1.1 Compare and contrast different types of social engineering techniques.

Social Engineering Attacks

Phishing: Fake emails trying to get you to click on harmful links or share personal info. Think of
a fisherman casting a wide net, hoping to catch something.

Smishing: Phishing via SMS. Scammers send text messages trying to make you share info or click
harmful links.

Vishing: Phishing via voice calls. Someone might call you pretending to be from your bank and
ask for sensitive details.

Spam: Unsolicited emails usually sent in bulk. They’re like those annoying flyers you get in your
mailbox.

SPIM: Unsolicited instant messages. Imagine getting unwanted ads or links in your messaging
apps.

Spear Phishing: Targeted phishing. Instead of a wide net, the attacker has a specific target in
mind and crafts a custom message for them.

Dumpster Diving: Literally going through trash to find discarded information like old bills or
documents.

Shoulder Surfing: Sneaking a peek over someone’s shoulder to see their screen or watch them
enter a password.

Pharming: Redirecting users from legit websites to malicious ones, often without the user
realizing it.

Tailgating: Following someone closely to gain unauthorized access to a restricted area.

Eliciting Information: Manipulating someone into revealing confidential information

through casual conversation.

Whaling: Big game phishing. Targeting high-profile individuals, like CEOs, with crafted scams.

Prepending: Adding a fake sender’s name to an email address in hopes that a recipient
recognizes the name and thinks the email is safe.

Identity Fraud: Using someone else’s personal information for malicious or fraudulent activities.

Invoice Scams: Sending fake invoices hoping companies pay them without noticing.

Credential Harvesting: Collecting usernames and passwords, often through fake login pages.

Reconnaissance: The act of gathering preliminary data or intelligence on a target. Think of it as a

thief “casing the joint” before a robbery.

Hoax: A false threat or piece of information meant to deceive or scare individuals.

Impersonation: Pretending to be someone else to gain trust or information.

Watering Hole Attack: Compromising a website or platform that a group of people often visit, to
target them.
Typosquatting: Registering domains that are misspellings of popular ones, hoping users make a
typo and visit the malicious site.

Pretexting: Creating a fabricated scenario to obtain information from someone.

Influence Campaigns: Efforts to change or manipulate people’s opinions or behaviors.

Hybrid Warfare: Combining traditional warfare with cyberattacks, disinformation campaigns,

and other non-traditional tactics.

Social Media: Platforms like Facebook, Twitter, and Instagram which can be exploited for
information gathering or influence campaigns.

Principles (reasons for effectiveness):

Authority: People tend to obey figures of authority.

Intimidation: Using threats or fear to get someone to comply.

Consensus: If many people do it, others will likely follow.

Scarcity: People want things they believe are in limited supply.

Familiarity: We’re more likely to trust or comply with something or someone familiar.

Trust: If we trust someone, we’re more likely to do what they say.

Urgency: Creating a sense of urgency makes people act quickly, often without thinking.
 1.2. Given a scenario, analyze potential indicators to determine the type of attack.

Malware

Ransomware: Malware that locks you out of your files and demands payment to get them back.

Trojans: Disguised as legitimate software, these malware types create a backdoor into your
system.

Worms: Self-replicating malware that spreads across networks without human intervention.

Potentially Unwanted Programs (PUPs): Software that comes bundled with other software and
typically doesn’t benefit the user.

Fileless Virus: Uses legitimate programs to infect a computer without writing new files.

Command and Control: Servers that control malware and receive data from compromised
systems.

Bots: Software that performs automated tasks, often malicious ones.

Cryptomalware: Malware that encrypts files or systems and demands ransom for decryption.

Logic Bombs: Code inserted into software to trigger a malicious event under certain conditions.

Spyware: Software that secretly monitors and collects user information.

Keyloggers: Records every keystroke made by a user to capture passwords and other data.

Remote Access Trojan (RAT): Malware that allows an attacker to control a system remotely.

Rootkit: Software designed to provide privileged access while hiding its presence.

Backdoor: Unauthorized access to a computer system.

Password Attacks

Spraying: Trying a few common passwords on many accounts.

Dictionary: Using a pre-arranged list of words found in a dictionary to crack passwords.

Brute Force: Trying all possible combinations to crack a password.

Offline: Attempting to crack a password without interacting with the actual system.

Online: Trying password combinations directly on the system.

Rainbow Table: Using precomputed tables to find cryptographic hash function outputs and
derive plaintext passwords.

Plaintext/Unencrypted: Non-encrypted data, which is readable and accessible without needing

decryption.

Physical Attacks

Malicious USB Cable: A USB cable designed to compromise systems upon connection.
 Malicious Flash Drive: A storage device loaded with malware.

Card Cloning: Creating a copy of a credit or other card with stolen data.

Skimming: Stealthily capturing and storing all the details stored on your card’s magnetic stripe.

Adversarial AI

Tainted Training Data for ML: Modifying the data used to train machine learning models to
cause misclassifications or errors.

Security of Machine Learning Algorithms: Ensuring ML algorithms are protected against

manipulation and attacks.

Others

Supply-chain Attacks: Targeting less-secure elements in the supply network to compromise a

primary target.

Cloud-based vs. On-premises Attacks: Security incidents occurring either in

a cloud infrastructure or on locally hosted (on-premises) resources.

Cryptographic Attacks

Birthday: Exploiting the probability of two distinct inputs having the same output.

Collision: Finding two different inputs that provide the same output.

Downgrade: Forcing a system to fall back to a less secure version to exploit vulnerabilities.

1.3 Given a scenario, analyze potential indicators associated with application attacks.
Privilege Escalation: Imagine you log into a computer with a guest account but somehow gain
access to the admin’s powers. This is privilege escalation — getting more access than intended.

Cross-Site Scripting (XSS): It’s like sneaking a secret note into a bunch of official letters. You
insert malicious scripts into websites, which then run on another user’s browser, stealing
information or performing actions on their behalf without them knowing.

Injections: Injecting is like slipping something unauthorized into a conversation or code:

SQL Injection: Inserting SQL code into a query to manipulate a database (e.g., to view, edit, or
delete data).

DLL Injection: Inserting code into a running process by taking advantage of Dynamic Link
Libraries used by software.

LDAP Injection: Manipulating Lightweight Directory Access Protocol queries (used for
organizing/finding user or device data in networks).

XML Injection: Inserting elements into an XML document to exploit the structure and logic of an
application.

Pointer/Object Dereference: Imagine forgetting to check who’s knocking at the door and just
letting them in — failing to validate who or what a pointer is pointing to can allow unauthorized
access or crashes.

Directory Traversal: It’s like navigating through a building’s restricted areas by exploiting weak
security, accessing unauthorized files/folders in a system.

Buffer Overflows: Imagine pouring water into a glass until it overflows, only here,
excessive data overflows into other memory areas, potentially allowing malicious code execution.

Race Conditions & Time of Check/Time of Use: Two actions racing to utilize a resource
and whoever wins could impact the system. If malicious action wins, it can exploit the time gap
between checking a condition and using a resource.

Error Handling: How a system responds to unexpected inputs or conditions — poor error
handling might expose sensitive information or pathways to attacks.

Input Handling: Not checking or sanitizing input properly could allow harmful data into a
system, causing malfunctions or unauthorized activities.

Replay Attack & Session Replays: Replaying is resending data (like login credentials)
intercepted earlier to gain unauthorized access. Session replays involve capturing and reusing
session identifiers, allowing attackers to impersonate legitimate users.

Integer Overflow: It’s like an odometer rolling over to zero after reaching its maximum value,
only here, exceeding numerical storage capacity might cause erratic system behavior.

Request Forgeries: Tricking a user or system into performing actions without knowing.

Server-Side Request Forgery (SSRF): Making a server unknowingly perform actions on behalf of
an attacker.

Cross-Site Request Forgery (CSRF): Making a user’s browser perform an unwanted action on a
site where they are authenticated.
 API Attacks: Exploiting vulnerabilities in APIs — essentially, pathways that let different software
components communicate — to interfere with an application’s functionality or steal data.

Resource Exhaustion: Draining a system’s resources (like memory or processing power) to slow
it down or cause a failure, making it vulnerable to other attacks.

Memory Leak: Continually using up memory without releasing it back, like continually filling a
basket with apples and never emptying it, which eventually causes slowdowns or crashes.

SSL Stripping: Downgrading a secure HTTPS connection to an unsecured HTTP connection,

making data transmission vulnerable to interception.

Driver Manipulation

Shimming: Using extra code (a shim) to make a driver run in environments it’s not compatible
with, potentially opening security gaps.

Refactoring: Changing the driver’s internal structure without altering its external behavior,
potentially introducing vulnerabilities.

Pass the Hash: Using a user’s hash (a type of encrypted password) to authenticate with a service
without knowing the actual password.

1.4 Given a scenario, analyze potential indicators associated with network attacks.

Wireless
 Evil Twin: Imagine someone impersonating your Wi-Fi network to trick devices into connecting
to it. It’s an “evil twin” of your legit Wi-Fi, stealing data and spying on users.

Rogue Access Point: An unauthorized Wi-Fi access point, maybe added by an employee or
attacker, which can bypass security settings.

Bluesnarfing: Stealing information from Bluetooth-enabled devices by exploiting vulnerabilities

in their Bluetooth connection.

Bluejacking: Sending unsolicited messages to a Bluetooth device, mostly harmless but

potentially annoying.

Disassociation: Interrupting the Wi-Fi connection between a device and a network, causing
disruptions.

Jamming: Flooding a frequency (like Wi-Fi or cell frequencies) to block communications.

RFID: A tech that uses radio waves for tracking and identification but can be exploited to illicitly
read information.

NFC: A way to wirelessly share data over short distances, like payment info, which can be
exploited for unauthorized data access.

Initialization Vector (IV):

A random number used in cryptography for preventing predictability in encrypted data, but if
not handled properly, can be a vulnerability.

On-Path Attack (Man-in-the-Middle)

This is like eavesdropping, where the attacker intercepts and possibly alters the communication
between two parties without them knowing.

Layer 2 Attacks

ARP Poisoning: Confusing network devices by sending fake Address Resolution Protocol
messages, redirecting traffic through an attacker’s device.

MAC Flooding: Overflowing the network switch with too many Media Access Control
addresses, forcing it into acting like a basic hub and revealing internal data traffic.

MAC Cloning: Copying a legit MAC address to impersonate a network device.

Domain Name System (DNS)

Domain Hijacking: Taking control of a domain away from the rightful owner, often for
malicious activities.

DNS Poisoning: Providing false DNS responses to redirect a user’s traffic to malicious sites.

URL Redirection: Manipulating URLs to direct users to unintended pages, often for phishing.

Domain Reputation: How trustworthy a domain is, based on its past actions and security
posture.

Distributed Denial-of-Service (DDoS): Overwhelming a target, such as a website, with a flood

of internet traffic, making it unavailable to users. Variants include targeting network, application,
or operational technology layers.
 Malicious Code or Script Execution: Running unauthorized code or scripts to perform actions on
a target’s system:

PowerShell, Python, Bash: Different scripting languages that can be used to automate tasks or
exploit vulnerabilities.

Macros, VBA: Automated scripts, often in Office documents, that can be exploited to run
malicious code.

1.5 Explain different threat actors, vectors, and intelligence sources.

Actors and Threats

1. Advanced Persistent Threat (APT): Highly skilled attackers, often funded by governments,
who aim to stealthily infiltrate and stay in networks for a long time, usually for espionage.
 2. Insider Threats: People inside an organization (like employees or contractors) who pose
security risks, either maliciously or inadvertently.

3. State Actors: Hackers sponsored by national governments to engage in cyber espionage,

warfare, or sabotage.

4. Hacktivists: Individuals or groups hacking for political or social reasons rather than financial
gain.

5. Script Kiddies: Inexperienced hackers who use pre-written scripts or tools to perform attacks,
without much understanding of how they work.

6. Criminal Syndicates: Organized crime groups engaging in cybercrime for financial gain.

7. Hackers: People who find and exploit vulnerabilities in systems. They can be:

 Authorized: Have permission to access.

 Unauthorized: No permission to access.

 Semi-authorized: Somewhere in between; maybe they had permission at one point or for
certain tasks.

8. Shadow IT: Unauthorized tech solutions used inside an organization without the IT
department’s knowledge or approval.

9. Competitors: Business rivals who might engage in cyber tactics to gain a competitive edge.

Attributes of Actors

This focuses on characteristics of the threat actors:

 Internal/External: Are they inside or outside the organization?

 Level of Sophistication: How skilled are they?

 Resources: What tools, money, or people do they have at their disposal?

 Intent/Motivation: Why are they doing what they’re doing?

Vectors

Routes or methods used by attackers to deliver malicious activities:

 Direct Access: Physically accessing systems.

 Wireless: Via Wi-Fi, Bluetooth, etc.

 Email: Think phishing or malware attachments.

 Supply Chain: Targeting suppliers or service providers.

 Social Media: Spreading malware or misinformation.

 Removable Media: USB drives, DVDs, etc.

 Cloud: Exploiting vulnerabilities in cloud services.

Threat Intelligence Sources

Sources of information about current or potential threats:

 Open-Source Intelligence (OSINT): Publicly available info.

 Vulnerability Databases: Listings of known security vulnerabilities.

 Public/Private Information-Sharing Centers: Organizations that share threat data.

 Dark Web: A part of the internet not indexed by search engines, often hosting illegal
activities.

 Indicators of Compromise: Signs that a breach has occurred.

 Automated Indicator Sharing (AIS), STIX/TAXII: Tools and formats for sharing threat
intelligence.

 Predictive Analysis: Forecasting future threats.

 Threat Maps: Visual representation of ongoing cyber-attacks globally.

 File/Code Repositories: Places where software code is stored, which can sometimes contain
vulnerabilities.

Research Sources

Places to get more details or updates on threats:

 Vendor Websites: Companies that make software/hardware often provide updates or alerts.

 Conferences: Where experts discuss the latest in cybersecurity.

 Academic Journals: Peer-reviewed publications on new findings.

 Request for Comments (RFC): Official documentations and standards.

 Local Industry Groups: Local or regional groups focusing on security.

 Social Media: Real-time info, but needs verification.

 Threat Feeds: Live data streams about potential threats.

 Adversary Tactics, Techniques, and Procedures (TTP): Documented strategies used by

attackers.

1.6 Explain the security concerns associated with various types of vulnerabilities.

Cloud-based vs. On-premises Vulnerabilities

Cloud-based vulnerabilities: Relate to the weaknesses within cloud services and platforms that
can be exploited by attackers, such as misconfigured cloud storage or inadequate identity and
 access management. On-premises vulnerabilities: Concern issues in your own physical
environment (like a server room in your building), like outdated firewalls or servers with
unpatched software.

Zero-day

A Zero-day vulnerability refers to a software security flaw that is known to the software vendor
but doesn’t have a patch in place to fix the vulnerability. It’s called “zero-day” because the
developers have “zero days” to fix the problem that has just been exposed — and perhaps
already exploited by hackers.

Weak Configurations

This involves setting up systems and applications in a way that doesn’t prioritize security.

 Open Permissions: Allowing too much access to too many people/users.

 Unsecure Root Accounts: Not protecting high-level administrative accounts properly.

 Errors: Mistakes in coding or system setup.

 Weak Encryption: Not using strong methods to protect data.

 Unsecure Protocols: Using outdated or insecure communication protocols.

 Default Settings: Not changing the settings that the system or application came with.

 Open Ports and Services: Leaving too many openings for attackers to potentially exploit.

Third-party Risks

Risks coming from dealing with external organizations or products.

 Vendor Management: Not properly overseeing or managing the organizations you buy
products or services from.

 System Integration: Problems that might arise when trying to get different systems to work
together.

 Lack of Vendor Support: Vendors not providing sufficient help or updates for their
products.

 Supply Chain: The process of creating and delivering a product, which can be disrupted or
exploited at various stages.

 Outsourced Code Development: Getting external parties to write software for you, which
might not be as secure.

 Data Storage: Where and how you store data, and the vulnerabilities there.

Improper or Weak Patch Management

Not updating or fixing systems and software in a timely and effective manner.

 Firmware: The foundational software for hardware, often neglected in the patching process.
  Operating System (OS): The main software that runs a computer, which might be left
outdated.

 Applications: Programs used for various purposes that might not be kept up-to-date with
security patches.

Legacy Platforms

Using outdated systems or software that no longer receive updates and therefore, might be full of
vulnerabilities.

Impacts

Negative consequences of security incidents.

 Data Loss: Losing data due to an incident.

 Data Breaches: Unauthorized access to data.

 Data Exfiltration: The unauthorized copying, transfer, or retrieval of data.

 Identity Theft: Unauthorized use of someone’s personal data.

 Financial: Monetary losses from an incident.

 Reputation: Damage to the organization’s standing.

 Availability Loss: Losing access to systems, data, or networks.

1.7 Summarize the techniques used in security assessments.

Threat Hunting

 Intelligence Fusion: Combining various sources of information to generate actionable

intelligence about threats.

 Threat Feeds: Streams of data related to potential threats, like IP addresses known to be
malicious.
  Advisories and Bulletins: Alerts and notifications regarding new threats or vulnerabilities.

 Maneuver: Adapting to or moving against a threat to neutralize it.

Vulnerability Scans

 False Positives: Alerts on vulnerabilities that aren’t actually present (false alarms).

 False Negatives: Failing to detect an actual vulnerability (missing a real threat).

 Log Reviews: Analyzing logs to identify suspicious activity.

 Credentialed vs. Non-credentialed: Scans with login credentials vs. those without to see
system vulnerabilities from different viewpoints.

 Intrusive vs. Non-intrusive: Scans that might impact system performance vs. those that
don’t.

 Application/Web Application/Network: Scans targeting different elements: software

applications, web platforms, or network infrastructure.

 CVE/CVSS: Standardized identifiers and scorings for vulnerabilities.

 Configuration Review: Checking system setups for vulnerabilities.

Syslog/Security Information and Event Management (SIEM)

 Review Reports: Analyzing compiled data and insights.

 Packet Capture: Collecting data packets transmitted over networks for analysis.

 Data Inputs: Different types of data fed into the SIEM for analysis.

 User Behavior Analysis: Studying how users interact with systems to identify anomalies.

 Sentiment Analysis: Utilizing data analysis to understand sentiments or attitudes expressed

in source data.

 Security Monitoring: Continuously observing systems to detect and respond to security

incidents.

 Log Aggregation: Collecting log data from different sources into a single location.

 Log Collectors: Systems or applications that gather log data.

Security Orchestration, Automation, and Response (SOAR)

This involves combining security orchestration and automation, incident management, and
interactive investigation into a single solution.

 Security Orchestration: Coordinating and structuring how different security solutions work
together.

 Automation: Utilizing technology to perform tasks without human intervention.

  Response: Actions taken to mitigate, prevent, or remediate security incidents.

1.8 Explain the techniques used in penetration testing.

Penetration Testing

This involves ethical hackers trying to find and exploit vulnerabilities in a system, similarly to
how a malicious hacker would, but with the aim to secure the system.

 Known/Unknown/Partially Known Environment: Whether the tester has prior

knowledge of the system, no knowledge, or some knowledge.

 Rules of Engagement: Agreements or boundaries defined before the test, such as what
can be tested, when, and how.
  Lateral Movement: Moving from one network segment to another, often to gain access to
a specific target.

 Privilege Escalation: Gaining higher-level privileges, such as moving from user-level to

admin-level access.

 Persistence: Maintaining access to the system, even after the initial intrusion has been
detected and supposedly “cleared”.

 Cleanup: Removing any traces and reversing any changes made during the test.

 Bug Bounty: Programs by organizations rewarding individuals for identifying and

reporting vulnerabilities.

 Pivoting: Using a compromised system to target other systems.

Passive and Active Reconnaissance

These involve gathering information about a target without the target knowing (passive) and
directly interacting with the system to gather information (active).

 Drones, War Flying, War Driving: Using drones, aircraft, or vehicles to identify wireless
networks.

 Footprinting: Gathering information about a target entity to find ways to infiltrate.

 OSINT (Open-Source Intelligence): Using publicly available sources to gather data

about a target.

Exercise Types

Different scenarios in security exercises often involving simulated attacks and defenses.

 Red Team: Simulated attackers trying to compromise a system.

 Blue Team: The defenders who try to stop the red team.

 White Team: Neutral party, usually administrators, ensuring the test goes smoothly.

 Purple Team: A blend of red and blue teams, often where they work together to understand
and remediate vulnerabilities.

2.1: Explain the importance of security concepts in an enterprise environment.

Configuration Management

Ensuring that system configurations, from hardware to software, are documented, standardized, and
maintained.

 Diagrams: Visual representations of systems and networks.

 Baseline Configuration: A standard, secure setup from which all deployments start.

 Standard Naming Conventions: Uniform naming approaches for clarity and management.
  IP Schema: Plan for assigning and managing IP addresses.

Data Sovereignty

Laws governing data and its storage based on the geographical location of the data.

Data Protection

Different methods to safeguard data from unauthorized access and data breaches.

 Data Loss Prevention (DLP): Strategies and solutions to prevent unauthorized access and
potential leakage of data.

 Masking: Concealing certain data within a database, rendering it inaccessible for

unauthorized users.

 Encryption: Scrambling data so that only someone with the correct key or password can read
it.

 At Rest: Encryption for stored data.

 In Transit/Motion: Encryption for data being transferred.

 In Processing: Encryption for data being used or computed.

 Tokenization: Substituting sensitive elements with non-sensitive equivalents.

 Rights Management: Controlling and limiting access to data based on roles or specific user
criteria.

Geographical Considerations

Taking into account location-specific laws, norms, and threats when managing data and
designing security measures.

Response and Recovery Controls

Systems and processes designed to recover from and respond to security incidents or breaches.

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Inspection

Inspecting SSL/TLS encrypted traffic to prevent encrypted threats and exploits from going
unseen in network traffic.

Hashing

Converting data (like a password) into a fixed-length string of characters, which is typically done
to keep data secure.

API Considerations

Securing Application Programming Interfaces (APIs) to ensure safe data transmission between
software applications.

Site Resiliency

Methods to ensure a business can continue to operate and access data following a catastrophe.
  Hot Site: A duplicate of the original site of the business with full computer systems as well as
near-complete backups of user data.

 Cold Site: A place where the customers can move after a disaster. It has all the facilities, but
not the user data.

 Warm Site: Something in between; partial backups, and some necessary hardware to get up
and running more quickly than a cold site.

Deception and Disruption

Using false information and setups to confuse, mislead, or otherwise thwart cyber attackers.

 Honeypots: Fake vulnerabilities designed to divert attackers from more valuable targets.

 Honeyfiles: Decoy files used to mislead cyber attackers.

 Honeynets: Entire networks of decoy servers and data to sidetrack cyber attackers.

 Fake Telemetry: Misleading attackers with false network and system data.

 DNS Sinkhole: Redirecting traffic away from its intended destination, often used to prevent
access to malicious sites.

2.2 Summarize virtualization and cloud computing concepts.

Cloud Models

Various ways in which cloud services are deployed and utilized.

 IaaS (Infrastructure as a Service): Providing virtualized computing resources over the

internet.

 PaaS (Platform as a Service): Delivering hardware and software tools to users via the
internet.

 SaaS (Software as a Service): Offering software applications over the internet.

  XaaS (Anything as a Service): Any service offered through the cloud, encompassing all of
the above and more.

 Public Cloud: Services offered over the public internet.

 Community Cloud: Shared between organizations with a common goal.

 Private Cloud: Exclusive use by a single organization.

 Hybrid Cloud: A mix of private and public cloud resources.

Cloud Service Providers

Organizations that offer cloud-based platforms, infrastructure, applications, storage, and

services.

Managed Service Provider (MSP)/Managed Security Service Provider (MSSP)

Organizations providing managed services and/or security services to end-users and

organizations.

On-Premises vs. Off-Premises

 On-Premises: Computing resources are located within the physical confines of an enterprise.

 Off-Premises: Computing resources are provided externally, typically through a cloud provider.

Fog Computing

An architectural design that uses edge devices to perform a substantial amount of computation,
storage, and communication locally and routed over the internet backbone.

Edge Computing

Data processing happens close to where it is generated instead of in a centralized data center —
often involving IoT devices.

Thin Client

A computer that relies heavily on a server for data processing and storage.

Containers

Lightweight, stand-alone executable software packages that include everything needed to run a
piece of software, including the code, runtime, libraries, and system tools.

Microservices/API

 Microservices: Small, independent processes that communicate with each other to form a
complex application.

 API (Application Programming Interface): Allows different software entities to communicate

with each other.
Infrastructure as Code (IaC)

Automating the provisioning of technology stacks through software, rather than through physical
hardware configuration or interactive configuration tools.

 Software-Defined Networking (SDN): Managing network services through abstraction of

lower-level functionality.

 Software-Defined Visibility (SDV): Enhancing visibility in software-defined networks.

Serverless Architecture

Cloud computing model where the cloud provider automatically manages the infrastructure.

Services Integration

Coordinating and managing different service elements so they work together effectively.

Resource Policies

Rules and regulations that govern the allocation, use, and behavior of computing resources
within an environment.

Transit Gateway

A network transit hub that you can use to interconnect your virtual private clouds (VPC) and on-
premises networks.

Virtualization

Creating virtual versions of physical hardware to optimize the hardware usage.

 Virtual Machine (VM) Sprawl Avoidance: Managing and limiting the unchecked creation of
VMs.

 VM Escape Protection: Ensuring that a VM cannot negatively impact the host or other VMs.

2.3 Summarize secure application development, deployment, and automation concepts.

Environment

Different stages where software goes through development, testing, and deployment.

 Development: Where software is coded and initially tested.

 Test: Where software undergoes testing to find bugs and issues.

 Staging: A replica of production, used to test before going live.

 Production: The live environment accessed by end-users.

  Quality Assurance (QA): Ensures the quality of the product through systematic activities.

Provisioning and Deprovisioning

 Provisioning: Allocating resources and providing users access to resources and services.

 Deprovisioning: Revoking access to resources and services, and potentially returning

resources.

Integrity Measurement

Ensuring that data remains accurate, consistent, and unaltered during storage or transfer.

Secure Coding Techniques

Strategies and practices to prevent vulnerabilities and security issues in coding.

 Normalization: Organizing databases to reduce redundancy and improve data integrity.

 Stored Procedures: Reusable SQL scripts stored in a database.

 Obfuscation/Camouflage: Making code harder to understand to protect it.

 Code Reuse/Dead Code: Using existing code or removing unused code.

 Server-Side vs. Client-Side Execution and Validation: Determining where code is run and
validated.

 Memory Management: Efficiently allocating, coordinating, and managing memory.

 Use of Third-Party Libraries and SDKs: Leveraging external code and development kits.

 Data Exposure: Unintentional revelation of sensitive data.

Open Web Application Security Project (OWASP)

A nonprofit foundation that works to improve the security of software through its community-
led open-source software projects.

Software Diversity

Differences in software characteristics that can be utilized for various purposes.

 Compiler: Transforms code written in a high-level programming language to machine code.

 Binary: Machine-readable code.

Automation/Scripting

Using technology to perform tasks without human intervention.

 Automated Courses of Action: Preplanned responses to various triggers or events.

 Continuous Monitoring: Constantly checking systems and networks for compliance and
threats.

 Continuous Validation: Ongoing assurance that systems and data are in the desired state.

 Continuous Integration: Merging all developers’ working copies to a shared mainline.

  Continuous Delivery: Automatically deploying all code changes to a production
environment.

 Continuous Deployment: Automatically releasing a developer’s changes from the repository

to production.

Elasticity

The ability to handle growth or shrinkage in usage dynamically, often related to cloud resources.

Scalability

The capability of a system to handle a growing amount of work or to be enlarged to

accommodate that growth.

Version Control

The practice of tracking and controlling changes to software code. This allows developers to
revert and branch as needed, ensuring consistency and version management.

2.4 Summarize authentication and authorization design concepts.

Authentication Methods
1. Directory Services
 A system providing authentication and authorization services to users, usually through a
structured dataset like LDAP.
2. Federation
 Allows users to use single identity credentials across several domains or applications.
3. Attestation
 Verifying the integrity of platforms, systems, and data.
4. Technologies
 TOTP (Time-Based One-Time Password): Generates a one-time password that expires after
a short period.
  HOTP (HMAC-Based One-Time Password): Utilizes a cryptographic algorithm and a
counter to generate one-time passwords.
 SMS: Receives an authentication code via text message.
 Token Key: Hardware that generates authentication codes.
 Static Codes: Pre-determined codes for authentication.
 Authentication Applications: Apps like Google Authenticator that generate codes.
 Push Notifications: Verification requests sent to a user’s device.
 Phone Call: Users receive a call for authentication purposes.
5. Smart Card Authentication
 Utilizing a physical card embedded with a chip as an authentication factor.
Biometrics
1. Fingerprint
 Scanning a user’s unique fingerprint pattern.
2. Retina
 Scanning the blood vessel patterns in a person’s retina.
3. Iris
 Scanning patterns in the colored circle of the eye.
4. Facial
 Recognizing facial features.
5. Voice
 Analyzing voice characteristics.
6. Vein
 Scanning vein patterns, usually in the hand.
7. Gait Analysis
 Evaluating the way a person walks.
8. Efficacy Rates and Error Metrics
 False Acceptance: Unauthorized user granted access.
 False Rejection: Authorized user denied access.
 Crossover Error Rate: The level at which false rejections and false acceptances are equal.
Multifactor Authentication (MFA)
Factors
 Something you know: Like a password or PIN.
 Something you have: Such as a smart card or mobile device.
 Something you are: Involves biometrics.
Attributes
 Somewhere you are: Based on geographical or network location.
 Something you can do: Actions you can perform, like gestures.
 Something you exhibit: Behavioral attributes.
 Someone you know: Relational attributes (not commonly used for authentication).
Authentication, Authorization, and Accounting (AAA)
 Authentication: Verifying the identity of a user, device, or system.
 Authorization: Granting access rights to authenticated entities.
 Accounting: Tracking user activity and recording it for audit purposes.
Cloud vs. On-Premises Requirements
 Cloud: Often involves integration with cloud identity providers, and might offer scalability
and off-site accessibility but could raise concerns about data security and compliance.
  On-Premises: Generally gives more control over security and data, but may require more
resources for maintenance and lacks the scalability and accessibility of cloud solutions.

2.5 Given a scenario, implement cybersecurity resilience.

Redundancy
Ensuring that system components are duplicated so the system can continue in the case of a failure.
1. Geographic Dispersal
 Distributing data and services across multiple geographical locations to mitigate localized
failures.
2. Disk
 RAID (Redundant Array of Inexpensive Disks): Using various RAID levels to ensure data is
redundant across multiple disks.
 Multipath: Utilizing multiple physical routes for data to travel.
3. Network
  Load Balancers: Distributing network or application traffic across multiple servers.
 NIC Teaming: Utilizing multiple NICs to enhance reliability and performance.
4. Power
 UPS (Uninterruptible Power Supply): Providing backup power to keep systems running
during power failures.
 Generator: Offering a long-term power backup during prolonged power outages.
 Dual Supply: Having two power sources.
 Managed PDUs: Distributing and managing power supply to the IT equipment.
Replication
1. Storage Area Network (SAN)
 Providing block-level data storage for connecting to servers.
2. VM (Virtual Machine)
 Replicating VMs to safeguard against hardware failures.
On-Premises vs. Cloud
 On-Premises: Data and systems are stored and managed in-house.
 Cloud: Using cloud-based services to store and manage data.
Backup Types
1. Full
 Backup of all selected data.
2. Incremental
 Only backup data that has changed since the last backup.
3. Snapshot
 Read-only copy of the data set.
4. Differential
 Backup of data changed since the last full backup.
5. Tape/Disk
 Utilizing tape drives or disk drives for backups.
6. Copy
 Similar to a full backup but does not affect other backup types.
7. NAS (Network-Attached Storage)
 Backup data to a specialized data storage device connected to the network.
8. Cloud
 Storing backups on cloud platforms.
9. Image
 A complete disk image of the system.
10. Online vs. Offline
 Online: Backups are performed while the system is running.
 Offline: Backups are performed while the system is offline.
11. Offsite Storage
 Keeping backup data stored in a location different from the main site.
Non-persistence
1. Revert to Known State
 Restoring systems to a previous, stable state.
2. Last Known-Good Configuration
 Using the most recent configuration before a failure.
3. Live Boot Media
 Booting a system from a live media like CD/DVD or USB.
High Availability
 Ensuring systems and data are available with minimal downtime, often via redundancy and
failover procedures.
Scalability
 Ability of a system to grow and manage increased demand effectively.
Restoration Order
Determining the sequence in which systems and data are restored after an incident to ensure
business continuity.
Diversity
1. Technologies
 Employing various technologies to prevent single points of failure.
2. Vendors
 Using products and services from different vendors to avoid dependency.
3. Crypto
 Employing various cryptographic technologies and algorithms.
4. Controls
 Implementing a range of controls (administrative, technical, and physical) to enhance
security posture.

2.6 Explain the security implications of embedded and specialized systems.

Embedded Systems and Specialized Devices

Embedded systems are specialized computing systems that perform dedicated functions or tasks
within a larger system. They are not general-purpose devices like personal computers, but they
serve specific functions.

Embedded Systems:

1. Raspberry Pi: A small and affordable computer used for multiple purposes, from learning
programming to building DIY projects.
 2. FPGA (Field-Programmable Gate Array): An integrated circuit that can be programmed after
manufacturing. Used in various industries for applications like signal processing and hardware
acceleration.

3. Arduino: A popular open-source electronics platform based on easy-to-use hardware and

software.

SCADA/ICS:

Supervisory Control and Data Acquisition systems and Industrial Control Systems manage and
monitor critical infrastructure in various sectors.

 Facilities: Manage building operations.

 Industrial: Automate manufacturing processes.

 Manufacturing: Oversee product assembly lines.

 Energy: Monitor and control energy production and distribution.

 Logistics: Manage transportation and delivery processes.

Internet of Things (IoT):

Devices connected to the internet to gather and share data.

 Sensors: Collect data from the environment.

 Smart devices: Appliances connected to the internet (e.g., smart thermostats).

 Wearables: Devices worn on the body (e.g., fitness trackers).

 Facility automation: Automated systems in buildings (like smart lighting).

 Weak defaults: Many IoT devices come with easily guessable default settings, making them
vulnerable.

Specialized Systems:

 Medical systems: Devices like MRI machines and infusion pumps.

 Vehicles: Modern cars with computer systems for navigation, entertainment, etc.

 Aircraft: Planes’ avionic systems.

 Smart meters: Measure energy consumption in real-time.

 VoIP: Technology to make voice calls using a broadband internet connection instead of a
traditional line.

 HVAC: Systems controlling temperature and air quality.

 Drones: Unmanned aerial vehicles, used from photography to delivery.

 MFP (Multifunction Printer): Devices that combine printing, scanning, and copying.

 RTOS (Real-Time Operating System): An OS designed to serve real-time applications.

  Surveillance systems: Cameras and systems to monitor areas.

 SoC (System on Chip): Integrated circuits that contain components of a computer or other
electronic systems.

Communication Considerations:

 5G: The fifth generation of mobile network technology.

 Narrow-band: A communication channel with a narrow bandwidth.

 Baseband radio: Signal processing in its raw form, without modulation.

 SIM cards: Cards containing subscriber’s information in mobile devices.

 Zigbee: A high-level communication protocol used to create personal area networks.

Constraints:

Embedded and specialized systems often face certain constraints due to their specific use-case nature:

 Power: Limited battery life.

 Compute: Limited processing capabilities.

 Network: Limited or specific connectivity options.

 Crypto: Limited cryptographic capabilities.

 Inability to patch: Some devices cannot be easily updated.

 Authentication: Limited or no user verification methods.

 Range: Limited operational range.

 Cost: Budget constraints may affect features and security.

 Implied trust: Devices are often considered trustworthy within a network, making them
potential weak points.

2.7 Explain the importance of physical security controls.

Physical Security Measures:

 Bollards/Barricades: Physical barriers used to prevent unauthorized vehicle access.

 Access Control Vestibules: Secure entry areas where one must be authenticated before
proceeding.

 Badges: ID cards to prove an individual’s credentials and grant access.

 Alarms: Systems that alert to breaches or unauthorized access.

  Signage: Signs indicating rules, warnings, or information.

 Cameras: Devices for visual surveillance.

 Motion Recognition: Detects movement.

 Object Detection: Identifies specific objects in view.

 Closed-Circuit Television (CCTV): Private video system for surveillance.

 Industrial Camouflage: Hiding critical infrastructure to make it less obvious.

Personnel:

 Guards: Human security to monitor and respond.

 Robot Sentries: Automated devices for security.

 Reception: Front-desk personnel controlling visitor access.

 Two-Person Integrity/Control: Requires two individuals to access or perform certain actions.

Locks:

 Biometrics: Uses unique biological traits (e.g., fingerprints) for access.

 Electronic: Digital locks (often uses codes or access cards).

 Physical: Traditional locks with keys.

 Cable Locks: Locks to secure devices like laptops.

 USB Data Blocker: Device that allows charging but blocks data transfer.

 Lighting: Ensures visibility to deter unauthorized access.

 Fencing: Physical barriers to prevent unauthorized entry.

 Fire Suppression: Systems to extinguish fires.

Sensors:

 Motion Detection: Detects movement.

 Noise Detection: Identifies abnormal sounds.

 Proximity Reader: Detects how close a device/card is.

 Moisture Detection: Identifies water presence.

 Cards: Used in conjunction with readers for access.

 Temperature: Monitors temperature levels.

 Drones: Aerial devices for surveillance or inspection.

 Visitor Logs: Records of individuals visiting a facility.

 Faraday Cages: Shields equipment from electromagnetic interference.

  Air Gap: Physical isolation of a computer or network, preventing it from connecting to other
networks.

 Screened Subnet (DMZ): A buffer zone between a private network and the internet.

 Protected Cable Distribution: Ensures communication cables are shielded from interference or
tapping.

Secure Areas:

 Air Gap: As mentioned above.

 Vault: A reinforced area/room for storage.

 Safe: A secure box.

 Hot Aisle/Cold Aisle: Datacenter cooling strategy.

Secure Data Destruction:

 Burning, Shredding, Pulping, Pulverizing: Various ways to destroy paper.

 Degaussing: Removes magnetism, rendering magnetic storage media unreadable.

 Third-party Solutions: Outsourcing data destruction to trusted vendors.

2.8 Summarize the basics of cryptographic concepts.

1. Digital Signatures: A way to verify the authenticity and integrity of data. Uses a private key to
create a signature and a public key to verify it.

2. Key Length: Refers to the length of a cryptographic key, typically measured in bits. Longer key
lengths are generally more secure but may be slower.

3. Key Stretching: A technique to make brute force attacks more difficult by making key derivation
computationally more intensive.

4. Salting: Adding random data to passwords before hashing to prevent rainbow table attacks.
 5. Hashing: Converting input data (like a password) into a fixed-length string of characters,
typically a hash value. It’s a one-way process.

6. Key Exchange: A method by which cryptographic keys are exchanged between parties securely.

7. Elliptic-Curve Cryptography (ECC): A type of public key cryptography based on the math of
elliptic curves. More secure with shorter key lengths than traditional methods.

8. Perfect Forward Secrecy (PFS): Ensures that even if a private key is compromised, past session
keys cannot be determined.

9. Quantum:

 Communications: Using quantum mechanics for secure communication.

 Computing: Computers that use quantum-mechanical phenomena.

1. Post-Quantum: Cryptography that is considered secure against quantum computer attacks.

2. Ephemeral: Temporary. For instance, ephemeral keys are used once then discarded.

3. Modes of Operation: How a cryptographic block cipher is used.

 Authenticated: Ensures data integrity and authenticity.

 Unauthenticated: No integrity check.

 Counter: A type of block cipher mode that uses a counter.

1. Blockchain: A distributed ledger.

 Public Ledgers: Ledgers that are publicly accessible.

1. Cipher Suites: A combination of authentication, encryption, message authentication code (MAC),

and key exchange algorithms.

 Stream: Encrypts data one bit/byte at a time.

 Block: Encrypts data in blocks.

1. Symmetric vs. Asymmetric: Symmetric uses the same key for encryption and decryption.
Asymmetric uses a pair of keys: a public key for encryption and a private key for decryption.

2. Lightweight Cryptography: Cryptography designed for environments where resources are

limited.

3. Steganography: The practice of hiding data within other data.

 Audio, Video, Image: Hiding data within these types of files.

Homomorphic Encryption:

Allows computation on ciphertexts, yielding encrypted results that, when decrypted, match the
result of operations as if they had been performed on the plaintext.

Common Use Cases:

 Low Power Devices, Low Latency, High Resiliency: Needs lightweight cryptography.
  Supporting Confidentiality: Ensuring data remains private.

 Supporting Integrity: Ensuring data is unchanged.

 Supporting Obfuscation: Hiding the purpose or meaning.

 Supporting Authentication: Verifying identity.

 Supporting Non-Repudiation: Ensuring a party cannot deny an action.

Limitations:

 Speed, Size: Efficiency constraints.

 Weak Keys: Vulnerable keys.

 Time: Time-related vulnerabilities.

 Longevity: How long a key/method remains secure.

 Predictability: If patterns can be deduced.

 Reuse: Using keys or IVs repeatedly can be insecure.

 Entropy: Measure of randomness.

 Computational Overheads: Extra processing required.

 Resource vs. Security Constraints: Balancing efficiency with security.

3.1 Given a scenario, implement secure protocols.

Protocols:

1. DNSSEC (Domain Name System Security Extensions)

Purpose: Enhances DNS security by allowing DNS responses to be verified for
authenticity.

2. SSH (Secure Shell)

Purpose: Securely access and manage systems remotely.

3. S/MIME (Secure/Multipurpose Internet Mail Extensions)

Purpose: Encrypts and digitally signs email messages.
 4. SRTP (Secure Real-time Transport Protocol)
Purpose: Provides confidentiality, integrity, and replay protection to real-time
applications, like VoIP.

5. LDAPS (Lightweight Directory Access Protocol Over SSL)

Purpose: Securely access and manage directory information over a network.

6. FTPS (File Transfer Protocol, Secure)

Purpose: Securely transfers files between systems.

7. SFTP (SSH File Transfer Protocol)

Purpose: Transfers files securely over SSH.

8. SNMPv3 (Simple Network Management Protocol, version 3)

Purpose: Manages devices on IP networks in a secure manner.

9. HTTPS (Hypertext Transfer Protocol over SSL/TLS)

Purpose: Securely transfers web content between the server and client.

10. IPSec (Internet Protocol Security)

— AH (Authentication Header): Provides packet-level authentication.
— ESP (Encapsulating Security Payloads): Provides packet-level authentication,
integrity, and confidentiality.
— Tunnel/Transport Modes: Transport encrypts the payload; Tunnel encrypts the whole
original packet.

11. POP/IMAP (Post Office Protocol/Internet Message Access Protocol)

— Purpose: Retrieve emails from a server (POP is download-based, and IMAP is server-
based).

Use Cases:

1. Voice and Video

— Protocols like SRTP help secure real-time voice and video communication.

2. Time Synchronization
— Protocols like NTP (Network Time Protocol) synchronize time across devices, crucial
for data integrity and logging.

3. Email and Web

— S/MIME encrypts and signs emails.
— HTTPS secures web browsing.

4. File Transfer
— FTPS and SFTP provide secure file transfer capabilities.

5. Directory Services
— LDAPS accesses and manages directory information securely.

6. Remote Access
— SSH allows secure remote access and management of systems.

7. Domain Name Resolution

— DNSSEC ensures that domain name lookups are authentic and haven’t been tampered
with.
 8. Routing and Switching
— BGP (Border Gateway Protocol), though not in your list, is crucial for making
decisions about routing data across the internet.

9. Network Address Allocation

— DHCP (Dynamic Host Configuration Protocol), another not in your list, is used to
dynamically assign IP addresses to devices on a network.

10. Subscription Services

— Protocols like MQTT (Message Queuing Telemetry Transport) might be utilized for
lightweight messaging in IoT subscription services.

3.2 Given a scenario, implement host or application security solutions.

Endpoint Protection:

1. Antivirus: Software designed to detect, stop, and remove viruses and malicious software.

2. Anti-malware: Similar to antivirus but focuses on a wider range of malicious software, including
newer threats.

3. EDR (Endpoint Detection and Response): Solutions that monitor endpoints to detect suspicious
activities, then automatically respond to and mitigate threats.

4. DLP (Data Loss Prevention): Tools designed to detect and prevent unauthorized data
exfiltration.

5. NGFW (Next-Generation Firewall): Firewalls with deeper inspection capabilities, integrating

traditional firewall with additional functionalities like application awareness.
 6. HIPS (Host-based Intrusion Prevention System): Software application that monitors a single
host for suspicious activity.

7. HIDS (Host-based Intrusion Detection System): Monitors and analyzes the internals of a
computing system.

8. Host-based Firewall: Filters incoming and outgoing traffic for a single host.

Boot Integrity:

1. Boot Security/UEFI (Unified Extensible Firmware Interface): Modern replacement for BIOS,
ensuring a secure boot process.

2. Measured Boot: Evaluates each component during the boot process before being loaded.

3. Boot Attestation: Allows a remote server to verify the integrity of the boot process.

Database:

1. Tokenization: Replaces sensitive data with non-sensitive equivalent, called a token.

2. Salting: Adding random data to input (like passwords) before hashing to increase security.

3. Hashing: Process of converting input data into a fixed-length string.

Application Security:

1. Input Validations: Ensuring the integrity and correctness of input data.

2. Secure Cookies: Cookies that are transmitted over secure HTTPS connections.

3. HTTP Headers: Contain metadata for HTTP requests and responses.

4. Code Signing: Utilizes a digital signature to confirm software authenticity and integrity.

5. Allow List: Specifies what is permitted.

6. Block List/Deny List: Specifies what is forbidden.

7. Secure Coding Practices: Guidelines and practices to write secure and robust code.

8. Static Code Analysis: Analyzing code without executing it to find vulnerabilities.

9. Manual Code Review: Human-driven review of the source code.

10. Dynamic Code Analysis: Analyzing code by executing it.

11. Fuzzing: Testing technique that involves providing invalid, unexpected, or random data as
inputs.

Hardening:

1. Open Ports and Services: Close or block unnecessary ports and services to reduce vulnerabilities.

2. Registry: Secure and restrict changes to the system registry.

3. Disk Encryption: Encrypt data at rest.

4. OS: Implement necessary security configurations for the operating system.

 5. Patch Management: Ensure all software has the latest security patches.

 Third-party updates: Update software from third-party vendors.

 Auto-update: Automatically update software when new patches are available.

Self-encrypting Drive (SED)/Full-disk Encryption (FDE):

1. Opal: A standard for SEDs, ensuring data is encrypted on the drive.

Other:

1. Hardware Root of Trust: A source that can always be trusted within a cryptographic system.

2. TPM (Trusted Platform Module): A hardware component used to securely generate and store
cryptographic keys.

3. Sandboxing: Running applications in a restricted environment to prevent malicious or

malfunctioning behaviors from affecting the system.

3.3 Given a scenario, implement secure network designs.

1. Load Balancing:
— Active/active: Both servers are actively processing traffic. If one fails, the other takes over.
— Active/passive: One server processes traffic while the other waits. If the active fails, the
passive takes over.
— Scheduling: Determines how to distribute incoming requests to servers.
— Virtual IP: An IP address assigned to the load balancer, not tied to a specific device.
— Persistence: Ensures a user sticks with the same server during a session.

2. Network Segmentation:
— VLAN: Logical grouping of devices in the same broadcast domain.
— Screened Subnet (DMZ): A secure area between the internal network and the external
network (internet).
— East-west Traffic: Traffic that moves within the data center.
— Extranet: Private network that uses internet technology to share business info with external
 partners.
— Intranet: Private network for internal use.
— Zero Trust: A security model that doesn’t trust any user or system, regardless of its location.

3. Virtual Private Network (VPN):

— Always-on: VPN that remains connected.
— Split Tunnel vs. Full Tunnel: Split sends only some traffic over the VPN; full sends all traffic.
— Remote Access vs. Site-to-Site: Remote access connects individuals; site-to-site connects two
networks.
— IPSec: A protocol suite for secure IP communications.
— SSL/TLS: Protocols for secure communication over a computer network.
— HTML5: A newer protocol that allows VPN through a web browser.
— L2TP: A protocol used with IPSec for creating VPNs.

4. DNS: The system that translates domain names to IP addresses.

5. Network Access Control (NAC):

— Agent & Agentless: Software that checks if a device is compliant with security before it joins a
network (agentless doesn’t require software installation).

6. Out-of-band Management: Managing devices via a dedicated channel, not through the main network
traffic.

7. Port Security:
— Broadcast Storm Prevention: Prevents overwhelming the network with broadcast traffic.
— BPDU Guard: Prevents rogue switches from causing problems.
— Loop Prevention: Stops network loops which can cause broadcast storms.
— DHCP Snooping: Stops rogue DHCP servers.
— MAC Filtering: Allows/denies devices based on MAC address.

8. Network Appliances:
— Jump Servers: Secure intermediary for admins to access devices.
— Proxy Servers: Intermediary between users and the websites they visit.
— NIDS/NIPS: Monitors or prevents unauthorized activity on the network.
— HSM: A physical device to manage digital keys securely.
— Sensors/Collectors/Aggregators: Monitors data, collects data, and aggregates data,
respectively.
— Firewalls: Devices or programs that block unauthorized access. They have many types and
functionalities, as you listed.

— Web Application Firewall (WAF): A specific type of firewall that focuses on web traffic,
particularly HTTP/HTTPS. It examines the content of web traffic to prevent attacks like SQL
injection, XSS (cross-site scripting), and CSRF (cross-site request forgery).

— NGFW (Next-Generation Firewall): More advanced than traditional firewalls. It includes

functionalities like deep packet inspection, intrusion prevention systems, and application
awareness.

— Stateful: Remembers the state of active connections and makes decisions based on context. For
example, if you initiate a connection to a website, the return traffic from that website will be
allowed because of the remembered “state” of the connection.
 — Stateless: Examines each packet independently without remembering past packets. It doesn’t
keep track of the “state” of connections.

— Unified Threat Management (UTM): A security solution that bundles multiple security
features into one device. This can include traditional firewall capabilities, antivirus, content
filtering, and more.

— Network Address Translation (NAT) Gateway: Used to allow multiple devices on a local
network to use a single public IP address. This provides security as internal IP addresses are
hidden from external networks.

— Content/URL Filter: Blocks or allows content based on specified criteria, like blocking adult
content or social media websites.

— Open-Source vs. Proprietary:

— Open-Source: Software whose source code is made available to the public, allowing
modification and redistribution. This often leads to more eyes on the code, potentially improving
security (and finding vulnerabilities faster).
—Proprietary: Software owned by an individual or a company. Only the owners can access and
modify the source code.

— Hardware vs. Software:

— Hardware Firewall: A physical device that filters network traffic. Often found in corporate
environments and as standalone devices in home networks.
— Software Firewall: A program installed on a device that filters traffic coming into and out of
that device. Commonly found on PCs and servers.

— Appliance vs. Host-Based vs. Virtual:

— Appliance: A standalone device dedicated to a specific function like security (e.g., a firewall
appliance).
—Host-Based: Software installed directly on a server or computer, providing protection to that
specific host.
— Virtual: Implemented as software and runs on virtualization platforms. It provides firewall
functionalities for virtual environments.

9. Access Control List (ACL): A list that says what users/services can or can’t do on a network/device.

10. Route Security: Ensuring routing tables and route updates are secure.

11. Quality of Service (QoS): Prioritizing network traffic.

12. Implications of IPv6: New version of IP with more addresses and security features.

13. Port Spanning/Port Mirroring: Duplicating network traffic from one port to another for monitoring.

14. Monitoring Services: Services that continuously check and report on the network’s health.

15. File Integrity Monitors: Monitors files to see if they’ve been changed, deleted, or added.
 3.4 Given a scenario, install and configure wireless security settings.

Cryptographic Protocols

1. WiFi Protected Access 2 (WPA2): A security protocol that uses encryption to protect wireless
networks from eavesdropping.

2. WiFi Protected Access 3 (WPA3): An updated version of WPA2, offering enhanced security and
stronger encryption.

3. Counter-mode/CBC-MAC Protocol (CCMP): An encryption protocol used in WPA2, providing

robust data security by using advanced cryptographic techniques.

4. Simultaneous Authentication of Equals (SAE): A security method used in WPA3 to protect

against “offline dictionary” attacks. It ensures password security during initial setup.

Authentication Protocols

1. Extensible Authentication Protocol (EAP): A set of interface used for authenticating users and
devices on both wired and wireless networks.
 2. Protected Extensible Authentication Protocol (PEAP): A version of EAP, generally encrypted
with a TLS tunnel and used to securely transmit authentication information.

3. EAP-FAST: A protocol that allows quick, automated re-establishment of authentication

connections.

4. EAP-TLS: Uses Transport Layer Security (TLS) to encrypt the EAP authentication process.

5. EAP-TTLS: Similar to EAP-TLS but only requires a server-side certificate, offering secure
authentication.

6. IEEE 802.1X: A standard for port-based network access control. It provides authentication to
devices in a LAN or WLAN.

7. Remote Authentication Dial-in User Service (RADIUS) Federation: An extended version of

RADIUS to provide a way for entities to share authentication handoffs and prevent having to
maintain separate identity stores.

Methods:

Pre-shared key (PSK) vs. Enterprise vs. Open:

 PSK: Uses a shared password for all users.

 Enterprise: Uses individual usernames and passwords (often with a RADIUS server).

 Open: No password is used.

 WiFi Protected Setup (WPS): A method that allows you to easily connect devices to a wireless
network, typically through pressing a button on the router and the device.

 Captive Portals: Webpages that require users to perform some action (like login or acceptance of
terms) before connecting to the internet.

Installation Considerations

1. Site Surveys: Assessing the area where a network will be established to understand its layout
and potential challenges.

2. Heat Maps: Visual representations of the wireless signal coverage and strength across the
location.

3. WiFi Analyzers: Tools that allow you to see all wireless networks in your area, their channels,
and strength.

4. Channel Overlaps: When multiple networks broadcast on the same or adjacent WiFi channel,
causing interference.

5. Wireless Access Point (WAP) Placement: Positioning WAPs strategically to ensure optimal
coverage and minimal interference.

6. Controller and Access Point Security: Ensuring that network controllers and access points are
secured against unauthorized access and potential vulnerabilities.
 3.5 Given a scenario, implement secure mobile solutions.

Connection Methods and Receivers

1. Cellular: Connects devices via a cellular network. Used by mobile phones for voice and data
communication.

2. WiFi: A wireless networking technology that uses radio waves to provide wireless high-speed
internet and network connections.

3. Bluetooth: Enables wireless data transfer between devices over short distances.

4. NFC (Near Field Communication): Allows devices to communicate when they’re touched
together or brought into proximity.

5. Infrared: Uses infrared radiation to transmit data between devices.

6. USB (Universal Serial Bus): A wired connection used to connect, communicate, and power
devices.

7. Point-to-point: A direct communication line between two devices.

 8. Point-to-multipoint: Connects one device to multiple devices.

9. GPS (Global Positioning System): Provides geolocation and time information to a GPS
receiver anywhere on Earth.

10. RFID (Radio-Frequency Identification): Uses electromagnetic fields to track and identify tags
attached to objects.

Mobile Device Management (MDM)

- Application Management: Controlling and managing applications on mobile devices.

- Content Management: Managing and sharing digital content securely.

- Remote Wipe: Remotely deleting data on a device.

- Geofencing: Setting a virtual geographic boundary and triggering responses when the device
enters or exits.

- Geolocation: Tracking the geographic location of the device.

- Screen Locks: Securing devices through mechanisms like PINs, passwords, or patterns.

- Push Notifications: Sending messages/alerts directly to the device.

- Passwords and PINs: Utilizing secret data for authentication.

- Biometrics: Using unique physical characteristics for authentication.

- Context-aware Authentication: Adjusting authentication methods based on context.

- Containerization: Isolating applications or data.

- Storage Segmentation: Separating data into different segments or areas.

- Full Device Encryption: Encoding all the data on the device.

Mobile Devices

- MicroSD HSM: Utilizing MicroSD as a Hardware Security Module.

- MDM/UEM: Managing devices and endpoints respectively.

- Mobile Application Management (MAM): Managing and securing enterprise mobile apps.

- SEAndroid: Enhancing Android to meet the security needs of certain (security-sensitive)

applications.

Enforcement and Monitoring of:

- Third-party Application Stores: Observing non-official platforms that distribute apps.

- Rooting/Jailbreaking: Bypassing device restrictions to gain elevated access.

- Sideloading: Installing apps from sources other than the official app store.

- Custom Firmware: Using non-standard software for device functionality.

- Carrier Unlocking: Removing a carrier’s restrictions on the device.

 - Firmware OTA Updates: Releasing firmware updates to devices wirelessly.

- Camera Use, SMS/MMS/RCS, External Media, USB OTG, Recording Microphone, GPS
Tagging, WiFi Direct/Ad hoc, Tethering, Hotspot, Payment Methods: Monitoring and
managing these functionalities to ensure secure and appropriate use.

Deployment Models

- BYOD: Employees use their devices for work.

- COPE (Corporate-owned Personally Enabled): The organization provides, but the employee
also uses it personally.

- CYOD (Choose Your Own Device): Employees choose a device from a list provided by the
enterprise.

- Corporate-owned: Devices are owned/controlled by the enterprise.

- VDI (Virtual Desktop Infrastructure): Hosting desktop environments on a central server.

3.6 Given a scenario, apply cybersecurity solutions to the cloud.

Cloud Security Controls:

1. High Availability Across Zones:

- Distribute your resources across multiple data centers (zones) in the same region to
ensure that if one fails, the others can handle the demand.

2. Resource Policies:
- Define who has what kind of access to specific resources. For instance, who can start or
terminate an instance, or who can read/write to a storage bucket.

3. Secrets Management:
- Use services like AWS Secrets Manager or HashiCorp Vault to securely store, retrieve,
and manage sensitive information like API keys or database passwords.

4. Integration and Auditing:

- Ensure that logging is turned on and integrate it with monitoring tools. Regularly audit
logs for suspicious activity.

5. Storage:
— Permissions: Use fine-grained permissions to control who can access what data.
— Encryption: Encrypt data at rest.
 — Replication: Store copies of data in different locations.
— High Availability: Ensure data is always accessible even if some nodes or centers go
down.

6. Network:
— Virtual Networks: Use VPCs or their equivalent to provision a logically isolated
section of the cloud.
— Public and Private Subnets: Public for resources you want to be accessible from the
internet, private for internal resources.
— Segmentation: Divide the network into segments to contain potential security
breaches.
— API Inspection and Integration: Monitor API calls to your resources and integrate
with security tools to identify threats.

7. Compute:
— Security Groups: Virtual firewalls to control inbound and outbound traffic.
— Dynamic Resource Allocation: Automatically allocate or de-allocate resources based
on demand.
— Instance Awareness: Know what’s running on each instance and manage
vulnerabilities.
— VPC Endpoint: Allows private connectivity to services.
— Container Security: Ensure images are secure, use orchestration tools like Kubernetes,
and monitor runtime environments.

Solutions:

1. CASB (Cloud Access Security Broker):

- Acts as a gatekeeper, allowing organizations to extend their security policies to cloud
services.

2. Application Security:
- Employ tools to monitor and protect your cloud-hosted applications from threats.

3. Next-Generation Secure Web Gateway (SWG):

- Offers advanced web security, filtering, and content inspection beyond traditional SWG
capabilities.

4. Firewall Considerations in a Cloud Environment:

— Cost: Cloud-based firewalls can introduce costs based on data processed.
— Need for Segmentation: Segment traffic to ensure that compromised resources don’t
affect others.
— OSI Layers: Ensure firewalls operate at the required layers. Some are Layer 3
(Network) or Layer 7 (Application) specific.

Cloud Native Controls vs. Third-Party Solutions:

Cloud Native Controls:

- Integrated tools provided by cloud vendors (e.g., AWS’s IAM, Azure’s Network Security Groups). They
usually provide seamless integration and are designed specifically for the platform.
Third-Party Solutions:
- Tools from cybersecurity vendors that can be used across multiple clouds or both on-premises and in
the cloud. They might offer features or interfaces that the cloud provider doesn’t offer by default.

3.7 Given a scenario, implement identity and account management controls.

Identity

- Identity Provider (IdP):

— An IdP is a system that creates, maintains, and manages identity information and provides
authentication services. Example: Azure AD, Okta.

- Attributes: Attributes are pieces of information that an identity system might keep about a user,
such as their username, email address, and roles.

- Certificates: Digital certificates confirm that the public key belongs to the private key. It ensures
secure communication and authenticates the user’s identity.

- Tokens: Tokens act like temporary digital passes, proving the user has successfully
authenticated and can access resources.

- SSH Keys: SSH keys are used to authenticate to systems via SSH, typically using a pair of keys
(private and public).

- Smart Cards: Physical cards that store user credentials securely and provide secure
authentication often with a PIN.
 Account Types

- User Account: Basic account tied to an individual user, typically requiring a username and
password.

- Shared and Generic Accounts/Credentials: Accounts used by multiple people or systems,

usually discouraged due to lack of individual accountability.

- Guest Accounts: Limited access accounts for visitors or non-regular users.

- Service Accounts: Accounts used by applications or services to interact with each other, usually
automated processes.

Account Policies

— Password Complexity: Requires passwords to have a mix of characters, numbers, and

symbols.
— Password History: Prevents reusing previous passwords.
— Password Reuse: Limiting or preventing the reuse of old passwords.

- Network Location: Limiting access based on the user’s network location (e.g., within a company
network).

- Geofencing, Geotagging, and Geolocation: Restrict or monitor access to services based on

geographical location.

- Time-Based Logins: Allow users to log in only during specified time frames.

- Access Policies: Define what resources an account can access and what actions it can perform.

- Account Permissions: Specific rights assigned to an account, dictating what it can and cannot
do.

- Account Audits: Review and analyze accounts for improper configurations, access, or malicious
activity.

- Impossible Travel Time/Risky Login: Detection of logins that occur in different geographic
locations in an implausible amount of time.

- Lockout: Disabling an account or preventing access after certain events like too many failed
login attempts.

- Disablement: Deactivating an account, often when an employee leaves the company or after a
period of inactivity.
 3.8 Given a scenario, implement authentication and authorization solutions.

Authentication Management

 Password Keys: Secure digital keys generated from a password.

 Password Vaults: Safes that store multiple passwords securely.

 TPM (Trusted Platform Module): A chip on your computer that helps with secure booting and
password storage.

 HSM (Hardware Security Module): A physical device that safeguards and manages digital keys.

 Knowledge-Based Authentication: “What was the name of your first pet?” — type questions to
verify identity.

Authentication/Authorization Protocols

 EAP (Extensible Authentication Protocol): A set of rules, a protocol, that devices use to talk to
each other to confirm identity.

 CHAP (Challenge-Handshake Authentication Protocol): Kind of like a secret handshake; the

server asks for proof that you are who you say.
  PAP (Password Authentication Protocol): An older, simpler way of confirming identity with a
username and password.

 802.1X: A standard used to restrict who can connect to a network.

 RADIUS: A protocol allowing remote access to users, often utilized by ISPs.

 SSO (Single Sign-On): Log in once, gain access to multiple related platforms.

 SAML (Security Assertion Markup Language): A means of telling others (servers) about the
identity and access rights of a user, in a secure way.

 TACACS+ (Terminal Access Controller Access-Control System Plus): A Cisco protocol for
authentication which separates the two functions of authentication and authorization.

 OAuth: A protocol that allows an application to access user data from another service without the
user’s password.

 OpenID: Like a driver’s license for the internet — a single identity that’s used across many sites.

 Kerberos: A secure method that uses ticket-granting for users and nodes to prove their identity
over a non-secure network, like the Internet.

Access Control Schemes

 ABAC (Attribute-Based Access Control): Permission to access certain things is given based on
properties (attributes) of the user.

 Role-Based Access Control: If your role is “manager”, you can access all the things a manager can
access.

 Rule-Based Access Control: Rules are set, and access is granted if you meet them.

 MAC (Mandatory Access Control): The system (not users) determines who gets access, based on
predefined policies.

 DAC (Discretionary Access Control): Users have some discretion over who is given access to
resources they control.

 Conditional Access: You get access if you meet certain conditions, like being in a certain location.

 Privileged Access Management: Making sure that special access rights are restricted and used
only when needed.

 Filesystem Permissions: Rules that specify who can read/write/execute files and directories on a
computer.
 3.9 Given a scenario, implement public key infrastructure.

Public Key Infrastructure (PKI)

 Key Management: How we look after our digital keys, including their creation, storage, and
distribution.

 Certificate Authority (CA): Like the government for the internet, it issues digital certificates (like
ID cards) and vouches for how legitimate they are.

 Intermediate CA: A step between the root CA and the end-user certificate, acting like a deputy to
the CA to issue certificates.

 Registration Authority (RA): Checks your details before telling the CA it’s OK to issue you a
certificate.

 Certificate Revocation List (CRL): A list of “bad” certificates that shouldn’t be trusted.

 Certificate Attributes: The properties and settings of a certificate.

 Online Certificate Status Protocol (OCSP): A way to check if a certificate is good or revoked.

 Certificate Signing Request (CSR): A request to the CA to get a certificate.

  CN (Common Name): The main identity of the certificate (like the website’s domain name).

 Subject Alternative Name: Additional identities (like additional domain names) for a certificate.

 Expiration: The date when the certificate will stop being valid/trusted.

Types of Certificates

 Wildcard: A certificate valid for a domain and its subdomains.

 Subject Alternative Name: A certificate that’s valid for multiple domains or subdomains.

 Code Signing: Certificates that guarantee software code hasn’t been tampered with.

 Self-Signed: A certificate that isn’t vouched for by a CA but by the entity itself.

 Machine/Computer: Certificates specific to machine identities.

 Email: Certificates used to secure email communication.

 User: Certificates to authenticate user identities.

 Root: The master certificate in a certificate chain, ultimately trusted.

 Domain Validation: A certificate that proves the certificate holder controls the domain.

 Extended Validation: Like domain validation, but with extra checks on the entity.

Certificate Formats

 DER (Distinguished Encoding Rules): A binary format for certificates.

 PEM (Privacy Enhanced Mail): ASCII-based format, often has a “.pem” or “.crt” file extension.

 PFX (Personal Information Exchange): Stores a certificate and its private key, often used in
Windows.

 .cer: A file extension often used for certificates.

 P12: A file format for storing private keys.

 P7B: A file format that contains only certificates and chain certificates, not the private key.

Concepts

 Online vs. Offline CA: An online CA can issue certificates in real-time, offline CA (often root
CAs) are kept offline for security and issue certificates less directly.

 Stapling: Bundling the OCSP response with the certificate itself to reduce certificate check
latency.

 Pinning: Storing certain cryptographic identities (like certificates or public keys) in your
application to reduce reliance on CA.

 Trust Model: How entities decide to trust others in the context of a network.

 Key Escrow: Storing a copy of cryptographic keys in a secure, third-party database.

  Certificate Chaining: Linking several certificates together to establish trust, from the server’s
certificate up to a root CA.

4.1 Given a scenario, use the appropriate tool to assess organizational security.

Network Reconnaissance and Discovery

- tracert/traceroute: Tools used to track the pathway taken by a packet over an IP network.

- nslookup/dig: DNS lookup utilities.

- ipconfig/ifconfig: Utilities to display or configure network interface settings.

- nmap: Network scanning tool to discover hosts and services.

- ping/pathping: Tools to check network connectivity.

- hping: Tool for assembling and sending custom ICMP, UDP, or TCP packets.

- netstat: Utility to display network connections.

- netcat: Networking utility for reading from and writing to network connections.

- IP scanners: Tools to scan IP addresses in a network.

- arp: Display and modify the IP-to-MAC address translation tables.

- route: View and modify IP routing table.

 - curl: Command-line tool and library for transferring data with URLs.

- theHarvester: Gather emails, subdomains, hosts, employee names, and more.

- sn1per: Automated pentest framework for scanning vulnerabilities.

- scanless: Utility to use websites to perform port scans on your behalf.

- dnsenum: Perl script that enumerates DNS information.

- Nessus: Vulnerability assessment tool.

- Cuckoo: Automated malware analysis system.

File Manipulation

- head/tail: Display the beginning/end of files.

- cat: Concatenate and display files.

- grep: Search for specific patterns within files.

- chmod: Change the permissions of a file or directory.

- logger: Command-line tool to add logs to syslog.

Shell and Script Environments

- SSH: Protocol for secure remote login and file transfer.

- PowerShell: Task automation and configuration management framework.

- Python: High-level, interpreted, interactive and object-oriented scripting language.

- OpenSSL: Toolkit for Transport Layer Security (TLS).

Packet Capture and Replay

- Tcpreplay: Tool to replay saved tcpdump files at arbitrary speeds.

- Tcpdump: Packet analyzer.

- Wireshark: Widely used network protocol analyzer.

Forensics

- dd: Disk copying and converting tool, often used in forensics.

- Memdump: Dumps system memory to a file.

- WinHex: Hexadecimal editor.

- FTK Imager: Data preview and imaging tool.

 - Autopsy: Digital forensics platform.

Exploitation Frameworks

- Examples would be Metasploit, used for developing, testing, and executing exploit code against
a remote target machine.

Password Crackers

- Tools like John the Ripper or Hashcat, used for cracking password hashes.

Data Sanitization

- Involves securely deleting data or wiping it in a manner that renders it irrecoverable. Tools
might include DBAN or Eraser.

4.2 Summarize the importance of policies, processes, and procedures for incident response.

These topics cover vital aspects of cybersecurity, particularly around incident response and continuity
planning. Below is a general breakdown and insights regarding these areas:

Incident Response Plans

- Definition: A well-structured approach detailing the processes to follow when a cybersecurity

incident occurs.

- Importance: Ensures a consistent and efficient approach to managing the incident to prevent
further damage, loss or leakage of information, and to restore systems to normal operation.

Incident Response Process

- Preparation: Establishing and fortifying the incident response team, creating incident response
plans, and setting up the necessary technology and communication channels to manage
incidents.

- Identification: Recognizing and acknowledging the incident.

- Containment: Preventing further damage by containing the incident on short and long terms.
 - Eradication: Removing the cause of the incident and securing the systems.

- Recovery: Validating system functionality for business operations and monitoring for signs of
weaknesses that can be exploited again.

- Lessons Learned: Reviewing what went wrong and developing strategies to prevent similar
incidents in the future.

Exercises

- Tabletop: A discussion-based exercise where team members meet in an informal setting to

discuss their roles during an emergency and their responses to a particular emergency situation.

- Walkthroughs: Regular and coordinated exercises for incident response team members and
relevant stakeholders to rehearse the incident response plan.

- Simulations: A practice method to validate the efficacy of an incident response plan, often
involving real-world scenarios without the actual impact.

Attack Frameworks

- MITRE ATT&CK: A globally-accessible knowledge base of adversary tactics and techniques

based on real-world observations.

- The Diamond Model of Intrusion Analysis: Framework that codifies the fundamental properties
of events, their relationships, and provides a structured methodology for analyzing intrusions.

- Cyber Kill Chain: A model to understand the stages of a cybersecurity attack.

Stakeholder Management

- Engage and manage individuals, groups, or organizations that may affect or be affected by
cybersecurity incidents, ensuring they have accurate and timely information and are involved in
decision-making processes.

Communication Plan

- A strategic plan that communicates the necessary information related to the incident to the
internal audience, media, stakeholders, and other related parties effectively and efficiently.

Disaster Recovery Plan

- A structured plan for recovering access to software, data, and hardware necessary to resume the
performance of critical business operations after a natural or human-induced disaster.

Business Continuity Plan

 - A strategic and systematic approach that helps businesses continue with their essential and
critical business functions during and after a disaster has occurred.

Continuity of Operations Planning (COOP)

- A federal initiative to encourage people and organizations to develop plans to address the
potential consequences of an event that disrupts normal operations.

Incident Response Team

- A group of experts that handle the incident recovery processes, including IT professionals,
security officers, legal advisors, public relations professionals, and others.

Retention Policies

- Guidelines that describe how to manage data for compliance purposes and operational
structures, dictating how long data is kept and how to dispose of or archive data that is no longer
needed.

4.3 Given an incident, utilize appropriate data sources to support an investigation.

When assessing organizational security, the given tools and outputs can help analysts, administrators,
and security professionals gain insights into the security posture of an organization, identify potential
vulnerabilities or threats, and create strategic responses. Here’s an overview of each and their relevance:

Vulnerability Scan Output

- Purpose: Provides a report from a vulnerability scanner that identifies potential weaknesses in
systems and networks.

- Relevance: Helps prioritize patching and mitigation efforts based on risk.

SIEM Dashboards

A Security Information and Event Management (SIEM) system provides real-time analysis of security
alerts.

- Sensor: Detects specific types of data or events.

- Sensitivity: Adjusts how much data or the type of data the sensor will detect.
 - Trends: Observing how data points move over time to predict future movements or spot
anomalies.

- Alerts: Notifications based on predefined criteria.

- Correlation: Associating different data points or events that might be related to a bigger security
event.

Log Files

Various types of logs can provide insights into specific areas of the network, system, or application:

- Network: Traffic and event logs from network devices.

- System: Logs of events on a system-level, like user logins or system errors.

- Application: Logs generated by specific applications.

- Security: Logs specifically from security appliances or software, like firewalls or IDS/IPS.

- Web: Web server logs, useful for identifying website attacks.

- DNS: Logs from DNS servers.

- Authentication: Logs for user authentication events.

- Dump files: Often a capture of a system’s memory, useful for crash analysis.

- VoIP and call managers: Logs related to voice communications.

- Session Initiation Protocol (SIP) traffic: Logs related to SIP-based VoIP traffic.

syslog/rsyslog/syslog-ng

- Purpose: Logging tools and protocols for Unix-based systems. They help in collecting and
storing log information.

- Relevance: Critical in consolidating logs from different systems into a central repository for
analysis.

journalctl

- Purpose: A tool for querying and displaying logs from the systemd journal.

- Relevance: Useful for systems running systemd, like many modern Linux distributions.

NXLog

- Purpose: A universal log collector and forwarder.

 - Relevance: Can process logs from different platforms and forward them to various analysis
tools.

Bandwidth Monitors

- Purpose: Monitors data traffic on a network.

- Relevance: Helps in identifying unusual spikes in traffic or unauthorized data transfers.

Metadata

Data about other data, such as:

- Email: Information about who sent or received an email, timestamps, etc.

- Mobile: Data about call logs, SMS logs, etc.

- Web: Data about websites visited, duration, etc.

- File: Information about when a file was created, modified, accessed, etc.

Netflow/sFlow

- Netflow/sFlow/IPFIX: Technologies to sample and monitor network traffic.

- Relevance: Helps in understanding traffic patterns, bandwidth usage, and potential security
threats.

Protocol Analyzer Output

- Purpose: Detailed analysis of network traffic, often down to the packet level.

- Relevance: Useful for deep dive investigations into network anomalies or security events.

When given a scenario, use the tools relevant to the situation. For instance, if you suspect a data breach,
checking SIEM alerts, bandwidth monitors, and Netflow might be your first steps. If a system crashes,
dump files and system logs become more pertinent. The key is to understand the nature of the incident or
the assessment need and then choose the right tools and outputs to gain the required insights.
 4.4 Given an incident, apply mitigation techniques or controls to secure an environment.

Given an incident, applying mitigation techniques or controls efficiently and promptly is crucial to
minimize damage and protect the environment. Let’s dive into the mentioned techniques and controls:

1. Reconfigure Endpoint Security Solutions

Depending on the nature of the incident, reconfiguring endpoint security solutions can help in
containment and prevent further spread.

- Application Approved List: Ensure only trusted applications are allowed to run.

- Application Blocklist/Deny List: Proactively prevent malicious or undesired applications from

executing.

- Quarantine: Isolate affected endpoints from the network to prevent the spread of malicious
activity.

2. Configuration Changes

A strategic change in configurations can also aid in controlling an incident.

- Firewall Rules: Update rules to block malicious traffic, unauthorized access, or data exfiltration.

- MDM (Mobile Device Management): Adjust policies for mobile devices to mitigate threats.

- DLP (Data Loss Prevention): Enhance policies to secure sensitive data and prevent
unauthorized access or transmission.
 - **Content Filter/URL Filter**: Block access to malicious, suspicious, or non-compliant URLs.

- Update or Revoke Certificates: Replace or revoke compromised security certificates.

3. Isolation

- Purpose: Isolate affected systems or networks to contain the incident and prevent it from
affecting other assets.

4. Containment

- Purpose: Ensure the incident does not spread further, which might involve isolating systems,
disabling user accounts, or changing credentials.

5. Segmentation

- Purpose: Utilize network segmentation to restrict lateral movements of potential threats.

- Relevance: Especially useful if an attacker gains access to one segment of the network, limiting
them from accessing other segments.

6. SOAR (Security Orchestration, Automation, and Response)

SOAR solutions allow organizations to collect data about security threats from multiple sources and
respond to low-level incidents without human intervention.

- Runbooks: Utilize predefined instructions or workflows for performing routine or repetitive

tasks. Adapt and utilize them to handle the incident effectively, especially for known threats or
vulnerabilities.

- Playbooks: Develop strategic and tactical plans to handle incidents, ensuring that every step is
taken to mitigate, contain, and eradicate the threat.

Application

If it’s a malware incident, quarantine affected endpoints, update firewall rules to block C2 servers, utilize
SOAR for automated threat hunting, and review DLP policies to protect sensitive data.

For unauthorized access incidents, consider isolation and containment of affected systems, update or
revoke certificates, and implement an application blocklist for any unauthorized applications.

If data exfiltration is suspected, segmentation could be useful to limit access to sensitive data, while DLP
and content filtering can control data transfer.
 4.5 Explain the key aspects of digital forensics.

Digital Forensics is a branch of forensic science focusing on the recovery and investigation of material
found in digital devices, often related to cybercrime. Let’s delve deeper into each aspect you’ve
mentioned:

1. Documentation/Evidence

— Legal Hold: A preservation process to secure information that may serve as evidence.

— Video: Utilizing video data as evidence; ensuring its authenticity and integrity are crucial.

— Admissibility: Ensuring that the evidence collected is acceptable in court.

— Chain of Custody: Maintaining and documenting the handling of evidence to prevent

tampering.

— Timelines/Sequence of Events: Keeping accurate records of incidents through:

— Time Stamps: Marking data or events with the time of occurrence.

— Time Offset: Adjusting time records to synchronize or correlate events accurately.

— Tags/Reports/Event Logs: Labeling, summarizing, and recording incidents to create a

comprehensive and understandable record.

— Interviews: Gathering verbal/written information and statements from relevant entities.

2. Acquisition

— Order of Volatility: Collecting evidence based on data volatility from RAM to hard disks to
preserve the integrity.

— Disk/RAM/Swap/Pagefile/OS/Device/Firmware: Acquiring data from all possible sources

ensuring no data is overlooked.
 — Snapshot: Capturing the state of a system at a specific point in time, often crucial to
understand the incident.

— Cache/Network/Artifacts: Collecting temporary and network data to understand real-time

actions and flow of data.

3. On-Premises vs. Cloud

— Right-to-audit Clauses: Agreements ensuring organizations can audit data handled by external
entities.

— Regulatory/Jurisdiction: Adhering to laws and regulations pertinent to geographical and

industrial sectors.

— Data Breach Notification Laws: Laws dictating the need and manner of notifying entities in
case of a data breach.

4. Integrity

— Hashing: Ensuring data integrity by using hash functions to detect alterations.

— Checksums: Utilizing algorithms to verify data integrity during storage and transmission.

— Provenance: Tracking and verifying the origin of data to ensure authenticity.

5. Preservation

Ensuring that digital evidence is safeguarded against tampering or loss, and is maintained in its
original form.

6. E-Discovery

Identifying, collecting, and producing electronically stored information in response to a legal

request or investigation.

7. Data Recovery

Retrieving inaccessible, lost, corrupted, or damaged data and making it accessible.

8. Non-Repudiation

Ensuring a party in a dispute cannot refute the validity of a statement or contract.

9. Strategic Intelligence/Counterintelligence

— Strategic Intelligence: Providing insights into the long-term capabilities and intentions of
potential adversaries.

— Counterintelligence: Engaging in activities designed to prevent adversaries from gaining

information.

In digital forensics, practitioners follow a systematic approach to gather, analyze, and interpret digital
evidence. All steps, from documentation to data recovery, must be executed methodically to ensure that
the evidence is reliable, and the analysis results are accurate. Moreover, all practices must comply with
relevant laws and policies to ensure that the evidence can be admissible in a legal context. This further
underscores the importance of understanding both technical and legal aspects in a forensic investigation.
 5.1 Compare and contrast various types of controls.

Categories of Controls

1. Managerial Controls:

— Definition: These are strategies, policies, and procedures defined by the

organization’s management to achieve compliance and security objectives.
— Example: Developing a cybersecurity policy, conducting risk assessments, or
establishing security training programs for employees.
— Simplified: Think of it as the “boss level” controls — the rules and guidelines set by
leadership to make sure everything stays safe.

2. Operational Controls:

— Definition: Operational controls are the mechanisms and procedures designed to

address operational aspects of ensuring system security.
— Example: Implementing a backup procedure, performing regular security audits, or
establishing an incident response team.
— Simplified: These are the “day-to-day” controls — actions and activities that we do
regularly to keep things secure.

3. Technical Controls:

— Definition: Technical controls use technology to manage vulnerabilities and protect

against identified threats.
— Example: Installing antivirus software, deploying firewalls, or using encryption.
— Simplified: Think of these as the “gadget-level” controls — using tech tools and
software to secure data and systems.

Types of Controls

1. Preventive Controls:

— Definition: These are implemented to stop unwanted or unauthorized activities from

occurring.
— Example: Installing an antivirus program to prevent malware infection.
— Simplified: Like a lock on a door — stopping bad things from happening in the first
place.
 2. Detective Controls:

— Definition: These are intended to identify and respond to incidents and breaches that
may occur.
— Example: Utilizing intrusion detection systems (IDS) to spot potential security
breaches.
— Simplified: Like a security camera — spotting when something bad is happening.

3. Corrective Controls:

— Definition: Designed to mitigate or adjust the system after a breach or incident has
occurred.
— Example: Employing a backup and recovery process to restore data after a
ransomware attack.
— Simplified: Like a repair kit — fixing things and getting back to normal after
something goes wrong.

4. Deterrent Controls:

— Definition: Implemented to discourage individuals from causing a security incident.

— Example: Displaying a warning message when logging onto a system.
— Simplified: Like a “Beware of the Dog” sign — making potential attackers think twice
before attempting.

5. Compensating Controls:

— Definition: Deployed to provide alternative security measures when a primary

control isn’t viable.
— Example: If multifactor authentication isn’t possible, implementing stringent
password policies and frequent changes might be compensating controls.
— Simplified: Like a secondary path — finding another way to stay secure when the
preferred method isn’t available.

6. Physical Controls:

— Definition: Controls that provide physical security to prevent unauthorized access.

— Example: Utilizing biometric access, security guards, or surveillance cameras in a data
center.
— Simplified: Think of these as “hands-on” controls — physically keeping unauthorized
people away from critical systems and data.

Remember that in real-world scenarios, an effective security posture employs a blend of these controls to
secure assets comprehensively. Various controls work together in layers, creating a more resilient
environment through a strategy often referred to as “defense in depth.”
 5.2 Explain the importance of applicable regulations, standards, or frameworks that impact
organizational security posture.

Regulations, standards, and legislation

1. General Data Protection Regulation (GDPR)

- Region: European Union (applies globally to organizations processing EU citizen data)

- Purpose: Protects the privacy and security of personal data of EU citizens. It
emphasizes consent, data protection by design, and data portability among other
principles.

2. National, Territory, or State Laws

- Various nations or states have their own data protection and cybersecurity laws.
- Example: The California Consumer Privacy Act (CCPA) in the USA, which gives
consumers more control over the personal information that businesses collect about
them.

3. Payment Card Industry Data Security Standard (PCI DSS)

- Purpose: Ensures that companies that process, store, or transmit credit card information
maintain a secure environment.

Key Frameworks

1. Center for Internet Security (CIS)

- Purpose: Aims to identify, develop, validate, promote, and sustain best practice
solutions for cyber defense.
- Key Component: CIS Controls, a set of 20 actionable controls that provide a roadmap
for improving cybersecurity.

2. National Institute of Standards and Technology (NIST)

— Risk Management Framework (RMF)

— A structured process that integrates security and risk management activities into the
system development life cycle.
— Cybersecurity Framework (CSF)
— Designed to help organizations manage and reduce cybersecurity risk.

3. International Organization for Standardization (ISO) 27001/27002

— ISO 27001
— A standard for information security management systems (ISMS).
 — ISO 27002
— Provides best practice guidance on information security management.

4. SSAE SOC 2 Type I/II

- Purpose: Ensures that service providers securely manage data to protect the interests
and privacy of their clients.
- Type I: Examines suitability of the design of controls at a specific point in time.
- Type II: Examines operational effectiveness of these controls over some time.

5. Cloud Security Alliance (CSA)

— Cloud Control Matrix

— A cybersecurity control framework for cloud computing, encompassing key domains
and their capabilities.
— Reference Architecture
— Provides guidance on implementing secure cloud solutions, highlighting critical areas
for cloud security.

Benchmarks / Secure Configuration Guides

1. Platform/vendor-specific guides

— Help in configuring systems securely, based on expertise and best practices.

2. Web server, OS, Application server, Network infrastructure devices

— Various vendors and cybersecurity organizations provide guidelines to securely

configure these technologies.
— For instance, the CIS provides benchmark guides for various technologies to assist in
securing them based on industry-accepted best practices.

In order to ensure robust cybersecurity and compliance posture, organizations typically leverage a
combination of the above regulatory frameworks, guidelines, and benchmarks, aligning them with their
specific operational contexts, technological stacks, and business objectives. This also often involves
establishing an information security management system (ISMS) or a similar structured approach to
managing information risks. This might be a governance, risk management, and compliance (GRC)
program, or a cybersecurity risk management program, each of which would typically leverage aspects of
the above standards and frameworks.
 5.3 Explain the importance of policies to organizational security.
1. Personnel:
— Acceptable use policy: Policies that define what is deemed acceptable behavior when using
organizational assets.
— Job rotation: Moving employees from one role to another to prevent fraud and ensure cross-
training.
— Mandatory vacation: Requiring employees to take time off, often used to discover malicious or
fraudulent activity.
— Separation of duties: Ensuring that no single individual has control over all aspects of any
critical transaction.
— Least privilege: Granting only the minimal necessary access to users.
— Clean desk space: Ensuring that sensitive information is not left exposed.
— Background checks: Verifying an employee’s history before hiring.
— NDA: An agreement to ensure sensitive information isn’t shared outside the organization.
— Social media analysis: Monitoring or analyzing employees’ social media for potential risks.
— Onboarding: Process of integrating new employees into an organization.
— Offboarding: Process of managing an employee’s exit from an organization.
— User training: Training users on various topics to improve security awareness.
— Gamification, Capture the flag, Phishing campaigns/simulations: Techniques to engage
users in security training in an interactive manner.
— Computer-based training (CBT): Online training modules.
— Role-based training: Training tailored to an employee’s specific role.
2. Diversity of training techniques:
Using various methods to train employees to cater to different learning styles and ensure
thorough comprehension.
3. Third-party risk management:
— Vendors, Supply chain, Business partners: External entities that could pose risks.
— SLA, MOU, MSA, BPA: Different agreements or understandings that dictate the terms of
business relationships.
— EOL and EOSL: Points when products or services are no longer supported.
— NDA: Non-disclosure agreements with third parties.
4. Data:
— Classification: Categorizing data based on sensitivity and importance.
— Governance: The framework for managing data across an organization.
— Retention: Policies dictating how long data should be held.
5. Credential policies:
— Personnel, Third-party, Devices, Service accounts, Administrator/root accounts: who might
require credentials, each with its unique considerations.
6. Organizational policies:
 — Change management: Ensuring changes are systematically handled.
— Change control: Process of ensuring that changes do not negatively impact systems.
— Asset management: Keeping track of organizational assets.

5.4 Summarize risk management processes and concepts.

Risk Types

- External: Risks originating from outside the organization, such as cyber-attacks or market
changes.
- Internal: Risks arising from within the organization, like personnel or system failures.
- Legacy systems: Risks related to outdated systems or technology that may be prone to
vulnerabilities.
- Multiparty: Risks involving multiple entities or parties.
- IP theft: Risks associated with the theft of intellectual property.
- Software compliance/licensing: Risks related to managing and complying with software
licensing.

Risk Management Strategies

- Acceptance: Acknowledging the risk and preparing for potential consequences without actively
altering business strategies.
- Avoidance: Changing business processes to completely avoid the risk.
- Transference: Shifting the risk to another entity, e.g., through insurance.
- Cybersecurity insurance: A policy intended to manage the impact of cybersecurity incidents.
- Mitigation: Taking steps to reduce the impact or likelihood of the risk.

Risk Analysis

- Risk register: A document that details the organization’s risk profile.

- Risk matrix/heat map: Visual representation of risk impact and likelihood.
- Risk control assessment: Evaluating the effectiveness of risk controls.
- Risk control self-assessment: A self-assessment approach to evaluate risks and controls.
- Risk awareness: Understanding and recognizing potential risks.
- Inherent risk: The risk level without considering internal controls.
- Residual risk: The risk remaining after controls are applied.
- Control risk: The risk that arises due to the failure or inefficiency of control measures.
- Risk appetite: The level of risk an organization is willing to accept.
- Regulations that affect risk posture: Legal and regulatory requirements impacting
organizational risk.
- Risk assessment types:
- Qualitative: Using non-numeric data to assess risk.
- Quantitative: Using numeric data to assess risk.
- Likelihood of occurrence: Probability of a risk event happening.
- Impact: The effect on the organization if the risk materializes.
- Asset value: The worth of the asset at risk.
 - Single-loss expectancy (SLE): The monetary loss expected from a single risk occurrence.
- Annualized loss expectancy (ALE): Expected annual monetary loss due to a risk.
- Annualized rate of occurrence (ARO): Estimated frequency of a risk occurring annually.

Disasters

- Environmental: Natural disasters like hurricanes, floods, etc.

- Person-made: Events caused by human activities, such as terrorism or vandalism.
- Internal vs. external: Disasters originating within or outside the organization.

Business Impact Analysis

- Recovery time objective (RTO): The targeted duration for recovering operations post-incident.
- Recovery point objective (RPO): The acceptable amount of data loss measured in time.
- Mean time to repair (MTTR): The average time taken to fix a failed component or system.
- Mean time between failures (MTBF): The average time between system or component failures.
- Functional recovery plans: Plans aimed at restoring essential functions after an incident.
- Single point of failure: An element whose failure can incapacitate the entire system.
- Disaster recovery plan (DRP): A detailed plan to recover and protect a business IT
infrastructure in the event of a disaster.
- Mission essential functions: Critical functions without which an organization can’t achieve its
mission.
- Identification of critical systems: Highlighting systems crucial to the organization’s operations.
- Site risk assessment: Evaluating the risks associated with a specific geographic location.
 5.5 Explain privacy and sensitive data concepts in relation to security.

Privacy and sensitive data concepts are critical aspects of information security, addressing how personal
and sensitive data is managed, protected, and utilized to safeguard the individual’s rights and maintain
trust.

Organizational Consequences of Privacy and Data Breaches

- Reputation damage: A breach may tarnish the public and business image, affecting customer
trust and business partnerships.
- Identity theft: Unauthorized access to personal data may lead to illicit use of identities.
- Fines: Legal penalties imposed due to non-compliance with data protection regulations.
- IP theft: Loss or unauthorized access to intellectual property can result in financial and strategic
damages.

Notifications of Breaches

- Escalation: Process of communicating the breach internally, ensuring it reaches the appropriate
management level.
- Public notifications and disclosures: Informing affected individuals and relevant authorities, as
mandated by applicable regulations (such as GDPR, HIPAA, or CCPA).

Data Types and Classifications

- Classifications:
— Public: Information meant for public view.
— Private: Information restricted to certain individuals or groups.
— Sensitive: Information that, if disclosed, may cause harm.
— Confidential: Highly sensitive information with restricted access.
— Critical: Information crucial for organizational functioning.
— Proprietary: Information that is owned by the organization.
— Personally Identifiable Information (PII): Information that can identify an individual.
— Health information: Data related to an individual’s physical and mental health.
— Financial information: Data pertaining to finances, like bank details or transaction histories.
— Government data: Information related to or managed by government entities.
— Customer data: Information related to the clientele of a business.

Privacy Enhancing Technologies (PETs)

- Data minimization: Collecting only the data that is strictly necessary.

- Data masking: Hiding original data with modified content, but structurally similar.
- Tokenization: Replacing sensitive elements with non-sensitive equivalents, with no exploitable
value.
 - Anonymization: Processing data to make it impossible to relate back to an individual.
- Pseudo-anonymization: Replacing private identifiers with fake identifiers, making it harder to
match data with its source.

Roles and Responsibilities in Data Management

- Data owners: Individuals or entities that have legal ownership of the data.
- Data controller: Entity that determines the purposes and means of processing personal data.
- Data processor: Entity that processes data on behalf of the controller.
- Data custodian/steward: Entity or individual responsible for safeguarding and maintaining the
data.
- Data Protection Officer (DPO): Person responsible for ensuring the company complies with
data protection laws.

Information Life Cycle

The stages through which data passes, typically consisting of creation, storage, utilization,
sharing, archiving, and destruction, each requiring particular management and protection
strategies.

Impact Assessment

Assessment to identify, evaluate, and mitigate the risks to privacy and data protection within
projects, systems, or applications, often referred to as a Data Protection Impact Assessment
(DPIA) in GDPR contexts.

Terms of Agreement & Privacy Notice

- Terms of Agreement: Legal agreements between the service provider and user, outlining the
rules that must be followed to use a service.
- Privacy Notice: A statement that describes how an organization collects, uses, retains, and
discloses personal information.