Chapters 1-11 Final Review
Course
Security+ SY0-601
Confidence
Not Confident
Last Edited
@December 9, 2023 1:31 PM
Chapter 1
Security Goals
CIA - Confidentiality, integrity, and availability
Use case - a goal that an organization wants to achieve
A use case can have different parts including:
1. Actors - the parties involved
2. Precondition - must occur before the process can start
3. Trigger - starts the use case
4. Postcondition - occurs after the actor triggers the process
5. Normal Flow - lists each of the steps in a specific order
6. Alternate Flow - all flow wont be the same
Confidentiality
Confidentiality - prevents the unauthorized disclosure of data (authorized personnel =
good, unauthorized personnel = cannot access)
Several different types of method of confidentiality:
Encryption - scrambles data to make it unreadable by unauthorized personnel
Access Controls:
Identification - claim an identity with a unique username
Authentication - users prove their identity with authentication
Chapters 1-11 Final Review
1
Authorization - grant or restrict access to resources using an
authorization method
💡
Confidentiality ensures that data is only viewable by authorized users. Best
way to protect confidentiality of data is by encrypting it. Access controls
help protect confidentiality by restricting access.
Integrity
Integrity - assurances that data has not been changed
Hash - a number created by executing a hashing algorithm against data.
A variation in the hashes doesn’t tell you what modified the message. It only tells
you that the message has been modified.
💡
Integrity verifies that data has not been modified. Loss of integrity can
occur through unauthorized or unintended changes. Hashing algorithms,
such as SHA, calculate hashes to verify integrity. A hash is simply a
number created by applying the algorithm to a file or message at different
times. By comparing the hashes, you can verify integrity has been
maintained.
Availability
Availability - data and services are available when needed
Organizations typically implement redundancy and fault-tolerance methods to
ensure high levels of availability for key systems.
💡
Availability ensures that systems are up and operation when needed and
often address single points of failure. You can increase availability by
adding fault tolerance and redundancies, such as RAID, failover clusters,
backups, and generators.
Redundancy adds duplication to critical systems and provides fault tolerance. If a
critical component has a fault, the redundancy’s duplication allows the service to
Chapters 1-11 Final Review
2
continue without interruption.
Types of redundancies:
Disk redundancy - RAID 1, 5, 10 allow a system to continue to operate
even if a disk fails.
Server redundancy - failover clusters
Network redundancy - load balancing
Power redundancy - uninterruptible power supplies (UPSs) and power
generators
💡
Redundancy and fault tolerance methods increase the availability of
systems and data. Scalability refers to manually adding or removing
resources to a system to scale it up or out. Elasticity refers to dynamically
adding or removing resources to a system to scale it.
Scalability - systems ability to handle increased workload either by scaling up or
scaling out. (Manual)
Elasticity - ability of a system to handle an increased workload by dynamically scaling
up or out as the need arises.
Resiliency - help systems heal themselves or recover from faults with minimal
downtime.
Risk vs Threat
Risk is the possibility or likelihood of a threat exploiting a vulnerability resulting in
a loss. A threat is a circumstance or event that has the potential to compromise
confidentiality, integrity, or availability.
Risk mitigation reduces the chances that a threat will exploit a vulnerability or
reduces the risk’s impact by implementing security controls.
Security controls
Managerial control - administrative that focuses on managing risk
Risk assessment - help orgs quantify and qualify risks within an org so that
they can focus on serious risks
Vulnerability assessment - attempts to discover current vulnerabilities
Chapters 1-11 Final Review
3
Operational control - ensure day to day operations complying with security
policies
Technical controls - use tech (hardware, software, firmware) to reduce
vulnerabilities
Preventative controls - prevent an incident from happening
Hardening - making a system more secure than default (disabling
unnecessary ports and services, implementing secure protocols, patching
system, strong passwords)
Training, security guards, change management, account disablement policy,
intrusion prevention system
Detective controls - detect incidents after they happen
Log monitoring, security information and event management systems
(SIEM), security audit, video surveillance, motion detection, intrusion
detection system (IDS)
Corrective controls - reverse the impact of an incident
Backups, system recovery
Incident handling process - define steps to take in response to security
incidents
Deterrent controls - attempt to discourage individuals from causing an incident
Compensating controls - alt controls used when primary control is not feasible
Physical controls - controls you can physically touch
Commands
Ping
A basic command used to test connectivity for remote systems.
Hping - similar to ping command, but can send pings using TCP, UDP, and ICMP
Ipconfig - internet protocol configuration shows the TCP/IP config info for a
windows system
Ifconfig - same protocol but for linux
Chapters 1-11 Final Review
4
ifconfig eth0 - shows the config of the first ethernet interface (same for wlan0)
ifconfig eth0 promisc - enables promiscuous mode. Allows a NIC to process all
traffic it receives
ifconfig eth0 allmulti - enables multicast mode on the NIC
The ip command is more encouraged than the ifconfig because it is no longer
maintained by developers
ip link show - shows interfaces along with details
ip link set eth0 up - enables network interface
ip -s link - shows stats on the network interface
Netstat
Allows you to view stats for TCP/IP protocols on a system
netstat - displays all open TCP connections
netstat -a - displays all TCP and UDP ports
netstat -r - displays routing table
netstat -e - displays details on network stats
netstat -s - displays stats of packets sent or received for specific protocols
netstat -n - displays addresses and port numbers in numerical order
netstat -p protocol - shows stats on a specific protocol such as TCP and UDP
Tracert & Traceroute
Commands all routers between two systems. Used to identify faulty routers on the
network and identify modified paths.
Pathping
Combines the functions of ping and tracert
ARP
arp the command and ARP the protocol aren’t the same thing
Chapters 1-11 Final Review
5
arp - without a switch, shows help on Windows
arp -a - shows the ARP cache on Windows
LAMP
Linux, Apache, MySQL, and PHP/Perl/Python
sudo
Allows you to run the command with root, or elevated privileges, assuming you
have the permissions
cat
Used to display contents of the files
grep
Used to search for a specific string or pattern of text within a file
ex. sudo cat /var/log/auth.log | grep “authentication failure”
head
Shows the first 10 lines of a file
tail
Displays the last 10 lines of a log file by default
ex. sudo tail -n 15 /var/log/messages
logger
Adds entries in the /var/log/syslog file
Admins use this command before performing an operation (like backing up)
journalctl
Queries the Linux system logging utility and displays log entries from several
sources
ex. journalctl — since “1 hour ago”
Chapters 1-11 Final Review
6
ex. journalctl — since “1 hour ago” > myjournal.txt
chmod
Used to modify permissions on Linux systems files and folders
Read - someone can open the file and view its content
Write - a user can modify the contents
Executes - a user can launch the file and is used with exe files
First set of permissions applies to the owner of the file
Second set applies to the owner group
Third set applies to everyone else
Can use octal nums from (0-7)
ex. chmod 760 filename
Also possible to assign permission using the text method
u - file owner
g - owner group
o - all others
ex. chmod g=r filename or chmod o-x filename
SIEM System
Security information and event management system provides a centralized
solution for collection and analyzing and managing data from multiple sources.
Capabilities
Log collectors - collects and stores log data in a searchable database
Data inputs - log entries come from various sources such as firewalls,
routers, network intrusion detection and prevention systems
Log aggregation - refers to combining several dissimilar items into a single
similar format. SIEM system collects data from multiple systems and
aggregates the data and stores it so that its easy to analyze and search
Chapters 1-11 Final Review
7
Correlation engine - software component used to collect and analyze event
log data from various systems within the network. Aggregates data looking
for common attributes like patterns
Reports - most systems include built-in reports. Typically groups in different
categories such as network traffic event monitoring, device events, threat
events, and more.
Packet capture - protocol analyzers/sniffers capture network traffic allowing
admins to view and analyze individual packets
User behavior analysis - focuses on what users are doing, such as what
applications they are launching and network activity.
Sentiment analysis - analyzing text to detect an opinion or emotion
Security monitoring - alerts which can provide continuous monitoring of
systems and provide notifications of suspicious events
Automated triggers - cause an action in response to a predefined number of
repeated events
Time sync - all servers sending data to the SIEM should be synced with the
same time
Events deduplication - process of removing duplicate entries
Logs/WORM - SIEM typically includes methods to prevent anyone from
modifying log entries
Syslog
Specifies a general log entry format and the details on how to transport log
entries.
Syslog-ng - allows a system to collect logs form any source. Includes correlation
and routing abilities to route log entries to any log analysis tool.
Rsyslog - improvement over syslog-ng. Significant change is the ability to send
log entries directly into database engines.
NXLog
log management tool and is similar to rsyslog and syslog-ng. Supports log form
Chapters 1-11 Final Review
8
Chapter 2
Authentication - proves an identity with some type of credentials, such as a
username and password.
Something you know (password or PIN)
Something you have (smart card, phone, software tokens, or USB token)
Something you are (fingerprint/biometric identification)
Accounting - track user activity and record the activity in logs
Authorization - access resources based on their proven identity
💡
Complex passwords use a mix of character types. Strong password use a
mix of characters types and have a minimum length of at least 8
characters. Pass exp identities when a password much be changed.
Knowledge Based Authentication
Static KBA - used to verify your identity when you’ve forgotten your password
(Security questions)
Dynamic KBA - individuals without an account like financials institutions or health
care companies. (Multiple choice questions that only the user would know)
Account lockout policies
Thresholds - max number of times a user can enter the wrong password
Duration - how long an account remains locked
Smart card authentication
Requirements for a smart card:
Embedded certificate - holds a user’s private key and is matched with a
public key
Public Key Infrastructure - supports issuing and managing certificates
Often paired with a password or PIN
Chapters 1-11 Final Review
9
Token Key
Sometimes called a key fob, is an electronic device the size of a car remote that
displays a number.
Token is synced with a server that knows what the number is at any moment
Hash based message authentication code
Uses a hash function and cryptographic key for many different functions
HMAC based one time password (HOPT)
Time based one time password
Similar to HOTP, but uses a timestamp instead of a counter
💡
HOTP and TOTP are open source standards used to create one time
passwords. HOTP creates OTP that do not expire until used. TOTP
creates OTP that expires after 30 seconds.
Biometric methods
Strongest method of authentication
Fingerprint
Vein - using new infrared light to view veins. (Hospitals use palm scanners for
patients)
Retina - one or both eyes and use the pattern of blood vessels
Iris - captures the patterns of the iris around the pupil for recognition
Facial - identify people based on facial features
Voice - speech recognition methods to identify different acoustic features
Gait analysis - identifies individuals based on the way they walk. Measures how
someone’s feet hit and leave the ground while walking.
Chapters 1-11 Final Review
10
💡
Iris and retina scan are the strongest biometric methods. Iris scans are
used instead or retina scans because retina scans are intrusive to people
medical issues. Facial recognition and gait analysis bypass the enrollment
process when done for identification instead of authorization.
Biometric efficacy rates
False acceptance - allows unknown user as registered user
False rejection - incorrectly rejects a registered user
True acceptance - system correctly identified a registered user
True rejection - system correctly rejected unknown user
2 Factor Authentication
Can’t be in the same category (Password & PIN / Retina & Thumbprint)
Authentication Attributes
Somewhere you are - geolocation but can be spoofed by VPN
Something you can do - actions you can take such as gestures on a touch
screen (picture password)
Something you exhibit - something that you show or display (ID employee
badge)
Someone you know - someone that vouches for you
Privileged access management (PAM)
Implement stringent security controls over accounts with elevated privileges,
such as admin or root-level accounts
Capabilities
Allow users to access privileged accounts without knowing password
Automatically change privileged account password periodically
Limit time users can use the privileged account
Allow user to checkout credentials
Chapters 1-11 Final Review
11
Log all access of credentials
💡
Usage auditing records user activity in logs. A usage auditing review looks
at the logs to see what users are doing and it can be used to re-create an
audit trail. Permission auditing reviews help ensure that user have only the
access they need and no more and can detect privilege creep issues.
Kerberos
A network authentication protocol within a Microsoft Windows AD. It uses a
database of objects such as AD and KDC to issue time stamped tickets that
expire after a certain time period.
SAML
Security Assertion Markup Language is an Extensible Markup Language (XML)
based data format used for SSO on web browsers.
It is used to exchange authentication and authorization information between
different parties. SAML provides SSO for web based applications.
Roles:
Principal - typically a user
Identity provider - IdP creates, maintains, and manages identity info for
principals
Service provider - entity that provides services to principles
OAuth
Open standard for authorization many companies use to provide secure access
to protected resources
OpenID
An authentication standard maintained by the OpenID foundation.
Access Control Schemes
Chapters 1-11 Final Review
12
Role based - uses roles to manage rights and permissions for users. For users
within a specific dept who perform the same job functions. A role based access
control scheme uses roles based on jobs and functions. A matrix is a planning
document that matches the roles with the required privileges.
Rule based - uses rules. Routers and firewalls use rules within access control
lists (ACLs) Some rules are static and dynamic depending on the attack used.
Rules can be triggered in response to an event like after detecting an attack or
granting additional permissions to a user in certain situations.
Discretionary (DAC) -scheme, objects have an owner and the owner establishes
access for the objects. New Tech File System (NTFS) provides security by
allowing users and admins to restrict access to files and folders with
permissions.
Access control entries (ACE) make up a DACL for example:
Lisa: Full control
Bart: Read
Maggie: Modify
Mandatory (MAC) - Uses labels to determine access. Security admins assign
labels to both subjects. When the labels match, the system can grant a subject
access to an object. Commonly used when access needs to be restricted based
on a need to know.
Attribute (ABAC) - Evaluates attributes and grants access based on the value of
these attributes.
Ex. Homers account is defined with employee, inspector, and nuclear aware.
A file server at the plant includes a share called inspector. An ABAC policy
for the share might grant access to the share for any subjects that have the
attribute.
Chapter 3
Basic Networking Concepts
Sniffing attack - attackers often use a protocol analyzer to capture data sent over
a network. After capturing the data, attackers can easily read it within the
protocol analyzer if sent in cleartext.
Chapters 1-11 Final Review
13
Dos/DDos - denial of service attack is a service attack from a single source that
attempts to disrupt the services provided by another system. A DDos attack
includes multiple computers attacking a single target.
Poisoning attack - many protocols store data in cache for temporary access.
Poisoning attacks attempt to corrupt the cache with different data.
Basic Networking Protocols
Transmission Control Protocol (TCP) - provides connection oriented traffic
(guaranteed delivery). TCP uses a three way handshake. Client sends a SYN,
the server responds with a SYN/ACK packet, and the client completes the
handshake with a ACK packet to establish a connection.
User Datagram Protocol (UDP) - provides connectionless sessions (without a
three way handshake). While TCP traffic provides guaranteed delivery, UDP
makes a best effort to deliver traffic without using extra traffic to ensure delivery.
TCP/IP traffic is either connection-oriented TCP traffic or connectionless UDP.
Internet Protocol (IP) - identifies hosts in a TCP/IP network and delivers traffic
from one host to another using IP addresses.
Internet Control Message Protocol (ICMP) - used for testing basic connectivity
and includes tools such as ping, pathping, and tracert. Because of how often
ICMP is used in attacks, it has become common to block ICMP at firewalls and
routers. Blocking prevents attackers from discovering devices in a network.
Address Resolution Protocol (ARP) - resolves IPc4 address to media access
control (MAC) addresses. TCP/IP uses IP addresses to get a packet to a
destination network, It then uses the MAC address to get it to the correct host.
Implementing Protocols for Use Cases
Chapters 1-11 Final Review
14
Voice and Video
Real-time Transport Protocol (RTP) - delivers audio and video over IP
networks. (Voice over Internet Protocol (VoIP), streaming media, video
teleconferencing, web based push to talk.
Secure Real-time Transport Protocol (SRTP) - provides encryption, message
authentication, and integrity for RTP. SRTP helps protect the confidentiality of
data from these attacks while also ensuring the data transmissions integrity.
Session Initiation Protocol (SIP) - used to initiate, maintain, and terminate
voice, video, and messaging sessions. SIP messages don’t contain any data, but
contain metadata about sessions. Many VoIP support SIP logging and can
record these SIP messages. VoIP logs can contain timestamps, caller phone
numbers, recipient phone numbers, extensions, and missed calls. SIP log files
show timestamps, sender IP addresses, and recipient IP addresses.
File Transfer
💡
Secure Shell (SSH) encrypts traffic over TCP port 22 and is used to
transfer encrypted files over a network. SFTP uses SSH to encrypt traffic
while FTP Secure uses TLS to encrypt.
File Transfer Protocol (FTP) - uploads and downloads large files to and from an
FTP server. By default transfers data in cleartext, making it easy for attackers to
capture and read FTP data with a protocol analyzer. Active mode uses port 21
for control signals and port 20 for data. Passive mode uses port 21 for control
signals but uses a random port for data.
Trivial File Transfer Protocol (TFTP) - uses UDP port 69 and is used to transfer
smaller amounts of data such as communicating with network devices. Often
disabled
Encryption Protocols
Secure Shell (SSH) - encrypts traffic in transit and can be used to encrypt other
protocols such as FTP. When SSH encrypts traffic it uses TCP port 22.
Secure Sockets Layer (SSL) - was the primary method used to secure HTTP
traffic as HTTPS.
Chapters 1-11 Final Review
15
Transport Layer Security (TLS) - designated replacement for SSL and should
be used instead of SSL for browsers. STARTTLS is a command used to upgrade
an unencrypted connection to an encrypted connection on the same port.
Internet Protocol security (IPsec) - used to encrypt IP traffic. Encapsulates and
encrypts IP packet payloads and uses Tunnel mode to protect VPN traffic.
Includes two main components: Authentication Header (AH) identified by
protocol ID number 51 and Encapsulating Security Payload (ESP) identified by
protocol ID number 50.
Secure File Transfer Protocol (SFTP) - a secure implementation of FTP.
Extension of SSH to transmit the files in an encrypted format using TCP port 22.
File Transfer Protocol Secure (FTPS) - extension of FTP and uses TLS to
encrypt the FTP traffic. SFTP uses SSH and FTPS uses TLS.
Email and Web Use Cases
Simple Mail Transfer Protocol (SMTP) - transfers email between clients and
SMTP servers. Uses TCP port 25 for unencrypted email and port 587 for emails
encrypted with TLS.
Post Office Protocol v3 (POP3) - transfers emails from servers down to clients.
Uses port 110 for unencrypted emails and TCP port 995 for encrypted.
Internet Message Access Protocol version 4 (IMAP4) - used to store email on
an email server and allows users to organize and manage email in folders on the
server. Uses TCP port 143 for unencrypted and port 993 for encrypted
connections.
HTTP - transmits web traffic on the internet and in intranets. Uses TCP port 80.
HTTPS - HTTP over SSL/TLS encrypts web traffic to ensure it is secure while in
transit. Uses TCP port 443.
Directory Services and LDAPS
Lightweight Directory Access Protocol (LDAP) - specifies the formats and
methods used to query directories. Uses TCP port 389. LDAP secure encrypts
with TLS using TCP port 636.
💡
Directory services provide authentication services for a network. Active
Directory Domain Services uses LDAP encrypted with TLS when querying
the directory.
Chapters 1-11 Final Review
16
Remote Access Use Case
Remote Desktop Protocol (RDP) - used to connect to other systems from remote
locations
OpenSSH
A suite of tools that simplify the use of SSH to connect to remote server securely
ssh ______ - used to connect to the server
ssh-keygen -t rsa - creates a key pair (public and private key)
ssh-copy-id - copies the public key to a remote server
id_rsa.pub - public key
id_rsa - private key
Time Sync Use Case
Network Time Protocol (NTP) - most commonly used protocol for time sync,
allowing systems to synchronize their time
Simple NTP (SNTP) - can be used for time synchronization. SNTP does not use
complex algorithms and queries multiple time servers so it might not be as
accurate.
Network Address Allocation Use Case
Dynamic Host Configuration Protocol (DHCP) - dynamically assign IP addresses
to hosts. Also assigns other TCP/IP info such as subnet masks, default
gateways, DNS server addresses, and more.
IPv4
Uses 32 bit IP addresses expressed in dotted decimal format
Routers on the internet include rules to drop any traffic that is coming from or
going to a private IP address.
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
DHCP Snooping
Chapters 1-11 Final Review
17
Prevents unauthorized DHCP servers from operating on a network
DHCP clients and servers normally send four packets back and fourth
DHCP Discover - DHCP client broadcasts a message asking a DHCP server
for a lease
DHCP Offer - DHCP server answers offering a lease.
DHCP Request - client responds by requesting the offered lease
DHCP Acknowledge - Allocates the offered IP address to the DHCP client
and sends back an acknowledge packet.
Domain Name Resolution Use Case
Domain Name System (DNS)
Resolves hostnames to IP addresses
DNS servers host data in zones/databases
Uses port TCP port 53 for zone transfers and UDP port 53 for DNS client queries
Records
A (host record) - holds the hostname and IPc4 address and is the most
commonly used record in a DNS server. Mostly used with IPv4
AAAA - holds the hostname and IPv6 address. Similar to A record except its for
IPv6
MX (Mail exchange) - identifies a mail server used for email. When more than 1
mail server, the one with the lowest preference number in the MX record is the
primary one.
CNAME - allows a single system to have multiple names associated with a single
IP address
SOA (Start of authority) - includes info about the DNS zone and some of its
settings.
Ex. Includes TTL settings which determine how long to cache DNS results.
Lower times cause clients to renew the records more often.
DNSSEC
Chapters 1-11 Final Review
18
A risk of DNS is DNS poisoning which modifies the IP address to redirect to
another website.
Domain Name System Security Extensions (DNSSEC) - suite of extensions to
DNS that provides validation for DNS responses.
Adds a Resources Record Signature (RRSIG) or digital signature to each record
Nslookup and dig
The lowest preference number identifies the primary server
nslookup - troubleshoots problems related to DNS
Ex. can use nslookup to verify that a DNS server can resolve specific
hostnames
nslookup -querytype=mx website.com
Output: website.com MX preference = 10, mail exchanger =
mx1.emailsrvr.com
website.com MX preference = 50, mail exchanger = mx2.emailsrvr.com
dig - replaced nslookup on Linux systems. Can be used to verify that the DNS
server is reachable and verify that a DNS server can resolve hostnames to IP
addresses.
Quality of Service
QoS refers to the tech running on a network that measure and control different
traffic types. Allows admins to prioritize certain types of traffic over other types of
traffic.
Network Devices
Unicast - one to one traffic. One host sends traffic to another host using a
destination IP address. The host with the destination IP address will process the
packet. Other hosts on the same network may see the packet, but they will not
process it since it isn’t addressed to them.
Broadcast - one to all traffic. One host sends traffic to all other hosts on the
subnet, using a broadcast address such as 255.255.255.255. Every host that
receives broadcast traffic will process it. Switches pass broadcast traffic between
their ports, but routers do not pass broadcast traffic.
Chapters 1-11 Final Review
19
Switches
Can learn which computer are attached to each of its physical ports. Then uses
this knowledge to create internal switched connections when two computers
communicate to each other.
Port Security
Limits the computers that can connect to physical ports on a switch
Disabling unused ports and limiting the number of MAC addresses per port.
A physical port used by a network device, such as a switch or a router is entirely
different from a logical port. A logical port is a number embedded in a packet and
identifies services and protocols.
Broadcast Storm and Loop Prevention
Can flood a network with traffic and can effectively disable a switch
Many switches have Spanning Tree Protocol (STP) or Rapid STP (RSTP) which
provide both broadcast storm prevention and loop prevention. However if
disabled the switch is susceptible to loop problems.
Broadcast storm and loop prevention such as STP and RSTP is necessary to
protect against switching loop problems, such as those caused when two ports of
a switch are connected together.
STP sends Bridge Protocol Data Unit (BPDU) messages in a network to
detect loops
Routers and ACL’s
Access control lists (ACL) are rules implemented on a router/firewalls to identify
what traffic is allowed and what traffic is denied. Can block IP addresses, ports,
and protocol numbers.
Implicit Deny
All traffic that isn’t explicitly allowed is implicitly denied
Firewalls
Filters incoming and outgoing traffic for a single host or between networks
Chapters 1-11 Final Review
20
A firewall can ensure only specific types of traffic are allowed into a network or
host, and only specific types of traffic are allowed out of a network or host.
They start with a basic routing capability for packet filtering including the use of
an implicit deny rule. More advanced firewalls go beyond simple packet filtering
and include advanced content filtering.
Host based firewalls
Monitors traffic going in and out of a single host.
Many third party firewalls allow you to configure rules to allow or restrict inbound
and outbound traffic.
💡
Host based firewalls provide protection for individual hosts, such as
servers or workstations. A host based firewall provides intrusion protection
for the host. Network based firewalls are often dedicated servers and
provide protection for the network.
Stateless firewalls
Uses rules implemented in ACLs to identify allowed and blocked traffic
Stateful firewalls
Inspects traffic and makes decisions based on the traffic context or state.
Keeps track of established sessions, inspects traffic based on its state within a
session, and blocks traffic that isn’t part of an established session.
💡
A stateless firewall blocks traffic using an ACL and a stateful firewall blocks
traffic based on the state of the packet within a session. Web app firewalls
provide strong protection for web servers. They protect against several
different types of attacks, focusing on web app attacks.
Next Gen Firewall
An advanced firewall that add capabilities that aren’t available in first or second
gen firewalls.
Chapters 1-11 Final Review
21
NGFW performs deep packet inspection adding app level inspection as a core
feature. It can identify app commands and detect potentially malicious traffic
Intranet vs Extranet
Intranet is an internet network used for communicating and sharing content with
each other.
Extranet is a part of a network that can be access by authorized entities from
outside of the network.
Screened subnet
Also known as a demilitarized zone (DMZ)
A buffered zone between a private network and the internet.
It allows access to services while segmenting access to the internal network.
Internet clients can access the services hosted on servers in the screened
subnet, but the screened subnet provides a layer of protection for the private
network.
Network Address Translation Gateway
A protocol that translates public IP addresses to private IP addresses and private
addresses back to public.
A gateway provides internal clients with private IP address a path to the internet.
Commonly used as Port Address Translation (PAT)
Static vs Dynamic
Static uses a single public IP address in a one to one mapping. Maps private
IP address with a single public IP address
Dynamic uses multiple public IP addresses in a one to many mapping.
Decides which public IP address to use based on load.
Air Gaps
Isolates one network from another by ensuing there is a physical space between
all systems and cables.
VLAN
Chapters 1-11 Final Review
22
Virtual local area network uses a switch to group several different computers into
a virtual network
Separates or segments traffic on physical networks and you can create multiple
VLANs with a single layer 3 switch
Can group computers together or separate without regard to physical location
Proxy Servers
Used for forwarding requests such as HTTP or HTTPS
Can improve performance by caching content and restrict access to
inappropriate websites by filtering content.
The server increases the performance by caching each result received from the
internet and saving it for another user that requests the same content.
Transparent proxy vs Non-transparent proxy
Transparent will accept and forward requests without modifying them
Non-transparent can modify or filter requests
Reverse Proxy
Accepts requests from the internet
Unified Threat Management
A single solution that combines multiple security controls.
Reduces workload of admins without sacrificing security
May include:
URL Filtering
Malware inspection
Content inspection
DDoS mitigator - attempts to detect DDoS attacks and block them
Jump Server
Chapters 1-11 Final Review
23
A hardened server used to access and manage devices in another network with
a different security zone
Common to connect to a jump server using passwordless SSH
Chapter 4
Understanding IDSs and IPSs
HIDS
Host based intrusion detection system (HIDS) - additional software installed on a
system such as a workstation or a server.
It protects the individual host, detect potential attacks, and protects critical
operating system files.
Monitor all traffic on a single host systems such as a server or a workstation.
NIDS
Network based intrusion detection system (NIDS) - monitors activity on the
network
An admin installs NIDS sensors or collectors on network devices such as
switches, routers, or firewalls.
Cannot monitor encrypted traffic and cannot monitor traffic on individual hosts
Detection Methods
Two primary detection methods are signature based and heuristic based
Any IDS can detect attacks based on signatures, anomalies, or both
Signature based detection
Use a database of known vulnerabilities or known attack patterns
Ex. An attacker can launch a SYN flood attack on a server
Heuristic based detection
Starts by identifying the networks regular operation or normal behavior
Can detect unknown anomalies
Chapters 1-11 Final Review
24
Continuously monitors network traffic and compares current network behavior
against the baseline
False Positives vs False Negatives
Admins often set the IDS threshold high enough so that it minimizes false positives
but not low enough so that it does not allow false negative
False positive - IDS or IPS sends an alarm or alert when there is no actual attack
False negative - IDS or IPS fails to send an alarm or alert even though the attack
is active
True negative - IDS or IPS does not send an alarm or alert and there is no attack
True positive - IDS or IPS sends an alarm or alert after recognizing an attack
IPS vs IDS
IPS is inline with traffic since traffic passes though the IPS and can block
IDS is out of band since it just monitors traffic but the traffic doesn’t go through
the IDS
Because IPS is inline with traffic is is referred to as active whereas IDS is
referred to as passive
Honeypot
A server that is left open or appears to have been locked down sloppily, allowing
an attacker relatively easy access.
Intent is for the server to look like an easy target so that the attacker spends their
time in the honeypot instead of a live network.
Goals
Deceive the attackers and divert their attention form the live network
Observe the attacker and their methodologies
Honeynets
A group of honeypots within a separate network or zone but accessible from an
orgs primary network.
Chapters 1-11 Final Review
25
Often create honeynets using multiple virtual servers contained within a single
physical server
Honeyfile
Designed to attract the attention of an attacker
Ex. password.txt
Telemetry
Telemetry - collecting information such as stat data and measurements which
then forwards it to a centralized system for processing.
Fake telemetry - corrupts data sent to monitoring systems and can disrupt a
system
Ex. Hackers hack into natural gas company and changes pressure on gas
causing explosions
Wireless Basic
Access point (AP) - connects wireless clients to a wired network
All wireless routers are APs but not all APs are wireless routers
MAC filtering can restrict access to a wireless network to specific clients.
However, an attacker can use a sniffer to discover allowed MAC addresses and
circumvent this form of network access control.
MAC Cloning - process of changing the MAC address on a PC or other device
with the same MAC address as the wide area network.
A site survey examines the wireless environment to identify potential problem
areas.
A heat map shows wireless coverage and dead spots if they exist
Wireless footprinting gives you a detailed diagram of wireless access points,
hotspots, and dead spots within an org
WPA2
Can operate is either open, pre-shared key (PSK), or Enterprise mode
Chapters 1-11 Final Review
26
Open mode doesn’t use any security. All data is transferred in cleartext making it
easy for anyone to read
PSK mode allows users to access the wireless network anonymously with a PSK
or passphrase
Enterprise mode forces users to authenticate with unique credentials before
granting them access to the wireless network. Uses 802.1X which accesses a
database of accounts used for authentication.
Need to enter this info when using enterprise mode:
RADIUS server - enter the IP address assigned to the 802.1X server
RADIUS port - port used by the RADIUS server (Default is 1812)
Shared secret - similar to a password but not the user’s password
802.1X Authentication Protocols
Provides port-based authentication ensuring that only authorized clients can
connect to a device or network
EAP - provides a method for two systems to create a secure encryption key, also
known as a Pairwise Master Key (PMK). This key is used to encrypt all data
transmitted between the devices
Protected EAP - provides an extra layer of protection for EAP. Used with TLS to
protect the communication channel.
EAP-FAST - EAP Flexible Authentication via Secure Tunneling for a replacement
for Lightweight EAP.
EAP-TLS - EAP Transport Layer Security - one of the most secure EAP
standards. Requires certificates on the 802.1X server and client.
EAP-TTLS - EAP Tunneled TLS is an extension of PEAP allowing systems to
use older authentication methods such as PAP within a TLS tunnel.
RADIUS Federation - users can log on once and access shared resources with
the other entity without logging on again.
💡
Enterprise mode requires an 802.1X server. EAP-FAST supports
certificates. PEAP and EAP-TTLS require a cert on the 802.1X server.
EAP-TLS requires certs on both the server and client.
Chapters 1-11 Final Review
27
Captive Portal
A technical solution that forces clients using web browsers to complete a specific
process before it allows them access to the network.
Free internet access
Paid internet access
Alt to IEEE 802.1X - requires users to authenticate before granting them
access
Disassociation Attack
Removes a wireless client from a wireless network
Attacker sends a disassociation frame to the AP with a spoofed MAC address of
the victim.
Wi-Fi Protected Setup
Allows users to configure wireless devices without typing in the passphrase.
A WPS attack guesses all possible PINs until it finds the correct one
Evil Twin
A rouge access point with the same SSID as a legit access point
Used to capture and exfiltrate data
VPN
IPsec in tunneling protocol
Support both tunneling and transport mode
Tunnel mode encrypts the entire IP packet, including both the payload and
packet headers.
Uses Internet Key Exchange (IKE) over port 500
Provides security in two ways:
Authentication - includes authentication header (AH) to allow each of the
IPsec conversation hosts to authenticate with each other before exchanging
data. Uses protocol 51.
Chapters 1-11 Final Review
28
Encryption - Includes Encapsulating Security Payload (ESP) to encrypt the
data and provide confidentiality. Uses protocol 50
SSL/TLS as a tunneling protocol
Some tunneling protocols use TLS to secure the VPN channel
Split Tunnel vs Full Tunnel
Split tunnel - a VPN admin determines what traffic should use the encrypted
tunnel. Doesn’t have to connect to VPN server first if it doesn’t use the private
network.
Full tunnel - all traffic goes through the encrypted tunnel
Network access control
NAC provides continuous security monitoring by inspecting computers and
preventing them from accessing the network if they don’t pass the inspection.
Common health conditions checked by NAC:
Firewall enabled
OS up to date
Antivirus software is up to date and has updated signatures
Uses authentication agents to inspect NAC clients
VPN Authentication & Authorization Methods
Password Authentication Protocol (PAP) - Used with Point to Point Protocol
(PPP) to authenticate clients. Sends passwords over a network in clear text
Challenge Handshake Authentication Protocol (CHAP) - also uses PPP and
authenticates remote users. More secure since it hashes the shared secret to
share between the client and server.
Remote Authentication Dial-In Service (RADIUS) - centralized authentication
service. VPN servers forward the authentication requests to a central RADIUS
server. Can be used with EAP to encrypt entire sessions.
Terminal Access Controller Access-Control System Plus (TACACS+) - alt to
RADIUS and provides two security benefits over RADIUS. Encrypts the entire
Chapters 1-11 Final Review
29
authentication process, whereas RADIUS only encrypts the password by default.
Uses multiple challenges and responses between the client and server. Can be
used with Kerberos
Chapter 5
Virtualization Concepts
Thin client - computer with enough resources to boot and connect to a server to
run specific applications or desktops.
Virtual desktop infrastructure (VDI) - hosts a users desktop operating system on
a server
Container virtualization
Runs services or applications within isolated containers or application cells
Uses fewer resources and can be more efficient than a system using a traditional
Type II virtualization
Containers must use same OS as host
VM Escape Protection
An attack that allows an attacker to access the host system from within the
virtual system
VM Sprawl Avoidance
Occurs when an org has many VM’s that aren’t appropriately managed.
Someone creates a test VM that no one knows about and doesn’t get
deleted/updated
Using Master Images for Baseline Configurations
Admins sometimes create them images with templates or with other tools to
create a secure baseline
Imaging provides two important benefits:
Chapters 1-11 Final Review
30
Secure starting point - image includes mandated security configurations for
the system
Reduced costs - deploying imaged systems reduces the overall maintenance
costs and improves reliability
Patch Management
Ensures that systems and apps stay up to date with current patches
Reduces OS and app vulnerabilities since it protects systems from known
vulnerabilities
Change Management
Defines the process and accounting structure for handling modifications and
upgrades
Reduce risks related to unintended outages and provide documentation for all
changes
Application Approved Lists and Block Lists
Approved lists (whitelist) - apps authorized to run on a system
Block Lists (black lists) - list of apps the system blocks
Application Programming Interfaces
A software component that gives devs access to features or data within an app,
service, or OS.
Devs need to address several API considerations to ensure that API
considerations to ensure that APIs aren’t vulnerable to common exploits:
Authentication (2nd factor auth)
Authorization (diff levels of access)
Transport level security - should use strong security like TLS when
transferring any traffic over the internet
Full Disk Encryption
Encrypts an entire disk
Chapters 1-11 Final Review
31
Self encrypting disk (SED) - automatically encrypts and decrypts data on a drive
without user intervention.
Boot Integrity
Measured boot - goes through enough of the boot process to perform these
checks without allowing a user to interact with the system. If it detects that the
system has lost integrity and can no longer be trusted, the system won’t boot.
Trusted Platform Module
TPM is a hardware chip on the motherboard that stores cryptographic keys used
for encryption.
Provides full disk encryption and supports secure boot and remote attestation
Hardware security module
Security device you can add to a system to manage, generate, and securely
store cryptographic keys
Diff between a TPM and HSM is that HSM’s are removeable or external devices
(Micro SD)
Data Exfiltration
Unauthorized transfer of data out of a network.
Data loss prevention (DLP) tech can block the use of USB devices to prevent
data loss and monitor outgoing email traffic for unauthorized data transfers.
Software as a Service
Includes any software or application provided to users over a network such as
the internet
Platform as a Service
Provides customers with a preconfigured computing platform they can use as
needed
Easily configurable OS system and appropriate apps with on demand computing.
Chapters 1-11 Final Review
32
Infrastructure as a Service
Allows an org to outsource its equipment requirements
Provides customers with access to hardware in a self managed platform
Anything as a service
Could services beyond SaaS, PaaS, and IaaS
Includes services such as communications, databases, desktops, storage,
security, and more.
Cloud Deployment Models
Private clouds are only available for one organization
Public cloud services are available to anyone and are provided by third party
organizations
Two or more orgs with shared concerns can share a community cloud
A hybrid cloud is a combination of two or more clouds
Managed Security Service Provider
A third party vendor that provides security services for an organization.
MSP provides any IT services needed by an org including security services
provided by an MSSP
Cloud Service Provider Responsibilities
An entity that offers one or more cloud services via one or more cloud
deployment models
High availability
Resource Policy - folders, projects, and virtual machine instances
Secrets Management - passwords and encryption keys that users create. Stores
and manages secrets.
Integration and auditing - CSP integrates auditing methods that help customers
identify the effectiveness of security controls
Chapters 1-11 Final Review
33
Virtual Network - Software defined network tech instead of physical routers and
switches
Public and private subnets - Public subnets have public IP addresses and are
accessible via the internet. Same for private.
Segmentation
Security groups - Admins assign permissions to a group and add users to the
account
Dynamic resource allocation
Instance awareness - Ability of the CSP to know and report how many instances
of cloud based resources an org is renting
Virtual private cloud (VPC) endpoint - virtual device within a virtual network.
Transit gateway - used to connect VPCs to an on premise network
Container security - runs services or apps within containers.
Next Generation Secure Web Gateway
A combination of a proxy server and a stateless firewall
Filters URLs, scans malware, packet filtering
Cloud based service but can be on-site
💡
A cloud access security broker (CASB) is a software tool or service
deployed between an orgs network and cloud provider. It provides security
by monitoring traffic and enforcing security policies.
Infrastructure as Code
Managing and provisioning data centers with code to define VMs and virtual
networks.
Reduces complexity of creating virtual objects by allowing admins to run a script
to create them
Software defined networking
Chapters 1-11 Final Review
34
Uses virtualization tech to route traffic instead of using hardware routers and
switches
Routing protocols such as Open Shortest Path First (OSPF) and Border
Gateway Protocol (BGP) help routers determine the best path to route traffic on
the control plane
Edge Computing
Practice of storing and processing data close to the devices that generate and
use the data
Diff between fog and edge computing is that fog computing uses a network close
to the device and may have multiple nodes sensing and processing data within
the fog network. Edge computing stores and processes the data on single nodes
or appliances.
Deployment Models
Corporate owned - org purchases devices and issues them to employees
Corporate owned, personally enabled (COPE) - similar to CO, but employees are
free to use the device as if it was their own
Bring your own device (BYOD) - employees are responsible for selecting and
supporting the device
Choose your own device (CYOD) - some orgs create a list of acceptable devices
and publish the list in a BYOD policy. The employee purchases the device.
Connection and Receiving Methods
Cellular
WIFI
Bluetooth
NFC - payment gateway for phone
RFID
Infrared - used in remote controls or smartphones
USB
Point to point - between two wireless devices (Bluetooth, RFID, NFC)
Chapters 1-11 Final Review
35
Point to multipoint - wireless devices connect to each other without an AP
Payment Methods
Mobile Device Management
Includes the technologies to manage mobile devices
Unified endpoint management (UEM) - ensure systems are kept up to date with
current patches, have antivirus, and are secured using standard security
practices.
App management - MDM tools can restrict what apps can run
Full device encryption - provides device security, app security, and data security
Storage segmentation - users would store corporate data within an encrypted
segment and personal data elsewhere on the device.
Content management - can force the user to authenticate again when accessing
data within this encrypted segment
Containerization - orgs can implement containerization in mobile devices and
encrypt the container to protect it without encrypting the entire device. Good for
BYOD and CYOD
Passwords and PINs
Biometrics
Screen locks
Remote wipe
Geolocation
Geofencing - orgs sometimes use GPS to create a virtual fence or boundary. An
org can configure a wireless network to only operate for mobile devices within
the defined boundary.
GPS tagging - adds geographical info to files like pictures
Context aware authentication - uses multiple elements to authenticate a user and
a mobile device. Can include identity, geolocation, geofence, time of day, and
type of device.
Push notifications
Chapters 1-11 Final Review
36
Embedded Systems
Any device that has a dedicated function and uses a computer system to perform
that function
Field programmable gate array (FPGA) - programmable integrated circuit
installed on a circuit board
Arduino - microcontroller board, circuit board contains the CPU, RAM, and ROM.
Used for simple repetitive tasks like monitoring temp
Raspberry Pi - microprocessor based mini computer. Can be used to send
signals to control temp
ICS and SCADA Systems
Systems within large facilities such as power plants or water treatment facilities.
Supervisory control and data acquisition system (SCADA) - controls an ICSS by
monitoring it and sending it commands. Protected within isolated networks that
can’t access the internet
Used in manufacturing, facilities, energy, and logistics
Embedded System Constraints
Computing
Crypto - encrypting data
Power
Range
Authentication
Network - often need an interface to configure a device
Cost - adding features increases cost
Inability to patch
Implied trust - most users trust that embedded systems are secure
Weak defaults - weak defaults used for authentication or defaulting to no
encryption when sending data
Chapters 1-11 Final Review
37
Chapter 6
Threat Actors
Advanced Persistent Threat (APT) - group of organized threat actors that engage
in target attacks against organization
State actors - target specific companies organizations, or agencies
Criminal syndicates - group of individuals working together in criminal activities
Script kiddie - attacker who uses existing computer scripts or code to launch
attacks
Hacktivist - launches attacks as part of an activist movement or to further a
cause
Blackhat - unauthorized hacker
White hat - security professional working within the law
Gray hat - identifies individuals who may have good intentions, but activities may
cross ethical lines.
Attack Vectors
Email - frequently used to send out spam with malicious links or attachments
Social media - used to gather info on targets
Malware Types
Malware - wide range of software that has malicious intent
Symptoms include running slower, starting unknown processes, sending out
email without user interaction, random reboots, and more.
Virus - malicious code that attaches itself to a host application
May delete files, cause random reboots, join computer to a botnet, or enable
backdoors that attackers can use to access systems
Worms - self replicating malware that ravels throughout a network without
assistance of a host application or user interaction
Logic Bombs - string of code embedded into an app or script that will execute in
response to an event or specific time
Chapters 1-11 Final Review
38
Backdoor - another way of accessing a system
Trojans - can come as pirated software, useful utility, game, or something users
might be enticed to download and try
Drive by download steps:
Attackers compromise website
Install trojan into website code
Attackers bring in people to the website
Users visit and website tries to download trojan onto their system
Remote access trojan (RAT) - malware that allows attackers to control systems
from remote locations
Keyloggers - attempt to capture a user’s keystrokes
Spyware - software installed on users systems without their awareness or
consent. Often includes a keylogger
Changes a users homepage, redirecting web browsers, installing additional
software within the browser
Rootkit - group of programs that hides that fact that the system has been infected
or compromised by malicious code. Modifies internal OS processes, system files,
and modifying admin access.
Bots/Botnets - software bots used to malicious purposes like stealing sensitive
and private info
Command and Control - used by botnets to periodically check in for instructions
Ransomware - attackers take control of computers and networks, locking out
users
Cryptomalware - attackers encrypt data on computers within the network to
prevent access to demand the org to pay ransom
Fileless virus - type of malicious software that runs in memory
Potential Indicators of Malware
Extra traffic
Data exfiltration - unauthorized transfer of data out of a network
Encrypted traffic - malware will encrypt the data before data exfiltration attempts
Chapters 1-11 Final Review
39
Traffic to specific IPs - bot zombies will attempt to connect to known command
and control servers
Outgoing spam - botnets are sending phishing emails
Social Engineering
The practice of using social tactics to gain info
Flattery/conning
Assuming position of authority
Encouraging a risky action
Encouraging to reveal sensitive info
Impersonating
Tailgating
Dumpster diving
Zero-day vulnerabilities - bug that is unknown to trusted sources. Could be
that vendors don’t know about the vulnerability or haven’t written patches to
fix it. Can evade up to date anti-virus software
Watering hole attack - attempts to discover which website a group of people
are likely to visit and then infects those websites with malware that can affect
other visitors
Typo Squatting - when someone buys a domain name that is close to a
legitimate name
Hosting malicious websites
Earning ad revenue
Reselling the domain
Eliciting Information - act of getting information without asking for it directly
Pretexting - fictitious scenario added to a conversation to make a request
more believable
Prepending - adding something to the beginning of something else
Identity theft - when someone steals personal info
Invoice scams
Chapters 1-11 Final Review
40
Credential harvesting
Reconnaissance
Influence campaigns
Hybrid warfare - military strategy that blends conventional warfare with
unconventional methods to influence people
Other Types of Attacks
Phishing
Whaling
Vishing - use the phone system to trick users into giving up personal and
financial info
Smishing - texts that include malicious attachments and try to trick the user into
giving up personal info
Blocking Malware
Spam filter on mail gateway - detect and filter spam before it gets to users
Anti-malware software on mail gateway - strips potentially malicious attachments
off the email
All systems
Boundaries or firewalls
Antivirus and Anti-Malware software
Signature based detection
Heuristic based detection
File integrity monitors
Cuckoo Sandbox - open source automated software analysis system. Primary
purpose is to analyze suspicious files and test
Chapters 1-11 Final Review
41
💡
Social engineers are effective because they use psychology based
techniques to overcome users objections. Including representing
themselves as authoritative figures , intimidation, faking scarcity, urgency,
familiarity, or creating a sense of trust.
Threat Intelligence Sources
Open source intelligence (OSINT) - gathering public information
Common types of OSINT:
Vulnerability databases - known vulnerabilities and public databases
Trusted automated eXchange of Indicator information (TAXII) - open
standard that defines a set of services and message exchanges used to
share info. Standard way for orgs to exchange cyber threat info
Structured threat info eXpression (STIX) - open standard that identifies what
cyber threat info orgs should share
Automated Indicator sharing (AIS) - used for real time exchange of threat
indicators and defensive measures
Dark web
Public/private info sharing centers
Indicators of compromise - evidence that a cyberattack is happening or has
happened
Predictive analysis - attempt to predict what attackers will do next and how to
thwart their attacks
Threat maps - visual representation of active threats
File/code repositories - prewritten code that developers can use for a variety
of purposes, including gathering intelligence
Chapter 7
Attack Frameworks
Cyber kill chain - concept related to an attack
Chapters 1-11 Final Review
42
Reconnaissance - researching, identifying, and selecting targets
Weaponization - malware is embedded within a deliverable payload
Delivery - payload is transmitted to the target. (malware attachment in
phishing email)
Exploitation - after weapon is delivered, it activates and triggers the exploit
Installation - exploit will often install a remote access Trojan or backdoor on
the system
Command and Control - infected systems send out a signal over the internet
Actions over objectives - attackers can begin taking action to achieve their
ultimate goals
Diamond Model of Intrusion Analysis
Adversary - can be identified by email, usernames, memberships in
advanced persistent threat groups
Capabilities - malware, exploits, and other hacker tools
Infrastructure - Internet domain names, email addresses, and IP addresses
used by the adversary
Victim - can be identified by names, email, or other network identifiers
MITRE ATT&CK - knowledge base of tactics and techniques used in real world
attacks
Identifying Network Attacks
DoS vs DDoS
Denial of service - attack from one attacker against one target
Distributed denial of service - attack from two or more computers against a
single target
The goal is resource exhaustion which overloads the system
SYN Flood Attacks
Disrupts the TCP three way handshake process by never responding with a
SYN/ACK
Spoofing
Chapters 1-11 Final Review
43
When one person or entity impersonates as someone
On Path Attacks
Man in the middle attacks isa form of active interception or active
eavesdropping
When secure channels aren’t used, the hackers system may use certs that
aren’t issued by a CA and will generate certificate warnings.
Secure Sockets Layer Stripping
Redirects the user to HTTP by intercepting the beginning of the TLS
negotiation process
Layer 2 Attacks
ARP Poisoning - attack that misleads computers or switches about the actual
MAC address of a system
ARP Request - broadcasts the IP address and asks, “Who has this IP
address?”
ARP Reply - the computer with the IP address in the ARP request responds
with its MAC address. The sender computer caches the MAC address for the
IP.
ARP On Path Attacks
Can eavesdrop, redirect network traffic, or insert malicious code
Normally it goes from user → switch → router → internet
But with poisoning it goes user → attacker → router → internet
ARP DoS Attacks
If all computers cache a bogus MAC address for the default gateway, none
of them can reach it, making all traffic stop going out of the network
MAC Flooding
Attack against a switch that attempts to overload it with different MAC
addresses associated with each physical port
After flooding, the switch runs out of memory to store all the MAC addresses
and enters a fail-open state turning it into a simple hub.
Traffic sent to any port of the switch is now sent to all other switch ports
Chapters 1-11 Final Review
44
MAC Cloning
Changing a systems MAC address to another MAC address
DNS Attacks
DNS poisoning attacks - attempts to modify or corrupt DNS data
Users enter the URL and are taken to a different website
Pharming Attack - manipulates the DNS name resolution process
Redirects users to a different website like DNS poisoning attacks
URL Redirection - used to redirect traffic to a different page within the site.
Domain Hijacking - an attacker changes a domain name registration without
permission from the owner
Domain Reputation - helps ISPs determine the likelihood that an email is being
sent by a legitimate organization
DNS Sinkhole - a DNS server that gives incorrect results for one or more domain
names
DNS Log Files - record DNS queries such as each request to resolve a
hostname to an IP address
Replay Attack and Session Replays
An attacker replays data that was already part of a communication session.
The attacker modifies the data then tries to impersonate one of the clients in the
original session and send the modified data in session replays
Secure Coding Concepts
OWASP - Open Web Application Security Project focused on improving the
security of software
Code Reuse and Dead Code
Third party Libraries and SDKs - their party libraries that devs can call from
within a web application without needing to write any code.
Input Validation - prevents an attacker form sending malicious code that an
application will use by either sanitizing input to remove malicious code or
Chapters 1-11 Final Review
45
rejecting the input
Verifies proper characters
Blocking HTML code
Preventing the use of certain characters
Boundary or range checking
Protects against buffer overflow, SQL injection, dynamic link library injection,
and cross-site scripting attacks
Client side and server side input validation - client side input validation is quicker
but is vulnerable to attacks. Server side is longer but more secure since it
ensures that the application doesn’t receive invalid data
Avoiding Race conditions - when two or more applications attempt to access a
resource at the same time.
Like people buying things and having the same ticket details
Proper Error Handling - ensures that an application can handle an error
gracefully
Errors to users should be general - detailed errors provide info that attackers
can use against the system
Detailed errors should be logged - makes it easier for devs to identify what
caused the error and how to resolve it
Code Obfuscation and Camouflage - attempts to make something unclear or
difficult to understand. Camouflage attempts to make the code unreadable
Software Diversity - used to mimic the use of multiple different core languages
A compiler converts code written in a programming language into a binary
exe file
Adds a level of randomness to the code allowing the same program to
behave slightly differently on different OS’s but still achieving the same
result.
Outsourced Code Development
Making sure the code works as expected
Vulnerable code
Malicious code
Chapters 1-11 Final Review
46
Lack of updates
Data Exposure
HTTP Headers
HTTP Strict Transport Security - tells browser to display the page only if
sent as HTTPS
Content Security Policy - acceptable content
X-Frame Options - Tells the browser if X-Frames are allowed
Secure Cookies - small text file and is used to enhance the user experience.
Secure ensures that the cookie is only transmitted over secure channels like
HTTPS
Code Signing - authenticate and validates software
Analyzing and Reviewing Code
Static Code Analysis - examines code without executing it. Can use automated
tools
Manual Code Review - review code line by line. Done by someone other than the
programmer.
Dynamic code analysis - checks the code as its running. Fuzzing uses a
computer program to send random data to an application. Can crash the
program sometimes
Sandboxing - used to test applications within an isolated area
Software Version Control
Tracks the versions of software as its updated, who edited, and is able to
rollback changes
Secure Development Environment
Development - use an isolated environment to create the application
Test - put the application through its paces and attempt to discover any bugs or
errors
Staging - simulates the production environment and is used for late stage testing
Chapters 1-11 Final Review
47
Production - application goes live as the final product
Quality assurance - helps ensure that an application maintains a high level of
quality
Database Concepts
Normalization - organizing tables and columns to reduce redundant data and
improve overall database performance. A database is considered normalized
when it conforms to the first three normal forms
First Normal Form
Each row within a table is unique and identified with a primary key
Related data is contained in a separate table
None of the columns include repeating groups
Second Normal Form
Only applies to tables that have a composite primary key where two or
more columns make up the full primary key
1NF
Non-primary key attributes are completely dependent on the composite
primary key
Third Normal Form
2NF which also means 1NF
All columns that aren’t primary keys are only dependent on the primary
key
SQL Queries
SQL Injection Attacks
The attacker enters enters additional data into the webpage form to generate
different SQL statements
Protecting against SQL injection attacks
Stored procedure - group of SQL statements that execute as a whole
The stored procedure performs data validation but it handles the parameter
differently and prevents a SQL injection attack
Chapters 1-11 Final Review
48
Provisioning and Deprovisioning
Giving and removing services for users/apps
An app can run on IOS devices and use diff services like the accelerometer and
gyroscope to detect movement. Deprovisioning an app refers to removing it from
the device.
Integrity Measurement - Quality of the code and how extensively the code was
tested throughout the development cycle.
Web Server Logs
Logs activity on the server. Will show normal activity like HTTP requests from
users and server’s responses
Common to send log entries to a centralized logging system and configure it to
send alerts after detecting suspicious activity
Using Scripting for Automation
SIEM systems include a wide variety of scripts working behind the scenes to
collect and analyze log entries
Automated courses of action - updating code triggers automated responses to
verify the application runs correctly
Continuous monitoring - monitors code changes to detect compliance issues and
security threats
Continuous validation - Revalidates code after every change
Continuous integration - practice of merging code changes into a version control
repository
Continuous delivery - code changes are released automatically to a testing or
staging environment
Continuous deployment - code changes are deployed automatically to the entire
production environment. Deployment deploys the changes to a production
environment whereas delivery only sends the changes to a testing environment.
Identifying Malicious Code and Scripts
Can’t update the system
Chapters 1-11 Final Review
49
Antivirus is disabled
System is slow
Internet traffic increases on it own
Programs start automatically
System randomly crashes or freezes
Security warnings
Browser home page or search engine changes
Ransom message
Powershell
Task based command line shell and scripting language that uses cmdlets
Can run .bat and .ps1 files
Common verbs are: get, add, test, remove, new, find, and move
Common nouns: command service, location, process, childitem, wmiobject,
psdrive
Bash
Command language interpreter for Unix and Unix-like operating systems
When running a bash script file you much prefix it with bash or sh
If logs show that bash or sh is being invoked to run scripts it may be an indicator
of an attack
Python
Interpreted programming language that includes extensive libraries
Potential indicator of a system running Python scripts is any reference to .py files
Macros
Short instruction that will run a longer set of instructions
Useful for automating repetitive functions
Visual Basic for Applications (VBA)
Chapters 1-11 Final Review
50
Internal programming language within Microsoft applications
Event driven tool and started by initiating macros
OpenSSL
Software library used to implement SSL and TLS protocols
SSH
Used by Windows or Linux to connect with remote systems
Identifying Application Attacks
Zero day attacks - weakness or bug that us unknown to trusted sources
Memory vulnerabilities - vulnerabilities in memory or buffers
Memory leak - bug in a computer application that causes the application to
consume more and more memory the longer it runs
Buffer Overflow - occurs when an application recieves more input than it
expects
Buffer Overflow attacks - include NOP instructions followed by malicious
code
Integer Overflow - occurs if an application receives a numeric value that is too
big for the application to handle
Pointer/Object Dereference - Stores a reference to a variable or object.
Dynamic Link Library Injection - DLL is a compiled set of code that an application
can use without re-creating the code. Injection is an attack that injects DLL into a
system’s memory and causes it to run
Lightweight directory access protocol injection - specifies the formats and
methods used to query databases of objects such as users, computers, and
other objects within a network
Extensible Markup Language (XML) - markup language commonly used to
transfer data. Primary indicator of XML injection is the creation of unwanted
accounts
Directory Traversal - specific type of injection attack that attempts to access a file
by including the full directory path or traversing the directory structure on a
computer
Chapters 1-11 Final Review
51
Cross-Site Scripting - web application vulnerability that allows attackers to inject
scripts into webpages
Reflected XSS or non-persistent - attacker crafting a malicious email then
encouraging a user to click on it. The request includes malicious code and
the server sends it back to the user in the HTTP responses
Stored XSS or persistent - malicious code stored in a database or other
location trusted by the web application
Cross-site request forgery (XSRF or CSRF) - an attack where an attacker tricks
a user into performing an action on a website to capture user information such as
cookies. Can usually be prevented by a CAPTCHA or dual authentication.
Server-side request forgeries (SSRF) - exploit how a server processes external
information. If an attacker can modify the external URL he can potentially inject
malicious code into the webpage.
Client-side request forgeries - occurs if an attacker can inject code into the client
side webpage after the server has crafted it and sent it to the user
Driver manipulation - Shimming provides the solution that makes it appear that
the older drivers are compatible
AI and Machine Learning - AI is intelligence that machines can demonstrate. ML
refers to technologies that help computer systems improve with experience
Adversarial AI - attempts to fool AI models by supplying it with deceptive input
Chapter 8
Understanding Risk Management
Threats - potential danger
Malicious human threats
Accidental human threats - users can accidentally delete or corrupt data
Environmental threats - long term power failure
Risk types
Internal - any risks from within an organization
External - from outside the organization
Chapters 1-11 Final Review
52
IP theft - Intellectual property like copyrights, patents, trademarks, and trade
secrets
Software compliance - Development companies sell software as licenses
which employees can sometimes use up without authorization
Legacy systems and legacy platforms - no vendor support
Multiparty - occur when an org contracts with an external organization for
goods and services
Vulnerabilities
Default configurations
Lack of malware protection or updated definitions - out of date antivirus
Improper or weak patch management
Lack of firewalls - more vulnerable if host based and network firewalls aren’t
enabled
Lack of organizational policies - if job rotation, mandatory vacations, and lest
privilege policies aren’t implemented, an organization may be more
susceptible to fraud from employees
Risk Management
Practice of identifying, monitoring, and limiting risks to a manageable level
Inherent risk - risks that exist before controls are in place to manage the risk
Residual risk
Control risk - risk that exist if in-place controls do not adequately manage risks
Risk appetite - amount of risk an org is willing to accept
Avoidance - org can avoid a risk by not providing a service or not participating in
a risky activity
Mitigation - org implements controls to reduce risks
Acceptance - cost of a control outweighs a risk
Transference - org transfers the risk to another entity or at least shares the risk
with another entity (insurance)
Cybersecurity insurance - helps protect businesses and individuals from losses
related to cybersecurity incidents such as data breaches and network damage
Chapters 1-11 Final Review
53
Risk Assessment types
Quantitative Risk Assessment - measures the risk of using a specific monetary
amount
Single loss expectancy (SLE) - cost of any single loss
Annual rate of occurrence (ARO) - how many times the loss will occur in a
year
Annual loss expectancy (ALE) - value of SLE x ARO
Qualitative Risk Assessment - uses judgement to categorize risks based on the
likelihood of occurrence and impact
Supply Chain Risks - includes all the elements required to produce and sell a
product
Risk Register - comprehensive document listing known info about risks
Risk Matrix plots risks onto a graph
Risk heat map - uses color coding to plot the risks
Threat Hunting
Process of actively looking for threats within a network before an automated tool
detects and reports on the threat
Adversary tactics, techniques, and procedures (TTPs) - refers to attackers
methods when exploiting a target
Intelligence fusion - combines all data to create a picture of likely threats and
risks for an organization
Comparing Scanning and Testing Tools
Checking for vulnerabilities
Password Cracker - attempts to discover a password (Online or Offline)
Network Scanners - uses various techniques to gather info about hosts
within a network
Arp ping scan - used to resolve IP addresses to MAC addresses
Syn stealth scan - sends a single SYN packet to each IP address in the
scan range. If hosts responds the scanner knows the host is operational
Chapters 1-11 Final Review
54
with that IP address.
Port scan - checks for open ports on a system
Service scan - verifies the protocol or service
OS detection - analyzes packets from an IP address to identify the OS
Vulnerability Scanning - identify which systems are susceptible to attacks
Open ports and services
Unsecure root accounts
Default accounts and passwords
Default settings
Unpatched systems
Errors
Open permissions
Unsecure protocols
Weak encryption
Weak passwords
Sensitive data
Vulnerability Scan Outputs
Lists of hosts discovered
Detailed list of apps running on each host
Open ports and services on each host
Vulnerabilities
Recommendations
💡
Vulnerability scans are passive and have little impact on a system during a
test. A penetration test is intrusive and can potentially compromise a
system.
Penetration Testing
Chapters 1-11 Final Review
55
Rules of engagement - authorization before beginning any vulnerability or
penetration testing
Reconnaissance - attempts to learn as much as possible about a network
Passive - collects info about a targeted system, network, or org using open
source intelligence (OSINT)
Active - use tools to engage targets
Network Reconnaissance and Discovery
Use tools to send data to systems and analyze the responses
Tools include:
IP scanner - searches for active IP addresses
Nmap - identifies active hosts on a network, IP addresses, protocols and
services, and the host’s OS
Netcat - cmd line for remotely accessing Linux systems
Scanless - Python based command line utility which performs port scans
Dnsenum - list DNS records for domains
Nessus - vulnerability scanner used for configuration reviews
hping - sends pings using TCP, UDP, or ICMP
Sn1per - automated scanner used for vulnerability assessments and to
gather info on targets during penetration testing
Client URL (Curl) - used to transfer and retrieve data to and from servers
Lateral Movement
The way attackers maneuver throughout a network
Privilege Escalation
Attackers using various methods to gain more and more privileges from a user
on a network
Pivoting
Process of using various tools to gain additional info
Chapters 1-11 Final Review
56
Uses an exploited system to target other systems
Known, Unknown, and Partially Known Testing
Environment
Unknown - zero knowledge of the environment prior to starting a unknown test.
Approach the test with the same knowledge as an attacker
Known - testers have full knowledge of the environment before starting a known
test. Access to product documentation, source code, and even logon details.
Partially - testers have some knowledge of the environment prior to starting the
partial test
Cleanup
One of the last steps of a penetration test
Removing any user accounts created on systems in the network
Removing scripts or applications
Removing files, logs, or temp files
Reconfiguring all settings modified during the penetration test
Exercise Types
Red team - attacks systems, breaking into defenses and exploiting vulnerabilities
Blue team - defends. Usually employees
Purple team - can do either blue or red team activities
White team - establish the rules of engagement for a test and oversee the testing
Capturing Network Traffic
Packet Capture and Replay - using a protocol analyzer, this allows admins to
analyze and modify packet headers and payloads
A capture shows info such as the type of traffic, flags, source and destination IP,
and MAC addresses.
Tcpreplay and Tcpdump
Chapters 1-11 Final Review
57
Tcpreplay is a suite of utilities used to edit packet captures and then send the
edited packets over the network. Used for testing network devices
Tcpdump - cmd protocol analyzer. Allows the capture of packets
NetFlow, sFlow, and IPFIX
Netflow - feature on routers and switches that can collect IP traffic statistics and
send them to a NetFlow collector
sFlow - provides traffic info based on a preconfigured sample rate. (Ex. captures
1 packet out of every 10 and sends it to the sFlow collector.
Understanding Frameworks and Standards
Framework - structure used to provide a foundation
ISO 27001 - Information Security Management requirements
ISO 27002 - Information Technology Security Techniques
ISO 27701 - Privacy Information Management System outlines a framework for
managing and protecting PII
ISO 31000 - family of standards related to risk management
SOC 2 Type I - an orgs systems and covers the design effectiveness of security
controls on a specific date
SOC 2 Type II - an orgs systems and covers security controls operational
effectiveness over a range of dates
Risk Management Frameworks
Prepare - identifies key roles for implementing the framework, identifies risk
tolerance strategies, updates risk assessments, and identifies in place controls
Categorize information systems - personnel determine the impact to operations
and assests if there is a loss of CIA
Select security controls - personnel select and tailor the controls necessary to
protect their operations and assets
Implement security controls - personnel implement the selected controls
Assess security controls - personnel assess the controls to see if they are
producing the desired outcome
Chapters 1-11 Final Review
58
Authorize info systems - senior management official determines if the system is
authorized to operate
Monitor security controls - ongoing step where personnel constantly assess
changes in the system and environment
Cybersecurity Framework
Framework core - set of activities that an org can select to achieve desired
outcomes (identify, protect, detect, respond, and recover)
Framework implantation tiers - help an org identify how it views risks. (Partial Tier
1, Risk informed Tier 2, Repeatable Tier 3, and Adaptive Tier 4)
Framework profiles - provide a list of outcomes for an organization based on its
needs and risk assessments. By comparing current and target profiles an org
can identify gaps in its risk management.
Reference Architecture
Document or set of documents that provides a set of standards
Exploitation Frameworks
Metasploit Framework - open source project for Linux. Has data on over 1600
exploits
Browser Exploitation Framework (BeEF) - open source web browser exploitation
framework. Focuses on identifying web browser vulnerabilities
Web app attack and audit framework (w3af) - focuses on web app vulnerabilities
Chapter 9
Physical Security Controls
Proximity cards
Physical locks
Cipher locks
Biometric locks
Cable locks
Chapters 1-11 Final Review
59
Security with Personnel
Two person integrity - security control that requires the presence of at least two
authorized individuals to perform a task
Monitoring Areas with Sensors
Motion detection
Noise detection
Temperature
Moisture detection
Proximity reader
Cards
Asset Management
Process of tracking valuable assets throughout their life cycles
Architecture and design weaknesses - helps reduce architecture and design
weaknesses by ensuring that purchases go through the approval process
System sprawl and undocumented assets - occurs when an org has more
systems than it needs
Implementing Diversity
Defense in depth - security practice of implementing several layers of protection
Vendor diversity - practice of implementing security controls from different
vendors to increase security
Technology diversity - practice of using different technologies to protect an
environment
Control diversity - use of different security control types, such as tech, physical,
and admin controls.
Faraday Cage
A room that prevents radio frequency signals from entering into or emanating
beyond a room.
Chapters 1-11 Final Review
60
Malicious Universal Serial Bus Cable
Has an embedded WiFi controller capable of receiving commands from nearby
wireless devices
Redundant array of inexpensive disks
RAID-0 - Striping doesn’t provide any redundancy or fault tolerance. Increased
read/write performance
RAID-1 - Mirroring uses both disks to write, so if one fails the other has the same
data.
RAID-5 / RAID-6 - Consisted of 3 or more disks. Similar to RAID-0, but if 2 or
more disks fails then the data is lost. RAID-6 requires 4 or more disks and 2
drives can fail but still operate
RAID-10 - combination of RAID 1 + 0. 4 minimum drives. (Ex. 4 500gb so 1TB of
usable storage)
NIC Teaming
Allows you to group two or more physical network adapters into a single software
based virtual network adapter
Increases performance using load balancing
Power Redundancies
Uninterruptible power supplies (UPS) - provides short term power and protects
against power fluctuations
Dual supply - second power supply
Generators - provides long term power during extended outages
Managed power distribution units - server racks within a data center house
multiple computing devices. Used with a Power Distribution Unit, this monitors
the quality of power and reports the measurements to a console.
Backup Media
Disk
Chapters 1-11 Final Review
61
Network attached storage (NAS) - dedicated computer used for file storage and
is accessible on a network. Ran by a stripped down version of Linux for simplicity
and to reduce costs
Storage area network (SAN) - provides block level data storage via full network.
Can be used for real time replication of data
Cloud
Comparing Backup Types
Full backup
Differential - backs up all the data that has changed or is different since the last
time
Incremental - backs up all the data that has changed since the last full or
incremental backup or a single day
Snapshot and image backup - captures the data at a point in time
Business Impact Analysis Concepts
Important part of a BCP
Helps org identify critical system and components that are essential to the orgs
success
Recovery Time Objective
The maximum amount of time it can take to restore a system after an outage
Recover Point Objective
A point in time where data loss is acceptable
MTBF vs MTTR
Mean time between failures (MTBF) - provides a measure of a system’s reliability
and is usually represented in hours
Mean time to repair (MTTR) - average time it takes to restore a system
Continuity of Operations
Chapters 1-11 Final Review
62
Focuses on restoring mission essential functions at a recover site after a critical
outage
Site resiliency - if one site suffers a failure an alt site can take over after the
disaster
Hot site - up and operational 24/7. Includes all the equipment, software, and
capabilities of the primary site
Cold site - requires power and connectivity. Ability to relocate and operate
anywhere
Warm site - provides a compromise that a org can tailor to meet its needs
Disaster Recovery
How to recover critical systems and data after a disaster
Phases:
Activate the disaster recovery plan
Implement contingencies
Recover critical systems
Test recovered systems
After action support
Testing Plans with Exercises
Table top exercises - discussions based around scenarios
Walk throughs - workshops that train team members about their roles and
responsibilities
Simulations - functional exercises that allow personnel to test the plans in a
simulated operational environment
Chapter 10
Cryptography Concepts
Integrity - provides assurances that data has not been modified
Chapters 1-11 Final Review
63
Hash - number derived from performing a calculation on data. Cannot be
reversed to re-create the original data
Confidentiality - ensures that data is only viewable by authorized users
Encryption - scrambles data to make it unreadable if intercepted. Typically
includes an algorithm and a key.
Symmetric encryption - uses the same key to encrypt and decrypt data
Stream ciphers - encrypts data 1 bit at a time
Asymmetric encryption - uses two keys (public and private) as a matched
pair
Requires a Public Key Infrastructure (PKI) to issue certificates
Anything encrypted with the Public/Private key has to be decrypted with
the matching Public/Private key
Steganography - provides a level of confidentiality by hiding data within other
files
Hash vs Checksum
Hashes are longer numbers and used in strong cryptographic implementations
Checksum is typically a small piece of data and used to verify the integrity of
data
💡
Two popular hashing algorithms used to verify integrity are MD5 and SHA256.
MD5
Common hashing algorithm that produces a 128 bit hash
Sometimes used to verify the integrity of files as a quick checksum (Ex, emails.
disk files, exe files)
Secure Hash Algorithms
SHA - group of hashing algorithms with variations in grouped four families (SHA0, SHA-1, SHA-2, and SHA-3)
Chapters 1-11 Final Review
64
SHA-0 is not used
SHA-1 similar to MD5, but weaknesses were discovered so it’s not used
SHA-2 improved SHA-1 to overcome potential weaknesses. Includes 4
versions (256, 512, 244, 384.
SHA-3 an alternative to SHA-2
Used for file integrity
HMAC
Hash message authentication code
Fixed length string of bits similar to other hashing algorithms such as MD5 and
SHA-256
Can be used with a HMAC secret key to create another hash unknown to
attackers
Hashing Collision
Occurs when the hashing algorithm creates the same hash from different inputs
MD5 is highly susceptible to collision attacks, which is why it’s no longer
recommended as a cryptographic hash
Password Attacks
Online password attack - attempts to discover a password from an online system
Offline password - attempt to discover passwords from a captured database or
captured packet scan that is downloaded
Dictionary Attacks
Uses dictionary of words and attempts every word in the dictionary to see if it
works.
Brute Force Attacks
Attempts to guess all possible character combinations
Spraying Attacks
Chapters 1-11 Final Review
65
A special type of brute force or dictionary attack designed to avoid being locked
out.
Loops through a long list of accounts so it takes a while before it hits the same
account twice, avoiding the account lockout policy
Pass the Hash Attack
Attacker discovers the hash of the user’s password and then uses it to log on to
the system as the user
Birthday Attacks
Attacker attempts to create a password that produces the same hash as the
user’s actual password
Exploit collisions in hashing algorithms
Rainbow Table Attacks
Attempts to discover the password from the hash
Huge database of possible passwords with the precomputed hashes for each
The application guesses a password
Application hashes the guessed password
Compare original password hash with the guessed password hash
If not the same password, app repeats
Salting Passwords
Common method of preventing rainbow table attacks, brute force, and dictionary
attacks
Key Stretching
Advanced technique used to increase the strength of store passwords
bcrypt - used on many Unix and Linux distributions to protect the passwords
stored in the shadow password file. Salts the password by adding additional
random bits before encrypting it
Chapters 1-11 Final Review
66
Password-Based Key Derivation Function 2 (PBKDF2) - uses salt of at least 64
bits and uses a pseudo-random function such as HMAC to protect passwords. A
weakness is that it can be configured to use less computing time making it
beneficial to users but easier for attackers.
Argon 2 - uses a password and salt that is passed through an algorithm several
times
💡
Encryption provides confidentiality and helps ensure that data is viewable
only by authorized users such as data in a database or data in transit.
Providing Confidentiality with Encryption
Data at rest - refers to any data stored on media
Data in transit - any data sent over a network
Data in processing - data being used by a computer. Because the data is being
used by the computer it is not encrypted while in use.
Symmetric Encryption
Uses the same key to encrypt and decrypt data
Encryption algorithm - move X spaces forward to encrypt
Decryption algorithm - move X spaces backward to decrypt
Plaintext - human readable text
Ciphertext - substituted text
ROT13 - rotates 13 places, doesn’t provide true encryption but instead
obfuscates the data
Block Ciphers vs Stream Ciphers
Both symmetric and use the same key to encrypt and decrypt data
Block cipher - encrypts data in specific sized blocks such as 64 or 128 bit blocks.
Divides large files or messages into these blocks and then encrypts each
individual block separately.
Chapters 1-11 Final Review
67
Stream cipher - encrypts data as a stream of bits or bytes rather than dividing it
into blocks. More efficient when the size of the data is unknown or sent in a
continuous stream like video or audio.
Common Symmetric Algorithms
Advanced Encryption Standard (AES) - strong symmetric block cipher that
encrypts data in 128, 192, 256 blocks.
3DES - Triple DES is a symmetric block cipher designed as an improvement
over Data Encryption Standard (DES). Encrypts data in three separate passes
and 64 bit blocks. Uses key sizes of 56, 112, or 168 bits.
Blowfish - encrypts data in 64 bit blocks and supports key sizes between 32 and
448 bits.
Twofish - encrypts data in 128 bit blocks and supports 128, 192, or 256 bit keys
Asymmetric Encryption
Uses two keys in a matched pair to encrypt and decrypt data (public/private key)
Private keys are always kept private and never shared
Public keys are freely shared by embedding them in a shared certificate
Key Exchange
Cryptographic method used to share cryptographic keys between two entities
Rayburn Box
Lockbox that allows people to securely transfer items over long distances
Two keys. One can lock the box but not unlock and another can unlock but not
lock the box
Either used to send secrets in confidential manner or send messages with
authentication
Certificates
Serial Number
Issuer
Chapters 1-11 Final Review
68
Validity dates
Subject
Public Key
Usage
Ephemeral Keys
Short lifetime and is recreated for each session
Uses a private ephemeral and public key that discards after a single session
Perfect forward secrecy - important characteristic that ephemeral keys comply
with in asymmetric encryption. Given the same input, the algorithm will create a
different public key.
Elliptic Curve Cryptography
uses mathematical equations to formulate an elliptical curve. It then graphs
points on the curve to create keys. ECC keys can be much smaller compared to
non-ECC keys. Commonly associated with low powered devices
Quantum Computing
Quantum cryptography - uses quantum mechanical properties to perform
cryptographic tasks
Any attempt to read the data changes it
If data is changed it corrupts the Quantum Key Distribution and corrupts the
connection
Post Quantum Cryptography - cryptographic algorithms that are likely to be
resistant to attacks using a quantum computer
Homomorphic Encryption
Allows data to remain encrypted while being processed
Key length
Any individual algorithm is strengthened by increasing the length of the key
Chapters 1-11 Final Review
69
💡
Three common encryption modes of operation used with encryption are
authenticated, counter, and unauthenticated. Authenticated provides both
confidentiality and authenticity. Counter mode allows block ciphers to
function as stream ciphers. Unauthenticated provides confidentiality but
not authenticity.
Steganography
Hides data inside other data
If other people know what to look for they will be able to retrieve the message
Used with audio, image, and video files
Audio Steganography
Takes advantage of the limitations of the human ear.
Can be used to determine what commercials, shows users are watching
Image Steganography
Can be done by hiding data in the whitespace of an image without altering the
size of the file
Video Steganography
Similar to image steganography but only used to modify image portion because it
can warp the audio portion of the video.
Protecting Email
Digital Signature Algorithm (DSA) provides:
Authentication - Identifies the sender
Non-repudiation - sender cannot deny sending the message
Integrity - ensures that the message has not been modified
Encrypting Email
Chapters 1-11 Final Review
70
Asymmetric Encryption - sender retrieves recipients public key and encrypts
email with it. It is sent and the receiver unencrypts the email with their private
key.
Encrypting with Asymmetric and Symmetric - A symmetric key is used to encrypt
along with the recipients public key. The recipients private key can only
unencrypt the message.
S/MIME
Secure/Multipurpose Internet Mail Extensions used to digitally sign and encrypt
emails.
Port 995 for Post Office Protocol 3 (POP3) over TLS
Port 587 for Simple Mail Transfer Protocol (SMTP) over TLS
Port 993 for Internet Message Access Protocol (IMAP) over TLS
HTTPS Transport Encryption
TLS provides certificate based authentication and encrypts data with a
combination of both symmetric and asymmetric encryption during a session.
Requires certificates issued by certificate authorities.
TLS uses asymmetric encryption to securely share the symmetric key
TLS uses symmetric encryption to encrypt the session data
Downgrade attacks on weak implementations
Downgrade attack - type of attack that forces a system to downgrade its security
Blockchain
Public record keeping technology. Block refers to pieces of digital information.
Chain refers to a public database.
Each block as three parts:
Information about a transaction (date, time, amount)
Information on the parties involved (digital signature)
Unique hash
Chapters 1-11 Final Review
71
Identifying Limitations
Resource vs Security Constraints - encrypting all data is usually adding 40%
more resources
Speed and Time - refers to how long an algorithm takes to compute the result.
When salting and hashing passwords, a slower algorithm is desirable
Size and Computational Overhead - Relates to the amount of memory space the
algorithm needs to execute.
Entropy - refers to the randomness of a cryptographic algorithm. The higher level
of randomness results in a higher level of security
Predictability - knowing what will likely happen based on repeating the same
events. Given the same input to a pseudo random number generator will
produce the same output.
Weak keys - short or small key
Longevity - how long you can expect to use an algorithm. By doubling a key size
it increases the longevity of the algorithm
Reuse - When using symmetric encryption, the same keys shouldn’t be used
Plaintext attack - Only possible if the attacker has some known plaintext data
and the ciphertext created form this plaintext
Common use cases
Supporting Integrity - hashing protocols are used to support integrity. They can
verify that data has been changed by an unauthorized entity.
Supporting confidentiality - encryption protocols are used to provide
confidentiality. Prevents unauthorized users from accessing data
Supporting non-repudiation - digital signatures are used to support nonrepudiation
Supporting high resiliency - the security of an encryption key even if an attacker
discovers part of the key
Supporting obfuscation - steganography is used to support obfuscation. Hiding
data in plain sight like in a message, image, audio, or video file.
Supporting low power devices
Supporting low latency
Chapters 1-11 Final Review
72
Exploring PKI Components
Public Key Infrastructure - group of technologies used to request, create,
manage, store, distribute, and revoke digital certificates.
Asymmetric encryption depends on the use of certificates for protecting emails,
internet traffic.
Allows two people or entities to communicate securely without knowing each
other previously. (Ex. Someone connecting to Amazon securely if they haven’t
before)
Certificate Authority
Issues, manages, validates, and revokes certificates
Certificate Trust Models
CAs are trusted by placing a copy of their root certificate into a trusted root CA
store.
Root certificate is the first certificate create by the CA that identifies it
A large trust model:
The root CA issues certificates to intermediate CAs
Intermediate CAs issue certificates to child CAs
Child CAs issue certificates to devices or end users
Certificate chaining - combines all the certificates from the root CA down to the
certificate issued to the end user.
Registration Authority and CSRs
Users and systems request certificates from a CA using a registration process
like sending a website form or sending a formatted file to the CA.
Certificate signing requests (CSR) - include the purpose of the certificate, info
about the website, public key.
RSA based private key is used to create the public key. Public key is sent to the
CSR and the CA will embed the public key in the certificate
Online vs Offline CAs
Chapters 1-11 Final Review
73
Submitting CSRs online is more susceptible to attacks. Large orgs keep the root
CA offline to reduce the risk of compromise.
If the root CA is compromised the entire cert path is compromised
Updating and Revoking Certificates
Common configurations changes related to certificates are updating and
revoking them
Key compromise
CA compromise
Change affiliation
Superseded
Cease of operation
Certificate hold
Certificate Revocation List
CRL includes a list of revoked certs and is publicly available
Validating a certificate
Expired - If the certification is expired the computer system gives the user an
error that the certificate is not valid
Certificate not trusted - checks to see if the cert was issued by a trusted CA
Certification revoked - clients validate certificates through the CA to ensure
they haven’t been revoked
Client initiates a session requiring a cert such as a HTTPS session
Server responds with a copy of the cert that includes the public key
Client queries the CA for a copy of the CRL
CA responds with a copy of the CRL
Online Certificate Status Protocol (OCSP) - allows the client to query the CA with
the serial number of the certificate. The CA responds with “good, revoked, or
unknown.” A response of unknown could indicate the certificate is a forgery.
OCSP stapling solves the problem of generating too much traffic for the CA.
Chapters 1-11 Final Review
74
Public Key Pinning
Security mechanism designed to prevent attackers from impersonating a website
using fraudulent certificates
On a website server, the server responds to client HTTPS requests with an extra
header. When connecting again the hash is compared to the first time they
connected and validated.
Key Escrow
Process of placing a copy of a private key in a safe environment
Useful for recovery if the original is lost
Comparing Certificate Types
Machine/Computer - used to identify the computer within a domain
User - can be used for encryption, authentication, smart cards, etc…
Email - used for email encryption and digital signatures
Code signing - used to validate the authentication of executable apps or scripts.
Verifies that code has not been modified.
Self-signed - Private CAs within an enterprise often create self-signed
certificates. Self signed certificates from private CAs eliminate the cost of
purchasing certificates from public CAs
Root
Wildcard - starts with a * and can be used for multiple domains if each domain
name has the same root domain. (accounts.google.com, support.google.com)
Subject alternative name - used for multiple domains that have different name
but are owned by the same org. (*.google.com, *.android.com,
*.cloud.google.com)
Domain validation - indicates that the certificate requestor has some control over
a DNS domain.
Extended validation - use additional steps beyond domain validation
Comparing Certificate Formats
Canonical Encoding Rules (CER) - ASCII format
Chapters 1-11 Final Review
75
Distinguished Encoding Rules (DER) - Binary format
Privacy Enhanced Mail (PEM) - implies that PEM based certificates are used for
email only but is misleading. Can be formatted as CER or DER, can also be
used to share public keys within a certificate, request certs from CAs, install
private key on a server, publish a CRL, or share the full cert chain.
P7B - CER based and are commonly used to share public keys with proof of
identity
P112 - DER based and are commonly used to hold certificates with the private
key
Personal Information Exchange (PFX) - predecessor to the P12. Used on
Windows to import and export certs
Chapter 11
Security Policies
Personnel Policies
Acceptable Use Policy - The purpose of computer systems and networks, how
users can access them, and the responsibilities of users when they access the
systems
Mandatory Vacations - detect when employees are involved in malicious activity,
such as fraud or embezzlement and are discovered when the employee is away.
Separation of duties - principle that prevents any single person or entity from
being able to complete all the functions of a critical or sensitive process. Helps
prevent fraud
Least Privilege - specifies that individuals and processes are granted only the
privileges needed to perform assigned tasks or functions
Job rotation - concept that has employees rotate through different jobs to learn
the processes and procedures in each job. Helps prevent a single person from
controlling too much.
Clean desk space - directs users to keep their areas organized and free of
papers. Reduces threats of security incidents by ensuring the protection of
sensitive data.
Chapters 1-11 Final Review
76
Background check - investigate employees histories to discover anything about
them that might make them less than ideal for any given job
Onboarding - process of granting individuals access to an organization’s
computing resources after being hired
Offboarding - removing an employee’s access when they leave the company
Nondisclosure agreement (NDA) - used between two entities to ensure that
proprietary data is not disclosed to unauthorized entities
Social Media Analysis - Monitoring employee activity on social media networks.
Third party risk management
Supply chain and vendors - includes all the elements required to produce and
sell products and services. In some cases the supply chain becomes an attack
vector
End of life (EOL) - date when a product will no longer be offered for sale
Third party agreements
Service level agreement (SLA) - an agreement between a company and vendor
that stipulates performance expectations, such as min and max uptime/downtime
levels.
Memorandum of understanding (MOU) - expresses an understanding between
two or more parties indicating their intention to work together toward a common
goal
Business partners agreement (BPA) - written agreement that details the
relationship between business partners
Terms of agreement
Refers to the period that an agreement shall be in effect
Measurement systems analysis
MSA evaluates the processes and tools used to make measurements. The
system should produce the same values when measuring the same sample
Incident Response Plan
Chapters 1-11 Final Review
77
Provides more detail than incident response policies. Provides orgs with a
formal, coordinated plan that personnel can use when responding to an incident.
Definitions of incident types - Helps employees identify the difference
between an event and an incident. (Attacks from botnets, malware delivered
via email, data breaches, and ransom demand)
Incident response team - composed of employees with expertise in different
areas. Referred to as a computer incident response team (CIRT), or a
security incident response team. Combined they have the knowledge and
skills to respond to an incident.
Roles and responsibilities
Communication Plan
Provides direction on how to communicate issues related to an incident
First responders - initial responders
Internal communication - incident response team should know when to
inform senior personnel of an incident
Reporting requirements - security incident needs to be reported to external
entities such as law enforcement when data is breached
External communication - who can talk to external entities like the media
Law enforcement - Bringing in law enforcement increases the chance that
the incident may get increased public scrutiny
Customer communication - laws dictate when an org must inform customers
of a data breach
Data Breach Responses
If Intellectual property (IP) such as trade secrets and software algorithms is
stolen the org will suffer direct losses
If personal information about customers is accessed, attackers can impersonate
them and steal their identity
Stakeholder Management
Any entity with an interest or concern in an org. (Owners, stock owners,
employees, creditors, suppliers and more)
Chapters 1-11 Final Review
78
Incident Response Process
Preparation - Occurs before an incident and provides guidance to personnel on
how to respond to an incident
Identification - When a potential incident is reported, personnel take the time to
verify it’s an actual incident.
Containment - Security personnel attempt to isolate or contain it. This protects
critical system while maintaining business operations
Eradication - Remove components from the attack.
Recovery - Admins return all affected systems to normal operation and verify
they are operating normally
Lessons learned - Security personnel perform a review
Understanding SOAR
Security Orchestration, Automation, and Response (SOAR) tools that respond to
low level security events automatically
Combination of tools that can work together to detect and respond to suspicious
activity
Playbooks
Document formal procedures to follow for well known incidents
Some playbooks can trigger automated actions, they typically document the
steps to take in response to the action and let the runbook automate the
response
Runbook
Implement the guidelines documented in the playbooks using the available tools
within the org
Understanding Digital Forensics
Help an org collect and analyze data as evidence to can use to prosecute a
crime
Chapters 1-11 Final Review
79
Admissibility of documentation and evidence
Essential to follow specific procedures to ensure that the evidence is admissible
in a court of law
Supports non-repudiation. Includes proof that individuals were involved in an
incident prevent them from believably denying they were involved
Chain of Custody
Process that provides assurances that evidence has been controlled and
appropriately handled after collection
Provides a record of every person who was in possession of a physical asset
collected as evidence
Legal Hold
Refers to a court order to maintain different types of data as evidence
This data may include emails, databases, logs, backup tapes, data store on
servers in file shares and document libraries, and data sored on desktop
computers, laptops, tablets, and smartphones owned by the company.
Video
Video surveillance methods such as CCTV systems
Interviews
Witnesses provide firsthand reports of what happened and when it happened
Event Logs
Helps investigators re-create events leading up to and during an incident
Logs record what happened during an event, when it happened, and what
account was used during the event
Sequence of Events
Timeline of the event
Chapters 1-11 Final Review
80
By identifying the first failure in the incident, it becomes easier to make
recommendations to prevent such a failure in the future
Reports
Documents findings that include tactics, techniques, and procedures (TTP) used
in the attack
Executive summary listing the findings and recommendations
Forensic tools used
List of evidence collected and analyzed
Findings derived from analyzing each piece of the evidence
Recommendations based on findings
On premises vs Cloud Concerns
The cloud provider becomes a third party risk since you don’t know exactly
where the data is being stored
Right to audit clauses - allows a customer to hire an auditor and review the
cloud providers records
Regulatory Jurisdiction - cloud provider must comply with laws relevant to
the state they’re storing data in.
Data Breach Notification Laws - require orgs to notify customers about a
data breach and take steps to mitigate loss
Acquisition and Preservation
Order of volatility - refers to the order in which you should collect evidence. Start
with the most volatile moving to the least volatile (least permanent)
Cache
RAM - data in RAM is used by the operating system and applications
Swap or pagefile - rebuilds when rebooting
Disk
Attached
Network
Chapters 1-11 Final Review
81
Data Acquisition - by following the order of volatility, you prevent destroying the
data before you collect it
Web history
Recycle bin
Windows error reporting - give insight into what programs were running when
a system crashed
Remote desktop protocol (RDP) cache - can provide useful info if an attacker
moves laterally through a network or when an attacker is connecting to a
system from an internet server
Forensic Tools
Capturing data - A forensic image of captured data will collect the data without
modifying it all. After it is captured, experts create a copy and analyze the copy
Data duplicator (dd) - oldest disk imaging tools used for forensics
memdump - can dump any addressable memory space to the terminal or
redirect the output to a dump file
WinHex - windows based hexadecimal editor used for evidence gathering,
data analysis, editing, recovery of data, and data removal
FTK imager - capture an image of a disk as a single file or multiple files and
save the image in various formats
Autopsy - allows users to add command line utilities from The Sleuth Kit
(TSK)
Verifying Integrity - hashes and checksums are important elements of forensic
analysis to provide proof that collected data has retained integrity.
Provenance - refers to tracing something back to its origin. In forensic
context, hashing and checksums allow you to prove the analyzed copy of
data is the same as the original data
Bandwidth Monitors - by comparing captures taken at different times,
investigators can determine changes in network traffic
Electronic Discovery
Chapters 1-11 Final Review
82
Identification and collection of electronically stored information (voice mail, social
media entries, and website data)
Metadata is data about data instead of the data itself
File metadata - includes items like when the file was created, who create it,
when it was modified, and last accessed
Email metadata - includes header, sender, recipient, and when the sent it
Web metadata - header, title, character sent, meta tags
Mobile metadata - users location, who they called, who called them,
messages, website history, and more
Data Recovery
Restoring lost data
Though files can be marked for deletion and emptied from the recycle bin,
forensic experts can use tools to undelete the files as well as unformat drives
Strategic Intelligence and Counterintelligence
Strategic Intelligence - refers to collecting, processing, and analyzing information
to create long term plans and goals.
Protecting Data
Classifying Data Types
Government Data
Top secret
Secret
Confidential
Identifiers that private companies may use:
Public Data
Private Data
Confidential Data
Proprietary Data - data owned by an individual, group, or organization
Chapters 1-11 Final Review
83
Financial Information
Employee Data
Customer Data
PII and Health Information
Full name
Birthday and birthplace
Medical and health info
Street or email address info
Personal characteristics
Identification number
Impact Assessment
Helps orgs understand the value of data by considering the impact if it is lost or
released to the public
All data doesn’t need the same protection, it needs to be protected according to
its classification and value
Data Governance
Refers to the processes an organization uses to manage, process, and protect
data
Health Insurance Portability and Accountability Act (HIPAA) - any info related
to the health of an individual
Gramm Leach Bliley Act (GLBA) - requires financial institutions to provide
consumers with privacy notice explaining what information they collect and
how it is used
Sarbanes Oxley Act (SOX) - requires that executives within an org take
individual responsibility for the accuracy of financial reports
General Data Protection Regulation (GDPR) - EU directive mandates the
protection of privacy data for individuals. Applies to any org that collects and
maintains this data
Chapters 1-11 Final Review
84
Privacy Enhancing Technologies
Data minimization - principle requiring orgs to limit the info they collect and use
Data Masking - permanently modifying data to hide the original content
(substitution)
Anonymization - permanently modifies data to protect the privacy of individuals
by removing all the PII within a data set while maintaining other data within the
data set
Pseudo Anonymization - replaces PII and other data with pseudonyms or
artificial identifiers. Anonymization is used when the intent is to anonymize data
permanently.
Tokenization - replaces sensitive data elements with a token. The token is a
substitute value used in place of the sensitive data
Data Retention Policies
Identifies how long data is retained, and sometimes where it is stored
Data Sanitization
Ensure that data is removed or destroyed from any devices before disposing of
the devices
Common methods used to destroy data and sanitize media:
File shredding
Wiping
Erasing and overwriting
Paper shredding
Burning
Pulping - reduces shredded paper to mash or puree
Pulverizing
Degaussing - passing a disk through a electronic magnet rendering the data
on tape unreadable
Third party solutions
Chapters 1-11 Final Review
85
Training users
Computer based training (CBT) - refers to any training where an individual
interacts with an application on a computer
Phishing Campaigns - attackers tricking users into clicking a malicious link
Phishing Simulations - sends out fake phishing emails to employees to see if
anyone will clock on it
Gamification - intertwines game design elements within user training methods to
increase participation and interaction
Capture the flag (CTF) - when players solve a challenge, they receive a digital
flag that they preset as proof they they solved the challenge
Role-based awareness training - targeted to personnel based on their roles
Data owners - responsible for ensuring adequate security controls are in
place to protect the data
Data controller - determines why and how personal data should be
processed
Data processor - uses and manipulates the data on behalf of the data
controller
Data custodian - responsible for routine daily tasks like backing up data
Data protection officer -ensures the org is complying with all relevant laws
Chapters 1-11 Final Review
86