
Fix Basic page

lanjelot 1 year ago
1 changed files with 93 additions and 86 deletions
Draft/

@ -1,47 +1,57 @@
# Basic Security Principles/Information
## Table of Contents
- [101](#101)
- [Basics](#basics)
- [Principles](#principles)
- [Advice](#advice)
- [Classes/Types of Vulnerabilities](#classes)
- [How to suck at infosec](#suck)
- [Getting started with infosec](#getstart)
- [Being the First Security Person/Starting a Security Program](#fps)
- [How to Suck at InfoSec](#suck)
- [Getting Started with InfoSec](#getstart)
- [Background](#background)
- [Being the First Security Person/Starting a Security Program/Growing it](#fps)
- [Briefing and Reporting](#briefing)
- [Scaling a Security Program](#scalingsec)
- [Building a Security Team](#buildteam)
- [Red Team, Blue Team, Purple Team, Green Team](#team)
- [Cognitive Biases](#bias)
- [Cognitive Bias](#cbias)
- [Mental Models](#mm)
- [Comedy](#comedy)
- [Command Line](#cli)
- [Critical Thinking](#crittihnk)
- [Common Vulnerability Scoring System](#cvss)
- [Data Breaches](#db)
- [Command Lines & OS Basics](#cli)
- [Critical Thinking](#critthink)
- [Common Vulnerability Scoring System(CVSS)](#cvss)
- [Data Breaches](#breaches)
- [Fundamental Papers](#fund)
- [General Good Stuff](#general)
- [General Good Stuff](#ggs)
- [Helping Others](#helpo)
- [History](#history)
- [How to ask better questions](#bq)
- [How to Ask Better Questions](#bq)
- [Information Processing](#ip)
- [Learning](#learning)
- [Metrics](#metrics)
- [Networking](#networking)
- [Normalization of Deviance](#nom)
- [Problem Solving](#ps)
- [Regular Expressions](#rex)
- [Project Management](#pms)
- [Ransomware](#ransomware)
- [Regular Expressions](#regex)
- [Research](#research)
- [Request for Proposal/Service](#rfp)
- [Request for Service/Product](#rfsp)
- [Risk](#risk)
- [Securing yourself](#secself)
- [Software Testing](#softwaretesting)
- [Statistics](#statistics)
- [System Design](#systemdesign)
- [TableTop Exercises](#ttx)
- [Task Automation](#automation)
- [Tools to Know About](#ttka)
- [Vendor Security](#vensec)
- [The Web](#web)
- [Zero Trust](#zerotrust)
- [Fun](#fun)
### General Information
* **101**<a name="101"></a>
## Contents
* **Basics** <a name="basics"></a>
* **101**
* [Primum non nocere - Wikipedia](
* Primum non nocere (Classical Latin: [ˈpriːmũː noːn nɔˈkeːrɛ]) is a Latin phrase that means "first, do no harm."
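Review bot: the `- [101](#101)` table-of-contents entry is left without a target by this hunk: the old heading `* **101**<a name="101"></a>` becomes a bare `* **101**` with the anchor dropped, so either remove the `[101](#101)` entry or put `<a name="101"></a>` back on the new line. The other anchor fixes here (`#bias` to `#cbias`, `#crittihnk` to `#critthink`, `#db` to `#breaches`, `#general` to `#ggs`, `#rex` to `#regex`, `#rfp` to `#rfsp`) do match the section anchors further down the page. Two smaller points: `Securing yourself` is now the only entry still in sentence case after the others were title-cased, and replacing `### General Information` with `## Contents` leaves the page with two H2 contents headings (`## Table of Contents` and `## Contents`) back to back; a name that describes the body would read better.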
@ -50,18 +60,19 @@
* You can learn security as a discipline, or you can learn general basic concepts and then apply that to a line of code/function/program/Architecture/Design/etc.
* There isn't a single path to take, and not all paths go straight forward, you may go down one path only to find you end up reading about the basics for something you considered ignorable/not worth your time, because in a new perspective, you've seen the 'hidden' value.
* The "I wanna be a hacker!" advice:
0. Learn basic security concepts, check out the Security+ syllabus by Comptia for ideas.
00. Learn Basic CS concepts: [Computer Science Distilled: Learn the Art of Solving Computational Problems - Wladston Ferreira Filho](, Plus plenty of reading on Wikipedia: [Computer Science - Wikipedia](
1. Learn x86(-64) or ARM ASM. - I recommend [Programming from the Ground Up](, [Azeria's series on writing ARM ASM](, and the [Intel® 64 and IA-32 Architectures Software Developer Manuals](
2. Learn C. Read [The C Programming Language(K&R)](, but learn C elsewhere.
3. Congratulations! You now have the skills and abilities(at least the basics) to start doing your own research and identifiying where you want to further develop your skills.
* Further reading I could recommend:
1. Learn basic security concepts
* check out the Security+ syllabus by Comptia for ideas.
* [Computer Science Distilled: Learn the Art of Solving Computational Problems - Wladston Ferreira Filho](, Plus plenty of reading on Wikipedia: [Computer Science - Wikipedia](
2. Learn x86(-64) or ARM ASM. - I recommend [Programming from the Ground Up](, [Azeria's series on writing ARM ASM](, and the [Intel® 64 and IA-32 Architectures Software Developer Manuals](
3. Learn C. Read [The C Programming Language(K&R)](, but learn C elsewhere.
4. Congratulations! You now have the skills and abilities(at least the basics) to start doing your own research and identifiying where you want to further develop your skills.
5. Further reading I could recommend:
* Linux([Understanding the Linux Kernel - Daniel P. Bovet, Marco Cesati](
* macOS([MacOS and `*`OS Internals - Jonathan Levin](
* Windows([Windows Internals Book series]( & [Windows Via C/C++](
* Also this list: [Information security / Hacking for noobs](
* Also [Why Cyber Security is Hard to Learn (Tips For Success!)](
* **General**
* **Intros**
* [Alice and Bob - Wikipedia](
* [Security Engineering (3rd ed) - Ross Anderson](
* [10 Immutable Laws of Security Administration - Scott Culp(](
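Review bot: renumbering the "I wanna be a hacker!" list to 1-5 loses a step. The old `00.` item labelled the Computer Science Distilled / Wikipedia reading as "Learn Basic CS concepts"; the new list files that same bullet under `1. Learn basic security concepts` beside the Security+ syllabus, where it is out of place. Give it its own numbered step (learn basic CS concepts) and shift the rest down. Also still present in the new lines: `identifiying` in the "Congratulations!" item should be `identifying`, and `Comptia` should be `CompTIA`.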
@ -107,7 +118,7 @@
* [Real Software Engineering by Glenn Vanderburg(Lone Star Ruby Conference(2010)](
* Software engineering as it's taught in universities simply doesn't work. It doesn't produce software systems of high quality, and it doesn't produce them for low cost. Sometimes, even when practiced rigorously, it doesn't produce systems at all. That's odd, because in every other field, the term "engineering" is reserved for methods that work. What then, does real software engineering look like? How can we consistently deliver high-quality systems to our customers and employers in a timely fashion and for a reasonable cost? In this session, we'll discuss where software engineering went wrong, and build the case that disciplined Agile methods, far from being "anti-engineering" (as they are often described), actually represent the best of engineering principles applied to the task of software development.
* [Software Security Field Guide for the Bewildered - zwischenzugs](
* **101 Principles**
* **Principles** <a name="principles"></a>
* [Akin's Laws of Spacecraft Design - David L. Akin](
* [Types of Authentication](
* [Access control best practices](
@ -117,25 +128,25 @@
* [10 Immutable Laws of Security (Microsoft TechNet) Non-original](
* [Ten Immutable Laws Of Security (Version 2.0) -](
* [You Can’t Do Everything: The Importance of Prioritization in Security - RecordedFuture](
* **Advice**<a name="advice"></a>
* **Advice** <a name="advice"></a>
* [Every thought about giving and taking advice I’ve ever had, as concisely as possible - Alexey Guzey(2020)](
* **Classes/Types of Vulnerabilities**<a name="classes"></a>
* **Classes/Types of Vulnerabilities** <a name="classes"></a>
* [MITRE Common Attack Pattern Enumeration and Classification(CAPEC)](
* [Race Condition Exploits - Prabhaker Mateti](
* **How to Suck at InfoSec**<a name="suck"></a>
* **How to Suck at InfoSec** <a name="suck"></a>
* [How to Suck at Information Security – A Cheat Sheet](
* [How not to Infosec - Dan Tentler](
* **Getting Started with InfoSec**<a name="getstart"></a>
* **Getting Started with InfoSec** <a name="getstart"></a>
* [ - mubix](
* List of links on getting started in InfoSec/Starting a career.
* [Breaking Into Information Security A Modern Guide - 0xsha](
* [Passwords in a file - erratasec](
* **Background**
* **Background** <a name="background"></a>
* [The Shoulders of InfoSec - Jack Daniels(BSides Tampa 2018)](
* If I have seen further it is by standing on the shoulders of giants; Most famously attributed to Sir Isaac Newton, this quote reflects the sentiment of this project. All of us in the field of information security stand on the shoulders of giants, this project is dedicated to shining a light on those shoulders- the known and unknown. In this presentation I will tell the stories some foundation figures in our industry and communities, some famous, some infamous, some unknown.
* [ Lessons Learned - A 15 year Retrospective - Price McDonald(BSides Indy 2018)](
* [Lessons Learned - A 15 year Retrospective - Price McDonald(BSides Indy 2018)](
* Life is full of blessings and pitfalls. This is my attempt to let others learn from my past mistakes and hopefully keep working and pressing on towards their goals.
* **Being the First Security Person/Starting a Security Program/Growing it**<a name="fps"></a>
* **Being the First Security Person/Starting a Security Program/Growing it** <a name="fps"></a>
* **101**
* Asset Inventory
* Baseline Hardening
@ -232,9 +243,9 @@
* **DFIR Program**
* [0Day to HeroDay: Bringing a company from scorched earth to a modern security organization - Ryan Wisniewski(ShowMeCon2019)](
* This talk will outline how a company was brought down to its knees from a ransomware attack, how it rose from the ashes, and how it now has a full security organization. Ryan will take you through the thrilling adventure of building incident response, system architecture, disaster recovery, and system operations on the fly while the business was down - and how the group ensured the business could come back online without risk of reinfection. Then, he will discuss how he started a security organization from scratch and talk through the challenges of maturing an organization that was on the brink of destruction just a few months ago.
* **Briefing and Reporting**<a name="briefing">
* See [./](./ or [./Docs_and_Reports.html](./Docs_and_Reports.html)
* **Scaling a Security Program**<a name="scalingsec"></a>
* **Briefing and Reporting** <a name="briefing"></a>
* See [Docs and Reports](./
* **Scaling a Security Program** <a name="scalingsec"></a>
* **101**
* [How to 10X Your Company’s Security (Without a Series D) - Clint Gibler(BSidesSF2020)](
* [Slides](
@ -261,11 +272,11 @@
* [The Call is Coming From Inside the House: Lessons in Securing Internal Apps - Hongyi Hu(OWASP AppSec Cali 2019)](
* Come hear a dramatic and humorous tale of internal appsec and the technical and management lessons we learned along the way. Even if your focus is on securing external apps, this talk will be relevant for you. You’ll hear about what worked well for us and what didn’t, including: Finding a useful mental model to organize your roadmap; Starting with the basics: authn/z, TLS, etc.; Rolling out Content Security Policy; Using SameSite cookies as a powerful entry point regulation mechanism; Leveraging WAFs for useful detection and response; Using internal apps as a training ground for new security engineers
* [Jumpstarting Your Appsec Program - Julia Knecht & Jacob Lords(BSidesSLC 2020)](
* **Building a Security Team**<a name="buildteam"></a>
* **Building a Security Team** <a name="buildteam"></a>
* [How to Build a Security Team and Program - Coleen Coolidge(BSidesSF2017)](
* [This is not fine - Surviving Cynicism and Building Happy Security Teams - Chris Deibler(BlueHat v18 2018)](
* **Red Team, Blue Team, Purple Team, Green Team**<a name='team'></a>
* See [RedTeam Page](./
* **Red Team, Blue Team, Purple Team, Green Team** <a name="team"></a>
* See [RedTeam](./
* [The Difference Between Red, Blue, and Purple Teams - Daniel Miessler](
* [Red Teams - Ryan McGeehan(2015)](
* [Bridging the gaps between Red and Blue teaming - Andy Gill(2020)](
@ -285,7 +296,7 @@
* **Measuring Results of a Red Team/Pentest**
* [Measuring a red team or penetration test. - Ryan McGeehan](
* [A Red Team Maturity Model -](
* **Cognitive Bias**<a name="cbias"></a>
* **Cognitive Bias** <a name="cbias"></a>
* [List of cognitive biases - Wikipedia](
* [58 cognitive biases that screw up everything we do - Business Insider](
* [Mental Models: The Best Way to Make Intelligent Decisions (109 Models Explained) - Farnam Street](
@ -295,11 +306,10 @@
* [Kuleshov effect](
* The Kuleshov effect is a film editing (montage) effect demonstrated by Soviet filmmaker Lev Kuleshov in the 1910s and 1920s. It is a mental phenomenon by which viewers derive more meaning from the interaction of two sequential shots than from a single shot in isolation.
* [Asch conformity experiments - Wikipedia](
* [Automation bias - Wikipedia](
* Automation bias is the propensity for humans to favor suggestions from automated decision-making systems and to ignore contradictory information made without automation, even if it is correct.
* [Why Do People Neglect Maintenance? - Andy, Jess, Lee(The Maintainers 2019)](
* **Mental Models**<a name="mm"></a>
* **Mental Models** <a name="mm"></a>
* [The Map Is Not the Territory - Farnam Street](
* The map of reality is not reality. Even the best maps are imperfect. That’s because they are reductions of what they represent. If a map were to represent the territory with perfect fidelity, it would no longer be a reduction and thus would no longer be useful to us. A map can also be a snapshot of a point in time, representing something that no longer exists. This is important to keep in mind as we think through problems and make better decisions.
* [Coastline paradox - Wikipedia](
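Review bot: the header `@ -295,11 +306,10 @@` says this hunk ends one line shorter than it started, but the only visible change is the heading swap from `**Mental Models**<a name="mm"></a>` to `**Mental Models** <a name="mm"></a>`, which is line for line. Please confirm which line was removed; if it is the `Automation bias - Wikipedia` entry and its description, keep it, since it is the one item in this list that speaks directly to over-trusting automated tooling.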
@ -307,13 +317,13 @@
* [Information Security Mental Models - Chris Sanders](
* [The Mechanics of Modern Thievery (Part 1 of 3) - Greg Johnson(2020)](
* Specifically the metaphor the preface provides. If you look at credentials stored within repositories as similar to keys dropped on the street, it becomes easier to understand how and why passwords & credentials are left in code, beyond 'Developers are lazy/stupid'.
* **Comedy**<a name="comedy"></a>
* **Comedy** <a name="comedy"></a>
* [The Website is Down #1: Sales Guy vs. Web Dude](
* [BOFH Index](
* This is a collection of links to most of the BOFH stories from 2000 to 2016 (For BOFH episodes from before 2000, please see the [Official Archive)](
* [Microservices](
* Satire or documentary.
* **Command Lines & OS Basics**<a name="cli"><</a>
* **Command Lines & OS Basics** <a name="cli"></a>
* **Linux/MacOS**
* **Articles/Resources**
* **System Basics**
@ -404,16 +414,16 @@
3. [Windows Command-Line: Inside the Windows Console](
4. [Windows Command-Line: Introducing the Windows Pseudo Console (ConPTY)](
5. [Windows Command-Line: Unicode and UTF-8 Output Text Buffer](
* **Critical Thinking**<a name="critthink"></a>
* **Critical Thinking** <a name="critthink"></a>
* [How to Apply Critical Thinking Using Paul-Elder Framework - designorate](
* [Paul-Elder Critical Thinking Framework - University of Louisville](
* **Common Vulnerability Scoring System(CVSS)**<a name="cvss"></a>
* **Common Vulnerability Scoring System(CVSS)** <a name="cvss"></a>
* [Common Vulnerability Scoring System version 3.1: User Guide -](
* [Common Vulnerability Scoring System version 3.1: Specification Document -](
* **Data Breaches**
* **Data Breaches** <a name="breaches"></a>
* [SecurityBreach](
* Crowdsourced catalog of security breaches.
* **Fundamental Papers**<a name="fund"></a>
* **Fundamental Papers** <a name="fund"></a>
* [END-TO-END ARGUMENTS IN SYSTEM DESIGN - J.H. Saltzer, D.P. Reed and D.D. Clark](
* This paper presents a design principle that helps guide placement of functions among the modules of a distributed computer system. The principle, called the end-to-end argument, suggests that functions placed at low levels of a system may be redundant or of little value when compared with the cost of providing them at that low level. Examples discussed in the paper include bit error recovery, security using encryption, duplicate message suppression, recovery from system crashes, and delivery acknowledgement. Low level mechanisms to support these functions are justified only as performance enhancements.
* [Ceremony Design and Analysis - Carl Ellison](
@ -430,15 +440,14 @@
* [Part 4](
* [BeyondCorp: A New Approach to Enterprise Security - Rory Ward, Betsy Beyer](
* Virtually every company today uses firewalls to enforce perimeter security. However, this security model is problematic because, when that perimeter is breached, an attacker has relatively easy access to a company’s privileged intranet. As companies adopt mobile and cloud technologies, the perimeter is becoming increasingly difficult to enforce. Google is taking a different approach to network security. We are removing the requirement for a privileged intranet and moving our corporate applications to the Internet.
* **General**<a name="general"></a>
* **General Good Stuff** <a name="ggs"></a>
* [Mozilla Enterprise Information Security](
* [Rating Infosec Relevant Masters Programs - netsecfocus](
* [Salted Hash Ep 34: Red Team vs. Vulnerability Assessments - CSO Online](
* Words matter. This week on Salted Hash, we talk to Phil Grimes about the differences between full Red Team engagements and vulnerability assessments
* **General Good Stuff**
* [Words Have Meanings - Dan Tentler - CircleCityCon 2017](
* [C2 Wiki - Security](
* [Not Even Close, The State of Computer Security w/ slides - James Mickens](
* [Words Have Meanings - Dan Tentler - CircleCityCon 2017]
* [(Deliberate) practice makes perfect: how to become an expert in anything - Aytekin Tank](
* [Information Security Mental Models - Chris Sanders](
* [The Submarine (Article)- Paul Graham](
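Review bot: folding `**General**` into `**General Good Stuff**` under `#ggs` is right (the table of contents only links `#ggs`), and replacing the bare `[Words Have Meanings - Dan Tentler - CircleCityCon 2017]` with a proper link repairs a broken entry. Two leftovers: `[Information Security Mental Models - Chris Sanders]` now appears both here and under **Mental Models** earlier on the page, so drop one copy; and the `#general` anchor goes away with this change, so check that nothing else in the repository links to it before merging.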
@ -446,7 +455,7 @@
* [](
* [Art as a Methodology for Security Research - Leigh-Anne Galloway](
* [The Natural Life Cycle of Mailing Lists - Kat Nagel](
* **Helping Others**<a name="helpo"></a>
* **Helping Others** <a name="helpo"></a>
* [Internet Safety for Teens, Kids, and Students -](
* [STOP. THINK. CONNECT. ™ Toolkit - DHS](
* [What I Learned Trying To Secure Congressional Campaigns - idlewords](
@ -459,17 +468,17 @@
* [The Hacker Crackdown - Wikipedia](
* The book discusses watershed events in the hacker subculture in the early 1990s. The most notable topic covered is Operation Sundevil and the events surrounding the 1987–1990 war on the Legion of Doom network: the raid on Steve Jackson Games, the trial of "Knight Lightning" (one of the original journalists of Phrack), and the subsequent formation of the Electronic Frontier Foundation. The book also profiles the likes of "Emmanuel Goldstein" (publisher of 2600: The Hacker Quarterly), the former assistant attorney general of Arizona Gail Thackeray, FLETC instructor Carlton Fitzpatrick, Mitch Kapor, and John Perry Barlow.
* [The Hacker Crackdown: Law and Disorder on the Electronic Frontier by Bruce Sterling - Project Gutenberg](
* **How to Ask Better Questions**<a name="bq"></a>
* **How to Ask Better Questions** <a name="bq"></a>
* [How To Ask Questions The Smart Way - Eric Raymond](
* [Socratic questioning - Wikipedia](
* [The Six Types Of Socratic Questions -](
* [Ask Good Questions: Deep Dive - Yousef Kazerooni](
* [Relearning the Art of Asking Questions - HBR](
* [How To Ask Questions The Smart Way -](
* **Information Processing**<a name="ip"></a>
* **Information Processing** <a name="ip"></a>
* [Drinking from the Fire Hose: Making Smarter Decisions Without Drowning in Information - Book](
* [How to make sense of any mess - Abby Covert](
* **Learning:**<a name="learning"></a>
* **Learning** <a name="learning"></a>
* **101**
* [Autodidacticism - Wikipedia](
* [Effective learning: Twenty rules of formulating knowledge - SuperMemo](
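Review bot: `How To Ask Questions The Smart Way` is listed twice under **How to Ask Better Questions** (once attributed to Eric Raymond, once with a different source); since this hunk already touches that block's heading, collapse the two into one entry. The `**Learning:**` to `**Learning**` heading change is fine.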
@ -513,29 +522,29 @@
* Cut the crap is an automatic video editing program for streamers. It can cut out uninteresting parts by detecting silences. This was inspired by jumpcutter, where this program can get better quality results by using an (optional) dedicated microphone track. This prevents cutting of quieter consonants for example. Using ffmpeg more efficiently also produces faster results and is less error prone.
* **Learning New Things**
* [The Paradox of Choice: Learning new skills in InfoSec without getting overwhelmed - AzeriaLabs](
* **Metrics**<a name="metrics"></a>
* **Metrics** <a name="metrics"></a>
* [Be Careful What You Measure - Mark Graham Brown](
* [How to Use Metrics - George K. Campbell(2006)](
* [Security metric techniques: How to answer the 'so what?' - Bill Brenner](
* [Security Value Made Visible: How American Water's Bruce Larson uses a simple metric to build bridges with business partners and justify security spending at the same time - Scott Berinato](
* [A key performance indicator for infosec organizations: Using probabilistic risk KPIs to direct complex risk engineering efforts - Ryan McGeehan(2019)](
* **Networking**<a name="networking"></a>
* **Networking** <a name="networking"></a>
* [The Bits and Bytes of Computer Networking - Google/Coursera](
* This course is designed to provide a full overview of computer networking. We’ll cover everything from the fundamentals of modern networking technologies and protocols to an overview of the cloud to practical applications and network troubleshooting. By the end of this course, you’ll be able to: describe computer networks in terms of a five-layer model; understand all of the standard protocols involved with TCP/IP communications; grasp powerful network troubleshooting tools and techniques; learn network services like DNS and DHCP that help make computer networks run; understand cloud computing, everything as a service, and cloud storage
* [Linux Network Administration -](
* One(really long) page reference
* [IPv4/v6 Subnet Mask cheatsheet -](
* **Normalization of Deviance**<a name="nom"></a>
* **Normalization of Deviance** <a name="nom"></a>
* [The normalization of deviance in healthcare delivery - John Hanja](
* Many serious medical errors result from violations of recognized standards of practice. Over time, even egregious violations of standards of practice may become “normalized” in healthcare delivery systems. This article describes what leads to this normalization and explains why flagrant practice deviations can persist for years, despite the importance of the standards at issue. This article also provides recommendations to aid healthcare organizations in identifying and managing unsafe practice deviations before they become normalized and pose genuine risks to patient safety, quality care, and employee morale.
* **Problem Solving**<a name="ps"></a>
* **Problem Solving** <a name="ps"></a>
* [Software Problem Solving Cheat Sheet - Florian Roth](
* [The XY Problem](
* The XY problem is asking about your attempted solution rather than your actual problem. This leads to enormous amounts of wasted time and energy, both on the part of people asking for help, and on the part of those providing help.
* [The AZ Problem](
* This website introduces the AZ Problem: a generalization of the XY Problem. To wit, if we agree that the XY Problem is a problem, than the AZ Problem is a metaproblem. And while the XY Problem is often technical, the AZ Problem is procedural. The AZ Problem is when business requirements are misunderstood or decontextualized. These requirements end up being the root cause of brittle, ill-suited, or frivolous features. An AZ Problem will often give rise to several XY Problems.
* [SCQA – A Framework For Defining Problems & Hypotheses - Paul(](
* **Project Management**<a name="pms"></a>
* **Project Management** <a name="pms"></a>
* **101**
* [Project management - Wikipedia](
* [What is Project Management? - Project Management Institute](
@ -550,14 +559,14 @@
* The Goal, The Phoenix Project
* **Tools**
* [A simplified Jira clone built with React and Node](
* **Ransomware**<a name="ransomware"></a>
* **Ransomware** <a name="ransomware"></a>
* [The Trade Secret: Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers - Renee Dudley and Jeff Kao(2019)](
* **Regular Expressions**<a name="regex"></a>
* **Regular Expressions** <a name="regex"></a>
* [Regular Expressions | A Complete Beginners Tutorial - Atmanand Nagpure](
* [Fall in love with Regex — Why don’t you marry them? - Sarvagya Sagar(2019)](
* [Regular Expressions (Regex) Overview - Matt Scheurer(Derbycon 2017)](
* Writing Regular Expressions (Regex) is a versatile skill set to have across the IT landscape. Regex has a number of information security related uses and applications. We are going to provide an overview and show examples of writing Regex for pattern matching and file content analysis using sample threat feed data in this presentation. Along with a healthy dose of motherly advice, we cover Regex syntax, character classes, capture groups, and sub-capture groups. Whether Regex is something completely new or worth brushing up on, this talk is geared toward you.
* **Research**<a name="research"></a>
* **Research** <a name="research"></a>
* **Doing/Performing Research**
* [Research Debt - Chris Olah, Shan Carter](
* [Ten Simple Rules for Doing Your Best Research, According to Hamming](
@ -567,20 +576,19 @@
* **Legalities**
* [A Researcher’s Guide to SomeLegal Risks of Security Research - Sunoo Park, Kendra Albert(2020)]()
* What does it cover? This guide overviews broad areas of potential legal riskrelated to security research, and the types of security research likely implicated.We hope it will serve as a useful starting point for concerned researchers andothers. While the guide covers what we see as the main areas of legal risk forsecurity researchers, it is not exhaustive. It also doesn’t create a lawyer-clientrelationship between you and the authors. This guide focuses on U.S. law, and mostly federal law.Different U.S. statesand jurisdictions may have different laws, and even different interpretations ofthe same federal law. This guide does not do a state-by-state analysis, butrather focuses on federal law and how it is interpreted by most states. Todetermine which states’ law applies to your specific situation, consult a lawyer.This guide doesnotdiscuss risks associated with security research undernon-U.S. legal systems. Your activity may raise legal risks in legal systemsoutside of the U.S. if it takes place or has impacts outside the U.S., or involvesor impacts people who are governed by non-U.S. legal systems. Similarly, youractivity may be subject to U.S. legal liability (as well as liability under yourlocal law) even if it occurs primarily outside the U.S., if it has impacts in theU.S. or involves or involves U.S. people and/or equipment.2Finally, if your research involves human subjects and is aiming to pro-duce generalizable knowledge,3you should consult an institutional review board(IRB) or ethical review committee to ensure that you are in compliance withhuman testing rules, which are outside the scope of this Guide
* **Request for Service/Product**
* **Request for Service/Product** <a name="rfsp"></a>
* [Information Security Assessment RFP Cheat Sheet - Lenny Zeltser](
* **Risk**<a name="risk"></a>
* See [.\](#./ or [./Threat_Modeling.html](#./Threat_Modeling.html)
* **FAIR**
* [Factor analysis of information risk - Wikipedia](
* Factor Analysis of Information Risk (FAIR) is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of data loss events. It is not a methodology for performing an enterprise (or individual) risk assessment.
* **Securing yourself**<a name="secself"></a>
* **Risk** <a name="risk"></a>
* See [Threat Modeling](./
* [Factor analysis of information risk (FAIR)- Wikipedia](
* Factor Analysis of Information Risk (FAIR) is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of data loss events. It is not a methodology for performing an enterprise (or individual) risk assessment.
* **Securing yourself** <a name="secself"></a>
* [Operation Luigi: How I hacked my friend without her noticing](
* My friend gave me permission to "hack all her stuff" and this is my story. It's about what I tried, what worked, my many flubs, and how easy it is to compromise Non Paranoid People TM.
* [Blogpost](
* **Software Testing**<a name="softwaretesting"></a>
* **Software Testing** <a name="softwaretesting"></a>
* **Articles/Blogposts/Writeups**
* [What broke the bank - Chris Stokel-Walker(2019)](
* [What broke the bank - Chris Stokel-Walker(2019)](
* A disastrous IT migration corrupted 1.3 billion customer records. The culprit was insufficient testing.
* **Talks/Presentations**
* [When to Test and How to Test It - Bruce Potter - Derbycon7](
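Review bot: the **Risk** rewrite fixes the malformed cross-reference (`[.\](#./` becomes `[Threat Modeling](./`) and folds the lone `**FAIR**` sub-heading into its single entry, which is fine. Two defects in the unchanged context just above should be fixed in the same pass: the Sunoo Park / Kendra Albert guide has an empty link target `()` and `SomeLegal` run together, and its description is PDF-extracted text with spaces missing throughout (`riskrelated`, `andothers`, `doesnotdiscuss`) and footnote digits fused into words (`equipment.2`, `knowledge,3`). Also `What broke the bank - Chris Stokel-Walker(2019)` appears on two consecutive lines; make sure only one survives.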
@ -599,31 +607,35 @@
* **Vulnerability Assesssment**
* [Vulnerability Assessment 2.0 - John Askew(Derbycon 2014)](
* What can you do to step up your game as a security analyst? Vulnerability scanners and other security assessment tools can be extremely useful for collecting information quickly and efficiently, but what are some good next steps for analyzing and using that information? How much value does a raw vulnerability scan report provide (hint: don’t just hand this to a client or supervisor), and how much more value can we get out of our tools with a little bit of effort? What do you do when you need data that an existing tool can’t provide? John will discuss some areas in the security asssessment process that are ripe for easy wins through custom scripting, including data aggregation, diffing, false,positive identification, and visualization. As an example, John will release a tool for slicing and dicing the results from assessment tools in interesting ways, based on various techniques used in previous consulting engagements.
* **Statistics**
* **Statistics** <a name="statistics"></a>
* [How to Lie with Statistics, Information Security Edition - Tony Martin-Vegue(Circle City Con2018)](
* Stiff statistics, prismatic pie charts, and questionable survey results drown the Information Security space in a sea of never-ending numbers that can be difficult to sift through. Have you ever finished reading a research institution's annual security report and felt your Spidey sense begin to tingle with doubt or disbelief? What you are probably sensing is a manipulation of statistics, an age-old hoodwink that has been occurring as long as numbers have been used to convey information. This critical subject was first examined over 60 years ago, when Darrell Huff first published the groundbreaking book "How to Lie with Statistics," over 60 years ago. This presentation takes the foundation Huff created and updates the core concepts for the contemporary Information Security field. Most people would be shocked to find that data is often manipulated to lead the reader to a particular conclusion. Several areas are examined: bias in vendor-sponsored security reports, data visualization misuse and common security fallacies. There is a silver lining - once you are aware of the subtle ways data is manipulated, it's easy to spot. Attendees will walk away with a new understanding of ways to identify and avoid unintentionally using some of the methods described.
* **System Design**<a name="systemdesign"></a>
* **System Design** <a name="systemdesign"></a>
* [The System Design Primer](
* Learning how to design scalable systems will help you become a better engineer. System design is a broad topic. There is a vast amount of resources scattered throughout the web on system design principles. This repo is an organized collection of resources to help you learn how to build systems at scale.
* **TableTop Exercises**<a name="ttx"></a>
* **TableTop Exercises** <a name="ttx"></a>
* [Why Crisis management exercises (still) work - Mercedes M Diaz(2020)](
* [Intro to Tabletop Exercises with Amanda Berlin & Jeremy Mio(2020)](
* When testing responses, defenses, and detections of an environment one of the main tools that can be used is a tabletop exercise. A tabletop exercise is a meeting of key stakeholders and staff who walk step by step through the mitigation of some type of disaster, malfunction, attack, or other emergency in a low stress situation. In this short training webinar, we walk through two basic exercises from beginning to end, covering what helpful structure, items, and activities should be included. We then follow up each exercise with an after action report to recap.
* **Task Automation**<a name="automation"></a>
* **Task Automation** <a name="automation"></a>
* WALKOFF is a flexible, easy to use, automation framework allowing users to integrate their capabilities and devices to cut through the repetitive, tedious tasks slowing them down,
* [StackStorm](
* [Robot Framework](
* Robot Framework is a generic open source automation framework for acceptance testing, acceptance test driven development (ATDD), and robotic process automation (RPA). It has simple plain text syntax and it can be extended easily with libraries implemented using Python or Java. Robot Framework is operating system and application independent. The core framework is implemented using Python, supports both Python 2 and Python 3, and runs also on Jython (JVM), IronPython (.NET) and PyPy. The framework has a rich ecosystem around it consisting of various generic libraries and tools that are developed as separate projects. For more information about Robot Framework and the ecosystem, see
* **Tools to Know About**<a name="ttka"></a>
* **Tools to Know About** <a name="ttka"></a>
* [Process Monitor X v2](
* Procmon-like tool that uses Event Tracing for Windows (ETW) instead of a kernel driver to provide event information.
* [rga: ripgrep, but also search in PDFs, E-Books, Office documents, zip, tar.gz, etc. - phiresky](
* **Vendor Security**<a name="vensec"></a>
* [Introduction To Metasploit – The Basics](
* [Shodan](
* [agrep](
* print lines approximately matching a pattern
* **Vendor Security** <a name="vensec"></a>
* [UC Berkely Vendor Security Assessment Program](
* [VSAQ: Vendor Security Assessment Questionnaire](
* VSAQ is an interactive questionnaire application. Its initial purpose was to support security reviews by facilitating not only the collection of information, but also the redisplay of collected data in templated form. At Google, questionnaires like the ones in this repository are used to assess the security programs of third parties. But the templates provided can be used for a variety of purposes, including doing a self-assessment of your own security program, or simply becoming familiar with issues affecting the security of web applications.
* **The Web**<a name='web'></a>
* **The Web** <a name="web"></a>
* [Web Architecture 101 - Jonathan Fulton](
* [The Tangled Web - Michal Zalewski(book)](
* "The Tangled Web is my second book, a lovingly crafted guide to the world of browser security. It enters an overcrowded market, but there are two reasons why you may want to care. First of all, where other books simply dispense old and tired advice on remediating common vulnerabilities, The Tangled Web offers a detailed and thoroughly enjoyable account of both the "how" and the "why" of the modern web. In doing so, it enables you to deal with the seedy underbelly of contemporary, incredibly complex web apps. The other reason is that it is based on years of original research - including, of course, my Browser Security Handbook (2008). I think it is simply unmatched when it comes to the breadth and the quality of the material presented. It outlines dozens of obscure but remarkably important security policies, governing everything from content rendering to frame navigation - and affecting your applications in more ways than you may expect."
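Review bot: moving Metasploit, Shodan and agrep into **Tools to Know About** is the right fix (they were filed under Zero Trust before), but two problems in the surrounding context are worth taking while here: the `WALKOFF is a flexible, easy to use, automation framework...` description under **Task Automation** has no link entry above it, so it dangles as a stray sub-bullet (add the `[WALKOFF](...)` line and drop the trailing comma), and `Vulnerability Assesssment` has one `s` too many.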
@ -633,16 +645,11 @@
* [Chrome DevTools -](
* [Discover DevTools](
* Learn how Chrome DevTools can sharpen your dev process and discover the tools that can optimize your workflow and make life easier.
* **Zero Trust**<a name="zerotrust"></a>
* **Zero Trust** <a name="zerotrust"></a>
* **Articles/Blogposts/Writeups**
* [Exploring The Zero Trust Model -](
* [Awesome Zero trust](
* **Talks/Presentations/Videos**
* **Tools you should probably know exist**
* [Introduction To Metasploit – The Basics](
* [Shodan](
* [agrep - tool](
* print lines approximately matching a pattern
* **Fun**
* **Fun** <a name="fun"></a>
* [Welcome to Infosec (Choose your own Adventure) - primarytyler](
* [Choose Your Own Red Team Adventure - Tim Malcomvetter](
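Review bot: removing `**Tools you should probably know exist**` from under **Zero Trust** is correct now that those entries live in **Tools to Know About**, but the empty `**Talks/Presentations/Videos**` sub-heading immediately above it is left behind with no entries; either drop it or fill it in.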