vault backup: 2024-08-30 14:45:21

This commit is contained in:
Anton Nesterov 2024-08-30 14:45:22 +02:00
parent 15c59226f3
commit f8329b1130
No known key found for this signature in database
GPG key ID: 59121E8AE2851FB5
7 changed files with 143 additions and 12 deletions


@ -13,13 +13,38 @@
"state": {
"type": "markdown",
"state": {
"file": "01 - Planning Considerations.md",
"file": "01 - Planning.md",
"mode": "source",
"source": false
}
}
},
{
"id": "2a670ea5f942fc2d",
"type": "leaf",
"state": {
"type": "markdown",
"state": {
"file": "02 - Scoping.md",
"mode": "source",
"source": false
}
}
},
{
"id": "b310d53602dfbef1",
"type": "leaf",
"state": {
"type": "markdown",
"state": {
"file": "README.md",
"mode": "source",
"source": false
}
}
}
]
],
"currentTab": 2
}
],
"direction": "vertical"
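Review bot: this hunk changes Obsidian's editor state (leaf ids, `currentTab`, and the `lastOpenFiles` history further down), not vault content, so every "vault backup" commit will carry churn like this and record which local files were open. Suggest excluding the workspace file Obsidian keeps under `.obsidian/` via `.gitignore` and removing it from the repository, so later backups only diff the notes and templates.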
@ -86,7 +111,7 @@
"state": {
"type": "backlink",
"state": {
"file": "01 - Planning Considerations.md",
"file": "README.md",
"collapseAll": false,
"extraContext": false,
"sortOrder": "alphabetical",
@ -103,7 +128,7 @@
"state": {
"type": "outgoing-link",
"state": {
"file": "01 - Planning Considerations.md",
"file": "README.md",
"linksCollapsed": false,
"unlinkedCollapsed": true
}
@ -126,7 +151,7 @@
"state": {
"type": "outline",
"state": {
"file": "01 - Planning Considerations.md"
"file": "README.md"
}
}
}
@ -147,13 +172,19 @@
"command-palette:Open command palette": false
}
},
"active": "21b5784e2023f491",
"active": "b310d53602dfbef1",
"lastOpenFiles": [
"templates/ASSET INVENTORY.md",
"02 - Scoping.md",
"README.md",
"tools/OSINT TOOLS.md",
"templates/VULNERABILITY ASSESMENT REPORT.md",
"templates/PASTA.md",
"tools",
"01 - Planning.md",
"templates/RISK REGISTER.md",
"01 - Planning Considerations.md",
"templates/PENTEST REPORT TEMPLATE.md",
"templates/INCIDENT REPORT TEMPLATE.md",
"templates/ASSET INVENTORY.md",
"templates/legal/Non-Disclosure Agreement.md",
"templates/legal/Request for Information (RFI).md",
"templates/legal/Statement of Work.md",
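Review bot: `lastOpenFiles` now lists both "01 - Planning.md" and "01 - Planning Considerations.md" while every pane in the earlier hunks was repointed to the new name, so the old entry is stale history that Obsidian will rotate out on its own; another sign this file is editor state rather than content worth versioning.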
@ -161,13 +192,11 @@
"templates/METHODOLOGY.svg",
"Pasted image 20240824205517.png",
"2024-08-24.md",
"Untitled.md",
"templates/legal/DPA-en.odt",
"templates/legal/MSA-en.odt",
"templates/legal/NDA-en.odt",
"templates/legal/NDA.md",
"templates/legal",
"Untitled",
"templates",
"().md",
"Welcome.md"


@ -16,8 +16,8 @@ Identify Protected Assets
## Compliance
Establish guidelines (or necessity) for compliance with internal and external regulations.
Example: PCI DSS
Establish guidelines (or necessity) for compliance with internal and external regulations or standards.
Example: PCI DSS, GDPR, HIPPA, etc
- Strictly defined surface area of engagement
[[Statement of Work]]
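Review bot: "HIPPA" in the new example line should be "HIPAA" (Health Insurance Portability and Accountability Act), and "etc" wants its period. Since the next line already points at [[Statement of Work]], it would also help to say there that the compliance requirements identified here are what the SOW's "strictly defined surface area of engagement" has to respect, so the two items read as connected rather than as a loose list.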
@ -36,6 +36,7 @@ Example: PCI DSS
1. Aquire Trusted Agent(s) within the company for trusted communication
2. Establish communication guidelines and information access control rules during engagement (who knows what)
3. Establish escalation procedures
## Product/Report
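Review bot: the added "## Product/Report" heading has no body, so the Planning note now ends with an empty section while the README added in this same commit marks Planning at 100%; either fill it (the artefacts planning produces on this page: the Statement of Work, the trusted-agent list, the communication and escalation rules above) or hold the progress change until it is written. Also "Aquire" on the first context line should be "Acquire".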

02 - Scoping.md Normal file

@ -0,0 +1,2 @@
Requirements and objectives that are needed to complete engagement.
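Review bot: "needed to complete engagement" should read "needed to complete the engagement". As this is the file's only line, linking the Statement of Work template already referenced from the Planning note would give the Scoping page its anchor, since that is where the in-scope surface area and exclusions are recorded.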

README.md Normal file

@ -0,0 +1,13 @@
This is a security handbook I complile for pentest and vulnerabilty analysis purposes.
It is meant to be used with Obsidian.
## Current Progress
- Planning [100%]
- Scoping [10%]
- Engagement [0%]
- Exploitation [0%]
- Reporting [0%]
- Mitigation [0%]
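Review bot: typos in the first line: "complile" should be "compile" and "vulnerabilty" should be "vulnerability". "Planning [100%]" is contradicted by this same commit, which adds an empty "## Product/Report" section to the Planning note; lower the figure or complete that section before marking it done.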

templates/PASTA.md Normal file

@ -0,0 +1,20 @@
---
| | |
| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Stages** | **Sneaker company** |
| I. Define business and security objectives | Make 2-3 notes of specific business requirements that will be analyzed.<br><br>- Will the app process transactions?<br> <br>- Does it do a lot of back-end processing?<br> <br>- Are there industry regulations that need to be considered? |
| II. Define the technical scope | List of technologies used by the application:<br><br>- Application programming interface (API)<br> <br>- Public key infrastructure (PKI)<br> <br>- SHA-256<br> <br>- SQL<br> <br><br> <br><br>Write 2-3 sentences (40-60 words) that describe why you choose to prioritize that technology over the others. |
| III. Decompose application | [Sample data flow diagram](https://docs.google.com/presentation/d/1ol7y79popTFfNHM-90ES-H-i1Lpd0YNvPShxBlXozjg/template/preview?resourcekey=0-DZAkf7Vzh2PXsP-j3oXV-g) |
| IV. Threat analysis | List 2 types of threats in the PASTA worksheet that are risks to the information being handled by the application.<br><br>- What are the internal threats?<br> <br>- What are the external threats? |
| V. Vulnerability analysis | List 2 vulnerabilities in the PASTA worksheet that could be exploited.<br><br>- Could there be things wrong with the codebase?<br> <br>- Could there be weaknesses in the database?<br> <br>- Could there be flaws in the network? |
| VI. Attack modeling | [Sample attack tree diagram](https://docs.google.com/presentation/d/1FmWLyHgmq9XQoVuMxOym2PHO8IuedCkan4moYnI-EJ0/template/preview?usp=sharing&resourcekey=0-zYPY7AhPJdcClXamlAfOag) |
| VII. Risk analysis and impact | List 4 security controls that youve learned about that can reduce risk. |
---
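Review bot: the file opens with `---` on line 1 and closes the table with another `---`, so Obsidian (and any YAML front-matter parser) will try to read the whole table as front matter; it is not valid YAML and the table will not render as note body. Drop both `---` lines, or put real front matter between them and start the table after the closing one. Also "youve" in stage VII should be "you've", and the "Sneaker company" column heading plus the Google Docs sample links are exercise-specific; a reusable template would keep the heading generic (e.g. "Application") and leave a placeholder for the engagement's own diagrams.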


@ -0,0 +1,44 @@
1st January 20XX
---
# System Description
The server hardware consists of a powerful CPU processor and 128GB of memory. It runs on the latest version of Linux operating system and hosts a MySQL database management system. It is configured with a stable network connection using IPv4 addresses and interacts with other servers on the network. Security measures include SSL/TLS encrypted connections.
# Scope
The scope of this vulnerability assessment relates to the current access controls of the system. The assessment will cover a period of three months, from June 20XX to August 20XX. [NIST SP 800-30 Rev. 1](https://docs.google.com/document/d/1pRpdpQMEWskxSkwqEMv8W7A7x8GXQlcn0hEcDzWet3Y/template/preview?usp=sharing&resourcekey=0-3GRRWAd8HryVgof-Jc33yA) is used to guide the risk analysis of the information system.
# Purpose
Consider the following questions to help you write:
- How is the database server valuable to the business?
- Why is it important for the business to secure the data on the server?
- How might the server impact the business if it were disabled?
# Risk Assessment
| | | | | |
|---|---|---|---|---|
|Threat source|Threat event|Likelihood|Severity|Risk|
|E.g. Competitor|Obtain sensitive information via exfiltration|1|3|3|
||||||
||||||
# Approach
Risks considered the data storage and management methods of the business. The likelihood of a threat occurrence and the impact of these potential events were weighed against the risks to day-to-day operational needs.
# Remediation Strategy
Implementation of authentication, authorization, and auditing mechanisms to ensure that only authorized users access the database server. This includes using strong passwords, role-based access controls, and multi-factor authentication to limit user privileges. Encryption of data in motion using TLS instead of SSL. IP allow-listing to corporate offices to prevent random users from the internet from connecting to the database.
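Review bot: "1st January 20XX" followed directly by `---` is a CommonMark setext heading, so the date renders as a level-2 heading rather than a date line or rule; put a blank line between them or use the `# ` heading style the rest of the file already uses. In the Risk Assessment table the header row (`| | | | | |`) is empty and "Threat source|Threat event|Likelihood|Severity|Risk" sits below the separator as a data row; move that line above `|---|---|---|---|---|` so it becomes the header. The "NIST SP 800-30 Rev. 1" link points at a Google Docs template rather than the NIST publication; link the publication itself so the risk-scoring method the Scope section claims to follow is verifiable.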

tools/OSINT TOOLS.md Normal file

@ -0,0 +1,22 @@
There's an enormous amount of open-source information online. Finding relevant information that can be used to gather intelligence is a challenge. Information can be gathered from a variety of sources, such as search engines, social media, discussion boards, blogs, and more. Several tools also exist that can be used in your intelligence gathering process. Here are just a few examples of tools that you can explore:
- [VirusTotal](https://www.virustotal.com/gui/home/upload)
- is a service that allows anyone to analyze suspicious files, domains, URLs, and IP addresses for malicious content.
- [MITRE ATT&CK®](https://attack.mitre.org/)
- is a knowledge base of adversary tactics and techniques based on real-world observations.
- [OSINT Framework](https://osintframework.com/)
- is a web-based interface where you can find OSINT tools for almost any kind of source or platform.
- [Have I been Pwned](https://haveibeenpwned.com/)
- is a tool that can be used to search for breached email accounts.
There are numerous other OSINT tools that can be used to find specific types of information. Remember, information can be gathered from a variety of sources. Ultimately, it's your responsibility to thoroughly research any available information that's relevant to the problem youre trying to solve.
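Review bot: each tool is split across two bullets (`- [VirusTotal](...)` followed by `- is a service that...`), which renders as a name-only bullet and a sentence fragment; join them into one line per tool. "youre" in the last line should be "you're". For a pentest handbook the VirusTotal entry also wants a caveat: files uploaded there are shared with the service's partners, so client artefacts or custom tooling from an engagement should not be submitted, and a hash lookup is the safer check.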