Portfolio Table of Contents
(Cade Gray)
Professional Statement (pg. 2 – 3)
Conducting a security audit (pg. 3 – 7)
Analyzing network structure and security (Incident Reports & Incident Report Analysis) (pg. 8 – 25)
Using Linux commands to manage file permissions (pg. 26 – 29)
Applying filters to SQL queries (pg. 30 – 36)
Identifying vulnerabilities for a small business (pg. 37 – 39)
Documenting incidents with an incident handler’s journal (pg. 40 – 43)
Importing and parsing a text file in a security-related scenario (Algorithm for file updates in Python) (pg. 44 – 47)
Splunk (pg. 48 – 49)
Changing Permissions in Linux (pg. 50)
SQL (pg. 51 – 54)
Windows Course End Project (pg. 55 – 63)
Page 2
Professional Statement
As a cybersecurity professional, I am driven by a passion for safeguarding organizations against evolving threats and ensuring the integrity of their systems. With a foundation built on rigorous training and hands-on experience, I bring a blend of technical expertise and strategic thinking to the table.
Strengths:
- Network Systems: Proficient in designing and maintaining secure network infrastructures to defend against intrusions and unauthorized access.
- Programming with Python: Skilled in leveraging Python for automation, data analysis, and developing custom security solutions.
- System Administration: Built skillsets in managing and securing diverse IT environments to uphold operational resilience and data integrity.
Values:
- Protecting Organizations: Committed to fortifying organizational defenses and mitigating cyber risks to safeguard sensitive data and assets.
- Ensuring Equitable Access: Dedicated to promoting inclusivity and accessibility in cybersecurity practices to empower all stakeholders in protecting their digital resources.
Interests in Cybersecurity:
- Continuous Learning: I am intrigued by the dynamic nature of cybersecurity, where new challenges emerge regularly, fostering a culture of continuous learning and adaptation.
- Innovative Solutions: I am fascinated by the opportunity to explore innovative technologies and strategies to stay ahead of cyber threats and anticipate future risks.
Through my strengths, values, and passion for cybersecurity, I am equipped to support organizations in achieving their security objectives. Whether implementing robust network defenses, conducting thorough risk assessments, or collaborating with cross-functional teams, I am committed to contributing to the success of organizations in their cybersecurity endeavors.
Page 3
(Conducting a Security Audit)
Botium Toys: Audit Scope, Objectives, and Risk Assessment
Audit Scope and Objectives
Scope: This audit encompasses the entire security framework within Botium Toys, covering assets such as employee devices, internal networks, and systems. The assessment will review existing assets and evaluate the controls and compliance practices in place.
Objectives: The goal is to evaluate current assets and complete a comprehensive checklist to identify areas for improvement in security controls and compliance practices.
Current Assets
Assets managed by the IT Department include:
- On-premises equipment for office use
- Employee devices: desktops/laptops, smartphones, etc.
- Storefront products for retail sale, both onsite and online
- Management systems for accounting, telecommunications, etc.
- Internet access and internal network
- Data storage and retention
- Maintenance of legacy systems
Risk Assessment
Risk Description:
There’s insufficient asset management and potential non-compliance with regulations.
Control Best Practices:
Botium Toys needs to focus on asset identification, classification, and assessing the impact of asset loss on business continuity.
Risk Score:
The risk is rated 8 out of 10 due to inadequate controls and compliance practices.
Additional Comments
- Employees have access to sensitive data without proper access controls.
- Encryption isn’t utilized for customer credit card data.
- Access controls and separation of duties aren’t implemented.
- Availability and integrity controls are in place.
- Firewall and antivirus are deployed, but no intrusion detection system is installed.
- Lack of disaster recovery plans and data backups.
- EU customer breach notification plan exists.
- Password policy doesn’t meet current standards.
- No centralized password management system.
- Legacy systems are monitored irregularly.
- Physical security measures at Botium Toys’ premises are sufficient.
Controls and compliance checklist
Does Botium Toys currently have this control in place?
Controls assessment checklist
| Control | Yes | No |
| Least privilege | | |
| Disaster recovery plans | | |
| Password policies (Policies are in place, but they do not meet minimum password requirements.) | | |
| Separation of duties | | |
| Firewall | | |
| Intrusion detection system (IDS) | | |
| Backups | | |
| Antivirus software | | |
| Manual monitoring, maintenance, and intervention for legacy systems (While legacy systems are monitored and maintained, there is no regular schedule in place for these tasks, and intervention methods are unclear.) | | |
| Encryption | | |
| Password management system | | |
| Locks (offices, storefront, warehouse) | | |
| Closed-circuit television (CCTV) surveillance | | |
| Fire detection/prevention (fire alarm, sprinkler system, etc.) | | |
Does Botium Toys currently adhere to this compliance best practice?
Compliance checklist
Payment Card Industry Data Security Standard (PCI DSS)
| Best practice | Yes | No |
| Only authorized users have access to customers’ credit card information. (Encryption is not currently used to ensure the confidentiality of customers’ credit card information that is accepted, processed, transmitted, and stored locally in the company’s internal database.) | | |
| Credit card information is stored, accepted, processed, and transmitted internally in a secure environment. | | |
| Implement data encryption procedures to better secure credit card transaction touchpoints and data. | | |
| Adopt secure password management policies. (There is no centralized password management system that enforces the password policy’s minimum requirements, which sometimes affects productivity when employees/vendors submit a ticket to the IT department to recover or reset a password.) | | |
General Data Protection Regulation (GDPR)
| Best practice | Yes | No |
| E.U. customers’ data is kept private/secured. (The IT department has established a plan to notify E.U. customers within 72 hours if there is a security breach. Additionally, privacy policies, procedures, and processes have been developed and are enforced among IT department members/other employees, to properly document and maintain data.) | | |
| There is a plan in place to notify E.U. customers within 72 hours if their data is compromised/there is a breach. | | |
| Ensure data is properly classified and inventoried. | | |
| Enforce privacy policies, procedures, and processes to properly document and maintain data. | | |
System and Organizations Controls (SOC type 1, SOC type 2)
| Best practice | Yes | No |
| User access policies are established. (Policies are established but do not follow least privilege.) | | |
| Sensitive data (PII/SPII) is confidential/private. | | |
| Data integrity ensures the data is consistent, complete, accurate, and has been validated. (The IT department has ensured availability and integrated controls to ensure data integrity.) | | |
| Data is available to individuals authorized to access it. (Policies are established but do not follow least privilege.) | | |
Security Audit Summary
- Implement Access Controls and Segregation of Duties: Establish and enforce access controls to ensure that employees only have access to the data and systems necessary for their roles. Additionally, implement segregation of duties to prevent any single individual from having complete control over critical processes, such as data access and financial transactions.
- Enhance Data Protection Measures: Encrypt sensitive data, especially customer credit card information stored in the internal database, to ensure confidentiality and compliance with data protection regulations. Implement encryption protocols to protect data during transmission and storage.
- Develop and Test Disaster Recovery Plans: Create comprehensive disaster recovery plans to ensure timely recovery of critical systems and data in the event of a disruptive incident. Regularly test these plans to identify weaknesses and ensure readiness to respond to emergencies effectively.
- Strengthen Password Management Practices: Enforce a robust password policy that aligns with current best practices, such as requiring minimum password complexity and regular password updates. Implement a centralized password management system to enforce policy compliance and streamline password-related tasks.
- Deploy Intrusion Detection Systems (IDS): Install intrusion detection systems to monitor network traffic and detect potential security threats or unauthorized access attempts. This will enhance the organization’s ability to identify and respond to security incidents in real-time.
- Establish Data Backup Procedures: Develop and implement regular data backup procedures to ensure the availability and integrity of critical data in the event of data loss or corruption. Store backups securely offsite to mitigate the risk of data loss due to physical damage or cyber-attacks.
- Address Legacy System Maintenance: Establish a regular schedule for monitoring and maintaining legacy systems to ensure they remain secure and functional. Define clear intervention methods, allocate resources to address vulnerabilities, and ensure ongoing support for these systems.
- Enhance Compliance Practices: Ensure compliance with relevant regulatory requirements, such as GDPR for EU customer data protection. Review and update privacy policies, procedures, and processes to maintain compliance with data privacy regulations and standards.
By implementing these recommendations, Botium Toys can enhance its security posture, reduce the risk of data breaches and compliance violations, and ensure the integrity and availability of its IT infrastructure and assets. These measures will contribute to building a resilient and secure environment for the organization’s operations and stakeholders.
Page 8
Incident Report 1:
Network Traffic Analysis
Part 1: Summary of the problem found in the DNS and ICMP traffic log

The UDP protocol reveals that the source IP 192.51.100.15 attempted to make a DNS query to the destination IP 203.0.113.2 using UDP, which is the standard protocol for DNS queries. The ICMP error message indicated “UDP port 53 unreachable.” This suggests that the DNS server at 203.0.113.2 is not available on the expected DNS port.

The port noted in the error message is UDP port 53, which is used for DNS (Domain Name System) services.

The most likely issue is that the DNS server at 203.0.113.2 is either down, not running the DNS service, or there is a network issue such as a firewall blocking UDP port 53. This results in the server being unreachable for DNS queries.

Part 2: Analysis of data and cause of the incident

When the problem was first reported: The problem was first reported at 13:24:36.192571, which is when the ICMP error message was logged.

Scenario, events, and symptoms identified when the event was first reported:
- Scenario: A DNS query was made from the source IP 192.51.100.15 to the destination IP 203.0.113.2 to resolve the domain name yummyrecipesforme.com.
- Events: The source IP sent a DNS query using UDP to the destination IP. After approximately 4 seconds, the source IP received an ICMP error message indicating that UDP port 53 on the destination IP was unreachable.
- Symptoms: Users or applications attempting to resolve yummyrecipesforme.com could not obtain an IP address, resulting in DNS resolution failures.

Current status of the issue: The issue persists, as the DNS server at 203.0.113.2 is not responding to DNS queries. The server is either down, not running the DNS service, or there is a network configuration issue such as a firewall blocking UDP port 53.

Information discovered while investigating the issue:
- Timestamp of incident: 13:24:36.192571
- Source IP: 192.51.100.15
- Destination IP: 203.0.113.2
- DNS query: The query was for the A record of yummyrecipesforme.com.
- Error message: ICMP message indicating “UDP port 53 unreachable.”
- Affected port: UDP port 53, used for DNS services.

Next steps in troubleshooting and resolving the issue:
- Check DNS server status: Verify whether the DNS server at 203.0.113.2 is up and running.
- Restart DNS service: If the server is running, check whether the DNS service is active and restart it if necessary.
- Firewall and network configuration: Inspect firewall settings and network configurations to ensure UDP port 53 is open and not being blocked.
- Server logs: Review the DNS server logs for any errors or issues that could explain the unavailability.
- DNS server maintenance: Check whether the DNS server was undergoing maintenance or whether any scheduled tasks might have taken the service offline.
- Alternative DNS servers: Configure an alternative DNS server to handle queries if the primary server remains unavailable.

Suspected root cause of the problem: The DNS server at 203.0.113.2 is either down, the DNS service is not running, or a network configuration issue such as a firewall is blocking UDP port 53. This prevents the server from responding to DNS queries, resulting in the ICMP error message “UDP port 53 unreachable.”

Summary for Part Two of the Cybersecurity Incident Report
- Incident summary: The incident involved a DNS query from 192.51.100.15 to 203.0.113.2 for the domain yummyrecipesforme.com. The query did not receive a valid DNS response, and an ICMP error message indicated that UDP port 53 on the DNS server was unreachable.
- Protocols involved: UDP, used for the DNS query; ICMP, used for the error message indicating the issue.
- Key findings: The DNS server at 203.0.113.2 is not responding to queries on UDP port 53. The ICMP error message suggests the port is unreachable due to a potential server issue, DNS service downtime, or network misconfiguration.
- Likely cause: The DNS server at 203.0.113.2 is either down, the DNS service is not running, or there is a network configuration issue such as a firewall blocking UDP port 53. This needs to be addressed to restore proper DNS resolution functionality.

By following the next steps outlined, the IT department can systematically troubleshoot and resolve the issue, ensuring the DNS service is restored and functioning correctly.
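The pairing of a DNS query with the ICMP reply that answers it is the core of the analysis above, and it is easy to automate. The Python script below is an added example, not part of the original incident report: it parses tcpdump-style log lines, matches each query to either a DNS answer or an ICMP “udp port 53 unreachable” message from the same server, and reports the delay. The log lines are constructed to mirror the incident (the query timestamp is an assumption chosen so the error arrives about 4 seconds later), and the second, working resolver 203.0.113.3 and the example.com lookup are likewise constructed; the regular expressions assume tcpdump’s default output format.

```python
"""Added example: correlate DNS queries with ICMP port-unreachable replies.

Not part of the original report. LOG_LINES are constructed in tcpdump's
default format to mirror the incident described above; the query time and
the second (working) resolver 203.0.113.3 are assumptions.
"""
import re
from datetime import datetime

LOG_LINES = """\
13:24:32.192571 IP 192.51.100.15.52444 > 203.0.113.2.domain: 35084+ A? yummyrecipesforme.com. (39)
13:24:36.192571 IP 203.0.113.2 > 192.51.100.15: ICMP 203.0.113.2 udp port 53 unreachable, length 254
13:24:40.000000 IP 192.51.100.15.52445 > 203.0.113.3.domain: 35085+ A? example.com. (29)
13:24:40.050000 IP 203.0.113.3.domain > 192.51.100.15.52445: 35085 1/0/0 A 198.51.100.40 (45)
""".splitlines()

TS = r"(?P<ts>\d\d:\d\d:\d\d\.\d+)"
# client.port > server.domain: <txid>+ <qtype>? <name>
QUERY_RE = re.compile(TS + r" IP (?P<client>[\d.]+)\.(?P<sport>\d+) > (?P<server>[\d.]+)\.domain: "
                      r"(?P<txid>\d+)\+ (?P<qtype>\w+)\? (?P<name>\S+)")
# server.domain > client.port: <txid> ...
ANSWER_RE = re.compile(TS + r" IP (?P<server>[\d.]+)\.domain > (?P<client>[\d.]+)\.(?P<sport>\d+): "
                       r"(?P<txid>\d+) ")
# server > client: ICMP <server> udp port <port> unreachable
UNREACH_RE = re.compile(TS + r" IP (?P<server>[\d.]+) > (?P<client>[\d.]+): ICMP [\d.]+ "
                        r"udp port (?P<port>\d+) unreachable")


def _t(ts):
    return datetime.strptime(ts, "%H:%M:%S.%f")


def analyze_dns_log(lines):
    """Return {'resolved': [names], 'failed': [findings]} by pairing queries with replies."""
    pending = {}  # (client, sport, server) -> query match, in arrival order
    resolved, failed = [], []
    for line in lines:
        if (m := QUERY_RE.match(line)):
            pending[(m["client"], m["sport"], m["server"])] = m
        elif (m := ANSWER_RE.match(line)):
            q = pending.pop((m["client"], m["sport"], m["server"]), None)
            if q is not None and q["txid"] == m["txid"]:
                resolved.append(q["name"].rstrip("."))
        elif (m := UNREACH_RE.match(line)):
            # The ICMP line names only server and client, so attribute it to the
            # oldest outstanding query from that client to that server.
            key = next((k for k in pending if k[0] == m["client"] and k[2] == m["server"]), None)
            if key is not None:
                q = pending.pop(key)
                failed.append({
                    "name": q["name"].rstrip("."),
                    "server": m["server"],
                    "reason": f"udp port {m['port']} unreachable",
                    "delay_s": (_t(m["ts"]) - _t(q["ts"])).total_seconds(),
                })
    # Anything still pending got no reply at all; a silent drop looks the same as a timeout.
    for q in pending.values():
        failed.append({"name": q["name"].rstrip("."), "server": q["server"],
                       "reason": "no response", "delay_s": None})
    return {"resolved": resolved, "failed": failed}


def main():
    report = analyze_dns_log(LOG_LINES)
    for f in report["failed"]:
        print(f"FAILED  {f['name']:<25} via {f['server']:<13} {f['reason']} (after {f['delay_s']}s)")
    for name in report["resolved"]:
        print(f"OK      {name}")


if __name__ == "__main__":
    main()
```

Run against a real capture, the “no response” branch is what distinguishes a silent firewall drop from the ICMP reject seen in this incident: a reject arrives within seconds and names the port, while a drop leaves the query pending until the resolver gives up.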
Incident Report (2)
Utilizing Wireshark to Analyze TCP/HTTP Traffic Between Employee Website Visitors and the Company’s Web Server
To diagnose and mitigate network issues, it’s crucial to analyze the traffic between employee website visitors and the company’s web server. Wireshark, a powerful network protocol analyzer, is an invaluable tool for this purpose. By capturing and examining TCP/HTTP logs, we can gain detailed insights into the network traffic and identify potential problems.
Here is the TCP/HTTP Traffic between employee website visitors and the company’s web server used in the exercise. (The attacker IP address is highlighted in red)
| Color as text | No. | Time | Source (x = redacted) | Destination (x = redacted) | Protocol | Info |
| red | 52 | 3.390692 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 53 | 3.441926 | 192.0.2.1 | 203.0.113.0 | TCP | 443->54770 [SYN, ACK] Seq=0 Win=5792 Len=120… |
| red | 54 | 3.493160 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [ACK] Seq=1 Win=5792 Len=0… |
| green | 55 | 3.544394 | 198.51.100.14 | 192.0.2.1 | TCP | 14785->443 [SYN] Seq=0 Win=5792 Len=120… |
| green | 56 | 3.599628 | 192.0.2.1 | 198.51.100.14 | TCP | 443->14785 [SYN, ACK] Seq=0 Win=5792 Len=120… |
| red | 57 | 3.664863 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| green | 58 | 3.730097 | 198.51.100.14 | 192.0.2.1 | TCP | 14785->443 [ACK] Seq=1 Win=5792 Len=120… |
| red | 59 | 3.795332 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=120… |
| green | 60 | 3.860567 | 198.51.100.14 | 192.0.2.1 | HTTP | GET /sales.html HTTP/1.1 |
| red | 61 | 3.939499 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=120… |
| green | 62 | 4.018431 | 192.0.2.1 | 198.51.100.14 | HTTP | HTTP/1.1 200 OK (text/html) |
| green | 63 | 4.097363 | 198.51.100.5 | 192.0.2.1 | TCP | 33638->443 [SYN] Seq=0 Win=5792 Len=120… |
| red | 64 | 4.176295 | 192.0.2.1 | 203.0.113.0 | TCP | 443->54770 [SYN, ACK] Seq=0 Win=5792 Len=120… |
| green | 65 | 4.255227 | 192.0.2.1 | 198.51.100.5 | TCP | 443->33638 [SYN, ACK] Seq=0 Win=5792 Len=120… |
| red | 66 | 4.256159 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| green | 67 | 5.235091 | 198.51.100.5 | 192.0.2.1 | TCP | 33638->443 [ACK] Seq=1 Win=5792 Len=120… |
| red | 68 | 5.236023 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| green | 69 | 5.236955 | 198.51.100.16 | 192.0.2.1 | TCP | 32641->443 [SYN] Seq=0 Win=5792 Len=120… |
| red | 70 | 5.237887 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| green | 71 | 6.228728 | 198.51.100.5 | 192.0.2.1 | HTTP | GET /sales.html HTTP/1.1 |
| red | 72 | 6.229638 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| yellow | 73 | 6.230548 | 192.0.2.1 | 198.51.100.16 | TCP | 443->32641 [RST, ACK] Seq=0 Win=5792 Len=120… |
| red | 74 | 6.330539 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| green | 75 | 6.330885 | 198.51.100.7 | 192.0.2.1 | TCP | 42584->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 76 | 6.331231 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| yellow | 77 | 7.330577 | 192.0.2.1 | 198.51.100.5 | TCP | HTTP/1.1 504 Gateway Time-out (text/html) |
| red | 78 | 7.331323 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| green | 79 | 7.340768 | 198.51.100.22 | 192.0.2.1 | TCP | 6345->443 [SYN] Seq=0 Win=5792 Len=0… |
| yellow | 80 | 7.340773 | 192.0.2.1 | 198.51.100.7 | TCP | 443->42584 [RST, ACK] Seq=1 Win=5792 Len=120… |
| red | 81 | 7.340778 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 82 | 7.340783 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 83 | 7.439658 | 192.0.2.1 | 203.0.113.0 | TCP | 443->54770 [RST, ACK] Seq=1 Win=5792 Len=0… |
| red | 119 | 19.198705 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 120 | 19.521718 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| yellow | 121 | 19.844731 | 192.0.2.1 | 198.51.100.9 | TCP | 443->4631 [RST, ACK] Seq=1 Win=5792 Len=0… |
| red | 122 | 20.167744 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 123 | 20.490757 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 124 | 20.81377 | 192.0.2.1 | 203.0.113.0 | TCP | 443->54770 [RST, ACK] Seq=1 Win=5792 Len=0… |
| red | 125 | 21.136783 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 126 | 21.459796 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 127 | 21.782809 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 128 | 22.105822 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 129 | 22.428835 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 130 | 22.751848 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 131 | 23.074861 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 132 | 23.397874 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 133 | 23.720887 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 134 | 24.0439 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 135 | 24.366913 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 136 | 24.689926 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 137 | 25.012939 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 138 | 25.335952 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 139 | 25.658965 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 140 | 25.981978 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 141 | 26.304991 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 142 | 26.628004 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 143 | 26.951017 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 144 | 27.27403 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 145 | 27.597043 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 146 | 27.920056 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 147 | 28.243069 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 148 | 28.566082 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 149 | 28.889095 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 150 | 29.212108 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 151 | 29.535121 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
| red | 152 | 29.858134 | 203.0.113.0 | 192.0.2.1 | TCP | 54770->443 [SYN] Seq=0 Win=5792 Len=0… |
Identify the type of attack that may have caused this network interruption

The logs show that the server is being flooded with SYN packets, which is characteristic of a SYN flood attack. This type of attack overwhelms the server by simulating TCP connection requests, consuming its resources and causing legitimate connection attempts to time out.

This event could be a network-level denial of service (DoS) attack, which aims to exhaust the server’s resources and bandwidth. If the attack originates from a single source, it is a direct DoS attack. However, if it comes from multiple sources, it would be classified as a distributed denial of service (DDoS) attack, making it more challenging to mitigate.

SYN Flood Attack

Overwhelming SYN requests:
- Malicious activity: The attacker sends a large number of SYN packets to the server. These packets are requests to initiate a TCP connection.
- Half-open connections: Each SYN packet prompts the server to allocate resources to handle a new connection and send back a SYN-ACK response. The server then waits for the final ACK from the client to complete the handshake.

Resource exhaustion:
- No final ACK: In a SYN flood attack, the malicious actor doesn’t send back the final ACK. The server is left waiting with numerous half-open connections.
- Resource consumption: The server’s resources, such as memory and connection slots, are quickly consumed by these half-open connections, reducing its capacity to handle legitimate traffic.

Impact on Website Performance

Slow loading times:
- Resource strain: With most of its resources tied up by the half-open connections, the server struggles to process new, legitimate requests efficiently.
- Delayed response: The server’s response time increases significantly, causing the website to load slowly.

Connection timeout errors:
- Maxed-out connections: The server has a finite number of simultaneous connections it can handle. When these are all occupied by the half-open connections from the SYN flood, it can’t accept new connections.
- Timeouts: Legitimate users attempting to connect to the server experience timeouts because the server is too busy to respond in a timely manner.

Logs Indication and Server Effects

Log analysis:
- High SYN packet count: The server logs show an unusually high number of incoming SYN packets without corresponding ACK packets.
- Pattern recognition: This pattern is characteristic of a SYN flood attack, indicating the server is under a DoS attack.

Server effects:
- Degraded performance: The continuous flood of SYN packets overwhelms the server, slowing down its performance.
- Service unavailability: In severe cases, the server might become completely unresponsive, leading to widespread connection timeout errors for legitimate users.

Conclusion

The combination of high SYN packet traffic, resource exhaustion, and the server’s inability to handle legitimate connections leads to slow website loading times and connection timeout errors. These symptoms strongly suggest a SYN flood attack, which is a type of denial of service (DoS) attack.

How does the attack cause the website to malfunction?

When website visitors try to establish a connection with the web server, a three-way handshake occurs using the TCP protocol. The three steps of the handshake are:
- SYN (Synchronize): The client sends a SYN packet to the server to initiate the connection. This packet includes an initial sequence number that the client will use for communication.
- SYN-ACK (Synchronize-Acknowledge): The server responds with a SYN-ACK packet. This packet acknowledges the client’s SYN request and includes the server’s own initial sequence number.
- ACK (Acknowledge): The client sends an ACK packet back to the server, acknowledging the server’s SYN-ACK. This completes the handshake, and a reliable connection is established, allowing data to be transferred.

Explain what the logs indicate and how that affects the server: The logs likely show an abnormally high number of incoming SYN packets without corresponding ACK packets. This pattern is indicative of a SYN flood attack. As a result, the server becomes overwhelmed with half-open connections, using up its available connection slots and memory. This can lead to connection timeout errors for legitimate users trying to access the website, as the server is unable to process their requests in a timely manner. The continuous flood of SYN packets effectively disrupts normal traffic, making the website slow or completely inaccessible.

How the Attack Affected the Organization’s Network

A SYN flood attack significantly impacts an organization’s network by disrupting normal traffic and overwhelming server resources. Here’s how it affects the network:

Network congestion:
- High traffic volume: The attack generates a massive amount of SYN packets, consuming available bandwidth and causing network congestion.
- Delayed communications: Legitimate network traffic is delayed as the network infrastructure prioritizes processing the flood of SYN packets.

Resource depletion:
- Server overload: The server allocates resources for each SYN packet, leading to rapid exhaustion of its capacity to handle new connections.
- Service degradation: With server resources tied up, the overall performance of the network deteriorates, affecting all services hosted on the server.
- Data loss: Ongoing processes and transactions may be interrupted, leading to data loss or corruption.

Conclusion

A SYN flood attack causes significant disruption to an organization’s network, leading to slow website performance, connection errors, and potential downtime. The consequences include financial losses, reputational damage, operational disruptions, and heightened security risks. Addressing such an attack promptly and effectively is crucial to minimize its negative impact on the organization.
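The “many SYNs, few completed handshakes” pattern that both answers above rely on can be measured directly from the capture rather than judged by eye. The Python script below is an added example, not part of the original report: it transcribes frames 52 through 83 of the table above (the later frames only repeat the attacker’s SYNs), walks each client’s handshake through SYN, SYN-ACK and ACK from the server’s point of view, and then flags any client whose SYN count is high but whose completed-handshake count is low. It also lists the legitimate clients whose attempts the server reset while under load, which is the visible collateral damage. The SYN threshold and the 3:1 ratio in flood_sources() are assumptions chosen for illustration.

```python
"""Added example: SYN-flood indicator computed from the capture table above.

Not part of the original report. PACKETS transcribes frames 52-83 of the
table; the threshold and ratio in flood_sources() are assumptions.
"""
import re
from collections import defaultdict

SERVER = "192.0.2.1"  # the company web server in the capture

# (frame, time, src, dst, info) from the table above, Win/Len fields omitted
PACKETS = [
    (52, 3.390692, "203.0.113.0",   "192.0.2.1",     "54770->443 [SYN] Seq=0"),
    (53, 3.441926, "192.0.2.1",     "203.0.113.0",   "443->54770 [SYN, ACK] Seq=0"),
    (54, 3.493160, "203.0.113.0",   "192.0.2.1",     "54770->443 [ACK] Seq=1"),
    (55, 3.544394, "198.51.100.14", "192.0.2.1",     "14785->443 [SYN] Seq=0"),
    (56, 3.599628, "192.0.2.1",     "198.51.100.14", "443->14785 [SYN, ACK] Seq=0"),
    (57, 3.664863, "203.0.113.0",   "192.0.2.1",     "54770->443 [SYN] Seq=0"),
    (58, 3.730097, "198.51.100.14", "192.0.2.1",     "14785->443 [ACK] Seq=1"),
    (59, 3.795332, "203.0.113.0",   "192.0.2.1",     "54770->443 [SYN] Seq=0"),
    (60, 3.860567, "198.51.100.14", "192.0.2.1",     "GET /sales.html HTTP/1.1"),
    (61, 3.939499, "203.0.113.0",   "192.0.2.1",     "54770->443 [SYN] Seq=0"),
    (62, 4.018431, "192.0.2.1",     "198.51.100.14", "HTTP/1.1 200 OK (text/html)"),
    (63, 4.097363, "198.51.100.5",  "192.0.2.1",     "33638->443 [SYN] Seq=0"),
    (64, 4.176295, "192.0.2.1",     "203.0.113.0",   "443->54770 [SYN, ACK] Seq=0"),
    (65, 4.255227, "192.0.2.1",     "198.51.100.5",  "443->33638 [SYN, ACK] Seq=0"),
    (66, 4.256159, "203.0.113.0",   "192.0.2.1",     "54770->443 [SYN] Seq=0"),
    (67, 5.235091, "198.51.100.5",  "192.0.2.1",     "33638->443 [ACK] Seq=1"),
    (68, 5.236023, "203.0.113.0",   "192.0.2.1",     "54770->443 [SYN] Seq=0"),
    (69, 5.236955, "198.51.100.16", "192.0.2.1",     "32641->443 [SYN] Seq=0"),
    (70, 5.237887, "203.0.113.0",   "192.0.2.1",     "54770->443 [SYN] Seq=0"),
    (71, 6.228728, "198.51.100.5",  "192.0.2.1",     "GET /sales.html HTTP/1.1"),
    (72, 6.229638, "203.0.113.0",   "192.0.2.1",     "54770->443 [SYN] Seq=0"),
    (73, 6.230548, "192.0.2.1",     "198.51.100.16", "443->32641 [RST, ACK] Seq=0"),
    (74, 6.330539, "203.0.113.0",   "192.0.2.1",     "54770->443 [SYN] Seq=0"),
    (75, 6.330885, "198.51.100.7",  "192.0.2.1",     "42584->443 [SYN] Seq=0"),
    (76, 6.331231, "203.0.113.0",   "192.0.2.1",     "54770->443 [SYN] Seq=0"),
    (77, 7.330577, "192.0.2.1",     "198.51.100.5",  "HTTP/1.1 504 Gateway Time-out"),
    (78, 7.331323, "203.0.113.0",   "192.0.2.1",     "54770->443 [SYN] Seq=0"),
    (79, 7.340768, "198.51.100.22", "192.0.2.1",     "6345->443 [SYN] Seq=0"),
    (80, 7.340773, "192.0.2.1",     "198.51.100.7",  "443->42584 [RST, ACK] Seq=1"),
    (81, 7.340778, "203.0.113.0",   "192.0.2.1",     "54770->443 [SYN] Seq=0"),
    (82, 7.340783, "203.0.113.0",   "192.0.2.1",     "54770->443 [SYN] Seq=0"),
    (83, 7.439658, "192.0.2.1",     "203.0.113.0",   "443->54770 [RST, ACK] Seq=1"),
]

FLAGS_RE = re.compile(r"^(\d+)->(\d+) \[([A-Z, ]+)\]")


def handshake_stats(packets, server=SERVER):
    """Track every client's handshakes as the server experiences them."""
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "reset_by_server": 0})
    state = {}  # (client, client_port) -> handshake state
    for _frame, _time, src, dst, info in packets:
        m = FLAGS_RE.match(info)
        if not m:
            continue  # HTTP request/response rows carry no handshake flags
        sport, dport = m.group(1), m.group(2)
        flags = {f.strip() for f in m.group(3).split(",")}
        if dst == server:                      # client -> server
            key = (src, sport)
            if "SYN" in flags:
                stats[src]["syn"] += 1         # each SYN costs the server a half-open slot
                state[key] = "SYN_SENT"
            elif "ACK" in flags and state.get(key) == "SYN_RECEIVED":
                stats[src]["completed"] += 1   # third step: handshake done
                state[key] = "ESTABLISHED"
        elif src == server:                    # server -> client
            key = (dst, dport)
            if {"SYN", "ACK"} <= flags:
                state[key] = "SYN_RECEIVED"    # server answered, waiting for the ACK
            elif "RST" in flags:
                stats[dst]["reset_by_server"] += 1
                state[key] = "RESET"
    return dict(stats)


def flood_sources(stats, syn_threshold=5):
    """Clients that send many SYNs but complete few handshakes (assumed thresholds)."""
    return sorted(ip for ip, s in stats.items()
                  if s["syn"] >= syn_threshold and s["completed"] * 3 < s["syn"])


def collateral_resets(stats, flooders):
    """Clients outside the flood whose connection attempts the server reset."""
    return sorted(ip for ip, s in stats.items()
                  if ip not in flooders and s["reset_by_server"] > 0)


def main():
    stats = handshake_stats(PACKETS)
    flooders = flood_sources(stats)
    for ip in sorted(stats):
        s = stats[ip]
        tag = "FLOOD" if ip in flooders else "     "
        print(f"{tag} {ip:<14} syn={s['syn']:>2} completed={s['completed']} reset={s['reset_by_server']}")
    print("collateral resets:", collateral_resets(stats, flooders))


if __name__ == "__main__":
    main()
```

On this slice the attacker sends 13 SYNs from the same source port and completes one handshake, while every staff client sends exactly one SYN; the two RST, ACK rows to 198.51.100.16 and 198.51.100.7 show the server turning away real visitors, which is the symptom the helpdesk reported.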
Incident report analysis
You are a cybersecurity analyst working for a multimedia company that offers web design services, graphic design, and social media marketing solutions to small businesses. Your organization recently experienced a DDoS attack, which compromised the internal network for two hours until it was resolved.
During the attack, your organization’s network services suddenly stopped responding due to an incoming flood of ICMP packets. Normal internal network traffic could not access any network resources. The incident management team responded by blocking incoming ICMP packets, taking all non-critical network services offline, and restoring critical network services.
The company’s cybersecurity team then investigated the security event. They found that a malicious actor had sent a flood of ICMP pings into the company’s network through an unconfigured firewall. This vulnerability allowed the malicious attacker to overwhelm the company’s network through a distributed denial of service (DDoS) attack.
As a cybersecurity analyst, you are tasked with using this security event to create a plan to improve your company’s network security, following the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
| Summary | |||
| Identify | Conduct Regular Audits:Perform regular security audits of internal networks, systems, devices, and access privileges.Identify and document potential gaps in security, such as unconfigured firewalls and other network vulnerabilities.Use vulnerability scanning tools to detect potential weaknesses in the infrastructure.Risk Assessment:Carry out risk assessments to understand the potential impact and likelihood of different types of cyber threats, including DDoS attacks.Maintain an inventory of all assets and categorize them based on their criticality and sensitivity. | ||
| Protect | Firewall configuration: implement and regularly update firewall rules to rate-limit incoming ICMP packets (rate limiting at the firewall helps only while the flood is not already saturating the upstream link); apply anti-spoofing (ingress) filtering so that packets arriving on an external interface with an internal or otherwise impossible source address are dropped, since a firewall cannot otherwise verify a claimed source IP. |
| | Access control: review and update access control policies so that only authorized personnel can reach critical network components; apply the principle of least privilege to every user account and service. |
| | Training and awareness: run regular employee training on security best practices and DDoS prevention; develop and distribute material on recognizing and reporting suspicious activity. |
| | Security policies and procedures: develop and enforce comprehensive security policies and procedures, and review them regularly in response to new threats and vulnerabilities. |
| Detect | Network monitoring: deploy monitoring that continuously watches traffic for abnormal patterns indicative of DDoS or other malicious activity, with real-time alerts to the security team. |
| | Intrusion detection and prevention (IDS/IPS): deploy IDS/IPS to identify and filter suspicious ICMP traffic and other threats; keep signatures and rules current. |
| | Log analysis: regularly review logs from firewalls, IDS/IPS and other security tools; aggregate and correlate them in a log management solution so that investigation and response are faster. |
| Respond | Incident response plan: maintain a plan that defines how to contain, neutralize and analyze incidents; run drills and simulations so the response team is prepared for real incidents. |
| | Containment and mitigation: during an attack, apply firewall rules to block the malicious traffic immediately; take non-critical services offline if that is what it takes to keep critical services available. |
| | Analysis and improvement: perform a post-incident analysis to understand the attack vector and any weakness in the current posture; document lessons learned and update policies, procedures and tooling to prevent a recurrence. |
| Recover | System restoration: have a plan for returning affected systems to normal operation; back up data regularly and store backups securely so recovery is quick. |
| | Data recovery: restore data from backups and verify its integrity; make sure affected systems are cleaned and free of malicious code before they return to service. |
Reflections/Notes: Review and update the recovery plan regularly to ensure it remains effective and aligned with current security practice. Conduct post-recovery reviews to identify areas for improvement and fold the findings into the overall security strategy. By following these steps, aligned with the NIST Cybersecurity Framework, the organization can significantly enhance its security posture, better protect against DDoS attacks, and respond quickly and effectively to future incidents.
Page 26
File permissions in Linux
Project description
As a security professional working with the research team at a large organization, your role is to ensure that file and directory permissions are correctly set to maintain system security. This involves verifying that users have the appropriate permissions and adjusting these permissions as necessary. This project involves examining and updating file system permissions to ensure they match the intended authorization policies.
Check file and directory details
I ran the ‘ls -la’ command to list all contents of the projects directory, including hidden files, and display a detailed listing of each file. The output revealed one directory named ‘drafts,’ one hidden file named ‘.project_x.txt,’ and five other project files. Each line started with a 10-character string representing the permissions set on each file or directory.
Describe the permissions string
(drwxr-x---)
10-Character Permissions String Explanation
The 10-character permissions string represents the type of file and the permissions granted to the user (owner), group, and others. Here’s a breakdown of what each character represents:
- File Type:
- d (directory) – The first character indicates the type of file. In this case, d signifies that it is a directory.
- User (Owner) Permissions:
- r (read) – The second character indicates that the user has read permission.
- w (write) – The third character indicates that the user has write permission.
- x (execute) – The fourth character indicates that the user has execute permission.
- Group Permissions:
- r (read) – The fifth character indicates that the group has read permission.
- - (no write) – The sixth character indicates that the group does not have write permission.
- x (execute) – The seventh character indicates that the group has execute permission.
- Others Permissions:
- - (no read) – The eighth character indicates that others have no read permission.
- - (no write) – The ninth character indicates that others do not have write permission.
- - (no execute) – The tenth character indicates that others do not have execute permission.
Change file permissions
“I ensured compliance with the organization’s policy by restricting write access for ‘other’ users to any files. Referring to the previously retrieved file permissions, I identified ‘project_k.txt’ as requiring this change. The provided commands depict my use of Linux commands to accomplish this. The ‘chmod’ command was utilized to alter permissions, where the first argument signifies the permissions to be adjusted and the second specifies the file or directory. By removing write permissions for ‘other’ on ‘project_k.txt’, I enforced the organization’s policy. Subsequently, I utilized ‘ls -la’ to confirm the applied updates.”
Change file permissions on a hidden file
To change the permissions of a hidden file I used chmod and checked my progress with ls -la. The -l option enables the long listing format, which shows permissions, ownership, size and modification date for each entry. The -a option includes all entries, including hidden ones, in the listing. Hidden files and directories are those whose names begin with a dot (.).
Change directory permissions
“In response to the organization’s directive, I adjusted permissions to restrict access to the ‘drafts’ directory solely to the ‘researcher2’ user, ensuring that only they have execute permissions. The provided output details permissions for various files and directories, highlighting the presence of restricted access for the ‘drafts’ directory. By utilizing the chmod command, I removed execute permissions for the group, aligning with the organization’s requirements. As ‘researcher2’ already possessed execute permissions, no further modifications were necessary.”
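The checks described in the last three sections can be made repeatable. The following is an added example, not the project's own commands: it parses raw `ls -la` output, decodes each 10-character permission string, converts it to the numeric mode chmod accepts, and reports every entry that breaks the two rules from the write-up (no write for "other" on any file; no group execute on the "drafts" directory) together with the chmod fix. The listing is constructed to resemble the lab directory; only project_k.txt, .project_x.txt and drafts are named on the page, the other file names are invented.

```python
"""Audit an `ls -la` listing against the research team's permission policy.

Added example, not the project's own commands. The listing below is
constructed (only project_k.txt, .project_x.txt and drafts appear in the
write-up; the other names are made up). The two rules checked are the ones
the write-up describes: no write access for 'other' on any file, and no
group execute on the 'drafts' directory.
"""
import re

# Type char, nine permission chars, optional ACL/SELinux/xattr marker.
PERM_RE = re.compile(r"^[-dlcbps][rwxsStT-]{9}[.+@]?$")

SAMPLE_LISTING = """\
total 32
drwxr-xr-x 3 researcher2 research_team 4096 Oct 14 18:36 .
drwxr-xr-x 3 researcher2 research_team 4096 Oct 14 18:36 ..
-rw--w---- 1 researcher2 research_team   46 Oct 14 18:36 .project_x.txt
drwx--x--- 2 researcher2 research_team 4096 Oct 14 18:36 drafts
-rw-rw-rw- 1 researcher2 research_team   46 Oct 14 18:36 project_k.txt
-rw-r----- 1 researcher2 research_team   46 Oct 14 18:36 project_m.txt
-rw-rw-r-- 1 researcher2 research_team   46 Oct 14 18:36 project_r.txt
-rw-r----- 1 researcher2 research_team   46 Oct 14 18:36 project_t.txt
"""


def split_permissions(perm: str) -> dict:
    """Decode a 10-character permission string into its four fields.

    'drwxr-x---' -> {'type': 'd', 'user': 'rwx', 'group': 'r-x', 'other': '---'}
    """
    if not PERM_RE.match(perm):
        raise ValueError(f"not a permission string: {perm!r}")
    return {"type": perm[0], "user": perm[1:4],
            "group": perm[4:7], "other": perm[7:10]}


def to_octal(perm: str) -> int:
    """Convert the symbolic string to the numeric mode chmod accepts.

    Lower-case s/t in the execute column mean execute is set together with
    setuid/setgid/sticky; upper-case S/T mean only the special bit is set.
    """
    fields = split_permissions(perm)
    mode = 0
    for shift, triplet in ((6, fields["user"]), (3, fields["group"]), (0, fields["other"])):
        bits = (4 if triplet[0] == "r" else 0) | (2 if triplet[1] == "w" else 0)
        if triplet[2] in "xst":
            bits |= 1
        mode |= bits << shift
    if fields["user"][2] in "sS":
        mode |= 0o4000
    if fields["group"][2] in "sS":
        mode |= 0o2000
    if fields["other"][2] in "tT":
        mode |= 0o1000
    return mode


def parse_listing(listing: str) -> dict:
    """Map entry name -> permission string from raw `ls -la` output."""
    entries = {}
    for line in listing.splitlines():
        parts = line.split(None, 8)   # the name is the 9th field and may contain spaces
        if len(parts) < 9 or not PERM_RE.match(parts[0]):
            continue                  # skips the 'total N' line
        if parts[8] not in (".", ".."):
            entries[parts[8]] = parts[0]
    return entries


def audit(listing: str) -> list:
    """Return (name, finding, chmod fix) for every entry that violates the policy."""
    findings = []
    for name, perm in parse_listing(listing).items():
        f = split_permissions(perm)
        if "w" in f["other"]:
            findings.append((name, "'other' can write", f"chmod o-w {name}"))
        if name == "drafts" and f["type"] == "d" and "x" in f["group"]:
            findings.append((name, "group can enter drafts", f"chmod g-x {name}"))
    return findings


if __name__ == "__main__":
    modes = parse_listing(SAMPLE_LISTING)
    for name, finding, fix in audit(SAMPLE_LISTING):
        print(f"{name:16s} {to_octal(modes[name]):04o}  {finding:24s} -> {fix}")
```

Run against the sample it flags project_k.txt (mode 0666, "other" can write) and drafts (mode 0710, the group can still enter), which are exactly the two changes the write-up made. Feeding it the output of a second ls -la after running the suggested chmod commands should return an empty list; that is the verification step.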
Summary
In the previous tasks, I managed file and directory permissions on a Linux system to align with specific security requirements. Using the chmod command, I adjusted permissions to ensure appropriate access for users and groups while restricting unauthorized access. These tasks simulated scenarios where maintaining secure access to sensitive files and directories, such as those within the research team’s project directory, is crucial for organizational security. By setting permissions accordingly, I helped ensure that only authorized users can access the designated resources, safeguarding sensitive information and maintaining data integrity.
Page 30
Apply filters to SQL queries
(Simulated scenario: the IP addresses belong to private ranges and the event IDs are low.)
Project description
As a security professional at a large organization, my responsibility involves investigating security issues to ensure the system’s safety. Recently, I came across potential security concerns related to login attempts and employee machines. To address these issues, I need to thoroughly examine the organization’s data stored in the employees and log_in_attempts tables. Overall, SQL has enabled me to effectively manage and analyze data, investigate security issues, and take proactive steps to enhance the security posture of the organization. It has provided me with the tools necessary to access, filter, and analyze large datasets, enabling us to make informed decisions and mitigate potential security risks effectively.
Retrieve after-hours failed login attempts
There was a potential security incident that occurred after business hours, specifically after 18:00. To investigate, I needed to identify all failed login attempts made during these after-hours. Below is the SQL query I crafted to filter for failed login attempts that occurred after 18:00.
This query selects all columns from the log_in_attempts table where the login_time is after 18:00 and the success column indicates a failed login attempt.
- SELECT *: Specifies that we want to retrieve all columns from the log_in_attempts table.
- FROM log_in_attempts: Specifies the table from which we are retrieving the data.
- WHERE login_time > '18:00': Filters the records to include only those where the login_time is greater than 18:00 (6:00 PM).
- AND success = 0: Further filters the records to include only failed login attempts, where the success column has a value of 0.
This query effectively identifies failed login attempts that occurred after business hours, helping us investigate potential security incidents.
Retrieve login attempts on specific dates
A suspicious event occurred on 2022-05-09, prompting the need to investigate any login activity that occurred on that date or the day before. To address this, I crafted a SQL query to filter for login attempts on both 2022-05-09 and the preceding day.
This query selects all columns from the log_in_attempts table where the login_date matches either '2022-05-09' or '2022-05-08'.
- SELECT *: Specifies that we want to retrieve all columns from the log_in_attempts table.
- FROM log_in_attempts: Specifies the table from which we are retrieving the data.
- WHERE login_date IN ('2022-05-09', '2022-05-08'): Filters the records to include only those where the login_date matches either '2022-05-09' or '2022-05-08'.
This query effectively identifies login attempts that occurred on the specified dates, allowing us to investigate the suspicious event in detail.
Retrieve login attempts outside of Mexico
After investigating the organization’s data on login attempts, I discovered a potential issue with login attempts originating outside of Mexico. These login attempts warrant further investigation.
This query selects all columns from the log_in_attempts table where the country does not start with 'MEX' (indicating Mexico).
- SELECT *: Specifies that we want to retrieve all columns from the log_in_attempts table.
- FROM log_in_attempts: Specifies the table from which we are retrieving the data.
- WHERE country NOT LIKE 'MEX%': Filters the records to include only those where the country does not start with 'MEX'. The % wildcard matches any sequence of characters following 'MEX', ensuring that both 'MEX' and 'MEXICO' are excluded.
This query effectively identifies login attempts that originated outside of Mexico, helping us investigate suspicious activity further.
Retrieve employees in Marketing
My team aims to update computers for specific employees in the Marketing department. To facilitate this task, I’m responsible for retrieving information about the employee machines that require updates.
This query selects all columns from the employees table where the department is 'Marketing' and the office starts with 'East-' (indicating offices in the East building).
- SELECT *: Specifies that we want to retrieve all columns from the employees table.
- FROM employees: Specifies the table from which we are retrieving the data.
- WHERE department = 'Marketing': Filters the records to include only those where the department is 'Marketing'.
- AND office LIKE 'East-%': Further filters the records to include only those where the office starts with 'East-', representing offices in the East building.
This query effectively identifies employees in the Marketing department for all offices in the East building, providing the necessary information for security updates on their machines.
Retrieve employees in Finance or Sales
The machines for employees in the Finance and Sales departments also require updates. To facilitate this process, I’m tasked with gathering information specifically for employees within these two departments.
This query selects all columns from the employees table where the department is either 'Sales' or 'Finance'.
- SELECT *: Specifies that we want to retrieve all columns from the employees table.
- FROM employees: Specifies the table from which we are retrieving the data.
- WHERE department = 'Sales' OR department = 'Finance': Filters the records to include only those where the department is either 'Sales' or 'Finance'.
This query effectively identifies employees in the Sales or Finance departments, providing the necessary information for security updates on their machines.
Retrieve all employees not in IT
My team needs to implement one final security update on employees who are not part of the Information Technology department. To proceed with this update, I’m responsible for gathering information on these employees.
This query selects all columns from the employees table where the department is not 'Information Technology'. It effectively identifies all employees not in the IT department, providing the necessary information for the machine update.
- SELECT *: Specifies that we want to retrieve all columns from the employees table.
- FROM employees: Specifies the table from which we are retrieving the data.
- WHERE NOT (department = 'Information Technology'): Filters the records to include only those where the department is not 'Information Technology'. The NOT operator negates the condition department = 'Information Technology', effectively selecting employees who are not in the IT department.
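The six queries above, run end to end as an added example against an in-memory SQLite copy of the two tables. This is not the project's own data or screenshots: the column names follow the write-up, every row is constructed, and one extra attempt with an unknown (NULL) country is included to show a pitfall the write-up does not cover. Literal values are bound with ? placeholders rather than pasted into the SQL text, which is the habit that keeps analyst tooling free of SQL injection once values start arriving from ticket fields or user input.

```python
"""Run the investigation queries against a small SQLite copy of the tables.

Added example, not the original project's code. Table layouts follow the
columns the write-up mentions; all rows are constructed.
"""
import sqlite3

# Constructed rows. Real data had many more records.
LOG_IN_ATTEMPTS = [
    # event_id, username, login_date, login_time, country, ip_address, success
    (1, "jrafael", "2022-05-08", "17:59:00", "MEX", "192.168.243.140", 1),
    (2, "apatel", "2022-05-09", "18:00:00", "MEXICO", "192.168.132.12", 0),
    (3, "dkot", "2022-05-09", "20:32:00", "CAN", "192.168.151.99", 0),
    (4, "lrodriqu", "2022-05-10", "09:21:00", "USA", "192.168.143.22", 0),
    (5, "eraab", "2022-05-10", "19:05:00", "MEX", "192.168.243.140", 1),
    (6, "jlansky", "2022-05-11", "21:10:00", None, "192.168.244.60", 0),  # country unknown
]
EMPLOYEES = [
    # employee_id, device_id, username, department, office
    (1000, "a320b137c219", "elarson", "Marketing", "East-170"),
    (1001, "b239c203d229", "bmoreno", "Marketing", "Central-276"),
    (1002, "c302d211e228", "tshah", "Human Resources", "North-434"),
    (1003, "d323e231f331", "sgilmore", "Finance", "South-153"),
    (1004, "e211f232g328", "eraab", "Information Technology", "South-127"),
    (1005, "f248g255h216", "jdarosa", "Sales", "East-236"),
]

# Query text with its bound parameters. Values go through ? placeholders.
QUERIES = {
    # Compare against a full HH:MM:SS value: as a string comparison
    # '18:00:00' > '18:00' is true, so the short form would wrongly include
    # an attempt made exactly at 18:00:00.
    "after_hours_failed": (
        "SELECT event_id FROM log_in_attempts WHERE login_time > ? AND success = 0",
        ("18:00:00",),
    ),
    "specific_dates": (
        "SELECT event_id FROM log_in_attempts WHERE login_date IN (?, ?)",
        ("2022-05-09", "2022-05-08"),
    ),
    # NOT LIKE evaluates to NULL when country is NULL, so that row is
    # silently dropped here ...
    "outside_mexico": (
        "SELECT event_id FROM log_in_attempts WHERE country NOT LIKE ?",
        ("MEX%",),
    ),
    # ... and must be asked for explicitly if "not known to be Mexico" is
    # what the investigation actually means.
    "outside_mexico_or_unknown": (
        "SELECT event_id FROM log_in_attempts WHERE country IS NULL OR country NOT LIKE ?",
        ("MEX%",),
    ),
    "marketing_east": (
        "SELECT employee_id FROM employees WHERE department = ? AND office LIKE ?",
        ("Marketing", "East-%"),
    ),
    "finance_or_sales": (
        "SELECT employee_id FROM employees WHERE department = ? OR department = ?",
        ("Sales", "Finance"),
    ),
    "not_it": (
        "SELECT employee_id FROM employees WHERE NOT (department = ?)",
        ("Information Technology",),
    ),
}


def build_database() -> sqlite3.Connection:
    """Create both tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE log_in_attempts (
            event_id INTEGER PRIMARY KEY, username TEXT, login_date TEXT,
            login_time TEXT, country TEXT, ip_address TEXT, success INTEGER);
        CREATE TABLE employees (
            employee_id INTEGER PRIMARY KEY, device_id TEXT, username TEXT,
            department TEXT, office TEXT);
    """)
    conn.executemany("INSERT INTO log_in_attempts VALUES (?,?,?,?,?,?,?)", LOG_IN_ATTEMPTS)
    conn.executemany("INSERT INTO employees VALUES (?,?,?,?,?)", EMPLOYEES)
    return conn


def run_investigation(conn=None) -> dict:
    """Return {query name: sorted list of matching ids} for every query."""
    conn = conn or build_database()
    return {name: sorted(row[0] for row in conn.execute(sql, params))
            for name, (sql, params) in QUERIES.items()}


if __name__ == "__main__":
    for name, ids in run_investigation().items():
        print(f"{name:26s} -> {ids}")
```

Two results are worth comparing: event 2, a failed attempt at exactly 18:00:00, is excluded by the after-hours query because the comparison uses the full time value, and event 6 appears in the after-hours result but not in outside_mexico, because NOT LIKE on a NULL country is neither true nor false. A country column that can be empty needs the IS NULL clause or the investigation misses exactly the attempts whose origin could not be determined.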
Summary
Through SQL queries, I addressed various security concerns within the organization. By filtering data from the employees and log_in_attempts tables, I identified login attempts outside of business hours, reviewed login activity for specific dates, investigated login attempts originating outside of Mexico, and targeted security updates for employees in specific departments. These tasks helped enhance security measures and mitigate potential risks effectively, demonstrating the power and versatility of SQL in cybersecurity investigations.
Page 37
Vulnerability Assessment Report
1st January 20XX
System Description
The server has a powerful CPU and 128 GB of memory. It runs a current Linux distribution and hosts a MySQL database management system. It has a stable network connection using IPv4 addresses and interacts with other servers on the network. Security measures include TLS-encrypted connections.
Scope
The scope of this vulnerability assessment relates to the current access controls of the system. The assessment will cover a period of three months, from June 20XX to August 20XX. NIST SP 800-30 Rev. 1 is used to guide the risk analysis of the information system.
Purpose
Purpose Statement: The purpose of this vulnerability assessment is to evaluate and enhance the access controls of the MySQL database server hosted on a robust Linux-based system. By identifying and mitigating potential vulnerabilities within the access controls over the three-month assessment period from June 20XX to August 20XX, we aim to safeguard valuable business data and ensure the server’s continued availability and integrity. This analysis aligns with organizational goals to maintain secure data handling practices, mitigate operational risks associated with unauthorized access, and sustain uninterrupted business operations.
This purpose statement connects the technical objectives of the vulnerability assessment with broader organizational objectives related to data security, operational continuity, and risk management, as outlined in NIST SP 800-30 Rev. 1 guidelines.
Risk Assessment
| Threat source | Threat event | Likelihood | Severity | Risk (Likelihood × Severity) |
| Competitor (template example) | Obtain sensitive information via exfiltration | 1 | 3 | 3 |
| Advanced Persistent Threat (APT) | APTs are sophisticated threat actors with advanced capabilities and resources. They might target the database server to steal valuable data or disrupt operations. | 2 | 3 | 6 |
| Insider Threat (Employee) | Insiders with malicious intent or compromised credentials could exploit their access privileges to access or manipulate sensitive data stored on the database server. | 2 | 2 | 4 |
| Outsider (Hacker) | Hackers, external to the organization, might exploit vulnerabilities in the MySQL database server to gain unauthorized access, disrupt services, or steal sensitive information. | 2 | 2 | 4 |
These identified threats reflect potential risks that the organization should address through comprehensive security measures, including access controls, monitoring, patch management, and employee awareness training, aligning with best practices outlined in NIST SP 800-30 Rev. 1.
Approach
The selection of Advanced Persistent Threats (APTs), Insider Threats (Employees), and Hackers (Outsiders) as key threat sources in this qualitative vulnerability assessment reflects their potential to significantly impact the organization’s MySQL database server. APTs are chosen due to their advanced capabilities and persistent nature, posing a high risk of sophisticated attacks aimed at exfiltrating sensitive data or disrupting operations. Insider threats are highlighted because of their insider knowledge and potential access privileges, presenting moderate but credible risks to data integrity and confidentiality. Hackers represent external threats with moderate likelihood but significant consequences if successful, including service disruptions and unauthorized access. This approach aims to prioritize risks based on their potential impact on data security and operational continuity, guiding effective resource allocation and security measures.
Remediation Strategy
To address the identified risks from APTs, Insider Threats, and Hackers, implementing a multi-layered approach incorporating security controls is essential. Firstly, enforcing the Principle of Least Privilege ensures that access permissions are strictly aligned with job roles, limiting the impact of insider threats and unauthorized access by external hackers. Secondly, adopting a Defense in Depth strategy involves deploying multiple layers of security controls such as network segmentation, intrusion detection systems (IDS), and regular security patches for the MySQL database server and underlying Linux OS. Additionally, implementing Multi-Factor Authentication (MFA) strengthens access controls, reducing the risk of unauthorized access in case of compromised credentials. This comprehensive approach enhances the overall security posture of the information system, mitigating potential vulnerabilities and safeguarding sensitive data against sophisticated attacks.
Page 40
Documenting Incidents With an Incident Handlers Journal
| Date: Jul 1, 2024 | Entry:1 | ||
| Description | A security incident occurred at a small U.S. health care clinic, disrupting their business operations due to a ransomware attack initiated by a phishing email. | ||
| Tool(s) used | None used at this initial stage. | ||
| The 5 W’s | Who caused the incident? An organized group of unethical hackers. |
| | What happened? A phishing email containing a malicious attachment was downloaded, deploying ransomware that encrypted the organization’s computer files. The hackers left a ransom note demanding money for the decryption key. |
| | When did the incident occur? On Tuesday at 9:00 a.m. |
| | Where did the incident happen? At a small health care clinic in the U.S. |
| | Why did the incident happen? An employee downloaded a malicious attachment from a phishing email, which allowed the ransomware to be deployed. |
| Additional notes | Consider implementing or reinforcing employee training on recognizing phishing emails. Evaluate the current email filtering and security measures to prevent similar incidents in the future. Develop a response plan for handling the ransom demand and for recovering encrypted files without paying the ransom if possible. Investigate the specific strain of ransomware used to understand the potential recovery options and any known vulnerabilities. |
| Date: Jul 3, 2024 | Entry: 2 | ||
| Description | Analyzing a packet capture file | ||
| Tool(s) used | For this task, I utilized Wireshark to examine a packet capture file. Wireshark is a network protocol analyzer with a user-friendly graphical interface. Its significance in cybersecurity lies in its ability to capture and analyze network traffic, which is crucial for detecting and investigating suspicious activities. | ||
| The 5 W’s | Who: N/A. What: N/A. When: N/A. Where: N/A. Why: N/A (no incident; this entry records tool practice). |
| Additional notes | Wireshark is effective because it allows security analysts to capture, visualize, and analyze network traffic in real-time, aiding in the detection and investigation of malicious activities. | ||
| Date: Jul 7, 2024 | Entry:3 | ||
| Description | Capturing a Packet | ||
| Tool(s) used | For this task, I used tcpdump to capture and examine network traffic. Tcpdump is a network protocol analyzer that operates through the command-line interface. Like Wireshark, its value in cybersecurity lies in its ability to capture, filter, and analyze network traffic. | ||
| The 5 W’s | Who: N/A. What: N/A. When: N/A. Where: N/A. Why: N/A (no incident; this entry records tool practice). | ||
| Additional notes | Tcpdump is useful because it allows security analysts to capture, filter, and analyze network traffic directly from the command line, providing powerful insights for detecting and investigating network issues and malicious activities. | ||
| Date: Jul 8, 2024 | Entry: 4 | ||
| Description | Investigate a Suspicious File Hash | ||
| Tool(s) used | For this task, I used VirusTotal, a tool that checks files and URLs for malicious content like viruses, worms, and trojans. It’s useful for quickly verifying whether a file or website has been flagged as malicious by the cybersecurity community. In this case, I used VirusTotal to analyze a file hash that had been reported as malicious; searching by hash rather than uploading the file avoids sending a possibly sensitive document to a third-party service. This incident took place during the Detection and Analysis phase. I was acting as a security analyst in a SOC, investigating a suspicious file hash. After the security systems flagged the file, I conducted a thorough analysis to determine if the alert indicated a genuine threat. | ||
| The 5 W’s | Who: An unidentified malicious actor. |
| | What: An email sent to an employee contained a malicious file attachment with the SHA-256 hash 54e6ea47eb04634d3e87fd7787e2136ccfbcc80ade34f246a12cf93bab527f6b. |
| | When: At 1:20 p.m., an alert was triggered and sent to the organization’s SOC after the intrusion detection system flagged the file. |
| | Where: An employee’s computer at a financial services company. |
| | Why: The employee downloaded and executed a malicious file attachment from an email. |
| Additional notes | To prevent this incident in the future, we should enhance security awareness training to ensure employees are cautious about the links and attachments they click on. | ||
Page 44
Algorithm for file updates in Python
Project description
At my organization, we manage access to restricted content using an allow list of IP addresses. The IP addresses that have access are stored in the “allow_list.txt” file. There’s also a remove list that specifies IP addresses that should no longer have access. I developed an algorithm to automate the process of updating the “allow_list.txt” file by removing the IP addresses that are on the remove list.
Open the file that contains the allow list
In the first step of the algorithm, I started by opening the “allow_list.txt” file. To do this, I first saved the filename as a string in the import_file variable.
Then, I used a with statement to open the file:
In my algorithm, I use the with statement along with the open() function to access the allow list file in read mode. The goal of opening the file is to retrieve the IP addresses stored in it. The with keyword ensures that the file is automatically closed once the block of code is done executing. In the line with open(import_file, “r”) as file:, the open() function takes two arguments: the first specifies which file to open, and the second, “r”, indicates that the file should be opened for reading. The as keyword assigns the file object to a variable named file, which allows me to work with the file’s contents within the with block.
Read the file contents
To read the contents of the file, I used the .read() method, which returns the whole file as a single string.
When the file has been opened with the "r" argument, I can call .read() on it inside the with statement. This method returns the file’s entire content as one string, which is easier to work with. I applied .read() to the file variable defined in the with statement and stored the resulting string in the ip_addresses variable.
In short, this code reads the contents of the “allow_list.txt” file and converts it into a string, which I can later manipulate in my Python program to organize and extract the needed data.
Convert the string into a list
To remove specific IP addresses from the allow list, I first needed to convert the ip_addresses string into a list. I did this using the .split() method:
The .split() method is applied directly to a string variable and converts that string into a list. The reason for converting ip_addresses into a list is to make it easier to remove individual IP addresses from the allow list. By default, the .split() method breaks the string into list elements based on whitespace. In this case, the method splits the ip_addresses string, which consists of IP addresses separated by spaces, into a list of individual IP addresses. I then stored this list back into the ip_addresses variable.
Iterate through the remove list
A crucial part of my algorithm is looping through the IP addresses listed in the remove_list. To accomplish this, I used a for loop:
In Python, a for loop repeats a block of code once for each item in a sequence. The purpose of the for loop in this algorithm is to apply the removal step to each address on the remove list. The loop starts with the for keyword, followed by the loop variable element and the in keyword. The in keyword tells Python to iterate through the remove_list sequence, assigning each of its values to the loop variable element one at a time.
Remove IP addresses that are on the remove list
In my algorithm, I needed to remove any IP address from the ip_addresses list that also appeared in the remove_list. Since there were no duplicates in ip_addresses, I used the following approach:
Inside the for loop, I set up a condition to check if the current loop variable element was present in the ip_addresses list. This check was important because trying to use .remove() on an element not found in ip_addresses would cause an error. If the condition was met, I used the .remove() method on ip_addresses, passing the loop variable element as the argument. This ensured that each IP address found in remove_list was removed from ip_addresses.
Update the file with the revised list of IP addresses
The final step of my algorithm involved updating the allow list file with the modified list of IP addresses. To do this, I first needed to convert the list back into a string, which I did using the .join() method:
The .join() method takes all the items in an iterable and merges them into a single string. It’s used with a string that defines how the items will be separated once they are combined. In my algorithm, I applied the .join() method to the ip_addresses list to create a string that I could then use with the .write() method to update the “allow_list.txt” file. I used the string “\n” as the separator so that each IP address would appear on a new line.
Next, I used another with statement along with the .write() method to update the file:
This time I passed "w" as the second argument to open() in the with statement. Opening a file for writing truncates its existing contents, so whatever is written replaces the old list. Inside the with block I called the .write() method on the file object (file), passing in the ip_addresses string, which writes the updated allow list to "allow_list.txt". This ensures that any IP addresses removed from the list can no longer access the restricted content.
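The whole procedure, read, split, remove, join and write, carried through as one working program. This is an added example and not the project's own code; it keeps the steps of the write-up but adds what a practitioner would want in production: every entry is validated as an IP address so a malformed line cannot silently survive an update, removal builds a new list instead of calling .remove() on the list being iterated, addresses are compared as parsed values so IPv6 spellings match, and the file is replaced atomically so a crash mid-write can never leave a truncated allow list. File names and all addresses are constructed for the demonstration.

```python
"""Remove the IP addresses on a remove list from allow_list.txt.

Added example, not the original project's code. File names and sample
addresses are constructed for the demonstration.
"""
import ipaddress
import os
import tempfile


def parse_allow_list(text: str) -> list:
    """Split file text on whitespace into addresses, rejecting anything else.

    A malformed entry is an error rather than a silent keep: it can never
    match the remove list, so it would otherwise survive every update.
    """
    addresses = []
    for token in text.split():
        ipaddress.ip_address(token)   # raises ValueError on garbage
        addresses.append(token)
    return addresses


def remove_addresses(ip_addresses: list, remove_list: list) -> list:
    """Return ip_addresses without any entry in remove_list, order preserved.

    Building a new list avoids the classic bug of calling .remove() on the
    list being iterated; a set makes each membership test O(1); comparing
    parsed addresses means '::1' and '0:0:0:0:0:0:0:1' are the same entry.
    Duplicates in either list are handled, which a single .remove() per
    entry is not.
    """
    to_drop = {ipaddress.ip_address(ip) for ip in remove_list}
    return [ip for ip in ip_addresses if ipaddress.ip_address(ip) not in to_drop]


def update_allow_list(import_file: str, remove_list: list) -> list:
    """Rewrite import_file without the addresses in remove_list; return what was kept."""
    with open(import_file, "r") as file:
        ip_addresses = parse_allow_list(file.read())

    ip_addresses = remove_addresses(ip_addresses, remove_list)

    # Write to a temporary file in the same directory and rename it over the
    # original: the rename is atomic, so readers see either the old list or
    # the new one, never a half-written file.
    directory = os.path.dirname(os.path.abspath(import_file))
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".allow_list.")
    try:
        with os.fdopen(fd, "w") as file:
            file.write("\n".join(ip_addresses) + "\n")
        os.replace(tmp_path, import_file)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return ip_addresses


def demo() -> str:
    """Run the update on a constructed allow list and return the new file text."""
    sample = "192.168.25.60\n192.168.140.81\n192.168.203.198\n192.168.226.143\n"
    remove_list = ["192.168.140.81", "192.168.203.198", "192.168.99.99"]  # last one absent
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "allow_list.txt")
        with open(path, "w") as file:
            file.write(sample)
        update_allow_list(path, remove_list)
        with open(path) as file:
            return file.read()


if __name__ == "__main__":
    print(demo(), end="")
```

An address on the remove list that is not in the file (192.168.99.99 in the demo) is simply ignored, which is the behaviour the "if element in ip_addresses" check in the write-up provides. The atomic replace matters more than it looks: an allow list that is read by whatever enforces access while it is still being written is, for that moment, a list with entries missing from the end.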
Summary
I developed an algorithm to remove IP addresses listed in the remove_list from the “allow_list.txt” file of approved IP addresses. The process involved opening the file, reading its contents as a string, and then converting that string into a list stored in the ip_addresses variable. I then looped through each IP address in the remove_list and checked if it was present in the ip_addresses list. If it was, I used the .remove() method to delete it from ip_addresses. Finally, I used the .join() method to convert the ip_addresses list back into a string, which I then wrote back to the “allow_list.txt” file, replacing its original contents with the updated list of IP addresses.
Page 48
Splunk
Alice has given me access to Splunk, but James has changed a configuration file named config.conf, which is preventing people from looking at logs. Alice has also told me that Splunk stores all of its files in the /opt/splunk directory. It is my job to find the file and configure it so that people can view log files again.
The problem is that a configuration file was changed so that logs can no longer be viewed. We are going to locate the file and modify it so that logs are viewable again. Once we locate the file under /opt/splunk we can make the change there. It is a good idea to record the hash of the file before and after the edit so that the change is documented and can be verified. Who may modify the file is governed by its owner, group and mode, which ls -l shows and chmod adjusts. We also need a copy of the changed file in the /home/fstack directory for future use.
First, we were asked to locate the config.conf file, which is easy: running locate config.conf lists every path with that name. Note that locate reads an index built by updatedb, so a file created or renamed after the last index run will not appear until updatedb is run again; find / -name config.conf searches the live file system instead.
This command returns several hits. There is a config/neofetch entry under /home/fstack, which we do not need, and a file in the Documents folder under /home/fstack, which we also do not need. The entries under /var tell us which apps and packages relate to config.conf, but we do not need that information either. Since Alice told us Splunk keeps its files under /opt/splunk, the entry there is the one we want, and the rest of the output can be ignored.
Now we will change into that directory
After we change into the directory we need to check the file permissions by using ls -l config.conf
From this command we can read the permissions of the file: user, group and others all have read, write and execute permission (-rwxrwxrwx, mode 777). That means every account on the host can modify the file, which is exactly how an unwanted change like this one goes unnoticed. Tightening this was not asked for but is worth doing. sudo chmod g-x,o-x removes only the execute bits from group and others; sudo chmod 766 does the same but still leaves group and others able to write, so it does not address the real problem; sudo chmod 740 leaves the group read-only and removes all access for others, and 640 additionally drops the execute bit, which a configuration file does not need for anyone.
Now we can use md5sum to record the file’s hash. Files with the same content produce the same hash, so a different hash later proves the file was modified. MD5 is adequate for spotting a change, but it is not collision-resistant, so sha256sum is the better choice when the hash will be kept as evidence.
After running this command, screenshot or write down the hash so that it can be compared with the hash taken after the edit.
Next we were asked to edit the file. Either vim or nano works; I prefer vim.
Once vim is open, you can move around with the arrow keys and press i to enter insert mode and type.
Page 50
Changing Permissions in Linux
Page 51
SQL
Page 55
Windows Course End Project
Step 1 Join the computer to the domain (the domain name is contoso.com). The username/password is administrator/Pa$$w0rd.
#Use the ipconfig command to find the DNS for 172.31.59.209
Step 2 Switch to the server. Create a user for the new hire and set a password.
#Create a user called William Gate in the Marketing Group
Step 3 Create a group with the department name and place the user in that group.
#Create a marketing group and include William Gate
Step 4 Create a share on the server with the department name and share it only with people who belong to that department (read and write permissions). In the folder, create a text document called test.txt.
#Create read and write permissions for the Marketing Department
Step 5 Create an OU with the department’s name and place the user, group, and computer in the OU. Attach a GPO to the OU you created.
#Inside the department OU, create sub-containers called Users and Computer for the user and group and for the computer
Step 6
Edit the GPO and apply the following rules:
⦁ A message should appear whenever the computer starts (do not install unauthorized programs).
⦁ Prevent the user’s access to CMD.
⦁ Add script to the user’s login to map the share you created.
⦁ Disable the run command from the start menu.
#Using Group Policy Management, four items were linked or connected with the “Marketing” category
Step 7 Check the Event Viewer on the server machine and write down the last successful login from your user. (Note: You must log in with the domain administrator account).
# In Event Viewer on the server, the Security log was filtered to event ID 4624 (successful logon) and sorted by time; the most recent entry for the user was dated 12/31/2023 10:56:52 PM
Step 8 Use PowerShell to check what the latest program installed on the computer was
#In PowerShell, installed products with their names and versions were listed with the wmic product command. Two caveats: wmic is deprecated, and querying Win32_Product (which wmic product does) makes Windows Installer run a consistency check on every registered MSI package, which is slow and can trigger repairs. The Uninstall keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and WOW6432Node) carry the same names and versions, usually with an InstallDate to sort on, without that side effect.
Step 9 Write a PowerShell script that gives a list of all running services and puts it in a file named running_services.txt.
# Running Get-Service > running_services.txt produced the file in the Windows\System32 folder because that is the default working directory of an elevated PowerShell session; give the output file an explicit path instead. Note also that Get-Service returns every service regardless of state, so for a list of only the running ones the output must first be filtered on its Status property with Where-Object before being redirected to the file.
