Changes #50
Open
Changes #50
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
binarymist
requested changes
Jul 7, 2017
manuscript/markdown/main/chapter1.md
Outdated
| @@ -123,7 +123,7 @@ Keep your eye on the vulnerability advisories, as that is part of what an attack | |||
|  | |||
| <!---This is where the images live: https://raw.githubusercontent.com/wiki/binarymist/HolisticInfoSec-For-WebDevelopers/BinaryMist-Approach-To-Threat-Modelling-Assets/BobTheBuilder.jpg--> | |||
|
|
|||
| Here is where you work through collaboratively creating countermeasure Product Backlog Items (PBIs). Countermeasure PBIs are like any other PBI. PBI qualities: | |||
| Here is where you work through collaboratively creating countermeasure **Product Backlog Items (PBIs)**. Countermeasure PBIs are like any other PBI. PBI qualities: | |||
There was a problem hiding this comment.
Not sure why the bold has been added back in? Please undo this.
|
|
||
| * `msf >` [help](https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/#help) | ||
| * `msf >` [show](https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/#show) | ||
| * Valid options to add to show are: `all`, `encoders`, `nops`, `exploits`, `payloads`, `auxiliary`, `plugins`, `options` | ||
| * Additional module specific parameters are: `missing`, `advanced`, `evasion`, `targets`, `actions` | ||
| * `msf > show options` | ||
| * `msf > info <module name>` [info](https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/#info) | ||
|
|
||
| Refer the following link for more insight :https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/ | ||
| <!--- I have removed the link from the heading and placed it here as the font looks different when this URl was applied ---> |
There was a problem hiding this comment.
And there in lies the problem. The resource is listed in the Attributions, the link is also part of the heading so it's obvious that there is a resource available. Adding hrefs everywhere in text is just scruffy, it needs to be obvious to the reader that there is a link and maybe if they want to check it out, then view it in the Attributions chapter.
| @@ -216,8 +217,7 @@ If you need Metasploit integration in BeEF (in most cases you will want this), s | |||
| `extension: metasploit: enable: true` | |||
| in the `/etc/beef-xss/config.yaml` file. | |||
| Also make sure | |||
| `enable` | |||
| is set to `true` in `/usr/share/beef-xss/extensions/metasploit/config.yaml` | |||
| `enable` is set to `true` in `/usr/share/beef-xss/extensions/metasploit/config.yaml` | |||
There was a problem hiding this comment.
The reason for the new line is so that it stands out, as in one line per instruction. Everything is intentional, unless you have a really good reason to change this, please leave it as is.
Thoughts @holisticinfosec?
| @@ -325,16 +325,16 @@ or see the documentation for more details | |||
| %% Errors installing. Submitted issue here: https://github.com/michenriksen/gitrob/issues/62 | |||
| %% Error running. Didn't like my password: https://github.com/michenriksen/gitrob/issues/63 | |||
|
|
|||
| #### [CMSmap](https://github.com/Dionach/CMSmap) | |||
| #### CMSmap | |||
There was a problem hiding this comment.
As per "Useful metasploit commands" link above. I'd suggest chaning your link font, as I've already mentioned to something that works with the heading.
|
|
||
| CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular Content Management Systems (CMSs). | ||
| [CMSmap] (https://github.com/Dionach/CMSmap) is a python open source CMS scanner that automates the process of detecting security flaws of the most popular Content Management Systems (CMSs). |
There was a problem hiding this comment.
Same again, change link font to work with heading.
manuscript/markdown/main/chapter4.md
Outdated
| @@ -21,7 +21,7 @@ This allows us to create effective attack strategies, including non-technical as | |||
|
|
|||
| #### Reconnaissance Forms {#process-and-practises-penetration-testing-reconnaissance-reconnaissance-forms} | |||
|
|
|||
| Information gathering can and should be done (initially) in such a way that the target does not know you are doing it (passive). However, reconnaissance can achieve "noise" levels so loud that the target *should* absolutely know you are doing it (active). Unfortunately, all too often target organisations do not notice more active assessment due to insufficient logging, monitoring, and alerting, as discussed in several of the following chapters. These activities also require that someone actually take notice, as discussed in the People chapter specific to engagement. | |||
| Information gathering can and should be done (initially) in such a way that the target does not know you are doing it (passive). However, reconnaissance can achieve "noise" levels so loud that the target *should* absolutely know you are doing it (active). Unfortunately, all too often target organisations do not notice more active assessment due to insufficient logging, monitoring, and alerting, as discussed in several of the following chapters. These activities also require that someone actually take notice, as discussed in Chapter 5, People specific to engagement. | |||
There was a problem hiding this comment.
Why is People not in italics as you have for many other chapter names?
Where is your consistency?
manuscript/markdown/main/chapter5.md
Outdated
| @@ -328,7 +325,7 @@ Again, company policy and culture may require some work as well. | |||
|
|
|||
| #### Cameras, Sensors and Alarms | |||
|
|
|||
| Detection is an important part of the overall security of your premises. When your prevention fails, you are going to want to know about it so that you can react appropriately. Ideally, surveillance systems should also be configured to send alerts to someone who is going to take notice of them. I have addressed some of the concerns about alerts that fail to trigger human reaction specifically in the "Morale, Productivity and Engagement Killers" section of the [People](#people) chapter. I have found ZoneMinder, an open source video surveillance solution, to be excellent at recording, detecting motion, and providing events. You can then do what ever you like with the events, including email, SMS, push notifications, etc. Be prepared to get your hands dirty here though as this is an open and extensible platform. I have also noticed NodeMinder, which was of interest to me, but at the time of this writing, was not being maintained, like so many NPM packages. | |||
| Detection is an important part of the overall security of your premises. When your prevention fails, you are going to want to know about it so that you can react appropriately. Ideally, surveillance systems should also be configured to send alerts to someone who is going to take notice of them. I have addressed some of the concerns about alerts that fail to trigger human reaction specifically section *Morale, Productivity and Engagement Killers* of the Chapter 6, *People*. I have found ZoneMinder. I have found ZoneMinder, an open source video surveillance solution, to be excellent at recording, detecting motion, and providing events. You can then do what ever you like with the events, including email, SMS, push notifications, etc. Be prepared to get your hands dirty here though as this is an open and extensible platform. I have also noticed NodeMinder, which was of interest to me, but at the time of this writing, was not being maintained, like so many NPM packages. | |||
There was a problem hiding this comment.
of the Chapter 6
Is "the" really needed?
Thoughts @holisticinfosec?
manuscript/markdown/main/chapter4.md
Outdated
| @@ -1171,7 +1186,7 @@ During this stage, contemplating and capturing countermeasures for vulnerabiliti | |||
|
|
|||
| Hammer your own systems and watch logs. Become familiar with the signatures and indicators of different tools and attacks, you will then know when you are actually under attack. You can take the same steps with active and semi-active reconnaissance. In this manner, you will be able to pre-empt your attacker's attempts at exploitation. | |||
|
|
|||
| We will go through actual exploitation that would be carried out by an attacker or penetration tester in each of the following chapter's Identify Risks sections. | |||
| We will go through actual exploitation that would be carried out by an attacker or penetration tester in each of the following chapter's *Identify Risks* sections. | |||
There was a problem hiding this comment.
@holisticinfosec I've noticed that we have ' in "chapters" in some places and not in others, I'm assuming the ' shouldn't be there?
| @@ -458,7 +455,7 @@ This technically does not provide any increased security, but reduces convenienc | |||
|
|
|||
| #### Wi-Fi Protected Set-up (WPS) | |||
|
|
|||
| This leads to a little increase in effort to establish a wireless connection. Those who are provided with access should also be recorded as having access, discussed below in the [Transient Devices](#physical-costs-and-trade-offs-transient-devices) section. | |||
| This leads to a little increase in effort to establish a wireless connection. Those who are provided with access should also be recorded as having access, discussed below in the section *ransient Devices* of Chapter 5, *Physical*. | |||
There was a problem hiding this comment.
Can we please keep using underscores for _italic text_?
| @@ -1382,7 +1397,7 @@ BSIMM also has some good [guidance on security testing](https://www.bsimm.com/on | |||
|
|
|||
| ### Security Regression Testing {#process-agile-development-and-practices-security-regression-testing} | |||
|
|
|||
| If you are using NodeJS, and have not already gotten your tests running as part of a CI build or pre-commit hook, check out the Consuming Free and Open Source Tooling section in [Fascicle 1](https://leanpub.com/holistic-infosec-for-web-developers-fascicle1-vps-network-cloud-webapplications) for some information on how to set this up. | |||
| If you are using NodeJS, and have not already gotten your tests running as part of a CI build or pre-commit hook, check out the *Consuming Free* and *Open Source Tooling* section in *Holistic InfoSec For Web Developers, Part 1: VPS, Network, Cloud and Web Applications, Kim Carter, Leanpub* for some information on how to set this up. | |||
There was a problem hiding this comment.
Can we please keep using underscores for _italic text_?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Will send you the PDF files . A few Chapters have not been Layouted. Will get them done as well. Mean while you could start reviewing the changes