SSCP Study Guide: Access Control and Security Models

SSCP Study Guide

Created By: Kathleen Gillette and Makeia Jackson, Teaching Assistants
Domain 1: Access Control

Lesson 1.1: Access Control Concepts (SC)
Skills Learned from This Lesson: Access control fundamental concepts, Different Types of
Access Control.
● Access Control Fundamental Concepts

○ Object: A passive entity that contains information.
■ Such as Applications, Data, Systems and Networks
○ Subject: An active entity that requests access to an object or data within an
object.
■ Authorized and Unauthorized users, Applications, Systems and Networks
■ The Applications and Networks are considered to be both objects and
subjects dependent on what they are doing.
○ How they interact: The subject is the entity doing the accessing and the Object
is that entity that is being accessed or pulled.
● Different Types of Access Control
○ Discretionary Access Control: A means of assigning access rights based on
rules specified by users.
■ The owner sets the permissions
○ Rule Set-Based Access Control: An Access control framework which give data
owners that discretion to determine the rules necessary to facilitate access.
■ The subject enters the enforcement area and request access to an object.
The enforcement area checks the rules that have been written or
constructed by the data owner to determine whether the subject should
be granted access. The rules come back with a yes or no and then the
enforcement area, will returns with a yes or no to the subject. if it’s a yes,
the access is granted to the object. If it’s a no the subject access is not
granted to the object.
○ Non-Discretionary Access Control: Controls that can’t be changed by users,
but they must be changed by the administrator.

Brought to you by: Develop your team with the fastest growing catalog in the
cybersecurity industry. Enterprise-grade workforce development
management, advanced training features and detailed skill gap and

competency analytics.
1

○ Role Based Access Control: Access Decisions are based on the roles that
individual users have as part of an organization.
■ People in certain departments can only access information that pertains
to that department.
● Content-Dependent Access Control: Works by permitting or denying the subjects to
access objects based on the content within the object.
● Only concerns itself of what’s (the information) inside the object
● Context-Based Access Control: Concerns only with the context or sequence of events
surrounding the access attempts.
● Time-Based Access Control: Applies a time limitation to when a given role can be
activated for a given access control subject.
○ Only allow users to access information between 9AM – 5pm
● Mandatory Access Control: Subjects are given clearance labels and objects are given
sensitivity labels. Access rights are given based on the comparison of clearance and
sensitivity labels.
○ Implements the concept of “Need to Know”
■ Clearance Labels: Confidential, Secret and Top secret.
Objects: Have sensitivity labels and access rights are given depending
on the comparison.
IMPORTANT: It is a common mistake to get these confused so know the difference.
● Attribute-Based Access Control: An access control method where the subject

requests to perform operations on objects are granted or denied based on assigned
attributes of the subject, assigned attributes of the object, environment conditions, and a
set of policies that are specified in terms of those attributes and conditions.
○ The user comes in and looks at the characteristics or the description a if there
are the correct environment conditions if they are allowed to access it and the
policy say they are allowed to access it then they will be allowed to access these
objects.


2

Lesson 1.2: Security Models (SC)

onfidentiality
Skills Learned from This Lesson: C
● Bell-LaPadula model: Is used mostly in government or military institutions.

○ With (2) properties
○ Simple security property otherwise known as No Read Up
○ And the Star property known as No Write Down
○ There are (4) different security level clearances, that the military uses
■ Unclassified, Confidential, Secret and Top-Secret.
One example: John from the FBI has “Secret” clearance
● File A is labeled “Top-Secret”. John cannot read File A because its (No read up) John
can’t read anything above the secret clearance level.
● File B is labeled “Confidential”. John can read File B, but can’t write to it (No write
down)
● File C is labeled “Secret”. John can read File C, but cannot write to it (No write down)
Lesson 1.3: Authentication Mechanisms (SC)

Skills Learned from This Lesson: I dentification, Authentication, Authorization
● Identification: (Who is the subject?) Assets a unique user or process identity and
provides for accountability.
○ A person claims they are somebody and they need access to a certain system.
■ Most common types of identification are: UserID, PIN#, Account#
● Authentication: (Proof of Identity) The process of verification that the identity presented
to the access control system belongs to the party that has presented it. Is the action, a
person proving who they say they are.
● The (3) main kinds of identification:
● Knowledge based authentication
● something you know – Passwords, Pins etc.
WARNING: Knowledge based authentication is insecure and difficult to keep safe.


3

● A physical device (smart cards and tokens) which the user has in their possession
○ Something you have
● Types of tokens:
■ Static passwords token: The device contains a password that is
physically hidden (not visible to the possessor) but that is transmitted for
each authentication.
■ There is a password hidden inside the token and when a person wants to
be authenticated, they take that token and that token sends the password
from the token to the server. The person can’t see the password on the
server can
■ Synchronous Password Token: A timer use of a clock is used to rotate
through various combinations produced by cryptographic algorithms. The
token and the authentication server must have synchronized clocks.
■ A clock time is combined with the password token through a
cryptographic algorithm to create a different password every single
time. The only way this will work, both the token and the server
have the same time. When the token is ready to be authenticated,
the server sends the clock time to the token. The token then takes
the password inside and combines it with the clock time, then
sends that result to the server for authentication.
■ Asynchronous Password Token: A one-time password is generated
without the use of a clock, from either a one-time pad or a cryptographic
algorithm.
■ Step1: The challenge value displayed on the computer
Step2: User enters the challenge value and enter it into the token device
Step3: The token device combines it with the password gives is back to the
person.
Step4: The person then takes that value and puts into the computer
Step5: Which sends it to the server for authentication if all is correct
authentication happens.


4

■ Challenge Response Token: The authentication server encrypts a

challenge with a public key; the device proves it possesses a copy of the
matching private key by providing the decrypted challenge.
■ The server sends an encrypted key to the token, then the token decrypts
the key and sends the key back to the server. The server then looks at it
and if it’s the original key before encryption that the server sent then
authentication is granted.
Remember: The server sends an encrypted key to the token, the token decrypts it and sends it
back to the server.
● Types of smart cards are:

○ Contact Cards: Need to be inserted into a smart card reader with a direct
connection. (Examples: Credit card with chip reader).
○ Contactless Cards: Requires proximity to a reader. Both have antennae and
used radio frequency. (Examples: Apple pay, Tap to pay).
● Something you are.
○ Biometrics: Technologies that measure and analyze human body
characteristics, such as DNA, Fingerprints, voice patterns, facial patterns, and
hand measurements, for authentication purposes.
● Two main kinds of biometrics:
● Behavioral Biometrics: Are things that you have learned or acquired as you have
developed since you were born.
● Signature analysis (the way your write your signature).
● Pressure and form
● The series of movements: acceleration, rhythm, and flow
WARNING: Your signature can change depending on circumstances and time, so this is not
always the most accurate of biometric readers.


5

● Voice pattern recognition (the way you speak): Works by creating a collection of
unique characters of the subject’s voice. The subject then speaks, and the voices are
compared.
WARNING: Your voice can change with circumstances and time, so this is not the most
accurate form of authentication. There is a high probability of error.
● Keyboard dynamic (the way you type on a keyboard). Measures the keystrokes of the
subject as they type in their username and password.
○ The length of time each key is held down
○ The length of time between keystrokes
○ The typing speeds
○ The tendencies to switch between a numeric keypad and keyboard numbers
○ The keystroke tendencies involved in capitalization
● Physiological Biometrics: Things you are born with
○ Consist of the following recognition technologies
● Fingerprints: Creates a geometric relationship of 30-40 points on the finger.
● Hand: Based on the location of several key points on the hand and fingers.
○ Length of fingers, position of knuckles, dimensions of hands and fingers. To
determine who you are.
● Vascular: The ultimate palm reader; best described as an image of the veins in the
subject’s hand
○ Unique to the individual and does not change
● Eye: One of the oldest and most accurate biometric authentication mechanisms.
○ Only (2) kinds of Eye scans:
■ Retina scan
■ Iris scan
● Facial Recognition: Uses a geometric model od 14-22 characteristics to perform
recognition
○ Different point represents, different features on the grid of your face. Once that is
transferred to the computer system, it looks through its database of facial
comparison to find one that best matches.


6

● Biometric Implementation Issues:

● Type I Error (False Rejection Rate): When a biometric system rejects an authorized
individual (FRR)
● Type II Error (False Acceptance Rate): When the system accepts imposters, who
should be rejected. (FAR) more dangerous)
WARNING: TYPE II ERRORS IS MORE DANGEROUS THAN TYPE I
Remember: Authentication consists of three categories
● Something you know

● Something you have
● Something you are
Multi Factor Authentication: Any two or three of the categories

● Something you have
Or

● Something you are
Multi Factor Authentication: Using a password and a smartcard
● Using a password is something you know

● Using a smartcard something you have
NOT Multifactor Authentication: Using a retina scan and voice recognition
● These are both something you are.
Dual Control: Also known as “Split-knowledge”. Requiring two people to perform an action
Single sign-on: An authentication mechanism that allows a single identity to be shared across
multiple applications. It allows a user to authenticate once and gain access to multiple resources


7

● Example: Google
Authentication with Kerberos is designed to provide strong authentication using secret-key

cryptography.
● Provides support for Authentication, Authorization, Confidentiality, Integrity and

Nonrepudiation.
● Kerberos uses ports 53 and 88 for TCP and UDP
● The way Kerberos works: the client sends a request for a ticket from the Authentication
service. Then the Authentication service sends a ticket and a session key back to the
client. The client requests access to the server, by going to the ticket granting service
with a key. If the granting service accepts the ticket, it will send the encrypted session
key and the ticket back to the client. The client then sends the ticket and the session key
to the server and the server responds by sending the encrypted time stamp for client
validation.
Authorization: What a user can do once they have been authenticated
● Dictates what a person can or cannot do, once they have been authenticated. Which is
decided by the authorization table.
Lesson 1.4: Trust Architectures (SC)

Skills Learned from This Lesson: Identity Management Life Cycle, Trust Architectures, Trust
Direction
● Trust Architecture
● Intranet: is a localized network that belonging to an organization
● Extranet: is a computer network that allows controlled computer access from the outside
for specific business for educational purposes.
● DMZ: This architecture sits between the internet and extranet. It prevents outside users
from getting direct access to a server that has company data.
● Internet: Is a global system of interconnected computer networks that use the TCP/IP
suite to link the voice all around the world.
● Trust: The belief in the security of a connection between domains


8

● Trusted Path: A series of trust relationships that authentication requests must follow
between domains. (A software channel that is used for communication between two
processes that cannot be circumvented)
● There (3) Kinds of trust:
○ One-Way trust – (Trust is on in one direction) Domain A has access to D omain
B
○ Two-Way trust (Trust can go in any direction) – Domain A has access to
Domain B and D omain B has access to Domain A
○ Trust Transitivity – (Determines whether a trust can be extended outside the two
domains between which the trust was for. – (Domain A has access to Domain
B and Domain B has access to Domain C therefore Domain A has access to
Domain C for Domain B without the access being direct.
● Identify Management Life Cycle: there are five areas that make up this life cycle.
Which manage users and people who are a part of an organization.
● Authorization: Determines whether user is permitted to access a resource.
● Proofing: Verifies people’s identities before they are issued accounts and credentials.
● Provisioning: Automation of all procedures and tools.
● Maintenance: Comprised of user management, password management, and role/group
management.
● Entitlement: A set of rules for managing access to a resource and for what purpose.
Domain 2: Security Operations


9

Lesson 2.1: Code of Ethics (SC)

Skills Learned from This Lesson: ISC2 Code of Ethics, CIA Triad, Non-Repudiation & Privacy,
Security Best Practices
● Code of Ethics: Is the absolute standard of professionalism, and the necessary

qualifications for being an SSCP (It separates us from the bad guys).
● The four tenets as a Practitioner, the minimum requirements are:
● Protect Society, the commonwealth, and the infrastructure.
● Act honorably, honestly, justly, responsibly, and legally.
● Provide diligent and competent service to principals.
● Advance and protect the profession.
● The Ethics canons:
● Tell the truth
● Be confident
● Be respectful
● Honor and trust the privilege given to you.
● Both the Code of Ethics and Ethics Canons MUST be followed:
There are serious consequences of any violations of conduct or subject to disciplinary actions
by the ISC2 Ethics committee. Your SSCP could be revoked!
● CIA Triad and Beyond: Is the main principle of cybersecurity, it’s the fundamental thing
in cyber security everything can come back to CIA Triad.
● Three major components of CIA Triad:
○ Confidentiality: Information is made available on a need to know basis. This is
dictated by the organizations conduct and principles.
● If Confidentiality is breached then you will find, legal trouble and loss of confidence.
● Confidentiality supports the principles of Least Privilege to do your job.
● Information is kept confidential using Access Control Systems and security models.
(Review Domain 1)
○ The most important aspect of information Security
● Integrity: The way that information is recorded, used and maintained. Keep the data
pure and not allowing it to get tarnished, is the main job of Integrity.



10

● The key to ensuring integrity, is always to have knowledge of the state of the information.
(Create a baseline of what the data should look like on a normal basis. Once you have
this baseline then you check the data against the baseline at any given time. If the
conditions of the data are the same in both the baseline and the current state, then
integrity is maintained. If they are different then integrity is not being maintained.
● It’s impossible to talk about Integrity without reflecting on Sarbanes-Oxley Act
This act mandates controls over financial reporting. Integrity is dictated by Laws
and regulations.
● Consequences of integrity is not enforced. Which includes calculation errors and

inaccurate reporting, that leads to uninformed business decisions and inadmissible
evidence in court.
● Availability: Being able to access information when you need it.
Availability is defined in the form of
● SLAs: Service level agreements, which is the amount of uptime that a system is
guaranteed.
● RTOs: Recovery Time Objective, which focus on once the system or data is unavailable
what is the maximum period to resume and be available again.
● RAID: Redundant Array of Independent Disc, which is a backup in case data gets
destroyed or becomes unusable, the backup data can be inserted in place and take the
place of the data that was destroyed or is no longer usable.
● Consequences: includes service interruption, and loss of revenue.
(BEYOND)
● Non- Repudiation: A service that cannot deny a message was sent and the integrity of
the message is intact.
■ This is accomplished through digital signatures and public key
infrastructure.


11

■ Overview of Public key Infrastructure: Think of two keys, Key A

and Key B if something is encrypted with Key A it can only be
decrypted with Key B and vice versa, the keys only work with
each other.
■ So, when a person signs a document the signature is encrypted
with one of the keys so then when the message is sent to the
other person, they can decrypt it with the other key. The two keys
can only encrypt and decrypt each other that ensures that the
sender cannot deny that the message was sent. Because it was
encrypted with their key.
○ Privacy: The rights and obligations of the individuals and organizations with
respect to the collection, use, retention, and disclosure of personal information.
○ Privacy is a high-level concept about any information about or on an individual.
● The “How-To” guide for personal data
● GDPR
● Best Practices: Is a defined method that has been tested and proven to consistently
lead to a desired result.
● There is a “best practices” for every aspect of cybersecurity.
○ Email security
○ Web security etc.
● Best Practices are flexible enough to be modeled for your organization.
● Most important is to address the needs of your organization first.
Lesson 2.2: Security Architecture (SC)

ecurity Architectures, Controls, System Security Plan
Skills Learned from This Lesson: S
● Security Architecture: The practice of designing a framework for the structure and
function of all information security systems and practices in the organization.
● Components of a Security Architecture are:



12

● Defense-In-Depth: Implementation of multiple controls so that successful penetration

and compromise is more difficult to attain.
○ It’s important to add layers to make up for the imperfections in security defenses.
● Overlaps defenses are effective because it minimizes the different ways an attack can
occur.
○ When there is an email security for email attack factors or Web security for
browser attack factors.
● Defense-In-Depth avoids single points of failure.
○ This also applies to outside attacks and inside out attack; Defense-In-Depth
prevents attacks from the outside coming into your organization and insider
threats.
● Second component for security architecture:
● Risk-Based Controls: Defined as the combination of Threat + Vulnerability + Impact.
● Risk: basically, shows the damage that could be done if security controls do not exist.
● Tangible Risk: Stolen assets, Intangible Risk: loss of investor confidence
● Controls: are implemented based on risk assessments and analysis and the value of
the assets.
○ Management needs to be able to correctly assess the risk using a standard
process which is needed for consistent results.
○ Such as:
■ OCTAVE: (Operationally Critical Threat, Asset, and Vulnerability
Evaluation and COBRA (Consultative, Objective and Bi-Functional Risk
Analysis).
■ These are standard processes for determining risk and provide consistent
results time after time. Accurate results are consistent success factors in
getting an organization buy-in for security measures.
● Least Privilege: The concept of “Need to Know”. People can only access enough
information to do their job properly.
● Reduces the number of authorized users: doing unauthorized actions. Also, reduced
accidental errors as well. (You can’t delete a file you don’t have access to).
● Makes a hacker’s job much more difficult: The hacker ability to maneuver about the
network is much harder.
● Can be implemented at the different security layers: such as the OS level,
application, process file or physical levels.



13

● Authorization: Determines what a person can do once authenticated which is the third
best in the access control system.
○ Authorization records are kept for validation purposes: These records are kept
determining if the process of accessing data is working as intended. Also, kept
for determining breaches and forensic evidence.
● Accountability: A principle that ties authorized users to their actions.
○ This is enforced through user accounts and event logs. (Always protect your
credentials from unauthorized use). Even if it was not you this action will be
traced back to you.
● Separation of Duties: A security mechanism for preventing fraud and unauthorized use
that requires two or more individuals to complete a task or perform a specific function.
● This is when a task is broken up into two separate parts and two people are required to
complete the entire task.
● A key concept of internal control: If a person submits a request to look at a document,
they cannot be the same person to approve that request. (One person to access it and
the other person to approve it).
● Is used with dual control, mandatory vacation, and job rotation. Two people must
simultaneously participate to allow access.
● Controls: Safeguards and countermeasures that are implemented to mitigate, lessen, or
avoid a risk.
● Three Categories of controls:
■ Management: Based on the management of risk and the
management of information system security. Controls created by
people which exist in the form of (Policies and Procedures).
■ Technical: Controls that are executed through mechanisms
contained in the hardware, software and firmware of the
components of the system. The human only sets it up by the
human and the system does the rest. (ex. Access Controls)
■ Operational: primarily implemented and executed by people (ex.
Personal Security). As a security guard, who verifying badges to
make sure no one gets in to an organization.



14

■ Within the three categories of Management, Technical, and

Operational are seven different control types which apply to each
category.
■ Directive: specify acceptable rules
behaviors
■ Deterrent: discourages people from
violated security direction
■ Preventive: controls for stopping a security
incident
■ Compensating: substitute controls for loss
of primary controls
■ Corrective: Implemented to mitigate any
damage
■ Detective: signal warning when something
has been breached
■ Recovery: restore conditions back to
normal
● System Security Plan: A comprehensive document that details the security

requirements for a system, the controls established to meet those requirements, and the
responsibilities of those administering and accessing the system.
● Roles and Responsibilities of a system security plan include:
○ System Owner: person responsible for the creation of the system,
Implementation, integration and maintenance. (Overall responsibility for the
system).
○ Information Owner: has the overall authority on the information stored, processed
or transmitted by the system.
○ Security Officer: who is responsibility for coordinating development, review and
the acceptance of the security plan



15

○ Authorizing Official: A manager or a senior executive with the authority to assume

full responsibility for the system covered in the system security plan.
● System Security Plan need to include:
● People and their roles: (Review above)
● Contacts: people who have knowledge of the configuration or the operation of the
system.
● Requirements: which is the requirement for confidentiality, integrity and availability of
the resources of that system.
● Controls: any type of controls which have been implemented to backup and force the
requirements of this system
● Procedures: for maintenance and review
Lesson 2.3: Secure Development and Acquisition Lifecycle (SC)

Skills Learned from This Lesson: System Vulnerabilities, Secure Development, Acquisition
Practices
How to securely design computer systems. A secure development reduces system

vulnerabilities and when we make this a habit there will be a perfect opportunity to design a
secure system
Physically and actively participate in the development of a system, it is important for the
practitioner to know and understand how these systems are developed. The most popular
secure development system is the waterfall method.
● Waterfall Methodology – Used in most organization world-wide. How it works, it starts

at the top of the first step of Requirements through to the last step systematically. It
goes down through all (six) step until completed. It’s a one directional path, you cannot
go back up. So, make sure each step is completed, before you go onto the next step.
○ (Step 1) Requirements Gathering & Analysis
■ Functional and Non-Functional Requirements are documented
■ Functional is User interaction and processing steps
■ Non-Functional is Performance and System constraints



16

■ Security Requirements are defined

■ Requirements are turned into system diagrams and presented to the
stakeholder or the people who have an interest in the system.
● (Step 2) System Design
○ Requirements are turned into flow charts & narratives
○ Design walkthroughs are held to ensure all requirements are there
■ Once they pass the approval of all the stakeholders to make sure all the
requirements are there this is when the system is beginning to be
implemented.
● (Step 3) Implementation
○ Programming is done and modules are created
■ In small blocks of code to easily tested, applied and edited
○ The security practitioner is responsible for the correct implementation of all the
security concepts
● (Step 4) Integration
○ Modules are combined and tested
● (Step 5) Deployment of System
○ The application is sent to a controlled environment for quality assurance
○ The application is then put into production
● (Step 6) Maintenance
○ Bugs and vulnerabilities are patched up and fixed to maintain the integrity of the
system
● Spiral method – Very similar to the waterfall method and that their (six) different steps
starting from the requirement down to the maintenance. What makes this method
unique there is a loop (Plan-Do-Check-Act PDCA) as many times needed in each step
until thoroughly completed.
○ (Step 1- 6) Requirements are Gathered everything is written down their checked
to make sure they are all there then they start acting upon. If the loop is needed
to be done again then it will if not the system design can be started.



17

● Rapid Application Development (RAD) – Designed to quickly build user interface

components as requirements are gathered.
○ To detect errors early, small prototypes are built as they get requirements
gathered then modify it and build another small prototype for it. The system gets
repeated until all requirements are taken care of.
○ The issue with building to many prototypes takes you away from what the true
purpose of the system is for.
● Agile Development – The requirements are gathered, and the design is started. The
programmers go back and look at the requirements and teak the design. This process
will continue until a good design is built, then they start to code. This process will
continue until thoroughly tested and put into production.
Exposing applications, infrastructure information to external abusers creates the opportunities

for compromise by attackers who wish to steal customer data, private information and damage
organizations reputation. There are many vulnerabilities that face web facing application, which
provides excellent opportunities for malicious attacks by unauthorized users. Internal
development projects should combine secure coding practices to reduce the vulnerability. The
best way to participate is to use OWASP.
● System Vulnerabilities and Secure Development – The Open Web Application

Security Project (OWASP) Provides a freely available listing of the top vulnerabilities
found in web applications.
● Guidelines exist for developers in the following areas:
- Authentication
Authorization
Session Management
Encryption of Sensitive Data
Input Validation



18

Disallow Dynamic Queries

Out- of -band Confirmations
Avoid Exposing System Information
Error Handling
● Check it out! https://www.owasp.org/index.php/Main_Page
● Hardware / Software
○ IT Asset Management (ITAM) – Process of collecting Inventory, Financial, and
contractual data to manage the IT asset throughout its life cycle.
1. Four device management capabilities:

1. Hardware Asset Management – Anything that has an address
2. Software Inventory Management – What software on printers, servers etc.
3. Configuration Settings Management – How are these assets configured
4. Vulnerability (Patch) Management – When a vulnerability is found code is
updated
Lesson 2.4: Data (SC)

Skills Learned from This Lesson: Data management, Maintain Data, Encryption Data, destroy
Data
● Data Management – The development, execution and supervision of plans, policies,

programs and practices that control, protect, deliver and enhance the value of data and
information assets. This is to ensure the Triad: Confidentiality, Integrity and Availability of
the data.



19

● Secure information Storage – Encryption with respect to

● Data size
● Performance
● Application Compatibility
● Data Scrubbing – Using security controls to protect the integrity of the data, so when
copying production data for use in testing. This is accomplished by overwriting sensitive
data values with meaningless ones.
● Data Deduplication – Is to make the data smaller. The process that scans the entire
collection of information looking for similar chunks of data that can be consolidated.
Data needs to be protected. The way its best protected, is to have it encrypted. To encrypt and
decrypt data you need encryption keys and decryption keys. These keys are only effective as
the organization ability to securely manage the keys.
● Managing Encryption keys (Key management) refers to a set of systems and

procedures used to securely generate storage, distribute, use archive, revoke and delete
keys. Key management policies are very important, consideration include:
● Roles and responsibilities – which is who has access to the keys and who can use the
keys.
● Key generation – is how the keys are generated through random numbers of
generators and using systems desired key lengths and make sure they are sufficiently
random so they cannot guess.
● Distribution – How keys are given to other people, how they are authorized and
authenticated.



20

● Expiration – Make sure the keys are deactivated and tossed away when they are no
longer needed or after a certain period of time.
● Revocation and Destruction – Getting rid of keys that have been compromised or no
longer valid.
● Audit and Tracking – Which all key management operations should be written down
and in event logs or record to prevent unauthorized access and modification.
● Emergence Management – A key management policy which specify emergency
replacement and revocation of encryption key.
● Information Rights Management (IRM) Assign specific properties to an object such as
how long the object may exist, and who/what may access it.
● Data Retention and Disposal – once data has reached the end of its time. It is
important to dispose of the data so that it is no longer seen by anyone else. There are
several different ways to dispose of data, depending on the policy of your organization
one of the ways to dispose of data is shredding. To get rid of data on a hard disc you
reformat it.
● Shredding – Cutting documents into tiny pieces

● Erasure or reformatting – Removes the pointers to data so that OS can no longer see
the data
● Disk wiping/Overwriting – Writing over existing data with a stream or zeros, ones, or
both
● Degaussing – Erases magnetic data on a disk or tape using a degausser.
Lesson 2.5: Data Leakage Prevention (SC)

Skills Learned From This Lesson: Data Leakage Prevention, DLP system types, DLP Controls
● Data Leakage Prevention (DLP)

○ Prevention of data from leaking out of the organization



21

○ Maintain integrity of data

● Kinds of DLP strategies:
○ Prevent transfer of data to mobile devices
○ Prevent leakage via internet & e-mail
● DLP strategies use host & network components to perform functions:
○ Data Discovery
■ Process of discovering where sensitive data is stored on the network
○ Labeling
■ Give data an ID # to monitor it across the network
○ Policy Creation
■ Determines which data is sensitive
■ Defines rules for the transfer of data
○ Content Detection/Monitoring
■ Inspection of data as it travels through perimeter devices & as it leaves
local computers
○ Prevention or Blocking
■ Transfer of data is blocked if policy violation is detected
○ Reporting
■ Violations of the data disclosure policies are reported
■ What policy was violated?
■ Source IP
■ Login account which violation occurred
● Technical Controls
○ Controls that the computer system executes
○ Provide automated protection from unauthorized use & misuse
○ Categories
■ Identification and Authentication (who are allowed or not allowed)
■ Authentication control mechanisms & how to control changes
■ If passwords are the authentication mechanism then password
actions need to be defined
■ Password complexity
■ Policies for bypassing the authentication system should be in
place
■ # of invalid access attempts



22

■ lockout
■ The procedures for key management
■ Documentation for distribution storage entry and disposal
of decrypted & encrypted keys
■ How biometric & token controls are to be used
■ Logical Access Controls
■ Authorize or restrict the activities of users
■ Topics
■ Granting of access rights & privileges
■ What do users get to do when authenticated?
■ Temporal restrictions
■ Time of day hardware/software can be accessed
■ Detection mechanisms for unauthorized people & actions
■ Timeout periods
■ Lockout after max login attempts reached
■ Encryption of sensitive files
■ How separation of duties is enforced
■ How often ACLS are reviewed?
■ Regulation of the delegation of access permissions
■ Who can give access permission to who?
■ Public Access Controls
■ Controls for the general public
■ What the general public can and can’t do with data?
■ Topics
■ Information classification
■ What data is public, private, confidential, or secret?
■ Forms of identification & authentication
■ Limitations on read/write privileges
■ Seperation of public & private systems
■ Audits trails & user confidentiality
■ Always keep an audit trail of what everyone does
■ Requirements for system & data availability
■ Audit Trails



23

■ Description of security controls used to protect the integrity of the

system
■ Topics
■ Process of audit trail reviews
■ How often reviewed?
■ What conditions?
■ Tracing user actions
■ Are users actions aligned w/ policies & procedures
of system?
■ Safeguards
■ Protect confidentiality & integrity of user data
■ SSN, password or birthplace marked out
■ Recording or of appropriate information in intrusion
■ Separation of duties
■ Are they the same or different person?
● Operational Controls
○ Controls executed by people in DLP
■ Change management processes
■ Configuration management processes
■ Authorization processes
● Managerial Controls
○ Focuses
■ Management of the computer security program
■ Management of risk through security policies
○ Security policies
■ Formal written document that sets expectations for how security will be
implemented & managed in an organization
○ Policies
■ How to guides:
■ Email & Internet usage
■ Antivirus
■ Remote access
■ Information classification



24

■ encryption
Lesson 2.6: Policy Document Format (SC)

Skills Learned From This Lesson: Policy document format, Policy document elements,
Standards
● Policy Document Format

○ Elements
■ Objective
■ Provides policy context
■ Policy statement
■ What must be done to meet objectives?
■ Applicability
■ Who the policy applies to?
■ Enforcement
■ How the policy will be applied?
■ Roles & responsibilities
■ Who is responsible for the policy?
■ Review
■ Timeframe
● Standards
○ Formal, documented requirements that sets uniform criterias or a specific
technology, configuration, or method
○ Common practice but not always formal unless company becomes bigger
● Baseline
○ Detailed configuration standards that includes specific security settings
○ Like a checklist, it’s the norm
● Guidelines
○ Recommended practices to be followed to achieve a desired result
○ Not mandatory, like standards
● Procedures
○ Step-by-step implementation instructions for performing a specific task or goal
○ Components
■ Purpose



25

■ Why is this procedure being performed?

■ Applicability
■ Who is responsible for following the procedure?
■ What are the circumstances surrounding it?
■ Steps
■ What are the steps taken to perform the procedure?
■ Figures
■ Diagrams to depict a workflow & screenshots
■ Decision points
■ yes/no questions whose answers result in branching to different
steps in the procedure
Lesson 2.7: Management (SC)

Skills Learned From This Lesson: Management types, Release management, Change
management
● Management
○ Controlling actions of a system
○ Implemented through policies & procedures
● Management Types
○ Release management
■ Release of software from the testing environment to the production
■ Seeks to ensure timeliness goals, minimize disruption, & issue all relating
documentation & communication
○ Change control management
■ Determines whether controls are still effective and update if needed
■ System assurance
■ Process of validating that existing security controls are configured
& functioning as expected, both during initial implementation & on
an ongoing basis
■ Change control



26

■ Formal procedures adopted by an organization to ensure that all

changes to system & application software are subject to the
appropriate level of management control.
■ Seeks to eliminate unauthorized changes & reduce defects
■ Change control steps
■ Request submission
■ Recording
■ Details of request are recorded
■ Analysis/Impact
■ Changes are analyzed
■ Decision
■ Approval
■ Status tracking
■ Operational aspects
■ Requests
■ Changes are proposed to the committee
■ Impact assessment
■ Committee members determine impact
■ Approval/disapproval
■ Requests are officially answered
■ Build & Test
■ Approvals are built & tested
■ Security impact assessment
■ Security risk is determined
■ Notification
■ System users are notified of the coming change
■ Implementation
■ Change is deployed incrementally
■ Validation
■ Change is confirmed
■ Documentation
■ Outcome of the system change is documented
■ People involved
■ Change manager



27

■ Charge of policies & procedures

■ Change control board
■ Responsible for approving system changes
■ Project manager
■ Manages budgets, resources, & tasks for the system
creation
■ Architects
■ Develop security context & systems design
■ Engineers & analysts
■ Develop, build, & test system changes
■ Customer
■ Requests changes & approves functional changes
■ System security officer
■ Ensures changes to not have security impacts
○ Configuration management
■ Updating versions
○ Patch management
■ Applying of patches to secure system
Lesson 2.8: Configuration Management (SC)

Skills Learned From This Lesson: Configuration management, Patch management, Security
Awareness and Training
● Configuration management
○ Discipline that seeks to manage configuration changes so that they are
appropriately approved and documented, so that the integrity of the security state
is maintained
● Maintains the integrity of hardware & software across releases inversion
● Change management vs Configuration management
○ Change management
■ Focuses on changes to project processes or project baselines
■ Ex.
■ Changes in the budget changed in the schedule



28

○ Configuration management
■ Focuses on project specifications
■ Ex.
■ Extra features, may be added or subtracted to particular
project
● Configuration management consists of:
○ Automated tools
■ Tools that will handle version checking any type of conflict
○ Documentation
■ Hardware list of information
■ Make
■ Model
■ MAC address
■ # of licenses
■ Expiration date
■ Software name
○ Procedures
■ Step by step process for properly configuring the hardware & software so
that # of conflicts are reduced
● Operational aspects
○ Identification
■ Captures & maintains information about the structure of the system,
usually in a Configuration Management Database (CMD)
○ Control
■ Configuration changes are controlled through the lifecycle
○ Accounting
■ Captures, tracks, & reports on the status of the configuration history
○ Auditing
■ Process of logging, reviewing, & validating configuration items
● Inventories
○ Kept for integrity & validation
● Patch Management
○ Process of applying system changes to correct software & firmware
vulnerabilities



29

○ Process
■ Acquisition
■ Patches are supplied via download
■ Testing
■ Patches are tested
■ Approval
■ Patches can’t be applied until they are approved
■ Packaging
■ Patches must be packaged for distribution & installation
■ Deployment
■ The path is applied to the target system
■ Verification
■ The success or failure of the patch application is recorded
● Security Impact Assessment
○ The analysis conducted w/in an organization to determine the extent of the
changes to the information system affect the security posture of the system
○ Does it differ from the baseline?
● Interoperability
○ The extent to which systems & devices can exchange data & interpret that
shared data
○ Open system
■ Lot of data can be passed back & forth between systems
○ Closed system
■ Very little data can be passed back & forth between systems
● Security Awareness
○ Seeks to reduce human error by educating people about cybersecurity
○ Security is only as strong as its weakest link
○ Critical success factors
■ Senior management support
■ Cultural awareness
■ Communication goals
■ Taking a change management approach
■ Measurement



30

Lesson 2.9: Interior Intrusion Detection Systems (SC)

Skills Learned From This Lesson: Interior IDS, Building Security
● Interior IDS
○ Limit employees only to areas they need access to
○ Intrusion Detection Systems
■ Balanced Magnetic Switch (BMS)
■ Uses a magnetic field or mechanical contact to determine if an
alarm signal is initiated
■ Reed Switches
■ Motion-Activated Cameras
■ A fixed camera w/ a video motion feature that signals an alarm
when something enters the field of view
■ Acoustic Sensors
■ A device that uses passive listening devices to monitor building
spaces
■ Designed to detect intruders who stay around after building
has closed
■ Infrared Linear Beam Sensors
■ Focused light beam is projected & bounced off a reflector on either
side of the detection area, when someone walks across the beam
an alarm sounds off
■ Passive Infrared (PIR) Sensors
■ Set to a specific temp, when an increase in heat is detected, alarm
sounds
■ Also used as an automatic request to exit (REX) device
■ Door locked - when sensor senses heat increase, it will
auto unlock
■ Dual-Technology Sensors
■ 2 different sensors used to reduce false alarms
■ Visitor Control
■ Consideration factors:
■ Controlled waiting room
■ Temp. badges or passes



31

■ Escorted around organization

● Building Security
○ Electric locks
■ Moves the door bolt
○ Electric strike
■ Lock that moves the strike, the bolt does not move
○ Magnetic locks
■ Surface mounted magnets to hold the door closed
○ Anti-passback
■ Strategy where a person must present a credential to enter & exit a facility
○ Turnstiles
■ Allows one person to pass at a time
■ May have to insert coin, ticket, pass, swipe card, etc
○ Mantraps
■ Prevents multiple people from entering an area at the same time
■ First set of doors must close before the second set opens
○ Rim lock
■ Lock mounted on the surface of the door
■ Ex.
■ Front door lock
○ Mortise lock
■ Lock that is built into the edge of the door
■ Embedded into door
● Data Center Security
○ Considerations:
■ Utilities and Power
■ HVAC
■ Air Contamination
■ Water Issues
■ Fire Detection and Suppression
■ Water Suppression Systems
■ Used for physical areas
■ Wet Systems
1. constant supply of water



32

2. Will not shut off until water source is shut off

■ Dry Systems
1. Do not have water in them
2. Valve will not release until it is stimulated by excess heat
● Pre-Action Systems
1. Incorporates a detection system
2. Water is held back until the detectors are activated
● Deluge Systems
1. Operates the same as the Pre-Action system except the sprinkler heads are in
the open position
● Gas Suppression Systems
○ For computer equipment
○ Aero-K
1. An aerosol of microscopic potassium compounds
● FM-200
1. A colorless, liquefied compressed gas
Domain 3: Risk Identification, Monitoring, and Analysis

Lesson 3.1: Intro to Risk Management (SC)
Skills Learned From This Lesson: Risk Management Process, Risk Concepts, Risk Security
Assessments
● Risk
○ A function of the likelihood of a given threat source exercising a potential
vulnerability, and the resulting impact of that adverse event on the organization
○ What is the possibility that something is going to happen?
○ How bad is it going to be?
● Likelihood
○ Probability that a potential vulnerability may be exercised w/in the construct of the
associated threat environment
○ What are the chances that a potential vulnerability will be exploited?
● Threat source



33

○ Either intent & method targeted at the intentional exploitation of a vulnerability or

a situation or method that may accidentally trigger a vulnerability
○ Where is it coming from?
○ How bad is it going to be?
● Threat
○ The potential for a threat source to exercise a specific vulnerability
○ What is the possibility that an attacker will exploit a specific part of a system?
● Vulnerability
○ A flaw or weakness in system security procedures, design, implementation, or
internal controls that could be exercised & result in a security breach or a
violation of the system’s security policy
● Impact
○ The magnitude of harm that could be caused by a threat’s exercise of a
vulnerability
● Asset
○ Anything of value that is owned by an organization
● Risk Assessment Steps:
○ Step 1: Prepare for the Assessment
■ Identify the purpose
■ Why are we performing assessment?
■ Identify the scope
■ How deep is the assessment going to go?
■ What part of organization will assessment apply too?
■ Identify any assumptions
■ Will assessment be for part or whole organization?
■ Identify sources of info
■ Identify the risk model
■ How are we going to measure our results?
○ Step 2: Conduct Assessment
■ Produce list of risk
■ Gather essential information
■ Assess impact through formulas
■ Measuring the damage
■ Single Loss Expectancy (SLE)



34

■ SLE = Asset Value x Exposure Factor (%)

■ Annualized Loss Expectancy (ALE)
■ ALE = Single Loss Expectancy x Annualized Rate of
Occurrence
■ How many times will this happen in a year?
■ Annualized Rate of Occurrence
■ Represents the expected # of exploitation by a specific
threat of a vulnerability to an asset in a given year
■ Determine risk
■ Risk Assessment tables
■ Determines what kind of risk dealing with
■ Measures:
■ HIgh Risk
1. Corrective actions should be implemented ASAP
● Medium Risk
1. Corrective actions should be implemented w/in a reasonable time frame
● Low Risk
1. An evaluation should be performed to determine if any action should be taken to
address the risk
● Step 3: Communicate Results
○ Talk about the results
○ Share info to support risk management activities
● Step 4: Maintain Assessment
○ Stay current w/ the risk knowledge
○ Incorporate Risk Monitoring
Lesson 3.2: Risk Treatment (SC)

Skills Learned From This Lesson: Risk Treatment, Risk Management
● Risk Treatment
○ Goal
■ Reduce risk to an acceptable level



35

○ Risk treatment
■ Risk Mitigation
■ Implement technical, managerial, and operational controls
■ Risk Transference
■ Transfer risk to a third party
■ Risk Avoidance
■ Avoid risk
○ Risk Acceptance
■ Accept risk
● Risk Visibility and Reporting
○ Risk should always be recorded & reported
○ Risk needs to be aggregated in a Risk Register
■ Risk Register
■ Gives info about risk in organization
■ Risk management steps:
■ Step 1: Identify the risk
■ Step 2: Evaluate the severity of any identified risks
■ Step 3: Apply possible solutions to risks
■ Step 4: Monitor & analyze the effectiveness of any
subsequent steps taken
Lesson 3.3: Auditing (SC)

Skills Learned From This Lesson: Auditing
● Auditing
○ Security Audit
■ An evaluation of how well the objectives of a security framework are met
& a verification to ensure the security framework is appropriate for the
organization
○ Purposes:
■ Point out where security is lacking
■ Emphasize what is being done correctly in security
○ Types of auditors:
■ Internal



36

■ External
● Audit Types:
○ Annual
■ Performed on an annual basis as dictated by policy
○ Event-Triggered
■ Conducted after an incident
○ Merger/Acquisition
■ Performed to determine security standards of the company being
acquired
○ Regulation Compliance
■ Performed to confirm compliance w/ security aspects of regulations
○ Ordered
■ Performed when commanded by court
● COBIT
○ Control Objectives for Information and related Technology
■ A set of control objectives used as a framework for IT governance
developed by Information System Audit and Control Association (ISACA)
and the IT Governance Institute (ITGI)
● Auditors
○ Collect info about an organization's security processes
○ Responsibilities:
■ Provide independent assurance about security systems
■ 3rd party assurance
■ Analyze organizational security objectives
■ Analyze policies, standards, baseline, procedures and guidelines
■ Analyze the effectiveness of controls
■ Stating and explaining the scope of the system
● Auditing Domains
○ User
■ Users & their authentication methods
■ How do users log into workstations?
○ Workstation
■ End-user systems
■ What kind of security on system?



37

○Application
■ E-mail, database, web applications
■ What kind of security to protection unauthorized access to application?
○ LAN
■ Equipment necessary for LANs
○ LAN to WAN
■ Area where the DMZ resides
○ WAN
■ Things outside of the firewall
○ Remote
■ How remote users access the network
○ Cloud & Outsourced
■ Moving data to other entities
■ How do you protect your data?
● System Documentation
○ Disaster/Business Recovery
○ Host Configuration Baseline
○ Security Configuration
○ Acceptable Use Policy
○ Change Management Process
○ Data Classification
■ Not all data is the same
■ Ex. unrestricted, sensitive, confidential
○ Business Flow
● Responding to an Audit
○ Exit interview
■ Issues will be addressed
○ Presentation of findings
■ Findings presented to management
○ Management response
■ Written response to auditors
Lesson 3.4: Vulnerability Scanning and Analysis



38

Skills Learned From This Lesson: Vulnerability Scanning, Securing Hosts, Security Monitoring
Testing, Wireless Networking Testing, War Dialing/War Driving
● Vulnerability scanning
○ The process of checking a system for weaknesses
○ Goal
■ Study security levels
■ Find problems
■ Improve
○ Advantages
■ Identify system vulnerabilities
■ Allows for the prioritization of mitigation
■ Good for comparing security positions
○ Disadvantages
■ Cannot always focus efforts
■ Could crash the network
● Vulnerability scanning types

○ General
■ Probes host & OS
■ Looks for known flaws & typical attacks
○ Application specific
■ Use tools to look at specific applications
● Vulnerability testing qualities
○ OS Fingerprinting
■ Used to identify the OS
○ Stimulus & Respons algorithms
■ Techniques to identify software versions
○ Privileged logon ability
■ Log onto a host w/ Admin credentials
○ Cross-referencing
■ Identify possible vulnerabilities



39

○ Update capability
■ Scanners need the latest signatures
○ Reporting capability
■ Report on the findings
● Vulnerability testing issues
○ False positives
○ Crash exposure
○ Temporal information
■ Just because a scan is good today doesn’t mean the next scan will be
● Scanner tools
● Securing Hosts
○ Disabling unneeded services
○ Disabling insecure services
○ Ensuring least privilege file system permissions
○ File system permissions
■ Share only w/ those who need
○ Establish & enforce a patching policy
○ Examine applications for weakness
○ Firewall & router testing
● Security Monitoring Testing
○ Ensure systems are working as expected
○ Out of the box Intrusion Detection System (IDS) systems need to be tuned to
organization
○ IDS testing
■ Data patterns w/in a single packet
■ Data patterns w/in multiple packets
■ Obfuscated data
■ Fragmented data
■ Protocol embedded attacks
■ Flooding detection
● Wireless Networking Testing
○ Wireless technology > Wireless Access Points > Problems!
○ Security Testers
■ Test for effectiveness of wireless security



40

■ Detect unauthorized access points

○ Wireless tools
■ Netstumbler
■ Kismet
■ Nessus
■ Aircrack-NG
● War Dialing/War Driving
○ War dialing
■ Attempts to locate unauthorized modems connected to computers that
are connected to networks
■ A specialized program is used to scan a list of telephone #’s to search for
computers for the purpose of hacking
■ Not used as much
○ War driving
■ The act of searching for open wireless networks while driving around
Lesson 3.5: Penetration Testing (SC)

Skills Learned From This Lesson: Penetration Testing, White Box Testing, Grey Box Testing
● Penetration Testing Phases

○ Step 1: Preparation
■ Define goals (scope)
■ Choose the right penetration tools
■ Do not let tools drive testing
■ Use tools which match environment
■ Analyze testing results
■ Use graphics, ratings, & vulnerability index when possible
○ Step 2: Information Gathering
■ Reconnaissance
■ Collecting information about the organization from publicly
available sources, social engineering, & low-tech methods
■ Needed by a pen tester who has not been granted regular access
to the system



41

■ Social engineering & Low-Tech Reconnaissance

■ An activity that involves the manipulation of people to get
information
■ Acquire information from websites, social media, &
googling
■ Mid-Tech reconnaissance
■ Whois
1. A system that records internet registration information
■ DNS Zone Transfers
■ A request directed at a DNS server that asks the server for
information of the domain that it serves
■ Network mapping
■ Collecting information about the organization’s internet
connectivity & available hosts through automated software
■ Paints a picture of which hosts are up & running & what
services are available
■ Should be limited to the scope of the project
■ Precursor to vulnerability testing
■ Techniques
■ ICMP Echo Requests (ping)
■ TCP Connect Scan
■ TCP SYN Scan
■ TCP FIN Scan
■ TCP XMAS Scan
■ TCP NULL Scan
■ UDP Scan
■ Basic built-in OS commands
■ Traceroute
■ Ping
■ Telnet
■ Whois
■ Tools
■ Nmap
■ Solarwinds



42

■ Superscan
■ Lanspy
■
○ Step 3: Information Evaluation & Risk Analysis
■ Evaluate the findings & perform risk analysis
■ Potential risks must be identified
■ Decide which devices should be penetration tested
○ Step 4: Active Penetration
■ WARNING!!
■ Think twice before attempting to exploit a possible vulnerability
that may harm the system
■ Sometimes its better to identify the vulnerability w/o actively
working to break it
○ Step 5: Analysis & Reporting
■ Documentation & analysis should be reported to management
■ Always give solutions/ideas to the problems
■ Tailor the report to the person who will be looking at it
● Penetration Testing modes
○ White Box testing
■ Knowledge of security & IT staff
■ Given network blueprints, planned test times, & assistance from the
organization
■ Pros
■ Good support from the organization
■ Fixes can occur quicker
■ Good for testing incident response procedures
■ Cons
■ An inaccurate picture of the network is produced
○ Grey Box testing
■ Some information is known
■ Focus
■ Accessing system
■ Pros
■ Combines benefits of white & black box testing



43

■ Allows for focused testing scenarios

■ Cons
■ Testing coverage may be limited
○ Black Box Testing
■ Internals not known
■ Testers perform unannounced tests
■ Upper management aware
■ Security & IT staff are unaware
■ Gives point of view from attackers
■ Objective
■ Get into whatever they can, w/o causing harm
■ Pros
■ Good look of the organization’s true responses
■ Cons
■ Staff might get their feelings hurt
Lesson 3.6: Operating and Maintaining Monitoring Systems (SC)

Skills Learned From This Lesson: IDS & IDPS, Types of monitoring, Log files, Event
Configuration & Correlation, SIEM
● Safeguard
○ A built-in proactive security control implemented to provide protection against
threats
● Countermeasure
○ An add-on reactive security controls
○ Helps to fight off attacks
● Vulnerability
○ System weakness
● Exploit
○ A particular attack
● Signature
○ A string of characters or activities found w/in processes or data communications
that describes a known system attack



44

● Tuning
○ Customizing a monitoring system to your environment
● Promiscuous interface
○ A network interface that collects & processes all of the packets sent to it
regardless of the destination MAC address
● False positive
○ Monitoring triggered an event, but nothing was wrong
● False negative
○ Monitoring system missed reporting an exploit event by not signaling an alarm
● True positive
○ The system recognized an exploit event correctly
● True negative
○ The system has not recognized benign traffic as cause for concern
● IDS
○ A passive system
○ Only signals an alarm
○ IDS/IDPS Types
■ Network based IDS (NIDS)
■ Monitors network traffic
■ Should be placed at network entrances
■ Host based IDS (HIDS)
■ Monitors system calls
■ Should be placed on systems where protection is mandated
● IDPS
○ An active system
○ Signals an alarm & tries to stop an incident
● Implementation Issues
○ Collecting data for incident response
■ How will the organization respond to events?
○ Monitoring response techniques
■ Passive response
■ Notes the event, but does not take evasive action
■ Ex.
■ Logging the event to a file



45

■ Displaying an alert
■ Sending alerts to an administrator
■ Active response
■ Notes the event & performs a reaction
■ Ex.
■ Block transactions
■ Disallow access to system calls
■ drop/reset connections
● Types of Monitoring
○ Real-Time monitoring
■ Provides a means for immediately identifying & sometimes stopping
covert & overt events
○ Non-Real Time Monitoring
■ Provides a means for saving important information about system events &
monitoring integrity of system configurations
○ Continuous/Compliance Monitoring
■ Represents the desire to have real-time risk information available at any
time to make organizational decisions
● Log Files
○ Reviewing Incident Logs
■ Save all log files from a device after an incident
○ Log Anomalies
■ Anything out of the ordinary
○ Log Management
■ Don’t let log files get out of control
■ Clipping levels
○ Filtering
■ Reduces amount of data reviewed
○ Log Consolidation
■ Happens on SIEM systems
■ Good for tracking devices across systems
○ Log Retention
■ How long should logs be kept?
○ Centralized Logging



46

■ Ensuring the logs are in on place

● Event Configuration & Correlation
○ Netflow
■ Collects network traffic which can be analyzed to create a picture of the
traffic flow
○ sFlow
■ Technology for monitoring traffic in data networks containing switches &
routers
○ Security Event Management (SEM)
■ Analyzes event data in real time to provide monitoring, event correlation,
& incident response
○ Security Information Management (SIM)
■ Collects & analyzes on log data to support compliance & threat
management
○ SIEM
■ Security Information & Event Management
■ Compliance
■ Enhanced Network Security
■ Can correlate many different events
■ Full Packet Capture
■ Captures every single packet that it finds
■ Security Analytics, Metrics, & Trends
Domain 4: Incident Response and Recovery

Lesson 4.1: Incident Handling (SC)
Skills Learned From This Lesson: Incident Response Process,
● Incident Response Process

○ Step 1: Preparation
■ Comprised of a corporate incident handling & response policy &
procedure
■ Incident Response Policy
■ Establishes a phased approach to incident response



47

■ Details steps to incident response handling

■ Incident response team
■ Incident Response Policy should cover:
■ Management Support
1. Know what they are supposed to be doing when an incident happens
● Aligned w/ the organization
● Objectives
● Scope & Limitations
● Definitions of Terms
● Roles & Responsibilities
● Prioritization of Risk
● Metrics & Performance
1. Determine how effective policy is
■ Communications Planning
■ Mandatory Adherence
■ Compliance
○ Incident Response Team
■ Customers, Constituents, & Media
■ Something to lose in the organization if an incident was to occur
■ Other Incident Response Teams
■ May or may not be part of the organization
■ Internet Service Providers
■ Can isolate network to prevent it from getting worse
■ Incident Reporters
■ People who track, follow, or discovered incident
■ Law Enforcement Agencies
■ Software & Support Vendors
● Step 2: Detection & Analysis
○ Intrusion systems techniques to determine attacks
■ Signature or Pattern Matching Systems
■ Snippet of code that identifies the system
■ Protocol Anomaly-Based Systems
■ Protocol or something in the system not working as it should
■ Statistically Anomaly-Based Systems



48

■ Establish a baseline, to identify deviation from the baseline

○ Incident analysis focuses on what constitutes an incident in the organization
● Step 3: Containment, Eradication & Recovery
○ Containment
■ Limit the damage caused by the security incident
○ Eradication
■ Performed to remove malicious code, tools, & backdoors that may have
been used
■ May or may not happen depending on the incident
■ Sometimes reimaging is quicker & more reliable
● Step 4: Post-Incident Activity
○ Implementation of Countermeasures
■ What happen & how it can be prevented from happening again
■ Increase user awareness
■ Implement overall improvements for risk
■ Provide disincentives for bad behavior
■ Improve user training
■ Understand the benefits of better technology
○ Forensics
■ Identifying evidence
■ Collecting or acquiring evidence
■ Examining or analyzing evidence
Lesson 4.2: Forensic Investigation (SC)

Skills Learned From This Lesson: Crime Scenes, Locard’s Principle of Exchange, Analysis
● Crime Scene
○ Needs to be defined before evidence can be identified
○ Principles of Criminalistics:
■ Identify the scene
■ Protect the environment
■ Identify evidence
■ Collect evidence



49

■ Minimize contamination
● Evidence
○ Live evidence
■ Data that is in a very dynamic & exists in running processes or other
volatile locations (e.g. RAM) that disappear in a relatively short time once
the system is powered down
○ Locard’s Principle of Exchange
■ When a crime is committed, the perpetrators leave something behind &
take something w/ them
■ Allows aspects of the responsible person to be identified
● Guidelines for Handling Evidence
○ Anyone who accesses digital evidence needs to be properly trained
○ Anyone who possesses evidence is responsible
○ Evidence must not be changed
○ Evidence must be fully documented
○ Anyone who has evidence is responsible for following forensics & procedural
principles
● Forensics Procedures
○ EVERYTHING must be documented
○ Ensure data cannot be altered
■ Disk Image & Hash algorithms
○ Establish a chain of custody
■ Document everyone who has touched evidence
● Five Rules of Evidence
○ Be Authentic
○ Be Accurate
○ Be Complete
○ Be Convincing
○ Be Admissible
● Analysis
○ Media Analysis
■ The recovery of information from information media such as hard drive
○ Network Analysis
■ Examination of data from network logs & network activity



50

○ Software Analysis
■ Analysis & examination of program code
○ Hardware/Embedded Device Analysis
■ Analysis of mobile devices & hardware & firmware found in computers
Lesson 4.3: Business Continuity Plans (SC)

Skills Learned From This Lesson: BCP, DRP, Availability and Redundancy
● Business Continuity Plan (BCP)

○ Focuses on the continuity & recovery of critical business functions during & after
a disaster
■ Helps organization get back to normal operation as quickly & smoothly as
possible
■ Focuses on the company as a whole
○ Proactive development of a plan that can be executed to restore business
operations
○ Significant organizational commitment in terms of people of resources
○ Establish the business continuity program & the directly related business
continuity policy
■ Key participants of the BCP are defined
○ Conduct a Business Impact Analysis
○ Determine potential impacts that would result if supporting resources were
unavailable
■ Impacts may be tangible or intangible
● Business Impact Analysis (BIA)
○ An exercise that determines the impact of losing the support of any resource to
an organization, establishes the escalation of that loss over time, identifies the
minimum resources needed to recover, & prioritizes the recovery or processes &
supporting systems
○ How much impact will a business take if resources isn’t available?
● Maximum Tolerance Downtime (MTD/MTPOD)



51

○ The max amount of time that a business function can be unavailable before the
organization is harmed to a degree that puts the survivability of the organization
at risk
○ What is the longest time a resource can be unavailable before the organization
fail?
● Recovery Time Objective (RTO)
○ The earliest time period & a service level w/in which a business process must be
restored after a disaster to avoid unacceptable consequences
○ What is the earliest time period that a resource can come back from being
disrupted?
● Recovery Point Objective (RPO)
○ A measurement of the point prior to an outage to which data are to be restored
○ The last time the system was backuped
● Disaster Recovery Plan (DRP)
○ A document that details the steps that should be performed to restore critical IT
systems in the event of a disaster
○ Considerations
■ Different types of disasters
■ Intentional acts of sabotage
■ Potential threats
○ Assets
■ Data
■ Information systems
■ Network devices
■ Facilities
■ Personnel
● Recovery Strategy Alternatives
○ Cold Site
■ A building w/ power, raised floors & utilities
■ No devices are available
■ Cheapest
■ Longest to get back online
○ Warm Site
■ Does not have computers but has peripherals



52

■ Disk drives, controllers, & tape drives

○ Hot Site
■ Fully configured w/ hardware, software, & environmental needs
■ Most expensive
■ Quickest to get organization back online
○ Multiple Processing Sites
■ Supports 100% availability
■ Data is processed simultaneously
○ Mobile Site
■ Can be deployed to any location based on the circumstances of the
disaster
● Plan Testing
○ BCPs & DRPs must be tested to ensure they are accurate
○ Test Types
■ Checklist Test
■ Each participant review their section of the plan to validate that it
is still accurate
■ Structured Walkthrough Test
■ Representative from each business unit gather together to review
■ Simulation Test
■ An actual disaster is simulated
■ Parallel Test
■ Performing processing at an alternative site
■ Full Interruption Test
■ Regular operations are stopped & processing is moved to the
alternate site
● Backups & Restoration
○ Backup Types
■ Full Backup
■ Entire system is copied to backup media
■ Differential Backup
■ Record differences in data since the most recent full backup
■ Incremental Backup
■ Record changes that are made to the system on a daily basis



53

○ Offsite Storage
■ Backups should be stored off-site at a secure location
○ Electronic Vaulting
■ Allows backups across the internet to an offsite location
○ Remote Journaling
■ Journals & transaction logs are transmitted electronically to an offsite
location
● Availability
○ Clustering
■ A method of configuring multiple computers so they effectively operate as
a single system
○ High Availability Clustering
■ A clustering method that uses multiple systems to reduce the risk
associated w/ a single point of failure
○ Load-Balancing Clustering
■ All cluster nodes are active
■ If a system fails, the others take its place
● Redundant Array of Independent Disks
○ Mirroring
■ The system writes data simultaneously to separate hard drives or drive
arrays
■ RAID 1
■ Identical copies of data are stored on two separate drives
○ Parity
■ The technique of determining whether data had been lost or overwritten
○ Striping
■ A data element is broken into multiple pieces, & a piece is distributed to
each hard drive
■ RAID 0
■ Relies on striping data across multiple disks
■ RAID 2
■ Striping is performed at the bit level
■ Not used in practice
■ RAID 3



54

■ Striping is performed at the byte level

■ Uses a dedicated parity disk
■ RAID 4
■ Striping is performed at the block level
■ Use a dedicated parity disk
■ RAID 5
■ Block-level striping w/ parity information that is distributed across
multiple disks
■ Popular
■ RAID levels can be combined to gain benefits from both levels
Domain 5: Cryptography
Lesson 5.1: Cryptography Fundamentals Concepts (SC)
Skills Learned From This Lesson: Fundamental cryptography concepts
● High Work Factor

○ The average amount of effort or work required to break an encryption system
■ Measured in units such as hours or cost in dollars
■ If the encryption work factor is high enough, then the system is
considered “economically infeasible” to break
● Stream-Based Ciphers
○ When encryption is performed, it happens on a bit-by-bit basis
○ Weaker
○ Less intensive
○ Used in hardware
○ Mix the plaintext w/ a keystream to produce the ciphertext
■ The operation is usually an XOR because its speed
■ Ex.
Input plaintext: 0101 0001

Keystream: +0111 0011



55

Output of XOR 0010 0010
● Block Ciphers
○ Operate on chunks of text instead of one byte at a time
■ Blocks are often 64,128,192, bit sizes
○ Stronger
○ Computationally intensive
○ Used in software
○ Use a combination of substitution & transposition
■ Substitution
■ The process of exchanging one letter or byte for another
■ Transposition
■ The process of reordering the plaintext to hide the message
○ Modes
■ Electronic Code Book (ECB)
■ Each block is encrypted independently
■ Cipher Block Chaining (CBC)
■ The result of encrypting one block of data is fed back into the
process to encrypt the next block
■ Cipher Feedback
■ Each block of keystream comes from encrypting the previous
block of ciphertext
■ Output Feedback (OFB)
■ The keystream is generated independently of the message
■ Counter (CTR)
■ Uses the formula Encrypt (Base+N) as a keystream generator
where Base is a starting 64 bit number & N is a simple
incrementing function
● Key Length
○ The size of the key, measured in bits or bytes
■ The security of an algorithm cannot exceed its key length
■ The key’s length is distinct from its cryptographic security
● Block Size



56

○ The size of the block used in block ciphers

○ Blocks are fixed lengths, padding is sometimes necessary
○ Block size is directly related to the security of the key
● Initialization Vectors (IVs)
○ An initial value to start some process
● Hashing
○ A cryptographic function that is considered practically impossible to invert
○ Specific Hashes
■ Message Digest 2,4,5
■ Secure Hash Algorithm 0,1,2
■ RIPEMD-160
● Birthday Paradox
○ >50% chance two people share a birthday w/in a group of 23 people
■ (n(n-1)/2)
■ Hashes must not be susceptible to this
● Salting
○ Random data used as an additional input to a hashing function
■ Prevents Dictionary attacks & Rainbow Table attacks
○ Password + salt = new password to be hashed
■ Password123 + ET2FE6T4G=Password123ET2FE6T4G
Lesson 5.2: Cryptography and Ciphers (SC)

ijndael
Skills Learned From This Lesson: Symmetric Cipher, R
● Symmetric Cryptography
○ Operates a single cryptographic key that is used for both encryption & decryption
○ Key management is a challenge, must be sent out-to-date
■ Out-of-band
■ Using a different channel to transmit the key
○ Advantages
■ Very fast
■ Affordable
■ Secure



57

○ Disadvantages
■ Key management
■ No non-repudiation
○ Data Encryption Standard (DES)
■ 64 bits in length, every 8th bit is ignored
■ Key space is 256 or 72x1016
■ Disadvantage
■ Key is too short
■ Breakable by a brute force attack
■ Solutions
■ Double DES
■ DES twice w/ 2112 key space
■ Flaw
1. Victim of the Meet-in-the-middle attack
● Triple DES (3DES)
○ Key space of 2112 using two different keys
1. Encrypt w/ key 1, re-encrypt w/ key 2, re-encrypt w/ key 3
● Disadvantage
1. Too slow for software,
1. Advanced Encryption Standard (AES) is needed
1. Algorithm chosen for AES is Rijndael
● Rijndael
○ Very versatile
■ Block size can be 128,192, 256 bits
■ Key size can be 128,192, 256 bits
■ Multiple rounds of operation depending on the key size
○ Four Major Operations
■ Substitute bytes
■ Shift rows
■ Mix columns
■ Add round key
● Other Symmetric Algorithms
○ International Data Encryption Algorithm (IDEA)
■ Key Size (bits): 128



58

■ Block Size (bits): 64

■ Rounds of encryption: 8
○ CAST
■ Key Size (bits): 40-128
■ Rounds of encryption: 12-16
○ Secure and Fast Encryption Routine
■ Key Size (bits): 64
■ Block Size (bits): 64 or 128
○ Blowfish
○ RC2
○ RC4
■ Block Size (bits): Stream Cipher
○ RC5
■ Block Size (bits): 16, 32, 64
■ Rounds of encryption: 0-255
○ RC6
■ Key Size (bits): 128, 192, 256
○ Twofish
■ Key Size (bits): 128, 192, 256
■ Rounds of encryption: 16
Lesson 5.3: Asymmetric Cryptography (SC)

Skills Learned From This Lesson: Asymmetric Cryptography, Hybrid Cryptography



59

● Asymmetric Cryptography
○ Created to address the practical limitations of symmetric cryptography
○ Uses two keys that are mathematically related, but are mutually exclusive
■ One key to encrypt, the other to decrypt
○ Algorithms are one way functions
■ Private key ⇒ Public key
■ Private key belongs to only you
■ Public key belongs to everyone
○ Good for confidential messages, open messages, and non-repudiation
● Asymmetric Encryption Algorithms
○ RSA
■ Algorithm based on the mathematical challenge of factoring the product of
two large prime numbers
○ Diffie-Hellman Algorithm
■ A key exchange algorithm
■ Used to enable two users to exchange symmetric keys which will be used
for message encryption
■ Use for public key infrastructure
○ El Gamal
■ Based on the work of Diffie-Hellman, but includes message confidentiality
& digital signatures
○ Elliptic Curve Cryptography (ECC)
■ Based on the mathematics of elliptic curves
■ Has the highest strength per bit of key length of any of the asymmetric
algorithms
■ Provides confidentiality, digital signatures, & message
authentication
● Asymmetric Key Algorithms
○ Advantages
■ Can send messages w/o key exchange
■ Offers non repudiation, access control, & integrity
○ Disadvantages
■ Slow



60

■ Impractical for frequent transactions

■ Ciphertext larger than the plaintext
● Hybrid Cryptography
○ Combines the best of both Symmetric & Asymmetric
■ Asymmetric
■ Key exchange, nonrepudiation, & message authentication
■ Symmetric
■ Speed
■ Security of algorithms
● Cryptography Concepts
○ Message digest
■ A small representation of a larger message
■ Used to ensure the authentication & integrity of information
○ Message Authentication Code
■ A small block of data that is generated using a secret key & then
appended to the message
○ Hashed Message Authentication Code (HMAC)
■ Cryptographic hash function that uses a symmetric key value
■ Used for data integrity & origin authentication
○ Digital Signatures
■ Ensures the authenticity & integrity of a message through the use of
hashing algorithms & asymmetric algorithms
■ Message digest is encrypted w/ the sender’s private key
○ Non-repudiation
■ A service that ensures the sender cannot deny a message was sent & the
integrity of the message is intact
Lesson 5.4: Methods of a Cryptanalytic Attack (SC)

Skills Learned From This Lesson: Common Algorithm Attacks
● Common Attacks
○ Chosen Plaintext
■ Attack where the attacker can choose arbitrary plaintexts to be encrypted
& obtain the corresponding ciphertexts



61

○ Social Engineering attack

■ Manipulating individuals so that they will divulge confidential information
○ Brute Force Attack
■ Trying all possible keys until one is found that decrypts the ciphertext
■ Graphical Processing Units (GPUs) have made this possible
○ Differential Cryptanalysis
■ AKA side channel attack
■ Uses the study of how differences in an input can affect the resultant
difference at the output
○ Linear Cryptanalysis
■ A known plaintext attack that uses linear approximations to describe the
behavior of the block cipher
○ Algebraic attack
■ Exploits vulnerabilities w/in the intrinsic algebraix structure of
mathematical functions
○ Rainbow Table
■ A lookup table of sorted hash outputs.
■ Hash values are saved to refer to at a later time
■ Common dictionary words
○ Ciphertext-Only attack
■ Cryptanalysis attack where the attacker is assumed to have access only
to a set of ciphertexts
■ One of the hardest for attacker, they don’t have much information to go off
of
○ Known-Plaintext
■ Attack where the attacker is assumed to have access to sets of
corresponding plaintext & ciphertext
■ Goal
■ Find the link
○ Frequency Analysis
■ Used to identify weaknesses w/in cryptosystems by locating patterns in
resulting ciphertext
■ Works well w/ other types of attacks
○ Chosen -Ciphertext



62

■
Attack where the attacker chooses a ciphertext & obtains its decryption
under an unknown key
○ Birthday attack
■ Attack that exploits the mathematics behind the birthday problem in
probability theory forces collisions w/in hashing functions
○ Dictionary attack
■ Encrypts all of the words in a dictionary & checks if the hash matches the
passwords hash
○ Replay attack
■ Occurs when an attack intercepts authentication information & replays the
information to gain access to a security system
○ Factoring attack
■ Developed to break the RSA algorithm
■ Tries to break down large prime numbers through factoring
○ Reverse Engineering
■ A product is reverse engineered to find weaknesses in the system or gain
information
○ Implementation attack
■ Popular due to ease on system elements outside of the algorithm
■ Side -channel analysis
■ Uses information that has been gathered to uncover
sensitive data or processing functions
■ Fault analysis
■ Attempts to force the system into an error state to gain
erroneous results
■ Probing attacks
1. Attempts to watch the circuitry surrounding the cryptographic module hoping that
new components will disclose information
Lesson 5.5: Key Management Concepts (SC)

Skills Learned From This Lesson: Key management Concepts, Secure Protocols
● Public Key Infrastructure



63

○ A set of system, software, & communication protocols required for public key
cryptography
○ Primary purpose
■ Publish public keys/certificates
■ Certify that a key is tied to an individual or entity
■ Provide verification of the validity of a public key
● Certificate Authority
○ A component of a PKI that creates & maintains digital certificates throughout their
life cycles
● Registration Authority
○ Verifies an entity’s identity & determines whether they are entitled to have a
public key certificate issued
● Certificate Revocation List (CRL)
○ List that is maintained by the CA of a PKI that contains information revoked
digital certificates
● Key Management
○ Most important part of any cryptographic implementation
○ A cryptosystem should be secure even if everything about the system, except the
key, is public knowledge” ~Auguste Kerckhoff
■ Everything about the encryption algorithm should be known except the
key
● Key Management Applications
○ XML Key Management specification 2.0
■ Protocols for distributing & registering public keys
○ ANSI X9.17
■ Developed to address the need of financial institutions
■ Uses Data Keys (DKs) & Key-encrypting keys (KKMs)
● Key Distribution and Management
○ Secure keys depend on Automated Key Generation, Randomness, & Length
■ Automated Key Generation
■ Key policy enforcement
■ Randomness
■ 0’s & 1’s
■ Key length



64

■ The longer the key, the more difficult it is

○ Key Wrapping
■ The process of using key encrypting keys (KEK) to protect session keys
■ Good for sending keys over an untrusted transport
■ Supports symmetric & asymmetric ciphers
○ Out-of-band
■ Key exchange that uses a medium other than that through which secure
messages will be sent
■ Not very scalable
○ Key Distribution Center (KDC)
■ Contains users public keys w/ a valid certificate
■ Two keys
■ Master keys & Session keys
■ Ex.
■ Kerberos
● Key Aspects
○ Key Storage
■ Encryption
■ Expiration Date
■ Backups
■ Recovery
○ Key Recovery
■ Multiparty
■ Common directories
■ Password wallets
○ Key Escrow
■ 3rd party holds key
○ Web of Trust
■ Authenticity of a public key & its owner
● Secure Protocols
○ IP Security (IPSec)
■ A suite of protocols for communicating securely w/ IP by giving
mechanisms for authentication & encryption
■ Authentication Header



65

■ Used to identify the sender & ensure the transmitted data has not
been altered
■ Uses hashes & sequence #’s
■ Encapsulating Security Payload (ESP)
■ Header
■ Seq. # & Security Associations
■ Payload
1. Encrypted part of the packet
● Trailer
1. Padding if required
● Authentication
1. Hash value of the packet
● Endpoints talk w/ IPSec by using transport or tunnel mode
○ Transport
■ The payload is protected
○ Tunnel
■ The payload & header are protected
● Internet Key Exchange (IKE)
○ Authentication part of IPSec
■ Phase 1: Establish authentication
1. Shared secret
2. Public Key Encryption
3. Revised mode of Public Key Encryption
● Phase 2: Security Associations are established
1. Use secure tunnel & secure associate method at the end of phase 1
● Secure Sockets Layer/Transport Layer Security (SSL/TLS)
○ Used to encrypt confidential data over an unsecured network
○ Sits between the Transport layer & the Application layer
● Secure/Multipurpose Internet Mail Extensions (S/MIME)
○ Used to sending digitally signed & encrypted messages
○ Provides authentication, integrity, & non-repudiation
Domain 6: Networks and Communications Security

Lesson 6.1: ISO and DoD Models (SC)



66

Skills Learned From This Lesson: OSI, TCP/IP
The 7 Layers of OSI The OSI Model
● OSI Model
○ Layer 1: Physical Layer
■ Network topologies
■ Most physical devices are at this level
■ Bits on a wire
○ Layer 2: Data Link Layer
■ Receives the packet it gets from the wire & formats it for the network
■ Logical Link Control (LLC)
■ Manages connections between two peers
■ Proves error & flow control
■ Media Access Control (MAC)
■ Transmits & receives frames from peers
■ Hardware addresses are defined at this sublayer
○ Layer 3: Network Layer
■ Moves information between two hosts
■ Uses logical addressing & Internet Protocol (IP)
■ Addressing
■ Uses destination IP address to send packets
■ Fragmentation
■ Subdivides packets if its size is greater than maximum size
on a network
○ IP is a connectionless protocol that does not guarantee error-free delivery
○ Routers work at this level & send packets from place to place
■ Static Routing Tables
■ Updated manually
■ Dynamic Routing Tables
■ Routers share information
○ Network Routing Protocols
■ Internet Control Message Protocol (ICMP)
■ Network errors



67

■ Network congestion
■ Troubleshooting
■ Timeouts
■ Internet Group Management Protocol (IGMP)
■ Manages multicasting groups
■ Other Layer 3 Protocols
■ IPv4/IPv6
■ Internet Protocol
■ DVMRP
■ Distance Vector Multicast Routing Protocol
■ IPsec
■ Internet Protocol Exchange
■ DDP
■ Datagram Delivery Protocol
■ SPB
■ Shortest Path Bridging
○ Layer 4: Transport Layer
■ Creates an end-to-end connection between hosts
■ Transmission Control Protocol
■ Provides error-free transmission
■ User Datagram Control
■ A connectionless unreliable protocol
○ Other layer 4 protocols
■ FCP
■ Fiber Channel Protocol
■ RDP
■ Reliable Datagram Protocol
■ SCTP
■ Stream Control Transmission Protocol
■ SPX
■ Sequenced Packet Exchange
■ SST
■ Structured Stream Transport
○ Layer 5: Session Layer



68

■ Provides a logical, persistent connection between peer hosts

○ Types of sessions
■ Full Duplex
■ Both hosts can pass information at the same time
■ Half duplex
■ Both hosts can pass information, but only one at a time
■ Simplex
■ Only one host can send information to its peer in one direction
only
○ Other Layer 5 Protocols
■ H.245
■ Call control protocol for multimedia communication
■ iSNS
■ Internet Storage Name SErvice
■ PAP
■ Password Authentication Protocol
■ PPTP
■ Point-to-Point Tunneling Protocol
■ RPC
■ Remote Procedure Call Protocol
■ RTCP
■ Real -time Transport Control Protocol
■ SMPP
■ Short Message Peer-to-Peer
○ Layer 6: Presentation Layer
■ Provides services to ensure that peer applications use a common format
to represent data
■ Ex.
■ If an application can only read ASCII values & it receives Unicode
data, then the Presentation Layer will convert it to ASCII
○ Layer 7: Application Layer
■ Application’s portal to network-based services
■ Used to transmit or receive data over a network
○ Protocols that work in Layer 7



69

■ DHCP
■ Dynamic Host Configuration Protocol
■ DNS
■ Domain Name System
■ HTTP
■ Hypertext Transfer Protocol
■ IMAP
■ Instant Message Access Protocol
■ LDAP
■ Lightweight Directory Access Protocol
■ SMTP
■ Simple Mail Transfer Protocol
■ FTP
■ File Transfer Protocol
O
SI Model vs TCP/IP Model
Lesson 6.2: IP Networking (SC)

Skills Learned From This Lesson: IP networking
● Network Classes
○ Hosts are distinguished by IP addresses: 192.168.145.123
○ IP Addresses are divided into a network number & a host number
○ ICANN
■ Internet Corporation for Assigned Names and Numbers
Network Classes
● Classes Inter-Domain Routing (CIDR)

○ Allows flexibility to access more IP addresses
● Subnets
○ Logical subdivision of a network



70

● Subnet Mask
○ Used to define the part of the address that is used for the subnet
● Ex.
○ 192.168.145.123/24
■ 24 is the subnet mask
■ Subnet mask = 11111111 11111111 11111111 00000000 or
255.255.255.0
● IP Networking
○ IPv6
■ A modernization of IPv4
■ Much larger address field - 128 bits
■ Improved security
■ More concise IP packet header
■ Quality of service improved
○ Border Gateway Protocol (BGP)
■ Exchanges routing information between gateway hosts
■ Protocol used between the hosts & the internet
● TCP/UDP
○ Map data connections through port numbers which are associated w/ devices
○ Port numbers are managed by the Internet Assigned Numbers Authority
○ There are 65,536 ports broken into three categories
■ Well-known ports
■ 0 - 1023
■ Registered Ports
■ 1024 - 49,151
■ Dynamic Ports
■ 49,152 - 65,535
○ TCP
■ Provides a connection
■ Has error-handling
■ Tracks packets
■ Ex.
■ HTTP, SMTP
○ UDP



71

■ Connectionless
■ No error-handling
■ “Best Effort”
■ Ex.
■ VOIP
● DHCP
○ Dynamic Host Configuration Protocol
○ Automatically assigns IP addresses to workstations
○ The address given is leased for a period of time
○ Address lease is referred to as a TTL (Time To Live)
● ICMP
○ Internet Control Message Protocol
○ Used for the exchange of control messages between hosts & gateways &
diagnostic tools
○ Ping of death
■ A packet echo that is greater than 65,536 bytes
○ ICMP redirect attacks
■ A victim’s computer redirects sending information through an attacker’s
computer w/o them knowing
○ Ping scanning
■ If a host replies to a ping, then the attacker knows a host exists at that
address
○ Traceroute Exploitation
■ Used to map a victim’s network & learn about the routing
○ Remote procedure calls
■ The ability to allow for the executing of objects across hosts
■ Client sends instructions to an application
Lesson 6.3: Network Topologies (SC)

Skills Learned From This Lesson: Network Topologies and Concepts
● Bus



72

○ A LAN w/ a central cable (bus) to which all nodes connect

○ Advantages
■ Adding nodes
■ Node failures don’t affect the rest
○ Disadvantages
■ Cable failure, all nodes will go down
● Tree
○ All devices connect to a branching cable
■ Advantages
■ Adding nodes
■ Node failures don’t affect the rest
■ Disadvantages
■ Cable failure, only the nodes connected to failed cable will go
down
● Ring
○ A closed loop topology
○ Data is transmitted in one direction only
○ Advantages
■ Maximum wait time
■ Can be used as LAN or Network backbone
○ Disadvantages
■ Single point of failure
● Mesh
○ All nodes are connected to every other node
■ Advantages
■ High level of redundancy
■ Disadvantages
■ Very expensive
● Star
○ All nodes are connected to a central device such as a hub, switch, or router
○ Advantages
■ Few cables
■ Easy to deploy
■ Nodes can easily be added or removed



73

○ Disadvantages
■ The central piece is a single point of failure
● Unicast, Multicast, & Broadcast
○ Unicast
■ Send a packet to one person
○ Multicast
■ Send a packet to selected people
○ Broadcast
■ Send a packet to everybody
● Circuit-Switched Network
○ Dedicated circuit between end points
○ Endpoints have exclusive use of the circuit & bandwidth
○ Ex.
■ Telephones
● Packet-Switched Network
○ Do not use dedicated connections
○ Packets are transmitted on a shared network
○ Network devices find the best path
○ All packets (eventually) need to be in the correct order
■ Not every packet take the same path
● Virtual Circuits
○ Provides a connection between endpoints that acts as if it was a physical circuit
■ Permanent virtual circuit
■ The carrier configures the circuit’s routes
■ Switched virtual circuit
■ Configured dynamically by the routers
● Topology Concept
○ Carrier Sense Multiple Access
■ A protocol which uses the absence/presence of a signal on a medium as
permission to speak
■ Variations
■ CSMA/CA
■ Carrier Sense Multiple Access w/ Collision Avoidance



74

■Requires devices to announce transmitting by using a

jamming signal
■ CSMA/CD
■ Carrier Sense Multiple Access w/ Collision Detection
■ Listens for a carrier before transmitting data
■ Token Passing
■ Only one device may transmit at a time
■ Devices can only transmit if they possess the token
■ Ethernet (IEEE 802.3)
■ Played a major role of LANs in the 1980s
■ Supports coaxial cable, unshielded twisted pair, & fiber optics
■ Token Ring (IEEE 802.5)
■ Each device gets data from it neighbor upstream & passes it
downstream
■ Devices can only transmit when they have the ring
● FDDI
○ Fiber Distributed Data Interface
○ Token passing architecture using two rings
○ Information flows in opposite directions
● MPLS
○ Multiprotocol Label Switching
○ Offers mechanisms for packet traffic, & multi-service functionality
● Guidelines for MLPS
○ Site availability
○ End-to-End network availability
○ Provisioning
Lesson 6.4: DNS and LDAP (SC)

Skills Learned From This Lesson: DNS & LDAP, Commonly used ports & protocols
● DNS
○ Domain Name System
○ A hierarchical distributed naming system for any resource connected to the
internet or a private network



75

○ A global database, scalable, dynamic database that translates domain names to

IP addresses
○ Common domains
■ .com
■ .edu
■ .gov
■ .mil
● Resolver
○ A DNS client that sends DNS messages to obtain information about the
requested domain name space
● Recursion
○ The action taken when a DNS server is asked to query on behalf of a DNS
resolver
● Authoritative Server
○ A DNS server that responds to query messages w/ information stored in RRs for
a domain name space stored on the server
● Recursive resolver
○ A DNS server that recursively queries for the information asked in the DNS query
● FQDN
○ Fully Qualified Domain Name
○ The absolute name of a device w/in the distributed DNS database
● RR
○ Resource record
● Zone
○ A database that contains information about the domain name space stored on an
authoritative server
● DNS Attacks
○ DNS Denial-of-Service (DOS)
■ An attacker delivers traffic to the victim by reflecting it off of a third party
○ Query or Request Redirection
■ The DNS query is intercepted & modified in transit to the DNS server
■ Send user to wrong website
○ DNS Cache-Poisoning
■ Malicious data is injected into DNS servers



76

○ Zone Enumeration
■ Users use DNS diagnostic commands to learn about the websites
architecture
■ Common commands used
■ dig & nslookup
○ DNS Fast Flux
■ The ability to move distributed services to different computers quickly
■ Primarily used by botnets & phishing attacks
○ Registration of a domain takeover
■ Change of the authoritative DNS server
■ Attackers send back different IP addresses
○ DNS ports
■ 53/TCP
■ 53/UDP
● LDAP
○ Client/Server based directory for managing user information
○ Allows anyone to locate users, information, & resources on a network
○ Ports
■ 389/TCP
■ 389/UDP
● Services & Protocol
○ NetBIOS
■ A program which allows applications on different computers interact w/in
a LAN
■ Ports
■ 135 & 139/UDP, 137 & 138/TCP
○ NIS/NIS+
■ Network Information Service
■ Directory services used for managing user credentials in a group
of machines
■ Mostly used in UNIX
○ CIFS/SMB
■ Common Internet File System/Server Message Block
■ A file sharing protocol on Windows Systems



77

■ Ex.
1. xxvii.Scanning from a printer to a computer
● Ports
1. xxviii.445/TCP
● SMTP
○ Simple Mail Transfer Protocol
■ A client/server protocol utilized to route email on the internet
■ No authentication or encryption
■ Port
1. 25/TCP
● FTP
○ File Transfer Protocol
○ Uploading spreading information to the internet
■ Ports
■ 20 & 21/TCP
● TFTP
○ Trivial File Transfer Protocol
○ Simplified version of FTP
○ Use only on trusted networks
○ Port
■ 69/UDP
● HTTP
○ Hypertext Transfer Protocol
○ The foundational protocol of the web
○ Port
■ 80/TCP
Lesson 6.5: Telecommunications Technologies (SC)

Skills Learned From This Lesson: Telecommunications technologies
● IP Convergence
○ Using the Internet Protocol (IP) to transmit all of the information that transits a
network
○ Benefits



78

■ Excellent support for multimedia

■ Devices can be run in innovative ways
■ Easy to manage
■ Fewer components
■ Simplifies security management
● Enabling Technologies
○ iSCSI
■ Internet Small Computer System Interface
■ Facilitates data transfers over networks & manages storage over long
distance
■ Links data storage facilities
■ Doesn’t need cable
○ MPLS
■ Multi-Protocol Label Switching
■ Networking protocol for helping route packets from source to destination
■ The source router applies a “label” on how to get to the destination
■ Other routers just follow the label
○ VoIP
■ A technology that allows you to make voice calls over the internet instead
of a phone line
■ Video conferencing
■ Based on SIP
■ Session Initiation Protocol
■ Quality problems
■ UDP
■ “best effort”
■ Packet loss
■ The worse the sound quality, the more packets that are
being lost
■ Jitter
■ A variation of packet delays
■ Sequence errors
■ Packets are received
● SIP



79

○ Session Initiation Protocol

○ Responsible for setting up, maintaining, & tearing down voice connection
○ Manage multimedia connections
○ Supports encryptions & integrity
● Phone system communications
○ POTS
■ Plain Old Telephone Service
■ A bidirectional analog telephone designed to carry the sound of the
human voice
■ The “last mile” of residential & business telephone services
● PBX
○ Private Branch Exchange
■ An enterprise-class phone system typically used in businesses or large
organizations
■ Internal switching network
● Cellular
○ A network over a land area, served by a cell site
Lesson 6.6: Network Access Controls (SC)

Skills Learned From This Lesson: Network Access Controls, Hardware, Wired Transmission
● Network Access Controls

○ Boundary Router
■ Routers on the edge that advertise routes that external hosts can use to
reach internal hosts
■ Filter traffic
■ Prevents spoofing
○ Security perimeter
■ First line of protection between trusted & untrusted networks
■ Firewalls & IDS systems
○ Network Partitioning
■ Segments networks into different areas
○ Dual-homed host
■ Has two NICs on a separate network



80

○ Bastion host
■ A highly exposed device that will most likely be targeted for attacks
■ Usually placed on the public side of a firewall or DMZ area if there are two
firewalls
■ Focus on one application
■ Ex.
■ Mail server, DNS server, FTP server
● Network Access Technologies
○ DMZ
■ Demilitarized zone
■ Area between firewalls
■ Servers are placed here to give external hosts access to some
resources
● Hardware
○ Modems
■ Allows users to a network via analog phone lines
■ Converters between digital & analog signals
○ Multiplexers
■ Combine multiple signals into one signal to be transmitted on a network
○ Hubs and Repeaters
■ A device in which all other devices connect
■ Central piece in a star topology
■ Don’t let the hub become inoperable
○ Switches
■ Devices which connect network segments together
○ Bridges
■ Processes packets based on MAC addresses
■ Connects LANs w/ different media types
○ Routers
■ Receive & send packets throughout the network
● Wire Transmission Media
○ Considerations
■ Throughput
■ How much data is going to be sent through the wire?



81

■ Distance between devices

■ Data sensitivity
■ Is it okay that data is listened too?
■ Is it okay that data loses some clarity?
■ Environment
○ Twisted pair
■ Copper wires twisted together to reduce electromagnetic interference
■ Unshielded
■ Susceptible to interference
■ Covering over wire
■ Easily bent
■ Inexpensive
■ Shielded
■ Uses an electronically grounded shield to protect the signal
■ More bulky
■ Harder to bend
○ Coaxial cable
■ Uses a thick conductor that is surrounded by a grounding wire
■ Very thick & expensive
■ Used in cable TV
○ Fiber optic
■ Uses light pulses to transmit information down fiber lines instead of
electronic pulses
Lesson 6.7: Multimedia Services and Technologies (SC)

Skills Learned From This Lesson: Remote Access and Technologies, LAN Security, Virtual
LANs
● Multimedia Technologies
○ Peer-to-Peer Applications
■ Designed to open an uncontrolled channel through network boundaries
○ Remote Meeting
■ Web-based applications which allow individuals to meet virtually



82

■ Ex.
■ Skype, Zoom, Team Viewer
○Instant Messaging
■ Chat services that offer file exchange, video conversation, & screen
sharing
● Remote Access
○ VPN
■ Virtual Private Network
■ An encrypted tunnel between two hosts that allows them to
communicate over an untrusted network
■ Tunneling
■ A communication channel between two networks that is used to
transport another network protocol
■ Point-to-Point Tunneling (PPTP) & L2TP
■ RADIUS
■ Remote Authentication Dial-In User Service
■ Authentication protocol used in network environments for single
sign-on for network devices
■ SNMP
■ Simple Network Management Protocol
■ Consists of a server & a client installed on devices which can be
used to retrieve & set values
■ Ports
■ 161/TCP & UDP
■ 162/TCP & UDP
■ TCP/IP Terminal Emulation Protocol (Telnet)
■ Command line protocol which gives command line access
■ Very Risky!!
■ Disable unless you absolutely need it
● LAN-Based Security
○ Control Plane
■ Where forwarding & routing decisions are made
■ Exchange information w/ neighbors
○ Data Plane



83

■ Where the action takes place

■ Carries out the commands of the control plane
■ Forwarding & routing tables
● Virtual LANs
○ A set of workstations w/in a LAN that communicate if they were on a single LAN
■ Logical boundaries over a physical network
○ Advantages
■ Performance
■ Flexibility
■ Virtual workgroups
■ Partitioning resources
○ VLAN Hopping
■ Devices on VLANs gaining access to traffic on other VLANs
● Secure Device Management
○ MACsec
■ Media Access Control Security
■ Provides point-to-point security on Ethernet links between directly
connected nodes
■ Uses matching security keys at the end of each link
■ Can support data integrity & encryption
○ SSH
■ Secure Shell
■ A network protocol which allows a person to operate devices
securely over an unsecure network
■ Protects the integrity of communication
■ Includes remote log-on, file transfer, & command execution
○ DNSSEC
■ A sequence of records that identify either a public key or a signature of a
set of records
■ Provides a way for DNS records to be trusted
Lesson 6.8: Network Based Security Devices (SC)

Skills Learned From This Lesson: Network Based Attacks, Wireless Technologies



84

● Firewalls
○ A gateway protection device
■ Enforces administrative policies
○ Filter by a rule set
■ By address or by service
○ NAT
■ Network Address Translation
■ Changing the source IP of outgoing traffic
■ Gives anonymity
● Proxies
○ Mediates communications between untrusted endpoints & trusted endpoints
○ Proxy types
■ Circuit
■ Allows trusted hosts to talk w/ untrusted ones
■ Application-Level
■ Relays information between a trusted endpoint & an untrusted one
w/ a specific application
● Denial-of-Service
○ An attack which denies services to a computer by overloading it w/ traffic
○ Types
■ Volume Based attack
■ Protocol attack
■ Application Layer attack
○ Common attack types
■ Syn Flooding
■ An attack against the initial handshake in a TCP connection
■ Smurf
■ Misuses ICMP echo requests
■ Fraggle
■ Misuses UDP echo traffic
● Spoofing
○ The act of impersonating someone, even if you are not
○ Most common spoofing types



85

■ IP address
■ Email
■ DNS
● Wireless Technologies
○ Most common
■ Wi-Fi
■ Bluetooth
■ Cellular
○ Disadvantage
■ Transmission security of wireless networks
■ Wireless networks are only as strong as their authentication
methods & protocols
● Wireless Security Methods and Issues
○ Open System Authentication
■ The default authentication protocol for the 802.11 standard
○ WEP
■ Wired Equivalent Privacy Protocol
■ A basic security feature in 802.11
■ Insecure
■ Shouldn’t be used
○ WPA and WPA2
■ Wi-Fi Protected Access
■ Improves user authentication & data encryption
● Wireless Security Attacks
○ Parking lot
■ Attackers sit near an organization & try to access internal hosts via the
wireless network
○ Shared key authentication flaw
■ A passive attack that allows eavesdropping on both the challenge &
response
○ SSID flaw
■ Service set identifier
■ Attackers can attack access points due to default configuration



86

Domain 7: Systems and Application Security

Lesson 7.1: Triad – Applicability to Malcode (SC)
Skills Learned From This Lesson: Applications with malware
● CIA Triad: Applicability to Malcode

○ Confidentiality
■ Malware infects a computer & gives an attacker sensitive information
○ Integrity
■ Malware infects a computer & payloads are dropped
○ Availability
■ Malware denies other people access to a computer
● Malware Naming Standards
○ No international standard for malcode naming conventions
○ CARO
■ Computer Antivirus Research Organization
■ Established to help organize & classify malicious code
■ Classification
■ Platform.Type.Family_Name.Variant[:Modifier]@Suffix
● Malware Types
○ Vector
■ How the transmission of malware happens
○ Payload
■ Primary action of a malicious code attack
○ Virus
■ Malicious software which infects a host file
○ Logic Bomb
■ Malware that executes when conditions are met
○ Worm
■ Malware that clones itself in order to spread
○ Trojan
■ Malware which pretends it is something it is not
● Rootkits
○ Malware which maintains elevated privileges on a computer by being stealthy
○ Types



87

■ Persistent-mode
■ Activates every time the system starts
■ Memory-based
■ No persistent code
■ User-mode
■ System hooks in the user or application space
■ Kernel-mode
■ Gives same privileges as an admin
● Scanners
○ Work to detect & remove malicious code
○ First Generation
■ Simple scanners
■ Malware signature required
○ Second Generation
■ Heuristic scanners
○ Third Generation
■ Activity traps
○ Fourth Generation
■ Full-featured protection
● Malware Countermeasures
○ Code signing
■ Confirms the authenticity & integrity of software through the use of digital
signatures
○ Sandboxing
■ An isolated environment where suspicious code can be executed to see
how it will react
○ Static code analysis
■ Code is looked at to find security errors which cannot be detected w/
compilers
Lesson 7.2: Vectors Infection (SC)

Skills Learned From This Lesson: Vectors of Infection



88

● Social Engineering
○ Methods which an attacker can use to trick a victim into doing things or giving
information
○ Examples
■ Baiting
■ Attracting victims by dangling something in front of them
■ Vishing
■ Uses an IVR system trick victims into giving passwords
■ Pretexting
■ Someone impersonates an authority figure
■ Quid Pro Quo
■ A request for information in exchange for compensation
■ Tailgating
■ Someone follows you into a restricted area
● File Extensions
○ Can be up to 255 characters long
○ Only the last file extension counts
○ File icons can be changed too
● Insider Threats
○ Patterns
■ Remote access at odd times
■ Unnecessarily copying material
■ Works odd hours w/o authorization
○ Countermeasures
■ Monitor logs & accounts
■ Control external access & data downloads
■ Protect critical information
● Phishing
○ The attempt to acquire sensitive information by masquerading as a trustworthy
entity
■ Common types
■ General phishing
■ Spear phishing



89

■ Most phishing is through email

● Bots
○ Botnet
■ An army of compromised machines that are under the command & control
of a bot master
■ Exploits
■ DDOS
■ Spyware
■ Identity Theft
■ Adware
■ Email Spam
■ Phishing
■ Mitigation
■ Data monitoring
■ Anomaly detection
Lesson 7.3: Malicious Web Activity (SC)

Skills Learned From This Lesson: Web Attacks, Malicious Activity Countermeasures, Analysis of
Malware, Malware Mitigation
● Attacks
○ XSS
■ Cross-Site Scripting
■ A vulnerability is found on a website that allows an attacker to inject
malicious code into an application
○ Zero-Day Exploits
■ An attack that exploits a previously unknown vulnerability
○ APT
■ Advanced Persistent Threats
■ Uses multiple phases to break in, avoid detection, and collect information
for a long period of time
■ The Five Stages of ATP attack
■ Reconnaissance
■ Incursion



90

■ Discovery
■ Capture
■ Exfiltration
○ Brute Force
■ The act of trying every possible combination of passwords until the
correct one is found
● Payloads
○ Backdoor Trojans
■ Programs that share the primary functionality of enabling a remote
attacker to have access to a compromised computer
○ Man-in-the-Middle Malcode
■ An attacker gets in the middle of a conversation between parties & gains
access to the information they were trying to send to each other
● Malicious Activity Countermeasures
○ Third party certifications: use products which are certified by third party
■ AV-TEST
○ Inspection of processes
■ Look for new or unexpected processes
■ Explorer.exe
○ Inspection of Windows Registry
■ Database that stores OS settings
● Behavioral Analysis of Malware
○ Static file analysis
■ Looking at file details & characteristics to identify & investigate code
■ File properties
■ File size & time stamp
■ Hash
■ Determines if a file has been modified
■ Hex editor
■ Looks at bits of a file to see information
○ Virtual environments
● Malware mitigation
○ Strategic
■ Management support



91

■ Defense-in-depth
■ Incident Response teams (CERT)
○ Tactical
■ Hardening systems
■ Backing up data
■ Using security tools
Lesson 7.4: Cloud Security (SC)

Skills Learned From This Lesson: Cloud Characteristics, Virtualization, Data Storage, Data Loss
Prevention
● Essential Characteristics
○ On-Demand self service
○ Broad network access
■ Able to access cloud anywhere around the world
○ Resource pooling
○ Rapid elasticity
■ Set and get more resources in cloud, as soon as possible
○ Measured service
● Deployment Models
○ Public
■ Open for used by the public
■ Ex.
■ Amazon, Microsoft, Google
○ Private
■ Use for a single organization
○ Hybrid
■ Combines two or more different cloud infrastructures
○ Community
■ Used by a group of organizations that have shared concerns
● Service Models
○ SaaS
■ Software as a Service



92

■ Directed toward End Users

■ Applications are run on the cloud
■ Hosted Application Management (hosted AM)
■ Software on Demand
○ PaaS
■ Platform as a Service
■ Mainly for Developers
■ Capability for the user to develop applications on the cloud
○ IaaS
■ Infrastructure as a Service
■ Mainly used for IT professional
■ Fundamental resources are available for the user to run applications
● Virtualization
○ The foundation for a scalable cloud & the first step for building infrastructure
○ Hypervisor
■ A piece of software, hardware, or firmware that runs virtual machines
■ Type 1: Native or Bare-Metal
■ Type 2: Hosted
○ Types of virtualization
■ Server virtualization
■ Multiple OS can run on one server
■ Network virtualization
■ Reproduction of a physical network in software
■ Desktop virtualization
■ Deploying desktops
● Types of Virtualization
○ Server virtualization
■ Multiple OS can run on one server
○ Network virtualization
■ Reproduction of a physical network in software
○ Desktop virtualization
■ Deploying Desktops
○ Application virtualization
■ Applications as a managed service



93

○ Storage virulization
■ Abstract disks & flash drives
● Legal & Privacy concerns
○ Applicable law
■ Determines the legal regime applicable to a certain matter
○ Jurisdiction
■ Determines the ability of a national court to decide a case or enforce a
judgement or order
● Cloud Storage
○ IaaS
■ Infrastructure as a Service
■ Volume storage
■ A virtual hard drive
■ Object storage
■ A file share accessed via APIs or web interface
○ PaaS
■ Platform as a Service
■ Structured
■ Information w/ a high degree of organization
■ Unstructured
■ Information that does not reside in a database
○ SaaS
■ Software as a Service
■ Information Storage & Management
■ Utilizes databases
■ Content/File Storage
■ Utilizes object/volume storage
● Data Loss Prevention
○ Cloud storage is subject to leakage
■ Administrator access
■ Configuration changes
■ Lack of controls
○ DLP attempts to protect the data through
■ Discovery & classification



94

■ Monitoring
■ Enforcement
Lesson 7.5: Encryption in the Cloud (SC)

Skills Learned From This Lesson: Cloud Encryption, Data Protection, Software Defined Network
● Cloud Encryption
○ Encryption implementation at various phases
■ Data in motion
■ IPSEC
■ VPN
■ TLS/SSL
■ Data in rest
■ Data in use
○ Components of cloud encryption
■ Data which needs to be encrypted
■ Encryption engine
■ Encrypting keys
● Data Encryption in IaaS
○ It is necessary to be responsible for encryption in IaaS
○ Volume Storage Encryption
■ Instance based
■ The encryption engine is located in the instance
■ Proxy-Based
■ Encryption is used on a proxy appliance
○ Object Storage Encryption
■ File-level encryption
■ Files are encrypted
■ Application-Level Encryption
■ Encryption engine is in the application
● Other Approaches to Data Protection
○ Data Masking/Obfuscation
■ Random Substitution



95

■ A value is replaced w/ a random value

■ Shuffle
■ Moves order of values
■ Masking
■ Hiding certain parts of the data
■ Ex. xxxx xxxx xx98 6346
■ Deletion
■ Removing the data
○ Data Anonymization
■ Personal information is removed
○ Tokenization
■ Substituting a sensitive data element for a non-sensitive one
● Virtual Environments
○ Software-Defined Network
■ Centralized network control by separating controls to computer resources
■ Controllers
■ The “brains” of the network
■ Southbound APIs
■ Relay information to routers & switches
■ Northbound APIs
■ Send information to applications



96

SSCP Study Guide: Access Control and Security Models

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SSCP Study Guide: Access Control and Security Models

Uploaded by

Copyright:

Available Formats

SSCP Study Guide

Domain 1: ​Access Control

● Access Control Fundamental Concepts

● Attribute-Based Access Control​: An access control method where the subject

Lesson 1.2: Security Models (SC)

● Bell-LaPadula model: Is used mostly in government or military institutions.

One example​: John from the FBI has “Secret” clearance

Lesson 1.3: Authentication Mechanisms (SC)

WARNING​: Knowledge based authentication is insecure and difficult to keep safe.

■ Challenge Response Token​: The authentication server encrypts a

● Types of smart cards are:

● Biometric Implementation Issues:

WARNING: TYPE II ERRORS IS MORE DANGEROUS THAN TYPE I

Remember​: Authentication consists of three categories

● Something you know

Multi Factor Authentication​: Any two or three of the categories

● Something you know

● Something you know

Multi Factor Authentication​: Using a password and a smartcard

● Using a password is something you know

NOT Multifactor Authentication​: Using a retina scan and voice recognition

● These are both something you are.

Authentication with Kerberos​ is designed to provide strong authentication using secret-key

● Provides support for Authentication, Authorization, Confidentiality, Integrity and

Authorization​: What a user can do once they have been authenticated

Lesson 1.4: ​Trust Architectures​ (SC)

Domain 2: ​Security Operations

Lesson 2.1: Code of Ethics (SC)

● Code of Ethics:​ Is the absolute standard of professionalism, and the necessary

● Consequences​ of integrity is not enforced. Which includes calculation errors and

● Availability: ​Being able to access information when you need it.

Availability is defined in the form of

■ Overview of Public key Infrastructure: Think of two keys, ​Key A

Lesson 2.2: Security Architecture (SC)

● Defense-In-Depth: Implementation of multiple controls so that successful penetration

■ Within the three categories of Management, Technical, and

● System Security Plan: ​A comprehensive document that details the security

○ Authorizing Official: A manager or a senior executive with the authority to assume

Lesson 2.3: Secure Development and Acquisition Lifecycle (SC)

How to securely design computer systems. A secure development reduces system

● Waterfall Methodology​ – Used in most organization world-wide. How it works, it starts

■ Security Requirements are defined

● Rapid Application Development (RAD)​ – Designed to quickly build user interface

Exposing applications, infrastructure information to external abusers creates the opportunities

● System Vulnerabilities and Secure Development​ – The Open Web Application

● Guidelines exist for developers in the following areas:

Disallow Dynamic Queries

● Check it out!​ ​https://www.owasp.org/index.php/Main_Page

1. Four device management capabilities:

Lesson 2.4: Data (SC)

● Data Management​ – The development, execution and supervision of plans, policies,

● Secure information Storage​ – Encryption with respect to

● Managing Encryption keys (Key management)​ refers to a set of systems and

● Shredding ​– Cutting documents into tiny pieces

Lesson 2.5: Data Leakage Prevention (SC)

● Data Leakage Prevention (DLP)

○ Maintain integrity of data

■ Description of security controls used to protect the integrity of the

Lesson 2.6: Policy Document Format (SC)

● Policy Document Format

■ Why is this procedure being performed?

Lesson 2.7: Management (SC)

■ Formal procedures adopted by an organization to ensure that all

Domain 1: Access Control

● Attribute-Based Access Control: An access control method where the subject

One example: John from the FBI has “Secret” clearance

WARNING: Knowledge based authentication is insecure and difficult to keep safe.

■ Challenge Response Token: The authentication server encrypts a

Remember: Authentication consists of three categories

Multi Factor Authentication: Any two or three of the categories

Multi Factor Authentication: Using a password and a smartcard

NOT Multifactor Authentication: Using a retina scan and voice recognition

Authentication with Kerberos is designed to provide strong authentication using secret-key

Authorization: What a user can do once they have been authenticated

Lesson 1.4: Trust Architectures (SC)

Domain 2: Security Operations

● Code of Ethics: Is the absolute standard of professionalism, and the necessary

● Consequences of integrity is not enforced. Which includes calculation errors and

● Availability: Being able to access information when you need it.

■ Overview of Public key Infrastructure: Think of two keys, Key A

● System Security Plan: A comprehensive document that details the security

● Waterfall Methodology – Used in most organization world-wide. How it works, it starts

● Rapid Application Development (RAD) – Designed to quickly build user interface

● System Vulnerabilities and Secure Development – The Open Web Application

● Check it out! https://www.owasp.org/index.php/Main_Page

● Data Management – The development, execution and supervision of plans, policies,

● Secure information Storage – Encryption with respect to

● Managing Encryption keys (Key management) refers to a set of systems and

● Shredding – Cutting documents into tiny pieces

Domain 3: Risk Identification, Monitoring, and Analysis

Domain 4: Incident Response and Recovery

Domain 6: Networks and Communications Security

The 7 Layers of OSI The OSI Model

Domain 7: Systems and Application Security