SSCP Study Guide
Created By: Kathleen Gillette and Makeia Jackson, Teaching Assistants

Domain 1: Access Control

Lesson 1.1: Access Control Concepts (SC)
Skills Learned from This Lesson: Access control fundamental concepts, Different Types of Access Control.

● Access Control Fundamental Concepts
  ○ Object: A passive entity that contains information.
    ■ Such as Applications, Data, Systems and Networks.
  ○ Subject: An active entity that requests access to an object or data within an object.
    ■ Authorized and Unauthorized users, Applications, Systems and Networks.
    ■ Applications and Networks are considered to be both objects and subjects, depending on what they are doing.
  ○ How they interact: The subject is the entity doing the accessing, and the Object is the entity that is being accessed or pulled.
● Different Types of Access Control
  ○ Discretionary Access Control: A means of assigning access rights based on rules specified by users.
    ■ The owner sets the permissions.
  ○ Rule Set-Based Access Control: An access control framework which gives data owners the discretion to determine the rules necessary to facilitate access.
    ■ The subject enters the enforcement area and requests access to an object. The enforcement area checks the rules that have been written or constructed by the data owner to determine whether the subject should be granted access. The rules come back with a yes or no, and the enforcement area returns that yes or no to the subject. If it's a yes, access to the object is granted. If it's a no, the subject is not granted access to the object.
  ○ Non-Discretionary Access Control: Controls that can't be changed by users; they must be changed by the administrator.

Brought to you by: Develop your team with the fastest growing catalog in the cybersecurity industry. Enterprise-grade workforce development management, advanced training features and detailed skill gap and competency analytics.
  ○ Role Based Access Control: Access decisions are based on the roles that individual users have as part of an organization.
    ■ People in certain departments can only access information that pertains to that department.
  ○ Content-Dependent Access Control: Works by permitting or denying subjects access to objects based on the content within the object. It concerns itself only with what (the information) is inside the object.
  ○ Context-Based Access Control: Concerned only with the context or sequence of events surrounding the access attempts.
  ○ Time-Based Access Control: Applies a time limitation to when a given role can be activated for a given access control subject.
    ■ Only allow users to access information between 9 AM and 5 PM.
  ○ Mandatory Access Control: Subjects are given clearance labels and objects are given sensitivity labels. Access rights are given based on the comparison of clearance and sensitivity labels.
    ■ Implements the concept of "Need to Know".
    ■ Clearance Labels: Confidential, Secret and Top Secret.
    ■ Objects: Have sensitivity labels, and access rights are given depending on the comparison.
    ■ IMPORTANT: It is a common mistake to get these confused, so know the difference.
  ○ Attribute-Based Access Control: An access control method where the subject's requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.
    ■ The user comes in and the system looks at the characteristics (the description): if the environment conditions are correct, if the attributes allow the access, and if the policy says they are allowed to access it, then they will be allowed to access those objects.
Lesson 1.2: Security Models (SC)
Skills Learned from This Lesson: Confidentiality

● Bell-LaPadula model: Used mostly in government or military institutions.
  ○ It has two properties:
    ■ Simple security property, otherwise known as No Read Up.
    ■ Star property, known as No Write Down.
  ○ There are four different security level clearances that the military uses:
    ■ Unclassified, Confidential, Secret and Top-Secret.
  ○ One example: John from the FBI has "Secret" clearance.
    ■ File A is labeled "Top-Secret". John cannot read File A because of No Read Up: John can't read anything above the Secret clearance level.
    ■ File B is labeled "Confidential". John can read File B, but can't write to it (No Write Down).
    ■ File C is labeled "Secret". John can read File C, but cannot write to it (No Write Down).

Lesson 1.3: Authentication Mechanisms (SC)
Skills Learned from This Lesson: Identification, Authentication, Authorization

● Identification: (Who is the subject?) Asserts a unique user or process identity and provides for accountability.
  ○ A person claims they are somebody and they need access to a certain system.
    ■ The most common types of identification are: UserID, PIN#, Account#.
● Authentication: (Proof of Identity) The process of verifying that the identity presented to the access control system belongs to the party that has presented it. It is the action of a person proving they are who they say they are.
  ○ The three main kinds of authentication:
    ■ Knowledge-based authentication, something you know: Passwords, PINs etc.
      WARNING: Knowledge-based authentication is insecure and difficult to keep safe.
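The label comparison behind Mandatory Access Control (Lesson 1.1) and the two Bell-LaPadula properties (Lesson 1.2), as an added example that is not part of the original guide. It orders the four clearance levels listed above and applies No Read Up and No Write Down to the "John" scenario; note that the standard star property permits a subject to write at its own level or higher, so a Secret subject may write to a Secret object here while a Confidential one stays read-only. Subject, object and file names are constructed for the example.

```python
"""Bell-LaPadula read/write decisions over the four military clearance levels."""
from dataclasses import dataclass

# Ordered lowest to highest, as listed in the guide.
LEVELS = ("Unclassified", "Confidential", "Secret", "Top-Secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str      # clearance label on the subject


@dataclass(frozen=True)
class Obj:
    name: str
    sensitivity: str    # sensitivity label on the object


def can_read(subject: Subject, obj: Obj) -> bool:
    """Simple security property (No Read Up): object level must not exceed clearance."""
    return RANK[obj.sensitivity] <= RANK[subject.clearance]


def can_write(subject: Subject, obj: Obj) -> bool:
    """Star property (No Write Down): object level must not be below clearance.
    Writing at the subject's own level or higher is allowed by the standard model."""
    return RANK[obj.sensitivity] >= RANK[subject.clearance]


def decide(subject: Subject, obj: Obj, op: str) -> bool:
    """Reference-monitor style decision for 'read' or 'write'; any other op is denied."""
    checks = {"read": can_read, "write": can_write}
    check = checks.get(op)
    return bool(check and check(subject, obj))


if __name__ == "__main__":
    john = Subject("John", "Secret")
    files = (Obj("File A", "Top-Secret"), Obj("File B", "Confidential"), Obj("File C", "Secret"))
    for f in files:
        print(f"{f.name} ({f.sensitivity}): read={decide(john, f, 'read')} "
              f"write={decide(john, f, 'write')}")
```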
  ○ Something you have: A physical device (smart cards and tokens) which the user has in their possession.
    ■ Types of tokens:
    ■ Static password token: The device contains a password that is physically hidden (not visible to the possessor) but that is transmitted for each authentication.
      There is a password hidden inside the token, and when a person wants to be authenticated, the token sends the password from the token to the server. The person can't see the password, but the server can.
    ■ Synchronous password token: A timer (a clock) is used to rotate through various combinations produced by cryptographic algorithms. The token and the authentication server must have synchronized clocks.
      The clock time is combined with the password inside the token through a cryptographic algorithm to create a different password every single time. The only way this will work is if both the token and the server have the same time. When the token is ready to be authenticated, the server sends the clock time to the token. The token then takes the password inside and combines it with the clock time, then sends that result to the server for authentication.
    ■ Asynchronous password token: A one-time password is generated without the use of a clock, from either a one-time pad or a cryptographic algorithm.
      Step 1: The challenge value is displayed on the computer.
      Step 2: The user enters the challenge value into the token device.
      Step 3: The token device combines it with the password and gives the result back to the person.
      Step 4: The person then takes that value and enters it into the computer.
      Step 5: The computer sends it to the server for authentication; if all is correct, authentication happens.
    ■ Challenge Response Token: The authentication server encrypts a challenge with a public key; the device proves it possesses a copy of the matching private key by providing the decrypted challenge.
      The server sends an encrypted key to the token, then the token decrypts the key and sends the key back to the server. The server then looks at it, and if it is the original key (before encryption) that the server sent, then authentication is granted.
      Remember: The server sends an encrypted key to the token, the token decrypts it and sends it back to the server.
    ■ Types of smart cards are:
      ● Contact Cards: Need to be inserted into a smart card reader with a direct connection. (Example: credit card with chip reader.)
      ● Contactless Cards: Require proximity to a reader. Both have antennae and use radio frequency. (Examples: Apple Pay, Tap to pay.)
  ○ Something you are.
    ■ Biometrics: Technologies that measure and analyze human body characteristics, such as DNA, fingerprints, voice patterns, facial patterns, and hand measurements, for authentication purposes.
    ■ Two main kinds of biometrics:
    ■ Behavioral Biometrics: Things that you have learned or acquired as you have developed since you were born.
      ● Signature analysis (the way you write your signature).
        ○ Pressure and form
        ○ The series of movements: acceleration, rhythm, and flow
        ○ WARNING: Your signature can change depending on circumstances and time, so this is not always the most accurate of biometric readers.
      ● Voice pattern recognition (the way you speak): Works by creating a collection of unique characteristics of the subject's voice. The subject then speaks, and the voices are compared.
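The synchronous password token described above, as an added example that is not part of the original guide: token and server share a secret and a clock, the token derives a fresh code from the current 30-second time step (the HMAC-based construction of RFC 4226/6238), and the server tolerates one step of clock drift while refusing to accept a code for a time step it has already accepted. The test secret is the published RFC test key; the TokenServer class and its drift window are assumptions for the example.

```python
"""Clock-synchronized one-time password token (RFC 6238 / RFC 4226 style)."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # how often the token rotates its code
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """Token side: combine the shared secret with the current clock step."""
    return hotp(secret, unix_time // STEP_SECONDS)


class TokenServer:
    """Server side: holds the same secret, allows a little clock drift, and never
    accepts the same (or an older) time step twice, so a sniffed code cannot be replayed."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // STEP_SECONDS
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            step = now_step + delta
            if step <= self.last_accepted_step:
                continue  # already used, or older than the last success
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"           # RFC 4226/6238 test key
    server = TokenServer(secret)
    code = totp(secret, 59)                      # token's clock reads 59 s
    print(code, server.verify(code, 59), server.verify(code, 59))  # 287082 True False
```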
        ○ WARNING: Your voice can change with circumstances and time, so this is not the most accurate form of authentication. There is a high probability of error.
      ● Keyboard dynamics (the way you type on a keyboard): Measures the keystrokes of the subject as they type in their username and password.
        ○ The length of time each key is held down
        ○ The length of time between keystrokes
        ○ The typing speed
        ○ The tendency to switch between the numeric keypad and keyboard numbers
        ○ The keystroke tendencies involved in capitalization
    ■ Physiological Biometrics: Things you are born with.
      ● Consist of the following recognition technologies:
      ● Fingerprints: Creates a geometric relationship of 30-40 points on the finger.
      ● Hand: Based on the location of several key points on the hand and fingers.
        ○ Length of fingers, position of knuckles, dimensions of hands and fingers, to determine who you are.
      ● Vascular: The ultimate palm reader; best described as an image of the veins in the subject's hand.
        ○ Unique to the individual and does not change.
      ● Eye: One of the oldest and most accurate biometric authentication mechanisms.
        ○ Only two kinds of eye scans:
          ■ Retina scan
          ■ Iris scan
      ● Facial Recognition: Uses a geometric model of 14-22 characteristics to perform recognition.
        ○ Different points represent different features on the grid of your face. Once that is transferred to the computer system, it looks through its database of facial comparisons to find the one that best matches.
    ■ Biometric Implementation Issues:
      ● Type I Error (False Rejection Rate, FRR): When a biometric system rejects an authorized individual.
      ● Type II Error (False Acceptance Rate, FAR): When the system accepts imposters who should be rejected.
        (FAR is the more dangerous of the two.)
        WARNING: TYPE II ERRORS ARE MORE DANGEROUS THAN TYPE I.
● Remember: Authentication consists of three categories:
  ○ Something you know
  ○ Something you have
  ○ Something you are
● Multi-Factor Authentication: Any two or three of the categories.
  ○ Something you know + Something you have
  ○ Or: Something you know + Something you are
● Multi-Factor Authentication: Using a password and a smartcard.
  ○ Using a password is something you know.
  ○ Using a smartcard is something you have.
● NOT Multi-Factor Authentication: Using a retina scan and voice recognition.
  ○ These are both something you are.
● Dual Control: Also known as "Split-knowledge". Requires two people to perform an action.
● Single sign-on: An authentication mechanism that allows a single identity to be shared across multiple applications. It allows a user to authenticate once and gain access to multiple resources.
  ○ Example: Google Authentication.
● Kerberos: Designed to provide strong authentication using secret-key cryptography.
  ○ Provides support for Authentication, Authorization, Confidentiality, Integrity and Nonrepudiation.
  ○ Kerberos uses ports 53 and 88 for TCP and UDP.
  ○ The way Kerberos works: the client sends a request for a ticket to the Authentication Service. The Authentication Service sends a ticket and a session key back to the client. The client requests access to the server by going to the Ticket Granting Service with a key. If the Ticket Granting Service accepts the ticket, it sends the encrypted session key and the ticket back to the client. The client then sends the ticket and the session key to the server, and the server responds by sending the encrypted time stamp for client validation.
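The Type I / Type II trade-off from the biometric implementation issues above, as an added example that is not part of the original guide. Given constructed match scores for genuine users and for impostors, it computes FRR and FAR at a given acceptance threshold, finds the crossover point where the two rates meet, and shows that driving FAR (the more dangerous error) to zero raises the threshold and with it the FRR. The score lists and the threshold scale are constructed for the example.

```python
"""False Rejection Rate (Type I) and False Acceptance Rate (Type II) versus threshold."""
from typing import Iterable, Sequence, Tuple

# Constructed similarity scores in [0, 100]; higher means a closer match to the
# enrolled template. Genuine = authorized users against their own template,
# impostor = other people against that template.
GENUINE = [92, 88, 85, 79, 76, 74, 70, 66, 61, 55]
IMPOSTOR = [58, 52, 49, 45, 41, 38, 35, 30, 24, 18]


def rates(genuine: Sequence[int], impostor: Sequence[int], threshold: int) -> Tuple[float, float]:
    """Return (FRR, FAR) when any score >= threshold is accepted.
    FRR (Type I): genuine attempts rejected. FAR (Type II): impostor attempts accepted."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover(genuine: Sequence[int], impostor: Sequence[int],
              thresholds: Iterable[int] = range(0, 101)) -> int:
    """Threshold at which FRR and FAR are closest (the crossover / equal error rate)."""
    def gap(t: int) -> float:
        frr, far = rates(genuine, impostor, t)
        return abs(frr - far)
    return min(thresholds, key=gap)


def threshold_for_far(genuine: Sequence[int], impostor: Sequence[int], max_far: float,
                      thresholds: Iterable[int] = range(0, 101)) -> int:
    """Lowest threshold that keeps FAR at or below max_far; the price shows up as FRR."""
    for t in thresholds:
        if rates(genuine, impostor, t)[1] <= max_far:
            return t
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    t = crossover(GENUINE, IMPOSTOR)
    print("crossover threshold", t, "FRR/FAR", rates(GENUINE, IMPOSTOR, t))
    strict = threshold_for_far(GENUINE, IMPOSTOR, max_far=0.0)
    print("zero-FAR threshold", strict, "FRR/FAR", rates(GENUINE, IMPOSTOR, strict))
```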
● Authorization: What a user can do once they have been authenticated.
  ○ Dictates what a person can or cannot do once they have been authenticated, which is decided by the authorization table.

Lesson 1.4: Trust Architectures (SC)
Skills Learned from This Lesson: Identity Management Life Cycle, Trust Architectures, Trust Direction

● Trust Architecture
  ○ Intranet: A localized network belonging to an organization.
  ○ Extranet: A computer network that allows controlled computer access from the outside for specific business or educational purposes.
  ○ DMZ: This architecture sits between the internet and the extranet. It prevents outside users from getting direct access to a server that has company data.
  ○ Internet: A global system of interconnected computer networks that use the TCP/IP suite to link devices all around the world.
  ○ Trust: The belief in the security of a connection between domains.
  ○ Trusted Path: A series of trust relationships that authentication requests must follow between domains. (A software channel that is used for communication between two processes that cannot be circumvented.)
● There are three kinds of trust:
  ○ One-Way trust (trust is in one direction): Domain A has access to Domain B.
  ○ Two-Way trust (trust can go in either direction): Domain A has access to Domain B and Domain B has access to Domain A.
  ○ Trust Transitivity: Determines whether a trust can be extended outside the two domains between which the trust was formed. (Domain A has access to Domain B and Domain B has access to Domain C, therefore Domain A has access to Domain C through Domain B without the access being direct.)
● Identity Management Life Cycle: There are five areas that make up this life cycle.
  These manage the users and people who are part of an organization.
  ○ Authorization: Determines whether a user is permitted to access a resource.
  ○ Proofing: Verifies people's identities before they are issued accounts and credentials.
  ○ Provisioning: Automation of all procedures and tools.
  ○ Maintenance: Comprised of user management, password management, and role/group management.
  ○ Entitlement: A set of rules for managing access to a resource and for what purpose.

Domain 2: Security Operations

Lesson 2.1: Code of Ethics (SC)
Skills Learned from This Lesson: ISC2 Code of Ethics, CIA Triad, Non-Repudiation & Privacy, Security Best Practices

● Code of Ethics: The absolute standard of professionalism, and the necessary qualifications for being an SSCP (it separates us from the bad guys).
  ○ The four tenets as a Practitioner, the minimum requirements, are:
    ■ Protect society, the commonwealth, and the infrastructure.
    ■ Act honorably, honestly, justly, responsibly, and legally.
    ■ Provide diligent and competent service to principals.
    ■ Advance and protect the profession.
  ○ The Ethics Canons:
    ■ Tell the truth
    ■ Be confident
    ■ Be respectful
    ■ Honor and trust the privilege given to you.
  ○ Both the Code of Ethics and the Ethics Canons MUST be followed: there are serious consequences for any violation of conduct, and you are subject to disciplinary action by the ISC2 Ethics Committee. Your SSCP could be revoked!
● CIA Triad and Beyond: The main principle of cybersecurity; it is the fundamental thing in cybersecurity and everything can come back to the CIA Triad.
  ○ Three major components of the CIA Triad:
    ■ Confidentiality: Information is made available on a need-to-know basis. This is dictated by the organization's conduct and principles.
      ● If Confidentiality is breached you will find legal trouble and loss of confidence. Confidentiality supports the principle of Least Privilege: only what you need to do your job. Information is kept confidential using Access Control Systems and security models. (Review Domain 1.)
      ● The most important aspect of information security.
    ■ Integrity: The way that information is recorded, used and maintained. Keeping the data pure and not allowing it to get tarnished is the main job of Integrity.
      ● The key to ensuring integrity is always to have knowledge of the state of the information. (Create a baseline of what the data should look like on a normal basis. Once you have this baseline, you check the data against the baseline at any given time. If the conditions of the data are the same in both the baseline and the current state, then integrity is maintained. If they are different, then integrity is not being maintained.)
      ● It is impossible to talk about Integrity without reflecting on the Sarbanes-Oxley Act. This act mandates controls over financial reporting. Integrity is dictated by laws and regulations.
      ● Consequences if integrity is not enforced: calculation errors and inaccurate reporting, which lead to uninformed business decisions and inadmissible evidence in court.
    ■ Availability: Being able to access information when you need it. Availability is defined in the form of:
      ● SLAs: Service Level Agreements, which state the amount of uptime that a system is guaranteed.
      ● RTOs: Recovery Time Objective, which focuses on, once the system or data is unavailable, the maximum period allowed to resume and be available again.
      ● RAID: Redundant Array of Independent Disks, which is a backup in case data gets destroyed or becomes unusable; the backup data can be inserted in place of the data that was destroyed or is no longer usable.
      ● Consequences: include service interruption and loss of revenue.
  ○ (BEYOND)
    ■ Non-Repudiation: A service that ensures the sender cannot deny a message was sent and that the integrity of the message is intact.
      ● This is accomplished through digital signatures and public key infrastructure.
      ● Overview of Public Key Infrastructure: Think of two keys, Key A and Key B. If something is encrypted with Key A it can only be decrypted with Key B, and vice versa; the keys only work with each other.
      ● So, when a person signs a document, the signature is encrypted with one of the keys, so when the message is sent to the other person they can decrypt it with the other key. The two keys can only encrypt and decrypt each other, which ensures that the sender cannot deny that the message was sent, because it was encrypted with their key.
    ■ Privacy: The rights and obligations of individuals and organizations with respect to the collection, use, retention, and disclosure of personal information.
      ● Privacy is a high-level concept about any information about or on an individual.
      ● The "How-To" guide for personal data: GDPR.
    ■ Best Practices: A defined method that has been tested and proven to consistently lead to a desired result. There is a "best practice" for every aspect of cybersecurity.
      ● Email security
      ● Web security, etc.
      ● Best Practices are flexible enough to be modeled for your organization. Most important is to address the needs of your organization first.
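The integrity baseline described under Lesson 2.1 above (record the normal state, then compare the current state against it), as an added example that is not part of the original guide. It fingerprints a constructed set of files, reports modified, missing and unexpected files on a later check, and adds the caveat a practitioner needs: the baseline itself is sealed with a keyed HMAC, because a baseline that can be edited alongside the data proves nothing. File contents and the sealing key are constructed.

```python
"""Integrity baseline check: record a known-good state, then compare the current state to it."""
import hashlib
import hmac
import json
from typing import Dict, List, Mapping

# Constructed "known good" snapshot of two files, and a later, altered snapshot.
BASELINE_STATE = {
    "ledger.csv": b"acct,balance\n1001,250.00\n1002,80.00\n",
    "app.conf": b"debug=false\n",
}
CURRENT_STATE = {
    "ledger.csv": b"acct,balance\n1001,250.00\n1002,8000.00\n",  # balance altered
    "app.conf": b"debug=false\n",
    "notes.txt": b"scratch\n",                                    # never baselined
}


def fingerprint(content: bytes) -> str:
    """SHA-256 of the content; any change to the data changes this value."""
    return hashlib.sha256(content).hexdigest()


def make_baseline(files: Mapping[str, bytes]) -> Dict[str, str]:
    """Take the baseline while the data is known to be in its normal state."""
    return {path: fingerprint(data) for path, data in files.items()}


def check_integrity(baseline: Mapping[str, str], current: Mapping[str, bytes]) -> List[str]:
    """Compare the current state to the baseline. An empty list means integrity is maintained."""
    findings = []
    for path, expected in baseline.items():
        if path not in current:
            findings.append(f"missing: {path}")
        elif not hmac.compare_digest(fingerprint(current[path]), expected):
            findings.append(f"modified: {path}")
    for path in current:
        if path not in baseline:
            findings.append(f"unexpected: {path}")
    return sorted(findings)


def seal_baseline(baseline: Mapping[str, str], key: bytes) -> str:
    """Keyed MAC over the canonical baseline, so the baseline cannot be quietly
    re-recorded by whoever altered the data. The key stays with the integrity owner."""
    canonical = json.dumps(dict(baseline), sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def baseline_is_authentic(baseline: Mapping[str, str], key: bytes, seal: str) -> bool:
    return hmac.compare_digest(seal_baseline(baseline, key), seal)


if __name__ == "__main__":
    base = make_baseline(BASELINE_STATE)
    print(check_integrity(base, CURRENT_STATE))  # ['modified: ledger.csv', 'unexpected: notes.txt']
```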
Lesson 2.2: Security Architecture (SC)
Skills Learned from This Lesson: Security Architectures, Controls, System Security Plan

● Security Architecture: The practice of designing a framework for the structure and function of all information security systems and practices in the organization.
● Components of a Security Architecture are:
  ○ Defense-In-Depth: Implementation of multiple controls so that successful penetration and compromise is more difficult to attain.
    ■ It is important to add layers to make up for the imperfections in security defenses. Overlapping defenses are effective because they minimize the different ways an attack can occur.
    ■ For example, email security for email attack vectors, or web security for browser attack vectors. Defense-In-Depth avoids single points of failure.
    ■ This also applies to outside-in attacks and inside-out attacks; Defense-In-Depth prevents attacks from the outside coming into your organization, and insider threats.
  ○ Second component of security architecture, Risk-Based Controls:
    ■ Risk: Defined as the combination of Threat + Vulnerability + Impact. Risk basically shows the damage that could be done if security controls do not exist.
    ■ Tangible Risk: stolen assets. Intangible Risk: loss of investor confidence.
    ■ Controls are implemented based on risk assessments and analysis and the value of the assets.
      ● Management needs to be able to correctly assess the risk using a standard process, which is needed for consistent results.
      ● Such as: OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) and COBRA (Consultative, Objective and Bi-Functional Risk Analysis).
      ● These are standard processes for determining risk and provide consistent results time after time.
      ● Accurate, consistent results are key success factors in getting organizational buy-in for security measures.
  ○ Least Privilege: The concept of "Need to Know". People can only access enough information to do their job properly.
    ■ Reduces the number of authorized users doing unauthorized actions. Also reduces accidental errors (you can't delete a file you don't have access to).
    ■ Makes a hacker's job much more difficult: the hacker's ability to maneuver about the network is much harder.
    ■ Can be implemented at different security layers, such as the OS level, application, process, file or physical levels.
  ○ Authorization: Determines what a person can do once authenticated; this is the third step in the access control system.
    ■ Authorization records are kept for validation purposes: these records are kept to determine whether the process of accessing data is working as intended. They are also kept for determining breaches and as forensic evidence.
  ○ Accountability: A principle that ties authorized users to their actions.
    ■ This is enforced through user accounts and event logs. (Always protect your credentials from unauthorized use: even if it was not you, the action will be traced back to you.)
  ○ Separation of Duties: A security mechanism for preventing fraud and unauthorized use that requires two or more individuals to complete a task or perform a specific function.
    ■ This is when a task is broken up into two separate parts and two people are required to complete the entire task.
    ■ A key concept of internal control: if a person submits a request to look at a document, they cannot be the same person to approve that request. (One person to access it and the other person to approve it.)
    ■ Is used with dual control, mandatory vacation, and job rotation.
    ■ Dual control: Two people must simultaneously participate to allow access.
  ○ Controls: Safeguards and countermeasures that are implemented to mitigate, lessen, or avoid a risk.
    ■ Three categories of controls:
      ● Management: Based on the management of risk and the management of information system security. Controls created by people, which exist in the form of policies and procedures.
      ● Technical: Controls that are executed through mechanisms contained in the hardware, software and firmware of the components of the system. The human only sets it up and the system does the rest. (ex. Access Controls)
      ● Operational: Primarily implemented and executed by people (ex. Personnel Security), such as a security guard who verifies badges to make sure no unauthorized person gets into an organization.
    ■ Within the three categories of Management, Technical, and Operational are seven different control types, which apply to each category:
      ● Directive: specify acceptable rules of behavior
      ● Deterrent: discourage people from violating security direction
      ● Preventive: controls for stopping a security incident
      ● Compensating: substitute controls for loss of primary controls
      ● Corrective: implemented to mitigate any damage
      ● Detective: signal a warning when something has been breached
      ● Recovery: restore conditions back to normal
  ○ System Security Plan: A comprehensive document that details the security requirements for a system, the controls established to meet those requirements, and the responsibilities of those administering and accessing the system.
    ■ Roles and responsibilities of a system security plan include:
      ● System Owner: The person responsible for the creation of the system, implementation, integration and maintenance. (Overall responsibility for the system.)
      ● Information Owner: Has the overall authority on the information stored, processed or transmitted by the system.
      ● Security Officer: Responsible for coordinating development, review and acceptance of the security plan.
      ● Authorizing Official: A manager or a senior executive with the authority to assume full responsibility for the system covered in the system security plan.
    ■ A System Security Plan needs to include:
      ● People and their roles (review above).
      ● Contacts: People who have knowledge of the configuration or the operation of the system.
      ● Requirements: The requirements for confidentiality, integrity and availability of the resources of that system.
      ● Controls: Any type of controls which have been implemented to back up and enforce the requirements of this system.
      ● Procedures: For maintenance and review.

Lesson 2.3: Secure Development and Acquisition Lifecycle (SC)
Skills Learned from This Lesson: System Vulnerabilities, Secure Development, Acquisition Practices

How to securely design computer systems: Secure development reduces system vulnerabilities, and when we make this a habit there will be a perfect opportunity to design a secure system. Physically and actively participate in the development of a system; it is important for the practitioner to know and understand how these systems are developed. The most popular secure development system is the waterfall method.

● Waterfall Methodology: Used in most organizations world-wide. How it works: it starts at the top, with the first step of Requirements, and goes through to the last step systematically. It goes down through all six steps until completed. It is a one-directional path; you cannot go back up. So make sure each step is completed before you go on to the next step.
  ○ (Step 1) Requirements Gathering & Analysis
    ■ Functional and Non-Functional Requirements are documented.
    ■ Functional: user interaction and processing steps.
    ■ Non-Functional: performance and system constraints.
    ■ Security Requirements are defined.
    ■ Requirements are turned into system diagrams and presented to the stakeholders, the people who have an interest in the system.
  ○ (Step 2) System Design
    ■ Requirements are turned into flow charts & narratives.
    ■ Design walkthroughs are held to ensure all requirements are there.
      ● Once they pass the approval of all the stakeholders, who make sure all the requirements are there, this is when the system begins to be implemented.
  ○ (Step 3) Implementation
    ■ Programming is done and modules are created.
      ● In small blocks of code that are easily tested, applied and edited.
    ■ The security practitioner is responsible for the correct implementation of all the security concepts.
  ○ (Step 4) Integration
    ■ Modules are combined and tested.
  ○ (Step 5) Deployment of System
    ■ The application is sent to a controlled environment for quality assurance.
    ■ The application is then put into production.
  ○ (Step 6) Maintenance
    ■ Bugs and vulnerabilities are patched and fixed to maintain the integrity of the system.
● Spiral method: Very similar to the waterfall method in that there are six different steps, starting from requirements down to maintenance. What makes this method unique is a loop (Plan-Do-Check-Act, PDCA) that is repeated as many times as needed in each step until it is thoroughly completed.
  ○ (Steps 1-6) Requirements are gathered; everything is written down, then checked to make sure they are all there, then they start acting upon them. If the loop needs to be done again, it is; if not, the system design can be started.
● Rapid Application Development (RAD): Designed to quickly build user interface components as requirements are gathered.
  ○ To detect errors early, small prototypes are built as requirements are gathered; then they modify it and build another small prototype for it. The process is repeated until all requirements are taken care of.
  ○ The issue with building too many prototypes is that it takes you away from what the true purpose of the system is.
● Agile Development: The requirements are gathered, and the design is started. The programmers go back and look at the requirements and tweak the design. This process continues until a good design is built; then they start to code. This process continues until thoroughly tested and put into production.

Exposing applications and infrastructure information to external abusers creates opportunities for compromise by attackers who wish to steal customer data and private information and damage the organization's reputation. There are many vulnerabilities that face web-facing applications, which provide excellent opportunities for malicious attacks by unauthorized users. Internal development projects should incorporate secure coding practices to reduce the vulnerability. The best way to participate is to use OWASP.

● System Vulnerabilities and Secure Development: The Open Web Application Security Project (OWASP) provides a freely available listing of the top vulnerabilities found in web applications.
● Guidelines exist for developers in the following areas:
  ○ Authentication
  ○ Authorization
  ○ Session Management
  ○ Encryption of Sensitive Data
  ○ Input Validation
○ Disallow Dynamic Queries
○ Out-of-band Confirmations
○ Avoid Exposing System Information
○ Error Handling
● Check it out! https://www.owasp.org/index.php/Main_Page
● Hardware / Software
○ IT Asset Management (ITAM) – Process of collecting inventory, financial, and contractual data to manage the IT asset throughout its life cycle.
■ Four device management capabilities:
1. Hardware Asset Management – Anything that has an address
2. Software Inventory Management – What software is on printers, servers, etc.
3. Configuration Settings Management – How are these assets configured
4. Vulnerability (Patch) Management – When a vulnerability is found, code is updated
Lesson 2.4: Data (SC)
Skills Learned from This Lesson: Data management, Maintain Data, Encrypt Data, Destroy Data
● Data Management – The development, execution and supervision of plans, policies, programs and practices that control, protect, deliver and enhance the value of data and information assets. This is to ensure the Triad: Confidentiality, Integrity and Availability of the data.
● Secure Information Storage – Encryption with respect to:
○ Data size
○ Performance
○ Application compatibility
● Data Scrubbing – Using security controls to protect the integrity of the data when copying production data for use in testing. This is accomplished by overwriting sensitive data values with meaningless ones.
● Data Deduplication – Makes the data smaller. The process scans the entire collection of information looking for similar chunks of data that can be consolidated.
Data needs to be protected. The way it is best protected is to have it encrypted.
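Three of the OWASP guideline areas above (Disallow Dynamic Queries, Input Validation, Avoid Exposing System Information / Error Handling) in one small user lookup, as an added example that is not part of the study guide; the table, sample rows and the `USERNAME_RE` allow-list are constructed for it.

```python
"""Added example (not from the study guide): a user lookup written first as a
dynamic query (the form OWASP says to disallow) and then in hardened form with
input validation, a parameterized query, and error handling that keeps driver
details out of the response. Table and rows are constructed."""
import logging
import re
import sqlite3

log = logging.getLogger("userlookup")

# Input Validation: allow-list of 3-32 letters, digits, dot, underscore, hyphen.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with a few sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.test", 0),
         ("bob", "bob@example.test", 0),
         ("root.admin", "admin@example.test", 1)],
    )
    return conn


def lookup_dynamic(conn: sqlite3.Connection, username: str):
    """The 'before' form: SQL text assembled from user input. Whatever the
    caller supplies becomes part of the statement, so the WHERE clause can be
    rewritten by the input. Kept only for contrast with the hardened version."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str):
    """Hardened form. Returns (rows, error_message); error_message is None on
    success and a generic string on failure (no system information exposed)."""
    if not USERNAME_RE.match(username):
        # Reject rather than sanitize; the caller learns only that input was invalid.
        return [], "invalid username"
    try:
        # The '?' placeholder makes the driver bind the value as data, never as SQL.
        rows = conn.execute(
            "SELECT username, email FROM users WHERE username = ?", (username,)
        ).fetchall()
        return rows, None
    except sqlite3.Error as exc:
        # Error Handling: driver detail goes to the internal log, not to the user.
        log.error("user lookup failed: %s", exc)
        return [], "lookup failed"
```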
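The Data Scrubbing item above, carried out on a copy of production records before they go to a test environment; this is an added example, not part of the study guide, and the records, field names and the `pseudonym` salt are constructed for it.

```python
"""Added example (not from the study guide): data scrubbing as described in
Lesson 2.4. Sensitive values are overwritten with meaningless ones that keep
the same shape, so test data still loads and exercises the application but
reveals nothing real. The original rows are never modified."""
import hashlib
import re

# Constructed production extract (made-up values).
PRODUCTION_ROWS = [
    {"id": 1, "name": "Alice Example", "ssn": "123-45-6789",
     "email": "alice@example.test", "card": "4111111111111111", "plan": "gold"},
    {"id": 2, "name": "Bob Sample", "ssn": "987-65-4321",
     "email": "bob@example.test", "card": "5500000000000004", "plan": "silver"},
]

# Scrubbing policy: fields that must not reach the test copy unchanged.
SENSITIVE_FIELDS = {"name", "ssn", "email", "card"}


def pseudonym(value: str, salt: str = "test-copy-salt") -> str:
    """Deterministic replacement token: the same input always maps to the same
    token, so joins between scrubbed tables still line up, but the token
    cannot be reversed to the original value. The salt is an assumption."""
    digest = hashlib.sha256((salt + value).encode()).hexdigest()[:10]
    return f"user_{digest}"


def scrub_record(row: dict) -> dict:
    """Return a scrubbed copy of one row."""
    out = dict(row)
    out["name"] = pseudonym(row["name"])
    # Keep the ###-##-#### format (test code may validate it) but drop every digit.
    out["ssn"] = re.sub(r"\d", "0", row["ssn"])
    # Route mail to a reserved sink domain so test runs never reach real people.
    out["email"] = pseudonym(row["email"]) + "@scrubbed.invalid"
    # Card: keep the last 4 digits that a UI would display, mask the rest.
    out["card"] = "X" * (len(row["card"]) - 4) + row["card"][-4:]
    return out


def scrub_dataset(rows):
    return [scrub_record(r) for r in rows]


def verify_scrubbed(original, scrubbed) -> bool:
    """Integrity check before the copy is released: non-sensitive fields are
    unchanged, every sensitive field changed, and no original sensitive value
    appears anywhere in the scrubbed row."""
    for o, s in zip(original, scrubbed):
        for key, value in o.items():
            if key in SENSITIVE_FIELDS:
                if s[key] == value:
                    return False
            elif s[key] != value:
                return False
        blob = " ".join(str(v) for v in s.values())
        if any(o[key] in blob for key in SENSITIVE_FIELDS):
            return False
    return True
```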
To encrypt and decrypt data you need encryption keys and decryption keys. These keys are only as effective as the organization's ability to securely manage them.
● Managing Encryption Keys (Key Management) refers to a set of systems and procedures used to securely generate, store, distribute, use, archive, revoke and delete keys. Key management policies are very important; considerations include:
● Roles and responsibilities – Who has access to the keys and who can use the keys.
● Key generation – How the keys are generated: through random number generators, using the system's desired key lengths, and making sure the keys are sufficiently random so they cannot be guessed.
● Distribution – How keys are given to other people, and how those people are authorized and authenticated.
● Expiration – Make sure the keys are deactivated and discarded when they are no longer needed or after a certain period of time.
● Revocation and Destruction – Getting rid of keys that have been compromised or are no longer valid.
● Audit and Tracking – All key management operations should be written down in event logs or records to prevent unauthorized access and modification.
● Emergency Management – A key management policy should specify emergency replacement and revocation of encryption keys.
● Information Rights Management (IRM) – Assigns specific properties to an object, such as how long the object may exist and who/what may access it.
● Data Retention and Disposal – Once data has reached the end of its time, it is important to dispose of it so that it is no longer seen by anyone else. There are several different ways to dispose of data, depending on the policy of your organization; one of the ways is shredding.
To get rid of data on a hard disk you reformat it.
● Shredding – Cutting documents into tiny pieces
● Erasure or reformatting – Removes the pointers to data so that the OS can no longer see the data
● Disk wiping/Overwriting – Writing over existing data with a stream of zeros, ones, or both
● Degaussing – Erases magnetic data on a disk or tape using a degausser
Lesson 2.5: Data Leakage Prevention (SC)
Skills Learned From This Lesson: Data Leakage Prevention, DLP system types, DLP Controls
● Data Leakage Prevention (DLP)
○ Prevention of data from leaking out of the organization
○ Maintain integrity of data
● Kinds of DLP strategies:
○ Prevent transfer of data to mobile devices
○ Prevent leakage via internet & e-mail
● DLP strategies use host & network components to perform functions:
○ Data Discovery
■ Process of discovering where sensitive data is stored on the network
○ Labeling
■ Give data an ID # to monitor it across the network
○ Policy Creation
■ Determines which data is sensitive
■ Defines rules for the transfer of data
○ Content Detection/Monitoring
■ Inspection of data as it travels through perimeter devices & as it leaves local computers
○ Prevention or Blocking
■ Transfer of data is blocked if a policy violation is detected
○ Reporting
■ Violations of the data disclosure policies are reported
■ What policy was violated?
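The Policy Creation, Content Detection/Monitoring, Prevention or Blocking and Reporting functions above, as a minimal host-side content monitor; this is an added example, not the study guide's or any DLP product's code, and the policies, detector patterns and outbound messages are constructed for it.

```python
"""Added example (not from the study guide): a minimal DLP content monitor.
Policies say what is sensitive and what to do on a match; inspect() runs them
over each outbound transfer, blocks on a 'block' policy, and builds the report
record with the fields the lesson lists (policy violated, source IP, login
account). A real product would hook mail/web egress instead of a list."""
import re
from dataclasses import dataclass, field

# Policy Creation: (policy name, detector, action). Patterns are constructed.
POLICIES = [
    ("PII-SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "block"),
    ("PCI-CardNumber", re.compile(r"\b(?:\d[ -]?){15}\d\b"), "block"),
    ("Label-CONFIDENTIAL", re.compile(r"\[CONFIDENTIAL\]"), "alert"),  # labeled data
]


@dataclass
class Transfer:
    """One outbound transfer as seen on the host or at the perimeter."""
    account: str      # login account performing the transfer
    source_ip: str
    channel: str      # e.g. email, web
    body: str


@dataclass
class Verdict:
    allowed: bool
    violations: list = field(default_factory=list)  # policy names matched
    report: list = field(default_factory=list)      # reporting records


def luhn_ok(number: str) -> bool:
    """Reduce false positives: a 16-digit candidate only counts as a card
    number if it passes the Luhn checksum."""
    digits = [int(c) for c in re.sub(r"\D", "", number)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect(transfer: Transfer) -> Verdict:
    """Content Detection/Monitoring, then Prevention or Blocking and Reporting."""
    verdict = Verdict(allowed=True)
    for name, pattern, action in POLICIES:
        for m in pattern.finditer(transfer.body):
            if name == "PCI-CardNumber" and not luhn_ok(m.group(0)):
                continue  # 16 digits that are not a card number (order ref, etc.)
            verdict.violations.append(name)
            verdict.report.append({
                "policy": name,
                "action": action,
                "source_ip": transfer.source_ip,
                "account": transfer.account,
                "channel": transfer.channel,
            })
            if action == "block":
                verdict.allowed = False
            break  # one report record per policy per transfer
    return verdict


# Constructed sample transfers.
SAMPLE_TRANSFERS = [
    Transfer("jdoe", "10.0.5.23", "email", "Hi, my SSN is 123-45-6789, please update."),
    Transfer("asmith", "10.0.5.41", "web", "Order ref 1234567890123456 shipped."),
    Transfer("asmith", "10.0.5.41", "email", "Card on file 4111 1111 1111 1111"),
    Transfer("mlee", "10.0.7.9", "email", "[CONFIDENTIAL] Q3 roadmap attached."),
    Transfer("mlee", "10.0.7.9", "email", "Lunch at noon?"),
]
```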
■ Source IP
■ Login account under which the violation occurred
● Technical Controls
○ Controls that the computer system executes
○ Provide automated protection from unauthorized use & misuse
○ Categories
■ Identification and Authentication (who is allowed or not allowed)
■ Authentication control mechanisms & how to control changes
■ If passwords are the authentication mechanism then password actions need to be defined
■ Password complexity
■ Policies for bypassing the authentication system should be in place
■ # of invalid access attempts
■ Lockout
■ The procedures for key management
■ Documentation for distribution, storage, entry and disposal of decrypted & encrypted keys
■ How biometric & token controls are to be used
■ Logical Access Controls
■ Authorize or restrict the activities of users
■ Topics
■ Granting of access rights & privileges
■ What do users get to do when authenticated?
■ Temporal restrictions
■ Time of day hardware/software can be accessed
■ Detection mechanisms for unauthorized people & actions
■ Timeout periods
■ Lockout after max login attempts reached
■ Encryption of sensitive files
■ How separation of duties is enforced
■ How often are ACLs reviewed?
■ Regulation of the delegation of access permissions
■ Who can give access permission to whom?
■ Public Access Controls
■ Controls for the general public
■ What can the general public do and not do with data?
■ Topics
■ Information classification
■ What data is public, private, confidential, or secret?
■ Forms of identification & authentication
■ Limitations on read/write privileges
■ Separation of public & private systems
■ Audit trails & user confidentiality
■ Always keep an audit trail of what everyone does
■ Requirements for system & data availability
■ Audit Trails
■ Description of security controls used to protect the integrity of the system
■ Topics
■ Process of audit trail reviews
■ How often reviewed?
■ Under what conditions?
■ Tracing user actions
■ Are user actions aligned w/ policies & procedures of the system?
■ Safeguards
■ Protect confidentiality & integrity of user data
■ SSN, password or birthplace marked out
■ Recording of appropriate information in an intrusion
■ Separation of duties
■ Are they the same or different person?
● Operational Controls
○ Controls executed by people in DLP
■ Change management processes
■ Configuration management processes
■ Authorization processes
● Managerial Controls
○ Focuses
■ Management of the computer security program
■ Management of risk through security policies
○ Security policies
■ Formal written document that sets expectations for how security will be implemented & managed in an organization
○ Policies
■ How-to guides:
■ Email & Internet usage
■ Antivirus
■ Remote access
■ Information classification
■ Encryption
Lesson 2.6: Policy Document Format (SC)
Skills Learned From This Lesson: Policy document format, Policy document elements, Standards
● Policy Document Format
○ Elements
■ Objective
■ Provides policy context
■ Policy statement
■ What must be done to meet objectives?
■ Applicability
■ To whom does the policy apply?
■ Enforcement
■ How will the policy be applied?
■ Roles & responsibilities
■ Who is responsible for the policy?
■ Review
■ Timeframe
● Standards
○ Formal, documented requirements that set uniform criteria for a specific technology, configuration, or method
○ Common practice but not always formal unless the company becomes bigger
● Baseline
○ Detailed configuration standards that include specific security settings
○ Like a checklist; it's the norm
● Guidelines
○ Recommended practices to be followed to achieve a desired result
○ Not mandatory, unlike standards
● Procedures
○ Step-by-step implementation instructions for performing a specific task or goal
○ Components
■ Purpose
■ Why is this procedure being performed?
■ Applicability
■ Who is responsible for following the procedure?
■ What are the circumstances surrounding it?
■ Steps
■ What are the steps taken to perform the procedure?
■ Figures
■ Diagrams to depict a workflow & screenshots
■ Decision points
■ Yes/no questions whose answers result in branching to different steps in the procedure
Lesson 2.7: Management (SC)
Skills Learned From This Lesson: Management types, Release management, Change management
● Management
○ Controlling actions of a system
○ Implemented through policies & procedures
● Management Types
○ Release management
■ Release of software from the testing environment to production
■ Seeks to ensure timeliness goals, minimize disruption, & issue all related documentation & communication
○ Change control management
■ Determines whether controls are still effective and updates them if needed
■ System assurance
■ Process of validating that existing security controls are configured & functioning as expected, both during initial implementation & on an ongoing basis
■ Change control
■ Formal procedures adopted by an organization to ensure that all changes to system & application software are subject to the appropriate level of management control
■ Seeks to eliminate unauthorized changes & reduce defects
■ Change control steps
■ Request submission
■ Recording
■ Details of request are recorded
■ Analysis/Impact
■ Changes are analyzed
■ Decision
■ Approval
■ Status tracking
■ Operational aspects
■ Requests
■ Changes are proposed to the committee
■ Impact assessment
■ Committee members determine impact
■ Approval/disapproval
■ Requests are officially answered
■ Build & Test
■ Approved changes are built & tested
■ Security impact assessment
■ Security risk is determined
■ Notification
■ System users are notified of the coming change
■ Implementation
■ Change is deployed incrementally
■ Validation
■ Change is confirmed
■ Documentation
■ Outcome of the system change is documented
■ People involved
■ Change manager
■ In charge of policies & procedures
■ Change control board
■ Responsible for approving system changes
■ Project manager
■ Manages budgets, resources, & tasks for the system creation
■ Architects
■ Develop security context & systems design
■ Engineers & analysts
■ Develop, build, & test system changes
■ Customer
■ Requests changes & approves functional changes
■ System security officer
■ Ensures changes do not have security impacts
○ Configuration management
■ Updating versions
○ Patch management
■ Applying patches to secure the system
Lesson 2.8: Configuration Management (SC)
Skills Learned From This Lesson: Configuration management, Patch management, Security Awareness and Training
● Configuration management
○ Discipline that seeks to manage configuration changes so that they are appropriately approved and documented, so that the integrity of the security state is maintained
○ Maintains the integrity of hardware & software across releases and versions
● Change management vs Configuration management
○ Change management
■ Focuses on changes to project processes or project baselines
■ Ex.
■ Changes in the budget, changes in the schedule
○ Configuration management
■ Focuses on project specifications
■ Ex.
■ Extra features may be added to or subtracted from a particular project
● Configuration management consists of:
○ Automated tools
■ Tools that handle version checking and any type of conflict
○ Documentation
■ Hardware list of information
■ Make
■ Model
■ MAC address
■ # of licenses
■ Expiration date
■ Software name
○ Procedures
■ Step-by-step process for properly configuring the hardware & software so that the # of conflicts is reduced
● Operational aspects
○ Identification
■ Captures & maintains information about the structure of the system, usually in a Configuration Management Database (CMDB)
○ Control
■ Configuration changes are controlled through the lifecycle
○ Accounting
■ Captures, tracks, & reports on the status of the configuration history
○ Auditing
■ Process of logging, reviewing, & validating configuration items
● Inventories
○ Kept for integrity & validation
● Patch Management
○ Process of applying system changes to correct software & firmware vulnerabilities
○ Process
■ Acquisition
■ Patches are supplied via download
■ Testing
■ Patches are tested
■ Approval
■ Patches can't be applied until they are approved
■ Packaging
■ Patches must be packaged for distribution & installation
■ Deployment
■ The patch is applied to the target system
■ Verification
■ The success or failure of the patch application is recorded
● Security Impact Assessment
○ The analysis conducted w/in an organization to determine the extent to which changes to the information system affect the security posture of the system
○ Does it differ from the baseline?
● Interoperability
○ The extent to which systems & devices can exchange data & interpret that shared data
○ Open system
■ A lot of data can be passed back & forth between systems
○ Closed system
■ Very little data can be passed back & forth between systems
● Security Awareness
○ Seeks to reduce human error by educating people about cybersecurity
○ Security is only as strong as its weakest link
○ Critical success factors
■ Senior management support
■ Cultural awareness
■ Communication goals
■ Taking a change management approach
■ Measurement
Lesson 2.9: Interior Intrusion Detection Systems (SC)
Skills Learned From This Lesson: Interior IDS, Building Security
● Interior IDS
○ Limit employees only to areas they need access to
○ Intrusion Detection Systems
■ Balanced Magnetic Switch (BMS)
■ Uses a magnetic field or mechanical contact to determine if an alarm signal is initiated
■ Reed Switches
■ Motion-Activated Cameras
■ A fixed camera w/ a video motion feature that signals an alarm when something enters the field of view
■ Acoustic Sensors
■ A device that uses passive listening devices to monitor building spaces
■ Designed to detect intruders who stay around after the building has closed
■ Infrared Linear Beam Sensors
■ A focused light beam is projected & bounced off a reflector on either side of the detection area; when someone walks across the beam, an alarm sounds
■ Passive Infrared (PIR) Sensors
■ Set to a specific temperature; when an increase in heat is detected, the alarm sounds
■ Also used as an automatic request to exit (REX) device
■ Door locked - when the sensor senses a heat increase, it will auto unlock
■ Dual-Technology Sensors
■ 2 different sensors used to reduce false alarms
■ Visitor Control
■ Consideration factors:
■ Controlled waiting room
■ Temp. badges or passes
■ Escorted around the organization
● Building Security
○ Electric locks
■ Moves the door bolt
○ Electric strike
■ Lock that moves the strike; the bolt does not move
○ Magnetic locks
■ Surface-mounted magnets hold the door closed
○ Anti-passback
■ Strategy where a person must present a credential to enter & exit a facility
○ Turnstiles
■ Allows one person to pass at a time
■ May have to insert coin, ticket, pass, swipe card, etc.
○ Mantraps
■ Prevents multiple people from entering an area at the same time
■ First set of doors must close before the second set opens
○ Rim lock
■ Lock mounted on the surface of the door
■ Ex.
■ Front door lock
○ Mortise lock
■ Lock that is built into the edge of the door
■ Embedded into the door
● Data Center Security
○ Considerations:
■ Utilities and Power
■ HVAC
■ Air Contamination
■ Water Issues
■ Fire Detection and Suppression
■ Water Suppression Systems
■ Used for physical areas
■ Wet Systems
1. Constant supply of water
2. Will not shut off until the water source is shut off
■ Dry Systems
1. Do not have water in them
2. Valve will not release until it is stimulated by excess heat
■ Pre-Action Systems
1. Incorporates a detection system
2. Water is held back until the detectors are activated
■ Deluge Systems
1. Operates the same as the Pre-Action system except the sprinkler heads are in the open position
● Gas Suppression Systems
○ For computer equipment
○ Aero-K
1. An aerosol of microscopic potassium compounds
○ FM-200
1. A colorless, liquefied compressed gas
Domain 3: Risk Identification, Monitoring, and Analysis
Lesson 3.1: Intro to Risk Management (SC)
Skills Learned From This Lesson: Risk Management Process, Risk Concepts, Risk Security Assessments
● Risk
○ A function of the likelihood of a given threat source exercising a potential vulnerability, and the resulting impact of that adverse event on the organization
○ What is the possibility that something is going to happen?
○ How bad is it going to be?
● Likelihood
○ Probability that a potential vulnerability may be exercised w/in the construct of the associated threat environment
○ What are the chances that a potential vulnerability will be exploited?
● Threat source
○ Either intent & method targeted at the intentional exploitation of a vulnerability, or a situation or method that may accidentally trigger a vulnerability
○ Where is it coming from?
○ How bad is it going to be?
● Threat
○ The potential for a threat source to exercise a specific vulnerability
○ What is the possibility that an attacker will exploit a specific part of a system?
● Vulnerability
○ A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised & result in a security breach or a violation of the system's security policy
● Impact
○ The magnitude of harm that could be caused by a threat's exercise of a vulnerability
● Asset
○ Anything of value that is owned by an organization
● Risk Assessment Steps:
○ Step 1: Prepare for the Assessment
■ Identify the purpose
■ Why are we performing the assessment?
■ Identify the scope
■ How deep is the assessment going to go?
■ What part of the organization will the assessment apply to?
■ Identify any assumptions
■ Will the assessment be for part of or the whole organization?
■ Identify sources of info
■ Identify the risk model
■ How are we going to measure our results?
○ Step 2: Conduct Assessment
■ Produce list of risks
■ Gather essential information
■ Assess impact through formulas
■ Measuring the damage
■ Single Loss Expectancy (SLE)
■ SLE = Asset Value x Exposure Factor (%)
■ Annualized Loss Expectancy (ALE)
■ ALE = Single Loss Expectancy x Annualized Rate of Occurrence
■ How many times will this happen in a year?
■ Annualized Rate of Occurrence
■ Represents the expected # of exploitations by a specific threat of a vulnerability to an asset in a given year
■ Determine risk
■ Risk Assessment tables
■ Determine what kind of risk you are dealing with
■ Measures:
■ High Risk
1. Corrective actions should be implemented ASAP
■ Medium Risk
1. Corrective actions should be implemented w/in a reasonable time frame
■ Low Risk
1. An evaluation should be performed to determine if any action should be taken to address the risk
○ Step 3: Communicate Results
■ Talk about the results
■ Share info to support risk management activities
○ Step 4: Maintain Assessment
■ Stay current w/ the risk knowledge
■ Incorporate Risk Monitoring
Lesson 3.2: Risk Treatment (SC)
Skills Learned From This Lesson: Risk Treatment, Risk Management
● Risk Treatment
○ Goal
■ Reduce risk to an acceptable level
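The Step 2 formulas above (SLE = Asset Value x Exposure Factor, ALE = SLE x Annualized Rate of Occurrence) carried through for a small risk register and rated High/Medium/Low with the measures listed; this is an added example, not from the study guide, and the risks, figures and the `HIGH_ALE`/`MEDIUM_ALE` rating thresholds are assumptions of the example (the guide leaves the thresholds to the organization's risk assessment table).

```python
"""Added example (not from the study guide): SLE/ALE for a constructed risk
register, rated High/Medium/Low. Thresholds and all figures are assumptions."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float      # value of the asset, in currency units
    exposure_factor: float  # fraction of the asset value lost per occurrence (0.0-1.0)
    aro: float              # Annualized Rate of Occurrence: expected events per year


def sle(risk: Risk) -> float:
    """Single Loss Expectancy = Asset Value x Exposure Factor."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annualized Loss Expectancy = SLE x Annualized Rate of Occurrence."""
    if risk.aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(risk) * risk.aro


# Assumed rating thresholds on ALE (example only): at or above HIGH_ALE is
# High, at or above MEDIUM_ALE is Medium, anything lower is Low.
HIGH_ALE = 50_000.0
MEDIUM_ALE = 5_000.0

# Measures as listed in the lesson.
MEASURE = {
    "High": "Corrective actions should be implemented ASAP",
    "Medium": "Corrective actions should be implemented w/in a reasonable time frame",
    "Low": "An evaluation should be performed to determine if any action should be taken",
}


def rate(annual_loss: float) -> str:
    if annual_loss >= HIGH_ALE:
        return "High"
    if annual_loss >= MEDIUM_ALE:
        return "Medium"
    return "Low"


def build_register(risks):
    """Identify each risk and evaluate its severity; rows come back sorted by
    ALE, highest first, so the register is ready to communicate (Step 3)."""
    rows = []
    for r in risks:
        annual_loss = ale(r)
        rating = rate(annual_loss)
        rows.append({"risk": r.name, "SLE": sle(r), "ALE": annual_loss,
                     "rating": rating, "measure": MEASURE[rating]})
    rows.sort(key=lambda row: row["ALE"], reverse=True)
    return rows


# Constructed risks with made-up figures.
SAMPLE_RISKS = [
    Risk("Ransomware on file server", asset_value=400_000, exposure_factor=0.5, aro=0.25),
    Risk("Laptop theft", asset_value=2_500, exposure_factor=1.0, aro=3.0),
    Risk("Data center fire", asset_value=2_000_000, exposure_factor=0.8, aro=0.01),
    Risk("Web defacement", asset_value=50_000, exposure_factor=0.1, aro=0.5),
]
```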
○ Risk treatment
■ Risk Mitigation
■ Implement technical, managerial, and operational controls
■ Risk Transference
■ Transfer risk to a third party
■ Risk Avoidance
■ Avoid risk
■ Risk Acceptance
■ Accept risk
● Risk Visibility and Reporting
○ Risk should always be recorded & reported
○ Risk needs to be aggregated in a Risk Register
■ Risk Register
■ Gives info about risk in the organization
■ Risk management steps:
■ Step 1: Identify the risk
■ Step 2: Evaluate the severity of any identified risks
■ Step 3: Apply possible solutions to risks
■ Step 4: Monitor & analyze the effectiveness of any subsequent steps taken
Lesson 3.3: Auditing (SC)
Skills Learned From This Lesson: Auditing
● Auditing
○ Security Audit
■ An evaluation of how well the objectives of a security framework are met & a verification to ensure the security framework is appropriate for the organization
○ Purposes:
■ Point out where security is lacking
■ Emphasize what is being done correctly in security
○ Types of auditors:
■ Internal
■ External
● Audit Types:
○ Annual
■ Performed on an annual basis as dictated by policy
○ Event-Triggered
■ Conducted after an incident
○ Merger/Acquisition
■ Performed to determine the security standards of the company being acquired
○ Regulation Compliance
■ Performed to confirm compliance w/ security aspects of regulations
○ Ordered
■ Performed when commanded by a court
● COBIT
○ Control Objectives for Information and related Technology
■ A set of control objectives used as a framework for IT governance, developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)
● Auditors
○ Collect info about an organization's security processes
○ Responsibilities:
■ Provide independent assurance about security systems
■ 3rd party assurance
■ Analyze organizational security objectives
■ Analyze policies, standards, baselines, procedures and guidelines
■ Analyze the effectiveness of controls
■ State and explain the scope of the system
● Auditing Domains
○ User
■ Users & their authentication methods
■ How do users log into workstations?
○ Workstation
■ End-user systems
■ What kind of security is on the system?
○ Application
■ E-mail, database, web applications
■ What kind of security protects the application from unauthorized access?
○ LAN
■ Equipment necessary for LANs
○ LAN to WAN
■ Area where the DMZ resides
○ WAN
■ Things outside of the firewall
○ Remote
■ How remote users access the network
○ Cloud & Outsourced
■ Moving data to other entities
■ How do you protect your data?
● System Documentation
○ Disaster/Business Recovery
○ Host Configuration Baseline
○ Security Configuration
○ Acceptable Use Policy
○ Change Management Process
○ Data Classification
■ Not all data is the same
■ Ex.
■ Unrestricted, sensitive, confidential
○ Business Flow
● Responding to an Audit
○ Exit interview
■ Issues will be addressed
○ Presentation of findings
■ Findings presented to management
○ Management response
■ Written response to auditors
Lesson 3.4: Vulnerability Scanning and Analysis
Skills Learned From This Lesson: Vulnerability Scanning, Securing Hosts, Security Monitoring Testing, Wireless Networking Testing, War Dialing/War Driving
● Vulnerability scanning
○ The process of checking a system for weaknesses
○ Goal
■ Study security levels
■ Find problems
■ Improve
○ Advantages
■ Identify system vulnerabilities
■ Allows for the prioritization of mitigation
■ Good for comparing security positions
○ Disadvantages
■ Cannot always focus efforts
■ Could crash the network
● Vulnerability scanning types
○ General
■ Probes host & OS
■ Looks for known flaws & typical attacks
○ Application specific
■ Use tools to look at specific applications
● Vulnerability testing qualities
○ OS Fingerprinting
■ Used to identify the OS
○ Stimulus & Response algorithms
■ Techniques to identify software versions
○ Privileged logon ability
■ Log onto a host w/ Admin credentials
○ Cross-referencing
■ Identify possible vulnerabilities
○ Update capability
■ Scanners need the latest signatures
○ Reporting capability
■ Report on the findings
● Vulnerability testing issues
○ False positives
○ Crash exposure
○ Temporal information
■ Just because a scan is good today doesn't mean the next scan will be
● Scanner tools
● Securing Hosts
○ Disabling unneeded services
○ Disabling insecure services
○ Ensuring least privilege file system permissions
○ File system permissions
■ Share only w/ those who need access
○ Establish & enforce a patching policy
○ Examine applications for weaknesses
○ Firewall & router testing
● Security Monitoring Testing
○ Ensure systems are working as expected
○ Out-of-the-box Intrusion Detection System (IDS) systems need to be tuned to the organization
○ IDS testing
■ Data patterns w/in a single packet
■ Data patterns w/in multiple packets
■ Obfuscated data
■ Fragmented data
■ Protocol embedded attacks
■ Flooding detection
● Wireless Networking Testing
○ Wireless technology > Wireless Access Points > Problems!
○ Security Testers
■ Test for effectiveness of wireless security
■ Detect unauthorized access points
○ Wireless tools
■ Netstumbler
■ Kismet
■ Nessus
■ Aircrack-NG
● War Dialing/War Driving
○ War dialing
■ Attempts to locate unauthorized modems connected to computers that are connected to networks
■ A specialized program is used to scan a list of telephone #'s to search for computers for the purpose of hacking
■ Not used as much
○ War driving
■ The act of searching for open wireless networks while driving around
Lesson 3.5: Penetration Testing (SC)
Skills Learned From This Lesson: Penetration Testing, White Box Testing, Grey Box Testing
● Penetration Testing Phases
○ Step 1: Preparation
■ Define goals (scope)
■ Choose the right penetration tools
■ Do not let tools drive testing
■ Use tools which match the environment
■ Analyze testing results
■ Use graphics, ratings, & vulnerability index when possible
○ Step 2: Information Gathering
■ Reconnaissance
■ Collecting information about the organization from publicly available sources, social engineering, & low-tech methods
■ Needed by a pen tester who has not been granted regular access to the system
■ Social engineering & Low-Tech Reconnaissance
■ An activity that involves the manipulation of people to get information
■ Acquire information from websites, social media, & googling
■ Mid-Tech reconnaissance
■ Whois
1. A system that records internet registration information
■ DNS Zone Transfers
■ A request directed at a DNS server that asks the server for information on the domain that it serves
■ Network mapping
■ Collecting information about the organization's internet connectivity & available hosts through automated software
■ Paints a picture of which hosts are up & running & what services are available
■ Should be limited to the scope of the project
■ Precursor to vulnerability testing
■ Techniques
■ ICMP Echo Requests (ping)
■ TCP Connect Scan
■ TCP SYN Scan
■ TCP FIN Scan
■ TCP XMAS Scan
■ TCP NULL Scan
■ UDP Scan
■ Basic built-in OS commands
■ Traceroute
■ Ping
■ Telnet
■ Whois
■ Tools
■ Nmap
■ Solarwinds
■ Superscan
■ Lanspy
○ Step 3: Information Evaluation & Risk Analysis
■ Evaluate the findings & perform risk analysis
■ Potential risks must be identified
■ Decide which devices should be penetration tested
○ Step 4: Active Penetration
■ WARNING!!
      ■ Think twice before exploiting a vulnerability that may harm the system
      ■ Sometimes it is better to demonstrate the vulnerability without actively exploiting it
  ○ Step 5: Analysis & Reporting
    ■ Documentation and analysis are reported to management
    ■ Always pair findings with solutions and recommendations
    ■ Tailor the report to the audience that will read it
● Penetration Testing Modes
  ○ White box testing
    ■ Performed with the knowledge of the security and IT staff
    ■ Testers are given network blueprints, planned test times, and assistance from the organization
    ■ Pros
      ■ Good support from the organization
      ■ Fixes can happen more quickly
      ■ Good for testing incident response procedures
    ■ Cons
      ■ Because staff know about the test, the picture of how the network holds up against a real, unannounced attacker can be inaccurate
  ○ Grey box testing
    ■ Some information is known to the testers
    ■ Focus
      ■ Gaining access to the system from a partially informed position
    ■ Pros
      ■ Combines benefits of white and black box testing
      ■ Allows for focused testing scenarios
    ■ Cons
      ■ Testing coverage may be limited
  ○ Black box testing
    ■ Internals are not known to the testers
    ■ Tests are unannounced
      ■ Upper management is aware
      ■ Security and IT staff are unaware
    ■ Gives the point of view of an attacker
    ■ Objective
      ■ Get into whatever they can without causing harm
    ■ Pros
      ■ A realistic look at the organization's true responses
    ■ Cons
      ■ Staff whose gaps are exposed by an unannounced test may take it personally
Lesson 3.6: Operating and Maintaining Monitoring Systems (SC)
Skills Learned From This Lesson: IDS & IDPS, Types of monitoring, Log files, Event Configuration & Correlation, SIEM
● Safeguard
  ○ A built-in, proactive security control implemented to protect against threats
● Countermeasure
  ○ An add-on, reactive security control
  ○ Helps fight off attacks once they are detected
● Vulnerability
  ○ A system weakness
● Exploit
  ○ A particular attack that takes advantage of a vulnerability
● Signature
  ○ A string of characters or pattern of activity found within processes or data communications that describes a known attack
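The signature definition above, and the tuning and true/false positive and negative terms that Lesson 3.6 defines next, are easiest to see on data. The following Python example is added here and is not part of the study guide: it runs a signature matcher and a simple request-volume baseline over constructed web-server log lines (the IP addresses, paths and "malicious" labels are made up for the example), then tallies the result as TP/FP/TN/FN so the effect of tuning the baseline threshold is visible.

```python
"""Added example for Lesson 3.6 (not from the study guide): a toy monitor that
combines signature matching with a simple statistical baseline, then scores its
alerts as true/false positives and negatives. The log lines and their labels are
constructed for this example; the IP addresses and paths are made up."""
import re
from collections import Counter

# Constructed web-server log records: (source IP, request line, status, malicious?)
# The last field is the analyst's ground-truth label, used only for scoring.
SAMPLE_LOGS = [
    ("10.0.0.5", "GET /index.html", 200, False),
    ("10.0.0.5", "GET /login?user=admin' OR 1=1--", 200, True),
    ("10.0.0.9", "GET /search?q=<script>alert(1)</script>", 200, True),
    ("10.0.0.7", "GET /about.html", 200, False),
    ("10.0.0.7", "GET /files/../../etc/passwd", 404, True),
    ("10.0.0.8", "GET /docs/select-or-union.html", 200, False),  # benign, but SQL-looking
    ("10.0.0.3", "GET /admin", 404, True),          # 10.0.0.3 is probing for
    ("10.0.0.3", "GET /phpmyadmin", 404, True),     # admin panels and leftover
    ("10.0.0.3", "GET /wp-login.php", 404, True),   # files; no single request
    ("10.0.0.3", "GET /.env", 404, True),           # matches a signature
    ("10.0.0.3", "GET /backup.zip", 404, True),
    ("10.0.0.4", "GET /", 200, False),
    ("10.0.0.4", "GET /css/site.css", 200, False),
    ("10.0.0.4", "GET /js/app.js", 200, False),
]

# Signatures: patterns describing known attacks. The SQL one is deliberately
# broad (bare keywords) to show where false positives come from.
SIGNATURES = {
    "sqli": re.compile(r"(?i)('\s*or\s*1=1|\bunion\b|\bselect\b)"),
    "xss": re.compile(r"(?i)<script"),
    "traversal": re.compile(r"\.\./"),
}


def signature_hits(request):
    """Names of every signature that matches this request line."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request)]


def noisy_sources(logs, threshold):
    """Statistical anomaly check: sources whose request count exceeds the
    baseline threshold. The threshold is the knob that gets tuned."""
    counts = Counter(ip for ip, _req, _status, _label in logs)
    return {ip for ip, n in counts.items() if n > threshold}


def outcome(alerted, malicious):
    if alerted:
        return "TP" if malicious else "FP"
    return "FN" if malicious else "TN"


def evaluate(logs, threshold):
    """Run both detectors over the logs and tally the confusion matrix."""
    noisy = noisy_sources(logs, threshold)
    tally = Counter()
    for ip, request, _status, malicious in logs:
        alerted = bool(signature_hits(request)) or ip in noisy
        tally[outcome(alerted, malicious)] += 1
    return {k: tally.get(k, 0) for k in ("TP", "FP", "TN", "FN")}


if __name__ == "__main__":
    for threshold in (99, 4, 2):  # 99 effectively disables the volume check
        print(f"threshold={threshold:>2}: {evaluate(SAMPLE_LOGS, threshold)}")
```

With the volume check disabled the signatures alone catch three attacks, miss the whole directory-probing sequence (five false negatives) and fire once on a benign page (one false positive). A threshold of 4 catches the prober with no new noise; tightening it to 2 also flags the ordinary browser at 10.0.0.4 and triples the false positives. That trade-off is what "tuning" means in practice.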
● Tuning
  ○ Customizing a monitoring system to your environment so that it alerts on what matters
● Promiscuous interface
  ○ A network interface that collects and processes every packet it sees on the segment, not just those addressed to its own MAC address
● False positive
  ○ Monitoring triggered an alert, but nothing was wrong
● False negative
  ○ The monitoring system missed an exploit event and raised no alarm
● True positive
  ○ The system correctly recognized an exploit event
● True negative
  ○ The system correctly treated benign traffic as no cause for concern
● IDS
  ○ A passive system
  ○ Only signals an alarm
  ○ IDS/IDPS types
    ■ Network-based IDS (NIDS)
      ■ Monitors network traffic
      ■ Should be placed at network entrances and other chokepoints
    ■ Host-based IDS (HIDS)
      ■ Monitors system calls and other activity on the host
      ■ Should be placed on systems where protection is mandated
● IDPS
  ○ An active system
  ○ Signals an alarm and tries to stop the incident
● Implementation Issues
  ○ Collecting data for incident response
    ■ How will the organization respond to events?
  ○ Monitoring response techniques
    ■ Passive response
      ■ Notes the event but takes no evasive action
      ■ Ex.
        ■ Logging the event to a file
        ■ Displaying an alert
        ■ Sending alerts to an administrator
    ■ Active response
      ■ Notes the event and performs a reaction
      ■ Ex.
        ■ Block transactions
        ■ Disallow access to system calls
        ■ Drop or reset connections
● Types of Monitoring
  ○ Real-time monitoring
    ■ Provides a means for immediately identifying, and sometimes stopping, covert and overt events
  ○ Non-real-time monitoring
    ■ Provides a means for saving important information about system events and monitoring the integrity of system configurations
  ○ Continuous/compliance monitoring
    ■ Represents the desire to have real-time risk information available at any time to support organizational decisions
● Log Files
  ○ Reviewing incident logs
    ■ Save all log files from a device after an incident
  ○ Log anomalies
    ■ Anything out of the ordinary
  ○ Log management
    ■ Don't let log files get out of control
    ■ Clipping levels: thresholds below which routine events are not recorded or reported, so that only activity above the threshold generates an entry or alert
  ○ Filtering
    ■ Reduces the amount of data to be reviewed
  ○ Log consolidation
    ■ Happens on SIEM systems
    ■ Good for tracking activity across devices and systems
  ○ Log retention
    ■ How long should logs be kept?
  ○ Centralized logging
    ■ Ensuring the logs are in one place
● Event Configuration & Correlation
  ○ NetFlow
    ■ Collects network flow records that can be analyzed to create a picture of the traffic flow
  ○ sFlow
    ■ Sampling technology for monitoring traffic in data networks containing switches and routers
  ○ Security Event Management (SEM)
    ■ Analyzes event data in real time to provide monitoring, event correlation, and incident response
  ○ Security Information Management (SIM)
    ■ Collects and analyzes log data to support compliance and threat management
  ○ SIEM
    ■ Security Information & Event Management (SEM + SIM)
    ■ Compliance
    ■ Enhanced network security
    ■ Can correlate many different events
    ■ Full packet capture
      ■ Captures every packet it sees
    ■ Security analytics, metrics, and trends
Domain 4: Incident Response and Recovery
Lesson 4.1: Incident Handling (SC)
Skills Learned From This Lesson: Incident Response Process
● Incident Response Process
  ○ Step 1: Preparation
    ■ Comprised of a corporate incident handling and response policy and procedure
    ■ Incident response policy
      ■ Establishes a phased approach to incident response
      ■ Details the steps of incident response handling
      ■ Defines the incident response team
    ■ The incident response policy should cover:
      ■ Management support
        ■ Management knows what it is supposed to do when an incident happens
      ■ Alignment with the organization's objectives
      ■ Scope and limitations
      ■ Definitions of terms
      ■ Roles and responsibilities
      ■ Prioritization of risk
      ■ Metrics and performance
        ■ Determine how effective the policy is
      ■ Communications planning
      ■ Mandatory adherence
      ■ Compliance
  ○ Incident response team and the parties it works with
    ■ Customers, constituents, and media
      ■ Have something to lose if an incident occurs
    ■ Other incident response teams
      ■ May or may not be part of the organization
    ■ Internet service providers
      ■ Can isolate the network to keep an incident from getting worse
    ■ Incident reporters
      ■ People who tracked, followed, or discovered the incident
    ■ Law enforcement agencies
    ■ Software and support vendors
● Step 2: Detection & Analysis
  ○ Intrusion detection techniques used to determine attacks
    ■ Signature or pattern matching systems
      ■ A snippet of code or traffic pattern that identifies a known attack
    ■ Protocol anomaly-based systems
      ■ A protocol is being used in a way it should not be (malformed or out-of-spec traffic)
    ■ Statistical anomaly-based systems
      ■ Establish a baseline, then identify deviations from it
  ○ Incident analysis focuses on what constitutes an incident in the organization
● Step 3: Containment, Eradication & Recovery
  ○ Containment
    ■ Limit the damage caused by the security incident
  ○ Eradication
    ■ Performed to remove malicious code, tools, and backdoors that may have been used
    ■ May or may not be needed as a separate step, depending on the incident
    ■ Sometimes reimaging is quicker and more reliable than cleaning
● Step 4: Post-Incident Activity
  ○ Implementation of countermeasures
    ■ What happened, and how it can be prevented from happening again
    ■ Increase user awareness
    ■ Implement overall improvements for risk
    ■ Provide disincentives for bad behavior
    ■ Improve user training
    ■ Understand the benefits of better technology
  ○ Forensics
    ■ Identifying evidence
    ■ Collecting or acquiring evidence
    ■ Examining or analyzing evidence
Lesson 4.2: Forensic Investigation (SC)
Skills Learned From This Lesson: Crime Scenes, Locard's Principle of Exchange, Analysis
● Crime Scene
  ○ Needs to be defined before evidence can be identified
  ○ Principles of criminalistics:
    ■ Identify the scene
    ■ Protect the environment
    ■ Identify evidence
    ■ Collect evidence
    ■ Minimize contamination
● Evidence
  ○ Live evidence
    ■ Data that is very dynamic and exists in running processes or other volatile locations (e.g.
RAM) and disappears shortly after the system is powered down
  ○ Locard's Principle of Exchange
    ■ When a crime is committed, the perpetrators leave something behind and take something with them
    ■ Allows aspects of the responsible person to be identified
● Guidelines for Handling Evidence
  ○ Anyone who accesses digital evidence must be properly trained
  ○ Anyone who possesses evidence is responsible for it
  ○ Evidence must not be changed
  ○ Evidence must be fully documented
  ○ Anyone who has evidence is responsible for following forensic and procedural principles
● Forensics Procedures
  ○ EVERYTHING must be documented
  ○ Ensure data cannot be altered
    ■ Work from a disk image, and hash both the original and the image so that any later change can be detected
  ○ Establish a chain of custody
    ■ Document everyone who has touched the evidence, when, and why
● Five Rules of Evidence
  ○ Be authentic
  ○ Be accurate
  ○ Be complete
  ○ Be convincing
  ○ Be admissible
● Analysis
  ○ Media analysis
    ■ The recovery of information from storage media such as hard drives
  ○ Network analysis
    ■ Examination of data from network logs and network activity
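Media analysis starts from an image whose integrity can be proven. The following Python example is added here and is not part of the study guide: it shows the two procedures above in code, hashing an acquired image at acquisition time and keeping a chain-of-custody log in which every hand-off recomputes and checks the hash. The "disk image" is a constructed byte string, and the item IDs and examiner names are invented for the example.

```python
"""Added example for Lesson 4.2 (not from the study guide): hashing an acquired
image so that later alteration is detectable, and recording a chain of custody
in which every hand-off re-verifies the hash. The 'disk image' below is a
constructed byte string, not a real acquisition."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (a couple of KB of bytes).
SAMPLE_IMAGE = b"FAT12\x00" + bytes(range(256)) * 8 + b"deleted_file.txt\x00payroll.xlsx"


def fingerprint(data: bytes) -> str:
    """SHA-256 of the whole image. MD5 alone is no longer adequate because
    collisions can be manufactured; SHA-256 is the common choice today."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    sha256: str
    size: int
    custody: list = field(default_factory=list)  # chain-of-custody log entries


def _stamp() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire(item_id: str, description: str, image: bytes, examiner: str) -> EvidenceRecord:
    """Hash at the moment of acquisition; this value is the reference for
    every later integrity check."""
    rec = EvidenceRecord(item_id, description, fingerprint(image), len(image))
    rec.custody.append({"when": _stamp(), "action": "acquired", "by": examiner,
                        "hash_verified": True})
    return rec


def verify(rec: EvidenceRecord, image: bytes) -> bool:
    """True only if both size and hash still match the acquisition record."""
    return len(image) == rec.size and fingerprint(image) == rec.sha256


def transfer(rec: EvidenceRecord, image: bytes, giver: str, receiver: str) -> bool:
    """The receiver recomputes the hash before accepting. A mismatch is still
    written to the log (the break in the chain must be documented), but the
    function returns False so the caller refuses the item."""
    ok = verify(rec, image)
    rec.custody.append({"when": _stamp(), "action": "transfer", "from": giver,
                        "to": receiver, "hash_verified": ok})
    return ok


def custody_intact(rec: EvidenceRecord) -> bool:
    """Admissibility check: every entry in the chain verified the hash."""
    return all(entry["hash_verified"] for entry in rec.custody)


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one bit to simulate an altered copy (for the demonstration only)."""
    b = bytearray(image)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    rec = acquire("E-001", "laptop SSD image", SAMPLE_IMAGE, "examiner A")
    print("first hand-off ok:", transfer(rec, SAMPLE_IMAGE, "examiner A", "examiner B"))
    altered = tamper(SAMPLE_IMAGE, 100)
    print("altered copy ok:", transfer(rec, altered, "examiner B", "examiner C"))
    print("chain intact:", custody_intact(rec))
```

A single flipped bit changes the digest completely, so the third hand-off is refused and the chain is recorded as broken; that record is exactly what opposing counsel would look for, which is why the failed check is logged rather than silently dropped.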
  ○ Software analysis
    ■ Analysis and examination of program code
  ○ Hardware/embedded device analysis
    ■ Analysis of mobile devices and of hardware and firmware found in computers
Lesson 4.3: Business Continuity Plans (SC)
Skills Learned From This Lesson: BCP, DRP, Availability and Redundancy
● Business Continuity Plan (BCP)
  ○ Focuses on the continuity and recovery of critical business functions during and after a disaster
    ■ Helps the organization get back to normal operation as quickly and smoothly as possible
    ■ Focuses on the company as a whole
  ○ Proactive development of a plan that can be executed to restore business operations
  ○ Requires a significant organizational commitment of people and resources
  ○ Establish the business continuity program and the directly related business continuity policy
    ■ Key participants in the BCP are defined
  ○ Conduct a Business Impact Analysis
  ○ Determine the potential impacts if supporting resources were unavailable
    ■ Impacts may be tangible or intangible
● Business Impact Analysis (BIA)
  ○ An exercise that determines the impact of losing the support of any resource to the organization, establishes how that loss escalates over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems
  ○ How much impact will the business take if a resource is not available?
● Maximum Tolerable Downtime (MTD/MTPOD)
  ○ The maximum amount of time a business function can be unavailable before the organization is harmed to a degree that puts its survival at risk
  ○ What is the longest time a resource can be unavailable before the organization fails?
● Recovery Time Objective (RTO)
  ○ The earliest time period and service level within which a business process must be restored after a disaster to avoid unacceptable consequences
  ○ By when must a disrupted resource be back in service?
  ○ Must be shorter than the MTD
● Recovery Point Objective (RPO)
  ○ A measurement of the point in time prior to an outage to which data are to be restored
  ○ In practice, bounded by when the last usable backup was taken; everything after that point is lost
● Disaster Recovery Plan (DRP)
  ○ A document that details the steps to restore critical IT systems in the event of a disaster
  ○ Considerations
    ■ Different types of disasters
    ■ Intentional acts of sabotage
    ■ Potential threats
  ○ Assets
    ■ Data
    ■ Information systems
    ■ Network devices
    ■ Facilities
    ■ Personnel
● Recovery Strategy Alternatives
  ○ Cold site
    ■ A building with power, raised floors, and utilities
    ■ No devices are available
    ■ Cheapest
    ■ Longest to get back online
  ○ Warm site
    ■ Does not have the computers but has the peripherals
      ■ Disk drives, controllers, and tape drives
  ○ Hot site
    ■ Fully configured with hardware, software, and environmental needs
    ■ Most expensive
    ■ Quickest to get the organization back online
  ○ Multiple processing sites
    ■ Supports 100% availability
    ■ Data is processed simultaneously at more than one site
  ○ Mobile site
    ■ Can be deployed to any location based on the circumstances of the disaster
● Plan Testing
  ○ BCPs and DRPs must be tested to ensure they are accurate
  ○ Test types
    ■ Checklist test
      ■ Each participant reviews their section of the plan to validate that it is still accurate
    ■ Structured walkthrough test
      ■ Representatives from each business unit gather to review the plan together
    ■ Simulation test
      ■ A disaster scenario is simulated and the response is rehearsed
    ■ Parallel test
      ■ Processing is performed at the alternate site alongside normal operations
    ■ Full interruption test
      ■ Regular operations are stopped and processing is moved to the alternate site
● Backups & Restoration
  ○ Backup types
    ■ Full backup
      ■ The entire system is copied to backup media
    ■ Differential backup
      ■ Records the data that has changed since the most recent full backup
    ■ Incremental backup
      ■ Records the data that has changed since the most recent backup of any type (full or incremental), typically taken daily
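The practical difference between the three backup types is what a restore needs and how much each strategy stores. The following Python example is added here and is not part of the study guide: it simulates four days of changes to a tiny filesystem (the snapshots are constructed for the example), produces the differential and incremental sets, and restores from each, including a restore with one incremental set missing.

```python
"""Added example for the backup-types material above (not from the study
guide): a simulation of full, differential and incremental backups over four
days of a tiny filesystem, showing what each restore needs and how much each
strategy stores. The filesystem snapshots are constructed for the example."""

# Constructed end-of-day snapshots: path -> content. Day 0 is when the full
# backup is taken. Deletions are not modelled; a real tool needs a manifest.
DAYS = [
    {"a.txt": "a1", "b.txt": "b1", "c.txt": "c1"},                 # day 0
    {"a.txt": "a2", "b.txt": "b1", "c.txt": "c1"},                 # day 1: a changed
    {"a.txt": "a2", "b.txt": "b2", "c.txt": "c1", "d.txt": "d1"},  # day 2: b changed, d new
    {"a.txt": "a3", "b.txt": "b2", "c.txt": "c1", "d.txt": "d1"},  # day 3: a changed again
]


def changed_since(state, reference):
    """Files whose content differs from the reference snapshot (new or modified)."""
    return {path: data for path, data in state.items() if reference.get(path) != data}


def differential_backups(days):
    """One set per day after the full, each relative to the day-0 full backup."""
    return [changed_since(day, days[0]) for day in days[1:]]


def incremental_backups(days):
    """One set per day after the full, each relative to the previous day."""
    return [changed_since(days[i], days[i - 1]) for i in range(1, len(days))]


def restore_differential(full, diffs):
    """Restore = full + the most recent differential only."""
    return {**full, **diffs[-1]}


def restore_incremental(full, incs):
    """Restore = full + every incremental applied in order. A missing or
    corrupt set anywhere in the chain leaves the restore incomplete."""
    state = dict(full)
    for inc in incs:
        state.update(inc)
    return state


def files_stored(sets):
    """Total number of file copies written across all backup sets."""
    return sum(len(s) for s in sets)


if __name__ == "__main__":
    diffs, incs = differential_backups(DAYS), incremental_backups(DAYS)
    print("differential sets:", [sorted(d) for d in diffs], "stored:", files_stored(diffs))
    print("incremental sets: ", [sorted(i) for i in incs], "stored:", files_stored(incs))
    print("restore ok (diff):", restore_differential(DAYS[0], diffs) == DAYS[-1])
    print("restore ok (inc): ", restore_incremental(DAYS[0], incs) == DAYS[-1])
    lost_day2 = [incs[0], incs[2]]
    print("inc restore with day-2 set lost:", restore_incremental(DAYS[0], lost_day2) == DAYS[-1])
```

Differential sets grow every day (1, 3, 3 files here) but a restore needs only the full plus the latest one; incremental sets stay small (1, 2, 1 files) but the restore needs the full plus every set in order, so losing the day-2 set silently leaves b.txt stale and d.txt missing.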
  ○ Offsite storage
    ■ Backups should be stored off-site at a secure location
  ○ Electronic vaulting
    ■ Transmits backups across the Internet to an offsite location
  ○ Remote journaling
    ■ Journals and transaction logs are transmitted electronically to an offsite location
● Availability
  ○ Clustering
    ■ A method of configuring multiple computers so they effectively operate as a single system
  ○ High-availability clustering
    ■ A clustering method that uses multiple systems to reduce the risk associated with a single point of failure
  ○ Load-balancing clustering
    ■ All cluster nodes are active
    ■ If a node fails, the others take its place
● Redundant Array of Independent Disks (RAID)
  ○ Mirroring
    ■ The system writes data simultaneously to separate hard drives or drive arrays
    ■ RAID 1
      ■ Identical copies of data are stored on two separate drives
  ○ Parity
    ■ Extra information computed from the data that allows lost or overwritten data to be detected and reconstructed
  ○ Striping
    ■ A data element is broken into multiple pieces, and a piece is written to each hard drive
    ■ RAID 0
      ■ Relies on striping data across multiple disks; no redundancy
    ■ RAID 2
      ■ Striping is performed at the bit level with Hamming-code error correction
      ■ Not used in practice
    ■ RAID 3
      ■ Striping is performed at the byte level
      ■ Uses a dedicated parity disk
      ■ Not used in practice
    ■ RAID 4
      ■ Striping is performed at the block level
      ■ Uses a dedicated parity disk
      ■ Not used in practice
    ■ RAID 5
      ■ Block-level striping with parity information distributed across all of the disks
      ■ Popular
    ■ RAID levels can be combined (e.g. RAID 10) to gain the benefits of both levels
Domain 5: Cryptography
Lesson 5.1: Cryptography Fundamentals Concepts (SC)
Skills Learned From This Lesson: Fundamental cryptography concepts
● Work Factor
  ○ The average amount of effort or work required to break an encryption system
    ■ Measured in units such as hours or cost in dollars
    ■ If the work factor is high enough, the system is considered "economically infeasible" to break
● Stream-Based Ciphers
  ○ Encryption is performed on a bit-by-bit (or byte-by-byte) basis
  ○ Generally considered weaker than block ciphers
  ○ Less computationally intensive
  ○ Often used in hardware
  ○ Mix the plaintext with a keystream to produce the ciphertext
    ■ The operation is usually an XOR because of its speed
    ■ Ex.
      Input plaintext:  0101 0001
      Keystream:      + 0111 0011
      Output of XOR:    0010 0010
● Block Ciphers
  ○ Operate on fixed-size chunks of data instead of one bit or byte at a time
    ■ Blocks are often 64, 128, or 192 bits
  ○ Stronger
  ○ Computationally more intensive
  ○ Often used in software
  ○ Use a combination of substitution and transposition
    ■ Substitution
      ■ Exchanging one letter or byte for another
    ■ Transposition
      ■ Reordering the plaintext to hide the message
  ○ Modes
    ■ Electronic Code Book (ECB)
      ■ Each block is encrypted independently, so identical plaintext blocks produce identical ciphertext blocks
    ■ Cipher Block Chaining (CBC)
      ■ The result of encrypting one block is fed back (XORed) into the encryption of the next block
    ■ Cipher Feedback (CFB)
      ■ Each block of keystream comes from encrypting the previous block of ciphertext
    ■ Output Feedback (OFB)
      ■ The keystream is generated independently of the message
    ■ Counter (CTR)
      ■ Uses Encrypt(Base + N) as a keystream generator, where Base is a starting value (nonce) the size of a block and N is a simple incrementing counter
● Key Length
  ○ The size of the key, measured in bits or bytes
    ■ The security of an algorithm cannot exceed its key length
    ■ The key's length is distinct from its cryptographic security: a long key does not help if the algorithm or implementation is weak
● Block Size
  ○ The size of the block used in block ciphers
  ○ Blocks are fixed lengths, so padding is sometimes necessary
  ○ Block size affects security: the larger the block, the more data can be safely encrypted under one key before repeated ciphertext blocks become likely
● Initialization Vectors (IVs)
  ○ An initial value used to start the encryption process so that identical messages do not encrypt to identical ciphertext
● Hashing
  ○ A cryptographic one-way function that is considered practically impossible to invert
  ○ Specific hashes
    ■ Message Digest 2, 4, 5 (MD2, MD4, MD5)
    ■ Secure Hash Algorithm 0, 1, 2 (SHA-0, SHA-1, SHA-2)
    ■ RIPEMD-160
● Birthday Paradox
  ○ There is a greater than 50% chance that two people share a birthday in a group of 23
    ■ The number of pairs that could collide is n(n-1)/2
    ■ Hash functions must not be susceptible to this: finding a collision in an n-bit hash should take about 2^(n/2) attempts
● Salting
  ○ Random data used as an additional input to a hashing function
    ■ Defeats precomputed dictionary and rainbow table attacks
  ○ Password + salt = the value to be hashed
    ■ Password123 + ET2FE6T4G = Password123ET2FE6T4G
Lesson 5.2: Cryptography and Ciphers (SC)
Skills Learned From This Lesson: Symmetric Cipher, Rijndael
● Symmetric Cryptography
  ○ Uses a single cryptographic key for both encryption and decryption
  ○ Key management is a challenge; the key must be sent out-of-band
    ■ Out-of-band
      ■ Using a different channel to transmit the key
  ○ Advantages
    ■ Very fast
    ■ Affordable
    ■ Secure
  ○ Disadvantages
    ■ Key management
    ■ No non-repudiation
● Data Encryption Standard (DES)
  ○ The key is 64 bits in length, but every 8th bit is a parity bit, leaving 56 effective key bits
  ○ Key space is 2^56, about 7.2 x 10^16
  ○ Disadvantages
    ■ Key is too short
    ■ Breakable by a brute force attack
  ○ Solutions
    ■ Double DES
      ■ DES twice, with a nominal 2^112 key space
      ■ Flaw
        ■ Victim of the meet-in-the-middle attack, which reduces the effective strength to roughly 2^57
    ■ Triple DES (3DES)
      ■ Effective key space of 2^112 using two different keys (three independent keys give a 168-bit key)
      ■ Encrypt with key 1, decrypt with key 2, encrypt with key 3 (EDE)
      ■ Disadvantage
        ■ Too slow in software
        ■ The Advanced Encryption Standard (AES) was needed to replace it
      ■ The algorithm chosen for AES is Rijndael
● Rijndael
  ○ Very versatile
    ■ Block size can be 128, 192, or 256 bits (the AES standard fixes the block at 128 bits)
    ■ Key size can be 128, 192, or 256 bits
    ■ The number of rounds depends on the key size (10, 12, or 14 for AES)
  ○ Four major operations
    ■ Substitute bytes
    ■ Shift rows
    ■ Mix columns
    ■ Add round key
● Other Symmetric Algorithms
  ○ International Data Encryption Algorithm (IDEA)
    ■ Key size (bits): 128
    ■ Block size (bits): 64
    ■ Rounds of encryption: 8
  ○ CAST (CAST-128)
    ■ Key size (bits): 40-128
    ■ Block size (bits): 64
    ■ Rounds of encryption: 12-16
  ○ Secure and Fast Encryption Routine (SAFER)
    ■ Key size (bits): 64 or 128 (SAFER K-64 / K-128)
    ■ Block size (bits): 64 or 128
  ○ Blowfish
    ■ Key size (bits): 32-448
    ■ Block size (bits): 64
  ○ RC2
    ■ Key size (bits): 8-1024
    ■ Block size (bits): 64
  ○ RC4
    ■ Key size (bits): 8-2048
    ■ Block size (bits): n/a, stream cipher
  ○ RC5
    ■ Key size (bits): 0-2040
    ■ Block size (bits): 32, 64, or 128 (twice the 16-, 32-, or 64-bit word size)
    ■ Rounds of encryption: 0-255
  ○ RC6
    ■ Key size (bits): 128, 192, 256
    ■ Block size (bits): 128
    ■ Rounds of encryption: 20
  ○ Twofish
    ■ Key size (bits): 128, 192, 256
    ■ Block size (bits): 128
    ■ Rounds of encryption: 16
Lesson 5.3: Asymmetric Cryptography (SC)
Skills Learned From This Lesson: Asymmetric Cryptography, Hybrid Cryptography
● Asymmetric Cryptography
  ○ Created to address the practical limitations of symmetric cryptography, above all key distribution
  ○ Uses two keys that are mathematically related, yet one cannot feasibly be derived from the other
    ■ What one key encrypts, only the other can decrypt
  ○ Algorithms are based on one-way functions
    ■ Private key ⇒ Public key is easy; Public key ⇒ Private key is infeasible
    ■ The private key belongs to only you
    ■ The public key is given to everyone
  ○ Good for confidential messages, open (signed) messages, and non-repudiation
● Asymmetric Encryption Algorithms
  ○ RSA
    ■ Based on the mathematical difficulty of factoring the product of two large prime numbers
  ○ Diffie-Hellman
    ■ A key agreement algorithm
    ■ Enables two users to establish a shared symmetric key over an open channel, which is then used for message encryption
    ■ Used in protocols such as IPsec (IKE) and TLS
  ○ ElGamal
    ■ Based on the work of Diffie-Hellman, but adds message confidentiality and digital signatures
  ○ Elliptic Curve Cryptography (ECC)
    ■ Based on the mathematics of elliptic curves
    ■ Has the highest strength per bit of key length of any of the asymmetric algorithms
    ■ Provides confidentiality, digital signatures, and message authentication
● Asymmetric Key Algorithms
  ○ Advantages
    ■ Can send messages without a prior secret key exchange
    ■ Offer non-repudiation, access control, and integrity
  ○ Disadvantages
    ■ Slow
    ■ Impractical for frequent transactions
    ■ Ciphertext is larger than the plaintext
● Hybrid Cryptography
  ○ Combines the best of both symmetric and asymmetric cryptography
    ■ Asymmetric
      ■ Key exchange, non-repudiation, and message authentication
    ■ Symmetric
      ■ Speed
      ■ Security of the algorithms for bulk data
● Cryptography Concepts
  ○ Message digest
    ■ A small, fixed-size representation of a larger message
    ■ Used to ensure the integrity of information (and, combined with a key, its authentication)
  ○ Message Authentication Code (MAC)
    ■ A small block of data generated from the message using a secret key and appended to the message
  ○ Hashed Message Authentication Code (HMAC)
    ■ A MAC built from a cryptographic hash function and a symmetric key
    ■ Used for data integrity and origin authentication
  ○ Digital signatures
    ■ Ensure the authenticity and integrity of a message through the use of hashing algorithms and asymmetric algorithms
    ■ The message digest is signed (for RSA, in effect encrypted) with the sender's private key and verified with the sender's public key
  ○ Non-repudiation
    ■ A service that ensures the sender cannot deny that a message was sent and that the integrity of the message is intact
Lesson 5.4: Methods of a Cryptanalytic Attack (SC)
Skills Learned From This Lesson: Common Algorithm Attacks
● Common Attacks
  ○ Chosen plaintext
    ■ The attacker can choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts
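The keystream ciphers of Lesson 5.1, the HMAC of Lesson 5.3 and the known-plaintext attack of this lesson meet in one place: an XOR cipher whose keystream is ever reused or whose ciphertext is never authenticated. The following Python example is added here and is not part of the study guide. It builds a CTR-style keystream from a hash-based PRF (SHA-256 stands in for the block cipher; real code uses AES-CTR or AES-GCM from a vetted library), shows the round trip, recovers a second message from a reused nonce with one known plaintext, flips a field in the ciphertext without the key, and then shows an HMAC tag catching that forgery. Keys, nonces and messages are constructed for the example.

```python
"""Added example for Lessons 5.1, 5.3 and 5.4 (not from the study guide): a
CTR-style keystream cipher built on a hash-based PRF, used to show XOR
encryption, why a keystream must never be reused (a known-plaintext attack
recovers the second message), why XOR ciphertexts are malleable, and how an
HMAC closes that gap. SHA-256 stands in for the block cipher here; real code
uses AES-CTR or AES-GCM from a vetted library. Keys and messages are constructed."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 12, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR idea from Lesson 5.1: keystream block i = PRF(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


ctr_decrypt = ctr_encrypt  # XOR is its own inverse


def two_time_pad_attack(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Known-plaintext attack on keystream reuse: c1 ^ c2 == p1 ^ p2, so an
    attacker who knows p1 recovers p2 without ever learning the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def flip_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Malleability: XORing (old ^ new) into the ciphertext rewrites the
    plaintext at that position; no key is needed."""
    c = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        c[offset + i] ^= o ^ n
    return bytes(c)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: fresh random nonce, CTR encryption, HMAC over
    nonce || ciphertext (Lesson 5.3's HMAC for integrity and origin)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = ctr_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed: ciphertext was altered")
    return ctr_decrypt(enc_key, nonce, ct)


def tamper_is_detected(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bool:
    """Flip the amount field inside a sealed message; True if open_sealed rejects it."""
    blob = seal(enc_key, mac_key, plaintext)
    body = flip_field(blob[NONCE_LEN:-TAG_LEN], 4, b"0100", b"9999")
    forged = blob[:NONCE_LEN] + body + blob[-TAG_LEN:]
    try:
        open_sealed(enc_key, mac_key, forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key, nonce = b"K" * 32, b"N" * NONCE_LEN  # constructed, fixed for the demo
    p1, p2 = b"PAY 0100 USD TO ALICE", b"PAY 9999 USD TO CAROL"
    c1, c2 = ctr_encrypt(key, nonce, p1), ctr_encrypt(key, nonce, p2)  # same nonce twice: fatal
    print("round trip:", ctr_decrypt(key, nonce, c1) == p1)
    print("recovered from nonce reuse:", two_time_pad_attack(c1, c2, p1))
    print("forged plaintext:", ctr_decrypt(key, nonce, flip_field(c1, 4, b"0100", b"9999")))
    print("forgery caught with HMAC:", tamper_is_detected(key, b"M" * 32, p1))
```

Two points carry over to real deployments: CTR and OFB are only as safe as the uniqueness of the nonce (the demo reuses one deliberately, and the whole second message falls out), and confidentiality without a MAC lets an attacker edit the amount in transit. Authenticated modes such as GCM bundle the tag for exactly this reason.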
  ○ Social engineering attack
    ■ Manipulating individuals so that they divulge confidential information such as keys or passwords
  ○ Brute force attack
    ■ Trying all possible keys until one is found that decrypts the ciphertext
    ■ Graphics Processing Units (GPUs) have made this practical against short keys and weak password hashes
  ○ Differential cryptanalysis
    ■ A chosen-plaintext technique that studies how differences in an input affect the resulting difference at the output
    ■ Distinct from side-channel attacks, which target the implementation rather than the algorithm
  ○ Linear cryptanalysis
    ■ A known-plaintext attack that uses linear approximations to describe the behavior of a block cipher
  ○ Algebraic attack
    ■ Exploits vulnerabilities within the intrinsic algebraic structure of the mathematical functions
  ○ Rainbow table
    ■ A precomputed lookup table of hash outputs for candidate passwords such as common dictionary words
    ■ Hash values are computed once and reused to reverse hashes later
  ○ Ciphertext-only attack
    ■ The attacker is assumed to have access only to a set of ciphertexts
    ■ One of the hardest for the attacker; there is little information to work with
  ○ Known-plaintext
    ■ The attacker is assumed to have access to sets of corresponding plaintext and ciphertext
    ■ Goal
      ■ Find the link between them (the key or keystream)
  ○ Frequency analysis
    ■ Identifies weaknesses in cryptosystems by locating patterns in the resulting ciphertext
    ■ Works well in combination with other types of attacks
  ○ Chosen-ciphertext
    ■ The attacker chooses a ciphertext and obtains its decryption under an unknown key
  ○ Birthday attack
    ■ Exploits the mathematics behind the birthday problem in probability theory to force collisions within hashing functions
  ○ Dictionary attack
    ■ Hashes all of the words in a dictionary and checks whether any hash matches the password's hash
  ○ Replay attack
    ■ An attacker intercepts authentication information and replays it to gain access to a system
  ○ Factoring attack
    ■ Developed to break the RSA algorithm
    ■ Tries to factor the public modulus back into its two large prime factors
  ○ Reverse engineering
    ■ A product is reverse engineered to find weaknesses in the system or to gain information
  ○ Implementation attack
    ■ Popular because it targets system elements outside of the algorithm itself
    ■ Side-channel analysis
      ■ Uses leaked information (timing, power consumption, emissions) to uncover sensitive data or processing functions
    ■ Fault analysis
      ■ Attempts to force the system into an error state to obtain erroneous results that leak key material
    ■ Probing attacks
      ■ Attempts to observe the circuitry surrounding the cryptographic module in the hope that components will disclose information
Lesson 5.5: Key Management Concepts (SC)
Skills Learned From This Lesson: Key management Concepts, Secure Protocols
● Public Key Infrastructure (PKI)
  ○ A set of systems, software, and communication protocols required for public key cryptography
  ○ Primary purpose
    ■ Publish public keys/certificates
    ■ Certify that a key is tied to an individual or entity
    ■ Provide verification of the validity of a public key
● Certificate Authority (CA)
  ○ A component of a PKI that creates and maintains digital certificates throughout their life cycles
● Registration Authority (RA)
  ○ Verifies an entity's identity and determines whether it is entitled to have a public key certificate issued
● Certificate Revocation List (CRL)
  ○ A list maintained by the CA of a PKI that identifies digital certificates that have been revoked
● Key Management
  ○ The most important part of any cryptographic implementation
  ○ "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge" ~ Auguste Kerckhoffs
    ■ Everything about the encryption algorithm can be known except the key
● Key Management Applications
  ○ XML Key Management Specification 2.0 (XKMS)
    ■ Protocols for distributing and registering public keys
  ○ ANSI X9.17
    ■ Developed to address the needs of financial institutions
    ■ Uses Data Keys (DKs) and Key-encrypting Keys (KKMs)
● Key Distribution and Management
  ○ Secure keys depend on automated key generation, randomness, and length
    ■ Automated key generation
      ■ Key policy enforcement
    ■ Randomness
      ■ 0s and 1s that an attacker cannot predict
    ■ Key length
      ■ The longer the key, the more difficult it is to brute force
  ○ Key wrapping
    ■ The process of using key encrypting keys (KEKs) to protect session keys
    ■ Good for sending keys over an untrusted transport
    ■ Supports symmetric and asymmetric ciphers
  ○ Out-of-band
    ■ Key exchange that uses a medium other than the one through which secure messages will be sent
    ■ Not very scalable
  ○ Key Distribution Center (KDC)
    ■ A trusted server that shares a secret master key with each principal and issues short-lived session keys for principals to talk to each other
    ■ Two kinds of keys
      ■ Master keys and session keys
    ■ Ex.
      ■ Kerberos
● Key Aspects
  ○ Key storage
    ■ Encryption
    ■ Expiration date
    ■ Backups
    ■ Recovery
  ○ Key recovery
    ■ Multiparty
    ■ Common directories
    ■ Password wallets
  ○ Key escrow
    ■ A third party holds the key
  ○ Web of trust
    ■ Users vouch for the authenticity of a public key and its owner without a central CA
● Secure Protocols
  ○ IP Security (IPsec)
    ■ A suite of protocols for communicating securely over IP by providing mechanisms for authentication and encryption
    ■ Authentication Header (AH)
      ■ Used to identify the sender and ensure the transmitted data has not been altered
      ■ Uses hashes and sequence numbers
    ■ Encapsulating Security Payload (ESP)
      ■ Header
        ■ Sequence number and the Security Parameter Index that identifies the security association
      ■ Payload
        ■ Encrypted part of the packet
      ■ Trailer
        ■ Padding if required
      ■ Authentication
        ■ Hash value (integrity check) of the packet
    ■ Endpoints talk with IPsec using transport or tunnel mode
      ■ Transport
        ■ The payload is protected
      ■ Tunnel
        ■ The payload and the original header are protected
  ○ Internet Key Exchange (IKE)
    ■ Authentication and key negotiation part of IPsec
    ■ Phase 1: Establish authentication
      1. Shared secret
      2. Public key encryption
      3. Revised mode of public key encryption
    ■ Phase 2: Security associations are established
Use secure tunnel & secure associate method at the end of phase 1 Secure Sockets Layer/Transport Layer Security (SSL/TLS) ○ Used to encrypt confidential data over an unsecured network ○ Sits between the Transport layer & the Application layer Secure/Multipurpose Internet Mail Extensions (S/MIME) ○ Used to sending digitally signed & encrypted messages ○ Provides authentication, integrity, & non-repudiation Domain 6: Networks and Communications Security Lesson 6.1: ISO and DoD Models (SC) Brought to you by: Develop your team with the fastest growing catalog in the cybersecurity industry. Enterprise-grade workforce development management, advanced training features and detailed skill gap and competency analytics. 66 Skills Learned From This Lesson: OSI, TCP/IP The 7 Layers of OSI ● The OSI Model OSI Model ○ Layer 1: Physical Layer ■ Network topologies ■ Most physical devices are at this level ■ Bits on a wire ○ Layer 2: Data Link Layer ■ Receives the packet it gets from the wire & formats it for the network ■ Logical Link Control (LLC) ■ Manages connections between two peers ■ Proves error & flow control ■ Media Access Control (MAC) ■ Transmits & receives frames from peers ■ Hardware addresses are defined at this sublayer ○ Layer 3: Network Layer ■ Moves information between two hosts ■ Uses logical addressing & Internet Protocol (IP) ■ Addressing ■ Uses destination IP address to send packets ■ Fragmentation ■ Subdivides packets if its size is greater than maximum size on a network ○ IP is a connectionless protocol that does not guarantee error-free delivery ○ Routers work at this level & send packets from place to place ■ Static Routing Tables ■ Updated manually ■ Dynamic Routing Tables ■ Routers share information ○ Network Routing Protocols ■ Internet Control Message Protocol (ICMP) ■ Network errors Brought to you by: Develop your team with the fastest growing catalog in the cybersecurity industry. 
        ■ Network congestion
        ■ Troubleshooting
        ■ Timeouts
      ■ Internet Group Management Protocol (IGMP)
        ■ Manages multicasting groups
      ■ Other Layer 3 Protocols
        ■ IPv4/IPv6
          ■ Internet Protocol
        ■ DVMRP
          ■ Distance Vector Multicast Routing Protocol
        ■ IPsec
          ■ Internet Protocol Security
        ■ DDP
          ■ Datagram Delivery Protocol
        ■ SPB
          ■ Shortest Path Bridging
  ○ Layer 4: Transport Layer
    ■ Creates an end-to-end connection between hosts
    ■ Transmission Control Protocol (TCP)
      ■ Provides error-free transmission
    ■ User Datagram Protocol (UDP)
      ■ A connectionless, unreliable protocol
    ■ Other Layer 4 protocols
      ■ FCP
        ■ Fibre Channel Protocol
      ■ RDP
        ■ Reliable Datagram Protocol
      ■ SCTP
        ■ Stream Control Transmission Protocol
      ■ SPX
        ■ Sequenced Packet Exchange
      ■ SST
        ■ Structured Stream Transport
  ○ Layer 5: Session Layer
    ■ Provides a logical, persistent connection between peer hosts
    ■ Types of sessions
      ■ Full Duplex
        ■ Both hosts can pass information at the same time
      ■ Half Duplex
        ■ Both hosts can pass information, but only one at a time
      ■ Simplex
        ■ Only one host can send information to its peer, in one direction only
    ■ Other Layer 5 Protocols
      ■ H.245
        ■ Call control protocol for multimedia communication
      ■ iSNS
        ■ Internet Storage Name Service
      ■ PAP
        ■ Password Authentication Protocol
      ■ PPTP
        ■ Point-to-Point Tunneling Protocol
      ■ RPC
        ■ Remote Procedure Call Protocol
      ■ RTCP
        ■ Real-time Transport Control Protocol
      ■ SMPP
        ■ Short Message Peer-to-Peer
  ○ Layer 6: Presentation Layer
    ■ Provides services to ensure that peer applications use a common format to represent data
    ■ Ex.
      ■ If an application can only read ASCII values & it receives Unicode data, then the Presentation Layer will convert it to ASCII
  ○ Layer 7: Application Layer
    ■ Application’s portal to network-based services
    ■ Used to transmit or receive data over a network
    ■ Protocols that work in Layer 7
      ■ DHCP
        ■ Dynamic Host Configuration Protocol
      ■ DNS
        ■ Domain Name System
      ■ HTTP
        ■ Hypertext Transfer Protocol
      ■ IMAP
        ■ Internet Message Access Protocol
      ■ LDAP
        ■ Lightweight Directory Access Protocol
      ■ SMTP
        ■ Simple Mail Transfer Protocol
      ■ FTP
        ■ File Transfer Protocol
● OSI Model vs TCP/IP Model (comparison diagram in the original)

Lesson 6.2: IP Networking (SC)

Skills Learned From This Lesson: IP networking

● Network Classes
  ○ Hosts are distinguished by IP addresses: 192.168.145.123
  ○ IP addresses are divided into a network number & a host number
  ○ ICANN
    ■ Internet Corporation for Assigned Names and Numbers
  ○ Network Classes (table in the original)
● Classless Inter-Domain Routing (CIDR)
  ○ Allows flexibility to access more IP addresses
● Subnets
  ○ Logical subdivision of a network
● Subnet Mask
  ○ Used to define the part of the address that is used for the subnet
  ○ Ex.
    ■ 192.168.145.123/24
      ■ 24 is the subnet mask, written as a prefix length
      ■ Subnet mask = 11111111 11111111 11111111 00000000 or 255.255.255.0
● IP Networking
  ○ IPv6
    ■ A modernization of IPv4
    ■ Much larger address field - 128 bits
    ■ Improved security
    ■ More concise IP packet header
    ■ Improved quality of service
  ○ Border Gateway Protocol (BGP)
    ■ Exchanges routing information between gateway hosts
    ■ Protocol used between the hosts & the internet
● TCP/UDP
  ○ Map data connections through port numbers which are associated w/ devices
  ○ Port numbers are managed by the Internet Assigned Numbers Authority
  ○ There are 65,536 ports broken into three categories
    ■ Well-known ports
      ■ 0 - 1023
    ■ Registered Ports
      ■ 1024 - 49,151
    ■ Dynamic Ports
      ■ 49,152 - 65,535
  ○ TCP
    ■ Provides a connection
    ■ Has error-handling
    ■ Tracks packets
    ■ Ex.
      ■ HTTP, SMTP
  ○ UDP
    ■ Connectionless
    ■ No error-handling
    ■ “Best Effort”
    ■ Ex.
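Worked example for the Subnet Mask and TCP/UDP port passages above. This is an added illustration, not code from the study guide; it uses only Python's standard `ipaddress` module. The address 192.168.145.123/24 is the lesson's own example; the /20 mask and the port numbers in the demo are constructed inputs.

```python
"""Prefix lengths, subnet masks and IANA port ranges (added example, not from the study guide)."""
import ipaddress

# The three port categories exactly as the lesson lists them (IANA ranges).
PORT_RANGES = (
    ("well-known", 0, 1023),
    ("registered", 1024, 49151),
    ("dynamic", 49152, 65535),
)


def prefix_to_mask(prefix_len: int) -> str:
    """Turn a prefix length such as 24 into a dotted-decimal mask (255.255.255.0)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("an IPv4 prefix length must be between 0 and 32")
    # prefix_len one-bits followed by zero-bits, truncated to 32 bits.
    mask_int = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def mask_bits(prefix_len: int) -> str:
    """Binary rendering of the mask, one group per octet, as the lesson writes it."""
    bits = "1" * prefix_len + "0" * (32 - prefix_len)
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))


def describe_cidr(cidr: str) -> dict:
    """Split address/prefix notation into its network number and host number."""
    iface = ipaddress.IPv4Interface(cidr)  # keeps the host bits (IPv4Network would reject them)
    net = iface.network
    prefix = net.prefixlen
    # /31 and /32 have no separate network/broadcast addresses, so every address is usable.
    usable = net.num_addresses - 2 if prefix <= 30 else net.num_addresses
    return {
        "address": str(iface.ip),
        "prefix_length": prefix,
        "subnet_mask": str(net.netmask),
        "network_address": str(net.network_address),
        "broadcast_address": str(net.broadcast_address),
        "host_number": int(iface.ip) & int(net.hostmask),
        "usable_hosts": usable,
    }


def same_subnet(addr_a: str, addr_b: str, prefix_len: int) -> bool:
    """True when both addresses share the same network number under the given prefix length."""
    mask = int(ipaddress.IPv4Address(prefix_to_mask(prefix_len)))
    return (int(ipaddress.IPv4Address(addr_a)) & mask) == (int(ipaddress.IPv4Address(addr_b)) & mask)


def port_category(port: int) -> str:
    """Classify a TCP/UDP port into the well-known, registered or dynamic range."""
    for name, low, high in PORT_RANGES:
        if low <= port <= high:
            return name
    raise ValueError(f"port {port} is outside 0-65535")


if __name__ == "__main__":
    # The lesson's own example address.
    info = describe_cidr("192.168.145.123/24")
    print("mask bits:", mask_bits(info["prefix_length"]))
    for key, value in info.items():
        print(f"{key:>18}: {value}")
    # Constructed inputs: a /20 and a few ports.
    print("/20 mask:", prefix_to_mask(20))
    for port in (53, 3389, 60000):
        print(port, "->", port_category(port))
```

`describe_cidr` deliberately uses `IPv4Interface` rather than `IPv4Network`: the latter, in its default strict mode, rejects an address with host bits set, which is exactly the input the lesson gives.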
      ■ VOIP
● DHCP
  ○ Dynamic Host Configuration Protocol
  ○ Automatically assigns IP addresses to workstations
  ○ The address given is leased for a period of time
  ○ Address lease is referred to as a TTL (Time To Live)
● ICMP
  ○ Internet Control Message Protocol
  ○ Used for the exchange of control messages between hosts & gateways, & by diagnostic tools
  ○ Ping of death
    ■ A packet echo that is greater than 65,536 bytes
  ○ ICMP redirect attacks
    ■ A victim’s computer is redirected to send its information through an attacker’s computer w/o the vict­im knowing
  ○ Ping scanning
    ■ If a host replies to a ping, then the attacker knows a host exists at that address
  ○ Traceroute exploitation
    ■ Used to map a victim’s network & learn about its routing
  ○ Remote procedure calls
    ■ Allow objects to be executed across hosts
    ■ Client sends instructions to an application

Lesson 6.3: Network Topologies (SC)

Skills Learned From This Lesson: Network Topologies and Concepts

● Bus
  ○ A LAN w/ a central cable (bus) to which all nodes connect
  ○ Advantages
    ■ Adding nodes
    ■ Node failures don’t affect the rest
  ○ Disadvantages
    ■ Cable failure, all nodes will go down
● Tree
  ○ All devices connect to a branching cable
    ■ Advantages
      ■ Adding nodes
      ■ Node failures don’t affect the rest
    ■ Disadvantages
      ■ Cable failure, only the nodes connected to the failed cable will go down
● Ring
  ○ A closed loop topology
  ○ Data is transmitted in one direction only
  ○ Advantages
    ■ Predictable maximum wait time
    ■ Can be used as LAN or Network backbone
  ○ Disadvantages
    ■ Single point of failure
● Mesh
  ○ All nodes are connected to every other node
    ■ Advantages
      ■ High level of redundancy
    ■ Disadvantages
      ■ Very expensive
● Star
  ○ All nodes are connected to a central device such as a hub, switch, or router
  ○ Advantages
    ■ Few cables
    ■ Easy to deploy
    ■ Nodes can easily be added or removed
  ○ Disadvantages
    ■ The central piece is a single point of failure
● Unicast, Multicast, & Broadcast
  ○ Unicast
    ■ Send a packet to one person
  ○ Multicast
    ■ Send a packet to selected people
  ○ Broadcast
    ■ Send a packet to everybody
● Circuit-Switched Network
  ○ Dedicated circuit between end points
  ○ Endpoints have exclusive use of the circuit & bandwidth
  ○ Ex.
    ■ Telephones
● Packet-Switched Network
  ○ Does not use dedicated connections
  ○ Packets are transmitted on a shared network
  ○ Network devices find the best path
  ○ All packets (eventually) need to be in the correct order
    ■ Not every packet takes the same path
● Virtual Circuits
  ○ Provide a connection between endpoints that acts as if it was a physical circuit
    ■ Permanent virtual circuit
      ■ The carrier configures the circuit’s routes
    ■ Switched virtual circuit
      ■ Configured dynamically by the routers
● Topology Concept
  ○ Carrier Sense Multiple Access
    ■ A protocol which uses the absence/presence of a signal on a medium as permission to speak
    ■ Variations
      ■ CSMA/CA
        ■ Carrier Sense Multiple Access w/ Collision Avoidance
        ■ Requires devices to announce that they are about to transmit by using a jamming signal
      ■ CSMA/CD
        ■ Carrier Sense Multiple Access w/ Collision Detection
        ■ Listens for a carrier before transmitting data
  ○ Token Passing
    ■ Only one device may transmit at a time
    ■ Devices can only transmit if they possess the token
  ○ Ethernet (IEEE 802.3)
    ■ Played a major role in LANs in the 1980s
    ■ Supports coaxial cable, unshielded twisted pair, & fiber optics
  ○ Token Ring (IEEE 802.5)
    ■ Each device gets data from its upstream neighbor & passes it downstream
    ■ Devices can only transmit when they hold the token
● FDDI
  ○ Fiber Distributed Data Interface
  ○ Token passing architecture using two rings
  ○ Information flows in opposite directions
● MPLS
  ○ Multiprotocol Label Switching
  ○ Offers mechanisms for packet traffic & multi-service functionality
● Guidelines for MPLS
  ○ Site availability
  ○ End-to-End network availability
  ○ Provisioning

Lesson 6.4: DNS and LDAP (SC)

Skills Learned From This Lesson: DNS & LDAP, Commonly used ports & protocols

● DNS
  ○ Domain Name System
  ○ A hierarchical distributed naming system for any resource connected to the internet or a private network
  ○ A global, scalable, dynamic database that translates domain names to IP addresses
  ○ Common domains
    ■ .com
    ■ .edu
    ■ .gov
    ■ .mil
● Resolver
  ○ A DNS client that sends DNS messages to obtain information about the requested domain name space
● Recursion
  ○ The action taken when a DNS server is asked to query on behalf of a DNS resolver
● Authoritative Server
  ○ A DNS server that responds to query messages w/ information stored in RRs for a domain name space stored on the server
● Recursive resolver
  ○ A DNS server that recursively queries for the information asked for in the DNS query
● FQDN
  ○ Fully Qualified Domain Name
  ○ The absolute name of a device w/in the distributed DNS database
● RR
  ○ Resource record
● Zone
  ○ A database that contains information about the domain name space stored on an authoritative server
● DNS Attacks
  ○ DNS Denial-of-Service (DoS)
    ■ An attacker delivers traffic to the victim by reflecting it off of a third party
  ○ Query or Request Redirection
    ■ The DNS query is intercepted & modified in transit to the DNS server
    ■ Sends the user to the wrong website
  ○ DNS Cache-Poisoning
    ■ Malicious data is injected into DNS servers
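The DNS message exchange behind the resolver, recursion and RR definitions above, as an added example that is not part of the study guide: it builds a query for an A record, parses a response including the label-compression pointers real servers use, and performs the transaction-ID and question-matching check a resolver must make before caching an answer, which is the basic defence against the cache-poisoning attack listed above. The response is constructed locally by `build_response`, so nothing leaves the machine; `example.com` and the 192.0.2.x addresses are constructed sample data.

```python
"""Build and parse DNS messages (added example, not from the study guide)."""
import struct

TYPE_A = 1
CLASS_IN = 1
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired (set by the resolver)
FLAG_RA = 0x0080   # recursion available (set by the server)


def encode_name(name: str) -> bytes:
    """Encode example.com as 7example3com0 (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = TYPE_A) -> bytes:
    """12-byte header (QDCOUNT=1, RD set) followed by one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Read a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # two-byte pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:                    # refuse looping pointers
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_message(msg: bytes) -> dict:
    """Parse the header, question section and answer section (A records decoded)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        data = ".".join(str(b) for b in rdata) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl, "data": data})
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "recursion_desired": bool(flags & FLAG_RD),
        "recursion_available": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "questions": questions,
        "answers": answers,
    }


def build_response(query: bytes, a_records) -> bytes:
    """Constructed answer for offline testing: echoes the question and adds A records
    whose owner name is a 0xC00C pointer back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    _, end = decode_name(query, 12)
    question = query[12:end + 4]             # name + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA, 1, len(a_records), 0, 0)
    body = b""
    for ip, ttl in a_records:
        body += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
        body += bytes(int(octet) for octet in ip.split("."))
    return header + question + body


def matches_query(query: bytes, response: bytes) -> bool:
    """A resolver accepts an answer only if it is a response carrying the same transaction
    ID and the same question it sent; anything else is discarded rather than cached."""
    q, r = parse_message(query), parse_message(response)
    return r["is_response"] and q["id"] == r["id"] and q["questions"] == r["questions"]
```

The 16-bit transaction ID alone is a small search space, which is why production resolvers also randomise the UDP source port; `matches_query` shows the minimum check, not the whole defence.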
  ○ Zone Enumeration
    ■ Attackers use DNS diagnostic commands to learn about a site’s architecture
    ■ Common commands used
      ■ dig & nslookup
  ○ DNS Fast Flux
    ■ The ability to move distributed services to different computers quickly
    ■ Primarily used by botnets & phishing attacks
  ○ Domain registration takeover
    ■ Change of the authoritative DNS server
    ■ Attackers send back different IP addresses
  ○ DNS ports
    ■ 53/TCP
    ■ 53/UDP
● LDAP
  ○ Client/Server based directory for managing user information
  ○ Allows anyone to locate users, information, & resources on a network
  ○ Ports
    ■ 389/TCP
    ■ 389/UDP
● Services & Protocols
  ○ NetBIOS
    ■ A program which allows applications on different computers to interact w/in a LAN
    ■ Ports
      ■ 135 & 139/UDP, 137 & 138/TCP
  ○ NIS/NIS+
    ■ Network Information Service
    ■ Directory services used for managing user credentials in a group of machines
    ■ Mostly used in UNIX
  ○ CIFS/SMB
    ■ Common Internet File System/Server Message Block
    ■ A file sharing protocol on Windows Systems
    ■ Ex.
      ■ Scanning from a printer to a computer
    ■ Ports
      ■ 445/TCP
● SMTP
  ○ Simple Mail Transfer Protocol
    ■ A client/server protocol utilized to route email on the internet
    ■ No authentication or encryption
    ■ Port
      ■ 25/TCP
● FTP
  ○ File Transfer Protocol
  ○ Uploading & spreading information on the internet
    ■ Ports
      ■ 20 & 21/TCP
● TFTP
  ○ Trivial File Transfer Protocol
  ○ Simplified version of FTP
  ○ Use only on trusted networks
  ○ Port
    ■ 69/UDP
● HTTP
  ○ Hypertext Transfer Protocol
  ○ The foundational protocol of the web
  ○ Port
    ■ 80/TCP

Lesson 6.5: Telecommunications Technologies (SC)

Skills Learned From This Lesson: Telecommunications technologies

● IP Convergence
  ○ Using the Internet Protocol (IP) to transmit all of the information that transits a network
  ○ Benefits
    ■ Excellent support for multimedia
    ■ Devices can be run in innovative ways
    ■ Easy to manage
    ■ Fewer components
    ■ Simplifies security management
● Enabling Technologies
  ○ iSCSI
    ■ Internet Small Computer System Interface
    ■ Facilitates data transfers over networks & manages storage over long distances
    ■ Links data storage facilities
    ■ Doesn’t need cable
  ○ MPLS
    ■ Multi-Protocol Label Switching
    ■ Networking protocol for helping route packets from source to destination
    ■ The source router applies a “label” on how to get to the destination
    ■ Other routers just follow the label
  ○ VoIP
    ■ A technology that allows you to make voice calls over the internet instead of a phone line
    ■ Video conferencing
    ■ Based on SIP
      ■ Session Initiation Protocol
    ■ Quality problems
      ■ UDP
        ■ “best effort”
      ■ Packet loss
        ■ The worse the sound quality, the more packets are being lost
      ■ Jitter
        ■ A variation in packet delays
      ■ Sequence errors
        ■ Packets are received out of order
● SIP
  ○ Session Initiation Protocol
  ○ Responsible for setting up, maintaining, & tearing down voice connections
  ○ Manages multimedia connections
  ○ Supports encryption & integrity
● Phone system communications
  ○ POTS
    ■ Plain Old Telephone Service
    ■ A bidirectional analog telephone service designed to carry the sound of the human voice
    ■ The “last mile” of residential & business telephone services
● PBX
  ○ Private Branch Exchange
    ■ An enterprise-class phone system typically used in businesses or large organizations
    ■ Internal switching network
● Cellular
  ○ A network over a land area, served by a cell site

Lesson 6.6: Network Access Controls (SC)

Skills Learned From This Lesson: Network Access Controls, Hardware, Wired Transmission

● Network Access Controls
  ○ Boundary Router
    ■ Routers on the edge that advertise routes that external hosts can use to reach internal hosts
    ■ Filter traffic
    ■ Prevent spoofing
  ○ Security perimeter
    ■ First line of protection between trusted & untrusted networks
    ■ Firewalls & IDS systems
  ○ Network Partitioning
    ■ Segments networks into different areas
  ○ Dual-homed host
    ■ Has two NICs, each on a separate network
  ○ Bastion host
    ■ A highly exposed device that will most likely be targeted for attacks
    ■ Usually placed on the public side of a firewall, or in the DMZ area if there are two firewalls
    ■ Focuses on one application
    ■ Ex.
      ■ Mail server, DNS server, FTP server
● Network Access Technologies
  ○ DMZ
    ■ Demilitarized zone
    ■ Area between firewalls
    ■ Servers are placed here to give external hosts access to some resources
● Hardware
  ○ Modems
    ■ Allow users to connect to a network via analog phone lines
    ■ Convert between digital & analog signals
  ○ Multiplexers
    ■ Combine multiple signals into one signal to be transmitted on a network
  ○ Hubs and Repeaters
    ■ A device to which all other devices connect
    ■ Central piece in a star topology
    ■ Don’t let the hub become inoperable
  ○ Switches
    ■ Devices which connect network segments together
  ○ Bridges
    ■ Process packets based on MAC addresses
    ■ Connect LANs w/ different media types
  ○ Routers
    ■ Receive & send packets throughout the network
● Wired Transmission Media
  ○ Considerations
    ■ Throughput
      ■ How much data is going to be sent through the wire?
    ■ Distance between devices
    ■ Data sensitivity
      ■ Is it okay that data is listened to?
      ■ Is it okay that data loses some clarity?
    ■ Environment
  ○ Twisted pair
    ■ Copper wires twisted together to reduce electromagnetic interference
    ■ Unshielded
      ■ Susceptible to interference
      ■ Covering over wire
      ■ Easily bent
      ■ Inexpensive
    ■ Shielded
      ■ Uses an electronically grounded shield to protect the signal
      ■ More bulky
      ■ Harder to bend
  ○ Coaxial cable
    ■ Uses a thick conductor that is surrounded by a grounding wire
    ■ Very thick & expensive
    ■ Used in cable TV
  ○ Fiber optic
    ■ Uses light pulses to transmit information down fiber lines instead of electronic pulses

Lesson 6.7: Multimedia Services and Technologies (SC)

Skills Learned From This Lesson: Remote Access and Technologies, LAN Security, Virtual LANs

● Multimedia Technologies
  ○ Peer-to-Peer Applications
    ■ Designed to open an uncontrolled channel through network boundaries
  ○ Remote Meeting
    ■ Web-based applications which allow individuals to meet virtually
    ■ Ex.
      ■ Skype, Zoom, TeamViewer
  ○ Instant Messaging
    ■ Chat services that offer file exchange, video conversation, & screen sharing
● Remote Access
  ○ VPN
    ■ Virtual Private Network
    ■ An encrypted tunnel between two hosts that allows them to communicate over an untrusted network
    ■ Tunneling
      ■ A communication channel between two networks that is used to transport another network protocol
      ■ Point-to-Point Tunneling (PPTP) & L2TP
    ■ RADIUS
      ■ Remote Authentication Dial-In User Service
      ■ Authentication protocol used in network environments for single sign-on for network devices
    ■ SNMP
      ■ Simple Network Management Protocol
      ■ Consists of a server & a client installed on devices which can be used to retrieve & set values
      ■ Ports
        ■ 161/TCP & UDP
        ■ 162/TCP & UDP
    ■ TCP/IP Terminal Emulation Protocol (Telnet)
      ■ Command line protocol which gives command line access
      ■ Very Risky!!
      ■ Disable unless you absolutely need it
● LAN-Based Security
  ○ Control Plane
    ■ Where forwarding & routing decisions are made
    ■ Exchanges information w/ neighbors
  ○ Data Plane
    ■ Where the action takes place
    ■ Carries out the commands of the control plane
    ■ Forwarding & routing tables
● Virtual LANs
  ○ A set of workstations w/in a LAN that communicate as if they were on a single LAN
    ■ Logical boundaries over a physical network
  ○ Advantages
    ■ Performance
    ■ Flexibility
    ■ Virtual workgroups
    ■ Partitioning resources
  ○ VLAN Hopping
    ■ Devices on VLANs gaining access to traffic on other VLANs
● Secure Device Management
  ○ MACsec
    ■ Media Access Control Security
    ■ Provides point-to-point security on Ethernet links between directly connected nodes
    ■ Uses matching security keys at the end of each link
    ■ Can support data integrity & encryption
  ○ SSH
    ■ Secure Shell
    ■ A network protocol which allows a person to operate devices securely over an unsecure network
    ■ Protects the integrity of communication
    ■ Includes remote log-on, file transfer, & command execution
  ○ DNSSEC
    ■ A sequence of records that identify either a public key or a signature of a set of records
    ■ Provides a way for DNS records to be trusted

Lesson 6.8: Network Based Security Devices (SC)

Skills Learned From This Lesson: Network Based Attacks, Wireless Technologies
● Firewalls
  ○ A gateway protection device
    ■ Enforces administrative policies
  ○ Filter by a rule set
    ■ By address or by service
  ○ NAT
    ■ Network Address Translation
    ■ Changing the source IP of outgoing traffic
    ■ Gives anonymity
● Proxies
  ○ Mediate communications between untrusted endpoints & trusted endpoints
  ○ Proxy types
    ■ Circuit
      ■ Allows trusted hosts to talk w/ untrusted ones
    ■ Application-Level
      ■ Relays information between a trusted endpoint & an untrusted one for a specific application
● Denial-of-Service
  ○ An attack which denies services to a computer by overloading it w/ traffic
  ○ Types
    ■ Volume Based attack
    ■ Protocol attack
    ■ Application Layer attack
  ○ Common attack types
    ■ SYN Flooding
      ■ An attack against the initial handshake in a TCP connection
    ■ Smurf
      ■ Misuses ICMP echo requests
    ■ Fraggle
      ■ Misuses UDP echo traffic
● Spoofing
  ○ The act of impersonating someone else
  ○ Most common spoofing types
    ■ IP address
    ■ Email
    ■ DNS
● Wireless Technologies
  ○ Most common
    ■ Wi-Fi
    ■ Bluetooth
    ■ Cellular
  ○ Disadvantage
    ■ Transmission security of wireless networks
    ■ Wireless networks are only as strong as their authentication methods & protocols
● Wireless Security Methods and Issues
  ○ Open System Authentication
    ■ The default authentication protocol for the 802.11 standard
  ○ WEP
    ■ Wired Equivalent Privacy Protocol
    ■ A basic security feature in 802.11
    ■ Insecure
    ■ Shouldn’t be used
  ○ WPA and WPA2
    ■ Wi-Fi Protected Access
    ■ Improves user authentication & data encryption
● Wireless Security Attacks
  ○ Parking lot
    ■ Attackers sit near an organization & try to access internal hosts via the wireless network
  ○ Shared key authentication flaw
    ■ A passive attack that allows eavesdropping on both the challenge & response
  ○ SSID flaw
    ■ Service set identifier
    ■ Attackers can attack access points due to default configuration
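Detection logic for the SYN Flooding entry in the Denial-of-Service section above, as an added example that is not part of the study guide. It runs over constructed flow records (the `flags` field marks only the three handshake packets: S, SA and the client's final A) and flags any destination port that receives many SYNs within a window but sees almost no completed handshakes, the half-open pattern that separates a flood from a busy but healthy service. The addresses come from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24; the window and thresholds are assumptions to be tuned per environment.

```python
"""Half-open handshake detector over flow records (added example, not from the study guide)."""
from collections import defaultdict


def make_sample_flows():
    """Constructed records: ts (seconds), src, dst, dport, flags.
    flags is 'S' (client SYN), 'SA' (server SYN-ACK) or 'A' (client's final ACK)."""
    flows = []
    # Five normal clients complete the handshake with the web server on 443.
    for i in range(5):
        src = f"198.51.100.{i + 1}"
        flows.append({"ts": 0.5 * i, "src": src, "dst": "203.0.113.5", "dport": 443, "flags": "S"})
        flows.append({"ts": 0.5 * i + 0.05, "src": "203.0.113.5", "dst": src, "dport": 443, "flags": "SA"})
        flows.append({"ts": 0.5 * i + 0.1, "src": src, "dst": "203.0.113.5", "dport": 443, "flags": "A"})
    # A burst of 60 SYNs to port 80 from 60 different sources, none of which ever ACKs.
    for i in range(60):
        flows.append({"ts": 5 + 0.05 * i, "src": f"192.0.2.{i + 1}", "dst": "203.0.113.5", "dport": 80, "flags": "S"})
    return flows


def detect_syn_flood(flows, window=10.0, min_syns=50, max_completion=0.2):
    """Alert on (destination, port, window) tuples where SYNs are plentiful but few
    handshakes complete. completion = final ACKs / SYNs; a healthy service sits near 1.0."""
    buckets = defaultdict(lambda: {"syn": 0, "ack": 0, "sources": set()})
    for f in flows:
        key = (f["dst"], f["dport"], int(f["ts"] // window))
        if f["flags"] == "S":
            buckets[key]["syn"] += 1
            buckets[key]["sources"].add(f["src"])
        elif f["flags"] == "A":
            buckets[key]["ack"] += 1
    alerts = []
    for (dst, dport, win), b in sorted(buckets.items()):
        if b["syn"] < min_syns:          # too little traffic to judge; avoids noisy alerts
            continue
        completion = b["ack"] / b["syn"]
        if completion <= max_completion:
            alerts.append({
                "dst": dst, "dport": dport, "window": win,
                "syns": b["syn"], "completed": b["ack"],
                "completion_ratio": round(completion, 3),
                "distinct_sources": len(b["sources"]),   # many sources suggests spoofing
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(make_sample_flows()):
        print(alert)
```

The `min_syns` floor matters as much as the ratio: a quiet host with two SYNs and no ACK has a completion of 0.0 but is not under attack, so the rule only fires once the absolute count is meaningful.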
Domain 7: Systems and Application Security

Lesson 7.1: Triad – Applicability to Malcode (SC)

Skills Learned From This Lesson: Applications with malware

● CIA Triad: Applicability to Malcode
  ○ Confidentiality
    ■ Malware infects a computer & gives an attacker sensitive information
  ○ Integrity
    ■ Malware infects a computer & payloads are dropped
  ○ Availability
    ■ Malware denies other people access to a computer
● Malware Naming Standards
  ○ No international standard for malcode naming conventions
  ○ CARO
    ■ Computer Antivirus Research Organization
    ■ Established to help organize & classify malicious code
    ■ Classification
      ■ Platform.Type.Family_Name.Variant[:Modifier]@Suffix
● Malware Types
  ○ Vector
    ■ How the transmission of malware happens
  ○ Payload
    ■ Primary action of a malicious code attack
  ○ Virus
    ■ Malicious software which infects a host file
  ○ Logic Bomb
    ■ Malware that executes when conditions are met
  ○ Worm
    ■ Malware that clones itself in order to spread
  ○ Trojan
    ■ Malware which pretends it is something it is not
● Rootkits
  ○ Malware which maintains elevated privileges on a computer by being stealthy
  ○ Types
    ■ Persistent-mode
      ■ Activates every time the system starts
    ■ Memory-based
      ■ No persistent code
    ■ User-mode
      ■ System hooks in the user or application space
    ■ Kernel-mode
      ■ Gives the same privileges as an admin
● Scanners
  ○ Work to detect & remove malicious code
  ○ First Generation
    ■ Simple scanners
    ■ Malware signature required
  ○ Second Generation
    ■ Heuristic scanners
  ○ Third Generation
    ■ Activity traps
  ○ Fourth Generation
    ■ Full-featured protection
● Malware Countermeasures
  ○ Code signing
    ■ Confirms the authenticity & integrity of software through the use of digital signatures
  ○ Sandboxing
    ■ An isolated environment where suspicious code can be executed to see how it will react
  ○ Static code analysis
    ■ Code is looked at to find security errors which cannot be detected w/ compilers

Lesson 7.2: Vectors of Infection (SC)

Skills Learned From This Lesson: Vectors of Infection
● Social Engineering
  ○ Methods which an attacker can use to trick a victim into doing things or giving information
  ○ Examples
    ■ Baiting
      ■ Attracting victims by dangling something in front of them
    ■ Vishing
      ■ Uses an IVR system to trick victims into giving passwords
    ■ Pretexting
      ■ Someone impersonates an authority figure
    ■ Quid Pro Quo
      ■ A request for information in exchange for compensation
    ■ Tailgating
      ■ Someone follows you into a restricted area
● File Extensions
  ○ Can be up to 255 characters long
  ○ Only the last file extension counts
  ○ File icons can be changed too
● Insider Threats
  ○ Patterns
    ■ Remote access at odd times
    ■ Unnecessarily copying material
    ■ Works odd hours w/o authorization
  ○ Countermeasures
    ■ Monitor logs & accounts
    ■ Control external access & data downloads
    ■ Protect critical information
● Phishing
  ○ The attempt to acquire sensitive information by masquerading as a trustworthy entity
    ■ Common types
      ■ General phishing
      ■ Spear phishing
  ○ Most phishing is through email
● Bots
  ○ Botnet
    ■ An army of compromised machines that are under the command & control of a bot master
    ■ Exploits
      ■ DDOS
      ■ Spyware
      ■ Identity Theft
      ■ Adware
      ■ Email Spam
      ■ Phishing
    ■ Mitigation
      ■ Data monitoring
      ■ Anomaly detection

Lesson 7.3: Malicious Web Activity (SC)

Skills Learned From This Lesson: Web Attacks, Malicious Activity Countermeasures, Analysis of Malware, Malware Mitigation

● Attacks
  ○ XSS
    ■ Cross-Site Scripting
    ■ A vulnerability is found on a website that allows an attacker to inject malicious code into an application
  ○ Zero-Day Exploits
    ■ An attack that exploits a previously unknown vulnerability
  ○ APT
    ■ Advanced Persistent Threats
    ■ Uses multiple phases to break in, avoid detection, and collect information for a long period of time
    ■ The Five Stages of an APT attack
      ■ Reconnaissance
      ■ Incursion
      ■ Discovery
      ■ Capture
      ■ Exfiltration
  ○ Brute Force
    ■ The act of trying every possible combination of passwords until the correct one is found
● Payloads
  ○ Backdoor Trojans
    ■ Programs that share the primary functionality of enabling a remote attacker to have access to a compromised computer
  ○ Man-in-the-Middle Malcode
    ■ An attacker gets in the middle of a conversation between parties & gains access to the information they were trying to send to each other
● Malicious Activity Countermeasures
  ○ Third party certifications: use products which are certified by a third party
    ■ AV-TEST
  ○ Inspection of processes
    ■ Look for new or unexpected processes
    ■ Explorer.exe
  ○ Inspection of Windows Registry
    ■ Database that stores OS settings
● Behavioral Analysis of Malware
  ○ Static file analysis
    ■ Looking at file details & characteristics to identify & investigate code
    ■ File properties
      ■ File size & time stamp
    ■ Hash
      ■ Determines if a file has been modified
    ■ Hex editor
      ■ Looks at the bits of a file to see information
  ○ Virtual environments
● Malware mitigation
  ○ Strategic
    ■ Management support
    ■ Defense-in-depth
    ■ Incident Response teams (CERT)
  ○ Tactical
    ■ Hardening systems
    ■ Backing up data
    ■ Using security tools

Lesson 7.4: Cloud Security (SC)

Skills Learned From This Lesson: Cloud Characteristics, Virtualization, Data Storage, Data Loss Prevention

● Essential Characteristics
  ○ On-Demand self service
  ○ Broad network access
    ■ Able to access the cloud anywhere around the world
  ○ Resource pooling
  ○ Rapid elasticity
    ■ Set and get more resources in the cloud, as soon as possible
  ○ Measured service
● Deployment Models
  ○ Public
    ■ Open for use by the public
    ■ Ex.
      ■ Amazon, Microsoft, Google
  ○ Private
    ■ Used by a single organization
  ○ Hybrid
    ■ Combines two or more different cloud infrastructures
  ○ Community
    ■ Used by a group of organizations that have shared concerns
● Service Models
  ○ SaaS
    ■ Software as a Service
    ■ Directed toward End Users
    ■ Applications are run on the cloud
    ■ Hosted Application Management (hosted AM)
    ■ Software on Demand
  ○ PaaS
    ■ Platform as a Service
    ■ Mainly for Developers
    ■ Capability for the user to develop applications on the cloud
  ○ IaaS
    ■ Infrastructure as a Service
    ■ Mainly used by IT professionals
    ■ Fundamental resources are available for the user to run applications
● Virtualization
  ○ The foundation for a scalable cloud & the first step for building infrastructure
  ○ Hypervisor
    ■ A piece of software, hardware, or firmware that runs virtual machines
    ■ Type 1: Native or Bare-Metal
    ■ Type 2: Hosted
● Types of Virtualization
  ○ Server virtualization
    ■ Multiple OS can run on one server
  ○ Network virtualization
    ■ Reproduction of a physical network in software
  ○ Desktop virtualization
    ■ Deploying desktops
  ○ Application virtualization
    ■ Applications as a managed service
  ○ Storage virtualization
    ■ Abstracts disks & flash drives
● Legal & Privacy Concerns
  ○ Applicable law
    ■ Determines the legal regime applicable to a certain matter
  ○ Jurisdiction
    ■ Determines the ability of a national court to decide a case or enforce a judgment or order
● Cloud Storage
  ○ IaaS
    ■ Infrastructure as a Service
    ■ Volume storage
      ■ A virtual hard drive
    ■ Object storage
      ■ A file share accessed via APIs or a web interface
  ○ PaaS
    ■ Platform as a Service
    ■ Structured
      ■ Information with a high degree of organization
    ■ Unstructured
      ■ Information that does not reside in a database
  ○ SaaS
    ■ Software as a Service
    ■ Information Storage & Management
      ■ Utilizes databases
    ■ Content/File Storage
      ■ Utilizes object/volume storage
● Data Loss Prevention
  ○ Cloud storage is subject to leakage
    ■ Administrator access
    ■ Configuration changes
    ■ Lack of controls
  ○ DLP attempts to protect the data through
    ■ Discovery & classification
    ■ Monitoring
    ■ Enforcement

Lesson 7.5: Encryption in the Cloud (SC)
Skills Learned From This Lesson: Cloud Encryption, Data Protection, Software Defined Network
● Cloud Encryption
  ○ Encryption implementation at various phases
    ■ Data in motion
      ■ IPsec
      ■ VPN
      ■ TLS/SSL
    ■ Data at rest
    ■ Data in use
  ○ Components of cloud encryption
    ■ Data which needs to be encrypted
    ■ Encryption engine
    ■ Encryption keys
● Data Encryption in IaaS
  ○ In IaaS, responsibility for encryption falls on the cloud customer
  ○ Volume Storage Encryption
    ■ Instance-based
      ■ The encryption engine is located in the instance
    ■ Proxy-based
      ■ Encryption is done on a proxy appliance
  ○ Object Storage Encryption
    ■ File-level encryption
      ■ Files are encrypted
    ■ Application-level encryption
      ■ The encryption engine is in the application
● Other Approaches to Data Protection
  ○ Data Masking/Obfuscation
    ■ Random Substitution
      ■ A value is replaced with a random value
    ■ Shuffle
      ■ Moves the order of values
    ■ Masking
      ■ Hiding certain parts of the data
      ■ Ex. xxxx xxxx xx98 6346
    ■ Deletion
      ■ Removing the data
  ○ Data Anonymization
    ■ Personal information is removed
  ○ Tokenization
    ■ Substituting a sensitive data element with a non-sensitive one
● Virtual Environments
  ○ Software-Defined Network
    ■ Centralized network control achieved by separating the control functions from the underlying computing and network resources
    ■ Controllers
      ■ The "brains" of the network
    ■ Southbound APIs
      ■ Relay information to routers & switches
    ■ Northbound APIs
      ■ Send information to applications
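The masking, random substitution, shuffle and tokenization approaches listed under "Other Approaches to Data Protection" above, worked through on a constructed card number. This is an added example, not code from the study guide; the sample value is made up and TokenVault is a hypothetical in-memory stand-in for a real token vault.

```python
# Added example (not from the study guide): the masking/obfuscation and
# tokenization approaches from Lesson 7.5 applied to a constructed card
# number (not a real one); TokenVault is a hypothetical in-memory stand-in.
import random
import secrets

SAMPLE_PAN = "4111 1111 1198 6346"   # constructed sample value

def mask(value: str, keep_last: int = 6) -> str:
    """Masking: hide all but the last digits (xxxx xxxx xx98 6346)."""
    n_hide = sum(c.isdigit() for c in value) - keep_last
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            out.append("x" if seen < n_hide else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def random_substitution(value: str, seed=None) -> str:
    """Random substitution: each digit is replaced with a random digit."""
    rng = random.Random(seed)
    return "".join(str(rng.randrange(10)) if c.isdigit() else c for c in value)


def shuffle(value: str, seed=None) -> str:
    """Shuffle: the same digits, moved into a different order."""
    digits = [c for c in value if c.isdigit()]
    random.Random(seed).shuffle(digits)
    it = iter(digits)
    return "".join(next(it) if c.isdigit() else c for c in value)


class TokenVault:
    """Tokenization: swap the value for a random token; mapping stays here."""

    def __init__(self) -> None:
        self._by_value, self._by_token = {}, {}

    def tokenize(self, value: str) -> str:
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)   # reveals nothing about value
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]
```

Masking keeps a recognisable fragment for display, while a token can be passed around freely because only the vault can map it back.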
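Looking back at the static file analysis bullets in Lesson 7.3 above (file size, time stamp, hash, hex view of the bytes), this added example records those properties as a baseline and re-checks them to decide whether a file was modified. It is not code from the study guide; the sample file is constructed in a temporary directory.

```python
# Added example (not from the study guide): the static file properties the
# 'Behavioral Analysis of Malware' bullets list (size, time stamp, hash,
# hex view of the leading bytes) recorded as a baseline and re-checked later.
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Hash: any change to the content produces a different digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hex_head(path: str, n: int = 16) -> str:
    """What a hex editor shows first: the leading bytes (e.g. 'MZ' = 4d 5a)."""
    with open(path, "rb") as f:
        return f.read(n).hex(" ")


def file_properties(path: str) -> dict:
    """Collect the properties used for a baseline of the file."""
    st = os.stat(path)
    return {"size": st.st_size, "mtime": st.st_mtime,
            "sha256": sha256_of(path), "head": hex_head(path)}


def changed_fields(baseline: dict, current: dict) -> list:
    """Names of properties that differ; the hash is authoritative, since size
    and time stamp can stay the same after a modification."""
    return [k for k in baseline if baseline[k] != current[k]]


def demo() -> list:
    """Constructed scenario: baseline a fake executable, overwrite part of it
    with a same-length payload, and see which properties reveal the change."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        with open(path, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"original payload")
        baseline = file_properties(path)
        with open(path, "r+b") as f:
            f.seek(64)
            f.write(b"modified payload")   # same size, same header bytes
        return changed_fields(baseline, file_properties(path))
```

Running demo() shows that only the hash (and usually the time stamp) changes, which is why the guide singles out the hash as the property that determines whether a file has been modified.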
