Security+ Last Minute Review Guide (SY0-601)

Domain 1:
Threats, Attacks, and Vulnerabilities

[Figure: the CIA triad of Confidentiality, Integrity, and Availability]

The three main goals of information security are:
• Confidentiality prevents unauthorized disclosure
• Integrity prevents unauthorized alteration
• Availability ensures authorized access

Social engineering attacks exploit seven main mechanisms: authority, intimidation, consensus, scarcity, familiarity, trust, and urgency.

Social engineering attacks manipulate individuals to gain unauthorized access or information. Variants of social engineering attacks include:

Attack Type | Description
Phishing | Solicits information via email.
Spear Phishing | Solicits information via highly targeted email designed for one person.
Whaling | Targets high-value individuals, such as senior executives.
Tailgating | Accesses a building by having someone hold the door open.
Dumpster Diving | Discovers sensitive information discarded in the trash.
Shoulder Surfing | Monitors user activity by watching them as they enter/read information.
Watering Hole | Places malware on a site where users are known to congregate.

Malware comes in many different forms. You should be able to review a scenario and identify the type of malware involved. Major malware types include:

Malware Type | Description
Virus | Spreads between systems based upon some user action.
Worm | Spreads between systems by exploiting vulnerabilities; no user action required.
Trojan Horse | Masquerades as desirable software to trick the user into installing it.
Remote Access Trojan | Trojan horse that allows an attacker to gain remote access to a system.
Adware | Displays advertisements on the user's system to generate ad revenue.
Spyware | Monitors user activity, such as keystrokes and web visits. Keyloggers are an example of spyware.
Ransomware | Encrypts user files and demands a ransom before releasing the key.
Logic Bomb | Waits until certain conditions are met before triggering a malicious action.
Rootkit | Hides the presence of malware and maintains persistent administrative (root-level) access to a system, typically after privileges have been escalated.
Backdoor | Provides an unauthorized mechanism for accessing a system.
Botnet | Network of compromised systems that an attacker controls through the use of a command and control mechanism. Commonly used in denial of service attacks.

Attackers vary widely in their sophistication, resources, and intent. Script kiddies are generally low-skilled attackers seeking a quick thrill. Advanced Persistent Threats (APTs) are extremely sophisticated attackers often sponsored by government agencies.

Black hat attackers are those with malicious intent, while white hat attackers have benign intent and are authorized by the system owner. Grey hat attackers have benign intent but do not have authorization to conduct their work.

© 2020, CertMike.com
Network discovery scanning uses tools like nmap to check for active systems and open ports. Common scanning techniques include:
• TCP SYN scans send a single packet with the SYN flag set.
• TCP Connect scans attempt to complete the three-way handshake.
• TCP ACK scans seek to impersonate an established connection.
• Xmas scans set the FIN, PSH, and URG flags.

Downgrade attacks attempt to convince the legitimate participants in an encrypted session to reduce the level of security of the connection, exposing it to eavesdropping.

Network vulnerability scanning first discovers active services on the network and then probes those services for known vulnerabilities. Web application vulnerability scans use tools that specialize in probing for web application weaknesses.
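As an added example (not part of the guide), the classifier below labels an unsolicited TCP segment by the flag combinations listed above, which is how a network IDS or a firewall log reviewer recognizes these probes on the wire. It parses a raw 20-byte TCP header with the standard library only; the packets are constructed inline, so no capture file or nmap run is needed. Note that a SYN scan and the first packet of a TCP connect scan are identical; the difference is only whether the scanner finishes the handshake.

```python
"""Classify TCP probes by their flag bits (added example, not from the guide).

Parses a raw 20-byte TCP header, extracts the flag bits and labels the probe
the way the scan types above appear on the wire. The headers are hand-built
here with build_tcp_header(); there is no live capture.
"""
import struct

# TCP flag bits as laid out in the 16-bit data-offset/flags field (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Build a minimal 20-byte TCP header with the given flags (checksum and urgent pointer left zero)."""
    data_offset = 5 << 12  # 5 x 32-bit words, no options
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       data_offset | flags, window, 0, 0)


def parse_flags(header):
    """Return the flag bits of a raw TCP header as an int."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    offset_flags = struct.unpack("!H", header[12:14])[0]
    return offset_flags & 0x01FF


def classify_probe(header):
    """Map the flag combination of an unsolicited segment to a scan type."""
    flags = parse_flags(header)
    if flags == SYN:
        return "SYN scan (half-open) or first step of a TCP connect scan"
    if flags == ACK:
        return "ACK scan (impersonates an established connection; maps firewall rules)"
    if flags == (FIN | PSH | URG):
        return "Xmas scan"
    if flags == 0:
        return "NULL scan"
    if flags == FIN:
        return "FIN scan"
    if flags == (SYN | ACK):
        return "SYN/ACK (handshake reply, not a probe)"
    return "other (flags=0x%03x)" % flags


if __name__ == "__main__":
    for name, f in [("syn", SYN), ("ack", ACK), ("xmas", FIN | PSH | URG), ("null", 0)]:
        print(name, "->", classify_probe(build_tcp_header(40000, 80, f)))
```

A real detector would additionally require that no prior SYN/ACK from the target exists for the flow, since a lone ACK inside an established connection is normal traffic.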

Man-in-the-middle attacks intercept a client's initial request for a connection to a server and proxy that connection to the real service. The client is unaware that they are communicating through a proxy and the attacker can eavesdrop on the communication and inject commands.

The vulnerability management workflow includes three basic steps: detection, remediation, and validation.

Penetration testing goes beyond vulnerability scanning and attempts to exploit vulnerabilities. It includes five steps:

1. Planning
2. Information Gathering & Discovery
3. Vulnerability Scanning
4. Exploitation
5. Reporting

Password attacks seek to defeat the security of password-based authentication. Common password attacks include:
• Brute force attacks attempt to simply guess passwords repeatedly.
• Dictionary attacks guess passwords using a dictionary of words and phrases.
• Password spraying attacks try a short list of common passwords against many different accounts, staying below the lockout threshold of any single account.
• Credential stuffing attacks take lists of usernames and passwords from a compromised site and attempt to use them to log in at another site.
• Rainbow table attacks precompute the hashes of common passwords and use them against a stolen password file. Rainbow tables may be defeated by using salted passwords.
• Pass the hash attacks reuse hashed credentials from one machine to log in to another machine.

Birthday attacks seek to find collisions in hash functions, where the hash function generates the same value for two different inputs.
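Added example, not from the guide: why salting defeats a precomputed (rainbow-style) table, and what a server should store instead of a bare hash. The "stolen password file" and the candidate list are constructed inline; the precomputed table is a plain dictionary of digest to password rather than a true rainbow table with hash/reduce chains, but the lookup attack and the salt defence behave the same way.

```python
"""Precomputed-hash lookup defeated by per-user salts (added example, not from the guide)."""
import hashlib
import hmac
import os

COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2020!"]  # constructed list
ITERATIONS = 100_000  # PBKDF2 work factor; the demo calls lower it for speed


def unsalted_hash(password):
    """Legacy scheme: the same password always yields the same digest on every system."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a per-user salt: the salt makes precomputed tables
    useless and the iteration count makes every guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def new_password_record(password, iterations=ITERATIONS):
    """What a server should store: (salt, digest), never the password or an unsalted hash."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt, iterations)


def verify_password(salt, stored_digest, attempt, iterations=ITERATIONS):
    """Constant-time comparison so response timing does not leak how many bytes matched."""
    return hmac.compare_digest(salted_hash(attempt, salt, iterations), stored_digest)


def precompute_table(candidates):
    """Attacker: hash every candidate once and reuse the table against any stolen file."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(stored_digest, table):
    """Instant recovery when the victim stored unsalted hashes; None otherwise."""
    return table.get(stored_digest)


def guess_salted(stored_digest, salt, candidates, iterations=ITERATIONS):
    """Against salted storage the table is useless: the attacker must redo the work
    per user and per candidate, so weak passwords still fall, but slowly."""
    for p in candidates:
        if salted_hash(p, salt, iterations) == stored_digest:
            return p
    return None


if __name__ == "__main__":
    table = precompute_table(COMMON_PASSWORDS)
    print("unsalted:", lookup(unsalted_hash("letmein"), table))
    salt, digest = new_password_record("letmein", 1000)
    print("salted via table:", lookup(digest, table))
    print("salted via per-user guessing:", guess_salted(digest, salt, COMMON_PASSWORDS, 1000))
```

The salt is not secret and is stored next to the digest; its job is only to make every user's hash unique so that one precomputation cannot be amortized across victims.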


There are three different types of penetration tests:
• During white box penetration tests, testers have full access to information about the target systems.
• During black box penetration tests, testers conduct their work without any knowledge of the target environment.
• Gray box tests reside in the middle, providing testers with partial knowledge about the environment.

Cybersecurity exercises involve the participation of four different teams:
• Red teams play the role of attackers, engaging in offensive tactics
• Blue teams play the role of defenders, engaging in defensive tactics
• White teams play the role of moderators and referees
• Purple teams convene the members of the red, blue, and white teams together to share lessons learned from an exercise

Threat intelligence allows an organization to learn about changes in the threat landscape, including attacker identities, tools, and techniques. Common threat intelligence sources include:
• Open source intelligence (OSINT)
• Proprietary threat intelligence from security vendors
• Vulnerability databases
• Information sharing and analysis centers (ISACs)
• Dark web sites
• Indicators of compromise

Threat hunting exercises presume that attackers have


already compromised an organization and then seek out
evidence of that compromise.

Structured Threat Information Exchange (STIX) is


used to provide a standardized format for exchanging
threat information, while the Trusted Automated
eXchange of Indicator Information (TAXII) defines
a protocol for the transmission of this information
between components of a security automation
environment.


Domain 2:
Architecture and Design

When developing new systems, organizations move them through a four-stage process using different environments:
1. Development environments are where developers create and modify the system.
2. Test environments are where the system is tested. If flaws are discovered, it is returned to development.
3. Staging environments are where approved code is placed, awaiting release to production.
4. Production environments contain systems that are currently serving customer needs.

The waterfall model of software development is fairly rigid, allowing the process to return only to the previous step:

[Figure: waterfall model. System Requirements → Software Requirements → Preliminary Design → Detailed Design → Code and Debug → Testing → Operations and Maintenance]

The spiral model uses a more iterative approach:

[Figure: spiral model. Each loop passes through four quadrants: 1. Determine objectives; 2. Identify and resolve risks; 3. Development and Test; 4. Plan the next iteration. Successive loops produce the requirements plan, concept of operation, prototypes 1 and 2, an operational prototype, and the development, integration and test plans, with cumulative cost growing along the spiral.]

The agile approach eschews this rigidity for a series of incremental deliverables created using a process that values:
• Individuals and interactions instead of processes and tools
• Working software instead of comprehensive documentation
• Customer collaboration instead of contract negotiation
• Responding to change instead of following a plan

In virtualized environments many guest systems run on a single piece of hardware. The hypervisor is responsible for separating resources used by different guests. Type 1 hypervisors run directly on the "bare metal" hardware while type 2 hypervisors run on a host operating system. Application virtualization virtualizes individual software apps instead of entire operating systems.


When deploying services in the cloud, organizations may choose from three major cloud strategies:
• Software-as-a-Service (SaaS) deploys entire applications to the cloud. The customer is only responsible for supplying data and manipulating the application.
• Infrastructure-as-a-Service (IaaS) sells basic building blocks, such as servers and storage. The customer manages the operating system and configures and installs software.
• Platform-as-a-Service (PaaS) provides the customer with a managed environment to run their own software without concern for the underlying hardware.

Cloud services may be built and/or purchased in several forms:
• Public cloud providers sell services to many different customers and many customers may share the same physical hardware.
• Private cloud environments dedicate hardware to a single user.
• Hybrid cloud environments combine elements of public and private cloud in a single organization.
• Community cloud environments use a model similar to the public cloud but with access restricted to a specific set of customers.

When managing the physical environment, you should be familiar with common power issues:

Power Issue | Brief Duration | Prolonged Duration
Loss of power | Fault | Blackout
Low voltage | Sag | Brownout
High voltage | Spike | Surge
Disturbance | Transient | Noise

Fires require the combination of heat, oxygen, and fuel. They may be fought with fire extinguishers:
• Class A: common combustible fires
• Class B: liquid fires
• Class C: electrical fires
• Class D: metal fires

Organizations may use wet pipe fire suppression systems that always contain water, dry pipe systems that only fill with water when activated, or preaction systems that fill the pipes at the first sign of fire detection.

Mantraps use a set of double doors to restrict physical access to a facility.

Hot and cold aisle approaches manage cooling by aligning data centers so that the front of one row of servers faces the front of the adjacent row (cold aisle) and the backs of servers also face each other (hot aisle).

Software testers can have varying degrees of knowledge about the software they are testing. In a white box test, they have full knowledge of the software. In a black box test, they have no knowledge, while grey box tests reside in the middle, providing testers with partial knowledge.

The top ten security vulnerabilities in web applications, according to OWASP (2017 edition of the Top 10), are:
1. Injection attacks
2. Broken authentication
3. Sensitive data exposure
4. XML external entities
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting
8. Insecure deserialization
9. Using components with known vulnerabilities
10. Insufficient logging and monitoring


The core activities of identity and access management are:
• Identification, where a user makes a claim of identity.
• Authentication, where the user proves the claim of identity.
• Authorization, where the system confirms that the user is permitted to perform the requested action.

Authentication technologies may experience two types of errors. False positive errors occur when a system accepts an invalid user as correct. This is measured using the false acceptance rate (FAR). False negative errors occur when a system rejects a valid user, measured using the false rejection rate (FRR). We evaluate the effectiveness of an authentication technology using the crossover error rate (CER), the point at which FAR and FRR are equal, as shown in the diagram below:

[Figure: error rate plotted against sensitivity. As sensitivity increases, FAR falls and FRR rises; the two curves cross at the CER.]

In addition to maintaining current and patched platforms, one of the most effective application security techniques is input validation, which ensures that user input matches the expected pattern before using it in code.
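Added example, not from the guide, showing the input validation practice just described: an allowlist pattern applied to the canonical (decoded, trimmed) form of each field, next to the weaker denylist approach that only looks for "dangerous" substrings. The field names, patterns and sample values are constructed for illustration.

```python
"""Allowlist input validation versus a denylist filter (added example, not from the guide)."""
import re
import urllib.parse

# Allowlist: describe exactly what valid input looks like and reject everything else.
VALIDATORS = {
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),   # constructed rule
    "order_id": re.compile(r"[0-9]{1,10}"),             # constructed rule
}


def validate_field(name, value):
    """Return the canonical value if it matches the field's allowlist pattern, else raise ValueError."""
    if name not in VALIDATORS:
        raise ValueError("unknown field %r" % name)
    # Canonicalise (decode, trim) BEFORE validating, so an encoded variant cannot
    # pass the pattern and then be decoded into something else by the application.
    canonical = urllib.parse.unquote(value).strip()
    if not VALIDATORS[name].fullmatch(canonical):
        raise ValueError("invalid %s" % name)
    return canonical


def is_valid(name, value):
    try:
        validate_field(name, value)
        return True
    except ValueError:
        return False


# The weak alternative: a denylist of bad substrings checked against the raw input.
DENYLIST = ("'", "--", ";", "<script")


def denylist_allows(value):
    """True when the denylist lets the input through (it never sees the decoded form)."""
    return not any(bad in value for bad in DENYLIST)


if __name__ == "__main__":
    payload = "admin%27%20OR%201%3D1"   # URL-encoded  admin' OR 1=1
    print("denylist allows:", denylist_allows(payload))
    print("allowlist allows:", is_valid("username", payload))
```

The encoded payload slips past the denylist because the apostrophe only appears after decoding, while the allowlist rejects it because the decoded value is not a well-formed username.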
In access control systems, we seek to limit the access that subjects (e.g. users, applications, processes) have to objects (e.g. information resources, systems).

Access controls work in three different fashions:
• Technical (or logical) controls use hardware and software mechanisms, such as firewalls and intrusion prevention systems, to limit access.
• Physical controls, such as locks and keys, limit physical access to controlled spaces.
• Administrative controls, such as account reviews, provide management of personnel and business practices.
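Added example, not from the guide, for the FAR, FRR and CER defined above: given matcher scores for known genuine users and known impostors, it computes both error rates at a threshold and sweeps thresholds to locate the crossover. The score lists are constructed; in practice they come from running the matcher on labelled test samples.

```python
"""False acceptance, false rejection and crossover error rate (added example, not from the guide).

Scores are similarity values from a biometric matcher: higher means the sample
looks more like the enrolled template. Both lists below are constructed.
"""
GENUINE_SCORES = [0.91, 0.88, 0.84, 0.80, 0.76, 0.72, 0.69, 0.65, 0.60, 0.55]   # legitimate users
IMPOSTOR_SCORES = [0.20, 0.28, 0.35, 0.41, 0.47, 0.52, 0.58, 0.63, 0.70, 0.78]  # attackers


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False acceptance rate: fraction of impostors whose score reaches the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE_SCORES):
    """False rejection rate: fraction of genuine users whose score falls below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES, steps=1000):
    """Sweep the threshold (sensitivity) from 0 to 1 and return (threshold, error rate)
    at the point where |FAR - FRR| is smallest. Raising the threshold lowers FAR and
    raises FRR, so the curves meet exactly once: that meeting point is the CER."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        a, r = far(t, impostor), frr(t, genuine)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    _, t, cer = best
    return t, cer


if __name__ == "__main__":
    for t in (0.5, 0.6, 0.7, 0.8):
        print("threshold %.2f  FAR %.2f  FRR %.2f" % (t, far(t), frr(t)))
    print("crossover at threshold %.3f, CER %.2f" % crossover())
```

A lower CER means a better matcher; where the deployment should actually sit on the curve depends on whether false acceptance (security) or false rejection (usability) is the costlier error.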
Multifactor authentication systems combine authentication technologies from two or more of the following categories:
• Something you know (Type 1 factors) rely upon secret information, such as a password.
• Something you have (Type 2 factors) rely upon physical possession of an object, such as a smartphone.
• Something you are (Type 3 factors) rely upon biometric characteristics of a person, such as a face scan or fingerprint.

Business continuity planning conducts a business impact assessment and then implements controls designed to keep the business running during adverse circumstances.

Backups provide an important disaster recovery control. Remember that there are three major categories of backup:

Backup Type | Description
Full Backup | Copies all files on a system.
Differential Backup | Copies all files on a system that have changed since the most recent full backup.
Incremental Backup | Copies all files on a system that have changed since the most recent full or incremental backup.
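Added example, not from the guide, that works the backup table through a week: which files each scheme copies on each day, how many copies that costs, and which backup sets a restore must apply. The file change history and the schedule (a full backup on day 0, then one backup per day, each taken at end of day) are constructed.

```python
"""Full, differential and incremental backups over a constructed week (added example, not from the guide)."""

# Constructed file system: file -> days on which it was modified (day 0 is the full backup day)
CHANGES = {
    "payroll.db": [0, 1, 3],
    "notes.txt": [0, 2],
    "config.yml": [0],
    "report.docx": [0, 1, 2, 3],
}


def changed_since(day, since, changes=CHANGES):
    """Files modified after day `since` and up to `day` inclusive (backups run at end of day)."""
    return sorted(f for f, days in changes.items() if any(since < d <= day for d in days))


def plan(kind, days, changes=CHANGES):
    """Return {day: files copied} for a schedule that starts with a full backup on days[0]."""
    out = {}
    last_full = days[0]
    last_any = days[0]
    for i, day in enumerate(days):
        if i == 0:
            out[day] = sorted(changes)                           # full: everything
        elif kind == "differential":
            out[day] = changed_since(day, last_full, changes)    # since the last FULL
        elif kind == "incremental":
            out[day] = changed_since(day, last_any, changes)     # since the last backup of ANY kind
        else:
            raise ValueError("unknown backup kind %r" % kind)
        last_any = day
    return out


def files_copied(kind, days, changes=CHANGES):
    """Total file copies over the schedule: the storage/time cost of the scheme."""
    return sum(len(files) for files in plan(kind, days, changes).values())


def restore_set(kind, days, target_day):
    """Backup sets to apply, in order, to restore the state as of target_day.
    Differential: the full plus the single latest differential.
    Incremental: the full plus every incremental up to the target (all must be intact)."""
    if target_day == days[0]:
        return [days[0]]
    if kind == "differential":
        return [days[0], target_day]
    if kind == "incremental":
        return [d for d in days if d <= target_day]
    raise ValueError("unknown backup kind %r" % kind)


if __name__ == "__main__":
    week = [0, 1, 2, 3]
    for kind in ("differential", "incremental"):
        print(kind, plan(kind, week), "copies:", files_copied(kind, week),
              "restore day 3 needs:", restore_set(kind, week, 3))
```

The trade-off the exam wants: incremental backups copy less each day but a restore needs the whole chain, while differential backups grow daily but restore from only two sets.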


Disaster recovery sites fit into three major categories:

Site Type | Support Systems | Configured Servers | Real-time Data
Cold Site | Yes | No | No
Warm Site | Yes | Yes | No
Hot Site | Yes | Yes | Yes

Disaster recovery plans require testing. There are five major test types:

DR Test Type | Description
Read-through/tabletop | Plan participants review the plan and their specific role, either as a group or individually.
Walkthrough | The DR team gathers to walk through the steps in the DR plan and verify that it is current and matches expectations.
Simulation | DR team participates in a scenario-based exercise that uses the DR plan without implementing technical recovery controls.
Parallel | DR team activates alternate processing capabilities without taking down the primary site.
Full interruption | DR team takes down the primary site to simulate a disaster.

In asymmetric encryption, users each have their own public/private keypair. Keys are used as follows:

Operation | Confidentiality | Digital Signature
Sender encrypts with... | Recipient's public key | Sender's private key
Recipient decrypts with... | Recipient's private key | Sender's public key

Anything encrypted with one key from a pair may only be decrypted with the other key from that same pair.

For n users, symmetric cryptography requires n(n-1)/2 keys (one shared secret for every pair of users), while asymmetric cryptography requires 2n keys (one public/private pair per user).

Secure symmetric algorithms include AES, IDEA, and Twofish. 3DES and Blowfish are still listed as acceptable for the exam, but both use a 64-bit block and are deprecated for new designs. DES and RC4 are not secure. Secure asymmetric algorithms include RSA, El Gamal, and elliptic curve (ECC).

The Diffie-Hellman algorithm may be used for secure exchange of symmetric keys.
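Added example, not from the guide, that makes the key-direction table above concrete: encryption uses the recipient's public key and only the recipient's private key undoes it, while a signature is made with the sender's private key and checked with the sender's public key. It is textbook RSA with tiny primes, no padding and an integer message, which is enough to show the directions and nothing more; real systems use a vetted library with OAEP and PSS padding and 2048-bit or larger moduli. The primes and messages are chosen for the demonstration.

```python
"""Key directions in asymmetric cryptography with toy textbook RSA (added example, not from the guide).
INSECURE for any real use: tiny primes, no padding. It only illustrates who uses which key."""
import hashlib
from math import gcd


def make_keypair(p, q, e=65537):
    """Return (public, private) as (n, e) and (n, d) for caller-supplied primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(message, recipient_public):
    """Confidentiality: the sender encrypts with the RECIPIENT's public key."""
    n, e = recipient_public
    if not 0 <= message < n:
        raise ValueError("message must be an integer below n")
    return pow(message, e, n)


def decrypt(ciphertext, recipient_private):
    """Only the holder of the recipient's private key can recover the message."""
    n, d = recipient_private
    return pow(ciphertext, d, n)


def digest_int(data, n):
    """Hash the data and reduce it below n so the toy modulus can sign it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, sender_private):
    """Digital signature: the sender signs the hash with the SENDER's private key."""
    n, d = sender_private
    return pow(digest_int(data, n), d, n)


def verify(data, signature, sender_public):
    """Anyone verifies with the sender's public key: the recovered value must equal the hash."""
    n, e = sender_public
    return pow(signature, e, n) == digest_int(data, n)


def keys_needed(n_users):
    """Key counts from the text: a shared key per pair (symmetric) versus a pair per user (asymmetric)."""
    return {"symmetric": n_users * (n_users - 1) // 2, "asymmetric": 2 * n_users}


if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair(10007, 10009)   # toy primes, constructed
    c = encrypt(42, alice_pub)                            # anyone can do this for Alice
    print("decrypted:", decrypt(c, alice_priv))           # only Alice can do this
    sig = sign(b"pay $100", alice_priv)                   # only Alice can produce this
    print("signature valid:", verify(b"pay $100", sig, alice_pub))
    print("tampered valid:", verify(b"pay $900", sig, alice_pub))
    print(keys_needed(10))
```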

Common use cases for encryption include:
• Providing confidentiality for sensitive information
• Confirming the integrity of stored or transmitted information
• Authenticating users

Hashes are one-way functions that produce a fixed-length digest from an input and cannot be reversed. A good hash function makes it infeasible to find two inputs with the same digest (a collision), although collisions must exist because the digest is shorter than the inputs.

Common hashing algorithms include the SHA family and RIPEMD. HMAC is not a hash function itself but a keyed message authentication code built on top of a hash. The MD5 hashing algorithm is still widely used but has significant security vulnerabilities, including practical collision attacks.
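Added example, not from the guide, serving both the birthday attack paragraph in Domain 1 and the hash discussion here: it finds a collision in a hash truncated to k bits by hashing counter-tagged messages until two digests repeat, which takes on the order of 2^(k/2) tries rather than the 2^k a preimage search would need. The messages are constructed counters; SHA-256 from the standard library stands in for a hash with a small output.

```python
"""Birthday attack on a truncated hash (added example, not from the guide)."""
import hashlib
import math


def full_digest(data):
    return hashlib.sha256(data).digest()


def truncated_digest(data, bits):
    """The first `bits` bits of SHA-256(data), as an int: a stand-in for a short hash."""
    h = int.from_bytes(full_digest(data), "big")
    return h >> (256 - bits)


def find_collision(bits, prefix=b"msg-"):
    """Hash counter-tagged messages until two share a truncated digest.
    Returns (input_a, input_b, tries). Memory grows with the number of tries,
    which is the classic time/space shape of a birthday search."""
    seen = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        t = truncated_digest(m, bits)
        if t in seen:
            return seen[t], m, i + 1
        seen[t] = m
        i += 1


def expected_tries(bits):
    """Birthday bound: about sqrt(pi/2 * 2**bits) samples for a 50% chance of a collision."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, tries = find_collision(bits)
        print("%d-bit: %r and %r collide after %d tries (expected ~%d)"
              % (bits, a, b, tries, expected_tries(bits)))
```

This is why digest length matters: a 128-bit digest (MD5) has a 2^64 birthday bound in theory, and MD5's structural weaknesses pull real collisions far below even that.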

The two basic cryptographic operations are substitution, which modifies characters, and transposition, which moves them around.

Symmetric encryption uses the same shared secret key for encryption and decryption.

Security information and event management (SIEM) systems aggregate and correlate security log information received from many different sources. Security orchestration, automation, and response (SOAR) systems use runbooks to trigger automated responses after security incidents occur.
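Added example, not from the guide, of the correlation a SIEM performs: authentication failures from two hosts are aggregated per source address so that a brute-force attempt (many failures against one account) and a password spray (one source, one or two failures each against many accounts, which no single host's lockout counter would notice) both surface as alerts. The log lines are constructed in a syslog-like shape; a real deployment would parse the actual source format.

```python
"""Correlating authentication failures across hosts (added example, not from the guide)."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: 203.0.113.5 hammers 'alice' on web01; 198.51.100.9 tries one
# guess each against five accounts spread over web01 and vpn01; gina mistypes once.
SAMPLE_LOG = """\
2020-09-01T10:00:01 web01 auth: FAILED user=alice src=203.0.113.5
2020-09-01T10:00:02 web01 auth: FAILED user=alice src=203.0.113.5
2020-09-01T10:00:03 web01 auth: FAILED user=alice src=203.0.113.5
2020-09-01T10:00:04 web01 auth: FAILED user=alice src=203.0.113.5
2020-09-01T10:00:05 web01 auth: FAILED user=alice src=203.0.113.5
2020-09-01T10:00:06 web01 auth: FAILED user=alice src=203.0.113.5
2020-09-01T10:00:10 web01 auth: FAILED user=bob src=198.51.100.9
2020-09-01T10:00:11 vpn01 auth: FAILED user=carol src=198.51.100.9
2020-09-01T10:00:12 vpn01 auth: FAILED user=dave src=198.51.100.9
2020-09-01T10:00:13 web01 auth: FAILED user=erin src=198.51.100.9
2020-09-01T10:00:14 vpn01 auth: FAILED user=frank src=198.51.100.9
2020-09-01T10:00:20 web01 auth: FAILED user=gina src=192.0.2.77
2020-09-01T10:00:25 web01 auth: OK user=gina src=192.0.2.77
"""


def parse(lines):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def correlate(events, brute_threshold=5, spray_threshold=4):
    """Aggregate FAILED events per source across all hosts and raise:
      brute_force    = at least brute_threshold failures on one account from one source
      password_spray = one source failing against at least spray_threshold distinct
                       accounts while staying below the brute threshold on each one"""
    per_src_user = defaultdict(int)
    per_src_users = defaultdict(set)
    for e in events:
        if e["result"] != "FAILED":
            continue
        per_src_user[(e["src"], e["user"])] += 1
        per_src_users[e["src"]].add(e["user"])
    alerts = []
    for (src, user), n in per_src_user.items():
        if n >= brute_threshold:
            alerts.append(("brute_force", src, user, n))
    for src, users in per_src_users.items():
        if len(users) >= spray_threshold and all(
                per_src_user[(src, u)] < brute_threshold for u in users):
            alerts.append(("password_spray", src, len(users)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOG)):
        print(alert)
```

The spray only becomes visible because events from web01 and vpn01 are joined on the source address; that cross-source join is the SIEM's contribution, and a SOAR runbook could then block the source at the firewall.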


Penetration testing uses testers who attempt to defeat


security controls using the tools and techniques of
attackers. Penetration testing may take place using
the same white box, grey box, or black box formats
used in software testing, depending upon the level of
information provided to the testers.

Bug bounty programs offer public rewards to security


researchers who submit reports of new vulnerabilities to
a firm.

Security professionals working with specialized systems,


such as Supervisory Control and Data Acquisition
(SCADA) and Industrial Control Systems (ICS) should
isolate those systems from other networks to the
greatest extent possible.

Specialized technologies support the Internet of Things (IoT) and its embedded devices. These include real-time operating systems (RTOS) that are designed to serve as streamlined, efficient operating systems for use on IoT devices, as well as system on a chip (SoC) technology that integrates the processor, memory, and peripherals on a single chip, typically running firmware stored directly on the device.


Domain 3:
Implementation

OSI Model

Layer | Description
Application | Serves as the point of integration for user applications with the network
Presentation | Transforms user-friendly data into machine-friendly data; encryption
Session | Establishes, maintains, and terminates sessions
Transport | Manages connection integrity; TCP, UDP, SSL, TLS
Network | Routing packets over the network; IP, ICMP, BGP, IPsec, NAT
Data Link | Formats packets for transmission; Ethernet, ARP, MAC addresses
Physical | Encodes data into bits for transmission over wire, fiber, or radio

TCP is a connection-oriented protocol, while UDP is a connectionless protocol that does not guarantee delivery.

TCP Three-Way Handshake: the client sends SYN, the server replies with SYN/ACK, and the client completes the connection with ACK.

DNS converts between IP addresses and domain names. ARP converts between MAC addresses and IP addresses. NAT converts between public and private IP addresses.

Load balancers distribute connection requests among many identical servers.

Network switches generally work at layer 2 and connect directly to endpoints or other switches. Switches may also create virtual LANs (VLANs) to further segment internal networks at layer 2.

Port(s) | Service
20, 21 | FTP
22 | SSH
23 | Telnet
25 | SMTP
53 | DNS
80 | HTTP
110 | POP3
123 | NTP
135, 137-139, 445 | Windows File Sharing
143 | IMAP
161/162 | SNMP
443 | HTTPS
1433/1434 | SQL Server
1521 | Oracle
1720 | H.323
1723 | PPTP
3389 | RDP
9100 | HP JetDirect Printing

Routers generally work at layer 3 and connect networks to each other. Firewalls are the primary network security control used to separate networks of differing security levels. TLS should be used to secure network communications. SSL is no longer secure.

Most Virtual Private Networks (VPN) use either TLS or IPsec. IPsec uses Authentication Headers (AH) to provide authentication and integrity (but no confidentiality) and Encapsulating Security Payload (ESP) to provide confidentiality and, optionally, authentication and integrity of the payload.


Tool | Description
Intrusion Detection System | Monitors a host or network for signs of intrusion and reports to administrators.
Intrusion Prevention System | Monitors a host or network for signs of intrusion and attempts to block malicious traffic automatically.
Security Information & Event Management System | Aggregates and correlates security information received from other systems.
Firewall | Restricts network traffic to authorized connections.
Application Whitelisting | Limits applications to those on an approved list.
Application Blacklisting | Blocks applications on an unapproved list.
Sandbox | Provides a safe space to run potentially malicious code.
Honeypot | System that serves as a decoy to attract attackers.
Honeynet | Unused network designed to capture probing traffic.
DNS Sinkhole | Uses false DNS replies to block access to known malicious sites.
VPN Concentrator | Provides a central aggregation point for VPN connections.
Proxy Server | Makes requests to other servers on behalf of an end user, providing anonymization and performance enhancement.
Data Loss Prevention | Blocks the exfiltration of sensitive information from an organization.
Mail Gateway | Screens inbound messages for malicious content.
Cloud Access Security Broker (CASB) | Service that intercepts requests headed for cloud services to confirm their compliance with organizational security policies.
Hardware Security Module (HSM) | Stores and manages encryption keys.

Split tunnel VPNs only send traffic destined for the corporate network through the VPN while full tunnel VPNs send all traffic through the VPN.

Network Access Control (NAC) systems screen devices before allowing them to connect to the network. This screening may include both user authentication and device health checking.

Enterprises may deploy mobile devices in a variety of models. In a strict corporate-owned model, devices are for business use only. Users mix personal and business use in a bring your own device (BYOD) or corporate owned, personally enabled (COPE) model. Companies should use mobile device management (MDM) tools to enforce a variety of mobile security controls, including:
• Restricting applications
• Remote wiping of lost/stolen devices
• Geolocation and geofencing services
• Screen locking and password/PIN requirements
• Full device encryption

Know the secure alternatives to commonly used protocols:

Insecure Protocol | Secure Alternative(s)
Telnet | SSH
HTTP | HTTPS
LDAP | LDAPS
FTP | FTPS or SFTP
DNS | DNSSEC
SNMPv1/2 | SNMPv3


The principle of defense-in-depth says that organizations should use a variety of overlapping security controls to prevent against the failure of a single control. When designing overlapping controls, strive for diversity of vendors and control types.

The most common firewall deployment topology uses three zones: a trusted intranet, an untrusted Internet, and a demilitarized zone (DMZ) that houses publicly accessible servers. These networks are often created using a triple-homed firewall.

[Figure: triple-homed firewall, with the Internet, the internal network, and the DMZ each attached to a separate firewall interface]

The implicit deny principle says that any action that is not explicitly authorized for a subject should be denied.

Access control lists (ACLs) form the basis of many access management systems and provide a listing of subjects and their permissions on objects and groups of objects.

Discretionary access control (DAC) systems allow the owners of objects to modify the permissions that other users have on those objects. Mandatory access control (MAC) systems enforce predefined policies that users may not modify.

Role-based access control assigns permissions to individual users based upon their assigned role(s) in the organization. For example, backup administrators might have one set of permissions while sales representatives have an entirely different set.
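Added example, not from the guide, that ties implicit deny, ACLs, DAC and role-based access control together in one small authorization check: permissions are granted only by explicit ACL entries (anything unlisted is denied), entries may name either a user or a role, and under DAC only an object's owner may add entries. The users, roles, objects and ACL entries are constructed.

```python
"""ACL evaluation with implicit deny, roles and discretionary grants (added example, not from the guide)."""

# ACL: object -> list of (principal, permitted actions). Principals are "user:<name>" or
# "role:<name>". There are no deny entries: anything not granted here is denied.
ACL = {
    "/backups/db.tar": [("role:backup_admin", {"read", "write"}),
                        ("role:auditor", {"read"})],
    "/crm/leads.csv":  [("role:sales", {"read", "write"}),
                        ("user:carol", {"read"})],
}

# RBAC: permissions flow from role membership rather than per-user grants.
ROLES = {
    "alice": {"backup_admin"},
    "bob": {"sales"},
    "carol": set(),            # no role; holds one explicit per-user grant
    "dave": {"sales", "auditor"},
}

# DAC: each object has an owner who may change its ACL.
OWNERS = {"/backups/db.tar": "alice", "/crm/leads.csv": "bob"}


def principals(user, roles=ROLES):
    """All identities an ACL entry may match for this user: the user plus each of its roles."""
    return {"user:" + user} | {"role:" + r for r in roles.get(user, set())}


def is_allowed(user, action, obj, acl=ACL, roles=ROLES):
    """Implicit deny: True only if some ACL entry explicitly grants the action to one of the user's principals."""
    for principal, actions in acl.get(obj, []):
        if principal in principals(user, roles) and action in actions:
            return True
    return False


def effective_permissions(user, acl=ACL, roles=ROLES):
    """Union of everything the user's principals are granted, per object (what an account review lists)."""
    out = {}
    for obj, entries in acl.items():
        granted = set()
        for principal, actions in entries:
            if principal in principals(user, roles):
                granted |= actions
        if granted:
            out[obj] = sorted(granted)
    return out


def can_grant(actor, obj, owners=OWNERS):
    """DAC rule: only the owner may change an object's permissions (under MAC, policy decides, not the owner)."""
    return owners.get(obj) == actor


def dac_grant(actor, obj, principal, actions, acl=ACL, owners=OWNERS):
    """Owner-only modification of the ACL; anyone else is refused."""
    if not can_grant(actor, obj, owners):
        raise PermissionError("%s does not own %s" % (actor, obj))
    acl.setdefault(obj, []).append((principal, set(actions)))


if __name__ == "__main__":
    for user in ROLES:
        print(user, effective_permissions(user))
    print("dave writes backups?", is_allowed("dave", "write", "/backups/db.tar"))
    print("bob reads unknown object?", is_allowed("bob", "read", "/nonexistent"))
```

Dave's auditor role gives him read on the backup but not write, and an object with no ACL entry at all yields a denial without any special-casing, which is what implicit deny means in practice.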

Transport Layer Security (TLS) is the replacement for Secure Sockets Layer (SSL) and uses public key cryptography to exchange a shared secret key used to secure web traffic and other network communications.

The Trusted Computing Base (TCB) is the secure core of a system that has a secure perimeter with access enforced by a reference monitor.

When managing security of a system, keep in mind the following operating system security principles:
• Disable unnecessary services and applications
• Close unneeded network ports
• Disable default accounts and passwords
• Apply all security patches

Data State | Description
Data at Rest | Data stored on a system or media device
Data in Motion | Data in transit over a network
Data in Use | Data being actively processed in memory

RADIUS is an authentication protocol commonly used for backend services. TACACS+ serves a similar purpose and is the only protocol from the TACACS family that is still commonly used.


When configuring security for a wireless network, you should use recent versions of WiFi Protected Access (WPA2 or WPA3). The original version of WPA, which used the Temporal Key Integrity Protocol (TKIP), is no longer considered strongly secure. WPA2 uses the CCM Mode Protocol (CCMP) to provide security, while WPA3 uses Simultaneous Authentication of Equals (SAE).

Organizations not wishing to purchase a digital certificate from a CA may create their own self-signed certificates. These certificates are fine for internal use but will not be trusted by external users.

Digital certificates are a secure means to provide an


unknown third party with a trusted copy of the public
key belonging to an individual, organization, or device.
Digital certificates are issued by a trusted Certificate
Authority (CA). When creating a digital certificate, the
CA takes a copy of the subject’s public key along with
other certificate information and then digitally signs the
certificate using the CA’s private key. When a user or
application wishes to verify the digital certificate, they
do so by validating the digital signature using the CA’s
public key. If the signature is authentic and the CA is
trusted, the public key may then be trusted.

Certificate authorities may revoke a digital certificate by placing it on the Certificate Revocation List (CRL). Because clients download and cache CRLs, revocation is slow to take effect; the CRL is supplemented by the Online Certificate Status Protocol (OCSP), which lets a client query the CA for the status of a single certificate in real time, and by OCSP stapling, where the server attaches a recent signed OCSP response to the TLS handshake so the client need not contact the CA itself.

Digital certificates issued by CAs come in three varieties. They differ in the amount of verification performed by the CA before issuing the certificate.

Certificate Type | Validation Performed
Domain validation (DV) | CA verifies that the certificate subject controls the domain name. Weakest form of validation.
Organization validation (OV) | CA verifies the name of the business purchasing the certificate in addition to domain ownership.
Extended validation (EV) | CA performs additional checks to verify the physical presence of the organization at a registered address.


Domain 4:
Operations and Incident Response

When responding to a security incident, organizations should follow a structured, cyclical incident response process, shown in the figure below:

[Figure: incident response cycle. Detection → Response → Mitigation → Reporting → Recovery → Remediation → Lessons Learned, with lessons learned feeding back into detection]

The SY0-601 objectives name the phases as preparation, identification, containment, eradication, recovery, and lessons learned; the labels above are the figure's own.

Forensic investigators must take steps to ensure that they do not accidentally tamper with evidence and that they preserve the chain of custody documenting evidence handling from collection until use in court.

When performing forensic analysis, be certain to observe the order of volatility and capture information that is not likely to exist for a long period of time first.

Forensic analysts should perform their work using an image of original evidence whenever possible. Minimize the handling of the original evidence.

Security professionals use a variety of command-line tools to assist in their work. You should be familiar with the following tools when taking the exam:

Tool | Purpose
route | Displays and modifies the network routes to different destinations
curl | Retrieves files from websites and remote servers
ping | Verifies connectivity to a remote networked system
netstat | Lists open network connections and listening ports on a system
tracert | Determines the network path between two systems
nslookup | Performs DNS queries
dig | Performs DNS queries (newer alternative to nslookup)
arp | Performs MAC address queries
ipconfig | Queries network configuration information on a Windows system
ifconfig | Queries network configuration information on a Linux/Mac system
nmap | Scans for open network ports on a remote system
netcat | Reads and writes traffic to/from network connections

When working at the Linux command line, system administrators may also use a series of file manipulation tools, including:

Tool | Purpose
head | Displays the first lines of a file
tail | Displays the last lines of a file
cat | Displays an entire file
grep | Searches a file for strings matching an expression
chmod | Changes the permissions on a file
logger | Adds messages to the system log file


Analysts can collect network traffic using the graphical Wireshark packet capture tool or the command-line tcpdump packet capture tool. They may send captured packets back out on the network using the tcpreplay tool.

Forensic investigations make use of a set of special-purpose forensic tools, including:

Tool | Purpose
dd | Creates a disk image at the command line
FTK Imager | Commercial disk imaging tool
WinHex | Hexadecimal file editor
memdump | Linux memory acquisition (dump) tool
Autopsy | Suite of forensic tools

Metasploit is an exploitation framework used in both penetration tests and malicious attacks.

The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) model provides a taxonomy for describing different tools and techniques used by hackers.

The Diamond model provides an approach for modelling attacks by describing the relationship between the adversary, victim, infrastructure, and capabilities, as shown here:

[Figure: the Diamond model. Adversary at the top vertex, Victim at the bottom, Infrastructure and Capability at the left and right vertices]

The stages of the Lockheed Martin Cyber Kill Chain (CKC) are:
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control (C2)
7. Actions on Objectives

Data should be retained no longer than necessary. Use sanitization technology to ensure that no traces of data remain on media (data remanence) before discarding it.
• Erasing performs a delete operation on a file but the data remains on disk.
• Clearing overwrites the data with random values to ensure that it is sanitized.

© 2020, CertMike.com 14
Prepared exclusively for samy.mesbah@live.fr Transaction: 0104699626
Security+ Last Minute Review Guide (SY0-601)

Domain 5:
Governance, Risk, and Compliance

Security controls are divided into three categories, based upon how they function:

Category      Description
Managerial    Procedural mechanisms that focus on the mechanics of the risk management process
Operational   Processes that we put in place to manage technology in a secure manner
Technical     Uses technological means to meet a security objective

We can also classify security controls into six different types, based upon what they are designed to achieve:

Type           Description
Preventative   Stops an adversary from violating security policies
Detective      Identifies potential violations of security policies
Corrective     Restores the original state after a security incident
Deterrent      Discourages an adversary from attempting a violation of a security policy
Compensating   Fills the gap left when it is not possible to implement a required control
Physical       Uses physical constraints to meet a security objective

Security activities must be aligned with business strategy, mission, goals, and objectives. This requires strategic, tactical, and operational planning.

Security frameworks provide templates for security activities. These include COBIT, NIST CSF, and ISO 27001/2.

Due care is taking reasonable steps to protect the interests of the organization. Due diligence ensures those steps are carried out.

Security governance is carried out through:
• Policies, which state high-level objectives (mandatory compliance).
• Standards, which state detailed technical requirements (mandatory compliance).
• Procedures, which provide step-by-step processes (mandatory compliance).
• Guidelines, which offer advice and best practices (optional compliance).

Security baselines, such as NIST SP 800-53, provide a standardized set of controls that an organization may use as a benchmark. Typically, organizations don't adopt a baseline standard wholesale, but instead tailor a baseline to meet their specific security requirements.

Audits of cloud service providers and other managed service providers should take place using the System and Organization Controls (SOC) standard (formerly Service Organization Controls), published in the Statement on Standards for Attestation Engagements #18 (SSAE 18).

There are three categories of SOC audits:
• SOC 1 audits provide customers with the level of assurance they need when conducting their own financial audits.
• SOC 2 audits evaluate the service provider's confidentiality, integrity, and availability controls. They contain sensitive information and are not released publicly.
• SOC 3 audits also evaluate confidentiality, integrity, and availability but are meant for public disclosure.

And there are two types of SOC 1 and SOC 2 audits:
• Type I audits describe the controls that the service provider has in place and offer an opinion on their suitability, but not their effectiveness.
• Type II audits describe the controls that the service provider has in place, offer an opinion on their suitability, and also provide the results of auditors' effectiveness tests over a review period.

SOC 1 and 2 audits can have type I or II reports. SOC 3 audits do not have different type reports.
Personnel security principles include:
• Need to know requires a legitimate business need to access information.
• Least privilege grants individuals the minimum necessary permissions to perform their jobs.
• Separation of duties blocks someone from having two sensitive privileges in combination.
• Two-person control requires two people to perform a sensitive activity.
• Mandatory vacations and job rotation seek to prevent fraudulent activity by uncovering malfeasance.

Risks are the combination of a threat and a corresponding vulnerability.

Quantitative risk assessment uses the following formulas:
SingleLossExpectancy (SLE) = AssetValue (AV) * ExposureFactor (EF)
AnnualizedLossExpectancy (ALE) = AnnualizedRateOfOccurrence (ARO) * SLE

Responses to a risk include:
• Avoid risk by changing business practices
• Mitigate risk by implementing controls
• Accept risk and continue operations
• Transfer risk through insurance or contract

Information should be classified based upon its sensitivity to the organization. Common classes of sensitive information include:
• Personally identifiable information (PII) uniquely identifies individuals and is regulated by many national, state, and local laws. The most well known of these are the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
• Protected health information (PHI) includes individual health records and is regulated by the Health Insurance Portability and Accountability Act (HIPAA).
• Payment card information (PCI) includes credit and debit card data and is regulated by the Payment Card Industry Data Security Standard (PCI DSS).
• Proprietary information includes trade secrets maintained by an organization.

[Information classification figure: government and private-sector levels, listed from most to least sensitive]
Government     Private Sector
Top Secret     Highly Sensitive
Secret         Sensitive
Confidential   Internal
Unclassified   Public

Information should be labeled with its classification, and security controls should be defined and appropriate for each classification level.

Data Role        Description
Data Owner       Senior-level executive who establishes rules and determines controls
System Owner     Individual responsible for overseeing secure operation of systems
Data Processor   Individual or organization that handles personal or sensitive information on behalf of the data owner

Data minimization techniques lower risk by decreasing the amount of sensitive information maintained by the organization. When data can't be eliminated, data obfuscation techniques may render it less sensitive. Data obfuscation techniques include:
• Hashing uses a hash function to transform a value in our dataset to a corresponding hash value.
• Tokenization replaces sensitive values with a unique identifier using a lookup table.
• Masking partially redacts sensitive information by replacing some or all of the sensitive fields with blank characters.
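The script below is an added example (not from the CertMike guide) showing the three obfuscation techniques applied to constructed PII, with the property each one gives you: a salted hash that still joins records but cannot be reversed without the salt, a token that can be reversed only through the lookup table, and a mask that cannot be reversed at all. The token store is a plain file and the salt is a literal string purely for illustration; both are assumptions of this example, and in practice they live in a vault with their own access controls.

```sh
#!/bin/sh
# Added example (not from the CertMike guide): hashing, tokenization and
# masking applied to constructed PII. The token store and salt are
# placeholders; in production they sit in a vault, because whoever can
# read them can reverse every token or confirm any guessed value.

TOKENS="$(mktemp)"   # lookup table: token<TAB>original value

# Hashing. A secret per-dataset salt is included because an unsalted
# hash of a low-entropy value (SSN, phone number, date of birth) can be
# reversed by hashing every possible value and comparing.
hash_value() {
    printf '%s%s' "$2" "$1" | sha256sum | awk '{ print $1 }'
}

# Tokenization. Reuses the existing token for a value already seen, so
# records about the same person still join; otherwise issues a random one.
tokenize() {
    existing="$(awk -F'\t' -v v="$1" '$2 == v { print $1; exit }' "$TOKENS")"
    if [ -n "$existing" ]; then
        echo "$existing"
        return 0
    fi
    token="tok_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    printf '%s\t%s\n' "$token" "$1" >> "$TOKENS"
    echo "$token"
}

# Reverse lookup, possible only with access to the token store.
detokenize() {
    awk -F'\t' -v t="$1" '$1 == t { print $2; exit }' "$TOKENS"
}

# Masking. Keeps the last four digits (enough to confirm identity at a
# help desk) and blanks the rest; the original cannot be recovered.
mask_ssn() {
    printf '%s\n' "$1" | sed -E 's/^[0-9]{3}-[0-9]{2}-([0-9]{4})$/XXX-XX-\1/'
}
mask_pan() {
    printf '%s\n' "$1" | sed -E 's/^[0-9]{12}([0-9]{4})$/************\1/'
}

# Constructed record: name, SSN and card number, all fictitious.
SALT="per-dataset-secret"
NAME="Jane Example"; SSN="123-45-6789"; PAN="4111111111111111"
echo "hash(name):   $(hash_value "$NAME" "$SALT")"
echo "token(ssn):   $(tokenize "$SSN")"
echo "masked(ssn):  $(mask_ssn "$SSN")"
echo "masked(card): $(mask_pan "$PAN")"
```

Choose the technique by what downstream users still need to do with the field: hashing when they only need to match or group records, tokenization when an authorized process must get the real value back, and masking when a human just needs to recognize the record.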

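Returning to the quantitative risk formulas earlier on this page, the script below is an added example (not from the CertMike guide) that carries SLE and ALE through to the mitigate-or-accept decision, which the formulas alone do not show: a control is worth implementing when the ALE it removes exceeds its own annual cost. The asset value, exposure factors, rate of occurrence and control cost are invented figures; awk does the arithmetic because sh has no floating point.

```sh
#!/bin/sh
# Added example (not from the CertMike guide): SLE and ALE carried
# through to a cost-benefit decision on a control. All figures are
# constructed for illustration.

# SLE = AssetValue * ExposureFactor (EF is a fraction between 0 and 1).
sle() { awk -v av="$1" -v ef="$2" 'BEGIN { printf "%.2f\n", av * ef }'; }

# ALE = AnnualizedRateOfOccurrence * SLE.
ale() { awk -v aro="$1" -v s="$2" 'BEGIN { printf "%.2f\n", aro * s }'; }

# Annual value of a control = ALE before - ALE after - annual control cost.
control_value() {
    awk -v b="$1" -v a="$2" -v c="$3" 'BEGIN { printf "%.2f\n", b - a - c }'
}

# Positive value: the control pays for itself, so mitigate. Otherwise
# accept the risk, or price a transfer (insurance) instead.
recommend() {
    awk -v v="$1" 'BEGIN { print ((v > 0) ? "mitigate" : "accept") }'
}

# Scenario (constructed): a $400,000 customer database; ransomware
# destroys 60% of its value per incident, expected once every four years.
AV=400000; EF=0.6; ARO=0.25
S="$(sle "$AV" "$EF")"                 # 240000.00
A_BEFORE="$(ale "$ARO" "$S")"          # 60000.00

# Proposed control: offline backups costing $15,000/yr cut EF to 0.1;
# the attack is no less likely, so ARO is unchanged.
S_AFTER="$(sle "$AV" 0.1)"             # 40000.00
A_AFTER="$(ale "$ARO" "$S_AFTER")"     # 10000.00
VALUE="$(control_value "$A_BEFORE" "$A_AFTER" 15000)"   # 35000.00

echo "SLE=$S ALE(before)=$A_BEFORE ALE(after)=$A_AFTER"
echo "control value=$VALUE -> $(recommend "$VALUE")"
```

The same functions answer the transfer question: an insurance premium is worth paying only while it is below the ALE it covers, and a control that reduces ARO rather than EF (for example, patching or MFA) is evaluated by feeding the lower ARO into ale() instead.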