Need To Know:

1. WildFire Analysis Security Profile
   a. What it is
      i. WildFire Analysis Security Profile: A security profile used to submit potentially malicious files or URLs to Palo Alto Networks' WildFire cloud-based sandboxing service for dynamic analysis, detecting and preventing unknown threats by analyzing their behavior in a controlled environment.
   b. What it's used for
      i. Mainly used to analyze files for malware

2. Pros of WPA3 over WPA2
   a. Why is it better
   b. WPA2
      i. Personal mode (shared authentication) is secure, but
      ii. humans share the key (passcode) and never change it
      iii. Enterprise mode (each user is authenticated before the connection is completed) is common and widely deployed
   c. WPA3
      i. Will take many years to become widespread
      ii. Personal mode is more resistant to brute-force key (passcode) guessing
      iii. Enterprise mode increases key length from 128-bit to 192-bit

3. Know what an active-passive firewall configuration is
   a. What are the benefits
      i. An active-passive firewall configuration deploys two firewalls in parallel, with one actively processing traffic and the other in standby mode.
      ii. Benefits include high availability with automatic failover, continuous protection during maintenance or failures, and scalability to accommodate increased traffic or security needs.
      iii. It enhances network reliability, resilience, and security by providing redundancy and ensuring uninterrupted protection against cyber threats.

4. Know Trusted Root CA (Certification Authority)
   a. Trusted Root CA (Certification Authority): A Certificate Authority (CA) that is implicitly trusted by operating systems and web browsers to issue digital certificates for verifying the authenticity of public key infrastructure (PKI) certificates used in secure communication protocols such as SSL/TLS.

5. VLAN tags
   a. Logically separate frames moving over a single port (VLAN tagging)
   b. VLAN Tags: Numeric identifiers added to Ethernet frames to designate which virtual LAN (VLAN) a particular frame belongs to, enabling network segmentation and isolation for traffic management and security purposes.

6. Primary reason why an IDS solution is chosen over an IPS solution
   a. It's not necessarily "better" than an IPS solution; rather, it serves a different purpose. An IDS solution focuses on detection and alerting without actively blocking traffic, which can be useful for monitoring and analysis without risking false positives or potential disruptions to legitimate traffic. An IPS solution, by contrast, actively prevents and blocks identified threats, offering proactive protection but potentially causing disruptions if misconfigured or if false positives occur. The choice between an IDS and an IPS depends on specific security needs and risk tolerance.

7. Zero Trust
   a. Zero Trust, Zero Trust Network, Zero Trust Architecture
      i. Never trust, always verify
      ii. Authenticate ALL authorized actions and then log all actions to hold users accountable, regardless of their location
   b. Zero Trust is only possible at Layer 7
      i. Segment the networks, and then authenticate and validate the access at the application layer (Layer 7) based on the user's identity
      ii. This is one of the primary functions of a NextGen firewall
      iii. A Segmentation Gateway provides all security features
   c. What layer does it run on
      i. Zero Trust is only possible at Layer 7, but you can start now in other layers

8. Benefits of Network Segmentation
   a. Reduces the number of potential attackers for a given host (reduces the attack surface)
   b. Reduces propagation of malware (lateral movement)
   c. Reduces the ability of attackers to "call home" from a compromised computer

9. Know User ID & what a DNS Sinkhole is
   a. User ID: Identifies individual users or devices accessing a network, allowing for granular security policies and monitoring based on user identity rather than just IP addresses.
   b. DNS Sinkhole: A technique used to redirect malicious or unwanted domain name resolution requests to a controlled server, often used to block access to known malicious domains or to monitor and analyze malicious activity.

10. What is an External Dynamic List
   a. External Dynamic List: A list of IP addresses, domains, or other indicators of compromise sourced from external threat intelligence feeds or custom sources, used by security devices to enhance threat detection and prevention capabilities.

11. Know the difference b/w Access Controls and an Access Control List
   a. ACCESS CONTROL LISTS
      i. Lists of rules are often called Access Control Lists (ACLs)
      ii. Access Control Entries (ACEs) are the rules in an ACL; they are evaluated in order of placement, and once an ACE is "fired" the subsequent ACEs are ignored
      iii. On Cisco devices (and others) you type commands in, but systems with a visual editor are much easier to understand

12. Understand what layer a reverse proxy runs on
   a. Layer 7 - Application
   b. Inbound (reverse proxy or Web Application Firewall): the proxy terminates the site's TLS by holding the website's SSL certificate, instead of the web server itself

13. Know the difference b/w EDR, XDR, MDR
   a. EDR
      i. (Endpoint Detection and Response): Focuses on detecting and responding to threats on individual endpoints, providing visibility and protection at the device level.
      ii. A software agent protecting each workstation, server, etc.
   b. XDR
      i. (Extended Detection and Response): Offers broader threat detection and response capabilities by integrating data from multiple security solutions across different layers of the infrastructure.
   c. MDR
      i. (Managed Detection and Response): Provides a fully managed security service that combines technology, expertise, and continuous monitoring to detect and respond to threats across the entire environment, often including EDR and XDR capabilities.
   d. Definitions:
      i. Endpoint Detection and Response (EDR) - Detect and contain attacks at the endpoint
      ii. Endpoint Protection Platform (EPP) - Extends EDR to provide prevention
      iii. Extended Detection and Response (XDR) - Integrates with network detection to correlate attacks
      iv. Managed Detection and Response (MDR) - Outsource to an MSSP (Managed Security Service Provider)

14. Know the difference b/w a Layer 3 & Layer 2 Switch
   a. Layer 3 Switch:
      i. Operates at the network layer (Layer 3) of the OSI model, allowing for IP routing between different subnets or VLANs.
      ii. Can make forwarding decisions based on IP addresses, enabling more efficient routing of traffic within a network and providing enhanced scalability and flexibility.
   b. Layer 2 Switch:
      i. Operates at the data link layer (Layer 2) of the OSI model, primarily forwarding traffic based on MAC addresses.
      ii. Typically used in local area networks (LANs) to segment network traffic into separate collision domains and reduce network congestion.

15. Know what a privileged account is and its benefits
   a. Privileged Account: An account with elevated permissions and access rights, typically used by system administrators or IT personnel to perform administrative tasks, configure systems, and manage resources. The benefits include enhanced security through access control, better accountability for actions performed, and reduced risk of unauthorized access or misuse of critical systems and data.

16. What Single Sign-On tech is
   a. Single Sign-On is not the same as MFA
      i. One authentication server for multiple applications
      ii. Reduces MFA fatigue
      iii. Reduces the effort of application-level authentication
      iv. Enables swift, broad revocation of access

17. Know Network Segmentation vs Micro-Segmentation
   a. Network Segmentation
      i. Reduces visibility of assets to the minimum necessary
      ii. Reduces traffic on all networks
         ● Enables intrusion detection sensors to work more efficiently and thus reduces load on traffic monitoring systems
      iii. Reduces the number of potential attackers for a given host (reduces the attack surface)
      iv. Reduces propagation of malware (lateral movement)
      v. Reduces the ability of attackers to "call home" from a compromised computer
   b. Micro-Segmentation
      i. Makes segmentation more granular
      ii. Would be expensive with multiple hardware firewalls
      iii. Would be difficult with multi-homed hardware firewalls
      iv. Leverages virtual firewalls
      v. Allows application-level data flow restrictions within the virtual environment
   c. How to implement Micro-Segmentation
      i. Leverages virtual firewalls
      ii. Virtual network firewalls
   d. Pros & cons of Network Segmentation
      i. Reduces traffic on all networks
         ● Enables intrusion detection sensors to work more efficiently and thus reduces load on traffic monitoring systems
      ii. Reduces the number of potential attackers for a given host (reduces the attack surface)
      iii. Reduces propagation of malware (lateral movement)
      iv. Reduces the ability of attackers to "call home" from a compromised computer

18. Know IPsec Crypto
   a. IPsec (Internet Protocol Security) Crypto refers to the cryptographic protocols and algorithms used to secure communications over IP networks.
   b. The encryption used in IPsec can vary depending on the specific configuration and negotiation between communicating devices. Common encryption algorithms used in IPsec include:
   c. What version of encryption is it using?
      i. AES (Advanced Encryption Standard)

19. Know what an attack surface is
   a. An "attack surface" is the sum of all potential points of entry for an attacker, which is nearly impossible to define

20. Know what a Security Profile is
   a. Security Profile: A comprehensive summary of an entity's security posture, including its security policies, configurations, vulnerabilities, and defenses, often used for assessment, monitoring, and improvement purposes.

21. Know the benefits & cons of Public VPS Services
   a. Benefits & Cons of Public VPS Services:
      i. Benefit: Cost-effective and scalable solution for hosting websites, applications, and services with flexible resources and pay-as-you-go pricing models.
      ii. Con: Shared infrastructure may result in reduced performance, security concerns, and limited customization options compared to dedicated hosting environments.

22. Know what a Secure Gateway is
   a. Modern, advanced outbound proxies are called Secure Web Gateways (on-premise or cloud-based)
      i. URL filtering (by name or category)
      ii. File caching for reducing page load time and bandwidth use
      iii. Malware detection
      iv. Content analysis and filtering
      v. VPN replacement

23. Know PAT vs NAT
   a. NAT
      i. Maps a private IP address to a public IP address (Layer 3) within a router or firewall
         ● Used outbound it can be many-to-one
         ● Used inbound it is one-to-one (static NAT)
      ii. Rules are still written to control the flow of data between NAT'd IP addresses
   b. PAT
      i. PAT maps a specific port (Layer 4) on a private IP to a specific port on a public IP, which allows many private IPs to share one public IP
      ii. Rules are still written to control the flow of data between the established ports

24. Know what a Vulnerability Protection profile is

25. Know what Layer 4 (Transport) Protocols are
   a. TCP & UDP
      i. At Layer 4 the firewall rules control the TCP and UDP connections between previously approved IP addresses
      ii. Layer 4 (Transport) Protocols: TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are Layer 4 protocols responsible for facilitating communication between applications over a network, with TCP providing reliable, connection-oriented communication, and UDP offering simpler, connectionless communication.
      iii. Firewall Rules: At Layer 4, firewall rules regulate TCP and UDP connections between pre-approved IP addresses, enforcing security policies based on protocol, source and destination IP addresses, and port numbers.

26. Know what Lateral Movement is
   a. Lateral Movement refers to the technique used by attackers to move horizontally across a network, from one compromised system to another, in search of valuable targets.
   b. It involves exploiting vulnerabilities in interconnected systems within the same network segment (east-west or lateral traffic), bypassing traditional perimeter defenses.

27. Know what a Cloud Access Security Broker (CASB) is
   a. Cloud Access Security Brokers (CASBs) have historically been used for reporting on use of "shadow IT"
   b. Modern CASBs are more invasive
      i. Use a proxy server and API connectors to correlate activity
      ii. Monitor traffic moving between cloud applications
      iii. Enforce encryption of data-in-motion
      iv. Integrate with Single Sign-On systems to enforce policies
   c. SWGs are blurring the lines with CASBs
   d. Cloud-based CASBs are the future, not on-premise

28. Know what an Anti-Spyware profile is
   a. Anti-Spyware Profile: A security profile used to detect and prevent spyware, which is malicious software designed to monitor and gather information about a user's activities without their consent.

29. Know what a Jump Server is
   a. Jump Server: A secure intermediary server used to access and manage devices within a network, typically employed to enhance security by minimizing direct access to critical systems.
   b. Remote

30. Know the difference b/w a Stateless vs Stateful Firewall
   a. Stateful Firewall vs. Stateless Firewall:
      i. Stateful Firewall: Monitors the state of active connections and enforces security policies based on the context of those connections, allowing only legitimate traffic to pass through.
      ii. Stateless Firewall: Filters network traffic based solely on predetermined criteria such as source and destination addresses, without considering the state or context of connections.

31. Know Basic Network Components
   a. Basic Network Components:
      i. Router: Device used to forward data packets between computer networks.
      ii. Switch: Device that connects multiple devices within a network, forwarding data only to the intended recipient.
      iii. Firewall: Security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
      iv. Access Point: Device that allows wireless devices to connect to a wired network using Wi-Fi technology.