DOMAIN 3

securiTY+
PROVEN FAST, EFFECTIVE &
AFFORDABLE EXAM PREP

EXAM
CRAM
with Pete Zerger CISSP, vCISO, MVP
EXAM OBJECTIVES (DOMAINS)

1.0 Attacks, Threats, and Vulnerabilities 24%

2.0 Architecture and Design 21%

3.0 Implementation 25%

4.0 Operations and Incident Response 16%

5.0 Governance, Risk, and Compliance 14%

EXAM OBJECTIVES (DOMAINS)

1.0 Attacks, Threats, and Vulnerabilities 24%

2.0 Architecture and Design 21%

3.0 Implementation 25%

4.0 Operations and Incident Response 16%

5.0 Governance, Risk, and Compliance 14%

 I N T R O D U C T I O N : SERIES OVERVIEW

LESSONS IN THIS SERIES

1 2 3 4 5 6
1

Intro + one lesson for each exam domain

+ 5-10 shorter supplemental lessons
CompTIA Security+
Exam Cram
EXAM NUMBER: SY0-601
• 3.0 Implementation
Covering all topics in the official
Security+ exam objectives
SECURITY+
EXAM STUDY GUIDE
& PRACTICE TESTS BUNDLE

1,000 flashcards
1,000 practice questions
2 practice exams
SECURITY+
EXAM STUDY GUIDE
& PRACTICE TESTS BUNDLE

1,000 flashcards
1,000 practice questions
2 practice exams
 SECURITY+
EXAM STUDY GUIDE
& PRACTICE TESTS BUNDLE
Includes
10% exam
discount
coupon

link to the 2021 exam bundle in the video description !

A pdf copy of the presentation is
available in the video description!

Subscribed
SUBSCRIBE
3.0 implementation
3.1 Given a scenario, implement secure protocols

• Protocols • Simple Network Management • Use cases

• Domain Name System Security
Extensions (DNSSEC)
• SSH
• Secure/Multipurpose Internet
Mail Extensions (S/MIME)
• Secure Real-time Transport
Protocol (SRTP)
• Lightweight Directory Access
Protocol Over SSL (LDAPS)
• File Transfer Protocol, Secure
(FTPS)
• SSH File Transfer Protocol (SFTP)
• Protocol, version 3 (SNMPv3)
• Hypertext transfer protocol
over SSL/TLS (HTTPS)
• IPSec
• Authentication header
(AH)/Encapsulating Security
Payloads (ESP)
• Tunnel/transport
• Post Office Protocol (POP)/
Internet Message Access
Protocol (IMAP)
• Voice and video
• Time synchronization
• Email and web
• File transfer
• Directory services
• Remote access
• Domain name resolution
• Routing and switching
• Network address allocation
• Subscription services

Implement = choose the right protocol for a use case

 SECURE PROTOCOLS & USE CASES
PROTOCOL TCP/UDP PORT USE CASES
Secure Shell (SSH) 22 Secure remote access (Linux and network)
Secure copy protocol (SCP) 22 Secure copy to Linux/Unix
SSH File Transfer Protocol (SFTP) 22 Secure FTP download
DNSSEC TCP/UDP 55 Secure DNS traffic
Kerberos 88 Secure authentication
Simple Network Management remote monitoring and configuration of
UDP 162
Protocol version 3 (SNMP v3) SNMP entities (such as network devices)
Lightweight Directory Access Secure directory services information
636
Protocol over SSL (LDAPS) (e.g. - Active Directory Domain Services)
Hypertext Transport Protocol
443 Secure web browsing
over TLS/SSL (HTTPS)
Transport Layer Security (TLS) /
443 Secure data in transit
Secure Sockets Layer (SSL)

Internet Protocol Security (IPSec) UDP 500 Secure VPN session between two hosts

Know the protocols and modes for IPSec

 SECURE PROTOCOLS & USE CASES

PROTOCOL TCP/UDP PORT USE CASES

Secure Simple Mail Transfer
587 Secure SMTP (email)
Protocol (SMTPS)
Secure Internet Message
993 Secure IMAP (email)
Access Protocol (IMAP4)
Secure Post Office Protocol 3 (POP3) 995 Secure POP3 (email)
Secure/Multipurpose Internet
993 Encrypt or digitally sign email
Mail Extensions (S/MIME)
File Transfer Protocol, Secure (FTPS) 989/990 Download large files securely

Remote Desktop Protocol (RDP) 3389 Secure remote access

Session Initiated Protocol (SIP)
Secure Real Time Protocol (SRTP)
Signaling and controlling in Internet
5060/5061
telephony for voice and video
Encryption, message auth, and integrity
5061
for audio and video over IP networks

For the exam,, grouping by use case may be helpful in memorization

 IPSec Protocols and Modes

Authentication Header (AH) and Encapsulating Security Payload (ESP)

protocols
AH protocol provides a mechanism for authentication only.
Because AH does not perform encryption, it is faster than ESP.
ESP protocol provides data confidentiality (encryption) and authentication
(data integrity, data origin authentication, and replay protection).
ESP can be used with confidentiality only, authentication only, or both
confidentiality and authentication.

In transport mode, the IP addresses in the outer header are used to

determine the IPsec policy that will be applied to the packet.
It is good for ESP host-to-host traffic
In tunnel mode, two IP headers are sent. The inner IP packet determines the
IPsec policy that protects its contents.
It is good for VPNs, and gateway-to-gateway security.
3.0 implementation
Given a scenario, implement host or
3.2 application security controls

• Endpoint protection • Database • Hardening

• Antivirus • Tokenization • Open ports and services
• Anti-malware • Salting • Registry
• Endpoint detection and response • Hashing • Disk encryption
(EDR) • Application security • OS
• DLP • Input validations • Patch management
• Next-generation firewall (NGFW) • Secure cookies • Third-party updates
• Host-based intrusion prevention • Hypertext Transfer Protocol • Auto-update
system (HIPS) (HTTP) headers • Self-encrypting drive (SED)/
• Host-based intrusion detection • Code signing full-disk encryption (FDE)
system (HIDS) • Allow list • Opal
• Host-based firewall • Block list/deny list • Hardware root of trust
• Boot integrity • Secure coding practices • Trusted Platform Module
• Boot security/Unified Extensible • Static code analysis (TPM)
Firmware Interface (UEFI) • Manual code review
• Sandboxing
• Measured boot • Dynamic code analysis
• Boot attestation • Fuzzing
Endpoint protection
These capabilities are generally delivered together in a single solution

Antivirus
is a software program designed to detect and destroy viruses and
other malicious software from the system.

Anti-malware
a program that protects the system from all kinds of malware
including viruses, Trojans, worms, and potentially unwanted programs.

Endpoint Detection and Response (EDR)

an integrated endpoint security solution that combines:
real-time continuous monitoring and collection of endpoint data
with rules-based automated response and analysis capabilities.

Usually go beyond AV signature-based protection to identify

potentially malicious behaviors (aka zero-day or “emerging threats”)
describe Data Loss Prevention (DLP)

is a way to protect sensitive information and

prevent its inadvertent disclosure.

can identify, monitor, and automatically

protect sensitive information in documents
Data Loss
Prevention Protects personally identifiable information (PII),
protected health information (PHI) and more

policies can be typically applied to email, SharePoint,

cloud storage, and in some cases, even databases
modern firewalls
protect web applications by filtering and
monitoring HTTP traffic between a web
application and the Internet.
Web Application typically protects web applications from common
aka “WAF” attacks like XSS, CSRF, and SQL injection.
Some come pre-configured with OWASP rulesets

a deep-packet inspection firewall that moves

beyond port/protocol inspection and blocking.
adds application-level inspection, intrusion
Next Generation prevention, and brings intelligence from
aka “NGFW” outside the firewall.
IDS and IPS

analyzes whole packets, both header and

payload, looking for known events. When a
known event is detected, a log message is
generated.

analyzes whole packets, both header and

payload, looking for known events. When a
known event is detected, packet is rejected.
Host-based IDS and IPS
IDS/IPS in software form, installed on a host (often a server)

analyzes whole packets, both header and

payload, looking for known events. When a
Host-based Intrusion known event is detected, a log message is
Detection System generated.

analyzes whole packets, both header and

payload, looking for known events. When a
Host-based Intrusion known event is detected, packet is rejected.
Prevention System
Endpoint protection

an application firewall that is built into desktop

operating systems, like Windows or Linux.

Because it is an application, it is more vulnerable to

attack in some respects (versus hardware FW).

Restricting service/process access to ensure

malicious parties cannot stop/kill is important.

Host-based and network-based firewalls are

often used together in a layered defense
 BOOT INTEGRITY

Boot integrity ensures host are protected during the boot process,
so all protections are in place when system is fully operational.

Unified Extensible Firmware Interface (UEFI)

a modern version of the Basic Input/Output System (BIOS) that is more secure and is
needed for a secure boot of the OS. The older BIOS cannot provide secure boot.
Measured Boot
where all components from the firmware, applications, and software are measured and
information stored in a log file
The log file is on the Trusted Platform Module (TPM) chip on the motherboard.
Trusted Secure Boot and Boot Attestation
Operating Systems such as Windows 10 can perform a secure boot at startup where the
OS checks that all of the drivers have been signed.
If they have not, the boot sequence fails as the system integrity has been compromised.
This can be coupled with attestation, where the software integrity has been confirmed.
Bitlocker implements attestation and its keys are stored on the TPM
databases

is deemed more secure than encryption because it cannot be reversed

takes sensitive data, such as a credit card number, and replaces it with random data.
For example, many payment gateway providers store the credit card details securely
and generate a random token.
Tokenization can help companies meet PCI DSS, HIPAA compliance requirements

A database may contain a massive amount of data, and hashing is used to index and
fetch items from a database.
This makes the search faster as the hash key is shorter than the data.
The hash function maps data to where the actual records are held.

Salting passwords in a database adds random text before hashing to increase the
compute time for a brute-force attack. and renders rainbow tables ineffective
 APPLICATION SECURITY

Implement application security controls to prevent attacks.

Input Validation
ensures buffer overflow, integer overflow, and SQL injection attacks
cannot be launched against applications and databases.
use where data is entered either using a web page or wizard.
only accept data in the correct format within a range of minimum and
maximum values.
Incorrect format should be rejected, forcing user to re-enter
Secure Cookies
used by web browsers and contain information about your session.
can be stolen by attackers to carry out a session hijacking attack.
setting the secure flag in website code to ensure that cookies are only
downloaded when there is a secure HTTPS session.
 APPLICATION SECURITY

Implement application security controls to prevent attacks.

Hypertext Transfer Protocol (HTTP) Headers

HTTP headers are designed to transfer information between the host and the web server.
an attacker can carry out cross-site scripting (XSS) as it is mainly delivered through
injecting HTTP response headers.
can be prevented by entering the HTTP Strict Transport Security (HSTS) header:
HSTS ensures that the browser will ignore all HTTP connections
Code Signing
uses a certificate to digitally sign scripts and executables to verify their authenticity and
to confirm that they are genuine.
Allow List
An allow list enable only explicitly allowed applications to run. This can be done by
setting up an application whitelist.
Firewalls, IDS/IPS, and EDR systems can have an allow list
 APPLICATION SECURITY

Implement application security controls to prevent attacks.

Block List/Deny List

prevents specified applications from being installed or run by using a block/deny list in the
specified security solution.
Firewalls, IDS/IPS, and EDR systems can have a block list.
 APPLICATION SECURITY

Implement application security controls to prevent attacks.

Secure Coding Practices: developer who creates software writes code in a

manner that ensures that there are no bugs or flaws.
Intent is to prevent attacks such as buffer overflow or integer injection.
Static Code Analysis: analysis where the code is not executed locally but is
analyzed by a static code analyzer tool.
source code is run inside the tool that reports any flaws or weaknesses.
Requires source code access
Dynamic Code Analysis: code is executed, and a technique called fuzzing
is used to inject random input into the application.
output is reviewed to ensure appropriate handling of unexpected input.
exposes flaws in an application before it is rolled out to production.
Does not require source code access
 APPLICATION SECURITY

Static and dynamic testing, as described in the CISSP exam

analysis of computer software performed

without actually executing programs
Application Security tester has access to the underlying
Testing framework, design, and implementation

tests “inside out” requires source code

a program which communicates with a

web application (executes the application).
Application Security tester has no knowledge of the
Testing technologies or frameworks that the
application is built on
tests “outside in” no source code required
 APPLICATION SECURITY

Implement application security controls to prevent attacks.

Manual Code Review

code is reviewed line by line to ensure that the code is well-written and
error free.
tends to be tedious and time-consuming.

Fuzzing
random information is input into an application to see if the application
crashes or memory leaks result, or if error information is returned.
used to remedy any potential problems within application code before a
new application is released. white box testing scenario
can also be used to find any vulnerabilities with the application after
release. This is called improper input validation. black box testing scenario
 HARDENING

listening ports should be restricted to those necessary, filtered to restrict

traffic, and disabled entirely if unneeded.
Block through firewalls, disable by disabling underlying service.

access should be restricted, and updates controlled through policy

where possible.
always take a backup of the registry before you start making changes.

drive encryption can prevent unwanted access to data in a variety of

circumstances. Using FDE or SED, described later in this module

OS hardening can often be implemented through security baselines

Can be applied through group policies or management tools (like MDM)
Baselines can implement all the above
Hardening
ensures that systems are kept up-to-date
with current patches.
will evaluate, test, approve, and deploy
patches.
system audits verify the deployment of
approved patches to system
aka “update management” Patch both native OS and 3rd party apps
Apply out-of-band updates promptly.

Orgs without patch management will experience outages

from known issues that could have been prevented
Drive encryption
Full Disk Encryption is built into the Windows
operating system.
Full Disk Encryption Bitlocker is an implementation of FDE.
Keys are stored on the TPM

encryption on a SED that’s built into the

hardware of the drive itself.
Self-Encrypting anything that’s written to that drive is
Device automatically stored in encrypted form.

A good SED should follow the Opal Storage Specification

 HARDENING

When certificates are used in FDE, they use a

hardware root of trust for key storage.

It verifies that the keys match before the secure

boot process takes place

TPM is often used as the basis

for a hardware root of trust
 HARDENING

A chip that resides on the motherboard of the

device.

Multi-purpose, like storage and management of

keys used for full disk encryption (FDE) solutions.

Provides the operating system with access to keys,

but prevents drive removal and data access
 HARDENING

application is installed in a virtual machine

environment isolated from our network.
enables patch, test, and ensure that it is secure before
putting it into a production environment.
Also facilitates investigating dangerous malware.

In a Linux environment, this is known as “chroot Jail“.

3.0 implementation
Given a scenario, implement
3.3 secure network designs

• Load balancing • Virtual private network • Out-of-band

• Active/active (VPN) management
• Active/passive • Always-on • Port security
• Scheduling • Split tunnel vs. full tunnel • Broadcast storm prevention
• Virtual IP • Remote access vs. site-to-site • Bridge Protocol Data Unit
• Persistence • IPSec (BPDU) guard
• Network segmentation • SSL/TLS • Loop prevention
• Virtual local area network (VLAN) • HTML5 • Dynamic Host Configuration
• Screened subnet (previously • Layer 2 tunneling protocol Protocol (DHCP) snooping
known as demilitarized zone) (L2TP) • Media access control (MAC)
• East-west traffic • DNS filtering
• Extranet • Network access control (NAC)
• Intranet • Agent and agentless
• Zero Trust
 LOAD BALANCING

A network load balancer (NLB) is a device that is used to direct traffic to

an array of web servers, application servers, or other service endpoints

Configurations
There are several ways to set up a load balancer (LB).
Active/Active. the load balancers act like an array, dealing with the traffic
together as both are active. Single LB failure may degrade performance
Active/Passive. the active node is fulfilling load balancing duties and the
passive node is listening and monitoring the active node.
Should the active node fail, then the passive node will take over, providing
redundancy.

NLB = network load balancer = load balancer

 LOAD BALANCING

A network load balancer (NLB) is a device that is used to direct traffic to

an array of web servers, application servers, or other service endpoints

Virtual IP
A virtual IP address eliminates a host's dependency upon individual
network interfaces.
Web traffic comes into the NLB from the Virtual IP address (VIP) on the
frontend
Request is sent to one of the web servers in the server farm (on the
backend).

VIP NLB

FE BE
 LOAD BALANCING

A network load balancer (NLB) is a device that is used to direct traffic to

an array of web servers, application servers, or other service endpoints

Scheduling
Scheduling options, which determine how the load is distributed by the load
balancer, include:
Least Utilized Host: NLB knows the status of all servers in the server farms and
which web servers are the least utilized by using a scheduling algorithm.
DNS Round Robin. when the request comes in, the load balancer contacts the
DNS server and rotates the request based on the lowest IP address first.
Affinity. When the LB is set to Affinity, the request is sent to the same web
server based on the requester's IP address, IP+port, and/or session ID.
Affinity configuration may be referred to in tuples (2-tuple, 3-tuple)
This is also known as persistence or a sticky session, where the load
balancer uses the same server for the session.
network segmentation
a private network that is designed to host the
information internal to the organization.

a section of an organization’s network that has

been sectioned off to act as an intranet for the
a cross between private network but also serves information to
Internet & intranet external business partners or the public Internet.

an extranet for public consumption is typically

labeled a demilitarized zone (DMZ) or
perimeter network.

used to control traffic and isolate static/sensitive environments

addresses the limitations of the legacy
network perimeter-based security model.
treats user identity as the control plane
Assumes compromise / breach in verifying
every request. no entity is trusted by default

VERIFY MANAGE MANAGE PROTECT

IDENTITY DEVICES APPS DATA
network segmentation

Boosting Performance
can improve performance through an organizational scheme in which
systems that often communicate are located in the same segment, while
systems that rarely or never communicate are located in other segments.
Reducing Communication Problems
reduces congestion and contains communication problems, such as
broadcast storms, to individual subsections of the network.
Providing Security
can also improve security by isolating traffic and user access to those
segments where they are authorized.
Secure Network Design
where traffic moves laterally between servers within
a data center.
north-south traffic moves outside of the data center.

a collection of devices that communicate with one

Virtual Local Area another as if they made up a single physical LAN.
Network Creates a distinct broadcast domain

a subnet is placed between two routers or firewalls.

bastion host(s) are located within that subnet.

aka “DMZ”:
Virtual private network (vpn)
extends a private network across a public network, enabling users and
devices to send and receive data across shared or public networks as if
their computing devices were directly connected to the private network.

Always On mode. a low-latency point-to-point connection between two

sites. A tunnel between two gateways that is “always connected”
L2TP/IPSec: This is the most secure tunneling protocol that can use
certificates, Kerberos authentication, or a pre-shared key.
L2TP/IPSec provides both a secure tunnel and authentication.
Secure Socket Layer (SSL) VPN: works with legacy systems and uses SSL
certificates for authentication.
HTML 5 VPN: similar to the SSL VPN, as it uses certificates for authentication.
easy to set up and you just need an HTML5-compatible browser such as
Opera, Edge, Firefox, or Safari.
Virtual private network (vpn)
extends a private network across a public network, enabling users and
devices to send and receive data across shared or public networks as if
their computing devices were directly connected to the private network.

Split tunnel vs full tunnel

Full tunnel means using VPN for all traffic, both to the Internet and
corporate network.
Split tunnel uses VPN for traffic destined for the corporate network
only, and Internet traffic direct through its normal route.
Remote access vs site-to-site
In site-to-site, IPSec site-to-site VPN uses an always on mode where
both packet header and payload are encrypted. IPSec tunnel mode
In a remote access scenario, a connection is initiated from a users
PC or laptop for a connection of shorter duration. IPSec transport mode
 DOMAIN NAME SYSTEM (DNS)

a hierarchical naming system that resolves a hostname to an IP address.

Fully-Qualified Domain Name (FQDN)

A hostname + domain, for example server1.contoso.com
Record Types
A: IPv4 host
Used together to secure email
AAAA: IPv6 host
CNAME: Alias
SRV records: Finds services such as a domain controller
MX: Mail server
Sender Policy Framework (SPF) : This is a text (TXT) record used by DNS to prevent
spam and confirm the email has come from the domain it appears to come from.
Domain-based Message Authentication, Reporting and Conformance (DMARC):
This is another DNS text (TXT) that is used by Internet Service Providers (ISPs) to
prevent malicious email, such as phishing or spear phishing attacks.
 DOMAIN NAME SYSTEM (DNS)

a hierarchical naming system that resolves a hostname to an IP address.

DNS Cache: stores recently resolved DNS requests for later reuse,
reducing calls to the DNS server.
Hosts File: This is a flat-file where name and IP pairs are stored on a
client. Often checked before request is sent to DNS server
DNS Server: This normally maintains only the hostnames for domains it is
configured to serve. Server is said to be “authoritative” for those domains
Root Server: DNS nameservers that operate in the root zone. they can
also refer requests to the appropriate Top-Level Domain (TLD) server.

DNSSEC a digitally signed record

Prevents unauthorized access to DNS records on the server. Each DNS record
is digitally signed, creating an RRSIG record to protect against attacks
DNS attacks
DNS Poisoning
when an attacker alters the domain-name-to-IP-address mappings in a DNS
system to redirect traffic to a rogue system or perform DoS against a system.

DNS Spoofing
occurs when an attacker sends false replies to a requesting system, beating
the real reply from the valid DNS server.

DNS Hijacking aka “DNS Redirection” attack

many ways to perform DNS Hijacking, the most common way we see is used
by a captive portal such as a pay-for-use WiFi hotspot.

Homograph Attack
leverages similarities in character sets to register phony international domain
names (IDNs) that appear legitimate to the naked eye.
e.g. Latin character "a" is replaced with the Cyrillic character "а“ in example.com
DNS attacks

End goal of most DNS attacks

Network access control
A desktop or laptop off the network for an extended
period may need multiple updates upon return.
After a remote client has authenticated, Network Access
Control (NAC) checks that the device being used is patched
and compliant with corporate security policies.
A compliant device is allowed access to the LAN.
A non-compliant device may be redirected to a boundary
network where a remediation service address issues
Boundary network is sometimes called a “quarantine network”
Network access control These are “agentless”

Some operating systems include network access control as part of the

operating system itself. And no additional agent is required.
These generally perform checks when the system logs into the network
and logs out of the network, making them less configurable.
If you need additional functionality, you may require a persistent or
dissolvable agent.
Persistent: A permanent agent is installed on the host.
Dissolvable: A dissolvable agent is known as temporary
and is installed for a single use.
Out-of-band management These are “agentless”

Enable IT to work around problems that may be

occurring on the network.

Out-of-band management on devices may

Out-of-Band include cellular modems and serial interfaces
Management In larger environments, this out-of-band
management function may be centralized.
 PORT SECURITY

There are two types, 802.1x and switch port security

Port Security. When anyone, authorized or not, plugs their Ethernet cable into the wall
jack, the switch allows all traffic. With port security, the port is turned off.
Undesirable as it limits the functionality of the switch
802.1x. user or device is authenticated by a certificate before a connection is made.
prevents an unauthorized device from connecting and allows an authorized device to
connect. Preferred, as it does not require limiting switch functionality
and other protection that can be configured:
Loop Protection: When two or more switches are joined together, they can create loops
that create broadcast storms. Spanning Tree Protocol (STP) prevents this from
happening by forwarding, listening, or blocking on some ports.
Bridge Protocol Data Units (BPDU): These are frames that contain information about
the STP. A BPDU attack will try and spoof the root bridge so that the STP is recalculated.
A BPDU Guard enables the STP (Spanning Tree Protocol) to stop such attempts.
DHCP Snooping: layer 2 security that prevents a rogue DHCP server from allocating IP
addresses to a host on your network.
Port security

a list of authorized wireless client interface

MAC addresses

used by a wireless access point to block

access to all non-authorized devices.

also factors in some Ethernet (wired)

network scenarios.

“MAC spoofing” is a way some attackers get around this

3.0 implementation
Given a scenario, implement
3.3 secure network designs
• Network appliances • Aggregators • Access control list (ACL)
• Jump servers • Firewalls • Route security
• Proxy servers • Web application firewall (WAF)
• Quality of service (QoS)
• Forward • NGFW
• Stateful • Implications of IPv6
• Reverse
• Stateless • Port spanning/port
• Network-based intrusion
detection system (NIDS) • Unified threat management mirroring
/network-based intrusion (UTM) • Port taps
prevention system (NIPS) • Network address translation • Monitoring services
• Signature-based (NAT) gateway • File integrity monitors
• Heuristic/behavior • Content/URL filter
• Anomaly • Open-source vs. proprietary
• Inline vs. passive • Hardware vs. software
• HSM • Appliance vs. host-based vs.
• Sensors virtual
• Collectors
Network appliances
typically placed on a screened subnet, allows
admins to connect remotely to the network.

server that controls requests from clients

seeking resources on the internet or an
external network.

placed on a screened subnet, performs the

authentication and decryption of a secure
session to enable it to filter the incoming traffic.
flavors of intrusion detection systems

can monitor activity on a single system

only. A drawback is that attackers can
host-based IDS discover and disable them.

can monitor activity on a network,

and a NIDS isn’t as visible to
attackers.
network-based IDS
Network-based IDS and IPS
IDS/IPS at the network level, often in hardware form

analyzes whole packets, both header and

payload, looking for known events. When a
Network-based Intrusion known event is detected, a log message is
Detection System generated.

analyzes whole packets, both header and

payload, looking for known events. When a
Network-based Intrusion known event is detected, packet is rejected.
Prevention System
types of ids systems
creates a baseline of activity to identify
normal behavior and then measures system
performance against the baseline to detect
aka “anomaly-based”
abnormal behavior.
or “heuristic-based” can detect previously unknown attack methods

uses signatures similar to the signature

definitions used by anti-malware software.
only effective against known attack methods
aka “knowledge-based”

Both host-based and network-based systems can be

knowledge based, behavior based, or a combination of both.
Modes of Operation

NIDS/NIPS placed on or near the firewall

aka “in-band” as an additional layer of security.

traffic does not go through the

NIPS/NIDS.
aka “out-of-band” sensors and collectors forward
alerts to the NIDS.
Network appliances

can be placed on a network to alert NIDS of

any changes in traffic patterns on the network.
If you place a sensor on the Internet side of the
network, it can scan all of the traffic from the
Internet.
Hardware security module (hsm)

a physical computing device that safeguards and

manages digital keys, performs encryption and
decryption functions for digital signatures, strong
authentication and other cryptographic functions.
Like a TPM, but are often removable or external devices
Types of firewalls
protect web applications by filtering and
monitoring HTTP traffic between a web
application and the Internet.
Web Application
aka “WAF” typically protects web applications from common
attacks like XSS, CSRF, and SQL injection.
Some come pre-configured with OWASP rulesets

a “deep-packet inspection” firewall that

moves beyond port/protocol inspection and
Next Generation blocking.
aka “NGFW” adds application-level inspection, intrusion
prevention, and brings intelligence from
outside the firewall.
types of firewalls
packet inspection inspects and filters both
the header and payload of a packet that is
transmitted through an inspection point.

can detect protocol non-compliance, spam, viruses, intrusions

a multifunction device (MFD) composed of

several security features in addition to a firewall;
may include IDS, IPS, a TLS/SSL proxy, web
filtering, QoS management, bandwidth throttling,
aka “UTM” NAT, VPN anchoring, and antivirus.

More common in small and medium businesses (SMB)

Firewall and state
Watch network traffic and restrict or block packets based
on source and destination addresses or other static values.
Not 'aware' of traffic patterns or data flows.
Typically, faster and perform better under heavier traffic
loads.

Can watch traffic streams from end to end.

Are aware of communication paths and can implement
various IP security functions such as tunnels and encryption.
Better at identifying unauthorized and forged
communications.
Types of firewalls
allows private subnets to communicate with
other cloud services and the Internet but hides
the internal network from Internet users.
Network Address
The NAT gateway has the Network Access
Translation Gateway
Control List (NACL) for the private subnets. .

Looks at the content on the requested web

page and blocks request depending on filters.
Used to block inappropriate content in the
context of the situation.
Open-source vs proprietary firewalls

one in which the vendor makes the license freely available and allows
access to the source code, though it might ask for an optional donation.
There is no vendor support with open source, so you might pay a third
party to support in a production environment
One of the more popular open-source firewalls is pfsense, the
details for which can be found at https://www.pfsense.org/.

are more expensive but tend to provide more/better protection and

more functionality and support (at a cost).
many vendors in this space, including Cisco, Checkpoint, Pal Alto,
Barracuda. but “no source code access”
hardware vs software

A piece of purpose-built network hardware.

May offer more configurable support for LAN and WAN connections.
Often has superior throughput versus software because it is hardware
designed for the speeds and connections common to an enterprise network.

Software based firewalls that you might install on your own hardware.
Provide flexibility to place firewalls anywhere you’d like in your organization.
On servers and workstations, you can run a host-based firewall.

Host-based (software) are more vulnerable

in some respects as discussed earlier
application vs host-based vs virtual
typically catered specifically to application communications.
often that is HTTP or Web traffic.
an example is called a next generation firewall (NGFW)

An application installed on a host OS, such as Windows

or Linux, both client and server operating systems.

In the cloud, firewalls are implemented as virtual

network appliances (VNA).
Available from both the CSP directly and third-party
partners (commercial firewall vendors)
network device types
Firewalls Varies by type, but may filter at layers 3 through 7
Firewalls are essential tools in managing and controlling network traffic. A firewall is a
network device used to filter traffic.

Switch
repeats traffic only out of the port on which the destination is known to exist. Switches
offer greater efficiency for traffic delivery, create separate collision domains, and
improve the overall throughput of data. usually layer 2, sometimes layer 3

Routers
used to control traffic flow on networks and are often used to connect similar
networks and control traffic flow between the two. They can function using statically
defined routing tables, or they can employ a dynamic routing system. layer 3

Gateways
a gateway connects networks that are using different network protocols. Also known
as protocol translators, can be stand-alone hardware devices or a software service.
network gateways work at layer 3.
Route security
Routers are not designed to be security devices but include some
built-in capabilities that do provide some security functions.
One of these is an access control list (ACL), which is used to allow
or deny traffic. If no allow rules, last rule (deny) is applied (implicit deny)
Configure an access control list on the ingress (inbound traffic)
or egress (outbound traffic) of an interface
ACL evaluate traffic on multiple criteria similar to a firewall

Quality of Service (QOS)

Ensures that applications have the bandwidth they need to
operate by prioritizing traffic based on importance and function.
Traffic of real-time functions (like voice and video streaming)
might be given greater priority. Priorities are human-configurable
Implications of ipv6
Network security focus changes somewhat with IPv6
One change is that there are many more IPv6 addresses compared to IPv4.
This means it is more difficult to perform a complete port scan or interface scan when we’re
working with IPv6 addresses.
Many of the security tools like port scanners and vulnerability scanners have already been
updated to take advantage of IPv6.
Because there are so many IP addresses available with IPv6, there is less need to perform port
address translation (PAT) or outbound network address translation (NAT) on the network.
This can simplify the communications process, but…
Network address translation is itself a security feature, as it removes direct access to source
(user) in some use cases (like Internet browsing).
with IPv6 we removed the Address Resolution Protocol or ARP.
without ARP there cannot be any ARP spoofing!
Does not imply IPv6 is any more or less secure than IPv4 but changes the attack vectors!
For example, a Neighbor Cache Exhaustion attack can use IPv6 protocols to fill up the
neighbor cache, interrupting network communication.
 PORT SPANNING/PORT MIRRORING

Port mirroring (also known as port spanning) sends a

copy of all data that arrives at a port to another device
or sensor for investigation later or in near real-time

the switch, a reserved port will “mirror” all traffic that passes
through to that reserved port.
works across multiple switches, whereas a physical device like a
network (port) tap requires installation connected to every switch
May be leveraged inform the Network Intrusion Detection
System (NIDS) of changes in traffic patterns.

Increases load on the switch, so should be configured

with knowledge of traffic type and volume
monitoring

To help provide additional security on the network, some organizations

employ a monitoring service -a group that monitors network security/activity.
Common with SIEM and SOAR functions (covered in 1.7)
Often an outsourced security operations center (SOC) function to provide 24x7
monitoring and alert or remediate issues after business hours.
May also be helpful in maintaining compliance (HIPAA, GDPR, PCI DSS).

Monitors and detects changes to files that should not be modified,

automating notification (and potentially remediation).
Commonly monitors files that would never change: things like your operating
system files, where changes indicate some type of malicious activity.

Can also be used to detect unwanted changes to baseline configurations

3.0 implementation
Given a scenario, install and configure
3.4 wireless security settings

• Cryptographic protocols • IEEE 802.1X • Installation

• Wi-Fi Protected Access 2 (WPA2) • Remote Authentication considerations
• Wi-Fi Protected Access 3 (WPA3) Dial-in User Service • Site surveys
• Counter-mode/CBC-MAC (RADIUS) Federation
• Heat maps
• Protocol (CCMP) • Methods
• Wi-Fi analyzers
• Simultaneous Authentication of • Pre-shared key (PSK) vs.
Equals (SAE) Enterprise vs. Open • Channel overlaps
• Wireless access point
• Authentication protocols • Wi-Fi Protected Setup
(WPS) (WAP) placement
• Extensible Authentication
• Captive portals • Controller and access
Protocol (EAP)
point security
• Protected Extensible
Authentication Protocol (PEAP)
• EAP-FAST
• EAP-TLS
• EAP-TTLS
wireless technologies
Version Speed Frequency

* 802.11 2 Mbps 2.4 GHz

802.11a 54 Mbps 5 GHz
802.11b 11 Mbps 2.4 GHz
802.11g 54 Mbps 2.4 GHz
802.11n 200+ Mbps 2.4 GHz
802.11ac 1 Gbps 5 GHz

802.11 standard also defines WEP

TKIP

was designed as the replacement for WEP

without the need to replace legacy hardware
Temporal Key implemented into 802.11 wireless networking
Integrity Protocol under the name WPA (Wi-Fi Protected Access).
CCMP

Counter Mode with Cipher Block Chaining

Message Authentication Code Protocol

Counter-mode / created to replace WEP and TKIP/WPA

CBC-MAC Protocol
uses AES (Advanced Encryption Standard)
with a 128-bit key

used with WPA2, which replaced WEP and WPA

wpa2

an encryption scheme that implemented the

Counter Mode with Cipher Block Chaining
Message Authentication Code Protocol (CCMP),

CCMP is based on the AES encryption scheme

wpa3

released in 2018 to address the weaknesses

in WPA2.
uses a much stronger 256-bit Galois/Counter
Mode Protocol (GCMP-256) for encryption
There are two versions: WPA3-Personal for home
users, and WPA3-Enterprise for corporate users
SAE
SAE is a relatively new 802.11 authentication method.

used with WPA3-Personal and replaces the

WPA2-PSK Protects against brute-force attacks

uses a secure Diffie Hellman handshake,

Simultaneous
called dragonfly
Authentication of
Equals uses perfect forward secrecy, so immune to
offline attacks
Wpa3 personal Vs enterprise
uses Simultaneous Authentication of
Equals (SAE).
SAE means users can use passwords
PERSONAL that are easier to remember.
uses perfect forward secrecy (PFS)

supports 256-bit AES, whereas, WPA2 only

supported 128 bits 256-bit required by US gov’t
uses Elliptic-Curve Diffie Hellman Ephemeral
ENTERPRISE
(ECDHE) for the initial handshake.
Wireless authentication protocols
a Cisco proprietary alternative to TKIP for WPA. developed
to address deficiencies in TKIP before the 802.11i/WPA2
Lightweight… system was ratified as a standard.

encapsulates EAP methods within a TLS tunnel that

provides authentication and potentially encryption.
Protected…

an authentication framework. allows for new authentication

technologies to be compatible with existing wireless or
point-to-point connection technologies
extensible
authentication
protocol
 WIRELESS AUTHENTICATION PROTOCOLS

EAP-FAST
developed by Cisco, is used in wireless networks and point-to-point
connections to perform session authentication.
It replaced LEAP, which was insecure.

EAP-TLS
a secure version of wireless authentication that requires X509
certification.
involves 3 parties: the supplicant (user’s device), the authenticator
(switch or controller), and the authentication server (RADIUS server).

EAP-TTLS
uses two phases; the first is to set up a secure session with the server, by
creating a tunnel, utilizing certificates that are seamless to the client
Second phase use a protocol such as MS-CHAP to complete the session.
designed to connect older legacy systems.
 WIRELESS AUTHENTICATION PROTOCOLS

IEEE 802.1x
is transparent to users because it uses certificate authentication
can be used in conjunction with a RADIUS server for enterprise networks.

RADIUS Federation
enables members of one organization to authenticate to another with
their normal credentials.
trust is across multiple RADIUS servers across multiple organizations.
a federation service where network access is gained using wireless
access points (WAPs).
WAP forwards the wireless device's credentials to the RADIUS server for
authentication.
commonly uses 802.1X as the authentication method. which relies on EAP
 WIRELESS AUTHENTICATION METHODS

was introduced for the home user who does not have an
enterprise setup.
the home user enters the password of the wireless router to gain
access to the home network.
PSK in WPA2 Replaced by SAE in WPA3
Home use scenario
password is already stored and all you need to do is to press the
button to get connected to the wireless network.
Password is stored locally, so could be brute-forced

a corporate version of WPA2 or WPA3, used in a centralized

domain environment.
Often where a RADIUS server combines with 802.1x, using
certificates for authentication
CAPTIVE PORTALS

Common in airports and public spaces, wi-fi redirects

users to a webpage when they connect to SSID.
User provides additional validation of identity,
normally through an email address or social identity.
May include acceptable use policy and
premium upgrade offer
site survey

The process of investigating the presence,

strength, and reach of wireless access
points deployed in an environment.
site survey

usually involves walking around with a

portable wireless device, taking note of the
wireless signal strength, and mapping this on
a plot or schematic of the building.
 CONTROLLER AND ACCESS POINT SECURITY

If you’re installing a new access point, you want to make sure that
you place it in the right location.
You want minimal overlap with other access points and maximize
the coverage that’s being used in your environment.
This should minimize the number of physical access points,
optimizing costs
Avoid placement near electronic devices that could create
interference, and areas where signals can be absorbed.
Metal objects and bodies (like elevators) and concrete
walls absorb signal.

Ensure access point in a place doesn’t send signal outside of

your existing work areas, enabling unwanted access attempts.
 CONTROLLER AND ACCESS POINT SECURITY

In addition to minimizing coverage overlap, choose different channels

per device so there are no conflicts between access points.

In a large office, you will deploy a large number of access points, which
need to be managed. And each one has a separate configuration.
A wireless controller enables central management of configuration, as
well as security patches and firmware updates of the access points.
Use HTTPS to encrypt traffic to controller and WAP web interfaces.
On the access points themselves, use strong authentication methods.
3.0 implementation
Given a scenario, implement
3.5 secure mobile solutions

• Connection methods and • Mobile device • Mobile devices

receivers management (MDM) • MicroSD hardware security
• Cellular • Application management module (HSM)
• Wi-Fi • Content management • MDM/Unified Endpoint
• Bluetooth • Remote wipe Management (UEM)
• NFC • Geofencing • Mobile application
• Infrared • Geolocation management (MAM)
• USB • Screen locks • SEAndroid
• Point-to-point • Push notifications
• Point-to-multipoint • Passwords and PINs
• Global Positioning System (GPS)
• RFID
Communication considerations

Faster speeds and lower latency

Unlike 4G, 5G doesn’t identify each user through

their SIM card. Can assign identities to each device.

Some air interface threats, such as session

5th Generation
hijacking, are dealt with in 5G.
Cellular
Standalone (SA) version of 5G will be more secure
than the non-standalone (NSA) version

NSA anchors the control signaling of 5G networks to the 4G Core

Communication considerations

Diameter protocol, which provides authentication,

authorization, and accounting (AAA), will be a
target.

Because 5G has to work alongside older tech

5th Generation (3G/4G), old vulnerabilities may be targeted.
Cellular Because scale of IoT endpoint counts on 5G is
exponentially greater, DDoS is a concern.

Some carriers originally launched an NSA version of 5G,

which continues to rely on availability of the 4G core.
Communication considerations

small computer chips that contain the

information about mobile subscription
Subscriber allows user to connect to telecommunication
Identity provider to make calls, send text messages,
Module cards or use the Internet.

Used as a second factor in authentication

One of the auth factors most prone to attack

BLUETOOTH
Bluetooth, or IEEE 802.15, personal area
networks (PANs) are another area of
wireless security concern.

Connects headsets for cell phones, mice,

keyboards, GPS, and other devices
(IEEE 802.15)
Connections are set up using pairing, where
primary device scans the 2.4 GHz radio
frequencies for available devices

Pairing uses a 4-digit code (often 0000) to reduce

accidental pairings but is not actually secure.
Mobile connection methods & receivers
uses radio frequency to identify electromagnetic
fields in a tag to track assets.
RADIO FREQUENCY
commonly used in shops as the tags are attached
IDENTIFICATION
to high-value assets to prevent theft.
Common in access badge systems and retail anti-theft use cases

Built on RFID, often used with payment systems.

NEAR FIELD Subject to many of the same vulnerabilities as RFID
COMMUNICATION
The touch pay system at the grocery

uses satellites in the Earth's orbit to

measure the distance between two points.
Used in map and find-my-phone use cases
Mobile connection methods & receivers
Some mobile devices can be tethered to a USB
dongle to gain access to the internet.
UNIVERSAL
A flash USB device can be used to transfer data
SERIAL BUS
between devices
It is a data exfiltration concern, often blocked through policy

device is purely line-of-sight and has a maximum

range of about 1 meter. Can be used to print from
your laptop to an infrared printer.
Not encrypted, but attack requires close physical proximity
Mobile connection methods & receivers

one-to-one connection between the two devices

communicating on a network, typically wireless
A directional antenna connecting two wireless
networks or wireless repeater connecting WAPs

802.11 networks are more commonly

communicating from point-to-multipoint.

A WAP connecting to multiple wireless devices

Mobile device management (MDM)
Common features in secure mobile device management

Passwords and PINs: Some mobile devices, such as smartphones, are very
easy to steal and you can conceal them by putting them in a pocket.
Strong passwords and PINs with six or more characters must be used.
Also allows device to be disabled on X failed attempts
Geofencing: Geofencing uses the Global Positioning System (GPS) or RFID
to define geographical boundaries.
Once the device is taken past the defined boundaries, the security team
will be alerted.
For the exam: remember Geofencing prevents mobile devices from being
removed from the company's premises.
Mobile device management (MDM)
Application Management: Application management uses whitelists to control
which applications are allowed to be installed onto the mobile device.
Content Management: Content management stores business data in a
secure area of the device in an encrypted format to protect it against attacks.
Prevents confidential or business data from being shared with external users.
Remote Wipe: When a mobile device has been lost or stolen, it can be
remotely wiped.
Device will revert to its factory settings and the data will no longer be
available. wipe options allow removing business data only (BYOD)
Screen Locks: Screen locks are activated once the mobile device has not
been accessed for a period of time.
After it is locked, the user gets a fixed number of attempts to correctly enter
the PIN before the device is disabled.
Mobile device management (MDM)
Geolocation: Geolocation uses GPS to give the actual location of a
mobile device.
can be very useful if you lose or drop a device.
For the exam: remember that geo-tracking will tell you the location of
a stolen device.
Push Notification: messages that appear on your screen,
even when your system is locked.
this information is usually pushed your device without intervention
from the end user and may include sensitive information.
some MDM platforms provide policy-based control whether app
notifications can appear with the notifications on lock screen.
Mobile devices

a physical device that provides cryptographic features for your computer in

a smaller, mobile form factor.
enables associating a smaller piece of hardware with the cryptographic
functions for encryption, key generation, digital signatures or authentication.

provides management of the hardware, such as desktops, tablets,

smartphones, and IoT devices ensuring that they secure and compliant.
can manage the security and applications running on the devices
can identify and block devices have been jailbroken (iOS) or rooted
(Android).
Multi-platform support is a key characteristic

An example is Microsoft Intune, which manages Windows, iOS, Android, and MacOS
Mobile devices

allows a security team to manage application and data security, even on

unmanaged devices.
controls access to company applications and data and can restrict the
exfiltration of data from the company applications.
Useful in BYOD scenarios, enabling business data access on
personal mobile devices

includes SELinux functionality as part of the Android operating system.

provides additional access controls (MAC and DAC), security policies and
includes policies for configuring the security of these mobile devices.
prevents any direct access to the kernel of the Android operating system
provides centralized management for policy configuration and device
management.
3.0 implementation
Given a scenario, implement
3.5 secure mobile solutions

• Enforcement and monitoring of: • Recording microphone

• Third-party application stores • GPS tagging
• Rooting/jailbreaking • Wi-Fi direct/ad hoc
• Sideloading • Tethering
• Custom firmware • Hotspot
• Carrier unlocking • Payment methods
• Firmware over-the-air (OTA) updates • Deployment models
• Camera use • Bring your own device (BYOD)
• SMS/Multimedia Messaging Service • Corporate-owned personally
(MMS)/Rich Communication enabled (COPE)
• Services (RCS) • Choose your own device (CYOD)
• External media • Corporate-owned
• USB On-The-Go (USB OTG) • Virtual desktop infrastructure (VDI)
Enforcement and monitoring

There is a danger of downloading apps from third-party app stores

as there is no guarantee of the security of the app being installed.
This could pose a security risk, as vetting process for mobile apps in
third-party stores may be less rigorous than official app stores.

Enables installing an application package in .apk format on a

mobile device.
Useful for developers to run trial of third-party apps, but also
allows unauthorized software to be run on a mobile device.
Enforcement and monitoring

Custom firmware downloads are used to root an Android mobile

device.
Gives user a higher level of permissions on that device and
removes some elements of vendor security.
Jailbreaking is the Apple's iOS equivalent of rooting on Android:
it allows you to run unauthorized software and remove device
security restrictions.
You can still access the Apple App Store even though
jailbreaking has been carried out.

For the exam: Rooting and jailbreaking remove the vendor restrictions
on a mobile device to allow unsupported software to be installed.
Enforcement and monitoring

Custom firmware downloads are used so that you can root your mobile
device.
Gives the user a higher level of permissions on that device and removes
some elements of vendor security.

When a mobile device is no longer tied to the original carrier. This will allow
you to use your device with any provider, and also install third-party apps.

Firmware is software that is installed on a small, read-only memory chip on

a hardware device and is used to control the hardware running on device.
Firmware OTA updates are pushed out periodically by the vendor, ensuring
that the mobile device is secure.
One example is when the mobile device vendor sends a notification that
there is a software update.
Enforcement and monitoring

Text messaging and has become a common method of communication.

Can be sent between two people in a room without other people in the
room knowing about their communication.
Text messages can be used to launch an attack.

A way to send pictures as attachments, similar to sending SMS messages.

An enhancement to SMS and is used in Facebook and WhatsApp to send

messages so that you can see the read receipts.
You can also send pictures and videos.
Image capability makes MMS and RCS paths for data theft.
Enforcement and monitoring
External media. SD card or other external storage media may enable
unauthorized transfer of corporate data
USB On-The-Go (USB OTG). allows USB devices plugged into smartphones
and tablets to act as a host for other USB devices.
Attaching USB devices can pose security problems as it makes it easy to
steal information.
Apple does not allow USB OTG.
Recording microphone. smartphones and tablets can record
conversations with their built-in microphones.
They could be used to take notes, but they could also be used to tape
conversations or record the proceedings of a confidential meeting.
GPS tagging. When you take a photograph, GPS tagging adds the location
where the photograph was taken.
Most modern smartphones do this by default.
Enforcement and monitoring

Wi-Fi direct wireless network allows two Wi-Fi devices to connect to each other
without requiring a WAP.
It is single-path and therefore cannot be used for internet sharing.
Ad-hoc wireless network is where two wireless devices can connect without a WAP,
but it is multipath and can share an internet connection with someone else.

When a GPS-enabled smartphone can be attached to a laptop or mobile device

device to provide internet access.
If a user uses a laptop to connect to the company's network and then tethers to
the internet, it may result in split tunneling. This presents a security risk if device is
compromised.
Mobile devices can often function as a wifi hotspot
over USB or Bluetooth.
Enforcement and monitoring

Smartphones allow credit card details to be stored locally so that the

phone can be used to make contactless payments using Near-Field
Communications (NFC).
For BYOD, it needs to be carefully monitored as someone could leave the
company with a company credit card and continue to use it.
MDM may prevent the payment function by disabling this tool in the mobile
device management policies.

MDM can also disable screen captures

Smartphone cameras pose a security risk to companies, as trade secrets
could be stolen very easily.
Research and development departments ban the use of personal
smartphones in the workplace. Prevents theft of intellectual property
MDM policies can disable cameras on company-owned smartphones.
Deployment models

is where an employee is encouraged to bring in their own device so that they can
use it for work.
cost effective for the company and more convenient for the user.
needs two policies to be effective, Acceptable Use Policy and On/Offboarding
Acceptable Use Policy (AUP): An AUP outlines what the employee can do with the
device during the working day.
Onboarding Policy: Device configuration requirements to access corporate data
(min OS system, not rooted/jailbroken, etc.)
Offboarding Policy: How corporate data will be wiped from the device (most MDM
platforms support a selective wipe, removing only company data).

MDM solutions with MAM (mobile app management) functionality

can manage corporate data on BYOD devices
Deployment models

fully owned and managed by the company, enabling full IT control over MAM and
MDM options.

new employee chooses from a list of approved devices.

avoids problems of ownership because the company has a limited number of
tablets, phones, and laptops, simplifying management compared to BYOD.
when they leave the company and offboard, the devices are taken from them as
they belong to the company (corporate-owned).

when the company purchases the device, such as a tablet, phone, or laptop, and
allows the employee to use it for personal use.
often better solution for the company than BYOD from a management perspective,
as IT can limit what applications run on the devices.
also frees the company to perform full device wipe if lost or stolen.
Deployment models

Hosted desktop environments on a central server / cloud

environment.
Provides a high degree of control and management automation.
In the event of security issues, the endpoint can easily be isolated
for forensic investigation if desired.
Provisioning a new desktop is also generally a push-button
operation.
VDI is a common deployment solution for
contractors and offshore teams.
3.0 implementation
Given a scenario, apply cybersecurity
3.6 solutions to the cloud
• Cloud security controls
• High availability across zones
• Resource policies
• Secrets management
• Integration and auditing
• Storage
• Permissions
• Encryption
• Replication
• High availability
• Network
• Virtual networks
• Public and private subnets
• Segmentation
• API inspection and
integration
• Compute • Solutions
• Security groups • CASB
• Dynamic resource • Application security
allocation • Next-generation secure
• Instance awareness web gateway (SWG)
• Virtual private cloud • Firewall considerations in
(VPC) endpoint a cloud environment
• Container security • Cost
• Need for segmentation
• Open Systems
Interconnection (OSI)
layers
• Cloud native controls vs.
third-party solutions
High availability across zones
GEOGRAPHIES
High availability across zones
REGIONS
High availability across zones
REGION PAIRS
chosen by the CSP

300+ miles
High availability across zones
Zone redundant

Availability Zones
Unique physical locations within
a region with independent
power, network, and cooling

Comprised of two or more

datacenters

Tolerant to datacenter failures

via redundancy and isolation
Cloud Security Controls

policies that state what access level a

user has to a particular resource.
ensuring the principle of least privilege
is followed is crucial for resource
security and audit compliance.

CSP will provide details on how their cloud platform can

help organizations meet a variety of compliance standards
Cloud security controls

CSPs offer a cloud service for centralized secure storage and

access for application secrets
A secret is anything that you want to control access to, such as API
keys, passwords, certificates, tokens, or cryptographic keys.
Service will typically offer programmatic access via API to support
DevOps and continuous integration/continuous deployment (CI/CD)
Access control at vault instance-level and to secrets stored within.
Cloud Security Controls
Integration and Auditing
Integration is the process of how data is being handled from input to
output.
A cloud auditor is responsible for ensuring that the policies, process, and
security controls defined have been implemented.
Auditor will be a third party from outside the company
They test to verify that process and security controls and the system
integration are working as expected.
Some of these controls may include the following:
- Encryption Levels Process will be repeated
- Access Control Lists periodically (annually)
- Privilege Account Use
- Password Policies Self-audits ahead of
- Anti-Phishing Protection external audits are common
- Data Loss Prevention Controls
Cloud Security Controls - storage
permissions, encryption, replication, and high availability for cloud storage.
Permissions: Customers have a storage identity and are put into different storage
groups that have appropriate rights to restrict access at a tenant/subscription level.
Encryption: With cloud storage, encryption at the service level is generally in place
by default, with configurable encryption within the storage service
For relational databases (SQL), Transparent Data Encryption (TDE) is common.
Encryption for data in transit, such as TLS/SSL.
Replication: a method wherein data is copied from one location to another
immediately to ensure recovery in case of an outage.
In the cloud, multiple copies of your data are always held for redundancy.
There are locally redundant, zone redundant, and geo-redundant options.
High Availability:
High availability ensures that copies of your data are held in different locations.
Automatic failover between region pair in event of an outage is common
Cloud Security Controls - network
virtual networks, public and private subnets, segmentation, and API
inspection and integration are important elements of cloud network security.

A virtual network that consists of cloud resources, where the VMs for one
company are isolated from the resources of another company.
Separate VPCs can be isolated using public and private networks.

The environment needs to be segmented public subnets that can access

the Internet directly (through a firewall) and protected private networks.
Virtual networks can be connected to other networks with a VPN gateway
or network peering.
For VDI/client scenarios, a NAT gateway for Internet access makes sense.
Cloud Security Controls - network
Not for public services (like websites)
Our VPC contains private subnets. Each of these subnets has its own CIDR IP
address range and cannot connect directly to the internet.
They could be configured go through the NAT gateway if outbound internet
connectivity is desired.
Client VMs and database servers will often be hosted in a private subnet.

The private subnet will use one of the

following IP address ranges:
10.0.0.0 Private IP ranges are
172.16.x.x – 172.31.x.x defined in RFC 1918
192.168.0.0

All other IP address ranges, except the APIPA 169.254.x.x, are public addresses.
Cloud Security Controls - network

Resources on the public subnet can connect directly to the internet. Therefore,
public-facing web servers will be placed within this subnet.
Public subnet will have a NAT gateway or firewall for communicating with the
private subnets, and an internet gateway.
Public services, like websites, will be published through a firewall

To create a secure connection to your VPC, you can connect a VPN using
L2TP/IPsec using a VPN gateway (aka transit gateway).
Network peering is another method is another method for connecting virtual
networks in the cloud.
Peering is the more common option between cloud networks
Site-to-site VPN common for on-premises to cloud connectivity
Cloud Security Controls - network

Security of services that are permitted to access or be accessible

from other zones involves a strict set of rules controlling this traffic.
Rules are enforced by the IP address ranges of each subnet.
Within a private subnet, segmentation can be used to achieve
departmental isolation.

Representational State Transfer (REST) is the modern approach to

writing web service APIs.
Enables multi-language support, can handle multiple types of
calls, return different data formats.
APIs published by an organizations should include encryption,
authentication, rate limiting, throttling, and quotas. Covered in Domain 2
Cloud Security Controls - compute
Security controls and concerns for compute in the public cloud platforms

Security Groups
Cloud provider has to secure multiple customers. They do use firewalls but cannot
grant individual customers direct firewall access.
Instead, they use security groups to define permissible network traffic, consisting of
rules similar to a firewall ruleset.
Dynamic Resource Allocation Varies by service and configuration
This uses virtualization technology to scale the cloud resources up and down as the
demand grows or falls.
Instance Awareness
VM instances need to be monitored to prevent VM sprawl and unmanaged VMs,
which would have security consequences, but also add costs in the cloud.
Tools like NIDS/NIPS can help to detect new instances, and process controls like
privileged identity management, change and configuration management help.
CSPs offer policy tooling to help tenants enforce governance policies
Cloud Security Controls - compute
Virtual Private Cloud (VPC) Endpoint
This allows you to create a private connection between your VPC
and another cloud service without crossing over the internet.
CSPs offer site-to-site connectivity options for hybrid cloud.
Most will offer a premium option to connect on-premises data
centers to cloud without the need to traverse the Internet.

Most enterprise (large) organizations today

have Implemented a hybrid cloud model
Container security
Containers offer a more granular option for application
and process isolation. Containers run in a VM
Most CSPs offer hosted Kubernetes service,
handles critical tasks like health monitoring and
maintenance for you. Platform-as-a-Service
Managed
Kubernetes You pay only for the agent nodes within your clusters,
not for the management cluster.

Kubernetes has become the de facto standard

Containers enable more efficient utilization of hardware resources

Containers offer a more granular level of isolation for resources

(CPU, memory), process isolation, and restricted system access.
Cloud Security Controls - solutions

Enforces the company's policies between on-premises and the cloud.

Can detect (and optionally, prevent) data access with unauthorized apps and
data storage in unauthorized locations. Help stop “Shadow IT”

Using solutions such as Web App Firewalls (WAF), Next Gen Firewalls (NGFW),
IDP/IPS.

Firewalls function at the packet level, using rules to allow or deny each packet
inbound or outbound.
Secure web gateways work at the application level (layer 7), looking at the actual
traffic over the protocol to detect malicious intent.
Functions include web proxy, policy enforcement, malware detection, traffic
inspection, data loss protection, and URL filtering.
Cloud Security Controls - solutions

One reason that we need a good firewall is to filter incoming traffic to protect our cloud-
hosted infrastructure and applications from hackers or malware.
For example, the most common cloud firewall is
the Web Application Firewall (WAF)
Cost
Cost is one of the reasons for WAF popularity. It meets a common need, is easy to
configure, and is less expensive than more function-rich NGFW and SWG options.
Need for Segmentation:
Network segmentation should be supported with appropriate traffic filtering/restriction
with the firewall type that is most appropriate for the use case.
The firewall can filter traffic between virtual networks and the Internet.
Open Systems Interconnection (OSI) Layers
A network firewall works on Layer 3, stateful packet inspection at layers 3/4.
Many cloud firewalls, like Web Application Firewalls work at Layer 7 of the OSI.
THE OSI MODEL Where protocols live in the model

7 Application SSH, HTTP, FTP, LPD, SMTP, Telnet, TFTP, EDI,

POP3, IMAP, SNMP, NNTP, S-RPC, and SET

6 Presentation Encryption protocols and format types, such

as ASCII, EBCDICM, TIFF, JPEG, MPEG, MIDI

5 Session SMB, RPC, NFS, and SQL

4 Transport SPX, SSL, TLS, TCP, and UDP

| ICMP,
3 Network RIP, OSPF, BGP, IGMP, IP, IPSec,
IPX, NAT, and SKIP

2 Data Link ARP, SLIP, PPP, L2F, L2TP, PPTP, FDDI, ISDN

1 Physical EIA/TIA-232, EIA/TIA-449, X.21, HSSI, SONET,

V.24, V.35, Bluetooth, 802.11 – Wifi, and Ethernet
THE OSI MODEL Quick functionality overview

7 Application
interfacing user applications, network services, or the
operating system with the protocol stack.

6 Presentation transforming data received from the Application layer into a

format that any system following the model can understand.

5 Session establishing, maintaining, and terminating communication

sessions between two computers.

4 Transport managing the integrity of a connection and controlling the

session. [segment or datagram]

3 Network adding routing and addressing information (source

and destination) to the data. [packet]

2 Data Link formatting the packet from the Network

layer into the proper format for transmission. [frame]

1 Physical contains the device drivers that tell the protocol how to use
the hardware for the transmission and reception of bits.
Cloud native vs third-party solutions

Platforms like Microsoft Azure and Amazon Web Services (AWS) have their own
tools, such as Azure Resource Manager (ARM) and AWS Cloud Formation.
These tools make managing Microsoft and AWS cloud resources easier,
supporting Infrastructure-as-Code.

Separate tools, for separate platforms, separate skillsets

Third-party tools adds more flexibility, functionality, and multi-platform support.

Organizations will typically move to third-party solutions when the native cloud
solutions do not meet their functionality needs.
For example, some organizations move to Terraform for infrastructure-as-Code
because it supports the major CSPs using a single language .

CSPs offer a marketplace where third-parties can publish offers

3.0 implementation
Given a scenario, implement identity and
3.7 account management controls

• Identity • Guest accounts • Access policies

• Identity provider (IdP) • Service accounts • Account permissions
• Attributes • Account policies • Account audits
• Certificates • Password complexity • Impossible travel
• Tokens • Password history time/risky login
• SSH keys • Password reuse • Lockout
• Smart cards • Network location • Disablement
• Account types • Geofencing
• User account • Geotagging
• Shared and generic • Geolocation
accounts/credentials • Time-based logins
identity providers

Creates, maintains, and manages

identity information while providing
authentication services to applications.
Identity For example, Azure Active Directory is the
Providers identity provider for Office 365
Other examples include Active Directory,
OKTA, and DUO
identity
Attribute: a unique property in a user’s account details, such as
employee ID.
Smart Card: a credit card-like token with a certificate embedded on a
chip; it is used in conjunction with a pin. physical card
Certificates. a digital certificate where two keys are generated, a public
key and a private key. The private key is used for identity.
Token. a digital token, such as a SAML token used for federation
services, or a token used by Open Authentication (OAuth2).
SSH Keys. typically used by an administrator for secure authentication
to a remote Linux server, instead of using username and password.
The public key is stored on the server, with the private key remaining on
the administrator's desktop.
Account types
Types of accounts you may be tested on in Security+

a standard user account with limited privileges.

cannot install software, limited access to the computer systems.
two types of user accounts: those that are local to the machine, and
those that access a domain.

a legacy account that was designed to give limited access to a

single computer without the need to create a user account.
normally disabled as it is no longer used, and some administrators
see it as a security risk.
Account types

privileged accounts have greater access to the system and tend to

be used by members of the IT team.
Administrators are an example of privileged accounts.

can install software and manage the configuration of a server or

client computer computer.
also have privileges to create, delete, and manage user accounts.

administrators have been told they should have two accounts:

one for routine tasks, and another for administrative duties.
Account types

privileged accounts have greater access to the system and tend to

be used by members of the IT team.
Administrators are an example of privileged accounts.

can install software and manage the configuration of a server or

client computer computer.
also have privileges to create, delete, and manage user accounts.

administrators have been told they should have two accounts:

one for routine tasks, and another for administrative duties.
some cloud providers now eliminate this need, and instead enable
an admins to activate privilege just-in-time for a single account.
Account types
aka “Service Principal”
when software is installed on a computer or server, it may require
privileged access to run.
a lower-level administrative account, and the service account fits
the bill.
a service account is a type of administrator account used to run an
application. example: account to run an anti-virus application.

When a group of people performs the same duties, such as

members of customer services, they can use a shared account.
when user-level monitoring, auditing, or non-repudiation are
required, you must eliminate the use of shared accounts.
Most cloud IDPs have options to eliminate the need for shared accounts
Account types

default administrative accounts created by manufacturers of a wide

range smart and Internet-connected devices.
most have a default username and password.
default passwords should always be changed
identifying presence of these accounts should be part of the
onboarding process. address through configuration management

This is a common attack vector (covered in Domain 1)

Account policies

Complex passwords (sometimes known as strong passwords) are formatted by

choosing at least three of the following four groups:
lowercase (a, b, and c), uppercase (A, B, and C), numbers (1, 2, and 3), special
characters ($, @)

prevents someone from reusing the same password. For example, if number
remembered is 12 passwords, only on 13th change could it be reused.

is a term used in the exam that means the same as password history.
both prevent someone from reusing the same password.

For the Security+ exam, password reuse

and history are the same thing.
Account policies

an auditor will review accounts periodically to ensure that old accounts are not
being used after an employee changes departments or leaves the company.
auditor will also ensure that all employees have the only necessary permissions
and privileges to carry out their jobs. principle of least privilege

can be added as an additional factor in authentication.

Geofencing can be used to establish a region and can pinpoint whether you
are in that region. If you are not, you will not be able to log in.
Context-Aware Location: can be used to block any attempt to log in outside of
the locations that have been determined as allowed regions.
Geolocation can track your location by your IP address and the ISP.
Smart Phone Location Services: This can be used to identify where your phone
is located by using Global Positioning System (GPS).
Many identity providers enable admins to pre-define “trusted locations”
Account policies

This is a security feature used by cloud providers such as Microsoft with their
Office 365 package to prevent fraud.
If a person is in Houston and then 15 minutes later is determined to be New
York, their attempt to log in will be blocked.

A security feature used by cloud providers, leveraging a record of devices

used by each user.
Response will vary by provider but may include confirmation email to
validate identity or responding to a prompt in an authenticator app.
How user and sign-in risk are used varies by provider.

Account management (the identity lifecycle) ranges from account creation

at onboarding to its disablement when a user leaves the company.
Account policies

May be established for users based on role as a company may

have many different shift patterns
Employers may not wish their employees to access their
network outside of their working hours.
For example, employees may be restricted to accessing the
network between 7 am and 6 pm.
This prevents data theft by preventing users from coming in at
3 a.m. when nobody is watching and stealing corporate data.
Can be effective in preventing individual fraud, as well as
collusion, by enforcing restrictions of schedule rotations.
Common in some industries, such as financial services
3.0 implementation
Given a scenario, implement authentication
3.8 and authorization solutions

• Authentication management • 802.1X • Role-based access control

• Password keys • RADIUS • Rule-based access control
• Password vaults • Single sign-on (SSO) • MAC
• TPM • Security Assertion • Discretionary access
• HSM • Markup Language (SAML) control (DAC)
• Knowledge-based • Terminal Access Controller • Conditional access
authentication Access Control System • Privileged access
• Authentication/authorization Plus (TACACS+) management
• EAP • OAuth • File system permissions
• Challenge-Handshake • OpenID
Authentication Protocol • Kerberos
(CHAP) • Access control schemes
• Password Authentication • Attribute-based access
Protocol (PAP) control (ABAC)
Authentication management

looks like a USB device and works in

conjunction with your password to
provide multi-factor authentication

One example is YubiKey is a FIPS 140-2 validation that

provides code storage within a tamper-proof container
Authentication management

stored locally on the device and store

passwords so user does not need to
remember them.
Uses strong encryption (e.g. AES-256) for
secure storage.
only as secure as the owner password
that is used to protect the vault itself

Typically uses multi-factor authentication

A type of password vault exists in the cloud for DevOps

scenarios, which will be discussed later in this module.
Authentication management

are normally built into the motherboard of a

computer, and they are used when you are
using Full Disk Encryption (FDE)

used to store encryption keys, a key escrow

that holds the private keys for third parties
Authentication management

This is normally used by banks, financial institutions, or email

providers to identify someone when they want a password reset.
There are two different types of KBA, dynamic and static, and they
have their strengths and weaknesses:
Static KBA: These are questions that are common to the user.
For example, "What is the name of your first school?"
Dynamic KBA: These are deemed to be more secure because they
do not consist of questions provided beforehand.
For example, confirm identity, a bank may ask the customer to
name three direct debit mandates, the date, and the amount paid.
 AUTHENTICATION PROTOCOLS

password-based authentication protocol used by Point-

to-Point Protocol to validate users.
PASSWORD supported by almost all network OS remote access
AUTH PROTOCOL servers but is considered weak.

a user or network host to an authenticating entity. That

entity may be, for example, an Internet service provider.
CHALLENGE HANDSHAKE
requires that both the client and server know the plaintext
AUTH PROTOCOL
of the secret, although it is never sent over the network.

an authentication framework. allows for new authentication

technologies to be compatible with existing wireless or
EXTENSIBLE AUTH
PROTOCOL
point-to-point connection technologies
Authentication/Authorization

an authentication mechanism to devices

wishing to attach to a LAN or WLAN.
defines the encapsulation of EAP protocol.
involves three parties: a supplicant, an
authenticator, and an authentication server

supplicant = client

defines the encapsulation of EAP over IEEE 802.11,

which is also known as "EAP over LAN"
AAA protocols
Several protocols provide centralized authentication,
authorization, and accounting services.
Network Access Server
is a client to a RADIUS server, and the RADIUS server provides AAA services.

RADIUS (remote access)

uses UDP and encrypts the password only.
TACACS+ (admin access to network devices)
uses TCP and encrypts the entire session.
Diameter (4G)
is based on RADIUS and improves many of the weaknesses of
RADIUS, but Diameter is not compatible with RADIUS.

Network access (or remote access) systems use AAA protocols.

Authentication/Authorization

Single sign-on means a user doesn't have

to sign into every application they use.
Single Sign-
on (SSO)
Authentication/Authorization

Single sign-on means a user doesn't have

to sign into every application they use.

Single Sign- The user logs in once and that credential is

used for multiple apps.
on (SSO)
Authentication/Authorization

Single sign-on means a user doesn't have

to sign into every application they use.
The user logs in once and that credential is
used for multiple apps.
Single Sign-
on (SSO) Single sign-on based authentication systems
are often called "modern authentication".
Authentication/Authorization
is a mechanism that allows subjects to authenticate once and access
multiple objects without authenticating again.
Common SSO methods/standards include:
— SAML
— SESAME
Know enough to differentiate
— KryptoKnight these three on the exam
— OAuth
— OpenID

The three to know for the exam are SAML, Oauth 2.0, and OpenID.
Authentication / authorization
Security Assertion Markup Language (SAML)
is an XML-based, open-standard data format for exchanging authentication
and authorization data between parties, in particular, between an identity
provider and a service provider. common in on-prem federation scenarios

OAuth 2.0 Azure AD (the identity provider for Office 365)

is an open standard for authorization, commonly used as a way for
Internet users to log into third party websites using their Microsoft,
Google, Facebook, Twitter, One Network etc. accounts without exposing
their password.

OpenID Example – logging into Spotify with your FB account

is an open standard, It provides decentralized authentication, allowing
users to log into multiple unrelated websites with one set of credentials
maintained by a third-party service referred to as an OpenID provider.
Authentication / authorization

authorization protocol in Microsoft’s Azure Directory

(and is preferred is to NTLM).
stronger encryption, interoperability, and mutual
authentication. client and server verified
runs as a third-party trusted server known as the
Key Distribution Center (KDC)

Includes an authentication server, a ticket granting service,

and database of secret keys for users and services.

Helps prevent replay attacks through timestamps

 ACCESS CONTROL SCHEMES
Object = resource
Non-discretionary Access Control Subject = user
Enables the enforcement of system-wide restrictions that override
object-specific access control. RBAC is considered non-discretionary
Discretionary Access Control (DAC) Use-based, user-centric
A key characteristic of the Discretionary Access Control (DAC) model is that every
object has an owner, and the owner can grant or deny access to any other subject.
Example: New Technology File System (NTFS),

Role Based Access Control (RBAC)

A key characteristic is the use of roles or groups. Instead of assigning permissions
directly to users, user accounts are placed in roles and administrators assign
privileges to the roles. Typically mapped to job roles.

Rule-based access control

A key characteristic is that it applies global rules that apply to all subjects. Rules
within this model are sometimes referred to as restrictions or filters.
example: a firewall uses rules that allow or block traffic to all users equally.
 MADATORY ACCESS CONTROL

“
A key point about the MAC model is that every
object and every subject has one or more labels.
These labels are predefined, and the system
determines access based on assigned labels.
 D O M A I N 3 : ACCESS CONTROL SCHEMES

access is restricted based on an attribute

on the account, such as department,
location, or functional designation.
For example, admin my require user accounts have
the ‘Legal’ department attribute to view contracts
D O M A I N 3 : PRIVILEGED ACCESS MANAGEMENT

a solution that helps protect the privileged

accounts within a domain, preventing attacks
such as pass the hash and privilege escalation.
also provides visibility into who is using privileged
accounts and what tasks they are being used for
D O M A I N 3 : PRIVILEGED ACCESS MANAGEMENT

a solution that helps protect the privileged

accounts within a domain, preventing attacks
such as pass the hash and privilege escalation.
Native to some cloud identity providers today,
and may include a just-in-time elevation feature
 FILE SYSTEM PERMISSIONS

NTFS (Windows) SUID and SGID (Linux)

Are applied to every file and folder stored The Linux permissions model has two special access
on a volume with NTFS file system modes called suid (set user id) and sgid (set group id).
Recognizes three types of permissions at three levels:
read(r), write(w), and execute(x)

Read = 4 7 = read, write, and execute

Write = 2 6 = read and write
Execute = 1 5 = read and execute
3.0 implementation
Given a scenario, implement
3.9 public key infrastructure certificate services

• Public key infrastructure (PKI) • Types of certificates • Privacy enhanced mail

• Key management • Wildcard (PEM)
• Certificate authority (CA) • Subject alternative name • Personal information
• Intermediate CA • Code signing exchange (PFX)
• Registration authority (RA) • Self-signed • .cer
• Certificate revocation list (CRL) • Machine/computer • P12
• Certificate attributes • Email • P7B
• Online Certificate Status Protocol • User • Concepts
(OCSP) • Root • Online vs. offline CA
• Certificate signing request (CSR) • Domain validation • Stapling
• CN • Extended validation • Pinning
• Subject alternative name • Certificate formats • Trust model
• Expiration • Distinguished encoding • Key escrow
rules (DER) • Certificate chaining
Public key infrastructure (pki) CONCEPTS

Key management
management of cryptographic keys in a cryptosystem.
Operational considerations include dealing with the generation, exchange,
storage, use, crypto-shredding (destruction) and replacement of keys.
Design considerations include cryptographic protocol design, key servers,
user procedures, and other relevant protocols.
Certificate authority (CA)
Certification Authorities create digital certificates and own the policies.
PKI hierarchy can include a single CA that serves as root and issuing, but
this is not recommended.
Public key infrastructure (pki) CONCEPTS

Subordinate CA aka “Intermediate CA” or “Policy CA”

Also known as a Registration Authority (RA) sits below root CAs in the CA
hierarchy.
Regularly issue certificates, making it difficult for them to stay offline as
often as root CAs.
Do have the ability to revoke certificates, making it easier to recover from
any security breach that does happen
Certificate revocation list (CRL)
Contains information about any certificates that have been revoked by a
subordinate CA due to compromises to the certificate or PKI hierarchy.
CAs are required to publish CRLs, but it’s up to certificate consumers if they
check these lists and how they respond if a certificate has been revoked.
Public key infrastructure (pki) CONCEPTS

Online Certificate Status Protocol (OCSP)

Offers a faster way to check a certificate’s status compared to
downloading a CRL.
With OCSP, the consumer of a certificate can submit a request to the
issuing CA to obtain the status of a specific certificate.

Certificate signing request (CSR)

Records identifying information for a person or device that owns a
private key as well as information on the corresponding public key.
It is the message that's sent to the CA in order to
get a digital certificate created.
CN (common name)
the Fully Qualified Domain Name (FQDN) of the entity (e.g. web server)
Public key infrastructure (pki) CONCEPTS

Subject alternative name SAN

an extension to the X. 509 specification that allows users to specify additional
host names for a single SSL certificate.
Is standard practice for SSL certificates, and it's on its way to replacing the use
of the common name.
Enables support for FQDNs from multiple domains in a single certificate.

Expiration
certificates are valid for a limited period from the date of issuance, as
specified on the certificate.
Current industry guidance on maximum certificate lifetime from widely
trusted issuing authorities (like Digicert) is currently 1 year (398 days).
Types of certificates
Wildcard Supports multiple FQDNs in the same domain
Can be used for a domain and a subdomain. For example:
In the contoso.com domain, there are two servers called web and mail.
The wildcard certificate is *.contoso.com and, when installed, it would work for the
Fully Qualified Domain Names (FQDNs) for both of these.
A wildcard can be used for multiple servers in the same domain, saving costs.
Subject alternative name (SAN) multiple domains in a single cert
Can be used on multiple domain names, such as abc.com or xyz.com.
You can also insert other information into a SAN certificate, such as an IP address.
Code signing Provides proof of content integrity
When code is distributed over the Internet, it is essential that users can trust that it
was actually produced by the claimed sender.
An attacker would like to produce a fake device driver or web component (actually
malware) that purported to be from a software vendor.
Using a code signing certificate to digitally sign the code mitigates this danger.
Types of certificates
Self-signed
A self-signed certificate is issued by the same entity that is using it. However, it does
not have a CRL and cannot be validated or trusted.
It is the cheapest form of internal certificates and can be placed on multiple servers.

Machine/computer
A computer or machine certificate is used to identify a computer within a domain.

Email
Allow users to digitally sign their emails to verify their identity through the attestation
of a trusted third party known as a certificate authority (CA).
Allow users to encrypt the entire contents (messages, attachments, etc.)
Types of certificates
User Root
Used to represent a user's digital identity.
CA
In most cases, a user certificate is mapped back to a user account.
Root
A trust anchor in a PKI environment is the root certificate from which the
whole chain of trust is derived; this is the root CA.
Subordinate
Domain validation CA
A Domain-Validated (DV) certificate is an X.509 certificate that
proves the ownership of a domain name.
Extended validation
Extended validation certificates provide a higher level of trust in
identifying the entity that is using the certificate. Issuing
Commonly used in the financial services sector. CA
 CERTIFICATE FORMATS

X.509 certificate formats and descriptions

FORMAT EXT PRI KEY DESCRIPTION

Distinguished encoding rules DER NO Secure remote access (Linux and network)
Privacy enhanced mail PEM YES Secure copy to Linux/Unix
Personal information
PFX YES Supports storage of all certificates in path
exchange
Base64-encoded CER NO Storage of a single certificate.
PKCS#12 standard P12 YES Supports storage of all certificates in path
Cryptographic Message Supports storage of all certificates in path.
P7B NO
Syntax Standard KCS #12 is the successor to Microsoft's "PFX“.

EXT = File extension PRI KEY = File includes private key?

Certificates are not whole without the private key!

example: asymmetric cryptography
Franco sends a message to Maria,
requesting her public key

Maria sends her public key to Franco

Franco uses Maria’s public key to encrypt

the message and sends it to her

Maria uses her private key to decrypt

the message
Concepts
Online vs. offline CA. Online CA is always running, offline kept offline
expect for specific issuance and renewal operation.
Offline is best practice for your root ca.
Stapling. a method used with OCSP, which allows a web server to provide
information on the validity of its own certificate.
Done by the web server essentially downloading the OCSP response from
the certificate vendor in advance and providing it to browsers.
Pinning. a method designed to mitigate the use of fraudulent certificates.
Once a public key or certificate has been seen for a specific host, that key
or certificate is pinned to the host.
Should a different key or certificate be seen for that host, that might
indicate an issue with a fraudulent certificate.
Concepts
Trust model
A model of how different certificate authorities trust each other and how
their clients will trust certificates from other certification authorities.
The four main types of trust models that are used with PKI are
bridge, hierarchical, hybrid, and mesh.

Key escrow
Addresses the possibility that a cryptographic key may be lost.
The concern is usually with symmetric keys or with the private key in
asymmetric cryptography.
If that occurs, then there is no way to get the key back, and the user cannot
decrypt messages.
Organizations establish key escrows to enable recovery of lost keys.
Concepts
Certificate chaining
Refers to the fact that certificates are handled by a chain of trust.
You purchase a digital certificate from a certificate authority (CA), so you
trust that CA’s certificate.
In turn, that CA trusts a root certificate.
INSIDE CLOUD

THANKS
F O R W A T C H I N G!