Brought to you by: Develop your team with the fastest growing catalog in the
cybersecurity industry. Enterprise-grade workforce development
management, advanced training features and detailed skill gap and
competency analytics.
○ Role-Based Access Control: Access decisions are based on the roles that
individual users hold within an organization.
■ People in a given department can only access information that pertains
to that department.
● Content-Dependent Access Control: Works by permitting or denying subjects access to
objects based on the content within the object.
○ Concerns itself only with what (the information) is inside the object.
● Context-Based Access Control: Concerned only with the context or sequence of events
surrounding the access attempt (for example, the state of the session or which requests preceded it).
● Time-Based Access Control: Applies a time limitation to when a given role can be
activated for a given access control subject.
○ Only allow users to access information between 9 AM and 5 PM.
● Mandatory Access Control: Subjects are given clearance labels and objects are given
sensitivity labels. Access rights are granted based on a comparison of the subject's clearance
label with the object's sensitivity label; the system, not the object's owner, makes the decision.
○ Implements the concept of "Need to Know"
■ Clearance labels (lowest to highest): Confidential, Secret and Top Secret.
■ Objects: Have sensitivity labels, and access rights are given depending
on the comparison.
IMPORTANT: It is a common mistake to get these confused so know the difference.
● (In this example John holds a Secret clearance.)
● File A is labeled "Top Secret". John cannot read File A (no read up): with a Secret
clearance, John can't read anything above the Secret level.
● File B is labeled "Confidential". John can read File B, but can't write to it (no write
down).
● File C is labeled "Secret". John can read File C and, because it is at his own level, can
also write to it; the "no write down" rule only blocks writing to objects labeled below the
subject's clearance.
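The label comparison described above, as an added example that is not part of the original notes. The ordering of the three labels and the John example come from the notes; the `Level` enum, the function names and John's Secret clearance (implied by the notes) are assumptions for illustration. Note that pure Bell-LaPadula permits a "blind" write up (John may write to File A without being able to read it); real systems often add an integrity rule on top.

```python
"""Label-based mandatory access control (Bell-LaPadula style) check.

Added example for these study notes, not code from the original page.
The Level names follow the notes; everything else is an assumption.
"""
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity / clearance labels, ordered from lowest to highest."""
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def can_read(clearance: Level, sensitivity: Level) -> bool:
    """Simple security property: no read up.

    A subject may read an object only if its clearance dominates
    (is at least) the object's sensitivity label.
    """
    return clearance >= sensitivity


def can_write(clearance: Level, sensitivity: Level) -> bool:
    """Star (*) property: no write down.

    A subject may write to an object only if the object's label is at or
    above the subject's clearance, so information never flows downward.
    Writing at the subject's own level is permitted.
    """
    return sensitivity >= clearance


def decide(clearance: Level, sensitivity: Level, action: str) -> bool:
    """Reference-monitor style decision for a single access request."""
    if action == "read":
        return can_read(clearance, sensitivity)
    if action == "write":
        return can_write(clearance, sensitivity)
    raise ValueError(f"unknown action {action!r}")


# Worked example from the notes. Assumption: John holds a Secret clearance.
JOHN = Level.SECRET
FILES = {
    "File A": Level.TOP_SECRET,
    "File B": Level.CONFIDENTIAL,
    "File C": Level.SECRET,
}


def john_access_matrix() -> dict:
    """Return {file name: {"read": bool, "write": bool}} for John."""
    return {
        name: {
            "read": decide(JOHN, label, "read"),
            "write": decide(JOHN, label, "write"),
        }
        for name, label in FILES.items()
    }


if __name__ == "__main__":
    for name, perms in john_access_matrix().items():
        print(f"{name}: {perms}")
```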
● Identification: (Who is the subject?) Asserts a unique user or process identity and
provides for accountability.
○ A person claims they are somebody and they need access to a certain system.
■ The most common types of identification are: user ID, PIN, account number.
● Authentication: (Proof of Identity) The process of verifying that the identity presented
to the access control system belongs to the party that presented it. It is the action of a
person proving they are who they say they are.
● The (3) main kinds of authentication factors:
● Knowledge-based authentication
● Something you know: passwords, PINs, etc.
● A physical device (smart cards and tokens) which the user has in their possession
○ Something you have
● Types of tokens:
■ Static password token: The device contains a password that is
physically hidden (not visible to the possessor) but that is transmitted for
each authentication.
■ There is a password stored inside the token; when a person wants to
be authenticated, the token sends that password to the server. The
person never sees the password. Because the same value is sent every
time, anyone who captures it in transit or steals the token can replay it.
■ Synchronous Password Token: A clock is used to rotate
through the values produced by a cryptographic algorithm. The
token and the authentication server must have synchronized clocks.
■ The current clock time is combined with the secret stored in the token
through a cryptographic algorithm to create a different password for
each time step. This only works if the token and the server keep the
same time. The token reads its own internal clock (the server does not
send it the time), combines the secret with the time, and the user
submits the resulting value; the server independently performs the
same computation with its own clock and compares the results.
Servers usually accept a small window of adjacent time steps to
tolerate clock drift.
■ Asynchronous Password Token: A one-time password is generated
without the use of a clock, from either a one-time pad or a cryptographic
algorithm (challenge-response).
■ Step 1: A challenge value is displayed on the computer.
Step 2: The user enters the challenge value into the token device.
Step 3: The token device combines it with the secret it holds and displays
the response to the person.
Step 4: The person then types that response into the computer.
Step 5: The computer sends it to the server; if the response matches what the
server computed for that challenge, authentication succeeds.
Remember: In one common form of challenge-response, the server sends an encrypted value to the token,
the token decrypts it with its secret and sends the result back to the server, which checks it.
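Both token types described above, simulated in software as an added example that is not part of the original notes. The HMAC-SHA1 one-time-password core, the 30-second time step, 6-digit codes and the ±1 step tolerance window are assumptions that mirror common TOTP/HOTP practice; the shared secret is the RFC 4226 test-vector secret, embedded here as constructed demo input. The point the code makes is that the synchronous token never receives the time from the server: each side computes from its own clock.

```python
"""Synchronous (time-based) and asynchronous (challenge-response) OTP tokens.

Added example for these study notes, not code from the original page.
The HMAC construction, step size, digit count and window are assumptions.
"""
import hashlib
import hmac
import secrets
import struct

# Constructed demo secret (the ASCII string "12345678901234567890" from RFC 4226).
SHARED_SECRET = bytes.fromhex("3132333435363738393031323334353637383930")
STEP_SECONDS = 30
DIGITS = 6


def _hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based OTP core with dynamic truncation; used by both token types."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# --- Synchronous token: secret + own clock ---------------------------------
def sync_token_code(secret: bytes, now: int) -> str:
    """What the token displays for the current time step (token's own clock)."""
    return _hotp(secret, now // STEP_SECONDS)


def sync_server_verify(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Server side: recompute from its own clock, accept +/- `window` steps of drift."""
    step = now // STEP_SECONDS
    return any(
        hmac.compare_digest(_hotp(secret, step + d), code)
        for d in range(-window, window + 1)
    )


# --- Asynchronous token: challenge-response, no clock -----------------------
def async_server_challenge() -> int:
    """Step 1: the server issues a fresh random challenge shown on screen."""
    return secrets.randbits(64)


def async_token_response(secret: bytes, challenge: int) -> str:
    """Steps 2-3: the user keys the challenge into the token; it combines the
    challenge with its secret and displays the response."""
    return _hotp(secret, challenge)


def async_server_verify(secret: bytes, challenge: int, response: str) -> bool:
    """Steps 4-5: the server recomputes the expected response for that challenge."""
    return hmac.compare_digest(_hotp(secret, challenge), response)


if __name__ == "__main__":
    t = 1_700_000_000
    code = sync_token_code(SHARED_SECRET, t)
    print("sync code:", code, "accepted 20s later:", sync_server_verify(SHARED_SECRET, code, t + 20))
    ch = async_server_challenge()
    resp = async_token_response(SHARED_SECRET, ch)
    print("challenge:", ch, "response:", resp, "accepted:", async_server_verify(SHARED_SECRET, ch, resp))
```

The window in `sync_server_verify` is the practical answer to clock drift; a token whose clock has drifted further than the window will be rejected until it is resynchronized, which is why the notes insist both sides keep the same time.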
WARNING: Your signature can change depending on circumstances and time, so signature dynamics is not
always the most accurate of biometric readers.
● Voice pattern recognition (the way you speak): Works by creating a collection of
unique characteristics of the subject's voice. The subject then speaks, and the voices are
compared.
WARNING: Your voice can change with circumstances and time, so this is not the most
accurate form of authentication. There is a high probability of error.
● Keystroke dynamics (the way you type on a keyboard): Measures the keystrokes of the
subject as they type in their username and password.
○ The length of time each key is held down
○ The length of time between keystrokes
○ The typing speed
○ The tendency to switch between the numeric keypad and the keyboard number row
○ The keystroke tendencies involved in capitalization
● Physiological Biometrics: Things you are born with
○ Consist of the following recognition technologies
● Fingerprints: Creates a geometric relationship of 30-40 points on the finger.
● Hand: Based on the location of several key points on the hand and fingers.
○ Length of fingers, position of knuckles, and dimensions of hands and fingers are used to
determine who you are.
● Vascular: The ultimate palm reader; best described as an image of the veins in the
subject's hand
○ Unique to the individual and does not change
● Eye: One of the oldest and most accurate biometric authentication mechanisms.
○ Only (2) kinds of eye scans:
■ Retina scan
■ Iris scan
● Facial Recognition: Uses a geometric model of 14-22 characteristics to perform
recognition
○ Different points represent different features on the grid of your face. Once that is
transferred to the computer system, it looks through its database of facial
templates to find the one that best matches.
Dual Control: Requiring two people to perform an action. Closely related to "split knowledge",
where no single person holds all of the information (for example, a complete key) needed to perform it.
Single sign-on: An authentication mechanism that allows a single identity to be shared across
multiple applications. It allows a user to authenticate once and gain access to multiple resources.
● Example: Google
● Authorization: Dictates what a person can or cannot do once they have been authenticated, as
decided by the authorization table.
● Trust Architecture
● Intranet: A localized network belonging to an organization.
● Extranet: A computer network that allows controlled access from the outside
for specific business or educational purposes.
● DMZ: This architecture sits between the Internet and the internal network (intranet). It prevents
outside users from getting direct access to a server that holds company data.
● Internet: A global system of interconnected computer networks that use the TCP/IP
suite to link devices all around the world.
● Trust: The belief in the security of a connection between domains
● Trust Path: A series of trust relationships that authentication requests must follow
between domains. (Not to be confused with a trusted path, which is a software channel used for
communication between a user or process and the system that cannot be circumvented or spoofed.)
● There are (3) kinds of trust:
○ One-Way trust (trust goes in one direction): Domain A has access to Domain
B, but Domain B has no access to Domain A.
○ Two-Way trust (trust goes in both directions): Domain A has access to
Domain B and Domain B has access to Domain A.
○ Trust Transitivity: Determines whether a trust can be extended beyond the two
domains between which it was established. If Domain A has access to Domain
B and Domain B has access to Domain C, and both trusts are transitive, then Domain A has
access to Domain C through Domain B without a direct trust between A and C. A
non-transitive trust stops at the two domains that hold it.
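The three kinds of trust above, modeled as a directed graph, as an added example that is not part of the original notes. The domain names A, B and C follow the notes' example; the fourth domain D, the per-trust `transitive` flag and the search routine are assumptions for illustration. Edges are stored in the access direction the notes use ("A has access to B" is the edge A -> B), and an indirect path is honoured only if every hop on it is transitive.

```python
"""Domain trust relationships as a directed graph.

Added example for these study notes, not code from the original page.
Domain D and the edge/flag representation are assumptions.
"""
from collections import deque


class TrustGraph:
    """An edge (src, dst) means subjects of `src` have access to `dst`."""

    def __init__(self) -> None:
        self._edges = {}  # (src, dst) -> transitive flag

    def one_way(self, src: str, dst: str, transitive: bool = True) -> None:
        """src has access to dst; dst gets nothing in return."""
        self._edges[(src, dst)] = transitive

    def two_way(self, a: str, b: str, transitive: bool = True) -> None:
        """Access flows in both directions."""
        self.one_way(a, b, transitive)
        self.one_way(b, a, transitive)

    def can_access(self, src: str, dst: str) -> bool:
        """True if src reaches dst directly, or through a chain in which every
        hop is a transitive trust. A non-transitive trust cannot be extended
        past the two domains that hold it."""
        if src == dst or (src, dst) in self._edges:
            return True
        seen = {src}
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            for (s, d), transitive in self._edges.items():
                if s != cur or not transitive or d in seen:
                    continue
                if d == dst:
                    return True
                seen.add(d)
                queue.append(d)
        return False


def example() -> dict:
    """Build the notes' A-B-C scenario (plus an assumed non-transitive B-D trust)
    and report who can reach whom."""
    g = TrustGraph()
    g.one_way("A", "B")                    # one-way, transitive
    g.one_way("B", "C")                    # one-way, transitive
    g.one_way("B", "D", transitive=False)  # assumed: external, non-transitive trust
    return {
        "A->C": g.can_access("A", "C"),  # reachable through B
        "C->A": g.can_access("C", "A"),  # one-way trusts do not reverse
        "B->D": g.can_access("B", "D"),  # direct trust, transitivity irrelevant
        "A->D": g.can_access("A", "D"),  # blocked: B->D is non-transitive
    }


if __name__ == "__main__":
    for pair, ok in example().items():
        print(pair, "allowed" if ok else "denied")
```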
● Identity Management Life Cycle: There are five areas that make up this life cycle,
which manage the users and people who are part of an organization.
● Authorization: Determines whether a user is permitted to access a resource.
● Proofing: Verifies people's identities before they are issued accounts and credentials.
● Provisioning: Automation of the procedures and tools used to create, change and remove
accounts and their access.
● Maintenance: Comprised of user management, password management, and role/group
management.
● Entitlement: A set of rules for managing access to a resource and for what purpose.
There are serious consequences for any violations of conduct; you are subject to disciplinary action
by the ISC2 Ethics Committee. Your SSCP could be revoked!
● CIA Triad and Beyond: The main principle of cybersecurity; it is the fundamental thing
in cybersecurity, and everything can be traced back to the CIA Triad.
● Three major components of the CIA Triad:
○ Confidentiality: Information is made available on a need-to-know basis. This is
dictated by the organization's policies and principles.
● If confidentiality is breached you will find legal trouble and loss of confidence.
● Confidentiality supports the principle of Least Privilege: only the access needed to do your job.
● Information is kept confidential using access control systems and security models.
(Review Domain 1)
○ The most important aspect of information security
● Integrity: The way that information is recorded, used and maintained. Keeping the data
pure and not allowing it to be tarnished is the main job of integrity.
● The key to ensuring integrity is always to have knowledge of the state of the information.
(Create a baseline of what the data should look like on a normal basis. Once you have
this baseline, check the data against it at any given time. If the
conditions of the data are the same in both the baseline and the current state, then
integrity is maintained. If they differ, integrity has not been maintained.)
● It is impossible to talk about integrity without reflecting on the Sarbanes-Oxley Act.
This act mandates controls over financial reporting. Integrity is dictated by laws
and regulations.
● Availability: Information and systems are accessible to authorized users when needed.
● SLAs: Service Level Agreements, which specify the amount of uptime that a system is
guaranteed.
● RTOs: Recovery Time Objective, which focuses on, once the system or data is unavailable,
the maximum period allowed before it must be resumed and available again.
● RAID: Redundant Array of Independent Disks, which keeps data available when a single
disk fails by spreading or mirroring it across several disks. RAID is redundancy, not a
backup: a deletion, corruption or ransomware encryption is written to every disk in the
array, so separate backups are still required.
● Consequences: include service interruption and loss of revenue.
(BEYOND)
● Non-Repudiation: A service that ensures the sender of a message cannot deny having sent it
and that the integrity of the message is intact.
■ This is accomplished through digital signatures and public key
infrastructure.
● Best Practices: A defined method that has been tested and proven to consistently
lead to a desired result.
● There are "best practices" for every aspect of cybersecurity.
○ Email security
○ Web security, etc.
● Best practices are flexible enough to be modeled for your organization.
● Most important is to address the needs of your organization first.
● Security Architecture: The practice of designing a framework for the structure and
function of all information security systems and practices in the organization.
● Components of a Security Architecture are:
● Authorization: Determines what a person can do once authenticated; it is the third
step in the access control process (after identification and authentication).
○ Authorization records are kept for validation purposes: these records are used to
determine whether the process of accessing data is working as intended, and
for detecting breaches and preserving forensic evidence.
● Accountability: A principle that ties authorized users to their actions.
○ This is enforced through user accounts and event logs. (Always protect your
credentials from unauthorized use.) Even if it was not you, an action performed with
your credentials will be traced back to you.
● Separation of Duties: A security mechanism for preventing fraud and unauthorized use
that requires two or more individuals to complete a task or perform a specific function.
● A task is broken up into two separate parts and two people are required to
complete the entire task.
● A key concept of internal control: If a person submits a request to look at a document,
they cannot be the same person who approves that request. (One person requests access and
the other person approves it.)
● Used together with dual control, mandatory vacation, and job rotation. Under dual control,
two people must simultaneously participate to allow access.
● Controls: Safeguards and countermeasures that are implemented to mitigate, lessen, or
avoid a risk.
● Three categories of controls:
■ Management: Based on the management of risk and the
management of information system security. Controls created by
people which exist in the form of policies and procedures.
■ Technical: Controls that are executed through mechanisms
contained in the hardware, software and firmware of the
components of the system. The human only sets them up and the
system does the rest. (ex. access controls)
■ Operational: Primarily implemented and executed by people (ex.
personnel security), such as a security guard verifying badges to
make sure no unauthorized person gets into the organization.
To physically and actively participate in the development of a system, it is important for the
practitioner to know and understand how these systems are developed. The most widely known
development model is the waterfall method.
● Spiral method: Very similar to the waterfall method in that it has the same (six) steps,
starting from requirements down to maintenance. What makes this method
unique is a loop (Plan-Do-Check-Act, PDCA) that is repeated as many times as needed in each step
until that step is thoroughly completed.
○ (Steps 1-6) Requirements are gathered, everything is written down, then checked
to make sure it is all there, then acted upon. If the loop needs
to be done again, it is; if not, the system design can be started.
● Authentication
● Authorization
● Session Management
● Encryption of Sensitive Data
● Input Validation
● Hardware / Software
○ IT Asset Management (ITAM) – Process of collecting Inventory, Financial, and
contractual data to manage the IT asset throughout its life cycle.
● Data Scrubbing (data masking): Using security controls to protect the confidentiality of
production data when copying it for use in testing. This is accomplished by overwriting sensitive
data values with meaningless ones.
● Data Deduplication: Makes the data smaller. The process scans the entire
collection of information looking for identical chunks of data that can be consolidated.
Data needs to be protected. The way it is best protected is to have it encrypted. To encrypt and
decrypt data you need encryption keys and decryption keys. These keys are only as effective as
the organization's ability to securely manage them.
● Roles and responsibilities: Who has access to the keys and who can use the
keys.
● Key generation: How the keys are generated, through random number
generators, using the key lengths the system requires and making sure they are sufficiently
random so they cannot be guessed.
● Distribution: How keys are given to other parties, and how the recipients are authorized and
authenticated.
● Expiration: Make sure the keys are deactivated and discarded when they are no
longer needed or after a certain period of time.
● Revocation and Destruction: Getting rid of keys that have been compromised or are no
longer valid.
● Audit and Tracking: All key management operations should be written down
in event logs or records so that unauthorized access and modification can be detected.
● Emergency Management: A key management policy which specifies emergency
replacement and revocation of encryption keys.
● Information Rights Management (IRM): Assigns specific properties to an object, such as
how long the object may exist and who/what may access it.
● Data Retention and Disposal: Once data has reached the end of its retention period, it is
important to dispose of it so that it can no longer be seen by anyone else. There are
several different ways to dispose of data, depending on the policy of your organization;
for paper, one way is shredding. For a hard disk, reformatting is not enough: a format only
rewrites the file system structures and the underlying data can still be recovered. Instead,
overwrite the disk (wiping), degauss magnetic media, use the drive's built-in secure-erase
command, or physically destroy the media. For encrypted media, destroying the key
(crypto-erase) also renders the data unrecoverable.
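The overwrite-before-delete approach described above, as an added example that is not part of the original notes. The pass count, the chunk size and the constructed sample file are assumptions. The caveat a practitioner needs: on SSDs and other flash media, wear levelling means an overwrite through the file system is not guaranteed to hit the physical blocks that held the old data, so for those devices rely on the drive's secure-erase command or on full-disk encryption plus key destruction instead.

```python
"""Overwrite a file's contents before unlinking it.

Added example for these study notes, not code from the original page.
The pass count and the sample file are assumptions / constructed input.
Caveat: not a guarantee on SSDs or wear-levelled flash (see the notes).
"""
import os
import tempfile

CHUNK = 64 * 1024


def secure_overwrite(path: str, passes: int = 1) -> int:
    """Overwrite `path` in place with random bytes `passes` times and force the
    writes to disk. Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(remaining, CHUNK)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # make sure the overwrite actually reaches the disk
    return size


def secure_delete(path: str, passes: int = 1) -> int:
    """Overwrite, then unlink. A plain unlink only removes the directory entry."""
    size = secure_overwrite(path, passes)
    os.remove(path)
    return size


def demo() -> dict:
    """Create a constructed sensitive file, wipe it, and report what happened."""
    original = b"id,name,ssn\n1,Alice,123-45-6789\n2,Bob,987-65-4321\n"  # constructed
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "customer_export.csv")
        with open(path, "wb") as f:
            f.write(original)
        secure_overwrite(path)
        with open(path, "rb") as f:
            after = f.read()  # what a recovery tool would now see in those blocks
        wiped = secure_delete(path)
        return {
            "original_len": len(original),
            "overwritten_len": len(after),
            "still_original": after == original,
            "exists_after": os.path.exists(path),
            "bytes_wiped": wiped,
        }


if __name__ == "__main__":
    print(demo())
```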
■ lockout
■ The procedures for key management
■ Documentation for distribution, storage, entry and disposal
of keys
■ How biometric & token controls are to be used
■ Logical Access Controls
■ Authorize or restrict the activities of users
■ Topics
■ Granting of access rights & privileges
■ What do users get to do when authenticated?
■ Temporal restrictions
■ Time of day hardware/software can be accessed
■ Detection mechanisms for unauthorized people & actions
■ Timeout periods
■ Lockout after max login attempts reached
■ Encryption of sensitive files
■ How separation of duties is enforced
■ How often ACLs are reviewed
■ Regulation of the delegation of access permissions
■ Who can give access permission to whom?
■ Public Access Controls
■ Controls for the general public
■ What the general public can and can't do with data
■ Topics
■ Information classification
■ What data is public, private, confidential, or secret?
■ Forms of identification & authentication
■ Limitations on read/write privileges
■ Separation of public & private systems
■ Audit trails & user confidentiality
■ Always keep an audit trail of what everyone does
■ Requirements for system & data availability
■ Audit Trails
● Management
○ Controlling actions of a system
○ Implemented through policies & procedures
● Management Types
○ Release management
■ Release of software from the testing environment to production
■ Seeks to ensure timeliness goals, minimize disruption, & issue all related
documentation & communication
○ Change control management
■ Determines whether controls are still effective and updates them if needed
■ System assurance
■ Process of validating that existing security controls are configured
& functioning as expected, both during initial implementation & on
an ongoing basis
■ Change control
● Configuration management
○ Discipline that seeks to manage configuration changes so that they are
appropriately approved and documented, so that the integrity of the security state
is maintained
● Maintains the integrity of hardware & software across releases and versions
● Change management vs Configuration management
○ Change management
■ Focuses on changes to project processes or project baselines
■ Ex.
■ Changes in the budget changed in the schedule
○ Configuration management
■ Focuses on project specifications
■ Ex.
■ Extra features may be added to or removed from a particular
project
● Configuration management consists of:
○ Automated tools
■ Tools that handle version checking and any type of conflict
○ Documentation
■ Hardware list of information
■ Make
■ Model
■ MAC address
■ # of licenses
■ Expiration date
■ Software name
○ Procedures
■ Step by step process for properly configuring the hardware & software so
that # of conflicts are reduced
● Operational aspects
○ Identification
■ Captures & maintains information about the structure of the system,
usually in a Configuration Management Database (CMDB)
○ Control
■ Configuration changes are controlled through the lifecycle
○ Accounting
■ Captures, tracks, & reports on the status of the configuration history
○ Auditing
■ Process of logging, reviewing, & validating configuration items
● Inventories
○ Kept for integrity & validation
● Patch Management
○ Process of applying system changes to correct software & firmware
vulnerabilities
○ Process
■ Acquisition
■ Patches are supplied via download
■ Testing
■ Patches are tested
■ Approval
■ Patches can’t be applied until they are approved
■ Packaging
■ Patches must be packaged for distribution & installation
■ Deployment
■ The patch is applied to the target system
■ Verification
■ The success or failure of the patch application is recorded
● Security Impact Assessment
○ The analysis conducted within an organization to determine the extent to which
changes to the information system affect its security posture
○ Does it differ from the baseline?
● Interoperability
○ The extent to which systems & devices can exchange data & interpret that
shared data
○ Open system
■ Lot of data can be passed back & forth between systems
○ Closed system
■ Very little data can be passed back & forth between systems
● Security Awareness
○ Seeks to reduce human error by educating people about cybersecurity
○ Security is only as strong as its weakest link
○ Critical success factors
■ Senior management support
■ Cultural awareness
■ Communication goals
■ Taking a change management approach
■ Measurement
● Interior IDS
○ Limit employees only to areas they need access to
○ Intrusion Detection Systems
■ Balanced Magnetic Switch (BMS)
■ Uses a magnetic field or mechanical contact to determine if an
alarm signal is initiated
■ Reed Switches
■ Motion-Activated Cameras
■ A fixed camera w/ a video motion feature that signals an alarm
when something enters the field of view
■ Acoustic Sensors
■ A device that uses passive listening devices to monitor building
spaces
■ Designed to detect intruders who stay around after building
has closed
■ Infrared Linear Beam Sensors
■ Focused light beam is projected & bounced off a reflector on either
side of the detection area, when someone walks across the beam
an alarm sounds off
■ Passive Infrared (PIR) Sensors
■ Set to a specific temperature; when an increase in heat is detected, the alarm
sounds
■ Also used as an automatic request to exit (REX) device
■ Door locked - when sensor senses heat increase, it will
auto unlock
■ Dual-Technology Sensors
■ 2 different sensors used to reduce false alarms
■ Visitor Control
■ Consideration factors:
■ Controlled waiting room
■ Temp. badges or passes
● Risk
○ A function of the likelihood of a given threat source exercising a potential
vulnerability, and the resulting impact of that adverse event on the organization
○ What is the possibility that something is going to happen?
○ How bad is it going to be?
● Likelihood
○ Probability that a potential vulnerability may be exercised w/in the construct of the
associated threat environment
○ What are the chances that a potential vulnerability will be exploited?
● Threat source
● Risk Treatment
○ Goal
■ Reduce risk to an acceptable level
○ Risk treatment
■ Risk Mitigation
■ Implement technical, managerial, and operational controls
■ Risk Transference
■ Transfer risk to a third party
■ Risk Avoidance
■ Avoid risk
○ Risk Acceptance
■ Accept risk
● Risk Visibility and Reporting
○ Risk should always be recorded & reported
○ Risk needs to be aggregated in a Risk Register
■ Risk Register
■ Gives info about risk in organization
■ Risk management steps:
■ Step 1: Identify the risk
■ Step 2: Evaluate the severity of any identified risks
■ Step 3: Apply possible solutions to risks
■ Step 4: Monitor & analyze the effectiveness of any
subsequent steps taken
● Auditing
○ Security Audit
■ An evaluation of how well the objectives of a security framework are met
& a verification to ensure the security framework is appropriate for the
organization
○ Purposes:
■ Point out where security is lacking
■ Emphasize what is being done correctly in security
○ Types of auditors:
■ Internal
■ External
● Audit Types:
○ Annual
■ Performed on an annual basis as dictated by policy
○ Event-Triggered
■ Conducted after an incident
○ Merger/Acquisition
■ Performed to determine security standards of the company being
acquired
○ Regulation Compliance
■ Performed to confirm compliance w/ security aspects of regulations
○ Ordered
■ Performed when commanded by court
● COBIT
○ Control Objectives for Information and related Technology
■ A set of control objectives used as a framework for IT governance
developed by the Information Systems Audit and Control Association (ISACA)
and the IT Governance Institute (ITGI)
● Auditors
○ Collect info about an organization's security processes
○ Responsibilities:
■ Provide independent assurance about security systems
■ 3rd party assurance
■ Analyze organizational security objectives
■ Analyze policies, standards, baseline, procedures and guidelines
■ Analyze the effectiveness of controls
■ Stating and explaining the scope of the system
● Auditing Domains
○ User
■ Users & their authentication methods
■ How do users log into workstations?
○ Workstation
■ End-user systems
■ What kind of security on system?
○ Application
■ E-mail, database, web applications
■ What kind of security protects against unauthorized access to the application?
○ LAN
■ Equipment necessary for LANs
○ LAN to WAN
■ Area where the DMZ resides
○ WAN
■ Things outside of the firewall
○ Remote
■ How remote users access the network
○ Cloud & Outsourced
■ Moving data to other entities
■ How do you protect your data?
● System Documentation
○ Disaster/Business Recovery
○ Host Configuration Baseline
○ Security Configuration
○ Acceptable Use Policy
○ Change Management Process
○ Data Classification
■ Not all data is the same
■ Ex. unrestricted, sensitive, confidential
○ Business Flow
● Responding to an Audit
○ Exit interview
■ Issues will be addressed
○ Presentation of findings
■ Findings presented to management
○ Management response
■ Written response to auditors
Skills Learned From This Lesson: Vulnerability Scanning, Securing Hosts, Security Monitoring
Testing, Wireless Networking Testing, War Dialing/War Driving
● Vulnerability scanning
○ The process of checking a system for weaknesses
○ Goal
■ Study security levels
■ Find problems
■ Improve
○ Advantages
■ Identify system vulnerabilities
■ Allows for the prioritization of mitigation
■ Good for comparing security positions
○ Disadvantages
■ Cannot always focus efforts
■ Could crash the network
○ Update capability
■ Scanners need the latest signatures
○ Reporting capability
■ Report on the findings
● Vulnerability testing issues
○ False positives
○ Crash exposure
○ Temporal information
■ Just because a scan is good today doesn’t mean the next scan will be
● Scanner tools
● Securing Hosts
○ Disabling unneeded services
○ Disabling insecure services
○ Ensuring least privilege file system permissions
○ File system permissions
■ Share only w/ those who need
○ Establish & enforce a patching policy
○ Examine applications for weakness
○ Firewall & router testing
● Security Monitoring Testing
○ Ensure systems are working as expected
○ Out of the box Intrusion Detection System (IDS) systems need to be tuned to
organization
○ IDS testing
■ Data patterns w/in a single packet
■ Data patterns w/in multiple packets
■ Obfuscated data
■ Fragmented data
■ Protocol embedded attacks
■ Flooding detection
● Wireless Networking Testing
○ Wireless technology > Wireless Access Points > Problems!
○ Security Testers
■ Test for effectiveness of wireless security
■ Superscan
■ Lanspy
○ Step 3: Information Evaluation & Risk Analysis
■ Evaluate the findings & perform risk analysis
■ Potential risks must be identified
■ Decide which devices should be penetration tested
○ Step 4: Active Penetration
■ WARNING!!
■ Think twice before attempting to exploit a possible vulnerability
that may harm the system
■ Sometimes it's better to identify the vulnerability w/o actively
working to break it
○ Step 5: Analysis & Reporting
■ Documentation & analysis should be reported to management
■ Always give solutions/ideas to the problems
■ Tailor the report to the person who will be looking at it
● Penetration Testing modes
○ White Box testing
■ Knowledge of security & IT staff
■ Given network blueprints, planned test times, & assistance from the
organization
■ Pros
■ Good support from the organization
■ Fixes can occur quicker
■ Good for testing incident response procedures
■ Cons
■ An inaccurate picture of the network is produced
○ Grey Box testing
■ Some information is known
■ Focus
■ Accessing system
■ Pros
■ Combines benefits of white & black box testing
● Safeguard
○ A built-in proactive security control implemented to provide protection against
threats
● Countermeasure
○ An add-on reactive security control
○ Helps to fight off attacks
● Vulnerability
○ System weakness
● Exploit
○ A particular attack
● Signature
○ A string of characters or activities found w/in processes or data communications
that describes a known system attack
● Tuning
○ Customizing a monitoring system to your environment
● Promiscuous interface
○ A network interface that collects & processes all of the packets sent to it
regardless of the destination MAC address
● False positive
○ Monitoring triggered an event, but nothing was wrong
● False negative
○ Monitoring system missed reporting an exploit event by not signaling an alarm
● True positive
○ The system recognized an exploit event correctly
● True negative
○ The system has not recognized benign traffic as cause for concern
● IDS
○ A passive system
○ Only signals an alarm
○ IDS/IDPS Types
■ Network based IDS (NIDS)
■ Monitors network traffic
■ Should be placed at network entrances
■ Host based IDS (HIDS)
■ Monitors system calls
■ Should be placed on systems where protection is mandated
● IDPS
○ An active system
○ Signals an alarm & tries to stop an incident
● Implementation Issues
○ Collecting data for incident response
■ How will the organization respond to events?
○ Monitoring response techniques
■ Passive response
■ Notes the event, but does not take evasive action
■ Ex.
■ Logging the event to a file
■ Displaying an alert
■ Sending alerts to an administrator
■ Active response
■ Notes the event & performs a reaction
■ Ex.
■ Block transactions
■ Disallow access to system calls
■ drop/reset connections
● Types of Monitoring
○ Real-Time monitoring
■ Provides a means for immediately identifying & sometimes stopping
covert & overt events
○ Non-Real Time Monitoring
■ Provides a means for saving important information about system events &
monitoring integrity of system configurations
○ Continuous/Compliance Monitoring
■ Represents the desire to have real-time risk information available at any
time to make organizational decisions
● Log Files
○ Reviewing Incident Logs
■ Save all log files from a device after an incident
○ Log Anomalies
■ Anything out of the ordinary
○ Log Management
■ Don’t let log files get out of control
■ Clipping levels
○ Filtering
■ Reduces amount of data reviewed
○ Log Consolidation
■ Happens on SIEM systems
■ Good for tracking devices across systems
○ Log Retention
■ How long should logs be kept?
○ Centralized Logging
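The monitoring vocabulary above (true/false positives and negatives) and the log-management ideas (filtering, clipping levels, the temporal nature of findings) can be tied together in one small detector. This is an added example, not part of the original notes: it filters constructed sshd-style log lines down to failed logins, applies a clipping level (N failures per source inside a sliding window) and then scores the alerts against constructed ground truth. The log lines, addresses, threshold and labels are all assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not from a real system); the addresses are from
# the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges
LOG_LINES = """\
Mar 10 09:00:01 host1 sshd[100]: Failed password for root from 203.0.113.5 port 4000 ssh2
Mar 10 09:00:02 host1 sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2
Mar 10 09:00:03 host1 sshd[102]: Failed password for admin from 203.0.113.5 port 4002 ssh2
Mar 10 09:00:04 host1 sshd[103]: Failed password for admin from 203.0.113.5 port 4003 ssh2
Mar 10 09:00:05 host1 sshd[104]: Failed password for oracle from 203.0.113.5 port 4004 ssh2
Mar 10 09:01:10 host1 sshd[105]: Failed password for alice from 198.51.100.7 port 5000 ssh2
Mar 10 09:01:15 host1 sshd[106]: Accepted password for alice from 198.51.100.7 port 5000 ssh2
Mar 10 09:02:00 host1 sshd[107]: Failed password for root from 203.0.113.9 port 6000 ssh2
Mar 10 09:04:00 host1 sshd[108]: Failed password for root from 203.0.113.9 port 6001 ssh2
Mar 10 09:06:00 host1 sshd[109]: Failed password for root from 203.0.113.9 port 6002 ssh2
Mar 10 09:08:00 host1 sshd[110]: Failed password for root from 203.0.113.9 port 6003 ssh2
Mar 10 09:10:00 host1 sshd[111]: Failed password for root from 203.0.113.9 port 6004 ssh2
Mar 10 09:12:00 host1 sshd[112]: Failed password for backup from 198.51.100.20 port 7000 ssh2
Mar 10 09:12:01 host1 sshd[113]: Failed password for backup from 198.51.100.20 port 7001 ssh2
Mar 10 09:12:02 host1 sshd[114]: Failed password for backup from 198.51.100.20 port 7002 ssh2
Mar 10 09:12:03 host1 sshd[115]: Failed password for backup from 198.51.100.20 port 7003 ssh2
Mar 10 09:12:04 host1 sshd[116]: Failed password for backup from 198.51.100.20 port 7004 ssh2
""".splitlines()

# Constructed ground truth used only to score the detector (e.g. from incident review):
# .5 is a fast brute force, .9 a slow one, .20 a misconfigured but benign backup job
MALICIOUS = {"203.0.113.5", "203.0.113.9"}

FAILED = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?P<user>\S+) from (?P<ip>[\d.]+)")


def failed_logins(lines, year=2024):
    # Filtering: keep only failed-login events, which reduces the data reviewed
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def clipping_alerts(lines, threshold, window):
    # Clipping level: a source is reported only once it reaches `threshold`
    # failures inside a sliding `window`; isolated failures never raise an alarm
    times_by_ip = defaultdict(list)
    for ts, ip, _ in failed_logins(lines):
        times_by_ip[ip].append(ts)
    alerted = set()
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerted.add(ip)
                break
    return alerted


def score(alerted, malicious, sources):
    # Confusion matrix in the notes' terms, counted per source address
    return {
        "TP": len(alerted & malicious),
        "FP": len(alerted - malicious),
        "FN": len(malicious - alerted),
        "TN": len(sources - alerted - malicious),
    }


def evaluate(threshold=5, window_minutes=1):
    # Widening the window catches the slow source (.9) that a 1-minute window misses,
    # which is the "temporal information" caveat from the notes in action
    sources = {ip for _, ip, _ in failed_logins(LOG_LINES)}
    alerted = clipping_alerts(LOG_LINES, threshold, timedelta(minutes=window_minutes))
    return alerted, score(alerted, MALICIOUS, sources)
```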
● Crime Scene
○ Needs to be defined before evidence can be identified
○ Principles of Criminalistics:
■ Identify the scene
■ Protect the environment
■ Identify evidence
■ Collect evidence
■ Minimize contamination
● Evidence
○ Live evidence
■ Data that is very dynamic & exists in running processes or other
volatile locations (e.g. RAM) that disappear in a relatively short time once
the system is powered down
○ Locard’s Principle of Exchange
■ When a crime is committed, the perpetrators leave something behind &
take something w/ them
■ Allows aspects of the responsible person to be identified
● Guidelines for Handling Evidence
○ Anyone who accesses digital evidence needs to be properly trained
○ Anyone who possesses evidence is responsible
○ Evidence must not be changed
○ Evidence must be fully documented
○ Anyone who has evidence is responsible for following forensics & procedural
principles
● Forensics Procedures
○ EVERYTHING must be documented
○ Ensure data cannot be altered
■ Disk Image & Hash algorithms
○ Establish a chain of custody
■ Document everyone who has touched evidence
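The two procedures above (hash the image so it cannot be altered unnoticed, and document everyone who touches it) are easiest to see together. This is an added example, not from the original notes: a minimal chain-of-custody record in which every handoff re-hashes the image against the acquisition hash, so an alteration is caught at the handoff where it first appears. The image bytes, evidence id, names and timestamps are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field


def hash_image(image: bytes) -> str:
    # Hash taken at acquisition; any later change to the image changes this value
    return hashlib.sha256(image).hexdigest()


@dataclass
class CustodyEntry:
    handler: str        # who touched the evidence
    action: str         # what they did (acquired, transferred, analyzed, ...)
    when: str           # timestamp recorded at the handoff
    observed_hash: str  # hash of the image as received by this handler


@dataclass
class EvidenceRecord:
    evidence_id: str
    acquisition_hash: str
    custody_log: list = field(default_factory=list)

    def handoff(self, handler: str, action: str, image: bytes, when: str) -> bool:
        # Every person who touches the evidence is documented, and the image is
        # re-hashed so that alteration is detected at the point it happened
        entry = CustodyEntry(handler, action, when, hash_image(image))
        self.custody_log.append(entry)
        return entry.observed_hash == self.acquisition_hash

    def first_integrity_break(self):
        # The first custody entry whose hash no longer matches acquisition, if any
        for entry in self.custody_log:
            if entry.observed_hash != self.acquisition_hash:
                return entry
        return None


def demo() -> dict:
    # Constructed stand-in for a disk image and for a custody timeline
    image = b"constructed disk image bytes: MBR, partitions, files ..." * 4
    record = EvidenceRecord("EV-0001 (placeholder id)", hash_image(image))
    ok_acquire = record.handoff("Examiner A", "acquired image", image, "2024-03-10T09:00:00Z")
    ok_transfer = record.handoff("Examiner B", "received for analysis", image, "2024-03-10T11:30:00Z")
    tampered = image[:10] + b"X" + image[11:]  # one byte altered between B and C
    ok_tampered = record.handoff("Examiner C", "received from B", tampered, "2024-03-11T08:00:00Z")
    broken = record.first_integrity_break()
    return {"acquire": ok_acquire, "transfer": ok_transfer, "tampered": ok_tampered,
            "break_at": broken.handler if broken else None,
            "entries": len(record.custody_log)}
```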
● Five Rules of Evidence
○ Be Authentic
○ Be Accurate
○ Be Complete
○ Be Convincing
○ Be Admissible
● Analysis
○ Media Analysis
■ The recovery of information from information media such as hard drive
○ Network Analysis
■ Examination of data from network logs & network activity
○ Software Analysis
■ Analysis & examination of program code
○ Hardware/Embedded Device Analysis
■ Analysis of mobile devices & hardware & firmware found in computers
○ The max amount of time that a business function can be unavailable before the
organization is harmed to a degree that puts the survivability of the organization
at risk
○ What is the longest time a resource can be unavailable before the organization
fails?
● Recovery Time Objective (RTO)
○ The earliest time period & a service level w/in which a business process must be
restored after a disaster to avoid unacceptable consequences
○ What is the earliest time period that a resource can come back from being
disrupted?
● Recovery Point Objective (RPO)
○ A measurement of the point prior to an outage to which data are to be restored
○ The last time the system was backed up
● Disaster Recovery Plan (DRP)
○ A document that details the steps that should be performed to restore critical IT
systems in the event of a disaster
○ Considerations
■ Different types of disasters
■ Intentional acts of sabotage
■ Potential threats
○ Assets
■ Data
■ Information systems
■ Network devices
■ Facilities
■ Personnel
● Recovery Strategy Alternatives
○ Cold Site
■ A building w/ power, raised floors & utilities
■ No devices are available
■ Cheapest
■ Longest to get back online
○ Warm Site
■ Does not have computers but has peripherals
○ Offsite Storage
■ Backups should be stored off-site at a secure location
○ Electronic Vaulting
■ Allows backups across the internet to an offsite location
○ Remote Journaling
■ Journals & transaction logs are transmitted electronically to an offsite
location
● Availability
○ Clustering
■ A method of configuring multiple computers so they effectively operate as
a single system
○ High Availability Clustering
■ A clustering method that uses multiple systems to reduce the risk
associated w/ a single point of failure
○ Load-Balancing Clustering
■ All cluster nodes are active
■ If a system fails, the others take its place
● Redundant Array of Independent Disks
○ Mirroring
■ The system writes data simultaneously to separate hard drives or drive
arrays
■ RAID 1
■ Identical copies of data are stored on two separate drives
○ Parity
■ The technique of determining whether data had been lost or overwritten
○ Striping
■ A data element is broken into multiple pieces, & a piece is distributed to
each hard drive
■ RAID 0
■ Relies on striping data across multiple disks
■ RAID 2
■ Striping is performed at the bit level
■ Not used in practice
■ RAID 3
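The striping and parity ideas above are concrete enough to run. This is an added example, not from the original notes: data is striped across three data disks with a dedicated XOR parity disk (the RAID 3 layout), the parity check detects an overwritten byte, and a single lost disk is rebuilt from parity plus the survivors. The chunk size and payload are constructed for the demo.

```python
from functools import reduce

CHUNK = 4  # bytes per stripe unit (constructed; real arrays use much larger units)


def xor_all(*chunks: bytes) -> bytes:
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*chunks))


def stripe(data: bytes, n_disks: int) -> list:
    # Striping: the data element is cut into pieces and each piece goes to the next disk
    padded = data + b"\0" * (-len(data) % (CHUNK * n_disks))
    disks = [bytearray() for _ in range(n_disks)]
    for i in range(0, len(padded), CHUNK):
        disks[(i // CHUNK) % n_disks] += padded[i:i + CHUNK]
    return [bytes(d) for d in disks]


def unstripe(disks: list, length: int) -> bytes:
    out = bytearray()
    for i in range(0, len(disks[0]), CHUNK):
        for d in disks:
            out += d[i:i + CHUNK]
    return bytes(out[:length])


def parity_of(disks: list) -> bytes:
    # Parity: byte-wise XOR of every data disk, kept on a dedicated parity disk
    return xor_all(*disks)


def parity_ok(disks: list, parity: bytes) -> bool:
    # Parity check: data XOR parity must be all zero, otherwise data was lost or overwritten
    return not any(xor_all(parity, *disks))


def rebuild(disks: list, parity: bytes) -> list:
    # Any single missing disk (None) equals the XOR of the parity and the survivors;
    # single parity cannot recover two failures, so that case is refused
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) != 1:
        raise ValueError("single parity can rebuild exactly one lost disk")
    survivors = [d for d in disks if d is not None]
    restored = list(disks)
    restored[missing[0]] = xor_all(parity, *survivors)
    return restored


def demo() -> dict:
    data = b"constructed test payload for a 3 data-disk RAID 3 set"
    disks = stripe(data, 3)
    parity = parity_of(disks)
    # Disk 1 dies: rebuild it and read the payload back from the restored set
    recovered = unstripe(rebuild([disks[0], None, disks[2]], parity), len(data))
    # Disk 2 silently overwrites a byte: the parity check catches it
    corrupted = list(disks)
    corrupted[2] = bytes([corrupted[2][0] ^ 0xFF]) + corrupted[2][1:]
    return {"recovered_ok": recovered == data,
            "clean_parity_ok": parity_ok(disks, parity),
            "corrupted_parity_ok": parity_ok(corrupted, parity)}
```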
Domain 5: Cryptography
Lesson 5.1: Cryptography Fundamentals Concepts (SC)
Skills Learned From This Lesson: Fundamental cryptography concepts
● Block Ciphers
○ Operate on chunks of text instead of one byte at a time
■ Blocks are often 64, 128 or 192 bits in size
○ Stronger
○ Computationally intensive
○ Used in software
○ Use a combination of substitution & transposition
■ Substitution
■ The process of exchanging one letter or byte for another
■ Transposition
■ The process of reordering the plaintext to hide the message
○ Modes
■ Electronic Code Book (ECB)
■ Each block is encrypted independently
■ Cipher Block Chaining (CBC)
■ The result of encrypting one block of data is fed back into the
process to encrypt the next block
■ Cipher Feedback
■ Each block of keystream comes from encrypting the previous
block of ciphertext
■ Output Feedback (OFB)
■ The keystream is generated independently of the message
■ Counter (CTR)
■ Uses the formula Encrypt (Base+N) as a keystream generator
where Base is a starting 64 bit number & N is a simple
incrementing function
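The modes listed above are easiest to compare in code. This is an added example, not from the original notes: a toy 8-round Feistel cipher built on SHA-256 (an assumption standing in for AES or DES, so the demo runs without a crypto library) is wrapped in ECB, CBC, OFB and CTR mode, and the comparison shows ECB repeating ciphertext blocks for repeated plaintext while the chained and counter modes do not. Padding is left out, so inputs are whole blocks.

```python
import hashlib
import os

BLOCK = 16  # 128-bit blocks, as in AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, i: int) -> bytes:
    # Hash-based round function of the key, the round number and half a block
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # 8-round Feistel network: substitution (round function) plus transposition
    # (swapping halves). Assumption: it stands in for AES or DES in this demo.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(8):
        left, right = right, _xor(left, _round(key, right, i))
    return left + right

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    # Run the rounds backwards; the Feistel structure makes this exact
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(8)):
        left, right = _xor(right, _round(key, left, i)), left
    return left + right

def _blocks(data: bytes) -> list:
    # Demo assumption: whole blocks only (no padding scheme implemented)
    if len(data) % BLOCK:
        raise ValueError("data must be a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # ECB: every block is encrypted independently, so equal plaintext blocks repeat
    return b"".join(toy_encrypt_block(key, b) for b in _blocks(pt))

def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(toy_decrypt_block(key, b) for b in _blocks(ct))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # CBC: the previous ciphertext block is fed back (XORed) into the next block
    out, prev = [], iv
    for b in _blocks(pt):
        prev = toy_encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # OFB: keystream block = Encrypt(previous keystream block), independent of the
    # message; XORing means one function serves for encryption and decryption
    out, s = [], iv
    for b in _blocks(data):
        s = toy_encrypt_block(key, s)
        out.append(_xor(b, s))
    return b"".join(out)

def ctr_crypt(key: bytes, base: int, data: bytes) -> bytes:
    # CTR: keystream block N = Encrypt(Base + N); no chaining, so partial blocks are fine
    n = (len(data) + BLOCK - 1) // BLOCK
    ks = b"".join(toy_encrypt_block(key, (base + i).to_bytes(BLOCK, "big")) for i in range(n))
    return _xor(data, ks)

def mode_comparison(key: bytes = b"constructed-demo-key", base: int = 0x1234) -> dict:
    # Constructed plaintext of three identical blocks, to make ECB's leak visible
    iv = os.urandom(BLOCK)
    pt = b"ATTACK AT DAWN!!" * 3
    ecb, cbc = ecb_encrypt(key, pt), cbc_encrypt(key, iv, pt)
    ofb, ctr = ofb_crypt(key, iv, pt), ctr_crypt(key, base, pt)
    return {
        "ecb_repeats": len(set(_blocks(ecb))) == 1,   # True: the pattern leaks
        "cbc_repeats": len(set(_blocks(cbc))) == 1,   # False
        "ctr_repeats": len(set(_blocks(ctr))) == 1,   # False
        "roundtrip": (ecb_decrypt(key, ecb) == pt and cbc_decrypt(key, iv, cbc) == pt
                      and ofb_crypt(key, iv, ofb) == pt and ctr_crypt(key, base, ctr) == pt),
    }
```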
● Key Length
○ The size of the key, measured in bits or bytes
■ The security of an algorithm cannot exceed its key length
■ The key’s length is distinct from its cryptographic security
● Block Size
● Symmetric Cryptography
○ Operates a single cryptographic key that is used for both encryption & decryption
○ Key management is a challenge; the key must be sent out-of-band
■ Out-of-band
■ Using a different channel to transmit the key
○ Advantages
■ Very fast
■ Affordable
■ Secure
○ Disadvantages
■ Key management
■ No non-repudiation
○ Data Encryption Standard (DES)
■ Key is 64 bits in length; every 8th bit is ignored, leaving 56 key bits
■ Key space is 2^56, or about 7.2x10^16
■ Disadvantage
■ Key is too short
■ Breakable by a brute force attack
■ Solutions
■ Double DES
■ DES twice w/ 2^112 key space
■ Flaw
■ Victim of the Meet-in-the-middle attack
■ Triple DES (3DES)
■ Key space of 2^112 using two different keys
■ Encrypt w/ key 1, re-encrypt w/ key 2, re-encrypt w/ key 3
■ Disadvantage
■ Too slow for software
■ Advanced Encryption Standard (AES) is needed
■ Algorithm chosen for AES is Rijndael
● Rijndael
○ Very versatile
■ Block size can be 128,192, 256 bits
■ Key size can be 128,192, 256 bits
■ Multiple rounds of operation depending on the key size
○ Four Major Operations
■ Substitute bytes
■ Shift rows
■ Mix columns
■ Add round key
● Other Symmetric Algorithms
○ International Data Encryption Algorithm (IDEA)
■ Key Size (bits): 128
● Asymmetric Cryptography
○ Created to address the practical limitations of symmetric cryptography
○ Uses two keys that are mathematically related, but are mutually exclusive
■ One key to encrypt, the other to decrypt
○ Algorithms are one way functions
■ Private key ⇒ Public key
■ Private key belongs to only you
■ Public key belongs to everyone
○ Good for confidential messages, open messages, and non-repudiation
● Asymmetric Encryption Algorithms
○ RSA
■ Algorithm based on the mathematical challenge of factoring the product of
two large prime numbers
○ Diffie-Hellman Algorithm
■ A key exchange algorithm
■ Used to enable two users to exchange symmetric keys which will be used
for message encryption
■ Used for public key infrastructure
○ El Gamal
■ Based on the work of Diffie-Hellman, but includes message confidentiality
& digital signatures
○ Elliptic Curve Cryptography (ECC)
■ Based on the mathematics of elliptic curves
■ Has the highest strength per bit of key length of any of the asymmetric
algorithms
■ Provides confidentiality, digital signatures, & message
authentication
● Asymmetric Key Algorithms
○ Advantages
■ Can send messages w/o key exchange
■ Offers non-repudiation, access control, & integrity
○ Disadvantages
■ Slow
● Common Attacks
○ Chosen Plaintext
■ Attack where the attacker can choose arbitrary plaintexts to be encrypted
& obtain the corresponding ciphertexts
○ Chosen Ciphertext
■ Attack where the attacker chooses a ciphertext & obtains its decryption
under an unknown key
○ Birthday attack
■ Attack that exploits the mathematics behind the birthday problem in
probability theory to force collisions w/in hashing functions
○ Dictionary attack
■ Encrypts all of the words in a dictionary & checks if the hash matches the
password's hash
○ Replay attack
■ Occurs when an attacker intercepts authentication information & replays the
information to gain access to a security system
○ Factoring attack
■ Developed to break the RSA algorithm
■ Tries to break down the product of two large prime numbers through factoring
○ Reverse Engineering
■ A product is reverse engineered to find weaknesses in the system or gain
information
○ Implementation attack
■ Popular because it is easier to attack system elements outside of the algorithm
than the algorithm itself
■ Side-channel analysis
■ Uses information that has been gathered to uncover
sensitive data or processing functions
■ Fault analysis
■ Attempts to force the system into an error state to gain
erroneous results
■ Probing attacks
■ Attempts to watch the circuitry surrounding the cryptographic module hoping that
new components will disclose information
○ A set of system, software, & communication protocols required for public key
cryptography
○ Primary purpose
■ Publish public keys/certificates
■ Certify that a key is tied to an individual or entity
■ Provide verification of the validity of a public key
● Certificate Authority
○ A component of a PKI that creates & maintains digital certificates throughout their
life cycles
● Registration Authority
○ Verifies an entity’s identity & determines whether they are entitled to have a
public key certificate issued
● Certificate Revocation List (CRL)
○ List maintained by the CA of a PKI that contains information about revoked
digital certificates
● Key Management
○ Most important part of any cryptographic implementation
○ “A cryptosystem should be secure even if everything about the system, except the
key, is public knowledge” ~Auguste Kerckhoffs
■ Everything about the encryption algorithm should be known except the
key
● Key Management Applications
○ XML Key Management specification 2.0
■ Protocols for distributing & registering public keys
○ ANSI X9.17
■ Developed to address the need of financial institutions
■ Uses Data Keys (DKs) & Key-encrypting keys (KKMs)
● Key Distribution and Management
○ Secure keys depend on Automated Key Generation, Randomness, & Length
■ Automated Key Generation
■ Key policy enforcement
■ Randomness
■ 0’s & 1’s
■ Key length
■ Used to identify the sender & ensure the transmitted data has not
been altered
■ Uses hashes & sequence #’s
■ Encapsulating Security Payload (ESP)
■ Header
■ Seq. # & Security Associations
■ Payload
■ Encrypted part of the packet
■ Trailer
■ Padding if required
■ Authentication
■ Hash value of the packet
● Endpoints talk w/ IPSec by using transport or tunnel mode
○ Transport
■ The payload is protected
○ Tunnel
■ The payload & header are protected
● Internet Key Exchange (IKE)
○ Authentication part of IPSec
■ Phase 1: Establish authentication
1. Shared secret
2. Public Key Encryption
3. Revised mode of Public Key Encryption
■ Phase 2: Security Associations are established
■ Use secure tunnel & secure associate method at the end of phase 1
● Secure Sockets Layer/Transport Layer Security (SSL/TLS)
○ Used to encrypt confidential data over an unsecured network
○ Sits between the Transport layer & the Application layer
● Secure/Multipurpose Internet Mail Extensions (S/MIME)
○ Used to send digitally signed & encrypted messages
○ Provides authentication, integrity, & non-repudiation
● OSI Model
○ Layer 1: Physical Layer
■ Network topologies
■ Most physical devices are at this level
■ Bits on a wire
○ Layer 2: Data Link Layer
■ Receives the packet it gets from the wire & formats it for the network
■ Logical Link Control (LLC)
■ Manages connections between two peers
■ Provides error & flow control
■ Media Access Control (MAC)
■ Transmits & receives frames from peers
■ Hardware addresses are defined at this sublayer
○ Layer 3: Network Layer
■ Moves information between two hosts
■ Uses logical addressing & Internet Protocol (IP)
■ Addressing
■ Uses destination IP address to send packets
■ Fragmentation
■ Subdivides a packet if its size is greater than the maximum size
on a network
○ IP is a connectionless protocol that does not guarantee error-free delivery
○ Routers work at this level & send packets from place to place
■ Static Routing Tables
■ Updated manually
■ Dynamic Routing Tables
■ Routers share information
○ Network Routing Protocols
■ Internet Control Message Protocol (ICMP)
■ Network errors
■ Network congestion
■ Troubleshooting
■ Timeouts
■ Internet Group Management Protocol (IGMP)
■ Manages multicasting groups
■ Other Layer 3 Protocols
■ IPv4/IPv6
■ Internet Protocol
■ DVMRP
■ Distance Vector Multicast Routing Protocol
■ IPsec
■ Internet Protocol Exchange
■ DDP
■ Datagram Delivery Protocol
■ SPB
■ Shortest Path Bridging
○ Layer 4: Transport Layer
■ Creates an end-to-end connection between hosts
■ Transmission Control Protocol
■ Provides error-free transmission
■ User Datagram Control
■ A connectionless unreliable protocol
○ Other layer 4 protocols
■ FCP
■ Fiber Channel Protocol
■ RDP
■ Reliable Datagram Protocol
■ SCTP
■ Stream Control Transmission Protocol
■ SPX
■ Sequenced Packet Exchange
■ SST
■ Structured Stream Transport
○ Layer 5: Session Layer
■ DHCP
■ Dynamic Host Configuration Protocol
■ DNS
■ Domain Name System
■ HTTP
■ Hypertext Transfer Protocol
■ IMAP
■ Instant Message Access Protocol
■ LDAP
■ Lightweight Directory Access Protocol
■ SMTP
■ Simple Mail Transfer Protocol
■ FTP
■ File Transfer Protocol
OSI Model vs TCP/IP Model
● Network Classes
○ Hosts are distinguished by IP addresses: 192.168.145.123
○ IP Addresses are divided into a network number & a host number
○ ICANN
■ Internet Corporation for Assigned Names and Numbers
Network Classes
● Subnet Mask
○ Used to define the part of the address that is used for the subnet
○ Ex.
■ 192.168.145.123/24
■ /24 is the subnet mask written as a prefix length: the first 24 bits are the network part
■ Subnet mask = 11111111 11111111 11111111 00000000 or
255.255.255.0
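The /24 example above generalizes to any prefix length. This is an added example, not from the original notes: it derives the dotted-quad and binary mask from the prefix, splits the address into its network number and host number as the notes describe, and checks whether two hosts share a subnet. It uses only integer arithmetic so every step is visible; the second address tested is a constructed /30 case.

```python
def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    # /24 -> 24 one-bits followed by 8 zero-bits; the & keeps it to 32 bits
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def describe(cidr: str) -> dict:
    # Split the address into its network number and host number using the mask
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = prefix_to_mask(prefix)
    addr = ip_to_int(ip)
    network = addr & mask
    host_bits = ~mask & 0xFFFFFFFF
    bits = format(mask, "032b")
    return {
        "mask": int_to_ip(mask),
        "mask_bits": " ".join(bits[i:i + 8] for i in range(0, 32, 8)),
        "network": int_to_ip(network),
        "host_number": addr & host_bits,
        "broadcast": int_to_ip(network | host_bits),
        # network and broadcast addresses are not assignable; /31 and /32 leave none
        "usable_hosts": max(2 ** (32 - prefix) - 2, 0),
    }


def same_subnet(a: str, b: str, prefix: int) -> bool:
    # Two hosts share a subnet when their masked (network) parts are equal
    mask = prefix_to_mask(prefix)
    return ip_to_int(a) & mask == ip_to_int(b) & mask
```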
● IP Networking
○ IPv6
■ A modernization of IPv4
■ Much larger address field - 128 bits
■ Improved security
■ More concise IP packet header
■ Quality of service improved
○ Border Gateway Protocol (BGP)
■ Exchanges routing information between gateway hosts
■ Protocol used between the hosts & the internet
● TCP/UDP
○ Map data connections through port numbers which are associated w/ devices
○ Port numbers are managed by the Internet Assigned Numbers Authority
○ There are 65,536 ports broken into three categories
■ Well-known ports
■ 0 - 1023
■ Registered Ports
■ 1024 - 49,151
■ Dynamic Ports
■ 49,152 - 65,535
○ TCP
■ Provides a connection
■ Has error-handling
■ Tracks packets
■ Ex.
■ HTTP, SMTP
○ UDP
■ Connectionless
■ No error-handling
■ “Best Effort”
■ Ex.
■ VOIP
● DHCP
○ Dynamic Host Configuration Protocol
○ Automatically assigns IP addresses to workstations
○ The address given is leased for a period of time
○ Address lease is referred to as a TTL (Time To Live)
● ICMP
○ Internet Control Message Protocol
○ Used for the exchange of control messages between hosts & gateways &
diagnostic tools
○ Ping of death
■ A packet echo that is greater than 65,536 bytes
○ ICMP redirect attacks
■ The victim's computer is tricked into sending its traffic through an attacker's
computer w/o the victim knowing
○ Ping scanning
■ If a host replies to a ping, then the attacker knows a host exists at that
address
○ Traceroute Exploitation
■ Used to map a victim’s network & learn about the routing
○ Remote procedure calls
■ Allows procedures (objects) to be executed on another host
■ Client sends instructions to an application
● Bus
○ Disadvantages
■ The central piece is a single point of failure
● Unicast, Multicast, & Broadcast
○ Unicast
■ Send a packet to one person
○ Multicast
■ Send a packet to selected people
○ Broadcast
■ Send a packet to everybody
● Circuit-Switched Network
○ Dedicated circuit between end points
○ Endpoints have exclusive use of the circuit & bandwidth
○ Ex.
■ Telephones
● Packet-Switched Network
○ Do not use dedicated connections
○ Packets are transmitted on a shared network
○ Network devices find the best path
○ All packets (eventually) need to be in the correct order
■ Not every packet takes the same path
● Virtual Circuits
○ Provides a connection between endpoints that acts as if it was a physical circuit
■ Permanent virtual circuit
■ The carrier configures the circuit’s routes
■ Switched virtual circuit
■ Configured dynamically by the routers
● Topology Concept
○ Carrier Sense Multiple Access
■ A protocol which uses the absence/presence of a signal on a medium as
permission to speak
■ Variations
■ CSMA/CA
■ Carrier Sense Multiple Access w/ Collision Avoidance
● DNS
○ Domain Name System
○ A hierarchical distributed naming system for any resource connected to the
internet or a private network
○ Zone Enumeration
■ Users use DNS diagnostic commands to learn about the website's
architecture
■ Common commands used
■ dig & nslookup
○ DNS Fast Flux
■ The ability to move distributed services to different computers quickly
■ Primarily used by botnets & phishing attacks
○ Registration of a domain takeover
■ Change of the authoritative DNS server
■ Attackers send back different IP addresses
○ DNS ports
■ 53/TCP
■ 53/UDP
● LDAP
○ Client/Server based directory for managing user information
○ Allows anyone to locate users, information, & resources on a network
○ Ports
■ 389/TCP
■ 389/UDP
● Services & Protocol
○ NetBIOS
■ A program which allows applications on different computers to interact w/in
a LAN
■ Ports
■ 135 & 139/UDP, 137 & 138/TCP
○ NIS/NIS+
■ Network Information Service
■ Directory services used for managing user credentials in a group
of machines
■ Mostly used in UNIX
○ CIFS/SMB
■ Common Internet File System/Server Message Block
■ A file sharing protocol on Windows Systems
■ Ex.
■ Scanning from a printer to a computer
■ Ports
■ 445/TCP
● SMTP
○ Simple Mail Transfer Protocol
■ A client/server protocol utilized to route email on the internet
■ No authentication or encryption
■ Port
■ 25/TCP
● FTP
○ File Transfer Protocol
○ Used to upload & distribute files over the internet
■ Ports
■ 20 & 21/TCP
● TFTP
○ Trivial File Transfer Protocol
○ Simplified version of FTP
○ Use only on trusted networks
○ Port
■ 69/UDP
● HTTP
○ Hypertext Transfer Protocol
○ The foundational protocol of the web
○ Port
■ 80/TCP
● IP Convergence
○ Using the Internet Protocol (IP) to transmit all of the information that transits a
network
○ Benefits
○ Bastion host
■ A highly exposed device that will most likely be targeted for attacks
■ Usually placed on the public side of a firewall or DMZ area if there are two
firewalls
■ Focus on one application
■ Ex.
■ Mail server, DNS server, FTP server
● Network Access Technologies
○ DMZ
■ Demilitarized zone
■ Area between firewalls
■ Servers are placed here to give external hosts access to some
resources
● Hardware
○ Modems
■ Allow users to connect to a network via analog phone lines
■ Converters between digital & analog signals
○ Multiplexers
■ Combine multiple signals into one signal to be transmitted on a network
○ Hubs and Repeaters
■ A device in which all other devices connect
■ Central piece in a star topology
■ Don’t let the hub become inoperable
○ Switches
■ Devices which connect network segments together
○ Bridges
■ Processes packets based on MAC addresses
■ Connects LANs w/ different media types
○ Routers
■ Receive & send packets throughout the network
● Wire Transmission Media
○ Considerations
■ Throughput
■ How much data is going to be sent through the wire?
● Multimedia Technologies
○ Peer-to-Peer Applications
■ Designed to open a channel through network boundaries that the organization does
not control
○ Remote Meeting
■ Web-based applications which allow individuals to meet virtually
■ Ex.
■ Skype, Zoom, TeamViewer
○ Instant Messaging
■ Chat services that offer file exchange, video conversation, & screen
sharing
● Remote Access
○ VPN
■ Virtual Private Network
■ An encrypted tunnel between two hosts that allows them to
communicate over an untrusted network
■ Tunneling
■ A communication channel between two networks that is used to
transport another network protocol
■ Point-to-Point Tunneling Protocol (PPTP) & Layer 2 Tunneling Protocol (L2TP);
PPTP’s authentication is broken & L2TP needs IPsec for encryption
■ RADIUS
■ Remote Authentication Dial-In User Service
■ Centralized authentication, authorization & accounting (AAA) protocol; lets
many network devices hand logins to one authentication server (single sign-on
for network devices)
■ SNMP
■ Simple Network Management Protocol
■ Consists of an agent on each managed device & a manager which can be
used to retrieve & set values
■ v1 & v2c authenticate w/ cleartext community strings; use v3 w/
authentication & privacy
■ Ports
■ 161/UDP (queries to the agent; TCP is assigned but rarely used)
■ 162/UDP (traps to the manager)
■ TCP/IP Terminal Emulation Protocol (Telnet)
■ Command line protocol which gives remote command line access
■ Port 23/TCP
■ Very Risky!! Everything, including passwords, crosses the network in cleartext
■ Disable unless you absolutely need it & use SSH instead
● LAN-Based Security
○ Control Plane
■ Where routing & forwarding decisions are made
■ Exchanges routing information w/ neighbors
○ Data Plane
■ Where packets are actually forwarded, using the tables the control plane built
● Firewalls
○ A gateway protection device
■ Enforces administrative policies
○ Filters traffic by a rule set
■ By address (source/destination IP) or by service (protocol & port)
○ NAT
■ Network Address Translation
■ Rewrites the source IP of outgoing traffic to the firewall’s public address
■ Hides internal addressing from the outside; this is not anonymity & not a
substitute for filtering rules
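Added example (not part of the original notes): a first-match rule-set evaluator in Python showing how a firewall filters by address or by service, with default deny. The rule set, the addresses (10.0.0.0/8 as the LAN, 192.0.2.10 as a DMZ web server) and the shadowed-rule check are constructed for illustration, not taken from any product.

```python
"""Added example (not from the page): first-match packet filtering by address or
service, with default deny. The rule set below is a constructed, hypothetical policy."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # CIDR network or "any"
    dst: str               # CIDR network or "any"
    dport: Optional[int]   # destination port (the "service"); None = any port


# Constructed rule set: order matters, the first match wins.
# 192.0.2.10 is the DMZ web server, 10.0.0.0/8 is the internal LAN (assumed addressing).
RULES: List[Rule] = [
    Rule("deny",  "tcp", "any",         "any",            23),   # block Telnet everywhere
    Rule("allow", "tcp", "10.0.0.0/8",  "any",            443),  # LAN -> web (HTTPS)
    Rule("allow", "tcp", "10.0.0.0/8",  "any",            80),   # LAN -> web (HTTP)
    Rule("allow", "tcp", "any",         "192.0.2.10/32",  443),  # anyone -> DMZ web server
    Rule("allow", "udp", "10.0.0.0/8",  "10.0.0.53/32",   53),   # LAN -> internal DNS
]
DEFAULT_ACTION = "deny"   # whatever no rule allows is dropped


def _in_net(pattern: str, addr: str) -> bool:
    """True if addr is inside the CIDR pattern, or the pattern is 'any'."""
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def evaluate(proto: str, src: str, dst: str, dport: Optional[int],
             rules: List[Rule] = RULES) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); index is None when the default applies."""
    for i, r in enumerate(rules):
        if r.proto != "any" and r.proto != proto:
            continue
        if not (_in_net(r.src, src) and _in_net(r.dst, dst)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return DEFAULT_ACTION, None


def _net_covers(outer: str, inner: str) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def _covers(a: Rule, b: Rule) -> bool:
    """True if every packet rule b could match is already matched by rule a."""
    if a.proto not in ("any", b.proto) or a.dport not in (None, b.dport):
        return False
    return _net_covers(a.src, b.src) and _net_covers(a.dst, b.dst)


def shadowed_rules(rules: List[Rule] = RULES) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them:
    a common audit finding when someone appends an allow below a broad deny."""
    out = []
    for j, later in enumerate(rules):
        if any(_covers(earlier, later) for earlier in rules[:j]):
            out.append(j)
    return out


if __name__ == "__main__":
    for pkt in [("tcp", "10.1.2.3", "198.51.100.7", 443),
                ("tcp", "10.1.2.3", "198.51.100.7", 23),
                ("tcp", "203.0.113.5", "192.0.2.10", 443),
                ("tcp", "203.0.113.5", "10.0.0.5", 3389)]:
        print(pkt, "->", evaluate(*pkt))
    print("shadowed:", shadowed_rules(RULES + [Rule("allow", "tcp", "10.0.0.0/8", "any", 23)]))
```

The point to take from the evaluator is that rule order is part of the policy: the deny for Telnet sits first so a later, broader allow cannot quietly reopen it, and `shadowed_rules` flags exactly that mistake when an allow is appended below it.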
● Proxies
○ Mediates communications between untrusted endpoints & trusted endpoints
○ Proxy types
■ Circuit
■ Relays sessions between trusted & untrusted hosts at the transport/session layer
without inspecting application content (e.g., SOCKS)
■ Application-Level
■ Understands one specific application protocol (e.g., HTTP) & relays & inspects
that traffic between a trusted endpoint & an untrusted one
● Denial-of-Service
○ An attack which denies service by overloading a target w/ traffic or exhausting its
resources
○ Types
■ Volume Based attack
■ Protocol attack
■ Application Layer attack
○ Common attack types
■ SYN Flooding
■ An attack against the initial handshake in a TCP connection: many SYNs,
often from spoofed sources, are never completed, filling the half-open
connection table
■ Smurf
■ Misuses ICMP echo requests sent to a broadcast address w/ the victim’s
spoofed source IP, so every host on the subnet replies to the victim
■ Fraggle
■ Same technique w/ UDP echo (port 7) & chargen (port 19) traffic
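Added example (not part of the original notes): detection logic in Python for the three attack types listed above, run over a constructed packet log rather than a real capture. The record layout, the monitored subnet (192.0.2.0/24), the SYN threshold and the one-second window are assumptions chosen for the demo.

```python
"""Added example (not from the page): spotting SYN flood, Smurf and Fraggle
patterns in a constructed packet log. Thresholds and addresses are assumptions."""
import ipaddress
from collections import defaultdict
from typing import List, Tuple

# Each record: (timestamp_seconds, proto, src, dst, dst_port, info)
# info is "S" for a TCP SYN without ACK, "echo-request" for ICMP type 8, "" otherwise.
Packet = Tuple[float, str, str, str, int, str]

SYN_THRESHOLD = 50        # half-open SYNs to one host inside WINDOW seconds (assumed)
WINDOW = 1.0
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed: our monitored network


def is_directed_broadcast(addr: str) -> bool:
    """Smurf/Fraggle amplify by hitting a subnet's broadcast address."""
    a = ipaddress.ip_address(addr)
    return any(a == n.broadcast_address for n in LOCAL_NETS)


def detect(packets: List[Packet]) -> List[tuple]:
    alerts = []
    syns = defaultdict(list)                      # dst -> [(ts, src), ...]
    for ts, proto, src, dst, dport, info in packets:
        if proto == "tcp" and info == "S":
            syns[dst].append((ts, src))
        elif proto == "icmp" and info == "echo-request" and is_directed_broadcast(dst):
            # every live host on the subnet answers, all to the (spoofed) src
            alerts.append(("smurf", dst, src))
        elif proto == "udp" and dport in (7, 19) and is_directed_broadcast(dst):
            # UDP echo (7) / chargen (19) to a broadcast address: Fraggle
            alerts.append(("fraggle", dst, src))
    for dst, events in syns.items():
        events.sort()
        start = 0
        for end in range(len(events)):           # sliding window over SYN times
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            count = end - start + 1
            if count >= SYN_THRESHOLD:
                distinct = len({s for _, s in events[start:end + 1]})
                alerts.append(("syn-flood", dst, count, distinct))
                break
    return alerts


def sample_traffic() -> List[Packet]:
    """Constructed traffic, not a real capture."""
    pk: List[Packet] = []
    # normal web sessions to the DMZ server: a few SYNs over a minute
    for i in range(5):
        pk.append((10.0 + i * 12, "tcp", "198.51.100.7", "192.0.2.10", 443, "S"))
    # SYN flood: 60 SYNs from spoofed, all-different sources in half a second
    for i in range(60):
        pk.append((100.0 + i * 0.008, "tcp", f"203.0.113.{i + 1}", "192.0.2.20", 80, "S"))
    # Smurf: echo request to our broadcast address with the victim as source
    pk.append((150.0, "icmp", "192.0.2.99", "192.0.2.255", 0, "echo-request"))
    # Fraggle: UDP echo to the broadcast address, same spoofed victim
    pk.append((151.0, "udp", "192.0.2.99", "192.0.2.255", 7, ""))
    return pk


if __name__ == "__main__":
    for a in detect(sample_traffic()):
        print(a)
```

The distinct-source count in the SYN flood alert is what separates a flood from one busy client: fifty half-open connections from fifty addresses that never complete the handshake is the signature, while the same count from a single host is more likely a misbehaving client. Smurf and Fraggle are flagged on the broadcast destination alone, because a router that drops directed broadcasts at the edge removes both attacks outright.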
● Spoofing
○ Forging identifying information (an address, a sender, a name) so traffic appears to
come from someone else
○ Most common spoofing types
■ IP address
■ Email
■ DNS
● Wireless Technologies
○ Most common
■ Wi-Fi
■ Bluetooth
■ Cellular
○ Disadvantage
■ Transmission security of wireless networks
■ Wireless networks are only as strong as their authentication
methods & protocols
● Wireless Security Methods and Issues
○ Open System Authentication
■ The default authentication protocol for the 802.11 standard; any client is accepted
without presenting credentials
○ WEP
■ Wired Equivalent Privacy Protocol
■ A basic security feature in 802.11 that uses RC4 w/ a short static key & weak
initialization vectors
■ Insecure: the key can be recovered in minutes from captured traffic
■ Shouldn’t be used
○ WPA and WPA2
■ Wi-Fi Protected Access
■ Improves user authentication & data encryption; WPA uses TKIP as an interim fix
for WEP-era hardware, WPA2 uses AES-CCMP & is the minimum to deploy (WPA3
supersedes both)
● Wireless Security Attacks
○ Parking lot
■ Attackers sit near an organization & try to access internal hosts via the
wireless network
○ Shared key authentication flaw
■ A passive attack: eavesdropping on both the challenge & the response of WEP
shared key authentication reveals the RC4 keystream, which can then be reused
○ SSID flaw
■ Service set identifier
■ Attackers target access points left w/ their default SSID & default administrative
configuration
■ Persistent-mode
■ Activates every time the system starts
■ Memory-based
■ No persistent code
■ User-mode
■ Hooks APIs in user or application space
■ Kernel-mode
■ Runs w/ kernel privileges, above any user account including administrators, so it
can hide from user-mode tools
● Scanners
○ Work to detect & remove malicious code
○ First Generation
■ Simple scanners
■ Malware signature required
○ Second Generation
■ Heuristic scanners
○ Third Generation
■ Activity traps
○ Fourth Generation
■ Full-featured protection
● Malware Countermeasures
○ Code signing
■ Confirms the authenticity & integrity of software through the use of digital
signatures
○ Sandboxing
■ An isolated environment where suspicious code can be executed to see
how it will react
○ Static code analysis
■ Source code is examined without running it to find security errors which compilers
cannot detect
● Social Engineering
○ Methods which an attacker can use to trick a victim into doing things or giving
information
○ Examples
■ Baiting
■ Attracting victims by dangling something in front of them
■ Vishing
■ Uses voice calls or an IVR system to trick victims into giving passwords
■ Pretexting
■ An invented scenario, often impersonating an authority figure, used to obtain
information
■ Quid Pro Quo
■ A request for information in exchange for compensation
■ Tailgating
■ Someone follows you into a restricted area
● File Extensions
○ File names, extensions included, can be up to 255 characters long
○ Only the last file extension counts: invoice.pdf.exe is an executable, whatever it looks
like
○ File icons can be changed too, so neither the name nor the icon proves the file type
● Insider Threats
○ Patterns
■ Remote access at odd times
■ Unnecessarily copying material
■ Works odd hours w/o authorization
○ Countermeasures
■ Monitor logs & accounts
■ Control external access & data downloads
■ Protect critical information
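Added example (not part of the original notes): the "monitor logs & accounts" countermeasure applied to the three patterns listed above, in Python over constructed log lines. The log format, the working-hours window (07:00 to 18:59), the 100 MiB bulk-copy limit and the user names are assumptions made for the demo.

```python
"""Added example (not from the page): flagging insider-threat patterns (remote
access at odd times, bulk copying) from constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

WORK_HOURS = range(7, 19)              # 07:00-18:59 counts as normal (assumed)
BULK_BYTES = 100 * 1024 * 1024         # copies of 100 MiB or more to USB are suspicious (assumed)

# Constructed lines in a hypothetical "timestamp event key=value ..." format.
SAMPLE_LOG = """\
2024-03-04T02:13:55 vpn-login user=jsmith src=203.0.113.9
2024-03-04T02:20:01 file-copy user=jsmith path=/finance/q1-forecast.xlsx bytes=734003200 dst=usb
2024-03-04T10:05:11 vpn-login user=amiller src=198.51.100.2
2024-03-04T10:30:00 file-copy user=amiller path=/docs/notes.txt bytes=2048 dst=share
2024-03-04T23:40:00 vpn-login user=jsmith src=203.0.113.9
2024-03-09T14:00:00 vpn-login user=amiller src=198.51.100.2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) (?P<rest>.*)$")


def parse_line(line: str) -> dict:
    """Split one log line into its timestamp, event name and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    fields["event"] = m.group("event")
    return fields


def analyze(log: str) -> Dict[str, List[str]]:
    """Return user -> list of pattern names that fired, in log order."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        if rec["event"] == "vpn-login":
            if ts.hour not in WORK_HOURS:
                findings[user].append("off-hours remote access")
            if ts.weekday() >= 5:                    # Saturday or Sunday
                findings[user].append("weekend remote access")
        elif rec["event"] == "file-copy":
            if rec["dst"] == "usb" and int(rec["bytes"]) >= BULK_BYTES:
                findings[user].append("bulk copy to removable media")
    return dict(findings)


if __name__ == "__main__":
    for user, hits in analyze(SAMPLE_LOG).items():
        print(user, hits)
```

None of these findings is proof of anything on its own; the value is in correlating them per user, which is why the function groups by account rather than emitting one alert per line. A single night-time VPN login is routine, a night-time login followed minutes later by a 700 MB copy of finance data to a USB device is the pattern the list above describes.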
● Phishing
○ The attempt to acquire sensitive information by masquerading as a trustworthy
entity
■ Common types
■ General phishing
■ Spear phishing
● Attacks
○ XSS
■ Cross-Site Scripting
■ A vulnerability in a website that lets an attacker inject script into pages served to
other users, where it runs in their browsers w/ the site’s privileges
○ Zero-Day Exploits
■ An attack that exploits a previously unknown vulnerability
○ APT
■ Advanced Persistent Threats
■ Uses multiple phases to break in, avoid detection, and collect information
for a long period of time
■ The Five Stages of an APT attack
■ Reconnaissance
■ Incursion
■ Discovery
■ Capture
■ Exfiltration
○ Brute Force
■ The act of trying every possible combination of passwords until the
correct one is found
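Added example (not part of the original notes): the XSS entry above shown as a vulnerable HTML renderer beside its hardened form, in Python using only the standard library. The page template, the helper names and the sample payloads are hypothetical; the hardening is ordinary output encoding plus scheme validation for URLs.

```python
"""Added example (not from the page): cross-site scripting, vulnerable rendering
next to context-aware output encoding."""
import html
from urllib.parse import urlsplit


def render_results_vulnerable(query: str) -> str:
    # Untrusted input concatenated straight into the HTML response body:
    # a query of <script>...</script> becomes live script in every viewer's browser.
    return f"<p>Results for: {query}</p>"


def render_results_safe(query: str) -> str:
    # Hardened: escape for the HTML text context so the browser treats it as data.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def safe_href(url: str) -> str:
    """Attribute context needs more than escaping: 'javascript:alert(1)' survives
    html.escape untouched, so only http(s) URLs are allowed through."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "about:blank"
    return html.escape(url, quote=True)


def render_link_safe(url: str, label: str) -> str:
    # Each context (text node, attribute value) gets the encoding that context needs.
    return f'<a href="{safe_href(url)}">{html.escape(label, quote=True)}</a>'


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(render_results_vulnerable(payload))   # script tag reaches the browser intact
    print(render_results_safe(payload))         # rendered as literal text
    print(render_link_safe("javascript:alert(1)", "click"))
```

The two points practitioners most often miss are both in `safe_href`: escaping is specific to where the data lands (text node, attribute, URL, JavaScript), and in a URL attribute the dangerous part is the scheme, which no amount of HTML escaping changes.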
● Payloads
○ Backdoor Trojans
■ Programs that share the primary functionality of enabling a remote
attacker to have access to a compromised computer
○ Man-in-the-Middle Malcode
■ An attacker gets in the middle of a conversation between parties & gains
access to the information they were trying to send to each other
● Malicious Activity Countermeasures
○ Third party certifications: use products which are certified by third party
■ AV-TEST
○ Inspection of processes
■ Look for new or unexpected processes
■ Ex. malware masquerading as explorer.exe; check the path, parent process &
signature, not just the name
○ Inspection of Windows Registry
■ Database that stores OS settings
● Behavioral Analysis of Malware
○ Static file analysis
■ Looking at file details & characteristics to identify & investigate code
■ File properties
■ File size & time stamp
■ Hash
■ Uniquely identifies the content & determines if a file has been modified
■ Hex editor
■ Shows the raw bytes of a file (magic numbers, embedded strings)
○ Virtual environments
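Added example (not part of the original notes): a static file triage routine in Python that ties together the file extension points made earlier (only the last extension counts, names and icons can lie) and the static file analysis items above (properties, size & timestamp, hash, hex view). The sample files are written to a temporary directory by the code itself, and the magic-number table is a small assumed subset, not a complete signature database.

```python
"""Added example (not from the page): static file triage covering the true
extension, size, timestamp, SHA-256 and a hex view of the leading bytes."""
import datetime
import hashlib
import os
import tempfile
from typing import Dict, List

MAGIC = {            # leading bytes -> what the content actually is (assumed subset)
    b"MZ": "exe",
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"PK\x03\x04": "zip",
}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
RTLO = "\u202e"      # right-to-left override: "photo\u202egnp.exe" displays as "photoexe.png"


def true_extension(name: str) -> str:
    """The extension the OS will act on: text after the last dot, ignoring trailing
    dots and spaces (Windows strips them) and whatever the RTLO trick displays."""
    base = name.rstrip(". ")
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def name_flags(name: str) -> List[str]:
    flags = []
    if RTLO in name:
        flags.append("rtlo-character")
    parts = name.rstrip(". ").split(".")
    if len(parts) > 2 and parts[-2].lower() in DOCUMENT_EXTS:
        flags.append("double-extension")          # e.g. invoice.pdf.exe
    return flags


def triage(path: str) -> Dict[str, object]:
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    head = data[:8]
    content = next((k for m, k in MAGIC.items() if head.startswith(m)), "unknown")
    name = os.path.basename(path)
    ext = true_extension(name)
    flags = name_flags(name)
    if content != "unknown" and content != ext:
        flags.append("extension-content-mismatch")   # icon/name says one thing, bytes another
    return {
        "name": name,
        "size": st.st_size,
        "mtime": datetime.datetime.fromtimestamp(st.st_mtime, datetime.timezone.utc).isoformat(),
        "sha256": hashlib.sha256(data).hexdigest(),   # compare against a known-good hash
        "extension": ext,
        "content": content,
        "hex_head": head.hex(" "),                     # what a hex editor shows first
        "flags": flags,
    }


# Constructed sample files (the MZ bytes are a PE header stub, not real malware).
SAMPLES = {
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "report.pdf": b"%PDF-1.7\n%constructed sample\n",
    "holiday.png": b"MZ\x90\x00" + b"\x00" * 20,
    "notes.txt": b"plain text, nothing special\n",
}


def demo() -> Dict[str, Dict[str, object]]:
    """Write the constructed samples to a temp dir and triage them; returns name -> report."""
    reports = {}
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLES.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(body)
            reports[name] = triage(p)
    return reports


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r["extension"], r["content"], r["flags"], r["hex_head"], r["sha256"][:16])
```

The hash alone tells you whether a file matches a known sample; the mismatch flags tell you whether the file is pretending to be something else, which is what the double-extension and changed-icon tricks rely on.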
● Malware mitigation
○ Strategic
■ Management support
■ Defense-in-depth
■ Incident Response teams (CERT)
○ Tactical
■ Hardening systems
■ Backing up data
■ Using security tools
● Essential Characteristics (of cloud computing)
○ On-Demand self service
○ Broad network access
■ Available over the network from standard clients (laptops, phones, workstations)
○ Resource pooling
○ Rapid elasticity
■ Resources can be scaled up & down quickly, often automatically, as demand changes
○ Measured service
● Deployment Models
○ Public
■ Open for use by the general public
■ Ex.
■ Amazon, Microsoft, Google
○ Private
■ Used by a single organization
○ Hybrid
■ Combines two or more different cloud infrastructures
○ Community
■ Used by a group of organizations that have shared concerns
● Service Models
○ SaaS
■ Software as a Service
○ Storage virtualization
■ Abstracts physical disks & flash storage into logical volumes
● Legal & Privacy concerns
○ Applicable law
■ Determines the legal regime applicable to a certain matter
○ Jurisdiction
■ Determines the ability of a national court to decide a case or enforce a
judgement or order
● Cloud Storage
○ IaaS
■ Infrastructure as a Service
■ Volume storage
■ A virtual hard drive
■ Object storage
■ A file share accessed via APIs or web interface
○ PaaS
■ Platform as a Service
■ Structured
■ Information w/ a high degree of organization
■ Unstructured
■ Information that does not reside in a database
○ SaaS
■ Software as a Service
■ Information Storage & Management
■ Utilizes databases
■ Content/File Storage
■ Utilizes object/volume storage
● Data Loss Prevention
○ Cloud storage is subject to leakage
■ Administrator access
■ Configuration changes
■ Lack of controls
○ DLP attempts to protect the data through
■ Discovery & classification
■ Monitoring
■ Enforcement
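Added example (not part of the original notes): the three DLP stages above, discovery & classification, monitoring and enforcement, implemented in Python over a constructed document. The patterns (card numbers validated with a Luhn check, US-style SSNs), the labels and the block-on-external rule are assumptions; the card number used is the standard 4111... test number, not a real account.

```python
"""Added example (not from the page): DLP discovery, classification and
enforcement over constructed text. Patterns and labels are assumptions."""
import re
from typing import List, Tuple

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")      # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")            # US SSN layout (assumed relevant)


def luhn_ok(digits: str) -> bool:
    """Luhn check: cuts false positives such as order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def discover(text: str) -> List[Tuple[str, str]]:
    """Discovery: (kind, matched_text) for each sensitive item found."""
    found = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.append(("card", m.group()))
    for m in SSN_RE.finditer(text):
        found.append(("ssn", m.group()))
    return found


def classify(text: str) -> str:
    """Classification: the highest label the discovered content justifies."""
    kinds = {k for k, _ in discover(text)}
    return "restricted" if kinds & {"card", "ssn"} else "internal"


def redact(text: str) -> str:
    """Mask every finding, keeping the last four digits for investigators."""
    for kind, value in discover(text):
        digits = re.sub(r"[ -]", "", value)
        text = text.replace(value, f"[{kind} ****{digits[-4:]}]")
    return text


def enforce(text: str, destination: str) -> Tuple[str, str]:
    """Monitoring + enforcement for an outbound transfer: restricted data bound for
    an external destination is blocked and only a redacted copy is logged."""
    if classify(text) == "restricted" and destination == "external":
        return "block", redact(text)
    return "allow", text


# Constructed document: one real-format test PAN, one that fails Luhn, one order number.
SAMPLE_DOC = """Order 1234567890123456 shipped. Customer paid with card 4111 1111 1111 1111
(declined card 4111111111111112 earlier). Contact SSN on file: 123-45-6789."""


if __name__ == "__main__":
    print(discover(SAMPLE_DOC))
    print(classify(SAMPLE_DOC))
    print(enforce(SAMPLE_DOC, "external"))
```

The Luhn step is what makes the discovery stage usable: a bare 16-digit regex fires on every order number and tracking code in the document, and a DLP rule that blocks on those gets switched off within a week. Validation keeps the real PAN and discards the look-alikes.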
● Cloud Encryption
○ Encryption implementation at various phases
■ Data in motion
■ IPSEC
■ VPN
■ TLS/SSL
■ Data at rest
■ Data in use
○ Components of cloud encryption
■ Data which needs to be encrypted
■ Encryption engine
■ Encrypting keys
● Data Encryption in IaaS
○ In IaaS the customer is responsible for encrypting its own data
○ Volume Storage Encryption
■ Instance based
■ The encryption engine is located in the instance
■ Proxy-Based
■ Encryption is performed by a proxy appliance between the instance & the storage
○ Object Storage Encryption
■ File-level encryption
■ Each file is encrypted individually before it is stored
■ Application-Level Encryption
■ Encryption engine is in the application
● Other Approaches to Data Protection
○ Data Masking/Obfuscation
■ Random Substitution