CompTIA Security+ (601

Minha conta de acesso ao corp.local: bob_net:98765

and 701) Study Notes

Share, don't be selfish, don't think only of yourself.

Contents
Compare and Contrast Information Security Roles ...................................................................... 5
Compare and Contrast Security Control and Framework Types .................................................. 6
Explain Threat Actor Types and Attack Vectors ........................................................................... 7
Explain Threat Intelligence Sources ............................................................................................. 8
Assess Organizational Security with Network Reconnaissance Tools ....................................... 10
Explain Security Concerns with General Vulnerability Types ..................................................... 12
Summarize Vulnerability Scanning Techniques .......................................................................... 13
Explain Penetration Testing Concepts ........................................................................................ 15
Identifying Social Engineering and Malware ............................................................................... 16
Compare and Contrast Social Engineering Techniques ............................................................. 16
Analyze Indicators of Malware-Based Attacks ............................................................................ 18
Summarizing Basic Cryptographic Concepts .............................................................................. 20
Compare and Contrast Cryptographic Ciphers ........................................................................... 20
Summarize Cryptographic Modes of Operation .......................................................................... 22
Summarize Cryptographic Use Cases and Weaknesses Cryptographic Concepts .................... 24
Summarize Other Cryptographic Technologies .......................................................................... 26
Implementing Public Key Infrastructure Implement Certificates and Certificate Authorities ....... 28
Implement Certificates and Certificate Authorities ...................................................................... 31
Implement PKI Management ...................................................................................................... 33
Implementing Authentication Controls ........................................................................................ 34
Summarize Authentication Design Concepts .............................................................................. 34
Implement Knowledge-Based Authentication ............................................................................. 35
Implement Authentication Technologies ..................................................................................... 37
Summarize Biometrics Authentication Concepts ........................................................................ 39
Implementing Identity and Account Management Controls ........................................................ 41
Implement Identity and Account Types ....................................................................................... 41
Implement Account Policies ........................................................................................................ 43
Implement Authorization Solutions ............................................................................................. 45
Explain the Importance of Personnel Policies ............................................................................. 47
Implementing Secure Network Designs ...................................................................................... 48
Implement Secure Network Designs ........................................................................................... 48
Implement Secure Switching and Routing .................................................................................. 50
Implement Secure Wireless Infrastructure .................................................................................. 52
Implement Load Balancers ......................................................................................................... 54
Implementing Network Security Appliances ................................................................................ 56
Implement Firewalls and Proxy Servers ..................................................................................... 56
Implement Network Security Monitoring ..................................................................................... 58
Summarize the Use of SIEM ....................................................................................................... 59
Implementing Secure Network Protocols .................................................................................... 60
Implement Secure Network Operations Protocols ...................................................................... 60
Implement Secure Application Protocols .................................................................................... 62
Implement Secure Remote Access Protocols ............................................................................. 63
Implementing Host Security Solutions ........................................................................................ 65
Implement Secure Firmware ....................................................................................................... 65
Implement Endpoint Security ...................................................................................................... 67
Explain Embedded System Security Implications ....................................................................... 69
Implementing Secure Mobile Solutions Implement Mobile Device Management ....................... 71
Implement Secure Mobile Device Connections .......................................................................... 73
Summarizing Secure Application Concepts ................................................................................ 75
Analyze Indicators of Application Attacks ................................................................................... 75
Analyze Indicators of Web Application Attacks ........................................................................... 77
Summarize Secure Coding Practices Introduction to Secure Coding Practices: ........................ 79
● Understanding secure application development, deployment, and automation concepts. . 79
● Integration of security into development processes for effective DevSecOps. ................... 79
Secure Coding Techniques: ........................................................................................................ 79
● Emphasizing security considerations in new programming technologies before
deployment. ................................................................................................................................ 79
● Modern development practices incorporate security development life cycles alongside
functionality and usability. .......................................................................................................... 79
● Examples: Microsoft's SDL, OWASP SAMM, Security Knowledge Framework, and OWASP
Top 10. ........................................................................................................................................ 79
Input Validation: .......................................................................................................................... 79
● Key practice to mitigate attacks exploiting faulty input. ..................................................... 79
● Includes user data input, URLs, or HTTP headers. .............................................................. 79
● Mitigation involves documenting input methods and rejecting non-conforming input. ...... 79
Normalization and Output Encoding: .......................................................................................... 79
● Normalization ensures input string conformity before processing. .................................... 79
● Output encoding ensures safe re-encoding of strings for different contexts, preventing
attacks like XSS. ......................................................................................................................... 79
Server-Side versus Client-Side Validation: ................................................................................... 79
● Applications can perform validation locally (client-side) or remotely (server-side). ............ 79
● Server-side validation is essential for comprehensive security, despite potential time
constraints. ................................................................................................................................. 79
Web Application Security: ........................................................................................................... 79
● Focus on secure cookies and HTTP response header security options. ............................. 79
● Parameters for SetCookie header and security options for response headers. .................. 79
Data Exposure and Memory Management: ................................................................................. 79
● Protecting privileged data transmission with cryptography. ............................................... 79
● Implementing error handling and structured exception handling to prevent code execution
vulnerabilities. ............................................................................................................................. 79
Secure Code Usage: .................................................................................................................... 79
● Practices including code reuse, third-party libraries, SDKs, and stored procedures. ........... 80
● Monitoring and patching vulnerabilities in external code sources. ..................................... 80
Unreachable Code and Dead Code: ............................................................................................. 80
● Identifying and removing unreachable code to maintain application integrity. ................... 80
● The importance of code maintenance and removal of dead code to prevent misuse. ........ 80
Obfuscation/Camouflage: ........................................................................................................... 80
● Use of obfuscators to obscure code for security purposes, making reverse engineering
difficult. ....................................................................................................................................... 80
Static and Dynamic Code Analysis: ............................................................................................. 80
● Static code analysis for identifying vulnerabilities in source code. ..................................... 80
● Human and dynamic analysis to identify runtime vulnerabilities and stress test
applications................................................................................................................................. 80
Implement Secure Script Environments ...................................................................................... 81
Summarize Deployment and Automation Concepts Agile Methodologies and Continuous
Integration/Deployment: .............................................................................................................. 83
Implementing Secure Cloud Solutions ........................................................................................ 85
Summarize Secure Cloud and Virtualization Services ................................................................ 85
Apply Cloud Security Solutions ................................................................................................... 87
Summarize Infrastructure as Code Concepts ............................................................................. 89
Explaining Data Privacy and Protection Concepts ...................................................................... 91
Explain Privacy and Data Sensitivity Concepts .......................................................................... 91
Explain Privacy and Data Protection Controls ............................................................................ 93
Performing Incident Response .................................................................................................... 95
Summarize Incident Response Procedures ................................................................................ 95
Utilize Appropriate Data Sources for Incident Response ............................................................ 96
Apply Mitigation Controls ............................................................................................................ 98
Explaining Digital Forensics ...................................................................................................... 100
Explain Key Aspects of Digital Forensics Documentation ........................................................ 100
Explain Key Aspects of Digital Forensics Evidence Acquisition ............................................... 102
Summarizing Risk Management Concepts ............................................................................... 104
Explain Risk Management Processes and Concepts ............................................................... 104
Explain Business Impact Analysis Concepts ............................................................................ 106
Implementing Cybersecurity Resilience .................................................................................... 107
Implement Redundancy Strategies ........................................................................................... 107
Implement Backup Strategies ................................................................................................... 108
Implement Cybersecurity Resiliency Strategies ........................................................................ 110
Explaining Physical Security ..................................................................................................... 112
Explain the Importance of Physical Site Security Controls ....................................................... 112
Explain the Importance of Physical Host Security Controls ...................................................... 114

Compare and Contrast Information Security Roles

● Information Security Fundamentals: Information security (infosec) involves
safeguarding data from unauthorized access, damage, or theft. It encompasses
the principles of confidentiality, integrity, and availability (CIA triad), along with
non-repudiation.
● Cybersecurity Framework: The National Institute of Standards and Technology
(NIST) outlines five functions of cybersecurity: Identify, Protect, Detect, Respond,
and Recover.
 ● Information Security Competencies: Professionals in security roles need diverse
skills, such as risk assessment, system configuration, incident response, and
business continuity planning.
● Information Security Roles and Responsibilities: Organizations establish security
policies to protect sensitive data and resources. Roles may include security
directors, managers, technical staff, and non-technical employees, each with
specific responsibilities.
● Information Security Business Units: Security operations centers (SOCs) monitor
and protect critical assets, while DevSecOps integrates security into the
development process. Incident response teams handle security incidents.

Compare and Contrast Security Control and

Framework Types
● Security Control Categories: Controls are categorized as Technical, Operational,
and Managerial, based on how they are implemented.
● Functional Types of Security Controls: Controls are classified as Preventive,
Detective, and Corrective based on their function in preventing, identifying, or
mitigating security threats.
 ● Frameworks: Frameworks like NIST Cybersecurity Framework (CSF) and Risk
Management Framework (RMF), ISO standards (27001, 27002, 31000), and
Cloud Security Alliance resources provide guidelines for managing cybersecurity
risks and compliance.
● Regulatory Compliance: Various regulations such as Sarbanes-Oxley Act (SOX),
Federal Information Security Management Act (FISMA), and General Data
Protection Regulation (GDPR) mandate security controls and privacy protection
measures.
● Industry Standards: Industry-specific standards like Payment Card Industry Data
Security Standard (PCI DSS) ensure secure handling of financial information.

Explain Threat Actor Types and Attack Vectors

Threat Actor Types and Attack Vectors:

Vulnerability, Threat, and Risk:

● Vulnerability: Weakness that could lead to a security breach.
● Threat: Potential for exploiting a vulnerability.
● Risk: Likelihood and impact of a threat actor exploiting a vulnerability.
 Attributes of Threat Actors:
● Internal/External: Based on access permissions.
● Intent/Motivation: Goals and reasons for the attack.
● Level of Sophistication/Capability and Resources/Funding: Skills,
resources, and funding available to the threat actor.
Hackers, Script Kiddies, and Hacktivists:
● Hackers: Individuals gaining unauthorized access to systems.
● Script Kiddies: Users using hacking tools without understanding.
● Hacktivists: Groups using cyber weapons for political agendas.
State Actors and Advanced Persistent Threats (APTs):
● Nation states using cyber weapons for military and commercial goals.
● APTs: Ongoing efforts to compromise network security using various
techniques.
Criminal Syndicates and Competitors:
● Cybercrime overtaking physical crime in many countries.
● Criminal syndicates seeking financial profit through fraud and extortion.
● Competitors engaging in espionage for business advantage.
Insider Threat Actors:
● Internal actors with legitimate access, including employees and
contractors.
● Malicious insiders intentionally abusing access for sabotage or financial
gain.
● Unintentional insiders posing risks due to lack of awareness or
carelessness.
Attack Surface and Attack Vectors:
● Attack surface: Points where a threat actor could exploit a vulnerability.
● Attack vectors: Paths used by threat actors to gain access.
● Various vectors include direct access, removable media, email,
remote/wireless, supply chain, web/social media, and cloud.
● Sophisticated threat actors use multiple vectors in multi-stage campaigns.

Explain Threat Intelligence Sources

Threat Intelligence Sources:

Threat Research Sources:

● Security companies and researchers study modern cyber adversaries'
tactics, techniques, and procedures (TTPs).
 ● Primary sources include security solution providers, academic institutions,
and honeynets.
● The dark web serves as a primary source, using networks like TOR for
anonymity.
Threat Intelligence Providers:
● Outputs include behavioral threat research, reputational threat intelligence,
and threat data.
● Threat data is often packaged as feeds for integration with security
information and event management (SIEM) platforms.
● Commercial models include closed/proprietary platforms, vendor
websites, and public/private information sharing centers.
Other Threat Intelligence Research Sources:
● Academic journals, security conferences, Request for Comments (RFC),
and social media provide additional sources.
● Open source intelligence (OSINT) includes services like AT&T Security,
Malware Information Sharing Project (MISP), Spamhaus, and VirusTotal.
Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise
(IoCs):
● TTPs describe adversary behavior, while IoCs are signs of successful or
ongoing attacks.
● IoCs include unauthorized software/files, suspicious emails, registry/file
system changes, unusual network usage, rogue hardware, service
disruption, and unauthorized account usage.
Threat Data Feeds:
● Structured Threat Information eXpression (STIX) and Trusted Automated
eXchange of Indicator Information (TAXII) enable automated feed sharing.
● Automated Indicator Sharing (AIS) by DHS facilitates threat intelligence
sharing among companies.
Artificial Intelligence (AI) and Predictive Analysis:
● AI and machine learning (ML) help process, correlate, and analyze security
intelligence and CTI data.
● Predictive analysis aims to forecast attacks by identifying patterns and
correlating data from various sources.
Assess Organizational Security with Network
Reconnaissance Tools
Assessing Organizational Security:

● Reconnaissance is crucial for mapping potential attack surfaces.

 ● Network reconnaissance involves identifying nodes and connections in a

network.

● Scans using both command-line and GUI topology discovery tools are

necessary.

● Host configurations are reported using fingerprinting tools.

● Network traffic is captured and analyzed for security assessment.

Topography Discovery:

● Topology discovery, also known as "footprinting," involves scanning for hosts, IP

ranges, and routes between networks.

● It helps in building an asset database and identifying unauthorized hosts or

network configuration errors.

● Basic topology discovery tasks can be accomplished using command-line tools

such as ipconfig, ifconfig, ping, and arp.

Route and Traceroute:

● route is used to view and configure the local routing table.

● tracert (Windows) and traceroute (Linux) report the round trip time for hops

between the local host and a host on a remote network.

● pathping (Windows) provides statistics for latency and packet loss along a route

over a longer period.

IP Scanners and Nmap:

● IP scanners like Nmap are essential for host discovery and identifying network

connectivity.

● Nmap can use diverse methods for host discovery and can perform detailed port

scans to identify running services.

Service Discovery with Nmap:

● Nmap can identify active IP hosts and network services they are running.

● It provides options for TCP SYN, UDP scans, and port range scanning.

● Service discovery helps in identifying operating systems, network services, and

application software versions.

 Packet Capture and Analysis:

● Packet capture utilities like tcpdump capture and analyze network traffic.

● Wireshark is a graphical packet capture and analysis utility with powerful display

and filtering options.

Exploitation Frameworks:

● Frameworks like Metasploit are used for penetration testing and exploiting

vulnerabilities identified during reconnaissance.

● Other exploitation frameworks target different kinds of vulnerabilities, such as

fireELF for Linux hosts and RouterSploit for embedded systems.

Netcat:

● Netcat is a versatile tool for testing connectivity, port scanning, and establishing

backdoor connections.

● It can be used to send and receive files and execute commands remotely.

Explain Security Concerns with General Vulnerability

Types
Introduction to Security Concerns
● Effective security assessment involves understanding various vulnerability types.
● Evaluation of vulnerabilities helps prioritize assessment and remediation
activities.
 Software Vulnerabilities and Patch Management
● Software exploitation targets flaws in software code.
● Application vulnerabilities allow circumvention of security systems or application
crashes.
● Vulnerabilities affect all types of code, including OS, firmware, and applications.
● Patch management is crucial to mitigate vulnerabilities, but improper
management leaves systems vulnerable.
Zero-Day and Legacy Platform Vulnerabilities
● Zero-day vulnerabilities are exploited before developers can release patches.
● Legacy platforms lack security patch support and are highly vulnerable.
Weak Host Configurations
● Default settings and unsecured root accounts pose vulnerabilities.
● Open permissions and weak network configurations increase the attack surface.
Impacts from Vulnerabilities
● Vulnerabilities lead to data breaches, data loss, and identity theft.
● Financial and reputation impacts result from breaches and availability loss.
● Third-party risks highlight supply chain vulnerabilities and vendor management
importance.
Vendor Management
● Vendor management involves assessing risks and ensuring security standards.
● System integration and outsourced code development pose specific challenges.
Data Storage
● Risks associated with granting vendor access and hosting data backups must be
addressed.
● Precautions include data protection measures, monitoring, and compliance
evaluation.
Cloud-Based versus On-Premises Risks
● Both cloud and on-premises environments face software and configuration
vulnerabilities.
● Shared responsibility model in the cloud requires active security measures from
both providers and consumers.

Summarize Vulnerability Scanning Techniques

Introduction to Security Assessments:
● Security assessments involve evaluating system security and compliance.
● Network reconnaissance identifies hosts, network topology, and open
services/ports.
 ● Security assessments can include testing for vulnerabilities, logical weaknesses,
and interviews.
Types of Security Assessments:
● Vulnerability assessment evaluates a system's security based on its configuration
state.
● Threat hunting proactively searches for evidence of threats based on threat
intelligence.
● Penetration testing involves attempting to intrude into systems to demonstrate
weaknesses.
Network Vulnerability Scanners:
● Tools like Tenable Nessus and OpenVAS test network hosts for vulnerabilities.
● They compare scan results to configuration templates and lists of known
vulnerabilities.
● Scanning phases include detection, probing for services, security configurations,
etc.
Application and Web Application Scanners:
● These scanners, like Nikto, focus on specific attacks such as SQL injection and
XSS.
● They may analyze source code and database security for unsecure programming
practices.
Common Vulnerabilities and Exposures (CVE):
● CVE is a dictionary of vulnerabilities in published operating systems and
applications.
● Each vulnerability is identified by a unique code and includes a description,
references, and fix information.
Intrusive vs. Non-Intrusive Scanning:
● Intrusive scanning interacts directly with the target, consuming more network
bandwidth.
● Non-intrusive scanning analyzes indirect evidence, like network traffic, with
minimal impact.
Credentialed vs. Non-Credentialed Scanning:
● Credentialed scans have user access rights, allowing in-depth analysis.
● Non-credentialed scans lack access rights and provide a view exposed to
unprivileged users.
False Positives, False Negatives, and Log Review:
● False positives are incorrect vulnerability identifications, while false negatives are
missed vulnerabilities.
● Reviewing system and network logs can validate vulnerability reports.
Configuration Review:
● Vulnerability scans assess security controls and application settings against
established benchmarks.
● Compliance scans compare systems against regulatory standards or best
practices frameworks.
Threat Hunting:
 ● Threat hunting uses threat intelligence to proactively discover evidence of threats
within the network.
● It involves advisory analysis, intelligence fusion, and defensive maneuvering to
detect and respond to threats.

Explain Penetration Testing Concepts

● Penetration Testing Overview:
● Penetration testing uses authorized hacking techniques to find weaknesses in
security systems.
● Also known as ethical hacking.
● Steps involved: verifying threats, bypassing security controls, actively testing
controls, exploiting vulnerabilities.
● Difference from Passive Vulnerability Assessment:
 ● Pen testing actively tests and exploits vulnerabilities.
● Provides a more intrusive assessment compared to passive vulnerability
scanning.
● Rules of Engagement:
● Specify permitted activities in security assessments.
● Should be explicit in contractual agreements.
● Concrete objectives and scope are necessary.
● Attack Profile:
● Different sources and motivations for attacks.
● Types: Black box, White box, Gray box testing.
● Blind and double-blind tests also exist.
● Bug Bounty Programs:
● Rewards for reporting vulnerabilities.
● Crowd-sourcing detection of vulnerabilities.
● Can be internal or open to public submissions.
● Exercise Types:
● Red team: Offensive role.
● Blue team: Defensive role.
● White team: Sets rules and monitors the exercise.
● Passive and Active Reconnaissance:
● Initial phase involves establishing a profile of the target.
● Activities can be passive or active.
● Techniques include OSINT, social engineering, footprinting, war driving,
drones/UAVs.
● Pen Test Attack Life Cycle:
● Reconnaissance followed by initial exploitation.
● Techniques include persistence, privilege escalation, lateral movement, pivoting,
actions on objectives, cleanup.
● Cleanup involves removing backdoors and ensuring the system is not less
secure than before the engagement.

Identifying Social Engineering and Malware

Compare and Contrast Social Engineering

Techniques
Social Engineering Techniques:

Introduction to Social Engineering:

● Adversaries use various techniques to compromise security systems.
 ● Social engineering involves eliciting information or actions from
individuals, often referred to as "hacking the human."
Intrusion Scenarios:
● Creation of executable files to prompt users for passwords.
● Pretending to be someone else to obtain sensitive information.
● Triggering distractions like fire alarms to gain physical access.
Social Engineering Principles:
● Familiarity/Liking: Being affable and presenting requests as reasonable.
● Consensus/Social Proof: Exploiting social norms and polite behavior.
● Authority and Intimidation: Pretending to be a superior or using technical
jargon.
● Scarcity and Urgency: Creating a sense of urgency to pressure targets.
● Impersonation and Trust: Pretending to be someone else to gain trust.
Dumpster Diving and Tailgating:
● Dumpster Diving: Searching through garbage for information.
● Tailgating and Piggy Backing: Unauthorized entry by following authorized
personnel.
Identity Fraud and Invoice Scams:
● Identity Fraud: Impersonating someone to gain access or make
transactions.
● Invoice Scams: Altering invoice details to redirect payments.
Phishing, Whaling, and Vishing:
● Phishing: Persuading users to interact with malicious resources.
● Whaling: Targeting high-level executives with tailored phishing attacks.
● Vishing: Conducting phishing attacks through voice channels.
Spam, Hoaxes, and Prepending:
● Spam: Unsolicited emails used for various attacks.
● Hoaxes: False security alerts combined with phishing attempts.
● Prepending: Adding misleading text to emails to appear legitimate.
Pharming and Credential Harvesting:
● Pharming: Redirecting users to malicious websites.
● Typosquatting: Registering domains similar to legitimate ones.
● Credential Harvesting: Stealing account credentials for various purposes.
Influence Campaigns:
● Major programs launched by adversaries to shift public opinion.
● Utilizes various tactics including disinformation and hacking, often via
social media.
Analyze Indicators of Malware-Based Attacks
● Malware Classification:
● Viruses and worms spread without user authorization, concealed within
executable code or attached to other files.
● Trojans masquerade as legitimate software installers, operating secretly
without user consent.
 ● Potentially unwanted programs (PUPs)/Potentially unwanted applications
(PUAs) are installed alongside desired software or bundled with new
systems.
● Payload classifications include spyware, rootkit, remote access Trojan
(RAT), and ransomware.
● Computer Viruses:
● Types include non-resident/file infector, memory resident, boot, and
script/macro viruses.
● Multipartite viruses use multiple vectors, and polymorphic viruses
dynamically change code to evade detection.
● Computer Worms and Fileless Malware:
● Worms replicate over networks without user intervention, consuming
bandwidth and potentially crashing systems.
● Fileless malware runs in memory, evading detection by not writing to disk,
using lightweight shellcode, and utilizing legitimate system tools.
● Spyware and Keyloggers:
● Spyware monitors application activity, captures screenshots, and redirects
DNS.
● Keyloggers record keystrokes to steal confidential information.
● Tracking cookies, adware, and spyware are forms of unwanted code that
facilitate monitoring.
● Backdoors and Remote Access Trojans (RATs):
● Backdoors provide unauthorized access to a host, while RATs mimic
remote control programs to operate covertly.
● Compromised hosts may form botnets for various malicious purposes,
such as DDoS attacks or cryptomining.
● Rootkits:
● Rootkits conceal their presence on a system, often by exploiting
vulnerabilities to gain administrative control.
● They can reside in firmware, surviving attempts to remove them by
formatting drives and reinstalling the OS.
● Ransomware, Crypto-Malware, and Logic Bombs:
● Ransomware extorts money from victims by blocking access to systems
or encrypting files.
● Crypto-malware encrypts data to demand ransom, while some variants
hijack resources for cryptocurrency mining.
● Logic bombs trigger malicious actions based on predetermined
conditions, remaining undetected until activated.
● Malware Indicators:
 ● Indicators include changes in system behavior, anti-virus notifications,
sandbox execution results, abnormal resource consumption, file system
changes, and process analysis.
● Analyzing process behavior and network activity helps identify malware,
which may attempt to evade detection by using legitimate tools and
services.

Summarizing Basic Cryptographic Concepts

Compare and Contrast Cryptographic Ciphers

● Cryptography Basics
● Definition: The art of securing information by encoding it.
 ● Plaintext/Cleartext: Unencrypted message.
● Ciphertext: Encrypted message.
● Cipher: Algorithm used for encrypting and decrypting.
● Cryptanalysis: The study or practice of deciphering encrypted data.
● Key Actors
● Alice: Message sender.
● Bob: Intended recipient.
● Mallory: Malicious attacker.
● Types of Cryptographic Algorithms
● Hashing Algorithms: Used for data integrity. Produces a fixed-length
output (hash) that is unique and one-way.
● SHA (Secure Hash Algorithm): Strong, variable output sizes, e.g.,
SHA-256.
● MD5 (Message Digest Algorithm 5): 128-bit digest, less secure,
legacy compatibility.
● Encryption Ciphers: Used for data confidentiality.
● Symmetric Ciphers: Same key for encryption and decryption.
● Asymmetric Ciphers: Pair of keys (public and private) used for
encryption and decryption.
● Hashing Algorithms
● Purpose: Ensure integrity of data.
● Operation: Converts input plaintext of any length to a fixed-length hash.
● Security Features: Collision-resistant, one-way function.
● Symmetric Encryption
● Key: Same secret key used for both encryption and decryption.
● Use Cases: Effective for large data encryption due to speed.
● Security Concern: Key distribution and storage are critical.
● Examples: Stream ciphers (encrypt data bit by bit), Block ciphers (encrypt
fixed-size blocks of data).
● Asymmetric Encryption
● Key Pair: Public key for encryption, private key for decryption.
● Security: Public key can be shared without compromising security.
● Use Cases: Secure message exchange, digital signatures.
● Drawback: Higher computational overhead compared to symmetric
encryption.
● Encryption Techniques
● Substitution Cipher: Replaces elements of plaintext with ciphertext (e.g.,
ROT13).
 ● Transposition Cipher: Rearranges elements of plaintext to create
ciphertext (e.g., Rail Fence Cipher).
● Key Concepts
● Key Length and Keyspace: Longer keys provide stronger security.
● Cryptographic Strength: Determined by key length, algorithm security, and
resistance to cryptanalysis.
● Practical Applications
● Password Verification: Using hashes to confirm password without storing
plaintext.
● File Integrity: Using hashes to verify file integrity post-transfer.
● Confidential Communications: Using encryption to ensure that only
intended recipients can access message content.

Summarize Cryptographic Modes of Operation

Overview of Modes of Operation
● Modes of operation define how cryptographic algorithms are applied to
achieve security goals like confidentiality and integrity.
● Key to implementing security controls like digital signatures and transport
encryption.
Digital Signatures
● Utilizes public key cryptography for authentication and hash functions for
integrity.
● Process:
● Sender hashes the message and encrypts the hash with their
private key.
● The encrypted hash (digital signature) is sent along with the
message.
● Recipient decrypts the signature using the sender's public key to
obtain the hash.
● Recipient hashes the received message and compares both hashes
to verify integrity and authenticity.
● Digital signatures ensure data integrity and sender authenticity but do not
provide confidentiality.
● Other algorithms like DSA and ECC can be used for digital signatures.
Digital Envelopes and Key Exchange
● Combines symmetric and asymmetric encryption to securely exchange
keys.
● Process:
● Sender encrypts the message with a symmetric key (session key).
● Session key is then encrypted with the recipient's public key and
sent along with the encrypted message.
● Recipient decrypts the session key with their private key and then
decrypts the message.
● Ensures secure key exchange and message confidentiality.
Digital Certificates and PKI
● Certificates verify ownership of public keys through a Certificate Authority
(CA).
● Public Key Infrastructure (PKI) involves issuing and verifying certificates
to establish trust.
Perfect Forward Secrecy (PFS)
● Uses ephemeral keys for each session to prevent past session
compromise if private keys are later exposed.
● Implementations include DHE and ECDHE which use Diffie-Hellman key
exchange methods.
Cipher Suites and Modes of Operation
● TLS uses cipher suites to negotiate security protocols including
encryption, key exchange, and authentication methods.
● Example of modes:
 ● CBC (Cipher Block Chaining): Uses IV for uniqueness, requires
padding.
● Counter Mode: Converts block cipher into a stream cipher using IV
and counter, improves parallel processing, no padding required.
Authenticated Encryption
● Combines encryption and authentication in one step.
● Modes like AEAD provide integrity and authenticity checks in addition to
encryption.
● Examples include AES-GCM and ChaCha20-Poly1305, preferred due to
resistance against certain attacks like padding oracle attacks.

Summarize Cryptographic Use Cases and

Weaknesses Cryptographic Concepts
● Cryptographic Primitives: Fundamental components like hash functions,
symmetric and asymmetric ciphers.
● Cipher Suite: Combination of multiple cryptographic primitives used in
cryptographic systems.

Use Cases of Cryptography

 Authentication and Non-Repudiation:
● Encryption ensures sender authentication and message integrity.
● Non-repudiation ensures the sender cannot deny sending the message.
● Asymmetric encryption and public/private key pairs are used for these
purposes.
Confidentiality:
● Ensures data remains private through encryption (data-at-rest and data-in-
transit).
● Symmetric ciphers (e.g., AES) handle bulk data encryption due to
efficiency.
● Asymmetric encryption used for secure key exchange (e.g., digital
certificates for public keys).
Integrity and Resiliency:
● Hashing algorithms verify data integrity by ensuring no tampering has
occurred.
● Cryptography aids in designing secure control systems that are resilient to
partial compromise.
● Cryptographic methods like message authentication codes (MACs)
prevent man-in-the-middle attacks.

Weaknesses in Cryptographic Systems

● Performance Limitations:
● Speed: Symmetric ciphers and hash functions are generally faster than
asymmetric.
● Latency: Critical in applications like secure protocols where handshake
phases are involved.
● Computational overheads vary across ciphers, affecting their suitability in
resource-constrained environments.
● Key Management:
● Distribution and storage of keys, particularly symmetric keys, pose
security risks.
● Private keys should be securely stored (e.g., in a TPM) and protected by
user authentication.
● Algorithm Limitations:
● Maximum data size limitations in asymmetric ciphers like RSA.
● Efficiency issues when using asymmetric encryption for bulk data
encryption.

Additional Points
 ● Obfuscation and Cryptography:
● Used to make source code difficult to understand, but not practical for
encryption due to execution constraints.
● White box cryptography attempts have been broken; no secure
commercial solutions available.
● Key Size and Security:
● Larger key sizes generally provide better security but increase
computational demands.
● Cannot directly compare key sizes across different algorithms (e.g., ECC
vs. RSA).

Practical Recommendations

● Deploy appropriate cryptographic controls based on use case requirements and

environmental constraints.
● Ensure robust key management practices to safeguard cryptographic keys.
● Select cryptographic tools and protocols based on performance requirements
and security needs.

Summarize Other Cryptographic Technologies

1. Quantum Computing
● Definition: Uses quantum mechanics to perform computational tasks far more efficiently
than classical computers.
● Qubits: Basic unit of quantum information, can be in a state of 0, 1, or both
simultaneously (superposition).
● Entanglement: Allows qubits to be interconnected such that the state of one (once
measured) affects the state of another, no matter the distance.
● Computational Impact: Excel in solving problems like factoring large integers and
discrete logarithm problems, which challenges the security of RSA and ECC.

2. Post-Quantum Cryptography
 ● Context: Refers to the cryptographic landscape when quantum computers are advanced
enough to break current encryption methods.
● Quantum Threat: Modern encryption potentially vulnerable to quantum attacks.
● NIST's Role: Leading efforts to develop new cryptographic standards resistant to
quantum computing attacks.

3. Cryptographic Agility
● Definition: The capability of an organization to quickly and efficiently switch between
cryptographic algorithms without disrupting existing systems.
● Importance: Ensures that an organization can adapt to new cryptographic standards as
threats evolve or new vulnerabilities are discovered.

4. Lightweight Cryptography
● Goal: Develop cryptographic solutions for devices with limited processing power and
energy resources (e.g., IoT devices).
● NIST Initiative: Focus on creating efficient, compact, and quantum-resistant
cryptographic protocols for low-power devices.

5. Homomorphic Encryption
● Purpose: Allows computation on encrypted data, enabling the data to remain secure
even during processing.
● Use Case: Enables third parties to perform data analysis without ever having access to
unencrypted data.
● Example: Analyzing encrypted logs of user activity without exposing individual identifiers.

6. Blockchain
● Mechanism: Utilizes cryptographic hashing to link blocks of data (transactions) ensuring
integrity and verifiability.
● Decentralization: Maintains a distributed ledger across a peer-to-peer network, reducing
the risk of centralized failure or attack.
● Transparency and Trust: Every transaction is visible to all network participants,
promoting transparency and trust without the need for central authority.
● Applications: Beyond cryptocurrencies, potential uses include voting systems, identity
verification, secure data storage, and more.

7. Steganography
● Definition: The practice of hiding messages or information within non-secret text or data.
● Techniques: Embedding hidden information in digital media, such as images or audio
files, without noticeable changes to the original file.
● Detection and Creation Tools: Software designed either to embed information secretly or
to detect hidden messages in digital files.
Implementing Public Key Infrastructure

Implement Certificates and Certificate Authorities

Digital Certificates

● Definition: A digital certificate is a public assertion of identity validated by a

Certificate Authority (CA).
● Uses: Certificates are issued for various purposes, including web server
communication security and message signing.
2. Public and Private Key Usage

● Encryption: Public keys encrypt messages for confidentiality; only the

corresponding private key can decrypt them.
● Authentication: Private keys create signatures to authenticate identity; the
signature is verified using the public key.
● Security Risks: Vulnerable to man-in-the-middle attacks if the identity of the
communicating party is not verified.

3. Public Key Infrastructure (PKI)

● Purpose: Ensures that public keys are indeed owned by the entities that claim
them.
● Certificate Authorities (CAs): Entities that issue digital certificates and guarantee
their validity.
● Trust Models:
● Single CA: Simple but risky as compromise leads to system collapse.
● Hierarchical: Root CA issues certificates to intermediate CAs, which then
issue to end users, adding layers of security but still vulnerable at the root
level.

4. Certificate Authorities (CAs)

● Roles: Issue certificates, verify identities, manage certificate and key lifecycles,
maintain trust.
● Types:
● Private CAs: Used within an organization.
● Public CAs: Trusted across organizations and networks for broader
communication security.
● Examples: IdenTrust, Digicert, Sectigo/Comodo, GoDaddy, GlobalSign.

5. PKI Trust Models

● Single CA Model: All users trust a single CA.

● Hierarchical Model: A root CA issues to intermediate CAs; reduces risk by
distributing trust but retains a single point of failure.
● Online vs. Offline CAs: Offline CAs enhance security by reducing exposure to
network threats.

6. Registration Authorities and Certificate Signing Requests (CSRs)

 ● RA Role: Facilitate the identity verification process and submit CSRs to CAs.
● CSR: A request filed by an entity to obtain a digital certificate, containing
necessary identification and public key.

7. Digital Certificate Components

● Key Contents: Subject’s public key, identity details, issuer details, and a digital
signature by the CA.
● Standards: X.509 standard defines the structure of certificates; managed by the
PKIX working group.
● Certificate Attributes:
● Serial Number, Signature Algorithm, Issuer, Validity Dates, Subject Name,
Public Key, Extensions.

8. Extensions and Attributes

● Subject Alternative Name (SAN): Preferred over Common Name (CN) for
specifying the identity of the certificate subject.
● Common Name (CN): Historically used for server identification, now being
replaced by more precise identifiers in SAN.

9. Implementation Considerations

● Security: Critical to maintain the integrity and confidentiality of the private key.
● Verification: CA must rigorously verify the identity of certificate applicants to
maintain trust.
● Lifecycle Management: Includes issuing, renewing, and revoking certificates as
needed.
Implement Certificates and Certificate Authorities
● Digital Certificates Overview:
● Digital certificates assert identity and are validated by a Certificate
Authority (CA).
● They are crucial for secure communications and message signing.
● Public and Private Key Usage:
● Public key encryption allows secure communication by sharing public
keys for encryption and private keys for decryption.
● Private keys are used to create signatures, ensuring message authenticity.
● Public Key Infrastructure (PKI):
● PKI verifies the identities of public key owners through digital certificates
issued by CAs.
 ● CAs ensure the validity of certificates and manage key and certificate
lifecycle.
● Certificate Authorities:
● CAs issue and guarantee certificates.
● Private CAs are for internal communications, while third-party CAs are for
public or business-to-business communications.
● PKI Trust Models:
● Single CA: One CA issues certificates; vulnerable to single point of failure.
● Hierarchical: Root CA issues certificates to intermediate CAs, reducing
risk but still vulnerable.
● Online vs. Offline CAs:
● Online CAs process requests, while offline CAs are disconnected from
networks to mitigate risks.
● Registration Authorities and CSRs:
● RAs handle identity checks and submit Certificate Signing Requests
(CSRs) but don't issue certificates.
● Digital Certificates:
● Wrapper for public keys, containing subject and issuer information, signed
by a CA.
● Based on X.509 standard, managed by PKIX working group.
● Certificate Attributes:
● Serial number, signature algorithm, issuer, validity period, subject, public
key, and extensions like SAN.
● Types of Certificate:
● Domain Validation (DV) and Extended Validation (EV) for web servers,
machine certificates, email/user certificates, code signing certificates, and
root certificates.
● Self-signed Certificates:
● Deployed by machines, web servers, or programs, but marked untrusted by
OS or browser.
Implement PKI Management
PKI Management Overview:
● Security professionals often install and maintain PKI certificate services
for private networks and manage certificates from public PKI providers.
● PKI installation, configuration, troubleshooting, and certificate revocation
are essential tasks.
Certificate and Key Management:
● Key lifecycle stages: generation, certificate generation, storage,
revocation, expiration/renewal.
● Key management can be centralized or decentralized.
● Critical vulnerability if not managed properly; compromised private keys
endanger data confidentiality and authentication systems.
 Key Recovery and Escrow:
● Root CA keys require stringent access controls.
● Key recovery mechanisms ensure encrypted data can be accessed if keys
are lost.
● Escrow involves archiving keys with a third party for secure storage.
Certificate Expiration and Revocation:
● Certificates have limited durations, renewed before expiration.
● Keys can be archived or destroyed upon certificate expiration.
● Revoked certificates are invalid; suspension allows for re-enabling.
Certificate Revocation Lists (CRLs) and OCSP:
● CAs maintain CRLs listing revoked/suspended certificates.
● OCSP servers provide real-time certificate status checks.
● OCSP stapling and certificate pinning enhance security.
Certificate Formats and OpenSSL:
● Certificates encoded using DER or PEM.
● Various file extensions for certificates (.CER, .CRT, .PEM).
● OpenSSL commands for key and certificate management in Linux
environments.
Certificate Issues and Troubleshooting:
● Common issues include certificate expiration, misconfiguration, and trust
chain problems.
● Ensure proper key usage settings, subject name configuration, and
time/date synchronization.
● Regularly audit certificate infrastructure for security compliance and
validity.

Implementing Authentication Controls

Summarize Authentication Design Concepts

Authentication Overview:
● Authentication is crucial for securing network resources, involving various
methods and mechanisms.
● Understanding identification and authentication technologies helps in
selecting, implementing, and supporting appropriate security measures.
Identity and Access Management (IAM):
 ● IAM encompasses four main processes: identification, authentication,
authorization, and accounting.
● Identification creates unique IDs, authentication verifies identities,
authorization determines access rights, and accounting tracks authorized
usage.
Authentication Factors:
● Something You Know: Passwords, passphrases, PINs, or swipe patterns.
● Something You Have: Smart cards, fobs, or USB tokens.
● Something You Are/Do: Biometrics like fingerprints or behavioral
identifiers.
Authentication Design:
● Confidentiality, integrity, and availability are key considerations.
● Design must address context-specific needs, balancing security with
usability.
Multifactor Authentication (MFA):
● Combines multiple authentication factors for enhanced security.
● Two-Factor Authentication (2FA) combines ownership factors with
knowledge factors.
● Three-Factor Authentication adds an additional factor like location.
Authentication Attributes:
● Somewhere You Are: Location-based authentication using geographic or
network location.
● Something You Can Do: Behavioral characteristics like gait or device
interaction patterns.
● Someone You Know: Web of trust models where users vouch for each
other's identities.

Implement Knowledge-Based Authentication

● Knowledge-Based Authentication Overview:
● Knowledge-based authentication primarily involves password-based
account access mechanisms.
● Password-based authentication protocols are crucial, and supporting
users with authentication issues is essential.
● Local, Network, and Remote Authentication:
● Operating systems typically use password or PIN-based authentication.
 ● Authentication relies on cryptographic hashes stored in databases.
● Windows authentication involves local sign-in, network sign-in (Kerberos
or NTLM), and remote sign-in (VPN or web portal).
● Linux authentication stores user account names in /etc/passwd and
hashes in /etc/shadow. SSH is commonly used for network logins.
● Single Sign-On (SSO):
● SSO allows users to authenticate once to a device and be authenticated to
compatible application servers without re-entering credentials.
● Kerberos framework provides SSO in Windows environments.
● Kerberos Authentication:
● Kerberos is a single sign-on network authentication and authorization
protocol.
● It involves a Key Distribution Center (KDC), Authentication Service, and
Ticket Granting Service.
● Clients request services from application servers, authenticated by the
KDC.
● Kerberos operates on TCP or UDP port 88.
● PAP, CHAP, and MS-CHAP Authentication:
● PAP and CHAP are authentication protocols developed for PPP.
● PAP sends passwords in clear text, while CHAP uses encrypted
challenges.
● MS-CHAPv2 is Microsoft's implementation of CHAP, requiring encrypted
tunnels for security.
● Password Attacks:
● Attacks include plaintext/unencrypted, online, password spraying, and
offline attacks.
● Online attacks involve interacting directly with authentication services.
● Offline attacks exploit captured password hashes.
● Password spraying targets multiple accounts with common passwords.
● Password crackers like Hashcat run primarily on Linux and use brute-
force, dictionary, and hybrid attacks.
● Authentication Management:
● Users often adopt poor credential management practices, making
networks vulnerable to breaches.
● Password managers generate unique passwords for web accounts,
reducing security risks.
● Password managers can be implemented with hardware tokens or
software apps.
Implement Authentication Technologies
Authentication and Authorization Design Concepts:
● Authentication technologies include ownership/possession factors.
● Multifactor authentication systems are deployed by many organizations.
● Smart cards and USB key fobs are commonly used for multifactor
authentication.
Smart-Card Authentication:
 ● Smart-card authentication involves cryptographic information
programmed onto a card with a secure chip.
● Components stored on the chip include the user's digital certificate,
private key, and a personal identification number (PIN).
● For Kerberos authentication, the smart card's cryptoprocessor generates a
Ticket Granting Ticket (TGT) request upon PIN entry, which is then
transmitted to the authentication server (AS).
Key Management Devices:
● Public Key Infrastructure (PKI) usage in smart-card authentication requires
secure handling of private keys.
● Technologies such as smart cards, USB keys, and Trusted Platform
Modules (TPM) help generate key material securely.
● Hardware Security Modules (HSMs) are network appliances used for
centralized PKI management, offering key storage, backup, and
cryptographic functionalities.
Extensible Authentication Protocol/IEEE 802.1X:
● Extensible Authentication Protocol (EAP) allows various authentication
methods, often involving digital certificates for secure authentication.
● IEEE 802.1X facilitates EAP methods for network access control, requiring
authentication, authorization, and accounting (AAA) architecture
components: supplicant, network access server (NAS), and AAA server.
Remote Authentication Dial-in User Service (RADIUS):
● RADIUS is used for network access control, where NAS devices forward
authentication requests to AAA servers.
● RADIUS supports protocols like PAP, CHAP, and EAP for authentication.
● The workflow involves the NAS prompting for credentials, the supplicant
submitting them, and the AAA server responding with acceptance or
rejection.
Terminal Access Controller Access-Control System (TACACS+):
● TACACS+ is designed for centralizing logins for administrative accounts
on network appliances.
● It offers advantages such as TCP-based communication, encryption of all
data, and discrete authentication, authorization, and accounting functions.
Token Keys and Static Codes:
● OTP tokens like RSA SecurID generate passcodes based on time and a
secret key.
● Other mechanisms, like FIDO U2F tokens, leverage public-private key pairs
for authentication.
 ● OATH develops open and strong authentication frameworks, including
HMAC-Based One-Time Password Algorithm (HOTP) and Time-Based
One-Time Password Algorithm (TOTP).
2-Step Verification:
● Also known as out-of-band mechanisms, 2-step verification sends a
software token to a user-controlled resource via SMS, phone call, push
notification, or email.
● Though considered 2-factor authentication, intercepting the code within
the timeframe could compromise security.

Summarize Biometrics Authentication Concepts

Biometric Authentication:
● Biometric authentication uses physiological or behavioral patterns for
access.
● Enrollment involves scanning and converting biometric data into binary
format.
 ● Scanning involves a sensor module acquiring the sample and a feature
extraction module recording unique features.
Evaluation Metrics for Biometric Patterns:
● False Rejection Rate (FRR) measures legitimate users not recognized.
● False Acceptance Rate (FAR) measures interlopers accepted.
● Crossover Error Rate (CER) is where FRR and FAR meet, indicating system
efficiency.
● Throughput, Failure to Enroll Rate (FER), cost, and user perception are also
crucial considerations.
Fingerprint Recognition:
● Widely used physiologic biometric method due to simplicity and
affordability.
● Vulnerable to spoofing, addressed by vein matching or vascular
biometrics.
Facial Recognition:
● Records facial indicators, suffers from privacy concerns and relatively
high error rates.
● Retinal and iris scans offer higher accuracy but are more complex and
intrusive.
Behavioral Technologies:
● Behavioral biometrics analyze actions like typing, signature, or gait.
● Voice recognition, gait analysis, signature recognition, and typing are
examples.
● Subject to higher error rates and can be troublesome to perform.
Other Biometric Applications:
● Biometric identification matches individuals to a database, useful for
security alerts.
● Continuous authentication monitors user activity post-logon, enhancing
security but currently in research phase.
Implementing Identity and Account Management
Controls

Implement Identity and Account Types

Identity Management Controls:
● Digital identity represented by accounts, managed by network administrators.
● Cryptographic material may enhance identity security on public networks.
Certificates and Smart Cards:
● Public Key Infrastructure (PKI) manages digital identities via certificates.
● Certificates contain public keys and are signed by Certificate Authorities (CAs).
● Smart cards or USB keys store certificates and private keys for authentication.
Tokens and Identity Providers:
● Tokens enable single sign-on authentication, but susceptibility to capture exists.
● Identity providers provision user accounts and handle authentication requests.
● Federated identity management facilitates authentication across web-based
services.
Background Checks and Onboarding Policies:
● HR policies include background checks and onboarding phases.
● Background checks verify identities and screen for potential risks.
● Onboarding integrates IT and HR functions to create secure user accounts and
provide training.
Personnel Policies for Privilege Management:
● Separation of duties divides responsibilities to prevent abuse of power.
● Least privilege principle grants minimal necessary access rights to users.
● Job rotation and mandatory vacation policies mitigate insider threats and
enhance accountability.
Administrator Accounts and Credential Management:
● Administrative accounts should be limited and secured to prevent unauthorized
access.
● Default security groups and service accounts manage access to resources
efficiently.
● Proper credential management, including password policies and multifactor
authentication, is crucial for security.
Shared/Generic/Device Accounts and Credentials:
● Shared accounts pose risks to security and accountability, challenging password
management.
● Credential policies for devices ensure secure access and configuration.
● Privilege Access Management tools help manage high-risk credentials
effectively.
Secure Shell Keys and Third-Party Credentials:
● Secure Shell (SSH) keys are used for remote access and should be managed
securely.
● Third-party credentials for vendor services or cloud apps require proper
management to prevent breaches.
Implement Account Policies
Account Policies Overview
● Account policies enforce privilege management policies.
● They dictate what users can and cannot do, helping to enforce strong
credential policies and manage risks from compromised accounts.
● Auditing and permission reviews aid in detecting suspicious behavior and
security breaches.
Account Attributes
● A user account is defined by a unique security identifier (SID), name, and
credential.
● Associated with a profile containing custom identity attributes like full
name, email, contact number, and department.
● Profiles may support media like account pictures and provide storage for
user-generated data files (home folder) and application settings.
Access Policies
● Accounts can be assigned permissions over files and network resources.
● Access policies determine rights like local/remote logins, software
installation, and network configuration changes.
● Configured via Group Policy Objects (GPOs) in Windows Active Directory
networks.
Account Password Policy Settings
● Password policies enforce rules on length, complexity, aging, reuse, and
history.
● NIST guidance recommends allowing user-selected passwords between 8
and 64 characters and avoiding complexity rules.
● Aging policies should not be enforced; users should choose when to
change passwords.
● Password hints should not be used for account recovery.
Account Restrictions
● Used to make compromising user security harder.
● Location-based policies restrict logins based on IP, subnet, VLAN, or OU.
● Geolocation mechanisms like IP address and location services help
enforce geofencing and geotagging.
Time-Based Restrictions
● Establish authorized logon hours, maximum login duration, and detect
risky logins based on travel time.
Account Audits
 ● Used to detect compromises or misuse.
● Audit logs track user actions, intrusions, and changes to resources and
users.
● Regular auditing, recertification, and access control list reviews are
essential.
Account Permissions
● Manage permissions to avoid authorization creep.
● Regularly audit group membership and access control lists.
Usage Audits
● Configure security logs to record key indicators and review for suspicious
activity.
Account Lockout and Disablement
● Disable accounts manually to prevent login.
● Account lockout prevents login for a period, triggered by incorrect
password attempts or expiration.
● Automatic lockouts can occur based on policy violations, expired
accounts, or restricted time/location access.
Implement Authorization Solutions
● Discretionary Access Control (DAC):
● Based on resource owner's primacy.
● Owner has full control over the resource.
● Widely implemented but weakest model.
● Vulnerable to insider threats and compromised accounts.
● Role-Based Access Control (RBAC):
● Adds centralized control to DAC.
● Organizational roles defined, subjects allocated to roles.
● Subjects gain rights implicitly through roles.
● Non-discretionary, system owner reserves right to modify roles.
● File System Permissions:
● Each object in file system has ACL.
● ACL contains list of allowed accounts and permissions.
● Order of ACEs important for determining effective permissions.
● Permissions: Read (r), Write (w), Execute (x) for owner, group, others.
● chmod command modifies permissions.
● Mandatory Access Control (MAC):
● Based on security clearance levels.
● Each object and subject granted clearance level (label).
● Subjects permitted to access objects at or below their clearance level.
● Attribute-Based Access Control (ABAC):
● Fine-grained access control.
● Decisions based on combination of subject, object, and context attributes.
● Allows policies like M-of-N control and separation of duties.
● Conditional Access:
● Monitors account or device behavior.
● Suspends account or requires re-authentication based on conditions.
● Examples: User Account Control (UAC), sudo restrictions.
● Privileged Access Management (PAM):
● Policies, procedures, and controls to prevent abuse of privileged accounts.
● Identifies, documents, and manages privileged accounts and their
credentials.
● Directory Services:
● Store information about users, computers, security groups, services.
● Based on LDAP, provides privilege management and authorization.
● Federation and Attestation:
● Extends network accessibility beyond employees.
 ● Allows access to trusted accounts from different networks.
● Users provide attestation of identity to service providers.
● OAuth and OpenID Connect:
● OAuth facilitates sharing resources between sites.
● OpenID Connect adds authentication to OAuth, validates user presence.
● OIDC implements special OAuth flows with defined token fields.
Explain the Importance of Personnel Policies
● Importance of Personnel Policies:
● Human element significant attack surface, especially for social engineering.
● Work with HR to formulate policies and deliver security awareness training.
● Operational Policies:
● Include privilege/credential management, data handling, and incident response.
● Acceptable Use Policy (AUP):
● Protects organization from misuse of equipment.
● Forbids fraud, defamation, unauthorized hardware/software, snooping.
● Guidelines must be reasonable and not interfere with job duties.
● Code of Conduct and Social Media Analysis:
● Sets professional standards.
● Addresses risks of social media/file sharing.
● Communications made through organization's system likely monitored.
● Use of Personally Owned Devices:
● Pose security threats, make file copying easy.
● Endpoint management, data loss prevention help prevent device attachment.
● Unauthorized personal software or shadow IT also risks security.
● Clean Desk Policy:
● Prevents unauthorized access to sensitive information.
● User and Role-Based Training:
● Essential for secure system.
● Covers security policies, incident reporting, data handling, social engineering,
etc.
● Tailored training based on job roles.
● Diversity of Training Techniques:
● Frame training in language relevant to users.
● Use varied methods: workshops, one-on-one instruction, online training, etc.
● Phishing Campaigns:
● Simulated phishing messages to users for training.
● Follow-up training for users who respond.
● Capture the Flag (CTF):
● Ethical hacker training or gamified competitions.
● Participants complete challenges to discover flags representing
threats/vulnerabilities.
● Computer-Based Training and Gamification:
● Boosts security awareness.
● Uses CBT with simulations, branching scenarios, and video game elements for
engagement.
Implementing Secure Network Designs

Implement Secure Network Designs

● Importance of Secure Network Designs:
● Ensures confidentiality, integrity, and availability of assets and services.
● Mitigates vulnerabilities arising from weaknesses in network architecture.
● Contributes to project improvements and recommendations.
● Common Weaknesses in Network Architecture:
● Single points of failure.
● Complex dependencies.
● Sacrificing security for quick fixes.
● Lack of documentation and change control.
● Overdependence on perimeter security.
● Cisco's SAFE Architecture:
● Defines network locations (PIN) and secure domains.
● PIN includes campus networks, branch offices, data centers, and the cloud.
● Each PIN can be protected with security controls and categorized into secure
domains.
● Business Workflows and Network Architecture:
● Network architecture supports business workflows.
● Analyzing workflows (e.g., email) helps identify security needs.
● Understanding data flow between network locations is crucial for secure design.
● Network Appliances:
● Switches: Forward frames between nodes, establish network segments.
● Wireless access points: Bridge between cabled networks and wireless clients.
● Routers: Forward packets between networks based on IP addresses.
● Firewalls: Filter traffic based on ACLs.
● Load balancers: Optimize traffic distribution.
● DNS servers: Host name records and perform name resolution.
● Routing and Switching Protocols:
● Layer 2 forwarding occurs within the same broadcast domain.
● Layer 3 forwarding (routing) occurs between different networks.
● Protocols like ARP and IP are fundamental for addressing and routing.
● Network Segmentation:
● Segregates hosts to restrict communication, often using VLANs.
● Physical and logical segmentation ensures security between segments.
● Helps enforce access control policies and improve network security.
● Network Topology and Zones:
● Zones define areas with similar security configurations.
● Segregation between zones enhances network security.
● Examples include intranet, extranet, and Internet/guest zones.
● Demilitarized Zones (DMZ):
 ● Internet-facing hosts are placed in DMZs to protect the internal network.
● DMZs use firewalls and proxies to control traffic flow.
● Different DMZ topologies include screened subnet and triple-homed firewall.
● Implications of IPv6:
● Requires management and security planning.
● Should align with IPv4 topology and security configurations.
● Exposes new attack vectors and requires careful monitoring and configuration.
● Other Secure Network Design Considerations:
● Data center traffic includes both north-south and east-west traffic.
● Zero trust and microsegmentation enhance network security beyond perimeter
defenses.
Implement Secure Switching and Routing
● Implementing Secure Switching and Routing
● Exam Objectives Covered: 1.4, 3.1, 3.3
● Attacks at low-level networking functions can be effective; implement network
designs ensuring confidentiality, integrity, and availability.
● Configure switches and routers with appropriate settings to enforce network
access control mechanisms and ensure fault-tolerant paths.
● Man-in-the-Middle (MitM) and Layer 2 Attacks:
● Focus on information gathering and eavesdropping on network traffic.
● MitM attacks involve gaining a position between hosts to capture, monitor,
and relay communication transparently.
● MAC Cloning:
● Changes or spoofs hardware addresses, leading to security incidents or
unreliable device identification.
● ARP Poisoning Attacks:
● Use unsolicited ARP reply packets to update MAC:IP address cache tables
with spoofed addresses, redirecting traffic to attackers.
● MAC Flooding Attacks:
● Exhausts switch memory to disrupt MAC-based forwarding, turning the
switch into a hub and facilitating sniffing attacks.
● Loop Prevention:
● Spanning Tree Protocol (STP) organizes bridges into a hierarchy to
prevent layer 2 loops.
● Broadcast Storm Prevention:
● STP prevents broadcast storms by limiting broadcast traffic and detecting
and closing loops.
● BPDU Guard:
● Disables ports receiving Bridge Protocol Data Units (BPDUs) to prevent
STP-related attacks.
● Physical Port Security and MAC Filtering:
● Restricts access to switch ports and filters MAC addresses to prevent
unauthorized connections.
● DHCP Snooping:
● Inspects DHCP traffic to prevent MAC address spoofing and rogue DHCP
servers.
● Network Access Control (NAC):
 ● IEEE 802.1X standard enables port-based network access control,
authenticating devices before port activation.
● Route Security:
● Protects against route injection and source routing attacks by controlling
access and authentication in routing protocols.
● Vulnerabilities in routing include spoofed routing information, source routing, and
software exploits in router operating systems.
Implement Secure Wireless Infrastructure
● Wireless Network Installation Considerations:
● Ensure good coverage of authorized Wi-Fi access points.
● Patchy coverage increases vulnerability to rogue and evil twin attacks.
● 5 GHz band provides more space for non-overlapping channels.
● Use bonded channels cautiously as they can increase interference risks.
● Wireless Access Point (WAP) Placement:
● WAPs forward traffic to/from wired networks.
● Each WAP has a unique MAC address (BSSID) and SSID for identification.
● Operates in either 2.4 GHz or 5 GHz radio band with divided channels.
● Avoid co-channel and adjacent channel interference by spacing channels widely.
● Site Surveys and Heat Maps:
● Conduct site surveys to measure signal strength and channel usage.
● Use Wi-Fi analyzer software to create heat maps indicating signal strength,
channel usage, and overlap.
● Optimize network design based on survey data by adjusting transmit power,
changing channels, or adding/moving WAPs.
● Controller and Access Point Security:
● Use wireless controllers for centralized management and monitoring.
● Controllers ensure consistent configuration and enhance visibility of wireless
deployment.
● Secure access points physically and via secure management interfaces with
strong administrative credentials.
● Wi-Fi Protected Access (WPA):
● WPA replaces WEP and enhances security.
● WPA2 uses AES cipher with CCMP for authenticated encryption.
● WPA3 improves security with SAE, enhanced open, updated cryptographic
protocols, and management protection frames.
● Wi-Fi Authentication Methods:
● Personal authentication includes WPA2-PSK and WPA3-SAE.
● Enterprise authentication utilizes IEEE 802.1X with EAP mechanisms for better
security and accounting.
● Wi-Fi Protected Setup (WPS):
● Automated setup process for Wi-Fi networks.
● Vulnerable to brute force attacks; consider disabling or using alternative methods
like Easy Connect (DPP).
● Rogue Access Points and Evil Twins:
● Rogue APs pose security risks; detect through physical inspections or Wi-Fi
analyzers.
● Evil twins mimic legitimate APs; may intercept sensitive information.
● Disassociation and Replay Attacks:
● Deauthentication and disassociation attacks disrupt connectivity.
 ● Replay attacks capture authentication data for unauthorized access.
● Mitigate with Management Frame Protection (MFP) and patching against known
vulnerabilities like KRACK.
● Jamming Attacks:
● Disrupt Wi-Fi networks with intentional interference.
● Detect and mitigate interference using spectrum analyzers and configurable
power level controls.
Implement Load Balancers

Introduction to Load Balancers:

● Load balancers are crucial for implementing secure network designs, especially
in mitigating Denial of Service (DoS) attacks.
● They distribute client requests across available server nodes in a farm or pool,
ensuring scalability, fault tolerance, and high availability.
Types of Load Balancers:
● Layer 4 Load Balancer:
● Makes forwarding decisions based on IP address and TCP/UDP port
values.
● Layer 7 Load Balancer (Content Switch):
● Makes forwarding decisions based on application-level data, such as
URLs or data types like video or audio streaming.
Scheduling Algorithms:
● Round Robin:
● Simplest method, picks the next node in line for processing.
● Other methods include selecting nodes with the fewest connections or the best
response time.
● Scheduling methods can be weighted based on administrator preferences or
dynamic load information.
Health Checks and Probes:
● Load balancers use heartbeat or health check probes to verify the availability and
load of each node.
● Layer 4 load balancers conduct basic connectivity tests, while layer 7 appliances
can test application state.
Source IP Affinity and Session Persistence:
● Layer 4 approach that binds a client's session to the initial server node it
connected to.
● Application-layer load balancers use persistence mechanisms like cookies to
maintain session connections.
Clustering:
● Enables multiple redundant processing nodes to share data and accept
connections, providing fault tolerance.
● Clustering ensures continuity of service by allowing connections to failover to
working nodes if one node fails.
Active/Passive and Active/Active Clustering:
● Active/Passive:
● One node is active while the other is passive, ensuring no performance
degradation during failover.
● Active/Active:
 ● Both nodes process connections concurrently, maximizing hardware
capacity but causing performance degradation during failover.
Application Clustering:
● Used to provision fault-tolerant application services, allowing session state data
to be shared among cluster nodes.
Quality of Service (QoS):
● Prioritizes network traffic based on characteristics like bandwidth, latency, and
jitter, primarily to support real-time applications like voice and video.
● Complex implementation involving application discovery, traffic marking, and
prioritization mechanisms.
● QoS marking introduces potential for DoS attacks; trust boundaries must be
established for legitimate traffic marking authorities.
Implementing Network Security Appliances

Implement Firewalls and Proxy Servers

Packet Filtering Firewalls

● Packet filtering: earliest type of network firewall.

● Configured using Access Control Lists (ACLs).
● Rules define specific packet types and actions.
● Can inspect IP packet headers for filtering.
● Filters based on IP address, protocol, port numbers.
● Stateless operation: each packet analyzed independently.
● Vulnerable to attacks spread over multiple packets.

Stateful Inspection Firewalls

● Track session information between hosts.

● Majority of firewalls incorporate stateful inspection.
● Session data stored in state table.
● Examines TCP handshake for new/established connections.
● Can detect anomalies and respond to attacks.
● Inspects both transport and application layers.

iptables

● Command line utility in many Linux distributions.

● Edits rules enforced by Linux kernel firewall.
● Works with chains for different types of traffic.
● Rules determine whether traffic is allowed or dropped.

Firewall Implementation

● Consider hardware or software implementation.

● Firewall Appliances: standalone hardware deployed at network edge.
● Routed vs. Bridged deployment.
● Router Firewall: filtering functionality as part of router firmware.

Application-Based Firewalls
 ● Host-based, application, and network operating system firewalls.
● Enforce packet filtering ACLs and protect specific applications.

Proxies and Gateways

● Proxy: application layer filtering, store-and-forward model.

● Forward Proxy Servers: protocol-specific outbound traffic.
● Transparent vs. non-transparent proxies.

Access Control Lists

● Configured on principle of least access.

● Rules processed top-to-bottom, most specific rules first.
● Implicit deny as default rule.
● Specify block or allow based on parameters.

Network Address Translation (NAT)

● Translates between private and public IP addresses.

● Types: static/dynamic source NAT, NAPT, destination NAT.
● IPv6 makes some NAT use cases redundant.

Virtual Firewalls

● Deployed in data centers and cloud services.

● Hypervisor-based, virtual appliance, multiple context.
● Support east-west security and microsegmentation.

Open-Source vs. Proprietary Firewalls

● Wholly proprietary, mostly proprietary, wholly open-source.

● Consider access to support, updates, and subscription-based features.
Implement Network Security Monitoring
● Network-Based Intrusion Detection Systems (NIDS):
● IDS: Software tools for real-time analysis of network traffic or system logs.
● NIDS: Captures traffic via packet sniffer (sensor), analyzes packets for malicious
activity, and alerts via console/dashboard.
● Examples: Snort, Suricata, Zeek/Bro.
● Passive detection: Raises alerts/logs without blocking source host, doesn't slow
traffic, undetectable by attackers.
● Sensor Placement and Connectivity:
● Placement: Inside firewall or close to critical servers to capture malicious traffic.
● Options:
● SPAN/Mirror Port: Copies frames to sensor port but may drop frames
under heavy load.
● Passive TAP: Physically copies signal from cabling to monitor port,
unaffected by load.
● Active TAP: Signal regeneration, may require power backup.
● Network-Based Intrusion Prevention Systems (IPS):
● Provides active response to matched threats, such as ending TCP sessions or
blocking IPs.
● Advanced measures: Throttling bandwidth, applying complex firewall filters,
modifying packets.
● Inline, wire-speed anti-virus scanning.
● Signature-Based Detection:
● Analysis engine scans traffic with a set of rules or signatures.
● Generates incident if traffic matches a pattern in the signature database.
● Signatures need regular updates for latest threat protection.
● Behavior and Anomaly-Based Detection:
● Recognizes baseline "normal" traffic and flags deviations.
● Historical: Network Behavior and Anomaly Detection (NBAD) products.
● Modern: Utilizes machine learning for improved detection.
● UEBA and NTA products.
● Next-Generation Firewalls (NGFW) and Unified Threat Management (UTM):
● NGFW: Application-aware filtering, user account-based filtering, IPS capabilities.
● UTM: Centralizes multiple security controls into a single appliance.
● Potential single point of failure, latency issues under heavy load.
● Content/URL Filters and Web Application Firewalls (WAF):
● Content filters: Secure web gateway (SWG) for user-focused filtering rules.
● WAF: Protects web servers from code injection and DoS attacks using
application-aware processing rules and pattern matching.
● Examples: ModSecurity, NAXSI, Imperva.
Summarize the Use of SIEM
● Log Data and Monitoring:
● Security controls generate log data and alerts.
● Essential for security assessments and incident response.
● Includes packet capture, network monitors, and system logs.
● Security Information and Event Management (SIEM):
● Aggregates traffic data and logs from various sources.
● Includes logs from hosts, switches, routers, firewalls, IDS sensors, etc.
● Enables reporting, alerting, and correlation of security events.
● SIEM Functionality:
● Log Collection:
● Agent-based: Install agent service on each host.
● Listener/collector: Hosts push updates using syslog or SNMP.
● Sensor: Collects packet captures and traffic flow data.
● Log Aggregation:
● Normalizes data from different sources for consistency and searchability.
● Connectors or plug-ins interpret data from distinct systems.
● Analysis and Reporting:
● Correlates events to identify indicators of compromise (IOCs).
● Supports reporting, often using AI and machine learning.
● User and Entity Behavior Analytics (UEBA):
● Tracks user and entity behavior across devices and services.
● Relies on AI and machine learning to identify malicious behaviors.
● Security Orchestration, Automation, and Response (SOAR):
● Addresses alert overload by automating incident response workflows.
● Utilizes security and threat intelligence for automated analysis and enrichment.
● File Manipulation Commands:
● cat Command:
● Views contents of files, adds line numbers.
● head and tail Commands:
● Output first and last lines of a file, adjust default line count.
● logger Command:
● Writes input to system log or remote syslog server.
● Regular Expressions and grep:
● Used for string search and pattern matching in log files.
● grep command searches text files using simple string matching or regex
syntax.
Implementing Secure Network Protocols

Implement Secure Network Operations Protocols

● Network Address Allocation:
● Utilizes static and dynamic allocation for routers, firewalls, and servers.
● DHCP provides automatic address allocation, vulnerable to rogue DHCP
attacks.
● DHCP snooping port security feature mitigates rogue DHCP attacks.
● Domain Name Resolution:
● DNS resolves FQDNs to IP addresses, distributed among name servers.
● Vulnerable to domain hijacking, URL redirection, and DNS poisoning
attacks.
● Uniform Resource Locator (URL) Redirection:
● Redirects users to pages other than requested, often exploited for
phishing.
● Can be inserted via compromised servers or JavaScript.
● Domain Reputation:
● Hijacked domains used for spam or malware distribution.
● Monitoring tools like Talos Intelligence Reputation Center can detect
misuse.
● DNS Poisoning:
● Compromises DNS query process to redirect traffic.
● Includes man-in-the-middle attacks, DNS client cache poisoning, and DNS
server cache poisoning.
● DNS Security Extensions (DNSSEC):
● Provides validation process for DNS responses, mitigating spoofing and
poisoning attacks.
● Establishes a chain of trust from root servers to subdomains.
● Secure Directory Services:
● LDAP facilitates authentication and authorization, but plaintext
transmissions are vulnerable.
● Implements authentication mechanisms like SASL and LDAPS for secure
access.
● Time Synchronization:
● NTP synchronizes time-dependent applications over UDP on port 123.
 ● Vulnerable to lack of security mechanisms, but efforts like Network Time
Security are addressing this.
● Simple Network Management Protocol (SNMP) Security:
● Monitors network activity through agents and SNMP monitors.
● Vulnerable to plaintext transmission, default community names, and lack
of encryption.
● SNMP v3 supports encryption and strong authentication for enhanced
security.
Implement Secure Application Protocols
Importance of Security Concepts

● Security concepts are crucial in enterprise environments to protect sensitive data and
ensure the integrity and availability of resources.
● Secure protocols are essential for maintaining the confidentiality of data, preventing
unauthorized access, and mitigating various cyber threats.

2. Secure Implementation of Application Protocols

● Application protocols like HTTP, SMTP, POP3, IMAP, and SIP must be configured
securely to ensure the safe transmission of data.
● Secure configuration involves implementing encryption, authentication, and authorization
mechanisms.

3. Hypertext Transfer Protocol (HTTP)

● Foundation of web technology enabling clients to request resources from servers.

● Typically operates over TCP port 80.
● Supports stateless communication but can be extended for session management using
cookies.
● HTTPS (HTTP Secure) uses Transport Layer Security (TLS) to encrypt data
transmission, typically over port 443.

4. Transport Layer Security (TLS)

● Developed to secure HTTP communications.

● Uses digital certificates signed by trusted Certificate Authorities (CAs) for server
authentication.
● TLS 1.3 enhances security by preventing downgrade attacks and simplifying cipher
suites.
● Cipher suites define encryption and hashing algorithms used for secure communication.

5. API Considerations

● APIs are essential for creating and managing web applications.

● APIs should be secured using methods like OAuth and SAML, and API secrets must be
effectively managed to prevent breaches.
● Monitoring API usage ensures that only authorized transactions occur.
6. Subscription Services

● Employees may require access to various subscription services, necessitating secure

authentication mechanisms and single sign-on (SSO) solutions.
● Web feeds should be protected against vulnerabilities like XML injection attacks.

7. File Transfer Services

● Despite newer protocols, FTP remains popular for efficient file transfer.
● Secure FTP options include SSH FTP (SFTP) and FTP Over SSL (FTPS), which encrypt
data transmission to prevent interception.

8. Email Services

● Secure protocols like SMTPS, POP3S, and IMAPS use encryption to protect email
communication and authentication mechanisms to ensure secure access.

9. Voice and Video Services

● VoIP, web conferencing, and video teleconferencing require secure protocols like SIP
and RTP to protect real-time data transmission.
● Encryption and authentication are essential to prevent interception and man-in-the-
middle attacks.

Implement Secure Remote Access Protocols

1. Remote Access Architecture:

● Remote access involves connecting to a network through an intermediate network,

commonly implemented using a VPN over the Internet.
● Administering remote access requires ensuring authorized user access and securing
remote workstations and servers.
● VPNs establish secure tunnels for remote connections, ensuring privacy even over
public networks.

2. VPN Deployment Models:

● Remote Access VPN: Clients connect individually to a VPN gateway, suitable for
telecommuters and field employees.
 ● Site-to-Site VPN: Connects two or more private networks automatically, exchanging
security information between gateways.

3. Transport Layer Security VPN:

● TLS VPN (SSL VPN) establishes a secure connection over port 443, encrypting data
and ensuring user authentication.
● OpenVPN and SSTP are examples of TLS VPN implementations, providing secure
tunnels for network traffic.

4. Internet Protocol Security (IPSec):

● Operates at the network layer, providing confidentiality and integrity to IP packets.

● Utilizes AH (Authentication Header) and ESP (Encapsulation Security Payload)
protocols for authentication and encryption.

5. IPSec Modes:

● Transport Mode: Secures communication between hosts, encrypting payload data.

● Tunnel Mode: Used for VPNs, encrypts the entire IP packet and adds a new IP header.

6. Internet Key Exchange (IKE):

● Handles authentication and key exchange for IPSec, ensuring mutual authentication and
secure communication.
● Negotiates security associations and establishes secure channels between hosts.

7. Layer 2 Tunneling Protocol (L2TP) and IKE v2:

● L2TP/IPSec VPN combines L2TP for tunneling with IPSec for security, suitable for
remote access.
● IKE v2 enhances IKE with EAP authentication and simplified setup, providing reliability
and support for NAT traversal.

8. VPN Client Configuration and Always-On VPN:

● VPN clients require installation and configuration with VPN gateway details and
authentication credentials.
● Always-On VPN establishes connections automatically when detecting trusted network
connections.

9. Split Tunnel vs. Full Tunnel:

 ● Split tunnel directs Internet traffic directly, offering flexibility but potentially compromising
security.
● Full tunnel routes all traffic through the VPN, providing better security but increasing
overhead.

10. Remote Desktop and Secure Shell (SSH):

● Remote Desktop Protocol (RDP) and SSH provide secure remote access to desktops
and terminals.
● SSH enables command-line access and secure file transfer, with various authentication
methods and host key management.

Implementing Host Security Solutions

Implement Secure Firmware

1. Exam Objectives Covered:

● Analyze potential indicators to determine the type of attack.

● Implement host or application security solutions.
● Explain the importance of policies to organizational security.

2. Hardware Root of Trust (RoT):

● Secure subsystem providing attestation.

● Utilizes trusted platform module (TPM) for establishing RoT.
● TPM stores encryption keys, hashed passwords, and user identification.
● Supports owner concept and can be managed via tpm.msc console or group policy.
3. Boot Integrity:

● Unified Extensible Firmware Interface (UEFI) ensures boot integrity.

● Secure Boot prevents hijacking by verifying OS boot loader and kernel using digital
certificates.
● Measured Boot uses TPM to check hashes of key system state data.
● Boot Attestation transmits boot log report signed by TPM for analysis.

4. Disk Encryption:

● Full Disk Encryption (FDE) encrypts entire drive contents.

● FDE keys stored securely in TPM or removable USB drive.
● Self-Encrypting Drives (SED) mitigate performance issues of FDE.

5. USB and Flash Drive Security:

● Firmware exploitation in external storage devices poses significant security risks.

● USB sticks can be vectors for malware infections.
● Careful consideration and user education necessary to mitigate risks.

6. Third-Party Risk Management:

● Importance of vetting supply chain vendors for proper implementation of security

measures.
● Differentiation between vendor and business partner relationships.
● Need for ongoing assessment and management of third-party risks.

7. Organizational Security Agreements:

● Various types of agreements to formalize security responsibilities.

● Memorandum of understanding (MOU), Business partnership agreement (BPA), Non-
disclosure agreement (NDA), Service level agreement (SLA), and Measurement
systems analysis (MSA).
● Legal agreements are essential, but vigilance in ensuring supplier capability is equally
important.
Implement Endpoint Security
1. Hardening:

● Process of configuring OS or applications securely.

● Balances security with access requirements and usability.
● Least functionality principle reduces attack surface.

2. Baseline Configuration and Registry Settings:

● Configuration baselines tailored for different system types.

● Registry stores configuration settings in Windows.
● Group Policy Objects (GPOs) apply settings to domain-joined computers.
● Baseline deviation reporting ensures configuration compliance.

3. Patch Management:

● Vulnerability scanners identify missing patches.

● Automated patch deployment needs cautious implementation.
● Enterprise patch management suites mitigate compatibility issues.
● Legacy and proprietary systems require alternative risk mitigation strategies.

4. Endpoint Protection:

● Configuration of endpoint protection essential for malware detection and prevention.

● Various tools include Antivirus (A-V), Host-Based Intrusion Detection/Prevention
(HIDS/HIPS), Endpoint Protection Platform (EPP), Data Loss Prevention (DLP).
● Deployment involves agent software installation, policy assignment, testing, and
monitoring.

5. Next-Generation Endpoint Protection:

● Focuses on behavioral and anomaly-based analysis.

● Endpoint Detection and Response (EDR) provides real-time visibility and containment.
● Managed Detection and Response (MDR) offers hosted security services.

6. Advanced Malware Tools:

● Analysis beyond automated scanners required for evasive malware.

● Sysinternals and sandboxing are common tools for advanced analysis.
● Sandboxing isolates untrusted hosts/apps for testing in controlled environments.
Explain Embedded System Security Implications

● Embedded Systems:
● Definition: Complete computer systems designed for specific, dedicated
functions.
● Examples: From microcontrollers in medical devices to complex control
systems in industrial plants.
● Characteristics: Static environments with limited flexibility compared to
PCs.
● Security Implications: While static environments can be easier to protect,
identifying and correcting security issues can be challenging.
● Cost, Power, and Compute Constraints:
● Processor capability, system memory, and storage are limited in
embedded systems.
● Cost is a significant factor, driving resource provisioning to the minimum
necessary level.
● Power constraints are crucial, especially for battery-powered devices
needing long operational lifespans.
● Crypto, Authentication, and Implied Trust Constraints:
● Limited compute resources hinder traditional cryptographic technologies'
usage.
● The rise of network accessibility prompts the development of resource-
efficient encryption methods.
● Implied trust models are common in embedded networks due to the lack
of explicit trust anchors like TPMs.
● Network and Range Constraints:
● Network connectivity choices prioritize power-efficient data transfer with
reliability and low latency.
● Unlike Wi-Fi and 4G/5G, embedded systems emphasize power efficiency
over maximizing data rates and range.
● Logic Controllers for Embedded Systems:
● PLCs form the basis of embedded systems, often utilizing System on Chip
(SoC) designs for efficiency and compactness.
● FPGAs offer flexible hardware configuration, suitable for various
applications without the cost of ASICs.
● Real-Time Operating Systems (RTOS):
 ● RTOS are essential for time-sensitive tasks in embedded systems,
requiring stability, reliability, and predictable response times.
● Despite their design for stability, RTOS are still susceptible to CVEs and
exploits.
● Embedded Systems Communications Considerations:
● Adoption of standardized communication technologies is increasing,
enhancing integration with IT networks.
● OT networks and cellular networks serve different purposes, with
considerations for power efficiency, reliability, and security.
● Specialized Systems for Facility Automation:
● BAS integrates various control systems for building automation,
emphasizing physical access control, HVAC, and fire control.
● Vulnerabilities include process and memory vulnerabilities, plaintext
credentials, and code injection via web interfaces.
● Security for Embedded Systems:
● Network segmentation isolates embedded systems from corporate
networks, reducing the risk of infection or exploitation.
● Wrappers like IPSec can secure data in transit, mitigating risks associated
with untrusted networks.
● Firmware patching is challenging due to limited vendor support, manual
update processes, and the need for uninterrupted service.
Implementing Secure Mobile Solutions
Implement Mobile Device Management

Mobile Device Deployment Models:

● BYOD (Bring Your Own Device): Employees use their own devices meeting
company requirements.
● COBO (Corporate Owned, Business Only): Devices owned and used exclusively
for company purposes.
● COPE (Corporate Owned, Personally-Enabled): Company-supplied devices used
for personal and work purposes.
● CYOD (Choose Your Own Device): Employees select devices from a list
provided by the company.
Enterprise Mobility Management (EMM):
● EMM applies security policies to mobile devices and apps.
● Functions include Mobile Device Management (MDM) and Mobile Application
Management (MAM).
● Unified Endpoint Management (UEM) extends management to various device
types.
iOS in the Enterprise:
● Apple's iOS ecosystem requires app approval and distribution through Apple.
● Device Enrollment Program, Volume Purchase Program, and Developer
Enterprise Program facilitate corporate control.
Android in the Enterprise:
● Android's open nature allows for vendor-specific versions and multiple app
sources.
● Android Enterprise program and Samsung's KNOX facilitate EMM control.
Mobile Access Control Systems:
● Screen lock with authentication methods like PIN, password, or biometrics.
● Remote wipe feature to clear stolen devices.
● Full device encryption and management of external media.
Location Services and Geofencing:
● GPS and IPS used for geolocation.
● Geofencing controls device functions based on location.
● GPS tagging poses privacy concerns and risks.
Application Management and Content Management:
● Containerization isolates corporate apps and data.
● Content management prevents unauthorized data sharing.
● Trusted app sources and distribution channels ensure app security.
Rooting and Jailbreaking:
● Rooting (Android) and jailbreaking (iOS) bypass device restrictions.
● Carrier unlocking removes carrier restrictions.
● EMM/UEM detects rooted/jailbroken devices and protects enterprise data.
Implement Secure Mobile Device Connections
● Smartphones and tablets utilize cellular networks for calls and data access, less
prone to monitoring.
● SS7 hack is a notable attack on telecoms networks.
● GPS triangulates device position using signals from satellites, while A-GPS uses
cellular data.
● GPS signals can be jammed or spoofed.
● Wi-Fi and Tethering Connection Methods:
● Mobile devices default to Wi-Fi for data; risks include open access points and
rogue networks.
● Personal Area Networks (PANs) enable connectivity with peripherals; peer-to-
peer functions should generally be disabled for security.
● Ad hoc Wi-Fi connections establish peer-to-peer networks; Wi-Fi Direct allows
one-to-one connections.
● Tethering and Hotspots:
● Smartphones can share their Internet connection, either as hotspots (via Wi-Fi)
or tethering (via USB or Bluetooth).
● Such functionality may be disabled on enterprise networks to prevent security
circumvention.
● Bluetooth Connection Methods:
● Bluetooth enables PANs; known security issues include device discovery,
authentication, and malware.
● Bluejacking and bluesnarfing are potential risks.
● Infrared and RFID Connection Methods:
● Infrared used for device control and sensors in smartphones.
● RFID encodes information into passive tags; risks include skimming and injecting
malicious code.
● Near Field Communications and Mobile Payment Services:
● NFC facilitates short-range communication; vulnerabilities include eavesdropping
and data corruption.
● NFC is used for mobile payments with apps like Apple Pay, Google Pay, and
Samsung Pay.
● USB Connection Methods:
● Android and iOS devices connect to computers via USB for data transfer and
firmware upgrades.
● USB On The Go (OTG) allows ports to function as either host or device; potential
abuses include malware spread and juice-jacking.
● SMS/MMS/RCS and Push Notifications:
● Vulnerabilities in SMS/MMS and RCS could compromise security; push
notifications can be targeted by attackers.
● Firmware Over-the-Air Updates:
 ● Updates to baseband firmware are crucial for security; vulnerabilities can be
exploited through malicious base stations or firmware update processes.
● Microwave Radio Connection Methods:
● Cellular networks use microwave radio links; P2P and P2M modes require
encryption to mitigate interception risks.
Summarizing Secure Application Concepts

Analyze Indicators of Application Attacks

● Application Attacks Overview:

● Application attacks target vulnerabilities in OS or application software.
● Vulnerabilities can allow threat actors to execute arbitrary code or cause
applications to crash.
● Attacks can lead to data compromise, denial of service, or privilege escalation.
● Privilege Escalation:
● Application attacks often aim for arbitrary code execution, allowing attackers to
gain control over systems.
● Privilege escalation involves gaining higher system privileges than initially
assigned.
● Types of privilege escalation:
● Vertical: Accessing functions/data not meant for the user/application.
● Horizontal: Accessing another user's functions/data.
● Indicators: Detected through process logging, incident response, and endpoint
protection agents.
● Error Handling:
● Error messages can reveal vulnerabilities if they disclose sensitive information.
● Examples of error messages include "Instruction could not be read or written"
and "Process has encountered a problem."
● Improper Input Handling:
● Input should be validated to ensure it matches expected data.
● Attacks exploit improperly handled input, often through overflow or injection
techniques.
● Overflow Vulnerabilities:
● Overflow attacks involve submitting input that exceeds allocated memory space.
● Types:
● Buffer Overflow: Filling a buffer with excessive data to overwrite adjacent
memory.
● Integer Overflow: Causing the calculation of a value to exceed bounds,
potentially leading to system compromise.
● Null Pointer Dereferencing and Race Conditions:
● Dereferencing null pointers can lead to crashes or code execution.
● Race conditions occur when events execute out of intended order, potentially
leading to exploitation.
● Memory Leaks and Resource Exhaustion:
● Failure to release memory can lead to resource exhaustion, causing system
instability.
 ● Malicious processes may deliberately exhaust resources to disrupt services or
escalate privileges.
● DLL Injection and Driver Manipulation:
● DLL injection allows malware to force legitimate processes to load malicious
DLLs.
● Attackers exploit this technique to evade detection and move between
processes.
● Pass the Hash Attack:
● Involves harvesting cached credentials to authenticate to other systems.
● Exploits legitimate network protocols like NTLM for lateral movement.
● Difficult to detect as it leverages standard network behavior.
Analyze Indicators of Web Application Attacks
● Web Application Attacks Analysis Study Notes:
Uniform Resource Locator (URL) Analysis:
● URLs encode actions or data for server submission.
● Malicious activities often exploit this vector.
● Understanding URL structure aids in identifying malicious intent.
HTTP Methods:
● HTTP session starts with client request to server.
● Key methods: GET, POST, PUT, DELETE, HEAD.
● Data submitted via URL or HTTP headers/body.
Percent Encoding:
● Allows submission of safe or unsafe characters in URLs.
● Misuse can obfuscate URLs or exploit server decoding weaknesses.
● Common characters and their percent encoding.
Application Programming Interface (API) Attacks:
● APIs automate services; must be secured (HTTPS).
● Common attacks: ineffective secrets management, lack of input validation, error
message exposure, denial of service.
Replay Attacks:
● Session management essential for user identification.
● Vulnerable to replay attacks; tokens must be non-predictable.
Cross-Site Request Forgery (CSRF):
● Exploits authenticated user sessions.
● Attackers mimic user actions to perform unauthorized actions.
Clickjacking:
● Maliciously overlays trusted web pages to deceive users into clicking.
● Mitigation through HTTP response headers and proper page design.
SSL Strip:
● Intercepts HTTP requests and downgrades them to HTTP, capturing sensitive
data.
● Mitigation through HSTS implementation.
Cross-Site Scripting (XSS):
● Exploits trust in user-generated content.
● Types: reflected, stored, DOM-based.
● Allows execution of malicious scripts in client browsers.
Structured Query Language (SQL) Injection Attacks:
● Exploits vulnerabilities in SQL queries to execute unauthorized commands.
● Can lead to data extraction, insertion, or system compromise.
Directory Traversal and Command Injection Attacks:
● Exploits flaws in file path handling to access restricted directories or execute
unauthorized commands.
● Canonicalization attacks disguise malicious input.
Server-Side Request Forgery (SSRF):
● Causes server to execute arbitrary requests.
● Exploits lack of authentication between internal servers and weak input
validation.
Summarize Secure Coding Practices
Introduction to Secure Coding Practices:

● Understanding secure application development, deployment, and

automation concepts.
● Integration of security into development processes for effective
DevSecOps.
Secure Coding Techniques:
● Emphasizing security considerations in new programming technologies
before deployment.
● Modern development practices incorporate security development life
cycles alongside functionality and usability.
● Examples: Microsoft's SDL, OWASP SAMM, Security Knowledge
Framework, and OWASP Top 10.
Input Validation:
● Key practice to mitigate attacks exploiting faulty input.
● Includes user data input, URLs, or HTTP headers.
● Mitigation involves documenting input methods and rejecting non-
conforming input.
Normalization and Output Encoding:
● Normalization ensures input string conformity before processing.
● Output encoding ensures safe re-encoding of strings for different
contexts, preventing attacks like XSS.
Server-Side versus Client-Side Validation:
● Applications can perform validation locally (client-side) or remotely
(server-side).
● Server-side validation is essential for comprehensive security, despite
potential time constraints.
Web Application Security:
● Focus on secure cookies and HTTP response header security options.
● Parameters for SetCookie header and security options for response
headers.
Data Exposure and Memory Management:
● Protecting privileged data transmission with cryptography.
● Implementing error handling and structured exception handling to prevent
code execution vulnerabilities.
Secure Code Usage:
 ● Practices including code reuse, third-party libraries, SDKs, and stored
procedures.
● Monitoring and patching vulnerabilities in external code sources.
Unreachable Code and Dead Code:
● Identifying and removing unreachable code to maintain application
integrity.
● The importance of code maintenance and removal of dead code to
prevent misuse.
Obfuscation/Camouflage:
● Use of obfuscators to obscure code for security purposes, making reverse
engineering difficult.
Static and Dynamic Code Analysis:
● Static code analysis for identifying vulnerabilities in source code.
● Human and dynamic analysis to identify runtime vulnerabilities and stress
test applications.
Implement Secure Script Environments
Exam Objectives Covered:
1.4 Analyze potential indicators associated with network attacks
3.2 Implement host or application security solutions

4.1 Use the appropriate tool to assess organizational security

Scripting for Security Automation:

● Scripts automate tasks, reducing errors and ensuring consistent configurations.

● Elements of a script include parameters, branching and looping statements, validation,
error handlers, and unit tests.
● Popular scripting languages for automation: PowerShell, Python, JavaScript, Ruby, and
Go.

Python Script Environment:

● Python uses indentation for block structure and colons to start blocks.
● Variables are assigned using the = operator.
● Functions are defined using the def keyword.
● Logic and looping statements include if, else, elif, for, and while.

PowerShell Script Environment:

● Preferred for Windows administration tasks and increasingly used by hackers.

● Cmdlets perform administrative tasks with a Verb-Noun naming convention.
● Supports branching and looping structures like switch and do statements.
● Case-insensitive and supports textual operators.

Execution Control:

● Implemented through allow lists (restrictive) or block lists (permissive).

● Code signing authenticates and ensures integrity of code.
● OS-based execution control includes Software Restriction Policies (SRP), AppLocker,
and Windows Defender Application Control (WDAC).

Malicious Code Indicators:

● Indicators include shellcode, credential dumping, lateral movement, and persistence.

 ● PowerShell indicators include specific cmdlets, bypassing execution policy, and system
calls.
● Mitigation strategies include group policy restrictions, logging, and PowerShell version
control.

Bash and Python Malicious Indicators:

● Linux exploits often target weak configurations or vulnerabilities in web applications.

● Common indicators include downloading tools, adding crontab entries, adding users,
changing firewall rules, and executing reverse shells.

Macros and VBA:

● Macros in documents (e.g., Word, PDF) execute code and can be used maliciously.
● Visual Basic for Applications (VBA) is used in Microsoft Office documents.
● Mitigation involves disabling macros by default and user education.

Man-in-the-Browser Attack:

● Browser compromise allows attackers to intercept and manipulate browser activity.

● Attackers install malicious plug-ins or scripts or exploit vulnerabilities in websites to
execute code on clients' browsers.
Summarize Deployment and Automation Concepts

Agile Methodologies and Continuous

Integration/Deployment:
● Most organizations use Agile methodologies.
● Agile involves continuous integration, delivery, and deployment.
● Supports creation of secure development and staging environments.
● Utilizes provisioning and deprovisioning tools.
● DevSecOps Culture:
● Combines development, security, and operations expertise.
● Promotes automation for security tasks.
● Automation completes administrative tasks without human intervention.
● Scalability and Elasticity:
● Scalability ensures linear costs with increased users.
● Elasticity handles changes in demand in real time, reducing costs during low
demand.
● Secure Application Development Environments:
● Security must be integral to the design process.
● Software Development Life Cycle (SDLC) divides software creation into phases.
● Two main SDLCs: waterfall model and Agile development.
● Quality Assurance (QA):
● Testing to ensure compliance with requirements and expectations.
● Driven by risk-based assessments and compliance factors.
● Development Environments:
● Development, test/integration, staging, and production environments.
● Each environment serves specific purposes in the SDLC.
● Secure Development Environments:
● Segmented environments prevent connections outside the sandbox.
● Each environment should match a secure configuration baseline.
● Integrity measurement ensures environments match the baseline.
● Provisioning, Deprovisioning, and Version Control:
● Provisioning deploys applications to target environments.
● Deprovisioning removes applications from packages or instances.
● Version control tracks iterations of software products.
● Continuous Integration (CI):
● Developers commit and test updates often to reduce conflicts.
● Automated test suite validates builds quickly.
● Continuous Delivery and Deployment:
● Continuous delivery tests infrastructure supporting the app.
● Continuous deployment makes changes to the production environment.
● Continuous Monitoring and Automated Courses of Action:
● Continuous monitoring detects service failures and security incidents.
● Automated actions can be configured based on monitoring results.
● Continuous Validation and Software Diversity:
● Verification ensures compliance with design goals.
● Validation determines if the application meets user requirements.
● Software diversity includes compiled and interpreted code approaches.
● Obfuscation techniques can make code difficult to detect as malicious.
● Security by diversity can mitigate risks from less motivated threat actors.
Implementing Secure Cloud Solutions

Summarize Secure Cloud and Virtualization

Services
● Cloud Computing Solutions:
○ Implement hybrid solutions combining
public/private/community/hosted/onsite/offsite components.
○ Example: A travel organization may use a private cloud for most of the year but
switch to a public cloud during peak demand periods.
○ Flexibility is a key advantage, but data risk implications must be understood
when moving data between storage environments.
● Cloud Service Models:
○ Differentiated by ownership (public, private, hybrid, community) and level of
complexity/pre-configuration.
○ Common models: Infrastructure as a Service (IaaS), Software as a Service
(SaaS), Platform as a Service (PaaS).
● Infrastructure as a Service (IaaS):
○ Provision IT resources like servers, load balancers, and storage quickly.
○ Rent components on an as-needed basis from service providers.
○ Examples: Amazon EC2, Microsoft Azure Virtual Machines, Oracle Cloud,
OpenStack.
● Software as a Service (SaaS):
○ Access software hosted on supplier's servers on a pay-as-you-go basis.
○ Eliminates need for purchasing software licenses.
○ Examples: Microsoft Office 365, Salesforce, Google G Suite.
● Platform as a Service (PaaS):
○ Provides servers, storage, and web application/database platform.
○ Requires developers to create software to run on the platform.
○ Examples: Oracle Database, Microsoft Azure SQL Database, Google App
Engine.
● Anything as a Service (XaaS):
○ Reflects the idea that anything can be provisioned as a cloud service.
○ Includes Database as a Service, Network as a Service, etc.
○ Security considerations: Responsibilities vary between security in the cloud and
security of the cloud.
● Security as a Service:
○ Includes consultants, Managed Security Services Providers (MSSP), Security as
a Service (SECaaS).
○ Third-party support for improving security awareness and capabilities.
● Virtualization Technologies:
 ○ Virtualization allows multiple operating systems to run simultaneously on a single
computer.
○ Components: Host hardware, Hypervisor/Virtual Machine Monitor (VMM), Guest
operating systems/VMs.
○ Two methods: Host-based (Type II hypervisor) and bare metal (Type I
hypervisor).
● Virtual Desktop Infrastructure (VDI):
○ Uses VMs to provision corporate desktops, replacing traditional desktop
computers.
○ Thin client computers connect to VMs stored on company servers.
● Application Virtualization and Container Virtualization:
○ Application virtualization hosts applications on servers or streams them to clients
for local processing.
○ Container virtualization enforces resource separation at the operating system
level, supporting microservices and serverless architecture.
● VM Escape Protection:
○ Refers to malware jumping from a guest OS to another guest or to the host.
○ Detection methods and implications for security.
● VM Sprawl Avoidance:
○ Treating each VM as a network host and implementing security policies and
controls.
○ Challenges of VM sprawl and deployment of undocumented assets.
○ Use of Virtual machine life cycle management (VMLM) software and tight
management procedures to avoid sprawl.
Apply Cloud Security Solutions
Secure Authentication and Authorization:

● Require strong multifactor authentication (MFA) for interactive logons.

● Use conditional authentication to deny or warn of risky account activity.
● Programmatic access to cloud services is enabled by assigning a secret key to the
account, not the ordinary account credential.
● Secret keys must be securely transferred to the host and stored securely.

Cloud Compute Security:

● Cloud resources are abstracted from physical hardware through virtualization.

● Compute component provides process and system memory resources as required.
● Virtualization layer ensures dynamic resource allocation.
● Critical security considerations:
○ Container Security: Isolation through separate namespaces and control groups.
○ API Inspection and Integration: Monitoring requests, latency, error rates, and
unauthorized endpoints.
○ Instance Awareness: Managing instances to avoid sprawl, configuring logging,
and monitoring.

Cloud Storage Security:

● Cloud storage abstracts underlying hardware to provide required storage types.

● Performance metrics include IOPS.
● Permissions and Resource Policies: Configured to allow reads and writes only from
authorized endpoints.
● Encryption: Equates to full disk encryption (FDE) on-premises, minimizes data loss risk.

High Availability:

● Cloud provides resilient services through redundancy and replication.

● Storage tiers include high availability (HA) with 99.99% uptime.
● Replication options: Local, regional, geo-redundant storage.

Cloud Networking Security:

● CSP establishes a virtualization layer for network isolation.

● Virtual Private Clouds (VPCs): Isolated networks, each with its own CIDR block and
subnets.
● Public and Private Subnets: Configured with Internet gateways for public access.
● VPC Endpoints: Gateway and interface endpoints for private service access.

Cloud Firewall Security:

 ● Firewalls determine traffic acceptance or denial.
● Filtering based on packet headers and payload contents.
● Security Groups in AWS for packet filtering and segmentation.

Cloud Access Security Brokers (CASB):

● Mediate access to cloud services, provide visibility, enforce access controls.

● Implemented as forward proxy, reverse proxy, or API-based.

Next-Generation Secure Web Gateway:

● Combines functionalities of secure web gateway (SWG), data loss prevention (DLP),
and CASB.
● Supports architecture defined as secure access service edge (SASE).
Summarize Infrastructure as Code Concepts
● Infrastructure as Code (IaC) concepts:
○ Virtualization and cloud computing enable continuous delivery models for
automation and service integration.
○ Provisioning networks and hosts to support application services can be achieved
through Infrastructure as Code.
● Service Integration and Microservices:
○ Traditional network architecture focused on server machines and intermediate
network systems.
○ Virtualization reduces dependency on physical placement and operating
systems.
○ Service-Oriented Architecture (SOA) emphasizes atomic services mapped to
business workflows with clear input/output interfaces.
○ Microservices are highly decoupled, capable of independent development,
testing, and deployment.
● Services Integration and Orchestration:
○ Orchestration tools automate sequences of tasks, such as provisioning and
configuring VMs.
○ Orchestration requires proper sequencing, security credentials, and permissions.
○ Third-party orchestration platforms offer protection from vendor lock-in and
support multi-cloud environments.
● Application Programming Interfaces (APIs):
○ APIs enable service integration, automation, and orchestration.
○ SOAP uses XML messaging with built-in error handling, while REST offers a
looser architectural framework.
● Serverless Architecture:
○ Serverless design pattern runs applications as functions and microservices in the
cloud.
○ Billing is based on execution time, and services are provisioned dynamically.
○ Functions as a Service (FaaS) products include AWS Lambda, Google Cloud
Functions, and Microsoft Azure Functions.
● Infrastructure as Code (IaC):
○ IaC replaces manual configuration with automation and orchestration, ensuring
consistency and idempotence.
● Software-Defined Networking (SDN):
○ SDN abstracts network functions into control, data, and management planes.
○ SDN applications define policies implemented by a network controller, facilitating
rapid deployment and automation.
● Software-Defined Visibility (SDV):
○ SDV collects real-time data about network traffic and host configurations for
improved anomaly detection and incident response.
● Fog and Edge Computing:
○ Fog computing places processing resources close to IoT sensors to address
latency and bandwidth requirements.
○ Edge computing incorporates fog computing concepts, focusing on edge devices,
gateways, fog nodes, and cloud/data center layers for data processing and
storage.
Explaining Data Privacy and Protection Concepts

Explain Privacy and Data Sensitivity Concepts

● Privacy and Data Sensitivity Concepts:
○ Importance of privacy and data sensitivity in enterprise security.
○ Policies and procedures are crucial alongside technical controls for compliance.
○ Privacy considerations extend to agreements with external partners, suppliers,
and customers.
● Privacy versus Security:
○ Privacy focuses on personal data governance and compliance.
○ Security ensures confidentiality, integrity, and availability (CIA) of data.
○ Privacy policies involve identifying, securing, and managing access to personal
data.
● Information Life Cycle Management:
○ Creation/collection: Data classification and tagging.
○ Distribution/use: Access control for authorized users and third parties.
○ Retention: Archiving data for regulatory reasons.
○ Disposal: Sanitizing media to remove data remnants.
● Data Roles and Responsibilities:
○ Data owner: Ultimate responsibility for information asset confidentiality, integrity,
and availability.
○ Data steward: Responsible for data quality and metadata.
○ Data custodian: Manages storage system and access controls.
○ Data Privacy Officer (DPO): Oversees management of personally identifiable
information (PII).
● Data Classifications:
○ Public, Confidential, Critical classifications based on confidentiality.
○ Proprietary, Personal, Sensitive classifications based on data type and
sensitivity.
● Data Types:
○ Personally Identifiable Information (PII) includes unique identifiers and personal
data.
○ Customer Data, Health Information, Financial Information, and Government Data
have specific privacy considerations.
● Privacy Notices and Data Retention:
○ Informed consent required for data collection and processing.
○ Privacy notices describe data usage purposes and limitations.
○ Data retention policies comply with business needs and legal regulations.
● Data Sovereignty and Geographical Considerations:
○ Data sovereignty regulates processing and storage jurisdiction.
○ Geographic access requirements ensure compliance with privacy laws across
regions.
● Privacy Breaches and Data Breaches:
○ Breaches result in reputation damage, identity theft, fines, and intellectual
property theft.
○ Escalation and public notification are essential steps in breach response.
● Data Sharing and Privacy Terms of Agreement:
○ SLAs, ISAs, NDAs, and data sharing agreements establish security protocols
and responsibilities between parties.
Explain Privacy and Data Protection Controls
Privacy and Data Protection Controls:

Data Protection:

● Data can be categorized into three states:

○ Data at rest: Stored in persistent storage media. Examples include financial
information in databases, archived media, operational policies, etc.
○ Data in transit: Data being transmitted over a network, like website traffic or
remote access traffic.
○ Data in use: Present in volatile memory like system RAM or CPU cache, such as
documents open in applications or database data being modified.
● Encryption is a key mechanism to protect data at rest, in transit, and in use.
● Transport encryption protocols like TLS or IPSec safeguard data in transit.
● Trusted execution environment (TEE) mechanisms, like Intel Software Guard
Extensions, encrypt data in memory to prevent unauthorized access.

Data Exfiltration:

● Unauthorized copying or retrieval of data from a system is termed data exfiltration.

● Methods include copying data to removable media, using network protocols like HTTP or
FTP, communicating orally over phones or VoIP, or using pictures/videos of data.
● Mitigation involves encrypting data at rest, maintaining offsite backups, implementing
access controls, restricting network channels, and educating users about document
confidentiality and encryption.

Data Loss Prevention (DLP):

● DLP products automate discovery, classification, and enforcement of data protection

rules.
● Components include policy server, endpoint agents, and network agents.
● DLP agents scan content in structured (e.g., databases) and unstructured (e.g., emails)
formats, applying rules to prevent unauthorized viewing or transfer.
● Remediation mechanisms include alerts, blocking, quarantine, and tombstone actions.
Rights Management Services:

● Information Rights Management (IRM) in Microsoft Office suite restricts file permissions
and forwarding, integrating with Active Directory Rights Management Services (RMS) or
Azure Information Protection.

Privacy Enhancing Technologies:

● Data minimization principle ensures only necessary data is processed and stored.
● Deidentification methods like tokenization, aggregation, hashing, and salting protect
privacy by removing or modifying identifying information.
● K-anonymity ensures data can't be linked to fewer than 'k' individuals, reducing
reidentification risks.
● Deidentification methods are often implemented within database management systems
(DBMS).
Performing Incident Response

Summarize Incident Response Procedures

● Importance of Policies, Processes, and Procedures
○ Formal policies and procedures govern effective incident response.
○ Understanding and following procedures is crucial.
● Incident Response Process
○ Follows a structured process: Preparation, Identification, Containment,
Eradication, Recovery, Lessons learned.
● Cyber Incident Response Team (CIRT)
○ Establishes policies, procedures, and resources for dealing with security
breaches.
○ Challenges include defining and categorizing incidents.
● Communication Plan and Stakeholder Management
○ Clear communication channels are vital.
○ Ensure secure communication within the team.
○ Manage stakeholder communications effectively.
● Incident Response Plan (IRP)
○ Lists procedures, contacts, and resources for responders.
○ Develops profiles or scenarios of typical incidents.
● Allocation of Resources
○ Assess incidents based on severity and prioritize for remediation.
○ Consider factors like data integrity, downtime, economic impact, scope, detection
time, and recovery time.
● Cyber Kill Chain Attack Framework
○ Describes stages of an attack: Reconnaissance, Weaponization, Delivery,
Exploitation, Installation, Command and control, Actions on objectives.
● Other Attack Frameworks
○ MITRE ATT&CK: Provides database of known TTPs.
○ Diamond Model of Intrusion Analysis: Analyzes intrusion events based on
adversary, capability, infrastructure, and victim.
● Incident Response Exercises
○ Tabletop, Walkthroughs, Simulations help develop competencies and identify
deficiencies.
● Incident Response vs. Disaster Recovery and Business Continuity
○ Incident response focuses on specific security incidents, distinct from disaster
recovery and business continuity planning.
● Incident Response, Forensics, and Retention Policy
○ Forensics procedures differ from incident response; retention policy crucial for
retrospective incident handling.
Utilize Appropriate Data Sources for Incident
Response
Analysis and Incident Identification:

● After notification, CIRT or responsible individuals must analyze the event.

● Determine if a genuine incident occurred and its priority level.
● Analysis involves identifying the incident type and affected data/resources.
● Incident management database should record event indicators, nature, impact, and
investigator.
● Next phase is to decide an appropriate response.

Security and Information Event Management (SIEM):

● SIEM, coupled with an attack framework, helps locate indicators of malicious activity.
● SIEM parses network traffic and log data from various sources and normalizes
information.
● Correlation rules in SIEM detect potential incidents by interpreting relationships between
data points.
● Correlation rules use logical expressions (AND, OR) and operators (==, <, >, in) to
match conditions.
● SIEM can be configured with a threat intelligence feed for associating network data with
known threat actor indicators.
● Retention policies in SIEM enable historical data storage for incident and threat hunting.

SIEM Dashboards:

● Main source of automated alerts in SIEM.

● Provides console for day-to-day incident response.
● Dashboards can be customized for different purposes (e.g., incident handler's
dashboard vs. manager's dashboard).

Sensitivity and Alerts:

● Challenges in operating SIEM include tuning system sensitivity to reduce false positives.
● False negatives occur when indicators that should raise alerts are ignored.
● Correlation rules assign criticality levels to matches: log only, alert, alarm.

Sensors:

● Sensors perform packet capture and intrusion detection.

● SIEM aggregates data from multiple sensors and log sources.

Trend Analysis:
 ● Detect patterns or indicators within a data set over time.
● Trend analysis applied to frequency, volume, or statistical deviation of events.

Logging Platforms:

● SIEM aggregates log data from network appliances and hosts.

● Log data can be collected using local agents or forwarding systems.
● Syslog provides open format, protocol, and server software for logging event messages.

Metadata:

● Properties of data created, stored, or transmitted.

● Useful in investigating incidents for establishing timeline and other types of evidence.
● Includes file, web, email, mobile metadata.

Network Data Sources:

● Analyzed at individual frame level or using traffic flow and protocol usage statistics.
● Protocol analyzer output and Netflow/IPFIX capture metadata and statistics about
network traffic.
● sFlow measures traffic statistics using sampling at any OSI layer.
Apply Mitigation Controls
Mitigation Overview:

● Mitigation techniques are applied to contain, eradicate, and recover from malicious
activity.
● Incident response balances eliminating intrusion without disrupting business workflows.

Incident Containment:

● No standard approach; varies based on scenario, tech, motivations, and severity.

● Consider loss control, countermeasures' costs, implications, and evidence preservation.
● Containment includes isolation-based or segmentation-based techniques.

Isolation-Based Containment:

● Remove affected components from the larger environment.

● Options include disconnecting host from network, VLAN routing, firewall rules, or
disabling user accounts or services.
● Effective for containing damage and preventing further access.

Segmentation-Based Containment:

● Uses network technologies (VLANs, routing, firewalls) to isolate hosts.

● Can configure as sinkhole or honeynet for deceptive communication with attackers.
● Reverse engineering malware can aid in deception and attribution.

Incident Eradication and Recovery:

● Apply mitigation to remove intrusion tools and unauthorized changes.

● Recover systems to pre-incident state; ensure no similar attack vectors remain.
● Steps include system reconstitution, security control re-audit, and notifying affected
parties.

Firewall and Content Filter Configuration Changes:

● Update rules to block known attack vectors.

● Apply egress filtering to prevent malware communication.
● Use URL, content filtering, and DNS restrictions to enhance security.

Data Loss Prevention (DLP) and Mobile Device Management (MDM):

● DLP restricts data copying; MDM controls smartphone features.

● Address misconfigurations or backdoors to prevent circumvention.

Certificate Management and Endpoint Configuration Changes:

 ● Revoke compromised certificates and update endpoint security configurations.
● Address vulnerabilities, weak configurations, and unauthorized changes.

Application Allow/Block Lists and Quarantine:

● Define policies for application execution control.

● Quarantine endpoints for analysis if mitigation fails.

Security Orchestration, Automation, and Response (SOAR):

● Automate incident response workflows using SOAR platforms.

● Create specific playbooks for different incident types; automate where possible.

Adversarial Artificial Intelligence:

● Adversarial AI manipulates systems by injecting noise or deceptive samples.

● Successful attacks depend on knowledge of target algorithms.
● Mitigation includes algorithm secrecy, filter development, and training systems to
recognize adversarial examples.
Explaining Digital Forensics

Explain Key Aspects of Digital Forensics

Documentation
● Digital Forensics Documentation:
○ Documentation is essential for collecting, preserving, and presenting valid digital
proofs.
○ Mistakes or gaps in documentation can lead to evidence being dismissed.
○ Understanding key aspects of forensics documentation is crucial for effective
assistance to investigators.
● Evidence, Documentation, and Admissibility:
○ Digital evidence, like DNA or fingerprints, is latent and must be interpreted using
machines or processes.
○ Admissibility of digital evidence requires documentation showing how it was
collected and analyzed without tampering or bias.
○ Due process ensures fairness in forensic investigations and trial proceedings,
requiring procedural safeguards.
● Legal Hold:
○ Legal hold mandates the preservation of information relevant to a court case.
○ Information subject to legal hold might be defined by regulators, litigation notices,
or industry best practices.
● Chain of Custody:
○ Documentation ensures the integrity and proper handling of evidence from
collection to presentation.
○ Chain of custody protects against accusations of evidence tampering or
alteration.
● Digital Forensics Reports:
○ Summarize significant digital data contents and investigator analysis conclusions.
○ Ethical principles guide forensic analysis, emphasizing unbiased analysis and
repeatability of methods.
● E-Discovery:
○ Filters relevant evidence from forensic examination data for use as trial evidence.
○ Tools assist in de-duplication, search, tagging, security, and disclosure of
evidence.
● Video and Witness Interviews:
○ Document the crime scene with photographs, audio, and video recordings.
○ Interview witnesses to gather information and establish a clear understanding of
the incident circumstances.
● Timelines:
○ Establish chronological order of events to create a verifiable narrative.
 ○ Consider time stamp calculation methods, offsets between local and UTC time,
and potential clock synchronization issues.
● Event Logs and Network Traffic:
○ Obtain event logs and network packet captures for investigation.
○ Ensure accuracy and integrity of captured data, especially in SIEM environments.
● Strategic Intelligence and Counterintelligence:
○ Forensics aids in cybersecurity by detecting past or ongoing intrusions.
○ Counterintelligence analyzes adversary tactics to configure logging systems
effectively.
○ Strategic intelligence informs risk management and security control provisioning
for mature cybersecurity capabilities.
Explain Key Aspects of Digital Forensics Evidence
Acquisition
● Evidence Acquisition in Digital Forensics:
○ Processes and tools are used to obtain digital evidence from computer hosts and
networks.
○ Demonstration of how evidence was acquired and ensuring it's a true copy of the
system state is crucial.
○ Familiarity with acquisition processes and tools enables effective assistance to
investigators.
● Data Acquisition and Order of Volatility:
○ Acquisition involves obtaining a forensically clean copy of data from a device
held as evidence.
○ Legality of search or seizure impacts BYOD policies and evidence admissibility.
○ Data is acquired in order of volatility, capturing evidence from more volatile to
less volatile storage.
● Digital Forensics Software:
○ Tools assist in acquisition, documentation, and analysis of digital evidence.
○ Commercial tools like EnCase Forensic, FTK, and open-source tools like Sleuth
Kit and Volatility Framework are commonly used.
● System Memory Acquisition:
○ Volatile data in system memory is obtained through live acquisition or crash
dumps.
○ Memory dumps capture processes, registry data, network connections, and
encrypted data for analysis.
● Disk Image Acquisition:
○ Nonvolatile data from storage devices like HDDs, SSDs, and optical media is
acquired.
○ Methods include live acquisition, static acquisition by shutdown, or pulling the
plug to preserve storage devices.
● Preservation and Integrity of Evidence:
○ Evidence must conform to a valid timeline and be tightly controlled to prevent
tampering.
○ Write blockers prevent alterations to data during acquisition, ensuring evidence
integrity.
● Acquisition of Other Data:
○ Additional sources like network packet captures, cache, artifacts, and firmware
may contain valuable forensic data.
○ Data recovery methods like file carving and snapshots are used to extract
evidence.
● Digital Forensics for Cloud:
○ Cloud investigations face challenges due to the on-demand nature of services
and jurisdiction issues.
○ Chain of custody and data sovereignty complexities require close coordination
with cloud service providers (CSPs) for evidence retrieval.
Summarizing Risk Management Concepts

Explain Risk Management Processes and Concepts

● Risk Management Processes:
○ Identify mission essential functions
■ Focus on critical functions to prevent business failure
■ Identify critical systems and assets supporting these functions
○ Identify vulnerabilities
■ Analyze systems and assets for weaknesses
○ Identify threats
■ Identify potential threat sources and actors
○ Analyze business impacts
■ Assess likelihood of vulnerability activation
■ Evaluate impact on critical systems
○ Identify risk response
■ Determine countermeasures and assess cost
● Risk Types:
○ External
■ Threat actors and wider threats (e.g., natural disasters)
○ Internal
■ Risks from assets and workflows within the organization
○ Multiparty
■ Risks affecting multiple organizations, often from supplier relationships
○ Intellectual Property (IP) Theft
■ Loss of valuable organizational data
○ Software Compliance/Licensing
■ Breaking EULA terms leading to fines
○ Legacy Systems
■ Risks from outdated systems lacking security updates
● Quantitative Risk Assessment:
○ Assign concrete values to risk factors
○ Calculate Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE)
● Qualitative Risk Assessment:
○ Focus on identifying significant risk factors
○ Categorize assets and risks for simplicity
● Risk Management Strategies:
○ Inherent risk and security controls
○ Regulatory requirements and high-value assets
○ Threats with high likelihood and risk factors
● Risk Avoidance and Transference:
○ Avoiding risk-bearing activities or transferring risk to third parties
● Risk Acceptance and Appetite:
○ Accepting or tolerating certain risks based on cost or unavoidable delay
○ Assessing institution-wide tolerance for residual risk
● Control Risk:
○ Measure of security control effectiveness over time
● Risk Awareness:
○ Articulate risk scenarios for clear understanding by stakeholders
● Risk Register:
○ Documenting risk assessments comprehensively
○ Sharing risk information among stakeholders
Explain Business Impact Analysis Concepts
● Business Impact Analysis (BIA) informs risk assessment by documenting workflows,
critical assets, and systems.
● BIA assesses potential losses for various threat scenarios, aiding in quantifying losses
from specific events like DDoS attacks.
● Business continuity planning (BCP) ensures critical workflows can continue despite
adverse events, while continuity of operations planning (COOP) refers to similar
activities in government agencies.
● Mission essential functions (MEF) are crucial functions that cannot be deferred, requiring
continuous operation or immediate restoration in case of disruption.
● Primary business functions (PBF) support MEF but are not critical on their own.
● Metrics for MEF include Maximum Tolerable Downtime (MTD), Recovery Time Objective
(RTO), Work Recovery Time (WRT), and Recovery Point Objective (RPO).
● Identification of critical systems involves compiling an inventory of business processes
and supporting assets.
● Single Points of Failure (SPoF) are assets whose failure can disrupt entire workflows
and can be mitigated through redundancy.
● Key performance indicators (KPIs) like Mean Time to Failure (MTTF), Mean Time
Between Failures (MTBF), and Mean Time to Repair (MTTR) help assess asset
reliability and recovery time.
● Disasters can be internal or external, person-made or environmental, with disaster
recovery plans (DRPs) detailing procedures for system or site recovery.
● DRPs should identify scenarios, tasks, resources, responsibilities, and train staff, also
addressing stakeholder communication and legal requirements.
● Functional recovery plans are assessed through walk-throughs, tabletop exercises,
functional exercises, and full-scale exercises.
Implementing Cybersecurity Resilience

Implement Redundancy Strategies

● Risk assessments and business impact analysis identify vulnerable business processes,
leading to the implementation of redundancy strategies to reduce risks.
● High availability, measured as the percentage of time a system is online over a defined
period, is crucial for resilient systems.
● Scalability and elasticity allow systems to cope with rapid growth in demand, achieved
through scaling out or scaling up resources.
● Fault tolerance ensures systems can continue providing service despite failures, often by
provisioning redundancy for critical components.
● Power redundancy strategies include dual power supplies, managed power distribution
units (PDUs), battery backups, uninterruptible power supplies (UPSs), and generators.
● Network redundancy techniques such as NIC teaming, switching and routing
redundancy, and load balancers ensure continuous network operation.
● Disk redundancy, typically achieved through RAID configurations, ensures servers can
keep functioning even if storage devices fail.
● Multipath I/O ensures controller redundancy and multiple network paths to storage
devices, enhancing reliability.
● Data replication maintains exact copies of data at multiple locations, providing
redundancy and ensuring data availability in case of disasters.
● Geographical dispersal and replication involve replicating data across physically distant
sites to protect against natural disasters and ensure data consistency.
● Synchronous replication writes data to all replicas simultaneously, while asynchronous
replication copies data to replicas at scheduled intervals.
● Cloud services offer built-in redundancy and replication, providing high availability
without the need for expensive on-premises infrastructure.
Implement Backup Strategies
Backups and Retention Policy:

● Short-term retention for version control and malware recovery.

● Long-term retention for legal compliance or policy requirements.
● Determined by frequency of overwriting youngest media sets.

Backup Types:

● Full, incremental, and differential backups.

● Full backup: all selected data regardless of previous backups.
● Incremental backup: new and modified files since last backup.
● Differential backup: all new and modified files since last full backup.

Copy Backups:

● Made outside tape rotation system.

● Do not affect archive attribute.

Snapshots and Images:

● Snapshots for open file backup.

● Utilizes Volume Shadow Copy Service (VSS) in Windows.
● Images duplicate OS installation for quick redeployment.

Backup Storage Issues:

● Same confidentiality, integrity, and availability as live data.

● Encryption for data confidentiality on stolen media.

Offsite Storage:

● Plan for natural disasters.

● Distance consideration for offsite storage.
● High-bandwidth Internet and cloud storage options.

Online vs. Offline Backups:

● Online: Instant availability, vulnerable to ransomware.

● Offline: Better security, manual connection required.

3-2-1 Rule:

● Three copies of data, across two media types, with one offline and offsite.

Backup Media Types:

 ● Disk, NAS, tape, SAN, and cloud.
● Advantages and disadvantages for different scenarios.

Restoration Order:

● Controlled restoration order to minimize service disruption.

● Power systems, network infrastructure, security appliances, servers, applications,
clients.

Nonpersistence:

● Ensure artifacts from disaster are removed.

● Mechanisms: snapshot/revert, rollback, live boot media.
● Master image vs. automated build from template for provisioning.

Configuration Validation:

● Validate recovery solution at each layer.

● Dashboard for key indicators and compliance metrics.
Implement Cybersecurity Resiliency Strategies
● Importance of Security Concepts in an Enterprise Environment:
○ Effective site management and cybersecurity resilience rely on change control
and configuration management.
○ Lack of updated documentation can lead to confusion, errors, and delays in
incident response and disaster recovery.
○ Implementation of techniques like defense in depth and control diversity is crucial
for resilient systems.
○ Deception and disruption tactics increase the cost of attacks, deterring threat
actors.
● Configuration Management:
○ Ensures ICT infrastructure components remain in a trusted state.
○ Change control and management reduce the risk of service disruption from
component changes.
○ ITIL framework outlines elements of configuration management: service assets,
Configuration Item (CI), baseline configuration, and Configuration Management
System (CMS).
● Asset Management:
○ Tracks critical systems, components, and devices.
○ Involves collecting and analyzing information for informed decision-making.
○ Asset identification and standard naming conventions improve consistency and
automation.
● Internet Protocol (IP) Schema:
○ Subnet division planning enhances firewall ACLs and security monitoring.
○ Identifies IP address allocation methods and usage monitoring using IPAM
software.
● Change Control and Change Management:
○ Change control requests and approves changes in a planned manner.
○ Reactive or proactive changes categorized based on impact and risk.
○ Formal change management process involves RFC submission and approval.
● Site Resiliency:
○ Provisioning resiliency at the site level involves alternate processing or recovery
sites.
○ Failover techniques ensure redundant components maintain service availability.
○ Site resiliency levels include hot, warm, and cold sites, each with varying
deployment times and costs.
● Diversity and Defense in Depth:
○ Layered security improves cybersecurity resilience by providing control diversity.
○ Technology, control, vendor, and crypto diversity reduce attack surface and
increase attack cost.
○ Active defense strategies like honeypots and honeyfiles lure attackers and gather
threat intelligence.
○ Disruption strategies raise attack cost and tie up adversary resources, e.g.,
bogus DNS entries, decoy directories, and DNS sinkholes.
Explaining Physical Security

Explain the Importance of Physical Site Security

Controls
Importance of Physical Site Security Controls:

● Physical access to premises opens opportunities for rogue devices, disruption, or

information observation.
● Security professionals need to install access and monitoring controls to protect against
physical intrusion.

Physical Security Controls:

● Restrict and monitor access to specific areas or assets.

● Control access to buildings, equipment, server rooms, etc.
● Depend on access control fundamentals: Authentication, Authorization, Accounting.

Site Layout, Fencing, and Lighting:

● Locate secure zones deep within buildings.

● Use demilitarized zone (DMZ) design to separate public access areas.
● Employ signage, warnings, and camouflage to enhance security.
● Minimize traffic between zones and use one-way glass where necessary.
● Ensure high-traffic public areas have high visibility.

Barricades and Entry/Exit Points:

● Channel people through defined entry and exit points.

● Authenticate individuals at entry points.
● Use barricades like bollards and security posts to prevent vehicle attacks.

Fencing:

● Should be transparent, robust, and secure against climbing.

● Provides protection but may give buildings an intimidating appearance.

Lighting:

● Contributes to the perception of safety and security.

● Acts as a deterrent and aids surveillance.
● Design must consider overall light levels and avoid areas of shadow and glare.

Gateways and Locks:

 ● Secure gateways with locks, including physical, electronic, and biometric types.
● Consider the use of mantraps for critical areas.

Cable Locks:

● Attach to secure points on device chassis to prevent unauthorized access.

Physical Attacks against Smart Cards and USB:

● Vulnerable to cloning and skimming attacks.

● Risks vary depending on the type of smart card.

Alarm Systems and Sensors:

● Include circuit, motion, noise, proximity, and duress alarms.

● Suited for different areas and types of threats.

Security Guards and Cameras:

● Provide surveillance and deterrence.

● Guards offer visual presence and real-time response.
● CCTV offers continuous monitoring and recording.

Reception Personnel and ID Badges:

● Enforce challenge policies and standardize employee behavior.

● Maintain visitor logs and two-person integrity/control.
● ID badges are essential for building security and access control.
Explain the Importance of Physical Host Security
Controls
1. Perimeter Defenses Not Enough:
○ Perimeter defenses alone are insufficient for host security within a site.
○ Insider threats and potential breaches necessitate additional controls.
2. Secure Areas:
○ Critical assets require higher access protection than general office areas.
○ Communications or server rooms are particularly vulnerable.
○ Stringent access and surveillance controls are essential.
○ Data centers require similar measures.
3. Air Gap/Demilitarized Zone (DMZ):
○ Air-gapped hosts aren't connected to any network.
○ Stringent physical access controls are crucial.
○ DMZ serves the same purpose, monitored for intrusions.
4. Safes and Vaults:
○ Safes store portable devices and media securely.
○ Vaults are hardened against unauthorized entry.
○ Vaults may be necessary for mission-critical assets.
5. Protected Distribution and Faraday Cages:
○ Protected cabled networks mitigate eavesdropping and denial-of-service risks.
○ Faraday Cages block signals from entering or leaving an area.
6. Heating, Ventilation, Air Conditioning (HVAC):
○ Environmental controls prevent equipment overheating.
○ HVAC systems maintain optimal temperature and humidity.
○ Proper monitoring and maintenance are essential.
7. Hot and Cold Aisles:
○ Design server rooms for efficient airflow.
○ Utilize hot aisle/cold aisle arrangement.
○ Secure cabling to prevent interference and air leaks.
8. Fire Detection and Suppression:
○ Implement mechanisms to detect and suppress fires.
○ Different types of fire suppression systems are available.
9. Secure Data Destruction:
○ Dispose of data securely to prevent unauthorized access.
○ Media sanitization and remnant removal are crucial.
○ Physical destruction or purging of data are common methods.
10. Data Sanitization Tools:
○ Overwriting is a standard method for HDD sanitization.
○ Secure Erase (SE) command for SATA and SAS drives.
○ Instant Secure Erase (ISE) for self-encrypting drives (SEDs).
CompTIA Security+ (701)
Study Notes
Help us keep supporting others in their
cybersecurity career.

https://topmate.io/ken_underhill/927998
Contents
Summarize Fundamental Security Concepts ................................................................................ 4
Security Concepts ......................................................................................................................... 4
Security Controls ........................................................................................................................... 6
Compare Threat Types ................................................................................................................. 8
Threat Actors ................................................................................................................................ 8
Attack Surfaces ........................................................................................................................... 10
Social Engineering ...................................................................................................................... 12
Explain Cryptographic Solutions ................................................................................................. 13
Cryptographic Algorithms ............................................................................................................ 13
Public Key Infrastructure ............................................................................................................. 14
Cryptographic Solutions .............................................................................................................. 15
Implement Identity and Access Management ............................................................................. 17
Authentication ............................................................................................................................. 17
Authorization ............................................................................................................................... 19
Identity Management .................................................................................................................. 21
Secure Enterprise Network Architecture ..................................................................................... 22
Enterprise Network Architecture ................................................................................................. 22
Network Security Appliances ...................................................................................................... 23
Secure Communications ............................................................................................................. 25
Secure Cloud Network Architecture ............................................................................................ 26
Cloud Infrastructure .................................................................................................................... 26
Embedded Systems and Zero Trust Architecture ....................................................................... 28
Explain Resiliency and Site Security Concepts .......................................................................... 30
Asset Management ..................................................................................................................... 30
Redundancy Strategies ............................................................................................................... 32
Physical Security ......................................................................................................................... 34
Explain Vulnerability Management .............................................................................................. 35
Device and OS Vulnerabilities .................................................................................................... 35
Application and Cloud Vulnerabilities .......................................................................................... 37
Vulnerability Identification Methods ............................................................................................ 39
Vulnerability Analysis and Remediation ...................................................................................... 41
Evaluate Network Security Capabilities ...................................................................................... 43
Network Security Baselines ........................................................................................................ 43
Network Security Capability Enhancement ................................................................................. 45
Assess Endpoint Security Capabilities ........................................................................................ 47
Implement Endpoint Security ...................................................................................................... 47
Mobile Device Hardening ............................................................................................................ 49
Enhance Application Security Capabilities .................................................................................. 50
Application Protocol Security Baselines ...................................................................................... 50
Cloud and Web Application Security Concepts .......................................................................... 52
Explain Incident Response and Monitoring Concepts ................................................................ 54
Incident Response ...................................................................................................................... 54
Digital Forensics ......................................................................................................................... 56
Data Sources .............................................................................................................................. 58
Alerting and Monitoring Tools ..................................................................................................... 60
Analyze Indicators of Malicious Activity ...................................................................................... 62
Malware Attack Indicators ........................................................................................................... 62
Physical and Network Attack Indicators ...................................................................................... 64
Application Attack Indicators ....................................................................................................... 66
Summarize Security Governance Concepts ............................................................................... 67
Policies, Standards, and Procedures .......................................................................................... 67
Change Management ................................................................................................................. 69
Automation and Orchestration .................................................................................................... 71
Explain Risk Management Processes ........................................................................................ 73
Risk Management Processes and Concepts .............................................................................. 73
Vendor Management Concepts .................................................................................................. 75
Audits and Assessments ............................................................................................................. 77
Summarize Data Protection and Compliance Concepts ............................................................. 78
Data Classification and Compliance ........................................................................................... 78
Personnel Policies ...................................................................................................................... 79
Summarize Fundamental Security Concepts

Security Concepts
● Security Concepts Study Notes:
1. Information Security:
■ Definition: Protection of data resources from unauthorized access, attack,
theft, or damage.
■ CIA Triad:
■ Confidentiality: Data accessible only to authorized individuals.
■ Integrity: Data stored and transferred as intended, with authorized
modifications.
■ Availability: Information readily accessible to authorized users.
■ Additional Property: Non-repudiation, preventing denial of actions like
creating or modifying data.
2. Cybersecurity Framework:
■ Definition: Provisioning secure processing hardware and software.
■ Five Functions (NIST Framework):
■ Identify: Develop security policies, evaluate risks, recommend
controls.
■ Protect: Secure IT assets throughout the lifecycle.
■ Detect: Proactive monitoring for new threats.
■ Respond: Analyze, contain, eradicate threats.
■ Recover: Restore systems and data post-attack.
■ Importance: Guides control selection, aids in risk management and
compliance.
3. Gap Analysis:
■ Definition: Process identifying deviations from framework requirements.
■ Purpose: Assess current cybersecurity capabilities, prioritize investments
for improvement.
■ Components: Outcome-based, identifies missing/poorly configured
controls.
■ Utilization: Initial adoption, compliance fulfillment, periodic validation.
■ Involvement: Can engage third-party consultants for complex
assessments.
4. Access Control:
■ Definition: Governs interactions between subjects (users/devices) and
objects (resources).
■ Components:
■ Identification: Unique representation of users/devices.
■ Authentication: Proving identity, often via passwords or digital
certificates.
 ■ Authorization: Determining and enforcing resource access rights.
■ Accounting: Tracking authorized resource usage and detecting
unauthorized attempts.
■ Implementation: Often through Identity and Access Management (IAM)
systems.
■ AAA Framework: Alternative terminology for authentication, authorization,
and accounting.
5. Application of Access Control:
■ E-commerce Example: Enroll users, manage orders, ensure payment
integrity, record customer actions for accountability.
Security Controls
● Security Controls Study Notes:
1. Introduction to Security Controls:
■ Definition: Measures to ensure information and cybersecurity assurance.
■ Importance: Selecting and implementing appropriate controls for different
scenarios.
■ Responsibility: Often falls under the purview of IT departments within
organizations.
2. Security Control Categories:
■ Managerial Controls: Oversight of information systems, including risk
identification and control selection.
■ Operational Controls: Implemented by people, such as security training
programs.
■ Technical Controls: Implemented as hardware, software, or firmware, like
firewalls and antivirus software.
■ Physical Controls: Measures like alarms and security cameras to deter
and detect physical access.
3. Functional Types of Security Controls:
■ Preventive Controls: Aim to eliminate or reduce the likelihood of
successful attacks.
■ Detective Controls: Identify and record attempted or successful intrusions
during an attack.
■ Corrective Controls: Reduce the impact of security policy violations after
an attack.
■ Additional Types:
■ Directive Controls: Enforce behavioral rules, often through policies
or training.
■ Deterrent Controls: Discourage attackers psychologically, such as
warning signs.
■ Compensating Controls: Substitute for principal controls to provide
equivalent protection.
4. Information Security Roles and Responsibilities:
■ Chief Information Officer (CIO): Overall responsibility for IT and often
security.
■ Chief Security Officer (CSO) or Chief Information Security Officer (CISO):
Internal security leadership.
■ Managers: Departmental responsibility for security domains.
■ Technical and Specialist Staff: Implement, maintain, and monitor security
policies and controls.
■ Nontechnical Staff: Comply with policies and relevant legislation.
5. Information Security Competencies:
■ Skills required for IT professionals with security responsibilities, including
risk assessment, system configuration, incident response, and training.
6. Information Security Business Units:
■ Security Operations Center (SOC): Monitors and protects critical
information assets, typically in larger corporations.
■ DevSecOps: Integration of security expertise into software development
and operations processes.
■ Incident Response: Dedicated teams for handling security incidents,
either as part of SOC or standalone units.
Compare Threat Types

Threat Actors
● Threat Actors Study Notes:
Introduction to Vulnerability, Threat, and Risk:
● Vulnerability: Weakness in security systems that can be exploited.
● Threat: Potential for exploitation by a threat actor, intentional or
unintentional.
● Risk: Level of hazard posed by vulnerabilities and threats, calculated
based on likelihood and impact.
Attributes of Threat Actors:
● Internal/External: Degree of access before initiating an attack, either
unauthorized (external) or authorized (internal/insider).
● Level of Sophistication/Capability: Ability to use advanced exploit
techniques and tools.
● Resources/Funding: Support necessary for sophisticated threat actors,
often from nation-states or organized crime.
● Motivations: Reasons for perpetrating attacks, including financial gain,
political agendas, or revenge.
Threat Actor Types:
● Hackers:
● Unauthorized (black hat) or authorized (white hat), with varying
levels of skill.
● Increasingly work in teams or groups, known as hacktivist groups,
to promote political agendas.
● Nation-State Actors:
● Often pursue espionage and disinformation for strategic
advantage, with plausible deniability.
● Known for sophisticated attacks, such as advanced persistent
threats (APTs).
● Organized Crime and Competitors:
● Focus on financial fraud, blackmail, and extortion, operating
across jurisdictions.
● Competitors may engage in cyber espionage for theft or
disruption.
● Internal Threat Actors:
● Can be permanent insiders (employees) or temporary insiders
(contractors, guests).
● Motivated by revenge, financial gain, or unintentional actions like
poor security practices.
● Whistleblowers may release information ethically, while
unintentional threats arise from lack of awareness or shadow IT.
Motivations and Strategies of Threat Actors:
● Strategies include service disruption, data exfiltration, and disinformation,
affecting confidentiality, integrity, and availability.
● Motivations range from chaotic (e.g., causing chaos) to financial (e.g.,
fraud, extortion) and political (e.g., promoting change or furthering war
aims).
● Threat sources and motivations evolve over time, with shifts from
opportunistic to structured attacks associated with organized crime and
nation-states.
Attack Surfaces
● Attack Surface and Threat Vectors:
○ The attack surface refers to all points where a malicious actor could exploit a
vulnerability.
○ It includes network ports, applications, computers, and user interactions.
○ Minimizing the attack surface involves restricting access to known endpoints,
protocols, and services.
○ Assessment should cover the overall organization as well as specific scopes like
servers, web applications, or user identities.
● Assessing the Attack Surface:
○ Organizations should evaluate the attributes of threat actors posing the most risk.
○ External threat actors have a smaller attack surface compared to insider threats.
○ Threat vectors represent paths used by threat actors to execute attacks like data
exfiltration or service disruption.
○ Sophisticated actors plan multistage campaigns and may develop novel vectors.
● Vulnerable Software Vectors:
○ Vulnerabilities in software allow threat actors to exploit flaws in code or design.
○ Patch management is crucial, as almost no software is free from vulnerabilities.
○ Consolidating to fewer products and ensuring consistent versions help reduce
the attack surface.
● Unsupported Systems and Applications:
○ Unsupported systems lack vendor updates and patches, making them highly
vulnerable.
○ Isolating such systems reduces the likelihood of exploitation.
● Client-Based versus Agentless Scanning:
○ Scanning software helps identify vulnerabilities, but threat actors can also use it
for reconnaissance.
○ Scans can be client-based, requiring installation, or agentless, scanning without
installation.
● Network Vectors:
○ Vulnerable software allows threat actors to execute code remotely or locally.
○ Remote exploits occur over a network, while local exploits require authenticated
access.
○ Securing networks involves ensuring confidentiality, integrity, and availability.
● Lure-Based Vectors:
○ Lures, like malicious files, trick users into facilitating attacks.
○ Common lures include removable devices, executable files, document files, and
image files.
● Message-Based Vectors:
○ Threat actors use messaging systems like email, SMS, IM, web, and social
media to deliver malicious files.
○ Social engineering techniques persuade users to open attachments or links.
● Supply Chain Attack Surface:
○ Threat actors target supply chains to infiltrate organizations indirectly.
○ Procurement management ensures reliable sources of equipment and software.
○ Establishing a trusted supply chain involves vetting suppliers, vendors, and
partners.
Social Engineering
● Social Engineering Overview:
○ People within organizations are part of the attack surface and are collectively
referred to as the human vector.
○ Social engineering exploits human psychology to manipulate individuals into
divulging information or performing actions for threat actors.
● Human Vectors:
○ Employees and contractors possess valuable information about networks and
security systems, making them potential targets.
○ Social engineering involves eliciting information or actions from individuals, also
known as "hacking the human."
○ Examples include tricking users into providing passwords, obtaining sensitive
information from help desks, or infiltrating buildings during emergencies.
● Impersonation and Pretexting:
○ Impersonation involves pretending to be someone else to gain trust.
○ Threat actors use persuasive or coercive approaches to deceive targets.
○ Pretexting involves crafting convincing stories to charm or intimidate targets,
often relying on privileged information about the organization.
● Phishing and Pharming:
○ Phishing combines social engineering with spoofing to trick targets into
interacting with malicious resources.
○ Phishing emails or messages persuade users to perform actions like installing
malware or revealing credentials.
○ Pharming redirects users from legitimate websites to malicious ones by
corrupting name resolution processes.
● Typosquatting and Business Email Compromise:
○ Typosquatting involves registering domain names similar to legitimate ones to
deceive users.
○ Business Email Compromise targets specific individuals within companies, often
executives, using sophisticated techniques to deceive and manipulate.
● Brand Impersonation and Disinformation:
○ Brand impersonation involves accurately duplicating company logos and
formatting to create visually compelling fakes.
○ Disinformation aims to deceive, while misinformation involves repeating false
claims unintentionally.
● Watering Hole Attack:
○ This attack targets a group of users who frequent an unsecure third-party
website, allowing threat actors to compromise their systems through exploit code.
Explain Cryptographic Solutions

Cryptographic Algorithms
● Cryptographic Concepts:
○ Cryptography ensures information security by encoding data.
○ Terms: Plaintext (unencrypted), Ciphertext (encrypted), Algorithm
(encryption/decryption process), Cryptanalysis (cracking cryptographic systems).
○ Actors: Alice (sender), Bob (recipient), Mallory (malicious attacker).
● Symmetric Encryption:
○ Uses a single secret key for both encryption and decryption.
○ Examples: Substitution and transposition algorithms.
○ Key exchange challenge: securely sharing the key.
○ Fast and efficient for bulk encryption but vulnerable if the key is intercepted.
● Key Length:
○ Longer keys increase security by expanding the keyspace.
○ Example: AES-128 vs AES-256, where AES-256 has a significantly larger
keyspace.
○ Brute force cryptanalysis: attempting decryption with every possible key value.
● Asymmetric Encryption:
○ Uses different but related public and private keys for encryption and decryption.
○ Public key can be freely distributed, while the private key must be kept secret.
○ Involves more computing overhead compared to symmetric encryption.
● Hashing:
○ Produces fixed-length digest from plaintext, used for integrity verification.
○ Example: Comparing password hashes or verifying file integrity after download.
○ Algorithms: SHA256 (strong) and MD5 (less secure but still used for
compatibility).
● Digital Signatures:
○ Combines public key cryptography with hashing for authentication, integrity, and
non-repudiation.
○ Sender creates a hash of the message and signs it with their private key.
○ Recipient verifies the signature using sender's public key.
● Standards:
○ PKCS#1 defines RSA algorithm for digital signatures.
○ DSA and ECDSA are used for digital signatures and were developed as part of
FIPS.
Public Key Infrastructure
● Single CA Model:
○ Root CA directly issues certificates to users and computers.
○ Often used on private networks.
○ Vulnerable because if compromised, the entire PKI collapses.
● Third-party CAs:
○ Operate on a hierarchical model.
○ Root CA issues certificates to intermediate CAs, which in turn issue certificates to
end entities.
○ Provides clear certificate policies and certification path (chain of trust).
● Self-signed Certificates:
○ Used when PKI management is too difficult or expensive.
○ Deployed on machines, web servers, or program code.
○ Often marked as untrusted by operating systems or browsers.
○ Suitable for non-critical environments like development or testing.
● Certificate Signing Requests (CSR):
○ Process for requesting certificates.
○ Subject generates a key pair and submits a CSR to the CA.
○ CA reviews and validates the information before issuing the certificate.
○ Private key is not part of the CSR and must be securely stored by the subject.
● Subject Name Attributes:
○ CN attribute deprecated; SAN extension field used to represent identifiers.
○ SAN field more secure for representing FQDNs and IP addresses.
○ It's safer to duplicate FQDN information in CN for compatibility.
● Certificate Revocation:
○ Certificates can be revoked or suspended by owner or CA for various reasons.
○ Revoked certificates are no longer valid; suspended certificates can be re-
enabled.
○ CA maintains a Certificate Revocation List (CRL) accessible to verify certificate
status.
● Key Management:
○ Lifecycle stages: generation, storage, revocation, expiration/renewal.
○ Decentralized vs. centralized key management models.
○ Cryptoprocessors offer more secure key generation and storage.
○ Trusted Platform Module (TPM) and Hardware Security Modules (HSM)
examples.
● Key Escrow:
○ Archiving keys with third-party providers.
○ Mitigates risk of key loss or damage.
○ M of N controls ensure multiple authorizations for key operations.
Cryptographic Solutions
1. Importance of Cryptographic Solutions:
○ Cryptographic solutions are essential for implementing security controls.
○ They ensure confidentiality, integrity, and authenticity of data.
○ Used to secure data at rest, in transit, and in use.
2. Encryption for Confidentiality:
○ Encryption renders data unreadable to unauthorized parties.
○ Protects data even if storage media is stolen or data is intercepted.
○ Data states: at rest, in transit, in use.
3. Bulk Encryption vs. Asymmetric Encryption:
○ Bulk encryption (symmetric cipher) used for large data volumes (e.g., AES).
○ Asymmetric encryption (RSA, ECC) less efficient for bulk encryption.
○ Hybrid approach: symmetric for data encryption, asymmetric for key exchange.
4. Disk and File Encryption:
○ Full-disk encryption (FDE) encrypts entire storage device, including metadata.
○ Self-encrypting drives (SEDs) have built-in encryption.
○ Partition-based encryption allows selective encryption for different partitions.
5. Volume and File Encryption:
○ Volume encryption secures entire storage resource, implemented in software.
○ File encryption encrypts individual files or folders (e.g., Microsoft's EFS).
6. Database Encryption:
○ Encryption at database level (TDE) protects entire database.
○ Record/column-level encryption provides granular protection.
○ Enables separation of duties between administrators and data owners.
7. Transport Encryption and Key Exchange:
○ Secures data in motion using protocols like TLS, IPsec, WPA.
○ Key exchange enables secure sharing of symmetric session keys.
○ Integrity and authenticity ensured through HMAC or authenticated encryption.
8. Perfect Forward Secrecy (PFS):
○ Uses Diffie-Hellman key agreement to generate session keys.
○ Ensures future compromise of server doesn't compromise past sessions.
○ Increases complexity for attackers, enhances security.
9. Salting and Key Stretching:
○ Salting prevents precomputed hash attacks by adding random value to
passwords.
○ Key stretching (PBKDF2) increases key length through multiple iterations.
○ Mitigates low-entropy password vulnerabilities.
10. Blockchain:
○ Blockchain secures transaction records through cryptographic hashing.
○ Decentralized, distributed ledger ensures transparency and integrity.
○ Applications in finance, contracts, voting, identity management, and more.
11. Obfuscation:
○ Obfuscation hides data to make it difficult to find.
○ Uses include steganography, data masking, and tokenization.
○ Protects privacy and enhances security in certain contexts.
Implement Identity and Access Management

Authentication
● Windows Sign-In Screen:
○ Personal Identification Number (PIN) is a form of something you know.
○ Modern PINs are not limited to numeric sequences and can be of any length and
character combination.
○ They are valid for authenticating to a single device only.
● Password Concepts:
○ Improper credential management is a major vector for network attacks.
○ Password best practices policy should instruct users on choosing and
maintaining passwords.
○ Credential management policy should cover various authentication methods and
educate users on social engineering attacks.
● Password Policies:
○ Password Length: Enforces minimum and possibly maximum length for
passwords.
○ Password Complexity: Requires a combination of uppercase/lowercase
alphanumeric and non-alphanumeric characters.
○ Password Age: Forces users to select a new password after a set number of
days.
○ Password Reuse and History: Prevents the selection of previously used
passwords.
● Password Aging and Expiration:
○ Aging allows logging in with the old password after a defined period but
mandates choosing a new password immediately.
○ Expiration disables logging in with the outdated password and effectively
disables the account.
● Password Managers:
○ Users often use poor credential management practices, such as reusing
passwords across multiple sites.
○ Password managers generate random passwords and securely store them,
reducing the risk of data breaches.
○ Risks include compromise of the master password or vendor's cloud storage, and
impersonation attacks.
● Multifactor Authentication (MFA):
○ Combines multiple authentication factors for stronger security.
 ○ Factors include something you have (like a smart card), something you are
(biometrics), and somewhere you are (location-based).
● Biometric Authentication:
○ Involves physiological or behavioral identifiers like fingerprints or facial scans.
○ Enrollment includes acquiring a biometric sample and creating a template for
comparison.
○ Metrics include False Rejection Rate (FRR), False Acceptance Rate (FAR), and
Crossover Error Rate (CER).
● Hard Authentication Tokens:
○ Generated within a secure cryptoprocessor, avoiding transmission of the token.
○ Types include Certificate-Based Authentication, One-Time Password (OTP), and
FIDO Universal 2nd Factor (U2F).
● Soft Authentication Tokens:
○ One-time passwords sent via SMS, email, or authenticator apps.
○ Vulnerable to interception, with authenticator apps offering higher security than
SMS or email.
● Passwordless Authentication:
○ Entirely eliminates knowledge-based factors like passwords.
○ Relies on factors like biometrics or hardware tokens.
○ Utilizes FIDO2 with WebAuthn specifications for secure authentication without
passwords.
Authorization
● Authorization Overview:
○ Authorization is a crucial aspect of identity and access management (IAM).
○ It involves assigning privileges to network users and services to manage access
to resources effectively.
● Discretionary Access Control (DAC):
○ DAC prioritizes the resource owner's authority.
○ Owners have full control over resources and can modify access control lists
(ACLs) to grant rights to others.
○ Widely used but vulnerable to insider threats and abuse of compromised
accounts.
● Mandatory Access Control (MAC):
○ Based on security clearance levels rather than individual ownership.
○ Each object is assigned a classification label, and each subject is granted a
clearance level.
○ Subjects can access objects classified at their own level or below, ensuring
confidentiality.
● Role-Based Access Control (RBAC):
○ Defines permissions based on user roles.
○ Each principal is assigned to one or more roles, and permissions are managed
by system owners.
○ Offers flexibility and scalability in permission management.
● Attribute-Based Access Control (ABAC):
○ Utilizes subject and object attributes for access decisions.
○ Factors like location, device status, and user behavior influence access control.
○ Provides fine-grained control over access based on contextual information.
● Rule-Based Access Control:
○ Access control policies are enforced by system rules rather than user discretion.
○ Examples include RBAC, ABAC, and MAC.
○ Conditional access systems monitor behavior and enforce access rules
dynamically.
● Least Privilege Principle:
○ Grants the minimum necessary privileges to perform authorized tasks.
○ Reduces the risk of compromised accounts and limits potential damage.
○ Requires careful analysis of business workflows to determine necessary
permissions.
● User Account Provisioning:
○ Involves setting up user accounts according to standardized procedures.
 ○ Includes identity proofing, credential issuance, hardware/software allocation, and
policy awareness training.
● Account Restrictions and Policies:
○ Location-based and time-based policies restrict account access.
○ Policies enforce authorized login hours, session durations, and geographical
constraints.
○ Privileged Access Management (PAM) controls and monitors privileged account
usage to prevent compromise.
● Just-in-Time (JIT) Permissions:
○ Elevates privileges only when needed for a limited duration.
○ Ensures zero standing privileges (ZSP) to minimize attack surface.
○ Implemented through temporary elevation, password vaulting, or ephemeral
credentials.
Identity Management
● Identity Management Exam Objectives:
● Implementing and maintaining identity and access management.
● Authentication Provider:
● Essential feature of an OS for user authentication.
● Relies on cryptographic hashes for knowledge-based authentication.
● Windows Authentication:
● Local sign-in: LSASS compares credentials to hash in SAM database.
● Network sign-in: LSASS authenticates via Active Directory using Kerberos or
NTLM.
● Remote sign-in: Authentication over VPN, enterprise Wi-Fi, or web portal.
● Linux Authentication:
● Local user account info in /etc/passwd, password hash in /etc/shadow.
● Network login via SSH; can use cryptographic keys.
● Pluggable Authentication Module (PAM) enables different authentication
methods.
● Directory Services:
● Store info about users, computers, security groups, etc.
● LDAP is a common protocol for interoperability.
● Distinguished Name (DN) uniquely identifies resources in a directory.
● Single Sign-on (SSO):
● Authenticates once, access multiple services without re-entering credentials.
● Kerberos is a common SSO protocol, authenticates users and services.
● Federation:
● Extends network access to partners, suppliers, customers.
● Trusts external networks for authentication and authorization.
● SAML (Security Assertion Markup Language):
● Protocol for exchanging authentication and authorization data.
● Uses XML for assertions, HTTP/HTTPS for communication.
● OAuth (Open Authorization):
● Protocol for sharing user attributes between sites.
● Allows linking identity to consumer sites without sharing passwords.
● Uses JSON Web Tokens (JWTs) for claims data, supports various grant type
Secure Enterprise Network Architecture

Enterprise Network Architecture

● Network Addressing:
● IPv4 addresses use a /24 prefix to define a subnet, written as 255.255.255.0.
● IPv6 addresses are 128-bit and hierarchical, with the last 64 bits representing the
host's interface ID.
● Logical Addressing and Access Control:
● Hierarchical network architecture assigns separate IP subnets to access blocks,
facilitating access control.
● Each access block is allocated a subnet, ensuring logical separation (e.g., guest
network vs. enterprise LAN).
● VLANs (Virtual LANs):
● VLANs segment networks into separate broadcast domains.
● VLAN IDs (2 to 4,094) are assigned to switches, enabling different ports on the
same switch to belong to different VLANs.
● Security Zones:
● Internal security topology based on network segmentation and access control.
● Different zones for different levels of trust and access control requirements.
● Attack Surface:
● Points of vulnerability at different network layers (1/2, 3, 4/7).
● External and internal attack surfaces require different security controls.
● Port Security:
● Measures to control physical access to network ports.
● Methods include MAC filtering, MAC limiting, and IEEE 802.1X authentication.
● Physical Isolation:
● Critical hosts isolated from networks for security.
● Challenges include management and restricted access.
● Architecture Considerations:
● Factors include costs, scalability, availability, resilience, power usage, patch
availability, and risk transference.
Network Security Appliances
● Packet Filtering Firewall:
○ Stateless firewall: Does not preserve information about network sessions.
○ Analyzes each packet independently without record of previous packets.
○ Vulnerable to attacks spread over multiple packets.
○ Can introduce traffic flow problems, especially with load balancing or dynamically
assigned ports.
● Stateful Inspection Firewall:
○ Tracks information about established sessions between hosts.
○ Incorporates stateful inspection capability, storing session data in a state table.
○ Checks incoming packets against existing connections in the state table.
○ Once a connection is allowed, traffic usually passes unmonitored to conserve
processing effort.
○ Can occur at layer 4 and layer 7.
● Layer 4 Firewall:
○ Examines the TCP three-way handshake to distinguish new from established
connections.
○ Tracks legitimate TCP connections following SYN > SYN/ACK > ACK sequence.
○ Can detect anomalies like SYN without ACK or sequence number anomalies.
○ Capable of tracking UDP traffic and detecting IP header and ICMP anomalies.
● Layer 7 Firewall:
○ Inspects headers and payload of application-layer packets.
○ Verifies application protocol matches the port to prevent malicious data transfer.
○ Can analyze HTTP headers and webpage formatting code to identify threats.
○ Also known as application-aware firewalls or deep packet inspection.
● Proxy Servers:
○ Perform application layer filtering and operate on a store-and-forward model.
○ Deconstruct packets, perform analysis, and rebuild packets according to rules.
○ Can be non-transparent (client must be configured) or transparent (intercepts
traffic without client reconfiguration).
● Forward Proxy Servers:
○ Provide outbound traffic filtering and enable client connections to external
resources like websites.
○ Offer traffic management, security, and caching benefits.
● Reverse Proxy Servers:
○ Provide inbound traffic filtering and are typically deployed on the network edge.
○ Listen for client requests from the public network, filter, and forward requests to
application servers.
● Intrusion Detection Systems (IDS):
○ Perform real-time analysis of network traffic or system/application logs.
○ Utilize sensors to capture traffic data, which is then analyzed by IDS software.
○ Raise alerts or generate log entries for detected threats but do not actively block
traffic.
● Intrusion Prevention Systems (IPS):
○ Capable of active response to detected threats, including blocking noncompliant
traffic, resetting connections, or redirecting traffic for further analysis.
● Next-Generation Firewalls (NGFW) and Unified Threat Management (UTM):
○ NGFW incorporates intrusion detection functionalities into firewall systems.
○ UTM centralizes various security controls into a single appliance for
comprehensive security management.
● Load Balancers:
○ Distribute client requests across server nodes to optimize resource usage,
provide fault tolerance, and mitigate denial of service attacks.
○ Can be Layer 4 (IP and port-based) or Layer 7 (application-aware) load
balancers.
○ Employ scheduling algorithms and health checks to manage traffic distribution
effectively.
● Web Application Firewalls (WAF):
○ Designed to protect web servers and back-end databases from code injection
and denial of service attacks.
○ Use application-aware processing rules and pattern matching to filter traffic and
detect threats.
○ Can be deployed as appliances or plug-in software for web server platforms.
Secure Communications
● VPN Topologies:
○ Remote Access VPN: Initiated by the client.
○ Site-to-Site VPN: Configured to operate automatically, connecting two or more
private networks.
○ Host-to-Host Tunnel: Securing traffic between two computers on an untrusted
private network.
● VPN Protocols:
○ Legacy Protocols: Deprecated due to inadequate security (e.g., PPTP).
○ Modern Protocols: TLS and IPsec preferred for VPN access.
● Transport Layer Security (TLS) Tunneling:
○ Mutual authentication using digital certificates.
○ TLS creates an encrypted tunnel for user authentication and data transmission.
● Internet Protocol Security (IPsec) Tunneling:
○ Operates at OSI layer 3 (network layer).
○ Core Protocols: Authentication Header (AH) and Encapsulating Security Payload
(ESP).
○ Modes: Transport mode for host-to-host, tunnel mode for site-to-site VPNs.
● Internet Key Exchange (IKE):
○ Establishes security associations (SA) for IPsec.
○ Negotiations in two phases for key agreement and cipher selection.
● Remote Desktop:
○ Remote access to private networks via secure tunnel over public networks.
○ Includes graphical and terminal server access methods.
○ Examples: Microsoft's Remote Desktop Protocol (RDP), TeamViewer, Virtual
Network Computing (VNC).
● Secure Shell (SSH):
○ Provides secure remote access to command line terminal.
○ Authentication methods: Username/password, public key, Kerberos.
● Out-of-Band Management and Jump Servers:
○ OOB management ensures separate network for administrative access.
○ Jump servers provide controlled access to administrative interfaces on hosts in
secure zones.
○ Enhances security by limiting direct access to administrative interfaces.
Secure Cloud Network Architecture

Cloud Infrastructure
● Containerization:
○ Enforces resource separation at the operating system level.
○ Defines isolated "cells" for each user instance to run in.
○ Allocated CPU and memory resources for each container.
○ Processes run through the native OS kernel.
○ Containers may run slightly different OS distributions.
○ Docker is a well-known container virtualization product.
○ Supports microservices and serverless architecture.
○ Used in implementing corporate workspaces on mobile devices.
● Serverless Computing:
○ Cloud provider manages infrastructure and allocates resources automatically.
○ Charges only for actual usage of the application.
○ Examples include chatbots, mobile backends, IoT services.
○ Major providers include AWS, Microsoft Azure, Google Cloud.
○ Provides scalable, cost-effective infrastructure for event-driven tasks.
● Microservices:
○ Collection of small, independent services focusing on specific business
capabilities.
○ Modular design with well-defined interfaces.
○ Allows efficient development and deployment of complex applications.
○ Enables teams to work independently on different features.
○ Promises agility, scalability, and resilience.
○ Risks include integration issues and complexity.
● Infrastructure as Code (IaC):
○ Manages computing infrastructure using machine-readable definition files.
○ YAML, JSON, and HCL formats are common.
○ Automates deployment and management of infrastructure.
○ Ensures consistency and repeatability across environments.
○ Implemented using tools like Terraform.
● Load Balancing, Edge Computing, Auto-Scaling:
○ Load balancing distributes network traffic to improve performance and
availability.
○ Edge computing optimizes processing location for reduced latency.
○ Auto-scaling adjusts resources based on demand dynamically.
● Software Defined Networking (SDN):
○ Abstract model divides network functions into control, data, and management
planes.
○ SDN applications define policy decisions on the control plane.
○ Implemented through APIs interfacing with network devices.
○ Manages both physical and virtual network appliances.
○ Supports rapid deployment of virtual networking using NFV.
● Cloud Architecture Features:
○ Data replication, redundancy, and auto-scaling ensure high availability.
○ Disaster recovery, SLAs, and ISAs are critical for data protection.
○ Power efficiency, compute capabilities, and ease of deployment enhance cloud
infrastructure.
● Cloud Security Considerations:
○ Data protection, patch management, and secure communication are essential.
○ SD-WAN and SASE provide enhanced security features for cloud environments.
○ Zero trust security model and IAM are crucial for secure access.
Embedded Systems and Zero Trust Architecture
● SCADA Overview:
○ SCADA replaces control servers in large-scale ICSs.
○ Typically runs as software on ordinary computers.
○ Gathers data from and manages plant devices with embedded PLCs (field
devices).
○ Uses WAN communications like cellular or satellite to link to field devices.
● Applications of ICS/SCADA:
○ Used in energy (power generation, distribution), industrial (mining, refining),
fabrication/manufacturing, logistics, and facilities management.
○ Historically built without strong IT security, but awareness of security importance
is increasing.
● Security Concerns in ICS/SCADA:
○ Vulnerable to cyberattacks.
○ Example: Stuxnet worm targeting Iran's nuclear program.
○ NIST Special Publication 800-82 provides security control recommendations.
● Priorities in Industrial Systems:
○ Safety is paramount.
○ Prioritize availability and integrity over confidentiality (AIC triad instead of CIA
triad).
● Cybersecurity in ICS/SCADA:
○ Critical for sectors like energy, manufacturing, transportation, and water
treatment.
○ Robust cybersecurity measures like network segmentation, access controls,
intrusion detection, and encryption are essential.
● Internet of Things (IoT):
○ Refers to networked physical devices with sensors and connectivity.
○ Used in various sectors like smart homes, smart cities, healthcare, agriculture,
etc.
○ Factors driving adoption include decreased sensor costs, advances in
connectivity tech, and the COVID-19 pandemic.
● Security Risks Associated with IoT:
○ Many devices lack adequate security measures.
○ Standardization issues make security implementation challenging.
○ Large volume of data increases the risk of breaches and cyberattacks.
● Best Practices for IoT Security:
 ○ Recommendations from organizations like IoTSF, IIC, CSA, and ETSI.
● Zero Trust Architecture (ZTA):
○ Assumes nothing is trusted by default.
○ Requires continuous authentication and verification for all users, devices, and
applications.
○ NIST SP 800-207 defines ZTA and CISA provides a maturity model.
● Deperimeterization:
○ Shifts focus from defending network boundaries to protecting individual
resources.
○ Essential due to trends like cloud adoption, remote work, mobile devices,
outsourcing, and wireless networks.
● Key Components of Zero Trust Architecture:
○ Network and endpoint security, IAM, policy-based enforcement, cloud security,
network visibility, network segmentation, data protection, and threat
detection/prevention.
● Zero Trust Security Concepts:
○ Adaptive identity, threat scope reduction, policy-driven access control, and
device posture assessment.
● Control and Data Planes in Zero Trust Models:
○ Control plane manages policies, while data plane establishes secure sessions.
○ Separation allows for flexibility and scalability.
● Zero Trust Architecture Examples:
○ Google BeyondCorp, DoD’s JEDI cloud, Cisco Zero Trust Architecture, Palo Alto
Networks Prisma Access.
Explain Resiliency and Site Security Concepts

Asset Management
Monitoring and Asset Tracking:

● Inventory and enumeration tasks involve creating and maintaining a comprehensive list
of all assets within an organization, including hardware, software, data, and network
equipment.
● Regularly updating and verifying asset inventory helps organizations manage assets
effectively and ensures accurate information about each asset's location, owner, and
status.
● Asset monitoring includes tracking performance, security, and usage to detect potential
issues, vulnerabilities, or unauthorized access promptly.
● Proactive asset monitoring helps mitigate risks, optimize resource utilization, and ensure
compliance with regulatory requirements.

Ways to Perform Asset Enumeration:

● Manual Inventory: Feasible for smaller organizations or specific asset types, involves
physically inspecting assets and recording relevant information.
● Network Scanning: Tools like Nmap, Nessus, or OpenVAS automatically discover and
enumerate networked devices, including open ports and services.
● Asset Management Software: Solutions like Lansweeper or ManageEngine
automatically discover, track, and catalog various assets, providing a centralized
dashboard for management.
● Configuration Management Database (CMDB): Centralized repository for IT
infrastructure information, managed by tools like ServiceNow or BMC Remedy.
● Mobile Device Management (MDM) Solutions: Manage mobile assets like smartphones
and tablets using solutions like Microsoft Intune or VMware Workspace ONE.
● Cloud Asset Discovery: Cloud-native or third-party tools like AWS Config or CloudAware
help discover and catalog assets deployed in the cloud.

Asset Acquisition/Procurement:
 ● Select hardware and software solutions with strong security features, prioritize reputable
vendors providing ongoing support.
● Integrate solutions seamlessly with existing security infrastructure like firewalls, intrusion
detection systems, or SIEM platforms.
● Assess total cost of ownership (TCO) considering initial purchase price, ongoing costs,
and potential security incidents.
● Prioritize cybersecurity during acquisition to reduce breach risk, enhance compliance,
and protect critical data and systems.

Asset Protection Concepts:

● Assets include critical resources, information, and infrastructure components that must
be protected from threats and unauthorized access.
● Identify and prioritize assets based on sensitivity and potential impact on core functions
if breached.
● Use standard naming conventions and configuration management to ensure consistency
and manageability.
● Implement ITIL framework elements for effective configuration management.

Data Backups:

● Essential for ensuring availability and integrity of critical data and systems.
● Regularly test and verify backup data to ensure reliability of recovery process.
● Enterprise backup solutions offer scalability, performance, advanced features like data
encryption and ransomware protection, and integration with various environments.

Snapshot, Replication, and Journaling:

● Snapshots capture system state at a specific time, useful for VMs, filesystems, and
SANs.
● Replication creates redundant copies of data for availability and recovery.
● Journaling tracks changes to data for recovery and consistency, useful for filesystems.
● Advanced techniques like remote journaling, SAN replication, and VM replication
enhance data protection across multiple locations and systems.

Encrypting Backups:

● Adds an extra layer of protection against unauthorized access or theft.

● Ensures compliance with regulations regarding sensitive data protection.
● Essential for safeguarding sensitive customer data, intellectual property, or trade
secrets.

Secure Data Destruction and Asset Disposal:

● Sanitization and destruction processes remove sensitive information from storage media
to prevent unauthorized access.
 ● Certification provides verification of data destruction process compliance with industry
standards and regulations.
● Active methods like overwriting or physical destruction ensure irrecoverability of data
from storage devices.
● Proper disposal of assets at the end of lifecycle or when no longer needed minimizes
security risks and ensures compliance.

Redundancy Strategies
● Site Considerations
○ Resiliency Provisioning: Site-level resiliency is common in enterprise
environments.
○ Alternate Processing Site: Provides similar service levels and can be always
available.
○ Recovery Site: Used in emergencies, might take longer to set up.
○ Failover: Technique ensuring redundancy, quickly taking over functionality from
a failed asset.
○ Site Resiliency Levels:
■ Hot Site: Immediate failover, fully operational and updated.
■ Warm Site: Similar to hot site but requires loading latest data set.
■ Cold Site: Longer setup time, may be empty building with lease
agreement.
○ Geographic Dispersion: Distributing recovery sites across different locations to
minimize regional disaster impact.
● Cloud as Disaster Recovery (DR)
○ Cost Efficiency: Cloud providers offer affordable redundancy due to economies
of scale.
○ Scalability: Cloud services allow redundant capabilities without over-
provisioning.
○ Faster Deployment: Enables quick setup and deployment of redundant
systems.
○ Simplified Management: Cloud providers offer tools to reduce redundant
infrastructure complexity.
○ Improved Security and Compliance: Cloud providers invest heavily in security
and compliance.
● Testing Redundancy and High Availability
○ Load Testing: Validates system performance under expected or peak loads.
○ Failover Testing: Validates seamless transition between primary and secondary
infrastructure.
 ○ Monitoring Systems Testing: Validates effective detection and response to
failures and performance issues.
● Clustering
○ Load Balancing vs. Clustering: Load balancing distributes traffic, while
clustering allows redundant processing nodes to accept connections.
○ Active/Passive vs. Active/Active Clustering: Active/passive ensures no
performance impact during failover, while active/active utilizes maximum capacity
but may degrade performance during failover.
● Power Redundancy
○ Dual Power Supplies: Provide redundancy, can be replaced without system
shutdown.
○ Managed Power Distribution Units (PDUs): Support remote power monitoring
and integrate with UPSs.
○ Battery Backups and UPSs: Provide temporary power source during outages.
○ Generators: Provide backup power for extended periods.
● Diversity and Defense in Depth
○ Platform Diversity: Reduces risk by using multiple technologies and platforms.
○ Defense in Depth: Implements multiple layers of protection against cyber
threats.
● Vendor Diversity
○ Cybersecurity Benefits: Reduces single point of failure and promotes healthy
competition.
○ Business Resilience: Mitigates risk associated with vendor lock-in and
disruptions.
○ Innovation and Competition: Encourages innovation and ensures better value
for investments.
● Multi-Cloud Strategies
○ Cybersecurity Benefits: Diversifies risk, improves security posture, and
promotes vendor independence.
○ Business Benefits: Enhances flexibility, agility, and cost efficiency.
● Deception Technologies
○ Honeypots, Honeynets, Honeyfiles, and Honeytokens: Cybersecurity tools to
detect and defend against attacks by diverting attackers' attention and gathering
intelligence.
● Disruption Strategies
○ Active Defense: Uses tactics like bogus DNS entries, web server decoys, and
fake telemetry to raise attack cost and tie up adversary's resources.
● Testing Resiliency
○ Method of Testing: Tabletop exercises, failover tests, simulations, and parallel
processing tests.
○ Importance of Testing: Identifies vulnerabilities, evaluates recovery strategies,
and improves preparedness for real-life incidents.
● Documentation
 ○ Business Continuity Documentation: Covers planning, implementation, and
evaluation.
○ Test Plans, Scripts, and Results: Provide structure for testing process and
communication with stakeholders.
○ Third-Party Assessments and Certifications: Offer objective evaluation,
compliance verification, and recommendations for improvement.

Physical Security
1. Fundamental Security Concepts:
○ Physical security is integral to cybersecurity, protecting physical assets like
servers and data centers.
○ Measures include access control, surveillance, and environmental controls.
○ Effective physical security reduces the risk of unauthorized access and insider
threats.
2. Physical Security Controls:
○ Access control mechanisms include biometric scanners, smart cards, and key
fobs.
○ Surveillance systems involve video cameras, motion sensors, and alarms.
○ Environmental controls like backup power and fire suppression are crucial for
data centers.
3. Zone Implementation:
○ Zones use barriers and security mechanisms to control entry and exit points.
○ Each zone should have increasingly restrictive access.
○ Entry points to secure zones should be discreet to prevent inspection by
intruders.
4. Physical Security through Environmental Design:
○ Enhances security using non-obvious features in physical spaces.
○ Promotes safety and deters criminal activity in various settings.
5. Barricades, Fencing, and Lighting:
○ Barricades channel people through defined entry and exit points.
○ Security fencing needs to be transparent, robust, and secure against climbing.
○ Security lighting improves safety and acts as a deterrent at night.
6. Bollards and Existing Structures:
○ Bollards prevent vehicular access to restricted areas.
 ○ Existing structures can be adjusted for improved site layout and security.
7. Gateways, Locks, and Access Control:
○ Gateways require secure locks, which can be physical, electronic, or biometric.
○ Access control vestibules regulate entry to secure areas, preventing tailgating.
○ Access badges replace physical keys and provide access through card readers.
8. Security Guards and Cameras:
○ Surveillance enhances resilience, with guards providing visual deterrence.
○ Cameras offer cost-effective monitoring and can use AI for smart security.
○ Alarms supplement other security controls, detecting and deterring threats
effectively.

Explain Vulnerability Management

Device and OS Vulnerabilities

1. Mobile OS Vulnerabilities:
○ Android and iOS are primary computing platforms, prone to attacks.
○ Android's open-source nature leads to similar benefits and problems as Linux.
○ Fragmentation among manufacturers and versions of Android results in
inconsistent patching.
○ iOS, though not open source, faces significant vulnerabilities.
2. Example OS Vulnerabilities:
○ Microsoft Windows: MS08-067 and MS17-010 allowed remote code execution,
exploited by Conficker and WannaCry.
○ macOS: "Shellshock" vulnerability in Unix-based systems.
○ Android: "Stagefright" vulnerability allowed remote code execution via MMS.
○ iOS: Google's Project Zero discovered vulnerabilities used in "watering hole"
attacks.
○ Linux: "Heartbleed" bug compromised OpenSSL cryptographic software.
3. Legacy and End-of-Life Systems:
○ EOL systems lack vendor support and critical security patches, posing
vulnerabilities.
○ Legacy systems are outdated but may still receive support.
○ Notable examples include Windows 7 and Server 2008.
4. Firmware Vulnerabilities:
○ Meltdown and Spectre vulnerabilities impacted computers and mobile devices.
○ "LoJax" exploited UEFI firmware.
 ○ EOL hardware vulnerabilities arise from discontinued updates.
5. Virtualization Vulnerabilities:
○ VM escape allows attackers to access host systems.
○ Examples include "Cloudburst" vulnerability in VMware.
○ Resource reuse can lead to data leakage between virtual machines.
6. Zero-Day Vulnerabilities:
○ Previously unknown flaws exploited before developers can fix them.
○ Notable examples include the BEAST and POODLE attacks.
○ Ethical disclosure aims to limit potential harm.
7. Misconfiguration Vulnerabilities:
○ Common cause of security vulnerabilities.
○ Default configurations often prioritize usability over security.
○ Proper configuration and change management are crucial.
8. Cryptographic Vulnerabilities:
○ Weaknesses in cryptographic systems, algorithms, or protocols.
○ Examples include MD5, SHA-1, and RSA vulnerabilities.
○ Proper key generation and protection are essential.
9. Sideloading, Rooting, and Jailbreaking:
○ Methods to gain elevated privileges on mobile devices.
○ Introduces security risks, including malware installation and data breaches.
○ Violates terms of service and voids warranties on some platforms.
10. Mobile Device Vulnerabilities:
● Susceptible to common vulnerabilities like insecure Wi-Fi and phishing attacks.
● More likely to be lost or stolen, exposing data if unencrypted.
Application and Cloud Vulnerabilities
● Malicious Update:
○ Definition: Update containing harmful code disguised as legitimate.
○ Purpose: Distribution of malware, execution of cyberattacks.
○ Examples: CCleaner compromise (2017), SolarWinds attack (2020).
○ Mitigation: Secure software supply chain management, digital signature
verification.
● Evaluation Scope:
○ Definition: Analysis of product, system, or service for vulnerabilities.
○ Targets: Software application, network, security service, or IT infrastructure.
○ Goals: Identify weaknesses, ensure compliance with security standards.
● TOE Practice Description:
○ Security Testing: Vulnerability assessments, penetration testing.
○ Documentation Review: Ensure implementation according to secure design
principles.
○ Source Code Analysis: Identify security vulnerabilities in code.
○ Configuration Assessment: Evaluate security-related configurations.
○ Cryptographic Analysis: Assess encryption mechanisms and key management.
○ Compliance Verification: Ensure compliance with relevant regulations.
○ Security Architecture Review: Evaluate security controls and design.
● Penetration Tester vs. Attacker:
○ Scope: Defines objectives for penetration tester or attacker.
○ Penetration Tester: Authorized to evaluate system, report findings, recommend
remediation.
 ○ Attacker: Aims to exploit vulnerabilities within target for unauthorized access or
other malicious objectives.
● Web Application Attacks:
○ Definition: Target applications accessible over the Internet.
○ Characteristics: Exploit poor input validation, misconfigured security settings,
outdated software.
○ Examples: XSS, CSRF, improper session management.
● Cross-Site Scripting (XSS):
○ Types: Reflected/nonpersistent, stored/persistent, DOM-based.
○ Execution: Injects malicious scripts into trusted sites, executed in client's
browser.
● SQL Injection (SQLi):
○ Exploits: Unsecure handling of SQL queries.
○ Impact: Unauthorized access to database, data theft, execution of arbitrary code.
● Cloud-Based Application Attacks:
○ Targets: Cloud-hosted applications.
○ Exploits: Misconfigurations, weak authentication, insufficient network
segmentation.
○ Characteristics: Shared responsibility model, scalability attracts attackers.
● Cloud Access Security Brokers (CASBs):
○ Definition: Mediate access to cloud services by users.
○ Functions: Single sign-on authentication, malware scanning, activity monitoring.
○ Implementation: Forward proxy, reverse proxy, API-based.
● Supply Chain:
○ Definition: Risks and weaknesses introduced into software products during
development, distribution, maintenance.
○ Components: Service providers, hardware suppliers, software providers.
○ Importance: Transparency, visibility, rapid response to vulnerabilities.
○ Tools: OWASP Dependency-Check, SPDX, OWASP CycloneDX standards for
SBOM creation.
Vulnerability Identification Methods
● Network Vulnerability Scanner
○ Designed to test network hosts such as client PCs, servers, routers, and
switches.
○ Compares scan results to configuration templates and lists of known
vulnerabilities.
○ Identifies missing patches, deviations from baseline configurations, and related
vulnerabilities.
○ Examples include Tenable Nessus and OpenVAS.
● Credentialed vs. Non-Credentialed Scans
○ Non-Credentialed Scans:
■ Test packets directed at hosts without login access.
■ View obtained is that of an unprivileged user.
■ Useful for external network perimeter assessment or web application
scanning.
○ Credentialed Scans:
■ Given user account access with appropriate permissions.
■ Allows in-depth analysis, especially for detecting misconfigurations.
■ Mimics insider attacks or compromised user accounts.
● Application and Web Application Scanners
○ Specialized for identifying software application weaknesses.
○ Includes static analysis (reviewing code) and dynamic analysis (testing running
applications).
 ○ Identifies issues like unvalidated inputs, broken access controls, and SQL
injection vulnerabilities.
● Package Monitoring
○ Tracks and assesses security of third-party software packages, libraries, and
dependencies.
○ Ensures they are up to date and free from known vulnerabilities.
○ Associated with software bill of materials (SBOM) and software supply chain risk
management.
● Threat Feeds
○ Real-time, continuously updated sources of information about potential threats
and vulnerabilities.
○ Integrated into vulnerability management practices for swift response to
emerging risks.
○ Gathered from security vendors, cybersecurity organizations, and open-source
intelligence.
● Open-Source Intelligence (OSINT)
○ Collects and analyzes publicly available information for decision-making.
○ Used in cybersecurity to identify vulnerabilities and threat information.
○ Sources include blogs, forums, social media, and the dark web.
● Penetration Testing
○ Aggressive approach to vulnerability management.
○ Involves ethical hacking to breach security and exploit vulnerabilities.
○ Identifies complex vulnerabilities that automated tools may miss.
● Bug Bounties
○ Incentivizes external security researchers to discover and report vulnerabilities.
○ Complements penetration testing with a global community of researchers.
○ Encourages responsible disclosure of verified security issues.
● Auditing
○ Essential part of vulnerability management.
○ Includes product audits, system/process audits, and security audits.
○ Penetration testing is a critical component of technical and compliance audits.
Vulnerability Analysis and Remediation
Vulnerability Analysis and Remediation

● Vulnerability Analysis:
○ Evaluates vulnerabilities for potential impact and exploitability.
○ Considers factors like ease of exploitation, potential damage, asset value, and
current threat landscape.
○ Helps prioritize remediation efforts by addressing critical vulnerabilities first.
● Remediation:
○ Mitigation techniques include patching, configuration changes, software updates,
or system replacement.
○ Compensating controls provide alternative plans when immediate remediation is
impossible.
○ Verification of successful remediation via rescanning affected systems.

Common Vulnerabilities and Exposures (CVE)

● Vulnerability Feeds:
○ Updated via SCAP, facilitating sharing of intelligence data.
○ Consist of common identifiers for vulnerability descriptions.
● National Vulnerability Database (NVD):
○ Maintained by NIST, provides detailed vulnerability information.
 ○ Supplements CVE descriptions with additional analysis and CVSS metrics.
● CVSS (Common Vulnerability Scoring System):
○ Generates a score from 0 to 10 based on vulnerability characteristics.
○ Score bands: 0.1+ (Low), 4.0+ (Medium), 7.0+ (High), 9.0+ (Critical).

False Positives, False Negatives, and Log Review

● False Positives:
○ Incorrect identification of vulnerabilities by scanners.
○ Can lead to unnecessary time and effort if not addressed.
● False Negatives:
○ Undetected vulnerabilities in scans.
○ Risk mitigated by periodic rescanning and using scanners from different vendors.
● Log Review:
○ Validates vulnerability reports by examining system and network logs.
○ Confirms vulnerability alerts and ensures accurate remediation.

Vulnerability Analysis

● Prioritization:
○ Identifies critical vulnerabilities for focused remediation efforts.
● Classification:
○ Categorizes vulnerabilities based on characteristics for clarity.
● Exposure Factor:
○ Assesses susceptibility of assets to specific vulnerabilities.
● Impacts:
○ Evaluates potential organizational impact for informed decision-making.
● Environmental Variables:
○ Includes IT infrastructure, external threat landscape, regulatory environment, and
operational practices.

Vulnerability Response and Remediation

● Remediation Practices:
○ Patching, cybersecurity insurance, segmentation, compensating controls,
exceptions, and exemptions.
● Validation:
○ Ensures remediation actions are implemented correctly and do not introduce new
vulnerabilities.
● Reporting:
○ Highlights existing vulnerabilities, ranks based on severity, provides
recommendations, and emphasizes timely reporting for effective remediation.
Evaluate Network Security Capabilities

Network Security Baselines

Hardening Concepts:

● Default settings in network equipment, software, and operating systems balance ease of
use with security.
● Default configurations are often targeted by attackers due to well-documented
credentials, insecure protocols, etc.
● Hardening involves changing default settings to enhance security, typically following
published secure baselines.

Switches and Routers Hardening:

● Change default credentials to mitigate security risks.

● Disable unnecessary services like HTTP or Telnet to reduce attack surface.
● Use secure management protocols like SSH instead of Telnet.
● Implement Access Control Lists (ACLs) to restrict access.
● Enable logging and monitoring to identify security issues.
 ● Configure port security to limit device connections.
● Implement strong password policies.
● Physically secure equipment to prevent unauthorized access.

Server Hardware and Operating Systems Hardening:

● Change default credentials to prevent unauthorized access.

● Disable unnecessary services to reduce attack surface.
● Apply software security patches and updates regularly.
● Implement the least privilege principle.
● Use firewalls and Intrusion Detection Systems (IDS) to block or alert on malicious
activity.
● Secure configurations using baseline configurations like CIS or STIGs.
● Implement strong access controls like strong password policies, MFA, and PAM.
● Enable logging and monitoring for identifying security issues.
● Use antivirus and antimalware solutions to detect and quarantine malware.
● Physically secure server equipment to prevent unauthorized access.

Wireless Network Installation Considerations:

● Ensure good coverage of authorized Wi-Fi access points to prevent rogue and evil twin
attacks.
● Use nonoverlapping channels in the 5 GHz band for better performance.
● Conduct site surveys to measure signal strength and interference.
● Use heat maps to optimize WAP placement and configuration.
● Configure wireless encryption settings to secure the network.
● Consider vulnerabilities and limitations of Wi-Fi Protected Setup (WPS).
● Utilize Wi-Fi Protected Access 3 (WPA3) for improved security.

Wi-Fi Authentication Methods:

● Personal, open, and enterprise authentication types.

● WPA2-PSK and WPA3-SAE for personal authentication.
● WPA3 enhances security over WPA2, particularly with SAE protocol.
● Enterprise authentication involves 802.1x, EAP methods, and RADIUS.

Network Access Control (NAC):

● Authenticates users and devices, enforces compliance with security policies.

● Restricts access based on user profile, device type, location, etc.
● Works with VLANs to automate security measures.
● NAC can be agent-based or agentless, each with its advantages and limitations.
Network Security Capability Enhancement
Network Security Capability Enhancement:

● Firewalls, IDS, IPS, and web filters are essential components in network security.
● Firewalls create a barrier between trusted internal networks and untrusted external
networks, controlling incoming and outgoing traffic based on rules.
● IDS monitor network traffic for possible incidents and alert administrators.
● IPS not only detect but also prevent threats by taking automated actions like blocking
traffic.
● Web filters control access to Internet content, preventing access to malicious websites
and monitoring access to restricted sites.

Access Control Lists (ACL):

● ACLs control traffic at a network interface level using packet information like
source/destination IP addresses, port numbers, and protocols.
● Firewall rules dictate how firewalls handle inbound/outbound traffic based on IP
addresses, port numbers, protocols, or application traffic patterns.
 ● Rules in a firewall's ACL are processed from top to bottom; specific rules are placed at
the top, and a default deny rule is typically at the end.
● Basic principles include blocking internal/private IP addresses, protocols for local
network level, penetration testing, and securing hardware.

Screened Subnet:

● Acts as a neutral zone between an organization's internal network and the Internet,
separating public-facing servers from sensitive internal resources.
● Hosts web, email, DNS, or FTP services accessible from the Internet but isolated from
internal systems to limit damage from breaches.
● Firewalls control traffic to/from the screened subnet, providing an additional layer of
protection.

Intrusion Detection and Prevention Systems (IDS/IPS):

● IDS/IPS monitor network traffic for suspicious patterns or activities.

● Host-based (HIDS/HIPS) installed on individual systems detect insider threats, file
changes, and local events.
● Network-based (NIDS/NIPS) monitor network traffic for known threats and unusual
behavior across multiple systems.

IDS/IPS Tools:

● Snort and Suricata are well-known IDS/IPS tools.

● Security Onion provides intrusion detection, network security monitoring, and log
management.
● These tools use signature-based, behavioral/anomaly-based, and trend analysis
detection methods.

Web Filtering:

● Web filters block access to malicious or inappropriate websites, preventing malware

infections and increasing productivity.
● Agent-based filtering installs software agents on devices, enforcing filtering policies
locally.
● Centralized web filtering uses proxy servers to analyze and control web traffic,
implementing block rules, content categorization, and reputation-based filtering.
● Issues include overblocking, underblocking, handling of encrypted traffic, and privacy
concerns. Proper configuration and management are essential.
Assess Endpoint Security Capabilities

Implement Endpoint Security

ACLs and File System Permissions:

● ACLs manage access control policies for files and directories.

● Each object in the file system has an ACL associated with it.
● ACLs contain a list of allowed accounts and their permissions.
● Permissions include Read (r), Write (w), and Execute (x).
● Permissions are applied based on owner user (u), group (g), and others (o).
● Commands like chmod modify permissions using symbolic or absolute mode.

Application Allow Lists and Block Lists:

● Allow lists permit execution only for approved applications.

 ● Block lists prohibit execution of listed processes.
● Lists need regular updates based on incidents and threat hunting.
● Strategic changes may be necessary based on threat analysis.

Monitoring:

● Monitoring enforces and maintains security measures on endpoints.

● Helps detect changes that weaken security configurations.
● Provides data for compliance and auditing purposes.

Configuration Enforcement:

● Ensures systems adhere to mandatory security configurations.

● Involves standardized configuration baselines, automated management tools,
continuous monitoring, and change management processes.

Group Policy:

● Centralized management of Windows OS settings in an Active Directory environment.

● Applies security settings consistently across systems.
● Settings include password policies, firewall settings, software restrictions, etc.

SELinux:

● Security feature in Linux supporting access control security policies.

● Offers granular permission control over processes and system objects.
● Limits resource access to prevent harm from malicious or flawed programs.

Hardening Techniques:

● Protects endpoints against evolving cybersecurity threats.

● Strategies include physical port hardening, logical port security, encryption, and host-
based firewalls/IPS.

Installing Endpoint Protection:

● Involves strategic planning, standardized configurations, automated deployments,

updates, monitoring, and centralized management.

Changing Defaults and Removing Unnecessary Software:

● Crucial steps in hardening endpoints.

● Changing default passwords and removing unnecessary software reduces
vulnerabilities.

Decommissioning:
 ● Secure process for retiring devices to prevent data exposure.
● Involves data sanitization, resetting to factory settings, and updating inventory records.

Hardening Specialized Devices:

● Unique hardening strategies for industrial control systems, embedded systems, real-time
operating systems, and IoT devices.
● Involves network segmentation, authentication, secure coding, and compliance with
security standards and certifications.

Mobile Device Hardening

1. Mobile Device Deployment Models:
○ Corporate owned, business only (COBO): Device owned by organization, strictly
for business use.
○ Corporate owned, personally enabled (COPE): Device provided by organization,
allows personal use within policy limits.
○ Choose your own device (CYOD): Employees select devices from a
predetermined list.
○ Each model balances control, flexibility, and security differently.
○ COBO offers more control but higher equipment spending; BYOD offers flexibility
but security challenges.
2. Mobile Device Management (MDM):
 ○ Crucial for managing, securing, and enforcing policies on smartphones and
tablets.
○ Maintains device inventory, ensures authorized access, enforces security
policies, and enables remote lock or wipe.
○ Manages device updates, patches, app distributions, and other tasks.
○ Various platforms available: Apple’s MDM, Android Enterprise, Microsoft Intune,
VMware AirWatch, IBM MaaS360.
3. Full Device Encryption and External Media:
○ Most mobile OSes offer full device encryption.
○ iOS offers multiple encryption levels, including Data Protection for sensitive data.
○ Android encrypts user data at the file level by default (since Android 10).
○ Care should be taken with external media (MicroSD cards) to apply encryption
where necessary.
4. Location Services:
○ Utilizes GPS or Indoor Positioning System (IPS) for device location.
○ Privacy concerns arise due to tracking potential; apps require user permission.
○ Geofencing creates virtual boundaries; can be used for context-aware
authentication.
5. Connection Methods (Cellular, Wi-Fi, Bluetooth):
○ Cellular connections bypass enterprise network protections; require endpoint
controls.
○ Wi-Fi risks from open access points or rogue networks; strong WPA3 security
recommended.
○ Bluetooth vulnerabilities include device discovery, authentication issues,
malware, and bluejacking/bluesnarfing.
○ NFC for short-range communication and mobile payments; vulnerable to
eavesdropping, interception, and data corruption attacks.

Enhance Application Security Capabilities

Application Protocol Security Baselines

● Secure Directory Services:
○ Network directory lists subjects (users, computers, services) and objects
(directories, files) with permissions.
○ Most use Lightweight Directory Access Protocol (LDAP) over port 389.
○ Authentication methods:
■ No Authentication: Anonymous access.
■ Simple Bind: Plaintext DN and password.
 ■ SASL: Negotiates supported authentication mechanisms.
■ LDAPS: Uses digital certificate for secure tunnel on port 636.
○ Limit access: Disable anonymous and simple authentication if secure access is
required.
○ Access control policy for read-only and read/write access.
○ Restrict access to private network; block LDAP port from public interface.
● Simple Network Management Protocol Security (SNMP):
○ Framework for management and monitoring.
○ Agent maintains Management Information Base (MIB); communicates over ports
161 (queries) and 162 (traps).
○ SNMP Monitor oversees agents, polls them for info, alerts for traps.
○ Security measures: Disable if not used, use difficult-to-guess community names,
restrict management operations, use SNMP v3 for encryption and strong
authentication.
● File Transfer Services:
○ FTP remains popular despite newer protocols.
○ FTP lacks security mechanisms, vulnerable to interception.
○ SSH FTP (SFTP) and FTP Over SSL (FTPS) provide encryption.
○ SFTP uses SSH over port 22; FTPS uses TLS over ports 21 (explicit) and 990
(implicit).
● Email Services:
○ SMTP for sending; mailbox protocol (POP3, IMAP) for storing/accessing.
○ Secure SMTP (SMTPS) and Secure POP (POP3S) use TLS.
○ Secure IMAP (IMAPS) allows permanent connections and folder management.
○ Email Security:
■ SPF, DKIM, DMARC authenticate senders, prevent phishing and spam.
■ Email Gateway scrutinizes emails, utilizes anti-spam filters, antivirus
scanners, DMARC, SPF, DKIM.
■ S/MIME encrypts and authenticates email communications.
■ Email Data Loss Prevention (DLP) prevents unauthorized sharing of
sensitive information.
● DNS Filtering:
○ Blocks or allows access to specific websites by controlling DNS resolution.
○ Proactive defense mechanism against phishing sites, malware, and inappropriate
content.
○ Implemented through DNS filtering services, DNS servers, DNS firewalls, or local
DNS resolvers.
● DNS Security:
○ Configure DNS servers for fault tolerance, restrict recursive queries to local
hosts.
○ Patch DNS server software regularly to mitigate vulnerabilities.
○ Prevent DNS footprinting by applying access control lists to prevent unauthorized
zone transfers.
 ○ DNSSEC provides validation process for DNS responses, mitigates spoofing and
poisoning attacks.

Cloud and Web Application Security Concepts

Concepts:

● Cloud and web application security involve:

○ Cloud hardening: fortifies cloud infrastructure, reduces attack surface.
○ Application security: ensures secure design, development, deployment.
● Both practices establish a layered defense strategy against various threats.
● Secure coding practices include:
○ Input validation techniques.
 ○ Principle of least privilege.
○ Secure session management.
○ Encryption enforcement.
○ Patching support.
● Developers should design software with:
○ Comprehensive, structured, meaningful logs.
○ Real-time alerting mechanisms.

Secure Coding Techniques:

● Security considerations for new programming technologies should be understood and

tested.
● Modern development practices include security development lifecycle.
● Examples: Microsoft’s SDL, OWASP Software Assurance Maturity Model, OWASP Top
10.
● Input validation:
○ Essential for addressing untrusted input issues.
○ Techniques: Allowlisting, Blocklisting, Data Type Checks, Range Checks,
Regular Expressions, Encoding.
● Secure Cookies:
○ Principles include 'Secure', 'HttpOnly', 'SameSite' attributes.
○ Protect against session hijacking, cross-site scripting.
● Static Code Analysis:
○ Identifies vulnerabilities, errors, noncompliant coding practices.
○ Tools: SonarQube, Coverity, Fortify.

Code Signing:

● Verifies integrity, authenticity of software code.

● Uses digital signatures, certificates from trusted CAs.
● Assures source, integrity of code, not its safety or security.

Application Protections:

● Data exposure prevention.

● Error handling: Structured exception handling, avoiding default error messages.
● Memory management: Avoiding faulty practices.
● Client-Side vs. Server-Side Validation: Client-side informs users, server-side validates.
● Application Security in the Cloud: Complementary to cloud hardening.

Monitoring Capabilities:

● Enhance logging, monitoring for better threat detection.

● Real-time alerting improves incident response.

Software Sandboxing:
 ● Isolates processes, prevents access to system.
● Implemented in web browsers, operating systems, virtual machines.

Sandboxing in Security Operations:

● Essential for malware detection, forensic inspection.

● Tools: Cuckoo Sandbox, Joe Sandbox.

These study notes cover the essential concepts and techniques for understanding cloud and
web application security, including secure coding practices, input validation, secure cookies,
static code analysis, code signing, application protections, monitoring capabilities, and software
sandboxing.

Explain Incident Response and Monitoring Concepts

Incident Response
Incident Response and Monitoring Concepts

Incident Response Plan:

 ● Formal plan listing procedures, contacts, and resources for various incident categories.
● Preparation outcome.

Detection:

● Correlating events from network and system data sources.

● Identifying indicators:
○ Matching events in log files, IDS alerts, etc.
○ Deviations from baseline metrics.
○ Proactive threat hunting.
○ Employee, customer, or supplier notifications.
● Importance of confidential reporting.
● First responder notification crucial for appropriate response.
● Managing alerts through SIEM platform.

Analysis:

● Investigating detected indicators.

● Determining genuine incident and priority level.
● Categorizing true positive incidents.
● Escalating analysis for complex or high-impact events.

Impact:

● Factors affecting impact determination:

○ Data integrity.
○ Downtime.
○ Economic/publicity.
○ Scope.
○ Detection time.
○ Recovery time.

Category:

● Shared understanding of incident terms and concepts.

● Relies on threat intelligence for effective analysis.
● Utilizes frameworks like cyber kill chain for threat research.

Playbooks:

● SOPs for specific cyber threat scenarios.

● Guide for detection and response steps.

Containment:

● Isolation-based and segmentation-based techniques.

 ● Focus on preserving forensic evidence.

Eradication and Recovery:

● Mitigation and restoration steps post-containment.

● Reconstitution of affected systems.
● Reaudit security controls.
● Notification and remediation for affected parties.

Lessons Learned:

● Root cause analysis.

● Structured inquiry into incident causes.
● Staff meeting and report compilation.
● Focus on improving procedures rather than blaming individuals.

Testing and Training:

● Validate incident response readiness.

● Testing forms: tabletop exercises, walkthroughs, simulations.
● Training on incident detection, reporting, and cross-departmental coordination.

Threat Hunting:

● Proactive discovery of TTPs.

● Utilizes threat intelligence and analytics platforms.
● Considerations for intelligence fusion and adversary maneuvering.

Digital Forensics
1. Introduction to Digital Forensics:
○ Digital forensic analysis involves examining evidence gathered from computer
systems and networks.
 ○ Purpose: Uncover relevant information such as deleted files, timestamps, user
activity, and unauthorized traffic.
2. Incident Response Activities:
○ Importance of digital forensic analysis in incident response.
○ Processes and tools for acquiring digital evidence.
○ Documentation is critical for collecting, preserving, and presenting valid digital
proofs.
3. Due Process and Legal Hold:
○ Digital forensics for prosecuting crimes, especially insider threats like fraud or
misuse of equipment.
○ Importance of due process and procedural safeguards to ensure fairness.
○ Legal hold: Preservation of information relevant to a court case, including
electronic records.
4. Acquisition of Digital Evidence:
○ Process of obtaining a forensically clean copy of data from seized devices.
○ Impact of legality on acquisition, especially regarding BYOD policies.
○ Order of volatility for evidence collection: CPU cache, system memory, mass
storage, remote logging, physical configuration.
5. System Memory Acquisition:
○ Importance of volatile data from RAM.
○ Tools and methods for capturing system memory, such as memory dumps.
6. Disk Image Acquisition:
○ Acquiring data from nonvolatile storage like hard drives, SSDs, and optical
media.
○ Live acquisition vs. static acquisition methods.
○ Imaging tools for bit-level copies of storage media.
7. Preservation of Digital Evidence:
○ Ensuring the integrity of evidence by avoiding alterations during acquisition.
○ Use of write blockers to prevent changes to source data or metadata.
8. Evidence Integrity and Non-Repudiation:
○ Cryptographic hashing to ensure data integrity.
○ Chain of custody documentation to establish proper handling and integrity of
evidence.
9. Reporting in Digital Forensics:
○ Ethical principles in analysis: unbiased, repeatable methods, minimal
manipulation of evidence.
○ Importance of strong documentation and reporting to withstand legal scrutiny.
10. E-Discovery:
○ Filtering relevant evidence from forensic examinations.
○ Functions of e-discovery tools: de-duplication, search, tagging, security,
disclosure.
Data Sources
1. Introduction to Metadata:
 ○ Metadata is data about data, including properties like creation time, author, and
permissions.
○ It is crucial for establishing timelines and providing evidence in incident
investigations.
2. File Metadata:
○ Attributes stored by the file system include creation, access, and modification
times.
○ Security attributes like read-only or hidden, and permissions represented by
ACLs.
○ Extended attributes can include author information, copyright details, or tags for
indexing.
3. Social Media Metadata:
○ Metadata uploaded to social media can reveal unintended information like
location and time.
4. Web Metadata:
○ Web servers return resource properties via headers in response to client
requests.
○ Headers can include authorization information, data type (text or binary), and
may be logged by servers.
5. Email Metadata:
○ Email headers contain sender, recipient, and transmission details handled by
mail agents.
○ Mail user agents (MUAs) create initial headers, mail delivery agents (MDAs) add
or amend headers, and message transfer agents (MTAs) route messages.
○ Headers can contain additional information added by each MTA along the
delivery path.
6. Viewing and Analyzing Metadata:
○ Headers are not typically exposed to users but can be viewed via message
properties or source command.
○ MTAs add detailed information to headers, making it difficult to read in plaintext.
○ Tools like Message Analyzer can parse and display headers in a structured
format, showing the delivery path and added headers.
Alerting and Monitoring Tools
Agent-Based and Agentless Collection:

1. Agent-based Collection:
○ Involves installing an agent service on each host.
○ Events on the host are logged, filtered, aggregated, and sent to the SIEM server
for analysis.
○ Typically used for Windows/Linux/macOS computers.
2. Listener/Collector:
○ Hosts push log changes to the SIEM server without installing an agent.
○ Used for devices like switches, routers, and firewalls.
○ Uses Syslog protocol for forwarding logs to SIEM.
3. Sensor:
○ Collects packet captures and traffic flow data.
○ Utilizes sniffer tools via mirror port functionality or network tap.

Log Aggregation:

1. Normalization:
○ Interprets data from various systems for consistency and searchability.
○ SIEM features connectors or plug-ins for different systems.
○ Requires parsers for each data source to map attributes to standard fields.
2. Date/Time Normalization:
○ Ensures consistency across different time zones to establish a single timeline.

Alerting and Monitoring Activities:

1. Alerting:
○ SIEM runs correlation rules on extracted indicators to detect potential incidents.
○ Correlation involves interpreting relationships between data points.
○ Correlation rules use logical expressions and operators to define conditions.
○ Threat intelligence feeds associate collected data with known threat indicators.
2. Incident Response:
○ Includes analysis, containment, eradication, and recovery steps.
○ Validation during analysis confirms true positives.
○ Quarantine isolates the source of indicators.
3. Reporting:
○ Provides insight into security system status.
○ Formats tailored for different audiences like executives, managers, and
compliance regulators.
○ Metrics include authentication data, patch status, incident statistics, and trend
reporting.
4. Archiving:
○ Retains historical log and network traffic data.
 ○ Supports retrospective incident and threat hunting and compliance requirements.
○ Requires a retention policy to manage data volume and SIEM performance.

Alert Tuning and Monitoring Infrastructure:

1. Alert Tuning:
○ Reduces false positives to avoid alert fatigue.
○ Techniques include refining detection rules, redirecting alerts, and continuous
monitoring.
○ False negatives are also addressed to prevent overlooking threats.
2. Monitoring Infrastructure:
○ Uses managerial reports for day-to-day monitoring of computer resources and
network infrastructure.
○ Network monitors collect data about network infrastructure appliances for status
monitoring.
○ NetFlow provides flow data analysis for network traffic metadata.

Monitoring Systems and Applications:

1. System Monitors and Logs:

○ System monitors assess host health status using SNMP traps.
○ Logs are critical for security information, audit trails, and intrusion detection.
2. Application and Cloud Monitors:
○ Monitor application/service status, bandwidth consumption, and cloud services.
○ Vulnerability scanners assess host vulnerabilities and misconfigurations.
○ Antivirus software detects malware and integrates with SIEM for alerting.
3. Data Loss Prevention (DLP):
○ Controls data copying to restrict it to authorized media and services.
○ Monitoring statistics for DLP policy violations help identify trends.
4. Benchmarks and Compliance Scans:
○ Compare system configurations to established benchmarks for compliance.
○ Compliance scans ensure conformity to regulatory standards and best practices.
Analyze Indicators of Malicious Activity

Malware Attack Indicators

Spyware and Keyloggers:

● Viruses and worms evolved from destructive replication to facilitating intrusion, fraud,
and data theft.
● Tracking cookies record web activity, IP addresses, search queries, etc., while
supercookies and beacons track covertly.
● Adware alters browser settings, inserts ads, and changes search providers.
● Spyware monitors application activity, captures screenshots, and activates recording
devices like microphones.
● Keyloggers record keystrokes to steal confidential information like passwords and credit
card data.
● Metasploit Meterpreter tool can be used to dump keystrokes from victim machines.

Backdoors and Remote Access Trojans:

● Backdoors provide unauthorized access, while Remote Access Trojans (RATs) operate
covertly for administrative control.
● Compromised hosts may have bots, forming botnets used for DDoS attacks, spam, or
cryptomining.
● RATs connect to a command and control (C&C) host for remote control, often using
covert channels like IRC or HTTPS/DNS.

Rootkits:

● Trojans requiring user execution inherit user privileges; gaining admin privileges needs
UAC confirmation.
● Rootkits operate at the system level, concealing themselves as legitimate processes,
files, or services.
● Some rootkits exploit vulnerabilities to gain SYSTEM privileges or reside in firmware for
persistence.

Ransomware, Crypto-Malware, and Logic Bombs:

● Ransomware encrypts files, demanding payment for decryption; crypto-ransomware

encrypts data and demands ransom in cryptocurrency.
● Cryptojacking hijacks resources for cryptocurrency mining, often across botnets.
● Logic bombs execute after a set time or event, triggering malicious actions.

TTPs and IoCs:

 ● Tactics, Techniques, and Procedures (TTPs) describe threat behaviors, methods, and
detailed procedures used by threat actors.
● Indicators of Compromise (IoCs) are residual signs of successful or ongoing attacks,
including compromised processes, connections to C&C networks, and altered system
settings.

Malicious Activity Indicators:

● Sandboxes isolate and analyze suspicious code; resource consumption, file system
changes, and account compromise indicate malicious activity.
● Access denial, resource inaccessibility, and suspicious account behavior like lockouts or
impossible travel suggest a security breach.
● Threat actors may attempt to cover their tracks by deleting or altering logs, leading to
missing or manipulated log entries.
Physical and Network Attack Indicators
● ARP Poisoning Attack:
○ Targets subnet's default gateway.
○ If successful, attacker intercepts traffic destined for remote networks.
○ Implemented through ARP poisoning to perform on-path attack.
● DNS Attacks:
○ Exploit weaknesses in Domain Name System (DNS).
○ Various types: typosquatting, DRDoS, DoS against public DNS services, DNS
server hijacking.
○ DNS poisoning compromises name resolution process.
○ Methods: on-path attacks, DNS client cache poisoning, DNS server cache
poisoning.
● Wireless Attacks:
○ Rogue Access Points:
■ Unauthorized access points installed on the network.
■ Can be malicious or accidental.
■ Evil twin mimics legitimate access point to deceive users.
○ Wireless Denial of Service:
■ Disrupts wireless networks using interference or spoofed frames.
○ Wireless Replay and Key Recovery:
■ Exploits lack of encryption in management frame traffic.
■ Disassociation attacks disconnect clients.
■ Aimed at recovering network keys.
● Password Attacks:
○ Online Attacks:
■ Interact directly with authentication service.
■ Mitigated by limiting login attempts.
○ Offline Attacks:
■ Exploit obtained password hashes.
■ Utilize packet sniffers or access to password databases.
○ Brute Force, Dictionary, Hybrid Attacks:
■ Attempt every combination or use dictionary words.
○ Password Spraying:
■ Tries common passwords with multiple usernames.
● Credential Replay Attacks:
○ Target Windows Active Directory networks.
○ Exploit cached credentials to gain access to other hosts.
○ Types: pass the hash, golden ticket, silver ticket attacks.
● Cryptographic Attacks:
○ Downgrade Attacks:
■ Forces use of weaker protocols or ciphers.
○ Collision Attacks:
■ Exploits weak hashing functions to create same hash for different inputs.
 ○ Birthday Attacks:
■ Exploits collisions in hash functions through brute force.
● Malicious Code Indicators:
○ Types of malicious activity: shellcode, credential dumping, pivoting/lateral
movement, persistence.
○ Indicators found in endpoint protection software or network logs.
○ Malware interacts with network, file system, and registry.
Application Attack Indicators
1. Application Attacks Overview:
○ Application attacks target vulnerabilities in OS or application software.
○ Vulnerabilities can lead to compromised security systems or application crashes.
○ Main scenarios: compromising OS or third-party apps, compromising website or
web application security.
2. Indicators of Application Attacks:
○ Increased application crashes/errors can indicate exploitation attempts.
○ Anomalous CPU, memory, storage, or network utilization can also be indicators.
○ Indicators may be found in system logs or application-specific logs.
3. Privilege Escalation:
○ Goal: Allow threat actors to run their own code on the system.
○ Types: Vertical (elevation) and horizontal privilege escalation.
○ Indicators: Process logging, audit logs, incident response, and endpoint
protection agents.
4. Buffer Overflow:
○ Exploits vulnerabilities by overwriting data in a buffer.
○ Common vulnerability: stack overflow.
○ Mitigation: Address Space Layout Randomization (ASLR) and Data Execution
Prevention (DEP).
5. Replay Attacks:
○ Exploit session mechanisms like cookies.
○ Session token identification and exploitation.
6. Forgery Attacks:
○ CSRF: Exploits cookies for unauthorized actions.
○ SSRF: Causes server to process arbitrary requests targeting other services.
7. Injection Attacks:
○ Exploits unsecure application request processing.
○ Types include XML Injection, LDAP Injection, Directory Traversal, and Command
Injection.
8. URL Analysis:
○ HTTP request structure and methods.
○ Percent encoding and its misuse for obfuscation.
○ Web server logs as indicators of attacks, including status codes and HTTP
header information.
Summarize Security Governance Concepts

Policies, Standards, and Procedures

Security Governance Concepts

1. Importance of Standards
○ Stakeholders influence standards choice.
○ Standards reflect dedication to quality, security, reliability.
○ Strategic selection based on legal, business, risk management, and stakeholder
needs.
○ Adoption impacts operations; appropriate selection enhances effectiveness.
2. Industry Standards
○ ISO/IEC 27001, 27002, 27017, 27018.
○ NIST Special Publication 800-63.
○ PCI DSS.
○ FIPS.
○ Audit compliance and security practices; assess adherence and identify gaps.
3. Internal Standards
○ Password standards: hashing, salting, transmission, reset, managers.
○ Access control standards: models, verification, privilege management,
authentication, session management, audit trails.
4. Physical Security Standards
○ Building, workstation, datacenter security.
○ Equipment disposal, visitor management.
5. Encryption Standards
○ Algorithms, key length, management.
6. Legal Environment
○ Governance committees ensure compliance with laws and regulations.
○ Legislation examples: Sarbanes-Oxley Act, Computer Security Act, Federal
Information Security Management Act.
○ International laws like GDPR and CCPA protect privacy globally.
7. Global Law
○ Laws like GDPR and CCPA have international reach.
○ GDPR emphasizes informed consent, data subject rights.
○ CCPA empowers California residents with data control rights.
8. Regulations and Laws
○ National, local, regional laws vary; compliance essential.
○ Examples: HIPAA, GLBA, FISMA, Data Protection Act, PIPEDA, IT Act.
9. Industry-Specific Regulations
○ Examples across healthcare, finance, telecommunications, energy, education,
government sectors.
○ Compliance ensures industry-specific data protection.
10. Governance and Accountability
○ Ensures compliance with laws and regulations.
○ Continuous monitoring, evaluation, and updating essential.
○ Governance boards, committees crucial for oversight.
11. Centralized vs. Decentralized Governance
○ Centralized: unified decision-making; standardized practices.
○ Decentralized: localized decision-making; adaptability.
○ Hybrid models combine elements for flexibility and standardization.
12. Government Entities and Groups
○ Regulatory, intelligence, law enforcement, defense agencies involved.
○ Data protection authorities enforce regulations.
○ National cybersecurity agencies focus on critical infrastructure protection.
13. Data Governance Roles
○ Owner: strategic guidance.
○ Controller: legal and regulatory compliance.
○ Processor: secure data handling.
○ Custodian: implementation and enforcement of security controls.
Change Management
Study Notes on Change Management:

1. Importance of Change Management:

● Systematic approach to managing changes in IT infrastructure.

● Goal: Minimize risk and disruption, maximize value and efficiency of changes.
● Relies on planning, testing, approval, and implementation.
● Considers impacts, dependencies, and develops contingency plans.
● Requires proper documentation and communication.

2. Change Management Programs:

● Ensure efficient and effective handling of changes.

● Minimize risks associated with changes.
● Manage various changes including software deployments, updates, hardware
replacements, etc.
● Prevent introduction of vulnerabilities, service disruptions, or compliance issues.

3. Change Management Approval Process:

● Begins with submitting a Request for Change (RFC).

● Reviewed by designated change manager or committee.
● Formal approval involving stakeholders.
● Documentation and communication throughout the process.

4. Factors Driving Change Management:

● Involvement of stakeholders from various parts of the organization.

● Ensures comprehensive review of proposed changes.
● Promotes acceptance and adoption of changes.
● Facilitates ownership and responsibility.

5. Change Management Concepts:

● Impact Analysis: Identifying and assessing potential implications of proposed changes.

● Test Results: Evaluation of changes in a test environment before implementation.
● Backout Plans: Contingency plans for reversing changes if implementation fails.
● Maintenance Windows: Predefined time frames for implementing changes.
● Standard Operating Procedures (SOPs): Detailed instructions for implementing changes
consistently.

6. Allowed and Blocked Changes:

● Allow lists: Approved changes exempt from full change management process.
 ● Deny lists: Explicitly blocked changes requiring full change management process.
● Ensure control over authorized and unauthorized changes.

7. Restarts, Dependencies, and Downtime:

● Considerations for minimizing disruptions during change implementation.

● Scheduled maintenance windows and minimizing impacts on business operations.
● Understanding dependencies to mitigate unintended outages.

8. Legacy Systems and Applications:

● Unique challenges in managing changes due to outdated technology and lack of

support.
● Requires specialized solutions and extensive testing.

9. Documentation and Version Control:

● Tracking and controlling changes to documents, code, or data.

● Ensures historical record of changes, consistency, and quick reversion to previous
versions.
● Impacts various documentation including change requests, policies, system
documentation, etc.
Automation and Orchestration
Study Notes on Automation and Orchestration:

1. Importance of Automation and Orchestration:

● Tools for managing security operations efficiently.

● Automation: Performs repetitive, rule-based tasks to reduce human error.
● Orchestration: Coordinates interactions between automated processes and systems.
● Enhances efficiency, reduces errors, and provides clear audit trails.

2. Automation and Scripting:

● Critical tools in modern IT operations for streamlining processes and enhancing security.
● Enhances security governance by enforcing policies consistently.
● Aids in change management by reducing implementation time and providing audit trails.

3. Capabilities of Automation:

● Provisioning: Automating user and resource provisioning tasks to reduce manual effort
and errors.
● Guardrails and Security Groups: Automating monitoring and enforcement of security
policies.
● Ticketing: Automating incident detection, ticket generation, routing, and escalation
procedures.
● Service Management: Automating routine tasks to free up time for strategic analysis.
● Continuous Integration and Testing: Automation improves code quality and accelerates
development cycles.
● Application Programming Interfaces (APIs): Automation orchestrates interactions
between software systems.

4. Benefits of Automation and Orchestration:

● Enhances efficiency by reducing repetitive tasks and human error.

● Combats operator fatigue in security operations.
● Improves security posture by enforcing standardized baselines and automating security
tasks.
● Supports staff retention initiatives by reducing fatigue from repetitive tasks.

5. Challenges of Automation and Orchestration:

● Complexity: Requires deep understanding of systems and processes.

● Cost: Initial investment in tools, integration, and training can be high.
 ● Single Point of Failure: Critical automated systems failing could cause widespread
problems.
● Technical Debt: Hasty implementation leading to poorly documented code or system
instability.
● Ongoing Support: Requires continuous updates, patches, and maintenance for
effectiveness.

6. Benefits of Infrastructure Management Automation:

● Ensures consistency and accuracy throughout the infrastructure.

● Saves time and resources by quickly deploying configurations.
● Enhances scalability, flexibility, standardization, compliance, and change management.
● Strengthens security and governance by enforcing security controls and applying
patches consistently.
Explain Risk Management Processes

Risk Management Processes and Concepts

1. Risk Management Overview:

● Proactive and systematic approaches to identify, assess, prioritize, and mitigate risks.
● Risk mitigation involves reducing exposure to or the effects of risk factors.

2. Risk Management Strategies:

● Risk Deterrence/Reduction: Controls to make risk incidents less likely or less costly.
● Avoidance: Stopping activities causing risk, although infrequently a credible option.
● Risk Transference: Assigning risk to a third party, such as through insurance.
● Risk Acceptance/Tolerance: No countermeasures put in place due to risk level
justification.
● Risk Exceptions/Exemptions: Formal recognition of risks that cannot be mitigated within
specified conditions.

3. Residual Risk and Risk Appetite:

● Residual Risk: Likelihood and impact after mitigation measures.

● Risk Appetite: Strategic assessment of tolerable residual risk levels.

4. Risk Management Processes:

● Identification of Mission Essential Functions (MEFs) and vulnerabilities.

● Analysis of threats, business impacts, and risk responses.
● Assessing likelihood and impact of risks using qualitative and quantitative methods.
● Risk management frameworks like NIST RMF or ISO 31K guide processes.
● Risk Registers: Documents results of risk assessments, including severity, mitigation
strategies, and ownership.

5. Risk Threshold and Key Risk Indicators (KRIs):

● Risk Threshold: Defines acceptable risk levels based on various factors.

● KRIs: Predictive indicators to monitor and predict potential risks, supporting proactive
risk management.

6. Business Impact Analysis (BIA) and Mission Essential Functions (MEFs):

 ● BIA: Identifying and assessing impact of disruptions on business operations.
● MEFs: Functions critical for business continuity that cannot be deferred.

7. Key Metrics in Risk Management:

● Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO), Work Recovery
Time (WRT), Recovery Point Objective (RPO).
● Mean Time to Repair (MTTR) and Mean Time Between Failures (MTBF) as KPIs for
system reliability and efficiency.
Vendor Management Concepts
● Vendor Management Concepts:
○ Third-party risk assessment involves:
■ Vendor due diligence.
■ Risk identification and assessment.
■ Ongoing monitoring.
■ Incident response planning.
○ Vendor due diligence includes evaluating:
■ Security practices.
■ Financial stability.
■ Regulatory compliance.
■ Reputation.
○ Risk identification and assessment involve:
■ Identifying potential risks.
■ Assessing impact on operations, data, and reputation.
○ Ongoing monitoring ensures:
■ Vendors maintain security controls.
■ Adhere to contractual obligations.
■ Promptly address identified risks or vulnerabilities.
○ Critical in risk management to:
■ Identify, assess, and mitigate risks.
■ Implement robust assessment processes.
■ Maintain regulatory compliance.
■ Foster a safe operational environment.
● Vendor Selection:
○ Systematically evaluate potential vendors.
○ Steps include:
■ Identifying risk criteria.
■ Conducting due diligence.
■ Selecting vendors based on risk profile.
○ Aims to identify and mitigate risks related to:
■ Financial stability.
■ Operational reliability.
■ Data security.
■ Regulatory compliance.
■ Reputation.
○ Select vendors aligning with:
 ■ Organization’s risk tolerance.
■ Effective risk management capability.
● Third-Party Vendor Assessment:
○ External entities providing goods, services, or technology.
○ Offer specialized expertise and support.
○ Range from technology providers to suppliers.
○ Bring efficiency, cost-effectiveness, and innovation.
○ Introduce potential risks:
■ Access to sensitive data.
■ Infrastructure.
■ Critical processes.
○ Proper assessment ensures adherence to security standards, compliance, and
fulfillment of obligations.
Audits and Assessments
1. Purpose of Audits and Assessments:
○ Ensure operations align with standards, policies, and regulations.
○ Identify gaps and provide recommendations for improvement.
○ Enhance security measures by assessing effectiveness and efficiency.
2. Attestation and Assessments:
○ Attestation verifies security controls' accuracy and compliance.
○ Independent examination assures stakeholders of security measures.
3. Internal vs. External Assessments:
○ Internal assessments by employees ensure continuous improvement.
○ External assessments by third-party providers offer impartial evaluation.
○ Both methods complement each other for comprehensive evaluation.
4. Internal Assessment Approaches:
○ Compliance Assessment: Ensures alignment with laws, regulations, and policies.
○ Audit Committee: Provides oversight and assurance on financial practices.
○ Self-Assessment: Allows for internal evaluation of performance and practices.
5. External Assessment Approaches:
○ Regulatory Assessments: Ensure compliance with laws and industry standards.
○ Examination: Independent evaluation of financial statements and controls.
○ Assessment: Broad evaluation of performance, practices, and capabilities.
○ Third-Party Audit: Objective assessment by external entities for compliance.

Study Notes on Penetration Testing:

1. Purpose of Penetration Testing:

○ Simulate real-world attacks to identify vulnerabilities and weaknesses.
○ Test specific systems, incident response capabilities, and physical controls.
2. Types of Penetration Testing:
○ Offensive Penetration Testing (Red Teaming): Mimics potential attackers' tactics.
○ Defensive Penetration Testing (Blue Teaming): Evaluates defensive measures.
○ Physical Penetration Testing: Assesses physical security practices and controls.
○ Integrated Penetration Testing: Holistic approach combining different
methodologies.
3. Active and Passive Reconnaissance:
○ Active: Probing and interacting with target systems to gather information.
 ○Passive: Gathering information without directly interacting, focusing on publicly
available data.
4. Known, Partially Known, and Unknown Testing Methods:
○ Known Environment: Detailed knowledge about the target system or network.
○ Partially Known Environment: Limited knowledge requiring reconnaissance.
○ Unknown Environment: Little prior knowledge to simulate real-world scenarios.

Summarize Data Protection and Compliance

Concepts

Data Classification and Compliance

● Definition of Data Breach:
○ Occurs when information is read, modified, or deleted without authorization.
○ Includes loss of any type of data, especially corporate and intellectual property.
○ Privacy breach specifically refers to loss or disclosure of personal and sensitive
data.
● Organizational Consequences of Breaches:
○ Reputation damage: Leads to negative publicity and loss of customer trust.
○ Identity theft: Can result in lawsuits for damages.
○ Fines: Regulators may impose fixed sums or a percentage of turnover.
○ IP theft: Loss of revenue due to theft of copyrighted material or corporate data.
● Notifications of Breaches:
○ Requirements set by law or regulations dictate who must be notified.
○ Breach can include loss, theft, or accidental disclosure of information.
○ Accidental breaches pose substantial risks if effective procedures are lacking.
○ Breach may be considered even with potential for unauthorized access.
● Escalation:
○ Even minor breaches should be escalated to senior decision-makers.
○ Impact from legislation and regulation should be considered.
● Public Notification and Disclosure:
○ Notification to law enforcement, affected individuals, third-party companies, and
the public may be required.
○ Legislation sets out requirements and timescales for notifications.
○ Disclosure includes description of breached information, contact details,
consequences, and mitigation measures.
● Compliance:
○ Refers to adherence to security standards, regulations, and best practices.
 ○ Requires establishment of policies, procedures, controls, and technical
measures.
○ Noncompliance can result in legal sanctions, financial penalties, reputational
damage, and loss of customer trust.
● Data Protection Methods:
○ Geographic restrictions, encryption, hashing, masking, tokenization, obfuscation,
segmentation, permission restrictions.
● Data Loss Prevention (DLP):
○ Automates discovery, classification, and enforcement of data protection rules.
○ Components include policy server, endpoint agents, and network agents.
○ Remediation actions include alerting, blocking, quarantining, and tombstoning.

Personnel Policies
● Personally Owned Devices in the Workplace:
○ Portable devices like smartphones, USB sticks, etc., pose security threats due to
easy file copying and potential camera/voice recording functions.
○ Solutions like network access control, endpoint management, and data loss
prevention can help prevent attachment of such devices to corporate networks.
○ Companies may struggle to enforce policies against bringing personal devices
onsite.
○ Unauthorized use of personal software (shadow IT) can lead to security
vulnerabilities and legal liabilities for the organization.
● Clean Desk Policy:
○ Requires employees to keep their work areas free from documents to prevent
unauthorized access to sensitive information.
● User and Role-Based Training:
○ Essential for ensuring users understand security policies, incident reporting, site
security procedures, data handling, password/account management, social
engineering threats, etc.
○ Training should be tailored to different job roles' security requirements and levels
of expertise.
● Training Topics and Techniques:
○ Use a variety of techniques like workshops, one-on-one instruction, computer-
based training, videos, etc., to improve engagement and retention.
○ Computer-based training can include simulations and branching scenarios to
practice cybersecurity tasks.
● Critical Elements for Security Awareness Training:
○ Includes policy training, situational awareness, insider threat education,
password management, and training on handling removable media and cables.
○ Also covers social engineering tactics, operational security, and training for
hybrid/remote work environments.
● Phishing Campaigns:
 ○ Simulated phishing attacks are used to raise awareness about phishing risks
among employees.
○ Training helps employees recognize and respond effectively to phishing
attempts, reducing the likelihood of data breaches.
● Anomalous Behavior and Recognizing Risky Behaviors:
○ Training focuses on identifying unusual actions or patterns that could indicate
security threats.
○ Employees learn to recognize and report risky, unexpected, and unintentional
behaviors that could lead to security incidents.
● Security Awareness Training Lifecycle:
○ Follows stages of assessing security needs, planning, development, delivery,
evaluation, reinforcement, and monitoring/adaptation to ensure effectiveness.
● Development and Execution of Training:
○ Emphasizes creating engaging materials, incorporating real-world examples, and
facilitating discussions to enhance learning.
● Reporting and Monitoring:
○ Methods include assessments, incident reporting analysis, phishing simulations,
observations/feedback, and tracking metrics like training completion rates.