CCST Cyber Security

Uploaded by sudeepkusagatti

Cisco Certified Support Technician (CCST) Cyber Security

Cybersecurity is the practice of protecting computers, networks, and data from cyberattacks, unauthorized access, and damage.
It involves using tools and strategies to keep information safe from hackers, viruses, and other online threats.
Introduction to CCST

Domain 1: Essential Security Principles

Domain 2: Basic Network Security Concepts

Domain 3: Endpoint Security Concepts

Domain 4: Vulnerability Assessment and Risk Management

Domain 5: Incident Handling


What is Ethical Hacking?

Ethical hacking is the practice of legally hacking or testing systems or networks for vulnerabilities to identify and fix security weaknesses, with the owner's consent, before malicious hackers can exploit them.

Phases of Hacking:

1. Information Gathering
2. Scanning & Enumeration
3. Gaining Access
4. Maintaining Access
5. Clearing Logs
LAB Set-up

● VMware or VirtualBox
● Kali Linux or any other Linux distro


Domain 1: Essential Security Principles
Vulnerabilities, Threats, Exploits, and Risks

Vulnerability : A weakness in a system or network that can be exploited by an attacker to perform unauthorized actions within that system or network.

Exploit : A piece of software or code that takes advantage of a vulnerability in a system or application to gain unauthorized access or to cause harm.

Threat : A possible danger that might be realized through a vulnerability to breach security and therefore cause harm.

Risk : The probability that a threat will be realized against the vulnerability.
Expressed qualitatively (low, medium or high) or quantitatively (percentage).
Attack Vectors
The path that an attacker takes to exploit a specific vulnerability is called an attack vector.

Ex: Phishing attacks, malware, injection attacks, etc.

Exploit vs Attack Vector

An exploit is a specific technique or method.
An attack vector is the path chosen.
Hardening and Defense-in-Depth

Security Controls: Passwords, OTPs, firewalls, anti-virus, etc.

Hardening : The process of deploying security controls to make the environment more secure.

Defense-in-Depth strategy : Each resource is protected by multiple security controls, preferably deployed in different physical and logical locations.
Hardening and Defense-in-Depth

A common approach to hardening any system is to disable unnecessary services.


Elements of Information Security
(CIA Triad) or (CIAAN)
● Confidentiality - Ensuring that sensitive information is only accessible to authorized users.

● Integrity - Ensuring that data remains accurate, consistent, and unaltered during storage, transmission, or processing. This prevents unauthorized modification or corruption of data.

● Availability - Ensuring that data is accessible to authorized users when needed, even in the event of a cyberattack or system failure.

● Authenticity - Ensuring that data, users, or systems are genuine and not tampered with or impersonated. Authenticity verifies that something is what it claims to be.

● Non-Repudiation - Prevents individuals from denying their actions and helps provide accountability in digital communications and transactions.
Types of Attackers/Hackers and Reasons

● White Hat (Ethical Hacker)
● Black Hat Hackers
● Gray Hat Hackers
● Script Kiddies
● Cybercriminals (Organized Cybercrime Groups)
● Hacktivists
● Suicide Hackers
● Insider Threats
● State-Sponsored Hackers (Nation-State Hackers)
Code of Ethics

A Code of Ethics in cybersecurity provides a set of guidelines and principles designed to ensure that professionals in the field act with integrity, responsibility, and respect for the law.

These ethical standards help maintain trust, protect privacy, and safeguard data from misuse.
Common Cyber Threats

● Malware
● DoS / DDoS
● Social Engineering Attacks

Types of Malware
DoS attack
Denial of Service (DoS) is a cyber-attack on an individual computer or website with the intent to deny service to its intended users.
This is an attack on the availability principle of security.
Distributed Denial of Service (DDoS) attack
A cyberattack aimed at overwhelming a website, server, or network by flooding it with massive amounts of traffic, rendering it slow or completely unavailable.
Attackers typically use a network of compromised computers, servers, or devices to carry out the attack. This network of devices is called a botnet.

Types of DDoS Attacks:

● Volumetric Attacks: These aim to consume all available bandwidth by sending a high volume of traffic (e.g., UDP floods).
● Protocol Attacks: These target server resources by exploiting weaknesses in the protocols used for communication (e.g., SYN floods).
● Application Layer Attacks: These focus on exploiting weaknesses in the application layer (Layer 7) of a network (e.g., HTTP floods).
DDoS attack
DoS/DDoS Mitigation Techniques
● Traffic Filtering
● Rate Limiting
● Load Balancing
● Cloud-Based DDoS Protection
Social Engineering Attacks
What is Social Engineering
Social Engineering is a technique used to manipulate, deceive, or exploit other human beings into revealing sensitive information, performing certain actions, or providing access to secure systems.

Human elements that are taken advantage of:

● Human trust
● Psychological manipulation
● Lack of suspicion

Social engineering has one of two goals:

● Sabotage: Disrupting or corrupting data to cause harm.
● Theft: Stealing valuable information or financial theft.
Phases of Social Engineering

● Researching the target
● Selecting a target
● Building a relationship with the target
● Exploiting the relationship
Types of Social Engineering

● Human based
● Computer based
● Mobile based
Human-based Social Engineering

● Impersonation
● Identity Theft
● Eavesdropping
● Shoulder Surfing
● Dumpster Diving
● Reverse Social Engineering
● Piggybacking or Tailgating
● Quid pro quo --> Latin term that translates to "something for something" or "this for that."
Computer-based Social Engineering
● Hoax Letter: Fake news on any media, or an email message warning recipients of a non-existent threat.
● Chain Letter: A message that attempts to convince the recipient to make a number of copies and pass them on to a certain number of recipients.
● Spam Emails: Unsolicited and unwanted junk email.
● Phishing : Attackers pretend to be a trusted source (like a bank or social media site) to steal personal information (e.g., passwords, credit card details).
● Baiting: A social engineering attack where a scammer uses a false promise to lure a victim into a trap to steal sensitive information or to get them to download malware.
● Scareware : Malware designed to scare users into thinking their computer is infected, with the goal of tricking them into purchasing unnecessary antivirus software or downloading real malware.
Mobile-based Social Engineering

● Publishing Malicious Apps


● Repackaging Legitimate Apps
● Fake Security Applications
● Smishing: SMS Phishing
Physical Attacks
Physical attacks in cybersecurity refer to any attempt to gain unauthorized physical access to a device, system, or network infrastructure to steal, damage, or compromise data.
These attacks often target the hardware or physical security of the organization, bypassing traditional digital defenses.
How to Prevent Physical Attacks?

● Physical Access Controls: RFID or biometric authentication.
● Secure Workstations: Lock up devices when not in use, and use cable locks or secure docking stations to prevent theft.
● Employee Training: Educate employees about the risks of tailgating, USB drops, and other physical threats.
● Surveillance: Install CCTV cameras or post security personnel to monitor and secure physical access points.
IoT Threats
The Internet of Things refers to a network of physical devices embedded with sensors and software.
Ex: Smart watch, smart TV, wearable health trackers, etc.

How to protect from IoT threats:

● Change Default Passwords
● Regular Updates and Patches
● Use Strong Encryption
● Choose Trusted Vendors
Authentication, Authorization and Accounting (AAA)

Gives the foundation for telling authorised subjects from unauthorised ones.

Authentication - Challenging the user to provide information that only the authentic user possesses.

Authorization - The act of giving permission to perform a specific action.

Accounting - Ensures that the authentication and authorization controls correctly do their jobs.
Authentication, Authorization and Accounting (AAA)

AAA ensures that resources are accessed and modified only by authorised subjects.
Remote Authentication Dial-in User Service (RADIUS)

In 2000, a specification for Remote Authentication Dial-in User Service (RADIUS) was published.

RADIUS provides a centralised standard for establishing trust for remote users or subjects of information systems.

Widely used for WiFi and VPN authentication, support for Multi-Factor Authentication (MFA), Network Access Control (NAC) solutions, etc.
Multi-Factor Authentication (MFA)

Multiple types of authentication are used to satisfy the authentication process.

Two-Factor Authentication (2FA):

Two authentication factors are required to satisfy the authentication process.
Multi-Factor Authentication (MFA)

3 popular types of authentication credentials:

Type 1 : What you know (includes passwords, passcodes, PINs)

Type 2 : What you have (tokens)

Type 3 : What you are / what you do (biometrics)

Type 1 Authentication : What you know

Includes passwords, passcodes, PINs.

Many use their DOB or pet names as passwords.

To overcome this weakness, organizations implement a password policy.

Type 2 Authentication : What you have

Involves possession of a token or other device that generates a number or character string that a server will recognise.
Type 3 Authentication : What you are

Biometric

Fingerprint / retina scan

Password policies

Passwords are the most commonly used credential in authentication.

Policies are implemented to force users to choose secure passwords.

Different Types of Encryption

Symmetric Encryption

Symmetric encryption is widely used in various areas of cybersecurity and data protection, primarily when data needs to be encrypted and decrypted quickly using the same key.

Common use cases:

● Encrypting Data at Rest
● Disk Encryption
● Database Encryption
Different Types of Encryption
Asymmetric Encryption

Asymmetric encryption is a type of encryption that uses two different keys: one for encrypting the data (the public key) and one for decrypting it (the private key).

Common use cases:

● SSL/TLS
● Email encryption
● Digital Signatures
● Encrypting Data in Transit

Encryption Algorithm

A mathematical technique for converting plaintext (data) to ciphertext is known as an encryption algorithm.

Blowfish, Advanced Encryption Standard (AES), Rivest Cipher 4 (RC4), RC5, RC6, Data Encryption Standard (DES), and Twofish are some of the most regularly used encryption algorithms.
Hashing
A very useful cryptographic function.

Hashing is called a one-way function, which means it is very easy to calculate in one direction but very difficult to reverse. Its output is a string of fixed length.

To see how it works:

https://andersbrownworth.com/blockchain/hash

Common use cases:

● Password Storage
● Data Integrity
● Blockchain
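As an added illustration (not part of the slides), the following Python script shows the properties the slide lists: fixed-length output, a one-letter change in the input giving an unrelated digest, and salted password storage so the password itself is never kept. The password and salt values in it are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest as 64 hex characters, whatever the size of the input."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# Password storage: keep salt + slow salted hash, never the password itself.
# PBKDF2-HMAC-SHA256 with a random per-user salt defeats precomputed tables and
# makes every guess expensive for whoever steals the stored records.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record "<salt hex>$<digest hex>" for the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the salted hash and compare it with the stored record."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    # constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    a, b = sha256_hex(b"hello"), sha256_hex(b"hellp")
    print(a, len(a))
    print(b, len(b))
    print("bits changed by a one-letter edit:", differing_bits(a, b), "of 256")
    record = hash_password("correct horse battery staple")  # constructed sample password
    print("stored record:", record)
    print(verify_password("correct horse battery staple", record),
          verify_password("wrong password", record))
```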
Certificate & Public Key Infrastructure (PKI)
A certificate contains a public key that is used to encrypt electronic messages, files, documents, or data transmissions, or to establish or exchange a session key for these same purposes.

A public key infrastructure (PKI) is a system for the creation, storage, and distribution of digital certificates, which are used to verify that a particular public key belongs to a certain entity.
It refers to the tools used to create and manage public keys for encryption, which is a common method of securing data transfers on the internet.
Certificate
A data structure that includes a trusted identity. The public key of the identity has been verified by a trusted entity.

The trusted entity is often called a Certificate Authority (CA).

If a subject trusts a CA, then the subject should also trust the certificates issued by that CA.
Digital Signature
Similar to encrypting and decrypting data using asymmetric cryptography.
The signing algorithm encrypts the data with the sender's private key.
The recipient can validate the message by using the public key of the sender.

Common use cases:

● Email Verification and Security
● Document Signing (e-signatures)
● Blockchain and Cryptocurrency
● Secure Online Transactions (E-commerce)
● Code Signing
● Government and Legal Services
Strong vs Weak encryption algorithm

The strength of an encryption algorithm is measured by the level of effort and time taken by an attacker to crack the algorithm.
States of Data

Data at Rest : Data stored on storage media (disk, USB, magnetic tapes).
Symmetric encryption algorithms work best for this state of data.

Data in Transit : Data being transmitted from one storage location to another.
Asymmetric encryption algorithms work best for this state of data.

Data in Use : Data that resides in a computer or device memory.
Symmetric encryption algorithms work best for this state of data.
Protocols using Encryption

Multiple layers of protocols are used to exchange data among nodes.

The only way for devices to communicate is to agree on the rules of communication.
IP Security (IPsec)

A complete approach to securing network communication.

Offers data authentication, integrity and privacy between two entities.

We have HTTPS - the HTTP protocol transmitted over Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
IP Security (IPsec)

Secure Shell (SSH) : A protocol that supports secure remote communication.

FTP : lacks encryption and is not secure.

So SSH File Transfer Protocol (SFTP) and File Transfer Protocol Secure (FTPS) were introduced.
Domain 2 : Basic Network Security Concepts
Protocol Vulnerabilities

Network protocols are the sets of rules that computers and devices in a network use to exchange messages across the network.
A protocol defines each message's format and contents.

To understand how hackers use protocol vulnerabilities to attack, it is important for us to be familiar with the common protocols.
Protocol Vulnerabilities

Three most common protocols
● Transmission Control Protocol (TCP)
● User Datagram Protocol (UDP)
● Hypertext Transfer Protocol (HTTP)

These protocols were designed decades before security was an issue. The messages put on them can be read by anyone who has access to a node or the network.

TCP and UDP provide the transport mechanism for the network across the internet.
HTTP is the most common protocol for web browsers and servers to communicate.
TCP Handshake
UDP Protocol

Connectionless protocol.
UDP sends the message to all the nodes in the network, a process called broadcasting.
Various DoS attacks can be performed over UDP.
A network needs more than the core protocols to operate.

Address Resolution Protocol (ARP)
Internet Control Message Protocol (ICMP)
Dynamic Host Configuration Protocol (DHCP)
Domain Name System (DNS)
ARP Protocol

Translates an IP address to a MAC address.

Attackers often respond to ARP requests with their own MAC address and are then able to intercept traffic.
ICMP Protocol
This is designed to help administrators troubleshoot network problems.
ICMP sends queries to the target and collects the information returned by the device. Admins use this returned status information to determine the cause of a problem.

The most widely recognised ICMP packet is the ping packet; attackers use this to check if a node is active.
DHCP Protocol

Allows nodes to move from network to network.

When a node wants to connect to a network, it sends a DHCP request to the published DHCP server on the network.
The server responds with the IP address that the node uses.

Can be vulnerable to attacks that assign malicious IP addresses.

DNS Protocol
Similar to ARP but at a higher level.
When a user enters a domain name in the browser, the browser is able to find the IP address of the domain.
Attackers who can compromise the DNS server can replace a valid IP address with that of their own malicious server.
Network Segmentation

The practice of separating network groups from one another is called network segmentation.
Network segmentation can increase security.
Classless Inter-Domain Routing - CIDR
Introduced to help define public networks of different sizes.
The IP address of the first node is 192.168.1.8
The CIDR notation is 192.168.1.0/24
There are 3 commonly used private IP address ranges

● The smallest private network uses addresses from 192.168.0.0 to 192.168.255.255
Can address 65,536 hosts

● A medium-sized private network uses addresses from 172.16.0.0 to 172.31.255.255
Can address 1,048,576 hosts

● The largest private network uses addresses from 10.0.0.0 to 10.255.255.255
Can address 16,777,216 hosts
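An added Python example (not from the slides) that derives the address count, first and last address and netmask for the three private ranges above with the standard library's ipaddress module, and checks which /24 block the slide's host 192.168.1.8 belongs to. The second host addresses it compares are constructed.

```python
import ipaddress

# The three RFC 1918 private ranges from the slide, written in CIDR notation.
PRIVATE_BLOCKS = {
    "smallest": "192.168.0.0/16",
    "medium": "172.16.0.0/12",
    "largest": "10.0.0.0/8",
}


def block_summary(cidr: str) -> dict:
    """First/last address, netmask and address counts for one CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "addresses": net.num_addresses,
        # usable hosts exclude the network and broadcast addresses
        "usable_hosts": max(net.num_addresses - 2, 0),
        "private": net.is_private,
    }


def cidr_for_host(host: str, prefix_len: int) -> str:
    """Derive the block a host sits in, e.g. 192.168.1.8 with /24 -> 192.168.1.0/24."""
    return str(ipaddress.ip_interface(f"{host}/{prefix_len}").network)


def same_segment(host_a: str, host_b: str, cidr: str) -> bool:
    """True when both hosts lie inside the same block (they can talk without a router)."""
    net = ipaddress.ip_network(cidr)
    return ipaddress.ip_address(host_a) in net and ipaddress.ip_address(host_b) in net


if __name__ == "__main__":
    for name, cidr in PRIVATE_BLOCKS.items():
        print(name, cidr, block_summary(cidr))
    print(cidr_for_host("192.168.1.8", 24))
    # constructed second hosts: one inside the slide's /24, one outside it
    print(same_segment("192.168.1.8", "192.168.1.200", "192.168.1.0/24"))
    print(same_segment("192.168.1.8", "192.168.2.8", "192.168.1.0/24"))
```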


Network Address Translation (NAT) protocol

● The way packets in a private network can leave that network.

When a packet with a private IP reaches the border router, the NAT protocol is used to replace the private IP with the public IP address of that organization.

Network Security Architecture

The collection of devices and nodes, which includes several firewalls, IDS and IPS, that secure the network architecture.

Demilitarized Zone (DMZ)

This isolates internal data/resources from internet users.

Virtualization and Cloud

Virtualization : The practice of running multiple OSes simultaneously on one physical system.

Virtualization uses software called a hypervisor to simulate physical hardware, which allows the OSes to function as if they were running on physical hardware.

Virtualization and Cloud

Virtualization is what made cloud computing possible.

What is cloud computing?

Cloud computing is the delivery of computing services like storage, processing power, and software over the internet, rather than on a local computer or server. It allows users to access and use these resources on demand, without needing to own or maintain the physical hardware. Examples include services like Google Drive, Amazon Web Services (AWS), or Microsoft Azure.

IDS, IPS and Honeypots
What is a Honeypot?

A honeypot is a network-attached system used as a trap for cyber-attackers, to detect and study the tricks and types of attacks used by hackers.
MAC address filtering

One of the most secured techniques for securing a wireless network.

Wireless security
ACL (Access Control List) and Firewall
VPN (Virtual Private Network)
VPN (Virtual Private Network)
NAC (Network Access Control)

The demand for secure remote access is continuously growing.

NAC is a layer of security control that limits access to protected network resources.
It implements controlled remote access through authentication and by enforcing minimum device requirements.
Domain 3 : Endpoint Security Concepts
Operating System Security Concepts

Most modern computers use one of the following 3 OS

1. Microsoft Windows
2. Apple macOS
3. Linux distributions

The primary goal of an OS is to provide access to system resources and controls to limit that access to authorised individuals.
Security Features
Identification
Authentication
Authorization

Windows provides additional security via Windows Defender Firewall.

(Go to Start and select Windows Defender)


OS interfaces
Different types of interfaces
● Command Line Interface (CLI)
● Graphical User Interface (GUI)

Microsoft introduced an advanced CLI called Microsoft PowerShell that supports many internal commands that interact with the OS functions.
PowerShell runs on most operating systems.
A CLI supports executing commands stored in text files.
Text files that contain commands are called scripts; they make it possible to construct highly complex processes.
OS interfaces
Linux has several choices of CLI.
Each is referred to as a shell.
Common Linux and Unix shells are
● Bourne shell
● C shell
● Korn (K) shell
● Bourne again shell (BASH)
Files and Directory Permissions
The primary security functions of an OS are AAA.
Access control : Any control that limits access to protected resources.
Permissions : Actions that are allowed or denied to the user according to their authority over the resources.
Role based access controls : commonly implemented as user groups in Windows, Linux, and macOS.
The list of accounts and groups, each with a row containing the permissions for that identity, is what we call an ACL (Access Control List).
Files and Directory Permissions
Linux and macOS handle file permissions in a slightly different manner.
Instead of an ACL, each file or directory has a single list of permissions.
Permissions are based on 3 groups of identities
● The file's owner
● Identities that belong to the group associated with the file
● Anyone else
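To show how the three identity groups above decide access, here is an added Python example (not from the slides) that evaluates the owner/group/other permission bits for a constructed set of files and users. It models only the mode bits; it does not model root's override of them or extended ACLs.

```python
import stat

# Constructed inventory (sample data, not from any real host): path -> (mode bits, owner, group)
FILES = {
    "/etc/shadow": (0o640, "root", "shadow"),
    "/home/alice/notes.txt": (0o600, "alice", "alice"),
    "/srv/app/config.yml": (0o640, "app", "devs"),
    "/srv/app/run.sh": (0o750, "app", "devs"),
}

# Constructed identities: user -> set of groups the user belongs to
GROUPS = {
    "root": {"root", "shadow"},
    "alice": {"alice", "devs"},
    "bob": {"bob"},
}

# The bits that grant read/write/execute for each of the three identity classes
CLASS_BITS = {
    "owner": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "group": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "other": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}


def permission_class(user: str, owner: str, group: str) -> str:
    """Exactly one class applies, checked in this order: owner, then group, then other.
    An owner who is also in the file's group still gets only the owner bits."""
    if user == owner:
        return "owner"
    if group in GROUPS.get(user, set()):
        return "group"
    return "other"


def effective_access(user: str, path: str) -> dict:
    """Read/write/execute decision for `user` on `path` from the mode bits alone.
    Root's override of these checks and extended ACLs are deliberately not modelled."""
    mode, owner, group = FILES[path]
    cls = permission_class(user, owner, group)
    r, w, x = CLASS_BITS[cls]
    return {"class": cls, "read": bool(mode & r), "write": bool(mode & w), "execute": bool(mode & x)}


def symbolic_mode(mode: int) -> str:
    """Render the nine permission bits the way `ls -l` shows them, e.g. 0o750 -> rwxr-x---."""
    out = []
    for r, w, x in CLASS_BITS.values():
        out.append(("r" if mode & r else "-") + ("w" if mode & w else "-") + ("x" if mode & x else "-"))
    return "".join(out)


if __name__ == "__main__":
    for path, (mode, owner, group) in FILES.items():
        print(f"{symbolic_mode(mode)} {owner}:{group} {path}")
    for user in GROUPS:
        print(user, "on /srv/app/run.sh ->", effective_access(user, "/srv/app/run.sh"))
```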
Privilege Escalation
This is one of the goals of any attacker.
When you have access to any software or system, the authorization layer determines what that identity is able to do.
Attackers can elevate the privilege by
Endpoint tools
● Netstat command
● Nslookup
● Tcpdump
Netstat Command
● The primary use is to determine what ports are in use for network communication

$ netstat -a     Lists all connections
$ netstat -l     Lists all ports that are actively listening
$ netstat -lt    Lists all TCP ports that are actively listening
$ netstat -lu    Lists all UDP ports that are actively listening
$ netstat -s     Gives netstat's statistics report
Nslookup (DNS lookup utility)
A CLI utility that helps in troubleshooting the DNS server.
This utility takes a hostname as input and returns the IP address of the host.

$ nslookup <Target hostname>

Alternatively, it takes an IP address as input and returns the hostname associated with it.
This is used to determine if your DNS is working properly or if it is compromised.
Tcpdump
This CLI utility allows the user to monitor TCP network traffic and displays the contents of the packets received from or sent to a connected network.
Tcpdump makes it easy to sniff the network.
Endpoint systems and standards - Hardware Inventory
One of the key aspects is to see what devices are connected to the network.
We need to scan the network and monitor it frequently to maintain security, and compare the results to the hardware inventory list.

Network scanners
- Nmap
- Advanced IP Scanner
- Angry IP Scanner
It's important to document the configuration of each node, to manage the services running on each node and to control how each one is accessed.
This gives a clear understanding of what assets are connected to the network.
If there is a weak node connected to the network, that will lead to unauthorised access and risk.
Software Inventory and program deployment
Every node in a network is a computing device which has hardware and software.
Hardware - the physical aspect of a device.
Software - provides the instructions for how it operates.

It is necessary to maintain an account of each piece of hardware in the network and the software associated with it.
Collecting inventory information on both the hardware and software, and examining known vulnerabilities, is a task that both hackers and ethical hackers have to do.
Data Backups

Creating data backup policies involves

● Identifying the data
● Frequency of creating backups
● Types of backups to create
● Methods to transport and store the backups in their final location
Regulatory Compliance

Several compliance requirements place restrictions and performance mandates on organizations.

The specific compliance requirements an organization must meet depend on the nature of the organization.
● PCI DSS
● HIPAA
● FISMA
● FERPA
● GDPR
PCI DSS (Payment Card Industry Data Security Standard)
● PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to protect sensitive cardholder information during and after financial transactions. It was developed by the Payment Card Industry Security Standards Council (PCI SSC), which is made up of major payment card companies like Visa, MasterCard, American Express, Discover, and JCB.

● The PCI DSS aims to ensure that companies that store, process, or transmit cardholder data do so securely, reducing the risk of data breaches and fraud.

Consequences of Non-Compliance
Failure to comply with PCI DSS standards can result in various penalties, including:

● Fines from payment card companies.
● Increased risk of data breaches and fraud.
● Damage to reputation and customer trust.
Health Insurance Portability and Accountability Act (HIPAA)
● HIPAA (Health Insurance Portability and Accountability Act) is a U.S. federal law designed to protect sensitive patient health information and ensure the privacy and security of healthcare data. Enacted in 1996, HIPAA aims to improve the efficiency of the healthcare system while safeguarding the confidentiality and integrity of personal health information (PHI).

Key Patient Rights Under HIPAA:

● Right to Access: Individuals have the right to access and obtain copies of their health records.
● Right to Amend: Individuals can request corrections to their health records if they believe they are incorrect.
● Right to Restrict Disclosure: Patients can request restrictions on the use or sharing of their health information.
● Right to Confidential Communications: Patients can request that communications (e.g., appointment reminders, medical billing) be sent in a way that protects their privacy.
Federal Information Security Management Act (FISMA)
● FISMA (Federal Information Security Modernization Act) is a U.S. federal law that was enacted in 2002 and updated in 2014. It mandates the establishment of comprehensive security programs for federal agencies and contractors to ensure the protection of government information systems.

● FISMA has a broad impact across the federal government by ensuring that agencies consistently implement and manage information security practices.

● The law has also helped improve security in critical infrastructure systems and other sectors that rely on government data.

● With the rise of cybersecurity threats, FISMA is an essential framework for ensuring the protection of sensitive government information.
Family Educational Rights and Privacy Act (FERPA)
● A U.S. federal law that was enacted in 1974 to protect the privacy of student education records. FERPA grants parents and eligible students certain rights regarding access to and control over their education records.

Rights Under FERPA:

● Access to Records: Parents and eligible students have the right to inspect and review education records.
● Control Over Disclosure: Written consent is generally required before disclosing personally identifiable information from education records.
● Exceptions to Disclosure: FERPA allows certain disclosures without consent, such as to school officials, in health and safety emergencies, or as required by law.
General Data Protection Regulation
(GDPR)
● Data protection law enacted by the European Union (EU) in 2016. It regulates
how personal data of individuals in the EU is collected, processed, stored, and
transferred. GDPR aims to give individuals greater control over their personal
data while imposing stricter requirements on organizations that handle such
data.

Key Differences between GDPR and Other Privacy Regulations:

● Scope: GDPR applies not only to organizations based in the EU but also to any
entity outside the EU that processes personal data of individuals within the
EU.
● Stricter Requirements: GDPR provides stronger protections than previous data
protection laws, such as the Data Protection Directive (1995), with specific
and more comprehensive rights for individuals.
● Accountability and Transparency: GDPR places a greater emphasis on
accountability and transparency, requiring organizations to be able to
demonstrate compliance with its provisions.
BYOD (Bring Your Own Device)

● BYOD policies establish guidelines for how a personal device can be used for organizational purposes and to access critical data.

They are implemented through network access control and policies.

Windows and application updates

Security researchers find new vulnerabilities and new attacks and report them to the hardware and software vendors.
Windows and application updates

The 2 most volatile technical environments are the OS and application software.

Device drivers, firmware and patching

Device drivers are software programs; they may need new updates as new features are added.
Firmware is software that is stored on an onboard chip.
Patching is applying updates to existing software. That helps eliminate known vulnerabilities.
Event Viewer

The primary monitoring tool for Microsoft environments.

Hardware, components, applications, the OS and device drivers all post notable events to the event log.
Logs provide visibility into the operation of Windows.

Open Event Viewer in Windows

Audit, System and Application Log

One of the main problems of software operation is conveying errors, warnings and any messages of interest to the appropriate recipient.
We have Event Viewer for Windows, whereas Linux and macOS have a different approach based on collecting audit and log messages in text files.
Syslog

Log files are valuable for both security professionals and attackers.
System and application log files contain audit trails for both expected and unexpected activities.
After any cyber attack, investigators and cyber security professionals check the event logs to find traces of the attacker.
So the attacker will try to remove the evidence from the system.
Syslog

To avoid log file tampering, ethical hackers have a different approach to protecting the log file:
● Transfer the log file entries to a secured remote location, where they would be difficult to alter.
● The Linux syslog utility allows a system to transmit logging messages in a way that is resistant to modification.
● Syslog separates log message generation from log message storage.
Anomaly Identification

● Log files can provide valuable input. The value of any log file is entirely dependent on the ability to separate normal from abnormal behaviour.

If there are 100 login attempts in just 5 seconds, what do we log that as? Normal or abnormal?
It is more difficult to determine if 5 connection requests from the same IP in 10 seconds are a potential attack.
The best way to identify malicious behaviour is to understand what normal behaviour looks like.
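An added Python example (not from the slides) that applies the two scenarios above to a constructed authentication log: a sliding-window counter flags the 100 failed logins within 5 seconds from one address, while the 5 requests in 10 seconds from another address are flagged only when the policy is tightened. The log lines and IP addresses are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log() -> list:
    """Constructed authentication log (not captured from any real system).
    Each line is "<ISO timestamp> <RESULT> user=<name> ip=<address>"."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    # Scenario 1: 100 failed attempts against one account from one IP within 5 seconds
    for i in range(100):
        ts = t0 + timedelta(milliseconds=50 * i)          # 0.00 s .. 4.95 s
        lines.append(f"{ts.isoformat()} FAILED user=admin ip=203.0.113.7")
    # Scenario 2: 5 attempts from one IP spread over 10 seconds
    for i in range(5):
        ts = t0 + timedelta(seconds=2 * i)                # 0, 2, 4, 6, 8 s
        lines.append(f"{ts.isoformat()} FAILED user=bob ip=198.51.100.9")
    # Background: a few successful logins, the "normal" behaviour
    for i in range(3):
        ts = t0 + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} SUCCESS user=alice ip=192.0.2.10")
    return lines


def parse_line(line: str) -> tuple:
    """Split one log line into (timestamp, result, user, ip)."""
    ts, result, user_field, ip_field = line.split()
    return (datetime.fromisoformat(ts), result,
            user_field.split("=", 1)[1], ip_field.split("=", 1)[1])


def detect_bursts(lines: list, threshold: int = 20,
                  window_seconds: float = 5.0, result: str = "FAILED") -> dict:
    """Return {ip: peak_count} for every IP whose number of `result` events inside
    any sliding window of `window_seconds` reaches `threshold`."""
    window = timedelta(seconds=window_seconds)
    events = sorted(parse_line(line) for line in lines)   # replay in time order
    recent = defaultdict(deque)                            # per-IP timestamps still inside the window
    peaks = {}
    for ts, res, _user, ip in events:
        if res != result:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:                          # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


if __name__ == "__main__":
    log = build_sample_log()
    print("default policy (20 failures / 5 s):", detect_bursts(log))
    print("tight policy   (5 failures / 10 s):", detect_bursts(log, threshold=5, window_seconds=10))
```

The default policy reports only the burst; lowering the threshold to 5 over 10 seconds also reports the slow source, which is the trade-off the slide describes between catching the second case and raising false alarms on normal retries.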
Domain 4 : Vulnerability Assessment and
Risk Management
Vulnerability Management

An ongoing process within organizations to


● Identify vulnerabilities
● Document discovered vulnerabilities
● Make decisions on how to handle vulnerabilities
● Respond to most important vulnerability
● Monitor the patch we have applied
Vulnerability Management

Once the organization decides which vulnerability to be mitigated, the goal is


to reduce the opportunity of the attacker to exploit that vulnerability.
Mitigating the vuln doesn't mean to remove that vuln, it means to make it less
dangerous to the organization
Vulnerability Management

In order to follow the Vulnerability management, we need to collect


information about the target.
Process is called Reconnaissance
Active reconnaissance
Passive reconnaissance
Vulnerability Management

Testing phase: scanning the target.
The Nmap utility is the favourite tool for port scanning.
Nessus and OpenVAS provide aggressive port scanning and environment
analysis.
Vulnerability Database

An important part of vulnerability management is determining the known
vulnerabilities in the technology in use.
There are multiple sources of vulnerability information available.

Go to https://nvd.nist.gov/ and https://cve.mitre.org/
https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
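The five steps of the process (identify, document, decide, respond, monitor) and the vulnerability database together, as an added example that is not the deck's own code. The input is a constructed JSON document shaped like an NVD API 2.0 response; the CVE ids are placeholders, not real advisories, and the asset inventory that says which host carries which CVE is an assumption of the example.

```python
"""Vulnerability triage over constructed NVD-shaped records (added example)."""
import json
from dataclasses import dataclass

# Constructed JSON in the shape of an NVD API 2.0 response. The CVE ids are
# placeholders, not real advisories, and the descriptions are invented.
NVD_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-00001",
                 "descriptions": [{"lang": "en", "value": "placeholder: remote code execution"}],
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
        {"cve": {"id": "CVE-0000-00002",
                 "descriptions": [{"lang": "en", "value": "placeholder: information disclosure"}],
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]}}},
        {"cve": {"id": "CVE-0000-00003",
                 "descriptions": [{"lang": "en", "value": "placeholder: not yet scored"}],
                 "metrics": {}}},
    ]
})

# Constructed asset inventory (assumption): which hosts carry each CVE and
# whether the host is reachable from the internet.
AFFECTED_HOSTS = {
    "CVE-0000-00001": [("web-01", True)],
    "CVE-0000-00002": [("web-01", True), ("wiki-01", False)],
    "CVE-0000-00003": [("build-01", False)],
}


@dataclass
class Finding:
    cve: str
    host: str
    internet_facing: bool
    base_score: float          # 0.0 when the database has not scored the entry yet
    severity: str
    status: str = "open"       # open -> patched / patch-unverified

    def priority(self) -> float:
        """Exposure-adjusted score: the same CVE is more urgent on an internet-facing host."""
        return min(10.0, self.base_score + (2.0 if self.internet_facing else 0.0))


def cvss_base(cve: dict) -> tuple:
    """Pull the CVSS v3.1 base score out of an NVD-shaped record; unscored entries get 0.0."""
    for metric in cve.get("metrics", {}).get("cvssMetricV31", []):
        data = metric["cvssData"]
        return float(data["baseScore"]), data["baseSeverity"]
    return 0.0, "UNSCORED"


def load_findings(nvd_json: str, affected: dict) -> list:
    """Steps 1 and 2: identify and document every (CVE, host) pair the organization is exposed to."""
    findings = []
    for entry in json.loads(nvd_json)["vulnerabilities"]:
        cve = entry["cve"]
        score, severity = cvss_base(cve)
        for host, facing in affected.get(cve["id"], []):
            findings.append(Finding(cve["id"], host, facing, score, severity))
    return findings


def triage(findings: list) -> list:
    """Steps 3 and 4: order of response, most urgent first; unscored items still surface for review."""
    return sorted(findings, key=lambda f: (-f.priority(), f.cve, f.host))


def record_patch(finding: Finding, rescan_clean: bool) -> Finding:
    """Step 5: a patch only closes the finding once a rescan confirms it; otherwise keep watching it."""
    finding.status = "patched" if rescan_clean else "patch-unverified"
    return finding


def still_open(findings: list) -> list:
    return [f for f in findings if f.status != "patched"]


if __name__ == "__main__":
    for f in triage(load_findings(NVD_SAMPLE, AFFECTED_HOSTS)):
        print(f"{f.priority():4.1f}  {f.cve}  {f.host}  {f.severity}")
```

The exposure adjustment is deliberately simple; in practice the "decide" step also weighs whether an exploit is public and what the host protects, but the shape of the workflow is the same.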
Vulnerability Assessment Tools
Ad-Hoc and Automated Intelligence

Threat Intelligence:
Threat intelligence is the process of identifying and analysing cyber threats. It
can refer to the data collected on a potential threat or to the process of
gathering, processing and analysing that data to better understand threats.
Ad-Hoc Threat Intelligence:
Ad hoc is a term derived from Latin that means "for this" or "for this
situation." In the context of technology and computing, "ad hoc" refers to
solutions that are developed specifically for a particular problem or task,
without considering broader applications.
Ad-Hoc and Automated Intelligence

Automating threat intelligence activities is necessary to keep up with
the fast-changing security landscape.
Documentation

1. Enumeration phase: develop the detailed architectural plan of your target
environment.

2. Ensure that all documentation concerning your IT environment is up to date.

3. Documentation should be reviewed whenever a security incident occurs.

Vulnerability Management vs. Risk Management
Risk Management, Mitigation and Levels

Create a list of known risks, sorted by likelihood and effect on the
organization.
Any action that successfully exploits a vulnerability is called a realized
risk.

Approaches to assessing and managing risk:
1. Qualitative
2. Quantitative
Qualitative Risk Assessment

Assigns a subjective level of risk based on an individual risk's likelihood of
occurrence and its effect on the organization.
● Low risk
● Medium risk
● High risk
● Extremely High risk
Example of a qualitative description: a risk that is likely to occur several
times each year and result in a loss of several hundred or thousand dollars.
Quantitative Risk Assessment

Assigns numbers that are easy to calculate and use in formulas to
determine expected losses.
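Both assessment styles worked through as an added example (not the deck's own material). The qualitative part maps likelihood and effect onto the four levels listed above; the rank values and cut-offs are this example's assumption. The quantitative part uses the standard single-loss and annualised-loss formulas (SLE = AV x EF, ALE = SLE x ARO), which the slide refers to only as "formulas"; every asset value, exposure factor and rate below is constructed.

```python
"""Qualitative and quantitative risk scoring over constructed figures (added example)."""
from dataclasses import dataclass

# Qualitative: a likelihood x effect matrix that yields the four levels named in the text.
# The rank values and the cut-offs are an assumption of this example.
LIKELIHOOD = {"rare": 1, "occasional": 2, "frequent": 3}
EFFECT = {"minor": 1, "moderate": 2, "severe": 3}


def qualitative_level(likelihood: str, effect: str) -> str:
    score = LIKELIHOOD[likelihood] + EFFECT[effect]   # 2 .. 6
    if score <= 2:
        return "Low"
    if score == 3:
        return "Medium"
    if score <= 5:
        return "High"
    return "Extremely High"


# Quantitative: SLE = AV x EF (loss from one occurrence), ALE = SLE x ARO (expected loss per year).
# All amounts are constructed, in dollars.
@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: what the affected asset is worth
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0..1)
    annual_rate: float      # ARO: expected occurrences per year

    def single_loss(self) -> float:
        return self.asset_value * self.exposure_factor

    def annual_loss(self) -> float:
        return self.single_loss() * self.annual_rate


RISKS = [
    Risk("ransomware on file server", asset_value=200_000, exposure_factor=0.5, annual_rate=0.2),
    Risk("laptop theft", asset_value=3_000, exposure_factor=1.0, annual_rate=4),
    Risk("web site defacement", asset_value=50_000, exposure_factor=0.1, annual_rate=1),
]


def ranked_by_expected_loss(risks):
    """The sorted list the text asks for: highest annualised loss first."""
    return sorted(risks, key=lambda r: r.annual_loss(), reverse=True)


def control_net_benefit(risk: Risk, control_cost_per_year: float, rate_after: float) -> float:
    """Is a mitigation (the 'Control' option) worth buying? Positive means it pays for itself:
    the reduction in ALE exceeds what the control costs per year."""
    after = Risk(risk.name, risk.asset_value, risk.exposure_factor, rate_after)
    return risk.annual_loss() - after.annual_loss() - control_cost_per_year


if __name__ == "__main__":
    for r in ranked_by_expected_loss(RISKS):
        print(f"{r.name:28s} SLE={r.single_loss():>9,.0f}  ALE={r.annual_loss():>9,.0f}")
    print("net benefit of an $8,000/yr control that cuts ransomware ARO to 0.05:",
          control_net_benefit(RISKS[0], 8_000, 0.05))
```

Note how the ranking changes between the two views: a cheap, frequent loss (laptop theft) can carry a higher ALE than a rare, expensive one, which is the sort of decision the qualitative scale alone cannot support.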
Risk Management, Mitigation and Levels

For each identified risk there are 4 mitigation options:

1. Avoidance: the risk should be completely avoided if this is possible without
excessive cost.
Ex: disabling or removing unwanted services.

2. Acceptance: if the risk, when realized, causes little damage to the
organization, the best strategy is to accept it.

3. Control: this is best for any risk that cannot be accepted or avoided.
Ex: adding a firewall, IDS, IPS.

4. Transfer: insurance is the most common approach to risk transference.
Risk with Data and Data Classification

While some risks are global across any organization, other risks target
specific data.

Common classes:
1. Personally Identifiable Information (PII)
2. Personal Health Information (PHI)
Disaster Recovery and Business Continuity
Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP)
A BCP addresses short-term interruptions, while a DRP addresses severe damage
to the infrastructure that supports operations.
A BCP is activated when one or more Critical Business Functions (CBF) are
interrupted; a DRP is activated when there is massive damage to the infrastructure.
Backup

Backup is one of the most common components of the BCP and DRP, because it
allows operations to continue.
Disaster Recovery Controls

Layers of disaster recovery controls:

1. Preventive controls are designed to prevent the attack from happening.
2. Detective controls detect an incident or attack.
3. Corrective controls correct an incident or any other issue.
Domain 5: Incident Handling
Role of SIEM and SOAR

SIEM (Security Information and Event Management)
is a solution that helps organizations detect, analyze, and respond to security
threats before they harm business operations.

SOAR (Security Orchestration, Automation and Response)
is a stack of compatible software programs that enables an organization to
collect data about cybersecurity threats and respond to security events with
little or no human assistance. The system includes documentation
capabilities.
Role of SIEM and SOAR

The goal of using a SOAR platform is to improve the efficiency of physical and
digital security operations.
The responsibility of a SOAR system is to help cyber security professionals
identify, classify and respond to security incidents as effectively as possible.
Identifying Security Incidents

A security incident is defined as any incident that results in a violation of
the security policy, or any impending violation of the security policy.
Events are normal actions that occur in the day-to-day operations of the IT
infrastructure.

Events include:
● Account sign-in
● Requesting access to a resource
● Consuming services

A security incident would be any event that results in unauthorized access.

The only way to know whether there is an incident is to monitor events.
Identifying Security Incidents

Detection process:
1. Collect event information
2. Analyse the event information
3. Examine the analysed event information to detect whether any event satisfies
the criteria of a security incident
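The three-step detection process, and the distinction between an event and an incident, as an added example that is not the deck's own code. The events are the ordinary kinds the slides list (sign-in, resource access, service use); the incident criterion is the one the slides give, an event that actually resulted in unauthorized access. The entitlement table, the disabled-account list and the raw event lines are all constructed for this example.

```python
"""Event collection, analysis and incident detection over constructed events (added example)."""
from dataclasses import dataclass

# Constructed policy (assumption): which accounts may reach which resources, and which are disabled.
ENTITLEMENTS = {
    "alice": {"vpn", "payroll-db"},
    "bob": {"vpn", "wiki"},
    "svc-backup": {"file-share"},
}
DISABLED_ACCOUNTS = {"mallory"}

# Step 1 input: constructed raw lines in the form time|kind|user|target|outcome.
RAW_EVENTS = [
    "09:01:10|sign-in|alice|vpn|success",
    "09:02:05|access|alice|payroll-db|success",
    "09:05:42|access|bob|payroll-db|success",
    "09:06:01|sign-in|mallory|vpn|success",
    "09:07:30|access|carol|wiki|failure",
    "this line is malformed and will be dropped",
    "09:08:00|service|svc-backup|file-share|success",
]


@dataclass(frozen=True)
class Event:
    time: str
    kind: str       # sign-in, access, service: the ordinary event types named in the text
    user: str
    target: str
    outcome: str    # success or failure


def collect(raw_lines):
    """Step 1: turn collected raw lines into structured events; malformed lines are dropped."""
    events = []
    for line in raw_lines:
        parts = line.split("|")
        if len(parts) == 5:
            events.append(Event(*parts))
    return events


def analyse(event: Event) -> str:
    """Step 2: label each event against policy."""
    if event.user in DISABLED_ACCOUNTS:
        return "disabled-account"
    if event.target in ENTITLEMENTS.get(event.user, set()):
        return "entitled"
    return "not-entitled"


def detect_incidents(events):
    """Step 3: an incident is an event that actually resulted in unauthorized access,
    i.e. a successful outcome where the label says the access was not allowed."""
    incidents = []
    for ev in events:
        label = analyse(ev)
        if ev.outcome == "success" and label != "entitled":
            incidents.append((ev, label))
    return incidents


def suspicious_but_not_incident(events):
    """Failed attempts that policy would have denied anyway: worth a look, but no access resulted."""
    return [ev for ev in events if ev.outcome != "success" and analyse(ev) != "entitled"]


if __name__ == "__main__":
    evs = collect(RAW_EVENTS)
    for ev, label in detect_incidents(evs):
        print(f"INCIDENT {ev.time} {ev.user} -> {ev.target} ({label})")
    for ev in suspicious_but_not_incident(evs):
        print(f"suspicious {ev.time} {ev.user} -> {ev.target} ({ev.outcome})")
```

Most of the collected lines stay plain events; only the two that crossed the policy line become incidents, and the failed attempt by an unknown account is kept visible without being promoted.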
Identifying Security Incidents
Suspicious Event:
Any action that occurs in an IT infrastructure and deviates from normal
behaviour.
We need to study the normal behaviour in order to understand the abnormal
behaviour.
Identifying Security Incidents
First step to identify a behaviour:
● Train observers on the appearance of normal behaviour.
Attack Framework
Cyber Kill Chain Model
Attack Framework
MITRE ATT&CK

Go to: https://attack.mitre.org/tactics/enterprise/
Tactics, Techniques and Procedures (TTP)

The behaviour of an actor. A tactic is the highest-level description of this
behaviour, while techniques give a more detailed description of behaviour in the
context of a tactic, and procedures an even lower-level, highly detailed
description in the context of a technique.
Evidence Sources and Handling

Identifying, collecting and protecting the evidence is of the utmost importance
to protect the integrity of the investigation.

The original evidence is called best evidence.
A copy of the original evidence is called secondary evidence.
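One way to protect the integrity of best and secondary evidence, as an added example that is not the deck's own material: hash the original before copying, hash the copy, keep both in a custody record, and re-verify the working copy before relying on it. The log content, the file names and the examiner name are constructed placeholders; using SHA-256 file hashes for this is standard forensic practice, not something the slides specify.

```python
"""Evidence acquisition with integrity hashes over constructed data (added example)."""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed log content standing in for an evidence file; not from any real system.
CONSTRUCTED_LOG = b"\n".join([
    b"2024-05-01 09:05:00 sshd: Failed password for root from 203.0.113.9",
    b"2024-05-01 09:05:01 sshd: Failed password for root from 203.0.113.9",
    b"2024-05-01 09:05:03 sshd: Accepted password for root from 203.0.113.9",
]) + b"\n"


def sha256_of(path: Path) -> str:
    """Hash in chunks so large disk images and logs do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(original: Path, working_copy: Path, examiner: str) -> dict:
    """Hash the best evidence, copy it, hash the copy, and keep a custody record of both.
    Analysis continues on the secondary evidence; the original is left untouched."""
    before = sha256_of(original)
    shutil.copy2(original, working_copy)
    after = sha256_of(working_copy)
    return {
        "original": str(original),
        "copy": str(working_copy),
        "sha256": before,
        "copy_matches_original": before == after,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,          # placeholder value in the demo below
    }


def verify(path: Path, expected_sha256: str) -> bool:
    """Re-check a file against the recorded hash before relying on it."""
    return sha256_of(path) == expected_sha256


def demo() -> tuple:
    """Returns (copy matched at acquisition, copy verifies before edit,
    altered copy still verifies, untouched original still verifies)."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "auth.log"
        original.write_bytes(CONSTRUCTED_LOG)
        copy = Path(tmp) / "auth.log.copy"
        record = acquire(original, copy, examiner="analyst-placeholder")
        ok_before = verify(copy, record["sha256"])
        # Simulate someone editing the working copy (a single address changed)...
        copy.write_bytes(CONSTRUCTED_LOG.replace(b"203.0.113.9", b"203.0.113.8", 1))
        ok_after = verify(copy, record["sha256"])
        # ...while the original, kept read-only and separate, still verifies.
        original_ok = verify(original, record["sha256"])
        return record["copy_matches_original"], ok_before, ok_after, original_ok


if __name__ == "__main__":
    print(demo())   # expected: (True, True, False, True)
```

The recorded hash is what ties the secondary evidence back to the best evidence: any later change to the working copy, however small, no longer matches, and the investigator can fall back to the original.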
Reporting and notification requirement
Incident Response Life Cycle