first commit

areas/CyberSec/Common-Vulnerabilities-and-Exposures.md

@@ -0,0 +1 @@
+The **Common Vulnerabilites and Exposures (CVE)** system provides a reference method for publicly known information-security vulnerabilities and exposures.

areas/CyberSec/Virus_and_Spam_Test.md

@@ -0,0 +1,10 @@
+
+## Spam
+
+Put this string into the body of a mail and it should be detected as spam:
+`XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X`
+
+## Antivirus
+
+Put this string into the body of a mail and it should be detected as anti-virus:
+`X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`

areas/CyberSec/ZeroTrust.md

@@ -0,0 +1,9 @@
+## Introduction
+
+> "VPNs are increasingly the target of attacks and increasingly vulnerable to painful breaches."
+> "Bad actors with VPN credentials have the 'keys to the kingdom' to go anywhere and take anything."
+> "VPNs can be frustrating for administrators to configure, and clunky for users to handle."
+
+## Resources
+
+- <https://www.cloudflare.com/products/zero-trust/vpn-replacement/>

areas/CyberSec/cyberCNS-globalview-settings.md

@@ -0,0 +1,18 @@
+[[cyberCNS]]
+
+Here we list all available settings shown in the left site when being in the global view.
+
+## Scheduler
+
+There are 4 rules here:
+- **Scan Scheduler:** Schedule scans at chosen time, scan type, company and tags(Server, Workstations, Windows 11,...).
+- **Report Scheduler:** Schedule the a report notification via Mail. Choose Name, Companies, excluded Companies, Report and its type, optional password, time and mail recipient. In addition, one can set filter rules.
+- **Auto Patch:** Automatically patch specific applications for specified companies and tags. ??How does it patch???
+- **Report Builder Scheduler:** Seems equal to report scheduler with the exception that their predefined reports are not selected. Maybe here we can trigger custom reports.
+
+## Application Baseline
+
+Here one can add application baseline rules. These rules are os specific. One can select as type either **applications** or **services** and then either _deny_ those or set specific ones as _mandatory_.
+Denying or setting applications/services as mandatory can be done via regex. 
+
+## Notification Rules

areas/CyberSec/cyberCNS.md

@@ -0,0 +1,16 @@
+<https://portaleucentral1.mycybercns.com/login>
+
+## Files
+
+[[cybercns-testphase-structure]]
+[[cyberCNS-globalview-settings]]
+
+## Abbreviations
+
+| Abbreviation |                   Full                   |                                                  Description                                                  | Links for further reading    |
+|:------------:|:----------------------------------------:|:-------------------------------------------------------------------------------------------------------------:| ---------------------------- |
+|     CVE      | [[Common-Vulnerabilities-and-Exposures]] |    Provides a reference method for publicly known information-security <br> vulnerabilities and exposures.    |                              |
+|     CVSS     |   Common Vulnerability Scoring System    | A free and open industry standard for assessing the severity <br> of computer system security vulnerabilities |                              |
+|     EPSS     |    Exploit Prediction Scoring System     |           Attempt to quantify how likely a given CVE is,<br> to actually be exploited by attackers.           | <https://www.first.org/epss> |
+
+

areas/CyberSec/cybercns-deployment.md

@@ -0,0 +1,15 @@
+The deployment happens _company_ and _device_ specific.
+One can get a simple powershell/shell script to download a MSI,EXE/DEB,RPM and start the install process for Windows/Linux, respectively.
+
+**TODO:** It would be nice to setup a generic script in Ninja to deploy it on arbitrary devices.
+
+The cybercns deployment method uses the following IDs for new devices: 
+- CompanyID
+- ClientID
+- Client Secret
+
+The possible targets for their deployment method are:
+- Windows Clients (msi or exe file)
+- Mac Clients
+- Linux Clients (NOT OS SPECIFIC???)
+- ARM devices

areas/CyberSec/cybercns-testphase-structure.md

@@ -0,0 +1,15 @@
+The cost model is 2500 devices / bill. (very cheap)
+
+## TODO:
+
+- integrate [[autotask]] (Autotask API: create separate user)
+- test the modules
+- analyze possibilities of the software
+- maybe itglue integration
+
+## Cooking Receipe
+
+- [[cybercns-deployment|Deployment]]
+- [[cybercns-integration|Integration]]
+- [[cybercns-credentials|Credentials]]
+- [[cybercns-analysis|Analysis]]

areas/CyberSec/cybersec-notions.md

@@ -0,0 +1,3 @@
+
+- *Command-and-control (C2)*:
+- *Beacon*: Beaconing in networking is a periodic digital signal which go between an infected device and a C2

areas/CyberSec/digital-forensics-and-incident-response.md

@@ -0,0 +1,7 @@
+## Incident Response
+
+The four major phases of the incident response process are:
+1. **Preparation:** This requires a team trained and ready to handle incidents. Ideally, various measures are put in place to prevent incidents from happening in the first place.
+1. **Detection and Analysis:** The team has the necessary resources to detect any incident; moreover, it is essential to further analyze any detected incident to learn about its severity.
+1. **Containment, Eradication, and Recovery:** Once an incident is detected, it is crucial to stop it from affecting other systems, eliminate it, and recover the affected systems. For instance, when we notice that a system is infected with a computer virus, we would like to stop (contain) the virus form spreading to other systems, clean (eradicate) the virus, and ensure proper system recovery.
+1. **Post-Incident Activity:** After successful recovery, a report is produced, and the learned lesson is shared to prevent similar future incidents.

areas/CyberSec/security-information-and-event-management.md

@@ -0,0 +1,3 @@
+A SIEM gathers security-related information and events from various sources and presents them via one system. For instance, you would be notified if there is a failed login attempt or a login attempt from an unexpected geographic location. Moreover, with the advent of machine learning, a SIEM might detect unusual behavior, such as a user logging in at 3 AM when he usually logs in only during work hours.
+
+143.110.250.149

areas/CyberSec/security-operations-center.md

@@ -0,0 +1,6 @@
+A _Security Operations Center_ (SOC) is a team of cyber security professionals that monitors the network and its systems to detect malicious cyber security events. Some of the main areas of interest for a SOC are:
+
+- [[vulnerabilites|Vulnerabilties]]: Whenever a system vulnerability (weakness) is discovered, it is essential to fix it by installing a proper update or patch. When a fix is not available, the necessary measures should be taken to prevent an attacker from exploiting it. Although remediating vulnerabilities is of vital interest to a SOC, it is not necessarily assigned to them.
+- [[policy-violations|Policy violations]]: We can think of a security as a set of rules required for the protection of the network and systems. For example, it might be a policy violation if users start uploading confidential company data to an online storage service.
+- [[unauthorized-activy|Unauthorized activity]]: Consider the case where a user's login name and password are stolen, and the attacker uses them to log into the network. A SOC needs to detect such an event and block it as soon as possible before further damage is done.
+- [[network-intrusions|Network intrusions]]: No matter how good your security, there is always a chance for an intrusion. An intrusion can occur when a user clicks on a malicious link or when an attacker exploits a public server. Either way, when an intrusion occurs, we must detect it as soon as possible to prevent further damage.

areas/CyberSec/threat-intelligence.md

@@ -0,0 +1,9 @@
+- _intelligence_ refers to information you gather about actual and potential enemies
+- _threat_ is any action that can disrupt or adversely affect a system
+
+- Threat intelligence aims to gather information to help the company better prepare against potential adversaries. 
+- The purpose would be to achieve a _threat-informed defense_
+
+Intelligence needs data. Data has to be collected, processed, and analyzed. Data collection is done from local sources such as network logs and public sources such as forums. Processing of data aims to arrange them into a format suitable for analysis. The analysis phase seeks to find more information about the attackers and their motives; moreover, it aims to create a list of recommendations and actionable steps.
+
+Learning about your adversaries allows you to know their tactics, technics, and procedures. As a result of threat intelligence, we identify the threat actor (adversary), predict their activity, and consequently, we will be able to mitigate their attacks and prepare a response strategy.

areas/CyberSec/tryhackme-careers-in-cyber.md

@@ -0,0 +1,78 @@
+## Intro
+
+Why get a career in cyber:
+- High Pay - jobs in security have high starting salaries
+- Exciting - work can include legally hacking systems or defending against cyber attacks
+- Be in demand - there are over 3.5 million unfilled cyber positions
+
+## Security Analyst
+
+Responsible for maintaining the security of an organization's data
+
+### Responsibilities 
+
+- Working with various stakeholders to analyze the cyber security throughout the company
+- Compile ongoing reports about the safety of networks, documenting security issues and measures taken in response
+- Develop security plans, incorporating research on new attack tools and trends, and measures needed across teams to maintain data security
+
+## Security Engineer 
+
+Design, monitor and maintain security controls, networks, and systems to help prevent cyberattacks
+
+### Responsibilities 
+
+- Testing and screening security measures across software
+- Monitor networks and reports to update systems and mitigate vulnerabilities
+- Identify and implement systems needed for optimal security
+
+## Incident Responder
+
+Identifies and mitigates attacks whilst an attackers operations are still unfolding
+
+### Responsibilities 
+
+- Developing and adopting a thorough, actionable incident response plan
+- Maintaining strong security best practices and supporting incident response measures
+- Post-incident reporting and preparation for future attacks, considering learnings and adaptations to take from incidents
+
+## Digital Forensics Examiner
+
+Responsible for using digital forensics to investigate incidents and crimes
+
+### Responsibilities
+
+- Collect digital evidence while observing legal procedures
+- Analyze digital evidence to find answers related to the case
+- Document your findings and report on the case
+
+## Malware Analyst
+
+Analyzes all types of malware to learn more about how they work and what they do
+
+### Responsibilities
+
+- Carry out static analysis of malicious programs, which entails reverse-engineering
+- Conduct dynamic analysis of malware samples by observing their activities in a controlled environment
+- Document and report all the findings
+
+
+## Penetration Tester
+
+Responsible for testing technology products for security loopholes
+
+### Responsibilities
+
+- Conduct tests on computer systems, networks, and web-based applications
+- Perform security assessments, audits, and analyze policies
+- Evaluate and report on insights, recommending actions for attack prevention
+
+
+## Red Teamer
+
+Plays the role of an adversary, attacking an organization and providing feedback from an enemies perspective
+
+### Responsibilities
+
+- Emulate the role of threat actor to uncover exploitable vulnerabilities, maintain access and avoid detection
+- Assess organizations' security controls, threat intelligence, and incident response procedures
+- Evaluate and report on insights, with actionable data for companies to avoid real-world instances

areas/CyberSec/tryhackme-intro-to-defensive-security.md

@@ -0,0 +1,18 @@
+Keywords: [[security-operations-center]] (SOC), [[threat-intelligence]], [[digital-forensics-and-incident-response]] (DFIR), [[malware]], [[security-information-and-event-management]] (SIEM)
+
+
+Defensive security is concerned with two main tasks:
+
+1. Preventing intrusions from occurring 
+2. Detecting intrusions when they occur and responding properly
+
+Blue teams are part of the defensive security landscape.
+
+Some of the tasks that are related to defensive security include:
+- **User cyber security awareness:** Training users about cyber security helps protect against various attacks that target their systems
+- **Documenting and managing assets:** We need to know the types of systems and devices that we have to manage and protect properly.
+- **Updating and patching systems:** Ensuring that computers, servers, and network devices are correctly updated and patched against any known vulnerability (weakness).
+- **Setting up preventative security devices:** [[firewall]] and [[intrusion-prevention-systems]] (IPS) are critical components of preventative security. Firewalls control what network traffic can go inside and what can leave the system or network. IPS blocks any network traffic that matches present rules and attack signatures.
+- **Setting up logging and monitoring devices:** Without proper [[logging]] and [[monitoring]] of the network, it won't be possible to detect malicious activities and intrusions. If a new unauthorized device appears on our network, we should be able to know.
+
+There is much more to defensive security, and the list above only covers a few common topics.

areas/CyberSec/tryhackme.md

@@ -0,0 +1,2 @@
+[[tryhackme-intro-to-defensive-security]]
+[[tryhackme-careers-in-cyber]]

areas/Turtle/20241113-Meeting.md

@@ -0,0 +1,65 @@
+# Turtle Meeting - Summary
+
+- **Simone Mail:** sitimm@live.de
+
+## Teilnehmer/innen
+
+- Simone
+- Marko
+- Jan
+- Volker
+- Petar
+
+## Themen
+
+- Teambuilding
+- Updates (XG, XGS)
+- Migration
+- Sophos Support Kontaktaufnahem
+- VLAN - Netzwerkoptimierung
+- OPNsense
+- Vertrieb
+
+## Updates
+
+- XG's und XGS's nicht alle geupdatet
+- SG's sind alle geupdatet (durch Jan)
+- bei 26 Stueck fehlen Updates, zum Zeitpunkt der Niederschrift   
+- Langfristige Loesung des Update Managements notwendig (moeglischt automatisiert, ueberwacht und zyklisch)
+- Jan und Marko uebernehmen die Updates
+
+## Sophos Support 
+
+- Jan wird Probleme/Fragen/Themen/etc sammeln und gesammelt an Sophos Support schicken
+- Ende 24/Anfang 25
+
+## Teambuilding
+
+- Regelmaessige Schulungstermine einfuehren
+- Jede 2x Woche
+- Mitarbeitende sollen ihr Wissen mit Kollegen teilen (wo notwedig)
+
+## OPNsense
+
+- Petar mach Schulungen fuer Team Bedarf besteht
+- aktuell nur eine OPNsense bei Kunden
+- Updates werden aktuell regelmaessig ueber OPNcentral durchgefuehrt
+
+## Migrationen
+
+- 8/67 fertig - noch 5 Stueck werden bis Ende 2024 _sicher_ gemacht
+- potentiell mehr machbar
+
+## Vertrieb
+
+- mehr Druck gegenueber Kunden (nach 2-3 Tagen nachhaken)
+- Proaktiv Kunden kontaktieren
+- Oefter nach Angebotsversand nachfragen
+- Melissa mehr einbringen (in Bezug zu Migration)
+- Klaeren, Einhalten und Implementieren
+
+## VLAN
+
+- Meeting mit Sebastian, Geschaeftsfuehrern und Turtles vereinbaren
+- Nicht umsetzbar im Rahmen der Migrationen (und manchmal auch nicht sinnvoll)
+- Liste erstellen, bei welchen Kunden VLANs sinvoll sind

areas/nextcloud/00-init.md

@@ -0,0 +1,3 @@
+# Nextcloud install
+
+Here I document my practicing of installing Nextcloud on a linux server (ubuntu 20.04) with different methods.

areas/nextcloud/01-requirements.md

@@ -0,0 +1,21 @@
+# Requirements (20240311)
+
+| Platform    | Options                                                        |
+| ----------- | -------------------------------------------------------------- |
+| OS (64-bit) | - **Ubuntu 22.04 LTS** (recommended)                           |
+|             | - Ubuntu 20.04 LTS                                             |
+|             |                                                                |
+| Database    | - MySQL 8.0+ or MariaDB 10.3/10.5/**10.6** (recommended)/10.11 |
+|             | - PostgresSQL 12/13/14/15/16                                   |
+|             |                                                                |
+| Webserver   | - **Apache 2.4 with `mod_php` or `php-fpm`** (recommended)     |
+|             | - nginx with `php-fpm`                                         |
+|             |                                                                |
+| PHP Runtime | - 8.0 (deprecated)                                             |
+|             | - 8.1                                                          |
+|             | - **8.2 (recommended)**                                        |
+|             | - 8.3                                                          |
+
+## Comments
+
+The package repos of Ubuntu 20.04 LTS only support php up to version 7.4. Higher versions are not delivered by the apt package manager. The latest version of php is 8.3 (20240312).

areas/nextcloud/02-php_modules-and-configuration.md

@@ -0,0 +1,87 @@
+## Source
+
+<https://docs.nextcloud.com/server/latest/admin_manual/installation/php_configuration.html>
+
+## PHP Modules
+
+This section lists all required and optional PHP modules. Consult the
+[PHP manual](https://php.net/manual/en/extensions.php) for more information on modules.
+You can check the presence of a module by typing `php -m | grep -i <module_name>`.
+If you get a result, the module is present.
+
+Required:
+
+- PHP
+- PHP module ctype
+- PHP module curl
+- PHP module dom
+- PHP module fileinfo (included with PHP)
+- PHP module filter (only on Mageia and FreeBSD)
+- PHP module GD
+- PHP module hash (only on FreeBSD)
+- PHP module JSON (included with PHP >= 8.0)
+- PHP module libxml (Linux package libsml2 must be >=2.7.0)
+- PHP module mbstring
+- PHP module openssl (included with PHP >=8.0)
+- PHP module posix
+- PHP module session
+- PHP module SimpleXML
+- PHP module XMLReader
+- PHP module XMLWriter
+- PHP module zip
+- PHP module zlib
+
+Database connectors
+
+- PHP module pdo_mysql (MySQL/MariaDB)
+
+_Recommended_ packages:
+
+- PHP module intl (increases language translation performance and fixes sorting of non-ASCII characters)
+- PHP module sodium (for Argon2 for password hashing, bcrypt is used as fallback,
+  but if passwords were hashed with Argon2 already and the module is missing, your users can't log in.)
+
+Required for specific apps:
+
+...
+
+For preview generation (_optional_):
+
+- PHP module imagick
+- avconv or ffmpeg
+- OpenOffice or LibreOffice
+
+For command line updater (_optional_):
+
+- PHP module phar (upgrades Nextcloud by running `sudo -u www-data php /var/www/nextcloud/updater/updater.phar`)
+
+## ini values
+
+The following ini settings should be adapted if needed for Nextcloud:
+
+- `apc.enable_cli`: see [Memory caching](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/caching_configuration.html)
+- `disable_funcitons`: avoid disabling functions unless you know exactly what you are doing
+- `max_execution_time`: see [Uploading big files](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/big_file_upload_configuration.html)
+- `memory_limit`: should be at least 512MB. See also [Uploading big files](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/big_file_upload_configuration.html)
+- `opcache.enable` and friends: See [Memory caching](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/caching_configuration.html) and [Server tuning](https://docs.nextcloud.com/server/latest/admin_manual/installation/server_tuning.html)
+- `open_basedir`: see [Hardening and security](https://docs.nextcloud.com/server/latest/admin_manual/installation/harden_server.html)
+- `upload_tmp_dir`: see [Uploading big files](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/big_file_upload_configuration.html)
+
+## php.ini configuration notes
+
+Keep in mind that chagnes to `php.ini` may have to be configured on more than one ini file. This can be the case, for example, for the `date.timezone` setting. You can search for a parameter with the following command: `grep -r date.timezone /etc/php`.
+
+### php.ini used by the Web server:
+
+```apache2
+/etc/php/8.0/apache2/php.in
+or
+/etc/php/8.0/fpm/php.ini
+or ...
+```
+
+### php.ini used by the php-cli ans so by Nextcloud CRON jobs:
+
+```
+/etc/php/8.0/cli/php.ini
+```

areas/nextcloud/03-required-pkgs.md

@@ -0,0 +1,19 @@
+# Packages to install
+
+## classical LAMP stack
+
+- apache2
+- mariadb-server
+- libapache2-mod-php
+- php
+- php-{bcmath,curl,ctype,dom,gd,gmp,imagick,intl,mbstring,mysql,posix,xml,zip}
+- ffmpeg (video encoding)
+
+## nginx stack (not tested yet)
+
+- nginx
+- mariadb-server or 'mysql'
+- php
+- php-fpm (important)
+- php-{bcmath,curl,ctype,dom,gd,intl,mbstring,posix,xml,zip} (NOT ALL)
+- ffmpeg

areas/nextcloud/04-installation-on-linux.md

@@ -0,0 +1,5 @@
+## Introduction
+
+In case one prefers installing from the source tarball, one can setup Nextcloud from scratch using a classical LAMP stack (Linux, Apache, MySQL/MariaDB, PHP).
+
+Here we note a general overview of required dependencies and their configuration. For a distribution specific setup guide have a look at the [Example installation on Ubuntu 22.04 LTS].

areas/nextcloud/66-command-line-installation-and-upgrade.md

@@ -0,0 +1,3 @@
+## Command Line
+
+<https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/occ_command.html#command-line-installation-label>

areas/nextcloud/66-installing-from-commandline.md

@@ -0,0 +1,3 @@
+## Autoinstall form command line
+
+<https://docs.nextcloud.com/server/stable/admin_manual/installation/command_line_installation.html>