Security Plus

Chapter 1

Objective 1.1

Phishing → Practice of sending email to trick users to submit personal information or click a link
- Can be done to install malware, validate email address, get money
Smishing → SMS Phishing
Vishing → Phone Phishing → Phishing over Voice over IP (VoIP)
Spam → Unwanted / Solicited Email
SPIM → Unwanted messages over Instant Messaging Channels
Spear Phishing → Phishing target on specific group of people or even a single user
- Mitigation → Use digital signatures
Dumpster diving → Practice of searching through trash & recycling to gain info from discarded items
- Mitigation → Shredding or Burning Paper instead of throwing it away
Shoulder surfing → Looking over shoulder of someone to gain information
- Mitigation → Use screen filters
Pharming → Manipulates DNS server or client to redirect users to different websites
- Changes DNS entries on a local PC or on a trusted local DNS server
Tailgating → Practice of one person following closely behind another person without showing credentials
- Mitigation → Access Control Vestibules (Mantraps) → Allows only single person to pass at a time
Eliciting information → Act of getting information without asking for it directly
- Active Listening → Target is encouraged to keep talking
- Reflective Questioning → Repeat statements as a question & encourages to talk more
- False Statement → Give false info hoping that the target corrects it
- Bracketing → Try to get specific info by stating a specific number or range of numbers
Whaling → Phishing targeted on high level executives
Prepending → Add something to the beginning of something else. Ex. [SAFE] [EXTERNAL]
Pretexting → Adding a fictitious scenario to a conversation to make more believable request
Identity Theft → When someone steals personal info about you
Identity Fraud → Criminals use stolen identity information to commit identity fraud
Invoice Scams → Trick people or organizations into paying for goods or services they didn't request & usually didn't receive
Credential Harvesting → Collect usernames & passwords from users
- Phishing Email → Link to a website → Login with credentials → Redirect to original website & showing password is incorrect
- MFA helps to limit the impact of credential harvesting attacks
Reconnaissance → Gathering information about target
Hoax → Security threat that simply doesn't exists
Impersonation → Act of pretending to be another person
Watering Hole Attack → Attempts to discover which websites people are likely to visit & infect those websites with malware that can infect the visitors
Typosquatting → URL Hijacking → Occurs when someone buys a domain name that is close to the legitimate domain name
Smurf Attack → A smurf attack occurs when an attacker sends a ping to a subnet broadcast address and devices reply to spoofed IP (victim server), using up bandwidth and processing power.
- Occurs when the attacker floods the target network with infinite ICMP request packets
- A smurf attack is a DDoS attack in which an attacker attempts to flood a targeted server with Internet control message protocol (ICMP) packets.
Influence campaigns → Uses variety of sources to influence public perception
- Hybrid Warfare → Military strategy that blends conventional warfare with unconventional methods to influence people
- Social Media → To spread misinformation
Principles of Social Engineering
- Authority
  - Impersonation → Impersonate others to get people to do something
  - Whaling → Executives respect authorities such as legal entities
  - Vishing → Use phone to impersonate authority
- Intimidation → Scaring or Bullying an individual into taking a desired action
- Consensus → When attacker convinces victims that they can be trusted
  - People tend to want to do what others are doing to persuade themselves to take action → "Social Proof"
  - Ex. Everyone in the department has clicked on the link, Then I should also
  - Fake Testimonials → People are more willing to like something that other people like
- Scarcity → People are encouraged to act when they think there is limited quantity of items
- Urgency → Use urgency as a technique to encourage people to act
- Familiarity → Attackers attempts to use likability to get victim to complete the request
  - Companies hire well-liked celebrities
- Trust → Attackers attempts to build a trust relationship with victim

Objective 1.2

Malware

Ransomware → Malware that takes control of user's system & encrypts user's data using Cryptomalware & demand ransom from companies
Trojans → Looks like something beneficial but actually it's malicious
- Rogueware masquerades as a free antivirus program.
Backdoor → Methods or Tools that provide access that bypasses normal authentication & authorization procedures, allowing attackers access to systems, devices, apps, etc.
- Detection → Checking for unexpected open ports & services
Remote access Trojan (RAT) → Malware that allows attackers to control systems from remote locations
- Also called as stalkerware → Used in intimate relationships to spy on their partners
Worms → Self replicating malware that travels throughout the network without assistance of host application or user interaction
Potentially Unwanted Programs(PUP) → Programs that users may not want it, but user is consented to download it. Some PUP are legitimate, Some are malicious like RAT
- Ex. Spyware, Adware, Browser Toolbar Tracking Programs,
Fileless Virus → Malicious software that runs in the memory
- Scripts that are injected into malicious programs
- Memory Code Injection, Script based techniques, Windows Registry Manipulation
- Spread via methods like spam email & malicious websites & they exploit flaws in browser plugins & web browsers themselves
Command and control → Resources used to control infected computers
Cryptomalware → Malware used to encrypt user's data
Logic bombs → Script or Code that will execute in response to an event
Rootkit → A group of programs that hides the fact that system has been infected by malicious code
- Rootkit hides its running processes to avoid detection to antivirus scans
- Rootkit have system level access to systems
- Integrity checking & data validation can be useful for rootkit detection
Botnet → Remotely controlled systems or devices that have malware infection
- Uses command & control to operate in client-server mode
  - Beaconing → A call home message is an indicator of compromise known as beaconing.
    - It indicates that a workstation or server is infected and is trying to communicate with the attacker's command and control server.
- A botnet that uses Internet Relay Chat (IRC) as its command-and-control channel & IRC’s default port is TCP 6667
- Investigative authorities use DNS sinkholes to disrupt botnets and malware.
- Botnet Models
  - Command & Control → Client-Server Model
  - Peer-To-Peer → Connects bots to each other, making it harder to take down a single central server or known IP of bots
- Many botnets use Flux DNS → Flux DNS uses many IP addresses that are used to answer queries for one or more fully qualified DNS names
  - Taking down the domain names is the best way to defeat Flux-DNS
Virus Types
- Memory Resident Viruses → Remain in memory while system is running
- Non-Memory Resident → Execute, spread & then shut down
- Boot Sector Virus → Reside inside boot sector of drive or storage media
- Macro Virus → Use macros or code inside tools to spread
- Email Virus → Spread via emails via attachments or as part of email itself using flaws within email clients
Spyware → Malware that is designed to obtain information about an individual, organization or a system
Keylogger → Program that captures keystrokes from keyboards, although some keyloggers also capture other input like mouse movement, touchscreen inputs & credit card swipes from attached devices
Rogue Anti-Virus → Rogue anti-virus is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer, and to pay money for a fake malware removal tool (that actually introduces malware to the computer)

Password Attacks

Spraying → Single password tried on every account on the list
Dictionary → List of words
Brute force → Try all possible combinations of passwords
Rainbow Table → Attempt to discover password from Hash
Plaintext → If attacker have both plaintext & ciphertext, attacker can use it to perform plaintext attack

Physical Attacks

Malicious USB Cable → It has embedded WiFi Controller capable of receiving commands
Malicious Flash Drive → Includes malware configured to infect a computer when a drive is plugged in
Card Cloning → Making a copy of credit card
Skimming → Capturing credit card data at Point of Sale (POS)

Adversarial AI

Adversarial AI attempts to fool AI models by supplying it with deceptive input
Tainted Data for ML → Use tainted data to cause AI & ML to give inconsistent results
- Indicator → Sudden unexpected activity
- While training ML model for baselining of network, it is important to ensure that no malicious activity is occurring while baseline data capture to ensure data is not tainted
Security of ML Algos → Prevent unauthorized disclosure of algorithms; Attackers can use this info to attack
Best Practices to secure AIML
- Understand the quality & security of source data
- Work with the AI & ML developers to ensure that they are working in secure environments & that data sources, systems & tools are maintained in secure manner
- Ensure that changes to AI & ML algorithms are reviewed, tested & documented
- Encourage reviews to prevent intentional or unintentional bias in algorithms
- Engage domain experts whenever possible

Supply Chain Attacks

A supply chain become an attack vector if attacker can disrupt the supply chain

Cloud-based vs. on-premises attacks

On-Premises → Organization retains the complete control over all cloud based resources
Off-Premises → Organization doesn't know where the data is stored → Legal Implications

Cryptographic Attacks

Brute force → Involves trying every possible key
Frequency Analysis → Refers to looking at the blocks of an encrypted message to determine if any common pattern exists
Known Plaintext → This attack relies on the attacker having pairs of known plaintext along with corresponding cipher text
Chosen Plaintext → Attacker attempts to derive the key used & thus decrypt other messages encrypted with that key
Birthday → Attacker attempts to create a password that produces the same hash as the user's actual password → Also known as Hash Collision
Collision → Hashing algorithm creates the same hash from different inputs
Downgrade → Forces a system to downgrade its security → TLS → Down → SSL

Objective 1.3

Injections
- Dynamic-Link Library (DLL) Injection → Attack that injects a DLL into a system's memory & causes it to run
- LDAP Injection → Possible when web application used to query LDAP based database
Parameter Pollution → Attacker sends more than one value for the same input variable to bypass input validation
- Ex. http://www.mycompany.com/status.php?account=12345&account=12345'OR1=1;--
Pointer/Object Dereference → When object is null, it can cause problems if the program later tries to access the object
- Java → NullPointerException error
- C / C++ → Memory Leak in runtime
- Mitigation → Verify the value is not null before using it
Race Conditions → Two or more applications tries to access a program at a same time, it can cause a conflict that is known as race condition
- Attackers exploit time of check to time of use (TOCTOU) → This is called State Attack
Error Handling → Applications should show generic error messages but log detailed error messages in logging system.
Replay Attack → Replay attacks capture data in a session to impersonate one of the parties in the session.
- Mitigation → Timestamps and sequence numbers
Buffer Overflow → Writes more data to a buffer than it can hold
- ASLR → Address Space Layout Randomization
  - A security technique used to prevent memory corruption vulnerabilities such as buffer overflow
  - It randomizes the memory address used by the system & application processes, making it difficult for attackers to predict the location of functions, libraries & system calls
- Buffer overflows are most easily detected by conducting a static code analysis
Integer Overflow → Occurs when an application receives a numeric value that is too big for application to handle
Memory Leak → Causes application to consume more & more memory the longer it runs
- Indicator → system running slower & slower until it reboots
- Mitigation → A static code analyzer can check to see if all memory allocation commands (malloc, alloc , etc.) have a matching deallocation command.
SSL Striping → Changes HTTPS connection to HTTP connection
Driver Manipulation →
- Shimming → Provides a solution that makes it appear that older drivers are compatible
  - Driver shim is additional code to be run instead of original driver → When app attempts to call the older driver, system intercepts the call & redirects it to run the shim code instead
- Refactoring → Process of rewriting the code's internal processing without changing its external behavior
Pass the Hash → Attacker discovers the hash of user's password & uses it to log in to the system as the user
- Indicator → Event ID 4624 in Windows Security Log

Objective 1.4

Wireless

Evil Twin → Rogue Access Point with same SSID used to capture & exfiltrate data
Rogue Access Point → An access point placed in the network without official authorization
Bluetooth Attacks:
- Bluejacking → Practice of sending unsolicited messages to nearby bluetooth devices
- Bluesnarfing → Unauthorized access to, or theft of info from a bluetooth device
- Bluebugging → Gains access to the phone & install a backdoor
Disassociation → Removes a wireless client from wireless network
RFID Attacks:
- Sniffing / Eavesdropping → Attacker can collect RFID data by listening
- Replay → Replay captured data
- DOS → If attacker knows the RFID frequency, attacker can launch a jamming or interference attack, flooding the frequency with noise
Initialization vector (IV) → IV is the number used by encryption systems & a wireless IV attack attempts to discover the pre-shared key after discovering the IV
- Some wireless protocol use IV by combining it with pre-shared key to encrypt data in transit
- When an encryption system reuses the IV, IV attack can discover the IV easily

On-Path Attack

Also known as Man-In-The-Middle Attack
A form of active eavesdropping
SSH gives warning if previously established keys are changed

Layer 2 Attacks

ARP Poisoning → An attack that misleads computers or switches about the actual MAC address of a system
- ARP poisoning sometimes used in On-Path attacks
MAC Flooding → An attack against the switch that attempts to overload it with different MAC addresses associated with each physical port
- Switch runs out of memory & enters a fail-open state
- Mitigation → Use flood guard to limit amount of memory for each port
- Flood guard sends Simple Network Management Protocol(SNMP) trap or error message in response to the alert. It can also disable port.
MAC Cloning → Changing a system's MAC address

Domain Name System (DNS)

DNS data is frequently logged to help identify compromised systems or systems that have visited known phishing sites.
DNS logs can be used along with IP reputation and known bad hostname lists to identify issues like these.
Domain Hijacking → Attacker changes a domain name registration without permission from owner
DNS Poisoning → Attempts to modify or corrupt DNS data
- Mitigation → Use DNSSEC to protect DNS records & DNS poisoning attacks
Domain Reputation → It helps ISP to determine the likelihood that an email being sent by a legitimate organization or is it a malicious email.
Split Horizon DNS → Deploys distinct DNS servers for two or more environments, ensuring that those environments receive DNS information appropriate to the DNS view that their clients should receive.
- a term used when two zones for the same domain are created
  - one zone is used by the internal network
  - the other by the external network (usually the internet)
DNS Blackholing → A method used to prevent access to malicious domains by redirecting malicious queries for those domains to a non-routable IP address, effectively blackholing the traffic
- Suppose an organization wants to block access to a known malicious domain malicious.example.com. They can configure their DNS server to return 127.0.0.1 for any query to malicious.example.com.

DDOS

SYN Flood Attacks → Attacker never completes the TCP Handshake
- It is a resource exhaustion attack
- Half-Open connection consumes server's resources & it can crash the server
- Once the limit is reached, server won't accept new connections, blocking the legitimate users
- Mitigation → Linux use iptables to set threshold for SYN packets → Although it protects the system from crashing, it also denies the service to legitimate users

Malicious Script or Code Execution

Powershell → Use verb-noun pair for command → Invoke-Command
Bash → Calls /bin/bash or /bin/sh
Python → Runs .py* files is a potential indicator of malicious scripts
Macros → Short instruction that will run longer set of instructions.
- Attackers can edit macros & replace with malicious steps
Visual Basic for Application (VBA) → Runs as internal programming language for Microsoft Applications such as Microsoft Words

Objective 1.5

Actors & Threats

Advanced Persistent Threat(APT) → A group of organized threat actors that engage in targeted attacks against organizations.
- Typically sponsored by nation-states or governments
- APT members are State Actors
Shadow IT → Any unauthorized systems or applications installed on a network without authorization or approval.
Insider Threat → Behavioral assessments are very useful when you are attempting to identify insider threats.
- An insider threat is any current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

Threat intelligence sources

Closed/Proprietary intelligence → Trade secrets as an intellectual property
- Proprietary intelligence → This refers to the information that is owned, controlled & often generates by organization for its own use.
  - Owned & controlled by the organization
- Closed intelligence → Refers to the information that is not freely accessible to public
  - Owned by external entities → Accessed through subscriptions / permissions
OSINT → Types:
- Vulnerability databases → National Vulnerability Database (NVD), Common Vulnerability Exposures (CVEs) maintained by MITRE corp.
- Automated indicator sharing (AIS):
  - Trusted Automated eXchange of Indicator Information → TAXII → Open standard that defines a set of services & message exchanges used to share information.
    - It provides a standard way for organizations to exchange cyber threat information but it does not specify what information organizations should exchange.
    - TAXII is designed to support STIX data exchange
  - Structured Threat Information eXpression (STIX) → Open Standard that identifies what cyber threat information organizations should share.
    - It provides a common language for addressing wide range of cyber threat information.
    - STIX data is shared via TAXII
    - STIX is based on XML language
- Threat Maps → Visual Representation of active threats

Objective 1.6

Third-party risks

Vendor management → Vendor management systems include limiting system integration & understanding when vendor support stops
- Vendor Diversity → Provides cybersecurity resilience → Using more than one vendor for the same supply reduces the organizations's risk if the vendor no longer provide the product or service
Outsourced code development → Some organizations hire developers or outsource code development
Legacy platforms → Primary risk is that the vendor doesn't support them

Objective 1.7

Threat Hunting

It is a process of actively looking for threats within a network before an automated tool detects & reports on the threat
Threat Feeds → Provides subscribers with up-to-date information about current threats
Advisories and bulletins → Regularly release information on threats & vulnerabilities
Adversary Tactics, Techniques & Procedures → Refers to attackers' methods when exploiting a target
Intelligence fusion → Combines all the data to create a picture of likely threats & risks for an organization
Maneuver → A threat hunting concept that involves thinking like a malicious actor to help recognize indicators of compromise that might otherwise be hidden

Vulnerability Scans

Vulnerability Management → Identify, prioritize & remediate vulnerabilities
Credentialed Scan → Allows the scan to check security issues at much deeper level
- Credentialed scans only require read-only access to target servers.
Configuration review → A Configuration Compliance Scanner performs a configuration review of systems to verify that they are configured properly → Configuration Validation
- It is done with Credentialed Scan
Vulnerability Scanner is passive, non-intrusive & has little impact on the system during test
Penetration tests are active & intrusive, can potentially compromise a system.
Penetration testing is more invasive that a vulnerability scan
Controls that can affect vulnerability scan results:
- Firewall Settings
- Network Segmentation
- IDS & IPS
Network Vulnerability Scanners:
- Nessus → Well-known widely used network vulnerability scanner
- Qualys → Commercial network vulnerability scanner that offers management console to run scans
- Nexpose → Commercial network vulnerability scanner
- OpenVAS → Free alternative for commercial vulnerability scanners

Application Scanning

Static Testing → Analyzes code without executing it
Dynamic Testing → Executes code as part of a test, providing it with a input
Interactive Testing → Combines static & dynamic testing, analyzing the source code while testers interact with the application through exposed interfaces

Web Application Scanning

Nikto → Web application scanning tool → Vulnerability Scanning
Arachni → Web application scanning tool → Used to access security of web applications
CVSS → Common Vulnerability Scoring System → Industry standard for assessing the severity of security vulnerabilities
- 0 → None
- 0.1 - 3.9 → Low
- 4.0 - 6.9 → Medium
- 7.0 - 8.9 → High
- 9.0 - 10.0 → Critical

Security Information & Event Management (SIEM)

It provides a centralized solution for collecting, analyzing & managing data from multiple sources.
It combines services of security event management (SEM) & security information management (SIM) solutions
SEM → Provides real-time monitoring, analysis & notification of security events, such as suspected security events
SIM → Provides long term storage of data, along with methods of analyzing the data looking for trends or creating reports needed to verify compliance with laws & regulations
SIEM systems use scripts to automate the monitoring & reporting
Capabilities:
- Log Collectors → SIEM collects log data from different devices throughout the network & stores these loges in searchable database
- Data Inputs → Firewalls, routers, network intrusion detection
- Log Aggregation → SIEM system collects data from multiple systems, SIEM systems can aggregate the data & store it so that it is easy to analyze & search
- Correlation Engine → Used to collect & analyze event log data from various systems within the network.
  - It aggregates the data looking for common attributes
  - It uses advanced analytics tools to detect patterns of potential security events & raise alerts.
- Reports → SIEM systems include built-in reports
- Packet Capture → SIEM includes protocol analyzer capabilities to capture network traffic
- User Behavior Analysis → UBA focuses what users are doing, monitor critical files looking for who accessed them & what they did & how frequently they access it.
  - Typically looks for abnormal patterns of activity that may indicate malicious intent
- Sentiment Analysis → Use UBA technologies to observe user behaviors to detect unwanted behaviors
  - Relies on AI to analyze large datasets
- Security Monitoring → Provides predefined alerts which can provides continuous monitoring of systems & provide notification of suspicious events
  - If it detect a new port on server, it will send email to admin
- Automated Triggers → Trigger can cause an action in response to a predefined number of repeated events
  - A SIEM includes the ability to modify predefined triggers & create new ones
- Time Synchronization → All servers sending data to the SIEM should be synchronized with the same time.
- Event Deduplication → Process of removing duplicate entities
- Logs / WORM → SIEM includes methods to prevent anyone from modifying log entries
Elements of SIEM Dashboard:
- Sensors → Collects logs from devices & send it to SIEM system
- Alerts → Sends out an alert when trigger fires
- Sensitivity → Setting sensitivity levels to limit false positives while avoiding false negatives
- Correlation → SIEM correlates & analyzes the data
- Trends → By analyzing the data, SIEM can identify trends

Security Orchestration, Automation & Response (SOAR)

Integrates with various security tools and automate responses to threats
Used to respond to low-level security events automatically
SOAR tools respond automatically which frees up administrators to focus on their administrative & cybersecurity tasks.
SOAR tool can open attachments within a sandbox & observe the activity
SOAR can perform steps to automatically verify the threat is real or not, implement the appropriate steps to mitigate it.
SOAR platform use playbook & runbooks
Playbook → Provides checklist of things to check for suspected incidents
- It is a set of rules that determine what actions will be performed when an event occurs
Runbook → Implements the playbook checklist using available tools within an organization
Functions:
- Security Orchestration → SOAR platforms integrate with various security tools, systems, and applications, such as SIEM, firewalls, endpoint protection, and threat intelligence feeds.
- Automation → Automates repetitive security tasks to improve efficiency and reduce manual workload.
- Incident Response → Facilitates and manages the response to security incidents, including the coordination of actions across different teams and tools.
- Case Management → Provides a centralized system for tracking and managing security incidents, including documentation and workflow management.
- Threat Intelligence Management → Aggregates and analyzes threat intelligence data to provide context for incidents and improve detection capabilities.
- Reporting & Analysis → Generates reports and dashboards to provide insights into security operations and incident trends.
SOAR Vs SIEM
- SOAR → Automation of incident response, workflow management, playbooks
  - Orchestrating and automating security operations and incident response
  - Uses data from SIEMs and other security tools to automate responses
- SIEM → Log collection, event correlation, threat detection
  - Aggregating and analyzing security event data for threat detection
  - Collects and correlates log data from multiple sources
- SOAR collects data and alerts security teams using a centralized platform similar to SIEM, but SIEM only sends alerts to security analysts
  - SOAR adds automation and response capabilities to the alerts it sends.
  - SIEM focuses on alerting and logging without automated response.
  - SOAR uses automated playbooks and workflows to respond to incidents.
- SIEM: Detects suspicious activity and sends an alert for manual investigation.
- SOAR: Automatically isolates an infected machine and removes a phishing email based on predefined playbooks.

Objective 1.8

Penetration Testing

Unknown Environment → Black box testing
Known Environment → White box testing
Partially Known environment → Gray box testing
Lateral movement → Refers to the way attackers maneuver throughout the network
Persistence → Attackers ability to maintain presence in the network
Cleanup → Removing all traces of penetration tester's activities
- It's common for testers to create a log of what they're doing as they're doing it. This makes easier to reverse all their actions
Pivoting → Process of using various tools to gain additional information
- It is process of using exploited system to target other systems.

Passive and Active Reconnaissance

War Driving → Attackers use war driving to discover wireless networks they can exploit
- Admins use war driving as a part of wireless audit: A wireless audit is a detective control & examines the signal footprint, antenna placement & encryption of wireless traffic.
- Ex. Detect rogue access points & evil twins by war driving
- Done by walking or driving around
War Flying → People fly around in private planes / Drone
- Same function as War Driving
Footprinting → Wireless footprinting creates a detailed diagram of APs, hotspots & dead spots within an organization.

Exercise Types

Red Team → Attacks
Blue Team → Defends
Purple Team → Can either do blue team or red team activities
White Team → Establishes rules of engagement for a test & oversee the testing

Chapter 2

Objective 2.1

Configuration Management

It helps organizations to deploy systems with secure configurations
Diagrams → Some organizations use diagrams to show processes in config management
- These sometimes use flowchart to document decision-making process involving in modifying a configuration.
Naming Conventions → Large organizations use naming conventions to identify standard configuration
- Ex. department or location, and the version → Desktop_Sales_3.0
Baseline Configuration → A baseline is a known starting point & organizations commonly use secure baseline to provide known starting points for systems.
- Primary Benefit → improve overall security posture of systems
- The use of baseline works in 3 steps:
  - Initial Baseline Configuration → Admins use various tools to deploy systems consistently in secure state
  - Integrity Measurements for Baseline Deviation → Automated tools monitor the systems for any baseline changes, which is a common security issue.
    - Some tools report any changes they detect
    - Other tools automatically reconfigure the systems to baseline config when they detect changes
  - Remediation → NAC methods can detect changes to baseline settings & automatically isolate or quarantine systems in a remediation network
Configuration Management Database (CMDB) → A centralized database that stores information about the configuration items in an organization's IT infrastructure

Data Sovereignty

Refers to legal implications when data is stored off-site.
If the backups are stored in other country, they are subject to that country's laws.

Data Protection

Data Loss Prevention(DLP) → Techniques & Technologies used to prevent data loss
- Ex. Block the use of USB & control the use of removable media
- Admins configure the DLP to look for specific words, phrases, character strings
- All documents associated with the project includes a specific keyword. The DLP includes this keyword in the searches. When it detects the keyword within an email or an attachment, it blocks it
- DLP Systems work in two different environments:
  - Host-based DLP → Uses software agents installed on systems that search those systems for the presence of sensitive information
    - It can also monitor system configuration & user actions (can block undesirable actions)
  - Network-based DLP → Sit on network & monitor outbound network traffic that contains sensitive information
    - It can block sensitive transmissions to prevent loss of sensitive information
- DLP Mechanisms:
  - Pattern Matching → Watch for the REGEX signs of sensitive information.
    - Ex. "Confidential"
  - Watermarking → Systems or Admins apply electronic tags to sensitive documents & then the DLP system can monitor systems & networks for unencrypted content containing those tags
    - Watermarking technology is commonly used in Digital Rights Management (DRM)
Rights Management → Refers to the technologies used to provide copyright protection from copyrighted works. → Also known as Digital Rights Management
- Copyright laws protects original creative works
Data Masking → Refers to modifying data to hide the original content
- Primary reason is to protect sensitive information as PII
- Substitution is the one method in data masking
- 1234-5678-9101-1121 → 1234-5678-XXXX-XXXX
Data Minimization → A process of ensuring that only data that is required for business functions is collected and maintained.
- The best way to achieve data minimization is to simply destroy data when it is no longer necessary to meet the business purpose
Data at rest → Any data stored on media
Data in Transit → Data in motion → Any data sent over the network
Data in processing → Data in use → Refers to data being used by a computer
Anonymization → Modifies data to protect the privacy of individuals by removing all PII within a data set
Pseudo-Anonymization → Replace PII data & other data with pseudonyms or artificial identifiers
- Anyone with separate data with matching the pseudonyms with original data set can reverse & re-create the original data
Anonymization is used to anonymize the data permanently. In contrast, pseudo-anonymization is used when an organization also needs the ability to reverse the process & access the original data
Tokenization → Data tokenization replaces the sensitive data with a token.
- The token is substitute value used in place of the sensitive data
- A tokenization system can convert the token back into its original form
- Credit Card Number: 1234-5678-9101-1121 → Token: 87654321

Geographical Considerations

Off-site storages → At least one copy of backups stored off-site
Distance → Many organizations have specific requirements related to the distance between the main site & off-site
Location Selection → The location is often dependent on environmental issues
Legal Implications → The legal implications related to backups depends on the data stored in the backups
Data sovereignty → Legal Implications when data is stored off-site. If backups are stored in the different country, they are subject to that country's laws.

Response and recovery controls

Attempt to reverse the impact of an incident or problem after it has occurred

API Considerations

Authentication → Strong authentication methods will prevent unauthorized entities from using the APIs
Authorization → Authorization methods secure access to the API.
Transport Level Security → The API should use strong security, such as TLS when transferring any traffic over the Internet.

Hashing

MD5 → Message Digest Algorithm 5
- Produces a 128-bit hash value (32 hexadecimal characters).
- Widely used in the past for checksums and verifying data integrity
- Considered insecure due to vulnerabilities to collision and pre-image attacks.
SHA-1 → Secure Hash Algorithm 1
- Produces a 160-bit hash value (40 hexadecimal characters).
- Once popular for digital signatures and certificates but now considered insecure due to collision vulnerabilities.
SHA-2 → Secure Hash Algorithm 2
- A family of hash functions that includes SHA-224, SHA-256, SHA-384, and SHA-512
- Produces hash values of varying lengths (224, 256, 384, or 512 bits)
- Currently considered secure and widely used in many security protocols.
- SHA-256: Produces a 256-bit hash value.
- SHA-512: Produces a 512-bit hash value.
SHA-3 → Secure Hash Algorithm 3
- The latest member of the Secure Hash Algorithm family, designed as an alternative to SHA-2
- Uses a different construction method called Keccak and produces hash values of varying lengths similar to SHA-2 (224, 256, 384, or 512 bits).

TLS/SSL inspection

involves intercepting encrypted traffic between the client and server.
TLS interception devices act as an on-path attack and decrypt traffic to scan and analyze it, often for malware or other signs of attacks, and then encrypt it to send it on to its destination.

Site Resiliency

A recovery site is an alternate processing site that organization uses for site resiliency.
If one site suffers a catastrophic failure, an alternate site can take over after the disaster.
Hot Site → Would be up 24 x 7 Days a week & would be able to takeover the functionality from primary site quickly after a failure
- It will include all equipment, software & communication capabilities of the primary site & all the data would be up to date → Mirrors the primary site's infrastructure, including servers, networking equipment, and data storage.
- In many cases, copies of backup tapes are stored at the Hot Site as the off-site location
- Hot site is another active business location that has the capabilities to resume operations during a disaster
- ETA: Few minutes to an Hour → It is ready to take over operations immediately after a disaster.
- Hot site is the most effective disaster recovery solution for high-availability requirements.
- A hot site is the most expensive to maintain and keep up to date.
Cold Site → Requires power & connectivity
- The organization brings all the equipment, software & data to the site when they activate it. → - Basic infrastructure such as power, cooling, and physical space but lacks IT equipment.
- Minimalistic off-site facility with basic infrastructure. → Requires significant setup and configuration before it can be used.
- A cold site is the cheapest to maintain, but it is also the most difficult to test.
Warm Site → A warm site provides a compromise that an organization can tailor to meet its needs.
- Contains hardware such as servers, network infrastructure, and storage but may lack up-to-date data.
- Requires some setup and configuration before it becomes operational.
- Hot sites are generally too expensive for most organizations, and cold sites sometimes take too long to configure for full operation.
Mobile Site → A self-contained transportable unit with all the equipment needed for specific requirements.
Mirrored Site → Identical to the primary location and provide 100 percent availability.
- They use real-time transfers to send modifications from the primary location to the mirrored site.
- Although a hot site can be up and operational within an hour, the mirrored site is always up and operational.
Restoration Order → Organizations return the least critical functions to the primary site first.

Deception & Disruption

Honeypots → a sweet-looking server
- Deceive the attackers and divert them from the live network.
- Allow observation of an attacker
Honeynets → A group of honeypots within a separate network or zone but accessible from an organization’s primary network.
- If the attacker is in the honeynet, he isn’t attacking the live network and administrators can observe the attacker’s actions.
Honeyfiles → A file designed to attract the attention of an attacker (passwords.txt)
Fake Telemetry → Corrupts the data sent over to monitoring systems & can disrupt a system
DNS Sinkhole → A DNS server that gives incorrect results for one or more domain names
- Investigative authorities have used sinkholes to disrupt botnets and malware.

Objective 2.2

Cloud Models

Software as a Service (SaaS) → Includes any software or application provided to users over a network such as the Internet
- Software that is hosted and managed by a service provider and made available to customers over the internet.
- Google Workspace, Microsoft Office 365, Salesforce, Dropbox
Platform as a Service (PaaS) → provides customers with a fully managed platform, including hardware, operating systems, and limited applications.
- The vendor keeps systems up to date with current patches.
- A platform allowing customers to develop, run, and manage applications without dealing with the infrastructure.
- Google App Engine, Microsoft Azure, Heroku, AWS Elastic Beanstalk
Infrastructure as a Service (IaaS) → Allows an organization to outsource its equipment requirements, including the hardware and all support operations.
- Provides virtualized computing resources over the internet, such as virtual machines, storage, and networks.
- The IaaS service provider owns the equipment, houses it in its data center, and performs all the required hardware maintenance.
- Customers are responsible for all operating system updates and patches.
- IaaS is often used as a serverless architecture. A serverless architecture allows an organization to build and run applications without managing the infrastructure.
- IaaS Cloud Service Providers do not allow direct access to the underlying hardware in most instances
- Ex. Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), IBM Cloud
Anything as a Service (XaaS) → Refers to cloud-based services other than SaaS, PaaS, or IaaS. XaaS includes services such as communications, databases, desktops, storage, security, and more.
Public Cloud → Available from third-party companies, such as Amazon, Google, Microsoft, and Apple
- Shared infrastructure among multiple tenants
- Managed by the cloud service provider
- AWS, Microsoft Azure, Google Cloud
Private Cloud → Set up for specific organizations → Host its own servers and make these servers available to internal employees through the Internet.
- Dedicated infrastructure for one organization
- Managed internally or outsourced
- On-premises data centers, VMware Private Cloud
Hybrid Cloud → A combination of two or more clouds.
- Mix of public and private infrastructures
- Managed by both organization and provider
- Mix of AWS and on-premises infrastructure
Community Cloud → Communities with shared concerns (such as shared goals, security requirements, or compliance considerations) can share cloud resources
- Shared infrastructure for a specific community
- Managed collaboratively by community members
- Government agencies, research institutions sharing resources
Multi Cloud → A cloud deployment model where the cloud consumer uses multiple public cloud services
Cost Comparison → Public cloud < Community cloud < Hybrid cloud < Private cloud
Security Comparison → Public Cloud < Community Cloud < Hybrid Cloud < Private Cloud
Scalability Comparison → Private Cloud < Community Cloud < Hybrid Cloud < Public Cloud
Deployment Speed → Private Cloud < Community Cloud < Hybrid Cloud < Public Cloud

Managed Service Provider & Managed Security Service Provider

MSSP is a third-party vendor that provides security services for an organization
MSP provides any IT services needed by an organization, including security services provided by an MSSP.

Edge Computing

The practice of storing & processing data close to the devices that generate & use the data.

Fog Computing

Almost same as edge computing
Fog computing uses a network close to the device & may have multiple nodes sensing & processing data within the fog network.
Edge computing stores & processes the data on single nodes or appliances.

Thin Client

A computer with enough resources to boot & connect to a server to run specific applications or desktops
A thin client is a lightweight computing device that relies on a server to perform most of its processing tasks
Unlike traditional desktops or laptops, thin clients are designed to connect to a centralized server or a virtual desktop infrastructure (VDI) to access applications, data, and processing power.
Virtual Desktop Infrastructure (VDI) → hosts a user's desktop OS on a server.
- A technology that allows the hosting of desktop environments on a centralized server
- Users can access these virtual desktops from various devices, providing a consistent and secure desktop experience regardless of the user’s physical location.

Containers

Container virtualization runs services or applications within isolated containers or application cells
Containers doesn't host an OS. Instead, host's OS & kernel run the service or app within each of the containers.
None of the apps or services can interfere with services or apps in other containers
Benefit → It uses fewer resources & can be more efficient than a system using traditional tye II hypervisor virtualization
Drawback → Containers must use the OS of the host

Microservices

Microservices are the code modules designed to do one thing well
Small code receives a value & responds with a value
Ex. Shipping Tracker

Infrastructure as Code

Refers to managing & provisioning data centers to define VMs & virtual networks
It reduces the complexity of creating virtual objects by allowing admins to run a script to create them.
Software Defined Networking (SDN) → Uses virtualization technologies to route the traffic instead of using hardware routers & switches
- An SDN separates the data planes & control planes within a network
- SDN separates the logic used to forward or block traffic (the data plane) & the logic used to identify the path to take (the control plane)
- SDN implements the data plane with the software & virtualization technologies, allowing organization to move away from proprietary hardware
- SDN can still use a routing protocols like OSPF & BGP but without the hardware routers
- Attribute Based Access Control is commonly used in SDNs that allows admins to create data plane policies to route traffic (Use plain language instead of complex rules in ACL)
Software Defined Visibility (SDV) → Refers to technologies used to view all network traffic
- By adding SDV capabilities, it ensures that all traffic is viewable & can be analyzed

Serverless Architecture

A serverless architecture allows an organization to build & run applications without managing the infrastructure

Transit Gateway

Transit gateway is used to connect VPCs to an on-premises network.

Virtualization

VM Sprawl Avoidance → VM Sprawl occurs when an organizations has many VMs that aren't appropriately managed.
- Each VM adds additional load onto a server. If personnel add unauthorized VMs to physical servers, they can consume systems resources. → The servers might become slower & potentially crash.
VM Escape Protection → VM escape is an attack allows an attacker to access the host system from within the virtual system.
- Host systems runs an application or process on hypervisor to manage virtual systems.
- Attacker can run code on the virtual system & interact with the hypervisor
- A successful VM escape attack often gives the attacker unlimited control over the host system & each virtual system within the host
- Virtual machine (VM) escape attacks rely on a flaw in the hypervisor that could allow an attacker to attack the hypervisor itself.
- Mitigation → Isolating the VM is more effective than antivirus to prevent VM Escape

Objective 2.3

Environment

Development → Software developers use an isolated development environment to create the application
Test → Attempt to discover any bugs or errors in the testing stage
Staging → Simulates the production environment &
- It provides a complete but independent copy of the production environment.
- It attempts to discover any bugs that might adversely impact the live environment.
Production → The application goes live as the final product.
Quality assurance (QA) → Ensure that an application maintains a high level of quality and meets the original requirements

Provisioning & Deprovisioning

Refers to user accounts
Provisioning refers to giving appropriate privileges to user account to access various resources
Deprovisioning refers to removing access to this resources & can be simple as disabling or deleting the account

Integrity measurement

Refers to the quality of code
Measures the quality of code based on how extensively & effectively the code was tested throughout the development life cycle

Secure Coding Techniques

Normalization → Refers to organizing the tables & columns to reduce redundant data & improve overall database performance.
- First Normal Form → DB is 1NF if it follows following 3 conditions
  - Each row within the table is unique & identified with a primary key
  - Related data is contained in separate table
  - None of the columns include repeating groups
  - Ex. A customer table where each customer has a unique customer ID, and addresses are stored in a separate address table to avoid multiple address fields in the customer table.
- Second Normal Form → Only applies to tables that have composite primary key, where two or more columns make up the full primary key
  - Database is 2NF if it meets the following criteria:
    - It is in 1NF
    - Non-primary key attributes are completely dependent on the composite primary key.
  - Ex. An order details table with a composite primary key (OrderID, ProductID) where all other attributes (e.g., Quantity, Price) are dependent on both OrderID and ProductID, and not on just one of them.
- Third Normal Form → Helps to reduce unnecessary redundancies within database
  - Database is 3NF if it meets the following criteria:
    - It is in 2NF. This implies it is also in 1NF.
    - All columns that aren’t primary keys are only dependent on the primary key.
    - None of the columns in the table are dependent on non-primary key attributes.
  - Ex. An employee table where all non-primary key columns (e.g., EmployeeName, DepartmentID) are dependent only on the primary key (EmployeeID), and DepartmentID is linked to a separate department table instead of including department details directly.
Stored Procedures → A group of SQL statements that execute as a whole
- It performs data validation & handles the parameter differently & prevents SQL injection
Obfuscation / Camouflage → Attempts to make something unclear or difficult to understand
- Code Obfuscation → Attempts to make the code unreadable
- Ex. removes white space, shortens variable names, and rearranges the text into a compact format
Code Reuse → Code reuse saves time and helps prevent the introduction of new bugs.
- Code Reuse Attack → Attacker executes the code that is meant for some other purpose
Dead Code → Dead code is code that is never executed or used.
Server-side vs. Client-side → Server-side validation is more secure than client- side validation
Software Diversity → Methods that use a compiler that mimics the compilers of multiple languages
- Adds a levels of randomness to the code allowing the same program to behave slightly differently on different systems but still achieving the same result
- Provides additional layer of security

Automation / Scripting

Automated courses of action → If developers make a change, the system will detect the change & verify that it doesn't break any other part of the application
Continuous Monitoring → Automatically monitors the code changes after every change.
Continuous Validation → Revalidates the code after every change
Continuous Integration → Practice of merging code changes into a version control repository regularly
Continuous Delivery → Code changes are released automatically to a testing or a staging environment
Continuous Deployment → Code changes are deployed automatically to the production

Scalability

System's ability to handle increased workload either by manually scaling up or scaling out
Additional resources are added manually

Elasticity

System's ability to handle increased workload by dynamically scaling up or scaling out as the need arises
Dynamically adds / removes resources

Vertical vs Horizontal

Vertical → Adding more resources to the existing machine
Horizontal → Adding more machines to the system

Objective 2.4

Authentication Methods

Directory Services → Network OSs commonly use a directory service to streamline management & implement secure authentication
- Used to provide secure access to the network
- Active Directory Domain Services (ADDS) → database of objects that provides a central access point to manage users, computers & other directory objects
- Group Policy Object (GPO) → A powerful feature in Windows environments that allows administrators to centrally manage and enforce system settings and configurations across multiple computers and users within an Active Directory domain
- Lightweight Directory Access Protocol (LDAP) → Specifies the format & methods used to query directories, such as Microsoft ADDS
  - LDAP is extension of X.500 standard
  - LDAP used TCP port 389
  - LDAP Secure (LDAPS) encrypts data using TCP port 636
  - When client connect to a server using LDAPS, the two systems establish a TLS session & TLS encrypts all data sent between the two systems
Federation → A federation requires a federated identity management system that all members of the federation use.
- Members of federation agree on standard for federated identities & then exchange the information based on the standard.
- A federated identity links user's credentials from different network or OS, but federation treats it as one identity
- Relying parties (RPs) (Service Provider (SP)) provide services to members of a federation.
- An identity provider (IdP) provides identities, makes assertions about those identities, and releases information about the identity holders
Technologies:
- HMAC Based One Time Password (HOTP) → HMAC uses a hash function & a cryptographic key for many different cryptographic functions
  - HMAC → Hash-based Message Authentication Code
  - HOTP is open standard used for creating one-time passwords
  - The algorithm combines a secret key & incrementing counter & creates HMAC to create the hash of the result
  - It then converts the results into HOTP value of 6-8 digits
  - A password created with HOTP remains valid until it's used
- Time-based One Time Password (TOTP) → Similar to HOTP, but uses a timestamp instead of incrementing counter
  - One time passwords created with TOTP typically expires after 30 seconds, but the time is adjustable
- Token Key → An electronic device about the size of remote key for a car.
  - LCD displays a number & number changes periodically, such as every 60 seconds
  - The token is synced with the server
Smart Card Authentication → Smart cards are often used with dual-factor authentication where users have something (the smart card) and know something (such as a password or PIN).
- Smart cards include embedded certificates used with digital signatures and encryption(Public Key Infrastructure PKI).
- They are used to gain access to secure locations and to log on to computer systems.
Smart Card Vs Proximity Card
- Smart Card → A smart card is a type of card embedded with a microprocessor or memory chip that can store and process data
  - It is used for secure access, identity verification, and various other applications.
  - Contact (insertion) or contactless (RFID)
  - Significant data storage capacity
  - High security, supports encryption and secure protocols
  - More complex infrastructure required
  - Secure access, payments, ID cards
- Proximity Card → A proximity card (or prox card) is a type of card that uses radio frequency identification (RFID) technology to communicate with a reader.
  - It is primarily used for access control systems.
  - Contactless (RFID)
  - Limited to unique identifier and minimal data
  - Basic security, susceptible to cloning and interception
  - Simple infrastructure
  - Building access, time and attendance tracking

Biometrics

Vein → Vein matching system identify individuals using near-infrared light to view their veins
- Many hospitals use palm scanners as a quick & easy way to identify patients & prevent patient misidentification
Retina → Retina scanners can scan the retina of one or both eyes & use the pattern of blood vessels at the back of the eye for recognition.
- This scanner can identify medical issues
- This scanner requires a physical contact with the scanner
Iris → Iris scanners use camera technologies to capture the patterns of the iris around the pupil for recognition.
- Used in many passport-free border crossings around the world
- It can take pictures from about 3-10 inches away
- No need of physical contact with scanner
Facial → Identifies people based on facial features
Voice → Identifies who is speaking using speech recognition to identify different acoustic features
Gait → Identifies individuals based on the way they walk
Efficacy Rates → Refers to performance of the system under ideal conditions
False Acceptance Rate (FAR) → Biometric system incorrectly identifies an unknown user as a registered user
False Rejection Rate → Biometric system incorrectly rejects a registered user
True Acceptance → Biometric system correctly identifies a registered user.
True Rejection → Biometric system correctly rejectes an unknown user.
Crossover Error Rate → CER is the point where the FAR crosses over FRR
- Lower CER indicates the biometric system is more accurate

Multi-Factor Authentication (MFA)

Factors:
- Something You Know → Refers to shared secrets such as passwords, static code or PIN
- Something You Have → Refers to something you can physically hold
  - Ex. Smart Card Authentication
- Something You Are → Uses biometrics for authentication
Attributes:
- Somewhere You Are → Identifies user's location
  - Many authentication system uses IP address for geolocation
  - Can be used to identify impossible travel time or risky login situations
- Something You Can Do → Refers to actions you can take such as gestures on touch screen
- Something You Exhibit → Refers to something you can show or display
  - Some military government organizations use Common Access Cards(CACs) or Personal Identity Verification (PIV) cards
  - They include picture of users along with personnel information such as name & badge
- Someone You Know → Refers to someone is vouching for you

Authentication, Authorization & Accounting (AAA)

Work together with identification to provide comprehensive access management system
Accounting methods track user activity & record the activity in the logs
Audit trial allows security professionals to re-create the events that proceeded as a security incident
Logging provides accounting

Objective 2.5

Redundancy

Redundancy adds duplications to critical systems & provides fault tolerance
Goal → Removes each single point of failure (SPOF)
Disk Redundancy → Allows system to continue to operate even if disk fails
- RAID → Redundant Array of Independent Disks
  - Provides fault tolerance for disks & increases system availability
- RAID-0 → (Striping) → It doesn't provide any fault tolerance or redundancy
  - It includes two or more physical disks
  - Files stored on RAID-0 are spread across each of the disks
  - Benefit → Increased read & write performance. Because the file is spread across multiple disks & different parts of the file can be read from or written to each of the disks simultaneously
  - If 3x 500 GB drives used in RAID-0 → You have 1.5 TB of storage
  - Minimum Disks: 2
  - Fault Tolerance: No
- RAID-1 → (Mirroring) → Uses two disks → Data written to one disk is also written to another disk.
  - If one disk fails, the other disk still has all data, so system can continue to operate without any availability loss
  - You can add an additional disk controller to a RAID-1 configuration to avoid disk controller as a single point of failure. Adding a second disk controller to a mirror is called disk duplexing
  - If you have two 500 GB drives in RAID-1, you will have 500 GB of storage & the other 500 GB of storage is for fault tolerance, mirrored volume.
  - Minimum Disks: 2
  - Fault Tolerance: 1
- RAID-2, RAID-3, RAID-4 are rarely used
- RAID 3 → Disk striping with dedicated parity
  - It has a dedicated drive containing all the parity bits.
  - It does protect against the loss of a single disk but not with distributed parity.
  - Minimum Disks: 3
  - Fault Tolerance: 1 (But not the parity disk)
- RAID-5 → 3 or more disks are stripped together (similar to RAID-0)
  - Striping with parity
  - Equivalent of one drives includes parity information
  - This parity information is stripped across each of the drives in RAID-5 & provides fault tolerance
  - If one drive fails, the disk subsystem can read information from remaining drives & recreate the original data
  - If two of the drives fail in RAID-5, the data is lost
  - Minimum Disks: 3
  - Fault Tolerance: 1
- RAID-6 → An extension of RAID-5 → Striping with double parity
  - Difference → It uses additional parity block & requires additional disk
  - Benefit → RAID-6 will continue to operate even if two disk drives fail
  - RAID-6 requires a minimum of 4 disks
  - Minimum Disks: 4
  - Fault Tolerance: 2
- RAID-10 → Combines features of mirroring (RAID-1) & stripping (RAID-0) but implements the drives differently
  - Also called as → "stripe of mirrors"
  - RAID-10 is also called RAID-1+0 → Data is first mirrored & then striped
  - When adding more drives, you need to add the disks in multiple of 2, 4, 6...
  - If you have used four 500 GB drives in RAID-10, you have 1 TB of usable storage
  - Minimum Disks: 4
  - Fault Tolerance: Multiple (Tolerates up to one disk failure per mirrored pair.)
- Comparison:
  - Number of Disks → RAID 0 < RAID 1 < RAID 5 < RAID 10
  - Read Performance → RAID 0 > RAID 10 > RAID 5 > RAID 1
  - Write Performance → RAID 0 > RAID 10 > RAID 1 > RAID 5
  - Fault Tolerance → RAID 0 < RAID 1 < RAID 5 < RAID 10
Disk Multipath → Multipath Input / Output (I/O) is another fault tolerance method for disks
- It uses a separate data transfer path to the storage hardware
- If one path fails, second path handles the transfer
- If both paths are operational, it provides increased performance
- One method of implementing Disk Multipath is via Storage Area Network (SAN) using Fibre Channel
Load Balancer → Load balancing increases the overall processing power of a service by sharing the load among multiple servers.
- A load balancer uses a scheduling technique to determine where to send new requests.
- Configurations can be active/passive or active/active.
- Scheduling methods include round-robin and source IP address affinity
- Source IP address affinity scheduling ensures clients are redirected to the same server for an entire session.
- Load balancers provide a virtual IP, or VIP → Traffic sent to the VIP is directed to servers in the pool based on the load-balancing scheme
- Load Balancer Algorithms
  - Least connection-based → takes load into consideration and sends the next request to the server with the least number of active sessions
  - Round Robin → simply distributes requests to each server in order
  - Weighted Time → Uses health checks to determine which server is currently responding the quickest, and routing traffic to that server.
  - Source IP Hash → Uses a unique hash key generated from the source and destination IP addresses to track sessions, ensuring that interrupted sessions can be seamlessly reassigned to the same server, thus allowing the sessions to continue uninterrupted.
NIC Teaming → Allows you to group two or more network physical adapters into a single software based virtual network adapter
- This provides increased performance. → Greater throughput and fault tolerance
- NIC team uses load balancing algorithms to distribute outgoing traffic equally among NICs
- Also eliminates physical NIC as single point of failure → Software detects the failure & logically removes the failed NIC
Dual Supply → A second power supply that can power a device if the primary power supply fails.
Managed power distribution units → Basic PDUs distribute power to devices, similar to how a power strip delivers power via multiple outlets
- Managed PDUs (sometimes called switched PDUs) monitor the quality of power such as voltage, current, and power consumption and report these measurements to a central monitoring console
- This allows administrators to use a single application to monitor power in all the racks within a data center.
Storage Area Networks (SAN) → Provides block-level data storage via full network
- Organizations use SAN to provide high speed access to disk arrays or tape libraries
- SAN can be used for real time replication of the data
- As soon as data changes in primary location, it is replicated to the SAN

Backup Types

Full Backup → Back up all the data specified in the backup
- Time → A full backup can take several hours to complete & can interfere with operations
- Money → Performing full backup everyday requires more media & it can be expensive
  - Instead, organizations combine full backups with differential or incremental backup
- A full backup is the easiest & quickest to restore
Differential Backup → It starts with a full backup
- Differential backups back up the data that has changed or different since last full backup
- Two backups needed to restore the data: Last Full Backup + Recent Differential Backup
- Take less time to restore
Incremental Backup → It starts with a full backup
- After the full backup, incremental backups back up the data that has changed since the last backup (Last full backup or Last incremental backup).
- Last full backup + Multiple Incremental Backups till the date
- Takes more time to restore
Snapshot → Snapshot backup is also known as image backup
- Captures the data at the moment in time
- Commonly used with virtual machines
Tape → Tape stores more media & are cheaper than other media
- Long-term archival storage, backup solutions for large datasets.
Network Attached Storage (NAS) → A dedicated computer used for file storage & accessible on a network
- It can handle multiple drives & often run stripped down version of linux for simplicity & reduces the cost
- NAS proves a file based data storage allowing users to access files on NAS devices & copy backup files to NAS devices
Online vs Offline Backup → An online backup is a hot backup → It backs up the database while it's operational → It captures the changes while they are occurring & applies to the backup when they are done
- An offline backup is a cold backup performed while database is offline → Local Backup

Non-persistence

Virtual desktops that support non-persistence serve same desktop for all users
When a user access the remote server, it provides a desktop OS from preconfigured snapshot
It can revert to the known state when users log off. → It rolls back to known configuration or last known good configuration
Some bootable USB drives are live media that can save any changes to OS on the USB drive

Objective 2.6

Embedded Systems

Field Programmable Gate Array (FPGA) → Programmable integrated circuit (IC) installed on circuit board
Arduino → A microcontroller board, and the circuit board contains the CPU, random access memory (RAM), and read-only memory (ROM).
- Doesn't need any OS to run → It has firmware
- It is used for simple repetitive tasks

ICA & SCADA Systems

ICS typically refers to systems within large facilities such as power plants or water treatment facilities
SCADA system typically controls the ICS by monitoring it & sending commands
Common uses of ICS & SCADA system:
- Manufacturing & Industrial → Can monitor every processing stage & report anomalies in real time
- Facilities → Monitors temperature & humidity to keep the environment relatively stable
- Energy → Oil & Gas processing
- Logistics → Include monitoring processes within shipping facilities
Some SCADA systems and ICSs are connected to the corporate network.

Heating, Ventilation, Air Conditioning (HVAC)

Keeps the computing system at a proper temperature & with proper humidity

Real Time Operating System (RTOS)

OS that reacts to an input within a specific time
If it can't respond within specified time, it doesn't process the data & reports an error
Ex. Automated assembly line to create Donuts

System on a Chip (SoC)

An integrated circuit that includes all the functionality of a computing system within the hardware
It typically includes an application contained within onboard memory such as ROM & Electronically Erasable Programmable (EEPROM) or flash memory
Many mobile devices include SoC
Integrates all the components of a computer or other electronic system into a single integrated circuit (IC)
The Apple A14 Bionic chip used in the iPhone and iPad is an example of an SoC

Communication Considerations

5G → Allows to transfer data more quicker than 4G
- 5G has limited range → This means 5G needs huge increase in infrastructure to support 5G towers & antennas.
- 5G signals can be blocked by physical barriers like trees, walls, glass limiting the range
Narrow Band → Narrow band signals have a very narrow frequency range
- Commonly used in two-way systems such as walkie-talkies
Baseband Radio → Include frequencies that are very near zero
- Typically used to transfer data over a cable than over an air
Zigbee → A suite of communication protocols user for smaller networks (Ex. Home Automation)
- It's designed to be simpler to use & cheaper than other wireless protocols
- It has relatively low data rate & low power consumption → Zigbee devices have battery life of two or more years
- It supports strong security including data encryption

Objective 2.7

Signage → "Authorized Personnels Only" will deter many people from entering the restricted area
- Discourages unwanted or unauthorized access, providing safety warnings, and helping with evacuation routes and other navigation information as part of a physical safety effort.
Industrial Camouflage → Many organization use camouflage to hide buildings, a part of building & wide variety of other items
Robot Sentries → It uses laser light detection sensors & 3D mapping to learn & navigate the environment, different sensors detect activity
- Provides surveillance, monitoring, and security functions in various environments
Two Person Integrity → A security control that requires the presence of at least two authorized individuals to perform a task
USB data blocker → Prevents someone from writing any data to USB drive
- Some blockers also prevents system from reading data from USB drive
Faraday Cage → A room that prevents radio frequency signals from entering into or emanating beyond a room.
- It includes electrical features that cause radio frequency signals to reflect back
Air Gap → Air gap provides physical isolation with a gap of air between systems
Screened Subnet → Also known as Demilitarized Zone
- It is a buffered zone between a private network & internet
- Provides a layer of protection for internet facing servers while allowing clients to connect with them
- Helps to segment access from internal network
Hot & Cold Aisles → Helps to regulate cooling in data centers with rows of cabinets
Secure Data Destruction →
- Shredding → Physically destroys the media by cutting it into small pieces.
  - Extremely effective, prevents any form of data recovery.
- Pulping → Pulping is an additional step taken after shredding paper. It reduces the shredded paper to mash or puree.
- Pulverizing → Pulverizing is the process of physically destroying media to sanitize it, such as with a sledge hammer (and safety goggles).
- Degaussing → A degausser is a very powerful electronic magnet. Passing a disk through a degaussing field renders the data on tape and magnetic disk drives unreadable.
  - Effective against magnetic storage devices (HDDs, tapes).
  - Does not work on SSDs or optical media; renders device unusable.
  - You cannot reuse a hard drive once it has been degaussed.
- Cryptographic Erase → This method involves encrypting the entire disk & then simply deleting the encryption key
  - Without the key, the data on the drive is essentially rendered unreadable
  - This is secure method because even if the data is physically recovered, it remains inaccessible without the key
- Zero Wipe → Writes zeros to all sectors of the storage device.
  - Not effective against advanced forensic recovery methods.
- Overwrite → Writes random or specific data patterns to storage sectors multiple times.
  - Time-consuming, may not be effective for SSDs due to wear leveling.
  - Also, known as Data Wiping / Clearing
- Incineration → Burns the media to ashes, completely destroying the data.
- Acid Bath → Uses strong acids to dissolve the storage media.
- Comparison:
  - Zero Wipe < Overwrite < Degaussing < Cryptographic Erase < Shredding = Incineration = Acid Bath
- sign a contract → The most common way to ensure that third-party secure destruction companies perform their tasks properly is to sign a contract with appropriate language and make sure that they certify the destruction of the materials they are asked to destroy.
  - Manual on-site inspection by third parties is sometimes done as part of certification.
  - Requiring pictures of every destroyed document would create a new copy, thus making it a flawed process. Thus, recording again is not recommended

Objective 2.8

Digital Signatures → Creates hash of the message
- In digital signature, the sender uses sender's private key to encrypt the hash of the message.
- The recipient uses sender's public key to decrypt the hash of the message
Key Stretching → An advanced technique used to increase the strength of stored passwords
- Instead of just adding salt to the password before hashing it, key stretching applies a cryptographic stretching algorithm to salted password.
- Benefit → Consumes more time & computing resources making hard for attackers
- Ex. bcrypt, PBKDF2, Argon2
  - PBKDF2 → Password Based Key Derivation Function V2 → Use thousands of iterations of salting & hashing to generate encryption keys that are resilient against attack
- They salt the password with additional bits and then send the result through a cryptographic algorithm.
- One way of implementing it is by repeatedly using a hash function or a block cipher, increasing the effort that an attacker would need to exert to attack the resulting hashed or encrypted data.
Key Exchange → A cryptographic method used to share cryptographic keys between two entities
Elliptic Curve Cryptography → Doesn't take as much processing power than other cryptographic methods → It uses mathematical equations to formulate an elliptical curve
- It graphs points on the curve to create keys
- Benefit of ECC keys → ECC keys are much smaller than non-ECC keys
- ECC is more often considered with low power devices
- ECC is used in SSL/TLS certificates to secure communications over the internet.
- ECC is employed in cryptocurrencies (e.g., Bitcoin) for creating public/private key pairs.
Ephemeral Keys → Ephemeral keys has short lifetime & is re-created for each session
- Ephemeral Key Pair = Ephemeral Public Key + Ephemeral Private Key
Perfect Forward Secrecy (PFS) → It indicates that cryptographic system generates random public keys for each session & it doesn't use deterministic algorithm to do so.
- This helps to ensure that systems do not reuse keys
- Goal → The compromise of key does not compromise any past keys
Modes of Operation →
- Authenticated Mode → Authenticated encryption provides both confidentiality & authenticity
- Counter Mode → CTR mode is form of authenticated encryption & CTR mode allow block ciphers to function as stream cipher
- Unauthenticated Mode → Unauthenticated mode provides confidentiality, but not authenticity
Blockchain → It is distributed, decentralized public ledger
- Public Ledger → Block refers to pieces of digital information
- Chain → Refers to public database
- Each block has 3 parts:
  - Information about transactions
  - Information about parties involved with transaction(s)
  - A unique hash that distinguishes the block from other block
Cipher Suites → Most symmetric algorithm use either stream cipher or block cipher
- Stream Cipher → Encrypts data a single bit/byte at a time
  - Ex. Caesar Cipher, One-Time Pad, RC4
- Block Cipher → Encrypts data in a specified sized block such as 64-bit or 128-bit block
  - Ex. Transposition Ciphers, Twofish, Blowfish, AES, DES
  - Cipher Block Chaining (CBC) → An operation for block ciphers that enhances security by introducing dependencies between plaintext blocks
    - By XORing each plaintext block with the previous ciphertext block, CBC ensures that identical plaintext blocks result in different ciphertext blocks, thus enhancing confidentiality.
  - Cipher Feedback (CFB) → A mode of operation of block ciphers that allows encryption of data in units smaller than the block size of the cipher
- Stream ciphers are more efficient than block ciphers when encrypting data in continuous stream
Symmetric Encryption → Uses same key to encrypt and decrypt the data
- Symmetric key cryptography can also be called secret key cryptography and private key cryptography.
- Rely on shared secret
- RADIUS uses symmetric encryption.
- Formula → Number of Keys required = n(n-1)/2 where n is number of people
- Limitations:
  - Key distributions is a major problem
  - Does not implement non-repudiation
  - Not scalable → Difficult for large groups to communication using symmetric crypto
  - Keys must be regenerated often
- Symmetric Algorithms:
  - Advanced Encryption Standard (AES) → 128 bit cipher
    - AES can use key sizes of 128, 192 & 256
    - AES is faster than 3DES
    - AES is more efficient than 3DES
    - AES is less resource intensive than 3DES
  - DES (Data Encryption Standard) → An older symmetric encryption algorithm.
    - 56 bits (with 8 bits used for parity).
  - Triple Digital Encryption Standard (3DES) → Encrypts data in 64 bit blocks
    - 3DES uses key sizes of 56 bits, 112 bits, or 168 bits.
  - Blowfish → Encrypts data in 64-bit blocks & supports key sizes between 32 & 448 bits
    - Blowfish is general purpose algorithm designed to replace DES
  - Twofish → Encrypts data in 128-bit blocks, and it supports 128, 192, 256-bit keys
  - RC4 → A stream cipher widely used in protocols like SSL/TLS (40 to 128 bits)
  - International Data Encryption Algorithm (IDEA) → A symmetric key block cipher algorithm used for encryption and decryption of data.
Asymmetric Encryption → Uses two keys in a matched pair to encrypt and decrypt data (a public key and a private key)
- A key element of several asymmetric encryption methods is that they require a certificate and a PKI.
- Asymmetric encryption is strong, but very resource intensive
- Takes a significant amount of processing power to encrypt and decrypt data as compared with symmetric encryption
- Most cryptographic protocols that use asymmetric encryption only use it for key exchange.
- Asymmetric Algorithms:
  - RSA (Rivest-Shamir-Adleman) → A widely used asymmetric encryption algorithm for securing data transmission. → Typically 1024, 2048, or 4096 bits.
  - DSA (Digital Signature Algorithm) → A digital signature algorithm used for verifying the authenticity of digital messages or documents. → 1024 or 2048 bits.
  - DSA (Elliptic Curve Cryptography) → A type of asymmetric cryptography based on the algebraic structure of elliptic curves over finite fields.
  - Diffie-Hellman → A key exchange algorithm used to securely exchange cryptographic keys over a public channel. → Typically 1024, 2048, or 4096 bits.
  - ECDH (Elliptic Curve Diffie-Hellman) → A variant of Diffie-Hellman using elliptic curve cryptography for key exchange.
  - ElGamal → An asymmetric encryption algorithm based on the difficulty of solving the discrete logarithm problem → Typically 1024 or 2048 bits.
Steganography → Hides messages or other data within a file
- Use hashing to detect changes in files that may indicate the use of steganography
Lightweight Cryptography → Refers to cryptography deployed to smaller devices such as RFID, sensor nodes, smart cards, IOT devices
Homomorphic Encryption → Allows data to remain encrypted while it is being processed.
- Allows to access and manipulate the data without being able to see it because it remains encrypted.
Common Use Cases:
- Supporting obfuscation → Steganography is used to support obfuscation.
- Supporting low power devices → ECC and other lightweight cryptography algorithms support deploying cryptography on low power devices.
- Supporting low latency → OCSP supports a use case of low latency.
Limitations:
- Entropy → Refers to the randomness of a cryptographic algorithm.
- Longevity → Refers to how long you can expect to use an algorithm.

Chapter 3

Objective 3.1

Insecure Protocols

Telnet → Port 23 → Telnet transmits data in plaintext, vulnerable to MITM & Eavesdropping
- Secure Alternative → SSH → Port 22 → SSH provides encrypted communication
FTP → Port 21 → FTP transmits data in plaintext, vulnerable to interception & tampering
- Secure Alternative →
  - FTPS (FTP Secure) → Port 990 / 989 → Uses SSL / TLS for encryption
  - SFTP (SSH File Transfer Protocol) → Port 22 → Uses SSH for file transfer
HTTP → Port 80 → HTTP transmits data in plaintext
- Secure Alternative → HTTPS → HTTP Secure → Port 443 → Uses SSL / TLS
SMTP → Port 25 → SMTP transmits emails in plaintext, vulnerable to interception & unauthorized access
- Secure Alternative →
  - SMTPS → SMTP Secure → Port 465 → use SSL/TLS to encrypt email communications
  - SMTP with STARTTLS → Port 587 → use SSL/TLS to encrypt email communications
POP3 → Port 110 → POP3 transmits emails in plaintext, vulnerable to eavesdropping
- Secure Alternative → POP3S → POP3 Secure → Port 995 → uses SSL/TLS
IMAP → Port 143 → IMAP transmits data in plaintext, vulnerable to interception
- Secure Alternative → IMAPS (IMAP Secure) → Port 993 → uses SSL / TLS
SNMP v1/v2 → Port 161/162 → Lacks encryption, vulnerable to interception & tampering
- Secure Alternative → SNMPv3 → Port 161/162 → Adds encryption, authentication & integrity protection to data
LDAP → Port 389 → LDAP transmits data in plaintext, vulnerable to interception & tampering
- Secure Alternative → LDAPS (LDAP Secure) → Port 636 → Uses SSL/TLS for encrypt directory service

Protocols

DNS Security Extensions (DNSSEC) → Provides validation for DNS responses
- It adds Resource Record Signature (RRSIG) (Digital Signature) to each record
- RRSIG provides data integrity & authentication for DNS replies
- Helps to prevent DNS poisoning attack
S/MIME → Secure/Multipurpose Internet Mail Extensions
- Used to digitally sign & encrypt an email
- Uses both asymmetric & symmetric encryption
SRTP → Secure Real Time Protocol → Uses port 5004
- RTP → Real Time Protocol → Delivers audio & video over IP networks
- SRTP provides encryption, message authentication & integrity for RTP
LDAPS → LDAP over TLS uses port 636
FTPS → FTP, Secure → uses TLS to encrypt FTP traffic
SNMPv3 → Simple Network Management Protocol → Monitors & manages network devices such as routers & switches
- Uses port 161/162
- Can modify devices' configuration & can check device report status
- SNMPv3 agents installed on devices send information to SNMP manager via notifications known as traps
- Flood guard sends SNMP trap messages in response to an alert
- SNMP Usage → Commonly used to gather information from routers, switches, and other network devices → It provides information about a device's status, including CPU and memory utilization, as well as many other useful details about the device
IPSec → Used to encrypt IP traffic
- Authentication Header → IPSec uses AH to allow each conversation hosts to authenticate with each other before exchanging the data
  - AH provides authentication & integrity
- Encryption → IPSec includes Encapsulating Security Payload (ESP) to encrypt data & provide confidentiality
- IPSec uses Internet Key Exchange (IKE) to authenticate clients in the IPSec conversation → Internet key exchange (IKE) is used to set up security associations (SAs) on each end of the tunnel.
- Modes:
  - Transport Mode → Only the payload (the data being transmitted) of the IP packet is encrypted and/or authenticated. The IP header remains intact.
    - Typically used for end-to-end communication between two hosts or devices.
  - Tunnel Mode → The entire IP packet (including the original IP header and payload) is encapsulated within a new IP packet with a new IP header
    - Commonly used for site-to-site VPN connections where entire packets need to be protected.
Post Office Protocol (POP3) → Transfers emails from servers down to clients
- POP3 → Port 110
- POP3S → Port 995
IMAP → Internet Message Access Protocol → Used to store email on the server & it allows users to organize & manage emails in folders on the server
- IMAP → Port 143
- IMAP Secure → Port 993

Use Cases

Voice and video →
- Real Time Protocol (RTP) → a network protocol designed for delivering audio and video over IP networks
- Secure Real Time Protocol (SRTP) → An extension of RTP that provides encryption, message authentication, and integrity, as well as replay protection for RTP data.
  - SRTP ensures secure transmission of real-time audio and video communications.
- Session Initiation Protocol (SIP) → A signaling protocol used to initiate, maintain, modify, and terminate real-time sessions that involve video, voice, messaging, and other communications applications and services.
Time Synchronization →
- Network Time Protocol (NTP) → A protocol used to synchronize the clocks of computers over a network.
- Simple Network Time Protocol (SNTP) → A simplified version of NTP, used for less complex and less demanding synchronization needs
  - It provides time synchronization but with reduced accuracy and fewer features compared to NTP.
Email and Web → Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), Internet Message Access Protocol (IMAP), HTTP, HTTPS
File Transfer → File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), SSH, SSL, TLS, IPSec, SFTP, FTPS
Directory Services → LDAP
Remote Access → Remote Desktop Protocol (RDP) → Uses port 3389
Domain Name Resolution → DNSSEC
Network Address Allocation → IPv4, IPv6

Objective 3.2

Endpoint Protection

Endpoint Detection & Response (EDR) → Provides continuous monitoring of endpoints
- Performs a deep investigation of all activity on endpoints
- Collect and analyze data from endpoints to detect anomalies, provide visibility into potential threats, and facilitate timely responses to incidents.
- Incident response, threat hunting, forensic analysis
Data Loss Prevention (DLP) → Prevent data loss
Next-Generation Firewall (NGFW) → An advanced firewall that adds capabilities that aren't available in first generation or second generation firewalls
- NGFW performs deep packet inspection, adding application level inspection as a core feature
- NGFW can identify application commands & detect potentially malicious traffic
- Features → Deep Packet Inspection (DPI), Integrated IPS, Identifies and controls applications, Sandboxing, malware detection, SSL/TLS decryption, Built-in URL filtering
- Comparison
  - First Gen → Packet Filtering → Based on IP addresses, ports, and protocols
  - Second Gen → Stateful Packet Inspection → Tracks active connections and the state of the connection
  - NGFW → Deep Packet Inspection (DPI) → Identifies applications, users, and content
HIDS → Host-Based Intrusion Detection System
- An additional software installed on a system such as workstation or a server
- For HIDS, the traffic passes through the network interface card (NIC)
- HIDS can help to detect malicious software (malware) that traditional antivirus can miss

Boot Integrity

UEFI → Unified Extensible Firmware Interface → Performs many of same functions as BIOS but provides some enhancement
- A specification for a software program that connects a computer's firmware to its operating system (OS)
- BIOS → provides instructions on starting → It runs some basic checks, locates the OS & boots
- BIOS & UEFI can be upgraded with using flashing → Flashing overwrites the software within the chip with newer software
BIOS vs UEFI
- BIOS → Initializes hardware components and boots the OS
  - Generally slower boot times due to the sequential initialization process.
- UEFI → More complex initialization process with support for modern hardware and boot methods
  - Faster boot times due to parallel initialization processes and optimized boot methods
Measured Boot → Goes through enough boot process to perform these checks without allowing a user to interact with a system.
- If it detects that system has lost integrity & can no longer be trusted, the system won't boot
- A security feature that helps ensure the integrity of the boot process by recording each step in the boot sequence and storing the measurements in a secure location, typically in a Trusted Platform Module (TPM)
Boot Attestation → Signature Key Files used to boot the computer
- Boot attestation requires that systems record and measure the boot process, and subsequently verify to a system that the process was secure.
Measured Boot Vs Secure Boot
- Measured Boot → Ensure integrity of the boot process through measurements
  - Records and stores measurements of each boot component in TPM
  - Can provide remote attestation of system integrity
  - Useful for environments requiring verifiable integrity
- Secure Boot → Ensure only trusted code is executed during boot
  - Verifies digital signatures of each boot component
  - Does not provide remote attestation
  - Useful for environments requiring strict execution control
- Trusted Boot → Verifies the operating system kernel signature and starts the ELAM(Early Launch Anti-Malware) process.
  - Cryptographically verifies each boot stage
  - Verifies each stage using digital signatures
  - Integrity and authenticity of entire boot process
  - Devices requiring complete boot process security

Database

Tokenization → Replaces sensitive elements with a token
- A tokenization can convert the token back into its original form
Salting → Adds random texts to passwords before hashing them
- Used to prevent rainbow table attacks, brute force & dictionary attack

Application Security

Secure Cookies → Cookie that has the secure attribute set
- When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTPS).
Code Signing → Identifies author & the hash verifies that code hasn't modified
- Verifies the originator of the component & thus make malware less likely

SED & FDE

Full Disk Encryption (FDE) → Encrypts the entire disk
- Users typically need to enter a password or use a cryptographic key stored on a separate device (like a smart card or USB token) to unlock the disk and access its contents.
- Ex. Veracrypt, BitLocker (Windows), FileVault (macOS), LUKS (Linux).
Self Encrypting Drive (SED) → Also known as hardware based FDE drives
- Automatically encrypts & decrypts data on a drive without user interaction
- A storage device that automatically encrypts data before it is written to the drive and decrypts it when read, without requiring any action from the operating system or user.
- SED doesn't need authentication
Opal → Set of specifications for SEDs
- It defines what hardware vendors must do to ensure SEDs are configured to prevent unauthorized access
- Opal-Compliant drives requires users to enter credentials to unlock the drive while booting the system

Trusted Platform Module

TPM is hardware chip on computer's motherboard that stores cryptographic keys used for encryption
TPM provides Full Disk Encryption capabilities
It keeps the hard drives locked or sealed until the system completes the system verification & authentication process
TPM supports boot attestation process → When TPM is configured, it captures signature of key files used to boot the computer & stores the report of signatures within the TPM
Uses burned-in cryptographic keys & Includes built-in protections against brute-force attacks
Secure Boot → When system boots, the secure boot process checks the files against the stored signatures to ensure that they haven't changed → If it detects that files have been modified, it blocks the boot process to protect the data on the drive
Remote Attestation → It uses a separate system instead of checking boot files reports in TPM
- It captures the signatures of key files & sends it to remote system
Hardware root of trust → When private key matched with the public key, it provides hardware root of trust also known as Known Secure Starting Point
A TPM includes a unique RSA asymmetric key burned into the chip that provides a hardware root of trust

Objective 3.3

Load Balancing

Active/Active → Can optimize & distribute data loads across multiple computers / networks
- Distributes traffic equally among all the servers in the web farm
Scheduling → Load balancers use a scheduling technique to determine where to send a new request.
- They use Round-Robin algorithm to send request
Persistence → Load balancers use source address affinity to direct the request
- Source affinity sends requests to the same server based on the requester's IP address & provides the user with persistence
Load balancers can detect when a server fails → If server stops responding, load balancers will not send request to this server → Contributes to high availability
Active/Passive → One server is active & another server is inactive
- If active server fails, the inactive server takes over
- Two servers have a monitoring connection to each other to check each other's health
Load Balancer Algorithms
- Least connection-based → takes load into consideration and sends the next request to the server with the least number of active sessions
- Round Robin → simply distributes requests to each server in order
- Weighted Time → Uses health checks to determine which server is currently responding the quickest, and routing traffic to that server.
- Source IP Hash → Uses a unique hash key generated from the source and destination IP addresses to track sessions, ensuring that interrupted sessions can be seamlessly reassigned to the same server, thus allowing the sessions to continue uninterrupted.

Network segmentation

Virtual Local Area Networks (VLAN) → Separates or Segments traffic on physical networks
- A logical network segment within a physical network infrastructure that allows devices to be grouped together even if they are not physically connected on the same network switch.
- We can create multiple VLANs with a single Layer 3 Switch
- A VLAN can locally group several computers together or logically separate computers without regard their physical location
- VLANs are used to separate various traffic types (voice, data)
Screened Subnet → Buffer zone between internet & intranet (internal network)
- It allows to access services while segmenting access to internal network
- An additional layer of security is implemented to protect internal networks from external threats
East-West → Refers to traffic between servers
Intranet → Internal Network
Extranet → Part of the network that can be accessed by authorized entities from outside of network
Zero Trust → A network that doesn't trust any devices by default, even if it's previously verified
- Helps to reduce attacks from internal clients
- Zero trust in not technology, instead it is a security model based on principle of zero trust

VPN

SSL/TLS → Some tunneling protocols use TLS to secure VPN channels
- Provides the easiest way for users to use VPN since it does not require a client. (most user-friendly)
Split Tunnel → A VPN admin determines what traffic should use the encrypted tunnel
Full Tunnel → All traffic goes through the encrypted tunnel while the use is connected to VPN
Site-to-Site VPN → Includes two VPN servers that acts as a gateways for two networks separated geographically
- IPSec VPNs are used for site-to-site VPNs
- Ex. Users in the remote office can connect to the servers in the HQ location easily
Always-On → Create a VPN connection as soon as user's device connect to the internet
Layer 2 tunneling protocol (L2TP) → L2TP is tunneling protocol → Uses port 1701
- Uses IPsec for encryption, providing confidentiality and integrity of data transmission.
- Combines the features of PPTP (Point-to-Point Tunneling Protocol) and L2F (Layer 2 Forwarding) to create a tunnel between two endpoints.
HTML5 VPN Portal → Allows users to connect to the VPN using their web browser
- It uses TLS to encrypt the session → Can be resource intensive
SSTP → Secure Socket Tunneling Protocol
- A VPN protocol developed by Microsoft for creating secure, encrypted connections over the internet
- SSTP is designed to provide secure remote access to networks by tunneling Point-to-Point Protocol (PPP) traffic through an SSL/TLS channel. → Port 443 TCP

Network access control (NAC)

Refers to a set of technologies and policies used by organizations to ensure that devices connecting to their networks are secure and compliant with established security policies
Features:
- Verifies the identity of users and devices attempting to connect to the network.
- Checks endpoints (devices) for compliance with security policies and configurations before granting network access.
- Defines rules and policies that dictate who and what can access specific parts of the network.
- Automatically corrects or isolates non-compliant devices to remediate security issues before allowing access.
- Monitors connected devices continuously to detect anomalies or suspicious behavior.
- Integrates with existing security solutions such as firewalls, IPS/IDS, SIEM
- Helps organizations improve network security by controlling access, enforcing policies, and detecting/responding to security threats in real-time.
Agent NAC → NAC uses agent when the client attempts to log on remotely
- A permanent agent installed on the client & stays on client
Agentless NAC → A dissolvable agent is downloaded & runs on client when clients logs on remotely
- It collect the information it needs, identifies the client as healthy or non-healthy & reports the status back to NAC system
- NAC agents remove themselves immediately after they report to the NAC system
- Other NAC agents remove themselves after session ends
- An agentless NAC system scans a client remotely without installing code on the client

Port Security

Port security limits the computers that can connect to physical ports on a switch
MAC Filtering → Restricts access to switch ports based on the MAC (Media Access Control) address of devices connected to the port.
- Ex. Each physical port is assigned to a single specific MAC address → MAC Address Sticky
Port security filters by MAC address, allowing whitelisted MAC addresses to connect to the port and blocking blacklisted MAC addresses.
Broadcast Storm → Caused when two ports of a switch connected together
- Spanning Tree Protocol (STP) & Rapid STP (RSTP) helps to prevent broadcast storm & loop prevention for switches
BPDU Guard → Bridge Protocol Data Unit Guard
- STP sends BPDU in the network to detect loops
- When the loops are detected, STP blocks the traffic from switch ports sending redundant traffic
DHCP Snooping → DHCP snooping is a preventive measure
- When DHCP snooping is enabled, the switch only send DHCP broadcast traffic (DHCP Discover Message) to trusted ports
- Prevents rogue DHCP servers as well as malicious or malformed DHCP traffic.
- It also allows the capture and collection of DHCP binding information to let network administrators know who is assigned what IP address.

Network Appliances

Jump Servers → Also called Jump box → A hardened server used to access & manage devices in another network with a different security zone
- A jump server is places between different security zones
- It can provide secure access to devices in screened subnet from internal network
Proxy Servers → Forwards requests from clients for services like HTTP or HTTPS → Forward Proxy Server
- Improves performance by caching content
- Can restrict users' access to inappropriate websites by filtering content
- A proxy server is located on the edge of the network bordering the internet & intranet
- A web proxy can be used to block certain websites.
- Transparent Proxy → Accepts & forwards requests without modifying them
- Non-Transparent Proxy → Use URL filters to restrict access to certain sites
- Both types of proxy log user activity
- Reverse Proxy Server → Accepts requests from internet for a single web server
  - It appears as a web server to clients but it forwards requests to the web server & serves pages returned by web server
  - Reverse proxy is configured to protect the web server
  - Reverse proxy server can be used for a web farm of multiple servers → When it is used with web farm → It can act as a load balancer
Forward Proxy Vs Reverse Proxy
- Forward Proxy → A forward proxy regulates client access to the internet, enhancing security and policy enforcement within an internal network
  - It sits between the client and the internet and forwards client requests to the internet.
  - In a corporate network, a forward proxy may be used to control access to the internet and enforce security policies.
- Reverse Proxy → A reverse proxy, manages external requests to servers, offering load balancing and concealing server identities for added security
  - It sits in front of servers and directs client requests to the appropriate backend servers.
  - A reverse proxy can distribute incoming web requests to multiple web servers in a server farm.
NIDS / NIPS
- Signature-based Detection → Detects known malware based on signature definitions
- Heuristic-Based Detection → Detects previously unknown malware based on behavior
  - Can detects unknown anamalies
- Inline → An IPS placed inline with traffic can detect, react to & prevent attacks
- Passive → Collects data passively
- Heuristic vs Anomaly-based detection
  - Heuristic: Heuristic IPS uses algorithms and rules to detect potentially malicious behavior, often identifying new and unknown threats. However, it does not specifically create a baseline of normal activity.
    - Heuristic IPS technology uses artificial intelligence to identify attacks that have no prior signature.
  - Anomaly-based: Anomaly-based IPS establishes a baseline of normal network behavior and then monitors traffic to detect and block deviations from this baseline. This makes it the best fit for the requirement of observing normal network activity and blocking deviations
Hardware Security Module (HSM) → A security device that can added to a system to manage, generate & securely store cryptographic keys
- HSM supports security methods of TPM
- Many server based applications use an HSM to protect keys
Aggregators → Store log entries from dissimilar systems
Firewalls
- Stateful → Inspects traffic & makes decisions based on the traffic context or state
- Unified Threat Management (UTM) → A single solution that combines multiple security controls
  - UTM will reduce the workloads of admins without sacrificing security
  - URL Filtering → Performs same job as a proxy server → Block access to sites based on the URL
    - Admins can configure URL filters to allow / block access to specific sites
  - Malware Inspection → Screens incoming data for known malware & blocks it
  - Content Inspection → Monitors incoming data streams & attempts to block any malicious content
    - Includes spam filter to inspect incoming emails
    - Can block specific type of transmissions such as audio or video & file types such as .zip
  - DDOS Mitigator → Attempts to detect DDOS attacks & blocks them
  - Common security issue of UTM is misconfigured content filter
  - Key Features → Firewall, IPS/IDS, Antivirus & Anti-malware, Content Filtering, Spam Filtering, Application Control, Web Filtering, DLP, Logging, Reporting
- Network Address Translation (NAT) Gateway → NAT is a protocol that translates public IP addresses to private IP addresses & private addresses back to public.
  - NAT gateway hosts NAT & provides internal clients with private IP addresses a path to internet
  - Benefits:
    - Public IP addresses don't need to be purchased for all clients
    - NAT hides internal computers from the internet
    - Hides the internal network structure, making it harder for attackers to target specific devices.
  - Static NAT → Uses single public IP address in one-to-one mapping
  - Dynamic NAT → Uses multiple public IP addresses in one-to-many mapping
Quality of service (QoS) → Refers to technologies running on a network that measure & control different traffic types
- It allows admins to prioritize certain types of traffic over others
Implications of IPv6 → All devices on internal network don't support IPv6 natively
Port Mirroring → Port Spanning → Port Tap → Allows admins to configure the switch to send all traffic the switch receives to a single port
- Port Mirroring is not passive (active)
Network Tap → Network taps copy all traffic to another destination, allowing traffic visibility without a device inline.
- Network tapping is completely passive
File Integrity Monitor (FIM) → Some antivirus scanners use file integrity monitors to detect modified system files by calculating hash of systems files as a baseline

Objective 3.4

Cryptographic Protocols

WEP → RC4 stream cipher → 64-bit or 128-bit
- Vulnerable to various attacks (e.g., IV attacks, dictionary attacks)
WiFi Protected Access (WPA) → Introduced to address the weaknesses of WEP.
- Introduced to address the weaknesses of WEP.
- TKIP (Temporal Key Integrity Protocol)
- Uses 802.1X for enterprise or PSK (Pre-Shared Key) for home networks
WiFi Protected Access 2 (WPA2) → WPA2 can operate in open, enterprise or Pre-Shared key (PSK) mode
- Utilizes Advanced Encryption Standard (AES) for encryption
- Supports both 802.1X (EAP) and PSK authentication methods.
- Open Mode → Doesn't use any security → All data transferred in cleartext
- PSK or Enterprise Mode → Users access the wireless network anonymously with a PSK or passphrase
  - Enterprise mode forces users to authenticate with unique credentials before granting them access to the wireless network
  - Enterprise mode uses 802.1X server, often implemented as RADIUS server (Authentication)
WiFi Protected Access 3 (WPA3) → Newest wireless cryptographic protocol
- It uses Simultaneous Authentication of Equals (SAE) instead of PSK used with WPA2
- SAE is a variant of Dragonfly Key Exchange which is based on Diffe-Hellman
  - A password-based authentication and key exchange protocol used primarily in wireless networks
- WPA3 is replacement for WPA2
- WPA3 also supports enterprise mode → Uses RADIUS server & requires users to authenticate
- SAE helps to prevent brute-force attacks against keys by making attackers interact with the network before each authentication attempt. This slows down brute-force attacks.
Comparison → WPA3 > WPA2 > WPA > WEP
Counter-mode/CBC-MAC Protocol (CCMP) → WPA2 uses strong cryptographic protocols such as AES & Counter Mode/CBC-MAC Protocol (CCMP)
- An encryption protocol used in WiFi networks to provide confidentiality, integrity & authentication.
Simultaneous Authentication of Equals (SAE) → WPA3 uses SAE instead of PSK

Authentication Protocols

Extensible Authentication Protocol (EAP) → EAP provides method for two systems to create a secure encryption key also known as Pairwise Master Key
- Systems use this key to encrypt all data transmitted in between the devices
- AES based CCMP uses this key
- Used with WPA-Enterprise or WPA2-Enterprise.
Lightweight EAP (LEAP) → LEAP is an early EAP method developed by Cisco Systems
- Uses a variant of MS-CHAP (Microsoft Challenge-Handshake Authentication Protocol) for authentication.
- Deprecated due to security vulnerabilities.
Protected EAP (PEAP) → Provides an extra layer of protection for EAP
- PEAP protects the communication channel by encapsulating & encrypting the EAP conversation in TLS tunnel
- PEAP requires a certificate on the server but not on the client
- Ex. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
- Used in enterprise Wi-Fi networks with server-side certificates.
EAP-FAST → EAP - Flexible Authentication via Secure Tunneling → Replacement for lightweight EAP (LEAP)
- EAP fast supports certificates, but they're optional
- Uses a Protected Access Credential (PAC) to establish a TLS tunnel between the client and the authentication server.
- Provides mutual authentication and protection against man-in-the-middle attacks.
- Used in environments requiring lightweight and secure authentication.
EAP-TLS → EAP-TLS requires certificates on the 802.1X server & clients
- EAP-TLS is an EAP method that uses TLS for mutual authentication between the client and the server.
- Used in environments requiring strong mutual authentication and encryption.
EAP-TTLS → EAP-TTLS is an extension of PEAP
- EAP-TTLS is an EAP method that encapsulates EAP methods within a TLS tunnel.
- Allows systems to use older authentication methods such as password authentication protocol (PAP) within a TLS tunnel
- Used in environments where user credentials are stored centrally.
RADIUS Federation → Creates a federation using 802.1X & RADIUS servers

Methods

WiFi Protected Setup (WPS) → Allows users to configure wireless devices without typing in the passphrase
- Users can configure devices by pressing buttons or by entering a short eight-digit PIN
- WPS is susceptible to brute force attacks
Captive portals → A technical solution that forces clients using web browsers to complete a specific process before it allows them to the network
- Free internet access, paid internet access
- Alternative to 802.1X, as 802.1X can be expensive & sometimes not feasible to organizations

Installation Considerations

Site Survey → Examines the wireless environment to identify potential issues, such as areas with noise or other devices operating on the same frequency bands
- Admins can periodically perform site survey to verify that environment hasn't changed & detect potential security issues
Heat Maps → Gives you a color-coded representation of wireless signals
- Color red shows where the wireless signals are strongest
- Color blue shows where the wireless signals are weakest
- Also it shows dead spots
WiFi Analyzers → Identifies activity on channels within the wireless spectrum & analyze activity in 2.4 & 5 GHz frequency ranges
- Allows you to analyze one frequency range at a time & see each channel's activity on a graph
- BSSID → Basic Service Set Identifier → Unique identifier used in 802.11 WiFi networks to identify a specific access point within a Basic Service Set (BSS)

Objective 3.5

Mobile Device Management (MDM)

Vendors sell Unified Endpoint Management (UEM) solutions to manage mobile devices
Application Management → Can restrict what applications can run on mobile devices
- Use allow list to control applications & prevent unapproved application from installing
Full Device Encryption → Organizations use full device encryption on corporate-devices to provide device security, application & data security
Storage Segmentation → Used to isolate data
- Users might required to use external storage for any corporate data to reduce the risk of data loss if device is lost
Content Management → Can force user to authenticate again when accessing data within the encrypted segment
Containerization → Organizations can encrypt a container in mobile devices without encrypting the entire device
- Running organization application in container isolates & protects the application & data
- Useful when employees use their own device
Geolocation → Includes GPS capabilities to identify the location of the device & device movement
Geofencing → Organization use GPS to create a virtual fence or geographical boundary
GPS Tagging → Adds geographical information to the files such as pictures when posting them on social media
Context-Aware Authentication → Uses multiple elements to authenticate a user & mobile device
- It can include user's identity, geolocation & verification that the device is within a geofence, time of day & type of device
- These elements help prevent unauthorized users from accessing the app & data
SEAndroid → Security-Enhanced Android (SEAndroid) uses Security-Enhanced Linux (SELinux) to enforce access security
- It operates using default denial principle → Anything not allowed is denied
- Enforces Mandatory Access Control (MAC)
- SELinux supports two modes:
  - Enforcing Mode → This mode enforces SELinux policy.
    - Any activity that is denied by the policy is blocked & logged
  - Permissive Mode → This mode doesn't enforce SELinux Policy but it does log all activity that policy would block if it was in enforce mode
    - Admins use this mode to verify that policy works as intended before changing it to enforcing mode

Enforcement and Monitoring

Jailbreaking → Refers to removing all software restrictions from Apple Devices
Rooting → Process of modifying an Android device to give the user a root level access to device
Sideloading → Process of copying apk to the device & then activating / installing it
Over-The-Air (OTA) Updates → Updates to the OS overwrites the firmware using OTA updates
ad hoc → In ad hoc mode, wireless devices connect to each other without access point

Objective 3.6

Solutions

Cloud Access Security Broker (CASB) → A software tool or service deployed between an organization's network & the cloud provider
- It provides security by monitoring traffic & enforcing security policies
- Functions:
  - Visibility → Identifies and monitors cloud applications, data flows, and user activities.
  - Data Security → Protects data through DLP, encryption, tokenization, and access controls.
  - Threat Protection → Detects and blocks malware, identifies anomalies, and integrates threat intelligence.
  - Compliance → Enforces regulatory policies, provides audit trails, and supports legal holds.
  - IAM → Integrates SSO, MFA, and automates user provisioning and deprovisioning.
  - Shadow IT Control → Discovers, assesses, and mitigates risks associated with unauthorized cloud services.
  - Security Configuration → Manages and monitors cloud service configurations to ensure compliance with security policies.
  - Collaborating & Sharing Control → Controls and monitors data sharing and collaboration within cloud platforms.
- Types:
  - API-based → API-based CASBs integrate directly with cloud service providers' APIs to monitor and control user activity and data within the cloud environment.
    - Ex. A CASB uses the APIs provided by Google Workspace to monitor user activities, detect sensitive data sharing, and enforce data loss prevention policies.
  - Proxy-based → Proxy-based CASBs sit in-line between users and cloud services, intercepting and controlling traffic to enforce security policies.
    - Ex. A CASB is configured as a forward proxy to intercept all web traffic from employees accessing Office 365, inspecting and controlling the data flow to prevent unauthorized data sharing and malware uploads.
Next Generation Secure Web Gateway (SWG) → A combination of proxy server & stateless firewall
- Clients are configured to access all internet resources via the SWG & it filters the traffic to prevent threats from infiltrating the network
- SWG Includes:
  - URL filtering → prevent users from visiting unauthorized sites
  - Stateless Packet Filtering → To detect & block malicious traffic
  - Malware detection & filtering to block malware
  - Network-based Data Loss Prevention (DLP)
  - Sandboxing to check for threats

Objective 3.7

Identity

Identity provider (IdP) → Creates, maintains & manages identity information for principles

Account Types

Personal or End-User Account → Admins create these accounts & assign appropriate privileges based on user's responsibilities
- Basic credential policy
Administrator & Root Accounts → Privileges accounts that have additional rights & privileges beyond what regular user has
- Credential policy requires stronger authentication such as MFA
Service Accounts → Some application & services need to run under the context of account
- Admins create a regular user account for service like SQL, provide appropriate privileges & configure a SQL server to this account
- This account is like a regular user account but the difference is it is used by service or application not by user
- Credential policies may require long, complex passwords for this accounts & passwords should not expire
- It is common practice to prohibit interactive logins to a GUI or shell for service accounts.
- Use of a service account for interactive logins or attempting to log in as one should be immediately flagged and alerted on as an indicator of compromise (IoC).
Device Accounts → Computers & other devices also have accounts
- Ex. Microsoft Active Directory only allows users to log on to computers joined to the domain
Third-party Accounts → Accounts from external entities that have access to the network
- Strong Credential Policy
Guest Accounts → Useful if you want to grant someone limited access to compute or network without creating a new account
- Admins commonly disable guest accounts & only enable it in special situations
- Sponsored Authentication for Guest Accounts → Requires a guest user to provide valid identification when registering their wireless device for use on the network.
  - This requires that an employee validates the guest's need for access, which is known as sponsoring the guest.
Shared / Generic Account / Credentials → Organizations create a regular user account that temporary workers will share.
- If a temporary agency sending a different person everyday, a shared account may provide better solution than guest account because the access can be tailored for the shared account
- Basic credential policy

Account Policies

Time-based Logins → Referred as time of the restrictions → Ensure that users can only log on to computers during specific times

Objective 3.8

Authentication Management

Knowledge-based authentication → Organization use KBA to prove the identity of individuals
- Static KBA → Used to verify the identity when you've forgotten your password
  - Ex. Your first dog's name
- Dynamic KBA → identifies individuals without account
  - Organizations use this for high risk transactions such as financial institutions or healthcare industry
  - The site queries public & private data source such as credit reports
  - It craft MCQ questions that only the user would know & users typically have limited amount of time to answer these questions → This limits the amount of time an attacker can do searches on the Internet to identify accurate answers
- Cognitive password attack → A form of knowledge-based authentication that requires a user to answer a question, presumably something they intrinsically know, to verify their identity.
  - If you post a lot of personal information about yourself online, then this type of password can easily be bypassed.

Authentication / Authorization

Password Authentication Protocol (PAP) → Used with Point-To-Point protocol (PPP) to authenticate clients
- A significant weakness of PPP is that it sends passwords over network in cleartext
- Susceptible to sniffing attacks
Challenge-Handshake Authentication Protocol (CHAP) → Uses PPP & authenticates remote users, but it is more secure than PAP
- The goal of CHAP is to allow the client to pass credentials over a public network without allowing attackers to intercept the data & later use it in attack
- CHAP uses an encrypted challenge & three-way handshake to send credentials
- Prevents session hijacking
RADIUS → Remote Authentication Dial-In Service → Centralized Authentication Service
- It is a networking protocol used for centralized authentication, authorization, and accounting (AAA) management in computer networks.
- RADIUS servers are commonly used to authenticate users accessing network resources, such as Wi-Fi networks, VPNs, and other network services.
- Uses port 1812 / 1813
- Instead of each VPN server needing a separate database to identify & authenticate, VPN servers forwards the authentication requests to central RADIUS server
- RADIUS can be also used with 802.1X server with WPA2 Enterprise Mode
- Each VPN server is configured with a shared secret & the RADIUS server is configured with the matching shared secret for each of the VPN servers
- Centralized RADIUS servers holds a centralized database of user accounts → LDAP Server
- RADIUS uses UDP which provides best delivery mechanism
- RADIUS only encrypts password by default & can be used with EAP to encrypt the entire session
TACACS+ → Terminal Access Controller Access-Control System Plus → RADIUS alternative
- Uses port 49
- Uses TCP to provide Authentication, Authorization & Accounting services
- It provides two essential security benefits over RADIUS
  - It encrypts the entire authentication process
  - It uses multiple challenges & responses between the client & server
- It is authentication service for network devices & it can be used with Kerberos
SAML → Security Assertion Markup Language → an XML based format used for SSO on web browsers
- If organization trust each other, they can use SAML as a federated identity management system
- Users authenticate with one website & are not required to authenticate again when accessing the second website
- Many web based portal use SAML for SSO
- SAML defines three roles:
  - Principal → Principal is typically a user → User log once & if necessary, principal requests an identity from identity provider
  - Identity Provider (IdP) → Creates, maintains & manages identity information for principals
  - Service Provider → An entity that provides services to principals
Kerberos → A network authentication protocol used within Windows Active Directory domains & some unix environments known as realms
- It provides mutual authentication that can help to prevent on-path attacks & uses tickets to prevent replay attacks
- Uses port 88
- Kerberos includes several requirement to work properly:
  - A method of issuing tickets used for authentication:
    - A key distribution center uses a complex process of issuing ticket-granting tickets (TGTs) & other tickets
    - Tickets provide authentication for users when they access resource such as files on the file server
    - These tickets sometimes referred as tokens
  - Time Synchronization → Kerberos v5 requires all systems to be synchronized within 5 minutes of each other
    - Helps to prevent replay attacks
  - A database of subjects or users → DB of users
- When users log on to Kerberos, KDC issues a ticket to the user, typically with a lifetime of 10 hours to be useful for single workday
- When users try to access resource, they present ticket for authentication & user is issues a ticket to access the resource
- Kerberos uses symmetric key cryptography to prevent unauthorized disclosure & to ensure confidentiality
- Kerberos does not send the users password across the network. → When the user’s name is sent to the authentication service, the service retrieves the hash of the user’s password from the database → then uses that as a key to encrypt data to be sent back to the user. → The user’s machine takes the password that the user entered, hashes it, and then uses that as a key to decrypt what was sent back by the server.

Access Control Schemes

Attribute-based Access Control (ABAC) → Evaluates attributes & grants access based on the value of those attributes
- Attributes can be characteristics of user, the environment & the resource
- ABAC uses policies to evaluate attributes & grants access when the system detects a match in the policy
- Ex. Homer is nuclear safety inspector → Attributes → employee, inspector, nuclear aware
- Many Software Defined Networks (SDNs) use ABAC schemes
- ABAC policy statements typically include 4 elements:
  - Subject → Typically a user
  - Object → Resource such as file, database or application
  - Action → Action is what user is attempting to do such as reading or modifying file
  - Environment → Includes everything outside of subject & object attributes
- ABAC system has a lot of flexibility & can enforce both MAC & DAC scheme
Role-based Access Control (RBAC) → Uses roles to manage rights & permissions for users
- Useful for users within a specific department who perform same job functions
- Admins create roles & assigns specific rights & permissions to the roles
- Role-based Access Control is also called hierarchy-based or job-based
- A matrix is planning document that matches the roles with the required privileges
- Group-based Privileges → Reduce the administrative workload of access management
  - Admins put user accounts into security groups & assign privileges to the group
  - Users within the group automatically inherit the privileges assigned to the group
Rule-based Access Control (Rule-BAC) → Uses rules → Ex. Firewalls / Routers
- Routers & Firewalls use rules within access control lists (ACLs)
- It is based on set of approved instructions such as ACL
- Some Rule-BAC uses rules that trigger in response to an event, such as modifying ACL after detecting an attack or granting additional permissions to a user in a certain situations
Mandatory Access Control (MAC) → Uses labels (sometimes referred as sensitivity labels or security labels) to determine access
- Security admins assign labels to both subjects (users) & objects (files / folders)
- When the labels match, the system can grant access to subject for the object
- It is commonly used when access needs to be restricted based on need to know
- Security labels often reflect classification levels of data & clearances granted to individuals
Discretionary Access Control (DAC) → In DAC, objects have an owner & owner establishes access for the objects
- Many operating systems such as Windows & Unix-based systems use DAC scheme
- Ex. New Technology File System (NTFS) → Provides security by allowing users & admins to restrict access to files & folders with permissions
- DAC scheme is more flexible than MAC scheme
Conditional Access → Conditional Access policies use signals, which are similar to attributes in ABAC scheme
- Some common signals are:
  - User / Group membership, IP Location, Device
Privileged Access Management (PAM) → Allows an organization to apply more stringent security controls over accounts with elevated privileges such as admin / root account
- PAM implements the concept of just in-time administration → Admins won't have administrative privileges until they need them → When they need them, they send a request for the elevated privileges
- PAM system grant the request, typically by adding the account to a group with elevated privileges
- After a pre-set time (such as 15 minutes), their account is automatically removed from the group, revoking the privileges
- PAM Capabilities:
  - Allows users to access the privileged account without knowing the password
  - Automatically change privileges account passwords periodically
  - Limit the time users can use the privileged account
  - Allow users to check out credentials
  - Log all access of credentials
- It reduces opportunities for attackers to user administrative privileges
Filesystem Permissions →
- NTFS Permissions:
  - Write
  - Read
  - Read & Execute
  - Modify
  - Full Control

Objective 3.9

Public Key Infrastructure (PKI)

Key Management → Manage public & private keys within PKI
Certificate Authority (CA) → Issues, manages, validates & revokes certificates
Intermediate CA → Root CA issues certificates to Intermediate CAs & Intermediate CAs issues certificates to child CAs → Child CAs issues certificates to devices or end users
Registration Authority (RA) → Assists the CA by collecting registration information
- RA never issues certificates, instead it only assist in registration process
- The registration authority works with the certificate authority to identify and authenticate the certificate requester.
Certificate Revocation List (CRL) → CAs use CRL to revoke certificates
- CRL is version 2 certificate that includes a list of revoked certificates identified by their serial numbers
- Since public keys are distributed via certificates, adding certificate in CRL is best way to deauthorize a public key
Certificate Elements:
- Serial Number → Uniquely identifies the certificate
- Issuer → Identifies the CAs that issued the certificate
- Validity Dates → Includes "Valid From" & "Valid To" dates
- Subject → Identifies the owner of the certificate
- Public Key → Asymmetric encryption uses the public key in combination with the matching private key
- Usage → Some certificates are only for encryption or authentication
Certificates Attributes:
- CN → Common Name → fully qualified domain name (FQDN)
- o → Organization
- L → Locality
- S → State or Province
- C → Country
Online Certificate Status Protocol (OCSP) → Allows client to query the CA with the serial number of the certificate to determine if it is valid
- Indicates if certificate is good, revoked or unknown
- OCSP is a protocol used by the browser to check the revocation status of a certificate
DV (Domain Validation) Certificate → CA verifies that the certificate subject has control of the domain name
EV (Extended Validation) Certificate → prove that the X.509 certificate has been issued to the correct legal entity.
Certificate Signing Request (CSR) → Used to request a certificate
- The certificate signing request is sent with the public key to the certificate authority
- Once the certificate information has been verified, the CA will digitally sign the public key certificate.
Subject Alternative Name (SAN) → SAN certificate is used for multiple domains that have different names but are owned by the same organization → Ex. x.google.com, x.android.com

Certificate Formats

Distinguished Encoding Rules (DER) → Canonical Encoding Rules (CER) & DER are the best formats of certificates
- CER → Used for ASCII certificates
- DER → Used for binary certificates
PEM → Privacy Enhanced Mail (PEM) → Can be used for any certificate purpose → Most Commonly Used Certificate Format
P7B → Use PKCS version 7 format & they are CER-based
- Used to share public keys with proof of identity of the certificate holder
P12 → Use PKCS version 12 format & they are DER based
- Commonly used to store private key with a certificate
Personal Information Exchange (PFX) → Predecessor to the P12 certificate & it has same usage
- Binary Format
- Admins use this format on Windows Systems to import or export certificates

Concepts

Online Versus Offline CAs → Online CA → Accessible over network
- Offline CA only accept CSR manually
- Large organizations keep root CA offline to reduce the risk of compromise
Stapling → Alternative of OCSP
- The certificate presenter appends the certificate with a timestamped digitally signed OCSP response from the CA
- This reduces OCSP traffic to & from the CA
- Allows client to validate the certificate without contacting the OSCP server
Pinning → Helps to prevent attackers from impersonating a web site with a fraudulent certificate
- The web server sends a list of public key hashes that clients can use to validate certificates sent to clients in subsequent sessions
Trust Model → CAs are trusted by placing a copy of their root certificate into a trusted root CA store
Key Escrow → The process of placing a copy of a private key in a safe environment
- If the original key is lost, the organization retrieves the copy of the key to access the data
Certificate Chaining → Combines all certificates from the root CA down to the certificate issued to end user

Chapter 4

Objective 4.1

Network Reconnaissance and Discovery

pathping → Combines ping & tracert command
- Admins use it to locate potential problems between two systems
hping → This command is similar to ping command but it can send the ping using TCP, UDP & ICMP packets
- Useful to identify if firewall is blocking ICMP traffic
theHarvester → Passive recon CLI tool → Uses OSINT methods to gather data such as emails, employee names, host IPs, & URLs
- It uses popular search engine for queries & give you a report
sn1per → Automated scanner used for vulnerability assessment & to gather info on targets during penetration test
scanless → Python based CLI tool used to scan ports
dnsenum → Enumerate DNS records for domains
- It can perform many Domain Name System (DNS)-related functions, including querying A records, nameservers, and MX records, as well as performing zone transfers, Google searches for hosts and subdomains, and net range reverse lookups.
- It can work in automated fashion
Cuckoo → Open Source automated software analysis system / Sandbox
- Primary purpose → Analyze suspicious files

Forensics

dd → Disk Imaging Tool (Open Source Tool)
memdump → Can dump any addressable memory space to the terminal or redirect the output to the dump file
WinHex → Windows-based hexadecimal editor used for evidence gathering, data analysis, editing, recovering of data & data removal
- It can work directly with the memory
FTK imager → A part of Forensic Toolkit (FTK) sold by AccessData (Proprietary Tool)
- FTK Imager is a free tool that can image both systems and memory
- It can capture an image of a disk as a single file or multiple files & save the image in various formats
Autopsy → GUI Digital Forensic Platform → Forensic Utilities

Objective 4.2

Incident Response Plan

This plan provides details about incident response policy
It provides organizations with a formal, coordinated plan than personnel can use when responding to the event
Elements:
- Definitions of Incident Types → Helps to identify difference between an event & an actual incident
- Incident Response Team → This team is composed of employees with expertise in different areas
  - Also referred as → A computer incident response team (CIRT), Security Incident Response Team, Computer Emergency Response Team (CERT)
- Roles & Responsibilities → Many incident plan identify specific roles for incident response team along with their responsibilities

Communication

Communication is a part of incident response plan & it provides directions on how to communicate issues related to an incident
Communication Plan includes:
- First Responders → Initial responders should know when to inform incident response entities & who to contact
- Internal Communication → Incident Response Team should know when to inform senior personnel of an incident
- Reporting Requirements → Laws requires reporting requirements
- External Communication → Media
- Law Enforcement → Provides teams with Digital Forensics tools & knowledge
- Customer Communication → Laws indicate that when an organization must inform their customers regarding data breach

Incident Response Process

Preparation → This phase occurs before an incident & provides guidance to personnels on how to respond to an incident
Identification → Verify it is a actual incident or not
Containment → After identifying an incident, security personnel attempt to isolate or contain it
- This protects critical systems while maintaining business operations
- The goal of isolation is to prevent the problem from spreading to other areas in network
Eradication → After containing the incident, it's necessary to remove components from the attack
- Includes deleting or disabling the infected accounts
Recovery → During the recovery process, admins return all affected systems to normal operation & verify they are operating normally
Lessons Learned → After personnel handle an incident, security personnel perform the lessons learned review
- This incident may provide some valuable lessons & organizations might modify procedures or add additional controls to prevent reoccurrence of the incident

Exercises

Tabletop Exercise → Also known as Desktop Exercise → Discussion Based Exercise
- A coordinator gathers participants in a room & leads them through one or more hypothetical scenarios such as cyber-attack or natural disaster
- The coordinator introduces each stage of the scenario & the participants identify how they would respond based on organization's plan
- This exercise validates the plan & sometimes reveals flaws
Walkthroughs → Workshops or orientation seminars that train team members about their roles & responsibilities
- Helps the personnel to plan tabletop exercise to develop a formal tabletop test plan
Simulations → Functional exercises that allow personnel to test the plan in a simulated operational environment → Hands-On Exercises

Attack Frameworks

MITRE ATT&CK → Adversarial Tactics, Techniques And Common Knowledge
- It is a knowledge base of tactics, techniques used in real-world attacks
The Diamond Model of Intrusion Analysis → Focus on understanding the attacker by analyzing four key components of every intrusion event:
- Adversary → Can be identified by email addresses, handles used in online forums
- Capabilities → Refers to malware, exploits & other hacker tools used in intrusion
- Infrastructure → Refers to internet domain names & IP addresses used by adversary
- Victim → Victims can be identified by their names, emails or network identifiers
Cyber Kill Chain → Includes seven elements of tracking attack from recon to performing actions to achieve attacker's objectives
- Lockheed Martin cyber kill chain → Implicitly assumes a unidirectional workflow
  - It fails to consider that an adversary may retreat during an attack
- Workflow:
  1. Reconnaissance → Information gathering about the target
  2. Weaponization → Creating the malicious payload
  3. Delivery → Sending the malicious payload to the target
  4. Exploitation → Executing the malicious payload
  5. Installation → Installing malware to maintain access
  6. Command and Control (C2) → Establishing communication with the compromised system
  7. Actions on Objectives → Performing final objectives like data exfiltration or further compromise

Stakeholder Management

Stakeholder management involves working with stakeholders, or those who have an interest in the event or impacted systems or services

Disaster Recovery Plan

It identifies how to recover critical systems after a disaster & often prioritizes services to restore after an outage
Testing validates the plan
The final phase of disaster recovery includes a review to identify any lessons learned & may include an update to the plan
Disaster recovery is a part of an overall business continuity plan

Business Continuity Plan (BCP)

Helps an organization to predict & plan for potential outages of critical services or functions
The goal is to ensure that critical business operations continue & organization can survive the outage

Continuity of Operations Planning (COOP)

Focuses on restoring mission-essential functions at recovery site after a critical outage
Site Resiliency → If one site suffers a catastrophic failure, an alternate site can take over after the disaster.
Ensures critical functions can continue or be rapidly resumed during and after disruptions
COOP planning enhances organizational resilience, reduces financial losses, and helps maintain trust and confidence among stakeholders.

Retention Policies

This policy identifies how long data is retained & sometimes specifies how it is stored
Some laws mandates the retention of data for specific time frames. Proper data governance practices ensure that these time frames are known & followed

Objective 4.3

syslog → This protocol specifies general log entry format & details on how to transport log entries
- Originators → Any systems that sends syslog messages
- Collector → Originators send syslog log entries to the collector → syslog server
- Syslog protocol only specifies how to format the syslog messages & send them to the collector
- Linux systems include the syslogd daemon which is the service that handles the syslog messages → etc/syslog.conf → var/syslog
Syslog-ng → Extends syslogd, allowing a system to collect logs from any source
- It provides correlation, routing abilities to route log entries, rich filtering capabilities, content-based filtering,
- It supports TCP & TLS
Rsyslog → Improvement for syslog-ng → Ability to send log entries directly into database engines
- It supports TCP & TLS
NXLog → Log Management Tool similar to rsyslog & syslog-ng → Supports Linux & Windows
- It functions as a log collector & can be integrated with SIEM systems
journalctl → Command that displays several log entries from different sources on Linux system
Bandwidth Monitors → By comparing captures taken at different times, investigators can determine changes in network traffic.
- PRTG and Cacti are both network monitoring tools that can provide bandwidth monitoring information.
- Bandwidth monitors can help identify exfiltration, heavy and abnormal bandwidth usage, and other information that can be helpful for both incident identification and incident investigations.
NetFlow → A feature available on many routers & switches that can collect IP traffic statistics & send them to NetFlow collector
- Analysis software of NetFlow allows admins to view & analyze network traffic
- Netflow data provides detailed information about the network traffic → Metadata → source and destination IP addresses, ports, protocols, timestamps, and the amount of data transferred
sFlow → A sampling protocol → Provides traffic information based on a preconfigured sample rate
- Ex. It may capture 1 packet out of 10 packets & send this sample data to the collector
- As it captures & send only sample data, it is less likely to impact the device's performance, allowing it to work on devices with high volume of data
IP Flow Information Export (IPFIX) → Similar to NetFlow v9 → Replacement to NetFlow

Objective 4.5

Documentation / Evidence

Legal Hold → Refers to a court order to maintain different types of data as evidence
- Data retention policy applies here
Admissibility → When collecting documentation & evidence, it's essential to follow specific procedures to ensure that the evidence is admissible in a court of law
Chain of custody → A process that provides assurances that evidence has been controlled & appropriately handled after collection
- Forensics experts establish chain of custody when they first collect the evidence
- It provides a record of every person who was in possession of a physical asset collected as a evidence → Chain of custody forms are forms that list every person who has worked with or who has made contact with the evidence that is a part of an investigation
- A proper chain of custody procedure ensures that evidence presented in the court of law is the same evidence that security professionals collected
- A well-documented chain of custody can help establish provenance for data, proving where it came from, who handled it, and how it was obtained.
Provenance → Refers to tracing something back to its origin
- The provenance of a forensic artifact includes the chain of custody, including ownership and acquisition of the artifact, device, or image
Tags → A tag is places on evidence items when they are identified
Sequence of Events
- Timestamps
- Time Offset → Provides info about how the timestamps are recorded
Reports → After analyzing all the relevant evidence, digital forensics experts create a report documenting their findings
- Includes TTPs of attackers

Acquisition and Preservation

Order of Volatility → Refers to the order in which you should collect evidence
- You should collect evidence starting with most volatile & moving to least volatile
- Order of volatility from most to least:
  1. Registers, Cache → The contents of CPU cache and registers are extremely volatile, since they are changing all of the time. Literally, nanoseconds make the difference here. An examiner needs to get to the cache and register immediately and extract that evidence before it is lost.
  2. Routing Table, ARP Cache, Process Table, Kernel Statistics, Memory
  3. Temporary File Systems
  4. Disk
  5. Remote Logging and Monitoring Data that is Relevant to the System in Question
  6. Physical Configuration, Network Topology, and Archival Media
- Old:
  - Cache → Data in cache memory including the processor & hard drive cache
  - RAM → Data in RAM used by OS & applications
  - Swap / Pagefile → Swap (pagefile) is the system disk drive → Extension of RAM & stored on hard drive
  - Disk → Data files stored on local disk drives & they remain there after rebooting
  - Attached Devices → USB drive also holds data when system is powered down
  - Network → Servers & shared folders accessible by users & used to store log files
Data Acquisition →
- Snapshot → Forensic experts use snapshots to capture data for forensics analysis
- Artifacts → Forensics artifacts are the pieces of data on a device that regular users are unaware of, but digital forensic experts can identify & extract
  - Web History
  - Recycle Bin
  - Windows Error Reporting
  - Remote Desktop Protocol (RDP) cache
- When artifacts are acquired as part of an investigation, they should be logged and documented as part of the evidence related to the investigation.

On-Premises Versus Cloud Concerns

Right to Audit Clauses → Allows customers to hire an auditor & review the cloud provider's record
- Auditing helps customer to ensure that the cloud provider is implementing adequate security
- Many cloud service providers do not allow customer-driven audits, either by the customer or a third party. They also commonly prohibit vulnerability scans of their production environment to avoid service outages.
- Instead, many provide third-party audit results in the form of a service organization controls (SOC) report or similar audit artifact.
Regulatory Jurisdiction → The company must comply with relevant laws
Data Breach Notification Laws → This law requires organizations to notify customers about a data breach & take steps to mitigate the loss

Integrity

Provenance → Refers to tracing something back to its origin

Others

eDiscovery → Electronic Discovery → It is the identification & collection of electronically stored information
Strategic Intelligence and Counterintelligence → Refers to collecting, processing & analyzing information to create long-term plans & goals
- Counterintelligence activities assume that attackers are also using strategic intelligence methods.

Chapter 5

Objective 5.1

Control types

Preventive Controls → Attempt to prevent security incidents
- Ex. Hardening systems, Training, Security guards, Change Management, Account Disablement Policy, Intrusion Prevention System (IPS)
Detective Controls → Attempt to detect when vulnerabilities have been exploited, resulting in a security incident
- Ex. Log monitoring, SIEM systems, Security Audits, Video Surveillance, Motion Detection, Intrusion Detection System (IDS)
Corrective & Recovery Controls → Attempts to reverse the impact of an incident or problem after it has occurred
- Ex. Backups & System Recovery, Incident handling processes, Antivirus
Physical Controls → Controls that you can physically touch
- Ex. Barricades, Control Vestibules (Mantraps)
Deterrent Controls → Attempt to discourage a threat → Attempt to discourage potential attackers from attacking & attempt to discourage from violating security policy
- Ex. Cable locks, Physical locks
Compensating Controls → Alternate controls used instead of primary control
- Organizations adopt compensating controls to address a temporary exception to a security requirement.
- Doesn't prevent attack but restores using other means
- Ex. Re-image or Restore from backup, Hot Site, Backup Power System
- Ex. PCI DSS Conditions:
  - The control must meet the intent & rigor of the original requirement
  - The control must provide similar level of defense as the original requirement
  - The control must be "above & beyond" other PCI DSS requirements
Response Controls → Incident Response Control → Controls designed to prepare for security incidents & respond them when they occur

Objective 5.2

Regulations, Standards, and Legislation

General Data Protection Regulation (GDPR) → This mandates the protection of privacy data for individuals who live in EU.
- Requires a data protection officer (DPO) to oversee the organization’s data protection strategy and implementation, and make sure that the organization complies with the GDPR.
Payment Card Industry Data Security Standard (PCI DSS) → When using credit cards, company should comply with PCI DSS
- Any organization that processes a credit card will be required to work with their credit card processor instead of working directly with the card issuers (Visa and Mastercard) → Send notification to your credit card processor

Key Frameworks

Center for Internet Security (CIS) → Identify, develop, validate, promote & sustain best practice solutions for cyber defense & build & lead communities to enable environment of trust in cyberspace
National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)/ Cybersecurity Framework (CSF) → Used to mitigate risks
- The NIST RMF’s process is.
  1. Prepare
  2. Categorize system
  3. Select controls
  4. Implement controls
  5. Assess controls
  6. Authorize system
  7. Monitor controls
Cloud Security Alliance (CSA) → A non-profit organization that promotes best practices related to the cloud
- CSA’s Cloud Control Matrix → Maps existing standards(COBIT, HIPAA, FedRAMP) to common control descriptions allowing control requirements to be compared and validated across many standards and regulations
Reference architecture → A document or set of documents that provides a set of standards

Objective 5.3

Personnel

Acceptable Use Policy (AUP) → It describes the purpose of computers systems & networks, how users can access them, and the responsibilities of users when they access the systems
Job rotation → A concept that has employees rotate through different jobs to learn the processes & procedures in each job.
- Helps to prevent or expose dangerous shortcuts or even fraudulent activity
Mandatory Vacation → Helps to detect when employees are involved in malicious activity such as fraud
- These policies help to deter fraud and discover malicious activities while the employee is away.
Separation of Duties → A principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process
- Two people perform separate actions to prevent inventory fraud
- This helps prevent potential fraud, such as if a single person prints and signs checks.
Least Privilege → Specifies that individuals and processes are granted only the privileges needed to perform assigned tasks or functions, but no more
Dual Control → A security mechanism that requires two individuals to simultaneously verify and approve an action or access to a system
Job Rotation vs Separation of Duties Vs Dual Control
- Job Rotation → Periodic movement of employees between roles
  - Skill enhancement, reduce fraud risk, reduce monotony
- Separation of Duties → Dividing tasks and privileges among multiple individuals
  - Minimize risk of fraud and errors
- Dual Control → Requiring two individuals to simultaneously verify an action
  - Prevent unauthorized access or actions

Third-Party Risk Management

Vendors → Implement vendor diversity to provide cybersecurity resilience
end of life (EOL) → Refers to the date when a product will no longer be offered for sale.
end of service life (EOSL) → Indicates the date when you expect a lack of vendor support because vendors no longer create patches or upgrades to resolve vulnerabilities for the product.
Service level agreement (SLA) → An agreement between a company & vendor that stipulates performance expectations, such as minimum uptime & maximum downtime levels
- UA → Uptime Agreement
  - UAs detail the agreed-on amount of uptime.
Memorandum of understanding (MOU) → Expresses an understanding between two or more parties indicating their intention to work together toward a common goal.
Business partners agreement (BPA) → A written agreement that details the relationship between business partners, including their obligations toward the partnership.
Measurement Systems Analysis (MSA) → Evaluates the processes & tools used to make measurements
Interconnection Security Agreement(ISA) → A formal agreement between organizations that governs the security requirements and responsibilities when connecting their information systems or networks.
Non-Disclosure Agreement (NDA) → Non-disclosure agreement (NDA) is the legal basis for protecting information assets.
- Non-disclosure agreements (NDAs) are legally binding agreements to keep information confidential
- If the employee or contractor breaks this agreement and does share such information, they may face legal consequences.

Objective 5.4

Risk Management Strategies

Risk management is the practice of identifying, monitoring, and limiting risks to a manageable level
Risk Awareness → Acknowledgement that risk exists & must be addressed to mitigate them
Inherent Risk → Refers to the risk that already exists before the controls are in place to manage the risk
Residual Risk → It is the amount of risk that remains after managing or mitigating risk to an acceptable level
Control Risk → Refers to the risk that exists if in-place controls do not adequately manage risks
- Control risks specifically apply to financial information, where they may impact the integrity or availability of the financial information.
Risk Appetite → Refers to amount of risk an organization is willing to accept
Risk Avoidance → Organization can avoid risk by not providing a service or not participating in a malicious activity
Risk Mitigation → The organization implements controls to reduce risks. These controls reduce the vulnerabilities or reduce the impact of threat
- Ex. Patching systems immediately after the release of patches, which helps to mitigate the risk of known security vulnerabilities being exploited by malicious actors
Risk Acceptance → The amount of risk that organization willing to accept
Risk Transference → The organization transfers the risk to the another entity or at least shares the risk with another entity
Cybersecurity Insurance → Helps to protect businesses & individuals from losses related to cybersecurity incidents such as data breaches & network damage

Risk Analysis

Risk Register → Lists all known risks for a system or an organization
Risk Matrix → Plots the risks onto a graph or a chart
Heat Map → Similar to Risk Matrix, but instead of using words, it uses colors such as green, red
Risk control assessment → Examines organization's known risks & evaluates the effectiveness of in-place controls
risk control self-assessment → Risk control assessment performed by employees
Internal Risk → Risks that the organization itself creates are internal risks.
External Risk → External risks are those created by factors outside the organization’s control.
Multiparty Risk → A multiparty risk involves multiple organizations.
Legacy System Risk → A legacy system risk is created by a system or process that is no longer supported or updated
IP Theft Risk → An intellectual property (IP) theft risk occurs when proprietary information or trade secrets might be exposed or lost.
Regulations that affect risk posture:
- Health Insurance Portability and Accountability Act (HIPAA) → Mandates organization to protect the health information
- Gramm-Leach Bliley Act (GLBA) → Financial Services Modernization Act → Includes financial privacy rules
  - a critical legislation safeguarding consumers' financial privacy
  - This requires financial institutions to provide customers with a privacy notice explaining what information they collect & how it is used
- Sarbanes-Oxley Act (SOX) → SOX requires the executives within an organization take individual responsibility for the accuracy of financial reports
  - Mandates financial and IT controls to protect against corporate fraud.
- General Data Protection Regulation (GDPR) → EU mandates the protection of privacy data for the individuals that live in EU
- HITECH → Health Information Technology for Economic and Clinical Health Act
  - This act extends HIPAA's privacy and security requirements and encourages healthcare organizations to invest in strong cybersecurity measures
- FISMA → Federal Information Security Management Act
  - Establishes a comprehensive framework for ensuring the security of information and information systems for all executive branch agencies
  - Sets standards for securing federal government information systems.
- COPPA → Children's Online Privacy Protection Act
  - Regulates online collection of personal information from children under 13.
- CCPA → California Consumer Privacy Act
  - Grants California residents rights over their personal data collected by businesses.
- CISA → Cybersecurity Information Sharing Act
  - Encourages sharing of cybersecurity threat information between the government and private sector.
- GAAP → Generally Accepted Accounting Principles
  - A set of accounting standards and principles used in the U.S.
  - Ensures consistency, reliability, and comparability in financial reporting.
  - Governed by the FASB → Financial Accounting Standards Board
- AICPA → American Institute of Certified Public Accountants
  - National professional organization for Certified Public Accountants (CPAs) in the U.S.
  - Sets ethical standards and auditing guidelines.
  - Develops and grades the CPA Examination.
- SAS → Statements on Accounting Standards
  - Issued by the AICPA.
  - Provide guidelines on auditing procedures and practices.
  - Ensure audits are conducted consistently and with high quality.
- PCAOB → Public Company Accounting Oversight Board
  - Established by the Sarbanes-Oxley Act of 2002.
  - Oversees the audits of public companies to protect investors.
  - Issues auditing and quality control standards for public company audits.
Risk assessment types
- Quantitative Risk Assessment → Measures the risk using a specific monetary amount.
  - It is the process of assigning numerical values to the probability an event will occur and what the impact of the event will have
  - This monetary amount makes it easy to prioritize risks
  - Single Loss Expectancy (SLE) → Cost of any single loss
  - Annual Rate of Occurrence (ARO) → Indicates how many times the loss will occur in a year
  - Annual Loss Expectancy (ALE) → SLE x ARO = ALE
- Qualitative Risk Assessment → Uses judgements to categorize risks based on likelihood of occurrence (probability) & impact.
  - Qualitative risk assessment is the process of ranking which risk poses the most danger using ratings like low, medium, and high.

Business Impact Analysis

It is important part of Business Continuity Plan (BCP)
It helps organization to identify critical systems & components that are essential to the organization's success
It helps to identify vulnerable business processes, which are mission essential functions
It identifies maximum downtime limits for these systems & components, various scenarios that can impact these systems & components, and the potential losses from an incident
Recovery Time Objective (RTO) → Identifies the maximum amount of time it can take to restore a system after an outage
Recovery Point Objective (RPO) → Identifies a point in time where the data loss is acceptable
- It is the period of time a company can tolerate lost data being unrecoverable between backups
Mean time between failures (MTBF) → Provides a measure of a system's reliability & usually represented in hours → Identifies the average time between failures
- A measurement to show how reliable a hardware component is
- a prediction of how often a repairable system will fail.
Mean Time to Failure (MTTF) → MTTF is the average time to failure for a non-repairable system or component. It measures the expected operational lifetime before failure.
- Helps in predicting the lifespan and planning replacements.
Mean time to repair (MTTR) → Identifies the average time it takes to restore a failed system
- Also called Mean time to recover
- Assessing and improving maintenance efficiency
Disaster recovery plan (DRP) → Identifies how to recover critical systems after a disaster and often prioritizes services to restore after an outage.
- The first step to developing an effective disaster recovery plan is to identify the assets.
Functional Recovery Plan → A recovery plan focused on a specific technical and business function

Standards

ISO 27001 → International standard for information security management systems (ISMS)
- Specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).
ISO 27002 → An international standard for implementing and maintaining information security systems
- Provides guidelines and best practices for organizational information security standards and information security management practices.
ISO 27017 → An international standard for cloud security
- Provides guidelines for information security controls applicable to the provision and use of cloud services.
ISO 27018 → Establishes guidelines to protect personal data in cloud computing environments.
ISO 27019 → Provides guidelines for information security management in the energy utility industry, focusing on process control systems.
ISO 27031 → Provides guidelines for ICT readiness for business continuity to ensure information and communication technology systems can support business operations in the event of disruptions.
ISO 27032 → Provides guidelines for improving the state of cybersecurity, emphasizing the protection of cyberspace, including critical information infrastructure.
ISO 27033 → Provides guidelines for improving the state of cybersecurity, emphasizing the protection of cyberspace, including critical information infrastructure.
ISO 27701 → extends the ISO 27001 and 27002 standards to include detailed management of PII (Personally Identifiable Information) and data privacy
ISO 29100 → Establishes a high-level framework for protecting personally identifiable information (PII) and provides a privacy framework.
NIST 800-12 → A general security standard and it is a U.S. standard, not an international one
NIST 800-14 → A standard for policy development, and it is also a U.S. standard, not an international one
ISO 22301 → An international standard that outlines how organizations can ensure business continuity and protect themselves from disaster
NIST CSF → Cybersecurity Framework
- A voluntary framework that provides a set of standards, guidelines, and best practices for managing cybersecurity risks.
- Offers a risk-based approach for managing and reducing cybersecurity risks, focusing on critical infrastructure.
NIST SP 800-37 → Outlines the Risk Management Framework (RMF) for federal information systems to ensure they are secure and risk-managed.
NIST SP 800-115 → Provides technical guidance on conducting security testing and assessments.
NIST SP 800-122 → Offers guidelines for protecting the confidentiality of personally identifiable information (PII).
NIST SP 800-128 → Details best practices for security-focused configuration management of information systems.
NIST SP 800-137 → Provides guidance for continuous monitoring of information systems and organizations to maintain security posture.
NIST SP 800-145 → Defines cloud computing and its essential characteristics, service models, and deployment models.

Improvement Notes

Implicit Deny → It ensures that anything not specifically allowed in the rules is blocked
Private IP Addresses
- 10.x.x.x → 10.0.0.0/8 → 255.0.0.0 → Class A
- 172.16.x.x to 172.31.x.x → 172.16.0.0/12 → 255.240.0.0 → Class B
- 192.168.x.x → 192.168.0.0/16 → 255.255.0.0 → Class C
Difference between Dictionary & Rainbow table
- Dictionary → List of potential passwords (words)
- Rainbow Table → Precomputed table containing hash of potential passwords
Skimming vs Card Cloning
- Skimming → Capturing credit card data at Point of Sale (POS)
- Card Cloning → Making a copy of credit card
STIX & TAXII → Threat Feed
- Refer Notes
Difference between SOAR & SIEM
- Security orchestration, automation, and response (SOAR) services are designed to integrate with a broader range of both internal and external applications.
- SOAR includes security operations automation
Windows SAM → Database in Windows that stores user account information, including usernames & hashed passwords.
Intelligence Fusion → Combines all this data to create a picture of likely threats and risks for an organization
Maneuver → A threat hunting concept that involves thinking like a malicious actor to help recognize indicators of compromise that might otherwise be hidden
Types of DDOS → Operational, Network, Application
- Application (DDoS) → aimed at applications
- Network DDOS → A network DDoS would be aimed at network technology, either the devices or protocols that underly networks.
- OT DDOS → An operational technology (OT) DDoS targets SCADA, ICS, utility or similar operational systems.
Difference between Vulnerability Scan & Penetration Testing
- Vulnerability Scan → Vulnerability scans use automated tools to look for known vulnerabilities in systems and applications and then provide reports to assist in remediation activities.
- Penetration Testing → Penetration tests seek to actually exploit the vulnerabilities and break into systems.
- Security audits → Security audits usually focus on checking policies, incident reports, and other documents.
Known Vs Unknown Environment
- An unknown environment test is also called black-box or a zero-knowledge test because it does not provide information beyond the basic information needed to identify the target.
- A known environment, or white-box test, involves very complete information being given to the tester.
SOAR Functionalities
Bluejacking vs Bluesnarfing vs Bluebugging
- Bluejacking → Practice of sending unsolicited messages to nearby bluetooth devices
- Bluesnarfing → Unauthorized access to, or theft of info from a bluetooth device
- Bluebugging → Gains access to the phone & install a backdoor
Spyware & Adware are both common examples of PUPs
Pharming Attack Techniques
- changing the local hosts file
- exploiting a trusted DNS server.
Fileless viruses often take advantage of PowerShell to perform actions once they have used a vulnerability in a browser or browser plug-in to inject themselves into system memory.
Cross-site request forgery (XSRF or CSRF) takes advantage of the cookies and URL parameters legitimate sites use to help track and serve their visitors.
A botnet that uses Internet Relay Chat (IRC) as its command-and-control channel & IRC’s default port is TCP 6667
LDAP focuses on input validation & filtering the output rather than parameterization
SSL stripping attack is a on-path attack → An SSL stripping attack requires attackers to persuade a victim to send traffic through them via HTTP while continuing to send HTTPS encrypted traffic to the legitimate server by pretending to be the victim.
U.S. Trusted Foundry program → Intended to prevent supply chain attacks by ensuring end-to-end supply chain security for important integrated circuits and electronics.
Information Sharing and Analysis Centers (ISACs) help critical infrastructure owners and operators protect their facilities, personnel and customers from cyber and physical security threats and other hazards.
- ISACs collect, analyze and share actionable threat information to their members and provide members with tools to mitigate risks and enhance resiliency
Filesystem Permissions:
- 0 → --- → No permission
- 1 → --x → Execute
- 2 → -w- → Write
- 3 → -wx → Write + Execute
- 4 → r-- → Read
- 5 → r-x → Read + Execute
- 6 → rw- → Read + Write
- 7 → rwx → Read + Write + Execute
Threat Actors Vs Threat Vectors
- Threat Actors → Individuals or entities initiating attacks
- Threat Vectors → Methods used to carry out attacks
Subnet Calculation Formula
- /32 → 1
- /31 → 2
- /30 → 4
- /29 → 8
Power Outage → PDU, UPS, Generator
- Power Distribution Unit (PDU) → A device that distributes electrical power to multiple devices from a single source.
  - No battery backup; power is only distributed.
  - May provide surge protection, overload protection, and monitoring capabilities.
- Uninterruptible Power Supply (UPS) → A device that provides emergency power to connected equipment when the input power source fails.
  - Continues to supply power to connected devices during short-term outages.
- Generator → A device that converts mechanical energy into electrical energy.
  - Typically used as a backup power source for extended outages.
  - Provides long-term backup power during extended outages.
Air Gap is more efficient than separating in VLAN for preventing the malware.
Using both server-side execution and validation requires more resources but prevents client-side tampering with the application and data.
An Arduino is a microcontroller well suited for custom development of embedded systems.
- They are small, inexpensive, and commonly available.
If key length is increased by 1, potential factors will increase in factors of 2 (Twice as much)
Prime factorization algorithms and elliptic curve cryptography are believed to be vulnerable to future quantum computing–driven attacks against cryptographic systems.
Account Usage Auditing → Provide a warning that someone’s account is being used when they are not actually using it
Both Advanced Encryption Standard (AES) and Data Encryption Standard (DES) are block ciphers.
RADIUS provides AAA
Datacenter
- Hot aisle/cold aisle is a layout design for server racks and other computing equipment in a datacenter.
- The goal of a hot aisle/cold aisle configuration is to conserve energy and lower cooling costs by managing airflow.
- An infrared camera will detect heat levels on the aisles. Although the rest of the options are potential issues for a datacenter, an infrared camera won’t help with them.
Software-defined networking (SDN) makes the network very scalable.
A cloud access security broker (CASB) is used to monitor cloud activity and usage and to enforce security policies on users of cloud services.
Microservice architectures build applications as a set of loosely coupled services that provide specific functions using lightweight protocols.
Infrastructure as code (IaC) is the process of managing and provisioning computer datacenters through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.
RTOS Security → Using secure firmware, as well as using an RTOS with time and space partitioning, are both common methods to help ensure RTOS security.
Homomorphic encryption can perform computations on the ciphertext without access to the private key that the ciphertext was encrypted with.
Tape backups are the most common solution for cold backups off-site.
An advantage of compiling software is that you can perform static code analysis.
Version Numbering → ensures that the proper current version of software components is included in new releases and deployments
NIC Teaming → Greater throughput and fault tolerance
USB data blockers are used to ensure that cables can only be used for charging, and not for data transfer.
The Linux kernel uses user-driven events like keystrokes, mouse movement, and similar events to generate randomness (entropy).
OpenID vs OAuth
- OpenID → OpenID is an authentication protocol that allows users to log in to multiple applications or websites using a single set of credentials.
  - Logging in to different websites using a Google or Facebook account. → Single sign-on (SSO)
- OAuth → OAuth is an authorization protocol used for providing client applications delegated access to server resources on behalf of a user.
  - Allowing a mobile app to access your Google Drive files without sharing your Google password.
FIDO U2F → An open standard provided by the Fast IDentity Online Alliance, is a standard for security keys
Load Balancer Algorithms
- Least connection-based → takes load into consideration and sends the next request to the server with the least number of active sessions
- Round Robin → simply distributes requests to each server in order
- Weighted Time → Uses health checks to determine which server is currently responding the quickest, and routing traffic to that server.
- Source IP Hash → Uses a unique hash key generated from the source and destination IP addresses to track sessions, ensuring that interrupted sessions can be seamlessly reassigned to the same server, thus allowing the sessions to continue uninterrupted.
Global Positioning System (GPS) data and data about local Wi-Fi networks are the two most commonly used protocols to help geofencing applications determine where they are.
Hashing → Hashing is commonly used in databases to increase the speed of indexing and retrieval since it is typically faster to search for a hashed key rather than the original value stored in a database
Secrets management services provide the ability to store sensitive data like application programming interface (API) keys, passwords, and certificates
The three channels that do not overlap are 1, 6, and 11 in the U.S. installations of 2.4 GHz Wi-Fi networks
Infrared (IR) is the only line-of-sight method on the list
Digital certificates use the X.509 standard (or the PGP standard) and allow the user to digitally sign authentication requests.
Microsoft System Center Configuration Manager (SCCM) → provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory.
Heuristic vs Anomaly-based detection
- Heuristic: Heuristic IPS uses algorithms and rules to detect potentially malicious behavior, often identifying new and unknown threats. However, it does not specifically create a baseline of normal activity.
  - Heuristic IPS technology uses artificial intelligence to identify attacks that have no prior signature.
- Anomaly-based: Anomaly-based IPS establishes a baseline of normal network behavior and then monitors traffic to detect and block deviations from this baseline. This makes it the best fit for the requirement of observing normal network activity and blocking deviations
Checksum vs Hash
Windows Log Files & Linux Log Files
Containment vs Isolation
Types of dashboard in SIEM
Multiple files could have the same checksum value, whereas a hashing algorithm will be unique for each file that it is run against. → Hashing > Checksum
1. CentOS and Red Hat both store authentication log information in /var/log/secure instead of /var/log/auth.log used by Debian and Ubuntu systems.
grep "Failed password" /var/log/auth.log → Command used check for bruteforce attack in Linux systems
1. Mapping networks using ping relies on pinging each host, and then uses time-to- live (TTL) information to determine how many hops exist between known hosts and devices inside a network. When TTLs decrease, another router or switch typically exists between you and the device.
Zero-wiping a drive can be done using dd → dd if=/dev/zero of=/dev/sda bs=4096
The Content-Addressable Memory (CAM) tables on switches contain a list of all the devices they have talked to.
Content Filter → A content filter is specifically designed to allow organizations to select both specific sites and categories of content that should be blocked.
The Windows swapfile is saved in the root of the drive by default. → C:/pagefile.sys
A system crash, or system dump, file contains the contents of memory at the time of the crash
- The infamous Windows blue screen of death results in a memory dump to a file, allowing analysis of memory contents.
Anti-forensics activities follow lateral movement in the Cyber Kill Chain model. It helps to remember that after an attacker has completed their attack, they will attempt to hide traces of their efforts, and then may proceed to denial-of-service or exfiltration activities in the model.
Jurisdictional boundaries exist between states and localities, as well as countries, making it challenging for local law enforcement to execute warrants and acquire data from organizations outside of their jurisdiction in many cases.
Virtual machine forensics typically rely on a snapshot gathered using the underlying virtualization environment’s snapshot capabilities. This will capture both memory state and the disk for the system and can be run on an independent system or analyzed using forensic tools.
The Volatility framework is a purpose-built tool for the acquisition of random access memory (RAM) from a live system.
Change management is the process of documenting all changes made to a company’s network and computers.
Privacy Roles:
- Data Owner → Responsible for the data's overall management and governance, including its security and integrity.
  - Data owners assign labels such as top secret to data
  - A data controller or data owner is the organization or individual who collects and controls data.
  - Determines data usage policies, sets data access permissions, and is accountable for the data's accuracy and appropriateness.
  - Ultimate responsibility for maintaining confidentiality, integrity, and availability
  - Ex. Department head deciding access to datasets
- Data Processor → An entity or individual that processes data on behalf of the data controller
  - Data processors are service providers that process data for data controllers.
  - Follows data controller instructions, ensures regulatory compliance
  - Ex. Cloud service provider handling client data
- Data Steward → Ensures data quality and fitness for purpose
  - A data steward carries out the intent of the data controller and is delegated responsibility for the data.
  - Oversees data governance policies, ensures data quality, and manages data assets to ensure they meet business needs.
  - Ex. A data quality analyst who reviews data entries for accuracy and consistency.
- Data Custodians → Responsible for the safe custody, transport, storage of data, and the implementation of business rules.
  - Custodians assign security controls to data.
  - Manages and protects data, ensures proper handling and safeguarding of data, and maintains data integrity and availability.
  - Ex. IT professional managing data backups
- Privacy Officer → A privacy officer ensures that companies comply with privacy laws and regulations.
  - Ex. Compliance officer ensuring adherence to GDPR/HIPAA
- System administrators are responsible for the overall functioning of IT systems.
Security program administrators often use different types of training to ensure that trainees who react and respond differently to training are given training that helps them.
Customer data can include any information that a customer uploads, shares, or otherwise places in or creates via a service.
Standard for Attestation Engagements (SSAE)
- SOC 2 engagement assesses the security and privacy controls that are in place, and a Type 2 report provides information on the auditor’s assessment of the effectiveness of the controls that are in place.
- An SOC 1 report assesses the controls that impact the accuracy of financial reporting. Type 1 reports a review auditor’s opinion of the description provided by management about the suitability of the controls as designed.
Predictive analysis for Threat Intelligence come from:
- Large Security Datasets
- Behavior Patterns
- Current Security Trends
Polymorphism → Technique created by malware creators to shift the signature of malware to prevent detection by antivirus tools.
ISACs (Information Sharing and Analysis Centers) → Collaborative industry organizations that analyze and share cybersecurity threat information within their industry verticals in USA
Shimming & Refactoring
DVR → Ability to record video in CCTV
IP Spoofing is a technique used by attackers to create IP packets with a forged source IP address. → MITM Attack
Use secure firmware to secure RTOS
CIA & DAD Triad
- Confidentiality → Disclosure
- Integrity → Alteration
- Availability → Denial
Breach Impact
- Financial Risk → Risk of monetary damage to the organization as a result of data breach
- Reputational Risk → Occurs when the negative publicity surrounding a security breach causes the loss of goodwill among customers, employees, suppliers & stakeholders
- Identity Theft → Use of exposed PII information in attacks
- Strategic Risk → Risk that organization will become less effective in meeting its major goals & objectives as a result of the breach
  - Strategic risk affects business plans
- Operational Risk → Risk to the organization's ability to carry out its day-to-day operations
  - Operational risk affects inefficiency & delay within the organization
- Compliance Risk → Occurs when a security breach causes an organization to violate legal or regulatory requirements
  - Ex. HIPAA → Health Information
Security Groups → Works as a virtual firewall for instances allowing rules to be applied to traffic between instances
SSH Tunneling → also known as SSH port forwarding
- A technique used to securely transmit data between a local and a remote host over an unsecured network
- It leverages the Secure Shell (SSH) protocol's encryption capabilities to create an encrypted tunnel for transmitting network traffic.
Difference between MDM & UEM
- MDM → Primarily manages mobile devices such as smartphones and tablets.
  - Functions → Device Inventory, Device Configuration, Security Management, App Management, Monitoring
- UEM → Manages a wide range of endpoint devices, including mobile devices, desktops, laptops, IoT devices, and wearables.
  - Functions → Device Management, Application Management, Content Management, Identity Management, Policy Management, Automation
Asymmetric Vs Symmetric Encryption Advantages & Disadvantages
- Symmetric Advantages
  - Faster compared to asymmetric encryption due to simpler algorithms and operations.
  - More efficient for bulk encryption and large data sets.
  - Shorter key lengths provide equivalent security levels compared to asymmetric encryption.
  - Widely used for securing data in transit and at rest.
- Symmetric Disadvantages
  - Key Distribution
  - Challenges in managing and storing keys securely.
  - Less scalable for secure communication among multiple parties compared to asymmetric encryption.
  - Does not inherently provide mechanisms for verifying sender identity or message integrity without additional protocols.
- Asymmetric Advantages
  - No need to securely distribute keys; each user has a public-private key pair.
  - Offers better security because the private key never leaves the owner's possession.
  - Provides digital signatures for verifying the sender's identity and integrity of the message.
  - Supports secure communication between multiple parties without requiring pre-shared secrets.
- Asymmetric Disadvantages
  - Slower compared to symmetric encryption due to more complex algorithms.
  - Requires longer key lengths for equivalent security levels compared to symmetric encryption.
  - Less efficient for bulk encryption and large data sets.
Which is the most commonly used certificate format → PEM
802.11x vs CHAP vs Kerberos
- 802.1X → Wi-Fi Authentication
  - EAP Methods (EAP-TLS, PEAP, etc.)
  - Network Access Control (NAC)
  - When 802.1X is enabled, devices connecting to the network do not gain access until they provide the correct authentication credentials.
  - This 802.1X standard refers to the client as the supplicant, the switch is commonly configured as the authenticator, and the back-end authentication server is a centralized user database such as Active Directory.
- CHAP → Network Authentication
  - Challenge-Response
  - Authentication for point-to-point connections
  - Mutual authentication, challenge-response mechanism
- Kerberos → Network Authentication
  - Network authentication protocol
  - Ticket-based authentication, SSO, mutual authentication
- RADIUS → Centralized authentication, authorization, and accounting
  - Centralized management, extensibility, supports various authentication methods
CSA's Cloud Control Matrix → A framework designed to provide fundamental security principles to guide cloud vendors and customers in assessing the overall security risk of a cloud service
Smart Card vs Proximity Cards
- Proximity Cards → A proximity card is a contactless card that usually utilizes RFID to communicate with the reader on a physical access system.
  - These are commonly used to access secured rooms (such as server rooms) or even a building itself (such as at a mantrap)
Hash Algorithm Sizes

Cynthia needs to prevent drones from flying over her organization's property. What can she do? When you are concerned about application security, what is the most important issue in memory management? Yasmine wants to implement a cloud-based authorization system. What protocol is she most likely to apply? What is the purpose of Unified Extensible Firmware Interface (UEFI) Secure Boot? What is the size of the wrapper applied by TKIP around the WEP encryption utilizing a key that is derived from the MAC address of the machine and the packet's serial number?

What containment techniques is the strongest possible response to an incident? When conducting forensic analysis of a hard drive, what tool would BEST prevent changing the contents of the hard drive during your analysis?

Hardware write blocker
Forensic drive duplicator
Software write blocker
Degausser

Acronyms

ASP → Active Server Pages
- A server side scripting environment developed by Microsoft
- .aspx
CAR → Corrective Action Report
- A document that records the actions taken to eliminate the causes of an existing nonconformity or other undesirable situation to prevent its recurrence
CP → Contingency Planning
- The process of developing proactive strategies & procedures to ensure an organization can effectively respond to & recover from unexpected events or emergencies that may disrupt normal operations
- Contingency plans are designed to minimize the impact of disruptions on critical business functions and services.
CRC → Cyclic Redundancy Check
- An error detection code used to detect accidental changes to raw data in storage or transmission
- It generates a fixed-size checksum based on the data content & appending it to the data
- Upon receiving the data, the checksum is recalculated, & if the checksum does not match the appended checksum, an error is detected.
CSU → Channel Service Unit
- A networking device used to interface a digital communication channel with a data terminal equipment (DTE) such as a router or a multiplexer
DEP → Data Execution Prevention
- A security feature implemented to prevent execution of code from certain regions of memory
DER → Distinguished Encoding Rules
- Used to encrypt data in consistent binary format
- A binary encoding format for data structures defined by ASN.1.
DKIM → Domain Keys Identified Mail
- An email authentication method used to detect email spoofing by allowing the receiver to check the email claimed to have come from specific domain authorized by owner of that domain
- Validates integrity & authenticity of email message
DMARC → Domain-based Message Authentication, Reporting & Conformance
- An email authentication protocol that builds on SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail) to provide domain owners with the ability to protect their domains from unauthorized use, such as email spoofing
DNAT → Destination Network Address Translation
- Form of NAT where the destination address of IP packet is modified as it passes to router or firewall
- It is used to direct incoming traffic to correct internal host or service
DSL → Digital Subscriber Line
- A family of technologies that provide internet access by transmitting digital data over the wires of local telephone network
ECB → Electronic Code Book
- A mode of operation for block ciphers, such as AES → Plaintext is divided into blocks & each block is encrypted independently using the same key
EFS → Encrypted File System
- A feature on windows OS that allows users to encrypt individual files or folders on NTFS (New Technology File System) volume
ERP → Enterprise Resource Planning
- A software system that integrates core business processes & functions into single unified platform
ESN → Electronic Serial Number
- A unique identification number assigned to a mobile device for identification on cellular networks
ESSID → Extended Service Set Identifier
- A unique identifier assigned to a wireless network to differentiate it from other wireless networks
GRE → Generic Routing Encapsulation
- A tunneling protocol used to encapsulate & carry arbitrary network protocols over IP
- Usage: Site-to-Site VPNs, dynamic routing, network virtualization.
IDF → Intermediate Distribution Frame
- A key component of structured cabling systems, serving as an intermediate point for distributing network connections within a building or campus
ISA → Interconnection Security Agreement
- A formal agreement between organizations that governs the security requirements and responsibilities when connecting their information systems or networks.
ISFW → Internal Segmentation Firewalls
- Use firewalls to segment & control traffic within organization's internal network
MBR → Master Boot Record
- The MBR is the first sector of a storage device, typically a hard disk.
- It contains the boot loader and the partition table for the device.
MPLS → Multiprotocol Label Switching
- A high-performance telecommunications technique that directs data from one network node to the next based on short path labels rather than long network addresses.
NTLM → New Technology LAN Manager
- A suite of security protocols used to provide authentication, integrity, and confidentiality to users in Windows-based systems
NFV → Network Function Virtualization
- A network architecture concept that uses virtualization technologies to manage and deploy network functions through software rather than dedicated hardware appliances.
NTFS → New Technology File System
- A file system developed by Microsoft that is used by the Windows NT operating system for storing and retrieving files on a hard disk.
OVAL → Open Vulnerability & Assessment Language
- An open standard developed to promote sharing and standardization of security content.
PAC → Proxy Auto Configuration
- A technology that allows web browsers and other user agents to automatically determine the appropriate proxy server for fetching a URL
PAM → Pluggable Authentication Modules
- A flexible mechanism for authenticating users in a Linux or UNIX environment
PAT → Port Address Translation
- A type of Network Address Translation (NAT) where multiple devices on a local network can be mapped to a single public IP address but with a different port number assignment
PBX → Private Branch Exchange
- A private telephone network used within an organization that allows internal communication and provides connectivity to external telephone networks
PED → Portable Electronic Device
- Any small electronic device that is easily transportable and typically powered by a battery
POTS → Plain Old Telephone Service
PPTP → Point To Point Tunneling Protocol
- A network protocol used to create VPNs (Virtual Private Networks) over IP networks
RTBH → Remotely Triggered Black Hole
- A security technique used to mitigate large-scale Distributed Denial of Service (DDoS) attacks by diverting malicious traffic away from the intended target network
SCAP → Security Content Automation Protocol
- A suite of standards used to automate the management and reporting of security vulnerabilities and configuration compliance
SCEP → Simple Certificate Enrollment Protocol
- A protocol that simplifies the process of obtaining and managing digital certificates in a network environment.
SDP → Service Delivery Platform
- A set of components that provides a framework for the creation, delivery, management, and monetization of services in telecommunications and enterprise environments
SMB → Server Message Block → Port 445
- A network protocol primarily used for providing shared access to files, printers, and serial ports, as well as miscellaneous communications between nodes on a network
SOAP → Simple Object Access Protocol
- A messaging protocol specification for exchanging structured information in the implementation of web services in computer networks
SPF → Sender Policy Framework
- An email validation system designed to prevent email spoofing
STP → Shielded Twisted Pair
- A type of copper cabling used in telecommunications and data communications
- It consists of pairs of insulated copper wires twisted together, with an additional shielding to provide extra protection from electromagnetic interference (EMI) and radio frequency interference (RFI).
TGT → Ticket Granting Ticket
- A temporary set of credentials issued by the Key Distribution Center (KDC) that allows a user to obtain additional service tickets without repeatedly re-entering their password
TSIG → Transaction Signature
- A security feature used in DNS to authenticate and verify the integrity of DNS messages between servers
UAT → User Acceptance Testing
- A crucial phase in software development where end-users validate that the system meets their requirements and functions as expected in their real-world scenarios
VLSM → A technique used in IP addressing to create subnets with different sizes within a given network

PBQ

The PBQ were hard, I got 4 questions, one is attack vector and how to mitigate, one is reading the scanning and chose the appropriate method, one is setting up fire wall with 3 servers and 2 routers this is hardest, one is related to data classification like PII, Confidential and what method to destroying it
chmod → command in Unix/Linux is used to change the file permissions for a file or directory
- chmod u+x file.txt → Adds execute permission for the user.
- chmod g-w file.txt → Removes write permission for the group.
- chmod o=r file.txt → Sets read-only permission for others.
chown → command in Unix/Linux is used to change the owner and/or group of a file or directory.
- chown alice file.txt → Changes the owner of file.txt to alice.
- chown alice /path/to/directory → Changes the owner of the directory and its contents recursively to alice (with -Roption).
- chown -R bob:staff /home/bob → Recursively change the owner to bob and the group to staff for the directory
Cryptography
- Alice creates the SHA-1 hash of the original message (ABC) & then encrypts it with Alice's Private Key to create Digital Signature
- Next, Alice attaches the Digital Signature to the original message & delivers to Bob
- Bob decrypts the original message containing Digital Signature using Alice's Public Key → Resulting in the hash of the original message → (ABC)
- Bob then performs a comparison of the hash & finds his computed hash is XYZ → Therefore, Bob can NOT confirm message's integrity
Social Engineering

WEAK AREAS

[x] Blockchain & Ledger
[x] Linux Commands
[x] ACL Rules Syntax
[x] Subnet Formula
[x] 802.1X
[x] Hash Lengths
[x] RTO vs MTTR
[ ]

TODOs

[x] Chapter 4 & 5 Revise
[x] Acronyms
[x] Encryption Algorithms
[x] Telegram PBQ
[x] Ports
[x] Acts & Standards