security Onion, 542
Snort, rule structure, 547–550
sources of career information, 13
SOX (Sarbanes-Oxley Act of 2002), 482
spam, 318
spam blocking, ESA (Email Security Appliance), 272
spam email, 366
SPAN (Switched Port Analyzer), 333
traffic monitoring, 334
SPAN sessions, 334
Spanning Tree Protocol (STP), 248–252
spear phishing, 318
specialized security appliances, 271–272
Splunk, 525
spoofing attacks, 315, 348–349
spyware, 310
SQL Slammer worm, 308
Squid web proxy logs, 533
SSDs (solid state drives), 28–29
SSH (Secure Shell), 422
SSH File Transfer Protocol, 220
SSID (service set identifier), 257
SSL (Secure Sockets Layer), 422
SSSD (System Security Services Daemon), 90
standard compliance, 383
standard operating procedures (SOPs), 602
standards, threat intelligence communication standards, 394
star, LAN topologies, 285
Start Frame Delimiter (SFD) field, Ethernet frames, 141
system configuration, 35
Task Manager, 50
stateful communication, TCP (Transmission Control Protocol), 351
state-sponsored hacking, 300
status codes, HTTP (Hypertext Transfer Protocol), 228–229
Step 7 software, 3
STIX (Structured Threat Information Expression), 394
“Stop. Think. Connect.”, 301
STP (Spanning Tree Protocol), 248–252
stratum, NTP (Network Time Protocol), 278
stream ciphers, 418
Structured Threat Information Expression (STIX), 394
stub networks, 217
students, typical sessions for, 119–120
su command, Linux, 78
submitting, certificate requests, 445
subnet, 153
subnets, 241
subnetting, 153
subnetting broadcast domains, IPv4, 152–153
substitution ciphers, 404
successful 2xx, 363
sudo command, Linux, 78
surgeons, typical session for, 121
Suricata, 544
SVI (switch virtual interface), 253–254
swap file system, Linux, 92
switch virtual interfaces (SVI), 253–254
Switched Port Analyzer (SPAN), 333
switches
LAN switches, 245
traffic sniffing, 276
symmetric encryption algorithms, 416–417, 418–421
SYN, 195
SysAdmin, Audit, Network, Security (SANS) Institute, 391
syslog servers, 277
system accounting, 389
system calls, 567
System Files, 31
system logs, Event Viewer, 519
System Security Services Daemon (SSSD), 90
system-based sandboxing, 469
TACACS+ (Terminal Access Controller Access-Control System Plus), 279–280
AAA (Authentication, Authorization, and Accounting), 388
Tactics, Techniques, and Procedures (TTP), 575
tailgating, 318
Talos, 271
TAPs (Terminal Access Points), 333–334
Task Bar, Windows 10, 24
Processes tab, 37
TAXII (Trusted Automated Exchange of Indicator Information), 394
TCP (Transmission Control Protocol), 127, 137
comparing to UDP (User Datagram Protocol), 194
connection establishment, 199
connection termination, 200–201
encapsulation, 135
local and remote ports, 187–188
segments, 350
stateful communication, 351
terminating connections, 352
transport layer protocols, 190–191
session hijacking, 352
window size, 203
TCP reset attack, 352
TCP SYN flood attacks, 351–352
TCP Wrapper, 464
versus, OSI (Open Systems Interconnection) model, 130
TCP/IP protocol suite, 126–128
formatting, 128
techniques for patch management, 488–490
technologies, SOC (Security Operations Centers), 9–10
telnet, probing, web servers, 105–106
temporal metric group, CVSS (Common Vulnerability Scoring System), 475
temporary agencies, 14
terminal, Linux, 77
Terminal Access Controller Access-Control System Plus (TACACS+), 279–280
Terminal Access Points (TAPs), 333–334
terminating TCP connections, 352
testing
connectivity to local LAN with ping, 169–170
connectivity to remote hosts with ping, 170–171
DNS (Domain Name System), 55
local TCP/IP stacks, 169
network vulnerability testing, 473
paths with traceroute, 172–175
penetration testing, 473
TFTP (Trivial File Transfer Protocol), 127, 220
third extended file system (ext3), Linux, 92
security tools, evolution of, 302–304
threat actors, 297
amateurs, 4
financial gain, 4
global politics, 4
hacktivists, 4
trade secrets, 4
threat incident escalation process, 9
threat intelligence
Cisco Cybersecurity Reports, 392
information sources, network intelligence communities, 390–392
security blogs and podcasts, 392
AIS (Automated Indicator Sharing), 393
communication standards, 394
CVE (Common Vulnerabilities and Exposures), 393
FireEye, 393
three addresses, network protocols, 131–132
three-layer network design model, LAN topologies, 286–287
three-way handshake, TCP (Transmission Control Protocol), 199
ticketing systems, SOC (Security Operations Centers), Linux, 75
Tier 1 Alert Analyst, SOC (Security Operations Centers), 8
Tier 2 Incident Responder, SOC (Security Operations Centers), 8
Tier 3 Subject Matter Expert (SME)/Hunter, SOC (Security Operations Centers), 8
Time Exceeded messages, ICMPv4 messages, 166
Time to Live (TTL), IPv4, 172–175
time to live (TTL), 55
timestamps, 29
timing, protocols, 129
tools
Linux, 76
Msconfig tool, 33
for network monitoring, 335
network protocol analyzers, 335–339
Tools tab, system configuration, 35–36
top-level elements, VERIS, 594
Tor network, 512
Torvalds, Linus, 73
traceroute, testing, paths, 172–175
traces, 118
tracing paths, communication processes, 121–122
tracking individual conversations, transport layer protocols, 184–185
trade secrets, threat actors, 4
traffic control with ACLs, 272–273
traffic fragmentation, 323
traffic insertion, 323
traffic mirroring, 333
traffic monitoring. See network monitoring
traffic sniffers, 276
traffic sniffing with switches, 276
traffic substitution, 323
Transmission Control Protocol. See TCP (Transmission Control Protocol)
transparent firewalls, 265
transport layer, OSI (Open Systems Interconnection) model, 131
transport layer protocols
mechanisms, 186
operations
UDP (User Datagram Protocol), 204–205
socket pairs, 189
TCP (Transmission Control Protocol), 190–191
TCP local and remote ports, 187–188
tracking individual conversations, 184–185
UDP (User Datagram Protocol), 191–193
headers, 196
transport layer services, 186
Triple DES (3DES), 419
Trivial File Transfer Protocol (TFTP), 127, 220
Trojan horses
classifications, 307
trust system, PKI (public key infrastructure), 441–442
Trusted Automated Exchange of Indicator Information (TAXII), 394
TTL (Time to Live), 166
TTL (time to live), 55
TTP (Tactics, Techniques, and Procedures), 575
reserved private addresses, 156–157
Ubuntu GUI-based software updater, 102
Ubuntu Linux, 99
UDP (User Datagram Protocol), 127, 204–205
attacks, 353
comparing, to TCP (Transmission Control Protocol), 194
headers, 196
transport layer protocols, 191–193
vulnerabilities, 353
UDP flood attack, 353
UDP Unicorn, 353
UEFI (Unified Extensible Firmware Interface), 31–32
UI (User Interaction), 475
UNC (Universal Naming Convention), 56
unicast, communication protocols, 129
Unified Extensible Firmware Interface (UEFI), 31–32
Uniform Resource Identifier (URI), 523
Uniform Resource Locator (URL), 523
Universal Naming Convention (UNC), 56
UNIX, 304
unreliable, 145
Update status, 61
URG, 195
URI (Uniform Resource Identifier), 523
URL (Uniform Resource Locator), 523
HTTP URL, 227
U.S. Computer Emergency Readiness Team (US-CERT), 301
U.S. Department of Homeland Security (DHS), 301
USAJobs.gov, 13
US-CERT (U.S. Computer Emergency Readiness Team), 301
User Datagram Protocol. See UDP (User Datagram Protocol)
User Interaction (UI), 475
user mode, Windows, 28
user permissions (rwx), 94
user spaces, 38
administration of, 43
Users tab, Task Manager, 50
/var/log/auth.log, Linux, 90
/var/log/boot.log, Linux, 90
/var/log/cron, Linux, 90
/var/log/dmesg, Linux, 90
/var/log/kern.log, Linux, 90
/var/log/messages, Linux, 90
/var/log/mysqld.log, Linux, 326
/var/log/secure, Linux, 90
/var/log/syslog, output, 91
VCDB (VERIS Community Database), 598
vendor teams, 600
verifying Windows blacklisted applications, 469
VERIS (Vocabulary for Event Recording and Incident Sharing), 592
schema elements, 594
discovery and response, 595
impact assessment, 595
incident tracking, 598
victim demographics, 597
VCDB (VERIS Community Database), 598
VERIS Community Database (VCDB), 598
VeriSign certificates, 440
victim demographics, VERIS, 597
viewing, permissions, for Linux files, 94
Vigenère cipher, 407
virtual address space, 38
virtual addresses, 38
virtual private networks (VPNs), 280–282
viruses, 306
vishing, 319
visual hacking, 318
visualizations, 570
Vocabulary for Event Recording and Incident Sharing. See VERIS
VPNs (virtual private networks), 280–282
vulnerabilities
ARP (Address Resolution Protocol), 354–355
IP services
DHCP (Dynamic Host Configuration Protocol), 359–362
address spoofing attacks, 348–349
amplification and reflection attacks, 346–347
DDoS attacks, 345–346, 347–348
DoS (denial-of-service) attacks, 345–346
Linux, 105
operating system vulnerabilities, Windows, 26–27
TCP (Transmission Control Protocol), 350–351
session hijacking, 352
UDP (User Datagram Protocol), 353
vulnerability assessment, 473
vulnerability brokers, 299
vulnerability exploitation tools, 304
vulnerability management, 484–485
Vulnerability Management Life Cycle, 485
vulnerability scanners, 304
WAN topologies, 285
war dialing programs, 299
watering hole, 319
weaponization, Cyber Kill Chain, 584–585
web browsers, 83
web pages
displaying, 137
sending and receiving, 136–139
Web Security Appliance (WSA), 271
web servers, probing with telnet, 105–106
defending against, 364
web-exposed databases, 367
command injection, 367
cross-site scripting (XSS), 368
whaling, 318
white hat hackers, 299
WHOIS, DNS (Domain Name System), 215–216
window size, TCP (Transmission Control Protocol), 203
Windows
administration, configuration management
accessing network resources, 56–57
local users and domains, 42–44
WMI (Windows Management Instrumentation), 46–47
architecture
HAL (hardware abstraction layer), 27–28
kernel mode, 28
user mode, 28
history of
DOS (Disk Operating System), 21–23
GUI (graphical user interface), 24–26
operating system vulnerabilities, 26–27
Remote Desktop Connection, 56–57
shutdown, 36
windows, WMI Control Properties window, 46–47
Windows 7, 24
Windows 8, 24
Windows 8.1, 24
Windows 10
Ethernet properties, 53
GUI (graphical user interface), 25
IPv4 properties, 53
Network and Sharing Center, 52
network connections, 52
Resource Monitor, 50
Task Manager, 49
Windows Firewall, 64–65, 460, 464
Windows Home Server 2011, 24
Windows Management Instrumentation. See WMI
Windows NT, 23
Windows PCs, checking IP configuration, 149
Windows PowerShell. See PowerShell
Windows Registry Editor, 40
Windows Update Management, 60–61
Windows Server 2000, 57
Windows Server 2008 R2, 24
Windows Server 2012, 24
Windows Server 2012 R2, 24
Windows Server 2016, 24
Windows Services control panel, 37–38
Windows Task Manager, Processes tab, 37
Windows Update Management, 60–61
Windows XP, 23
windump, 337
protocols and features, 254–256
wireless network operations, 256–258
client to AP association process, 258–260
wireless hacking tools, 303
Wireless LAN Controller (WLC), 262
wireless LANs (WLANs), 254–256
wireless network operations, 256–258
client to AP association process, 258–260
Wireshark
capture of web page requests, Linux, 75
WLANs (wireless LANs), 254–256
WLC (Wireless LAN Controller), 262
WMI (Windows Management Instrumentation), 41, 46–47
WMI Control Properties window, 46–47
workflow management, 570
WSA (Web Security Appliance), 271, 462, 531
X Window System, Linux GUI, 98–99
Xbox One, IPv4 address, 150
XSS (cross-site scripting), 368
Zero Days, 3
zero-day exploits, 60
zombies, 321
ZPFs (zone-based policy firewalls), 289