first commit

areas/CyberSec/Common-Vulnerabilities-and-Exposures.md

@@ -0,0 +1 @@
+The **Common Vulnerabilites and Exposures (CVE)** system provides a reference method for publicly known information-security vulnerabilities and exposures.

areas/CyberSec/Virus_and_Spam_Test.md

@@ -0,0 +1,10 @@
+
+## Spam
+
+Put this string into the body of a mail and it should be detected as spam:
+`XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X`
+
+## Antivirus
+
+Put this string into the body of a mail and it should be detected as anti-virus:
+`X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`

areas/CyberSec/ZeroTrust.md

@@ -0,0 +1,9 @@
+## Introduction
+
+> "VPNs are increasingly the target of attacks and increasingly vulnerable to painful breaches."
+> "Bad actors with VPN credentials have the 'keys to the kingdom' to go anywhere and take anything."
+> "VPNs can be frustrating for administrators to configure, and clunky for users to handle."
+
+## Resources
+
+- <https://www.cloudflare.com/products/zero-trust/vpn-replacement/>

areas/CyberSec/cyberCNS-globalview-settings.md

@@ -0,0 +1,18 @@
+[[cyberCNS]]
+
+Here we list all available settings shown in the left site when being in the global view.
+
+## Scheduler
+
+There are 4 rules here:
+- **Scan Scheduler:** Schedule scans at chosen time, scan type, company and tags(Server, Workstations, Windows 11,...).
+- **Report Scheduler:** Schedule the a report notification via Mail. Choose Name, Companies, excluded Companies, Report and its type, optional password, time and mail recipient. In addition, one can set filter rules.
+- **Auto Patch:** Automatically patch specific applications for specified companies and tags. ??How does it patch???
+- **Report Builder Scheduler:** Seems equal to report scheduler with the exception that their predefined reports are not selected. Maybe here we can trigger custom reports.
+
+## Application Baseline
+
+Here one can add application baseline rules. These rules are os specific. One can select as type either **applications** or **services** and then either _deny_ those or set specific ones as _mandatory_.
+Denying or setting applications/services as mandatory can be done via regex. 
+
+## Notification Rules

areas/CyberSec/cyberCNS.md

@@ -0,0 +1,16 @@
+<https://portaleucentral1.mycybercns.com/login>
+
+## Files
+
+[[cybercns-testphase-structure]]
+[[cyberCNS-globalview-settings]]
+
+## Abbreviations
+
+| Abbreviation |                   Full                   |                                                  Description                                                  | Links for further reading    |
+|:------------:|:----------------------------------------:|:-------------------------------------------------------------------------------------------------------------:| ---------------------------- |
+|     CVE      | [[Common-Vulnerabilities-and-Exposures]] |    Provides a reference method for publicly known information-security <br> vulnerabilities and exposures.    |                              |
+|     CVSS     |   Common Vulnerability Scoring System    | A free and open industry standard for assessing the severity <br> of computer system security vulnerabilities |                              |
+|     EPSS     |    Exploit Prediction Scoring System     |           Attempt to quantify how likely a given CVE is,<br> to actually be exploited by attackers.           | <https://www.first.org/epss> |
+
+

areas/CyberSec/cybercns-deployment.md

@@ -0,0 +1,15 @@
+The deployment happens _company_ and _device_ specific.
+One can get a simple powershell/shell script to download a MSI,EXE/DEB,RPM and start the install process for Windows/Linux, respectively.
+
+**TODO:** It would be nice to setup a generic script in Ninja to deploy it on arbitrary devices.
+
+The cybercns deployment method uses the following IDs for new devices: 
+- CompanyID
+- ClientID
+- Client Secret
+
+The possible targets for their deployment method are:
+- Windows Clients (msi or exe file)
+- Mac Clients
+- Linux Clients (NOT OS SPECIFIC???)
+- ARM devices

areas/CyberSec/cybercns-testphase-structure.md

@@ -0,0 +1,15 @@
+The cost model is 2500 devices / bill. (very cheap)
+
+## TODO:
+
+- integrate [[autotask]] (Autotask API: create separate user)
+- test the modules
+- analyze possibilities of the software
+- maybe itglue integration
+
+## Cooking Receipe
+
+- [[cybercns-deployment|Deployment]]
+- [[cybercns-integration|Integration]]
+- [[cybercns-credentials|Credentials]]
+- [[cybercns-analysis|Analysis]]

areas/CyberSec/cybersec-notions.md

@@ -0,0 +1,3 @@
+
+- *Command-and-control (C2)*:
+- *Beacon*: Beaconing in networking is a periodic digital signal which go between an infected device and a C2

areas/CyberSec/digital-forensics-and-incident-response.md

@@ -0,0 +1,7 @@
+## Incident Response
+
+The four major phases of the incident response process are:
+1. **Preparation:** This requires a team trained and ready to handle incidents. Ideally, various measures are put in place to prevent incidents from happening in the first place.
+1. **Detection and Analysis:** The team has the necessary resources to detect any incident; moreover, it is essential to further analyze any detected incident to learn about its severity.
+1. **Containment, Eradication, and Recovery:** Once an incident is detected, it is crucial to stop it from affecting other systems, eliminate it, and recover the affected systems. For instance, when we notice that a system is infected with a computer virus, we would like to stop (contain) the virus form spreading to other systems, clean (eradicate) the virus, and ensure proper system recovery.
+1. **Post-Incident Activity:** After successful recovery, a report is produced, and the learned lesson is shared to prevent similar future incidents.

areas/CyberSec/security-information-and-event-management.md

@@ -0,0 +1,3 @@
+A SIEM gathers security-related information and events from various sources and presents them via one system. For instance, you would be notified if there is a failed login attempt or a login attempt from an unexpected geographic location. Moreover, with the advent of machine learning, a SIEM might detect unusual behavior, such as a user logging in at 3 AM when he usually logs in only during work hours.
+
+143.110.250.149

areas/CyberSec/security-operations-center.md

@@ -0,0 +1,6 @@
+A _Security Operations Center_ (SOC) is a team of cyber security professionals that monitors the network and its systems to detect malicious cyber security events. Some of the main areas of interest for a SOC are:
+
+- [[vulnerabilites|Vulnerabilties]]: Whenever a system vulnerability (weakness) is discovered, it is essential to fix it by installing a proper update or patch. When a fix is not available, the necessary measures should be taken to prevent an attacker from exploiting it. Although remediating vulnerabilities is of vital interest to a SOC, it is not necessarily assigned to them.
+- [[policy-violations|Policy violations]]: We can think of a security as a set of rules required for the protection of the network and systems. For example, it might be a policy violation if users start uploading confidential company data to an online storage service.
+- [[unauthorized-activy|Unauthorized activity]]: Consider the case where a user's login name and password are stolen, and the attacker uses them to log into the network. A SOC needs to detect such an event and block it as soon as possible before further damage is done.
+- [[network-intrusions|Network intrusions]]: No matter how good your security, there is always a chance for an intrusion. An intrusion can occur when a user clicks on a malicious link or when an attacker exploits a public server. Either way, when an intrusion occurs, we must detect it as soon as possible to prevent further damage.

areas/CyberSec/threat-intelligence.md

@@ -0,0 +1,9 @@
+- _intelligence_ refers to information you gather about actual and potential enemies
+- _threat_ is any action that can disrupt or adversely affect a system
+
+- Threat intelligence aims to gather information to help the company better prepare against potential adversaries. 
+- The purpose would be to achieve a _threat-informed defense_
+
+Intelligence needs data. Data has to be collected, processed, and analyzed. Data collection is done from local sources such as network logs and public sources such as forums. Processing of data aims to arrange them into a format suitable for analysis. The analysis phase seeks to find more information about the attackers and their motives; moreover, it aims to create a list of recommendations and actionable steps.
+
+Learning about your adversaries allows you to know their tactics, technics, and procedures. As a result of threat intelligence, we identify the threat actor (adversary), predict their activity, and consequently, we will be able to mitigate their attacks and prepare a response strategy.

areas/CyberSec/tryhackme-careers-in-cyber.md

@@ -0,0 +1,78 @@
+## Intro
+
+Why get a career in cyber:
+- High Pay - jobs in security have high starting salaries
+- Exciting - work can include legally hacking systems or defending against cyber attacks
+- Be in demand - there are over 3.5 million unfilled cyber positions
+
+## Security Analyst
+
+Responsible for maintaining the security of an organization's data
+
+### Responsibilities 
+
+- Working with various stakeholders to analyze the cyber security throughout the company
+- Compile ongoing reports about the safety of networks, documenting security issues and measures taken in response
+- Develop security plans, incorporating research on new attack tools and trends, and measures needed across teams to maintain data security
+
+## Security Engineer 
+
+Design, monitor and maintain security controls, networks, and systems to help prevent cyberattacks
+
+### Responsibilities 
+
+- Testing and screening security measures across software
+- Monitor networks and reports to update systems and mitigate vulnerabilities
+- Identify and implement systems needed for optimal security
+
+## Incident Responder
+
+Identifies and mitigates attacks whilst an attackers operations are still unfolding
+
+### Responsibilities 
+
+- Developing and adopting a thorough, actionable incident response plan
+- Maintaining strong security best practices and supporting incident response measures
+- Post-incident reporting and preparation for future attacks, considering learnings and adaptations to take from incidents
+
+## Digital Forensics Examiner
+
+Responsible for using digital forensics to investigate incidents and crimes
+
+### Responsibilities
+
+- Collect digital evidence while observing legal procedures
+- Analyze digital evidence to find answers related to the case
+- Document your findings and report on the case
+
+## Malware Analyst
+
+Analyzes all types of malware to learn more about how they work and what they do
+
+### Responsibilities
+
+- Carry out static analysis of malicious programs, which entails reverse-engineering
+- Conduct dynamic analysis of malware samples by observing their activities in a controlled environment
+- Document and report all the findings
+
+
+## Penetration Tester
+
+Responsible for testing technology products for security loopholes
+
+### Responsibilities
+
+- Conduct tests on computer systems, networks, and web-based applications
+- Perform security assessments, audits, and analyze policies
+- Evaluate and report on insights, recommending actions for attack prevention
+
+
+## Red Teamer
+
+Plays the role of an adversary, attacking an organization and providing feedback from an enemies perspective
+
+### Responsibilities
+
+- Emulate the role of threat actor to uncover exploitable vulnerabilities, maintain access and avoid detection
+- Assess organizations' security controls, threat intelligence, and incident response procedures
+- Evaluate and report on insights, with actionable data for companies to avoid real-world instances

areas/CyberSec/tryhackme-intro-to-defensive-security.md

@@ -0,0 +1,18 @@
+Keywords: [[security-operations-center]] (SOC), [[threat-intelligence]], [[digital-forensics-and-incident-response]] (DFIR), [[malware]], [[security-information-and-event-management]] (SIEM)
+
+
+Defensive security is concerned with two main tasks:
+
+1. Preventing intrusions from occurring 
+2. Detecting intrusions when they occur and responding properly
+
+Blue teams are part of the defensive security landscape.
+
+Some of the tasks that are related to defensive security include:
+- **User cyber security awareness:** Training users about cyber security helps protect against various attacks that target their systems
+- **Documenting and managing assets:** We need to know the types of systems and devices that we have to manage and protect properly.
+- **Updating and patching systems:** Ensuring that computers, servers, and network devices are correctly updated and patched against any known vulnerability (weakness).
+- **Setting up preventative security devices:** [[firewall]] and [[intrusion-prevention-systems]] (IPS) are critical components of preventative security. Firewalls control what network traffic can go inside and what can leave the system or network. IPS blocks any network traffic that matches present rules and attack signatures.
+- **Setting up logging and monitoring devices:** Without proper [[logging]] and [[monitoring]] of the network, it won't be possible to detect malicious activities and intrusions. If a new unauthorized device appears on our network, we should be able to know.
+
+There is much more to defensive security, and the list above only covers a few common topics.

areas/CyberSec/tryhackme.md

@@ -0,0 +1,2 @@
+[[tryhackme-intro-to-defensive-security]]
+[[tryhackme-careers-in-cyber]]