CC Chapter 1
Lecture notes
Welcome to the First Chapter.
➢ Domain 1: What we will be covering.

This chapter is VERY important because:
▪ Every other knowledge domain build on top of this chapter.
▪ This is the foundation.

We will cover:
▪ The differences between Information security, IT Security, and Cybersecurity.
▪ The CIA triad and IAAA.
▪ Privacy.
▪ Risk and incident management.
▪ Access control.
▪ Governance, management, laws, and regulations.
▪ The ISC2 ethics.
 Information Security, IT Security, and Cybersecurity:



Information Security is all our information:
▪ Paper documents, voice information, data, the knowledge people have, …
IT Security is all our hard/software, and data:
▪ Computers, servers, networks, hardware, software, firmware, and data being
processed, stored, and communicated.
Cybersecurity is everything from IT Security that is accessible from the internet.
 The CIA Triad: Confidentiality, Integrity and Availability:

This is the foundation of IT/IS security.
▪ Confidentiality

This is what most people think IT Security is.

We keep our data and secrets secret.

We ensure no one unauthorized can access
the data.
▪ Integrity

How we protect against modifications of the
data and the systems.

We ensure the data has not been altered.
▪ Availability

We ensure authorized people can access the data they need when they
need to.

Confidentiality, Integrity, and Availability.
▪ We use:

Encryption for data at rest (for instance AES256), full disk encryption.

Secure transport encryption protocols for data in motion. (SSL, TLS or
IPSEC).
1|Page
https://thorteaches.com/
CC Chapter 1
Lecture notes

▪
Best practices for data in use - clean desk, no shoulder surfing, screen
view angle protector, PC locking (automatic and when leaving).

Strong passwords, multi-factor authentication, masking, access control,
need-to-know, least privilege.
Threats:

Attacks on your encryption (cryptanalysis).

Social engineering.

Key loggers (software/hardware), cameras, steganography.

IOT (Internet of Things) – The growing number of connected devices we
have pose a new threat, they can be a backdoor to other systems.

Confidentiality, Integrity, and Availability.
▪ We use:

Cryptography (again).

Check sums (This could be CRC).

Message Digests also known as a hash (This could be MD5, SHA1 or
SHA2).

Digital Signatures – non-repudiation.

Access control.
▪ Threats:

Alterations of our data.

Code injections.

Attacks on your encryption (cryptanalysis).

Confidentiality, Integrity, and Availability.
▪ We use:

IPS/IDS.

Patch Management.

Redundancy on hardware power (Multiple power
supplies/UPS’s/generators), Disks (RAID), Traffic paths (Network
design), HVAC, staff, HA (high availability) and much
more.

SLA’s – How much uptime do we want (99.9%?) –
(ROI)
▪

Threats:

Malicious attacks (DDOS, physical, system
compromise, staff).

Application failures (errors in the code).

Component failure (Hardware).
Disclosure, Alteration, and Destruction
▪ The opposite of the CIA Triad is DAD.

Disclosure – Someone not authorized
getting access to your information.

Alteration – Your data has been changed.
2|Page
https://thorteaches.com/
CC Chapter 1


Lecture notes
Destruction – Your data or systems have been destroyed or rendered
inaccessible.
IAAA (Identification and Authentication, Authorization and Accountability):


Identification
▪ Your name, username, ID number, employee number, SSN etc.
▪ “I am Thor”.
Authentication
▪ “Prove you are Thor”. – Should always be done with multi-factor
authentication!

Something you know - Type 1 Authentication (passwords, pass phrase,
PIN, etc.).

Something you have - Type 2 Authentication (ID, passport, smart card,
token, cookie on PC, etc.).

Something you are - Type 3 Authentication (and Biometrics)
(Fingerprint, iris scan, facial geometry, etc.).
▪
Something you know - Type 1 Authentication:
⬧ Passwords, pass phrase, PIN etc., also called Knowledge factors.
⬧ The subject uses these to authenticate their identity, if they know the
secret, they must be who they say they are.
⬧ This is the most commonly used form of authentication, and a password
is the most common knowledge factor.
⬧ The user is required to prove knowledge of a secret in order to
authenticate.
⬧ Variations include both longer ones formed from multiple words (a
passphrase) and the shorter purely numeric PINs (personal
identification number) commonly used for cash machines (ATM’s).
⬧ It is the weakest form of authentication and can easily be compromised.
⬧ Secret questions like "Where were you born?" are poor examples of a
knowledge factor, it is known by a lot of people and can often be
researched easily.
▫ Sarah Palin had her email account hacked during the 2008 US
Presidential campaign using her secret questions. Since she
used basic ones (high school and birthday, …) the hackers could
easily find that information online, he reset her password with
the information and gained full control of her email account.
⬧
Passwords:
▫ It is always easier to guess or steal passwords than it is to break
the encryption.
▫ We have password policies to ensure they are as secure as
possible.
3|Page
https://thorteaches.com/
CC Chapter 1
▫
▫
▫
▫
▫
▫
⬧
Lecture notes
→ They should contain minimum length, upper/lower case
letters, numbers, and symbols, they should not contain
full words or other easy to guess phrases.
→ They have an expiration date, password reuse policy
and minimum use before users can change it again.
→ Common and less secure passwords often contain:
• The name of a pet, child, family member,
significant other, anniversary dates, birthdays,
birthplace, favorite holiday, something related
to a favorite sports team, or the word
"password".
• Winter2023 is not a good password, even if it
does fulfil the password requirements.
Key Stretching – Adding 1-2 seconds to password verification.
If an attacker is brute forcing a password and needs millions of
tries it will become an unfeasible attack.
Brute Force Attacks (Limit number of wrong logins):
Uses the entire key space (every possible key), with enough
time any ciphertext can be decrypted.
Effective against all key based ciphers except the one-time pad,
it would eventually decrypt it, but it would also generate so
many false positives the data would be useless.
Clipping Levels: Clipping levels are in place to prevent
administrative overhead.
→ It allows authorized users who forget or mistype their
password to still have a couple of extra tries.
→ It prevents password guessing by locking the user
account for a certain timeframe (an hour), or until
unlocked by an administrator.
Password Management:
▫ We covered some password requirements, here are the official
recommendations by the U.S. Department of Defense and
Microsoft.
→ Password history = set to remember 24 passwords.
→ Maximum password age = 90 days.
→ Minimum password age = 2 days (to prevent users from
cycling through 24 passwords to return to their favorite
password again).
→ Minimum password length = 14 characters.
→ Passwords must meet complexity requirements = true.
→ Store password using reversible encryption = false.
4|Page
https://thorteaches.com/
CC Chapter 1
▪
Lecture notes
Something you have - Type 2 Authentication:
⬧ ID, passport, smart card, token, cookie on PC, these are called
Possession factors.
▫ The subject uses these to authenticate their identity, if they
have the item, they must be who they say they are.
▫ Simple forms can be credit cards, you have the card, and you
know the pin, that is multifactor authentication.
▫ Most also assume a shared trust, you have your passport, it
looks like you on the picture, we trust the issuer, so we assume
the passport is real.
⬧ Single-Use Passwords:
▫ Having passwords which are only valid once makes many
potential attacks ineffective, just like one-time pads.
▫ While they are passwords, it is something you have in your
possession, not something you know.
▫ Some are one-time-pads with a challenge-response or just a pin
or phase sent to your phone or email you need to enter to
confirm the transaction or the login.
▫ Most users find single use passwords extremely inconvenient.
⬧ They are widely implemented in online banking, where they are known
as TANs (Transaction Authentication Numbers).
▫ Most private users only do a few transactions each week, the
single-use passwords has not led to customers refusing to use
it.
→ It is their money; they actually care about keeping those
safe.
⬧ Smart Cards and Tokens (contact or contactless):
▫ They contain a computer circuit using an ICC (Integrated Circuit
Chip).
▫ Contact Cards - Inserted into a machine to be read.
→ This can be credit cards you insert into the chip reader
or the DOD CAC (Common Access Card).
▫ Contactless Cards - can be read by proximity.
→ Key fobs or credit cards where you just hold it close to a
reader.
→ They use a RFID (Radio Frequency Identification) tag
(transponder) which is then read by a RFID Transceiver.
5|Page
https://thorteaches.com/
CC Chapter 1
▫
⬧
▪
▪
Lecture notes
Magnetic Stripe Cards:
→ Swiped through a reader, no circuit.
→ Very easy to duplicate.
Tokens:
▫ HOTP and TOTP can be either hardware or software based.
▫ Cellphone software applications are more common now.
→ HOTP (HMAC-based One-Time Password):
• Shared secret and incremental counter,
generate code when asked, valid till used.
→ TOTP (Time-based One-Time Password):
• Time based with shared secret, often generated
every 30 or 60 seconds, synchronized clocks are
critical.
Something you are - Type 3 Authentication (Biometrics):
⬧ Fingerprint, iris scan, facial geometry etc., these are also called realistic
authentication.
▫ The subject uses these to authenticate
their identity, if they are that, they must
be who they say they are.
▫ Something that is unique to you, this one
comes with more issues than the two
other common authentication factors.
▫ We can allow unauthorized people into
our facilities or systems if we accept
someone by mistake. (False Accept)
▫ We can prevent our authorized people
from entering our facilities if we refuse
them by mistake. (False Reject).
Errors for Biometric Authentication:
⬧ FRR (False rejection rate)
Type 1 error:
▫ Authorized users are
rejected.
▫ This can be too high
settings - 99%
accuracy on
biometrics.
6|Page
https://thorteaches.com/
CC Chapter 1
⬧
⬧
Lecture notes
FAR (False accept rate) Type 2 error:
▫ Unauthorized user is granted access.
▫ This is a very serious error.
We want a good mix of FRR and FAR where they meet on the graph is
the CER (Crossover Error Rate), this is where we want to be.
▪
Biometric identifiers are often categorized as physiological and behavioral
characteristics.
⬧ Physiological Characteristics uses the shape of the body, these do not
change unless a drastic event occurs.
▫ Fingerprint, palm veins, facial recognition, DNA, palm print,
hand geometry, iris recognition, retina, and odor.
⬧ Behavioral Characteristics uses the pattern of behavior of a person,
these can change, but most often revert back to the baseline.
▫ Typing rhythm, how you walk, signature and voice.
▪
Issues with Biometric Authentication:
⬧ We also need to respect and protect our employee’s privacy:
▫ Some fingerprint patterns are related to chromosomal diseases.
▫ Iris patterns could reveal genetic sex, retina scans can show if a
person is pregnant or diabetic.
⬧ Hand vein patterns could reveal vascular diseases.
⬧ Most behavioral biometrics could reveal neurological diseases, etc.
⬧ While passwords and smart cards should be safe because you keep
them a secret and secure, biometrics is inherently not and something
others can easily find out.
⬧ Attackers can take pictures of your face, your fingerprints, your hands,
your ears and print good enough copies to get past a biometric scan.
⬧ It is possible to copy fingerprints from your high-resolution social media
posts if you do a peace sign like the one on the right here.
⬧ How you type, sign your name and your voice pattern can be recorded,
also not too difficult to cheat biometrics if it is worth the effort.
⬧ Some types are still inherently more secure, but they are often also
more invasive.
⬧ Lost passwords and ID cards can be replaced with new different ones,
biometrics can’t.
⬧ Which should make us question even more the mass collection of
biometric data.
▫ When Home Depot loses 10 million credit card numbers it is
bad, but they can be reissued.
▫ The US Office of Personnel Management got hacked and lost 5.6
million federal employees’ fingerprints.
7|Page
https://thorteaches.com/
CC Chapter 1
▫
▫

Lecture notes
The FBI has a database with 52 million facial images and
Homeland Security and U.S. Customs and Border Patrol is
working on adding the iris scans and 170 million foreigner
fingerprints to the FBI’s database.
The compromises of the future will have much more widereaching ramifications than the ones we have seen until now.
Authorization
▪ What are you allowed to access?
▪ We use Access Control models. What and
how we implement depends on the
organization and what our security goals
are.
▪ More on this in later when we cover DAC,
MAC, RBAC, ABAC, and RUBAC.
▪
Least Privilege and Need to Know.

Least Privilege – (Minimum necessary access) Give users/systems
exactly the access they need, no more, no less.

Need to Know – Even if you have access, if you do not need to know,
then you should not access the data.
▪
DAC (Discretionary Access Control) - Often used when Availability is most
important:
⬧ Access to an object is assigned at the discretion of the object owner.
⬧ The owner can add, remove rights, commonly used by most OS's’.
⬧ Uses DACL’s (Discretionary ACL), based on user identity.
▪
MAC (Mandatory Access Control) - Often used when Confidentiality is most
important:
⬧ Access to an object is determined by labels and clearance, this is often
used in the military or in organizations where confidentiality is very
important.
⬧ Labels: Objects have Labels assigned to them; the subject's clearance
must dominate the object's label.
▫ The label is used to allow Subjects with the right clearance
access them.
▫ Labels are often more granular than just “Top Secret”, they can
be “Top Secret – Nuclear”.
8|Page
https://thorteaches.com/
CC Chapter 1
⬧
▪
Clearance: Subjects have Clearance assigned to them.
▫ Based on a formal decision on a subject's current and future
trustworthiness.
▫ The higher the clearance the more in depth the background
checks should be.
RBAC (Role-Based Access Control) - Often used when Integrity is most
important:
⬧ Policy neutral access control mechanism defined around roles and
privileges.
⬧
⬧
⬧
⬧
▪
Lecture notes
A role is assigned permissions, and subjects in that role are added to the
group, if they move to another position they are moved to the
permissions group for that position.
It makes administration of 1,000's of users and 10,000's of permissions
much easier to manage.
The most commonly used form of access control.
If implemented right, it can also enforce separation of duties and
prevent authorization/privilege creep.
▫ We move employees
transferring within the
organization from one role to
another and we do not just
add the new role to the old
one.
ABAC (Attribute-Based Access Control):
⬧ Access to objects is granted based on
subjects, objects, AND environmental
conditions.
⬧ Attributes could be:
9|Page
https://thorteaches.com/
CC Chapter 1
⬧
⬧
▪
▪
•
Lecture notes
▫ Subject (user) – Name, role, ID, clearance, etc.
▫ Object (resource) – Name, owner, and date of creation.
▫ Environment – Location and/or time of access, and threat levels.
Expected to be used by 70% of large enterprises within the next 5 years,
versus around 25% today.
Can also be referred to as policy-based access control (PBAC) or claimsbased access control (CBAC).
Context-Based Access Control:
⬧ Access to an object is controlled based on certain contextual
parameters, such as location, time, sequence of responses, access
history.
⬧ Providing the username and password combination followed by a
challenge and response mechanism such as CAPTCHA, filtering the
access based on MAC addresses on wireless, or a firewall filtering the
data based on packet analysis are all examples of context-dependent
access control mechanisms.
Content-Based Access Control:
⬧ Access is provided based on the attributes or content of an object, then
it is known as a content-dependent access control.
⬧ In this type of control, the value and attributes of the content that is
being accessed determine the control requirements.
⬧ Hiding or showing menus in an application, views in databases, and
access to confidential information are all content-dependent.
Accountability (often referred to as Auditing):
▪ Traces an Action to a Subject's Identity:
⬧ Proves who performed given action, it
provides non-repudiation.
⬧ Group or shared accounts are never OK,
they have zero accountability.
⬧ Uses audit trails and logs, to associate a
subject with its actions.
▪
▪
Non-repudiation.

A user cannot deny having performed a
certain action. This uses both
Authentication and Integrity.
Subject and Object.

Subject – (Active) Most often users but
can also be programs – Subject
manipulates Object.
10 | P a g e
https://thorteaches.com/
CC Chapter 1


Lecture notes
Object – (Passive) Any passive data (both physical paper and data) –
Object is manipulated by Subject.
Some can be both at different times, an active program is a subject;
when closed, the data in program can be object.
 Privacy:
•
Privacy is a human right.
▪ A definition of Privacy:
1. The state or condition of being free from being observed or disturbed by
other people.
2.
Freedom from unauthorized intrusion.
•
You as a citizen and consumer have the right that your Personally Identifiable
Information (PII) is being kept securely.
US privacy regulation is a patchwork of laws, some overlapping and some areas with no
real protection.
EU Law – Strict protection on what is gathered, how it is used and stored.
•
•

Risk Management:

•
•
•
•

Risk Management - Identification:
Risk = Threat * Vulnerability (or likelihood).
We can also use Risk = Threat * Vulnerability *
Impact.
Total Risk = Threat * Vulnerability * Asset Value.
Residual Risk = Total Risk – Countermeasures.
Threat – A potentially harmful incident.
Vulnerability – A weakness that can allow the Threat to do
harm.
Due Diligence: Doing the research before implementation.
DD – Do Detect
Due Care: It is the implementation. DC - Do Correct
The Risk Management lifecycle is iterative.
Identify our Risk Management team.
▪ What is in and what is out of scope?
▪ Which methods are we using?
▪ Which tools are we using?
▪ What are the acceptable risk levels, which type of risk appetite do we have in
our enterprise?
▪ Identify our assets.

Tangible: Physical hardware, buildings, anything you can touch.

Intangible: Data, trade secrets, reputation, etc.
11 | P a g e
https://thorteaches.com/
CC Chapter 1
Lecture notes

Risk Assessment.
▪ Quantitative and Qualitative Risk
Analysis.
▪ Uncertainty analysis.
▪ Everything is done using cost-benefit
analysis.
▪ Risk Mitigation/Risk Transference/Risk
Acceptance/Risk Avoidance.
▪ Risk Rejection is NEVER acceptable.
▪ We assess the current countermeasures.

Are they good enough?

Do we need to improve on them?

Do we need to implement
entirely new countermeasures?

Qualitative vs. Quantitative Risk Analysis.
▪ For any Risk analysis we need to identify our assets. What are we protecting?
▪ Qualitative Risk Analysis – How likely is it to happen and how bad is it if it
happens?
▪ Quantitative Risk Analysis – What will it actually cost us in $? This is fact-based
analysis, Total $ value of asset, math is involved.

Qualitative Risk Analysis with the Risk
Analysis Matrix.
Let’s pick an asset, a laptop.
▪ How likely is one to get stolen or
left somewhere?
I would think possible or likely.
▪ How bad is it if it happens?
That really depends on a couple of things:

Is it encrypted?
Where the L, M, H, E is for your organization can be different from this.

Does it contain classified or
L = Low, M = Medium, H = High, E = Extreme Risk
PII/PHI content?
▪
Let’s say it is likely and a minor issue, that puts the loss the high-risk category.
▪ It is normal to move high and extreme on the quantitative risk analysis. If
mitigation is implemented, we can maybe move the risk level to “Low” or
“Medium”.

▪
▪
▪
A risk category to group similar risks.
The risk breakdown structure identification number.
A brief description or name of the risk to make the risk easy to discuss.
12 | P a g e
https://thorteaches.com/
CC Chapter 1
▪
▪
▪
▪

Lecture notes
The impact (or consequence) if event actually
occurs rated on an integer scale.
The probability or likelihood of
its occurrence rated
on an integer scale.
The Risk Score (or Risk Rating)
is the multiplication
of Probability and Impact, and
is often used to rank
the risks.
Common mitigation steps (e.g.
within IT projects)

Identify

Analyze

Plan Response

Monitor

Control
Quantitative Risk Analysis
▪ This is where we put a number on our assets and risks.
▪ We find the asset’s value: How much of it is compromised, how much one
incident will cost, how often the incident occurs and how much that is per year.

Asset Value (AV) – How much is the asset worth?

Exposure factor (EF) – Percentage of Asset lost?

Single Loss Expectancy (SLE) = (AV x EF) – What does it cost if it happens
once?

Annual Rate of Occurrence (ARO) – How often will this happen each
year?

Annualized Loss Expectancy (ALE) – This is what it costs per year if we
do nothing.

Total Cost of Ownership (TCO) – The mitigation cost: upfront + ongoing
cost (Normally Operational
Let’s look at a few examples.
• Asset Value (AV) = The Laptop ($1,000) + PII ($10,000) per loss.
• Exposure factor (EF) = It is a 100% loss, it is gone.
• Single Loss Expectancy (SLE) = (AV x EF) = Loss per laptop is $11,000 x 100%.
• Annual Rate of Occurrence (ARO) = The organization loses 25 Laptops Per Year.
• Annualized Loss Expectancy (ALE) = The annualized loss is $275,000
• Total Cost of Ownership (TCO) = $100,000

Types of risk responses:
▪ Accept the Risk – We know the risk is there, but the mitigation is more costly
than the cost of the risk (Low risks).
13 | P a g e
https://thorteaches.com/
CC Chapter 1
▪
▪
▪
▪
▪




Lecture notes
Mitigate the Risk (Reduction) – The laptop encryption/wipe is an example –
acceptable level (Leftover risk = Residual).
Transfer the Risk – The insurance risk approach.
Risk Avoidance – We don’t issue employees laptops (if possible) or we build the
data center in an area that doesn’t flood.
Risk Rejection – You know the risk is there, but you are ignoring it. This is never
acceptable. (You are liable).
Secondary Risk – Mitigating one risk may open up another risk.
KGI (Key Goal Indicator):
▪ Define measures that tell management, after the fact—whether an IT process
has achieved its business requirements.
KPI (Key Performance Indicators):
▪ Define measures that determine how well the IT process is performing in
enabling the goal to be reached.
KRI (Key Risk Indicators):
▪ Metrics that demonstrate the risks that an organization is facing or how risky an
activity is.
▪ They are the mainstay of measuring adherence to and establishing enterprise
risk appetite.
▪ Key risk indicators are metrics used by
organizations to provide an early signal of
increasing risk exposures in various areas of the
enterprise.
▪ KRI give an early warning to identify potential
event that may harm continuity of the
activity/project.
Risk Response and Mitigation
▪ Risk mitigation, transference, acceptance, or
avoidance.
▪ We act on senior management choices, which
they made based on our recommendations
from the assessment phase.
▪ Do we stop issuing laptops, or do we add full-disk encryption and remote wipe
capabilities?
▪ Update the risk register, with the mitigations, and the risk responses.
14 | P a g e
https://thorteaches.com/
CC Chapter 1

Lecture notes
Risk and Control Monitoring and Reporting
▪ The process is ongoing, we have to keep
monitoring both the risk and the controls we
implemented.
▪ This is where we could use the KRIs (Key Risk
Indicators)
▪ We would also use KPIs (Key Performance
Indicators)
▪ It is normal to do the Risk Management
lifecycle on an annual basis and do out-ofcycle Risk Management on critical items.
 Access Control Categories and Types:
•
Access Control Categories:
▪ Administrative (Directive) Controls:
⬧ Organizational policies and procedures.
⬧ Regulation.
⬧ Training and awareness.
▪ Technical (Logical) Controls:
⬧ Hardware/software/firmware – Firewalls, routers, encryption.
▪ Physical Controls:
⬧ Locks, fences, guards, dogs, gates, bollards.
•
Access Control Types:
▪ Access Control Types (Many can be multiple types – On the exam look at
question content to see which type it is).
⬧ Preventative:
▫ Prevents action from happening – Least privilege, drug tests,
IPS, firewalls, encryption.
⬧ Detective:
▫ Controls that Detect during or after an attack – IDS, CCTV,
alarms, anti-virus.
⬧ Corrective:
▫ Controls that Correct an attack – Anti-virus, patches, IPS.
⬧ Recovery:
▫ Controls that help us Recover after an attack – DR Environment,
backups, HA Environments.
⬧ Deterrent:
▫ Controls that Deter an attack – Fences, security guards, dogs,
lights, Beware of the dog signs.
⬧ Compensating:
▫ Controls that Compensate – When other controls are impossible
or too costly to implement.
15 | P a g e
https://thorteaches.com/
CC Chapter 1

Lecture notes
The Ethics of your organization and (ISC)2:

ISC² Code of Ethics
▪ You agree to this before the exam, and the code of ethics is very testable.
▪ Understand the preamble and the 4 ethics canons, but they should not be a
substitute for the ethical judgment of the professional.
▪ Code of Ethics Preamble:

The safety and welfare of society and the common good, duty to our
principles, and to each other, requires that we adhere, and be seen to
adhere, to the highest ethical standards of behavior.

Therefore, strict adherence to this code is a condition of certification.
▪ Code of Ethics Canons:

Protect society, the common good, necessary public trust and
confidence, and the infrastructure.

Act honorably, honestly, justly, responsibly, and legally.

Provide diligent and competent service to principles.

Advance and protect the profession.
▪ Computer Ethics Institute:

Thou shalt not use a computer to harm other people.

Thou shalt not interfere with other people’s computer work.

Thou shalt not snoop around in other people’s computer files.

Thou shalt not use a computer to steal.

Thou shalt not use a computer to bear false witness.

Thou shalt not copy or use proprietary software for which you have not
paid.

Thou shalt not use other people's’ computer resources without
authorization or proper compensation.

Thou shalt not appropriate other people's’ intellectual output.

Thou shalt think about the social consequences of the program you are
writing or the system you are designing.

Thou shalt always use a computer in ways that ensure consideration
and respect for your fellow humans.

Your Organization’s Ethics:
▪ You need to know the Internal Code of Ethics of your organization
▪ If you don’t, how can you adhere to it?
16 | P a g e
https://thorteaches.com/
CC Chapter 1
Lecture notes
 Governance vs. Management:
▪

Governance – This is C-level Executives.

Stakeholder’s needs, conditions and options are evaluated to define:
 Balanced agreed-upon enterprise objectives to be achieved.
 Setting direction through
prioritization and
decision making.
 Monitoring
performance and
compliance against
agreed-upon
direction and
objectives.
 Risk appetite –
Aggressive, neutral,
adverse.
▪ Management – How do we get to the destination.

Plans, builds, runs, and monitors activities in alignment with the
direction set by the governance to achieve the objectives.

Risk tolerance – How are we going to practically work with our risk
appetite and our environment.
C-Level Executives (Senior
Leadership) – Ultimately Liable.
▪ CEO: Chief Executive
Officer.
▪ CIO: Chief Information
Officer.
▪ CTO: Chief Technology
Officer.
▪ CSO: Chief Security
Officer.
▪ CISO: Chief Information
Security Officer.
▪ CFO: Chief Financial
Officer.
▪ Normal organizations
obviously have more CLevel executives, the
ones listed here you need to know.
17 | P a g e
https://thorteaches.com/
CC Chapter 1

Lecture notes
Laws and Regulations:

There are a handful types of laws covered on the exam and important to your job as an
IT Security Professional.
▪ Criminal Law:

“Society” is the victim and proof must be “Beyond a reasonable doubt”.

Incarceration, death, and financial fines to “Punish and deter”.
▪ Civil Law (Tort Law):

Individuals, groups or organizations are the victims and proof must be
”The majority of proof”.

Financial fines to “Compensate the victim(s)”.
▪ Administrative Law (Regulatory Law):

Laws enacted by government agencies (FDA Laws, HIPAA, FAA Laws,
etc.)
▪ Private Regulations:

Compliance is required by contract (For instance PCI-DSS).
▪ Customary Law:

Mostly handles personal conduct and patterns of behavior and it is
founded in traditions and customs of the area or region.
▪ Religious Law:

Based on the religious beliefs in that area or country, they often include
a code of ethics and moralities which are required to be upheld.

Rules, Regulations and Laws:
▪ HIPAA: Health Insurance Portability and Accountability Act.

Strict privacy and security rules on handling of PHI (Protected Health
Information).
▪ Security Breach Notification Laws.

NOT Federal, all 50 states have individual laws, know your state.
▪ Electronic Communications Privacy Act (ECPA):

Protection of electronic communications against warrantless
wiretapping.

The Act was weakened by the Patriot Act.
▪ PATRIOT Act of 2001:

Expands law enforcement electronic monitoring capabilities.

Allows search and seizure without immediate disclosure.
▪ Computer Fraud and Abuse Act (CFAA) – Title 18 Section 1030:

Most commonly used law to prosecute computer crimes.
▪ Payment Card Industry Data Security Standard (PCI-DSS)

Technically not a law, created by the payment card industry.

The standard applies to cardholder data for both credit and debit cards.

Requires merchants and others to meet a minimum set of security
requirements.

Mandates security policy, devices, control techniques, and monitoring.

NOT Federal, all 50 states have individual laws, know your state.
18 | P a g e
https://thorteaches.com/
CC Chapter 1

GDPR
▪
▪
▪
▪
▪
▪
▪
▪
▪
▪
▪

Lecture notes
GDPR is a regulation in EU law on data protection and privacy for all individuals
within the European Union (EU) and the European Economic Area (EEA).
It does not matter where we are based, if we have customers in EU/EEA we
have to adhere to the GDPR.
Violators of the GDPR may be fined up to €20 million or up to 4% of the annual
worldwide turnover of the preceding financial year in case of an enterprise,
whichever is greater.
Restrictions: Lawful Interception, national security, military, police, justice
system
Right to access: Data controllers must be able to provide a free copy of an
individual’s data if requested.
Personal data: Covers a variety of data types including: Names, Email
Addresses, Addresses, Unsubscribe confirmation URLs that contain email and/or
names, IP Addresses.
Right to erasure: All users have a “right to be forgotten”.
Data portability: All users will be able to request access to their data “in an
electronic format”.
Data breach notification: Users and data controllers must be notified of data
breaches within 72 hours.
Privacy by design: When designing data processes, care must be taken to
ensure personal data is secure. Companies must ensure that only data is
“absolutely necessary for the completion of duties”.
Data protection officers: Companies whose activities involve data processing
and monitoring must appoint a data protection officer.
Information Security Governance: Values, vision, mission, and
plans:

Security governance principles.
▪ Values:

What are our values? Ethics, Principles,
Beliefs.
▪ Vision:

What do we aspire to be? Hope and
Ambition.
▪ Mission:

Who do we do it for? Motivation
and Purpose.
▪ Strategic Objectives:

How are we going to progress?
Plans, goals,
and sequencing.
19 | P a g e
https://thorteaches.com/
CC Chapter 1
Lecture notes
▪
Action & KPIs:

What do we need to do and how do we know when we achieved it?
Actions, Recourses, Outcomes, Owners, and Timeframes.
▪
Policies – Mandatory.

High level, non-specific.

They can contain “Patches, updates, strong
encryption”

They will not be specific to “OS, encryption
type, vendor Technology”
Standards – Mandatory.

Describes a specific use of technology (All
laptops are W10, 64bit, 8gig memory,
etc.)
Guidelines – non-Mandatory.

Recommendations, discretionary –
Suggestions on how you would do it.
Procedures – Mandatory.

Low level step-by-step guides,
specific.

They will contain “OS,
encryption type, vendor
Technology”
▪
▪
▪
20 | P a g e
https://thorteaches.com/
CC Chapter 1
Lecture notes
➢ Domain 1: What we covered.

This chapter is VERY important because:
▪ Every other knowledge domain build on top of this chapter
▪ This is the foundation.

We talked about:
▪ The differences between Information Security, IT Security, and Cybersecurity.
▪ The CIA triad and IAAA.
▪ Privacy.
▪ Risk and incident management.
▪ Access control.
▪ The (ISC)² ethics.
▪ Governance, management, laws, and regulations.
21 | P a g e
https://thorteaches.com/
CC Chapter 2
Lecture notes
Welcome to the Second Chapter.
➢ Domain 2: What we will be covering.




BCP (Business Continuity Plan):
▪ The overarching plan, with many subplans.
▪ This is the process of creating the long-term strategic business plans, policies,
and procedures for continued operation after a disruptive event.
DRP (Disaster Recovery Plan):
▪ Focused on our IT systems.
▪ How do we recover fast enough in a disaster scenario.
▪ DRP has a lifecycle of Mitigation, Preparation, Response and Recovery.
Incident Management:
▪ How we monitor and detect security events on our systems, and how we react
in those events.
BCP - Business Continuity Plan:

Business Continuity Plan (BCP)
▪ This is the process of creating the long-term strategic business plans, policies,
and procedures for continued operation after a disruptive event.
▪ It is for the entire organization, everything that could be impacted, not just IT.
▪ Lists a range of disaster scenarios and the steps the organization must take in
any particular scenario to return to regular operations.
▪ BCPs often contain COOP (Continuity of
Operations Plan), Crisis Communications Plan,
Critical Infrastructure Protection Plan, Cyber
Incident Response Plan, DRP (Disaster Recovery
Plan), ISCP (Information System Contingency
Plan), Occupant Emergency Plan.
▪ We look at what we would do if a critical supplier
closed, the facility was hit by an earthquake,
what if we were snowed in and staff couldn't get
to work, ...
▪ They are written ahead of time, and continually
improved upon, it is an iterative process.
▪ We write the BCP with input from key staff and at
times outside BCP consultants.
1|Page
https://thorteaches.com/
CC Chapter 2
Lecture notes


Senior management needs to be involved and committed to the BCP/DRP process.
They need to be part of at least the initiation and the final approval of the plans.
▪ They are responsible for the plan, they own the plan and since they are
ultimately liable, they must show due-care and due-diligence.
▪ We need top-down IT security in our organization (the exam assumed we have
that).
▪ In serious disasters, it will be Senior Management or someone from our legal
department who should talk to the press.
▪ Most business areas often feel they are the most important area and because of
that their systems and facilities should receive the priority, senior management
being ultimately liable and the leaders of our organization, obviously have the
final say in priorities, implementations, and the plans themselves.
•
Related Plans:
▪ Our BCP being the overarching plan also contains our other plans, including but
not limited to:
▪ COOP (Continuity of Operations Plan):
⬧ How we keep operating in a disaster, how do we get staff to alternate
sites, what are all the operational things we need to ensure we function
even if at reduced capacity for up to 30 days.
▪ Crisis Communications Plan:
⬧ A subplan of the CMP.
⬧ How we communicate internally and externally during a disaster.
⬧ Who is permitted to talk to the press? Who is allowed to communicate
what to whom internally?
▪ Cyber Incident Response Plan:
⬧ How we respond in cyber events, can be part of the DRP or not. This
could be DDOS, worms, viruses,...
▪ OEP (Occupant Emergency Plan):
⬧ How do we protect our facilities, our staff and the environment in a
disaster event.
⬧ This could be fires, hurricanes, floods, criminal attacks, terrorism,...
⬧ Focuses on safety and evacuation, details how we evacuate, how often
we do the drills and the training staff should get.
▪ BRP (Business Recovery Plan):
⬧ Lists the steps we need to take to restore normal business operations
after recovering from a disruptive event.
⬧ This could be switching operations from an alternate site back to a
(repaired) primary site.
▪ Continuity of Support Plan:
⬧ Focuses narrowly on support of specific IT systems and applications.
⬧ Also called the IT Contingency Plan, emphasizing IT over general
business support.
2|Page
https://thorteaches.com/
CC Chapter 2
▪
•
•
•
•
•
•
•
•
•
Lecture notes
CMP (The Crisis Management Plan):
⬧ Gives us effective
coordination among
the management of
the organization in
the event of an
emergency or
disruptive event.
⬧ Details what steps
management must
take to ensure that
life and safety of
personnel and
property are
immediately
protected in case of
a disaster.
Older versions of NIST 800-34 had these steps as a framework for building our BCP/DRP.
Project Initiation: We start the project, identify stakeholders, get C-level approval and
formalize the project structure.
Scope the Project: We identify exactly what we are trying to do and what we are not.
Business Impact Analysis: We identify and prioritize critical systems and components.
Identify Preventive Controls: We identify the current and possible preventative controls
we can deploy.
Recovery Strategy: How do we recover efficiently? What are our options? DR site,
system restore, cloud,...
Plan Design and Development: We build a specific plan for recovery from a disaster,
procedures, guidelines and tools.
Implementation, Training, and Testing: We test the plan to find gaps and we train staff
to be able to act on the plan.
BCP/DRP Maintenance: It is an iterative process. Our organization develops, adds
systems, facilities or technologies and the threat landscape constantly changes, we have
to keep improving and tweaking our BCP and DRP.
3|Page
https://thorteaches.com/
CC Chapter 2

Lecture notes
•
We categorize disasters in 3 categories: Natural, Human, or Environmental.
▪ Natural:
⬧ Anything caused by nature, this could be earthquakes, floods, snow,
tornados, ...
⬧ They can be very devastating but are less common than the other types
of threats.
⬧ The natural disaster threats are different in different areas, we do the
risk analysis on our area.
⬧ For one site we could build our buildings and data center earthquake
resilient and another flood resilient.
▪ Human:
⬧ Anything caused by humans, they can be intentional or unintentional
disasters.
⬧ Unintentional could be an employee uses a personal USB stick on a PC
at work and spreads malware, just as bad as if an attacker had done it,
but the employee was just ignorant, lazy or didn't think it would matter.
⬧ Intentional could be malware, terrorism, DOS attacks, hacktivism,
phishing, ...
▪ Environmental (Not to be confused with natural disasters):
⬧ Anything in our environment, could be power outage/spikes, hardware
failures, provider issues, ...
•
The plans need to be continually updated; it is an iterative process.
▪ Plans should be reviewed and updated at least every 12 months.
▪ We changed major components of our systems (new backup solution, new IP
scheme,…).
▪ We had a disaster, and we had a lot of gaps in our plans.
▪ A significant part of senior leadership has changed.
DRP – Disaster Recovery Plan:
•
Our DRP (Disaster Recovery Plan) should answer at least three basic questions:
▪ What is the objective and purpose?
▪ Who will be the people or teams who will be responsible in case any disruptions
happen?
▪ What will these people do (our procedures) when the disaster hits?
•
DRP has a lifecycle of Mitigation, Preparation, Response and Recovery.
▪ Mitigation: Reduce the impact, and likeliness of a disaster.
▪ Preparation: Build programs, procedures and tools for our response.
4|Page
https://thorteaches.com/
CC Chapter 2
•
•
•
In our recovery process we have to consider the many factors that can impact us, we
need look at our options if our suppliers, contractors or the infrastructure are impacted
as well.
We may be able to get our data center up and running in 12 hours, but if we have no
outside connectivity that may not matter.
Simulated Tests:
▪ DRP Review:
⬧ Team members who are part of the DRP team review the plan quickly
looking for glaring omissions, gaps or missing sections in the plan.
▪ Read-Through (Checklist):
⬧ Managers and functional areas go through the plan and check a list of
components needed for in the recovery process.
▪ Walk/Talk-through (Tabletop or Structured Walkthrough):
⬧ A group of managers and critical personnel sit down and talk through
the recovery process.
⬧ Can often expose gaps, omissions or just technical inaccuracies that
would prevent the recovery.
▪
•
Lecture notes
Simulation Test (Walkthrough Drill):
⬧ Similar to the walkthrough (but different, do not confuse them).
⬧ The team simulates a disaster and the teams respond with their pieces
from the DRP.
Physical Tests:
▪ Partial Interruption:
⬧ We interrupt a single application and fail it over to our secondary
facilities, often done off hours.
5|Page
https://thorteaches.com/
CC Chapter 2
Lecture notes
•
We have looked at the first 2 before, for now we will focus on Response and Recovery.
▪ Response: How we react in a disaster, following the procedures.
⬧ How we respond and how quickly we respond is essential in Disaster
Recovery.
⬧ We assess if the incident we were alerted to or discovered is serious and
could be a disaster, the assessment is an iterative process.
⬧ The more we learn and as the team gets involved we can assess the
disaster better.
⬧ We notify appropriate staff to help with the incident (often a call tree or
automated calls), inform the senior management identified in our plans
and if indicated by the plan communicate with any other appropriate
staff.
▪ Recovery: Reestablish basic functionality and get back to full production.
⬧ We act on our assessment using the plan.
⬧ At this point all key stakeholders should be involved, we have a clearer
picture of the disaster and take the appropriate steps to recover. This
could be DR site, system rebuilds, traffic redirects,…
•
BIA (Business Impact Analysis):
▪ Identifies critical and non-critical organization systems, functions, and activities.
▪ Critical is where disruption is considered unacceptable, the acceptability is also
based on the cost of recovery.
▪ A function may also be considered critical if dictated by law.
▪ For each critical (in scope) system, function, or activity, two values are then
assigned:
▪ RPO (Recovery Point Objective): The acceptable amount of data that can not
be recovered.
⬧ The recovery point objective must ensure that the maximum tolerable
data loss for each system, function or activity is not exceeded.
⬧ If we only back up once a week, we accept up to a week of data loss.
▪ MTD (Maximum Tolerable Downtime) MTD ≥ RTO + WRT:
⬧ The time to rebuild the system and configure it for reinsertion into
production must be less than or equal to our MTD.
⬧ The total time a system can be inoperable before our organization is
severely impacted.
⬧ Remember companies that had a major loss of data, 43% never reopen
and 29% close within two years.
⬧ Other frameworks may use other terms for MTD, but for the exam know
and use MTD.
⬧ MAD (Maximum Allowable Downtime), MTO (Maximum Tolerable
Outage), MAO (Maximum Acceptable Outage), MTPoD (Maximum
Tolerable Period of Disruption).
▪ RTO (Recovery Time Objective): The amount of time to restore the system
(hardware).
6|Page
https://thorteaches.com/
CC Chapter 2
Lecture notes
⬧
▪
▪
▪
▪
•
The recovery time objective must ensure that the MTD for each system,
function or activity is not exceeded.
WRT (Work Recovery Time) (software):
⬧ How much time is required to configure a recovered system.
MTBF (Mean Time Between Failures):
⬧ How long a new or repaired system or component will function on
average before failing, this can help us plan for spares and give us an
idea of how often we can expect hardware to fail.
MTTR (Mean Time to Repair):
⬧ How long it will take to recover a failed system.
MOR (Minimum Operating Requirements):
⬧ The minimum environmental and connectivity requirements for our
critical systems to function, can also at times have minimum system
requirements for DR sites.
⬧ We may not need a fully spec'd system to resume the business
functionality.
Recovery Strategies:
▪ From our MTD we can determine our approach to how we handle disasters and
the safeguards we put in place to mitigate or recover from them.
▪ Redundant Site:
⬧ Complete identical site to our production, receives a real time copy of
our data.
⬧ Power, HVAC, Raised floors, generators,…
⬧ If our main site is down the redundant site will automatically have all
traffic fail over to the redundant site.
⬧ The redundant site should be geographically distant, and have staff at it.
⬧ By far the most expensive recovery option, end users will never notice
the fail over.
▪ Hot Site:
⬧ Similar to the redundant site, but only houses critical applications and
systems, often on lower spec’d systems.
⬧ Still often a smaller but a full data center, with redundant UPS’s,
HVAC’s, ISP’s, generators,…
⬧ We may have to manually fail traffic over, but a full switch can take an
hour or less.
⬧ Near or real-time copies of data.
▪ Warm Site:
⬧ Similar to the hot site, but not with real or near-real time data, often
restored with backups.
⬧ A smaller but full data center, with redundant UPS’s, HVAC’s, ISP’s,
generators,…
⬧ We manually fail traffic over, a full switch and restore can take 4-24+
hrs.
7|Page
https://thorteaches.com/
CC Chapter 2
▪
▪
▪
Lecture notes
Cold Site:
⬧ A smaller but full data center, with redundant UPSs’, HVAC’s, ISP’s,
generators,…
⬧ No hardware or backups are at the cold site, they require systems to be
acquired, configured and applications loaded and configured.
⬧ This is by far the cheapest, but also longest recovery option, can be
weeks+.
Reciprocal Agreement Site:
⬧ Your organization has a contract with another organization that they
will give you space in their data center in a disaster event and vice
versa.
⬧ This can be promised space or some racks with hardware completely
segmented off the network there.
Subscription/Cloud Site:
⬧ We pay someone else to have a minimal or full replica of our production
environment up and running within a certain number of hours (SLA).
⬧ They have fully built systems with our applications and receive backups
of our data, if we are completely down we contact them and they spin
the systems up and apply the latest backups.
⬧ How fast and how much is determined by our plans and how much we
want to pay for this type of insurance.
▪
•
•
Mobile Site:
⬧ Basically a data center on wheels, often a container or trailer that can
be moved wherever by a truck.
⬧ Has HVAC, fire suppression, physical security, (generator),… everything
you need in a full data center.
⬧ Some are independent with generator and satellite internet, others
need power and internet hookups.
Once we have had and recovered from a disruption or we have done our failover test
we do a lessons learned.
Lessons Learned:
▪ This phase is often overlooked, we removed the problem, we have
implemented new controls and safeguards.
▪ We can learn a lot from lessons learned, not just about the specific incidence,
but how well we handle them, what worked, what didn't.
8|Page
https://thorteaches.com/
CC Chapter 2
Lecture notes
▪
•
•
•
•
•
What happened and didn’t happen is less important than how we improve for
next time.
▪ We do not place blame, the purpose is improving.
▪ How can we as an organization grow and become better next time we have
another incidence? While we may have fixed this one vulnerability there are
potentially 100's of new ones we know nothing about yet.
The outcome and changes of the Lessons Learned will then feed into our preparation
and improvement of our BCP and DRP.
We only use our BCP/DRP's when our other countermeasures have failed.
This makes the plans even more important. (Remember 72% of business with major
data loss closed).
When we make and maintain the plans there are some common pitfalls we want to
avoid:
▪ Lack of senior leadership support
▪ Too narrow scope
▪ Not keeping the BCP/DRP plans up to date, or no proper versioning controls
The plans needs to be continually updated, it is an iterative process.
▪ Plans should be reviewed and updated at least every 12 months.
▪ When we update the plans older copies are retrieved and destroyed, and
current versions are distributed.
 Incident Management:
•
Incident Management:
▪ Involves the monitoring and detection of security events on our systems, and
how we react in those events.
▪ It is an administrative function of managing and protecting computer assets,
networks, and information systems.
▪ The primary purpose is to have a well understood and predictable response to
events and computer intrusions.
▪ We have very clear processes and responses, and our teams are trained in them
and know what to when an event occurs.
▪ Incidents are very stressful situations, it is important staff knows exactly what to
do, that they have received ongoing training and understand the procedures.
•
We categorize disasters in 3 categories: Natural, Human, or Environmental.
▪ Natural:
⬧ Anything caused by nature, this could be earthquakes, floods, snow,
tornados, ...
⬧ They can be very devastating, but are less common than the other types
of threats.
⬧ The natural disaster threats are different in different areas, we do the
risk analysis on our area.
9|Page
https://thorteaches.com/
CC Chapter 2
Lecture notes
⬧
▪
▪
•
For one site we could build our buildings and data center earthquake
resilient and another flood resilient.
Human:
⬧ Anything caused by humans, they can be intentional or unintentional
disasters.
⬧ Unintentional could be an employee uses a personal USB stick on a PC
at work and spreads malware, just as bad as if an attacker had done it,
but the employee were just ignorant, lazy or didn't think it would
matter.
⬧ Intentional could be malware, terrorism, DOS attacks, hacktivism,
phishing, ...
Environmental (Not to be confused with natural disasters):
⬧ Anything in our environment, could be power outage/spikes, hardware
failures, provider issues, ...
Incident Management:
▪ Event:
⬧ An observable change in state, this is neither negative nor positive, it is
just something has changed.
⬧ A system powered on, traffic from one segment to another, an
application started.
▪ Alert:
⬧ Triggers warnings if certain event happens.
⬧ This can be traffic utilization above 75% or memory usage at 90% or
more for more than 2 minutes.
▪ Incident:
⬧ Multiple adverse events happening on our systems or network, often
caused by people.
▪ Problem:
⬧ Incidence with an unknown cause, we would follow similar steps to
incidence response.
⬧ More time would be spent on root cause analysis, we need to know
what happened so we can prevent it from happening again, this could
be a total internet outage or server crash.
▪ Inconvenience (Non-disasters):
⬧ Non-disruptive failures, hard disk failure, 1 server in a cluster is down,…
▪ Emergency (Crisis):
⬧ Urgent, event with the potential for loss of life or property.
▪ Disaster:
⬧ Our entire facility is unusable for 24 hours or longer.
⬧ If we are geographically diverse and redundant we can mitigate this a
lot.
⬧ Yes, a snowstorm can be a disaster.
▪ Catastrophe:
⬧ Our facility is destroyed
10 | P a g e
https://thorteaches.com/
CC Chapter 2
•
•
•
Lecture notes
NIST 800-61 - IR lifecycle (ALL NIST publications are free)
▪ https://thorteaches.com/study/ -> Scroll down to free stuff.
CIRT (Cyber Incident Response Team):
▪ Senior management
▪ Incident manager
▪ Technical leads and teams.
▪ IT Security.
▪ PR, HR, and legal.
▪ Auditors IT/financial.
Incident Management:
▪ We most common use a 8-step
lifecycle.
1. Preparation.
2. Detection
3. Response
4. Mitigation
5. Reporting.
6. Recovery.
7. Remediation.
8. Lessons Learned
▪
Preparation:
⬧ This is all the steps we take
to prepare for incidences.
⬧ We write the policies,
procedures, we train our
staff, we procure the detection soft/hardware, we give our incidence
response team the tools they need to respond to an incident.
⬧ The more we train our team, the better they will handle the response,
the faster we recover, the better we preserve the crime scene (if there
is one), the less impactful an incident will be.
▪
Detection:
⬧ Events are analyzed to determine if they might be a security incident.
⬧ If we do not have strong detective capabilities in and around our
systems, we will most likely not realize we have a problem until long
after it has happened.
⬧ The earlier we detect the events, the earlier we can respond, IDS's can
help us detect, where IPS's can help us detect and prevent further
compromise.
⬧ The IDS's and IPS's can help us detect and prevent on a single network
segment, we also need something that can correlate all the information
from the entire network.
11 | P a g e
https://thorteaches.com/
CC Chapter 2
▪
▪
▪
Lecture notes
Response:
⬧ The response phase is when the incident response team begins
interacting with affected systems and attempts to keep further damage
from occurring as a result of the incident.
⬧ This can be taking a system off the network, isolating traffic, powering
off the system, or however our plan dictates to isolate the system to
minimize both the scope and severity of the incident.
⬧ Knowing how to respond, when to follow the policies and procedures to
the letter and when not to, is why we have senior staff handle the
responses.
⬧ We make bit level copies of the systems, as close as possible to the time
of incidence to ensure they are a true representation of the incident.
⬧ IT Security is there to help the business, it may not be the choice of
senior management to disrupt business to contain or analyze, it is
ultimately a decision that is made by them.
⬧ We stop it from spreading, but that is it, we contain the event.
Mitigation:
⬧ We understand the cause of the incident so that the system can be
reliably cleaned and restored to operational status later in the recovery
phase.
⬧ Organizations often remove the most obvious sign of intrusion on a
system or systems, but miss backdoors and other malware installed in
the attack.
⬧ The obvious sign is often left to be found, where the actual payload is
hidden. if that is detected or assumed, we often just rebuild the system
from scratch and restore application files from a known good backup,
but not system files.
⬧ To ensure the backup is good, we need to do root cause analysis, we
need a timeline for the intrusion, when did it start?
⬧ If it is from a known vulnerability we patch. If it's a newly discovered
vulnerability we mitigate it before exposing the newly built system to
the outside again.
⬧ If anything else can be learned about the attack, we can add that to our
posture.
⬧ Once eradication is complete, we start the recovery phase.
Reporting:
⬧ We report throughout the process beginning with the detection, and we
start reporting immediately when we detect malicious activity.
⬧ The reporting has 2 focus areas: technical and non-technical.
⬧ The incident handling teams report the technical details of the incident
as they start the incident handling process, but they also notify
management of serious incidents.
⬧ The procedures and policies will outline when which level of
management needs to be informed and involved, it is commonly
forgotten until later and can be a RPE (Resume Producing Event).
12 | P a g e
https://thorteaches.com/
CC Chapter 2
Lecture notes
⬧
▪
▪
▪
▪
Management will also involve other departments if needed, this could
be legal, PR or whomever has been identified in the policies or
procedures.
Recovery:
⬧ We carefully restore the system or systems to operational status.
⬧ When the system is ready for reinsertion is determined by the business
unit responsible for the system.
⬧ We closely monitor the rebuilt or cleaned system carefully, it is possible
the attackers left backdoors or we did not remove all the infected
sectors.
⬧ Often the system(s) are reinserted off peak hours to minimize the effect
of the system(s) still being infected, or they can be introduced in a
controlled sandbox environment to see if the infection persists.
Remediation:
⬧ The remediation happens during the mitigation phase, where
vulnerabilities on the impacted system or systems are mitigated.
⬧ Remediation continues after mitigation and becomes broader, this can
be patching all systems with the same vulnerability or change how the
organization authenticates.
Lessons Learned:
⬧ This phase is often overlooked, we removed the problem, we have
implemented new controls and safeguards.
⬧ We can learn a lot from lessons learned, not just about the specific
incidence, but how well we handle them, what worked, what didn't.
⬧ How can we as an organization grow and become better next time we
have another incidence? While we may have fixed this one vulnerability
there are potentially 100's of new ones we know nothing about yet.
⬧ At the end of lessons learned we produce a report to senior
management, with our findings, we can only make suggestions, they are
ultimately in charge (and liable).
⬧ Often after major incidents organizations shift to a top-down approach
and will listen more to IT Security.
⬧ The outcome and changes of the Lessons Learned will then feed into
our preparation.
Root-Cause Analysis:
⬧ We attempt to determine the underlying weakness or vulnerability that
allowed the incident to happen.
⬧ If we do not do the root-cause analysis we will most likely face the same
problem again.
⬧ We need to fix the vulnerability on the system(s) that were effected, but
also on any system in the organization that has that particular
vulnerability or set of vulnerabilities.
⬧ We could have a weak password policy and weak encryption, that could
be the root cause of a system compromise, we then would implement
countermeasures to remove the vulnerability.
13 | P a g e
https://thorteaches.com/
CC Chapter 2
⬧
Lecture notes
If we do nothing and just fix the problem, the root of the issue still
persists, that is what we need to fix.
•
BCP (Business Continuity Plan):
▪ This is the process of creating the long-term
strategic business plans, policies and procedures for
continued operation after a disruptive event.
▪ It is for the entire organization, everything that
could be impacted, not just IT.
▪ Lists a range of disaster scenarios and the steps the
organization must take in any particular scenario to
return to regular operations.
▪ BCP’s often contain COOP (Continuity of Operations
Plan), Crisis Communications Plan, Critical
Infrastructure Protection Plan, Cyber Incident
Response Plan, DRP (Disaster Recovery Plan), ISCP
(Information System Contingency Plan), Occupant
Emergency Plan.
▪ What would we do if a critical supplier closed, the
facility was hit by an earthquake, what if we were snowed in and staff couldn't
get to work,...
▪ They are written ahead of time, and continually improved upon, it is an iterative
process.
▪ We write the BCP with input from key staff and at times outside BCP
consultants.
•
DRP (Disaster Recovery Plan):
▪ This is the process of creating the short-term plans, policies, procedures and
tools to enable the recovery or continuation of vital IT systems in a disaster.
▪ It focuses on the IT systems supporting critical business functions, and how we
get those back up after a disaster.
▪ DRP is a subset of our BCP.
▪ We look at what we would do if we get hit with a DDOS attack (can be in the
DRP or in our Cyber Incident Response Plan), a server gets compromised, we
experience a power outage, ...
▪ Often the how and system specific, where the BCP is more what and non-system
specific.
•
We categorize disasters in 3 categories: Natural, Human, or Environmental.
▪ Natural:
⬧ Anything caused by nature, this could be earthquakes, floods, snow,
tornados, ...
⬧ They can be very devastating, but are less common than the other types
of threats.
14 | P a g e
https://thorteaches.com/
CC Chapter 2
Lecture notes
⬧
▪
▪
•
•
•
•
The natural disaster threats are different in different areas, we do the
risk analysis on our area.
⬧ For one site we could build our buildings and data center earthquake
resilient and another flood resilient.
Human:
⬧ Anything caused by humans, they can be intentional or unintentional
disasters.
⬧ Unintentional could be an employee uses a personal USB stick on a PC
at work and spreads malware, just as bad as if an attacker had done it,
but the employee were just ignorant, lazy or didn't think it would
matter.
⬧ Intentional could be malware, terrorism, DOS attacks, hacktivism,
phishing, ...
Environmental (Not to be confused with natural disasters):
⬧ Anything in our environment, could be power outage/spikes, hardware
failures, provider issues, ...
Errors and Omissions (Human):
▪ The most common reason for disruptive events are internal employees, often
called errors and omissions.
▪ They are not intending to harm our organization, but they can inadvertently do
so by making mistakes or not following proper security protocols.
▪ This could be a mistype, leaving a door unlocked to go outside to smoke or
leaving a box of backup tapes somewhere not secure.
▪ They often have a minor impact, but if we have issues where they are deemed
very common or potentially damaging we can build in controls to mitigate them.
▪ We could put a double check in place for the mistype, an alarm on the unlocked
door that sounds after being open for 10 seconds, or very clear procedures and
controls for the transport of backup tapes.
Electrical or Power Problems (Environmental):
▪ Are power outages common in our area?
▪ Do we have proper battery and generator backup to sustain our sites for an
extended period of time?
▪ We want the redundancy of UPS's and generators, they both supply constant
and clean power.
▪ These should always be in place in data centers, but what about our other
buildings?
▪ Power fluctuations can damage hardware.
Heat (Environmental):
▪ Many data centers are kept too cold, the last decades research has shown it is
not needed.
▪ Common temperature levels range from 68–77 °F (20–25 °C) - with an allowable
range 59–90 °F (15–32 °C).
▪ Keeping a Data Center too cold wastes money and raises humidity.
Pressure (Environmental): Keeping positive pressure keeps outside contaminants out.
15 | P a g e
https://thorteaches.com/
CC Chapter 2
•
•
Lecture notes
Humidity (Environmental): Humidity should be kept between 40 and 60% rH (Relative
Humidity).
▪ Low humidity will cause static electricity and high humidity will corrode metals
(electronics).
Warfare, Terrorism and Sabotage (Human):
▪ We still see plenty of conventional conflicts and wars, but there is much more
happening behind the veil of the internet, hacking for causes, countries, religion
and many more reasons.
▪ It makes sense to cripple a country's or region's infrastructure if you want to
invade or just destabilize that area.
▪ This could be for war, trade, influence or many other reasons, everything is so
interconnected we can shut down water, electricity or power from across the
world.
▪ The targets are not always the obvious targets, hospitals, air travel, shipping,
production,... are potential targets.
▪ State, Cause or Religious Hacking (Human):
⬧ Common, we often see the attacks happening 9-5 in that time zone, this
is a day job.
⬧ Approximate 120 countries have been developing ways to use the
internet as a weapon to target financial markets, government computer
systems and utilities.
⬧ Famous attacks: US elections (Russia), Sony websites (N. Korea), Stuxnet
(US/Israel), US Office of Personnel Management (China),…
•
Financially Motivated Attackers (Human):
▪ We are seeing more and more financially motivated attacks, they can be both
highly skilled or not.
▪ The lower skilled ones could be normal phishing attacks, social engineering or
vishing, these are often a numbers game, but only a very small percentage
needs to pay to make it worth the attack.
▪ The ones requiring more skills could be stealing cardholder data, identity theft,
fake anti-malware tools, or corporate espionage,...
▪ Ransomware is a subtype of financially motivated attacks, it will encrypt a
system until a ransom is paid, if not paid the system is unusable, if paid the
attacker may send instructions on how to recover the system.
▪ Attackers just want the payday, they don’t really care from whom.
•
Personnel Shortages (Human/Nature/Environmental):
▪ In our BCP, we also have to ensure that we have redundancy for our personnel
and how we handle cases where we have staff shortages.
▪ If we have 10% of our staff, how impacted is our organization?
▪ This can be caused by natural events (snow, hurricane) but is more commonly
caused by the flu or other viruses.
▪ Pandemics:
16 | P a g e
https://thorteaches.com/
CC Chapter 2
⬧
▪
▪
Lecture notes
Organizations should identify critical staff by position not by name, and
have it on hand for potential epidemics. <Insert your own COVID-19
work experiences here.>
Strikes:
⬧ A work stoppage caused by the mass refusal of employees to work.
⬧ Usually takes place in response to employee grievances.
⬧ How diminished of a workforce can we have to continue to function?
Travel:
⬧ When our employees travel, we need to ensure both they and our data
is safe.
⬧ That may mean avoiding certain locations, limiting what they bring of
hardware and what they can access from the remote location.
⬧ If they need laptops/smartphones, we use encryption, device
monitoring, VPNs, and all other appropriate measures.
➢ Domain 2: What we covered.
•
•
•
BCP (Business Continuity Plan):
▪ The overarching plan, with many subplans.
▪ This is the process of creating the long-term strategic business plans, policies,
and procedures for continued operation after a disruptive event.
DRP (Disaster Recovery Plan):
▪ Focused on our IT systems.
▪ How do we recover fast enough in a disaster scenario.
▪ DRP has a lifecycle of Mitigation, Preparation, Response and Recovery.
Incident Management:
▪ How we monitor and detect security events on our systems, and how we react
in those events.
17 | P a g e
https://thorteaches.com/
CC Chapter 3
Lecture notes
Welcome to the Third Chapter.
➢
Domain 3: What we will be covering.



Physical Controls:
▪ Locks, fences, guards, dogs, gates, bollards, ...
Technical Controls:
▪ Hardware/software/firmware – Firewalls, routers, encryption, ...
Access Control Categories and Types:

Access Control Categories:
▪ Administrative (Directive) Controls:

Organizational policies and procedures.

Regulation.

Training and awareness.
▪ Technical Controls:

Hardware/software/firmware – Firewalls, routers, encryption.
▪ Physical Controls:

Locks, fences, guards, dogs, gates, bollards.

Access Control Types (Many can be multiple types – On the exam look at question
content to see which type it is).
▪ Preventative:

Prevents action from happening – Least privilege, drug tests, IPS,
firewalls, encryption.
▪ Detective:

Controls that Detect during or after an attack – IDS, CCTV, alarms, antivirus.
▪ Corrective:

Controls that Correct an attack – Anti-virus, patches, IPS.
▪ Recovery:

Controls that help us Recover after an attack – DR Environment,
backups, HA Environments.
▪ Deterrent:

Controls that Deter an attack – Fences, security guards, dogs, lights,
Beware of the dog signs.
▪ Compensating:
Controls that Compensate – other controls that are impossible or too
costly to implement.
1|Page
https://thorteaches.com/
CC Chapter 3

Lecture notes
Physical Security Controls:
•
Perimeter defense:
▪ Fences (Deterrence, Preventative):
⬥ Smaller fences such as 3ft. (1m) can be a deterrence, while taller ones,
such as 8ft. (2.4m) can be a prevention mechanism.
⬥ The idea of the fences is to ensure entrance/exits from the facility
happen through only a few entry points (doors, gates, turnstiles).
▪ Gates (Deterrence, Preventative):
⬥ Placed at control points at the
perimeter.
⬥ Used with the fences to ensure access
only happens through a few entry
points.
⬥ ASTM Standard:
🢭 Class I Residential (your house)
🢭 Class II Commercial/General
Access (parking garage).
🢭 Class III Industrial/Limited Access (loading dock for 18-wheeler
trucks).
🢭 Class IV Restricted Access (airport or prison).
▪ Bollards (Preventative):
⬥ Used to prevent cars or trucks from entering an area while allowing foot
traffic to pass.
⬥ Often shops use planters or similar; it looks prettier but achieves the
same goal.
⬥ Most are static heavy-duty objects, but some cylindrical versions can
also be electronically raised or lowered to allow authorized traffic past a
"no traffic" point. Some are permanent fixtures and can be removed
with a key or other unlock functions.
▪ Lights (Detective and Deterrence):
⬥ Lights should be used to fully illuminate the entire area.
⬥ Lights can be static, motion activated (static) or automatic/manual
Fresnel lights (search lights).
⬥ Measured in lumen - 1 lumen per square foot or lux - 1 lumen per
square meter more commonly used.
▪ CCTV (Closed Circuit Television) (Detective, Deterrence) - used to monitor the
facility’s perimeter and inside it.
⬥ Older cameras are analog and use video tapes for storage (often VHS);
quality is often bad, unclear.
⬥ Modern cameras are digital and use CCD (Charged Couple Discharge);
also use a DVR (Digital Video Recorder).
⬥ Organizations may have retention requirements either from policies or
legislation that require a certain retention of their video (this could be
bank ATM, data center or entry point footage).
⬥ Cameras can be either static or non-static (automatic or manual).
2|Page
https://thorteaches.com/
CC Chapter 3
Lecture notes
🢭 We have all seen the spy or heist movies where they avoid them
by knowing the patterns and timers.
🢭 This risk can be mitigated with a randomizer or pseudo
randomizer, we want to ensure full coverage.
▪
Locks (Preventative):
⬥ Key locks:
🢭 Requires a physical key to unlock;
keys can be shared/copied.
🢭 Key Bitting Code (How far the key is
bitten down for that section.) – Can
be copied and replicated without the
key from either the numbers or a
photo of it.
🢭 Pin Tumbler Lock (or Yale lock) – A
lock mechanism that uses pins of
varying lengths to prevent
the lock from opening without the correct key.
🢭 Lock Picking - with a lock pick set or bumping, opening a lock
without the key.
🢭 Any key lock can be picked or bumped, how long it
takes depends on the quality of the lock.
🢭 Lock pick sets lift the pins in the tumbler, opening the
lock.
🢭 Lock Bumping - Using a shaved-down key that matches the lock,
the attacker “bumps“ the key handle with a hammer or
screwdriver which makes the pins jump, then the attacker
quickly turns the key.
🢭 Master Keys open any lock in a given area or security zone.
🢭 Both who has them and where they are kept should be
very closely guarded at all times.
🢭 Core Key is used to remove a lock core in
"interchangeable core locks."
🢭 An interchangeable core, or IC, is a
compact keying mechanism in a
specific figure-eight shape.
🢭 Relies upon a specialized "control" key
for insertion and extraction of the core.
🢭 Should be kept secure and access
should be very restricted.
⬥ Combination Locks:
🢭 Not very secure and have limited accountability even
with unique codes.
🢭 Should be used for low security areas.
🢭 Can be Dial type (think safe), Button or Keypad.
3|Page
https://thorteaches.com/
CC Chapter 3
Lecture notes
🢭 Very susceptible to brute force, shoulder surfing and are often
configured with weak security (I know of a good deal of places
where the code is the street number).
🢭 Over time, the buttons used for the code will have more wear
and tear.
🢭 For 4-number PIN where 4 keys are used, the possible
combinations are no longer 10,000, but 256: if 3 keys, then 81
options.
▪
▪
▪
▪
▪
Smart Cards (contact or contactless):
⬥ They contain a computer circuit, using ICC (Integrated Circuit Card).
⬥ Contact Cards - Inserted into a machine to be read.
🢭 This can be credit cards you insert into the chip reader or the
DOD CAC (Common Access Card).
⬥ Contactless Cards - can be read by proximity.
🢭 Key fobs or credit cards where you just hold it close to a reader.
🢭 They use an RFID (Radio Frequency Identification) tag
(transponder) which is then read by an RFID Transceiver.
Magnetic Stripe Cards:
⬥ Swiped through a reader, no circuit.
⬥ Very easy to duplicate.
Tailgating/Piggybacking:
⬥ Following someone authorized into an area you are not authorized to
be in.
⬥ Often combined with Social Engineering.
⬥ It is easy to do if your reason for being there seems plausible.
⬥ Bring a lot of food, a cake, and some balloons, have on clothes, ID badge
and tools that a repairman would, the options are endless.
Mantrap:
⬥ A Mantrap is a room with 2 doors; Door 1 must close completely before
Door 2 can be opened.
⬥ Each door has a different authentication method (something you know,
something you have, something you are).
⬥ They can at times use weight sensors - Bob weighs 220lbs (100kg), the
weight measured by the pressure plate is 390lbs (177kg), someone is
probably in the room with Bob. Door 2 won’t open until Bob is
confirmed alone in the Mantrap with a cart of old servers, normally
done by the cameras in the trap.
Turnstiles (Preventative, Deterrence):
⬥ Also prevents tailgating, by allowing only 1 person to enter
per Authentication (think like in US subway systems or amusement park
entries, but for secure areas they are often floor to ceiling
turnstiles with interlocking blades).
4|Page
https://thorteaches.com/
CC Chapter 3
Lecture notes
Both Mantraps and Turnstiles should be designed to allow safe evacuation in
case of an emergency. (Remember that people are more important to protect
than stuff.)
▪
▪
▪
Contraband Checks (Preventative, Detective, Deterrent):
⬥ Often seen in airports, courthouses, intelligence offices or other higher
security facilities.
⬥ Checking what you are bringing in or out of the building to ensure
nothing dangerous gets in or anything confidential gets out.
⬥ With technology becoming much smaller, these are less effective when
it comes to data theft; it is easy to hide a microSD memory card, which
can contain up to 1TB+ of data per card.
Motion Detectors (Detective, Deterrence):
⬥ Used to alert staff by triggering an alarm (silent or not).
⬥ Someone is here, did an authorized person pass the checkpoint?
🢭 IF yes, then log the event and do nothing else
IF no, then alert/alarm.
⬥ Basic ones are light-based - They require light, making them not very
reliable.
⬥ Ultrasound, Microwave, Infrared or Laser (pew-pew!!)
🢭 Active sensors, they send energy (sound, wave or light).
🢭 If the sound takes less time to return or the pattern it receives
back is altered, it means someone is somewhere they should
not be.
🢭 Photoelectric motion sensors send a beam of light to a sensor, if
broken the alarm sounds. These are the pew-pew lasers and
sorry, no, they are not green or red and they are rarely visible.
Perimeter Alarms:
⬥ Door/window sensors – these are the thin strips around the edges of
either or contact sensors.
🢭 If opened, an alarm sounds; if broken, same effect.
🢭 Can be circumvented, but they are part of a layered defense.
⬥ Walls, windows, doors, and any other openings should be considered
equally strong.
⬥ Walls are inherently stronger; the rest need compensating measures
implemented (locks, alarms, sensors).
⬥ Glass is normally easy to break, but can be bullet and/or explosion
proof, or have a wire mesh in the middle.
⬥ Plexiglass can also be used, as it is stronger and does not shatter, but
can be melted.
⬥ Door hinges should always be on the inside (or hidden in the door).
⬥ Just like the turnstiles and mantraps, doors (and in some cases
windows) should be designed to allow safe exit from the building in case
of an emergency. Often there is a "Panic Bar" that opens the door, but
5|Page
https://thorteaches.com/
CC Chapter 3
Lecture notes
they are also connected to alarms that sound when opened (clearly
labeled Emergency Only - Alarm WILL Sound).
▪
Walls, Floors, and Ceilings:
⬥ In line with our layered defense strategy, the strong security
encountered in getting to a data center does nothing if there is a crawl
space that an attacker can use.
⬥ We need to secure all possible ways into our Data Center or other
secure location.
⬥ Walls should be "slab to slab" (from the REAL floor to the REAL ceiling);
if sub-flooring or sub-ceilings are used, then they should be contained
within the slab-to-slab walls.
⬥ Walls, floors, and ceilings should be made of materials (where it makes
sense) that are secure enough for that location, e.g., don't have
sheetrock around your Data Center because I can cut that with a knife.
⬥ Walls, floors, and ceilings should have an appropriate fire rating.
🢭 So should your doors, but walls, floors and ceilings are more
often overlooked.
🢭 This is to protect the Data Center from outside fire and just as
well the rest of the building from a Data Center fire.
▪
Guards – (Deterrent, Detective, Preventative, Compensating)
⬥ Guards can serve many diverse purposes for an organization.
⬥ They can check credentials/ID Cards, monitor CCTV cameras,
monitor environmental controls (HVAC), react to incidents, act as a
deterrent, and so much more.
⬥ Professional Guards - Professional training and/or schooling; armed.
⬥ Amateur Guards - No professional training or schooling; armed.
⬥ Pseudo Guard - Unarmed guard.
⬥ Guards should have a very clear set of rules and regulations.
⬥ Social engineering attacks are common and should be prevented
with training to raise awareness.
▪
Dogs (Deterrent, Detective, Compensating):
⬥ Most often used in controlled, enclosed areas.
⬥ Liability can be an issue.
⬥ Dogs are trained to corner suspects and
attack someone who’s fleeing. People often
panic when they encounter a dog and run.
⬥ Even if they’re in a secure area, the
organization may still be liable for injuries.
⬥ Can also be internal authorized employees
walking out the wrong door or trying to take a
shortcut.
⬥ They panic and the dog attacks.
6|Page
https://thorteaches.com/
CC Chapter 3
▪

Lecture notes
Restricted Work Areas and Escorts.
⬥ To track and funnel authorized visitors, we can use visitor badges, visitor
logs, and escorts.
⬥ Non-electronic visitor badges are easy to make copies of and easy to
fake.
⬥ Electronic can be just a cheap re-programmable magnetic strip (like for
hotel rooms, easy to copy). Make sure they have a short window of use,
or more secure individually printed ones for each visit, and only used
once.
⬥ The return of all badges and physical sign-out should be enforced when
the visitor leaves.
⬥ When a vendor is coming to repair, install or remove something in your
facility, they need to be checked in and escorted from the entry point to
where they are going to work by an employee, and the employee
should stay with the vendor until the work is completed.
⬥ The vendor’s employees should already have passed a security check
when they were hired; the vendor is liable.
⬥ This sounds and is boring, but it is more likely to prevent the vendor
from compromising your security than if they were free to roam the
facility and the data center unsupervised.
Technical or Logical Security Controls:
•
•
Access Control Categories:
▪ Administrative (Directive) Controls:
⬥ Organizational policies and procedures.
⬥ Regulation.
⬥ Training and awareness.
▪
Logica/Technical Controls:
▪
⬥ Hardware/software/firmware – Firewalls, routers, encryption.
Physical Controls:
⬥ Locks, fences, guards, dogs, gates, bollards.
Access Control Types (Many can be multiple types – On the exam look at question
content to see which type it is).
▪ Preventative:
⬥ Prevents action from happening – Least privilege, drug tests, IPS,
firewalls, encryption.
▪ Detective:
⬥ Controls that Detect during or after an attack – IDS, CCTV, alarms, antivirus.
▪ Corrective:
⬥ Controls that Correct an attack – Anti-virus, patches, IPS.
7|Page
https://thorteaches.com/
CC Chapter 3
▪
▪
▪
Lecture notes
Recovery:
⬥ Controls that help us Recover after an attack – DR Environment,
backups, HA Environments.
Deterrent:
⬥ Controls that Deter an attack – Fences, security guards, dogs, lights,
Beware of the dog signs.
Compensating:
Controls that Compensate – other controls that are impossible or too
costly to implement.

Identity and Access Provisioning:
▪ We can have multiple identities per
entity and each identity can have
multiple attributes.

I can be staff, alumni, and
enrolled student at a college.

As staff I could have access to
different areas and data than I
would as alumni and student.

Companies can have the same,
they can be the parent
company, then smaller
companies under the parent
umbrella, all with different
attributes.

Identity and Access Provisioning Lifecycle:
▪ This is a suggested lifecycle example from “Identity Management Design Guide
with IBM Tivoli Identity Manager”.
▪ You obviously don’t have to implement it verbatim but find a clear policy that
works for your organization.

Life cycle rules provide administrators with the ability to define life cycle
operations to be executed as the result of an event. Life cycle rules are
especially useful in automating recurring administrative tasks.
 Password policy compliance checking.
 Notifying users to change their passwords before they expire.
 Identifying life cycle changes such as accounts that are inactive
for more than 30 consecutive days.
 Identifying new accounts that have not been used for more
than 10 days following their creation.
 Identifying accounts that are candidates for deletion because
they have been suspended for more than 30 days.
8|Page
https://thorteaches.com/
CC Chapter 3

Lecture notes
When a contract expires, identifying all accounts belonging to a
business partner or contractor’s employees and revoking their
access rights.

Federated Identity:
▪ How we link a person's electronic identity and attributes across multiple distinct
identity management systems.
▪ FIDM (Federated Identity Management):

Having a common set of policies, practices, and protocols in place to
manage the identity and trust into IT users and devices across
organizations.

SSO: A subset of federated identity management. Users use a single
sign-on for multiple systems.

Access Control Systems:
▪ We can use centralized and/or decentralized
(distributed) access control systems, depending on
which type makes the most sense. Both options
provide different benefits.
▪ Access control decisions are made by comparing the
credential to an access control list.
▪ This look-up can be done by a host or server, by an
access control panel, or by a reader.
▪ Most common is hub and spoke with a control
panel as the hub, and the readers as the spokes.
▪ Today most private organizations use Role Based
Access Control (RBAC).

You are in Payroll you get the payroll staff
access and permissions, if you move to HR,
you lose your payroll access and get HR
access assigned.
▪ Normal systems are much larger, but you get the
idea from this drawing how they would connect.
▪ In a perfect world, access control systems should be physically and logically
segmented from the rest of our IP Network, in reality it is most often segmented
logically with VLANs, but in many cases not even that.
▪
Centralized Pro’s (Decentralized Con’s):

All systems and locations have the same security posture.

Easier to manage: All records, configurations and policies are centralized
and only configured once per policy.
9|Page
https://thorteaches.com/
CC Chapter 3
Lecture notes

▪
▪




Attackers look for the weakest link in our chain, if a small
satellite office is not following our security posture, they can be
an easy way onto our network.

It is more secure, only a few people have access and can make changes
to the system.

It can also provide separation of duties, the local admin can’t
edit/delete logs from their facility.

SSO can be used for user access to multiple systems with one login.
Centralized Con’s (Decentralized Pro’s):

Traffic overhead and response time, how long does it take for a door
lock to authenticate the user against the database at the head office?

Is connectivity to the head office stable, is important equipment on
redundant power and internet?
Hybrid:

Centrally controlled; access lists for that location are pushed to a local
server on a daily/hourly basis; local administrators have no access.

We must still ensure that the local site follows the organization's
security posture in all other areas.
Authorization:
▪ We use Access Control models to determine what a subject is allowed to access.
▪ What and how we implement depends on the organization and what
our security goals are, type can often be chosen dependent on which
leg of the CIA Triad is the most important one to us.
▪ If it is Confidentiality, we would most likely go with Mandatory
Access Control.
▪ If it is Availability, we would most likely go with Discretionary
Access Control.
▪ If it is Integrity, we would most likely go with Role Based Access Control
or Attribute Based Access Control.
There technically is also RUBAC (Rule Based Access Control), it is mostly used on
firewalls with IF/THEN statements but can be used in conjunction with the other models
to provide defense in depth.
DAC (Discretionary Access Control) - Often used when Availability is most important:
▪ Access to an object is assigned at the discretion of the object owner.
▪ The owner can add, remove rights, commonly used by most OS's’.
▪ Uses DACL’s (Discretionary ACL), based on user identity.
MAC (Mandatory Access Control) - Often used when Confidentiality is most important:
▪ Access to an object is determined by labels and clearance, this is often used in
the military or in organizations where confidentiality is very important.
10 | P a g e
https://thorteaches.com/
CC Chapter 3
Lecture notes
▪



Labels: Objects have Labels assigned to them; the subject's clearance must
dominate the object's label.

The label is used to allow Subjects with the right clearance access them.

Labels are often more granular than just “Top Secret”, they can be “Top
Secret – Nuclear”.
▪ Clearance: Subjects have Clearance assigned to them.

Based on a formal decision on a subject's current and future
trustworthiness.

The higher the clearance the more in depth the background checks
should be.
RBAC (Role-Based Access Control) - Often used when Integrity is most important:
▪ Policy neutral access control mechanism
defined around roles and privileges.
▪ A role is assigned permissions, and subjects
in that role are added to the group, if they
move to another position they are moved to
the permissions group for that position.
▪ It makes administration of 1,000's of users
and 10,000's of permissions much easier to
manage.
▪ The most commonly used form of access
control.
▪ If implemented right it can also enforce
separation of duties and prevent
authorization/privilege creep .
▪ We move employees transferring within the organization from one role to
another and we do not just add the new role to the old one.
ABAC (Attribute-Based Access Control):
▪ Access to objects is granted based on subjects,
objects, AND environmental conditions.
▪ Attributes could be:

Subject (user) – Name, role, ID, clearance, etc.

Object (resource) – Name, owner, and date of
creation.

Environment – Location and/or time of
access, and threat levels.
Context-Based Access Control:
▪ Access to an object is controlled based on certain
contextual parameters, such as location, time, sequence of
responses, access history.
▪ Providing the username and password combination followed
by a challenge and response mechanism such as CAPTCHA,
11 | P a g e
https://thorteaches.com/
CC Chapter 3
Lecture notes
filtering the access based on MAC addresses on wireless, or a firewall filtering
the data based on packet analysis are all examples of context-dependent access
control mechanisms.

Content-Based Access Control:
▪ Access is provided based on the attributes or content of an object, then it is
known as a content-dependent access control.
▪ In this type of control, the value and attributes of the content that is being
accessed determine the control requirements.
▪ Hiding or showing menus in an application, views in databases, and access to
confidential information are all content-dependent.

Least Privilege and Need to Know.
▪ Least Privilege - (Minimum necessary access) We give our users/systems exactly
the access they need, no more, no less.
▪ Need to Know - Even if you have access, if you do not need to know, then you
should not access the data.
▪ Separation of Duties - More than one individual in one single task is an internal
control intended to prevent fraud and error.

Administrative Security:
▪ Job Rotation:

For the exam think of it to detect errors and frauds. It is easier to detect
fraud and there is less chance of collusion between individuals if they
rotate jobs.

It also helps with employee’s burnout and it helps employees
understand the entire business.

This can be to cost prohibitive for the exam/real life, make sure on the
exam the cost justifies the benefit.
▪ Mandatory Vacations:

Done to ensure one person is not always performing the same task,
someone else has to cover and it can keep fraud from happening or help
us detect it.

Their accounts are locked, and an audit is performed on the accounts.

If the employee has been conducting fraud and covering it up, the audit
will discover it.

The best way to do this is to not give too much advance notice of
vacations.
12 | P a g e
https://thorteaches.com/
CC Chapter 3




Lecture notes
NDA (Non-Disclosure Agreement):
▪ We covered NDAs between our and other organizations, it is also normal to
have them for internal employees.
▪ Some employment agreements will include a clause restricting employees' use
and dissemination of company-owned confidential information.
Background Checks:
▪ References, Degrees, Employment, Criminal, Credit history (less common, more
costly).
▪ For sensitive positions the background check is an ongoing process.
Privilege Monitoring:
▪ The more access and privilege an employee has the more we keep an eye on
their activity.
▪ They are already screened more in depth and consistently, but they also have
access to many business-critical systems, we need to audit their use of that
access.
▪ With more access comes more responsibility and scrutiny.
Data Classification Policies:
13 | P a g e
https://thorteaches.com/
CC Chapter 3
Lecture notes
➢ Domain 3: What we covered.

Physical Controls:
▪ Locks, fences, guards, dogs,
gates, bollards, ...

Technical Controls:
▪ Hardware/software/firmware –
Firewalls, routers, encryption, ...
14 | P a g e
https://thorteaches.com/
CC Chapter 4
Lecture notes
Welcome to the Fourth Chapter.
➢ Domain 4: What we will be covering.

This is a GIANT domain.








Network Basics and Definitions.
The OSI and TCP/IP model.
IP Addresses, Port Numbers, and MAC Addresses.
Wi-Fi and other wireless networks.
Virtualization, Cloud, and Distributed Computing.
Fault tolerance and resiliency.
Data centers.
Attacks and Attackers.
 Network Basics and Definitions:

What is networking?
▪
A computer network is a set of computers sharing resources or data.
We use defense-in-depth on our internal network and when our data traverses the
internet.
 We do this by ensuring all our network devices, protocols, and traffic are as secure as
possible.
 Simplex is a one-way communication (One system transmits, the other listens).
 Half-duplex communication sends or receives at one time only (Only one system can
transmit at a time).
 Full-duplex communication sends and receives simultaneously. (Both systems can
transmit/receive simultaneously).
 Baseband networks have one channel and can only send one signal at a time.
▪ Ethernet is baseband: “1000base-T” STP cable is a 1000-megabit, baseband,
Shielded Twisted Pair cable.
 Broadband networks have multiple channels and can send and receive multiple signals
at a time.
 The Internet is a global collection of peered WAN networks, it really is a patchwork of
ISPs.
 An Intranet is an organization's privately owned network, most larger organizations
have them.
 An Extranet is a connection between private Intranets, often connecting business
partners' Intranets.
1|Page
https://thorteaches.com/
CC Chapter 4








Lecture notes
Circuit Switching - Expensive, but always available,
Circuit Switching Network
used less often.
▪ A dedicated communications channel through
the network.
▪ The circuit guarantees the full bandwidth.
▪ The circuit functions as if the nodes were
physically connected by a cable.
Packet Switching - Cheap, but no capacity guarantee,
Packet Switching Network
very widely used today.
▪ Data is sent in packets but take multiple
different paths to the destination.
▪ The packets are reassembled at the
destination.
▪ QoS (Quality of Service) gives specific traffic
priority over other traffic.

Most commonly VOIP (Voice over IP)
or other UDP traffic needing close to real time communication.

Other non-real time traffic is down prioritized, the 0.25 second delay
won’t be noticed.
PAN (Personal Area Network) - A personal area network is a computer network used for
communication among computers and other information technological devices close to
one person (PCs, printers, scanners, consoles …).
▪ Can include wired (USB and FireWire) and wireless devices (Bluetooth and
infrared).
LAN (Local Area Network) - A network that connects computers and devices in a limited
geographical area such as a home, school, office building or campus.
▪ Each computer or device on the network is a node, wired LANs are most likely
based on Ethernet technology.
MAN (Metropolitan Area Network) – A large computer network that usually spans a
city or a large campus.
WAN (Wide Area Network) - A computer network that covers a large geographic area
such as a city, country, or spans even intercontinental distances. Combines many types
of media such as telephone lines, cables, and air waves.
GAN (Global Area Network) - A global area network, is a network used for supporting
mobile users across a number of wireless LANs, satellite coverage areas, … the transition
from one to the next can be seamless.
VPN (Virtual Private Network) - A VPN network sends private data over an insecure
network, most often the Internet.
▪ Your data is sent across a public network, but looks and feels private.
2|Page
https://thorteaches.com/
CC Chapter 4
Lecture notes
 The OSI Model:
•
The OSI Model (Open Systems Interconnect):
▪ A layered network model that standardizes the communication functions of
a telecommunication or computing system regardless of their underlying
internal structure and technology.
▪ The model partitions a communication system into abstraction layers, the
model has 7 layers.
1. Physical
2. Data Link
3. Network
4. Transport
5. Session
6. Presentation
7. Application.
▫ 7-1 All People Seem To Need Data Processing.
▫ 1-7 Please Do Not Throw Sausage Pizza Away.
▪ Know the PDUs (Data, Segments, Packets, Frames, Bits).
▪
Layer 1 - Physical Layer:
⬧ Wires, Fiber, Radio waves, hub, part of
NIC, connectors (wireless).
⬧ Cable types:
▫ Copper TP (Twisted Pair) Least
secure, eavesdropping,
interference, easy tap into, but
also cheap.
▫ Fiber is more secure, not
susceptible to eavesdropping,
harder to use, can break, higher
cost.
⬧ Topologies:
▫ Bus, Star, Ring, Mesh partial/full.
⬧ Threats:
▫ Data emanation, theft,
eavesdropping, sniffing,
interference.
3|Page
https://thorteaches.com/
CC Chapter 4
Lecture notes
▪
Layer 2 - Data Link Layer:
⬧ Transports data between 2
nodes connected to same
network.
⬧ LLC – Logical Link Control –
error detection.
⬧ MAC address (BIA) – a
unique identifier on the
network card.
▫ Can be spoofed very easily, both for good and not so good
reasons.
▫ 48-bit hexadecimal first 24 manufacturer identifier, last 24
unique.
▫ 64-bit hexadecimal first 24 manufacturer identifier, last 40
unique.
▫ Threats - MAC Spoofing, MAC Flooding.
⬧ ARP (Address Resolution Protocol) Layer 2/3.
⬧ CSMA/CD – Ethernet – minimized with switches vs. hubs.
⬧ CSMA/CA – Wireless.
⬧ Token passing – Similar to the talking stick, not really used anymore.
▪
Layer 3 - Network Layer:
⬧ Expands to many different nodes (IP) – The Internet is IP based.
⬧ Isolates traffic into broadcast domains.
⬧ Protocols:
▫ IP, ICMP, IPSEC, IGMP, IGRP, IKE, ISAKMP, IPX.
⬧ Threats:
▫ Ping of Death, Ping Floods, Smurf – spoof source and directed
broadcast, IP modifications, DHCP attacks, …
▪
Layer 4: Transport Layer:
⬧ SSL/TLS Layer 4 to 7.
⬧ UDP (User Datagram Protocol):
▫ Connectionless protocol, unreliable, VOIP, Live video, gaming,
“real time’’.
▫ Timing is more important than delivery confirmation.
▫ Sends message, doesn’t care if it arrives or in which order.
4|Page
https://thorteaches.com/
CC Chapter 4
▫
⬧
Lecture notes
Attack: Fraggle attack –
works the same way as
smurf but may be more
successful since it uses
UDP and not ICMP.
TCP (Transmission Control Protocol):
▫ Reliable, Connection orientated, Guaranteed delivery, 3-way
handshake, slower/more overhead, data reassembled.
▫ Attacks: SYN floods – half open TCP sessions, client sends
1,000s of SYN requests, but never the ACK.
▪
•
•
Layer 5 – Session Layer:
⬧ Establishes connection between 2 applications: Setup > Maintenance >
Tear Down.
▪ Layer 6 - Presentation Layer:
⬧ Only layer with no protocols.
⬧ Formatting, compressing, encryption (file level).
▪ Layer 7 - Application Layer:
⬧ Presents data to user (applications/websites).
⬧ HTTP, HTTPS, FTP, SNMP, IMAP, POP, and many more.
⬧ Non-Repudiation, certificates, application proxies, deep packet
inspection, content inspection, AD integration.
The higher you go up the layers, the slower it is. Speed is traded for intelligence.
Threats to Level 5-7: Virus, worms, trojans, buffer overflow, application, or OS
vulnerabilities.
5|Page
https://thorteaches.com/
CC Chapter 4
Lecture notes
 The TCP/IP Model:
•
The TCP/IP Model (Internet Protocol Suite):
▪ A conceptual model that provides end-to-end data communication.
▪ Specifying how data should be packetized, addressed, transmitted,
routed, and received.
▪ It has four layers which are used to sort all related protocols according to
the scope of networking involved.
▪ From lowest to highest:
⬧ The link layer containing communication methods for data that
remains within a single network segment.
⬧ The internet layer connecting independent networks, thus providing
internetworking.
⬧ The transport layer handling host-to-host communication.
⬧ The application layer provides process-to-process data exchange for
applications.
6|Page
https://thorteaches.com/
CC Chapter 4
▪
▪
▪
▪
▪
▪
Lecture notes
The link and physical layer have the networking scope of the local
network connection to which a host is attached.
⬧ Used to move packets between the Internet layer interfaces of two
different hosts on the same network.
⬧ The process of transmitting and receiving packets on a given link can
be controlled both in the software device driver for the network
card, as well as on firmware or specialized chipsets.
⬧ These perform functions such as adding a packet header to prepare
it for transmission, then transmit the frame over a physical medium.
⬧ The TCP/IP model includes specifications of translating the network
addressing methods used in the Internet Protocol to link layer
addresses, such as Media Access Control (MAC) addresses.
⬧ The link and physical layer = OSI layer 1-2.
Internet/Internetwork layer is responsible for sending packets across
potentially multiple networks.
⬧ Requires sending data from the source network to the destination
network (routing).
⬧ Internet/Internetwork layer = OSI layer 3.
⬧ The Internet Protocol performs two basic functions:
▫ Host addressing and identification: This is done with a
hierarchical IP address.
▫ Packet routing: Sending the packets of data (datagrams)
from the source to the destination by forwarding them to
the next network router closer to the final destination.
The transport layer establishes basic data channels that applications use
for task-specific data exchange.
⬧ Its responsibility includes end-to-end message transfer independent
of the underlying network, along with error control, segmentation,
flow control, congestion control, and application addressing (port
numbers).
⬧ Data is sent connection-oriented (TCP) or connectionless (UDP).
⬧ The transport layer = OSI layer 4.
The application layer includes the protocols used by applications for
providing user services or exchanging application data over the network
(HTTP, FTP, SMTP, DHCP, IMAP).
Data coded according to application layer protocols are encapsulated
into transport layer protocol units, which then use lower layer protocols
for data transfer.
The transport layer and the lower-level layers are unconcerned with the
specifics of application layer protocols.
7|Page
https://thorteaches.com/
CC Chapter 4
Lecture notes
▪
•
•
Routers and switches do not typically examine the encapsulated traffic,
rather they just provide a conduit for it. However, some firewall and
bandwidth throttling applications must interpret application data.
▪ The TCP/IP reference model distinguishes between user protocols and
support protocols.
▪ The application layer = OSI layer 5, 6, and 7.
Each layer of the model adds or removes encapsulation (encapsulation / decapsulation).
The higher we go, the slower and smarter the stack is, just like the OSI model.
 IP Addresses, Port Numbers, and MAC Addresses:
•
•
•
A unique identifier on the network card.
Can be spoofed pretty easily, both for good and less good reasons.
EUI/MAC-48 are 48bits (original design).
▪ The first 24 are the manufacturer identifier.
▪ The last 24 are unique and identify the host.
• EUI-64 Mac Addresses use
24bit for manufacturer, but 40
for unique ID.
▪ The first 24 are the
manufacturer identifier.
▪ The last 40 are unique and
identify the host.
• Both are widely used today and used by both IPv4 and IPv6.
▪ For 48bit MAC’s IPv6 modified it into 64bit MAC’s by adding FF:FE to the
device identifier.
8|Page
https://thorteaches.com/
CC Chapter 4
Lecture notes
•
IP Addresses:
▪ First deployed for production in the ARPANet in 1983, ARPANet later
became the internet.
▪ IP was developed in the 1970’s for secure closed networks (DARPA Defense Advanced Research Projects Agency). Security was not built in
but was bolted on later.
▪ IPv4 is a connectionless protocol for use on packet-switched networks.
▪ It operates on a best effort delivery model, it does not guarantee
delivery, it also does not assure proper sequencing or avoidance of
duplicate delivery. We have added protocols on top of IP to ensure those.
▪ IPv4 is the IT route's most Internet traffic today, but we are slowly
moving towards IPv6.
⬧ The move towards IPv6 is mainly dictated by IPv4 Addresses being
depleted years ago.
▪ IPv4 has around 4.2 billion IP addresses and of those ~4 billion are usable
internet addresses.
⬧ There are currently over 35 billion mobile devices on the internet, 75
billion is predicted by 2025.
⬧ All major cellphone carriers in the US use IPv6 for all cell phones.
⬧ IPv4 has 4,294,967,296 addresses where IPv6 has
340,282,366,920,938,463,463,374,607,431,768,211,456.
•
IP Addresses and Ports:
▪ When we send traffic, we use both the Source IP and Port as well as
Destination IP and Port. This ensures we know where we are going, and
when the traffic returns it knows where to return to.
▪ The IP addresses can be seen as the number of an apartment building.
⬧ The Port number is your apartment number.
⬧ If you have 50 browser tabs open, each tab has its own port
number(s).
▪ Well-known Ports:
⬧ 0-1023 - Mostly used for protocols.
9|Page
https://thorteaches.com/
CC Chapter 4
▪
▪
•
•
Lecture notes
Registered Ports:
⬧ 1024 to 49151 - Mostly used for vendor specific applications.
Dynamic, Private or Ephemeral Ports:
⬧ 49152–65535 - Can be used by anyone for anything.
Common Ports:
▪ 20
▪ 21
▪ 22
▪ 23
▪ 25
TCP
TCP
TCP/UDP
TCP
TCP
▪
80
TCP/UDP
▪
▪
110
137
TCP
UDP
▪
▪
▪
138
143
443
TCP/UDP
TCP
TCP
▪
3389
TCP/UDP
FTP data transfer.
FTP control.
Secure Shell (SSH).
Telnet unencrypted text communications.
Simple Mail Transfer Protocol (SMTP) can also
use port 2525.
Hypertext Transfer Protocol (HTTP) can also
use port 8008 and 8080.
Post Office Protocol, version 3 (POP3).
NetBIOS Name Service, used for name
registration and resolution.
NetBIOS Datagram Service.
Internet Message Access Protocol (IMAP).
Hypertext Transfer Protocol over TLS/SSL
(HTTPS).
Microsoft Terminal Server (RDP).
IPv4 (Internet Protocol version 4) addresses:
▪ IPv4 addresses are made up of 4 octets (dotted-decimal notation) and
broken further down in a 32bit integer binary.
▪ We use IP addresses to make
it readable to normal people,
it is easier to read 4 sets of
numbers than a 32 bits string
of 0s and 1s.
▪ Similarly, websites are really
just IP addresses translated
with DNS, which is then
translated into binary.
▪ It is easier to remember
google.com, than it is to
remember 66.102.12.231 or
2607:f8b0:4007:80b::200e.
▪ Public IP Addresses (Internet routable addresses):
⬧ Used to communicate over the internet between hosts.
▪ Private Addresses (RFC 1918 – Not routable on the internet):
10 | P a g e
https://thorteaches.com/
CC Chapter 4
Lecture notes
Other notable IP spaces:
⬧ 10.0.0.0 10.255.255.255 16777216 127.0.0.0/8 Loopback IPs
⬧ 172.16.0.0 172.31.255.255 1048576 169.254.0.0/16 Link-Local
⬧ 192.168.0.0 192.168.255.255 65536 255.255.255.255 Broadcast
•
IPv6:
▪
▪
▪
▪
▪
▪
▪
IPv6 is 128bit in hexadecimal numbers (uses 0-9 and a-f).
8 groups of 4 hexadecimals, making addresses look like this:
⬧ fd01:fe91:aa32:342d:74bb:234c:ce19:123b
The IPv6 address space is huge compared to IPv4.
340,282,366,920,938,463,463,374,607,431,768,211,456 addresses.
⬧ 34 with 37 0s
total or 79 with
27 0s as many
addresses as
IPv4.
⬧ Every square
foot on the
planet can have
65000 IP
addresses.
IPSec is built in, not bolted on like with IPv4.
Mostly switched behind the scenes today, many organizations do not have
Dual Stack equipment in place.
Used by major US ISPs for cell phones (and to some extend the connection
to your modem).
To make the address more manageable 1 set of 0s can be shortened with ::
above you see the last 16 0s being shortened to 2001:0DB8:AC10:FE01::
11 | P a g e
https://thorteaches.com/
CC Chapter 4
Lecture notes
 IP Support Protocols:
•
ARP (Address Resolution Protocol):
▪ Translates IP Addresses into MAC Addresses.
⬧ OSI Data/Network Layer or Network/Internet Layer.
▪ ARP is a simple and trusting protocol,
anyone can respond to an ARP
request.
▪ ARP (cache) Poisoning: An attacker
sends fake responses to ARP requests,
often done repeatedly for critical ARP
entries (Default Gateway).
⬧ A countermeasure can be
hardcoding ARP entries.
▪ RARP (Reverse ARP) is used by
diskless workstations to get IPs.
•
ICMP (Internet Control Message Protocol):
▪ Used to help IP, for Ping
(Echo request/reply) and TTL
Exceeds in Traceroute.
▪ Often used for
troubleshooting.
▪ An ICMP Echo Request is
sent to the IP, which then
sends an ICMP reply back (or
not).
▪ Originally used (and still) to
see if a host is up or down.
▪ Today if we get an Echo reply
we know the host is up, but
no reply does not mean it is
down.
▪ Firewalls and routers can block ICMP replies.
12 | P a g e
https://thorteaches.com/
CC Chapter 4
Lecture notes
•
Traceroute:
▪ Uses ICMP to trace a network
route.
▪ Traceroute uses the TTL value
in somewhat reverse.
▪ We send a message with TTL
1.
⬧ The first router
decrements the TTL to
0 and sends an ICMP
Time Exceed message
back, First Hop is now
identified.
▪ We send message 2 with TTL 2, 2nd router does the same, it is identified.
▪ We do that over and over till the destination is reached (maximum 30
hops).
•
HTTP and HTTPS - Transport HTML data.
▪ HTTP (Hypertext Transfer Protocol):
⬧ Uses TCP port 80 (8008 and 8080), unencrypted website data sent
across the internet.
HTTPS (HTTP Secure):
▪ Uses TCP Port 443 (8443), encrypted data sent over the internet.
HTML (Hypertext Markup Language):
▪ The actual language webpages are written in.
▪ Not to be
confused with
HTTP/HTTPS.
•
•
13 | P a g e
https://thorteaches.com/
CC Chapter 4
•
Lecture notes
DHCP (Dynamic Host Configuration
Protocol):
▪ The common protocol we use
to assign IPs. Controlled by a
DHCP Server for your
environment.
▪ You most likely already use it
on your home network, this is
how when you connect a
cable or connect wireless,
you are online right away.
Both BOOTP and DHCP use UDP Port 67
for the BOOTP/DHCP Server and UDP
Port 68 for the Client.
•
 Cables:
•
Networking Cables:
▪ When it comes to networking cables, most people think RJ45 Copper
Ethernet cables, many more types are used though.
▪ Networking cables all come with pros
and cons, some are cheap, some more
secure, some faster, ...
▪ They can also pose different security
vulnerabilities depending on the cable
type and the environment.
▪ EMI (Electromagnetic Interference):
⬧ Magnetism that can disrupt data
availability and integrity.
▪ Crosstalk is the signal crossing from one
cable to another, this can be a confidentiality issue.
▪ Attenuation is the signal getting weaker the farther it travels.
⬧ Copper lines have attenuation, with DSL the farther you are
from the DSLAM (Digital Subscriber Line Access Multiplexer) the
lower speed you get.
14 | P a g e
https://thorteaches.com/
CC Chapter 4
Lecture notes
•
Twisted Pair Cables:
▪ UTP (Unshielded Twisted Pair):
▪ Pairs of twisted pairs of cable.
⬧ Twisting them makes them less
susceptible of EMI.
⬧ 1 cable sends and 1 receives data.
⬧ The tighter the cables are twisted, the
less susceptible to EMI. For example,
CAT3 pairs (less tight) are more
susceptible to EMI than CAT6 (more
tight).
▪ STP (Shielded Twisted Pair):
⬧ Has extra metal mesh shielding
around each pair of cables, making
them less susceptible to EMI, but also
making the cables thicker, stiffer, and
more expensive.
•
Fiber Optic Cables Use light to carry data (vs. electricity for copper cables):
▪ Pros: Speed 1 Petabit per second, 35miles/50 km over a single fiber.
⬧ Distance, it has no attenuation like
copper, a single uninterrupted cable can
be 150 miles+ (240km+) long.
⬧ Not susceptible to EMI.
⬧ More secure than copper since it can't be
sniffed as easily as copper.
▪ Cons: Price, more difficult to use, you can
break the glass in the cable if you are not
careful.
▪ Single-Mode fiber - A Single strand of fiber
carries a single mode of light (down the
center), used for long distance cables (Often
used in IP-Backbones).
▪ Multi-Mode fiber - Uses multiple modes (light
colors) to carry multiple data streams
simultaneously, this is done with WDM
(Wavelength Division Multiplexing).
15 | P a g e
https://thorteaches.com/
CC Chapter 4
•
•
Lecture notes
All cable measurements are in metric system (m/km).
Only 3 countries in the world do not use metric system (Burma (Myanmar), Liberia,
and the United States).
▪ 1Kbps - Kilobits per second
⬧ 1,000 bps (103)
▪ 1Mbps - Megabit per second
⬧ 1,000,000 bps (106)
▪ 1Gbps - Gigabit per second
⬧ 1,000,000,000 bps (109)
▪ 1Tbps - Terabit per second
⬧ 1,000,000,000,000 bps (1012)
▪ 1Pbps - Petabit per second
⬧ 1,000,000,000,000,000 bps (1015)
16 | P a g e
https://thorteaches.com/
CC Chapter 4
Lecture notes
 LAN Topologies:
•
•
•
•
•
Network topology describes the layout and topologies of interconnections between
devices and network segments.
Ethernet and Wi-Fi are the two most common transmission technologies in use for
local area networks.
At the data link layer and physical layer, a wide variety of LAN topologies have been
used, including ring, bus, mesh, and star.
At the higher layers, NetBEUI, IPX/SPX, and AppleTalk used to be common, but
TCP/IP is now the de facto standard.
Bus:
▪
•
All nodes are connected in a line, each
node inspects traffic and passes it along.
▪ Not very stable, a single break in the
cable will break the signal to all nodes
past that point, including
communication between nodes way
past the break.
▪ Faulty NICs (Network Interface Card) can
also break the chain.
Tree (Hierarchical):
▪ The base of the Tree topology controls
the traffic, this was often the
mainframe.
•
Ring:
•
Star:
▪
All nodes are connected in a ring.
▪
All nodes are connected to a
central device.
This is what we normally use for
Ethernet, our nodes are
connected to a switch.
Provides better fault tolerance, a
break in a cable or a faulty NIC
will only effect that one node.
If we use a switch, no token
passing, or collision detection is
needed since each node is on its
own segment.
If we use hubs, collisions will still
occur; but I hope none are
around anymore, not just how
slow they are, but more how
unsecure they are now.
▪
▪
▪
▪
17 | P a g e
https://thorteaches.com/
CC Chapter 4
•
Lecture notes
Mesh:
▪
▪
▪
Nodes are connected to
each other in either a partial
mesh or a full mesh.
Partial Mesh:
⬧ Nodes are directly
connected to some
other nodes.
Full Mesh:
⬧ All nodes are directly
connected to all other
nodes.
⬧ More redundant but
requires a lot more
cables and NICs.
⬧ Often used in HA (High
Availability)
environments, with
cluster servers for
keepalives.
 Wi-Fi:






A wireless computer network that links two or more devices
using a wireless distribution method within a
limited area (a home, a school, a coffee shop, or
an office building).
Gives users the ability to move around within a
locally covered area and be connected to the
network.
Often multiple APs (Access Points) are set up
throughout an office building to give seamless
roaming coverage for the employees.
WLAN normally also provides an Internet
connection, but not always.
Most modern WLANs are based on IEEE 802.11
standards and are marketed under the Wi-Fi brand
name.
Wi-Fi makes us more mobile and our connection more
seamless, but it is easier to compromise than cabled
internet connection.
18 | P a g e
https://thorteaches.com/
CC Chapter 4

Lecture notes
Wi-Fi Attacks:
▪ Rogue Access Points:

An unauthorized access point
that has been added to our
network without our
knowledge.

This can be malicious by an
attacker or just an employee
wanting Wi-Fi somewhere
with bad coverage.

Without our security posture,
they are a very big concern.

Can be somewhat mitigated
with Port security on the
Switches and by scanning for
Rogue access points.

Can compromise confidentiality and
integrity.
▪
Jamming/Interference:

This can be a lot of traffic on the Wi-Fi frequencies or done by attackers
to disrupt our network (DOS).

If interference is an issue, we can
change to other channels if any
less crowded channels are
available or to different
frequencies if our equipment
supports it.

The 2.4 GHz band is used by
Bluetooth, microwaves,
cordless phones, baby
monitors, Wi-Fi,…

Can compromise
integrity and
availability.
19 | P a g e
https://thorteaches.com/
CC Chapter 4
▪

Lecture notes
Evil Twin:

An evil twin is used when
attackers are trying to create
rogue access points so as to gain
access to the network or access
to information that is being put
through a network.

Can be done on your network
or not, the attacker simply
names their access point the
same as ours but with no
security and user
devices automatically
connect to them.

Can compromise
confidentiality and
integrity.
Wireless Networks:

Bluetooth:
▪ A wireless technology standard for exchanging data over short distances using
2.4 GHz from fixed and mobile devices and building personal area networks
(PANs).
▪ Bluetooth has three classes of devices; while designed for short-distance
networking, Class 1 can reach up to 100 meters.
▪ Class 1: 100 meters, 2: 10 meters, 3: under 10 meters.
▪ Bluetooth implements confidentiality, authentication, and key derivation with
custom algorithms based on the SAFER+ block cipher.
▪ The E0 stream cipher is used for encrypting packets, granting confidentiality,
and is based on a shared cryptographic secret, namely a previously generated
link key or master key.
▪ Cryptanalysis of E0 has proven it to be weak, attacks show the true strength to
be 38 bits or even less.
▪ Bluetooth key generation is generally based on a Bluetooth PIN which must be
entered on one or both devices.
▪ Bluetooth security is to some extent security through obscurity, it assumes the
48-bit MAC address of the Bluetooth adapter is not known.
▪ Even when disabled, Bluetooth devices may be discovered by guessing the MAC
address.
▪ The first 24 bits are the OUI, which can be easily guessed, the last 24 bits can be
discovered with brute-force attacks.
20 | P a g e
https://thorteaches.com/
CC Chapter 4

▪
Attacks:

Bluejacking: Sending unsolicited messages over Bluetooth, most often
harmless but annoying.

Bluesnarfing: Unauthorized access of information from a Bluetooth
device: phones, desktops, laptops,...

Bluebugging: The attacker gains total access and control of your device;
it can happen when your device is left in the discoverable state.

Only possible on older phones with outdated OSs, newer smartphones
constantly update their OS.
▪
Countermeasures:

Enable Bluetooth only when you needed it.

Enable Bluetooth discovery only when necessary and disable discovery
when your devices are paired.

Do not enter link keys or PINs when unexpectedly prompted to do so.

Remove paired devices when you do not use them.

Regularly update firmware on all Bluetooth enabled devices.
Li-Fi:
▪
▪
▪
▪
▪
▪
▪

Uses light to transmit data and position between devices.
Can send high-speed data using visible light, ultraviolet, and infrared spectrums.
Can be used in areas prone to EMI (Electromagnetic interference), such as
aircraft cabins, hospitals, and nuclear power plants.
Speeds (currently) up to 100 Gbit.
Light can reflect off walls and still reach 70 Mbit without requiring a direct line
of sight.
Pros: Not the same capacity as Wi-Fi (radio frequency exhaustion) and can be
used in places where Wi-Fi is prohibited.
Cons: Short-range, not always reliable, and high cost of implementation.
Zigbee:
▪
▪
▪

Lecture notes
Mesh wireless network with low power, low data rate, and close proximity.
Simple and less complex compared to other WPANs (Wireless Personal Area
Networks) such as Bluetooth or Wi-Fi.
It has a range of 10 to 100 meters, but it requires line-of-sight. Data rates vary
between 20 kbit/s (868 MHz band) and 250 kbit/s (2.4 GHz band).
Satellite:
▪ For many years, satellite internet was a relatively slow and expensive option.
▪ You have a modem, as with any other internet connection, as well as a satellite
dish (2-3 ft. or 60-90 cm).
▪ Typical satellite connections have had a latency of 500 ms and speeds ranging
from 10 to 50 Mbps.
▪ Starlink is currently testing speeds ranging from 20-200 Mbps down to 15-50
Mbps up, with latencies ranging from 15-40 ms.
21 | P a g e
https://thorteaches.com/
CC Chapter 4







Lecture notes
Cellular networks/mobile networks are communication
networks where the last leg is wireless.
The network is divided into cells and distributed across
areas, with each cell containing at least one fixedlocation transceiver, if not more.
These base stations provide network coverage to the
cell, allowing it to transmit voice, data, and other types
of content.
To avoid interference and provide guaranteed service
quality within each cell, a cell typically uses a different
set of frequencies than neighboring cells.
3G:
▪
Bandwidth: 2 Mbps, latency: 100-500 ms,
average speed 144 kbps.
▪
Bandwidth: 200 Mbps, latency: 20-30 ms,
average speed 25 Mbps, 16km (10 miles).
▪
Bandwidth: 5-20 Gbps, latency: <10 ms, average
speed 200-400 Mbps, 500m (1500 ft).
High frequency, short-range, and can be blocked by anything metal and even
just solid objects.
A lot more 5G towers are needed to get coverage.
4G:
5G:
▪
▪
22 | P a g e
https://thorteaches.com/
CC Chapter 4

Lecture notes
VLANs and Routers:


Layer 2 Protocols:
VLAN (Virtual LAN) is a broadcast domain that is
partitioned and isolated at layer 2.
▪ Specific ports on a switch are assigned to
a certain VLAN.
▪ The Payroll VLAN is in 2 different
buildings and spans multiple switches.
▪ VLANs use tags within network packets
and tag handling in networking systems,
replicating the appearance and
functionality of network traffic that is
physically on a single network but acts as
if it is split between separate networks.
▪ It allows networks and devices that must
be kept separate to share the same
physical devices without interacting, for
simplicity, security, traffic management,
and/or cost reduction.
▪ VLAN Trunks - Ports connecting two
switches to span VLANs across them.
▪ VLANs share bandwidth, a VLAN trunk
can use link aggregation, quality-ofservice prioritization, or both to route
data efficiently.

Virtual eXtensible Local Area Network (VXLAN):
▪ Made and widely used
for cloud computing
with organizations that
have mass tenants.
(Think AWS, Google or
similar).
▪ Solves the issue with
only having 4094
maximum VLANs.
23 | P a g e
https://thorteaches.com/
CC Chapter 4


Lecture notes
Layer 3 Devices:
▪ Routers:

Normally have a few ports vs. a lot on switches.

For our organizations, they are in the data centers.

In your home, they are often combined with a switch and wireless in
one box.

Forward traffic based on source and destination IPs and ports.

Connecting our LANs to the WAN.

Send traffic to the most specific route in their routing table.

Static route is a preconfigured route, always sends traffic there for a
certain subnet.

Default gateway sends all non-local traffic to an ISP for instance.

Dynamic route is learned from another routing via a routing protocol
(OSPF, EIGRP, BGP, IS-IS).

Metric is used to determine the best route to a destination.
VPNs, NAC, and Third-party Connectivity:

Authentication Protocols:
▪ VPN (Virtual Private Network):

Extends a private network
across a public network and
users can send and receive data
across shared or public
networks as if they were on the
private network.

VPNs may allow employees and
satellite offices to securely
access the organization's
intranet.

They are used to securely
connect.

Can also be used to get around
geo-restrictions and censorship
or to connect to proxy servers
for the purpose of protecting personal identity and location.

Created by establishing a virtual point-to-point connection using
dedicated connections, virtual tunneling protocols or traffic encryption.

Third-party Connectivity:
▪ Medium size enterprises typically have 20 or more third-party providers. I
believe the hospital where I worked in Hawaii had more than 200 third-party
providers.
▪ How do we ensure they are secure enough and conform to our policies and
procedures?
▪ Many never have direct contact with IT or IT-Security.
24 | P a g e
https://thorteaches.com/
CC Chapter 4
▪
▪


Lecture notes
We must conduct a thorough risk assessment to ensure that whatever they
provide does not jeopardize our security posture, or we must accept the risk.
We should have MOUs/MOAs and ISAs (Interconnection Security Agreement).
Network Access Control (NAC):
▪ Automatic detection and response to ensure our systems are in adherence with
our security policies.
▪ Can helps us with the prevention or reduction of 0-day and known attacks.
▪ Along with ensuring that security policies are adhered to at all times.
SDN, SD-WAN, and SDX:


SDN (Software-Defined Networking):
▪ Allows network administrators via software
to initialize, control, change, and manage
network behavior dynamically.
▪ Addresses the static architecture of
traditional networks that doesn't support
the dynamic, scalable computing and
storage needs of more modern
computing environments such as data
centers.
▪ This is done by separating the router’s
control plane from the data plane, the control
plane makes routing decisions, the data plane
forwards data through the router.
▪ Giving us the option to be hardware vendor agnostic.
Software-Defined Wide Area Network (SD-WAN)
▪ 85%+ of surveyed companies have deployed or plan to deploy within 2 years
(Cisco/FortiNet).
▪ Why we are seeing a move
towards SD-WAN:

Higher cheaper bandwidth,
LAN
flexibility and scalability of
bandwidth allocation, and
traffic engineering.

Ability to utilize many different
connection types (DSL, cable, fiber,
satellite, 4G/5G, ...).
SD-WAN

Near real-time failover between
connection types.
Fiber

Centralized easier
DSL
management, better
MPLS
insights, reporting, and
5G
statistics.
Satellite
L
25 | P a g e
https://thorteaches.com/
LAN
CC Chapter 4
Lecture notes


Better performance with intelligent routing, it can choose the optimal
network circuit for a given application or type of traffic.

Rapid deployment with pre-configured appliances or virtual appliances.

Secure connectivity - IPSec and next-generation firewall.
SDx (Software-Defined Everything):
▪ Any function that can be performed by or automated by software. This includes
networking, storage, data center, compute, security, WAN, really anything.
 Attacks and Attackers:

Hackers:
▪ Now: Anyone trying to get access to or disrupt any leg of the CIA Triad
(Confidentiality, Integrity, Availability).
▪ Original use: Someone using something in a way not intended.
▪ White Hat hackers: Professional pen testers trying to find flaws so we can fix it
(Ethical hackers).
▪ Black Hat hackers: Malicious hackers, trying to find flaws to exploit them
(Crackers – they crack the code).
▪ Gray/Grey Hat hackers: They are somewhere between the white and black
hats, they go looking for vulnerable code, systems or products.
▪ Script Kiddies: They have little or no coding knowledge, but many sophisticated
hacking tools are available and easy to use.
26 | P a g e
https://thorteaches.com/
CC Chapter 4
Lecture notes
▪
Outsiders:

Unauthorized individuals - Trying to gain access; they launch the
majority of attacks but are often mitigated if the organization has good
Defense in Depth.

Interception, malicious code (e.g. virus, logic bomb, trojan horse), sale
of personal information, system bugs, system intrusion, system
sabotage or unauthorized system access.

48-62% of risks are from outsiders.
▪
Insiders:

Authorized individuals - Not necessarily to the compromised system,
who intentionally or unintentionally compromise the system or data.

This could be assault on an employee, blackmail, browsing of
proprietary information, computer abuse, fraud and theft, information
bribery, input of falsified or corrupted data.

38-52% of risks are from insiders, another reason good Authentication
and Authorization controls are needed.
▪
Hacktivism/Hacktivist (hacker activist):
Hacking for political or socially motivated
purposes.

Often aimed at ensuring free
speech, human rights, freedom of
information movement.
▪
Governments:

State sponsored hacking is common;
often you see the attacks happening
between the hours of 9 and 5 in that
time zone; this is a day job.

Approximately 120 countries have
been developing ways to use the
internet as a weapon to target
financial markets, government
computer systems and utilities.

Famous attacks: US elections
(Russia), Sony websites (N. Korea),
Stuxnet (US/Israel), US Office of
Personnel Management (China), …
27 | P a g e
https://thorteaches.com/
CC Chapter 4

▪
Bots and botnets (short for robot):

Bots are a system with malware
controlled by a botnet.

The system is compromised by an attack
or the user installing a remote access
trojan (game or application with a hidden
payload).

They often use IRC, HTTP, or HTTPS.

Some are dormant until activated.

Others are actively sending data from the
system (Credit card/bank information for
instance).

Active bots can also be used to send spam
emails.
▪
Botnets is a C&C (Command and Control)
network, controlled by people (bot-herders).

There can often 1,000s or even 100,000s
of bots in a botnet.
Lecture notes
Malware:
▪ Malware (Malicious Code) - This is the catch-all name for any malicious
software used to compromise systems or data.

Viruses - require some sort of human interaction and are often
transmitted by USB sticks or other portable devices.

When the program is executed, it replicates itself by inserting its own
code into other programs.
 Macro (document) Viruses: Written in Macro Languages,
embedded in other documents (Word, Outlook).
 Boot Sector Viruses: Infect the boot sector or the Master Boot
Record, ensuring they run every time the PC boots.
 Stealth Viruses: Try to hide themselves from the OS and
antivirus software.
 Polymorphic Viruses: Change their signature to avoid the
antivirus signature definitions.
 Multipart (Multipartite) Viruses: Spread across multiple
vectors. They are often hard to get rid of because even if you
clean the file infections, the virus may still be in the boot sector
and vice-versa.
▪
▪
Worms - spread through self-propagation - they need no human interaction;
they do both the payload damage and replicate through aggressive network use
(also makes them easier to spot).
Trojans - malicious code embedded in a program that is normal. This can be
games, attachments, website clicks, etc.
28 | P a g e
https://thorteaches.com/
CC Chapter 4

▪

Lecture notes
RAT (Remote Access Trojan): A malware program that gives the attacker
admin control over the target system.
Antivirus Software - tries to protect us against malware.

Signature based - looks for known malware signatures - MUST be
updated constantly.

Heuristic (Behavioral) based - looks for abnormal behavior - can result in
a lot of false positives.
Intrusion Detection and Prevention Systems (IDS/IPS):

IDS’s and IPS’s:
▪ We use both IDS’s (Intrusion Detection Systems) and IPS’s (Intrusion Prevention
Systems) on our network to capture and alert or block traffic seen as malicious.
▪ They can be categorized into 2 types and with 2 different approaches toward
identifying malicious traffic.

Network-Based, placed on a network segment (a switch port in
promiscuous mode).

Host-Based, on a client, normally a server or workstation.

Signature (Pattern) Matching, similar to anti-virus, it matches traffic
against a long list of known malicious traffic patterns.

Heuristic-Based (Behavioral), uses a normal traffic pattern baseline to
monitor for abnormal traffic.
▪ Just like firewalls, routers, servers, switches, and everything else in our
environment they just see part of the larger picture, for full picture views and
data correlation we use a SIEM (Security Information and Event Management)
system or even better a SOAR (Security Orchestration, Automation, and
Response) system.

IDS (Intrusion Detection System):
▪ They are passive, they monitor, but they take no action other than sending out
alerts.
▪ Events trigger alerts: Emails/text message to administrators or an alert on a
monitoring tool, but if not monitored right this can take hours before noticed.
IPS (Intrusion Prevention System):
▪ Similar to IDS, but they also take action to malicious traffic, what they do with
the traffic is determined by configuration.
▪ Events trigger an action, drop/redirect traffic, often combined with the trigger
monitoring/administrator warnings, emails, or text messages.
IDS/IPS:
▪ Part of our layered defense.
▪ Basically, they are packet sniffers with analysis engines.
Network-Based, placed on a network segment (a switch port in promiscuous mode).
▪ Looks at a segment of our network, normally a switch, but can aggregate
multiple switches.



29 | P a g e
https://thorteaches.com/
CC Chapter 4
Lecture notes
▪





Inspects Host/destination ports, IP's, protocols, content of traffic, but can
obviously not look in encrypted traffic.
▪ Can protect against DDOS, Port scans, brute force attacks, policy violations, …
▪ Deployed on one switch, port and NIC must be promiscuous, and port must be a
span port.
Host-Based, on a client, normally a server or workstation.
▪ We only look at a single system.
▪ Who is using the system, the resource usage, traffic, ...
▪ It can be application specific; it doesn’t have to be the entire system we
monitor.
▪ If we do choose to do traffic analysis it will impact the host by slowing it down.
▪ Certain attacks can turn off HIDS/HIPS.
▪ Can look at the actual data (it is decrypted at the end device), NIDS/NIPS can't
look at encrypted packets.
Signature-Based:
▪ Looks for known malware signatures.
▪ Faster since they just check traffic against malicious signatures.
▪ Easier to set up and manage, someone else does the signatures for us.
▪ They are completely vulnerable to 0-day attacks and have to be updated
constantly to keep up with new vulnerability patterns.
Heuristic-Based (Behavioral):
▪ Looks for abnormal behavior - can produce a lot of false positives.
▪ We build a baseline of what normal network traffic looks like and all traffic is
matched to that baseline.
▪ Traffic not matching the baseline is handled depending on settings, they can
take a lot of tweaking.
▪ Can detect 'out of the ordinary' activity, not just attacks.
▪ Takes much more work and skills.
Hybrid-Based:
▪ Systems combining both are more used now and check for both signatures and
abnormalities.
Intrusion Events and Masking:
▪ IDS/IPS obviously then prompt attackers to develop attacks that try to avoid
detection.

Fragmentation: Sending fragmented packets, the attack can avoid the
detection system's ability to detect the attack signature.

Avoiding Defaults: The TCP port utilized by a protocol does not always
provide an indication to the protocol which is being transported.
Attackers can send malware over an unexpected port.

Low-Bandwidth Coordinated Attacks: A number of attackers (or agents)
allocate different ports or hosts to different attackers making it difficult
for the IDS to correlate the captured packets and deduce that a network
scan is in progress.
30 | P a g e
https://thorteaches.com/
CC Chapter 4
▪
▪

Lecture notes
Alerts on IDS’s/IPS’s can, like biometrics, be one of 4 categories:

True Positive: An attack is
happening, and the system
detects it and acts.

True Negative: Normal traffic
on the network and the system
detects it and does nothing.

False Positive: Normal traffic
and the system detects it and
acts.

False Negative: An attack is
happening the system does not
detect it and does nothing.
We rarely talk about the “true” states since things are happening like they are
supposed to, we are interested in when it doesn’t, and we prevent authorized
traffic or allow malicious traffic.
SIEM and SOAR systems:


SIEM (Security information and event management):
▪ Provides a holistic view of our organization’s events and incidents.
▪ Gathers from all our systems and looks at everything.
SOAR (Security Orchestration, Automation, and Response):
▪ A software solution that uses AI to allows us to respond to some security
incidents automatically.
▪ SOAR will also react to some events.
31 | P a g e
https://thorteaches.com/
CC Chapter 4

Honeypots and Honeynets:

Honeypots and Honeynets:
▪ Honeypots:
▪ System looking like a real system, but with the
sole purpose of attracting attackers.
▪ They are used to learn about our vulnerabilities
and how attackers would circumvent our security
measures.
▪

Lecture notes
Honeynets:

A network (real or simulated) of honeypots, can
be a full server farm simulated with applications,
OSs, and fake data.

Best practice segments the honeynet from our
actual network by a DMZ/firewall.

The SIEM/SOAR systems collect the data from our
internal systems as well as the honeynet.
Firewalls:

Firewalls: A firewall typically establishes a barrier between a trusted, secure internal
network, and another outside network, like the Internet.
▪ Packet filtering firewalls, OSI Layer 1-3.

Packet filters act by inspecting the "packets" which are transferred
between clients.

If a packet does not match the packet
filter's set of filtering rules, the packet
filter will drop the packet or reject it and
send error responses to the source.

Any packet that matches one of the
Permits is allowed to pass.

Rules are checked in order; the
attacker's traffic is dropped on the 3rd
filter rule. Drop anything trying to
access 100.1.1.100.

The internal machines can access the
server since their IPs are whitelisted in
the first rule.
32 | P a g e
https://thorteaches.com/
CC Chapter 4
Lecture notes
▪
Stateful filtering firewalls, OSI Layer 1-4.

Records all connections
passing through and
determines whether a
packet is the start of a new
connection, a part of an
existing connection or not
part of any connection.

Static rules are still used,
these rules can now
contain connection state
as one of their criteria.

Some DOS attacks
bombard the firewall with
thousands of fake
connection packets trying
to overwhelm the firewall
by filling its connection
state memory.
▪
A proxy server can act as a firewall by responding to input packets in the
manner of an application while blocking other packets.

A proxy server is a gateway from one network to another for a specific
network application in the sense that it
functions as a proxy on behalf of the
network user.
Application layer firewalls, OSI Layer 7.

The key benefit of application layer
firewalls is that they can understand
certain applications and protocols.

They see the entire packet, the packet
isn't decrypted until layer 6, any other firewall can
only inspect the packet but not the payload.

They can detect if an unwanted application or service is attempting to
bypass the firewall using a protocol on an allowed port or detect if a
protocol is being used any malicious way.
Network firewalls filter traffic between two or more networks, either software
appliances running on general purpose hardware or hardware-based firewall.
Host-based firewalls provide a layer of software security on one host that
controls network traffic in and out of that single machine.
▪
▪
▪
33 | P a g e
https://thorteaches.com/
CC Chapter 4
▪

Lecture notes
Next-generation firewall (NGFW)

NGFW combines traditional firewall technologies with deep packet
inspection (DPI) and network security systems (IDS/IPS, malware
filtering and antivirus).

Packet inspection in traditional firewalls only looks at the protocol
header of the packet DPI also looks at the actual data the packet is
carrying.

Next-generation firewalls tries to include more layers of the OSI model,
improving filtering of network traffic that is dependent on the packet
contents.

DPI firewalls track the progress of web browsing sessions and can tell if
a packet payload, when assembled with other packets in an HTTP server
reply, is actually a legitimate HTML-formatted response.
Firewalls Design:
▪ DMZs:

Normal DMZs use 2 firewalls in a screened
subnet, but they can also be three-legged
DMZs which only use 1 firewall.

Physical or logical subnetwork that contains
and exposes an organization's externalfacing services to an untrusted network, like
the Internet.

It adds an additional layer of security to our
organization's LAN, an external network
node can access only what is exposed in the
DMZ, while the rest of the organization's
network is firewalled.

Firewalls are designed to fail closed, if they
crash, get flooded with traffic or are shut
down, they block all traffic.

To get some redundancy we often use
firewall pairs and have the firewall in a mesh
topology, this way one firewall failure will
just shift the traffic paths.
34 | P a g e
https://thorteaches.com/
CC Chapter 4
Lecture notes
 0-day Attacks and Exploits:

0-day Vulnerabilities:
▪ Vulnerabilities not generally known or discovered, the first time an attack is
seen is considered day 0, hence the name.
▪ From when a vulnerability is discovered it is now only a short timespan before
patches or signatures are released on major software.
▪ With millions of lines of code in a lot of software and the 1% errors we talked
about there will always be new attack surfaces and vulnerabilities to discover.
The only real defense against the 0-day exploits is defense in depth and when
discovered immediate patching as soon as it is available, and we have tested it
in our test environments. Most signatures in IDS/IPS and anti-virus auto update
as soon as new signatures are available.
▪ 0-day Vulnerability: The vulnerability that has not been widely discovered and
published.
▪ 0-day Exploit: Code that uses the 0-day vulnerability.
▪ 0-day Attack: The actual attack using the code.
▪
Stuxnet has three modules:

A worm that executes all routines related to the main payload of the
attack.

A link file that automatically executes the propagated copies of the
worm.

A rootkit responsible for hiding all malicious files and processes,
preventing detection of Stuxnet.

It is introduced to the target environment by an infected USB flash
drive.

The worm then propagates across the network, scanning for Siemens
Step7 software on computers controlling a PLC, If both are not present,
Stuxnet becomes dormant inside the computer, it will still replicate the
worm.

If both are present, Stuxnet introduces the infected rootkit onto the PLC
and Step7 software, modifying the codes and giving unexpected
commands to the PLC while returning a loop of normal operations
system values feedback to the users.
35 | P a g e
https://thorteaches.com/
CC Chapter 4

Lecture notes
Vulnerability Scanning/Testing:

Vulnerability Scanning/Testing:
▪ A vulnerability scanning tool is used to scan a network or system for a list of
predefined vulnerabilities such as system misconfiguration, outdated software,
or a lack of patching.
▪ It is very important to understand the output from a vulnerability scan, they can
be 100's of pages for some systems, and how do the vulnerabilities map to
Threats and Risks (Risk = Threat x Vulnerability).
▪ When we understand the true Risk, we can then plan our mitigation.
 Virtualization, Cloud, and Distributed Computing:

Virtualization:
▪ Virtualization poses a whole new set of standards, best practices, and security
concerns.
▪ With Virtualization we have many servers (clients) on the same hardware
platform (host).
▪ Virtualization is software running under the OS and above the Hardware (Ring 1).
▪ Traffic between the clients on the host doesn't have to traverse our network.
▪ Common Virtualization software could be VMWare, Hyper-V, or Xen.
▪ With Distributed Computing we use either multiple local or remote clients for
our needs, most commonly cloud computing. How do we ensure the cloud Data
Center meets our security posture, how do they segment their network?
36 | P a g e
https://thorteaches.com/
CC Chapter 4
Lecture notes
▪
Virtualization holds a ton of benefits:

Virtualized environments cost a lot less than all physical servers.

It is much easier to stand up new servers (don't need to buy hardware,
wait 2 weeks, rack it, run power/internet).

You can easily back up servers with snapshots; server builds can be
done with images.

You can instantly reallocate resources.

They have lower power and cooling costs, a much smaller rack footprint
(50-100 servers in the space of 5-8).
▪
Hypervisor - Controls the access between the virtual guest/clients and the host
hardware.

Type 1 hypervisor (Bare Metal) is a part of a Virtualization OS that runs
on top of the host hardware (Think Data Center).

Type 2 hypervisor runs on top of a regular OS like Windows 10 - (Think
your PC).
▪
Virtualization also poses new
vulnerabilities because the
technology is new-ish and very complex.
Clients on the same host should be on the same network segment
(Internal/DMZ). A host should never house both zones.
Clients should be logically separated on the network like physical servers would
be (HR, Accounting, IT VLANs).
VM Escape (Virtualization escape) is when an attacker can jump from the host
or a client to another client, this can be even more of a concern if you have
different Trust Level Clients on the same host. They should ideally be on
separate hosts.
Hypervisor Security - If an attacker can get access to the hypervisor, they may
be able to gain access to the clients.
▪
▪
▪
▪
37 | P a g e
https://thorteaches.com/
CC Chapter 4
▪
Lecture notes
Resource Exhaustion - Admins oversubscribe the CPU/Memory and do not
realize more is needed (availability).

Cloud Computing:
▪ Cloud Computing - (There is no 'Cloud', it is just another computer somewhere
else).

When we use cloud computing we build or outsources some part of our
IT Infrastructure, storage, applications.

This can be done for many good reasons, but most are cost related.

Cloud Computing can be divided into 4 main types:
 Private Cloud Computing - Organizations build and run their
own cloud infrastructure (or they pay someone to do it for
them).
 Public Cloud Computing - Shared tenancy – A company builds
massive infrastructures and rents it out to anyone who wants it.
(Amazon AWS, Microsoft, Google, IBM).
 Hybrid Cloud Computing – A mix of Private and Public Cloud
Computing. An organization can choose to use Private Cloud for
sensitive information and Public Cloud for non-sensitive data.
 Community Cloud Computing – Only for use by a specific
community of consumers from organizations that have shared
concerns. (Mission, policy, security requirements, and/or
compliance considerations.)
▪ As with any other outsourcing, make sure you have the right to audit, pen test
(clearly agreed upon criteria), conduct vulnerability assessment, and check that
the vendor is compliant with your industry and the standards you adhere to.

Cloud Computing Public Cloud Computing:
▪ Platforms are normally offered as:

IaaS - (Infrastructure as a Service) The vendor provides infrastructure up
to the OS; the customer adds the OS and up.

PaaS - (Platform as a Service) The vendor provides pre-configured OSs,
then the customer adds all programs and applications.

SaaS - (Software as a Service) The vendor provides the OS and
applications/programs. Either the customer interacts with the software
manually by entering data on the SaaS page, or data is automatically
pushed from your other applications to the SaaS application (Gmail,
Office 365, Dropbox, Payroll,…).
38 | P a g e
https://thorteaches.com/
CC Chapter 4

Lecture notes
Distributed Systems:
▪ Can also be referred to as:

Distributed computing environment (DCE),
concurrent computing, parallel computing, and
distributed computing.
▪ A collection of individual systems that work together to
support a resource or provide a service.
▪ Most end-users see the DCE as a single entity and not as
multiple systems.
▪ Why do we use DCEs?

They can give us horizontal scaling (size,
geography, and administration), modular
growth, fault tolerance, cost-effectiveness,
low latency (users connect to the closest
node).
▪ Where do we use DCEs?

All over the place (The internet, websites, cell
networks, research, P2P networks, blockchain, …).
39 | P a g e
https://thorteaches.com/
CC Chapter 4
Lecture notes
•

High-Performance Computing (HPC) Systems:
▪ Most often aggregates of compute nodes in a
system designed to solve complex calculations or
manipulate data at very high speeds.
▪ HPCs have 3 components. Compute, network, and
storage.
▪ All 3 must have enough resources to not become a
bottleneck.
▪ Most well-known versions are super computers.
Edge Computing Systems:
▪ The processing of data is done as close as possible
to where it is needed, we do that by moving the
data and compute resources.
▪ This will optimize bandwidth use and lower
latency.
▪ CDN’s are one of the most common types of edge
computing.
▪ 80%+ of large enterprises have already
implemented or are in the process of
implementing an edge computing strategy.
 The Internet of Things (IoT):



It is really anything “Smart”: Smart TVs, Thermostats, Lightbulbs, Cars, anything that
connects to the internet in some way (that didn’t before).
They can be an easy way into your smart device, as most are never patched (many don’t
even have the option).
Asset Tracking and Hardware Hardening:



Asset Tracking:
▪ Keeping an accurate inventory of all our assets is important; we can't protect
what we don't know we have.
▪ We covered this a little in our risk analysis section, but other than identifying
the assets, we also should have it as part of our technology refresh cycle to
record the Asset Serial Number, Model Number, and often an internal Asset ID.
Hardware Hardening:
▪ On our servers - we harden the server.

Apply all patches, block ports not needed, delete default users, … most
places are good about this.
▪ Workstations are often overlooked.
Disabling the USB Ports, CD drives and any other port that can introduce malware to
our network:
▪ Physically: Disabled on motherboard or port itself blocked, easy to bypass - not
very secure.
▪ Logically: Locked in Windows services or through AD (Active Directory) is not
easy to bypass (if done right) - more secure.
40 | P a g e
https://thorteaches.com/
CC Chapter 4
Lecture notes
 Electricity:

Electricity:
▪ Electricity - It is important to have clean, reliable power for our servers, disk
arrays, network equipment.
▪ Loss of power can affect our availability and the Integrity of our data.

Nothing can be accessed, and power fluctuations can damage hardware
and corrupt data.
▪ Power Fluctuation Terms:

Blackout - Long loss of power.

Fault - Short loss of power.

Brownout - Long low voltage.

Sag - Short low voltage.

Surge - Long high voltage.

Spike - Short high voltage.
▪
Surge Protectors, UPSs and
Generators are used to get clean
power.

Surge Protectors - Protect
equipment from high voltage.

UPSs (Uninterruptible Power
Supplies):
 Ensure constant clean
power to the systems.
 Have large battery
banks that take over
in the event of a
power outage, they also act as surge protectors.

Generator:
 Fueled generators are programmed to kick in during a power
outage event manually or automatically (preferred).
 Will run as long as they have fuel, must be maintained.

PDU (Power Distribution Unit) can be in rack or not.
41 | P a g e
https://thorteaches.com/
CC Chapter 4

Lecture notes
Backups:

Fault Tolerance:
▪ To ensure our internal SLAs and provide as high availability as possible we use as
high degree of redundancy and resiliency as makes sense to that particular
system and data set.
▪ Backups:

One of the first things that comes to mind when talking about fault
tolerance is backups of our data, while it is very important it is often like
log reviews an afterthought and treated with "Set it and forget it"
mentality.

For backups we use Full, Incremental, Differential and Copy backups,
and how we use them is determined on what we need from our
backups.

How much data we can stand to lose and how fast we want the backup
and restore process to be.

In our backup solution we make backup policies of what to back up,
what to exclude, how long to keep the data of the Full, Incremental and
Differential backups.

All these values are assigned dependent on what we back up, and
normal organizations would have different backup policies and apply
those to the appropriate data.

This could be Full 3, 6, 12, 36, 84 months and infinity, the retention is
often mandated by our policies and the regulations in our field of
business.

It is preferable to run backups outside of business hours, but if the
backup solution is a little older it can be required to run around the
clock, in that case we put the smaller and less important backups in the
daytime and the important larger ones after hours.

We often want to exclude parts of the system we are backing up, this
could be the OS, the trashcan, certain program folders, ... we just
backup what is important and rarely everything.

If a system is compromised and the issue is a rootkit, the rootkit would
persist on the backup if we did a full mirror restore, by eliminating some
of the system data we not only backup a lot less data, we also may
avoid the infection we are trying to remedy.

For very important data we may do hourly incremental or use another
form of data loss prevention (covered later in this chapter).
Full Backup:
 This backs everything up, the entire database (most often), or
the system.
 A full backup clears all archive bits.
 Dependent on the size of the data we may do infrequent full
backups, with large datasets it can take many hours for a full
backup.
 IF we need to restore on Thursday:
42 | P a g e
https://thorteaches.com/
CC Chapter 4
Lecture notes
 Restore with a single Wednesday full backup tape.
 1 tape.
Full Backup:
•
Everything in the backup policy is backed up.

Incremental Backup:
 Backs up everything that has changed since the last backup.
 Clears the archive bits.
 Incremental are often fast to do, they only backup what has
changed since the last incremental or full.
 The downside to them is if we do a monthly full backup and
daily incremental, we have to get a full restore and could have
to use up to 30 tapes, this would take a lot longer than with 1
Full and 1 Differential.
 IF we need to restore on Thursday:
 Restore with the full Sunday backup and Monday,
Tuesday, and Wednesday’s incremental tapes.
 4 tapes.
Incremental Backup:
•
Anything changed since the last backup is backed up.
•
The archive bit is cleared.

Differential Backup:
 Backs up everything since the last Full backup.
 Does not clear the archive bit.
 Faster to restore since we just need 2 tapes for a full restore,
the full and the differential.
 Backups take longer than the incremental, we are backing
everything since the last full.
43 | P a g e
https://thorteaches.com/
CC Chapter 4


Lecture notes
Never use both incremental and differential on the same data, it
is fine on the same backup solution, different data has different
needs.
IF we need to restore on Thursday:
 Restore with the Sunday full backup and Wednesday’s
incremental tapes.
 2 tapes.
Differential Backup:
•
Anything changed since the last Full backup is backed up.
•
The archive bit is not cleared.
▪
Copy Backup:

This is a full backup with one important difference, it does not clear the
archive bit.

Often used before we do system updates, patches, and similar
upgrades.

We do not want to mess up the backup cycle, but we want to be able to
revert to a previous good copy if something goes wrong.
▪
Archive Bit:

For Windows the NTFS has an archive bit on file, it is a flag that indicates
if the file was changed since the last Full or Incremental backup.
 Fault Tolerance, Redundancy, and Resiliency:

RAID (Redundant Array of Independent/Inexpensive Disks):
▪ Comes in 2 basic forms, disk mirroring and disk striping.

Disk Mirroring:
 Writing the same data across multiple hard disks, this is slower,
the RAID controller has to write all data twice.
 Uses at least 2 times as many disks for the same data storage,
needs at least 2 disks.

Disk Striping:
 Writing the data simultaneously across multiple disks providing
higher write speed.
 Uses at least 2 disks, and in itself does not provide redundancy.
 We use parity with striping for the redundancy, often by XOR, if
we use parity for redundancy, we need at least 3 disks.
44 | P a g e
https://thorteaches.com/
CC Chapter 4
Disk Striping, no parity:
Disk Mirroring:
Disk A
Disk B
▪
▪
▪
Lecture notes
Disk A
Disk B
Disk C
There are many different types of RAID, for the exam I would know the above
terms and how RAID 0, 1 and 5 works.
RAID 0:

Striping with no mirroring or parity, no fault tolerance, only provides
faster read write speed, requires at least 2 disks
RAID 1:

Mirror set, 2 disks with identical data, and write function is written to
both disks simultaneously.
RAID 1
RAID 0
45 | P a g e
https://thorteaches.com/
CC Chapter 4
▪
Lecture notes
RAID 5:


Block level striping with distributed parity, requires at least 3 disks.
Combined speed with redundancy.
RAID 5
▪
▪
▪
▪

RAID will help with data loss when we have a single disk failure if we use a fault
tolerant RAID type, if more than one disk fails before the first is replaced and
rebuilt, we will need to restore from our tapes.
Most servers have the same disks with the same manufacturer date, they will
hit their MTBF (Mean time between failures) around the same time.
Larger data centers often have SLAs with the hard disk/server vendor, which
also includes MTTR (Mean time to repair).
This could be within 4 or 8 hours the vendor has to be onsite with a
replacement disk.
System Redundancy:
▪ On top of the RAID and the backups we also try to provide system redundancy
as well as redundant parts on the systems.
▪ The most common system failures are from pieces with moving parts, this could
be disks, fans, or PSU (power supplies).
▪ Most servers have redundant power supplies, extra fans, redundant NIC’s.
▪ The NIC and PSU serve a dual purpose, both for internal redundancy and
external. If a UPS fails, the server is still operational with just the 1 PSU getting
power.
▪ Redundant disk controllers are also reasonably common, we design and buy the
system to match the redundancy we need for that application.
▪ Often, we have spare hardware on hand in the event of a failure, this could
include hard disks, PSU's, fans, memory, NICs.
▪ Many systems are built for some hardware to be hot-swappable, most
commonly HDD's, PSU’s, and fans.
46 | P a g e
https://thorteaches.com/
CC Chapter 4
▪
▪
▪
▪
▪
▪
▪
▪
Lecture notes
If the application or system is important, we often also have multiple systems in
a cluster.
Multiple servers often with a virtual IP, seen as a single server to users.
Clustering is designed for fault tolerance, often combined with load balancing,
but not innately.
Clustering can be active/active, this is load balancing, with 2 servers both
servers would actively process traffic.
In well-designed environments the servers are geographically dispersed.
Database Shadowing:

Exact real time copy of the database or files to another location.
Electronic Vaulting (E-vaulting):

Using a remote backup service, backups are sent off-site electronically
at a certain interval or when files change.
Remote Journaling:

Sends transaction log files to a remote location, not the files
themselves.
 Fire Suppression:

Fire Suppression is done by removing one of the 3
requirements a fire has.
▪ A fire needs Oxygen, Heat, and Fuel to burn.
▪ Removing any of the 3 will put the fire out.
▪ Removing Oxygen is done by replacing the
oxygen in the room with something else or
covering the fire, so the burning material
doesn’t have oxygen access (Halon, FM200,
Argon).
▪ Removing Heat is done by adding chemicals
or water to the fire, cooling it down.
▪ Removing Fuel is rarely done since the fuel is
our equipment.

Fire Classes:
▪ Answer all questions from a right point of view and in a top-down security
organization.
47 | P a g e
https://thorteaches.com/
CC Chapter 4

Lecture notes
Automatic Fire Suppression Systems:
▪ Water:

Removes the “heat” leg of the fire triangle by lowering the temperature.

Is the safest suppression
agent, but for Data Centers:

Water + hardware = dead
hardware.

Electricity could always be
cut before water is used.

Sprinkler Systems:
 Sprinklers have
different types of
bulbs for different
temperatures.
 Should be
connected to
alarm/warning
sirens and lights.
 Each sprinkler head
is independent; it
will trigger if the
temperature for that bulb is met.
48 | P a g e
https://thorteaches.com/
CC Chapter 4




Lecture notes
Wet Pipe: Sprinkler heads are closed. The pipes for the sprinkler
system have water until the sprinkler.
Dry Pipe: Sprinkler heads are closed.
The pipe contains compressed air and a valve that stays shut as
long as the air is present.
Fire Suppression:
▪ Fire Extinguishers:

A fire extinguisher is an active fire protection device used to extinguish
or control small fires, often in emergency situations.

All portable fire extinguishers should be marked with the type of fire
they are designed to extinguish.

Never use a fire extinguisher on a fire it was not intended for.

Use the PASS method to extinguish a fire with a portable fire
extinguisher:
 Pull the pin in the handle.
 Aim at the base of the fire.
 Squeeze the lever slowly.
 Sweep from side to side.
 Secure Design Principles:





Least Privilege:
▪ We give employees the minimum necessary access they
need, no more, no less.
Need to Know:
▪ Even if you have access, if you do not need to
know, then you should not access the data
(Kaiser employees).
Separation of Duties:
▪ More than one individual in one single task
is an internal control intended to prevent
fraud and error.
▪ We do not allow the same person to enter
the purchase order and issue the check.
▪ For the exam assume the organization is large
enough to use separation of duties, in smaller
organizations where that is not practical,
compensating controls should be in place.
Defense in Depth – Also called Layered Defense or Onion Defense:
▪ We implement multiple overlapping security controls to protect an asset.
▪ This applies to physical, administrative, and logical controls.
Secure Defaults:
▪ A program or a system is as secure as possible when implemented.
▪ We can then remove security for usability.
▪ What is secure and usability is determined by risk analysis and usability tests.
49 | P a g e
https://thorteaches.com/
CC Chapter 4






Lecture notes
Fail Securely:
▪ Systems are designed to prevents or mitigates unsafe consequences if the
system fails.
▪ If the system fails, it stays at least as secure as it was before the failure.
▪ Open/safe vs. closed/secure.
Keep It Simple:
▪ Keeping our security simple, makes it better understood and accepted.
▪ The more complex our security is the harder it is to control, troubleshoot, and
manage.
Trust but Verify:
▪ Implicit trust but we verify you.
▪ A majority of serious compromises are from privileged users (admins accounts).
Zero Trust (never trust, always verify) - NIST SP 800-207 - Zero Trust Architecture:
▪ We do by default not trust devices on our network, even if they have been
verified.
▪ We change our defenses from static, network-based perimeters to focus on
users, assets, and resources.
▪ With ZT there is no implicit trust given to assets or users based on their physical
or logical location.
▪ We use authentication and authorization of both subject and device that is done
before a session to an enterprise resource can be established.
Privacy by Design:
▪ Proactive not reactive, Privacy as the default setting, Privacy embedded into
design, Full functionality, End-to-end security, Visibility and transparency,
Respect for user privacy
Shared Responsibility:
▪ With cloud computing the provider and customer share responsibility for the
security.
➢ Domain 4: What we covered.

This is a GIANT domain.








Network Basics and Definitions.
The OSI and TCP/IP model.
IP Addresses, Port Numbers, and MAC Addresses.
Wi-Fi and other wireless networks.
Virtualization, Cloud, and Distributed Computing.
Fault tolerance and resiliency.
Data centers.
Attacks and Attackers.
50 | P a g e
https://thorteaches.com/
CC Chapter 4
Lecture notes
51 | P a g e
https://thorteaches.com/
CC Chapter 5
Lecture notes
Welcome to the Fifth Chapter.
➢ Domain 5: What we will be covering.
•
This is everything we do in our day-to-day jobs to make sure we are secure.
•
•
•
•
•
•
•
Configuration, patch, and change management.
Cryptography and hashing.
Attacks on our cryptography.
Data handling, classification, labeling, retention, and destruction/disposal.
Administrative (Directive) controls.
Security awareness training.
Social engineering.
 Configuration Management:
•
Configuration Management:
▪ When we receive or build new systems, they often are completely open, before
we introduce them to our environment we harden them.
▪ We develop a long list of ports to close, services to disable, accounts to delete,
missing patches and many other things.
▪ Often it is easier to have OS images that are completely hardened and use the
image for the new system, we then update the image when new vulnerabilities
are found or patches need to be applied, often though we use a standard image
and just apply the missing patches.
▪ We do this for any device on our network, servers, workstations, phones,
routers, switches,...
▪ Pre-introduction into our production environment we run vulnerability scans
against the system to ensure we didn't miss anything (Rarely done on
workstations, should be done on servers/network equipment).
▪ Having a standard hardening baseline for each OS ensures all servers are
similarly hardened and there should be no weak links, we also have the
standardized hardening making troubleshooting much easier.
▪ Once a system is introduced to our production environment we monitor
changes away from our security baseline, most changes are administrators
troubleshooting or making workarounds, which may or may not be allowed, but
it could also be an attacker punching a path out of our network.
 Patch Management:
•
Patch Management:
▪ In order to keep our network secure we need to apply patches on a regular
basis.
▪ Whenever a vulnerability is discovered the software producer should release a
patch to fix it.
▪ Most organizations give the patches a few weeks to be reviewed and then
implement them in their environment.
1|Page
https://thorteaches.com/
CC Chapter 5
▪
▪
Lecture notes
We normally remember the OS patches, but can often forget about network
equipment updates, array updates, IoT updates and so on, if they are not
patched, we are not fully using defense in depth and we can expose ourselves to
risk.
We use software to push our patches to all appropriate systems, this is easier,
we ensure all systems gets patched and they all get the same parts of the patch,
we may exclude some parts that have an adverse effect on our network.
 Change Management:
•
Change Management:
▪ Our formalized process on how we handle changes to our environments.
▪ If done right we will have full documentation, understanding and we
communicate changes to appropriate parties.
▪ The change review board should be comprised of both IT and other operational
units from the organization, we may consider impacts on IT, but we are there to
serve the organization, they need to understand how it will impact them and
raise concerns if they have any.
▪ A change is proposed to the change board, they research in order to understand
the full impact of the change.
▪ The person or group submitting the change should clearly explain the reasons
for the change, the pro's and con's of implementing and not implementing, any
changes to systems and processes they know about and in general aide and
support the board with as much information as needed.
▪ The board can have senior leadership on it or they can have a predefined range
of changes they can approve and anything above that threshold they would
make recommendations but changes require senior leadership approval.
▪
There are many different models and process flows for change management,
some are dependent on organization structure, maturity, field of business and
many other factors.
⬥ A generalized flow would look like this:
→ Identifying the change.
→ Propose the change.
→ Assessing risks.
→ Provisional change approval.
→ Testing the change.
→ Scheduling the change.
→ Change notification for impacted parties.
→ Implementing the change.
→ Post implementation reporting of the actual change impact.
2|Page
https://thorteaches.com/
CC Chapter 5
▪
▪

Lecture notes
We closely monitor and audit changes, remember changes can hold residual risk
which we would then have to mitigate.
Everything in the change control process should be documented and kept, often
auditors want to see that we have implemented proper change controls, and
that we actually follow the paper process we have presented them with.
Cryptography:
•
The History of Cryptography (yes, this is testable).
▪ Spartan Scytale - Message written
lengthwise on a long thin piece of
parchment wrapped around a certain
size round stick. By itself it would make
no sense, but if rewrapped around a
stick of the same diameter it would be
decipherable.
▪ Caesar Cipher (Substitution) - Done by
switching Letters by a certain number of spots in the alphabet.
•
For the exam, what you need to know is that cryptography helps us:
▪ Keep our secrets secret (Confidentiality) ← This is what most people think all
cryptography does.
▪ Keep our data unaltered (Integrity).
▪ Provide a way to verify (Authentication) our Subjects; it can also provide nonrepudiation.
•
Definitions:
▪ Cryptology is the science of securing communications.
▪ Cryptography creates messages where the meaning is hidden.
▪ Cryptanalysis is the science of breaking encrypted communication.
3|Page
https://thorteaches.com/
CC Chapter 5
Lecture notes
⬥
▪
▪
▪
▪
▪
▪
▪
Cryptanalysis is used to breach cryptographic security systems and gain
access to the contents of encrypted messages, even if the cryptographic
key is unknown.
⬥ It uses mathematical analysis of the cryptographic algorithm, as well as
side-channel attacks that do not target weaknesses in the cryptographic
algorithms themselves, but instead exploit weaknesses in their
implementation and the devices that run them.
Cipher is a cryptographic algorithm.
Plaintext (Cleartext) is an unencrypted message.
Ciphertext is an encrypted message.
Encryption converts the plaintext to a ciphertext.
Decryption turns a ciphertext back into a plaintext.
Book Cipher - Use of a well-known text (Often a book) as the key.
⬥ Messages would then look like 244.2.13, 12.3.7, 41.42.1,...
⬥ The person reviewing the message would look at page 244, sentence 2,
word 13, then page 12, sentence 3, word 7, page 41, sentence 42 word
1,...
Running-Key Cipher – uses a well-known test as a key as well but uses a
previously agreed upon phrase.
⬥ The sender would add the plaintext message to the letters from the key,
and the receiver would subtract the letters from the key.
•
Asymmetric vs Symmetric Encryption and Hybrid:
▪ Asymmetric
⬥ Pros: It does not need a pre-shared
key, only 2x users = total keys.
⬥ Cons: It is much slower; it is weaker
per bit.
▪ Symmetric:
⬥ Pros: Much faster, stronger per bit.
⬥ Cons: Needs a pre-shared key, n(n1)/2 users, becomes unmanageable
with many users.
•
Asymmetric Encryption (Public Key Encryption):
▪ Asymmetric Encryption uses 2 keys: A Public Key and a Private Key (Key Pair):
⬥ Your Public Key is publicly available.
→ Used by others to encrypt messages sent to you. Since the key is
asymmetric, the cipher text can't be decrypted with your public
Key.
⬥ Your Private Key - You keep this safe.
→ You use it to decrypt messages sent with your public key.
4|Page
https://thorteaches.com/
CC Chapter 5
•

Asymmetric vs Symmetric Encryption and Hybrid:
▪ Hybrid Encryption:
⬥ Uses Asymmetric encryption to share a Symmetric Key (session key).
⬥ We use the security over an unsecure media from Asymmetric for the
initial exchange and we use the speed and higher security of the
Symmetric for the actual data transfer.
⬥ The Asymmetric Encryption may send a new session key every so often
to ensure security.
Hashing:
•

Lecture notes
Hash Functions (One-Way Hash Functions) are used for Integrity:
▪ A variable-length plaintext is hashed into a fixed-length value hash or MD
(Message Digest).
▪ It is used to prove the Integrity of the data has not changed. Even changing a
comma in a 1000-page document will produce an entirely new hash.
▪ Collisions: When 2 hashes of different
data provide the same hash. It is
possible, but very unlikely.
▪ Just 1 bit change completely changes
the hash.
▪ Using Great Expectations (Charles
Dickens 1867 Edition again, 4 pages at
font size 11, 1827 words, 7731
characters).
▪ Hash#1 is the original
2b72b2c18554112e36bd0db4f27f1d89
▪ Hash#2 is with 1 comma removed
21b78d32ed57a684e7702b4a30363161
▪ Just a single “.” added will change the hash value to
5058f1af8388633f609cadb75a75dc9d
Attacks on our Cryptography:
•
Cryptographic Attacks:
▪ Steal the Key: Modern encryption being so difficult to break, it is easier to
recover the private key.
⬥ Law enforcement does this when they get search warrants, to recover
the private key from the PC or phone of someone charged with a crime.
⬥ Attackers do this by gaining access to your system or key repository;
they can then decrypt your data.
▪ Brute Force:
⬥ Uses the entire key space (every possible key); with enough time, any
plaintext can be decrypted.
⬥ Effective against all key-based ciphers except the one-time pad; it would
eventually decrypt it, but it would also generate so many false positives
that the data would be useless.
5|Page
https://thorteaches.com/
CC Chapter 5
▪
Key stretching: Adding 1-2 seconds to password verification.
⬥ If an attacker is brute forcing password and needs millions of attempts,
it will become an unfeasible attack vector.
▪
Man-in-the-Middle Attack (MITM):
⬥ The attacker secretly relays and may alter
communication between two parties, who
believe they are directly communicating
with each other.
⬥ The attacker must be able to intercept all
relevant messages passing between the
two victims.
⬥ They can alter the information, just steal it
or inject new messages.
Side Channel Attacks:
⬥ Attackers use physical data to break a crypto system. This can be CPU
cycles, power consumption while encrypting/decrypting,...
▪

Lecture notes
Data Handling Classification Labeling Retention Destruction/Disposal:
•
Sensitive information
▪ Data handling:
⬥ Only trusted individuals should handle our data; we should also have
policies on how, where, when, and why the data was handled. Logs
should be in place to show these metrics.
▪ Data storage:
⬥ Where do we keep our sensitive data? It should be kept in a secure,
climate-controlled facility, preferably geographically distant or at least
far enough away that potential incidents will not affect that facility too.
⬥ Many older breaches were from bad policies around tape backups.
⬥ Tapes were kept at the homes of employees instead of at a proper
storage facility or in a storage room with no access logs and no access
restrictions (often unencrypted).
▪ Data retention:
⬥ Data should not be kept beyond the period of usefulness or beyond the
legal requirements (whichever is greater).
⬥ Regulation (HIPAA or PCI-DSS) may require a certain retention of the
data (1, 3, 7 years, or infinity).
⬥ Each industry has its own regulations and company policies may differ
from the statutory requirements.
⬥ Know your retention requirements!
•
Paper disposal – It is highly encouraged to dispose of ANY paper with any data on it in a
secure manner. This also has standards and cross shredding is recommended.
It is easy to scan and have a program re-assemble documents from normal shreds like
this one.
6|Page
https://thorteaches.com/
CC Chapter 5
Lecture notes
•
Digital disposal – The digital disposal procedures are determined by the type of media.
▪ Deleting, formatting, and overwriting (Soft destruction):
⬥ Deleting a file just removes it from the table; everything is still
recoverable.
⬥ Formatting does the same, but it also puts a new file structure over the
old one. Still recoverable in most cases.
⬥ Overwriting (Clear) is done by writing 0s or random characters over the
data.
⬥ Sanitization is a process of rendering target data on the media
infeasible for a given level of recovery effort.
⬥ Purge is removing sensitive data from a system or device to a point
where data recovery is no longer feasible even in a laboratory
environment.
•
Degaussing destroys magnetic media by exposing it to a very strong magnetic field. This
will also most likely destroy the media integrity.
Full physical destruction is safer than soft destruction:
▪ Disk crushers do exactly what their name implies: they crush disks (often used
on spinning disks).
▪ Shredders do the same thing as paper shredders do; they just work on metal.
These are rare to have at normal organizations, but you can buy the service.
▪ Incineration, pulverizing, melting, and acid are also (very rarely) used to ensure
full data destruction.
It is common to do multiple types of data destruction on sensitive data (both degaussing
and disk crushing/shredding).
•
•
•
The Information Life Cycle:
▪ Data acquisition.
⬥ The information is either created or
copied from another location.
⬥ Make it useful, index it, and store it.
▪ Data use.
⬥ How to we ensure the data is kept
confidential, the integrity is intact,
and it is available when needed (The
CIA triad).
▪ Data archival.
⬥ Retention required by law, or the
data will be used later.
▪ Archival vs. backup.
▪ Data disposal.
⬥ How do we dispose properly of the
data once it is no longer useful and
required.
7|Page
https://thorteaches.com/
CC Chapter 5
Lecture notes
 Administrative (Directive) Controls:
•
Access Control Categories:
▪ Administrative (Directive) Controls:
⬥ Organizational policies and procedures.
▪ Technical Controls:
⬥ Hardware/software/firmware – Firewalls, routers, encryption.
▪ Physical Controls:
⬥ Locks, fences, guards, dogs, gates, bollards.
•
Access Control Types:
▪ Access Control Types (Many can be multiple types – On the exam look at
question content to see which type it is).
⬥ Preventative:
→ Prevents action from happening.
⬥ Detective:
→ Controls that Detect during or after an attack.
⬥ Corrective:
→ Controls that Correct an attack.
⬥ Recovery:
→ Controls that help us Recover after an attack.
⬥ Deterrent:
→ Controls that Deter an attack.
⬥ Compensating:
→ Controls that Compensate.
8|Page
https://thorteaches.com/
CC Chapter 5
Lecture notes
•
Policies – Mandatory and high level.
▪ AUP (Acceptable Use Policy).
⬥ What is acceptable use of the network, data,
resources, …
▪ BYOD (Bring Your Own Device) policy.
⬥ Allows employees to bring their own
devices within certain parameters.
▪ Privacy policy.
⬥ How we gather, use, disclose, and
manage private data.
•
Policies – Mandatory.
▪ Password policy.
⬥ Remember last 24 passwords.
⬥ Max. password age 90 days.
⬥ Min. password age 2 days
⬥ Min. password length 8
characters.
⬥ Complex passwords.
⬥ Stored not using
reversible encryption.
▪ ,…
•
•
Data handling policy:
Classify, categorize, label, encrypt, store, backup, disposal/destroy.
•
Data has 3 States:
▪ Data at Rest: Stored data.
▪ Data in Motion: Data being transferred on a network.
▪ Data in Use: We are actively using the files/data, it cannot be encrypted.
 Training and Awareness:
•
Users often pose the largest security risk:
▪ Training: Provides users with a skillset - this is nice, but if they ignore the
knowledge, it does nothing.
▪ Awareness: Change user behavior - this is what we want, we want them to
change their behavior.
▪ We want to build a cybersecurity culture, with a good cyber hygiene.
9|Page
https://thorteaches.com/
CC Chapter 5
Lecture notes
 Social Engineering:
•
Cryptographic Attacks:
▪ Social Engineering:
⬥ Much easier than breaking the key is convincing the key holder to hand
it over to the “help desk”.
FREE ICE CREAM!
▪ A very successful social engineering attack was a Pentest company driving up in
front of a company office with "Free Ice Cream” and company logo signs on an
ice cream van.
•
Social Engineering uses people skills to bypass security controls.
▪ Can be used in a combination with many other attacks, especially client-side
attacks or physical tests.
▪ Attacks are often more successful if they use one or more of these approaches:
⬥ Authority (someone you trust or are afraid of) - Look and sound like an
authority figure, be in charge, this can be in a uniform or a suit. Most
effective with impersonation, whaling, and vishing attacks.
⬥ Intimidation (If you don't bad thing happens) - Virus on the network,
credit card compromised, lawsuit against your company, intimidation is
most effective with impersonation and vishing attacks.
•
Social Engineering Attacks:
▪ Consensus (Following the crowd, everyone else was doing it) - Fake reviews on
a website, using consensus/social proof is most effective with Trojans and
hoaxes.
▪ Scarcity (If you don't act now, it is too late) - New iPhone out, only 200
available, often effective with phishing and Trojan attacks.
▪ Urgency (It has to happen now or else) - The company will be sued for
$1,000,000 if these papers are not filled out before Friday, often used with
Phishing.
▪ Familiarity (Have a common ground or build it) - Knowing something about the
victim ahead of time and then reference it can raise chances of a successful
attack drastically. People want to be helpful, if they feel like they know you they
want too even more. Often successful with vishing and in-person social
engineering.
•
Phishing, spear phishing, and whale phishing: Fishing spelled in hacker speak with Ph
not F.
▪ Phishing (Social engineering email attack):
⬥ Click to win, Send information to get your inheritance …
⬥ Sent to hundreds of thousands of people; if just 0.02% follow the
instructions they have 200 victims.
→ A public treasurer in Michigan sent $1.2m to Nigeria ($1.1m of
taxpayer funds and $72,000 of his own).
10 | P a g e
https://thorteaches.com/
CC Chapter 5
▪
▪
▪
Lecture notes
Spear Phishing: Targeted phishing, not just random spam, but targeted at
specific individuals.
⬥ Sent with knowledge about the target (person or company); familiarity
increases success.
Whale Phishing (Whaling): Spear phishing targeted at senior leadership of an
organization.
⬥ This could be: “Your company is being sued if you don’t fill out the
attached documents (with trojan in them) and return them to us within
2 weeks”.
Vishing (Voice Phishing): Attacks over automated VOIP (Voice over IP) systems,
bulk spam similar to phishing.
⬥ These are: “Your taxes are due”, “Your account is locked” or “Enter your
PII to prevent this” types of calls.
➢ Domain 5: What we covered.
•
This is everything we do in our day-to-day jobs to make
sure we are secure.
•
•
•
•
Configuration, patch, and change management.
Cryptography and hashing.
Attacks on our cryptography.
Data handling, classification, labeling, retention, and
destruction/disposal.
Administrative (Directive) controls.
Security awareness training.
Social engineering.
•
•
•
11 | P a g e
https://thorteaches.com/