99% of malware is sent by either web server or email

Did you know?
More than 99% of malware is sent by either web server or email

 

 

New CyberOps Associate Course

During the summer a new CyberOps Course will be released focussing on the new CyberOps Associate certification. BiASC is ready to support all Cisco Academies and instructors interested in CyberSecurity Operations.

The CyberOps Associate Course aligns with the new CBROPS 200-201 Certification Exam. The major difference between the previous CCNA CyberOps and the CyberOps Associate certification is the shift in the requirement for two exams to certify to one exam. The new, consolidated CyberOps Associate has been updated to cover the latest fundamentals for entry-level cybersecurity operations job roles (SOC analyst).

The course covers: Security concepts, security monitoring, host-based analysis, network intrusion analysis, and security policies and procedures. This includes some new topics such as: access control models for digital assets, malware analysis and interpretation, identifying protected data, and understanding key SOC metrics to expedite detection and containment of breaches. Networking fundamentals have been removed and are part of the CCNA certification.

Torchlight's Academic Cybersecurity Tournament February 2020

What is Torchlight's Academic CyberSecurity Tournament?

A CyberSecurity Tournament is being organized in February for IT students in Information Security.

Several partners within the industry will be challenging the participants within their respective arenas.

This is an opportunity to meet and challenge your potential future colleagues, to have fun, to win prizes and to learn and gain lots of experience.

A ceremony will be held after the tournament to congratulate the participants, thank the partners and distribute their prizes. Additionally the winner of the tournament will receive a certificate of accomplishment.

 

More information: https://docs.google.com/forms/d/e/1FAIpQLSen6cT-AhqZGIV6Xo6HeSvx9iS8ereZiNlDgp4-Ji0CqsZ8mg/viewform

European Cybersecurity Awareness Month 2019

This Month is a Cyber Security Awareness Month. Cisco has prepared a special page with useful resources. They have posted two Cybersecurity courses on it.

Getting into Cyber

If you’re thinking about exploring a path in cyber, read our experts' personal stories on how they did it, and sign up to free online training.

• Blog: Tales from the front line
 
• Free online course option 1: Introduction to cybersecurity
 
• Free online course option 2: Cybersecurity essentials

Your Personal Online Security

Want to know how to protect yourself and your loved ones online? Here are some tips.

• Free phishing simulator: Create phishing campaigns to create more awareness
 
• Blog: Top 5 online scams and how to spot them 

The Threat Landscape

Get the latest cyber threat information from Cisco’s dedicated threat intelligence team, Cisco Talos

• International Threat Map: Search for real-time threat data
 
• Blog: The 5 biggest threats you need to know about
 
• Video: Fighting the good fight: How Cisco Talos combats cybercrime

The Future of the Cybersecurity

Get the latest insights into how to keep cyber criminals at bay

• Blog: Tools to fight cybercrime
• On demand webinar: Zero Trust for dummies

Palo Alto Cybersecurity Academy Overview

Palo Alto Cybersecurity Academy Overview

PDF: Download Palo Alto Networks Cybersecurity Academy Overview - BENELUX IT ACADEMY SHOW EXPLORATION DAY 23 MAY 2019 (1)

Getting to know DNS security

More than 91% of malware uses DNS to gain command and control, exfiltrate data, or redirect web traffic.

Watch this webinar session to learn how DNS-layer security can help you block threats before they can reach your network or endpoints.
URL: https://learn-umbrella.cisco.com/webcasts/getting-to-know-dns-security-again-2

Before, During, and After a Security Attack -- Online Webinar

Before, During, and After a Security Attack, 17 April, 9:00 a.m. Pacific Daylight Time: Register Here

Have you ever wondered what happens before a bad actor attacks a network? The hope is that their attempt to infiltrate the infrastructure will be eliminated by the layers of security protection built into the network. However, sometimes the attackers exploit an unknown, so-called, 0-day vulnerability to get inside. Do not panic – even during the attack, we can collect valuable information and learn how the attack is being-executed and if or where it is spreading.

Moreover, based on the collected information, we know where we should concentrate our cleaning efforts after the attack has been discovered and eliminated. Join this session to learn more about threat protection, and how simple scripts with programmability and automation can turn your response time to an attack from minutes to seconds.

If you register, you will get access to the recording.

 

OAuth Architecture

The diagram shows the OAuth architecture, and the relationships between the Resource Owner (you, the user), the Resource Provider (which authenticates users and authorizes the third-party applications), and the Third-Party Application (such as a money management app, an online shopping cart, a mobile phone ticket repository, online storage, and more). If you have ever used the feature, “Log in with Facebook,” or “Sign in with Google,” on web sites that are not administered by Facebook or Google, then you have used OAuth. Facebook or Google is the “resource provider,” verifying that you, the “resource owner,” have successfully authenticated; after successful authentication, the “resource provider,” can provide access to the “third party,” based on what the “resource owner” (you) have authorized the resource provider to provide. This fragment is based on the Cisco Learning Library, interactive online course materials: Introducing Cloud Consumer Security (SECICC) v1.0

OAuth is an open authorization protocol, which allows access to application environments without the explicit sharing of login credentials. You can think of OAuth as a “go-between” authenticator, similar to RADIUS or TACACS, except that usernames and passwords are never exchanged in an OAuth framework.

Implementing OAuth

It’s important to keep in mind that OAuth is a protocol, not an application service itself. Using OAuth requires an application. This is very similar to SSH.

Simply building OAuth into an application does not guarantee integration or support. In the OAuth framework, the Third-Party Application needs to “register” with the Resource Provider in order to exchange Authorization Grants and Tokens.

 

Being BiASC, Trusted Advisor

Being BiASC, a trusted advisor in innovation in IT education, we are in frequent contact with IT Vendors and other partners offering or supporting IT academy programmes.

All BiASC academy members have the right to be informed of developments and opportunities.

Evaluating New Cisco IoT Security Course

A new course called IoT Security will be available soon. With BiASC we are currently evaluating this course, which is still under limited availability.

What is IoT Security about?

Internet of Things is one of the key pillars in the forces of digital disruption that enable digital transformation in every industry. At the same time, the enormous increase of connected IoT devices is not only enabling the digitization of industries, but also increases the landscape of possible security threats. The IoT Security course provides the learner with introductory skills to perform Vulnerability and Risk Assessments on IoT solutions in a specific business context. Students who complete the IoT Security course will be able to assess, research, and provide risk mitigation strategies for common security vulnerabilities in IoT systems. Students seeking a career in the rapidly growing IoT and Security domains will learn practical tools for evaluating security vulnerabilities in IoT solutions, perform threat modeling, and use risk management frameworks to recommend threat mitigation measures.

Research practice and ethical hacking

As in the CyberOperations course students have to accept the ethical hacking agreement.

One of the practice labs is with Shodan explained on the SANS Penetration Testing Website. Also Kali Linux will be used.

Shodan is a search engine that takes a distinct departure from most Internet search engines. Instead of searching through content intentionally served up and delivered to web browsers, Shodan allows us to search for Internet-connected devices.

URL: https://pen-testing.sans.org/blog/2015/12/08/effective-shodan-searches

Next Steps

If instructors in Belgium are interested, we will organise an IoT Security initial training between October and December 2018, as well as in May 2019. Please send a mail to <yvan@biasc.be> if you would like to receive more information

 

 

Cisco ASA NAT – Configuration Guide

The Cisco ASA and Cisco ASA-X firewalls provides nearly infinite flexibility in so far as their NAT configuration. From the modularity of using objects, to the simplicity of configuring Auto NAT, to the granularity of Manual NAT, to the precision of NAT precedence  — the ASA can do it all.

This article covers each of these concepts in detail, explaining what they mean, when to use them, and how to apply them. If you read it from start to finish, and were able to follow with the examples and illustrations, then you can decidedly consider yourself an address translation expert on the Cisco ASA platform.

Part 1 – NAT Syntax
Objects - Real and Mapped - Auto NAT  - Manual NAT 

Part 2 – NAT Configuration Examples
Static NAT - Static PAT - Dynamic PAT - Dynamic NAT

Part 3 – Advanced NAT
Policy NAT - Twice NAT - NAT Precedence - Identity NAT

Here is the complete guide: http://www.practicalnetworking.net/stand-alone/cisco-asa-nat/

April 16, 2018 By Ed Harmoush

Workshop | Adaptive Security Appliance ASA | Configuration using CLI

Here is the presentation for the ASA workshop prepared by Nico Declerck. The materials were used at the recent BiASC Workshop Day at Cisco Diegem on 20 April 2018.

• Download Cisco Benelux Forum - ASA CLI

Cybersecurity Essentials Course Deep Dive Training (Free!)

OPEN SESSION! 

BiASC and Cisco Netacad are offering a Cybersecurity Essentials Course Deep Dive in English for existing as well as new and potential instructors.

More information and Registration: http://cs.co/netacadcyber/  

CyberSecurity Webinars - maart & april 2018 - Cisco DVN

In het kader van Digitale Versnelling Nederland worden in maart en april webinars georganiseerd met sprekers die ervaring hebben in de verschillende domeinen van CyberSecurity. De doelgroep voor de Cyber Security webinars is iedereen (binnen en buiten het securitydomein) die interesse heeft in hacken, innovatie en overheidsbeleid ten aanzien van CyberSecurity in Nederland. De Netacad cursus Introduction to CyberSecurity wordt gekoppeld aan de webinars. 

The State of CyberSecurity - Cisco Live 2018

   

PDF: Download BRKSEC-2010

Case Study: http://blog.talosintelligence.com/2017/10/bad-rabbit.html

Botnet explained in CyberSecurity Operations

After the CyberSecurity Operations course you will be able to analyse and explain the actions of a botnet.

A botnet consists of a group of "zombie" computers that run robots (or bots) and a master control mechanism that provides direction and control for the zombies. The originator of a botnet uses the master control mechanism on a command-and-control server to control the zombie computers remotely using IRC or other means.

A botnet typically operates as follows:

A botnet operator infects computers by sending them malicious bots. A malicious bot is self-propagating malware that is designed to infect a host and connect back to the command-and-control server. In addition to its worm-like ability to self-propagate, a bot can include the ability to log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch DoS attacks, relay spam, and open back doors on the infected host.

Bots have all the advantages of worms, but are generally much more versatile in their infection vector, and are often modified within hours of publication of a new exploit. Bots have been known to exploit back doors that are opened by worms and viruses, which allows the bots to access networks that have good perimeter control. Bots can infect networks in a way that escapes immediate detection.

The bot on the newly infected host logs in to the command-and-control server and awaits for the commands. Often, the CnC traffic is sent using either IRC, P2P, DNS, HTTP, and HTTPS. When using HTTPS, the CnC traffic will be encrypted using TLS or SSL, making it harder to detect.

Instructions are sent from the CnC server to each bot (zombie) in the botnet to execute actions. When the zombies receive the instructions, they begin generating malicious traffic that is aimed at the victim. Zombies mostly run a covert channel to communicate with the command-and-control server that the attacker controls.

Typical Attack Compromising a Victim's Computer

In the new CCNA CyberSecurity Operations course you learn how to understand attack patterns and how to deal with it as a network defender. Only six steps are necessary to start malicious activity in which a command and control (C2) server is involved. In the image above you see a typical  network attack in which a victim's computer is being compromized step by step. 

Source

Chris Sanders, Security Onion 2016: The Investigators Labyrinth: A Data-Driven Perspective, 29:38
Published on Youtube 12  SEP 2016 
URL: https://www.youtube.com/watch?v=nW9g2K69qOA

 

VERIS Framework for CyberSecurity Incidents

- - -

How to describe security incidents is an important part in the CCNA CyberSecurity Operations course.
URL: http://veriscommunity.net/index.html

VERIS means"Vocabulary for Event Recording and Incident Sharing"

• Vocabulary for event recording and incident sharing
• Common language for describing security incidents in a structured and repeatable manner

 The VERIS Community Database (VCDB) is an open and free repository of publicly-reported security incidents in VERIS format. 

Example

URL: https://incident.veriscommunity.net/s3/example

More information

GitHub: https://github.com/vz-risk/veris

Common Attack Pattern Enumeration and Classification (CAPEC™)

In the CyberSecurity Operations course there are mutiple descriptions of attack patterns. CAPEC is a good source to understand cyber attacks.

The objective of the Common Attack Pattern Enumeration and Classification (CAPEC™) effort is to provide a publicly available catalog of common attack patterns classified in an intuitive manner, along with a comprehensive schema for describing related attacks and sharing information about them.

Some Well-Known Attack Patterns:
HTTP Response Splitting (CAPEC-34) Session Fixation (CAPEC-61) Cross Site Request Forgery (CAPEC-62) SQL Injection (CAPEC-66) Cross-Site Scripting (CAPEC-63) Buffer Overflow (CAPEC-100) Clickjacking (CAPEC-103) Relative Path Traversal (CAPEC-139) XML Attribute Blowup (CAPEC-229)

 For an experienced security engineer, the value of an attack pattern is not that it presents a new idea, but that it helps communicate a common idea with others. If you and a colleague all know what clickjacking is, then you can communicate a lot by saying: "This attack leverages clickjacking."

This information when captured in such a formalized way can bring considerable value to security considerations for cyber-enabled capabilities through all phases of the development lifecycle and other security-related activities, including:

• Requirements Gathering – Identification of relevant security requirements, misuse and abuse cases.
• Architecture and Design – Provide context for architectural risk analysis and guidance for security architecture.
• Implementation and Development – Prioritize and guide review activities.
• Testing and Quality Assurance – Provide context for appropriate risk-based and penetration testing.
• System Operation – Leverage lessons learned from security incidents into preventative guidance
• Policy and Standard Generation – Guide the identification of appropriate prescriptive organizational policies and standards.

Of course, attack patterns are not the only useful tool for building secure cyber-enabled capabilities. Many other tools, such as misuse/abuse cases, security requirements, threat models, knowledge of common weaknesses and vulnerabilities, and attack trees, can help. Attack patterns play a unique role amid this larger architecture of security knowledge and techniques.

 

Source URL: http://capec.mitre.org/about/index.html

Malware Analysis with SecurityOnion (Video)

This video demonstrates how one could use the SecurityOnion distribution to analyze a pcap, captured during a malware infection. This video will demonstrate this by using tcpreplay to "replay" a pcap of an Angler EK infection. Using various tools provided in the SecurityOnion distribution you will discover the chain of events that led up to the compromise.

Tools used are SecurityOnion, SGUIL, WHOIS, SNORT, ELSA, BRO and more

PCAP provided by http://www.malware-traffic-analysis.net/

More videos: https://github.com/Security-Onion-Solutions/security-onion/wiki/Videos

This video is a demo used in the workshops of the CyberSecurity Operations Networking Academy course.