vault backup: 2024-08-30 14:45:21
parent
15c59226f3
commit
f8329b1130
49
.obsidian/workspace.json
vendored
|
@ -13,13 +13,38 @@
|
|||
"state": {
|
||||
"type": "markdown",
|
||||
"state": {
|
||||
"file": "01 - Planning Considerations.md",
|
||||
"file": "01 - Planning.md",
|
||||
"mode": "source",
|
||||
"source": false
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "2a670ea5f942fc2d",
|
||||
"type": "leaf",
|
||||
"state": {
|
||||
"type": "markdown",
|
||||
"state": {
|
||||
"file": "02 - Scoping.md",
|
||||
"mode": "source",
|
||||
"source": false
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "b310d53602dfbef1",
|
||||
"type": "leaf",
|
||||
"state": {
|
||||
"type": "markdown",
|
||||
"state": {
|
||||
"file": "README.md",
|
||||
"mode": "source",
|
||||
"source": false
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
],
|
||||
"currentTab": 2
|
||||
}
|
||||
],
|
||||
"direction": "vertical"
|
||||
|
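Review bot: `.obsidian/workspace.json` holds editor session state, not handbook content; the lines in this hunk only record which notes are open in which pane (`"type": "leaf"`, `"currentTab": 2`). Tracking it means every vault backup carries layout churn like this. Consider adding `.obsidian/workspace.json` to `.gitignore` and removing it from the index so commits contain note changes only.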
@ -86,7 +111,7 @@
|
|||
"state": {
|
||||
"type": "backlink",
|
||||
"state": {
|
||||
"file": "01 - Planning Considerations.md",
|
||||
"file": "README.md",
|
||||
"collapseAll": false,
|
||||
"extraContext": false,
|
||||
"sortOrder": "alphabetical",
|
||||
|
@ -103,7 +128,7 @@
|
|||
"state": {
|
||||
"type": "outgoing-link",
|
||||
"state": {
|
||||
"file": "01 - Planning Considerations.md",
|
||||
"file": "README.md",
|
||||
"linksCollapsed": false,
|
||||
"unlinkedCollapsed": true
|
||||
}
|
||||
|
@ -126,7 +151,7 @@
|
|||
"state": {
|
||||
"type": "outline",
|
||||
"state": {
|
||||
"file": "01 - Planning Considerations.md"
|
||||
"file": "README.md"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -147,13 +172,19 @@
|
|||
"command-palette:Open command palette": false
|
||||
}
|
||||
},
|
||||
"active": "21b5784e2023f491",
|
||||
"active": "b310d53602dfbef1",
|
||||
"lastOpenFiles": [
|
||||
"templates/ASSET INVENTORY.md",
|
||||
"02 - Scoping.md",
|
||||
"README.md",
|
||||
"tools/OSINT TOOLS.md",
|
||||
"templates/VULNERABILITY ASSESMENT REPORT.md",
|
||||
"templates/PASTA.md",
|
||||
"tools",
|
||||
"01 - Planning.md",
|
||||
"templates/RISK REGISTER.md",
|
||||
"01 - Planning Considerations.md",
|
||||
"templates/PENTEST REPORT TEMPLATE.md",
|
||||
"templates/INCIDENT REPORT TEMPLATE.md",
|
||||
"templates/ASSET INVENTORY.md",
|
||||
"templates/legal/Non-Disclosure Agreement.md",
|
||||
"templates/legal/Request for Information (RFI).md",
|
||||
"templates/legal/Statement of Work.md",
|
||||
|
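Review bot: the `"lastOpenFiles"` array in this hunk commits the names of recently opened vault files (for example `"templates/INCIDENT REPORT TEMPLATE.md"` and `"templates/legal/Statement of Work.md"`). In a handbook meant for pentest work, any client- or engagement-named note opened in the same vault would have its name recorded here and pushed with the next backup. Excluding this file from version control avoids that.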
@ -161,13 +192,11 @@
|
|||
"templates/METHODOLOGY.svg",
|
||||
"Pasted image 20240824205517.png",
|
||||
"2024-08-24.md",
|
||||
"Untitled.md",
|
||||
"templates/legal/DPA-en.odt",
|
||||
"templates/legal/MSA-en.odt",
|
||||
"templates/legal/NDA-en.odt",
|
||||
"templates/legal/NDA.md",
|
||||
"templates/legal",
|
||||
"Untitled",
|
||||
"templates",
|
||||
"().md",
|
||||
"Welcome.md"
|
||||
|
|
|
@ -16,8 +16,8 @@ Identify Protected Assets
|
|||
|
||||
## Compliance
|
||||
|
||||
Establish guidelines (or necessity) for compliance with internal and external regulations.
|
||||
Example: PCI DSS
|
||||
Establish guidelines (or necessity) for compliance with internal and external regulations or standards.
|
||||
Example: PCI DSS, GDPR, HIPPA, etc
|
||||
- Strictly defined surface area of engagement
|
||||
|
||||
[[Statement of Work]]
|
||||
|
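Review bot: "HIPPA" in the new example line should be "HIPAA". The line would also read better as "Examples: PCI DSS, GDPR, HIPAA, etc." since it now lists several standards.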
@ -36,6 +36,7 @@ Example: PCI DSS
|
|||
|
||||
1. Aquire Trusted Agent(s) within the company for trusted communication
|
||||
2. Establish communication guidelines and information access control rules during engagement (who knows what)
|
||||
3. Establish escalation procedures
|
||||
|
||||
|
||||
## Product/Report
|
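Review bot: step 1 in this hunk's context reads "Aquire Trusted Agent(s)"; since the section is being touched, correct it to "Acquire". Step 3, "Establish escalation procedures", would be more usable if it said what the procedure must record, such as who is contacted and under which conditions testing pauses.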
2
02 - Scoping.md
Normal file
|
@ -0,0 +1,2 @@
|
|||
|
||||
Requirements and objectives that are needed to complete engagement.
|
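Review bot: the new note is a single sentence and does not yet say what scoping produces. `01 - Planning.md` already lists "Strictly defined surface area of engagement" and links `[[Statement of Work]]`; link that note from here and list the in-scope and out-of-scope items the scope should capture. "to complete engagement" should be "to complete the engagement".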
13
README.md
Normal file
|
@ -0,0 +1,13 @@
|
|||
|
||||
This is a security handbook I complile for pentest and vulnerabilty analysis purposes.
|
||||
It is meant to be used with Obsidian.
|
||||
|
||||
## Current Progress
|
||||
|
||||
- Planning [100%]
|
||||
- Scoping [10%]
|
||||
- Engagement [0%]
|
||||
- Exploitation [0%]
|
||||
- Reporting [0%]
|
||||
- Mitigation [0%]
|
||||
|
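Review bot: two typos in the first line of the README: "complile" should be "compile" and "vulnerabilty" should be "vulnerability". The entries under "Current Progress" could also link to the numbered notes (`01 - Planning.md`, `02 - Scoping.md`) so the list doubles as an index.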
20
templates/PASTA.md
Normal file
|
@ -0,0 +1,20 @@
|
|||
|
||||
---
|
||||
|
||||
|
||||
|
||||
|
||||
| | |
|
||||
| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
||||
| **Stages** | **Sneaker company** |
|
||||
| I. Define business and security objectives | Make 2-3 notes of specific business requirements that will be analyzed.<br><br>- Will the app process transactions?<br> <br>- Does it do a lot of back-end processing?<br> <br>- Are there industry regulations that need to be considered? |
|
||||
| II. Define the technical scope | List of technologies used by the application:<br><br>- Application programming interface (API)<br> <br>- Public key infrastructure (PKI)<br> <br>- SHA-256<br> <br>- SQL<br> <br><br> <br><br>Write 2-3 sentences (40-60 words) that describe why you choose to prioritize that technology over the others. |
|
||||
| III. Decompose application | [Sample data flow diagram](https://docs.google.com/presentation/d/1ol7y79popTFfNHM-90ES-H-i1Lpd0YNvPShxBlXozjg/template/preview?resourcekey=0-DZAkf7Vzh2PXsP-j3oXV-g) |
|
||||
| IV. Threat analysis | List 2 types of threats in the PASTA worksheet that are risks to the information being handled by the application.<br><br>- What are the internal threats?<br> <br>- What are the external threats? |
|
||||
| V. Vulnerability analysis | List 2 vulnerabilities in the PASTA worksheet that could be exploited.<br><br>- Could there be things wrong with the codebase?<br> <br>- Could there be weaknesses in the database?<br> <br>- Could there be flaws in the network? |
|
||||
| VI. Attack modeling | [Sample attack tree diagram](https://docs.google.com/presentation/d/1FmWLyHgmq9XQoVuMxOym2PHO8IuedCkan4moYnI-EJ0/template/preview?usp=sharing&resourcekey=0-zYPY7AhPJdcClXamlAfOag) |
|
||||
| VII. Risk analysis and impact | List 4 security controls that you’ve learned about that can reduce risk. |
|
||||
|
||||
|
||||
|
||||
---
|
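Review bot: the table's header row is empty (`| | |`), so "**Stages**" and "**Sneaker company**" render as a body row; move them into the header row above the separator. As a reusable template, the second column heading should be a neutral placeholder rather than "Sneaker company". Stages III and VI link to Google Docs template previews, which an offline vault cannot rely on; consider storing copies under `templates/`.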
44
templates/VULNERABILITY ASSESMENT REPORT.md
Normal file
|
@ -0,0 +1,44 @@
|
|||
|
||||
1st January 20XX
|
||||
|
||||
---
|
||||
|
||||
# System Description
|
||||
|
||||
The server hardware consists of a powerful CPU processor and 128GB of memory. It runs on the latest version of Linux operating system and hosts a MySQL database management system. It is configured with a stable network connection using IPv4 addresses and interacts with other servers on the network. Security measures include SSL/TLS encrypted connections.
|
||||
|
||||
# Scope
|
||||
|
||||
The scope of this vulnerability assessment relates to the current access controls of the system. The assessment will cover a period of three months, from June 20XX to August 20XX. [NIST SP 800-30 Rev. 1](https://docs.google.com/document/d/1pRpdpQMEWskxSkwqEMv8W7A7x8GXQlcn0hEcDzWet3Y/template/preview?usp=sharing&resourcekey=0-3GRRWAd8HryVgof-Jc33yA) is used to guide the risk analysis of the information system.
|
||||
|
||||
# Purpose
|
||||
|
||||
Consider the following questions to help you write:
|
||||
|
||||
- How is the database server valuable to the business?
|
||||
|
||||
- Why is it important for the business to secure the data on the server?
|
||||
|
||||
- How might the server impact the business if it were disabled?
|
||||
|
||||
|
||||
# Risk Assessment
|
||||
|
||||
|
||||
|
||||
| | | | | |
|
||||
|---|---|---|---|---|
|
||||
|Threat source|Threat event|Likelihood|Severity|Risk|
|
||||
|E.g. Competitor|Obtain sensitive information via exfiltration|1|3|3|
|
||||
||||||
|
||||
||||||
|
||||
|
||||
|
||||
|
||||
# Approach
|
||||
|
||||
Risks considered the data storage and management methods of the business. The likelihood of a threat occurrence and the impact of these potential events were weighed against the risks to day-to-day operational needs.
|
||||
|
||||
# Remediation Strategy
|
||||
|
||||
Implementation of authentication, authorization, and auditing mechanisms to ensure that only authorized users access the database server. This includes using strong passwords, role-based access controls, and multi-factor authentication to limit user privileges. Encryption of data in motion using TLS instead of SSL. IP allow-listing to corporate offices to prevent random users from the internet from connecting to the database.
|
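Review bot: in the Scope paragraph the link labelled "NIST SP 800-30 Rev. 1" points to a docs.google.com template preview, not to the NIST publication; link to NIST's own page or relabel it as a worksheet. The Risk Assessment example row gives Likelihood 1, Severity 3, Risk 3 without stating the scale or how Risk is derived, so add a one-line legend under the table. System Description lists "SSL/TLS encrypted connections" while Remediation Strategy asks for "TLS instead of SSL"; state which protocol versions are actually enabled. The file name spells "ASSESMENT"; it should be "ASSESSMENT".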
22
tools/OSINT TOOLS.md
Normal file
|
@ -0,0 +1,22 @@
|
|||
|
||||
There's an enormous amount of open-source information online. Finding relevant information that can be used to gather intelligence is a challenge. Information can be gathered from a variety of sources, such as search engines, social media, discussion boards, blogs, and more. Several tools also exist that can be used in your intelligence gathering process. Here are just a few examples of tools that you can explore:
|
||||
|
||||
- [VirusTotal](https://www.virustotal.com/gui/home/upload)
|
||||
|
||||
- is a service that allows anyone to analyze suspicious files, domains, URLs, and IP addresses for malicious content.
|
||||
|
||||
- [MITRE ATT&CK®](https://attack.mitre.org/)
|
||||
|
||||
- is a knowledge base of adversary tactics and techniques based on real-world observations.
|
||||
|
||||
- [OSINT Framework](https://osintframework.com/)
|
||||
|
||||
- is a web-based interface where you can find OSINT tools for almost any kind of source or platform.
|
||||
|
||||
- [Have I been Pwned](https://haveibeenpwned.com/)
|
||||
|
||||
|
||||
- is a tool that can be used to search for breached email accounts.
|
||||
|
||||
|
||||
There are numerous other OSINT tools that can be used to find specific types of information. Remember, information can be gathered from a variety of sources. Ultimately, it's your responsibility to thoroughly research any available information that's relevant to the problem you’re trying to solve.
|
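Review bot: the VirusTotal entry links directly to the upload page (`/gui/home/upload`). For a handbook used on client engagements, add a caveat that files submitted there are shared with VirusTotal's partners and subscribers, so client artifacts should be looked up by hash before any upload is considered. Each description is also a separate bullet starting with "is ..."; fold it into the same list item as the link it describes, and remove the extra blank line before the Have I been Pwned description.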