Ensures data is in usable format; data encryption occurs here.
Layer 5: Session
Maintains connections, controls ports and sessions.
Layer 4: Transport
Transmits data using TCP and UDP.
TCP (Transmission Control Protocol)
UDP (User Datagram Protocol)
TCP and UDP determine packet destination port using headers.
Layer 3: Network
Decides the physical data path.
IP (Internet Protocol)
Does not indicate which port the data packet should go to, as IP headers indicate only the destination IP address, NOT the port number at that IP address.
Used in conjunction with a transport layer protocol
ICMP (Internet Control Message Protocol)
Layer 2: Datalink
Defines the format of data on the network.
Layer 1: Physical
Transmits raw bit stream over the physical medium.
Firewalls
Security systems that block or allow network traffic based on security rules.
Typically sit between trusted and untrusted networks (e.g., the internet).
CIA Triad
Confidentiality
Availability
Integrity
AAA
Authentication: Verifies the identity.
Authorization: Validates access permissions.
Accounting: Tracks user access duration.
Cybersecurity Practice Test: Answers and Descriptions
Weaponization: Using reconnaissance info to develop a weapon against a target.
Delivery: Transmitting the weapon to the target.
Exploitation: Using the delivered weapon to compromise the target.
Reconnaissance: Researching a selected target.
Spyware: Malware to secretly gather data and send it to threat actors.
Rootkit: Malware tools for remote access and control.
Ransomware: Malware to encrypt hard drive content.
Adware: Malware that redirects the browser to predetermined websites.
Cryptojacking: Malware to take over computer resources for mining.
Netstat: Able to examine UDP packets over IPv6 protocols.
Netstat -o: Lists applications on the network and TCP connections.
Netstat -a: Displays active TCP connections, but not the applications on the network, and displays UDP ports that the computer is listening on, but not UDP connections.
Netstat -e: Displays ethernet statistics.
Netstat -r: Displays the routing table.
Netstat -p: Allows you to see only UDP connections.
Netstat -n: Displays active TCP connections.
Netstat -s: Displays active connections for all protocols (not UDP specific).
SANS (SysAdmin, Audit, Network, Security) Institute:
Provides security training, certifications, and free resources.
Vulnerabilities, Threats, and Attacks
Vulnerability: A weakness in a computer device, system, or network.
Threat: A potential attack.
Attack: An actual act to harm a computer device or system.
Exploit: A computer attack via computer code.
Security Measures
Use Windows Update Baseline: Ensure devices receive monthly security updates.
Set up a Windows Server Update Services (WSUS): Roll out updates and set an update source.
Create a Security Policy Template: Rules for protecting resources.
Edit Account Security Policies using the local GPO: Define security configurations.
Unnecessary browser functions are disabled: Minimizes attacks from malicious code.
File encryption is enabled and functioning: Reduces risk of exposed data if stolen.
Devices are remotely managed by the CSIRT Team: Allows access, restoration, and security in case of theft.
Types of Attacks
HTTP Flooding: Application layer DoS attack that overwhelms the server with HTTP requests.
ARP Spoofing: Layer 2 attack; attacker sends frames with the attacker’s MAC address associated to the IP address of the legitimate host and receives packets intended for the legitimate host.
SYN Flooding: Layer 4 attack; overwhelms a server with TCP SYN requests.
IP Spoofing: Layer 3 attack; attacker creates IP packets with a modified source address.
Disaster Recovery and Data Protection
Disaster Recovery Plan: Defines how to react to destructive events.
Information Security Policy: Security policies to be implemented.
Preventive Controls Specification: How disasters can be prevented.
Recovery Point Objectives: Maximum data loss after recovery.
Regulations
GDPR (General Data Protection Regulation): Data protection and privacy for EU citizens.
HIPAA (Health Insurance Portability and Accountability Act): Protects health care privacy.
PCI-DSS (Payment Card Industry Data Security Standards): Reduces fraud and protects credit card information.
FERPA (Family Educational Rights and Privacy Act): Protects student educational records.
FISMA (Federal Information Security Modernization Act): Protects US federal information systems.
PIPEDA (Personal Information Protection Electronic Documents Act): Canadian privacy law for private-sector organizations.
Security Attack Types
Smurf attack: Spoofs ICMP source address and sends a broadcast.
Fingerprinting: Exploits ICMP echo packet vulnerability to get OS details.
Teardrop attack: Exploits overlapping IP fragments, causing the system to crash.
Security Controls
Conduct end-user security training: Prevents users from becoming victims.
Create a Business Continuity Plan: Guides personnel after an incident.
Deploy a syslog server to harden the network perimeter: Doesn’t perform this function.
Configure host-based anti-malware software to submit logs to a central server: Detects potential disasters.
Detection Methods
Heuristics-based detection: Uses rules to specify suspicious behavior.
Integrity Checking: Examines files for changes.
Signature-based detection: Uses a database of malware signatures.
Sandboxing: Separates a program from the operating system.
Threat Intelligence
Indicators of Compromise (IOC)
Reputation information:
Tools, techniques, and procedures (TTP)
APTs (Advanced Persistent Threats)
Unlike other attacks, APTs are initiated to steal data and not damage systems or networks.
APTs use advanced attack methods instead of legacy attack methods.
APTs are prolonged attacks that remain undetected for long periods of time, versus getting in and out of target systems as quickly as possible.
APTs target systems they can infect for long periods of time to collect data, versus targeting IoT devices.
Security Concepts
Attack Surface: Combined sum of all attack vectors.
Vulnerability: A weakness that may be exploited.
Compromise: An attack by an unauthorized agent.
Risk: The possibility and damage of a cyberattack.
Tcpdump Commands
run tcpdump -c: Allows you to specify the number of packets to capture.
run tcpdump -n: Allows you to capture packets (IP addresses) for a particular interface.
run tcpdump -i: Allows you to capture packets (any packets are possible, you just have to specify it at the end of the command) for a particular interface.
run tcpdump -a: It changes the packet display to ASCII format.
DHCP and DNS Spoofing
DHCP Starvation: An attacker attempts to lease all available IP addresses from the DHCP server.
DHCP Spoofing: Attacker responds to client DHCP requests and sends the client incorrect IP address information, such as the wrong default gateway or DNS server.
DNS Spoofing: An attacker alters DNS records to redirect online traffic to a fraudulent website.
IP Spoofing: An attacker creates IP packets with a modified source address to impersonate another computer system.
Security Assessments
Audit Process: Examination of records to ensure compliance.
Information Assurance: Documentation providing confidence in security measures.
Security Assessment: Process to evaluate system security.
System Monitoring: Real-time awareness of network activity.
Security Tools
Nessus: Scans networks for vulnerabilities.
Wireshark: Is a protocol analyzer.
Metasploit: Is a penetration testing tool.
OpenSSL: Is a general-purpose cryptography Linux tool.
Sources Of Risk
External:
Global, political, and societal trends.
Natural disasters, terrorism, malicious activity in cyberspace, pandemics, transnational crime, man-made accidents.
Internal:
Lack of encryption on local database file stores.
Failure to update program documentation.
Obsolete or end-of-support hardware installed.
Security Devices
Honeypot: A safe network site used to lure and study attackers.
DMZ: Allows external users to access servers while protecting the internal network.
Proxy Server: Hides internal addresses; sends traffic using the proxy server address.
IDS: Intrusion Detection System monitors the traffic on a network looking for malicious activity.
Change Management Policy Goals
Ensure modifications to systems do not negatively impact security.
To ensure that documentation is updated when systems are installed or modified: Keeping accurate documentation, such as business continuity or disaster recovery plans, is important for incident response.
Change management policies should require all modifications to undergo an analysis of security implications of the change (vs ensure that configuration changes are made without an analysis of security implications).
A change management policy cannot guarantee the elimination of all threats and risks (vs To ensure that the proposed changes eliminate any future potential threats and security risks).
Network Security Measures
MAC Filtering: Permits or denies traffic based on MAC address.
Firewall: Restricts unauthorized network traffic.
WEP: It encrypts wireless traffic.
SSID Hiding: Any device that knows the SSID can still access the network.
Security Frameworks
MITRE ATT&CK: A knowledge base of real-world exploits.
Cyber Kill Chain: Steps an adversary applies to accomplish their goal.
The Diamond Model of Intrusion Analysis: It models a time-bound security incident or event.
The Forensic Process: It provides guidance in developing digital forensics plans using a four-phase process.
IP Address Security
In IP spoofing attacks, known IP addresses are cloned and used to disrupt the network (vs these types of addresses are easier to use for IP spoofing attacks).
Broadcast and private IP addresses are not routed across the internet. ISPs and businesses block them to avoid duplicate addresses, routing issues, and broadcast storms (vs these types of addresses are commonly routed across the internet by businesses).
Firewalls can block any IP address that is properly defined in the rules or statements (vs Firewalls cannot detect and block private IP addresses).
IPv4 address depletion increases as the number of devices on the network increases (vs Blocking broadcast and reserved IP addresses can stop the depletion of IPv4 addresses).
Malware Types
Worm: Self-propagating code that consumes resources (leads to DoS) - vs A self-propagating malicious code that can propagate to other systems on the network and consume resources that could lead to a denial-of-service attack is called a worm.
Virus: Malicious code that replicates and spreads - vs A computer malware code that replicates itself on the target computer and spreads through the network causing damage and distributing additional harmful payloads is called a virus.
Trojan horse: Appears useful but contains hidden, compromising code - vs A program that appears to be useful or harmless but contains hidden code that can compromise the target system on which it runs is called a trojan horse.
Risk Management Actions
Mitigation: Reducing the likelihood or severity of an exploit.
Remediation: Fully resolving the vulnerability.
Acceptance: Doing nothing to eliminate or lessen the likelihood of the exploit.
Authentication Methods
Something you know: Username, password, security question.
Something you have: Key, smartcard, token.
Something you are: Biometric scan -> Refers to biometric authentication through a biometric scan.
Somewhere you are: Location-based authentication -> Is based on location.
Windows Security Features
Enable Script Block Logging: Can be enabled through the Policy Editor or directly in the registry.
Enable BitLocker Drive Encryption: This is a data protection feature.
Enable Defender Firewall Monitoring: Used to track firewall activity.
Enable Virus and Threat Protection Notifications: Used for antivirus-related notifications.
Security Tools (SOAR, SIEM, PowerShell, SCAP)
SOAR: Automates security incident responses (Security orchestration, automation, and response).
SIEM: Used to aggregate and analyze log data (Security information and event management).
PowerShell: Open-source task automation and configuration management framework.
SCAP: Open standard for vulnerability management and policy compliance (Security content automation protocol).
Windows Tools
BitLocker: Entire hard drive encryption tool.
Firewall: Protects OS from external threats.
Security: Antivirus and malware protection.
Defender Credential Guard: Uses virtualization-based security to isolate secrets.
Network Devices and Protocols
DMZ: Allows users to access an untrusted network without compromising the internal network.
DHCP: Automatically assigns IP address, gateway, and DNS server.
VPN: Provides secure connection between two sites.
VLAN: Provides a mechanism to physically group ports on a switch.
Malware Incident Handling
Quarantining: Involves isolating the malware.
Executing: Would cause the malware to run.
Cleaning: Removing the malware.
Deleting: Deleting the malware would remove it entirely.
DHCP Attacks
DHCP Spoofing: Fake DHCP server issues addresses.
DHCP Starvation: Floods the DHCP server with requests.
DNS Attacks
DNS Amplification: Uses open DNS servers to flood a target.
DNS Hijacking: Changes the A record to point to a predetermined address.
Incident Response Phases
Detection & Analysis: Determining if an incident has occurred by correlating data and events (i.e., logs, alerts, …) from multiple sources.
Preparation: Organizing to respond to incidents (Jump Kit).
Containment, Eradication, and Recovery: Removing the malicious activity.
Post-Incident Activity: Documenting the incident and reviewing effectiveness.
Security Data Standards
CybOX: Standardized schema for cybersecurity functions.
STIX: Specifications for exchanging cyber threat information.
TAXII: Specifications for a protocol designed to support STIX.
FireEye Helix: It is not a standard but rather a security operations platform.
Cisco Talos: It is not a standard but rather a threat intelligence team for protecting enterprise users, data, and infrastructure.
Authentication Servers for 802.1x
RADIUS: Server is the only supported authentication server for 802.1x (Remote Authentication Dial-In User Service).
LDAP: Is a protocol for accessing directory services (Lightweight Directory Access Protocol).
TACACS+: Is a security protocol for accessing networks, but is not supported by 802.1x (Terminal Access Controller Access-Control System +).
SNMP: Is a protocol for collecting information about network devices (Simple Network Management Protocol).
Driver Integrity
The driver is not digitally signed: Windows 10 device installations use digital signatures to verify the integrity of the driver packages and to verify the identity of the vendor who provides the driver packages for security purposes.
A 32-bit digitally-signed driver can be installed in a 64-bit operating system (vs The driver has a 32-bit certificate).
Digital certificates can be issued from vendors that are verified by Microsoft (vs The driver does not have a digital certificate issued by Microsoft).
The digital certificate attached to the driver must be there for Microsoft to verify the identity of the vendor providing it (vs The driver has been issued by third-party vendor).
Windows Commands
Nslookup: Command to view IP address mapped to a domain name.
Netstat: Used to view active TCP sessions and Ethernet statistics.
Ipconfig /all: Used to view the IP configurations on a Windows device.
Tracert: Used to view routed hops between devices.
Encryption Algorithms
Advanced Encryption Standard (AES): The recommended symmetric encryption standard.
Data Encryption Standard (DES): Legacy symmetric encryption algorithm.
3DES: Older symmetric encryption algorithm to avoid.
SPAN: Is a Switch Port Analyzer for port mirroring.
VPN Security
Using a one-time password (OTP), the VPN user is verified through multiple methods.
Vs.
Require a password reset every 30 days: It uses just one method to verify the user’s identity.
Increase the minimum password length: It uses just one method to verify the user’s identity.
Enforce password complexity: It uses just one method to verify the user’s identity.
Evidence Handling
Chain of custody: Collection, handling, and secure storage of evidence.
Best evidence: Evidence in its original state.
Direct evidence: Evidence in the possession of the accused.
Attack attribution: Determining who was responsible for an intrusion.
Security Measures
Implement a patch management system to automatically apply patches and updates: It directly addresses the threat from outdated software.
Email security software addresses spam and phishing threats (vs Install a professional enterprise email security software package to scan incoming email: It doesn’t address the direct threat of outdated software).
Firewalls and access lists can address the threat of malicious websites obtaining information or distributing malware (vs Employ firewalls and access lists to protect against malicious websites and web pages: It does not address the direct threat of outdated software).
Permissions policies address right elevation threats (vs Create a permissions security policy to restrict user access to confidential databases: It does not address the direct threat of outdated software).
Log Types
Data Log: Records data storage, access, or modification.
System Log: Updates by OS components.
File Replication Service Log: Records replication events on a domain controller.
Security Log: Records security events.
Secure Protocols
SSH: Provides an encrypted connection.
HTTPS: Adds encryption to HTTP using SSL.
Telnet: Is an older protocol that does not use encryption to send or receive data. Telnet is insecure because it sends messages in plain text.
FTP: Does not use encryption to upload or download data.
Threat Information Resources
Common Vulnerability and Exposures (CVE): The MITRE Corporation maintains a catalog of known security threats called CVE. The CVE serves as a dictionary of common names (i.e., CVE Identifiers) for publicly known cybersecurity vulnerabilities. The MITRE Corporation CVE Identifiers make it easier to share data.
Structured Threat Information Expression (STIX): Is a set of specifications for exchanging cyber threat information between organizations.
Automated Indicator Sharing (AIS): Is provided for free by the U.S. Department of Homeland Security. AIS enables the real-time exchange of cyber threat indicators (e.g., malicious IP addresses, the sender address of a phishing email, etc.) between the U.S. Federal Government and the private sector.
Common Vulnerability Scoring System (CVSS): CVSS is maintained by FIRST. It is a risk assessment tool that assigns a score to the risk inherent in a vulnerability. The numeric score can be used to determine the urgency of the vulnerability and the priority of addressing it.
Virtualization
A computer can run multiple Virtual Machines that run their own operating system and applications.
A Container is a virtualized application that consists of its dependencies.
A Hypervisor is software that enables multiple operating systems to run on the same physical machine.
Security Policies
Identification and Authentication Policy: Specifies authorized access and verification procedures.
Acceptable Use Policy: Defines rules for computing resources.
Network Access Policy: Identifies acceptable network resources and usage.
Remote Access Policy: Defines access conditions across the WAN.
Password Policy: Defines password length and character types.
Encryption Algorithms
Asymmetric: Use a public key and a private key which are dynamically exchanged between source and destination.
Symmetric: Use the same pre-shared key to encrypt and decrypt data. A pre-shared key, also called a secret key, is known by the sender and receiver before any encrypted communications can take place.
Hashing Algorithms
SHA-2: This is a hashing algorithm used.
MD5: Is a legacy hashing algorithm.
Security Environments
Virtual Machine: Used as a sandbox to provide an isolated environment where testing can occur and changes can be safely configured.
Honeypot: Runs in an isolated environment, it is intended as a lure for hackers to attempt to penetrate a system.
Demilitarized Zone: DMZ is a segment of a company’s network that provides limited public access and is used for servers that provide services used by the public, such as email or web server.
Quarantined Network: Provides an isolated environment for computers that are not in compliance with security standards. They are placed here after a user logs in and security standards aren't met.
Signature-based detection has a database of malware signatures and utilizes this to search for a bit pattern or hash.
DMZ: Allows users to access a trusted network without compromising the internal network
WLAN: Is a wireless computer network that links multiple wireless devices to form a LAN within a limited area
VM: Virtual Machine is software that can run operating systems, services, and deploy apps. One or more VMs can run on one physical host machine
VPN: Virtual Private Network provides secure connectivity by creating a virtual “tunnel” between two remote locations.
Quarantine: The infected file is isolated
Windows Update: This will not remove malware
Sandboxing: This lets the program run in a separate space
Windows Recovery: This will not remove malware.
Brute Force Attack Prevention
Limit the number of login retries: Will lock the account after a preset number of failed login attempts is reached. The attacker will have to wait until the account is unlocked.
Not Vs.
Increase the minimum password length: It doesn’t break a consecutive brute force attack
Reduce the password reset period: It doesn’t break a consecutive brute force attack
Enforce password complexity: It doesn’t break a consecutive brute force attack
Network Security Devices
The Proxy Server: Is placed between the internal network and the internet. The proxy server sends traffic received from the internal users to the internet using the proxy server address, thereby hiding the internal address
An intrusion detection system: An IDS monitors traffic to detect malicious activity - IDS = Intrusion Detection System
A virtual private network: A VPN creates a secure tunnel between two sites such as the home of a remote worker and the corporate office
A RADIUS server: RADIUS server contains the database for authentication in AAA - AAA = Authentication, Authorization, Accounting
Backup Solutions
Full: Are the most reliable method of copying data.
Incremental: Store all changes that were made since the previous backup.
Differential: Only store changes made to files since the last backup.
Mirror: An exact copy is made of the source data.
Windows Tools For Driver Information
Msinfo32: Allows the display of all registered drivers in the system, the type of each driver, its current status (loaded/not loaded), and start mode (System/Manual).
Sigverif: Is a tool in Windows for file signature verification.
Driverquery: Can be used to obtain detailed information about all drivers including their digital signature status.
SFC (System File Checker): Is used to check the integrity of the Windows system files from corruption and not for driver digital signature verification.
Task Manager: Is used to monitor the applications, processes, and services running on your computer and not for driver digital signature verification.
Reasoning To Implement Security Techniques
Implement security techniques because each IP address that is routed on the internet or within a network must be uniquely assigned. A hacker can use the IP addresses along with other details to identify a physical, geographical area. (vs An IP address uniquely identifies a device on the network or the internet)
Not A valid reason to implement security techniques because IP addresses are needed to send data between devices on any network (vs IP addresses are only used internally and must not be exposed outside of your network).
Not a valid reason to implement security techniques because IPv4 is still in use (vs IPv4 addresses are outdated and no longer supported).
Implement security techniques because IPv6 has some of the same vulnerabilities to attack as IPv4 (vs IPv6 addresses are longer but still susceptible to attack).
Implement security techniques because IP addresses are unique. Applications, web servers, and ISPs log IP addresses to allow access to services and track online behavior (vs An IP address can be used to track online behavior).
Types Of Security Controls
Corrective Control: A failed disk is replaced and the backup is restored.
Preventive Control: New biometric door locks are installed.
Detective Control: Surveillance cameras are installed around the building perimeter.
Patch Testing Strategy
Virtualization: Is a valuable part of a patch testing strategy. You can replicate various production environments on one computer and verify that applying patches will not result in unexpected or undesirable system behavior that would affect production computers within the company.
Application Control: It is a security practice that blocks or restricts unauthorized applications from executing in ways that put data at risk on production systems. However, it does not allow for testing the software patches in a sterile environment.
Backup: It is used for restoration purposes in the event of catastrophic failure and not for software patching.
Cloud Computing: It is used for the delivery of computing services over the internet (“the cloud”) to offer faster innovation, flexible resources, and economies of scale and not for software patch testing.
Fileless Malware Attack Benefits
They are seen as trusted and legitimate processes by most applications: PowerShell is trusted and has full access to many Windows system functions.
They are easily detected by anti-malware running on the computer: Fileless malware has no executable files for anti-malware to detect.
PowerShell can execute fileless malware payloads from memory rather than from the hard drive (vs They are executed from the hard drive of the host computer).
These attacks use legitimate tools already installed on the computer (vs They require the attacker to create and install custom tools to launch the attack).
Threat Intelligence Subscriptions
Threat intelligence services use the data of their subscribers to stay current with the threat landscape. Many organizations contribute to threat intelligence by sharing their intrusion data over the internet, typically through automation with subscriber services. Not sharing data reduces the ability to stay current with the constantly emerging threat landscape.
Business Continuity Plan: It is a broad plan about what a business should do to continue operations if it has lost business-critical functionality.
Incident Response Plan: It is concerned with how employees respond to individual incidents, not a broad plan for business continuity.
Infrastructure Purchasing Plan: It is concerned with acquisition of infrastructure equipment.
Cybersecurity Plan: It is about an organization’s security policies, processes, and defensive measures.
Attacks
Man-in-the-Middle: This attack can intercept and alter data.
Dictionary: This attack is cracking passwords.
Phishing: This attack uses email to compromise victims.
SQL injections: This attack interferes with queries of a web application.
Linux Commands
chmod og-wx filename: This command removes the write and execute permissions from all users except the file owner.
chmod a-wx filename: This command would change the permissions for all users to read.
chmod og=wx filename: This command would change the permissions for all users except the file owner to write and execute.
chmod a=r filename: This command would change the permissions for all users to read.
Cyber Security Tools
SIEM: Software tools used for collecting security data, detecting threats, and investigating/analyzing threats.
SOAR: Software tools that are used for collecting data and analyzing threats and then using workflows to automate incident investigations to handle the threat.
Packet Capture: Monitoring tools that intercept and store network data.
SNMP: A protocol that enables network administrators to monitor and manage network performance.
Windows Commands
Run the nslookup set srchlist command: It allows modifications to the search list.
Run the nslookup set querytype command: It changes a query’s resource record type.
Run the nslookup set search command: It adds the DNS domain name in the DNS domain search list to the request until a response is received.
Run the nslookup set type command: It changes a query’s resource record type.
Patch Security Flaws
Virtualized sandbox: It provides a safe, isolated environment to test out the effects and security of the patch.
Any security flaws in the patch could compromise the corporate network. It would also be difficult to replicate different environments to test the patch: Non-production system.
Baseline Image: This is the starting point of a singular environment and is open to security flaws that may compromise the network.
What An IDS Does
An IDS is a monitoring device only. The device reads traffic via sensors and compares the traffic signatures to a database to determine if it is suspected to be malicious. An IDS doesn’t take any action on its own.
An IPS also reads traffic and compares the traffic to a database. An IPS has the ability to accept or reject a packet based on a set of rules.
System Audit Events
Object Access: Determines attempts to access files and other objects.
Process Tracking: Determines events such as program activations and process exits.
Directory Services: Determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.
Audit Logon: Determines whether the operating system generates audit events when a user attempts to log on to the computer.
System File Access
By default the user, group, and others have read(r) and write(w) permission on a file: rw-rw-rw.
By default the user, group, and others have read(r) and write(w), but in this example it shows read(r) write(w) and execute(x): rwx-rwx-rwx.
By default the user, group, and others have read(r) and write(w), but in this example it shows read(r) write(w) for the user, read(r) write(w) and execute(x) for the group, and nothing(-): rw-rwx-.
By default the user, group, and others have read(r) and write(w), but in this example it shows read(r) write(w) and execute(x