CISSP mindmap

Uploaded by Edu

Study resources

Main book
- Official Study Guide (1200++ pages) - just pick one book
- All in one (skim the tables and attempt the chapter questions) - a bit more depth, especially process steps with details (remember CISSP is process driven)

Practice
- Luke - How to think like a manager - 25 questions, but the only book that talks about the business/CISO view
- Sybex official practice tests - very well balanced set of questions to test all concepts. You should score 80%++
- Shon All in one practice exam - more difficult, but the question set tries to align with real scenarios
- Boson 700 questions - the questions are straightforward, but the rationale/explanation is the gold, as it lists out a lot of details in the steps/countermeasures, and covers some topics not in the OSG
- Thor easy/med/hard - I did this in the last stage to cover some gaps (quite a number of questions out of discussion from the books I read). The question comprehension is a bit difficult for me. There are many repetitive questions, but it is trying to test your understanding (with a few words changing but a different answer). I learned some additional facts from the hard questions, which cover some edge areas of "decision making"
- Examcram from Pete Zerger - exam focus areas, few words, precise to the definition and what you need to know. Very easy and relaxing to read

Power point
- Kelly Handerhan - truly high level, but all points are important

Youtube
- Kelly Handerhan Cybrary - 16 hours
- CISSP mindmap - 6 hours
- How To Think Like A Manager for the CISSP Exam - Director's Cut - 1 hour
- CISSP Testing Tips Secrets All Students Should Know from Andrew Ramdayal - 12 mins (last week)

Summary
1. CISSP cheatsheet (8 pages)
2. CISSP.Last.Minute.Review.By Certmike (11 pages)
3. John Sisler CISSP study guide_2019.pdf (126 pages)
4. sunflower (37 pages)
5. memory palace (144 pages)
6. 11 hour CISSP (240 pages)
7. Key table charts and flows (45 pages)
8. own mindmap (23 pages)

Timeline: CISSP (3 months)


1.1: Professional Ethics, Security Concepts, Security Governance

Code of Ethics Canons
1. Protect society
2. Act honorably, honestly, justly, responsibly, legally
3. Provide service
4. Advance the profession

IT Ethics
- Code of Fair Information Practice - personal info handling
- Internet Activities Board (IAB) - RFC 1087, internet behaviour
- Computer Ethics Institute (CEI) - Ten Commandments of Computer Ethics

Security concepts
- Confidentiality (disclosure): authorized access. E.g. PII, encryption, data breach
- Integrity (alteration). E.g. digital signature, hash, checksum
- Availability (destruction): accessible on time. E.g. ransomware
- Others: Least privilege, Need-to-know, Authenticity, Non-repudiation, Accessibility, Usability, Timeliness
- DAD - disclosure, alteration, destruction
- AAA - Authentication, Authorization, Accounting
- 5 elements of AAA - Identification, Authentication, Authorization, Auditing, Accountability
  - Identification - claim the identity [username]
  - Authentication - prove the identity [password]
  - Authorization - permission
  - Accountability - Identification + Authentication

Protection mechanisms
- Defense in depth
- Abstraction - similar elements in the same group/class
- Data hiding - prevent data from being discovered
- Encryption - hiding meaning

Security control frameworks
- ISO 27001/2 - framework for security management standard. 114 controls, 14 domains
- COBIT - ISACA, audit framework, maps IT goals to the enterprise, ops level (Doc)
- The Committee of Sponsoring Organizations (COSO) - financial risk management, focus on entire org, strategic level
- NIST 800-53 RMF - security compliance for government
- NIST Cybersecurity Framework (CSF) - signed by Obama, critical infra. 5 functions: identify, protect, detect, respond, recover
- ITIL (Ops) - UK, improve IT service management processes, e.g. change management, configuration management
- CIS Critical Security Controls

Security enterprise frameworks
- Zachman Architecture Framework - 6W (what, why, ...), different viewpoints, describes the enterprise
- The Open Group Architecture Framework (TOGAF) - vendor neutral platform, uses business requirements to develop a broad range of architectures
- Sherwood Applied Business Security Architecture (SABSA) - creates a chain of traceability

Risk assessment
- Facilitated Risk Analysis Process (FRAP) - low cost, evaluate one system
- Value at Risk (VAR) - determine the most cost effective risk mitigation method
- NIST RMF 39, 37, 30
- ISO 27005 - risk treatment
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) - risk assessment (business owner)
- FAIR - probabilities of incidents, impacts
- Fault tree analysis - label with actual numbers pertaining to failure probabilities. Identify failures in a complex environment

Security management plan
- Strategic - long term, 5 years, organization's security purpose
- Tactical - 1 year, details on accomplishing goals
- Operational - short term, monthly, detailed plan updated frequently (how)

ISO 27000 series
- 27001 - ISMS requirements (governance)
- 27002 - best practice (security controls)
- 27003 - implementation guideline
- 27004 - monitoring, measurement
- 27005 - risk management
- 27031 - business continuity
- 27035 - incident management

Liability
- Due diligence - senior management, continuous review of policy, preparation & research, accurate & timely manner. E.g. laws & regulations, industry standards, best practice
- Due care - doing. Prudent man rule - senior takes responsibility. E.g. security awareness training, disabling access

Security governance
- Ultimately responsible for information security in business - C-level management
- Security program aligned with goal/mission
- Involve info security in org processes (acquisitions, divestitures, governance committees)
  - acquisitions - org purchases another company to become one of its subsidiaries [security standard high enough?]
  - divestitures - give up control of subsidiaries [who owns the IT infra?]
  - governance committees - formal decisions of the org
- Principles
- Roles & responsibilities
- Identify a security control framework
- Practice due diligence, due care
- NIST Cybersecurity Framework - secure government systems


1.2: Compliance, Legal, Regulatory, Intellectual Property

Categories of law
- civil (European) - rule based, wrong act of an individual or business, no precedence [majority of proof, more likely than not]
- common law (England) - based on precedence
  - criminal - prison sentence, beyond a reasonable doubt
  - civil - contract dispute between organization and service provider, organization's matter
  - administrative law - regulatory
- religious
- customary - cultural custom, common beliefs (China, India, Muslim)

Privacy and data protection laws
- U.S. Federal Privacy Act of 1974 - US citizen info
- HIPAA - PHI, healthcare provider, plan, clearing house. ISO 27799 [breach, security, privacy]
- PCI-DSS - card holder [NOT a law]
- GLBA - consumer's financial info
- SOX - publicly traded company
- Family Educational Rights and Privacy Act (FERPA) - student educational records
- Children's Online Privacy Protection Act (COPPA) - children aged under 13

Intellectual property
- Copyright - protects art, music, literature, source code created by organization/individual, 70 years after creator's death [auto granted]
- Trademark - branding such as slogan, logo, 10 years renewable [counterfeiting]
- Patent - right to use, create or sell an invention, 20 years
- Trade secret - not protected by law, protects confidential info on how a product is created (secret recipes), not disclosed to public [NOT protected]

IP laws
- Digital Millennium Copyright Act (DMCA)
- Economic Espionage Act - trade secrets
- Lanham Act - trademark
- United States Patent and Trademark Office (USPTO) - registration of trademarks

Licensing
- Contractual license - written contract
- Shrink-wrap license agreement - outside of software packaging
- Click through - accept button during installation
- Cloud service licence agreement - click through/terms

NIST special publications
- SP 800-30 - Risk Management Guide for Information Technology Systems
- SP 800-34 - Contingency Planning Guide for Information Technology Systems
- SP 800-53 - RMF Security and Privacy Controls for Federal Information Systems and Organizations
- SP 800-86 - Guide to Integrating Forensic Techniques into Incident Response
- SP 800-88 - Guidelines for Media Sanitization
- SP 800-137 - Information Security Continuous Monitoring

US privacy laws
- Fourth Amendment - requires a search warrant
- US Federal Privacy Act of 1974 - PII on federal db
- Electronic Communications Privacy Act of 1986 (ECPA) - email
- Communications Assistance for Law Enforcement Act (CALEA) of 1994 - wiretap
- EU-US Privacy Shield, Safe Harbour framework - US processes personal info in the EU
- California Online Privacy Protection Act (COPPA) - PII in commercial websites
- Canadian privacy law - PIPEDA restricts how commercial businesses collect PII
- State privacy laws - California Consumer Privacy Act (CCPA)
- HITECH Breach Notification rule
- Organisation for Economic Co-operation and Development (OECD) - transborder flows of personal info

EU privacy laws
- European Union Data Protection Directive (DPD)
- European Union General Data Protection Regulation (GDPR) - lawfulness, purpose, data minimisation, accuracy, storage, CI + accountability, right to be forgotten

Cybercrime and data breach
- California Consumer Privacy Act (CCPA)
- USA PATRIOT Act of 2001 - electronic monitoring, allows search and seizure without disclosure
- US breach notification law - state rule, PII compromised
- US federal sentencing guideline - prudent man rule

Computer security laws
- US Computer Security Act of 1987 - non-military
- Computer Fraud and Abuse Act - cybercrime specific legislation
- Federal Information Security Management Act (FISMA) - government contractors
- Federal Sentencing Guidelines

Import/export control - cryptography
- US companies can't export to Cuba, Iran, North Korea, Sudan, Syria
- Wassenaar Arrangement (dual use) - 10 categories (info sec, telecom, encryption, marine, aerospace, electronics, computers)
1.3: Business Continuity (People, Process, Technology), Personnel Security

Policies, standards, procedures, baselines
- Policies (why, when) - high level overview of company security posture (purpose, scope, responsibilities, compliance)
- Standards (what) - technical aspect
- Procedures (how) - step 1, 2, 3
- Baseline (must) - minimum level of security, non-mandatory
- Guidelines (FYI) - recommended/best practice, non-mandatory

BIA steps - goal: understand what impact a disruptive event has on the business
1. Select individuals to interview for data gathering
2. Create data gathering techniques
3. Identify critical business functions
4. Identify resources
5. Calculate MTD (RTO < MTD)
6. Identify vulnerabilities and threats
7. Calculate risk
8. Document findings and report

BCP steps
1. Develop a BCP policy - management (C-level) - laws, scope, goals, roles, approval
2. BIA - identify critical functions, resources, MTD, threats, risks
3. Identify preventive controls
4. Develop recovery strategies - business process, facility, tech, user, data
5. Develop an IT contingency plan - procedures, emergency response
6. Perform DRP training and testing - test & improve plan, train (sustain, recover, protect)
7. Perform BCP/DRP maintenance - integrate into the change control process, update plan and distribute

Priorities of BIA
- RPO (Recovery Point Objective) - amount of data lost
- RTO (Recovery Time Objective) - amount of time to restore in SLA (hardware)
- MTD (Maximum Tolerable Downtime) - MTD = RTO + WRT, max time a service can be idle without causing serious damage (back to prod)
- WRT (Work Recovery Time) - time to recover (software)
- MTBF (Mean Time Between Failures) - how long it will function before the next fault (repairable)
- MTTF (Mean Time To Failure) - lifespan of device (non-repairable)
- MOR (Minimum Operating Requirement) - minimum requirement for a critical system to function
- MTTR (Mean Time To Repair) - time to repair/restore by service provider

BCP
- BCP documentation - goals, statement of importance/priorities/org's responsibility, urgency and timing, risk assessment & acceptance, mitigation, emergency response guideline
- C-level role - priorities, obtain resources, arbitrate disputes among team members
- Goal: ensure the business will continue to operate before and after a disaster. Focus on the business as a whole. Long term strategy

Plans
- Business Continuity Plan (BCP) - procedures (before incident)
- Continuity of Operations Plan (COOP) - ensure critical/mission services continue at an alternate site
- Disaster Recovery Plan (DRP) - restore IT services (after incident), checklist to act immediately after disaster strikes
- Crisis Communication Plan
- Information System Contingency Plan (ISCP) - procedures for recovery of a system
- Occupant Emergency Plan (OEP) - safety of personnel

Personnel security (new employee)
- Hiring - background check, reference check, financial history, security clearance
- Onboarding - sign NDA, non-compete agreement (NCA) - conflict of interest after leaving company, account provisioning (no access)
- Employee oversight - audit job description, privileges
- Offboarding - notify employee, disable account, restore org assets, revoke access (no incident after a period of time)
1.4: Risk Management, Threat Modelling, Supply Chain Risk, Social Engineering, Security Training

Risk response
- mitigate - lower the chance of risk
- avoid - eliminate use of the tech/service
- accept - leave asset unprotected when safeguard > asset
- transfer - shift risk to a third party, insurance

Risk terminology
- Asset - anything of value
- Threat - potential cause of damage
- Threat agent - attacker
- Threat vector - path to gain access
- Vulnerability - weakness/missing safeguard in an asset
- Risk - likelihood that a threat exploits a vulnerability
- Safeguard - security control, countermeasure
- Risk = Threat * Vulnerability
- Inherent risk - default risk (absence of controls)
- Total risk - amount of risk if no safeguard. Threat * Vulnerabilities * Asset
- Residual risk - amount of risk after safeguard [Total risk - controls gap]
- Value of safeguard = [ALE pre-safeguard] - ALE post-safeguard - annual cost of safeguard
- Total Cost of Ownership (TCO) - upfront + maintenance cost

NIST Risk Management Framework 800-37 (ISO 27005, NIST 800-37) - goal: align with mission, integrate into architecture/process, achieve more secure IS within federal, reduce risk to an acceptable level
1. prepare - categorize IS (laws, goals, prioritise, resources)
2. select security controls (tailor)
3. implement security controls (how)
4. assess security controls (periodically)
5. authorize information system
6. monitor security controls
Risk frameworks: OCTAVE, FAIR, TARA

Security control categories
- Administrative - policies, social engineering
- Technical/Logical - hardware/software
- Physical - physically touchable item

Quantitative risk analysis (monetary) - BIA (Risk Assessment)
1. Asset Value (AV) - $
2. Exposure Factor (EF) - %
3. Single Loss Expectancy (SLE) - AV * EF
4. Annualized Rate of Occurrence (ARO) - x times/year
5. Annual Loss Expectancy (ALE) - SLE * ARO
6. Perform cost/benefit analysis
Numerical data, measurable results C/B, difficult to perform and more time, experienced people in risk assessment

Qualitative risk analysis
- brainstorm, survey, 1:1, Delphi technique (anonymous feedback)
- descriptive result, easier to perform, less time, for people who do not have much experience in risk assessment but are familiar with the system or business process (risk rating HML), likelihood + impact

Threat modeling - goal: identify potential threats, assess probability, potential harm, priority of attacks, reduce security defects, reduce severity of remaining defects
Steps
1. identify threats
2. determine and diagram potential attacks
3. perform reduction analysis (decomposing the app)
4. rank the threats (Probability x Impact)
Models
- STRIDE (Microsoft, software centric) - spoofing, tampering, repudiation, info disclosure, DoS, elevation of privilege
- PASTA (risk centric) 7 stages - objective, scope, app/threat/vulnerability analysis, attack & simulation, risk analysis
- VAST - Agile
- DREAD (priority risk) - Damage, Reproducibility, Exploitability, Affected Users, Discoverability, rank threats numerically

Security control types
- Directive (control subject's action) - AUP
- Deterrent (discourage) - warnings, policies, acceptable use
- Preventive (stop) - NDA, SoD, locks, ACL, encryption, security awareness
- Detective - review logs, job rotation, CCTV
- Corrective (return to normal) - AV, fire suppression, patches
- Recovery - DRP, BCP, backup/recover
- Compensating - support security policy, examine logs

Security awareness
- Awareness - acknowledge
- Training - skills
- Education - learn more than you need to know, change behaviour, understanding
- Gamification - rewarding, role based training, points/score

Social engineering attacks
- spear phishing - message drafted for a group of target individuals
- whaling - C-level, admin
- hoax - audience performs an action that might cause a security issue
- baiting - USB stick
- typo squatting - mistyped domain name, gooogle.com
- intimidation - threat to motivate someone (if you don't do it, bad things happen)
- authority - imitate the CEO asking
- consensus - mimic what others have done in the past
- scarcity - if you don't act now, it is too late (discount)
- familiarity - know the victim ahead of time (common friend)

Supply chain risk management
- on-site assessment - visit org, interview, observe operating habits
- document exchange and review
- process/policy review - copies of security policies, procedures
- third party audit
- SLA, SRA


2: Asset Security

Laws - OECD guideline, GDPR, EU-US Privacy Shield, NIST-88 sanitization

Data classification
- Government
  - Top secret - grave damage
  - Secret - serious damage
  - Confidential - damage
  - Unclassified - available to anyone with the Freedom of Information Act (FOIA)
- Non-government
  - Confidential/Proprietary - grave damage [trade secret]
  - Private - serious damage [PII, PHI]
  - Sensitive - damage [internal network]
  - Public - no damage [website]

Data roles (PHI, PII)
- Owner - info classification, control selection, backup frequency, identify standards, set rules of protection, senior management
- Business owner - balance need for security controls (CBA)
- System owner - maintain system security plan, ensure training, implement, assess security controls
- Controller - decides what & how data is processed
- Processor - third party handling data on behalf of the owner, cloud, healthcare, bank
- Custodian - day-to-day responsibilities for protecting data, IT department
- Auditor - evaluate security controls
- User - access data, responsible for protection of data in use, due care
- Administrator - grant access
- Data steward - ops responsibilities including granting access to users

Asset classification process
1. Create an asset inventory - HW (barcode, RFID) to identify systems. SW (software configuration, AD, LDAP, nmap, software license, DLP, system inventory with associated owner), network logs
2. Assign ownership
3. Classify based on value, impact, who accesses. Tip: mixed classification uses the highest level of security
4. Protect based on classification
5. Assess and review

Data lifecycle
1. collection - minimise sensitive info
2. location - store
   - At rest - db, hard drive. AES encryption (TPM, self encrypting drive SED, file level encryption)
   - In motion - TLS/SSL, VPN, link encryption (routing point), end-to-end encryption [eavesdropping]
   - In use - RAM, caches, registers
3. maintenance - use and share, scrub data and remove data
4. retention - archive. Period based on regulation, policy. Don't keep it if you don't need it
   - EOL - no new product (repair, spare parts, tech support)
   - EOS - no more support, patching bugs (end of life of product)
5. remanence - destroy. Tip: getting a new drive is more cost effective, and data remanence is sometimes hard to get rid of
6. destruction

Data protection
- Cloud access security broker (CASB) - monitor user activity and central control to enforce security
- Data Loss Prevention (DLP) - endpoint, network, states (rest, transit, use)
- Digital rights management (DRM) - copyright, watermark
- Pseudonymization - alias represents data
- Tokenization - random string represents data
- Anonymization - remove all PII data until the subject can't be identified (irreversible)

Asset handling
- marking - physical marking of an asset in human readable form, reflects laws, policies
- labelling - associate with security attributes (data classification). Metadata helps DLP to flag
- clean desk policy - minimal use of sensitive paper copies and used only at the desk
- Requirements
  - Scoping (which) - select part of the controls
  - Tailoring (fit) - modify controls to align with the org's mission, better address the org's environment

Destruction
- Erasing/Delete file (recoverable) - least effective, data remains on drive
- Clearing/Sanitization - prepare for reuse. Overwrite the whole sector with all 0s. Tip: if the disk is DAMAGED, we can't overwrite it
- Purging (not recoverable) - intensive form of clearing for reuse in a lower security level. E.g. zeroization, crypto shredding, degaussing
- Degaussing - tapes, magnetic disk. Does not apply to optical disk, SSD
- Destruction (cannot reuse) - SSD acidic spoil, shredding, incineration (burnt), disintegration (pieces), most secure
3.1: Secure Design, TCB, Security Model, Select Control, Hardware

Secure design
- Threat modelling - reduce security defects, severity of remaining defects
- Least privilege - only the rights to perform the job
- Defense in depth - compartment, segmentation, lattice, zone, protection ring
- Secure default
  - Fail secure/close - lock access after failure
  - Fail safe/open - door opens (human safety)
- Separation of duties (SoD) - >1 person to complete a task, prevents fraud
- Keep it simple (KISS) - least is power
- Zero trust - authenticate every request
- Privacy by design
- Trust but verify - 1. authentication to secured environment --> 2. generic access control
- Shared responsibility - customer + cloud
- zero-knowledge proof - prove knowledge of a fact to another without revealing the fact
- split knowledge - info/privilege to perform an operation divided among multiple users

Select control
- TCSEC (orange book, confidentiality) - earliest, US Defense (DoD), addresses military requirements for OS, NO network book. Classes: A1 verified, B1-3, C1-2, D minimal protection
- Trusted Network Interpretation (TNI) - Red book
- ITSEC - EU, separates functionality and assurance. Addresses CIA
- Common Criteria - goal: test security of a product, identify and remove vulnerabilities
  - protection profile (PP) - security requirements (what)
  - target of evaluation (ToE) - system/product to be tested (which)
  - security target (ST) - doc describing ToE + requirements (how)
  - EAL 7 levels - Functionally, Structurally, Methodically (x2), Semi-formally (x2), Formally
- certification - tested security controls meet the standard (internal audit)
- verification - third party/external audit
- accreditation - management formally accepts

TCB (confidentiality, integrity)
- Trusted computing base - hw + sw + controls form a trusted base
- Security perimeter - boundary separating the TCB from the outside
- Properties: invoked every time, cannot be altered (tampered), small enough to verify
- Reference monitor (Laws) - validates access
- Security kernel (Police) - implements the reference monitor

Security models (way to formalize security policy)
- Bell-LaPadula (confidentiality, MAC, lattice) - ^
  - Simple security - no read up
  - * - no write down
  - strong star - can read/write on the same level
- Biba (integrity, MAC, lattice) - \
  - Simple integrity - no read down
  - integrity * - no write up
  - Invocation - no read/write up
- Clark-Wilson (integrity) - subject-program-object (access triple), SoD, auditing, well-formed transactions
- Brewer Nash/Chinese Wall - conflict of interest between 2 parties; dynamic access based on previous activity
- Take-grant (confidentiality) - directed graph of how subject rights pass to obj/sub - take, grant, create, remove rules
- Information flow - design of Bell + Biba, Brewer Nash; flow between different security levels
- Non-interference - high security A should not interfere with low security B (not seen). Prevents covert channels
- State machine - finite state machine (FSM) system always secure no matter the state; Bell, Biba, Sutherland
- Goguen-Meseguer - predetermined actions on predetermined objects
- Graham-Denning (DAC owner) - create, delete obj & sub; read, grant, transfer, delete access
- Harrison-Ruzzo-Ullman (DAC owner) - access control matrix (capability table)
- Sutherland - prevent covert channels

Hardware
- CPU
  - ALU - math calculation
  - CU - fetching, execution/sending instructions
  - process: fetch, decode, execute, store
  - Executing types
    - Multitasking - tasks share 1 CPU
    - Multiprocessing - 1 task + more CPUs
    - Multiprogramming - PC runs more than 1 program (mainframe)
    - Multithreading - multiple processes in 1 CPU concurrently
  - single-state (one security level), multistate (multiple security levels)
  - Protection rings (-1 hypervisor, 0 kernel/privileged, 1 OS, 2 drivers, 3 applications)
  - process states - ready, running, waiting, supervisory, stopped
  - operation modes - user/non-privileged: limited instructions; privileged/kernel: controlled operations
- Memory
  - Read-only memory (ROM) - non-volatile [BIOS]
    - Programmable PROM
    - Erasable EPROM - ultraviolet UVEPROM
    - Electronically EEPROM
    - PLD (Programmable logic devices)
  - Primary memory - Random access memory (RAM) - volatile
    - Static SRAM (flip-flop, faster)
    - Dynamic DRAM (capacitor, slower, cheaper)
    - Cache RAM - L1, L2 ... improved performance
  - Secondary memory - non-volatile, SSD, magnetic tapes, flash drive (EEPROM), CD. Data not immediately available to the CPU
  - Virtual memory - simulates additional primary memory through secondary storage. E.g. low RAM uses hard disk for CPU addressing
- Storage
  - primary - cache, RAM
  - secondary - non-volatile (disk drive)
  - random access storage - read any point [RAM, hard drives]
  - sequential access storage - requires scanning all before the desired location [magnetic tape]
- Emanation - TEMPEST - spying on info through leaking electromagnetic emanations, sounds. Countermeasures: Faraday cage, white noise, control zone
- Input/output - monitor, printer, keyboard, modem (eavesdropping, tapping)
- Firmware - software stored on a ROM chip that contains the basic instructions to start a PC
- virtualization - host one or more OS within a host computer
- Trusted platform module (TPM) - a chip in the motherboard to store encryption keys (authenticate laptop)
  - endorsement key - created when the TPM is manufactured (permanent)
  - storage root key - created when the user takes ownership of the TPM
  - binding, sealing: encrypt data. Remote attestation creates a hash to verify integrity
- Hardware security module (HSM) - cryptoprocessor used to manage/store digital encryption keys

Security capabilities of IS
- Memory protection - hw segmentation (maps process to hw memory location), paging, DEP (prevent code run), protection keying (block size), isolation (logically segregating processes), swapping (copy entire process to disk)
- Recovery
  - fail safe - terminate service
  - fail soft - terminate noncritical processes and the system continues to function
  - fault tolerance
- interface - restrict actions based on privilege
- Security modes
  - dedicated mode - all
  - system high - X need to know
  - compartment - X access approval, X need to know
  - multilevel - nothing
- How to ensure CIA
  - confinement - restrict actions of a program (memory)
  - bounds - limits set on memory addresses
  - isolation - confined process runs in isolation
- Covert channel - pass info over a hidden path
  - covert timing - exchange info by exerting some amount of control, e.g. user types using a specific rhythm of Morse code
  - covert storage - space accessed by 2 processes that have different security labels
- Maintenance hook - backdoor, provides developers with easy access
3.2: Information Systems

Server based systems
- large scale parallel data systems - symmetric, asymmetric, massive
- grid computing - form of parallel distributed system, loss of privacy
- peer to peer - no central management, workloads shared

Industrial control systems
- Distributed control system (DCS) - computerized control system, large scale env, process driven
- Supervisory control and data acquisition (SCADA) - standalone device, data gathering & event driven, large geographic area. NEVER designed for the internet. DNP3
- Programmable logic controllers (PLCs) - controlling manufacturing processes such as assembly lines, robotic devices
- security issues: unauthorized access, eavesdropping, lack of monitoring

Distributed systems - client-server, collection of individual systems working together [blockchain]
- cloud computing - privacy concern, regulation compliance difficult
- grid computing - content exposed to the world, compromise of the central grid server
- peer to peer - eavesdrop on distributed content, lack of central control, bandwidth consumption

High performance computing - complex calculations, 3 components: compute, network, storage. Use case: RTOS, research lab

Database
- Table - relation
- Row - tuple, cardinality
- Column - attribute, degree
- Keys: Primary key, Candidate key (set of attributes to uniquely identify), Alternate key (2nd PK), Foreign key
- Data Manipulation Language (DML) - select, delete, insert, update
- Data Definition Language (DDL) - create, alter, drop
- Types
  - Object oriented DB - data + functions in code accessible
  - Hierarchical DB - tree [DNS]
  - Relational DB - relationship between records in tables by using PK
  - NoSQL - key value pair
  - Flat file DB - stores info as lines of text in a file [hosts file]
- ACID
  - Atomicity - all or nothing (COMMIT)
  - Consistency - rules of data type
  - Isolation - 2 transaction processes separate
  - Durability - completed transaction (preserved)
- Attacks
  - Aggregation - data from multiple sources to create sensitive info (collection of facts). Defense: need-to-know, least privilege
  - Inference - deduce higher level info by using non-sensitive info. Defense: blurring data, database partitioning
- Integrity
  - semantic integrity - data type
  - referential integrity - FK
  - entity integrity - PK
- Defense
  - cell suppression - hide individual db field
  - Polyinstantiation - identical PK containing different data at different classification levels
  - Noise and perturbation - insert false data to redirect a confidentiality attack
- Normalization - removing data: 1NF - logically divide data, 2NF - partly depends on PK, 3NF - not dependent on PK

Cloud
- deployment model
  - Private - dedicated resources for an organization (cloud in your data center, legacy, compliance)
  - Public - multi-tenant, managed by external CSP (pay as you go, agility, scalability)
  - Hybrid - sensitive in private, non-sensitive info in public
  - Community - share infra with multiple orgs on common needs
- service model
  - SaaS (browser) - customer manages identity, data, endpoint
  - IaaS (compute) - customer manages OS level and above. CSP manages networking, hypervisor, server, data center
  - PaaS (deploy custom code) - customer manages app & data. CSP manages db, os, networking, hypervisor, server, data center
- Cloud access security broker (CASB) - security policy enforcement

Knowledge-based systems
- Expert - if..condition
- Machine learning - supervised learning (algorithm)
- Neural network - imitates biological reasoning

Internet of things (IoT) - internet connected devices. Security issues: difficult to patch, no authentication, access, encryption
- Fog computing - centralised processing of data collected by distributed sensors
- Edge - CDN
- Attack surface: user, physical, sensor, output, processor

Client-based systems
- Applet: code object from server to client. Java applet - sandbox, ActiveX - digital cert
- Javascript

Embedded systems - added to an existing mechanical system
- Microcontroller - small computer: Raspberry Pi, Arduino open source 8 bit, field programmable gate array (FPGA) - flexible, used in ICS
- security concerns: limited network, unable to process high end encryption, difficult to patch, do not use authentication, supply chain issues
- Static system - static env doesn't change. E.g. check-in kiosk at airport, ATM
- Network enabled device - smart TV, HVAC control, network attached printer
- Cyber-physical system - robotics, sensors
- securing methods: network segmentation, security layers, app firewall, manual update, firmware version control, wrapper, policy mechanism
- Microservice - serverless support
- Infrastructure as Code - app is programmatically provisioned
- service-oriented architecture (SOA) - provides independent services residing on different systems in different business domains in one consistent

Vulnerabilities in systems
- single point of failure, bypass control, buffer overflow (ASLR), TOCTOU
- emanation - TEMPEST (shielding) against Van Eck phreaking, white noise, control zone, Faraday cage
- covert channel
- aggregation & inference (polyinstantiation)
- incremental attack
  - salami - rounding down the last few digits
  - data diddling - small, random changes
mobile device management - full drive

22
encryption, remote wiping (must connect

0
hypervisor - VMM -

/2
internet), device authentication, device
create/manage/operate virtual machine

10
lockout, app control
Virtualized

ke
Hypervisor I - install on bare metal System Bring your own device (BYOD) - staff

Lo
use his phone

ss
Hypervisor II - install on top of host (Virtual Box)

Je
Corporate-owned, Personally Enabled
3.3: Virtualization Mobile device

by
Virtual Software (COPE) - company phone but use for

n
both personal and work matter

ow
Virtualized Networking Deployment

d
Choose your own device (CYOD) - provide

an
list of approved devices to select
Software Defined everything - replacing software

ed
with virutalization

at
Corporate-owned Mobile Strategry
re (COMS) - company phone for work
C
Virtualization Security Management - protect host,
purpose only
backup, VM sprawl, sensitive data within VM,
unauthorized access to hypervisor

Containerization - eliminate duplication of


OS element in a virutal machine

Serverless - CSP manage platform, server


3.4: Modern Cryptography (Symmetric, Asymmetric, Quantum)

Terminology
  Cryptography - science
  Cryptosystem - all in one: sw, hw, algo, key
  Cryptology - study
  Cryptanalysis - decrypt/break
  Kerckhoff's principle - algorithm is public, key is secret
  Key clustering - same plaintext with different keys generates the same cipher
  Key space - range of key values
  PAIN - privacy, authenticity, integrity, non-repudiation
  One way function - math gives the output value but the input value can't be recovered
  Initialization Vector (IV) - a random bit string (a nonce) that is XORed with the message, reducing predictability and repeatability
  Work function/work factor - measure of the strength of cryptography, effort to decrypt msg
  Strength factors: algorithm, secrecy of key, key length, IV, random key
  Modern crypto - at least 128 bits long

Key management
  Dual control - 2 separate functions/processes for key recovery
  Split knowledge - 2 separate pieces of knowledge
  M of N Control (multiparty key recovery)
  Key escrow - third party holds the key and releases it under conditions
  Rules: key length, store securely, key random, key lifetime based on sensitivity of data, backup key, destroy key

Old crypto
  Transposition/Permutation (scytale) - REARRANGE letters; frequency analysis attack
  Substitution (Caesar, ROT13) - REPLACE letters
  Vigenere - polyalphabetic (running key) substitution
  One time pad (Vernam) - unbreakable. Requirement: random, pad protected, used only once, key as long as msg
  Enigma machine/Purple machine - WWII, 3 rotors broken, then the Germans added one rotor = 4
  SIGABA - US rotor machine (3X5)
  Confusion (substitution) - mix key, relationship is complicated. S-box: input m X n output
  Diffusion (transposition) - mix location of plaintext throughout ciphertext. Dissipated pattern

Block cipher (software) - text divided into blocks and encrypted one block at a time
Stream cipher (hardware) - operates on one character/bit at a time, XOR
  Pros - quick, scales, real time VoIP
  Cons - less secure (RC4), requires lots of randomness, processing power

Symmetric - a shared secret key (80 - 256)
  Pros - fast, strongest per bit
  Cons - out of band key distribution, no nonrepudiation, only confidentiality, algorithm is not scalable, key must be generated often
  keys required = n(n-1) / 2
  use case: encrypt bulk data
  AES (Rijndael) - 128B, 128/192/256 key, 10, 12, 14 rounds
  Modes:
    ECB - block, same encrypted block, known-plaintext attack
    CBC - block, IV, chain (error propagates), unencrypted text XORed
    CFB - stream, IV, chain (error propagates)
    OFB - stream, IV, NO ERROR, XOR plaintext with a seed value
    CTR - stream, IV, NO ERROR, uses an incrementing counter instead of a seed
    Galois counter mode - adds authentication
  DES - 64B, 56 key, 16 rounds
  3DES - 64B, K1-112 (more effective security), K3-168 key (meet-in-the-middle attack)
  IDEA - PGP, 64B, 128 key
  Blowfish - alternative to DES, IDEA but faster, variable length keys up to 448 bit
  Twofish - 128B, 128,192,256 key
  Skipjack/Clipper - US government, escrow of keys
  RC4,5,6 - RC4 is a stream cipher 40-2048 bit, WEP, WPA, SSL (no longer secure)

Asymmetric - receiver's public key encrypts + receiver's private key decrypts (1024-2048)
  Pros - easy key distribution, integrity, authentication, nonrepudiation
  Cons - slow, small data
  keys required = n * 2
  use case: PKI (verify identity), encrypt keys
  *RSA (factoring of large prime numbers) - used in digital signature, key distribution, encryption
  ElGamal (discrete) - free to use but doubles the size of the message, SLOWEST
  Elliptic Curve (discrete) - more efficient than RSA (256 bits = 3072 bits in RSA). Used in encryption, digital signature, key exchange
  Diffie-Hellman (discrete) - key exchange, man in the middle attack. Used in SSL, TLS, SSH, IPSec, PKI; not for encryption, solves the key distribution problem
  Knapsack - obsolete

Quantum - replaces binary with multidimensional quantum bits (qubits)
  security: asymmetric like RSA, DH could be broken. Stream cipher least vulnerable. Lattice offers some resistance
  Grover's algo - computer speeds up the attack by halving the key length
  Shor's algo - easily breaks all public key algos based on factoring and discrete logarithm problems

Hash (Message Digest) - integrity only
  5 requirements: input of any length --> fixed length output, easy to compute, one way, collision free
  Attack: collision (2 different docs produce the same hash) --> birthday attack
  SHA1 - 160 bit; 224, 256, 512, 384 message digest
  MD5 - 512 block
  HAVAL - faster than MD5, with 3 rounds
  RIPEMD, RIPEMD-128, RIPEMD-160 (remains secure)

Digital Signature (Digests) - integrity, authentication, non-repudiation (NO CONFIDENTIALITY)
  To sign/create - sender's private key encrypts the hash
  To verify - sender's public key decrypts the signature
  Digital signature standard (DSS): DSA, RSA, ECDSA

HMAC (Message Authentication Code) - authentication, integrity (NO NON-REPUDIATION), shared secret key
  message + secret key --> MAC value

Digital certificate
  cert body contains the authenticated user's public key
  CA signs cert - CA's private key
  validate digital signature - CA's public key
  cert recipient verifies cert using CA's public key
  cert X.509 - version, serial number, signature algo, issuer, subject public key. X.500 LDAP directory service
  cert file: DER, PFX (Binary); PEM, P7B (Text) - .der & .crt, .pem & .crt, .pfx & .p12

Public Key Infrastructure (PKI)
  4 function services: directory, cert, key, crypto
  CA - issues cert, RA - verifies and registers, CRL - contains list of revoked certs (serial number), OCSP - real time. Certificate stapling, as OCSP is a burden

Hybrid (TLS, PKI, S/MIME, PGP) - symmetric (encrypt msg) + asymmetric (encrypt key)
  1. client browser https://www
  2. server sends its public key
  3. client browser generates a symmetric session key
  4. client uses server's public key to encrypt the symmetric key and sends it to server
  5. server uses its private key to decrypt the symmetric key
  asymmetric keeps the ephemeral secret key secret + hash ensures integrity and non-repudiation + symmetric bulk encryption

Applied
  TPM - full disk encryption
  Pretty good privacy (PGP) - web of trust, file/disk encryption
  Email S/MIME - RSA, X.509 exchange key
  SSH - protects against eavesdropping, integrity, IP address spoofing, DNS spoofing, IP source routing
  SET - financial transaction Master/Visa
  Web TLS/SSL: key exchange - RSA, DH, ECDH; authentication - RSA, DSA, ECDSA; encryption - AES, 3DES; hash - SHA; e.g. TLS_DH_RSA_WITH_AES_256_CBC_SHA384
  Network encryption, IPSec:
    link encryption - secure tunnel btw 2 points (nodes)
    end-to-end encryption - btw client and server. Data is encrypted at origin and decrypted at destination
    Circuit

3.5 Cryptography (HASH, HMAC, digital signature, PKI, hybrid, cryptanalytic attack) - authentication, confidentiality, integrity, non-repudiation

Cryptanalytic Attack
  ciphertext only - most difficult attack, modern crypto guards against this attack
  known plaintext - plaintext + corresponding ciphertext; linear cryptanalysis
  chosen plaintext - offline attack, pair of plaintext + ciphertext (cryptosystem); differential cryptanalysis, MAC attack
  chosen ciphertext - piece of ciphertext (same ciphertext msg) = get decrypted plaintext; vulnerable: RSA
  brute force - try all possible keys
  frequency analysis (English letters) - transposition
  side channel - monitor power, timing, radiation/emission
  implementation attack - exploit weakness in software, protocol, encryption algorithm
  fault injection - external fault like electricity, temperature (physical attack)
  timing - how long a cryptographic operation takes
  man in the middle - fools both parties into communicating with the attacker instead of directly with each other
  differential cryptanalysis
  replay attack - replay a valid session
  pass the hash - Windows Active Directory, where attacker resubmits a cached authentication token. Uses mimikatz tool
  ransomware - encrypts victim's files and asks for payment to unlock
  meet in the middle - 2DES, 3DES, 2 rounds of encryption. Extract encryption keys when the plaintext and matching ciphertext are known
3.6 Site and facility

Crime Prevention Through Environmental Design (CPTED)
  natural access control - guidance on people entering
  natural surveillance - uneasy, maximize visibility
  natural territorial reinforcement - area feels cared for, sense of ownership
  target hardening - entry/exit, windows & doors, locks, power/water source, air con, fire control

Functional order: deter-->deny-->detect-->delay-->determine-->decide

Wiring closet - locks, area tidy, no flammable items, cctv, log entries, do not give out keys
Server room - away from water, gas; smartcards and badges
Media storage - locked cabinet, custodian, entry, drive sanitization, integrity check
Evidence storage - dedicated storage system, keep storage offline, block internet, limit access, encrypt all datasets, hash
Restricted and work area security - walls, clean desk, only authorized access

Motion detectors (alarm)
  wave/pulse - microwave
  capacitance - electrical or magnetic
  photoelectric - light
  infrared - heat

Physical
  Fence - 8 feet deters intruders
  Gates (ASTM) - I residential, III limited access
  Light - 8 feet high with 2 foot-candle power
  turnstile - prevents > 1 user entering (tailgating)
  mantrap - 2 doors prevent unauthorized user entering secure area
  bollard - stops cars
  cctv large area - wide angle lens, small lens opening
  lock with keypad combination - brute force & shoulder surfing
  electronic access control lock - electromagnet to keep the door locked, a credential reader for authentication, and a sensor to reengage internal security
  programmable locks - multiple valid access (smart card, cipher device)
  badges - identification, authentication
  wall - real floor to real ceiling (slab to slab)
  air circulation - cold aisles
  Demarc - Point of Demarcation (POD) - ISP terminates phone line and network begins (only one)

TEMPEST
  white noise - broadcast false traffic
  faraday cage - box with metal skin to absorb EMI
  control zone - white noise + faraday cage on specific area

Power
  power - fault, blackout [UPS, generator]
  high voltage - spike, surge [surge protector]
  low voltage - sag/dip, brownout [constant voltage transformers]
  Noise - Electromagnetic interference (EMI), Radio frequency interference (RFI)
  Voltage 1k - monitor, 1.5k - hard drive, 2k - system
  UPS - momentary/short/temporary
  Generator - longer/sustained
  Dual power supplies - for critical network devices and concern about power supply

HVAC
  Temperature - 60-75F (15-23C)
  Humidity - 40-60% (high - corrosion, low - static electricity)

Fire
  Water
    wet pipe - full of water
    dry pipe - compressed gas, closed sprinkler head, filled with compressed air until the sprinkler heads open
    preaction system (most appropriate, delaying mechanism) - closed sprinkler head, 2 stage detection
    deluge system - large volume of water, sprinkler head open, empty until a fire alarm sounds
  Gas
    CO2 - effective but risk to humans
    Halon - not environment friendly
    FE-13, FM-200, Inergen - safe for humans (recommended)
  Classes
    A - common combustibles (water or acid)
    B - liquid (gas or soda acid)
    C - electrical (gas)
    D - metal (dry powder)
    K - cooking (alkaline)
  detection (flame, smoke, heat): ionization (electric), photoelectrical (light), spot type detector (dual)
  4 stages: incipient (ionization)-->smoke-->flame-->heat
4.1: OSI, IP, protocols

OSI 7 layers
  7 - Application (data stream): HTTP, FTP, SMTP, Telnet, DNS. Provides services
  6 - Presentation (data stream): encryption, IMAP, ASCII, image. Transforms data into OSI understandable format
  5 - Session (data stream): TLS, RPC, SQL, NFS, P2P, tunneling, SIP. Establish, maintain, terminate communication session
  4 - Transport (segment): TCP (segment), UDP (datagram) - SMTP, DHCP. Manages integrity of connection, 3 way handshake (SYN, SYN ACK, ACK), segmentation, sequencing, error checking, controlling flow
  3 - Network (packet, broadcast domain): router, NAT, IPxx, ARP, ICMP, IKE, IPSEC [I protocol]. Logical addressing, routing
    interior gateway protocol: distance vector (hop count) - RIPv1, IGRP, EIGRP (link+distance); link state - OSPF
    exterior gateway protocol: path vector (BGP) - best route based on entire path (internet)
    broadcast address: 255.255.255.255
  2 - Data link (frame): switches, ARP, PPP, MAC, Ethernet, frames, ATM, PPP, L2F, L2TP, PPTP (ALL PROTOCOLS). Determines the destination physical address (IP to MAC)
    2 sublayers: Logical link control layer (LLC) - flow control and error notification; Media Access Control (MAC) - physical addressing
    broadcast address: FF:FF:FF:FF:FF:FF
  1 - Physical (bit): cables, repeater, NIC, hub, bluetooth, wifi, ethernet. Converts frame to bits (1,0) and sends them out
TCP/IP 4 layers: Application (data), Transport (segment), Internet (packet), Network (bit, frame) = 3112

Network authentication
  Point-to-point protocol (PPP) - SLIP replaced by PPP, transmits multiple network layer protocols, supports sync & async links. Encapsulation protocol for point to point links. Security: PAP, CHAP, EAP
  password authentication protocol (PAP) - credential in clear text
  challenge handshake authentication protocol (CHAP) - credential stored in clear text on server. Used by PPP server to authenticate remote client. Periodic reauthentication using a 3 way handshake to prevent replay attack. MS-CHAPv2
  extensible authentication protocol (EAP) - supports multiple authentication mechanisms (MD5, OTP, token card)
  port security - check MAC address ~ authenticate port first (switch, router, wireless)
  quality of service (QoS) - efficiency of network communication

Multilayer protocol - encrypt at various layers, supports a range of protocols in higher layers, flexibility and resiliency
  security issues: covert channel, bypass filter, network segment boundaries

Converged protocol
  Fibre Channel over Ethernet (FCoE) - high speed file transfer (network storage protocol)
  Internet Small Computer System Interface (iSCSI) - low cost vs fibre channel; network storage based on IP
  Multiprotocol Label Switching (MPLS) - high-throughput, high-performance network tech based on best path. Supports ATM, frame relay, SONET, DSL
  Voice over internet protocol (VoIP)
  Session Initiation Protocol (SIP) - manages real time communication, caller identification

Microsegmentation - divide internal network into numerous subzones, single device and firewall at every connection point (zero-trust networks)
  benefits: performance, reduce congestion, isolating traffic, granular control, simplify fw policies

Software Defined Networks (SDN) - quickly change network
  application plane - uses programs to communicate needs for resources via API
  control plane - receives instructions and sends them to the network, decision making, API
  data plane - handles traffic based on control plane
  management plane - ssh, snmp, syslog
Software Defined Wide Area Network (SD WAN) - manages multiple ISPs to ensure speed, reliability, bandwidth. Can be used with MPLS, LTE, broadband
VXLAN (CSP used) - virtual extensible LAN (16 million networks); makes 2 different locations appear to be the same segment, encapsulates an ethernet frame (layer 2) in a UDP packet

communication types
  simplex - 1 way, 1 sends, another receives
  half duplex - bidirectional, send/receive one at a time
  full-duplex - bidirectional, both can send/receive simultaneously

Ports (2^16 = 65536)
  FTP 20,21, SSH 22, Telnet 23, TFTP 69, SMTP 25, DHCP 67,68, POP3 110, NTP 123, SNMP 161, 162, NetBIOS 137-139, SQL Server 1433, Oracle 1521, PPTP 1723, RDP 3389, HP printing 9100
  0 - 1023 = well known, system
  1024 - 46151 = registered, user
  49152 - 65535 = random, dynamic, ephemeral, private

Wireless (802.11x)
  Frequency Hopping Spread Spectrum (FHSS) - multiple frequencies [bluetooth]
  Direct Sequence Spread Spectrum (DSSS) - data in series, one at a time [802.11b]
  Orthogonal Frequency-Division Multiplexing (OFDM) - frequencies simultaneously in parallel [802.11a,g,n]
  site survey - investigate presence, speed, strength, reach of wireless access point
  wireless mode:
    ad-hoc mode - connect 2 devices
    standalone mode - wireless access point + no wired resource
    infrastructure mode - connect endpoints to central network, not to each other
    wired extension mode - wireless access point + wired network
  WEP (RC4) - IV 24 bit too short
  WPA (TKIP) - both client and AP authenticate each other
  WPA2/802.11i (AES-CCMP) - personal (PSK) - home user; enterprise - requires user account and authentication in RADIUS. Used with PEAP, EAP-TLS
  WPA3 (GCMP-256) - replaces preshared key with SAE, zero knowledge proof; simultaneous authentication of equals (SAE) - without enterprise user account
  captive portal - open guest network (hotel, cafe)
  802.1X authentication protocol:
    LEAP (lightweight) - CISCO, WEP
    PEAP (Protected) - encapsulates EAP within TLS
    EAP (extensible) - authentication framework compatible with point to point connection
  SSID - broadcast SSID (beacon frame)

Internet protocol
  IPv4 - 32 bit, 4 octets ".", NAT
  IPv6 - 128 bit, 8 hex groups ":", NOT using NAT, multicast, IPSec, NO (checksum, packet fragmentation, option field). [fe80: prefix for link local address]
  migration concern - 128 bit address space, more source addresses to attack, upgrade issue, reduced privacy bcz NAT missing
  benefits - greater address space, simpler autoconfiguration, adds scope to multicast, drops IPv4 header, packet labeling, extension support for authentication, integrity
  IPv4, IPv6 coexist in dual stack, tunneling, NAT-PT (mutual convert)
  classes (public): class A: 0 - 127, 255.0.0.0; class B: 128-191, 255.255.0.0; class C: 192-223, 255.255.255.0; class D: multicast; class E: experimental
  private IP: 10.0.0.0-10.255.255.255 (class A); 172.16.0.0-172.31.255.255 (class B); 192.168.0.0-192.168.255.255 (class C)
  link local address, APIPA - assigns DHCP client an IP in range 169.254.0.1
  Loopback address - 127.0.0.1 (127.0.0.0/8)
  MAC (physical address) - 48 bit hex address 01:23:34:67:89:ab (first 24 bits manufacturer identifier + 24 bits unique identifier). IPv6 is 64 bit EUI/MAC-64
  ARP (IP to MAC)
  NAT (Private IP to Public IP): static NAT - 1 public to 1 private; Pool NAT - many to many; PAT NAT - 1 public to many private
  DHCP (assign IP): Discover-->Offer-->Request-->Acknowledge = DORA
4.2 Secure Network Component

analog vs digital
  analog - continuous signal varying in frequency (wave shape)
  digital - electric signal, more reliable, voltage of 0,1
sync vs async
  synchronous - communication relies on time/clock [networking, used for high rate transfer]
  asynchronous - stop and start delimiter bits [PSTN]
base vs broad
  baseband - single communication channel, one signal [ethernet]
  broadband - multiple simultaneous signals, high throughput, analog [TV, modem, ISDN, DSL, T1, T3]

Network segment
  Intranet - private network (LAN)
  Extranet - btw internet and intranet (other org accesses own org)
  Screened subnet (DMZ) - btw internet and intranet, for low trust users to access specific systems
  benefits: same segment (performance), reduce congestion, isolating traffic (security)

Network device
  hub (L1) - connects multiple systems, broadcasts
  modem (L1) - analog --> digital signal
  bridge (L2) - connects 2 networks together
  switch (L2) - connects systems, creates separate collision domains
  router (L3) - routing operation, logical IP addressing
  bridge/switch (connect systems) - forwarding tables, filter traffic based on MAC, no network address, forward broadcast traffic
  router (connect networks) - routing table, filter traffic based on IP, different network address per port, does not forward broadcast traffic
  gateway (L7) - connects different types of networks
  LAN extender - remote access, multilayer switch connecting distant networks over WAN
  Operation of hardware - critical: redundant power; edge device: single power supply; product training, warranty, vendor support

Network Access Control (NAC) - prevent non-zero attack, traffic encryption, AAA service, enforce security policy, access control
  pre-admission - test before they are allowed on the network
  post-admission - test after client is on the network

LAN media access
  broadcast: 1 to all; multicast: 1 to many; unicast: 1 to 1
  Ethernet (IEEE 802.3) - broadcast LAN tech, star or bus topology, twisted pair cabling
  CSMA/CD - listens for collision for an amount of time; if detected, sends jam signal. After collision; wired, 802.3
  CSMA/CA - requests permission (RTS). Before collision; wireless, 802.11
  Token ring (IEEE 802.5) - ring topology, releases token to next system
  Polling - primary polls secondary systems if they need to transmit, then grants permission to transmit
  FDDI (IEEE 802.4) - bus (no collision), dual counter rotating rings for fault tolerance, long distance at high speeds

Layer 2 security standard
  IEEE 802.1AE: MAC Security Standard (MACSec) - encryption, integrity, origin authentication
  IEEE 802.1AR: unique Secure Device Identity
  IEEE 802.1AF: Authenticated Key Agreement for MACSec

transmission media
  synchronous - complex, costly, robust error checking through cyclic redundancy checking (CRC), high speed, high volume transmission, minimal protocol overhead
  asynchronous - simpler, less cost, parity for error control, used for irregular transmission patterns
  copper twisted-pair: shielded twisted-pair (STP) - metal foil; unshielded twisted-pair (UTP) - without foil (telephone), cheapest, 100m
  UTP categories (100m) - Cat 5 100 Mbps, Cat 5e 1 Gbps, Cat 6 1 Gbps
  coaxial (TV) - center core of copper wire, fairly resistant to EMI
  cabling types - Baseband (single signal), Broadband (multiple signals simultaneously); 10Base5 (low EMI) - speed, base/broad, distance
  conductor - copper best, least expensive, resistance of metal (temperature)
  fiber optic - transmits light instead of electricity, fast, costly, good security (electromagnetic) interface. Fibre multimode 2km (data); avoid EMI: single-mode fiber, multi-mode fiber (cheaper)
  threats: noise, attenuation (weaker with distance), crosstalk (confidentiality issue when signals cross among cables), eavesdropping, EMI (availability, integrity)

Network topology
  Ring (token along circle) - FDDI, token ring; single point of failure (multiple layers)
  Bus (trunk or backbone cable) - ethernet; all systems transmit simultaneously (collision), central trunk single point of failure
  Star (centralized connection) - hub, switch
  Mesh (numerous paths) - redundant connection (best)

Firewall
  blocking rules: inbound packets which have an internal source address; outbound packets which have an external source address; packets that have a source/destination address from the LAN but not yet assigned to a host
  static packet-filtering (network++) - examines msg header, source/destination IP address, port (ACL). weakness: limited logging, no authentication, can't detect fragmentation attack
  stateful/dynamic (network3) - evaluates state, session, context of packet
  circuit level (session5) (SOCKS) - decision based on protocol header & session info, protects a wide range of protocols
  application level proxy (app7) - deep packet inspection, WAF, filters based on protocol, app, content; each protocol requires a unique proxy. pros: extensive logging, authenticate user, address spoofing attack; cons: not for high bandwidth or real time apps, limited support for new network apps, performance issue
  next generation firewall - VPN, antivirus, IDPS, UTM
  architecture:
    dual-homed - a single pc with separate NICs connected to trusted & untrusted network
    screened host (bastion host) - router filters external traffic to and from bastion host via ACL
    screened subnet (DMZ) - external router filters traffic before it enters the subnet (2 firewalls)

Proxy
  forward - from internal client to outside service, built for content filtering, email security
  reverse - from external system to internal service, built for app delivery, load balancing, authentication and app firewall
4.3: Communication Channel

Voice
  Public Switched Telephone Network (PSTN)
  Voice over Internet Protocol (VoIP)
  Digital Subscriber Line (xDSL)
  Integrated Services Digital Network (ISDN) - BRI (144 Kbps), PRI (1.54 Mbps)
  Protocol:
    real time transport protocol (RTP) - carries data in media stream format. SRTP is the secure version of RTP
    Session Initialization Protocol (SIP) - SIPS is the secure version of SIP (TLS encryption)
    RTP control protocol (RTCP) - provides statistics on QoS
  secure - use SRTP, SIPS, a dedicated VLAN for VoIP phones

Multimedia collaboration
  remote meeting - authentication, encrypted tunnel, end-to-end encryption, activities logged
  instant messaging - malicious code, file transfer, social engineering

Centralized remote authentication services
  RADIUS (UDP 1645, 1812) - dial up modem, VPN, encrypts only the password, open source, SLIP, PPP, MD5
  TACACS+ (TCP 49) - 2FA, encrypts whole, separates AAA, Cisco, CHAP, PAP
  Diameter - successor of RADIUS with added reliability

Data communication (email)
  unsecure protocols (no authentication): SMTP (25), POP3 (110), IMAP (143)
  X.400 standard
  security goal: integrity, authenticity, classify sensitive content

Point to Point links
  Point-to-Point Protocol (PPP) - most robust; serial cable, phone line
  Point-to-Point Tunneling Protocol (PPTP) - Microsoft, no encryption, relies on PAP, CHAP, EAP
  Layer 2 Forwarding Protocol (L2F) - encapsulation but no encryption (confidentiality)
  Layer 2 Tunneling Protocol (L2TP) - IPSec
  Serial Line IP (SLIP) - TCP/IP low speed dial up

WAN
  Switching:
    circuit (physical) - dedicated pathway, fixed delay, connection oriented, sensitive to connection loss, for voice
    packet (logical) - msg broken into small segments, variable delay, connectionless, sensitive to data loss, for any traffic
    virtual (logical): Permanent virtual circuits (PVCs) - fixed route, always up; Switched virtual circuits (SVCs) - routes created dynamically each time the circuit is used
  X.25 - oldest packet switched WAN tech, error correction
  Frame relay - packet switched WAN tech, focus on speed rather than reliability, data link layer (TCP)
  ATM - cell switched WAN tech, fixed length cell
  Multi-Protocol Label Switching (MPLS) - high-speed & scalable, used to create fully meshed VPN
  Synchronous Optical Network (SONET) - HA, high speed, multiplexed, low latency on fiber optic
  Synchronous Data Link Control (SDLC) - IBM full-duplex serial protocol. Used in mainframe <--> remote
  High-level Data Link Control (HDLC) - synchronous protocol, error detection, successor to SDLC
  T Carrier, E Carrier = T1 - 1.544 Mbps, T3 - 44.736 Mbps, E1 - 2.048 circuit, E3 - 34.368 circuit

tunnelling protocol
  PPP (Point-to-Point Protocol) - serial cable, phone line
  Point-to-Point Tunneling Protocol (PPTP) - obsolete encapsulation protocol, data link layer, transmits over IP, used for dial up; authentication protocol: PAP, CHAP, EAP, MS-CHAPv2
  Layer 2 Forwarding (L2F) - Cisco
  Layer 2 Tunnelling Protocol (L2TP) - PPTP + L2F. Used with IPSec; no built in encryption or confidentiality; VPN over WAN (IP, X.25, frame relay)

VPN (TLS, IPSec)
  IPSec:
    AH - authentication, integrity, and nonrepudiation
    ESP - confidentiality
    mode: transport mode - encrypts only the payload, host to host (client-to-server) VPN, ends at individual host; tunnel mode - encrypts IP header + payload, site to site VPN (FW-FW), ends at boundaries
    Internet Key Exchange (IKE) - establishes authenticated keying material for SA: OAKLEY - key generation; SKEME - exchange keys; ISAKMP - creates security association
    Authentication protocol (optional): CHAP, MS-CHAP, EAP-TLS

Content Distribution Network (CDN) - geographically distributed network close to the user. Low latency, high performance, and high availability

other communication
  zigbee (802.15.4) - PAN, lower power, personal area network, IoT. Supports both centralized & distributed security models, mesh topology
  LiFi - uses light to transmit data at high speed (can't penetrate opaque walls), not susceptible to EM interference, speed 100 Gbit/s
  satellite - LEO, MEO, GEO orbits support tel, tv, internet, military
  NFC - very short range
  infrared - requires line of sight - 5m
  bluetooth (802.15) - 2.4 GHz for 10m
  broadband wireless WiMAX (802.16) - MAN, using AES, EAP
  WPA2 (802.11i) - using AES-CCMP, compliant with FIPS 140-2
  Management frame protection (MFP) - 802.11w prevents replay, DoS, wi-fi deauthentication attack

VLAN (802.1q)
  port mirror - duplicates traffic from one port onto a specific port
  port tap - eavesdrop
  trunk port - dedicated port with higher bandwidth
  security issues: VLAN hopping (header with multiple tags) ~ access other subnet by encapsulating packet

Third-party connectivity - ISP, cloud, vendor, partner, customer; MOU, MOA - agreement btw 2 entities

Cellular Network
  4G - IP based (WiMax), 1 Gbps
  5G - ICS, IoT, 10 Gbps but reduced network, mutual authentication, enhanced subscriber identity protection
wardriving - detect wireless network signal [WPA2 prevent]
human friendly domain name-->IP
warchalking - locates WAN, document SSID, chalk in public places
DNS cache poisoning - place incorrect
info in zone file or cache rogue access point - false WAP, duplicate SSID/MAC address

rogue DNS server - send client a DNS evil twin - false access point
response with false IP
wireless disassociation - disconnect client
DNS pharming - modify local host file
to redirect to fake website jamming - interference attack
attack
DNS
typosuqatting (illegal) - look alike genuine url [existing website] replay attack - defense: firmware updated, WIDS, OTP,
timestamp, challenge response authentication
cybersquatting (legal) - buy a look alike genuine
url then resell to business [no establish website] defense: update firmware, change default admin pass, enabling
WPA2/WPA3, disabling SSID broadcast, MAC filtering, IDS, WIDS,
domain hijacking - change registration VPN, captive portal, tracking wireless activities
of domain name without authorization
  DNS defense: DNSSEC (digital signatures + PKI so a resolver can verify responses; resource records are authenticated via the zone's public key), DoH / ODoH (encrypted, privacy-preserving queries), restrict zone transfers (AXFR) to authorized secondaries
Attacks by OSI layer
  L5-7 (session, presentation, application) - worms and application-level attacks
  L4 transport
    LAND attack - packet whose source and destination IP address and port are identical, confusing the TCP stack
    fraggle - UDP echo/chargen (ports 7/19) sent to a broadcast address with a spoofed source; amplification DoS
    SYN flood - many SYNs whose handshake is never completed, exhausting the half-open connection table
  L3 network
    smurf - ICMP echo request to a broadcast address with a spoofed source; amplification DoS
    teardrop - overlapping/malformed IP fragments crash the reassembly code
    ping of death - oversized ping packet
    defense: ACLs, disable directed broadcasts, ingress/egress filtering of spoofed sources
  L2 data link
    DHCP attacks - rogue DHCP server, address-pool starvation
    MAC flooding - overflows the switch CAM table so it fails open into hub mode
    ARP spoofing / ARP cache poisoning
    VLAN hopping
    defense: port security with sticky MAC, VLAN pruning on trunk ports, static ARP entries, DHCP snooping, dynamic ARP inspection
Email
  SMTP open relay (no authentication) - abused to send spam
  threats: virus, worm, trojan, spoofed source address, DoS, mail storm (reply all)
  defense
    S/MIME (.p7s) - authentication and confidentiality through public key cryptography: digital envelope (confidentiality), digital signature (authentication, integrity, nonrepudiation)
    PGP - encrypts files and email messages (web of trust instead of X.509 PKI)
    PEM - authentication, integrity, confidentiality and nonrepudiation using RSA, DES and X.509 certificates
    MOSS - MIME Object Security Services; MD2, MD5, RSA, DES
    SPF - Sender Policy Framework: DNS TXT record listing the hosts allowed to send for the domain; receivers check the connecting IP against it (against spam and sender spoofing)
    DKIM - DomainKeys Identified Mail: the sending domain signs the message headers/body; the receiver verifies with the public key published in DNS, so a forged sender domain is detectable
    DMARC - Domain-based Message Authentication, Reporting and Conformance: a DNS policy that ties SPF and DKIM to the visible From domain (alignment), tells receivers what to do on failure (p=none / quarantine / reject) and where to send reports; mitigates phishing
    configure the mail relay server securely; filter on the email gateway
    black list (block), white list (allow), gray list (temporarily reject any unknown sender; a legitimate server retries and is then accepted, most spam bots do not)
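The SPF and DMARC checks described in the Email section above, worked through in code. This is an added example, not from the study notes: it uses a constructed in-memory "DNS" with hypothetical domains (example.com, mail.example.net) and RFC 5737/3849 test addresses instead of real lookups, and takes the DKIM verification result as an input because signature checking itself is out of scope here.

```python
"""SPF + DMARC evaluation for one inbound message.

Added example, not from the study notes. Uses a constructed in-memory "DNS"
(hypothetical domains, RFC 5737/3849 test ranges) instead of real lookups, and
takes the DKIM verification result as an input: signature checking itself is
out of scope here.
"""
import ipaddress
import re

# Constructed TXT records (hypothetical zone).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "bounce.example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record against the connecting IP."""
    if depth > 10:                      # RFC 7208: at most 10 DNS-querying terms
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIER[qualifier]
        if mech in ("ip4", "ip6"):
            # an IPv4 address tested against an IPv6 network is simply False
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER[qualifier]
        elif mech == "include":
            # include matches only if the included record returns "pass"
            if spf_check(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIER[qualifier]
    return "neutral"                    # nothing matched and no explicit "all"


def parse_dmarc(domain):
    """Return the DMARC tags for the From domain, or None if no policy."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    tags = dict(re.findall(r"(\w+)=([^;]+)", record))
    if tags.get("v") != "DMARC1":
        return None
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")      # default alignment mode is relaxed
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Toy organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    if mode == "s":                     # strict: exact match required
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, mail_from_domain, sender_ip, dkim_pass, dkim_domain):
    """Combine SPF and DKIM with alignment; return 'pass' or the policy action."""
    policy = parse_dmarc(from_domain)
    if policy is None:
        return "none"                   # no DMARC record: nothing to enforce
    spf_ok = (spf_check(mail_from_domain, sender_ip) == "pass"
              and aligned(from_domain, mail_from_domain, policy["aspf"]))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"]                  # none, quarantine or reject
```

The point the notes compress into one line is visible in `dmarc_evaluate`: an SPF pass for the envelope domain is worthless to DMARC unless that domain aligns with the From header the user sees, and the policy decides what happens when neither SPF nor DKIM passes aligned.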
  L1 physical - eavesdropping (tapping the medium)
Telephony
  vishing - voice phishing, typically with a falsified caller ID
  phreaking - attacking the telephone system to make free calls
  VoIP threats - toll fraud, SPIT (spam over internet telephony), identity fraud (caller ID spoofing), eavesdropping, DoS
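Detection logic for the L3/L4 attacks listed under "Attacks by OSI layer" above (LAND, smurf, fraggle, SYN flood), run over constructed packet records. This is an added example, not from the study notes: the packets, addresses and the /24 broadcast heuristic are assumptions made for the example; a real deployment would feed the same rules from a pcap or flow export.

```python
"""Classify packet records into LAND, smurf, fraggle and SYN-flood findings.

Added example, not from the study notes. Packet records are constructed by
hand with RFC 1918 / 5737 addresses; broadcast detection assumes /24 subnets.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags as letters, e.g. "S", "SA", "A"
    icmp_type: int = -1   # 8 = echo request


def is_broadcast(addr):
    return addr.endswith(".255")   # assumption: /24 directed broadcast only


def classify(packets, syn_threshold=5):
    """Return {attack: count}; a SYN flood counts once per flooded target."""
    findings = Counter()
    half_open = defaultdict(set)   # target -> {(src, sport)} SYN seen, no ACK yet
    for p in packets:
        if p.proto == "tcp" and p.src == p.dst and p.sport == p.dport:
            findings["land"] += 1
        if p.proto == "icmp" and p.icmp_type == 8 and is_broadcast(p.dst):
            findings["smurf"] += 1     # echo to broadcast: every host replies to the spoofed src
        if p.proto == "udp" and is_broadcast(p.dst) and p.dport in (7, 19):
            findings["fraggle"] += 1   # echo/chargen to broadcast: same trick over UDP
        if p.proto == "tcp":
            key = (p.src, p.sport)
            if p.flags == "S":
                half_open[p.dst].add(key)
            elif "A" in p.flags:
                half_open[p.dst].discard(key)   # handshake completed (or reset)
    for target, pending in half_open.items():
        if len(pending) >= syn_threshold:
            findings["syn_flood"] += 1
    return dict(findings)


SERVER = "10.0.0.5"
# Constructed capture: one benign handshake, one of each attack.
SAMPLE = [
    Packet("10.0.0.7", SERVER, "tcp", 40000, 80, "S"),
    Packet(SERVER, "10.0.0.7", "tcp", 80, 40000, "SA"),
    Packet("10.0.0.7", SERVER, "tcp", 40000, 80, "A"),
    Packet(SERVER, SERVER, "tcp", 80, 80, "S"),                 # LAND
    Packet(SERVER, "10.0.0.255", "icmp", icmp_type=8),          # smurf, spoofed as victim
    Packet(SERVER, "10.0.0.255", "udp", 53, 7),                 # fraggle, spoofed as victim
] + [
    Packet(f"203.0.113.{i}", SERVER, "tcp", 1024 + i, 80, "S") for i in range(6)  # SYN flood
]
```

The smurf and fraggle rules key on the broadcast destination rather than on volume, which is why "disable directed broadcasts" is the defense that removes the amplifier; the SYN-flood rule needs state (the half-open table) because a single SYN is normal traffic.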
  VoIP defense - strong passwords/2FA, record call logs, block international calling, outsource to a SaaS provider, firmware updates, restrict physical access to VoIP networking equipment, user training, NIPS
PBX defense
  replace remote access/long-distance calling through the PBX with a credit card or calling card system
  restrict dial-in/dial-out features to authorized individuals
  protect the administrative interface
  deploy Direct Inward System Access (DISA) to reduce PBX fraud by external parties
Unsecure protocols --> secure replacements
  telnet (TCP 23) --> SSH (TCP 22)
  TFTP (UDP 69), FTP (TCP 20 data, 21 control) --> FTPS (FTP over SSL/TLS), SFTP (file transfer over SSH)
  managing and monitoring network devices: SNMPv1/v2c - community strings in clear text, eavesdropping; defense: SNMPv3 with authentication and encryption (authPriv, gives CIA), physical security
RFID - privacy violations (tracking without consent)
NFC - on-path attack, eavesdropping, data manipulation, replay attack
Bluetooth (802.15) attacks
  sniffing - packet capture
  bluesmacking - DoS via garbage traffic / signal jamming
  bluejacking - sending unsolicited messages
  bluesnarfing - data theft from the device
  bluebugging - remote control of the device
  Bluetooth 2.1 - weak encryption cipher; Bluetooth 4.1 - AES-CCM, a strong cipher
  best practice: use only for non-confidential activities, change the default PIN, turn off discovery mode when not in use
Cellular - interception risk; the provider is an on-path (MitM) position; cell phones bridge the cellular network into the office
Network architecture
  VXLAN - MAC spoofing, DoS
  SDN - MitM, DoS on the controller; secure the controller and its channels with TLS
  security issue: the volume of data to monitor
Endpoint
  defense: least privilege, backups, SIEM, application whitelisting, file encryption, automated patching, restrict use of removable media
  Endpoint detection and response (EDR) - evolution of antimalware, IDS and firewall into one agent with telemetry and response actions
5.1 Identity and Access Management (IAM)
Access provisioning lifecycle (creation, management, deletion)
  1. provisioning - create the new account / enrollment (username), approved by the owner or manager
  2. management - periodic account review for inactive accounts, excessive rights and privilege creep
  3. deprovisioning / offboarding - disable the account first, delete it after a retention period (e.g. 30 days); collect issued hardware, terminate employee benefits
Password policy
  minimum password age - stops a user changing the password repeatedly to cycle back to a favourite one
  maximum password age - forces a change after a period (expiry days)
  password history - old passwords cannot be reused
Authentication factors
  type 1: something you know - password, PIN, passphrase (memorized)
  type 2: something you have - passport, smart card, token, cookie, single-use password / one-time pad (physical)
    synchronous token - OTP changes on a fixed TIME interval; asynchronous token - challenge/response
    magnetic stripe - swiped through a reader; contact card - inserted into the reader; contactless card / smart card - read by proximity (RFID tag); hybrid - both contact and contactless
  type 3: something you are - fingerprint and other biometrics; related factors: somewhere you are (location), callback to a known number (human verification)
  biometrics
    retina (blood vessel pattern) - most accurate, but invasive ~ privacy issue (can reveal health conditions)
    iris (coloured ring around the pupil) - accuracy affected by lighting
    False Rejection Rate (FRR) - Type I error, a legitimate user is rejected; False Acceptance Rate (FAR) - Type II error, an impostor is accepted; Crossover Error Rate (CER) - the threshold where FRR = FAR; a lower CER means a more accurate system
    enrolment - registering with the biometric system (one time); throughput - authentication/response time (target < 10 s)
Access control models
  Discretionary access control (DAC) - the owner grants rights based on identity and may delegate them; flexible and scalable [ACL, Windows/NTFS files; favours availability]
  Mandatory access control (MAC) - labels + clearance, enforced by the OS; users cannot delegate rights [confidentiality comes first]
    hierarchical environment - a higher clearance covers all lower levels (top to bottom)
    compartmentalized environment - each compartment needs its own clearance, regardless of level
    hybrid - hierarchical levels with compartments inside them
  Nondiscretionary (NDAC) - a central authority (admin) defines the rules: role based (AD groups), rule based (firewall ACL), attribute based
  Role-based access control (RBAC) - rights attached to roles/jobs/tasks/groups; suits high-turnover environments; supports integrity
  Rule-based access control (RuBAC) - IF/THEN global rules applied to every subject [firewall]
  Attribute-based access control (ABAC) - decisions from multiple attributes; granular control [SDN, policy]
  Risk-based access control - evaluates the environment [MFA enabled, location, NAC posture]
  Lattice-based access control (LBAC) - upper and lower bounds on a subject's access
  5 As of IAM - authentication, authorization, access to data, audit policies, accountability
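The FRR / FAR / CER relationship from the biometrics notes above, computed from a threshold sweep. This is an added example, not from the study notes; the genuine and impostor match scores are constructed (higher means closer to the enrolled template), and the grid of 100 thresholds is an assumption.

```python
"""FRR / FAR / CER from a threshold sweep over biometric match scores.

Added example, not from the study notes. The score lists are constructed:
higher = closer to the enrolled template.
"""

GENUINE = [0.92, 0.88, 0.85, 0.79, 0.75, 0.70, 0.66, 0.61, 0.55, 0.48]
IMPOSTOR = [0.12, 0.18, 0.25, 0.31, 0.38, 0.44, 0.52, 0.58, 0.63, 0.71]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR) at a given acceptance threshold.

    FRR (Type I): genuine users scoring below the threshold are rejected.
    FAR (Type II): impostors scoring at or above the threshold are accepted.
    """
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def crossover(genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Sweep thresholds 0..1; return (threshold, CER) where FRR and FAR meet."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr, far = rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[2]:
            best = (t, (frr + far) / 2, gap)
    return best[0], best[1]


def threshold_for_max_far(max_far, genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Lowest threshold (hence lowest FRR) whose FAR stays at or below max_far.

    Tightening security this way is paid for in convenience: FRR climbs.
    """
    for i in range(steps + 1):
        t = i / steps
        frr, far = rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr, far
    return 1.0, 1.0, 0.0
```

On the constructed scores the curves cross at a threshold of 0.59 with CER 0.2; demanding zero false acceptances pushes the threshold to 0.72 and rejects half of the genuine attempts, which is the trade-off the exam question about "high security vs. user convenience" is really asking about.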

Tip: 2FA must combine SEPARATE factor types (e.g. smart card + PIN); two type-1 factors are still single-factor
key stretching - a deliberately slow password hash (PBKDF2, bcrypt, scrypt, Argon2) that adds noticeable cost (on the order of a second) to each verification, so every brute-force or dictionary guess costs the attacker the same
clipping level - threshold of wrong login attempts tolerated before lockout/alerting; keeps admin overhead low (a user gets a few tries)
nonce (cryptography) - arbitrary or pseudorandom number used only once
salt - random data added as extra input when hashing a password; a different salt per user defeats rainbow-table attacks
knowledge-based authentication - private financial details; cognitive password - security question
Federated identity protocols
  SAML - XML-based exchange of authentication and authorization assertions between security domains; often used for web SSO. Roles: principal (user), service provider (SP, the application or third-party dashboard), identity provider (IdP, the SSO portal). Example: web browser SSO into Salesforce
  OAuth 2.0 - authorization framework [access token], not authentication. Roles: resource owner (user), client (third-party app), authorization server (e.g. Facebook or Google issuing the access token), resource server (hosts the protected resource). Examples: "Login with Google" on a third-party website, sharing a post to LinkedIn
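Salting, key stretching and the clipping level from the notes above, combined in one small credential store. This is an added example, not from the study notes: it uses PBKDF2-HMAC-SHA256 from the Python standard library as the stretching function (bcrypt, scrypt or Argon2 would be the usual production choices), and the iteration count, lockout period, usernames and passwords are assumptions.

```python
"""Salted, stretched password storage with a clipping level and lockout.

Added example, not from the study notes. PBKDF2-HMAC-SHA256 stands in for
bcrypt/scrypt/Argon2; iteration count, lockout period and credentials are
made up.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000       # stretching cost; tune so one verification takes ~0.1-1 s
CLIPPING_LEVEL = 5         # wrong attempts tolerated before the account locks
LOCKOUT_SECONDS = 900


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt$digest' with a fresh random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time compare


def stretch_cost(iterations):
    """Seconds one verification takes: the attacker pays this per guess too."""
    start = time.perf_counter()
    hash_password("benchmark", iterations)
    return time.perf_counter() - start


class Accounts:
    """User store with a clipping level: too many failures lock the account."""

    def __init__(self, iterations=ITERATIONS, clipping_level=CLIPPING_LEVEL,
                 lockout=LOCKOUT_SECONDS, clock=time.time):
        self.iterations = iterations
        self.clipping_level = clipping_level
        self.lockout = lockout
        self.clock = clock                  # injectable for testing
        self.users, self.failures, self.locked_until = {}, {}, {}
        self._dummy = hash_password("dummy", iterations)   # hashed like a real user

    def register(self, user, password):
        self.users[user] = hash_password(password, self.iterations)

    def login(self, user, password):
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "locked"
        # Always run the full verification, against a dummy hash for unknown
        # users, so response time does not reveal which usernames exist.
        stored = self.users.get(user, self._dummy)
        if verify_password(password, stored) and user in self.users:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.clipping_level:     # clipping level reached
            self.locked_until[user] = now + self.lockout
            self.failures[user] = 0
            return "locked"
        return "denied"
```

Two details matter for the exam questions around this: the salt makes two users with the same password hash differently (so a rainbow table is useless), and the clipping level is enforced per account, which is exactly why password spraying rotates accounts rather than passwords.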


  OpenID - decentralized authentication: the user visits a website (relying party) and presents an OpenID identity held at an identity provider; e.g. Facebook login to the Spotify app
  OpenID Connect (OIDC) - authentication layer on top of OAuth 2.0 [authentication + authorization]; identity is carried in a signed JSON Web Token (the ID token); e.g. Google account login to eBay
    3 flows: authorization code flow (a code is exchanged for tokens on the back channel), implicit flow (tokens returned directly to the browser; deprecated), hybrid flow (a mix of both)
  Federated Identity Management (FIM) - links one system's user identity with other IdMs (on-premises, cloud, hybrid) across multiple enterprises; gives parties the company does not own access to the company's data resources
  IDaaS - identity as a service: a third-party (cloud) service that manages IAM, typically via OIDC/SAML
  XACML - Extensible Access Control Markup Language, for expressing access control policies
  SPML - Service Provisioning Markup Language, for exchanging user, resource and service provisioning information for federated SSO
credential management system - creates and maintains passwords, digital certificates, biometric records
mutual authentication - both sides prove their identity (digital certificates, VPN)
Single Sign-On (SSO) - centralized access control: authenticate once, then access multiple resources (Kerberos, ADFS, CAS)
Just-In-Time (JIT) access
  broker and remove access - access granted for a period with justification
  ephemeral accounts - one-time use, then disposed of
  temporary elevation - privileges elevated for a limited time
Authorization mechanisms
  implicit deny - deny by default unless explicitly allowed
  access control matrix - table of subjects (users), objects (files) and privileges (read, write); a capability table is the row view (focus on the subject), an ACL is the column view (focus on the object)
  constrained interface - restricts what is shown or usable based on privilege (Clark-Wilson)
  content-dependent control - based on the content within the object; context-dependent control - based on access time, location, etc.
  need to know (justification), least privilege (only what the task needs), separation of duties (sensitive tasks split between 2 persons)
AAA protocols (network devices)
  TACACS+ - separates AAA into distinct processes, supports 2FA, centralized, encrypts the entire payload, TCP 49
  RADIUS - centralized authentication; MD5-based (less secure), encrypts only the password, UDP 1812/1813 (legacy 1645/1646); the network access server (NAS) is the RADIUS client; used for VPN and dial-up access
  Diameter - RADIUS' successor; used in VoIP, mobile IP, wireless
Access control attacks
  dictionary attack (wordlist), brute force (all possible combinations)
  spoofed logon screen, spoofing (phishing), social engineering
  horizontal privilege escalation (account to a peer account), vertical privilege escalation (to a higher privilege level)
  password spraying - the same guessed password tried across many accounts and systems, staying under each account's lockout
  credential stuffing - stolen credentials replayed on other sites
  Mimikatz - reads passwords from memory, extracts Kerberos tickets, certificates and private keys
  pass the hash - authenticate with a captured password hash instead of the password (Mimikatz, DCSync)
  defense: physical security, controlled access, hash and salt passwords, 2FA, account lockout, user education
LDAP (vendor neutral, port 389; LDAPS 636) and directory trusts
  one-way trust - one domain allows access to another but not the reverse
  two-way trust - both domains allow access to each other
  transitive trust - trust extends beyond the two domains to other trusted domains in the forest
  non-transitive trust - one-way trust that does not extend beyond the two domains
Centralized vs decentralized access control
  centralized (easy to disable access): RADIUS, TACACS+, Diameter, LDAP, Kerberos, SESAME
  decentralized: inconsistent procedures, harder to disable access, but faster (no central dependency)
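What a relying party has to check before trusting the OIDC ID token mentioned in the federated identity notes above. This is an added example, not from the study notes: it signs with HS256 and a shared client secret so that it runs with the standard library only, whereas real providers normally use RS256/ES256 with keys fetched from the issuer's JWKS endpoint; the issuer, audience, secret and claims are assumptions.

```python
"""Verifying an OIDC ID token (JWT) before trusting its claims.

Added example, not from the study notes. HS256 with a shared secret stands in
for the provider's RS256/ES256 keys; issuer, audience and claims are made up.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, secret, header=None):
    """Mint a token (what the identity provider does after authentication)."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_id_token(token, secret, issuer, audience, nonce=None, now=None):
    """Return the claims if every check passes; raise ValueError naming the failure.

    Order matters: the algorithm is pinned and the signature checked before any
    claim is read, so 'alg: none' or a swapped algorithm never gets that far.
    """
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")      # minted for another client
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")         # replay of an old token
    return claims
```

The audience check is the one most often skipped in practice: a token that is validly signed by the IdP but issued to a different client must still be refused, otherwise any application in the federation can log its users into yours.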
5.2 Kerberos
Properties - AAA with confidentiality and integrity; ticket based; symmetric encryption (AES); mutual authentication; SSO; the password never crosses the network, so the exchange resists eavesdropping
Elements
  Key Distribution Center (KDC) - holds every principal's secret key; runs the Authentication Service (AS) and the Ticket-Granting Service (TGS)
  Ticket-Granting Ticket (TGT) - proof of authentication (session key, expiration time, client IP), encrypted so only the KDC can read it
  Service Ticket (ST) - encrypted message that authorizes access to one service
Process
  1. the user enters credentials; the client sends the user ID in clear text to the AS
  2. the KDC replies with a TGT plus a client/TGS session key; the reply (with a timestamp) is encrypted with the hash of the user's password
  3. the client decrypts the session key with the hash of the user's password; to reach a service it sends the TGT + the ID of the service + an authenticator (client ID, timestamp) encrypted with the client/TGS session key to the TGS
  4. the TGS returns a service ticket (ST) encrypted with the service's key, plus a second session key shared by client and service
  5. the client sends the ST + a fresh authenticator under the second session key to the server it wants to access; the server decrypts the ST and grants access (and can answer with the timestamp to prove itself: mutual authentication)
Issues - single point of failure (KDC); the secret key (password hash) is stored on the user's workstation; the decrypted session key resides on the user's workstation; password guessing / brute force against captured replies; network traffic to the service is not protected by Kerberos itself; clocks must be synchronized (5 minute skew by default); the KDC must be scalable
Attacks
  overpass the hash / pass the key - with NTLM disabled, use the stolen NT hash as the Kerberos long-term key to obtain a TGT
  pass the ticket - impersonate a user with tickets harvested from lsass.exe memory
  silver ticket - forge a service ticket (ST) with a compromised service account key; the KDC is never contacted
  golden ticket - forge TGTs for any account after obtaining the krbtgt account hash from AD
  kerbrute - Kerberos user enumeration and password brute force / spraying
  kerberoasting - request encrypted TGS tickets for service accounts (SPNs) and crack them offline
SESAME - successor to Kerberos; uses Privilege Attribute Certificates (PAC), both symmetric and asymmetric cryptography
Trusts (AD)
  realm trust - trust with an existing Kerberos V5 realm
  shortcut trust - transitive trust between parts of a domain tree or forest
  forest trust - transitive trust between two forest root domains
  external trust - non-transitive trust between AD domains in separate forests
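The five-step AS / TGS / AP exchange described above, simulated end to end with both sides' messages. This is an added example, not from the study notes: the "encryption" is a toy authenticated scheme (SHA-256 keystream plus HMAC) standing in for Kerberos' AES-CTS, the string-to-key function is a plain SHA-256, pre-authentication is omitted exactly as in the 5-step description, and the KDC, principals and passwords are made up.

```python
"""Kerberos AS / TGS / AP exchanges simulated end to end.

Added example, not from the study notes. Toy authenticated encryption
(SHA-256 keystream + HMAC) replaces AES-CTS; principals are made up;
pre-authentication is omitted as in the 5-step description.
"""
import hashlib
import hmac
import json
import os

SKEW = 300          # seconds of clock skew tolerated (MIT default 5 min)
LIFETIME = 600


def string2key(password):
    return hashlib.sha256(password.encode()).digest()   # toy string-to-key


def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def encrypt(key, obj):
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def _check_authenticator(auth, ticket, now):
    if auth["user"] != ticket["user"] or abs(auth["ts"] - now) > SKEW:
        raise ValueError("authenticator rejected: identity mismatch or clock skew")
    if ticket["exp"] < now:
        raise ValueError("ticket expired")


class KDC:
    """Authentication Service + Ticket-Granting Service over one key database."""

    def __init__(self, principals, clock):
        self.keys = {name: string2key(pw) for name, pw in principals.items()}
        self.krbtgt = os.urandom(32)     # key that protects TGTs (the golden-ticket secret)
        self.clock = clock

    def as_exchange(self, user):                               # steps 1-2
        sk = os.urandom(32)
        tgt = encrypt(self.krbtgt, {"user": user, "sk": sk.hex(), "exp": self.clock() + LIFETIME})
        return encrypt(self.keys[user], {"sk": sk.hex(), "tgt": tgt.hex(), "ts": self.clock()})

    def tgs_exchange(self, tgt_hex, authenticator, service):   # steps 3-4
        tgt = decrypt(self.krbtgt, bytes.fromhex(tgt_hex))
        sk = bytes.fromhex(tgt["sk"])
        _check_authenticator(decrypt(sk, authenticator), tgt, self.clock())
        sk2 = os.urandom(32)
        st = encrypt(self.keys[service], {"user": tgt["user"], "sk": sk2.hex(), "exp": self.clock() + LIFETIME})
        return encrypt(sk, {"sk2": sk2.hex(), "st": st.hex()})


class Service:
    def __init__(self, password, clock):
        self.key, self.clock = string2key(password), clock

    def ap_exchange(self, st_hex, authenticator):             # step 5
        st = decrypt(self.key, bytes.fromhex(st_hex))
        _check_authenticator(decrypt(bytes.fromhex(st["sk"]), authenticator), st, self.clock())
        return st["user"]


def client_login(kdc, service, user, password, service_name, clock):
    """Full client flow; raises ValueError on wrong password, skew or tampering."""
    reply = decrypt(string2key(password), kdc.as_exchange(user))   # user ID went in clear
    sk = bytes.fromhex(reply["sk"])
    tgs_reply = decrypt(sk, kdc.tgs_exchange(reply["tgt"],
                                             encrypt(sk, {"user": user, "ts": clock()}),
                                             service_name))
    sk2 = bytes.fromhex(tgs_reply["sk2"])
    return service.ap_exchange(tgs_reply["st"], encrypt(sk2, {"user": user, "ts": clock()}))
```

Reading the simulation against the attack list: the AS reply is encrypted only under the password-derived key, so anyone who captures it can try passwords offline (the "password guessing" issue, and why Kerberos 5 added pre-authentication); the service ticket is readable by whoever holds the service key (silver ticket); and the TGT is readable and forgeable by whoever holds `krbtgt` (golden ticket).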


6 Security Assessment and Testing
Terminology
  security test - verifies that a control functions properly
  security assessment - comprehensive review of security (documents, controls, operations, who implements them)
  security audit - an independent auditor demonstrates the effectiveness of controls
Audit process - 1. determine goals; 2. involve business unit leaders; 3. determine scope; 4. choose the audit team; 5. plan the audit; 6. conduct the audit; 7. document results; 8. communicate results
Vulnerability assessment
  SCAP components - CVE, CVSS, CCE, CPE, XCCDF, OVAL
  vulnerability scan - probes systems, applications and networks for weaknesses
  network discovery scan - nmap over an IP range for open ports and services
  web vulnerability scan - every new app, before production, recurring, before code changes
  database vulnerability scan - sqlmap
  vulnerability management workflow - detection (VA) --> validation --> remediation
Penetration testing
  0. planning - scope, rules of engagement (ROE), written permission!!
  1. discovery - footprinting, gathering information on the target
  2. enumeration - port scan
  3. vulnerability mapping - identifying vulnerabilities in the identified systems
  4. exploitation - gain unauthorized access
  5. report to management with recommendations
  (alternative phrasing: planning > reconnaissance > scanning (enumeration) > vulnerability assessment > exploitation > reporting)
  knowledge: black box (zero knowledge, simulates an external attacker); white box (detailed information, shorter engagement, higher likelihood of finding flaws; admin access); gray box (partial knowledge, normal user access)
  awareness: double blind (no information to testers, staff not informed); blind (no information to testers, staff informed); targeted (information provided, staff informed)
  breach and attack simulation - automates parts of penetration testing (red + blue team)
Software testing
  static testing - analyzes source code without running it
  dynamic testing - exercises the running environment; synthetic transactions (Selenium scripts) verify system performance; IAST - real-time analysis of runtime behaviour; RASP - runs on the server and intercepts calls to block attacks
  fuzz testing - mutation (dumb) fuzzing alters previously valid inputs; generation (intelligent) fuzzing creates new inputs from the format specification; drawback: cannot guarantee full coverage, tends to find simple vulnerabilities
  interface testing - assesses the interaction between components and systems (correct function): API, UI (GUI, command line), physical interfaces (machinery, logic controllers)
  misuse case testing - negative testing of how the system reacts to abuse
  regression testing - ensures changes (bug fixes) do not introduce new issues
  compliance testing - compliance with rules, regulations, laws
  operational testing - backups in place, patching, software tested for vulnerabilities
  acceptance testing - live and dev environments work as expected; user acceptance testing - done by end users and the application manager
  test coverage analysis - branch coverage (if/else), condition coverage (logic), function coverage, loop coverage, statement (line of code) coverage
  monitoring - passive: real user monitoring (RUM) tracks user interaction with the website, using a SPAN port or similar to copy traffic and watch it in real time; active: synthetic monitoring measures response time and discovers problems before users notice
  boundary testing - negative testing at the edges of valid input; positive testing - works as designed for a given use case
  CRUD testing - DB objects are created, read, updated and deleted correctly
Security process data
  compliance checks - verify the controls in the compliance plan function properly
  log review (systems are not misused) - concerns: volume of data, data storage security requirements, network bandwidth; audit log issues: logs not reviewed regularly or timely, entries and alerts not prioritized, only "bad stuff" audited
  account management (privileged user) review
  key performance / key risk indicators - number of open vulnerabilities, time to resolve, number of compromised accounts, number of user attempts to reach malicious sites
  backup verification, training & awareness, DR, BC
Audits
  internal / unstructured audit - the organization's own staff; external / third-party / structured audit - outside audit firm (no conflict of interest); third-party audit on behalf of another organization (COBIT) for regulatory purposes
  SOC 1 - financial controls; SOC 2 - security controls (confidential, shared under NDA); SOC 3 - security (public)
  type 1 - description of controls at a single point in time (document review); type 2 - effectiveness of controls over a period of time (6+ months)
  ethical disclosure - report the vulnerability to the vendor and allow time to patch before public disclosure
Code review - Fagan inspection: planning, overview, preparation, inspection, rework, follow-up
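Mutation (dumb) fuzzing as described under software testing above, run against a small parser. This is an added example, not from the study notes: the TLV parser and its deliberately missing bounds check are constructed for the example (no real product is implied), the seed input is made up, and the fuzzer treats anything other than the parser's documented ValueError as a crash worth triaging.

```python
"""Mutation (dumb) fuzzing against a small constructed parser.

Added example, not from the study notes. The TLV parser below is written for
this example and carries a deliberate missing bounds check; the fuzzer is
generic.
"""
import random


def parse_record(buf):
    """Constructed target: count byte, then (tag, length, value) entries.

    Bug: the entry header is indexed without checking it lies inside buf.
    """
    if len(buf) < 1:
        raise ValueError("empty record")       # documented, handled error
    count, pos, out = buf[0], 1, {}
    for _ in range(count):
        tag, length = buf[pos], buf[pos + 1]   # IndexError on truncated input
        out[tag] = buf[pos + 2:pos + 2 + length]
        pos += 2 + length
    return out


def parse_record_fixed(buf):
    """Hardened version: every read is bounds-checked, so the fuzzer finds nothing."""
    if len(buf) < 1:
        raise ValueError("empty record")
    count, pos, out = buf[0], 1, {}
    for _ in range(count):
        if pos + 2 > len(buf):
            raise ValueError("truncated entry header")
        tag, length = buf[pos], buf[pos + 1]
        if pos + 2 + length > len(buf):
            raise ValueError("truncated entry value")
        out[tag] = buf[pos + 2:pos + 2 + length]
        pos += 2 + length
    return out


def mutate(seed, rng):
    """One random mutation: overwrite a byte, delete a byte or insert a byte."""
    data = bytearray(seed)
    op = rng.randrange(3)
    if op == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1 and len(data) > 1:
        del data[rng.randrange(len(data))]
    else:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)


def fuzz(target, seeds, iterations=2000, rng_seed=1):
    """Return {exception_name: first_crashing_input} found within the budget."""
    rng = random.Random(rng_seed)          # fixed seed: reproducible campaign
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except ValueError:
            continue                         # expected rejection, not a bug
        except Exception as exc:             # anything else is a crash
            crashes.setdefault(type(exc).__name__, case)
    return crashes


SEED = b"\x02\x01\x03abc\x02\x01z"           # 2 entries: tag 1 = "abc", tag 2 = "z"
```

This is also a concrete reading of the "drawback" line: the fuzzer only ever reaches code that random edits of the seed happen to hit, so it finds the shallow bounds bug quickly but says nothing about paths the seed never touches; a generation-based fuzzer built from the TLV specification would cover those.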
7.1 Investigation, logging and monitoring
Evidence
  admissible - relevant (to a fact in the case), material, competent (legally obtained)
  rules of evidence: accurate, complete, authentic, convincing, admissible
  real - physical object (computer equipment, hard drive)
  secondary - copy of logs, documents
  direct - proves or disproves a fact through a witness's own five senses
  documentary - written form, logs; must be introduced by a witness who can testify to it; best evidence rule - the original document must be produced; parol evidence rule - a written agreement between parties is taken as the complete agreement
  testimonial - verbal or written testimony; direct evidence (oral testimony based on direct observation); expert opinion; hearsay rule ("someone told me") - secondhand testimony is generally inadmissible
  demonstrative - supports testimonial evidence (network diagram, walkthrough of how the DoS happened)
  corroborative - supports other evidence but cannot stand on its own
  exigent circumstances - an immediate threat to human life or of evidence destruction allows seizure under "color of law" without a warrant
Evidence lifecycle - 1. discovery; 2. protection; 3. recording; 4. collection; 5. analysis; 6. storage and preservation; 7. presentation in court; 8. return to owner
Collection
  DON'T - power off, remove or attach devices before imaging
  DO - write blocker (read-only tool); hash --> bit-by-bit copy --> compute the hash again and check it is identical
  media - hard disk, tapes, CDs, DVDs; memory - memory dump (volatile, collect first)
  network analysis - IDS/IPS logs, packet captures, firewall logs, SPAN port, software protocol analyzer
  software analysis - source code, application or DB log files
  hardware/embedded - PC, smartphone, tablet, embedded computer
  forensic disk controller / write blocker - intercepts write commands, returns data on read, returns access-significant information, reports errors to the forensic host
  voluntary surrender - the user is not a suspect
  subpoena - court-issued order compelling an individual to surrender evidence (not needed for the organization's own assets)
  plain view doctrine - evidence in plain view during lawful duty may be seized without a warrant
  search warrant - confiscate evidence from a suspect with stated probable cause; exigent circumstances - evidence believed to be about to be destroyed
Investigation process
  calling in law enforcement
  conduct the investigation - never hack back, never investigate on the compromised system itself (work from an image)
  interview - gather information from individuals; interrogation - questioning a suspect
  protect the integrity and retention of log files - digital signatures reveal tampering
  reporting and documentation
International Organization on Computer Evidence (IOCE) - 6 principles
Electronic Discovery Reference Model (EDRM) - 9 aspects: 1. information governance; 2. identification (locate); 3. preservation; 4. collection; 5. processing (cull irrelevant data); 6. review (examine relevance); 7. analysis (inspect content); 8. production (format and deliver); 9. presentation
Logging
  log types - security logs (access/modification events); system logs (start/stop); application logs (DB logs, web server logs); firewall logs (traffic reaching the FW); proxy logs (users' website visits); change logs (change requests)
  log management - SIEM stores logs centrally; backup lifecycle; access control on the logs
  rollover logging - overwrites the oldest events when the maximum log size is reached
  continuous monitoring, log analysis and audit trails (reconstruct events) = accountability
  monitor for system failures, OS bugs, software errors, malicious attacks; laws driving retention: SOX, HIPAA, EU privacy laws
  egress monitoring - monitor traffic leaving to the internet [DLP: the first step is an inventory of sensitive data]
  sampling - extract a small portion from the pool; statistical sampling - a math function extracts meaningful information; clipping - select only events that exceed a threshold (failed logon attempts)
Monitoring
  SIEM - logging and correlation (detect abnormalities); aggregation into useful information
  syslog - used in Linux/Unix (UDP 514; syslog over TLS on TCP 6514)
  SOAR - SIRP (security incident response platform) + SOA (security orchestration and automation) + TIP (threat intelligence platform)
  automating incident response - playbook: how to verify and handle an incident; runbook: the automated implementation of the playbook
  ML is a subset of AI - an ML model starts from training data and rules and learns patterns; AI is the broader field
Threat intelligence - threat feeds (raw data); threat hunting (actively searching for threats already in the network); Cyber Kill Chain (Lockheed Martin) - 7 phases; MITRE ATT&CK - tactics and techniques
Computer crime motives - military & intelligence (obtain secret/restricted information, disrupt military planning, threaten national security); business (jeopardize CIA, steal IP); financial (obtain money or services: stolen credit card numbers, funds transfer, shoplifting); terrorist (fear, disrupt daily life); grudge (damage an organization, e.g. a former employee); thrill (script kiddies, website defacement); hacktivist (political motivation)
UEBA - user and entity behaviour on endpoints --> build a profile --> highlight deviations that may indicate compromise (compromised account, brute force, permission changes, superuser account creation, data breach)
7.2 Security operations: incident management, IDS/IPS, configuration, patch and change management
Sec ops concepts
  need to know - access only to the data or resources required for the task
  least privilege - grant only the privileges necessary to perform the task
  separation of duties - no single person controls a critical system end to end
  two-person control - approval required from 2 individuals
  split knowledge - SoD + two-person control applied to a secret: each person holds only part of it
  privileged account management - special administrative accounts for emergency use only, monitored
  job rotation - rotate responsibilities; deters and detects fraud
  mandatory vacation - another employee takes over the individual's job and can spot irregularities
  service level agreement (SLA) - enforceable; a memorandum of understanding (MOU) between 2 entities working toward a goal is less formal and carries no penalties
  NIST SP 800-61 - Computer Security Incident Handling Guide
IDS / IPS
  NIDS - listens on a promiscuous/SPAN port, monitors and alerts; HIDS - installed on a single host, monitors the local host, drains resources
  knowledge-based / signature / pattern matching detection - low false positives, effective only against known attacks
  behaviour-based / statistical / anomaly / heuristic detection - detects new attacks, many false positives
  IDS (reactive: detect and alert) vs IPS (proactive): NIPS sits inline, preventive and responsive
  components - sensor, analyzer, admin interface
  outcomes - TP (attack detected and alerted), FP (alerted but not a real attack), FN (attack missed), TN (nothing happened, no alert)
  honeypot - trap that delays and detects intruders and gathers information about them; honeynet - a network of honeypot hosts (often virtual); pseudo-flaws - false vulnerabilities implanted in a system
  enticement (the attacker acts on their own initiative) - legal and ethical, e.g. a honeypot; entrapment (tricking an innocent person into committing a crime) - illegal and unethical
Configuration management (ops process) - goal: systems are deployed securely; identification --> baseline --> version control --> auditing; provisioning - install and configure the OS and apps; baselining - the starting configuration; plus inventory and licensing
Patch management - managing software updates that fix security issues: evaluate --> test --> approve --> deploy --> verify
Vulnerability management - identify --> evaluate --> mitigate; vulnerability scanner (detects known vulnerabilities), vulnerability assessment (review and audit)
Resource protection - security policy, marking, labelling, handling and secure storage, encrypted media, backups
Incident management
  1. detection - triage
  2. response - activate the incident response team
  3. mitigation - contain to limit impact (isolation)
  4. reporting - including PII breach notifications
  5. recovery
  6. remediation - root cause analysis, apply controls to prevent recurrence
  7. lessons learned
  CBK phrasing: preparation, detection, analysis, response, review & improvement
  espionage (external competitor) vs sabotage (malicious insider)
  zero-day exploit - exploits a vulnerability unknown to the vendor and the public, so no patch exists
Change management - goal: changes do not cause damage
  1. request the change - type of change, amount of time/work, rollback plan, impact, how users are notified
  2. review the change - change advisory board (CAB)
  3. approve or reject the change
  4. test the change - in a non-production environment
  5. schedule and implement - non-peak hours, maintenance window, rollback plan, backup of configuration/data
  6. document the change


7.3 Disaster recovery (process flow)
Terminology
  single point of failure - one component's failure takes down the entire system
  system resilience - maintains an acceptable level of service through an adverse event (failover)
  fault tolerance - keeps operating despite a fault (RAID)
  high availability - redundant technology (load balancing, clustering)
  quality of service - bandwidth, latency (delay), jitter (variation in latency between packets), packet loss (retransmission), interference (electrical noise)
  recovery (failover) - bring business processes to a working state (most critical first); restoration / failback / reconstitution (salvage team) - bring the facility and environment back to normal (least critical first)
Disaster types - natural (earthquake, flood, snow, tornado); human (strike, malware, carelessness); environmental (power outage, hardware failure, provider issue)
Disruption types - non-disaster (service disrupted), disaster (facility unusable), catastrophe (facility destroyed)
Goal of DR & BCP - responsiveness in different situations, written procedures, logical decisions during a crisis; misc: BIA + DRP, crisis management, emergency communications, workgroup recovery
DRP (procedures) - goal: respond to the disaster, assess damage & time, perform salvage & repair; steps: restore from backup tapes, relocate to the alternate site, restart business operations
Database recovery - electronic vaulting (periodic bulk transfer of DB backups); remote journaling (transaction log transferred frequently, e.g. hourly); remote mirroring / DB shadowing (live duplicate DB at the alternate site)
Backups
  full - complete backup; clears the archive bit
  copy - full backup that does not clear the archive bit (does not disturb the regular schedule)
  incremental - files changed since the most recent full or incremental; clears the archive bit; fastest backup, slowest restore (full + every incremental since)
  differential - files changed since the most recent full; does not clear the archive bit; backups grow through the week, restore needs only full + last differential
  best practice: periodic backups, real-time continuous backup for critical data, test restores from full backups
Tape rotation
  Grandfather-Father-Son (GFS) - daily (son) tapes rotated within the week, a weekly (father) tape, a monthly (grandfather) tape
  Tower of Hanoi - 5 sets of tapes labelled A to E, rotated on a binary schedule
  Six Cartridge weekly rotation; HSM (hierarchical storage management) moves data between storage tiers manually or by policy
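The full / copy / incremental / differential behaviour from the Backups notes above, driven by the archive bit. This is an added example, not from the study notes: it constructs a tiny in-memory file system of three files and a week of changes; the restore logic generalizes slightly beyond the notes by also handling a differential taken after incrementals and a copy backup taken mid-chain.

```python
"""Full / copy / incremental / differential backups driven by the archive bit.

Added example, not from the study notes. A tiny in-memory file system is
constructed; the 'archive bit' is the flag the OS sets whenever a file
changes and that full and incremental backups clear.
"""
from dataclasses import dataclass


@dataclass
class File:
    name: str
    version: int = 1
    archive: bool = True      # set on change, cleared by full/incremental


@dataclass
class Backup:
    kind: str
    files: dict               # name -> version captured


def fresh_fs():
    return {n: File(n) for n in ("a", "b", "c")}


def modify(fs, name):
    fs[name].version += 1
    fs[name].archive = True


def full(fs):
    snap = {n: f.version for n, f in fs.items()}
    for f in fs.values():
        f.archive = False
    return Backup("full", snap)


def copy_backup(fs):
    """Like full but leaves the archive bits alone: the regular chain is undisturbed."""
    return Backup("copy", {n: f.version for n, f in fs.items()})


def incremental(fs):
    snap = {n: f.version for n, f in fs.items() if f.archive}
    for f in fs.values():
        f.archive = False
    return Backup("incremental", snap)


def differential(fs):
    return Backup("differential", {n: f.version for n, f in fs.items() if f.archive})


def restore_set(backups):
    """Backups that must be read, in order, to rebuild the latest state.

    Start from the last full; any later backup supersedes differentials before
    it (a newer differential contains them, an incremental cleared their bits).
    Copy backups are out-of-band and ignored.
    """
    last_full = max(i for i, b in enumerate(backups) if b.kind == "full")
    chain = [backups[last_full]]
    for b in backups[last_full + 1:]:
        if b.kind == "copy":
            continue
        while chain[-1].kind == "differential":
            chain.pop()
        chain.append(b)
    return chain


def restore(backups):
    state = {}
    for b in restore_set(backups):
        state.update(b.files)      # later backups overwrite older versions
    return state


def simulate(strategy, changes=("a", "b", "a")):
    """Sunday full, then one change + one backup per day.

    Returns (kinds needed for a restore, restored state, files copied per backup).
    """
    fs = fresh_fs()
    backups = [full(fs)]
    for name in changes:
        modify(fs, name)
        backups.append(strategy(fs))
    return ([b.kind for b in restore_set(backups)],
            restore(backups),
            [len(b.files) for b in backups])
```

The two `simulate` runs show the textbook trade-off in numbers: the incremental week copies 1 file a day but needs all four tapes to restore, the differential week copies 1, 2, 2 files and restores from two tapes, and both end in the same state.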
Software escrow - a third party releases the source code to the customer if the service provider fails
RAID
  striping - data written across several drives (performance); parity - XOR of the data blocks in a stripe, used to rebuild lost or corrupted data
  RAID 0 - striping only, 2+ disks, performance, no redundancy
  RAID 1 - mirroring, 2 disks, redundancy
  RAID 3, 4 - striped sets with a dedicated parity disk (3 = byte level, 4 = block level)
  RAID 5 - striping with distributed parity, 3+ disks; survives one disk loss; most cost-effective for both performance and redundancy
  RAID 6 - two parity blocks per stripe, 4+ disks; survives two disk losses
  RAID 10 - stripe of mirrors, 4+ disks; for critical systems
  JBOD - existing drives of various sizes pooled; no fault tolerance, no speed benefit
DRP tests
  read-through / checklist - paperwork: staff review their responsibilities, review and update the plan, identify key personnel
  structured walk-through / tabletop exercise - talk only; business and technical experts walk through the plans
  simulation - the team develops a response to a given scenario; some non-critical functions are actually tested
  parallel - relocate to the alternate site; production operations are not interrupted
  full interruption - shut down the primary site and restore at the alternate site (needs management approval)
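RAID 5 parity from the RAID notes above, worked through: lay data out with rotating parity, lose one disk, rebuild it, and show why a second loss is unrecoverable. This is an added example, not from the study notes; the 4-byte block size, the three-disk array and the parity rotation rule are simplifications of what a real controller does.

```python
"""RAID 5 parity: rotating-parity layout, single-disk loss and rebuild.

Added example, not from the study notes. Disks are lists of fixed-size byte
blocks; block size and rotation scheme are simplifications.
"""
from functools import reduce

BLOCK = 4


def xor_blocks(blocks):
    """XOR equal-length byte blocks: the parity computation RAID 5 relies on."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def parity_disk(stripe, ndisks):
    return (ndisks - 1 - stripe) % ndisks       # rotate parity across the disks


def raid5_write(data, ndisks=3, block=BLOCK):
    """Return ndisks lists of blocks; each stripe holds ndisks-1 data blocks + parity."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = block * (ndisks - 1)
    data = data + b"\0" * (-len(data) % per_stripe)   # pad to whole stripes
    disks = [[] for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        data_blocks = [chunk[i * block:(i + 1) * block] for i in range(ndisks - 1)]
        parity = xor_blocks(data_blocks)
        pending = iter(data_blocks)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk(s, ndisks) else next(pending))
    return disks


def raid5_read(disks):
    """Reassemble the data by skipping the parity block in every stripe."""
    ndisks, out = len(disks), b""
    for s in range(len(disks[0])):
        p = parity_disk(s, ndisks)
        out += b"".join(disks[d][s] for d in range(ndisks) if d != p)
    return out


def raid5_rebuild(disks):
    """Rebuild the single disk given as None from the survivors (XOR per stripe).

    With two disks missing each stripe has two unknowns and one equation, so
    the array is lost: that is the RAID 6 case.
    """
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) != 1:
        raise ValueError(f"RAID 5 survives exactly one failure, {len(missing)} disk(s) missing")
    survivors = [d for d in disks if d is not None]
    rebuilt = [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]
    return disks[:missing[0]] + [rebuilt] + disks[missing[0] + 1:]
```

Because a survivor's block XORed with the others yields the missing one regardless of whether the missing block was data or parity, the rebuild loop does not need to know which role the failed disk played in each stripe.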
BCP - goal: efficient response to recover from a disruptive event promptly; steps: project scope and planning --> BIA --> continuity planning --> approval and implementation
BCP phases - project initiation (management support, scope, plan, resources); damage assessment (BIA); recovery phase (prepare the offsite location, rebuild the network, staff move to the new facility); reconstitution phase (move back to the original site, restoration)
Recovery strategies
  servers - failover cluster (2+ servers)
  power - UPS: short-term standby power, graceful shutdown (< 30 min); generator: long-term power, takes time to start, no protection from spikes
  trusted recovery - fail secure (block all access) vs fail open (grant all access)
  alternate sites
    hot - fully equipped, data replicated periodically; high cost; recovery in hours
    warm - equipment configured but NO current data; recovery in days
    cold - no computing, only space with water/electricity; low cost; weeks to recover
    service bureau - company leases computing capacity onsite or remote (outsourced)
    mobile site - self-contained trailer
    mutual assistance agreements (MAAs) / reciprocal agreements - 2 orgs assist each other by sharing computing facilities (inexpensive); drawbacks: difficult to enforce (trust), close proximity (same threat), confidentiality of data
Physical security - fences, gates, turnstile (prevents more than one person per entry), mantrap (2 doors to prevent piggybacking), lighting, security guards (can make decisions), dogs (liability issue), reception (visitors), keys and combination locks, occupant emergency plan (human life is the top priority)
Personal safety - travel (electronic devices, free Wi-Fi, sensitive data), security training and awareness, emergency management, duress (performing an action under threat, e.g. pressing the SOS button in a bank)
8.1 Software Development Security
SDLC - 1. initiation and planning (objectives, requirements); 2. functional requirements (business logic that fits end-user needs); 3. control design specification (modular system flow laid out); 4. development (coding); 5. code review; 6. system test; 7. maintenance and change management
Change management (software)
  request control - users request; management does the cost/benefit analysis; developers prioritize tasks
  change control - analyse the changes (software code quality)
  release control - approve the changes (acceptance testing)
Project tools - Gantt chart (graphical task vs time interval, to plan, coordinate and track tasks); Program Evaluation Review Technique (PERT) (scheduling tool that judges the size of software in development); critical path method (CPM) (insight into the sequence of project tasks)
Development methodologies
  traditional waterfall - 7 stages, each completed before the next starts (requires clear requirements up front)
  sashimi - waterfall with overlapping phases
  iterative waterfall - can return to the previous phase to correct defects (feedback loop)
  spiral model - multiple iterations of waterfall (prototypes): planning, risk analysis, engineering, evaluation
  agile manifesto - individuals and interactions over processes and tools; working software over comprehensive documentation; customer collaboration over contract negotiation; responding to change over following a plan
  scrum (a framework, not a methodology) - daily team meeting, short sprints (2 weeks); product owner (customer), scrum master (facilitator), development team (delivery)
  integrated product team - multifunctional team working together toward a goal
  rapid application development (RAD) - GUI prototyping + iterative development (quality code quickly), builds the design spec as it goes
  joint analysis/application development (JAD) - developers work with business stakeholders to assure the requirements
  cleanroom - focus on defect prevention rather than removal
  XP - pair programming, unit tests, expects changing requirements
  DevOps / DevSecOps - agility, automation, rapid development and frequent delivery; continuous integration (check in code and build) / continuous delivery (release)
Maturity models
  Capability Maturity Model (CMM), software process maturity, bottom to top: 1 initial (reactive, little or no process); 2 repeatable (project planning, tracking, quality assurance, configuration management, subcontract management); 3 defined (standards, procedures); 4 managed (proactive, quantitative, software quality); 5 optimized (continuous improvement, defect prevention, change management)
  IDEAL model - initiating (business reasons), diagnosing (recommendations), establishing (develop the plan), acting (test & implement), learning (propose new actions)
  Software Assurance Maturity Model (SAMM) - 5 business functions: governance (policy, compliance, guidance); design (software requirements, threat modelling, security architecture); implementation (build + deploy); verification (confirm the code meets business & security requirements); operations (maintain security throughout the software lifecycle)
Code tooling
  code repositories - do not commit sensitive information, restrict access, sign your work (Git)
  code libraries - core functions; tool sets - source code editor, debugger, compiler; IDE - the tools combined in a single environment
  software configuration management (SCM) - tracks hardware and software setup (baseline > artifact > versioning)
  Security orchestration, automation, and response (SOAR) - speeds up detection of and response to security incidents
Programming languages
  G1 machine language (binary 1/0); G2 assembly language (mnemonics for basic instructions: ADD, SUB); G3 high-level languages (meaningful words: C, Python, Java, JavaScript); G4 very high-level languages (ColdFusion, Oracle Reports, SQL, PHP, Perl); G5 natural language (AI)
  interpreter - translates high-level code to machine instructions at run time; compiler - converts high-level language into machine format (.exe, .dll); assembler - converts assembly source to machine language
  compiled code - easier to hide a backdoor, source not readable from the binary; interpreted code - readable by developers, but anyone with access to the script can modify it
Object-oriented programming (OOP) - polymorphism (one operation behaves differently depending on the object or input parameters); polyinstantiation (multiple instances of the same record with different content at different clearance levels, used in multilevel databases)
Acquired software - commercial off-the-shelf (COTS): bought from a third-party vendor, managed by the organization, no source code; open source software (OSS): can be modified; third party: custom development; managed service: cloud (SaaS)
Secure coding
  input validation, WAF, parameterized queries, stored procedures, data minimization
  practices - comments, error handling, no hard-coded credentials, memory management
  code security - code signing (authenticity), code reuse (SDKs), software diversity (avoid a single point of failure), code repositories (version control)
scalability (on demand) - vertical scaling (add RAM/CPU to an instance); horizontal scaling (add instances)
application
software escrow - customer access the source code when provider go bankrupt resilience
elasticity - auto provision resource
tools (specific tasks), workbenches (specific part), environments (life cycle) Computer-aided software enginee (CASE)
free software freeware (free to use), shareware (trial), crippleware (key feature lock)
OOD - apply constraints to conceptual model,
OOM (heavily use by both OOA&OOD), OOA, OOR object-oriented analysis and design (OOAD) attack surface analysis - reduce amount of code running, code access to untrusted
user, reduce entry point, reduce privileged level, eliminate unnecessary service
open source - GNU, BSD(alter software), Apache
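The "parameterized queries" and "input validation" items under Secure coding above are the controls that neutralise the sql injection probes listed in the web app attack section (the Boolean-based `' AND 1=2--` style). The block below is an added example, not code from the mindmap or from any official CISSP material: it puts a query built by string concatenation beside the parameterized form on an in-memory SQLite table, and adds an allow-list check for the username field. The users table, its rows and all function names are constructed for this demonstration.

```python
"""Added example (not code from the mindmap): string-built SQL beside the
parameterized form, plus allow-list input validation. The users table, its
rows and the function names are constructed for this demonstration."""
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The 'before' form: the input is pasted into the SQL text, so any SQL
    syntax typed into the input field becomes part of the query."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The hardened form: the value travels as a bound parameter, so the
    database engine never parses it as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def validate_username(name):
    """Allow-list input validation: only the characters a username may contain."""
    return re.fullmatch(r"[a-z0-9_]{1,32}", name) is not None


def compare(name):
    """Run both lookups on a fresh database and return
    (row count from the vulnerable form, row count from the parameterized form)."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, name)), len(lookup_parameterized(conn, name))
    finally:
        conn.close()


if __name__ == "__main__":
    # Legitimate input behaves the same in both forms: (1, 1).
    print("alice", compare("alice"))
    # Boolean-based probe: the concatenated query flips between 1 and 0 rows
    # depending on the injected condition, which is exactly the signal a blind
    # injection reads. The parameterized query returns 0 rows both times,
    # because no user is literally named "alice' AND 1=1--".
    print("AND 1=1", compare("alice' AND 1=1--"))   # (1, 0)
    print("AND 1=2", compare("alice' AND 1=2--"))   # (0, 0)
    # A tautology dumps every row from the concatenated query but is just an
    # unmatched string for the parameterized one: (3, 0).
    print("OR 1=1", compare("' OR '1'='1"))
    for candidate in ("alice", "alice' AND 1=1--"):
        print(repr(candidate), "passes validation:", validate_username(candidate))
```

Parameterization is the control that removes the vulnerability; the allow-list check is defence in depth (it also rejects inputs that are valid data but never a valid username), and a WAF or stored procedures, as the mindmap lists, sit in front of or behind these two.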
8.2: Malware, application attack

Virus propagation
  Master Boot Record (MBR) viruses - attack the bootable drive
  file infector virus - .exe, .com, .msc
  service injection - trusted runtime process (svchost.exe, explorer.exe)
  macro virus - excel, word doc (Melissa virus)
  companion virus - self-contained executable files escape detection by using a similar filename. E.g. type game, get game.com, game.exe
  multipartite virus - more than one propagation technique

Virus tech
  stealth virus - hides by tampering with the OS to fool antimalware into thinking everything is fine
  polymorphic virus - modifies its own code when travelling from system to system (signature different)
  encrypted virus - alters the way it is stored on disk (cryptographic)

Other virus
  hoaxes - wasted resources. Friends forwarding email
  logic bomb - triggered by a condition like time, action
  trojan horse - a software program that appears legitimate (bitcoin mining)
  remote access Trojans (RATs) - backdoor for remote admin
  spyware (monitors user's actions), adware (pop up ads), potentially unwanted programs (user consents to install but unwanted functions are carried out)
  worms - propagate without user interaction

Malware prevention
  antimalware software - signature-based (known malware from db), heuristic (analyse behaviour of software)
  integrity monitoring - unauthorized file modification
  Endpoint detection and response (EDR) - analyzing endpoint memory, auto isolate, threat intelligence source, incident response automation

Application attack
  buffer overflow - written data overflows the input length (memory)
  TOCTOU - authorization completed before authentication (race condition, incorrect order)
  backdoor - bypass access restriction (often used in development/debugging process)
  rootkit - privilege escalation to root/admin

Web app attack
  sql injection - input sql syntax in input field; Boolean based ~ 52019' AND 1=2;-- //no results; Time based ~ WAITFOR DELAY '00:00:15'
  code injection - written code to LDAP, XML, DLL
  command injection - OS command ~ o mchapple & rm -rf /home
  insecure direct object reference - Documents.php?documentID=999
  directory traversal - ../../etc/shadow, double encoding technique
  file inclusion - execute code contained in a file (local file, remote file)
  reflected xss - malicious script from the current HTTP request (victim browses a url which contains an xss payload to steal the user's cookies)
  stored/persistent xss - malicious script from the website database (forum comment)
  DOM xss - vulnerability exists in client-side code rather than server-side code (attacker constructs malicious code in an input value)
  cross site request forgery (CSRF) - causes the user to perform an unwanted action in the current authenticated session (change password)
  server-side request forgery (SSRF) - abuse functionality of the server to access internal resources/info
  session hijacking - intercepts the communication between user and server, learns the initial sequence then hijacks the connection and poses as the authorized user. Stealing cookies
  LDAP - submit LDAP syntax and attempt to change the query before it is forwarded to the directory, gain access to directory info, modify records
  forced browsing - example.com/email/user/admin
  Network reconnaissance - IP probes (ping), port scan (nmap), vulnerability scan (nessus, openVAS)