CompTIA Security+ Exam Notes
Let Us Help You Pass

Wednesday, October 16, 2024

SIEM

Security Information and Event Management (SIEM) is a solution that helps organizations detect, analyze, and respond to security threats in real time. It combines two older product categories: Security Information Management (SIM), the long-term collection, storage, and reporting of log data, and Security Event Management (SEM), the real-time monitoring, correlation, and alerting on events.

Here are some core features of SIEM:

Log Management: Collects and aggregates log data from servers, applications, and network devices.

Event Correlation: Analyzes log data to identify patterns and correlations that may indicate security threats.

Real-Time Monitoring: Provides continuous monitoring of security events to quickly detect and respond to threats.

Incident Response: Helps manage and respond to security incidents by providing alerts and detailed reports.

Compliance Reporting: Helps organizations meet regulatory requirements by generating the reports auditors expect (for example, who accessed what, and when).

Keys to the exam:

Aggregates, correlates, and alerts; it is a detective control, not a preventive one (it reports activity, it does not block it).

SIEM systems are essential for maintaining a robust security posture and ensuring that potential threats are identified and mitigated before they can cause significant harm.
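As an added example (not from the original notes, and not any vendor's SIEM code), here is a miniature SIEM pipeline in Python: it aggregates constructed authentication logs from two sources, normalises them into events, and applies one correlation rule (many failures from one source IP, across hosts and services, followed by a success). The log format, hostnames, IP addresses and threshold are all invented for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): an SSH server and a
# VPN gateway both forward auth events to the SIEM. Syslog-like format:
# "<ISO timestamp> <host> <source> <outcome> user=<name> src=<ip>"
SAMPLE_LOGS = """\
2024-10-16T09:00:01 web01 sshd FAIL user=admin src=203.0.113.7
2024-10-16T09:00:03 web01 sshd FAIL user=admin src=203.0.113.7
2024-10-16T09:00:05 web01 sshd FAIL user=root src=203.0.113.7
2024-10-16T09:00:06 vpn01 vpn FAIL user=admin src=203.0.113.7
2024-10-16T09:00:09 web01 sshd FAIL user=admin src=203.0.113.7
2024-10-16T09:00:12 web01 sshd OK user=admin src=203.0.113.7
2024-10-16T09:05:00 web01 sshd FAIL user=alice src=198.51.100.4
2024-10-16T09:05:30 web01 sshd OK user=alice src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\S+) (?P<outcome>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_logs(text):
    """Log management step: normalise raw lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real SIEM would count unparseable lines rather than drop them silently
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate_bruteforce(events, threshold=4, window=timedelta(minutes=1)):
    """Correlation rule: at least `threshold` FAILs from one source IP (counted across
    every host and service) inside a sliding `window`, followed by an OK from that IP."""
    alerts = []
    recent_fails = defaultdict(list)  # source ip -> timestamps of failures still in the window
    for ev in events:
        src = ev["src"]
        recent_fails[src] = [t for t in recent_fails[src] if ev["ts"] - t <= window]
        if ev["outcome"] == "FAIL":
            recent_fails[src].append(ev["ts"])
        elif len(recent_fails[src]) >= threshold:
            alerts.append({
                "rule": "bruteforce-then-success",
                "src": src,
                "user": ev["user"],
                "host": ev["host"],
                "failures": len(recent_fails[src]),
                "ts": ev["ts"],
            })
            recent_fails[src] = []  # one burst yields one alert
    return alerts


if __name__ == "__main__":
    for alert in correlate_bruteforce(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

The burst from 203.0.113.7 produces one alert while alice's single typo does not. The rule only fires because failures are aggregated across hosts (sshd on web01 plus the VPN gateway); a per-device view would see four sshd failures and never reach the threshold, which is exactly what correlation adds over device-local logging.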

PAM (Privileged Access Management)

Privileged Access Management (PAM) is a cybersecurity strategy that protects organizations from cyber threats by managing and securing accounts with elevated access to sensitive data and systems.

What it does

PAM monitors, detects, and prevents unauthorized access to critical resources. It also provides visibility into who uses privileged accounts and what they do.

Here are some key aspects of PAM:

  • Principle of Least Privilege: Ensures users only have the minimum level of access necessary to perform their jobs.
  • Monitoring and Auditing: Tracks and records activities of privileged accounts to detect and respond to suspicious behavior.
  • Credential Management: Automates the management of passwords and other credentials to reduce the risk of misuse.
  • Just-in-Time Access: Grants temporary, time-limited access to critical resources only when it is needed, shrinking the window in which a compromised privileged account is useful to an attacker.

 How it works

PAM uses a combination of people, processes, and technology. It's based on the principle of least privilege, which limits access to the minimum required to perform a user's job functions.
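An added Python sketch (not part of the original notes, and not any vendor's PAM product) of the just-in-time, least-privilege workflow described above: a broker that only grants roles a user is eligible for, requires a change ticket and an approval, time-limits the grant, and writes an audit record for every decision. The users, roles, ticket IDs and the 30-minute default TTL are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical eligibility table (least privilege): a user can only ever be
# elevated into roles listed here, and only for a bounded time.
ELIGIBLE_ROLES = {
    "alice": {"db-admin"},
    "bob": {"db-admin", "domain-admin"},
}


@dataclass
class Grant:
    user: str
    role: str
    expires: datetime
    ticket: str


@dataclass
class PrivilegeBroker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def _log(self, now, action, user, role, detail=""):
        self.audit.append({"ts": now, "action": action, "user": user, "role": role, "detail": detail})

    def request(self, user, role, ticket, now, ttl=timedelta(minutes=30), approved=False):
        """Just-in-time elevation: eligible role, ticket, approval, and an expiry."""
        if role not in ELIGIBLE_ROLES.get(user, set()):
            self._log(now, "DENY", user, role, "not eligible for role")
            return None
        if not approved:
            self._log(now, "DENY", user, role, "no approval")
            return None
        grant = Grant(user, role, now + ttl, ticket)
        self.grants.append(grant)
        self._log(now, "GRANT", user, role, f"ticket={ticket} ttl={ttl}")
        return grant

    def has_privilege(self, user, role, now):
        """Every privileged action calls this; expired grants are purged and logged."""
        for grant in list(self.grants):
            if grant.user == user and grant.role == role:
                if now < grant.expires:
                    self._log(now, "USE", user, role)
                    return True
                self.grants.remove(grant)
                self._log(now, "EXPIRE", user, role)
        return False

    def revoke(self, user, role, now):
        """Manual revocation, e.g. when a session is flagged as suspicious."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if not (g.user == user and g.role == role)]
        if len(self.grants) != before:
            self._log(now, "REVOKE", user, role)


def demo():
    """Walk one request through the broker and return what happened."""
    now = datetime(2024, 10, 16, 9, 0)
    broker = PrivilegeBroker()
    outcomes = {
        "wrong_role": broker.request("alice", "domain-admin", "CHG-1001", now, approved=True),
        "no_approval": broker.request("alice", "db-admin", "CHG-1001", now),
        "granted": broker.request("alice", "db-admin", "CHG-1001", now, approved=True),
    }
    outcomes["usable_at_10min"] = broker.has_privilege("alice", "db-admin", now + timedelta(minutes=10))
    outcomes["usable_at_31min"] = broker.has_privilege("alice", "db-admin", now + timedelta(minutes=31))
    outcomes["audit_actions"] = [entry["action"] for entry in broker.audit]
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit trail is the part that maps to the "monitoring and auditing" aspect: denials are recorded as well as grants, so an analyst can see who tried to obtain a role they were never eligible for.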

Why it's important

PAM is considered a critical security discipline for reducing cyber risk and mitigating the damage from external attacks and insider threats. Verizon estimates that 49% of security breaches involve compromised privileged credentials.

Other names

PAM is also known as privileged identity management (PIM) or privileged access security (PAS).

Some examples of privileged users include system and account administrators, upper management, security personnel, HR professionals, and finance employees.

Mimikatz

Mimikatz is an open-source post-exploitation tool that extracts authentication material from Windows computers, such as plaintext passwords, Kerberos tickets, and NTLM hashes.

How it works

Mimikatz reads the memory of the Local Security Authority Subsystem Service (lsass.exe), where Windows keeps the credentials of logged-on users. On older or misconfigured systems the WDigest provider stores plaintext passwords there; on hardened systems it still recovers NTLM hashes and Kerberos tickets, which is enough to impersonate those users on other systems.

Here are some key capabilities of Mimikatz:

  • Credential Dumping: Extracts passwords, hashes, PINs, and Kerberos tickets from memory.
  • Pass-the-Hash: Uses hashed passwords to authenticate without needing the plaintext password.
  • Pass-the-Ticket: Uses Kerberos tickets to authenticate to other systems.
  • Golden Ticket: Forges a Kerberos ticket-granting ticket (TGT) using the KRBTGT account's password hash, giving domain-admin-level access to the whole domain for as long as that hash remains valid.

How it's delivered

Mimikatz is often delivered and executed without writing to disk, for example reflectively loaded into memory by a PowerShell script, which helps it evade file-based antivirus. Reading LSASS memory requires administrator (or SYSTEM) rights on the host, so it is a post-exploitation tool, not an initial-access one.

How it's been used

A Mimikatz-derived credential harvester was a component of the NotPetya (2017) ransomware worm, which used the stolen credentials to spread laterally; the worm is believed to have caused over a billion dollars in damages.

How to protect against it

Companies and organizations can protect their systems against Mimikatz with security patches, up-to-date software, and multi-factor authentication, and more specifically by disabling WDigest plaintext credential caching (UseLogonCredential = 0), enabling LSA protection (RunAsPPL) and Credential Guard so that lsass.exe memory cannot be read by ordinary administrators, restricting where privileged accounts may log on (so their credentials never land in memory on low-trust machines), and monitoring for processes that open lsass.exe.
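As an added example (not from the original notes, and not Mimikatz's own code), the Python below shows the two defensive checks a practitioner would actually wire up against the capabilities listed above: a detection over Sysmon Event ID 10 (ProcessAccess) records that flags unexpected processes opening lsass.exe with memory-read access, and an audit of the registry values that disable WDigest plaintext caching, enable LSA protection (RunAsPPL) and Credential Guard. The events, registry snapshots and the allowlist of legitimate LSASS readers are constructed for illustration and must be tuned for a real environment.

```python
# Added example: detection and hardening checks against LSASS credential theft.
# Events and registry snapshots below are constructed for illustration.

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Hypothetical allowlist of images that legitimately open lsass.exe; tune per environment.
KNOWN_LSASS_READERS = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
    r"C:\Program Files\Windows Defender\MsMpEng.exe",
}

# Constructed Sysmon Event ID 10 (ProcessAccess) records, reduced to the fields used here.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\Downloads\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]


def suspicious_lsass_access(events):
    """Return (source image, access mask) for unexpected processes that opened lsass.exe
    with PROCESS_VM_READ, the right Mimikatz needs in order to dump credentials."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10 or not ev["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        granted = ev["GrantedAccess"]
        access = granted if isinstance(granted, int) else int(granted, 16)
        if not access & PROCESS_VM_READ:
            continue  # query-only handles cannot read credential material
        if ev["SourceImage"] in KNOWN_LSASS_READERS:
            continue
        hits.append((ev["SourceImage"], hex(access)))
    return hits


# Registry values that close the easiest Mimikatz paths, keyed by (key path, value name)
# and mapped to the settings that count as hardened. An absent value is treated as weak
# (conservative: on Windows 8.1+ a missing UseLogonCredential already means disabled).
LSA_HARDENING = {
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "UseLogonCredential"): {0},  # no plaintext caching
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "RunAsPPL"): {1, 2},     # LSA runs as a protected process
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "LsaCfgFlags"): {1, 2},  # Credential Guard enabled
}

# Constructed snapshots: one host still caches WDigest plaintext, one is fully hardened.
SAMPLE_REGISTRY = {
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest", "UseLogonCredential"): 1,
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "RunAsPPL"): 1,
}
HARDENED_REGISTRY = {key: min(values) for key, values in LSA_HARDENING.items()}


def audit_lsa_hardening(registry):
    """Return (value name, actual, acceptable values) for each setting that is missing or weak."""
    findings = []
    for key, acceptable in LSA_HARDENING.items():
        actual = registry.get(key)
        if actual not in acceptable:
            findings.append((key[1], actual, sorted(acceptable)))
    return findings


if __name__ == "__main__":
    for image, mask in suspicious_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT lsass.exe opened with {mask} by {image}")
    for name, actual, ok in audit_lsa_hardening(SAMPLE_REGISTRY):
        print(f"WEAK {name}={actual!r}, expected one of {ok}")
```

Two design points: the detection keys on the PROCESS_VM_READ bit rather than on a list of exact masks, so a tool that requests PROCESS_ALL_ACCESS (0x1FFFFF) or an unusual combination is still caught, and the hardening audit treats a missing value as a finding so that a host nobody has ever configured shows up rather than passing by default.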

Mimikatz was first developed in 2007 by French security researcher Benjamin Delpy (gentilkiwi) to demonstrate weaknesses in Windows authentication.

Tuesday, October 15, 2024

IPv4 Address Class Ranges

IPv4 addresses are divided into five classes, each with a specific range and purpose. Here are the details:

Class A:

  • Range: 1.0.0.0 to 126.0.0.0 (first octet 0 to 127; 0.0.0.0/8 and the loopback block 127.0.0.0/8 are reserved, which is why 1 to 126 is quoted)
  • Purpose: Designed for very large networks (default mask 255.0.0.0).
  • Private Range: 10.0.0.0 to 10.255.255.255 (10.0.0.0/8).

Class B:

  • Range: 128.0.0.0 to 191.255.0.0 (first octet 128 to 191)
  • Purpose: Suitable for medium-sized networks (default mask 255.255.0.0).
  • Private Range: 172.16.0.0 to 172.31.255.255 (172.16.0.0/12; note that 172.32.x.x is public).

Class C:

  • Range: 192.0.0.0 to 223.255.255.0 (first octet 192 to 223)
  • Purpose: Used for small networks (default mask 255.255.255.0).
  • Private Range: 192.168.0.0 to 192.168.255.255 (192.168.0.0/16).

Class D:

  • Range: 224.0.0.0 to 239.255.255.255
  • Purpose: Reserved for multicast groups.

Class E:

  • Range: 240.0.0.0 to 255.255.255.255
  • Purpose: Reserved for experimental use.

These classes help organize and allocate IP addresses efficiently across different types of networks.

Any of the three private ranges (RFC 1918) can be used on an internal network regardless of its size; the class-to-network-size mapping is only a convention, and modern networks use classless (CIDR) addressing in any case.
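Added example (not from the original notes): a Python classifier built on the standard library's ipaddress module that returns the class, default mask, classful network and RFC 1918 status of an address. It goes slightly beyond the table above by also flagging loopback addresses and by catching the common exam trap that 172.32.0.0 is not private. The test addresses are arbitrary.

```python
import ipaddress

# RFC 1918 private ranges, the same ones listed beside each class above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Classful ranges by first octet and the default prefix length of each class.
# Class A is technically 0-127; 0.0.0.0/8 and 127.0.0.0/8 are reserved, which
# is why exam tables quote 1-126 as the usable range.
CLASS_TABLE = (
    ("A", range(0, 128), 8, "unicast, very large networks"),
    ("B", range(128, 192), 16, "unicast, medium-sized networks"),
    ("C", range(192, 224), 24, "unicast, small networks"),
    ("D", range(224, 240), None, "multicast"),
    ("E", range(240, 256), None, "experimental / reserved"),
)


def classify(addr_str):
    """Return class, default mask, classful network and privacy status of an IPv4 address."""
    addr = ipaddress.ip_address(addr_str)
    if addr.version != 4:
        raise ValueError("IPv4 addresses only; IPv6 has no address classes")
    first_octet = int(addr) >> 24
    for cls, octets, prefix, usage in CLASS_TABLE:
        if first_octet in octets:
            break
    return {
        "address": str(addr),
        "class": cls,
        "usage": usage,
        # Default (classful) mask and the network the address would fall in under classful rules.
        "default_mask": str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask) if prefix else None,
        "classful_network": str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False)) if prefix else None,
        # Private status is decided by RFC 1918 membership, not by class.
        "private": any(addr in net for net in RFC1918),
        "loopback": addr.is_loopback,
    }


if __name__ == "__main__":
    for sample in ("10.1.2.3", "172.20.5.6", "172.32.0.1", "192.168.1.1", "224.0.0.251", "127.0.0.1"):
        info = classify(sample)
        print(f"{sample:>14}  class {info['class']}  mask {info['default_mask']}  "
              f"net {info['classful_network']}  private={info['private']}  loopback={info['loopback']}")
```

The privacy check deliberately uses network membership rather than the class: 172.32.0.1 is a class B address and is not private, and 127.0.0.1 is class A but is loopback, not a usable private address.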

This is covered in A+, Network+, and Server+.

APFS (Apple File System)

Apple File System (APFS) is the file system Apple introduced in 2017 for its devices. Its notable features are built-in encryption, on-demand space allocation shared between volumes, and copy-on-write clones and snapshots.

Encryption

APFS has encryption built into the file system rather than layered underneath it: a volume can be unencrypted, encrypted with a single key, or multi-key encrypted with per-file keys and a separate key for metadata. FileVault uses the volume-level mode on Macs; per-file data protection on iOS uses the multi-key mode.

Data storage

APFS is optimized for solid-state drives (SSDs) used in most modern Mac computers. APFS allocates storage space on demand and can share space between multiple volumes within a container.

Cloning

APFS can duplicate a file instantly using copy-on-write: the clone shares the original's blocks and consumes no additional space until either copy is modified. Snapshots of a whole volume work the same way.

APFS is the default file system for Mac computers running macOS 10.13 (High Sierra) or later, and is also used on iOS, tvOS, and watchOS. For Mac-only use APFS is the better choice; exFAT is the practical option for removable media that must also be read by Windows computers.

ext3 vs ext4

Ext4 is an advanced version of the ext3 file system for Linux that offers several improvements, including:

File and partition sizes:

Ext4 supports files up to 16 TiB and volumes up to 1 EiB (with 4 KiB blocks), while ext3 tops out at 2 TiB files and 16 TiB volumes.

Sub-directories:

Ext4 supports unlimited sub-directories, while ext3 only supports up to 32,000.

Performance:

Ext4 is faster because it uses extents (one descriptor covering a contiguous run of blocks instead of a per-block map) and delayed allocation, which lets the allocator pick contiguous space when data is actually flushed rather than when it is written.

Reliability:

Ext4 is more robust because it checksums the journal (and, with the metadata_csum feature, other metadata too), and its multi-block allocator reduces fragmentation.

Flexibility:

Ext4 supports online defragmentation (e4defrag) and online resizing of mounted file systems.

Scalability:

Ext4 is designed to support large file systems and keep up with increasing disk capacities.

Ext3 was the default file system for many Linux distributions through the 2000s; ext4 has replaced it as the default in most distributions, and existing ext3 volumes can be mounted by the ext4 driver.

exFAT File System

exFAT (Extended File Allocation Table) is a Microsoft file system designed for removable flash media such as USB drives, SD cards, digital cameras, and mobile phones.

Storage capacity

exFAT removes the 4 GB maximum file size of FAT32 (its own limits are far beyond any current media), so it is the usual choice for flash media that must hold large video or disk-image files.

Compatibility

exFAT is supported by current Windows and macOS versions (older versions may need an update) and by recent Linux kernels.

Default file system

exFAT is the mandated file system for SDXC and SDUC cards, i.e. capacities above 32 GB.

Other devices

exFAT is also used in smart televisions, portable music and video players, and media centers.

Some things to keep in mind about exFAT include:

Not journaled

exFAT has no journal, so if the drive is removed or loses power during a write, files can be lost or the volume corrupted.

Not compatible with some older devices

Older operating systems and devices (for example, Windows XP without the exFAT update, or older cameras) do not support exFAT.

Not suitable for intensive applications

exFAT is built for simple removable media, not for heavy or continuous write workloads; without a journal an interrupted write can leave the volume inconsistent, and a transfer may have to be repeated.

Data loss

exFAT normally keeps only a single copy of the file allocation table (FAT32 keeps two), so a damaged table cannot be repaired from a backup copy; always eject exFAT media safely before removing it.