PROVEN FAST, EFFECTIVE & AFFORDABLE EXAM PREP
Security+ EXAM CRAM
with Pete Zerger CISSP, vCISO, MVP
©2022 No reuse without written permission

DOMAIN 1

EXAM OBJECTIVES (DOMAINS)
1.0 Attacks, Threats, and Vulnerabilities 24%
2.0 Architecture and Design 21%
3.0 Implementation 25%
4.0 Operations and Incident Response 16%
5.0 Governance, Risk, and Compliance 14%

ULTIMATE STRATEGY GUIDE

CompTIA Security+ Exam Cram
EXAM NUMBER: SY0-601
• 1.0 Threats, Attacks and Vulnerabilities
Covering all topics in the official Security+ exam objectives

1.0 Threats, Attacks and Vulnerabilities
1.1 Compare and contrast different types of social engineering techniques
• Phishing
• Smishing
• Vishing
• Spam
• Spam over instant messaging (SPIM)
• Spear phishing
• Dumpster diving
• Shoulder surfing
• Pharming
• Tailgating
• Eliciting information
• Whaling
• Prepending
• Identity fraud
• Invoice scams
• Credential harvesting
• Reconnaissance
• Hoax
• Impersonation
• Watering hole attack
• Typosquatting
• Pretexting
• Influence campaigns
  • Hybrid warfare
  • Social media
• Principles (reasons for effectiveness)
  • Authority
  • Intimidation
  • Consensus
  • Scarcity
  • Familiarity
  • Trust
  • Urgency

Classifying Social engineering attacks
At a high level, two categories of social engineering attacks:
✓ Tailgating ✓ Shoulder surfing ✓ Dumpster diving
✓ Phishing ✓ Spear Phishing ✓ Whaling ✓ Vishing ✓ Hoax ✓ Watering hole attack
Best defense for both is security awareness training (user education)

1.1 Compare and contrast different types of social engineering techniques
Social engineering techniques
Social engineering: an attempt by an attacker to convince someone to provide info (like a password) or perform an action they wouldn’t normally perform (such as clicking on a malicious link)
Social engineers often try to gain access
to the IT infrastructure or the physical facility.

Phishing: commonly used to try to trick users into giving up personal information (such as user accounts and passwords), click a malicious link, or open a malicious attachment.
Spear phishing: targets specific groups of users
Whaling: targets high-level executives
Vishing (voice phishing): phone-based
Smishing: uses SMS (text) messaging on mobile
Phishing is the #1 cyber attack! An entry point for ransomware!
Know all these variants!

spam and spim
Spam: Unsolicited email, generally considered an irritant. Defeat with strong spam filtering.
SPIM: Spam over instant messaging, also generally considered an irritant. IM and mobile providers are providing some protection here. Create cryptic usernames and do not list your ID in the IM service public directory.
Not always just an irritant! Both are delivery channels for ransomware!

SOCIAL ENGINEERING TECHNIQUES
Dumpster diving: Gathering important details (intelligence) from things that people have thrown out in their trash. Often legal, and may target individuals or organizations.

SOCIAL ENGINEERING TECHNIQUES
Tailgating: when an unauthorized individual might follow you in through that open door without badging in themselves. Usually not an accident!
Eliciting information (aka ‘elicitation’): strategic use of casual conversation to extract information without arousing the suspicion of the target. Can involve complex cover stories and co-conspirators!
Elicitation techniques include flattery, false statements, artificial ignorance, bracketing

SOCIAL ENGINEERING TECHNIQUES
Shoulder surfing: a criminal practice where thieves steal your personal data by spying over your shoulder. Can happen anywhere with any device.
Pharming: an online scam similar to phishing, where a website's traffic is manipulated, and confidential information is stolen. A portmanteau of the words "phishing" and "farming".

SOCIAL ENGINEERING TECHNIQUES
Identity fraud: use of another person's personal information, without authorization, to commit a crime or to deceive or defraud that person or other 3rd party. aka “identity theft”
Prepending: adding words or phrases like “SAFE” to a malicious file or suggesting topics via social engineering to uncover information of interest.
Invoice scams: fake invoices with a goal of receiving money or by prompting a victim to put their credentials into a fake login screen.

SOCIAL ENGINEERING TECHNIQUES
Credential harvesting: attackers trying to gain access to your usernames and passwords that might be stored on your local computer. This is a frequent goal of phishing attempts.
COUNTERMEASURES: email defense, anti-malware, EDR/XDR solutions that will check URLs and block the scripts often used to execute the attack

reconnaissance
A common technique that comes in multiple forms
Passive discovery: Techniques that do not send packets to the target; like Google hacking, phone calls, DNS and WHOIS lookups
Semi-passive discovery: Touches the target with packets in a non-aggressive fashion to avoid raising alarms of the target
Active discovery: More aggressive techniques likely to be noticed by the target, including port scanning, and tools like nmap and Metasploit

SOCIAL ENGINEERING TECHNIQUES
Hoax: Intentional falsehoods coming in a variety of forms ranging from
virus hoaxes to fake news. Social media plays a prominent role in hoaxes today.
Impersonation: A form of fraud in which attackers pose as a known or trusted person to dupe the user into sharing sensitive info, transferring money, etc.
Watering hole attack: Attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware.

typosquatting
aka “URL hijacking”
A form of cybersquatting (sitting on sites under someone else’s brand or copyright) targeting users who type an incorrect website address.
Often employ a drive-by download that can infect a device even if the user does not click anything.

pretexting
An attacker tries to convince a victim to give up information of value, or access to a service or system.
The distinguishing feature is that the attacker develops a story, or pretext, in order to fool the victim.
The pretext often leans on establishing authority for the attacker as someone who should have access to information.
The pretext often includes a character played by the scam artist, and a plausible situation in which that character needs access to information.

INFLUENCE CAMPAIGNS
A social engineering attack intended to manipulate the thoughts and minds of large groups of people.
Hybrid warfare: Attack using a mixture of conventional and unconventional methods and resources to carry out the campaign.
Social media: May use multiple social platforms leveraging multiple/many individuals to amplify the message, influencing credibility. May involve creating multiple fake accounts to post content and seed the spread, and may even include paid advertising.

principles of social engineering
Authority: Citing position, responsibility, or affiliation that grants the attacker the authority to make the request.
Intimidation: Suggesting you may face negative outcomes if you do not facilitate access or initiate a process.
Consensus: Claiming that someone in a similar position or peer has carried out the same task in the past.
Scarcity (quantity): Limited opportunity, diminishing availability that requires we get this done in a certain amount of time, similar to urgency.

principles of social engineering
Familiarity (aka ‘liking’): Attempting to establish a personal connection, often citing mutual acquaintances, social proof.
Trust: Citing knowledge and experience, assisting the target with an issue, to establish a relationship.
Urgency: Time sensitivity that demands immediate action, similar to scarcity.

1.0 Threats, Attacks and Vulnerabilities
1.2 Given a scenario, analyze potential indicators to determine the type of attack
• Malware
  • Ransomware
  • Trojans
  • Worms
  • Potentially unwanted programs (PUPs)
  • Fileless virus
  • Command and control
  • Bots
  • Crypto-malware
  • Logic bombs
  • Spyware
  • Keyloggers
  • Remote access Trojan (RAT)
  • Rootkit
  • Backdoor
• Password attacks
  • Spraying
  • Dictionary
  • Brute force
    • Offline
    • Online
  • Rainbow table
  • Plaintext/unencrypted
• Physical attacks
  • Malicious Universal Serial Bus (USB) cable
  • Malicious flash drive
  • Card cloning
  • Skimming
• Adversarial artificial intelligence (AI)
  • Tainted training data for machine learning (ML)
  • Security of machine learning algorithms
• Supply-chain attacks
• Cloud-based vs. on-premises attacks
• Cryptographic attacks
  • Birthday
  • Collision
  • Downgrade

application attacks
Attacks attackers use to exploit poorly written software.
Rootkit (escalation of privilege): freely available on the internet and exploit known vulnerabilities in various operating systems, enabling attackers to elevate privilege.
Keep security patches up-to-date; anti-malware software, EDR/XDR.
Back Door: undocumented command sequences that allow individuals with knowledge of the back door to bypass normal access restrictions. Often used in development and debugging.
countermeasures: firewalls, anti-malware, network monitoring, code review

TYPES OF VIRUSES
Virus: a type of malicious code or program written to alter the way a computer operates and is designed to spread from one computer to another. A class of threat with many types.

TYPES OF VIRUSES
You should know key characteristic(s) of each for the exam!
Crypto-malware: Ransomware that encrypts files stored on a computer or mobile device in order to extort money.
Hoaxes: Virus hoaxes are a nuisance that result in wasted resources. Used to spread through “email from a friend” but have changed with social media.
Logic Bombs: Logic bombs are malicious code objects that infect a system and lie dormant until they are triggered by the occurrence of one or more conditions, such as time, program launch, website logon, etc.

TYPES OF VIRUSES
Trojan: a software program that appears good and harmless but carries a malicious, hidden payload that has the potential to wreak havoc on a system or network.
Good defense? 1) Only allow software from trusted sources. 2) Don’t let users install software.

Malware
Worm: a type of malware that spreads copies of itself from computer to computer, replicating itself without human interaction.
Potentially unwanted programs (PUPs): a program that may be an unwanted app, often delivered alongside a program the user wants. PUPs include spyware, adware, and dialers.
Keylogger: Designed to log keystrokes, creating records of everything you type on a computer or mobile keyboard.
Spyware: Malware designed to obtain information about an individual, system, or organization.
Fileless malware: a type of malicious software that does not rely on virus-laden files to infect a host. Instead, it exploits applications that are commonly used for legitimate and justified activity to execute malicious code in resident memory.
Command and control: a computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network.
Remote access Trojan (RAT): a malware program that gives an intruder administrative control over a target computer.

MOST COMMON ATTACKS
Ransomware: infects a target machine and then uses encryption technology to encrypt documents, spreadsheets, and other files stored on the system with a key known only to the malware creator.
The user is then unable to access their files and receives an ominous pop-up message warning that the files will be permanently deleted unless a ransom is paid within a short period of time.
Ransomware is a trojan variant.

ransomware countermeasures & prevention
There are a number of countermeasures and prevention techniques:
Countermeasures
- Back up your computer
- Store backups separately
- File auto-versioning
Cloud-hosted email and file storage ease this process.
Prevention
- Update and patch computers
- Use caution with web links
- Use caution with email attachments
- Verify email senders
- Preventative software programs
- User awareness training (Most important defense!)
AI-driven cloud services offer help with these.

©2022 Inside Cloud and Security. No reuse without written permission

Password attacks
Dictionary attack: Use programs with built-in dictionaries. They attempt all dictionary words to try and find the correct password, in the hope that a user would have used a standard dictionary word.
Effective countermeasures include MFA, biometric authentication, limiting the number of attempts, and forcing resets after a certain number of failed attempts.

Password attacks
Password spraying: a type of brute force attack.
Attacker tries a password against many different accounts to avoid lockouts that typically come when brute forcing a single account.
Succeeds when admin or application sets a default password for new users.
Effective countermeasures include MFA, CAPTCHA, and forcing password change on first login.

Password attacks
Offline: Attempt to discover passwords from a captured database or captured packet scan.
Online: Attempts to discover a password from an online system. For example, an attacker trying to log on to an account by trying to guess a user’s password. Most web and Wi-Fi attacks are online attacks.
Plaintext/unencrypted: Protocols and authentication methods that leave credentials unencrypted, like basic authentication and telnet.

Password attacks
Brute Force Attack: Attempts to randomly find the correct cryptographic key by attempting all possible combinations (trial and error).
Password complexity and attacker resources will determine effectiveness of this attack.
Rainbow tables and powerful compute resources make this attack more effective.
Effective countermeasures include cryptographic salts, CAPTCHA, throttling the rate of repeated logins, and IP blocklists.

Password attacks
Rainbow table: Attackers may use rainbow tables, which contain precomputed values of cryptographic hash functions, to identify commonly used passwords.
Cryptographic salt: A salt is random data that is used as an additional input to a one-way function that hashes data, a password or passphrase.
Adding salts to the passwords before hashing them reduces the effectiveness of rainbow table attacks.

multi-attack prevention
Multi-factor authentication (MFA) factors:
- Something you know (PIN or password)
- Something you have (trusted device)
- Something you are (biometric)
Prevents:
- Phishing
- Credential stuffing
- Spear phishing
- Brute force and reverse brute force attacks
- Keyloggers
- Man-in-the-middle (MITM) attacks

BOTS, BOTNETS, AND BOT HERDERS
Represent significant threats due to the massive number of computers that can launch attacks.
Botnet: a collection of compromised computing devices (often called bots or zombies).
Bot Herder: criminal who uses a command-and-control server to remotely control the zombies. Often use the botnet to launch attacks on other systems, or to send spam or phishing emails.

physical attacks
Malicious flash drive: Attack comes in two common forms: drives dropped where they are likely to be picked up, and sometimes effectively a trojan, shipped with malware installed after leaving the factory.
Malicious USB cable: Less likely to be noticed than a flash drive. May be configured to show up as a human interface device (e.g. keyboard). Less common because it requires dedicated engineering.

physical attacks
Card cloning and skimming:
Focuses on capturing info from cards used for access, like RFID and magnetic stripe cards.
Involve fake card readers or social engineering and handheld readers to capture (skim) cards, then clone them so the attacker may use them for their own purposes.
Device (skimmer) often installed at POS devices like ATMs and gas pumps.

adversarial artificial intelligence
A rapidly developing field targeting AI and ML.
Tainted training data for machine learning (ML): Data poisoning that supplies AI and ML algorithms with adversarial data that serves the attacker's purposes, or attacks against privacy.
Security of machine learning algorithms: Validate quality and security of the data sources. Secure infrastructure and environment where AI and ML is hosted. Review, test, and document changes to AI and ML algorithms.
Know the difference between AI & ML for the exam.

ARTIFICIAL INTELLIGENCE VS MACHINE LEARNING
Knowing the difference will help on the exam!
Artificial intelligence: Focuses on accomplishing “smart” tasks combining machine learning and deep learning to emulate human intelligence.
Machine learning: A subset of AI, computer algorithms that improve automatically through experience and the use of data.
Deep learning: a subfield of machine learning concerned with algorithms inspired by the structure and function of the brain called artificial neural networks.

supply chain attacks
A cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain.
Often attempt to compromise devices, systems, or software before it reaches an organization.
Sometimes focus on compromising a vulnerable vendor in the organization’s supply chain, and then attempting to breach the target organization. Known as an “island hopping” attack.
Supply chain attacks can have massive consequences for organizations upstream and downstream in the supply chain.

cloud-based vs on-premises attacks
Cloud-based:
Data center is often more secure and less vulnerable to disruptive attacks (like DDoS).
On the downside, you will not have facility-level or physical system-level audit access.
Changes (and limits) the attacks you will worry about.
On-premises:
You do not benefit from the cloud’s shared responsibility model.
You have more control but are responsible for security of the full stack.
Org has to defend against a wider range of attacks, with greater expense and effort to defend against them.

common cryptographic attacks
Collision: attack on a cryptographic hash to find two inputs that produce the same hash value. Beat with collision-resistant hashes.
Downgrade: when a protocol is downgraded from a higher mode or version to a low-quality mode or lower version. Commonly targets TLS.

common cryptographic attacks
Birthday: an attempt to find collisions in hash functions. Commonly targets digital signatures. Defeat with long hash output (to make it computationally infeasible).
Replay: an attempt to reuse authentication requests. Targets authentication (often Kerberos).
Defeat with date/time stamps.

1.0 Threats, Attacks and Vulnerabilities
1.3 Given a scenario, analyze potential indicators associated with application attacks
• Privilege escalation
• Cross-site scripting
• Injections
  • Structured query language (SQL)
  • Dynamic-link library (DLL)
  • Lightweight Directory Access Protocol (LDAP)
  • Extensible Markup Language (XML)
• Pointer/object dereference
• Directory traversal
• Buffer overflows
• Race conditions
  • Time of check/time of use
• Error handling
• Improper input handling
• Replay attack
  • Session replays
• Integer overflow
• Request forgeries
  • Server-side
  • Cross-site
• Application programming interface (API) attacks
• Resource exhaustion
• Memory leak
• Secure Sockets Layer (SSL) stripping
• Driver manipulation
  • Shimming
  • Refactoring
• Pass the hash

APPLICATION ATTACKS
Privilege escalation: A security hole created when code is executed with higher privileges than those of the user running it.

Request forgeries
A type of injection using malicious scripts.
Cross-site scripting (XSS): a client-side vulnerability.
A type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
Occur when an attacker uses a web application to send malicious code to a different end user.
Occur when web apps contain ‘reflected input’.
Countermeasures: Input validation and filtering. Validate data length AND data type. This filters out malicious input (like a <SCRIPT> tag).

Request forgeries
Exploits website trust to execute code.
Cross-site request forgery (XSRF or CSRF): similar to cross-site scripting attacks but exploits a different trust relationship.
Exploits trust a website has for your browser to execute code on the user’s computer.
Countermeasures: create web apps that use secure tokens, and sites that check the referring URL in requests to ensure it came from the local site!
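The two CSRF countermeasures named above (secure tokens and a referring-URL check), as an added example that is not part of the original slides. The host name `shop.example`, the session id and the function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions for this sketch (not from the slides): one server-side secret
# and one trusted site name. Both values are placeholders.
SERVER_SECRET = secrets.token_bytes(32)
TRUSTED_HOST = "shop.example"


def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> str:
    """Create a secure token tied to one session; the site embeds it in its own forms."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def token_is_valid(session_id: str, token) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not isinstance(token, str) or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())


def came_from_local_site(headers: dict) -> bool:
    """Check the referring URL with an exact host match, not a prefix or substring test."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # strict policy: no referring URL, no state change
    try:
        parts = urlsplit(source)
    except ValueError:
        return False
    return parts.scheme == "https" and parts.hostname == TRUSTED_HOST


def handle_transfer(session_id: str, headers: dict, form: dict) -> int:
    """Return an HTTP status code for a state-changing POST request."""
    if not came_from_local_site(headers):
        return 403
    if not token_is_valid(session_id, form.get("csrf_token")):
        return 403
    return 200


def demo() -> dict:
    """Run three constructed requests through the handler."""
    sid = "session-1234"  # constructed session id
    token = issue_token(sid)
    own_form = handle_transfer(sid, {"Origin": "https://shop.example"},
                               {"csrf_token": token, "amount": "10"})
    # A page on another site can make the browser send the session cookie,
    # but it cannot read the token, and the browser reports its real origin.
    cross_site = handle_transfer(sid, {"Origin": "https://other.example"},
                                 {"amount": "10"})
    # A look-alike host passes a naive "starts with" test but not an exact match.
    lookalike = handle_transfer(sid, {"Referer": "https://shop.example.other.example/pay"},
                                {"csrf_token": token, "amount": "10"})
    return {"own_form": own_form, "cross_site": cross_site, "lookalike": lookalike}


if __name__ == "__main__":
    print(demo())
```
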
injections (injection attacks)
Dynamic-link library (DLL): a situation in which the malware tries to inject code into the memory process space of a library using a vulnerable/compromised DLL.
Lightweight Directory Access Protocol (LDAP): exploits weaknesses in LDAP implementations. This can occur when the user’s input is not properly filtered, and the result can be executed commands, modified content, or results returned to unauthorized queries.
Extensible Markup Language (XML): when users enter values that query XML (known as XPath) with values that take advantage of exploits, it is known as an XML injection attack. XPath works in a similar manner to SQL, except that it does not have the same levels of access control, so exploits can return entire documents. The best defense is to filter the user’s input and sanitize it to make certain that it does not cause XPath to return more data than it should.

injections (injection attacks)
Improper input handling: used to compromise web front-end and backend databases.
SQL injection attacks: Use unexpected input to a web application to gain unauthorized access to an underlying database.
NOT new and can be prevented through good code practices.
Countermeasures: Input validation, use prepared statements, and limit account privileges.

pointer/object dereference
An attack that consists of finding null references in a target program and dereferencing them, causing an exception to be generated.
Dereferencing means taking away the reference and giving you what it was actually referring to.
The memory vulnerability that usually causes an application to crash, or a denial of service, is a NULL pointer dereference. In this case, there is nothing at that memory address to dereference (it is empty, or NULL) and the application crashes.
Good coding is the best protection. Code should check that a pointer is not NULL BEFORE dereferencing it.
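The three SQL injection countermeasures listed above (input validation, prepared statements, limited privileges), shown beside a deliberately vulnerable query; this is an added example, not part of the original slides. The table, the rows, the validation rule and the crafted input are constructed for the sketch, and SQLite's `query_only` pragma stands in for a low-privilege database account.

```python
import re
import sqlite3

# Validation rule assumed for this sketch: short, lowercase account names only.
NAME_RULE = re.compile(r"[a-z][a-z0-9_]{0,31}")

# Constructed input of the "unexpected input" kind: it closes the quoted
# string and appends a condition that is always true.
CRAFTED = "nobody' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """In-memory database with two constructed rows, then switched to read-only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@corp.example"), ("bob", "bob@corp.example")])
    conn.commit()
    # Stand-in for "limit account privileges": this connection can no longer write.
    conn.execute("PRAGMA query_only = ON")
    return conn


def lookup_concatenated(conn, name):
    """Deliberately vulnerable: user input becomes part of the SQL text."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_prepared(conn, name):
    """Prepared statement: the input is bound as data and never parsed as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def lookup_validated(conn, name):
    """Validate data type and length first, then use the prepared statement."""
    if not isinstance(name, str) or not NAME_RULE.fullmatch(name):
        raise ValueError("account name rejected by input validation")
    return lookup_prepared(conn, name)


def write_allowed(conn) -> bool:
    """Report whether this connection is able to modify the table."""
    try:
        conn.execute("INSERT INTO users VALUES ('carol', 'carol@corp.example')")
        return True
    except sqlite3.Error:
        return False
    finally:
        conn.rollback()


def demo() -> dict:
    conn = build_db()
    try:
        lookup_validated(conn, CRAFTED)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "concatenated": lookup_concatenated(conn, CRAFTED),  # every row leaks
        "prepared": lookup_prepared(conn, CRAFTED),          # no such user
        "validation_rejected": rejected,
        "normal_lookup": lookup_validated(conn, "alice"),
        "write_allowed": write_allowed(conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```
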
directory traversal
If an attacker is able to gain access to restricted directories through HTTP, it is known as a directory traversal attack.
One of the simplest ways to perform directory traversal is by using a command injection attack that carries out the action.
If successful, may allow attacker to get to site’s root directory.
Most vulnerability scanners will check for weaknesses with directory traversal/command injection and inform you of their presence.
To secure your system, you should run a scanner and keep the web server software patched.

Buffer overflows
Attacks attackers use to exploit poorly written software.
Buffer Overflow: exists when a developer does not validate user input to ensure that it is of an appropriate size (input that is too large can “overflow” a memory buffer).
Prevent with INPUT VALIDATION!

race conditions
A condition where the system's behavior is dependent on the sequence or timing of other uncontrollable events.
It becomes a bug when one or more of the possible behaviors is undesirable.
Time-of-Check-to-Time-of-Use (TOCTOU): a timing vulnerability that occurs when a program checks access permissions too far in advance of a resource request.
File locking, transactions in file system or OS kernel.

Related to input validation is error handling
Every function that has any meaningful functionality should have appropriate error handling.
Properly done, the user will simply see an error message box.
If a program crashes, it is a sign of poor error handling!
Error handling is an element of good coding practices.

common cryptographic attacks
Replay attack: an attempt to reuse authentication requests. Targets authentication (Kerberos a frequent target).
Session replay: an attacker steals a valid session ID of a user and reuses it to impersonate an authorized user and perform fraudulent transactions or activities.
Disallow session ID reuse in web apps.

integer overflow
Putting too much information into too small of a space that has been set aside for numbers.
A type of arithmetic overflow error when the result of an integer operation does not fit within the allocated memory space.
Instead of an error handled in the program, it usually causes the result to be unexpected.
Often lead to buffer overflows, and generally ranked as one of the most dangerous software errors.
Error messages may include ‘overflow’ or ‘arithmetic overflow’.
Countermeasures: Good coding practices, appropriate typing of variables, using larger variable types, like long (Java) or long int (C).

API attacks
Attempts to manipulate the application programming interface (API).
Include DDoS, Man in the Middle, and injection attacks focused on an API.
Goals are to gain additional resource or data access, or interrupt service.
Countermeasures: Transport Layer Security (TLS), OAuth, request timestamps, key/password hash.

resource exhaustion
A form of DoS attack (when intentional).
When an application continuously allocates additional resources, exhausting machine resources, leading the system to hang or crash.
When exploited, resource exhaustion vulnerabilities in apps, software, or system security cause them to hang, crash, or interfere with external programs performing their designated tasks properly.
Memory leaks can lead to resource exhaustion (see “memory leaks” in this session). However, these attacks can be executed by exhausting other resource subsystems, such as CPU, disk, or network.
Countermeasures: Good software development practices (e.g. preventing memory leaks), limiting what files and apps can be executed on endpoints.

memory leak
Which languages are susceptible?
Many modern programming languages (such as C# and Java) don’t allow the programmer to directly allocate or deallocate memory. Therefore, those programming languages are not prone to memory leaks.
However, certain older languages, most notably C and C++, give the programmer a great deal of control over memory management.
Cause
Memory leaks are usually caused by failure to deallocate memory that has been allocated.
A static code analyzer can check to see if all memory allocation commands (malloc, alloc, and others) have a matching deallocation command.

secure sockets layer (ssl) stripping
aka ‘SSL downgrading’. A technique by which a website is downgraded from HTTPS to HTTP.
This attack downgrades your connection from HTTPS to HTTP and exposes you to eavesdropping and data manipulation.
To execute an SSL strip attack, there must be three entities: victim’s system, secure web server, and attacker’s system.
In order to “strip” the TLS/SSL, an attacker intervenes in the redirection from HTTP to HTTPS and intercepts a request from the user to the server.
TLS has replaced SSL, so this attack affects TLS as well.
Countermeasures: Enable HTTPS on ALL pages of your website. Implement an HTTP Strict Transport Security (HSTS) policy, so the browser requires HTTPS.

driver manipulation
Shimming: A shim is a small library that is created to intercept API calls transparently and do one of three things: 1) handle the operation itself, 2) change the arguments passed, or 3) redirect the request elsewhere.
Involves creating a library (or modifying an existing one) to bypass a driver and perform a function other than the one for which the API was created.
Refactoring: The name given to a set of techniques used to identify the flow and then modify the internal structure of code without changing the code’s visible behavior.
In legitimate scenarios, this is done in order to improve the design, to remove unnecessary steps, and to create better code.
In malware, this is often done to look for opportunities to take advantage of weak code and look for holes that can be exploited.

pass the hash
Typically targets NTLM.
A technique whereby an attacker captures a password hash (as opposed to the password characters) and then passes it through for authentication and lateral access.
Pass-the-ticket targets Kerberos.
One primary difference between pass-the-hash and pass-the-ticket is ticket expiration.
Kerberos TGT tickets expire (10 hours by default) whereas NTLM hashes only change when the user changes their password.
A TGT ticket must be used within its lifetime, or it can be renewed for a longer period (7 days).
Countermeasures: Enforce least privilege access, analyze applications to determine which require admin privileges, use flexible policies that allow only trusted applications to run and in specific context.
“Credential Guard” in Windows 10 encrypts hash in memory, stopping this attack.

1.0 Threats, Attacks and Vulnerabilities
1.4 Given a scenario, analyze potential indicators associated with network attacks
• Wireless
  • Evil twin
  • Rogue access point
  • Bluesnarfing
  • Bluejacking
  • Disassociation
  • Jamming
  • Radio frequency identification (RFID)
  • Near-field communication (NFC)
  • Initialization vector (IV)
• On-path attack (previously known as man-in-the-middle attack/man-in-the-browser attack)
• Layer 2 attacks
  • Address Resolution Protocol (ARP) poisoning
  • Media access control (MAC) flooding
  • MAC cloning
• Domain name system (DNS)
  • Domain hijacking
  • DNS poisoning
  • Uniform Resource Locator (URL) redirection
  • Domain reputation
• Distributed denial-of-service (DDoS)
  • Network
  • Application
  • Operational technology (OT)
• Malicious code or script execution
  • PowerShell
  • Python
  • Bash
  • Macros
  • Visual Basic for Applications (VBA)

On-path (Man-in-the-middle) attack
Attacker sits in the middle between two endpoints and is able to intercept traffic, capturing (and potentially changing) information.
Fools both parties into communicating with the attacker (in between the two) instead of directly with each other.
Different versions of the attack exist, some affecting websites, email communications, DNS lookups, or Wi-Fi networks.
Countermeasures: only use secured Wi-Fi, VPN, HTTPS, and use multi-factor authentication.
Mobile and wireless attacks
Bluejacking (annoyance): pranksters push unsolicited messages to engage or annoy other nearby Bluetooth users through a loophole in Bluetooth messaging options.
Bluesnarfing (data theft): data theft using Bluetooth. Vulnerable devices are those using Bluetooth in public places with the device in discoverable mode.
Eavesdropping or hacking: developed a year after bluejacking, creates a backdoor attack before returning control of the phone to its owner.
To prevent, use long PIN, 2FA, and disable discovery mode.

Mobile and wireless attacks
Evil twin: A malicious fake wireless access point set up to appear as a legitimate, trusted network. Common in airports and coffee shops.
Disassociation: A type of DoS attack in which the attacker breaks the wireless connection between the victim device and the access point. Gives attacker a window to inject an evil twin.
Jamming: A DoS attack that prevents other nodes from using the channel to communicate by occupying the channel that they are communicating on. Can be difficult to detect & often unintentional.

Mobile and wireless attacks
RADIO FREQUENCY IDENTIFICATION (RFID): Vulnerable to several classes of attack, like sniffing (or eavesdropping), spoofing, cloning, replay, relay, and DoS attacks. RFID is commonly used in access badge systems.
NEAR FIELD COMMUNICATION (NFC): Built on RFID, often used with payment systems. Subject to many of the same vulnerabilities as RFID. The touch pay system at the grocery.
Initialization vector (IV) attack: modifies the initialization vector of an encrypted wireless packet during transmission. Enables attacker to compute the RC4 key stream generated by the IV used and decrypt all other packets. Fairly uncommon today (legacy).

DNS attacks
DNS poisoning: attacker alters the domain-name-to-IP-address mappings in a DNS system. May redirect traffic to a rogue system OR perform denial-of-service against a system.
DNS spoofing: attacker sends false replies to a requesting system, beating the real reply from the valid DNS server.
COUNTERMEASURES: allow only authorized changes to DNS, restrict zone transfers, verified forwarders and log all privileged DNS activity.

network attacks
Similar to DNS spoofing.
Can take the form of DNS spoofing or can simply be an alteration of the hyperlink URLs.
Is usually successful because people just click links!
Use same precautions used against DNS spoofing, and services that mask and test links in a detonation chamber.

network attacks
Denial-of-service (DoS): a resource consumption attack intended to prevent legitimate activity on a victimized system. These are a class of attacks.
Distributed denial-of-service (DDoS): a DoS attack utilizing multiple compromised computer systems as sources of attack traffic.
COUNTERMEASURES: firewalls, routers, intrusion detection (IDS), SIEM, disable broadcast packets entering/leaving, disable echo replies, patching

Types of DDoS attacks
Cloud service providers (MSFT, AWS) have DDoS protection built-in.
Network: volume-based attacks targeting flaws in network protocols, often using botnets, using techniques such as UDP, ICMP flooding, or SYN flooding (TCP-based).
Application: exploit weaknesses in the application layer (Layer 7) by opening connections and initiating process and transaction requests that consume finite resources like disk space and available memory.
Operational Technology (OT): Targets the weaknesses of software and hardware devices that control systems in factories, power plants, and other industries, such as IoT devices. Often target weaknesses using the network and application techniques described above.
COUNTERMEASURES: IDS, IPS, rate-limiting, firewall ingress/egress filters

NETWORK & DENIAL-OF-SERVICE
KNOW THE ORDER OF THE 3-WAY HANDSHAKE
It comes up commonly in discussions of TCP/IP-based network attacks!
1) SYN
2) SYN-ACK
3) ACK

network attacks
URL redirection: a vulnerability which allows an attacker to force users of your application to an untrusted external site.
Comes in multiple forms: parameter-based, session restoration, domain-based.

Services and tools provide info as to whether a domain is a trusted email sender or is a source of spam email. SPF and DMARC are all commonly used to ensure email comes from approved senders.

Network attacks

Involves an individual changing the domain registration information for a site without the original registrant’s permission.

COUNTERMEASURES: domain registration auto-renewal, privacy protection (blocking your name from WHOIS), a trusted domain provider.

Network attacks: Layer 2 attacks (OSI model)

• Forcing legitimate MAC table contents out of the switch and forcing a unicast flooding behavior. Potentially sends sensitive info to areas of the network where it is not normally intended to go.
• Sending ARP packets across the LAN that contain the attacker’s MAC address and the target’s IP address. Aka “ARP spoofing”.
• Duplicates the MAC address (hardware address) of a device, allowing the attacker to appear as a trusted device. Can be difficult to detect without additional info about the device.

Countermeasures: network access control (NAC) to provide a validation gate to network access.
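To make the three Layer 2 behaviors above concrete from the defender's side, the following added example (not part of the original deck) flags each one in a list of ARP observations. The log layout, field names, port names and the per-port MAC limit are assumptions made for the example, and the sample data is constructed.

```python
"""Flag three Layer 2 anomalies in ARP observations (constructed sample data)."""
import re
from collections import defaultdict

# Constructed sample: one line per ARP packet seen on a switch port.
# The line layout and field names are assumptions made for this example.
SAMPLE = (
    "t=1 port=Gi0/1 mac=00:11:22:aa:aa:01 ip=10.0.0.1\n"    # gateway
    "t=2 port=Gi0/2 mac=00:11:22:aa:aa:02 ip=10.0.0.20\n"   # workstation
    "t=3 port=Gi0/3 mac=00:11:22:AA:AA:03 ip=10.0.0.30\n"   # upper-case MAC
    "t=4 port=Gi0/7 mac=00:11:22:ee:ee:66 ip=10.0.0.1\n"    # second MAC for gateway IP
    "t=5 port=Gi0/9 mac=00:11:22:aa:aa:02 ip=10.0.0.20\n"   # same MAC on another port
    "t=6 garbage line that the parser must skip\n"
) + "".join(
    f"t={7 + i} port=Gi0/5 mac=02:00:00:00:{i:02x}:ff ip=10.0.9.{i}\n"
    for i in range(40)                                       # 40 new MACs on one port
)

LINE_RE = re.compile(
    r"t=(\d+) port=(\S+) mac=([0-9A-Fa-f:]{17}) ip=(\d{1,3}(?:\.\d{1,3}){3})"
)


def parse(text):
    """Return (time, port, mac, ip) tuples; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            t, port, mac, ip = m.groups()
            rows.append((int(t), port, mac.lower(), ip))
    return rows


def ips_with_multiple_macs(rows):
    """ARP spoofing symptom: one IP address claimed by more than one MAC."""
    seen = defaultdict(set)
    for _, _, mac, ip in rows:
        seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def macs_on_multiple_ports(rows):
    """Duplicated MAC symptom: one hardware address learned on several ports."""
    seen = defaultdict(set)
    for _, port, mac, _ in rows:
        seen[mac].add(port)
    return {mac: sorted(ports) for mac, ports in seen.items() if len(ports) > 1}


def ports_over_mac_limit(rows, limit=8):
    """MAC table flooding symptom: one port sourcing more MACs than the limit."""
    seen = defaultdict(set)
    for _, port, mac, _ in rows:
        seen[port].add(mac)
    return {port: len(macs) for port, macs in seen.items() if len(macs) > limit}


def report(text, limit=8):
    """Run all three checks. Findings are triage leads, not verdicts: failover
    pairs, virtual machines and downstream switches can trigger them too."""
    rows = parse(text)
    return {
        "ip_claimed_by_multiple_macs": ips_with_multiple_macs(rows),
        "mac_seen_on_multiple_ports": macs_on_multiple_ports(rows),
        "ports_over_mac_limit": ports_over_mac_limit(rows, limit),
    }


if __name__ == "__main__":
    for check, findings in report(SAMPLE).items():
        print(check, findings)
```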
Application attacks

Malicious code or scripts that are not malware. Commonly PowerShell, Python, Bash, macros, and VBA.

Comprehensive endpoint security (like XDR), spam/phishing defense, and user education are good countermeasures. Microsoft Defender Application Control and Attack Surface Reduction features are effective on Windows endpoints.

1.0 Threats, Attacks and Vulnerabilities

1.5 Explain different threat actors, vectors, and intelligence sources

• Actors and threats
  • Advanced persistent threat (APT)
  • Insider threats
  • State actors
  • Hacktivists
  • Script kiddies
  • Criminal syndicates
  • Hackers
    • Authorized
    • Unauthorized
    • Semi-authorized
  • Shadow IT
  • Competitors
• Attributes of actors
  • Internal/external
  • Level of sophistication / capability
  • Resources/funding
  • Intent/motivation
• Vectors
  • Direct access
  • Wireless
  • Email
  • Supply chain
  • Social media
  • Removable media
  • Cloud
• Threat intelligence sources
  • Open-source intelligence (OSINT)
  • Closed/proprietary
  • Vulnerability databases
  • Public/private information sharing centers
  • Dark web
  • Indicators of compromise
  • Automated Indicator Sharing (AIS)
  • Structured Threat Information eXpression (STIX)/Trusted Automated eXchange of Intelligence Information (TAXII)
  • Predictive analysis
  • Threat maps
  • File/code repositories
• Research sources
  • Vendor websites
  • Vulnerability feeds
  • Conferences
  • Academic journals
  • Request for comments (RFC)
  • Local industry groups
  • Social media
  • Threat feeds
  • Adversary tactics, techniques, and procedures (TTP)

©2022 Inside Cloud and Security. No reuse without written permission

Actors and threats

• Advanced Persistent Threat (APT). Skill: High. Conduct sophisticated series of related attacks taking place over an extended period of time. Typically well-organized, well-funded and highly skilled.
• Insider threats. Skill: Varies. People inside the targeted organization who are either responsible for the attack or are colluding with outsiders (who are responsible).
• State actors. Skill: High. Well-funded, often driving warfare conducted against information processing equipment and municipal services (water, power, etc.)
• Hacktivists. Skill: Varies, but often Medium-High. A group of hackers working together for a collectivist effort, usually on the behalf of some cause.
• Script kiddies. Skill: Low. Individuals who use hacking techniques but have limited skills. Often rely almost entirely on automated tools they download from the Internet.

Actors, threats, skill, funding, and motivation

• Criminal syndicates. Skill: High. A “structured” threat. Structured threats are conducted over a longer period of time, have more financial backing, and possibly help from insiders.
• Hackers. Skill: Med/High. Skilled actor falling into various categories: Unauthorized (malicious), Authorized (Good), Semi-authorized (usually finding but not exploiting).
• Shadow IT. Skill: Varies. The use of information technology systems, devices, software, applications, and services without explicit IT department approval, often done with good intentions.
• Competitors. Skill: Varies, but often Med/High. May encourage individuals within a competitive organization to steal/sell intellectual property.

DOMAIN 7: SECURITY OPERATIONS

Collusion, Fraud, Espionage, and Sabotage

Preventing fraud and collusion

Collusion is an agreement among multiple persons to perform some unauthorized or illegal actions.

• Separation of duties: a basic security principle that ensures that no single person can control all the elements of a critical function or system.
• Job rotation: employees are rotated into different jobs, or tasks are assigned to different employees.

Implementing these policies helps prevent fraud by limiting actions individuals can do without colluding with others.
Espionage & sabotage

• External: when a competitor tries to steal information, and they may use an internal employee.
• Insider: malicious insiders can perform sabotage against an org if they become disgruntled for some reason.

Attack vectors - Methods of attack

• Direct access. Physical access to facilities, hardware and infrastructure. Keylogger, flash drive common here. Countermeasures: physical security.
• Wireless. Unsecure access points, rogue access points, evil twin. Countermeasures: secure Wi-Fi networks.
• Emails. SPAM, phishing, ransomware, fake invoice scams. Countermeasures: user training, phishing simulations.
• Supply chain. Attack on vendors in an organization's supply chain, sometimes as a precursor to direct attack. Countermeasures: vendor screening.
• Social media. Individuals who use hacking techniques but have limited skills. However, does factor in hybrid warfare. Countermeasures: acceptable use policies.
• Cloud. Unsecure apps, misconfigured infrastructure, shadow IT. Countermeasures: CASB and config management.

Threat intelligence sources

Open-source intelligence (OSINT): Enables orgs to conduct cyber-threat intelligence gathering free of charge. Sources include threatcrowd.org, openphish.com.
Closed/proprietary: You may see these vendor-specific threat intelligence feeds limited to paying customers, which are intended to keep customers informed and secure, while not tipping off threat actors (hackers).

Vulnerability databases, such as www.shodan.io, allow you to search for vulnerabilities. The National Institute of Standards and Technology (NIST) maintains a comprehensive database of vulnerabilities. This is the National Vulnerability Database, and it keeps within that database a list of CVEs, or Common Vulnerabilities and Exposures.

Threat intelligence sources

Public/private information sharing centers: Programs, groups, and feeds designed to share cyber intelligence in various forms with government and commercial organizations around the world. The Cybersecurity and Infrastructure Security Agency (CISA), an agency of the US federal government, maintains a list of information sharing centers at https://www.cisa.gov/information-sharing-and-awareness .

Dark web: This is an overlay to the existing internet that requires specialized software to be able to access these private websites. There’s extensive information to gather from the dark web, including the activities of hacker groups.

Indicators of compromise: sometimes called “threat indicators”, these are “pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.”

Threat intelligence sources: sources of shared threat intelligence

SIEM solutions can often ingest threat intelligence feeds.

Automated Indicator Sharing (AIS): a Cybersecurity and Infrastructure Security Agency (CISA) capability that enables the real-time exchange of machine-readable cyber threat indicators and defensive measures. It’s provided free to help protect participants of the AIS community and ultimately reduce the prevalence of cyberattacks.
Find it at https://www.cisa.gov/ais

Trusted Automated eXchange of Intelligence Information (TAXII): short for Trusted Automated eXchange of Intelligence Information, defines how real-time cyber threat information can be shared via services and message exchanges.

Structured Threat Information eXpression (STIX): TAXII is designed specifically to support STIX information, which it does by defining an API that aligns with common sharing models. Created by MITRE, maintained by OASIS.

Threat intelligence sources

Predictive analysis: Leverages predictive intelligence, a mix of automation and human intelligence capabilities, to optimize your cybersecurity program and gradually build capacity to predict and prevent attacks before they hit.

Threat maps: A cyber threat map, also known as a cyber attack map, is a real-time map of the computer security attacks that are going on at any given time. Find cyber threat maps from Fortinet, FireEye and others in the Top 8 Cyber Threat Maps.

File/code repositories: Google searching code repositories on sources like GitHub can show you what threat actors are using. For example, full source code of Mimikatz is available at https://github.com/ParrotSec/mimikatz. If you’re using open-source software for your business, know that hackers often review popular open-source apps looking for vulnerabilities.

Research sources

Vendor websites: There's usually a page on a vendor's website where they keep track of all of the known vulnerabilities. Often, there's some type of notification process so they can inform you immediately when a new vulnerability is discovered.

Vulnerability feeds: It's common to supplement vulnerability databases with third-party feeds from other organizations. You might roll up all of those vulnerability feeds into one central vulnerability management system.
Conferences: These are great events to network with experts, hear talks often based on experiences of others, and even hear from members of product teams talking in-depth about security of their app or service.

Research sources

Offer information about attack types and how others have responded or recovered from them. Available from a variety of government, education, and community sources, often peer-reviewed (usually results in higher quality)!

EXAMPLES:
• Oxford Academic Journal of Cybersecurity: https://academic.oup.com/cybersecurity
• MDPI Switzerland: https://www.mdpi.com/journal/jcp

Research sources

A publication in a series, from the principal technical development and standards-setting bodies for the Internet, most prominently the Internet Engineering Task Force (IETF).

An RFC is authored by individuals or groups of engineers and computer scientists in the form of a memorandum describing methods, behaviors, research, or innovations applicable to the working of the Internet and Internet-connected systems.

The IETF adopts some of the proposals published as Internet Standards. However, many are informational or experimental in nature and are not standards.

RFCs have become official documents of Internet specifications, communications protocols, procedures, and events.
Research sources: learning from your peers and community experts

Local industry groups: You’ll find local interest groups or user groups around cybersecurity (and many related topics) where you can learn from your peers and experts in your local community.

Social media:
• Hackers often publish recent vulnerabilities on Twitter.
• Security interest groups and certification study groups on LinkedIn.
• Video learning content on YouTube on cybersecurity certification, concepts, and entertainment.

Research sources

An automated threat feed that delivers information about the most important threats you need to know about.

Tactics, Techniques, and Procedures: the behaviors, methods, tools and strategies that cyber threat actors and hackers use to plan and execute cyber attacks on business networks. TTPs are the “why” and “how” of cyber attacks, and provide guidance on response and prevention.

1.0 Threats, Attacks and Vulnerabilities

1.6 Explain the security concerns associated with various types of vulnerabilities

• Cloud-based vs. on-premises vulnerabilities
• Zero-day
• Weak configurations
  • Open permissions
  • Unsecure root accounts
  • Errors
  • Weak encryption
  • Unsecure protocols
  • Default settings
  • Open ports and services
• Third-party risks
  • Vendor management
  • System integration
  • Lack of vendor support
  • Supply chain
  • Outsourced code development
  • Data storage
• Improper or weak patch management
  • Firmware
  • Operating system (OS)
  • Applications
• Legacy platforms
• Impacts
  • Data loss
  • Data breaches
  • Data exfiltration
  • Identity theft
  • Financial
  • Reputation
  • Availability loss

Cloud-based vs. on-premises vulnerabilities

A few examples:

User awareness training is the best defense. One type of vulnerability is an untrained user. It only takes one person to cause a breach.

For IT, training and formal processes: change and release mgmt, infrastructure-as-code. An improperly configured account or service can be a significant vulnerability in either model.
Many cloud platforms have built-in tooling to alert on current misconfigurations, open configurations, least privilege concerns, etc.

On-premises will be more susceptible to disruptive attacks at scale, like DDoS. CSPs have many infrastructure, process, and training advantages.

[Figure: Shared responsibility model across On-premises, IaaS, PaaS and SaaS, split between CSP and customer: responsibility always retained by customer, responsibility varies by service type, responsibility transfers to cloud provider. Image courtesy of Microsoft.]

[Figure: Better security in the cloud? Cloud-enabled vs. on-premises; unique business value.]

Additional attacks and concepts

An attack that uses a vulnerability that is either unknown to anyone but the attacker or known only to a limited group of people. Basic security practices can often prevent! Today, AI, ML, and UEBA driven antivirus, SIEM, IDPS, and EDR/XDR solutions offer some defense.

Weak configurations

Open permissions: Configurations that have greater than necessary permissions, failing to implement least privilege. Unsecure default configurations, lack of standards, and human error are frequently factors. Prevent with DevOps, Infra-as-Code, change and release mgmt.

Unsecure root accounts: Root accounts with default or weak passwords, or without an elevation gate (like sudo). Similar issues have been common on Windows in the past.

Errors: Humans are the weakest link in cybersecurity. Researchers from Stanford University found that approximately 88 percent of all data breaches are caused by an employee mistake.

Open ports and services: Open ports and running services that are not actually being used increase the attack surface and risk of breach.

Weak configurations

Weak encryption: Choosing strong encryption is key here. Some cipher suites are easier to crack than others.
Deprecated cryptographic algorithms often remain in production beyond their recommended lifespan.

Unsecure protocols (TELNET, SNMP v1 and v2, FTP): Most networks involve equipment (such as servers, routers, and switches) that support communication protocols that lack security features. Unsecure protocols allow attackers and hackers to easily have access to your data and even to remote controls.

Default settings (often a process issue in business scenarios): Every device that you put on your network to manage has a default username and a default password. Often, the defaults are open and available for anybody to use (Wi-Fi and IoT). Botnets and offensive security tools will find and exploit devices with weak default settings still in place.

Third-party risks

• Vendor may end support for legacy application versions before an organization is ready to support dependent business processes on another platform. For apps beyond mainstream support, security patches may be expensive or unavailable entirely.
• Source code storage and access control will be important. Development workstations and environments must be secured to the organization’s standards. (Managed virtual desktop)
• Sensitive data stored in vendor repositories, such as cloud services, needs to be secured, access managed, and usage monitored.

Third-party risks

Supply chain (one impacted customer can result in service impact): Supply chain security has become a significant concern for organizations. Includes suppliers, manufacturers, distributors, and customers. A breach at any link in the supply chain can result in business impact.

Vendor management (risk of “island hopping attack”): Many orgs are reducing the number of vendors they work with and requiring stricter onboarding procedures. Vendors may be required to submit to an external audit and agree to strict communication and reporting requirements in event of potential breach.
System integration (potential for increased risk of insider attack): System integration partners working on systems often have privileged remote or physical access, necessitating security measures and process controls.

Improper or weak patch management

• Commonly overlooked in IoT devices and other embedded systems, like VoIP phones.
• Windows has historically been (and continues to be) the biggest target. In the age of the smartphone, mobile systems are a common target of threat actors. (Not rooted, min OS version, and managed)
• In many environments, non-Microsoft applications (commonly called third-party apps) get overlooked for patching, due in part to many management tools (and software vendors) not offering the same level of automation.

Legacy applications that might require an outdated version of an operating system. May run aging business-critical applications for which staff to manage is difficult to find.

Isolation, attack surface reduction, and patching (if possible) are important to minimize exposure of legacy vulnerabilities.

Lack of vendor support for legacy apps poses a risk. end-of-life date, security updates may no longer be available.

Sandboxing, the process of isolating legacy apps, such as in a VM, can be an effective approach.

Impacts

• Exposure of sensitive data, such as customer data, is the first in a long line of consequences of an attack.
• When a company suffers a data breach and it is known to the public, it can cause damage to their brand as they lose the respect of the public.
• Your domain reputation is dependent on the type of emails you send out. An attack that results in spam from your domain can affect your domain reputation and perhaps result in it being blacklisted.
• Disruptive attacks like DDoS and ransomware can impact an organization's ability to conduct business, including revenue-producing activities.

Impacts

• Identity theft can have far-reaching consequences for affected individuals. If any data held on a customer is stolen and then used for identity theft, the company can be sued for damages.
• Data breaches could result in lost revenue AND regulatory fines. With GDPR, the max fine is 20 million euros or 4% of the company's annual global turnover, whichever is greater.
• IP theft could result in copyrighted material, trade secrets, and patents being stolen by competitors, resulting in a loss of revenue. This data could be used in countries where a legal route to recover your data would be impossible.

1.0 Threats, Attacks and Vulnerabilities

1.7 Summarize the techniques used in security assessments

• Threat hunting
  • Intelligence fusion
  • Threat feeds
  • Advisories and bulletins
  • Maneuver
• Vulnerability scans
  • False positives
  • False negatives
  • Log reviews
  • Credentialed vs. non-credentialed
  • Intrusive vs. non-intrusive
  • Application
  • Web application
  • Network
  • Common Vulnerabilities and Exposures (CVE)/Common Vulnerability Scoring System (CVSS)
  • Configuration review
• Syslog/Security information and event management (SIEM)
  • Review reports
  • Packet capture
  • Data inputs
  • User behavior analysis
  • Sentiment analysis
  • Security monitoring
  • Log aggregation
  • Log collectors
• Security orchestration, automation, and response (SOAR)

Threat hunting

A dynamic process of seeking out cybersecurity threats inside your network from attackers and malware threats.

Intelligence Fusion (involves industry and government): Fusion centers in the US and abroad play an important role in countering cyber threats, attacks, and crime through gathering, analyzing, and sharing threat information.
Threat Feeds: Threat intelligence feeds enable organizations to stay informed about indicators of compromise (IoCs) related to various threats that could adversely affect the network.

Advisories and Bulletins: Advisories and security bulletins provide good advice on how to keep your company safe. The advisories tend to be released by government-funded agencies. Bulletins tend to be released by vendors or private companies.

Maneuver: A cybersecurity maneuver refers to a company's efforts to defend itself by disguising its systems, thereby making it difficult for an attacker to successfully infiltrate.

Vulnerability scans

A vulnerability scan assesses possible security vulnerabilities in computers, networks, and equipment that can be exploited.

• False Positive: where the scan believes that there is a vulnerability but when physically checked, it is not there.
• False Negative: when there is a vulnerability, but the scanner does not detect it.
• True Positive: this is where the results of the system scan agree with the manual inspection.
• Log Reviews: following a vulnerability scan, it is important to review the log files/reports that list any potential vulnerabilities.

Vulnerability scans

• Credentialed Scan: A credentialed scan is a much more powerful version of the vulnerability scanner. It has higher privileges than a non-credentialed scan. Spots vulnerabilities that require privilege, like non-expiring PWs.
• Non-Credentialed Scan: A non-credentialed scan has lower privileges than a credentialed scan. It will identify vulnerabilities that an attacker would easily find.
Scans can find missing patches, some protocol vulnerabilities.

Vulnerability scans

• Non-Intrusive Scans: These are passive and merely report vulnerabilities. They do not cause damage to your system.
• Intrusive Scans: Can cause damage as they try to exploit the vulnerability and should be used in a sandbox and not on your live production system.
• Configuration Review: Configuration compliance scanners and desired state configuration in PowerShell ensure that no deviations are made to the security configuration of a system.

The combination of techniques can reveal which vulnerabilities are most easily exploitable in a live environment.

Vulnerability scans

• Network Scans: These scans look at computers and devices on your network and help identify weaknesses in their security.
• Application Scans: Before applications are released, coding experts perform regression testing that will check code for deficiencies.
• Web Application Scans: Crawl through a website as if they are a search engine looking for vulnerabilities. Perform an automated check for site/app vulnerabilities, such as cross-site scripting and SQL injection. Also know the difference between SAST and DAST for the exam.

There are many sophisticated web application scanners available, due in part to mass adoption of cloud computing.

Vulnerability scans

Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (CVSS)

• CVSS is the overall score assigned to a vulnerability. It indicates severity and is used by many vulnerability scanning tools.
• CVE is simply a list of all publicly disclosed vulnerabilities that includes the CVE ID, a description, dates, and comments.

The CVSS score is not reported in the CVE listing – you must use the National Vulnerability Database (NVD) to find assigned CVSS scores.
The CVE list feeds into the NVD. The National Vulnerability Database (NVD) is a database, maintained by NIST, that is synchronized with the MITRE CVE list.

SIEM and SOAR

Uses AI, ML, and threat intelligence.

• Security Information Event Management: system that collects data from many other sources within the network. Provides real-time monitoring, analysis, correlation & notification of potential attacks.
• Security Orchestration, Automation, & Response: centralized alert and response automation with threat-specific playbooks. Response may be fully automated or single-click.

Many providers deliver these capabilities together.

Syslog/Security information and event management (SIEM)

• SIEM has built-in log collector tooling that can collect information from both the syslog server and multiple other servers. An agent is placed on the device that can collect log information, parse and restructure data, and pass it to the SIEM for aggregation. Ingestion may be via an agent, syslog, or API.
• Can correlate and aggregate events so that duplicates are filtered and a better understanding of network events is achieved to help identify potential attacks.
• Can capture packets and analyze them to identify threats as soon as they reach your network, providing immediate alert to the security team if desired.
• The SIEM system collects a massive amount of data from various sources. May include network devices, IDM, MDM, CASB, XDR, and more.

Syslog/Security information and event management (SIEM)

• This is based on the interaction of a user that focuses on their identity and the data that they would normally access on a normal day. It tracks the devices that the user normally uses and the servers that they normally visit. Artificial intelligence and machine learning to identify attacks.
• Cybersecurity sentiment analysis can monitor articles on social media, look at the text and analyze the sentiment behind the articles. Over time, can identify a user's attitudes to different aspects of cybersecurity.
• Real-time protection and event monitoring system that correlates the security events from multiple resources, identifies a breach, and helps the security team to prevent the breach. UEBA, AI, ML, and threat intel feeds all factor here.

ARTIFICIAL INTELLIGENCE VS MACHINE LEARNING (from section 1.2)

Knowing the difference will help on the exam!

• Focuses on accomplishing “smart” tasks combining machine learning and deep learning to emulate human intelligence.
• A subset of AI, computer algorithms that improve automatically through experience and the use of data.
• A subfield of machine learning concerned with algorithms inspired by the structure and function of the brain called artificial neural networks.

Syslog/Security information and event management (SIEM)

A SIEM typically includes a dashboard and collects reports that can be reviewed regularly to ensure that the policies have been enforced and that the environment is compliant. Also highlight whether the SIEM system is effective and working properly. Are incidents raised true positives? False positives may arise because the wrong input filters are being used or the wrong hosts monitored.

For the exam, know the difference between UEBA, machine learning, AI, and deep learning.

Security orchestration, automation, and response (SOAR)

Tooling that allows an organization to define incident analysis and response procedures in a digital workflow format. Integrates your security processes and tooling in a central location.

[Diagram: Log collection, SIEM, SOAR, SOC]

• Response automation, using machine learning and artificial intelligence. These make it faster than humans in identifying and responding to true incidents. Reduces MTTD and accelerates response.
• Uses playbooks that define an incident and the action taken. Capabilities vary by situation & vendor.
• Over time, should produce faster alerting and response for the SOC team.
1.0 Threats, Attacks and Vulnerabilities

1.8 Explain the techniques used in penetration testing

• Penetration testing
  • Known environment
  • Unknown environment
  • Partially known environment
  • Rules of engagement
  • Lateral movement
  • Privilege escalation
  • Persistence
  • Cleanup
  • Bug bounty
  • Pivoting
• Passive and active reconnaissance
  • Drones
  • War flying
  • War driving
  • Footprinting
  • OSINT
• Exercise types
  • Red-team
  • Blue-team
  • White-team
  • Purple-team

Penetration testing CONCEPTS

• Known environment (white box test): the penetration tester is given a map of target systems and networks. They go into the test with substantial/full information of the target systems and networks.
• Unknown environment (black box test): the penetration tester knows nothing about target systems and networks. They go into the test completely blind and build out the database of everything they find as they go.
• Partially known environment (grey box test): limited information is shared with the tester, sometimes in the form of login credentials. Simulates the level of knowledge that a hacker with long-term access to a system would achieve through research and system footprinting.
• Rules of engagement: Rules of engagement define the purpose of the test, and what the scope will be for the people who are performing this test on the network. They ensure everyone will be aware of what systems will be considered, date and time, and any constraints all should be aware of.

Penetration testing CONCEPTS

• Lateral movement: Gaining access to an initial system, then moving to other devices on the inside of the network.
• Privilege escalation: A security hole created when code is executed with higher privileges than those of the user running it. Generally, a higher-level account, but in some cases, it is a horizontal privilege escalation where a user gains access to another user's resources.
• Persistence: in the context of penetration testing, refers to the tester's ability to achieve a persistent presence in the exploited system, long enough for a bad actor to gain in-depth access. Enabling the ability to reconnect to the compromised host and use it as a remote access tool.

Penetration testing

• Cleanup: The final stage of a penetration test, in which all work done during the testing process is cleaned up / removed.
• Bug bounty: A monetary reward given to ethical hackers for successfully discovering and reporting a vulnerability or bug to the application's developer. Bug bounty programs allow companies to leverage the hacker community to continuously improve their systems’ security posture over time.
• Pivoting: Also known as island hopping, a compromised system is used to attack another system on the same network following the initial exploitation. If the compromise is introduced at a different time than the attack, then it is said to involve persistence.

Passive and active reconnaissance

Passive reconnaissance: one is not interacting directly with the target and, as such, the target has no way of knowing, recording, or logging activity.

• War driving: Gathering wireless network information while driving around the streets of the city.
• Drones: Can be leveraged in multiple ways for passive reconnaissance, from assessing physical security to gathering wireless network information.
• War flying: Combines war driving with a drone and simply floats above all of these organizations to gather wireless details. Enables accumulation of information like SSID or wireless network names, and encryption status of these networks.
• OSINT: Much of this information in the open source can be categorized as open-source intelligence or OSINT. The data that you can gather through these open sources is extensive.
A site that gives you a base of information that you can gather is available at https://osintframework.com

©2022 Inside Cloud and Security. No reuse without written permission

Active reconnaissance: Interacts directly with the target in some way and, as such, the target may discover, record, or log these activities.

Footprinting (includes active and passive methods): An ethical hacking technique used to gather as much data as possible about a specific targeted computer system, infrastructure, and networks to identify opportunities to penetrate them.

Active footprinting
• Ping sweep
• Tracert analysis
• Nmap
• Extracting DNS information

Passive footprinting
• Browsing target website
• Google search (Google hacking)
• Performing WHOIS lookup
• Visiting social media profiles

Penetration testing

Red Team (offense): Internal or external entities dedicated to testing the effectiveness of a security program by emulating the tools and techniques of likely attackers in the most realistic way possible.

Blue Team (defense): The internal security team that defends against both real attackers and Red Teams.

Purple Team (process improvement): Exists to ensure and maximize the effectiveness of the Red and Blue teams.

White Team (judge / referee): Responsible for overseeing an engagement/competition between a Red Team of mock attackers and a Blue Team of actual defenders.
DOMAIN 2

2.0 Architecture and Design

2.1 Explain the importance of security concepts in an enterprise environment
(enterprise = large and complex)

• Configuration management
    • Diagrams
    • Baseline configuration
    • Standard naming conventions
    • Internet protocol (IP) schema
• Data sovereignty
• Data protection
    • Data loss prevention (DLP)
    • Masking
    • Encryption
    • At rest
    • In transit/motion
    • In processing
    • Tokenization
    • Rights management
• Geographical considerations
• Response and recovery controls
• Secure Sockets Layer (SSL)/Transport Layer Security (TLS) inspection
• Hashing
• API considerations
• Site resiliency
    • Hot site
    • Cold site
    • Warm site
• Deception and disruption
    • Honeypots
    • Honeyfiles
    • Honeynets
    • Fake telemetry
    • DNS sinkhole

DOMAIN 2: CONFIGURATION MANAGEMENT

Can prevent security-related incidents and outages.

Configuration Management: ensures that systems are configured similarly, and that configurations are known and documented.

Baselining: ensures that systems are deployed with a common baseline or starting point. Imaging is a common baselining method.

Change Management: helps reduce outages or weakened security from unauthorized changes. Requires changes to be requested, approved, tested, and documented.

Versioning: uses a labeling or numbering system to track changes in updated versions of software.

DOMAIN 2: CONFIGURATION MANAGEMENT

Diagrams: Detailed diagrams show the relationship of all the interconnected devices, ensuring the security team has visibility of the security in place.

Standard Naming Conventions: A standard naming convention makes identifying device type (router, server, printer) easier. Naming prefixes (e.g. rtr, svr, prt) can help.

Asset Management: Maintain an up-to-date asset register to ease the process of tracking and maintaining assets.
    Scan for unknown devices, ensure devices are patched.

Baseline Configurations: It is vital that each type of device being placed on the network has a secure baseline configuration.
    Image-based deployment, infrastructure-as-code (IaC).

Firewall Rules: Firewalls can be used to block traffic, and we can use either an MDM solution or group policy to change the configuration on endpoint devices.
    Standardize and automate configuration (IaC).

DOMAIN 2: CONFIGURATION MANAGEMENT

Mobile Device Management (MDM): An MDM solution can be used to push configuration changes to mobile devices.
    Min iOS/Android version, 6-digit PIN, no rooted devices, app management.

Content Filter/URL Filter: Blocking harmful content with filtering appliances like Unified Threat Management (UTM) or Next Generation (NG) firewalls.
    UTM bundles features (URL, email, AV, IPS). NG firewalls use threat intel feeds.

Update or Revoke Certificates: Certificates facilitate authentication and secure connectivity (TLS/HTTPS web, IPSec VPN connectivity). Track certificate expiration and ensure minimum TLS version support.

IP Schema: Use network segmentation to reduce broadcast traffic and enable filtering/restricting traffic to subnets containing sensitive resources. Matching resources to specific segments maximizes data and resource security.
    IP subnetting, port filtering.

Security concepts

Data Sovereignty: Digital data is subject to the laws and regulations of the country in which it was created. It cannot be moved to another region, even for a backup-related reason.

Data is subject to the laws of where it is stored, which can bring significant legal implications. Moving data out of the EU does not remove GDPR requirements!

A company's Legal department should be consulted to offer guidance on the legal impact of geography on data sovereignty.
DOMAIN 2: SECURITY CONCEPTS

Confidentiality is often protected through encryption (at rest and in transport).
We cover cryptography in section 2.8 of this video.

DATA PROTECTION

Tokenization: where meaningful data is replaced with a token that is generated randomly, and the original data is held in a vault.
    Stateless, stronger than encryption, keys not local.

Pseudonymization: a de-identification procedure in which personally identifiable information (PII) fields within a data record are replaced by one or more artificial identifiers, or pseudonyms.
    Reversal requires access to another data source.

DOMAIN 2: DATA PROTECTION

Masking: when only partial data is left in a data field. For example, a credit card may be shown as **** **** **** 1234.
    Commonly implemented within the database tier, but also possible in code of frontend applications.

Data Loss Prevention (DLP): a way to protect sensitive information and prevent its inadvertent disclosure.
    Can identify, monitor, and automatically protect sensitive information in documents.
    DLP reports show content that matches the organization's DLP policies.
    Policies can typically be applied to email, SharePoint, cloud storage, and in some cases, even databases.

Protecting data at rest

How can we encrypt different types of data at rest?

Storage Service Encryption: CSP storage providers usually protect data at rest by automatically encrypting before persisting it to managed disks, Blob Storage, file, or queue storage.
    CSPs usually encrypt by default.

Full Disk Encryption: helps you encrypt Windows and Linux IaaS VM disks using BitLocker (Windows) and the dm-crypt feature of Linux to encrypt OS and data disks.

Transparent data encryption (TDE): Helps protect SQL Database and data warehouses against the threat of malicious activity with real-time encryption and decryption of database, backups, and transaction log files at rest without requiring app changes.
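The tokenization and masking definitions above, shown side by side in an added example that is not part of the original slides: a random token stands in for the card number and only the vault can map it back, while masking keeps just the last four digits. `TokenVault`, `mask_pan`, `build_order_record` and the sample card number are hypothetical names and constructed data, and the in-memory dictionary stands in for a separately secured vault service.

```python
import secrets


def normalize_pan(pan: str) -> str:
    """Strip separators and check the value looks like a card number."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return digits


def mask_pan(pan: str) -> str:
    """Masking: keep only the last four digits; the rest cannot be recovered."""
    digits = normalize_pan(pan)
    masked = "*" * (len(digits) - 4) + digits[-4:]
    # Group in fours for display, e.g. **** **** **** 1234
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


class TokenVault:
    """Stand-in for a token vault: the only place token and original meet."""

    def __init__(self):
        self._by_token = {}  # token -> original value
        self._by_value = {}  # original value -> token, so repeats reuse one token

    def tokenize(self, pan: str) -> str:
        digits = normalize_pan(pan)
        if digits in self._by_value:
            return self._by_value[digits]
        # The token is random, so it has no mathematical relationship to the
        # card number and there is no key that could reverse it.
        while True:
            token = "tok_" + secrets.token_hex(8)
            if token not in self._by_token:
                break
        self._by_token[token] = digits
        self._by_value[digits] = token
        return token

    def detokenize(self, token: str, caller_authorized: bool) -> str:
        # caller_authorized is a placeholder for a real access-policy check.
        if not caller_authorized:
            raise PermissionError("caller may not detokenize")
        if token not in self._by_token:
            raise KeyError("unknown token")
        return self._by_token[token]


def build_order_record(vault: TokenVault, order_id: int, pan: str) -> dict:
    """What the application database stores: a token and a masked display value."""
    return {
        "order_id": order_id,
        "card_token": vault.tokenize(pan),
        "card_display": mask_pan(pan),
    }


if __name__ == "__main__":
    vault = TokenVault()
    sample_pan = "4000 0000 0000 1234"  # constructed sample value
    record = build_order_record(vault, 1001, sample_pan)
    print(record)  # holds no card number, only the token and the masked form
    print(vault.detokenize(record["card_token"], caller_authorized=True))
```

A copy of the order record alone gives an attacker nothing to decrypt; recovering the card number requires access to the vault as well.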
Protecting data at rest

Trusted Platform Module (TPM): is on the motherboard and is used to store the encryption keys, so when the system boots it can compare keys and ensure that the system has not been tampered with.

Hardware Root of Trust: When using certificates for FDE, they use a hardware root of trust that verifies that the keys match before the secure boot process takes place.

Self-encrypting drives (SED): The OPAL storage specification is the industry standard for self-encrypting drives. This is a hardware solution, and typically outperforms software-based alternatives. They don't have the same vulnerabilities as software and therefore are more secure.

SEDs are Solid State Drives (SSDs) and are purchased already set to encrypt data at rest. The encryption keys are stored on the hard drive controller. They are immune to a cold boot attack and are compatible with all operating systems.

SED is effective in protecting the data on lost or stolen devices (such as a laptop). Only the user and vendor can decrypt the data.

Protecting data in motion

How can we encrypt different types of data in motion?

Data in motion is most often encrypted using TLS or HTTPS. This is typically how a session is encrypted before a user enters credit card details.
    While similar in function, TLS has largely replaced SSL.

Protecting data in use / in processing

How can we encrypt different types of data in use?

Data in use / in processing occurs when we launch an application such as Microsoft Word or Adobe Acrobat. Apps are not running the data from the disk drive but running the application in random access memory (RAM). This is volatile memory, meaning that, should you power down the computer, the contents are erased.
    Data "in use" is sometimes called data "in processing".

Protecting secrets

A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, tokens, or cryptographic keys.

Password access management solutions (PAM): centralized secure storage and access for application secrets.
    This is a common component in DevOps and DevSecOps.
    Enterprise solutions typically offer policy-based access controls and programmatic access to secrets.

Digital Rights Management (DRM)

Allows content owners to enforce restrictions on the use of their content by others.
    Commonly protects entertainment and media content, such as music, movies, and e-books.
    Occasionally found in the enterprise, protecting sensitive information stored in documents.

Information Rights Management (IRM)

IRM programs enforce data rights, provisioning access, and implementing access control models.
    For example, Microsoft's IRM provides policy-based control over data.
    Can be used to block specific actions, like print, copy/paste, download, and sharing.
    Can provide file expiration so that documents can no longer be viewed after a specified time.
    This is a continually evolving space, and Microsoft and other vendors offer multiple avenues for protecting data.

Geographic considerations

Considerations for data, systems, services, and personnel.

Distance. While the fastest site to restore service is a hot site, a site hundreds of miles away is impractical/inconvenient in some respects.

Location selection. The location of the hot site is critical to speed of data, system, and service recovery.
    Considerations for personnel may vary.
    Should be far enough away to ensure recoverability in the event of a natural disaster (hurricane, tornado).

Off-site backups. When we back up our data, physical backup media (like tapes) should be stored in a fire-proof safe offsite.
Similarly, disk-based backups should be stored offsite in a cloud or other secure remote repository.
    Cloud services are a common solution.

How CSPs handle site failover
• Geographies
• Regions
• Region pairs (chosen by cloud service provider, 300+ miles)

RESPONSE AND RECOVERY CONTROLS

Read-through test: You distribute copies of incident response plans to the members of the incident response team for review. Team members then provide feedback about any updates needed to keep the plan current.

Structured walkthrough (aka "tabletop exercise"): Members of the disaster recovery team gather in a large conference room and role-play a disaster scenario. Usually, the exact scenario is known only to the test moderator, who presents the details to the team at the meeting. The team members refer to the document and discuss the appropriate responses to that particular type of disaster.
    These exercises are 'all talk'.

Simulation test: Similar to structured walk-through, except some of the response measures are then tested (on non-critical functions).
    This one involves some form of 'doing'.

Enterprises need these controls to minimize service interruption and coordinate recovery at scale with appropriate security.

SECURING TRAFFIC

Standards for encrypted messages include the S/MIME protocol and Pretty Good Privacy (PGP).

The de facto standard for secure web traffic is the use of HTTP over Transport Layer Security (TLS), largely replacing the older SSL.

The IPsec protocol standard provides a common framework for encrypting network traffic and is built into many common operating systems.

HASHING VS ENCRYPTION

Encryption: Encryption is a two-way function; what is encrypted can be decrypted with the proper key.

Hashing: a one-way function that scrambles plain text to produce a unique message digest.
    No way to reverse if properly designed.

HASH FUNCTION REQUIREMENTS

Good hash functions have five requirements:
1. They must allow input of any length.
2. Provide fixed-length output.
3. Make it relatively easy to compute the hash function for any input.
4. Provide one-way functionality.
5. Must be collision free.

MODERN COMPUTE & SECURITY

An API is a set of exposed interfaces that allow programmatic interaction between services.

REST uses the HTTPS protocol for web communications to offer API endpoints.

Security mechanisms include API gateway, authentication, IP filtering, throttling, quotas, and data validation.

Also ensure that storage, distribution, and transmission of access keys is performed in a secure fashion.

RECOVERY SITE TYPES

Three primary types of recovery sites:

Cold site (cost = LOW, effort = HIGH)
    Description: A "recovery" cold site is essentially just data center space, power, and network connectivity that's ready and waiting for whenever you might need it.
    To recover: If disaster strikes, your engineering and logistical support teams can readily help you move your hardware into the data center and get you back up and running.

Warm site (cost = MEDIUM, effort = MEDIUM)
    Description: A "preventative" warm site allows you to pre-install your hardware and preconfigure your bandwidth needs.
    To recover: If disaster strikes, all you have to do is load your software and data to restore your business systems.

Hot site (cost = HIGH, effort = LOW)
    Description: A "proactive" hot site allows you to keep servers and a live backup site up and running in the event of a disaster. You replicate your production environment in that data center.
    To recover: This allows for an immediate cutover in case of disaster at your primary site. A hot site is a must for mission critical sites.

Deception and disruption

Lure bad people into doing bad things. Lets you watch them.

Only ENTICE, not ENTRAP. You are not allowed to let them download items with "Enticement".
A group of honeypots is called a honeynet.

For example, allowing download of a fake payroll file would be entrapment.

Goal is to distract from real assets and isolate in a padded cell until you can track them down.

Honeypot (honeypot, padded cell, pseudo flaws): a system that often has pseudo flaws and fake data to lure intruders.
    Lures and distracts attackers. As long as attackers are in the honeypot, they are not in the live network, and admins can observe.
    Some IDPS systems have the ability to transfer attackers into a padded cell after detection.

Deception and disruption

Honeyfile: a decoy file deceptively named so it attracts the attention of an attacker.

Fake telemetry: When security teams/tools send false information back to an attacker spotted using offensive security tools, like port scanners.
    A honeypot can be used to examine the attack methods that hackers use to help direct fake telemetry response.

Deception and disruption

A DNS Blacklist can be created on a firewall so that it can identify malicious traffic trying to gain access to your network.

DNS sinkhole: Protects users by intercepting DNS requests attempting to connect to known malicious domains and returning a false address.
    Notice how tools in this section work together? The false (or controlled) address can point to a sinkhole server in a honeypot.

2.0 Architecture and Design

2.2 Summarize virtualization and cloud computing concepts
(Summarize = Explain)

• Cloud models
    • Infrastructure as a service (IaaS)
    • Platform as a service (PaaS)
    • Software as a service (SaaS)
    • Anything as a service (XaaS)
    • Public
    • Community
    • Private
    • Hybrid
• Cloud service providers
• Managed service provider (MSP) / managed security service provider (MSSP)
• On-premises vs. off-premises
• Fog computing
• Edge computing
• Thin client
• Containers
• Microservices/API
• Infrastructure as code
• Software-defined networking (SDN)
• Software-defined visibility (SDV)
• Serverless architecture
• Services integration
• Resource policies
• Transit gateway
• Virtualization
    • Virtual machine (VM) sprawl avoidance
    • VM escape protection

COMPARE CLOUD MODELS & SERVICES

SHARED RESPONSIBILITY MODEL

[Figure: shared responsibility model. Columns: On-premises (100% yours), IaaS, PaaS, SaaS. Rows: Applications, Data, Runtime, Middleware, OS, Virtualization, Servers, Storage, Networking. Legend (responsible): CSP, Customer, Shared.]

For free cybersecurity exam prep content, follow Inside Cloud and Security on YouTube!

CLOUD MODELS & SERVICES - IAAS

CSP provides building blocks, like networking, storage, and compute.
CSP manages staff, HW, and datacenter.

Examples: Azure Virtual Machines, Amazon EC2, GCP Compute Engine.
CLOUD MODELS & SERVICES - PAAS

Customer is responsible for deployment and management of apps.
CSP manages provisioning, configuration, hardware, and OS.

Examples: Azure SQL Database, API Management, Azure App Service.

CLOUD MODELS & SERVICES - SAAS

Customer has some responsibility in access management and data recovery.
Customer just configures features. CSP is responsible for management, operation, and service availability.

DESCRIBE CLOUD CONCEPTS

Describe the differences between Public, Private and Hybrid cloud models

Benefits of Cloud Computing: Cloud is cost-effective, global, secure, scalable, elastic, and always current.
Describe cloud concepts

Describe the differences between Public, Private and Hybrid cloud models

Public Cloud: Everything runs on your cloud provider's hardware.
    Advantages include scalability, agility, PAYG, no maintenance, and low skills.

Private Cloud: A cloud environment in your own datacenter.
    Advantages include legacy support, control, and compliance.

Hybrid Cloud: Combines public and private clouds, allowing you to run your apps in the right location.
    Advantages include flexibility in legacy, compliance, and scalability scenarios.
Cloud models

Anything as a Service (XaaS): describes the range of other cloud -aaS offerings, from Desktop-aaS or Backup-aaS, to any new -aaS offerings that appear.

Community cloud: a collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, etc).
    May be managed by members or a 3rd party.

CSP and MSSP

Cloud Service Provider (CSP): entities that resell cloud services to customers.
    May provide infrastructure, software, VMs, and other services (IaaS, PaaS, SaaS, etc.).
    May also provide day-to-day management.

Managed Security Service Provider (MSSP): maintains the security environment for companies.
    May manage firewalls, IDPS, and SIEM systems, and other security services and infrastructure.
    May provide an outsourced security operations center (SOC) and incident response.

ON-PREMISES and OFF-PREMISES

On-premises servers are the traditional enterprise computing model. A business purchases and maintains its own servers, located in a secure, climate-controlled room onsite.

Moving to cloud shifts some responsibilities to the CSP.
Shifts IT spending from capital expense (CAPEX) to operational expense (OPEX).

Know the advantages of cloud and on-premises for the exam. Covered in the "cloud models" content in this video.

MODERN COMPUTE & SECURITY

Some compute operations require processing activities to occur locally, far from the cloud.
Common in various Internet-of-things scenarios, like agricultural, science/space, military.
All the processing of data storage is closer to the sensors rather than in the cloud data center.
With large network-connected device counts in varied locations, data encryption, spoofing protection, and authentication are key.

MODERN COMPUTE & SECURITY

Complements cloud computing by processing data from IoT devices.
Often places gateway devices in the field to collect and correlate data centrally at the edge.
Generally, brings cloud computing nearer to the sensor to process data closer to the device.
Important to speed processing time and reduce dependence on cloud/Internet connectivity.
    Mission critical situations (healthcare).

MODERN COMPUTE & SECURITY

A thin client is a client that has limited resources that are insufficient to run applications. It connects to a server and processes the application on the server's resources.
    May be a purpose-built device or PC with client app/software.

MODERN COMPUTE & SECURITY

Containers: A lightweight, granular, and portable way to package applications for multiple platforms.
    Examples include Docker and Kubernetes.
    Reduces overhead of server virtualization by enabling containerized apps to run on a shared OS kernel. Containers don't have their own OS!
    Share many concerns of server virtualization: isolation at host, process, network, and storage levels.
    Can be used in some cases to isolate existing applications developed to run in a VM with a dedicated operating system.

MODERN COMPUTE & SECURITY

SOA is the creation of discrete services that may be accessed by users in a black box fashion.

Microservices are fine-grained services with a discrete function, a modern adaptation of SOA to cloud computing.

Code-level vulnerabilities should be identified early in the development lifecycle. Static code analysis and dynamic testing incorporated early in the CI/CD process can identify deficiencies before release.

MODERN COMPUTE & SECURITY

An API is a set of exposed interfaces that allow programmatic interaction between services.

REST uses the HTTPS protocol for web communications to offer API endpoints.

They are loosely coupled and can be reused when creating applications.
Cloud service providers (CSP) offer multiple security controls, with some 3rd parties adding accounting features.
    Recommended security controls are mentioned briefly in section 2.1 in this video.

Infrastructure as Code (IaC)

Infrastructure as code is the management of infrastructure (networks, VMs, load balancers, and connection topology) described in code.

Just as the same source code generates the same binary, code in the IaC model results in the same environment every time it is applied.

IaC is a key DevOps practice and is used in conjunction with continuous integration and continuous delivery (CI/CD).
    IaC is very common (the standard) in the cloud.

Software Defined Networks (SDN)

A network architecture approach that enables the network to be intelligently and centrally controlled, or 'programmed,' using software, and has capacity to reprogram the data plane at any time.
    Use cases include SD-LAN and SD-WAN.
    Separating the control plane from the data plane opens up a number of security challenges.
    SDN vulnerabilities can include man-in-the-middle (MITM) attacks and denial of service (DoS). Secure with TLS!

Software Defined Visibility (SDV)

Provides visibility of the network traffic use.
    Can collect and aggregate network traffic data and provide better reports to the network admins.
    May extend the capabilities of a platform so that it can programmatically tie together security tools.
    Can increase the effectiveness of multi-tiered security architecture in stopping data loss and theft.

Cloud computing concepts

Serverless architecture: a cloud computing execution model where the cloud provider dynamically manages the allocation and provisioning of servers.
    Hosted as a pay-as-you-go model based on use. Example: Function-as-a-service.
    Resources are stateless, servers ephemeral and often capable of being triggered.

Services integration: Provisioning of multiple business services is combined with different IT services to provide a single business solution.
How is SERVERLESS different from PAAS in terms of responsibility?

PaaS
• More control over deployment environment
• Application has to be configured to auto-scale
• Application takes a while to spin up

Serverless
• Devs have to write code
• No server management
• Less control over deployment environment
• Application scales automatically
• Application code only executes when invoked

Cloud computing concepts

Resource policies: policies that state what level of access someone has to data or a particular resource.
    Most CSPs have solutions to automate enforcement.

Transit gateway: a network hub that acts as a regional virtual router to interconnect virtual private clouds (VPC) and VPN connections.

DOMAIN 2: VIRTUALIZATION

Server virtualization: the process of dividing a physical server into multiple unique and isolated virtual servers by means of a software application (hypervisor).
    Related concepts indicate server virtualization is the focus.

VM escape: where an attacker gains access to a VM, then attacks either the host machine that holds all VMs, the hypervisor, or any of the other VMs.
    Protection: ensure patches on hypervisor and VMs are always up to date, and guest privileges are low. Server-level redundancy and HIPS/HIDS protection are also effective.

VM sprawl: when unmanaged VMs have been deployed on your network. Because IT doesn't know it is there, it may not be patched and protected, and is thus more vulnerable to attack.
    Avoidance: enforcement of security policies for adding VMs to the network, as well as periodic scanning to identify new virtualization hosts.

2.0 Architecture and Design

2.3 Summarize secure application development, deployment, and automation concepts
(CI/CD (DevOps)! and DevSecOps)

• Environment
    • Development
    • Test
    • Staging
    • Production
    • Quality assurance (QA)
• Provisioning and deprovisioning
• Integrity measurement
• Secure coding techniques
• Normalization
• Stored procedures
• Obfuscation/camouflage
• Code reuse/dead code
• Server-side vs. client-side execution and validation
• Memory management
• Use of third-party libraries and software development kits (SDKs)
• Data exposure
• Open Web Application Security Project (OWASP)
• Software diversity
• Compiler
• Binary
• Automation/scripting
    • Automated courses of action
    • Continuous monitoring
    • Continuous validation
    • Continuous integration
    • Continuous delivery
    • Continuous deployment
• Elasticity
• Scalability
• Version control

ENVIRONMENT

Secure environments for development, testing, and staging before moving the application into production are necessary. Environments map to phases of application development, debugging, testing, and release.

Development (DEV). Where the application is initially coded, often through multiple iterations (versions).

Testing (TESTING). Where developers integrate all of their work into a single application. Regression testing to ensure functionality is as expected.

Staging (STAGING). Where we ensure quality assurance before we roll it out to production. QA happens here!

Production (PROD). Where the application goes live, and end-users have the support of the IT team.

APPLICATION DEVELOPMENT

Provisioning: the process of making an application or service available.
    May also refer to the lifecycle of designing, preparing, creating, and managing the applications.

Deprovisioning: occurs when the application meets its end of life.
    Should be deprovisioned in accordance with local regulations, such as HIPAA or GDPR.

APPLICATION DEVELOPMENT

Integrity measurement: the measuring and identification of changes to a system, away from its expected or baseline value.
    Ensures that the application performs as it should and conforms to data industry standards and regulations.
    Code updates should be regression tested to ensure functionality is intact and no security vulnerabilities exist. The result is a secure baseline configuration.
    Should be performed regularly to ensure applications and systems have not drifted from the security baseline.

SECURE CODING TECHNIQUES

Secure coding techniques should address conditions that may result in vulnerabilities that can be exploited by attackers.

Normalization: Each database has a list of tables that are broken down into rows and columns. In a large relational database, data may be retained in multiple places. The goal of normalization is to reduce and eliminate redundancy to make fewer indexes per table and make searching faster.

Stored Procedures: A stored procedure is reusable, prepared SQL code (T-SQL). When apps use stored procedures, it will provide the required information while ensuring an attacker will not be able to modify the code it contains.

Obfuscation/Camouflage: the process of obscuring source code so that if it was stolen, it could not be interpreted or reverse engineered by the attacker. XOR and ROT 13 can be used to mask data, and steganography can be used to hide or camouflage the source code.

Code Reuse/Dead Code: When developing a new application, a developer may start with previously developed code and then modify it for the new application.
    Reuse is good if code is high quality.
    Dead code is code that is never executed but may consume resources and increase attack surface. Dead code should be removed!
Server-side vs client-side execution and validation
Server-side (backend): databases, application servers, and domain controllers are known as server-side or backend servers. C# and .NET are server-side programming languages.
Client-side (frontend): validation happens on the client, in the browser. JavaScript and HTML5 are client-side languages.

Memory management
Code should be written to minimize memory consumption and return memory to the system when no longer needed. Failure to manage memory in code may result in memory leaks.

Use of third-party libraries and SDKs
Third-party libraries can speed development time, but may provide users with greater access than desired, and may come with security vulnerabilities!
An SDK is a set of software development tools that a vendor creates to make application development easier.

Data exposure
Masking is common for credit card and password data. Sensitive data should be encrypted to prevent it from being stolen by attackers, and sometimes masked even to the user. Data allocation to a user should be limited. Protect through input validation and data protection techniques.

XOR (IN SECURE CODING)
Used to mask, obfuscate, or camouflage source code.
The Exclusive-OR option (XOR, also known as binary addition), used in cryptology, sounds more complicated than it actually is: a function of flipping bits in a simple, systematic fashion.

Original Value   Key Value   Cipher Value
1                1           0
1                0           1
0                1           1
0                0           0

Binary values match = 0, otherwise cipher value is 1.

OWASP (OPEN WEB APP SECURITY PROJECT)
A non-profit foundation (relies on donations). Organization that provides an up-to-date list of the most recent web application security concerns: the “OWASP TOP 10”.
Mission is to improve software security through open-source initiatives and community education.
- Tools, news, and information
- Community and networking
- Education and training

Application development
Creation of software that’s different on each user endpoint/device.
Techniques include dynamic paths in compiler at compile time.
Results in a binary that is slightly different on every endpoint.
Minimizes attack surface if vulnerability is discovered.
Makes the process of exploiting a software vulnerability more difficult for attackers.

Automation/scripting
Processes designed to carry out tasks automatically without the need for human intervention.
Continuous integration (CI): The process where multiple software developers consolidate and test their code to ensure functionality is as expected. Happens in the Testing environment.
Continuous delivery (CD): The process of fixing bugs before the application moves into production. Generally happens in the Staging environment.
Continuous deployment (CD): The process of pushing out new updates into production software, such as new versions, patches, and bugfixes.
In DevOps, these concepts are referred to as “CI/CD”.
Continuous validation: Testing the to make sure that it is fit for its purpose and fulfills the user's requirements, and security requirements are met. Helps ensure application and system updates do not introduce new security vulnerabilities.

Elasticity
The ability of a system to automatically grow and shrink based on app demand.

For free cybersecurity exam prep content, follow Inside Cloud and Security on YouTube!

Scalability
The ability of a system to handle growth of users or work.

Application development
As updates are released, major or minor version numbers are updated.
Ensures newer and older versions of the software can be identified.
Allows security team to track security vulnerabilities and vendor support.
Versions typically factor in vendor support statements. Vendor may only support current and X previous versions.

2.0 Architecture and Design
2.4 Summarize authentication and authorization design concepts
• Authentication methods
  • Directory services
  • Federation
  • Attestation
  • Technologies
  • Time-based one-time password (TOTP)
  • HMAC-based one-time password (HOTP)
  • Short message service (SMS)
  • Token key
  • Static codes
  • Authentication applications
  • Push notifications
  • Phone call
  • Smart card authentication
• Biometrics
  • Fingerprint
  • Retina
  • Iris
  • Facial
  • Voice
  • Vein
  • Gait analysis
  • Efficacy rates
  • False acceptance
  • False rejection
  • Crossover error rate
• Multifactor authentication (MFA) factors and attributes
  • Factors
    • Something you know
    • Something you have
    • Something you are
  • Attributes
    • Somewhere you are
    • Something you can do
    • Something you exhibit
    • Someone you know
• Authentication, authorization, and accounting (AAA)
• Cloud vs. on-premises requirements

Authentication methods
Time-based One-Time Password
• is based on HOTP but where the moving factor is time instead of the counter.
• uses time in increments called the timestep, which is usually 30 or 60 seconds.
• each OTP is valid for duration of the timestep.
HMAC-based One-Time Password aka “HOTP”
• uses a keyed-hash message authentication code, or an HMAC.
• relies on two pieces of info: the seed, a secret known only by the token and validating server; the second is a moving factor, a counter.

• one-time password provided on a hardware or software token generator. Authenticator apps are a common software solution for token keys.
• a static set of numbers and letters to provide for authentication. A password or passphrase is an example of an alphanumeric static code.
• a credit-card-sized token that contains a certificate and is used for authentication in conjunction with a PIN.
Generally requires physical proximity to or insertion into a reader.

Authentication applications
“Authenticator apps” are software-based authenticators that implement two-step verification services using the Time-based One-time Password algorithm and HMAC-based One-time Password algorithm, for authenticating users of software applications. Examples include Microsoft Authenticator and Google Authenticator.
Authenticator apps from companies like Microsoft and Google generate one-time passcodes using open standards developed by the Initiative for Open Authentication (OATH). You’ll hear HMAC and TOTP tokens called OATH tokens with some of these providers.

Push notifications
Where the server is pushing down the authentication information to your mobile device. Uses the mobile device app to be able to receive the pushed message and display the authentication information.

SMS
This is used as an additional layer of security where the user is authenticated, and an SMS message is sent to the user’s mobile phone.

Phone call
You could also use a phone call to perform the same type of function. Instead of having an app, an automated process calls you. You then respond with a PIN or other input via voice or keypad.

SMS and phone are less desirable (considered less secure) than authenticator apps and biometrics.

DOMAIN 2: CONFIGURATION MANAGEMENT
One of the conditions to access corporate resources may require the access request originate from an approved, managed device.
Attestation is the process of confirming the device (laptop, mobile device, etc.) is an approved device compliant with company policies.
Remote attestation involves checks that occur on a local device and are reported to a verification server, as with an MDM solution.
Generally, includes validation of a unique identifier for the hardware that confirms the device is known.
Device attestation is common in zero trust architecture.

AUTHENTICATION METHODS
• used to store, retrieve, and manage information about objects, such as user accounts, computer accounts, mail accounts, and information on resources.
LDAP is a common protocol for a directory service (used by Microsoft Active Directory Domain Services).
• is coupled with an authentication service to authenticate entities (users, computers, etc.) attempting to access resources.
Kerberos is an example of a protocol for authentication (used by Microsoft Active Directory Domain Services).

Describe the concept of federated services
• is a collection of domains that have established trust.
The level of trust may vary, but typically includes authentication and almost always includes authorization.
Often includes a number of organizations that have established trust for shared access to a set of resources.
You can federate your on-premises environment with Azure Active Directory (Azure AD) and use this federation for authentication and authorization.
This sign-in method ensures that all user authentication occurs on-premises.
Allows administrators to implement more rigorous levels of access control (certificate authentication, key fob, card token).

[Figure: identity federation (example), with Twitter and Azure AD as the labelled providers. idP-A trusts idP-B. The user authenticates with idP-B, which may be cloud or on-premises. The website (app or services) authenticates with idP-A. Shared access between user and website.]
Trust is not always bi-directional.

Biometrics
A method of authentication using an individual’s physical characteristics, which are unique to the individual.
Fingerprint Scanner: Fingerprint scanners are now very common, and used not only in MFA, but various travel, financial, and legal situations.
Retina Scanner: With appropriate lighting, the retina can be accurately identified as the blood vessels of the retina absorb light more readily than the surrounding tissue.
Iris Scanner: Confirms the identity of the user by scanning of their iris. Both retina and iris scanners are physical devices.
Voice Recognition: The voice patterns can be stored in a database and used for authentication.
Facial Recognition: Looks at the shape of the face and characteristics such as mouth, jaw, cheekbone, and nose. Light and angle/direction can be a factor, especially in software. Microsoft facial recognition, called Windows Hello, was released with Windows 10. It uses a special USB infrared camera and, as such, is better than other facial recognition programs that can have problems with light.
Vein: Using blood vessels in the palm can be used as a biometric factor of authentication.
Gait Analysis: Gait is the way an individual walks. Identification and/or authentication using gait is possible even with lower resolution video.

Biometrics
A false acceptance occurs when an invalid subject is authenticated (Type 2 error). Sometimes called a false positive authentication.
A false rejection occurs when a valid subject is rejected (Type 1 error). Sometimes called a false negative authentication.
False rejection is undesirable, but false acceptance is worse.
For the exam, remember FAR = false acceptance rate and FRR = false rejection rate.

Biometrics
Biometric methods identify users based on characteristics such as fingerprints.
The crossover error rate (CER) identifies the accuracy of a biometric method. It shows where the false rejection rate is equal to the false acceptance rate.
To move the CER higher or lower, you can increase or decrease the sensitivity of the biometric device.

Multifactor authentication (MFA)
MFA works by requiring two or more of the following authentication methods:
• Something you know (PIN or password)
• Something you have (trusted device)
• Something you are (biometric)
[Figure labels: Authenticator app, Voice call, SMS (text msg), OATH HW token]

MFA factors and attributes
• includes two or more authentication factors.
• more secure than using a single authentication factor.
Passwords are the weakest form of authentication; password policies help increase their security by enforcing complexity and history requirements.
Smartcards include microprocessors and cryptographic certificates.
Tokens create one-time passwords.
Biometric methods identify users based on individual characteristics such as fingerprints and facial recognition.

MFA FACTORS AND ATTRIBUTES
Somewhere you are: Your expected location, such as the company office, your home or home city.
Something you can do: Such as writing your signature.
Something you exhibit: The personalized manner you perform an action, such as your gait (the way you walk).
Someone you know: Responding to challenge with knowledge of a characteristic of a specific individual you know.

AAA protocols
Several protocols provide centralized authentication, authorization, and accounting services.
Network Access Server is a client to a RADIUS server, and the RADIUS server provides AAA services.
RADIUS uses UDP and encrypts the password only.
TACACS+ uses TCP and encrypts the entire session.
Diameter is based on RADIUS and improves many of the weaknesses of RADIUS, but Diameter is not compatible with RADIUS.
Network access (or remote access) systems use AAA protocols.
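The HOTP and TOTP schemes described in the authentication methods slides above (a shared seed plus a moving factor, either a counter or a timestep), as an added Python example that is not part of the original deck. It follows the OATH specifications RFC 4226 and RFC 6238; the function names, the one-step drift window and the replay check are assumptions of this example, and the seed is the published RFC test value, not a real secret.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a server-side verifier.

Added illustration; names and the drift/replay policy are assumptions.
"""
import hashlib
import hmac
import struct
import time

# Constructed sample seed: the ASCII test secret from the RFC 4226 test vectors.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """One-time password from the shared seed and a moving counter."""
    # HMAC-SHA-1 over the counter encoded as an 8-byte big-endian integer.
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Keep the low decimal digits and preserve leading zeros.
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, at=None, timestep: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP where the moving factor is the number of elapsed timesteps."""
    now = time.time() if at is None else at
    return hotp(seed, int(now // timestep), digits)


def verify_totp(seed: bytes, submitted: str, at=None, timestep: int = 30,
                digits: int = 6, drift_steps: int = 1, last_used_step: int = -1):
    """Return the matching timestep number, or None if the code is rejected.

    drift_steps tolerates clock skew between token and server.
    last_used_step is the step of the last accepted code for this user;
    rejecting steps at or below it stops a captured code being replayed
    inside its validity window.
    """
    now = time.time() if at is None else at
    current = int(now // timestep)
    for step in range(current - drift_steps, current + drift_steps + 1):
        if step < 0 or step <= last_used_step:
            continue
        expected = hotp(seed, step, digits)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return step
    return None


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(DEMO_SEED, 0))
    code = totp(DEMO_SEED, at=59)
    print("TOTP at t=59s :", code)
    step = verify_totp(DEMO_SEED, code, at=59)
    print("accepted at step", step)
    print("replay result  :", verify_totp(DEMO_SEED, code, at=59, last_used_step=step))
```

The server stores the returned step as the user's new `last_used_step`, which is what makes each code single-use.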
CLOUD vs ON-PREMISES
Considerations and differences between authentication in the cloud or on-premises.
On-Premises
The perimeter of on-premises location is easy to establish and control.
Proximity cards (badge system), and security guards at a reception can also control access to the company.
Does not always assume Internet access is available.
In the Cloud
Internet access is assumed to authenticate and connect to cloud resources.
With the adoption of cloud computing, the security perimeter is no longer confined to the on-premises environment.
A zero-trust model is recommended (nothing trusted by default).

[Figure: conditional access, enforcing “conditions of access”: signal > decision > enforcement. Image credit: Microsoft]

2.0 Architecture and Design
2.5 Given a scenario, implement cybersecurity resilience
• Redundancy
  • Geographic dispersal
  • Disk
    • Redundant array of inexpensive disks (RAID) levels
    • Multipath
  • Network
    • Load balancers
    • Network interface card (NIC) teaming
  • Power
    • Uninterruptible power supply (UPS)
    • Generator
    • Dual supply
    • Managed power distribution units (PDU)
• Replication
  • Storage area network
  • VM
• On-premises vs. cloud
Implement = choose the right option for a scenario

Disk redundancy
RAID (Redundant Array of Inexpensive Disks) is a technology that is used to increase the performance and/or reliability of data storage with two or more drives working in parallel.
RAID Levels
• RAID 0 – striping
• RAID 1 – mirroring
• RAID 5 – striping with parity
• RAID 6 – striping with double parity
• RAID 10 – combining mirroring and striping
Replication to another site for availability through site failures.
In the cloud, this will come down to choosing a disk/storage tier/SKU.
For storage: Multipathing, aka SAN multipathing or I/O multipathing, is the establishment of multiple physical routes between a server and the storage device that supports it.
You are not expected to know the details of RAID levels for the exam.
Network redundancy
Methods for building redundancy into network connectivity for systems and services.
Network Interface Card (NIC) Teaming
Dual network cards, paired together to give maximum throughput. Should one adapter fail, the other can ensure the server or client maintains network connectivity. Windows and Linux support teaming.
Load Balancers
Can balance multiple types of traffic across multiple servers. Includes logic to determine server availability. Often used for web (HTTPS) traffic but support other protocols. Can help maintain service availability in cyber attack scenarios.

POWER redundancy
Uninterruptible Power Supply (UPS)
Essentially a battery that is a standby device so that when primary power fails, it provides power. Designed to keep connected systems running for a limited period of time, enabling graceful system shutdown. Also used to clean up the power coming from the grid, eliminating spikes, surges, and voltage fluctuations. Protects systems and data from damage.
Generator
A standby power source that is powered by diesel, gasoline, propane, or natural gas. When power from the grid fails, can be started to provide electricity for an extended period of time. Used by hospitals, data centers, and other facilities hosting critical services. Provides sustained alternate power source to support continued operation.
Dual Supply
Most servers will have a dual power supply so that if one power supply fails, then the other power supply keeps the server running.
Managed Power Distribution Units (PDUs)
Generally, a device that provides multiple power outlets (for power cable plugs). A managed PDU includes network connectivity for remote connection and management of the power outlets. Distributes clean power to multiple, critical network resources, such as servers, routers, switches, and data centers.

Replication
Method wherein data is copied from one location to another.
(on-premises)
Storage Area Network (SAN): A hardware device that contains a large number of fast disks, such as Solid-State Drives (SSDs), usually isolated from the LAN on its own network.
Host Bus Adapters (HBAs): Connects servers to storage device. Using two HBAs with each node provides multiple paths.
SAN Fabric: A collection of servers, storage, switches, and other devices. Redundant SAN fabrics would enable more robust redundancy: SAN nodes with one HBA connected to Fabric 1 and the other to Fabric 2.
Data replication between SAN fabrics can provide service-level resilience.

Virtual Machine (VM) Replication
Where a copy of a VM is copied across to another physical host.
With live migration, VM files can be copied across onto a second physical host with no downtime.
With SAN migration, the files for a virtual machine are not copied from one server to another and thus downtime is minimized.
Each node in the hypervisor cluster can see the storage LUN and has a cluster disk resource for the LUN.
VM migration in this scenario means transferring control of the storage from one hypervisor host to another!
While terminology differs by vendor, this capability exists for Hyper-V, VMware, and other popular Type 1 hypervisors.

Resilience: cloud vs on-premises
Considering cloud vs on-premises for data resilience.
Hybrid Cloud
Usually an agent-based replication operation for VMs.
We could also consider hosting a backup of our environment in the cloud. We could replicate data and VMs from on-premises to the cloud so that if we have a disaster, we could switch quickly to the cloud.
Cloud Native (Public Cloud)
Storage replication in the cloud is often a simple service-level selection.
VM replication is also greatly simplified.
Reduces infrastructure complexity, but comes at additional cost.

2.0 Architecture and Design
2.5 Given a scenario, implement cybersecurity resilience
• Backup types
  • Full
  • Incremental
  • Snapshot
  • Differential
  • Tape
  • Disk
  • Copy
  • Network-attached storage (NAS)
  • Storage area network
  • Cloud
  • Image
  • Online vs. offline
  • Offsite storage
    • Distance considerations
• Non-persistence
  • Revert to known state
  • Last known-good configuration
  • Live boot media
• High availability
  • Scalability
• Restoration order
• Diversity
  • Technologies
  • Vendors
  • Crypto
  • Controls
The “A” in the CIA Triad = Availability!

DOMAIN 2: BACKUP TYPES
Tape: backup to magnetic tape, and this would be the slowest form of restore. Can be stored offsite with a vaulting service in a fireproof vault.
Disk: backup to a USB, removable hard drive, or disk on another server.
Copy: using xcopy/robocopy to copy to another server on the network. Useful in one-off / ad hoc scenarios.
Network-attached storage (NAS): useful when data is accessed by using a Universal Naming Convention (UNC) path rather than a LUN, as with a SAN. A good solution for large volume of data (multiple terabytes).
Storage area network (SAN): Good for fast backups of large datasets, common with SQL databases or email. Also enables tiered storage access for prioritizing by workload.
Cloud: backup to cloud storage for multiple scenarios. For user files, solutions like Dropbox and OneDrive enable automated sync and versioning. Cloud backup solutions support server and file share backups.
Image: clone of OS to enable quick restore of the image to bare metal.
Online vs offline: Offline media needs to be labeled and securely stored. Online backups will be faster to restore.
Distance and bandwidth should be considered in planning, such as travel time for retrieving tapes or copying from cloud.

Non-persistence
Non-persistence refers to systems that are not permanent and can be returned to a previous state.
Revert to Known State. In a Windows environment, you can save the system state, and the system’s settings, to removable media. If the computer is corrupt, then you can repair the computer and then insert the media and revert to the system state data.
Last Known Good Configuration. Where the system has recorded the configuration state as you log in. This can be reverted to at a later stage. In Windows, new last known good is created at each login.
Live Boot Media. A copy of the operating system is saved to a USB flash drive or DVD. Enables booting from the removable media.

High availability
Concepts that relate to and support cyber resilience.
Scalability: The ability of a system to handle growth of users or work.
Fault Tolerance: The ability of a system to handle faults in a service like power, network, or hardware failures. Generally refers to component-level failures.
High Availability: The ability to keep services up and running for long periods of time.
Generally refers to service-level failures.
Disaster Recovery: The ability to recover from an event which has taken down a service or site. Generally refers to recovery in the event of a service or site failure.

Restoration order
Establishing the order in which components, systems, and services should be restored based on defined criteria.
Order of restoration: Prioritized restore sequence based on business impact assessment (BIA). Most critical systems will be restored first.
RTO (recovery time objective): Service-focused. Maximum amount of time that a process or service is allowed to be down and the consequences still to be considered acceptable.
RPO (recovery point objective): Data-focused. Point of last known good data prior to an outage that is used to recover systems. Time that can pass before loss exceeds maximum tolerance.

DIVERSITY
Impact of diversity on availability, resiliency, and security. Can improve security and resiliency if well managed.
Vendor diversity involves getting a service from multiple (different) providers at the same time.
Technology diversity: different technologies in service delivery (OS, apps, appliances).
Crypto diversity is when a company uses multiple algorithms to protect their data.
Controls diversity implements a compensating (backup) control that could replace a primary control should it fail.
2.0 Architecture and Design
2.6 Explain the security implications of embedded and specialized systems
• Embedded systems
  • Raspberry Pi
  • Field-programmable gate array (FPGA)
  • Arduino
• Supervisory control and data acquisition (SCADA) / industrial control system (ICS)
  • Facilities
  • Industrial
  • Manufacturing
  • Energy
  • Logistics
• Internet of Things (IoT)
  • Sensors
  • Smart devices
  • Wearables
  • Facility automation
  • Weak defaults
• Specialized
  • Medical systems
  • Vehicles
  • Aircraft
  • Smart meters
• Voice over IP (VoIP)

MODERN COMPUTE & SECURITY
• computer system that has a dedicated function within a larger mechanical or electronic system.
• the technology component of an IoT device is often referred to as an embedded system.
• a full computer system embedded inside of another larger system.
• examples: hosts of embedded systems include printers, GPS, drones, semi-autonomous vehicles.

DOMAIN 2: EMBEDDED SYSTEMS
An embedded system is both hardware and software combined in a single device. Some such devices will have updates, but some have no update mechanism, making them more vulnerable to attack.
Raspberry Pi
This is a credit card size computer that allows you to run programming languages such as Python or Scratch. Can be plugged into a monitor or computer. Can typically run with relatively low power draw.
Field-Programmable Gate Array (FPGA)
An array of programmable logic blocks, designed to be configured by customer or designer after manufacturing. Accepts custom code and stores it in multiple hardware blocks. Flexible in that it allows field modification to your use case.
Arduino
This is an open-source programmable microprocessor/microcontroller. Boards are programmable through a USB. Can read inputs, such as light on a sensor, or an activity such as turning on a LED, publishing something online, or activating a motor.
Can run from a 9-volt battery and can be used to control electronic components. The Arduino has shields, and these allow you to add wireless or Bluetooth to it so that it could be used to build a robot.

SCADA
You will often find SCADA systems in place where there is a large amount of industrial equipment.
In an industrial, manufacturing, or public utility setting, equipment is often network-connected and monitored. And it can all be centrally configured, controlled, and monitored from a computer using a SCADA network.
Usually do not have direct internet access for greater security.
Should be segmented off from the rest of the network and protected by security controls to restrict access.

Internet of things
A class of devices connected to the internet in order to provide automation, remote control, or AI processing in a home or business setting.
More scenarios involving IoT devices likely to appear in 2021 exam update.

Smart devices
Mobile devices that offer customization options, typically through installing apps, and may use on-device or in-the-cloud artificial intelligence (AI) processing.
A smart device has three main features: context-awareness, autonomous computing, and connectivity.
Many devices can be called “smart” if you add a sensor, a tiny bit of computing capabilities and network connectivity.

Internet of things
Default settings: in business scenarios, lingers due to a process issue.
Every device that you put on your network to manage has a default username and a default password. Often, the defaults are open and available for anybody to use (Wi-Fi and IoT).
Botnets and offensive security tools will find and exploit devices with weak default settings still in place. Simply change defaults to shut down this attack vector!
Wearables.
You might be wearing an IoT device, such as a fitness tracker or smartwatch.
Facility automation. In a large facility, IoT devices are able to manage the heating and AC, lights, and motion/fire/water detection. Enable facility managers to be able to configure automation and monitoring of device function.
Sensors. Vehicles have very specialized sensors embedded, assisting with vehicle function.

DOMAIN 2: SPECIALIZED SYSTEMS
Medical Systems
With these devices, human life is at stake.
A broad category that covers everything from small implantable devices to tools for measuring vital signs to MRI machines. An issue is how to patch discovered vulnerabilities, as considerable testing is required to ensure human safety.
Vehicles
Our automobiles now have very specialized and multiple embedded systems. Today, almost every aspect of the car has sensors monitoring function or surroundings. Some of these communicate with each other to make driving experience safer.
Security updates (patches) and network security are going to be major concerns in securing specialized systems.
Aircraft
A similar set of specialized embedded systems exists on aircraft. Many different networks and many different sensors, all communicating amongst each other.
Smart Meters
In homes and businesses, we’re starting to put more and more sensors on our utilities. Increasingly, embedded systems are watching water, electrical, and other types of utility use.
Protecting against denial-of-service attacks is going to be of paramount concern. In addition to secure network access, ensuring device access is secured will be important.

VOICE OVER IP (VOIP)
Embedded systems for voice communication and more.
IP phones can be entry points into your business network and are susceptible to data network attacks.
Use security features on VoIP system to restrict system access, call types, and call hours.
Ensure users delete sensitive voice mails when they are no longer needed.
Essentially standalone computers, so we can use many of the same security controls you would employ to protect a typical computer network (e.g. firewall, IPS, apply updates, restrict network access).

2.0 Architecture and Design
2.6 Explain the security implications of embedded and specialized systems
• Heating, ventilation, air conditioning (HVAC)
• Drones
• Multifunction printer (MFP)
• Real-time operating system (RTOS)
• Surveillance systems
• System on chip (SoC)
• Communication considerations
  • 5G
  • Narrow-band
  • Baseband radio
  • Subscriber identity module (SIM) cards
  • Zigbee
• Constraints
  • Power
  • Compute
  • Network
  • Crypto
  • Inability to patch
  • Authentication
  • Range
  • Cost
  • Implied trust

EMBEDDED AND SPECIALIZED SYSTEMS
Embedded systems are often in the heating, ventilation, and air conditioning (HVAC) systems in businesses and data centers.
• are usually very complex systems, especially in larger environments, usually integrated with the fire system, as well.
• in large HVAC implementations have a computer that monitors and maintains all of the HVAC for the facility.
• as HVAC systems play a role in human safety, security in HVAC and HVAC monitoring system is critical.
• unauthorized access by an attacker may allow full control of the system, with potentially dangerous or disastrous results.
Smart buildings allow turning HVAC systems on or off based on occupancy and use, reducing costs, but Internet access adds risk.

The security implications of embedded systems are of special concern with drones.
These may be devices that are manually controlled, but some have autonomous functions not requiring human intervention.
In the United States, you have to have a federal license to be able to fly one of these drones of a certain size.
It’s very common to find security features and fail-safe functionality built into these drones.
• That way, if anything occurs while the device is in the air, you can land it safely without harming anyone in the vicinity.

Multifunction devices
• In a multi-function device (MFD) you can have a scanner, a printer, and a fax machine all within a single embedded device.
• These devices have become increasingly complex, with very sophisticated firmware.
• Scans and faxes are stored somewhere on the device, usually in its internal memory.
• Bi-directional communication with user endpoints for document sending and retrieval opens an attack vector.
• Logs on the device can also provide an attacker with a list of users and endpoints the device has communicated with.

Real-time operating system (RTOS)
• Smart devices like wearables, and embedded systems like those in cars and industrial equipment, often use an RTOS.
• An RTOS is an operating system designed to work on a very deterministic schedule. This means that the hardware and software of the device operate with very specific scheduling.
• An RTOS processes data immediately, and if a task or process does not complete within a certain time, the process will fail.
• Security of these devices is important, but it's often difficult to know exactly what's running inside those embedded systems.

Surveillance systems
• The cameras and the monitoring systems used for video surveillance are also embedded systems.
• Some are high-end, feature-rich, and expensive, often with advanced networking to protect their content.
• Others are cheap, ubiquitous security cameras used for surveillance at home and in public.
• May have motion-sensitive (activated) functionality, or even object tracking capabilities.
• It is important to ensure that proper access security is implemented, so that only authorized users can view camera data.
• Due to location (often on the roof or building exterior), remotely upgradable firmware and patching may be very desirable.
System on chip (SoC)
• Used in a variety of embedded systems and smart devices.
• A complete computer system miniaturized on a single integrated circuit, providing a full computing platform on a chip.
• Includes networking and graphics display capabilities, though memory may be located elsewhere.
• SoCs are very common in the mobile computing market and are on billions of devices worldwide.
• Has multiple components on the single platform, and often a single chip may handle multiple functions on that single board.
• Common with embedded systems, primarily because they are widely available, multi-functional, and customizable.

COMMUNICATION CONSIDERATIONS

5G (5th Generation Cellular)
• Faster speeds and lower latency.
• Unlike 4G, 5G doesn't identify each user through their SIM card. It can assign identities to each device.
• Some air interface threats, such as session hijacking, are dealt with in 5G.
• The standalone (SA) version of 5G will be more secure than the non-standalone (NSA) version. NSA anchors the control signaling of 5G networks to the 4G core.
• The Diameter protocol, which provides authentication, authorization, and accounting (AAA), will be a target.
• Because 5G has to work alongside older tech (3G/4G), old vulnerabilities may be targeted.
• Because the scale of IoT endpoint counts on 5G is exponentially greater, DDoS is a concern.
• Some carriers originally launched an NSA version of 5G, which continues to rely on availability of the 4G core.

Narrow-band
• Refers to radio communications that carry signals in a narrow band of frequencies.
• Used in a variety of scenarios requiring short-range wireless communication.
• Examples include security Radio-Frequency Identification (RFID) or keyless vehicle entry products.
• DDoS attacks that disrupt communications, impacting device function or the sending of telemetry, are a major concern.

Baseband radio
• Used for audio signals over a radio frequency transmitted over a single channel.
• Uses a single frequency for communication, and is digital.
• EXAMPLE: truck drivers communicating with one another on a specific channel.

Subscriber Identity Module (SIM) cards
• Small computer chips that contain the information about a mobile subscription.
• Allow the user to connect to a telecommunication provider to make calls, send text messages, or use the Internet.
• Used as a second factor in authentication.
• One of the auth factors most prone to attack.

Li-Fi (Light Fidelity)
• Uses the modulation of light intensity to transmit data (uses LED).
• Can safely function in areas otherwise susceptible to electromagnetic interference.
• Can theoretically transmit at speeds of up to 100 Gbit/s.
• Only requires working LED lights.
• Uses "visible light", in that it cannot penetrate opaque walls.

Zigbee (Personal Area Network, e.g. an IoT smart home hub)
• A short-range wireless PAN (Personal Area Network) technology developed to support automation, machine-to-machine communication, and remote control and monitoring of IoT devices.
• Supports both centralized and distributed security models, and mesh topology.
• Assumes that the symmetric keys used are transmitted securely (encrypted in transit).
• During pre-configuration of a new device, a single key might be sent unprotected, creating a brief vulnerability.

DOMAIN 2: CONSTRAINTS
There are many constraints associated with embedded devices, due to their size, location, cost and architecture. Common constraints:
• Power and compute: Limited size and remote/unusual locations result in limited compute capacity and low power consumption.
• Network: Embedded systems are not scalable, and some can only communicate through Wi-Fi or Bluetooth and are short-ranged.
• It is difficult to transfer data from one system to another.
• Authentication: Some embedded systems are incapable of joining a network and may only support local logon. Change defaults.
• Crypto: PKI needs at least a 32-bit processor, and embedded devices are limited to 8 or 16 bits. As a result, authentication may be very slow.
• Hardware upgrade/patching: Most embedded devices cannot have their hardware upgraded and may require physical access to patch. Some vendors may not produce patches.
• Range: Many have a very short range, and so are not flexible or scalable in terms of management and use.
• Cost: Embedded systems are mainly customized and function-specific to keep costs down, making upgrade to new hardware versions impractical.
• Implied trust: It may not be feasible to troubleshoot these devices. When you purchase an embedded system, there is implied trust that the system functions as documented. Ask the manufacturer if they pen tested.

2.0 Architecture and Design
2.7 Explain the importance of physical security controls
• Bollards/barricades
• Access control vestibules
• Badges
• Alarms
• Signage
• Cameras
   • Motion recognition
   • Object detection
• Closed-circuit television (CCTV)
• Industrial camouflage
• Personnel
   • Guards
   • Robot sentries
   • Reception
   • Two-person integrity/control
• Locks
   • Biometrics
   • Electronic
   • Physical
   • Cable locks
• USB data blocker
• Lighting
• Fencing
• Fire suppression

"Explain the importance" means you need to know not only what, but why!

Functional order of security controls
1. Deterrence
2. Denial
3. Detection
4. Delay

Layers of security
• Defense in depth is the concept of protecting a company's data with a series of protective layers.
• If one layer fails, another layer will already be in place to thwart an attack.
• Physical security plays a role in data security, service resilience, and more.
• Example layers: Fence, CCTV, Guards, Secure Area, Encryption, Permissions, Data.

Understanding types of security controls can be a major advantage in your cybersecurity career!

Physical security controls
Physical security controls can be divided into three groups:
• Operational (aka "managerial" or "administrative") controls include policies and procedures, like site management, personnel controls, awareness training, and emergency response and procedures.
• Logical (aka "technical") controls are implemented through technology, like access controls, intrusion detection, alarms, CCTV, monitoring, HVAC, power supplies, and fire detection and suppression.
• Physical controls use physical means to protect objects and include fencing, lighting, locks, construction materials, mantraps, dogs, and guards.

Physical security requirements

Know the logical controls for physical security. Technical controls for physical security include:
• access controls
• intrusion detection
• alarms
• CCTV and monitoring
• HVAC
• power supplies
• fire detection and suppression

Know the administrative controls for physical security. Administrative controls for physical security include:
• facility construction
• facility selection
• site management
• personnel controls
• awareness training
• emergency response
• emergency procedure

Know the physical controls for physical security. Physical controls for physical security include:
• fencing
• lighting
• locks
• construction materials
• mantraps
• dogs
• guards

There is no security without physical security
• Without control over the physical environment, no amount of administrative or technical/logical access controls can provide adequate security.
• If a malicious person can gain physical access to your facility or equipment, they can do just about anything they want, from destruction to disclosure and alteration.

Bollards and barricades
• A bollard is a short post used to divert vehicle traffic from an area or road.
• Can be placed in front of a building to stop a car from driving at a desired point.
• Bollards may be used to establish different zones of physical security.

For the exam, be familiar with the different physical controls related to entry/entrance security.

Access control vestibules
• Turnstile devices that only allow one person in at a time.
• A mantrap is a common example (mantrap = access control vestibule).
• An airlock is a similar concept that also restricts airflow.

Badges, signage, and alarms
• Signage: Before anyone reaches your main entrance, there should be highly visible signs warning them that they are entering a secure area with armed guards and dogs. This is used as a deterrent to discourage possible intruders.
• Badges: The visitor's form of identification is retained (or captured/photocopied), and they are allocated a visitor's badge that is a different color from that of employees. They return the badge when they leave. These badges should be visible at all times, and anyone who isn't displaying a badge should be challenged. Train employees in this behavior.
• FOR STAFF: Badges for members of staff might be RFID-enabled cards so that they can access the building via a card reader (requiring physical proximity).
• Burglar alarms: Enabled when the premises are not occupied, so when someone attempts a break-in, it will trigger the alarm and notify the monitoring company or local police.
• Fire alarms/smoke detectors: In a company building, there should be fire alarms or smoke detectors in every room so that when a fire breaks out and the alarms go off, the people inside the premises are able to escape.

Cameras
Detective and deterrent controls for physical security.
• Cameras can be set up in areas around the perimeter and on doorways to detect motion.
• They can be set up to detect objects both day and night to alert the security team by raising an alarm.
• Object detection in higher quality cameras can recognize the type of object (a vehicle, a person, etc.) and may be able to lock onto an object (e.g. a person's face) and track it as it moves from place to place.

Closed-circuit television (CCTV)
• You should consider monitoring entry points with CCTV.
• Audit trails and visitor access logs are useful tools for managing physical access control.
• Logs may need to be created manually by security guards or may be generated automatically (with RFID badges and proximity readers).
• Audit trails and visitor access logs are valuable in reconstructing the timeline of events in an intrusion, breach, or attack.
• Through CCTV, you can compare the audit trails and access logs with a visually recorded history of the actual events.

Industrial camouflage
• Designing a facility or other resources to obscure it from identification via aerial photography and other means of observation.
• For company facilities housing important resources and operations, this means designing the building to prevent recognition. This is another layer of physical security.
• Entrances will often be disguised as well to prevent visual identification by potential attackers and intruders.
• You would also avoid placing signs that explain the purpose of the facility or the resources it contains.
• The need for secrecy will also influence physical security decisions, such as fencing, lighting, and camera selection.

DOMAIN 2: PERSONNEL
• Guards: Work at the entrance reception desk to check the identity of people entering the building to stop unauthorized access. In high-security scenarios, an armed guard and a dog may be appropriate. Procedures for staff and visitors should be clearly defined.
• Robot sentries: Can be used to patrol the facility perimeter and raise warnings to deter any intruders or alert security staff.
• Reception: The desk/station at the facility entrance where guards will check employees and visitors.
• Two-person integrity/control: Ensures that no single person would have access to any particular asset in the building. Also reduces the risk of a malicious insider attack.

Threats to physical access controls
No matter which physical access control is used, a security guard or other monitoring system must be deployed to prevent:
• Abuses of physical access control, which include propping open secured doors and bypassing locks or access controls.
• Masquerading, which is using someone else's security ID to gain entry to a facility.
• Piggybacking, which is following someone through a secured gate or doorway without being identified and authorized.
All are related to badged entry.

Lock types
• Biometric locks: Something you are.
• Electronic locks: Something you have. Usually a PIN code.
• Cable locks: Attached to laptops or tablets to secure them against theft.
• Physical locks: A device that prevents access to data, such as a key lock switch on a computer.

DOMAIN 2: PHYSICAL SECURITY CONTROLS

USB data blocker
• The device blocks the data pins on the USB device, which prevents attacks in unsecure scenarios.
• For example, this can prevent juice jacking, where data is stolen when you are charging a USB device in a public area.

Lighting
• Attackers avoid any place that may be lit, because they don't want to be seen.
• Proper lighting is one of the best security controls you can implement, particularly in environments that need to be monitored 24 hours a day.
• You want to make sure you're providing enough light for the cameras and guards monitoring that area.
• Consider lighting angles, especially if there are shadows and you're doing some type of facial recognition.
Lighting (EXTRA CREDIT)
• Lighting should not illuminate the positions of guards, dogs, patrol posts, or other similar security elements.
• Lighting used for perimeter protection should illuminate critical areas with 2 feet of candle power from a height of 8 feet.
• Light poles should be placed the same distance apart as the diameter of the illuminated area. 20 feet of coverage means poles 20 feet apart.

Fencing basics
• Fences protect resources for which access should be restricted.
• They also advertise that you have something in this area that you don't want people to gain access to.
• If it is OK for people to be able to see into a particular area, then you may want a fence that you can look through, which can help police, fire, and security professionals.
• An opaque fence will prevent anyone seeing what is behind it, if it's tall enough.
• Height and material will factor into how effective a fence will be in access prevention.
• Multiple physical security controls (fencing, lighting, cameras) together can improve their effectiveness.

Fences
• 3-4 feet: deters the casual trespasser.
• 6-7 feet: too difficult to climb easily; may block vision (providing additional security).
• 8 feet (topped with barbed wire): will deter determined intruders.
• PIDAS (perimeter intrusion detection and assessment system): will detect someone attempting to climb a fence. EXPENSIVE and may generate false positives.
• A fence is a DETERRENT control. PIDAS is a DETECTIVE control.

Fire suppression basics
• Fire is one of the worst-case scenarios we must plan for to protect human safety.
• First, proper monitoring and warning, consisting of fire detection and fire alarm.
• Next, clearly marked fire exits ensure both employees and visitors can find safe egress from facilities in the event of a fire.
• When a fire is detected, suppression will vary by the nature of the fire.
• Different materials (electronics, oil, chemicals) require a specific response.

Damage from fire and fire suppression
• The destructive elements of a fire include smoke and heat, but also the suppression medium, such as water or soda acid.
• Smoke is damaging to most storage devices.
• Heat can damage any electronic or computer component.
• Suppression mediums can cause short circuits, initiate corrosion, or otherwise render equipment useless.
• All of these issues must be addressed when designing a fire response system.
• #1 concern is ALWAYS human safety!

Fire and suppression agents (EXTRA CREDIT)
• Class A (ASH): fires are common combustibles such as wood, paper, etc. This type of fire is the most common and should be extinguished with water or soda acid.
• Class B (BOIL): fires are burning alcohol, oil, and other petroleum products such as gasoline. They are extinguished with gas or soda acid. You should never use water to extinguish a class B fire.
• Class C (CONDUCTIVE): fires are electrical fires which are fed by electricity and may occur in equipment or wiring. Electrical fires are conductive fires, and the extinguishing agent must be non-conductive, such as any type of gas.
• Class D (DILYTHIUM): fires are burning metals and are extinguished with dry powder.
• Class K (KITCHEN): fires are kitchen fires, such as burning oil or grease. Wet chemicals are used to extinguish class K fires.

The three categories of fire detection systems include smoke sensing, flame sensing, and heat sensing.
Fire extinguisher classes (EXTRA CREDIT)
Fire extinguishers and suppression agents:

Class | Type                | Suppression material
A     | Common combustibles | Water, soda acid (a dry powder or liquid chemical)
B     | Liquids             | CO2, halon, soda acid
C     | Electrical          | CO2, halon
D     | Metal               | Dry powder
K     | Kitchen             | Wet chemicals

Class A: can use water. Classes B, C, D, K: don't use water!

2.0 Architecture and Design
2.7 Explain the importance of physical security controls
• Sensors
   • Motion detection
   • Noise detection
   • Proximity reader
   • Moisture detection
   • Cards
   • Temperature
• Drones
• Visitor logs
• Faraday cages
• Air gap
• Screened subnet (previously known as demilitarized zone)
• Protected cable distribution
• Secure areas
   • Air gap
   • Vault
   • Safe
   • Hot aisle
   • Cold aisle
• Secure data destruction
   • Burning
   • Shredding
   • Pulping
   • Pulverizing
   • Degaussing
   • Third-party solutions

Sensors
The role of sensors in physical security.
• Motion detection (deterrent control): When someone walks past a building, the motion sensors detect movement and turn on lights to discourage would-be intruders. A building with a CCTV camera in a prominent position and a sign warning people that they are being recorded may act as a deterrent.
• Noise detection: Noise monitoring devices can detect excessive noise to identify a variety of issues, depending on where they are placed, including intruders or other negative events.
• Proximity reader and cards: Proximity cards are commonly used to gain access to doors or door locks. By moving the card close to the proximity reader, info on the card is checked, and then the system can either allow or disallow access through that lock.
• Moisture detection: Humidity sensors measure the amount of moisture in the air. If there is too much moisture in the air, it could lead to condensation, which can damage sensitive equipment and lead to the formation of harmful mold.
• Temperature: When temperature sensors detect that it is getting too hot, they can trigger corrective action, such as injecting cold air into a space.
  Critical systems could fail if the temperature gets too hot.
• CO2: Sensors measure the CO2 in the air, as workers could become ill with headaches or get drowsy if the CO2 levels get too high.
As with most security processes and equipment, sensors require ongoing maintenance, management, and periodic testing.

Temperature and humidity
Know ideal levels as well as effects of temperature and humidity.
• Humidity: 40% – 60% is ideal.
• Temperature: ideal for computers is 60-75F (15-23C), with damage at 175F. Managed storage devices are damaged at 100F.

Humidity and static electricity
• Too much humidity can cause corrosion.
• Too little humidity causes static electricity.
• Even on non-static carpet, low humidity can generate a 20,000-volt static discharge!

DOMAIN 2: PHYSICAL SECURITY

Drones
• Are used to monitor facility perimeters and conduct constant surveillance over large areas.
• Can also be sent out as a response mechanism before personnel can respond, to conduct an initial site assessment.
• This enables personnel to assess risks before responding or entering a secure area.

Visitor logs
Understand how to handle visitors in a secure facility.
• If a facility employs restricted areas to control physical security, then a mechanism to handle visitors is required.
• Often an escort is assigned to visitors, and their access and activities are monitored closely.
• Tracking the actions of outsiders when they are granted access helps prevent malicious activity against the most protected assets.
• The guards at the main entrance to a base or company will ask visitors to complete the visitor logs, and then provide some form of identification.

Faraday cage
• An enclosure used to block electromagnetic fields.
• Prevents wireless or cellular phones from working inside the enclosure.
• Signals such as HF RFID are likely to break through a Faraday cage.

Screened subnet
• A boundary layer between the LAN and the WAN that holds information that companies may want people from the internet to access.
• Front-end web and email servers may reside in a screened subnet.
• Systems with sensitive data or hosting identity and access management (e.g. Active Directory) would not.
• Other names for a screened subnet are Demilitarized Zone (DMZ) or perimeter network.

DOMAIN 2: PROTECTED CABLE DISTRIBUTION
A protected distribution system (PDS) encases network cabling within a carrier. It enables data to be securely transferred directly between two high-security areas through an area of lower security.
• Hardened carrier: In a hardened carrier PDS, network cabling is run within metal conduit. All conduit connections are permanently welded or glued to prevent external access. To identify signs of tampering, regular visual inspections of the carrier should be conducted.
• Alarmed carrier: The welds and/or glue used to secure a hardened carrier are replaced with an electronic alarm system that can detect attempts to compromise the carrier and access the protected cable within it.
• Continuously viewed carrier: Security guards continuously monitor the carrier to detect any intrusion attempt by attackers.

Secure areas: air gap
• Secure areas create "air gaps" between some systems, used internally to separate confidential systems from standard systems.
• The only way to insert or remove data from an air-gapped machine is by using removable media such as a USB or CD-ROM drive.

Secure areas: hot and cold aisles
• The cold aisle is where the cold air enters and is contained; it faces the front of the servers.
• The rears of the servers face each other. They push hot air out into the hot aisles.
• Hot air is allowed to escape through a vent or chimney, or may be captured and channeled back to the HVAC unit.
• Hot and cold aisles need to be considered in data center design. This is the CSP's responsibility in the cloud.

Secure areas: vault and safe
• A vault is where data can be encrypted and stored in the cloud, giving you an extra-secure storage area.
• "Vault" may also be mentioned in solutions for storing passwords and secrets.
• There are safes for the storage of laptops and tablets.

The Information Lifecycle
Stages: Creation, Classification, Storage, Usage, Archive, Destruction.
• Creation: Data can be created by users (a user creates a file) or by systems (a system logs access).
• Classification: To ensure data is handled properly, it's important to ensure it is classified as soon as possible.
• Storage: Data should be protected by adequate security controls based on its classification.
• Usage: Refers to any time data is in use or in transit over a network.
• Archive: Archival is sometimes needed to comply with laws or regulations requiring the retention of data.
• Destruction: When data is no longer needed, it should be destroyed in such a way that it is not readable.

DOMAIN 2: SECURE DATA DESTRUCTION

Media is reusable with any of these methods (data may be recoverable with forensic tools; these may be "distractors" in exam questions):
• Erasing: Performing a delete operation against a file, files, or media.
• Clearing (overwriting): Preparing media for reuse and ensuring data cannot be recovered using traditional recovery tools.
• Purging: A more intense form of clearing that prepares media for reuse in less secure environments.

Destroying data on media such as a hard drive or DVD/CD-ROM:
• Degaussing: Creates a strong magnetic field that erases data on some media and destroys electronics.
• Shredding: You can shred a metal hard drive into powder.
• Pulverizing: Use a hammer and smash the drive into pieces, or drill through all the platters.
Media is not reusable with any of these methods. Data is also not recoverable by any means.

Destroying data on paper so it cannot be stolen:
• Burn: Burning with fire, as with an incinerator on site or via a third-party vendor providing a destruction certificate.
• Pulping: If burning is not available, pulping, which turns the data into paper mâché, is the best option.
• Shredding: If burning or pulping is not possible, a cross-cut shredder is best, as it makes reassembly much more difficult.
These methods are listed in order of effectiveness. Third parties may use different methods, but will certify the task is complete.

2.0 Architecture and Design
2.8 Summarize the basics of cryptographic concepts
• Digital signatures
• Key length
• Key stretching
• Salting
• Hashing
• Key exchange
• Elliptic-curve cryptography
• Perfect forward secrecy
• Quantum
   • Communications
   • Computing
• Post-quantum
• Ephemeral
• Modes of operation
   • Authenticated
   • Unauthenticated
   • Counter
• Blockchain
   • Public ledgers
• Cipher suites
   • Stream
   • Block
• Symmetric vs. asymmetric
• Lightweight cryptography

DOMAIN 2: CRYPTOGRAPHIC CONCEPTS

Digital signatures
• Digital signatures are similar in concept to handwritten signatures on printed documents that identify individuals, but they provide more security benefits.
• A digital signature is an encrypted hash of a message, encrypted with the sender's private key.
• In a signed email scenario, it provides three key benefits:
   • Authentication. This positively identifies the sender of the email. Ownership of a digital signature secret key is bound to a specific user.
   • Non-repudiation. The sender cannot later deny sending the message. This is sometimes required with online transactions.
   • Integrity. Provides assurances that the message has not been modified or corrupted.
     Recipients know that the message was not altered in transit.
These are the basics important for the Security+ exam.

Digital Signature Standard
• The Digital Signature Standard (DSS) uses the SHA-2 and SHA-3 message digest functions.
• It works in conjunction with one of three encryption algorithms:
   • Digital Signature Algorithm (DSA)
   • Rivest, Shamir, Adleman (RSA) algorithm
   • Elliptic Curve DSA (ECDSA) algorithm
• DSS is documented in FIPS 186-4 from NIST at https://csrc.nist.gov/publications/detail/fips/186/4/final

Key length
• Some cipher suites are easier to crack than others.
• Larger keys tend to be more secure, because there are more possible key combinations.
• Since 2015, NIST recommends a minimum of 2048-bit keys for RSA. This will change over time as computing power advances. Quantum computing will impact this recommendation.

Key stretching
• Processes used to take a key that may be weak and make it stronger, by making it longer and more random.
• A longer key has more combinations a brute force attack has to go through to crack.

Hashing vs encryption
• Encryption: A two-way function; what is encrypted can be decrypted with the proper key.
• Hashing: A one-way function that scrambles plain text to produce a unique message digest. There is no way to reverse it if properly designed.
• Common uses of hashing:
   • Verification of digital signatures
   • Generation of pseudo-random numbers
   • Integrity services (file hash comparison)

Salting
• Attackers may use rainbow tables of precomputed values to identify commonly used passwords.
• A cryptographic salt is random data that is used as an additional input to a one-way function that hashes data, a password or passphrase.
• Adding salts to the passwords before hashing them reduces the effectiveness of rainbow table attacks.

Elliptic-curve cryptography (ECC)
• Uses a small, fast key for encryption in small mobile devices.
• Was created because of the constraints associated with the calculations used in asymmetric encryption.
• Curves in ECC are easier to calculate than the large primes typical in asymmetric encryption.

Asymmetric algorithm comparison
A smaller key makes ECC attractive for resource-constrained systems.

Name | Type | Algorithm type | Size | Strength | Replaced by
RSA | Asymmetric | Key transport | 1,024, 2,048, and 4,096 are typical | Strong | -
Diffie-Hellman | Asymmetric | Key exchange | 1024 minimum, 2048 for PCIDSS | Moderate | El Gamal
El Gamal | Asymmetric | Key exchange | 1024 minimum, 2048 common | Very Strong | -
ECC | Asymmetric | Elliptic Curve | Variable (smaller key size due to EC, 160-bit EC key = 1025 RSA) | Very Strong | -

For comparison only. No need to memorize these key details for the exam!

Perfect forward secrecy
• A feature of specific key agreement protocols that assures session keys will not be compromised if the long-term secrets (private key) used in session key exchange are compromised.
• Indicates that a cryptographic system generates random public keys for each session and does not use a deterministic algorithm in the process.
• Given the same input, the algorithm will create a different public key, ensuring systems do not reuse keys.
• Protects data on the Transport layer that uses TLS protocols, like OpenSSL.
• Uses more computing power than a single private key on a web server, so it will not be a fit for all scenarios.
• The value of forward secrecy is that it protects past communication, reducing the motivation for an attacker to compromise keys.

CONCEPT: Symmetric vs asymmetric
Symmetric:
• Relies on the use of a shared secret key.
• Lacks support for scalability, easy key distribution, and nonrepudiation.
Asymmetric:
• Public-private key pairs for communication between parties.
Supports scalability, easy key distribution, and nonrepudiation.

Example: asymmetric cryptography
• Franco sends a message to Maria, requesting her public key.
• Maria sends her public key to Franco.
• Franco uses Maria’s public key to encrypt the message and sends it to her.
• Maria uses her private key to decrypt the message.

Asymmetric key types
Public keys are shared among communicating parties. Private keys are kept secret.
• To encrypt a message: use the recipient’s public key.
• To decrypt a message: use your own private key.
• To sign a message: use your own private key.
• To validate a signature: use the sender’s public key.
Each party has both a private key and public key!

Common uses
Symmetric (example: AES256)
• Typically used for bulk encryption / encrypting large amounts of data.
Asymmetric (examples: RSA, DSS, ECC)
• Distribution of symmetric bulk encryption keys (shared key)
• Identity authentication via digital signatures and certificates
• Non-repudiation services and key agreement
Hash functions
• Verification of digital signatures
• Generation of pseudo-random numbers
• Integrity services (data integrity and authenticity)

DOMAIN 2: QUANTUM

Quantum cryptography
The practice of harnessing the principles of quantum mechanics to improve security and to detect whether a third party is eavesdropping on communications.
Leverages fundamental laws of physics such as the observer effect, which states that it is impossible to identify the location of a particle without changing that particle.
Quantum Key Distribution is the most common example of quantum cryptography. By transferring data using photons of light instead of bits, a confidential key transferred between two parties cannot be copied or intercepted secretly.

Post-quantum cryptography
Post-quantum cryptography refers to cryptographic algorithms (usually public-key algorithms) that are thought to be secure against an attack by a quantum computer.
Post-quantum cryptography focuses on preparing for the era of quantum computing by updating existing mathematical-based algorithms and standards.

POST-QUANTUM CRYPTOGRAPHY
What is post-quantum cryptography?
The development of new kinds of cryptographic approaches that can be implemented using today’s conventional computers, but will be impervious (resistant) to attacks from tomorrow’s quantum computers.
Which algorithms are susceptible? Which algorithms are resistant?

How well do current encryption algorithms hold up to the power of quantum computing?
• Shared Key (bulk encryption, fast): holds up fairly well to quantum computing.
• Public Key Cryptography (key exchange, digital signatures): quantum poses more immediate threats here.

Shared Key (bulk encryption, fast)
Grover’s algorithm shows that a quantum computer speeds up these attacks to effectively halve the key length.
This would mean that a 256-bit key is as strong against a quantum computer as a 128-bit key is against a conventional computer.
Doubling key length from 128 to 256 does not make the key twice as strong, it makes it 2^128 times as strong.

Public Key Cryptography (key exchange, digital signatures)
Shor’s algorithm can easily break all of the commonly used public-key algorithms based on both factoring and the discrete logarithm problem.
This means RSA is vulnerable.
This means Elliptic Curve is vulnerable.
Doubling the key length increases the difficulty to break by a factor of eight. That’s not a sustainable advantage.
However, Lattice offers some resistance!
QUICK NOTES ON LATTICE
Based on different types of problems: the shortest vector problem and the closest vector problem.
Potentially enables us to replace essentially all of our currently endangered schemes.
Lattice-based cryptographic schemes make up the lion’s share of scientific publications on post-quantum cryptography.
Research, selection, and standards development is ongoing.
What exactly is a lattice? A 3-dimensional array of regularly spaced points.

CRYPTOGRAPHIC CONCEPTS
The two primary categories of asymmetric keys are static and ephemeral.

Static Keys
RSA uses static keys. Static keys are semi-permanent and stay the same over a long period of time.
A certificate includes an embedded public key matched to a private key. This key pair is valid for the lifetime of a certificate.
Certificates have expiration dates and systems continue to use these keys until the certificate expires. 1-2 years is a common certificate lifetime.
A certification authority (CA) can validate a certificate’s static key with a certificate revocation list (CRL) or using the Online Certificate Status Protocol (OCSP).

Ephemeral Keys
Ephemeral keys have very short lifetimes and are re-created for each session.
An ephemeral key pair includes a private ephemeral key and a public ephemeral key. Systems use these key pairs for a single session and then discard them.
Some versions of Diffie-Hellman use ephemeral keys.

MODES OF OPERATION
Electronic Codebook Mode (ECB): Simplest & least secure mode. Processes 64-bit blocks, encrypts block with the chosen key. If same block encountered multiple times, same encrypted block is produced, making it easy to break.
Cipher Block Chaining (CBC): Each block of unencrypted text is XORed with the block of ciphertext immediately preceding. Decryption process simply decrypts ciphertext and reverses the XOR operation.
Counter (CTR): Uses an incrementing counter instead of a seed.
Errors do not propagate.

Blockchain
Blockchain was originally the technology that powered Bitcoin but has broader uses.
A distributed, public ledger that can be used to store financial, medical, or other transactions.
Anyone is free to join and participate. Does not use intermediaries such as banks and financial institutions.
Data is “chained together” with a block of data holding both the hash for that block and the hash of the preceding block.
To create a new block on the chain, the computer that wishes to add the block solves a cryptographic puzzle and sends the solution to the other computers participating in that blockchain. This is known as “proof of work”.

Cipher suites
Stream cipher: a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). Each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream.
Block cipher: a method of encrypting text in which a cryptographic key and algorithm are applied to a block of data (for example, 64 contiguous bits) at once as a group rather than to one bit at a time. Widely used today because it is faster than stream cipher.

Lightweight cryptography
An encryption method that features a small footprint and/or low computational complexity.
For the exam, ECC (asymmetric) is the go-to option for low power small devices, and AES 256 (symmetric) for military.
NIST is working on standards for lightweight cryptography.
Lightweight cryptography is important for embedded systems and other resource-constrained devices.
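The ECB, CBC and CTR behaviour described under Modes of Operation above can be seen directly in the following added example, which is not part of the original slides. It uses a toy 64-bit Feistel cipher built from SHA-256 purely as a stand-in block cipher (an assumption for illustration, not a real algorithm), and the key, IV, nonce and plaintext are constructed sample values.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, matching the ECB description above


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(half: bytes, key: bytes, i: int) -> bytes:
    # Round function of the toy cipher: 4 bytes of SHA-256(key || round || half).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def encrypt_block(block: bytes, key: bytes) -> bytes:
    """Toy 4-round Feistel cipher on one 8-byte block. Demonstration only."""
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, _xor(left, _round(right, key, i))
    return left + right


def decrypt_block(block: bytes, key: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(left, key, i)), left
    return left + right


def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("input must be a multiple of 8 bytes (padding omitted)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(pt: bytes, key: bytes) -> bytes:
    # ECB: every block is encrypted independently with the same key.
    return b"".join(encrypt_block(b, key) for b in _blocks(pt))


def ecb_decrypt(ct: bytes, key: bytes) -> bytes:
    return b"".join(decrypt_block(c, key) for c in _blocks(ct))


def cbc_encrypt(pt: bytes, key: bytes, iv: bytes) -> bytes:
    # CBC: XOR each plaintext block with the previous ciphertext block first.
    out, prev = [], iv
    for b in _blocks(pt):
        prev = encrypt_block(_xor(b, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    # Decrypt the block, then reverse the XOR with the previous ciphertext block.
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)


def ctr_crypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    # CTR: encrypt nonce || counter to make a keystream; the same call decrypts.
    out = []
    for n, b in enumerate(_blocks(data)):
        keystream = encrypt_block(nonce + n.to_bytes(4, "big"), key)
        out.append(_xor(b, keystream))
    return b"".join(out)


def repeated_blocks(ct: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = _blocks(ct)
    return len(blocks) - len(set(blocks))


def damaged_blocks(original: bytes, recovered: bytes) -> int:
    """Number of plaintext blocks that differ after decryption."""
    return sum(a != b for a, b in zip(_blocks(original), _blocks(recovered)))


def flip_first_bit(ct: bytes) -> bytes:
    """Simulate a single-bit transmission error in the first ciphertext block."""
    return bytes([ct[0] ^ 0x01]) + ct[1:]


# Constructed sample values (not from the slides).
KEY = b"constructed-demo-key"
IV = bytes.fromhex("0011223344556677")
NONCE = bytes.fromhex("a1b2c3d4")
PLAINTEXT = b"PAY 100 " * 3 + b"TO ALICE"  # three identical blocks, then one more

if __name__ == "__main__":
    ecb = ecb_encrypt(PLAINTEXT, KEY)
    cbc = cbc_encrypt(PLAINTEXT, KEY, IV)
    ctr = ctr_crypt(PLAINTEXT, KEY, NONCE)
    for name, ct in (("ECB", ecb), ("CBC", cbc), ("CTR", ctr)):
        print(name, "repeated ciphertext blocks:", repeated_blocks(ct))
    print("CBC blocks damaged by one flipped bit:",
          damaged_blocks(PLAINTEXT, cbc_decrypt(flip_first_bit(cbc), KEY, IV)))
    print("CTR blocks damaged by one flipped bit:",
          damaged_blocks(PLAINTEXT, ctr_crypt(flip_first_bit(ctr), KEY, NONCE)))
```

The repeated plaintext block shows through in ECB only, and a flipped ciphertext bit spoils two plaintext blocks under CBC but stays within one block under CTR.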
2.0 Architecture and Design
2.8 Summarize the basics of cryptographic concepts
• Steganography
  • Audio
  • Video
  • Image
• Homomorphic encryption
• Common use cases
  • Low power devices
  • Low latency
  • High resiliency
  • Supporting confidentiality
  • Supporting integrity
  • Supporting obfuscation
  • Supporting authentication
  • Supporting non-repudiation
• Limitations
  • Speed
  • Size
  • Weak keys
  • Time
  • Longevity
  • Predictability
  • Reuse
  • Entropy
  • Computational overheads
  • Resource vs. security constraints
Symmetric & asymmetric algorithms work together to solve for these!!

Cryptographic concepts
Steganography: a computer file, message, image, or video is concealed within another file, message, image, or video. A type of obfuscation. An attacker may hide info in this way to exfiltrate sensitive company data.
Homomorphic encryption: allows users to run calculations on data while it is still encrypted. Allows data to be encrypted and outsourced to commercial cloud for processing.

DOMAIN 2: CRYPTOGRAPHIC CONCEPTS
Common scenarios for specific cryptographic choices.

Low power devices. Devices often use ECC for encryption, as it uses a small key. IoT devices do not have the processing power for conventional encryption.
Low latency. Means “encryption and decryption should not take a long time”. Specialized encryption hardware is a common answer in this scenario. A VPN concentrator or encryption accelerator cards can improve efficiency.
High resiliency. Use the most secure encryption algorithm practical to prevent the encryption key from being cracked by attackers. Device, application, or service compatibility may influence decisions.
Supporting confidentiality. Encryption should be implemented for exchange of any sensitive data, and in a way that ensures only authorized parties can view. For example, connecting remote offices via IPSec VPN.
Supporting integrity.
Two important scenarios for ensuring integrity: ensuring file data has not been tampered with, and that communications are not altered in transit. File hash to check file integrity, digital signature or DKIM for email.
Supporting obfuscation. Obfuscation is commonly used in source code to ensure it cannot be read by anyone who steals it. ROT13, XOR, or steganography can be used to obscure data.
Supporting authentication. a single-factor username and password as they are not as secure as multifactor usernames and passwords. MFA for user authentication, certificate-based auth for devices.
Supporting non-repudiation. When you digitally sign an email with your private key, you cannot deny that it was you, as there is only one private key. Non-repudiation is important in any legally binding transaction.

Speed. Application and hardware must be able to keep pace with the selected encryption.
Size. If encrypting 16 bytes of data with a block cipher, the encrypted information is also 16 bytes. This overhead must be considered in resource planning. Need enough memory, storage, and network to support the result.
Weak keys. Larger keys are generally stronger and thus more difficult to break. Find balance between security, compatibility, and capacity.
Time. Encryption and hashing take time. Larger amounts of data and asymmetric encryption take more time than small data and symmetric encryption. Selections need to match time constraints in transactions.
Longevity. Consider how long the encryption algorithms selected can be used. Older algorithms will generally be retired sooner.
Predictability. Cryptography relies on randomization. Random number generation that can’t be easily predicted is crucial for any type of cryptography.
Reuse. Using the same key is commonly seen in a number of encryption mechanisms.
If an attacker gains access to the key, they can decrypt data encrypted with it. Some IoT devices may not allow a key change.
Entropy. A measure of the randomness or diversity of a data-generating function. Data with full entropy is completely random with no meaningful patterns.
Resource vs security constraints. The more secure the encryption used and the higher the key length, the more processing power and memory the server will need. Requires balance between algorithms and hardware selections.

DOMAIN 3

3.0 Implementation
3.1 Given a scenario, implement secure protocols
• Protocols
  • Domain Name System Security Extensions (DNSSEC)
  • SSH
  • Secure/Multipurpose Internet Mail Extensions (S/MIME)
  • Secure Real-time Transport Protocol (SRTP)
  • Lightweight Directory Access Protocol Over SSL (LDAPS)
  • File Transfer Protocol, Secure (FTPS)
  • SSH File Transfer Protocol (SFTP)
  • Simple Network Management Protocol, version 3 (SNMPv3)
  • Hypertext transfer protocol over SSL/TLS (HTTPS)
  • IPSec
  • Authentication header (AH)/Encapsulating Security Payloads (ESP)
  • Tunnel/transport
  • Post Office Protocol (POP)/Internet Message Access Protocol (IMAP)
• Use cases
  • Voice and video
  • Time synchronization
  • Email and web
  • File transfer
  • Directory services
  • Remote access
  • Domain name resolution
  • Routing and switching
  • Network address allocation
  • Subscription services
Implement = choose the right protocol for a use case

SECURE PROTOCOLS & USE CASES

| PROTOCOL | TCP/UDP | PORT | USE CASES |
|---|---|---|---|
| Secure Shell (SSH) | | 22 | Secure remote access (Linux and network) |
| Secure copy protocol (SCP) | | 22 | Secure copy to Linux/Unix |
| SSH File Transfer Protocol (SFTP) | | 22 | Secure FTP download |
| DNSSEC | TCP/UDP | 55 | Secure DNS traffic |
| Kerberos | TCP/UDP | 88 | Secure authentication |
| Simple Network Management Protocol version 3 (SNMP v3) | UDP | 162 | Remote monitoring and configuration of SNMP entities (such as network devices) |
| Lightweight Directory Access Protocol over SSL (LDAPS) | | 636 | Secure directory services information (e.g. Active Directory Domain Services) |
| Hypertext Transport Protocol over TLS/SSL (HTTPS) | | 443 | Secure web browsing |
| Transport Layer Security (TLS) / Secure Sockets Layer (SSL) | | 443 | Secure data in transit |
| Internet Protocol Security (IPSec) | UDP | 500 | Secure VPN session between two hosts |

Know the protocols and modes for IPSec.

| PROTOCOL | TCP/UDP | PORT | USE CASES |
|---|---|---|---|
| Secure Simple Mail Transfer Protocol (SMTPS) | | 587 | Secure SMTP (email) |
| Secure Internet Message Access Protocol (IMAP4) | | 993 | Secure IMAP (email) |
| Secure Post Office Protocol 3 (POP3) | | 995 | Secure POP3 (email) |
| Secure/Multipurpose Internet Mail Extensions (S/MIME) | | 993 | Encrypt or digitally sign email |
| File Transfer Protocol, Secure (FTPS) | | 989/990 | Download large files securely |
| Remote Desktop Protocol (RDP) | | 3389 | Secure remote access |
| Session Initiated Protocol (SIP) | | 5060/5061 | Signaling and controlling in Internet telephony for voice and video |
| Secure Real Time Protocol (SRTP) | | 5061 | Encryption, message auth, and integrity for audio and video over IP networks |

For the exam, grouping by use case may be helpful in memorization.

IPSec Protocols and Modes
Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols
AH protocol provides a mechanism for authentication only. Because AH does not perform encryption, it is faster than ESP.
ESP protocol provides data confidentiality (encryption) and authentication (data integrity, data origin authentication, and replay protection). ESP can be used with confidentiality only, authentication only, or both confidentiality and authentication.
In transport mode, the IP addresses in the outer header are used to determine the IPsec policy that will be applied to the packet.
It is good for ESP host-to-host traffic.
In tunnel mode, two IP headers are sent. The inner IP packet determines the IPsec policy that protects its contents. It is good for VPNs, and gateway-to-gateway security.

3.0 Implementation
3.2 Given a scenario, implement host or application security controls
• Endpoint protection
  • Antivirus
  • Anti-malware
  • Endpoint detection and response (EDR)
  • DLP
  • Next-generation firewall (NGFW)
  • Host-based intrusion prevention system (HIPS)
  • Host-based intrusion detection system (HIDS)
  • Host-based firewall
• Boot integrity
  • Boot security/Unified Extensible Firmware Interface (UEFI)
  • Measured boot
  • Boot attestation
• Database
  • Tokenization
  • Salting
  • Hashing
• Application security
  • Input validations
  • Secure cookies
  • Hypertext Transfer Protocol (HTTP) headers
  • Code signing
  • Allow list
  • Block list/deny list
  • Secure coding practices
  • Static code analysis
  • Manual code review
  • Dynamic code analysis
  • Fuzzing
• Hardening
  • Open ports and services
  • Registry
  • Disk encryption
  • OS
  • Patch management
  • Third-party updates
  • Auto-update
• Self-encrypting drive (SED)/full-disk encryption (FDE)
  • Opal
• Hardware root of trust
• Trusted Platform Module (TPM)
• Sandboxing

Endpoint protection
Antivirus: a software program designed to detect and destroy viruses and other malicious software from the system.
Anti-malware: a program that protects the system from all kinds of malware including viruses, Trojans, worms, and potentially unwanted programs.
Endpoint Detection and Response (EDR): an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities.
These capabilities are generally delivered together in a single solution.
Usually go beyond AV signature-based protection to identify potentially malicious behaviors (aka zero-day or “emerging threats”).

Data Loss Prevention (DLP)
A way to protect sensitive information and prevent its inadvertent disclosure.
Data Loss Prevention can identify, monitor, and automatically protect sensitive information in documents.
Protects personally identifiable information (PII), protected health information (PHI) and more.
Policies can typically be applied to email, SharePoint, cloud storage, and in some cases, even databases.

Modern firewalls
Web Application (aka “WAF”): protects web applications by filtering and monitoring HTTP traffic between a web application and the Internet. Typically protects web applications from common attacks like XSS, CSRF, and SQL injection. Some come pre-configured with OWASP rulesets.
Next Generation (aka “NGFW”): a deep-packet inspection firewall that moves beyond port/protocol inspection and blocking. Adds application-level inspection, intrusion prevention, and brings intelligence from outside the firewall.

IDS and IPS
Intrusion Detection System (IDS): analyzes whole packets, both header and payload, looking for known events. When a known event is detected, a log message is generated.
Intrusion Prevention System (IPS): analyzes whole packets, both header and payload, looking for known events. When a known event is detected, packet is rejected.

Host-based IDS and IPS
IDS/IPS in software form, installed on a host (often a server).
Host-based Intrusion Detection System: analyzes whole packets, both header and payload, looking for known events. When a known event is detected, a log message is generated.
Host-based Intrusion Prevention System: analyzes whole packets, both header and payload, looking for known events. When a known event is detected, packet is rejected.

Endpoint protection
Host-based firewall: an application firewall that is built into desktop operating systems, like Windows or Linux. Because it is an application, it is more vulnerable to attack in some respects (versus hardware FW).
Restricting service/process access to ensure malicious parties cannot stop/kill is important.
Host-based and network-based firewalls are often used together in a layered defense.

BOOT INTEGRITY
Boot integrity ensures hosts are protected during the boot process, so all protections are in place when system is fully operational.
Unified Extensible Firmware Interface (UEFI): a modern version of the Basic Input/Output System (BIOS) that is more secure and is needed for a secure boot of the OS. The older BIOS cannot provide secure boot.
Measured Boot: where all components from the firmware, applications, and software are measured and information stored in a log file. The log file is on the Trusted Platform Module (TPM) chip on the motherboard.
Trusted Secure Boot and Boot Attestation: Operating Systems such as Windows 10 can perform a secure boot at startup where the OS checks that all of the drivers have been signed. If they have not, the boot sequence fails as the system integrity has been compromised. This can be coupled with attestation, where the software integrity has been confirmed. BitLocker implements attestation and its keys are stored on the TPM.

DATABASES
Tokenization: is deemed more secure than encryption because it cannot be reversed. Takes sensitive data, such as a credit card number, and replaces it with random data. For example, many payment gateway providers store the credit card details securely and generate a random token. Tokenization can help companies meet PCI DSS, HIPAA compliance requirements.
Hashing: A database may contain a massive amount of data, and hashing is used to index and fetch items from a database. This makes the search faster as the hash key is shorter than the data. The hash function maps data to where the actual records are held.
Salting: Salting passwords in a database adds random text before hashing to increase the compute time for a brute-force attack, and renders rainbow tables ineffective.

APPLICATION SECURITY
Implement application security controls to prevent attacks.

Input Validation
Ensures buffer overflow, integer overflow, and SQL injection attacks cannot be launched against applications and databases.
Use where data is entered either using a web page or wizard.
Only accept data in the correct format within a range of minimum and maximum values. Incorrect format should be rejected, forcing user to re-enter.

Secure Cookies
Used by web browsers and contain information about your session. Can be stolen by attackers to carry out a session hijacking attack.
Setting the secure flag in website code ensures that cookies are only downloaded when there is a secure HTTPS session.

Hypertext Transfer Protocol (HTTP) Headers
HTTP headers are designed to transfer information between the host and the web server.
An attacker can carry out cross-site scripting (XSS) as it is mainly delivered through injecting HTTP response headers.
Can be prevented by entering the HTTP Strict Transport Security (HSTS) header: HSTS ensures that the browser will ignore all HTTP connections.

Code Signing
Uses a certificate to digitally sign scripts and executables to verify their authenticity and to confirm that they are genuine.

Allow List
An allow list enables only explicitly allowed applications to run. This can be done by setting up an application whitelist.
Firewalls, IDS/IPS, and EDR systems can have an allow list.

Block List/Deny List
Prevents specified applications from being installed or run by using a block/deny list in the specified security solution.
Firewalls, IDS/IPS, and EDR systems can have a block list.
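The salting point made in the database section above, and earlier under cryptographic concepts alongside strengthening weak keys, is shown in the following added example, which is not part of the original slides. The user list, the small precomputed lookup table (a plain dictionary standing in for a rainbow table), the record format and the iteration count are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: a precomputed table of unsalted SHA-256 digests for
# common passwords (a plain lookup table standing in for a rainbow table).
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

ITERATIONS = 200_000  # assumed work factor for this example; tune for your hardware

# Constructed sample accounts; alice and bob share a password.
USERS = {"alice": "password", "bob": "password", "carol": "qwerty"}


def unsalted_hash(password: str) -> str:
    """The weak scheme: identical passwords always give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def table_lookup(digest_hex: str):
    """What a precomputed table recovers from a leaked digest, or None."""
    return PRECOMPUTED.get(digest_hex)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted and stretched: fresh 16-byte random salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, derived_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(derived_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False  # malformed record
    return hmac.compare_digest(candidate, expected)


def exposed_accounts(records: dict) -> dict:
    """Return {user: recovered password} for stored digests found in the table."""
    hits = {}
    for user, stored in records.items():
        found = table_lookup(stored.split("$")[-1])
        if found is not None:
            hits[user] = found
    return hits


if __name__ == "__main__":
    weak = {u: unsalted_hash(p) for u, p in USERS.items()}
    strong = {u: hash_password(p) for u, p in USERS.items()}
    print("same digest for alice and bob (unsalted):", weak["alice"] == weak["bob"])
    print("recovered from unsalted store:", exposed_accounts(weak))
    print("same record for alice and bob (salted):", strong["alice"] == strong["bob"])
    print("recovered from salted store:", exposed_accounts(strong))
    print("login still works:", verify_password("password", strong["alice"]))
```

The per-user salt makes the two identical passwords store differently and takes every record out of reach of the precomputed table, while the iteration count raises the cost of each brute-force guess.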
Secure Coding Practices: developer who creates software writes code in a manner that ensures that there are no bugs or flaws. Intent is to prevent attacks such as buffer overflow or integer injection.
Static Code Analysis: analysis where the code is not executed locally but is analyzed by a static code analyzer tool. Source code is run inside the tool that reports any flaws or weaknesses. Requires source code access.
Dynamic Code Analysis: code is executed, and a technique called fuzzing is used to inject random input into the application. Output is reviewed to ensure appropriate handling of unexpected input. Exposes flaws in an application before it is rolled out to production. Does not require source code access.

APPLICATION SECURITY
Static and dynamic testing, as described in the CISSP exam
Static Application Security Testing: analysis of computer software performed without actually executing programs. Tests “inside out”. Tester has access to the underlying framework, design, and implementation. Requires source code.
Dynamic Application Security Testing: a program which communicates with a web application (executes the application). Tests “outside in”. Tester has no knowledge of the technologies or frameworks that the application is built on. No source code required.

Manual Code Review
Code is reviewed line by line to ensure that the code is well-written and error free. Tends to be tedious and time-consuming.

Fuzzing
Random information is input into an application to see if the application crashes or memory leaks result, or if error information is returned.
Used to remedy any potential problems within application code before a new application is released. White box testing scenario.
Can also be used to find any vulnerabilities with the application after release. This is called improper input validation.
Black box testing scenario.

HARDENING
Open ports and services: listening ports should be restricted to those necessary, filtered to restrict traffic, and disabled entirely if unneeded. Block through firewalls, disable by disabling underlying service.
Registry: access should be restricted, and updates controlled through policy where possible. Always take a backup of the registry before you start making changes.
Disk encryption: drive encryption can prevent unwanted access to data in a variety of circumstances. Using FDE or SED, described later in this module.
OS: OS hardening can often be implemented through security baselines. Can be applied through group policies or management tools (like MDM). Baselines can implement all the above.
Patch management (aka “update management”): ensures that systems are kept up-to-date with current patches. Will evaluate, test, approve, and deploy patches. System audits verify the deployment of approved patches to system. Patch both native OS and 3rd party apps. Apply out-of-band updates promptly.
Orgs without patch management will experience outages from known issues that could have been prevented.

Drive encryption
Full Disk Encryption (FDE): Full Disk Encryption is built into the Windows operating system. BitLocker is an implementation of FDE. Keys are stored on the TPM.
Self-Encrypting Device (SED): encryption on a SED that’s built into the hardware of the drive itself. Anything that’s written to that drive is automatically stored in encrypted form. A good SED should follow the Opal Storage Specification.

Hardware root of trust
When certificates are used in FDE, they use a hardware root of trust for key storage. It verifies that the keys match before the secure boot process takes place.
TPM is often used as the basis for a hardware root of trust.

Trusted Platform Module (TPM)
A chip that resides on the motherboard of the device.
Multi-purpose, like storage and management of keys used for full disk encryption (FDE) solutions.
Provides the operating system with access to keys, but prevents drive removal and data access.

Sandboxing
Application is installed in a virtual machine environment isolated from our network.
Enables patch, test, and ensure that it is secure before putting it into a production environment.
Also facilitates investigating dangerous malware.
In a Linux environment, this is known as “chroot Jail”.

3.0 Implementation
3.3 Given a scenario, implement secure network designs
• Load balancing
  • Active/active
  • Active/passive
  • Scheduling
  • Virtual IP
  • Persistence
• Network segmentation
  • Virtual local area network (VLAN)
  • Screened subnet (previously known as demilitarized zone)
  • East-west traffic
  • Extranet
  • Intranet
  • Zero Trust
• Virtual private network (VPN)
  • Always-on
  • Split tunnel vs. full tunnel
  • Remote access vs. site-to-site
  • IPSec
  • SSL/TLS
  • HTML5
  • Layer 2 tunneling protocol (L2TP)
• DNS
• Network access control (NAC)
  • Agent and agentless
• Out-of-band management
• Port security
  • Broadcast storm prevention
  • Bridge Protocol Data Unit (BPDU) guard
  • Loop prevention
  • Dynamic Host Configuration Protocol (DHCP) snooping
  • Media access control (MAC) filtering

LOAD BALANCING
A network load balancer (NLB) is a device that is used to direct traffic to an array of web servers, application servers, or other service endpoints.

Configurations
There are several ways to set up a load balancer (LB).
Active/Active. The load balancers act like an array, dealing with the traffic together as both are active. Single LB failure may degrade performance.
Active/Passive. The active node is fulfilling load balancing duties and the passive node is listening and monitoring the active node. Should the active node fail, then the passive node will take over, providing redundancy.
NLB = network load balancer = load balancer

Virtual IP
A virtual IP address eliminates a host's dependency upon individual network interfaces.
Web traffic comes into the NLB from the Virtual IP address (VIP) on the frontend.
Request is sent to one of the web servers in the server farm (on the backend).
[Diagram: VIP, frontend (FE), NLB, backend (BE)]

Scheduling
Scheduling options, which determine how the load is distributed by the load balancer, include:
Least Utilized Host. NLB knows the status of all servers in the server farms and which web servers are the least utilized by using a scheduling algorithm.
DNS Round Robin. When the request comes in, the load balancer contacts the DNS server and rotates the request based on the lowest IP address first.
Affinity. When the LB is set to Affinity, the request is sent to the same web server based on the requester's IP address, IP+port, and/or session ID. Affinity configuration may be referred to in tuples (2-tuple, 3-tuple). This is also known as persistence or a sticky session, where the load balancer uses the same server for the session.

NETWORK SEGMENTATION
Intranet: a private network that is designed to host the information internal to the organization.
Extranet: a cross between Internet & intranet. A section of an organization’s network that has been sectioned off to act as an intranet for the private network but also serves information to external business partners or the public Internet. An extranet for public consumption is typically labeled a demilitarized zone (DMZ) or perimeter network.
Used to control traffic and isolate static/sensitive environments.
Zero Trust: addresses the limitations of the legacy network perimeter-based security model.
Treats user identity as the control plane.
Assumes compromise / breach in verifying every request.
No entity is trusted by default.
Verify identity, manage devices, manage apps, protect data.

NETWORK SEGMENTATION
Boosting Performance: can improve performance through an organizational scheme in which systems that often communicate are located in the same segment, while systems that rarely or never communicate are located in other segments.
Reducing Communication Problems: reduces congestion and contains communication problems, such as broadcast storms, to individual subsections of the network.
Providing Security: can also improve security by isolating traffic and user access to those segments where they are authorized.

Secure Network Design
East-west traffic: where traffic moves laterally between servers within a data center. North-south traffic moves outside of the data center.
Virtual Local Area Network: a collection of devices that communicate with one another as if they made up a single physical LAN. Creates a distinct broadcast domain.
Screened subnet (aka “DMZ”): a subnet is placed between two routers or firewalls. Bastion host(s) are located within that subnet.

VIRTUAL PRIVATE NETWORK (VPN)
Extends a private network across a public network, enabling users and devices to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
Always On mode. A low-latency point-to-point connection between two sites. A tunnel between two gateways that is “always connected”.
L2TP/IPSec: This is the most secure tunneling protocol that can use certificates, Kerberos authentication, or a pre-shared key. L2TP/IPSec provides both a secure tunnel and authentication.
Secure Socket Layer (SSL) VPN: works with legacy systems and uses SSL certificates for authentication.
HTML 5 VPN: similar to the SSL VPN, as it uses certificates for authentication. Easy to set up and you just need an HTML5-compatible browser such as Opera, Edge, Firefox, or Safari.
Split tunnel vs full tunnel
Full tunnel means using VPN for all traffic, both to the Internet and corporate network.
Split tunnel uses VPN for traffic destined for the corporate network only, and Internet traffic goes direct through its normal route.

Remote access vs site-to-site
In site-to-site, IPSec site-to-site VPN uses an always on mode where both packet header and payload are encrypted. (IPSec tunnel mode)
In a remote access scenario, a connection is initiated from a user's PC or laptop for a connection of shorter duration. (IPSec transport mode)

DOMAIN NAME SYSTEM (DNS)
a hierarchical naming system that resolves a hostname to an IP address.
Fully-Qualified Domain Name (FQDN): A hostname + domain, for example server1.contoso.com
Record Types
A: IPv4 host
AAAA: IPv6 host
CNAME: Alias
SRV records: Finds services such as a domain controller
MX: Mail server
Used together to secure email:
Sender Policy Framework (SPF): This is a text (TXT) record used by DNS to prevent spam and confirm the email has come from the domain it appears to come from.
Domain-based Message Authentication, Reporting and Conformance (DMARC): This is another DNS text (TXT) record that is used by Internet Service Providers (ISPs) to prevent malicious email, such as phishing or spear phishing attacks.

DNS Cache: stores recently resolved DNS requests for later reuse, reducing calls to the DNS server.
Hosts File: This is a flat file where name and IP pairs are stored on a client. Often checked before a request is sent to the DNS server
DNS Server: This normally maintains only the hostnames for domains it is configured to serve.
Server is said to be “authoritative” for those domains
Root Server: DNS nameservers that operate in the root zone. They can also refer requests to the appropriate Top-Level Domain (TLD) server.
DNSSEC: a digitally signed record. Prevents unauthorized access to DNS records on the server. Each DNS record is digitally signed, creating an RRSIG record to protect against attacks

DNS attacks
DNS Poisoning: when an attacker alters the domain-name-to-IP-address mappings in a DNS system to redirect traffic to a rogue system or perform DoS against a system.
DNS Spoofing: occurs when an attacker sends false replies to a requesting system, beating the real reply from the valid DNS server.
DNS Hijacking: aka “DNS Redirection” attack. There are many ways to perform DNS Hijacking; the most common way we see is used by a captive portal such as a pay-for-use WiFi hotspot.
Homograph Attack: leverages similarities in character sets to register phony international domain names (IDNs) that appear legitimate to the naked eye. e.g. Latin character "a" is replaced with the Cyrillic character "а" in example.com
End goal of most DNS attacks

Network access control
A desktop or laptop off the network for an extended period may need multiple updates upon return.
After a remote client has authenticated, Network Access Control (NAC) checks that the device being used is patched and compliant with corporate security policies.
A compliant device is allowed access to the LAN.
A non-compliant device may be redirected to a boundary network where a remediation service addresses issues
Boundary network is sometimes called a “quarantine network”
These are “agentless”
Some operating systems include network access control as part of the operating system itself, and no additional agent is required.
These generally perform checks when the system logs into the network and logs out of the network, making them less configurable.
If you need additional functionality, you may require a persistent or dissolvable agent.
Persistent: A permanent agent is installed on the host.
Dissolvable: A dissolvable agent is known as temporary and is installed for a single use.

Out-of-band management
These are “agentless”
Enable IT to work around problems that may be occurring on the network.
Out-of-band management on devices may include cellular modems and serial interfaces
In larger environments, this out-of-band management function may be centralized.

PORT SECURITY
There are two types, 802.1x and switch port security
Port Security: When anyone, authorized or not, plugs their Ethernet cable into the wall jack, the switch allows all traffic. With port security, the port is turned off. Undesirable as it limits the functionality of the switch
802.1x: user or device is authenticated by a certificate before a connection is made. prevents an unauthorized device from connecting and allows an authorized device to connect. Preferred, as it does not require limiting switch functionality
Other protection that can be configured:
Loop Protection: When two or more switches are joined together, they can create loops that create broadcast storms. Spanning Tree Protocol (STP) prevents this from happening by forwarding, listening, or blocking on some ports.
Bridge Protocol Data Units (BPDU): These are frames that contain information about the STP. A BPDU attack will try and spoof the root bridge so that the STP is recalculated. A BPDU Guard enables the STP (Spanning Tree Protocol) to stop such attempts.
DHCP Snooping: layer 2 security that prevents a rogue DHCP server from allocating IP addresses to a host on your network.

Port security
a list of authorized wireless client interface MAC addresses used by a wireless access point to block access to all non-authorized devices.
also factors in some Ethernet (wired) network scenarios.
“MAC spoofing” is a way some attackers get around this

3.0 implementation
3.3 Given a scenario, implement secure network designs
• Network appliances
• Jump servers
• Proxy servers
• Forward
• Reverse
• Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS)
• Signature-based
• Heuristic/behavior
• Anomaly
• Inline vs. passive
• HSM
• Sensors
• Collectors
• Aggregators
• Firewalls
• Web application firewall (WAF)
• NGFW
• Stateful
• Stateless
• Unified threat management (UTM)
• Network address translation (NAT) gateway
• Content/URL filter
• Open-source vs. proprietary
• Hardware vs. software
• Appliance vs. host-based vs. virtual
• Access control list (ACL)
• Route security
• Quality of service (QoS)
• Implications of IPv6
• Port spanning/port mirroring
• Port taps
• Monitoring services
• File integrity monitors

Network appliances
typically placed on a screened subnet, allows admins to connect remotely to the network.
server that controls requests from clients seeking resources on the internet or an external network.
placed on a screened subnet, performs the authentication and decryption of a secure session to enable it to filter the incoming traffic.

flavors of intrusion detection systems
host-based IDS: can monitor activity on a single system only. A drawback is that attackers can discover and disable them.
network-based IDS: can monitor activity on a network, and a NIDS isn’t as visible to attackers.

Network-based IDS and IPS
IDS/IPS at the network level, often in hardware form
Network-based Intrusion Detection System: analyzes whole packets, both header and payload, looking for known events. When a known event is detected, a log message is generated.
Network-based Intrusion Prevention System: analyzes whole packets, both header and payload, looking for known events. When a known event is detected, packet is rejected.
types of ids systems
aka “anomaly-based” or “heuristic-based”
creates a baseline of activity to identify normal behavior and then measures system performance against the baseline to detect abnormal behavior.
can detect previously unknown attack methods
uses signatures similar to the signature definitions used by anti-malware software.
aka “knowledge-based”
only effective against known attack methods
Both host-based and network-based systems can be knowledge based, behavior based, or a combination of both.

Modes of Operation
aka “in-band”: NIDS/NIPS placed on or near the firewall as an additional layer of security.
aka “out-of-band”: traffic does not go through the NIPS/NIDS. sensors and collectors forward alerts to the NIDS.

Network appliances
can be placed on a network to alert NIDS of any changes in traffic patterns on the network.
If you place a sensor on the Internet side of the network, it can scan all of the traffic from the Internet.

Hardware security module (hsm)
a physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions.
Like a TPM, but are often removable or external devices

Types of firewalls
Web Application, aka “WAF”: protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. typically protects web applications from common attacks like XSS, CSRF, and SQL injection. Some come pre-configured with OWASP rulesets
Next Generation, aka “NGFW”: a “deep-packet inspection” firewall that moves beyond port/protocol inspection and blocking. adds application-level inspection, intrusion prevention, and brings intelligence from outside the firewall.

types of firewalls
packet inspection
inspects and filters both the header and payload of a packet that is transmitted through an inspection point.
can detect protocol non-compliance, spam, viruses, intrusions
a multifunction device (MFD) composed of several security features in addition to a firewall; aka “UTM”
may include IDS, IPS, a TLS/SSL proxy, web filtering, QoS management, bandwidth throttling, NAT, VPN anchoring, and antivirus.
More common in small and medium businesses (SMB)

Firewall and state
Watch network traffic and restrict or block packets based on source and destination addresses or other static values. Not 'aware' of traffic patterns or data flows. Typically faster and perform better under heavier traffic loads.
Can watch traffic streams from end to end. Are aware of communication paths and can implement various IP security functions such as tunnels and encryption. Better at identifying unauthorized and forged communications.

Types of firewalls
Network Address Translation Gateway: allows private subnets to communicate with other cloud services and the Internet but hides the internal network from Internet users. The NAT gateway has the Network Access Control List (NACL) for the private subnets.
Looks at the content on the requested web page and blocks request depending on filters. Used to block inappropriate content in the context of the situation.

Open-source vs proprietary firewalls
one in which the vendor makes the license freely available and allows access to the source code, though it might ask for an optional donation.
There is no vendor support with open source, so you might pay a third party to support in a production environment
One of the more popular open-source firewalls is pfSense, the details for which can be found at https://www.pfsense.org/.
are more expensive but tend to provide more/better protection and more functionality and support (at a cost).
many vendors in this space, including Cisco, Check Point, Palo Alto, Barracuda. but “no source code access”

hardware vs software
A piece of purpose-built network hardware.
May offer more configurable support for LAN and WAN connections.
Often has superior throughput versus software because it is hardware designed for the speeds and connections common to an enterprise network.
Software based firewalls that you might install on your own hardware.
Provide flexibility to place firewalls anywhere you’d like in your organization.
On servers and workstations, you can run a host-based firewall.
Host-based (software) are more vulnerable in some respects as discussed earlier

application vs host-based vs virtual
typically catered specifically to application communications. often that is HTTP or Web traffic. an example is called a next generation firewall (NGFW)
An application installed on a host OS, such as Windows or Linux, both client and server operating systems.
In the cloud, firewalls are implemented as virtual network appliances (VNA). Available from both the CSP directly and third-party partners (commercial firewall vendors)

network device types
Firewalls: Varies by type, but may filter at layers 3 through 7. Firewalls are essential tools in managing and controlling network traffic. A firewall is a network device used to filter traffic.
Switch: repeats traffic only out of the port on which the destination is known to exist. Switches offer greater efficiency for traffic delivery, create separate collision domains, and improve the overall throughput of data. usually layer 2, sometimes layer 3
Routers: used to control traffic flow on networks and are often used to connect similar networks and control traffic flow between the two. They can function using statically defined routing tables, or they can employ a dynamic routing system. layer 3
Gateways: a gateway connects networks that are using different network protocols. Also known as protocol translators, can be stand-alone hardware devices or a software service. network gateways work at layer 3.
Route security
Routers are not designed to be security devices but include some built-in capabilities that do provide some security functions.
One of these is an access control list (ACL), which is used to allow or deny traffic.
If no allow rule matches, the last rule (deny) is applied (implicit deny)
Configure an access control list on the ingress (inbound traffic) or egress (outbound traffic) of an interface
ACLs evaluate traffic on multiple criteria, similar to a firewall

Quality of Service (QoS)
Ensures that applications have the bandwidth they need to operate by prioritizing traffic based on importance and function.
Traffic of real-time functions (like voice and video streaming) might be given greater priority.
Priorities are human-configurable

Implications of IPv6
Network security focus changes somewhat with IPv6
One change is that there are many more IPv6 addresses compared to IPv4. This means it is more difficult to perform a complete port scan or interface scan when we’re working with IPv6 addresses.
Many of the security tools like port scanners and vulnerability scanners have already been updated to take advantage of IPv6.
Because there are so many IP addresses available with IPv6, there is less need to perform port address translation (PAT) or outbound network address translation (NAT) on the network. This can simplify the communications process, but…
Network address translation is itself a security feature, as it removes direct access to source (user) in some use cases (like Internet browsing).
With IPv6 we removed the Address Resolution Protocol or ARP. Without ARP there cannot be any ARP spoofing!
Does not imply IPv6 is any more or less secure than IPv4 but changes the attack vectors!
For example, a Neighbor Cache Exhaustion attack can use IPv6 protocols to fill up the neighbor cache, interrupting network communication.
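The first-match and implicit-deny behaviour of the access control list described under route security above, as an added example that is not part of the original slides. The rule set, the addresses (documentation ranges) and the `shadowed_rules` audit helper are constructed for illustration and do not model any vendor's syntax.

```python
"""Ordered ACL evaluation: first match wins, no match falls through to an implicit deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source IP address
    dst: str                      # destination IP address
    dport: Optional[int] = None   # destination port, None for portless protocols


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # protocol name, or "any"
    src: str                      # source network in CIDR form
    dst: str                      # destination network in CIDR form
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        # Every criterion must match, as with a firewall rule.
        return (
            self.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, rule index). Index None means the implicit deny decided."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[Tuple[int, int]]:
    """Find rules that can never fire because an earlier rule covers all their traffic.

    Returns (shadowed index, covering index) pairs. Hypothetical audit helper.
    """
    found = []
    for j, later in enumerate(acl):
        for i, earlier in enumerate(acl[:j]):
            covers = (
                earlier.proto in ("any", later.proto)
                and ip_network(later.src).subnet_of(ip_network(earlier.src))
                and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                and (earlier.dport is None or earlier.dport == later.dport)
            )
            if covers:
                found.append((j, i))
                break
    return found


# Constructed ingress ACL for an Internet-facing interface.
INGRESS_ACL = [
    # 0: anti-spoofing, internal source addresses must not arrive from outside
    Rule("deny", "any", "10.0.0.0/8", "0.0.0.0/0"),
    # 1: public HTTPS to the web server
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
    # 2: SSH to the jump server from one partner network only
    Rule("permit", "tcp", "198.51.100.0/24", "192.0.2.20/32", 22),
    # 3: intended block of one network, but placed after rule 1 so it never fires
    Rule("deny", "tcp", "203.0.113.0/24", "192.0.2.10/32", 443),
]

if __name__ == "__main__":
    samples = [
        Packet("tcp", "203.0.113.5", "192.0.2.10", 443),
        Packet("tcp", "10.1.1.1", "192.0.2.10", 443),
        Packet("udp", "198.51.100.7", "192.0.2.20", 53),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(INGRESS_ACL, pkt))
    print("shadowed:", shadowed_rules(INGRESS_ACL))
```

Rule order is part of the policy: the deny at index 3 only takes effect if it is moved above the broader permit at index 1.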
PORT SPANNING/PORT MIRRORING
Port mirroring (also known as port spanning) sends a copy of all data that arrives at a port to another device or sensor for investigation later or in near real-time.
On the switch, a reserved port will “mirror” all traffic that passes through to that reserved port.
works across multiple switches, whereas a physical device like a network (port) tap requires installation connected to every switch
May be leveraged to inform the Network Intrusion Detection System (NIDS) of changes in traffic patterns.
Increases load on the switch, so should be configured with knowledge of traffic type and volume

monitoring
To help provide additional security on the network, some organizations employ a monitoring service, a group that monitors network security/activity.
Common with SIEM and SOAR functions (covered in 1.7)
Often an outsourced security operations center (SOC) function to provide 24x7 monitoring and alert or remediate issues after business hours.
May also be helpful in maintaining compliance (HIPAA, GDPR, PCI DSS).

Monitors and detects changes to files that should not be modified, automating notification (and potentially remediation).
Commonly monitors files that would never change: things like your operating system files, where changes indicate some type of malicious activity.
Can also be used to detect unwanted changes to baseline configurations

3.0 implementation
3.4 Given a scenario, install and configure wireless security settings
• Cryptographic protocols
• Wi-Fi Protected Access 2 (WPA2)
• Wi-Fi Protected Access 3 (WPA3)
• Counter-mode/CBC-MAC Protocol (CCMP)
• Simultaneous Authentication of Equals (SAE)
• Authentication protocols
• Extensible Authentication Protocol (EAP)
• Protected Extensible Authentication Protocol (PEAP)
• EAP-FAST
• EAP-TLS
• EAP-TTLS
• IEEE 802.1X
• Remote Authentication Dial-in User Service (RADIUS) Federation
• Methods
• Pre-shared key (PSK) vs. Enterprise vs.
Open
• Wi-Fi Protected Setup (WPS)
• Captive portals
• Installation considerations
• Site surveys
• Heat maps
• Wi-Fi analyzers
• Channel overlaps
• Wireless access point (WAP) placement
• Controller and access point security

wireless technologies
Version     Speed       Frequency
802.11 *    2 Mbps      2.4 GHz
802.11a     54 Mbps     5 GHz
802.11b     11 Mbps     2.4 GHz
802.11g     54 Mbps     2.4 GHz
802.11n     200+ Mbps   2.4 GHz
802.11ac    1 Gbps      5 GHz
* 802.11 standard also defines WEP

TKIP (Temporal Key Integrity Protocol)
TKIP was designed as the replacement for WEP without the need to replace legacy hardware
implemented into 802.11 wireless networking under the name WPA (Wi-Fi Protected Access).

CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol; Counter-mode / CBC-MAC Protocol)
created to replace WEP and TKIP/WPA
uses AES (Advanced Encryption Standard) with a 128-bit key
used with WPA2, which replaced WEP and WPA

wpa2
an encryption scheme that implemented the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP is based on the AES encryption scheme

wpa3
released in 2018 to address the weaknesses in WPA2.
uses a much stronger 256-bit Galois/Counter Mode Protocol (GCMP-256) for encryption
There are two versions: WPA3-Personal for home users, and WPA3-Enterprise for corporate users

SAE (Simultaneous Authentication of Equals)
SAE is a relatively new 802.11 authentication method.
used with WPA3-Personal and replaces the WPA2-PSK
Protects against brute-force attacks
uses a secure Diffie Hellman handshake, called dragonfly
uses perfect forward secrecy, so immune to offline attacks

Wpa3 personal Vs enterprise
PERSONAL
uses Simultaneous Authentication of Equals (SAE).
SAE means users can use passwords that are easier to remember.
uses perfect forward secrecy (PFS)
ENTERPRISE
supports 256-bit AES, whereas WPA2 only supported 128 bits
256-bit required by US gov’t
uses Elliptic-Curve Diffie Hellman Ephemeral (ECDHE) for the initial handshake.
Wireless authentication protocols
Lightweight…: a Cisco proprietary alternative to TKIP for WPA. developed to address deficiencies in TKIP before the 802.11i/WPA2 system was ratified as a standard.
Protected…: encapsulates EAP methods within a TLS tunnel that provides authentication and potentially encryption.
extensible authentication protocol: an authentication framework. allows for new authentication technologies to be compatible with existing wireless or point-to-point connection technologies

WIRELESS AUTHENTICATION PROTOCOLS
EAP-FAST: developed by Cisco, is used in wireless networks and point-to-point connections to perform session authentication. It replaced LEAP, which was insecure.
EAP-TLS: a secure version of wireless authentication that requires X.509 certification. involves 3 parties: the supplicant (user’s device), the authenticator (switch or controller), and the authentication server (RADIUS server).
EAP-TTLS: uses two phases; the first is to set up a secure session with the server, by creating a tunnel, utilizing certificates that are seamless to the client. Second phase uses a protocol such as MS-CHAP to complete the session. designed to connect older legacy systems.
IEEE 802.1x: is transparent to users because it uses certificate authentication. can be used in conjunction with a RADIUS server for enterprise networks.
RADIUS Federation: enables members of one organization to authenticate to another with their normal credentials. trust is across multiple RADIUS servers across multiple organizations. a federation service where network access is gained using wireless access points (WAPs). WAP forwards the wireless device's credentials to the RADIUS server for authentication. commonly uses 802.1X as the authentication method, which relies on EAP

WIRELESS AUTHENTICATION METHODS
was introduced for the home user who does not have an enterprise setup.
the home user enters the password of the wireless router to gain access to the home network.
PSK in WPA2
Replaced by SAE in WPA3
Home use scenario
password is already stored and all you need to do is to press the button to get connected to the wireless network. Password is stored locally, so could be brute-forced
a corporate version of WPA2 or WPA3, used in a centralized domain environment. Often where a RADIUS server combines with 802.1x, using certificates for authentication

CAPTIVE PORTALS
Common in airports and public spaces, wi-fi redirects users to a webpage when they connect to SSID.
User provides additional validation of identity, normally through an email address or social identity.
May include acceptable use policy and premium upgrade offer

site survey
The process of investigating the presence, strength, and reach of wireless access points deployed in an environment.
site survey usually involves walking around with a portable wireless device, taking note of the wireless signal strength, and mapping this on a plot or schematic of the building.

CONTROLLER AND ACCESS POINT SECURITY
If you’re installing a new access point, you want to make sure that you place it in the right location.
You want minimal overlap with other access points and maximize the coverage that’s being used in your environment.
This should minimize the number of physical access points, optimizing costs
Avoid placement near electronic devices that could create interference, and areas where signals can be absorbed.
Metal objects and bodies (like elevators) and concrete walls absorb signal.
Ensure the access point is in a place that doesn’t send signal outside of your existing work areas, enabling unwanted access attempts.
In addition to minimizing coverage overlap, choose different channels per device so there are no conflicts between access points.
In a large office, you will deploy a large number of access points, which need to be managed.
And each one has a separate configuration.
A wireless controller enables central management of configuration, as well as security patches and firmware updates of the access points.
Use HTTPS to encrypt traffic to controller and WAP web interfaces.
On the access points themselves, use strong authentication methods.

3.0 implementation
3.5 Given a scenario, implement secure mobile solutions
• Connection methods and receivers
• Cellular
• Wi-Fi
• Bluetooth
• NFC
• Infrared
• USB
• Point-to-point
• Point-to-multipoint
• Global Positioning System (GPS)
• RFID
• Mobile device management (MDM)
• Application management
• Content management
• Remote wipe
• Geofencing
• Geolocation
• Screen locks
• Push notifications
• Passwords and PINs
• Mobile devices
• MicroSD hardware security module (HSM)
• MDM/Unified Endpoint Management (UEM)
• Mobile application management (MAM)
• SEAndroid

Communication considerations
5th Generation Cellular
Faster speeds and lower latency
Unlike 4G, 5G doesn’t identify each user through their SIM card. Can assign identities to each device.
Some air interface threats, such as session hijacking, are dealt with in 5G.
Standalone (SA) version of 5G will be more secure than the non-standalone (NSA) version
NSA anchors the control signaling of 5G networks to the 4G Core
Diameter protocol, which provides authentication, authorization, and accounting (AAA), will be a target.
Because 5G has to work alongside older tech (3G/4G), old vulnerabilities may be targeted.
Because scale of IoT endpoint counts on 5G is exponentially greater, DDoS is a concern.
Some carriers originally launched an NSA version of 5G, which continues to rely on availability of the 4G core.

Subscriber Identity Module cards
small computer chips that contain the information about mobile subscription
allows user to connect to telecommunication provider to make calls, send text messages, or use the Internet.
Used as a second factor in authentication
One of the auth factors most prone to attack

BLUETOOTH (IEEE 802.15)
Bluetooth, or IEEE 802.15, personal area networks (PANs) are another area of wireless security concern.
Connects headsets for cell phones, mice, keyboards, GPS, and other devices
Connections are set up using pairing, where primary device scans the 2.4 GHz radio frequencies for available devices
Pairing uses a 4-digit code (often 0000) to reduce accidental pairings but is not actually secure.

Mobile connection methods & receivers
RADIO FREQUENCY IDENTIFICATION
uses radio frequency to identify electromagnetic fields in a tag to track assets.
commonly used in shops as the tags are attached to high-value assets to prevent theft.
Common in access badge systems and retail anti-theft use cases
NEAR FIELD COMMUNICATION
Built on RFID, often used with payment systems.
Subject to many of the same vulnerabilities as RFID
The touch pay system at the grocery

uses satellites in the Earth's orbit to measure the distance between two points.
Used in map and find-my-phone use cases

UNIVERSAL SERIAL BUS
Some mobile devices can be tethered to a USB dongle to gain access to the internet.
A flash USB device can be used to transfer data between devices
It is a data exfiltration concern, often blocked through policy

device is purely line-of-sight and has a maximum range of about 1 meter.
Can be used to print from your laptop to an infrared printer.
Not encrypted, but attack requires close physical proximity

one-to-one connection between the two devices communicating on a network, typically wireless
A directional antenna connecting two wireless networks or wireless repeater connecting WAPs
802.11 networks are more commonly communicating from point-to-multipoint.
A WAP connecting to multiple wireless devices

Mobile device management (MDM)
Common features in secure mobile device management
Passwords and PINs: Some mobile devices, such as smartphones, are very easy to steal and you can conceal them by putting them in a pocket. Strong passwords and PINs with six or more characters must be used. Also allows device to be disabled on X failed attempts
Geofencing: Geofencing uses the Global Positioning System (GPS) or RFID to define geographical boundaries. Once the device is taken past the defined boundaries, the security team will be alerted.
For the exam: remember Geofencing prevents mobile devices from being removed from the company's premises.
Application Management: Application management uses whitelists to control which applications are allowed to be installed onto the mobile device.
Content Management: Content management stores business data in a secure area of the device in an encrypted format to protect it against attacks. Prevents confidential or business data from being shared with external users.
Remote Wipe: When a mobile device has been lost or stolen, it can be remotely wiped. Device will revert to its factory settings and the data will no longer be available. Wipe options allow removing business data only (BYOD)
Screen Locks: Screen locks are activated once the mobile device has not been accessed for a period of time. After it is locked, the user gets a fixed number of attempts to correctly enter the PIN before the device is disabled.
Geolocation: Geolocation uses GPS to give the actual location of a mobile device. Can be very useful if you lose or drop a device.
For the exam: remember that geo-tracking will tell you the location of a stolen device.
Push Notification: messages that appear on your screen, even when your system is locked.
this information is usually pushed to your device without intervention from the end user and may include sensitive information.
some MDM platforms provide policy-based control over whether app notifications can appear with the notifications on the lock screen.

Mobile devices
a physical device that provides cryptographic features for your computer in a smaller, mobile form factor.
enables associating a smaller piece of hardware with the cryptographic functions for encryption, key generation, digital signatures or authentication.

provides management of the hardware, such as desktops, tablets, smartphones, and IoT devices, ensuring that they are secure and compliant.
can manage the security and applications running on the devices
can identify and block devices that have been jailbroken (iOS) or rooted (Android).
Multi-platform support is a key characteristic
An example is Microsoft Intune, which manages Windows, iOS, Android, and macOS

allows a security team to manage application and data security, even on unmanaged devices.
controls access to company applications and data and can restrict the exfiltration of data from the company applications.
Useful in BYOD scenarios, enabling business data access on personal mobile devices

includes SELinux functionality as part of the Android operating system.
provides additional access controls (MAC and DAC), security policies and includes policies for configuring the security of these mobile devices.
prevents any direct access to the kernel of the Android operating system
provides centralized management for policy configuration and device management.
3.0 implementation
3.5 Given a scenario, implement secure mobile solutions
• Enforcement and monitoring of:
• Third-party application stores
• Rooting/jailbreaking
• Sideloading
• Custom firmware
• Carrier unlocking
• Firmware over-the-air (OTA) updates
• Camera use
• SMS/Multimedia Messaging Service (MMS)/Rich Communication Services (RCS)
• External media
• USB On-The-Go (USB OTG)
• Recording microphone
• GPS tagging
• Wi-Fi direct/ad hoc
• Tethering
• Hotspot
• Payment methods
• Deployment models
• Bring your own device (BYOD)
• Corporate-owned personally enabled (COPE)
• Choose your own device (CYOD)
• Corporate-owned
• Virtual desktop infrastructure (VDI)

Enforcement and monitoring
There is a danger of downloading apps from third-party app stores as there is no guarantee of the security of the app being installed.
This could pose a security risk, as vetting process for mobile apps in third-party stores may be less rigorous than official app stores.

Enables installing an application package in .apk format on a mobile device.
Useful for developers to run trial of third-party apps, but also allows unauthorized software to be run on a mobile device.

Custom firmware downloads are used to root an Android mobile device.
Gives user a higher level of permissions on that device and removes some elements of vendor security.
Jailbreaking is Apple's iOS equivalent of rooting on Android: it allows you to run unauthorized software and remove device security restrictions.
You can still access the Apple App Store even though jailbreaking has been carried out.
For the exam: Rooting and jailbreaking remove the vendor restrictions on a mobile device to allow unsupported software to be installed.

Custom firmware downloads are used so that you can root your mobile device.
Gives the user a higher level of permissions on that device and removes some elements of vendor security.
• When a mobile device is no longer tied to the original carrier. This will allow you to use your device with any provider, and also install third-party apps.
• Firmware is software that is installed on a small, read-only memory chip on a hardware device and is used to control the hardware running on the device. Firmware OTA updates are pushed out periodically by the vendor, ensuring that the mobile device is secure. One example is when the mobile device vendor sends a notification that there is a software update.

Enforcement and monitoring
• Text messaging has become a common method of communication. Can be sent between two people in a room without other people in the room knowing about their communication. Text messages can be used to launch an attack.
• A way to send pictures as attachments, similar to sending SMS messages.
• An enhancement to SMS that is used in Facebook and WhatsApp to send messages so that you can see the read receipts. You can also send pictures and videos.
Image capability makes MMS and RCS paths for data theft.

Enforcement and monitoring
• External media. An SD card or other external storage media may enable unauthorized transfer of corporate data.
• USB On-The-Go (USB OTG). Allows USB devices plugged into smartphones and tablets to act as a host for other USB devices. Attaching USB devices can pose security problems as it makes it easy to steal information. Apple does not allow USB OTG.
• Recording microphone. Smartphones and tablets can record conversations with their built-in microphones. They could be used to take notes, but they could also be used to tape conversations or record the proceedings of a confidential meeting.
• GPS tagging. When you take a photograph, GPS tagging adds the location where the photograph was taken. Most modern smartphones do this by default.

Enforcement and monitoring
• A Wi-Fi direct wireless network allows two Wi-Fi devices to connect to each other without requiring a WAP.
It is single-path and therefore cannot be used for internet sharing.
• An ad-hoc wireless network is where two wireless devices can connect without a WAP, but it is multipath and can share an internet connection with someone else.
• When a GPS-enabled smartphone can be attached to a laptop or mobile device to provide internet access. If a user uses a laptop to connect to the company's network and then tethers to the internet, it may result in split tunneling. This presents a security risk if the device is compromised.
• Mobile devices can often function as a Wi-Fi hotspot over USB or Bluetooth.

Enforcement and monitoring
• Smartphones allow credit card details to be stored locally so that the phone can be used to make contactless payments using Near-Field Communications (NFC). For BYOD, it needs to be carefully monitored, as someone could leave the company with a company credit card and continue to use it. MDM may prevent the payment function by disabling this tool in the mobile device management policies. MDM can also disable screen captures.
• Smartphone cameras pose a security risk to companies, as trade secrets could be stolen very easily. Research and development departments ban the use of personal smartphones in the workplace. Prevents theft of intellectual property. MDM policies can disable cameras on company-owned smartphones.

Deployment models
• Is where an employee is encouraged to bring in their own device so that they can use it for work. Cost effective for the company and more convenient for the user. Needs two policies to be effective: Acceptable Use Policy and On/Offboarding.
  • Acceptable Use Policy (AUP): An AUP outlines what the employee can do with the device during the working day.
  • Onboarding Policy: Device configuration requirements to access corporate data (min OS system, not rooted/jailbroken, etc.)
  • Offboarding Policy: How corporate data will be wiped from the device (most MDM platforms support a selective wipe, removing only company data).
MDM solutions with MAM (mobile app management) functionality can manage corporate data on BYOD devices.

Deployment models
• Fully owned and managed by the company, enabling full IT control over MAM and MDM options.
• New employee chooses from a list of approved devices. Avoids problems of ownership because the company has a limited number of tablets, phones, and laptops, simplifying management compared to BYOD. When they leave the company and offboard, the devices are taken from them as they belong to the company (corporate-owned).
• When the company purchases the device, such as a tablet, phone, or laptop, and allows the employee to use it for personal use. Often a better solution for the company than BYOD from a management perspective, as IT can limit what applications run on the devices. Also frees the company to perform a full device wipe if lost or stolen.

Deployment models
• Hosted desktop environments on a central server / cloud environment. Provides a high degree of control and management automation. In the event of security issues, the endpoint can easily be isolated for forensic investigation if desired. Provisioning a new desktop is also generally a push-button operation. VDI is a common deployment solution for contractors and offshore teams.
3.0 Implementation
3.6 Given a scenario, apply cybersecurity solutions to the cloud
• Cloud security controls
  • High availability across zones
  • Resource policies
  • Secrets management
  • Integration and auditing
  • Storage: Permissions, Encryption, Replication, High availability
  • Network: Virtual networks, Public and private subnets, Segmentation, API inspection and integration
  • Compute: Security groups, Dynamic resource allocation, Instance awareness, Virtual private cloud (VPC) endpoint, Container security
• Solutions
  • CASB
  • Application security
  • Next-generation secure web gateway (SWG)
  • Firewall considerations in a cloud environment: Cost, Need for segmentation, Open Systems Interconnection (OSI) layers
• Cloud native controls vs. third-party solutions

High availability across zones
[Diagram slides: Geographies; Regions; Region pairs (chosen by the CSP, 300+ miles); Availability Zones (zone redundant)]
Availability Zones: Unique physical locations within a region with independent power, network, and cooling. Comprised of two or more datacenters. Tolerant to datacenter failures via redundancy and isolation.

Cloud Security Controls
• Policies that state what access level a user has to a particular resource. Ensuring the principle of least privilege is followed is crucial for resource security and audit compliance. The CSP will provide details on how their cloud platform can help organizations meet a variety of compliance standards.

Cloud Security Controls
• CSPs offer a cloud service for centralized secure storage and access for application secrets. A secret is anything that you want to control access to, such as API keys, passwords, certificates, tokens, or cryptographic keys. The service will typically offer programmatic access via API to support DevOps and continuous integration/continuous deployment (CI/CD). Access control is at the vault instance level and to the secrets stored within.
Cloud Security Controls: Integration and Auditing
Integration is the process of how data is being handled from input to output. A cloud auditor is responsible for ensuring that the policies, processes, and security controls defined have been implemented. The auditor will be a third party from outside the company. They test to verify that process and security controls and the system integration are working as expected. Some of these controls may include the following:
• Encryption Levels
• Access Control Lists
• Privilege Account Use
• Password Policies
• Anti-Phishing Protection
• Data Loss Prevention Controls
The process will be repeated periodically (annually). Self-audits ahead of external audits are common.

Cloud Security Controls - storage
Permissions, encryption, replication, and high availability for cloud storage.
• Permissions: Customers have a storage identity and are put into different storage groups that have appropriate rights to restrict access at a tenant/subscription level.
• Encryption: With cloud storage, encryption at the service level is generally in place by default, with configurable encryption within the storage service. For relational databases (SQL), Transparent Data Encryption (TDE) is common. Encryption for data in transit, such as TLS/SSL.
• Replication: A method wherein data is copied from one location to another immediately to ensure recovery in case of an outage. In the cloud, multiple copies of your data are always held for redundancy. There are locally redundant, zone redundant, and geo-redundant options.
• High Availability: High availability ensures that copies of your data are held in different locations. Automatic failover between a region pair in the event of an outage is common.

Cloud Security Controls - network
Virtual networks, public and private subnets, segmentation, and API inspection and integration are important elements of cloud network security.
• A virtual network that consists of cloud resources, where the VMs for one company are isolated from the resources of another company. Separate VPCs can be isolated using public and private networks. The environment needs to be segmented into public subnets that can access the Internet directly (through a firewall) and protected private networks. Virtual networks can be connected to other networks with a VPN gateway or network peering. For VDI/client scenarios, a NAT gateway for Internet access makes sense.

Cloud Security Controls - network
Private subnets: not for public services (like websites).
Our VPC contains private subnets. Each of these subnets has its own CIDR IP address range and cannot connect directly to the internet. They could be configured to go through the NAT gateway if outbound internet connectivity is desired. Client VMs and database servers will often be hosted in a private subnet. The private subnet will use one of the following IP address ranges:
• 10.0.0.0
• 172.16.x.x – 172.31.x.x
• 192.168.0.0
Private IP ranges are defined in RFC 1918. All other IP address ranges, except the APIPA 169.254.x.x, are public addresses.

Cloud Security Controls - network
Resources on the public subnet can connect directly to the internet. Therefore, public-facing web servers will be placed within this subnet. The public subnet will have a NAT gateway or firewall for communicating with the private subnets, and an internet gateway. Public services, like websites, will be published through a firewall.
To create a secure connection to your VPC, you can connect a VPN using L2TP/IPsec using a VPN gateway (aka transit gateway). Network peering is another method for connecting virtual networks in the cloud.
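The private and public subnet rules above can be checked mechanically before a network is deployed. The following is an added example, not part of the original slides: the plan format, the subnet names and the route labels `internet-gateway` and `nat-gateway` are hypothetical, and the sample plan is constructed.

```python
import ipaddress

# RFC 1918 private ranges and the APIPA range named on the slide.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")


def classify(cidr):
    """Return 'private', 'apipa' or 'public' for an IPv4 subnet CIDR."""
    net = ipaddress.ip_network(cidr, strict=True)
    if any(net.subnet_of(p) for p in RFC1918):
        return "private"
    if net.subnet_of(APIPA):
        return "apipa"
    return "public"


def audit_plan(vpc_cidr, subnets):
    """Check an IPv4 subnet plan; return a list of (subnet name, finding)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    findings, seen = [], []
    for s in subnets:
        name, route = s["name"], s.get("default_route")
        try:
            net = ipaddress.ip_network(s["cidr"], strict=True)
        except ValueError as exc:
            findings.append((name, f"invalid CIDR: {exc}"))
            continue
        if not net.subnet_of(vpc):
            findings.append((name, f"{net} lies outside the VPC range {vpc}"))
        for other_name, other in seen:
            if net.overlaps(other):
                findings.append((name, f"{net} overlaps {other_name} ({other})"))
        seen.append((name, net))
        if s["tier"] == "private":
            # Private subnets use RFC 1918 space and never route directly out.
            if classify(s["cidr"]) != "private":
                findings.append((name, f"{net} is not an RFC 1918 range"))
            if route == "internet-gateway":
                findings.append((name, "private subnet routes straight to the "
                                       "internet gateway; use the NAT gateway"))
        elif route != "internet-gateway":
            findings.append((name, "public subnet has no internet gateway route"))
    return findings


# Constructed sample plan (hypothetical names and route labels).
VPC_CIDR = "10.0.0.0/16"
PLAN = [
    {"name": "web-public", "tier": "public", "cidr": "10.0.0.0/24",
     "default_route": "internet-gateway"},
    {"name": "app-private", "tier": "private", "cidr": "10.0.1.0/24",
     "default_route": "nat-gateway"},
    {"name": "db-private", "tier": "private", "cidr": "10.0.2.0/24",
     "default_route": "internet-gateway"},      # direct internet route
    {"name": "legacy-private", "tier": "private", "cidr": "172.32.0.0/24",
     "default_route": None},                    # just past 172.31.x.x
    {"name": "reports-private", "tier": "private", "cidr": "10.0.1.128/25",
     "default_route": "nat-gateway"},           # overlaps app-private
]

if __name__ == "__main__":
    for subnet_name, finding in audit_plan(VPC_CIDR, PLAN):
        print(f"{subnet_name}: {finding}")
```

The `172.32.0.0/24` entry shows why the upper bound of the second range matters: 172.16.0.0/12 stops at 172.31.255.255, so the address looks private but is public.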
Peering is the more common option between cloud networks. Site-to-site VPN is common for on-premises to cloud connectivity.

Cloud Security Controls - network
• Security of services that are permitted to access or be accessible from other zones involves a strict set of rules controlling this traffic. Rules are enforced by the IP address ranges of each subnet. Within a private subnet, segmentation can be used to achieve departmental isolation.
• Representational State Transfer (REST) is the modern approach to writing web service APIs. Enables multi-language support, can handle multiple types of calls, and can return different data formats. APIs published by an organization should include encryption, authentication, rate limiting, throttling, and quotas. (Covered in Domain 2)

Cloud Security Controls - compute
Security controls and concerns for compute in the public cloud platforms.
• Security Groups: The cloud provider has to secure multiple customers. They do use firewalls but cannot grant individual customers direct firewall access. Instead, they use security groups to define permissible network traffic, consisting of rules similar to a firewall ruleset.
• Dynamic Resource Allocation (varies by service and configuration): This uses virtualization technology to scale the cloud resources up and down as the demand grows or falls.
• Instance Awareness: VM instances need to be monitored to prevent VM sprawl and unmanaged VMs, which would have security consequences, but also add costs in the cloud. Tools like NIDS/NIPS can help to detect new instances, and process controls like privileged identity management, change and configuration management help. CSPs offer policy tooling to help tenants enforce governance policies.

Cloud Security Controls - compute
• Virtual Private Cloud (VPC) Endpoint: This allows you to create a private connection between your VPC and another cloud service without crossing over the internet. CSPs offer site-to-site connectivity options for hybrid cloud.
Most will offer a premium option to connect on-premises data centers to cloud without the need to traverse the Internet. Most enterprise (large) organizations today have implemented a hybrid cloud model.

Container security
• Containers offer a more granular option for application and process isolation. Containers run in a VM.
• Managed Kubernetes (Platform-as-a-Service): Most CSPs offer a hosted Kubernetes service, which handles critical tasks like health monitoring and maintenance for you. You pay only for the agent nodes within your clusters, not for the management cluster. Kubernetes has become the de facto standard.
• Containers enable more efficient utilization of hardware resources. Containers offer a more granular level of isolation for resources (CPU, memory), process isolation, and restricted system access.

Cloud Security Controls - solutions
• Enforces the company's policies between on-premises and the cloud. Can detect (and optionally, prevent) data access with unauthorized apps and data storage in unauthorized locations. Helps stop “Shadow IT”.
• Using solutions such as Web App Firewalls (WAF), Next Gen Firewalls (NGFW), IDP/IPS.
• Firewalls function at the packet level, using rules to allow or deny each packet inbound or outbound. Secure web gateways work at the application level (layer 7), looking at the actual traffic over the protocol to detect malicious intent. Functions include web proxy, policy enforcement, malware detection, traffic inspection, data loss protection, and URL filtering.

Cloud Security Controls - solutions
One reason that we need a good firewall is to filter incoming traffic to protect our cloud-hosted infrastructure and applications from hackers or malware. For example, the most common cloud firewall is the Web Application Firewall (WAF).
• Cost: Cost is one of the reasons for WAF popularity. It meets a common need, is easy to configure, and is less expensive than more function-rich NGFW and SWG options.
• Need for Segmentation: Network segmentation should be supported with appropriate traffic filtering/restriction with the firewall type that is most appropriate for the use case. The firewall can filter traffic between virtual networks and the Internet.
• Open Systems Interconnection (OSI) Layers: A network firewall works on Layer 3, stateful packet inspection at layers 3/4. Many cloud firewalls, like Web Application Firewalls, work at Layer 7 of the OSI.

THE OSI MODEL: Where protocols live in the model
7 Application: SSH, HTTP, FTP, LPD, SMTP, Telnet, TFTP, EDI, POP3, IMAP, SNMP, NNTP, S-RPC, and SET
6 Presentation: Encryption protocols and format types, such as ASCII, EBCDICM, TIFF, JPEG, MPEG, MIDI
5 Session: SMB, RPC, NFS, and SQL
4 Transport: SPX, SSL, TLS, TCP, and UDP
3 Network: ICMP, RIP, OSPF, BGP, IGMP, IP, IPSec, IPX, NAT, and SKIP
2 Data Link: ARP, SLIP, PPP, L2F, L2TP, PPTP, FDDI, ISDN
1 Physical: EIA/TIA-232, EIA/TIA-449, X.21, HSSI, SONET, V.24, V.35, Bluetooth, 802.11 – Wifi, and Ethernet

THE OSI MODEL: Quick functionality overview
7 Application: interfacing user applications, network services, or the operating system with the protocol stack.
6 Presentation: transforming data received from the Application layer into a format that any system following the model can understand.
5 Session: establishing, maintaining, and terminating communication sessions between two computers.
4 Transport: managing the integrity of a connection and controlling the session. [segment or datagram]
3 Network: adding routing and addressing information (source and destination) to the data. [packet]
2 Data Link: formatting the packet from the Network layer into the proper format for transmission. [frame]
1 Physical: contains the device drivers that tell the protocol how to use the hardware for the transmission and reception of bits.
Cloud native vs third-party solutions
• Platforms like Microsoft Azure and Amazon Web Services (AWS) have their own tools, such as Azure Resource Manager (ARM) and AWS CloudFormation. These tools make managing Microsoft and AWS cloud resources easier, supporting Infrastructure-as-Code. Separate tools, for separate platforms, separate skillsets.
• Third-party tools add more flexibility, functionality, and multi-platform support. Organizations will typically move to third-party solutions when the native cloud solutions do not meet their functionality needs. For example, some organizations move to Terraform for Infrastructure-as-Code because it supports the major CSPs using a single language. CSPs offer a marketplace where third parties can publish offers.

3.0 Implementation
3.7 Given a scenario, implement identity and account management controls
• Identity
  • Identity provider (IdP)
  • Attributes
  • Certificates
  • Tokens
  • SSH keys
  • Smart cards
• Account types
  • User account
  • Shared and generic accounts/credentials
  • Guest accounts
  • Service accounts
• Account policies
  • Password complexity
  • Password history
  • Password reuse
  • Network location
  • Geofencing
  • Geotagging
  • Geolocation
  • Time-based logins
  • Access policies
  • Account permissions
  • Account audits
  • Impossible travel time/risky login
  • Lockout
  • Disablement

Identity providers
Creates, maintains, and manages identity information while providing authentication services to applications. For example, Azure Active Directory is the identity provider for Office 365. Other examples include Active Directory, OKTA, and DUO.

Identity
• Attribute: a unique property in a user’s account details, such as employee ID.
• Smart Card (physical card): a credit card-like token with a certificate embedded on a chip; it is used in conjunction with a PIN.
• Certificates: a digital certificate where two keys are generated, a public key and a private key. The private key is used for identity.
• Token:
a digital token, such as a SAML token used for federation services, or a token used by Open Authentication (OAuth2).
• SSH Keys: typically used by an administrator for secure authentication to a remote Linux server, instead of using username and password. The public key is stored on the server, with the private key remaining on the administrator's desktop.

Account types
Types of accounts you may be tested on in Security+:
• A standard user account with limited privileges. Cannot install software, limited access to the computer systems. Two types of user accounts: those that are local to the machine, and those that access a domain.
• A legacy account that was designed to give limited access to a single computer without the need to create a user account. Normally disabled as it is no longer used, and some administrators see it as a security risk.

Account types
• Privileged accounts have greater access to the system and tend to be used by members of the IT team. Administrators are an example of privileged accounts. Can install software and manage the configuration of a server or client computer. Also have privileges to create, delete, and manage user accounts. Administrators have been told they should have two accounts: one for routine tasks, and another for administrative duties. Some cloud providers now eliminate this need, and instead enable an admin to activate privilege just-in-time for a single account.
Account types
• Aka “Service Principal”. When software is installed on a computer or server, it may require privileged access to run. A lower-level administrative account, and the service account fits the bill. A service account is a type of administrator account used to run an application. Example: account to run an anti-virus application.
• When a group of people performs the same duties, such as members of customer services, they can use a shared account. When user-level monitoring, auditing, or non-repudiation are required, you must eliminate the use of shared accounts. Most cloud IDPs have options to eliminate the need for shared accounts.

Account types
• Default administrative accounts created by manufacturers of a wide range of smart and Internet-connected devices. Most have a default username and password. Default passwords should always be changed. Identifying the presence of these accounts should be part of the onboarding process. Address through configuration management. This is a common attack vector (covered in Domain 1).

Account policies
• Complex passwords (sometimes known as strong passwords) are formatted by choosing at least three of the following four groups: lowercase (a, b, and c), uppercase (A, B, and C), numbers (1, 2, and 3), special characters ($, @).
• Prevents someone from reusing the same password. For example, if the number remembered is 12 passwords, only on the 13th change could it be reused.
• Is a term used in the exam that means the same as password history. Both prevent someone from reusing the same password.
For the Security+ exam, password reuse and history are the same thing.

Account policies
• An auditor will review accounts periodically to ensure that old accounts are not being used after an employee changes departments or leaves the company. The auditor will also ensure that all employees have only the necessary permissions and privileges to carry out their jobs (principle of least privilege).
• Can be added as an additional factor in authentication.
  • Geofencing can be used to establish a region and can pinpoint whether you are in that region. If you are not, you will not be able to log in.
  • Context-Aware Location: can be used to block any attempt to log in outside of the locations that have been determined as allowed regions.
  • Geolocation can track your location by your IP address and the ISP.
  • Smart Phone Location Services: This can be used to identify where your phone is located by using Global Positioning System (GPS).
Many identity providers enable admins to pre-define “trusted locations”.

Account policies
• This is a security feature used by cloud providers such as Microsoft with their Office 365 package to prevent fraud. If a person is in Houston and then 15 minutes later is determined to be in New York, their attempt to log in will be blocked.
• A security feature used by cloud providers, leveraging a record of devices used by each user. Response will vary by provider but may include a confirmation email to validate identity or responding to a prompt in an authenticator app.
How user and sign-in risk are used varies by provider.
• Account management (the identity lifecycle) ranges from account creation at onboarding to its disablement when a user leaves the company.

Account policies
• May be established for users based on role, as a company may have many different shift patterns. Employers may not wish their employees to access their network outside of their working hours. For example, employees may be restricted to accessing the network between 7 am and 6 pm. This prevents data theft by preventing users from coming in at 3 a.m. when nobody is watching and stealing corporate data. Can be effective in preventing individual fraud, as well as collusion, by enforcing restrictions of schedule rotations.
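The impossible travel and time-based login policies above reduce to two checks that can be run over a stream of sign-in events. This is an added example, not part of the original slides: the event format, the 900 km/h speed ceiling, the 50 km jitter allowance and the sample events are assumptions, and timestamps are treated as the user's local time.

```python
from datetime import datetime, time
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900      # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 50     # assumption: ignore small geolocation jitter
WORK_START, WORK_END = time(7, 0), time(18, 0)   # the 7 am to 6 pm window


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def evaluate(events):
    """Return (user, when, 'allow' or 'block', reason) for each sign-in."""
    last_allowed = {}    # user -> (datetime, lat, lon) of last allowed sign-in
    decisions = []
    for ev in sorted(events, key=lambda e: e["when"]):
        when = datetime.fromisoformat(ev["when"])
        reason = None
        if not (WORK_START <= when.time() <= WORK_END):
            reason = "outside permitted hours"
        elif ev["user"] in last_allowed:
            prev_when, plat, plon = last_allowed[ev["user"]]
            hours = (when - prev_when).total_seconds() / 3600
            km = haversine_km(plat, plon, ev["lat"], ev["lon"])
            # Zero elapsed time with real distance is also impossible travel.
            if km > MIN_DISTANCE_KM and (hours <= 0 or km / hours > MAX_SPEED_KMH):
                reason = f"impossible travel: {km:.0f} km in {hours * 60:.0f} min"
        if reason is None:
            # Only allowed sign-ins move the baseline, so a blocked attempt
            # cannot make the attacker's location the new reference point.
            last_allowed[ev["user"]] = (when, ev["lat"], ev["lon"])
        decisions.append((ev["user"], ev["when"],
                          "block" if reason else "allow", reason))
    return decisions


HOUSTON = {"lat": 29.7604, "lon": -95.3698}
NEW_YORK = {"lat": 40.7128, "lon": -74.0060}

# Constructed sign-in events.
EVENTS = [
    {"user": "alice", "when": "2024-03-04T09:00:00", **HOUSTON},
    {"user": "alice", "when": "2024-03-04T09:15:00", **NEW_YORK},  # 15 min later
    {"user": "alice", "when": "2024-03-04T09:30:00", **HOUSTON},
    {"user": "bob", "when": "2024-03-04T03:00:00", **HOUSTON},     # 3 a.m.
    {"user": "bob", "when": "2024-03-04T08:00:00", **HOUSTON},
    {"user": "bob", "when": "2024-03-04T13:00:00", **NEW_YORK},    # 5 h later
]

if __name__ == "__main__":
    for user, when, decision, reason in evaluate(EVENTS):
        print(user, when, decision, reason or "")
```

Bob's 13:00 New York sign-in is allowed because five hours is enough for a flight, which is the distinction between unusual travel and impossible travel.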
Common in some industries, such as financial services.

3.0 Implementation
3.8 Given a scenario, implement authentication and authorization solutions
• Authentication management
  • Password keys
  • Password vaults
  • TPM
  • HSM
  • Knowledge-based authentication
• Authentication/authorization
  • EAP
  • Challenge-Handshake Authentication Protocol (CHAP)
  • Password Authentication Protocol (PAP)
  • 802.1X
  • RADIUS
  • Single sign-on (SSO)
  • Security Assertion Markup Language (SAML)
  • Terminal Access Controller Access Control System Plus (TACACS+)
  • OAuth
  • OpenID
  • Kerberos
• Access control schemes
  • Attribute-based access control (ABAC)
  • Role-based access control
  • Rule-based access control
  • MAC
  • Discretionary access control (DAC)
  • Conditional access
  • Privileged access management
  • File system permissions

Authentication management
• Looks like a USB device and works in conjunction with your password to provide multi-factor authentication. One example is YubiKey, which is FIPS 140-2 validated and provides code storage within a tamper-proof container.

Authentication management
• Stored locally on the device and store passwords so the user does not need to remember them. Uses strong encryption (e.g. AES-256) for secure storage. Only as secure as the owner password that is used to protect the vault itself. Typically uses multi-factor authentication. A type of password vault exists in the cloud for DevOps scenarios, which will be discussed later in this module.

Authentication management
• Are normally built into the motherboard of a computer, and they are used when you are using Full Disk Encryption (FDE).
• Used to store encryption keys; a key escrow that holds the private keys for third parties.

Authentication management
• This is normally used by banks, financial institutions, or email providers to identify someone when they want a password reset.
There are two different types of KBA, dynamic and static, and they have their strengths and weaknesses:
  • Static KBA: These are questions that are common to the user. For example, "What is the name of your first school?"
  • Dynamic KBA: These are deemed to be more secure because they do not consist of questions provided beforehand. For example, to confirm identity, a bank may ask the customer to name three direct debit mandates, the date, and the amount paid.

AUTHENTICATION PROTOCOLS
• PASSWORD AUTH PROTOCOL: password-based authentication protocol used by Point-to-Point Protocol to validate users. Supported by almost all network OS remote access servers but is considered weak.
• CHALLENGE HANDSHAKE AUTH PROTOCOL: a user or network host to an authenticating entity. That entity may be, for example, an Internet service provider. Requires that both the client and server know the plaintext of the secret, although it is never sent over the network.
• EXTENSIBLE AUTH PROTOCOL: an authentication framework. Allows for new authentication technologies to be compatible with existing wireless or point-to-point connection technologies.

Authentication/Authorization
• An authentication mechanism to devices wishing to attach to a LAN or WLAN. Defines the encapsulation of EAP protocol. Involves three parties: a supplicant, an authenticator, and an authentication server (supplicant = client). Defines the encapsulation of EAP over IEEE 802.11, which is also known as "EAP over LAN".

AAA protocols
Several protocols provide centralized authentication, authorization, and accounting services. A Network Access Server is a client to a RADIUS server, and the RADIUS server provides AAA services.
• RADIUS (remote access) uses UDP and encrypts the password only.
• TACACS+ (admin access to network devices) uses TCP and encrypts the entire session.
• Diameter (4G) is based on RADIUS and improves many of the weaknesses of RADIUS, but Diameter is not compatible with RADIUS.
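The CHAP property stated above, that both sides know the plaintext secret while it never crosses the network, is easiest to see with both ends of the exchange side by side. This is an added example, not part of the original slides: it follows the RFC 1994 MD5 response calculation, the class and function names are hypothetical, and the secret and peer name are constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: hash of Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The authenticating entity, holding each peer's plaintext secret."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.pending = {}            # peer name -> (identifier, challenge)

    def challenge(self, name):
        ident, value = os.urandom(1)[0], os.urandom(16)
        self.pending[name] = (ident, value)
        return {"code": "Challenge", "id": ident, "value": value}

    def verify(self, name, response):
        # pop() makes every challenge single-use.
        ident, value = self.pending.pop(name, (None, None))
        secret = self.secrets.get(name)
        if value is None or secret is None or response["id"] != ident:
            return False
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response["value"])


def peer_respond(challenge, name, secret):
    """The client side: answer a challenge using the shared secret."""
    value = chap_response(challenge["id"], secret, challenge["value"])
    return {"code": "Response", "id": challenge["id"],
            "name": name, "value": value}


def demo():
    secret = b"constructed-shared-secret"       # constructed sample value
    server = Authenticator({"alice": secret})
    wire = []                                   # every byte string sent

    ch = server.challenge("alice")
    wire.append(ch["value"])
    resp = peer_respond(ch, "alice", secret)
    wire.append(resp["value"])
    genuine = server.verify("alice", resp)

    # A response recorded earlier is useless against a fresh challenge.
    server.challenge("alice")
    replayed = server.verify("alice", resp)

    # A peer that does not know the secret cannot compute the response.
    ch3 = server.challenge("alice")
    wrong = server.verify("alice", peer_respond(ch3, "alice", b"guess"))

    return {"genuine": genuine, "replayed": replayed, "wrong_secret": wrong,
            "secret_on_wire": any(secret in msg for msg in wire)}


if __name__ == "__main__":
    print(demo())
```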
Network access (or remote access) systems use AAA protocols.

Authentication/Authorization: Single Signon (SSO)
Single sign-on means a user doesn't have to sign into every application they use. The user logs in once and that credential is used for multiple apps. Single sign-on based authentication systems are often called "modern authentication".

Authentication/Authorization
• Is a mechanism that allows subjects to authenticate once and access multiple objects without authenticating again. Common SSO methods/standards include:
  • SAML
  • SESAME
  • KryptoKnight
  • OAuth
  • OpenID
Know enough to differentiate these three on the exam: the three to know for the exam are SAML, OAuth 2.0, and OpenID.

Authentication / authorization
• Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. Common in on-prem federation scenarios.
• OAuth 2.0 is an open standard for authorization, commonly used as a way for Internet users to log into third party websites using their Microsoft, Google, Facebook, Twitter, One Network etc. accounts without exposing their password. Azure AD (the identity provider for Office 365).
• OpenID is an open standard. It provides decentralized authentication, allowing users to log into multiple unrelated websites with one set of credentials maintained by a third-party service referred to as an OpenID provider. Example: logging into Spotify with your FB account.

Authentication / authorization
• Authorization protocol in Microsoft’s Azure Directory (and is preferred to NTLM).
Stronger encryption, interoperability, and mutual authentication (client and server verified). Runs as a third-party trusted server known as the Key Distribution Center (KDC). Includes an authentication server, a ticket granting service, and a database of secret keys for users and services. Helps prevent replay attacks through timestamps.

ACCESS CONTROL SCHEMES
Object = resource. Subject = user.
• Non-discretionary Access Control: Enables the enforcement of system-wide restrictions that override object-specific access control. RBAC is considered non-discretionary.
• Discretionary Access Control (DAC): Use-based, user-centric. A key characteristic of the Discretionary Access Control (DAC) model is that every object has an owner, and the owner can grant or deny access to any other subject. Example: New Technology File System (NTFS).
• Role Based Access Control (RBAC): A key characteristic is the use of roles or groups. Instead of assigning permissions directly to users, user accounts are placed in roles and administrators assign privileges to the roles. Typically mapped to job roles.
• Rule-based access control: A key characteristic is that it applies global rules that apply to all subjects. Rules within this model are sometimes referred to as restrictions or filters. Example: a firewall uses rules that allow or block traffic to all users equally.
• MANDATORY ACCESS CONTROL: A key point about the MAC model is that every object and every subject has one or more labels. These labels are predefined, and the system determines access based on assigned labels.

DOMAIN 3: ACCESS CONTROL SCHEMES
• Access is restricted based on an attribute on the account, such as department, location, or functional designation. For example, an admin may require user accounts to have the ‘Legal’ department attribute to view contracts.

DOMAIN 3: PRIVILEGED ACCESS MANAGEMENT
• A solution that helps protect the privileged accounts within a domain, preventing attacks such as pass the hash and privilege escalation.
Also provides visibility into who is using privileged accounts and what tasks they are being used for. Native to some cloud identity providers today, and may include a just-in-time elevation feature.

FILE SYSTEM PERMISSIONS
• NTFS (Windows): Are applied to every file and folder stored on a volume with the NTFS file system.
• SUID and SGID (Linux): The Linux permissions model has two special access modes called suid (set user id) and sgid (set group id). Recognizes three types of permissions at three levels: read (r), write (w), and execute (x).
  • Read = 4, Write = 2, Execute = 1
  • 7 = read, write, and execute
  • 6 = read and write
  • 5 = read and execute

3.0 Implementation
3.9 Given a scenario, implement public key infrastructure
• Public key infrastructure (PKI)
  • Key management
  • Certificate authority (CA)
  • Intermediate CA
  • Registration authority (RA)
  • Certificate revocation list (CRL)
  • Certificate attributes
  • Online Certificate Status Protocol (OCSP)
  • Certificate signing request (CSR)
  • CN
  • Subject alternative name
  • Expiration
• Types of certificates
  • Wildcard
  • Subject alternative name
  • Code signing
  • Self-signed
  • Machine/computer
  • Email
  • User
  • Root
  • Domain validation
  • Extended validation
• Certificate formats
  • Distinguished encoding rules (DER)
  • Privacy enhanced mail (PEM)
  • Personal information exchange (PFX)
  • .cer
  • P12
  • P7B
• Concepts
  • Online vs. offline CA
  • Stapling
  • Pinning
  • Trust model
  • Key escrow
  • Certificate chaining

©2022 Inside Cloud and Security. No reuse without written permission

Public key infrastructure (PKI): CONCEPTS
• Key management: management of cryptographic keys in a cryptosystem. Operational considerations include dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys.
Design considerations include cryptographic protocol design, key servers, user procedures, and other relevant protocols.

Certificate authority (CA)
Certification Authorities create digital certificates and own the policies. A PKI hierarchy can include a single CA that serves as root and issuing, but this is not recommended.

Subordinate CA
aka “Intermediate CA” or “Policy CA”. Also known as a Registration Authority (RA). Sits below root CAs in the CA hierarchy. Regularly issue certificates, making it difficult for them to stay offline as often as root CAs. Do have the ability to revoke certificates, making it easier to recover from any security breach that does happen.

Certificate revocation list (CRL)
Contains information about any certificates that have been revoked by a subordinate CA due to compromises to the certificate or PKI hierarchy. CAs are required to publish CRLs, but it’s up to certificate consumers if they check these lists and how they respond if a certificate has been revoked.

Online Certificate Status Protocol (OCSP)
Offers a faster way to check a certificate’s status compared to downloading a CRL. With OCSP, the consumer of a certificate can submit a request to the issuing CA to obtain the status of a specific certificate.

Certificate signing request (CSR)
Records identifying information for a person or device that owns a private key as well as information on the corresponding public key. It is the message that's sent to the CA in order to get a digital certificate created.

CN (common name)
The Fully Qualified Domain Name (FQDN) of the entity (e.g. web server).

Subject alternative name (SAN)
An extension to the X.509 specification that allows users to specify additional host names for a single SSL certificate. Is standard practice for SSL certificates, and it's on its way to replacing the use of the common name.
Enables support for FQDNs from multiple domains in a single certificate.

Expiration
Certificates are valid for a limited period from the date of issuance, as specified on the certificate. Current industry guidance on maximum certificate lifetime from widely trusted issuing authorities (like Digicert) is 1 year (398 days).

Types of certificates

Wildcard
Supports multiple FQDNs in the same domain. Can be used for a domain and a subdomain. For example: in the contoso.com domain, there are two servers called web and mail. The wildcard certificate is *.contoso.com and, when installed, it would work for the Fully Qualified Domain Names (FQDNs) for both of these. A wildcard can be used for multiple servers in the same domain, saving costs.

Subject alternative name (SAN)
Multiple domains in a single cert. Can be used on multiple domain names, such as abc.com or xyz.com. You can also insert other information into a SAN certificate, such as an IP address.

Code signing
Provides proof of content integrity. When code is distributed over the Internet, it is essential that users can trust that it was actually produced by the claimed sender. An attacker would like to produce a fake device driver or web component (actually malware) that purported to be from a software vendor. Using a code signing certificate to digitally sign the code mitigates this danger.

Self-signed
A self-signed certificate is issued by the same entity that is using it. However, it does not have a CRL and cannot be validated or trusted. It is the cheapest form of internal certificates and can be placed on multiple servers.

Machine/computer
A computer or machine certificate is used to identify a computer within a domain.

Email
Allow users to digitally sign their emails to verify their identity through the attestation of a trusted third party known as a certificate authority (CA). Allow users to encrypt the entire contents (messages, attachments, etc.)
Types of certificates

User
Used to represent a user's digital identity. In most cases, a user certificate is mapped back to a user account.

Root
A trust anchor in a PKI environment is the root certificate from which the whole chain of trust is derived; this is the root CA.

Domain validation
A Domain-Validated (DV) certificate is an X.509 certificate that proves the ownership of a domain name.

Extended validation
Extended validation certificates provide a higher level of trust in identifying the entity that is using the certificate. Commonly used in the financial services sector.

[Figure: CA hierarchy with Root CA, Subordinate CA and Issuing CA]

CERTIFICATE FORMATS
X.509 certificate formats and descriptions

FORMAT                                  EXT   PRI KEY   DESCRIPTION
Distinguished encoding rules            DER   NO        Secure remote access (Linux and network)
Privacy enhanced mail                   PEM   YES       Secure copy to Linux/Unix
Personal information exchange           PFX   YES       Supports storage of all certificates in path
Base64-encoded                          CER   NO        Storage of a single certificate
PKCS#12 standard                        P12   YES       Supports storage of all certificates in path
Cryptographic Message Syntax Standard   P7B   NO        Supports storage of all certificates in path

EXT = File extension
PRI KEY = File includes private key?
PKCS #12 is the successor to Microsoft's "PFX".
Certificates are not whole without the private key!

Example: asymmetric cryptography
1. Franco sends a message to Maria, requesting her public key.
2. Maria sends her public key to Franco.
3. Franco uses Maria’s public key to encrypt the message and sends it to her.
4. Maria uses her private key to decrypt the message.

Concepts

Online vs. offline CA. An online CA is always running; an offline CA is kept offline except for specific issuance and renewal operations. Offline is best practice for your root CA.

Stapling. A method used with OCSP, which allows a web server to provide information on the validity of its own certificate. Done by the web server essentially downloading the OCSP response from the certificate vendor in advance and providing it to browsers.

Pinning.
a method designed to mitigate the use of fraudulent certificates. Once a public key or certificate has been seen for a specific host, that key or certificate is pinned to the host. Should a different key or certificate be seen for that host, that might indicate an issue with a fraudulent certificate.

Trust model
A model of how different certificate authorities trust each other and how their clients will trust certificates from other certification authorities. The four main types of trust models that are used with PKI are bridge, hierarchical, hybrid, and mesh.

Key escrow
Addresses the possibility that a cryptographic key may be lost. The concern is usually with symmetric keys or with the private key in asymmetric cryptography. If that occurs, then there is no way to get the key back, and the user cannot decrypt messages. Organizations establish key escrows to enable recovery of lost keys.

Certificate chaining
Refers to the fact that certificates are handled by a chain of trust. You purchase a digital certificate from a certificate authority (CA), so you trust that CA’s certificate. In turn, that CA trusts a root certificate.
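The chaining, self-signed and pinning behaviour described above can be reproduced with OpenSSL. The script below is an added example, not part of the original slides; the CA name, host names and file names are constructed, and it assumes the openssl command-line tool (1.1.1 or later) is installed.

```shell
#!/bin/sh
# Added example (not from the original slides). Constructed PKI for demonstration only:
# the CA name, host names and file names below are made up.

HOST=web.contoso.example

write_config() {   # minimal config so results do not depend on the system openssl.cnf
    cat > "$1/demo.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:$HOST,DNS:mail.contoso.example
EOF
}

new_key() { openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null; }

make_root() {      # arg: dir ; root CA key plus self-signed CA certificate (the trust anchor)
    new_key "$1/root.key" &&
    openssl req -x509 -new -key "$1/root.key" -config "$1/demo.cnf" -extensions v3_ca \
        -subj "/CN=Constructed Root CA" -days 3650 -out "$1/root.pem"
}

issue_leaf() {     # args: dir name ; key -> CSR -> certificate signed by the root, valid 398 days
    new_key "$1/$2.key" &&
    openssl req -new -key "$1/$2.key" -config "$1/demo.cnf" -subj "/CN=$HOST" -out "$1/$2.csr" &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
        -days 398 -extfile "$1/demo.cnf" -extensions v3_leaf -out "$1/$2.pem" 2>/dev/null
}

make_self_signed() {   # args: dir name ; same host name, but no CA behind it
    new_key "$1/$2.key" &&
    openssl req -x509 -new -key "$1/$2.key" -config "$1/demo.cnf" -extensions v3_leaf \
        -subj "/CN=$HOST" -days 398 -out "$1/$2.pem"
}

# Pin value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo)) of a PEM certificate
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64
}

check_cert() {     # args: root.pem cert.pem pinned_value ; prints one verdict word
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 || { echo expired; return 0; }
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo untrusted-chain; return 0; }
    openssl x509 -in "$2" -noout -checkhost "$HOST" | grep -q "does match" ||
        { echo wrong-host; return 0; }
    [ "$(spki_pin "$2")" = "$3" ] || { echo pin-mismatch; return 0; }
    echo ok
}

pin_demo() {       # verdicts for: first-seen cert, re-keyed cert from the same CA, self-signed cert
    d=$(mktemp -d) || return 1
    write_config "$d" && make_root "$d" && issue_leaf "$d" first && issue_leaf "$d" rekeyed &&
        make_self_signed "$d" selfsigned || { rm -rf "$d"; return 1; }
    pin=$(spki_pin "$d/first.pem")     # recorded the first time the host's key is seen
    echo "$(check_cert "$d/root.pem" "$d/first.pem" "$pin")" \
         "$(check_cert "$d/root.pem" "$d/rekeyed.pem" "$pin")" \
         "$(check_cert "$d/root.pem" "$d/selfsigned.pem" "$pin")"
    rm -rf "$d"
}

pin_demo
```

The second certificate chains to the same root and carries the right SAN, so only the pin comparison notices that the host's key changed; the self-signed one already fails chain validation.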
DOMAIN 4

4.0 Operations and Incident Response
4.1 Given a scenario, use the appropriate tool to assess organizational security
• Network reconnaissance and discovery
  • tracert/traceroute
  • nslookup/dig
  • ipconfig/ifconfig
  • nmap
  • ping/pathping
  • hping
  • netstat
  • netcat
  • IP scanners
  • arp
  • route
  • curl
  • theHarvester
  • sn1per
  • scanless
  • dnsenum
  • Nessus
  • Cuckoo
• File manipulation
  • head
  • tail
  • cat
  • grep
  • chmod
  • logger
• Shell and script environments
  • SSH
  • PowerShell
  • Python
  • OpenSSL
• Packet capture and replay
  • Tcpreplay
  • Tcpdump
  • Wireshark
• Forensics
  • dd
  • Memdump
  • WinHex
  • FTK imager
  • Autopsy
• Exploitation frameworks
• Password crackers
• Data sanitization

Hands-on learning will be helpful! Do NOT use active reconnaissance tools to explore or exploit resources without permission.

Network reconnaissance and discovery

Tracert/Traceroute: This shows the route taken from a computer to a remote host such as a website. It also shows response latency (in ms) at each hop.

Nslookup: Nslookup is a diagnostic tool for verifying the IP address of a hostname (A record by default) in the DNS server database. Using the set type= command, you can change the type of records it searches. “Set type=MX” scopes search to mail exchange records.

Dig: Dig is the equivalent of nslookup in a Linux/Unix environment.

ipconfig/ifconfig: These commands show the IP configuration. The Windows version is ipconfig, but Unix/Linux can use ifconfig.

Nmap: a free and open-source network mapper that can be used to create an inventory of devices on your network. Also good for banner grabbing (computer and service info).
Pathping: has the functionality of both ping and tracert. Also calculates statistics after the trace, showing the packet loss at each router (each hop) it passes through.

Hping: an open-source packet generator and analyzer for the TCP/IP protocol, often used for auditing firewalls and networks. For example, it tests firewall rules and open ports, and analyzes network traffic, including packet formats and traceroute.

Netstat: a native tool on the Windows operating system, used to see the established connections, listening ports, and even running services. Netstat shows listening ports and established connections, but if you reboot the computer, the established connections disappear.

netcat: or nc, is a Linux/UNIX utility for showing network connections, port scanning, and even file transfer.

IP Scanners: the Angry IP scanner is a popular free and open-source scanner that will scan addresses in a range and identify open ports. Will export results to TXT, CSV, or XML format. Comes in command line and GUI versions.

Address Resolution Protocol (ARP): a protocol for mapping an IP address to a physical MAC address on a local area network. The arp -a command shows the ARP cache.

route: enables listing existing routes in the local routing table, as well as adding manual entries into the network routing tables. Use route print to view the local route table and route add to add a route.

Curl: command-line tool used to transfer data using any of these supported protocols: HTTP, FTP, IMAP, POP3, SCP, SFTP, SMTP, TFTP, TELNET, LDAP, or FILE.

TheHarvester: This is a passive tool that comes with Kali Linux, used to harvest the email addresses of an organization.
EXAMPLE: search for email addresses in the kali.org domain, limiting results to 500, using Google:
    theharvester -d kali.org -l 500 -b google

You can run Linux on Windows 10 or 11 using the Windows Subsystem for Linux (WSL).
Includes a Kali Linux distribution.

Sn1per: a penetration test reconnaissance tool that can be used for automated tests. Can scan for vulnerabilities, open ports, web application vulnerabilities and perform attack surface discovery. Dynamic code analysis used by pen testers, bug bounty researchers, and red teams. All-in-one offensive security tool with free and paid versions.

Scanless: pentesting tool to perform anonymous open port scans on target hosts, such as web servers (free and open-source). Developed in Python, utilizes a number of port scanners, like ipfingerprints, pingeu, spiderip, portcheckers.

Dnsenum: a command-line tool that automatically identifies basic DNS records, and it has the ability to attempt reverse DNS resolution. Brute forces (queries for the existence of hostnames) in order to get the IP addresses of subdomains and hostnames. Used in web penetration testing to identify potential targets for further exploration.

Nessus: a network security (vulnerability) scanner. It utilizes plug-ins, which are separate files, to handle the vulnerability checks. Raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access.

Cuckoo: This tool creates a sandbox that can be used for analyzing files for malware inspection.

File manipulation
You may want to look deeper into different files, including the log files that are produced. Here are a few tools in the file manipulation category.

Concatenate (cat): The cat command in Linux can be used to create files, view files, and also concatenate several files into another file.
To create a new file called weblog, we use the following syntax:
    cat > weblog
You can also concatenate the contents of three files and combine them in an output file using the following syntax:
    cat file1.txt file2.txt file3.txt | sort > samplefile.txt

Head: the /var/log/messages file is an important log file, which shows system events such as shutdown and reboot. We can use the head command to check the top 10 messages from that log:
    head -n 10 /var/log/messages

Tail: views the last X lines at the end of a log file.
EXAMPLE: view the last 10 messages in the /var/log/messages log file:
    tail -n 10 /var/log/messages

Grep: used to search text and log files for specific values.
EXAMPLE: to search a file called users.txt for the name PETE, we would use the following syntax:
    grep PETE users.txt
EXAMPLE: to search a whole directory for the word project, we can use the following syntax:
    grep -r project

chmod: The chmod command is used to change the permission level, for example:
    chmod 766 file1.txt
In the example above, the owner has rwx, the group has rw-, and others have rw-. Linux permissions are covered briefly in Domain 3.

Logger: can add a message to the local system log file or to a remote syslog server. Frequently used to send log messages from automation scripts to record actions performed and errors encountered.
EXAMPLE:
    logger -n 10.10.10.10 "$(hostname) found a potential backdoor attack"

The tools in this category are core (everyday) commands present in just about any flavor of Linux.

Shell and script environments

SSH: created to serve as a secure alternative to telnet for running commands remotely; it is commonly used when you want remote access to network devices. It can be used as a command-line tool or in a Graphical User Interface (GUI), but it is not browser-based. Unlike telnet, SSH traffic is encrypted.

PowerShell: PowerShell can perform tasks in a Windows environment.
Each command is known as a cmdlet and can be saved to a script with a .ps1 extension. Each PowerShell cmdlet is comprised of a noun and a verb. EXAMPLE: Get-Help will show the help commands.

Python: a popular and powerful programming language used by open source developers and data scientists. Widely used in cybersecurity.

OpenSSL: a suite that can be used to create and manage Transport Layer Security (TLS) and Secure Socket Layer (SSL) protocol. Often used to generate private keys, create CSRs, install your SSL/TLS certificate, and identify certificate information. Can create a self-signed certificate.

Packet capture and replay
A protocol analyzer can also be referred to as a packet sniffer. Protocol analyzers can save the data that they collect to a packet capture file (PCAP).

tcpreplay: This is an open-source tool that can be used to analyze .pcap files generated by either Wireshark or tcpdump. It can then replay the traffic and send it to the NIPS.

tcpdump: a network packet analyzer command line tool on Linux/UNIX.
EXAMPLE: the following shows information on the first Ethernet adapter:
    tcpdump -i eth0

Wireshark: a free and open-source packet analyzer, with command-line and GUI versions, available for Windows and Linux.

Forensics
Tools in the forensics category are often used in forensic investigation.

dd: when the forensics team needs to investigate an image on a desktop or laptop, the dd command can be used to clone a disk or copy a folder in a Linux/Unix environment. In a SCSI environment, the first disk is /dev/sda and the second is /dev/sdb. If the first disk has two partitions, they will be sda1 and sda2. The if= operand names the input file and the of= operand names the output file.

Copy Entire Hard Disk: We are going to copy the first SCSI disk to the second SCSI disk. The syntax would be:
    dd if=/dev/sda of=/dev/sdb

Create an Image: We are going to make a disk image of /dev/sda.
We would use this syntax:
    dd if=/dev/sda of=~/sdadisk.img

WinHex: a hexadecimal editor that can be used on any version of Windows operating systems to help forensics teams find evidence. Can be used to find and recover deleted or lost data from a corrupt drive.

Capturing System Memory Dump Files: When a computer system crashes (commonly known as the blue screen of death), all of the content of the memory is saved in a dump file (.dmp). Dump files can be analyzed by using a tool such as BlueScreenReview. The Linux equivalent is memdump.

FTK imager: a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool is warranted.

Autopsy: can be used to analyze hard drives, smartphones, and media cards. Has a built-in translator to translate foreign languages into English.

Exploitation frameworks
Exploitation frameworks, such as the open-source Metasploit Framework, contain capabilities to detect and then exploit vulnerabilities on remote systems. Can be used to harden your IT systems before they are attacked. Use information from the National Vulnerability Database, which is comprised of Common Vulnerabilities and Exposures (CVE). Uses the Common Vulnerability Scoring System (CVSS) to show the level of severity of each of the vulnerabilities.

MOST POPULAR EXPLOIT FRAMEWORKS
Metasploit Framework (http://www.metasploit.com)
CORE IMPACT (http://www.coresecurity.com)
Immunity CANVAS (http://www.immunitysec.com)

Password crackers AND DATA SANITIZATION

Password crackers: such as the Cain portion of Cain and Abel or L0phtCrack, can be used to crack the passwords and create password hashes. In the Security+ exam, when you see names in clear text followed by hashes, the hash is a password hash.

Data sanitization: the process of irreversibly removing or destroying data stored on a memory device (hard drives, flash memory, SSDs, etc.)
It is important to use the proper technique to ensure that all data is purged.

4.0 Operations and Incident Response
4.2 Summarize the importance of policies, processes, and procedures for incident response
• Incident response plans
• Incident response process
  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons learned
• Exercises
  • Tabletop
  • Walkthroughs
  • Simulations
• Attack frameworks
  • MITRE ATT&CK
  • The Diamond Model of Intrusion Analysis
  • Cyber Kill Chain
• Stakeholder management
• Communication plan
• Disaster recovery plan
• Business continuity plan
• Continuity of operations planning (COOP)
• Incident response team
• Retention policies

Plan, process, and procedure
Plan vs Process vs Procedure: What is the difference? Level of detail runs from LOW (plan) to HIGH (procedure).

Plan: High-level (light on the details). A set of intended actions, usually mutually related, through which one expects to achieve a goal.
Process: Ordered task list or flow chart. A series of related tasks or methods that together turn inputs into outputs.
Procedure: Task-level details (the “HOW”). A prescribed way of undertaking a process or part of a process. A particular method for performing a task.

Managing INCIDENT response
6 phases of incident response
1. Preparation: Where incident response plans are written, and configurations documented.
2. Identification: Determining whether or not an organization has been breached. Is it really an incident?
3. Containment: Limiting damage (scope) of the incident.
4. Eradication: Once affected systems are identified, coordinated isolation or shutdown, rebuild, and notifications.
5. Recovery: Root cause is addressed and time to return to normal operations is estimated and executed.
6. Lessons Learned: Helps prevent recurrence, improve IR process.
INCIDENT RESPONSE PLANS AND EXERCISES

Tabletop
Paper-based, hypothetical. You distribute copies of incident response plans to the members of the incident response team for review. Team members then provide feedback about any updates needed to keep the plan current.

Walkthrough
Test team response without full simulation. Members of the incident response team gather in a large conference room and role-play an incident scenario. Usually, the exact scenario is known only to the test moderator, who presents the details to the team at the meeting. Can ensure needed tools and resources are available, and team members are familiar with their roles.

Simulation
Similar to structured walkthrough, except some of the response measures are then tested (on non-critical functions). This one involves some form of ‘doing’.

ATTACK FRAMEWORKS
An online framework that can be used by commercial organizations. Developed by MITRE, a US Government-sponsored company whose aim is to help prevent cyber-attacks. Provides information about adversaries and their attack methods. Uses the acronym ATT&CK to better articulate the attack vectors used by attackers: Adversarial Tactics, Techniques, & Common Knowledge.
Adversarial: This looks at the behavior of potential attackers who are put into different groups.
Tactics: the medium by which (how) the attack will be carried out.
Techniques: a breakdown of the processes of how an attack will be launched.
Common Knowledge: documentation relating to the attackers’ tactics and techniques that have been made available online to the general public.

The Cyber Kill Chain (Lockheed Martin Edition)
Traces stages of a cyberattack from early reconnaissance to the exfiltration of data.
1. RECONNAISSANCE: Harvesting email addresses, company info, etc.
2. WEAPONIZATION: Actor creates malware tailored to vulnerabilities of the remote target.
3. DELIVERY: Delivering weaponized bundle to victim via email, web, USB, etc.
4. EXPLOITATION: Exploiting a vulnerability to execute code on the victim’s system.
5. INSTALLATION: Installing malware on the asset.
6. COMMAND & CONTROL: Command channel for remote manipulation of the victim.
7. ACTIONS ON OBJECTIVES: With ‘hands on keyboard’ access, intruders accomplish their original goals.

Diamond Model of Intrusion Analysis
A framework for gathering intelligence on network intrusion attacks, comprising four key elements:
Adversary: The threat actor group.
Capabilities: Where the adversary develops an exploit that they use to carry out the attack.
Infrastructure: This is how the attacker can get to the victim.
Victim: The person targeted by the adversary.
Was used by the intelligence community until it was declassified in 2013.

Communication Plan
The plan that details how relevant stakeholders will be informed in event of an incident (like a security breach). Would include a plan to maintain confidentiality, such as encryption to ensure that the event does not become public knowledge. A contact list should be maintained that includes stakeholders from the government, police, customers, suppliers, and internal staff. Compliance regulations, like GDPR, include notification requirements, relevant parties and timelines. Confidentiality amongst internal stakeholders is desirable so external stakeholders can be informed in accordance with the plan.

Stakeholder Management
When we have an incident, there are multiple groups of relevant stakeholders that we need to inform and manage, and may include:
- Internal stakeholders
- Cyber insurance provider
- Business partners
- Customers
- Law enforcement
A stakeholder is a party with an interest in an enterprise; corporate stakeholders include investors, employees, customers, and suppliers. Regulated industries, such as banking and healthcare, will have requirements driven by the regulations governing their industries.
BCP Definitions
Some BCP-related definitions worth knowing:
BCP (Business Continuity Plan): the overall organizational plan for “how-to” continue business.
DRP (Disaster Recovery Plan): the plan for recovering from a disaster impacting IT and returning the IT infrastructure to operation.
COOP (Continuity of Operations Plan): the plan for continuing to do business until the IT infrastructure can be restored.

BCP vs DRP
Business Continuity Planning (BCP) vs Disaster Recovery Planning (DRP): What is the difference?
BCP focuses on the whole business.
DRP focuses more on the technical aspects of recovery.
BCP will cover communications and process more broadly.
BCP is an umbrella policy and DRP is part of it.

Incident response team
When an incident occurs, it is important to get an incident response team together to deal with the incident. Includes the following roles:
Incident Response Manager: A top-level manager who takes charge.
Security Analyst: Technical support to the incident.
IT Auditor: Checks that the company is compliant.
Risk Analyst: Evaluates all aspects of risk.
HR: Sometimes employees are involved in the incident.
Legal: Gives advice and makes decisions on legal issues.
Public Relations: Deals with the press to reduce the impact.

The Information Lifecycle (from a functional perspective)
Creation: Can be created by users (a user creates a file). Can be created by systems (a system logs access).
Classification: To ensure it’s handled properly, it’s important to ensure data is classified as soon as possible.
Storage: Data should be protected by adequate security controls based on its classification.
Usage: Refers to anytime data is in use or in transit over a network.
Archive: Archival is sometimes needed to comply with laws or regulations requiring the retention of data. A data retention policy ensures a company retains data as long as necessary. “As long as necessary” is defined by company policies or regulatory requirements.
Destruction: When data is no longer needed, it should be destroyed in such a way that it is not readable. Keeping data longer than necessary increases risk.

The Information Lifecycle to know for the exam is covered in DOMAIN 5.

RETENTION POLICY
More on classifications in Domain 5. Labeling / tagging of data based on type, like personally identifiable info (PII), protected health info (PHI), etc.
For legal and compliance reasons, you may need to keep certain data for different periods of time.
EXAMPLES: some financial data needs to be retained for 7 years. Some medical data may need to be retained up to 20-30 years.
Ensure that legal and compliance issues are addressed.
4.0 Operations and Incident Response
4.3 Given an incident, utilize appropriate data sources to support an investigation
• Vulnerability scan output
• SIEM dashboards
  • Sensor
  • Sensitivity
  • Trends
  • Alerts
  • Correlation
• Log files
  • Network
  • System
  • Application
  • Security
  • Web
  • DNS
  • Authentication
  • Dump files
  • VoIP and call managers
  • Session Initiation Protocol (SIP) traffic
• syslog / rsyslog / syslog-ng
• journalctl
• NXLog
• Bandwidth monitors
• Metadata
  • Email
  • Mobile
  • Web
  • File
• Netflow / sFlow
  • Netflow
  • sFlow
  • IPFIX
• Protocol analyzer output

VULNERABILITY SCAN OUTPUT
A vulnerability scanner can identify and report various vulnerabilities before they are exploited. Examples include:
- software flaws
- missing patches
- open ports
- services that should not be running
- weak passwords
Will help companies avoid known attacks such as SQL injection, buffer overflows, denial of service, and other types of malicious attacks. A credentialed vulnerability scan is the most effective as it provides more information than any other vulnerability scan.

SIEM DASHBOARDS
Dashboards are very useful to security operations centers as they provide centralized visibility and information on threats in real time.

Sensor: Sensors are deployed across your network to monitor and collect changes in network patterns or monitor changes in log file entries as events occur. Varies by solution and device. May be a sensor, syslog, text log, API or other format.

Sensitivity: can monitor PII, PHI, and other sensitive information to ensure regulatory compliance (HIPAA, PCI DSS, GDPR).

Trends: can identify trends in network traffic, event volume, or changes in activities/activity levels across identities, endpoints, network and infrastructure.

Alerts: provide information about events on hosts and network devices. Email notification and response automation (playbooks, SOAR) optional.
Correlation: correlates, aggregates, and analyzes the log files from multiple sources; can generate a broad, centralized view. Because a sequence of events crosses multiple sources, time sync matters (NTP).

LOG FILES
Log files play a core role in providing evidence for investigations. You’ll want to be familiar with the many different types of log files for the Security+ exam.

Network: This log file can identify the IP and MAC addresses of devices that are attached to your network. Usually sent to a central syslog server. NIDS/NIPS can be important in identifying threats and anomalies from these. Log files from a proxy server can reveal who’s visiting malicious sites. The collective insight may be useful in stopping a DDoS attack.

Web: web servers log many types of information about web requests, so evidence of potential threats and attacks will be visible here. Information collected about each web session: IP address of the request, date and time, HTTP method (such as GET/POST), browser used, and HTTP status code.
400 series HTTP response codes are client-side errors.
500 series HTTP response codes are server-side errors.
These logs must be fed to a SIEM, IDS/IPS or other system to analyze this data.

LOG FILES
These files exist on client and server systems. Sending these to a SIEM can help establish a central audit trail and visibility into the scope of an attack.

System: contains information about hardware changes, updates to devices, time synchronization, group policy application, etc.

Application: contains information about software applications: when launched, success or failure, and warnings about potential problems or errors.

Security: contains information about successful logins, as well as unauthorized attempts to access the system and resources. Can identify attackers trying to log in to your computer systems. Captures information on file access and can determine who has downloaded certain data.
You will find log files with these names in the Event Viewer on any Windows client or server.

LOG FILES

DNS: contains virtually all DNS server-level activity, such as zone transfer, DNS server errors, DNS caching, and DNSSEC. DNS query logging is often disabled by default due to volume.

Authentication: information about login events, logging success or failure. There are multiple sources of authentication log files in a domain environment, including RADIUS, Active Directory, and cloud providers such as Azure Active Directory.

Dump Files: file generated when a computer crashes; the contents of memory are saved in a dump file (.dmp). Dump files can be analyzed by using a tool such as BlueScreenReview, Windows Debugger, and Kernel Debugger.

LOG FILES
VoIP phones are embedded systems that must be secured. Log files related to voice applications can be valuable in identifying anomalous activity, unauthorized users, and even potential attacks.

VoIP and Call Managers: These systems provide information on the calls being made and the devices that they originate from. May also capture call quality by logging the Mean Optical Score (MOS), jitter, and loss of signal. Significant loss in quality may indicate attack. Each call is logged (inbound and outbound calls, including long-distance calls), along with the person making the call and the person receiving the call.

Session Initiation Protocol (SIP) Traffic: SIP is used for internet-based calls and the log files generally show: the 100 events, known as the INVITE, the initiation of a connection, that relates to ringing. The 200 OK is followed by an acknowledgement.
A large number of calls not connecting may indicate an attack.

SYSLOG / RSYSLOG / SYSLOG-NG
Linux solutions. These log management solutions all perform the same basic functions.

Syslog (the original): known as a log collector, as it collects event logs from various devices, which are often sent to a central syslog server.
• In the Linux version, it is implemented as syslogd, or the syslog daemon, which stores the log files in the /var/log/syslog directory.
Rsyslog: called rocket-fast as it has high performance.
• Receives data, transforms it, and can send output to destinations such as a SIEM server or another syslog server (log forwarding).
Syslog-ng: an open-source logging solution for Unix and Linux systems.
• Broader platform support than Rsyslog.
Rsyslog and Syslog-ng are great open-source options that came later.

JOURNALCTL AND NXLOG
Other logging solutions.
provides several system components for Linux
journalctl: a utility for querying and displaying logs from journald, which is systemd's logging service.
• journald collects and stores log data in binary format.
• journalctl is used to query and display these logs in a readable format.
NXLog: an open-source log management tool that helps identify security risks in a Linux/Unix environment.
• A multi-platform log collection and centralization tool that offers log processing features, including log enrichment and log forwarding.
• Similar to syslog-ng or Rsyslog, but it is not limited to UNIX and syslog only. Supports Linux, Windows, and Android.

BANDWIDTH MONITORS
Can be used to understand your network traffic flow.
• Monitor changes in traffic patterns and identify devices on the network that are causing bottlenecks.
• Can detect broadcast storms and potential denial-of-service attacks.
• A way for IT professionals to determine actual bandwidth availability on your systems.

METADATA
Data that provides information about other data.
Email: headers contain detailed information, including source, destination, and route through the email providers to the recipient.
• Can be used when phishing emails are received to identify the bad actor.
Mobile: Telecom providers retain information about phone calls, including calls made, calls received, text messages, internet usage, and location information.
• Can be used in an investigation to provide evidence of a suspect’s location.
Web: Website metadata provides information about every page created on a website, including author, date created, images, and other files (videos, PDFs, etc.).
File: When investigations are being carried out, the file metadata can be used to track information such as the author, date created, date modified, and file size.
• File metadata does not include info on actions like printing or copying.
Photograph: When someone takes a photograph, the metadata might include geotagging that documents the location in which the photograph was taken.
• You cannot get metadata from a deleted file after recovery.

NETFLOW, SFLOW, IPFIX
Network monitoring solutions.
Netflow (proprietary): a CISCO product that monitors network traffic and can identify the load on the network.
• In an investigation, it can help identify patterns in network traffic.
Sflow (supports a wide variety of network hardware vendors): a multi-vendor product that provides visibility into network traffic patterns.
• Can help identify malicious traffic to help in securing the network.
IP Flow Information Export (IPFIX) (patterned after Netflow): Open source, similar to and can be used to capture traffic from the node itself.
• Data can then be exported to a collector within the node.
• Can be used to identify data traveling through a switch to facilitate billing.
• Can format IP Flow data and forward it to a collector.

PROTOCOL ANALYZER OUTPUT
Details on output format, compatibility and use in forensic investigation.
A protocol analyzer can also be referred to as a packet sniffer.
Protocol analyzers can save the data that they collect to a packet capture file (.PCAP).
• PCAP file format is a binary format, with support for nanosecond-precision timestamps.
• Wireshark, Tcpreplay, and tcpdump all support .PCAP format.
• Can be used for forensics by replaying network traffic sent to network devices from which they capture traffic.
• Law enforcement has used PCAP data successfully in prosecuting cybercrime.

4.0 Operations and Incident Response
4.4 Given an incident, apply mitigation techniques or controls to secure an environment
• Reconfigure endpoint security solutions
  • Application approved list
  • Application blocklist/deny list
  • Quarantine
• Configuration changes
  • Firewall rules
  • MDM
  • DLP
  • Content filter/URL filter
  • Update or revoke certificates
• Isolation
• Containment
• Segmentation
• SOAR
  • Runbooks
  • Playbooks

RECONFIGURE ENDPOINT SECURITY SOLUTIONS
When technologies change or we suffer a data breach, we might have to reconfigure the endpoint security solutions.
Approved Applications List: where the approved applications are listed. If an application is not listed, it cannot be launched.
Application Block List/Deny List: list of apps deemed dangerous, such as certain offensive security tools. If the app is on the blocklist, the app cannot run.
Quarantine: when a device has been infected with a virus, it is removed from the network.
• With Network Access Control (NAC), the user is authenticated and the device is checked to confirm it is patched and compliant before being granted access.
• A non-compliant device will be blocked and may be placed in a quarantine network for remediation.

CONFIGURATION CHANGES
As new attacks emerge, configuration changes may be necessary to secure the environment.
Firewall rules: will vary for network and host-based firewalls. Can be used to block traffic, and we can use either an MDM solution or group policy to change the configuration on endpoint devices.
MDM: can be used to push configuration changes to mobile devices. Can enforce device settings, from password policy to blocking the camera.
DLP: policy-based protection of sensitive data, usually based on labels or pattern match.
• New patterns to identify sensitive data may emerge.
• Protects data at-rest or in-transit, in email, Intranet, cloud drives, etc.
Content filter/URL filter: changes in attacks might require an update to the content filters on either a proxy server or a UTM firewall.
• Some devices, like a NGFW, may automatically detect new threats and adjust accordingly.
Update or revoke certificates: endpoints reporting a host or trust error may indicate a certificate problem.
• This may require updating a certificate that has expired or revoking a certificate because it has been compromised.
• Internet-facing services need a certificate issued by a commercial CA.

ISOLATION
Air-gapped endpoints are used to view classified data; the air gap isolates the endpoint from the network to protect against a network-based attack.
• An air gap eliminates all network connectivity (wired, wi-fi).
• The only way to add or extract data from an air-gapped computer is by using a removable device such as a USB drive.
Users entering an area for confidential meetings or to view secret research may be required to place their phones in a Faraday cage.
• It blocks electromagnetic signals from entering or exiting the cage, rendering cellular signals useless.

CONTAINMENT
Containment is about minimizing damage and limiting the scope of an incident.
Examples of containment:
• If an endpoint has been compromised and may be infected by a virus, IT Security will contain it to stop the malware spreading.
• Removing infected machines from the network.
• Disabling user accounts that have been used to breach your network.
A containment process that minimizes downtime and disruption is preferable.
Remember the incident response process: containing the incident comes before finding root cause and full remediation.

SEGMENTATION
Mobile device management.
In a BYOD mobile device scenario, mobile app management (MAM) will keep personal and business data separate. Prevents personal data from being removed in a remote wipe.
Endpoints. Segment devices that have become vulnerable, such as an unpatched printer where there are no updates. You could place these printers in a VLAN.
• Non-compliant devices can be quarantined until remediated. This is possible with network access control (NAC).
Applications. Within a private subnet, VLANs can be used to carry out segmentation and traffic filtering for sensitive apps and data.
• These rules could be enforced with subnets and firewalls.

SIEM AND SOAR
SIEM and SOAR often use AI, ML, and threat intelligence.
Security Information Event Management (SIEM):
• system that collects data from many other sources within the network.
• provides real-time monitoring, traffic analysis and notification of potential attacks.
Security Orchestration Automation, & Response (SOAR):
• centralized alert and response automation with threat-specific playbooks.
• response may be fully automated or single-click.
These capabilities are commonly delivered together in a single solution.

SOAR
Playbooks and runbooks
• documents with info on events and the necessary actions to stop threats.
• can be used to configure automated response in a playbook.
• Documents the human analyst response steps
• contain a set of rules and actions to identify incidents and take preventative action.
• may need to be amended for better automated response as threats evolve.
• This is the response automation

4.0 Operations and Incident Response
4.5 Explain the key aspects of digital forensics
• Documentation/evidence
  • Legal hold
  • Video
  • Admissibility
  • Chain of custody
  • Timelines of sequence of events
    • Time stamps
    • Time offset
  • Tags
  • Reports
  • Event logs
  • Interviews
• Acquisition
  • Order of volatility
  • Disk
  • Random-access memory (RAM)
  • Swap/pagefile
  • OS
  • Device
  • Firmware
  • Snapshot
  • Cache
  • Network
  • Artifacts
• On-premises vs. cloud
  • Right-to-audit clauses
  • Regulatory/jurisdiction
  • Data breach notification laws
• Integrity
  • Hashing
  • Checksums
  • Provenance
• Preservation
• E-discovery
• Data recovery
• Non-repudiation
• Strategic intelligence/counterintelligence

DOCUMENTATION AND EVIDENCE
Legal hold: protecting any documents that can be used in evidence from being altered or destroyed. Sometimes called litigation hold.
Chain of custody: tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle.
• Documents each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.
• Confirms appropriate collection, storage, and handling.

EVIDENCE ADMISSIBILITY
Requirements for evidence to be admissible in a court of law.
TO BE ADMISSIBLE:
• Evidence must be relevant to a fact at issue in the case (makes a fact more or less probable than without the evidence).
• The fact must be material to the case (is important in proving a case).
• The evidence must be competent or legally collected (competent means “reliable” here). Must be obtained by legal means.
To prevail in court, evidence must be sufficient, which means “convincing without question, leaving no doubt”.

DOCUMENTATION/EVIDENCE
Video. CCTV can be a good source of evidence for helping to identify attackers and the time the attack was launched. Can be vital in apprehending suspects and reconstructing the timeline of events.
Time stamps. Each file has timestamps showing when it was created, last modified, and last accessed.
Time offset. Where evidence is collected across multiple time zones, you must record the offset based on time zone.
• For example, recording the time offset, it looks as if it started in Chicago, but if we apply time normalization, when it is 4 a.m. in London, the time in Chicago is 10 p.m.
Tags. eDiscovery tags are virtual “sticky notes” or labels attached to documents, making them easier to search/find. Helps the legal team stay organized and build a defensible case.
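The time offset point above, worked through as an added example (not part of the original slides): timestamps recorded in local time are normalized to UTC using the offset noted for each source, so London and Chicago events sort into one timeline. The records, source names and the clock-skew field (device clock minus reference clock, in seconds) are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not from a real case). Each keeps the timestamp
# exactly as the source wrote it, the UTC offset recorded for that source, and
# an assumed measured clock skew (device clock minus reference clock, seconds).
RECORDS = [
    ("chicago-ws", "2022-03-01 21:58:40", "-06:00", 45, "user opens e-mail attachment"),
    ("chicago-ws", "2022-03-01 22:00:30", "-06:00", 45, "new scheduled task created"),
    ("london-mail", "2022-03-02 03:57:10", "+00:00", 0, "message delivered to mailbox"),
    ("london-fw", "2022-03-02 04:00:05", "+00:00", 0, "outbound connection to unknown host"),
    ("london-dc", "2022-03-02 04:03:17", "+00:00", 0, "failed administrator logon"),
]


def parse_offset(text):
    """Turn '+HH:MM' or '-HH:MM' into a fixed-offset tzinfo; reject anything else."""
    if len(text) != 6 or text[0] not in "+-" or text[3] != ":":
        raise ValueError(f"bad UTC offset: {text!r}")
    hours, minutes = int(text[1:3]), int(text[4:6])
    if hours > 14 or minutes > 59:
        raise ValueError(f"UTC offset out of range: {text!r}")
    delta = timedelta(hours=hours, minutes=minutes)
    return timezone(-delta if text[0] == "-" else delta)


def to_utc(local_text, offset_text, skew_seconds=0):
    """Normalize one recorded timestamp to UTC and remove the known clock skew."""
    local = datetime.strptime(local_text, "%Y-%m-%d %H:%M:%S")
    aware = local.replace(tzinfo=parse_offset(offset_text))
    return aware.astimezone(timezone.utc) - timedelta(seconds=skew_seconds)


def build_timeline(records):
    """Return the events sorted by normalized UTC time, keeping the original value."""
    rows = []
    for source, local_text, offset_text, skew, event in records:
        rows.append({
            "utc": to_utc(local_text, offset_text, skew),
            "source": source,
            "recorded": f"{local_text} {offset_text}",  # untouched evidence value
            "event": event,
        })
    return sorted(rows, key=lambda row: row["utc"])


def naive_order(records):
    """Event order obtained by sorting on the raw local timestamps (the mistake)."""
    return [rec[4] for rec in sorted(records, key=lambda rec: rec[1])]


if __name__ == "__main__":
    for row in build_timeline(RECORDS):
        print(row["utc"].isoformat(), row["source"], row["event"],
              f"(recorded {row['recorded']})")
```

Sorting on the raw local timestamps places both Chicago events before the London mail delivery; after normalization the delivery comes first, and the skew correction moves the scheduled task ahead of the firewall event.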
DOCUMENTATION/EVIDENCE
To support an effective post incident review, all key discussions and decisions made during the eradication event should be well documented.
• A report should be produced from the post incident review and presented to all relevant stakeholders.
Provide a means to reconstruct the sequence of events. Centralized log collection is helpful here, and an audit trail is a requirement.
• Maintaining an audit trail is a legal requirement in some cases.
• To track incidents, we need to be actively monitoring and actively logging changes to patterns in our log files or traffic patterns in our network.
• SIEM can help with log collection, aggregation, and analysis.
A photofit is a reconstructed picture of a suspect.
• The police may also take witness statements to try and develop a picture of who was involved and maybe then use photofits so that they can be apprehended.

TYPES OF EVIDENCE (EXTRA CREDIT)
Best. Original, preferred by courts.
Secondary evidence. Copy.
Direct. Proves or disproves an act based on the five senses.
Conclusive. Incontrovertible, overrides all other types.
Circumstantial. Inference from other info.
Corroborative. Supporting evidence but cannot stand on its own.
Opinions. Expert and non-expert.
Hearsay. Not based on first-hand knowledge.
Evidence must be relevant, complete, sufficient and reliable.

ACQUISITION OF EVIDENCE
Importance of collecting. As soon as you discover an incident:
• You must begin to collect evidence and as much information about the incident as possible.
• Evidence can be used in a subsequent legal action or in finding attacker identity.
• Evidence can also assist you in determining the extent of damage.

EVIDENCE STORAGE
Understand the concerns for evidence storage.
How to retain logs, drive images, VM snapshots, and other datasets for recovery, internal and forensic investigations.
Protections for evidence storage include:
- locked cabinets or safes
- dedicated/isolated storage facilities
- offline storage
- access restrictions and activity tracking
- hash management and encryption

ACQUISITION
Areas and considerations in evidence acquisition.
Disk. aka hard drive. Was the storage media itself damaged?
Random-access memory (RAM). Volatile memory used to run applications.
Swap/Pagefile. Used for running applications when RAM is exhausted.
OS (operating system). Was there corruption of data associated with the OS or the applications?
Device. When the police are taking evidence from laptops, desktops, and mobile devices, they take a complete system image.
• The original image is kept intact, installed on another computer, hashed, then analyzed to find evidence of any criminal activity.

ACQUISITION
Firmware. Embedded code, which could be reverse engineered by an attacker, so original source code must be compared to code in use.
• A coding expert can compare both lots of source code in a technique called regression testing.
• Rootkits and backdoors are concerns.
Snapshot. If the evidence is from a virtual machine, a snapshot of the virtual machine can be exported for investigation.
Cache. Special high-speed storage that can be either a reserved section of main memory or an independent high-speed storage device.
• Memory cache AND disk cache are both volatile.
Network. The OS includes command-line tools (like netstat) that provide information that could disappear if you reboot the computer.
• Like RAM, connections are volatile and lost on reboot.
Artifacts. Any piece of evidence, including log files, registry hives, DNA, fingerprints, or fibers of clothing normally invisible to the naked eye.

ORDER OF VOLATILITY
To determine what happened on a system, you need a copy of the data. What evidence do you collect first?
The most volatile (perishable) information should be collected first. If it disappears with a system reboot or the passage of time, it is volatile.
In approximate order:
1. CPU, cache, and register contents
2. Routing tables, ARP cache, process tables, kernel statistics
3. Live network connections and data flows
4. Memory (RAM)
5. Temporary file system and swap/pagefile
6. Data on hard disk
7. Remotely logged data
8. Data stored on archival media and backups
Collection must also consider questions of storage and chain of custody!

ON PREMISES VS CLOUD
Customer rights and capabilities to perform forensic investigation vary in the cloud versus on-premises.
Right-to-audit clauses: written into supply chain contracts, these allow an auditor to visit the premises to inspect and ensure that the contractor is complying with contractual obligations.
This would help an auditor identify:
- Faulty or inferior quality of goods
- Short shipments
- Goods not delivered
- Kickbacks
- Gifts and gratuities to company employees
- Commissions to brokers and others
- Services allegedly performed that were not actually necessary

ON PREMISES VS CLOUD
Cloud data should be stored and have data sovereignty in region stored.
• Many countries have laws requiring businesses to store data within their borders.
• The US introduced the Clarifying Lawful Overseas Use of Data (CLOUD) Act in 2018 due to the problems that the FBI faced in forcing Microsoft to hand over data stored in Ireland. Aids in evidence collection in investigation of serious crimes.
• In 2019, the US and the UK signed a data-sharing agreement to give law enforcement agencies in each country faster access to evidence held by cloud service providers.
Verifying right-to-audit and audit procedures with your cloud provider, to ensure you understand your rights and their legal obligations before you sign contracts, is critical.

ON PREMISES VS CLOUD
Forensic investigators should know their legal rights in every jurisdiction (region or country) where the organization hosts data in the cloud.
• Some countries will not allow eDiscovery from outside their borders.
• In traditional forensic procedures, it is “easy” to maintain an accurate history of time, location, and handling.
• In the cloud, physical location is somewhat obscure. However, investigators can acquire a VM image from any workstation connected to the internet.
• Time stamps and offsets can be more challenging due to location.
• Maintaining a proper chain of custody is more challenging in the cloud.
Data breach notification laws: vary by country and regulations. For example, GDPR requires notification within 72 hours, and applies to ANY company with customers in the EU!

INTEGRITY
Hashing: when either the forensic copy or the system image is being analyzed, the data and applications are hashed at collection.
Checksums: the hash can be used as a checksum to ensure integrity later. A file can be hashed before and after collection to ensure a match on the original hash value to prove data integrity.
Provenance: data provenance effectively provides a historical record of data and its origin and forensic activities performed on it.
• Similar to data lineage, but also includes the inputs, entities, systems and processes that influenced the data.

PRESERVATION
Data needs to be preserved in its original state so that it can be produced as evidence in court.
• Original data must remain unaltered and pristine.
What is a “forensic copy” of evidence?
• An image or exact, sector by sector, copy of a hard disk or other storage device, taken using specialized software, preserving an exact copy of the original disk.
• Deleted files, slack space, system files and executables (and documents renamed to mimic system files and executables) are all part of a forensic image.
Putting a copy of the most vital evidence in a WORM drive will prevent any tampering with the evidence (you cannot delete data from a WORM drive). You could also write-protect/put a legal hold on some types of cloud storage.

E-DISCOVERY (ELECTRONIC DISCOVERY)
E-discovery is about gathering the data.
E-discovery: the process of identifying, preserving, collecting, processing, reviewing, and producing electronically stored information (ESI) in litigation.
The digital forensics process involves identifying, preserving, collecting, recovering, analyzing, and reporting on digital information.
During e-discovery, Cloud Service Providers (CSP) may be subpoenaed to allow collection, review, and interpretation of electronic documents and data.

Digital forensics vs eDiscovery: what’s the difference?
• Computer forensics involves the use of a forensic expert to protect data integrity and to copy/capture/recover the data stored on a device.
• eDiscovery firms typically do not analyze the data they collect.
• Forensic investigators have specialized training enabling them to analyze data, protect data integrity, and recover missing or deleted data.

DATA RECOVERY
Requires specialized training and knowledge.
A process used to retrieve data which will be used for legal purposes.
• Investigators must work with information in a way that will not change or compromise the original source.
• They can use a variety of techniques to fill in missing pieces or make information meaningful.
• EXAMPLE: restoring a damaged or deleted partition, looking for traces of information which could reveal how and when the partition was used.
• Investigators may be working with computers which have been seeded with safety measures to prevent legal investigations, requiring special procedures.
E-discovery works in conjunction with digital forensics; their functions are complementary.

NON-REPUDIATION
Non-repudiation is the guarantee that no one can deny a transaction.
Digital signatures prove that a digital message or document was not modified, intentionally or unintentionally, from the time it was signed.
• Based on asymmetric cryptography (a public/private key pair).
• The digital equivalent of a handwritten signature or stamped seal.
Message authentication code (MAC). The two parties that are communicating can verify non-repudiation.
• Is generated via a cryptographic algorithm that depends on both the message and a session key known only to the sender and receiver.
Digital signatures are covered in more detail in Domain 2.

STRATEGIC INTELLIGENCE/COUNTERINTELLIGENCE
Strategic intelligence. Historically, when governments gather (and potentially exchange) data about cyber criminals so that they can work together to reduce threats.
• In the context of forensic investigation, gathering evidence can also be performed using strategic intelligence methods.
• Focuses on gathering threat information about a domain, including business info, geographic info, or other details on a specific country.
Counterintelligence. The target of someone’s strategic intelligence may want to prevent that intelligence gathering from occurring.
• The target may perform strategic counterintelligence (CI) to identify and disrupt the adversary gathering intelligence.

5.0 Governance, Risk, and Compliance
5.1 Compare and contrast various types of controls
• Category
  • Managerial
  • Operational
  • Technical
• Control type
  • Preventive
  • Detective
  • Corrective
  • Deterrent
  • Compensating
  • Physical
Know the security controls that fall into each category!

DOMAIN 5: CONTROLS
Security measures for countering and minimizing loss or unavailability of services or apps due to vulnerabilities.
The terms safeguards and countermeasure may seem to be used interchangeably.
are proactive
are reactive
Functional order of security controls: Deterrence, Denial, Detection, Delay.

SECURITY CONTROLS
There are three categories of security controls:
Managerial. Policies and procedures defined by the org’s security policy, other regulations and requirements.
Operational. Executed by company personnel during their day-to-day operations.
security awareness training, change mgmt, BCP
Technical. aka “logical”; involves the hardware or software mechanisms implemented by the IT team to reduce risk.
firewall rules, antivirus/malware, IDS/IPS, etc.

CONTROL TYPES
Deterrent. Deployed to discourage violation of security policies.
Preventative. Deployed to thwart or stop unwanted or unauthorized activity from occurring.
Detective. Deployed to discover or detect unwanted or unauthorized activity.
Compensating. Provides options to other existing controls to aid in enforcement of security policies.
Corrective. Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred.
Physical. A control you can physically touch.

CONTROL TYPES
Preventative: deployed to stop unwanted or unauthorized activity from occurring.
EXAMPLES: fences, locks, biometrics, mantraps, alarm systems, job rotation, data classification, penetration testing, access control methods.
Deterrent: deployed to discourage the violation of security policies. A deterrent control picks up where prevention leaves off.
EXAMPLES: locks, fences, security badges, security guards, mantraps, security cameras, trespass or intrusion alarms, separation of duties, awareness training, encryption, auditing, and firewalls.

CONTROL TYPES
Detective: deployed to discover unwanted or unauthorized activity. Often are after-the-fact controls rather than real-time controls.
EXAMPLES: security guards, guard dogs, motion detectors, job rotation, mandatory vacations, audit trails, intrusion detection systems, violation reports, honey pots, and incident investigations.
Physical: barriers deployed to prevent direct contact with systems or portions of a facility.
EXAMPLES: guards, fences, motion detectors, locked doors, sealed windows, lights, cable protections, laptop locks, swipe cards, guard dogs, video cameras, mantraps, and alarms.

CONTROL TYPES
Corrective: deployed to restore systems to normal after an unwanted or unauthorized activity has occurred. Has minimal capability to respond to access violations.
EXAMPLES: intrusion prevention systems, antivirus solutions, alarms, mantraps, business continuity planning, and security policies.
Compensating: deployed to provide options to other existing controls to aid in the enforcement and support of a security policy.
EXAMPLES: security policy, personnel supervision, monitoring, and work task procedures.

5.0 Governance, Risk, and Compliance
5.2 Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture
• Regulations, standards, and legislation
  • General Data Protection Regulation (GDPR)
  • National, territory, or state laws
  • Payment Card Industry Data Security Standard (PCI DSS)
• Key frameworks
  • Center for Internet Security (CIS)
  • National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)/Cybersecurity Framework (CSF)
  • International Organization for Standardization (ISO) 27001/27002/27701/31000
  • SSAE SOC 2 Type I/II
  • Cloud security alliance
  • Cloud control matrix
  • Reference architecture
• Benchmarks/secure configuration guides
  • Platform/vendor-specific guides
  • Web server
  • OS
  • Application server
  • Network infrastructure devices

©2022 Inside Cloud and Security. No reuse without written permission

DEFINING SENSITIVE DATA
Sensitive data is any information that isn’t public or unclassified.
Personally Identifiable Information (PII). Any information that can identify an individual (name, SSN, birthdate/place, biometric records, etc.).
Protected Health Information (PHI). Health-related information that can be related to a specific person.

REGULATIONS, STANDARDS, AND LEGISLATION
General Data Protection Regulation: deals with the handling of data while maintaining privacy and rights of an individual.
• It is international, as it was created by the EU, which has 27 different countries as members.
• GDPR applies to ANY company with customers in the EU.

REGULATIONS, STANDARDS, AND LEGISLATION
Steps to reduce or eliminate GDPR requirements:
Anonymization. The process of removing all relevant data so that it is impossible to identify the original subject or person.
• If done effectively, then GDPR is no longer relevant for the anonymized data.
• Good only if you don’t need the data!
Pseudonymization. The process of using pseudonyms (aliases) to represent other data.
• Can result in less stringent requirements than would otherwise apply under the GDPR.
• Use if you need data and want to reduce exposure.

REGULATIONS, STANDARDS, AND LEGISLATION
Gramm-Leach-Bliley Act (GLBA): focused on services of banks, lenders, and insurance.
• Severely limited services they could provide and the information they could share with each other.

LEGAL & REGULATORY
Federal Information Security Management Act:
• Required formal infosec operations for federal gov’t.
• Requires that government agencies include the activities of contractors in their security management programs.
• Repealed and replaced the Computer Security Act of 1987 and Government Information Security Reform Act of 2000.
• NIST is responsible for developing the FISMA implementation guidelines.
Any mention on the exam will be brief. Remember it applies to “government”.

LEGAL & REGULATORY
HIPAA (Health Insurance Portability and Accountability Act)
HITECH (Health Information Technology for Economic and Clinical Health): widens scope of privacy protections under HIPAA.
Gramm-Leach-Bliley Act (financial institutions)
Children’s Online Privacy Protection Act (COPPA): was designed to protect children under age 13.
Electronic Communications Privacy Act (ECPA): prohibits a third party from intercepting or disclosing communications without authorization.

REGULATIONS, STANDARDS, AND LEGISLATION
Payment Card Industry Data Security Standard: a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions.
• Created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.
BASED ON 6 MAJOR OBJECTIVES
> a secure network must be maintained in which transactions can be conducted
> cardholder information must be protected wherever it is stored
> systems should be protected against the activities of malicious hackers
> cardholder data should be protected physically as well as electronically.
> networks must be constantly monitored and regularly tested
> a formal information security policy must be defined, maintained, and followed

KEY FRAMEWORKS
(CIS): a not-for-profit organization that publishes information on cybersecurity best practices and threats.
• Has tools to help harden your environment and provide risk management.
• Provides benchmarks for different operating systems and provides controls to help secure your organization.
• Details at https://www.cisecurity.org/cybersecurity-tools/.
(NIST) NIST RMF/CSF
Cyber Security Framework (CSF): a set of guidelines and best practices to help organizations build and improve their cybersecurity posture.
• CSF is aimed at private industry (commercial businesses).
• Replaces NIST's Risk Management Framework (RMF) and was designed to focus on risk management for governmental agencies.
• CSF available at https://www.nist.gov/cyberframework.
• RMF available at https://csrc.nist.gov/projects/risk-management/rmf-overview.

KEY FRAMEWORKS
(ISO): develops global technical, industrial and commercial standards. ISO standards for information systems include:
• ISO 27001 – Security techniques for Information Security Management Systems: an international standard on how to manage information security. Available at https://www.iso.org/standard/54534.html
• ISO 27002 – Code of Practice for Information Security Controls, which aims to improve the management of information. Available at https://www.iso.org/standard/54533.html.
• ISO 27701 – An extension to 27001/27002 for Privacy Information Management; provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS). Available at https://www.iso.org/standard/71670.html.
• ISO 31000 – provides principles, a framework and a process for managing risk for organizations of any size in any sector. Available at https://www.iso.org/standard/65694.html.
KEY FRAMEWORKS
(SSAE)
SSAE 18 is an audit standard to enhance the quality and usefulness of System and Organization Control (SOC) reports.
designed for larger organizations, such as cloud providers (the cost of a Type 2 report can run $30,000 or more).
SOC 2 Type 1: report that assesses the design of security processes at a specific point in time.
SOC 2 Type 2 (often written as “Type II”): assesses how effective those controls are over time by observing operations for six months.

KEY FRAMEWORKS
(CSA)
is a not-for-profit organization that produces resources to help Cloud Service Providers (CSPs), like online training, webinars, discussion groups, and virtual summits.
Cloud Control Matrix (CCM) is designed to provide a guide on security principles for cloud vendors and potential cloud customers to assess the overall risk of a cloud provider.
CSA Reference Architecture contains best security practices for CSPs and examples, examines topics, such as
- Security and risk
- Presentation services
- Application services
- Information services
- IT Operation and Support (ITOS)
- Business Operation and Support Services (BOSS)
FOR THE EXAM: Remember CSA CCM helps potential customers measure the overall risk of a CSP.

BENCHMARKS/SECURE CONFIGURATION GUIDES
benchmarks are configuration baselines and best practices for securely configuring a system.
Platform-/Vendor-Specific Guides: released with new products so that they can be set up as securely as possible, making them less vulnerable to attack.
Web Servers: the two main web servers used by commercial companies are Microsoft’s Internet Information Server (IIS), and the Linux-based Apache.
because they are public-facing, they are prime targets for hackers.
to help reduce the risk, both Microsoft and Apache provide security guides to help security teams reduce the attack surface, making them more secure.
These guides advise that updates are in place, unneeded services are disabled, and the operating system is hardened to minimize risk of security breach.

BENCHMARKS/SECURE CONFIGURATION GUIDES
Operating Systems: Most vendors, such as Microsoft, have guides that detail the best practices for installing their operating systems.
OS benchmarks are also available from CIS and others
Application Server: Vendors produce guides on how to configure application servers, such as email servers or database servers, to make them less vulnerable to attack.
Network Infrastructure Devices: companies like Cisco produce network devices and offer benchmarks for secure configuration.
benchmarks aim to ease process of securing a component, reduce attack footprint, and minimize risk of security breach.

5.0 Governance, Risk, and Compliance
5.3 Explain the importance of policies to organizational security
• Personnel
  • Acceptable use policy
  • Job rotation
  • Mandatory vacation
  • Separation of duties
  • Least privilege
  • Clean desk space
  • Background checks
  • Non-disclosure agreement (NDA)
  • Social media analysis
  • Onboarding
  • Offboarding
  • User training
    • Gamification
    • Capture the flag
    • Phishing campaigns
    • Phishing simulations
    • Computer-based training (CBT)
    • Role-based training
• Diversity of training techniques
• Third-party risk management
  • Vendors
  • Supply chain
  • Business partners
  • Service level agreement (SLA)
  • Memorandum of understanding (MOU)
  • Measurement systems analysis (MSA)
  • Business partnership agreement (BPA)
  • End of life (EOL)
  • End of service life (EOSL)
  • NDA
• Data
  • Classification
  • Governance
  • Retention
• Credential policies
  • Personnel
  • Third-party
  • Devices
  • Service accounts
  • Administrator/root accounts
• Organizational policies
  • Change management
  • Change control
  • Asset management

LIMITING ACCESS & damage
Need-to-know and the principle of least privilege are two standard IT security principles implemented in secure networks.
They limit access to data and systems so that users and other subjects have access only to what they require.
They help prevent security incidents
They help limit the scope of incidents when they occur.
When these principles are not followed, security incidents result in far greater damage to an organization.

preventing fraud and collusion
Collusion is an agreement among multiple persons to perform some unauthorized or illegal actions.
Separation of duties: a basic security principle that ensures that no single person can control all the elements of a critical function or system.
Job rotation: employees are rotated into different jobs, or tasks are assigned to different employees.
Implementing these policies helps prevent fraud by limiting actions individuals can do without colluding with others.

monitoring privileged operations
Privileged entities are trusted, but they can abuse their privileges.
it’s important to monitor all assignment of privileges and the use of privileged operations.
Goal: to ensure that trusted employees do not abuse the special privileges they are granted.
Monitoring these operations can also detect many attacks because attackers commonly use special privileges

espionage & sabotage
external: when a competitor tries to steal information, and they may use an internal employee.
insider: malicious insiders can perform sabotage against an org if they become disgruntled for some reason

Personnel policies
Clean desk space: increases the physical security of data by requiring employees to limit what is on their desk to what they are working on at the present time.
Anything else is secured and out of sight
NON-DISCLOSURE AGREEMENT: a legal contract intended to cover confidentiality.
The scope of an NDA will vary based on situation. Always review terms before signing any NDA
All potential employees should be thoroughly screened with an extensive background check before being hired and granted network access.
Should be part of employment screening policy

personnel
Acceptable use policy: describes how the employees in an organization can use company systems and resources, including software, hardware, and access.
Should include the consequences of misuse
Job rotation: not allowing one person to be in one position for a long period of time.
Extended control of assets can result in fraud
Mandatory vacation: requiring employees (especially those in sensitive areas) to take their vacations.
Replacement provides another measure of oversight

personnel
Separation of duties: a basic security principle that ensures that no single person can control all the elements of a critical function or system.
Reduces likelihood of collusion amongst employees
Least privilege: a subject should be given only those privileges necessary to complete their job-related tasks.
Can prevent or limit scope of security incidents and data theft
Social media analysis: analysis of a potential employee's social media during the hiring process to understand more about an individual based on their Internet presence.
Helps identify cultural alignment, character concerns

personnel
Onboarding: process of integrating a new employee into a company and its culture, customers, etc.
Often includes review and signing of company policies (like AUP)
Offboarding: the process that leads to the formal separation between an employee and the company through resignation, termination, or retirement.
Includes return of equipment, access badge, and exit interview
Disabling user access in this process should be aligned between IT and HR.

personnel
Gamification: used in computer-based training (CBT) to provide employees with a question/challenge.
can help to gauge learner retention of the information presented.
May promote competition by awarding points and a leader board
Capture the flag: a security related competition where someone is trying to hack into a resource to gain access to data.
team (offense) attempts to breach, while the team (defense) defend resources.
Benefits may include skills development, team-building, employee morale

personnel
false phishing emails sent to employees by IT using a service that measures response (pass/fail).
Fail often triggers just-in-time user training
Computer-based training (CBT): self-paced training available via computer, whether for job role or skills enhancement
May be “always available” and use measured
Role-based training: when the company carries out related training specific to a user’s specific job role
Should include training on role-specific security awareness

THIRD-PARTY RISK MANAGEMENT
Business partnership agreement (BPA): is used between two companies who want to participate in a business venture to make a profit.
details each partner’s contributions, rights and responsibilities, as well as the details of operations, decision-making, and sharing of profits.
also has rules for the partnership ending either at a given point or if one of the partners dies or moves on.
Memorandum of understanding (MOU): a formal agreement between two or more parties indicating their intention to work together toward a common goal.
similar to an SLA in that it defines the responsibilities of each party.
more formal alternative to handshake but lacks the binding power of a contract.
(MOA): similar to an MOU but serves as a legal document and describes terms and details of the agreement.

THIRD-PARTY RISK MANAGEMENT
Measurement Systems Analysis: provides a way for an organization to evaluate the quality of the process used in their measurement systems.
will assess the measurement process itself, and then calculate any uncertainty or variation in the measurement process.
evaluates the test method, instruments, and process to ensure the integrity of data used for analysis
MSA is an important element of Six Sigma methodology and of other quality management systems.

THIRD-PARTY RISK MANAGEMENT
NON-DISCLOSURE AGREEMENT: contract with vendors and suppliers not to disclose the company’s confidential information.
A “mutual NDA” binds both parties in the agreement
END OF LIFE: point at which a vendor stops selling a product and may limit replacement parts and support.
EOL often specific to an older version
END OF SERVICE LIFE: product is no longer sold by manufacturer, updates cease, and support agreements are not renewed.
considered the final phase of product life
Products are usually declared EOL before being declared EOSL.

THIRD-PARTY RISK MANAGEMENT
Today, most services are delivered through a chain of multiple entities
A secure supply chain includes who are secure, reliable, trustworthy, reputable
Due diligence should be exercised in assessing vendor security posture, business practices, and reliability
May include periodic attestation requiring vendors to confirm continued implementation of security practices
A vulnerable vendor in the supply chain puts the organization at risk

THIRD-PARTY RISK MANAGEMENT
When evaluating 3rd parties in the chain, consider:
On-Site Assessment. Visit organization, interview personnel, and observe their operating habits.
Document Exchange and Review. Investigate dataset and doc exchange, review processes.
Process/Policy Review. Request copies of their security policies, processes, or procedures.
Third-party Audit. Having an independent auditor provide an unbiased review of an entity’s security infrastructure.

THIRD-PARTY RISK MANAGEMENT
Service level agreement (SLA): stipulates performance expectations such as maximum downtimes and often includes penalties if the vendor doesn’t meet expectations.
Generally used with vendors (external)

Credential policies
Personnel (internal staff)
Identity provider will be under management of IT (greater control).
Avoid using shared accounts unless necessary.
breaks non-repudiation
Best practices for MFA, password complexity, and least privilege enforced.
Third-party (business partners, vendors, suppliers)
May include accounts from external identity providers (Azure AD, OAuth2, OpenID).
Should be required to use multi-factor authentication.
Additional conditions should be applied for sensitive operations.
Conditions might include location, device, connection method, etc.
Devices (desktops, laptops, mobile, point-of-sale, IoT)
Default passwords should be changed on devices with generic accounts.
For MDM managed devices, certificate authentication may be possible.
Access restricted for unknown/unmanaged and non-compliant devices

Credential policies
Service accounts: are used to run applications/services such as antivirus.
May run as local service accounts with the same rights as a user.
A system account provides higher level of privilege, giving a service full control.
Administrator accounts (Windows) and root accounts (Linux) should be protected as they enable elevated access.
Require periodic password changes and enforce password complexity.
Admin users should have two accounts: a normal user account for day-to-day use and an admin account for administrative duties.
All accounts should have some form of multi-factor authentication enabled.
SMS as a 2nd factor is discouraged

Conditional access (FROM DOMAIN 3, 3.7)
[Figure: conditional access; image credit: Microsoft]
often possible in federation scenarios (SAML, OAuth, OpenID)

ORGANIZATIONAL POLICIES
Can prevent security related incidents and outages
Configuration Management: ensures that systems are configured similarly, configurations are known and documented.
Baselining ensures that systems are deployed with a common baseline or starting point, and imaging is a common baselining method.
Change Management: the policy outlining the procedures for processing changes
helps reduce risk associated with changes, including outages or weakened security from unauthorized changes.
requires changes to be requested, approved, tested, and documented.
ORGANIZATIONAL POLICIES
Change Control: refers to the process of evaluating a change request within an organization and deciding if it should go ahead.
requests are sent to the Change Advisory Board (CAB) to ensure that the change is beneficial to the company.

Change Management: policy that details how changes will be processed in an organization. Guidance on the process.
Change Control: process of evaluating a change request to decide if it should be implemented. The process in action.

ORGANIZATIONAL POLICIES
Asset Management: process where each asset belonging to the company has been tagged and recorded in an asset register.
maintain an up-to-date asset register to ease the process of tracking and maintaining assets.
periodic (usually annual) audits need to be carried out to ensure that all assets are accounted for.
Can help Security team identify unauthorized devices on your network.
Asset classifications should match the data classifications.

Data policies
Data policies ensure data is classified, handled, stored, and disposed of in accordance with applicable regulations.
Classification: the process of labeling data with relevant classifications, indicating level of sensitivity, such as top secret, secret, confidential, or sensitive data.
classification determines how the data is handled. Discussed in section 5.5
Governance: the oversight and management that describes security controls applied at each stage of the data-handling process, from creation to destruction.
details the processes used to manage, store, and dispose of data to ensure that the organization meets their compliance obligations.
Retention: Organizations do not want to hold data any longer than they need to, as unnecessary retention increases liability and risk.
Org may have to retain data after its usefulness for regulatory compliance.
For example, one regulation requires hospitals to retain PHI for at least 5 years.
5.0 Governance, Risk, and Compliance
5.4 Summarize risk management processes and concepts
• Risk types
  • External
  • Internal
  • Legacy systems
  • Multiparty
  • IP theft
  • Software compliance / licensing
• Risk management strategies
  • Acceptance
  • Avoidance
  • Transference
  • Cybersecurity insurance
  • Mitigation
• Risk analysis
  • Risk register
  • Risk matrix/heat map
  • Risk control assessment
  • Risk control self-assessment
  • Risk awareness
  • Inherent risk
  • Residual risk
  • Control risk
  • Risk appetite
  • Regulations that affect risk posture
  • Risk assessment types
    • Qualitative
    • Quantitative
  • Likelihood of occurrence
  • Impact
  • Asset value
  • Single-loss expectancy (SLE)
  • Annualized loss expectancy (ALE)
  • Annualized rate of occurrence (ARO)
• Disasters
  • Environmental
  • Person-made
  • Internal vs. external
• Business impact analysis
  • Recovery time objective (RTO)
  • Recovery point objective (RPO)
  • Mean time to repair (MTTR)
  • Mean time between failures (MTBF)
  • Functional recovery plans
  • Single point of failure
  • Disaster recovery plan (DRP)
  • Mission essential functions
  • Identification of critical systems
  • Site risk assessment

Risk types
The six types of risk you should know for the exam
External: different threat actors, ranging from competitors and script kiddies to criminal syndicates and state actors.
Capabilities depend on tools, experience, and funding.
Other external environmental threats, such as fire and floods, and manmade threats, such as the accidental deletion of data or users.
Internal: a malicious insider, a threat actor who may be a dissatisfied employee (someone overlooked for a promotion).
Another internal threat is human error, which is when data is accidentally deleted.

Risk types
Legacy systems: risks may include end of support and security patches because vendor has deemed that the system has reached the end of its service life.
As technologies improve, so do the hacking tools, and the legacy systems may have limited or no protection against them.
Vulnerabilities to legacy systems tend to increase over time
Multiparty: when a contractor wins a contract and then sub-contracts some of the parts of the contract to other companies, who in turn subcontract again.
With many parties being involved in a single contract, if any of them goes out of business, it causes disruption to the company.
Any party in the agreement with security issues could also put the company at risk.
Common in supply chains, these risks should be addressed in BIA

Risk types
IP theft: if thieves steal your copyrighted material, trade secrets, and patents, it may result in a loss of revenue.
This data could be used in other countries where a legal route to recover your data or seek damages is impossible.
Data Loss Prevention (DLP) or document management systems can protect documents even if exfiltrated.
Software compliance / licensing: software purchased from a disreputable source may not include valid licenses, could lead to a fine, or may contain malware.
This would be a licensing violation
Employees may use more copies of the company-purchased software than the licenses that you purchase, sometimes for personal use.
Sometimes called a “compliance violation”

RISK MANAGEMENT STRATEGIES
Risk Acceptance. Do nothing, and you must accept the risk and potential loss if threat occurs.
Risk Mitigation. You do this by implementing a countermeasure and accepting the residual risk. The act of reducing risk
Risk Transference. Transfer (assign) risk to 3rd party, like by purchasing insurance against damage.
Risk Avoidance. When costs of mitigating or accepting are higher than benefits of the service.

RISK MANAGEMENT STRATEGIES
Risk Appetite. Sometimes called “risk tolerance”, is the amount of risk that a company is willing to accept.
These terms are often used interchangeably, though many experts can articulate a difference.
regulations addressing data privacy and security that influence an organization's risk posture include:
- General Data Protection Regulation (GDPR)
- Sarbanes-Oxley Act (SOX)
- Health Insurance Portability Accountability Act (HIPAA)
- Payment Card Industry & Data Security Standard regulations (PCI-DSS)

Risk analysis
Risk register: a tool in risk management and project management
Sometimes used to fulfill regulatory compliance but often to track potential issues that can derail intended outcomes.
Typically includes several details, including:
- Risk ID
- Description
- Probability
- Impact
- Severity
- Response
- Owner
Metrics in a risk register will vary from company to company.
Should be considered a living document and updated periodically (at least annually).

Risk Matrix/Heat Map
A risk matrix is used to provide a visual representation of risks affecting a company.
A heat map shows the severity of the situation, with the most severe risks being in red.
[Figure: risk matrix/heat map; axes: Likelihood, Impact]

Risk analysis
Risk control assessment: occurs when a company periodically checks that the risk controls that they have in place are still effective with changing technology.
May involve an external auditor or expert
Risk control self-assessment: conducted by employees within the company, often through survey or department-level review.
employees evaluate existing risk controls so management-level decision makers can decide if current controls are adequate.
A bottom-up approach often used in smaller organizations
Risk awareness: the process of educating employees to increase their risk awareness and encourage them to identify, review and report concerns.
Can bring new insights into reducing risk from those most familiar

TYPES OF RISK
The risk that remains even with all conceivable safeguards in place.
The risk management has chosen to accept rather than mitigate.
Newly identified risk not yet addressed with risk management strategies
The amount of risk that exists in the absence of controls.
The amount of risk an organization would face if no safeguards were implemented.
the likelihood that cyber incidents will exploit vulnerabilities with an organization’s IT environment.

RISK ANALYSIS
Two ways to evaluate risk to assets: quantitative and qualitative
Quantitative: assigns a dollar value to evaluate effectiveness of countermeasures
OBJECTIVE, uses formulas
To prioritize, often initially calculated using “impact x probability” score
Qualitative: uses a scoring system to rank threats and effectiveness of countermeasures
SUBJECTIVE
typically uses low/med/high or number scale

RISK ANALYSIS
Exposure Factor (EF). The % of an asset's value lost due to an incident, represented as a decimal.
Single Loss Expectancy (SLE). How much would it cost you if it happened just ONE time?
SLE = Asset Value x Exposure Factor (SLE = AV x EF)
Annualized Rate of Occurrence (ARO). How many times does it happen in one year?
Watch for AROs longer than 1 year, which will be represented as a fraction.
EXAMPLE: One occurrence every 5 years = 0.2
ARO = “Likelihood of occurrence”
Annualized Loss Expectancy (ALE). How much you will lose per year?
ALE = SLE x ARO or AV x EF x ARO
Do not expect in-depth quantitative risk analysis on the exam. Do not worry about memorizing the formulas

RISK ANALYSIS
Asset Value (AV). Monetary value of the asset for which we are making calculations.
Safeguard Evaluation.
Answers the question “is this safeguard cost effective?”.
Organizations will not spend more than an asset’s value to protect the asset!

RISK ANALYSIS (EXTRA CREDIT)
The six major steps in quantitative risk analysis
1. Inventory assets and assign a value (asset value, or AV).
2. Identify threats. Research each asset and produce a list of all possible threats of each asset. (and calculate EF and SLE)
3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year. (the ARO aka “likelihood of occ”)
4. Estimate the potential loss by calculating the annualized loss expectancy (ALE).
5. Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure.
6. Perform a cost/benefit analysis of each countermeasure for each threat for each asset.

Environmental (natural) disasters
Know the common types of natural disasters that may threaten an organization.
- Earthquakes
- Floods
- Storms
- Tsunamis
- Volcanic eruptions

person-made disasters
Know the common types of person-made disasters that may threaten an organization.
- Explosions
- Electrical fires
- Terrorist acts
- Power outages
- Other utility failures

Internal vs external
How does disaster location factor in impact to the organization and influence DRP and BCP?
If an office is impacted, workers may be able to work from home.
Impact of an unavailable office will vary by type of business.
If a manufacturing facility, it may impact the organization's ability to produce products.
Risks will vary by site, and impacts by site purpose

Business impact analysis
Functional recovery plans: focus on the steps required to restore critical business processes.
plans use structured walkthroughs, tabletop exercises, and simulations.
Single point of failure: any non-redundant part of a system that, if unavailable, would cause the entire system or service to fail.
undesirable in any system that requires high availability and reliability, such as supply chains, networks, and applications.
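The six steps of quantitative risk analysis listed above, carried through in Python as an added example that is not part of the original slides. The assets, dollar figures, countermeasures and all names are constructed for illustration, and the net-benefit formula (ALE before, minus ALE after, minus the annual cost of the safeguard) is the usual cost/benefit calculation, which the slides do not spell out.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Threat:
    """One asset/threat pair: the output of steps 1-3."""
    asset: str
    name: str
    asset_value: float        # AV in dollars (step 1)
    exposure_factor: float    # EF as a decimal, e.g. 0.25 = 25% of AV lost (step 2)
    aro: float                # expected occurrences per year (step 3)

    def __post_init__(self) -> None:
        # Catches the common mistake of entering EF as a percentage (25 instead of 0.25).
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a decimal between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor   # SLE = AV x EF

    @property
    def ale(self) -> float:
        return self.sle * self.aro                        # ALE = SLE x ARO (step 4)


def aro_from_interval(years_between_events: float) -> float:
    """An event expected once every N years has an ARO of 1/N (every 5 years -> 0.2)."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


@dataclass(frozen=True)
class Countermeasure:
    """A safeguard and the EF and/or ARO expected once it is in place (step 5)."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None
    new_aro: Optional[float] = None


def evaluate(threat: Threat, cm: Countermeasure) -> dict:
    """Step 6: cost/benefit of one countermeasure against one threat."""
    after = replace(
        threat,
        exposure_factor=(threat.exposure_factor if cm.new_exposure_factor is None
                         else cm.new_exposure_factor),
        aro=threat.aro if cm.new_aro is None else cm.new_aro,
    )
    # Assumed formula (standard, not spelled out on the slides):
    # net benefit = ALE before - ALE after - annual cost of the safeguard.
    net_benefit = threat.ale - after.ale - cm.annual_cost
    return {
        "asset": threat.asset,
        "threat": threat.name,
        "sle": round(threat.sle, 2),
        "ale_before": round(threat.ale, 2),
        "ale_after": round(after.ale, 2),
        "net_benefit": round(net_benefit, 2),
        "cost_effective": net_benefit > 0,
        # The slides' rule of thumb: never spend more than the asset is worth.
        "exceeds_asset_value": cm.annual_cost > threat.asset_value,
    }


def analyse(register):
    """Evaluate every (threat, countermeasure) pair, highest ALE first."""
    ordered = sorted(register, key=lambda pair: pair[0].ale, reverse=True)
    return [evaluate(threat, cm) for threat, cm in ordered]


# Constructed sample register: every figure below is invented for illustration.
REGISTER = [
    (Threat("customer database", "ransomware", 200_000, 0.5, aro_from_interval(2)),
     Countermeasure("offline backups", annual_cost=12_000, new_exposure_factor=0.1)),
    (Threat("warehouse", "flood", 1_000_000, 0.3, aro_from_interval(5)),
     Countermeasure("flood barrier", annual_cost=60_000, new_exposure_factor=0.05)),
    (Threat("laptop", "theft", 2_000, 1.0, aro_from_interval(4)),
     Countermeasure("tracking service", annual_cost=2_500, new_aro=0.05)),
]

if __name__ == "__main__":
    for row in analyse(REGISTER):
        print(row)
```

The flood barrier shows why step 6 matters: it removes most of the expected loss yet still costs more per year than it saves.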
Business impact analysis
Recovery point objective (RPO): is the age of data that must be recovered from backup storage for normal operations to resume if a system or network goes down
Recovery time objective (RTO): is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.
SLAs between a company and customers will influence RPO and RTO

BCP Definitions
Important BCP-related definitions for the exam
Business Impact Analysis (BIA): the process of assessing the impact of disasters to the business, including lost sales, recovery costs, etc.
BIA looks at financial loss following a disaster.
BCP (Business Continuity Plan): the overall organizational plan for “how-to” continue business. Business-focused
DRP (Disaster Recovery Plan): the plan for recovering from an IT disaster and having the IT infrastructure back in operation. Tech-focused

Business impact analysis
Mission essential functions: part of business impact assessment that determines what the company's mission-essential (business-critical) functions are.
Identification of critical systems: the process of identifying the systems that are required to support mission essential functions of the organization.
BIA findings, including these areas, will influence BCP and DRP

BUSINESS IMPACT ANALYSIS
Site risk assessment: assesses the security risk of a specific location (site) planned for use (or in use) to meet a business purpose.
will assess a variety of risks from exposure to natural and person-made disasters and other events that may impact business operations or human safety

BCP Definitions
Important BCP-related definitions for the exam
MTBF (Mean Time Between Failures): a time determination for how long a piece of IT infrastructure will continue to work before it fails.
MTTR (Mean Time to Repair): a time determination for how long it will take to get a piece of hardware/software repaired and back on-line.

goals of BCP and DRP
What are the core goals of disaster recovery and business continuity planning?
Minimizing the effects of a disaster by:
Improving responsiveness by the employees in different situations.
Easing confusion by providing written procedures and participation in drills.
Helping make logical decisions during a crisis.
An auditor assessing BIA will likely focus primarily on single points of failure, RPO and RTO in assessing the efficacy of the organization's plan.

5.0 Governance, Risk, and Compliance
5.5 Explain privacy and sensitive data concepts in relation to security
• Organizational consequences of privacy and data breaches
  • Reputation damage
  • Identity theft
  • Fines
  • IP theft
• Notifications of breaches
  • Escalation
  • Public notifications and disclosures
• Data types
  • Classifications
    • Public
    • Private
    • Sensitive
    • Confidential
    • Critical
    • Proprietary
  • Personally identifiable information (PII)
  • Health information
  • Financial information
  • Government data
  • Customer data
• Privacy enhancing technologies
  • Data minimization
  • Data masking
  • Tokenization
  • Anonymization
  • Pseudo-anonymization
• Roles and responsibilities
  • Data owners
  • Data controller
  • Data processor
  • Data custodian/steward
  • Data protection officer (DPO)
• Information life cycle
• Impact assessment
• Terms of agreement
• Privacy notice

Consequences of privacy and data breaches
effects may last for years!
can result in loss of customer trust and loss of revenue.
involves someone using a person’s private information to impersonate that individual, usually for financial gain.
might quickly cost customers, credit ratings, and brand reputation.
losing IP could mean forfeiture of first-to-market advantage, loss of profitability, or even entire lines of business to competitors or counterfeiters.
and may lead to lawsuits
failing to report a breach can result in fines that can reach into the millions of dollars.
GDPR outlines fines of up to 4% of a company's annual global revenues or 20 million euros for failing to report a breach.
ANY company with a customer in the EU is subject to GDPR

Notifications of breaches
If a data breach occurs, failing to report a breach can result in fines that can reach into the millions of dollars.
The EU sets their standard in GDPR, and notifications of data breaches must be reported within 72 hours.
Escalations. to external sources, like law enforcement or outside experts to stop/investigate breach.
Other countries have their own reporting timescale.
Delays sometimes allowed for criminal investigation

DATA CLASSIFICATIONS
Top Secret: Exceptionally grave damage
Secret: Serious damage
Confidential: Damage
Unclassified: No damage

Class 3, Confidential/Proprietary: Exceptionally grave damage
Class 2, Private: Serious damage
Class 1, Sensitive: Damage
Class 0, Public: No damage

DEFINING SENSITIVE DATA
Sensitive data is any information that isn’t public or unclassified.
Personally Identifiable Information (PII). any information that can identify an individual (name, SSN, birthdate/place, biometric records, etc)
Protected Health Information (PHI). any health-related information that can be related to a specific person. covered by HIPAA

DATA TYPES
Other sensitive data types you should know for the exam:
Critical Data: data that a company does not want to disclose; could also be classified and encrypted to prevent someone from reading it.
Proprietary Data: data generated by a company, such as its trade secrets, or work done by the R&D department.
Financial Information: data about a company's bank account, share capital, and any investments that it has made. It could also be credit card and payroll data.
Customer Data: data held about individual customers of an organization that should never be divulged.
Information of an account manager or representative at a business dealing with a customer is also classified as customer data.
Government Data: data collected by governmental agencies, and there are strict rules on how it can be shared, normally only internally.
governments often have strict rules contractors must follow when the contract has finished, and the data used in the contract is to be disposed of.
They CANNOT simply delete the data!

DATA ROLES AND RESPONSIBILITIES
The most likely to show up on the exam?
Data Owner. Usually a member of senior management. Can delegate some day-to-day duties. Cannot delegate total responsibility.
Data Custodian. Usually someone in the IT department. Does not decide what controls are needed, but does implement controls for data owner
TIP: if question mentions “day-to-day” it’s custodian!

DATA ROLES AND RESPONSIBILITIES
Be prepared to answer questions on other roles
Data Processor. A natural or legal person, public authority, agency, or other body, which processes personal data solely on behalf of the data controller.
Data Controller. The person or entity that controls processing of the data.
Data Protection Officer (DPO). Under GDPR, the DPO is a mandatory appointment within an organization. DPO ensures the organization complies with data regulations

PRIVACY ENHANCING TECHNOLOGIES
Tokenization: where meaningful data is replaced with a token that is generated randomly, and the original data is held in a vault.
Stateless, stronger than encryption, keys not local
Pseudo-anonymization: de-identification procedure in which personally identifiable information (PII) fields within a data record are replaced by one or more artificial identifiers, or pseudonyms.
Reversal requires access to another data source
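The tokenization and pseudo-anonymization described above, together with the data masking format (**** **** **** 1234) and anonymization from this section's privacy enhancing technologies, as an added Python example that is not part of the original slides. The class, function and field names and the sample records are constructed for illustration.

```python
import secrets


class TokenVault:
    """Tokenization: a random token replaces the value; the original is held only in the vault."""

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenize(self, value):
        if value in self._token_by_value:          # same input keeps the same token
            return self._token_by_value[value]
        token = "tok_" + secrets.token_hex(8)      # random, not derived from the value
        while token in self._value_by_token:       # regenerate on an (unlikely) collision
            token = "tok_" + secrets.token_hex(8)
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    def detokenize(self, token):
        # Reversal is a vault lookup; without the vault the token carries no information.
        return self._value_by_token[token]


def mask_pan(pan, visible=4):
    """Data masking: leave only the last digits of a card number readable."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    masked = "*" * (len(digits) - visible) + digits[-visible:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def pseudonymize(records, pii_fields):
    """Replace the PII fields of each record with one artificial identifier.

    Returns (records, lookup). The lookup maps pseudonym -> original PII and is the
    "other data source" needed for reversal, so it must be stored apart from the data.
    """
    lookup, seen, out = {}, {}, []
    for rec in records:
        identity = tuple(rec.get(field) for field in pii_fields)
        if identity not in seen:                   # one person keeps one pseudonym
            pseudonym = "subj_" + secrets.token_hex(4)
            while pseudonym in lookup:
                pseudonym = "subj_" + secrets.token_hex(4)
            seen[identity] = pseudonym
            lookup[pseudonym] = dict(zip(pii_fields, identity))
        clean = {k: v for k, v in rec.items() if k not in pii_fields}
        clean["subject_id"] = seen[identity]
        out.append(clean)
    return out, lookup


def anonymize(records, pii_fields):
    """Anonymization: drop the identity fields with no way back.

    Only the named fields are removed; remaining fields can still identify a
    person in combination, so choose pii_fields with that in mind.
    """
    return [{k: v for k, v in rec.items() if k not in pii_fields} for rec in records]


# Constructed sample data: names, numbers and diagnoses are invented.
PII_FIELDS = ("name", "ssn")
SAMPLE = [
    {"name": "Alex Example", "ssn": "000-00-0001", "visit": "2022-01-10", "diagnosis": "flu"},
    {"name": "Sam Sample", "ssn": "000-00-0002", "visit": "2022-01-11", "diagnosis": "sprain"},
    {"name": "Alex Example", "ssn": "000-00-0001", "visit": "2022-02-03", "diagnosis": "follow-up"},
]

if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111 1111 1111 1234"                    # constructed card number
    print(mask_pan(pan), vault.tokenize(pan))
    pseudo, lookup = pseudonymize(SAMPLE, PII_FIELDS)
    print(pseudo)
    print(anonymize(SAMPLE, PII_FIELDS))
```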
Process of removing all relevant data so that it is impossible to identify the original subject or person. Only effective if you do NOT need the identity data!
Only necessary data required to fulfill the specific purpose should be collected. Collect “the minimum amount” to meet the stated purpose and manage retention to meet regulations.
When only partial data is left in a data field. For example, a credit card may be shown as **** **** **** 1234. Commonly implemented within the database tier, but also possible in code of frontend applications.

The Information Lifecycle
[Diagram, “What we covered in DOMAIN 4”: Creation, Classification, Storage, Usage, Archive, Destruction] What do you need for the exam?
[Diagram, “What we covered in DOMAIN 4”: Creation, Classification, Storage, Use, Retention, Disposal] What you need for exam day is simpler than this!
Notes shown with the diagram:
Data should be protected by adequate security controls based on its classification.
refers to anytime data is in use or in transit over a network
Archival is sometimes needed to comply with laws or regulations requiring the retention of data.
When data is no longer needed, it should be destroyed in such a way that it is not readable.
The Information Lifecycle (for the Security+ exam)
One study guide presented this. [Diagram labels: Creation, classify, Disposal, Use, encrypt, Retention]
Others showed this as the info lifecycle. This is from the “Storage Networking Industry Association” on Wikipedia. [Diagram labels: Creation and Receipt, Distribution, Use, Maintenance, Disposition]
This is the diagram from the official study guide: (no diagram)

©2022 Inside Cloud and Security. No reuse without written permission

IMPACT ASSESSMENT
Assesses the potential impact to data security and privacy.
Can help Security identify appropriate security controls.
Should be conducted for new services, projects, and initiatives.
Helps the company avoid a data breach!
Enables proactively identifying and remediating issues before they become a production issue.

Terms of agreement
Protects the company.
May also be called “terms of service” or “terms and conditions”.
Tells the customer what will be legally required of them if they subscribe to your service or download and use your mobile app.
User must agree to the terms to use the service.
NOT required by law, but reduces risk to the company.

Protects the customer (user).
May also be called “privacy policy”.
Documents handling of personal data, answers questions like:
- What data is collected and for what purpose?
- With whom will data be shared?
Required by law in many regions/countries.