SY0-071-Module 4 Powerpoint Slides

Uploaded by unnifijo39

4.0 Security Operations
CompTIA Security+ SY0-701
Computing Resources Security
• Secure Baselines
• Attack Surface Reduction
• Wireless Installation
• Wireless Security Settings
• Mobile Solutions
• Application Security Management
Secure Baselines
Establishing Secure Baselines
• A baseline is the minimum security level that should be implemented
• A security baseline is a structured document
• Defines a set of security criteria and capabilities that must be fulfilled
• Should be considered the standard for measuring your security posture
• A good security baseline helps you:
• Keep your data and systems secure
• Comply with regulatory requirements
• Minimize risk of oversight
• Reduce the likelihood of breaches and subsequent business effects
• Your baselines should never be an ad-hoc effort
• Should be driven by business requirements, industry standards, compliance (internal or
external), and regulatory requirements
• Use existing industry recommendations as a starting point (e.g. security policy templates
from sans.org)
• Have one baseline for all devices in the organization
• Then add requirements depending on designated usage, department, sensitivity level, etc.
Deploying and Maintaining Secure Baselines
• Use templates, policies, and “golden images” to deploy your baselines
and maintain consistency
• Consider using an automated tool that can:
• Inventory all devices on your network
• Scan devices for compliance levels
• Deploy software, security, and configuration baselines to new devices
• Install, update, or remove software to/from devices
• Remediate security inconsistencies and failures
• Baselines need to be regularly assessed and updated
• Baseline information should be documented in the risk registry
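The layering the slides describe (one baseline for all devices, extra requirements added by usage or sensitivity, then an automated compliance scan) can be expressed directly in code. The following is an added example, not part of the deck or of any inventory product; the baseline keys, overlay names and device settings are constructed for illustration.

```python
"""Layered security baseline check (added example; not from the slide deck).

One organization-wide baseline, with extra requirements layered on by
role/sensitivity, then a 'compliance scan' that compares each device's
observed settings to the baseline it must meet.
All device data below is constructed for the example.
"""
from dataclasses import dataclass

# Organization-wide baseline: every device must satisfy these.
ORG_BASELINE = {
    "host_firewall": True,
    "antimalware": True,
    "auto_updates": True,
    "default_admin_password_changed": True,
    "telnet_enabled": False,
}

# Overlays add requirements for designated usage / sensitivity (never relax them).
OVERLAYS = {
    "server": {"mfa_for_admins": True, "syslog_forwarding": True},
    "finance": {"full_disk_encryption": True, "usb_storage_enabled": False},
}


@dataclass
class Device:
    name: str
    roles: list
    observed: dict  # setting -> value as reported by an inventory/scan tool


def effective_baseline(roles):
    """Merge the org baseline with every overlay that applies to the device."""
    required = dict(ORG_BASELINE)
    for role in roles:
        for key, value in OVERLAYS.get(role, {}).items():
            if key in required and required[key] != value:
                raise ValueError(f"overlay {role!r} conflicts with org baseline on {key!r}")
            required[key] = value
    return required


def check_device(device):
    """Return (setting, expected, observed) deviations. Missing data counts as a failure."""
    deviations = []
    for key, expected in effective_baseline(device.roles).items():
        actual = device.observed.get(key)
        if actual != expected:
            deviations.append((key, expected, actual))
    return deviations


def compliance_report(devices):
    """Map device name -> deviations, so remediation can be prioritized."""
    return {d.name: check_device(d) for d in devices}


# Constructed sample inventory
SAMPLE_DEVICES = [
    Device("ws-001", ["workstation"], {
        "host_firewall": True, "antimalware": True, "auto_updates": True,
        "default_admin_password_changed": True, "telnet_enabled": False}),
    Device("srv-db-01", ["server", "finance"], {
        "host_firewall": True, "antimalware": True, "auto_updates": False,
        "default_admin_password_changed": True, "telnet_enabled": True,
        "mfa_for_admins": True, "full_disk_encryption": True}),
]

if __name__ == "__main__":
    for name, devs in compliance_report(SAMPLE_DEVICES).items():
        status = "COMPLIANT" if not devs else f"{len(devs)} deviation(s)"
        print(f"{name}: {status}")
        for key, expected, actual in devs:
            print(f"  {key}: expected {expected!r}, observed {actual!r}")
```

A setting the scan did not report is treated as a failure rather than skipped; a missing value is exactly the kind of oversight a baseline is meant to catch, and it surfaces assets the inventory tool cannot fully read.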
Attack Surface Reduction
Strategies for Hardening Workstations
• Change defaults
• Disable unnecessary services, features and protocols
• Require strong authentication
• Enable host firewall
• Enable built-in OS and OEM security features
• Install latest patches and security updates
• Install/enable antivirus/anti-malware software
• Regularly back up data
• Prefer to deploy from a golden image
Strategies for Hardening Servers
• Change defaults
• Disable unnecessary services, protocols and ports
• Implement OS security policies
• Implement strict access control based on “least privilege”
• Implement secure authentication, including MFA for admins
• Deploy in a secure physical location
• Configure the host firewall
• Place in a secure VLAN/network segment
• Monitor using network- and host-based IDS
Strategies for Hardening Servers (cont’d)
• Control traffic using a network firewall and/or IPS appliance
• Implement change management
• Patch regularly
• Test patches and be able to roll back changes if necessary
• Maintain backups
• Where appropriate, implement high availability and/or load
balancing key service(s)
• Forward logs to a syslog server
• Preferably, continuously monitor with a SIEM
• Have a disaster recovery plan with RTO and RPO for key services
Strategies for Hardening Mobile Devices
• Install updates
• Install endpoint protection
• Do not jailbreak or root the device
• Only install apps from trusted sources
• Use strong passwords/biometrics/MFA
• Use a VPN/avoid public or free Wi-Fi
• Encrypt your device
• Keep backups
• Prefer to manage using Mobile Device Management (MDM)
Strategies for Hardening IoT Devices
• Implement all manufacturer security recommendations
• Change default passwords, disable unnecessary features and services, etc.
• Deploy compensating controls, especially at the network level
• Network segmentation, firewall, IDS/IPS
• Include security considerations during the buying process
• Buy devices that have the new U.S. Cyber Trust Mark certification
U.S. CYBER TRUST MARK
• A voluntary cybersecurity certification and labeling program to be rolled out in 2024
• Intends to elevate the level of cybersecurity across connected (IoT) devices in the U.S.
• Aims to establish a baseline IoT device cybersecurity, strengthen security of smart
devices, and protect the privacy of their users
• Specifications come from NIST
• Help American consumers more easily identify and choose IoT devices that are less
vulnerable to attacks or security breach
• Would cover a large portion of consumer smart devices
• Including things like major home appliances, smart home systems, wearables, and others
• Products that meet the criteria laid out in the program would be eligible to bear the
distinct U.S. Cyber Trust Mark shield logo
• Like the Energy Star logo, this new mark will:
• Differentiate certified products from others
• Aid consumers in making more informed decisions when buying IoT devices
U.S. CYBER TRUST MARK Logo Candidates
NIST IoT Cybersecurity Criteria
Required for an IoT product to earn the U.S. CYBER TRUST MARK certification:

• Device Identification: The IoT device can be uniquely identified logically and physically.
• Device Configuration: The configuration of the IoT device’s software can be changed, and such
changes can be performed by authorized entities only.
• Data Protection: The IoT device can protect the data it stores and transmits from unauthorized
access and modification.
• Logical Access to Interfaces: The IoT device can restrict logical access to its local and network
interfaces, and the protocols and services used by those interfaces, to authorized entities only.
• Software Update: The IoT device’s software can be updated by authorized entities only using a
secure and configurable mechanism.
• Cybersecurity State Awareness: The IoT device can report on its cybersecurity state and make that
information accessible to authorized entities only.
• Device Security: The IoT device can operate securely by protecting its hardware and software
integrity and securely utilizing system resources, managing communications, and executing code

https://pages.nist.gov/IoT-Device-Cybersecurity-Requirement-Catalogs/
Strategies for Hardening ICS/SCADA Devices
• Implement any manufacturer recommendations or industry best practices
• Use a firewall to separate the corporate network from the production network
• Use VLANs and network segmentation on the production floor where possible
• Implement secure physical access
• Create an ICS/SCADA Asset Inventory
• Develop a Network Baseline
• Segment ICS/SCADA Networks
• Implement least privilege
Strategies for Hardening ICS/SCADA Devices (cont’d)
• Use IPS to identify known threats
• Visually inspect for rogue devices/connections
• Use a WIPS to monitor for rogue wireless devices (that might have been planted)
• Secure any remote access to ICS Devices
• Implement EUBA to look for anomalies in user activity
• Implement compensating controls (including physical security) for
systems that cannot be patched or upgraded
• Fences, guards, cameras, lighting, cable protection
• Harden supervisor and operator systems
SANS.org ICS Cybersecurity Field Manual - http://tinyurl.com/5e977y6c
Strategies for Hardening Switches and Routers
Switches:
• Disable unused ports
• Segment traffic into VLANs if applicable
• Set strong encrypted passwords at the console, for remote access, and privileged commands
• Change the native VLAN if applicable
• Create a VLAN specifically for network device management
• Disable any unnecessary services or protocols
• Update firmware/OS version as applicable
• If possible, disallow web-based administration
Routers:
• Apply switch security strategies as applicable
• Consider applying access control lists to limit traffic to, from, and through the device
Strategies for Hardening Embedded Devices
• Keep in mind that embedded systems are often overlooked as an attack vector
• The network or back end systems they connect to are typically configured to trust them
• Change all defaults as applicable including device name, administrator credentials, SSID,
• Disable any unused features, services, protocols, etc.
• Configure the embedded system for secure boot
• Make use of Firmware-over-the-Air (FOTA) updates
• Prefer devices that incorporate secure enclaves (hardware-enforced secure execution
environments) to protect cryptographic operations and sensitive data processing
• Follow any additional manufacturer security recommendations
• Use compensating controls for embedded devices that do not support modern security:
• Segmentation, firewall, IDS/IPS, restricted remote administration, physical/logical access control
• Always be guided by the principles of Zero Trust, Defense-in-Depth, and Least Privilege
Developer guidance - https://www.riscure.com/publication/device-security-checklist/
Strategies for Hardening RTOS Devices
• Where possible, apply similar hardening measures to an RTOS as you would a
“regular” operating system including:
• Separate the main components of the system into different partitions to minimize the
impact of any part of the system becoming compromised
• Enable secure boot
• Disable all unnecessary services
• Enable user authentication and privilege levels
• Prevent the execution of applications with administrator permissions
• Encrypt communications
• Enable the operating system firewall – most modern RTOSes have a built-in software firewall
• Test to ensure no adverse impact on the performance of the system
• Implement compensating controls as needed:
• Firewalls, segmentation, IDS/IPS, external monitoring, etc.
Developer guidance –
https://learn.microsoft.com/en-us/azure/iot-develop/concepts-azure-rtos-security-practices
Strategies for Hardening Cloud Infrastructure
• Harden virtual assets with the same care you would use to harden physical devices
• Utilize your CSP’s Zero Trust features including:
• Zero knowledge encryption (only you possess the private key)
• Security policy at the tenant and subscription levels
• Code signing, deployment automation/orchestration
• Identity and Access Management (IAM) with MFA
• Conditional and Just-in-Time access
• End-user behavior analytics (EUBA)
• Microsegmentation
• Verbose Logging
Validating Hardening Effectiveness
• Run a vulnerability scan just before deploying a system into production
• Use scan results to identify and remediate any remaining security issues
Question
• A new plug-and-play storage device was installed on a PC in the corporate environment.
• What should you make sure to change on the PC to protect it from malicious files on the storage device?
• Any default settings
Question #2
• A newly identified network access vulnerability has been found in the OS of legacy IoT devices.
• You need the devices to stay on the network.
• What can you use to quickly mitigate the vulnerability?
• Segmentation with ACLs to allow selective connectivity to the devices.
Question #3

• After a recent vulnerability scan, you realize you need to harden the
routers within your corporate network.
• What would you disable to disallow HTTP-based logins to the
router?
• Web-based administration
Wireless Installation
Wireless LAN (WLAN)
• LAN based on wireless (radio) technologies
• Wi-Fi is the most common implementation of a WLAN
• Adds security risks because the network is “unbounded”
Wireless Installation Considerations
• Wireless networks tend to be physically easier to install than wired
ones
• You don’t have to go through the labor of pulling cable and terminating every
drop (connection point)
• Wireless networks have their own challenges
• Signal can easily extend past your facility
• You will have to design for and manage coverage, capacity, availability,
encryption, authentication, access points and connectivity to your network
backbone
• Keep in mind that most hacking attacks that work on wired networks
also work on wireless ones
Site Survey
• Physical visit and walkthrough of an existing or potential location
• Used to identify existing or potential challenges to installing the network
• A wireless site survey focuses on:
• Required coverage
• Placement of wireless access points and controllers
• Antenna design
• Cable routing
• Cable distances to WAPs
• Power distribution to WAPs
• Physical obstructions to RF signal
• Potential RFI/EMI interference sources
Wireless Coverage Heat Map
• Visual representation of Wi-Fi signal strength in a facility
• Helps you quickly identify “dead zones”
• Typically created using automated measuring tools
Wireless Security Settings
Wireless is Inherently Vulnerable
Service Set Identifier (SSID)
• The friendly name given to a wireless network
• Need not be unique
• Can be hidden (not advertised in beacon frames)
• You can still connect to the WLAN if you know the SSID
• You’ll have to manually enter the SSID
Authentication Modes for Wi-Fi
• Open-System Authentication Process
• No authentication
• Clients must have their own protection (such as firewall, anti-virus)
• Often used for guest Wi-Fi
• Pre-Shared Key (PSK) Authentication Process
• Password is set on WAP and clients
• Centralized Authentication
• Authentication forwarded to a centralized server
• Typically a RADIUS server
• 802.1x
• WAP or switch forwards authentication to a centralized server
• Uses the Extensible Authentication Protocol (EAP) to allow many authentication types
• If the connection is a browser to the Internet, the user is typically redirected to a captive
portal to authenticate
Wireless vs Wired Exploits
• Most wired exploits will also work against Wi-Fi wireless:
• Scanning
• Sniffing
• Spoofing
• MITM/Hijacking
• Deauthentication
• Denial-of-Service
• Password cracking
• In addition, wireless has its own vulnerabilities including:
• Eavesdropping
• Electromagnetic/radio frequency interference, signal jamming
• Evil twins and rogue access points
Evil Twin Attack Example
Frequency Jamming
• The simplest and crudest form of wireless attack
• Denial-of-Service at the radio frequency level
• The wireless system and all of its clients are overwhelmed by a
more powerful signal
• Authorized signals get buried in noise
Wi-Fi Jamming
• Targets specific channels, SSIDs, or end devices
• Might use spoofed TCP RST or FIN packets to continuously disrupt connections
Wi-Fi Password Cracking
• Wi-Fi password cracking is much like any other password cracking
• The attacker captures packets that each contain a small amount of encryption key material
• When enough key material is captured, the packets can be sent to a password cracker
• Cracking can be dictionary-based or brute force
Comparing Wi-Fi Security Standards

Wireless Standard | Auth | Encryption | IV Size (Bits) | Key Length (Bits) | Comment
WEP | PSK | RC4 | 24 | 40/104 | Susceptible to replay attacks; can crack a key in seconds
WPA | PSK | RC4 + TKIP | 48 | 128 | Anti-replay re-keying mechanism; every packet has a unique encryption key; imperfect 4-way authentication handshake; susceptible to KRACK vulnerability
WPA Enterprise | 802.1x | RC4 + TKIP | 48 | 128 | Enterprise RADIUS server makes spoofing authentication difficult
WPA2 | PSK | AES-CCMP | 48 | 128 | Very strong - not susceptible to replay
WPA2 Enterprise | 802.1x | AES-CCMP | 48 | 128 | Uses 802.1x and RADIUS authentication
WPA3 Personal | SAE | AES-CCMP | 48 | 128 | Uses zero-knowledge proof; no elements of the password are transmitted over the network
WPA3 Enterprise | SAE | GCMP-256 | 48 | 192 | Uses 802.1x and RADIUS authentication

Zero-knowledge proof is a cryptographic method used to prove knowledge about a piece of data (such as a password), without revealing the data itself.
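A defender's use of the table above is to compare what a site survey or wireless IDS actually sees against it, and to catch the evil twins and rogue access points listed under wireless-specific vulnerabilities. The following added example (not from the deck or any WIDS product) does both: it ranks the observed security type against a policy minimum and flags an organization-owned SSID that is being advertised from a BSSID not on the authorized list. The ranking, the authorized BSSID list and the survey records are constructed for the example.

```python
"""Classify observed WLANs against the security-standard table (added example,
not part of the original deck). Input is a constructed list of beacons as a
survey/WIDS tool might report them (SSID, BSSID, security). It flags weak
standards per the table and possible evil twins / rogue APs: an SSID the
organization owns that is advertised from a BSSID not in the authorized list.
"""

# Ranking derived from the table: lower is weaker.
STANDARD_RANK = {
    "OPEN": 0,
    "WEP": 1,
    "WPA-PSK": 2,
    "WPA-ENTERPRISE": 3,
    "WPA2-PSK": 4,
    "WPA2-ENTERPRISE": 5,
    "WPA3-PERSONAL": 6,
    "WPA3-ENTERPRISE": 7,
}
# Per the table, WEP and the WPA/TKIP variants have known weaknesses (replay, KRACK).
WEAK = {"OPEN", "WEP", "WPA-PSK", "WPA-ENTERPRISE"}

# Assumed authorized APs for the corporate SSID (constructed).
AUTHORIZED = {
    "CorpNet": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}

# Constructed survey results.
OBSERVED = [
    {"ssid": "CorpNet",   "bssid": "aa:bb:cc:00:00:01", "security": "WPA2-ENTERPRISE"},
    {"ssid": "CorpNet",   "bssid": "de:ad:be:ef:00:01", "security": "OPEN"},  # not ours
    {"ssid": "Guest",     "bssid": "aa:bb:cc:00:00:03", "security": "WPA2-PSK"},
    {"ssid": "Warehouse", "bssid": "11:22:33:44:55:66", "security": "WEP"},
]


def findings(observed, authorized, minimum="WPA2-PSK"):
    """One finding per problem: weak standard, or an owned SSID from an unauthorized BSSID."""
    out = []
    min_rank = STANDARD_RANK[minimum]
    for net in observed:
        sec = net["security"].upper()
        rank = STANDARD_RANK.get(sec)
        if rank is None:
            out.append({**net, "issue": "unknown security type"})
            continue
        if sec in WEAK or rank < min_rank:
            out.append({**net, "issue": f"weak standard {sec} (policy minimum {minimum})"})
        owned = authorized.get(net["ssid"])
        if owned is not None and net["bssid"].lower() not in owned:
            out.append({**net, "issue": "possible evil twin / rogue AP: owned SSID from unauthorized BSSID"})
    return out


if __name__ == "__main__":
    for f in findings(OBSERVED, AUTHORIZED):
        print(f"{f['ssid']:<10} {f['bssid']}  {f['issue']}")
```

The open "CorpNet" beacon from an unknown BSSID produces two findings (weak standard and unauthorized BSSID), which is the signature of an evil twin; the WEP "Warehouse" network is flagged purely on the standard it uses.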
About WPA3
• The Wi-Fi Alliance now requires all devices that wish to be certified to support WPA3
• Mandates the adoption of Protected Management Frames that protect against
eavesdropping and forging
• Standardized 128-bit cryptographic suite and disallows obsolete security protocols
• Uses zero-knowledge proof
• No elements of the password are transmitted over the network
• Session key derived from the process
• QR codes can be used to gain network connection details
• Enterprise version has optional 192-bit security encryption and a 48-bit IV for better
protection
• GCMP - Galois/Counter Mode Protocol
• WPA3-Personal uses CCMP-128 and AES-128
Guest Wi-Fi Captive Portal
• When the client connects to the WAP, it is automatically sent to the portal
• Configure the portal to use 802.1x with RADIUS authentication
• Require guest users to register a free, time-limited account
• Capture information about the guest and their device
• User name and email address
• Device name and MAC address
• Restrict amount of bandwidth each device can use
• Restrict the number of devices that can use the same account
• Require each client to provide its own firewall protection
Faraday Cage
• A room or small space
• Completely enclosed in metal shielding that is grounded to earth ground
• Radio signals and electromagnetic emanations cannot enter or escape
• Used for classified or highly sensitive areas
• Used in hospital MRI rooms
Question
• Your company needs to implement stronger authentication by adding an authentication factor to its wireless system.
• The wireless system only supports WPA with pre-shared keys, but the backend authentication system supports EAP and TTLS.
• What should you implement?
• You can use a RADIUS server for back-end authentication
• Also 802.1x using EAP with MSCHAPv2 for user authentication.
Question #2
• You want to set up a guest Wi-Fi that will capture users’ MAC addresses and names, so that you can trace malicious activity back to a specific person.
• What should you implement?
• A captive portal that captures user MAC addresses and names.
Mobile Solutions
Mobile Device Deployment Models
• Bring your own device (BYOD)
• Allows staff to use their personally owned devices for work-related activities
• Requires the IT dept to support more device types
• Corporate-owned, personally enabled (COPE)
• The organization provides its employees with mobile computing devices
• Typically issues one standard make/model to everyone
• Simplest for the IT dept to support
• Allows the employees to use them as if they were personally owned
• Choose your own device (CYOD)
• Allows employees to select from a predefined list of devices
• Provides flexibility in device preference while allowing the company to maintain
control and security over company data and infrastructure
• A good compromise between BYOD and COPE
Mobile Device Connection Methods
• Cellular
• Phone calls and Internet traffic are routed through the mobile carrier’s network
• Devices are identified by their phone number and IMEI number
• Incurs cost, based on your mobile carrier plan
• Has broader reach/is more widely available than Wi-Fi
• Wi-Fi
• The device connects to the local network; Internet traffic is routed through that
network
• Devices are identified by their MAC and IP addresses
• Typically free (some public hotspots might charge for the service)
• Connectivity is geographically limited to the coverage area of the hotspot
• Most home/small office implementations impose no data transfer constraints
• A public site/larger office administrator might configure restrictions
• Preferred over cellular for data transfer
Mobile Device Connection Methods (cont’d)
• Bluetooth
• Allows personal devices and IoT wearables to connect to the phone
• Meant for short-distance connectivity
• Often poorly secured due to limitations of the IoT device
• Near Field Communication (NFC)
• Enables very short distance communications/data transfer between devices
• Contactless payments, Bluetooth file transfer negotiation
• USB cable
• Allows you to plug your phone into a PC
• The PC can access the phone’s storage
• You can also control the phone in developer mode, using developer tools
Mobile Device Security Features
• Two-factor authentication - Passwords/PINs, swipe patterns, biometrics, one-time passcode
• App permissions
• Partitioning - Keep company data separate from personal data
• Data/full disk encryption
• Secure enclave (some models) - Separate processor for biometric info and cryptographic functions
• VPNs - For public hotspots
• Endpoint protection (firewall, anti-malware, etc.)
• Automated over-the-air updates
• Screen lock timer
• Cloud-based backups
• Device tracking
• Remote lock and data wipe
• Vendor-specific features
Many of these features must be enabled by the user
Mobile Device Management (MDM)
• A system that allows IT administrators to control, secure and enforce policies
on smartphones, tablets and other endpoints
• Typically implemented as a cloud service
• Features include:
• Over-the-air app and patch installation/update/uninstallation
• Device tracking/geolocation
• Remote locking/remote wiping
• Jailbreak/root and malicious app detection/restriction
• Containerization to separate company data from personal data
• Can wipe company data from a BYOD without affecting personal data
• Enforce full storage encryption
• Geo-location
• Locate and track where a device is physically
• Geofencing
• Allow or disallow phone features (mic, camera) in sensitive geographical areas
• Examples: Microsoft Intune, Cisco Meraki, Kandji, Jamf
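The geofencing feature above is a location test followed by a policy decision: if the device is inside a sensitive area, certain features are disallowed. The example below is added here and is not code from the deck or from any MDM product; it uses circular fences (centre, radius in metres) with a haversine distance check, and unions the restrictions of overlapping fences so the most restrictive policy wins. The coordinates, fence names and feature sets are constructed.

```python
"""Geofencing policy check (added example, not from the deck or any MDM product).
An MDM can allow or disallow phone features (mic, camera) inside sensitive areas.
This models that decision: circular geofences (center + radius in metres) with a
feature-restriction policy, and a haversine distance test. Coordinates and
policies are constructed for the example.
"""
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


# Constructed geofences: name -> (lat, lon, radius_m, features disallowed inside)
GEOFENCES = {
    "r&d-lab":    (47.6205, -122.3493, 150.0, {"camera", "microphone"}),
    "datacenter": (47.6101, -122.2015, 300.0, {"camera"}),
}

ALL_FEATURES = {"camera", "microphone", "bluetooth"}


def active_fences(lat, lon, fences=GEOFENCES):
    """Names of fences that contain the device position."""
    return [name for name, (flat, flon, r, _) in fences.items()
            if haversine_m(lat, lon, flat, flon) <= r]


def feature_policy(lat, lon, fences=GEOFENCES):
    """Return {feature: allowed} for the device position. Restrictions from
    overlapping fences are unioned (most restrictive wins)."""
    disallowed = set()
    for name in active_fences(lat, lon, fences):
        disallowed |= fences[name][3]
    return {f: f not in disallowed for f in sorted(ALL_FEATURES)}


if __name__ == "__main__":
    # Constructed device positions: one inside the lab fence, one downtown
    for label, (lat, lon) in {"in lab": (47.6206, -122.3490),
                              "downtown": (47.6062, -122.3321)}.items():
        print(label, active_fences(lat, lon), feature_policy(lat, lon))
```

The union rule matters when fences overlap: a device inside both the lab and the datacenter fence should lose every feature either fence forbids, never regain one because the second fence is more permissive.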
MDM Example
Question
• A company wants to enable BYOD for checking email and reviewing documents.
• Many of the documents contain sensitive organizational information.
• What should be deployed first before allowing the use of personal devices to access company data?
• MDM
Question #2
• You incorporate mobile device security controls including biometrics, context-aware authentication, and full device encryption.
• Even with these settings in place, an unattended phone was used by a malicious actor to access corporate data.
• What else should you have included?
• A screen lock timer.
Question #3

• Your company recently decided to allow its employees to use their


personally owned devices for tasks like checking email and messaging
via mobile applications.
• You would like to use MDM, but employees are concerned about the
loss of personal data.
• What should you implement to BEST protect the company against
company data loss while still addressing the employees’ concerns?
• Full Disk Encryption and/or partitioning
• Don’t enable bricking upon multiple bad logins (consider even disabling the
lock screen)
Question #4
• You need to implement security features across smartphones, laptops, and tablets.
• What would be the most effective management tool across heterogeneous platforms?
• MDM
Question #5
• You want to provide flexibility for employees using mobile devices
• You’re concerned about supporting too many different types of hardware
• Which deployment model will provide the needed flexibility with the GREATEST amount of control and security over company data and infrastructure?
• CYOD
Application Security Management
Application Security Strategies
• Developers: use these strategies to make your app more secure
Input validation
• Use regular expressions and language-specific filters to block unexpected characters from being entered into your function
• Escape metacharacters such as . ^ $ * + - ? ( ) [ ] { } \ | (typically with a preceding backslash) so they are not interpreted as part of a command
• Properly encode user input as HTML entities to prevent XSS attacks
Secure cookies
• Set the Secure, HttpOnly and SameSite attributes on cookies to limit the scope of cookies to “secure” channels
• Avoid storing sensitive information in cookies
Static and dynamic code analysis
• As part of your code review, run both static and dynamic code analysis tools to highlight possible vulnerabilities in source code
Code signing
• Digitally sign applications, drivers, executables and software programs so that end users can verify that the code they receive has not been altered or compromised by a third party
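The input validation and secure cookie rows of the table translate into a few standard-library calls. The block below is an added example (not the deck's code): an allowlist regular expression that accepts only what a field should contain, backslash-escaping of the listed metacharacters, HTML entity encoding before a value is reflected into a page, and a session cookie emitted with the Secure, HttpOnly and SameSite attributes. The field patterns, sample inputs and session id are constructed.

```python
"""Input validation, metacharacter escaping, HTML-entity encoding and secure
cookie attributes, as described in the strategies table (added example; not
from the deck). Uses only the standard library. The allowlist patterns and
sample inputs are constructed for the example.
"""
import html
import re
from http.cookies import SimpleCookie

# Allowlist validation: accept only what the field is supposed to contain.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")
ZIP_RE = re.compile(r"^\d{5}$")

# Metacharacters from the table (plus ` ; & from the policy question) that should
# never reach a command or pattern unescaped.
METACHARS = set(r". ^ $ * + - ? ( ) [ ] { } \ |".split()) | set("`;&")


def is_valid(value, pattern):
    """True only if the whole value matches the allowlist pattern."""
    return pattern.fullmatch(value) is not None


def escape_metacharacters(value):
    """Prefix each metacharacter with a backslash so it is taken literally."""
    return "".join("\\" + ch if ch in METACHARS else ch for ch in value)


def safe_for_html(value):
    """Encode user input as HTML entities before it is reflected into a page."""
    return html.escape(value, quote=True)


def session_cookie(session_id, same_site="Strict"):
    """Set-Cookie header value with Secure, HttpOnly and SameSite attributes."""
    c = SimpleCookie()
    c["session"] = session_id
    c["session"]["secure"] = True      # only sent over HTTPS
    c["session"]["httponly"] = True    # not readable from page scripts
    c["session"]["samesite"] = same_site
    c["session"]["path"] = "/"
    return c.output(header="").strip()


if __name__ == "__main__":
    # Constructed form inputs
    for name in ["alice_01", "<script>alert(1)</script>", "bob;rm -rf /"]:
        print(f"{name!r}: valid={is_valid(name, USERNAME_RE)} "
              f"escaped={escape_metacharacters(name)!r} html={safe_for_html(name)!r}")
    print(session_cookie("constructed-session-id"))
```

Validation (reject), escaping (neutralize for a command or pattern) and encoding (neutralize for HTML) are three separate controls; an input that passes the allowlist still gets encoded at the point where it is written into a page.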
Sandboxing
• A cybersecurity practice where you run, observe and analyze code in a safe, isolated environment on a network
• It mimics end-user operating environments
• Designed to prevent threats from getting on the network
• Frequently used to inspect untested or untrusted code
• Keeps the code relegated to a test environment so it doesn’t infect or cause damage to the host machine or operating system
Application Monitoring
• The process of collecting log data in order to help developers track availability, bugs, resource use, and changes to performance in applications
• Includes a series of dashboards for various metrics pertaining to network analytics, hardware utilization, and software performance
• You can also monitor the app for vulnerabilities and attacks
• Send the data to a SIEM for correlation and analysis
Question

• You are reviewing the findings in a report that was delivered after a third
party performed a penetration test.
• One of the findings indicated that a web application form field is vulnerable
to cross-site scripting.
• Which of the following application security techniques should you
recommend the developer implement to prevent this vulnerability?
• Secure cookies
• Version control
• Input validation
• Code signing
Question #2
• A software development manager wants to ensure the authenticity of the code created by the company.
• Which of the following options is the most appropriate?
• Testing input validation on the user input fields
• Performing code signing on company-developed software
• Performing static code analysis on the software
• Ensuring secure cookies are used
Question #3
• Your organization recently updated its security policy to include the following statement:
• Regular expressions are included in source code to remove special characters such as $, |, ;, &, `, and ? from variables set by forms in a web application.
• What is the most likely security technique your organization will adopt to accommodate this addition to policy?
• Input validation
Asset Management
• Managing Assets
• Acquisition/Procurement
• Assignment/Accounting
• Monitoring/Asset Tracking
What is an Asset?
• A resource with economic value that an individual or corporation owns or controls
• An IT asset refers to any hardware, software, or technological resource that an organization utilizes to manage and deliver its IT services
• Can be hardware, software, cloud services, virtual machines, data, licenses, subscriptions, or anything else that the organization values and uses
Asset Lifecycle
Asset Management Challenges
• Effectively monitoring stock, ownership, and location.
• Tracking assets throughout their lifecycle.
• Detecting early signs of needed maintenance to expand asset lifespan.
• Controlling warranties to avoid unnecessary costs.
Asset Management Policy
• A set of guiding principles, intentions, goals and methods for asset management.
• Provides a template for decision-making so people can achieve the best possible outcomes for each task while meeting the organization's goals.
• Helps you maintain the data necessary to quantify risks associated with your assets
Asset Procurement
• The process of identifying, acquiring, and managing assets to support a business goal.
• Asset procurement can be used to fulfill a variety of needs for a business including:
• Purchasing new equipment, supplies, or technology
• Procuring leases, contracts, rights or licenses
• Acquiring vehicles, buildings, and real estate
Asset Procurement Process
Asset Tracking
• Maintain an accurate inventory of all of your hardware, software, and
data assets for:
• Lifecycle management / budgeting
• Risk assessment – you can’t assess your risk if you don’t know what you have
• Put physical labels on your assets to assist with inventory and tracking
• Bar codes / QR codes
• Serial numbers
• Use a hand-held scanner to speed up inventory tasks
• Consider using automated enumeration tools to help you identify
assets on the network
• Especially for software and virtual assets
Assignment and Labeling
• Assign an asset to a specific individual
• Associate the device asset tag and serial number with the user
• This “ownership” makes them responsible for missing or damaged equipment
• When the user leaves the organization, you will know what equipment was assigned to them, and what they must return
• If a security incident occurs, or if you find a lost device, you can quickly identify to whom it belongs
• Classification
• Use additional labeling to visually mark equipment that is classified/sensitive,
or belongs to a specific program/business unit/budget
Disposal/Decommissioning
• Data retention
• Any data that must be retained is copied from the device and placed in longer-term
storage
• Sanitization
• Securely wiping all data from a device/storage media
• Perform if you intend to re-use the device
• Destruction
• Makes the device/storage media unusable
• The MOST secure way of decommissioning a device
• Certification
• Provides evidence that the vendor has followed the proper procedures and methods
to destroy the classified data and prevent unauthorized access or recovery
• May include details such as the date, time, location, and method of disposal, as well
as the names and signatures of the personnel involved
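The tracking, assignment and decommissioning slides describe one record per asset moving through a lifecycle with rules at each step. The following is an added example, not the deck's material or any asset-management product: a small registry keyed by asset tag and serial number, an offboarding report for a departing user, and a decommission step that refuses to mark media disposed until data has been retained and the media sanitized (for re-use) or destroyed with a vendor certificate (required here for anything labelled classified). Tags, serials, users and the certificate id are constructed placeholders.

```python
"""Asset inventory with assignment and decommissioning rules (added example,
not the deck's own material). Assets are tagged and tied to a serial number,
assigned to an individual, looked up by tag or serial, and a departing user's
equipment is listed for return. Decommissioning must follow
retention -> sanitization or destruction -> certification before an asset
leaves service. All asset data is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    tag: str
    serial: str
    kind: str
    classification: str = "internal"      # extra label for sensitive equipment
    owner: Optional[str] = None
    status: str = "in_service"            # in_service -> ready_for_reuse | disposed
    retained: bool = False                # required data copied to long-term storage
    sanitized: bool = False
    destroyed: bool = False
    certificate: Optional[str] = None     # vendor's certificate of destruction id


class AssetRegistry:
    def __init__(self):
        self._by_tag = {}
        self._by_serial = {}

    def add(self, asset):
        if asset.tag in self._by_tag or asset.serial in self._by_serial:
            raise ValueError(f"duplicate tag or serial: {asset.tag}/{asset.serial}")
        self._by_tag[asset.tag] = asset
        self._by_serial[asset.serial] = asset

    def lookup(self, tag=None, serial=None):
        """Find an asset from a label scanned off the device or its serial number."""
        return self._by_tag.get(tag) if tag else self._by_serial.get(serial)

    def assign(self, tag, user):
        self._by_tag[tag].owner = user

    def offboarding_report(self, user):
        """Equipment a departing user must return."""
        return sorted(a.tag for a in self._by_tag.values()
                      if a.owner == user and a.status == "in_service")

    def decommission(self, tag, retain=True, sanitize=False, destroy=False, certificate=None):
        """Apply the disposal steps; return the new status or raise if a step is missing."""
        a = self._by_tag[tag]
        a.retained = retain
        if not a.retained:
            raise ValueError("retain required data before disposal")
        a.sanitized, a.destroyed, a.certificate = sanitize, destroy, certificate
        if a.classification == "classified" and not (a.destroyed and a.certificate):
            raise ValueError("classified media needs destruction plus vendor certification")
        if not (a.sanitized or a.destroyed):
            raise ValueError("media must be sanitized (re-use) or destroyed")
        a.owner = None
        a.status = "disposed" if a.destroyed else "ready_for_reuse"
        return a.status


def build_sample_registry():
    """Constructed inventory for the example."""
    reg = AssetRegistry()
    reg.add(Asset("A-1001", "SN-7F3A", "laptop"))
    reg.add(Asset("A-1002", "SN-9C21", "laptop"))
    reg.add(Asset("A-2001", "SN-ARR01", "storage array", classification="classified"))
    reg.assign("A-1001", "jdoe")
    reg.assign("A-1002", "jdoe")
    reg.assign("A-2001", "ops")
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print("jdoe must return:", reg.offboarding_report("jdoe"))
    print("A-1001 ->", reg.decommission("A-1001", sanitize=True))
    print("jdoe must return:", reg.offboarding_report("jdoe"))
    print("A-2001 ->", reg.decommission("A-2001", destroy=True,
                                        certificate="CERT-PLACEHOLDER-01"))
```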
Question
• Your company requires hard drives to be securely wiped before sending decommissioned systems to recycling.
• Which of the following best describes this policy?
• Sanitization
• Destruction
Question #2

• You have begun labeling all laptops with asset inventory stickers and
associating them with employee IDs.
• Name two security benefits these actions provide.
• If a security incident occurs on the device, the correct employee can
be notified.
• Company data can be accounted for when the employee leaves the
organization
Question #3
• How does an effective asset management policy help contribute to security?
• It will make it easier to obtain data necessary to quantify your risk
Question #4
• You are discarding a classified storage array.
• You hire an outside vendor to complete the disposal.
• Which of the following should you request from the vendor?
• Certification
• Inventory list
• Classification
• Proof of ownership
Vulnerability Management
• Identification
• Analysis
• Response and Remediation
• Reporting
Vulnerability Management Concepts
Concept Description
Confirmed vulnerability • The vulnerability has been tested and verified
• It is actually present and exploitable (a true positive)
False positive • An alert that incorrectly indicates that a vulnerability is present
False negative • A scan report indicating that the system has no issues when a bug or security vulnerability is in fact present
Prioritization • The act of ranking vulnerabilities based on their risk level and assigning resources based on the level of risk
Remediation • A corrective control
• The process of eliminating detected weaknesses in your network
• Usually performed after a security incident or vulnerability scan
Vulnerability Management Concepts
Concept Description
Preventive control • Any measure designed to keep errors or irregularities from occurring in
the first place
Detective control • Any measure designed to detect errors and irregularities that have
already occurred and to assure their prompt correction
Compensating control • Any measure taken to address any weaknesses of existing controls or to
compensate for the inability to meet specific security requirements
Corrective control • A fix for a discovered vulnerability or breach
• Put in place when errors or irregularities have been detected
Patch management • A preventive or corrective control
• The process of applying updates to software, drivers, and firmware to
protect against/fix vulnerabilities
• Weak patch management can lead to inconsistent security and
unexpected malware infections
Vulnerability Management Concepts (cont’d)
Concept Description
Account audit • A subcategory of user account management
• A report of user account events such as when the account was: created, changed, deleted, renamed, disabled/enabled, etc.
• Often used as a detective control to identify inactive (stale) user accounts
Exposure factor • The potential percentage of loss to a specific asset if a specific threat is realized
• Typically a subjective judgment
Environmental variables • Physical environment conditions (temperature, humidity, shielding, etc.) that might affect a system’s security
• (alternatively) external conditions that impact a vulnerability’s severity or exploitability, such as whether the affected host is internet-facing or holds sensitive data (the CVSS Environmental metrics capture these)
Industrial/organizational impact • The degree to which a vulnerability might adversely affect the entire organization or industry
Risk tolerance • The amount of residual risk your organization is willing to accept
• Drives how strongly its information must be protected against confidentiality leaks or compromised data integrity, and which vulnerabilities can be accepted rather than remediated
Vulnerability Management Concepts (cont’d)
Concept Description
Vulnerability classification • A method of ranking vulnerabilities so you can prioritize your remediation efforts
• Based on criticality and/or exploitability
Common Vulnerability Scoring System (CVSS) • A free, open standard used to assess a vulnerability and assign a severity score on a scale of 0.0 to 10.0
• The numeric (quantitative) base score maps to a qualitative rating: Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), Critical (9.0 to 10.0)
• Vulnerabilities and their CVSS scores can be found in the NIST National Vulnerability Database (NVD)
Common Vulnerabilities and Exposures (CVE) • A catalog of publicly disclosed cybersecurity vulnerabilities
• Each CVE ID identifies a specific instance of a vulnerability
• Example: Log4j vulnerability = CVE-2021-44228
Common Weakness Enumeration (CWE) • A community-developed list of software and hardware weakness types
• Complements CVE by describing the underlying class of flaw (e.g. missing input validation) rather than an individual vulnerability instance
Vulnerability Identification Methods
Most of the methods listed below are detective controls
Concept Description
Application security • Security measures at the application level that aim to prevent data or code within the app from being stolen or hijacked
Vulnerability scan • The process of identifying security weaknesses and flaws in systems and the software running on them
• Can be performed manually or via an automated tool
• Should also be run after remediation to verify that the fix was successful
Package monitoring • Automatically checking the third-party packages and dependencies an application uses (OS packages, npm, PyPI, Maven, container base images) against known-vulnerability data, and alerting when a new CVE affects a version you ship
Static analysis • AKA static code analysis or SAST
• The analysis of computer software performed without actually executing the code
• Searches for vulnerabilities, validates code against industry best practices
• Tool examples: SonarQube, Semgrep, CodeQL (formerly Semmle), Codacy, DeepSource, Coverity
Vulnerability Identification Methods (cont’d)
Concept Description
Dynamic analysis • AKA Dynamic Application Security Testing (DAST)
• Testing a running application for potentially exploitable vulnerabilities
• Finds runtime issues that static analysis cannot see, such as configuration errors that only appear within a realistic execution environment
• Uses known malicious inputs to “fuzz” an application including:
• SQL queries (to identify SQL injection vulnerabilities)
• Long input strings (to exploit buffer overflow vulnerabilities)
• Negative and large positive numbers (to detect integer overflow and underflow vulnerabilities)
• Unexpected input data (to exploit invalid assumptions by developers)
Vulnerability Identification Methods (cont’d)
Concept Description
Threat feed • A stream of data about emerging cyberthreats
• Gathers information from a wide variety of sources
Open-source intelligence • The practice of collecting information from publicly available sources to be
(OSINT) used in an intelligence context
• Uses publicly available information from social media, websites, and news
articles to gather information about an individual or organization
Proprietary/third-party • A separate, non-public vulnerability database or threat feed created by a third
party
• Often part of a company’s product or service offering
Vulnerability Identification Methods (cont’d)
Concept Description
Information-sharing organization • Provides a central resource for gathering information on cyber
threats (in many cases to critical infrastructure)
• Allows two-way sharing of information between the private and the
public sector
• Typically nonprofit or government-sponsored
Dark web • A subset of the deep web that is intentionally hidden, requiring a
specific browser—Tor—to access
• While it does have legitimate sites and purposes, the dark web is
infamous for its illicit activities including selling drugs, credit card
numbers, counterfeit money, credentials, and hacking tools
Penetration testing • An authorized simulated attack performed on a computer system to
evaluate its security
Vulnerability Identification Methods (cont’d)
Concept Description
Responsible disclosure program • Allows security researchers to safely report found vulnerabilities to a
software company or developer team
Bug bounty program • A monetary reward given to ethical hackers for successfully
discovering and reporting a vulnerability or bug to the application's
developer/software company
System/process audit • An overall review of an organization’s IT system or process
• Seeks to identify inefficiencies and vulnerabilities
Credentialed vs. Uncredentialed Scan
• Where possible, configure the scanning software with privileged
credentials for the various systems it will test
• Credentials allow the scanner to log in to each device and obtain
considerably more information from system:
• User accounts
• Policies
• Installed software
• Patch levels, including for third-party software
• Registry and configuration information
• An uncredentialed scan provides less information, and is less accurate
• For example, it would not detect missing patches for third-party software on Windows workstations and servers, because that information is only visible from inside the system
Vulnerability Response and Remediation
• Segmentation/isolation
• Quarantine
• Patching
• Update configuration
• Re-installation
• Insurance
• Compensating controls
• Exceptions and exemptions
Methods to Validate Remediation
• Re-scan the system for the same vulnerability
• Use the same, and then different, tools
• Verify that the vulnerability no longer appears in a scan
• Do this BEFORE moving the system back into production
• Run a second audit
• Compare the results of your current audit with the results of your previous
audit
• See if the original issue was eliminated or reduced
• Verify whether the remediation actions taken were implemented
correctly and according to plan
Reporting
• Submitting a report is a step that is done after the vulnerability assessment, but
before the remediation.
• The report is a document that summarizes the findings and recommendations of
the vulnerability assessment.
• It is used to communicate the results to the stakeholders and the operations
team.
• The report may also include a follow-up plan and a timeline for the remediation
actions.
• However, submitting a report is not the final step after the remediation, as it does
not confirm that the network is secure.
• You must re-test the network for confirmation that the reported vulnerabilities
have been remediated.
• Results of the follow-up test should be appended to, or reference, the initial report
• The initial report and its follow-up should be recorded in the risk register
Question
• You complete a vulnerability assessment on the network and find several vulnerabilities, which the operations team remediates.
• What should be done next?
• Rescan the network.
Question #2
• You disable unneeded services and place a firewall in front of a business-critical legacy system.
• What type of control have you implemented?
• Compensating control
Question #3
• What scoring system is used to quantitatively measure the criticality of a vulnerability?
• CVSS
Question #4
• You find that users who left the organization six months ago still have active user accounts.
• What could have been used to prevent this from happening?
• Account audit
Question #5
• You just completed a vulnerability scan.
• The scan found malware on several systems that were running older versions of Windows.
• What is the MOST likely cause of the malware infection?
• Improper or weak patch management.
Question #6
• What is a technique a software company would use that compensates researchers for finding vulnerabilities?
• Bug bounty
Monitoring and Response
• Monitoring Activities
• Monitoring Tools
Monitoring Activities
What Can You Monitor?
• System, network, or data access
• System performance
• Network traffic
• Connection attempts
• Storage
• Applications
• Data integrity
• User behavior
• Honey assets
• Environmental conditions (power, temperature, humidity, etc.)
Monitoring Activities
• Scanning
• Checking devices and device logs for evidence of anomalous behavior or compromise
• Alerting
• Automatically informing the administrator of a problem (typically via SMS or email)
• Forwarding
• Sending log entries to another system (typically a syslog server) for collection, aggregation,
and analysis
• Protects log data from tampering by creating a remote copy in real time
• Log management
• Ensuring that device logs do not become unwieldy or begin to overwrite entries
• Includes backing up, truncating, and clearing logs
• Aggregation
• Collecting and combining data from multiple sources or sensors to provide a comprehensive
view of the security posture
Monitoring Activities (cont’d)
• Reporting
• Creating a formatted, printable summary of an incident or time period
• Archiving
• Storing and preserving historical data or records for future reference or compliance
• Alert response
• Can include system quarantine, remediation, deploying compensating controls
• Quarantine
• Isolating a potentially infected or compromised device or system from the rest of the network to
prevent further damage or spread
• Remediation validation
• Verifying that the issue has been resolved satisfactorily
• Alert tuning
• Adjust the IDS/IPS/monitoring tool to optimize its performance and reduce false positives or false
negatives
• Tunes out normal or benign activity
• Improves efficiency by reducing the workload and operator “alert fatigue”
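Forwarding, aggregation, alerting and alert tuning are easiest to see on a handful of log lines. The block below is an added example, not code from the slides: it parses forwarded sshd failure lines the way a syslog collector would receive them, aggregates failures per source, raises one alert per burst that crosses a threshold, and then applies a tuning allowlist so a known-benign source stops generating noise. The log lines, the "authorized scanner" at 10.0.0.9 and the five-failures-in-five-minutes threshold are constructed for the example.

```python
"""Threshold alerting over forwarded syslog lines, with alert tuning.

Added example, not code from the slides. It does, in miniature, what the
monitoring activities above describe: aggregate forwarded sshd log lines,
alert when one source exceeds a failure threshold, and tune out a source that
is known to be benign. The log lines, the "authorized scanner" at 10.0.0.9 and
the 5-failures-in-5-minutes threshold are all constructed for the example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in the RFC 3164 form a central syslog collector receives.
SAMPLE_LOGS = """\
Mar  4 09:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51012 ssh2
Mar  4 09:00:03 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 51013 ssh2
Mar  4 09:00:04 web01 sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 51014 ssh2
Mar  4 09:00:06 web01 sshd[2207]: Failed password for invalid user oracle from 203.0.113.5 port 51015 ssh2
Mar  4 09:00:09 web01 sshd[2209]: Failed password for root from 203.0.113.5 port 51016 ssh2
Mar  4 09:01:10 web01 sshd[2220]: Failed password for invalid user scanner from 10.0.0.9 port 40000 ssh2
Mar  4 09:01:11 web01 sshd[2221]: Failed password for invalid user scanner from 10.0.0.9 port 40001 ssh2
Mar  4 09:01:12 web01 sshd[2222]: Failed password for invalid user scanner from 10.0.0.9 port 40002 ssh2
Mar  4 09:01:13 web01 sshd[2223]: Failed password for invalid user scanner from 10.0.0.9 port 40003 ssh2
Mar  4 09:01:14 web01 sshd[2224]: Failed password for invalid user scanner from 10.0.0.9 port 40004 ssh2
Mar  4 09:30:00 web01 sshd[2301]: Failed password for alice from 192.168.1.50 port 52000 ssh2
Mar  4 09:45:00 web01 sshd[2302]: Accepted password for alice from 192.168.1.50 port 52001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_failures(text: str, year: int = 2024) -> list:
    """Extract failed-login events; syslog has no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not failures
        stamp = " ".join(m["ts"].split())  # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"]})
    return events


def aggregate(events: list) -> dict:
    """Aggregation: failures per source address across all forwarded logs."""
    return dict(Counter(e["src"] for e in events))


def detect(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=5),
           suppress: frozenset = frozenset()) -> list:
    """Raise one alert per burst of >= threshold failures from one source inside window.
    suppress is the tuning allowlist: sources whose failures are known-benign and
    would otherwise only add to alert fatigue."""
    alerts = []
    recent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] in suppress:
            continue
        times = recent[ev["src"]]
        times.append(ev["ts"])
        while times and ev["ts"] - times[0] > window:  # slide the window forward
            times.pop(0)
        if len(times) >= threshold:
            alerts.append({"src": ev["src"], "count": len(times), "last": ev["ts"],
                           "host": ev["host"]})
            times.clear()  # one burst, one alert
    return alerts


# Tuning decision, an assumption for the example: 10.0.0.9 is the authorized
# vulnerability scanner, whose login probes are expected.
KNOWN_BENIGN = frozenset({"10.0.0.9"})

if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOGS)
    print("per-source failures:", aggregate(evs))
    print("untuned alerts:", [a["src"] for a in detect(evs)])
    print("tuned alerts:  ", [a["src"] for a in detect(evs, suppress=KNOWN_BENIGN)])
```

The tuning is deliberately a narrow allowlist of one source rather than a lower threshold: loosening the threshold to quiet the scanner would also hide the real brute-force attempt from 203.0.113.5, which is the false-negative side of tuning the slide warns about.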
Monitoring Tools
Security Content Automation Protocol (SCAP)
• A NIST-maintained suite of open specifications for expressing security configuration checklists, vulnerability data and asset information in machine-readable form, so that checking them can be automated
• SCAP-validated products must implement the component specifications NIST publishes (XCCDF, OVAL, CPE, CCE, CVE, CVSS and the others listed on the next slide)
• Includes standardized compliance checks (for example, a CIS or DISA STIG benchmark expressed as an XCCDF checklist with OVAL tests)
• Helps automate and streamline processes such as known vulnerability analysis, security configuration verification, and report generation
• Enhances organizational security and reduces the risk of data breaches and other cyber attacks
• Assists enterprises in complying with relevant policies, laws, and regulations, even those that are revised constantly
• SCAP tool examples:
• OpenSCAP, Tenable Nessus, Greenbone OpenVAS
SCAP Specifications
✓ Asset Identification (AI)
✓ Asset Reporting Format (ARF)
✓ Common Configuration Enumeration (CCE)
✓ Common Platform Enumeration (CPE): Naming, Name Matching, Dictionary, Applicability Language
✓ Open Vulnerability and Assessment Language (OVAL)
✓ Open Checklist Interactive Language (OCIL)
✓ Trust Model for Security Automation Data (TMSAD)
✓ Extensible Configuration Checklist Description Format (XCCDF)
✓ Software Identification (SWID) tags
https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/Emerging-Specifications
Benchmark Testing
• Compares performance testing results against agreed-upon performance metrics
• Helps determine the quality standards of a system or software application
• Can include hardware, software, and network performance
• Used to maintain high-quality system or application standards
• In a security context, a benchmark (e.g. a CIS Benchmark) is a published secure-configuration baseline; checking a system against it is what SCAP/XCCDF content automates
Benchmark Testing Report Example
Agent-based and Agentless Monitoring
• Two different approaches to monitoring and securing IT assets
• Agentless monitoring does not require installing any software on the target
devices
• Easier to scale, requires less IT work, is more vendor agnostic, and is more conducive
to network discovery
• The management system queries devices for information
• Agent-based monitoring requires software to be installed on the target
devices
• Helps collect data
• Proactively stays in contact with the management system
• Can cover broader metrics
• Provides more insight into the inventory and performance of IT assets
• The choice of agentless or agent-based depends on the complexity and
frequency of change of the environment and workloads
Agent-based and Agentless Monitoring Example
Security Information and Event Management (SIEM)
• A detective (and, with automated response, corrective) technical control
• A centralized security alerting and monitoring tool that collects system, application, and network logs from multiple sources
• Used for real-time monitoring/response, auditing, and compliance
• Analyzes the collected data, correlates events, generates alerts, and
provides reports and dashboards
• Can also integrate with other security tools (including AI)
• Can be a cloud service or installed on-premises
• Example products include:
• Splunk Enterprise Security, SolarWinds Security Event Manager, LogRhythm NextGen
SIEM, SolarWinds Threat Monitor, Datadog, Micro Focus ArcSight ESM, McAfee
Enterprise Security Manager, IBM QRadar
SIEM Example
SIEM Tool
Antivirus
• A detective, preventive, and corrective technical control
• Software that is designed to detect, protect against, and remove
malware on a computer or mobile device
• Many modern operating systems have built-in antivirus features
• Typically requires regular updates (virus signatures) from the vendor
Data Loss Prevention (DLP)
• A preventive technical control
• A set of tools and processes used to ensure that sensitive data is not lost,
misused, or accessed by unauthorized users
• Can be installed on-premises or cloud-based
• Used for:
• Personal Information protection / compliance
• Intellectual property protection
• Data movement visibility
• Examples:
• Forcepoint DLP, Digital Guardian Endpoint DLP, Symantec DLP, Clumio Protect and
Discover, Proofpoint Enterprise DLP, Trellix DLP
DLP Example
Simple Network Management Protocol (SNMP)
• A detective technical control
• Used to discover and centrally monitor devices on a network
• Devices must be configured to respond to SNMP
• An SNMP manager polls agents for information
• Polling is done round-robin style, on a regular interval (every few minutes)
• Manager is software on a server or workstation
• Agent is small software installed on, or built into, a device OS
• The manager uses a Management Information Base (MIB) to know what types of information an agent can provide
• A MIB is a hierarchical list of the objects (counters, strings, tables) a device exposes, each addressed by an Object ID (OID) such as 1.3.6.1.2.1.1.1.0 (sysDescr)
SNMP Components
• Network Management System (NMS)
• Software typically installed on a dedicated computer
• Managed Devices
• Router, switch, hub, firewall, computer, server service (DHCP, DNS, etc.), printer, IoT device
• Agents
• Software installed on the managed device
• Many operating systems have built-in SNMP agents
• Responds to the NMS
SNMP Example (diagram): one NMS polling several agents (routers, switches, servers, printers) over UDP 161
Information You Can Enumerate Using SNMP
• Network devices
• Hosts
• Device CPU, RAM and disk utilization
• Users and groups
• Services
• Installed software
• Network shares
• Device configurations
• IP and MAC addresses
• ARP tables
• Routing tables
• VLANs
• Port and interface status
• Network traffic
• Security violations
• and much, much more
SNMP Security
• SNMP has several versions that are still in use
• v1, v2, v2c all communicate in clear text
• v3 adds per-user authentication and, in authPriv mode, encryption; the noAuthNoPriv and authNoPriv levels still send data in the clear
• Not all devices support v3
• In v1/v2c, both the manager and agent are configured with a simple authentication mechanism called the “community string”
• Simple text string, sent in every packet
• An agent will only respond to a manager that has the same community string
• There are two default community strings:
• “public” – for read-only queries
• “private” – for read/write communications
• Many administrators do not change the default community strings; a guessed read/write string lets an attacker reconfigure the device
• SNMP Ports:
• UDP 161 - Manager queries and agent replies
• UDP 162 – Agents “raise traps” (send pre-configured alerts) to the manager
NetFlow
• A detective technical control
• A network protocol developed by Cisco for collecting IP traffic information and monitoring network flows (who talked to whom, on which ports, how much)
• Although originally Cisco proprietary, NetFlow is supported by a wide range of vendors and devices; IPFIX is the IETF-standardized successor
• By analyzing NetFlow data, you can get a picture of network traffic flow and volume
NetFlow Example
NetFlow Analyzer Dashboard Example
Vulnerability Scanner
• A detective technical control
• An automated tool that scans network devices, systems, services, and
applications for weaknesses and vulnerabilities
• Should create a report including details, applicable CVE number and
recommendations for remediation
• Discovered vulnerabilities must then be verified for exploitability
• Many vulnerabilities will not (yet) have associated exploits
• Use pentesting to verify if the vulnerability poses an immediate threat
• Some scanners focus on a specific target type, such as websites or IoT
devices
• Examples include:
• Acunetix, beSECURE, Burp Suite, GFI LanGuard, Frontline, Tenable Nessus, Nexpose, Nmap (with NSE vulnerability scripts), OpenVAS, Qualys, SAINT, Tripwire IP360, Metasploit Pro
Vulnerability Scanner Dashboard Example
Tuning Alerts
• Monitoring tools can produce false positives
• You will have to adjust (tune) the alert configurations to ignore events that you know are harmless
• Tuning is specific to each environment
Question
• After a hardware incident, an unplanned emergency maintenance activity was conducted to rectify the issue.
• Multiple alerts were generated on the SIEM during this period of time.
• Why did this happen?
• The unexpected traffic correlated against multiple rules, generating multiple alerts.
Question #2
• A security operations center determines that the malicious activity detected on a server is normal.
• What describes the act of ignoring detected activity in the future?
• Tuning
Question #3
• Which of the following describes a security alerting and monitoring tool that collects system, application, and network logs from multiple sources in a centralized system?
• SIEM
• DLP
• IDS
• SNMP
• Answer: SIEM
Question #4
• What control type does a SIEM use to identify security events across the enterprise?
• Detective
Enhancing Enterprise Security
• Firewall Configuration
• Intrusion Detection Configuration
• Implementing Secure Protocols
• DNS Filtering
• Email Security
• File Integrity Monitoring
• DLP
• Network Access Control
• EDR / XDR
• UEBA
Firewall Configuration
Firewall Appliance
• A detective, preventive, and sometimes compensating technical control
• Separates the “trusted” network from the “untrusted” network
• Can be a separate hardware appliance to protect an entire network segment
• Can be an optional feature enabled on a router
• Enforces rules to filter out unwanted traffic
• Rules can be applied to specific interfaces for inbound or outbound traffic
• Often provides Network Address Translation (NAT) services
• Can work at Layers 3 – 7
• Might have a “subscription” with the vendor to download malware signatures for deep packet inspection
Note: “Inbound” and “outbound” can refer to either:
• Traffic coming into the private network / going out to the Internet
• Traffic coming into / going out of a specific firewall interface
Firewall Example (diagram)
• Protects the “trusted” private network from the “untrusted” Internet
• Private network | Firewall | Internet; “Friend” traffic is allowed through, “Foe” traffic is dropped
• Controls both inbound and outbound traffic based on rules set by the administrator
Demilitarized Zone (DMZ)
• AKA screened subnet
• IP addresses in the DMZ can be public or private
• An untrusted network between two firewalls
• Internet-facing (bastion) hosts are placed here
• Typically used to isolate and (somewhat) protect public servers such as:
• DNS
• Web server
• MX (email relay)
• Spam and web traffic filtering appliances
Typical DMZ (diagram)
• Private LAN | Internal Firewall | DMZ (bastion hosts) | External Firewall | Internet
“Dirty” DMZ (diagram)
• External “firewall” is a packet filtering router
• Private LAN | Firewall | DMZ | Packet Filtering Router | Internet
Perimeter Network (diagram)
• Like a “side yard”
• A DMZ on a firewall’s third interface
• Still untrusted
• Contains the bastion host(s)
• Private LAN | Firewall | Internet, with the perimeter network hanging off the firewall’s third interface
Access Control List (ACL)
• A set of rules used to control traffic in and out of a firewall, router, or multilayer
switch
• Each packet is compared to the rules in the ACL and processed accordingly
• Rules typically include:
• Name
• Action
• Protocol
• Source IP address
• Destination IP address
• Source port
• Destination port
• Most ACLs have an implicit “deny” at the end
• If you configure only deny rules, you need to have a “permit all” rule at the end to allow all
other traffic
Typical ACL Syntax
ACL-name  Action  Protocol  Source-IP  [Source-port*]  Dest-IP  [Dest-port**]
Example:  101  permit  tcp  10.10.10.0/24  eq 80  11.11.11.0/24  eq 80
• Action: permit or deny
• Protocol: tcp, udp, icmp, igmp, or ip (any IP protocol)
• * Source port is optional
• ** Port operators apply to TCP and UDP only; the port can be given by name or number
IP address variations:
• Single host: host 10.10.10.1, or 10.10.10.1 0.0.0.0 (wildcard mask), or 10.10.10.1/32
• Subnet: 10.10.10.0/24, or 10.10.10.0 0.0.0.255 (wildcard mask)
• All IPs: any, or 0.0.0.0/0
Port operators:
• eq equals
• gt greater than
• ge greater than or equal to
• lt less than
• le less than or equal to
ACL Example
Hosts: End User 192.168.1.102, End User 192.168.1.101, Admin Station 192.168.1.100 | Firewall | Web server 10.1.2.100, SSH / Telnet Linux server 10.1.2.200
Fields: action, protocol, source, destination, destination port

access-list 101 deny tcp any any eq 23
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.1.2.100 eq http
access-list 101 permit tcp host 192.168.1.100 host 10.1.2.200 eq ssh
access-list 101 permit ip 0.0.0.0/0 any
ACL Example #2
Hosts: Kiosk 192.168.1.99, End User 192.168.1.101, Admin Station 192.168.1.100 | Firewall | Email Server 10.1.2.5, SQL Server 10.1.2.17, DNS Server 10.1.2.20
Fields: action, protocol, source, destination, destination port

access-list 101 permit udp any host 10.1.2.20 eq 53
access-list 101 permit tcp 192.168.1.0/24 host 10.1.2.5 eq 25
access-list 101 permit tcp host 192.168.1.100 host 10.1.2.17 eq smb
access-list 101 deny icmp 192.168.1.101 0.0.0.0 any
access-list 101 deny ip host 192.168.1.99 any
access-list 101 permit ip any any
Port Forwarding
• Aka “publishing”
• A technique that allows external devices to access computers on a private network
• Uses the firewall’s public IP address plus a port number to route incoming requests to a specific internal device and port
• Typically configured on a firewall or NAT router as a destination NAT (DNAT) rule; a reverse proxy does the same job at the application layer and can inspect the traffic it forwards
Port Forwarding Example (diagram)
• Gaming server 192.168.1.200 on the internal LAN (intranet); firewall public address 64.12.5.17
• Forwarding rules: UDP 25565 and TCP 25565 arriving at 64.12.5.17:25565 are sent to 192.168.1.200:25565
Common Protocols and Ports
Port Protocol Name Description Encrypted
20/21 TCP FTP File Transfer Protocol (data / commands) No
22 TCP SSH Secure Shell; text-based remote administration, also carries SFTP and SCP Yes
23 TCP telnet Text-based remote administration, replaced by SSH No
25 TCP SMTP Simple Mail Transfer Protocol; server-to-server mail transfer No (STARTTLS optional)
53 UDP, TCP DNS Querying a DNS server; TCP is used for zone transfers and large responses No
67/68 UDP DHCP DHCP server (67) and client (68) ports No
69 UDP TFTP Trivial FTP; simple, unauthenticated file transfer No
80 TCP HTTP Hypertext Transfer Protocol; web traffic No
88 TCP, UDP Kerberos Active Directory (and other Kerberos realm) authentication Yes
110 TCP POP3 Post Office Protocol; downloading email from your mailbox No
Common Protocols and Ports (cont’d)
Port Protocol Name Description Encrypted
111 TCP, UDP SUN RPC Portmapper; tells clients which port an RPC service (e.g. NFS) is listening on No
119 TCP NNTP Network News Transfer Protocol; transferring Usenet news No
123 UDP NTP Network Time Protocol; synchronizing clocks No
135 TCP RPC Remote Procedure Call; Microsoft endpoint mapper. Most inter-Microsoft communication happens over RPC Depends on service
137 TCP, UDP NBNS NetBIOS name service (deprecated) No
138 UDP NBT NetBIOS over TCP/IP datagram service (deprecated) No
139 TCP SMB v1 (over NetBIOS) Server Message Block; Microsoft file and print protocol No
143 TCP IMAP4 Internet Message Access Protocol; reading email that stays on the server No
161, 162 UDP SNMP Simple Network Management Protocol; monitoring devices on a network (161 queries, 162 traps) No (v3 optional)
Common Protocols and Ports (cont’d)
Port Protocol Name Description Encrypted
389/636 TCP LDAP/LDAPS Lightweight Directory Access Protocol / LDAP over TLS; querying and editing an X.500-style directory service (such as Microsoft Active Directory) No / Yes
443 TCP HTTPS HTTP over TLS (formerly SSL); encrypted web traffic Yes
445 TCP SMB (direct) Server Message Block over TCP; file and print services, domain logon (SYSVOL/NETLOGON) Optional, SMB 3.0 and later
500 UDP IKE Internet Key Exchange; negotiating an IPsec VPN (UDP 4500 is used for NAT traversal) Partial (after the initial exchange)
514 UDP syslog Forwarding log messages to a central syslog server No (syslog over TLS uses TCP 6514)
587 TCP SMTP Mail submission from clients; upgraded with STARTTLS (465 is implicit-TLS SMTPS) Yes (STARTTLS)
993 TCP IMAPS IMAP over TLS Yes
995 TCP POP3S POP3 over TLS Yes
Common Protocols and Ports (cont’d)
Port Protocol Name Description Encrypted
1433 TCP MSSQL Microsoft SQL Server No (TLS optional)
1521 TCP Oracle SQL Connection to an Oracle database server Depends
1723 TCP PPTP Point-to-Point Tunneling Protocol; early Microsoft VPN, now deprecated (its MPPE/MS-CHAPv2 protection is broken) Payload only (weak)
3306 TCP MySQL Connection to a MySQL database server No (TLS optional)
3389 TCP RDP Remote Desktop Protocol; remote GUI connection to a Windows machine, used for remote administration Payload only (TLS and NLA recommended)
5060/5061 TCP, UDP SIP Session Initiation Protocol; establishing and managing Voice-over-IP calls (5060 plain, 5061 SIP over TLS) No / Yes
Firewall Configuration Best Practices
• Start by disallowing all traffic in all directions
• Permit outbound traffic only as necessary
• When creating firewall rules, keep in mind that traffic will be
evaluated one rule at a time, from top to bottom
• When a packet matches a rule, the action is applied and no more rules are
checked for that packet
• Ensure that the rules are placed in an order that provides the desired
result
• Place the most specific rules at the top
• Place the less specific rules below
• Do not put a “permit any” above specific deny rules, and vice-versa
Firewall Configuration Best Practices (cont’d)
• If you have deny rules, and you want any remaining traffic to be permitted, don’t forget to place a permit any any rule at the bottom
• Keep in mind that most firewalls have an implicit deny all rule at the
very end
• Back up the current firewall configuration BEFORE adding any
rules/changing its configuration
• Test any new configurations BEFORE deploying in production
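Top-down evaluation, first match wins, and the implicit deny are the three rules every mistake on the previous slides comes from, and they apply equally to the two "ACL Example" slides earlier in this section. The block below is an added example, not code from the slides or from any firewall vendor: a small evaluator that parses the deck's own ACL syntax (host, CIDR, wildcard mask, any, eq port-or-name), walks a rule list in order and falls through to the implicit deny, so a rule set can be tested on paper before it goes into production, which is what the "test before deploying" practice asks for. EXAMPLE_1 is the deck's first "ACL Example"; the packets in the usage section are constructed, and only contiguous wildcard masks are supported.

```python
"""First-match ACL evaluator for the slide-style access-list syntax.

Added example, not code from the slides. It parses the address forms from the
"Typical ACL Syntax" slide (host X, X/len, X wildcard-mask, any) and the optional
eq <port|name> operator, walks a list top to bottom, stops at the first match and
falls through to the implicit deny, so a rule set can be checked on paper before it
goes on the firewall. EXAMPLE_1 is the deck's "ACL Example"; the packets in the
usage section are constructed. Only contiguous wildcard masks are supported.
"""
import ipaddress

PORT_NAMES = {"http": 80, "www": 80, "https": 443, "ssh": 22, "telnet": 23,
              "smtp": 25, "dns": 53, "domain": 53, "smb": 445}


def _port(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token.lower()]


def _parse_addr(tokens: list, i: int):
    """Consume one address spec at tokens[i]; return (network, next_index)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if "/" in t:
        return ipaddress.ip_network(t, strict=False), i + 1
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))  # wildcard mask: 0 bits must match
    prefix = 32 - wildcard.bit_length()
    if wildcard != (1 << (32 - prefix)) - 1:
        raise ValueError("non-contiguous wildcard mask not supported: " + tokens[i + 1])
    return ipaddress.ip_network(f"{t}/{prefix}", strict=False), i + 2


def _parse_port(tokens: list, i: int):
    """Optional 'eq <port>' at tokens[i]; return (port or None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_rule(line: str) -> dict:
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]  # drop 'access-list <name>'
    action, proto = tokens[0].lower(), tokens[1].lower()
    if action not in ("permit", "deny"):
        raise ValueError("bad action in rule: " + line)
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line}


def matches(rule: dict, pkt: dict) -> bool:
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["sport"] is not None and rule["sport"] != pkt.get("sport"):
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.get("dport"):
        return False
    return True


def evaluate(acl: list, pkt: dict) -> tuple:
    """Top-down, first match wins; no match is the implicit deny at the end."""
    for rule in acl:
        if matches(rule, pkt):
            return rule["action"], rule["text"]
    return "deny", "implicit deny"


# The deck's "ACL Example", parsed exactly as written on the slide.
EXAMPLE_1 = [parse_rule(line) for line in (
    "access-list 101 deny tcp any any eq 23",
    "access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.1.2.100 eq http",
    "access-list 101 permit tcp host 192.168.1.100 host 10.1.2.200 eq ssh",
    "access-list 101 permit ip 0.0.0.0/0 any",
)]

if __name__ == "__main__":
    # Constructed packet: end user 192.168.1.101 tries SSH to the Linux server.
    end_user_ssh = {"proto": "tcp", "src": "192.168.1.101", "dst": "10.1.2.200", "dport": 22}
    print(evaluate(EXAMPLE_1, end_user_ssh))        # permit, via the trailing permit ip any
    print(evaluate(EXAMPLE_1[:3], end_user_ssh))    # deny, via the implicit deny
```

Running it shows two things the slides state but are easy to miss when reading rules by eye: in the first example the trailing `permit ip 0.0.0.0/0 any` lets an end user SSH to 10.1.2.200 even though only the admin station was given an explicit permit, so the SSH restriction only holds if that last line is removed and the implicit deny does its job; in the second example the kiosk's SMTP and DNS traffic is still permitted, because the subnet-wide permits above `deny ip host 192.168.1.99 any` match first.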
Firewall Configuration Best Practices (cont’d)
• Place all Internet-facing hosts in a DMZ/screened subnet/perimeter
network
• If you must publish internal resources, prefer to put those hosts in a
separate segment/VLAN
• Treat the Internet and DMZ as untrusted networks
• Only manage the firewall from the inside network
• When possible, dedicate an inside interface just for firewall management
• The management network is a separate segment with its own subnet
• Dedicate a management workstation to be the only host connected to the mgmt
segment
• Use a secure protocol to make administrative connections
• Disallow any other protocols/connections to/from the firewall itself
Firewall Configuration Best Practices (cont’d)
• If you must permit an outside vendor to help configure the firewall:
• Require a VPN
• Create a permit rule for their specific host only
• Time-limit the connection
• Disable ICMP to/from/through the firewall (at minimum rate-limit it; if you block it entirely, still allow ICMP “fragmentation needed” messages so path MTU discovery keeps working)
• Disable any protocols and IP addresses to/from the firewall itself, unless used to manage the firewall
Question
• You determine that a high number of unwanted connections to a web server were initiated by ten different IP addresses from another country.
• What can you use to prevent these connection attempts?
• Firewall rules
Question #2
• You are creating an inbound firewall rule to block a specific IP address from accessing the organization’s network.
• What might your rule look like?

access-list inbound deny ip 10.1.4.9/32 0.0.0.0/0

Question #3
• An enterprise is trying to limit outbound DNS traffic originating from its internal network.
• Outbound DNS requests will only be allowed from one device with the IP address 10.50.10.25.
• How might you write the firewall ACL?

access-list outbound permit udp 10.50.10.25/32 0.0.0.0/0 eq 53
access-list outbound permit tcp 10.50.10.25/32 0.0.0.0/0 eq 53
access-list outbound deny udp 0.0.0.0/0 0.0.0.0/0 eq 53
access-list outbound deny tcp 0.0.0.0/0 0.0.0.0/0 eq 53

• DNS uses UDP 53 and, for zone transfers and large responses, TCP 53; the permit lines must sit above the deny lines because the first match wins
Question #4
• While troubleshooting a firewall configuration, you determine that a “deny any” policy should be added to the bottom of the ACL.
• You update the policy, but the new policy causes several company servers to become unreachable.
• How could you have prevented this?
• Test the policy in a non-production environment before enabling the policy in the production network
Question #5
• Which two TCP ports should you block on the firewall to prevent external inbound SMB connections?
• 139, 445
Question #6
• You want to create a firewall rule set for a subnet to only access:
• DHCP, web pages, and SFTP
• specifically block FTP
• What might the rule set look like?

Allow: Any Any 80 (HTTP)
Allow: Any Any 443 (HTTPS)
Allow: Any Any 67 (DHCP server, UDP)
Allow: Any Any 68 (DHCP client, UDP)
Allow: Any Any 22 (SSH; SFTP runs over SSH)
Deny: Any Any 21 (FTP)
Deny: Any Any
Intrusion Detection Configuration
Intrusion Detection System (IDS)
• A detective technical control
• Detects suspicious activity and tracks trends on the network
• Analyzes network traffic for signatures that match known cyberattacks
• Must regularly update its signature database from the vendor
• Can be a network sensor or software on a device
• Logs findings to a dashboard
• Can send alerts to the administrator
IDS/IPS Rules
• An IDS rule typically contains the following:
• Action
• Protocol
• Direction
• Source/Destination IP and port
• Options
IDS Rule Example
This Snort rule detects a basic SQL injection probe, the tautology "1=1" (URL-encoded as 1%3D1), in GET requests to the web server:

alert tcp any any -> 192.168.1.200 80 (msg:"SQL Injection Detected"; content:"GET"; http_method; content:"1%3D1"; http_uri; sid:1000001; rev:1;)

• Header: action (alert), protocol (tcp), source IP and port (any any), direction (->), destination IP and port (192.168.1.200 80)
• Options, in parentheses: a message, two content matches tied to the http_method and http_uri buffers, a signature ID (local rules use sid 1000000 and above) and a revision number
IDS Risks
• A signature database that is outdated
• False negatives
• A purely signature-based IDS cannot detect zero day (as yet unknown) attacks
There are a number of ways to evade detection by an IDS:
Scan very slowly, fragment malicious packets, tunnel, obfuscate (send the same payload in an encoding the signature does not list).
Above all, you will need patience.
Intrusion Prevention System (IPS)
• A detective and preventive technical control
• Uses a signature database, but can also set a baseline of “normal” traffic and then watch for anomalies in real-time
• Can detect zero day attacks if they have an unusual traffic pattern
• Installed inline between the firewall and the core switch
• Can block suspicious traffic
• Logs findings to a dashboard and can alert the administrator
IPS can identify new threats – but only because they don’t look like the baseline
IPS Risks
• False positives (system is configured to be too sensitive)
• Might need considerable tuning in the first few weeks
• False negatives (if the baseline already included malicious traffic)
• Could potentially cut off legitimate new protocols and traffic types
IPS will require monitoring and tuning
IDS/IPS Best Practices
• Regularly download signatures from the vendor
• If you use the open source Snort IDS, download pre-created rules from snort.org
or the Snort community
• Test for effectiveness
• Rules are very explicit – they won’t catch everything
• Set alerts so you can respond immediately
• IPS-specific:
• Enable all of the signatures in alert only mode during the initial deployment phase, which
should last approximately one week
• Monitor carefully and tune to minimize disruptions
Question
• A hacker gained access to a system via a phishing attempt that was a
direct result of a user clicking a suspicious link
• The link laterally deployed ransomware, which laid dormant for
multiple weeks, across the network
• Which of the following would have mitigated the spread?
• IPS
• IDS
• WAF
• UAT
Question #2
• You want to monitor your network for known signature-based attacks
• What should you deploy?
• IDS
Question #3
• You discover multiple suspicious attempts to access company resources
• These attempts were not detected on the network
• What can you implement to prevent such attempts?
• IPS
Web Traffic Filtering
Web Filter
• A preventive technical control
• A device or software that blocks or allows access to web content based on predefined rules or categories
• Can filter by keywords, URLs, content categories, DNS, and website reputation
Web Filter Deployment Types
• Separate inline appliance or cloud service
• Applies the same restrictions for all on-site clients (no exceptions)
• Integrated feature of a next-generation firewall (NGFW)
• Central management system with agents deployed on endpoints
• Applies configurable restrictions for all company-controlled devices, on- or off-site
• Will require installing agents on all devices
• Software (such as a browser plugin) installed directly on endpoints
• Simplest to deploy for small environments
• Not suitable for large environments
Web Filter Category Filtering Example
Web Filter URL Filtering Example
Website Reputation
• Web filters can use an online website reputation checker to block suspicious sites
• Websites are evaluated against:
• URL category
• Age of a URL
• History of a URL
• Domain reputation
• IP reputation
• Presence of downloadable files or code
• Previous association with malicious internet objects
• Current association with malicious internet objects
• Popularity
• Hosting location
• Real-time performance
• Website and/or network owner
• Presence on any block/allow lists
You can visit various online security providers to manually check a website’s reputation
Web Filter Best Practices
• Consider using a product that uses AI with larger datasets
• Web Filter-as-a-Service
• On-premises device with a vendor subscription
• If using an agent-based product, use automated software deployment for convenient, consistent installation
• Tune your web filter if it is incorrectly blocking/allowing certain sites
• You may need to change the site’s category, or add an exception
Question
• A new retail website that your team needs to visit is being blocked by your web filter.
• The filter reports that the site is a gambling site, even though you know that it is not.
• What must you do to correct this problem?
• Update the filter’s categorization of the site from gambling to retail/shopping.
Operating System Policy
Security-Enhanced Linux (SELinux)
• A preventive technical control
• A Linux kernel security module that adds mandatory access controls (MAC)
capabilities to the operating system
• Separates security policy from enforcement
• You can configure targeted or multi-level security policy on the OS
• Requires extra work when deploying non-standard applications or configurations
• For example, by default SELinux will deny Apache web server from being installed in a
different directory, or using a non-standard port
• Can be installed on most Linux distributions
• You can also obtain a pre-installed version such as RHEL, Rocky Linux, or AlmaLinux
Note: SELinux has a competitor called AppArmor, which is popular among Ubuntu/Debian administrators
SELinux Example
Group Policy
• A preventive technical control
• A built-in Windows infrastructure that allows you to specify managed configuration settings for users and computers
• Changes registry settings and can run scripts for security, user experience and Windows features
• Can be applied locally, or to multiple users/devices at once through Active Directory
• A configured policy can be saved as a template for re-use across multiple users or devices
Group Policy Example
Network Service Security
Unsecure Protocols and Their Secure Replacements
Unsecure | Secure | Comment
FTP – TCP 21 | SFTP – TCP 22 | Part of SSH
Telnet – TCP 23 | SSH – TCP 22 | Not supported on older systems
HTTP – TCP 80 | HTTPS – TCP 443 | Uses SSL or TLS
SMB v1 – TCP 139 | SMB v3 – TCP 445 | Also used by directory services on the client
SNMP v1 – UDP 161, 162 | SNMP v3 – UDP 161, 162 | Not supported by all implementations
LDAP – TCP 389 | LDAPS – TCP 689 | Active Directory uses clear text LDAP by default; you can configure it to use LDAPS
Unsecure Protocols and Their Secure Replacements (cont’d)
Unsecure | Secure | Comment
DNS – UDP 53 | DNSSEC | A digital signature file that accompanies DNS records; not a separate protocol
Syslog – UDP 514 | Syslog over TLS – TCP 6514 | Used by SIEM and syslog devices
SMTP – TCP 25 | SMTPS – TCP 587, TCP 465 | SMTP over TLS; TCP 465 has been deprecated
POP3 – TCP 110 | POPS – TCP 995 | POP over TLS
IMAP4 – TCP 143 | IMAPS – TCP 993 | IMAP over TLS
DNS Filtering
• A preventive technical control
• The process of using the Domain Name System to block client access to
malicious websites and filter out harmful or inappropriate content
• A DNS server filters sites by refusing to resolve (look up) queries for
domains that are tracked in a blocklist
• DNS can also use an allow list to always allow lookups for a domain
• A blocklist can use either a domain name or an IP address:
• Domain: The DNS server (resolver) does not resolve any address for the domain, any
of its subdomains, or any host in the domain/subdomain
• IP address: The DNS resolver attempts to resolve all addresses associated with the
domain, but if a particular IP address is on the blocklist, it will not send that result
back to the requesting client
DNS Filtering Example
1. A user receives a phishing email and is tricked into clicking a link that leads to malicious-website.com.
2. Before the user's computer loads the website, it first sends a query to the company's DNS server, which uses DNS filtering.
3. If that malicious site is on that company’s blocklist, the DNS resolver will block the request, preventing malicious-website.com from loading, thus thwarting the phishing attack.
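As an added example (not from the slides), a minimal filtering resolver that implements the two blocklist behaviours described above and the allow-list override, walked through the malicious-website.com scenario. The upstream answers, blocklists and allow list are constructed in memory; no real DNS is queried.

```python
# Added example (not from the slides): a filtering resolver that applies the
# two blocklist types the slides describe. A domain entry blocks the domain and
# every subdomain/host beneath it; an IP entry lets the lookup proceed but drops
# blocked addresses from the answer. An allow-list entry always wins.
# The "upstream" resolver is a constructed in-memory table, not real DNS.

UPSTREAM = {
    "malicious-website.com": ["203.0.113.10"],
    "login.malicious-website.com": ["203.0.113.11"],
    "cdn.example.net": ["198.51.100.5", "203.0.113.99"],
    "intranet.example.org": ["10.20.30.40"],
}

# Constructed policy
DOMAIN_BLOCKLIST = {"malicious-website.com"}
IP_BLOCKLIST = {"203.0.113.99"}
ALLOWLIST = {"intranet.example.org"}


def _in_domain(name, zone):
    """True if name equals zone or is a subdomain/host inside it.

    The leading dot matters: notmalicious-website.com must not be caught by a
    blocklist entry for malicious-website.com.
    """
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def resolve(name, upstream=UPSTREAM):
    """Return (status, addresses) for a client query.

    status is 'allowed', 'blocked-domain', 'filtered' (some answers removed)
    or 'nxdomain'. A blocked domain resolves to nothing at all, which is what
    stops the phishing link in the slide's example from loading.
    """
    if any(_in_domain(name, z) for z in ALLOWLIST):
        return ("allowed", list(upstream.get(name, [])))
    if any(_in_domain(name, z) for z in DOMAIN_BLOCKLIST):
        return ("blocked-domain", [])
    answers = upstream.get(name)
    if answers is None:
        return ("nxdomain", [])
    kept = [a for a in answers if a not in IP_BLOCKLIST]
    status = "filtered" if len(kept) != len(answers) else "allowed"
    return (status, kept)


if __name__ == "__main__":
    for q in ("malicious-website.com", "login.malicious-website.com",
              "cdn.example.net", "intranet.example.org"):
        print(q, "->", resolve(q))
```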
Email Security
The following are preventive controls:
• Domain-based Message Authentication Reporting and Conformance (DMARC)
• Tells the email server what to do with outgoing messages from your organization that
don’t pass authentication (using SPF or DKIM)
• DomainKeys Identified Mail (DKIM)
• A standard email authentication method that adds a digital signature to outgoing
messages
• Receiving mail servers that get messages signed with DKIM can verify messages actually
came from the sender, and not someone impersonating the sender
• Sender Policy Framework (SPF)
• An email authentication method that helps to identify the mail servers that are allowed
to send email for a given domain
• Generally implemented as TXT records in DNS
• By using SPF, ISPs can identify email from spoofers, scammers and phishers as they try to
send malicious email from a domain that belongs to a company or brand
Email Security (cont’d)
• Secure Email Gateway (SEG)
• An email security product that uses signature analysis and machine learning
to identify and block malicious emails before they reach recipients' inboxes
• Can be an inline appliance in the DMZ or a cloud-based service
• Secure MIME (S/MIME)
• Encrypts and digitally signs the email payload (message and attachment)
• Separate from the secure send/receive protocols (SMTPS, POPS, IMAPS)
• Requires participating users to have certificates and trade public keys
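As an added example (not from the slides), a simplified evaluator for the two DNS-published controls from the Email Security slides: an SPF check of a sending server's IP against the domain's TXT record, and the DMARC p= policy that is applied when neither SPF nor an aligned DKIM signature passes. Both records are constructed, and the SPF evaluator deliberately handles only ip4:, ip6: and all.

```python
# Added example (not from the slides): evaluate the two DNS-based checks from
# this section. check_spf() applies a simplified SPF TXT record to a sending
# server's IP (ip4:, ip6: and all with the +/-/~/? qualifiers; include:, a, mx
# and redirect= are not handled), and dmarc_disposition() applies a DMARC
# record's p= policy when neither SPF nor an aligned DKIM signature passed.
# Both records are constructed.
from ipaddress import ip_address, ip_network

SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record
    ip = ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                     # mechanisms default to pass
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed record
            if ip.version == net.version and ip in net:
                return RESULT_FOR_QUALIFIER[qualifier]
        # any other mechanism is ignored by this simplified evaluator
    return "neutral"                        # no match and no trailing 'all'


def dmarc_disposition(record, spf_result, dkim_aligned_pass):
    """Return 'deliver', 'quarantine' or 'reject' for a message.

    DMARC passes when SPF passed or an aligned DKIM signature verified; only
    then is the p= policy skipped. Alignment checking and pct= are omitted.
    """
    tags = {}
    for item in record.split(";"):
        key, sep, value = item.strip().partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        return "deliver"                    # no policy published
    if dkim_aligned_pass or spf_result == "pass":
        return "deliver"
    return {"quarantine": "quarantine", "reject": "reject"}.get(tags.get("p"), "deliver")


if __name__ == "__main__":
    spf = check_spf(SPF_RECORD, "198.51.100.9")     # constructed unlisted sender
    print(spf, dmarc_disposition(DMARC_RECORD, spf, dkim_aligned_pass=False))
```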
Question
• A company’s web filter is configured to scan the URL for strings and deny access when matches are found.
• What search string should you employ to prohibit access to non-encrypted websites?
• http://
Question #2
• You are implementing a new email architecture for your company.
• You would like the new architecture to support email encryption, as well as provide for digital signatures.
• What should you implement?
• S/MIME
Question #3
• You are sending syslog data using UDP 514 to a SIEM server across an unsecure network.
• How can you protect the traffic?
• Use TLS to encrypt TCP 6514
Data Loss Protection
File Integrity Monitoring (FIM)
• A detective technical control
• Tracks data integrity by detecting any changes or modifications to files,
directories, or registry keys
• Uses checksums/file hashes to track any unauthorized or malicious changes
to the data, as well as verify the integrity and compliance of the data
• Logs when changes were made, and by whom
• Some products can also send you alerts when a file changes
• Helps you enforce security policies and standards by comparing the current
state of the data with the baseline or expected state.
• Can support forensic analysis and incident response by providing evidence
and audit trails of the changes
Data Loss Prevention (DLP)
• A detective, preventive, and/or compensating technical control
• The practice of detecting and preventing data breaches, exfiltration, or unwanted
destruction of sensitive data
• Can block, log, and notify the user and administrator of potential breaches
• Can be set to monitor only – good for pilots, tests, and initial deployments
• Can be configured for exceptions
• Some systems include agents installed on laptops and other devices
• Can record a breach attempt even when the device is not connected to a network (user
copies a file to external storage media, etc.)
• Will send an alert to the administrator when the device reconnects to the network
• Requires that you first:
• Create data classifications
• Identify data attributes for each classification (file extension, file type, key words, etc.) so
the DLP can automatically evaluate and tag data with its appropriate classification
DLP Example
Diagram: a DLP system monitoring three kinds of data channels:
• Network: HTTP/S, FTP, TFTP, SSH, Telnet, etc.
• Device Lock: smart phone, removable media, USB, printer, wireless technologies, clipboard
• Service: social media, email, collaboration platforms
Shredder
• A preventive, physical control
• For data and storage media destruction
• Protects against dumpster diving and theft
• Common types include:
• Hard drive / storage media shredder
• Crosscut shredders for documents
• Burn bags for high security documents
Clean Desk Policy
• An administrative, preventive control
• A set of rules designed to help protect sensitive data
• Example rules:
• Don’t leave sensitive information lying around for the casual observer to find
• Pick up printed material promptly from the printer
• Shred or contain all physical documents each time you leave a work environment
• All devices, such as laptops and phones, must be password protected
Question
• Which tool can assist with detecting an employee who has accidentally emailed a file containing a customer’s PII?
• DLP
Question #2
• You want to minimize the risk that proprietary information might be inadvertently exposed during facility tours.
• What policy can you implement?
• Clean desk policy
Question #3
• Which technology is used to actively monitor for specific file types being transmitted on the network?
• DLP
Question #4
• You want to perform a pilot test of a DLP solution
• You want to make sure that the DLP does not inadvertently interfere with data operations
• How should you deploy it?
• Deploy the DLP in monitor mode
Question #5
• Which of the following is a solution that can be used to stop a disgruntled employee from copying confidential data to a USB drive?
• DLP
Question #6
• A user is trying to upload a tax document, which the corporate finance department requested, but a security program is prohibiting the upload
• You determine the file contains PII
• What can you do to allow the upload?
• Modify the exception list on the DLP to allow the upload
Question #7
• You need a method to secure data that includes some form of checks so that you can track any changes to the data
• What should you set up?
• SPF
• GPO
• NAC
• FIM
Question #8
• You install several crosscut shredders as part of increased information security practices targeting data leakage risks
• What specific risk does this address?
• Dumpster diving
Question #9
• You are concerned about employees using company-issued laptops to steal data when accessing network shares
• What should you implement?
• DLP
Network Access Control
Network Access Control (NAC)
• A preventive technical control
• A technology that enforces security policies on devices that attempt to access a network
• Mitigates network threats by enforcing security policies that block, isolate, and repair noncompliant machines without administrator attention
• Non-compliant machines are usually placed in a quarantine VLAN
• The user sees a captive portal that helps them bring their device in compliance
• Can verify the identity, role, and compliance of the devices, and grant or deny access based on predefined rules
Network Access Control (NAC) (cont’d)
• Typically uses 802.1x authenticators along with a Network Policy Server
• Supplicants can either have an installed agent or be agentless
• Can work in conjunction with other (Layer 2) protection mechanisms such as:
• Switchport security:
• Disabling unused ports
• Automatically shutting down ports that encounter a security violation such as an unexpected connected MAC address or multiple connected MAC addresses
• MAC filtering:
• Disallowing specific or unknown MAC addresses to connect to a switch or wireless access point
Endpoint Detection and Response (EDR)
• AKA endpoint detection and threat response (EDTR)
• A detective and preventive technical control
• An endpoint security solution that continuously monitors end-user devices to detect and respond to cyber threats like ransomware and malware:
• Records and stores endpoint-system-level behaviors
• Uses various data analytics techniques to detect suspicious system behavior
• Can block the automatic execution of downloaded programs, which can prevent malicious code from running on the endpoint when a user clicks on a link in a phishing message
• Can make recommendations for remediation
Extended Detection and Response (XDR)
• Successor to EDR
• Extends the range of EDR to encompass more deployed security solutions
• Has broader capability than EDR
• Collects and correlates data across email, endpoints, servers, cloud workloads, and networks, enabling visibility and context into advanced threats
• Applies analytics and automation to detect, analyze, hunt, and remediate current and future threats
User Behavior Analytics
• AKA user and entity behavior analytics (UEBA)
• A detective and (potentially) preventive technical control
• A cybersecurity solution that uses AI and machine learning to detect
anomalies in the behavior of not only the users in a corporate network but
also the routers, servers, and endpoints in that network
• Can be used to detect the use of compromised credentials, lateral
movement, and other malicious behavior
• Uncovers patterns to identify:
• what’s “normal” behavior
• what may be evidence of intruder compromise, insider threats, or risky behavior on
a network
• If configured for response, can block suspicious behavior
UEBA Examples
1. A particular user on the network regularly downloads files of 20 MB every day
but starts downloading 4 GB of files
• The UEBA system would consider this an anomaly and either alert an IT administrator, or if
automations are in place, automatically disconnect that user from the network
2. A server in one branch office may suddenly receive thousands more requests than usual one day, signaling the start of a potential distributed denial-of-service (DDoS) attack
• There is a chance IT administrators might not notice this type of activity, but UEBA would
recognize it and take further action
Question #1
• You are concerned that, if an attacker is successful in entering the building, they could plug a remotely controlled Kali Linux device into the network
• What are some controls you can implement to protect against that risk?
• 802.1x and Network Access Control (NAC)
• Additionally, you could implement switchport/WAP security such as MAC filtering
Question #2
• You are reviewing the results of a recent phishing campaign
• The user click-through rate exceeded the acceptable risk threshold
• You want to reduce the impact when a user clicks on a link in a phishing message
• How can you use EDR to assist with this goal?
• Configure the EDR policy to block automatic execution of downloaded programs
Identity and Access Management
• Identity Management
• Access Management
Identity Management
Provisioning/De-provisioning User Accounts
• A key component of Identity and Access Management (IAM)
• Involves creating, maintaining, updating, and deleting user accounts and access from multiple applications and systems all at once
• Can be performed manually or via scripts and orchestration
• Similarly, accounts can be de-provisioned when no longer needed
Identity Proofing
• An identity verification process
• Used as part of the account creation process
• Designed to establish the authenticity of an individual’s claimed identity in
online transactions
• Can use:
• Document verification
• Biometrics
• PII
• Out-of-band authentication such as:
• Biometric readers for fingerprint scans or facial recognition
• Phone calls for voice authentication
• QR codes containing encrypted transaction data
• Push notifications to mobile devices
• Interaction with a human agent
Authentication Factors
• Something you (always) know
• Password, PIN, answers to personal questions
• Something you have
• Smart card, authentication token/hardware key, certificate
• Phone with authenticator app, receiving one-time SMS/email code
• Something you are
• Biometrics
• Somewhere you are
• Geolocation
Passwords
• A password is Something You (always) Know
• A string of characters that you enter along with your username
• Variations include:
• PIN - short string of numbers/characters
• Pass phrase - a sentence that is longer than a password, and may contain
symbols in place of certain letters, but is still easy to remember
• Passwords/PINs are typically used as one of the factors in multifactor
authentication
• A one-time code sent to your phone is not considered to be a
password
• It is considered to be Something You Have
• You must possess the phone to even receive the code
Password Strength
• Determined by length and complexity
• Especially length
• Complexity is defined by number of character sets used
• lower case, upper case, numbers, symbols, etc.
• Short passwords (e.g., 4-digit PIN) can be brute forced in a few seconds
• Each additional character adds orders of magnitude to cracking time
Password Strength Testing Example
https://www.security.org/how-secure-is-my-password/
Compromised Password Testing Example
https://haveibeenpwned.com/Passwords
Password Vault
• AKA password manager or password locker
• A program or device that stores credentials for multiple applications securely, in encrypted format
• Examples: YubiKey, Google Password, NordPass, LastPass, Keeper, etc.
• Users access the vault via a single “master” password and/or biometrics.
• The vault then provides the password for the account they need to access
• Since users have to remember only one password, they’re more likely to use complex passwords that cannot be easily stolen or compromised
Password Best Practices
• Length
• The longer the better
• Each additional character adds an order of magnitude to the password strength
• You should require a minimum password length of 8, 12, or even 16 characters
• Longer passwords are considered to be stronger than shorter complex passwords
• Complexity
• Adding numbers and symbols increases the character set size
• Use a password generator to recommend complex passwords
• Add symbols and numbers as their own characters, not as substitutions for letters
• Do not do this: @for a, 3 for e, $ for s, 1 for i, etc.
• Most password crackers will automatically try swapping symbols and numbers for letters
• Complexity should be used in conjunction with minimum password length
• Reuse
• Do not reuse passwords for multiple sites (can lead to credential stuffing attacks)
• When required to change your password, do not use the same password as before
Password Best Practices (cont’d)
• Expiration
• When a password gets to be a certain age, it should expire, requiring the user to
change it
• This reduces the time in which an attacker can use a compromised/stolen password
• Avoid using common words or finger patterns that are likely to be in a
password cracking dictionary
• Good password example:
• rB'jEDLof-(Wz8S
• Bad password examples:
• P@$$w0rd
• letmein
• qwerty
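As an added example (not from the slides), a password checker that scores strength the way the Password Strength slide describes it (length times character-set size) and applies the best practices above as checks, including undoing the @/3/$/1 substitutions so that the slide's bad examples collapse to dictionary words. The substitution table and the tiny dictionary are constructed stand-ins for what cracking tools use.

```python
# Added example (not from the slides): score a password the way the slides
# describe strength (length times character-set size) and apply the best
# practices as checks. The substitution table and the tiny "cracking
# dictionary" are constructed; real crackers use word lists of many millions.
import math
import string

# Common letter-for-symbol swaps that cracking tools try automatically
SUBSTITUTIONS = {"@": "a", "4": "a", "3": "e", "$": "s", "5": "s",
                 "1": "i", "!": "i", "0": "o", "7": "t"}
DICTIONARY = {"password", "letmein", "qwerty", "welcome", "monkey"}
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}


def char_classes(pw):
    """Set of character classes used: 'lower', 'upper', 'digit', 'symbol'."""
    classes = set()
    for c in pw:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("symbol")
    return classes


def search_space_bits(pw):
    """log2 of the candidates a brute-force attacker must try: length * log2(charset).

    Each extra character multiplies the search space by the charset size (x26
    for lowercase only, x94 with all four classes), which is the "order of
    magnitude per character" the slides refer to.
    """
    size = sum(CLASS_SIZE[c] for c in char_classes(pw))
    return len(pw) * math.log2(size) if size else 0.0


def normalize(pw):
    """Undo the common substitutions and case so P@$$w0rd becomes password."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in pw).lower()


def assess(pw, min_length=12, min_classes=3):
    """Return the list of best-practice findings; an empty list means it passes."""
    findings = []
    if len(pw) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if len(char_classes(pw)) < min_classes:
        findings.append(f"fewer than {min_classes} character classes")
    if normalize(pw) in DICTIONARY:
        findings.append("dictionary word once substitutions are undone")
    return findings


if __name__ == "__main__":
    for pw in ("rB'jEDLof-(Wz8S", "P@$$w0rd", "letmein", "qwerty"):
        print(f"{pw!r}: {search_space_bits(pw):.1f} bits, findings={assess(pw)}")
```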
Password Best Practices (cont’d)
• Use a random password generator to suggest strong passwords
• Online random password generators, browser or app password generators
• Use a password manager to keep track of multiple or complex passwords
• Makes it easier to follow password best practices
• Use an online site or app to test password strength
• Periodically check to see if your password has been compromised/appeared in a breach
Biometrics
Diagram: biometric types include DNA, fingerprint, facial geometry, keystroke dynamics, signature dynamics, voice/speech, hand geometry, retina, iris, and finger vein
Biometric methods vary widely in strength, reliability, adoptability, and false acceptance rate (FAR) / false rejection rate (FRR) errors
Multifactor Authentication
• A preventive technical control
• Requires two or more authentication factors
• Users are prompted during the sign-in process for an additional form of identification
• E.g. code on their cellphone or a fingerprint scan
• Cannot simply be two authentication methods of the same factor type
• A password + a PIN is not MFA
• The additional factor is not easy for an attacker to obtain or duplicate
• Examples:
• Smart Card + PIN
• Password + one-time code sent to phone
• Password + biometrics
• FIDO2 YubiKey + fingerprint
Authentication Considerations
• When choosing an authentication solution, you must balance
strength with usability
• Consider adoptability, performance degradation, complexity to implement
and maintain, and other costs
• An ID badge with name and picture is considered to be an
identification method, but not an authentication method
• Even a strong, complex password can still be stolen and used
• Or in some cases its hash can be used
• Biometrics are very strong, but still considered to be only single factor
• Strong MFA is generally preferred over biometrics alone
Authentication Considerations (cont’d)
• DNA is currently the strongest, most reliable biometric authentication
type
• Retina was once considered the best, but it is also the most invasive, and eye
vein patterns can change over time due to disease or other health issues
• Iris and fingerprint biometrics have been widely adopted
• Strong, reliable, and convenient
• One-time passcodes sent to your phone are considered “something
you have”
• You have to possess the phone to receive the passcode
• SMS is very convenient, but also the least secure MFA second factor
• It’s sent in clear text, can be intercepted or redirected, and a SIM can be
swapped/duplicated
Single Sign-on (SSO)
• Authenticates a single credential across multiple systems
• Systems can be within a single organization, or across federated organizations
• Makes it easier for users to do their job
• They no longer have to remember multiple passwords
• Reduces the amount of time IT spends on password resets
SSO Mechanisms
• Kerberos
• For authentication between trusted directory service domains
• Used by Active Directory and Linux Kerberos realms
• Open Authorization (OAuth)
• An authorization framework
• Allows resource owners to authorize third-party access to their server resources without providing credentials
• Commonly used as a way for Internet users to grant websites or applications access to their information on other websites
• But without giving them the passwords
OAuth Example
SSO Mechanisms (cont’d)
• Security Assertion Markup Language (SAML)
• Provides authentication by a trusted third party
• Identity provider (IdP) (Microsoft, Google, Apple, Facebook, Amazon, Okta, Salesforce, etc.)
• Service provider (SP) (Gmail, Box, any site that lets you log on using someone else’s authentication)
• OpenID Connect (OIDC)
• Provides both authentication and authorization
• Built upon OAuth
• Allows users to sign on to an application through a trusted third party such as
Google, Apple, Microsoft, Facebook, etc.
• Simpler and more lightweight than SAML
• Starting to replace SAML
SAML and OIDC Example
Diagram of the login flow between the user, the Service Provider (site you want to go to) and the Identity Provider (trusted third party):
1. The user requests access to a resource at the Service Provider
2. The unauthenticated request is sent to the Identity Provider
3. The Identity Provider displays its login page and the user enters credentials
4. The credentials are sent for verification against the Identity Provider’s user database, which returns the verification status
5. The Identity Provider sends its response to the Service Provider
6. The user receives access to the resource
SAML and OIDC Analogy
Federation Identity Management (FIM)
• The establishment of a trusted relationship between separate
organizations and third parties, such as application vendors or partners
• Enables single sign-on across company lines
• Allows organizations to share identities and authenticate users across
domains
• When two domains are federated, a user can authenticate to one domain and then
access resources in the other domain without having to perform a separate login
process
• May rely on a trusted third party to store the user’s credentials and provide them to
the requested resources or services without exposing them
• Achieved through the use of standard protocols like SAML, OAuth, OIDC
and SCIM
• SCIM - standardizes automatic user provisioning across domains
Question
• You are configuring authentication for a SaaS application
• You would like to reduce the number of credentials employees need to maintain
• You prefer to use domain credentials to access new SaaS applications
• Which of the following methods would allow this functionality?
• MFA
• PEAP
• SSO
• LEAP
Question #2
• A global company is experiencing unauthorized logins due to credential theft and account lockouts caused by brute-force attacks
• The company is considering implementing a third-party identity provider to help mitigate these attacks
• Which of the following would be the BEST control for the company to require from prospective vendors?
• SSO
• Complex passwords
• MFA
• Federation
Question #3
• You notice that several users are logging in from suspicious IP addresses
• After speaking with the users, you determine that they did not actually do this
• You reset the affected users’ passwords
• What should you implement to prevent this type of attack from succeeding in the future?
• MFA
Question #4
• During the onboarding process, an employee needs to create a password for an
intranet account
• The password must include ten characters, numbers, and letters, and two special
characters
• Once the password is created, the company will grant the employee access to
other company-owned websites based on the intranet profile
• Which of the following is being used to grant access?
• Federation
• Identity proofing
• Password complexity
• Default password changes
• Password manager
• Open authorization
Question #5
• You are considering various types of multifactor authentication mechanisms for your mobile devices including:
• SMS
• TOTP (Time-based One-Time Password)
• HOTP (HMAC-based One-Time Password)
• token keys
• Which of these choices is considered to be the least secure?
• SMS
Question #6
• Which of the following biometric authentication methods is the MOST accurate?
• Iris
• Voice
• Fingerprint
• Retina
• Facial geometry
Question #7
• You intend to create a user identity federation between two organizations using SAML
• When done, what service will this provide for users?
• SSO
Question #8
• You want to protect the company's VPN by implementing multifactor authentication that uses:
• Something you know
• Something you have
• Something you are
• Which of the following would accomplish your goal?
• Username, password, one-time SMS
• Push notification, face scan, voice command
• Password, authentication token, thumbprint
• One-time email, password, authentication token
Access Management
Access Control Concepts
Permission assignment
• The process of granting or denying access to resources based on the user's identity, role, and/or need
Mandatory Access Control (MAC)
• To gain access to a resource, a subject's clearance level must match or exceed the object's sensitivity level
• Enforced by the system from a central policy; the resource owner cannot override or loosen it
Discretionary Access Control (DAC)
• The resource owner can grant and change permissions at their discretion
Role-based Access Control (RBAC)
• Simplifies permissions management
• A role is assigned permissions
• Users are then assigned to (or unassigned from) a role
• In Windows, roles are typically implemented as security groups
Access Control Concepts (cont'd)
Rule-based Access Control (RuleBAC)
• Each request is checked against a rule set, regardless of subject or access history
• Typically used by firewalls and packet-filtering routers
Attribute-based Access Control (ABAC)
• Uses dynamic characteristics (attributes), rather than roles alone, to approve access
• Examples: age, job title, manager, location, time of day, device used
• Lets you secure access on a contextual, fine-grained basis
Time-of-Day Restrictions
• Helps mitigate insider threat behavior
• Example: a user has no business need to access this resource in the middle of the night
Least Privilege
• AKA "Need to Know" or "Need to Do" access
• Users, accounts, and applications should only be granted the permissions absolutely necessary to perform their job
• No extra privileges beyond the minimal set should ever be assigned
Access Control Concepts (cont'd)
Privileged Access Management (PAM)
• The process of entrusting select users with elevated (privileged) access to business-critical resources
• Privileged users are typically administrators
• In the case of task-specific access, once the task is done, the access provided to the user is revoked
Geo-fencing
• Granting logical access based on a user's physical location and proximity
• Typically uses the user's phone location services
• Can be used to:
• Instruct the phone to disable camera, mic, and other features when the user enters a secure area
• Alert a manager when a user accesses or leaves an area
Access Life Cycle
• Users request access
• Access is approved and granted
• Resource access is scoped to specific users
• Access is reviewed and revised
• User access is revoked after the project ends
• This entire process should be as automated as possible
Attestation
• AKA access certification, automated micro-certification, user entitlement
review
• Helps manage access lifecycle
• A manager or resource owner periodically reviews and approves a user’s
access to the resource (data, application, system, platform)
• Validates that the user still requires—or no longer requires—access
• User often has to justify why they (still) want access
• If access is considered unnecessary, then it is removed
• Usually performed as a scheduled, automated workflow
• Meant to be as convenient as possible
• Parties receive emails and just have to click buttons/type a few words
Privileged Access Management (PAM)
• The process of entrusting select users with elevated (privileged) access to business-critical resources
• Privileged users are typically administrators
• Can put additional identity proofing and authentication requirements on privileged users/privileged access
• In the case of task-specific access, once the task is done, the access provided to the user is revoked
• Most IaaS cloud services offer PAM features
• PAM product examples:
• JumpCloud, BeyondTrust, ManageEngine, Okta, Delinea
Privileged Access Management Tools
• Just-in-time permissions (JIT)
• Access is limited to predetermined periods of time, on an as-needed basis
• Helps minimize the risk of standing privileges that attackers can readily exploit
• Ephemeral credentials
• Dynamically generated credentials that are created at the moment they’re
needed, then discarded afterward
• Target systems are accessed without the need for permanent access
credentials, explicit access revocation or traditional key management
• The user will not need to know the key
• Hardware- or biometric-based MFA
• In addition to a password, privileged users should also be required to use a
smart card, YubiKey, biometrics, or some other authentication factor when
accessing sensitive resources and tools
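The following is an added example, not code from the slide deck or from any PAM product: a small just-in-time privilege broker that issues a time-boxed grant backed by an ephemeral secret, refuses the grant once it expires or is revoked, and writes an audit trail. JitBroker and Grant are hypothetical names; a real PAM system backs this with a vault and hooks into the target systems. The clock is passed in as `now` so the expiry behaviour can be exercised directly.

```python
"""Added example (not from the slide deck): a just-in-time privilege broker that
issues a time-boxed grant with an ephemeral secret. JitBroker and Grant are
hypothetical names; a real PAM product backs this with a vault and hooks into the
target systems. The clock is passed in as `now` so the expiry logic is testable."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    user: str
    role: str
    expires_at: float      # UNIX time; after this the grant is dead even if never revoked
    secret_hash: bytes     # SHA-256 of the ephemeral secret; the secret itself is not stored
    revoked: bool = False


class JitBroker:
    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self.grants = {}          # grant_id -> Grant
        self.audit = []           # (time, event, detail): the access logging a PAM provides

    def request(self, user: str, role: str, approver: str, now: float):
        """Approve a time-boxed grant and return (grant_id, one-time secret).
        The secret is shown once; only its hash is kept."""
        if approver == user:
            raise PermissionError("self-approval of privileged access is not allowed")
        secret = secrets.token_urlsafe(32)
        grant_id = secrets.token_hex(8)
        self.grants[grant_id] = Grant(user, role, now + self.ttl,
                                      hashlib.sha256(secret.encode()).digest())
        self.audit.append((now, "grant", f"{grant_id} {user}->{role} approved by {approver}"))
        return grant_id, secret

    def authorize(self, grant_id: str, secret: str, role: str, now: float) -> bool:
        """A target system calls this on each use: the grant must exist, be unrevoked,
        unexpired, for the requested role, and the secret must match (constant time)."""
        g = self.grants.get(grant_id)
        ok = (g is not None and not g.revoked and now < g.expires_at and g.role == role
              and hmac.compare_digest(hashlib.sha256(secret.encode()).digest(), g.secret_hash))
        self.audit.append((now, "authz", f"{grant_id} role={role} ok={ok}"))
        return ok

    def revoke(self, grant_id: str, now: float) -> None:
        """Explicit revocation when the task finishes early."""
        if grant_id in self.grants:
            self.grants[grant_id].revoked = True
            self.audit.append((now, "revoke", grant_id))


if __name__ == "__main__":
    broker = JitBroker(ttl_seconds=600)
    gid, secret = broker.request("alice", "db-admin", approver="bob", now=1000.0)
    print("within TTL:", broker.authorize(gid, secret, "db-admin", now=1100.0))   # True
    print("after TTL:", broker.authorize(gid, secret, "db-admin", now=1700.0))    # False
```

Two design points worth noting: the user never needs to see a long-lived password (the secret is generated per grant and only its hash is retained), and there is no standing privilege to clean up, because an unrevoked grant simply stops working when `expires_at` passes.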
Question
• You want to allow users to access a folder based on their job responsibilities.
• You also want to apply the necessary access using a method that is relatively easy to use, and will not require additional software or cost
• What would be your best choice?
• Biometric readers
• Hardware tokens
• One-time passcodes
• RBAC
• Answer: RBAC (the other three are authentication mechanisms, not a way to assign folder permissions)
Question #2
• You want to implement strong controls over administrator/root credentials and service accounts including:
• Check-in/checkout of credentials
• The ability to use but not know the password
• Automated password changes
• Logging of access to credentials
• What should you use?
• A privileged access management (PAM) system
Question #3
• As part of annual audit requirements, the security team performed a
review of exceptions to the company policy that allows specific users the
ability to use USB storage devices on their laptops
• The review yielded the following results:
• The exception process and policy have been correctly followed by the majority of
users
• A small number of users did not create tickets for the requests but were granted
access
• All access had been approved by supervisors
• Valid requests for the access sporadically occurred across multiple departments
• Access, in most cases, had not been removed when it was no longer needed
• What should the company implement to ensure that appropriate access is
not disrupted but unneeded access is removed in a reasonable time frame?
• Attestation
Question #4
• You are developing a new initiative to reduce insider threats
• Which of the following should you focus on to make the greatest impact?
• Privileged access management
• Least privilege
• Mandatory access controls
• Time-of-day restrictions
Question #5
• You are thinking about granting logical access based on a user's physical location and proximity
• What solution offers this capability?
• Geo-fencing
Question #6
• An IT manager informs the entire help desk staff that only the IT manager and the help desk lead will have access to the administrator console of the help desk software
• What security technique is the IT manager setting up?
• Least privilege
Security Automation
• Automation and Scripting
• Orchestration
• Compliance Checklist
• Considerations
Automation
• The process of using software, hardware, or other tools to perform tasks
that would otherwise require human intervention or manual effort
• Can be used to:
• Provision user and device accounts
• Enable/disable access
• Monitor, audit and enforce security settings
• Alert security personnel of any changes or anomalies that may indicate a security
breach or compromise
• Improve the efficiency, accuracy, and consistency of security operations
• Reduce human errors and costs
• Scripting and templates are common components of automation
• Most cloud providers offer automation services and features
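As an added example (not the deck's own code, and not any vendor's API), here is what a user-provisioning script looks like when it is written to avoid the errors manual account creation introduces: every account gets exactly the groups its department maps to, malformed input is rejected rather than created, leavers and accounts the HR feed no longer lists are disabled rather than deleted, and running the script twice produces no second set of changes. The directory is an in-memory dict standing in for AD, LDAP or an IdP API; HR_FEED, ROLE_GROUPS and the username rule are constructed for the example.

```python
"""Added example (not the deck's own code): an idempotent user-provisioning routine
driven by an HR feed. The directory is an in-memory dict standing in for AD, LDAP or
an IdP API; HR_FEED, ROLE_GROUPS and the username rule are constructed for the example."""
import csv
import io
import re

ROLE_GROUPS = {                       # department -> least-privilege group set (assumed)
    "finance": {"all-staff", "finance-users"},
    "it": {"all-staff", "it-helpdesk"},
}
USERNAME_RE = re.compile(r"^[a-z][a-z0-9.]{2,19}$")   # reject anything that isn't a plain username

HR_FEED = """username,department,status
j.doe,finance,active
a.smith,it,active
old.admin,it,terminated
Bad User!,finance,active
"""


def plan_changes(hr_csv: str, directory: dict) -> dict:
    """Diff the HR feed against the directory and return the actions to apply.
    directory: {username: {"enabled": bool, "groups": set, "service_account": bool?}}"""
    actions = {"create": [], "disable": [], "fix_groups": [], "rejected": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(hr_csv)):
        user = row["username"].strip()
        dept = row["department"].strip().lower()
        status = row["status"].strip().lower()
        if not USERNAME_RE.match(user) or dept not in ROLE_GROUPS:
            actions["rejected"].append(user)          # never create an account from malformed input
            continue
        seen.add(user)
        wanted = ROLE_GROUPS[dept]
        current = directory.get(user)
        if status != "active":
            if current and current["enabled"]:
                actions["disable"].append(user)       # leaver: disable, do not delete (keeps audit trail)
            continue
        if current is None:
            actions["create"].append((user, sorted(wanted)))
        elif current["groups"] != wanted:             # correct drift, including extra privileges
            actions["fix_groups"].append((user, sorted(wanted - current["groups"]),
                                          sorted(current["groups"] - wanted)))
    # enabled accounts the HR feed no longer knows about are disabled too (orphans)
    for user, entry in directory.items():
        if user not in seen and entry["enabled"] and not entry.get("service_account"):
            actions["disable"].append(user)
    return actions


def apply_changes(actions: dict, directory: dict) -> dict:
    """Apply a plan to the directory; a second run of plan_changes is then empty."""
    for user, groups in actions["create"]:
        directory[user] = {"enabled": True, "groups": set(groups)}
    for user, add, remove in actions["fix_groups"]:
        directory[user]["groups"] = (directory[user]["groups"] | set(add)) - set(remove)
    for user in actions["disable"]:
        directory[user]["enabled"] = False
    return directory
```

Separating the plan from the apply step is deliberate: the plan can be logged or sent for approval before anything changes, which is what turns a one-off script into something an orchestration workflow can call.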
Orchestration
• The process of automating multiple tasks across different systems and applications
• Can help save time and reduce human error by executing predefined workflows and scripts
• Most cloud providers offer orchestration capabilities across their own, and other, platforms
Security Orchestration, Automation and Response (SOAR)
• A software solution that enables security teams to integrate and coordinate separate tools into streamlined threat response workflows
• Combines three software capabilities:
• Orchestration
• Enables security tools (firewalls, IDS, etc.) to work together and communicate to streamline the security process
• Automation
• Completes cybersecurity tasks without human intervention
• Response
• Can utilize automated or human response against threats
• Examples:
• Splunk SOAR, Palo Alto Networks Cortex XSOAR, Rapid7 InsightConnect, IBM Security QRadar SOAR
Compliance Checklist
• An administrative preventive control
• A document that lists the security requirements, standards, or best practices that an organization must adhere to
• Can help to ensure that the security settings on servers are aligned with the organizational policies and regulations
• The checklist by itself cannot detect if/when your compliance level changes
• You will need to complete the checklist on a periodic basis to ensure you remain compliant
• You can use automation to help complete the compliance checklist
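The bullets above describe the gap a checklist leaves: it cannot tell you when a setting changes. The following added example (not from the deck) closes that gap by expressing the checklist as code, so the same checks run against a fresh settings snapshot every day and any difference from yesterday's snapshot is reported as drift. The rule IDs, the baseline values and the host snapshots are constructed; in practice the snapshot would come from osquery, a configuration-management agent, or PowerShell/`sysctl` output.

```python
"""Added example (not from the slide deck): a compliance checklist expressed as code so
the same checks run on a schedule instead of by hand. CHECKLIST entries, baseline values
and the host snapshots are constructed; a real run feeds in osquery/agent output."""

# Each rule: (id, description, check(settings) -> bool). Missing keys fail closed.
CHECKLIST = [
    ("PW-01", "minimum password length >= 14", lambda s: s.get("min_pw_len", 0) >= 14),
    ("SSH-01", "root login over SSH disabled", lambda s: s.get("ssh_permit_root") == "no"),
    ("FW-01", "host firewall enabled", lambda s: s.get("firewall") is True),
    ("LOG-01", "logs forwarded to SIEM", lambda s: bool(s.get("syslog_target"))),
]


def evaluate(host: str, settings: dict) -> dict:
    """Run every checklist rule against one host's settings snapshot."""
    failures = [(rid, desc) for rid, desc, check in CHECKLIST if not check(settings)]
    return {"host": host, "passed": len(CHECKLIST) - len(failures), "failed": failures}


def drift(previous: dict, current: dict) -> list:
    """Settings that changed between two snapshots, as (key, old, new) tuples.
    This is what a daily automated run alerts on, whether or not the new value
    still passes the checklist."""
    keys = set(previous) | set(current)
    return sorted((k, previous.get(k), current.get(k)) for k in keys
                  if previous.get(k) != current.get(k))


def run(snapshots_yesterday: dict, snapshots_today: dict) -> dict:
    """Daily job: {host: settings} from both days -> per-host report."""
    report = {}
    for host, today in snapshots_today.items():
        result = evaluate(host, today)
        result["drift"] = drift(snapshots_yesterday.get(host, {}), today)
        report[host] = result
    return report


if __name__ == "__main__":
    yesterday = {"web01": {"min_pw_len": 14, "ssh_permit_root": "no",
                           "firewall": True, "syslog_target": "siem.corp.example"}}
    today = {"web01": {"min_pw_len": 14, "ssh_permit_root": "yes",
                       "firewall": True, "syslog_target": "siem.corp.example"}}
    for host, r in run(yesterday, today).items():
        print(host, "failed:", r["failed"], "drift:", r["drift"])
```

A host that is absent from yesterday's data is compared against an empty snapshot, so a newly built server shows every setting as drift on its first day; that is intentional, because a new host is exactly the one whose baseline needs a human look.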
Manual Audit
• The process of examining or reviewing the security settings on servers by human inspectors or auditors
• Can help to identify and correct any security issues or discrepancies on servers
• Is time-consuming, labor-intensive, and prone to human errors
• May not be feasible or practical to perform on a daily basis
• Should be used periodically to "spot-check" the work performed by automated tools
• You want to catch any errors caused by misconfiguration or other failures
Automation Considerations
• Automation adds complexity to your infrastructure
• An automated system, like any tool, might become a single point of failure
• If not selected and deployed carefully, automation can add to your technical debt
• Technical debt is a concept in software development that reflects the implied cost of
additional rework caused by choosing an easy solution now instead of using a better
approach that would take longer
• Technical debt can be compared to monetary debt. If technical debt is not repaid, it can
accumulate 'interest', making it harder to implement changes later on.
• Ongoing supportability
• Try to buy a solution that is future-proofed (can adapt to technology changes)
Automation Cost Considerations
As with any advanced technology, automation incurs cost at multiple levels
• Learning costs
• Never a one-time cost
• Learning is a recurring cost every time new features are added in a release and new team
members start working on the project
• Adoption costs
• Tooling mandated top-down, without buy-in from the people who must use it, rarely succeeds in the long run
• If the team on the ground doesn't embrace the tool, the journey to successful automation will be hard
• Maintenance costs
• Most of the time, any technological change demands a lot of rework, and the tool must
accommodate that
• A simple change (such as a different browser version) can sometimes break a script beyond repair
• Maturity costs
• How mature are the existing processes?
• How much value does automation add to an existing process?
Question
• You are creating a script that would save time and prevent human error when performing account creation for a large number of end users
• Which of the following would be a good use case for this task?
• Virtualization
• Attestation
• Orchestration
• Access control
• Answer: Orchestration
Question #2
• What should you do to a user's access when they leave the company?
• Disable it, preferably through automation
Question #3
• Which of the following is the best way to consistently determine on a daily basis whether security settings on servers have been modified?
• Automation
• Compliance checklist
• Attestation
• Manual audit
• Answer: Automation (a checklist cannot detect change by itself, and a manual audit is not practical daily)
Question #4
• You notice that new accounts that are set up manually do not always have correct access or permissions
• What automation technique could you use to streamline account creation?
• User provisioning script
Incident Response
• Disaster Recovery Plan
• Root Cause Analysis
• Threat Hunting
• Digital Forensics
Disaster Recovery Plan (DRP)
• An administrative, corrective control
• A set of policies and procedures that aim to restore the normal IT operations of an organization in the event of a major system failure, natural disaster, or other emergency
• All laid out in a single document
• Provides a clear and structured framework for recovering from a disaster and minimizing downtime and data loss
DRP Elements
• A risk assessment that identifies the potential threats and impacts to
the organization’s critical assets and processes
• A business impact analysis that prioritizes the recovery of the most
essential functions and data
• A recovery strategy that defines the roles and responsibilities of the
recovery team, the resources and tools needed, and the steps to
follow to restore the system
• A testing and maintenance plan that ensures the DRP is updated and
validated regularly
• A plan for how the DR team will communicate during the disaster and
recovery with:
• Each other
• Stakeholders
Incident Management
• Incident
• An event that could lead to loss of, or disruption to, an organization's operations, services or functions
• Can be anything from a failed hard drive or single security breach, to a major disaster
• Incident management
• Processes to identify, analyze, prioritize, and resolve security incidents and prevent future incidents
• The process of managing IT service disruptions and restoring services within agreed service level agreements (SLAs)
NIST Incident Response Lifecycle
(Figure: the four NIST SP 800-61 phases, Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity, drawn as a loop in which lessons learned feed back into Preparation)
Incident Management Preparation
• Be proactive: minimize impact when the incident actually happens
• Select people, assign roles, define tools to handle the incident
• Create an incident response playbook
• Ensure that anyone would be able to follow the playbook to restore operations
• Team members can include the incident manager, the incident coordinator, the technical lead, the communications lead, and the legal advisor
Incident Management Detection & Analysis
• Determine an incident has occurred
• Natural disaster, act of terrorism, IDS/SIEM/Log Analyzer/AV alert, someone makes a report, etc.
• Prioritize the incident
• Identify the priority (P) and severity (S) of the incident
• P and S on a scale of 1 – 3, 1 = highest, 3 = lowest
• Example: P1S1 = Major disruption that is felt company-wide; top priority
• Identify attack vectors
• Correlate events
• Maintain running documentation
• Notify appropriate stakeholders:
• Cybersecurity team, system owners, management, staff, legal department
• Have a communications plan to communicate with partners, law enforcement/regulators, the
news media, and the public
Analysis
• The process of understanding the source of an incident
• Involves collecting and examining evidence, identifying the root cause, determining the scope and impact, and assessing the threat actor's motives and capabilities
• Performed at least twice:
• After detection, but before containment/eradication/recovery
• During root cause analysis and lessons learned
• Helps the incident response team to:
• Formulate an appropriate response strategy
• Prevent or mitigate future incidents
Incident Management Containment
• Choose a strategy to limit the damage
• If you need to capture forensic evidence:
• Do not yet turn off the computer (volatile memory is lost at power-off)
• Allow the malicious process to continue for a while so you can study/capture its activities
• If the affected system is communicating with another system, allow it to think it is still on the network
• Leave it plugged into the switch, but isolate its segment/VLAN from the rest of the network
• Start the chain-of-custody record for anything you capture
• If you do not need to capture forensic evidence, then you can unplug/turn off the system
• Keep in mind that being in the middle of a disaster does not excuse you from maintaining regulatory compliance!
Incident Management Eradication & Recovery
• Remove the cause of the incident
• Patch, repair, replace, restore backups as needed
• Get systems back into production
• Monitor affected systems
Incident Management Post-Incident Activities
• Investigate the root cause of the incident using an RCA model and forensic tools:
• System logs, real-time memory, network device logs, application logs, etc.
• Post mortem / lessons learned
• Document what happened and why
• Transfer knowledge
• Improve controls to reduce future risk
Root Cause Analysis (RCA)
• The process of tracing a problem to its origin
• Helps people answer the question of why the problem occurred in the first place
• Seeks to identify the origin of a problem using a specific set of steps, with
associated tools, to find the primary cause of the problem, so that you can:
• Determine what happened
• Determine why it happened
• Figure out what to do to reduce the likelihood that it will happen again
• There are several popular models for RCA including:
• 5 Whys, Fishbone, Tree Diagram
• Don't let it happen again!
Root Cause Analysis - 5 Whys Example
Root Cause Analysis – Fishbone Method
Root Cause Analysis - Tree Diagram
Most Common Root Causes
• Physical causes
• Tangible, material items failed in some way
• For example, a car's brakes stopped working
• Human causes
• People did something wrong, or did not do something that was needed
• Human causes typically lead to physical causes
• For example, no one filled the brake fluid, which led to the brakes failing
• Organizational causes
• A system, process or policy that people use to make decisions or do their
work is faulty
• For example, no one person was responsible for vehicle maintenance, and
everyone assumed someone else had filled the brake fluid
Responsibilities of the Incident Response Team
• Manage security issues using a proactive approach and responding
effectively
• Develop and review processes and procedures
• Regularly review legal and regulatory requirements
• Provide a single point of contact for reporting security incidents
• Manage response to an incident
• Make sure all procedures are followed properly to minimize and control damage
• Review controls and recommend steps to update technology
• Identify and analyze the incident including impact
• Work with local law enforcement and government agencies, partners and
suppliers
Training
• Ensure users and the IT team know how to recognize, report, escalate, and respond to an incident in progress
• Make sure that everyone's role is clear, including:
• What to do/where to go during a disaster
• How and with whom to communicate
• Where to find/how to use emergency playbooks
• Make sure everyone knows the plan so well that when the incident actually occurs they automatically respond the way they're supposed to!
Testing
• Tabletop exercise / structured walk-through
• Simplest, easiest, requires least effort
• Usually performed by team leads
• Simulation
• A "fire drill" that most closely resembles a real emergency
Threat hunting
• The process of proactively searching for signs of malicious activity or compromise
in a network
• Rather than waiting for alerts or indicators of compromise (IOCs) to appear
• Can help identify:
• New tactics, techniques, and procedures (TTPs) used by malicious actors
• Hidden or stealthy threats that have evaded detection by security tools
• Requires a combination of skills, tools, and methodologies, such as hypothesis
generation, data collection and analysis, threat intelligence, red/blue teaming,
research, and incident response
• Can also help improve the security posture of an organization
• Provides feedback and recommendations for security improvements
Question
• Why should root cause analysis be included as part of incident response?
• To prevent future incidents of the same nature
Question #2
• What is required for an organization to properly manage its restore process in the event of system failure?
• DRP
Question #3
• You just found out that an unauthorized data spillage is occurring on someone's computer.
• It's not clear yet how this is happening
• You go to the computer, disconnect it from the network, remove the keyboard and mouse, and power it down
• What step in incident handling did you just complete?
• Containment
Question #4
• Stakeholders at an organization must be kept aware of any incidents and receive updates on status changes as they occur
• Which plan would fulfill this requirement?
• Communication plan
Question #5
• During an investigation, an incident response team attempts to understand the source of an incident
• Which incident response activity describes this process?
• Analysis
Question #6
• Malware is suddenly and rapidly spreading throughout your network
• So far, it appears that only older, unpatched versions of Windows are affected
• You are not sure which remaining systems may be vulnerable, so you run a vulnerability scan against the network to identify potential targets
• During which step of the response process are you performing this step?
• Eradication
Question #7
• Users from some of your locations are unable to access core network services
• Other users report no problems
• Your network appears to be under attack
• As a proactive measure, you quickly disconnect the switches that seem to be involved
• What should you do next?
• Initiate your incident response plan
Question #8
• A systems engineer thinks a business system has been compromised and is being used to exfiltrate data to a competitor
• The engineer contacts the CSIRT team
• CSIRT tells the engineer to immediately disconnect the network cable and to not do anything else
• What is the most likely reason for not shutting it down?
• Turning the power off will lose any evidence of running processes loaded into RAM
Question #9
• You learn about a new tactic malicious actors are using to compromise networks
• SIEM alerts have not yet been configured to detect this tactic
• What can you do to identify if this exists on your network?
• Threat hunting
Question #10
• Which of the following is the phase in the incident response process when you review roles and responsibilities?
• Preparation
• Recovery
• Lessons learned
• Analysis
• Answer: Preparation
Question #11
• A security manager created new documentation to use in response to various types of security incidents
• Which of the following is the next step the manager should take?
• Conduct a tabletop exercise with the team
Digital Forensics
• Artifacts
• Log Data
• Other Data Sources
• Legal Holds
Artifacts
• Any digital evidence that aids in the investigation of a security incident
• Can be in the form of log entries, files, running processes, scheduled tasks, open
ports, user accounts and more
• Be careful to not accidentally taint or destroy evidence:
• Isolate the network segment/VLAN that the device is on, rather than unplugging the device
from the network or turning it off
• Use forensic tools to create a bit copy of a drive or running volatile memory
• If you intend to use the evidence in a court of law, engage a digital forensic expert and law
enforcement so that:
• All procedures are properly followed
• Evidence remains admissible
Common Digital Artifacts
• Changes in file name, extension, size, hash, contents, digital signature, or metadata
• New files or folders
• Unknown file extensions
• Encrypted files
• Registry entries
• Running processes
• Scheduled tasks
• Network connections
• Open ports
• Changed local security policies
• Disabled or reconfigured host firewall
• Disabled or reconfigured antivirus
• New user accounts
• Contents of volatile RAM
Investigating Malicious Artifacts
Strange files, folders, file extensions, encrypted files
• What to check: file metadata for the creator's name and creation/last-access time; compare hashes to known-good values; security/audit logs that might list when the file/folder was last accessed and by whom
• Windows: file properties, Security event log, sigverif, HIDS/HIPS log
• Linux: ls -l; sha256sum (md5sum and sha1sum still appear in older baselines, but both hashes are collision-prone, so prefer SHA-256 for new manifests)
Hidden files
• What to check: whether the file system reports any hidden files; the difference between reported available disk space and the total size of all files
• Windows: dir /a, or a commercial tool to find hidden files
• Linux: ls -a, du, df -a
Investigating Malicious Artifacts (cont'd)
Running processes
• What to check: system performance levels (is CPU, RAM, disk or network utilization unexpectedly high?); the owning files of unusual or resource-consuming processes
• Windows: Task Manager, Resource Monitor, Performance Monitor, Get-Process
• Linux: top, ps
Open ports and network connections
• What to check: unexpected open ports and connections; the owner PID and source file of each open port
• Windows: netstat -naob (run from an elevated prompt so the -b owning-executable column is populated)
• Linux: netstat -na, or ss -tulpn on systems where netstat is no longer installed
Registry entries
• What to check: new registry keys or changed values
• Windows: Registry Editor (regedit), reg query
Investigating Malicious Artifacts (cont'd)
User accounts
• What to check: any new user accounts, and the groups they belong to
• Windows: Get-LocalUser, Get-LocalGroupMember Administrators, net user, net localgroup administrators
• Linux: getent passwd, cat /etc/passwd
User logins
• What to check: when an account last logged on; who is currently logged on
• Windows: Task Manager Users tab, query user /server:localhost, Get-LocalUser | Format-List (shows LastLogon)
• Linux: lastlog and last (/var/log/lastlog and /var/log/wtmp are binary, so read them with these commands rather than cat), who
Scheduled tasks
• What to check: Windows tasks; Linux cron jobs and systemd timers
• Windows: Task Scheduler, Get-ScheduledTask
• Linux: cat /etc/crontab, ls /etc/cron.d, crontab -l for each user, systemctl list-timers
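The first row of the table ("compare hashes to known good values") is easiest to act on when the known-good values already exist, so the following added example (not code from the deck) builds a SHA-256 manifest of a directory tree, hidden files included, and diffs a later scan against it to report modified, new and missing files, flagging new executables separately. The `demo()` function constructs its own sample tree in a temporary directory and tampers with it the way an intruder might; paths, extensions and the tampering are all invented for the example.

```python
"""Added example (not the deck's code): build a SHA-256 manifest of a directory and diff
it against a known-good manifest. SHA-256 is used instead of MD5/SHA-1 because both of
those are collision-prone. The sample tree in demo() is constructed for the example."""
import hashlib
import os

SUSPICIOUS_EXT = (".exe", ".dll", ".ps1", ".scr", ".vbs", ".js")   # assumed watch list


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """{relative path: {"sha256", "size"}} for every regular file under root.
    os.walk lists dotfiles too, so hidden files are covered; symlinks are skipped."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a known-good manifest and a fresh scan."""
    result = {"modified": [], "new": [], "missing": [], "new_executables": []}
    for rel, meta in current.items():
        if rel not in baseline:
            result["new"].append(rel)
            if rel.lower().endswith(SUSPICIOUS_EXT):
                result["new_executables"].append(rel)
        elif meta["sha256"] != baseline[rel]["sha256"]:
            result["modified"].append(rel)
    result["missing"] = [rel for rel in baseline if rel not in current]
    for key in result:
        result[key].sort()
    return result


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, and report."""
    import tempfile
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "svc.exe"), "wb") as f:
        f.write(b"original service binary")
    with open(os.path.join(root, ".profile"), "w") as f:
        f.write("export PATH=/usr/bin\n")
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("meeting notes\n")
    baseline = build_manifest(root)
    # tampering: replaced binary, new script dropped next to it, hidden dotfile removed
    with open(os.path.join(root, "bin", "svc.exe"), "wb") as f:
        f.write(b"replaced service binary")
    with open(os.path.join(root, "bin", "update.ps1"), "w") as f:
        f.write("Write-Host 'placeholder'\n")
    os.remove(os.path.join(root, ".profile"))
    return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:16s} {paths}")
```

Store the baseline manifest somewhere the host cannot write to (a read-only share or the SIEM), otherwise an intruder who can replace the binary can also replace the hash it is checked against.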
Windows Task Scheduler Example
Linux Top Command Example
Log Data
• A fundamental source of digital forensic evidence
• To be fully effective, requires all devices to have synchronized clocks (NTP)
• Is at risk of tampering or deletion by an intruder who is covering their tracks
• Can produce huge amounts of data that is difficult to manually interpret
• Prefer to forward log data in real time from servers, network devices, and other important sources to a syslog/SIEM server
• Prefer to use a SIEM or some other log aggregator/analyzer to help aggregate, cross-correlate, and interpret the data
Log Data (cont'd)
• Log sources can include:
• Firewalls, routers, switches
• Applications
• Services (email, database, logon, file and print, etc.)
• Servers, workstations, endpoints
• IPS/IDS
• Log metadata is additional information included with each log entry
• Usually added as a tag to provide context to a log entry
• Aids in log searches and analysis
• Can include event ID, time stamp, source/provider, computer, keywords
Examining Server and Workstation Logs
• Windows
• Check Event Viewer
• Install Sysinternals Sysmon to log process creation, network connections, and other common threat events
• Linux
• Check the /var/log/ directory for existing logs (on systemd hosts, journalctl covers the journal as well)
• Use cat, less or tail commands to read the logfile contents
• Examples:
cat /var/log/syslog
less /var/log/syslog
tail -f /var/log/syslog
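Reading a log with cat or tail works for a handful of lines; the slide's own point is that real volumes need tooling. The following added example (not from the deck) is the smallest useful version of that tooling: it parses sshd authentication lines from syslog, counts failures per source address, and flags a source that succeeds after a run of failures, which is the case that needs immediate containment. The log lines are constructed in OpenSSH's syslog format, and the failure threshold is an assumption.

```python
"""Added example (not the deck's code): parse sshd auth lines from syslog and flag
brute-force sources, especially a success following failures. SAMPLE_LOG is constructed
in OpenSSH's syslog format; the threshold is an assumption."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar  5 09:12:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  5 09:12:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  5 09:12:05 web01 sshd[2204]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  5 09:12:06 web01 sshd[2204]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  5 09:12:08 web01 sshd[2204]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  5 09:12:10 web01 sshd[2210]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar  5 09:13:44 web01 sshd[2230]: Accepted publickey for deploy from 198.51.100.4 port 40010 ssh2
Mar  5 09:15:02 web01 sshd[2240]: Failed password for alice from 192.0.2.9 port 33001 ssh2
"""

# syslog timestamp, host, sshd[pid], then OpenSSH's "Accepted|Failed <method> for [invalid user] <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text: str) -> list:
    """Return one dict per recognised sshd auth line; unrelated lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_bruteforce(events: list, threshold: int = 5) -> dict:
    """Per source IP: failure count, usernames tried, and whether a success
    followed the failures. Sources under the threshold with no such success
    are dropped so the output is only what needs a human."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failures": False})
    for ev in events:                      # events are in log order, so "after" is meaningful
        s = stats[ev["ip"]]
        if ev["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(ev["user"])
        elif s["failures"] > 0:
            s["success_after_failures"] = True
    return {ip: {**s, "users": sorted(s["users"])} for ip, s in stats.items()
            if s["failures"] >= threshold or s["success_after_failures"]}


if __name__ == "__main__":
    for ip, info in find_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

Syslog timestamps carry no year or time zone, which is one reason the deck insists on synchronised clocks and on forwarding to a SIEM that stamps each event on arrival; if you correlate this output with a firewall log from another host, normalise both to UTC first.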
Event Viewer Example
Sysmon Example
Linux Syslog Example
Other Forensic Data Sources
• Windows Registry
• Can reveal system configurations and date/time stamps
• Windows Management Instrumentation (WMI)
• Can reveal stealthy APT backdoors and persistence mechanisms
• Recycle Bin / trash
• Can contain artifacts deleted by an intruder to cover their tracks
• Vulnerability scan output
• Can suggest possible points of entry that the attacker used
• Dashboards
• Can help correlate events from different sources
• Packet captures
• Copy of raw network traffic
• Analyze zero day attack mechanisms
• Recreate exfiltrated files including binaries
• Requires a sniffer in promiscuous mode, with a network tap or switchport spanning on the
segment you want to monitor
Registry Entry Artifact Example
(Figure caption: the perpetrator last connected to the "HolidayInnColumbia" SSID on November 5, 2014 at 7:03:02 am)
Legal Hold
• AKA litigation hold
• A notification sent from an organization’s legal team to employees instructing
them not to delete electronically stored information (ESI) or discard paper
documents that may be relevant to a new or imminent legal case
• Intended to preserve evidence and prevent spoliation
• The intentional or negligent destruction of evidence that could harm a party’s case
• A legal hold can be triggered by various events, such as a lawsuit, a regulatory
investigation, or a subpoena
Data Retention Policy
• An administrative control, enforced by a technical control
• A set of rules that defines how long data should be stored and when it should be deleted or archived
• Ensures information about customer transactions is archived for the proper time period
• Helps the organization to comply with legal and regulatory requirements, optimize storage space, and protect data privacy and security
• Specified by the legal and compliance team
• Implemented by the IT team
Chain of Custody
• An administrative control
• Also known as the paper trail or forensic link, or chronological documentation of
the evidence
• The procedure, documentation, tracking, and protecting of evidence on its
journey from a crime scene to the courtroom
• Protects evidence from contamination and tampering
• Documents details of each person who handled the evidence, date and time it
was collected or transferred, and the purpose of the transfer
• Demonstrates trust to the courts and to the client that the evidence has not been
tampered with
Chain of Custody Form Example
E-Discovery
• A form of digital investigation that attempts to find evidence that could be used
in litigation or criminal proceedings
• Encompasses all digital records including emails, chats/SMS/other messages, social media
posts, database records, or any other form of digital information
• The process starts by identifying potentially relevant electronically stored
information (ESI) sources, key witnesses or custodians, key timeframes, keywords,
and more
• Gathers all the different forms of digital information through a comprehensive
discovery process
• Consider using automated software or cloud services to help you sort through the
huge volumes of collected data
E-Discovery Process Example
Data Acquisition
• The gathering and recovery of sensitive data during a digital forensic investigation
• Produce a forensic image from digital devices and other computer technologies
• Ensure that all files and evidence related to the ongoing investigation have been properly identified
• Conduct an appropriate examination of the device or network in question
• Interview individuals involved in the network breach
• Properly preserve the evidence
• Maintain the data in the state in which it is found
• Allow no one to access the preserved evidence
• Later, you will be able to copy, examine, and analyze the evidence
Data Acquisition Methods
• Common techniques include:
• Bit-stream disk-to-image files
• The most common cybercrime data acquisition method
• Involves cloning a disk drive, which allows for the complete preservation of all necessary evidence
• Example programs include FTK, SMART, and ProDiscover
• Bit-stream disk-to-disk copies
• Used when it is not possible to create a disk-to-image file
• Certain parameters of the target drive (geometry, size) may differ from the source, but the file contents remain the same
• Logical acquisition
• Used to collect files that are specifically related to the case under investigation
• Typically used when an entire drive is too large to be copied
• Whichever method is used, read the source through a write blocker and record a cryptographic hash of both the source and the copy, so the copy can later be shown to be unchanged
Data Acquisition Example
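As an added example that is not part of the slide deck, the Python sketch below ties the Data Acquisition bullets to the Chain of Custody slide: it stands in for a disk-to-image tool such as FTK using plain file I/O, hashes the source before and the image after to prove the copy is exact, and appends each hand-off to a custody log whose stored digest later handlers re-check. The file names, custodian names and the SHA-256 check are assumptions, not content from the slides.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # stream in 1 MiB blocks so a large drive image never sits in RAM

def sha256_of(path: Path) -> str:
    """Hash a file (or block-device path) in chunks; the digest is the evidence fingerprint."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source: Path, image: Path) -> dict:
    """Bit-for-bit disk-to-image copy with plain file I/O (assumed stand-in for FTK or dd).
    Source is hashed before, image after; equal digests prove the copy is exact."""
    source_hash = sha256_of(source)
    with source.open("rb") as src, image.open("wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    image_hash = sha256_of(image)
    if image_hash != source_hash:
        raise RuntimeError("image digest differs from source; acquisition failed")
    return {"source": str(source), "image": str(image), "sha256": image_hash}

def custody_entry(log: Path, item: dict, custodian: str, action: str, purpose: str) -> None:
    """Append one record: who handled the evidence, what they did, when (UTC), and why."""
    entry = {"timestamp": datetime.now(timezone.utc).isoformat(), "custodian": custodian,
             "action": action, "purpose": purpose, **item}
    with log.open("a") as f:
        f.write(json.dumps(entry) + "\n")

def verify_custody(log: Path) -> bool:
    """Re-hash every image the log names; True only if none changed since acquisition."""
    entries = [json.loads(line) for line in log.read_text().splitlines() if line.strip()]
    return all(sha256_of(Path(e["image"])) == e["sha256"] for e in entries)

def demo() -> tuple:
    """Constructed run: image a sample 'drive', log custody, verify, then tamper; returns (before, after)."""
    work = Path(tempfile.mkdtemp())
    src, img, log = work / "drive.bin", work / "drive.img", work / "custody.jsonl"
    src.write_bytes(b"constructed sample disk contents\x00" * 4096)  # constructed sample data
    item = acquire_image(src, img)
    custody_entry(log, item, "Analyst A", "acquired", "imaging at the scene")
    intact = verify_custody(log)
    img.write_bytes(b"tampered")  # simulate mishandling of the image in transit
    return intact, verify_custody(log)  # (True, False)
```

On a real case the source path would be the device node of the suspect drive and the image would be written to write-blocked, dedicated media; the logging and re-hashing steps are unchanged.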
Digital Forensics Report
• Used to present evidence in a way the court deems admissible
• Plays an instrumental role in coordinating the work between multiple
investigators, law enforcement officers, administrative, and legal personnel
involved in the case
• Convey information that is coherent and simple to understand
• Focus on relevant, concrete facts
• Avoid complex technical jargon
• Structure the report with:
• Title, table of contents, case summary
• Evidence, objectives
• Steps taken during the investigation, tools used
• Relevant findings
• Recommended next steps
• Optional appendices, figures, and glossary
Digital Forensics Report Example
Question
• After a company was compromised, customers initiated a lawsuit
• The company's attorneys have requested that the security team initiate a legal hold in response to the lawsuit
• What action will the security team most likely be required to take?
• Retain any communications related to the security breach until further notice
Question #2
• You assist the legal and compliance team with ensuring information about customer transactions is archived for the proper time period.
• What data policy are you carrying out?
• Retention
Question #3
• You locate a potentially malicious video file on a server
• You need to identify both the creation date and the file's creator
• What can you do to obtain that information?
• Query the file's metadata
Question #4
• A company is under investigation for possible fraud
• As part of the investigation, the authorities need to review all emails and ensure data is not deleted
• What should be implemented to ensure that there are no time gaps in the handling of the evidence?
• Chain of custody
Question #5
• Law enforcement officials sent a company a notification that states electronically stored information and paper documents cannot be destroyed
• What occurred to require this?
• Legal hold
Question #6
• You suspect that a user did not complete some reports on time
• The user claims to have sent you the reports before, and as proof has included the reports in a new email message
• Although the reports seem to have the required date, you suspect that they were not truly sent at the time claimed
• What can you check to see if the submission is fraudulent?
• The email server logs
Question #7
• You want to monitor the company's servers for SQLi attacks and allow for comprehensive investigations if an attack occurs
• The company uses SSL decryption to allow traffic monitoring
• Which of the following strategies would best accomplish this goal?
• Logging all NetFlow traffic into a SIEM
• Deploying network traffic sensors on the same subnet as the servers
• Logging endpoint and OS-specific security logs
• Enabling full packet capture for traffic entering and exiting the servers
Question #8
• You need to obtain a sample of a malicious binary that was downloaded over HTTPS
• The malware is running in memory but was never committed to disk
• What should you do?
• Create an image of volatile memory (contents of RAM)