SandPaper @SandPaper@infosec.exchange

I'm compiling a list of interview questions & links of q&a for people trying to get into infosec roles. What are some basic/moderate/advanced questions you'd expect to ask or be asked on an interview? From what is port 25? How does a reflection attack work and how can you mitigate it? Over which port does ICMP function? Please give me your questions, your links, your huddled masses.

@stuarttempleton how'd your game jam go?

Happy #patchfriday

https://www.us-cert.gov/ncas/current-activity/2019/01/04/CERTCC-Reports-Critical-Vulnerabilities-Microsoft-Windows-Server

I'm curious about recommended documentation specifically on API best practices. OWASP seems to have a dead project and some other REST risk documents. I found NIST 800-95 circa 2007. I'm just wondering if a NIST document or other resources are eluding my first attempts. I'm looking to set up a high level policy on API/API gateway requirements.

Dumb question for anyone with experience with Mac OSX STIGs. I have 10.13 High Sierra I need to apply STIGs to. NIST and DISA are for 10.12 Sierra. Can those be applied to 10.13 or will something break? Looks like CIS has 10.13; might just go with that. My experience with Apple is limited hence the question.

Above doesn't require priv escalation. You could also run netstat -naob as admin to get the process name from the start along with other variations of the commands. Some require priv escalation. Listing parentprocessid helps follow the trail of what invoked that process. Some services run under svchost process and you need service details to figure out what it is. Know what's normal to find the bad.

Hmmm svchost.exe?

What's running under svchost besides everything?

C:\wmic service where processid=3392 get name, servicetype, pathname

Name CDPSvc PathName C:\WINDOWS\system32\svchost.exe -k LocalService -p ServiceType Share Process

Ok. CDPSvc syncs mail, calendar, contact info.

Some helpful blue team commands?:

C:\netstat -nao

TCP [Local address]:55824 [Dest address]:443 ESTABLISHED 5748

What's that lil guy connecting out under Process ID PID 5748?

C:\wmic process where processid=5748 get name, parentprocessid

Name Firefox.exe

Cool. My browser IS running right now. But what's that other guy LISTENING on port 5040?

C:\wmic process where processid=3392 get name, parentprocessid

Name svchost.exe

PCI-DSS 8.1.8 lists 15 min but I'm assuming this is related to anything in scope of processing, storing, etc PCI data. 12.3.8 goes into automatic disconnect of sessions for remote-access technologies, but doesn't establish a timeframe; just that a timeframe exists.

Maybe I'm looking in the wrong places?

I'm curious what people would recommend for VPN session lengths and timeout periods for remote workers and why.

Looking at NIST SP 800-53r4 AC-11, it goes into session lock in general as defined by org by risk; sometimes no session lengths if org determines a session is mission critical.

...

When you submit IP ranges involved with coinmining malware to a cloud security company and they categorize it as "financial services." That's some "next-gen" right there. 🤔

@FlyingLawyer found these blogs related to backup tapes not being included in scope of erasure with certain stipulations. Opinion provided by French data protection authority (CNIL).

http://blog.quantum.com/the-general-data-protection-regulation-and-tape-the-elephant-in-the-room-is-ransomware/

http://blog.quantum.com/backup-administrators-the-1-advice-to-deal-with-gdpr-and-the-right-of-erasure/?utm_source=blog&utm_medium=direct_marketing&utm_campaign=blog#.Wm-_Mq6nGUk

Must find time to dig into this. Maybe I'll set an OOO. That'll surely prevent new work from coming in.

https://twitter.com/Viss/status/1016445316772462593?s=19

https://lmgsecurity.com/exposing-the-secret-office-365-forensics-tool/

https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/