<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[ARTHDSEC]]></title><description><![CDATA[Where a cybersecurity researcher breaks down technical insights into digestible knowledge chunks.]]></description><link>https://arthdsec.com</link><image><url>https://substackcdn.com/image/fetch/$s_!w1ce!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F170b4d54-730e-42d7-91de-9180f56e01ca_256x256.png</url><title>ARTHDSEC</title><link>https://arthdsec.com</link></image><generator>Substack</generator><lastBuildDate>Thu, 16 Apr 2026 20:40:45 GMT</lastBuildDate><atom:link href="https://arthdsec.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Arwind Tharumadurai]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[arthdsec@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[arthdsec@substack.com]]></itunes:email><itunes:name><![CDATA[Arwind Tharumadurai]]></itunes:name></itunes:owner><itunes:author><![CDATA[Arwind Tharumadurai]]></itunes:author><googleplay:owner><![CDATA[arthdsec@substack.com]]></googleplay:owner><googleplay:email><![CDATA[arthdsec@substack.com]]></googleplay:email><googleplay:author><![CDATA[Arwind Tharumadurai]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[CVE-2020-21469 is not a security vulnerability]]></title><description><![CDATA[On August 29th, 2023, the PostgreSQL Security Team ruled that CVE-2020-21469 is not a valid security vulnerability.]]></description><link>https://arthdsec.com/p/cve-2020-21469-is-not-a-security</link><guid 
isPermaLink="false">https://arthdsec.com/p/cve-2020-21469-is-not-a-security</guid><dc:creator><![CDATA[Arwind Tharumadurai]]></dc:creator><pubDate>Wed, 31 Dec 2025 05:29:22 GMT</pubDate><enclosure url="https://images.unsplash.com/photo-1504275107627-0c2ba7a43dba?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3N3x8cmFuZG9tfGVufDB8fHx8MTc2NzA4NjA3Nnww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://images.unsplash.com/photo-1504275107627-0c2ba7a43dba?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3N3x8cmFuZG9tfGVufDB8fHx8MTc2NzA4NjA3Nnww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://images.unsplash.com/photo-1504275107627-0c2ba7a43dba?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3N3x8cmFuZG9tfGVufDB8fHx8MTc2NzA4NjA3Nnww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1504275107627-0c2ba7a43dba?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3N3x8cmFuZG9tfGVufDB8fHx8MTc2NzA4NjA3Nnww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1504275107627-0c2ba7a43dba?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3N3x8cmFuZG9tfGVufDB8fHx8MTc2NzA4NjA3Nnww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, https://images.unsplash.com/photo-1504275107627-0c2ba7a43dba?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3N3x8cmFuZG9tfGVufDB8fHx8MTc2NzA4NjA3Nnww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw"><img 
src="https://images.unsplash.com/photo-1504275107627-0c2ba7a43dba?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3N3x8cmFuZG9tfGVufDB8fHx8MTc2NzA4NjA3Nnww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080" width="4446" height="3334" data-attrs="{&quot;src&quot;:&quot;https://images.unsplash.com/photo-1504275107627-0c2ba7a43dba?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3N3x8cmFuZG9tfGVufDB8fHx8MTc2NzA4NjA3Nnww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:3334,&quot;width&quot;:4446,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;assorted-color lockers&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="assorted-color lockers" title="assorted-color lockers" srcset="https://images.unsplash.com/photo-1504275107627-0c2ba7a43dba?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3N3x8cmFuZG9tfGVufDB8fHx8MTc2NzA4NjA3Nnww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 424w, https://images.unsplash.com/photo-1504275107627-0c2ba7a43dba?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3N3x8cmFuZG9tfGVufDB8fHx8MTc2NzA4NjA3Nnww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 848w, https://images.unsplash.com/photo-1504275107627-0c2ba7a43dba?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3N3x8cmFuZG9tfGVufDB8fHx8MTc2NzA4NjA3Nnww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1272w, 
https://images.unsplash.com/photo-1504275107627-0c2ba7a43dba?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wzMDAzMzh8MHwxfHNlYXJjaHw3N3x8cmFuZG9tfGVufDB8fHx8MTc2NzA4NjA3Nnww&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080 1456w" sizes="100vw" fetchpriority="high"></picture></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@moren">moren hsu</a> on <a href="https://unsplash.com">Unsplash</a></figcaption></figure></div><p>On August 29th, 2023, the PostgreSQL Security Team ruled that <strong>CVE-2020-21469</strong> is not a valid security vulnerability.</p><p>The CVE, originally discovered in PostgreSQL 12.2, 
purportedly allowed attackers to cause a Denial of Service (DoS) by repeatedly sending SIGHUP signals to the primary PostgreSQL process. In Linux environments, SIGHUP (Signal Hang Up) is typically used by daemons - such as web or database servers - to trigger a configuration file reload without stopping the process.</p><p>The security team disputed the vulnerability classification because the attack vector requires an account with explicitly granted elevated privileges. To execute this attack, a user must be one of the following:</p><ul><li><p>A PostgreSQL superuser</p></li><li><p>A user explicitly granted permission to execute <code>pg_reload_conf</code> by a superuser</p></li><li><p>An operating system user with privileged access to the server process</p></li></ul><p>As noted by Eugene Lim in <em>From Day Zero to Zero Day</em>, if an attacker already possesses these privileges, they can compromise or halt the database using standard functionality without needing to exploit this specific &#8220;vulnerability&#8221;.</p><p>The PostgreSQL Security Team&#8217;s stance relies on the principle that <strong>superuser access implies total control</strong>. If a user can send process signals (like SIGHUP) or execute <code>pg_reload_conf</code>, they have administrative control. 
A DoS by an administrator is considered a configuration or personnel issue, not a software vulnerability.</p>]]></content:encoded></item><item><title><![CDATA[Dear Intern, here is my advice!]]></title><description><![CDATA[The world of cybersecurity is ever evolving and landing an internship is an incredible opportunity.]]></description><link>https://arthdsec.com/p/dear-intern-here-is-my-advice</link><guid isPermaLink="false">https://arthdsec.com/p/dear-intern-here-is-my-advice</guid><dc:creator><![CDATA[Arwind Tharumadurai]]></dc:creator><pubDate>Mon, 29 May 2023 01:49:22 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/b6a561b5-3085-45cb-bc90-3d62faa9597b_2000x2000.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!9l2u!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F69e45791-eb08-4305-9605-25bc14212d73_2000x2000.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!9l2u!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F69e45791-eb08-4305-9605-25bc14212d73_2000x2000.jpeg 424w, https://substackcdn.com/image/fetch/$s_!9l2u!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F69e45791-eb08-4305-9605-25bc14212d73_2000x2000.jpeg 848w, https://substackcdn.com/image/fetch/$s_!9l2u!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F69e45791-eb08-4305-9605-25bc14212d73_2000x2000.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!9l2u!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F69e45791-eb08-4305-9605-25bc14212d73_2000x2000.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!9l2u!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F69e45791-eb08-4305-9605-25bc14212d73_2000x2000.jpeg" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/69e45791-eb08-4305-9605-25bc14212d73_2000x2000.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!9l2u!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F69e45791-eb08-4305-9605-25bc14212d73_2000x2000.jpeg 424w, https://substackcdn.com/image/fetch/$s_!9l2u!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F69e45791-eb08-4305-9605-25bc14212d73_2000x2000.jpeg 848w, https://substackcdn.com/image/fetch/$s_!9l2u!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F69e45791-eb08-4305-9605-25bc14212d73_2000x2000.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!9l2u!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F69e45791-eb08-4305-9605-25bc14212d73_2000x2000.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/de/@chmarco?utm_source=ghost&amp;utm_medium=referral&amp;utm_campaign=api-credit">Marco Chilese</a> / <a href="https://unsplash.com/?utm_source=ghost&amp;utm_medium=referral&amp;utm_campaign=api-credit">Unsplash</a></figcaption></figure></div><p>The world of cybersecurity is ever evolving and landing an internship is an incredible opportunity. You can gain real-world experience of how things get done and how threat actors launch attacks against an organisation. Beyond that practical experience, you can expand your knowledge and set a solid foundation for your future career. As a cybersecurity administrator, I have traversed the cybersecurity landscape, and I would like to share some valuable advice with you, the current crop of cybersecurity interns. So buckle up, put on your virtual armor, and let's dive into the world of cybersecurity internships!</p><h2>Communication is the key</h2><h3>"As they always say"</h3><p>One of the most crucial aspects of being a successful cybersecurity intern is effective communication. Cybersecurity is a team sport, and keeping an open line of communication with your colleagues is essential. Whether you have a question, need clarification, or want to share your insights, don't hesitate to reach out. Regularly engage in team meetings, discussions, and brainstorming sessions to collaborate effectively. By fostering a culture of communication, you not only contribute to the team's success but also enhance your own learning experience.</p><h2>Do not be dependent. Show that you are more than their expectations</h2><h3>Captain Yami: Push your limits! 
Right Now, Right Here</h3><p>Internships are the perfect opportunity to showcase your skills and prove that you are capable of going above and beyond expectations. Don't limit yourself to the tasks assigned to you; instead, take initiative and explore areas that interest you. Show your supervisors and colleagues that you are eager to learn and contribute in ways they may not have anticipated. Take on additional responsibilities, offer assistance where needed, and demonstrate your ability to take charge when required. Remember, the cybersecurity landscape is constantly evolving, and being adaptable and proactive will set you apart from the rest.</p><h2>Always be humble</h2><h3>"GaryVee's favorite ingredient"</h3><p>Humility is a quality that goes a long way in the field of cybersecurity. While your internship is undoubtedly a stepping stone toward your future career, it's important to approach it with humility. Recognize that you still have much to learn and embrace every opportunity as a chance to grow. Be open to feedback, listen attentively, and learn from the experiences of your mentors and team members. 
Remember, the world of cybersecurity is vast and complex, and maintaining a humble attitude will not only earn you respect but also help you acquire knowledge and skills that can't be taught in a classroom.</p><h2>Even if you're just an intern, do not be afraid of giving out ideas</h2><h3>Even flat-earthers give out their ideas &#127758;</h3><p>Internships are not just about completing assigned tasks; they are also a platform for you to share your unique perspectives and ideas. Don't underestimate the value of your insights, even as an intern. Cybersecurity is an ever-changing field that thrives on innovation and out-of-the-box thinking. Your fresh perspective may uncover vulnerabilities, suggest novel approaches, or contribute to process improvements. So, don't be afraid to speak up and share your ideas. Your voice matters, and your unique perspective could make a significant impact on the team.</p><p>As you embark on your cybersecurity internship journey, remember that you are part of a dynamic and rapidly growing field. Embrace the challenges, stay curious, and seize every opportunity to learn. Cybersecurity is not just a job; it's a mindset, a commitment to protecting critical information and infrastructure in an increasingly digital world. By following these pieces of advice, you will not only make the most of your internship experience but also set yourself up for a promising career in the realm of cybersecurity.</p>]]></content:encoded></item><item><title><![CDATA[File Sharing is just a name. 
Discover the protocols underneath.]]></title><description><![CDATA[File sharing has become a fundamental part of our lives, allowing us to transfer data quickly and efficiently.]]></description><link>https://arthdsec.com/p/file-sharing-is-just-a-name-discover-the-protocols-underneath</link><guid isPermaLink="false">https://arthdsec.com/p/file-sharing-is-just-a-name-discover-the-protocols-underneath</guid><dc:creator><![CDATA[Arwind Tharumadurai]]></dc:creator><pubDate>Wed, 03 May 2023 02:46:42 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/8cf34bbb-7681-440c-84ba-d1416870088d_2240x1260.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!POFY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc05233c1-de82-403d-abb7-a4ff2604991e_2240x1260.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!POFY!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc05233c1-de82-403d-abb7-a4ff2604991e_2240x1260.png 424w, https://substackcdn.com/image/fetch/$s_!POFY!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc05233c1-de82-403d-abb7-a4ff2604991e_2240x1260.png 848w, https://substackcdn.com/image/fetch/$s_!POFY!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc05233c1-de82-403d-abb7-a4ff2604991e_2240x1260.png 1272w, 
https://substackcdn.com/image/fetch/$s_!POFY!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc05233c1-de82-403d-abb7-a4ff2604991e_2240x1260.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!POFY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc05233c1-de82-403d-abb7-a4ff2604991e_2240x1260.png" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c05233c1-de82-403d-abb7-a4ff2604991e_2240x1260.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!POFY!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc05233c1-de82-403d-abb7-a4ff2604991e_2240x1260.png 424w, https://substackcdn.com/image/fetch/$s_!POFY!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc05233c1-de82-403d-abb7-a4ff2604991e_2240x1260.png 848w, https://substackcdn.com/image/fetch/$s_!POFY!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc05233c1-de82-403d-abb7-a4ff2604991e_2240x1260.png 1272w, 
https://substackcdn.com/image/fetch/$s_!POFY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc05233c1-de82-403d-abb7-a4ff2604991e_2240x1260.png 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a></figure></div><p>File sharing has become a fundamental part of our lives, allowing us to transfer data quickly and efficiently. With the rise of the Internet and the advent of digital technology, sharing files has become easier than ever before. To enable file sharing, various protocols have been developed over time that govern how data is transmitted and received between computers.</p><p>One of the most widely used file sharing protocols is <strong>FTP</strong>, which has been in use since the 1970s. It is simple to use, and its client-server model makes it easy for users to share files between computers over the Internet. FTP supports various transfer modes, allowing users to transfer different types of files with ease. However, one of the downsides of FTP is that it is not secure: it does not encrypt data in transit, so data can be intercepted and accessed by unauthorized users.</p><p>To address this issue, <strong>Secure File Transfer Protocol (SFTP)</strong> was developed. SFTP provides added security to the file transfer process by encrypting the data during transmission, making it more challenging for hackers to intercept and access the files being transferred. SFTP is commonly used for transferring sensitive data such as financial records, medical records, and personal data. SFTP's security features make it a preferred protocol for organizations and individuals who need to ensure that their data is protected during transmission.</p><p><strong>Server Message Block (SMB)</strong> is another popular file sharing protocol used for sharing files, printers, and other resources between computers on a network. 
It is most commonly used on Windows-based systems and allows users to access files stored on a remote server as if they were stored locally. SMB is also used by some network-attached storage devices, making it an essential protocol for organizations that need to share files across multiple devices.</p><p><strong>Web Distributed Authoring and Versioning (WebDAV)</strong> is a protocol used for sharing files over the Internet. It allows users to edit and manage files stored on remote servers, making it an ideal choice for teams collaborating on a project. WebDAV is commonly used in web applications, content management systems, and other online collaboration tools.</p><p><strong>Peer-to-peer (P2P)</strong> file sharing protocols such as BitTorrent and eDonkey Network are used for sharing large files over the Internet. P2P file sharing does not rely on a central server; instead, users connect directly to one another to exchange data. This approach allows for faster file transfers and better bandwidth utilization, but it also raises concerns about piracy and copyright infringement.</p><p>In conclusion, file sharing protocols play a vital role in enabling the transfer of data between computers over networks and the Internet. Each protocol has its own set of features and benefits, allowing users to choose the one that best suits their needs. 
While file sharing protocols have made file sharing easier than ever, it is important to ensure that file sharing practices are legal and comply with all relevant laws and regulations.</p>]]></content:encoded></item><item><title><![CDATA[Pain and Suffering: Climbing the Pyramid of Pain]]></title><description><![CDATA[Pain and suffering are the last things you want to happen to you.]]></description><link>https://arthdsec.com/p/pain-and-suffering</link><guid isPermaLink="false">https://arthdsec.com/p/pain-and-suffering</guid><dc:creator><![CDATA[Arwind Tharumadurai]]></dc:creator><pubDate>Thu, 23 Mar 2023 06:41:00 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/a17dc6de-d204-4d7c-8e5c-2c5effcf185e_2240x1260.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!6R39!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375a3b42-9b75-434f-9e03-ac57333e62bd_2240x1260.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!6R39!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375a3b42-9b75-434f-9e03-ac57333e62bd_2240x1260.png 424w, https://substackcdn.com/image/fetch/$s_!6R39!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375a3b42-9b75-434f-9e03-ac57333e62bd_2240x1260.png 848w, https://substackcdn.com/image/fetch/$s_!6R39!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375a3b42-9b75-434f-9e03-ac57333e62bd_2240x1260.png 1272w, 
https://substackcdn.com/image/fetch/$s_!6R39!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375a3b42-9b75-434f-9e03-ac57333e62bd_2240x1260.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!6R39!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375a3b42-9b75-434f-9e03-ac57333e62bd_2240x1260.png" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/375a3b42-9b75-434f-9e03-ac57333e62bd_2240x1260.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!6R39!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375a3b42-9b75-434f-9e03-ac57333e62bd_2240x1260.png 424w, https://substackcdn.com/image/fetch/$s_!6R39!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375a3b42-9b75-434f-9e03-ac57333e62bd_2240x1260.png 848w, https://substackcdn.com/image/fetch/$s_!6R39!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375a3b42-9b75-434f-9e03-ac57333e62bd_2240x1260.png 1272w, 
https://substackcdn.com/image/fetch/$s_!6R39!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F375a3b42-9b75-434f-9e03-ac57333e62bd_2240x1260.png 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a><figcaption class="image-caption">The pyramid image is from TryHackMe</figcaption></figure></div><p>Pain and suffering are the last things you want to happen to you. The same goes for information security. Security professionals working in threat intelligence face cyber threats on a daily basis. Given these challenges, they have to stay ahead in detecting, preventing, and mitigating threats to defend their organizations.</p><p>In this blog post, we will look at the "Pyramid of Pain", a cyber defense framework that helps security professionals with threat detection and mitigation.</p><blockquote><p>&#128161; Learning Advice: Whenever you want to learn a framework, it is important to know what the framework is, for whom it is designed, why it needs to exist, and how it contributes to the industry.</p></blockquote><h2>What is the "Pyramid of Pain"?</h2><h3>Defining the concept of the framework.</h3><p>The Pyramid of Pain is an information security framework that emphasizes defending the security posture of the IT infrastructure within an organization. The framework was designed by DavidJBianco in 2013. The term "pyramid" was chosen because the framework is illustrated in the shape of a pyramid. It arranges IOCs from the least painful to the most painful, from the bottom level to the top. 
An Indicator of Compromise (IoC) is a piece of evidence or artifact that suggests a security breach or cyber attack may have occurred.</p><p>Image below illustrates "Pyramid of Pain".</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ttrp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22613a59-1ad3-47fc-9fce-3f4ff84e108f_720x405.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ttrp!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22613a59-1ad3-47fc-9fce-3f4ff84e108f_720x405.png 424w, https://substackcdn.com/image/fetch/$s_!ttrp!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22613a59-1ad3-47fc-9fce-3f4ff84e108f_720x405.png 848w, https://substackcdn.com/image/fetch/$s_!ttrp!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22613a59-1ad3-47fc-9fce-3f4ff84e108f_720x405.png 1272w, https://substackcdn.com/image/fetch/$s_!ttrp!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22613a59-1ad3-47fc-9fce-3f4ff84e108f_720x405.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ttrp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22613a59-1ad3-47fc-9fce-3f4ff84e108f_720x405.png" width="720" height="405" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/22613a59-1ad3-47fc-9fce-3f4ff84e108f_720x405.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:405,&quot;width&quot;:720,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!ttrp!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22613a59-1ad3-47fc-9fce-3f4ff84e108f_720x405.png 424w, https://substackcdn.com/image/fetch/$s_!ttrp!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22613a59-1ad3-47fc-9fce-3f4ff84e108f_720x405.png 848w, https://substackcdn.com/image/fetch/$s_!ttrp!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22613a59-1ad3-47fc-9fce-3f4ff84e108f_720x405.png 1272w, https://substackcdn.com/image/fetch/$s_!ttrp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22613a59-1ad3-47fc-9fce-3f4ff84e108f_720x405.png 1456w" sizes="100vw"></picture></div></a><figcaption class="image-caption">Image Credit: DavidJBianco, 2013</figcaption></figure></div><p>As seen in the image above, there are six levels of Indicators of Compromise (IOCs). The levels are arranged by how "painful" it would be for the attacker if the victim detected those indicators and took action against them. The six levels are listed and explained below:</p><ol><li><p>Hash Values (Trivial): A hash value is the output of a cryptographic hash function computed over a file. The output is effectively unique to that file, which is why we call it a file signature. No two different files should have the same cryptographic hash.</p></li><li><p>IP Addresses (Easy): Internet Protocol (IP) addresses identify a device connected to the Internet. 
There are no scenarios where a device can be connected to the Internet without an IP address assigned to it.</p></li><li><p>Domain Names (Simple): A domain name is a string of text that is used to identify a resource available on the Internet, such as a website or a server.</p></li><li><p>Network/Host Artifacts (Annoying): A network artifact is a product of network activity, while a host artifact is a product of activity on a host endpoint.</p></li><li><p>Tools (Challenging): Tools, such as scripts and backdoors, are used by attackers to carry out scanning or exploitation.</p></li><li><p>TTPs (Tough): Tactics, Techniques, and Procedures (TTPs) are the modus operandi that identifies attackers. They cover everything from the initial method of entry all the way to moving laterally across the victim's network and exfiltrating data.</p></li></ol><h2>Who is this framework for?</h2><h3>Highlighting who should use this framework to improve their security posture.</h3><div class="paywall-jump" data-component-name="PaywallToDOM"></div><p>The "Pyramid of Pain" is undeniably a valuable conceptual model that security professionals can refer to. Though this framework is often utilised by security analysts and security architects, the framework itself is not restricted to any particular domain within information security. Both red and blue teams can make use of this framework.</p><h3>Red Team</h3><p>Red teams can use the Pyramid of Pain as a guide for developing and executing their penetration testing or adversary simulation campaigns. By focusing on the higher levels of the pyramid, red teams can test an organization's ability to detect and respond to advanced threats and attacks.</p><p>For example, if a red team is able to successfully use a low-level IOC, such as a hash value or an IP address, to gain access to an organization's network, it may not be a good indicator of the organization's security posture. 
However, if the red team is able to use a higher-level IOC, such as a specific domain name or a unique file name, it is a stronger indicator that the organization has weaknesses in its security defenses.</p><p>Moreover, the red team can use the Pyramid of Pain to identify the most effective tactics, techniques, and procedures (TTPs) to use during their engagement. By using the higher-level IOCs, the red team can identify which TTPs are most effective in evading detection and response.</p><h3>Blue Team</h3><p>Blue teams can focus their efforts on identifying and monitoring the higher-level IOCs, which are more difficult to detect and respond to. For example, if a blue team identifies a specific domain name or file name associated with a threat actor, they can use that information to hunt for other related indicators, such as IP addresses or command-and-control (C2) servers, which may be less obvious and more difficult to detect.</p><p>By understanding the difficulty level of various IOCs, blue teams can also better assess the effectiveness of their defensive measures. For example, if a blue team has deployed a security solution that is able to detect low-level IOCs such as IP addresses, but is ineffective against higher-level IOCs such as specific domain names or file names, they can use that information to improve their defenses and prioritize the deployment of more effective security controls.</p><h2>Why does this framework need to exist?</h2><h3>Explaining why this framework exists even though many frameworks serve the same purpose.</h3><p>Indeed, there are many other frameworks in existence, and each may have its own unique perspective or methodology for identifying and prioritizing IOCs based on various factors such as the difficulty of detection, the level of sophistication of the attacker, or the potential impact of the attack.</p><p>One reason why the Pyramid of Pain has gained popularity is its simplicity and intuitive nature. 
It provides a clear visual hierarchy of IOC difficulty that can be easily understood and communicated to stakeholders across an organization. This framework has also been embraced by the cybersecurity community, and many security vendors and organizations have adopted it as a way to prioritize and categorize IOCs in their products and services.</p><h2>How does this framework contribute to the industry?</h2><h3>Each framework should serve a purpose in the industry.</h3><p>The Pyramid of Pain framework can contribute significantly to the information security industry by providing a standardized approach to the classification and prioritization of indicators of compromise (IOCs). By understanding the difficulty level of different IOCs, organizations can prioritize their defense efforts and allocate their resources more effectively to protect against advanced threats.</p><p>Additionally, the Pyramid of Pain can guide incident response efforts by helping security teams to determine the level of sophistication of the attacker and the potential impact of the attack.</p>]]></content:encoded></item><item><title><![CDATA[Your way into NMAP; From Internals to Basic Usage.]]></title><description><![CDATA[As a security analyst, you know the importance of having a comprehensive understanding of the network infrastructure you are trying to protect.]]></description><link>https://arthdsec.com/p/windows-recon-nmap-host-discovery</link><guid isPermaLink="false">https://arthdsec.com/p/windows-recon-nmap-host-discovery</guid><dc:creator><![CDATA[Arwind Tharumadurai]]></dc:creator><pubDate>Sat, 04 Mar 2023 11:57:46 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/a94b415b-dcef-4c17-88ee-e5bf8c66cfc6_2000x1333.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" 
href="https://substackcdn.com/image/fetch/$s_!oZul!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3292093c-18f9-4b11-84f9-e461f00f1ee4_2000x1333.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!oZul!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3292093c-18f9-4b11-84f9-e461f00f1ee4_2000x1333.jpeg 424w, https://substackcdn.com/image/fetch/$s_!oZul!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3292093c-18f9-4b11-84f9-e461f00f1ee4_2000x1333.jpeg 848w, https://substackcdn.com/image/fetch/$s_!oZul!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3292093c-18f9-4b11-84f9-e461f00f1ee4_2000x1333.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!oZul!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3292093c-18f9-4b11-84f9-e461f00f1ee4_2000x1333.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!oZul!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3292093c-18f9-4b11-84f9-e461f00f1ee4_2000x1333.jpeg" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3292093c-18f9-4b11-84f9-e461f00f1ee4_2000x1333.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!oZul!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3292093c-18f9-4b11-84f9-e461f00f1ee4_2000x1333.jpeg 424w, https://substackcdn.com/image/fetch/$s_!oZul!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3292093c-18f9-4b11-84f9-e461f00f1ee4_2000x1333.jpeg 848w, https://substackcdn.com/image/fetch/$s_!oZul!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3292093c-18f9-4b11-84f9-e461f00f1ee4_2000x1333.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!oZul!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3292093c-18f9-4b11-84f9-e461f00f1ee4_2000x1333.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@brandsandpeople?utm_source=ghost&amp;utm_medium=referral&amp;utm_campaign=api-credit">Brands&amp;People</a> / <a href="https://unsplash.com/?utm_source=ghost&amp;utm_medium=referral&amp;utm_campaign=api-credit">Unsplash</a></figcaption></figure></div><p>As a security analyst, you know the importance of 
having a comprehensive understanding of the network infrastructure you are trying to protect. This includes knowing which ports are open, which services are running, and what vulnerabilities may exist. One tool that can help you gain this understanding is Nmap.</p><p>Nmap is a free and open-source network exploration and security auditing tool. It uses various techniques, such as port scanning and OS detection, to gather information about network hosts and services. In this blog post, we'll explore Nmap from its internals to advanced usage.</p><p>My personal note: Please learn basic computer networking concepts to understand what is happening behind each Nmap command.</p><div><hr></div><p><strong>Understanding Nmap's Internal Operations</strong></p><p>At its core, Nmap is a command-line tool that sends packets to a target machine and listens for their responses. The packets sent and received by Nmap can be customized using various options and arguments, allowing for a wide range of scanning techniques.</p><p>Nmap uses different scan types, including SYN, TCP connect, UDP, and others. Each scan type has its advantages and disadvantages, and the selection depends on the type of network you are scanning and the desired outcome. For example, a SYN scan is faster than a TCP connect scan but may miss open ports that only respond to a full TCP handshake.</p><p>Nmap also includes advanced techniques, such as OS detection, version detection, and script scanning. These techniques allow Nmap to determine the operating system and the software versions running on target machines, as well as identify potential vulnerabilities.</p><div><hr></div><p><strong>Basic Usage of Nmap</strong></p><p>Using Nmap is relatively easy. To get started, you need to install Nmap on your machine, which is available for Windows, Linux, and macOS. Once installed, you can run Nmap from the command line.</p><p>The most basic scan using Nmap is a ping scan. 
This scan simply sends an ICMP echo request to the target host and waits for a response. To perform a ping scan, run the following command:</p><p><code>nmap -sn &lt;target IP&gt;</code></p><p>This command sends an ICMP echo request to the target IP and waits for a response. If the target responds, Nmap returns the IP address and the status of the host.</p><div><hr></div><p><strong>Advanced Usage of Nmap</strong></p><p>Nmap offers many advanced features that can provide more comprehensive information about the target network. One of the most useful features is script scanning, which allows you to run custom scripts against the target host.</p><p>For example, you can run a script that checks for the presence of a specific vulnerability or identifies the software running on the target machine. To use script scanning, use the following command:</p><p><code>nmap -sC &lt;target IP&gt;</code></p><p>This command instructs Nmap to run all the default scripts against the target host. You can also run specific scripts using the <code>--script</code> option.</p><p>Another advanced feature of Nmap is OS detection. Nmap uses a variety of techniques, including TCP/IP fingerprinting and packet analysis, to identify the operating system running on the target machine. To use OS detection, run the following command:</p><p><code>nmap -O &lt;target IP&gt;</code></p><p>This command instructs Nmap to perform an OS detection scan against the target IP.</p><div><hr></div><p><strong>Conclusion</strong></p><p>Nmap is a powerful tool for network exploration and security auditing. By understanding the internals of Nmap and its various scanning techniques, you can gain a comprehensive understanding of the target network and identify potential vulnerabilities. 
Whether you're a beginner or an experienced security analyst, Nmap is a must-have tool in your arsenal.</p>]]></content:encoded></item><item><title><![CDATA[Finding the meaning "Why We Need CIA Triad?"]]></title><description><![CDATA[Cybersecurity has emerged within the CIA Triad.]]></description><link>https://arthdsec.com/p/finding-the-meaning-why-we-need-cia-triad</link><guid isPermaLink="false">https://arthdsec.com/p/finding-the-meaning-why-we-need-cia-triad</guid><dc:creator><![CDATA[Arwind Tharumadurai]]></dc:creator><pubDate>Sat, 25 Feb 2023 18:19:01 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/d4642615-99df-465e-ad1a-e3e005fa985b_2000x2000.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!JN32!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62fa63ed-7f54-4579-aa8a-953703982da8_2000x2000.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!JN32!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62fa63ed-7f54-4579-aa8a-953703982da8_2000x2000.jpeg 424w, https://substackcdn.com/image/fetch/$s_!JN32!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62fa63ed-7f54-4579-aa8a-953703982da8_2000x2000.jpeg 848w, https://substackcdn.com/image/fetch/$s_!JN32!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62fa63ed-7f54-4579-aa8a-953703982da8_2000x2000.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!JN32!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62fa63ed-7f54-4579-aa8a-953703982da8_2000x2000.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!JN32!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62fa63ed-7f54-4579-aa8a-953703982da8_2000x2000.jpeg" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/62fa63ed-7f54-4579-aa8a-953703982da8_2000x2000.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!JN32!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62fa63ed-7f54-4579-aa8a-953703982da8_2000x2000.jpeg 424w, https://substackcdn.com/image/fetch/$s_!JN32!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62fa63ed-7f54-4579-aa8a-953703982da8_2000x2000.jpeg 848w, https://substackcdn.com/image/fetch/$s_!JN32!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62fa63ed-7f54-4579-aa8a-953703982da8_2000x2000.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!JN32!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62fa63ed-7f54-4579-aa8a-953703982da8_2000x2000.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a><figcaption class="image-caption">Photo by <a href="https://unsplash.com/@cdd20?utm_source=ghost&amp;utm_medium=referral&amp;utm_campaign=api-credit">&#24858;&#26408;&#28151;&#26666; cdd20</a> / <a href="https://unsplash.com/?utm_source=ghost&amp;utm_medium=referral&amp;utm_campaign=api-credit">Unsplash</a></figcaption></figure></div><blockquote><p>Cybersecurity has emerged within the CIA Triad.</p></blockquote><p>In case this is your first time coming across the term "cybersecurity", I suggest you read my first article.</p><p>As the world becomes increasingly interconnected and reliant on digital technology, protecting sensitive information has become a critical concern for individuals and organizations alike.</p><p>Cybersecurity has emerged as a crucial field, and the CIA triad is one of the fundamental concepts that underpins it. In this blog, we will explore what the CIA triad is, why it is essential, and how it can help us better understand the importance of information security.</p><h2>Let's Define CIA</h2><p>CIA stands for Confidentiality, Integrity, and Availability. It is a framework that organizations use to evaluate and protect their data, systems, and networks from threats.</p><p><strong>Confidentiality</strong> refers to ensuring that sensitive information is only accessible to authorized individuals or systems. This includes protecting against unauthorized access, disclosure, and theft. Confidentiality is essential for protecting sensitive information such as trade secrets, personal data, and financial information.</p><p><strong>Integrity</strong> is concerned with ensuring that information is accurate, complete, and trustworthy. 
This involves protecting against unauthorized modification, deletion, or corruption of data. Integrity is essential for maintaining the trustworthiness and reliability of information, such as financial records, legal documents, and medical records.</p><p><strong>Availability</strong> refers to ensuring that information is accessible and usable when needed. This includes protecting against denial-of-service attacks, system failures, and other events that could disrupt access to information. Availability is essential for ensuring that critical systems and services remain operational, such as online banking, healthcare systems, and emergency services.</p><h2>The Importance of the CIA Triad</h2><p>You may ask why it is so important to know the CIA Triad. The reason is that the CIA Triad covers the structure of almost all the frameworks, technologies, and policies in information security. By focusing on the key aspects of confidentiality, integrity, and availability, organizations can create a comprehensive security strategy that covers all aspects of their operations.</p><p>The CIA triad also provides a useful framework for evaluating and prioritizing security measures. By understanding the potential threats to their data, systems, and networks, organizations can develop an effective security strategy that addresses the most significant risks. This could involve implementing access controls, encryption, backup and recovery procedures, and other security measures that align with the principles of the CIA triad.</p><p>Moreover, the CIA triad is also a useful concept for individuals to understand. In today's digital age, we all have a responsibility to protect our own data and privacy. 
By understanding the importance of confidentiality, integrity, and availability, we can take steps to protect our personal information, such as using strong passwords, keeping software up-to-date, and being cautious about sharing personal information online.</p><h2>Conclusion</h2><p>The CIA triad is a fundamental concept in information security that provides a comprehensive framework for protecting data, systems, and networks. By understanding the principles of confidentiality, integrity, and availability, organizations and individuals can develop effective security strategies that address the most significant risks. In today's digital age, cybersecurity is more critical than ever, and the CIA triad is an essential tool for protecting sensitive information from a wide range of threats.</p>]]></content:encoded></item></channel></rss>