Cheat Sheet

For

CompTIA Security+ (SY0-701)

Version 1.0
2025 edition

Presented by
YMT Knowledge Sharing – Cyber Security

Human knowledge belongs to the world

CIA Encryption IAAA Hashing
Confidentiality: Ensuring only Encryption: transform data to unreadable format Identification: The thing that represent to you ( Username, User ID ) Hash: generates the unique value ( Checksum ) for data
authorized person can access to Encrypted data = Cipher text Authentication: proving that your legitimate or not ( Password, token, Hash not transform data to another format ( no like
asset Human readable data = Plain Text or Clear text fingerprint et c..) encryption)
Integrity: Ensuring Encryption requires key for encryption Authorization: privilege access level ( permission ) based on what your Hash is used for data verification
change/modification is valid or Key need to be secure and not expose to other role. Hash supports integrity
not Encryption provides confidentiality Accounting: recording your activities ( Logs file ) Famous hashes are MD5, MD4.SHA1, SHA2
Availability: Ensuring uptime to Two major elements of encryption are key and algorithm Username must be unique. Currently SHA2 and SHA3 are most secured
access Famous encryption algorithms: AES, RSA, RC4, ECC Shared account should not be used.
ECC is mainly used for mobile encryption Authorization should be granted based on the least privilege. Avoid MD5 and SHA-1 for cryptographic purposes. Coz of
message collision

Availability Message Collision: where two different inputs (messages) produce the same hash
Main purpose: Ensuring uptime and reducing down time as much as possible. value when passed through a cryptographic hash function
Must avoid SPOF ( single point of failure )
High Availability ( HA is redundant design for mission critical systems ). Encryption and hash different
Hard disk redundancy: RAID Encryption
RAID-0 = Stripping ( No Redundancy, 2 HDD required, Half data only can be recovered, Faster I/O ) Data + ( Key and Algorithm ) = Cipher text
RAID-1 = Mirroring ( Redundancy: yes, 2 HDD required, Full data can be recovered, slower I/O. Cipher text is not human unreadable format
RAID-5 = Stripping priority ( Redundancy: yes, 3 HDD required, full data can be recovered, good I/O performance, cost is high. Decryption
Server redundancy: Fail-over ( Passive ) and Clustering ( Active ) Cipher text + (Key + Algorithm) = Plain text
Fail-over = 1 server ( primary ) is running, another server is no running and prepare to be ready to replace when primary server is down. Plain text is the human readable format
Clustering = running multiple servers ( same service ) at the same time. If one server down, other will carry on, Load balancer is required) Algorithm is open. Key is most important element and without having the key no one can
Site redundancy decrypt the cipher text to plain text ( e.g like Password protection for Win Rar file ).
Cold site: Nothing but space and basic facility , recover time is the longest, cheap Hashing
Warm site: All infra facility to run application ( Server, Network devices, Rack, UPS etc ..) but no data Data + Hash Algorithm = Checksum of Data
Hot site: All facility + Data. But Data is not recent
Mirror site: Most redundant site ever, all is set. Infra facility + Recent Data ). Very expensive. Non-reputation
Rolling hot site: aka mobile site. Temporary small location like container space. Compact but enough facility for running core services. provides evidence for the existence of a message or transaction and ensures its contents
MAA site: Shared facility. cannot be disputed once sent.
Business Continuity Planning ( BCP ) = ensures company leaders can react quickly and efficiently to a business interruption. Can’t deny his action
Logs and digital signature supports for non-reputation.
Authentication type Defense in Depth
Something you know: What you know, the knowledge ( password, PIN code etc .. = aka layer Control
Something you have: What you have, the physical item! ( Card, Physical Token security! Using Main purpose: to detect and protect attack and incident.
Something you are: What you are, your body parts! ( finger-print, face scan, Iris etc .. ) multiple security Technical control: aka logical control, that technically detect and prevent attack and
MFA ( Multi-Factor Authentication ) – more then one authentication type ( Authentication should not be the same ). control in different incident. Engineer or technician must implement to run effectively. ( e.g firewall, IDS,
All critical systems must be used MFA for authentication. layer to protect the Anti-Virus ).
MFA → Are → Have → Known attack Managerial control: high level documents and procedures for security improvement. (
Information security policy, Data encryption policy etc .. ). GRC team and information
Control type ( Based on Function ) security management team normally write these policies.
Detective Control: Only monitor and detect the incident and intrusion , can’t prevent ( e.g CCTV, IDS etc .. Physical Control: To detect and prevent intruder entering. ( e.g Mantrap, CCTV etc ...
Preventive Control: Can prevent the incident and intrusion ( EDR, Firewall etc ..
Corrective Control: able to reverse the impact of that particular event ( e.g Backup, patching ) Zero-Trust Model
Deterrent Control: Discouragement or have attackers think twice about the attack that they’re planning (e.g Warning Banner, Guard Dogs ) Objective: ensuring that only authenticated and authorized entities can access
Directive Control: Instructions, Policy to be followed. (e.g Security Policy, AUP etc .. ) networked resources.
Compensating control: A temporary control that place to satisfy the requirement for a security measure that is deemed too difficult or Control Plane is the most important in Zero-trust model acting like Gatekeeper to monitor
impractical to implement at the present time. and restrict every access to our assets.
Deception Change Management
Honeypot is popular for deception to attacker Process of making sure changes are made smoothly and efficiently
Fake system that lures to attacker. and do not negatively affect systems reliability, security,
Honeyfile = the fake files in Honeypot (e.g password.txt, credential.txt confidentiality, integrity, and availability. Change Management is
Honeynet = a group of honeypots which are interconal in a network that simulates an entire preventive control
fake network that enables attackers to find fake servers, routers and firewalls.
Honeytoken = fake credentials that is given to attackers to track the malicious attackers.
Why using honeypot?
Ans: to study, analyze and deflect the hacking attempt, especially to zero-day attacks.
Caution: Legal issue
entrapment – illegal (lured into committing a crime ) DoS DDoS
Entrapment – Legal (capturing evidence of unauthorized access by someone who willingly
targets the system.) Attack from single IP Attack from multiple Ips (
Zombie Ips )
Security Through Obscurity (STO) Small scale Large
A security approach that primarily relies on secrecy for securing networks, systems, or scale
applications from unauthorized access. ( e.g changing ssh port from 22 to 2222 )
Weak and unreliable security method Easy to detect Hard to detect

DNS Sinkhole
Can redirect the user bad request ( Bad Domain URL) to sinkhole IP ( Control IP). Control: Block IP Control: DDoS mitigation
Corrective control and deception technique. system
Blackhole Route
Aka Null route Rollback plan: switch back to the secondary system, which at
Mainly used for DDoS attack mitigation. Redirect the DDoS traffic to blackhole IP. this point, you haven’t made any changes to.

Bot Zombie Botnet

Zero-Day Vulnerability
A bot is an automated program or script that A zombie is a compromised device (infected A botnet is a network of zombies A software flaw that is unknown to the vendor and lacks a patch,
performs specific tasks, which can be either by malware) controlled by an attacker without (compromised devices) controlled by an making it vulnerable to attacks.
legitimate (e.g., chatbots) or malicious. the owner’s knowledge. attacker (botmaster/herder). Zero-Day Exploit
A tool or technique used by attackers to actively exploit a zero-day
Change Management Freeze time: No Change happen! vulnerability before it is patched.
Change request: Should start from Product owner
CAB: Change Authorization Board, who authority to approve or reject change request Patch Management
Change should be tested in UAT first Patch management is the process of identifying, acquiring, testing, and deploying updates (patches) to
Change windows must be included in CR software and systems to fix vulnerabilities
Roll back plan: if something happen, go back to original state ( must be included in CR )
CAB aka Change Control Committee Patch Management Process
CAB main job: to balance the risk of not making the change versus implementing the change and having a problem. •Assessment: Evaluate the urgency and risk of unpatched vulnerabilities.
Every successfully changes must be recorded •Testing: Validate patches in a controlled environment to avoid disruptions.
owner is responsible for testing their systems and verifying that everything is working properly, after changes complete. •Deployment: Apply patches to production systems in a phased or prioritized manner.
Need to research and identify any of the stakeholders who might be affected by this change. ( Stakeholder - the •Verification: Ensure patches were applied successfully and address the issue.
individuals or departments that will be impacted by the change that you’re proposing. •Documentation: Maintain records of patches applied for compliance
Downtime need to be added in CR
 Threat type Pentest: hack to know the existing vulnerabilities Penetration testing Vulnerability Scanning
Script kitty: Beginner of hacking, uses hacking tools to make attack Need NDA before start pentesting
Hacker: skillful hacking, professional Scope is important
White Hat: Aka ethical hacker or Pentester, good guy, Hack for security improvement White box: provides full information to Pentester an active attack on the Vulnerability scans
Black Hat: Bad guy, hack for personal gain Black box: just share company name, Domain, least network to exploit passively scans and
Gay Hat: look for vulnerabilities in a system without the owner's permission or knowledge. If issues are information to pentester vulnerabilities, can assess identifies the existing
found, they report them to the owner, sometimes requesting a small fee to fix the problem. Gray box: partial information to pentester, ( e,g IP address, potential damages and the vulnerabilities and
APT: Entire government behind it, nation state sponsor (e.g Stuxnet ) Network map etc .. ) potential of the exploits misconfigurations.
Hacktivism: uses hacking techniques for political or social causes. Background check need to be done for pentest company being found
Insider: The highest risk, too much knowledge about organization structure and nature. Hard to control.
organized crime: motivated by profits, targeting high profile company, selling PII information in dark Vulnerability Scanning
web Can identify the missing updates, vulnerabilities, misconfigured security settings.
Intrusive scan: deep scanning, can identify much more info, can interrupt service, exploits the existing vulns.
DAST Vs SAST Vs SCA Vs Network-Based Vulns Scan Threat vector: aka attack vector, Non-intrusive scan: does not exploit vulnerabilities and does not disrupt service.
DAST: can identify app level vulns, web application vulns scan the methods to gain access to a Auth-Scan: need credential of system, can get more information and accuracy is high. inside the network, emulates an
SAST: can identify code level vulns, source code scan system insider attack.
SCA: can identify third party libraries and plugins’ vulns Non-Auth Scan : no need credential, less info than auth-scan. outside the network, emulates an outside attack
Network-based Vuln Scanner: can identify the vulnerabilities WSUS is a Microsoft tool that Agent Scan: Agent need to be installed, can get more reliable info, accuracy is high.
of operation system and misconfigurations. allows organizations to manage Vuln scan could impact service reliability, need to announce first to Product owner before scanning.
and deploy updates and patches Scan template can be used for specific vulns detection.
for Windows-based systems in a
Vulnerability, Exploit and Patch relation centralized manner Vulnerabilities
Race condition: when a system's outcome depends on the timing or sequence of multiple operations, allowing attackers to
Vulnerability A flaw or weakness in a system (e.g., software bug, misconfiguration). manipulate the process
Improper input handling: System can not properly validate data, allows for an attacker to create an input that is not
Exploit A tool, code or method attackers use to take advantage of the vulnerability expected.
Improper error handling: Error message that showing sensitive information.
Resource exhaustion: number of resources to execute an action are expended
Patch A fix or update provided by the vendor to close the vulnerability and stop exploits Memory leak: a program repeatedly allocates memory for temporary data but forgets to free it after use
Integer overflow: Large integer exceeds data storage capacity.
Buffer overflow: Too much data for the computer’s memory to buffer
Pointer dereference: : Failed deference can cause memory corruption and the application to crash
Exploit Vendor releases
Vulnerability Vulnerability DLL injection: Allows for the running of outside code
Developed by the patch to fix
Discovered close System sprawl: No proper asset inventory, allowing unsecure devices and systems to connect to the network
Hacker vulnerability Weak Cipher: Using insecure cipher for data encryption.

Aspect Hotfix Patch Service Pack

Purpose Urgent fix Regular update Comprehensive package

Scope Specific issue Multiple issues All previous fixes + features

Release Frequency As needed (urgent) Scheduled (e.g., monthly) Rare (e.g., once a year)

Testing Minimal Moderate Extensive

Examples Fix for critical bug Security patch Major OS update package
IDS: Detect attack, can’t prevent Aspect
Forward Proxy Reverse Proxy Transparent Proxy SOCKS Proxy HTTP Proxy
IPS: Detect and prevent attack
NIDS: Network-based
HIDS: Host-based ( can inspect encrypted traffic ) Intercepts traffic
Between the client Between the client Between the client Between the client
Detection Methods Position invisibly (in the
and the internet. and backend servers. and the internet. and the internet.
Signature-based: can detect known attacks, can’t detect zero-day (unknown middle).
attack) Filters and monitors Handles non-web Specifically handles
Heuristic/behavioral: Can detect zero-day attack by checking with Baseline. Hides the client’s Hides and protects
Purpose traffic without traffic (e.g., FTP, web traffic
Anomaly: Can detect unknown attack patterns. identity. the server.
awareness. SMTP). (HTTP/HTTPS).
Modes
Inline: connect to network and check the traffic in real time No client No client knowledge
Requires client Requires client Requires client
Passive: connect to switch and copy the traffic to monitor Client Knowledge configuration or configuration
configuration. configuration. configuration.
SPAN port in switch is used for passive mode. needed. required.
SPAN port = port mirroring
In-band: real time protection and blocking , Latency need to be considered Traffic Supported Mostly HTTP/HTTPS. Mostly HTTP/HTTPS. Mostly HTTP/HTTPS. Any type of traffic. Only HTTP/HTTPS.
Out of the band: Passive monitoring, can’t block the traffic, no latency issue.
IPS/IDS rules need to be tuned properly to avoid false positives.
Bypassing Load balancing, Content filtering, File sharing, Content filtering and
Application nature is key for IPS/IDS tuning. Use Case
restrictions, privacy. security for servers. monitoring traffic. torrenting, or gaming. web caching.

Router Load balancer DLP

For traffic routing to another network. A reverse proxy that distributes network or application traffic across a number of servers. Detect and prevent data leak to
ALC is used for basic access rule setup. Scheduling: Sends requests to servers using set rules. outside parties.
Should not use the default configuration. Affinity: Sends client requests to the same server based on the client's IP address. USB storage device, Email, FTP site
Anti-spoofing Round-robin: Sends requests in a predefined order. etc. ..
Rejects the packet that have invalid source addresses Active-passive: Some servers are not active and only go active to take excess traffic or if an active server fails. Network DLP: Sending sensitive
Active-active: All servers are actively processing requests data via email, FTP, HTTP
Virtual IPs: An IP address and a specific port number that can be used to reference different physical servers. Endpoint DLP: Copying files to
Switch Provides IP addresses that can float between two or more physical network nodes and provide redundancy. USB or taking screenshots
to connects devices together on a computer network. Cloud DLP: Unsecured sensitive
Port security: restricts the invalid devices ( MAC Address ) Wireless Access Point files in cloud storage
Loop prevention: uses STP, detecting and blocking redundant paths that can 802.11 Standard
cause broadcast storms Open Authentication = No Authentication = No Security SIEM
Flood guard protects against excessive network flooding by limiting the number Famous wireless auth protocols: WEP, WPA, WPA2, WPA3 Aggregation: Gathering the logs from different sources
of MAC addresses learned on a port. Cell sizing: Placement and Antenna positioning Correlation: Relating various events to identifiable patterns
Don’t use default configuration. SSID Hiding: Disable SSID broadcasting ( weak security ) Automated alerting and triggers: Sending alert when specific event
WEP and WPA are not secured trigger
WPS WEP uses small IV and easy to crack ( RC4 is used ) Event deduplication: Ensuring same event is not recorded over and
- To connect devices to a Wi-Fi network without needing to manually enter the MAC filtering: Restricts invalid MAC address over again
Wi-Fi password MAC spoofing can bypass MAC filtering WORM: Prevents alteration of logs and archives the source logs with
Push Button Method: Press a physical WPS button on the router and on the War driving: searching nearby Wifi network. write protection.
device to establish a connection InSSIDer, Aircrack, Netstumblers are famous war driving tools Time sync is very important for log correlation.
PIN Method: Enter an 8-digit PIN displayed on the router or device to connect War-chalking: symbols of wireless network
- Not Recommended for Sensitive Networks WPA/WPA2 Mode: PSK ( personal ) and Enterprise ( RADIUS server , AAA ) Zero Trust Network Access: Concept that "Never trust, always verify."
- PIN Method: Vulnerable to bruteforce attack Enterprise mode is most secure No implicit trust for any user/device, inside or outside the network
SSL/TLS accelerators Firewall Domain Name System Security Extensions (DNSSEC) : provides
Offloading processor-intensive public-key encryption for TLS or its SSL to a Uses ACL( Access Control List ) to restrict inbound and outbound traffic. validation for DNS responses by adding a Resource Record Signature
hardware accelerator. Handling multiple https requests for both encryption Filtering: IP, Port, Application (RRSIG)
and decryption. Next Gen Firewall = L7 firewall ( can filter app ) RRSIG : provides data integrity and authentication and helps prevent
SSL decryptors Traditional Firewall = L3/L4 ( Port and IP ) DNS poisoning attacks.
Decrypts SSL/TLS traffic for inspection. Throughput is the max traffic that can inspect in second
HSM UTM = All in one security box, including ( URL filtering, Malware inspection, Dynamic ARP Inspection (DAI): ensures that only trusted ARP replies
Ensures keys are securely generated, stored, and used in cryptographic Firewall, Web security etc .. are accepted, blocking spoofed or malicious ARP traffic ( prevent ARP
operations without exposing them to untrusted system. UTM throughput is low spoofing and poisoning attack )
NGFW throughput is high
Feature TPM HSM Implicit deny last rule in an ACL that indicates that, "all traffic that isn't explicitly NetFlow is a feature on many routers and switches that can collect IP
allowed is implicitly denied traffic statistics
Stateful Firewall: Smart and remembers connections ( state table )
Data Small Bulk Stateless Firewall: Simple, fast, and works on fixed rules ( Rules ) SASE is a cloud-based security framework that combines networking
Encryption and security services to deliver secure and fast access to applications,
Zoning
Public: open to all (e.g web server ) no matter where users are locate
Cryptographic Small Large
Private: only accessible to internal network, sensitive info ( e.g DB, File server ) SASE = Networking + Security in the Cloud
power
DMZ: buffer zone between the public and private networks, limited access (e.g email server, reverse
Scalability Scalable for Mail gateway
proxy )
Not scalable enterprise Monitoring incoming and outgoing emails. Mail gateway can support the
Two firewalls use for zone segmentation.
needs following features
Extranet: Private network that can only be accessed by authorized individuals. Links a company with
- Spam filter
its suppliers and customers
Scalable for Built-in Device Additional - DLP
Intranet: Network that exclusively for the use of the members of the organization, cannot be
enterprise ( Motherboard ) Appliance - Malware check.
accessed by anyone outside the organization
needs
AirGap: Physically isolated network, high end security
Feature FED SED
Personal high-security
Computer vault for Secure boot: ensures that only trusted software components (e.g., OS loaders, firmware) are loaded
managing and during boot and preventing malicious files. Encryption Method Software Hardware
performing Attestation: verifies and reports that the device is in or has remained in a trusted state during or after
Usage
cryptography the boot process
at an local attestation, a security agent running on the system verifies the measurements against known Performance Impact High Low
organizational good values
scale remote attestation, the signed report is sent to a verifier (e.g., a cloud service, administrator server)
Cost Low High
NAC Application Whitelisting: Applications allowed on the system, the rest of them is denied.
Enforcing security policies on devices that access Application Blacklisting: Applications denied on the system, the rest of them is allowed.
networks. Sandbox: Activity monitoring in isolated area. Mainly uses for malware
Compliance fail need to go to remediation center to analysis.
System hardening: disables unnecessary services/ports/functions to be secured. Avoiding default
be fixed.
configurations ( e.g Default username and password. FIM : Continuously monitoring and comparing files and directories for
Posture Checking (or) Health Check
Golden image : aka Master image, already hardening OS image ( e.g USGCB/CIS ) changes to ensure their integrity
Agent base NAC: Device need to install agent
Dissolvable agent: Disappears after reporting
Data execution prevention (DEP): Memory regions are marked as non-executable which prevents NAT (Network Address Translation): Translates private IP addresses
information to the NAC device.
code from being executed. Can prevent buffer overflow attack into public and public IP addresses to private.
VLAN: Separate areas are segmented for different networks, but still
Protocol analyzer
Web application firewall : to detect web application attacks like SQL injection, XSS etc .. housed on the same switch
Can be hardware or software that can that captures
VLAN Hopping Attack: where an attacker tricks a switch into sending
packets to decode and analyze their contents. Aka
Jump servers: placed between different security zones and provide secure access from devices in traffic from one VLAN (Virtual Local Area Network) to another. Port
Packet sniffer.
one zone to devices in the other zone security must be used.
Famous Protocol analyzer: Wireshark, Tcpdump
 Chain of Custody : ensures that evidence is properly handled, documented, and preserved from the time it is collected until it is presented in legal or investigative
Reconnaissance: aka foot printing, gathering information proceedings
about targeted system.
Active Recon: Directly involved with targeted system, sending Step Description
data and understanding the response ( e.g port/vulns scanning
). Easy to be detected, result accuracy is high.
Passive Recon: Not directly touch the systems, sniffing, Identificatio Determine what constitutes evidence (e.g., logs, devices, files).
gathering already available information ( e.g whois, social n
network ). Hard to detect, result accuracy is low.
Collection Collect the evidence carefully using appropriate tools and techniques
to avoid contamination
Vulnerability Scanning: Detecting existing vulnerabilities to be
exploited Documentati Record details such as who collected the evidence, the time, date,
on location, and description of the evidence
Exploitation: Using exploit to take advantage of a vulnerability
or weakness in a system, application, or network to gain Storage Secure the evidence in a tamper-proof and secure location
unauthorized access.

Privilege Escalation: Allows for a normal user privilege to get a Transfer Document each time the evidence is transferred, including who
higher-level access. received it, why, and when.

Analysis Ensure that forensic analysis is performed by authorized individuals

Pivot: Aka Island hopping, using a compromised machine to and is documented.
attack other machines on the same network.
Presentation Present evidence in a way that retains its integrity and complies with
Persistence: To maintain unauthorized access to a legal standards.
compromised system or network over an extended period
Installing Backdoor, running the malicious task using task Kill Chain Step Definition Controls to Mitigate
schedular ( corn in Linux ), adding malware in registry startup. Reconnaissance Researching and identifying targets, gathering information. - Network segmentation
- Threat intelligence
Aspect Vertical Horizonal - Employee awareness training
Escalation Escalation
Weaponization Preparing a payload (e.g., malware) to exploit vulnerabilities. - Secure development lifecycle (SDL)
Privilege Level Gains higher Maintains the - Malware detection tools
privileges same privilege
level Delivery Transmitting the payload (e.g., phishing, USB drops). - Email filtering
- Endpoint protection
Objective Gain admin or root Impersonate or - USB port control
access act as another
user Exploitation Exploiting a vulnerability to execute malicious actions. - Regular patching
- Vulnerability management
Covering tracks in hacking refers to the methods attackers use - EDR (Endpoint Detection and Response)
to erase evidence of their activities to evade detection and
forensic analysis. Installation Installing malware or a backdoor for persistence. - Application whitelisting
e.g Log Deletion, Log manipulation - File integrity monitoring

Command and Control (C2) Establishing communication with attacker-controlled systems. - DNS filtering
Store logs in a secure, remote location (e.g., SIEM solutions) to - Anomaly-based monitoring
prevent tampering - Network segmentation
Anti-Forensic: Techniques and tools used by attackers to Actions on Objectives Performing the intended attack (e.g., data exfiltration, - Data loss prevention (DLP)
obstruct, delay, or prevent forensic investigators from gathering destruction). - Continuous monitoring
evidence of their activities - Incident response plan
Vulnerability assessment Physical Pen Testing Snapshots to capture data for forensic analysis
to assess the security posture of systems and networks, Tests physical security controls ( e.g Bypassing locks, doors, guards ) Artifacts are pieces of data on a device ( web history, Recycle bin etc .. )
identifying vulnerabilities or weaknesses within systems,
networks, and organizations Offensive Pen Testing Legal Hold: A legal instruction to preserve all relevant data for a pending
Vuln assessment is one of the risk management plan. Simulates real-world attacks from an external/internal hacker investigation or lawsuit.
(Breaking systems like a hacker)
Common Vulnerabilities and Exposures (CVE) : a dictionary of E-Discovery : The process of identifying, collecting, and reviewing
publicly known security vulnerabilities and exposures. Funded by Defensive Pen Testing digital evidence for legal use.
the U.S. government Focuses on blue team response & resilience (e.g Testing detection &
response ) Chain of Custody : A documented record showing who handled
Vulnerability scanner: can identify a wide range of weaknesses evidence, when, and how, to ensure integrity (Tracks who touched the
and known security issues that attackers can exploit Integrated Pen Testing Combines offensive + defensive testing (e.g evidence )
Red team attacks vs. Blue team defenses (Purple Team) Admissibility: The legal acceptability of evidence in court—must be
SCAP : automate and standardize security compliance checks, reliable, relevant, and obtained properly. (Is the evidence allowed in
making it easier to ensure systems follow best practices. Rules of Engagement (RoE) court? )
Developed by NIST A formal agreement that defines how a penetration test or security
assessment will be conducted. Windows Log info
Credentialed scan - System: OS events (e.g., driver failures).
Uses valid credentials to log in to systems Key Elements: - Application: App-level events.
Deep Scan (sees inside OS & software configs) Scope – What systems, IPs, and services can be tested - Security: Login/logout, file access (important for auditing).
More accurate – fewer false positives Timing – When testing can occur (e.g., business hours only) - Setup: OS install/setup logs.
Limitations – Actions not allowed (e.g., no DoS attacks) - Forwarded Events: Logs from other systems
Non-Credentialed Scan Emergency Contacts – Who to call if issues arise
No login; scans from outside like a hacker would Authorization – Proof that testing is approved by management Linux Logs
Surface-level scan Data Handling – How sensitive data will be treated •Location: Stored in /var/log/
More false positives and false negatives •Common Log Files:
Intrusive = Tests by exploiting or changing things, Test real-world •/var/log/syslog or /var/log/messages: System events.
impacts of vulnerabilities, May cause disruptions or crashes •/var/log/auth.log or /var/log/secure: Authentication attempts.
Non-Intrusive = Looks only, does not modify systems, Identify •/var/log/kern.log: Kernel messages.
weaknesses without risk, Safe •/var/log/dmesg: Boot process logs.
•/var/log/faillog: Failed login attempts.
Common Vulnerability Scoring System (CVSS) : assesses
vulnerabilities and assigns severity scores in a range of 0 to 10, with 10
being the most severe and helping security professionals prioritize their
OSINT – Open-Source Intelligence work in mitigating known vulnerabilities. ( 10 is highest, 0 is lowest.
The process of gathering publicly available information from legal, open
sources for intelligence or security purposes Digital forensics techniques when collecting information after an
incident to prosecute a crime
Responsible Disclosure Programs
A formal process for security researchers to report vulnerabilities to an
organization ethically and legally.
Acquisition and Preservation : follow specific procedures to ensure
that the data is not modified.
Bug bounty
A responsible disclosure program that incentivizes individuals or Order of volatility : to the order in which you should collect evidence,
organizations to report vulnerabilities by offering monetary or should collect evidence starting with the most volatile and moving to
other rewards for valid submissions. the least volatile
(Cache > RAM > Swap > Drive > Network)
Virus An unsolicited and unwanted malicious program. Phishing Sending a false email pretending to be legitimate to steal valuable information from the user, Fake
website login
Crypto-malware A malicious program that encrypts programs and files on the computer in order to Spear Phishing Phishing attack but target to specific group
extort money from the user

Ransomware Denies access to a computer system or data until a ransom is paid Whaling Phishing attack but target to high position/profile person ( e.g CEO )

Worm A self-contained infection that can spread itself through networks, emails, and Vishing Phishing Attack via phone call ( VoIP )
messages

Trojan A form of malware that pretends to be a harmless application Smishing Phishing via SMS or text messages

Rootkit Runs in kernel mode, uses for evade, hard to remove Pretexting

Keylogger Saves all the keystrokes of the infected machine Impersonation Taking on the identity of an individual to get access into the system

Adware A program that produces ads and pop ups using your browser, may replace the Tailgating Following authorized personnel into restricted areas without proper credentials
original browser

Spyware : Software that installs itself to spy on the infected machine, sends the stolen Dumpster diving Going through a business’s or person’s trash to find thrown away valuable information or
information over the internet back to the host machine possessions
Bots AI that when inside an infected machine performs specific actions, for DDoS Shoulder surfing Watching as a person enters information
especially.

Watering Hole Attack Watering hole attack targets a specific highly secured group by infecting a commonly visited
RAT (Remote A specific type of Trojan designed to provide attackers remote control over a system website by the group’s members
Access Trojan)

Logic bomb A malicious program that lies dormant until a specific date or event occurs. USB Baiting Attack Where attackers leave infected USB drives in public places to lure victims into plugging them into
their computers, leading to malware infections or data breaches
Backdoor Allows for full access to a system, persistence
Principle of Social Engineering
Authority: The actor acts as an individual of authority.
PUP Comes packaged with free or shareware applications, often installed without clear Intimidation: Frightening or threatening the victim.
user consent Consensus: Influenced by what others do, everyone else does it.
Scarcity: Limited resources and time to act. Familiarity: The victim is well known.
Dropper a program designed to install or "drop" other malicious payloads onto a target Trust: Gain their confidence, be their friend.
system. Urgency: Limited time to act, rush the victim.
Virus Hoax False information, that leads user to do some serious tasks.

Social engineering: Manipulation technique used by attackers to trick individuals into revealing sensitive
information or performing actions that compromise security.
Control: User Awareness Training
Man-In-the-Middle Attack intercepts communication between two parties to eavesdrop or alter data ( active or passive )

On-path Attack attacker positions themselves between two communicating parties to intercept, observe, or manipulate data being transmitted ( Passive only )

Buffer overflow Attack Sending the more data than its allocated memory buffer can handle, causing the excess data to overwrite adjacent memory.

DNS Poisoning Attack manipulates DNS records to redirect users from legitimate websites to malicious ones

ARP Poisoning Attack tricks a network's ARP cache into associating an attacker’s MAC address with the IP address of another device, like a gateway

Pharming Attack A pharming attack redirects users from legitimate websites to malicious ones by manipulating DNS settings or local host files

DNS Amplification Attack Exploiting open DNS resolvers to send large DNS responses

Domain hijacking Attack attacker gaining unauthorized control over a domain name, redirecting traffic or locking out the legitimate owner

Man-in-the-browser Attack a type of man-in-the-middle attack where malware infects a web browser, allowing attackers to intercept and manipulate browser activities without the user’s knowledge.

Replay Attack attacker intercepts and retransmits valid data or messages to gain unauthorized access or perform malicious actions

Pass the hash Attack attacker intercepts and retransmits valid data or messages to gain unauthorized access or perform malicious actions

Password Spray Attack attacker tries a few common passwords (e.g., "Password123", "Welcome2024") against many accounts

Clickjacking Attack attack tricks a user into clicking on something different from what they perceive, potentially triggering unintended actions or revealing sensitive information

Session hijacking an attacker steals a valid session token to gain unauthorized access to a user's active session on a website or application

URL hijacking AKA Typosquatting, registering domain names that are similar to legitimate websites in order to exploit user typing mistakes or misdirection to trick them into visiting malicious sites.

Shimming ( driver manipulation ) Attackers add a small piece of code (the shim) that intercepts and manipulates API calls or system operations, often enabling privilege escalation or evading security controls

Refactoring modifying or restructuring code to hide malicious activities, often without changing the program’s external functionality, making it difficult to detect by traditional security measures

IP Spoofing attacker sends a packet to a server with the source IP address of a trusted internal device, tricking the server into responding to the fake device

Evil Twin Attack attacker sets up a fake Wi-Fi access point that mimics a legitimate network, tricking users into connecting to it. Once connected, the attacker can intercept data or launch other attacks

Rouge AP an unauthorized wireless access point is installed on a network by an attacker, potentially allowing them to intercept, monitor, or manipulate network traffic.

Jamming Attack Sending RF signal, causing disruptions or complete failure in communication.

Deauth Attack an attacker sends deauthentication frames to a targeted device or access point, forcing legitimate users to disconnect from the Wi-Fi network.

Living off the LAND Attack attacker leverages existing system tools (e.g., PowerShell, Bash scripts, or Windows Management Instrumentation) to perform tasks like data exfiltration, privilege escalation, or persistence

Rainbow table attack crack password hashes by using precomputed tables that store hash values for many possible password combinations, allowing an attacker to quickly find the corresponding plaintext
password.

MAC Spoofing attacker changes the MAC address of their device to match that of a legitimate device on the network

Bluejacking Attack Bluetooth-based attack where an attacker sends unsolicited messages or content (like a text or contact card) to nearby Bluetooth-enabled devices

Bluesnarfing Attack Bluetooth-based attack where an attacker gains unauthorized access to the data on a Bluetooth-enabled device, such as contacts, messages, or calendars
Smurf Attack attacker sends ping requests to a broadcast address of a network using the victim’s IP address. All devices on the network reply to the victim, flooding their system with traffic

LAND Attack attacker sends a TCP SYN packet to the victim with both source and destination IPs set to the victim’s IP address, causing the victim to endlessly reply to itself

Ping of Death Attack attacker fragments a large packet into smaller chunks and sends them to a target. When the target attempts to reassemble the fragments into an oversized packet, it crashes.

VLAN Hopping Attack exploits vulnerabilities in Virtual Local Area Networks (VLANs) to gain unauthorized access to traffic on other VLANs, bypassing network segmentation and isolation

DHCP Starvation Attack Attacker generates thousands of DHCP requests with random MAC addresses, causing all IPs in the DHCP pool to be allocated, leaving none for legitimate users

Cross Domain Attack exploits the interaction between different security zones, domains, or trust boundaries to bypass security controls and access unauthorized data or functionality, CORS misconfiguration

SQL Injection Attack web application attack where an attacker manipulates a website's SQL queries by injecting malicious SQL code into input fields, enabling unauthorized access to or manipulation of the database

XSS ( Cross site Scripting ) Attack attacker injects malicious scripts into a trusted website or application, targeting other users and stealing their data or executing actions on their behalf.

XSRF/CSRF Attack tricks a victim into performing unintended actions on a web application where they are authenticated, without their knowledge or consent

Directory Traversal an attacker manipulates file paths to access restricted files or directories outside the intended web directory structure, potentially exposing sensitive data or system files

Command Injection an attacker injects malicious commands into an application’s input fields, causing the application to execute unintended system-level commands on the underlying operating system

Sub Domain Takeover Attack attacker takes control of an unused or misconfigured subdomain of a website, typically due to a DNS or hosting misconfiguration, and uses it to carry out malicious activities such as phishing

RFI Attack when an attacker is able to include a file (usually a script) from a remote server into a vulnerable web application

LFI Attack attacker is able to include files from the local file system on a vulnerable web server.

Birthday Attack targets hash functions, aiming to find two different inputs that produce the same hash value (a collision), which can compromise the integrity of the cryptographic system

Disassociation Attack attack where an attacker sends DE authentication or disassociation frames to disconnect devices from a wireless network

Dictionary Attack cracking passwords or encryption keys by systematically trying a list of commonly used words, phrases, or password combinations (the "dictionary") until the correct one is found.

Brute force Attack trying every possible combination until the correct password is found.

Downgrade Attack attacker forces a system to switch to a less secure protocol or version, making it easier to exploit known vulnerabilities or weaknesses

Sweet32 Attack exploits vulnerabilities in older, small block cipher encryption algorithms (like 3DES and Blowfish) by taking advantage of their short block size (64 bits). This allows attackers to perform a birthday attack to
extract plaintext data from encrypted communications.
POODLE Attack attacker forces a client and server to downgrade their secure connection from TLS (a modern protocol) to SSL 3.0 (an outdated protocol).

TOC/TOU ( race channel ) Attack attacker exploits the gap between the time of check (when a system verifies a resource or condition) and the time of use (when the system actually uses the resource).

Malvertising Attack embedding malicious code or links within online advertisements. These malicious ads are displayed on legitimate websites, potentially infecting users with malware or redirecting them to phishing sites.

DoS A single source overwhelms a target system, server, or network with traffic or resource requests, causing service disruption.

DDoS Attack Multiple sources (often a botnet) flood a target system or network, making it inaccessible to legitimate users.

USB Baiting Attack a social engineering technique where attackers leave malicious USB drives in public places, hoping victims will plug them into their computers, unknowingly executing malware or exposing sensitive data.

DNS Amplification Attack a type of DDoS attack where an attacker exploits the functionality of open DNS resolvers to amplify the volume of traffic sent to a target, overwhelming its resources

CAM flooding Attack sending a high volume of bogus MAC addresses to the switch, the attacker floods the CAM table, causing the switch to fail in forwarding traffic correctly, leading to network disruption or unauthorized access
Mobile device management Segmentation type
- Application management: Restricting applications can be installed on a device. Physical: Devices are separate physically. Does not scale well.
- Content m:anagement Limiting access to content hosted on company systems Logical (VLAN): Separate areas are segmented for different networks, but still housed on the same switch
- Remote wipe: Allows for the deletion of all data from a device remotely. Virtualization: The hardware to separate networks is virtualized, including routers, switches, and other devices apart from the
- Geofencing: Using GPS to define geographical boundaries where the app can be used. infrastructure. Easier to manage from a security standpoint and everything can be segmented.
- Geolocation: Tracking the location of a device identified by GPS. Air gaps: Network where the devices are physically separate from another and don’t share any components to communicate.
- Screen locks: Prevents someone from being able to pick. Great for security but be careful with removable media.
- Push notification services: Using SMS texts to send messages to selected users or groups. Sandboxing: Isolated area for application/malware analysis, displaying details activities.
- Passwords and pins: Authentication for mobile devices something you know.
- Biometrics: Authentication for mobile devices, fingerprint etc .. Environment Testing Staging UAT Demo Production
- Context-aware authentication: Uses multiple elements to authenticate a user and a mobile device.
- Containerization: isolating and protecting the application, including any data used by the
application. Purpose Bug fixing Final testing User validation Showcase app End-user usage
- Storage segmentation: Separates the information on a device into partitions. ( Work/Personal )
- Full device encryption: Protects against loss of confidentiality Users QA, developers QA, stakeholders End-users, Clients, sales Public/end-users
clients
Rooting/jailbreaking
Rooting: for Android OS, the process of modifying the device to gain root-level (full administrator) access. Data Used Mock/test data Near-production Realistic test Demo-specific Live, real data
Jailbreaking: for Apple OS, the process removing all software restrictions from the device. data data

Sideloading SCADA (Supervisory Control and Data Acquisition)/ICS (Industrial Control System): technologies used to monitor, control,
The process of installing applications or files onto a device from an unofficial source and automate industrial processes. SCADAs can be protected with VLANs and NIPS, and they require extensive network
segmentation. Segmentation is most important for SCADA security.
Custom firmware Smart devices/IoT (Internet of Things): A mobile device that allows the user: customizable options, applications to help make
An unofficial operating system or software installed on a mobile device, replacing or modifying the original daily activities easier, and an AI to assist in tasks.
manufacturer’s firmware The IoT is the class of devices that help provide automation and remote control of appliances and devices in the home or office.
1. Wearable technology: Contains personal and health information on a person.
Carrier unlocking 2. Home automation: Technology in the home is not updated frequently and are susceptible to attacks
Allows a mobile device to work with different carriers by removing restrictions imposed by the original Zigbee and Z-Wave: Wireless communication protocol for IoT devices, encryption must be used.
carrier MQTT (Message Queuing Telemetry Transport): Lightweight protocol for IoT communication, must use encryption.
Unlocking could interfere with receiving official firmware or security updates Modbus, DNP3: Famous proprietary protocols for SCADA/ICS.
IEC 62443: International standards for industrial cybersecurity.
Firmware OTA updates CISA Recommendations: U.S. agency guidance for critical infrastructure security
Wireless updates sent directly to your mobile device by the manufacturer or carrier NIST SP 800-82: Guidelines for securing ICS environments.

IoT security SoC (System on a Chip): An embedded device where the entire system is on
BYOD (Bring Your Own Device): Employees to connect their own personal devices to the corporate - Regular patching the chip. RTOS (Real Time Operating System): Attempts to use predictability
network to work. - Change default credentials and setting to see what happens to meet real time requirements, the guesses must be
COPE (Corporate Owned, Personally Enabled): Are owned by the organization, but can be used - Enable encryption secured.
personally by employees. - Network segmentation
CYOD (Choose Your Own Device): Employees can purchase devices on the list and bring them to work. - Disable unused features
The company then supports, monitors, and manages the device. - Monitoring traffic
Corporate-owned: Company owns and controls all aspects, no personal info at all, most secure for - IPS
company.

Mobile Device Management ( MDM ) Platform

Managing and securing mobile devices (smartphones, tablets, laptops) used within an organization to
protect sensitive data and ensure compliance
Model Description Control Basis Example

DAC (Discretionary Access Control) Access is granted/managed by the resource owner Owner-defined permissions A file owner allows a colleague to edit a document (NTFS)

RBAC (Role-Based Access Control) Access is based on predefined roles in the organization. Roles and responsibilities Only HR staff can access payroll data

MAC (Mandatory Access Control Central authority enforces strict rules, typically using security Security labels Only employees with "Top Secret" clearance can view certain documents
classifications (e.g., clearance).

ABAC (Attribute-Based Access Control) Access is granted dynamically based on attributes like user, Attributes (dynamic) Grant access to a document if the user is in the "Finance" department,
resource, action, or environment. accessing during work hours, from a secure location

Rule-Based Access Control Access is controlled by specific, pre-defined rules (if-then Rule conditions Deny access to an IP address outside business hours ( Firewall ACL )
conditions).

Guest accounts: Limited privilege Authentication Factors

Service accounts: Performs specific maintenance actions, such as a backup, account and server operators. Something you are: Physical parts ( Biometric, Iris, fingerprint etc .. )
Privileged accounts: Access is set to access rights, generally referred to as system or network administrative accounts. Something you have: Items ( Token, Card )
Least privilege: Rights and permission are set to job requirement, minimum as possible. Something you know: Knowledge ( PIN, Password )
Onboarding: Integrating a new employee into the organization securely Somewhere you are Location ( GPS, Country )
Offboarding: Securing the organization's data and systems when an employee exits. Something you do: Action ( Writing, Speaking )
Permission Auditing and Review: To ensure that users have appropriate access rights and that there are no unauthorized or unnecessary permissions MFA/2FA: using more than one factors for authentication.
Time-of-day restrictions: Certain privileges are permitted or restricted based on the time of day
Transitive Trust: when trust
between two entities can be
Feature SSO (Single Sign-On) Federation extended to a third entity through an
intermediate relationship.
Scope Within a single Across multiple organizations or domains.
organization or domain.

Example One login for Gmail, Drive, Logging into Zoom with Microsoft credentials.
and Youtube

Identity Managed internally within Trust is established between organizations.

Provider the organization.

Term Role Example Non-Transitive Trust :is a type of

trust relationship where trust does
not extend beyond two entities
Identity Authenticates the user and Google, Microsoft, or Okta.
Provider confirms identity. The MAC scheme uses sensitivity
labels for users and data. It is
Service Provides the service and Zoom, Slack, or Dropbox. commonly used when access
Provider relies on the IdP. needs to be restricted based on a
Principal The user who needs access. You (the person logging in). need to know. Sensitivity labels
often reflect classification levels of
Image ref: https://doubleoctopus.com/ data and clearances granted to
individuals.
.•.
LDAP (Lightweight Directory Access Protocol): Queries information Personal Account: the personnel working in the organizations - SID identifies the user or group.
about the directory, AD (windows). Port 389, 636 for SSL/TLS Administrator/Root Account: privileged accounts that have additional rights - ACE is an entry that ties a SID to a permission (e.g., "Read" or "Write")
encryption. and privileges beyond what a regular user has - DACL is the complete list of ACEs for a specific object, showing which
CN=John Doe, OU=HR, DC=example, DC=com Service account: used by the service or application, not an end user. should not users/groups (by their SIDs) have which permissions
•CN=John Doe → Refers to the user. expire
•OU=HR → Located in the HR department. Third-party account: external entities that have access to a network. - Oauth: Open standard for authorization that many companies use to provide
•DC=example, DC=com → Part of the example.com Guest account: limited access to a computer or network secure access to protected resources. For Authorization
Kerberos: Developed by MIT, for mutual authorization between client Share account: user account that temporary workers will share - SAML - Authentication; OAuth – Authorization
and server. It uses a ticket granting system for authorization. - SAML - Identity verification and SSO; OAuth - Access delegation

•EAP is a framework; it allows plug-in methods (like TLS, TTLS, PEAP).

- PAM implements the concept of just-in-time permissions.
SAML: federated identity management system, (XML)–based data •EAP-TLS = most secure (requires certs on both sides).
- Just-in-time permissions that provide administrative permissions to a user
format used for SSO on web browsers. used to exchange •PEAP & EAP-TTLS = server cert only + username/password = common and
account when they are needed.
authentication and authorization information between different - Requiring administrators to use two accounts, one with administrator privileges
easier to deploy.
parties. SAML provides SSO for web-based applications. •EAP-FAST = fast, lightweight, no certs — Cisco proprietary.
and another with regular user privileges, helps prevent privilege escalation
•LEAP = outdated, vulnerable to attacks, avoid
attacks.
Purpose Real-World - Users should not use shared accounts.
Control VPN
Example - Deprovision: disable a user’s account when they leave the organization (
•Remote Access VPN: A sales rep connects to the corporate intranet via SSL
Separation of Split responsibilities to One person Disable and Delete )
VPN.
Duties (SoD) prevent fraud or error approves payments; - Disable first coz of security key ( deleting can also remove security key as well
•Site-to-Site VPN: A company HQ and remote office are linked using IPsec VPN
another processes - Time-based login: only can log on to computers during specific times
between routers.
them - User account audit review: checking rights and permissions assigned to users
•Always-On VPN: Employees’ laptops auto-connect to corporate network via
and helps enforce the least privilege principle
IKEv2 VPN when online
Job Rotation IT staff rotate roles - Privilege creep: when a user is granted more and more privileges due to
Reduce fraud, increase •Split Tunneling: Sends corporate traffic through VPN, but local/internet traffic
every 6 months to changing job requirements, but unneeded privileges are never removed
skill redundancy goes directly
uncover anomalies - Attestation: process of verifying and confirming for user access and
•Full Tunnel: Routes all traffic (internal + internet) through VPN
permission by manager
Mandatory Force employees to Bank employee •VPN Concentrator: A dedicated device that handles multiple VPN connections
Vacation take leave to detect must take 1-week (especially remote access VPNs)
fraud vacation—audit •Encryption & Integrity: VPNs use encryption (AES/IPsec) & hashing (SHA) to
reveals misuse protect confidentiality & integrity

Protocol Purpose Port Encryption Used for Key Feature •PPTP is obsolete – avoid it (easy question!)
•L2TP uses IPsec for encryption – not secure
alone
Kerberos Authentication only UDP/TCP 88 Encrypted tickets (symmetric) Internal AD domains Time-based TGT & mutual authentication •SSL VPN = web-based, easier for non-technical
users
•IPsec uses AH (integrity) and ESP (encryption +
RADIUS AAA (centralized) UDP 1812/1813 Password only encrypted VPN, Wi-Fi, switches integrity)
Fast and scalable
•Split tunneling can improve performance but
poses data leakage risk
DIAMETER AAA (RADIUS replacement) TCP/SCTP 3868 Full message (via IPsec) Telecom (LTE/5G, IMS) AVPs, better error handling
802.1X
TACACS Authentication only (obsolete) TCP Legacy Cisco systems No longer use - Port based network access control
None - Used in enterprise environments with
WPA2/WPA3-Enterprise wireless
TACACS+ AAA (Cisco proprietary) TCP 49 Full packet encrypted Device admin access (Cisco) Command-level access control - Main three components Supplicant( device ),
Authenticator (Switch/WAP), Authentication
Server( RADIUS server )
Project - Obtain management support and funding RTO (Recovery Time Objective)
Initiation Assign a BCP team with representatives from all key departments. •Definition: The maximum acceptable time your systems or business processes can be down after a disruption.
- Define the scope and objectives of the BCP. •Example: If your website goes down, you may want it to be back online within 4 hours. So, your RTO is 4 hours.
- Identify legal, regulatory, and business requirements RPO (Recovery Point Objective)
•Definition: The maximum amount of data loss you're willing to accept. It indicates the point in time to which you can recover after a
Business - Identify critical processes and resources. disruption.
Impact - Determine the Maximum Tolerable Downtime (MTD) for each process. •Example: If you're running a database and back it up every 24 hours, then your RPO is 24 hours, meaning you're okay with losing up
Analysis - Define Recovery Time Objectives (RTO) and Recovery Point Objectives to a day of data.
(BIA) (RPO) for systems and data. MTBF (Mean Time Between Failures)
- Prioritize processes based on their importance to the organization. •Definition: The average time between system failures, representing how reliable a system is.
Risk - Analyze potential risks like natural disasters, cyberattacks, hardware •Example: If a piece of machinery typically operates for 1000 hours before breaking down, the MTBF is 1000 hours.
Assessme failures, etc. MTTR (Mean Time To Repair)
nt - Assess the likelihood and impact of each risk.Identify existing controls and •Definition: The average time it takes to fix a system or component after a failure.
gaps in protection. •Example: If a server crashes, and the average time it takes to restore it is 2 hours, then the MTTR is 2 hours.
•MTTF (Mean Time To Failure)
Strategy - Avoidance strategies: Reduce the likelihood of risks (e.g., better fire •Definition: The average time until a component or system fails, often used for non-repairable items.
Developm suppression). •Example: A light bulb typically lasts for 500 hours before it burns out, so the MTTF is 500 hours.
ent - Mitigation strategies: Reduce the impact (e.g., data backups). MTTA (Mean Time To Acknowledge)
- Acceptance strategies: Recognize low-priority risks without mitigation. •Definition: The average time it takes to recognize that a failure or issue has occurred.
- Decide on redundancies (e.g., alternate sites, backup power, failover •Example: If an alarm system goes off, the time it takes for a technician to acknowledge the alert is the MTTA. If it takes 5 minutes on
systems). average, that's your MTTA.

Plan - Emergency response procedures (e.g., evacuation plans).

Developm - Recovery procedures for systems, data, and operations.
BCP DRP Legal implications. The
ent - Communication plans for employees, stakeholders, and media.
legal implications related
- Contact lists for emergency services, vendors, and key personnel.
to backups depend on
The focus is on overall business operations and The focus is on IT systems—servers, databases, the data stored in the
Testing - Perform tabletop exercises (discussion-based tests).
continuity. This includes not only IT systems but applications, and other technology—that backups. For example, if
and - Conduct simulation drills to test recovery processes.
also people, facilities, communication, and support business operations the backups include
Training - Train employees on their specific responsibilities.
supply chains Personally Identifiable
- Test communication systems like alert notifications.
Example: If a natural disaster causes an office to If a server crashes or a data center is flooded, Information (PII) or
Maintenan - Regularly review the BCP to reflect changes Business Protected Health
be unavailable, the BCP would outline how the DRP would detail how to restore data, bring
ce and processes,technology or infrastructure.,Personnel or vendors. Information (PHI), the
employees can work remotely, how critical systems back online, and minimize downtime.
Review - Update after testing or real-world incidents. backups need to be
services will be delivered, and how suppliers will
- Schedule periodic reviews (e.g., annually or biannually). protected according to
be contacted
governing laws
Snapshot backup:captures the data at a moment in time. It is commonly used with virtual machines Offside storage: Storing Offside storage: Storing Backup
Replication is the process of creating an exact copy of data or a system in real-time or near-real-time. backups in a separate backups in a separate frequency is Data sovereignty: Data
Maintaining a secondary site or system that can be quickly brought online in case of a primary site failure geographic location protects geographic location protects depended on sovereignty refers to the
or data corruption them against a disaster such as them against a disaster such as storage space and legal implications when
Journaling is a backup technique that records changes to data or files sequentially in a separate log, also a fire or a flood. Even if a disaster a fire or a flood. Even if a disaster backup time. data is stored off-site. If
known as a journal. In case of a system failure or data corruption, the journal can be used to recover the destroys the site, the destroys the site, the the backups are stored in
data to its most recent state by applying the changes recorded in the journal to a previous backup. Mostly organization will still have organization will still have a different country, they
uses in Database. another copy of the critical data another copy of the critical data are subject to that
country’s laws.
Geographic dispersion is important for recovery site location Continuity of operations planning (COOP) focuses on restoring site risk assessment is a focused assessment of a specific
and it should not be located close to your primary site or the mission-essential functions at a recovery site after a critical location or site. Choosing low crime rate areas, avoiding flood
same disaster may affect both locations outage. areas etc ..
Test Type Description Pros Cons Example

Checklist Testing A review of the BCP document to ensure - Easy to perform - Limited real-world testing Reviewing a checklist to verify contact
all components are accurate and - Quick verification - Surface-level validation details, resources, and recovery
complete. procedures are up-to-date.

Walkthrough Testing A structured meeting where team - Involves multiple stakeholders - Does not simulate real-world events Key staff members review recovery
members discuss the BCP to identify - Identifies process gaps - Limited practical feedback steps in a group session to ensure roles
gaps or inconsistencies. and responsibilities are clear.

Tabletop Testing A scenario-based discussion where - Helps identify weak points - No practical execution Team simulates a power outage and
participants talk through their roles and - Encourages collaboration - Limited realism discusses how to recover critical
responses to a disaster scenario. business operations.

Simulation Testing A simulated disaster is staged to test the - Provides realistic feedback - Can be time-consuming IT simulates a server failure to test
BCP without disrupting actual - Tests preparedness effectively - May incur costs backup and recovery procedures.
operations.

Parallel Testing Recovery systems are activated in - Minimizes operational disruption - Resource-intensive Running backup servers alongside live
parallel to production systems to test - Validates recovery systems - Can reveal issues late servers without switching fully to the
their readiness. backup environment.
Fail Over Testing/full interruption A complete implementation of the BCP, - Tests the full plan - High cost Shutting down the primary data center
tests switching operations to backup systems - Identifies all gaps - Potential operational risk and operating entirely from a backup
or locations. site for a specified period.

Full Backup Differential Backup Incremental Backup

A full backup means making a copy of everything in your folder, no A differential backup only saves the changes made since the last full An incremental backup only saves what changed since the last
matter what. It’s like taking a snapshot of the entire folder. backup. backup (of any type).

Example: On Day 1, you copy A, B, C, and D into the backup. Example: Example:
On Day 1, you do a full backup (A, B, C, D). On Day 1, you do a full backup (A, B, C, D).
Every time you do a full backup, it saves everything, even if nothing On Day 2, only files E and F are added. The backup saves On Day 2, only file E was added. The incremental backup
changed. only E and F. saves E.
On Day 3, files G and H are added. The differential backup On Day 3, file F was added. The backup only saves F.
now saves E, F, G, and H (everything changed since Day 1). On Day 4, file G was added. It only saves G.

This means differential backups grow larger each day until the next Incremental backups are much smaller and faster, but restoring files
full backup. takes longer because you need every backup in sequence.

Business Impact Analysis: identify critical systems and components Backup Time Full: Slowest, as all data is backed up every time
that are essential to the organization’s success. It also identifies Incremental: Fastest, as it only backs up changed data.
maximum downtime limits for these systems and components Differential: Starts fast but slows as more changes accumulate

Restore Time Full: Fastest, as it requires only one backup file

Incremental: Slowest, as it needs the full backup plus all incremental backups in sequence.
Differential: Faster than incremental, as it needs only the full backup and the most recent differential backup
Industrial Camouflage: a concept where Perimeter: fence, security guard, barricades to block vehicles
organizations intentionally obscure, disguise, Buildings: locked doors restrict entry, lighting and video cameras to monitor the entrances and exits.
or mask digital assets, processes, or Secure work areas: restrict access to specific work areas for only authorized person, visitors should not be able to enter internal work areas without an escort.
infrastructure to avoid detection by cyber Server rooms: Only the appropriate IT personnel can access servers and network devices, locking a wiring closet prevents an attacker from installing illicit monitoring hardware
attackers. Hardware: Cable locks protect laptop computers, smaller devices can be stored in safes, locking cabinets to protect servers and other equipment installed in the equipment bays

Access badges: Proximity cards use these for Video surveillance: CCTV, to monitor entrances of high- Perimeter Security Internal Security
access points, such as the entry to a building. Some security areas ( Server room and Data center. Must not •Fencing: Deters unauthorized access, defines boundaries. •Locked Doors / Cabinets: Prevents unauthorized
access control points use proximity cards with PINs record voice ( privacy concerns ). •Lighting: Increases visibility and deters intruders. internal access.
for authentication Can also enhance safety by deterring threats. •Security Guards: Human deterrents and responders. •Security Zones: Segmented areas by trust level.
Many cameras include motion detection and object •CCTV: Video surveillance for deterrence and evidence. •Visitor Logs & Escorts: Required in sensitive
Environmental Controls detection capabilities •Signage: Warns of restricted areas or surveillance areas.
•HVAC: Temperature and humidity control to PTZ function: Pan, Tilt, Zoom; can be manually or •Access Control Lists (ACLs): Who can go where,
protect hardware. automatically controlled when.
•Fire Suppression: Thermal Cameras: Detect heat signatures; useful in Access Control
• Smoke Detectors low-light or total darkness •Mantraps: Two-door system to prevent tailgating. Device Protection
(ionization/photoelectric) •Turnstiles: Restricts access to one person at a time. •Cable Locks: Prevent laptop/theft removal.
• Fire Extinguishers (ABC types) Monitoring & Response •Badges/ID Cards: Verifies identity for entry. •Laptop Safe: Secure storage.
• Gas-based Systems (e.g., FM-200) •Security Alarms: Detect break-ins or fire. •Biometric Readers: Fingerprint, retina, facial recognition. •Port Security (Physical): Block unused
•Water Detection: Alerts on leaks or floods. •Motion Sensors: Detect unauthorized movement. •Keypads / PINs: Simple access control. USBs/network ports.
•Shielding: Prevents EMI and TEMPEST attacks. •Duress Alarms: Silent panic alerts. •Smart Cards / Proximity Cards: Secure entry. •Faraday Cages: Block electromagnetic
•Security Incident Response: SOP for breaches or emissions.
Physical Security of LAN Cables alerts.
•Secure Cable Routing: Use conduits, run cables
in ceilings/floors away from public access. Hot Aisle and Cold Aisle: data center cooling strategies,
•Lockable Wiring Closets: Prevents physical for managing airflow and temperature around IT
access to switches and patch panels. equipment.
•Port Security: Disable unused switch ports or use
MAC filtering. •Visitor Management: Procedures for registering,
•Cable Locks: Prevent physical disconnection or escorting, and monitoring visitors.
tampering. •Asset Management: Tracking the location and
Use plenum-rated cables in ceilings/floors security of physical assets.

Cold Aisle Containment (CAC) Fire Extinguishers (Portable)

•Encloses the cold aisle to prevent mixing with hot air. •Class A: Ordinary combustibles (wood, paper)
•Improves cooling efficiency. •Class B: Flammable liquids (gasoline, oil)
•Cold air is directed only to the front of servers. •Class C: Electrical fires (computers, wiring)
Hot Aisle Containment (HAC) •Class D: Flammable metals (rare in IT)
•Encloses hot aisle so hot air is extracted directly. •Class K: Kitchen fires (oils and fats)
•Requires overhead or rear cooling ducts.
•Reduces the overall room temperature. Gaseous Fire Suppression (Data Centers)
•FM-200 / HFC-227ea:
• Suppresses fire without
TEMPEST: A standard/program to prevent leakage of data damaging electronics
via electromagnetic emissions • Leaves no residue
Faraday Cage: An enclosure made of conductive material •CO₂ Systems:
that blocks electromagnetic signals (Secure Facilities ) • Smothers fire by removing oxygen
• Dangerous to humans in confined
spaces
•Input validation – Sanitize all user input
•Output encoding – Prevent XSS
•Least privilege – Use minimal permissions
•Error handling – Avoid detailed error messages
•Secure defaults – Disable insecure features by default
•Use MFA (Multi-Factor Authentication)
•Store hashed and salted passwords (e.g., bcrypt)
•Use secure cookies,
•Set short session timeouts
•Use token-based authentication (e.g., OAuth2,
JWT
•Use authentication (API keys, OAuth)
•Rate-limit access to prevent abuse
•Use HTTPS to protect data in transit
•Validate all API input and output
•Keep software and libraries up to date
•Use container security best practices
•Remove unused features or sample apps
•Protect against open-source dependency risks

Application Testing Tools

•SAST – Static Application Security Testing (e.g.,
SonarQube)
•DAST – Dynamic Application Security Testing (e.g.,
OWASP ZAP) Memory leak: a bug in a
•Fuzzing – Send random data to detect crashes computer application DLL Injection: Inject malicious DLL into a running process(App control,
•Code reviews – Manual review of critical logic that causes the privilege escalation).
application to consume XML Injection: Inject malicious XML content to alter logic or extract data
Common Secure Coding Standards more and more memory (Logic bypass, data disclosure).
•OWASP Top 10 – Avoid common web app the longer it runs LDAP Injection: Inject into LDAP queries to alter or retrieve unauthorized
vulnerabilities data (Login bypass, unauthorized queries)
•NIST SP 800-64 – Security in SDLC Code Obfuscation: attempts to make something Sandboxing: isolated area specifically
•CERT Coding Standards – Secure C/C++ coding unclear or difficult to understand. created for testing (Dev playground) Integer overflow: occurs if an application receives a numeric value that is
too big for the application to handle.
Model Description Pros Cons Focus
Buffer overflow: when an application receives more input, or different
input, than it expects. Attacker can exploit it and overwrite memory
Waterfall A linear and sequential - Easy to manage Hard to adapt to changes Security is often added at the end. locations with their own code ( Memory injection )
model; each phase must be - Clear documentation - Late testing - High risk of late discovery of
completed before next. vulnerabilities. Strict-Transport-Security (HSTS): Forces browser to only use HTTPS
(prevents downgrade attacks).
Spiral Combines iterative design - Good for complex, high-risk - More expensive - Security is integrated at each loop.
Content-Security-Policy (CSP): Controls what resources (scripts, styles)
with risk assessment at each projects - Requires skilled risk analysts - Risk-based approach helps identify
can load on a page.
loop or phase - Risk analysis threats early.
X-Frame-Options: Prevents site from being embedded in an iframe ( to
Agile Iterative and incremental - Fast delivery - May lack full documentation - Security is embedded in every sprint. prevent clickjacking attack
model with frequent updates - Adaptive to change - Needs disciplined teams - Encourages DevSecOps and X-Content-Type-Options: Prevents browsers from MIME-sniffing content
and collaboration. - DevSecOps fit continuous security testing. types.
Encryption: Converting plaintext into ciphertext Symmetric Asymmetric Hash Algorithms
Decryption: Reversing ciphertext back to plaintext MD5: Legacy; weak - avoid in modern systems
Hashing: One-way function - creates a fixed-length output (digest) - One key (same for encryption/decryption) - Two keys (public + private) SHA-1: Deprecated - vulnerable to collisions
Key Exchange: Securely sharing encryption keys over an untrusted - Fast - Used for file encryption, VPN (AES) - Slower SHA-256/512: Modern hashing - SHA-2 family
network - Algorithms: AES, DES, 3DES, RC4 - Used for SSL/TLS, Email Signing, Secure Key SHA-3: Future-ready - based on Keccak
Digital Signature: Proves integrity + authenticity using hashing + private Exchange
key - Algorithms: RSA, ECC, DSA
Salt: Random data added to passwords before hashing (thwarts rainbow
tables) Format Extension Encoding Description
Nonce: Number used once - adds randomness (e.g., in IVs or auth)
PEM .pem, .crt, Base64 Easy to read and copy. Often used
Root Issued by the root CA; highest level of trust. CSR Process .cer, .key (ASCII) in web servers.
Certificate:

Intermediate Issued by root CA; used to sign end-user certs. DER .der, .cer Binary Used in Java platforms and
Certificate: Windows. Not human-readable.

End-Entity Issued to users, servers, or devices. PFX/P12 .pfx, .p12 Binary Contains both certificate + private
Certificate: key (often password protected).

Wildcard Covers all subdomains (e.g., *.example.com). CER .cer DER or PEM Just the certificate (no key).
Certificate Extension used on Windows.

SAN Supports multiple domains (Subject Alternative Names). .pfx or .p12, it likely includes the private key. Handle with care!
Certificate
Self-signed certificate: signed by the same entity it certifies, not issued by
Code Signing Verifies publisher and integrity of software. CA, Browsers often display a warning/error , susceptible to Man-in-the-
Certificate Middle (MitM) attack, mostly used internally ( network devices ).

•Certificate Authority (CA): Issues and signs digital certificates. Description

Attack Type Example / Impact
•Registration Authority (RA): Verifies the identity of users before certificate
issuance.
•Certificates: Digital files that link a public key to an identity. Brute Force Attack Tries every possible key or password until the correct one is
Cracking weak encryption like DES
•Public/Private Key Pair: Keys used for encryption and digital signatures. found
•CSR (Certificate Signing Request): Request sent to CA to get a certificate. Rainbow Table Attack Uses precomputed hash values to reverse cryptographic Bypasses hashed password storage
•CRL (Certificate Revocation List): List of certificates revoked by the CA. hashes
•OCSP (Online Certificate Status Protocol): Checks certificate validity in real-time
•OSCP stapling: server checks with the CA in advance, and sends a signed proof Birthday Attack Exploits the probability of hash collisions
Affects MD5, SHA-1 (non-collision resistant)
(OCSP response) to the browser during the TLS handshake

Certificate Authority (CA): Centralized, High Scalability, mostly used in Website ( Known-plaintext Attack Attacker has both plaintext and ciphertext to discover key Used in historical cipher breaking
SSL/TLS certificate ).
Web of Trust (WoT): Decentralized (Peer-to-peer), Low Scalability, mostly used in Chosen-plaintext Attack Attacker can encrypt chosen plaintexts to observe outputs Common against block ciphers
Email (PGP),

Trusted Path: ensures a certificate can be validated through an unbroken chain Ciphertext-only Attack Only has access to ciphertext, trying to guess plaintext or key
More difficult, but feasible with weak ciphers
back to a known trusted root CA

End-Entity Certificate (Leaf) → Intermediate Certificate → Root CA Certificate Pass-the-Hash Uses stolen NTLM hash to authenticate without decrypting Exploits Windows authentication flaws
X.509 Certificate Feature Block Stream Cipher
•Standard: Most widely used certificate format (defined by ITU-T). Cipher
•Used In: SSL/TLS, digital signatures, email security, VPNs.
•Contains: Data Handling Encrypt
• Version s fixed-
• Serial number size
• Signature algorithm blocks Encrypts one bit or byte at a time
• Issuer (CA) (e.g.,
• Subject (owner of the cert) 128
• Validity period bits)
• Public key
Speed Slow Fast
• Extensions (optional)
• Signature
Common Use File Voice, video, and streaming data
Digital Signature Cases encrypt encryption
- Proves the authenticity and integrity of a message or file ( ion
Email ) (e.g.,
- A hashed and encrypted digest of data disk,
- Created by the sender of the data email)
- Used by the recipient to verify the digital signature
- Sender hashes the message and encrypts hash with Key Often Requires careful synchronization
private key (the signature) Management simpler

Algorithms AES, RC4, Salsa20, ChaCha20

Message Authentication Code (MAC)
DES,
- Short piece of information used to
Blowfis
- Verify the integrity and authenticity of a message.
h
- Used in TLS, IPSec, JWT, and APIs to prevent tampering.
Perfect Forward Secrecy
Key Scrambling: Randomizing or transforming a key to increase
- Ensures that even if a long-term private key is compromised,
security
past communications remain secure
•Key Stretching: where a weak or short key (like a password) is
- Relies on using ephemeral keys so that each session has a
processed to make it more secure and resistant to brute-force
unique key
attacks. (PBKDF2,bcrypt
- Protects past sessions even if keys are compromised
,scrypt ,Argon2 )
Ephemeral Key
ECC
- Important part of PFS
- Cryptography method based on the mathematics of
- Temporary session-specific encryption key
elliptic curves over finite fields
- Ensures session uniqueness
- High security with smaller key sizes
- TLS 1.2/1.3 often uses Ephemeral Diffie-Hellman
- Mobile devices, SSL/TLS (with ECDHE), Bitcoin wallets, etc
(DHE/ECDHE) for key exchange, providing Perfect Forward
Secrecy
•Obfuscation = Make code/data confusing.
•Steganography = Hide data in plain sight (e.g., inside media).
Entropy: represents how unpredictable or random a piece of data
•Tokenization = Replace with unrelated placeholder (no
is
mathematical link).
Lack of entropy results in a weaker algorithm and makes it much
•Masking = Blur/obscure part of data for privacy.
easier for the algorithm to be cracked
File & Directory Navigation File Viewing & Search Network Commands System Cleanup & Processes
ls / dir: List files and folders cat file.txt: View file contents ipconfig / ifconfig / ip a: Show IP/network settings tasklist / ps aux: Show running processes
cd: Change directory more / less file.txt: View file page-by-page ping <ip>: Test network connectivity kill PID: Kill process by ID
pwd: Print working directory grep 'keyword' file.txt: Search keyword in file (Linux/macOS) tracert / traceroute: Trace route to host cls / clear: Clear screen
mkdir: Make a new directory find . -name file.txt: Find a file netstat -an: Show network connections shutdown /r: Restart system
rmdir / rm -r: Remove directory / files type file.txt: Display contents of a file (Windows) nslookup: Resolve domain names
nmap: Scan ports/services
•nmap <target>
→ Basic scan (default TCP scan of top 1000 ports)
•nmap -v <target> DNS (Domain Name Service): Does not have any security in its original design, use for name resolution
→ Verbose output DNSSEC (Domain Name Service Security Extensions): Primary purpose is to provide a reliable authorization service between devices
•nmap -p 80,443 <target> when performing operations on the DNS
→ Scan specific ports (80 and 443) SSH (Secure Shell): Replaces Telnet. TCP over Port 22 and use encryption
•nmap -p- <target> S/MIME (Secure/Multipurpose Internet Mail Extensions): Digitally signed email content using public key encryption.
•→ Scan all 65535 TCP ports SRTP (Secure Real-time Transport Protocol): Protected and encrypted voice communications.
LDAPS (Lightweight Directory Access Protocol Secure): TCP ports 389 and 636. Protocol used for reading and writing directories over an
•nmap -sV <target>
IP network. AD service, using encryption.
→ Detect service versions
FTPS (File Transfer Protocol Secure): TCP Ports 989/990. File transfer using SSL/TLS.
•nmap -A <target> SFTP (Secure File Transfer Protocol): TCP Port 22. FTP over an SSH channel.
→ Aggressive scan: includes OS detection, version, script scanning, and traceroute SNMPv3 (Simple Network Management Protocol Version 3): Ports 161/162. Encrypted statistics gathering from network devices.
•nmap -O <target> SSL (Secure Sockets Layer)/TLS (Transport Layer Security): HTTPS connection! Encryption technology developed for web and email over
→ OS detection the transport layer.
•nmap -sS <target> TLS (Transport Layer Security): The replacement for SSL, more secure. Used to encrypt the communication of servers in an organization.
→ SYN (stealth) scan Secure POP (Post Office Protocol)/IMAP (Internet Message Access Protocol): 1. Secure POP (Post Office Protocol): Sends from port 110
•nmap -Pn <target> to 995. Encrypted email communications used for retrieving email from a mail server over SSL/TLS.
→ Skip host discovery (assumes host is up) Secure IMAP (Internet Message Access Protocol): Sends from port 143 to 993. Is standard email protocol for storing email messages on a
•nmap -f <target> mail server over SSL/TLS.
→ Fragment packets to evade firewalls SASL (Simple Authentication and Security Layer): Provides a source of additional authentication using many different methods, such as
Kerberos or client certificates.
•nmap -D RND:10 <target>
RADIUS: AAA service, uses 1812,1813
→ Use decoy IPs to hide real source
TACACS+: AAA service, uses TCP 49
•nmap -sI <zombie_ip> <target> ICMP- Uses for ping, network connectivity test
→ Idle (zombie) scan for stealth TFTP – hackers use to upload backdoor
•nmap -T0 <target> → Paranoid (very slow, stealthy) IPSec – AH ( Only Authentication , Header only) ESP ( payload encryption )
•nmap -T4 <target> → Aggressive (faster for LAN scanning)
•nmap -T5 <target> → Insane (very fast, may miss packets)
•nmap -oN output.txt <target>
→ Normal output to file
•nmap -oX output.xml <target>
→ XML output
•nmap -oG output.gnmap <target>
→ Grepable output

File Operations Permissions & Ownership (Linux)

cp file1 file2: Copy file chmod 755 file: Change file permissions
mv file1 file2: Move or rename file chown user:group file: Change file owner
rm / del file.txt: Delete file umask: View/set default permissions
Port Protoco UDP/TC Service Name Usage Summary Port Protocol UDP/T Service Name Usage Summary
l P CP

20 FTP TCP File Transfer Protocol Data transfer 389 LDAP UDP/TC Directory Service Directory lookups (e.g., Active Directory)
P

21 FTP TCP File Transfer Protocol FTP control (commands) 443 SSL TCP Secure HTTP Encrypted web traffic (SSL/TLS)

22 SSH TCP Secure Shell 445 SMB TCP Server Message Block
Secure remote login and file transfer File/printer sharing (Windows)

23 Telnet TCP Telnet Unencrypted remote login (legacy) 500 IKE UDP IPsec VPN negotiation VPN tunnel establishment

25 SMTP TCP Mail Transfer Email sending 636 LDAPS UDP Secure LDAP
Encrypted LDAP (TLS/SSL)

53 DNS UDP Domain Name Service DNS queries (UDP) / zone transfers (TCP) 993 IMAPS TCP Secure IMAP
Encrypted email access

67/68 DHCP UDP DHCP Offer/Request IP 995 POP3 TCP Secure POP3 Encrypted email retrieval

69 TFTP UDP Trivial FTP Lightweight file transfers 1433 MSSQL TCP Microsoft SQL Server SQL database connections

80 HTTP TCP Web Plain Text transmission ( Web ) 3389 RDP TCP Remote Desktop Remote Windows GUI access

110 POP3 TCP Post Office Protocol Receiving emails (legacy) 49 TACACS+ TCP AAA AAA

119 NNTP TCP Usenet/news groups 1812/181 RADIUS UDP AAA for network AAA
Network News Transfer
3 access

123 NTP UDP Network Time Protocol Time synchronization 88 Kerberos TCP TGT Network authentication (AD)

143 IMAP TCP Internet Mail Access Accessing email on server 53 DNS TCP Domain Name Service Zone Transfer
Zone
transfer
161/162 SNMP UDP Network Management Network device monitoring
Cybersecurity framework: A structure of basic concepts, and they Audit: confirming that the organization has put security controls Due Diligence Due Care
provide guidance to professionals on how to implement security in in place
various systems Internal audit : performed by an auditing team within the
ISO 27001, NIST etc .. organization itself Taking steps to research and assess risks Taking reasonable steps to protect assets
External audit : performed by an independent auditing firm before taking action after taking action
ISO 27001 : “Information Security Management Systems,” provides Assessment : are less formal reviews of an organization’s Example : Reviewing a vendor’s security Example : Regularly patching systems to
information on information security management systems (ISMS) cybersecurity defenses posture before signing a contract. prevent vulnerabilities.
requirements Gap analysis : comparing current state vs desired state to
ISO 27002 : “Information security, cybersecurity and privacy identify what’s missing or needs improvement. Data governance : refers to the processes an organization uses to manage, process, and
protection Attestation : outcome of an audit made by auditor. Independent protect data. ensuring that critical data elements are identified
ISO 27701 : “Privacy Information Management System (PIMS),” validation + formal report. Example - Auditor attests that security
ISO 31000 : “Risk management,” is a family of standards related to controls meet ISO 27001 requirements External Considerations : include regulatory requirements, legal obligations, industry
risk management standards, and the security environment at local, regional, national, and global levels

NIST SP 800-37: NIST Risk Management Framework, U.S. federal Term What it Defines Mandatory? Level Example
government agencies must adopt the RMF
Policy Overall rule or intention Yes High “All users must use multi-factor authentication.”
NIST Cybersecurity Framework (CSF) aligns with the RMF. Many
private sector organizations have adopted it to improve their ability to
prevent, detect, and respond to cyberattacks. Standard Specific requirement Yes Mid-Level “MFA must use TOTP-based apps like Google Authenticator.”
Main component: Core, Tier, Profile

Security Governance: set of responsibilities and practices used to Procedure How to do it Yes Detailed “How to enroll a device in MFA.”
direct and control an organization's security efforts. Ensures
alignment with business goals, compliance, and risk management.
Baseline Minimum acceptable level Yes Technical “All laptops must have antivirus and disk encryption.”
Centralized Governance: Central authority ( CISO ). One team
controls security
Decentralized Governance: Security decisions are made at the Best Practice Industry-recommended approach No Advisory “Rotate passwords every 90 days and use passphrases.”
department or business-unit level, flexible but hard to control

Protects Applies To Focus Area Role Responsibility

Framework

PCI-DSS Merchants, Card Data Environment (CDE) Data Owner Person or department accountable for data — defines access & classification
Cardholder data
processors

HIPPA Health data (PHI) Healthcare sector Privacy, data protection Data Steward Ensures data quality and accuracy — manages metadata, policies, and standards.

SOX Financial records Public companies Accountability, audit trails Data Processor A third party that processes data on behalf of the controller (e.g., a cloud provider).

GLBA Financial info (PII) Financial institutions Consumer privacy, safeguards Data Custodian Handles day-to-day maintenance and protection of data (e.g., backups, security controls).

ISO 27001 Information assets All industries Risk-based security framework Data Controller Entity that determines why and how personal data is processed. Legally accountable

SOC 2 Customer Cloud & SaaS Security controls (5 Trust Areas) Data User End user who accesses and uses the data under policy guidelines.
data/services companies
Vendor Assessment Right to Be Forgotten
The process of evaluating third-party vendors for security posture, risks, and compliance before or during •A data privacy right that allows individuals to
engagement. request the deletion of their personal data
Right-to-Audit Clause from an organization’s systems.
A contract term that allows an organization to inspect a vendor’s systems, processes, and controls to ensure •Common under laws like the GDPR (EU).
compliance and security. •Applies when data is no longer needed,
Vendor Diversity inaccurate, or the person withdraws
Using multiple suppliers for similar services/products to reduce reliance on a single vendor. Increases consent
resilience and availability

Document Short Note Definition

SLA (Service Level Agreement) Service guarantees Defines performance expectations (e.g., uptime, response time) between
provider and client.

MOU (Memorandum of Understanding) Intent to work together A non-binding agreement showing mutual intent to collaborate.

BPA (Business Partnership Agreement) Partnership terms Formal contract between business partners detailing roles, responsibilities, and
profit/loss.

NDA (Non-Disclosure Agreement) Keep it secret Legal contract to protect confidential information from being shared.

MSA (Master Service Agreement) Master rules for work A broad agreement that sets terms for future contracts or projects between
parties.

SOW (Statement of Work) ask-level detail A document that defines the specific work, timelines, and deliverables of a
project.

Supply Chain Analysis •Data Inventory = Know what data you

The process of identifying, evaluating, and securing all components and have
third parties involved in delivering a product or service. Helps detect •Data Retention = Know how long to keep
security risks, dependencies, or disruptions it
Risk Management Process Risk The potential for loss or damage when a threat exploits a vulnerability. Risk Awareness
1.Identify Risks – Spot threats and vulnerabilities. Understanding potential risks and their impact within an
2.Assess Risks – Analyze likelihood and impact. organization
3.Prioritize Risks – Rank based on risk level. Threat Something that can cause harm (e.g., hacker, natural disaster). Inherent Risk
4.Treat Risks – Choose a mitigation strategy The natural level of risk before any controls are applied. (e.g., data
5.Monitor & Review – Continuously reassess and improve Vulnerability A weakness that can be exploited breach risk without encryption).
Residual Risk
Treatme Action The remaining risk after controls are implemented. (e.g., risk still
nt Impact The consequence or effect of a risk event. present after firewalls).
Control Risk
Avoid Eliminate the risk source. The risk that security controls may fail or be bypassed.
Risk Appetite
Likelihood The probability that a threat will occur.
Mitigate Reduce the likelihood or impact. The total amount of risk an organization is willing to accept in
pursuit of objectives.
Asset Anything valuable to the organization (data, people, systems) Risk Tolerance
Transfer Share the risk (e.g., insurance The acceptable variation from the risk appetite — how much
deviation is tolerable.
Exposure The extent to which an asset is at risk Note
Accept Acknowledge and take no action •Inherent → Control → Residual (risk lifecycle)
•Appetite = What org is OK with
Risk Appetite The amount of risk an organization is willing to accept
•Tolerance = How much wiggle room allowed
Risk = Threat × Vulnerability × Impact •Awareness = How well people understand the risks
Type Definition Example
Risk Register – Short Note
•A documented list of all identified risks.
Qualitative Uses subjective values (e.g., High/Medium/Low) based on expert opinion, "A data breach is High Risk due to sensitive info exposure." •Includes details like:
experience, or risk matrices. • Risk description
• Likelihood & impact
Quantitative Uses measurable numbers (e.g., $ loss, % likelihood) to calculate actual "A data breach could cost $100,000 and has a 20% chance/year." • Owner
risk value. • Response plan
• Status
Quantitative Risk Calculation Qualitative Risk Assessment
Asset Value (AV) : The dollar value of the asset (e.g., server worth $10,000). Evaluate risks using descriptive values like High, Medium, Low.
Exposure Factor (EF) : The % of asset lost in an event (e.g., 50% = 0.5). Formula
Single Loss Expectancy (SLE) : Expected loss from one event. Formula ( AV x EF = SLE ) Risk = Likelihood × Impact
Annual Rate of Occurrence (ARO) : How often the event is expected to occur per year. Likelihood: High (attacks are frequent in the industry)
Annual Loss Expectancy (ALE) : Expected loss per year. Formula: ( SLE x ARO = ALE Impact: Critical (could stop operations and cause major data loss)
Resulting Risk Level: High or Critical
Example Often visualized using a Risk Matrix
Let’s say:
•Asset Value (AV) = $20,000 •Subjective (uses words, not numbers)
•Exposure Factor (EF) = 0.5 (50% damage) •Prioritizes risks using expert opinion and risk matrices
•ARO = 2 (incident expected twice per year) •Formula: Risk = Likelihood × Impact
SLE = 20,000 × 0.5 = $10,000
ALE = 10,000 × 2 = $20,000/year
Personal Account: the personnel working in the organizations Log Aggregation Log Normalization
Administrator/Root Account: privileged accounts that have additional rights •What It Means: Collecting and combining logs from multiple •What It Means: Converting logs from various devices and formats into a
and privileges beyond what a regular user has sources into a central repository for analysis and storage. standard, unified structure that the SIEM can process and analyze.
Service account: used by the service or application, not an end user. should not •Why It’s Important: Simplifies monitoring by providing a single •Why It’s Important: Different devices (e.g., firewalls, routers, and
expire view of events across the network. applications) generate logs in unique formats. Normalization ensures that all
Third-party account: external entities that have access to a network. Example: logs are standardized for easier analysis.
Guest account: limited access to a computer or network •Scenario: Logs are generated by: Example:
Share account: user account that temporary workers will share • A firewall tracking incoming connections. •Before Normalization:
• A server recording login attempts. Firewall Log: src_ip=192.168.1.10, dst_ip=10.0.0.5, action-allow
• An antivirus system detecting malware. Server Log: source=192.168.1.10 accessed 10.0.0.5 success
- PAM implements the concept of just-in-time permissions. •Aggregation:
- Just-in-time permissions that provide administrative permissions to a user • The SIEM collects logs from all these sources and After Normalization:
account when they are needed. consolidates them into a unified dashboard. Normalized Log: Source IP: 192.168.1.10, Destination IP: 10.0.0.5, Event:
- Requiring administrators to use two accounts, one with administrator privileges •Outcome: You can see all security events in one place, rather than Access Allowed
and another with regular user privileges, helps prevent privilege escalation logging into multiple devices to view logs.
attacks. Outcome: All logs now follow the same structure, making it easier to analyze
- Users should not use shared accounts. across devices
- Deprovision: disable a user’s account when they leave the organization ( Log Correlation
Disable and Delete ) •What It Means: Analyzing logs to find relationships between events
- Disable first coz of security key ( deleting can also remove security key as well that may indicate a security incident. Redundancy: Use of extra components or systems
- Time-based login: only can log on to computers during specific times \ •Why It’s Important: Detects patterns or threats that may not be Fault Tolerance: The ability of a system to keep running despite a failure,
- User account audit review: checking rights and permissions assigned to users obvious when looking at individual logs. without interruption. Builds on redundancy.
and helps enforce the least privilege principle Example: SPOF (Single Point of Failure): A component or process that, if it fails, will
- Privilege creep: when a user is granted more and more privileges due to •Scenario: bring down the whole system
changing job requirements, but unneeded privileges are never removed • A firewall log shows multiple failed login attempts
- Attestation: process of verifying and confirming for user access and from IP 192.168.0.10 Horizontal = Add more servers
permission by manager • A server log shows a successful login from the same Vertical = Make one server stronger
IP a few minutes later. Scalability = Can grow with demand
• An antivirus log detects malware being executed Elasticity = Can auto-adjust with demand
- Oauth: Open standard for authorization that many companies use to provide from that server. Resiliency = Bounce back fast and keep running, even after failure or attack.
secure access to protected resources. For Authorization •Correlation:
- SAML - Authentication; OAuth – Authorization • The SIEM links these events together:
- SAML - Identity verification and SSO; OAuth - Access delegation • Failed logins → Brute force attack. VM Sprawl: Uncontrolled growth of virtual machines, leading to inefficiency,
• Successful login → Potential compromise. management issues, and security risks.
- SID identifies the user or group. • Malware detection → Post-exploitation VM Escape: A serious exploit where a malicious program breaks out of a VM
- ACE is an entry that ties a SID to a permission (e.g., "Read" or "Write") activity. to access the host or other VMs.
- DACL is the complete list of ACEs for a specific object, showing which •Outcome: The SIEM raises an alert: “Suspicious login followed by Resource Reuse: When virtual resources (e.g., memory, storage) are
users/groups (by their SIDs) have which permissions malware execution. Possible breach. reallocated but may still contain residual data if not properly cleared.

Shared Responsibility: Cloud provider secures the infrastructure; customer API Security CASB = Security guard for cloud
secures data & apps API (Application Programming Interface) : Interface that allows systems to communicate securely apps (placed between cloud service
Authentication : Use API keys, OAuth, or JWT tokens to verify identity users and cloud providers )
Multi-tenancy : Isolation needed between different customer data in shared Authorization : Ensure access control via RBAC / ABAC or scopes Controls access, ensures
cloud environments Rate Limiting : Protects APIs from DoS attacks and abuse compliance, and protects data in
Input Validation : Prevents injection attacks (e.g., SQLi, XSS) through user input cloud environments
Container Security : Protect each service container (e.g., Docker) with image HTTPS Only : Enforce encrypted communication between clients and APIs
scanning and runtime protection
Secure Web Gateway (SWG) : A cloud-based or on-prem security NVD (National Vulnerability Database) Threat Map
solution that monitors and filters outbound web traffic to prevent - U.S. government repository of known software - Definition: A visual, real-time display showing global or regional cyber attack activity.
unauthorized access, malware, and data leaks. vulnerabilities. - Use: Gives security teams situational awareness of current threats.
Including URL Filtering, SSL filtering, Malware Scanning, DLP etc .. - Provides CVEs (Common Vulnerabilities and Exposures), - Example: FireEye or Fortinet live threat maps
severity scores, and fix info.
IaC : is the practice of managing and provisioning infrastructure - Helps in patch management and risk assessments Predictive Analysis
(servers, networks, etc.) using code instead of manual setup - Definition: Uses machine learning and data trends to forecast potential threats.
STIX (Structured Threat Information Expression) - Use: Helps proactively defend against likely attacks (e.g., based on past patterns).
Edge Computing : Processes data close to the source/device (e.g., - What: A standard format for sharing threat intelligence - Example: Predicting phishing spikes during tax season
IoT sensors), reducing latency and bandwidth use (e.g., IOCs, TTPs).
Fog Computing : Extends cloud closer to the edge by using - Use: Enables automation and interoperability between Secure Web Gateway (SWG) : A cloud-based or on-prem security solution that monitors and
intermediate devices (e.g., routers, gateways) to process data before threat tools. filters outbound web traffic to prevent unauthorized access, malware, and data leaks.
reaching the cloud. - Example: Describes a phishing campaign with attacker Including URL Filtering, SSL filtering, Malware Scanning, DLP etc ..
details
UEM : a centralized solution that manages and secures all Edge Computing : Processes data close to the source/device (e.g., IoT sensors), reducing latency
endpoints (laptops, smartphones, tablets, desktops, IoT devices) TAXII (Trusted Automated eXchange of Indicator and bandwidth use
from a single platform. Information) Fog Computing : Extends cloud closer to the edge by using intermediate devices (e.g., routers,
- What: A protocol for sharing cyber threat data (often in gateways) to process data before reaching the cloud.
Context-aware authentication : enhances login security by STIX format).
evaluating additional factors such as location, device, time, - Use: Automates secure, real-time threat data exchange Context-aware authentication : enhances login security by evaluating additional factors such as
behavior, or network before granting access. between systems location, device, time, behavior, or network before granting access.

Shadow IT : refers to unauthorized systems or applications used AIS (Automated Indicator Sharing) Shadow IT : refers to unauthorized systems or applications used within an organization without
within an organization without authorization or approval. - What: DHS/CISA program that shares threat indicators in authorization or approval.
Regular Audits is essential to detect shadow IT real time with partners. Regular Audits is essential to detect shadow IT
- Use: Helps organizations defend against known threats
Bloatware = Unwanted pre-installed apps that waste resources and faster Bloatware = Unwanted pre-installed apps that waste resources and pose security risks.
pose security risks.
Dark Web IaC : is the practice of managing and provisioning infrastructure (servers, networks, etc.) using
BEC – Business Email Compromise - What: Part of the internet not indexed by search engines code instead of manual setup
A type of cyberattack where attackers impersonate a trusted and accessed via tools like Tor.
executive, vendor, or employee via email to trick victims into sending Log Normalization
- Risks: Often used for illegal activity, such as selling
money or sensitive data. •What It Means: Converting logs from various devices and formats into a standard, unified
credentials, malware, or exploits.
structure that the SIEM can process and analyze.
- Security Role: Monitoring it can reveal compromised
•Why It’s Important: Different devices (e.g., firewalls, routers, and applications) generate logs in
Bluetooth Security data or threats
unique formats. Normalization ensures that all logs are standardized for easier analysis.
- Use strong pairing methods (e.g., PIN, encryption).
Example:
- Disable Bluetooth when not in use. Indicators of Compromise (IoCs)
•Before Normalization:
- Set devices to non-discoverable mode. - Definition: Artifacts or clues that indicate a system may
Firewall Log: src_ip=192.168.1.10, dst_ip=10.0.0.5, action-allow
- Keep firmware updated be compromised.
Server Log: source=192.168.1.10 accessed 10.0.0.5 success
- Examples: Malicious IPs, file hashes, suspicious registry
Jamming Attack changes, unusual traffic.
After Normalization:
A Denial-of-Service (DoS) attack where a malicious actor floods a - Use: Helps in detecting and responding to cyberattacks.
Normalized Log: Source IP: 192.168.1.10, Destination IP: 10.0.0.5, Event: Access Allowed
wireless frequency (like Bluetooth or Wi-Fi) with noise or signals
BEC – Business Email Compromise
UEM : a centralized solution that manages and secures all Outcome: All logs now follow the same structure, making it easier to analyze across devices
A type of cyberattack where attackers impersonate a
endpoints (laptops, smartphones, tablets, desktops, IoT devices) trusted executive, vendor, or employee via email to trick
from a single platform. victims into sending money or sensitive data.
Log Aggregation SPAM NetFlow: A protocol that captures metadata about traffic (e.g., IPs, ports, protocol, bytes)
•What It Means: Collecting and combining logs from multiple •Definition: Unsolicited, bulk email messages. to help monitor and analyze network activity for anomalies or trends.
sources into a central repository for analysis and storage. •Channel: Email •NetFlow Collector: A tool or server that receives and stores NetFlow data from network
•Why It’s Important: Simplifies monitoring by providing a single •Purpose: Advertising, phishing, spreading malware devices to enable analysis and reporting (e.g., bandwidth usage, suspicious behavior).
view of events across the network. •Example: Fake prize emails or product ads in your inbox.
Example: Reference Architecture (RA): A pre-defined, standardized blueprint that guides secure
•Scenario: Logs are generated by: SPIM (Spam over Instant Messaging) system design by outlining components, configurations, and best practices—used to ensure
• A firewall tracking incoming connections. •Definition: Unsolicited messages sent via messaging apps. consistency, security, and compliance
• A server recording login attempts. •Channel: IM platforms like Skype, WhatsApp, or Slack
• An antivirus system detecting malware. •Purpose: Malicious links, scams, social engineering Acceptable Use Policy (AUP): defines the approved and prohibited ways users can access
•Aggregation: •Example: Random chat message with a suspicious link and use an organization’s IT resources to ensure security and responsible behavior. Do and
• The SIEM collects logs from all these sources and Don’t
consolidates them into a unified dashboard.
•Outcome: You can see all security events in one place, rather than Nmap: Port scanning, service identification, OS detection Data Classification
logging into multiple devices to view logs. Netcat: Read/write to network connections; backdoors, banner - Organizes data by sensitivity.
grabbing - Common levels: Public, Internal, Confidential, Restricted.
Scanless: Performs port scans using third-party sites to avoid - Helps apply proper security controls.
Log Correlation detection - Supports compliance and risk management.
•What It Means: Analyzing logs to find relationships between events DNSEnum: DNS enumeration; gathers subdomains and IPs.
that may indicate a security incident. Sn1per: Automated recon, vulnerability scanning, and reporting. Incident Response Phases
•Why It’s Important: Detects patterns or threats that may not be Metasploit: Framework for developing and executing exploits 1.Preparation – Policies, tools, training
obvious when looking at individual logs. Burp Suite: Web vulnerability scanning, intercepting HTTP/S 2.Identification (Detection ) – Detect & report incident
Example: traffic 3.Containment – Short-term & long-term isolation
•Scenario: Hydra: Brute-force login cracker (supports many protocols). 4.Eradication – Remove root cause
• A firewall log shows multiple failed login attempts Medusa: Fast brute-forcer similar to Hydra; supports parallel 5.Recovery – Restore & validate systems
from IP 192.168.0.10 attacks 6.Lessons Learned – Review and improve process
• A server log shows a successful login from the same Mimikatz: Extracts credentials from Windows memory (hashes,
IP a few minutes later. plaintext). War Room
• An antivirus log detects malware being executed Wireshark: GUI-based packet capture and analysis. Tshark is CLI - Secure coordination hub for incident response
from that server. version. - incident response team base
•Correlation: Tcpdump: CLI-based network packet sniffer and analyzer - Real-time updates & decisions
• The SIEM links these events together: HashCat: GPU-powered hash cracking (passwords, keys).
• Failed logins → Brute force attack. Pwdump: Extracts password hashes from Windows systems First responders : Initial responders, such as a help-desk technician, should know when to
• Successful login → Potential compromise. Curl: Sends HTTP requests, tests APIs, downloads files. inform incident response entities of an incident and who to contact.
• Malware detection → Post-exploitation IP Scanner: Finds live hosts and open ports in a network.
activity. Nessus: Professional vulnerability scanner for full system audits. Threat Hunting
•Outcome: The SIEM raises an alert: “Suspicious login followed by Netstumbler: Wireless network discovery tool (Windows); shows - Proactive detection of threats
malware execution. Possible breach. signal, SSID, encryption. - Goes beyond automated alerts
SQLmap: Automates SQL injection attacks to extract database - Uses intel + analyst expertise
Lateral movement: refers to the way attackers maneuver data.
throughout a network. Mostly uses Windows Management Aircrack: Cracks WEP/WPA/WPA2 Wi-Fi passwords via captured
Instrumentation (WMI) and PowerShell handshakes
Qualys: Cloud-based vulnerability management and compliance
General Data Protection Regulation (GDPR) : European Union (EU) platform.
directive mandates the protection of privacy data for individuals Tcpreplay : a suite of utilities used to edit packet captures and
who live in the EU. then send the edited packets over the network.
Method Action Medium Use Case

File Shredding Deletes & overwrites file data Digital (HDD/SSD) Secure file-level deletion

Wiping Overwrites entire drive Digital (HDD/SSD) Full disk sanitization

Erasing Deletes pointers (not secure) Digital Basic file removal

Overwriting Writes random data multiple times Digital Secure deletion, prevents recovery

Paper Shredding Cuts paper into strips/pieces Physical (Paper) Disposes sensitive documents

Burning Incinerates material Physical (Paper/Media) Total destruction

Pulping Mixes paper into slurry Physical (Paper) Irreversible destruction

Pulverizing Crushes material into powder Physical (Drives, CDs) Final destruction step

Degaussing Removes magnetic fields Magnetic (HDD/Tapes) Destroys data on magnetic media

Third-party Solutions Outsourced destruction Digital/Physical Professional/compliant disposal

SOAR (Security Orchestration, Automation, and Playbook Antivirus (AV) XDR (Extended Detection and Response)
Response) - A standardized set of steps to handle specific incidents - Basic software that detects and removes known - Unified threat detection across multiple
- A platform that helps coordinate, automate, and (e.g., phishing email response). malware. layers: endpoints, network, email, cloud,
streamline security operations. - Guides analysts through the detection and response - Signature-based detection, some heuristic analysis. etc.
- Speeds up incident response by integrating tools process. - Protects individual devices (endpoints). - Aggregates and correlates data across
and automating repetitive tasks. - A phishing playbook includes user alert, header analysis, - No – user or admin manages it. systems for more contextual detections.
- Automatically isolating a compromised endpoint after URL inspection, and blocking sender. - Avast, Norton, Windows Defender. - Endpoints + other layers (network, email,
a malware alert etc.).
EDR (Endpoint Detection and Response) - No – typically managed in-house but can
MDR (Managed Detection and Response) Runbook - Advanced security for endpoints that detects and integrate with MDR.
- A third-party service that monitors, detects, and - A more detailed, technical procedure—often part of a investigates threats. - Example: Palo Alto Cortex XDR, Microsoft
responds to threats on your behalf playbook. - Real-time monitoring, behavioral analysis, forensic Defender XDR.
- Helps organizations that lack in-house security - Contains step-by-step instructions for system tasks tools.
expertise or resources. (manual or automated). - Endpoint only. MDR (Managed Detection and Response)
- E.g - CrowdStrike Falcon Complete providing 24/7 - How to block a domain in a firewall or how to isolate a - No – requires in-house analysts or a security team. - A service (not a tool) provided by a third-
threat hunting and response device via EDR. - CrowdStrike Falcon, SentinelOne. party team to monitor, detect, and respond to
threats. 24/7 monitoring