Lavoisier S.A.S.


Canonical URL: www.lavoisier.fr/livre/autre/cybersecurity/mowbray/descriptif_2917499
Short URL or permalink: www.lavoisier.fr/livre/notice.asp?ouvrage=2917499

Cybersecurity: Managing Systems, Conducting Testing, and Investigating Intrusions

Language: English

Author:

A must-have, hands-on guide for working in the cybersecurity profession

Cybersecurity involves preventative methods to protect information from attacks. It requires a thorough understanding of potential threats, such as viruses and other malicious code, as well as system vulnerability and security architecture. This essential book addresses cybersecurity strategies that include identity management, risk management, and incident management, and also serves as a detailed guide for anyone looking to enter the security profession. Doubling as the text for a cybersecurity course, it is also a useful reference for cybersecurity testing, IT test/development, and system/network administration.

  • Covers everything from basic network administration security skills through advanced command line scripting, tool customization, and log analysis skills
  • Dives deeper into such intense topics as Wireshark/tcpdump filtering, Google hacks, Windows/Linux scripting, Metasploit command line, and tool customizations
  • Delves into network administration for Windows, Linux, and VMware
  • Examines penetration testing, cyber investigations, firewall configuration, and security tool customization
  • Shares techniques for cybersecurity testing, planning, and reporting

Cybersecurity: Managing Systems, Conducting Testing, and Investigating Intrusions is a comprehensive and authoritative look at the critical topic of cybersecurity from start to finish.

Introduction xix

Part I Cyber Network Security Concepts 1

Chapter 1 Executive Summary 3

Why Start with Antipatterns? 4

Security Architecture 5

Antipattern: Signature-Based Malware Detection versus Polymorphic Threats 6

Refactored Solution: Reputational-, Behavioral-, and Entropy-Based Malware Detection 6

Antipattern: Document-Driven Certification and Accreditation 7

Antipattern: Proliferating IA Standards with No Proven Benefits 8

Antipattern: Policy-Driven Security Certifications Do Not Address the Threat 10

Refactored Solution: Security Training Roadmap 10

Summary 13

Assignments 14

Chapter 2 The Problems: Cyber Antipatterns 15

Antipatterns Concept 16

Forces in Cyber Antipatterns 16

Cyber Antipattern Templates 18

Micro-Antipattern Templates 18

Full Cyber Antipattern Template 19

Cybersecurity Antipattern Catalog 20

Can’t Patch Dumb 21

Unpatched Applications 23

Never Read the Logs 25

Networks Always Play by the Rules 26

Hard on the Outside, Gooey in the Middle 28

Webify Everything 30

No Time for Security 32

Summary 34

Assignments 35

Chapter 3 Enterprise Security Using the Zachman Framework 37

What Is Architecture? Why Do We Need It? 37

Enterprises Are Complex and Changing 38

The Zachman Framework for Enterprise Architecture 38

Primitive Models versus Composite Models 40

How Does the Zachman Framework Help with Cybersecurity? 40

Everyone Has Their Own Specifications 41

The Goldmine Is in Row 2 42

Frameworks for Row 3 42

Architectural Problem Solving Patterns 43

Business Question Analysis 44

Document Mining 45

Hierarchy Formation 46

Enterprise Workshop 52

Matrix Mining 53

Nominal Group Technique 54

Minipatterns for Problem Solving Meetings 55

Summary 56

Assignments 57

Part II Cyber Network Security Hands-On 59

Chapter 4 Network Administration for Security Professionals 61

Managing Administrator and Root Accounts 62

Windows 63

Linux and Unix 64

VMware 64

Installing Hardware 64

Re-Imaging Operating Systems 67

Windows 67

Linux 68

VMware 69

Other OSes 69

Burning and Copying CDs and DVDs 69

Windows 70

Linux 70

VMware 71

Installing System Protection/Anti-Malware 71

Windows 74

Linux 74

VMware 75

Setting Up Networks 75

Windows 76

Linux 77

VMware 78

Other OSes 79

Installing Applications and Archiving 80

Windows 80

Linux 81

VMware 82

Other OSes 82

Customizing System Management Controls and Settings 82

Windows 82

Linux 83

VMware 83

Other OSes 83

Managing Remote Login 83

Windows 84

Linux 84

VMware 84

Managing User Administration 85

Windows 85

Linux 86

VMware 86

Managing Services 87

Windows 87

Linux 88

Other OSes 88

Mounting Disks 89

Windows 89

Linux 90

VMware 90

Moving Data Between Systems on Networks 90

Windows File Sharing 91

Secure File Transfer Protocol (SFTP) 91

VMware 91

Other Techniques 92

Converting Text Files Between OSes 92

Making Backup Disks 92

Formatting Disks 93

Windows 93

Linux 94

Configuring Firewalls 94

Converting and Migrating VMs 97

Additional Network Administration Knowledge 99

Summary 99

Assignments 101

Chapter 5 Customizing BackTrack and Security Tools 103

Creating and Running BackTrack Images 104

Customizing BackTrack with VM 105

Updating and Upgrading BackTrack and Pen Test Tools 106

Adding Windows to BackTrack with VMware 106

Disk Partitioning 107

Performing Multi-Boot Disk Setup 108

Results of the New Pen Test Architecture 110

Alternative Pen Test Architectures 111

Licensing Challenges for Network Administrators 111

Perpetual License 111

Annual License 111

Time Limited per Instance License 112

Time Hold Renewal License 112

Summary 112

Assignments 113

Chapter 6 Protocol Analysis and Network Programming 115

Networking Theory and Practice 116

Frequently Encountered Network Protocols 117

ARP and Layer 2 Headers 118

IP Header 120

ICMP Header 120

UDP Header 121

TCP Header 122

Network Programming: Bash 124

Bash for Basic Network Programming 125

Bash Network Sweep: Packaging a Script 126

Bash Network Scanning Using While 127

Bash Banner Grabbing 128

Network Programming: Windows Command-Line Interface (CLI) 130

Windows Command Line: Network Programming Using For /L 131

Windows Command Line: Password Attack Using For /F 132

Python Programming: Accelerated Network Scanning 133

Summary 136

Assignments 137

Chapter 7 Reconnaissance, Vulnerability Assessment, and Cyber Testing 139

Types of Cybersecurity Evaluations 139

Body of Evidence (BOE) Review 140

Penetration Tests 141

Vulnerability Assessment 141

Security Controls Audit 141

Software Inspection 141

Iterative/Incremental Testing 142

Understanding the Cybersecurity Testing Methodology 142

Reconnaissance 144

Network and Port Scanning 150

Policy Scanning 153

Vulnerability Probes and Fingerprinting 155

Test Planning and Reporting 159

Summary 162

Assignments 163

Chapter 8 Penetration Testing 165

Forms of Cyber Attacks 166

Buffer Overflows 166

Command Injection Attacks 167

SQL Injection Attacks 167

Network Penetration 167

Commercial Pen Testing Tools 170

Using IMPACT 170

Using CANVAS 171

Using Netcat to Create Connections and Move Data and Binaries 172

Using Netcat to Create Relays and Pivots 173

Using SQL Injection and Cross-Site Techniques to Perform Web Application and Database Attacks 175

Collecting User Identities with Enumeration and Hash Grabbing 177

Enumeration and Hash Grabbing on Windows 178

Enumeration and Hash Grabbing on Linux 179

Password Cracking 179

John the Ripper 181

Rainbow Tables 181

Cain & Abel 181

Privilege Escalation 182

Final Malicious Phases 183

Backdoors 183

Entrenchment 184

Hidden Files 184

Rootkits 184

Rootkit Removal 185

Summary 185

Assignments 187

Chapter 9 Cyber Network Defense Using Advanced Log Analysis 189

Introduction to Cyber Network Defense 190

General Methods and Tools for Cyber Investigations 191

Observation 192

Hypothesis 192

Evaluation 193

Continuous Cyber Investigation Strategy 193

A Summary of the Cyber Investigation Process 195

Network Monitoring 197

The daycap script 199

The pscap Script 200

Text Log Analysis 200

The snortcap Script 201

The headcap Script 201

The statcap Script 202

The hostcap Script 202

The alteripcap Script 203

The orgcap Script 204

The iporgcap Script 205

The archcap Script 205

Binary Log Analysis 206

Advanced Wireshark Filters 206

Data Carving 207

Advanced tcpdump Filtering and Techniques 208

Analyzing Beacons 209

Reporting Cyber Investigations 210

Elimination of Cyber Threats 211

Intrusion Discovery on Windows 214

Summary 215

Assignments 216

Part III Cyber Network Application Domains 217

Chapter 10 Cybersecurity for End Users, Social Media, and Virtual Worlds 219

Doing an Ego Search 219

Protecting Laptops, PCs, and Mobile Devices 220

Staying Current with Anti-Malware and Software Updates 222

Managing Passwords 223

Guarding against Drive-By Malware 224

Staying Safe with E-mail 225

Securely Banking and Buying Online 226

Understanding Scareware and Ransomware 227

Is Your Machine p0wned? 227

Being Careful with Social Media 228

Staying Safe in Virtual Worlds 229

Summary 230

Assignments 231

Chapter 11 Cybersecurity Essentials for Small Business 233

Install Anti-Malware Protection 234

Update Operating Systems 234

Update Applications 235

Change Default Passwords 235

Educate Your End Users 236

Small Enterprise System Administration 236

Wireless Security Basics for Small Business 237

Tips for Apple Macintosh Users 238

Summary 239

Assignments 239

Chapter 12 Large Enterprise Cybersecurity: Data Centers and Clouds 241

Critical Security Controls 242

Scanning Enterprise IP Address Range (Critical Control 1) 243

Drive-By Malware (Critical Controls 2 & 3) 244

Unpatched Applications in Large Enterprises (Critical Controls 2 & 4) 246

Internal Pivot from Compromised Machines (Critical Controls 2 & 10) 247

Weak System Configurations (Critical Controls 3 & 10) 248

Unpatched Systems (Critical Controls 4 & 5) 250

Lack of Security Improvement (Critical Controls 4, 5, 11, & 20) 250

Vulnerable Web Applications and Databases (Critical Controls 6 & 20) 251

Wireless Vulnerability (Critical Control 7) 252

Social Engineering (Critical Controls 9, 12, & 16) 253

Temporary Open Ports (Critical Controls 10 & 13) 254

Weak Network Architectures (Critical Controls 13 & 19) 255

Lack of Logging and Log Reviews (Critical Control 14) 256

Lack of Risk Assessment and Data Protection (Critical Controls 15 & 17) 257

Data Loss via Undetected Exfiltration (Critical Control 17) 259

Poor Incident Response — APT (Critical Control 18) 260

Cloud Security 261

How Do Clouds Form? How Do Clouds Work? 262

Stovepiped Widgets in the Cloud 263

Special Security Implications 264

Consolidation into Clouds Can Magnify Risks 264

Clouds Require Stronger Trust Relationships 264

Clouds Change Security Assumptions 265

Cloud Indexing Changes Security Semantics 265

Data Mashups Increase Data Sensitivity 265

Cloud Security Technology Maturity 266

New Governance and Quality Assurance for Cloud Computing 266

Summary 267

Assignments 268

Chapter 13 Healthcare Information Technology Security 269

HIPAA 270

Healthcare Risk Assessment 270

Healthcare Records Management 271

Healthcare IT and the Judicial Process 272

Data Loss 272

Managing Logs in Healthcare Organizations 273

Authentication and Access Control 274

Summary 275

Assignments 276

Chapter 14 Cyber Warfare: An Architecture for Deterrence 277

Introduction to Cyber Deterrence 278

Cyber Warfare 278

Comprehensive National Cybersecurity Initiative 279

Methodology and Assumptions 280

Cyber Deterrence Challenges 283

Legal and Treaty Assumptions 284

Cyber Deterrence Strategy 286

Reference Model 290

Solution Architecture 291

Architectural Prototypes 296

Baseline Code: Threaded Scanning 297

Botnet for Distributed Scanning 298

Performance Benchmarks 300

Deterministic Models of Performance 302

Projections for Military Botnets 303

Summary 304

Assignments 305

Glossary 307

Bibliography 317

Index 323

Thomas J. Mowbray, PhD, holds gold-level certification from the SANS Institute in network penetration and ethical hacking. Dr. Mowbray, who has earned a doctorate in computer science, has co-authored five other professional books, including Wiley's bestseller Antipatterns: Refactoring Software, Architectures, and Projects in Crisis. After founding the Northrop Grumman Cyber Warfare Community of Practice, Dr. Mowbray joined the Certification and Accreditation Team (an elite cybersecurity test group) as their network administrator, security tools customizer, and hands-on penetration tester. At the time of writing, Dr. Mowbray is the Chief Enterprise Architect of The Ohio State University.

Publication date:

360 pages

18.8 x 23.4 cm

Available from the publisher (lead time: 14 days).

58,56 €

Subject of Cybersecurity:
