Fortinet, Checkpoint, McAfee, Backbox, Microsoft, IBM Security
TCP (segment; use the netstat command to see connections between servers) - Connection
established before transmission (3-way handshake), reliable (packet sequence order,
retransmission, error checking), slower data transfer, congestion and flow
control (sender slows down if the receiver or network is overloaded). Use: web browsing (HTTPS), email (SMTP, IMAP),
text, FTP. SYN: the client sends its sequence number (so the server knows which data packets it has
to send). Faulty packets are discarded. Connection teardown: FIN / FIN-ACK.
UDP (datagram) - Connectionless, unreliable, quick transfer. Use:
streaming, online gaming, voice and video calls, VoIP, DNS queries, DHCP,
broadcasting. No delivery confirmation.
DHCP (DORA) - When a device connects to the network or boots up (if it has no
static IP), it broadcasts a "DHCP Discover" packet to all devices on the
network (usually the router acts as the DHCP server). The server sends back a "DHCP
Offer" with an available IP address from the pool. The client sends a "DHCP Request"
accepting the IP. The server sends a "DHCP Ack" confirming the assignment. The IP address
is assigned to the device for a specific lease time (e.g. 24 hours), after which the IP is renewed.
OSI - Physical (raw bits as electrical signals through WiFi, Bluetooth, fiber optic),
Data Link (frames, MAC addresses, error detection and correction),
Network (packets), Transport (segments), Session (NetBIOS, netstat),
Presentation (encryption), Application
SMTP - sends emails (when you click send) and checks the recipient address through
DNS; IMAP - receives (accesses), stores and manages emails; POP3 - downloads
emails
Firewalls: Packet filtering, NGFW, Hardware, Software, Cloud based, NAT,
Proxy (application layer inspection), Stateful
Smart IT, DefScope, Caspian Innovation Center, AzIntelecom, Prosol,
CyberPoint, Bnb Security, KPMG, Inseco, Lukoil, Eurodesign
careers@defscope.com
cv@bnbsecurity.az
CISSP, CEH certificates for Security engineers
NGFW - IPS, application layer inspection (not only headers but content-based
exploit prevention, HTTP, FTP), web filtering (URLs, content, tags), DLP (role-based
access control), does the work of multiple devices (sandboxing, antivirus, malware
detection), filters users by their roles or GpU, VPN for encrypted traffic - Palo Alto
Traditional - ACL - packet header: source and destination IP, port, protocol
Stateful FW - keeps history: connections and content of packets
Stateless - only inspects individual packets
XDR vs EDR difference - XDR expands coverage beyond endpoints to include multiple
security layers like network, email, cloud, servers, applications, and
endpoints. XDR can integrate IDS, IPS, firewall and cloud security.
Antivirus- signature based scans against a database, quarantines or deletes
file.
EDR - behaviour analysis (login attempts, data transfer), AI / machine learning,
can prevent even unknown threats (RESPONSE). Isolates infected endpoints,
files, processes, uses pre-defined rules, network analysis, can roll back
system changes made by malware.
IPS - Signature based, behavioral anomalies. Application layer control, packet
inspection. Blocks malware, DoS. Firewall - security rules. An IDS needs human
action, an IPS does not.
SIEM - Security Information and Event Management. Collects logs from
antivirus, firewall, apps etc.
SOAR - Automatic Incident response
Malware - malicious software. Inc: Ransomware,Virus,Trojan,Worm,Spyware,
Adware.
Virus - Attaches to legitimate programs or files (needs a host file) and spreads to
other computers when they are shared (unlike ransomware and adware). Initiated when
the file is run or executed.
Trojan - Disguised as legitimate program.
Identity theft protection - Strong passwords, don't share info, check what you
click and where you shop, install anti-malware tools
Worm - replicates like a virus, but targets the whole network. Enters through a vulnerability or
email
QRadar - Applications: UBA (User Behaviour Analytics) - insider threats, SOAR.
Rule wizard: offense, event, flow (network) and common rules. Common
rules - default attacks (data exfiltration, brute force, firewall denies). Default - 5
failed login attempts, but can be changed
Why are VLANs (virtual LANs) used? *For congestion and bandwidth, security, prioritizing
certain traffic (VoIP)
Domain controller -DNS
How to stop zero day? Sandboxing
Active directory - database
Domain Controller - A server that authenticates and authorises users during login
and provides access to the proper resources in AD. Stores domain user and computer
accounts and security policies. Logs user events, distributes group
policies. Usually there are at least 2 domain controllers; one is the backup when
the other fails. We set up the domain controller and join every endpoint to
the same domain. Trees and forests, and trust relationships.
Workgroups (separate) and Domain (group)
Kerberos - Authentication protocol
Password spraying - Trying a few common passwords, or a list of commonly
used ones, against many usernames acquired through reconnaissance.
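Added example (not from these notes, and not QRadar's own rule logic): the two detections that the QRadar note above (default 5 failed logins) and the password spraying note call for, run over constructed authentication log lines. The log format ("src= user= result=") is an assumption made for the example. The point it shows: a per-user threshold catches a brute force against one account, but a spray (one source, one failure per username) never trips it, so a second rule counting distinct usernames per source is needed.

```python
import re
from collections import defaultdict

# Constructed authentication log lines (not from QRadar or any real system);
# the "src= user= result=" format is an assumption made for this example.
SAMPLE_LOGS = """\
2024-03-01T08:00:01 src=10.0.0.5 user=alice result=FAIL
2024-03-01T08:00:02 src=10.0.0.5 user=bob result=FAIL
2024-03-01T08:00:03 src=10.0.0.5 user=carol result=FAIL
2024-03-01T08:00:04 src=10.0.0.5 user=dave result=FAIL
2024-03-01T08:00:05 src=10.0.0.5 user=erin result=FAIL
2024-03-01T08:00:06 src=10.0.0.5 user=frank result=FAIL
2024-03-01T08:01:00 src=10.0.0.9 user=alice result=FAIL
2024-03-01T08:01:05 src=10.0.0.9 user=alice result=FAIL
2024-03-01T08:01:10 src=10.0.0.9 user=alice result=FAIL
2024-03-01T08:01:15 src=10.0.0.9 user=alice result=FAIL
2024-03-01T08:01:20 src=10.0.0.9 user=alice result=FAIL
2024-03-01T08:02:00 src=10.0.0.7 user=grace result=SUCCESS
2024-03-01T08:02:30 src=10.0.0.7 user=grace result=SUCCESS
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)")


def parse_events(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if match:
            yield match.groupdict()


def detect_brute_force(text, threshold=5):
    """QRadar-style default rule: one username fails `threshold` or more times."""
    failures = defaultdict(int)
    for event in parse_events(text):
        if event["result"] == "FAIL":
            failures[event["user"]] += 1
    return sorted(user for user, count in failures.items() if count >= threshold)


def detect_password_spray(text, min_distinct_users=5):
    """Spraying pattern: one source fails against many different usernames, so the
    per-user threshold never trips; count distinct usernames per source instead."""
    users_per_src = defaultdict(set)
    for event in parse_events(text):
        if event["result"] == "FAIL":
            users_per_src[event["src"]].add(event["user"])
    return sorted(src for src, users in users_per_src.items()
                  if len(users) >= min_distinct_users)


if __name__ == "__main__":
    print("brute-forced accounts:", detect_brute_force(SAMPLE_LOGS))   # ['alice']
    print("spraying sources:", detect_password_spray(SAMPLE_LOGS))     # ['10.0.0.5']
```

In the sample, 10.0.0.5 fails once against six accounts and is only visible to the per-source rule, while alice is flagged by the per-user rule because her failures from two sources add up to six.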
SQL Injection - focuses on manipulating a web application's database by
injecting malicious SQL code
Cross-Site Scripting - targets users by injecting malicious scripts into web
pages they visit and steals their sessions. Prevent: ensure all input fields
accept only the expected type of input, such as numbers or letters, to block
scripts. Use HTML sanitization. Encode outputs.
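Added example (not from these notes): the vulnerable and hardened forms of the two web flaws above, side by side. For SQL injection it uses Python's built-in sqlite3 with a constructed in-memory table: the vulnerable function splices the caller's string into the SQL text, the safe one binds it as a parameter. For XSS it shows the "encode outputs" advice with html.escape. Table contents and names are made up for the example.

```python
import html
import sqlite3


def make_demo_db():
    """In-memory table with constructed rows; nothing here is real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_vulnerable(conn, name):
    # Vulnerable: the caller's string becomes part of the SQL text, so a quote
    # character inside it changes the structure of the query itself.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # Hardened: the value travels as a bound parameter; the database engine
    # never parses it as SQL, whatever characters it contains.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_comment_vulnerable(comment):
    # Vulnerable: user text is placed into HTML unchanged, so markup in it is
    # interpreted by the browser.
    return "<p>" + comment + "</p>"


def render_comment_safe(comment):
    # Hardened: output encoding turns <, >, &, quotes into entities (&lt; ...),
    # so the browser displays the text instead of executing it.
    return "<p>" + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_demo_db()
    crafted = "x' OR 'a'='a"                      # a name nobody has
    print(find_user_vulnerable(db, crafted))      # every user: the query was rewritten
    print(find_user_safe(db, crafted))            # []: looked for that literal name
    print(render_comment_safe("<b>hi</b>"))       # <p>&lt;b&gt;hi&lt;/b&gt;</p>
```

The fix for injection is never "filter the quote character"; it is keeping data and query structure on separate channels, which is exactly what the parameter binding in find_user_safe does.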
DNS - You click a domain and the browser first checks its cache. If it doesn't find it: 1) the query is sent
to the local DNS resolver (ISP provided); 2) if it doesn't find it, it sends a
recursive query (e.g. via Google DNS 8.8.8.8 or Cloudflare 1.1.1.1) to a root server (13
in the world); 3) the root server refers the query to the TLD (.com) server; 4) the TLD
server refers it to the authoritative server, which maintains the IP records; 5) it
returns the IP to the recursive DNS resolver; 6) which returns it to the local resolver; 7)
the browser uses the IP address to connect to the web server hosting the website; 8)
the web server sends the content to the browser, which displays it on the screen.
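Added example (not from these notes): a toy recursive resolver that walks the root -> TLD -> authoritative chain from steps 2-5 above and caches the answer, so the second lookup of the same name sends no queries. The three dictionaries are constructed stand-ins for the three server tiers; none of the names or addresses are real DNS data (203.0.113.0/24 is a documentation range).

```python
# Constructed toy zone data standing in for the three server tiers in the notes.
# None of these names or addresses are real DNS records.
ROOT_REFERRALS = {"com": "tld-com.example"}                              # root -> TLD server
TLD_REFERRALS = {"tld-com.example": {"example.com": "ns1.example.com"}}  # TLD -> authoritative
AUTHORITATIVE_RECORDS = {
    "ns1.example.com": {"www.example.com": "203.0.113.10",
                        "mail.example.com": "203.0.113.25"},
}


class RecursiveResolver:
    """Walks root -> TLD -> authoritative and caches answers like a real resolver."""

    def __init__(self):
        self.cache = {}

    def resolve(self, name):
        name = name.lower().rstrip(".")
        if name in self.cache:                       # cache hit: no queries sent at all
            return self.cache[name], ["cache hit"]
        trace = []
        labels = name.split(".")
        tld_server = ROOT_REFERRALS.get(labels[-1])
        if tld_server is None:
            raise LookupError(f"root has no referral for TLD .{labels[-1]}")
        trace.append(f"root -> referral to {tld_server}")            # step 3
        zone = ".".join(labels[-2:])
        auth_server = TLD_REFERRALS[tld_server].get(zone)
        if auth_server is None:
            raise LookupError(f"{zone} is not delegated")
        trace.append(f"{tld_server} -> referral to {auth_server}")    # step 4
        ip = AUTHORITATIVE_RECORDS[auth_server].get(name)
        if ip is None:
            raise LookupError(f"NXDOMAIN: {name}")
        trace.append(f"{auth_server} -> answer {ip}")                # step 5
        self.cache[name] = ip
        return ip, trace


if __name__ == "__main__":
    resolver = RecursiveResolver()
    for step in resolver.resolve("www.example.com")[1]:
        print(step)
    print(resolver.resolve("www.example.com"))    # ('203.0.113.10', ['cache hit'])
```

A real resolver also honours the record's TTL and expires cache entries; that is left out here to keep the chain of referrals visible.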
NetBIOS - Name resolution (IP, MAC), session establishment and termination
NIC - Network Interface Card: has its own MAC address. Converts data to electrical
signals. Enables the connection to the network/internet
Hub - sends data to all ports regardless of whether they need it or not, causes congestion,
low performance
Sniffing attack - Wireshark (unencrypted packets)
MAC spoofing - Forging your MAC address
ARP poisoning - Associating your MAC with another IP address, e.g. the default gateway.
Used for man-in-the-middle and session hijacking
ARP requests - if can't find in cache, broadcasts to learn the MAC address of
a device associated with a particular IP.
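Added example (not from these notes): the defender's side of the ARP notes above, a passive audit of observed IP-to-MAC pairs that flags the two symptoms of poisoning, an IP (especially the gateway) whose MAC changes, and one MAC answering for several IPs. The observation list is constructed for the example; a real monitor would feed it from ARP replies captured on the segment or from periodic arp table dumps.

```python
from collections import defaultdict

# Constructed sequence of ARP replies (ip, mac) as a passive monitor on the LAN
# might record them; the addresses are made up for this example.
OBSERVATIONS = [
    ("192.168.1.1", "AA:BB:CC:00:00:01"),    # default gateway's real MAC
    ("192.168.1.20", "AA:BB:CC:00:00:20"),
    ("192.168.1.30", "AA:BB:CC:00:00:30"),
    ("192.168.1.20", "AA:BB:CC:00:00:20"),   # repeat of a known pair: normal
    ("192.168.1.1", "AA:BB:CC:00:00:30"),    # gateway IP now answered by .30's MAC
]


def audit_arp(observations, protected_ips=("192.168.1.1",)):
    """Return alerts for IP->MAC changes and for one MAC claiming several IPs."""
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has answered for
    alerts = []
    for ip, mac in observations:
        mac = mac.lower()          # normalise case so AA:.. and aa:.. compare equal
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "HIGH" if ip in protected_ips else "MEDIUM"
            alerts.append(f"{severity}: {ip} moved from {previous} to {mac}")
        ip_to_mac[ip] = mac
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        # Alert once per new IP a MAC takes on, not on every repeat sighting.
        if len(mac_to_ips[mac]) > 1 and len(mac_to_ips[mac]) != before:
            alerts.append(f"MEDIUM: {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in audit_arp(OBSERVATIONS):
        print(alert)
```

Legitimate events (a replaced router, DHCP handing an address to a new host) also trigger the first rule, which is why the gateway and other protected addresses get the higher severity and the rest is a medium-priority lead to check rather than a verdict.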
VLAN: Helps to group workstations that are not in the same location
into the same broadcast domain.
VLANs reduce broadcast traffic by confining broadcasts within the VLAN.
Improved security: HR and finance departments can be assigned separate
VLANs to prevent unauthorized access.
National vulnerability database(NVD) and CVE (common vulnerabilities and
exposures). CVSS score
Notorious attacks - WannaCry (2017 ransomware): EternalBlue vulnerability.
Stuxnet (2010): worm used by Israel and the US which later spread. LinkedIn
breach (117 million personal records and passwords, 2012)
*Antivirus targets malware on endpoints and operates at the device level,
But IPS targets network-based attacks and operates on network traffic to
stop attacks in real-time before they reach devices.
Types of NAT(Network Address Translation):
1) Static NAT: Maps a single private IP address to a single public IP address,
often used for web servers.
2) Dynamic NAT: Uses a pool of public IP addresses and assigns them
dynamically to internal devices as needed.
3) PAT (Port Address Translation): Also known as NAT Overload, it allows
multiple devices to share a single public IP address by mapping different port
numbers to each request. This is the most common form of NAT used in
home networks.
IP address 192.168.1.10 with a subnet mask of 255.255.255.0 means:
CIDR: 192.168.1.0/24 - the first 24 bits are the network portion, and
the remaining 8 bits are for hosts.
IPv4 - 32 bit (32/4 = 8 bits per octet); IPv6 - 128 bit
/24 (8 host bits): 2^8 - 2 = 254 usable addresses (subtracting 2 for the network
and broadcast addresses).
/29 (3 host bits): 8 addresses; 2^3 (remaining host bits) - 2 = 6 host addresses.
Possible subnets: 192.168.1.0-1.7, 192.168.1.8-1.15, 192.168.1.16-1.23 and
so on. Number of subnets: 2^5 (borrowed bits) = 32
/24 - 254 hosts
/25 – 126
/26 – 62
/27 – 30
/28 – 14
/29 – 6
/30 – 2
/31 - 0
IPv6 example (8 sections, each 16 bits) -
2001:0db8:85a3:0000:0000:8a2e:0370:7334
Types of Encryption Keys:
1. Symmetric Keys: The same key is used for both encryption and decryption.
Example algorithms include AES and DES.
2. Asymmetric Keys: Uses a public key for encryption and a private key for
decryption. RSA is a common example.(PKI-Public Key Infrastructure+Digital
Certificate)
Hashing - MD5, SHA-1, SHA-256, Argon2, bcrypt
Salting: user password - mypassword, salt - salt123, combined value -
salt123mypassword. Then the combined value is hashed, e.g. e7b1b8cd..
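Added example (not from these notes): the salting scheme above, written out, next to what a password store should actually do. naive_salted_hash is the notes' hash(salt + password) with plain SHA-256; hash_password adds a random per-user salt and a slow key derivation function, and verify_password recomputes and compares in constant time. Assumptions: PBKDF2-HMAC-SHA256 from the standard library stands in for the Argon2/bcrypt the notes list (those need a third-party package), and 600,000 iterations is the chosen work factor.

```python
import hashlib
import hmac
import os

# Assumption for this example: PBKDF2-HMAC-SHA256 at 600,000 iterations as the
# slow KDF. Argon2 or bcrypt from the notes are preferable but not in stdlib.
ITERATIONS = 600_000


def naive_salted_hash(password, salt):
    """The scheme in the notes: SHA-256 over salt + password. The salt defeats
    precomputed tables, but a fixed salt gives every user with the same password
    the same hash, and SHA-256 is fast enough to guess billions per second."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Random 16-byte salt per user plus a slow KDF; returns a self-describing string
    so the verifier knows the algorithm, iterations and salt to use later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time
    so the comparison itself does not leak how many leading bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(naive_salted_hash("mypassword", "salt123"))
    record = hash_password("mypassword")
    print(record)
    print(verify_password("mypassword", record), verify_password("wrong", record))
```

Storing the iteration count inside the record is what lets you raise the work factor later and re-hash users transparently at their next successful login.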
Network management protocols:
1) SNMP (Simple Network Management Protocol) - network management, device
monitoring
2) ICMP (Internet Control Message Protocol) - diagnostic functions, network
error reporting (e.g. ping, traceroute)
How to defend against ransomware? - Network segmentation (VLANs)
TTL - Time To Live - how many hops before an "ICMP time exceeded" message is sent back.
Prevents loops (usual values: 64, 128, 255)
DMZ - Demilitarized Zone. Places public-facing servers in the DMZ. Even if an
attacker breaches the DMZ, they are still blocked from accessing the internal
network directly.
Threat intelligence - identifies vulnerabilities; IOC (indicator of compromise) -
recognized patterns: IP addresses, domain names, malware hashes, tools.
TTP (Tactics, Techniques, Procedures). Tools - Any.run, VirusTotal (hash, IP)
Cyber Kill Chain:
Reconnaissance (OSINT, Nmap, Shodan), Weaponization (Metasploit, Cobalt
Strike, PowerShell Empire), Delivery (USB, phishing, websites), Exploitation,
Installation (backdoor), Command and Control (C2) - hands on keyboard,
Actions on Objectives - data exfiltration, encryption for ransom
Prevent data breaches - Train employees, strong passwords, monitor traffic, limit
access (ACLs), patch vulnerabilities, encrypt data, 2FA, breach recovery
plan (cloud)
RADIUS (UDP) - Networking protocol for AAA (authentication, authorization, accounting):
authenticates and authorizes users who connect to the network remotely (WiFi or VPN) and tracks
user activity (login/logout etc.)
TACACS+ -Network device(routers or switch) administration. Command
authorization- Restrict commands users can execute.(AAA)
WAF(Web Application Firewall) - Web Application scanning, filtering,
inspection
MDM - Mobile Device Management, Remote Configuration, enforce security
policies
PAM - Privileged access management (least privilege principle),role-based
access
SMB (Server Message Block)- Centralized File sharing, collaborative access,
printing services. SMB2(3)-improved versions with encryption and
performance
NTLM (NT LAN Manager) - security protocols used by Microsoft for
authenticating users and ensuring the integrity and confidentiality of their
interactions with Windows systems. Newer Windows versions now rely on
Kerberos
NTFS, FAT32, exFAT - File systems
NTFS - Supports ACL(file, folder permission), File Encryption (EFS),
Compression to save disk space
SMTP - Simple Mail Transfer Protocol
Subnet:
Magic number - the amount we add in the interesting octet to move from one network to the next.
The last address of the network = broadcast.
Broadcast - the network's value in that octet plus the magic number gives the next network; the broadcast is one below it.
Last host = broadcast - 1 (4th octet)
First host = network ID + 1
IP: 192.168.1.100/24; Network ID: 192.168.1.0
Broadcast: 192.168.1.255
The magic number is the place value of the last 1 in the subnet mask. For
example, in a /25 subnet mask the last 1 of the subnet mask is in the 128
place value, and that tells us that the network will increase in jumps of 128 in
the fourth octet where the magic number is. For /26 the last 1 would be at
the 64 place value, and the networks will increase in jumps of 64.
The range of link-local addresses in IPv4 is 169.254.0.0/16, which means that
any IP address in the range 169.254.0.1 to 169.254.255.254 can be assigned
as a link-local address. In IPv6, the link-local address range is fe80::/10.
To find the network address of a given IP and subnet mask, we use the AND
process: convert both to binary, write them one under the other and AND the 1s and 0s, then convert
back to decimal.
Available IP range for hosts: 192.168.1.1-192.168.1.254
Magic number = the interval. A magic number of 128 means the range between 0 and 128.
Borrow bits to create subnets. You create 2^(borrowed bits) subnets. The remaining
bits give 2^(remaining bits) - 2 hosts. Ignore the original network bits.
/8, /16 and /24 can be subdivided. When /16 is subdivided, the prefix goes from /17 to /23.
If the magic number is 64, you make it 32 and adjust the prefix accordingly by increasing it by one, for example.
*For subnetting, first borrow bits from the host portion of the subnet mask according to the
requirements, then look at the magic number and set the intervals. With that you create as many
subnets as are required.
Calculate the last host correctly: subtract 2.
Each bit gives 32 IP addresses:
/24 - 1 subnet, 254 hosts, 00000000 = 0
/25 - 2 subnets, 126 hosts, 10000000 = 128 (magic)
/26 - 4 subnets, 2^6 - 2 = 62 hosts, 11000000 = 192
/27 - 8 subnets, 30 hosts, 11100000 = 224
/28 - 16 subnets, 14 hosts, 11110000 = 240
/29 - 32 subnets, 6 hosts, 11111000 = 248
/30 - 64 subnets, 2 hosts, 11111100 = 252
In VLSM each subnet has its own appropriate prefix, and each subnet still follows the
previous one.
VLSM: 192.168.72.0 Subnets: .. .0, .64, .96, .128, .144
/25 = ... .10000000 (binary)
Subnets = 2^1 = 2; hosts = 2^7 = 128 - 2 = 126 hosts per subnet
Based on the required number of hosts, using the formula above we look for a prefix that can
fit the required hosts and subnets in binary.
Divide into subnets: /26 = 255.255.255.192 (11000000) - if 4 subnets are required, 2^6 = 64
addresses, 62 hosts (192 = 2 subnet bits, 6 host bits). Or
.. .0; .. .64; .. .128; .. .192;
The prefix given to you for the whole block and the prefix you assign for the host subnets are
different. Look at what prefix results from borrowing a given number of bits.
Pay attention to number of hosts vs usable hosts.
Don't assign the first and last addresses: network and broadcast.
Finally, to set the IPs (Cisco IOS interface commands): ip address <ip> <subnet mask>, no shutdown
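Added example (not from these notes): the whole subnetting procedure above in code, using Python's standard ipaddress module. subnet_facts gives network, broadcast, first/last host, usable count and the magic number (defined as in the notes: the place value of the last 1 bit of the mask, in the octet holding it); borrow_bits does fixed-length subnetting (2^bits subnets); vlsm_plan does the VLSM allocation, largest requirement first, each subnet sized to the smallest power of two that fits hosts + network + broadcast and placed back to back. The host counts fed to vlsm_plan are constructed so that the result reproduces the .0, .64, .96, .128, .144 list from the notes.

```python
import ipaddress


def subnet_facts(cidr):
    """Network, broadcast, first/last host, usable count and magic number for an IPv4 CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False accepts a host address
    mask = net.netmask.packed                         # the 4 mask octets as bytes
    # Interesting octet = the one holding the last 1 bit of the mask (0-based index).
    interesting = (net.prefixlen - 1) // 8 if net.prefixlen else 0
    magic = 256 - mask[interesting]                   # place value of that last 1 bit
    usable = max(net.num_addresses - 2, 0)            # /31 and /32: no usable hosts by this rule
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "magic_octet": interesting + 1,               # 1-based, as people count octets
        "magic": magic,
        "usable_hosts": usable,
        "first_host": str(net.network_address + 1) if usable else None,
        "last_host": str(net.broadcast_address - 1) if usable else None,
    }


def borrow_bits(cidr, bits):
    """Fixed-length subnetting: borrowing `bits` host bits yields 2**bits equal subnets."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(subnet) for subnet in net.subnets(prefixlen_diff=bits)]


def vlsm_plan(cidr, host_requirements):
    """Variable-length subnetting: largest requirement first, each subnet sized to the
    smallest power of two that fits hosts + network + broadcast, placed back to back."""
    free = [ipaddress.ip_network(cidr, strict=False)]   # unallocated blocks, by address
    plan = []
    for need in sorted(host_requirements, reverse=True):
        prefix = 32 - (need + 1).bit_length()            # smallest host_bits with 2**host_bits >= need + 2
        for index, candidate in enumerate(free):
            if candidate.prefixlen <= prefix:            # first free block big enough
                break
        else:
            raise ValueError(f"no room left for a subnet of {need} hosts")
        free.pop(index)
        pieces = list(candidate.subnets(new_prefix=prefix))   # split it into subnets of the needed size
        plan.append((need, str(pieces[0])))                   # take the lowest one
        free = sorted(free + pieces[1:], key=lambda n: int(n.network_address))
    return plan


if __name__ == "__main__":
    print(subnet_facts("192.168.1.100/29"))
    print(borrow_bits("192.168.1.0/24", 5)[:3], "...")
    for need, subnet in vlsm_plan("192.168.72.0/24", [50, 25, 25, 10, 10]):
        print(f"{need:>3} hosts -> {subnet}")
```

Because requirements are allocated largest first and free blocks stay sorted by address, every subnet starts on a boundary that is a multiple of its own size, which is the alignment the magic-number method relies on.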
Binary - divide the whole number by 2; hexadecimal - divide by 16. In both cases take the
remainders: in one they are 1 and 0, in the other 0-9 and A-F. But write them in reverse, reading the
remainders from bottom to top. The last value (binary) that can no longer be divided is itself the
top remainder.
Hex to decimal - (AD5)₁₆ = (10 × 16²) + (13 × 16¹) + (5 × 16⁰) = (2773)₁₀
MAC - 48 bits, 6 bytes
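Added example (not from these notes): the repeated-division and positional-weight procedures above as code, with the AD5 case from the notes as the test, plus the two helpers the subnet tables use them for: turning a prefix into a dotted mask (the 11000000 = 192 rows) and a mask back into a prefix.

```python
DIGITS = "0123456789ABCDEF"


def to_base(value, base):
    """Repeated division: divide by the base, collect remainders, read them bottom-up."""
    if base not in (2, 16):
        raise ValueError("this example covers binary and hexadecimal only")
    if value == 0:
        return "0"
    remainders = []
    while value > 0:
        value, remainder = divmod(value, base)     # quotient carries on, remainder is a digit
        remainders.append(DIGITS[remainder])
    return "".join(reversed(remainders))          # the last remainder is the top (most significant) digit


def from_base(text, base):
    """Positional weights: (AD5)16 = 10*16^2 + 13*16^1 + 5*16^0, accumulated left to right."""
    value = 0
    for digit in text.upper():
        value = value * base + DIGITS.index(digit)
    return value


def octet_to_binary(octet):
    """One IPv4 octet as 8 binary digits, left-padded with zeros."""
    return to_base(octet, 2).rjust(8, "0")


def prefix_to_mask(prefix):
    """Dotted mask from `prefix` ones followed by zeros, converted octet by octet."""
    bits = "1" * prefix + "0" * (32 - prefix)
    return ".".join(str(from_base(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def mask_to_prefix(mask):
    """Count the 1 bits across the four octets of a dotted mask."""
    return sum(octet_to_binary(int(octet)).count("1") for octet in mask.split("."))


if __name__ == "__main__":
    print(to_base(2773, 16), from_base("AD5", 16))        # AD5 2773
    print(octet_to_binary(192), prefix_to_mask(26))        # 11000000 255.255.255.192
    print(mask_to_prefix("255.255.255.248"))               # 29
```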
Here are the matching protocols for the following ports:
• Port 20 – File Transfer Protocol (FTP) data transfer
• Port 21 – File Transfer Protocol (FTP) control
• Port 22 – Secure Shell (SSH) remote login protocol
• Port 23 – Telnet remote login protocol
• Port 53 – Domain Name System (DNS) service
• Port 80 – Hypertext Transfer Protocol (HTTP) used for web traffic
• Port 443 – HTTP Secure (HTTPS) used for secure web traffic
Google Dorks - allintext:password filetype:log after:2010
intitle:"index of" inurl:http after:2015
inurl:top.htm inurl:currenttime
Microsoft:
NTFS - Journaling file system: a log file that protects against failure and repairs files and folders;
supports files over 4 GB, setting permissions (read, write, execute, full control), compression,
Encrypting File System (EFS), ADS (Alternate Data Streams) - attributes in which hidden malicious
files are often stored
Active Directory Users and Computers - to see and edit everything
Control Panel (the blue Settings icon) - Programs - Turn Windows features on or off - Server
Manager
Task Manager (computer) - programs, end tasks if frozen
Type "Other Users" in Windows 10, or in "Run" type lusrmgr.msc
UAC (User Account Control) = sudo in Linux. Prevents malware installation in the
account
msconfig - Tools - Computer Management: Task Scheduler, Event Viewer, Shared
Folders, Local Users and Groups, Performance Monitor, Device Manager
fsmgmt.msc - Run it to open Shared Folders