CompTIA Security+ (601 and 701) Study Notes
network.
● Scans using both command-line and GUI topology discovery tools are
necessary.
Topology Discovery:
● tracert (Windows) and traceroute (Linux) report the round trip time for hops
● pathping (Windows) provides statistics for latency and packet loss along a route
● IP scanners like Nmap are essential for host discovery and identifying network
connectivity.
● Nmap can use diverse methods for host discovery and can perform detailed port
● Nmap can identify active IP hosts and network services they are running.
● It provides options for TCP SYN, UDP scans, and port range scanning.
● Packet capture utilities like tcpdump capture and analyze network traffic.
● Wireshark is a graphical packet capture and analysis utility with powerful display
Exploitation Frameworks:
● Frameworks like Metasploit are used for penetration testing and exploiting
Netcat:
● Netcat is a versatile tool for testing connectivity, port scanning, and establishing
backdoor connections.
● It can be used to send and receive files and execute commands remotely.
● Performance Limitations:
○ Speed: Symmetric ciphers and hash functions are generally faster than
asymmetric.
○ Latency: Critical in applications like secure protocols where handshake
phases are involved.
○ Computational overheads vary across ciphers, affecting their suitability in
resource-constrained environments.
● Key Management:
○ Distribution and storage of keys, particularly symmetric keys, pose
security risks.
○ Private keys should be securely stored (e.g., in a TPM) and protected by
user authentication.
● Algorithm Limitations:
○ Maximum data size limitations in asymmetric ciphers like RSA.
○ Efficiency issues when using asymmetric encryption for bulk data
encryption.
Additional Points
● Obfuscation and Cryptography:
○ Used to make source code difficult to understand, but not practical for
encryption due to execution constraints.
○ White box cryptography attempts have been broken; no secure
commercial solutions available.
● Key Size and Security:
○ Larger key sizes generally provide better security but increase
computational demands.
○ Cannot directly compare key sizes across different algorithms (e.g., ECC
vs. RSA).
Practical Recommendations
2. Post-Quantum Cryptography
● Context: Refers to the cryptographic landscape when quantum computers are advanced
enough to break current encryption methods.
● Quantum Threat: Modern encryption potentially vulnerable to quantum attacks.
● NIST's Role: Leading efforts to develop new cryptographic standards resistant to
quantum computing attacks.
3. Cryptographic Agility
● Definition: The capability of an organization to quickly and efficiently switch between
cryptographic algorithms without disrupting existing systems.
● Importance: Ensures that an organization can adapt to new cryptographic standards as
threats evolve or new vulnerabilities are discovered.
4. Lightweight Cryptography
● Goal: Develop cryptographic solutions for devices with limited processing power and
energy resources (e.g., IoT devices).
● NIST Initiative: Focus on creating efficient, compact, and quantum-resistant
cryptographic protocols for low-power devices.
5. Homomorphic Encryption
● Purpose: Allows computation on encrypted data, enabling the data to remain secure
even during processing.
● Use Case: Enables third parties to perform data analysis without ever having access to
unencrypted data.
● Example: Analyzing encrypted logs of user activity without exposing individual identifiers.
6. Blockchain
● Mechanism: Utilizes cryptographic hashing to link blocks of data (transactions) ensuring
integrity and verifiability.
● Decentralization: Maintains a distributed ledger across a peer-to-peer network, reducing
the risk of centralized failure or attack.
● Transparency and Trust: Every transaction is visible to all network participants,
promoting transparency and trust without the need for central authority.
● Applications: Beyond cryptocurrencies, potential uses include voting systems, identity
verification, secure data storage, and more.
7. Steganography
● Definition: The practice of hiding messages or information within non-secret text or data.
● Techniques: Embedding hidden information in digital media, such as images or audio
files, without noticeable changes to the original file.
● Detection and Creation Tools: Software designed either to embed information secretly or
to detect hidden messages in digital files.
Implementing Public Key Infrastructure
Digital Certificates
● Purpose: Ensures that public keys are indeed owned by the entities that claim
them.
● Certificate Authorities (CAs): Entities that issue digital certificates and guarantee
their validity.
● Trust Models:
○ Single CA: Simple but risky as compromise leads to system collapse.
○ Hierarchical: Root CA issues certificates to intermediate CAs, which then
issue to end users, adding layers of security but still vulnerable at the root
level.
● Roles: Issue certificates, verify identities, manage certificate and key lifecycles,
maintain trust.
● Types:
○ Private CAs: Used within an organization.
○ Public CAs: Trusted across organizations and networks for broader
communication security.
● Examples: IdenTrust, Digicert, Sectigo/Comodo, GoDaddy, GlobalSign.
● Key Contents: Subject’s public key, identity details, issuer details, and a digital
signature by the CA.
● Standards: X.509 standard defines the structure of certificates; managed by the
PKIX working group.
● Certificate Attributes:
○ Serial Number, Signature Algorithm, Issuer, Validity Dates, Subject Name,
Public Key, Extensions.
○ Subject Alternative Name (SAN): Preferred over Common Name (CN) for
specifying the identity of the certificate subject.
○ Common Name (CN): Historically used for server identification, now being
replaced by more precise identifiers in SAN.
9. Implementation Considerations
● Security: Critical to maintain the integrity and confidentiality of the private key.
● Verification: CA must rigorously verify the identity of certificate applicants to
maintain trust.
● Lifecycle Management: Includes issuing, renewing, and revoking certificates as
needed.
Implement Certificates and Certificate Authorities
● Digital Certificates Overview:
○ Digital certificates assert identity and are validated by a Certificate
Authority (CA).
○ They are crucial for secure communications and message signing.
● Public and Private Key Usage:
○ Public key encryption allows secure communication: public keys are
shared for encryption, while private keys are kept for decryption.
○ Private keys are used to create signatures, ensuring message authenticity.
● Public Key Infrastructure (PKI):
○ PKI verifies the identities of public key owners through digital certificates
issued by CAs.
○ CAs ensure the validity of certificates and manage key and certificate
lifecycle.
● Certificate Authorities:
○ CAs issue and guarantee certificates.
○ Private CAs are for internal communications, while third-party CAs are for
public or business-to-business communications.
● PKI Trust Models:
○ Single CA: One CA issues certificates; vulnerable to single point of failure.
○ Hierarchical: Root CA issues certificates to intermediate CAs, reducing
risk but still vulnerable.
● Online vs. Offline CAs:
○ Online CAs process requests, while offline CAs are disconnected from
networks to mitigate risks.
● Registration Authorities and CSRs:
○ RAs handle identity checks and submit Certificate Signing Requests
(CSRs) but don't issue certificates.
● Digital Certificates:
○ Wrapper for public keys, containing subject and issuer information, signed
by a CA.
○ Based on X.509 standard, managed by PKIX working group.
● Certificate Attributes:
○ Serial number, signature algorithm, issuer, validity period, subject, public
key, and extensions like SAN.
● Types of Certificate:
○ Domain Validation (DV) and Extended Validation (EV) for web servers,
machine certificates, email/user certificates, code signing certificates, and
root certificates.
● Self-signed Certificates:
○ Deployed by machines, web servers, or programs, but marked untrusted by
OS or browser.
Implement PKI Management
PKI Management Overview:
● Security professionals often install and maintain PKI certificate services
for private networks and manage certificates from public PKI providers.
● PKI installation, configuration, troubleshooting, and certificate revocation
are essential tasks.
Certificate and Key Management:
● Key lifecycle stages: generation, certificate generation, storage,
revocation, expiration/renewal.
● Key management can be centralized or decentralized.
● Critical vulnerability if not managed properly; compromised private keys
endanger data confidentiality and authentication systems.
Key Recovery and Escrow:
● Root CA keys require stringent access controls.
● Key recovery mechanisms ensure encrypted data can be accessed if keys
are lost.
● Escrow involves archiving keys with a third party for secure storage.
Certificate Expiration and Revocation:
● Certificates have limited durations and are renewed before expiration.
● Keys can be archived or destroyed upon certificate expiration.
● Revoked certificates are invalid; suspension allows for re-enabling.
Certificate Revocation Lists (CRLs) and OCSP:
● CAs maintain CRLs listing revoked/suspended certificates.
● OCSP servers provide real-time certificate status checks.
● OCSP stapling and certificate pinning enhance security.
Certificate Formats and OpenSSL:
● Certificates encoded using DER or PEM.
● Various file extensions for certificates (.CER, .CRT, .PEM).
● OpenSSL commands for key and certificate management in Linux
environments.
Certificate Issues and Troubleshooting:
● Common issues include certificate expiration, misconfiguration, and trust
chain problems.
● Ensure proper key usage settings, subject name configuration, and
time/date synchronization.
● Regularly audit certificate infrastructure for security compliance and
validity.
iptables
Firewall Implementation
Application-Based Firewalls
● Host-based, application, and network operating system firewalls.
● Enforce packet filtering ACLs and protect specific applications.
Virtual Firewalls
● Security concepts are crucial in enterprise environments to protect sensitive data and
ensure the integrity and availability of resources.
● Secure protocols are essential for maintaining the confidentiality of data, preventing
unauthorized access, and mitigating various cyber threats.
● Application protocols like HTTP, SMTP, POP3, IMAP, and SIP must be configured
securely to ensure the safe transmission of data.
● Secure configuration involves implementing encryption, authentication, and authorization
mechanisms.
5. API Considerations
● Despite newer protocols, FTP remains popular for efficient file transfer.
● Secure FTP options include SSH FTP (SFTP) and FTP Over SSL (FTPS), which encrypt
data transmission to prevent interception.
8. Email Services
● Secure protocols like SMTPS, POP3S, and IMAPS use encryption to protect email
communication and authentication mechanisms to ensure secure access.
● VoIP, web conferencing, and video teleconferencing require secure protocols like SIP
and RTP to protect real-time data transmission.
● Encryption and authentication are essential to prevent interception and man-in-the-
middle attacks.
● Remote Access VPN: Clients connect individually to a VPN gateway, suitable for
telecommuters and field employees.
● Site-to-Site VPN: Connects two or more private networks automatically, exchanging
security information between gateways.
● TLS VPN (SSL VPN) establishes a secure connection over port 443, encrypting data
and ensuring user authentication.
● OpenVPN and SSTP are examples of TLS VPN implementations, providing secure
tunnels for network traffic.
5. IPSec Modes:
● Handles authentication and key exchange for IPSec, ensuring mutual authentication and
secure communication.
● Negotiates security associations and establishes secure channels between hosts.
● L2TP/IPSec VPN combines L2TP for tunneling with IPSec for security, suitable for
remote access.
● IKE v2 enhances IKE with EAP authentication and simplified setup, providing reliability
and support for NAT traversal.
● VPN clients require installation and configuration with VPN gateway details and
authentication credentials.
● Always-On VPN establishes connections automatically when detecting trusted network
connections.
● Remote Desktop Protocol (RDP) and SSH provide secure remote access to desktops
and terminals.
● SSH enables command-line access and secure file transfer, with various authentication
methods and host key management.
4. Disk Encryption:
3. Patch Management:
4. Endpoint Protection:
● Embedded Systems:
○ Definition: Complete computer systems designed for specific, dedicated
functions.
○ Examples: From microcontrollers in medical devices to complex control
systems in industrial plants.
○ Characteristics: Static environments with limited flexibility compared to
PCs.
○ Security Implications: While static environments can be easier to protect,
identifying and correcting security issues can be challenging.
● Cost, Power, and Compute Constraints:
○ Processor capability, system memory, and storage are limited in
embedded systems.
○ Cost is a significant factor, driving resource provisioning to the minimum
necessary level.
○ Power constraints are crucial, especially for battery-powered devices
needing long operational lifespans.
● Crypto, Authentication, and Implied Trust Constraints:
○ Limited compute resources hinder traditional cryptographic technologies'
usage.
○ The rise of network accessibility prompts the development of resource-
efficient encryption methods.
○ Implied trust models are common in embedded networks due to the lack
of explicit trust anchors like TPMs.
● Network and Range Constraints:
○ Network connectivity choices prioritize power-efficient data transfer with
reliability and low latency.
○ Unlike Wi-Fi and 4G/5G, embedded systems emphasize power efficiency
over maximizing data rates and range.
● Logic Controllers for Embedded Systems:
○ PLCs form the basis of embedded systems, often utilizing System on Chip
(SoC) designs for efficiency and compactness.
○ FPGAs offer flexible hardware configuration, suitable for various
applications without the cost of ASICs.
● Real-Time Operating Systems (RTOS):
○ RTOS are essential for time-sensitive tasks in embedded systems,
requiring stability, reliability, and predictable response times.
○ Despite their design for stability, RTOS are still susceptible to CVEs and
exploits.
● Embedded Systems Communications Considerations:
○ Adoption of standardized communication technologies is increasing,
enhancing integration with IT networks.
○ OT networks and cellular networks serve different purposes, with
considerations for power efficiency, reliability, and security.
● Specialized Systems for Facility Automation:
○ BAS integrates various control systems for building automation,
emphasizing physical access control, HVAC, and fire control.
○ Vulnerabilities include process and memory vulnerabilities, plaintext
credentials, and code injection via web interfaces.
● Security for Embedded Systems:
○ Network segmentation isolates embedded systems from corporate
networks, reducing the risk of infection or exploitation.
○ Wrappers like IPSec can secure data in transit, mitigating risks associated
with untrusted networks.
○ Firmware patching is challenging due to limited vendor support, manual
update processes, and the need for uninterrupted service.
Implementing Secure Mobile Solutions
Implement Mobile Device Management
● Python uses indentation for block structure and colons to start blocks.
● Variables are assigned using the = operator.
● Functions are defined using the def keyword.
● Logic and looping statements include if, else, elif, for, and while.
Execution Control:
● Macros in documents (e.g., Word, PDF) execute code and can be used maliciously.
● Visual Basic for Applications (VBA) is used in Microsoft Office documents.
● Mitigation involves disabling macros by default and user education.
Man-in-the-Browser Attack:
High Availability:
● Combines functionalities of secure web gateway (SWG), data loss prevention (DLP),
and CASB.
● Supports architecture defined as secure access service edge (SASE).
Summarize Infrastructure as Code Concepts
● Infrastructure as Code (IaC) concepts:
○ Virtualization and cloud computing enable continuous delivery models for
automation and service integration.
○ Provisioning networks and hosts to support application services can be achieved
through Infrastructure as Code.
● Service Integration and Microservices:
○ Traditional network architecture focused on server machines and intermediate
network systems.
○ Virtualization reduces dependency on physical placement and operating
systems.
○ Service-Oriented Architecture (SOA) emphasizes atomic services mapped to
business workflows with clear input/output interfaces.
○ Microservices are highly decoupled, capable of independent development,
testing, and deployment.
● Services Integration and Orchestration:
○ Orchestration tools automate sequences of tasks, such as provisioning and
configuring VMs.
○ Orchestration requires proper sequencing, security credentials, and permissions.
○ Third-party orchestration platforms offer protection from vendor lock-in and
support multi-cloud environments.
● Application Programming Interfaces (APIs):
○ APIs enable service integration, automation, and orchestration.
○ SOAP uses XML messaging with built-in error handling, while REST offers a
looser architectural framework.
● Serverless Architecture:
○ Serverless design pattern runs applications as functions and microservices in the
cloud.
○ Billing is based on execution time, and services are provisioned dynamically.
○ Functions as a Service (FaaS) products include AWS Lambda, Google Cloud
Functions, and Microsoft Azure Functions.
● Infrastructure as Code (IaC):
○ IaC replaces manual configuration with automation and orchestration, ensuring
consistency and idempotence.
● Software-Defined Networking (SDN):
○ SDN abstracts network functions into control, data, and management planes.
○ SDN applications define policies implemented by a network controller, facilitating
rapid deployment and automation.
● Software-Defined Visibility (SDV):
○ SDV collects real-time data about network traffic and host configurations for
improved anomaly detection and incident response.
● Fog and Edge Computing:
○ Fog computing places processing resources close to IoT sensors to address
latency and bandwidth requirements.
○ Edge computing incorporates fog computing concepts, focusing on edge devices,
gateways, fog nodes, and cloud/data center layers for data processing and
storage.
Explaining Data Privacy and Protection Concepts
Data Protection:
Data Exfiltration:
● Information Rights Management (IRM) in Microsoft Office suite restricts file permissions
and forwarding, integrating with Active Directory Rights Management Services (RMS) or
Azure Information Protection.
● Data minimization principle ensures only necessary data is processed and stored.
● Deidentification methods like tokenization, aggregation, hashing, and salting protect
privacy by removing or modifying identifying information.
● K-anonymity ensures data can't be linked to fewer than 'k' individuals, reducing
reidentification risks.
● Deidentification methods are often implemented within database management systems
(DBMS).
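Added example (not part of the original notes): a Python sketch that measures k-anonymity over a constructed record set before and after applying aggregation, tokenization, and salted hashing. The field names, the choice of age and ZIP as quasi-identifiers, and the helper names are assumptions made for illustration.

```python
import hashlib
import secrets
from collections import Counter

# Constructed records: "name" and "email" are direct identifiers,
# "age" and "zip" are quasi-identifiers, "diagnosis" is the sensitive value.
RECORDS = [
    {"name": "Ana Ruiz", "email": "ana@example.com", "age": 34, "zip": "30301", "diagnosis": "asthma"},
    {"name": "Ben Cole", "email": "ben@example.com", "age": 37, "zip": "30309", "diagnosis": "diabetes"},
    {"name": "Cy Park", "email": "cy@example.com", "age": 52, "zip": "30318", "diagnosis": "asthma"},
    {"name": "Di Shah", "email": "di@example.com", "age": 58, "zip": "30312", "diagnosis": "flu"},
    {"name": "Eli Voss", "email": "eli@example.com", "age": 31, "zip": "30305", "diagnosis": "flu"},
]
QUASI_IDS = ("age", "zip")  # assumption: the fields an outsider could link on


def group_sizes(rows, quasi_ids=QUASI_IDS):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(row[q] for q in quasi_ids) for row in rows)


def k_anonymity(rows, quasi_ids=QUASI_IDS):
    """The k of a data set is the size of its smallest quasi-identifier group."""
    return min(group_sizes(rows, quasi_ids).values())


def violating_groups(rows, k, quasi_ids=QUASI_IDS):
    """Groups smaller than the target k: candidates for more generalization."""
    return sorted(g for g, n in group_sizes(rows, quasi_ids).items() if n < k)


def generalize(row):
    """Aggregation: exact age becomes a 10-year band, ZIP keeps a 3-digit prefix."""
    low = row["age"] // 10 * 10
    return {**row, "age": f"{low}-{low + 9}", "zip": row["zip"][:3] + "**"}


def salted_hash(value, salt):
    """Hashing with a salt: a stable pseudonym that still supports joins.
    The salt must stay secret, or guessable values can be re-derived."""
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()


def tokenize(value, vault):
    """Tokenization: a random token; only the separately stored vault maps it back."""
    for token, original in vault.items():
        if original == value:
            return token  # reuse the token so repeated values stay linkable
    token = "tok_" + secrets.token_hex(8)
    vault[token] = value
    return token


def deidentify(rows, salt, vault):
    """Apply all three methods and return the releasable rows."""
    released = []
    for row in rows:
        safe = generalize(row)
        safe["name"] = tokenize(row["name"], vault)
        safe["email"] = salted_hash(row["email"], salt)
        released.append(safe)
    return released


if __name__ == "__main__":
    vault = {}
    out = deidentify(RECORDS, secrets.token_bytes(16), vault)
    print("k before:", k_anonymity(RECORDS), "k after:", k_anonymity(out))
    print("groups below k=3:", violating_groups(out, 3))
```

Removing the name and email alone leaves k at 1 here, because every age and ZIP pair is unique; it is the aggregation step that raises k.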
Performing Incident Response
● SIEM, coupled with an attack framework, helps locate indicators of malicious activity.
● SIEM parses network traffic and log data from various sources and normalizes
information.
● Correlation rules in SIEM detect potential incidents by interpreting relationships between
data points.
● Correlation rules use logical expressions (AND, OR) and operators (==, <, >, in) to
match conditions.
● SIEM can be configured with a threat intelligence feed for associating network data with
known threat actor indicators.
● Retention policies in SIEM enable historical data storage for incident and threat hunting.
SIEM Dashboards:
● Challenges in operating SIEM include tuning system sensitivity to reduce false positives.
● False negatives occur when indicators that should raise alerts are ignored.
● Correlation rules assign criticality levels to matches: log only, alert, alarm.
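Added example (not part of the original notes): a small Python correlation engine showing how rules combine AND/OR with the ==, <, > and in operators over normalized events, apply a threshold inside a time window, and assign one of the three criticality levels. The event fields, rule format, threat-feed entry and thresholds are constructed assumptions, not any SIEM product's syntax.

```python
import operator

# Comparison operators named in the notes; "in" tests membership in a set.
OPS = {
    "==": operator.eq,
    "<": operator.lt,
    ">": operator.gt,
    "in": lambda value, allowed: value in allowed,
}
SEVERITIES = ["log only", "alert", "alarm"]  # criticality levels, lowest first

# Constructed threat-intelligence feed entry (documentation address range).
THREAT_FEED = {"198.51.100.23"}

# Constructed events, already parsed and normalized to common field names.
EVENTS = [
    {"ts": 100, "src_ip": "203.0.113.7", "user": "alice", "event": "login_failure"},
    {"ts": 110, "src_ip": "203.0.113.7", "user": "alice", "event": "login_failure"},
    {"ts": 125, "src_ip": "203.0.113.7", "user": "bob", "event": "login_failure"},
    {"ts": 130, "src_ip": "192.0.2.10", "user": "carol", "event": "login_failure"},
    {"ts": 140, "src_ip": "203.0.113.7", "user": "alice", "event": "login_success"},
    {"ts": 400, "src_ip": "192.0.2.10", "user": "carol", "event": "login_failure"},
    {"ts": 500, "src_ip": "198.51.100.23", "user": "dave", "event": "login_success"},
    {"ts": 520, "src_ip": "192.0.2.10", "user": "carol", "event": "login_success",
     "bytes_out": 2_000_000},
]


def cond(field, op, value):
    return ("cond", field, op, value)


def AND(*terms):
    return ("and", terms)


def OR(*terms):
    return ("or", terms)


def matches(expr, event):
    """Evaluate a rule expression against one normalized event."""
    if expr[0] == "cond":
        _, field, op, value = expr
        # A missing field never matches, so sparse logs cannot raise errors.
        return field in event and OPS[op](event[field], value)
    results = [matches(term, event) for term in expr[1]]
    return all(results) if expr[0] == "and" else any(results)


def correlate(rule, events):
    """One finding per group key that reaches the threshold inside the window."""
    stamps_by_key = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if matches(rule["expr"], ev):
            stamps_by_key.setdefault(ev.get(rule["group_by"]), []).append(ev["ts"])
    findings = []
    for key, stamps in stamps_by_key.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > rule["window"]:
                start += 1  # slide the window forward
            if end - start + 1 >= rule["threshold"]:
                findings.append({"rule": rule["name"], "key": key,
                                 "severity": rule["severity"]})
                break
    return findings


FAILURE_AUDIT = {"name": "login-failure-audit", "severity": "log only",
                 "expr": cond("event", "==", "login_failure"),
                 "group_by": "user", "threshold": 1, "window": 0}
BRUTE_FORCE = {"name": "failed-login-burst", "severity": "alert",
               "expr": cond("event", "==", "login_failure"),
               "group_by": "src_ip", "threshold": 3, "window": 60}
SUSPICIOUS_LOGIN = {"name": "suspicious-successful-login", "severity": "alarm",
                    "expr": AND(cond("event", "==", "login_success"),
                                OR(cond("src_ip", "in", THREAT_FEED),
                                   cond("bytes_out", ">", 1_000_000))),
                    "group_by": "src_ip", "threshold": 1, "window": 0}
RULES = [FAILURE_AUDIT, BRUTE_FORCE, SUSPICIOUS_LOGIN]


def run_rules(rules, events):
    """Run every rule and list findings with the highest criticality first."""
    found = [f for rule in rules for f in correlate(rule, events)]
    return sorted(found, key=lambda f: SEVERITIES.index(f["severity"]), reverse=True)


if __name__ == "__main__":
    for finding in run_rules(RULES, EVENTS):
        print(finding)
```

Changing `threshold` on the burst rule shows the tuning trade-off: at 4 the burst from 203.0.113.7 is missed (a false negative), while at 1 the two isolated failures from 192.0.2.10 are flagged as well (a likely false positive).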
Sensors:
Trend Analysis:
● Detect patterns or indicators within a data set over time.
● Trend analysis applied to frequency, volume, or statistical deviation of events.
Logging Platforms:
Metadata:
● Analyzed at individual frame level or using traffic flow and protocol usage statistics.
● Protocol analyzer output and Netflow/IPFIX capture metadata and statistics about
network traffic.
● sFlow measures traffic statistics using sampling at any OSI layer.
Apply Mitigation Controls
Mitigation Overview:
● Mitigation techniques are applied to contain, eradicate, and recover from malicious
activity.
● Incident response balances eliminating intrusion without disrupting business workflows.
Incident Containment:
Isolation-Based Containment:
Segmentation-Based Containment:
Backup Types:
Copy Backups:
Offsite Storage:
3-2-1 Rule:
● Three copies of data, across two media types, with one offline and offsite.
Restoration Order:
Nonpersistence:
Configuration Validation:
Fencing:
Lighting:
Cable Locks:
Contents
Summarize Fundamental Security Concepts
Security Concepts
Security Controls
Compare Threat Types
Threat Actors
Attack Surfaces
Social Engineering
Explain Cryptographic Solutions
Cryptographic Algorithms
Public Key Infrastructure
Cryptographic Solutions
Implement Identity and Access Management
Authentication
Authorization
Identity Management
Secure Enterprise Network Architecture
Enterprise Network Architecture
Network Security Appliances
Secure Communications
Secure Cloud Network Architecture
Cloud Infrastructure
Embedded Systems and Zero Trust Architecture
Explain Resiliency and Site Security Concepts
Asset Management
Redundancy Strategies
Physical Security
Explain Vulnerability Management
Device and OS Vulnerabilities
Application and Cloud Vulnerabilities
Vulnerability Identification Methods
Vulnerability Analysis and Remediation
Evaluate Network Security Capabilities
Network Security Baselines
Network Security Capability Enhancement
Assess Endpoint Security Capabilities
Implement Endpoint Security
Mobile Device Hardening
Enhance Application Security Capabilities
Application Protocol Security Baselines
Cloud and Web Application Security Concepts
Explain Incident Response and Monitoring Concepts
Incident Response
Digital Forensics
Data Sources
Alerting and Monitoring Tools
Analyze Indicators of Malicious Activity
Malware Attack Indicators
Physical and Network Attack Indicators
Application Attack Indicators
Summarize Security Governance Concepts
Policies, Standards, and Procedures
Change Management
Automation and Orchestration
Explain Risk Management Processes
Risk Management Processes and Concepts
Vendor Management Concepts
Audits and Assessments
Summarize Data Protection and Compliance Concepts
Data Classification and Compliance
Personnel Policies
Summarize Fundamental Security Concepts
Security Concepts
● Security Concepts Study Notes:
1. Information Security:
■ Definition: Protection of data resources from unauthorized access, attack,
theft, or damage.
■ CIA Triad:
■ Confidentiality: Data accessible only to authorized individuals.
■ Integrity: Data stored and transferred as intended, with authorized
modifications.
■ Availability: Information readily accessible to authorized users.
■ Additional Property: Non-repudiation, preventing denial of actions like
creating or modifying data.
2. Cybersecurity Framework:
■ Definition: Provisioning secure processing hardware and software.
■ Five Functions (NIST Framework):
■ Identify: Develop security policies, evaluate risks, recommend
controls.
■ Protect: Secure IT assets throughout the lifecycle.
■ Detect: Proactive monitoring for new threats.
■ Respond: Analyze, contain, eradicate threats.
■ Recover: Restore systems and data post-attack.
■ Importance: Guides control selection, aids in risk management and
compliance.
3. Gap Analysis:
■ Definition: Process identifying deviations from framework requirements.
■ Purpose: Assess current cybersecurity capabilities, prioritize investments
for improvement.
■ Components: Outcome-based, identifies missing/poorly configured
controls.
■ Utilization: Initial adoption, compliance fulfillment, periodic validation.
■ Involvement: Can engage third-party consultants for complex
assessments.
4. Access Control:
■ Definition: Governs interactions between subjects (users/devices) and
objects (resources).
■ Components:
■ Identification: Unique representation of users/devices.
■ Authentication: Proving identity, often via passwords or digital
certificates.
■ Authorization: Determining and enforcing resource access rights.
■ Accounting: Tracking authorized resource usage and detecting
unauthorized attempts.
■ Implementation: Often through Identity and Access Management (IAM)
systems.
■ AAA Framework: Alternative terminology for authentication, authorization,
and accounting.
5. Application of Access Control:
■ E-commerce Example: Enroll users, manage orders, ensure payment
integrity, record customer actions for accountability.
Security Controls
● Security Controls Study Notes:
1. Introduction to Security Controls:
■ Definition: Measures to ensure information and cybersecurity assurance.
■ Importance: Selecting and implementing appropriate controls for different
scenarios.
■ Responsibility: Often falls under the purview of IT departments within
organizations.
2. Security Control Categories:
■ Managerial Controls: Oversight of information systems, including risk
identification and control selection.
■ Operational Controls: Implemented by people, such as security training
programs.
■ Technical Controls: Implemented as hardware, software, or firmware, like
firewalls and antivirus software.
■ Physical Controls: Measures like alarms and security cameras to deter
and detect physical access.
3. Functional Types of Security Controls:
■ Preventive Controls: Aim to eliminate or reduce the likelihood of
successful attacks.
■ Detective Controls: Identify and record attempted or successful intrusions
during an attack.
■ Corrective Controls: Reduce the impact of security policy violations after
an attack.
■ Additional Types:
■ Directive Controls: Enforce behavioral rules, often through policies
or training.
■ Deterrent Controls: Discourage attackers psychologically, such as
warning signs.
■ Compensating Controls: Substitute for principal controls to provide
equivalent protection.
4. Information Security Roles and Responsibilities:
■ Chief Information Officer (CIO): Overall responsibility for IT and often
security.
■ Chief Security Officer (CSO) or Chief Information Security Officer (CISO):
Internal security leadership.
■ Managers: Departmental responsibility for security domains.
■ Technical and Specialist Staff: Implement, maintain, and monitor security
policies and controls.
■ Nontechnical Staff: Comply with policies and relevant legislation.
5. Information Security Competencies:
■ Skills required for IT professionals with security responsibilities, including
risk assessment, system configuration, incident response, and training.
6. Information Security Business Units:
■ Security Operations Center (SOC): Monitors and protects critical
information assets, typically in larger corporations.
■ DevSecOps: Integration of security expertise into software development
and operations processes.
■ Incident Response: Dedicated teams for handling security incidents,
either as part of SOC or standalone units.
Compare Threat Types
Threat Actors
● Threat Actors Study Notes:
Introduction to Vulnerability, Threat, and Risk:
● Vulnerability: Weakness in security systems that can be exploited.
● Threat: Potential for exploitation by a threat actor, intentional or
unintentional.
● Risk: Level of hazard posed by vulnerabilities and threats, calculated
based on likelihood and impact.
Attributes of Threat Actors:
● Internal/External: Degree of access before initiating an attack, either
unauthorized (external) or authorized (internal/insider).
● Level of Sophistication/Capability: Ability to use advanced exploit
techniques and tools.
● Resources/Funding: Support necessary for sophisticated threat actors,
often from nation-states or organized crime.
● Motivations: Reasons for perpetrating attacks, including financial gain,
political agendas, or revenge.
Threat Actor Types:
● Hackers:
● Unauthorized (black hat) or authorized (white hat), with varying
levels of skill.
● Increasingly work in teams or groups, known as hacktivist groups,
to promote political agendas.
● Nation-State Actors:
● Often pursue espionage and disinformation for strategic
advantage, with plausible deniability.
● Known for sophisticated attacks, such as advanced persistent
threats (APTs).
● Organized Crime and Competitors:
● Focus on financial fraud, blackmail, and extortion, operating
across jurisdictions.
● Competitors may engage in cyber espionage for theft or
disruption.
● Internal Threat Actors:
● Can be permanent insiders (employees) or temporary insiders
(contractors, guests).
● Motivated by revenge, financial gain, or unintentional actions like
poor security practices.
● Whistleblowers may release information ethically, while
unintentional threats arise from lack of awareness or shadow IT.
Motivations and Strategies of Threat Actors:
● Strategies include service disruption, data exfiltration, and disinformation,
affecting confidentiality, integrity, and availability.
● Motivations range from chaotic (e.g., causing chaos) to financial (e.g.,
fraud, extortion) and political (e.g., promoting change or furthering war
aims).
● Threat sources and motivations evolve over time, with shifts from
opportunistic to structured attacks associated with organized crime and
nation-states.
Attack Surfaces
● Attack Surface and Threat Vectors:
○ The attack surface refers to all points where a malicious actor could exploit a
vulnerability.
○ It includes network ports, applications, computers, and user interactions.
○ Minimizing the attack surface involves restricting access to known endpoints,
protocols, and services.
○ Assessment should cover the overall organization as well as specific scopes like
servers, web applications, or user identities.
● Assessing the Attack Surface:
○ Organizations should evaluate the attributes of threat actors posing the most risk.
○ External threat actors have a smaller attack surface compared to insider threats.
○ Threat vectors represent paths used by threat actors to execute attacks like data
exfiltration or service disruption.
○ Sophisticated actors plan multistage campaigns and may develop novel vectors.
● Vulnerable Software Vectors:
○ Vulnerabilities in software allow threat actors to exploit flaws in code or design.
○ Patch management is crucial, as almost no software is free from vulnerabilities.
○ Consolidating to fewer products and ensuring consistent versions help reduce
the attack surface.
● Unsupported Systems and Applications:
○ Unsupported systems lack vendor updates and patches, making them highly
vulnerable.
○ Isolating such systems reduces the likelihood of exploitation.
● Client-Based versus Agentless Scanning:
○ Scanning software helps identify vulnerabilities, but threat actors can also use it
for reconnaissance.
○ Scans can be client-based, requiring installation, or agentless, scanning without
installation.
● Network Vectors:
○ Vulnerable software allows threat actors to execute code remotely or locally.
○ Remote exploits occur over a network, while local exploits require authenticated
access.
○ Securing networks involves ensuring confidentiality, integrity, and availability.
● Lure-Based Vectors:
○ Lures, like malicious files, trick users into facilitating attacks.
○ Common lures include removable devices, executable files, document files, and
image files.
● Message-Based Vectors:
○ Threat actors use messaging systems like email, SMS, IM, web, and social
media to deliver malicious files.
○ Social engineering techniques persuade users to open attachments or links.
● Supply Chain Attack Surface:
○ Threat actors target supply chains to infiltrate organizations indirectly.
○ Procurement management ensures reliable sources of equipment and software.
○ Establishing a trusted supply chain involves vetting suppliers, vendors, and
partners.
Social Engineering
● Social Engineering Overview:
○ People within organizations are part of the attack surface and are collectively
referred to as the human vector.
○ Social engineering exploits human psychology to manipulate individuals into
divulging information or performing actions for threat actors.
● Human Vectors:
○ Employees and contractors possess valuable information about networks and
security systems, making them potential targets.
○ Social engineering involves eliciting information or actions from individuals, also
known as "hacking the human."
○ Examples include tricking users into providing passwords, obtaining sensitive
information from help desks, or infiltrating buildings during emergencies.
● Impersonation and Pretexting:
○ Impersonation involves pretending to be someone else to gain trust.
○ Threat actors use persuasive or coercive approaches to deceive targets.
○ Pretexting involves crafting convincing stories to charm or intimidate targets,
often relying on privileged information about the organization.
● Phishing and Pharming:
○ Phishing combines social engineering with spoofing to trick targets into
interacting with malicious resources.
○ Phishing emails or messages persuade users to perform actions like installing
malware or revealing credentials.
○ Pharming redirects users from legitimate websites to malicious ones by
corrupting name resolution processes.
● Typosquatting and Business Email Compromise:
○ Typosquatting involves registering domain names similar to legitimate ones to
deceive users.
○ Business Email Compromise targets specific individuals within companies, often
executives, using sophisticated techniques to deceive and manipulate.
● Brand Impersonation and Disinformation:
○ Brand impersonation involves accurately duplicating company logos and
formatting to create visually compelling fakes.
○ Disinformation aims to deceive, while misinformation involves repeating false
claims unintentionally.
● Watering Hole Attack:
○ This attack targets a group of users who frequent an unsecure third-party
website, allowing threat actors to compromise their systems through exploit code.
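The typosquatting item above describes look-alike domain registrations; the following is an added example (not part of the original notes) of how a defender can flag such domains in mail or DNS logs. The protected domains, the observed sample, the confusable-character table and the distance threshold are all constructed assumptions.

```python
"""Flag look-alike (typosquatted) domains against a list of protected domains."""

# Constructed placeholder brands; replace with the organization's own domains.
PROTECTED = ["example.com", "example-bank.com"]

# Constructed sample of registrable domains, as might be pulled from mail
# gateway or DNS resolver logs.
OBSERVED = [
    "example.com",
    "exarnple.com",
    "examp1e.com",
    "exmaple.com",
    "example-bank.co",
    "unrelated.org",
]

# Character sequences that render like another character in many fonts
# (a small assumed table, not an exhaustive homoglyph list).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def fold(domain):
    """Lower-case a domain and collapse visually confusable sequences."""
    folded = domain.lower().rstrip(".")
    for lookalike, canonical in CONFUSABLES:
        folded = folded.replace(lookalike, canonical)
    return folded


def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and swapping two
    adjacent characters each cost 1 (optimal string alignment)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def classify(observed, protected=PROTECTED, max_distance=2):
    """Return (verdict, matched protected domain or None, reason)."""
    name = observed.lower().rstrip(".")
    if name in protected:
        return ("legitimate", name, "exact match")
    for target in protected:
        if fold(name) == fold(target):
            return ("lookalike", target, "confusable characters")
    best = min(protected, key=lambda target: osa_distance(name, target))
    distance = osa_distance(name, best)
    if distance <= max_distance:
        return ("lookalike", best, f"edit distance {distance}")
    return ("unrelated", None, "")


def scan(observed_domains, protected=PROTECTED):
    """Return only the domains that need analyst review."""
    findings = []
    for domain in observed_domains:
        verdict, target, reason = classify(domain, protected)
        if verdict == "lookalike":
            findings.append((domain, target, reason))
    return findings


if __name__ == "__main__":
    for domain, target, reason in scan(OBSERVED):
        print(f"{domain:18} imitates {target} ({reason})")
```

A fixed threshold of 2 produces false positives against short protected names, so scale it with name length before using it on real logs.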
Explain Cryptographic Solutions
Cryptographic Algorithms
● Cryptographic Concepts:
○ Cryptography ensures information security by encoding data.
○ Terms: Plaintext (unencrypted), Ciphertext (encrypted), Algorithm
(encryption/decryption process), Cryptanalysis (cracking cryptographic systems).
○ Actors: Alice (sender), Bob (recipient), Mallory (malicious attacker).
● Symmetric Encryption:
○ Uses a single secret key for both encryption and decryption.
○ Examples: Substitution and transposition algorithms.
○ Key exchange challenge: securely sharing the key.
○ Fast and efficient for bulk encryption but vulnerable if the key is intercepted.
● Key Length:
○ Longer keys increase security by expanding the keyspace.
○ Example: AES-128 vs AES-256, where AES-256 has a significantly larger
keyspace.
○ Brute force cryptanalysis: attempting decryption with every possible key value.
● Asymmetric Encryption:
○ Uses different but related public and private keys for encryption and decryption.
○ Public key can be freely distributed, while the private key must be kept secret.
○ Involves more computing overhead compared to symmetric encryption.
● Hashing:
○ Produces fixed-length digest from plaintext, used for integrity verification.
○ Example: Comparing password hashes or verifying file integrity after download.
○ Algorithms: SHA256 (strong) and MD5 (less secure but still used for
compatibility).
● Digital Signatures:
○ Combines public key cryptography with hashing for authentication, integrity, and
non-repudiation.
○ Sender creates a hash of the message and signs it with their private key.
○ Recipient verifies the signature using sender's public key.
● Standards:
○ PKCS#1 defines RSA algorithm for digital signatures.
○ DSA and ECDSA are used for digital signatures and were developed as part of
FIPS.
Public Key Infrastructure
● Single CA Model:
○ Root CA directly issues certificates to users and computers.
○ Often used on private networks.
○ Vulnerable because if compromised, the entire PKI collapses.
● Third-party CAs:
○ Operate on a hierarchical model.
○ Root CA issues certificates to intermediate CAs, which in turn issue certificates to
end entities.
○ Provides clear certificate policies and certification path (chain of trust).
● Self-signed Certificates:
○ Used when PKI management is too difficult or expensive.
○ Deployed on machines, web servers, or program code.
○ Often marked as untrusted by operating systems or browsers.
○ Suitable for non-critical environments like development or testing.
● Certificate Signing Requests (CSR):
○ Process for requesting certificates.
○ Subject generates a key pair and submits a CSR to the CA.
○ CA reviews and validates the information before issuing the certificate.
○ Private key is not part of the CSR and must be securely stored by the subject.
● Subject Name Attributes:
○ CN attribute deprecated; SAN extension field used to represent identifiers.
○ SAN field more secure for representing FQDNs and IP addresses.
○ It's safer to duplicate FQDN information in CN for compatibility.
● Certificate Revocation:
○ Certificates can be revoked or suspended by owner or CA for various reasons.
○ Revoked certificates are no longer valid; suspended certificates can be
re-enabled.
○ CA maintains a Certificate Revocation List (CRL) accessible to verify certificate
status.
● Key Management:
○ Lifecycle stages: generation, storage, revocation, expiration/renewal.
○ Decentralized vs. centralized key management models.
○ Cryptoprocessors offer more secure key generation and storage.
○ Trusted Platform Module (TPM) and Hardware Security Modules (HSM)
examples.
● Key Escrow:
○ Archiving keys with third-party providers.
○ Mitigates risk of key loss or damage.
○ M of N controls ensure multiple authorizations for key operations.
Cryptographic Solutions
1. Importance of Cryptographic Solutions:
○ Cryptographic solutions are essential for implementing security controls.
○ They ensure confidentiality, integrity, and authenticity of data.
○ Used to secure data at rest, in transit, and in use.
2. Encryption for Confidentiality:
○ Encryption renders data unreadable to unauthorized parties.
○ Protects data even if storage media is stolen or data is intercepted.
○ Data states: at rest, in transit, in use.
3. Bulk Encryption vs. Asymmetric Encryption:
○ Bulk encryption (symmetric cipher) used for large data volumes (e.g., AES).
○ Asymmetric encryption (RSA, ECC) less efficient for bulk encryption.
○ Hybrid approach: symmetric for data encryption, asymmetric for key exchange.
4. Disk and File Encryption:
○ Full-disk encryption (FDE) encrypts entire storage device, including metadata.
○ Self-encrypting drives (SEDs) have built-in encryption.
○ Partition-based encryption allows selective encryption for different partitions.
5. Volume and File Encryption:
○ Volume encryption secures entire storage resource, implemented in software.
○ File encryption encrypts individual files or folders (e.g., Microsoft's EFS).
6. Database Encryption:
○ Encryption at database level (TDE) protects entire database.
○ Record/column-level encryption provides granular protection.
○ Enables separation of duties between administrators and data owners.
7. Transport Encryption and Key Exchange:
○ Secures data in motion using protocols like TLS, IPsec, WPA.
○ Key exchange enables secure sharing of symmetric session keys.
○ Integrity and authenticity ensured through HMAC or authenticated encryption.
8. Perfect Forward Secrecy (PFS):
○ Uses Diffie-Hellman key agreement to generate session keys.
○ Ensures future compromise of server doesn't compromise past sessions.
○ Increases complexity for attackers, enhances security.
9. Salting and Key Stretching:
○ Salting prevents precomputed hash attacks by adding random value to
passwords.
○ Key stretching (PBKDF2) increases key length through multiple iterations.
○ Mitigates low-entropy password vulnerabilities.
10. Blockchain:
○ Blockchain secures transaction records through cryptographic hashing.
○ Decentralized, distributed ledger ensures transparency and integrity.
○ Applications in finance, contracts, voting, identity management, and more.
11. Obfuscation:
○ Obfuscation hides data to make it difficult to find.
○ Uses include steganography, data masking, and tokenization.
○ Protects privacy and enhances security in certain contexts.
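Item 9 above (salting and key stretching) can be shown as a password-storage routine. This is an added example, not part of the original notes: the record format, the iteration count and the function names are assumptions chosen for illustration, built on Python's standard `hashlib.pbkdf2_hmac`.

```python
"""Salted, iterated password storage with PBKDF2, next to the weak baseline."""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # assumed work factor; tune to your hardware
SALT_BYTES = 16


def unsalted_digest(password):
    """Weak baseline: one fast hash and no salt. Identical passwords give
    identical digests, so a precomputed lookup table applies to every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$hash."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and iteration count."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False                      # malformed record: fail closed
    if algorithm != ALGORITHM or iterations < 1 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, iterations, dklen=len(expected)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record, min_iterations=DEFAULT_ITERATIONS):
    """True when a stored record is below the current work-factor policy."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < min_iterations


if __name__ == "__main__":
    password = "Winter2024!"              # constructed sample password
    print("unsalted, user A:", unsalted_digest(password))
    print("unsalted, user B:", unsalted_digest(password))
    print("salted,   user A:", hash_password(password))
    print("salted,   user B:", hash_password(password))
```

Storing the iteration count in the record lets the work factor be raised later: verify with the old count at login, then re-hash when `needs_rehash` returns True.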
Implement Identity and Access Management
Authentication
● Windows Sign-In Screen:
○ Personal Identification Number (PIN) is a form of something you know.
○ Modern PINs are not limited to numeric sequences and can be of any length and
character combination.
○ They are valid for authenticating to a single device only.
● Password Concepts:
○ Improper credential management is a major vector for network attacks.
○ Password best practices policy should instruct users on choosing and
maintaining passwords.
○ Credential management policy should cover various authentication methods and
educate users on social engineering attacks.
● Password Policies:
○ Password Length: Enforces minimum and possibly maximum length for
passwords.
○ Password Complexity: Requires a combination of uppercase/lowercase
alphanumeric and non-alphanumeric characters.
○ Password Age: Forces users to select a new password after a set number of
days.
○ Password Reuse and History: Prevents the selection of previously used
passwords.
● Password Aging and Expiration:
○ Aging allows logging in with the old password after a defined period but
mandates choosing a new password immediately.
○ Expiration disables logging in with the outdated password and effectively
disables the account.
● Password Managers:
○ Users often use poor credential management practices, such as reusing
passwords across multiple sites.
○ Password managers generate random passwords and securely store them,
reducing the risk of data breaches.
○ Risks include compromise of the master password or vendor's cloud storage, and
impersonation attacks.
● Multifactor Authentication (MFA):
○ Combines multiple authentication factors for stronger security.
○ Factors include something you have (like a smart card), something you are
(biometrics), and somewhere you are (location-based).
● Biometric Authentication:
○ Involves physiological or behavioral identifiers like fingerprints or facial scans.
○ Enrollment includes acquiring a biometric sample and creating a template for
comparison.
○ Metrics include False Rejection Rate (FRR), False Acceptance Rate (FAR), and
Crossover Error Rate (CER).
● Hard Authentication Tokens:
○ Generated within a secure cryptoprocessor, avoiding transmission of the token.
○ Types include Certificate-Based Authentication, One-Time Password (OTP), and
FIDO Universal 2nd Factor (U2F).
● Soft Authentication Tokens:
○ One-time passwords sent via SMS, email, or authenticator apps.
○ Vulnerable to interception, with authenticator apps offering higher security than
SMS or email.
● Passwordless Authentication:
○ Entirely eliminates knowledge-based factors like passwords.
○ Relies on factors like biometrics or hardware tokens.
○ Utilizes FIDO2 with WebAuthn specifications for secure authentication without
passwords.
Authorization
● Authorization Overview:
○ Authorization is a crucial aspect of identity and access management (IAM).
○ It involves assigning privileges to network users and services to manage access
to resources effectively.
● Discretionary Access Control (DAC):
○ DAC prioritizes the resource owner's authority.
○ Owners have full control over resources and can modify access control lists
(ACLs) to grant rights to others.
○ Widely used but vulnerable to insider threats and abuse of compromised
accounts.
● Mandatory Access Control (MAC):
○ Based on security clearance levels rather than individual ownership.
○ Each object is assigned a classification label, and each subject is granted a
clearance level.
○ Subjects can access objects classified at their own level or below, ensuring
confidentiality.
● Role-Based Access Control (RBAC):
○ Defines permissions based on user roles.
○ Each principal is assigned to one or more roles, and permissions are managed
by system owners.
○ Offers flexibility and scalability in permission management.
● Attribute-Based Access Control (ABAC):
○ Utilizes subject and object attributes for access decisions.
○ Factors like location, device status, and user behavior influence access control.
○ Provides fine-grained control over access based on contextual information.
● Rule-Based Access Control:
○ Access control policies are enforced by system rules rather than user discretion.
○ Examples include RBAC, ABAC, and MAC.
○ Conditional access systems monitor behavior and enforce access rules
dynamically.
● Least Privilege Principle:
○ Grants the minimum necessary privileges to perform authorized tasks.
○ Reduces the risk of compromised accounts and limits potential damage.
○ Requires careful analysis of business workflows to determine necessary
permissions.
● User Account Provisioning:
○ Involves setting up user accounts according to standardized procedures.
○ Includes identity proofing, credential issuance, hardware/software allocation, and
policy awareness training.
● Account Restrictions and Policies:
○ Location-based and time-based policies restrict account access.
○ Policies enforce authorized login hours, session durations, and geographical
constraints.
○ Privileged Access Management (PAM) controls and monitors privileged account
usage to prevent compromise.
● Just-in-Time (JIT) Permissions:
○ Elevates privileges only when needed for a limited duration.
○ Ensures zero standing privileges (ZSP) to minimize attack surface.
○ Implemented through temporary elevation, password vaulting, or ephemeral
credentials.
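The authorization models above are usually layered rather than used alone. This added example (not part of the original notes) evaluates one request against a MAC label check, RBAC role permissions, a time-limited JIT grant and ABAC-style conditions on device, location and login hours; every name, role, label and policy value in it is a constructed assumption.

```python
"""Default-deny authorization combining MAC, RBAC, JIT elevation and ABAC."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

LEVELS = {"public": 0, "confidential": 1, "secret": 2}     # MAC labels

ROLE_PERMISSIONS = {                                        # RBAC: role -> rights
    "helpdesk": {("ticket", "read"), ("ticket", "write")},
    "dba": {("database", "read")},
}
ALLOWED_LOCATIONS = {"HQ", "VPN"}                           # location policy
LOGIN_HOURS = (time(7, 0), time(19, 0))                     # time-of-day policy


@dataclass
class Subject:
    name: str
    clearance: str
    roles: set
    location: str = "HQ"
    device_compliant: bool = True
    jit_grants: dict = field(default_factory=dict)  # (kind, action) -> expiry


@dataclass
class Resource:
    name: str
    kind: str
    label: str


def grant_jit(subject, kind, action, now, minutes=30):
    """Temporary elevation: the right exists only until the expiry time."""
    expiry = now + timedelta(minutes=minutes)
    subject.jit_grants[(kind, action)] = expiry
    return expiry


def authorize(subject, resource, action, now):
    """Return (allowed, reason). Every check must pass; otherwise deny."""
    # MAC: subject clearance must be at or above the object's label.
    if LEVELS[subject.clearance] < LEVELS[resource.label]:
        return False, "MAC: clearance below classification label"

    # RBAC with zero standing privilege for anything not in a role:
    # the right must come from a role or from an unexpired JIT grant.
    permission = (resource.kind, action)
    standing = any(permission in ROLE_PERMISSIONS.get(role, set())
                   for role in subject.roles)
    expiry = subject.jit_grants.get(permission)
    elevated = expiry is not None and now < expiry
    if not (standing or elevated):
        return False, "RBAC: no role or active JIT grant for this permission"

    # ABAC / conditional access: context attributes of this request.
    if not subject.device_compliant:
        return False, "ABAC: device fails posture check"
    if subject.location not in ALLOWED_LOCATIONS:
        return False, "location: sign-in from a non-approved location"
    if not LOGIN_HOURS[0] <= now.time() < LOGIN_HOURS[1]:
        return False, "time: outside authorized login hours"

    return True, ("allowed by role" if standing else "allowed by JIT grant")


if __name__ == "__main__":
    noon = datetime(2024, 5, 6, 12, 0)                      # constructed clock
    dana = Subject("dana", "secret", {"dba"})
    orders = Resource("orders-db", "database", "confidential")
    print(authorize(dana, orders, "read", noon))
    print(authorize(dana, orders, "write", noon))
    grant_jit(dana, "database", "write", noon, minutes=30)
    print(authorize(dana, orders, "write", noon + timedelta(minutes=10)))
    print(authorize(dana, orders, "write", noon + timedelta(minutes=31)))
```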
Identity Management
● Identity Management Exam Objectives:
○ Implementing and maintaining identity and access management.
● Authentication Provider:
○ Essential feature of an OS for user authentication.
○ Relies on cryptographic hashes for knowledge-based authentication.
● Windows Authentication:
○ Local sign-in: LSASS compares credentials to hash in SAM database.
○ Network sign-in: LSASS authenticates via Active Directory using Kerberos or
NTLM.
○ Remote sign-in: Authentication over VPN, enterprise Wi-Fi, or web portal.
● Linux Authentication:
○ Local user account info in /etc/passwd, password hash in /etc/shadow.
○ Network login via SSH; can use cryptographic keys.
○ Pluggable Authentication Module (PAM) enables different authentication
methods.
● Directory Services:
○ Store info about users, computers, security groups, etc.
○ LDAP is a common protocol for interoperability.
○ Distinguished Name (DN) uniquely identifies resources in a directory.
● Single Sign-on (SSO):
○ Authenticates once, access multiple services without re-entering credentials.
○ Kerberos is a common SSO protocol, authenticates users and services.
● Federation:
○ Extends network access to partners, suppliers, customers.
○ Trusts external networks for authentication and authorization.
● SAML (Security Assertion Markup Language):
○ Protocol for exchanging authentication and authorization data.
○ Uses XML for assertions, HTTP/HTTPS for communication.
● OAuth (Open Authorization):
○ Protocol for sharing user attributes between sites.
○ Allows linking identity to consumer sites without sharing passwords.
○ Uses JSON Web Tokens (JWTs) for claims data, supports various grant type
Secure Enterprise Network Architecture
Cloud Infrastructure
● Containerization:
○ Enforces resource separation at the operating system level.
○ Defines isolated "cells" for each user instance to run in.
○ Allocated CPU and memory resources for each container.
○ Processes run through the native OS kernel.
○ Containers may run slightly different OS distributions.
○ Docker is a well-known container virtualization product.
○ Supports microservices and serverless architecture.
○ Used in implementing corporate workspaces on mobile devices.
● Serverless Computing:
○ Cloud provider manages infrastructure and allocates resources automatically.
○ Charges only for actual usage of the application.
○ Examples include chatbots, mobile backends, IoT services.
○ Major providers include AWS, Microsoft Azure, Google Cloud.
○ Provides scalable, cost-effective infrastructure for event-driven tasks.
● Microservices:
○ Collection of small, independent services focusing on specific business
capabilities.
○ Modular design with well-defined interfaces.
○ Allows efficient development and deployment of complex applications.
○ Enables teams to work independently on different features.
○ Promises agility, scalability, and resilience.
○ Risks include integration issues and complexity.
● Infrastructure as Code (IaC):
○ Manages computing infrastructure using machine-readable definition files.
○ YAML, JSON, and HCL formats are common.
○ Automates deployment and management of infrastructure.
○ Ensures consistency and repeatability across environments.
○ Implemented using tools like Terraform.
● Load Balancing, Edge Computing, Auto-Scaling:
○ Load balancing distributes network traffic to improve performance and
availability.
○ Edge computing optimizes processing location for reduced latency.
○ Auto-scaling adjusts resources based on demand dynamically.
● Software Defined Networking (SDN):
○ Abstract model divides network functions into control, data, and management
planes.
○ SDN applications define policy decisions on the control plane.
○ Implemented through APIs interfacing with network devices.
○ Manages both physical and virtual network appliances.
○ Supports rapid deployment of virtual networking using NFV.
● Cloud Architecture Features:
○ Data replication, redundancy, and auto-scaling ensure high availability.
○ Disaster recovery, SLAs, and ISAs are critical for data protection.
○ Power efficiency, compute capabilities, and ease of deployment enhance cloud
infrastructure.
● Cloud Security Considerations:
○ Data protection, patch management, and secure communication are essential.
○ SD-WAN and SASE provide enhanced security features for cloud environments.
○ Zero trust security model and IAM are crucial for secure access.
Embedded Systems and Zero Trust Architecture
● SCADA Overview:
○ SCADA replaces control servers in large-scale ICSs.
○ Typically runs as software on ordinary computers.
○ Gathers data from and manages plant devices with embedded PLCs (field
devices).
○ Uses WAN communications like cellular or satellite to link to field devices.
● Applications of ICS/SCADA:
○ Used in energy (power generation, distribution), industrial (mining, refining),
fabrication/manufacturing, logistics, and facilities management.
○ Historically built without strong IT security, but awareness of security importance
is increasing.
● Security Concerns in ICS/SCADA:
○ Vulnerable to cyberattacks.
○ Example: Stuxnet worm targeting Iran's nuclear program.
○ NIST Special Publication 800-82 provides security control recommendations.
● Priorities in Industrial Systems:
○ Safety is paramount.
○ Prioritize availability and integrity over confidentiality (AIC triad instead of CIA
triad).
● Cybersecurity in ICS/SCADA:
○ Critical for sectors like energy, manufacturing, transportation, and water
treatment.
○ Robust cybersecurity measures like network segmentation, access controls,
intrusion detection, and encryption are essential.
● Internet of Things (IoT):
○ Refers to networked physical devices with sensors and connectivity.
○ Used in various sectors like smart homes, smart cities, healthcare, agriculture,
etc.
○ Factors driving adoption include decreased sensor costs, advances in
connectivity tech, and the COVID-19 pandemic.
● Security Risks Associated with IoT:
○ Many devices lack adequate security measures.
○ Standardization issues make security implementation challenging.
○ Large volume of data increases the risk of breaches and cyberattacks.
● Best Practices for IoT Security:
○ Recommendations from organizations like IoTSF, IIC, CSA, and ETSI.
● Zero Trust Architecture (ZTA):
○ Assumes nothing is trusted by default.
○ Requires continuous authentication and verification for all users, devices, and
applications.
○ NIST SP 800-207 defines ZTA and CISA provides a maturity model.
● Deperimeterization:
○ Shifts focus from defending network boundaries to protecting individual
resources.
○ Essential due to trends like cloud adoption, remote work, mobile devices,
outsourcing, and wireless networks.
● Key Components of Zero Trust Architecture:
○ Network and endpoint security, IAM, policy-based enforcement, cloud security,
network visibility, network segmentation, data protection, and threat
detection/prevention.
● Zero Trust Security Concepts:
○ Adaptive identity, threat scope reduction, policy-driven access control, and
device posture assessment.
● Control and Data Planes in Zero Trust Models:
○ Control plane manages policies, while data plane establishes secure sessions.
○ Separation allows for flexibility and scalability.
● Zero Trust Architecture Examples:
○ Google BeyondCorp, DoD’s JEDI cloud, Cisco Zero Trust Architecture, Palo Alto
Networks Prisma Access.
Explain Resiliency and Site Security Concepts
Asset Management
Monitoring and Asset Tracking:
● Inventory and enumeration tasks involve creating and maintaining a comprehensive list
of all assets within an organization, including hardware, software, data, and network
equipment.
● Regularly updating and verifying asset inventory helps organizations manage assets
effectively and ensures accurate information about each asset's location, owner, and
status.
● Asset monitoring includes tracking performance, security, and usage to detect potential
issues, vulnerabilities, or unauthorized access promptly.
● Proactive asset monitoring helps mitigate risks, optimize resource utilization, and ensure
compliance with regulatory requirements.
● Manual Inventory: Feasible for smaller organizations or specific asset types, involves
physically inspecting assets and recording relevant information.
● Network Scanning: Tools like Nmap, Nessus, or OpenVAS automatically discover and
enumerate networked devices, including open ports and services.
● Asset Management Software: Solutions like Lansweeper or ManageEngine
automatically discover, track, and catalog various assets, providing a centralized
dashboard for management.
● Configuration Management Database (CMDB): Centralized repository for IT
infrastructure information, managed by tools like ServiceNow or BMC Remedy.
● Mobile Device Management (MDM) Solutions: Manage mobile assets like smartphones
and tablets using solutions like Microsoft Intune or VMware Workspace ONE.
● Cloud Asset Discovery: Cloud-native or third-party tools like AWS Config or CloudAware
help discover and catalog assets deployed in the cloud.
Asset Acquisition/Procurement:
● Select hardware and software solutions with strong security features, prioritize reputable
vendors providing ongoing support.
● Integrate solutions seamlessly with existing security infrastructure like firewalls, intrusion
detection systems, or SIEM platforms.
● Assess total cost of ownership (TCO) considering initial purchase price, ongoing costs,
and potential security incidents.
● Prioritize cybersecurity during acquisition to reduce breach risk, enhance compliance,
and protect critical data and systems.
● Assets include critical resources, information, and infrastructure components that must
be protected from threats and unauthorized access.
● Identify and prioritize assets based on sensitivity and potential impact on core functions
if breached.
● Use standard naming conventions and configuration management to ensure consistency
and manageability.
● Implement ITIL framework elements for effective configuration management.
Data Backups:
● Essential for ensuring availability and integrity of critical data and systems.
● Regularly test and verify backup data to ensure reliability of recovery process.
● Enterprise backup solutions offer scalability, performance, advanced features like data
encryption and ransomware protection, and integration with various environments.
● Snapshots capture system state at a specific time, useful for VMs, filesystems, and
SANs.
● Replication creates redundant copies of data for availability and recovery.
● Journaling tracks changes to data for recovery and consistency, useful for filesystems.
● Advanced techniques like remote journaling, SAN replication, and VM replication
enhance data protection across multiple locations and systems.
Encrypting Backups:
● Sanitization and destruction processes remove sensitive information from storage media
to prevent unauthorized access.
● Certification provides verification of data destruction process compliance with industry
standards and regulations.
● Active methods like overwriting or physical destruction ensure irrecoverability of data
from storage devices.
● Proper disposal of assets at the end of lifecycle or when no longer needed minimizes
security risks and ensures compliance.
Redundancy Strategies
● Site Considerations
○ Resiliency Provisioning: Site-level resiliency is common in enterprise
environments.
○ Alternate Processing Site: Provides similar service levels and can be always
available.
○ Recovery Site: Used in emergencies, might take longer to set up.
○ Failover: Technique ensuring redundancy, quickly taking over functionality from
a failed asset.
○ Site Resiliency Levels:
■ Hot Site: Immediate failover, fully operational and updated.
■ Warm Site: Similar to hot site but requires loading latest data set.
■ Cold Site: Longer setup time, may be empty building with lease
agreement.
○ Geographic Dispersion: Distributing recovery sites across different locations to
minimize regional disaster impact.
● Cloud as Disaster Recovery (DR)
○ Cost Efficiency: Cloud providers offer affordable redundancy due to economies
of scale.
○ Scalability: Cloud services allow redundant capabilities without over-
provisioning.
○ Faster Deployment: Enables quick setup and deployment of redundant
systems.
○ Simplified Management: Cloud providers offer tools to reduce redundant
infrastructure complexity.
○ Improved Security and Compliance: Cloud providers invest heavily in security
and compliance.
● Testing Redundancy and High Availability
○ Load Testing: Validates system performance under expected or peak loads.
○ Failover Testing: Validates seamless transition between primary and secondary
infrastructure.
○ Monitoring Systems Testing: Validates effective detection and response to
failures and performance issues.
● Clustering
○ Load Balancing vs. Clustering: Load balancing distributes traffic, while
clustering allows redundant processing nodes to accept connections.
○ Active/Passive vs. Active/Active Clustering: Active/passive ensures no
performance impact during failover, while active/active utilizes maximum capacity
but may degrade performance during failover.
● Power Redundancy
○ Dual Power Supplies: Provide redundancy, can be replaced without system
shutdown.
○ Managed Power Distribution Units (PDUs): Support remote power monitoring
and integrate with UPSs.
○ Battery Backups and UPSs: Provide temporary power source during outages.
○ Generators: Provide backup power for extended periods.
● Diversity and Defense in Depth
○ Platform Diversity: Reduces risk by using multiple technologies and platforms.
○ Defense in Depth: Implements multiple layers of protection against cyber
threats.
● Vendor Diversity
○ Cybersecurity Benefits: Reduces single point of failure and promotes healthy
competition.
○ Business Resilience: Mitigates risk associated with vendor lock-in and
disruptions.
○ Innovation and Competition: Encourages innovation and ensures better value
for investments.
● Multi-Cloud Strategies
○ Cybersecurity Benefits: Diversifies risk, improves security posture, and
promotes vendor independence.
○ Business Benefits: Enhances flexibility, agility, and cost efficiency.
● Deception Technologies
○ Honeypots, Honeynets, Honeyfiles, and Honeytokens: Cybersecurity tools to
detect and defend against attacks by diverting attackers' attention and gathering
intelligence.
● Disruption Strategies
○ Active Defense: Uses tactics like bogus DNS entries, web server decoys, and
fake telemetry to raise attack cost and tie up adversary's resources.
● Testing Resiliency
○ Method of Testing: Tabletop exercises, failover tests, simulations, and parallel
processing tests.
○ Importance of Testing: Identifies vulnerabilities, evaluates recovery strategies,
and improves preparedness for real-life incidents.
● Documentation
○ Business Continuity Documentation: Covers planning, implementation, and
evaluation.
○ Test Plans, Scripts, and Results: Provide structure for testing process and
communication with stakeholders.
○ Third-Party Assessments and Certifications: Offer objective evaluation,
compliance verification, and recommendations for improvement.
Physical Security
1. Fundamental Security Concepts:
○ Physical security is integral to cybersecurity, protecting physical assets like
servers and data centers.
○ Measures include access control, surveillance, and environmental controls.
○ Effective physical security reduces the risk of unauthorized access and insider
threats.
2. Physical Security Controls:
○ Access control mechanisms include biometric scanners, smart cards, and key
fobs.
○ Surveillance systems involve video cameras, motion sensors, and alarms.
○ Environmental controls like backup power and fire suppression are crucial for
data centers.
3. Zone Implementation:
○ Zones use barriers and security mechanisms to control entry and exit points.
○ Each zone should have increasingly restrictive access.
○ Entry points to secure zones should be discreet to prevent inspection by
intruders.
4. Physical Security through Environmental Design:
○ Enhances security using non-obvious features in physical spaces.
○ Promotes safety and deters criminal activity in various settings.
5. Barricades, Fencing, and Lighting:
○ Barricades channel people through defined entry and exit points.
○ Security fencing needs to be transparent, robust, and secure against climbing.
○ Security lighting improves safety and acts as a deterrent at night.
6. Bollards and Existing Structures:
○ Bollards prevent vehicular access to restricted areas.
○ Existing structures can be adjusted for improved site layout and security.
7. Gateways, Locks, and Access Control:
○ Gateways require secure locks, which can be physical, electronic, or biometric.
○ Access control vestibules regulate entry to secure areas, preventing tailgating.
○ Access badges replace physical keys and provide access through card readers.
8. Security Guards and Cameras:
○ Surveillance enhances resilience, with guards providing visual deterrence.
○ Cameras offer cost-effective monitoring and can use AI for smart security.
○ Alarms supplement other security controls, detecting and deterring threats
effectively.
● Vulnerability Analysis:
○ Evaluates vulnerabilities for potential impact and exploitability.
○ Considers factors like ease of exploitation, potential damage, asset value, and
current threat landscape.
○ Helps prioritize remediation efforts by addressing critical vulnerabilities first.
● Remediation:
○ Mitigation techniques include patching, configuration changes, software updates,
or system replacement.
○ Compensating controls provide alternative plans when immediate remediation is
impossible.
○ Verification of successful remediation via rescanning affected systems.
● Vulnerability Feeds:
○ Updated via SCAP, facilitating sharing of intelligence data.
○ Consist of common identifiers for vulnerability descriptions.
● National Vulnerability Database (NVD):
○ Maintained by NIST, provides detailed vulnerability information.
○ Supplements CVE descriptions with additional analysis and CVSS metrics.
● CVSS (Common Vulnerability Scoring System):
○ Generates a score from 0 to 10 based on vulnerability characteristics.
○ Score bands: 0.1+ (Low), 4.0+ (Medium), 7.0+ (High), 9.0+ (Critical).
● False Positives:
○ Incorrect identification of vulnerabilities by scanners.
○ Can lead to unnecessary time and effort if not addressed.
● False Negatives:
○ Undetected vulnerabilities in scans.
○ Risk mitigated by periodic rescanning and using scanners from different vendors.
● Log Review:
○ Validates vulnerability reports by examining system and network logs.
○ Confirms vulnerability alerts and ensures accurate remediation.
Vulnerability Analysis
● Prioritization:
○ Identifies critical vulnerabilities for focused remediation efforts.
● Classification:
○ Categorizes vulnerabilities based on characteristics for clarity.
● Exposure Factor:
○ Assesses susceptibility of assets to specific vulnerabilities.
● Impacts:
○ Evaluates potential organizational impact for informed decision-making.
● Environmental Variables:
○ Includes IT infrastructure, external threat landscape, regulatory environment, and
operational practices.
● Remediation Practices:
○ Patching, cybersecurity insurance, segmentation, compensating controls,
exceptions, and exemptions.
● Validation:
○ Ensures remediation actions are implemented correctly and do not introduce new
vulnerabilities.
● Reporting:
○ Highlights existing vulnerabilities, ranks based on severity, provides
recommendations, and emphasizes timely reporting for effective remediation.
Evaluate Network Security Capabilities
● Default settings in network equipment, software, and operating systems balance ease of
use with security.
● Default configurations are often targeted by attackers due to well-documented
credentials, insecure protocols, etc.
● Hardening involves changing default settings to enhance security, typically following
published secure baselines.
● Ensure good coverage of authorized Wi-Fi access points to prevent rogue and evil twin
attacks.
● Use nonoverlapping channels in the 5 GHz band for better performance.
● Conduct site surveys to measure signal strength and interference.
● Use heat maps to optimize WAP placement and configuration.
● Configure wireless encryption settings to secure the network.
● Consider vulnerabilities and limitations of Wi-Fi Protected Setup (WPS).
● Utilize Wi-Fi Protected Access 3 (WPA3) for improved security.
● Firewalls, IDS, IPS, and web filters are essential components in network security.
● Firewalls create a barrier between trusted internal networks and untrusted external
networks, controlling incoming and outgoing traffic based on rules.
● IDS monitor network traffic for possible incidents and alert administrators.
● IPS not only detect but also prevent threats by taking automated actions like blocking
traffic.
● Web filters control access to Internet content, preventing access to malicious websites
and monitoring access to restricted sites.
● ACLs control traffic at a network interface level using packet information like
source/destination IP addresses, port numbers, and protocols.
● Firewall rules dictate how firewalls handle inbound/outbound traffic based on IP
addresses, port numbers, protocols, or application traffic patterns.
● Rules in a firewall's ACL are processed from top to bottom; specific rules are placed at
the top, and a default deny rule is typically at the end.
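● Basic principles include blocking inbound traffic from internal/private IP addresses,
blocking protocols that should only operate at the local network level, using penetration
testing to confirm the configuration, and securing the firewall hardware.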
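First-match rule processing with a final default deny, as an added example that is not part of the original notes. The rule set, addresses, and function names are constructed for illustration; the second function reports rules that can never fire because an earlier, broader rule covers them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, proto, src_ip, dst_ip, dport):
        return (
            self.proto in ("any", proto)
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == dport)
        )

    def covers(self, other):
        """True if every packet matched by `other` is also matched by self."""
        return (
            self.proto in ("any", other.proto)
            and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
            and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
            and (self.dport is None or self.dport == other.dport)
        )


# Constructed rule set for an Internet-facing interface (IPv4 only).
ACL = [
    Rule("deny",   "any", "10.0.0.0/8",  "0.0.0.0/0"),             # private source arriving from outside
    Rule("permit", "tcp", "0.0.0.0/0",   "203.0.113.10/32", 443),  # public web server
    Rule("permit", "tcp", "0.0.0.0/0",   "203.0.113.25/32", 25),   # mail relay
    Rule("permit", "tcp", "10.1.2.0/24", "203.0.113.10/32", 22),   # never reached: rule 0 matches first
    Rule("deny",   "any", "0.0.0.0/0",   "0.0.0.0/0"),             # explicit default deny
]


def evaluate(acl, proto, src_ip, dst_ip, dport):
    """Return (action, rule index) for the first matching rule, top to bottom."""
    for index, rule in enumerate(acl):
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, index
    return "deny", None  # implicit deny when the list has no catch-all rule


def shadowed_rules(acl):
    """Indexes of rules that cannot fire because an earlier rule covers them."""
    return [
        j for j, later in enumerate(acl)
        if any(earlier.covers(later) for earlier in acl[:j])
    ]


if __name__ == "__main__":
    print(evaluate(ACL, "tcp", "198.51.100.7", "203.0.113.10", 443))
    print(evaluate(ACL, "tcp", "10.1.2.5", "203.0.113.10", 22))
    print("shadowed:", shadowed_rules(ACL))
```

Running the shadow check before deploying a rule change catches ordering mistakes that a packet-by-packet test would only find by luck.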
Screened Subnet:
● Acts as a neutral zone between an organization's internal network and the Internet,
separating public-facing servers from sensitive internal resources.
● Hosts web, email, DNS, or FTP services accessible from the Internet but isolated from
internal systems to limit damage from breaches.
● Firewalls control traffic to/from the screened subnet, providing an additional layer of
protection.
IDS/IPS Tools:
Web Filtering:
Monitoring:
Configuration Enforcement:
Group Policy:
SELinux:
Hardening Techniques:
Decommissioning:
● Secure process for retiring devices to prevent data exposure.
● Involves data sanitization, resetting to factory settings, and updating inventory records.
● Unique hardening strategies for industrial control systems, embedded systems, real-time
operating systems, and IoT devices.
● Involves network segmentation, authentication, secure coding, and compliance with
security standards and certifications.
Code Signing:
Application Protections:
Monitoring Capabilities:
Software Sandboxing:
● Isolates processes, prevents access to system.
● Implemented in web browsers, operating systems, virtual machines.
These study notes cover the essential concepts and techniques for understanding cloud and
web application security, including secure coding practices, input validation, secure cookies,
static code analysis, code signing, application protections, monitoring capabilities, and software
sandboxing.
Incident Response
Incident Response and Monitoring Concepts
Detection:
Analysis:
Impact:
Category:
Playbooks:
Containment:
Lessons Learned:
Threat Hunting:
Digital Forensics
1. Introduction to Digital Forensics:
○ Digital forensic analysis involves examining evidence gathered from computer
systems and networks.
○ Purpose: Uncover relevant information such as deleted files, timestamps, user
activity, and unauthorized traffic.
2. Incident Response Activities:
○ Importance of digital forensic analysis in incident response.
○ Processes and tools for acquiring digital evidence.
○ Documentation is critical for collecting, preserving, and presenting valid digital
evidence.
3. Due Process and Legal Hold:
○ Digital forensics for prosecuting crimes, especially insider threats like fraud or
misuse of equipment.
○ Importance of due process and procedural safeguards to ensure fairness.
○ Legal hold: Preservation of information relevant to a court case, including
electronic records.
4. Acquisition of Digital Evidence:
○ Process of obtaining a forensically clean copy of data from seized devices.
○ Impact of legality on acquisition, especially regarding BYOD policies.
○ Order of volatility for evidence collection: CPU cache, system memory, mass
storage, remote logging, physical configuration.
5. System Memory Acquisition:
○ Importance of volatile data from RAM.
○ Tools and methods for capturing system memory, such as memory dumps.
6. Disk Image Acquisition:
○ Acquiring data from nonvolatile storage like hard drives, SSDs, and optical
media.
○ Live acquisition vs. static acquisition methods.
○ Imaging tools for bit-level copies of storage media.
7. Preservation of Digital Evidence:
○ Ensuring the integrity of evidence by avoiding alterations during acquisition.
○ Use of write blockers to prevent changes to source data or metadata.
8. Evidence Integrity and Non-Repudiation:
○ Cryptographic hashing to ensure data integrity.
○ Chain of custody documentation to establish proper handling and integrity of
evidence.
9. Reporting in Digital Forensics:
○ Ethical principles in analysis: unbiased, repeatable methods, minimal
manipulation of evidence.
○ Importance of strong documentation and reporting to withstand legal scrutiny.
10. E-Discovery:
○ Filtering relevant evidence from forensic examinations.
○ Functions of e-discovery tools: de-duplication, search, tagging, security,
disclosure.
Data Sources
1. Introduction to Metadata:
○ Metadata is data about data, including properties like creation time, author, and
permissions.
○ It is crucial for establishing timelines and providing evidence in incident
investigations.
2. File Metadata:
○ Attributes stored by the file system include creation, access, and modification
times.
○ Security attributes like read-only or hidden, and permissions represented by
ACLs.
○ Extended attributes can include author information, copyright details, or tags for
indexing.
3. Social Media Metadata:
○ Metadata uploaded to social media can reveal unintended information like
location and time.
4. Web Metadata:
○ Web servers return resource properties via headers in response to client
requests.
○ Headers can include authorization information, data type (text or binary), and
may be logged by servers.
5. Email Metadata:
○ Email headers contain sender, recipient, and transmission details handled by
mail agents.
○ Mail user agents (MUAs) create initial headers, mail delivery agents (MDAs) add
or amend headers, and message transfer agents (MTAs) route messages.
○ Headers can contain additional information added by each MTA along the
delivery path.
6. Viewing and Analyzing Metadata:
○ Headers are not typically exposed to users but can be viewed via message
properties or a view-source command.
○ MTAs add detailed information to headers, making them difficult to read in plaintext.
○ Tools like Message Analyzer can parse and display headers in a structured
format, showing the delivery path and added headers.
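Reconstructing the delivery path from the Received headers described under Email Metadata, as an added example that is not part of the original notes. The message, host names, and addresses are constructed, and the parsing assumes the common "from ... by ...; date" layout.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message. Each MTA prepends its own Received header, so the
# topmost header is the most recent hop and the bottom one is the first.
RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.20])
\tby mail.example.org with ESMTPS id c3; Tue, 05 Mar 2024 10:00:09 -0500
Received: from relay.example.com (relay.example.com [203.0.113.5])
\tby mx.example.net with ESMTP id b2; Tue, 05 Mar 2024 15:00:04 +0000
Received: from laptop.example.com (unknown [192.0.2.44])
\tby relay.example.com with ESMTPSA id a1; Tue, 05 Mar 2024 16:00:01 +0100
From: Alice <alice@example.com>
To: Bob <bob@example.org>
Subject: Quarterly report
Message-ID: <constructed-1@example.com>

Body text.
"""

HOP_RE = re.compile(r"from\s+(?P<sender>\S+).*?\bby\s+(?P<receiver>\S+)")
IP_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def delivery_path(raw_message):
    """Return the hops oldest-first with UTC timestamps and per-hop delay."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        info, _, stamp = flat.rpartition(";")   # the date follows the last ';'
        match = HOP_RE.search(info)
        if not match:
            continue                            # unexpected layout: skip, do not guess
        try:
            when = parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)
        except (TypeError, ValueError):
            continue                            # unparseable date
        ip = IP_RE.search(info)
        hops.append({
            "from": match.group("sender"),
            "by": match.group("receiver"),
            "ip": ip.group(1) if ip else None,
            "utc": when,
        })
    previous = None
    for hop in hops:
        hop["delay_s"] = 0 if previous is None else int((hop["utc"] - previous).total_seconds())
        previous = hop["utc"]
    return hops


if __name__ == "__main__":
    for hop in delivery_path(RAW):
        print(f'{hop["utc"]:%H:%M:%S}Z  {hop["from"]} [{hop["ip"]}] -> {hop["by"]}  (+{hop["delay_s"]}s)')
```

Only the headers added by MTAs you control are trustworthy; anything below the first of those was supplied by the sending side and can be forged.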
Alerting and Monitoring Tools
Agent-Based and Agentless Collection:
1. Agent-based Collection:
○ Involves installing an agent service on each host.
○ Events on the host are logged, filtered, aggregated, and sent to the SIEM server
for analysis.
○ Typically used for Windows/Linux/macOS computers.
2. Listener/Collector:
○ Hosts push log changes to the SIEM server without installing an agent.
○ Used for devices like switches, routers, and firewalls.
○ Uses Syslog protocol for forwarding logs to SIEM.
3. Sensor:
○ Collects packet captures and traffic flow data.
○ Utilizes sniffer tools via mirror port functionality or network tap.
Log Aggregation:
1. Normalization:
○ Interprets data from various systems for consistency and searchability.
○ SIEM features connectors or plug-ins for different systems.
○ Requires parsers for each data source to map attributes to standard fields.
2. Date/Time Normalization:
○ Ensures consistency across different time zones to establish a single timeline.
1. Alerting:
○ SIEM runs correlation rules on extracted indicators to detect potential incidents.
○ Correlation involves interpreting relationships between data points.
○ Correlation rules use logical expressions and operators to define conditions.
○ Threat intelligence feeds associate collected data with known threat indicators.
2. Incident Response:
○ Includes analysis, containment, eradication, and recovery steps.
○ Validation during analysis confirms true positives.
○ Quarantine isolates the source of indicators.
3. Reporting:
○ Provides insight into security system status.
○ Formats tailored for different audiences like executives, managers, and
compliance regulators.
○ Metrics include authentication data, patch status, incident statistics, and trend
reporting.
4. Archiving:
○ Retains historical log and network traffic data.
○ Supports retrospective incident and threat hunting, as well as compliance requirements.
○ Requires a retention policy to manage data volume and SIEM performance.
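Normalization, date/time normalization, and a correlation rule from the Log Aggregation and Alerting items above, as an added example that is not part of the original notes. The log lines, field names, the UTC-5 source offset, and the rule thresholds are all constructed assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data. web01 logs local time (UTC-5) with no year or zone,
# as classic syslog timestamps do; vpn01 logs ISO 8601 with an explicit offset.
SYSLOG_LINES = [
    "Mar  5 09:59:40 web01 sshd[311]: Failed password for alice from 198.51.100.23 port 50122 ssh2",
    "Mar  5 09:59:55 web01 sshd[311]: Failed password for alice from 198.51.100.23 port 50124 ssh2",
    "Mar  5 10:00:01 web01 sshd[340]: Failed password for bob from 192.0.2.9 port 40100 ssh2",
    "Mar  5 10:00:05 web01 sshd[311]: Failed password for alice from 198.51.100.23 port 50130 ssh2",
]
JSON_LINES = [
    '{"time": "2024-03-05T15:00:10+00:00", "device": "vpn01", "account": "alice",'
    ' "client": "198.51.100.23", "result": "success"}',
    '{"time": "2024-03-05T15:00:20+00:00", "device": "vpn01", "account": "bob",'
    ' "client": "192.0.2.9", "result": "success"}',
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_sshd(line, year, utc_offset_hours):
    """Parser for the sshd source: map its attributes to the standard fields."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    local = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    zone = timezone(timedelta(hours=utc_offset_hours))
    return {
        "ts": local.replace(tzinfo=zone).astimezone(timezone.utc),
        "host": m["host"], "user": m["user"], "src_ip": m["ip"],
        "outcome": "failure" if m["result"] == "Failed" else "success",
    }


def parse_vpn(line):
    """Parser for the JSON source: different field names, same standard fields."""
    rec = json.loads(line)
    return {
        "ts": datetime.fromisoformat(rec["time"]).astimezone(timezone.utc),
        "host": rec["device"], "user": rec["account"], "src_ip": rec["client"],
        "outcome": rec["result"],
    }


def normalize():
    events = [parse_sshd(line, 2024, -5) for line in SYSLOG_LINES]
    events += [parse_vpn(line) for line in JSON_LINES]
    return [e for e in events if e]


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: >= threshold failures from one source, then a success, within the window."""
    alerts, failures = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):    # single UTC timeline
        recent = [t for t in failures.get(ev["src_ip"], []) if ev["ts"] - t <= window]
        if ev["outcome"] == "failure":
            failures[ev["src_ip"]] = recent + [ev["ts"]]
            continue
        if len(recent) >= threshold:
            alerts.append({"src_ip": ev["src_ip"], "user": ev["user"],
                           "host": ev["host"], "failures": len(recent), "ts": ev["ts"]})
        failures[ev["src_ip"]] = []                     # a success resets the counter
    return alerts


if __name__ == "__main__":
    for alert in correlate(normalize()):
        print(alert)
```

Without the offset correction the web01 failures would sort five hours before the vpn01 success and the rule would never fire.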
1. Alert Tuning:
○ Reduces false positives to avoid alert fatigue.
○ Techniques include refining detection rules, redirecting alerts, and continuous
monitoring.
○ False negatives are also addressed to prevent overlooking threats.
2. Monitoring Infrastructure:
○ Uses managerial reports for day-to-day monitoring of computer resources and
network infrastructure.
○ Network monitors collect data about network infrastructure appliances for status
monitoring.
○ NetFlow provides flow data analysis for network traffic metadata.
● Viruses and worms evolved from destructive replication to facilitating intrusion, fraud,
and data theft.
● Tracking cookies record web activity, IP addresses, search queries, etc., while
supercookies and beacons track covertly.
● Adware alters browser settings, inserts ads, and changes search providers.
● Spyware monitors application activity, captures screenshots, and activates recording
devices like microphones.
● Keyloggers record keystrokes to steal confidential information like passwords and credit
card data.
● The Metasploit Meterpreter tool can be used to dump keystrokes from victim machines.
● Backdoors provide unauthorized access, while Remote Access Trojans (RATs) operate
covertly for administrative control.
● Compromised hosts may have bots, forming botnets used for DDoS attacks, spam, or
cryptomining.
● RATs connect to a command and control (C&C) host for remote control, often using
covert channels like IRC or HTTPS/DNS.
Rootkits:
● Trojans requiring user execution inherit user privileges; gaining admin privileges needs
UAC confirmation.
● Rootkits operate at the system level, concealing themselves as legitimate processes,
files, or services.
● Some rootkits exploit vulnerabilities to gain SYSTEM privileges or reside in firmware for
persistence.
● Sandboxes isolate and analyze suspicious code; resource consumption, file system
changes, and account compromise indicate malicious activity.
● Access denial, resource inaccessibility, and suspicious account behavior like lockouts or
impossible travel suggest a security breach.
● Threat actors may attempt to cover their tracks by deleting or altering logs, leading to
missing or manipulated log entries.
Physical and Network Attack Indicators
● ARP Poisoning Attack:
○ Targets subnet's default gateway.
○ If successful, attacker intercepts traffic destined for remote networks.
○ Implemented through ARP poisoning to perform on-path attack.
● DNS Attacks:
○ Exploit weaknesses in Domain Name System (DNS).
○ Various types: typosquatting, DRDoS, DoS against public DNS services, DNS
server hijacking.
○ DNS poisoning compromises name resolution process.
○ Methods: on-path attacks, DNS client cache poisoning, DNS server cache
poisoning.
● Wireless Attacks:
○ Rogue Access Points:
■ Unauthorized access points installed on the network.
■ Can be malicious or accidental.
■ Evil twin mimics legitimate access point to deceive users.
○ Wireless Denial of Service:
■ Disrupts wireless networks using interference or spoofed frames.
○ Wireless Replay and Key Recovery:
■ Exploits lack of encryption in management frame traffic.
■ Disassociation attacks disconnect clients.
■ Aimed at recovering network keys.
● Password Attacks:
○ Online Attacks:
■ Interact directly with authentication service.
■ Mitigated by limiting login attempts.
○ Offline Attacks:
■ Exploit obtained password hashes.
■ Utilize packet sniffers or access to password databases.
○ Brute Force, Dictionary, Hybrid Attacks:
■ Attempt every combination or use dictionary words.
○ Password Spraying:
■ Tries common passwords with multiple usernames.
● Credential Replay Attacks:
○ Target Windows Active Directory networks.
○ Exploit cached credentials to gain access to other hosts.
○ Types: pass the hash, golden ticket, silver ticket attacks.
● Cryptographic Attacks:
○ Downgrade Attacks:
■ Forces use of weaker protocols or ciphers.
○ Collision Attacks:
■ Exploits weak hashing functions to create same hash for different inputs.
○ Birthday Attacks:
■ Exploits collisions in hash functions through brute force.
● Malicious Code Indicators:
○ Types of malicious activity: shellcode, credential dumping, pivoting/lateral
movement, persistence.
○ Indicators found in endpoint protection software or network logs.
○ Malware interacts with network, file system, and registry.
Application Attack Indicators
1. Application Attacks Overview:
○ Application attacks target vulnerabilities in OS or application software.
○ Vulnerabilities can lead to compromised security systems or application crashes.
○ Main scenarios: compromising OS or third-party apps, compromising website or
web application security.
2. Indicators of Application Attacks:
○ Increased application crashes/errors can indicate exploitation attempts.
○ Anomalous CPU, memory, storage, or network utilization can also be indicators.
○ Indicators may be found in system logs or application-specific logs.
3. Privilege Escalation:
○ Goal: Allow threat actors to run their own code on the system.
○ Types: Vertical (elevation) and horizontal privilege escalation.
○ Indicators: Process logging, audit logs, incident response, and endpoint
protection agents.
4. Buffer Overflow:
○ Exploits vulnerabilities by overwriting data in a buffer.
○ Common vulnerability: stack overflow.
○ Mitigation: Address Space Layout Randomization (ASLR) and Data Execution
Prevention (DEP).
5. Replay Attacks:
○ Exploit session mechanisms like cookies.
○ Session token identification and exploitation.
6. Forgery Attacks:
○ CSRF: Exploits cookies for unauthorized actions.
○ SSRF: Causes server to process arbitrary requests targeting other services.
7. Injection Attacks:
○ Exploits insecure application request processing.
○ Types include XML Injection, LDAP Injection, Directory Traversal, and Command
Injection.
8. URL Analysis:
○ HTTP request structure and methods.
○ Percent encoding and its misuse for obfuscation.
○ Web server logs as indicators of attacks, including status codes and HTTP
header information.
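Detection logic for the URL Analysis item above, run over web server log lines: it undoes repeated percent encoding before matching and uses the status code to separate attempts from requests the server actually served. This is an added example that is not part of the original notes; the log lines, indicator names, and function names are constructed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format.
ACCESS_LOG = [
    '192.0.2.10 - - [05/Mar/2024:15:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.23 - - [05/Mar/2024:15:01:07 +0000] '
    '"GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 312',
    '198.51.100.23 - - [05/Mar/2024:15:01:09 +0000] '
    '"GET /static/%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1" 200 1843',
    '192.0.2.11 - - [05/Mar/2024:15:01:15 +0000] "GET /search?q=100%25%20cotton HTTP/1.1" 200 2210',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# ".." as a whole path segment, after a separator or a parameter's "=".
TRAVERSAL_RE = re.compile(r"(?:^|[\\/=])\.\.(?:[\\/]|$)")


def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def analyze(lines):
    """Return one finding per log line whose request target shows an indicator."""
    findings = []
    for number, line in enumerate(lines):
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line in the expected format
        decoded, rounds = fully_decode(m["target"])
        indicators = []
        if TRAVERSAL_RE.search(decoded):
            indicators.append("path-traversal")
        if rounds >= 2:
            indicators.append("multi-encoded")   # encoding layered to slip past filters
        if indicators:
            findings.append({
                "line": number,
                "ip": m["ip"],
                "decoded": decoded,
                "rounds": rounds,
                "indicators": indicators,
                "served": m["status"].startswith("2"),   # 2xx: content was returned
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(ACCESS_LOG):
        print(finding)
```

A finding with `served` set deserves attention first, because the server returned content rather than an error for the decoded path.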
Summarize Security Governance Concepts
1. Importance of Standards
○ Stakeholders influence standards choice.
○ Standards reflect dedication to quality, security, reliability.
○ Strategic selection based on legal, business, risk management, and stakeholder
needs.
○ Adoption impacts operations; appropriate selection enhances effectiveness.
2. Industry Standards
○ ISO/IEC 27001, 27002, 27017, 27018.
○ NIST Special Publication 800-63.
○ PCI DSS.
○ FIPS.
○ Audit compliance and security practices; assess adherence and identify gaps.
3. Internal Standards
○ Password standards: hashing, salting, transmission, reset, managers.
○ Access control standards: models, verification, privilege management,
authentication, session management, audit trails.
4. Physical Security Standards
○ Building, workstation, datacenter security.
○ Equipment disposal, visitor management.
5. Encryption Standards
○ Algorithms, key length, management.
6. Legal Environment
○ Governance committees ensure compliance with laws and regulations.
○ Legislation examples: Sarbanes-Oxley Act, Computer Security Act, Federal
Information Security Management Act.
○ International laws like GDPR and CCPA protect privacy globally.
7. Global Law
○ Laws like GDPR and CCPA have international reach.
○ GDPR emphasizes informed consent, data subject rights.
○ CCPA empowers California residents with data control rights.
8. Regulations and Laws
○ National, local, regional laws vary; compliance essential.
○ Examples: HIPAA, GLBA, FISMA, Data Protection Act, PIPEDA, IT Act.
9. Industry-Specific Regulations
○ Examples across healthcare, finance, telecommunications, energy, education,
government sectors.
○ Compliance ensures industry-specific data protection.
10. Governance and Accountability
○ Ensures compliance with laws and regulations.
○ Continuous monitoring, evaluation, and updating essential.
○ Governance boards, committees crucial for oversight.
11. Centralized vs. Decentralized Governance
○ Centralized: unified decision-making; standardized practices.
○ Decentralized: localized decision-making; adaptability.
○ Hybrid models combine elements for flexibility and standardization.
12. Government Entities and Groups
○ Regulatory, intelligence, law enforcement, defense agencies involved.
○ Data protection authorities enforce regulations.
○ National cybersecurity agencies focus on critical infrastructure protection.
13. Data Governance Roles
○ Owner: strategic guidance.
○ Controller: legal and regulatory compliance.
○ Processor: secure data handling.
○ Custodian: implementation and enforcement of security controls.
Change Management
Study Notes on Change Management:
● Allow lists: Approved changes exempt from full change management process.
● Deny lists: Explicitly blocked changes requiring full change management process.
● Ensure control over authorized and unauthorized changes.
● Critical tools in modern IT operations for streamlining processes and enhancing security.
● Enhances security governance by enforcing policies consistently.
● Aids in change management by reducing implementation time and providing audit trails.
3. Capabilities of Automation:
● Provisioning: Automating user and resource provisioning tasks to reduce manual effort
and errors.
● Guardrails and Security Groups: Automating monitoring and enforcement of security
policies.
● Ticketing: Automating incident detection, ticket generation, routing, and escalation
procedures.
● Service Management: Automating routine tasks to free up time for strategic analysis.
● Continuous Integration and Testing: Automation improves code quality and accelerates
development cycles.
● Application Programming Interfaces (APIs): Automation orchestrates interactions
between software systems.
● Proactive and systematic approaches to identify, assess, prioritize, and mitigate risks.
● Risk mitigation involves reducing exposure to or the effects of risk factors.
● Risk Deterrence/Reduction: Controls to make risk incidents less likely or less costly.
● Avoidance: Stopping the activities that cause risk, though this is rarely a credible option.
● Risk Transference: Assigning risk to a third party, such as through insurance.
● Risk Acceptance/Tolerance: No countermeasures are put in place because the level of
risk does not justify them.
● Risk Exceptions/Exemptions: Formal recognition of risks that cannot be mitigated within
specified conditions.
● Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO), Work Recovery
Time (WRT), Recovery Point Objective (RPO).
● Mean Time to Repair (MTTR) and Mean Time Between Failures (MTBF) as KPIs for
system reliability and efficiency.
Vendor Management Concepts
● Vendor Management Concepts:
○ Third-party risk assessment involves:
■ Vendor due diligence.
■ Risk identification and assessment.
■ Ongoing monitoring.
■ Incident response planning.
○ Vendor due diligence includes evaluating:
■ Security practices.
■ Financial stability.
■ Regulatory compliance.
■ Reputation.
○ Risk identification and assessment involve:
■ Identifying potential risks.
■ Assessing impact on operations, data, and reputation.
○ Ongoing monitoring ensures:
■ Vendors maintain security controls.
■ Adhere to contractual obligations.
■ Promptly address identified risks or vulnerabilities.
○ Critical in risk management to:
■ Identify, assess, and mitigate risks.
■ Implement robust assessment processes.
■ Maintain regulatory compliance.
■ Foster a safe operational environment.
● Vendor Selection:
○ Systematically evaluate potential vendors.
○ Steps include:
■ Identifying risk criteria.
■ Conducting due diligence.
■ Selecting vendors based on risk profile.
○ Aims to identify and mitigate risks related to:
■ Financial stability.
■ Operational reliability.
■ Data security.
■ Regulatory compliance.
■ Reputation.
○ Select vendors aligning with:
■ Organization’s risk tolerance.
■ Effective risk management capability.
● Third-Party Vendor Assessment:
○ External entities providing goods, services, or technology.
○ Offer specialized expertise and support.
○ Range from technology providers to suppliers.
○ Bring efficiency, cost-effectiveness, and innovation.
○ Introduce potential risks:
■ Access to sensitive data.
■ Infrastructure.
■ Critical processes.
○ Proper assessment ensures adherence to security standards, compliance, and
fulfillment of obligations.
Audits and Assessments
1. Purpose of Audits and Assessments:
○ Ensure operations align with standards, policies, and regulations.
○ Identify gaps and provide recommendations for improvement.
○ Enhance security measures by assessing effectiveness and efficiency.
2. Attestation and Assessments:
○ Attestation verifies security controls' accuracy and compliance.
○ Independent examination assures stakeholders of security measures.
3. Internal vs. External Assessments:
○ Internal assessments by employees ensure continuous improvement.
○ External assessments by third-party providers offer impartial evaluation.
○ Both methods complement each other for comprehensive evaluation.
4. Internal Assessment Approaches:
○ Compliance Assessment: Ensures alignment with laws, regulations, and policies.
○ Audit Committee: Provides oversight and assurance on financial practices.
○ Self-Assessment: Allows for internal evaluation of performance and practices.
5. External Assessment Approaches:
○ Regulatory Assessments: Ensure compliance with laws and industry standards.
○ Examination: Independent evaluation of financial statements and controls.
○ Assessment: Broad evaluation of performance, practices, and capabilities.
○ Third-Party Audit: Objective assessment by external entities for compliance.
Personnel Policies
● Personally Owned Devices in the Workplace:
○ Portable devices like smartphones, USB sticks, etc., pose security threats due to
easy file copying and potential camera/voice recording functions.
○ Solutions like network access control, endpoint management, and data loss
prevention can help prevent attachment of such devices to corporate networks.
○ Companies may struggle to enforce policies against bringing personal devices
onsite.
○ Unauthorized use of personal software (shadow IT) can lead to security
vulnerabilities and legal liabilities for the organization.
● Clean Desk Policy:
○ Requires employees to keep their work areas free from documents to prevent
unauthorized access to sensitive information.
● User and Role-Based Training:
○ Essential for ensuring users understand security policies, incident reporting, site
security procedures, data handling, password/account management, social
engineering threats, etc.
○ Training should be tailored to different job roles' security requirements and levels
of expertise.
● Training Topics and Techniques:
○ Use a variety of techniques like workshops, one-on-one instruction,
computer-based training, videos, etc., to improve engagement and retention.
○ Computer-based training can include simulations and branching scenarios to
practice cybersecurity tasks.
● Critical Elements for Security Awareness Training:
○ Includes policy training, situational awareness, insider threat education,
password management, and training on handling removable media and cables.
○ Also covers social engineering tactics, operational security, and training for
hybrid/remote work environments.
● Phishing Campaigns:
○ Simulated phishing attacks are used to raise awareness about phishing risks
among employees.
○ Training helps employees recognize and respond effectively to phishing
attempts, reducing the likelihood of data breaches.
● Anomalous Behavior and Recognizing Risky Behaviors:
○ Training focuses on identifying unusual actions or patterns that could indicate
security threats.
○ Employees learn to recognize and report risky, unexpected, and unintentional
behaviors that could lead to security incidents.
● Security Awareness Training Lifecycle:
○ Follows stages of assessing security needs, planning, development, delivery,
evaluation, reinforcement, and monitoring/adaptation to ensure effectiveness.
● Development and Execution of Training:
○ Emphasizes creating engaging materials, incorporating real-world examples, and
facilitating discussions to enhance learning.
● Reporting and Monitoring:
○ Methods include assessments, incident reporting analysis, phishing simulations,
observations/feedback, and tracking metrics like training completion rates.