Complete Study Material


Security Concepts, Controls and Tools

Security+ 701 Study Guide


By: Krystal Ballew

Security Concepts
• Information Assurance Concepts
o Confidentiality, Integrity, and Availability (CIA) Triad: A guiding model in information security. A
comprehensive information security strategy includes policies and security controls that minimize threats to
these three crucial components:
o Confidentiality: Not disclosing data to unauthorized persons or processes.
o Integrity: The proof that data has not been altered in an unauthorized manner.
o Availability: Ensuring timely and reliable access to and use of information by authorized users.
o Other Information Assurance Concepts
o Authenticity/ Trustworthiness: The ability to verify the source of information and its integrity.
o Privacy: The right of an individual to control the distribution of information about themselves.
o Accountability: Ensuring that employee actions, along with their security ramifications, are
appropriately tracked so that employees can be held accountable for inappropriate activities.
o Non-Repudiation: An access control process that compares one or more factors of identification, to
validate that the identity claimed by a user or entity is known to the system.
o Resilience: The quick availability of a system, technology, or data during and after a failure event.

Networking Terminology
• Terminology
o Bit: The most essential form of data (0 or 1) at Layer 1 of the Open Systems Interconnection (OSI) model.
o Byte: A unit of digital information that most commonly consists of eight bits.
o Frame: Representation of data at Layer 2 of the OSI model.
o Packet: Representation of data at Layer 3 of the OSI model.
o Segment/ Datagram: Representation of data at Layer 4 of the OSI model.
o Data: Representation of data at Layers 5, 6 and 7 of the OSI model.
o Multi-Cast: Transmission is a one-to-several form of sending Internet traffic.
o Broadcast: Transmission is a one-to-everyone form of sending Internet traffic.
o Loopback: The routing of electronic signals or digital data streams back to their source without intentional
processing or modification. It is primarily a means of testing the communications infrastructure.
o Hardware: The physical parts of a computer and related devices.
o Software: A collection of programs and data that tell a computer how to perform specific tasks.
o Firmware: Computer software that provides the low-level control for a device's specific hardware.
o Ports: A port in networking is a software-defined number associated to a network protocol that receives or
transmits communication for a specific service. A port in computer hardware is a jack or socket that
peripheral hardware plugs into.
o Protocols: A set of rules, formats, and procedures to control communication between systems.
o Payload: The primary action of a malicious code attack.
o Network: Two or more computers linked together to share data, information, or resources.
o Fault Tolerance: A system designed to continue functioning even if hardware or software components fail.
o High Availability: The percentage of the time a system or resource is expected to be operating and
responsive, such as 5 Nines system (Up for 99.999% of the time, which should be down for no more than
5.26 minutes per year). Strategies focus on limiting expected disruptions and improving recovery times.
They include redundant failover systems, which can quickly take over if the primary system fails.
o Scalability: Ability to cope with significant changes on demand without suffering performance problems,
service interruptions due to upgrades, or procedural bottlenecks. Strategies are closely related to high
availability but focus more on provisioning extra resources to a service before failures even occur.
o Timeouts: In networking, timeouts are typically preset time periods for handling unplanned events. One may
experience a network timeout for a number of reasons: the system is down, an incorrect IP address was
used, a service is not running or not offered on that system, a firewall is blocking the traffic, or network
traffic is congested, causing packet loss.
o Latency: The time between a source sending a packet and the packet's destination receiving it. High latency
is slow, which is typically a problem. It is often caused by low bandwidth or saturation. In addition, routers
overloaded by network traffic may cause high network latency.
o Jitter: A term used to indicate high deviations from a network's average latency. For streaming services, for
example, jitter can have serious negative impacts.
o Packet Drop: Also called packet loss. This occurs when a network packet fails to reach its destination.
Unreliable network cables, failing adapters, network traffic congestion, and underperforming devices are the
main reasons for packet drop. Routers contain buffers that allow them to hold on to network packets when
their outbound queues become too long. If the router cannot forward its IP packets in a reasonable time
frame, it will drop the packet located in its buffer.
o Baseband: A single cable with a digital signal that can be fiber or copper. The communication signal uses all
of the bandwidth. Either 0% or 100%. Bidirectional communication is optional, but not at the same time
using the same wire or fiber.
o Bandwidth: A measurement of the maximum data amount that can be transferred between two network
points over a period of time. This measurement is typically represented by number of bytes per second.
o Throughput: A measurement of the actual data amount that is transferred between two network points over a
period of time. Bandwidth is the maximum rate and throughput is the actual rate.
o Saturation: Also called congestion or bandwidth saturation. This occurs when traffic exceeds capacity.
o Bufferbloat: Some router manufacturers attempt to avoid packet loss by increasing their routers' buffer size.
This leads to a condition called bufferbloat, which increases network latency and congested segments due to
packets staying too long in the router's buffer.
o Page File/Swap File: When RAM becomes full, Windows moves some of the data from RAM back to the hard
drive, placing it into a page file. This file is a form of virtual memory and is highly volatile.

Networking Concepts
• Network Types
o Personal Area Network (PAN): Connects electronic devices close to the user, such as a wireless mouse, a
keyboard, and a computer.
o Small Office/ Home Office (SOHO): A type of Local Area Network (LAN) connection designed for small
businesses with fewer than 10 employees, or a home network. SOHO networks can be a small, wired
Ethernet LAN, or a combination of wired and wireless computers.
o Local Area Network (LAN): A group of computers and peripheral devices that share a common
communication line or wireless link to a server within a distinct geographic area. A LAN may serve as few as
2-3 users in a home office, or thousands of users in a corporation's central office.
o Wireless Local Area Network (WLAN): A wireless network that links two or more devices within a limited
area, such as a home, school, computer laboratory, campus, or office building.
o Campus Area Network (CAN): A network made up of an interconnection of LANs within a limited
geographical area, such as the size of a corporate or university campus.
o Metropolitan Area Network (MAN): A network that interconnects users with computer resources in a
geographic region the size of a metropolitan area.
o Wide Area Network (WAN): Telecommunications network that extends over a large geographic area.
o Global Area Network (GAN): A network composed of different interconnected networks that cover an
unrestricted geographical area. The term is synonymous with the Internet.
o Virtual Private Network (VPN): A mechanism for creating a secure connection between a computing device
and a computer network, or between two networks, using an otherwise unsecure communication medium.
o Enterprise Private Network (EPN): A dedicated computer network that connects an organization's various
locations, such as offices, warehouses, and production sites, in a secure manner. The network is designed to
share resources and protect data and can be tailored to the organization's specific needs.
o Storage/System Area Network (SAN): A network of storage devices that can be accessed by multiple servers
or computers, providing a shared pool of storage space.
o Passive Optical Local Area Network (POLAN): A fiber-optic telecommunications technology that provides
broadband network access to customers using a point-to-multipoint architecture. POLANs are an alternative
to traditional LAN networks and can be used for both residential and business purposes.
• Common Network Devices
o Ethernet: A family of wired computer networking technologies commonly used in Local Area Networks
(LANs), Metropolitan Area Networks (MANs) and Wide Area Networks (WANs).
o Hub: A device that links multiple computers and devices. Also called repeaters or concentrators. Each
connected device is on the same subnet and receives all data sent to the hub.
o Switch: Multi-port network bridge that uses MAC addresses to forward data.
o Router: A device that connects two or more packet-switched networks or subnetworks. It manages
traffic between these networks by forwarding data packets to their intended IP addresses and
allows multiple devices to use the same Internet connection.
o Firewall: A security system that restricts Internet traffic into, out of, or within a private network. This
software or dedicated hardware-software unit functions by blocking or allowing data packets.
o Server: A computer or system that provides resources, data, services, or programs to other computers,
known as clients, over a network.
o End Points: A desktop, laptop, tablet, mobile phone, Voice over IP (VoIP), or any other end user device.
o Sensor, Collector, Tap: Monitors network data from various sources, and sends it to a central location for
storage, viewing, and analysis. Place inside a firewall or near a critical server to capture malicious traffic.

• Open Systems Interconnection (OSI) Model
o Created by the International Organization for Standardization (ISO), this model serves as an abstract framework
or theoretical model for how protocols should function in an ideal world on ideal hardware. The model has
become a common conceptual reference that is used to understand the communication of various
hierarchical components, from software interfaces to physical hardware.
§ Architecture Layers
• Physical (1): Transports data using electrical, mechanical, or procedural interfaces through
hardware and cables.
• Data Link (2): Transfers data between nodes on a network segment across the physical
layer, via switches and hubs.
• Network (3): Decides which physical path the data will take via routers and IP addressing.
• Transport (4): Transmits data across a network or Internet using transmission protocols,
including TCP and UDP.
• Session (5): Maintains connections and is responsible for controlling ports and sessions.
• Presentation (6): Ensures that data is in a usable format. Where data encryption occurs.
• Application (7): Human-computer interaction layer, where applications can access the
network services.
§ Mnemonic: Please Do Not Throw Sausage Pizza Away
§ The Lower Layers: Often referred to as the Media or Transport Layer. Responsible for receiving bits
from the physical connection medium and converting them into frames.
§ The Upper Layers: Also known as the Host or Application Layer. Responsible for managing the
integrity of a connection and controlling the session, as well as establishing, maintaining and
terminating communication sessions between two computers. It is also responsible for transforming
data received from the application layer into a format that any system can understand. It allows
applications to communicate and determine whether a remote computer is available and accessible.
§ Encapsulation/ De-Encapsulation
• Encapsulation: Each layer has the potential to perform encapsulation, or the addition of
header, and possibly footer data. This occurs as the data moves down the OSI model from
the Application Layer to the Physical Layer. As data is encapsulated at each descending
layer, the previous layer’s header, payload, and footer are all treated as the next layer’s
payload. The data unit size increases as we move down the conceptual model and the
contents continue to encapsulate.
• De-Encapsulation: The inverse action occurs as data moves up the OSI model layers from
Physical to Application. The header and footer are used to properly interpret the data
payload and are then discarded. Moving up the OSI Model, the data units become smaller.
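
The encapsulation and de-encapsulation steps described above, as an added example (not part of the original study guide). It wraps a constructed payload in a UDP header (Layer 4), an IPv4 header (Layer 3), and an Ethernet header plus CRC-32 footer (Layer 2), then unwraps it again, checking each layer's integrity fields the way a sensor or packet analyzer would. The addresses, MAC values, and ports are constructed sample values; Ethernet minimum-size padding is left out.

```python
import socket
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def udp_datagram(src_port: int, dst_port: int, data: bytes) -> bytes:
    """Layer 4: prepend the 8-byte UDP header (checksum 0 = not computed, legal over IPv4)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


def ipv4_packet(src: str, dst: str, segment: bytes) -> bytes:
    """Layer 3: prepend a 20-byte IPv4 header; the whole Layer 4 unit is now payload."""
    fields = [0x45, 0, 20 + len(segment), 0, 0, 64, PROTO_UDP, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = inet_checksum(header)  # fill in the header checksum field
    return struct.pack("!BBHHHBBH4s4s", *fields) + segment


def ethernet_frame(dst_mac: bytes, src_mac: bytes, packet: bytes) -> bytes:
    """Layer 2: header in front, CRC-32 frame check sequence (the footer) behind."""
    body = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet
    return body + struct.pack("<I", zlib.crc32(body))


def encapsulate(data: bytes) -> dict:
    """Move down the stack and keep every layer's data unit."""
    segment = udp_datagram(50000, 53, data)                       # constructed ports
    packet = ipv4_packet("192.168.1.10", "192.168.1.1", segment)  # constructed addresses
    frame = ethernet_frame(bytes.fromhex("020000000002"),         # constructed MACs
                           bytes.fromhex("020000000001"), packet)
    return {"data": data, "segment": segment, "packet": packet, "frame": frame}


def decapsulate(frame: bytes) -> bytes:
    """Move up the stack: validate and strip each header/footer, return the data."""
    if len(frame) < 18:
        raise ValueError("layer 2: frame too short")
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        raise ValueError("layer 2: frame check sequence mismatch")
    (ethertype,) = struct.unpack("!H", body[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("layer 2: payload is not IPv4")

    packet = body[14:]
    if len(packet) < 20:
        raise ValueError("layer 3: packet too short")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or inet_checksum(packet[:ihl]) != 0:
        raise ValueError("layer 3: bad header length or checksum")
    (total_len,) = struct.unpack("!H", packet[2:4])
    if packet[9] != PROTO_UDP or total_len > len(packet):
        raise ValueError("layer 3: not UDP or truncated packet")

    segment = packet[ihl:total_len]
    if len(segment) < 8:
        raise ValueError("layer 4: datagram too short")
    _sport, _dport, udp_len, _csum = struct.unpack("!HHHH", segment[:8])
    if udp_len != len(segment):
        raise ValueError("layer 4: length field does not match")
    return segment[8:]


if __name__ == "__main__":
    units = encapsulate(b"hello, OSI")  # constructed payload
    for name in ("data", "segment", "packet", "frame"):
        print(f"{name:8s} {len(units[name]):3d} bytes")
    print(decapsulate(units["frame"]))
```

The printed sizes grow at every step down the stack, and flipping any bit of the frame makes `decapsulate` fail at Layer 2 before the upper layers are ever parsed.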
• Transmission Control Protocol/ Internet Protocol (TCP/IP) Model
o The Internet Protocol Suite, commonly known as TCP/IP, is a framework for organizing the set of
communication protocols used on the Internet. It is a protocol stack comprised of dozens of individual
protocols. It can be found in every available operating system, but it consumes significant resources and is
relatively easy to hack because it was designed for ease of use rather than security.
§ Architecture Layers
• Network Interface (1): Defines how data moves through the network. Specifies the
hardware and cable characteristics of the network.
• Internet (2): Creates and inserts packets. Internet Control Message Protocol (ICMP),
Address Resolution Protocol (ARP), and Internet Protocol (IP) are used here.
• Transport (3): Permits data to move among devices. Transmission Control Protocol (TCP)
and User Datagram Protocol (UDP) are used here.
• Application (4): Defines the protocols for the transport layer. File Transfer Protocol (FTP),
Simple Mail Transfer Protocol (SMTP), and Domain Name Service (DNS) are used here.
• OSI and TCP/IP
o Both models take ones and zeros from the Physical or Network Interface Layer, where the cables or Wi-Fi
connect, to the Application Layer where users interact with the data. The data traverses the network as
packets with headers or footers being added and removed, as they move beyond each layer.
• TCP vs UDP
o Transmission Control Protocol (TCP): A connection-oriented protocol that enables application programs and
computing devices to exchange messages over a network. It sends packets across the Internet and ensures
the successful delivery of data. While TCP is more reliable, it transfers data more slowly.
§ Three-Way Handshake: TCP uses a three-way handshake to establish a reliable connection. The
connection is full duplex, and both sides synchronize (SYN) and acknowledge (ACK) each other. The
exchange of these four flags is performed in three steps: SYN, SYN-ACK, and ACK.
o User Datagram Protocol (UDP): A connectionless protocol used for communication throughout the Internet.
UDP is less reliable but works more quickly. Because there is no three-way handshake, packets can arrive out
of order and must buffer on the backend. But it provides the fast communication needed for time-sensitive
applications like gaming, streaming, playing videos, or Domain Name System (DNS) lookups.
• Ports and Protocols
o A port is a software-defined number associated with a network protocol that receives or transmits
communication for a specific service.
o A protocol is a specification for how two devices will exchange data in a way that they can both understand.
§ Well-Known Ports (1-1023): These ports are related to the common protocols that are at the core of
the TCP/IP model.
§ Registered Ports (1024-49151): These ports are often associated with proprietary applications from
vendors and developers.
§ Dynamic/ Private Ports (49152-65535): Whenever a service is requested that is associated with a
well-known or registered port, those services will respond with a dynamic port that is used for that
session and then released.
o Most Commonly Used Ports and Protocols
o Simple Authentication and Security Layer (SASL): A framework that allows developers to add
authentication support to connection-based protocols such as IMAP, SMTP and LDAP. It also provides
mechanisms for data integrity.
• Internet Protocol (IP)
o IPv4: Provides a 32-bit address space, which by the late 1980s was projected to be exhausted.
§ Expressed as 4 octets separated by a dot. For example, 216.12.146.140.
§ Every address is subdivided into two parts: The network number and the host number.
• Network Number: Assigned by an external organization and represents the network.
• Host Number: Represents the network interface within that network.
o Class A: Assigned to very large corporations. These networks can be divided into 128
different networks.
o Class B: Used for medium and large-sized networks in enterprises and organizations.
They support up to 65,000 hosts on 16,000 individual networks.
o Class C: Most common and used in small business and home networks.
o Class D: Not used to address individual hosts. Reserved for multi-cast networking.
o Class E: Address range is reserved for future or experimental purposes.

§ Networks are typically divided into subnets. The first allocated address in any network or subnet is
used for the network itself (216.12.146.0). The last is used for the broadcast address
(216.12.146.255).
• Subnetting: The practice of logically dividing a network into two or more smaller networks.
Computers that belong to the same subnet share an identical group of the most
significant bits of their IP addresses.
• Subnet Masks: Used to define the part of the address used for the subnet. The mask is
usually converted to a decimal notation like 255.255.255.0.
§ IPv4 addressing does not provide enough addresses for our needs. To address this shortcoming,
IPv4 was subdivided into public and private address ranges.
• Public Addresses: Are limited with IPv4.
• Private Addresses: Can be shared by anyone and can be reused. Address ranges to be used
by private networks:
o Class A: 10.0.0.0 to 10.255.255.254.
o Class B: 172.16.0.0 to 172.31.255.254.
o Class C: 192.168.0.0 to 192.168.255.254.
• Loopback Address: 127.0.0.1. Used to provide a mechanism for self-diagnosis and
troubleshooting at the machine level.
• Common Address Redundancy Protocol (CARP): Allows multiple hosts on the same network
segment to share an IP address.
• Network Address Translation (NAT): For private IP addresses to communicate across the
Internet, they need to be mapped to a public IP address. NAT is a method of mapping a
private IP address to a public IP address to conserve available IPv4 address space. IPv4 is
slowly being phased out by IPv6 to improve security and support more devices.
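
The subnet mask, network address, broadcast address, and private-range rules above, worked through with bitwise operations. This is an added example, not part of the original study guide; the function names are illustrative, and the masks for the three private blocks are derived from the ranges listed above. Getting this arithmetic right matters when scoping firewall rules and access lists, because a mask that is one bit too short doubles the set of hosts a rule covers.

```python
PRIVATE_BLOCKS = (  # the three private ranges listed above, as (network, mask)
    ("10.0.0.0", "255.0.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("192.168.0.0", "255.255.0.0"),
)


def to_int(dotted: str) -> int:
    """Strictly parse four decimal octets into one 32-bit integer."""
    parts = dotted.split(".")
    valid = len(parts) == 4 and all(
        p.isascii() and p.isdigit() and len(p) <= 3 and int(p) <= 255 for p in parts
    )
    if not valid:
        raise ValueError(f"not a dotted-quad IPv4 address: {dotted!r}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value


def to_dotted(value: int) -> str:
    """Render a 32-bit integer as four octets separated by dots."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_info(address: str, mask: str) -> dict:
    """Derive the network and broadcast addresses from an address and its mask."""
    addr, m = to_int(address), to_int(mask)
    host_bits = ~m & 0xFFFFFFFF
    # A valid mask is a run of 1s followed by a run of 0s, so the inverted
    # mask must have the form 2**k - 1.
    if host_bits & (host_bits + 1):
        raise ValueError(f"mask bits are not contiguous: {mask}")
    network = addr & m               # host part cleared: first address
    broadcast = network | host_bits  # host part all ones: last address
    return {
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "prefix_length": bin(m).count("1"),
        "usable_hosts": max(host_bits - 1, 0),  # minus network and broadcast
    }


def same_subnet(a: str, b: str, mask: str) -> bool:
    """Two hosts share a subnet when their masked (most significant) bits match."""
    m = to_int(mask)
    return (to_int(a) & m) == (to_int(b) & m)


def is_private(address: str) -> bool:
    """True when the address falls inside one of the three private blocks."""
    addr = to_int(address)
    return any((addr & to_int(mask)) == to_int(net) for net, mask in PRIVATE_BLOCKS)


if __name__ == "__main__":
    # The guide's example address with a /24 mask, then split into two halves.
    print(subnet_info("216.12.146.140", "255.255.255.0"))
    print(subnet_info("216.12.146.140", "255.255.255.128"))
    print(same_subnet("216.12.146.10", "216.12.146.140", "255.255.255.128"))
    print(is_private("172.31.255.254"), is_private("172.32.0.1"))
```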
o IPv6: Provides several important features and improvements upon IPv4.
§ A much larger address field: IPv6 addresses are 128-bits, which supports far more hosts, and
ensures that address space will never run out.
§ Improved Security: IPsec is an optional part of IPv4 networks, but a mandatory component of IPv6
networks. This will help to ensure the integrity and confidentiality of IP packets and allow
communicating partners to authenticate with each other.
§ Improved Quality of Service (QoS): Helps services obtain an optimal share of network bandwidth.
§ Complex Addressing: An IPv6 address is shown as eight groups of four digits. Instead of the numeric
digits like IPv4, IPv6 addresses use the hexadecimal range (0000-ffff) and are separated by colons
rather than periods. Example: 2001:0db8:0000:0000:0000:FFFF:0000:0001. To make it easier for
humans to read and type, it can be shortened by removing the leading zeros at the beginning of
each field and substituting two colons for the longest consecutive 0 fields. All fields must retain at
least one digit. After shortening, the example address above is rendered as 2001:db8::FFFF:0:1.
§ Loopback Address: ::1
• Routing Protocols
o Routing Information Protocol (RIP): One of the oldest distance-vector protocols, which employs hop count
as a routing metric. RIP prevents routing loops by implementing a limit on the number of hops allowed in a
path from source to destination.
§ RIPv1: Deprecated. Do not use.
§ RIPv2: An enhanced version of RIP that includes support for important routing features, such as
classless addressing and variable-length subnet masks.
§ RIPng: (RIP-Next Generation): An extension of RIPv2 for support of IPv6.
o Interior Gateway Routing Protocol (IGRP): A type of routing protocol used for exchanging routing table
information between gateways within an Autonomous System (AS). This routing information can then be
used to route Network Layer protocols, like IP.
o Enhanced Interior Gateway Routing Protocol (EIGRP): Advanced distance-vector protocol designed by Cisco
Systems as a proprietary protocol, available only on Cisco routers.
o Open Shortest Path First (OSPF): An Interior Gateway Protocol (IGP) for the Internet. Used to distribute IP
information throughout a single Autonomous System (AS) in an IP network. More prone to cyberattacks.
o Intermediate System to Intermediate System (IS-IS): Moves information efficiently within a network by
determining the best route for data through a packet-switching network. Less prone to cyberattacks.
o Exterior Gateway Protocol (EGP): Used to connect different Autonomous Systems (AS) on the Internet from
the mid-1980s until the mid-1990s, when it was replaced by Border Gateway Protocol (BGP). Deprecated.
o Border Gateway Protocol (BGP): A standardized exterior gateway protocol for exchanging routing and
reachability information among Autonomous Systems (AS). Mostly used by Internet Service Providers (ISP).

Network Connectivity
• Ethernet
o A piece of networking hardware that is used to connect one network device to another, or to connect two or
more computers to shared devices, such as printers or scanners.
• Wired Topologies
o Point-to-Point: A simple topology that directly links two nodes and reserves the entire bandwidth of the
connection for them to communicate with one another.
o Bus: Consists of one flat network, where all devices directly connect and transmit data between one
another. This topology is inefficient because it broadcasts data to all devices on the network, which can
cause network congestion and reduce performance. If one link goes down, the whole network goes down.
o Ring: A configuration where every device directly connects to two other devices on the network, forming a
continuous circle in a non-hierarchical structure. Data sent to a specific device transmits from device to
device, around the ring, until it reaches its intended destination.
o Mesh: Infrastructure nodes connect directly, dynamically, and non-hierarchically, to as many other nodes as
possible and cooperate to efficiently route data to and from clients.
o Star: Every host is connected to a central hub. In its simplest form, one central hub acts as a conduit to
transmit messages. The star network is one of the most common computer network topologies.
o Hybrid: Two or more different topologies are integrated or combined to lay out a network.
o Tree: A hybrid Star-Bus network in which Star networks are interconnected via Bus networks. Tree networks
are hierarchical, and each node can have an arbitrary number of child nodes.
• Wireless Connectivity
o Wireless Access Points (WAPs): A hardware device that allows other Wi-Fi devices to connect to a wired
network or wireless network.
§ Fat: Includes everything necessary to handle wireless clients. If end users deploy several Fat WAPs,
each one needs to be configured individually.
§ Thin: Acts as a radio and antenna that is controlled by a wireless switch. If multiple Thin WAPs are
deployed, the entire configuration takes place at the switch. This is the far cheaper option.
§ Controller-Based: Requires a controller for centralized management and is not manually configured.
§ Stand-Alone: This does not require a controller and is generally used in smaller environments.
o Types of Wireless/ Mobile Connectivity
§ Point-to-Point (PtP): Used to connect two locations using directional antennas with Line of Sight
(LoS). They use a combination of small, powerful, highly directional aerials, routers, and cables to set
up the connection. An example is a Wi-Fi repeater, used to extend the length of an existing network.
§ Point-to-Multi-Point: A one-to-many connection, providing multiple paths from a single point to
multiple locations.
§ Cellular: Where the link to and from end nodes is wireless and the network is distributed over land
areas called cells, each served by at least one fixed-location transceiver.
§ SATCOM: Satellite communication that is used in remote areas and during natural disasters.
Potential risks include GPS data leak, remote code execution, and difficulty in remote updates.
§ Hotspot/ Tethering: Using the existing mobile phone and data plan to share a secure Internet
connection with another device, typically a laptop or tablet. True hotspots allow for access to a
dedicated device, like a portable Wi-Fi hotspot, that is capable of connecting to the closest cellular
tower. This can be done over a mobile LAN, Bluetooth, or a wired device, such as a USB. Hotspots
tend to use Wi-Fi, while tethering tends to use a USB.
§ Ad Hoc Mode/ Mobile Direct: When two wireless devices communicate in a Peer-to-Peer (P2P)
manner without using Access Points (APs) or wireless routers. For example, a client workstation with
wireless capability can be configured in ad hoc mode, enabling another device to connect to it. Or
connecting two mobile devices directly; commonly seen in home networks.
§ Near Field Communication (NFC): A set of protocols that enables communication between two
electronic devices over a distance of 4 cm or less. It is best known as the technology that enables
consumers to pay retailers and each other with their cell phones.
• Cloud Connectivity
o Deployment Models
§ Public: Infrastructure is entirely owned, managed, and maintained off-site via the Internet, by third-
party service providers such as Amazon, Microsoft, or Google. Cloud Service Providers (CSP) rent out
their computing resources, like servers, storage, and applications, to various organizations.
§ Private: Infrastructure is dedicated to a single organization or enterprise. The software and
applications are usually proprietary platforms tailored to meet the needs of the business. The
architecture can be hosted and managed either internally by on-site staff or externally by a third-
party service provider.
§ Community: Shared by enterprises with common operational and regulatory concerns, such as trade
associations, nonprofits, and government agencies. This model is hosted either on-site or off-site
and owned by one or more of the organizations or by a Cloud Service Provider (CSP).
§ Hybrid: This infrastructure combines elements from private and public cloud deployments, offering
the security of a private cloud and the additional storage and cost-effectiveness of a public cloud.
This deployment is optimal for industries that store sensitive information, such as healthcare,
government, and finance. These regulated industries are often required to keep certain types of
sensitive data on-premises while allowing less sensitive data to be stored in the cloud.
o Service Models
§ Software as a Service (SaaS): Allows users to use cloud-based apps over the Internet.
§ Platform as a Service (PaaS): A complete code development and deployment environment in the
cloud, with resources that enable delivery from simple cloud-based apps to sophisticated cloud-
enabled enterprise applications.
§ Infrastructure as a Service (IaaS): Provides on-demand access to computing resources such as
servers, storage, networking, and virtualization.

§ Anything-as-a-Service (XaaS): Describes a category of services related to cloud computing and
remote access. It recognizes the vast number of products, tools, and technologies that are now
delivered to users as a service over the Internet.
• Storage-as-a-Service (STaaS): Using public cloud storage resources to store data.
• Information-as-a-Service (IAS): Cloud services that supply data for their customers.
• Security-as-a-Service (SECaaS): A business model in which a service provider integrates their
cloud-based security services into a corporate infrastructure on a subscription basis. May
include authentication, anti-virus, anti-malware, Intrusion Detection Systems (IDSs), and
Security Information and Event Management (SIEM).
• Monitoring-as-a-Service (MaaS): Implements monitoring solutions such as state monitoring
or SIEM as an online service.
• Firewall-as-a-Service (FWaaS): A Layer 7 Next Generation Firewall (NGFW) deployed on the
cloud to protect cloud or on-premises services.
o Cloud Computing Requirements
§ On-Demand Self-Service: Customers must be able to access computing resources unilaterally and
automatically without human interaction with the service provider.
§ Broad Network Access: Resources are available through the network in a standard format that
allows use from a wide variety of client platforms and devices.
§ Resource Pooling: The provider’s resources are pooled and shared between multiple customers in a
multi-tenant arrangement and they can be dynamically allocated to suit changing demands.
§ Rapid Elasticity: Resources can be quickly or automatically allocated or released to meet demand.
From a customer perspective, resources might seem to be unlimited.
§ Measured Service: Resources are measured and metered so that usage can be monitored and
transparently reported so that the customer can be billed appropriately.
o Access Control on the Cloud
§ Defined in part by policy objects, or rules which determine how identities and resources interact.
They can usually be defined with a high level of granularity.
• Identity-Based Policies: Attached to an IAM user, group, or role. They define permissions
that specify what that identity can do, such as actions a user can perform, or resources a
group can access. Identity-based policies can be managed policies administered by the Cloud
Service Provider (CSP) or they can be inline policies embedded in the identity itself.
• Resource-Based Policies: Attached to a resource, such as a storage bucket, encryption key,
or message queue. Resource-based policies are always inline, but they can affect identities
outside of the organization’s control.
o Cloud Security
§ Cloud-Based Service Level Agreement (SLA): An agreement between a Cloud Service Provider (CSP)
and a customer, which includes the minimum level of service, availability, security, controls,
processes, communications, and support. The purpose of an SLA is to document specific parameters,
minimum service levels and remedies for any failure to meet the specified requirements. It should
also affirm data ownership and specify data return and destruction details.
§ Cloud-Based Managed Service Providers (MSP): A company that manages information technology
assets for another company. Organizations may also use an MSP to provide network security
monitoring and patching services. Includes cloud-based services that augment SaaS solutions, with
active incident investigation and response activities.
§ Managed Security Service Provider (MSSP): A third-party organization that offers cybersecurity
services to other businesses. MSSPs can help organizations protect their applications, devices, and
systems from cyberthreats. They can also help reduce the need for an organization to hire, train,
and retain security personnel.
§ Managed Detection and Response (MDR) Service: A vendor monitors firewall and other security
tools to provide expertise in triaging events.
§ Security-as-a-Service (SECaaS): A business model in which a service provider integrates their
security services into a corporate infrastructure on a subscription basis.
o The OSI Model and the Cloud
• Internet of Things (IoT) Connectivity
o IoT Technology Types
§ Near Field Communication (NFC): A set of communication protocols that enables communication
between two electronic devices over a distance of 4 cm or less.
§ Radio Frequency Identification (RFID): Uses electromagnetic fields to automatically identify and
track tags attached to objects. An RFID system consists of a tiny radio transponder, a radio receiver,
and a transmitter.
§ Bluetooth: Used for exchanging data between fixed and mobile devices over short distances (up to
10 meters) and used for building Personal Area Networks (PANs).
§ Infrared (IR): A wireless mobile technology used for device communication over short ranges. IR
communication has limitations because it requires a Line of Sight (LoS), has a short transmission
range, and is unable to penetrate walls.
§ Zigbee: A wireless protocol that is used to connect smart devices such as light bulbs, sockets, plugs,
smart locks, and motion sensors.
§ Z-wave: Used primarily for residential and commercial building automation.
§ ANT+: Communication protocol to manage communication between fitness sensors, such as cycling
computers and heart-rate monitors. Uses a 2.4 GHz band to communicate. Potential risks include
eavesdropping, vulnerable encryption, and frequency band-jamming.
o Fog/ Edge Computing
§ Fog Devices: IoT devices with limited access to the Internet. Fog computing places processing
resources close to IoT sensors to address latency and bandwidth requirements.
§ Edge Devices: IoT devices that only make local decisions. Edge computing incorporates fog
computing concepts but focuses on edge devices, gateways, fog nodes, and cloud/data center layers
for data processing and storage.
o IoT Embedded Systems
§ Embedded Systems: A complete computer system designed for specific dedicated functions. Static
environments with limited flexibility compared to PCs. A computer that is implemented as part of a
larger system. A combination of a computer processor, computer memory, and input/output
peripheral devices that have a dedicated function within a larger mechanical or electronic system.
Examples: Network-attached printers, smart TVs, HVAC controls, smart appliances, smart
thermostats, and medical devices. Requires segmentation for enhanced security.
§ Embedded System Technologies
• System on a Chip (SOC): A compact embedded computer where all or most of an entire
system exists on a single integrated circuit package, rather than as separate components on
a circuit board. The system might still be mounted on a circuit board, but it's typically small
and only used for external I/O connections.
• Raspberry Pi: A debit card-sized low-cost computer that connects to a desktop or TV and
uses a standard mouse and keyboard. It has a dedicated processor, memory, and a graphics
driver, just like a PC. It also comes with an OS, Raspberry Pi OS, a modified version of Linux.
• Arduino: A low-cost, flexible, easy-to-use, programmable, open-source microcontroller
board, that can be integrated into a variety of electronic projects.
• Field Programmable Gate Array (FPGA): A customizable integrated circuit that includes
digital logic circuitry that can be programmed to customize its functionality. Flexible
hardware configuration that is suitable for various applications without added cost.
• Real-Time Operating System (RTOS): A software component for embedded systems to use
predictability to see what happens to meet real-time requirements. Essential for time-
sensitive tasks requiring stability, reliability, and predictable response times. Commonly
used in manufacturing and automobiles. Despite their design for stability, RTOSs are still
susceptible to CVEs and exploits. The predicted guesses must be secured.
• Multi-Function Device (MFD): A device with multiple functions, such as a printer that can
print, scan, and fax.
§ Embedded Systems Security Considerations: While static environments can be easier to protect,
identifying and correcting security issues can be challenging. Limited computing resources hinder
traditional cryptographic technology usage. The rise of network accessibility prompts the
development of resource-efficient encryption methods. Implied trust models are common in
embedded networks due to the lack of explicit trust anchors like TPMs. Network segmentation
isolates embedded systems from corporate networks, reducing the risk of infection or exploitation.
Wrappers like IPSec can secure data in transit, mitigating risks associated with untrusted networks.
Firmware patching is challenging due to the limited vendor support, the manual update process, and
the need for uninterrupted services.

Security Controls
• Primary Security Controls
o Physical Controls: Controls implemented through a tangible mechanism. The components are put in place to
protect a physical building, perimeter, database center, or server room. Examples include data center
perimeter fencing, locks, guards, access control cards, badge readers, biometric access control systems,
surveillance cameras, architectural features, and intrusion detection sensors.
o Technical/Logical Controls: The hardware and software components that protect a system against
cyberattack. Examples include firewalls, Intrusion Detection Systems (IDS), encryption, Access Control Lists
(ACLs), steganography, and identification and authentication mechanisms.
o Administrative Controls: A set of security rules, policies, procedures, or guidelines specified by management
to control access and usage of confidential information. Applies to all the levels of employees and
determines the privileged access to the resources to access data. Examples include password policies,
Incident Response (IR) procedures and Disaster Recovery Plans (DRPs).
• Other Security Control Concepts
o Managerial Controls: The security controls that focus on the management of risk and the management of
information system security. Includes vulnerability management, change management, asset management,
and standardized penetration testing.
o Procedural Controls: Establishes a framework for validating and maintaining the computer system, and for
ensuring that users understand how to use the system. Takes the form of Standard Operating Procedures
(SOPs) and user manuals.
o Operational Controls: The security controls that are primarily implemented and executed by people, as
opposed to systems. Security controls for day-to-day operations. They can include policies and procedures
that dictate who can use IT assets, such as access lists for computers, virtual machines, and networking
equipment. They can also include allowed operations for users, such as the principle of least privilege.
• Security Control Classifications
o Preventative Controls: Implemented before a threat event to reduce and/or avoid the likelihood and
potential impact of a successful threat event. Includes policies, standards, processes, procedures,
encryption, firewalls, and physical barriers. Physical controls are often preventative controls.
o Detective Controls: Detects, logs, and alerts after an event has occurred. Includes Intrusion Detection
Systems (IDSs) and motion detectors. May not prevent access.
o Corrective Controls: Used to remediate or mitigate the effect of a security incident and prevent the same
security incident from recurrence. Includes account lockout, Intrusion Prevention Systems (IPS), or a sprinkler
system coming on after detecting smoke.
o Directive Controls: Enforce behavioral rules, often through policies or training. Includes employee training,
or phishing campaigns.
o Deterrent Controls: Administrative mechanisms that are used to guide the execution of security within an
organization. Includes policies, procedures, standards, guidelines, laws, and regulations. May not directly
prevent access but will discourage an intrusion attempt.
o Mitigating/ Compensating Controls: A substitute for principal controls to provide equivalent protection.
Measures taken to address any weaknesses of existing controls or to compensate for the inability to meet
specific security requirements due to various constraints. Doesn’t prevent an attack but restores by other
means. Includes patches, firewalls, backups, and hot sites.
• Security Controls Related to the CIA Triad
o Confidentiality-Related Controls
§ Principle of Least Privilege.
§ Mandatory Access Control (MAC).
§ Separation of Duties.
§ Encryption.
o Integrity-Related Controls
§ Hashing.
§ Digital Signatures.
§ Certificates.
§ Version Control.
o Availability-Related Controls
§ Data Backups.
§ Hardware Redundancy.
§ Fault Tolerance.
§ Patch Management.
• Security Postures
o Security Through Obscurity: The reliance on secrecy as the main method of providing security to a system or
component, whether by design or implementation.
o Defense in Depth/ Layered Defense: A security concept realized by placing multiple, varying layers of
security controls throughout an IT system to provide several consecutive controls to protect an asset.
§ Example of a Defense in Depth Security Posture
• Data Controls: Protecting data with technology such as encryption, data leak prevention,
and Identity and Access Management (IAM).
• Application Controls: Protecting applications with technologies such as data leak protection,
application firewalls, and database monitors.
• Host Controls: Placed at the endpoint level, such as antivirus, endpoint firewall,
configuration, and patch management.
• Internal Network Controls: Protecting against uncontrolled data flow and user access with
technologies such as Intrusion Detection Systems (IDSs), Intrusion Prevention Systems (IPSs),
internal firewalls, and Network Access Control (NAC).
• Perimeter Controls: Protecting against unauthorized access with the use of technology, such
as gateway firewalls, honeypots, malware analysis, and Demilitarized Zones (DMZs).
• Physical Controls: Provides a physical barrier, such as locks, walls, or access control.
• Policies, Procedures, and Awareness: Initiating administrative controls that reduce insider
threats (intentional and unintentional) and identify risks as soon as they appear.
o De-Perimeterization: Shifts focus from defending network boundaries to protecting individual resources.
Essential due to cloud computing, remote work, mobile devices, outsourcing, and wireless networks.
o Implicit Deny: A security strategy that automatically denies unauthorized or unknown communication. It can
be used in firewalls, where the default answer to whether the communication is allowed is "no" or "deny".
o Zero Trust Architecture (ZTA): No one is trusted, by default, from inside or outside the network. Verification
is required from everyone trying to gain access to resources on the network. This added layer of security has
been shown to prevent data breaches. Zero Trust can be achieved through micro-segmentation, firewalls,
Multi-Factor Authentication (MFA), Identity and Access Management (IAM), and data analytics.
§ Key components of Zero trust architecture: Network and endpoint security, Identity and Access
Management (IAM), policy-based enforcement, cloud security, network visibility, network
segmentation, data protection, and threat detection and prevention.
§ Zero Trust Security Concepts: Adaptive identity, threat scope reduction, policy-driven access
control, and device posture assessments.
o Microsegmentation: Part of a zero-trust strategy that breaks LANs into small, highly localized zones, using
firewalls at every connection point.

Governance, Risk and Compliance (GRC)


• Security Governance
o The process of how an organization is managed. Includes all aspects of how decisions are made for that
organization, such as policies, rules, and procedures the organization uses to make those decisions.
• Regulatory Compliance Documentation
o Procedures: Specific and ordered instructions.
o Policy: A statement describing how the organization is to be run.
o Standard: Defines specific methodologies.
o Regulations: Government-issued laws that typically carry financial penalties for non-compliance.
o Framework: A blueprint that documents an overall process.
o Guidelines: A description of best practices.
o Benchmark: A checklist of potential vulnerabilities and configurations to mitigate them.
o Controls: A safeguard used to limit risk.
• Organizational Planning
o Strategic Plan: High-level Management; Business-wide implications.
o Tactical Plan: Mid-level Management; Defined timelines/objectives.
o Operational Plan: Low-Level Management; Day-to-day operations.
• Security C-Suite Roles
o Chief Information Officer (CIO): Oversees IT operations. The role requires technical knowledge but in large
organizations is more strategic than hands-on.
o The Chief Security Officer (CSO): Oversees strategic security needs with a focus on organizational risk
management.
o Chief Information Security Officer (CISO): This role may exist in addition to or instead of the CSO. If both
roles exist, the CISO is more technically-focused on information assets.
o Chief Compliance Officer (CCO) and Chief Privacy Officer (CPO): More specialized roles that ensure
compliance with industry regulations and privacy laws.
• Privacy Laws and Regulations
o Computer Security Act (1987): Directs the National Bureau of Standards to establish computer standards
programs for federal computer systems, including guidelines for the security of such systems. Sets forth
authorities of the Bureau in implementing such standards.
o Sarbanes-Oxley Act (SOX): A federal law designed to protect investors from fraudulent accounting practices.
It regulates the preservation, auditing, and disclosure of financial records. Protected data cannot be deleted
for a set period and neither it nor accounting software can be modified without appropriate documentation.
o Federal Information Security Management Act (FISMA): A law applying to all federal agencies requiring
every agency to develop, document, and implement an information security and protection program.
o Family Educational Rights and Privacy Act (FERPA): A federal privacy law that governs access to educational
records held by any school or educational institution. It describes guidelines for what data must be
protected and how it may be disclosed.
o General Data Protection Regulation (GDPR): A newly enacted European Union privacy law governing all
individual data related to EU residents. It addresses the security, privacy, and export of such data. It is
important to American companies because it specifically applies to any foreign organizations that do
business with or market to EU residents.
o Gramm-Leach-Bliley Act (GLBA): A law designed to protect the customers of financial institutions. It
requires that such institutions meet minimum standards to safeguard the personal information of their
clients and customers. It requires them to inform customers about how data will be stored, used, or shared.
o Health Insurance Portability and Accountability Act (HIPAA): Protects the privacy of patient records,
defines protected health information (PHI), and regulates how it can be used or disclosed. It also defines
security standards for the storage and access of PHI.
o California Consumer Privacy Act (CCPA): A state statute intended to enhance privacy rights and consumer
protection for residents of the state of California.
o Payment Card Industry Data Security Standard (PCI DSS): A set of shared rules developed by the world's
major credit card companies. Compliance is part of a contract that an organization must sign before
processing payment cards. The standard itself regulates how payment information must be stored,
processed, and transmitted. It also requires standardized vulnerability scanning and penetration testing.
• Data Ownership
o Data Sovereignty: Determines ownership of the data, and which laws apply to the governance of such data,
based on geographic region.
o Data Governance: Everything that is done to ensure data is secure, private, accurate, available, and usable. It
includes the actions people must take, the processes they must follow, and the technology that supports
them throughout the data life cycle.
• Access Control
o The process by which permissions are granted for given resources. Access control can be physical or logical.
The access control model chosen is determined based on the needs of the organization. To determine the
best model, a risk assessment should be performed to determine what threats might be applicable.
§ Access Control Types
• Discretionary Access Control (DAC): The file owner controls permissions. Not easily scalable
and can be difficult to locate the source when a problem occurs. Widely implemented but
the weakest model. Vulnerable to insider threats and compromised accounts.
• Attribute-Based Access Control (ABAC): A collection of attributes defines which rights to
grant. A flexible system that could be used to implement other models within it. Fine-
grained access control decisions based on a combination of subject, object, and context
attributes. Allows policies like M-of-N control and separation of duties.
• Rule-Based Access Control (RBAC): A set of rules implemented by an administrator.
• Role-Based Access Control (RBAC): Organizational roles are pre-defined, and subjects are
allocated to those roles. Roles are associated with job function. Subjects gain rights
implicitly. Non-discretionary in that the system owner reserves the right to modify roles.
Monitoring and temporary permission increases can help avoid permission/privilege creep.
• Mandatory Access Control (MAC): Mandatory for security administrators to assign access
rights or permissions. Very restrictive and used in government systems. Based on security
clearance levels. Each object and subject are granted clearance level or labels. Subjects are
permitted to access objects at or below their clearance level only.
• Conditional Access: Setting context-aware conditions like location or employee status for
access to cloud resources. Monitors account or device behavior. Suspends account or
requires reauthentication based on conditions. Example: User Account Control (UAC).
§ Explicit/Implicit Allow and Explicit/Implicit Deny
• Explicit Allow: Rules specifically added to the Whitelist.
• Implicit Allow: Rules don’t specifically deny traffic.
• Explicit Deny: Rules specifically added to the Blacklist.
• Implicit Deny: Rules don’t specifically allow traffic.
§ Privileged Access Management
• Managing superuser, admin, and root users. Privileged accounts are stored in digital vaults.
Privileges are granted by request, only for a short time, and are easily logged and audited.
Requires stringent authentication, mandatory logging, and frequent log reviews/audits.
§ Just-In-Time (JIT) Permissions
• Elevates privileges only when needed, for a limited duration. Implemented through
temporary elevation, password vaulting, or ephemeral credentials. Ensures Zero Standing
Privileges (ZSP), a security principle that aims to eliminate persistent, always-on access
rights for accounts and identities.
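The access control entries above, as an added example that is not part of the original study guide: a small attribute-based evaluator in which the MAC clearance check, an RBAC role, and a JIT grant are all expressed as rules. The rule names, attribute keys, timestamps, and the precedence of explicit deny over explicit allow are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable

# Ordered sensitivity labels for the MAC rule (constructed for this example).
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class Request:
    subject: dict   # subject attributes: roles, clearance, jit_grants
    obj: dict       # object attributes: type, label
    action: str
    context: dict   # context attributes: "now" as a Unix timestamp


@dataclass
class Rule:
    name: str
    effect: str                          # "allow" or "deny"
    matches: Callable[[Request], bool]   # predicate over the attributes


def above_clearance(req):
    """MAC: true when the object's label is above the subject's clearance."""
    return LEVELS[req.obj["label"]] > LEVELS[req.subject["clearance"]]


def has_role(req, role):
    """RBAC: rights come implicitly from membership in a predefined role."""
    return role in req.subject.get("roles", ())


def jit_active(req, privilege):
    """JIT: an elevated privilege exists only until its grant expires."""
    expiry = req.subject.get("jit_grants", {}).get(privilege)
    return expiry is not None and req.context["now"] < expiry


RULES = [
    Rule("mac-label-above-clearance", "deny", above_clearance),
    Rule("analyst-reads-reports", "allow",
         lambda r: has_role(r, "analyst") and r.action == "read"
         and r.obj["type"] == "report"),
    Rule("jit-db-admin-restart", "allow",
         lambda r: jit_active(r, "db-admin") and r.action == "restart"
         and r.obj["type"] == "database"),
]


def evaluate(req, rules=RULES, default="deny"):
    """Return (decision, reason). Assumed precedence: explicit deny first,
    then explicit allow, then the default posture (implicit deny or allow)."""
    matched = [rule for rule in rules if rule.matches(req)]
    for effect in ("deny", "allow"):
        for rule in matched:
            if rule.effect == effect:
                return effect, f"explicit {effect}: {rule.name}"
    return default, f"implicit {default}: no rule matched"


def demo():
    """Evaluate five constructed requests and return their decisions."""
    analyst = {"roles": ["analyst"], "clearance": "confidential"}
    operator = {"roles": ["operator"], "clearance": "secret",
                "jit_grants": {"db-admin": 1_700_003_600}}  # constructed expiry
    report = {"type": "report", "label": "confidential"}
    secret_report = {"type": "report", "label": "secret"}
    database = {"type": "database", "label": "secret"}
    during = {"now": 1_700_000_000}
    after = {"now": 1_700_003_600}
    cases = [
        Request(analyst, report, "read", during),          # role allows it
        Request(analyst, secret_report, "read", during),   # label too high
        Request(analyst, report, "delete", during),        # nothing matches
        Request(operator, database, "restart", during),    # JIT grant live
        Request(operator, database, "restart", after),     # JIT grant expired
    ]
    return [evaluate(case) for case in cases]


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, "-", reason)
```

Once the JIT grant expires, the operator has no standing rule left to match, so the request falls through to implicit deny without anyone having to revoke anything.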
• Data Handling
o Data Classification
§ Public/Unclassified.
§ Private/Classified.
§ Restricted.
§ Internal Use Only.
§ Sensitive.
§ Confidential.
§ Secret.
§ Critical.
§ Top Secret.
o Data Labels
§ Proprietary: Information for which the rights of ownership are restricted so that the ability to freely
distribute the data is limited.
§ Personally Identifiable Information (PII): Any information about an individual that can be used to
distinguish an individual's identity, such as name, Social Security Number, date of birth, place of
birth, mother’s maiden name, or biometric records. Also includes medical, educational, financial,
and employment information.
§ Protected Health Information (PHI): Information about health status, the provision of healthcare, or
payment of healthcare, as defined in the Health Insurance Portability and Accountability Act (HIPAA).
o Data Responsibilities
§ Data Owner: The entity that creates the data and is legally responsible and accountable for it.
Ultimate responsibility for information, asset confidentiality, integrity, and availability. Usually, a
higher-level executive who makes business decisions regarding the data.
§ Data Controller: Same as the Data Owner when a true Data Owner does not exist. This person or
organization determines the why and the how for processing personal data. Under the GDPR, this
entity is most responsible for the protection of privacy and website user rights.
§ Data Processor: Any third-party entity that works under or processes data on behalf of the Data
Owner or Controller. The Data Processor manages the operational use of the data, but not the rights
and permissions to the information.
§ Data Custodian: Any entity that handles the data daily or uses the data for business purposes.
Manages storage system and access controls. Manages access rights and sets security controls.
§ Data Steward: Responsible for metadata, data classification and quality, and the application of rules.
Manages access rights to the data. Data Stewards are often IT team members. This data governance
role could sponsor data quality and data entry initiatives that ensure business and regulatory
requirements are met. The Steward is also responsible for ensuring the quality and fitness for
purpose of the organization’s data assets, including the metadata for those assets.
§ Data Protection Officer (DPO)/ Privacy Officer (PO): A privacy role sanctioned under the GDPR. It
ensures the organization processes the personal data of its staff, customers, and providers in
compliance with applicable data protection rules. Oversees the management of Personally
Identifiable Information (PII). Sets privacy policies, processes and procedures.
o Data/Information Life Cycle
§ Creation and Acquisition
§ Distribution
§ Use and Storage
§ Maintenance
§ Retention and Archival
§ Disposition, Destroying, and Wiping
o Data Retention Policies
§ Data Minimization: Collect as little as possible.
§ Purpose Limitation: Use data for only expressed purposes.
§ Data Retention: Protect the confidentiality, integrity, and availability of data in use and at rest.
§ Regulations: Rules that govern how and how long data must be stored, protected, and destroyed.
• Privacy Threshold Analysis (PTA)
o Determines if Personally Identifiable Information (PII) is involved. Analyzes the probability of each threat
and the extent to which it will damage the asset if the threat is realized.
• Privacy Impact Assessment (PIA)
o An analysis of how Personally Identifiable Information (PII) is handled, to ensure compliance with
appropriate regulations, determine the privacy risks associated with information, and evaluate ways to
reduce the risks.
• Other Compliance Concepts
o Due Diligence: Promise of continued research.
o Due Care: Promise of continued action.
o Secure by Design: Created with security in mind, by developers.
o Secure by Default: Finished software that has secure default configurations.
o Secure by Deployment: Easy and secure installation.
• Interoperability Agreements/ Business Documents
o Memorandum of Understanding (MOU): Also called a Memorandum of Agreement (MOA), a Joint
Operating Agreement (JOA), or a Letter of Intent (LOI). A nonbinding agreement that states each party's
intentions to conduct a transaction or form a new partnership. It is an informal agreement of mutual goals.
o Service Level Agreement (SLA): A document that outlines a commitment between a service provider and a
client, including details of the service, the standards the provider must adhere to, and the metrics by which
to measure performance.
o Business Partnership Agreement (BPA): Establishes rules for parties going into business together. A legally-
binding document that outlines every detail of business operations, ownership stakes, financials,
responsibilities, and decision-making strategies. Defines relationships between business partners, including
profit-sharing, loss liability, responsibility to each other, dissolution, and intellectual property rights.
o Non-Disclosure Agreement (NDA): Discloses which confidential information may not be shared.
o Non-Compete Agreement (NCA): A contract under which one party agrees not to enter into or start a
similar profession or trade in competition with another entity.
o Interconnection Security Agreement (ISA): A security-focused document that specifies technical
requirements in establishing a secure connection between the two parties.
o Supply Chain Agreements
§ Operation-Level Agreements (OLA): More specific than an SLA.
§ End of Life (EOL): Delineates the end of manufacturing or support for discontinued/legacy products.
§ End of Service Life (EOSL): Delineates when the product will no longer be sold or supported.
§ Request for Quotation (RFQ): Intended to generate bids for services.
§ Request for Proposal (RFP): Same as RFQ but for customized projects or solutions.

Procedural Controls
• Asset Management Policies
o Asset: Anything of value that is owned by an organization. Assets include both tangible items such as
information systems and physical property and intangible assets such as intellectual property.
o Asset Management: The process of identifying, on a continuous, real-time basis, the IT assets that the
organization owns and the potential security risks or gaps that affect them.
§ Asset Management Software: Automatically discovers, tracks, and catalogs various assets, with a
centralized dashboard for management.
o Asset Tracking: The tracking of physical assets, either by scanning barcode labels attached to the assets or
by using GPS or RFID tags, which broadcast their location. Includes procedures for tagging, inventory
management, and procedures for lost or stolen devices. Assets are often tracked using Inventory
Management Databases.
o Package Monitoring: Tracks and assesses the security of third-party software packages, libraries and
dependencies. Ensures that they are up to date and free from known vulnerabilities.
• Configuration Management (CM) Policies
o Configuration Management: The process of maintaining systems, such as computer hardware and software,
in a desired state. A discipline that is used to ensure that the only changes made to a system are those that have
been authorized and validated. One must conduct inventory baselines, updates, and patches. This process
ensures that systems perform in a manner consistent with expectations over time.
§ Configuration Management Database (CMDB): A central repository for infrastructure information.
o Configuration Management Process
§ Identification of assets and configurations.
§ Baseline of last known good state, and desired configurations.
§ Change Control, including formal processes and procedures for implementing change.
§ Verification and approval of changes.
§ Continuous Auditing.
o The Information Technology Infrastructure Library (ITIL) Framework: A set of best practices and processes
for managing IT and digital services. The four elements of configuration management are as follows:
§ Service Assets: Any resource or capability that can contribute to the delivery of a service. This can
include resources like infrastructure, applications, and data, as well as capabilities like people,
organizations, and management.
§ Configuration Items (CIs): Any component that needs to be managed to deliver an IT service. CIs can
be hardware, software, or data, and can range in complexity, size, and type. Some examples of CIs
include routers, servers, applications, virtual machines, single modules, entire systems, minor
hardware components, single software packages, or documentation.
§ Baseline Configurations: Note any static allocation of IP addresses, versus DHCP.
• IP Address Management (IPAM): Used for planning and managing the assignment and use
of IP addresses in a network.
§ Configuration Management Systems (CMS): A set of tools and databases that are used to manage
the configuration data of a customer's IT infrastructure and services. The CMS contains data about
users, suppliers, locations, business units, and customers.
• CM Diagrams: Includes any relevant workflows, physical and logical network diagrams, and
network rack layouts. Should include standard naming conventions that are easily
understood by everyone, and a clear IP address schema.
• Change Management/ Change Control
o Change Management: The systematic process of managing and controlling changes related to information
security within an organization. The operational steps needed to ensure that changes are necessary, well-
documented, and cause minimal disruption.
§ Request for Change (RFC): A change request, sometimes called a change control request, is a
document containing a call for an adjustment of a system.
§ Approval: Approvers are authorized to stop a request and determine whether the RFC will be
accepted or rejected.
§ Regression/ Rollback: Follow up on the change by updating documentation and monitoring for
negative effects. In case something breaks during the change/update, have a rollback plan ready.
o Change Control: The process that management uses to identify, document, and authorize changes to an IT
environment. It minimizes the likelihood of disruptions, unauthorized alterations, and errors.
§ Change Control Process
• Identify and document the reason why a change is necessary.
• Research and document the required steps, the potential impacts, and who will be affected.
• Go through the organization’s approval process for a specific change.
• Prepare for the change; Gather resources and notify users of when it will be performed.
• Implement and test the change, but have a rollback plan ready.
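One way to automate the baseline, verification, and continuous auditing steps described above, as an added example that is not part of the original study guide: observed settings are compared with the last known good baseline, and each difference is checked against approved RFCs. The asset names, settings, and RFC identifiers are constructed sample data.

```python
import hashlib
import json

ABSENT = "<absent>"  # marker for a setting present on only one side

# Constructed sample data: baselines (last known good state), a current
# scan of the environment, and change requests with their approval status.
BASELINES = {
    "fw-edge-01": {"default_policy": "deny", "ssh_enabled": True, "firmware": "4.2.1"},
    "sw-core-01": {"vlan_trunking": "static", "snmp_version": 3},
    "prn-floor2": {"firmware": "1.0.9", "telnet_enabled": False},
}
OBSERVED = {
    "fw-edge-01": {"ssh_enabled": False, "firmware": "4.2.1", "default_policy": "allow"},
    "sw-core-01": {"snmp_version": 3, "vlan_trunking": "static"},
    "ap-lobby-09": {"firmware": "2.0.0"},
}
RFCS = [
    {"id": "RFC-EXAMPLE-1", "ci": "fw-edge-01", "setting": "ssh_enabled",
     "new_value": False, "status": "approved"},
    {"id": "RFC-EXAMPLE-2", "ci": "fw-edge-01", "setting": "default_policy",
     "new_value": "allow", "status": "rejected"},
]


def fingerprint(config):
    """SHA-256 over canonical JSON, so key order does not change the hash."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def changed_settings(baseline, current):
    """Map each differing setting to (baseline_value, current_value)."""
    changes = {}
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key, ABSENT), current.get(key, ABSENT)
        if old != new:
            changes[key] = (old, new)
    return changes


def approved_values(rfcs):
    """Index approved RFCs as {(ci, setting): (new_value, rfc_id)}."""
    return {(r["ci"], r["setting"]): (r["new_value"], r["id"])
            for r in rfcs if r["status"] == "approved"}


def audit(baselines, observed, rfcs):
    """Compare every configuration item with its baseline and classify it."""
    approved = approved_values(rfcs)
    findings = []
    for ci in sorted(set(baselines) | set(observed)):
        if ci not in baselines:
            findings.append({"ci": ci, "status": "unidentified-asset"})
            continue
        if ci not in observed:
            findings.append({"ci": ci, "status": "missing-asset"})
            continue
        if fingerprint(baselines[ci]) == fingerprint(observed[ci]):
            continue  # still in the last known good state
        authorized, unauthorized = {}, {}
        changes = changed_settings(baselines[ci], observed[ci])
        for setting, (old, new) in changes.items():
            value, rfc_id = approved.get((ci, setting), (ABSENT, None))
            if rfc_id is not None and value == new:
                authorized[setting] = rfc_id      # change traced to an RFC
            else:
                unauthorized[setting] = (old, new)
        status = "unauthorized-drift" if unauthorized else "rebaseline-needed"
        findings.append({"ci": ci, "status": status,
                         "authorized": authorized, "unauthorized": unauthorized})
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINES, OBSERVED, RFCS):
        print(finding)
```

A finding of rebaseline-needed means every difference traces to an approved RFC, so the baseline itself should be updated; unauthorized-drift is the case that calls for the rollback plan.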

Standards and Frameworks Organizations


• Frameworks Organizations
o National Institute of Standards and Technology (NIST): Addresses the measurement infrastructure for
technology efforts within the US government. NIST sets standards in several areas, including IT security.
o International Organization of Standards (ISO): Develops voluntary international standards in the field of
information and communication technologies.
o Institute of Electrical and Electronics Engineers (IEEE): Sets standards for telecommunications, computer
engineering, and similar disciplines.
o The Center for Internet Security (CIS): A nonprofit entity whose mission is to identify, develop, validate,
promote, and sustain best practice solutions for cyber-defense. It draws on the expertise of cybersecurity
and IT professionals from government, business, and academia from around the world.
o ISACA: An international professional association focused on IT governance. It is known as the Information
Systems Audit and Control Association, although they now go by acronym only. ISACA currently offers 8
certification programs, as well as other micro-certificates.
o The Open Worldwide Application Security Project (OWASP): An online community that produces freely
available articles, methodologies, documentation, tools, and technologies in the fields of IoT, system
software, and web application security.
o The Cloud Security Alliance (CSA): The world's leading organization dedicated to defining and raising
awareness of best practices to help ensure a secure cloud computing environment.
o The Internet Assigned Numbers Authority (IANA): A standards organization that oversees global IP address
allocation, autonomous system number allocation, root zone management in the Domain Name System
(DNS), media types, and other Internet Protocol–related symbols and numbers.
o The International Electrotechnical Commission (IEC): An international standards organization that creates
standards for all electrical, electronic, and related technologies, collectively known as electrotechnology.
o Internet Engineering Task Force (IETF): An Internet standards organization, made up of network designers,
operators, vendors, and researchers, that defines protocol standards through a process of collaboration and
consensus, under the management of the Internet Society, consisting of volunteer contributors.
o World Wide Web Consortium (W3C): A standards organization founded to develop and maintain
interoperable standards for the World Wide Web used by web browsers, servers, and other technologies.

Information Security Frameworks


• NIST RMF: National Institute of Standards and Technology- Risk Management Framework
o A United States federal government guideline, standard, and process for risk management to help secure
information systems. Mandated for government agencies.
§ Step 1- Categorize: Define the environment.
§ Step 2- Select: Choose appropriate controls.
§ Step 3- Implement: Define proper implementation.
§ Step 4- Assess: Determine if controls are working.
§ Step 5- Authorize: Decide to authorize a system.
§ Step 6- Monitor: Check for ongoing compliance.
• NIST CSF: National Institute of Standards and Technology- Cybersecurity Framework
o A set of cybersecurity best practices and recommendations that make it easier to understand cyber risks and
improve defenses. Designed for voluntary commercial implementation.
§ Framework Core: Identify, Protect, Detect, Respond and Recover
• NIST Special Publication 800-53-Security and Privacy Controls for Information Systems and Organizations
o A set of recommended security and privacy controls to help organizations to meet Federal Information
Security Management Act (FISMA) requirements. Compliance requirements are extensive, with over 1,000
security controls across 18 families. Often requires formal audit and continuous monitoring.
• NIST Special Publication 800-171-Protecting Controlled Unclassified Information in Nonfederal Systems
o Sets standards for safeguarding sensitive information on federal contractors' IT systems, to ensure the
security of the federal supply chain. Compliance is required by any organization that processes or stores
sensitive, unclassified information on behalf of the US government. Compliance is typically self-assessed and
requires organizations to implement 110 security controls across 14 families.
• NIST National Vulnerability Database (NVD)
o A U.S. government repository of standards-based vulnerability management data represented using the
Security Content Automation Protocol. This data enables automation of vulnerability management, security
measurement, and compliance. Fully synchronized with the MITRE CVE List.
• MITRE Common Vulnerabilities and Exposures (CVE)
o A list of publicly disclosed vulnerabilities and exposures, along with The Common Vulnerability Scoring
System (CVSS Scores), provides a numerical representation of the severity of an information security
vulnerability. Generates a score from 0 to 10 based on vulnerability characteristics.
§ Score Bands: 0.1+ (Low), 4.0+ (Medium), 7.0+ (High), 9.0+ (Critical).

• ISO/IEC: International Organization for Standardization/ International Electrotechnical Commission


o ISO/IEC 27001: The foundational standard for an Information Security Management System (ISMS).
o ISO/IEC 27002: Code of Practice for Information Security Controls.
o ISO/IEC 27701: Privacy Information Management Systems (PIMS). Extends the ISO 27001 and ISO 27002
standards to include detailed management of Personally Identifiable Information (PII) and data privacy.
o ISO 27005: Critical Domains of Information Security.
• ISO 31000- International Standards for Risk Management Practices
o An international risk management standard which focuses on IT management at the organizational level. It is
comprehensive in terms of the risks it covers, and it generates a total risk metric ranging from 0-9.
• CIS CSC: Center for Internet Security- Critical Security Controls for Effective Cyber Defense
o Written by IT professionals for IT professionals. 20 Key Actions or The Critical Security Controls.
§ Foundational CIS Controls
• E-mail and Web Browser Protections.
• Malware Defenses.
• Limitation and Control of Network Ports, Protocols and Services.
• Data Recovery Capabilities.
• Secure Configuration for Network Devices: Firewalls, Routers and Switches.
• Boundary Defense.
• Data Protection.
• Controlled Access Based on Need to Know.
• Wireless Access Control.
• Account Monitoring and Control.
§ Basic CIS Controls
• Inventory and Control of Hardware Assets.
• Inventory and Control of Software Assets.
• Continuous Vulnerability Management.
• Control the Use of Administrative Privileges.
• Secure Configuration of Mobile Devices, Laptops, Workstations, and Servers.
• Maintenance Monitoring and Analysis of Audit Logs.
§ Organizational CIS controls
• Implement a Security Awareness and Training Program.
• Application Software Security.
• Incident Response and Management.
• Penetration Tests and Red Team Exercises.
• ISACA COBIT: Control Objectives for Information and Related Technology
o This framework helps organizations optimize their IT management and governance processes by meeting
contractual agreements and complying with regulatory and legal requirements. It provides tools that
establish and prioritize clear and actionable IT goals.
§ Core Principles
• Meeting Stakeholder Needs.
• Covering the Enterprise End-to-End.
• Applying a Single, Integrated Framework.
• Enabling a Holistic Approach.
• Separating Governance from Management.
• SSAE SOC2: The American Institute of Certified Public Accountants (AICPA), Statement on Standards for
Attestation Engagement Number 18 (SSAE 18)
o SOC 2- Trust Services Criteria: A compliance framework meant to ensure that third-party service providers
store and process client data securely. Examples of SOC-2 controls are firewalls, Intrusion Detection Systems
(IDSs), and Multi-Factor Authentication (MFA). Compliance requires regular audits.
§ Type 1 Audit: Tests controls in place at a particular point in time.
§ Type 2 Audit: Tests controls over a period of at least six consecutive months.
• The Information Technology Infrastructure Library (ITIL) Framework
o A set of best practices and processes for managing IT services. The four elements of configuration
management according to this framework are: Service Assets, Configuration Items, Baseline Configurations,
and Configuration Management Systems (CMS).
• HITRUST CSF: The HITRUST Common Security Framework
o A certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach
to regulatory compliance and risk management. A set of prescriptive controls that cover several industry
standards, including ISO 27001.
• CSA CCM: Cloud Security Alliance-Cloud Controls Matrix (CCM)
o Cloud-specific security controls. It is composed of 197 control objectives that are structured in 17 domains,
covering all key aspects of cloud technology and are mapped to standards, best practices, and regulations.
• OWASP Top 10
o A standard awareness document for developers and web application security. It represents a broad
consensus about the most critical security risks to web applications. Globally recognized by developers as the
first step towards more secure coding.
• Microsoft’s DREAD
o A software rating system designed by Microsoft, to evaluate risk and threat. It uses a mnemonic: Damage
potential, Reproducibility, Exploitability, Affected users, and Discoverability. Each factor is given a value
between 1-3. A total threat value falls between 5-15, with higher values being more serious.
• RFC 3227-Guidelines for Evidence Collection and Archiving
o A set of best practices for the acquisition, analysis and reporting of digital forensics.

Cyber Threat Frameworks


• Diamond Model of Intrusion Analysis
o A model to describe cyber-attacks. Applies the scientific principles of measurement, testability, and
repeatability to intrusion analysis. It contains four parts: Adversary, Infrastructure, Capability, and Target.
These components also have various links or relationships, such as adversary-victim,
adversary-infrastructure, and victim-capability. Integrates well with other frameworks.
• MITRE ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge
o A guideline for classifying and describing cyberattacks and intrusions. A valuable tool to use in conjunction
with threat modeling to identify potential attack vectors and tactics used by threat actors.
• Cyber Kill Chain- EC Council
o A series of steps that trace stages of a cyberattack from early reconnaissance to data exfiltration. Helps us
understand and combat ransomware, security breaches, and Advanced Persistent Threats (APTs).
§ Reconnaissance: The act of researching potential targets before carrying out any penetration testing.
This may include identifying potential targets, finding vulnerabilities, discovering which third parties
are connected to them, what data they can access, and finding new and existing entry points.
§ Weaponization: Preparatory work culminates in the creation of malware to be used against an
identified target. This can include creating new types of malware or modifying existing tools.
§ Delivery: Tools are used to infiltrate a target’s network and reach users. May involve
sending phishing E-mails containing malware attachments with subject lines that prompt users to
click through or infiltrating a network by exploiting a hardware or software vulnerability.
§ Exploitation: Taking advantage of the vulnerabilities discovered in previous stages to further
infiltrate a target’s network. Cybercriminals often move laterally within a network to reach targets.
§ Installation: Installing malware and other cyberweapons onto the target network to take control of
its systems and exfiltrate valuable data. Cybercriminals may install cyberweapons and malware using
Trojan horses, backdoors, or Command-Line Interfaces (CLIs).
§ Command and Control (C2): Communicating with the malware they’ve installed onto a target’s
network to instruct cyberweapons or tools to carry out their objectives.
§ Actions and Objectives: Accomplishing the purpose of a cyber-attack. Examples include weaponizing
a botnet to interrupt services with a Distributed Denial of Service (DDoS) attack, distributing malware
to steal sensitive data from a target organization, or using ransomware as a cyber extortion tool.

Security Terminology
• Terminology
o Threat: Any event with the potential to adversely impact organizational operations (including mission,
functions, image, or reputation), organizational assets, individuals, other organizations, or the nation, via
unauthorized access, destruction, disclosure, modification of information, and/or Denial of Service (DoS).
o Risk: The potential or likelihood of exposing business information and communications systems to
dangerous actors, elements, or circumstances capable of causing loss or damage.
o Vulnerability: A weakness in an information system, system security procedure, internal controls, or
implementation, that could be exploited or triggered by a threat source.
o Likelihood/ Probability: The chances that a potential vulnerability may be exercised within the construct of
an associated threat environment. A weighted factor that is based on a subjective analysis of the probability
that a given threat is capable of exploiting a given vulnerability.
o Impact Planning: Determining the magnitude of harm that can be expected from the consequences of
unauthorized disclosure, modification, destruction or loss of information or availability.

Cyber Threats
• Threat Sources
o Adversarial: An individual or a group that intends to perform malicious actions against cyber resources.
o Accidental: A non-malicious insider or supply chain vendor, unknowingly threatening security.
o Structure Failure: Hardware or software failure, without fault tolerance.
o Environmental: Natural disasters, earthquakes, or overheating of a server room.
o Black Hat: Criminals who break into computer networks with malicious intent.
o Grey Hat: A security expert who may violate laws or ethical standards but does not have malicious intent.
o White Hat: Ethical Hackers or Pen-Testers aiming to identify vulnerabilities in an IT system.
o Shadow IT: The use of IT-related hardware or software by a department or individual without the
knowledge of the organization.
• Threat Vectors
o A specific path or method that can be exploited to break into a system and compromise its security.
§ Direct Physical Access.
§ Human Vectors: Social Engineering and Insider Threats.
§ Wired and Wireless Access.
§ E-mail or Personal Communication.
§ Message-Based Vectors: Social Media, IM, or SMS.
§ Supply Chains.
§ Removable Media on Mobile Devices.
§ Lure-Based Vectors: Executable Documents and Image Files.
§ Cloud Services.
§ Artificial Intelligence or Machine Learning.
• Threat Awareness
o Knowledge and understanding of which attack surfaces or vulnerabilities are more likely to be targeted, and
how to mitigate those vulnerabilities. It includes research on how the current threat landscape is changing.
§ Current Known Threats.
§ Current Vulnerabilities Discovered through Vulnerability Scans and Pen-Testing.
§ Trending Attacks.
§ Emerging Threat Sources.
§ Zero-Day Vulnerabilities and Attacks.
• Threat Intelligence Research
o Knowledge, skills, and experience-based information concerning the occurrence and assessment of both
cyber/physical threats and threat actors, that is intended to help mitigate potential attacks and harmful
events. Threat intelligence must be current, timely, and consistent.
§ Threat Intelligence Types
• Strategic: Non-technical, high-level, and used to make big-picture decisions.
• Operational: Known adversaries and their actions. Changes more frequently.
• Tactical: Immediate and specific threats/actions, generated by logs. Highly technical.
• Counterintelligence: Active security strategy to use intelligence offensively to lure attackers.
Gathering threat information on foreign threat intelligence actors.
§ Threat Intelligence Sources
• Open-Source Intelligence (OSINT): Publicly available sources, such as discussion groups,
social media, public hearings, government websites, financial reports, maps, or databases.
• Closed-Source or Proprietary Intelligence: Threat intelligence services that provide (for a
fee), threat analytics and correlation across different data sources.
• MITRE CVE list and NIST National Vulnerability Database (NVD): A community-managed list
of vulnerabilities found by security researchers.
• Automated Indicator Sharing (AIS): A free service from the Department of Homeland
Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) that allows
organizations to share and receive cyber threat indicators (CTIs) and defensive measures
(DMs) in real-time.
• Collective Defense: A collaborative strategy that involves organizations working together to
defend against cyber threats. This strategy recognizes that no single entity can withstand
sophisticated cyber threats alone, and instead emphasizes sharing resources, expertise, and
threat intelligence.
• Dark Web Intelligence: Data from the dark web that can help organizations identify and
mitigate cyber threats. Data sources include dark web forums, illegal marketplaces, and
private messaging platforms.
• Indicators of Compromise (IoC): A system event that indicates an intrusion with a high level
of confidence.
• Predictive Analysis: Analyzing large amounts of data very quickly to identify suspicious
patterns, often combined with Machine Learning.
• Threat Maps: A worldwide perspective of real attack data that identifies attacks and trends.
• File Code Repositories: Public code repositories that showcase what hackers are building,
such as those found on GitHub, for example.
§ Threat Research Sources
• Vendor Websites: Vendors and manufacturers know their products better than anyone.
They react when surprises happen and are often involved in the disclosure process.
• Vulnerability Feeds: Automated vulnerability notifications from third-party feeds.
• Conferences: Security researchers often use conferences to convey new methods of
protecting data, intelligence gathering, and/or hacking the latest technology. These
presentations are often based on experience fighting and recovering from attacks.
• Local Industry Groups: A gathering of local peers with shared industry, technology, and
geographical presence.
• Academic Journals: Research from academic professionals on cutting-edge security analysis.
Includes an evaluation of existing security technologies and the latest attack methods.
• Social Media: Monitoring hacking group conversations, or groups where professionals
discuss vulnerability analysis. Keyword monitoring (zero-day, for example) is also helpful.
• Threat Feeds: Monitoring threat announcements from sources such as the U.S. Department
of Homeland Security (DHS), VirusTotal Intelligence, AT&T Security, Malware Information
Sharing Project (MISP), Spamhaus, or the U.S. Federal Bureau of Investigation (FBI).
• Request for Comments (RFCs): A formal document that contains information about Internet
and computer networking topics, published by the Internet Society (ISOC) and often written
by The Internet Engineering Task Force (IETF).
• Tactics, Techniques, and Procedures (TTPs): Proactively looking for threats and information
about what adversaries are doing and how they are doing it.
§ Threat Intelligence Cycle
• Define Intelligence Requirements.
• Collect and Process Information.
• Analyze and Turn Processed Information into Actionable Intelligence.
• Disseminate Information to Decision-Makers.
• Generate Feedback.
• Strategic Intelligence
o Provides a high-level view of the attack trends, techniques, and methods used by attackers, including their
motivations and attributions, and helps answer a specific set of questions: Who are the adversaries? What
do they want? What threat groups are active in the same sector or region?
• Threat Hunting
o The practice of proactively searching for cyber threats that are lurking undetected in a network. Digs deep to
find malicious actors in the environment that have slipped past initial endpoint security defenses.
§ Threat Hunting Process
• Determine the purpose of the hunt, such as identifying attackers or finding weaknesses in
Incident Response (IR) processes. Determine which systems and threats to include.
• Collect raw data from internal logging and external threat intelligence.
• Analyze raw data to establish a hypothesis about potential threats. May be based on threat
intelligence, data analytics, or awareness of the network. It must ask testable questions.
• Build a plan to test the hypothesis, then obtain approval through a standard procedure.
• Execute the approved plan by analyzing data. Revisit the hypothesis based on the findings.
• Compile the results into a report which details discovered threats and vulnerabilities, along
with recommended solutions.
• Act based on the results of the report. Implement Incident Response (IR) or Vulnerability
Management (VM).
• Perform a retrospective analysis of the hunt to provide feedback for future hunts.
§ Advisory Analysis: A notification that includes analytical insights into new trends or developments
that may threaten an organization's information systems. These insights can include information
about an adversary's intentions, technologies, tactics, or trends.
§ Defensive Maneuvering: The active, real-time defense of a network in response to an attack,
whether it be automated or supervised by a computer security specialist.
§ Data Fusion: The process of combining data from multiple sources to create more accurate,
consistent, and useful information than any individual data source could provide.
• Collect the Data: Use logs, sensors, Internet events, and network/ intrusion detection data.
• Add External Sources: Threat feeds, governmental alerts, advisories, and social media.
• Correlate with Big Data Analytics: Focus on predictive analytics and User and Entity
Behavior Analytics (UEBA). Use mathematical analysis of unstructured data.
• Communicating Threat Information
o Protocols and Frameworks
§ Structured Threat Information eXpression (STIX): A language designed by MITRE for standard
expression of threat information, such as observed or recorded events, associated threat actors,
adversary techniques, and defensive actions.
§ Trusted Automated eXchange of Indicator Information (TAXII): An Application Layer protocol
designed for exchanging STIX-based information over HTTPS. It allows secure relationships for
organizations to distribute threat information from a central clearinghouse, subscribe to a central
source, or exchange information with peers.
§ OpenIoC: Allows the expression of Indicators of Compromise (IoC) in a standard, machine-readable
format containing a wide variety of criteria, such as files, URLs, processes, and network connections.
It is a popular tool for creating or editing indicators. Once done, they can be converted to a STIX
format and shared using TAXII.
§ Cyber Observable eXpression (CyBOX): A framework developed by MITRE, which is similar in
purpose to OpenIoC. It describes a broader range of observable events by default but was designed
with extensions to allow OpenIoC entries.
• Collective Defense
o The ability for organizations, comprising a sector, supply chain, or country, to share threat intelligence
securely and in real-time, providing all members an early warning system about potential incoming attacks.
• Threat Assessments
o The practice of determining the credibility and seriousness of a potential threat, as well as the probability
that the threat will become a reality.
§ Potential Threats to Assess
• Accidents and Disasters.
• Equipment Failure.
• Supply Chain Failure.
• Human Error or Negligence.
• Malicious Outsider.
• Malicious Insiders.
o Useful Frameworks for Threat Assessments
§ MITRE ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge- MITRE: A guideline for
classifying and describing cyberattacks and intrusions. A valuable tool to use in conjunction with
threat modeling to identify potential attack vectors and tactics used by threat actors.
§ MITRE Common Vulnerabilities and Exposures (CVE): A list of publicly disclosed vulnerabilities and
exposures, associated with The Common Vulnerability Scoring System (CVSS Scores), which
provides a numerical (0-10) value of the severity of an information security vulnerability.
§ NIST National Vulnerability Database (NVD): A U.S. government repository of standards-based
vulnerability management data represented using the Security Content Automation Protocol. This
data enables automation of vulnerability management, security measurement, and compliance. Fully
synchronized with the MITRE CVE list.
§ OWASP Top 10: A standard awareness document for developers and web application security. It
represents a broad consensus about the most critical security risks to web applications. Globally
recognized by developers as the first step towards more secure coding.

Cyber Risk
• Risk Awareness
o Forms the foundation of an organization’s defense against cyber threats. It involves educating employees
about potential risks, promoting best practices, and fostering a culture of vigilance so cyber pitfalls and
threats can be avoided.
• Risk Analysis
o The process of identifying risks to system security and determining the probability of occurrence, the
resulting impact, and the additional safeguards that mitigate this impact.
• Risk Models
o Risk Concepts
§ Inherent Risk: The inherent probability that a cybersecurity event may occur due to a lack of
countermeasures.
§ Residual Risk: The risk level that remains after risk mitigation efforts and internal controls have
been implemented.
§ Control Risk: The risk that a control put in place to mitigate risks will also fail.
§ Risk Tolerance: The level of risk that an organization is prepared to take on, to achieve its objectives.
§ Risk Threshold: Defines acceptable risk levels based on various factors.
§ Key Risk Indicators (KRIs): Predictive indicators to monitor and predict potential risks, supporting
proactive risk management.
o Risk Appetite: A strategic assessment of tolerable residual risk levels.
§ Risk Treatment: Determining the best way to address an identified risk.
§ Risk Mitigation: Reducing the impact of potential risks by implementing controls and plans.
§ Risk Deterrence: Placing visible controls to deter potential attacks.
§ Risk Avoidance: Eliminating any hazard that might harm the organization.
§ Risk Acceptance: Acknowledging that the potential loss from a risk is not great enough to warrant
spending money to avoid it.
§ Risk Exceptions/ Exemptions: A formal recognition of risks that cannot be mitigated within the
specified conditions.
§ Risk Transference: Use of insurance or disclaimers, to transfer liability for expected loss.
• Managed Detection and Response (MDR): A vendor monitors firewall and other security
tools to provide expertise in triaging events.
• Managed Service Provider (MSP): Outsource IT infrastructure security.
• Managed Security Service Provider (MSSP): A third-party organization that can help
organizations protect their applications, devices, and systems from cyberthreats. They can
also help reduce the need for an organization to hire, train, and retain security personnel.
• Cyber Risk Assessments
o Assesses the potential implications, risks, and costs of a cyber-attack or data breach on the organization and
its stakeholders.
§ Qualitative Risk Assessment
• The primary focus is to quickly identify risks. These use either numerical ratings (1-5) or
colors (green, yellow, and red) to rank risks based on their likelihood of occurrence,
frequency, and the magnitude of the impact on the business. Less monetary-based, but still
uses standard metrics to analyze likelihood and impact.
o MITRE Common Vulnerability Scoring System (CVSS): Used by many vulnerability
management products. It involves 14 separate metrics, with non-numeric values.
Metrics include: The attack vector, ease of repeatability, privileges required, user
interaction required, scope of impact, and types of impact. The results yield low,
medium, high, or critical-level risks.
o DREAD: A software rating system by Microsoft. Evaluates risk and threat. It uses a
mnemonic: Damage Potential, Reproducibility, Exploitability, Affected Users, and
Discoverability. Each factor is given a value between 1-3. A total threat value falls
between 5-15, with higher values being more serious.
o ISO 31000- International Standards for Risk Management Practices: A risk
management standard which focuses on IT management at the organizational level.
It is comprehensive in terms of the risks it covers, but for qualitative analysis, it
generates a total risk metric ranging from 0-9.
§ Quantitative Risk Assessment
• Involves numerical values, statistical analyses, and measurable data to provide a more
precise and objective measure of cybersecurity risk. Also involves a monetary value assigned
to potential loss/impact.
o Single Loss Expectancy (SLE): Cost of a single loss or damage.
o Annual Rate of Occurrence (ARO): Expected loss per year.
o Annual Loss Expectancy (ALE): SLE x ARO = ALE
§ Site Risk Assessment
• A standard risk assessment that is specific to a single site or facility. Since each business site
has individual risks, business functions, and roles in a disaster, one is needed for each site.
Many site risk assessments begin as a generic assessment but are then filtered to contain
only risks relevant to that site.
§ Risk Control Assessment
• Evaluating the effectiveness of current controls and mitigations.
o Risk Assessment Steps
§ Identify Assets Potentially at Risk.
§ Conduct a Threat Assessment for Each Asset.
§ Analyze the Business Impact of Each Threat.
§ Determine the Likelihood of a Given Threat Doing Damage.
§ Prioritize Risks by Weighing the Likelihood Versus Potential Impact of Each Threat.
§ Create a Risk Mitigation Strategy to Shape Future Security Policies.
o Comprehensive Assessments
§ Determine the Attack Surface.
§ Code Review: Updates, Patches, and Installation.
§ Code Review: After Updates/ Installation.
§ Architecture Review: Hardware and Software Appliances.
§ Configuration Review: Network Connections, Permissions and Passwords.
§ Log Review: System, Network, and Application Logs.
§ Baseline Review: Compare Current Status to Last Known Good Baselines.
§ Risk Assessment Results.
o Results and Reporting
§ Event Evaluation
• True Positive: Correctly identifying a risk event.
• False Positive: Incorrectly reporting a risk event.
• True Negative: Correctly reporting no known risk event.
• False Negative: Incorrectly identifying no known risk event.
§ Risk Heatmap/ Risk Matrix: A graphical representation of cyber risk data, where the individual
values are represented as colors that connote meaning. Risk heat maps are used to present cyber
risk assessment results in an easy-to-understand, visually attractive, and concise format.
§ Risk Register: A document used as a risk management tool to fulfill regulatory compliance. A
repository for all risks identified. Includes additional information about each risk, such as the nature
of the risk, reference and owner, and mitigation measures. It can be displayed as a scatterplot or as
a table. Used for documenting risk assessments and sharing risk information with stakeholders.
o Third-Party Risks
§ System Integration Risk.
§ Lack of Vendor Support.
§ Outsourced Code Development.
§ Supply Chain Risk.
§ Data Storage Risk.
§ Human Error.
• Cybersecurity Gap Analysis
o Also known as a Security Gap Assessment. A process that evaluates an organization's current security
posture and identifies areas for improvement. Organizations can compare their current security posture to
industry-standard security frameworks and create a security baseline. One commonly used framework is the
ISO/IEC – 27002 standard, which provides best practices for Information Security Management (ISM).
§ Steps Involved in a Gap Assessment
• Gathering Information on the Organization's Current Information Security Posture.
• Evaluate the Organization's Cybersecurity Strategy.
• Identify Critical Assets, such as Networks, Systems, and Data.
• Identify Vulnerabilities.
• Assess Overall Cyber Risk and Security Risks.
• Determine if Measures are Adequate.
• Create a Plan for Improvement.
• Make Recommendations on Security Controls, Processes, and Procedures.
• Prioritize and Budget Spending.
• Risk Management
o The process of identifying, evaluating, and controlling threats, including all the phases of risk context, risk
assessment, risk treatment, and risk monitoring. Enterprises frequently use a Risk Management Framework,
or a structured approach to oversee and manage risks.
§ Useful Frameworks for Managing Risk
• NIST RMF-Risk Management Framework: A United States federal government guideline,
standard, and process for risk management to help secure information systems. Mandated
for government agencies.
• OWASP Top 10: A standard awareness document for developers and web application
security. It represents a broad consensus about the most critical security risks to web
applications. Globally recognized by developers as the first step towards more secure coding.
• ISO 31000-International Standards for Risk Management Practices: A risk management
standard which focuses on IT management at the organizational level. It is very
comprehensive in terms of the risks it covers, but for qualitative analysis, it generates a total
risk metric ranging from 0-9.

Impact Planning
• Potential Impacts of Cyber Incidents
o Data Breach.
o Data Loss, Exposure or Exfiltration.
o Protected Information Disclosure.
o Theft of Financial, Physical, and Intellectual Property (IP).
o Availability Loss/ Denial of Service (DoS).
o High Recovery or Downtime Costs.
o Public Reputation Damage.
o Legal Consequences.
o Fines and Reparations.
o Identity Theft.
• Business Impact Analysis (BIA)
o Conducted before intrusion or disruption but referred to during Incident Recovery. An assessment that
identifies critical business functions, how long the business can operate without them, and what threats
exist to each. Predicts the consequences of a disruption to the business, and gathers information needed to
develop recovery strategies. Potential loss scenarios would also be identified during a Risk Assessment. The
comparison of risk and impact is used to conduct a Cost-Benefit Analysis.
§ Creating a BIA
• Identify Mission Essential Functions (MEFs) critical to sustained business operations. A
function is critical if its loss would lead to considerable revenue loss, safety risks, or failures
to comply with regulations and/or contractual obligations.
• Identify systems, resources, and other functions used by each critical function, also known
as Primary Business Functions (PBFs).
• Prioritize critical functions according to Maximum Tolerable Downtime (MTD), or how
quickly they must be restored to prevent severe damage to business operations.
• Consider Key Performance Indicators (KPIs), such as Recovery-Time Objective (RTO),
Recovery Point Objective (RPO), Mean-Time to Repair (MTTR), Mean-Time Between
Failures (MTBF), and Work Recovery Time (WRT) to assess asset reliability/recovery time.
• Identify threats that could compromise each business function.
• Determine mitigation techniques that could be used against each threat.
• Cost-Benefit Analysis
o A systematic approach to estimating whether the benefit of a control outweighs the cost it incurs or the cost
of not implementing it. Used to determine whether it is more cost-effective to replace legacy systems, patch
them, or simply accept the risk associated with using them.
§ Total Cost of Ownership (TCO): The purchase price of an asset plus the costs of operation. Assessing
the TCO requires understanding of the value of a product now and over time.
§ Return on Investment (ROI): A ratio between net income and investment. A high ROI means the
investment's gains compare favorably to its cost. As a performance measure, ROI is used to evaluate
the efficiency of an investment or to compare the efficiencies of several different investments.
§ Recovery-Time Objective (RTO): The maximum amount of time that is considered tolerable for a
service or a certain business function to be unavailable. The duration of time within which a
business process must be restored after a disaster to avoid unacceptable consequences.
§ Recovery Point Objective (RPO): The maximum amount of data that can be lost after a recovery
from a disaster or failure, before data loss will exceed what is acceptable to an organization.
§ Mean-Time to Repair (MTTR): The average time it takes to recover from a product or system failure.
§ Mean-Time Between Failures (MTBF): A measure of the reliability of a system or component,
representing the average time that it will operate before it fails.
§ Mean-Time Between Service Incidents (MTBSI): MTBF + MTTR.

System Vulnerability
• Vulnerability Assessments
o The process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the
software that runs on them. Frequently conduct vulnerability assessments to find vulnerabilities/attack
vectors and to harden the system. The goals of vulnerability assessments may be to find and mitigate the
following: Missing security controls, open ports and services not blocked by a firewall, unsecure network
protocols, weak encryption, unsecure accounts, open permissions, misconfigured security controls,
unsecure data, already-compromised systems, exploitable vulnerabilities, unpatched firmware and
software, or system/ human configuration errors.
§ Vulnerability Types
• Zero-Day: A previously unknown system vulnerability, with the potential of exploitation
without risk of detection or prevention, because it does not fit any recognized patterns,
signatures, or methods.
• Open Permissions: There is a high statistical chance that a hacker will find an open
permission. This is increasingly common with cloud storage.
• Open Ports and Services: Manage open ports and services. Close unnecessary ports.
• Weak Encryption: Some cipher suites are easier to break than others. Stay updated with
current best practices.
• Unsecured Root Account: Protect and correctly configure root and administrator accounts.
• Unsecure Protocols: Some protocols aren't encrypted. Use the encrypted versions.
• Default Settings: Never keep the default settings, usernames, or passwords.
• Improper Patch Management: Keep firmware, operating systems, applications, and
programs updated and patched.
• Legacy platforms: May require additional security protections or firewall rules.
• Errors: These messages can provide useful information to an attacker, such as the service
type, version information, or debug data.
§ Vulnerability Scanning: Both active and passive vulnerability scans identifying security weaknesses
and flaws in systems and software running on them.
• Non-Intrusive/ Intrusive: Non-intrusive scans simply identify a vulnerability and report on it
so it can be fixed. Intrusive scans attempt to exploit a vulnerability when it is found.
• Non-Credentialed/ Non-Authenticated Scans: Do not require credentials and do not get
trusted access to the systems they are scanning. While they provide an outsider's view of an
environment, they tend to miss most vulnerabilities within a target environment.
• Credentialed/ Authenticated Scans: Require administrative access to the systems being
scanned and are performed using the same credentials and privileges as an administrator.
§ Scan Results
• True Positive: A vulnerability exists, and it was correctly identified.
• True Negative: A vulnerability was not identified, and one does not exist.
• False Positive: A vulnerability is identified that doesn't exist.
• False Negative: A vulnerability exists, but it was not correctly identified.
§ Best Practices
• Credentialed scans offer more accurate and detailed results.
• Agent-based scanning of target servers provides inside-out understanding.
• Change the perspective of the scan: External, internal, agent, and inside data center.
• Patch and update scanners regularly to avoid scanner-based vulnerabilities.
• Update the plug-ins daily to keep up with current and new threats.
• Run more intense vulnerability scans in a test environment first to avoid disrupting activity
or damaging certain content on the system.
• Vulnerability Management Process
o A Vulnerability Assessment is typically a one-time, but repeatable event. In contrast, Vulnerability
Management is a continuous, cyclical, ongoing process with several steps. There are several models tailored
to the vulnerability management process. One such model consists of five steps: Identification, Evaluation,
Remediation, Verification, and Reporting.

[Figure: Vulnerability management cycle: Identification, Evaluation, Remediation, Verification, Reporting, then back to Identification]

§ Identification: Identify vulnerabilities by creating an inventory of all IT assets and perform a
thorough vulnerability assessment using industry-standard tools, such as Nessus or OpenVAS.
• The scope should include internal and external facing devices, particularly those between
the network and the Internet.
• The devices should include servers, hosts, laptops, firewalls, switches, routers, virtual
machines, operating systems, and even printers.
• Scan for open ports, installed software, firmware patches, configurations, and IoT devices.
§ Evaluation: Evaluate the discovered risks according to severity rating or CVSS Score.
• Some mitigations will be easier to implement, while some will be more labor or cost-
intensive. Some risks may be impractical to fully remediate. If so, consider a mitigating
control instead.
• It is also important to consider the impact on business continuity, data availability, and
whether any MOUs or SLAs will inhibit remediation.
§ Remediation: Take physical and logical steps to reduce risk and protect valuable data assets.
• Patching, OS updates, and port filtering will mitigate the risks found on many scans.
• In some situations, a decision may be made to change nothing. A certain level of risk
acceptance is sometimes necessary. It can be used to set a baseline for the company’s risk
appetite moving forward. Additionally, some elements are far too critical to ignore,
regardless of the cost to remediate.
§ Verification: This involves additional scans and assessments to ensure that the remediation steps
taken actually resolved the security issues.
§ Reporting: Results and Findings must be disseminated in reports suitable for various readers,
specifically management. The reports must also include recommendations for countermeasures and
a plan for continuous vulnerability management.
• Preventing/ Reducing Vulnerabilities
o While there is no single step to take to protect against all threats, there are some basic steps that can be
taken to help reduce the risk of many types of threats.
§ Keep Systems and Applications Patched and Current: Patch Management ensures that systems and
applications are kept current with relevant patches.
§ Implement Package Monitoring: Track and assess the security of third-party software packages,
libraries and dependencies. Ensures that they are current and free from known vulnerabilities.
§ Remove or Disable Unneeded Services and Protocols: Attackers cannot exploit a vulnerability in a
service or protocol that isn't running on a system.
§ Use Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): These systems
observe activity and can provide alerts for and/or block attempted attacks.
§ Use Current Anti-Malware Software: A primary countermeasure to various types of malicious
codes, viruses, and worms.
§ Use Firewalls: This can prevent many types of attacks. Network-based firewalls protect entire
networks and host-based firewalls protect individual systems.

Intrusion Terminology
• Terminology
o Event: Any observable occurrence in a network or system.
o Incident/ Adverse Event: An event that actually or potentially jeopardizes the confidentiality, integrity, or
availability of an information system or the information the system processes, stores, or transmits.
o Exploit: A particular attack that exploits system vulnerabilities.
o Attacker: Also known as a threat actor, bad actor, malicious actor, or adversary. A person or a group of
people that take part in an action that is intended to cause harm to a computer, device, system, or network.
o Attack/Threat Vector: An avenue for attackers to enter a network or system. Common attack vectors
include social engineering, credential theft, vulnerability exploits, and insider threats.
o Zero-Day Attack: A previously unknown system vulnerability, with the potential of exploitation without risk
of detection or prevention, because it does not fit any recognized patterns, signatures, or methods.
o Attack Surface: The number of all possible points, or attack vectors, where an unauthorized user can access
a system and extract data. The smaller the attack surface, the easier it is to protect.
o Intrusion: A security event or a combination of events that constitutes a deliberate security incident in
which an intruder gains or attempts to gain access to a system or system resources without authorization.
o Breach: The loss of control, compromise, unauthorized disclosure, or unauthorized acquisition, where a
person other than an authorized user accesses personally identifiable information (PII), or an authorized user
accesses PII for other than an authorized purpose.
o Cyber Warfare: Use of cyber-attacks against an enemy state, causing comparable harm to actual warfare
and/or disrupting vital computer systems. Some intended outcomes could be espionage, sabotage,
propaganda, manipulation, or economic warfare.
Attacks
• Attacker/ Threat Actor Types
o Hackers: Skilled in information technology and can use non-standard methods to achieve their goals.
§ Black Hat: Criminals who break into computer networks with malicious intent.
§ Grey Hat: A security expert who violates laws or ethical standards, without malicious intent.
§ White Hat: Ethical Hackers or Pen-Testers aiming to identify vulnerabilities in the current system.
o Script Kiddies: Unskilled hackers who rely on commonly available attack tools and malicious scripts.
o Hacktivists: Hackers who attack organizations to send a political or ideological message.
o Criminal Syndicates/ Organized Crime: Criminal hackers seeking financial gain, who work as a part of the
larger organization.
o Competitors: Business competitors may seek to gain access to organization secrets that will give them a
competitive business advantage.
o Insiders (Malicious and Unintentional): A threat to an organization that comes from people within the
organization, such as employees, former employees, contractors, or business associates, who have inside
information concerning the organization's security practices, data, and computer systems. Actors can be
malicious, such as disgruntled ex-employees, or non-malicious, accidental threat actors. These actors have a
much larger attack surface than external actors.
o Nation States: Typically sophisticated and well-resourced threats from other nations or military groups.
o Advanced Persistent Threats (APT): Ongoing series of sophisticated attacks against an organization.
o Hybrid War: Cyber techniques used alongside physical war. May include sabotaging critical infrastructure,
intelligence collecting, disseminating propaganda, or planting fake news to confuse or enrage.
• Reconnaissance
o Passive Reconnaissance: An attempt to gain information about targeted computers and networks without
actively engaging with the systems. Gathering the information without alerting the victim. If the victim host
is alerted, then it drastically decreases the likelihood that the attack will work, due to increased defenses.
o Active Reconnaissance: Gathering information by actively engaging with the targeted system.
§ Xmas Attack: A TCP packet with all flags set, a combination of options never used in routine
communication. How a remote host responds can reveal information about its inner workings and open
ports. Processing such packets takes longer, making them useful in Denial of Service (DoS) attacks.
§ Null Packet: A TCP packet with no flags set, reveals information about the inner workings of a
remote host.
§ Fuzzing: Inserts random or invalid data into fields or application data input. Fuzzing attacks can
result in access, permissions, or applications failure.
§ Banner Grabbing: Sending a routine packet, such as a connection request, to a network service and
seeing what information is returned. Many services report their software and protocol version,
application identity, or other information that an attacker can use to search for known exploits.
§ Port Scanning: A technique hackers use to discover open doors or weak points in a network.
§ Side Channel: A passive, non-invasive attack to observe the operations of a device. Methods include
power monitoring, timing, and fault analysis attacks.
• Social Engineering
o The psychological manipulation of people into performing actions or divulging confidential information.
§ Phishing: A scam where attackers deceive people into revealing sensitive information or installing
malware such as ransomware. Domain-Based Message Authentication, Reporting, and Conformance
(DMARC) is an E-mail security protocol that verifies E-mail senders and helps prevent spoofing.
• Spear Phishing: Targeted Phishing.
• Whaling: Phishing with a specific high-level target.
• Smishing: SMS or Text Phishing.
• Vishing: Voice or VoIP Phishing.
§ Diversion Theft: Tricking the victim into sending sensitive data to or sharing it with the wrong
person. The thief often accomplishes this by spoofing the E-mail address of someone in the victim's
company, an auditing firm, or a financial institution.
§ Business E-mail Compromise (BEC): An E-mail-based social engineering attack that aims to defraud
its victims. Campaigns often bypass traditional E-mail filters.
§ Quid Pro Quo: When a social engineer offers a service, such as “tech support,” in exchange for
access to secure information.
§ Tailgating/Piggybacking: An unauthorized actor gains access by following behind authorized
personnel.
§ Shoulder Surfing: Used to obtain confidential information, such as PINs or passwords, by looking over
the victim's shoulder.
§ Dumpster Diving: Finding sensitive documents or data that have been carelessly thrown away.
§ Lunchtime Attack: A user's decrypted computer is more readily available while the user is out to
lunch, or away from their desk.
o Psychological Principles of Social Engineering
§ Authority: People tend to obey authority figures, even if told to perform objectionable acts.
§ Intimidation: Attempting to intimidate a victim by trying to appear superior. This is a high-risk
strategy for an attacker and is likely to be reported by a victim.
§ Familiarity: Using charisma or likeability to get a victim to complete a request. This is a low-risk
strategy for an attacker and is unlikely to be reported by a victim.
§ Consensus/ Social Proof: Convinces a victim that the attacker can be trusted by pretending that
others would or already have trusted the threat actor or their tools and have completed a request.
§ Scarcity: Creating a false sense of urgency so the victim thinks they must act quickly or lose out.
§ Trust: The attacker assumes an alter ego that targets are expected to trust inherently.
§ Urgency: Encouraging victims to act quickly before they notice suspicious signs.
o Tactics Used By Social Engineers: The Set Up.
§ Baiting: Using a false promise to pique a victim’s greed or curiosity.
§ Impersonation: A powerful technique in large organizations or those with frequent guests/ visitors.
§ Pre-texting: Designing a fictional scenario, or pretext, to go with an initial claim. This cover story
gives the victim reason to believe and prevents the attacker from stumbling over easy questions.
§ Information-Seeking: Via interview, interrogation, or elicitation.
§ Disinformation/ Misinformation: Disinformation aims to deceive, while misinformation involves
unintentionally repeating false claims.
§ Brand Impersonation/ Brandjacking: Involves accurately duplicating company logos and formatting
to create visually compelling fakes.
§ Scareware: Bombarding victims with false alarms and fictitious threats.
§ Honeytrap: The social engineer assumes the identity of an attractive person. They then engage in a
relationship with the victim online to try to get sensitive information from them.
o Goals of Social Engineering
§ Reconnaissance: Gathering sensitive data either as a primary goal or to set up further attacks.
§ Credential Harvesting: Attacks designed to gain access to secure systems. May include the
download of a malicious file or document, that runs harvesting programs in the background.
§ Influence Campaigns: Intended to shape people's opinions about a topic.
§ Identity Fraud: Attacks to gather personal information to sell, or to commit fraud.
§ Financial Fraud: Scams conducted for financial gain.
• Malware
o Any software designed to intentionally disrupt a computer, server, client, or network, leak private
information, gain unauthorized access to information or systems, deprive access to information, or which
interferes with the user's computer security and/or privacy.
§ Malware Vectors
• Virus: Spreads within code without authorization. Classified by payload.
o Program: Targeted executable code that hides in applications.
o Boot Sector: Targeted executable code that hides in device boot programs.
o Memory Resident: Infects applications as they are opened by a user.
o Non-Resident: Can infect executable files even when programs are not running.
o Macro/ Script: Written in macro, a programming language that is embedded inside
software applications like Microsoft Office.
o Multipartite: Harms the files of computers, systems, or devices and attacks both the
boot sector and the executable files.
• Worm: Self-propagates within code, without authorization or action by the user. The best
remediation is to change the default application password.
• Trojan: A malicious program concealed within a benign one. Intended to spread malware
through an outwardly innocent vector.
o Drive-by Malware: Messages containing links to malware, or other malicious
attachments that appear benign.
o Remote Access Trojan (RAT): This attack establishes a connection which allows
remote commands to be executed. Allows an attacker to remotely control an
infected computer. Creates the ultimate backdoor, and total control of the device.
This may include screen recording, keylogging, copying files, and embedding more
malware. The best remediation is to implement a host-based IPS.
o Potentially Unwanted Program (PUP)/ Grayware: Preinstalled bloatware or
installed alongside another application. Installation may be covert.
o Easter Eggs: A form of hidden attack that exploits vulnerabilities in a system. They
are often disguised as harmless features or games, making them difficult to detect.
• Malicious Update: Update containing harmful code disguised as legitimate.
• Prepending: Links to false login sites, or misleading E-mails/ text that appear legitimate.
• Watering Hole: An attacker guesses or observes which websites an organization often uses
and infects one or more of them with malware.
o Drive-by Download: A compromised, or malicious website designed to spread
malware to its visitors.
• Logic Bomb: A piece of code intentionally inserted into software that will set off a malicious
function when specified conditions are met. Often initiated by a malicious insider.
• Removable Devices
o Malicious Flash Drive: Also called a BadUSB or USB Key Drop. Can allow an attacker to
steal stored passwords, gain access to sensitive files, or directly open a backdoor to
gain control of a device. In rare cases, it may even damage the device so badly that
it can no longer be used.
o Malicious USB Cable: Any cable that performs an unwanted function. The most
common malicious capabilities are found in USB cables. Data exfiltration, GPS
tracking, and audio eavesdropping are primary malicious functions.
o Human Interface Device (HID): Takes advantage of external devices, usually
connected via USB, to maliciously run commands on a computer or device.
• Evasive Malware
o Low-Observable Characteristics (LOC) Attacks: A type of stealth attack that evades
detection by most security solutions and impacts forensic analysis efforts.
§ Stealth Malware: Has an intelligent architecture, making it difficult to
detect and eliminate from a computer system.
§ Polymorphic/ Metamorphic Malware: The code intelligently changes itself
every time it runs, so it appears differently and is difficult to catch, but the
function of the code stays the same.
• Polymorphic Engine: A software component that alters the payload
of polymorphic code, while preserving the same functionality.
§ Retrovirus: An anti-anti-virus virus; it attacks and disables any anti-virus or
protective software on the system it is trying to infect, to avoid detection.
§ Fileless Malware: Exploits remote execution and memory residence to
deliver malicious payloads. May run from a script or Trojan, and/or use a
shell code to create backdoors or download additional tools. They gain
persistence through the registry, and live off the land, via built-in tools.
§ Rootkit/ Kernel Driver: A collection of computer software, typically
malicious, designed to enable access to a computer or an area of its
software that is not otherwise allowed and often masks its existence or the
existence of other software. Modifies core system files. Rootkits can reside in
firmware and resist attempts to remove them by formatting drives and
reinstalling the OS.
§ Advanced Volatile Threats (AVT): An advanced kind of cyberattack where
the malicious code does not need to reach its victim's hard drive to deliver
its payload. Traditional antivirus solutions depend on the presence of a file
on the hard drive. That makes this attack particularly more potent than the
related Advanced Persistent Threat (APT).
§ Shim: Intercepts information passing between hardware and operating
systems.
§ Refactor: Rearranges code. Can intelligently redesign itself so it appears
differently each time it is loaded.
§ Malware Payloads
• Ransomware: Locks user out by replacing shell and denies access until payment is made.
o Crypto-Malware: High-impact ransomware that encrypts data files or drives.
o Crypto-Mining/ Crypto-Jacking: Hijacking resources to mine cryptocurrency.
• Command and Control (C2): A more advanced form of malware that uses automated
processes to establish and maintain remote control of an infected system.
o Backdoor Malware: Negates normal authentication procedures to access a system.
As a result, remote access is granted to resources within an application, such as
databases and file servers, giving perpetrators the ability to remotely issue system
commands and update malware. Alternatively, an attacker embeds hidden access in
an internally developed application that bypasses account login. In the second
example, the best remediation would be to conduct a code review.
o Beaconing: When malware periodically calls out to the attacker's C2 server to get
further instructions on tasks to perform on the victim machine.
o Bots/ Zombies: A computer or device infected with malware that is controlled
remotely by a hacker. Zombies may be used to launch online attacks or send spam
or phishing E-mails to infect other devices.
• Adware: Software that generates revenue for its developer by automatically generating
online advertisements in the user interface of the software or on a screen presented to the
user during the installation process.
o Spam: Aggressive form of unsolicited advertising.
o Spam over VoIP (SPIT): Unsolicited calls initiated by Voice over Internet Protocol
(VoIP) systems. The spammer attempts to initiate a voice session and if the receiver
answers, they play a recorded message. Robocalls can be delivered automatically
using telephony software.
o Spam Over Instant Message (SPIM): A type of spam targeting users of instant
messaging services, SMS, or private messages within websites.
o Hoaxes: A threat that doesn’t exist but appears as though it could be real. These can
take the form of false virus alerts, E-mails, memorandums, chain letters, attempts at
spreading false information, wasting time, or causing panic.
o Influence Campaigns: Fake news sites or spreading false news with bot accounts.
o Deep-Fake Technology: Synthetic media that have been digitally manipulated to
replace one person's likeness convincingly with another. Fake audio, video, or faces.
§ Malware Indicators
• Antivirus Notifications.
• Overt Ransomware Notification.
• Changes to File Systems or Registry.
• New Temporary Files.
• Browser Changes.
• Sandbox Execution.
• Resource Utilization or Consumption.
• Evidence of Compromised Software or Firmware.
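The Beaconing entry above describes malware that calls out to its C2 server periodically, and that regularity is what defenders hunt for in connection logs. The following is an added example, not part of the original study guide: it flags source/destination pairs whose connection intervals are nearly constant. The host names, log tuple layout, and thresholds are assumptions, and the sample events are constructed.

```python
import statistics
from collections import defaultdict


def build_sample_events():
    """Constructed sample: (epoch_seconds, source_host, destination) tuples."""
    events = []
    jitter = [0, 3, -2, 1, -4, 2]  # seconds of drift around a 60 s check-in
    for i in range(20):
        events.append((60 * i + jitter[i % len(jitter)],
                       "ws-017", "198.51.100.23:443"))
    # Irregular, human-driven traffic from the same workstation.
    for t in [5, 9, 140, 150, 700, 705, 1300, 2100, 2110, 2500, 3600, 3605]:
        events.append((t, "ws-017", "intranet.example:443"))
    # Perfectly regular, but too few connections to judge.
    for t in [100, 160, 220]:
        events.append((t, "ws-022", "203.0.113.9:53"))
    return events


def beacon_candidates(events, min_events=10, max_cv=0.1):
    """Return {(source, destination): stats} for pairs with regular intervals.

    Regularity is measured with the coefficient of variation (standard
    deviation of the gaps divided by their mean). A low value means the
    gaps are nearly identical even when a little jitter is present.
    min_events and max_cv are assumed starting points, not fixed rules.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    candidates = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue  # not enough samples to call anything periodic
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # identical timestamps carry no interval information
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            candidates[pair] = {
                "count": len(times),
                "mean_gap": round(mean_gap, 1),
                "cv": round(cv, 3),
            }
    return candidates


if __name__ == "__main__":
    for pair, stats in beacon_candidates(build_sample_events()).items():
        print(pair, stats)
```

Legitimate software such as update checkers and monitoring agents also polls on a schedule, so each hit is a lead to review against known-good destinations rather than a verdict.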
• Forced Access Attacks
o Card Cloners: Hardware-based attack where a cloner can read ID, credit, ATM, or gift cards and produce a
working facsimile.
o Skimmers: Attached to ATMs and appear to be a normal part of the machine. They capture the user's card
information and PIN. May include a small camera. Digital skimmers use a similar principle but work by
inserting scripts into website login pages or online payment forms.
o Transitive Trust: Machine A trusts Machine B and Machine B trusts Machine C. Therefore, Machine A can
attack Machine C, and Machine C will automatically trust the attack.
o Transitive Access: Occurs when a user is inadvertently given advanced access to another part of the
application or system on which it is hosted.
o Password Cracking: The process of finding, recovering, and decrypting scrambled passwords.
§ Brute Force: Trying every possible password in systematic order until the right one is found. Brute
force can theoretically crack any password, but it is impractically slow against long passwords.
§ Password Spraying: An attack, usually dictionary-based, which targets many different usernames on
the same system at one time. By trying a short list of common passwords against many accounts, an
attacker can increase the chance of finding a user with a weak password.
§ Dictionary Attack: Uses a word list, such as a literal dictionary, or list of common passwords
downloaded from the Internet. Dictionary attacks won't find random character strings, but they
work well against the word or name-based passwords many users choose.
§ Credential Stuffing: A kind of dictionary attack where the dictionary is made up of stolen usernames
and password pairs from another compromised system. Like password spraying, the attacker targets
many accounts at once. Makes use of the fact that many people use the same username and
password across multiple systems or sites.
o Password Hash Cracking
§ Birthday Attack: Attacks that exploit hash collisions in weaker hashing and digital signature
algorithms, allowing increased cracking speed.
§ Rainbow Attack: The ability to crack large numbers of hashes at once by using a precomputed table
containing a long list of possible hash values, along with the passwords behind them.
§ Pass the Hash: In Single Sign-On (SSO) systems, an attacker can compromise one system and steal its
stored hashes. The attacker can then present the stolen hash to access resources on another
computer, instead of using credentials.
§ Collision Attacks: Exploits weak hashing functions to create the same hash for different inputs.
o Golden Ticket Attacks: A technique that allows a malicious actor to gain unrestricted full access to an Active
Directory (AD) domain by creating a fake Kerberos Ticket Granting Ticket (TGT).
o Silver Ticket Attacks: Using a silver ticket, an attacker can create multiple Ticket-Granting Service (TGS)
tickets for a specific service without communicating with a Domain Controller (DC) in a network. Not full
access but still useful for an attacker.
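The Password Cracking entries above differ in a way that shows up in authentication logs: brute force repeats against one account, while password spraying and credential stuffing touch many accounts a few times each. The following is an added example, not part of the original study guide: it classifies failed-login sources by that shape. The log line format, usernames, label names, and thresholds are assumptions, and the sample log is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log: 'timestamp source_ip username result' per line."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    for i in range(12):  # one account hammered from one source
        ts = t0 + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.10 alice FAIL")
    for i in range(10):  # one attempt against each of ten accounts
        ts = t0 + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 user{i:02d} FAIL")
    # An ordinary user mistyping twice, then logging in.
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        ts = t0 + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.44 bob {result}")
    return "\n".join(lines)


def parse_auth_log(text):
    """Parse the assumed four-field format into (time, ip, user, success)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess
        ts, ip, user, result = parts
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def classify_sources(events, window=timedelta(minutes=10), min_failures=8,
                     many_users=5, max_per_user=3):
    """Label each source IP whose failures exceed min_failures in one window.

    'brute-force'   : the failures concentrate on a single account.
    'many-accounts' : many accounts, few tries each. This is the shape
                      shared by password spraying and credential stuffing;
                      the log alone cannot tell the two apart.
    'mixed'         : enough failures to flag, but neither clear shape.
    All thresholds are assumed defaults to tune per environment.
    """
    failures = defaultdict(list)
    for ts, ip, user, success in events:
        if not success:
            failures[ip].append((ts, user))

    verdicts = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = [u for ts, u in fails[i:] if ts - start <= window]
            if len(users) < min_failures:
                continue
            per_user = Counter(users)
            busiest = max(per_user.values())
            if len(per_user) >= many_users and busiest <= max_per_user:
                verdicts[ip] = "many-accounts"
            elif busiest >= min_failures:
                verdicts[ip] = "brute-force"
            else:
                verdicts[ip] = "mixed"
            break  # the first window that crosses the threshold decides
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse_auth_log(build_sample_log())).items():
        print(ip, verdict)
```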
• Denial of Service (DoS) Attacks
o Denial of Service (DoS): Rendering a computer or other device unavailable to its intended users by
interrupting the device's normal functioning.
o Distributed Denial of Service (DDoS): Flooding a server with Internet traffic, usually from several different
devices, to prevent users from accessing connected online services and sites.
§ Bot/ Zombie: A computer that has been infected with malware, allowing for remote control.
§ Botnet: A group of devices, each of which runs one or more bots/zombies. An attacker sends
multiple SYN packets from multiple sources. The best remediation is to enable DDoS protection.
§ Smurf Attack: Large numbers of Internet Control Message Protocol (ICMP) packets with the victim's
spoofed source IP are broadcasted to a computer network using an IP broadcast address.
§ Fraggle Attack: A DoS attack that involves sending a large amount of spoofed UDP traffic to a
router's broadcast address. It is very similar to a Smurf Attack, which uses spoofed ICMP traffic
rather than UDP traffic to achieve the same goal.
§ Ping Flood: Overwhelming the victim with ICMP echo request packets. This is most effective by using
the flood option of ping which sends ICMP packets as fast as possible without waiting for replies.
§ Ping of Death: Occurs when an attacker crashes, destabilizes, or freezes computers or services by
targeting them with oversized data packets.
§ SYN Flood: Rapidly initiating a connection to a server without finalizing the connection.
§ Amplified SYN Flood: Spoofing the victim’s IP address and attempting to open connections with
multiple servers. Those servers direct their SYN/ACK responses to the victim.
§ Resource Exhaustion: Exploits that crash, hang, or otherwise interfere with the targeted program or
system. May only require one device with low bandwidth.
§ ZIP Bomb: A 42-kilobyte compressed .zip file, that when decompressed, expands to 4.5 petabytes
(4,500 terabytes).
§ DHCP Starvation: The attacker floods a network with IP address requests. The MAC address changes
each time. The DHCP server eventually runs out of addresses to allocate.
§ Oversized Packet Attacks: The attacker sends packets that are too large for the network to handle
efficiently. This can cause network congestion, degrade performance, and system crashes.
§ Packet Drops Attack/ Black Hole Attack: A malicious user manually or through software gains
unauthorized access to a router and configures it to drop packets instead of forwarding them.
§ Operational Technology (OT) Attack: A DoS against embedded systems. Can be more vulnerable to
mis-crafted packets than computing hosts.
§ Distributed Reflected Denial of Service (DrDoS): Occurs when attackers compromise computers to
send multiple simultaneous requests to their chosen target. They redirect or reflect their requests to
the victims' systems before they are sent to a selected website, server, application, or computer.
• Eavesdropping Attacks
o Packet Sniffing: Technique that involves collecting data packets that travel through an unencrypted
computer network. Packet sniffers monitor the data packets in network traffic, to intercept sensitive
information, like personal financial details, to sell or use in other attacks.
o On-Path/ Man-in-the-Middle (MiTM): Attackers place themselves between two devices (often a web
browser and a web server) and intercept or modify communications between the two. The attackers can
then collect information as well as impersonate either of the two agents.
§ Replay: The attacker intercepts data transmissions, especially those with authentication credentials
or encryption key exchanges, then delays or resends them. Replaying allows the attacker to disrupt
legitimate communications, gain authorized access, or both.
§ Session Replay: A type of replay attack targeting secure websites. An attacker with a stolen session
ID can take over an existing but idle session, without having login credentials. Relies on header
manipulation.
§ Session Hijacking/ Sidejacking: Similar to session replay except the attacker takes over the session
immediately after the client logs in. Relies on header manipulation.
§ Downgrade: The attacker interferes with the initial connection set up to force legitimate clients into
using weak or no encryption.
§ SSL Stripping: An on-path attack intended to bypass secure connections that use SSL/TLS encryption,
such as HTTPS.
§ Browser-Based: On-path attack where a Trojan or other spyware infects the web browser, then
either modifies the page that the user views or the actions the user takes.
§ On-Path/Man-in-the-Browser: Compromises the browser in ways that inspect session data, change
browser settings, perform redirection, or perform code injection.
o Spyware: Any software with malicious behavior that gathers information about a person or organization,
using recording devices and screenshots, and sending it to another entity. Harms the user by violating their
privacy or endangering the device's security. May also redirect DNS queries, track cookies, or install adware.
§ Keystroke Logger/ Keylogger: Recording the keys struck on a keyboard, typically covertly, so that a
person using the keyboard is unaware that their actions are being monitored. Data can then be
retrieved by the person operating the logging program. The attacker uses hardware to remotely
monitor a user's input activity and harvest credentials. The best remediation would be to implement
Two Factor Authentication (2FA) using push notifications.
§ Data Exfiltration: A form of data theft that occurs when malware and/or a malicious actor carries
out an unauthorized data transfer from a computer. It is also commonly called data extrusion or
data exportation.
• Spoofing Attacks
§ IP Spoofing: Alters the source IP address used to route packets on IP networks. It is often used to
impersonate another device on the network.
§ MAC Spoofing: Alters the source MAC address used to identify physical devices on local networks. It is
defined in hardware but can be changed in software.
§ MAC Cloning: A form of MAC Spoofing used to impersonate another device on the same network by copying
its MAC address. MAC Cloning can be useful in defeating some forms of Network Access Control (NAC).
§ MAC Flooding: A form of MAC Spoofing used to compromise the security of a switch by spoofing many MAC
addresses to override its MAC table cache. Can be used to assist eavesdropping or redirection attacks.
§ E-mail Spoofing: Altering the sender’s E-mail address. Frequently used in phishing attacks. Domain-based
Message Authentication, Reporting, and Conformance (DMARC) is an E-mail security protocol that verifies E-
mail senders and helps prevent E-mail spoofing.
§ Caller-ID Spoofing: Spoofs the origin of a telephone call. A common feature in vishing attacks.
§ Reflected Attack: Makes use of a potentially legitimate third-party component to send the attack traffic to a
victim, ultimately hiding the attackers' own identity.
§ Header Manipulation: Changing values and headers used by a communication protocol, either directly used
by an application or by the underlying network layers. MAC and IP Address Spoofing are examples of Header
Manipulation, as are Xmas Attacks and other non-standard flag use. Session Hijacking attacks frequently rely
on TCP header manipulation as well.
• Re-Direction Attacks
o ARP Poisoning: Using spoofed ARP messages to alter the ARP cache of a target host or switch, associating
the given IP address with the physical device of the attacker’s choice. The attacker can then silently
eavesdrop, actively modify data in transit, or block network traffic entirely. ARP only works on the local
network segment, so ARP Poisoning can generally only be performed by inside attackers.
o DNS Poisoning: Compromising or impersonating a DNS server to modify the DNS cache of a target host or
DNS server, to associate a legitimate host or domain name with an IP address of the attacker’s choice.
o Pharming: Redirecting a website's traffic to another fake site by installing a malicious program on the
computer. Can be conducted either by changing the host files on a victim's computer or by exploiting a
vulnerability in DNS server software.
o URL Redirection: Attackers can manipulate compromised pages or poorly designed sites and redirect users
to malicious sites that install malware or perform credential theft. Often used in phishing attacks.
o URL Hijacking/Typo Squatting: Also called a Sting Site or Fake URL. A type of Cybersquatting, and potentially
Brandjacking, which relies on user typing mistakes. Registering a URL that is close to that of a legitimate site,
but with a misspelled word or typo. This sends people to malicious sites if they make that typing error.
o Domain Hijacking: Re-registering an expired domain name or compromising the account that controls one.
An attacker can then redirect traffic from the original site to an imitator.
o DNS Sinkhole/ Blackhole DNS: A DNS that hands out incorrect IP addresses. Used to redirect all traffic for a
given domain name to a specific monitored server. Can be used to redirect users to a malicious site.
o Clickjacking: Once on a redirected page, clickable content is hidden under seemingly normal content.
Actions (clicking) may share information with the malicious party.
o VLAN-Hopping: Compromising the protocols used to define and control VLANs and diverting traffic to the
wrong VLAN, exposing it to attack.
• Application Attacks
o Directory/ Path Traversal: Accessing directories on the target machine that regular clients do not. Also
known as the Dot Dot Slash (../) Attack, Directory Climbing, or Backtracking.
o Privilege Escalation: Gaining increased privileges within an existing session. For example, accessing
administrator-only commands from an ordinary user account.
§ Vertical: An increase of privileges/access beyond what a user or application already has.
§ Horizontal: Gaining access to the rights of another account, human or machine, with similar
privileges. This action is referred to as account takeover.
o Improper Error Handling: Error messages that leak information and provide attackers with attack options.
o Improper Input Handling: Input handling describes functions such as validation, sanitization, filtering, or
encoding/decoding of input data. Improper Input Handling is a leading cause of critical vulnerabilities that
exist in today's systems and applications.
o Memory Manipulation: Sending input into a program that will affect variables in memory, either to produce
unexpected behavior or to crash the application in a Denial of Service (DoS) attack.
§ Buffer Overflow: Sending too much information in a request will cause an application to overfill the
buffer and further overflow into adjacent memory. Overflows can allow arbitrary code execution.
Mitigations include Address Space Layout Randomization (ASLR) and Data Execution Prevention
(DEP), both of which will cause service crashes, prevent code execution, and alert an administrator.
§ Integer Overflow: Causes applications to calculate values that are out-of-bounds. Doesn't spread
into other memory. It just makes the number wrap-around, causing undesired behavior.
§ Memory Leaks: Coding errors can cause an application to allocate memory but never release it. The
resulting leak of system memory eventually consumes so much memory that the application or host
crashes. An attacker can exploit memory leaks as a Denial of Service (DoS) attack.
§ Resource Exhaustion: Spawning activity to use up CPU time, system memory allocation, fixed disk
capacity, and/or network utilization.
o Code Injection Attacks: A broad term for sending specially formatted input that will be processed by some
sort of command interpreter within the web application or its host machine.
§ Arbitrary Code Execution: Executing code on a remote computer, also known as Remote Code
Execution.
§ Command Injection: When an application allows data to be passed to a command shell on a server,
an Injection attack can execute operating system commands. This isn't an attack against the
application or database, but it is a way into the server itself. Especially used in conjunction with
Directory Traversal or Privilege Escalation.
§ SQL Injection: A code injection technique used to attack data-driven applications, in which malicious
Structured Query Language (SQL) statements are inserted into an entry field for execution.
• Unfiltered Escape Characters: If an input field includes special characters used by SQL or the
scripting language, they might be mistaken for a command. Well-designed applications use
escaping techniques to encase or substitute those characters so that it is clear that they're
data, rather than code. Poorly implemented techniques allow for code injection.
• Improper Input Types: Applications should check that any data inputs are the right type. If
the application is too trusting, an attacker could enter a string of numeric data either to
generate a useful error or to alter the query.
• Stacked Queries: Appending additional forged queries into the original legitimate one. A
semi-colon tells SQL that the query is over, and a new one is beginning. Since the following
query can be anything the attacker wants, it's a powerful technique.
• Blind Injection: Securely designed production servers hide SQL error messages from end
users to prevent attackers from gaining information. Blind Injection attacks use statements
that should create verifiable changes in page output, or perform time-intensive operations
that create a server delay.
• Signature Evasion: More sophisticated attacks carefully format queries to avoid matching
IDS signature files, while still behaving identically on the server.
§ NoSQL Injection: An attacker can inject arbitrary text into NoSQL queries. NoSQL Injections are very
similar to the traditional SQL Injections, except that the attack is against a NoSQL database.
§ Lightweight Directory Access Protocol (LDAP) Injection: An attack used to exploit web-based
applications that construct LDAP statements based on user input.
§ eXtensible Markup Language (XML) Injection: Any technique used to manipulate or compromise
the logic of an XML application or document.
• XML External Entities (XXE): Any attack that exploits a common XML parser feature. XML is
a tagged markup language designed to be both human and machine-readable.
§ Dynamic Link Library (DLL) Injection: Inserting executable code into a running process from a
shared library file. It is frequently used as a malware vector or payload but can also be triggered by a
Buffer Overflow attack against a web application. It can also be used for Privilege Escalation.
§ Application Programming Interface (API) Injection: Sending an API malicious commands through a
user input field, whether a text input, file upload, or other means.
o Cross-Site Scripting (XSS): An attacker injects malicious executable scripts into the code of a trusted
application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and
enticing the user to click it.
§ Stored/Persistent: The attacker uploads a script to the server, where it can be viewed as content on
a vulnerable web page. It is usually placed where a typical user can add content, such as a comment
field, message forum, or social media.
§ Reflected/Non-Persistent: This occurs when a malicious script is reflected off of a web application
to the victim's browser.
§ Document Object Model (DOM)-Based: The attack payload is executed as a result of modifying the
DOM environment in the victim's browser used by the original client-side script so that the client-
side code runs unexpectedly.
o Cross-Site Request Forgeries (XSRF): An attack on a session between a user and a legitimate web server.
This attack begins with a link to an attacker's site. The page has hidden code that instructs the victim's
browser to make requests to another server.
§ Server-Side Request Forgery (SSRF): Malicious exploit of a website or web application where
unauthorized commands are submitted from a user that the web application trusts.
o Null Pointer Dereferencing: Pointers are used in C/ C++ to refer to memory locations. Dereferencing occurs
when the program tries to read or write the location via the pointer. An attacker can cause a vulnerable
application to dereference to a null or invalid pointer. Doing so might crash the application, bypass a
security function, or return useful debug information.
o Race Conditions: A bug that generates errors or corrupts data. Can compromise security controls, or an
attacker can deliberately manipulate one. Execution depends on timing and sequence of events.
o Bogus DNS/NTP Queries: Queries can be constructed to generate large response packets. Attackers then
direct the responses to the victim.
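An added example (not part of the original study guide) for the SQL Injection entry under Code Injection Attacks above: it places query code with the Unfiltered Escape Characters, Improper Input Types, and Stacked Queries weaknesses beside hardened versions that bind parameters and check input types. The table, function names, and input strings are constructed for illustration, and Python's built-in sqlite3 module stands in for whatever database an application uses.

```python
import sqlite3


def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, note TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "note-a"), (2, "bob", "note-b")])
    db.commit()
    return db


def find_by_name_weak(db, name):
    # Weak: the input is pasted into the SQL text, so a quote character in
    # the input ends the string literal and the rest is parsed as SQL.
    query = "SELECT name, note FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def find_by_name_bound(db, name):
    # Hardened: the ? placeholder passes the value separately from the SQL
    # text, so quotes and semicolons in it are treated as data.
    return db.execute("SELECT name, note FROM users WHERE name = ?",
                      (name,)).fetchall()


def find_by_id_weak(db, user_id):
    # Weak: a numeric field is never type-checked before use.
    return db.execute("SELECT name, note FROM users WHERE id = " + user_id).fetchall()


def find_by_id_checked(db, user_id):
    # Hardened: reject anything that is not a plain decimal number, then bind.
    if not (user_id.isascii() and user_id.isdigit()):
        raise ValueError("id must be a decimal number")
    return db.execute("SELECT name, note FROM users WHERE id = ?",
                      (int(user_id),)).fetchall()


def id_rejected(db, user_id):
    """True when the type check refuses the input."""
    try:
        find_by_id_checked(db, user_id)
    except ValueError:
        return True
    return False


def stacked_statement_rejected(db, name):
    # sqlite3's execute() accepts one statement per call and raises when a
    # second statement follows a semicolon (Warning on older Python versions,
    # ProgrammingError on newer ones). This limits stacked queries even in
    # the weak function, but it is a property of this driver, not a fix.
    try:
        find_by_name_weak(db, name)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False


def row_count(db):
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]


# Constructed inputs, one per weakness named in the entry.
QUOTE_INPUT = "nobody' OR '1'='1"                # unfiltered escape character
TYPE_INPUT = "1 OR 1=1"                          # text where a number is expected
STACKED_INPUT = "alice'; DELETE FROM users; --"  # second statement after a semicolon

if __name__ == "__main__":
    db = make_db()
    print("weak name lookup:  ", find_by_name_weak(db, QUOTE_INPUT))
    print("bound name lookup: ", find_by_name_bound(db, QUOTE_INPUT))
    print("weak id lookup:    ", find_by_id_weak(db, TYPE_INPUT))
    print("id check rejects:  ", id_rejected(db, TYPE_INPUT))
    print("stacked rejected:  ", stacked_statement_rejected(db, STACKED_INPUT))
    print("rows still present:", row_count(db))
```
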
• OWASP Top 10 Web Application Security Risks (2023)
o OWASP Top 10 is a standard awareness document for developers and web application security. It represents
a broad consensus about the most critical security risks to web applications. Globally recognized by
developers as the first step towards more secure coding.

o Elements Used in Client-Side Application Attacks


§ Application Vulnerabilities: Any sort of application that communicates with the network can be
targeted for attack. Even network services and lower levels of TCP/IP stack on a client computer
might have potential vulnerabilities.
§ Browser Add-Ons: Plug-ins and add-ons that modify browser capabilities can be exploited.
§ Malicious Add-Ons: Users could be tricked into installing add-ons, which contain malware. They
might conceal their installation, or they might masquerade as helpful tools. They allow attackers to
manipulate browser behavior or further compromise the system.
§ Cookies: Stored in browsers, cookies are used for authentication and session identification
purposes. They are also used to store website preferences or track browsing behavior. This
information can become a security or privacy risk.
§ Malicious Attachments: E-mail attachments or other files introduced onto the system can carry
viruses or other harmful content.
• Wireless Attacks
o Wireless Reconnaissance: Methods used to gather information about wireless networks or communication.
§ Wardriving: The act of searching for Wi-Fi networks, usually from a moving vehicle, using a laptop or
smartphone. Software for wardriving is freely available on the Internet. Warbiking, warcycling, and
warwalking use the same approach but with other modes of transportation.
§ Warflying: When someone on a plane or helicopter, or using a drone, uses a Wi-Fi-enabled device to
look for open Access Points (APs). Also called warstorming.
§ Wireless Sniffing: Analyzing and logging traffic that passes over a wireless network.
o Encryption Attacks: Taking advantage of the known vulnerabilities of wireless encryption standards.
o Rogue Access Point (AP): An unauthorized Wireless Access Point (WAP) connected to the wired network,
commonly by an employee or other insider. It doesn't have to be malicious to be a threat.
o Evil Twin: A Rogue Access Point (AP) that has the same SSID and security settings as a legitimate AP, so the
users might connect to it instead of the real one. The evil twin controller can then use it to launch Man-in-
the-Middle (MiTM) attacks.
o Intrusion/ Resource Use: Utilizing a network’s free Wi-Fi to conduct attacks.
§ Shadow IT: The use of IT-related hardware or software by a department or individual without the
knowledge of the IT or security group within the organization.
o Wireless Disassociation Attacks: Sending a packet with a spoofed address that de-authenticates a client
from a Wi-Fi network. This attack can be launched by anyone in the range of hotspots even if it's an
encrypted connection.
o Jamming: An attacker can jam the signal of a Radio Frequency (RF) or wireless network by introducing a
competing one. This is considered a Physical Layer Denial of Service (DoS) attack.
o Initialization Vector (IV) Attack: An attacker modifies an encrypted wireless packet's IV during
transmission. IVs are blocks of bits that are used to differentiate users on a wireless network and are also
used in many encryption approaches to add randomization to the final ciphertext.
• Bluetooth Attacks
o Bluejacking: The sending of unsolicited messages to a Bluetooth device. Usually harmless but can be
considered intrusive or annoying.
o Bluesnarfing/ Bluesniffing: A more serious attack that allows an attacker to steal, transfer, or compromise
data on a device typically by pairing with it without the owner's knowledge. Occurs when the attacker listens
in on the victim's Bluetooth connection to gather data such as text messages, phone calls and E-mails,
without actively connecting to the device.
o Eavesdropping: Malware on a Bluetooth-enabled device can be used to bypass security settings and take
control of the paired device so that the device is opened for remote access or eavesdropping via a headset.
• Other Network Attacks
o Virtual Machine (VM) Escape: An exploit in which the attacker runs code on a VM that allows an operating
system running within it to break out and interact directly with the hypervisor.
o Invoice Scam: Sending false bills for false services, in hopes that someone pays them. If a link is included, the
attacker now also has access to payment details, not just the payment.
o Fragmentation Attack: Exploits how IP packets are fragmented and reassembled to evade security controls
or launch attacks.
o Jailbreaking/ Rooting: Jailbreaking refers to iPhones in particular. It means getting around Apple software
restrictions so the phone can be managed at an administrator level. Rooting refers to achieving the same
results but on an Android device.
o Supply Chain Attack: The supply chain contains many moving parts, such as raw materials, suppliers,
manufacturers, distributors, customers, and consumers. Attackers can infect any step along the supply chain
without suspicion, primarily because people trust their suppliers.
o Application Programming Interface (API) Attack: Attackers may target APIs to gain unauthorized access to
sensitive data, manipulate data, or disrupt services.
o API Injection: Sending an API malicious commands through a user input field, whether a text input, file
upload, or other means.
o Near Field Communication (NFC) Attacks: Attackers can use specialized hardware or software tools to
exploit NFC vulnerabilities.
§ Skimming: An attacker gets close enough to a victim's phone or contactless card to trigger a
transaction. For example, an attacker could walk by and initiate a payment from a mobile wallet
using a handheld card reader.
o Domain Name Kiting: Registering a Domain Name for a short time, and then deleting and re-registering it,
again for a short time. The procedure is repeated until the scammer doesn't need the domain anymore.
o Radio Frequency Identification (RFID) Attacks: An unauthorized person intercepts or manipulates the
signals between RFID tags and readers.
o Adversarial Artificial Intelligence: Submitting tainted samples of training data, compromising the integrity of
the machine’s learning. Mitigation includes algorithms, secrecy, filter development, and training systems to
recognize adversarial examples.
o AI Evasion Attacks: Attackers can find holes in the AI training. AI that knows what spam looks like can be
fooled by a different approach. AI that is trained with social security numbers in its data can be fooled into
revealing those numbers.

Detection Terminology
• Terminology
o Indicators of Attack (IoA): Forensic signs that typically surround a cyberattack. Finding them warns that such
an attack is likely to be in progress.
o Indicators of Compromise (IoC): An artifact observed on a network or in an operating system that, with high
confidence, indicates a computer intrusion has already taken place.
o Security Audits: An independent review and examination of system records, activities, and documents
related to an organization’s security posture.
o Data Analysis: The process of collecting data, then organizing it, and presenting it in a way that provides
useful insights.
o Data Analytics: Applying business or technical knowledge to create formal algorithms that can process the
data further and extract hidden information that simple analysis won't reveal.
o Artificial Intelligence/Machine Learning: Enables computers to simulate human intelligence and behavior.
o Scripting: Automation of activity through programs, scripts, and scripting languages.
o Automation: The process of automatically detecting, investigating, and remediating cyber threats, with or
without human intervention, using a programmatic solution specifically designed for this purpose.
o Orchestration: Allows for easy sharing of information. It also enables multiple tools to respond to incidents
as a group, even when the data is spread across a large network and multiple systems or devices.
o Penetration Testing/ Ethical Hacking: An authorized attempt to gain unauthorized access to a computer
system, application, or data. Carrying out an ethical hack involves duplicating the strategies and actions of
malicious attackers.
o Active Defense: Proactive approach to cybersecurity. This involves predicting the attacker’s actions and
setting relevant traps to detect a wide range of attacks with precision and speed. Uses tactics like bogus DNS
entries, web server decoys, and fake telemetry to raise attack costs and tie up adversary resources.
o Counterintelligence: Activities designed to prevent or thwart spying, intelligence gathering, and sabotage by
an enemy or other foreign entity.

Threat/ Attack Detection Strategies


• Indicators of Attack (IoA)
o Forensic signs that typically indicate a cyberattack. Finding these warns that an attack is likely in progress.
§ Reputational Indicators: IP Address or E-mail of a known or likely threat source.
§ Behavioral Indicators: Such as several failed login attempts.
§ Tactics, Techniques, Procedures (TTPs): Used to describe the behaviors, strategies, and methods
used by an attacker to develop and execute cyberattacks on enterprise networks.
§ Indicators of Compromise (IoC): Such as unauthorized configuration changes.
• Indicators of Compromise (IoC)
o An artifact observed on a network or device which indicates an intrusion with a high degree of confidence.
§ Detection of Compromise Through Monitoring Platforms or Behavior Analysis.
§ Bandwidth Consumption.
§ Unexpected Traffic Compared to Current Baseline.
§ Beaconing.
§ Changes in DNS Data.
§ Unusual Amount of Network Activity.
§ Changes to File Hashes.
§ Atypical Login Patterns.
§ Spikes in Read Requests to Certain Files.
§ Abnormal System and Process Behavior.
§ Irregular International Traffic.
§ Memory and Drive Capacity Consumption.
§ Denial of Service (DoS) or Loss of Availability.
§ Changes in Permissions, Registry, Scheduled tasks, or Privileges.
§ Use of the Tool netcat.
§ Evidence of Reconnaissance Activity.
§ Presence of New Download Tools.
§ Presence of Exploit Frameworks.
§ Unexpectedly Downloading Large Files.
§ Launching PowerShell from a Different Script Type.
§ Unexpected Use of Crontab or Task Scheduler.
§ Account or Firewall Configuration Changes.
§ Presence of a Backdoor or Shell Code.
§ Evidence of Lateral Movement.
§ Evidence of Remote Execution.
§ Windows Management Instrumentation (WMI) event subscriptions.
§ Evidence of Scans and Probes.
• Sequentially Testing Ports.
• Connecting to Many Addresses in a Network.
• Repeated Requests to Inactive Ports/Services.
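An added example (not part of the original study guide) that turns the three "Evidence of Scans and Probes" indicators above into detection logic run over a constructed connection log. The log format, thresholds, and function names are assumptions made for illustration, and a REJECT result is assumed to mean the destination port was inactive.

```python
from collections import defaultdict

# Constructed sample connection log (not real traffic).
# Fields: timestamp, source IP, destination IP, destination port, result.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.10 10.0.0.20 443 ACCEPT
2024-05-01T10:00:02 10.0.0.66 10.0.0.20 20 REJECT
2024-05-01T10:00:02 10.0.0.66 10.0.0.20 21 REJECT
2024-05-01T10:00:03 10.0.0.66 10.0.0.20 22 ACCEPT
2024-05-01T10:00:03 10.0.0.66 10.0.0.20 23 REJECT
2024-05-01T10:00:04 10.0.0.66 10.0.0.20 24 REJECT
2024-05-01T10:00:04 10.0.0.66 10.0.0.20 25 REJECT
2024-05-01T10:00:05 10.0.0.10 10.0.0.20 443 ACCEPT
2024-05-01T10:00:06 10.0.0.77 10.0.1.1 445 REJECT
2024-05-01T10:00:07 10.0.0.77 10.0.1.2 445 REJECT
2024-05-01T10:00:08 10.0.0.77 10.0.1.3 445 ACCEPT
2024-05-01T10:00:09 10.0.0.77 10.0.1.4 445 REJECT
2024-05-01T10:00:10 10.0.0.77 10.0.1.5 445 REJECT
2024-05-01T10:00:11 10.0.0.77 10.0.1.6 445 REJECT
2024-05-01T10:00:12 10.0.0.88 10.0.0.30 8080 REJECT
2024-05-01T10:00:13 10.0.0.88 10.0.0.30 8080 REJECT
2024-05-01T10:00:14 10.0.0.88 10.0.0.30 8080 REJECT
2024-05-01T10:00:15 10.0.0.88 10.0.0.30 8080 REJECT
2024-05-01T10:00:16 10.0.0.10 10.0.0.21 22 ACCEPT
2024-05-01T10:00:17 10.0.0.10 10.0.0.20 443 ACCEPT
this line is malformed and is skipped
"""


def parse_log(text):
    """Return (src, dst, port, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue
        _timestamp, src, dst, port, result = fields
        events.append((src, dst, int(port), result))
    return events


def longest_port_run(ports):
    """Length of the longest run of consecutive port numbers in a set."""
    best = run = 0
    previous = None
    for port in sorted(ports):
        run = run + 1 if previous is not None and port == previous + 1 else 1
        best = max(best, run)
        previous = port
    return best


def find_scan_indicators(events, seq_min=5, fanout_min=5, repeat_min=3):
    """Map each source IP to the scan indicators it triggered."""
    ports_by_pair = defaultdict(set)   # (src, dst) -> ports tried
    dsts_by_src = defaultdict(set)     # src -> distinct destinations
    rejects = defaultdict(int)         # (src, dst, port) -> rejected attempts
    for src, dst, port, result in events:
        ports_by_pair[(src, dst)].add(port)
        dsts_by_src[src].add(dst)
        if result == "REJECT":
            rejects[(src, dst, port)] += 1

    findings = defaultdict(set)
    # Sequentially testing ports: a run of adjacent ports against one host.
    for (src, _dst), ports in ports_by_pair.items():
        if longest_port_run(ports) >= seq_min:
            findings[src].add("sequential-ports")
    # Connecting to many addresses in a network: wide fan-out from one source.
    for src, dsts in dsts_by_src.items():
        if len(dsts) >= fanout_min:
            findings[src].add("many-addresses")
    # Repeated requests to inactive ports/services: same closed port retried.
    for (src, _dst, _port), count in rejects.items():
        if count >= repeat_min:
            findings[src].add("repeated-inactive-port")
    return {src: sorted(names) for src, names in findings.items()}


if __name__ == "__main__":
    for source, names in sorted(find_scan_indicators(parse_log(SAMPLE_LOG)).items()):
        print(source, names)
```

The thresholds are deliberately low to suit the small sample; in practice they would be tuned against the network's own baseline so that ordinary clients such as 10.0.0.10 stay below them.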
• Security Audits
o Independent review and examination of records and activities, to assess the adequacy of system controls,
and to ensure compliance with established policies and operational procedures. How frequent and intensive
security audits should be depends on network needs and the organization’s security resources. If managing
an extensive network or protecting valuable data, audits should be more frequent and comprehensive.
Audits may also be required for regulatory compliance purposes.
§ Elements of a Security Audit
• Vulnerability and Compliance Scanning: To find undetected security issues.
• Security Log Review: To find unusual activities or unreported incidents.
• Incident Response Review: Both to verify the responses were appropriate and to detect
particular trends or patterns.
• User and Administrative Review: To verify compliance with network policies, and to review
user permissions, to minimize the potential for unauthorized access.
• Device Configuration and Application Review: Compare the current state to the security
baseline, or last known good state.
• Data Analysis/ Data Analytics
o Data Analysis: The process of collecting, organizing, and presenting data to provide useful insights. May use
analysis to map which links are the most congested, what servers have experienced failed login attempts, or
what devices have been generating the most ICMP errors. Popular network analysis methods include
NetFlow analysis, protocol analysis, packet analysis, and wireless analysis.
o Data Analytics: Applying business or technical knowledge to create formal algorithms that can process data
further and extract hidden information that simple analysis won't reveal. Data Analytics is used to correlate
multiple data sources into a more complete descriptive picture, to create predictive models that describe
likely future events, or even create prescriptive models that can advise on what to do next.
§ Trend Analysis: Compares measurements taken over time to find increases, decreases, or
predictable patterns. Can predict when future traffic levels might cause availability issues.
§ Anomaly Analysis: Compares data to an established baseline, recognizing when events or patterns
are unusual enough to warrant further study. Used to recognize unexpected traffic on endpoints
that might represent rogue services or malware.
§ Heuristic Analysis: Compares new data against known threats to find similar behaviors, even
without an exact threat signature. Used to determine that a new pattern of ICMP Error Messages on
the network might be a new variant of a stealthy network scan.
§ User and Entity Behavioral Analytics (UEBA): An advanced form of analysis that collects user
behavior data, and then uses it to recognize unusual actions that might represent a security
incident. Similar methods can help administrators recognize when the time, location, or context of
an account login is suspicious.
§ Sentiment Analysis: An emerging technique that uses text analysis and natural language processing
to determine the emotional state of words or speech. It can also apply to biometric techniques that
discern emotional expression and body language. Used to analyze social media or surveillance
videos, to determine when a person's posts or actions show hostile intent. More indirectly,
sentiment analysis can be applied to attack logs to determine an adversary's motivation or goals.
• Artificial Intelligence/ Machine Learning
o Artificial Intelligence: The ability of computers and robots to simulate human intelligence and behavior.
o Machine Learning: Relies on training data to develop analysis capability. Algorithms may be susceptible to
security flaws. Related technologies include Sentiment Analysis, Machine Interpretation of Natural
Language, and User and Entity Behavior Analytics (UEBA).
§ Adversarial Artificial Intelligence: Threat actors may be able to submit tainted samples of training
data, compromising the integrity of the learning.
§ AI Evasion Attacks: Attackers can find holes in the AI training. AI that knows what spam looks like
can be fooled by a different approach. AI that is trained with social security numbers in its data
can be fooled into revealing those numbers.
• Scripting
o Automation of activity through programs and scripts.
§ Scripting Languages
• Windows PowerShell: A task automation and configuration management program from
Microsoft, consisting of a command-line shell and the associated scripting language. Used
for system administration. Attackers use this language to compromise Microsoft system and
Active Domain (AD) administration, and/or file share access.
o Basic Syntax Elements: Uses a verb-noun pair as a naming system. The name of
each cmdlet includes a standard verb hyphenated with a specific noun. Verbs are
used for specific actions in Windows PowerShell, and nouns are used to describe
objects by users and system administrators.
• Python: A high-level, general-purpose programming language, commonly used in cloud
orchestration. Attackers commonly use this language to compromise infrastructure, such as
routers, servers, and switches.
o Basic Syntax Elements: Its design philosophy emphasizes code readability with the
use of significant indentation. It supports multiple programming paradigms,
including structured, object-oriented, and functional programming.
• Bourne Again Shell (BASH): Batch scripting for Linux and Unix command line. Used to
automate and extend the command line. Attackers use this language to compromise Linux
and Unix environments, such as web, database, and virtualization servers, or control the OS
from the command line.
o Basic Syntax Elements: A simple Bash script might look like this:
    #!/bin/bash
    echo "Hello, world!"
In this script, #!/bin/bash is a special directive known as a shebang.
• Macros: Automates functions within an application or operating system. Attackers
automate exploits when the user opens the file. Coded in a scripting language, and records
steps taken in Office productivity applications.
o Visual Basic for Applications (VBA): Office Document Macros. Automates processes
within Windows applications. Attackers use this language to easily infect computers
via arbitrary code embedded in a document.
o JavaScript: PDF Document Macros.
• Automation/Orchestration
o Automation: The process of automatically detecting, investigating, and remediating cyber threats, with or
without human intervention, using a programmatic solution specifically designed for this purpose.
o Orchestration: Allows for easy sharing of information, enabling multiple tools to respond to incidents as a
group, even when the data is spread across a large network and multiple systems or devices. Security
orchestration uses multiple automated tasks to execute a complete, complex process or workflow.
• Penetration Testing/ Ethical Hacking
o An authorized attempt to gain access to a computer system, application, or data. Carrying out a pen test or
ethical hack involves duplicating the strategies and actions of malicious attackers. May or may not include
social engineering or phishing campaigns in the test scope. Certain industries are required to conduct semi-
regular penetration tests to stay PCI DSS compliant.
§ Types of Penetration Testing
• Offensive Penetration Testing: Mimics potential attackers’ tactics.
• Defensive Penetration Testing: Evaluates defensive measures.
• Physical Penetration Testing: Assesses physical security practices and controls.
• Integrated Penetration Testing: Holistic approach combining different methodologies.
§ Penetration Teams
• White Team: Rule-Makers.
• Blue Team: Defensive Team.
• Red Team: Offensive Team.
• Purple Team: Blended Teams.
§ Penetration Testing Environments
• White Box: Known Environment with detailed knowledge about the target.
• Gray Box: Partially Known Environment with limited network knowledge, requiring
reconnaissance.
• Black Box: Unknown Environment with little prior knowledge. Simulates real-world
scenarios.
§ Penetration Testing Life Cycle
• Passive Foot-Printing: Collecting data about a specific target using innocuous methods, like
performing a Google search, looking through Archive.org, browsing through employees'
social media profiles, looking at job sites, and using Whois.
• Reconnaissance/ Active Foot-Printing: The practice of covertly discovering and collecting
information about the security posture and network configuration of the target.
• Initial Exploitation: Obtaining a foothold, via an exploit.
• Persistence: Establish a Command and Control (C2) back door to be able to reconnect even
if a host shuts down or if a user logs off.
• Privilege Escalation: Internal reconnaissance conducted to gain additional credentials and
compromise higher-level privileged accounts.
• Lateral Movement: Compromising other hosts on the system.
• Pivoting: Access hosts with no direct remote connection via a pivot host.
• Actions on Objectives: Carry out a data breach, data exfiltration, or other goals, stated in
the scope of the test.
• Clean Up: Deleting any files, tools, directories, or backdoors, and returning the system to
how it was before the test.
• Active Defense
o A proactive approach to cybersecurity that involves predicting the attacker’s actions and setting relevant
traps to detect a wide range of attacks with precision and speed. It may mean utilizing asymmetric defenses,
which are defenses that increase costs to cyber adversaries by reducing costs to cyber-defenders.
§ Asymmetric Defense: Bypasses or sabotages an attacker’s strengths while targeting their
vulnerabilities. In this type of active defense, the defender maintains an asymmetric advantage over
the opponent. It can even be difficult to detect.
§ Counterintelligence: Activities designed to prevent or thwart spying, intelligence gathering, and
sabotage by an enemy or other foreign entity.

Deception Strategies
• Honeypot: A service or computer configured to act as a decoy, attracting attackers.
• Honeynet: Network of honeypots used to lure attackers to study their activities.
• Honey Files: Seemingly important files located on a honeypot.
• Honey Tokens: Fictitious words/records added to legitimate databases. If data is stolen,
these allow admins to identify who it was stolen from or how it was leaked.
• Fake Telemetry: Similar to honey files. Contains decoy data that can be used to entice
attackers while capturing data on and about the attack.
• Breadcrumbs: Can be in the form of cookies, registry values, files, mounted drives, and ARP
table values, all with fake credentials and data. Breadcrumbs should be
strategically placed in order to be effective with decoys.
• Bogus DNS Records: False DNS records to lure an attacker.
• Decoy Directories/Resources: Realistic lures, such as domains, databases, directories,
servers, apps, files, or credentials, alongside real network assets.
Disruption Strategies
• Port Spoofing: Relies on using Secure Shell (SSH) protocol on non-standard ports.
• DNS Sinkhole/ Blackhole DNS: A DNS that reports incorrect IP addresses. Redirects all traffic
for a given domain to a specific monitored server. An attacker may redirect users to a
malicious site. A defender may redirect malicious domains to a benign
address, while watching the malicious address. Users hitting the malicious
address could indicate device infection.
• Darknet: The dark web is an encrypted part of the Internet not indexed by search
engines and needs specific authorization to access.
Proactive Programs
• Bug Bounties: An ongoing formal offer of name recognition or financial reward to any
individual who finds a software bug or security exploit in a specific website
application or other product.
• Phishing Campaigns: Simulates a phishing attack to monitor how employees respond. Sending a
suspicious E-mail and tracking data for the company over time.
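The defender's use of a DNS sinkhole described above, as an added example that is not part of the original study guide: it scans resolver log lines for answers pointing at the sinkhole and ranks the internal clients that are likely infected. The log format, the sinkhole address 10.10.10.53, and every host and domain name are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumption: the monitored server that every sinkholed domain resolves to.
SINKHOLE_IP = "10.10.10.53"

# Constructed resolver log (hypothetical format): time, client, name, answer.
SAMPLE_LOG = """\
2024-05-01T09:14:02Z client=192.168.1.20 query=intranet.example.test answer=192.168.1.5
2024-05-01T09:14:07Z client=192.168.1.44 query=update.badcdn.example answer=10.10.10.53
2024-05-01T09:15:31Z client=192.168.1.44 query=c2.badcdn.example answer=10.10.10.53
2024-05-01T09:16:00Z client=192.168.1.31 query=www.example.test answer=203.0.113.10
this line is truncated garbage
2024-05-01T09:20:45Z client=192.168.1.44 query=update.badcdn.example answer=10.10.10.53
2024-05-01T09:22:10Z client=192.168.1.77 query=update.badcdn.example answer=10.10.10.53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) answer=(?P<answer>\S+)$"
)


def find_sinkhole_hits(log_text, sinkhole_ip=SINKHOLE_IP):
    """Return ({client: summary}, skipped_line_count) for sinkholed answers."""
    hits = defaultdict(
        lambda: {"count": 0, "domains": set(), "first": None, "last": None}
    )
    skipped = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1  # counted so parsing gaps stay visible to the analyst
            continue
        if m["answer"] != sinkhole_ip:
            continue  # normal resolution, not of interest here
        entry = hits[m["client"]]
        entry["count"] += 1
        entry["domains"].add(m["query"].lower().rstrip("."))
        # ISO-8601 UTC strings in a single format sort chronologically as text.
        ts = m["ts"]
        if entry["first"] is None or ts < entry["first"]:
            entry["first"] = ts
        if entry["last"] is None or ts > entry["last"]:
            entry["last"] = ts
    return dict(hits), skipped


def triage(hits, repeat_threshold=2):
    """Order clients for follow-up: repeated or multi-domain lookups first."""
    rows = []
    for client, e in hits.items():
        repeated = e["count"] >= repeat_threshold or len(e["domains"]) > 1
        priority = "high" if repeated else "review"
        rows.append(
            (client, priority, e["count"], sorted(e["domains"]), e["first"], e["last"])
        )
    rows.sort(key=lambda r: (r[1] != "high", -r[2], r[0]))
    return rows


if __name__ == "__main__":
    found, bad_lines = find_sinkhole_hits(SAMPLE_LOG)
    for row in triage(found):
        print(row)
    print("unparsed lines:", bad_lines)
```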

Response Terminology
• Terminology
o Incident Response: The technical procedures by which an organization handles a data breach or
cyberattack. It is an effort to quickly identify an attack, minimize its effects, contain damage, and remediate
the cause to reduce the risk of future incidents.
o Incident Handling: Management procedures that include planning, coordination, and communication
before, during, and after an incident. Incident Response and Incident Handling should work closely together
as two halves of the same operation but should be treated distinctly.
o Incident Recovery: Used to designate specific roles, establish staff hierarchy, and prioritize tasks in the wake
of a serious cyberattack or data breach. This is a multi-staged process that requires the cooperation and
dedication of the entire IT staff.
o Digital Forensics: A branch of forensic science encompassing the recovery, investigation, examination, and
analysis of material found in digital devices, often related to mobile devices and computer crime.

Incident Response
• Incident Response Plan (IRP)
o A written document, formally approved by the senior leadership team, that helps the organization before,
during, and after a security incident.
• Incident Response Teams
o Computer Incident Response Teams (CIRTs) or Computer Security Incident Response Teams (CSIRTs) assist
with investigating the incident, assessing the damage, collecting evidence, reporting the incident, and
initiating recovery procedures. They also participate in the remediation and lessons learned stages and help
with the root cause analysis.
§ CIRT/CSIRT Responsibilities
• Determine the amount and scope of damage caused by the incident.
• Determine whether any confidential information was compromised during the incident.
• Implement procedures to restore security and recover from any incident-related damage.
• Supervise the implementation of any additional security measures necessary to improve
security and prevent recurrence of the incident.
• Incident Response Process
o Preparation
§ Develop Policies Approved by Management.
§ Identify Critical Data and System Single Points of Failure.
§ Train Staff on Incident Response (IR).
§ Implement an Incident Response Team.
§ Identify Roles and Responsibilities.
§ Practice Incident Identification via Simulation.
§ Plan the Coordination of Communication Between Stakeholders.
o Detection and Analysis
§ Monitor All Possible Attack Vectors.
§ Identify Precursors: Log Files and Alerts Often Warn of Potential Problems.
§ Analyze Incidents Using Known Data and Threat Intelligence.
§ Prioritize Incident Response.
§ Standardize Incident Documentation.
o Containment, Investigation, Eradication and Recovery/ Reconstitution
§ Choose an Appropriate Containment Strategy.
§ Isolate the Attack.
§ Gather Evidence.
§ Identify the Attacker.
§ Eliminate the Root Cause of the Incident.
§ Prevent Immediate Recurrence.
o Post Incident Activity/ Follow-Up
§ Reconstitution: A Phased Approach to Recovery After a Breach.
§ Apply Vulnerability Mitigations.
§ Identify Evidence that Must be Retained.
§ Document Lessons Learned.
o Incident Reporting
§ Write a Brief Overview and Summary of the Nature and Scope of the Incident.
§ Present a Timeline of the Incident, Including When it Began and Ended.
§ Compile a List of Personnel Involved in the Response Process.
§ Cite the Root Cause of the Incident.
§ Provide a Detailed List of Actions Taken in the Response Process.
§ Document Remaining Vulnerabilities and Possible Actions that Could Prevent a Recurrence.
§ Document Evidence Gathered During the Response Process, as Well as How it Will be Retained.

Incident Recovery
• Business Continuity Plan (BCP)/ Continuity of Operations Plan (COOP)
o A document including an analysis of risks to business operations, controls to mitigate them, and the
proactive development of procedures to restore business operations after a disaster or other significant
disruption to the organization. The capability of an organization to continue service delivery at pre-defined
acceptable levels. A well-written BCP should include preventative, corrective and recovery controls.
§ Components of a Business Continuity Plan (BCP)
• List of the BCP team members, including multiple contact methods and backup members.
• Immediate response procedures and checklists, such as security and safety procedures, fire
suppression procedures, and notification of appropriate emergency response agencies.
• Notification systems and call trees for alerting personnel that the BCP is being enacted.
• Guidance for management, including designation of authority for specific managers.
• How and when to enact the plan.
• Contact numbers for critical members of the supply chain, such as vendors, customers,
possible external emergency providers, and 3rd party partners.
§ Continuity of Operations Plan (COOP): Refers to similar activities but in government agencies.
Procedures for moving critical operations to a temporary site during disaster recovery.
• Site Resilience/ Redundancy/ Fault-Tolerance
o Hot Sites: A fully functional backup site that already has data mirrored.
o Cold Sites: Provides power, networking capability, and cooling, but no other
hardware.
o Warm Sites: Contains all elements of cold sites but adds storage hardware. Still
requires data to be transported should a disaster occur.
• Restoration Order
o Power Delivery Systems.
o Switch Infrastructure and Routing Appliances.
o Network Security Appliances.
o Critical Network Servers.
o Back-End and Middleware (Verify Data Integrity).
o Front-End Applications.
o Client Workstations and Devices.
o Client Browser Access.
• Information System Contingency Plan (ISCP)
o Procedures for restoring individual information systems after a disaster or for maintaining partial function
during the recovery process.
• Crisis Communication Plan (CCP)
o Procedures for communications in the event of a disaster. Crisis Communication Plans should coordinate (in
advance of a crisis) internal communications, to aid in recovery efforts and define a single authority for
providing information to or answering questions from customers or outside organizations.
• Succession Plan (SP)
o Procedures for managing sudden changes of personnel. They should identify essential employee roles within
the organization and identify/train replacements to step in should those roles suddenly become open. They
should also define a clear Chain of Command during disaster recovery.
• Functional Recovery Plan (FRP)
o A step-by-step guide for going from an outage to being back up and running. FRPs are assessed through
walkthroughs, tabletop exercises, functional exercises, and full-scale exercises.
• Disaster Recovery Plan (DRP)
o Process of maintaining or reestablishing vital infrastructure and systems following a natural or human-
induced disaster, such as a storm or war. It employs policies, tools, and procedures.
§ Disaster Types
• Environmental/ Natural.
• Person-Made/ War.
• Malicious/ Accidental Insiders.
• Malicious Outsiders/ Adversaries.
§ Components of a Disaster Recovery Plan (DRP)
• Critical disaster recovery team members must have checklists to guide their actions amidst
the chaotic atmosphere of a disaster.
• IT personnel must have technical guides to help them get alternate sites up and running.
• Managers and public relations personnel must have simple, high-level documents to help
them communicate the issue accurately without requiring input from other team members.
§ Information Needed to Create a DRP
• System Documentation: Network diagrams, facility blueprints, system configurations, user
credentials, and software activation keys.
• Reserve Resources: Replacement parts, redundant systems, and alternate sites, which can
repair or replace the affected resource.
• Vendor Lists: Vendors and suppliers for equipment that may need to be replaced and
procedures or contracts needed for quick replacement of critical components.
• Alternate Practices: Procedures allowing business needs to be met during recovery,
especially regarding regulatory requirements.
• Backup Policies: Procedures for creating and safely storing backups that can be restored in
case of system or data loss.
• Recovery Procedures: Detailed procedures for assessing, containing, and repairing damage
to critical systems, as well as for restoring those that cannot be repaired.
• Restoration Order: A list of what functionalities should be restored, in which order,
following a disaster. Business criticality is an integral part of restoration order. It should also
consider dependencies between functions or the duration and difficulty of specific tasks.
• Personnel List: Responsibilities and contact information for the members of recovery teams.
• Emergency Contacts: Contact information for relevant parties, such as upper management,
utility companies, or emergency services.

Digital Forensics
• Digital Forensics
o A branch of forensic science encompassing the recovery, investigation, examination, and analysis of material
found in digital devices, often related to mobile devices and computer crime.
§ RFC 3227-Guidelines for Evidence Collection and Archiving: A set of best practices for the
acquisition, analysis and reporting of digital forensics.
§ Forensics Concepts
• Due Process: Procedural safeguards that ensure fairness in forensic investigations and trials.
• Legal Hold: Also known as a litigation hold. The process organizations use to inform relevant
parties, such as Data Custodians, that they must preserve data for anticipated litigation.
• Chain of Custody: A chronological paper trail that records the sequence of custody, control,
transfer, analysis, and disposition of materials, including physical or electronic evidence.
• Admissibility: Not all data can be used in a court of law. There are different rules for
different jurisdictions. Factors that influence admissibility are obtaining legal authorization
for search and seizure, using proper scientific procedures and tools, and the verification of
the technical and academic qualifications of the experts.
• E-Discovery: Legal Discovery where the information sought is in an electronic format. Filters
relevant evidence from forensic examination data for use as trial evidence. Tools assist in
deduplication, search, tagging, security and disclosure of evidence.
• Provenance: A chain of custody for data handling that guarantees authenticity and integrity.
• Order of Volatility: Prioritizing the collection of the most volatile data first. By collecting the
most time-sensitive or easily changed evidence first, the chances of losing it are minimized.
o CPU registers and cache memory.
o Routing tables, ARP cache, process tables, and kernel statistics.
o Other RAM contents, browsing history, clipboard data, encryption keys, and
command history.
o Swap files/ page files and other temporary file systems.
o Other data on hard drives, disks, or flash media, such as OS files, logged-in users,
open ports, processes currently running, and attached device list.
o Network and remote monitoring and logging data.
o Security and authentication logs for all affected systems and accounts.
o System and application logs representing host activity.
o Memory dump files from hosts or applications.
o Web, DNS, and other network logs.
o SIP traffic, call manager logs, and other VoIP records.
o Data and metadata on mobile devices, such as phone calls, contact information, text
messages, E-mails, images, movies, date, time and GPS location.
o Virtual Machine (VM) Snapshots and Images.
o Firmware data.
o Physical configuration and network topology.
o Other artifacts found in log information, flash memory, prefetch cache files, recycle
bin, browser bookmarks, and browser logins.
o Analyze the USB device history log.
o Vulnerability scan results.
o External data, such as surveillance feeds and physical sensor data.
o Archival media, such as optical discs or printouts.
§ Forensics Process
• Determine what data needs to be collected. If unsure, it's better to collect too much than
too little. Include any information placed on a legal hold by involved parties. If information
outside of the organization's control is relevant, then coordinate with an attorney to
establish a legal hold on it. Verify that the gathered information will answer any questions
(who, what, where, why, and how) later in the investigation.
• Secure physical and remote access to any systems or data relevant to the investigation
before they can be accidentally or deliberately altered.
• Document the scene whether physical or digital, as it was found. Document any known
changes made during containment or before the area was fully secured. Take pictures of the
scene and the evidence collected.
• Use forensic backup software to make disk images, copy memory, or save configuration
files. Include unallocated space and slack space. These applications will preserve valuable
information that conventional backup software will not.
• Back up the image. Ensure the integrity of evidence by avoiding alterations during
acquisition. Use write blockers to prevent changes to source data or metadata. Create a
hash of files submitted to evidence.
• Conduct a File Integrity Check. This is done with an application that can verify that the files
have not been modified using a hash algorithm to authenticate the file.
• Use analysis tools for password cracking, file carving, and memory/ cryptographic analysis.
• Include mobile device, cloud, virtualization and container forensics.
• Secure the confidentiality, integrity, and authenticity of the findings.
• Consider the use of a Faraday Cage: Used in electronic labs, where stray EM fields must be
kept out. This is important for testing sensitive wireless receiving equipment. Also good to
prevent signals from being sent to mobile devices during a forensic investigation.
• For a formal investigation, observe the chain of custody, legal holds, and standards for the
preservation of data. For an ordinary investigation, just make sure that the collection is
accurate and doesn't cause any security leaks.
• Consider timestamp calculation methods to account for potential clock synchronization
issues. Record offsets between local and UTC time.
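The hashing, file integrity check, and timestamp steps of the forensics process above, as an added example that is not part of the original study guide: it builds an evidence manifest with a SHA-256 per file, the UTC acquisition time and the local clock offset, then re-verifies the evidence and reports modified, missing, or unexpected files. The file names, examiner label, and manifest layout are constructed assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large disk images do not have to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_files(evidence_dir):
    """Yield (relative_path, absolute_path) for every file, in stable order."""
    for root, dirs, files in os.walk(evidence_dir):
        dirs.sort()
        for name in sorted(files):
            full = os.path.join(root, name)
            yield os.path.relpath(full, evidence_dir), full


def build_manifest(evidence_dir, examiner):
    """Record size and SHA-256 per file plus acquisition time and clock offset."""
    local_now = datetime.now().astimezone()
    return {
        "examiner": examiner,
        "acquired_utc": local_now.astimezone(timezone.utc).isoformat(timespec="seconds"),
        # Offset between local time and UTC, kept so timestamps can be reconciled.
        "local_utc_offset_minutes": int(local_now.utcoffset().total_seconds() // 60),
        "files": {
            rel: {"size": os.path.getsize(full), "sha256": sha256_file(full)}
            for rel, full in list_files(evidence_dir)
        },
    }


def verify_manifest(evidence_dir, manifest):
    """File integrity check: compare current hashes against the manifest."""
    recorded = manifest["files"]
    present = dict(list_files(evidence_dir))
    modified = sorted(
        rel for rel, full in present.items()
        if rel in recorded and sha256_file(full) != recorded[rel]["sha256"]
    )
    return {
        "modified": modified,
        "missing": sorted(set(recorded) - set(present)),
        "unexpected": sorted(set(present) - set(recorded)),
    }


def demo():
    """Acquire constructed evidence, verify it, then verify after alterations."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        samples = (("disk.img", b"\x00" * 4096 + b"MBR"), ("memory.raw", b"\xff" * 2048))
        for name, data in samples:  # constructed stand-ins for acquired images
            with open(os.path.join(evidence_dir, name), "wb") as fh:
                fh.write(data)
        # The manifest is held outside the evidence directory (here, in memory).
        manifest = build_manifest(evidence_dir, examiner="analyst-01")
        clean = verify_manifest(evidence_dir, manifest)

        # Simulate mishandling: one byte changed, one file lost, one file added.
        with open(os.path.join(evidence_dir, "disk.img"), "r+b") as fh:
            fh.seek(10)
            fh.write(b"\x01")
        os.remove(os.path.join(evidence_dir, "memory.raw"))
        with open(os.path.join(evidence_dir, "notes.txt"), "wb") as fh:
            fh.write(b"added after acquisition")
        altered = verify_manifest(evidence_dir, manifest)
    return manifest, clean, altered


if __name__ == "__main__":
    manifest, clean, altered = demo()
    print(manifest["acquired_utc"], manifest["local_utc_offset_minutes"])
    print("clean:", clean)
    print("altered:", altered)
```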
• Hashing for Integrity, Data-Continuity and Non-Repudiation
o Message Digest: A fixed-size numeric representation of the contents of a message, computed by a hash
function. A message digest can be encrypted, forming a digital signature.
o Check Digit: One or more digits (or letters) computed by an algorithm from the other digits (or letters) in the
sequence input. With a check digit, one can detect simple errors in the input.
o Checksum: A digital fingerprint of a piece of data that can be used to check that it is an unaltered copy.
o Cryptographic Nonce: Random or pseudo-random numbers that authentication protocols attach to
communications. Sometimes these numbers include a timestamp to intensify their fleeting nature.
§ Initialization Vector (IV): A type of nonce used for randomizing encryption schemes. Used in
encryption ciphers, WEP, and some SSL implementations.
§ Salt/Pepper: A salt is a random bit of data added to the password before it's hashed. A pepper is
similar, but unlike a salt, it's not kept in the database along with the hash value. Instead, it's
usually hard coded into the website's source code.
o Hash Functions
§ Message Digest 5 (MD5): Widely used hash function producing a 128-bit hash value. Has collisions.
§ Secure Hash Algorithm (SHA-1): Produces a 160-bit hash for the same input.
§ Secure Hash Algorithm 2 (SHA-2): Produces 224 to 512-bit hashes. A 256-bit hash is most common.
§ Secure Hash Algorithm 3 (SHA-3): Six hash functions with digests (hash values) that are 128, 224,
256, 384, or 512 bits. Newer, more secure, but slower. SHA3-256 is the most widely used algorithm.
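The Salt/Pepper entry above, as an added example that is not part of the original study guide: each password gets its own random salt stored in the record, while the pepper is mixed in from outside the database, so a stolen record alone does not verify even the correct password. The pepper value, the PBKDF2 work factor, and the record layout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumption: the pepper is an application-wide secret held outside the
# database (in code or configuration). This value is constructed.
PEPPER = b"constructed-example-pepper"
ITERATIONS = 200_000  # example PBKDF2 work factor; tune for real hardware


def _derive(password, salt, pepper, iterations):
    # Mix the pepper in with HMAC-SHA256, then stretch with the per-user salt.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)


def hash_password(password, pepper=PEPPER, iterations=ITERATIONS):
    """Return the record that would be stored in the user table."""
    salt = os.urandom(16)  # fresh random salt for every password
    return {
        "salt": salt.hex(),          # stored next to the hash
        "iterations": iterations,    # stored so the work factor can be raised later
        "hash": _derive(password, salt, pepper, iterations).hex(),
        # The pepper is deliberately absent from the record.
    }


def verify_password(password, record, pepper=PEPPER):
    """Recompute with the stored salt and compare in constant time."""
    candidate = _derive(
        password, bytes.fromhex(record["salt"]), pepper, record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    # Same password, different salts: the stored hashes differ.
    print("hashes differ:", alice["hash"] != bob["hash"])
    print("right password:", verify_password("correct horse battery staple", alice))
    print("wrong password:", verify_password("Tr0ub4dor&3", alice))
    # A database-only leak lacks the pepper, so guesses cannot be checked.
    print("without pepper:", verify_password(
        "correct horse battery staple", alice, pepper=b"attacker-guess"))
```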

Secure Applications
• DevOps/ DevSecOps
o DevOps: A set of practices that stress the collaboration of developers and IT operations teams, to form an
environment where software can be rapidly developed, tested, and released in a mostly automated process.
Primarily focused on increasing the speed and quality of software development and delivery.
o DevSecOps: Aims to secure the software development process by integrating security early and throughout
the software development life cycle. Developers and operations teams work together.
• Software Lifecycle Models
o Waterfall: Breaks the software lifecycle up into consecutive phases, one after the other. The first formal
description of this model describes six steps.
§ Requirements: Determining what the software's function and usability requirements will be, along
with the hardware and resources that will be required to run and support it.
§ Analysis: Working with stakeholders to turn their requirements document into a product model
with enough detail to begin system design.
§ Design: Creating detailed frameworks and algorithms for how the application will achieve its
functional and usability goals. The design phase maps out the application’s look and feel, chooses
the technologies used to develop it, and breaks it up into components that can be coded separately.
§ Development: Coding individual modules and integrating the application into a functional whole.
§ Testing: A systematic process of finding and removing software bugs and verifying that the
application meets stakeholder requirements.
§ Maintenance: Deploying and maintaining the application through the remainder of its use.
o Agile: Follows an iterative or incremental model. Instead of a monolithic project, development is broken up
into many successive iterations, that each add a little bit more to the product. Each iteration is a new
software version with the same phases, requirements, and testing. Not all of them will be deployed into
production, but each can be shared across teams and with stakeholders. This method allows fast delivery
and constant user feedback and is well-suited to online or cloud distributions, where frequent software
updates aren't difficult. It is more difficult to track documents and ensure that design principles, including
security, remain sound throughout.
o Spiral: Uses repeated development iterations like Agile, but the goal isn't to have a rapidly developing
product. Instead, the spiral model uses repeated prototyping cycles to create a mature end-product. It also
incorporates risk management into every iteration.
o Continuous Integration/Delivery: These methods aspire to an ideal where software is continually being
improved yet can be released into production at any time.
§ Continuous Integration (CI): The practice of merging code changes to the main branch several times
a day. Designed to prevent integration conflicts caused by multiple developers making independent
changes to their working copies of the same code. To prevent merging bad code, CI relies on
automated testing and building processes, maintaining a test environment, and ensuring each
change is committed as a single operation. Everything is orchestrated into a single workflow.
§ Continuous Delivery (CD): The practice of developing software that can be reliably released at any
time without additional preparation. Typically, it relies on short development cycles, geared towards
frequent, even daily, releases into production.
§ Continuous Deployment (CD): A further extension to continuous delivery, which automates and
orchestrates the entire release process, from committing code to deploying production software. No
human intervention is required.
§ Continuous Validation (CV): Adds a validation package as an additional output to the CI/CD pipeline.
It contains evidence that all mandated development practices were followed during the
development process, to allow easy auditing.
§ Continuous Monitoring (CM): Adds automated processes to monitor the performance of the
application and its environment. It is especially important as a final quality safeguard in DevOps
environments, where code is pushed into production environments as quickly as possible.
• The Secure Development Lifecycle
o Core Security Training: Ensuring that all personnel directly involved are trained appropriately for their role.
o Requirements: Establishing security and privacy requirements and performing risk assessments.
o Design: Establishing design requirements, analyzing the attack surface, and performing threat modeling.
o Implementation: Creating the documentation and tools needed to compile and deploy the program,
establishing best practices for development, and analyzing code before it's compiled.
o Verification: Performing dynamic testing and compiling code to verify that it meets security requirements
defined in the previous phases.
o Release: Performing a final security review, designing incident response procedures, archiving all relevant
data, and finally releasing the product itself to users.
o Response: Executing an Incident Response Plan (IRP) for any security or privacy incidents that arise within
the deployed software.

• Quality Control
o Concerned with ensuring that the created product is fit for usage. It focuses mostly on the quality of the
product/service given to clients during or after software deployment.
§ Quality Control Steps
• Quality Test: A process organizations use to ensure their products and services meet
specified regulations and standards.
• Quality Assessment: Assessment of the precision and accuracy of the data, after analysis.
• Quality Audit: Conducted to check the causes of poor quality, corrective action taken, and
the confirmation or verification activities undertaken related to quality.
• Quality Evaluation: A quality management activity in which another individual, typically a
supervisor or someone from the QM team, scores the product or process based on key
criteria defined in a quality form.
• Application Programming Interfaces (API)
o A set of standards, protocols, and tools for building software. How external entities interact with a service.
§ Simple Object Access Protocol (SOAP): A strict and secure way to build APIs, that encode data in
XML. Used for standardized, protocol-based communication requiring high security and reliability.
§ Representational State Transfer (REST): An architectural style and an approach for communication
used in the development of web services. More flexible and allows applications to exchange data in
multiple formats.
• Other DevSecOps Concepts
o Immutable Systems: Deploying systems or other infrastructure as a monolithic instance that can be
replaced by the next iteration, but not modified or upgraded. Immutable systems are locked and unable to
change. To update a component, the entire platform must be updated. Immutability prevents the process of
upgrading from introducing unforeseen vulnerabilities.
o Baseline: A documented, lowest level of security configurations allowed by a standard or organization.
o Benchmark: A checklist of potential vulnerabilities in a piece of software along with the configuration
settings used to mitigate them.
o Compiled Code: Code that is optimized by an application and converted into an executable.
o Runtime Code: Code that is interpreted as it runs.
o Code Reuse: The use of old code to build new applications via copy-paste. If the old code has security
vulnerabilities, reusing the code spreads it to other applications.
o Dead Code: A section in the source code that is executed but the result is never used in any other
computation. All code, especially unnecessary code, is an opportunity for a security problem.
o Transitive Access: Occurs when a user is given access to another part of the application or system.
Developers must ensure that the application does not allow access in the event of a crash or malfunction.
o Infrastructure as Code (IaC): Writing code that can automate the provision or configuration of
infrastructure, such as servers and network appliances, so that a new iteration can be deployed rapidly and
with minimal chance of error. Orchestration tools automate sequences of tasks such as provisioning and
configuring Virtual Machines (VMs).
o Function-as-a-Service (FaaS): Serverless architecture where applications are separated into individual
autonomous functions. Developers can still create server-side logic. Can run in a stateless compute
container without an operating system. May be event triggered or ephemeral. May only run for one event.
Managed by a third-party.

ICS/SCADA Systems
• ICS/SCADA
o Industrial Control Systems (ICS): An electronic control system and associated instrumentation used for
industrial process control.
o Supervisory Control and Data Acquisition (SCADA): Developed to monitor state changes in large-scale
distribution systems, such as electrical grids, waste control systems, and transportation.
§ Industrial Control Systems (ICS) are often managed via a Supervisory Control and Data Acquisition
(SCADA) system that provides operators with a Graphical User Interface (GUI) to easily observe the
status of a system, receive alarms, enter system adjustments, and manage processes. Typically runs
as software on ordinary computers. Gathers data from and manages plant devices with embedded
PLCs (field devices) and uses WAN communications like cellular or satellite to link field devices.
o Distributed Control System (DCS): Designed to extend process control systems in refineries and other
industrial plants, while remaining within the confines of a single operation. It offers more real-time control
than SCADA but has less tolerance for unreliable networks.
Security Controls

Data Center Security


• Physical Controls
o Perimeter Security: Deter or prevent a perimeter breach at the physical site of a network or data center.
§ Fencing/Electrical Fencing/Razor Wire: Deter and prevent a perimeter breach. Fencing may have
sensors, and/or contain electrical current.
§ Bollards: Cement architectural obstacles that prevent vehicle entry and direct the flow of traffic.
Large cement planters outside of buildings are often disguised bollards.
§ Good Lighting: Avoid shadow and glare. Deter casual and opportunistic adversaries.
§ One-Way Glass: Highly reflective. See out, without allowing others to see in.
§ CCTV Cameras: Deter unauthorized entry, keep a digital record of access, and identify adversaries.
§ Visible Signage: Used to deter unauthorized access, control foot traffic, and for human safety.
§ Drones: Easily monitor large areas, assess damage, or conduct Site Surveys.
§ Crime Prevention Through Environmental Design (CPTED): Directing the flow of people through
passive techniques, such as water features or architectural obstacles.
§ Industrial Camouflage: Blend into the environment. No visible signs. “Security Through Obscurity.”
§ Air Gap: A network where the devices are physically separate from one another and don't share any
components to communicate. Physical space between facilities, server rooms, and networks. Great
for security but must be mindful of removable media.
§ Alarms and Sensors: On doors, windows, gates, and turnstiles. Strain-sensitive cables or other
vibration sensors can detect if someone attempts to scale a fence.
• Object Detection: Can detect missing objects, foreign objects and human/animal targets.
May include facial recognition.
• Motion Detectors: Detect unexpected access or physical presence in a restricted area.
• Noise Detectors: An electronic device that measures sound levels or noise signals.
• Pressure Sensors: Measures the force of pressure on a surface and converts the information
into an electrical signal. The signal is used to monitor or regulate the pressure of a space.
• Environmental Temperature Sensors: Monitor and detect unusual heat, cold, and humidity.
o Heating, Ventilation, Air Flow, and Cooling (HVAC).
o Moisture Detection and Humidity Control.
o Hot and Cold Aisles in data centers and server rooms.
• Fire Suppression and Detection Systems: Dupont FM-200.
o Fire Extinguisher Classes
§ Door, Entryway and Window Access: First line of defense, access control and perimeter security.
• Sealed and Locked Doors and Windows: Use deadbolts, locks and keys.
• PINs, Passwords, Passphrases: Something You Know.
• Employee ID Badges, Proximity Cards, Key Cards, and Key Fobs: Something You Have.
• Biometrics: Something You Are.
• Access Control Vestibule/Mantrap/Airlock: Prevents Piggybacking and Tailgating.
§ Security Guards: A physical deterrent and sometimes preventative security measure.
• Access Lists and Physical Visitor Log: Logical or physical access lists and records.
• Robot Sentries: Replaces human guards with robots and drones.
• Guard Dogs: A physical deterrent for most opportunistic and casual adversaries.
§ Vaults/ Safes: Physical protection for the most valuable assets. Vulnerable to insider threats.
• Duress/ Panic Button: Alert the authorities and seal specific doors, vaults or safes.

Network Security
• Physical Controls
o Physical Redundancy and Backups: Remove single points of failure and create fault tolerance.
§ Power Distribution Units (PDU): A power strip connected to ethernet for better control and
monitoring of power usage across the network.
§ Power Conditioner: Improves the quality of power that is delivered to electrical equipment.
§ Backup Power Supplies: Provides fault tolerance in the event of an electrical outage. Useful for data
center, operations, and network security.
• Backup Gas Powered-Generator: Also known as a natural gas generator. A portable piece of
equipment that converts fuel into electricity. Used for backups and in natural disasters.
• Dual Power Supplies: Can be used as a backup power supply for mission-critical equipment.
• Uninterruptible Power Supply (UPS): A type of continual power system that provides
automated backup electric power when the input power source fails.
§ Protected Distribution System (PDS): Metal cable and fiber protectors that prevent cable and fiber
taps or cuts. All data flows through physically secured conduits. Requires periodic visual inspection.
§ Electromagnetic Shielding: A method of using conductive or magnetic materials to create a barrier
around electronics and cables to protect them from Electromagnetic Frequencies (EMF).
• Electrostatic Discharge (ESD): A sudden and momentary flow of electric current between
two differently charged objects when brought close together.
• Electromagnetic Interference (EMI): A disturbance generated by an external source that
affects a circuit by electromagnetic induction, electrostatic coupling, or conduction.
• Radio Frequency Interference (RFI): An electrical disturbance within the radio frequency
spectrum.
• Electromagnetic Pulse (EMP): Also called a Transient Electromagnetic Disturbance (TED), it
is a brief burst of electromagnetic energy or pulse.
o Anti-Static Wrist Strap: Used when troubleshooting hardware, replacing parts, or
taking apart a device, to provide grounding. This protects the technician from shock
and preserves the components of the device, and data on them.
o Personal Protective Equipment (PPE): Insulated clothing or rubber gloves to
prevent shock.
o Faraday Cage: Used in electronic labs, where stray EM fields must be kept out. This
is important in the testing of sensitive wireless receiving equipment. Also good to
prevent signals from being sent to mobile devices during a forensic investigation.
o Physical Network Segmentation: Minimizing the attack surface of a network through physical means such
as port security and isolation. Making it more difficult for a successful attack of one component or computer
to spread throughout the network.
§ Hardware and Vendor Diversity: Choosing hardware and appliances from more than one vendor
provides fewer attack surfaces and eliminates single points of failure.
§ Port Security: Disable unused physical ports on network devices/appliances (especially switches).
§ Air Gap: A security measure that involves isolating a computer or network and preventing it from
establishing an external connection. A network where the devices are physically separate from one
another and don't share any components to communicate. Also describes the physical space
between facilities, server rooms, and networks.
§ System Isolation/ Containment: A security measure taken in the event of attack, to prevent the
spread of malware, or other malicious action. Involves physically disconnecting the system from the
rest of the LAN, and disabling wired, and wireless connectivity.
• Logical Controls
o Logical Network Segmentation: Also known as Virtual Network Segmentation. Dividing a network into
smaller, more manageable sections using software. This can be done through subnetting, Virtual Local Area
Networks (VLANs), or network addressing schemes.
§ Security Zones: Internal security topology based on network segmentation and access control.
Different zones for different levels of trust and access control requirements.
§ Micro-Segmentation: A network security approach that constructs security zone boundaries per
machine in data centers and cloud deployments, to segregate and secure workloads independently.
Allows an organization to limit which business functions, units, offices, or departments can
communicate with each other, and enforce the concept of least privilege.
§ De-Perimeterization: Focuses on protecting specific assets instead of network boundaries. Essential
due to the prevalence of cloud, remote work, mobile devices, outsourcing, and wireless networks.
§ Virtual Local Area Networks (VLANs): Using switches to create software-based LAN segments,
which can segregate or consolidate traffic across multiple switch ports. Devices that share a VLAN
communicate through switches as if they were on the same Layer 2 network. Broadcast traffic is
limited to the VLAN, reducing congestion, and reducing the effectiveness of some attacks.
§ Screened Subnet: Previously called a Demilitarized Zone (DMZ) or Perimeter Network. Refers to the
use of one or more routers as firewalls to define three separate subnets: An external router, that
separates the external network from a perimeter network, and an internal router that separates the
perimeter network from the internal network. Acts as a neutral zone between an organization's
internal network and the Internet. Separates public-facing servers from sensitive internal resources.
Hosts web, E-mail, DNS or FTP services accessible from the Internet but isolated from internal
systems to limit damage from breaches. Firewalls control traffic to and from the Screened Subnet,
providing an additional layer of protection.
• Dual Firewalls (DMZ): This implementation uses two firewalls to create a DMZ.
• Intranet: Only available internally.
• Extranet: Accessed by trusted business partners or others who need access to hosted data
or services but who should not get access to the entire private network. It is commonly
accessed through a VPN.
• Bastion Hosts: Dedicated server that lets authorized users access a private network from an
external network.
• Three-Homed Firewall: A network architecture where a single firewall is used with three
network interfaces, creating segmentation.
• Jump Server: Also called the Jump Box or Secure Admin Workstation (SAW). A highly secured
steppingstone from one zone to another. From a workstation in a corporate network, log
into a jump server. Access the DMZ without directly exposing the workstation to the DMZ.
• Out-of-Band Management: Ensure a separate network for administrative access. Enhances
security by limiting direct access to administrative interfaces.
§ Subnets: A logical subdivision of an IP network. The practice of dividing a network into two or more
networks is called subnetting.
• Network Address Translation (NAT): A logical measure to map multiple private IP addresses
inside a local network to a single public IP address before transferring the information onto
the Internet. Saves IPv4 address space.
• Port Address Translation (PAT): Similar to Network Address Translation (NAT). It permits
multiple devices on a LAN to be mapped to a single public IP address to save address space.
Found on a router or virtual switch, primarily in SOHO networks.
• Source Network Address Translation (SNAT): Used when most traffic comes from internal
systems, such as internal client workstations connecting to Internet servers. It helps security
by making it harder for outside attackers to contact internal hosts, but it also makes it
harder to run server applications.
• Destination Network Address Translation (DNAT): Used when traffic is generally initiated
by external systems, such as intranet clients connecting to local servers. It requires pre-
configured address assignments for internal servers.
• Common Address Redundancy Protocol (CARP): Allows multiple hosts on the same network
segment to share an IP address.
o Network Appliances (Hardware-Based)
§ Port Mirrors: Copies network packets from one switch port to another switch port's network
monitoring connection. It's also known as Switched Port Analyzer (SPAN) or traffic mirroring. Limited
functionality but can work for light traffic.
§ Network Taps: A hardware device that performs Port-Mirroring. Sends a copy of network packets
from one switch port (or an entire VLAN) to a network monitoring connection on another port.
§ Sensors: Monitors data in different locations on the network and sends that data to a central
location (like a SIEM) for storage, viewing, and analysis. Can be hardware or software and can be a
component of a different network appliance, such as a switch, firewall or router. Place on the inside
of a firewall, or close to a critical server to detect malicious traffic.
§ Collectors: Hardware or software that receives, stores, and preprocesses network monitoring data,
especially in the context of NetFlow analysis. Works with data from proprietary consoles, SIEM
consoles, syslog servers, Intrusion Prevention Systems (IPSs), and firewalls.
§ Correlation Engines: Compares and corresponds data collected from the sensors to determine if an
attack is present. Often built into a SIEM.
§ Wrappers: A hardware, software, or network appliance that intercepts all communications meant
for a legacy or deprecated device and handles security for it. Comparable to adding a complete
Firewall/Antivirus/IDS solution to a system that cannot otherwise run them.
§ Switches: A hardware or virtual component that connects devices on a network, allowing them to
communicate and share resources.
• Virtual Local Area Networks (VLANs): Switches can create software-based LAN segments,
which can segregate or consolidate traffic across multiple switch ports. Devices that share a
VLAN communicate as if they were on the same Layer 2 network. Broadcast traffic is limited
to the VLAN, reducing congestion, and reducing the effectiveness of some attacks. VLANs
can be configured based on switch port, IP subnet, MAC address, and protocols. VLAN IDs
(2-4,094) are assigned, enabling different ports on the same switch to belong to different
VLANs. Routers are required for VLANs to communicate.
o Security Concerns
§ Collision Domains: Data collisions may occur.
§ Broadcast Domains: All broadcasts are forwarded.
§ VLAN Hopping: Attacks where a host on one VLAN can gain access to traffic
in another, that would normally not be accessible.
o Security Features
§ ARP Inspection: A security feature for Address Resolution Protocol (ARP).
Checks all ARP packets on untrusted interfaces and compares them to the
DHCP snooping database and/or an ARP access list.
§ Spanning Tree Protocol (STP)/ Rapid Spanning Tree Protocol (RSTP):
Prevents broadcast storms, unstable MAC tables, loops, and collisions.
• STP States
o Blocking: Preventing a loop.
o Listening: STP determines whether the port should
participate in frame forwarding or not.
o Learning: Learns MAC addresses before entering a
forwarding state.
o Forwarding: The interface will forward Ethernet frames,
enabling data transmission.
• Loop Protection/ Loop Guard: Prevents loops from forming on
unmanaged switches.
• Bridge Protocol Data Unit (BPDU) Guard: Disables ports if
unwarranted BPDUs are sent.
• Root Guard: A port cannot be selected as the root port. It is
assigned an alternate port role and enters a blocking state.
§ Port Security: Tracks device MAC addresses connected to each port on a
switch and can allow or deny traffic based on MAC address. Can prevent
unauthorized devices from joining the network, or block attacks that rely on
MAC spoofing.
§ MAC Filtering: Prevents physical connections from neighboring MAC
addresses. Security Through Obscurity.
§ DHCP Snooping: Excludes rogue DHCP servers and blocks malicious or
malformed DHCP traffic.
§ Broadcast Storm Control: The switch intentionally stops broadcast traffic if
the bandwidth consumed exceeds a designated threshold.
§ Flood Guard: Limits the devices that can communicate through a switch
interface. Protects against Denial of Service (DoS) and SYN Flood attacks.
§ MACsec Encryption: A security protocol that guards against network data
breaches by encrypting traffic between Ethernet-connected devices.
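The ARP Inspection check listed under Security Features, as an added Python sketch (not from the study guide or any switch vendor's code): ARP packets arriving on untrusted ports are compared to a DHCP snooping database and an ARP access list. The class and field names, port names, VLAN number and addresses are assumptions constructed for illustration.

```python
"""Toy model of ARP inspection on a switch (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    sender_mac: str
    sender_ip: str
    vlan: int
    ingress_port: str


class ArpInspector:
    """Hypothetical helper: validates ARP senders against known bindings."""

    def __init__(self, trusted_ports, static_acl=()):
        self.trusted_ports = set(trusted_ports)
        # DHCP snooping database: (ip, vlan) -> (mac, port)
        self.bindings = {}
        # ARP access list for statically addressed hosts: {(ip, mac)}
        self.static_acl = {(ip, mac.lower()) for ip, mac in static_acl}

    def learn_lease(self, mac, ip, vlan, port):
        """Record a lease observed by DHCP snooping."""
        self.bindings[(ip, vlan)] = (mac.lower(), port)

    def inspect(self, pkt):
        """Return (verdict, reason) for one ARP packet."""
        if pkt.ingress_port in self.trusted_ports:
            return "forward", "trusted interface"
        mac = pkt.sender_mac.lower()
        if (pkt.sender_ip, mac) in self.static_acl:
            return "forward", "static ARP access list"
        binding = self.bindings.get((pkt.sender_ip, pkt.vlan))
        if binding is None:
            return "drop", "no binding for sender IP"
        bound_mac, bound_port = binding
        if bound_mac != mac:
            return "drop", "MAC does not match binding"
        if bound_port != pkt.ingress_port:
            return "drop", "binding learned on another port"
        return "forward", "matches DHCP snooping binding"


def demo():
    """Run six constructed ARP packets through the inspector."""
    sw = ArpInspector(trusted_ports={"Gi0/24"},
                      static_acl=[("10.0.10.5", "AA:AA:AA:00:00:05")])
    sw.learn_lease("AA:AA:AA:00:00:10", "10.0.10.10", vlan=10, port="Gi0/1")
    sw.learn_lease("AA:AA:AA:00:00:11", "10.0.10.11", vlan=10, port="Gi0/2")
    packets = [
        # Host announcing the address it was leased, on its own port.
        ArpPacket("aa:aa:aa:00:00:10", "10.0.10.10", 10, "Gi0/1"),
        # A different MAC claiming an address leased to someone else.
        ArpPacket("aa:aa:aa:00:00:11", "10.0.10.10", 10, "Gi0/2"),
        # Correct IP/MAC pair, but seen on a port the lease was not learned on.
        ArpPacket("aa:aa:aa:00:00:10", "10.0.10.10", 10, "Gi0/3"),
        # Address with no lease and no static entry.
        ArpPacket("aa:aa:aa:00:00:99", "10.0.10.99", 10, "Gi0/4"),
        # Statically addressed device covered by the ARP access list.
        ArpPacket("aa:aa:aa:00:00:05", "10.0.10.5", 10, "Gi0/5"),
        # Uplink port is trusted, so its ARP traffic is not inspected.
        ArpPacket("aa:aa:aa:00:00:01", "10.0.10.1", 10, "Gi0/24"),
    ]
    return [sw.inspect(p) for p in packets]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(f"{verdict:8} {reason}")
```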
§ Routers: A device that connects networks and allows devices to share an Internet
connection. Usually connected to a modem and acts as a central hub, directing data packets to their
intended destinations. Can also provide network security features and allow wireless setup.
• MAC Address Filtering: Block, allow, or filter traffic through the router based on the
hardware MAC address of the device.
• Access Control Lists (ACLs): Protect against spoofing by blocking Martian Packets with
unusual source addresses and/or packets arriving on invalid interfaces.
§ Firewalls: Hardware or software devices. Rules consist of a source address, source port, destination
address, destination port, and an action that determines whether to Allow or Deny the packet.
• Access Control Lists (ACLs): Firewalls are based on an implicit deny rule and must specify
which traffic should be allowed. Rules are processed top to bottom with the most specific
rule first. Implicit deny is the default rule, often listed at the bottom, even if not specified.
o Whitelists/ Blacklists: Allow List/ Block List. Can explicitly block or allow a range of
IP addresses on the network. Any rules listed will create a log.
o Firewall-Based Content Filter: Controlling the Internet content users can access.
o Port Filtering: A feature in which packets that are ingressed through a certain
source port can be blocked from egressing on a specific set of ports.
§ Block all unnecessary Ports and Protocols.
§ Use Private Ports where possible.
§ Use secure versions of Protocols.
§ Block Port 23 for Telnet.
• Dynamic Packet Filtering: A Screen that sits between the client and a server, that examines
each data packet as it arrives. Based on information in the packet, the state retained from
previous events, and security policy rules, the Screen will either pass the data packet
forward, or block and drop it.
• North/South Traffic: Network traffic flowing into (South) and out of (North) a data center.
o Ingress: Refers to traffic that originates from outside a network. Devices and tools
that offer logging and alerting opportunities for Ingress Monitoring are:
§ Firewalls.
§ Gateways.
§ Remote Authentication Servers.
§ IDS/IPS Tools.
§ SIEM Solutions.
§ Anti-Malware Solutions.
o Egress: Data shared externally via a network's outbound traffic. Egress Monitoring is
used in conjunction with Data Loss Prevention (DLP) and Data Leak Protection.
These solutions inspect all data leaving the organization, including E-mail contents
and attachments, copy to portable media, File Transfer Protocol (FTP), posting to
web pages/websites, applications, and Application Programming Interfaces (APIs).
• East/West Traffic: Network traffic among devices within a specific data center. Requires a
different security posture than North/South traffic.
• Firewall Types
o Stateless Firewalls: An older design that does not keep track of traffic flows. Needs more rules
because it doesn’t remember active sessions.
§ Packet Filtering Firewall: The earliest network firewall configured using ACL
rules. It is Stateless in that it does not preserve information about network
sessions. Each packet is analyzed independently. Vulnerable to attacks
spread over multiple packets. Can introduce traffic flow problems, especially
with load balancing or dynamically assigned ports. Considered deprecated.
§ Transparent Firewall Mode: The firewall acts as an L2 device, not an L3.
o Stateful Firewalls: Tracks information about established sessions between hosts.
Incorporates stateful inspection capabilities by storing session data in a state table.
Checks incoming packets against existing connections in the state table. Once a
connection is allowed, traffic usually passes unmonitored to conserve processing
effort. Remembers sessions and traffic flows and needs fewer rules.
§ Layer 3 Firewall: A type of firewall that operates on Layer 3 of the Open
Systems Interconnection (OSI) model.
• Routed Firewall Mode: Considered a L3 device. It supports multiple
interfaces with each interface on a different subnet. It can perform
Network Address Translation (NAT) between connected networks.
§ Layer 4 Firewall: Examines the TCP 3-Way Handshake to distinguish new
connections from established connections. Can track UDP traffic and detect
IP headers and ICMP anomalies, such as a SYN without an ACK.
§ Layer 7 Firewall/Web Application Firewalls (WAF): Also known as an
Application Layer Firewall, an Application-Aware Firewall or Deep Packet
Inspection. A specific firewall that filters, monitors, and blocks HTTP traffic
to and from a web service. Verifies that the application protocol matches
the expected port. External traffic is filtered by a traditional or Next
Generation Firewall (NGFW) first. Designed to protect web servers and back-
end databases from Code Injection and Denial of Service (DoS) attacks. Can
apply rules to API communication to help prevent API injection. Can be
deployed as an appliance or plug-in software.
§ Next-Generation Firewall (NGFW): Also called Application Layer Gateway,
Stateful Multilayer Inspection, or Deep Packet Inspection. Third-generation
firewall technology, combining a conventional firewall with other network
device filtering functions. Can contain Intrusion Detection System (IDS),
Intrusion Prevention Systems (IPS), Content Filtering, Web Proxy, Anti-Bot,
Anti-Malware, Virtual Private Network (VPN), and Identity and Access
Management (IAM) functionality.
• Deep Packet Inspection: A type of data processing that inspects the
data being sent over a computer network in detail, and may take
actions such as alerting, blocking, re-routing, or simply logging it.
• Other Firewall Deployments
o Zero Trust: By default, no one is trusted from inside or outside the network.
Verification is required from everyone trying to gain access to resources. This added
layer of security has been shown to prevent data breaches.
o Virtual Wire Firewall: A firewall that is transparently installed on a network
segment by binding two firewall interfaces together. Can be stateless or stateful.
o Three-Homed Firewall: A network architecture where a single firewall is used with
three network interfaces, creating network segmentation.
o Dual Firewalls (DMZ): This implementation uses two firewalls to create a DMZ. The
first firewall, called the Front-End Firewall, must be configured to allow traffic
destined for the DMZ only. The second firewall, called a Back-End Firewall, only
allows traffic from the DMZ to the internal network.
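The ACL processing and the stateless/stateful distinction described in this Firewalls section, as an added Python example (not from the study guide or any firewall product): rules are matched top to bottom with the most specific first, unmatched packets hit the implicit deny, and the stateful variant admits return traffic from its state table. Class names, rule contents and all addresses are constructed assumptions; a real stateful firewall also tracks TCP flags and session timeouts.

```python
"""Stateless vs. stateful packet filtering (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # destination port, None means any


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def evaluate_acl(rules, pkt):
    """First match wins, top to bottom; no match means implicit deny."""
    for number, rule in enumerate(rules, start=1):
        if (ip_address(pkt.src) in ip_network(rule.src)
                and ip_address(pkt.dst) in ip_network(rule.dst)
                and rule.dport in (None, pkt.dport)):
            return rule.action, f"rule {number}"
    return "deny", "implicit deny"


class StatelessFirewall:
    """Judges every packet on its own; remembers nothing between packets."""

    def __init__(self, rules):
        self.rules = list(rules)

    def handle(self, pkt):
        return evaluate_acl(self.rules, pkt)


class StatefulFirewall:
    """Checks the state table first, then the ACL for new connections."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.state_table = set()

    def handle(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow in self.state_table:
            return "allow", "state table"
        action, reason = evaluate_acl(self.rules, pkt)
        if action == "allow":
            # Remember both directions of the session that was just allowed.
            reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.state_table.update({flow, reverse})
        return action, reason


# Constructed rule set: the specific deny sits above the broader allow.
RULES = [
    Rule("deny", "10.0.0.66/32", "0.0.0.0/0", 443),
    Rule("allow", "10.0.0.0/24", "0.0.0.0/0", 443),
]
# Extra rule a stateless filter needs so that replies can get back in.
RETURN_RULE = Rule("allow", "0.0.0.0/0", "10.0.0.0/24", None)

OUTBOUND = Packet("10.0.0.5", 50000, "203.0.113.10", 443)
REPLY = Packet("203.0.113.10", 443, "10.0.0.5", 50000)
UNSOLICITED = Packet("198.51.100.7", 443, "10.0.0.5", 50000)
QUARANTINED = Packet("10.0.0.66", 50001, "203.0.113.10", 443)


def demo():
    """Feed the same packets to three firewalls and collect the verdicts."""
    sequence = [OUTBOUND, REPLY, UNSOLICITED, QUARANTINED]
    firewalls = {
        "stateless": StatelessFirewall(RULES),
        "stateless + return rule": StatelessFirewall(RULES + [RETURN_RULE]),
        "stateful": StatefulFirewall(RULES),
    }
    return {name: [fw.handle(p) for p in sequence]
            for name, fw in firewalls.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The stateless filter only passes the reply once the broad return rule is added, and that same rule then also admits the unsolicited inbound packet, which the stateful firewall drops.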
§ Network Intrusion Detection Systems (NIDS): Monitors and evaluates network activity to detect
attacks or event anomalies. A single NIDS can monitor large networks by using remote sensors to
collect data at key locations, which send data to a central management console. These sensors can
monitor traffic at routers, firewalls, and switches that support port mirroring. NIDSs can detect the
initiation of an attack or ongoing attacks, but they can't provide information about the success or
effects of an attack, nor can they monitor the content of encrypted traffic.
• Passive Monitoring: Examines a copy of traffic via a port mirror or network tap.
• Out-of-Band Response: IDS sends RESET frames to stop subsequent frames but cannot block
the first frame.
• Stateful Protocol Analysis: Methods that use Deep Packet Inspection (DPI) to examine traffic
by comparing a profile of how the protocol is supposed to work. Can detect many attacks
signature-based methods won't, but it's only as good as the profiles it uses and doesn't work
well with poorly documented proprietary protocols.
• Signature-Based: Methods that look for behavior characteristics of known attacks. A
signature list might include a specific malformed packet used by a Telnet attempt into a root
account. Signature-based methods are excellent at stopping known attacks, but they'll miss
anything that's not on the list.
• Anomaly-Based: Heuristic methods that look for behavior that seems unusual relative to a
normal baseline. Heuristic detection rules are challenging to design and rely on a large set of
baseline data to be accurate. Their main advantage is the ability to identify dangerous zero-
day attacks against undetected vulnerabilities.
§ Network Intrusion Prevention Systems (NIPS): Automatically detects and blocks attacks before they
reach target systems. All traffic must pass through the NIPS. Rules are based on implicit allow and
must specify which traffic to block. It is common to see NIPS function integrated into firewalls.
• In-Line Monitoring: All traffic must flow through the appliance.
• In-Band Response: Can monitor and block traffic on the spot.
• Stateful Protocol Analysis: Methods that use Deep Packet Inspection (DPI) to examine traffic
by comparison to a profile of how its protocol is supposed to work.
• Signature-Based: Methods that look for behavior characteristics of known attacks.
• Anomaly-Based: Heuristic methods that look for unusual behavior relative to a baseline.
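The signature-based and anomaly-based methods listed for both NIDS and NIPS, as an added Python example (not from the study guide or any IDS product) showing what each one catches and misses on the same events. The signature name and pattern, the baseline figures, the three-standard-deviation threshold and the sample events are all constructed assumptions.

```python
"""Signature-based vs. anomaly-based detection (added example, constructed data)."""
from statistics import mean, stdev

# Hypothetical signature list: name -> byte pattern searched for in a payload.
SIGNATURES = {
    "SIG-0001 telnet root login attempt": b"login: root",
}


def signature_alerts(payload):
    """Return the names of all signatures found in the payload."""
    return sorted(name for name, pattern in SIGNATURES.items()
                  if pattern in payload)


class Baseline:
    """Normal behaviour learned from history; flags large deviations."""

    def __init__(self, samples, threshold=3.0):
        if len(samples) < 2:
            raise ValueError("need at least two baseline samples")
        self.mu = mean(samples)
        self.sigma = stdev(samples)
        self.threshold = threshold  # assumed cut-off, in standard deviations

    def zscore(self, value):
        if self.sigma == 0:
            # A perfectly flat baseline: any change at all is a deviation.
            return 0.0 if value == self.mu else float("inf")
        return (value - self.mu) / self.sigma

    def is_anomalous(self, value):
        return abs(self.zscore(value)) > self.threshold


# Constructed baseline: kilobytes sent per minute by one host on normal days.
NORMAL_KB_PER_MIN = [100, 110, 95, 105, 90, 100, 108, 92]

# Constructed events observed by the sensor.
EVENTS = [
    {"id": "e1", "payload": b"\xff\xfd\x18login: root\r\n", "kb_out": 104},
    {"id": "e2", "payload": b"POST /upload HTTP/1.1\r\n", "kb_out": 900},
    {"id": "e3", "payload": b"GET /index.html HTTP/1.1\r\n", "kb_out": 97},
]


def analyse(events=EVENTS, samples=NORMAL_KB_PER_MIN):
    """Run both detection methods over every event."""
    baseline = Baseline(samples)
    return {
        ev["id"]: {
            "signature": signature_alerts(ev["payload"]),
            "anomaly": baseline.is_anomalous(ev["kb_out"]),
        }
        for ev in events
    }


if __name__ == "__main__":
    for event_id, verdict in analyse().items():
        print(event_id, verdict)
```

Event e1 is caught only by the signature list and e2 only by the baseline, which is why the two methods are deployed together.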
§ Network Detection and Response (NDR) Solutions: Also called Network Traffic Analysis (NTA), or
Network Analysis and Visibility (NAV). Analyzes behavioral heuristics. Uses machine learning and
data analytics to compare baselines and known good behavior to anomalous behavior. Unusual
behaviors generate a report or alert.
§ Proxy Servers: Sits between users and the external network. Receives the user’s request and sends
the request on their behalf. Also receives the response, evaluates the response, and sends the result
back to the user. Can control much of the traffic flow. Performs Application Layer filtering,
deconstructs packets, performs analysis, and rebuilds packets according to rules.
• Forward Proxy: An internal proxy, used to control internal access to the Internet.
• Reverse Proxy: Protects inbound traffic from the Internet to the internal servers.
• Transparent Proxy: Operates like a Forward Proxy but doesn't require any special client
configuration. Commonly used on large enterprise networks. Sometimes called a Forced
Proxy because the client doesn't choose whether to use them.
• Application Proxy: Receives requests intended for another server and acts as the proxy to
obtain the requested service. An application proxy server is often used when the client and
the server are incompatible for direct communication.
• Anonymous Proxy: Usually hosted on the Internet and masks the client's original IP address
from the server. Security concern.
• Open Proxy: Uncontrolled and available to anyone. Can circumvent security protocols.
• Jump Server: Also called the Jump Box or Secure Admin Workstation (SAW). A highly secure
steppingstone from one zone to another.
• Content Distribution Networks (CDNs): Geographically distributed network of proxy servers
and their data centers. Provides High Availability (HA) and performance by distributing the
service relative to end user. Can come with Distributed Denial of Service (DDoS) mitigation.
§ Load Balancers: Distribute a set of tasks over a set of resources, to streamline processing. Can
optimize response time and avoid unevenly overloading some compute nodes, while other compute
nodes are left idle. Also increases hardware redundancy and data availability. Load Balancers use
heartbeat or health check probes to verify the availability and the load of each node.
• Active/Active: All redundant servers are always available and sharing the load. If one fails,
its workload is distributed to the remaining nodes. Most load balancers are active/active.
This utilizes maximum capacity but may degrade performance during a failover.
• Active/Passive: In addition to any active nodes, there are one or more failover nodes that
are left on standby. When a node fails, a new node becomes immediately activated. Ensures
no performance impact during failover.
• Load Testing: Validates system performance under expected or peak loads.
• Failover Testing: Validate easy transition between primary and secondary infrastructure.
• Monitoring System Testing: Validates effective detection and response to failures/issues.
• Load Balancing Modes: A method of distributing network traffic or workloads across
multiple resources, to reduce the strain on each resource and improve performance.
o Round Robin: Client requests are forwarded to each server, in turn, going down the list of
servers in a group.
o Weighted Round Robin: Each server in a pool is given a fixed numerical weight so client
requests are forwarded in a particular order.
o Dynamic Round Robin: The numerical weight assigned to servers is assigned based on the
server’s current load and idle capacity.
o Active Balancing: Divides workload among multiple nodes based on availability.
o Source Affinity/ Sticky Session/ Session Persistence: Directs all requests from a particular
end user to a specific server, which preserves data that might otherwise be lost.
• Types of Load Balancers
o Layer 4 Load Balancer: Makes forwarding decisions based on IP address and
TCP/UDP ports. They also conduct basic connectivity tests and health checks.
o Layer 7 Load Balancer/ Content Switch: A higher layer router that uses Network
Address Translation (NAT) to split server requests between multiple identical servers
that share a single virtual IP address. Used to direct requests for specific types of
content to targeted servers by way of load-balancing virtual servers. Makes
forwarding decisions based on Application-Level data such as URLs or data types like
video or audio streaming. Can test an application state when doing a health check.
• Clustering: Load Balancing distributes traffic, while Clustering provides fault tolerance by
enabling multiple redundant nodes to share data and accept connections. Clustering
ensures continuity of service by allowing connections to fail over to working nodes.
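Three of the load balancing modes above (Round Robin, Weighted Round Robin and Source Affinity) combined with health checks, as an added Python example that is not from the study guide or any load balancer product. The Pool class, server names, weights and client addresses are constructed assumptions, and a weight of 2 is modelled as two slots in the rotation.

```python
"""Load-balancing modes with health checks (added example, constructed names)."""


class Pool:
    """Hypothetical server pool; `weights` maps server name -> fixed weight."""

    def __init__(self, weights):
        self.weights = dict(weights)
        self.servers = list(self.weights)
        self.healthy = set(self.servers)
        self.sticky = {}   # client IP -> server chosen for that client
        self._rr = 0       # cursor for plain round robin
        self._wrr = 0      # cursor for weighted round robin
        # A server with weight 2 occupies two slots in the rotation.
        self.schedule = [s for s, w in self.weights.items() for _ in range(w)]

    def health_check(self, server, is_up):
        """Record the outcome of a heartbeat or health check probe."""
        if is_up:
            self.healthy.add(server)
        else:
            self.healthy.discard(server)

    def round_robin(self):
        """Next server in list order, skipping nodes that failed a probe."""
        for _ in range(len(self.servers)):
            server = self.servers[self._rr % len(self.servers)]
            self._rr += 1
            if server in self.healthy:
                return server
        raise RuntimeError("no healthy servers in pool")

    def weighted_round_robin(self):
        """Like round robin, but heavier servers appear more often."""
        for _ in range(len(self.schedule)):
            server = self.schedule[self._wrr % len(self.schedule)]
            self._wrr += 1
            if server in self.healthy:
                return server
        raise RuntimeError("no healthy servers in pool")

    def source_affinity(self, client_ip):
        """Keep a client on one server; re-pin only if that server is down."""
        server = self.sticky.get(client_ip)
        if server not in self.healthy:
            server = self.round_robin()
            self.sticky[client_ip] = server
        return server


WEIGHTS = {"web1": 1, "web2": 1, "web3": 2}  # constructed pool


def demo():
    """Show each mode, then the same mode after web1 fails its health check."""
    out = {}
    pool = Pool(WEIGHTS)
    out["round_robin"] = [pool.round_robin() for _ in range(4)]
    pool = Pool(WEIGHTS)
    out["weighted"] = [pool.weighted_round_robin() for _ in range(5)]
    pool = Pool(WEIGHTS)
    before = [pool.source_affinity("192.0.2.10") for _ in range(2)]
    pool.health_check("web1", False)   # active/active failover
    after = [pool.source_affinity("192.0.2.10") for _ in range(2)]
    out["sticky_before_failure"] = before
    out["sticky_after_failure"] = after
    return out


if __name__ == "__main__":
    for mode, picks in demo().items():
        print(f"{mode:24} {picks}")
```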
§ AAA Servers: Controls access to resources, enforces policies, and audits usage. Identification
creates unique user IDs. Authentication proves that the user is who they claim to be. Authorization
proves that the user is allowed to access the resource. Accounting includes logging and audit methods.
• Remote Authentication Dial-In User Service (RADIUS): Authentication and authorization.
Members of one organization can authenticate to the network of another organization using
their normal credentials. Only encrypts the passwords. Centralized authentication for users
logging in to routers, switches, firewalls, VPNs, servers, and 802.1x. Works well with VPN
Concentrators. Available for any server operating system. The client is a Network Access
Server (NAS), which prompts a user for credentials and then relays user (supplicant)
authentication requests to the RADIUS server, which responds with an acceptance or
rejection. Uses UDP, over ports 1812 (Authentication and Authorization) and 1813
(Accounting). Supports protocols like PAP, CHAP, and EAP for authentication. Not as
versatile as LDAP for authorization.
• DIAMETER: Next-generation industry-standard protocol used to exchange Authentication,
Authorization, and Accounting (AAA) information in Long-Term Evolution (LTE) and IP Multi-
Media Systems (IMS) networks. An evolution of RADIUS.
• Terminal Access Controller Access-Control System (TACACS): A family of protocols that
provides remote authentication in a server environment. Each server on the network
submits individual authentication requests to the centralized server, even though there's a
common authentication database. Now considered obsolete, with the advent of TACACS+.
o TACACS+: More recent version. Supports more authentication requests and
response codes. Encrypts entire access request. Centralized logins for administrative
accounts on network appliances. It offers advantages such as TCP-based
communication, encryption of all data, and discrete Authentication, Authorization,
and Accounting functions. No SSO functionality.
o XTACACS (Extended TACACS): Cisco proprietary tool that has additional support for
Accounting and Auditing. Now obsolete.
• Kerberos: Authentication through a cryptographic ticket-granting service. Allows for Single
Sign-On (SSO). Authenticate once, and the device is trusted by the system. Users can gain
access to multiple resources with one authentication. Still requires individual servers to
maintain the access databases. Works well in Microsoft environments.
o Authentication Service/ Server (AS): Users log in to initiate the authentication
process. The AS directs the login process through multiple Kerberos servers.
o Key Distribution Center (KDC): The AS passes the login request to the KDC, which
issues the user a Ticket-Granting Ticket (TGT). The TGT has a timestamp and time
limit. The KDC encrypts the ticket to make it harder to duplicate or impersonate.
o Ticket Granting Service (TGS): After the KDC issues the user ticket, the user can log
on to any network server that supports Kerberos.
§ Unified Threat Management (UTM) Solutions: A single hardware or software installation that
provides multiple security functions, including anti-virus, content filtering, E-mail, web filtering, and
anti-spam. Potential single point of failure, and high latency under a heavy load.
§ VPN Concentrators: A hardware device that manages VPN traffic for multiple users, allowing secure
remote access to a network. Can also be built into a firewall. Encrypts and decrypts communication.
§ Hardware Security Modules (HSM): High-end cryptographic hardware that stores and generates
encryption keys and offloads CPU overhead for cryptographic processing from other devices.
§ SSL/TLS Accelerators: Device on the edge of the network used to offload processor-intensive public-
key encryption for Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL), to a
hardware accelerator. Useful because the SSL handshake is CPU-intensive, and time consuming.
§ Distributed Denial of Service (DDoS) Mitigators: Sits between the network and the Internet and
identifies and blocks DDoS attacks in real-time.
o Network Appliances (Software-Based)
§ Syslog: A standard by which network devices can send logs to a shared server for centralized
compilation. The server can be configured to send alerts when notable events occur. Any network
device can operate as a client, logging operational events and sending them to the syslog server.
• Severity Level: An essential concept for event logging. Syslog defines eight levels ranging
from emergency messages about severe error conditions, to detailed information on
everyday activities that can be used to troubleshoot applications.
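The severity level travels in the <PRI> number at the start of every syslog message (PRI = facility x 8 + severity). The following added example, which is not part of the original guide, decodes it and keeps only messages at or above a chosen severity; the sample messages, host names and function names are constructed for illustration.

```python
import re

# The eight syslog severity levels; list index = numeric severity (0 is most severe).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

# Common facility codes; any other code is reported as "facility<N>".
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 9: "cron", 10: "authpriv"}
FACILITIES.update({16 + n: f"local{n}" for n in range(8)})

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(line):
    """Split the leading <PRI> into facility and severity.

    Returns None when the header is missing or outside the valid range 0..191,
    so malformed input is dropped rather than misclassified.
    """
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility, level = divmod(pri, 8)
    return {
        "facility": FACILITIES.get(facility, f"facility{facility}"),
        "severity": SEVERITIES[level],
        "level": level,
        "message": m.group(2),
    }


def alerts(lines, threshold="error"):
    """Return decoded messages whose severity is at least `threshold`.

    Lower numbers are more severe, so "at least error" means level <= 3.
    """
    limit = SEVERITIES.index(threshold)
    decoded = (decode_pri(line) for line in lines)
    return [ev for ev in decoded if ev is not None and ev["level"] <= limit]


# Constructed sample messages (not taken from a real device).
SAMPLE = [
    "<34>May  1 09:00:01 fw01 su: authentication failure for admin",  # auth, critical
    "<165>May  1 09:00:02 sw02 ifmgr: port 12 link up",               # local4, notice
    "<11>May  1 09:00:03 app03 backupd: disk write error",            # user, error
    "<190>May  1 09:00:04 ap04 dhcpd: lease renewed",                 # local7, informational
    "<999>bogus priority value",                                      # out of range
    "message without a priority header",
]

if __name__ == "__main__":
    for ev in alerts(SAMPLE):
        print(ev["facility"], ev["severity"], ev["message"])
```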

§ Bandwidth Monitors: Provides fundamental network statistics and monitors the percentage of
network use over time. Helps identify issues. There are many different ways to gather this metric,
such as NetFlow, IPFIX, sFLOW, and other software agents, such as protocol analyzers.
• NetFlow: A standard collection method that gathers traffic statistics from all flows and
shared communication between devices. Uses probes and collectors, where probes watch
the network communication, and summary records are sent to the collector.
• IP Flow Information Export (IPFIX): A newer NetFlow-based standard that evolved from
NetFlow v9. Includes flexible data support and uses templates to describe the data.
• Sampled Flow (sFLOW): Not technically a network traffic flow analyzer as it only looks at a
portion of the actual network traffic. This is usually embedded in infrastructure such as
switches and routers. Sampling usually occurs in hardware.
• Protocol Analyzers: Gather packets on the network or in the air, sometimes built into a
device. View detailed traffic information, identify unknown traffic, verify packet filtering and
security controls, and view a plain language description of the application data.
§ Security Information and Event Management (SIEM) Tools: Aggregate and correlate log data from
various sources (hosts, switches, routers, firewalls, IDS sensors etc.) across the enterprise to better
understand potential security concerns and apportion resources accordingly. Creates alerts for
system administrators to respond to. Combines event, threat, and risk data into a single system to
improve the detection and remediation of security issues and provide an extra layer of in-depth
defense. Configure SIEM to aggregate appropriate data sources, develop correlation rules, and
display alerts, status indicators, and trend analysis, via a dashboard.
• Detecting Threats
o Rules: Based on fixed criteria. When an event matches the rule, a specific action is
taken. Rules can be written or write themselves.
o Correlations: Based on more open-ended criteria using elaborate Boolean Logic and
wild card terms. A correlation can recognize a broader range of incidents than a
rule, but it is more likely to produce false positives.
o Models: Evaluate events using machine learning algorithms, allowing advanced
analytics. Useful for detecting unknown threats that rules and correlations cannot.
• SIEM Notifications
o Trend: The aggregate result of many minor events on the network that do not need
individual responses but form a meaningful pattern when taken as a whole.
o Alert: A low-priority notification regarding an event that may or may not need an
administrator response and isn't immediately critical.
o Alarm: A high-priority notification of a critical or ongoing incident requiring a
prompt response.
• Data Sources
o Network Traffic Log Files: Monitors the flow of traffic through switches, routers,
access points, VPN concentrators, and other infrastructure. Logs routing updates,
authentication issues, and network security events. Includes Intrusion Detection
data and protocol flow statistics.
o System Log Files: OS/file information, authentication details, and security events,
such as the detection of monitoring apps, brute force attempts, or file changes.
o Application Log File: Specific to the application, such as DNS, web, or VoIP.
o Security Log Files: Detailed security-related information, such as blocked and
allowed traffic flows, exploit attempts, blocked URL categories, or DNS sinkhole
traffic. Includes monitoring of security devices, such as Intrusion Prevention Systems
(IPSs), firewalls, and proxy servers.
o Web Log Files: Detailed log of all web server access, including any access errors,
exploit attempts, start-up and shut-down notices, or restart messages.
o DNS Log Files: View lookup requests and other DNS queries. See the IP address of
the request. Identify queries to known bad URLs, including malware sites, and
known Command and Control (C2) domains. Lock or modify known bad requests at
the DNS server. Log the results and report on malware activity.
o Authentication Log Files: Know who logged in or who didn't. Identify multiple
failures and potential brute force attacks. Correlate with other events, such as file
transfers, authentications to other devices, and installed applications.
o Dump Log Files: Stores all memory into a diagnostic file. Useful for developers.
o VoIP and Call Manager Log Files: View inbound and outbound call information,
endpoint details, gateway communication, and security information. Includes
Session Initiation Protocol (SIP) traffic logs, such as call setup, management, and
tear-down, and alerts on unusually numbered country codes.
o Host Log File: Network, system, security, and vulnerability scan outputs.
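To make the difference between a rule and a correlation concrete, the following added example (not part of the original guide, and not any SIEM product's rule language) runs both over authentication log lines. The log lines, addresses, thresholds and function names are constructed assumptions; a burst of failures raises a low-priority alert, and a success from the same source shortly afterwards raises a high-priority alarm.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not from a real system).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z auth01 sshd[811]: Failed password for alice from 203.0.113.7 port 52811 ssh2
2024-05-01T09:00:06Z auth01 sshd[812]: Failed password for alice from 203.0.113.7 port 52812 ssh2
2024-05-01T09:00:11Z auth01 sshd[813]: Failed password for alice from 203.0.113.7 port 52813 ssh2
2024-05-01T09:00:30Z auth01 sshd[814]: Accepted password for alice from 203.0.113.7 port 52814 ssh2
2024-05-01T09:01:00Z auth01 sshd[820]: Failed password for bob from 198.51.100.20 port 40100 ssh2
2024-05-01T09:01:10Z auth01 sshd[821]: Accepted password for bob from 198.51.100.20 port 40101 ssh2
2024-05-01T09:02:00Z auth01 sshd[830]: Accepted password for root from 192.0.2.10 port 40022 ssh2
2024-05-01T09:05:00Z auth01 sshd[840]: Failed password for carol from 198.51.100.99 port 41000 ssh2
2024-05-01T09:10:00Z auth01 sshd[841]: Failed password for carol from 198.51.100.99 port 41001 ssh2
2024-05-01T09:15:00Z auth01 sshd[842]: Failed password for carol from 198.51.100.99 port 41002 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(lines):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def rule_root_login(events):
    """Rule: fixed criteria matched against one event at a time."""
    return [("alert", "root-login", e["src"], e["ts"])
            for e in events
            if e["result"] == "Accepted" and e["user"] == "root"]


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=2)):
    """Correlation: relate several events from the same source over time.

    `threshold` failures inside `window` raise an alert; a success from the
    same source within `window` of that burst raises an alarm.
    """
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = {}                    # source -> time the burst reached threshold
    out = []
    for e in sorted(events, key=lambda e: e["ts"]):
        src, ts = e["src"], e["ts"]
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures that fell out of the window
        if e["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged[src] = ts
                out.append(("alert", "bruteforce-attempt", src, ts))
        elif src in flagged and ts - flagged[src] <= window:
            out.append(("alarm", "bruteforce-success", src, ts))
    return out


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for finding in rule_root_login(evs) + correlate_bruteforce(evs):
        print(*finding)
```

The slow failures from 198.51.100.99 never trip the correlation because each one has aged out of the window before the next arrives, which is the trade-off between window size and missed low-rate attempts.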
§ Security Orchestration Automation and Response (SOAR): A group of cybersecurity technologies
that allow organizations to respond to certain incidents automatically. These often integrate Cyber
Threat Intelligence (CTI) feeds and can act as the remediation and response engine to SIEM alerts.
Best used for Incident Response (IR) and Threat Hunting.
• User and Entity Behavior Analytics (UEBA): Uses Machine Learning and Data Analytics to
compare current Baselines and known good behavior to anomalous behavior. Unusual
behaviors generate a report or alert. Monitors use, performance, security, and trends.
o Runbooks: A set of conditional steps that must be performed as part of any security
process, such as log review, vulnerability scanning, or Incident Response (IR). A set of
rules that can be largely automated. While it may involve a human element, little
human intervention is needed. Often used to automate features such as Threat
Response, Threat Intelligence Enrichment, and other activities that the platform can
orchestrate on its own. These rules are generally condition-based, so instead of
following a step-by-step pattern, they are triggered by pre-set conditions.
o Playbooks: A looser workflow or checklist that is used to organize or document a
security response process. Step-by-step actions that occur in the SOAR process
itself. Focuses on assisting security analysts in responding to large incidents or those
heavily reliant on human decision-making. These actions typically need to be
performed by humans, so playbooks serve as definitive guides to ensure that any
documentation, required reporting, or other mandated actions that require human
involvement and decision-making, occur exactly when they should.
§ Network Access Control (NAC): A network security component, usually installed as a software agent
on an endpoint. A critical component of both network and endpoint security. Unifies endpoint
security, user and system authentication, and network security. When someone tries to connect with
a Bring-Your-Own-Device (BYOD) device, NAC performs a security posture/health assessment to determine
whether it is safe to allow the connection. Factors that may influence a posture assessment are: Is
this a trusted device? Is it running antivirus? Which one? Is it updated? Are the correct corporate
applications installed? Is it a mobile device? Is the disk encrypted? NAC software can authenticate
users and devices, ensure that devices comply with security policies, and regulate traffic between
devices. It can also automatically scan devices for updates and schedule security patches.
• Persistent Agents: Software installed on the local device.
• Dissolvable Agents: Software runs but does not stay installed on the machine.
• Agentless: Checks are made during login and log-off.
• Quarantine Network: Built for devices that don’t pass the health check.
§ Virtual Private Networks (VPNs): A mechanism for creating secure connections between a
computing device and a computer network, or between two networks, using an unsecure
communication medium, such as the public Internet.
• VPN/Tunneling Protocols: Communication and encryption methods for VPNs.
o Point-to-Point Protocol (PPP): Connects one computer to another. Computers use
PPP to communicate over the telephone network or the Internet. A PPP connection
exists when two systems physically connect through a telephone line.
o Point-to-Point Tunneling Protocol (PPTP): A network protocol used to create VPN
tunnels between public networks. Considered deprecated.
o Layer Two Tunneling Protocol (L2TP): An extension of the Point-to-Point Tunneling
Protocol (PPTP) used by Internet Service Providers (ISPs) to enable VPNs. Commonly
implemented with IPsec for encryption.
o Transport Layer Security (TLS) Tunneling: Mutual authentication using digital
certificates. TLS creates an encrypted tunnel for user authentication and data
transmission. Preferred for VPN access.
o IPSec Tunneling: Not a cryptographic protocol, but a Layer 3 framework, typically at
a VPN application’s core. It does not enforce a particular key method or encryption
algorithm. Connects sites over a Layer 3 network as if they were connected at a
Layer 2. It adds encryption and authentication to make the protocol more secure.
§ Authentication Header (AH): No encryption but does contain a hash of the
IPsec packet to provide integrity, origin authentication, and replay attack
protection. Authenticates the entire IP packet, including the IP header.
§ Encapsulating Security Payload (ESP): Encrypts the data and the IP packet.
Provides data integrity, confidentiality and encryption, limited traffic flow
confidentiality, and replay attack protection. While AH authenticates the
entire IP packet, including the IP header, ESP authenticates only the IP
datagram portion of the IP packet.
• Transport Mode: Only encrypts the payload of the packet. Used for
host-to-host communication.
• Tunnel Mode: Provides end-to-end security by encrypting the entire
IP packet and adding a new IP header. Used for connecting entire
networks with a site-to-site VPN.
§ Internet Key Exchange (IKE): Authentication and key exchange for IPSec.
Negotiates security associations and establishes a secure channel between
hosts. Negotiations occur in two phases: Key Agreement and Cipher
Selection. IKEv2 enhances IKE with Extensible Authentication Protocol (EAP)
authentication and a simplified setup, providing reliability and support for
Network Address Translation (NAT) traversal.
• VPN Options
o Host-to-Host: Joins two computers as though they were directly wired together.
Secures traffic between two computers on an untrusted private network.
o Host-to-Site/Remote Access VPN: A computer joins a trusted network remotely, via
a VPN Gateway. Software is installed on the device that needs the VPN tunnel. The
encrypted tunnel is created to connect to a specific network. The VPN software
connects to a VPN Concentrator and can be configured as always-on. Always-On
VPNs establish connections automatically when detecting trusted networks.
Suitable for telecommuters and field employees.
§ Transport Layer Security (TLS)/ Secure Socket Layer (SSL) VPN: Enables
users to access a network, client-server applications, or internal network
utilities and directories, without the need for specialized software. Can be
run from a browser or light VPN client. Establishes a secure connection over
Port 443, encrypting data and ensuring user authentication.
§ HTML 5 VPN: Allows users to access internal resources via pre-configured
VPN Concentrator, using only a browser as a client.
o Site-to-Site: Connects two or more private networks. This could be a corporate
network where multiple offices work in conjunction with each other, or a network
with a central office and multiple branch locations. Done by installing a VPN on both
sides. Traffic is encrypted as it passes through the local VPN Concentrator and is
decrypted in the concentrator on the other side.
§ Full Tunnel: All data goes through the concentrator, which makes the
forwarding decisions.
§ Split Tunnel: Some information is sent through the tunnel and other
information can be sent outside of the tunnel. Only traffic to the corporate
network traverses the VPN tunnel. Traffic to all other sites is split from the
tunnel and is not encrypted.
§ Secure Web Gateway (SWG): A software application, hardware device, or cloud service that is
deployed at the boundaries of a network to monitor and stop malicious traffic from entering the
organization, and to block users from accessing malicious or suspicious web resources. Includes URL
Filtering, Spam Filtering, Malware Inspection, routing and switching, IDS/IPS, firewall, Bandwidth
Monitoring, and VPN endpoints. Next-Gen Firewalls (NGFW) perform these functions as well.
§ Content Filters/ Web Filters/ URL Filters: Control the content users can access over the
Internet. Can be hardware, software, or on a firewall. Issues include over-blocking, under-blocking,
handling of encrypted traffic and privacy concerns.
§ DNS Filters: Restrict web content.
§ Data Loss Prevention (DLP): Prevents the sharing or transmitting of sensitive data through E-mail,
cloud, USB, or other means. Also includes Pattern-Matching and Watermarking. DLP solutions can
inspect all data leaving the organization, including E-mail contents and attachments, copy to
portable media, File Transfer Protocol (FTP), posting to web pages/websites, applications, and
Application Programming Interfaces (APIs).
§ Software Defined Networking (SDN): An approach to network management that enables dynamic,
programmatically efficient network configuration to improve network performance and monitoring.
It separates the functions of routers, switches, and related devices into two planes. Administrators
can centrally manage the network through a network controller that separates the two planes.
• Data Plane: Does the work of moving individual frames and packets through the network. It
routes packets, schedules queues, and reads routing tables and ARP values.
• Control Plane: Makes decisions about the overall flow of traffic, and encompasses the
duties of routing protocols, switching protocols, Quality of Service (QoS) settings, and other
settings that store or communicate rules through the network.
• Network Controller: Communicates with upper-level SDN applications to govern the control
plane functions and with lower-level SDN data paths to adjust settings in the data plane.
§ Software-Defined Visibility (SDV): Visibility refers to being aware of everything within and moving
through the network with the help of network visibility tools, such as Next-Generation Firewalls
(NGFW), Web Application Firewalls (WAF) and Security Information and Event Management (SIEM)
solutions. SDV combines visibility with an automation framework. Gathers data from taps on the
physical network and redirects it according to its logical structure. SDV collects real-time data about
network traffic and host configurations for improved anomaly detection and incident response.
• Network Packet Brokers (NPB): Gathers and forwards visibility traffic and performs
additional tasks, such as data deduplication, SSL decryption, data masking, and other
features to improve security and reduce network load.
§ NIC Teaming/ Load Balancing Fail-Over (LBFO): The process of combining multiple network cards
for performance, load balancing, and redundancy reasons. Group two or more physical NICs into a
single logical network device, called a bond.
§ Traffic Shaping Devices: Regulate abusive users, safeguard applications and networks against traffic
spikes, and stop network attacks from overwhelming network resources.
§ Quality of Service (QoS): Creates an undesired list and gives priority to certain kinds of traffic over
others, such as giving VoIP traffic a higher priority than web browsing.
§ Domain Name Service Security Extensions (DNSSEC): A suite of extensions that improve Domain
Name System (DNS) security by verifying that DNS results have not been tampered with. Provides
authorization services when performing operations on the DNS. Must be digitally signed.
§ Domain-Based Message Authentication, Reporting, and Conformance (DMARC): An E-mail security
protocol that verifies E-mail senders and helps prevent spoofing.
§ Windows Registry: Primary configuration database that monitors unwanted application changes.
Back up the registry before making changes.
§ Configuration Management Systems (CMS): Tools/databases that are used to manage IT
infrastructure configuration and data for users, suppliers, locations, business units, and customers.
§ Configuration Management Database (CMDB): A central repository for infrastructure information.
• CM Diagrams: Includes workflows, physical and logical network diagrams, and rack layouts.
• Baseline Configurations: Note any static allocation of IP addresses, versus DHCP. May utilize
IP Address Management (IPAM) Suites for managing the assignment of IP addresses.
§ Asset Management Software: Automatically discover, track, and catalog various assets, providing a
centralized dashboard for management.
• Administrative Controls
o Onboarding Policies
§ Hiring Qualified Candidates.
§ Employee Background Check/ Clearances.
§ Social Media Analysis.
§ Code of Ethics.
§ Provision Accounts/ Credentials.
§ Employee Training.
• Gamification.
• Tabletop Exercises.
• Hands-On/ Live Demo.
• Audits/ Walk-Throughs.
• Phishing Simulations/Campaigns.
• Computer-Based Training (CBT).
• Capture the Flag (CTF): Jeopardy or Attack/Defense Style.
• Pen-Testing/ Attack Simulation.
o Role-Based Security Awareness Policies
§ End Users: Understanding threats and how to protect against them. Password security, phishing
awareness, and physical security may also be components of end-user training.
§ Customer-Facing Employees: Recognizing social engineering and protecting the company’s reputation.
§ Privileged Users: Understanding the permissions they have been given, what responsibilities come
with them, and the importance of not sharing credentials.
§ Administrators: Understanding technical threats, network configuration, and security solutions.
§ Incident Response Teams: Understanding how to respond to physical threats, malware removal,
legal procedures and forensics investigations.
§ Management: High-level knowledge of current controls and how they could be compromised.
§ Recertification: Defines how frequently users must certify their need for a resource or membership.
o Privacy/User Agreement Policies
§ Terms of Service/ Terms of Use/ Terms and Conditions (T&C’s).
§ Standard Operating Procedures (SOP).
§ Privacy Notices/ Privacy Policy.
§ Acceptable Use Policies.
§ Non-Disclosure Agreements (NDA)/ Non-Competes.
o Password Policies
§ Change all default usernames and passwords.
§ Minimum/ Maximum Password Age.
§ Complexity: Length/ character/ Re-use restrictions.
§ Passphrase.
o Secure Personnel Policies
§ Principle of Least Privilege: The user is given a minimum level of access needed to perform a job.
§ Clean Desk Policy: Requires that employees shred or contain all physical documents each time they
leave a work environment. Requires all laptops and phones to be password-protected.
§ Mandatory Vacation: A policy that requires employees to take a set number of vacation days per
year. Used to detect fraud/malicious insiders, as well as to prevent employee burnout.
§ Separation/ Rotation of Duties: Users must not be granted enough privileges to misuse a system.
§ Two-Person/ Dual Integrity: Prohibits individual access to certain material by requiring the presence
of at least two authorized persons, each capable of detecting incorrect or unauthorized security
procedures concerning the task being performed.
§ M of N Control: A protection measure that requires that a minimum number of agents (M) out of
the total number of agents (N) work together to perform high-security tasks.
o Time-Based Access Policies: Disallow network access before or after business hours.
o Location-Based Policies: Disallow network access depending on device location.
§ Network Location: Disallowing network access from certain countries.
§ Geolocation: Process of determining the geographic position of an object or user.
§ Geofencing: A virtual perimeter for a real-world geographic area.
§ Impossible Travel: Office 365 includes a security feature to detect remote hacking attempts. With
each login from a new location, it calculates the travel time from the previous login location and
uses it to determine whether the travel is possible.
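The travel-time check described under Impossible Travel can be sketched as follows. This is an added example, not Microsoft's implementation and not part of the original guide; the 900 km/h speed ceiling, the 50 km floor for geolocation jitter, the coordinates and the function names are all assumptions.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0    # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0   # assumption: ignore IP-geolocation jitter within one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logins, max_kmh=MAX_SPEED_KMH, min_km=MIN_DISTANCE_KM):
    """Flag logins whose distance from the user's previous login could not
    have been covered in the elapsed time.

    `logins` is an iterable of (user, iso_timestamp_utc, lat, lon).
    """
    parsed = sorted(
        ((u, datetime.fromisoformat(ts), lat, lon) for u, ts, lat, lon in logins),
        key=lambda r: (r[0], r[1]),
    )
    last = {}        # user -> (time, lat, lon) of the previous login
    findings = []
    for user, when, lat, lon in parsed:
        prev = last.get(user)
        last[user] = (when, lat, lon)
        if prev is None:
            continue
        dist = haversine_km(prev[1], prev[2], lat, lon)
        if dist < min_km:
            continue                     # same area, nothing to evaluate
        hours = (when - prev[0]).total_seconds() / 3600
        # Simultaneous logins from distant places imply infinite speed.
        speed = math.inf if hours == 0 else dist / hours
        if speed > max_kmh:
            findings.append({"user": user, "at": when,
                             "distance_km": round(dist), "speed_kmh": speed})
    return findings


# Constructed sample logins; timestamps are UTC, coordinates approximate city centres.
SAMPLE_LOGINS = [
    ("alice", "2024-05-01T08:00:00", 40.7128, -74.0060),   # New York
    ("alice", "2024-05-01T09:00:00", 1.3521, 103.8198),    # Singapore, one hour later
    ("bob",   "2024-05-01T08:00:00", 42.3601, -71.0589),   # Boston
    ("bob",   "2024-05-01T12:00:00", 40.7128, -74.0060),   # New York, four hours later
    ("carol", "2024-05-01T10:00:00", 51.5074, -0.1278),    # London
    ("carol", "2024-05-01T10:00:00", -33.8688, 151.2093),  # Sydney, same instant
    ("dave",  "2024-05-01T10:00:00", 51.5074, -0.1278),    # London
    ("dave",  "2024-05-01T10:01:00", 51.5155, -0.0922),    # London, a few km away
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_LOGINS):
        print(f["user"], f["at"].isoformat(), f["distance_km"], "km")
```

VPN exits and mobile carrier gateways shift a user's apparent location without any travel, so findings from a check like this are usually correlated with device and session data before an account is locked.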
o Asset, Configuration, and Change Policies
§ Asset Management Policies: Asset Tracking, RFID Tagging, and procedures for lost/stolen devices.
§ Configuration Management (CM) Policies: The process of maintaining systems in a desired state.
CM requires inventory baselines, updates and patches.
§ Change Management Policies: Procedures for implementing a change, involving the Request for
Change (RFC), Approval, and Regression/Rollback processes.
o Risk Planning Policies
§ Cyber Risk Assessment: Identifying the risks to system security and determining the probability of
occurrence, the resulting impact, and the additional safeguards that mitigate this impact.
• Qualitative Risk Assessment: Quickly identify risks using numerical ratings (1-5) or colors
(green, yellow, red) that rank risks based on likelihood of occurrence and business impact.
• Quantitative Risk Assessment: Involves numerical values, statistical analysis, and
measurable data to provide a more precise and objective measure of cybersecurity risks.
o Single Loss Expectancy (SLE): The expected cost of one loss event.
o Annual Rate of Occurrence (ARO): The number of loss events expected in a year.
o Annual Loss Expectancy (ALE) = SLE x ARO: The total value lost over a year.
• Audit Risk Model: Assesses the potential implications, risks, and costs of a data breach or
cyber-attack on the organization and its stakeholders.
• Privacy Impact Assessment (PIA): An analysis of how Personally Identifiable Information
(PII) is handled to ensure compliance with regulations, determine privacy risks associated
with information systems or activities, and evaluate ways to reduce risk.
§ Risk Transference: A risk management technique in which risk is transferred to a third party.
• Cybersecurity Insurance Policies: Insurance is useful in the event of a data breach.
• Managed Detection and Response (MDR): A service where a vendor monitors firewalls and
other security tools to provide expertise in triaging events. Offers hosted security services.
• Managed Service Providers (MSPs): Companies that manage the IT assets and cybersecurity
of other companies.
• Security-as-a-Service (SECaaS): A business model in which a service provider integrates their
cloud-based security services into a corporate infrastructure on a subscription basis. May
include authentication, anti-malware, Intrusion Detection Systems (IDSs), and Security
Information and Event Management (SIEM).
§ Vulnerability Management Policies: The process of identifying, evaluating, treating, and reporting
security vulnerabilities in systems and the software that runs on them. Frequently conduct
assessments to find vulnerabilities and possible attack vectors, as well as to harden the system.
§ Penetration Testing/ Ethical Hacking Policies: An authorized attempt to gain unauthorized access to
a computer system, application, or data. Carrying out an ethical hack involves duplicating the
strategies and actions of malicious attackers. Certain industries are required to conduct semi-regular
penetration tests to stay compliant with regulations, such as PCI DSS.
o Incident and Impact Planning Policies
§ Incident Response Plan (IRP): A written document, formally approved by the senior leadership
team, that helps the organization before, during, and after a security incident.
§ Business Impact Analysis (BIA): Predicts the consequences of a business disruption and develops
recovery strategies. Potential loss scenarios should be identified during a risk assessment.
§ Business Continuity Plan (BCP): The capability of an organization to continue the delivery of
products or services at pre-defined acceptable levels following a disruptive incident. A well-written
BCP should include preventative, corrective and recovery controls.
§ Disaster Recovery Plan (DRP): Maintaining or reestablishing vital infrastructure following a natural
or human-induced disaster, such as a storm or war. It employs policies, tools, and procedures.
• Site Resilience/ Redundancy/ Fault-Tolerance
o Hot Sites: A fully functional backup site that already has mirrored data.
o Warm Sites: Contains all elements of cold sites but adds storage hardware. Still
requires data to be transported, should a disaster occur.
o Cold Sites: Provides power, networking, and cooling, but no other hardware.
§ Functional Recovery Plan (FRP): A step-by-step guide from an outage to being back up and running.
§ Measurement System Analysis (MSA): A thorough assessment of a measurement process. Includes
an experiment that seeks to identify the components of variation in that measurement process.
o Offboarding Policies
§ Disabling Accounts and Passwords.
§ Disabling Permissions and Access to VPN, E-mail, Network, Servers, and Files.
§ Policy Enforcement, Conduct Requirements, and Discipline.
§ Exit Interviews.

Wireless Security
• Logical Controls
o Wireless Access
§ Captive Portals: Web page accessed with a web browser that is displayed to newly connected users
of a Wi-Fi or wired network before they are granted access to network resources.
§ Wi-Fi Protected Setup (WPS): A feature on many routers. It is designed to make the process of
connecting to a wireless network easier. Connect by pushing a button on the router, by bringing the
device near the router (NFC), or by entering a PIN/passphrase on the device. Best to disable this
feature or opt for the more secure Easy Connect DPP.
• Easy Connect DPP: Also known as Wi-Fi Easy Connect or Device Provisioning Protocol (DPP).
A Wi-Fi Alliance-certified standard that allows devices to be securely added to a network. It
uses techniques, such as QR Code scanning, to simplify the process.
o Wireless Authentication and Encryption
§ Wired Equivalent Privacy (WEP): A severely flawed security algorithm for 802.11 wireless networks.
§ Wi-Fi Protected Access (WPA): A stronger wireless authentication and encryption standard.
• WPA: Provides more sophisticated data encryption and stronger authentication than WEP.
Uses the RC4 encryption algorithm with TKIP. Was later replaced by WPA2.
o Temporal Key Integrity Protocol (TKIP): Provides more secure encryption than the
earlier WEP, without needing to replace existing hardware.
• WPA2: WPA2 replaces RC4 and TKIP with stronger encryption and authentication
mechanisms: Advanced Encryption Standard (AES), an encryption mechanism, and CCMP, an
authentication mechanism. Has a Pre-Shared Key (PSK) brute-force problem. Since there is
no Perfect Forward Secrecy, once an attacker has the PSK, they can easily ascertain all keys.
o WPA2-Personal-PSK: Pre-Shared Key (PSK). All users of a SOHO network use the
same key/password to authenticate. All passwords are 8 to 63 characters long.
o Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
(CCMP): Based on 128-bit AES. More secure than TKIP. Was advanced for its time.
Provides data confidentiality and message integrity.
• WPA3: Offers individualized data encryption for each device connected to the network,
even in open Wi-Fi networks. Each device has a unique encryption key, enhancing privacy
and security. Offers improved security with enhanced, open, updated cryptographic
protocols, key agreement, and mutual authentication. Creates a shared session key without
sending that key across the network. Includes Simultaneous Authentication of Equals (SAE),
Management Frame Protection (MFP), Galois/Counter Mode Protocol (GCMP), and Perfect
Forward Secrecy (PFS). Eliminates the need for four-way handshakes and hashes. Has no
brute force problems.
o Simultaneous Authentication of Equals (SAE): Also known as Dragonfly Key
Exchange. A password-based protocol that authenticates and exchanges keys
between two parties.
o Management Frame Protection (MFP): Also known as Protected Management
Frames (PMF). A security feature that protects unencrypted management messages
and broadcast frames between wireless devices.
o Galois/Counter Mode Protocol (GCMP): An authenticated mode that combines
Counter Mode with a hash-based authentication code. Provides data authenticity
and integrity. Useful for hashes as well. Widely used.
o Perfect Forward Secrecy (PFS): Generates a new key each session. Prevents stolen
private keys from decrypting all past and current connections. Increases complexity
for attackers, which enhances security.
• Administrative Controls
o Wireless Security Policies and Procedures: Address how wireless networks can be used and what types of
information can be transmitted. Policies should also outline procedures for installation, protection,
management, and usage.
§ Enforce Access Control: Restrict access to the network based on the organization's security policies.
For example, limit access to certain IP addresses or only allow access from certain locations.
§ Restrict Wi-Fi Access: Choose a router that allows the signal strength to be adjusted to ensure
only authorized users can use the connection.
§ Require Automatic Firmware Updates: Keep networking equipment firmware current, as updates
often contain security patches.
§ Require Authentication: Ensures that data or control packets come from the right source.
§ Disable SSID Broadcasting: Prevent unauthorized users from seeing and connecting to the network.
§ Require VPNs: Encrypt data to make it unreadable to eavesdroppers on public Wi-Fi networks. Look
for VPNs that use industry-standard AES-256 encryption and open-source protocols.

Cloud Security
• Logical Controls
o Server-Side Encryption: The encryption of data at its destination by the application that receives it.
o Client-Side Encryption: Encrypting data on the sender's side before it is transmitted to a server.
o Cloud-Related Security Appliances
§ Virtual/ Cloud Firewall: A software-based security device or service that monitors and filters
network traffic for Virtual Machines (VMs). Also known as cloud firewalls, they are designed to offer
the same security and inspection capabilities as a physical firewall but with additional capabilities for
cloud deployment. Virtual firewalls provide valuable East/West network security.
§ Next-Gen Firewall (NGFW): Third-generation firewall technology, combining a conventional firewall
with other network device filtering functions. Can contain Intrusion Detection System (IDS), Intrusion
Prevention Systems (IPS), Content Filtering, Web Proxy, Anti-Bot, Anti-Malware, Virtual Private
Network (VPN), and Identity and Access Management (IAM) functionality. Also called an Application
Layer Gateway, Stateful Multi-Layer Inspection, or Deep Packet Inspection.
§ Next-Gen Secure Web Gateway (NG-SWG): A new cloud-native solution for protecting enterprises
from the growing volume of sophisticated cloud-enabled threats and data risks. It is the logical
evolution of the traditional Secure Web Gateway, also known as a Web Proxy or Web Filter.
§ Cloud-Based Intrusion Prevention System (IPS): Any IPS is based on implicit allow. Its rules are
designed to specify types of traffic that should be blocked.
• In-Line Monitoring: All traffic must flow through the appliance.
• In-Band Response: Can monitor and block traffic on the spot. Can examine traffic for
signatures, baseline deviations, anomalies, and/or behavior heuristics.
§ Cloud Access Security Broker (CASB): An on-premises, client-side software, physical hardware
device, or cloud-based software that sits between cloud service users and cloud applications.
Monitors all activity and enforces security policies. Mediates access to cloud services, provides
visibility into application use and data security policy use, and enforces access controls. Other
functions include verification of compliance with formal standards and the monitoring and
identification of threats. Can be implemented as a forward proxy, reverse proxy, or API-based.
§ Service Integration and Management (SIAM): Allows the integration of many different cloud service
providers into a single management system. This simplifies the application management and
deployment process when using separate cloud providers.
• Administrative Controls
o Cloud Security Policies and Procedures: Govern network security and manage risk in the cloud.
§ Access Control: The process of granting or denying users or entities access to cloud resources, such
as sensitive data and applications.
§ User Education: Training to help ensure security awareness.
§ Password Administration: Managing passwords.
§ Background Checks: A preventive administrative control.
§ Backup and Recovery: A policy for backing up and recovering data.
§ Incident Response: A policy for responding to incidents.
§ Auditing: A policy for auditing cloud security controls.

Endpoint Security
• Physical Controls
o Cable Locks: Secure laptops, desktop computers, audio equipment, and other hardware from theft.
o Server Racks: Organize and lock server racks. Consider standard naming conventions and rack layout
diagrams for easier servicing.
o Privacy Screens: Shields the content on a screen from everyone except the user.
o USB Data Blocker: Considered Data Loss Prevention (DLP) and prevents Malicious USB attacks.
o Port Security: Disable unused physical ports on routers, switches, and other network hardware.
• Logical Controls
o Power On Self-Test (POST): A hardware check that is performed before booting an OS.
o Hardware Root of Trust (RoT): A fundamental security component that provides a trusted source of
function, so a device can establish strong security levels. Highly reliable hardware, firmware, and software
components that perform specific, critical security functions. Often integrated as a chip and is considered
inherently trusted, so it must be secure by design. The RoT starts a chain of trust, which ensures that no
malicious code is present before the boot process begins. Utilizes Trusted Platform Modules (TPMs) which
store encryption keys, hashed passwords and user identification. A secure subsystem providing attestation.
§ Boot Integrity (Chain of Trust): Assures the integrity of a platform by demonstrating that the boot
process starts from a trusted combination of hardware and software and continues until the OS has
fully booted and applications are running.
• Secure Boot: In the BIOS/UEFI, this checks the bootloader’s digital certificates and signature.
Password-protecting the BIOS/UEFI creates an additional layer of security.
• Trusted Boot: Verifies the OS Kernel and starts the Early Launch Anti-Malware (ELAM)
process, which checks for trusted drivers and won’t load untrusted ones.
• Measured Boot: Verifies that nothing on the computer has been changed by malicious
software or other processes. Uses the TPM to check hashes of key system state data. The
attestation server receives a boot log report signed by the TPM for analysis. Changes are
monitored and managed.
§ Remote Attestation: A mechanism for hardware and software to prove their identity and integrity
while logging on. Uses a combination of a digital certificate and cryptographic hashes of relevant
software files and settings, to determine that they haven’t been tampered with.
§ File Integrity Monitoring: Validates the integrity of operating system and application software files
using a verification method between the current file state and a known good baseline.
• File Integrity Checks: Using hash algorithms to ensure that files have not been modified.
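
The Measured Boot and Remote Attestation checks described above, as an added example that is not part of the original guide: the device extends a PCR with the hash of each boot stage, and the attestation server replays the boot log, compares it with the reported PCR, and checks each measurement against a known good baseline. The component names, the key, and the use of an HMAC in place of the TPM's signature are assumptions for illustration.

```python
import hashlib
import hmac

PCR_SIZE = 32  # bytes in a SHA-256 PCR

def measure(image: bytes) -> bytes:
    """Hash of a boot component, taken before that component runs."""
    return hashlib.sha256(image).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || digest). A PCR is never set directly."""
    return hashlib.sha256(pcr + digest).digest()

def boot(components, signing_key):
    """Device side: measure each stage, extend the PCR, append to the boot log."""
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeros on reset
    log = []
    for name, image in components:
        digest = measure(image)
        pcr = extend(pcr, digest)
        log.append((name, digest))
    # Assumption: an HMAC stands in for the TPM's signature over the PCR value.
    quote = hmac.new(signing_key, pcr, hashlib.sha256).digest()
    return log, pcr, quote

def attest(log, reported_pcr, quote, signing_key, baseline):
    """Attestation server side: returns "trusted" or the reason for rejection."""
    # 1. The reported PCR must carry a valid signature from the device.
    expected = hmac.new(signing_key, reported_pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, quote):
        return "quote signature invalid"
    # 2. Replaying the log must reproduce the signed PCR, so the log cannot be edited.
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = extend(pcr, digest)
    if not hmac.compare_digest(pcr, reported_pcr):
        return "log does not replay to reported PCR"
    # 3. Every logged measurement must match the known good baseline.
    for name, digest in log:
        if baseline.get(name) != digest:
            return f"unexpected measurement: {name}"
    # 4. Every baseline component must have been measured.
    seen = {name for name, _ in log}
    for name in baseline:
        if name not in seen:
            return f"missing measurement: {name}"
    return "trusted"

# Constructed sample data (not real firmware images or keys).
DEVICE_KEY = b"constructed-demo-key"
GOOD_BOOT = [("firmware", b"fw v1"), ("bootloader", b"loader v1"), ("kernel", b"kernel v1")]
TAMPERED_BOOT = [("firmware", b"fw v1"), ("bootloader", b"loader v1 + implant"),
                 ("kernel", b"kernel v1")]
BASELINE = {name: measure(image) for name, image in GOOD_BOOT}

if __name__ == "__main__":
    good_log, good_pcr, good_quote = boot(GOOD_BOOT, DEVICE_KEY)
    print("clean boot:   ", attest(good_log, good_pcr, good_quote, DEVICE_KEY, BASELINE))
    bad_log, bad_pcr, bad_quote = boot(TAMPERED_BOOT, DEVICE_KEY)
    print("tampered boot:", attest(bad_log, bad_pcr, bad_quote, DEVICE_KEY, BASELINE))
    # A tampered device that submits the clean log is caught by the replay step.
    print("forged log:   ", attest(good_log, bad_pcr, bad_quote, DEVICE_KEY, BASELINE))
```
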
o (Identification), Authentication, Authorization, and Accounting (AAA): A cybersecurity framework that
controls access to computer resources and networks, enforces policies, and audits usage.
§ Identification: The management of identity controls. Digital Identity is represented by accounts
managed by network administrators. Cryptography enhances identity security on public networks.
§ Identity Proofing: Also known as Identity Verification. A process that verifies and
authenticates a person's identity when they try to access a service or system. The goal is to
confirm that the person's identity is true and that they are the rightful owner.
§ Authentication: The act of proving the identity of a user/system with passwords, keys, and tokens.
§ Authentication Protocols: A communications or cryptographic protocol specifically designed
for transfer of authentication data between two entities.
o Password Authentication Protocol (PAP): No encryption. Passwords are sent in
cleartext unless the application itself provides the encryption.
o Challenge Handshake Authentication Protocol (CHAP): Encrypted challenge sent
over the network.
§ 3-Way Handshake: After the link is established, the server sends a challenge
message. The client responds with the password hash calculated from the
challenge and the password. The server compares the received hash with
the stored hash. The challenge-response continues periodically during the
connection. No password is sent in the clear, unlike PAP.
o MS-CHAPv2: Microsoft's proprietary version of CHAP, which uses encrypted tunnels.
o Extensible Authentication Protocol (EAP): An authentication framework that
provides general guidance for authentication methods. Provides a secure way to
send identifying information across a wireless network.
§ Protected EAP (PEAP): A protocol that encapsulates EAP within an
encrypted and authenticated TLS tunnel. An extension of EAP that is
sometimes used with 802.1x. The authentication server uses a digital
certificate, but the client does not.
§ Lightweight Extensible Authentication Protocol (LEAP): A Cisco-proprietary
network authentication mechanism for wireless LANs.
§ EAP Flexible Authentication over Secure Tunneling (EAP-FAST): A Cisco-
designed replacement for LEAP. A method that enables secure
communication between a client and an authentication server. Works with
a RADIUS server. Supports certificates, but they are not required.
§ EAP Transport Layer Security (EAP-TLS): An IETF open standard that uses
public key cryptography and public key infrastructure to securely identify
both the client and the network. Uses certificates and TLS for mutual
authentication between a client and a server. Complex to implement
because it requires a digital certificate for the authentication server and all
other devices. One of the most secure EAP standards and is widely used.
§ EAP Tunneled Transport Layer Security (EAP-TTLS): A framework to support
authentication across several communication systems. All authentication
methods work inside the TLS tunnel. Allows for systems to use older
authentication methods, such as PAP, within a TLS tunnel. Requires a digital
certificate on the authentication server and builds a TLS tunnel using this
digital certificate. It does not require digital certificates on every device.
o IEEE 802.1x: Port-Based Network Access Control (NAC): A hardware-based Network
Access Control (NAC). Centralized authentication for enterprise environments. An
authentication protocol used in VPNs, wired, and wireless networks. In VPNs, it is
used via a RADIUS server. Wired networks use it for port-based authentication.
Wireless networks use it in enterprise mode. Uses a centralized server so all users
can use their normal credentials to authenticate. Can be used with certificate-based
authentication. Requires integration with Extensible Authentication Protocol (EAP)
and an authentication server. Works alongside RADIUS, LDAP, and TACACS+. Can
also be used as a Network Access Server (NAS). No SSO functionality.
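
The CHAP 3-way handshake described above, with both sides of the exchange, as an added example that is not part of the original guide. It follows the MD5 construction from RFC 1994 (hash of identifier, shared secret, and challenge); the class names, account, and password are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Server:
    """Authenticator. It must hold each shared secret to recompute the hash."""

    def __init__(self, accounts):
        self.accounts = accounts  # username -> shared secret
        self.pending = {}         # identifier -> challenge still awaiting a response
        self.next_id = 0

    def send_challenge(self):
        """Message 1: a fresh random challenge with a one-byte identifier."""
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        challenge = os.urandom(16)
        self.pending[identifier] = challenge
        return identifier, challenge

    def check_response(self, username, identifier, response):
        """Message 3: success or failure. Each challenge is accepted only once."""
        challenge = self.pending.pop(identifier, None)
        secret = self.accounts.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_hash(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

class Client:
    """Peer that proves knowledge of the password without sending it."""

    def __init__(self, username, secret):
        self.username = username
        self.secret = secret

    def answer(self, identifier, challenge):
        """Message 2: the hash computed from the challenge and the password."""
        return self.username, identifier, chap_hash(identifier, self.secret, challenge)

def handshake(server, client):
    """Run the three messages; return (result, every byte that crossed the link)."""
    identifier, challenge = server.send_challenge()
    username, ident, response = client.answer(identifier, challenge)
    ok = server.check_response(username, ident, response)
    wire = bytes([identifier]) + challenge + username.encode() + response
    return ok, wire

if __name__ == "__main__":
    # Constructed account and password.
    server = Server({"alice": b"correct horse"})
    ok, wire = handshake(server, Client("alice", b"correct horse"))
    print("valid password accepted:", ok)
    print("password visible on the wire:", b"correct horse" in wire)
    ok, _ = handshake(server, Client("alice", b"wrong guess"))
    print("wrong password accepted:", ok)
    # A captured response is useless against the next periodic challenge.
    ident, challenge = server.send_challenge()
    name, _, captured = Client("alice", b"correct horse").answer(ident, challenge)
    server.check_response(name, ident, captured)
    new_ident, _ = server.send_challenge()
    print("replayed response accepted:", server.check_response(name, new_ident, captured))
```
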
• Single Sign-On (SSO): An authentication scheme that allows a user to log in to any of several
related, yet independent, software systems, with a single ID.
o OAuth: Authorization framework, not an authentication protocol. Works with OpenID
Connect, which provides authentication. Determines which data is accessible to
the user. Users can allow one application to interact with another, without using a
password. Facilitates sharing of resources between sites. Doesn’t share password
data, but instead uses authorization tokens to prove identity.
o OpenID: An open standard authentication protocol. Adds authentication to OAuth
and validates user presence.
o OpenID Connect: Handles Single Sign-On (SSO) authentication over TLS. Establishes
trust between one account (Google, for example) and a third-party account. Users
decide how much access the third-party account will have to the original account.
Doesn’t contain security features, like encryption. It relies on TLS. This means it is
susceptible to any attacks that bypass TLS. Links between accounts can be removed
at any time. Example: Facebook Connect.
• Federated Identities: Extends network accessibility beyond employees. Allows access to
trusted accounts from different networks. Users provide attestation of identity to service
providers. Can log in with credentials from other sites, such as Google or Facebook. Provides
authentication for partners, suppliers, customers, and employees.
o Transitive Trust: If one party has explicit trust relationships with two other parties,
that can form an implied trust relationship between those two.
o Identity Provider (IdP): A system entity that creates, maintains, and manages
identity information, and also provides authentication services to applications
within a federated network. Identity Providers (IdP) offer user Authentication-as-a-
Service (AaaS).
o RADIUS Federation: Members of one organization can authenticate to the network
of another organization using their normal credentials. Uses 802.1x as the
authentication method, RADIUS on the backend, and EAP to authenticate.
o Security Assertion Markup Language (SAML): Open standard for authentication and
authorization for users to access third-party resources. Authenticates through a
third-party source to gain access. The resource is not responsible for authentication.
The request is passed through a trusted third-party server. The authentication
process starts with the Principal directly contacting the Service Provider (SP) and the
SP asking for an authentication token from the Identity Provider (IdP). If granted, the
SP gives access. If not granted, the principal automatically negotiates with the IdP
for authentication. The SP and the IdP do not need to communicate to maintain a
trusting relationship. Doesn’t work well for mobile applications.
§ Shibboleth: Open-source software that uses SAML to provide third-
party Federated, Single Sign-On (SSO) authentication.
• Authentication Factors: Evidence that a person provides to verify their identity when trying
to sign in to an application, online account, or other resource.
o Knowledge-Based Authentication (KBA) Factors: Easy to memorize.
§ Something You Know: Password, PIN, or challenge question.
• Passphrase: A type of password that uses a text string or sentences,
with or without spaces.
• Static Codes: PINs that stay the same until they are changed.
• Secret Questions: Users answer at least one secret question.
o Static: Pre-configured secrets to recover a password, such
as the street you grew up on.
o Dynamic: Identity verification questions, such as which
address looks familiar to you?
o Possession Factors: Digital data that a human cannot be expected to memorize.
§ Something You Have: Cryptographic identification device, physical key, ID
badge, smartcard, or token.
• Smart Card: A physical electronic chip or integrated circuit card.
o Common Access Card (CAC): A verification card used by the
U.S. military and the Department of Defense (DoD), for
identification and access to secure systems and locations.
o Personal Identification Verification Card (PIV): A security
standard and smart card used by federal agencies in the
U.S. Used by civilians working in the federal government.
• Hardware Token/Token Key: Contains the security credentials for a
login session and identifies the user, the user's groups, the user's
privileges, and a particular application.
• Authenticator Applications: Adds an extra layer of security to
online accounts via Time-Based One-Time Passwords (TOTPs).
o HMAC-Based, One-Time Password (HOTP): HMAC stands
for Hash-Based Message Authentication Code. Used only
once before a new code must be generated.
o Time-Based One-Time Password (TOTP): Uses a randomly
generated code as an additional authentication token.
Provides an indicator of integrity, the current local time.
• SMS/Phone Call: Verifies phone numbers and phone access.
• Push Notifications: Enables user authentication by sending a push
notification directly to a secure application on the user's device.
• Digital Certificates: A file created and signed using cryptographic
algorithms, which demonstrates that the person presenting the
public certificate also holds its private key.
o Inherence Factors: A unique physical or behavioral trait.
§ Something You Are: Body measurements and calculations for human
characteristics. Biometrics are Personally Identifiable Information (PII), and
protocols must not reveal this data without consent. Fingerprints and other
scans are not usually stored. Data is stored as a mathematical computation.
• Physiological Biometric Systems: Measure characteristics of a
person, such as a fingerprint, iris scan, retinal scan, palm scan, or
venous scan. Some can check for pulse and temperature on a
fingerprint scanner to detect counterfeiting.
§ Something You Can Do: Actions, gestures, gait analysis, or signatures.
• Behavioral Biometric Systems: Measures how a person acts via
voice prints, gait, signature dynamics, or keystroke dynamics.
§ Something You Exhibit: Inherent behaviors, like personality traits or even
detectable neurological activities.
• Evaluation Metrics for Biometric Patterns
o False Rejection Rate (FRR): Measures legitimate users not
recognized.
o False Acceptance Rate (FAR): Measures interlopers
accepted.
o Crossover Error Rate (CER): Where FRR and FAR meet,
indicating system efficiency.
o Context-Aware Factors: Time of day, physical location, behavior or risk-based
authentication, or relationship to someone trusted.
§ Somewhere You Are: Current location.
• Geofencing: A virtual perimeter for a real-world geographic area.
• Impossible Travel: Detects remote hacking attempts. With each
login from a new location, it calculates the travel time from the
previous login location and uses it to determine whether both logins
can belong to the same person.
§ Someone You Know: Connection to another person who is trusted via
personal relationships or chain of trust authentication systems.
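
The Impossible Travel check described above, as an added example that is not part of the original guide: for each user it compares consecutive logins and flags a pair when the great-circle distance could not be covered in the elapsed time. The speed limit, the minimum distance used to suppress geolocation noise, and the login records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0    # assumption: roughly the cruise speed of an airliner
MIN_DISTANCE_KM = 100.0  # assumption: smaller jumps are treated as geo-IP noise

@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    place: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH, min_distance_km=MIN_DISTANCE_KM):
    """Return (user, from_place, to_place, distance_km, speed_kmh) for each flagged pair."""
    alerts = []
    previous = {}  # user -> most recent login seen so far
    for event in sorted(logins, key=lambda e: e.when):
        prev = previous.get(event.user)
        previous[event.user] = event
        if prev is None:
            continue
        distance = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
        if distance < min_distance_km:
            continue
        hours = (event.when - prev.when).total_seconds() / 3600
        speed = distance / hours if hours > 0 else float("inf")
        if speed > max_speed_kmh:
            alerts.append((event.user, prev.place, event.place, round(distance), speed))
    return alerts

def _t(hour, minute=0, second=0):
    return datetime(2024, 5, 1, hour, minute, second, tzinfo=timezone.utc)

# Constructed login records (not real telemetry).
SAMPLE_LOGINS = [
    Login("alice", _t(9), 40.7128, -74.0060, "New York"),
    Login("alice", _t(10), 51.5074, -0.1278, "London"),      # about 5,570 km in 1 hour
    Login("bob", _t(8), 48.8566, 2.3522, "Paris"),
    Login("bob", _t(12), 52.5200, 13.4050, "Berlin"),        # about 880 km in 4 hours
    Login("carol", _t(1), 40.7128, -74.0060, "New York"),
    Login("carol", _t(9, 30), 51.5074, -0.1278, "London"),   # same route, 8.5 hours
    Login("dave", _t(14), 40.7128, -74.0060, "New York"),
    Login("dave", _t(14, 0, 30), 40.7357, -74.1724, "Newark"),  # short jump, 30 seconds
]

if __name__ == "__main__":
    for user, src, dst, km, kmh in impossible_travel(SAMPLE_LOGINS):
        print(f"ALERT {user}: {src} -> {dst}, {km} km at {kmh:.0f} km/h")
```

Logins through a VPN or a cloud proxy report the egress location rather than the user's, so alerts from a check like this are usually treated as a signal for step-up authentication or review.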
• Two-Factor Authentication (2FA): Requires two forms of identification to access resources.
o 2-Step Verification: Also known as out-of-band mechanisms. Sends a software token
to a user-controlled resource via SMS, phone call, push notification, or E-mail.
Though considered two-factor authentication, intercepting the code within the time
frame would compromise security.
• Multi-Factor Authentication (MFA): A user is granted access only after successfully
presenting two or more pieces of evidence to an authentication mechanism. Most widely
used authentication option.
• Continuous Authentication: Monitors user activity post-login, enhancing security. Currently
in the research phase.
• Adaptive Identity: The process of tailoring each customer authentication to the specifics of
the request. It involves calibrating multiple sets of risk indicators to determine the type of
authentication needed, and how strong to make it.
• Password Vaults: Generates random passwords and securely stores them, reducing the risk
of data breaches. Risks include compromise of the master password, and other attacks
related to vendors, the cloud, or impersonation.
o Windows Credential Manager: Provides secure storage for credentials used to
access Windows computers, as well as storage for certificates and passwords used
for network services or websites.
o Keychain: Stores passwords, certificates, and other credentials in macOS.
o The Credential Management API: Password management by web browsers and
applications. Includes federated credentials, such as Single Sign-On (SSO) tokens.
o KeePass: Third-party password manager that stores passwords or other credentials
in an encrypted file and is protected by a central account.
o LastPass: Third-party password manager that stores passwords online.
• Digital Signatures: Combines public key cryptography with hashing for authentication,
integrity, and non-repudiation. The sender creates a hash of the message and signs it with
their private key. The recipient verifies the signature using the sender's public key. Added to
clear text messages. Verifies the message has not been tampered with by a MitM.
§ Authorization: Specifying access rights and privileges for resources.
• Identity and Access Management (IAM): A framework of policies and technologies to
ensure that the right users have the appropriate access to technology resources. IAM
encompasses four main processes: Identification, Authentication, Authorization and
Accounting. Identification creates unique IDs, authentication verifies identities,
authorization determines access rights, and accounting tracks authorized usage. Includes
Account Life Cycle Maintenance.
• Directory Services: Determines authorization by referencing a single database, or Directory,
composed of the organization’s usernames and passwords. Also contains computers,
printers, and other devices. All authentication requests must reference this directory. Each
user only needs one set of credentials. Access Directory Services via Kerberos or LDAP.
o Microsoft Active Directory (AD): A Directory Service that uses a combination of
Kerberos for authentication and Single Sign-On (SSO), and LDAP for resource
authorization queries.
§ Kerberos: Authentication through a cryptographic ticket-granting service.
Authenticate once, and the device is trusted by the system. Users can gain
access to multiple resources with one authentication. Still requires
individual servers to maintain their access databases. Allows for Single Sign-
On (SSO). Works well in Microsoft environments.
§ Lightweight Directory Access Protocol (LDAP): A database that stores
information about network users, systems, and services. Utilizes a
hierarchical tree database structure to store information about both
network users and resources. Network administrators can enter permissions
for various network resources into the LDAP database structure. This
provides centralized authorization for all servers in the network. Secure
LDAP (LDAPS) over TLS has a large attack surface, so it is not used over the
Internet. No SSO functionality.
• Simple Bind Authentication: A common way to authenticate LDAP
clients to a directory server. It's also known as password-based
authentication because the client provides a password to the
Directory Proxy Server.
• Privilege Management: A combination of people, processes, and technologies that help
organizations control access to critical resources.
o Privileged Access Management (PAM): Also known as Privileged Identity
Management (PIM). Manages privileged accounts (superuser, admin, and root
users) and their credentials. Policies, procedures, and controls to prevent the abuse
of privileged accounts. Privileges are granted by request, doled out for a short time,
and easily logged and audited. Privileged accounts are stored in digital vaults.
Requires stringent authentication, mandatory logging, and frequent audits.
o Just-In-Time (JIT) Permissions: Elevates privileges only when needed, for a limited
duration. Implemented through temporary elevation, password vaulting, or
ephemeral credentials. Ensures Zero Standing Privileges (ZSP), a security principle
that eliminates persistent, always-on access rights for accounts and identities.
§ Accounting: Account policies that enforce privilege management. They dictate what users can do
and enforce strong credential policies. This helps manage risk from compromised accounts. Auditing
and permissions reviews aid in detecting suspicious activity and preventing data breaches.
o Public Key Infrastructure (PKI): The policies, procedures, software, hardware, and employees needed to
create, distribute, manage, store, and revoke digital keys and digital certificates. Also includes the binding of
public keys to people or devices. The user maintains control over their private key but can share the public
key with any server that requires it for login. The user presents the private key, and the server matches it to
the public key already stored on the server. If not managed properly, PKI can lead to critical vulnerabilities.
§ Private and Public Keys: Sessions are encrypted with a recipient’s public key and decrypted with the
recipient’s private key. Compromised private keys endanger the authentication process and
therefore, data confidentiality.
• Static Keys: For use in many instances of a cryptographic key establishment process, over a
relatively long period of time.
• Ephemeral Keys: Session keys created with the symmetric and asymmetric keys, generated
for each execution of a key establishment process.
• Symmetric Keys: A single, shared, public key. Also called a private, secret, or session key.
• Asymmetric Keys: Each user has a public key and a private key. The use of the public key is
the basis for Public Key Infrastructure (PKI).
§ Key Exchange: An encryption key is used to decrypt ciphertext back into plain/clear text. Users
cannot exchange, or decrypt encrypted data without first securely exchanging keys. Keys are
securely exchanged between two parties, with the help of a cryptographic algorithm.
• In-Band Key Exchange: Exchanging keys in the same communication channel that is going to
be encrypted. Poses a security threat.
• Out-of-Band Key Exchange: Exchanging keys in a separate, more secure communication
channel, such as sending a smart card via the mail, or communicating a password verbally.
Keys are more secure, but the communication is slower and less convenient.
• Digital Envelopes: Combine symmetric and asymmetric encryption to securely exchange
keys and ensure message confidentiality. The process is as follows: The sender encrypts the
message with the symmetric key to make a session key. The session key is then encrypted
with the recipient's public key and sent along with the encrypted message (Double
encryption). The recipient decrypts the session key with their private key and then decrypts
the message with the symmetric key.
§ Key Management: Technology, policies and procedures for protecting, storing, organizing, and
distributing public and private keys. The process of managing cryptographic keys and related
security parameters throughout their lifecycle. This includes the generation, storage, distribution,
use, rotation, and destruction of keys. Key management also involves establishing and controlling
access to keys, and ensuring that only authorized individuals can access them.
• Key Generation: Create a strong key, using the proper cipher.
• Certificate Generation: Allocate a key to a user.
• Distribution: Make the key available to the user.
• Storage: Securely store and protect private keys against unauthorized use (usually in a
Trusted Platform Module (TPM)).
• Revocation: Manage keys that have been compromised.
• Expirations: Monitoring the certificate’s shelf life.
§ Digital Certificates: Small data files that contain identity credentials. A public assertion of identity,
validated by a Certificate Authority (CA). An electronic document assigned to a person or device,
used to prove the validity of a public key. Binds the digital certificate owner to a public and private
key. Also used to encrypt data or create digital signatures. Based on the X.509 standard, certificate
attributes are as follows: Serial number, signature algorithm, issuer, validity dates, subject name,
public key, extensions, and Certificate Authority (CA) signature.
• Certificate Authority (CA): A third-party organization that verifies the authenticity and
identity of an entity, such as a website, E-mail address, or person. CAs also provide
cryptographic keys for data encryption.
o Public/Commercial Certificate Authorities: Built into Browsers and trusted across
organizations and networks. Creates a key pair and signs the public key. Purchase a
website certificate from a CA that will be trusted by browsers.
o Private Certificate Authority (Self-Signed): An in-house CA used in medium-large
organizations. All devices must trust the internal CA. While useful for internal trust,
self-signed certificates should never be used in a production environment.
§ Single CA: The Single CA is both a root CA and an issuing CA. Simple to
implement, but risky, as a compromise could lead to a system collapse.
Often used on private networks.
§ Third Party/ Hierarchical CA: Several CAs share the load. Limits damage if
any CA becomes compromised. Requires a Chain of Trust, which lists all the
certificates between the server and the root CA. Adds layers of security, but
still vulnerable at the root level.
• Web of Trust: Adds other users who vouch for and self-sign each
other’s certificates.
• Mesh: Cross-certifying CAs. Doesn’t scale well.
• Mutual Authentication: A server and client mutually authenticate.
o Offline Certificate Authority (CA): A CA that is isolated from network access and is
often kept in a powered-down state. The purpose of keeping a CA offline is to
protect an organization's most valuable information by separating it from
potentially malicious third parties.
• Certificate Types
o Root Certificate: The certificate that identifies the Root Certificate Authority (CA).
Everything starts with this certificate. The root certificate issues other certificates.
Access to the root certificate allows for the creation of any trusted certificate.
o Web Server/SSL Certificate: A data file hosted on a website's origin server that
enables websites to use HTTPS. SSL certificates make SSL/TLS encryption possible.
They contain the website's public key, identity, and other related information.
§ Subject Alternative Name (SAN) Certificates: Allows the certificate to
contain multiple names, such as multiple website domains or the names of
both the website and the organization. Preferred over the Common Name
(CN), for specifying the identity of the certificate subject.
§ Domain Validation (DV) Certificate: Used to identify a DNS host or a
domain name for TLS-protected protocols like HTTPS.
§ Extended Validation (EV) Certificates: A certificate backed by a stricter
identity validation process than the CA's default.
§ Wildcard Certificates: A multi-domain certificate that can apply to any
number of sub-domains within a single domain.
o User or Machine Certificates: Used to identify an entity like a user or a computer.
Typically issued by a Private CA for use within an organization, so users and devices
within a corporate network trust each other.
§ Self-Signed Certificates: Used when PKI is too difficult or expensive. These
can be deployed on machines, web servers, or programs. They are trusted
within the corporate network but marked untrusted by the OS or browser.
Suitable for non-critical environments like development or testing.
o E-mail Certificates: Usable for sending and receiving E-mail messages. Usually only
requires proof that the user owns the associated E-mail address.
o Code-Signing Certificates: Used to authenticate the source and integrity of
executable files.
• Certificate Management: The process of monitoring and controlling digital certificates to
ensure network security and prevent disruption. It involves managing every step in a
certificate's lifecycle, including issuing, renewing, deploying, and revoking certificates.
o Registration Authority (RA): Identifies and authenticates certificate requesters,
maintains certificates for current certificate holders, and prevents the use of expired
certificates. Facilitates the identity verification process and submits CSRs to the CAs.
RAs do not issue certificates.
o Certificate Signing Request (CSR): The process for requesting certificates. The
subject generates a key pair and submits a CSR to the CA. The CA reviews and
validates the information before issuing the certificate. A private key is not a part of
the CSR and must be securely stored by the subject.
o Certificate Chain of Trust: List of all the certificates between the server and the Root
Certificate. Any certificate between the SSL Certificate and the Root Certificate is a
chain or intermediate certificate. The web server needs to be configured with the
proper chain, otherwise the end user will receive an error.
o Key Escrow: A method of storing, archiving and recovering important keys. Escrow
involves archiving keys with a third-party for secure storage. Root CA keys require
stringent access controls. Key recovery mechanisms ensure encrypted data can be
accessed if keys are lost.
o Certificate Revocation List (CRL): A list of digital certificates that have been revoked
by the Certificate Authority (CA) before their scheduled expiration date. Revoked
certificates are no longer valid. Suspended certificates can be re-enabled.
o Online Certificate Status Protocol (OCSP): The method by which a browser can
automatically check for certificate revocation. OCSP servers provide real-time
certificate status checks. OCSP Stapling and Certificate Pinning enhance security.
§ OCSP Stapling: The device that holds the certificate will be the one to
provide status of any revocation. Stapling helps maintain the privacy of the
end user, as the OCSP request does not require a connection to the CRL.
§ Certificate Pinning: Embeds or pins a certificate to a service. When the
application contacts the service, the service certificate will be compared to
the pinned certificate. If the certificate matches, the application knows that
it can trust the service. If the certificate doesn't match, then the application
can choose to shut down, show an error message, or make the user aware
of the discrepancy.
o Host-Based Security Appliances
§ Antivirus/Anti-Malware: Used to prevent, detect, and remove malware. Automated detection and
removal of heuristic viruses by checking files and code that may be behaving suspiciously.
§ Host-Based Firewall: Firewall software that runs on an individual computer or device connected to a
network. These types of firewalls are a granular way to protect individual hosts from malware.
Firewalls are based on an implicit deny rule and specify which traffic should be allowed. This is
contrary to IPSs, which are based on implicit allow, and specify which traffic should be blocked.
§ Host-Based Intrusion Detection System (HIDS): Monitors activity on a single computer, including
process calls and information recorded in the system, application, security, and host-based firewall
logs. Can pinpoint specific files compromised in an attack and also track processes employed by the
attacker. It can detect anomalies on the host system that a NIDS cannot detect. For example, it can
detect infections where an intruder has infiltrated a system and is controlling it remotely. HIDS are
more costly to manage than NIDS because they require administrative attention on each system.
HIDS cannot detect network attacks or prevent host attacks.
• Passive Monitoring: Examines a copy of traffic via a port mirror or network tap.
• Out-of-Band Response: Sends RESET frames to stop subsequent frames but cannot block
the first frame.
§ Host-Based Intrusion Prevention System (HIPS): Automatically detects and blocks attacks before
they affect target systems. Can examine traffic for signatures, anomalies compared to the baseline,
behaviors, or heuristics. Involves machine learning. Any IPS is based on implicit allow. Its rules are
designed to specify types of traffic that should be blocked.
• In-Line Monitoring: All traffic must flow through the appliance.
• In-Band Response: Can monitor and block traffic on the spot.
• Signature-Based: Methods that look for behavior characteristics of known attacks.
• Stateful Protocol Analysis: Methods that use Deep Packet Inspection (DPI) to examine traffic
by comparing it to a profile of how the protocol is supposed to work.
• Anomaly-Based: Heuristic methods that look for behavior that seems unusual relative to a
normal baseline.
§ End-Point Detection and Response (EDR) Solution: Also called Endpoint Threat Detection and
Response (ETDR), or Endpoint Protection Platform (EPP). Comprehensive endpoint security software,
which gathers security-related behaviors from individual network hosts, and then uses the data to
investigate suspicious activities and trends. Has rule-based automated response and analysis
capabilities. Data collected might include processes, configuration changes, file system activity, and
network connections. Machine learning and process monitoring look for and block malicious actions
instead of signatures. Provides real-time visibility, continuous monitoring, and containment.
• Behavioral Heuristics/User and Entity Behavior Analytics (UEBA): Uses machine learning
and data analytics to determine anomalous behavior by comparing known good behavior
baselines to the current state. Unusual behaviors generate use, performance, or security
alerts. Also conducts trend analysis.
§ Endpoint Data Loss Prevention (DLP): Prevents the sharing or transmitting of sensitive data. DLP
solutions inspect all data leaving the organization, including E-mail contents, attachments, copy to
portable media, File Transfer Protocol (FTP), posting to web pages and websites, applications, and
Application Programming Interfaces (APIs).
§ Network Access Control (NAC): Performs a security posture and health assessment on the endpoint
to determine whether it is safe to connect. Primarily a software-based, network security component
that runs on or interacts with endpoints. Can be hardware-based (802.1x: Port-Based Network
Access Control (NAC)). Listed here because it does offer host-based security analysis.
§ Unified Endpoint Management (UEM): Manages mobile and non-mobile endpoint devices. An
evolution of the Mobile Device Manager (MDM).
§ Trusted Platform Module (TPM): Hardware for individual devices that helps with cryptographic
functions. Built into the motherboard of the device. Not susceptible to Dictionary Attacks.
• Administrative Controls
o Password Policies: Change all default usernames and passwords. Require password complexity and prevent
password re-use. Activate account lockout and require users to change their password frequently. Consider
a minimum/maximum password age and length.
§ NIST Guidance: While strict password policies seem more secure, research shows that they
encourage poor password storage and writing passwords down, which ultimately decreases
security. NIST recommends allowing user-selected passwords between 8 and 64 characters and
avoiding complexity rules. Aging policies should not be enforced. Users should choose when to
change passwords. Password hints should not be used for account recovery.
o Separate User Accounts: No shared or generic accounts. Restrict or disable guest accounts to avoid
potential privilege escalation. Only use privileged accounts when necessary. Choose usernames carefully
according to a standard naming convention. A username should not be easy to guess by knowing the name
of a job role or the account owner. It should be easy for users to remember their names and for help desk
employees to find the account of a particular user. For auditing purposes, usernames should never be
changed and should be easily filtered for reports.
o Account Limits: Users must only have access to what is needed to perform their job duties. Conduct
frequent Groups and Permissions audits to verify that resources are being provisioned and used correctly.
o Patch Management: Establish automated and scheduled patch management. Update firmware,
applications, and OS frequently. Consider using a trusted OS. Test in an isolated sandbox or VM before
deploying. Have a backup and rollback plan ready.
§ Patch: A set of changes to a program or its supporting data, designed to update, fix, or improve it.
§ Hotfix: A quick-fix engineering update that is a single, cumulative package, and includes information
that is used to address a problem in a software product.
§ Service Pack: Comprises a collection of updates, fixes, or enhancements to a software program
delivered in the form of a single installable package.
§ Upgrade: The process of replacing a product with a newer version of the same product.
§ Maintenance Release: A release of a product that does not add new features or content, but may
solve minor problems, typically bugs or security issues.
§ Definition Update: Updates to files that are used to identify spyware and other potentially
unwanted software.
§ Unofficial Patch: A patch for a piece of software, created by a third party such as a user community
without the involvement of the original developer.
§ Rolling Release: Also known as rolling update or continuous delivery. Frequently delivering updates
to applications.
o User Training/ Education: The process of educating end users about how to avoid social engineering and
malware attacks. Using guided digital learning tools is one of the most popular methods.

Virtualization Security
• Logical Controls
o Virtual Machines (VM): Provides the functionality of a physical computer. Their implementations may
involve specialized hardware, software, or a combination of the two. A computer on which a hypervisor runs
one or more virtual machines is called a host machine, and each virtual machine is called a guest machine.
§ Hypervisors: Type of software, firmware, or hardware that creates and runs virtual machines.
• Type 1: Also called bare metal hypervisors. These hypervisors directly access underlying
machine resources. They implement custom resource allocation to service the VMs.
• Type 2: Also called a hosted hypervisor. These hypervisors negotiate resource allocation
with the operating system, which makes the process slower and less efficient.
§ Virtual Network Interface Cards (VNICs): A software-based NIC that allows a VM to join a network.
They have a MAC address, IP address, and all other functions of a real card, except instead of
sending and receiving physical signals, all of its traffic passes through the hypervisor. Multiple VNICs
can correspond to one physical NIC. VNICs allow the hypervisor to behave as a virtual switch, router,
firewall or NAT. Since routers and firewalls are essentially network hosts themselves, users could
install one as a VM. Many firewall and router vendors offer virtual versions of their products.
§ Benefits of Virtualization
• Snapshots: Easily create a snapshot of a VM, a read-only copy of the disk file and
configuration information, much like a system image or a restore point on a physical host. By
creating a snapshot before risky activities or updates, users can quickly roll back if needed.
• Security Control Testing: Virtual test environments are an ideal place to thoroughly test
security protocols before deploying them on the real network.
• Patch Compatibility: A test VM is useful for testing any operating system or application
patches to make sure they don't introduce any problems.
• Host Availability and Elasticity: Easily maintain High Availability (HA) for services hosted on
a VM by transferring the VM if the physical host has problems or needs maintenance. Easily
provide elasticity by changing the resources allocated to the VM based on its load. Copy it to
create redundant systems for load balancing.
• Sheep Dip: The process of using a dedicated device to test inbound files on removable
media for viruses before they are allowed to be used with other computers.
§ Other VM Technologies
• Thin Clients: Optimized for establishing a remote connection with a server-based computing
environment. Relies on a network connection for computing and processes very little on the
actual hardware. Thin clients connect to VMs stored on company servers. Can use VMs to
provision corporate desktops, effectively replacing traditional desktop computers.
• Thick Clients: Systems that connect to servers even without a network. They do not rely on
server applications since they can process, store, and manage data independently.
• Containers: Instead of a bare metal or a hosted hypervisor, the host operating system runs a
container service that can host multiple containers. Like a VM, a container is isolated from
other containers on the same computer. It can also perform relatively low-level operating
system tasks, such as defining its file system. Unlike a VM, a container does not have a guest
operating system. Instead, it shares the kernel of the host operating system. Containers are
somewhat less flexible than VMs, but they consume fewer resources and can be deployed
more quickly. Containers have similar security concerns as any other application
deployment method, such as bugs, insufficient security controls, or misconfigurations. Use
container-specific operating systems, which are minimal and designed specifically for
containers. Group container types on the same host by purpose, sensitivity, and threat
posture. This limits the scope of any potential intrusion.
• Storage Segmentation: Separates the information on a device into partitions.
• Sandboxes: Can be used as a test environment for code execution, patches, updates,
rollback planning, quarantining, segmentation during Incident Response, or reverse-
engineering malware.
• Virtual Desktop Infrastructure (VDI)/ Virtual Mobile Infrastructure (VMI): A virtual desktop
that allows users to access their desktop from a mobile endpoint. Applications and data are
managed externally from the device, on a separate server, or in the cloud. Minimizes risk
from device loss. Uses virtual machines to provision corporate desktops, replacing
traditional desktop computers.
o Non-Persistent VDI: The central server only stores one master image or golden
image of a fully configured computer. Whenever a user logs in, the server starts a
VM based on that master image, but it doesn't directly change any of its files or
settings. All changes are applied to a temporary copy or file system instead. When
the user logs out, all of the temporary data is deleted. When a user logs back in, or
when different users log in simultaneously, they each receive a new, generic VM.
Saves on storage space and also makes it easy to apply updates for configuration
changes. Prevents users from making changes that will cause security risks. Works
best for users that only need standard workstations without customization. They do
not work very well for users who have unique configurations or software needs.
o Application Layering: A given user can have a customized VM that includes all the
applications associated with their user profile, without the server needing a separate
master image for each unique combination of installed applications.
§ VM Security
• Virtual Machine Life Cycle Management (VMLM) Software: A set of processes that help
oversee the implementation, delivery, operation, and decommissioning of VMs.
• Virtual/ Cloud Firewall: A software-based security device or service that monitors and filters
network traffic for Virtual Machines (VMs) and virtualized environments. Provides valuable
East/West network security.
• Network Segmentation: Allows administrators to isolate network traffic and organize
resources. Virtual networks use subnets, security groups, routing, and firewall rules to
manage network communications within and between segments.
• Role-Based Access Control: Allows administrators to grant access to users based on their
role, authorization, and permissions. This can help delegate administrative controls across a
company, allowing different users to access different parts of the environment.
• Just-in-Time (JIT) VM Access: Limits inbound traffic to VMs, reducing exposure to attacks.
• Administrative Controls
o VM Policies and Procedures: Enforced to help secure Virtual Machines (VMs).
§ Patching and Updates: Keeping VMs current with the latest patches and updates for their operating
systems and applications can help avoid vulnerabilities and exploits.
§ Deactivate Unnecessary Functionality: Deactivating features that are used infrequently can help
minimize potential points of attack.
§ VM Life Cycle Management: This includes restricting storage of VM images and snapshots, using
backup and failover systems, tagging VMs based on their sensitivity or risk level, and creating a
formal change management process for VM images.
§ Monitor Resource Utilization: Deploying monitoring tools to track resource usage across VMs can
help identify underutilized or overprovisioned VMs.
§ Use Separate Management APIs: Isolating service from infrastructure management and
orchestration can help protect the network.

Mobile Security
• Logical Controls
o Carrier Locking/ Unlocking: In the locked state, only the SIM card of a specific carrier will work. In the
unlocked state, the device has no carrier restrictions, and any SIM card will work.
o Mobile Device Management: A proven methodology and toolset used to provide workforce mobile
productivity tools and applications, while keeping corporate data secure.
§ Mobile Device Management (MDM): Centralized management of mobile devices. Can implement
screen locks, account lockout, patch management, Over-the-Air (OTA) updates, and remote wipe.
§ Mobile Application Management (MAM): Allows provisioning and access control for approved
enterprise apps. Has features for app delivery, configuration management, authentication, access
control, push notifications, and reporting. Creates an enterprise-approved application catalog to
choose from. Can also remotely wipe application data.
§ Mobile Content Management (MCM): Delivers centrally hosted data and services to mobile devices,
allowing device-specific formatting and security controls. Features include data encryption, secure
connection to web applications, and DLP rules.
§ Mobile Identity Management (MIM): Centralized Identity and Access Management (IAM) for mobile
devices. Features include Single Sign-On (SSO), certificate management, and device enrollment.
§ Enterprise Mobility Management (EMM): An evolution of MDM, with MAM, MCM, and MIM.
Popular in BYOD environments. Detects rooted/jailbroken devices to help protect enterprise data.
§ Unified Endpoint Management (UEM): A further evolution of EMM, which provides central
management of all endpoints from a single platform. In addition to mobile devices, it supports
desktops, printers, and IoT devices. Can detect rooted/jailbroken devices to protect enterprise data.
o Virtual Desktop Infrastructure (VDI)/ Virtual Mobile Infrastructure (VMI): A virtual desktop that allows
users to access their desktop from a mobile device. Apps and data are managed and stored externally from
the device, in the cloud. Minimizes risk from device loss. Managed from a single platform, like a remote
desktop. Works best for Android devices.
o SEAndroid: Security enhancements for Android devices. Considered a Trusted OS.
o MicroSD HSM: Provides security services for mobile devices, such as encryption, key generation, digital
signatures, authentication, and secure storage. Works well to securely store cryptocurrency.
o Lightweight Cryptography: Field of study in the pursuit of developing more powerful tools and algorithms
that use less computer power and resources.
o Elliptical Curve Cryptography (ECC): Math based on calculating the properties of curves, instead of prime
numbers. Uses a smaller key size and curve algorithms to secure data. Lower CPU usage. Stronger security
with much shorter keys than other asymmetric algorithms. Perfect for mobile and portable devices.
• Administrative Controls
o Corporate Device Deployment Models
§ Corporate Owned, Business Only (COBO).
§ Corporate Owned, Personally Enabled (COPE).
§ Choose Your Own Device (CYOD).
§ Bring Your Own Device (BYOD).
§ Virtual Desktop Infrastructure (VDI)/ Virtual Mobile Infrastructure (VMI).
o Mobile Device Management Policies: Logical controls enforced by administrative policies.
§ Acceptable Use Policies: Set policies on apps, data, camera usage, etc.
§ Application Management: Block the use of apps that have not been expressly approved.
§ Screen Locks: Set policies for auto-locking mobile devices.
§ Passcode/PIN Requirements: Implements Screen Locks and PINs, as well as a Screen Lockout after
too many failed login attempts. May require Biometrics, and/or Multi-Factor Authentication (MFA).
§ Authentication: Allow or disallow the use of Biometrics for authentication, and manage Context-
Aware Authentication, which takes additional factors into account, like location.
§ Data Management: Set policies for data backups, encryption, and remote wipe.
§ Over the Air (OTA) Firmware Updates: Push required firmware/OS updates and patches.
§ Geolocation/ Geofencing: A virtual perimeter for a geographic area. Can disable or enable location,
geotagging, camera, microphone, and recording devices, depending on location. Helps with DLP.
§ Data Loss Prevention (DLP): Can disable the ability to plug-in or read external storage devices, such
as flash drives, SD cards, USBs, or USB On-the-Go devices.

Web Security
• Logical Controls
o HTTPS: The primary protocol for sending data between a website and a browser. HTTPS uses encryption to
secure data transfer, making it important for transmitting sensitive data like login credentials, banking
information, and credit card numbers. Protects users from Eavesdropping, Man-in-the-Middle (MitM),
Domain Name System (DNS) Spoofing, and transaction tampering.
o Captchas: A type of challenge-response test used to determine whether the user is human, to deter bot
attacks and spam.
o Secure Cookies: An HTTP cookie that sets a Secure attribute. Limits the scope of the cookie to secure channels only.
o Web Application Firewalls (WAF)/ Application Layer Firewalls: An Application-Layer firewall that filters,
monitors, and blocks HTTP traffic to and from a web service. It monitors all traffic, encrypted or not, for
malicious behaviors, before passing commands to a web server. External traffic is filtered by a traditional or
Next Generation Firewall (NGFW) first. May take actions such as alerting, blocking, re-routing, or logging.
Protects web servers and back-end databases from code injection and Denial of Service (DoS) attacks. Uses
application-aware processing rules and pattern-matching to filter traffic and detect threats. Includes Deep
Packet Inspection. Can be deployed as a hardware appliance or plug-in software on a host/web server.
Firewalls are based on implicit deny and must specify which traffic will be allowed.
o Secure Web Gateways (SWG): A software application, hardware device, or cloud service that is deployed at
the boundaries of a network to monitor and stop malicious traffic from entering the organization, and to
block users from accessing malicious or suspicious web resources. Includes URL Filtering, Spam Filtering,
Malware Inspection, routing and switching, IDS/IPS, firewall, Bandwidth Monitoring, and VPN endpoints.
Next-Gen Firewalls (NGFW) perform these functions as well.
o Content Filters/Web Filters/URL Filters: Control the content users can access over the Internet. Can be
hardware, software, or on a firewall. Issues include over-blocking, under-blocking, handling of encrypted
traffic and privacy concerns.
o DNS Filters: Restrict web content.
o Remote Browser Isolation (RBI): A web security technology that neutralizes online threats by hosting users'
web browsing sessions on a remote server instead of the user's endpoint device. RBI separates web content
from the user's device to reduce its attack surface. An example of Zero Trust being applied to websites.
• Administrative Controls
o Access Control Management: Administrators manage access controls based on an organization's security
policies. For example, restricting access to only approved IP addresses.
o Web Security Awareness Training: Implementing an educational program to improve cybersecurity
awareness and skills among all users.
o Information Privacy Policies: Also known as data privacy, this is the ability to control how personal
information is accessed, stored, and used. This includes information like names, addresses, contact
information, and online behavior. It also includes the right to consent to the collection, disclosure, and use
of data, and to ensure that data is accurate and current. Information privacy is important because it protects
individuals from criminals who may use their personal data for fraud or harassment, or from entities that
may sell their data to advertisers without their consent.

Application Security
• Logical Controls
o Quality Assurance (QA): Logical controls/procedures for the secure development of applications.
§ Dynamic Analysis: Testing and evaluating a program, while the software is running.
§ Fuzzing: Also called Fault Injection, Robustness Testing, Syntax Testing or Negative Testing. Used to
test for code injection, errors, and other exploits.
• Protocol Fuzzing: Send modified, replayed, or nonstandard packets to an application.
• Application Fuzzing: Tests input/output functions of the application.
• File Format Fuzzing: Creates and saves randomly formatted file samples to be opened and
parsed by an application.
§ Stored Procedures: SQL queries that execute server-side instead of on the client side of the
application. The client application calls the stored procedure on the server. This prevents the client
from making any changes to the actual SQL queries.
§ Input Validation: The process of testing input received by the application for compliance against a
standard defined within the application. It can be as simple as strictly typing a parameter and as
complex as using expressions or business logic to validate input.
§ Output Encoding: Translating special characters into a different but equivalent form that is no
longer dangerous to the target interpreter.
§ Error Handling: Creating meaningful error messages for the user, useful diagnostic information to
the site maintainers, but no other useful information to an attacker.
§ Escaping: Adding a special character to avoid misinterpretation. For example, adding a \ character
before a " character so that it is interpreted as text and not as closing a string.
§ Data Execution Prevention (DEP): Memory regions are marked as non-executable, preventing code
from being executed. This protects against memory abuse attacks, such as Buffer Overflows.
§ Static Application Security Testing (SAST): Static code analyzer that identifies security flaws.
§ Code Signing: The process of digitally signing executables and scripts, to confirm the software
author and guarantee that the code has not been altered or corrupted. The encryption is
asymmetric, where a trusted CA signs the developer’s public key, and the developer signs the code
with their private key. Also employs a cryptographic hash to validate authenticity and integrity.
o Web Application Firewall (WAF)/ Application Layer Firewalls: An Application-Layer firewall that filters,
monitors, and blocks HTTP traffic to and from a web service. Includes Deep Packet Inspection. May take
actions such as alerting, blocking, re-routing, or logging. Uses application-aware processing rules and
pattern-matching to filter traffic and detect threats. Can be deployed as an appliance or plug-in software.
o Allow Lists and Deny Lists: The OS allows or disallows applications from running or being installed.
o Cryptographic Obfuscation: Taking something that is normally understandable and making it very difficult to
understand. Many developers will obfuscate their code to prevent others from following the logic used in
the application. Protects code from reverse engineering. Used by malware to hide itself from scanners.
o Compilers: Translate source code into binary, a computer-readable format.
o De-Compilers: Translate binary back into source code.
• Administrative Controls
o Application Development Models
§ DevOps: Focused on increasing the speed and quality of software development and delivery.
§ DevSecOps: Integrates security early and throughout the Software Development Life Cycle.
Developers and operations teams work together.
o Secure Deployment Policies
§ Harden the Underlying Host and Network: Ensure the host is kept updated. Disable unnecessary
applications, services, and user accounts. Apply antivirus and HIDS/HIPS software on the host.
Protect the network with firewalls, NIDS/NIPS, or a Web Application Firewall (WAF). If the
application uses multiple servers, make sure all of them are suitably hardened.
§ Securely Configure the Application: Choose securely coded applications using secure protocols.
Make sure that the app components and users operate in a least privilege environment. Apply
secure client-side validation features. Apply special protections against likely attack vectors.
§ Thoroughly Test the Application Before Deployment: Use a combination of human testing and
fuzzing techniques. For critical applications, consider outside security audits or penetration tests.
§ Maintain the Deployed Application Security Over Time: Use rigorous patch management to update
software without introducing new vulnerabilities. Conduct regular security audits. Educate users to
prevent attacks that rely on social engineering. Be aware of evolving network application threats.

Data Security
• Logical Controls
o Windows Group Policy Tool: Puts users into groups and grants privileges based on job function. Enforces
password policies, sets firewall rules, blocks access to folders or network shares, and restricts the use of
desktop features, like task manager. Includes manual and automated reviews of Identities and Access.
Windows has two types of permissions that restrict access: NTFS Permissions and Share Permissions.
§ NTFS Permissions: Apply to every file and folder stored on a volume formatted with the NTFS file
system. Permissions are inherited from a Root Folder to the files and subfolders beneath it by
default, but this can be disabled.
• Basic Permissions: A simpler way to set permissions. Each basic permission maps to one or
more advanced permissions.
• Advanced Permissions: Also known as special permissions. More granular settings that
divide basic permission levels.
§ Share Permissions: Apply only to shared folders. Takes effect when a folder is accessed from a
remote system. There are three types of share permissions: Full Control, Change, and Read.
• Full Control: Allows Users Read, Change, and Edit permissions, and file Ownership.
• Change: Allows Users to Read, Execute, Write and Delete folders and files within a share.
• Read: Allows Users to View the folder's contents, including folder and subfolder names, file
data, and programs contained in the folder.
o Linux File Permissions: Each object in a file system has an Access Control List (ACL), which contains lists of
allowed accounts and permissions. chmod: Sets or modifies permissions using Symbolic or Absolute mode.
§ Symbolic Mode: Uses letters and symbols to add or remove permissions. For example, u+x gives the
Owner permission to Execute. Symbolic mode is good for small modifications, like adding Execute
permissions to files that already have Read permissions. Use commas to separate symbolic modes.
Read (r), Write (w), and Execute (x) can be applied to Owner/User (u), Group (g), and Others (o). Also
includes No Permissions (-). Math operators include + to add permissions, - to remove permissions,
and = to give no access.
• Examples of Symbolic Permissions
o u+r: Grants the User Read permission.
o g+rw: Grants the Group Read and Write permissions.
o o-rw: Removes Read and Write permission from Others.
o rw-r--r--: Users can Read and Write, while Groups and Others can Read.
§ Absolute Mode: Uses numeric octal values to represent permissions levels. For example, 6 gives
Read and Write, but not Execute access. Absolute mode is good for large modifications, like
removing all World and Group permissions. The sum of the values is added in a specific order: User,
then Group, then Others.
• Examples of Absolute Permissions
o chmod 700: Removes all permissions for the Group and World.
o chmod 701: Gives the Owner all permissions and World Execute permissions.
o chmod 705: Gives the Owner all permissions and World Read and Execute.
o chmod 640: Gives the Owner Read and Write permission, members of the Group
Read permissions, and no permissions for anyone else.
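The symbolic and absolute modes listed above, worked through in an added example (not part of the original study guide). It models how symbolic clauses change the nine permission bits and converts between the rwx string and the octal value. The function names are hypothetical, and an explicit class (u, g, o, or a) is required in every clause.

```python
import re

# Values summed by absolute (octal) mode: Read = 4, Write = 2, Execute = 1.
PERM_BITS = {"r": 4, "w": 2, "x": 1}
# Bit shift that places a 3-bit group in the User, Group, or Others position.
CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}
CLAUSE = re.compile(r"([ugoa]+)([+\-=])([rwx]*)")


def apply_symbolic(mode, spec):
    """Apply comma-separated symbolic clauses such as 'u+x,o-rw' to an octal mode."""
    for clause in spec.split(","):
        match = CLAUSE.fullmatch(clause.strip())
        if not match:
            raise ValueError("invalid symbolic clause: %r" % clause)
        who, op, perms = match.groups()
        bits = sum(PERM_BITS[p] for p in set(perms))
        for cls in set(who.replace("a", "ugo")):
            shift = CLASS_SHIFT[cls]
            if op == "+":
                mode |= bits << shift
            elif op == "-":
                mode &= ~(bits << shift)
            else:
                # "=" sets the class to exactly the listed bits; an empty
                # list, as in "o=", leaves that class with no access.
                mode = (mode & ~(7 << shift)) | (bits << shift)
    return mode


def to_string(mode):
    """Render the nine permission bits as the rwxrwxrwx string shown by ls -l."""
    parts = []
    for shift in (6, 3, 0):
        triad = (mode >> shift) & 7
        parts.append("".join(c if triad & PERM_BITS[c] else "-" for c in "rwx"))
    return "".join(parts)


def from_string(text):
    """Parse a string such as 'rw-r--r--' into its octal mode."""
    if not re.fullmatch(r"([r-][w-][x-]){3}", text):
        raise ValueError("invalid permission string: %r" % text)
    mode = 0
    for ch in text:
        mode = (mode << 1) | (ch != "-")
    return mode


def audit_others(mode):
    """List every permission the mode grants to Others (World)."""
    names = {4: "read", 2: "write", 1: "execute"}
    return ["others can %s" % names[bit] for bit in (4, 2, 1) if mode & bit]


if __name__ == "__main__":
    for octal in (0o700, 0o701, 0o705, 0o640):
        print(oct(octal), to_string(octal), audit_others(octal))
```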

o Cryptography: The study and practice of techniques that help secure data and communication in the
presence of adversarial behavior.
§ Cryptographic Concepts
• Plaintext: Readable text before it is encrypted into ciphertext, or after it is decrypted.
• Ciphertext: The result of using an encryption algorithm or cipher, on plaintext.
• Confusion: Encrypted data made to be drastically different from the plaintext, making the
mathematical relationship between the plaintext and keys as complex as possible.
• Diffusion: Changing one character of the input will cause many characters to change in the
output. Breaking up patterns in the plaintext so they won't be at all apparent in the
ciphertext. Known contents won't be useful in decoding the ciphertext.
• Cryptographic Obfuscation: Taking something that is normally understandable and making
it very difficult to understand. Many developers will obfuscate their code to prevent others
from following the logic used in the application. Protects code from those who would try to
reverse engineer it. Sometimes used by malware to hide itself from scanners.
• Cryptographic Agility: The capability of an organization to quickly and efficiently switch
between cryptographic algorithms without disrupting existing systems. Ensures that an
organization can adapt to new cryptographic standards as threats evolve or new
vulnerabilities are discovered.
• Steganography: Representing information within another message or physical object, in
such a manner that the presence of the information is not evident to human inspection. An
example of Security Through Obscurity. Not innately secure, but harder to see.
§ Cryptographic Protocols
• Pretty Good Privacy (PGP): A security program that enables users to communicate securely
by decrypting and encrypting messages, authenticating messages through digital signatures,
and asymmetrically encrypting files. It was one of the first freely available forms of public-
key cryptography software. Perfect for lower-budget cryptography needs. Uses a peer-to-
peer, web of trust model for E-mail security.
o GNU Privacy Guard (GPG): A free, open-source version of PGP that provides
equivalent encryption and authentication services.
• Secure Socket Layer (SSL): A security protocol that provides privacy, authentication, and
integrity to Internet communications. Certificate-based authentication that performs a key
exchange to set up symmetrically encrypted communication sessions that last until one side
breaks the connection. Can also perform two-way authentication, where both the client and
server must have a certificate to present to the other.
• Transport Layer Security (TLS): SSL eventually evolved into Transport Layer Security (TLS). It
works with HTTP to route encrypted web traffic. TLS employs symmetric encryption for the
data and a public key for confirming the system's identity. Data includes a Message
Authentication Code (MAC) to prevent alteration during transmission or MitM attacks. In
addition, TLS has restrictions that curb replay attacks.
• Datagram Transport Layer Security (DTLS): A secure communication protocol that is
designed to employ only UDP packets. It is sometimes known as UDP TLS. Because UDP is a
connectionless protocol, DTLS is faster, and it does not suffer the performance problems of
other stream-based protocols. DTLS is based on SSL/TLS, and it provides similar security
protections. This makes it favorable to use for VPN software.
§ Early Ciphers
• Transposition Ciphers: Scrambles the positions of characters without changing the
characters themselves.
o Rail Fence/ Zigzag: The plaintext is written downwards or diagonally on successive
rails of an imaginary fence, then moving up when the bottom rail is reached, down
again when the top rail is reached, and so on.
• Substitution Cipher: Units of plaintext are replaced with the ciphertext, in a defined
manner, with the help of a key.
o Monoalphabetic Cipher: A cipher in which each letter in the plaintext is replaced by
a letter with some fixed number of positions down the alphabet.
§ Caesar: Replaces a letter with the letter 3 places after it in the Latin
alphabet. A becomes D.
§ ROT13: Replace a letter with the 13th letter after it in the Latin alphabet.
o Polyalphabetic Cipher: A substitution cipher, using multiple substitution alphabets.
§ Vigenère Cipher: A method of encrypting alphabetic text where each letter
of the plaintext is encoded with a different Caesar cipher, whose increment
is determined by the corresponding letter of another text, called the Key.
§ One-Time Pad (OTP): An encryption system that is unbreakable, provided
certain conditions are met. Plaintext is paired with a random secret key that
is also called a One-Time Pad.
o Progressive Key Cipher: A primitive form of substitution encryption that uses a
rolling key. Can be used with any of the above ciphers. Includes an incremental shift.
§ Modern Ciphers
• Stream Ciphers: A symmetric cipher where plaintext digits are combined with a
pseudorandom cipher digit stream. Each plaintext digit is encrypted one at a time.
Examples: RC-4, Salsa, and SEAL. The most widely used stream cipher is RC-4. Mainly used
for symmetric encryption. High speed and low hardware complexity. The key is often
combined with an Initialization Vector (IV), so the starting state is never the same twice.
• Block Ciphers: A deterministic algorithm that operates on fixed-length groups of bits, called
blocks. Examples: AES, DES, 3DES, Twofish and Blowfish. The most widely used block cipher
is AES. While the block size is a fixed size, not all data matches the block size perfectly. Some
modes require padding before encrypting. Each block is encrypted and decrypted
independently. Mainly used for symmetric encryption.
• Block Cipher Modes: Additional algorithms called modes of operation can be used to change
how the key is applied to successive blocks. Defines the method of encryption. May provide
a method of authentication. Available modes depend on the encryption protocol used.
Helps to avoid patterns in the encryption output.
o Electronic CodeBook Mode (ECB): Applies the key the same way to each block. It is
sufficient for a single block but provides little security for longer messages.
o Cipher Block Chaining Mode (CBC): Performs an XOR operation on each block of
plaintext using the previous block of ciphertext, then encrypts it with the key. A
corrupted block will prevent the decryption of the subsequent block, but not the
following blocks. Symmetric and uses an Initialization Vector (IV) for randomization.
Encryption that is dependent on the block before it. Slower than other modes.
§ Exclusive OR (XOR): A mathematical operation that's a part of all symmetric
operations. Done by comparing bits of plaintext and a key (same= 0,
different= 1). Can be reversed to get the plaintext back.
o Cipher FeedBack Mode (CFB): For each block, the key stream is modified using an
XOR of the previous ciphertext, making sure it's always different. CFB makes it easy
to encrypt a stream of values smaller than the standard block.
o Output FeedBack Mode (OFB): Like CFB, but the keystream is generated
independently of the previous ciphertext. Chaining still happens, but only after the
key is applied to the plaintext. It is better able to correct errors in transmitted
ciphertext, but it still can't correct for missing or added bits.
o Counter Mode (CTR): A stream cipher mode where each block encryption uses a
successively incremental counter. Converts blocks into streams. Uses an
Initialization Vector (IV). Its main benefit is performance. It has low overhead and is
well suited to parallelization during encryption and decryption. Widely used.
o Galois Counter Mode (GCM): An authenticated mode that combines Counter Mode
with a hash-based Galois authentication code. Provides data authenticity and
integrity. Minimal latency and operational overhead. Widely used.
o Offset Codebook Mode (OCB): An authenticated encryption mode that applies a
Message Authentication Code (MAC) and encryption in a single pass. OCB has very
high performance and is easier to implement than GCM, but it is under patent
protection, which has limitations.
o Data Encryption: Protects confidentiality of data by scrambling it and making it unreadable to humans. The
encryption key is stored in a file and can decrypt the ciphertext back into plaintext.
§ Categories of Encryption
• Transport Encryption: Protect data in transit, such as that being sent over the network.
• Storage Encryption: Protects data at rest, on some sort of persistent storage medium.
• Memory Encryption: Protects data in use, such as RAM data or data that is being processed.
Memory Encryption is challenging to implement without hurting performance and
interoperability, but it is increasingly desirable to organizations with strict security needs.
• Homomorphic Encryption: Ciphertext that can be analyzed as if it were in its original form.
Perform research or calculations without viewing the data. Uses a public key and is more
secure than traditional encryption. Decrypted data can only be viewed with the private key.
§ Symmetric Encryption: Uses a single, shared key. Also called Private/Secret/Session Key
Cryptography. Faster than asymmetric encryption but is considered less secure. Efficient enough to
handle bulk data encryption, but not secure enough to be used for secure key exchange.
• Algorithms
o Advanced Encryption Standard (AES): A symmetric, block cipher chosen by the U.S.
government to protect classified information. AES is the strongest block cipher and
is widely used, typically with 128-bit, 192-bit or 256-bit keys. No known
cryptographic weaknesses. This is the encryption standard used by WPA2.
o Twofish: A symmetric block cipher with a 128-bit, 192-bit, or 256-bit key size. Uses a
very complex key structure with 128-bit blocks. No known cryptographic
weaknesses. Not limited by patents. As good as AES.
o Blowfish: A variable-length, symmetric, 64-bit block cipher, with a maximum key
size of 448 bits. Not limited by patents.
o Data Encryption Standard (DES): A symmetric-key block cipher. Its short key length
of 56-bits makes it too insecure for modern applications. Was common until
replaced by AES. The block size is 64 bit. It can be easily brute forced.
o Triple Data Encryption Standard (3DES): A symmetric block cipher, which applies
DES three times to each block. Has an optional mode where a decryption operation
is applied in the middle of its procedures. Block size is 64-bit. Key sizes are 112-bit or
168-bit. Considered a secure upgrade over DES, although not widely used.
o RC-4: A symmetric algorithm that was part of the original WEP standard with SSL.
Removed in the next implementation. Key sizes between 40-bits and 2048-bits.
Considered deprecated due to biased output.
§ Asymmetric Encryption: Each user has a public key and a private key. Also called Public Key
Cryptography. Sessions are encrypted with the recipient’s public key and decrypted with their
private key. Allows for non-repudiation of origin and delivery, access control, and data integrity.
More secure than symmetric encryption, but slower, with more cryptographic processing overhead.
It is mathematically intensive, and impractical for everyday use or encrypting large amounts of data.
For that purpose, symmetric encryption is more efficient. Asymmetric encryption is more often used
for secure key exchange, digital certificates, and sharing public keys.
• Algorithms
o Rivest, Shamir, and Adleman (RSA): A type of asymmetric encryption, which uses
two different, but linked keys. In RSA, both the public and the private keys can
encrypt a message. The opposite key from the one used to encrypt is used to
decrypt. This was the first practical use of public key cryptography. It uses large
prime numbers as a basis for encryption. Most widely used asymmetric algorithm.
o Digital Signature Algorithm (DSA): A cryptographic algorithm used to generate
digital signatures, authenticate the sender of a digital message, and prevent
message tampering. DSA involves two keys: A private key owned by the sender and
a public key held by the receiver.
§ Elliptic Curve Digital Signature Algorithm (ECDSA): Offers a variant of the
Digital Signature Algorithm (DSA), using Elliptical-Curve Cryptography (ECC).
o Elliptical Curve Cryptography (ECC): Uses math based on the difficulties of
calculating properties of curves, instead of prime numbers. Use smaller key sizes
and curve algorithms to secure data. Lower CPU usage. Stronger security with much
shorter keys than other asymmetric algorithms. It is much faster than RSA and DSA.
Perfect for mobile and portable devices.
o Diffie-Hellman (Key) Exchange (DH/DHE): An asymmetric standard for exchanging
keys. Primarily used to send private keys over a public, unsecured network. Allows
two parties that have no prior knowledge of each other, to jointly establish a shared
secret key over an unsecure channel.
§ Diffie-Hellman (DH) Groups: Determines the strength of the key used in the
key exchange process. Higher group numbers are more secure but require
additional time to compute the key.
§ Diffie Hellman Ephemeral (DHE): A DH key exchange with different keys.
§ Elliptical Curve Diffie-Hellman Ephemeral (ECDHE): A key agreement
protocol that allows two parties, each having an elliptical curve public-
private key pair, to establish a shared secret over an unsecure channel.
o ElGamal: An asymmetric algorithm for public-key cryptography, based on Diffie-
Hellman key exchange. It is probabilistic, meaning that a single plaintext can be
encrypted into many possible ciphertexts.
o Disk Encryption: A technology that protects information by converting it into code that cannot be
deciphered easily by unauthorized people or processes.
§ Full Disk Encryption (FDE): Encrypts the entire storage device, including metadata, via BitLocker or
FileVault software. FDE keys are securely stored in the TPM or on a USB drive.
§ Self-Encrypting Drive (SED): Hardware-based full-disk encryption based on the Opal Storage
Standard. Built-in encryption mitigates the performance issues of FDE.
§ Partition-Based Encryption: Allows selective encryption for different partitions.
§ Master Symmetric Key: A symmetric key that protects other keys, such as session keys. Also
protects Hard Disk Drive (HDD) data when whole drive encryption is implemented.
§ Recovery Agent: In the case of file encryption, the role of the recovery agent is to give a copy of the
recovered file back to the user in plaintext.
o Blockchain Technology: An advanced database mechanism that allows transparent information sharing
within a network. Stores data in blocks that are linked together in a chain. Each block is linked by hashing.
§ Public Ledger: Peer-to-peer transactions are public and cannot be deleted or reversed because to do
so would invalidate the hash.
o Hashing: The process of transforming any given key or a string of characters into another value. The hash
cannot be turned back into the original data but can be compared to the data to verify its integrity and/or
authenticity. Also useful for generating keys from passwords created by humans.
§ Message Digest: A fixed-size numeric representation of the contents of a message, computed by a
hash function. A message digest can be encrypted, forming a digital signature.
§ Check Digit: One or more digits (or letters) computed by an algorithm from the other digits (or
letters) in the sequence input. With a check digit, one can detect simple errors in the input.
§ Checksum: A digital fingerprint or piece of data that helps check for unaltered copies of that data.
§ Salt/Pepper: A pepper is similar to a salt, a random bit of data that is added to the password before
it's hashed through an algorithm. But unlike a salt, it's not kept in the database along with the hash
value. Instead, it's usually hard coded into source code.
§ Key Stretching: An algorithm that increases key length through multiple iterations. Hashing a
password and then hashing that hashed value protects a weak password from brute-force attacks.
• Bcrypt: Protects passwords by repeating the Blowfish cipher.
• Password-Based Key Derivation Function 2 (PBKDF2): Applying the RSA function to
passwords to create a stronger key.
§ Hash Table: A data structure for stored hashes that allows for searching and organizing large
amounts of data, such as recognizing duplicate files stored in different folders. Identity hashing is
used for source code management systems, file-sharing networks, and image databases.
§ Password Hash Storage: Many password databases only store the hash, not the plaintext password.
When a user enters a password, it is hashed and compared to the stored hash in the database.
§ Hashing Algorithms
• Message Digest (Algorithm) 5 (MD5): A widely used hash function producing ONLY a 128-bit
hash value. Has collisions. Do not use.
• Secure Hash Algorithm (SHA-1): Produces ONLY a 160-bit digest for the same input.
• Secure Hash Algorithm 2 (SHA-2): Commonly produces a 256-bit digest. The functions range
from 224 to 512-bit.
• Secure Hash Algorithm 3 (SHA-3): Six hash functions with digests (hash values) that are 128,
224, 256, 384, or 512 bits: Newer, more secure, but slower. SHA3-256 is the most widely
used algorithm.
• Hash-Based Message Authentication Code (HMAC): A hashing algorithm combined with a
symmetric key. Provides data integrity and authenticity. Faster than asymmetric encryption.
• RACE Integrity Primitives Evaluation Message Digest (RIPEMD): It is based on MD.
Collisions were found, but with security improvements and additional functions to produce
hashes between 128-320 bits, it is more secure now. The most popular is RIPEMD-160,
which is similar to SHA-1 in performance, but has fewer known flaws.
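Password hash storage with a salt, a pepper and key stretching, as an added example that is not part of the original study guide. It uses Python's `hashlib.pbkdf2_hmac` with HMAC-SHA-256; the pepper value, the iteration count, the record layout and the helper names are assumptions made for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

PEPPER = b"constructed-demo-pepper"  # assumption: held by the application, never stored in the database
ITERATIONS = 100_000                 # demo work factor for the key-stretching step

def fast_unsalted(password: str) -> str:
    """Weak baseline: one unsalted SHA-256 pass, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the record that is stored: salt, work factor and stretched hash."""
    salt = salt if salt is not None else os.urandom(16)  # per-user random salt
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode() + PEPPER, salt, ITERATIONS
    )
    # The salt is kept next to the hash; the pepper is deliberately absent.
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": stretched.hex()}

def verify_password(password: str, record: dict) -> bool:
    """Re-derive the hash from the entered password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode() + PEPPER,
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))

def needs_rehash(record: dict) -> bool:
    """True when a stored record was created with a lower work factor than the current one."""
    return record["iterations"] < ITERATIONS

def enroll(db: dict, user: str, password: str) -> None:
    db[user] = hash_password(password)

def login(db: dict, user: str, password: str) -> bool:
    record = db.get(user)
    if record is None:
        return False
    return verify_password(password, record)

if __name__ == "__main__":
    users = {}
    enroll(users, "alice", "Winter2024!")   # constructed sample accounts
    enroll(users, "bob", "Winter2024!")
    print("same password, same unsalted hash:",
          fast_unsalted("Winter2024!") == fast_unsalted("Winter2024!"))
    print("same password, same salted hash:",
          users["alice"]["hash"] == users["bob"]["hash"])
    print("login ok:", login(users, "alice", "Winter2024!"))
    print("login with wrong password:", login(users, "alice", "winter2024!"))
```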
o Redundant Data Storage: Remove single points of failure and create fault tolerance.
§ Multi-Pathing: Connections allowing multiple paths between two points, so that an interruption or
failure of one won't interrupt service. Most often used in Fiber Channel SANs and other storage
solutions, which use them to increase both reliability and performance.
§ Load-Balancing: Spreads traffic load across multiple servers or databases so that a server failure
won’t interrupt service. Provides fault-tolerance and redundancy.
§ Clustering: Multiple servers in a cluster supply redundant resources, are aware of each other, and
work toward a common goal. Clusters can dynamically reallocate duties when individual servers fail.
§ Virtualization: Virtual and cloud systems make it much easier to quickly deploy new copies of
existing systems. Beyond recovery from failure, it also includes elasticity to meet transient surges in
demand, and scalability to meet long-term growth.
§ Geographic Dispersal: Organizations maintain alternate facilities for the sake of redundancy and
fault tolerance. If a disaster disables one site, others pick up the slack until full service is restored.
§ Data Replication: Maintains exact copies of data at multiple locations, providing redundancy and
ensuring data availability in the case of disasters.
• Synchronous Replication: Writes data to all replicas simultaneously.
• Asynchronous Replication: Copies data to replicas at scheduled intervals.
§ Redundant Array of Independent/ Inexpensive Disks (RAID): A data storage virtualization
technology that combines multiple physical drive components into one or more logical units for data
redundancy, performance improvement, or both.
• Striping: The technique of segmenting logically sequential data, so that consecutive
segments are stored on different physical storage devices. Striping is useful when a
processing device requests data more quickly than a single storage device can provide it.
• Parity: A calculated value that's used to restore data from information found on the other
drives, if a drive fails.
• Mirroring: The replication of logical disk volumes onto separate physical hard disks in real-
time to ensure continuous availability.

• RAID 0: Striping. Splits data into blocks that get written across all drives in an array.
Uses all storage capacity with no overhead. NOT redundant. No mirroring,
and no parity. Loss of any disk will cause complete data loss.
• RAID 1: Mirroring. Two drives that contain the exact same data. No striping or parity.
Slower write speed but provides redundancy if one drive fails. Uses only 50%
of available disk space because saved data is duplicated on a second disk.
This does not minimize disk space compared to RAID 5.
• RAID 5: Striping with Parity. No mirroring. Requires at least three drives. Writes data
evenly across disks in a striped set. Error recovery information is distributed
across disks, such that the failure of a single drive can be tolerated. If a drive
fails, data is recovered using parity. Requires less storage space and is more
cost effective compared to RAID 1. High read speeds and fault tolerance.
• RAID 6: Striping with Dual Parity. Similar to RAID 5, but parity data is written to two
drives. Requires at least four drives and can withstand two drive failures.
• RAID 10: Mirroring and Striping. Requires at least four drives. Provides speed of RAID
0 and redundancy of RAID 1. Most expensive way to provide redundancy.
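How RAID 5 striping with distributed parity recovers from a single drive failure, as an added example that is not part of the original study guide. The chunk size, the parity rotation order and the sample payload are assumptions chosen for the demo; parity is the XOR of the data chunks in each stripe.

```python
from functools import reduce
from typing import List, Optional

Drive = Optional[List[bytes]]  # None models a failed drive

def xor_chunks(chunks) -> bytes:
    """Byte-wise XOR of equally sized chunks."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*chunks))

def parity_drive(stripe: int, n_drives: int) -> int:
    # Rotate the parity position so no single drive holds all parity.
    return (n_drives - 1 - stripe) % n_drives

def write_raid5(data: bytes, n_drives: int = 3, chunk: int = 4) -> List[Drive]:
    """Stripe data across the drives; result is drives[d][stripe] -> chunk."""
    if n_drives < 3:
        raise ValueError("RAID 5 requires at least three drives")
    per_stripe = (n_drives - 1) * chunk
    stripes = -(-len(data) // per_stripe)            # ceiling division
    data = data.ljust(stripes * per_stripe, b"\0")   # zero-fill the last stripe
    drives = [[] for _ in range(n_drives)]
    for s in range(stripes):
        row = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [row[i:i + chunk] for i in range(0, per_stripe, chunk)]
        pending = iter(chunks)
        for d in range(n_drives):
            if d == parity_drive(s, n_drives):
                drives[d].append(xor_chunks(chunks))  # parity chunk
            else:
                drives[d].append(next(pending))       # data chunk
    return drives

def rebuild(drives: List[Drive]) -> List[Drive]:
    """Recreate one failed drive by XOR-ing the surviving drives stripe by stripe."""
    failed = [i for i, d in enumerate(drives) if d is None]
    if len(failed) > 1:
        raise ValueError("RAID 5 cannot recover from more than one failed drive")
    if not failed:
        return list(drives)
    survivors = [d for d in drives if d is not None]
    restored = [xor_chunks(stripe) for stripe in zip(*survivors)]
    return [restored if d is None else d for d in drives]

def read_raid5(drives: List[Drive], length: int) -> bytes:
    """Reassemble the original data from a healthy array, skipping parity chunks."""
    n = len(drives)
    out = b""
    for s in range(len(drives[0])):
        out += b"".join(drives[d][s] for d in range(n) if d != parity_drive(s, n))
    return out[:length]

# Constructed sample payload.
DATA = b"constructed sample payload for the RAID 5 parity demo"

if __name__ == "__main__":
    array = write_raid5(DATA, n_drives=4, chunk=8)
    degraded = list(array)
    degraded[2] = None                                # simulate losing drive 2
    print(read_raid5(rebuild(degraded), len(DATA)) == DATA)
```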
o Data Backups
§ 3-2-1 Rule: 3 copies of data, across 2 media types, with one offline and one off-site.
§ Backup Types
• Online: Instant availability, but vulnerable to ransomware and other attacks.
• Offline: A manual connection is required. Better security, but less convenient.
• Full Backup: A complete copy of data assets. Requires all files to be backed up into a single
version. It is the best data protection option in terms of speed of recovery and simplicity.
• Incremental Backup: Successive copies of the data contain only the portion that has
changed since the preceding backup (of any kind) was made. When a full recovery is
needed, the restoration process requires the last full backup plus all the incremental
backups that took place up until the point of restoration.
• Differential Backup: Copies all of the files that have changed since the last full backup was
performed. This includes any data that has been created, updated, or altered in any way.
• Image: A full backup of an entire system, allowing it to be restored to full operation from a
bare metal state. Images are especially popular for freshly configured servers and
workstations and are valuable for horizontal scaling and non-persistence.
• Snapshot: A type of backup used to quickly capture the state of a system at a given point,
with limited impact on ongoing operations. Snapshots make a virtual copy of the active
system and then back up that copy. The backups can be full, incremental, or differential.
Popular for VMs or High Availability (HA) databases.
• Replication: Create redundant copies of data for availability and recovery. Enhances data
protection across multiple locations and systems.
o Remote Journaling: A data replication method that copies journal or transaction
logs from one system to another, often to a separate location.
o SAN Replication: A data protection technique that copies data from one device on a
Storage Area Network (SAN) to another.
o VM Replication: A process that creates a copy, or replica, of a VM and keeps it in
sync with the original. The replicas are stored in a powered-off state, so they don't
use compute resources. If the original VM's data is lost or corrupted, the replica can
be used to restore the machine.
§ Backup Utilities
• Backup and Restore: A traditional backup utility that allows manual or scheduled backups of
folders, volumes, or drive images. It does not include continuous backups.
• File History: By default, it copies the contents of libraries and user folders to an external
drive, but it can be configured to include any folder. Once configured, it operates
continuously, keeping data protected. It even stores multiple versions of each file, so if a
previous version is needed, it can be restored.
• Windows Server Backup: Similar to Backup and Restore but found on Windows Server
operating systems. It has additional options intended for use in a server environment.
• System Restore: Reverts the computer to a previous state, undoing system changes and
application installations. It does not copy user files, nor does it save data to external drives.
It allows users to revert unwanted system changes to a known good state. Automatically or
manually creates restore points before software or Windows Update installations.
• WinRE: Windows Recovery Environment (WinRE) is available from advanced boot options or
a system disk. It includes troubleshooting tools and can also attempt automated boot repair
or restore data from a system image. It isn't used to create backups, but if the data is still
available, it can be used to repair the system.
• Volume Shadow Copy Service (VSS): A technology used by Windows Backup and System
Restore, that allows Windows to take backup or replica copies of files or entire volumes,
even when they're already in use and would otherwise be locked from reading.
§ Backup Media
• Disk: Small Office/Home Office (SOHO) backups. They lack enterprise-level capacity,
scalability, and manageability.
• Tape: Enterprise-level capacity, scalability, and manageability.
• Network Attached Storage (NAS): A specialized hardware appliance with nothing but hard
drives, a network interface, and a stripped-down operating system optimized for sharing
files. Any host with appropriate permissions can access its storage. Allows file-level access.
• Storage Area Network (SAN): Block-level access to storage devices. Highly configurable with
mixed storage technologies to implement performance tiers. Looks and feels like a local
storage device. Very efficient reading and writing. Requires a lot of bandwidth. May use an
isolated network and high-speed network topologies. If one device fails, users can still work
with the data. It has very fast recovery times compared to traditional backups.
o SAN Snapshot: Create a data state at a point in time. Copy that state to other SANs.
o SAN-to-SAN Replication: Duplicate data from one data center to another.
• Cloud: Functions are distributed over multiple locations, each of which is a data center.
o Normalization: A technique used to design and redesign databases. It is a process or set of guidelines used
to optimally design a database to reduce redundant data.
o Database Management Systems (DBMS): Software systems used to store, retrieve, and run queries on data.
A DBMS serves as an interface between an end-user and a database, allowing users to create, read, update,
and delete data in the database. The identification methods are often implemented within DBMSs.
o Content Management Systems: A software application that manages digital content. Provides indexing,
which allows for file-labeling (names, dates, and file types), and data classifications. Search and access
content across multiple websites and mobile apps. This feature provides more flexibility in how, where, and
when content files can be accessed.
o Data Loss Prevention (DLP): Prevents the sharing or transmitting of sensitive data. DLP solutions inspect all
data leaving the organization, including E-mail contents and attachments, copy to portable media, File
Transfer Protocol (FTP), posting to web pages/websites, applications, and Application Programming
Interfaces (APIs). Also includes Pattern-Matching and Watermarking.
o Information Rights Management (IRM): Controls printing, editing, copying, pasting, or screenshots.
Restricts file permissions and forwarding.
o File Integrity Checks: An application that verifies that files have not been modified, using a hash algorithm.
o Advanced Intrusion Detection Environment (AIDE): A file and directory integrity checker, which creates a
database from the regular expression rules that it finds in the configuration files. Once this database is
initialized it can be used to verify the integrity of the configuration files.
o Hardware Security Module (HSM): High-end hardware to store and generate encryption and decryption
keys, and offload CPU overhead for cryptographic processing from other devices. Useful as network devices
in PKI environments. Can be a plug-in device or a network appliance.
o Trusted Platform Module (TPM): A cryptographic component in the motherboard of mobile devices.
o Quantum Computing: Performs very large calculations in a very short period. Monitoring conversations
would modify the keys, preventing verification. Prevents MitM attacks because the act of observing a
conversation would alter the conversation. Just theoretical at this point but will eventually render existing
cryptographic methods useless.
§ Qubit: The smallest unit of information.
§ Superposition: Zeros, ones, and any combination in between, at the same time.
§ Quantum Key Distribution (QKD): Create unbreakable encryption by sending a random stream of
qubits (the key), across a quantum channel. Both sides can verify the key. If it's identical, the key was
not viewed during transmission. Any attacker eavesdropping on the communication would modify
the data stream. This act would violate quantum physics.
• Administrative Controls
o Data Privacy Policies
§ Data Minimization: A data controller should limit the collection of personal information to what is
directly relevant and necessary to accomplish a specified purpose. They should also retain the data
only for as long as is necessary to fulfill that purpose.
§ K-Anonymity: Ensures that data cannot be linked to fewer than “K” individuals, reducing re-
identification risks. If identifiers for each person in a dataset are identical to at least (k – 1) other
people in the dataset, then the data is not unique to a certain individual and can't be used to
identify them. This is achieved by hiding individual records in groups of similar records, which
significantly reduces the possibility of identification.
§ Tokenization: A process by which a piece of sensitive data, such as a credit card number, is replaced
by a surrogate value known as a token. The sensitive data still generally needs to be stored securely
at one centralized location for subsequent reference. Requires strong protections.
§ Data Masking: ****
§ De-Identification: Removing the association between a set of identifying data and the data subject.
§ Anonymization: A de-identification technique that involves the complete and irreversible removal of
any information from a dataset that could lead to an individual being identified.
§ Pseudo-Anonymization: Removing personal identifiers and replacing them with placeholders.
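Measuring and enforcing k-anonymity on a small dataset, as an added example that is not part of the original study guide. The records are constructed, and the choice of quasi-identifiers (ZIP code and age), the generalization rules (3-digit ZIP prefix, 10-year age band) and the suppression step are assumptions made for the demo.

```python
from collections import Counter

QUASI_IDENTIFIERS = ("zip", "age")  # attributes that could be combined to single someone out

# Constructed sample records.
RECORDS = [
    {"zip": "30301", "age": 34, "diagnosis": "flu"},
    {"zip": "30305", "age": 36, "diagnosis": "asthma"},
    {"zip": "30309", "age": 31, "diagnosis": "flu"},
    {"zip": "30412", "age": 52, "diagnosis": "diabetes"},
    {"zip": "30418", "age": 58, "diagnosis": "flu"},
    {"zip": "30415", "age": 47, "diagnosis": "asthma"},
]

def generalize(row: dict) -> dict:
    """Coarsen the quasi-identifiers so that similar records fall into one group."""
    decade = row["age"] // 10 * 10
    return {**row, "zip": row["zip"][:3] + "**", "age": f"{decade}-{decade + 9}"}

def group_sizes(rows, qi=QUASI_IDENTIFIERS) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in qi) for r in rows)

def k_of(rows, qi=QUASI_IDENTIFIERS) -> int:
    """The dataset is k-anonymous for k = size of its smallest group."""
    sizes = group_sizes(rows, qi)
    return min(sizes.values()) if sizes else 0

def suppress(rows, k: int, qi=QUASI_IDENTIFIERS) -> list:
    """Drop records whose group is still smaller than k after generalization."""
    sizes = group_sizes(rows, qi)
    return [r for r in rows if sizes[tuple(r[q] for q in qi)] >= k]

def anonymize(rows, k: int) -> list:
    """Generalize first, then suppress whatever generalization could not hide."""
    return suppress([generalize(r) for r in rows], k)

if __name__ == "__main__":
    print("k of raw data:", k_of(RECORDS))
    generalized = [generalize(r) for r in RECORDS]
    print("k after generalization:", k_of(generalized))
    released = anonymize(RECORDS, k=2)
    print("k of released data:", k_of(released), "rows kept:", len(released))
```

The 47-year-old is alone in the `304**` / `40-49` group after generalization, so that record is suppressed before release to reach k = 2.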
o Data Governance Policies
§ Data Classification
• Public/Unclassified.
• Private/Classified.
• Restricted/Internal Use Only.
• Sensitive.
• Confidential.
• Secret.
• Critical.
• Top Secret.
§ Data Sensitivity Labels
• Proprietary.
• Personally Identifiable Information (PII).
• Protected Health Information (PHI).
§ Access Control Policies
• Discretionary Access Control (DAC): The owner has full control over the resource.
• Attribute-Based Access Control (ABAC): Fine-grained access control. Decisions are based on
a combination of subject, object, and context attributes.
• Rule-Based Access Control (RBAC): Access is based on pre-defined organizational rules.
• Role-Based Access Control (RBAC): Access is allocated to pre-defined organizational roles.
• Mandatory Access Control (MAC): Based on security clearance level.
• Conditional Access: Suspends account or requires re-authorization based on conditions.
§ Data Retention Policies
• Data Minimization: Collect as little data as possible.
• Purpose Limitation: Use data for only expressed purposes.
§ Data Sanitization Policies
• Purge: Destroy some of the data.
• Wipe: Unrecoverable deletion.
§ Secure Data Destruction Policies
• Pulping: Removes ink, breaks down paper, and recycles it.
• Shredding: Industrial shredder is used to break documents and drives into bits.
• Degaussing: Using a strong magnet to wipe the data.
• Destroying: Physically drilling a hole through the device or smashing it to pieces.
• Incinerating: Burning the medium.
• Third-Party Certificate of Destruction: Proof that a third-party destroyed the data.
Security Tools

Network Monitoring | Defense-In-Depth | Network Hardening | Blue-Team Tools


• Network Monitoring Tools
o Hardware devices and software utilities that provide real-time information about a network's performance
and activity. These can be used to monitor connection speed, packet size, latency, bandwidth usage, and
availability. Network monitoring tools can help identify issues early on and prevent unintentional downtime.
§ Network Analyzers: Also known as packet analyzers, protocol analyzers, or packet sniffers. These
tools capture, inspect and analyze network traffic.
• Wireshark: Passively gathers and analyzes traffic on the network, for later inspection.
• Tcpdump: A Linux-based, command line packet analyzer.
• TCPreplay: Replays and edits packet captures to test firewalls and IPSs. Useful for sandbox
analysis and/or intrusion detection testing.
§ Wireless Network Analyzers: Used to identify congestion zones and reception on wireless networks.
Also useful for mapping coverage areas and detecting Rogue Access Points (APs).
• Kismet: A network detector, packet analyzer, and IDS for 802.11 wireless LANs.
• AirCrack-ng: A software suite consisting of a network detector, packet analyzer, WEP and
WPA/WPA2-PSK password cracker, and analysis tool for 802.11 wireless LANs.
• Wifite: An automated Wi-Fi security assessment tool that streamlines the process of
capturing wireless packets, deciphering intricate security protocols, and fortifying networks
against potential threats. Also used offensively for reconnaissance and Wi-Fi hacking.
§ Bandwidth Monitors/Traffic Flow Analyzers: Network traffic analysis tools use NetFlow data to
examine overall traffic levels on a network or specific devices and interfaces. Used to find
performance issues or detect unexpected traffic.
• NetFlow Analyzer: Can monitor network traffic in real-time, including bandwidth
performance, traffic patterns, and application and protocol usage. It can also help detect
internal and external attacks and diagnose network anomalies.
• IPFIX: A newer NetFlow-based standard. Flexible templates are used to describe the data.
• sFlow: Short for Sampled Flow. Only samples a portion of the network traffic. Usually
embedded in infrastructure devices such as switches or routers. Also provides helpful
information regarding video streaming and high-traffic applications.
• SolarWinds NetFlow Traffic Analyzer: Captures and analyzes NetFlow and sFlow data to
help identify the types and volume of traffic moving across a network.
• nProbe: This commercial tool can also monitor network traffic in real-time and can analyze
flow data from sources like NetFlow and sFlow.
• Remote Network Monitoring (RMON): Provides standard information that a network
administrator can use to monitor, analyze, and troubleshoot a group of distributed LANs.
• PERFMON: A Windows system monitoring tool that monitors computer activities (CPU,
memory usage). Measures the performance of hardware, software services, applications.
• Internet Performance Working Group (iPERF): A free, open-source tool that measures
network performance and bandwidth. It works by generating network traffic between a
client and a server and reporting the maximum bandwidth to the user. It can be used to
identify bottlenecks, detect congestion, and optimize network performance. It can also
simulate real-world traffic conditions and provide insights into latency and packet loss.
• Paessler Router Traffic Grapher (PRTG): A network monitoring software that can help
secure networks and industrial infrastructure. It can monitor devices, bandwidth, usage, and
availability, and can help identify security loopholes, unusual traffic, and open ports. It can
also help prevent downtime and misconfigurations and can detect performance issues.
• Nagios: An open-source IT system monitoring tool. It was designed to run on the Linux
operating system, but it can monitor devices running Windows and Unix. It runs periodic
checks on critical parameters of application, network and server resources.
• Arkime: An open-source tool that helps security teams identify and resolve network and
security issues by storing and indexing network traffic.
• Cacti: An open-source, web-based network monitoring, graphing, performance, fault and
configuration management framework.
§ Load Balancers: A device that distributes network traffic across multiple servers or applications to
improve their performance and reliability.
§ Network Taps: A hardware device designed to perform port mirroring. A typical port tap has an A
Port, B Port and a Monitor Port. It can be placed between any two devices using an extra cable.
§ Port Mirrors: A port on a switch or other network device configured to copy traffic on other links
and forward it to a logging or analysis system.
§ Collectors: A hardware appliance or software service which receives, stores, and preprocesses
network monitoring data, especially in the context of NetFlow analysis. A collector might lie
between a traffic aggregator and analysis software.
§ Traffic Aggregators: An inexpensive network appliance that combines the input from port mirrors
and taps across the network and then filters the raw data and feeds it into monitoring systems.
§ Physical Sensors: Wired or wireless device that reports on physical conditions that can affect
network functions such as temperature, humidity, or electrical power quality, often part of an
environmental control or safety system.
§ SNMP: Often used to remotely manage network devices and gather network information.
§ Logs: Records kept by network hosts and devices about unusual or even routine network events.
• Syslog: Collects system logs from network devices on a central server for analysis.
• Journalctl: System logs are stored in a binary format optimized for storage and queries, but
these logs require a text editor to read them. Provides a method for querying the system
journal. Search, filter and view in plaintext.
• Command Line Interface (CLI) Network Analysis Tools
o Command line tools used to gather network information. Used for network analysis, or reconnaissance.
§ Ping: Test the reachability and latency of a given host using ICMP echo requests. A primary
troubleshooting tool. The name is based on the sound made by sonar.
§ Pathping: A Windows tool that provides statistics for latency and packet loss along a route over a
longer period. It behaves similarly to tracert by pinging every hop along the route.
§ Tracert (Windows) and traceroute (Linux + Unix): Report the round-trip time for hops between the
local host and a host on a remote network. Uses Internet Control Message Protocol (ICMP) Time to
Live (TTL) error messages to map the path of the packet.
§ Netstat: Network stats show which IP addresses communicate with network devices. Displays a
variety of network information, including active connections, routing tables, and traffic statistics.
• Netstat -a: All active connections.
• Netstat -b: Shows binaries in Windows.
• Netstat -n: Does not resolve names, just addresses.
§ Ipconfig: In Windows, displays IP settings for network interfaces and shows TCP/IP configurations.
§ ifconfig: In Unix-like OSs, displays/configures interface IP settings. Shows Linux interface settings.
§ Ip: Replaced ifconfig on Linux. Manipulates settings on the Network Interface Card (NIC).
§ Route: Used to view and configure the local routing table.
§ Nslookup: Performs DNS lookups and displays the IP address of a given host name. Displays the IPv4
ARP cache. Replaced by dig.
§ Dig: A more powerful alternative to nslookup. Particularly useful for zone transfers.
§ Arp -a: MAC address associated with an IP address. Views the local ARP table.
§ Route print and netstat -r (Linux): View the device’s routing table and packet path.
§ Net session: View the computer name and username of the users on a server to see if users have
files open and how long each session has been idle.
• File Manipulation Tools in Linux
o Linux command line tools that are used to interact with file systems and logs.
§ Cat: Concatenate (link together into a series).
§ Head: View the beginning of the file.
§ Tail: View the end of the file.
§ Grep: Find text in a file or more than one file at once.
§ Chmod: Change the mode of a file (permissions).
§ Logger: Add entries to the system log (syslog).
• Asset Enumeration
o Tools for gathering information about network assets and topology, to be used in an attack, or to create
defensible network visibility.
§ Network Scanning: Tools that automatically discover and enumerate network devices, including
open ports and services.
• Nmap: Short for Network Mapper, this is a free, open-source tool for network exploration
and security auditing. It sends packets to discover hosts and services on a network, and then
analyzes the responses. Can include IP addresses, port status, operating systems, and more.
• Zenmap: Like Nmap, but with a GUI. It is a multi-platform, free and open-source application
which aims to make Nmap easy for beginners to use while providing advanced features for
experienced Nmap users. Used to determine network vulnerabilities.
• Angry IP Scanner: A port scanner for network mapping, service enumeration, and more.
§ Asset Management Software: Solutions that automatically discover, track and catalog various
assets, providing a centralized dashboard for management.
• Lansweeper: An IT discovery and inventory platform which delivers insights into the status
of users, devices, and software licenses within IT environments. This platform inventories
connected IT devices, enabling organizations to centrally manage their IT infrastructure.
§ Cloud Asset Management: Cloud-native tools that discover and catalog cloud assets.
• AWS Config: Lets users assess, audit, and evaluate the configurations of their AWS resources.
• Cloudware: A modular multi-cloud management platform for enterprises who deploy
workloads across multiple cloud providers, whether hosted or on-premises.
• ScoutSuite: An open-source tool that assesses the security of cloud environments. It
provides a snapshot of a cloud account's security posture at a given time.
• Prowler: A configuration testing tool for AWS.
§ Configuration Management Databases (CMDB): A central repository for infrastructure information.
• ServiceNow: A cloud-based workflow automation platform that enables enterprise
organizations to improve operational efficiencies by streamlining routine work tasks.
• BMC Remedy: A cloud-based IT Service Management (ITSM) tool that automates the
Information Technology Infrastructure Library (ITIL) process. ITIL is a collection of best
practices for managing IT services and improving support and service levels.
§ Mobile Device Management (MDM): Manages mobile assets like smartphones and tablets.
• Microsoft Intune: A Microsoft cloud-based Unified Endpoint Management (UEM) service for
both corporate and BYOD devices. It extends the on-premises functionality of Microsoft
Configuration Manager to the Microsoft Azure cloud.
• VMware Workspace ONE: A digital workspace platform that manages an organization’s
digital workspace. It integrates access control, application management, and multiplatform
endpoint management to deliver and manage applications on any device.
• Identity and Access Management (IAM) Platforms
o IAM systems control how users access digital resources and what they can do with them. They ensure that
each user has the exact permissions they need to do their jobs and not more than that.
§ Centrify: Provides integrated software and cloud-based solutions that use Microsoft Active Directory
to govern, protect, and audit access to cross-platform computers, mobile devices, and applications.
§ Okta: A cloud-based software that helps companies manage and secure user authentication for their
applications, and for developers to build identity controls into applications, websites, web services,
and the devices they develop.
§ SailPoint: Manages all passwords, credentials, access requests, users, groups, and entitlements.
§ Ping Identity: Enables businesses of any size to implement Single Sign-On (SSO), Multi-Factor
Authentication (MFA), user provisioning, identity governance, and access management.
§ Provision IAM: A tool originally designed for community banks and credit unions, easing regulatory
compliance requirements. Provides both identity management and governance and actively
documents all data in a well-structured audit log.
• Intrusion Detection and Intrusion Prevention Tools
o Analyzes packets for malicious activity and alerts via a console or dashboard. Uses signature-based,
behavioral-based, anomaly-based, and trend analysis detection methods to either detect, or actively
prevent malicious connections.
§ Snort: A free, open-source NIDS and/or NIPS.
§ Suricata: A free, open-source analysis and threat detection tool that can act as a NIDS or NIPS.
§ Security Onion: Provides intrusion detection, network security monitoring, and log management.
§ Zeek/Bro: Zeek (formerly known as Bro) is an open-source network traffic analyzer and NIDS used to
monitor network security.
§ pfSense: A free, open-source security solution used as a firewall, router, or VPN server or client.
§ Open Source HIDS Security (OSSEC): A free, open-source HIDS with a variety of security functions.
• Endpoint Detection and Response (EDR)
o A cybersecurity technology that uses software to monitor devices for cyber threats. EDR can detect and
respond to threats like ransomware and malware that might evade antivirus software.
§ Cortex XDR: A detection and response application that natively integrates network, endpoint and
cloud data to stop sophisticated attacks. It detects threats with behavioral analytics and reveals the
root cause to speed up investigations.
§ Cynet 360: A complete cybersecurity system that includes AV endpoint protection through to device
detection, threat prediction, user behavior modeling, and vulnerability management.
§ FortiEDR: An automated incident response tool for workstations, servers, and cloud workloads.
§ Wazuh: A free and open-source security platform that combines Extended Detection and Response
(XDR) and Security Information and Event Management (SIEM) capabilities to help organizations
protect their data assets against security threats.
• Security Information and Event Management (SIEM)
o A security solution that detects, analyzes, and responds to security threats. SIEM tools combine Security
Information Management (SIM) and Security Event Management (SEM) into a single system. SIEMs collect
data from applications, devices, servers, and users, and use predetermined rules to define threats, generate
alerts, and identify abnormal activity. They aggregate this data into a central platform to provide real-time
analysis and security monitoring.
§ LogRhythm SIEM: A comprehensive security solution designed to consolidate log management,
security analytics, and endpoint monitoring/forensics. It detects threats and minimizes an
organization's risk exposure.
§ Splunk: Searching, monitoring, and analyzing machine-generated data via a web-style interface.
§ Elasticsearch, Logstash, Kibana (ELK) Stack: A powerful platform that collects and processes data,
stores that data in one central store, and provides a set of tools to analyze the data.
§ Hunting ELK (HELK): An open-source platform that adds data science features to the Elastic Stack
(ELK) to provide advanced analytics capabilities.
§ QRadar: A network security management platform that provides situational awareness and
compliance support. It uses a combination of flow-based network knowledge, security event
correlation, and asset-based vulnerability assessment.
§ Sawmill: A log processing and reporting tool that analyzes devices and software packages to
produce log files for web servers, firewalls, proxy servers, mail servers, network devices, syslog
servers, and databases. It also offers features for monitoring and alerting systems.
§ Event Log Analyzer: Monitors and manages logs for Security Information and Event Management
(SIEM) solutions. It can help improve network security and comply with IT audit requirements. It can
collect, analyze, search, report on, and archive logs from various sources.
§ OSSIM: An open-source SIEM, integrating a selection of tools for intrusion detection and prevention.
• Threat Intelligence
o The process of gathering, analyzing, and organizing evidence-based information about cyber-attacks.
§ MISP: An open-source platform that helps professionals share and store information about threats,
vulnerabilities, and malware.
§ MSTICPy: A tool that can be used for threat hunting and threat investigation.
• Incident Management
o Tools that provide a structured process that cybersecurity, DevOps, and IT professionals use to identify and
respond to incidents. The goal is to detect, investigate, and contain attacks, and to limit or prevent damage.
§ TheHive: A scalable, open-source and free Security Incident Response Platform, which provides a
process for SOCs, CSIRTs, and CERTs to use for incidents that must be investigated and acted upon.
§ GRR Rapid Response: An incident response framework focused on remote live forensics. The goal of
GRR is to support forensics and investigations in a fast, scalable manner, to allow analysts to quickly
triage attacks and perform analysis remotely.
• Vulnerability Scanners
o Tools that identify security vulnerabilities in networks, systems, applications, and procedures. They can be
hardware or software and can use a variety of signature strategies to identify vulnerabilities.
§ Nessus: A proprietary vulnerability scanner, which raises an alert if it discovers any vulnerabilities
that malicious hackers could use to gain access to a network.
§ OpenVAS: A free, open-source vulnerability scanner.
§ Qualys: Vulnerability scanner and assets inventory.
§ Rapid 7 NexPose: A vulnerability management software that scans networks for vulnerabilities in
real-time. It is available as a software product, virtual appliance, or private cloud.
• Content Filters/URL Filters
o Tools that manage or limit access to specific content, such as E-mails or webpages, that may be considered
objectionable. They can be implemented as software or hardware, often in a Web Application Firewall (WAF).
§ ModSecurity: An Apache module that helps protect websites from external attacks. As a Web
Application Firewall (WAF), it detects and blocks unwanted intrusions.
§ NAXSI: An open-source and high-performance WAF that can be used to protect webservers against
attacks like SQL Injections and Cross-Site Scripting (XSS).
• Counterintelligence Tools
o Tools that use offensive and defensive techniques to protect against cyber threats.
§ Kippo: A medium-interaction SSH honeypot written in Python. It is used to log brute-force attacks
and the entire shell interaction performed by an attacker.
§ Cowrie: An open-source honeypot that logs brute force and shell interactions on SSH and Telnet.
§ Dockpot: A high-interaction SSH honeypot based on docker.
§ HonSSH: Logs all SSH communications between a client and server.
§ Google Hack Honeypot (GHH): A system designed to be vulnerable to sophisticated search engine
queries for the purpose of attracting hackers and studying their behavior. It places an invisible link
on the user's website that can be detected through the use of advanced search operators.
§ Wordpot: A WordPress honeypot which detects and probes for plugins, themes and other common
files used to fingerprint a WordPress installation.
• Domain Reputation Monitoring
o Domain reputation monitors hijacked domains used for spam or malware distribution.
§ Talos Intelligence Reputation Center: A comprehensive, real-time threat detection network. The
data is derived from daily intelligence across millions of web, E-mail, firewall and IPS appliances.

Penetration Testing | Ethical Hacking | Exploit and Attack | Red-Teaming Tools


• OSINT and Passive Reconnaissance Tools
o In the early stages of reconnaissance, especially during a penetration test, use OSINT tools to discover how
visible the network is to an outsider.
§ Whois: A public database that stores information about domain name registrants, such as their
contact and technical information.
§ Google: One can use special search operators in Google to find hidden information.
§ Shodan: A web-based search engine that scans the Internet for information about devices and
services. It can be used to identify a variety of devices, including computers, routers, webcams,
servers, and Industrial Control Systems (ICSs). It can also identify potential vulnerabilities in these
devices, such as open ports, unsecured devices, and services running on systems.
§ Censys: Provides Internet intelligence data to help organizations protect themselves from threats. It
includes tools that help security teams hunt for threats, defend attack surfaces, and understand
asset connections, current configurations, and threat details.
§ Dnsenum: A DNS harvesting tool that can locate all DNS servers and records for an organization.
§ theHarvester: An enumeration tool that gathers E-mail accounts, employee names, and other
contact information related to people.
§ Maltego: A commercial cyber investigation platform that gathers and connects data from the
Internet. It has a free community edition that uses graphs to visualize relationships between data.
§ Recon-NG: A broad-spectrum tool that can gather a wide variety of OSINT.
§ theHarvester: Gathers OSINT available to an outsider.
• Active Reconnaissance Tools
o Any kind of security assessment can involve reconnaissance from inside or outside of the network.
Administrators and adversaries alike need to understand the network structure, services and exposed
OSINT before interacting with the network and trying to discover vulnerabilities.
§ Nmap: Network mapper and port scanner. This is useful as a vulnerability scanner because it finds
open ports and unsecured access points.
§ Kismet: A wireless network detection, packet sniffing, and Wireless Intrusion Detection System
(WIDS) used for wardriving, network scanning, mapping, tracking interactions, or improving security.
§ InSSIDer: Shows essential details about Wireless Access Points (WAPs), including channel, channel
width, signal strength, Wi-Fi generation, maximum data rate, and security. It also shows how the
neighboring Wi-Fi networks are impacting the target Wi-Fi.
§ Wireless Geographic Logging Engine (wigle.net): A website that collects and organizes data about
wireless networks around the world. Users can register on the site and upload information about
hotspots, such as GPS coordinates, SSIDs, MAC addresses, and encryption types.
§ Netcat: Can make arbitrary network connections. It is useful for many penetration testing
tasks, including enumeration, remote access, or exploitation. It is a simple tool capable of a wide
range of network tasks, such as port scanning and fingerprinting, command prompt listening over an
arbitrary port, and file transferring over an arbitrary port.
§ Curl: Short for Client Uniform Resource Locator, this tool supplies raw data and source code for web
pages, FTP, E-mails, and databases. A command-line tool that can transfer data using various
protocols, such as HTTP, FTP, LDAP and various E-mail protocols.
§ Hping: A packet crafting utility that sends highly customized ping packets. Useful for enumeration,
exploitation, host and port detection, and firewall testing. Can be used for Denial of Service (DoS)
attacks. Offers an alternative to traceroute, if ICMP is blocked.
§ Sn1per: Combines several recon tools into one framework (Metasploit, theHarvester, nmap). This is
an automated scanner and exploitation tool which performs OSINT, recon, port enumeration,
vulnerability scanning and exploits with minimal human interaction.
§ Scanless: Run port scans from a different proxy host so the scans are less identifiable.
§ Mobile Security Framework (MobSF): An open-source, automated research platform for mobile
application security. It can be used for security assessment, penetration testing, malware analysis,
and privacy analysis. It can perform static and dynamic analysis on Android, iOS, and Windows
mobile applications. It can also capture web traffic and repeat that traffic to other security tools.
• Exploit Frameworks
o Simulates adversary tools for exploitation and backdoor access.
§ Kali Linux: A free, open-source Linux distro designed for cybersecurity professionals, ethical hackers,
and penetration testers. It includes over 600 tools for security auditing and penetration testing.
§ Metasploit: Used for penetration testing and exploiting vulnerabilities identified during
reconnaissance. Contains modules to exploit known code vulnerabilities. Couples exploit modules
with a payload and obfuscates the code to evade detection.
• Meterpreter: Used to dump keystrokes from victim machines.
§ fireELF: Exploitation framework for Linux hosts.
§ Linux-Exploit Suggester (LES): A Linux privilege escalation auditing tool that helps detect security
vulnerabilities for Linux-based machines. Can identify privilege escalation attack vectors.
§ RouterSploit: Exploitation framework for embedded systems.
§ Sn1per: Penetration test reporting and evidence gathering. Runs automated suites of tests.
§ Cobalt Strike: A penetration testing tool that simulates cyberattacks to help organizations assess
their IT infrastructure's resilience against advanced cyberattacks.
§ Core: A general-purpose exploit framework with modules to target hosts and services.
§ W3af: Specialized exploit framework focused on web applications.
§ Responder: Targets local Address Resolution Protocols (ARP). It can be used to redirect traffic and
steal credentials from vulnerable services.
§ Medusa: Functions as a Ransomware-as-a-Service (RaaS) platform, providing would-be attackers
with the malicious software and infrastructure required to carry out disruptive ransomware attacks.
§ Social Engineering Toolkit (SET): A collection of open-source Python scripts that automate social
engineering attacks.
§ Burp Suite: A software package that helps security researchers, penetration testers, and ethical
hackers identify vulnerabilities in web applications, which can then be exploited.
§ Interception Proxy: An exploit tool that intercepts traffic from web servers to web browsers, and
allows for injection, alteration, or manipulation.
§ Zed Attack Proxy (ZAP): Also called OWASP ZAP, it is a free, open-source penetration testing tool
that helps identify security flaws and vulnerabilities in web applications.
§ Burp Proxy: A web proxy server that acts as a middleman between a browser and target
applications, allowing users to intercept, inspect, and modify traffic in both directions.
• Attack Tools
o Some attack tools require reconnaissance software used for malicious purposes, or the modification of
legitimate tools which can be used more offensively.
§ Netcat and ncat: Standard networking utilities that can make arbitrary network connections. They
are useful for many penetration testing tasks, including enumeration, remote access, or
exploitation. Used to safely connect to a remote system using command line instead of front-end
application. Can also be used for banner grabbing.
§ SSH: Used for secure remote access. Can also create proxy connections to obscure network location.
§ Proxychains: A more focused proxy application.
§ Curl: A command line utility that can transfer data using various protocols, such as HTTP, FTP, LDAP,
and various E-mail protocols. It can be used to upload malicious code or download sensitive files.
§ TCPreplay: A tool which can replay or resend network traffic sent by another tool, such as TCPdump
or Wireshark. Can also replay malicious traffic to IDSs/IPSs.
§ Scanless: A port scanner designed for penetration testing. It uses websites to perform port scans on
the attacker’s behalf, hiding their IP address to prevent targets from seeing who is scanning them.
§ Pacu: An open-source AWS exploitation framework, designed for offensive security testing.
§ Bloover II: A Bluetooth attack tool.
§ Bluesniff: A Bluetooth device discovery tool.
• Web Application Scanners and Exploit Tools
o These scanners test for web-related vulnerabilities by performing attacks such as SQL Injection and Cross-
site Scripting (XSS). They analyze source code and database security for unsecured programming practices.
§ Burp Suite: A software package that helps security researchers, penetration testers, and ethical
hackers identify vulnerabilities in web applications, which can then be exploited.
§ Zed Attack Proxy (ZAP): Also called OWASP ZAP, it is a free, open-source penetration testing tool
that helps identify security flaws and vulnerabilities in web applications.
§ Nikto: A free command-line vulnerability scanner that scans web servers for dangerous files,
outdated server software and other vulnerabilities. It performs generic and server-type specific
checks. It also captures and prints any cookies received.
§ FuzzDB: An open-source database of attack patterns, predictable resource names, and other
resources that can be used to test the security of web applications.
§ Arachni: A free, open-source, Ruby-based framework that helps web application developers and
information security professionals assess the security of web applications.
§ Acunetix: Dedicated web scanner integrated with OpenVAS.
§ SQLmap: Detects injection vulnerabilities in SQL Servers.
§ BrowserCheck: A browser extension for other vulnerability scanners.
• Password Cracking Tools
o Password cracking tools can crack passwords, extract them from hashes, and discover weak credentials.
§ John the Ripper: A free, open-source password-cracking tool used by hackers, both ethical and
otherwise, to retrieve cleartext passwords from hashes.
§ Hydra: A command-line tool used by hackers and cybersecurity professionals to crack passwords
through brute-force attacks.
§ Reaver: Passphrase cracking.
§ Cain & Abel: A password recovery tool for Microsoft Windows.
§ Hashcat: A password cracking tool for wireless networks.
§ Patator: A multi-purpose brute-forcer with a modular design and flexible usage.
§ AirCrack-ng: A tool for capturing packets, packet injection, and cracking pre-shared keys.
• Packet Manipulation Tools
o Some reconnaissance techniques depend on sending forged or spoofed network traffic.
§ Dsniff: A network sniffer that can also be used to disrupt the normal behavior of switched
networks. It causes network traffic from other hosts on the same segment to become visible.
§ Ettercap: An open-source tool used to perform Man-in-the-Middle (MiTM) attacks on networks. It
can capture and rewrite packets, allowing the attacker to divert and alter data in real-time.
§ Scapy: A packet manipulation tool, originally written in Python. It can forge or decode packets, send
them on the wire, capture them, and match requests and replies. It can also handle tasks like
scanning, tracerouting, probing, unit tests, attacks, and network discovery.
§ Firesheep: A Mozilla Firefox extension that allows hackers to hijack unencrypted Wi-Fi sessions as
well as capture unencrypted session cookies, which then can be used to access the users' accounts.

Secure Application Development | DevSecOps | Web Applications | Scripting Tools


• Scripting Environments
o Many security assessments involve command-line tools and scripts that are executed on a security
workstation, a system a user wants to secure, or a system a hacker is trying to exploit. Knowing how to use
those environments is critical for performing security assessments.
§ Bash: In Linux and Unix systems, bash is the most popular tool for command-line scripting.
§ PowerShell: In Windows, PowerShell is the most powerful CLI tool and can be used for scripting and
system management. The older command prompt tool is less capable, but still widely used.
§ Python: Many security scripts and programs are written in interpreted programming languages such
as Python. They are available in any system with the correct interpreter installed.
§ Ruby: Great for building desktop applications, static websites, data processing services, and even
automation tools. It's used for web servers, DevOps, and web scraping and crawling.
§ Perl: A high-level, interpreted, general-purpose programming language originally developed for text
manipulation. It borrows features from C and Shell script and is used for system administration,
networking, and other applications that involve user interfaces.
§ OpenSSL: A toolkit and crypto library for SSL and TLS. Build certificates, manage SSL/TLS
communication, manage Certificate Signing Requests (CSR) and manage message digests.
• Static Code Analyzers
o Identify vulnerabilities, errors, and non-compliant coding practices.
§ SonarQube: An open-source platform that helps improve software security and stability by
analyzing code for bugs, vulnerabilities, and other issues. It can be used to inspect code written in 29
different programming languages.
§ Coverity: A static analysis tool that helps security teams and developers find and fix security and
code quality issues in software. It can analyze over 200 frameworks in 22 programming languages.
§ Fortify: Uses algorithms and secure coding rules to analyze source code for vulnerabilities. It can
identify the root cause of issues, prioritize them, and provide guidance on how to fix them.
• Containers
o A type of operating system virtualization that can contain application code, libraries, configuration files, and
other executables. Containers are lightweight, portable, and can be automated.
§ Docker: Enforces resource separation at the OS level. Defines isolated cells for each user instance to
run in. Allocates CPU and memory resources for each container. Supports microservices and
serverless architecture. Used in implementing corporate workspaces on mobile devices.
• Sandboxes
o Essential for malware detection and forensic inspection.
§ Cuckoo Sandbox: A sandbox for testing a file for malware.
§ Joe Sandbox: A cloud-based malware analysis tool that allows users to upload and analyze
suspicious files and URLs.
• Infrastructure as Code (IaC)
o Automates deployment and management of infrastructure. Ensures consistency and repeatability.
§ Terraform: An open-source tool that automates the provisioning and management of code-based
infrastructure in any cloud or data center.
Forensic Tool Kits | Hashing | Memory Analysis | Password Cracking
• Forensic Tools
o Tools to assist in the acquisition, documentation, and analysis of digital evidence.
§ File Integrity Monitoring (FIM): Checks for changes in files that should never change.
§ Dd: Short for Disk Image. Creates a bit-by-bit copy of information on a drive or in a directory.
§ Memdump: A Linux tool that copies information found in system memory.
§ Winhex: A hexadecimal editor and memory dumping utility that captures active process memory.
§ Forensic Tool Kit (FTK) Imager: A proprietary disk imaging tool for Windows.
§ EnCase: A proprietary tool that can capture bitwise copies of physical drive partitions.
§ Autopsy: A digital forensics tool that can recover data from hard drives or smartphones.
§ Volatility Framework: An open-source tool for memory analysis.
§ RegRipper: The fastest, easiest, and best tool for registry analysis in forensics examinations.
§ The Sleuth Kit (TSK): A collection of open-source Linux tools used to analyze file systems and
volumes. It recovers lost or deleted data and responds to security incidents. It can also be used to
access locked files without changing timestamps and see files that attackers have hidden.
§ Cellebrite: Mobile data retrieval tool.
§ CAINE: Short for Computer-Aided Investigative Environment. It is an open-source platform that
provides software tools for forensic analysis.
§ SIFT: The SIFT Workstation is a collection of free and open-source incident response and forensic
tools designed to perform detailed digital forensic examinations.
§ DumpIt: A tool that creates a physical memory dump of a Windows system, which is a snapshot of
the memory that contains data about any running processes at the time it was captured.
§ Memoryze: A free memory forensic software that finds malicious data in live memory. It can acquire
and/or analyze memory images and can include the paging file in its analysis.
§ Message Analyzer: Can parse and display headers in a structured format showing the delivery path
and added headers. Useful for viewing and analyzing metadata.
§ Foremost: A popular file carving program for Linux. Recovers files from storage volumes or forensic
disk images, even if they have been deleted from the file system.
§ MD5sum and SHAsum: Hashing utilities to preserve file integrity.
§ SANS Investigative Forensic Toolkit (SIFT): Forensic toolkits that provide comprehensive platforms
for analysis tasks. Available as an application on a forensic workstation or as a live CD.
§ Osquery: An easy-to-use OS monitoring tool that uses SQL to expose a device's operating system as
a relational database. In short, it allows the user to ask questions about their operating system.
§ John the Ripper: A multi-platform, password-cracking utility.
§ Cain & Abel: A popular password-cracking utility for Windows systems.
System Hardening

Network Hardening
• General Network Hardening
o Physical Hardening
§ Use a Defense-in-Depth or Layered security posture.
§ Where possible, use vendor diversity on network appliances.
§ Physically protect cables from cutting, disconnecting, rearranging, stepping and/or tripping.
§ Lock server racks, and bulk cable connections.
§ Consider standard naming conventions for server racks and cable organization.
§ Make switch and router hardware less physically accessible.
§ Use fire suppression systems.
§ Consider intrusion sensors and personnel barriers.
§ Physically block unused router and switch ports.
§ Keep physical and logical network maps current with device names and IP address naming schemas.
§ Conduct semi-regular Site Surveys.
§ Consider backup power, redundant storage, and/or hot, warm or cold sites in the event of a disaster.
§ Consider the use of an Uninterruptible Power Supply (UPS).
§ Replace legacy/deprecated systems at the End of Life (EOL) or End of Service Life (EOSL).
§ If a legacy system cannot be replaced, use a hardware, software, or network wrapper.
o Logical Hardening
§ Implement logical separation: Divide the network into zones that can be co-allocated on the same
hardware or network cable.
§ Configure authentication on network appliances.
§ Change all default usernames and passwords/passphrases.
§ Enable usernames and passwords/passphrases on user, enable and config modes.
§ Require Multi-Factor Authentication (MFA).
§ Disable Dynamic Trunking Protocol (DTP).
§ Disable old, insecure routing protocols, like RIPv1.
§ Disable unused logical ports and use private ports where possible.
• Disable or password-protect Telnet.
• Password-protect and use SSH.
• Disable remote login, when not needed.
• Use secure and updated versions of all protocols.
§ Install a network firewall.
§ Consider security appliances, such as a NIDS/NIPS, or a Unified Threat Management (UTM) solution.
§ Use baselines for Trend Analysis and Integrity Measures Checks.
§ Implement Access Control Lists (ACL), whitelists and blacklists for MAC addresses and IP addresses.
§ Keep security patches current.
§ Consider requiring VPN use.
§ Implement user segmentation: Control which areas of the network individual users can access.
o Administrative Hardening
§ Enforce strong password/passphrase policies.
§ Define rules and policies for Internet use, remote login, personal and corporate account use.
§ Define rules and policies for hardware, software, and mobile device use.
§ Enforce policies for geofencing, context-aware authentication, time/location-based login, and
impossible travel. Where possible, prevent after-hours logins.
§ Initiate Least Privilege, Dual Control, Separation of Duties, Job Rotation, and/or Mandatory Vacation.
§ Monitor and manage potential breaches in supply chain security.
§ Conduct frequent permissions and configurations audits.
§ Disable unused accounts: Ensure malicious actions cannot occur after an employee’s exit.
§ Review MITRE’s CVE List and NIST’s National Vulnerability Database (NVD).
• Wireless Network Hardening
o Physical Hardening
§ Ensure that router and Wireless Access Point (WAP) hardware is not physically accessible.
§ Protect any physical network cables from cutting, disconnecting, rearranging, stepping, or tripping.
o Logical Hardening
§ Disable SSID Broadcasting.
§ Configure authentication on network appliances.
§ Change the default SSID and password/passphrase.
§ Disable the Wi-Fi Protected Setup (WPS) button on routers and Wireless Access Points (WAPs).
§ Consider opting for the more secure protocol, Easy Connect DPP.
§ Lower the Wi-Fi signal strength to prevent unauthorized use.
§ Choose non-overlapping channels (1, 6, and 11) in buildings with more than one Access Point (AP).
§ Use Heatmaps and Signal Strength Measures to look for Rogue Access Points or Evil Twins.
§ Use WPA3 (Wi-Fi Protected Access 3): WEP and WPA are deprecated.
§ Implement Access Control Lists (ACL), whitelists and blacklists for MAC addresses and IP addresses.
§ Keep security patches for hardware, firmware and software current.
§ Consider captive portals with health checks, for new or guest devices.
§ Consider requiring VPN use.
o Administrative Hardening
§ Implement employee training on secure network use, and general threat awareness.
§ Enforce strong password/passphrase policies.
§ Define rules and policies for Internet use, remote login, personal and corporate account use.
§ Enforce policies for geofencing, context-aware authentication, time/location-based login, and
impossible travel. Where possible, prevent after-hours logins.
§ Conduct frequent permissions and configurations audits.
§ Disable unused accounts: Ensure malicious actions cannot occur after an employee’s exit.
§ Review MITRE’s CVE List and NIST’s National Vulnerability Database (NVD).
• Cloud Network Hardening
o Logical Hardening
§ Block public access.
§ Implement Identity and Access Management (IAM).
§ Put users into groups based on job function.
§ Assign permissions to groups rather than individual accounts.
§ Avoid the use of generic accounts, such as guest accounts or others shared by multiple users.
§ Configure Multi-Factor Authentication (MFA) for cloud environments.
§ Use a VPN for cloud access.
§ Configure cloud-based virtualized networks.
§ Use a cloud-based firewall and/or cloud-based IPS.
§ Consider a Next-Gen Secure Web Gateway (NG-SWG).
§ Create separate Availability Zones (AZ).
§ Duplicate data and store backups in different geographic locations.
§ Use a cloud-based Security Information and Event Manager (SIEM).
§ Use Load Balancers to provide High Availability (HA).
o Administrative Hardening
§ Implement employee training on secure cloud network use, and general threat awareness.
§ Enforce strong password/passphrase policies.
§ Define rules and policies for cloud access and Acceptable Use.
§ Enforce policies for context-aware authentication.
§ Conduct frequent permissions and configurations audits.
§ Disable unused accounts: Ensure malicious actions cannot occur after an employee’s exit.
§ Consider the use of a Cloud Access Security Broker (CASB) or a Managed Service Provider (MSP).
§ Review MITRE’s CVE List and NIST’s National Vulnerability Database (NVD).

Endpoint Hardening
• General Endpoint Hardening
o Physical Hardening
§ Consider physically blocking the use of media, such as USB, USB OTG, and flash drives for DLP.
§ Consider cable locks on all endpoints that are accessible to the public.
§ Consider privacy screens to prevent shoulder surfing.
§ Replace legacy/deprecated systems that have reached End of Life (EOL) or End of Service Life (EOSL).
§ If a legacy system cannot be replaced, use a hardware, software, or network wrapper.
o Logical Hardening
§ Require Multi-Factor Authentication (MFA).
§ Consider logically blocking the use of plug-in media, and disks for DLP.
§ Ensure all hardware and software is legitimately sourced and unaltered.
§ Only install apps from trusted locations.
§ Consider Trusted Operating Systems (TOS): These sufficiently meet high security standards.
§ Apply secure configurations: Change the unsecured default settings.
§ Apply the principle of Least Functionality: Limit the OS to be able to perform only what is necessary.
§ Assign Administrators two accounts apiece, an administrator account for tasks that require escalated
privileges, and a standard user account for all other work.
§ When giving multiple accounts to a user, ensure that each account has a separate password.
§ Avoid the use of generic accounts, guest accounts, or accounts shared by multiple users.
§ Assign permissions to groups rather than individual accounts.
§ Manage permissions to avoid authorization creep.
§ Initiate an Application Blocklist/Approved List and quarantine any suspicious applications.
§ Use host-based firewalls, spam filters, and HIDS/HIPS and SIEMs.
§ Configure security logs to record key indicators and review for suspicious activity.
§ Ensure all systems have up-to-date anti-malware, with real-time monitoring.
§ Regularly install security patches.
§ Encrypt all endpoint data.
o Administrative Hardening
§ Implement employee training on secure endpoint use, and general threat awareness.
§ Maintain Acceptable Use policies.
§ Enforce strong password/passphrase policies.
§ Define rules and policies for Internet use, remote login, and personal/corporate account use.
§ Enforce policies for geofencing, context-aware authentication, time/location-based login, and
impossible travel. Where possible, prevent after-hours logins.
§ Conduct regular audits on group membership, permissions, and credentials.
§ Disable unused accounts: Ensure malicious actions cannot occur after an employee’s exit.
§ Review MITRE’s CVE List and NIST’s National Vulnerability Database (NVD).
• Virtual Machine (VM) Endpoint Hardening
o Logical Hardening
§ Use a library of standard VM images.
§ Archive or recycle underutilized VMs.
§ Consider using Virtual Machine Lifecycle Management (VMLM) software.
§ Ensure all hardware and software is legitimately sourced and unaltered.
§ Only install apps from trusted locations.
§ Consider Trusted Operating Systems (TOS): These sufficiently meet high security standards.
§ Apply secure configurations: Change the unsecured default settings.
§ Apply the principle of Least Functionality: Limit the VM’s OS to perform only what is necessary.
§ Assign Administrators two accounts apiece, an administrator account for tasks that require escalated
privileges, and a standard user account for all other work.
§ When giving multiple accounts to a user, ensure that each account has a separate password.
§ Avoid the use of generic accounts, guest accounts, or accounts shared by multiple users.
§ Assign permissions to groups rather than individual accounts.
§ Manage permissions to avoid authorization creep.
§ Use a host-based virtual firewall, spam filter, HIDS/HIPS and SIEMs.
§ Implement a Data Loss Prevention (DLP) solution.
§ Configure security logs to record key indicators and review for suspicious activity.
§ Ensure all systems have up-to-date anti-malware, with real-time monitoring.
§ Regularly install security patches.
§ Encrypt the data stored on VMs.
o Administrative Hardening
§ To avoid VM Sprawl, administrators should enforce strict policies and procedures for deploying VMs.
§ Implement employee training on secure VM use, and general threat awareness.
§ Maintain Acceptable Use policies.
§ Enforce strong password/passphrase policies.
§ Define rules and policies for VM use, remote login, and personal and corporate account use.
§ Enforce policies for context-aware authentication, time/location-based login, and after-hours logins.
§ Conduct regular audits on group membership, permissions, and credentials.
§ Disable unused accounts: Ensure malicious actions cannot occur after an employee’s exit.
§ Review MITRE’s CVE List and NIST’s National Vulnerability Database (NVD).
• Mobile Endpoint Hardening
o Physical Hardening
§ Disable the ability to plug-in or read external storage devices, such as flash drives, SD cards, USBs, or
USB On-the-Go (OTG) devices for DLP.
§ Consider cable locks for mobile devices and laptops, when in public areas.
§ For kiosks and public tablet use, consider using mechanisms and sensors to detect and respond to
physical breaches. Store in secure enclosures, especially when in public. Use tamper resistant and
tamper evident components.
o Logical Hardening
§ Consider using a Mobile Device Manager (MDM) solution.
§ Use strong passwords/passphrases, Multi-Factor Authentication (MFA), and Biometrics.
§ Ensure public or free Wi-Fi is protected before logging on.
§ Utilize a mobile VPN.
§ Encrypt the data on the device.
§ Install an anti-virus application.
§ Only install apps from trusted locations.
§ Initiate an Application Blocklist/Approved List and quarantine any suspicious applications.
§ Update to the latest software.
§ Keep OS, application, and firmware patches current.
§ Keep data backups, whether on a plug-in device, or in the cloud.
§ Implement a Data Loss Prevention (DLP) solution.
§ In a BYOD environment, use containerization to keep corporate data separate from personal data.
§ Block the use of apps that have not been expressly approved.
§ Implement Screen Locks and PINs.
§ Implement Screen Lockout after too many failed login attempts.
§ Consider adding a virtual perimeter for a geographic area through geofencing or geolocation.
§ Disable or enable location, geotagging, camera, microphone, and recording, depending on location.
o Administrative Hardening
§ Determine which mobile deployment model is most suitable for the needs of the organization.
§ Implement employee training on secure mobile device use, and general threat awareness.
§ Enforce strong password/passphrase policies.
§ Define rules and policies for mobile use, and personal and corporate account use.
§ Enforce policies for context-aware authentication, time/location-based login, and after-hours logins.
§ Set Acceptable Use policies for applications, data, camera usage, etc.
§ Set policies for auto-locking mobile devices.
§ Set policies for the use of Biometrics for authentication.
§ Set policies for data backups, encryption, and remote wipe.
§ Disable unused accounts: Ensure malicious actions cannot occur after an employee’s exit.
§ In the event of device loss or theft, consider remote wipe.
§ Review MITRE’s CVE List and NIST’s National Vulnerability Database (NVD).
• IoT Endpoint Hardening
o Physical Hardening
§ Use tamper resistant and tamper evident components.
§ Store in secure enclosures, especially when in public.
§ Use mechanisms and sensors to detect and respond to physical breaches.
o Logical Hardening
§ IoT devices and embedded systems require segmentation.
§ Change all default usernames and passwords/passphrases.
§ Use strong passwords, MFA and encryption for devices and their applications.
§ Only install apps from trusted locations.
§ Push required firmware/OS updates and patches.
§ Patch all active devices and disconnect devices no longer in use.
o Administrative Hardening
§ Enforce strong password/passphrase policies.
§ Define rules and policies for IoT use, and personal/corporate account use.
§ Manage both active and inactive devices. Understand which devices are circulating on the network.
§ Review MITRE’s CVE List and NIST’s National Vulnerability Database (NVD).

Application Hardening
• Application Hardening
o Logical Hardening
§ Work with developers on secure coding techniques, to provide specific mitigations against attacks.
§ Document the use of approved coding languages and launch locations.
§ Use code signing to make malicious code easier to detect.
§ Review and test code using static and dynamic analysis.
§ Use a combination of human testing and fuzzing techniques.
§ For critical applications, consider outside security audits or penetration tests.
§ Choose securely coded applications using secure protocols.
§ Make sure that the app components and users operate in a Least Privilege environment.
§ Apply special protections against likely attack vectors.
§ Pay particular attention to input validation, output encoding, error handling, and data exposure.
§ Sanitize input by filtering or substituting dangerous characters that could modify SQL queries.
§ Validate input by making sure all data is in the expected format before submitting it as a query.
§ Apply secure client-side validation features.
§ Use Automation and Continuous Integration/Delivery/Deployment/Monitoring and Validation, to
ensure secure and consistent development, staging, and production environments.
§ Restrict end-user error information to the minimum.
§ Use Information Rights Management (IRM): Control printing, editing, copying, pasting, or
screenshots. Restrict file permissions and forwarding.
§ Restrict user and application privileges to limit the damage a code injection can do.
§ Disable all unnecessary services.
§ Passwords/passphrases should be stored on a server, not on the application itself.
§ Redundancy: Remove single points of failure and create fault tolerance.
§ Implement Patch Management for the application OS.
§ Manage Service Accounts, a server’s permission to access data and interact with the application.
§ Implement Windows User Account Control (UAC): Allows the app only the permission it needs.
§ Harden the underlying host and network. Apply antivirus and HIDS/HIPS software on the host.
Protect the network with firewalls, NIDS/NIPS, or a Web Application Firewall (WAF).
§ Disable unnecessary applications, services, and user accounts.
§ If the application uses multiple servers, make sure all of them are suitably hardened.
o Administrative Hardening
§ Use rigorous patch management to update software without introducing new vulnerabilities.
§ Conduct regular security audits.
§ Educate users to prevent attacks that rely on social engineering.
§ Be aware of evolving network application threats.
§ Review MITRE’s CVE List and NIST’s National Vulnerability Database (NVD).

Data Storage Hardening


• Data Storage Hardening
o Logical Hardening
§ Analyze and configure databases to address security vulnerabilities by applying best practices.
§ Change default usernames and passwords/passphrases on endpoints, databases, and storage.
§ Set file permissions and groups.
§ Take steps to protect the confidentiality, integrity, and availability of data in use and at rest.
§ Encrypt data at rest, and in transit.
§ Use principles of data privacy.
§ Require Multi-Factor Authentication (MFA).
§ Implement a Data Loss Prevention (DLP) solution on the endpoint, and the network.
§ Redundancy: Remove Single Points of Failure and create fault tolerance.
§ Consider a RAID option. Implement regular data backups.
§ Use the 3-2-1 Rule for backups: 3 copies, across 2 media types, with one offline and one off-site.
§ Consider file hashing on critical data sets.
§ Monitor access and error logs.
§ Implement Normalization: Optimally design a database to reduce unnecessary redundant data.
§ Securely purge, sanitize, wipe, or destroy data that no longer needs to be archived.
o Administrative Hardening
§ Use data classification schemes.
§ Initiate Least Privilege, Dual Control, Separation of Duties, Job Rotation, and/or Mandatory Vacation.
§ Consult local laws and regulations about how many years, and in which ways, data must be
stored, protected, and later destroyed.
§ Review MITRE’s CVE List and NIST’s National Vulnerability Database (NVD).
Common Vulnerabilities and Their Mitigations

Configuration Issues

| Common Vulnerabilities | Mitigations |
|---|---|
| Missing Patches and Firmware Updates | Patch and update. |
| VPN Issues | Patch and update. |
| Use of SSL or outdated TLS | Use a new version of TLS to avoid susceptibility to eavesdropping. |
| Unsecure Protocols like FTP, telnet, SSL, and http | Use encrypted protocols, like SSH, or newer versions that use better encryption, like FTPS. |
| Public SNMP | Change the default “public” community name. Not changing the default could result in any user with an SNMP monitor accessing the device using the public community string. |
| Unsupported Operating Systems or Applications | Update to a newer version, or where not feasible, isolate and implement a compensating control. |
| Unsecure or Outdated Cipher | Avoid outdated ciphers like RC4. Only use secure ciphers like AES. |
| Configuration Issues that Lead to IP address Exposure | Configure NAT correctly. |
| Visible Debug Modes | Developers must ensure that debug modes can only be used by authenticated users on internal servers. |
| Certificate Expiration or Unknown Certificate Authority | Get a new certificate. Ensure proper key usage, subject name configuration, and time/date synchronization. Regularly audit infrastructure for security, compliance, and validity. |

Attacks

| Common Vulnerabilities | Mitigations |
|---|---|
| Spam | Disable Open Relay on SMTP, port 25. This prevents external mail clients from sending mail through the server. |
| Phishing | Employee training, two-factor authentication, E-mail filtering, and reputation-based sender rules. |
| DoS and DDoS | Use firewalls/IPS to block known attack traffic, and/or purchase more bandwidth/server capacity, or third-party DoS mitigation services. |
| DNS Attacks | Use stateful firewalls. These inspect entire conversations and block large influxes of packets. |
| Privilege Escalation | Update Identity and Access Management (IAM) and Active Directory, to ensure proper privileges and groups. To detect, monitor logs for unauthorized event and process changes. |
| Malware and Rootkits | Install up-to-date anti-malware software. Frequently update. |
| Directory Traversal | Input validation, block file names from being used in user-manipulatable fields and harden access controls on servers. |
| MitM/Eavesdropping | End-to-end encryption can prevent this, unless the attacker controls the endpoints, or has the encryption key. |
| Password Spraying/ Password Stuffing | MFA, strong passwords, and avoid reuse. |
| Buffer Overflow | Patch and update the application. |
| Arbitrary and Remote Code Execution | Patch and update the application. |
| SQL Injection | Work with developers to fix the code. Requires input validation (block the use of an apostrophe) and least privilege (block the tables that can be accessed by a web server). |
| Cross-Site Scripting (XSS) | Input validation and working with developers to implement appropriate controls, such as Blocking HTML tags, limiting input string length, and escaping meta-characters. |
| Session Hijacking | Encrypt network sessions and links. |
| Flash Drive Drop/ Malicious USB Cable | Awareness training, Data Loss Prevention (DLP), and USB blockers. |
| Malicious Insiders | Employee training, job rotation, and mandatory vacation. |
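The SQL Injection row above and the sanitize/validate items under Application Hardening, as an added example that is not part of the original study guide: an apostrophe blocklist still passes input that needs no apostrophe in a numeric context (and would reject legitimate names such as O'Brien), while expected-format validation followed by bound parameters handles both. Bound parameters go beyond the measures the guide lists; the table, rows, formats, and function names are constructed for the illustration.

```python
import re
import sqlite3


def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "O'Brien", "user"), (3, "carol", "user")],
    )
    return db


def names_by_id_blocklist(db, user_id):
    """Weak form: reject apostrophes, then concatenate the input into the SQL text."""
    if "'" in user_id:
        raise ValueError("apostrophe rejected")
    query = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in db.execute(query)]


# Expected formats for each field (assumptions made for this example).
ID_FORMAT = re.compile(r"[0-9]{1,9}")
NAME_FORMAT = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")


def names_by_id(db, user_id):
    """Hardened form: check the expected format, then bind the value."""
    if not ID_FORMAT.fullmatch(user_id):
        raise ValueError("id must be 1 to 9 digits")
    rows = db.execute("SELECT name FROM users WHERE id = ?", (int(user_id),))
    return [row[0] for row in rows]


def roles_by_name(db, name):
    """Hardened form for text: apostrophes are legal in names and are bound, not blocked."""
    if not NAME_FORMAT.fullmatch(name):
        raise ValueError("unexpected characters in name")
    rows = db.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # No apostrophe, so the blocklist passes it and the WHERE clause is rewritten.
    print(names_by_id_blocklist(db, "1 OR 1=1"))
    # The bound parameter treats the apostrophe as data.
    print(roles_by_name(db, "O'Brien"))
```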
