Friday, 19 June 2026

google cyber sec cert notes

CIA triad

  • Confidentiality
  • Integrity
  • Availability
CISSP
Certified Information Systems Security Professional

CISSP 8 security domains
  • Security and Risk Management: The foundational domain covering governance, compliance, the CIA triad (Confidentiality, Integrity, Availability), legal/regulatory issues, and organizational risk assessment
  • Asset Security: Focuses on the protection of assets, data classification, handling requirements, data retention policies, and data lifecycle management
  • Security Architecture and Engineering: Encompasses security models, cryptography, hardware/software design, and mitigating vulnerabilities within system architectures
  • Communication and Network Security: Deals with secure network design, hardware, transmission methods, and securing communication channels (e.g., VPNs, firewalls)
  • Identity and Access Management (IAM): Centers on controlling access to systems and data, covering authentication, authorization, and identity provisioning
  • Security Assessment and Testing: Focuses on security testing methodologies, vulnerability assessments, penetration testing, and auditing to evaluate security controls
  • Security Operations: Covers daily operational tasks such as incident management, disaster recovery, patch management, and foundational forensics
  • Software Development Security: Applies security controls and coding principles within the Software Development Life Cycle (SDLC) and databases

Asset
  • An item that has value to an organisation
Threat
  • Anything that can negatively impact assets
Risk
  • The likelihood of a threat occurring. We can also take into account whether the affected assets are low or high risk.

Vulnerability
A weakness that can be exploited by a threat. There must be both a vulnerability and a threat for there to be a risk:
vuln + threat = risk

Risk management framework
  • Prepare 
  • Categorize
  • Select
  • Implement
  • Assess
  • Authorize
  • Monitor
What to do about risk:
  • Acceptance: Accepting a risk to avoid disrupting business continuity
  • Avoidance: Creating a plan to avoid the risk altogether
  • Transference: Transferring risk to a third party to manage
  • Mitigation: Lessening the impact of a known risk

NIST RMF terms

  • Assess: The fifth step of the NIST RMF that means to determine if established controls are implemented correctly
  • Authorize: The sixth step of the NIST RMF that refers to being accountable for the security and privacy risks that may exist in an organization
  • Business continuity: An organization's ability to maintain their everyday productivity by establishing risk disaster recovery plans
  • Categorize: The second step of the NIST RMF that is used to develop risk management processes and tasks
  • External threat: Anything outside the organization that has the potential to harm organizational assets
  • Implement: The fourth step of the NIST RMF that means to implement security and privacy plans for an organization
  • Internal threat: A current or former employee, external vendor, or trusted partner who poses a security risk
  • Monitor: The seventh step of the NIST RMF that means be aware of how systems are operating
  • Prepare: The first step of the NIST RMF related to activities that are necessary to manage security and privacy risks before a breach occurs
  • Ransomware: A malicious attack where threat actors encrypt an organization’s data and demand payment to restore access 
  • Risk: Anything that can impact the confidentiality, integrity, or availability of an asset
  • Risk mitigation: The process of having the right procedures and rules in place to quickly reduce the impact of a risk like a breach
  • Security posture: An organization’s ability to manage its defense of critical assets and data and react to change
  • Select: The third step of the NIST RMF that means to choose, customize, and capture documentation of the controls that protect an organization
  • Shared responsibility: The idea that all individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security
  • Social engineering: A manipulation technique that exploits human error to gain private information, access, or valuables 
  • Vulnerability: A weakness that can be exploited by a threat

Frameworks
Guidelines to build plans

Wednesday, 17 June 2026

update palo alto firewall via CLI

When updating from the web GUI in a rush it's a bit painful:

  • Do dynamic updates check
  • Go to Software
  • Unclick Base releases
  • wait
  • Unclick preferred releases 
  • wait
  • check for updates
  • download the version you need
  • install


CLI commands

request system software check (optional, lists all updates without filters)

request system software download version 11.2.7-h16 (download the version we need)

request system software install version 11.2.7-h16 (install the version we need)

Thursday, 21 May 2026

palo alto common apps

ssl

web-browsing

dns-base (may need to allow your dns server specifically)

ms-onedrive-business

ms-office365-base

ms-update

ms-teams

windows-push-notifications

outlook-web-online

ocsp (for cert info lookups)

windows-defender-atp-endpoint

microsoft-intune

google-base

google-update

youtube-base

dtls (voice)



May need to disable these ones for audits/bpa

stun

quic-base

Wednesday, 20 May 2026

palo alto user issue



User-ID expects domain\user

need to tick the box in User Mapping to allow usernames without a domain

palo dns app rules

add dns-base / dnscrypt etc



Wednesday, 13 May 2026

debugging dap / hostscan on FTD

Notes:

DAP policy is applied to all AnyConnect profiles, so your DAP rules must cover all of them. You can't apply it to just one profile.

You need to update to the latest CSC (Cisco Secure Client) but also match the posture (HostScan) package and the SSO (secure external browser) package to the same version.

If CSC is on 5.1.17, then the other two need to be on 5.1.17. You may only need the SSO package if their MFA is redirecting to a web page.

The Secure Client section in the endpoint criteria can be used to select the platform, i.e. to know if it's on Windows or mobile.


I hit an issue. The fix was to match the hostscan module to the same version as the secure client.

If you are having issues, upgrade to the latest/recommended release.

Keep in mind that when DAP is switched on it's global for all AnyConnect profiles, so you need to make sure you have DAP rules set up to cover everything.

Posture is only checked once on connection; it's not continuous (like CSA, which is still only checking/enforcing every 5-15 minutes).


If you are still having issues:

  • Start a PuTTY session with logging enabled
  • sh run all dynamic-access-policy-record
  • debug dap trace 255
  • debug dap errors
  • apply the DAP in FMC and push policy
  • sh run all dynamic-access-policy-record
  • show tech
  • send the output to cisco tac


Tuesday, 12 May 2026

FMC interface details

- Go to **System (gear) > Health > Monitor**
- Select the **FTD device**
- Open the **Interfaces** dashboard/widget(s)
- Change the **time range** (top-right time selector) to **Last 12 Hours**, **Last 24 Hours**, or **Custom**
- Select the interface you are interested in (default is the average of all interfaces)

mib / oids for cisco secure firewall

Recommended official sources to download/browse MIBs:

- Secure Firewall SNMP MIB Reference Guide (HTML): https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/mib/cisco-secure-firewall-mib-reference-guide.html
- Secure Firewall SNMP MIB Reference Guide (PDF): https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/mib/cisco-secure-firewall-mib-reference-guide.pdf
- Cisco SNMP Object Navigator (look up OIDs/MIB names): https://snmp.cloudapps.cisco.com/Support/SNMP/do/BrowseOID.do?local=en
- Cisco public MIB repository: https://github.com/cisco/cisco-mibs
- SNMP configuration guidance for Firepower/FTD (also includes common OID references): https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/213971-configure-snmp-on-firepower-ngfw-applian.html