Video Courses
Jason Dion - Sec+ Udemy Course
https://mega.nz/#F!DnZWBCYb!vAjXcKf90Pn3w5y4iPrdxg
CBT Nuggets Sec+
https://mega.nz/#F!ezYD3AYT!Jq9LbN6xtRNhAEcwO7eAAg
Mike Chapple Sec+
https://mega.nz/#F!rrQwwSbC!5p1iPrU2MdBwp2O3IRdbaA
Jason Dion - Sec+ Udemy Course
https://mega.nz/#F!DnZWBCYb!vAjXcKf90Pn3w5y4iPrdxg
CBT Nuggets Sec+
https://mega.nz/#F!ezYD3AYT!Jq9LbN6xtRNhAEcwO7eAAg
Mike Chapple Sec+
https://mega.nz/#F!rrQwwSbC!5p1iPrU2MdBwp2O3IRdbaA
mega.nz
MEGA provides free cloud storage with convenient and powerful always-on privacy. Claim your free 20GB now
https://drive.google.com/drive/folders/1x1z_qAA7ZsyeG_pAZTZSjOFunaxvpg-E
All security books, CISSP, CISM, CISA and Cloud etc
All security books, CISSP, CISM, CISA and Cloud etc
How to Spot Phishing Sites in 4 Simple Steps
1. Examine the connection type:
All you have to do is click on the URL in the address bar and check whether the site has an “HTTP” or “HTTPS” tag. The “https” tag is what you should be aiming for if you’re on a page that requires to enter any confidential information.
2. Run a quick check on SSL certificate:
You can check the validity and issuer of SSL certificate by clicking on the padlock icon in the address bar. This will show you whether the certificate is valid and the name of the issuer.
However, keep in mind that scammers who go a long way to appear legitimate are capable of forging permits and tax forms required by certificate providers. On top of that, there is software that can enable them to get their hands on free SSL certificates.
3. Examine the URL:
The usual address looks like this:
https:// (security protocol) www (subdomain) brand name (domain) com (domain extension)
4. Inspect website content:
If a single webpage you landed on seems suspicious, a good way to identify a phishing site is to simply take a look at the entire website.
Some of the red flags include low-resolution photos, bad grammar, empty pages, excessive advertising, and clickbait headlines.
1. Examine the connection type:
All you have to do is click on the URL in the address bar and check whether the site has an “HTTP” or “HTTPS” tag. The “https” tag is what you should be aiming for if you’re on a page that requires to enter any confidential information.
2. Run a quick check on SSL certificate:
You can check the validity and issuer of SSL certificate by clicking on the padlock icon in the address bar. This will show you whether the certificate is valid and the name of the issuer.
However, keep in mind that scammers who go a long way to appear legitimate are capable of forging permits and tax forms required by certificate providers. On top of that, there is software that can enable them to get their hands on free SSL certificates.
3. Examine the URL:
The usual address looks like this:
https:// (security protocol) www (subdomain) brand name (domain) com (domain extension)
4. Inspect website content:
If a single webpage you landed on seems suspicious, a good way to identify a phishing site is to simply take a look at the entire website.
Some of the red flags include low-resolution photos, bad grammar, empty pages, excessive advertising, and clickbait headlines.
Software Development Lifecycle (SDLC)
Static Analysis: At the foundational level is the security of the application code as it is being developed, which is often an area where static code analysis tools (SCAT) can play a role. This area is called static application security testing, or SAST.
Dynamic Analysis: For code that is running, dynamic application security testing (DAST) enables the detection of different types of security risks.
Interactive Application Security Testing: Combining both DAST and SAST approaches is the domain of Interactive Application Security Testing (IAS).
Software Composition Analysis (SCA): There can also be configuration issues with applications that can potentially be exploited. There are also software dependency and libraries that have known vulnerabilities, which is where vulnerability management capabilities fit in.
1.Acunetix
2.Checkmarx
3.Micro Focus Fortify
4.NowSecure
5.Rapid7
6.Snyk
7.Synopsys
8.Veracode
9.Whiteha
Static Analysis: At the foundational level is the security of the application code as it is being developed, which is often an area where static code analysis tools (SCAT) can play a role. This area is called static application security testing, or SAST.
Dynamic Analysis: For code that is running, dynamic application security testing (DAST) enables the detection of different types of security risks.
Interactive Application Security Testing: Combining both DAST and SAST approaches is the domain of Interactive Application Security Testing (IAS).
Software Composition Analysis (SCA): There can also be configuration issues with applications that can potentially be exploited. There are also software dependency and libraries that have known vulnerabilities, which is where vulnerability management capabilities fit in.
1.Acunetix
2.Checkmarx
3.Micro Focus Fortify
4.NowSecure
5.Rapid7
6.Snyk
7.Synopsys
8.Veracode
9.Whiteha
Forwarded from cissp (Alireza Ghahrood)
https://t.me/cissp
International channel for Transmission Knowledge In the field of Cyber Security with a Focus on the Content of the CISSP-ISC2 course
+also group:
@cisspgroup
International channel for Transmission Knowledge In the field of Cyber Security with a Focus on the Content of the CISSP-ISC2 course
+also group:
@cisspgroup
Telegram
cissp
@cissp
International channel 4 Transmission Knowledge In the Field of Cyber Security with a Focus on the Content of the CISSP-ISC2 Course
- - - - - - - - - -
+also group: https://t.me/cisspgroup
—————————
@alirezaghahrood
International channel 4 Transmission Knowledge In the Field of Cyber Security with a Focus on the Content of the CISSP-ISC2 Course
- - - - - - - - - -
+also group: https://t.me/cisspgroup
—————————
@alirezaghahrood
Google's Threat Analysis Group (TAG) delivered thousands of alerts of government-backed attempts to spearphish Gmail users over just a three-month period earlier this year.
TAG director Shane Huntley revealed that from July to September 2019 his team sent 12,000 warnings to users in 149 countries. From a heat map attached to the blog post, you can see that most were located in the US, South Korea, Pakistan and Vietnam.
“Over 90% of these users were targeted via ‘credential phishing emails’... attempts to obtain the target’s password or other account credentials to hijack their account,” he added.
“We encourage high-risk users — like journalists, human rights activists, and political campaigns — to enroll in our Advanced Protection Program (APP), which utilizes hardware security keys and provides the strongest protections available against phishing and account hijackings. APP is designed specifically for the highest-risk accounts.”
Google's TAG tracks over 270 targeted and government-backed threat groups across 50+ countries in an attempt to detect a variety of dodgy activities like intel collection, IP theft, targeting of dissidents and activists, destructive cyber-attacks, and spreading coordinated disinformation.
He also detailed efforts to detect and remove coordinated influence operations by Russian state hackers in Africa using “inauthentic news outlets to disseminate messages promoting Russian interests in Africa.” A total of 15 YouTube channels were removed as a result.
TAG director Shane Huntley revealed that from July to September 2019 his team sent 12,000 warnings to users in 149 countries. From a heat map attached to the blog post, you can see that most were located in the US, South Korea, Pakistan and Vietnam.
“Over 90% of these users were targeted via ‘credential phishing emails’... attempts to obtain the target’s password or other account credentials to hijack their account,” he added.
“We encourage high-risk users — like journalists, human rights activists, and political campaigns — to enroll in our Advanced Protection Program (APP), which utilizes hardware security keys and provides the strongest protections available against phishing and account hijackings. APP is designed specifically for the highest-risk accounts.”
Google's TAG tracks over 270 targeted and government-backed threat groups across 50+ countries in an attempt to detect a variety of dodgy activities like intel collection, IP theft, targeting of dissidents and activists, destructive cyber-attacks, and spreading coordinated disinformation.
He also detailed efforts to detect and remove coordinated influence operations by Russian state hackers in Africa using “inauthentic news outlets to disseminate messages promoting Russian interests in Africa.” A total of 15 YouTube channels were removed as a result.
Best of Command & Control
4 (Red Teaming)
•Command & Control: Ares
•Command & Control: WebDav C2
•Command & Control: WebSocket C2
•Command and Control with DropboxC2
•dnscat2: Command and Control over the DNS
•Command & Control: Silenttrinity Post-Exploitation Agent
•Command & Control Tool: Pupy
•Command and Control Guide to Merlin
•Command and Control with HTTP Shell using JSRat
•Koadic – COM Command & Control Framework
•TrevorC2 – Command and Control
https://lnkd.in/fCua_6e
4 (Red Teaming)
•Command & Control: Ares
•Command & Control: WebDav C2
•Command & Control: WebSocket C2
•Command and Control with DropboxC2
•dnscat2: Command and Control over the DNS
•Command & Control: Silenttrinity Post-Exploitation Agent
•Command & Control Tool: Pupy
•Command and Control Guide to Merlin
•Command and Control with HTTP Shell using JSRat
•Koadic – COM Command & Control Framework
•TrevorC2 – Command and Control
https://lnkd.in/fCua_6e
lnkd.in
LinkedIn
This link will take you to a page that’s not on LinkedIn
What's the difference between bagging and boosting?
Bagging and boosting are both ensemble methods, meaning they combine many weak predictors to create a strong predictor.
One key difference is that bagging builds independent models in parallel and "averages" their results in the end, whereas boosting builds models sequentially, at each step emphasizing reducing error that remains in the model by better fitting to the observations that were missed in previous steps.
Bagging and boosting are both ensemble methods, meaning they combine many weak predictors to create a strong predictor.
One key difference is that bagging builds independent models in parallel and "averages" their results in the end, whereas boosting builds models sequentially, at each step emphasizing reducing error that remains in the model by better fitting to the observations that were missed in previous steps.