
Part 1 Threats, Attacks, and Vulnerabilities

A smurf attack is an example of a DDoS attack. It involves the hacker spoofing the source IP address so that ping messages appear to come from the victim. When all of the systems that were pinged reply to the ping message, they overburden the victim's system.

Spear phishing: A type of phishing (a form of social engineering attack) where the e-mail message sent is spoofed and looks like it comes from a trusted source such as a fellow employee. The e-mail message tries to get the recipient to divulge sensitive information.

Trusted Platform Module (TPM): A TPM is a computer chip on a system that stores the cryptographic keys that are used to encrypt data. Applications that use passwords to encrypt data are susceptible to dictionary attacks, while the TPM has a dictionary attack prevention module built in. In Windows, BitLocker supports using the TPM to store the key. Keep in mind that to use it, you must have a TPM-supported BIOS.

Which of the following devices is BEST suited to protect an HTTP-based application that is susceptible to injection attacks?
Layer 7 firewall

cross-site scripting (XSS)

Worm: A worm is a program that replicates itself to spread to other computers, exploiting security weaknesses. Common ports are 1098, 4444, and those in the 5000 range.

Rainbow tables: Rainbow tables are lists of pre-computed passwords with a corresponding hash; you can obtain free rainbow tables from the internet. Some larger rainbow tables are 460 GB in size. These tables speed up the cracking of passwords that have been hashed.
Collision attack: A collision attack on a cryptographic hash tries to find two inputs producing the same hash value; this is known as a hash collision.
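As an added illustration that is not part of the original notes, the Python below shows why a precomputed table only helps against unsalted hashes: a constructed five-entry lookup table (standing in for the multi-gigabyte tables mentioned above) recovers an unsalted SHA-256 instantly, while a random per-user salt with PBKDF2 leaves the same table with nothing to match. The password list, salt size and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a rainbow/lookup table: a handful of common passwords
# (the real tables the notes mention hold billions of entries).
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "Summer2013"]
ITERATIONS = 100_000  # PBKDF2 work factor, chosen for the example


def unsalted_hex(password):
    """Plain SHA-256 of the password, which is what a lookup table is built against."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup(passwords):
    """Map unsalted digest -> plaintext: the whole idea of a precomputed table."""
    return {unsalted_hex(p): p for p in passwords}


def crack_unsalted(stored_hex, table):
    """Unsalted storage: one dictionary lookup recovers the password, no guessing needed."""
    return table.get(stored_hex)


def hash_salted(password, salt=None):
    """Store 'salt$digest': a fresh 16-byte salt per user plus a PBKDF2-HMAC-SHA256 digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_salted(stored, table):
    """The precomputed table has no entry for a salted digest, so the lookup fails."""
    _, digest_hex = stored.split("$", 1)
    return table.get(digest_hex)


if __name__ == "__main__":
    table = build_lookup(COMMON_PASSWORDS)
    print("unsalted lookup:", crack_unsalted(unsalted_hex("letmein"), table))
    salted = hash_salted("letmein")
    print("salted lookup:", crack_salted(salted, table))
    print("verify correct password:", verify_salted("letmein", salted))
```

Two users with the same password get different stored values because each gets its own salt, so an attacker would have to rebuild the table once per user, which is exactly the cost the rainbow table was meant to avoid.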

Impersonation: Impersonation can involve someone putting on a uniform, of a traffic warden or police officer, for example. Imagine you are driving down the street and get flagged down by a police officer; they are holding something that looks like a speed gun. They tell you that you have been speeding and that it will result in penalty points on your license if it goes to court, or you can pay an on-the-spot fine of $40. You pay the fine and they give you a receipt. This type of attack is effective as the victim was not expecting this to happen, and most people in that situation panic and pay the fine.

Hoaxes
When it comes to security, make sure you educate your users about e-mail
hoaxes. E-mail hoaxes are e-mail messages that users receive giving a false
story and asking the user to take some type of action. For example, the hoax
could say a certain file is causing a serious flaw in the operating system.
The e-mail could tell the reader they should delete the file, but in reality
there is nothing wrong with the file, and it may be needed for information
on important features of the operating system.
If you receive an e-mail that makes certain claims you are unsure of, check out the Hoax Slayer web site at www.hoax-slayer.net/ and see if the e-mail is reported as a hoax.

Man-in-the-middle attack: In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other.
OWASP has one of the simplest and best definitions of a MITM attack: "The man-in-the-middle attack intercepts a communication between two systems." You might also hear this referred to as a malicious proxy.
An administrator discovers the following log entry on a server:
Nov 12 2013 00:23:45 httpd[2342]: GET
/app2/prod/proc/process.php?input=change;cd%20../../../etc;cat%20shadow
Which of the following attacks is being attempted?

A. Command injection
B. Password attack
For me A
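As an added example (not part of the original notes or the question), here is detection logic a defender could run over web server logs to flag entries like the one above. The log lines are constructed for the example; the first follows the shape of the entry in the question, and the patterns looked for (command separators, directory traversal, sensitive file names) are what make that entry a command-injection attempt rather than a password attack.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed httpd-style log lines; the first follows the entry quoted in the question.
SAMPLE_LOG = [
    "Nov 12 2013 00:23:45 httpd[2342]: GET /app2/prod/proc/process.php?input=change;cd%20../../../etc;cat%20shadow",
    "Nov 12 2013 00:24:01 httpd[2342]: GET /app2/prod/proc/process.php?input=change",
    "Nov 12 2013 00:24:15 httpd[2342]: GET /app2/prod/proc/process.php?input=report%20q4",
    "Nov 12 2013 00:25:07 httpd[2342]: GET /app2/prod/proc/process.php?input=..%2F..%2Fconfig",
]

REQUEST = re.compile(r"\b(GET|POST|HEAD)\s+(\S+)")
SHELL_SEPARATOR = re.compile(r"[;&|`]|\$\(")   # chains or substitutes a second command
TRAVERSAL = re.compile(r"(\.\./)+")            # climbs out of the application directory
SENSITIVE_FILE = re.compile(r"\b(passwd|shadow)\b")


def parse_query(query):
    """Decode a query string by hand so a ';' inside a value stays data, not a separator."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def classify(line):
    """Return [(param, decoded value, [reasons])] for every suspicious parameter in the line."""
    m = REQUEST.search(line)
    if not m:
        return []
    query = urlsplit(m.group(2)).query
    findings = []
    for name, values in parse_query(query).items():
        for value in values:
            reasons = []
            if SHELL_SEPARATOR.search(value):
                reasons.append("shell separator")
            if TRAVERSAL.search(value):
                reasons.append("path traversal")
            if SENSITIVE_FILE.search(value):
                reasons.append("sensitive file")
            if reasons:
                findings.append((name, value, reasons))
    return findings


def scan(lines):
    """Map each flagged line to its findings; clean lines are left out."""
    return {line: classify(line) for line in lines if classify(line)}


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG).items():
        print(line.split(": ", 1)[1], "->", findings)
```

The decoding step matters: the separators and traversal only become visible after `%20` and `%2F` are decoded, which is also why the fourth constructed line (traversal with no command chaining) is reported with a different reason than the first.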
Jamming/interference As mentioned earlier, you could experience
interference on the wireless network from components such as
cordless phones. This is a security issue because interference can
make the wireless network go down, a violation of availability
(remember the CIA discussions in Chapter 2).

War Driving and War Chalking
Another common vulnerability with wireless networks is war driving. War driving is when someone drives around with a laptop and tries to locate wireless networks that they can connect to. Another term you should know that is associated with war driving is war chalking. In war chalking, when someone discovers a wireless network, they chalk a symbol outside the building notifying the rest of the war-driving community that a wireless network is inside.

Decreasing your beacon interval means that the router is using more of its capacity to send out beacons, which leaves less bandwidth for network traffic. Lower intervals are recommended for use with multiple access points, as the more frequent broadcasts allow devices to decide on the better AP for connection.
Concept: The password history is the number of previous passwords that are remembered before you can reuse one. Password complexity requires users to use three of the following four character types in the password: lowercase, uppercase, numbers, and special characters not used in programming. A minimum password age set to 1 means that you can change the password only once a day, preventing rapid password rotation until you get back to the original password.
Wrong answers:
B. Password length was a requirement, but the longer the password length, the longer it will take a brute force attack to crack.
E. In a Group Policy, there is no option for maximum password length.
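As an added example (not part of the original notes), the following Python checks a proposed password change against the three settings just described: complexity as three of four character classes, a password history, and a minimum age. The minimum length, the history depth and the dates are constructed placeholders; the complexity rule and the one-day minimum age come from the notes.

```python
from datetime import date, timedelta

# Policy values: 3 of 4 character classes and a one-day minimum age come from the notes;
# the length and history depth are constructed placeholders for the example.
POLICY = {"min_length": 8, "classes_required": 3, "history": 5, "min_age_days": 1}


def character_classes(password):
    """Count how many of the four classes (lower, upper, digit, special) appear."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() and not c.isspace() for c in password),
    )
    return sum(checks)


def check_password_change(new_password, history, last_changed, today, policy=POLICY):
    """Return the list of policy violations; an empty list means the change is allowed.

    `history` holds the user's previous passwords, oldest first (a real system stores
    their hashes rather than the plaintext); dates are ISO strings such as "2013-11-12".
    """
    problems = []
    if len(new_password) < policy["min_length"]:
        problems.append("length")
    if character_classes(new_password) < policy["classes_required"]:
        problems.append("complexity")
    if new_password in history[-policy["history"]:]:
        problems.append("history")
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    if age < timedelta(days=policy["min_age_days"]):
        problems.append("minimum age")
    return problems


if __name__ == "__main__":
    previous = ["Summer2013!"]
    for candidate in ["Winter2013!", "Summer2013!", "winter2013"]:
        print(candidate, "->", check_password_change(candidate, previous, "2013-11-10", "2013-11-12"))
```

History and minimum age work together: with a history of 5 and a minimum age of 1 day, cycling back to the original password takes at least six changes spread over six days instead of six changes in a minute.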

Password Authentication Protocol (PAP)

Challenge-Handshake Authentication Protocol (CHAP): CHAP was used to connect to a RAS server with a four-stage process:
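The notes do not list the stages themselves, so here is the CHAP exchange as an added example that is not part of the original notes and not any vendor's code. It follows RFC 1994: the server sends a random challenge, the peer answers with MD5 over the identifier, the shared secret and the challenge, and the server replies with success or failure. The user name, secret and challenge size are constructed for the example, and PAP is included for contrast because it sends the password itself.

```python
import hashlib
import hmac
import os

# Constructed shared-secret table held by the RAS server (username -> secret).
SECRETS = {"alice": b"correct horse battery staple"}


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """RAS-server side: issues a fresh random challenge and checks the reply.
    The secret itself never crosses the link."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.pending = {}      # identifier -> outstanding challenge value
        self.next_id = 0

    def challenge(self):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)
        self.pending[identifier] = value
        return identifier, value

    def verify(self, identifier, name, response):
        """Success only if a challenge is outstanding for this identifier and the
        response matches; the challenge is consumed either way, so a replay fails."""
        challenge = self.pending.pop(identifier, None)
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


class Peer:
    """Dial-in client side: proves knowledge of the secret without sending it."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, challenge):
        return identifier, self.name, chap_response(identifier, self.secret, challenge)


def run_chap(authenticator, peer):
    """One CHAP exchange: Challenge -> Response -> Success/Failure."""
    identifier, value = authenticator.challenge()
    identifier, name, response = peer.respond(identifier, value)
    return authenticator.verify(identifier, name, response)


def run_pap(name, password, secrets):
    """PAP for contrast: the password itself is what travels to the server."""
    return hmac.compare_digest(secrets.get(name, b""), password)


if __name__ == "__main__":
    server = Authenticator(SECRETS)
    print("CHAP, correct secret:", run_chap(server, Peer("alice", SECRETS["alice"])))
    print("CHAP, wrong secret:", run_chap(server, Peer("alice", b"guess")))
```

Because the challenge is random and consumed on use, a captured response is worthless for a later session, which is the property PAP lacks.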

MS-CHAP/MS-CHAP version 2: MS-CHAP is Microsoft's version of CHAP. MS-CHAP has been superseded by MS-CHAP v2 and can be used by both VPN and RAS.

Protected Extensible Authentication Protocol (PEAP): The Protected Extensible Authentication Protocol is a version of EAP that encapsulates the EAP data and makes it more secure for WLANs.

Telnet: A protocol that was first used in 1973 to run remote commands on devices, such as routers. Unfortunately the session is in clear text and therefore not secure. If you want to know whether port 25 is open on a mail server called Mail1, you could run telnet Mail1 25. It is no longer used as it is insecure, but may be tested.

Secure Shell (SSH): Invented in 1991 to replace Telnet so that it could run
commands securely; it is commonly used when you want to perform remote
access onto routers.

Remote Desktop Protocol (RDP): A Microsoft product that allows you to run a secure remote access session on a Windows desktop or server. When you set up remote access using RDP, the service obtaining the session needs to allow access for incoming remote sessions and then place the users into the remote desktop users group. If these two actions are not taken, it will not work. As most routers are CISCO products, RDP cannot be used to remote into a router.

Remote Access Server (RAS): A legacy server that allows remote access via a
modem and telephone line and therefore is very rarely used.

Virtual Private Network (VPN): Used to create a secure tunnel from home or a remote location into your work. The most common protocol is L2TP/IPSec, which is used in tunnel mode across the internet. If you have a legacy system pre-2000, you would use an SSL VPN that requires an SSL certificate.

The winserver.exe file is a remote access Trojan (RAT). All of the other executable
names displayed by netstat are valid.

I think it is a Backdoor, she had to click several security warnings. I read that a backdoor can be used to install additional malware (Adware, Spyware, Ransomware, etc). In this case, she gets popups (adware), her PC is slow (rootkit), can't open files (cryptomal) seems to be the case? Please correct me if I am wrong.

2^0 = 1   = /32 = 255.255.255.255 ==> 256-255 = 1
2^1 = 2   = /31 = 255.255.255.254 ==> 256-254 = 2
2^2 = 4   = /30 = 255.255.255.252 ==> 256-252 = 4
2^3 = 8   = /29 = 255.255.255.248 ==> 256-248 = 8
2^4 = 16  = /28 = 255.255.255.240 ==> 256-240 = 16
2^5 = 32  = /27 = 255.255.255.224 ==> 256-224 = 32
2^6 = 64  = /26 = 255.255.255.192 ==> 256-192 = 64
2^7 = 128 = /25 = 255.255.255.128 ==> 256-128 = 128
2^8 = 256 = /24 = 255.255.255.0   ==> 256-0 = 256
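As an added example (not part of the original notes), the Python below computes the table above for any prefix length rather than the /24 to /32 rows only, converts in both directions while rejecting non-contiguous masks, and adds the usable-host caveat the table leaves out (/31 links use both addresses per RFC 3021, and /32 is a single host). The prefix range used for the rebuilt table is taken from the notes.

```python
def prefix_to_mask(prefix):
    """Dotted-decimal mask for a /prefix length between 0 and 32."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_prefix(mask):
    """Inverse of prefix_to_mask; rejects masks whose one-bits are not contiguous."""
    bits = 0
    for octet in mask.split("."):
        bits = (bits << 8) | int(octet)
    binary = f"{bits:032b}"
    ones = binary.find("0")
    ones = 32 if ones == -1 else ones
    if "1" in binary[ones:]:
        raise ValueError(f"non-contiguous mask {mask}")
    return ones


def block_size(prefix):
    """Addresses per subnet: the power of two in the left column of the table."""
    return 2 ** (32 - prefix)


def usable_hosts(prefix):
    """Hosts per subnet after network and broadcast addresses; /31 point-to-point
    links use both addresses (RFC 3021) and /32 is a single host."""
    if prefix >= 31:
        return block_size(prefix)
    return block_size(prefix) - 2


def subnet_table(min_prefix=24, max_prefix=32):
    """Rebuild the notes' table as (block size, prefix, mask, 256 - last octet) rows."""
    rows = []
    for prefix in range(max_prefix, min_prefix - 1, -1):
        mask = prefix_to_mask(prefix)
        last_octet = int(mask.rsplit(".", 1)[1])
        rows.append((block_size(prefix), prefix, mask, 256 - last_octet))
    return rows


if __name__ == "__main__":
    for size, prefix, mask, check in subnet_table():
        print(f"{size:>3} = /{prefix} = {mask:<15} ==> 256-{256 - check} = {check}")
```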

Pharming is the term used for leading someone to the wrong site by modifying DNS or the hosts file.

Bluesnarfing: A Bluetooth exploit that allows the hacker to connect to a Bluetooth-enabled phone and to retrieve data off the phone.

Bluejacking: The sending of unsolicited messages from one Bluetooth device to another Bluetooth device.

Bluebugging: A Bluetooth exploit that involves the hacker gaining access to the phone and leveraging its full capabilities, including making calls using the AT command set on the phone.

Rainbow tables use hashes and bypass account lockouts.

Part 2 Technologies and Tools

the administrator does not want to provide the wireless password or the certificate to the employees?
A. WPS
B. 802.1x
C. WPA2-PSK
D. TKIP

wireless access point (WAP)
Which of the following encryption technologies is MOST likely to be configured when connecting to WPA2-PSK?
AES
Which of the following technologies BEST supports the deployment of DNSSEC at the organization?
PKI

manufactured prior to the release of the 802.11i standard. Which of the following configuration options should the administrator select for the new wireless router?
A. WPA+CCMP
B. WPA2+CCMP
C. WPA+TKIP
D. WPA2+TKIP

An application developer is designing an application involving secure transports from one service to another that will pass over port 80 for a request. Which of the following secure protocols is the developer MOST likely to use?
SSL

SCP
The Secure Copy Protocol (SCP) is responsible for copying files from a
remote server to the local system over a secure connection, ensuring that
data in transit is kept confidential. A number of SCP products use an SSH
connection to ensure the security of the secure copy operation.

D. Containerization is where data is isolated in a mobile phone to separate business data from personal data, such as pictures of family and friends.
The components of NAC are as follows:
Host health checks: The HAuth checks the health of the incoming device to ensure that it is fully patched.
Compliant/noncompliant device: A device that is fully patched is a compliant device, but a device that has missing patches is deemed noncompliant.
Agents: Each device has an agent installed so that the HAuth can carry out health checks. The two types of agents are as follows:
- Permanent: The agent is installed on the host
- Dissolvable: A dissolvable agent is known as temporary and agentless and is installed for a single use

Remediation server: Sits on the boundary or quarantine network. When the noncompliant machine is connected to the boundary network, it can obtain the missing updates from the remediation server. Once the device is fully patched, it is then allowed to access the LAN.

RADIUS clients: RADIUS clients are VPN servers, RAS servers, and the 802.1x authentication switch. Every RADIUS client needs the secret key that is sometimes called the session key to join the RADIUS environment. RADIUS communicates over UDP port 1812. It is also known as non-proprietary.

Diameter: Diameter is the more modern version of RADIUS that works on TCP. For the exam, remember, Diameter is the AAA server that uses the EAP.
TACACS+: This is a CISCO AAA server that uses TCP so it is more secure than RADIUS, and it uses TCP port 49.
RADIUS is an AAA protocol that uses UDP as the transport layer protocol and uses the following UDP ports:
UDP port 1812 for authentication and authorization services
UDP port 1813 for accounting services
TACACS+ has been improved over RADIUS from a security standpoint because it encrypts all information between the TACACS client and the TACACS server, whereas RADIUS encrypts only the password between the RADIUS client and the RADIUS server.

B. Ipconfig
C. Tracert
Both show gateway information.

nbtstat
nbtstat is used to troubleshoot
NetBIOS over TCP/IP, while the
netstat command by itself will show
only current connections and not listening ports.

Intrusion-prevention system
There are two types of Intrusion-Prevention Systems (IPS). The first is the Network Intrusion Prevention System (NIPS), which can only operate on your network and cannot work inside a host. The second is called the Host Intrusion Prevention System (HIPS), and it operates inside a host machine and cannot operate on the network.
NIPS is an internal network device whose role is to prevent access to the network, and it is placed on the perimeter of your network behind your firewall. Think of NIPS as Rambo with a big gun whose job it is to shoot the bad guys.

Intrusion-detection system
The Intrusion-Detection System (IDS) is the same as the IPS; there is the HIDS, which only works on a host, and the NIDS, which only works on the network. Think of the IDS as Sherlock Holmes, the famous detective; his job is to find different traffic patterns on the network and then inform Rambo, the NIPS, who will then remove them from the network.
Exam tip: NIPS has the capability to detect as well as protect if there are no NIDS on your network. To protect a virtual machine from attack, you will install a HIPS.

Modes of detection
There are three modes of detection used by the NIPS/NIDS. For the purpose of the exam, you must know them thoroughly:
Signature-based: Works off a database of known exploits and cannot identify new patterns. If the database is not up to date, they will not operate efficiently.
Anomaly-based: Starts off the same as the signature-based with the known database but they have the ability to identify new variants.
Heuristic/behavioral-based: Instead of trying to match known variants, the heuristic/behavioral starts off with a baseline and matches traffic patterns against the baseline. It could also be known as anomaly-based.
Exam tip: Anomaly-based NIPS/NIDS detect new patterns and are much more efficient than signature-based, which can only work with known variants.
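As an added example that is not part of the original notes, the Python below puts the two detection modes side by side: a signature matcher that only reports patterns already in its database, and a baseline-driven anomaly detector that flags traffic volumes far from what it learned. The baseline counts, the signature database and the sample requests are all constructed for the example; the point it shows is that a never-seen request slips past the signatures while the volume spike it is part of still trips the anomaly check.

```python
import statistics

# Constructed training data: connection attempts per minute from one host during a
# quiet period, used to learn the baseline for the anomaly/behavioral detector.
BASELINE = [12, 15, 11, 14, 13, 12, 16, 14, 13, 15]

# Constructed signature database of known-bad request fragments.
SIGNATURES = {
    "shadow-read": "cat shadow",
    "dir-traversal": "../../../",
}


def signature_matches(payload, signatures=SIGNATURES):
    """Signature-based: report only the known patterns present in the payload.
    A new variant that matches no entry is invisible to this detector."""
    return [name for name, pattern in signatures.items() if pattern in payload]


class AnomalyDetector:
    """Behavioral/anomaly-based: learn mean and spread from a baseline, then flag any
    observation further than k standard deviations from the mean."""

    def __init__(self, baseline, k=3.0):
        if len(baseline) < 2:
            raise ValueError("baseline needs at least two observations")
        self.mean = statistics.mean(baseline)
        self.stdev = statistics.pstdev(baseline)
        self.k = k

    def threshold(self):
        # A perfectly flat baseline would make every change anomalous; keep a floor of 1.
        return max(self.k * self.stdev, 1.0)

    def is_anomalous(self, count):
        return abs(count - self.mean) > self.threshold()


def evaluate(payload, count_per_minute, detector, signatures=SIGNATURES):
    """Run both detection modes over one observation and report what each one saw."""
    return {
        "signature": signature_matches(payload, signatures),
        "anomaly": detector.is_anomalous(count_per_minute),
    }


if __name__ == "__main__":
    detector = AnomalyDetector(BASELINE)
    known = "GET /process.php?input=change;cd ../../../etc;cat shadow"
    novel = "GET /process.php?input=$(id)"
    print("known pattern, normal volume:", evaluate(known, 14, detector))
    print("novel pattern, spike:", evaluate(novel, 90, detector))
```

The threshold floor handles the edge case of a baseline with no variation at all, where a strict k-sigma rule would flag every observation that differs from the mean by even one request.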

Modes of operation
There are different modes of operation for the sensors of the NIPS/NIDS:
Inline: The NIPS will be placed on or very near to the firewall as an additional layer of security; when the NIPS has been set up in inline mode, the flow of traffic goes through the NIPS. This is known as in-band.
Passive: The traffic does not go through the NIPS; this mode is normally used by the NIDS as it detects changes in traffic patterns in the local network. This is known as out-of-band.
When sensors are placed inside the network, they can only detect traffic once it is inside your network and has passed through your firewall. If you wish to detect attacks before they come into your network, the sensor must be placed on the network external to the firewall.

Enterprises may deploy mobile devices in a variety of models. In a strict corporate-owned model, devices are for business use only. Users mix personal and business use in a bring your own device (BYOD) or corporate owned, personally enabled (COPE) model.
Companies should use mobile device management (MDM) tools to enforce a variety of mobile security controls, including:
Restricting applications
Remote wiping of lost/stolen devices
Geolocation and geofencing services
Screen locking and password/PIN requirements
Full device encryption

Trivial File Transfer Protocol (TFTP): Similar to the File Transfer Protocol, but does not require user authentication.

Replace FTP with FTPS and replace HTTP with TFTP

Trivial File Transfer Protocol (TFTP) uses UDP port 69

NTP
The Network Time Protocol (NTP) is used to synchronize the clocks of PCs
on a network or the Internet. This is accomplished by configuring a server
to be the time server, which then is the server from which all other PCs on
the network synchronize their time.

BYOD The “bring your own device” model encourages users to
connect to the corporate network with their personal mobile devices
for work purposes. While the benefit is that the organization can
avoid the cost of purchasing the mobile devices, you will need to be
clear on the policy and if the organization will push settings down to
the devices. To learn more about the security concerns of BYOD,
check out the section titled “BYOD Security Concerns,” later in this
chapter.
COPE A “corporate-owned, personally enabled” (COPE) model can
work better from a security standpoint than a BYOD model because
it is hard for companies to control a device when they do not own the
device. With COPE, the company supplies the device to the user, so
it is managed by the IT department, but the company allows and
promotes personal usage of the device as well.
CYOD A “choose your own device” model involves the
organization providing users with a list of approved devices and
allowing each user to choose which device they would like to use.
Corporate-owned With a “corporate-owned device” model, the
company fully manages the devices and employees must follow
company policy when using the devices.
VDI Virtual desktop infrastructure is a model where the user uses a
thin client to connect to their desktop environment running in a data
center. With VDI you can introduce the mobile device as the thin
client so that the user can access their desktop environment from
anywhere. The benefit is that the resources are not on the mobile
device—it simply connects to a virtual desktop within the company.

Onboarding/offboarding Onboarding refers to the interview and orientation process new hires go through and includes all of the steps right from the candidate selection process for the job. Once an employee is hired, the onboarding process should continue with ensuring the employee has an account and has access to all resources needed for the job. The onboarding process should also include training for the specific job role so that the employee is geared for success within your organization from the start. Offboarding is the process that needs to be followed when an employee leaves the organization. This includes an exit interview, reminding them of the nondisclosure agreement (NDA) they signed when they were hired (if applicable), disabling their account, and collecting any assets of the organization they may have.

Systems Hardening to Reduce the “Attack Surface”
The “attack surface” is the combination of all the potential flaws and backdoors
in technology that can be exploited by hackers. These vulnerabilities can occur
in multiple ways, including:
•Default and hardcoded passwords
•Passwords and other credentials stored in plain text files
•Unpatched software and firmware vulnerabilities
•Poorly configured BIOS, firewalls, ports, servers, switches, routers, or
other parts of the infrastructure
•Unencrypted network traffic or data at rest
•Lack of privileged access

A non-credentialed scan is also passive but can only identify missing patches.

DNSSEC
Evaluates MX record lookup
Can perform authenticated requests for A and AAAA records
Uses RRSIG

Explanation:
DNS Security Extensions (DNSSEC) provides, among other things, cryptographic authenticity of responses using Resource Record Signatures (RRSIG) and authenticated denial of existence using Next-Secure (NSEC) and Hashed-NSEC records (NSEC3).

Systems hardening demands a methodical approach to audit, identify, close, and control potential security vulnerabilities throughout your organization. There are several types of system hardening activities, including:
•Application hardening
•Operating system hardening
•Server hardening
•Database hardening
•Network hardening

Part 3 Architecture and Design

Ensure that a memorandum of understanding (MOU), sometimes referred to as a memorandum of agreement (MOA), exists. An MOU/MOA is a document that establishes an agreement between the two parties and specifies their relationship to one another.

Also ensure that you are familiar with your Internet service agreement (ISA) and ensure that you are comfortable with any data limits and the guaranteed uptime of the Internet connection. This is critical if you are taking advantage of cloud services, as you need Internet connectivity to access any services or data in the cloud.

Non-Disclosure Agreement (NDA): legal agreement to not discuss company business
Service Level Agreement
A service level agreement (SLA) is a contract, or agreement, between your organization and anyone providing services to the organization. The SLA sets the maximum amount of downtime that is allowed for assets such as Internet service and e-mail service and is an important element of the security policy. It is important to ensure that you have an SLA in place with all providers.

Understanding HVAC
Heating, Ventilation, and Air Conditioning (HVAC) is a system to provide or reduce heat, humidity, and outdoor air. The goal of the HVAC system is to provide climate control to help maintain quality conditions in the workplace.

The HVAC controls the temperature and the humidity within the
building. This helps computer systems run optimally. The temperature in
the building should be around 70 to 74 degrees Fahrenheit. If the
temperature gets too warm, it could cause the systems to overheat and shut
down. The humidity levels should be between 40 and 60 percent.

If you have humidity levels less than 40 percent, then you could experience a lot of electrostatic discharge (ESD). ESD can destroy computer components and computer chips. Humidity levels above 60 percent can corrode computer components.
When working with environmental systems such as HVAC, some
common components include environment monitoring, hot and cold aisles,
and temperature and humidity controls. The following list describes each of
these components:

Environmental monitoring It is important to ensure that you have mechanisms in place to monitor environmental systems and that you include methods of detecting issues related to heat, humidity, and air quality. Monitoring temperature and humidity levels within the data center can allow you to detect failures in the HVAC system before your equipment starts overheating and failing.

Hot and cold aisles To keep the systems cool in a data center, the
racks are configured in a hot/cold aisles configuration. This
configuration involves breaking the racks into rows with the fronts of
the racks facing each other to create cold aisles, and the backs
creating the hot aisles (hot air goes out the back of the racks). The
HVAC airflow would be designed to take the warm air from the hot
aisle and exhaust it outside, away from the data center, while
bringing in new cool air in the cold aisle from the front of the racks.

Temperature and humidity controls The environmental systems should have controls in place to allow you to adjust the temperature and humidity levels.

Household items: These include microwave ovens, washing machines, dishwashers, refrigerators, baby monitors, printers, MP3 players, video game consoles and cameras, and audio/video surveillance to wireless devices that control lighting.

IT infrastructure: These include telephone switches at the network end to cell
phones at the consumer end; dedicated routers and network bridges to route
data; and HVAC systems that use networked thermostats to control temperature
and CCTV security systems

Smart devices/IoT: Smart devices, such as a smart TV, can connect to a home network and gain access to the internet. IoT comprises small devices, such as ATM cash machines, small robots, and wearable technologies, that can use an IP address and connect to internet-capable devices. We must ensure that we change the default usernames and passwords for these devices to prevent someone hacking them. From a security point of view, supporting IoT items is a nightmare because of the diversity of the devices:
Figure 3: IoT devices
Home automation: A home automation system will control lighting, climate,
entertainment systems, alarm systems, and appliances.
Wearable technology: The use of wearable technology has increased in recent
years from monitoring health and performance to sending texts and receiving
calls on your watch.
System On a Chip (SoC): An integrated circuit (https://en.wikipedia.org/
wiki/Integrated_circuit) that integrates all components of a computer or other
electronic systems. Wearable technology and most embedded systems may
include a SoC

Real Time Operating System (RTOS): Intended to serve real-time applications that process data as it comes in, typically without buffer delays. Processing time requirements are measured in tenths of seconds or shorter increments of time. If a task or process does not complete within a certain time, the process will fail.
This could be employed when robots are being used in production to ensure
that the processes are being completed in a timely fashion.
Multifunctional Devices (MFD): Consists of at least two of the following: printer, scanner, fax, or photocopier in an all-in-one device. The weakness of each of these is that they all have a network interface and could be attacked through that interface. Any default setting or passwords must be changed.
Camera systems: Camera systems now tend to be networked and used for home
automation or for security systems to protect premises. For example, the police
are dealing with a riot. As well as the police dressed in riot gear, there are vans
with camera systems installed that are being used to tape the event in real time.
The footage can be sent back to an incident control room where the police can
see whether any of the rioters are on their internal police systems. This footage
may be used in court.

System sprawl/undocumented assets System sprawl refers to
when an organization adds more and more servers or systems to the
network without properly documenting their maintenance
requirements, or perhaps even their existence. Eventually, systems
are forgotten about and as a result become vulnerable because they
are not maintained

Part 4 Identity and Access Management

How often, at a MINIMUM, should Sara, an administrator, review the access and rights of the users on her system?
→ Annually
Which of the following protocols uses TCP instead of UDP and is incompatible
with all previous versions?
TACACS+
Which of the following is best practice to put at the end of an ACL?
Implicit deny

Which of the following technologies employ the use of SAML? (Select two.)
A. Single sign-on
B. Federation

A system administrator wants to provide for and enforce wireless access accountability during events where external speakers are invited to make presentations to a mixed audience of employees and non-employees. Which of the following should the administrator implement?

Sponsored guest

Sponsor-approved guest access provides access to the guest user only if it is approved by the guest sponsor. The sponsor validates the guest user before giving the required access. This feature provides additional security by providing access only to valid guest users. The sponsor takes responsibility for the actions of the guest, which brings accountability for the network usage and enhances the security of the network.

Authentication Factors
Something you know: Password, PIN, birth date
Something you are: Iris, retina, fingerprint, palm, voice
Something you do: Swipe, gait, signature
Somewhere you are: Location, London, Poland
Single factor: All from the same group
Dual factor: From more than one group


New magnetic locks were ordered for an entire building. In accordance with
company policy, employee safety is the top priority.
In case of a fire where electricity is cut, which of the following should be taken
into consideration when installing the new locks?

Fail safe
Fail safe: The lock unlocks when power is removed.
Fail secure: The lock stays locked when power is removed and unlocks only while power is applied.

discretionary access control (DAC) Access control when the person who
created the file or folder is the owner and is responsible for securing those
files and folders.
mandatory access control (MAC) Access to resources is based on the
employee’s clearance level and the data classification label assigned to the
resource.
Role based access control
Rule-based access control

A wireless ad hoc network (WANET) or mobile ad hoc network (MANET) is a decentralized type of wireless network. The network is ad hoc because it does not rely on a pre-existing infrastructure, such as routers in wired networks or access points in managed (infrastructure) wireless networks. Instead, each node participates in routing by forwarding data for other nodes, so the determination of which nodes forward data is made dynamically on the basis of network connectivity and the routing algorithm in use.

Tethering is a technique that lets you share a mobile device's Internet connection with other devices such as laptops. You are effectively using your phone as a modem, and this has been natively possible since Android version 2.2.
Sideloading is a term used mostly on the Internet, similar to "upload" and "download", but in reference to the process of transferring files between two local devices, in particular between a computer and a mobile device such as a mobile phone, smartphone, PDA, tablet, portable media player or e-reader. Sideloading typically refers to media file transfer to a mobile device via USB, Bluetooth, WiFi or by writing to a memory card for insertion into the mobile device.

Jailbreak is for iOS: Removing software restrictions put into place by Apple on devices that run the iOS operating system.

Root is for Android: Removing software restrictions put into place by Google, and gaining the ability to replace the entire operating system.

Identification Identification is the process of presenting
identification information about yourself to the system. The
identification service typically requires the user to type a username,
but could require the user to insert a smartcard into a card reader, for
example.

Authentication The authentication service is responsible for validating the credentials presented by the user and typically involves having an authentication database of criteria. For example, when a user logs on with a username and password, that information is then verified against an account database.

Authorization Once the account information has been verified, the user is granted access to the network. The authorization component may need other criteria besides account information before granting access. For example, the authorization service may require that the authentication request come from a specific subnet.

Accounting The fourth service offered as an authentication service is accounting. Accounting deals with logging activity so that you can bill different departments for their usage of the different services.
It is important to note that the authentication services of authentication, authorization, and accounting are collectively known in the industry as AAA. Many AAA services have come out over the years, such as RADIUS, DIAMETER, and TACACS+. These services offer the benefit of a central authentication system that can offer authentication, authorization, and accounting for many types of environments, such as wireless, RAS, or VPNs.

Role-Based Access Control

Role-based access control (RBAC) takes a different approach than MAC to
controlling access to resources and privileges: the system grants special
privileges to different roles. A role is a container object that has predefined
privileges in the system. When you place users into the role, the user
receives the privileges or access control permissions assigned to the role.

Something you have includes smart card, USB token, hardware/software token,
and your phone that generates SMS codes or any other code.

Public Key Infrastructure (PKI) uses a combination of asymmetric and symmetric
processes. An initial “handshake” between communicating parties uses asymmetric
encryption to protect the secret key which is exchanged to enable symmetric
encryption.

Remember this
Enterprise mode requires an 802.1x server. EAP-FAST
supports certificates. PEAP and EAP-TTLS require a certificate on
the 802.1x server. EAP-TLS also uses TLS, but it requires
certificates on both the 802.1x server and each of the clients.

acceptable use policy (AUP)

Session Initiation Protocol (SIP) and Real-time Transport Protocol (RTP) are
protocols used by Voice over IP (VoIP).

Session Initiation Protocol (SIP): Allows people from all over the internet, and
those with VoIP, to communicate using their computers, tablets, and
smartphones. An example would be a secretary who could receive a Skype
call for the boss: SIP allows them to put the caller on hold, speak to their boss,
and, if need be, put the person through.

Real Time Protocol (RTP): Once SIP has established the session, RTP transfers
the videoconferencing traffic.

Secure Real Time Protocol (SRTP): Used to secure the videoconferencing
traffic—it normally uses TCP port 5061.

VLAN: Voice traffic being placed in a VLAN segments it from the rest of the
network.

Media gateway: Allows different methods of video and voice to communicate
with each other, for example, if you use an XMPP gateway, you can connect
Jabber clients to a Skype session.

Fail-safe for human health and safety; fail-secure for data protection.

Due care is the concept of doing the right thing. When it relates to
security, due care is about implementing the correct security controls to
ensure the protection of the organization’s assets. Examples include the
creation of the security policy, performing regular backups, and performing
regular virus scans. The key thing to note with due care is that you are
implementing an action.

Due diligence is about identifying your risk so that you know what
security controls to put in place (due care). Due diligence involves
performing regular assessments and analyzing the assessment results to
identify security issues in the environment.

Owner The data owner is typically the company owner, executive
team, or department head who decides which data is considered an
asset and how that data should be protected.

Steward/custodian The custodian (aka steward) is the person who
implements the security control based on the value of the asset
determined by the owner. The custodian is the IT administrator who
performs common tasks such as backups, configuring permissions,
configuring firewalls, and hardening systems. Remember that the
owner determines the controls needed, while the custodian actually
secures the asset by implementing those controls.

Privacy officer The privacy officer, also known as the chief privacy
officer (CPO), is responsible for developing policies that address
employee personal data and customer personal data. The privacy
policy should specify how personal data is to be handled and stored
within the organization.

A captive portal is a Web page that the user of a public-access network is obliged to
view and interact with before access is granted. Captive portals are typically used by
business centers, airports, hotel lobbies, coffee shops, and other venues that offer
free Wi-Fi hot spots for Internet users.

Part 5 Risk Management

Iris An iris scanner scans the colored part of your eye that surrounds
the pupil and compares it with the system-stored image.
>>> Physical scan
6 STEPS OF INCIDENT RESPONSE
Preparation
Detection & Identification
Containment
Remediation & Eradication
Recovery
Lessons Learned (Documentation)

1. Preparation: The preparation phase is where the different incident response
plans are written and kept up to date.
2. Identification: Once an incident has occurred, it is important that the
appropriate incident response plan is invoked and the necessary personnel are
notified.
3. Containment: When dealing with the incident, it is important that the volatile
evidence is secured and the incident is prevented from spreading any further.
4. Eradication: In the eradication phase, we want to destroy the source of the
incident. For example, if it is a virus, we want it totally removed.
5. Recovery: In the recovery phase, we are getting the company back to an
operational state, hopefully within the RPO. For example, imaging machines and
restoring data within one day.
6. Lessons learned: Lessons learned is a detective phase where we pull together all
of the facts and plan to prevent a re-occurrence in the future. Failure to carry this
out will lead to a re-occurrence. The incident response process is shown here:

Quantitative risk assessment uses the following formulas:

Single Loss Expectancy (SLE) = Asset Value (AV) × Exposure Factor (EF)
Annualized Loss Expectancy (ALE) = Annualized Rate of Occurrence (ARO) × SLE
Return on Investment (ROI)

A security analyst notices anomalous activity coming from several
workstations in the organizations. Upon identifying and containing the issue,
which of the following should the security analyst do NEXT?
A. Document and lock the workstations in a secure area to establish chain of
custody
B. Notify the IT department that the workstations are to be reimaged and the
data restored for reuse
C. Notify the IT department that the workstations may be reconnected to the
network for the users to continue working
D. Document findings and processes in the after-action and lessons learned
report

Recovery Point Objective (RPO): RPO is how much time a company can last
without its data before it affects operations. This is also known as acceptable
downtime; if a company agrees that it can be without data for three hours, then
the RPO is three hours. If the IT systems in a company suffer a loss of service
at 13:00 hours, then the RPO would be 16:00 hours. Any repair beyond that
time would have an adverse impact on the business.

Recovery Time Objective (RTO): RTO is the time that the company has been
returned to an operational state. In the RPO scenario, we would like the RTO to
be before 16:00 hours. If the RTO is beyond 16:00 hours, then once again it has
an adverse impact on the business.

Mean Time to Repair (MTTR): MTTR is the average amount of time it takes to
repair a system. If my car broke down at 14:00 hours and it was repaired at 16:00
hours the MTTR would be two hours.

Mean Time Between Failures (MTBF): MTBF shows the reliability of a system. If
I purchase a new car for $50,000 on January 1 then it breaks down on January
2, 4, 6, and 8, I would take it back to the garage as the MTBF would be pretty
high and for $50,000, I want a car that is more reliable.

Mean Time to Failure (MTTF): MTTF is the predicted lifespan of a system.
Normally, an IT system is expected to last about five years, therefore its MTTF
is five years. If I bought a car in 1960 and I had to scrap it in 1992, the MTTF
of the car would be 32 years.

RPO is the acceptable downtime, whereas RTO is the return to an
operational state.

For the Security+ exam, remember how to calculate single loss
expectancy: SLE = value of asset × exposure factor.
SLE = value ($) × EF (%)

Annual loss expectancy: ALE = SLE × ARO

For the certification exam, remember that annual loss
expectancy is calculated by the SLE × annual rate of occurrence.
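The SLE and ALE formulas above, carried through in Python together with the cost-benefit check a practitioner actually runs on a proposed control. This is an added example, not from the notes; the ROI definition (annual loss avoided minus the control's annual cost) and the sample figures are assumptions.

```python
"""Quantitative risk assessment: SLE, ALE and the return on a control.

Added example (not from the study notes). SLE = AV * EF and ALE = SLE * ARO
are the formulas from the notes; the ROI below (annual loss avoided minus
the control's annual cost) is the usual cost-benefit form and is an
assumption, as are the sample figures used in the test.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF is the fraction of the asset lost per incident (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO is incidents per year (0.1 = once every ten years)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass
class Control:
    """A candidate safeguard and the residual EF/ARO expected once it is in place."""
    name: str
    annual_cost: float
    new_exposure_factor: float   # EF after the control (constructed assumption)
    new_aro: float               # ARO after the control (constructed assumption)


def control_roi(asset_value: float, ef: float, aro: float, control: Control) -> dict:
    """ALE before and after the control; ROI = loss avoided - annual control cost.

    A negative ROI means the control costs more per year than the loss it avoids.
    """
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.new_exposure_factor),
        control.new_aro,
    )
    loss_avoided = ale_before - ale_after
    return {
        "control": control.name,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "loss_avoided": loss_avoided,
        "roi": loss_avoided - control.annual_cost,
        "worth_it": loss_avoided > control.annual_cost,
    }
```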

Standard operating procedures (SOP) give us step-by-step instructions about
how an activity is to be carried out.

Business Partnership Agreement (BPA): A BPA is used between two companies
who want to participate in a business venture to make a profit. It sets out how
much each partner should contribute, their rights and responsibilities, the rules
for the day-to-day running of the business, who makes the decisions, and how
the profits are agreed and shared. It also has rules for the partnership ending
either over time or if one of the partners dies.

Service-Level Agreement (SLA): An SLA is a contract between a service provider
and a company receiving the service that defines the level of service expected
from the service provider; it is based on metrics within a specific time frame. The
agreement can be either a fix or a response over a certain period of time.

Federation A term used to describe authenticating and authorizing
users across organizations and application boundaries.

SAML Security Assertion Markup Language is an XML standard
that is designed to allow systems to exchange authentication and
authorization information. This is often used with identity federation
and claims-based authentication.

Business Impact Analysis (BIA): A BIA looks at the monetary loss if a
company is not up and running, coupled with the purchase of new equipment
so that the business can continue to operate.

A business continuity plan (BCP) is an important element in the security of
your organization because it is a plan that helps ensure that business
operations can continue when disaster strikes by implementing failover not
only in your technology, but in your business operations.

Check to see if a blanket purchase agreement (BPA) is needed, which is used
to cover repetitive needs for a product or service.

Ensure that a memorandum of understanding (MOU), sometimes referred to as
memorandum of agreement (MOA), exists. An MOU/MOA is a document that
establishes an agreement between the two parties and specifies their
relationship to one another.

Also ensure that you are familiar with your Internet service agreement
(ISA) and ensure that you are comfortable with any data limits and
the guaranteed uptime of the Internet connection. This is critical if
you are taking advantage of cloud services, as you need Internet
connectivity to access any services or data in the cloud

Banner grabbing: Banner grabbing is a technique used to gain information
about a remote server and is often used as part of a fingerprinting attack. This
could be where you are looking for details on remote systems such as a web
server. If you are looking for the patch level of a web server, we would use
banner grabbing to collect this information.

Part 6 Cryptography and PKI

Which of the following symmetric key algorithms are examples of block
ciphers? (Select THREE)
3DES
AES
Blowfish

Which of the following encryption methods does PKI typically use to securely
protect keys?
Digital signatures

Which of the following cryptographic attacks would salting of passwords
render ineffective?
B. Dictionary
C. Rainbow tables
D. Birthday

Password attacks
Dictionary attack, Brute force attack

Cryptographic attacks
Birthday, digital signatures, rainbow tables, collision attack

Salting passwords: Salting password values is where a random set of characters
is inserted into a password hash. This prevents duplicate passwords being stored
and prevents rainbow tables and collision attacks. This also creates a longer
password, slowing down brute force attacks.

Key stretching: Key stretching is similar to salting a password by inserting
random strings to prevent rainbow table and collision attacks. Bcrypt and
PBKDF2 can be used for key stretching. For example, a company has a password
policy of not using complex passwords and has therefore suffered many
attacks. To prevent this in future, they use Bcrypt to key stretch weak
passwords, making them more difficult to crack. They should have introduced
both complex passwords and key stretching to make passwords more secure.
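To show concretely why salting and key stretching defeat the rainbow-table lookup discussed above, here is an added Python example that is not from the notes: a constructed table of precomputed unsalted SHA-1 digests stands in for a rainbow table, and PBKDF2 (one of the two key-stretching functions the notes name) is used with a per-user random salt. The stored record format, the iteration count and the weak-password list are assumptions.

```python
"""Salting and key stretching with PBKDF2 (added example, not from the notes).

A precomputed table of unsalted SHA-1 digests (the constructed rainbow-table
stand-in below) reverses an unsalted password hash instantly. A per-user
random salt plus a slow PBKDF2 derivation defeats that lookup and makes
every guess expensive. Passwords and table entries are constructed values.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000        # work factor (assumed); raise as hardware gets faster
SALT_BYTES = 16

# Constructed stand-in for a rainbow table: unsalted digest -> weak password.
WEAK_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
PRECOMPUTED = {hashlib.sha1(p.encode()).hexdigest(): p for p in WEAK_PASSWORDS}


def unsalted_sha1(password: str) -> str:
    """What a legacy system stores: the bare SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_unsalted(digest_hex: str) -> Optional[str]:
    """Rainbow-table style reverse lookup; None when the digest is not in the table."""
    return PRECOMPUTED.get(digest_hex)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Stored record (assumed format): pbkdf2_sha256$iterations$salt_hex$hash_hex.

    A fresh random salt per user means equal passwords give different records,
    so one precomputed table cannot cover the whole user database.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def stored_hash_hex(stored: str) -> str:
    """The hash field of a record, i.e. the value an attacker would look up."""
    return stored.split("$")[3]


def same_password_two_users(password: str) -> bool:
    """Two users with the same password get different records thanks to the salt."""
    return hash_password(password) != hash_password(password)
```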

Confusion is the principle of ensuring that the relationship between the
encryption key and the data after it is encrypted is as complex as possible so
it is difficult to figure out. Substitution is an example of a cryptography
feature that implements confusion.

Diffusion is ensuring that the repeating of characters in the plain text will
not help someone decipher the cipher text (data after it is encrypted).
Transposition is a feature that provides diffusion.

Obfuscation is the concept of making something complicated on purpose
to make it difficult to understand. For example, in order to hide the details
of the cryptographic implementation of a product, you could make sure that
the documentation for that product is hard to understand.

Non-repudiation means that I cannot deny that it was me who
signed the document.

A security analyst is hardening a web server, which should allow a secure
certificate-based session using the organization’s PKI infrastructure. The web server
should also utilize the latest security techniques and standards. Given this set of
requirements, which of the following techniques should the analyst implement to
BEST meet these requirements?

A. Install an X.509-compliant certificate.
C. Enable and configure TLS on the server.

For the exam, be sure to know the hashing algorithms listed
here. Also remember that MD5 creates a 128-bit hash value, while
SHA-1 creates a 160-bit hash value.

IPSec modes:
b. Tunnel mode
d. Transport mode

Internet Key Exchange uses UDP 500, SSL uses 443, SSH uses 22; 8080 is used for a
proxy server or other device.

Which of the following should be configured on the VPN concentrator during
the IKE phase?
Diffie-Hellman

Key escrow: The key escrow holds the private keys for third parties and stores
them in a Hardware Security Module (HSM).

Hardware Security Module (HSM): The HSM can be a piece of hardware
attached to the server or a portable device that is attached to store the keys. See
the preceding diagram for more on this.

Data Recovery Agent (DRA): If a user cannot access their data because their
private key is corrupted, the DRA will recover the data. The DRA needs to get
the private key from the key escrow.

Most volatile data first:
CPU, cache, and register contents (collect first)
Routing tables, ARP cache, process tables, kernel statistics
Live network connections and data flows
Memory (RAM)
Temporary file system/swap space
Data on hard disk
Remotely logged data
Data stored on archival media/backups (collect last)

The Security+ exam is sure to test your knowledge of the CRL.
Know that the CRL is published by the CA on a regular basis, and
that applications will check the CRL to verify that a certificate being
used has not been revoked.

Another method that systems and applications can use to verify whether
a certificate has been revoked relies on the Online Certificate Status
Protocol (OCSP). OCSP is an Internet protocol that uses HTTP to
communicate with the CA and check the status of a certificate. OCSP is
designed as an alternative to the CRL.

For the Security+ exam, know that M of N control is ensuring
that a minimum number of persons are required in order to
recover a key. For example, you may require two out of three
authorized persons to perform key recovery.

Trust Models, Trust Paths, and Certificate Chaining

When you create a PKI, you control access to information based on the key
pairs that are generated. But what if you want to share information with
another business? If you are going to share the information with another
business, it will need to have keys within the PKI. However, realistically,
your CA should not be burdened with creating certificates for another
company.

Within PKI, you can create a trust between two different CAs so that
each CA trusts the certificates that have been generated by the other CA.
Key Escrow
Key escrow is the process of handing cryptography keys over to a third
party who can use the cryptography keys to decrypt information within your
organization at any point in time. For example, you may be required to give
cryptography keys to a government agency or to law enforcement for an
investigation.
The concept of key escrow is a controversial topic due to the obvious
security risks of having keys that can decrypt information within your
organization located outside the organization.

IPSEC TUNNEL MODE site-to-site VPN tunnel

IPSec tunnel mode is the default mode. With tunnel mode, the entire original
IP packet is protected by IPSec. This means IPSec wraps the original packet,
encrypts it, adds a new IP header and sends it to the other side of the VPN
tunnel (IPSec peer).

Tunnel mode is most commonly used between gateways (Cisco routers or ASA
firewalls), or at an end-station to a gateway, the gateway acting as a proxy for
the hosts behind it.

IPSEC TRANSPORT MODE

IPSec Transport mode is used for end-to-end communications, for example, for
communication between a client and a server or between a workstation and a
gateway (if the gateway is being treated as a host).  A good example would be
an encrypted Telnet or Remote Desktop session from a workstation to a server.

Peer review is the evaluation of work by one or more people with similar
competencies as the producers of the work

HMAC authentication: In cryptography, an HMAC (sometimes known as either
keyed-hash message authentication code or hash-based message authentication
code) is a specific type of Message Authentication Code (MAC) involving a
cryptographic hash function and a secret cryptographic key. We can have
HMAC-MD5 or HMAC-SHA1; the exam looks at both data integrity and data
authentication.

Modes of Operation
Block ciphers are offered in different modes, such as Electronic Code Book
(ECB), Cipher Block Chaining (CBC), and Output FeedBack (OFB). Table
12-1 lists some of the block cipher modes currently available.
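To make the difference between ECB and CBC concrete (and to illustrate the block-cipher notes further down the page), here is an added Python example that is not from the notes. AES is not in the Python standard library, so a small HMAC-based Feistel network stands in for the block cipher; that stand-in is an assumption and a teaching toy, and the key, IV and plaintext are constructed values.

```python
"""ECB versus CBC block cipher modes (added example, not from the notes).

A keyed Feistel network built on HMAC-SHA256 stands in for AES (assumption;
a toy, not a cipher to deploy). The point is the mode: under ECB identical
plaintext blocks give identical ciphertext blocks, under CBC they do not,
and both modes decrypt correctly. Key, IV and plaintext are constructed.
"""
import hashlib
import hmac
import os

BLOCK = 16          # bytes per block, as with AES
HALF = BLOCK // 2
ROUNDS = 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function: HMAC of (round number || half), truncated to half a block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Feistel network: (L, R) -> (R, L xor F(R)) for each round."""
    left, right = block[:HALF], block[HALF:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block: the rounds are undone in reverse order."""
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right

def pad(data: bytes) -> bytes:
    """PKCS#7 padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently, so plaintext patterns survive."""
    return b"".join(encrypt_block(key, b) for b in blocks(pad(plaintext)))

def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(key, b) for b in blocks(ciphertext)))

def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block (the IV first)."""
    out, prev = [], iv
    for b in blocks(pad(plaintext)):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, ciphertext: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(ciphertext):
        out.append(_xor(decrypt_block(key, b), prev))
        prev = b
    return unpad(b"".join(out))

def repeated_blocks(ciphertext: bytes) -> int:
    """How many ciphertext blocks occur more than once (the ECB leak)."""
    cs = blocks(ciphertext)
    return sum(1 for b in cs if cs.count(b) > 1)

def demo() -> dict:
    key = b"constructed demo key"            # constructed; HMAC accepts any length
    iv = os.urandom(BLOCK)                   # fresh random IV for each CBC message
    plaintext = b"SAME 16 BYTE BLK" * 4      # four identical plaintext blocks
    ecb, cbc = ecb_encrypt(key, plaintext), cbc_encrypt(key, plaintext, iv)
    return {"ecb_repeats": repeated_blocks(ecb), "cbc_repeats": repeated_blocks(cbc),
            "ecb_roundtrip": ecb_decrypt(key, ecb) == plaintext,
            "cbc_roundtrip": cbc_decrypt(key, cbc, iv) == plaintext}
```

Neither mode authenticates the ciphertext; that is what the GCM option in the later exam question adds.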

For the Security+ exam, be familiar with the terms work factor,
one-time pad (OTP), and exclusive OR (XOR).


DH creates the keys used in the Internet Key Exchange (IKE); it uses UDP port
500 to set up the secure session for the L2TP/IPSec VPN. Once the secure
tunnel has been created, then the symmetric encrypted data flows down the
tunnel.

Rivest, Shamir, and Adelman (RSA): RSA is named after the three people who
invented the algorithm. The keys were the first private and public key pairs, and
they start at 1,024, 2046, 3,072 and 4,096 bits. They are used for encryption and
digital signatures.

Digital Signature Algorithm (DSA): DSA keys are used for digital signatures;
they start at 512 bits, but their 1,024-bit and 2046-bit keys are faster than RSA for
digital signatures.

Elliptic Curve Cryptography (ECC): ECC is a small, fast key that is used for
encryption in small mobile devices; however, AES-256 is used in military mobile
telephones.

Ephemeral keys: Ephemeral keys are short-lived keys; they are used for a single
session, and there are two of them:
- Diffie Hellman Ephemeral (DHE)
- Elliptic Curve Diffie Hellman Ephemeral (ECDHE)

Pretty Good Privacy (PGP): PGP is used between two users to set up an
asymmetric encryption and digital signatures. For PGP to operate, you need a
private and public key pair. The first stage in using PGP is to exchange the keys.
It uses RSA keys.

GnuPG: GnuPG is a free version of the OpenPGP; it is also known as PGP. It
uses RSA keys.

Hardware root of trust: When we use certificates for FDE, they use a hardware
root of trust that verifies that the keys match before the secure boot process takes
place.

For the Security+ exam, remember that a PKI is made up of a
hierarchy of CAs. The root CA has a self-signed certificate. Also
note that all objects in a PKI use object identifiers, or OIDs. An
OID is a globally unique name assigned to each object.

Depending on the size of the organization, you can create one or more
subordinate CAs, also known as intermediate CAs. These CAs have their
own certificate—issued and digitally signed by the root CA—that they will
use to digitally sign any certificates that they create. You might use
subordinate CAs so that each office location has its own CA to issue
certificates for that location, for example.

Registration Authority
The registration authority (RA) is an important part of a PKI, as it is
responsible for accepting certificate requests from clients and then
validating the entity requesting the certificate. The RA will follow the
process determined by the security policy to validate any employee or
device requesting a certificate. This typically involves the employee filling
out an application for a certificate and then presenting identification and a
reason for the request. Once the RA validates the request, it is passed to the
CA to create the certificate.

A small company may combine the roles of the RA and the CA,
but would still ensure that the request is validated before creating
the certificate.
Repository
The repository is the database that stores the certificates and public keys.
The repository should be available to all participants in the PKI structure so
that they can obtain the public keys when needed.
The repository is usually an LDAP-compliant directory, which allows
you to query the directory through LDAP. The database should be backed
up on a regular basis.

Hashing algorithms
A hashing algorithm takes the data from a document and generates a
hexadecimal value from that input. If you take the same data and hash it with
the same algorithm, it will generate the same hash. In the Security+ exam, the
hashing algorithms are SHA-1, which is 160 bits, and MD5, which is 128 bits.
Hashing is a one-way function to ensure that the integrity of the data is intact.
MD5 fails the collision test too often, where two files will produce the same
hash. If you are going to rely on it to find and delete duplicate files, that's
an unacceptable level of risk that you'll delete a file that actually contains
unique data.

MD5 is slower than SHA.
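Plain hashing versus HMAC, covering both the HMAC paragraph earlier on the page and the hashing notes above: an added Python example, not from the notes, that checks the 128-bit MD5 and 160-bit SHA-1 digest sizes and shows why a tampered message still passes an unkeyed hash check (integrity only) but fails the HMAC check (integrity and authentication). The message, shared key and tampered copy are constructed.

```python
"""Hashing versus HMAC (added example, not from the notes).

A plain digest gives integrity only: whoever alters the message can also
recompute MD5/SHA-1 so that the digest still matches. An HMAC mixes in a
secret key, so a valid tag also authenticates the sender. The message, the
shared key and the tampered copy below are constructed values.
"""
import hashlib
import hmac


def digest_bits(algorithm: str) -> int:
    """Output size of a hash algorithm in bits (md5 -> 128, sha1 -> 160)."""
    return hashlib.new(algorithm).digest_size * 8


def plain_hash_check(message: bytes, expected_hex: str, algorithm: str = "sha1") -> bool:
    """Integrity only: passes for any message whose digest the modifier recomputed."""
    return hashlib.new(algorithm, message).hexdigest() == expected_hex


def hmac_tag(key: bytes, message: bytes, algorithm: str = "sha1") -> str:
    """Keyed tag: HMAC-SHA1 by default, HMAC-MD5 when algorithm='md5'."""
    return hmac.new(key, message, algorithm).hexdigest()


def hmac_verify(key: bytes, message: bytes, tag_hex: str, algorithm: str = "sha1") -> bool:
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(hmac_tag(key, message, algorithm), tag_hex)


def tampering_outcome(original: bytes, tampered: bytes) -> tuple:
    """Returns (plain_hash_accepted, hmac_accepted) for a modified message.

    The modifier can recompute the unkeyed hash but does not hold the HMAC key,
    so the plain check passes while the HMAC check fails.
    """
    key = b"constructed-shared-secret"          # known to sender and receiver only
    tag = hmac_tag(key, original)                # tag computed over the original
    forged_digest = hashlib.sha1(tampered).hexdigest()   # modifier recomputes this
    return plain_hash_check(tampered, forged_digest), hmac_verify(key, tampered, tag)
```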

Concept: Traffic between network devices uses a simple network management
protocol (SNMP); the secure version is SNMPv3.
Wrong answers:
B. SNMP is not secure.
C. SCP copies files securely.
D. SFTP secures downloaded traffic from FTP sites.

Digital signature A digital signature is created on a message in
order to prove the integrity of the sender of the message. Because the
signature is created using a person’s private key and only that person
has access to their private key, it proves the sender is who they say
they are. You will learn more about digital signatures and
cryptography in Chapter 13.

Digital certificate A digital certificate is an electronic file used to
transport keys used to encrypt or digitally sign messages. You will
learn more about certificates and cryptography in Chapter 13.

Nonrepudiation Nonrepudiation is the concept of ensuring that
someone cannot dispute that they sent a message or made a change,
which adds to the integrity of the system. You can use digital
signatures or auditing as a method to implement nonrepudiation.

For the Security+ exam, remember that nonrepudiation is the
term for ensuring that senders cannot say they did not send a
message. Digitally signing a message with the sender’s private key
is a method to ensure nonrepudiation.

A systems administrator is reviewing the following information from a
compromised server:

Given the above information, which of the following processes was MOST likely
exploited via a remote buffer overflow attack?

• A. Apache
• B. LSASS
• C. MySQL
• D. TFTP

Data Execution Prevention can prevent buffer overflow attacks, so that rules out B
and D. C only has a connection with the loopback address (127.0.0.1), so that only
leaves answer A.

Certificate pinning: Certificate pinning prevents the compromise of the CA and
the issuing of fraudulent X509 certificates.

Online Certificate Status Protocol (OCSP): Only when the CRL is going slow
will the OCSP come into play; it is much faster than the CRL and can take a load from
the CRL in a very busy environment.

OCSP stapling/certificate stapling: Certificate stapling, also known as OCSP
stapling, is used when a web server bypasses the CRL to use the OCSP for a
faster confirmation when its certificate is valid.

The validation of a certificate is done by the CRL unless it is going
slow—then it will be the OCSP doing this.

Certificate architect: The certificate architect builds the CA, and if it is already
present, he will build the intermediary authority.
Certificate chaining: Certificates in computer security are digital certificates that are
verified using a chain of trust where the trust anchor for the digital certificate is the root
CA. This chain of trust is used to verify the validity of a certificate as it includes details
of the CRL.

A public salt does two things: makes it more time-consuming to crack a large list of
passwords, and makes it infeasible to use a rainbow table.

Kerberos
Only Kerberos can do mutual authentication and delegation.

LDAPS

A. Generate an X.509-compliant certificate that is signed by a trusted CA.
D. Ensure port 636 is open between the clients and the servers using the
communication.

1. Create the request. The first step is to create the certificate
request, also known as the certificate signing request (CSR). You
typically navigate to the web site of the CA to fill out a web form
to create the request or create the request from the actual
application. For example, Microsoft’s IIS and Exchange Server
have wizards to create the certificate request. Once the request is
made, it is stored in a text file. You can also create a certificate
request from the Certificates snap-in within MMC.

2. Submit the request. Once you have the request stored in a text
file, you are then ready to submit the request (contents of the text
file) to the CA. Again, you do this by navigating to the CA’s web
site.

3. Download the certificate. After submitting the request through
the web site, you need to download the resulting certificate to your
computer. You typically are provided a link at the end of the
“submit the request” phase to download the certificate.

4. Install the certificate. Once the certificate has been downloaded,
you can install it in your application.

Common hashing algorithms include SHA, HMAC, and
RIPEMD. The MD5 hashing algorithm is still widely used
but has significant security vulnerabilities.

Which of the following AES modes of operation would meet this integrity-only
requirement?
A. HMAC
B. PCBC
C. CBC
D. GCM
E. CFB

Certificate stapling
OCSP is an Internet protocol for checking the validity of a digital TLS certificate
in real time with the authority that issued the certificate.
OCSP is an Internet protocol that uses HTTP to
communicate with the CA and check the status of a certificate. OCSP is
designed as an alternative to the CRL. It should be noted that when using
OCSP, the revocation status can be communicated to clients using a feature
called stapling.

Certificate pinning is a control that provides the client browser with
instructions about the certificate(s) that it may accept from a specific web server.
Certificates not matching the pinned certificate are rejected.

Symmetric algorithm – modes of operation
Symmetric encryption involves a stream cipher that encrypts data one bit at a time;
this is easy to crack and is much slower than a block cipher. Block cipher mode takes
blocks of data depending on the key and encrypts that data in blocks—this makes the
encryption of a large amount of data much faster
