Network & Cyber Security
    • Samba is software that lets a Linux host share files and printers with Windows systems:
      itguest.blogspot.com/2011/04/file-sharing-samba.html

    • In-depth look at Snoc, a cloud service dedicated to DDoS protection that every organization should pay attention to:
      www.techtalkthai.com/snoc-cloud-ddos-protection-service-for-enterprise-and-ecommerce-websites

    • Snoc launches Solution Version 3.0 with Web Application Firewall and DDoS Protection services:
      www.techtalkthai.com/snoc-introduces-snoc-3-0

    • Exposed: the online black market offering DDoS-for-hire:
      www.techtalkthai.com/ddos-dark-market

    • Down for three seconds! DDoS makes the list of data center outage causes (Ponemon study):
      www.techtalkthai.com/data-center-outage-by-ponemon

    • How to tell whether you are under a DDoS attack:
      www.techtalkthai.com/how-to-know-you-are-under-ddos-attack

    • Snoc DDoS e-book: Introduction, Build the DDoS response plan with checklist, How do you know when they DDoS you!, DDoS mitigation techniques:
      www.snoc.co.th/wp-content/uploads/2015/09/Ebook-Final-V1.pdf

    • App vs. Volume: do you know which attack type is used most often?
      www.snoc.co.th/infographics/app-vs-volume-attack

    • Attack of the year 2014: do you know which one it was?
      www.snoc.co.th/infographics/attack-of-the-year-2014

    • X-Forwarded-For (XFF): the header a proxy or CDN uses to pass the original client IP along. The client can set it too, so only the hops appended by proxies you trust are reliable:
      www.keycdn.com/support/x-forwarded-for
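
      Because the XFF value is partly attacker-controlled, a DDoS-scrubbing or CDN tier in front of an application only helps with per-client rate limiting if the application extracts the client address correctly. The following is an added example (not code from the linked article): a naive extractor that trusts the leftmost entry beside a hardened one that walks the chain from the right, discarding only the hops that belong to a constructed list of trusted proxy ranges.

      ```python
      """Picking the real client IP from X-Forwarded-For (XFF) behind a CDN or DDoS
      scrubbing proxy.

      Added example, not code from the linked article. The trusted proxy ranges and
      the sample headers are constructed for illustration."""
      import ipaddress

      # Constructed: egress ranges of the proxy tier we operate or contract.
      TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]


      def naive_client_ip(xff_header: str, peer_ip: str) -> str:
          """The common mistake: take the leftmost XFF entry. The client wrote that
          value, so an attacker can pick any address (to dodge rate limits or an IP
          block list, or to poison logs)."""
          hops = [h.strip() for h in xff_header.split(",") if h.strip()]
          return hops[0] if hops else peer_ip


      def client_ip(xff_header: str, peer_ip: str, trusted=TRUSTED_PROXIES) -> str:
          """Each proxy appends the address it saw: "client, proxy1, proxy2".
          Only entries appended by our own proxies are trustworthy, so walk from
          the right (the hop nearest us), skipping addresses that belong to the
          trusted proxy tier, and return the first one that does not."""
          hops = [h.strip() for h in xff_header.split(",") if h.strip()]
          hops.append(peer_ip)  # the TCP peer is the final, implicit hop
          for hop in reversed(hops):
              try:
                  addr = ipaddress.ip_address(hop)
              except ValueError:
                  return peer_ip  # malformed entry: fall back to the TCP peer
              if not any(addr in net for net in trusted):
                  return str(addr)
          return peer_ip  # every hop was one of our proxies


      if __name__ == "__main__":
          # Client forges "1.2.3.4"; our proxy (10.0.0.5) appends the real 198.51.100.7.
          hdr = "1.2.3.4, 198.51.100.7"
          print("naive :", naive_client_ip(hdr, "10.0.0.5"))
          print("robust:", client_ip(hdr, "10.0.0.5"))
      ```

      If the connection arrives directly (the TCP peer is not a trusted proxy) the header is ignored entirely, which is the behaviour you want when an attacker bypasses the scrubbing tier and hits the origin.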

    • TCP 3-Way Handshake:
      www.facebook.com/networks365/posts/1690091114560337

    • DDoS using TCP FIN floods:
      www.icez.net/blog/69510/ddos-tcp-fin-flood

    • Internet bot (Thai Wikipedia):
      th.wikipedia.org/wiki/อินเทอร์เน็ตบอต

    • URL vs URI:
      www.bloggang.com/viewdiary.php?id=zkaru&month=08-2009&date=08&group=3&gblog=8

    • Basic Cryptography - Digital Certificate & SSL:
      kungfusecurity.wordpress.com/2011/08/28/basic-cryptography-5-digital-certificate

    • What is a cache:
      itnews4u.com/How-to-Clear-Cache-Browser.html

    • Penetration Tester:
      • app.cybrary.it/browse/course/comptia-linux-plus
      • app.cybrary.it/browse/course/comptia-security
      • app.cybrary.it/browse/course/ethical-hacking
        www.techworm.net/2016/07/10-youtube-channels-learning-ethical-hacking-course-online.html
      • EC-Council CHFI

    • Security Operations Center (SOC) Analyst (in addition to the courses above):
      • app.cybrary.it/browse/course/comptia-network-plus
      • app.cybrary.it/browse/course/comptia-casp

    • Cyber Security Engineer (in addition to the courses above):
      • app.cybrary.it/browse/course/comptia-cloud-plus
      • app.cybrary.it/browse/course/cisco-ccna
      • app.cybrary.it/browse/course/comptia-cysa-2018
      • app.cybrary.it/browse/course/cissp
      • app.cybrary.it/browse/course/cism
      • app.cybrary.it/browse/course/project-management-professional
      • app.cybrary.it/browse/course/isc2-certified-cloud-security-professional-ccsp

    • www.facebook.com/longhackz

    • Secure Design Principles (Thai article):
      medium.com/incognitolab/64a5ba0c6142

    • Example Attacks:
      • blog.endace.com/2013/08/27/ddos-attacks-on-port-0-does-it-mean-what-you-think-it-does
      • www.techtalkthai.com/blacknurse-dos-attack-server-firewalls
      • notebookspec.com/ทำความรู้จักกับ-distributed-denial-of-service-ddos/36287
      • arit.rmutsv.ac.th/th/blogs/80-sql-injection-คืออะไร-757
      • www.thaicert.or.th/downloads/presentations/20150507_Seminar_Dataone_.pdf

    Palo Alto:

    • PA-200, PA-3000, PA-5000 and PA-7000 are Palo Alto Networks next-generation firewall model families.

    • The single-pass platform architecture separates a control (management) plane from a data plane.

    • The strength of the Palo Alto Networks firewall is its Single-Pass Parallel Processing (SP3) engine.

    • The PA-5280 was introduced with PAN-OS 8.1 and has double the data-plane memory.

    • Palo Alto Networks firewalls have a dedicated out-of-band management port, labeled MGT by default. It passes only management traffic, cannot be configured as a standard traffic port, and gives administrators direct connectivity to the firewall's management plane.

    • Configuration workflow: the candidate configuration can be reverted to the running configuration; Save stores a copy of the current candidate configuration; Commit replaces the running configuration with the contents of the candidate configuration.

    • Firewall administrator accounts can be tailored to each user's needs, granting or restricting permissions as appropriate.

    • The firewall can be administered through the web interface, Panorama, the command line interface or the XML API.

    • Service routes let an in-band (data-plane) port be used to reach external services instead of the MGT port.

    • Virtual routers support static routing and dynamic routing with OSPF, RIPv2 and BGP.

    • Layer 3, Tap and Virtual Wire are all valid interface types on a Palo Alto Networks firewall.

    • By default, intrazone traffic is allowed and interzone traffic is blocked (the intrazone-default and interzone-default rules at the bottom of the rulebase).

    • A Virtual Wire (vwire) interface, also called a bump in the wire or transparent in-line deployment, has no routing and cannot carry device management, but does support NAT, Content-ID and User-ID.

    • A Layer 3 interface can be dual-stack, with both IPv4 and IPv6 addresses.

    • Source zone, user name, URL category and application are all valid match criteria in a Security policy rule.

    • Universal is the default Security policy rule type (the others are intrazone and interzone).

    • The intrazone-default and interzone-default rules can be modified (overridden), for example to enable logging or attach Security Profiles.

    • Dynamic IP, Dynamic IP and Port (DIPP) and Static IP are the source NAT translation types.

    • Logging is disabled by default on the intrazone-default and interzone-default rules; override them if you want to see the traffic they handle.

    • Remote logging destinations: Email, Syslog, Panorama and SNMP trap.

    • Logs can be exported to CSV.

    • A Report Group can only be delivered as a scheduled email; it cannot be downloaded directly.

    • A SaaS application that is formally approved for use on the network is tagged "Sanctioned".

    • Active/passive HA: only one firewall actively processes traffic, so there is no increase in session capacity or throughput; Virtual Wire, Layer 2 and Layer 3 deployments are supported.

    • The HA1 (control) link carries configuration synchronization, heartbeats and hellos.

    • On a firewall with dedicated HA ports, HA2 is the data link (session and table synchronization).

    • A backup control link helps prevent split-brain operation in an HA pair.

    • Failure detection in an HA pair uses heartbeats and hellos, internal health checks, and link and path monitoring groups.

    • A Security policy rule shown in italics is disabled.

    • A Server Profile (for example LDAP or RADIUS) tells the firewall where to find a server that holds remote user accounts.

    • An Antivirus Security Profile has Actions and WildFire Actions; the WildFire Actions let the firewall block traffic when a WildFire-generated virus signature is detected.

    • An Interface Management Profile can be attached to Layer 3 and loopback interfaces.

    • App-ID identifies applications using application signatures, known protocol decoders and protocol/program heuristics.
    • URLs logged in the "not-resolved" category in the URL Filtering log mean the firewall could not categorize them; the action to take is to validate connectivity to the PAN-DB cloud.

    • When a DNS sinkhole is configured, sinkhole actions (which point to a potentially infected host) are recorded in the Threat log.
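
    Both of the two points above are things a SOC analyst reads out of exported logs. The following is an added example, not Palo Alto Networks code: it runs the two checks over constructed log lines. The column layout is a deliberately reduced subset of a PAN-OS Threat log CSV export (the real export has many more columns), so map the field names to your export's header row before reusing it.

    ```python
    """Triage of PAN-OS log exports: DNS-sinkhole hits and 'not-resolved' URL
    categories.

    Added example, not Palo Alto Networks code. FIELDS is a constructed subset of a
    Threat log CSV export; the real export has many more columns. SAMPLE_LOG is
    constructed for illustration."""
    import csv
    from collections import defaultdict
    from io import StringIO

    FIELDS = ["receive_time", "type", "subtype", "src", "dst", "rule", "app",
              "action", "misc", "category"]

    # Constructed: two hosts resolving known-bad domains (sinkholed) and a burst
    # of URL lookups the firewall could not categorize.
    SAMPLE_LOG = """\
    2019/03/01 09:00:01,THREAT,spyware,192.168.4.120,8.8.8.8,Internet,dns,sinkhole,badc2.example,malware
    2019/03/01 09:00:07,THREAT,spyware,192.168.4.120,8.8.8.8,Internet,dns,sinkhole,update.bad-cdn.example,malware
    2019/03/01 09:00:09,THREAT,spyware,192.168.4.133,8.8.8.8,Internet,dns,sinkhole,badc2.example,malware
    2019/03/01 09:01:00,THREAT,url,192.168.4.150,192.0.2.10,Internet,web-browsing,alert,www.example.com/,not-resolved
    2019/03/01 09:01:02,THREAT,url,192.168.4.150,192.0.2.10,Internet,web-browsing,alert,www.example.com/news,not-resolved
    2019/03/01 09:01:05,THREAT,url,192.168.4.151,192.0.2.10,Internet,web-browsing,alert,www.example.org/,not-resolved
    2019/03/01 09:01:09,THREAT,url,192.168.4.152,192.0.2.10,Internet,web-browsing,alert,www.example.net/,computer-and-internet-info
    """


    def parse(text):
        """Rows as dicts keyed by FIELDS (the export has no header row here)."""
        return list(csv.DictReader(StringIO(text), fieldnames=FIELDS))


    def sinkholed_hosts(rows):
        """Source IPs whose DNS queries were sinkholed, with the domains they asked
        for. If an internal DNS server forwards queries, the source here is that
        server; correlate Traffic logs towards the sinkhole IP to find the real
        client."""
        hits = defaultdict(set)
        for r in rows:
            if r["type"] == "THREAT" and r["action"] == "sinkhole":
                hits[r["src"]].add(r["misc"])
        return {ip: sorted(domains) for ip, domains in hits.items()}


    def not_resolved_ratio(rows):
        """Share of URL-filtering entries whose category is 'not-resolved'."""
        url_rows = [r for r in rows if r["subtype"] == "url"]
        if not url_rows:
            return 0.0
        unresolved = sum(1 for r in url_rows if r["category"] == "not-resolved")
        return unresolved / len(url_rows)


    def pandb_connectivity_suspect(rows, threshold=0.5):
        """A high not-resolved share means the firewall is not reaching the PAN-DB
        cloud (or is still warming its cache); check connectivity before treating
        the URLs themselves as uncategorized."""
        return not_resolved_ratio(rows) >= threshold


    if __name__ == "__main__":
        rows = parse(SAMPLE_LOG)
        print("sinkholed hosts:", sinkholed_hosts(rows))
        print("not-resolved share:", not_resolved_ratio(rows))
        print("PAN-DB connectivity suspect:", pandb_connectivity_suspect(rows))
    ```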

    • If there is an HA configuration mismatch between the peers during negotiation, the passive firewall enters the NON-FUNCTIONAL state.

    • A Security Profile action of Reset Server resets the server (responder) side of a TCP session; for UDP sessions the connection is dropped.

    • In an HA pair, networks, objects and policies are synchronized between the two firewalls.

    • In an HA pair, heartbeats and path monitoring both rely on ICMP ping.

    • On a firewall configured with a Dynamic IP and Port (DIPP) NAT oversubscription rate of 2x, each translated IP address supports up to 128K concurrent sessions (2 x 64K Layer 4 ports).

    • SSL Inbound Inspection requires the server's digital certificate and private key to be installed on the firewall.

    • User-ID is enabled per security zone.

    • The WildFire portal lets you upload files for analysis, view verdicts and reports, and report incorrect verdicts.

    • PAN-OS runs on two separate planes: the data plane and the control (management) plane.

    • GlobalProtect agent connect methods: Pre-logon, User-logon (Always On) and On-demand.

    • Attaching a Decryption Profile to a no-decrypt Decryption policy rule still lets the firewall check for, and block, expired and untrusted-issuer certificates.

    • When SSL traffic passes through the firewall, the Security policy is evaluated first.

    • A GlobalProtect client connects to the GlobalProtect Portal first; the portal then hands it its configuration and gateway list.

    • The Continue action in a File Blocking Security Profile prompts the user to confirm the file transfer.

    • Allow, Alert, Block, Continue and Override are the actions available in a URL Filtering Security Profile.

    • Tap, Layer 2 and Layer 3 interfaces require configuration changes on adjacent network devices (a mirror/SPAN port for Tap, VLAN and IP/routing changes for Layer 2 and Layer 3); Virtual Wire does not.

    • An Interface Management Profile determines which firewall services (ping, SSH, HTTPS, and so on) are reachable on a data-plane interface.

    • The URL Filtering override password is a single, per-firewall password.

    • Files traversing the firewall, email attachments and URL links found in email can all be sent to WildFire for analysis.

    • Virtual Wire, Layer 2 and Layer 3 interfaces can control or shape network traffic; a Tap interface only observes it.

    • To reach the web UI from a remote subnet, the MGT port needs an IP address, netmask and default gateway.

    • With only the standard (free) WildFire service, the firewall can send PE files (.exe and .dll) for analysis.

    • Content updates that have to be scheduled on the firewall: Antivirus, WildFire and Applications and Threats signatures.

    • GlobalProtect is the recommended User-ID mapping method for a highly mobile user base.

    • GlobalProtect Clientless VPN provides secure remote access to web applications built on HTML, HTML5 and JavaScript.

    • The GlobalProtect cloud service includes the URL Filtering, Threat Prevention and WildFire subscriptions.

    • Up to 20 WildFire appliances can be grouped into a WildFire appliance cluster.

    • The decryption broker feature is supported on the PA-7000, PA-5200 and PA-3200 series.

    • Dropbox, Google and YouTube are the predefined HTTP header insertion types.

    • The VM-50 Lite VM-Series model was introduced with PAN-OS 8.1.


    • PBF use case: outbound access with dual ISPs (PAN-OS 7.1 admin guide):
      docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/policy/use-case-pbf-for-outbound-access-with-dual-isps

    What to consider when buying a firewall:
    1. Interface ports: 1G/10G, copper (UTP) or SFP
    2. Throughput: firewall and SSL-VPN throughput. Datasheets lead with raw firewall throughput; the threat-prevention and SSL-inspection figures are the ones an inline NGFW is actually sized by.
    www.fortinet.com/products/next-generation-firewall.html#models-specs

    • Getting to know the Palo Alto Networks NGFW:
      running-config.blogspot.com/2014/09/palo-alto-networks-ngfw.html

    • FortiGate user guide:
      www.facebook.com/fortinetthai/posts/1838753912813029
      www.facebook.com/youanyway/posts/2361502337406214

    Fortinet:

    • Attacking systems by exploiting otherwise unknown and unpatched vulnerabilities is known as a zero-day exploit.

    • Political, social or moral disagreement is the primary motivation of the "Hacktivist".

    • A Command & Control (C&C) server is the central component needed to form a botnet.

    • Phishing is a fraudulent email that masquerades as legitimate communication in an attempt to get the user to reveal sensitive information.

    • Intimidation through disruption and damage is the goal of the "Cyber Terrorist".

    • Notoriety is the motivation of the bad actor known as the "Explorer".

    • Ideology is the motivation of the "Cyber Terrorist".

    • Money is the motive of the "Cyber Criminal".

    • Ransomware is malware that takes over a computer system and holds its disk drives or other data hostage.

    • The political interests of their country's government are the primary motivation of the "Cyber Warrior".

    • Implementing multiple security point products from multiple vendors makes an environment more complicated and more expensive to manage.

    • Inside the CIO's company, the overall impact of a cyber attack that causes extended downtime and diverts employees to post-attack activities is reduced productivity.

    • On average, CIOs have the shortest tenures among C-level executives.

    • Regulatory fines related to serious breaches can be enormous and seriously impact the bottom line.

    • Cyber security is becoming a regular topic between CIOs, the other C-level executives and the board of directors.

    • The primary responsibility of a CIO is controlling the company's Information Technology (IT) resources.

    • Once a CIO understands the company's business goals and priorities, the next step is to analyze and design the IT infrastructure so that it aligns with those goals.

    • When investments are made in IT infrastructure, the CIO should next show how those investments deliver measurable results.

    • When the general public learns of a serious breach, the likely reaction is an erosion of trust leading to a decline in business with the breached company.

    • A CIO must work closely with the other C-level executives to understand the company's business goals and priorities.
    • The role of CISO is relatively new.

    • In many breaches, tens of millions of credit cards are compromised and personally identifiable information for millions of individuals is stolen; class-action lawsuits are one result.

    • CISOs are often expected to represent the company through thought leadership, partnership development and customer engagement.

    • Originally, the role of CISO was mostly concerned with compliance.

    • A company's data that resides outside its buildings must be secured and protected just the same.

    • What the other C-level executives want from a CISO is a concrete assessment of information risk and value.

    • When these breaches become the target of government regulators, the result is huge fines.

    • Shadow IT is when departments or individuals go outside corporate policy and spin up their own applications, use unapproved or uncoordinated SaaS services, or otherwise let key information assets be stored outside the company's control.

    • Losing control of customers' personally identifiable information results in the loss of customer trust and lasting damage to brand reputation.

    • In a typical company today, information assets are scattered all over the place.

    • A CFO's responsibility is to manage financial risk, and that covers all the information and data in the company.

    • Being trustworthy with customer data is now part of building brand loyalty.

    • A CFO is just as responsible for the financial risk to intangible assets (intellectual property, trade secrets, manufacturing methods, customer information) as for any other asset.

    • Looking into the past, a CFO produces reporting on the company's prior financial performance.

    • Because it draws information from every corner of the business, a company's Enterprise Resource Planning (ERP) system needs accurate and trustworthy information to help the CFO understand the present and plan for the future.

    • If a CFO's reports are not accurate, the consequences range from having to restate the data to being found in violation of financial regulations.

    • A CFO relies on access to good information to forecast what will happen to the company.

    • The primary responsibility of a CFO is to manage the finances and the financial risks of the company.

    • Cyber threats pose one of the greatest risks to the financial value of a company's information assets.

    • In new business initiatives, product launches or new service offerings, the CFO's role is to analyze the financial impact.

    • If you get an unsolicited email from an otherwise trusted source telling you to click a link, open a browser or the app manually and log in to their website to investigate, rather than clicking the link.

    • Two-factor authentication combines "something you know" with "something you have".

    • Keeping old, unsupported operating systems in use is risky because many cyber attacks exploit unpatched vulnerabilities.

    • Setting up regular backups in advance helps protect data from corruption by malware.

    • Use a different password for each system and website.

    • A password manager can "remember" all your passwords for you.

    • To stop spammers from learning that you have seen one of their emails, set your email client not to download images in messages automatically.

    • Do not open attachments on unsolicited emails.

    • Reusing one password everywhere means that if attackers break that one password, they have the password for all of your systems and websites.

    • Change passwords on a regular basis (the course's recommendation; current NIST SP 800-63B guidance is to force a change only on suspected compromise).

    • SaaS means Software as a Service.

    • Cloud computing is the practice of using a network of remote servers hosted on the internet to store, manage and process data, rather than a local server or a personal computer.

    • Google Cloud, Azure and AWS are the cloud vendors the Fortinet Security Fabric integrates with.

    • The reason organizations moved from traditional network architecture to the cloud was cost: renting capacity only when needed instead of owning expensive, partially utilized hardware.

    • Virtualization is the technology that made cloud computing possible.

    • When a customer's data and services move to the cloud, the customer ultimately remains responsible for security.

    • Native cloud security tools provide basic security; the potential problem with relying on them alone is that customers are often unaware of their limitations.

    • Attributes of an MPLS network:
      • Data packets are assigned a label, and each label is associated with a pre-determined path through the network.
      • The data center is the only conduit to the internet.

    • Weaknesses of SD-WAN:
      • Multiple access points to the internet expose the network to more points of attack.
      • There is no built-in defense against advanced cyber attacks.

    • The traditional network supporting multiple geographic locations used dedicated high-speed lines between HQ and its branches; the data line was not shared with other organizations.

    • Scalability was the major weakness of the traditional network that MPLS solved.

    • FortiGate is the Fortinet product that provides both SD-WAN and NGFW security.

    • The principal architectural difference between MPLS and SD-WAN as it affects latency: in an MPLS network only the data center has direct internet access, while an SD-WAN network has multiple access points.

    • With the rise of the Internet, the rate at which new malware variants appear increased tremendously.

    • The early endpoint security products were known as anti-virus software.

    • Smartphones, laptops and IoT devices are all endpoint devices.

    • To be effective today, endpoint solutions must go beyond simple signature comparison.

    • Modern endpoint solutions must identify both known and unknown threats.

    • Early antivirus products detected malware by comparing a file's signature against a list of known virus signatures.

    • Why endpoint security matters:
      • Endpoints hold valuable data.
      • Endpoints can be a way to reach other important data and devices on the network.

    • FortiGuard Labs is Fortinet's threat intelligence service.

    • Sandboxing was created to detect unknown threats that, for example, do not appear in lists of known malware signatures.

    • Beyond sandboxing, vendors' threat intelligence services are developing Artificial Intelligence (AI) and Machine Learning technologies.

    • When malware authors began producing malware that morphs into different forms, one-to-one signature matching no longer worked.
  • Lab:

    Palo Alto 1:

    1. WAN interfaces and management access:
      Network > Interfaces > Ethernet > ethernet1/1 (repeat for ethernet1/2 with its own address; the ping test in step 2 uses x.246.236.100) >
       - Interface Type: Layer3
       - Virtual Router: default
       - IPv4 > Static > x.223.40.139/24
       - Advanced > Management Profile > Add > Name: mgmt, tick HTTPS, Ping, SSH
         (this opens the web UI and SSH on an internet-facing interface; outside a lab, restrict the profile's Permitted IP Addresses or keep management on the MGT port)

      Delete the default Virtual Wire first: the factory config binds ethernet1/1 and ethernet1/2 to a vwire, and an interface cannot change type while it belongs to one.

      Network > Zones > Add >
       - Name: WAN
       - Type: layer3
       - Interfaces: ethernet1/1, ethernet1/2

      Commit

    2. Default route:
      Network > Virtual Routers > default > Static Routes > Add >
       - Name: WAN1
       - Destination: 0.0.0.0/0
       - Interface: ethernet1/1
       - Next Hop: IP Address: x.223.40.254
       - Metric: works like a router cost; the lower value wins

      Verify from the CLI over SSH, sourcing the ping from each WAN address:
      > ping source x.223.40.139 host 8.8.8.8
      > ping source x.246.236.100 host 8.8.8.8

      Change the admin password:
      Device > Administrators

    3. LAN sub-interface:
      Network > Interfaces > Ethernet > ethernet1/3 >
       - Interface Type: Layer3
       - Virtual Router: default

      Network > Network Profiles > Interface Mgmt > Add >
       - Name: Lan
       - Tick: Ping, HTTPS

      Select ethernet1/3 > Add Subinterface >
       - Interface Name: ethernet1/3.40
       - Tag: 40
       - Virtual Router: default
       - IPv4 > Static > 192.168.4.254/24
       - Advanced > Management Profile: Lan

      Network > Zones > Add >
       - Name: EN
       - Type: Layer3
       - Interfaces: ethernet1/3.40

      Network > DHCP > DHCP Server > Add >
       - Interface: ethernet1/3.40
       - Mode: auto
       - IP Pools: 192.168.4.100-192.168.4.200
       - Options >
         - Gateway: 192.168.4.254
         - Subnet Mask: 255.255.255.0
         - Primary DNS: 8.8.8.8
         - Secondary DNS: 8.8.4.4

    4. Return route for the LAN:
      An interface can belong to only one virtual router, and a virtual router installs a connected route for every interface assigned to it. If ethernet1/3.40 is already in the default virtual router, skip to step 5. Otherwise remove it from the other virtual router first (or add a static route there), then add:
      Network > Virtual Routers > default > Static Routes > Add >
       - Name: 4
       - Destination: 192.168.4.0/24
       - Interface: ethernet1/3.40
       - Next Hop: None

    5. NAT:
      Objects > Addresses > Add >
       - Name: EN
       - Type: IP Netmask, 192.168.4.0/24

      Policies > NAT > Add >
       - Name: internet
       - Original Packet >
         - Source Zone: EN
         - Destination Zone: WAN
         - Source Address: EN
       - Translated Packet >
         - Translation Type: Dynamic IP And Port
         - Address Type: Interface Address
         - Interface: ethernet1/1 (WAN)
         - IP Address: x.223.40.139

    6. Policy Based Forwarding (PBF):
      To send traffic to the internet via WAN2 and monitor both WAN links (see the dual-ISP PBF use case linked above):
      Policies > Policy Based Forwarding > Add >
       - Name: internet

    7. Security policy:
      Policies > Security > Add >
       - Name: Internet
       - Source: Any
       - Destination Zone: any
       - Service: any
       - Action: Allow
         (an allow-anything rule, WAN to EN included; once traffic flows, tighten it to Source Zone EN, Destination Zone WAN, Service application-default)

      Block rule, placed ABOVE Internet (the rulebase is evaluated top-down and the first match wins, so a block below an allow-any never fires):
       - Name: Block
       - Source Zone: EN
       - Destination Zone: any
       - Application: facebook, youtube
       - Service: any
       - URL Category: adult (check how a site is categorized at https://urlfiltering.paloaltonetworks.com)
       - Action: Deny
         Caveat: all match fields within one rule are ANDed, so this single rule denies only facebook/youtube traffic that is also categorized adult. To block both independently, use two rules: Application facebook, youtube with URL Category any, and URL Category adult with Application any.
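
    The following is an added example, not Palo Alto Networks code or part of the original lab: a small model of how PAN-OS evaluates a Security rulebase (top-down, first match, then the intrazone-default allow and interzone-default deny) so the step 7 rulebase can be checked before commit. It puts the Block rule as written in the lab beside a split version and runs constructed flows through both; the zone names, applications and URL categories are the lab's, and 'app' / 'url_category' stand for what App-ID and URL Filtering would report for a session.

    ```python
    """Model of PAN-OS Security policy evaluation for the lab rulebase.

    Added example, not Palo Alto Networks code. It reproduces only the ordering
    semantics (top-down, first match, then the built-in intrazone-default allow /
    interzone-default deny). Flows are constructed; 'app' and 'url_category'
    stand for what App-ID and URL Filtering would report for the session."""
    from dataclasses import dataclass

    ANY = frozenset({"any"})


    @dataclass
    class Rule:
        name: str
        action: str                       # "allow" or "deny"
        from_zones: frozenset = ANY
        to_zones: frozenset = ANY
        apps: frozenset = ANY
        url_categories: frozenset = ANY

        def matches(self, flow):
            """All match criteria of one rule are ANDed, exactly as on the firewall."""
            def hit(allowed, value):
                return allowed == ANY or value in allowed
            return (hit(self.from_zones, flow["from_zone"])
                    and hit(self.to_zones, flow["to_zone"])
                    and hit(self.apps, flow["app"])
                    and hit(self.url_categories, flow["url_category"]))


    def evaluate(rulebase, flow):
        """Return (rule name, action). The first matching rule wins; if nothing
        matches, the default rules do: same zone -> intrazone-default allow,
        different zones -> interzone-default deny."""
        for rule in rulebase:
            if rule.matches(flow):
                return rule.name, rule.action
        if flow["from_zone"] == flow["to_zone"]:
            return "intrazone-default", "allow"
        return "interzone-default", "deny"


    # Step 7 as written: one Block rule carrying BOTH the application list and the
    # URL category, above the allow-anything Internet rule.
    AS_CONFIGURED = [
        Rule("Block", "deny", from_zones=frozenset({"EN"}),
             apps=frozenset({"facebook", "youtube"}),
             url_categories=frozenset({"adult"})),
        Rule("Internet", "allow"),
    ]

    # Corrected: each criterion in its own rule so either denies on its own, and
    # the allow rule limited to EN -> WAN.
    SPLIT = [
        Rule("Block-apps", "deny", from_zones=frozenset({"EN"}),
             apps=frozenset({"facebook", "youtube"})),
        Rule("Block-adult", "deny", from_zones=frozenset({"EN"}),
             url_categories=frozenset({"adult"})),
        Rule("Internet", "allow", from_zones=frozenset({"EN"}),
             to_zones=frozenset({"WAN"})),
    ]

    # Constructed flows.
    FACEBOOK = {"from_zone": "EN", "to_zone": "WAN", "app": "facebook",
                "url_category": "social-networking"}
    ADULT_SITE = {"from_zone": "EN", "to_zone": "WAN", "app": "web-browsing",
                  "url_category": "adult"}
    LAN_TO_LAN = {"from_zone": "EN", "to_zone": "EN", "app": "ssh",
                  "url_category": "unknown"}
    INBOUND = {"from_zone": "WAN", "to_zone": "EN", "app": "ssh",
               "url_category": "unknown"}

    if __name__ == "__main__":
        for name, rb in (("as configured", AS_CONFIGURED), ("split", SPLIT)):
            for label, flow in (("facebook", FACEBOOK), ("adult site", ADULT_SITE),
                                ("LAN to LAN", LAN_TO_LAN), ("inbound", INBOUND)):
                print(f"{name:14} {label:12} -> {evaluate(rb, flow)}")
    ```

    Run as configured, the facebook and adult-site flows both fall through to Internet and are allowed, and so is the inbound WAN-to-EN flow; with the split rulebase the two blocks fire and the inbound flow lands on interzone-default deny.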


    Cr: ProEn
    • Vendors do share threat information with one another, because it is not the threat information that sets vendors apart but what they can do with it.

    • A threat intelligence service catalogs knowledge about existing or emerging attacks, including the specific mechanisms of the attack and the evidence that the attack has happened; that evidence is known as Indicators of Compromise (IoCs).

    • Along with firewalls, most networks rely on a set of network services to function properly or to provide different types of network security functions; DHCP, endpoint control and anti-virus are examples.

    • In network security, the purpose of a firewall is to control the flow of network traffic.

    • Second-generation (stateful) firewalls added functionality: they observe network connections over time and continuously examine the conversation between endpoints.

    • FortiGate is the name of Fortinet's range of firewall devices.

    • Third-generation firewalls provide application-layer filtering because they understand the different protocols, which previous generations did not.

    • FortiGuard Labs works closely with FortiGate firewall products to provide the highest level of network security.

    • When early packet-filter firewalls saw a packet that did not comply with their rules, they either blocked the packet and sent a message to the sender or silently dropped it.

    • NAC stands for Network Access Control.

    • Why the FortiNAC solution matters:
      • FortiNAC has complete visibility into the network.
      • FortiNAC is integrated into the security framework.
      • FortiNAC can profile headless devices that cannot run an agent.

    • BYOD (Bring Your Own Device) is the practice of allowing employees to use their own computers, smartphones or other devices for work.

    • BYOD and IoT devices connecting to the network are business needs that were recently introduced into network security.

    • One shortcoming of NAC solutions is that some under-perform in wired environments, creating a security gap.

    • When NAC is introduced, one of its first tasks is to profile all connected devices.

    • A "zero-day attack" exploits an unknown deficiency in code.

    • Business problems FortiSandbox tries to solve:
      • Malicious code designed to exploit a specific weakness in an OS or application.
      • Between security and performance, businesses often choose performance.

    • The purpose of a sandbox is to observe the activity of unknown code in a quarantined environment.

    • Problems network security had before the sandbox:
      • Security products did not communicate with other security devices on the network.
      • They could not handle a coordinated attack using different threat vectors and methods.

    • Why the sandbox was added to network security:
      • Unknown threats needed to be quarantined.
      • Firewalls and AVs were helpless against unknown threats.

    • Sandbox characteristics:
      • If something unexpected or destructive happens, it affects only the sandbox.
      • The sandbox confines the actions of the code to the sandbox device, isolated from the rest of the network.

    • If the sandbox detects that code has malicious intent, the code can be expunged.

    • Data Leak Prevention (DLP) can be added to a Secure Email Gateway.

    • Why the Sender Policy Framework (SPF) should be deployed:
      • SPF is an email authentication method that detects bogus sender addresses and emails.
      • SPF secures the network by strengthening the authentication method.
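
    How SPF actually "detects bogus sender addresses": the receiving gateway looks up the sender domain's SPF record and checks whether the connecting IP is one the domain owner listed. The following is an added example, not Fortinet code or part of the course: an offline evaluator for the ip4:/ip6: mechanisms and the 'all' catch-all of a constructed record. A real check (RFC 7208) also resolves include:/a:/mx: mechanisms over DNS, which this version deliberately skips.

    ```python
    """Evaluating a sender IP against an SPF record.

    Added example, not Fortinet code. A full SPF check (RFC 7208) fetches the
    domain's TXT record and resolves include:/a:/mx: mechanisms over DNS; this
    offline version evaluates the ip4:/ip6: mechanisms and the 'all' catch-all of
    a record you already hold. The record and addresses are constructed."""
    import ipaddress

    # Constructed: what a TXT lookup for example.com might return.
    EXAMPLE_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:abcd::/48 -all"

    QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


    def check_spf(record: str, sender_ip: str) -> str:
        """Return one of pass / fail / softfail / neutral / none / permerror."""
        terms = record.split()
        if not terms or terms[0].lower() != "v=spf1":
            return "none"  # not an SPF record at all
        ip = ipaddress.ip_address(sender_ip)
        for term in terms[1:]:
            if "=" in term:
                continue  # modifier (redirect=, exp=): needs DNS, skipped offline
            qualifier = "+"  # a mechanism without a qualifier means pass
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            name, _, arg = term.partition(":")
            name = name.lower()
            if name == "all":
                return QUALIFIERS[qualifier]  # catch-all decides everything unmatched
            if name in ("ip4", "ip6"):
                try:
                    net = ipaddress.ip_network(arg, strict=False)
                except ValueError:
                    return "permerror"  # syntactically broken record
                if ip.version == net.version and ip in net:
                    return QUALIFIERS[qualifier]
            elif name in ("a", "mx", "include", "exists", "ptr"):
                continue  # DNS-dependent mechanisms are out of scope offline
            else:
                return "permerror"  # unknown mechanism
        return "neutral"  # end of record with no 'all' mechanism


    if __name__ == "__main__":
        # A message claiming to be from example.com arriving from an unlisted host.
        print(check_spf(EXAMPLE_RECORD, "198.51.100.9"))   # fail
        print(check_spf(EXAMPLE_RECORD, "203.0.113.25"))   # pass
    ```

    The result feeds the gateway's policy: with "-all" a mismatch is a hard fail the SEG can reject on, while "~all" only yields softfail, which is normally treated as one signal among others (DKIM, DMARC, reputation) rather than a reason to reject.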

    • Spam filters identify certain words or patterns in the headers or bodies of the messages in order to validate the email content.

    • Phishing is Practice of tricking unsuspecting people to reveal sensitive information or to extract money.

    • The characteristics of FortiMail:
      • FortiMail integrates with firewalls and sandboxing solutions.
      • FortiMail is a Secure Email Gateway (SEG).

    • The benefits of FortiMail integration are FortiMail can be integrated with edge and segmentation firewalls.

    • The benefits of FortiMail are:
      • FortiMail deploys anti-virus scanners.
      • FortiMail integrates with firewalls and sandboxing solutions.
      • FortiMail adds threat emulation and sandboxing.

    • SIEM is Security Information and Event Management.

    • The Fortinet's SIEM product is FortiSIEM.

    • SIEM evolved from an information platform to a threat intelligence center to a fully integrated and automated center for security and network operations.

    • Tasks technology needs to do to satisfy compliance requirements:
      • Monitor, correlate, and notify events in real-time.
      • Aggregate logs from many network sources.
      • Store log data for a length of time to satisfy auditing requirements.

    • The problems that SIEM solves:
      • Cyber-attacks have become more sophisticated and stealthy.
      • Security teams fail to discover breaches until months after it had occurred.
      • The technology was complex and difficult to tune; it was difficult to identify attacks; and it demanded a high-level of skill on the part of the professional.

    • The requirements that SIEM grew out of:
      • To measure and prove compliance to various legislation.
      • To contend with the flood of alerts issued from IPSs and IDSs.

    • PCI, HIPAA, and GDPR Regulatory standards and acts businesses, hospitals, and other organizations must comply with.

    • FortiSandbox and FortiGate can be integrated with FortiWeb.

    • An application white list is A list of legitimate web applications.

    • A Web Application Firewall does monitors and blocks HTTP traffic to and from a web application.

    • The precursor to the Web Application Firewall was Application Firewall.

    • How does machine learning help to make modern Web Application Firewalls more effective:
      • They can adapt to the ever-changing attributes of the threat.
      • Behaviour analysis can be done at machine speeds.

    • Web Application Firewalls do that traditional edge firewalls do not:
      • Maintain a blacklist of dangerous web applications.
      • Create whitelist of applications over time.

    • Signature-based detection alone can generate many false positives is the signature-based approach of defense obsolete when considering Web Application Firewalls.

    • To protect children from accessing inappropriate content was the initial motivation for Web Filtering.

    • FortiClient, FortiAP, and FortiGate products has Fortinet integrated Web Filters into.

    • Web Filters consult a URL database that lists websites and domains that are known to host harmful tools is a typical method used by them to block web sites.

    • Web Filters use a set of rules to determine which web sites are blocked. The company or individual installing the application sets the rules in place.

    • Customers need Web Filters to prevent users from accessing websites that contain malware and objectionable content.

    • What a Web Filter does:
      • Examines incoming web pages to determine if some or all of the content should be blocked.
      • Makes decisions based on rules set in place by the company.

    • Wi-Fi is a technology for radio wireless local area networking.

    • We need wireless security to prevent eavesdropping by bad actors.

    • WPA stands for Wi-Fi Protected Access.

    • Connection to a Wireless Access Point is required to enable a Wi-Fi connection from an end-user's device.

    • Wi-Fi is based on the IEEE 802.11 standard.

    • 1988 was the year we saw the rise of the first Wireless Local Area Network.

    • EMS is used to deploy, automatically provision, and manage the FortiClient endpoint product.

    • Endpoint Protection, Advanced Threat Protection, Secure Remote Access, and Fabric Agent are the four elements of FortiClient's security stack.

    • The additional Endpoint Telemetry & Compliance license is required to gain endpoint visibility and enforce compliance on the network.

    • The conclusion that endpoints remain the targets of attacks should be drawn when 44% of companies admit to having their endpoints compromised, 30% of those breaches included the installation of malware, and 16% were ransomware.

    • FortiClient includes an SSL/IPsec VPN client with built-in support for two-factor authentication and single sign-on.

    • FortiClient integrates with the Fortinet Security Fabric security platform to increase visibility and compliance control.

    • FortiClient is a strong competitor due to these factors:
      • Automatic remediation
      • Integration with the Security Fabric
      • Built-in VPN with two-factor authentication and single sign-on

    • The FortiClient product is a unified endpoint security client that is integrated with the Security Fabric and automates remediation.

    • FortiClient supports the Windows, Mac OS, Linux, iOS, and Android platforms and is managed by the Enterprise Management Server (EMS) product.

    • In addition to quarantining malicious files, submitting objects to FortiSandbox for analysis, and applying patches, FortiClient can automate the quarantining of entire suspicious or compromised endpoints by integrating with the Security Fabric.

    • Industry analyst groups have identified these main endpoint security gaps:
      • Attacks are moving faster than ever.
      • There is a lack of visibility to the endpoints that are connecting to the network.
      • Unpatched vulnerabilities are an issue.

    • The Software Inventory FortiClient feature gives an administrator visibility into which software is installed on the endpoint.

    • The word Modular best describes the overall architecture of FortiClient.

    • With the endpoint telemetry and compliance licenses applied, FortiClient can register with FortiGate and FortiAnalyzer devices to enforce compliance and share telemetry data with the Security Fabric.

    • FortiGate 5000 and 7000 series are chassis-based.

    • The vendor Fortinet has, by far, the highest number of third-party validations and certifications.

    • Modularity, future growth, high throughput, and reliability are the reasons why customers choose chassis firewalls.

    • Six different hardware configuration combinations are available for the FortiGate 7040E.

    • The FortiGate 5144C chassis firewall is ideally suited for carrier environments as well as large enterprise network environments.

    • A customer is experiencing rapid growth and wants to define SLAs based on the WAN operating costs and the business importance of an application. The FortiGate feature that supports these requirements is automated WAN path control with granular application transaction SLA.

    • The FortiManager feature that simplifies security and extends centralized management is an integrated NOC and SOC view, so that networking and security alerts are in one place.

    • Businesses are undergoing a profound digital transformation. This business trend looks like greater leasing of Software as a Service and other services in the public cloud.

    • Business drivers for SD-WAN:
      • Consolidation of branch services
      • Reduced WAN OpEx spending while maintaining high application performance
      • Digital transformation at the enterprise branch

    • Business problems that SD-WAN addresses:
      • Provides lower SaaS latency
      • Provides visibility into applications so that critical business applications can be prioritized
      • Reduces WAN operating costs for distributed enterprises by leveraging less expensive internet connectivity

    • FortiGate SD-WAN:
      • Comes built-in with the FortiGate NGFW.
      • There is no additional cost to activate.
      • Comes preinstalled on the FortiGate NGFW and requires the purchase of a license to activate.

    • The FortiManager device allows you to monitor and manage multiple devices through a "single pane of glass".

    • Fortinet's custom security processor is the component that ensures there is no degradation of VPN performance after SD-WAN is turned on.

    • FortiOS version 5.6 was the first to support the SD-WAN functionality.

    • If a customer were to say, "SSL inspection is very demanding on CPU resources, won't it slow down network traffic?", the best response would be: No, Fortinet's custom-built processors (SPUs) let you turn on this feature without any impact on performance.

    • Key characteristics that differentiate FortiGate SD-WAN from competitors:
      • Zero-touch provisioning makes FortiGate SD-WAN a scalable solution.
      • FortiGate SD-WAN is an integrated single device that has visibility into 3,000+ applications, allowing it to prioritize business-critical traffic.
      • FortiGate security processors deliver the industry's best IPsec VPN and threat protection performance.

    • Poor cloud application performance, because branch traffic must be back-hauled through the data center, is one of the weaknesses of traditional networks that frustrate this digital transformation.

    • Good qualifying questions to ask a customer to gauge their SD-WAN requirements:
      • How is your current WAN infrastructure configured to handle increasing branch traffic?
      • What digital transformation initiatives have you implemented?

    • SD-WAN allows enterprises greater visibility into applications. This means the type of application can be identified to ensure that business-critical applications have priority over less important applications when connecting to the internet.

    • The SSL inspection and Sandboxing security features in the Fortinet NGFW prevent unknown and advanced sophisticated threats.

    • CISSP CISA CISM: in-depth analysis, cert versus cert; people in the assurance field and anyone interested in taking the exams should read this!!:
      www.acinfotec.com/2017/03/27/cissp-cisa-cism-cert-comparison

    • www.quora.com/Which-is-easy-CISM-or-CISSP

    Introduction to Ethical Hacking:

    The Internet is an integral part of business and personal life
    - What Happens Online in 60 Seconds

    www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html

    How to set up cybersecurity so that it really protects:
    www.optimus.co.th/Training/OPT-TR-0315

  • Foundations of EC-council and CEH (Certified Ethical Hacker):
    www.eccouncil.org/about

    The Importance of Ethics:
    www.eccouncil.org/code-of-ethics
    cert.eccouncil.org/code-of-ethics.html

    Getting Certified:
    www.eccouncil.org/programs/certified-ethical-hacker-ceh

    Exam Topics/Blue Print:
    cert.eccouncil.org/certified-ethical-hacker.html

    Getting permission from the owner is the most important aspect of scoping when it comes to security testing.
    Without permission, testing is unethical and potentially illegal.

    EC-Council was created to ensure that certified security professionals had a minimum level of knowledge.

    There is no set passing score for the CEH.
    The passing score varies from one test to the next.

    The purpose of ethical hacking is to improve the overall security posture of companies/organizations by pointing out flaws in their technical controls before they can be exploited.

    EC-Council requires you to have 2 years of experience before you can attempt the exam if you don't take the boot-camp training.

    Background:

    The CIA Triad:
    One of the components of INFOSEC (Information Security); the name comes from Confidentiality (keeping data secret), Integrity (the genuineness of data), and Availability (the system being usable). It is something every Security Professional must know and be able to explain.

    Essential foundations for an 'Information Security Professional':
    www.acisonline.net/?p=1340

    Data Communication and Networks - Computer & Network Topology:
    edu.bsru.ac.th/images/204/1211206/Chapter2.pdf

    Communications Models:

    Let's get to know the 7 layers of the OSI Model !!:
    netprime-system.com/osi-model-7-layers

    en.wikipedia.org/wiki/Internet_protocol_suite

    What are Ethernet, IP, and TCP Headers in Wireshark Captures:
    networkstatic.net/what-are-ethernet-ip-and-tcp-headers-in-wireshark-captures

    Techniques for calculating IP addresses:
    www.jodoi.com/book/book_technic_cal_IP.pdf

    We have been given an IP address block, 192.168.15.0/24, and need to create subnets that can support as many as 25 hosts. 8 networks can be created, and the CIDR notation for each of those networks is /27: 192.168.15.0-31, 192.168.86.32-63, 192.168.15.64-95,
    192.168.15.96-127, 192.168.15.128-159, 192.168.15.160-191,
    192.168.15.192-223, 192.168.15.224-255.
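    As an added worked example (not from the original notes), the Python below computes the subnet size and block list for the exercise above with the standard library's ipaddress module; the block and host count are the ones stated on the page, and the function generalizes to any block and host requirement.

```python
import ipaddress
from typing import List, Tuple


def prefix_for_hosts(hosts_needed: int, start_prefix: int = 24) -> int:
    """Return the longest IPv4 prefix whose subnets still hold `hosts_needed` usable hosts.

    Usable hosts in a subnet = 2**(32 - prefix) - 2, because the network and
    broadcast addresses are reserved. We keep shrinking the subnet (lengthening
    the prefix) while the next smaller size would still fit the requirement.
    """
    prefix = start_prefix
    while prefix < 30 and (2 ** (32 - (prefix + 1)) - 2) >= hosts_needed:
        prefix += 1
    return prefix


def split_block(block: str, hosts_needed: int) -> Tuple[int, List[ipaddress.IPv4Network]]:
    """Split `block` (CIDR string) into equal subnets that each fit `hosts_needed` hosts."""
    net = ipaddress.ip_network(block, strict=True)
    if (2 ** (32 - net.prefixlen) - 2) < hosts_needed:
        raise ValueError(f"{block} cannot hold {hosts_needed} hosts in a single subnet")
    prefix = prefix_for_hosts(hosts_needed, net.prefixlen)
    return prefix, list(net.subnets(new_prefix=prefix))


def describe(subnet: ipaddress.IPv4Network) -> str:
    """Render a subnet as 'network-broadcast' plus its usable host range."""
    hosts = list(subnet.hosts())
    return (f"{subnet.network_address}-{subnet.broadcast_address} "
            f"(hosts {hosts[0]}..{hosts[-1]}, {len(hosts)} usable)")


if __name__ == "__main__":
    # The exercise from the notes: a /24 that must be cut into subnets of up to 25 hosts.
    new_prefix, subnets = split_block("192.168.15.0/24", 25)
    print(f"/{new_prefix} gives {len(subnets)} subnets:")
    for s in subnets:
        print("  ", describe(s))
```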

    IPv6 Trace Analysis using Wireshark:
    sharkfestus.wireshark.org/sharkfest.13/presentations/PA-13_IPv6-Trace-Analysis-Using-Wireshark_Nalini-Elkins.pdf


    Exploring UDP (User Datagram Protocol):
    maxwellsullivan.wordpress.com/2013/03/12/wireshark-lab-5-exploring-udp

    Exploring TCP (Transmission Control Protocol):
    maxwellsullivan.wordpress.com/2013/03/11/wireshark-lab-4-exploring-tcp
    medium.com/@panupong.simto/คุยเรื่อง-tcp-protocol-แบบ-ยาวไป-ยาวไป-ตอนที่-1-2fa601197076

    What is a Firewall?:

    A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing a private network and/or a single computer


    A firewall:
    • Acts as a security gateway between two networks
    • Tracks and controls network communications - Decides whether to pass, reject, encrypt, or log communications (Access Control)

    Hardware Firewalls:
    • Protect an entire network
    • Implemented on the router level
    • Usually more expensive, harder to configure

    Software Firewalls:
    • Protect a single computer
    • Usually less expensive, easier to configure

    Stages of Evolution of Firewalls:
    Packet Filter > Application Proxy > Stateful Inspection

    Packet Filter:


    • Packets examined at the network layer
    • Useful 'first line' of defense - commonly deployed on routers
    • Simple accept or reject decision model
    • No awareness of higher protocol layers
    • Simplest of components
    • Uses transport-layer information only:
      • IP Source Address, Destination Address
      • Protocol/Next Header (TCP, UDP, ICMP, etc.)
      • TCP or UDP source & destination ports
      • TCP Flags (SYN, ACK, FIN, RST, PSH, etc.)
      • ICMP message type
    • Examples:
      • DNS uses port 53 - No incoming port 53 packets except known trusted servers

    How to Configure a Packet Filter:
    • Start with a security policy
    • Specify allowable packets in terms of logical expressions on packet fields
    • Rewrite expressions in syntax supported by your vendor
    • General rules - least privilege
      • All that is not expressly permitted is prohibited
      • If you do not need it, eliminate it

    Packet Filter Configuration:

    Every rule-set is followed by an implicit rule reading like this.

  • Suppose we want to allow inbound mail (SMTP, port 25) but only to our gateway machine. Also suppose that mail from some particular site SPIGOT is to be blocked.


    Example 2:
    Now suppose that we want to implement the policy 'any inside host can send mail to the outside'.


    • This solution allows calls from any port on an inside machine, and will direct them to port 25 on an outside machine.
    • So why is it wrong?
    • Our defined restriction is based solely on the destination's port number.
    • With this rule, an enemy can access any internal machine on port 25 from an outside machine.
    • What can be a better solution?


    • The first rule restricts access so that only inside machines can reach outside machines on port 25.
    • In the second rule, the ACK signifies that the packet is part of an ongoing conversation.
      • Packets without ACK are connection establishment messages, which are only permitted from internal hosts by the first rule.
      • With the second rule, outside hosts can send back packets to inside hosts on port 25.
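    An added example, not part of the original course material: a small stateless packet-filter evaluator in Python that runs the page's two rule sets (the destination-port-only rule from Example 2 and the corrected inside/ACK pair) against constructed SMTP traffic. The inside network 10.0.0.0/8 and the host addresses are assumptions chosen for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed assumption: the protected (inside) network is 10.0.0.0/8.
INSIDE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    sport: int    # TCP source port
    dport: int    # TCP destination port
    ack: bool     # TCP ACK flag set, i.e. part of an established conversation


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # "inside", "outside" or "any"
    dst: str                     # "inside", "outside" or "any"
    sport: Optional[int] = None  # None = any source port
    dport: Optional[int] = None  # None = any destination port
    ack_required: bool = False   # match only packets that carry ACK


def side(addr: str) -> str:
    return "inside" if ipaddress.ip_address(addr) in INSIDE else "outside"


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src != "any" and rule.src != side(pkt.src):
        return False
    if rule.dst != "any" and rule.dst != side(pkt.dst):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.ack_required and not pkt.ack:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; the implicit final rule denies everything else."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Example 2 from the notes: the only check is "destination port 25".
NAIVE = [Rule("permit", "any", "any", dport=25)]

# Corrected rule set: inside hosts may open SMTP connections outward; outside
# hosts may only send packets back from port 25 when ACK is set, so a packet
# without ACK (a connection attempt) from outside never matches.
BETTER = [
    Rule("permit", "inside", "outside", dport=25),
    Rule("permit", "outside", "inside", sport=25, ack_required=True),
]

# Constructed hosts for the demo.
OUTSIDE_HOST = "203.0.113.5"
INSIDE_CLIENT = "10.0.0.7"
INSIDE_SERVER = "10.0.0.25"


def outbound_smtp_syn() -> Packet:
    """Inside client opens an SMTP connection to an outside mail server."""
    return Packet(INSIDE_CLIENT, OUTSIDE_HOST, 51000, 25, ack=False)


def outbound_smtp_reply() -> Packet:
    """The outside mail server answers that connection (ACK set)."""
    return Packet(OUTSIDE_HOST, INSIDE_CLIENT, 25, 51000, ack=True)


def outside_connects_inside_25() -> Packet:
    """An outside host tries to open port 25 on an inside machine (no ACK)."""
    return Packet(OUTSIDE_HOST, INSIDE_SERVER, 44444, 25, ack=False)


if __name__ == "__main__":
    cases = [("inside -> outside:25 SYN", outbound_smtp_syn()),
             ("outside:25 -> inside reply", outbound_smtp_reply()),
             ("outside -> inside:25 SYN", outside_connects_inside_25())]
    for name, pkt in cases:
        print(f"{name:28s} naive={evaluate(NAIVE, pkt):6s} better={evaluate(BETTER, pkt)}")
```

    The evaluator is stateless: it judges each packet on its own header fields, which is exactly the limitation that stateful inspection (below) removes by keeping a connection table.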

    Application Gateway or Proxy:
    • Packets examined at the application layer
    • Application/Content filtering possible - prevent FTP 'put' commands, for example
    • Modest performance
    • Scalability limited

    Stateful Inspection:
    • Packets inspected between the data link layer and the network layer in the OS kernel
    • State tables are created to maintain connection context
    • Invented by Check Point

    Network Address Translation (NAT):

    • Converts a network's illegal IP addresses to legal or public IP addresses
      • Hides the true addresses of individual hosts, protecting them from attack
      • Allows more devices to be connected to the network

    Firewall Deployment:
    • Corporate Network Gateway
    • Internal Segment Gateway
      • Protect sensitive segment (Finance, HR, Product Development)
      • Provide second layer of defense
      • Ensure protection against internal attacks and misuse

    What is a VPN?:
    • A VPN is a private connection over an open network
    • A VPN includes authentication and encryption to protect data integrity and confidentiality

    Types of VPNs:
    1. Remote Access VPN:
      • Provides access to internal corporate network over the Internet
      • Reduces long distance, modem bank, and technical support costs
      • PAP, CHAP, RADIUS

    2. Site-to-Site VPN:
      • Connects multiple offices over Internet
      • Reduces dependencies on frame relay and leased lines

    3. Extranet VPN:
      • Provides business partners access to critical information (leads, sales tools, etc)
      • Reduces transaction and operational costs

    4. Client/Server VPN: Protects sensitive internal communications

    medium.com/@kongruksiamza/เกร็ดความรู้-it-ตอนที่-6-ทำความรู้จักกับการเจาะระบบ-ฉบับบ้านๆ-5b524ec5a58e
  • White Hat Hacking for Security:

    Networking:

    Basic Networking:

    Types of networks: PAN, MAN, WAN, LAN:
    sites.google.com/site/natpornpimon54/2-1-pra-pheth-khxng-kherux-khay-pan-man-wan-lan

    The Encapsulation and De-encapsulation steps:
    www.mindphp.com/บทความ/31-ความรู้ทั่วไป/7115-encapsulation-process.html

    en.wikipedia.org/wiki/Internet_of_things

    Cryptocurrency: The digital coin

    www.digitalattackmap.com

    Cyber-crime and Hacktivism on the Rise

    www.i-secure.co.th/2020/06/threat-information-maze-ransomware

    Domain 5 / The cyber world and human security:
    rittee1834.blogspot.com/2013/12/blog-post.html

    resources.infosecinstitute.com/overview-of-the-cyberseek-cybersecurity-career-pathway

    medium.com/taptuit/what-is-devops-fb3d044ef659


    Python 1 - First steps into Data Science with Python Basics:
    Basic Syntax:

    1. print('Hello Python')
      =>
      Hello Python

    2. ' & ":
      print('สวัสดี python') or print("สวัสดี python")
      =>
      สวัสดี python

    3. +, -, *, /:
      Putting # at the start of a line turns that line into a comment
      # Comment 1
      print(5+5)

      # Comment 2
      print(294/2.8)
      =>
      10
      105.0

    4. % => remainder of a division:
      print(15%4)
      print(350%17)
      =>
      3
      10

    5. Variables:
      user_name='โค้ดคิท'
      course='python'
      print(user_name)
      print(course)
      =>
      โค้ดคิท
      python

    6. Assigning values to variables:
      x = 3
      print(x)
      x = x + 10
      print(x)
      x += 5
      print(x)
      =>
      3
      13
      18

    7. Changing data types:
      age = 24
      print('ฉันอายุ '+ str(age) +' ปี')
      count = '5'
      print(int(count)+1)
      =>
      ฉันอายุ 24 ปี
      6

    8. Decimal numbers:
      weight = "78.3"
      print(float(weight)*2)
      =>
      156.6

    Cr: codekit.co

    progate.com/languages/commandline


    Red-Team Role and Responsibility:
    Terminology:
    • Penetration Tester
    • Technical Risk Advisory
    • Tiger Team
    • Red-Team

    What is Red-Team:
    • A Red or Purple Team is a group of highly skilled Penetration Testers who are called in (to create an incident) by an organization to test its defenses and improve their effectiveness. Basically, it is a way of using strategies, systems, and methodology to simulate real-world scenarios.
    What is the difference between "Penetration Testing" and "Red-Team":
    • Pen-Test finds the vulnerability; Red-Team uses the vulnerability

    How to become Red-Team:
    Knowledge Required:
    • Windows, UNIX, and Linux operating systems
    • C, C++, C#, Java, ASM, PHP, PERL, Python
    • Network servers and networking tools (e.g. Nessus, nmap, Burp, etc.)
    • Computer hardware and software systems
    • Web-based applications
    • Security tools and products (Fortify, AppScan, etc.)
    • Vulnerability analysis and reverse engineering
    • Software Exploitation
    • Password Cracking

    Red-Team Skill-set:
    • Think outside the box - e.g. using Google, a sense for password guessing, the company's password format, etc.
    • Deep knowledge of systems
    • Software development
    • Penetration testing
    • Social engineering - e.g. requesting a password reset for the attacked user; see films such as Ocean's, The Italian Job, Catch Me If You Can, etc.
    www.hackingarticles.in/guide-to-red-team-operations

    Red-Team Certification:
    Theory:
    • SANS: GPEN, GXPN (not easy)
    • C|EH
    • CompTIA Pentest+
    Practical:
    • OSCP - hands-on hacking, including a detailed report > OSCE
    • EC-Council: C|EH Practical > L|PT

    CTF Competitions: ctftime.org/ctfs - to practice mindset

    Real World Penetration Testing Preparation:
    • www.vulnhub.com
    • ctfs.github.io/resources
    • www.hackthebox.eu
    For White Hat:
    • www.facebook.com/BugBounty
    • hackerone.com/directory/programs

    blog.eccouncil.org/5-penetration-testing-methodologies-and-standards-for-better-roi

    medium.com/@infopulseglobal_9037/guide-to-modern-penetration-testing-part-2-fifty-shades-of-grey-box-95198b8e34c3

    Information Systems Security Assessment Framework (ISSAF):
    (3) e.g. delete backdoor
    (4) Fix > (5) Revisit

    github.com/tanprathan/OWASP-Testing-Checklist

    Pen-test vs Vulnerability assessment:
    www.facebook.com/hackandsecbook/posts/2768384233190263

    MITRE ATT&CK Techniques:
    ATT&CK for Enterprise:
    attack.mitre.org/matrices/enterprise

    www.youtube.com/watch?v=0BEf6s1iu5g

    www.techtalkthai.com/introduction-to-cyber-kill-chain

    Report should have:
    • Executive summary
    • Etc.


    nvd.nist.gov/vuln-metrics/cvss/v3-calculator

    Top 9 Cybersecurity Threats and Vulnerabilities:
    1. Malware
    2. Unpatched Security Vulnerabilities
    3. Hidden Backdoor Programs
    4. Superuser or Admin Account Privileges
    5. Automated Running of Scripts without Malware/Virus Checks
    6. Unknown Security Bugs in Software or Programming Interfaces
    7. Phishing (Social Engineering) Attacks
    8. Your IoT Devices
    9. Your Own Employees
    Cr: SoSeCure
  • The Cybersecurity Framework (CSF), developed by the National Institute of Standards and Technology (NIST), brings together a wide range of best practices to help enterprises define, enforce, and improve their security practices, and provides a common language for communicating the issues that arise between stakeholders effectively
    www.tenable.com/webinars/apac-improving-cyber-security-in-thai-organisations

    Information Gathering is important:

    Defining Footprinting:
    • Footprinting is the blueprint of the security profile of an organization, undertaken in a methodological manner
    • Footprinting is one of the three pre-attack phases
    • An attacker spends 90% of the time in profiling an organization and another 10% in launching the attack
    • Footprinting results in a unique organization profile with respect to networks (Internet/intranet/extranet/wireless) and systems involved

    OSINT (Open-Source Intelligence):
    • Search Engine
    • Deep Web / Darkweb: www.techmoblog.com/what-are-deep-web-and-dark-web
    Domain Harvesting:
    • Domain Whois > contact information, location, mail server brand, own / rent, etc.
    • Public IP Range
    • Domain / Sub-Domain
    Personal Info Harvesting:
    • Email Address
    • Contact Information
    Internet Service:
    • Web Application
    • DNS
    • SMTP
    • Internet Devices

    Unearthing Initial Information:
    • Commonly includes:
      • Domain name lookup
      • Locations
      • Contact (telephone / mail)
    • Information Sources:
      • Open source
      • Whois
      • Nslookup

    • RECORDS
    • SHARED:
      • Name servers

    Satellite Picture of a residence > Google Earth, Google Street View

    images.google.com

    Footprinting Through Job Sites:
    • Can gather a company's infrastructure details from job postings
    • JobsDB

    Types of DNS Records:

    Exchangeable Image File Format (Exif) is a New Security Threat:
    • Most digital cameras
    • EXIF Viewer: http://exif.regex.info/exif.cgi
    • CR2, JPG, etc.
    • Can see which camera, lens, exposure, flash, date, location
    • EXIF location tagging
    • No geolocation in Line, Facebook, Instagram, Messenger, etc.

    • site:go.th inurl:admin|login
    • site:go.th intitle:index.of./admin
    • site:rd.go.th -site:www.rd.go.th -site:rdserver.rd.go.th
    • site:co.th inurl:robots.txt

    www.techtalkthai.com/shodan-monitor-follow-up-exposed-devices

    Information Gathering Tools:

    Dnsenum: ./dnsenum.pl vulnweb.com: trying Zone transfers

    theHarvester:
    • ./theharvester.py -d microsoft.com -l 500 -b google
      Provides the hosts and email addresses
    FOCA - Windows Tool To Find Metadata And Hidden Information, PDF Searching

    SpiderFoot: more than 100 modules, so cool

    Recon-ng


    Google Hacking:

    • Cache : this dork will show you the cached version of any website,
      cache:vulnweb.com

    • Site : will show you the full list of all indexed URLs for the specified domain and subdomain,
      site:vulnweb.com

    • allintext : searches for specific text contained on any web page,
      allintext:vulnweb.com

    • intext : useful to locate pages that contain certain characters or strings inside their text,
      intext:enable password site:vulnweb.com
    • allinurl :  it can be used to fetch results whose URL contains all the specified characters,
      allinurl:vulnweb.com

    • inurl: this is exactly the same as allinurl but it is only useful for one single keyword,
      inurl:admin site:vulnweb.com
      inurl:email site:vulnweb.com
    • link: will show the list of web pages that have links to the specified URL,
      link:vulnweb.com

    • filetype: used to search for a particular file extension; for example, to search for log files you can use:
      filetype:log site:vulnweb.com
    • allintitle: searches for pages whose title contains all of the specified words,
      allintitle:index site:vulnweb.com

    • intitle: used to search for various keywords inside the title, for example
      intitle:index site:vulnweb.com

    • Google Dork : sensitive information under Root directory.
      intitle:"index of" "/000~ROOT~000/"

    • Exposed Redis Passwords found in .env files.
      allintext:"redis_password" ext:env

    • This dork detects all IIS version 8 servers in search engine.
      intitle:"Microsoft Internet Information Services 8" -IIS
    Cr: SoSeCure

  • You will see the data about the host on the left, the list of ports that were found at the top right, and then the individual port details and banners from each port as you go down the page.

    Reconnaissance with theHarvester
    kali@kali:~$ sudo su -
    # cd /etc/theHarvester/
    # theHarvester -d vulnweb.com -v -n -l 500 -b all
    • -d : Domain to search or company name
    • -v : verify host name via dns resolution and search for virtual hosts
    • -n : perform a DNS reverse query on all ranges discovered
    • -l : limit the number of results to work with(bing goes from 50 to 50 results, google 100 to 100, and pgp doesn't use this option)
    • -b : data source: baidu, bing, bingapi, dogpile, google, googleCSE, googleplus, google-profiles, linkedin, pgp, twitter, vhost, virustotal, threatcrowd, crtsh, netcraft, yahoo, all

    If you see "[Errno 2] No such file or directory: 'api-keys.yaml'", upgrade the package:
    apt-get upgrade theharvester


    1. NSLookup and Host are tools that can be used to perform a zone transfer.

    Scanning & Vulnerability Assessment:

    Scanning - Definition:
    • Scanning is one of the three components of intelligence gathering for an attacker
      • The attacker finds information about specific IP addresses, etc.

    Types of Scanning:
    • Port Scanning:
      • A series of messages sent by someone attempting to break into a computer to learn about the computer's network services
      • Each associated with a 'well-known' port number
    • Network Scanning:
      • A procedure for identifying active hosts on a network
    • Vulnerability Scanning

    Nmap for Pentest:
    • Free Download !!
    • Best tool for port scanning
    • Supports GUI mode (Zenmap)
    • Many service enumeration plugins

    tepnetwork.blogspot.com/2010/12/scan-port.html
    • Stealth scan can't be used on Windows

    Ping is a program conceived and written by Mike Muuss, or Michael John Muuss, an American; let's just call him "the father of Ping".

    In July 1983 there was a DARPA meeting in Norway, where David L. Mills (also a legend) talked with and consulted Mike Muuss about problems that were occurring in the system and ways to fix them. Mike Muuss listened and set out to write a program for UNIX to analyze that problem, spending his evenings after work writing it; in December 1983 the prototype Ping program was finished... but the problem had already been fixed before Mike Muuss's Ping could be put to use.

    After that, Mike Muuss kept developing and using the Ping program in his work until it came to be regarded as an indispensable program and was adopted as a standard on UNIX, and... because it was free, Ping spread as a standard to many other systems, all the way to Microsoft Windows 95 and Windows NT... and today it has become a standard that is probably present on every device that needs a network connection.

    Mike Muuss has since passed away, in a car accident on 20 November 2000, a great loss to the technology community (very sad; he was only 42).

    The Ping program at that time had about 1,600 lines of code, written in C. Want to have a look at the Ping code? -> ping.shar
    Cr: ลุง 7

    Service Enumeration:
    • DNS Zone Transfer
    • SNMP Enumeration
    • ...

    Vulnerability Assessment:
    Password Cracking:
    Types of Password Attacks:

    • Passive Online Attack: Wire Sniffing
      • Access and record the raw network traffic

    • Active Online Attack - Password Guessing (easiest, but usually fruitless)
      • Try different passwords until one works
      • Succeeds with:
        • Bad passwords
        • Open authentication points
      • Considerations:
        • Takes a long time
        • Requires huge amounts of network bandwidth
        • Easily detected
        • Core problem: bad passwords

    • Offline Attacks:
      • Time consuming
      • The attacker has the password database
      • LM Hashes are much more vulnerable due to smaller key space and shorter length
      • Web services are available
      • Distributed password cracking techniques are available
      • Mitigations:
        • Use good passwords
        • Remove LM Hashes

    • Non-electronic attacks / social engineering
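    An added example (not from the original notes) showing the "easily detected" point above: this Python snippet parses constructed sshd log lines and flags a source address that accumulates many failed logins, across several usernames, inside a short time window.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Matches OpenSSH "Failed/Accepted password" lines in syslog format.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log: seven failures from one source in 12 seconds, plus a
# legitimate user who mistypes once and then logs in.
SAMPLE_LOG = """\
Jan 12 10:01:01 bastion sshd[2001]: Failed password for invalid user admin from 192.168.100.50 port 51234 ssh2
Jan 12 10:01:03 bastion sshd[2001]: Failed password for invalid user admin from 192.168.100.50 port 51235 ssh2
Jan 12 10:01:05 bastion sshd[2002]: Failed password for root from 192.168.100.50 port 51236 ssh2
Jan 12 10:01:07 bastion sshd[2002]: Failed password for root from 192.168.100.50 port 51237 ssh2
Jan 12 10:01:09 bastion sshd[2003]: Failed password for invalid user test from 192.168.100.50 port 51238 ssh2
Jan 12 10:01:11 bastion sshd[2003]: Failed password for invalid user test from 192.168.100.50 port 51239 ssh2
Jan 12 10:01:13 bastion sshd[2004]: Failed password for root from 192.168.100.50 port 51240 ssh2
Jan 12 10:05:40 bastion sshd[2010]: Failed password for alice from 10.0.0.9 port 40022 ssh2
Jan 12 10:05:52 bastion sshd[2010]: Accepted password for alice from 10.0.0.9 port 40022 ssh2
Jan 12 10:20:00 bastion sshd[2011]: Failed password for alice from 10.0.0.9 port 40030 ssh2
""".splitlines()


def parse_line(line: str, year: int = 2024) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, source_ip), or None for lines we ignore."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one (assumption).
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def find_password_guessing(lines: List[str], threshold: int = 5,
                           window_s: int = 60) -> Dict[str, dict]:
    """Flag source IPs with >= threshold failed logins inside any window_s-second span."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    users: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[1] == "Failed":
            ts, _, user, ip = rec
            failures[ip].append(ts)
            users[ip].add(user)

    flagged: Dict[str, dict] = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # slide the window start forward until it spans at most window_s seconds
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"count": peak, "users": sorted(users[ip])}
    return flagged


if __name__ == "__main__":
    for ip, info in find_password_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} failures in window, users tried: {info['users']}")
```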

    John the Ripper: a command-line tool designed to crack

    Hydra:
    hydra -t 5 -V -f -L userlist -P passwordlist ftp://192.168.34.16
    hydra -l admin -P passwordlist ssh://192.168.100.155 -V
    • admin, 1q2w3e4r
    • admin, user12345678

    Vulnerability Database:

    Exploit-db: Manual Exploitation

    The Metasploit Framework: covers fewer vulnerabilities than Exploit-db

    www.nsm.or.th/other-service/671-online-science/knowledge-inventory/sci-vocabulary/sci-vocabulary-information-technology-museum/3239-zero-day.html

    Rainbow Table: a database holding a set of precomputed hashes and their corresponding passwords, built and stored in advance

    • This is a command for scanning port on the target server.
      # nmap -sV -A 52.221.245.121

    • scanning all port.
      # nmap -sV -A -p- 52.221.245.121
      press enter to see the status

    Cr: SoSeCure

    1. Running services with least-privileged accounts and implementing multi-factor authentication and authorization is the best defense against privilege escalation vulnerabilities.

    2. The 'white box testing' methodology enforces the restriction that the internal operation of a system is completely known to the tester.
      medium.com/@noharapleng/black-box-testing-and-white-box-testing-179608779a46

    3. Remote access policy defines the use of VPN for gaining access to an internal corporate network.

    4. While performing information gathering for an important penetration test, you found pdf, doc, and image files in the objective and decided to extract metadata from these files and analyze it. The Metagoofil tool will help with the task.
      Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf, doc, xls, ppt, docx, pptx, xlsx) belonging to a target company.
      www.edge-security.com/metagoofil.php

    5. The Half-open Scan is considered one of the most reliable forms of TCP scanning.

    6. In an internal security audit, the white hat hacker gains control over a user account and attempts to acquire access to another account's confidential files and information; this is Privilege Escalation.

    7. nmap -sn 192.168.11.200-215: this Nmap command performs a Ping Scan.

    8. C++ is the programming language most vulnerable to buffer overflow attacks.

    9. The 'gray box testing' methodology enforces the restriction that the internal operation of a system is only partly known/accessible to the tester.
      A gray-box tester partially knows the internal structure, which includes access to the documentation of internal data structures as well as the algorithms used. Gray-box testers require both high-level and detailed documents describing the application, which they collect in order to define test cases.
      en.wikipedia.org/wiki/Grayboxtesting

    10. env x='(){:;};echo exploit' bash -c 'cat /etc/passwd': this Shellshock bash vulnerability test attempts to display the contents of the passwd file at the prompt on the vulnerable Linux host.
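
    The Shellshock test above works because a vulnerable bash parses an exported environment variable whose value begins with "() {" as a function definition and runs whatever follows it. From the defender's side the same marker is what you look for in request headers that web servers pass to CGI scripts as environment variables. The following is an added example, not code from the original notes or from SoSeCure; the header values are constructed samples and the names SAMPLE_HEADERS, is_shellshock_probe and flag_headers are assumptions for this illustration.

```python
import re

# Constructed sample (name, value) pairs as a web server would receive them in an
# HTTP request; not real traffic.  Two of them carry the Shellshock marker.
SAMPLE_HEADERS = [
    ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("User-Agent", "() { :;}; /bin/cat /etc/passwd"),
    ("Referer", "http://example.test/page"),
    ("Cookie", "session=abc; () { :; }; echo exploit"),
]

# A bash function definition exported through the environment starts with "()"
# followed by an opening brace; whitespace between them is optional, which is
# why the page's "(){:;}" form and the spaced "() {" form both match.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def is_shellshock_probe(value: str) -> bool:
    """True when a header value looks like an exported bash function definition."""
    return bool(SHELLSHOCK_RE.search(value))


def flag_headers(headers):
    """Return only the (name, value) pairs that carry the Shellshock marker."""
    return [(name, value) for name, value in headers if is_shellshock_probe(value)]


if __name__ == "__main__":
    for name, value in flag_headers(SAMPLE_HEADERS):
        print(f"ALERT possible Shellshock probe in {name}: {value!r}")
```

A pattern match like this is a triage aid, not a fix: the mitigation is a patched bash on the host. The check is intentionally loose (it will also flag a legitimate header that happens to contain "(){"), which is the usual trade-off for a detection rule that must not miss the real thing.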

    11. The active type of OS fingerprinting sends specially crafted packets to the remote OS and analyzes the responses received.

    12. The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Injection is the top item in OWASP's Top Ten Project list of the Most Critical Web Application Security Risks.
      Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
      https://owasp.org/www-project-top-ten
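
    To make the injection definition above concrete, the following added example (not code from the original notes or from OWASP) shows the same lookup written two ways against an in-memory SQLite table: the first concatenates untrusted input into the SQL command, so hostile data changes the query; the second passes the input as a bound parameter, so the interpreter only ever sees it as data. Because identifiers such as a sort column cannot be bound as parameters, the last function shows an allow list for that case. The table, its rows and the function names are assumptions for this illustration.

```python
import sqlite3


def make_db():
    """Constructed sample database: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Untrusted data becomes part of the command: a classic injection flaw."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """The driver sends name as a bound parameter; it can never alter the query."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Column names are identifiers, not values, so they cannot be parameterized.
# An allow list is the correct control here (see the later note on allow lists).
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def list_users_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not allowed: {column!r}")
    rows = conn.execute(f"SELECT name FROM users ORDER BY {column}")
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, hostile))  # every user leaks
    print("safe:      ", find_user_safe(db, hostile))        # no match
```

The hostile string is the textbook tautology: in the concatenated version the WHERE clause becomes always-true and every row is returned, while the parameterized version searches for a literal name that does not exist. The same rule applies to the NoSQL, OS and LDAP interpreters named in the note: separate the command from the data, and validate identifiers against a fixed list.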

    13. The Open Web Application Security Project (OWASP) testing methodology addresses the need to secure web applications by providing a list of flaws and how to fix them.

    14. The Metagoofil tool should be used when you need to analyze metadata extracted from files collected during the initial stage of a penetration test (information gathering).

    15. A hacker is an intelligent individual with excellent computer skills that grant them the ability to explore a computer's software and hardware without the owner's permission. Their intention can either be to simply gain knowledge or to illegally make changes. The gray hat class of hacker refers to an individual who works both offensively and defensively at various times.

    16. During a penetration test, a tester finds that the web application being analyzed is vulnerable to Cross Site Scripting (XSS). The condition that must be met to exploit this vulnerability (for cookie theft) is that the session cookies do not have the HttpOnly flag set.
      In general, XSS can be used to exploit more than just cookie stealing.
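
    The two controls the note touches on are output escaping (which removes the XSS flaw itself) and the HttpOnly flag (which keeps the session cookie out of reach of script if a flaw slips through). Below is an added example, not code from the original notes or from any framework the page names, using only the Python standard library: a vulnerable and a hardened renderer for a user comment, a helper that emits the session cookie with HttpOnly, Secure and SameSite set, and a checker that parses a Set-Cookie value to confirm HttpOnly is present. The function names and the sample session id are assumptions for this illustration.

```python
import html
from http.cookies import SimpleCookie


def render_comment_vulnerable(comment: str) -> str:
    """User data is sent to the browser unescaped: script tags are executed."""
    return "<p>" + comment + "</p>"


def render_comment_safe(comment: str) -> str:
    """HTML-escape user data so the browser renders it as text, not markup."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def session_cookie_header(session_id: str) -> str:
    """Build the value of a Set-Cookie header for the session cookie.

    HttpOnly keeps document.cookie from reading it, Secure restricts it to
    HTTPS, and SameSite=Strict stops cross-site requests from carrying it.
    """
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Strict"
    return jar["session"].OutputString()


def cookie_has_httponly(set_cookie_value: str) -> bool:
    """Audit helper: parse a Set-Cookie value and report whether HttpOnly is set."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return any(bool(morsel["httponly"]) for morsel in jar.values())


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(render_comment_vulnerable(payload))
    print(render_comment_safe(payload))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```

Escaping is the primary fix; HttpOnly is defence in depth, which is exactly why the note's exploit condition is phrased around that flag. The audit helper is the kind of check you would run over a proxy capture of an application's responses to confirm the flag is actually being sent.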

    17. A software tester randomly generating invalid inputs in an attempt to crash the program is fuzzing. Fuzzing is a software testing technique used to determine whether a software program properly handles a wide range of invalid input.
      Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks.
      https://en.wikipedia.org/wiki/Fuzzing
      Fuzzing is commonly used to test for security problems in software or computer systems. It is a form of random testing which has been used for testing hardware or software.
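
    The description above has three parts: generate invalid or random inputs, feed them to the program, and watch for crashes or assertion failures. The following added example (not code from the original notes or from Wikipedia) puts all three together in one file: a toy length-prefixed record parser with a deliberate bug, a mutation fuzzer that flips, deletes and inserts bytes in a seed input, and a loop that records which exception types the target raised. A second, corrected parser shows that the same fuzzer finds nothing once the bug is fixed. All names and the seed input are assumptions for this illustration.

```python
import random


def parse_record(data: bytes) -> bytes:
    """Toy parser: first byte is a length, the rest is the payload.

    Deliberate bug: it trusts the declared length and never checks that the
    payload is actually that long, so a truncated record crashes later.
    """
    if not data:
        raise ValueError("empty input")           # expected rejection
    length = data[0]
    payload = data[1:1 + length]
    checksum = payload[length - 1] if length else 0   # IndexError on truncation
    return payload


def parse_record_fixed(data: bytes) -> bytes:
    """Same parser with the missing bounds check added."""
    if not data:
        raise ValueError("empty input")
    length = data[0]
    payload = data[1:1 + length]
    if len(payload) != length:
        raise ValueError("truncated record")      # reject, do not crash
    checksum = payload[-1] if length else 0
    return payload


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random byte-level mutation: overwrite, delete or insert."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and buf:
        del buf[rng.randrange(len(buf))]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(target, seeds, iterations=2000, seed=1):
    """Run mutated inputs through target; map each crash type to one input."""
    rng = random.Random(seed)                     # fixed seed: reproducible run
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except ValueError:
            continue                              # clean rejection is not a crash
        except Exception as exc:                  # anything else is a finding
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    seeds = [b"\x03abc"]                           # constructed valid record
    print("buggy parser:", fuzz(parse_record, seeds))
    print("fixed parser:", fuzz(parse_record_fixed, seeds))
```

The fuzzer treats ValueError as the parser's own "invalid input" verdict and everything else as a crash, which mirrors how a real harness separates graceful rejection from a bug; in C the equivalent signal would be a segfault or sanitizer report rather than an exception. Keeping the first crashing input per exception type gives you a minimal reproducer to hand to the developer.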

    18. The IPsec protocol is used for setting up secured channels between two devices, typically in VPNs.

    19. Matthew received an email with an attachment named 'YouWon$10Grand.zip.' The zip file contains a file named 'HowToClaimYourPrize.docx.exe.' Out of excitement and curiosity, Matthew opened the file. Without his knowledge, the file copied itself to Matthew's APPDATA\local directory and began beaconing to a command-and-control server to download additional malicious binaries. The type of malware Matthew encountered is a Trojan.

    20. Fuzz testing is an adaptive SQL injection testing technique used to discover coding errors by inputting massive amounts of random data and observing the changes in the output.

    21. A rootkit bypasses the Windows 7 kernel-mode code signing policy by attaching itself to the master boot record of a hard drive and changing the machine's boot sequence/options.
      The Windows 7 boot process then never has the opportunity to determine that something is awry.

    22. TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The tcpdump tool can be used for passive OS fingerprinting.

    23. The condition that must exist for a tester to exploit a Cross-Site Request Forgery (CSRF) vulnerable web application is that the web application does not use random (anti-CSRF) tokens.
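
    The random token is the control the note is about: a state-changing request must carry a secret the attacker's page cannot know, and the server must refuse the request without it. The following added example (not code from the original notes or from any web framework) issues a token bound to the session with an HMAC and verifies it in constant time before a hypothetical "transfer" handler does anything. SERVER_KEY, the handler and the form field name are assumptions for this illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical per-deployment secret; in practice loaded from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Random nonce plus an HMAC that ties it to this session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False                                  # malformed or empty
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(session_id: str, form: dict):
    """Hypothetical state-changing handler; returns (status, message)."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transfer of {form.get('amount', '0')} accepted"


if __name__ == "__main__":
    token = issue_csrf_token("sess-A")
    # Request submitted by the real page: carries the token the server issued.
    print(handle_transfer("sess-A", {"amount": "100", "csrf_token": token}))
    # Request forged from another origin: the browser adds the session cookie
    # automatically, but the attacker's form cannot include a valid token.
    print(handle_transfer("sess-A", {"amount": "100"}))
```

Binding the token to the session is what makes it "random" in the sense the note requires: a token captured from one user's page does not validate for another user's session, and a token without the right MAC is rejected before the handler runs.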

    24. XML denial of service issues are a common Service Oriented Architecture (SOA) vulnerability.

    25. Metasploit is considered an exploit framework and has the ability to perform automated attacks on services, ports, applications and unpatched security flaws in a computer system.

    26. The brute force method of password cracking takes the most time and effort.

    27. The 'black box testing' methodology enforces the restriction that only the external operation of a system is accessible to the tester.
      Black-box testing is a method of software testing that examines the functionality of an application without peering into its internal structures or workings.
      https://en.wikipedia.org/wiki/Black-box_testing

    28. Analyzing service responses is the technique a vulnerability scanner uses to detect a vulnerability on a target service.

    29. A security engineer has been asked to deploy a secure remote access solution that will allow employees to connect to the company's internal network. IPsec can be implemented to minimize the opportunity for a man-in-the-middle attack to occur.

    Cr: SoSeCure B-)

    1. A Red Team is a group of highly skilled penetration testers summoned by an organization to test its defenses and improve their effectiveness.

    2. https://www.Hackthebox.eu, https://www.vulnhub.com, and http://ctfs.github.io/resources are sites for practicing penetration testing.

    3. All staff members should know / be responsible for some cybersecurity basics to reduce the risk of cyber attacks.

    4. Methodologies for penetration testing are:
      1. OSSTMM
      2. OWASP Testing Guide
      3. NIST SP800-115
      4. PTES (Penetration Testing Methodologies and Standards)
      5. ISSAF (Information System Security Assessment Framework)

    5. CVSS provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.

    6. OWASP is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.

    7. PTES consists of seven (7) main sections. These cover everything related to a penetration test, from the initial communication and reasoning behind a pen-test, through the intelligence gathering and threat modeling phases.

    8. ISSAF is produced by the Open Information Systems Security Group, and is intended to comprehensively report on the implementation of existing controls to support IEC/ISO 27001:2005(BS7799), Sarbanes Oxley SOX404, CoBIT, SAS70 and COSO.

    9. Injection, Cross Site Scripting, and Broken Authentication and Session Management are in the OWASP Top 10 list of 2017.

    10. Bug Bounty is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs.

    1. Footprinting is the technique used for gathering information about computer systems and the entities they belong to.

    2. https://archive.org is the site that holds historical copies of a company's website since the time it was launched.

    3. The sfp_dnsresolve module in SpiderFoot gathers the target's DNS information.

    4. python3 ./sf.py -m sfp_dnsbrute,sfp_dnsresolve -s tesla.com -q -F IPV6_ADDRESS: this SpiderFoot command runs the DNS brute-force and DNS resolve modules against tesla.com and filters the output to IPv6 addresses only.

    5. Job websites (JobsDB), Google, theHarvester, and Maltego are information gathering tools.

    6. Whois system consists of a publicly available set of databases that contain domain name registration contact information.

    7. The host and nslookup tools can be used to perform a zone transfer.

    8. Metadata can be extracted from DOCX, PNG, SVG, and JPG files.

    9. The filetype: Google search operator restricts results to one document type, e.g. filetype:pdf returns PDF documents only.

    10. FOCA can be used to perform metadata analysis.

    11. Contact information, sub-domains, public IPs, and email addresses are collected when performing Internet information gathering.

    12. nslookup, the Robtex website, and dig are DNS analysis tools.

    13. Google Hacking, E-mail Harvesting, and Metadata Analysis are part of Information Gathering.

    14. Scanning is the phase that follows information gathering.

    15. https://www.robtex.com/dns-lookup/certifiedhacker.com
      1. AS46606 is the BGP AS number of the hosting for 'http://certifiedhacker.com/'.
      2. ns1.bluehost.com is the first DNS server name for 'certifiedhacker.com'.

    16. root@kali:/home/kali# amass enum -d certifiedhacker.com
      root@kali:/home/kali# theHarvester -d certifiedhacker.com -l 300 -b google
      soc.certifiedhacker.com, dns.certifiedhacker.com, blog.certifiedhacker.com, sftp.certifiedhacker.com, and ftp.certifiedhacker.com are sub-domains found for http://certifiedhacker.com.

    • # nmap -sV -A 18.141.197.4
      Scan the default ports on the target server

      # nmap -sV -A -p- 18.141.197.4
      Scan all ports

      # ssh 18.141.197.4 -p 1337

    1. Nmap by default uses a SYN (half-open) scan.

    2. Vulnerability analysis, also known as vulnerability assessment, is a process that defines, identifies, and classifies the security holes in a computer, network, or communications infrastructure.

    3. The output of vulnerability assessment tools can be used as a foundation when building a vulnerability assessment report.

    4. Performing a vulnerability assessment is the best way to find out what security holes exist on the network.

    5. After using Nmap to port-scan a server and finding several open ports, the next step is to examine the services and/or processes that use those ports.

    6. Nessus is a vulnerability assessment tool.

    7. The ping sweep technique uses ICMP as its main underlying protocol.

    8. nmap -p 80,443,8080 <host>: command to scan ports 80, 443 and 8080.

    9. To have Nmap check all potential ports that are running TLS services, the preferred command is nmap -sV --script ssl-cert <host>.

    1. Generating a public/private key pair on the local system: you will be prompted for a passphrase, which is used to encrypt the private key. By default, the private key and the public key are stored in ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.

    2. John the Ripper is a tool designed to crack both Unix and NT passwords.

    3. Hash-identification, Ncrack, Hydra, and RCrack are password cracking tools.

    1. An exploit is a piece of software or a sequence of commands that takes advantage of a bug to cause unintended actions and behaviors.

    2. Capabilities can be assigned to programs using setcap and queried using getcap.

    3. Privilege escalation is the phase of an attack in which the attacker focuses on traversing the system and network to find useful information such as password hashes, active connections, etc.

    4. The PATH variable is an environment variable in Linux and Unix-like operating systems that lists the bin and sbin directories where executable programs are stored.

    5. To list the current user's sudo privileges, or to check whether a specific command can be run as root, use the 'sudo -l' command.

    6. After gaining access to a user account where python3 is available, the command used to find binaries with file capabilities that may allow privilege escalation is 'getcap -r / 2>/dev/null'.

    7. After gaining access to a user account on a system whose sudo is known to be old, 'sudo -V' is the command for checking the sudo version.

    8. Crontab is referred to when checking whether any additional privileges have been given to a file or directory. This can also be manipulated to our own advantage in order to achieve the desired

    Cr: SoSeCure B-)

    1. A web application stores information about many accounts. If a user can manipulate the URL of an account page to access other accounts, the web application is susceptible to insecure direct object reference.

    2. With an indirect reference, access to sensitive data is still possible if there is no limited list of values that the user is authorized to map to in the direct reference.

    3. Regular expressions are the most vulnerable to injection attacks.

    4. The insecure direct object reference threat is most likely to occur when a web application fails to validate a client's access to a resource.

    5. Input validation using an allow list is the best way to protect against injection attacks.

    6. Role-based access control helps prevent the OWASP Top 10 weakness 'Failure to Restrict URL Access'.
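
    Notes 1, 4 and 6 above are two sides of the same control: the server must decide, for every request, whether the authenticated user may touch the object (the id in the URL) and the URL itself (the role). The following added example (not code from the original notes or from SoSeCure) shows an account lookup that trusts the id from the URL beside one that checks ownership, and a role-to-URL map of the kind that closes 'Failure to Restrict URL Access'. The accounts, roles, URLs and function names are constructed assumptions for this illustration.

```python
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    owner: str
    balance: int


# Constructed sample data standing in for the application's database.
ACCOUNTS = {
    1: Account(1, "alice", 500),
    2: Account(2, "bob", 120),
}
ROLES = {"alice": "admin", "bob": "user"}


class AccessDenied(Exception):
    """Raised when the requester may not see the object or the URL."""


def get_account_vulnerable(current_user: str, account_id: int) -> Account:
    """IDOR: the id comes from the URL and nobody asks who current_user is."""
    return ACCOUNTS[account_id]


def get_account_safe(current_user: str, account_id: int) -> Account:
    """Resolve the id, then verify the requester owns the object.

    A missing object and a foreign object get the same answer so the
    response does not reveal which ids exist.
    """
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != current_user:
        raise AccessDenied(f"{current_user} may not access account {account_id}")
    return acct


# Role-based URL access: each path lists the roles allowed to reach it.
URL_ROLES = {
    "/account": {"user", "admin"},
    "/admin/users": {"admin"},
}


def authorize_url(current_user: str, path: str) -> bool:
    """True only when the user's role is on the allow list for the path."""
    role = ROLES.get(current_user)
    return role is not None and role in URL_ROLES.get(path, set())


if __name__ == "__main__":
    # bob changes the id in the URL from 2 to 1
    print("vulnerable:", get_account_vulnerable("bob", 1))   # alice's account leaks
    print("admin page for bob:", authorize_url("bob", "/admin/users"))
    try:
        get_account_safe("bob", 1)
    except AccessDenied as exc:
        print("safe:", exc)
```

The ownership check is the "validate a client's access to a resource" step from note 4; the URL map is the role-based control from note 6. Both checks live on the server, since hiding a link in the UI does nothing against a user who types the URL directly.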

    7. Burp Suite is the most common intercepting proxy tool.

    8. Cross Site Scripting happens when an application takes user-supplied data and sends it to a web browser without proper validation and escaping.

    Cr: SoSeCure

    Impact of cyber attacks on the security of individuals and organizations:


    Financial impact (Financial Cost):
    • Additional expense of credit monitoring and identity protection services provided to customers.
    • Loss of current and future revenue from existing customers.

    Reputational damage:
    • Loss of the trust your customers have in you
    • Loss of customers
    • Loss of sales
    • Reduction in profits
    • Loss of confidence from partners and investors
    • Prolonged court cases which distract from business focus
    • Loss of focus on product development/competitiveness while time is spent cleaning up the mess

    Security Controls (preventive measures)
    • Administrative
    • Physical

    Approaches to preventing cyber attacks:
    Good governance of information technology (IT Governance):
    • Information technology security policy (IT Security Policy)
    • Information technology risk management policy (IT Risk Management)
    Guidelines for controlling information technology risk:

    1. Maintaining correctness and security in operations related to information systems:
      • Define operating procedures
      • Information transfer (sending and receiving information)
      Require backups of business-critical data, with procedures specifying at least the following:
      • Which data must be backed up, and the backup frequency
      • The type of media used to record the data (media)
      • The number of copies required (copy)
      Store and record evidence (logs)
      Control and restrict the right to install software on production systems, and conduct penetration tests

    2. Controlling access to information systems and data (access control) to prevent intrusion and unauthorized access:
      • Control of access to systems and information
      • Measures to ensure the physical and environmental security of information assets

    3. Data security:
      • Identify which data is important or confidential to the organization, and classify data by confidentiality level and importance
      • Define access rights

    4. Monitoring for anomalies and vulnerabilities in information systems:
      • Perform a vulnerability assessment on every critical system at least once a year

    5. Maintaining availability of information systems, and managing incidents that may affect information system security:
      • Manage incidents that may affect security
      • Report immediately when an incident occurs:
        1. Date and time the incident occurred
      • While remediation is in progress
      • When the problem is resolved and the incident is closed
      • Require business continuity management for information systems (information security aspects of business continuity management)
        • Define an IT continuity plan so that the company can recover its information systems, or procure replacement systems, quickly, in order to minimize damage and keep the business running
      • The company must communicate the IT continuity plan to the relevant staff so that they are aware of it and share a common understanding, so that it can be put into practice

    NIST standard security and privacy controls

    Security as a design problem

    22 Security and Privacy Control Families

    1. AC-1: Policy and Procedures
    2. AC-2: Account Management


    1. AU-2: Event Logging



    Approaches to remediation and response when attacked:


    How to minimize the impact of cyber attacks on businesses:
    • After an attack happens, an effective cyber security incident response plan can help you:
      • Reduce the impact of the attack
      • Report the incident to the relevant authority
      • Clean up the affected systems
      • Get your business up and running in the shortest time possible

    The Three Elements of Incident Response: Plan, Team, and Tools:
    • An incident can be defined as any breach of law, policy or unacceptable act that concerns information assets, such as networks, computers, or smartphones.
    • The goal is to respond to incidents before they become a major setback:
      • The lack of an incident response plan can lead to longer recovery times and increased cost.

    Computer Incident Handling Guide:

    1. Preparation:
      • Develop policies to implement in the event of a cyber attack
      • Review security policy and conduct a risk assessment
      • Prioritize security issues, know your most valuable assets

    Cr: ICTMU B-)

    1. Identification:
      • IT systems gather events from monitoring tools, log files, error messages, firewalls, and intrusion detection systems
      • This data should be analyzed by automated tools and security analysts
      • Identify and assess the incident and gather evidence.

    2. Containment: Once the team isolates a security incident, the aim is to stop further damage.
      • Short term containment
      • Long term containment

    3. Eradication:
      • Identify and fix all affected hosts, including hosts inside and outside your organization
      • Isolate the root of the attack to remove all instances of the software

    4. Lessons Learned:

    The goal is to coordinate team members and resources during a cyber incident to minimize impact and quickly restore operations

    Incident response tool:
    • SIEM (SIEM Tools)
    • Intrusion Detection System
    • Vulnerability Scanners (OpenVAS)
    • Availability Monitoring (Nagios)

    Introduction to the Computer-related Crime Act:


    Information Assurance Fundamentals:


    • Pharming targets a huge number of users at once, without the users realizing it, by tampering with and spoofing DNS. It is not classified as a social engineering technique. Victims of the attack cannot tell which web server they are connected to by looking at the URL in the browser.

      Phishing is an attack that sends ordinary-looking (fake) emails to victims, with content that appears to come from a trusted source and is tempting to open, e.g. "your account has a problem", to get them to click a link or enter personal data. Victims of this attack can tell which web server they are connected to by looking at the URL in the browser. It can be prevented by building security awareness among users.

      Spear-phishing is phishing aimed at a clearly pre-selected organization or person, often someone with a role in the organization.
      Vishing = Voice + Phishing, usually a scam to obtain personal data over the telephone.
      Whaling is a spear-phishing style threat aimed at high-ranking individuals such as a CEO.


    • HTTP is a protocol in the Application Layer of the TCP/IP model
      The Network Layer forwards data from one host (sender) to another host (receiver)
      The Transport Layer delivers data at the process level
      The Application Layer interfaces with the user

    • FBI, CISA Warn of Growing ‘Vishing’ Threat as Hackers Take Advantage of Remote Working Trend

    • The A2 Broken Authentication risk in the OWASP Top 10:
      • A user uses a public computer and does not log out of the web application
      • The web application does not set a session timeout

    • Storing passwords in the database without salting, a website not using SSL or TLS, or using an inappropriate encryption algorithm are classified as the A3 Sensitive Data Exposure risk

    • Forgetting to remove sample applications from a production application server is classified as the A6 Security Misconfiguration risk

    • The Cross Site Scripting (XSS) risk allows an attacker to steal the victim's session ID or access token

    • Mirai is a DDoS attack from a botnet made up of a large number of IoT devices

    • SQL injection allows an attacker to view other users' data in the system's database

    • For data backup, the following must be prepared:
      • The location where backups are stored
      • The types of data to back up
      • The backup frequency

    • Restricting data access to only those whose duties require it is a very effective way to prevent theft of organizational data

    • Under the Cybersecurity Act B.E. 2562, 'Critical Information Infrastructure' includes hospitals, railway stations, etc.

    • Preparing to respond to a cyber attack:
      • Define the roles and responsibilities of the team
      • Identify critical assets
      • Define policies and conduct risk assessments

    • Remediation after an attack requires the following steps:
      • Produce a summary report of the incident and its impact
      • Hold a meeting with all involved parties
      • Prepare to handle incidents that may occur again in the future

    • Sensitive personal data includes the national ID number, date of birth, bank account number, etc.

    • Under the Personal Data Protection Act B.E. 2562, the data controller must obtain consent from the data subject, except:
      • For the protection of disaster victims
      • Where necessary for performing tasks in the public interest
      • To assess working capacity
      • To protect a person's health

    • Mechanisms for controlling access to information systems and data, known as Access Control:
      • Assigning usernames and passwords for data access
      • Defining time windows in which data may be accessed
      • Restricting data access by IP address
      • Defining user duties and roles (Role) appropriate to their access rights

    • The personal data protection law in the context of personal data protection under other laws

    • From GDPR and NIST to the Cybersecurity Act and the Personal Data Protection Act (PDPA)

    • Extended Validation (EV) is the type of SSL/TLS certificate with the highest level of trust; the applicant must submit evidence for detailed verification by the CA

    Cr: ICTMU B-)

    • A masquerade attack is sending data while pretending it comes from a different sender

    • A replay attack is capturing data sent between two hosts and sending it again

    • tshark is the command line version of Wireshark, used to capture traffic like tcpdump on Unix

    • capinfos is a Wireshark command line tool that shows statistics about captured data

    • Organizations providing free SSL certificates: Let'sEncrypt, ZeroSSL, SSLforFree, Cloudflare, Comodo (30 days)

    • Confidentiality is preventing data from leaking to other parties

    • Authenticity is verifying that the party we are communicating with really is who they claim to be

    • Background on Security Mechanisms:

      • Confidentiality:
        • Encipherment: a process of making data unreadable to unauthorized entities
        • Symmetric vs Asymmetric Encryption

      • Integrity:
        • Use of Message Authentication Codes (MAC) and Digital Signatures

      • Authenticity:
        • Use of Digital Certificates

      • Availability:
        • Redundancy in servers, networks, applications, and services; hardware fault tolerance; software patching; data backups; and system upgrades
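
    The masquerade and replay attacks defined earlier in this section are exactly what the Integrity mechanism above (a MAC) plus a freshness check are meant to stop. The following added example (not code from the original notes or from ICTMU) shows both sides: a sender that attaches an HMAC-SHA256 tag computed over the canonical message under a shared key, and a receiver that rejects a message whose tag does not verify (forged or modified, i.e. a masquerade), whose timestamp is outside the accepted window, or whose sender/sequence pair has already been accepted (a replay). The shared key, the message format and the window size are constructed assumptions for this illustration.

```python
import hashlib
import hmac
import json

# Constructed shared secret; a real deployment derives it via a key exchange or KDF.
SHARED_KEY = b"constructed-shared-key-for-illustration"


def canonical(msg: dict) -> bytes:
    """Stable byte encoding so sender and receiver MAC the same thing."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def make_message(key: bytes, sender: str, body: str, seq: int, ts: int) -> dict:
    """Sender side: message plus MAC over the whole message, including seq and ts."""
    msg = {"from": sender, "body": body, "seq": seq, "ts": ts}
    tag = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return {"msg": msg, "mac": tag}


class Receiver:
    """Receiver side: verify the MAC, then freshness, then uniqueness."""

    def __init__(self, key: bytes, window: int = 30):
        self.key = key
        self.window = window          # seconds of clock skew tolerated
        self.seen = set()             # (sender, seq) pairs already accepted

    def accept(self, packet: dict, now: int) -> str:
        msg = packet.get("msg", {})
        expected = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        # Constant-time comparison: a forged or altered message fails here.
        if not hmac.compare_digest(packet.get("mac", ""), expected):
            return "bad_mac"
        # The MAC also covers ts and seq, so an attacker cannot refresh them.
        if abs(now - msg["ts"]) > self.window:
            return "stale"
        ident = (msg["from"], msg["seq"])
        if ident in self.seen:
            return "replay"
        self.seen.add(ident)
        return "accept"


if __name__ == "__main__":
    rx = Receiver(SHARED_KEY)
    genuine = make_message(SHARED_KEY, "alice", "pay bob 10", seq=1, ts=1000)
    print("first delivery:", rx.accept(genuine, now=1005))
    print("captured and resent:", rx.accept(genuine, now=1010))
    forged = make_message(b"attacker-guess", "alice", "pay mallory 10", seq=2, ts=1000)
    print("masquerade as alice:", rx.accept(forged, now=1005))
```

The order of the checks matters: the MAC is verified first so that an attacker cannot learn anything about the replay cache or clock from unauthenticated input. A MAC alone gives integrity and origin authentication but not freshness, which is why the timestamp and the sequence cache are needed to catch the replay; a digital signature would play the same role as the MAC where the two parties do not share a key.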

    • Packet sniffers and analyzers:
      • Most packet sniffers use WinPcap, a library for capturing traffic on Windows, or libpcap (Unix)
      • Packet sniffers capture network traffic for analysis and troubleshooting of network quality, e.g. bandwidth, capacity, efficiency, etc.
      • tcpdump is a packet sniffer and analyzer widely used on Unix systems

    • Limitations of packet filtering firewalls:
      • Cannot prevent attacks originating from people inside the organization
      • Does not inspect the payload of incoming data
      • Cannot prevent attacks that come in through a personal hotspot
      • Cannot prevent attacks that bypass it over SSL

    • ZAP is a tool that creates a proxy to intercept data sent between two hosts

    • Zenmap is a tool for discovering which services a host has open

    • John the Ripper is a tool used for password cracking

    • In SSL/TLS, the server must always send its digital certificate to the client before the session begins, but the client does not have to send one

    • Getting to know the AAA model

    Cr: ICTMU B-)