Core Image Mechanics

From Vista Ridge Cyberpatriot

Latest revision as of 05:27, 20 May 2021

Readme

The readme is a file that includes instructions about how the system is supposed to be configured; it spells out where most of the points to be gained are going to be. You can view a past readme here.

Forensics Questions

Each image has multiple forensics questions. These questions are often about things specific to the image, but some ask about broader cybersecurity topics. Because of this there really is no way to prepare for them; the best way to take care of them is abusing Google and asking your teammates for help.

Example Forensics Questions

  • What Windows Service is affected by CVE-2019-0708?[1]
  • User passwords are stored in the SAM registry hive; what is the full file path for the SAM registry hive file on this machine?

Reasoning

In the cybersecurity space it is very important to have problem-solving skills and to be able to chase down niche problems; these questions help foster this skill.

User Management (and passwords)

In the readme there is a list of approved users and administrators. All accounts not on that list need to be deleted, and accounts on that list but not on the machine need to be added. The same goes for administrators, but rather than adding or deleting accounts you add them to or remove them from the administrators group. You will also be able to see the original passwords for those accounts; you will gain points for changing insecure ones. Instructions on how to do that are on the OS-specific pages.
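The comparison above is easy to get wrong by hand on an image with many accounts, so here is an added example (not from this wiki or any competition material) that reads an assumed readme layout ("Authorized Administrators:" / "Authorized Users:" headings with indented password lines), compares it against constructed /etc/passwd and /etc/group sudo lines, and prints what to remove, add, promote and demote. It deliberately ignores system accounts (UID below 1000) so they are never flagged for deletion.

```python
# Constructed sample readme excerpt in an assumed CyberPatriot-style layout;
# not taken from any real image.
README = """
Authorized Administrators:
alice (you)
    password: Sunshine2021!
bob
    password: letmein

Authorized Users:
carol
dave
"""

# Constructed /etc/passwd and /etc/group lines for the image being audited.
PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
carol:x:1001:1001::/home/carol:/bin/bash
dave:x:1002:1002::/home/dave:/bin/bash
mallory:x:1003:1003::/home/mallory:/bin/bash
"""
GROUP_SUDO = "sudo:x:27:alice,dave"

def parse_readme(text):
    """Return (admins, users) named under the two 'Authorized' headings."""
    admins, users, section = set(), set(), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Authorized Administrators"):
            section = admins
        elif line.startswith("Authorized Users"):
            section = users
        elif line and not line.startswith("password:") and section is not None:
            section.add(line.split()[0])   # drop the "(you)" annotation
    return admins, users

def plan(readme, passwd, sudo_line, min_uid=1000):
    """Compare the readme lists against the machine and return what to change."""
    admins, users = parse_readme(readme)
    approved = admins | users
    # Only human accounts (UID >= min_uid) are in scope; system accounts stay.
    local = {f.split(":")[0] for f in passwd.splitlines()
             if f and int(f.split(":")[2]) >= min_uid}
    sudoers = set(sudo_line.split(":")[3].split(",")) - {""}
    return {
        "remove": sorted(local - approved),            # not in the readme
        "add": sorted(approved - local),               # in the readme, missing
        "promote": sorted(admins - sudoers),           # admin but not in sudo
        "demote": sorted((sudoers & local) - admins),  # in sudo but not admin
    }

if __name__ == "__main__":
    for action, names in plan(README, PASSWD, GROUP_SUDO).items():
        print(f"{action}: {', '.join(names) or '-'}")
```

On Windows the same reconciliation applies, with the local user list and the Administrators group members in place of /etc/passwd and the sudo group line.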

Reasoning

One of the key tenets of risk minimization is to revoke rights where they are not needed; deleting or de-modding accounts is exactly this. It is also critical that everyone has the permissions necessary to do their jobs, whether that means just being able to sign on or having administrator rights.

Critical Services (and other software)

The readme also lists various "Critical Services". These services may not always be working; it is your job to ensure they are set to run automatically and work properly (this includes preventing or solving software conflicts). The readme often also mentions things along the lines of "Firefox should be the default browser" or "Company policy states that Windows Action Center should be enabled"; in that case, make sure that those applications are running, updated, and the default when applicable. You may also gain points for enabling certain security settings within these applications (e.g. the pop-up blocker in Firefox).

Examples of Services and Software

  • IIS Webserver (service)
  • Active Directory and Domain Name Services (services)
  • Samba (service)
  • Firefox (software)

Reasoning

Maintaining services is critical, as without them the system would have no reason to exist; remember, foremost a computer is a tool, not an item to be secured. Keeping software current is also vital, as vulnerabilities in old software are a primary attack vector for viruses and other undesirables.

Unwanted Services

There are a few services that are security risks and are not mentioned in the readme. I do not believe that we have gotten points for these in recent rounds, but it is always good to be prudent.

Example Unwanted Services

  • FTP

Prohibited Files (and "Hacking Tools")

The readme always mentions something about "hacking tools" and "media files" being prohibited. Quite often you will see a program you have never come across before; the only real course of action here is to google it and make a call on whether or not you should delete it.

Example Prohibited Files

  • .mp3
  • .mp4
  • .mov
  • .png
  • .jpg
  • Games

Example "Hacking Tools"

  • Nmap
  • Steghide
  • Wireshark
  • Hashcat
  • John the Ripper

Updates

automatic checks and install

Security Policy

Password requirements

Penalties

  • deleting good users
  • removing good software
  • disabling critical services


[1] Probably not a CVE affecting any Windows service; I kinda just grabbed the first CVE number that I saw. In short, don't practice with these questions.