Thor's Study Guide - CISM Domain 2

The document provides an overview of information security risk management concepts including risk identification, assessment, analysis, response and mitigation. It discusses types of attackers, software and network vulnerabilities, secure network devices, protocols, topologies and controls. The document also covers wireless technologies, mobile security, virtualization and the internet of things.


Contents

Introduction to Domain 2: Information Security Risk Management ........................................................3


Risk Management – Identification .........................................................................................................3
Risk Management – Assessment............................................................................................................4
Risk Analysis .........................................................................................................................................4
Risk Management – Risk Response and Mitigation.................................................................................7
Types of Attackers ................................................................................................................................7
Software Vulnerabilities and Attacks ................................................................................................... 10
Network Basics and Definitions ........................................................................................................... 14
SIEM and SOAR Systems...................................................................................................................... 16
The OSI model (Open Systems Interconnect) ....................................................................................... 16
The TCP/IP Model (Internet Protocol Suite) ......................................................................................... 19
MAC Address (BIA) .............................................................................................................................. 21
Protocols ............................................................................................................................................ 21
Cables................................................................................................................................................. 30
LAN Technologies and Protocols .......................................................................................................... 32
Legacy Lan Systems ............................................................................................................................. 33
Physical LAN Topologies ...................................................................................................................... 33
Secure Network Devices and Protocols ................................................................................................ 34
Firewalls ............................................................................................................................................. 37
Preventive and Detective Controls (IDS and IPS) .................................................................................. 39
Secure Communications (Authentication Protocols) ............................................................................. 42
WLAN (Wireless LAN) Technologies and Protocols ............................................................................... 44


Preventive and Detective Controls (Honeypots and Honeynets) ........................................................... 49
Secure Communications (IPSEC) .......................................................................................................... 49
Mobile Security................................................................................................................................... 53
Preventive and Detective Controls (Positive Listing and Removable Media Controls) ............................ 54
Virtualization and Distributed Computing ............................................................................................ 54
Software Vulnerabilities and Attacks ................................................................................................... 57
System Vulnerabilities and Attacks ...................................................................................................... 59
Emanations and Covert Channels ........................................................................................................ 60
The Internet of Things (IoT) ................................................................................................................. 61
WLAN (Wireless LAN) Technologies and Protocols ............................................................................... 61
Cellular Networks ............................................................................................................................... 62
What we covered in Domain 2............................................................................................................. 63
The OSI Model Graphics ...................................................................................................................... 64

2 | Page
https://thorteaches.com/
Thor’s Study Guide – CISM® Domain 2

Introduction to Domain 2: Information Security Risk Management
● As the name indicates, in Domain 2 we look at how we manage our risk.
● What can we do to reduce that risk to an acceptable level?
● 20% of the exam questions on the certification are from this domain.

● We identify all our assets, identify the risks, then we assess the risks with qualitative and
quantitative risk analysis, we respond to the risk (mitigation), and then we monitor the controls.
● We talk about attackers, and the attacks in the OWASP Top 10 (2021).
● We will cover how we secure our communication, software, and systems, by securing our
networking and networking devices.
● We will discuss many networking basics like IP, NAT, PAT, protocols, hardware, software,
wireless and much more from networking.
● Finally, we will talk about what cloud computing is, what our responsibility is to secure it, and
IoT.

● This should be what you are tested on for Domain 2 until the next planned CISM curriculum
change in 2027.

Risk Management – Identification


Risk = Threat * Vulnerability
● The Risk Management lifecycle is iterative.
● Identify our Risk Management team.
● What is in and what is out of scope?
● Which methods are we using?
● Which tools are we using?
● What are the acceptable risk levels, which type of risk appetite
do we have in our enterprise?
● Identify our assets:
o Tangible: Physical hardware, buildings, anything you can
touch.
o Intangible: Data, trade secrets, reputation, …


Risk Management – Assessment


Risk Assessment
● Quantitative and Qualitative Risk Analysis.
● Uncertainty analysis.
● Everything is done on a cost-benefit analysis.
● Risk Mitigation/Risk Transference/Risk Acceptance/Risk
Avoidance.
● Risk Rejection is NEVER acceptable.
● We assess the current countermeasures.
o Are they good enough?
o Do we need to improve on them?
o Do we need to implement entirely new
countermeasures?

Risk Analysis
Qualitative vs. Quantitative Risk Analysis
For any Risk analysis we need to identify our assets. What are we protecting?
● Qualitative Risk Analysis – How likely is it to happen and how bad is it if it happens? This is a
judgment call on a scale (likely/unlikely, minor/major), not a measurement, and relatively quick
to do. Most often done to know where to focus the Quantitative Risk Analysis.
● Quantitative Risk Analysis – What will it actually cost us in $? This is fact-based analysis: the
total $ value of the asset, how much of it we lose and how often; math is involved.
● Threat – A potentially harmful incident (Tsunami, Earthquake, Virus, ...)
● Vulnerability – A weakness that can allow the Threat to do harm. Having a data center in the
tsunami flood area, not earthquake resistant, not applying patches and antivirus, …
● Risk = Threat x Vulnerability.
● Impact - Can at times be added to give a fuller picture. Risk = Threat x Vulnerability x Impact (How
bad is it?).
● Total Risk = Threat x Vulnerability x Asset Value.
● Residual Risk = Total Risk – Countermeasures.

Qualitative Risk Analysis with the Risk Analysis Matrix

Let’s pick an asset: a laptop.
● How likely is one to get stolen or left somewhere?
I would think possible or likely.
● How bad is it if it happens?
That really depends on a couple of things:
o Is it encrypted?
o Does it contain classified or PII/PHI content?
● Let’s say it is likely and a minor issue; on the matrix that puts the loss in the high-risk category.
● Matrix legend: L = Low, M = Medium, H = High, E = Extreme Risk. Where the L, M, H, E
boundaries sit for your organization can be different from this matrix.


It is normal to move high and extreme on to quantitative risk analysis. If mitigation is implemented, we
can maybe move the risk level to “Low” or “Medium”.

Risk Registers
● A risk category to group similar risks.
● The risk breakdown structure identification number.
● A brief description or name of the risk to make the risk easy to discuss.
● The impact (or consequence) if the event actually occurs, rated on an integer scale.
● The probability or likelihood of its occurrence, rated on an integer scale.
● The Risk Score (or Risk Rating) is Probability multiplied by Impact and is often used to
rank the risks.
● Common mitigation steps (e.g., within IT projects) are Identify, Analyze, Plan Response, Monitor
and Control.

Quantitative Risk Analysis

This is where we put a number on our assets and risks.
● We find the asset’s value, how much of it is lost in one incident, what one incident costs, how
often the incident occurs, and what that adds up to per year:
o Asset Value (AV) – How much is the asset worth?
o Exposure Factor (EF) – Percentage of the asset lost in one incident.
o Single Loss Expectancy (SLE) = AV x EF – What does it cost if it happens once?
o Annual Rate of Occurrence (ARO) – How often will this happen each year?
o Annualized Loss Expectancy (ALE) = SLE x ARO – This is what it costs per year if we do
nothing.
● Total Cost of Ownership (TCO) – The mitigation cost: upfront + ongoing cost (normally
operational), spread over the life of the control.

Let’s look at an example.

For the example let’s use a 4-year tech refresh cycle.
● Full disk encryption software and support = $75,000 initial and $5,000 per year.


● Remote wipe capabilities for the laptop = $20,000 initial and $4,000 per year.
● Staff for encryption and help desk = $25,000 per year.

Doing nothing costs us $1,000,000 per tech refresh cycle ($250,000 per year).
Implementing full disk encryption and remote wipe will cost $231,000 per tech refresh cycle
($57,750 per year): $95,000 up front plus 4 x $34,000 in annual costs.
The laptop hardware is a 100% loss regardless. What we are mitigating is the 25 x $9,000 =
$225,000 per year of data loss, by spending $57,750 per year.
This is our ROI (Return on Investment): the yearly TCO ($57,750) is well below the ALE it removes
($225,000) and below the do-nothing ALE ($250,000). This makes fiscal sense; we should implement.
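Here is the laptop case worked in code, as an added example that is not part of the study guide. It first places the risk on a likelihood-by-consequence matrix (an assumed AS/NZS 4360-style layout; the guide notes your organization's L/M/H/E placement may differ), and for High/Extreme results runs the SLE/ALE/TCO math. The per-laptop figures (asset value $10,000 of which $1,000 is hardware, 25 losses per year) are assumptions chosen so the totals reproduce the $250,000 do-nothing ALE and $57,750 per-year TCO above.

```python
"""Qualitative matrix plus quantitative ALE/TCO for the laptop case.

Added example, not from the study guide. The matrix layout and the
per-laptop numbers are assumptions chosen to reproduce the guide's totals.
"""
from dataclasses import dataclass

# Assumed AS/NZS 4360-style 5x5 matrix: rows are likelihood, columns are
# consequence, cells are L/M/H/E. Your organization's placement may differ.
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]
MATRIX = {
    "almost certain": "HHEEE",
    "likely":         "MHHEE",
    "possible":       "LMHEE",
    "unlikely":       "LLMHE",
    "rare":           "LLMHH",
}


def qualitative_rating(likelihood: str, consequence: str) -> str:
    """Return L/M/H/E for a (likelihood, consequence) pair."""
    return MATRIX[likelihood.lower()][CONSEQUENCE.index(consequence.lower())]


def needs_quantitative(rating: str) -> bool:
    """High and Extreme risks normally move on to quantitative analysis."""
    return rating in ("H", "E")


@dataclass
class Control:
    name: str
    initial_cost: float  # one-off, spread over the refresh cycle
    annual_cost: float   # ongoing (normally operational)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: what one incident costs."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               aro: float) -> float:
    """ALE = SLE x ARO: what it costs per year."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def tco_per_year(controls, cycle_years: int) -> float:
    """Up-front cost divided over the cycle, plus each year's running cost."""
    return sum(c.initial_cost / cycle_years + c.annual_cost for c in controls)


def laptop_example() -> dict:
    """The guide's laptop case with assumed per-unit numbers."""
    rating = qualitative_rating("likely", "minor")   # the guide: high risk
    if not needs_quantitative(rating):
        return {"qualitative": rating, "implement": False}

    asset_value = 10_000.0  # assumed: $1,000 hardware + $9,000 data exposure
    aro = 25                # assumed: 25 laptops lost per year (guide: 25 x $9,000)
    cycle_years = 4

    # Do nothing: hardware and data are both lost, EF = 100%.
    ale_before = annualized_loss_expectancy(asset_value, 1.0, aro)
    # With FDE + remote wipe only the hardware is lost, EF = 10%.
    ale_after = annualized_loss_expectancy(asset_value, 0.1, aro)

    controls = [
        Control("full disk encryption", 75_000, 5_000),
        Control("remote wipe", 20_000, 4_000),
        Control("encryption and help desk staff", 0, 25_000),
    ]
    tco = tco_per_year(controls, cycle_years)
    # Value of the control: loss avoided per year minus its cost per year.
    value = (ale_before - ale_after) - tco
    return {
        "qualitative": rating,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "tco_per_year": tco,
        "tco_per_cycle": tco * cycle_years,
        "control_value": value,
        "implement": value > 0,
    }


if __name__ == "__main__":
    for key, val in laptop_example().items():
        print(f"{key:>14}: {val}")
```

The decision rule is the one the guide states, written out: the control pays for itself when what it costs per year (TCO) is less than the ALE it removes (ALE before minus ALE after), not merely less than the do-nothing ALE.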

Types of Risk Responses:


● Accept the Risk – We know the risk is there, but the mitigation is more costly than the cost of the
risk (Low risks). We ensure we have a paper trail, and this was a calculated decision.
● Mitigate the Risk (Reduction) – The laptop encryption/wipe is an example – acceptable level
(Leftover risk = Residual).
● Transfer the Risk – The insurance risk approach – We could get flooding insurance for the data
center, the flooding will still happen, we will still lose 15% of the infrastructure, but we are insured
for cost.
● Risk Avoidance – We don’t issue employees laptops (if possible), or we build the data center in an
area that doesn’t flood. (Most often done before launching new projects – this could be the data
center build).
● Risk Rejection – You know the risk is there, but you are ignoring it. This is never acceptable. (You
are liable).
● Secondary Risk – Mitigating one risk may open another risk.

This area is very testable: learn the formulas and the risk responses, and be able to differentiate
Qualitative and Quantitative Risk.
Qualitative = Think “quality.” This concept is semi-vague, e.g., “pretty good quality.”
Quantitative = Think “quantity.” How many; a specific number.

NIST SP 800-30
NIST 800-30 – United States National Institute of Standards and Technology Special Publication
800-30, Risk Management Guide for Information Technology Systems (the 2002 edition; Revision 1
from 2012 reorganizes the same work into four steps: prepare, conduct, communicate, maintain).
o A 9-step process for Risk Management (risk assessment):
1. System Characterization (Risk Management scope, boundaries, system, and data
sensitivity).
2. Threat Identification (What are the threats to our systems?).
3. Vulnerability Identification (What are the vulnerabilities of our systems?).
4. Control Analysis (Analysis of the current and planned safeguards, controls, and
mitigations).
5. Likelihood Determination (Qualitative – How likely is it to happen?).
6. Impact Analysis (Qualitative – How bad is it if it happens? Loss of CIA).
7. Risk Determination (Look at 5-6 and determine the risk and associated risk levels).
8. Control Recommendations (What can we do to mitigate, transfer, … the risk?).
9. Results Documentation (Documentation with all the facts and recommendations).


Risk Management
Risk Response and Mitigation
● Risk mitigation, transference, acceptance, or avoidance.
● We act on senior managements choices, which they made based on
our recommendations from the assessment phase.
● Do we stop issuing laptops, or do we add full-disk encryption and
remote wipe capabilities?
● We update the risk register, with the mitigations, the risk responses
we chose and see if the new risk level is acceptable.

Risk and Control Monitoring and Reporting

● The process is ongoing; we have to keep monitoring both the risk
and the controls we implemented.
● This is where we would use the KRIs (Key Risk Indicators).
● We would also use KPIs (Key Performance Indicators).
● You are the translating link; you have to be able to explain IT and IT
Security to Senior Management in terms they can understand.
● It is normal to do the Risk Management lifecycle on an annual basis
and do out-of-cycle Risk Management on critical items.

Types of Attackers
● Hackers:
o Now: Anyone trying to get access to or disrupt any leg of the CIA Triad (Confidentiality,
Integrity, Availability).
o Original use: Someone using something in a way not intended.
o White Hat hackers: Professional pen testers trying to find flaws so we can fix it (Ethical
hackers).
o Black Hat hackers: Malicious hackers, trying to find flaws to exploit them (Crackers – they
crack the code).
o Gray/Grey Hat hackers: They are somewhere between the white and black hats, they go
looking for vulnerable code, systems, or products. They often just publicize the
vulnerability (which can lead to black hats using it before a patch is developed). Gray hats
sometimes also approach the company with the vulnerability and ask them to fix it and if
nothing happens, they publish.
o Script Kiddies: They have little or no coding knowledge, but many sophisticated hacking
tools are available and easy to use. They pose a very real threat and can do as much damage
as skilled hackers, precisely because they often have no clue what the tools are doing.


Where attacks come from (breakdown from the guide’s chart):
● Internal threats (38-52%):
o Employee actions or mistakes (24%)
o Internal theft (8%)
o Lost or improper disposal (6%)
● External threats (48-62%):
o Phishing, hacking and malware (31%)
o External theft (17%)
● Can be both (14%): Vendors, counted as internal or external, which is why the two
ranges overlap.

● Outsiders:
o Unauthorized individuals trying to gain access; they launch the majority of attacks but
are often mitigated if the organization has good Defense in Depth.
o Interception, malicious code (e.g., virus, logic bomb, trojan horse), sale of personal
information, system bugs, system intrusion, system sabotage or unauthorized system
access.
o 48-62% of incidents are from outsiders.
● Insiders:
o Authorized individuals (not necessarily authorized to the compromised system) who
intentionally or unintentionally compromise the system or data.
o This could be assault on an employee, blackmail, browsing of proprietary information,
computer abuse, fraud and theft, information bribery, input of falsified or corrupted data.
o 38-52% of incidents are from insiders, another reason good Authentication and
Authorization controls are needed.
● Hacktivism/Hacktivist (hacker activist):
o Hacking for political or socially motivated purposes.
o Often aimed at ensuring free speech, human rights, freedom of information movement.


● Governments:
o State sponsored hacking is common; often you see the attacks happening between the
hours of 9 and 5 in that time zone; this is a day job.
o Approximately 120 countries have been developing ways to use the internet as a weapon
to target financial markets, government computer systems and utilities.
o Famous attacks: US elections (Russia), Sony websites (N. Korea), Stuxnet (US/Israel), US
Office of Personnel Management (China), …
● Bots and botnets (bot is short for robot):
o A bot is a compromised system running malware that takes orders from a botnet controller.
o The system is compromised by an attack or by the user installing a remote access Trojan
(a game or application with a hidden payload).
o The command channel often uses IRC, HTTP or HTTPS, so it blends in with normal traffic.
o Some bots are dormant until activated.
o Others are actively sending data from the system (credit card/bank information, for
instance).
o Active bots can also be used to send spam emails.
● A botnet is a C&C (Command and Control) network of bots, controlled by people
(bot-herders).
o There can often be thousands or even hundreds of thousands of bots in a botnet.
● Phishing, spear phishing and whale phishing (fishing spelled in hacker speak with Ph, not F).
o Phishing (social engineering email attack):
▪ Click to win, send information to get your inheritance, …
▪ Sent to a million people; if just 0.02% follow the instructions, they have 200
victims.
o Spear Phishing: Targeted phishing, not just random spam, but targeted at specific
individuals.
▪ Sent with knowledge about the target (person or company); familiarity increases
success.
o Whale Phishing (Whaling): Spear phishing targeted at senior leadership of an
organization.
▪ This could be: “Your company is being sued if you don’t fill out the attached
documents (with trojan in them) and return them to us within 2 weeks”.
o Vishing (Voice Phishing): Attacks over automated VOIP (Voice over IP) systems, bulk spam
similar to phishing.
▪ These are: “Your taxes are due”, “Your account is locked” or “Enter your PII to
prevent this” types of calls.


Software Vulnerabilities and Attacks


OWASP (Open Web Application Security Project):
● Top 10 of the most common web security issues

https://owasp.org/www-project-top-ten/
● A01:2021 - Broken Access Control:
o It is not implemented consistently across an entire application.
o It can be done correctly in one location but incorrectly in another.
o We need a centralized access control mechanism, and we write the tricky logic once and
reuse it everywhere.
o This is essential both for writing the code correctly and for making it easy to audit later.
o Many access control schemes were not deliberately designed but have simply evolved
along with the website.
o Inconsistent access control rules are often inserted in various locations all over the code,
making it near impossible to manage.
o One especially dangerous type of access control vulnerability arises from web-accessible
administrative interfaces, frequently used to allow site administrators to efficiently
manage users, data, and content on their site.

o What can we do?
We can deny by default, limit user rights, use role-based access control, put the access check in
one central place and call it for every request and every object (not just every page), strong
passwords, MFA, log/act on access control failures, proper user and session management, ...
● https://owasp.org/Top10/A01_2021-Broken_Access_Control/
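The “write the tricky logic once and reuse it everywhere” point, as an added example that is not from the study guide or OWASP. The vulnerable handler only checks that someone is logged in, so any customer can read any invoice by changing the id (an insecure direct object reference). The hardened version routes every decision through one authorize() with a deny-by-default policy table that also gets the object, so ownership is checked, not just role. The users, roles and invoice records are constructed sample data.

```python
"""Broken access control (A01): an IDOR next to a centralized, deny-by-default check.

Added example, not from the study guide or OWASP. The users, roles and the
'invoice' records are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


class Forbidden(Exception):
    pass


# Constructed data: each invoice belongs to one customer.
INVOICES = {
    101: {"owner": "alice", "amount": 120.0},
    102: {"owner": "bob", "amount": 980.0},
}


# --- Vulnerable: "is logged in" is the only check. Any customer can read any
# invoice by changing the id in the request (an insecure direct object reference).
def get_invoice_vulnerable(user, invoice_id):
    if user is None:
        raise Forbidden("login required")
    return INVOICES[invoice_id]


# --- Hardened: one policy table and one authorize() that every handler calls.
# A (role, action, resource type) not listed here is denied; listed rules still
# receive the object so they can check ownership, not just the role.
POLICY = {
    ("customer", "read", "invoice"): lambda user, inv: inv["owner"] == user.name,
    ("finance", "read", "invoice"):  lambda user, inv: True,
    ("finance", "void", "invoice"):  lambda user, inv: True,
}

AUDIT_LOG = []  # access control failures are logged so they can be acted on


def authorize(user, action, resource_type, resource):
    if user is not None:
        for role in user.roles:
            rule = POLICY.get((role, action, resource_type))
            if rule is not None and rule(user, resource):
                return True
    who = user.name if user is not None else "anonymous"
    AUDIT_LOG.append(f"DENY user={who} action={action} type={resource_type}")
    raise Forbidden(f"{action} on {resource_type} denied")


def get_invoice(user, invoice_id):
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        # Same answer as a denial, so ids cannot be enumerated by probing.
        raise Forbidden("read on invoice denied")
    authorize(user, "read", "invoice", invoice)
    return invoice


def void_invoice(user, invoice_id):
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise Forbidden("void on invoice denied")
    authorize(user, "void", "invoice", invoice)
    invoice["voided"] = True
    return invoice
```

Because every handler goes through the same table, an audit of "who can do what" is a read of POLICY rather than a hunt through the code base, which is the second half of the page's argument.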

● A02:2021 - Cryptographic Failures:


o Sites are HTTP rather than HTTPS.
o Data is sent in cleartext.
o Backups, data at rest and data in transit are not encrypted (stored/transmitted in plain
text).
o Using older, weaker, and deprecated encryption algorithms.
o Using deprecated hash functions (MD5, SHA-1) or unsalted password hashes.
o Not monitoring if data is being exfiltrated.
o Improper use of initialization vectors.


o What can we do?

We ensure we do not use deprecated encryption or hashes, data is identified, classified and
protected properly, no clear-text, proper implementation of up-to-date encryption/protocols/keys
(random IVs, never reused with the same key), no caching for responses with sensitive data, only
store sensitive data as long as required, ...

● https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
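The “deprecated hash functions” point for stored passwords, as an added example that is not from the study guide. It puts an unsalted MD5 record next to a salted PBKDF2-HMAC-SHA256 record with a constant-time comparison, and shows how a self-describing record lets the work factor be raised later. Standard library only; the record format is an assumption, and the iteration count is the PBKDF2-HMAC-SHA256 figure from OWASP's Password Storage Cheat Sheet at the time of writing.

```python
"""Password storage (A02): deprecated unsalted MD5 next to salted PBKDF2-HMAC-SHA256.

Added example, not from the study guide. Standard library only; the record
format "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>" is an assumption.
"""
import hashlib
import hmac
import secrets

# Iteration count for PBKDF2-HMAC-SHA256 as given by OWASP's Password Storage
# Cheat Sheet at the time of writing; raise it as hardware gets faster.
ITERATIONS = 600_000


# --- Weak: unsalted MD5. Equal passwords give equal hashes, and a precomputed
# table answers common passwords instantly (no work factor, no salt).
def hash_password_weak(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


# --- Stronger: random per-user salt, slow derivation, constant-time compare.
def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record, so the work factor can be raised later without
    # forcing every user to reset their password.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False            # not one of our records (e.g. a bare MD5 hex)
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(record: str) -> bool:
    """True if the stored record uses an old algorithm or too few iterations.
    Call it after a successful login and re-store with hash_password()."""
    parts = record.split("$")
    if len(parts) < 2 or parts[0] != "pbkdf2_sha256":
        return True
    return int(parts[1]) < ITERATIONS
```

The MD5 value for "password" in the check below is the well-known rainbow-table entry, which is the whole problem: without a salt and a work factor the hash is a lookup key, not a secret.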

● A03:2021 – Injection:
o Can be any code injected through user input (forms, URL parameters, headers). Often seen
is SQL/NoSQL/OS command/LDAP injection.
o Attackers can do this because our software does not use:
▪ Strong enough input validation and data type limitations on input fields.
▪ Input length limitations.
▪ Parameterized queries/safe APIs, so user data gets concatenated into the command.
o CGI (Common Gateway Interface):
▪ Standard protocol for web servers to execute programs on the server that generate
web pages dynamically. The CGI program is the boundary between the untrusted
(user) side and the trusted (database) side, so it is where input must be validated;
CGI itself does no filtering.

o What can we do?


▪ The fix is to do just that, we only allow users to input appropriate data into the
fields, only letters in names, numbers in phone number, have dropdowns for
country and state (if applicable), we limit how many characters people can use per
cell, use secure APIs, ...
▪ Separating the data from the web application logic.
▪ Implement settings and/or restrictions to limit data exposure in case of successful
injection attacks.
● https://owasp.org/Top10/A03_2021-Injection/
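The SQL case, as an added example that is not from the study guide: a query built by string concatenation next to the same query with a placeholder, plus the guide's "only appropriate data in the field" check as a second layer. It uses an in-memory SQLite database with constructed rows; the users table and the lookup function are assumptions.

```python
"""SQL injection (A03): string-built query next to a parameterized one.

Added example, not from the study guide. Uses an in-memory SQLite database
with constructed rows; the users table and the lookup function are assumptions.
"""
import re
import sqlite3


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-of-alices-password", "admin"),
        ("bob", "hash-of-bobs-password", "user"),
    ])
    return conn


# --- Vulnerable: the username becomes part of the SQL text, so quotes in it
# change the statement. A value of  ' OR '1'='1  returns every row, and
# x' UNION SELECT password_hash, role FROM users--  returns the hashes.
def find_user_vulnerable(conn, username: str):
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


# --- Fixed: a placeholder. The driver sends the value separately from the
# statement, so whatever it contains is compared as data, never parsed as SQL.
def find_user(conn, username: str):
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# --- Second layer, the guide's "only letters in names": a positive pattern
# for what a username may look like, enforced before the value reaches the
# database. This limits the input; the placeholder above is what makes the
# query safe.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username: str) -> str:
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username may contain only a-z, 0-9 and _ (1-32 chars)")
    return username
```

The third layer the page mentions, limiting exposure if an injection does succeed, is done outside the code: the application's database account gets SELECT on the columns it needs (here username and role, not password_hash) and nothing else.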

● A04:2021 - Insecure Design:


o When we design our web applications, we need to design them securely.
o This is a broad category: not just individual design flaws, but missing or ineffective
controls, any weakness in the design that an attacker could exploit.
o Not to be confused with insecure implementation.
▪ We can have a securely designed app and still implement it insecurely.
▪ However, we can't fix an insecure design with a flawless implementation.
o What can we do?
▪ We have our software developers use secure design patterns and reference
architectures to build applications.
▪ Our organization should have libraries with references and patterns.
▪ Before finalizing our application design, we threat model it, and we have a red team
penetration test the result.
● https://owasp.org/Top10/A04_2021-Insecure_Design/


● A05:2021 - Security Misconfiguration:


o Databases configured wrong.
o Not removing out-of-the-box default access and settings.
o Keeping default usernames and passwords.
o VM, OS, webserver, DBMS, applications, are not patched and up to date.
o Unnecessary features are enabled or installed. This could be open ports, services, pages,
accounts, privileges, ...
o With so much being cloud now, misconfiguration is more prevalent: there are many more
options, and many more security settings that admins can (and do) disable.

o What can we do?


o It is simple; server hardening, proper patching, do not disable security features unless we
are completely clear on why and we have done proper risk analysis.
● https://owasp.org/Top10/A05_2021-Security_Misconfiguration/

● A06:2021 - Vulnerable and Outdated Components:


o Vulnerable components can be both client and server-side (OS, web/application server,
database management system (DBMS), applications, APIs and all components, runtime
environments, libraries, …).
o Developers use deprecated code or objects that are known to be unsecure.
▪ Mostly happens because developers are used to the old code or the library, they
could be uncertain about new code, or they are afraid to break anything.

o What can we do?


o Proper patch management, scan for vulnerabilities, make sure we don’t use deprecated
code, keep a continuous inventory of both server-side and client-side components and
their dependencies, delete unused programs and features.
● https://owasp.org/Top10/A06_2021-
Vulnerable_and_Outdated_Components/

● A07:2021 - Identification and Authentication Failures:


o Sessions do not expire or take too long to expire.
o Session IDs are predictable or part of the URL; 001, 002,
003, 004, …
o Tokens, Session IDs, Passwords, are kept in plaintext or
are poorly protected (poor encryption and hashing).
o Weak/default passwords and knowledge-based password
recovery.

o What can we do?


o MFA, sessions expire, non-predictable sessions, no
plaintext anywhere, no session ID in URL, proper secure
encryption, no default/weak passwords, log login failures, alert admins when detecting
brute force, credential stuffing, and any other attacks.
● https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
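The session half of this item, as an added example that is not from the study guide: a predictable counter id next to a random server-side session with idle and absolute expiry and rotation on login. The in-memory store, the 15-minute idle timeout and the 8-hour absolute lifetime are assumptions.

```python
"""Session management (A07): a predictable counter id next to a random,
server-side session with idle and absolute expiry plus rotation on login.

Added example, not from the study guide. The in-memory store, the 15-minute
idle timeout and the 8-hour absolute lifetime are assumptions.
"""
import secrets
import time

# --- Weak: sequential ids (001, 002, ...). Seeing your own id tells you the
# next user's, and ids that never expire stay valid for stolen copies.
_counter = 0


def new_session_id_weak() -> str:
    global _counter
    _counter += 1
    return f"{_counter:06d}"


# --- Stronger: 256 random bits from the OS CSPRNG, kept server-side, sent
# only in a cookie (never in the URL), and expired on two clocks.
IDLE_TIMEOUT = 15 * 60         # assumed: end after 15 min without a request
ABSOLUTE_LIFETIME = 8 * 3600   # assumed: and always after 8 h, active or not


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be tested

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid: str):
        """Return the user for a live session, or None (and drop it) if expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if (now - s["last_seen"] > IDLE_TIMEOUT
                or now - s["created"] > ABSOLUTE_LIFETIME):
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def rotate(self, sid: str):
        """Issue a fresh id for the same session after login or a privilege
        change, so an id planted before login (session fixation) is useless."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = s
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```

Two timers matter: the idle timeout limits how long an unattended browser stays logged in, the absolute lifetime bounds how long a stolen id is useful even if the attacker keeps it active.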


● A08:2021 - Software and Data Integrity Failures:


o When our applications use code, plugins, libraries, or modules from untrusted sources.
o Insecure CI/CD pipelines or unverified updates.
o Software with automatic updates without enough integrity checks.

o What can we do?


o Use digital signatures/hashes to verify the code/data is from the right source and is
unaltered.
o Make sure libraries and dependencies are pulled from trusted repositories, and pinned.
o Deploy software supply chain tools to make sure components do not contain known
vulnerabilities.
o Ensure our CI/CD pipeline has proper segregation, configuration, and access control.
▪ This should ensure the integrity of the code throughout the build and deploy
processes.
● https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/
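The “hashes to verify the code is unaltered” point, as an added example that is not from the study guide: the trusted side records a digest per reviewed component, and the consumer refuses anything unpinned or whose bytes differ before any of it is installed. The lock file format, the artifacts and the tampered copy are constructed; real tooling such as pip's --require-hashes or a signed manifest does this with more machinery.

```python
"""Software and data integrity (A08): pin a digest for each component and
refuse anything that does not match before it is used.

Added example, not from the study guide. The lock file (name -> sha256 hex),
the artifacts and the tampered copy are constructed.
"""
import hashlib
import hmac


class IntegrityError(Exception):
    pass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin(artifacts: dict) -> dict:
    """Trusted side: record the digest of each reviewed artifact. The result
    is committed next to the code and reviewed like code."""
    return {name: sha256_hex(data) for name, data in artifacts.items()}


def verify(name: str, data: bytes, lockfile: dict) -> bytes:
    """Consumer side: refuse unpinned names and mismatched bytes."""
    expected = lockfile.get(name)
    if expected is None:
        raise IntegrityError(f"{name}: not in lock file (unpinned dependency)")
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"{name}: digest mismatch, expected {expected[:12]}..., "
                             f"got {actual[:12]}...")
    return data


def install(downloads: dict, lockfile: dict) -> list:
    """Verify every download before any is installed: one bad artifact aborts
    the whole install rather than leaving a half-trusted tree."""
    for name, data in downloads.items():
        verify(name, data, lockfile)
    return list(downloads)
```

A pinned digest proves the bytes are the ones that were reviewed; it says nothing about who published them. The digital signatures the page lists add that second property, and the same refuse-before-install structure applies.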

● A09:2021 - Security Logging and Monitoring Failures:


o When our intrusion monitoring and reporting systems fail to catch and report signs of
intrusion.
o Result of poor configuration, ineffective alert thresholds, or logs saved just locally.
o Attacks go unnoticed if we do not act on appropriate logs or alerts.

o What can we do?


o Implement proper monitoring and logging, ensure we log/report all failed login attempts
and server-side validations.
o Logs are generated in a format that our log management system can easily use, logs are
kept long enough.
o Logs are kept secure and protected against injection or any other type of attack.
o Audit trails on high-value transactions.
o Have a proper incident response and recovery plan.
● https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures
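The “log all failed login attempts” and “alert on brute force and credential stuffing” points, as an added example that is not from the study guide: detection logic run over constructed authentication log lines, with a sliding window per source and a count of unparseable lines (logs that silently fail to parse are exactly the failure this category is about). The line format, the 5-minute window and both thresholds are assumptions.

```python
"""Logging and monitoring (A09): detection logic run over authentication
logs, alerting on brute force and credential stuffing.

Added example, not from the study guide. The log line format
("<ISO time> login <ok|fail> user=<name> src=<ip>"), the 5-minute window
and the two thresholds are assumptions; SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) login (ok|fail) user=(\S+) src=(\S+)$")

WINDOW = timedelta(minutes=5)
BRUTE_FORCE_FAILS = 10        # assumed: 10+ failures from one source in the window
STUFFING_DISTINCT_USERS = 5   # assumed: failures against 5+ different accounts


def parse(line: str):
    """Return (timestamp, result, user, src) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result, user, src


def detect(lines):
    """Return alerts as (kind, src, detail); each source fires once per kind.
    Unparseable lines are counted and reported rather than dropped."""
    recent = defaultdict(deque)   # src -> deque of (ts, user) failures in window
    alerts, fired, unparsed = [], set(), 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1
            continue
        ts, result, user, src = rec
        if result != "fail":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= BRUTE_FORCE_FAILS and ("brute_force", src) not in fired:
            fired.add(("brute_force", src))
            alerts.append(("brute_force", src, f"{len(q)} failures within {WINDOW}"))
        if (len(users) >= STUFFING_DISTINCT_USERS
                and ("credential_stuffing", src) not in fired):
            fired.add(("credential_stuffing", src))
            alerts.append(("credential_stuffing", src, f"{len(users)} accounts tried"))
    if unparsed:
        alerts.append(("unparsed_lines", "-", f"{unparsed} line(s) not parsed"))
    return alerts


# Constructed sample: one source hammering 'admin', one source trying six
# accounts once each, one source with three failures spread over 20 minutes.
_base = datetime(2024, 3, 1, 8, 0, 0)


def _at(seconds: int) -> str:
    return (_base + timedelta(seconds=seconds)).isoformat()


SAMPLE_LOG = (
    [f"{_at(10 * i)} login fail user=admin src=203.0.113.5" for i in range(12)]
    + [f"{_at(600 + 5 * i)} login fail user=user{i} src=198.51.100.7" for i in range(6)]
    + [f"{_at(1200 + 600 * i)} login fail user=bob src=192.0.2.9" for i in range(3)]
    + [f"{_at(1300)} login ok user=alice src=192.0.2.10",
       "garbage line the parser cannot read"]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The same two rules keyed on the target account instead of the source would catch a distributed attack on one user; in a SIEM that is one more correlation rule over the same events.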

● A10:2021 - Server-Side Request Forgery:


o Web applications usually trigger requests between HTTP servers, to fetch remote
resources, such as software updates, or to import metadata from a URL or another web
application.
o Usually benign, but if not implemented correctly, they can make a server vulnerable to
SSRF.
o Normally an attacker can’t access an internal server because it would be blocked by the
firewall. To get around that the attacker can exploit an SSRF vulnerability to launch their
attack using a vulnerable web server.
o The attacker changes a parameter value in the vulnerable web application to create or
control requests from the vulnerable server.


o What can we do?


▪ Network layer: Segment remote resource access
functionality in separate networks. Enforce “deny by
default” to block all non-essential intranet traffic.
▪ Application layer: Sanitize and validate all client-
supplied input data.
▪ Enforce the URL schema, port, and destination with a
positive allow list.
▪ Do not send raw responses to clients. Disable HTTP
redirections.
● https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/
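The application-layer controls above (“enforce the URL schema, port, and destination with a positive allow list”), as an added example that is not from the study guide. The function validates a client-supplied URL before the server would fetch it, including the resolved address, so a name on the allow list that points at an internal range is still refused. The allow list, the port rule and the injected resolve callable are assumptions; no network request is made.

```python
"""Server-side request forgery (A10): validate a client-supplied URL against
a positive allow list before the server fetches it.

Added example, not from the study guide. ALLOWED_HOSTS, the port rule and the
injected `resolve` callable are assumptions; no network request is made, the
function only decides whether a fetch is permitted and to which address.
"""
import ipaddress
from urllib.parse import urlsplit

# Positive allow list: scheme, exact hostnames and ports we are willing to reach.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"updates.example.com", "metadata.partner.example"}
ALLOWED_PORTS = {443}


class SSRFBlocked(ValueError):
    pass


def is_internal(ip: str) -> bool:
    """Loopback, RFC 1918, link-local (which covers the 169.254.169.254 cloud
    metadata endpoint), multicast, reserved and unspecified addresses."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url: str, resolve) -> tuple:
    """Return (host, ip) if the URL may be fetched, otherwise raise SSRFBlocked.

    `resolve` maps a hostname to the IP string it resolves to. Connect to the
    returned ip (with the host in the Host/SNI header) rather than resolving
    again, so the address checked is the address used (no DNS rebinding).
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        # https://allowed.host@127.0.0.1/ parses the allowed name as a username.
        raise SSRFBlocked("credentials in URL not allowed")
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        raise SSRFBlocked(f"host {host!r} not in allow list")
    port = parts.port if parts.port is not None else 443
    if port not in ALLOWED_PORTS:
        raise SSRFBlocked(f"port {port} not allowed")
    ip = resolve(host)
    if is_internal(ip):
        raise SSRFBlocked(f"{host} resolves to internal address {ip}")
    return host, ip
```

This pairs with the page's "disable HTTP redirections": if the fetching client follows redirects, every hop is a new URL that has to pass the same check, otherwise an allowed host can bounce the server to an internal one.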

Network Basics and Definitions


● We use defense-in-depth on our internal network and when our data traverses the internet.
o We do this by ensuring all our network devices, protocols and traffic are as secure as
possible.
● Simplex is one-way communication (one system transmits, the other listens).
● Half-duplex communication sends or receives at one time only (only one system can
transmit at a time).
● Full-duplex communication sends and receives simultaneously (both systems can
transmit/receive at the same time).
● Baseband networks have one channel and can only send one signal at a time.
o Ethernet is baseband: in “1000BASE-T” the 1000 is the speed in megabits, BASE means
baseband, and T means twisted-pair cable (UTP or STP).
● Broadband networks have multiple channels and can send and receive multiple signals at
a time.
● The Internet is a global collection of peered WAN networks; it really is a patchwork of
ISPs.
● An Intranet is an organization's privately owned network; most larger organizations have
them.
● An Extranet is a connection between private Intranets, often connecting business
partners' Intranets.
● Circuit switching - Expensive, but always available, used less often.
o A dedicated communications channel through the network.
o The circuit guarantees the full bandwidth.
o The circuit functions as if the nodes were physically connected by a cable.


● Packet switching - C​heap, but no capacity guarantee, very widely used today.
o Data is sent in packets that can take multiple different paths to the destination.
o The packets are reassembled at the destination.
o QoS (Quality of Service) gives specific traffic priority over other traffic.
▪ Most commonly VOIP (Voice over IP), or other UDP traffic needing close to real
time communication.
▪ Other non-real time traffic is down-prioritized; the 0.25 second delay won’t be
noticed.
● PAN (Personal Area Network) - A computer network used for communication among
computers and other information technology devices close to one person (PCs, printers,
scanners, consoles …).
o Can include wired (USB and FireWire) and wireless devices (Bluetooth and infrared).
● LAN (Local Area Network) - A network that connects computers and devices in a limited
geographical area such as a home, school, office building, or campus.
o Each computer or device on the network is a node; wired LANs are most likely based on
Ethernet technology.
● MAN (Metropolitan Area Network) – A large computer network that usually spans a city or
a large campus.
● WAN (Wide Area Network) - A computer network that covers a large geographic area such
as a city, country, or spans even intercontinental distances. Combines many types of
media such as telephone lines, cables, and air waves.
● VPN (Virtual Private Network) - Sends private data over an insecure network, most often
the Internet, typically inside an encrypted tunnel.
o Your data is sent across a public network but looks and feels private.
● GAN (Global Area Network) - A network used for supporting mobile users across a number
of wireless LANs, satellite coverage areas, …; the transition from one to the next can be
seamless.

SIEM and SOAR Systems

SIEM (Security Information and Event Management)
• Often pronounced SEM or SIM.
• Provides a holistic view of our organization’s events and incidents.
• Gathers from all our systems and looks at everything.
• Centralizes the storage and interpretation of logs and traffic, and allows near real-time automated identification, analysis, and recovery of security events.

SOAR (Security Orchestration, Automation, and Response):

• A software solution that uses AI to allow us to respond to some security incidents automatically.
• SOAR vs. SIEM: Very similar, both detect/alert on security events, but using AI, SOAR will also react to some events.
o SIEMs often generate more alerts than a SOC team can handle; SOAR can reduce that.
• SOAR combines all the comprehensive data we gather, has case management, standardization, workflows, and analytics, and it can integrate with many of our other solutions (Vulnerability Management (VM), IT Service Management (ITSM), Threat Intelligence, …).
• All this can help our organization implement a detailed defense-in-depth solution.
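An added example, not from the guide, of the kind of near real-time rule a SIEM runs over centralized logs: it correlates a burst of failed logins with a later success from the same source, a pattern that a flood of single "failed login" alerts would hide from the SOC team. The sshd-style log format, the 5-failures-in-5-minutes threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not real data) as a SIEM might receive them.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 host1 sshd: Failed password for admin from 203.0.113.7 port 51001
2024-05-01T10:00:03 host1 sshd: Failed password for admin from 203.0.113.7 port 51002
2024-05-01T10:00:05 host1 sshd: Failed password for root from 203.0.113.7 port 51003
2024-05-01T10:00:06 host1 sshd: Failed password for admin from 203.0.113.7 port 51004
2024-05-01T10:00:08 host1 sshd: Failed password for admin from 203.0.113.7 port 51005
2024-05-01T10:00:09 host1 sshd: Accepted password for admin from 203.0.113.7 port 51006
2024-05-01T10:01:00 host2 sshd: Failed password for bob from 198.51.100.2 port 40000
2024-05-01T10:01:20 host2 sshd: Accepted password for bob from 198.51.100.2 port 40001
2024-05-01T11:30:00 host1 sshd: Accepted publickey for deploy from 192.0.2.10 port 22222
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) \S+ for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_line(line):
    """Normalize one raw line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines, threshold=5, window_seconds=300):
    """Return one alert per (source, host) whose successful login was preceded by
    at least `threshold` failures within `window_seconds` from the same source."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)  # (src, host) -> timestamps of failed logins
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # a real SIEM would count unparsed lines separately
        key = (ev["src"], ev["host"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        # A success: how many failures from this source fall inside the window?
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "src": ev["src"], "host": ev["host"], "user": ev["user"],
                "failures": len(recent), "at": ev["ts"].isoformat(),
            })
        failures[key].clear()  # a success ends the sequence either way
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```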

The OSI model (Open Systems Interconnect)

● A layered network model that standardizes the communication functions of a telecommunication or computing system regardless of their underlying internal structure and technology.
● The model partitions a communication system into abstraction layers; the model has 7 layers.
1. Physical
2. Data Link
3. Network
4. Transport
5. Session
6. Presentation
7. Application.
▪ 7-1: All People Seem To Need Data Processing.
▪ 1-7: Please Do Not Throw Sausage Pizza Away.
● Know the PDUs (Data, Segments, Packets, Frames, Bits).
● The model is less used now and serves mainly as a reference point.
● Know it for the exam, it is testable.

● Layer 1 Physical Layer:
o Wires, Fiber, Radio waves, hub, part of NIC, connectors (wireless).
o Cable types:
▪ Copper TP (Twisted Pair): Least secure, eavesdropping, interference, easy to tap into, but also cheap.
▪ Fiber is more secure, not susceptible to eavesdropping, harder to use, can break, higher cost.
o Topologies:
▪ Bus, Star, Ring, Mesh partial/full.
o Threats:
▪ Data emanation, theft, eavesdropping, sniffing, interference.

● Layer 2 Data Link Layer:
o Transports data between 2 nodes connected to the same network.
o LLC – Logical Link Control – error detection.
o MAC address (BIA) – a unique identifier on the network card.
▪ Can be spoofed very easily, both for good and not so good reasons.
▪ 48-bit hexadecimal: first 24 bits manufacturer identifier, last 24 unique.
▪ 64-bit hexadecimal: first 24 bits manufacturer identifier, last 40 unique.
▪ Threats - MAC Spoofing, MAC Flooding.
o ARP (Address Resolution Protocol) Layer 2/3.
o CSMA/CD – Ethernet – minimized with switches vs. hubs.
o CSMA/CA – Wireless.
o Token passing – Similar to the talking stick, not really used anymore.

● Layer 3 Network Layer:
o Expands to many different nodes (IP) – The Internet is IP based.
o Isolates traffic into broadcast domains.
o Protocols:
▪ IP, ICMP, IPSEC, IGMP, IGRP, IKE, ISAKMP, IPX.
o Threats:
▪ Ping of Death, Ping Floods, Smurf – spoofed source and directed broadcast, IP modifications, DHCP attacks, …
o If the exam asks which layer a protocol starting with “I” is on and you do not remember, answer layer 3.
▪ IP, IGMP, IGRP, IPSEC, IKE, ISAKMP, … are all layer 3; the exception is IMAP, which is layer 7.

● Layer 4 Transport Layer:
o SSL/TLS Layer 4 to 7.
o UDP (User Datagram Protocol):
▪ Connectionless protocol, unreliable: VOIP, live video, gaming, “real time”.
▪ Timing is more important than delivery confirmation.
▪ Sends the message, doesn’t care if it arrives or in which order.
▪ Attack: Fraggle attack – works the same way as Smurf but may be more successful since it uses UDP and not ICMP.
o TCP (Transmission Control Protocol):
▪ Reliable, connection oriented, guaranteed delivery, 3-way handshake, slower/more overhead, data reassembled.
▪ Attacks: SYN floods – half-open TCP sessions, the client sends thousands of SYN requests but never the final ACK.
o TCP Flags (nine 1-bit flags, also called control bits):
▪ NS (1 bit): ECN-nonce concealment protection.
▪ CWR (1 bit, Congestion Window Reduced): set by the sending host to indicate that it received a TCP segment with the ECE flag set and has responded with a congestion control mechanism.
▪ ECE (1 bit): ECN-Echo has a dual role, depending on the value of the SYN flag.
▪ URG (1 bit): indicates that the Urgent pointer field is significant.
▪ ACK (1 bit): indicates that the Acknowledgment field is significant.
▪ PSH (1 bit): Push function. Asks to push the buffered data to the receiving application.
▪ RST (1 bit): Reset the connection.
▪ SYN (1 bit): Synchronize sequence numbers. Only the first packet sent from each end has this flag set.
▪ FIN (1 bit): Last packet from sender.

● Layer 5 Session Layer:
o Establishes the connection between 2 applications: Setup > Maintenance > Tear Down.

● Layer 6 Presentation Layer:
o Only layer with no protocols.
o Formatting, compressing, encryption (file level).

● Layer 7 Application Layer:
o Presents data to the user (applications/websites).
o HTTP, HTTPS, FTP, SNMP, IMAP, POP and many more.
o Non-repudiation, certificates, application proxies, deep packet inspection, content inspection, AD integration.

● The higher you go up the layers the slower it is; speed is traded for intelligence.
● Threats to layers 5-7: Viruses, worms, trojans, buffer overflows, application or OS vulnerabilities.

The TCP/IP Model (Internet Protocol Suite)

● A conceptual model that provides end-to-end data communication.
● Specifies how data should be packetized, addressed, transmitted, routed, and received.
● It has four layers, which are used to sort all related protocols according to the scope of networking involved.
● From lowest to highest:
o The link layer, containing communication methods for data that remains within a single network segment.
o The internet layer, connecting independent networks, thus providing internetworking.
o The transport layer, handling host-to-host communication.
o The application layer, which provides process-to-process data exchange for applications.

● The link and physical layer have the networking scope of the local network connection to which a host is attached.
o Used to move packets between the Internet layer interfaces of two different hosts on the same network.
o The process of transmitting and receiving packets on a given link can be controlled both in the software device driver for the network card, as well as in firmware or specialized chipsets.
o These perform functions such as adding a packet header to prepare it for transmission, then transmitting the frame over a physical medium.
o The TCP/IP model includes specifications for translating the network addressing methods used in the Internet Protocol to link layer addresses, such as Media Access Control (MAC) addresses.
o The link and physical layer = OSI layers 1-2.

● The Internet/Internetwork layer is responsible for sending packets across potentially multiple networks.
o Requires sending data from the source network to the destination network (routing).
o The Internet Protocol performs two basic functions:
▪ Host addressing and identification: This is done with a hierarchical IP address.
▪ Packet routing: Sending the packets of data (datagrams) from the source to the destination by forwarding them to the next network router closer to the final destination.
o Internet/Internetwork layer = OSI layer 3.

● The transport layer establishes basic data channels that applications use for task-specific data exchange.
o Its responsibility includes end-to-end message transfer independent of the underlying network, along with error control, segmentation, flow control, congestion control, and application addressing (port numbers).
o Data is sent connection-oriented (TCP) or connectionless (UDP).
o The transport layer = OSI layer 4.

● The application layer includes the protocols used by applications for providing user services or exchanging application data over the network (HTTP, FTP, SMTP, DHCP, IMAP).
o Data coded according to application layer protocols are encapsulated into transport layer protocol units, which then use lower layer protocols for data transfer.
o The transport layer and the lower-level layers are unconcerned with the specifics of application layer protocols.
o Routers and switches do not typically examine the encapsulated traffic; rather they just provide a conduit for it. However, some firewall and bandwidth throttling applications must interpret application data.
o The TCP/IP reference model distinguishes between user protocols and support protocols.
o The application layer = OSI layers 5, 6 and 7.

● Each layer of the model adds or removes encapsulation (encapsulation / de-capsulation).
● The higher we go the slower and smarter the stack is, just like the OSI model.

MAC Address (BIA)

● A unique identifier on the network card.
● Can be spoofed pretty easily, both for good and less good reasons.
● EUI/MAC-48 are 48 bits (original design).
o The first 24 are the manufacturer identifier.
o The last 24 are unique and identify the host.
● EUI-64 MAC addresses use 24 bits for the manufacturer, but 40 for the unique ID.
o The first 24 are the manufacturer identifier.
o The last 40 are unique and identify the host.
● Both are widely used today and used by both IPv4 and IPv6.
o For 48-bit MACs, IPv6 modifies them into 64-bit MACs by adding FF:FE to the device identifier.

Protocols
● IP Addresses:
o First deployed for production in the ARPANet in 1983; ARPANet later became the internet.
o IP was developed in the 1970’s for secure closed networks (DARPA - Defense Advanced Research Projects Agency). Security was not built in but was bolted on later.
o IPv4 is a connectionless protocol for use on packet-switched networks.
o It operates on a best effort delivery model: it does not guarantee delivery, and it also does not assure proper sequencing or avoidance of duplicate delivery. We have added protocols on top of IP to ensure those.
o IPv4 still routes most Internet traffic today, but we are slowly moving towards IPv6.
▪ The move towards IPv6 is mainly dictated by IPv4 addresses being depleted years ago.
o IPv4 has around 4.2 billion IP addresses and of those ~4 billion are usable internet addresses.
▪ There are currently over 35 billion mobile devices on the internet; 75 billion is predicted by 2025.
▪ All major cellphone carriers in the US use IPv6 for all cell phones.
▪ IPv4 has 4,294,967,296 addresses where IPv6 has 340,282,366,920,938,463,463,374,607,431,768,211,456.

● IP Addresses and Ports:
o When we send traffic, we use both the Source IP and Port as well as the Destination IP and Port. This ensures we know where we are going, and when the traffic returns it knows where to return to.
o The IP address can be seen as the street number of an apartment building.
▪ The Port number is your apartment number.
▪ If you have 50 browser tabs open, each tab has its own port number(s).
o Well-known Ports:
▪ 0-1023 - Mostly used for protocols.
o Registered Ports:
▪ 1024-49151 - Mostly used for vendor specific applications.
o Dynamic, Private or Ephemeral Ports:
▪ 49152-65535 - Can be used by anyone for anything.

● Common Ports:
o 20 TCP FTP data transfer.
o 21 TCP FTP control.
o 22 TCP/UDP Secure Shell (SSH).
o 23 TCP Telnet unencrypted text communications.
o 25 TCP Simple Mail Transfer Protocol (SMTP) can also use port 2525.
o 80 TCP/UDP Hypertext Transfer Protocol (HTTP) can also use port 8008 and 8080.
o 110 TCP Post Office Protocol, version 3 (POP3).
o 137 UDP NetBIOS Name Service, used for name registration and resolution.
o 138 TCP/UDP NetBIOS Datagram Service.
o 143 TCP Internet Message Access Protocol (IMAP).
o 443 TCP Hypertext Transfer Protocol over TLS/SSL (HTTPS).
o 3389 TCP/UDP Microsoft Terminal Server (RDP).

● IP Addresses and Ports:
o A Socket: 1 set of IP and Port.
o UDP only uses 1 socket (connectionless); TCP uses 2 in a pair, 2 individual sockets making the pair.

● Socket Pairs (TCP):
o 2 sets of IP and Port (Source and Destination).
o My pair for the top one is:
▪ Source pair: 192.168.0.6:49691
▪ Destination pair: 195.122.177.218:https
▪ Well-known ports are often translated; port 443 is https.
(Screenshot: Ports in use while browsing CISSP websites.)

● IPv4/IPv6 Address Space Management:
o IANA (Internet Assigned Numbers Authority) governs IP address allocation.
o IANA is a department of ICANN (Internet Corporation for Assigned Names and Numbers).
o The world is divided into RIR (Regional Internet Registry) regions, and organizations in those areas delegate the address space they have control over.
▪ AFRINIC (African Network Information Center): Africa.
▪ ARIN (American Registry for Internet Numbers): United States, Canada, several parts of the Caribbean region, and Antarctica.
▪ APNIC (Asia-Pacific Network Information Centre): Asia, Australia, New Zealand, and neighboring countries.
▪ LACNIC (Latin America and Caribbean Network Information Centre): Latin America and parts of the Caribbean region.
▪ RIPE NCC (Réseaux IP Européens Network Coordination Centre): Europe, Russia, Middle East, and Central Asia.

● IP Address and Traffic Types:
o Unicast, Multicast, and Broadcast Traffic:
o Unicast - one-to-one traffic (Client to Server): The traffic is from a client to a host or the reverse.
▪ To capture all unicast traffic on a network, we use promiscuous mode on specific clients' network cards (Network IDS/IPS), and the switch port they are attached to has to be configured as a SPAN port.
o Multicast - one-to-many (predefined): The traffic is sent to everyone in a predefined list.
o Broadcast - one-to-all (on a LAN network): The traffic is sent to everyone.
▪ Limited L3 Broadcast: Uses the 255.255.255.255 broadcast IP address; routers do not pass it (they drop it).
▪ Limited L2 broadcast: Uses the FF:FF:FF:FF:FF:FF broadcast MAC address; routers do not pass it.
▪ Directed broadcast: Sent to anyone logically connected to the same network.
▪ A 192.168.19.12/24 will send to all hosts on that network, regardless of whether it is physically behind the same router or not. Accounting could have a VLAN spanning 3 separate remote buildings; the broadcast would be sent to them all.

● IPv4 (Internet Protocol version 4) Addresses:
o IPv4 addresses are made up of 4 octets (dotted-decimal notation); underneath they are a 32-bit binary integer.
o We use dotted-decimal IP addresses to make them readable to normal people; it is easier to read 4 sets of numbers than a 32-bit string of 0’s and 1’s.
o Similarly, websites are really just IP addresses translated with DNS, which are then translated into binary.
o It is easier to remember google.com than it is to remember 66.102.12.231 or 2607:f8b0:4007:80b::200e.
o Public IP Addresses (Internet routable addresses):
▪ Used to communicate over the internet between hosts.
o Private Addresses (RFC 1918 – Not routable on the internet):
▪ 10.0.0.0 – 10.255.255.255 (16,777,216 addresses)
▪ 172.16.0.0 – 172.31.255.255 (1,048,576 addresses)
▪ 192.168.0.0 – 192.168.255.255 (65,536 addresses)
o Other notable IP spaces:
▪ 127.0.0.0/8 Loopback IPs
▪ 169.254.0.0/16 Link-Local
▪ 255.255.255.255 Broadcast

o As a Band-Aid solution to delay the depletion of IPv4 addresses, NAT and PAT were added:
o NAT (Network Address Translation):
▪ Static NAT translates 1-1; we need 1 public IP per private IP we use, not practical and not sustainable.
▪ Pool NAT: Still 1-1, but a pool of public IPs is available to all clients rather than assigned to specific clients.
o PAT (Port Address Translation):
▪ PAT was introduced to solve that issue; it uses IP AND port number.
▪ Also called One-to-Many or NAT Overload since it translates one public IP to many private IPs.

o Classful IP Networks were used early on the internet for public addresses. Networks were VERY large, some with 16 million+ IPs. Very inefficient use of IP addresses.
o CIDR (Classless Inter-Domain Routing) (also called slash notation):
▪ We use CIDR to break our addresses into smaller logical segments; this saves addresses, we can make suitably sized IP ranges for our subnets, and it is easier to add security to our subnets if they are logically segmented.
▪ This would be the CIDR notation for our earlier IP address: 172.16.254.1/24.
▪ The /24 is the prefix length; it indicates how many IPs are in that subnet, and from that we know the broadcast and the range of host addresses.
▪ Our /24 address would have 256 addresses, 255 are usable for hosts.
▪ Earlier the first (0) and last (255) in a /24 could not be used, but now with newer technology and protocol use only 255 is not usable, since it is the broadcast address.
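As an added example (not part of the guide), the subnet math behind the /24 notation above, done on the 32-bit integer that the dotted-decimal form stands for, plus a lookup against the guide's private, loopback, link-local and broadcast ranges. Python's ipaddress module is used only to convert between dotted-decimal and integers; the function names and sample addresses are this example's own.

```python
import ipaddress


def subnet_details(cidr):
    """Network address, broadcast address, netmask and address count for a /N prefix,
    computed with the mask arithmetic CIDR is built on."""
    addr_txt, prefix_txt = cidr.split("/")
    prefix = int(prefix_txt)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    addr = int(ipaddress.IPv4Address(addr_txt))
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # prefix ones, then zeros
    network = addr & mask                                # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)           # host bits all ones
    return {
        "network": str(ipaddress.IPv4Address(network)),
        "broadcast": str(ipaddress.IPv4Address(broadcast)),
        "netmask": str(ipaddress.IPv4Address(mask)),
        "addresses": 2 ** (32 - prefix),
    }


# The ranges from the guide's table, written as CIDR blocks.
SPECIAL_RANGES = [
    ("10.0.0.0/8", "RFC 1918 private"),
    ("172.16.0.0/12", "RFC 1918 private"),
    ("192.168.0.0/16", "RFC 1918 private"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"),
    ("255.255.255.255/32", "limited broadcast"),
]


def classify(ip):
    """Label an address with the guide's table; anything else is treated as public.
    Handy when triaging logs: an RFC 1918 'source' arriving on an Internet-facing
    interface points to spoofing or misconfiguration, not to a real Internet host."""
    value = int(ipaddress.IPv4Address(ip))
    for cidr, label in SPECIAL_RANGES:
        block = subnet_details(cidr)
        low = int(ipaddress.IPv4Address(block["network"]))
        high = int(ipaddress.IPv4Address(block["broadcast"]))
        if low <= value <= high:
            return label
    return "public (Internet routable)"


if __name__ == "__main__":
    print(subnet_details("172.16.254.1/24"))
    for sample in ("10.20.30.40", "172.32.0.1", "169.254.1.1", "8.8.8.8"):
        print(sample, "->", classify(sample))
```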

o IP Headers contain:
▪ Version: IP version 4.
▪ IHL: Length of the IP header.
▪ QoS (Quality of Service).
▪ Identification, Flags, Offset: used for IP fragmentation.
▪ TTL (Time To Live): to prevent routing loops.
▪ Protocol: Protocol number for TCP, UDP, ...
▪ Source and Destination IP addresses.
▪ Optional: Options and padding.
▪ MTU (Maximum Transmission Unit) - normally 1500 bytes in Ethernet usage.
▪ If a packet exceeds that size, a router along the path may fragment it into smaller packets.
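An added example, not from the guide, that parses the IPv4 header fields listed above and the nine TCP control bits from the Layer 4 section out of raw bytes, then tallies half-open sessions per source over a constructed packet trace, which is how a defender sees the SYN flood described there. The packets, addresses and helper names are constructed for this example.

```python
import struct
import ipaddress

# The nine TCP control bits in the 16-bit data-offset/flags word (RFC 793, 3168, 3540).
TCP_FLAGS = {
    "NS": 0x100, "CWR": 0x080, "ECE": 0x040, "URG": 0x020, "ACK": 0x010,
    "PSH": 0x008, "RST": 0x004, "SYN": 0x002, "FIN": 0x001,
}


def parse_ipv4_header(data):
    """Decode the fixed IPv4 header fields the guide lists and return the payload."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4  # IHL counts 32-bit words; 20 bytes minimum
    if version != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version, "ihl": ihl, "total_length": total_len,
        "identification": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl, "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "payload": data[ihl:total_len],
    }


def parse_tcp_header(data):
    """Decode ports, sequence/acknowledgment numbers and the set control bits."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", data[:14])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,
        "flags": sorted(name for name, bit in TCP_FLAGS.items() if off_flags & bit),
    }


def build_packet(src, dst, sport, dport, flags, ttl=64, seq=0, ack=0):
    """Constructed test packet: 20-byte IPv4 header + 20-byte TCP header, no payload."""
    bits = 0
    for name in flags:
        bits |= TCP_FLAGS[name]
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def half_open_per_source(packets):
    """Count handshakes that never received the client's final ACK, per source IP.
    Many half-open sessions from one source is the SYN flood signature."""
    pending = {}  # (client, client port, server, server port) -> awaiting final ACK
    for pkt in packets:
        ip = parse_ipv4_header(pkt)
        if ip["protocol"] != 6:  # 6 = TCP
            continue
        tcp = parse_tcp_header(ip["payload"])
        flags = set(tcp["flags"])
        as_client = (ip["src"], tcp["sport"], ip["dst"], tcp["dport"])
        as_server = (ip["dst"], tcp["dport"], ip["src"], tcp["sport"])
        if flags == {"SYN"}:
            pending[as_client] = True               # step 1: half-open from here on
        elif "ACK" in flags and "SYN" not in flags and as_client in pending:
            del pending[as_client]                  # step 3: handshake completed
        elif "RST" in flags and as_server in pending:
            del pending[as_server]                  # server tore it down
    counts = {}
    for client, *_ in pending:
        counts[client] = counts.get(client, 0) + 1
    return counts


# Constructed trace: one legitimate handshake, then four unanswered SYNs from one source.
SAMPLE_PACKETS = [
    build_packet("192.0.2.10", "203.0.113.5", 50000, 443, ["SYN"], seq=100),
    build_packet("203.0.113.5", "192.0.2.10", 443, 50000, ["SYN", "ACK"], seq=900, ack=101),
    build_packet("192.0.2.10", "203.0.113.5", 50000, 443, ["ACK"], seq=101, ack=901),
] + [build_packet("198.51.100.9", "203.0.113.5", 40000 + i, 443, ["SYN"]) for i in range(4)]

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE_PACKETS[0]))
    print(half_open_per_source(SAMPLE_PACKETS))
```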
● IPv6
o IPv6 is 128 bits, written in hexadecimal (uses 0-9 and a-f).
o 8 groups of 4 hexadecimal digits, making addresses look like this:
▪ fd01:fe91:aa32:342d:74bb:234c:ce19:123b
o The IPv6 address space is huge compared to IPv4: 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses.
▪ 34 followed by 37 0’s in total, or 79 followed by 27 0’s times as many addresses as IPv4.
▪ Every square foot on the planet can have 65000 IP addresses.
o IPSec is built in, not bolted on like with IPv4.
o Mostly switched behind the scenes today; many organizations do not have Dual Stack equipment in place.
o Used by major US ISPs for cell phones (and to some extent the connection to your modem).
o To make the address more manageable, 1 run of 0’s can be shortened with “::”; above you see the last 16 0’s being shortened to 2001:0DB8:AC10:FE01::
o Our MAC address is 00:fa:22:52:88:8a
o It is an EUI-48 address; we add “fffe” (for EUI-64): 00:fa:22:ff:fe:52:88:8a
o Set the U/L bit: 20:fa:22:ff:fe:52:88:8a
▪ (The use of the universal/local bit in the Modified EUI-64 format identifier is to allow development of future technology that can take advantage of interface identifiers with universal scope).
o Add our network prefix (2001:0000:0000:00b8): 2001:0000:0000:00b8:20fa:22ff:fe52:888a
▪ Remove the largest group of 0’s: 2001::b8:20fa:22ff:fe52:888a
▪ Link Local address (only for local): fe80::b8:20fa:22ff:fe52:888a
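As an added example, not part of the guide, the derivation above carried out in code the way RFC 4291 specifies it, serving both the MAC Address (BIA) section and the IPv6 walkthrough: insert ff:fe after the 24-bit manufacturer part, invert the U/L bit, prepend the /64 prefix, and compress the longest run of zero groups (the :: rule). Note that the U/L bit is 0x02 in the first octet, so for 00:fa:22:52:88:8a that octet becomes 02 and the identifier comes out as 02fa:22ff:fe52:888a; the function names are this example's own.

```python
import ipaddress


def modified_eui64(mac):
    """Build the 64-bit interface identifier from a 48-bit MAC (RFC 4291 Appendix A):
    keep the 24-bit manufacturer part, insert ff:fe, append the 24-bit device part,
    then invert the universal/local bit, which is 0x02 of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # 0x00 -> 0x02 for the guide's MAC; a locally administered MAC goes the other way
    return bytes(iid)


def iid_to_groups(iid):
    """Render the 8 identifier bytes as four colon-separated hextets."""
    return ":".join(f"{(iid[i] << 8) | iid[i + 1]:04x}" for i in range(0, 8, 2))


def slaac_address(prefix, mac):
    """Combine a /64 network prefix with the Modified EUI-64 identifier and return the
    RFC 5952 compressed text form (leading zeros dropped, longest zero run as ::)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface identifier needs a /64 prefix")
    iid_int = int.from_bytes(modified_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid_int))


def link_local_address(mac):
    """The fe80::/64 address a host derives for itself from its MAC."""
    return slaac_address("fe80::/64", mac)


def expand(addr):
    """Undo :: compression back to all eight 4-digit groups."""
    return ipaddress.IPv6Address(addr).exploded


if __name__ == "__main__":
    mac = "00:fa:22:52:88:8a"  # the MAC used in the guide's walkthrough
    print(iid_to_groups(modified_eui64(mac)))
    print(slaac_address("2001:0000:0000:00b8::/64", mac))
    print(link_local_address(mac))
    print(expand("2001:0DB8:AC10:FE01::"))
```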
o IP Headers contain:
▪ Version: IP version 6 (4 bits).
▪ Traffic Class/Priority (8 bits).
▪ Flow Label/QoS management (20 bits).
▪ Payload length in bytes (16 bits).
▪ Next Header (8 bits).
▪ Time To Live (TTL)/Hop Limit (8 bits).
▪ Source IP address (128 bits).
▪ Destination IP address (128 bits).
▪ MTU (Maximum Transmission Unit) - normally 1500 bytes in Ethernet usage.
▪ If a packet exceeds that size, a router along the path may fragment it into smaller packets.
● ARP (Address Resolution Protocol):
o Translates MAC Addresses into IP Addresses.
▪ OSI Data/Network Layer or Network/Internet Layer.
o ARP is a simple and trusting protocol; anyone can respond to an ARP request.
o ARP (cache) Poisoning: An attacker sends fake responses to ARP requests, often done repeatedly for critical ARP entries (Default Gateway).
▪ A countermeasure can be hardcoding ARP entries.
o RARP (Reverse ARP) is used by diskless workstations to get IPs.
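An added example, not from the guide, of a monitor that watches the IP-to-MAC bindings announced in ARP replies and flags a change, which is the visible symptom of the cache poisoning described above; run with a hardcoded entry for the gateway, it also shows why that countermeasure works. The reply records, addresses and class name are constructed for this example.

```python
# Constructed ARP reply records as a passive monitor might log them:
# (time, sender IP, sender MAC). Not real captures.
SAMPLE_ARP_REPLIES = [
    (0, "192.168.0.1", "00:11:22:33:44:55"),   # default gateway, legitimate
    (1, "192.168.0.20", "aa:bb:cc:dd:ee:01"),
    (2, "192.168.0.1", "00:11:22:33:44:55"),
    (3, "192.168.0.1", "de:ad:be:ef:00:01"),   # gateway IP now claimed by another MAC
    (4, "192.168.0.1", "de:ad:be:ef:00:01"),
    (5, "192.168.0.20", "aa:bb:cc:dd:ee:01"),
]


class ArpMonitor:
    """Track the IP-to-MAC bindings seen in ARP replies and record an alert whenever
    an IP is claimed by a different MAC. Hardcoded (static) entries, the countermeasure
    the guide names, are never overwritten; replies that contradict them are reported."""

    def __init__(self, static_entries=None):
        self.static = {ip: mac.lower() for ip, mac in (static_entries or {}).items()}
        self.table = dict(self.static)  # the cache as the host would hold it
        self.alerts = []                # (time, ip, reason, old mac, new mac)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        known = self.table.get(ip)
        if ip in self.static:
            if mac != self.static[ip]:
                self.alerts.append((ts, ip, "static entry contradicted", known, mac))
            return  # a hardcoded binding ignores what the wire says
        if known is None:
            self.table[ip] = mac  # first sighting, learn it
        elif known != mac:
            self.alerts.append((ts, ip, "binding changed", known, mac))
            self.table[ip] = mac  # a dynamic cache accepts the newest reply


def run_monitor(replies, static_entries=None):
    """Feed a sequence of (time, ip, mac) replies through a monitor and return it."""
    monitor = ArpMonitor(static_entries)
    for ts, ip, mac in replies:
        monitor.observe(ts, ip, mac)
    return monitor


if __name__ == "__main__":
    dynamic = run_monitor(SAMPLE_ARP_REPLIES)
    print("dynamic cache:", dynamic.table["192.168.0.1"], dynamic.alerts)
    pinned = run_monitor(SAMPLE_ARP_REPLIES, {"192.168.0.1": "00:11:22:33:44:55"})
    print("static gateway:", pinned.table["192.168.0.1"], pinned.alerts)
```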
● ICMP (Internet Control Message Protocol):
o Used to help with IP, for Ping (Echo request/reply) and TTL Exceeded in Traceroute.
o Often used for troubleshooting.
o An ICMP Echo Request is sent to the IP, which then sends an ICMP reply back (or not).
o Originally used (and still) to see if a host is up or down.
o Today if we get an Echo reply we know the host is up, but no reply does not mean it is down.
o Firewalls and routers can block ICMP replies.
(Screenshot: I ping isc2.org (can be name or IP if you know it). The name is translated into the IP. I get 4 replies from the IP, 32 bytes (IPv4 ping size). It took 73-76 ms (milliseconds, 1/1000th of a second). IPv6 pings are slightly different, since they use the IPv6 headers, but the payload size is the same.)

● Traceroute:
o Uses ICMP to trace a network route.
o Traceroute uses the TTL value somewhat in reverse.
o We send a message with TTL 1.
▪ The first router decrements the TTL to 0 and sends an ICMP Time Exceeded message back; the first hop is now identified.
o We send message 2 with TTL 2; the 2nd router does the same, and it is identified.
o We do that over and over till the destination is reached (maximum 30 hops).
(Screenshot: Traceroute to isc2.org (tracert on the Windows command line): My local network > ISP > A few Hawaii hops > a few LA hops > 2x Santa Clara > 2x San Jose > Most likely ISC2 Firewall > and finally the actual webserver.)

● Telnet:
o Remote access over a network.
o Uses TCP port 23; all data is plaintext including usernames and passwords, so it should not be used.
o Attackers with network access can easily sniff credentials, alter data and take control of telnet sessions.

● SSH (Secure Shell):
o Designed to replace or add security to unsecure protocols such as Telnet, FTP, HTTP...
o V1 had vulnerabilities long ago, and v2 has as well recently.
o Provides a 'secure' connection over an unsecured network (the internet).
o The Snowden leak in 2013 showed the NSA can 'sometimes' decrypt SSL and get access to the data.
o On July 6th, 2017, WikiLeaks confirmed the CIA (ONLY this one time it is the Central Intelligence Agency) has developed a tool to crack the SSH protocol.
▪ BothanSpy is an implant that targets the SSH client program Xshell on the Microsoft Windows platform.
▪ Gyrfalcon is an implant that targets the OpenSSH client on Linux platforms: centos, debian, rhel, suse, ubuntu.

● FTP (File Transfer Protocol): Transfers files to and from servers.
o No confidentiality or integrity checks.
o Should also not be used, since the vast majority of what we transport goes over insecure networks.
o Uses TCP Port 21 for the control connection - commands are sent here.
o Uses TCP Port 20 for the data connection - the actual data is sent here.
● SFTP (SSH/Secure File Transfer Protocol): Uses SSH to add security to FTP.
● FTPS (FTP Secure): Uses TLS and SSL to add security to FTP.
● TFTP (Trivial FTP):
o Uses UDP Port 69.
o No authentication or directory structure; files are written to and read from one directory, /tftpboot.
o Used for "Bootstrapping" - downloading an OS over the network for diskless workstations.
o Used for saving router configuration.

● Email Protocols:
1. The MUA (Mail User Agent) formats the message and, using SMTP, sends the message to the MSA (Mail Submission Agent).
2. The MSA determines the destination address provided in the SMTP protocol, in this case [email protected]. The MSA resolves the fully qualified domain name of the mail server in the DNS.
3. The DNS server for the domain b.org (ns.b.org) responds with any MX (Mail eXchange) records listing for that domain, in this case mx.b.org, an MTA (Message Transfer Agent) server run by the recipient's ISP.
4. smtp.a.org sends the message to mx.b.org using SMTP. This server may need to forward the message to other MTAs before the message reaches the final MDA.
5. The MDA (Mail Delivery Agent) delivers it to the mailbox of user Jane.
6. Jane's MUA picks up the message using either the Post Office Protocol (POP3) or the Internet Message Access Protocol (IMAP).

● DNS (Domain Name System):
o Translates server names into IP Addresses; uses TCP and UDP Port 53.
o Google.com can get translated into 66.102.12.231 or 2607:f8b0:4007:80b::200e depending on the requester's IP.
o Uses gethostbyname() and gethostbyaddress().
o Authoritative name servers - The authority for a given name space.
o Recursive name server - Tries to resolve names it does not already know.
o Cache name server - Keeps previously resolved names in a temporary cache.
o DNS uses UDP for most requests and has no authentication natively.
o DNS Poisoning is similar to ARP poisoning: an attacker sends a fake address/name combo to another DNS server when asked, and the server keeps it in its DNS records until it expires.

● DNSSEC (DNS Security Extensions):
o Provides Authentication and Integrity using PKI encryption.
o Does not provide Confidentiality - Think of it as a digital signature for DNS.

● SNMP (Simple Network Management Protocol):
o Mostly used to monitor devices on our network (routers, switches, servers, HVAC, UPS ...).
o An SNMP client agent is enabled or installed on the client.
o The device can report port up/down, traffic utilization, temperature, memory use, HDD allocation, ...
o SNMPv1 and SNMPv2 send data in cleartext.
o SNMPv2 is still widely used but should be avoided.
▪ An attacker on the network can sniff the traffic; often the default community strings "public" and "private" are still in use.
▪ If an attacker gains access to the private (write) string they can re-configure the device, shut it or interfaces down ...
o SNMPv3 uses encryption to provide CIA (Confidentiality, Integrity, and Availability).
▪ This should be the standard across any organization.

● HTTP and HTTPS - Transport HTML data.
o HTTP (Hypertext Transfer Protocol):
▪ Uses TCP port 80 (8008 and 8080), unencrypted website data sent across the internet.
o HTTPS (HTTP Secure):
▪ Uses TCP Port 443 (8443), encrypted data sent over the internet.
o HTML (Hypertext Markup Language):
▪ The actual language webpages are written in.
▪ Not to be confused with HTTP/HTTPS.
(Screenshots: HTTPS connection (notice the "Secure") vs. HTTP connection; HTML: the basic building block of webpages.)

● BOOTP (Bootstrap Protocol):
o Used for diskless workstations, used to determine OS (downloaded with TFTP) and IP Address.
o Most system BIOS' support BOOTP; they can then load the OS without a disk.
● DHCP (Dynamic Host Configuration Protocol):
o The common protocol we use to assign IPs. Controlled by a DHCP Server for your environment.
o You most likely already use it on your home network; this is how, when you connect a cable or connect wirelessly, you are online right away.
● Both BOOTP and DHCP use UDP Port 67 for the BOOTP/DHCP Server and UDP Port 68 for the Client.

Cables
● Networking Cables:
o When it comes to networking cables, most people think of RJ45 copper Ethernet cables; many more types are used though.
o Networking cables all come with pros and cons: some are cheap, some more secure, some faster, ...
o They can also pose different security vulnerabilities depending on the cable type and the environment.
o EMI (Electromagnetic Interference):
▪ Magnetism that can disrupt data availability and integrity.
o Crosstalk is the signal crossing from one cable to another; this can be a confidentiality issue.
o Attenuation is the signal getting weaker the farther it travels.
▪ Copper lines have attenuation; with DSL, the farther you are from the DSLAM (Digital Subscriber Line Access Multiplexer) the lower the speed you get.

● Twisted Pair Cables:
o UTP (Unshielded Twisted Pair):
o Made up of pairs of twisted wires.
▪ Twisting them makes them less susceptible to EMI.
▪ 1 cable sends and 1 receives data.
▪ The tighter the cables are twisted, the less susceptible they are to EMI. For example, CAT3 pairs (less tight) are more susceptible to EMI than CAT6 (tighter).
o STP (Shielded Twisted Pair):
▪ Has extra metal mesh shielding around each pair of cables, making them less susceptible to EMI, but also making the cables thicker, stiffer, and more expensive.

● Coax (Coaxial) Cables:
o Most commonly used for cable TV and Internet services.
o Coax cables have built-in layers:
▪ Copper core in the middle.
▪ A plastic insulator around the middle core.
▪ A copper braid/shield around the insulator.
▪ A plastic outer layer.
o The braid/shield makes it less susceptible to EMI, and the thicker core can provide higher speeds.

● Fiber Optic Cables use light to carry data (vs. electricity for copper cables):
o Pros: Speed 1 Petabit per second, 35 miles/50 km over a single fiber.
▪ It has no attenuation like copper; a single uninterrupted cable can be 150 miles+ (240 km+) long.
▪ Not susceptible to EMI.
▪ More secure than copper since it can't be sniffed as easily as copper.
o Cons: Price, more difficult to use, you can break the glass in the cable if you are not careful.
o Single-Mode fiber - A single strand of fiber carries a single mode of light (down the center), used for long distance cables (often used in IP backbones).
o Multi-Mode fiber - Uses multiple modes (light colors) to carry multiple data streams simultaneously; this is done with WDM (Wavelength Division Multiplexing).
(Figures: Single-Mode fiber; Light through fiber strands.)
● All cable measurements are in metric (m/km).
● Only 3 countries in the world do not use metric (Burma, Liberia, and the United States).
o 1 Kbps - Kilobits per second
▪ 1,000 bps (10³)
o 1 Mbps - Megabits per second
▪ 1,000,000 bps (10⁶)
o 1 Gbps - Gigabits per second
▪ 1,000,000,000 bps (10⁹)
o 1 Tbps - Terabits per second
▪ 1,000,000,000,000 bps (10¹²)
o 1 Pbps - Petabits per second
▪ 1,000,000,000,000,000 bps (10¹⁵)

LAN Technologies and Protocols


● Network topology describes the layout of the interconnections between devices and network segments.
● Ethernet and Wi-Fi are the two most common transmission technologies in use for local area networks.
● At the data link and physical layers, a wide variety of LAN topologies have been used, including ring, bus, mesh, and star.
● At the higher layers, NetBEUI, IPX/SPX, and AppleTalk used to be common, but TCP/IP is now the de facto standard.
● Fiber optic is commonly used between switches, from switches to servers, and for backbone data transfers; it is rarely used for desktops.
● Ethernet is baseband and uses copper TP (twisted pair), coax, and fiber cables.
o Ethernet was not built for how we use networks today, so we bolt on the functionality we want.
● Wireless technologies are often built into smartphones, tablets, and laptops.
o In a wireless LAN, users can move unrestricted within the coverage area; the transfer from one wireless access point to another is often completely seamless.
● CSMA (Carrier Sense Multiple Access):
o Clients on a network check whether the shared line is in use; if it is not, they send their data.
o Clients listen to see if the line is idle: if idle, they send; if in use, they wait a random amount of time (milliseconds) and try again.
● CSMA/CD (CSMA/Collision Detection):
o Used for systems that can send and receive at the same time, like Ethernet.
o If 2 clients listen at the same time and both see the line is clear, they can both transmit at the same time, causing a collision; CD is added to handle that scenario.
o Clients listen to see if the line is idle: if idle, they send; if in use, they wait a random amount of time (milliseconds).
▪ While transmitting, they monitor the line.
▪ If more signal is received than was sent, another workstation is also transmitting.
● They send a jam signal to tell the other nodes to stop sending.
● They wait a random amount of time before starting to retransmit.
● CSMA/CA (CSMA/Collision Avoidance):
o Used for systems that can either send or receive, but not both at once, like wireless.
o They check if the line is idle: if idle, they send; if in use, they wait a random amount of time (milliseconds).
▪ Slightly different from CD: on Ethernet networks clients are normally aware of the other clients; on wireless that is not always the case.
▪ If there is a lot of congestion, the client can send an RTS (Request To Send), and if the host (the wireless access point) replies with a CTS (Clear To Send), similar to a token, the client will transmit.
▪ This goes some way toward alleviating the hidden node problem: in a wireless network, the Access Point only issues a Clear To Send to one node at a time.


Legacy LAN Systems


● ARCNET (Attached Resource Computer Network):
o Used network tokens for traffic, no collisions.
o Used a Star topology.
o 2.5Mbps.
● Token Ring:
o Used network tokens for traffic, no collisions.
o Used a Ring topology.
o 16Mbps.
● FDDI (Fiber Distributed Data Interface):
o Used token-bus for traffic, no collisions.
o Used a Ring topology.
o Used fiber and not copper, so it was not susceptible to EMI.
o 100Mbps.

Physical LAN Topologies


● Bus:
o All nodes are connected in a line; each node inspects traffic and passes it along.
o Not very stable: a single break in the cable breaks the signal to all nodes past that point, including communication between nodes well past the break.
o Faulty NICs (Network Interface Cards) can also break the chain.
(Figure: Bus Topology)
● Tree (Hierarchical):
o The base of the tree topology controls the traffic; this was often the mainframe.
(Figure: Tree Topology)
● Ring:
o All nodes are connected in a ring.
(Figure: Ring Topology)
● Star:
o All nodes are connected to a central device.
o This is what we normally use for Ethernet: our nodes are connected to a switch.
o Provides better fault tolerance; a break in a cable or a faulty NIC will only affect that one node.
o If we use a switch, no token passing or collision detection is needed, since each node is on its own segment.
o If we use hubs, collisions will still occur, but I hope none are around anymore, not just because of how slow they are, but more because of how insecure they are.
(Figure: Star Topology)
● Mesh:
o Nodes are connected to each other in either a partial mesh or a full mesh.
o Partial Mesh:
▪ Nodes are directly connected to some other nodes.
o Full Mesh:
▪ All nodes are directly connected to all other nodes.
o More redundant, but requires a lot more cables and NICs.
o Often used in HA (High Availability) environments, with cluster servers for keepalives.
(Figures: Full Mesh Topology, Partial Mesh Topology)

Secure Network Devices and Protocols

● We have different network devices through the OSI and TCP/IP models, and many have protocols specific to that device.
● Layer 1 devices:
o Repeaters receive a signal and retransmit it.
▪ They are used to extend transmissions so that the signal can cover longer distances.
o Hubs are repeaters with more than 2 ports.
▪ All traffic is sent out of all ports: no confidentiality or integrity, half-duplex, and not secure at all.
● Layer 2 devices:
o Bridges are 2-port switches used to separate collision domains; they forward traffic across the 2 domains, but traffic from one domain is not seen on the other unless it is sent there.
o Switches are bridges with more than 2 ports.
▪ Each port is its own collision domain, fixing some of the issues with collisions.
▪ Can range from 4 to 500+ ports.
▪ Use MAC addresses to direct traffic.
▪ Good switch security includes:


● Shutting unused ports down.
● Putting ports in specific VLANs.
● Using the MAC sticky command (port security) to only allow that MAC to use the port, with either a warning or a shut command if another MAC accesses the port.
● Using VLAN pruning for trunk ports.
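The switch hardening list above can be modelled to see how the pieces interact: an unused port that is shut, an access port pinned to a VLAN, and sticky MAC learning with either a warn or a shutdown reaction when a second MAC appears. The code below is an added example for this guide, not vendor configuration or code from the guide itself; the mode names "shutdown" and "warn", the port names and the MAC addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class SwitchPort:
    """Model of one access port with port security enabled.
    The mode names "shutdown" and "warn" are assumptions standing in for the
    shut / warning actions the guide mentions, not a vendor's real keywords."""
    name: str
    enabled: bool = True                 # unused ports are created with enabled=False
    vlan: int = 1                        # every access port is assigned to a specific VLAN
    max_macs: int = 1                    # how many MACs may bind (stick) to this port
    violation: str = "shutdown"          # "shutdown" or "warn"
    sticky: list = field(default_factory=list)   # MACs learned and bound to the port
    log: list = field(default_factory=list)

    def frame_in(self, src_mac: str) -> bool:
        """Apply port security to an ingress frame. Returns True if it is forwarded."""
        src_mac = src_mac.lower()
        if not self.enabled:
            self.log.append(f"{self.name}: port is shut down, frame from {src_mac} dropped")
            return False
        if src_mac in self.sticky:
            return True                                # known, bound MAC
        if len(self.sticky) < self.max_macs:
            self.sticky.append(src_mac)                # sticky-learn the first MAC seen
            self.log.append(f"{self.name}: sticky-learned {src_mac} on VLAN {self.vlan}")
            return True
        # A different MAC on a port already bound to its device: a violation.
        self.log.append(f"{self.name}: VIOLATION from {src_mac}, bound MACs {self.sticky}")
        if self.violation == "shutdown":
            self.enabled = False                       # err-disable the port
        return False


def simulate() -> dict:
    """Constructed scenario: a workstation port in shutdown mode, a port in warn
    mode, and an unused port that was shut down administratively."""
    ws = SwitchPort("Gi1/0/1", vlan=10)
    warn = SwitchPort("Gi1/0/2", vlan=10, violation="warn")
    unused = SwitchPort("Gi1/0/24", enabled=False)
    return {
        "ws_first": ws.frame_in("00:11:22:33:44:55"),         # learned, forwarded
        "ws_same": ws.frame_in("00:11:22:33:44:55"),          # same MAC, forwarded
        "ws_intruder": ws.frame_in("de:ad:be:ef:00:01"),      # second MAC: violation, port shut
        "ws_after": ws.frame_in("00:11:22:33:44:55"),         # the legitimate device is now cut off too
        "warn_first": warn.frame_in("00:11:22:33:44:66"),
        "warn_intruder": warn.frame_in("de:ad:be:ef:00:02"),  # dropped and logged, port stays up
        "warn_after": warn.frame_in("00:11:22:33:44:66"),
        "unused": unused.frame_in("de:ad:be:ef:00:03"),       # nothing enters a shut port
        "ws_enabled": ws.enabled,
        "warn_enabled": warn.enabled,
        "ws_log": ws.log,
    }
```

The shutdown reaction is the stronger control, but the scenario also shows its cost: once a second MAC trips the port, the legitimate workstation behind it loses connectivity until an administrator re-enables the port, which is why the warn mode exists for ports where availability matters more.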

● Layer 2 Protocols:
o VLAN (Virtual LAN) is a broadcast domain that is partitioned and isolated at layer 2.
▪ Specific ports on a switch are assigned to a certain VLAN.
▪ Example: the Payroll VLAN is in 2 different buildings and spans multiple switches.
▪ VLANs use tags within network packets and tag handling in networking systems, replicating the appearance and functionality of network traffic that is physically on a single network but acts as if it is split between separate networks.
▪ It allows networks and devices that must be kept separate to share the same physical devices without interacting, for simplicity, security, traffic management, and/or cost reduction.
▪ VLAN trunks: ports connecting two switches to span VLANs across them.
▪ VLANs share bandwidth; a VLAN trunk can use link aggregation, quality-of-service prioritization, or both to route data efficiently.

● Virtual eXtensible Local Area Network (VXLAN):
o Made for and widely used in cloud computing by organizations with a very large number of tenants (think AWS, Google, or similar).
o Solves the issue of having a maximum of only 4094 VLANs.
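To make the tagging, trunking and pruning bullets concrete, and to show where the 4094-VLAN ceiling that VXLAN addresses comes from, here is an added example written for this guide (not code from the guide or from any switch vendor). It builds and parses 802.1Q-tagged Ethernet frames and applies a trunk's allowed-VLAN list; the MAC addresses, VLAN numbers and allowed lists are constructed sample values.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100          # EtherType value that signals an 802.1Q tag follows


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet frame, inserting an 802.1Q tag when vlan is given.
    The tag's VID field is 12 bits; values 0 and 4095 are reserved, which is
    where the 4094 usable VLAN IDs come from (VXLAN's VNI is 24 bits instead)."""
    if vlan is not None and not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    header = _mac_bytes(dst) + _mac_bytes(src)
    if vlan is not None:
        tci = (pcp << 13) | vlan           # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Parse the Ethernet header; vlan is None for an untagged frame."""
    ethertype, = struct.unpack("!H", frame[12:14])
    vlan = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vlan = tci >> 13, tci & 0x0FFF
        offset = 18
    return {"dst": _mac_str(frame[0:6]), "src": _mac_str(frame[6:12]),
            "vlan": vlan, "pcp": pcp, "ethertype": ethertype, "payload": frame[offset:]}


def trunk_forward(frame: bytes, allowed_vlans: set, native_vlan: int = 1) -> bool:
    """Egress decision on a pruned trunk: only frames whose VLAN is in the trunk's
    allowed list leave the port. Untagged frames belong to the native VLAN."""
    vid = parse_frame(frame)["vlan"]
    if vid is None:
        vid = native_vlan
    return vid in allowed_vlans
```

Pruning the allowed list on each trunk limits how far a VLAN's broadcast domain (and any traffic injected into it) can spread, which is the reason the guide lists it among the switch security measures.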


● Layer 3 devices:
o Routers:
▪ Normally have a few ports vs. a lot on switches.
▪ In our organizations they are in the data centers.
▪ In your home they are often combined with a switch and wireless in one box.
▪ Forward traffic based on source and destination IPs and ports.
▪ Connect our LANs to the WAN.
▪ Routers send traffic to the most specific route in their routing table.
▪ Static route: a preconfigured route; traffic for a certain subnet is always sent there.
▪ Default gateway: sends all non-local traffic somewhere, to an ISP for instance.
▪ Dynamic route: learned from another router via a routing protocol (OSPF, EIGRP, BGP, IS-IS).
▪ Metric: used to determine the best route to a destination.
o Routers have two operation planes:
▪ Control plane:
▪ A router maintains a routing table that lists which route should be used to forward a data packet, and through which physical interface.
▪ It is populated from internally pre-configured static routes, or by learning routes using a dynamic routing protocol.
▪ Static and dynamic routes are stored in the RIB (Routing Information Base).
▪ The control-plane logic then strips non-essential information from the RIB and builds a FIB (Forwarding Information Base) to be used by the forwarding plane.
▪ Forwarding plane:
▪ The router forwards data packets between incoming and outgoing interfaces.
▪ It routes them to the correct network using information contained in the packet header.
▪ It uses the data the control plane recorded in the forwarding table (FIB).
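The RIB-to-FIB step and "most specific route wins" rule above can be shown in a few lines. The following is an added example for this guide, not code from the guide or from any router: the control plane keeps the best route per prefix and orders the FIB longest-prefix-first, and the forwarding plane simply takes the first match. The prefixes, next hops, metrics and the "assumed OSPF" origin of the dynamic route are constructed sample values.

```python
import ipaddress

# Constructed RIB entries, not from the guide: (prefix, next hop, metric).
# Next hop None means the prefix is directly connected.
RIB = [
    ("0.0.0.0/0",      "203.0.113.1", 1),   # default gateway: all non-local traffic to the ISP
    ("10.0.0.0/8",     "10.255.0.1",  10),  # static route to the corporate WAN
    ("10.1.0.0/16",    "10.1.0.1",    20),  # learned dynamically (assumed OSPF), metric 20
    ("10.1.0.0/16",    "10.1.0.2",    10),  # same prefix, better metric: this one wins
    ("192.168.1.0/24", None,          0),   # directly connected LAN
]


def build_fib(rib):
    """Control plane: keep the best (lowest metric) route per prefix, drop what
    the forwarding plane does not need, and order longest-prefix-first so that
    the first match is the most specific one."""
    best = {}
    for prefix, next_hop, metric in rib:
        if prefix not in best or metric < best[prefix][1]:
            best[prefix] = (next_hop, metric)
    fib = [(prefix, next_hop) for prefix, (next_hop, _) in best.items()]
    fib.sort(key=lambda entry: ipaddress.ip_network(entry[0]).prefixlen, reverse=True)
    return fib


def forward(destination, fib):
    """Forwarding plane: first match in the FIB, i.e. the most specific route.
    Returns (prefix, next_hop), or None when not even a default route matches."""
    addr = ipaddress.ip_address(destination)
    for prefix, next_hop in fib:
        if addr in ipaddress.ip_network(prefix):
            return prefix, next_hop
    return None


def route(destination, rib=RIB):
    """Convenience wrapper: build the FIB from the RIB and look a destination up."""
    return forward(destination, build_fib(rib))
```

Note how the /16 entry beats the /8 for 10.1.x.x addresses even though both match; the metric only decides between routes to the same prefix, never between prefixes of different length.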


Firewalls
● Firewalls: A firewall typically establishes a barrier between a trusted, secure internal network and another outside network, like the Internet.
o Packet filtering firewalls, OSI Layer 1-3.
▪ Packet filters act by inspecting the "packets" which are transferred between clients.
▪ If a packet does not match the packet filter's set of filtering rules, the packet filter will drop the packet, or reject it and send an error response to the source.
▪ Any packet that matches one of the Permit rules is allowed to pass.
▪ Rules are checked in order; in the example, the attacker's traffic is dropped by the 3rd filter rule ("drop anything trying to access 100.1.1.100").
▪ The internal machines can access the server since their IPs are whitelisted in the first rule.
o Stateful filtering firewalls, OSI Layer 1-4.
▪ Record all connections passing through and determine whether a packet is the start of a new connection, part of an existing connection, or not part of any connection.
▪ Static rules are still used; these rules can now contain connection state as one of their criteria.
▪ Some DoS attacks bombard the firewall with thousands of fake connection packets, trying to overwhelm the firewall by filling its connection state memory.
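The ordered rule check described for packet filters, and the connection tracking that distinguishes a stateful firewall from it, are shown together in this added example (written for this guide; not code from the guide or from any firewall product). The 100.1.1.100 server and the "internal IPs whitelisted first, then drop everything else to the server" layout follow the guide's description; the internal subnets, ports, flags and the state-table size are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# A packet as the filter sees it: the 5-tuple plus the TCP flags.
Packet = namedtuple("Packet", "src sport dst dport proto flags")

# Constructed rule set in the order the guide describes. The internal address
# ranges and the port numbers are assumptions.
RULES = [
    # (action, source, destination, protocol, destination port or None for any)
    ("permit", "10.0.1.0/24", "100.1.1.100/32", "tcp", 443),   # rule 1: internal subnet A
    ("permit", "10.0.2.0/24", "100.1.1.100/32", "tcp", 443),   # rule 2: internal subnet B
    ("deny",   "0.0.0.0/0",   "100.1.1.100/32", "any", None),  # rule 3: drop anything else to the server
    ("permit", "10.0.0.0/8",  "0.0.0.0/0",      "any", None),  # rule 4: internal hosts may go out
    ("deny",   "0.0.0.0/0",   "0.0.0.0/0",      "any", None),  # rule 5: explicit deny-all
]


def rule_matches(rule, pkt):
    action, src, dst, proto, dport = rule
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst)
            and proto in ("any", pkt.proto)
            and (dport is None or dport == pkt.dport))


def packet_filter(pkt, rules=RULES):
    """Stateless packet filter: rules are checked in order and the first match
    decides. Returns (action, 1-based rule number); no match at all means deny."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return rule[0], number
    return "deny", None


class StatefulFirewall:
    """Stateful filter: remembers permitted connections so that reply packets are
    allowed because they belong to a known connection, not because a static rule
    happens to permit them. max_states models the finite connection-state memory
    that a flood of fake connection packets tries to exhaust."""

    def __init__(self, rules=RULES, max_states=10000):
        self.rules = rules
        self.max_states = max_states
        self.states = set()          # (src, sport, dst, dport, proto) of tracked connections

    def inspect(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if forward in self.states or reverse in self.states:
            return "permit-established"            # part of an existing connection
        if pkt.proto == "tcp" and pkt.flags != "SYN":
            return "deny-no-state"                 # neither a new connection nor a tracked one
        action, _ = packet_filter(pkt, self.rules)
        if action == "permit":
            if len(self.states) >= self.max_states:
                return "deny-state-table-full"     # what a connection flood aims for
            self.states.add(forward)               # start tracking the new connection
        return action
```

The stray-ACK case is the practical difference: a stateless filter has to either permit such packets with a broad rule or break legitimate replies, while the stateful filter drops anything that is not the start of a connection it has seen.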

o A proxy server can act as a firewall by responding to input packets in the manner of an application, while blocking other packets.
o A proxy server is a gateway from one network to another for a specific network application, in the sense that it functions as a proxy on behalf of the network user.

o Application layer firewalls, OSI Layer 7.
▪ The key benefit of application layer firewalls is that they can understand certain applications and protocols.
▪ They see the entire packet; the packet isn't decrypted until layer 6, so any other firewall can only inspect the packet headers, not the payload.
▪ They can detect if an unwanted application or service is attempting to bypass the firewall using a protocol on an allowed port, or detect if a protocol is being used in any malicious way.


o Network firewalls filter traffic between two or more networks; they are either software appliances running on general-purpose hardware, or hardware-based firewalls.
o Host-based firewalls provide a layer of software security on one host that controls network traffic in and out of that single machine.
o Next-generation firewall (NGFW):
▪ NGFW combines traditional firewall technologies with deep packet inspection (DPI) and network security systems (IDS/IPS, malware filtering, and antivirus).
▪ Packet inspection in traditional firewalls only looks at the protocol header of the packet; DPI also looks at the actual data the packet is carrying.
▪ Next-generation firewalls try to cover more layers of the OSI model, improving filtering of network traffic that depends on the packet contents.
▪ DPI firewalls track the progress of web browsing sessions and can tell if a packet payload, when assembled with other packets in an HTTP server reply, is actually a legitimate HTML-formatted response.

● Firewall Design:
o A bastion host is a special-purpose host designed and configured to withstand attacks.
▪ Normally hosts a single application; all other services are removed or limited to reduce the threat to the host.
▪ It is hardened in this manner because of its location and purpose, which is either on the outside of a firewall or in a DMZ (demilitarized zone), and usually involves access from untrusted networks or computers.
o A dual-homed host has two network interfaces, one connected to a trusted network, and the other connected to an untrusted network (Internet).
▪ The dual-homed host doesn't route.
▪ Any user wanting to access the trusted network from the outside needs to log into the dual-homed host and then access the trusted network from there.
▪ No longer really used; it was mostly used before modern firewalls.
o Screened host architecture:
▪ An older flat network design using one router to filter external traffic to and from a bastion host via ACLs.
▪ The bastion host can reach other internal resources, but the router's ACL denies direct internal/external connectivity.
▪ The difference between the dual-homed host and screened host designs is that the screened host uses a screening router, which filters Internet traffic to other internal systems.
▪ The screened host network design does not use defense-in-depth: a failure of the bastion host puts the entire trusted network at risk.
▪ The screened subnet architecture evolved as a result, using network defense in depth by using DMZs.


o Screened Subnet Architecture:
▪ A screened subnet firewall is a variation of the dual-homed and screened host firewalls.
▪ It can be used to separate components of the firewall onto separate systems, achieving greater throughput and flexibility, although at some cost to simplicity.
▪ As each component system of the screened subnet firewall needs to implement only a specific task, each system is less complex to configure.
▪ A screened subnet firewall is often used to establish a DMZ (demilitarized zone).
▪ Good design uses 2 different brands of firewalls, to avoid both having the same vulnerabilities.
(Figure: Screened Subnet using Dual Firewall DMZ)
o DMZs:
▪ Normal DMZs use 2 firewalls in a screened subnet, but they can also be three-legged DMZs, which only use 1 firewall.
▪ A physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network, like the Internet.
▪ It adds an additional layer of security to our organization's LAN: an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is firewalled.
o Firewalls are designed to fail closed: if they crash, get flooded with traffic, or are shut down, they block all traffic.
o To get some redundancy we often use firewall pairs and have the firewalls in a mesh topology; this way one firewall failure will just shift the traffic paths.

Preventive and Detective Controls


● IDSs and IPSs:
o We use both IDSs (Intrusion Detection Systems) and IPSs (Intrusion Prevention Systems) on our network to capture and alert on, or block, traffic seen as malicious.
o They can be categorized into 2 types (by placement), and with 2 different approaches toward identifying malicious traffic.
▪ Network-based: placed on a network segment (a switch port in promiscuous mode).
▪ Host-based: on a client, normally a server or workstation.
▪ Signature (pattern) matching: similar to anti-virus, it matches traffic against a long list of known malicious traffic patterns.
▪ Heuristic-based (behavioral): uses a normal traffic pattern baseline to monitor for abnormal traffic.


o Just like firewalls, routers, servers, switches, and everything else in our environment, they only see part of the larger picture; for full-picture views and data correlation we use a SIEM (Security Information and Event Management) system, or even better a SOAR (Security Orchestration, Automation, and Response) system.

● IDS (Intrusion Detection System):
o They are passive: they monitor, but take no action other than sending out alerts.
o Events trigger alerts: emails/text messages to administrators or an alert on a monitoring tool; but if these are not monitored properly, it can take hours before an alert is noticed.

● IPS (Intrusion Prevention System):
o Similar to IDS, but they also take action against malicious traffic; what they do with the traffic is determined by configuration.
o Events trigger an action (drop/redirect traffic), often combined with the monitoring/administrator warnings, emails, or text messages that an IDS would trigger.

● IDS/IPS:
o Part of our layered defense.
o Basically, they are packet sniffers with analysis engines.

● Network-based (NIDS/NIPS), placed on a network segment (a switch port in promiscuous mode).
o Looks at a segment of our network, normally one switch, but can aggregate multiple switches.
o Inspects source/destination ports, IPs, protocols, and the content of traffic, but obviously cannot look inside encrypted traffic.
o Can protect against DDoS, port scans, brute-force attacks, policy violations, ...
o Deployed on one switch; the port and NIC must be in promiscuous mode, and the switch port must be a SPAN port.

● Host-based (HIDS/HIPS), on a client, normally a server or workstation.
o We only look at a single system.
o Who is using the system, the resource usage, traffic, ...
o It can be application specific; it does not have to be the entire system we monitor.
o If we do choose to do traffic analysis, it will impact the host by slowing it down.
o Certain attacks can turn off HIDS/HIPS.
o Can look at the actual data (it is decrypted at the end device); NIDS/NIPS can't look into encrypted packets.

● Signature-based:
o Looks for known malware signatures.
o Faster, since they just check traffic against malicious signatures.
o Easier to set up and manage; someone else does the signatures for us.
o They are completely vulnerable to 0-day attacks and have to be updated constantly to keep up with new attack patterns.


● Heuristic-based (Behavioral):
o Looks for abnormal behavior; can produce a lot of false positives.
o We build a baseline of what normal network traffic looks like, and all traffic is matched against that baseline.
o Traffic not matching the baseline is handled depending on settings; they can take a lot of tweaking.
o Can detect 'out of the ordinary' activity, not just attacks.
o Takes much more work and skill.

● Hybrid systems combining both are more commonly used now and check for both signatures and abnormalities.
● Intrusion Events and Masking:
o IDS/IPS naturally prompt attackers to develop attacks that try to avoid detection.
▪ Fragmentation: By sending fragmented packets, the attacker can defeat the detection system's ability to recognize the attack signature.
▪ Avoiding Defaults: The TCP port used by a protocol does not always indicate which protocol is being transported. Attackers can send malware over an unexpected port.
▪ Low-Bandwidth Coordinated Attacks: A number of attackers (or agents) spread the activity over different ports or hosts, making it difficult for the IDS to correlate the captured packets and deduce that a network scan is in progress.
▪ Address spoofing/proxying: Attackers can use poorly secured or incorrectly configured proxy servers to bounce an attack. If the source is spoofed and bounced by a server, it makes it very difficult for the IDS to detect the origin of the attack.
▪ Pattern Change Evasion: The attacker changes the data used slightly, which may avoid detection.

o Alerts on IDSs/IPSs can, like biometrics, fall into one of 4 categories:
▪ True Positive: An attack is happening, and the system detects it and acts.
▪ True Negative: Normal traffic on the network; the system sees it and does nothing.
▪ False Positive: Normal traffic, and the system detects it as an attack and acts.
▪ False Negative: An attack is happening; the system does not detect it and does nothing.
o We rarely talk about the "true" states, since things are happening like they are supposed to; we are interested in when they do not, and we block authorized traffic or allow malicious traffic.
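The signature-based and heuristic-based sections above, the pattern-change evasion bullet, and the four alert categories can all be exercised on one small data set. This is an added example written for this guide (not code from the guide or from any IDS product): a signature engine, a volume baseline engine and a hybrid of the two are run over constructed sample events with known ground truth, and each engine's decisions are scored as TP/FP/TN/FN. The IP addresses, payloads, signatures and baseline counts are all constructed.

```python
import re
import statistics
from collections import Counter

# Constructed sample events, not from the guide: (source IP, payload, is_attack).
# is_attack is ground truth we only know because we built the sample.
def _port_scan(src, count):
    return [(src, f"SYN to tcp/{port}", True) for port in range(20, 20 + count)]

EVENTS = (
    [("10.0.1.5", f"GET /page{i}.html", False) for i in range(3)]          # normal browsing
    + [("203.0.113.7", "GET /login.php?user=' OR 1=1--", True)]            # matches a known signature
    + _port_scan("198.51.100.4", 12)                                       # no signature, abnormal volume
    + [("10.0.1.9", "GET /report.csv", False) for _ in range(8)]           # busy but legitimate host
    + [("203.0.113.8", "GET /files?name=..%2f..%2fetc%2fpasswd", True)]   # pattern-change evasion: encoded, single packet
)

SIGNATURES = [r"' OR 1=1", r"\.\./"]          # constructed "known bad" patterns

# Constructed per-source request counts observed during a quiet training window.
TRAINING_COUNTS = [3, 4, 3, 5, 4]


def signature_alerts(events):
    """Signature (pattern) matching: alert when a payload contains a known-bad pattern."""
    return [any(re.search(sig, payload, re.IGNORECASE) for sig in SIGNATURES)
            for _, payload, _ in events]


def heuristic_alerts(events, training=TRAINING_COUNTS):
    """Behavioral detection: baseline the per-source volume, then alert on every
    event from a source whose volume exceeds mean + 3 standard deviations."""
    threshold = statistics.mean(training) + 3 * statistics.pstdev(training)
    per_source = Counter(src for src, _, _ in events)
    return [per_source[src] > threshold for src, _, _ in events]


def hybrid_alerts(events):
    """Hybrid: alert if either engine does."""
    return [s or h for s, h in zip(signature_alerts(events), heuristic_alerts(events))]


def confusion(events, alerts):
    """Score every decision against ground truth as TP / FP / TN / FN."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for (_, _, is_attack), alerted in zip(events, alerts):
        if alerted:
            counts["TP" if is_attack else "FP"] += 1
        else:
            counts["FN" if is_attack else "TN"] += 1
    return counts


def compare_engines(events=EVENTS):
    """Run all three engines over the same events and return their confusion counts."""
    return {
        "signature": confusion(events, signature_alerts(events)),
        "heuristic": confusion(events, heuristic_alerts(events)),
        "hybrid": confusion(events, hybrid_alerts(events)),
    }
```

The results reproduce the trade-off the guide describes: the signature engine has no false positives but misses the scan (no pattern) and the encoded traversal (the pattern was changed), the behavioral engine catches the scan but flags the busy legitimate host, and the hybrid inherits both the extra detections and the false positives. The single encoded request evades all three, which is why tuning and correlation in a SIEM still matter.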


Secure Communications
● Securing our data-in-motion is one of the most difficult tasks we have.
● The internet and IPv4 were never built to be secure, and just like anywhere else we need to find the right balance of Confidentiality, Integrity, and Availability.
● Authentication Protocols:
o Communications or cryptographic protocols designed to transfer authentication data between two entities.
o They let an entity authenticate to the connecting entity (often a server), and can also let both sides (often a server and a desktop) authenticate themselves to each other, by declaring the type of information needed for authentication as well as its syntax.
o It is the most important layer of protection needed for secure communication between networks.
o PAP (Password Authentication Protocol):
▪ Authentication is initiated by the client/user by sending a packet with credentials (username and password) at the beginning of the connection.
▪ One of the oldest authentication protocols; no longer secure. The credentials are transmitted over the network in plain text, making it vulnerable to simple attacks like eavesdropping and man-in-the-middle attacks.

o CHAP (Challenge-Handshake Authentication Protocol):
▪ Provides protection against replay attacks by the peer through the use of an incrementally changing identifier and a variable challenge value.
▪ Requires that both the client and server know the plaintext of a shared secret (like a password); the secret is never sent over the network.
▪ Provides better security compared to PAP, which is vulnerable for both of these reasons.
▪ Used by PPP (Point-to-Point Protocol) servers to validate remote clients.
▪ CHAP periodically re-verifies the identity of the client by using a three-way handshake.
▪ The CHAP server stores the plaintext passwords of each client; an attacker gaining access to the server can steal all the client passwords stored on it.
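The three-way handshake, the changing identifier and challenge, and the plaintext-secret requirement on the server can all be seen in a short simulation. This is an added example written for this guide, not code from the guide or from any PPP implementation; it follows the RFC 1994 response computation (MD5 over the identifier octet, the secret and the challenge), and the usernames and secrets are constructed sample values.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over the one-octet identifier, the shared
    secret and the challenge value. The secret itself never goes on the wire."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapServer:
    """Authenticator side (e.g. a PPP server). Note the weakness the guide points
    out: it must keep every client's secret in plaintext to recompute the hash."""

    def __init__(self, secrets):
        self.secrets = secrets       # {username: plaintext secret}; constructed sample data
        self.identifier = 0
        self.pending = {}            # username -> (identifier, challenge) awaiting a response

    def challenge(self, username):
        """Step 1 of the handshake: send a fresh random challenge with a new identifier."""
        self.identifier = (self.identifier + 1) % 256      # incrementally changing identifier
        chal = os.urandom(16)                               # variable challenge value
        self.pending[username] = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, username, identifier, response):
        """Step 3: recompute the expected hash and compare in constant time."""
        ident, chal = self.pending.pop(username, (None, None))
        secret = self.secrets.get(username)
        if chal is None or ident != identifier or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


def chap_login(server, username, secret):
    """Full three-way handshake from the client's point of view."""
    ident, chal = server.challenge(username)                # 1. Challenge
    response = chap_response(ident, secret, chal)           # 2. Response
    return server.verify(username, ident, response)         # 3. Success / Failure


def replay_attempt(server, username, secret):
    """Why the changing challenge matters: a response recorded from one handshake
    is useless against the next one. Returns (original_ok, replay_ok)."""
    ident, chal = server.challenge(username)
    captured = chap_response(ident, secret, chal)           # what an eavesdropper would record
    original_ok = server.verify(username, ident, captured)
    ident2, _ = server.challenge(username)                  # periodic re-verification
    replay_ok = server.verify(username, ident2, captured)   # old response vs. new challenge
    return original_ok, replay_ok
```

The `secrets` dictionary is the point to notice from a defender's view: unlike a salted password hash store, it cannot be replaced by a one-way digest, because the server has to feed the plaintext secret into the MD5 computation on every handshake.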

o 802.1X defines the encapsulation of EAP (Extensible Authentication Protocol).
▪ 802.1X authentication involves three parties: a supplicant, an authenticator, and an AS (authentication server).
▪ The supplicant is a client device (normally a workstation) that wants to attach to the LAN/WLAN; it is normally software running on the client that provides credentials to the authenticator.
▪ The authenticator is a network device, a switch or wireless AP.
▪ The AS (authentication server) is typically a host running software supporting the RADIUS and EAP protocols.
▪ In some cases, the authentication server software may be running on the authenticator hardware.
▪ EAP is widely used; in 802.11 (Wi-Fi) the WPA and WPA2 standards adopted it, with 100+ EAP types, as the official authentication mechanism.

o PEAP (Protected EAP):
▪ A protocol that encapsulates EAP within an encrypted and authenticated TLS (Transport Layer Security) tunnel.
▪ Developed by Cisco Systems, Microsoft, and RSA Security.

o EAP-MD5:
▪ A very weak form of EAP. It offers client-to-server authentication only, where most others provide mutual authentication.
▪ Vulnerable to man-in-the-middle attacks and password attacks.
o LEAP (Lightweight Extensible Authentication Protocol):
▪ Cisco distributed the protocol through CCX (Cisco Certified Extensions) as part of getting 802.1X and dynamic WEP adopted by the industry in the absence of a standard.
▪ No native support for LEAP in the Windows OS.
o EAP-TLS (EAP-Transport Layer Security):
▪ Uses PKI, requiring both server- and client-side certificates.
▪ Establishes a secure TLS tunnel used for authentication.
▪ This makes it very secure, but also complex and expensive.
o EAP-TTLS (EAP Tunneled Transport Layer Security):
▪ Simpler than EAP-TLS by dropping the client-side certificate requirement, allowing other authentication methods for client-side authentication.
▪ This makes it easier to deploy, but also less secure.
o PANA (Protocol for Carrying Authentication for Network Access):
▪ Allows a device to authenticate itself with a network to be granted access.
▪ EAP is used for the authentication protocol, key distribution, key agreement, and key derivation protocols.
o SLIP (Serial Line Internet Protocol):
▪ An encapsulation of IP designed to work over serial ports and modem connections.
▪ On PCs it has been replaced by PPP, which is better engineered, has more features, and does not require its IP address configuration to be set before it is established.
▪ On microcontrollers, SLIP is still the preferred way of encapsulating IP packets because of its very small overhead.
o PPP (Point-to-Point Protocol):
▪ Used over many types of physical networks, including serial cable, phone line, trunk line, cellular telephone, ...
▪ PPP is also used over Internet access connections.


▪ ISPs (Internet Service Providers) have used PPP for customer dial-up access to the Internet, since IP packets cannot be transmitted over a modem line on their own, without some data link protocol.
o VPN (Virtual Private Network):
▪ Extends a private network across a public network, so users can send and receive data across shared or public networks as if they were on the private network.
▪ VPNs may allow employees and satellite offices to securely access the organization's intranet.
▪ They are used to connect securely.
▪ Can also be used to get around geo-restrictions and censorship, or to connect to proxy servers for the purpose of protecting personal identity and location.
▪ Created by establishing a virtual point-to-point connection using dedicated connections, virtual tunneling protocols, or traffic encryption.
o PPTP (Point-to-Point Tunneling Protocol):
▪ An obsolete method for implementing virtual private networks because of many known security issues.
▪ PPTP uses a TCP control channel and a GRE tunnel to encapsulate PPP packets.
▪ No built-in encryption or authentication; it relies on the PPP being tunneled to implement security.
o L2TP (Layer 2 Tunneling Protocol):
▪ Tunneling protocol used to support VPNs or as part of the delivery of services by ISPs.
▪ No built-in encryption or confidentiality; it relies on an encryption protocol that it passes within the tunnel to provide privacy.

WLAN (Wireless LAN) Technologies and Protocols


● A WLAN is a wireless computer network that links two or more devices using a wireless distribution method within a limited area (a home, a school, a coffee shop, or an office building).
● Gives users the ability to move around within a locally covered area and stay connected to the network.
● Often multiple APs (Access Points) are set up throughout an office building to give seamless roaming coverage for the employees.
● A WLAN normally also provides an Internet connection, but not always.
● Most modern WLANs are based on IEEE 802.11 standards and are marketed under the Wi-Fi brand name.
● Wi-Fi makes us more mobile and our connection more seamless, but it is easier to compromise than a cabled Internet connection.


● Wi-Fi Attacks:
o Rogue Access Points:
▪ An unauthorized access point that has been added to our network without our knowledge.
▪ This can be malicious, added by an attacker, or just an employee wanting Wi-Fi somewhere with bad coverage.
▪ Since they are outside our security posture, they are a very big concern.
▪ Can be somewhat mitigated with port security on the switches, and by scanning for rogue access points.
▪ Can compromise confidentiality and integrity.

o Jamming/Interference:
▪ This can be a lot of traffic on the Wi-Fi frequencies, or done deliberately by attackers to disrupt our network (DoS).
▪ If interference is an issue, we can change to other channels, if any less crowded channels are available, or to different frequencies if our equipment supports it.
▪ The 2.4 GHz band is used by Bluetooth, microwaves, cordless phones, baby monitors, Wi-Fi, ...
▪ Can compromise integrity and availability.

o Evil Twin:
▪ An evil twin is a rogue access point attackers set up to gain access to the network, or to the information passing through it.
▪ Can be done on our network or not; the attacker simply names their access point the same as ours, but with no security, and user devices automatically connect to it.
▪ Can compromise confidentiality and integrity.

● 802.11 Standards:
o 802.11 is a set of media access control (MAC) and physical layer (PHY) specifications for implementing WLAN computer communication in the 2.4, 3.7, 5, and 6 GHz frequency bands.
o There are more 802.11 protocols, but for the exam know these.
o The 2.4 GHz frequency can be very crowded: wireless, Bluetooth, microwaves, cordless phones, baby monitors, ... all use that frequency.
o The 5 GHz frequency is normally less crowded and has less interference than 2.4 GHz.
o Now that 6 GHz is available, one of its largest selling points is a completely non-crowded frequency.
o 5 and 6 GHz are higher frequencies with shorter waves; they do not penetrate walls, floors, and other obstructions as well as the longer 2.4 GHz waves.
o It is easy to change the channel of your Wi-Fi to a less crowded one.
o Some access point management software can dynamically change the channels on individual access points, to find better channels and provide less overlap.

● 802.11 Wire­less NICs:
o Operate in four different modes:
▪ Managed/Client mode:
● A wireless access point is required.
● Clients connect to an access point in managed mode; once connected, clients communicate with the access point only, they can't directly communicate with other clients.
▪ Infrastructure mode:
● A wireless access point is required.
● Clients must use the same SSID (service set identifier) as the access point, and if encryption is enabled, they must share the same keys or other authentication parameters.
▪ Ad-hoc mode network:
● The WNIC does not require an access point, but can interface with all other wireless nodes directly.
● All the nodes in an ad hoc network must have the same channel and SSID.
● A computer connected to the Internet via a wired NIC may advertise an ad-hoc WLAN to allow Internet sharing.
▪ Monitor mode or RFMON (Radio Frequency Monitor) mode:
● Enables a computer with a WNIC to monitor all traffic received from the wireless network.
● Unlike promiscuous mode, which is also used for packet sniffing, monitor mode allows packets to be captured without having to associate with an access point or ad hoc network first.

● SS (Service Set) is the set consisting of all the devices associated with an organization's WLAN (Wireless Local Area Network).

● SSID (Service Set Identifier) is the name of the wireless access point you see when you connect.
o Clients must know the SSID before joining that WLAN.
o The SSID is a configuration parameter.
o SSIDs are normally broadcast, but we can disable the broadcast in the access point configuration.
o It is a security measure we may want to use, but it is easy to bypass.
o We can also use MAC address filtering on our wireless access points; this is another limited security feature.
o MAC addresses are sent in plaintext on 802.11 WLANs; they are easy to sniff and spoof.

● WEP (Wired Equivalent Privacy) protocol, early 802.11 wireless security (1997).
o No longer secure, should not be used.
o Attackers can break any WEP key in a few minutes.
o It was designed not to conflict with the Wassenaar Arrangement's 40-bit limit on encryption, and because of that it was designed weaker than it should have been.
o Many access points still have the WEP option today, but most are preconfigured with WPA2/PSK.
o WEP uses 10 or 26 hexadecimal digits (40 or 104 bits).
o Years back it was used widely and was often the first security choice presented to users by router configuration tools.
o WEP frames do not use timestamps and have no replay protection; attackers can inject traffic by replaying previously sniffed WEP frames.

● WPA (Wi-Fi Protected Access) (2003):
o An interim standard to address the WEP issues; it should not be used.
o Uses RC4 and TKIP (Temporal Key Integrity Protocol).
▪ Neither is considered secure anymore.
▪ TKIP uses a per-packet key, meaning that it dynamically generates a new 128-bit
key for each packet, which prevents the types of attacks that compromised WEP.
o WPA was designed specifically to work with wireless hardware produced prior to the
introduction of the WPA protocol.

● WPA2 (Wi-Fi Protected Access II), also called RSN (Robust Security Network) (2004):
o Most commonly used, with a slow move towards WPA3; the most secure form of WPA2 is
WPA2-PSK (Pre-Shared Key) using AES.
o AES provides confidentiality, and CCMP (Counter Mode CBC-MAC Protocol) provides a Message
Integrity Check (MIC) for integrity. WPA2 can be configured to use older, less secure
protocols (TKIP).

● WPA3 (Wi-Fi Protected Access III) (2020):
o The current standard, but the transition from WPA2 is slow.
o Offers 192-bit key strength and replaces the pre-shared key (PSK) exchange with the
Simultaneous Authentication of Equals (SAE) exchange; it uses AES-256 in GCM mode with
SHA-384 as the HMAC.


● Bluetooth:
o A wireless technology standard for exchanging data over short
distances using 2.4 GHz from fixed and mobile devices and building
personal area networks (PANs).
o Bluetooth has three classes of devices; while it is designed for short-distance
networking, Class 1 can reach up to 100 meters.
o Class 1: 100 meters, 2: 10 meters, 3: under 10 meters.
o Bluetooth implements confidentiality, authentication and key
derivation with custom algorithms based on the SAFER+ block cipher.
o The E0 stream cipher is used for encrypting packets, granting
confidentiality, and is based on a shared cryptographic secret, namely
a previously generated link key or master key.
o Cryptanalysis of E0 has proven it to be weak, attacks show the true strength to be 38 bits
or even less.
o Bluetooth key generation is generally based on a Bluetooth PIN, which must be entered
on one or both devices.
o Bluetooth security is to some extent security through obscurity; it assumes the 48-bit MAC
address of the Bluetooth adapter is not known.
o Even when discoverable mode is disabled, Bluetooth devices may be found by guessing the
MAC address.
o The first 24 bits are the OUI, which can be easily guessed; the last 24 bits can be
discovered with brute-force attacks.
o Attacks:
▪ Bluejacking: Sending unsolicited messages over Bluetooth, most often harmless
but annoying.
▪ Bluesnarfing: Unauthorized access to information on a Bluetooth device (phones,
desktops, laptops, ...).
▪ Bluebugging: The attacker gains total access to and control of your device; it can
happen when your device is left in the discoverable state.
▪ Only possible on older phones with outdated OSs; newer smartphones constantly
update their OS.
o Countermeasures:
▪ Enable Bluetooth only when you need it.
▪ Enable Bluetooth discovery only when necessary and disable discovery when your
devices are paired.
▪ Do not enter link keys or PINs when unexpectedly prompted to do so.
▪ Remove paired devices when you do not use them.
▪ Regularly update firmware on all Bluetooth enabled devices.


Preventive and Detective Controls


● Honey pots and Honey nets:
o Honeypots:
▪ System looking like a real system, but with the sole purpose of attracting
attackers.
▪ They are used to learn about our vulnerabilities and how attackers would
circumvent our security measures.
▪ Used both internally and externally: internal honeypots can alert us to attackers
and malware that made it past our security perimeter, and external honeypots
teach us about the attack vectors attackers use.
▪ External honeypots will get compromised on a regular basis; we analyze the attack
and ensure our internal systems are protected against that type of attack.
▪ Honeypots are rarely hardened completely; our actual data servers are always
hardened completely.
▪ Always talk to your legal department before deploying honeypots.
▪ Remember the thin line between entrapment and enticement.
▪ What are the legal/liability ramifications if an attacker launches a 3rd
party attack from your honeypot/net?
▪ Get very clear legal guidelines issued before deploying and get senior
management's approval in writing.

o Honeynets:
▪ A network (real or simulated) of honeypots, can be a full
server farm simulated with applications, OSs, and fake data.
▪ Best practice segments the honeynet from our actual network
by a DMZ/firewall.
▪ The SIEM/SOAR systems collect the data from our internal
systems as well as the honeynet.

Secure Communications
● IPSEC (Internet Protocol Security):
o SA (Security Association): A simplex (one-way) relationship that holds the negotiated ESP
(Encapsulating Security Payload) or AH (Authentication Header) parameters for that direction.
▪ If 2 systems use ESP to communicate, they need 1 SA for each direction (2 total); if
they use both AH and ESP, 4 total.
▪ A unique 32-bit SPI (Security Parameter Index) is used to identify each SA.
o ISAKMP (Internet Security Association and Key Management Protocol):
▪ Manages the SA creation process.
o Tunnel mode encrypts and authenticates the entire original packet (including its IP header).
o Transport mode only encrypts and authenticates the payload; it is used between end systems
that themselves speak IPsec.


o IKE (Internet Key Exchange):
▪ IPsec can use different encryption algorithms (3DES or AES) and hashes (MD5,
SHA1, SHA2, …).
▪ IKE negotiates which algorithms are selected.
▪ The 2 sides of an IPsec tunnel will normally use IKE to negotiate the highest and
fastest level of security, selecting AES over single DES for confidentiality if both
sides support AES, for example.
o IPsec can protect data flows between a pair of hosts (host-to-host), a pair of security
gateways (network-to-network), and a security gateway and a host (network-to-host).
o IPsec is an end-to-end security scheme operating in the Internet layer of the TCP/IP
model; because it works at that layer, it protects all application traffic over an IP
network rather than a single application.
o IPsec can automatically secure applications at the IP layer.
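As an added example (not code from the study guide), the Python below models what an IPsec receiver does with the two header fields discussed above: it parses the 32-bit SPI and the 32-bit sequence number from an ESP header, looks up the inbound SA by SPI, and enforces the anti-replay sliding window from RFC 4303, the protection the guide notes WEP never had. The SA table, the 64-entry window size and the packet bytes are constructed for the demonstration; no real encryption or integrity check is performed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ESP header layout per RFC 4303: 32-bit SPI followed by a 32-bit sequence number.
ESP_HEADER = struct.Struct("!II")

ACCEPT = "accept"
DROP_UNKNOWN_SPI = "drop: unknown SPI"
DROP_REPLAY = "drop: replayed or outside anti-replay window"


@dataclass
class InboundSA:
    """One simplex inbound Security Association, identified by its SPI.

    The anti-replay window is a bitmap of the last `window_size` sequence
    numbers relative to the highest one accepted so far (bit 0 = highest_seq).
    """
    spi: int
    window_size: int = 64          # assumed window; RFC 4303 requires at least 32
    highest_seq: int = 0
    bitmap: int = 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                       # sequence number 0 is never valid
            return False
        if seq > self.highest_seq:         # newer than anything seen: slide the window
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window_size) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:     # too old to be tracked: drop
            return False
        if (self.bitmap >> offset) & 1:    # already seen: replay
            return False
        self.bitmap |= 1 << offset         # late but fresh: record it
        return True


def build_esp_packet(spi: int, seq: int, payload: bytes = b"<encrypted payload>") -> bytes:
    """Constructed ESP packet for the demo (no real encryption or ICV)."""
    return ESP_HEADER.pack(spi, seq) + payload


def parse_esp_header(packet: bytes) -> Tuple[int, int]:
    if len(packet) < ESP_HEADER.size:
        raise ValueError("packet too short for an ESP header")
    return ESP_HEADER.unpack_from(packet)


def process_inbound(sad: Dict[int, InboundSA], packet: bytes) -> str:
    """Look up the SA by SPI and apply the replay check; return the verdict."""
    spi, seq = parse_esp_header(packet)
    sa = sad.get(spi)
    if sa is None:
        return DROP_UNKNOWN_SPI
    if not sa.check_and_update(seq):
        return DROP_REPLAY
    return ACCEPT


def demo() -> List[str]:
    """Run a constructed packet sequence against one inbound SA."""
    spi = 0x1000ABCD                       # constructed SPI value
    sad = {spi: InboundSA(spi=spi)}
    sequence = [(spi, 1), (spi, 2), (spi, 2), (spi, 5), (spi, 3),
                (spi, 100), (spi, 36), (spi, 37), (0xDEADBEEF, 1)]
    return [process_inbound(sad, build_esp_packet(s, n)) for s, n in sequence]


if __name__ == "__main__":
    for (spi, seq), verdict in zip(
            [(0x1000ABCD, n) for n in (1, 2, 2, 5, 3, 100, 36, 37)] + [(0xDEADBEEF, 1)],
            demo()):
        print(f"SPI={spi:#010x} seq={seq:<4} -> {verdict}")
```

The duplicate sequence number 2 and the stale number 36 (more than 64 behind the newest) are dropped, the late-but-fresh number 3 is still accepted, and a packet for an SPI with no SA is discarded before any cryptographic work is done.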

● SSL and TLS – Confidentiality and authentication for web traffic.
o Cryptographic protocols for web browsing, email, Internet faxing, instant messaging, and
VoIP.
o You download the server’s digital certificate, which includes the site’s public key.
o SSL (Secure Sockets Layer): the last version is v3.0.
▪ Mostly used for web traffic.
o TLS (Transport Layer Security): more secure than SSL v3.0.
▪ Used for internet chat and email client access, and for securing web traffic.
● ISDN (Integrated Services Digital Network) - OSI layer 1-3.
o Used for digital transmission of voice, video, data, and other network services over the
traditional circuits of the public switched telephone network.
o A circuit-switched telephone network system which also provides access to packet
switched networks.
o It offers circuit-switched connections (for either voice or data) and packet-switched
connections (for data) in increments of 64 kilobit/s but could be higher with channel
bonding.
● DSL (Digital Subscriber Line) is a family of technologies used to transmit digital data over
telephone lines.
o Often used to describe ADSL (Asymmetric DSL), the most common DSL technology.
o DSL service can be delivered side by side with wired telephone service on the same line;
this is possible because DSL uses higher frequency bands for data.
o At the customer demarc (demarcation point), a DSL filter on each non-DSL outlet blocks
high-frequency interference to enable simultaneous use of the voice and DSL services.
● Callback is a modem-based authentication system.
o Mostly used for securing dial-up connections.
o The client computer calls the server computer.
o After a greeting the client identifies itself, usually with a username.
o The server disconnects the call.
o Depending on the user’s name and a list of users' phone numbers, the server will then
establish a second call back to the client computer.
o The client computer expecting this returned call will then answer and communications
between the two computers will proceed normally.


● Caller ID does the same, but the user has to be calling from the right number.
o It can easily be faked; many phones or phone companies allow the end user to pick their
caller ID.
● Remote Administration is controlling a computer from a remote location; we do this through
software.
o A remote location may refer to a computer in the next room or to one across the world.
o Any computer with an Internet connection can be remotely administered.
● RDP (Remote Desktop Protocol) - A Microsoft proprietary protocol.
o The user uses RDP client software for this, and the other computer must run RDP server
software.
o Providing a user with a GUI (Graphical User Interface) by default, the server listens on TCP
and UDP 3389.
● VNC (Virtual Network Computing) - Not Microsoft proprietary and can run on most OSs (using
screen scraping).
o It was at first used for remote administration of computers but is now also used more
and more for remote desktop access in multi-user environments and for helpdesk
support.
● Newer remote-administration tools use HTTPS (TCP port 443) and present the GUI in a browser.
o You install the software on the system you want to access and on the one you want to
access from, set up a username/password, and you can control that system from anywhere.
o Commonly used ones include Chrome Remote Desktop, LogMeIn, GoToMyPC, support.me, …
● VDI (Virtualized Desktop Infrastructure/Interface):
o Thin Clients:
▪ Diskless Workstation (Diskless node) has all the normal hardware/firmware except
the disk, it has the lower-level OS (the BIOS) which performs the POST, and it then
downloads the kernel and OS.
▪ Thin Client Applications - We use a Web Browser to connect to the application on
a server on port 80 (HTTP) or port 443 (HTTPS), the full application is housed and
executed on the server vs. on your PC.
▪ Often stripped of non-essentials like CD drives, most ports, ...
o Zero Clients:
▪ Getting more popular for VDI because they are even slimmer and more cost-
effective than thin clients.
▪ These are client devices that require no configuration and have nothing stored on
them.
▪ They are sold by Dell, Fujitsu, HP, Pano Logic, ...

● IM (Instant Messaging):
o Short messages are typically sent between two parties (one-to-one) or many to many
(group IMs).
o Some IM applications can use push technology to provide real-time text which transmits
messages character by character as they are typed, others send when you hit enter.
o More advanced instant messaging can add file transfer, clickable hyperlinks, Voice over IP,
and video chat.


o Commonly used chat protocols today include IRC, Jabber, Lync, and still used but very
limited ICQ and AIM.
o Today most IM’ing is done embedded in other applications like Facebook, LinkedIn,
Twitter, or WhatsApp.
o Many IM applications and protocols are not designed with security in mind; they are
designed for usability.
▪ In one report on the level of safety offered by instant messengers, only 2 out of the
18 IM apps examined got “nothing of concern” on sending sensitive attachments and
mining/selling customer data; the rest got “not recommended”. The most popular
messenger had 25 “not recommended” and only 6 “nothing of concern” ratings when
looking at privacy and security.
▪ IM connections are often sent in plain text, making them vulnerable to
eavesdropping.
▪ The software often requires the user to open UDP ports, increasing the threat posed
by potential security vulnerabilities.
● Web Conferencing:
o An umbrella term for different types of online collaborative services including webinars,
webcasts, and peer-level web meetings.
o Commonly used ones are WebEx, Zoom, GoToMeeting, Google Meet, TeamViewer, ...
o Done over TCP/IP connections, services often use real-time point-to-point
communications as well as multicast communications from one sender to many receivers.
o It offers data streams of text-based messages, voice, and video chat to be shared
simultaneously across geographically dispersed locations.
o Applications where web conferencing is used: Meetings, training events, lectures, or
presentations one-to-one or many-to-many like IMs.
o The use of web conferencing should align with your organization’s policies; some products
may, if not implemented right, be a security vulnerability.
o They can bypass some security controls by tunneling through SSL/TLS, so approved products
should be hardened.
● CDN (Content Distribution Network):
o A geographically dispersed network of proxy servers and data centers.
o The client is sent to the server node with the lowest latency (in ms).
o The client's webpages, software download, and video streaming are
faster.
o The provider saves on cost, sending traffic short distances vs. long
distance and it provides redundancy and some DDOS protection.
o The idea is to distribute service spatially relative to end-users to
provide high availability and high performance.
o Many different services can be provided over CDNs: video streaming,
software downloads, web, and mobile content acceleration,
licensed/managed CDN, transparent caching, and services to measure
CDN performance, load balancing, multi-CDN switching and analytics,
and cloud intelligence.
● Third-party Connectivity:


o Medium size enterprises typically have 20 or more third-party providers. I believe the
hospital where I worked in Hawaii had more than 200 third-party providers.
o How do we ensure they are secure enough and conform to our policies and procedures?
o Many never have direct contact with IT or IT-Security.
o We must conduct a thorough risk assessment to ensure that whatever they provide does
not jeopardize our security posture, or we must accept the risk.
o We should have MOUs/MOAs and ISAs (Interconnection Security Agreement).
● Network Access Control (NAC):
o Automatic detection and response to ensure our systems are in adherence with our
security policies.
o Can help us with the prevention or reduction of 0-day and known attacks, along with
ensuring that security policies are adhered to at all times.

Mobile Security
● The more external devices we connect, the more complex policies, procedures, and standards we
need.
● Mobile devices are really anything “mobile” – External hard disks, USB drives, CDs, laptops, cell
phones, ...
● Most internal threats are not malicious people. They just do not know any better, did not think
about it or figured they would not get found out.
● Good security policies should lock down USB ports, CD drives, network ports, wireless networks,
disable autorun on media, use full disk encryption, have remote wipe capabilities, raise user
awareness training on where (if anywhere) mobile devices are allowed. (Defense in Depth)
● Cell phones are the mobile devices most often lost – Current Android and iOS phones all have full
disk encryption.
o We can add a lot more features to our company cell phones to make them more secure.
o Remote wipe, find my device, lock after x minutes, number of failed passwords, disable
removable storage, …
o We can also use a centralized management system: MDM (Mobile Device Management)
controls a lot of settings.
▪ App negative/positive list, Storage Segmentation, Remote Access Revocation,
Configuration Pushes, Backups.
▪ More controversial: Track the location of employees, monitor their data traffic
and calls.
o Laptops, Smartphones and Tablets are great productivity tools, but they (just like anything
else) have to be secured properly or they are a liability.
▪ BYOD (Bring Your Own Device) - There should be clear corporate
policies/procedures/guidelines.
▪ On/off boarding - How is the return of mobile devices handled and enforced?
▪ It is much harder to standardize on BYOD. Is support staff ready for that many
devices, OSs, applications?
▪ Should we use MDM?
▪ How do we handle patch and virus management?


Preventive and Detective Controls


● Application Positive Listing:
o We can positive list the applications we want to allow to run in our environments, but it
can also be compromised.
o We would positive list against a trusted digital certificate, a known hash, or a path and
name; the latter is the least secure, since an attacker can replace the file at the path
with a malicious copy.
o Building the trusted application positive list takes a good deal of time, but it is far
superior to negative listing; there are tens of thousands of applications and we can never
keep up with them.
● Removable Media Controls:
o Good security policies would also have us lock down USB ports, CD drives, memory card
ports and anything else where you can load malicious code onto our systems from
external devices.
o For servers we may rarely have to enable USB ports for firmware or other updates, we
would enable the ports while we use them and lock them right away after, it is safer to be
done centrally via group policies or similar.
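The following Python is an added example (not from the study guide) of the point made under Application Positive Listing: a rule keyed on path and name keeps trusting whatever currently sits at that path, while a rule keyed on a known hash only trusts the exact bytes that were approved. The file name, its contents and the temporary directory are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from typing import Set, Tuple


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def allowed_by_path(path: str, allowed_paths: Set[str]) -> bool:
    """Path-and-name rule: trusts whatever currently sits at the approved path."""
    return os.path.abspath(path) in allowed_paths


def allowed_by_hash(path: str, allowed_hashes: Set[str]) -> bool:
    """Hash rule: trusts only the exact bytes that were approved."""
    return sha256_file(path) in allowed_hashes


def demo() -> Tuple[Tuple[bool, bool], Tuple[bool, bool]]:
    """Return ((path_ok, hash_ok) before the file changes, (path_ok, hash_ok) after)."""
    with tempfile.TemporaryDirectory() as workdir:
        tool = os.path.join(workdir, "backup-tool.bin")      # constructed file name
        with open(tool, "wb") as fh:
            fh.write(b"constructed approved program bytes, build 1\n")

        # Both lists are built from the approved copy.
        allowed_paths = {os.path.abspath(tool)}
        allowed_hashes = {sha256_file(tool)}
        before = (allowed_by_path(tool, allowed_paths),
                  allowed_by_hash(tool, allowed_hashes))

        # Later the file at the approved path is replaced with different bytes,
        # the case the guide warns about.
        with open(tool, "wb") as fh:
            fh.write(b"constructed different program bytes\n")
        after = (allowed_by_path(tool, allowed_paths),
                 allowed_by_hash(tool, allowed_hashes))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before replacement: path rule", before[0], "/ hash rule", before[1])
    print("after replacement:  path rule", after[0], "/ hash rule", after[1])
```

The path rule still answers True after the replacement, which is exactly why the guide ranks it as the least secure of the three options; a certificate-based rule behaves like the hash rule but survives legitimate updates signed by the same publisher.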

Virtualization and Distributed Computing


● Virtualization
o Virtualization poses a whole new set of standards, best practices, and security concerns.
▪ With Virtualization we have many servers (clients) on the same hardware platform
(host).
▪ Virtualization is software running under the OS and above the Hardware (Ring -1).
▪ Traffic between the clients on the host doesn't have to traverse our network.
▪ Common virtualization software includes VMware, Hyper-V, and Xen.
▪ With Distributed Computing we use either multiple local or remote clients for our
needs, most commonly cloud computing. How do we ensure the cloud Data
Center meets our security posture, how do they segment their network?
o Virtualization holds a ton of benefits:
▪ Virtualized environments cost a lot less than all physical servers.
▪ It is much easier to stand up new servers (don't need to buy hardware, wait 2
weeks, rack it, run power/internet).
▪ You can easily backup servers with snapshots; server builds can be done with
images.
▪ You can instantly reallocate resources.
▪ They have lower power and cooling costs, a much smaller rack footprint (50-100
servers in the space of 5-8).


o Hypervisor - Controls the access between the virtual guests/clients and the host hardware.
▪ Type 1 hypervisor (bare metal) is part of a virtualization OS that runs directly on the
host hardware (think data center).
▪ Type 2 hypervisor runs on top of a regular OS like Windows 10 (think your PC).
o Virtualization also poses new vulnerabilities because the technology is new-ish and very
complex.
o Clients on the same host should be on the same network segment (internal/DMZ). A host
should never house both zones.
o Clients should be logically separated on the network like physical servers would be (HR,
Accounting, IT VLANs).
o VM Escape (virtualization escape) is when an attacker can jump from the host or a client to
another client; this is even more of a concern if you have clients of different trust levels
on the same host. They should ideally be on separate hosts.
o Hypervisor Security - If an attacker can get access to the hypervisor, they may be able to
gain access to the clients.
o Resource Exhaustion - Admins oversubscribe the CPU/memory and do not realize more is
needed (availability).

● Cloud Computing - (There is no 'Cloud' it is just another computer somewhere else).


o When we use cloud computing we build or outsource some part of our IT infrastructure,
storage, or applications.
o This can be done for many good reasons, but most are cost related.
o Cloud Computing can be divided into 4 main types:
▪ Private Cloud Computing - Organizations build and run their own cloud
infrastructure (or they pay someone to do it for them).
▪ Public Cloud Computing - Shared tenancy – A company builds massive
infrastructures and rents it out to anyone who wants it. (Amazon AWS, Microsoft,
Google, IBM).
▪ Hybrid Cloud Computing – A mix of Private and Public Cloud Computing. An
organization can choose to use Private Cloud for sensitive information and Public
Cloud for non-sensitive data.
▪ Community Cloud Computing – Only for use by a specific community of
consumers from organizations that have shared concerns. (Mission, policy,
security requirements, and/or compliance considerations.)


As with any other outsourcing make sure you have the right to audit, pen test (clearly agreed upon
criteria), conduct vulnerability assessment, and check that the vendor is compliant with your
industry and the standards you adhere to.

● Public Cloud Computing:
o Platforms are normally offered as:
▪ IaaS (Infrastructure as a Service): The vendor provides infrastructure up to, but not
including, the OS; the customer adds the OS and everything above it.
▪ PaaS (Platform as a Service): The vendor provides pre-configured OSs, then the
customer adds all programs and applications.
▪ SaaS (Software as a Service): The vendor provides the OS and applications/programs.
Either the customer interacts with the software manually by entering data on the
SaaS page, or data is automatically pushed from your other applications to the SaaS
application (Gmail, Office 365, Dropbox, Payroll, …).

● Grid Computing – can make use of resources not currently in use from 100 to 100,000s of
computers to perform very complex tasks.
o Each node has a smaller subtask, but leveraging the entire grid can make it very
powerful and fast.
o Often used for problems so complex that they need that many nodes to be solved.
o BOINC (Berkeley Open Infrastructure for Network Computing) has over 4,000,000
machines enrolled, used for a wide variety of scientific research.
o Peer to Peer (P2P) - Any system can be a client and/or a server.
▪ Most commonly used on torrent networks to share music, movies, programs, pictures
and more (the majority without the copyright holder’s consent).
▪ Older versions had centralized index servers, making it easier to disrupt a sharing
network, but the current versions use no centralized infrastructure.
▪ Each client is often also a server and has the index. Taking down 10,000 nodes in a
network of 100,000 will just result in a network of 90,000, with no other discernible
impact.

● Thin Clients (Boot sequence - BIOS > POST > TCP/IP > BOOTP or DHCP)
o Diskless Workstation (Diskless node) has all the normal hardware/firmware except the
disk, and the low-level OS (BIOS), which performs the POST. It then downloads the kernel
and higher-level OS.


o Thin Client Applications - We use a Web Browser to connect to the application on a server
on port 80 (HTTP) or port 443 (HTTPS). The full application is housed and executed on the
server vs. on your PC.
● Distributed Systems:
o Can also be referred to as:
▪ Distributed computing environment (DCE), concurrent computing, parallel computing,
and distributed computing.
o A collection of individual systems that work together to support a resource or provide a
service.
o Most end-users see the DCE as a single entity and not as multiple systems.
o Why do we use DCEs?
▪ They can give us horizontal scaling (size, geography, and administration), modular
growth, fault tolerance, cost-effectiveness, and low latency (users connect to the
closest node).
o Where do we use DCEs?
▪ All over the place (the internet, websites, cell networks, research, P2P networks,
blockchain, …).
● High-Performance Computing (HPC) Systems:
o Most often aggregates of compute nodes in a system designed to solve complex
calculations or manipulate data at very high speeds.
o HPCs have 3 components: compute, network, and storage.
▪ All 3 must have enough resources to not become a bottleneck.
o The most well-known versions are supercomputers.
● Edge Computing Systems:
o The processing of data is done as close as possible to where it is needed; we do that by
moving the data and compute resources.
o This optimizes bandwidth use and lowers latency.
o CDNs are one of the most common types of edge computing.
o 80%+ of large enterprises have already implemented or are in the process of
implementing an edge computing strategy.

Software Vulnerabilities and Attacks


● Buffer overflow (buffer overrun):
o An anomaly where a program, while writing data to a buffer, overruns the buffer's
boundary and overwrites adjacent memory locations; it happens through improper coding
when a programmer fails to perform bounds checking.
o Buffers are areas of memory set aside to hold data, often while moving it from one section
of a program to another, or between programs.


o Buffer overflows can often be triggered by malformed inputs: if one assumes all inputs will
be smaller than a certain size and the buffer is created to be that size, an anomalous
transaction that produces more data could cause a write past the end of the buffer.
o If this overwrites adjacent data or executable code, it may result in erratic program
behavior, including memory access errors, incorrect results, and crashes.
o By sending in data designed to cause a buffer overflow, it is possible to write into areas
known to hold executable code and replace it with malicious code.
● Race condition (race hazard):
o Two or more programs may collide in their attempts to modify or access a file.
o This can be exploited by an attacker with access, altering files in a way that results in
data corruption or privilege escalation.
o TOCTOU (time of check to time of use):
▪ A software bug caused by changes in a system between the checking of a
condition (such as a security credential) and the use of the results of that check.
● Privilege escalation:
o Exploiting a bug, design flaw or configuration oversight in an OS or application to gain
access to resources that are normally protected from an application or user.
o Attackers often use this to elevate the user account they have gained access to, in order to
get administrator access.
o The result is that an application with more privileges than intended by the application
developer or system administrator can perform unauthorized actions.
● Backdoors:
o Often installed by attackers during an attack to allow them access to the systems after the
initial attack is over, to exfiltrate data over time, or to come back and compromise other
systems.
o Bypassing normal authentication or encryption in a computer system, a product, or an
embedded device, ...
o Backdoors are often used for securing remote access to a computer or obtaining access to
plaintext in cryptographic systems.
● Ethical Disclosure:
o What do you do when you discover a vulnerability? We covered some of this in the white,
gray, and black hat hacker section.
o Full disclosure: Tell everyone, make it public, assuming attackers already know and are
using it.
o Responsible/Partial disclosure: Telling the vendor, they have time to develop a patch and
then disclose it.
▪ If they do nothing, we can revert to the full disclosure forcing them to act.
o No disclosure: Attackers finding a vulnerability would try to exploit it and keep it secret as
long as possible.


System Vulnerabilities and Attacks


● Security Orchestration, Automation, and Response (SOAR):
o A software solution that uses AI to allow us to respond to some security incidents
automatically.
o SOAR vs. SIEM: Very similar; both detect and alert on security events, but using AI, SOAR
will also react to some security events.
▪ SIEMs often generate more alerts than a SOC team can handle, SOAR can help
reduce the number of alerts and make workflows more manageable.
o SOAR combines all the comprehensive data we gather, has case management,
standardization, workflows, and analytics, and it can integrate with many of our other
solutions (Vulnerability Management (VM), IT Service Management (ITSM), Threat
Intelligence, …).
o All this can help our organization implement a detailed defense-in-depth solution.

● Operation and Maintenance:


o Once our finished software/project is handed off to operations, there will still be some
maintenance tasks our organization needs to perform.
o Our environment and the requirements for our applications are never static.
o We need a solid support team in place to make sure the software functions as required,
that any required changes are implemented using proper change management, and that
all this is done with security in mind.

● Integrated Development Environment (IDE):


o Applications that help in the development of other applications.
o They are designed to contain all programming tasks in a single application, having a single
central interface with all the tools the developer needs, including:
▪ The Code editor: For writing and editing source code, these editors are different
from text editors, they are designed to either simplify or enhance the process of
writing and editing the code.
▪ Compiler: The compilers change our source code, which is written in a human-
readable language, into a form that computers can execute.
▪ Debugger: Debuggers are used during the testing phase and can help our
developers debug their code.
▪ Build automation tools: Tools to help automate common dev tasks to save time.
▪ On top of this some IDEs may also include:
▪ Class browser: Used to reference and study the properties of an object-
oriented class hierarchy.
▪ Object browser: Used to inspect objects present in a running application
program.
▪ Class hierarchy diagram: Helps devs to visualize the structures of object-
oriented programming code.
● Runtime:
o Runtime is the amount of time when a program is running. Starting when a program is
executed/started and stopping with the program terminated/closed.


o The term, runtime, is most often used in software development. Commonly used with
"runtime error," an error that occurs while a program is running. This error is used to
differentiate from other types of errors, like syntax errors and compilation errors, which
happen before a program is run.

Emanations and Covert Channels


● Emanations - Often electromagnetic emanations.
o Information that leaks via the electrical changes in a system or a wire.
o It is possible to log a user’s keystrokes on a smartphone using the motion sensor.
o They are unintentional information-bearing signals which, if intercepted and analyzed, can
lead to a compromise.
o We can protect against electromagnetic emanations with heavy metals, but we would
have 80 lbs. (40 kg) laptops.
● Covert Channels – Creates the capability to transfer information using channels not intended to
do so.
o Covert Timing Channels: Operations that affect the "real response time observed" by the
receiver.
▪ Most common is username/password - wrong username takes 100ms to confirm,
wrong password takes 500ms to confirm, you get the "Wrong username or
password" error, but an attacker can tell when they use a correct username
because of the delay difference.
o Covert Storage Channels: Hidden information through the modification of a stored object.
▪ Certain file sizes have a certain meaning.
▪ Attackers can add data to the payload of outbound ICMP packets (unless we need
them, block outbound ICMP packets).
o Steganography - Hiding a message within another media (invisible ink and the hidden
clues in da Vinci's paintings).
[Figure: original image shown next to the altered image carrying the hidden text]
▪ The messages can be hidden in anything really, most commonly images and
soundtracks.
▪ On images like this one, the program changes the shading of some of the pixels of
the image. To the naked eye, it is not noticeable, but a lot of information can be
hidden in the images this way.
▪ Hidden in the altered (bottom) image is the first chapter of Great Expectations
(Charles Dickens, 1867 Edition - 4 pages at font size 11, 1827 words, 7731
characters).
o Digital Watermarks encode data into a file.
▪ The watermark may be hidden, using steganography, or
visible watermarks.
▪ Often used to fingerprint files (the file is identified as
yours).
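The covert timing channel in the username/password example above, as an added illustration that is not from the guide: the leaky login returns early for an unknown username and skips the expensive hash, while the uniform version does the same work on every path. The user store, the dummy credential and the hash-call counter (a stand-in for the measurable delay) are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed user store (not from the guide): username -> (salt, PBKDF2 hash).
HASH_CALLS = {"n": 0}   # counts expensive hash computations; our proxy for elapsed time

def _hash(password: str, salt: bytes) -> bytes:
    HASH_CALLS["n"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}
# Dummy credential: unknown usernames are checked against this so they cost the same.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder-never-matches", _DUMMY_SALT)

def login_leaky(username: str, password: str) -> bool:
    """Returns early for unknown users: no hash is computed, so the reply is
    measurably faster. Both failures show the same 'Wrong username or password'
    message, but the delay tells the caller which usernames exist."""
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    return _hash(password, salt) == stored

def login_uniform(username: str, password: str) -> bool:
    """Same work on every path: one hash, one constant-time compare."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)
    ok = hmac.compare_digest(candidate, stored)
    return ok and username in USERS

def hash_work(login, username: str, password: str) -> int:
    """How many hash computations one login attempt triggered."""
    before = HASH_CALLS["n"]
    login(username, password)
    return HASH_CALLS["n"] - before

if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, "unknown user:", hash_work(fn, "mallory", "x"),
              "known user:", hash_work(fn, "alice", "x"))
```

Rate limiting and generic error messages are still needed; equalising the work per request only closes the timing side channel, not online guessing.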


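Pixel-shading steganography as described in the Steganography bullets above, added here as an illustration that is not from the guide: the message goes into the least significant bit of each greyscale value (so no pixel changes by more than one shade), and the ratio check shows the crude statistical signal a defender can start from. The cover image, the sample text and the length-prefix framing are constructed assumptions.

```python
from typing import List

def embed_lsb(pixels: List[int], message: bytes) -> List[int]:
    """Hide message in the least significant bit of successive 8-bit grey values.
    A 4-byte big-endian length prefix tells the extractor where the text ends."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for this message")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit      # shading moves by at most 1/255
    return out

def extract_lsb(pixels: List[int]) -> bytes:
    """Read the length prefix, then that many bytes, from the LSB plane."""
    bits = [p & 1 for p in pixels]
    def read_bytes(count: int, start: int) -> bytes:
        return bytes(
            int("".join(map(str, bits[start + 8 * k: start + 8 * k + 8])), 2)
            for k in range(count)
        )
    length = int.from_bytes(read_bytes(4, 0), "big")
    return read_bytes(length, 32)

def max_pixel_delta(a: List[int], b: List[int]) -> int:
    """Largest per-pixel change between cover and stego image."""
    return max(abs(x - y) for x, y in zip(a, b))

def lsb_ones_ratio(pixels: List[int]) -> float:
    """Share of pixels whose LSB is 1. Smooth covers are often skewed away from
    0.5; embedded text or ciphertext pushes the ratio toward 0.5, which is the
    crude signal simple stego detectors start from."""
    return sum(p & 1 for p in pixels) / len(pixels)

# Constructed cover: a 64x64 greyscale gradient whose values are all even (LSB = 0),
# so embedded bits show up in the statistics but not to the eye.
COVER = [((x + y) % 128) * 2 for y in range(64) for x in range(64)]
# Constructed sample text standing in for the hidden chapter.
SECRET = b"Chapter I. My father's family name being Pirrip, and my Christian name Philip, ..."

STEGO = embed_lsb(COVER, SECRET)
```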
The Internet of Things (IoT)


● It is really anything “Smart”: Smart TVs, Thermostats,
Lightbulbs, Cars, anything that connects to the internet in
some way (that didn’t before).
● They can be an easy way into your smart device, as most are
never patched (many don’t even have the option).
● Most devices have very basic security (if any). They use the
default login/password, and they often use well-known ports,
making them easy to target. We harden here, we patch,
segment the network, lock ports, and change defaults.
● They are not only simple to hack but can also provide
attackers an easy way onto your network. If you use it in your
organization or at home, segment that part of the network off from everything else and lock it
down.

WLAN (Wireless LAN) Technologies and Protocols


● Li-Fi:
o Uses light to transmit data and position between devices.
o Can send high-speed data using visible light, ultraviolet, and infrared spectrums.
o Can be used in areas prone to EMI (Electromagnetic interference), such as aircraft cabins,
hospitals, and nuclear power plants.
o Speeds (currently) up to 100 Gbit.
o Light can reflect off walls and still reach 70 Mbit without requiring a direct line of sight.
o Pros: Does not share Wi-Fi's capacity limits (radio frequency spectrum exhaustion) and can
be used in places where Wi-Fi is prohibited.
o Cons: Short-range, not always reliable, and high cost of implementation.

● Zigbee:
o Mesh wireless network with low power, low data rate, and close proximity.
o Simple and less complex compared to other WPANs (Wireless Personal Area Networks)
such as Bluetooth or Wi-Fi.
o It has a range of 10 to 100 meters, but it requires line-of-sight. Data rates vary between 20
kbit/s (868 MHz band) and 250 kbit/s (2.4 GHz band).


● Satellite:
o For many years, satellite internet was a relatively slow and
expensive option.
o You have a modem, as with any other internet connection, as well
as a satellite dish (2-3 ft. or 60-90 cm).
o Typical satellite connections have had a latency of 500 ms and
speeds ranging from 10 to 50 Mbps.
o Starlink is currently testing speeds ranging from 20-200 Mbps down
to 15-50 Mbps up, with latencies ranging from 15-40 ms.

Cellular Networks
● Cellular networks/mobile networks are communication networks where the last leg is wireless.
● The network is divided into cells and distributed across areas, with each cell containing at least
one fixed-location transceiver, if not more.
● These base stations provide network coverage to the cell, allowing it to transmit voice, data, and
other types of content.
● To avoid interference and provide guaranteed service quality within each cell, a cell typically uses
a different set of frequencies than neighboring cells.

● 3G:
o Bandwidth: 2 Mbps, latency: 100-500 ms, average speed 144 kbps.
● 4G:
o Bandwidth: 200 Mbps, latency: 20-30 ms, average speed 25 Mbps, 16km (10 miles).
● 5G:
o Bandwidth: 5-20 Gbps, latency: <10 ms, average speed 200-400 Mbps, 500m (1500 ft).
o High frequency, short-range, and can be blocked by anything metal and even just solid
objects.
o A lot more 5G towers are needed to get coverage.


What we covered in Domain 2


● Congratulations on finishing Domain 2: Information Security Risk Management.
● 20% of the exam questions on the certification are from this domain.

● We identify all of our assets, identify the risks, then we assess the risks with qualitative and
quantitative risk analysis, we respond to the risk, mitigation, and then we monitor controls.
● We talked about attackers and the attacks in the OWASP Top 10 (2021).
● We covered how we secure our communication, software, and systems by securing our
networks and networking devices.
● We covered many networking basics like IP, NAT, PAT, protocols, hardware and software,
wireless, and much more from networking.
● Finally, we talked about what cloud computing is, what our responsibility is to secure it, and IoT.

● This should be what you are tested on for Domain 2 until the next planned CISM curriculum
change in 2027.


The OSI Model Graphics (graphics not reproduced in this text version)
