CYB2001 Final Exam
Module 1: Introduction and Core Concepts
Cybersecurity Goals: Identify, Protect, Detect, Respond, Recover, Govern.
Types of Data:
CUI: Controlled Unclassified Information.
FCI: Federal Contract Information.
PII: Personally Identifiable Information.
PCI CHD: Payment Card Industry Cardholder Data.
PHI (ePHI): Protected Health Information and Electronic Protected Health Information (HIPAA-related data).
IP: Intellectual Property.
ITAR: International Traffic in Arms Regulation.
The CIA Triad:
Confidentiality: Ensures that unauthorized individuals cannot gain access to sensitive information.
Integrity: Ensures there are no unauthorized or illegitimate modifications to data.
Availability: Ensures information and systems are ready to meet the needs of legitimate users.
Assets, Threats, Vulnerabilities, Risks:
Asset: Something we protect.
Threat: Some outside force that could do us harm.
Vulnerability: Some negative quality of our asset.
Risk: The unwanted outcome that could occur by a threat and a vulnerability coming together on our asset.
Types of Security Infrastructure/Hardware
Firewalls: Protect “good internal systems from the bad internet”. Examples: Fortinet FortiGate, Cisco Meraki/Firepower, Palo Alto, SonicWall.
High Availability Firewalls (HAFs): Apply two firewalls in a system; in case one fails, the second firewall stands in its place.
Web Application Firewalls (WAFs): Protect our web apps from the “bad” public internet. Example: Cloudflare.
Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS): Detect and prevent break-ins. Often performed by hardware firewall solutions, Snort software, or Suricata software. Often uses honeypots, which are systems that have no actual purpose other than to raise an alarm if someone interacts with them.
Data Backups: A system that replicates our data, either physically onsite, remotely at a service provider, or both. Examples: RAID technology, Datto appliances.
Power Backups: Power generators, Uninterruptible Power Supplies, battery backups. Examples: Generac generators, APC UPSs.
Internet Connectivity Backups: Cellular or Satellite Internet as backups, or a second Landline internet connection from a different provider.
Physical Security: Alarm Systems, Door Control, Cameras, Guards.
Types of Security Software
Anti-virus/anti-malware:
“Traditional AV”: Signature-based (e.g., Norton, McAfee).
“Next-generation AV”: Endpoint Detection and Response (EDR) – signature and behavior-based, machine learning capabilities (e.g., CrowdStrike, SentinelOne, Microsoft Defender).
SOC – Security Operations Center: 24/7 cybersecurity monitoring by a security team. Examples: Arctic Wolf, Blackpoint, Huntress.
SIEM – Security Information and Event Management: Logging and data correlation. Examples: Elastic, Microsoft Sentinel, Splunk, Zeek.
SOAR – Security Orchestration and Response: Automation tooling.
DLP – Data loss prevention: Ensures our data stays with us.
FIM – File integrity monitoring: Detects file changes.
Email Security Gateways: Protect email systems from users clicking bad URLs, attachments, and phishing. Examples: Mimecast, Proofpoint. Often include built-in sandboxes for safely detonating suspected malware.
Vulnerability scanners: Perform vulnerability scanning/automated security checks. Examples: Nessus, OWASP ZAP, Nmap.
Phishing awareness: Send internal phishing emails to staff. Example: KnowBe4.
Secrets manager: Password safe/key management tools. Example: Keeper.
GRC tools: Tools for managing risk and compliance to-do’s, status, audit evidence, etc. Example: Drata.
Symmetric Encryption: Uses the same key to decrypt and encrypt. Example: AES – Advanced Encryption Standard.
Asymmetric Encryption: Uses different keys to decrypt and encrypt. Examples: RSA and SHA.
Module 2: Vulnerability & Threat Management
Threat Actors:
Script Kiddies: Generally unskilled, novice.
Skilled Hackers.
Hacktivists: Hack for a “cause” they care about.
Criminal Enterprises.
Nation States: Known as Advanced Persistent Threats (APTs).
Competitors/Corporate Espionage.
Insider Threats: Accidental human error, Negligence/knew better, Purposeful/deliberate.
Top Threat Actions:
Ransomware: Stealing and ransoming data by encrypting files with malware and extorting the victim.
Business Email Compromise – BEC: Hijacking emails/email accounts.
Denial of Service – DoS/DDoS: Impacting service availability.
Supply Chain Attacks: Impacting your security by hacking the vendors and third-party services/products you use.
Vulnerability Management Programs: Consist of:
Code Review.
Vulnerability Scanning:
Tools to see open ports, services running, patch levels.
SAST – static testing during code writing.
DAST – dynamic testing in production.
Penetration Testing: Human-led testing to “break the door down”, often outsourced. Simulates an attacker.
Threat Modeling: Types: DREAD, STRIDE, PASTA.
Defense in Depth/Layered Security
Network Segmentation: Using subnets/VLANs (virtual LANs) to split up the environment so the network isn’t “flat”.
Module 3: Governance, Risk, Compliance
What is GRC?:
Governing IT and IT security: The people, policies, processes, and procedures.
Risk management: Determining how threats and vulnerabilities could impact your organization.
Compliance: Following industry standards, laws, and regulations.
How Risk is Calculated:
Likelihood of risk occurrence.
Impact of the risk if it occurs.
Threat + Vulnerability = Risk.
Risk doesn’t exist without the presence of both.
ARO – Annual Rate of Occurrence – how many times in a year the loss is expected to occur.
SLE – Single Loss Expectancy – how much it costs to replace something one time.
ALE – Annual Loss Expectancy – how much the loss is expected to cost in a given year.
Example:
$10,000 server that will fail once in 10 years.
Risk Management Strategies:
Risk acceptance: Making no changes.
Risk mitigation: Implementing additional security features.
Risk avoidance: Deciding not to do something any longer.
Risk transference: Shifting the risk (e.g., insurance, outsourcing).
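The ARO/SLE/ALE definitions above and the risk mitigation strategy are easier to reason about with the arithmetic written out. The following Python is an added example, not part of the course notes: it applies the standard quantitative formulas (SLE = asset value × exposure factor, ALE = SLE × ARO) to the course's $10,000 server, and then compares the ALE before and after a hypothetical mitigation against that control's annual cost, a common way to decide whether mitigation beats acceptance or transference. The high-availability figures (20% residual loss, $600/year) are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """One asset/threat pair expressed in quantitative risk terms."""
    asset_value: float        # replacement cost of the asset, in dollars
    exposure_factor: float    # fraction of the asset lost per event (1.0 = total loss)
    events_per_year: float    # ARO: expected occurrences of the loss per year

    def sle(self) -> float:
        # Single Loss Expectancy: cost of one occurrence of the loss
        return self.asset_value * self.exposure_factor

    def aro(self) -> float:
        # Annual Rate of Occurrence, kept as a method so all three terms read alike
        return self.events_per_year

    def ale(self) -> float:
        # Annual Loss Expectancy: expected cost per year = SLE x ARO
        return self.sle() * self.aro()


def aro_from_interval(years_between_events: float) -> float:
    """Convert 'fails once every N years' into an ARO of 1/N."""
    if years_between_events <= 0:
        raise ValueError("interval between events must be positive")
    return 1.0 / years_between_events


def safeguard_value(before: LossScenario, after: LossScenario,
                    annual_control_cost: float) -> float:
    """Net annual value of a mitigation: ALE reduction minus the control's yearly cost.

    A positive result means the control pays for itself; a negative result is a
    signal to consider risk acceptance or transference (e.g., insurance) instead.
    """
    return before.ale() - after.ale() - annual_control_cost


# The course's example: a $10,000 server that fails once in 10 years (total loss per failure).
SERVER = LossScenario(asset_value=10_000, exposure_factor=1.0,
                      events_per_year=aro_from_interval(10))

# Hypothetical mitigation (constructed numbers, not from the course): a standby server in a
# high-availability pair absorbs most of the outage, so only 20% of the value is lost per
# failure, in exchange for $600/year of additional hosting cost.
SERVER_WITH_HA = LossScenario(asset_value=10_000, exposure_factor=0.2,
                              events_per_year=aro_from_interval(10))
HA_ANNUAL_COST = 600.0


if __name__ == "__main__":
    print(f"SLE = ${SERVER.sle():,.2f}")   # $10,000.00
    print(f"ARO = {SERVER.aro():.2f}")      # 0.10
    print(f"ALE = ${SERVER.ale():,.2f}")   # $1,000.00
    net = safeguard_value(SERVER, SERVER_WITH_HA, HA_ANNUAL_COST)
    print(f"Net annual value of the HA control = ${net:,.2f}")  # $200.00
```

With these constructed numbers the control reduces ALE from $1,000 to $200 and costs $600, so it nets $200 a year and mitigation is justified; raise the control cost above $800 and the same calculation points toward acceptance or transference instead.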
Information Security Policies:
Information Security Policy: Broadly defines the why and what of an organization’s cyber objectives (e.g., “don’t do this thing because it’s bad”).
Standards: Quantifiable measures that define the what and how (e.g., “check the firewall rules once per month”).
Procedures: Specific steps (e.g., “during a security incident, do this checklist”).
Guidelines: Recommendations and best practices (e.g., “keep these items in mind when doing this activity”).
Security Frameworks:
NIST CSF: General cybersecurity framework.
NIST RMF: General risk management framework.
NIST PF: General data privacy framework.
NIST SP 800-53: Complex security framework mostly intended for US government agencies themselves.
NIST SP 800-171: Moderate security framework mostly intended for organizations that work with the government (such as defense contractors).
CIS CSC: Computer Internet Security Critical Security Controls. A general security framework written by CIS, a non-profit cybersecurity organization.
CIS Implementation Group 1 – basic security
CIS Implementation Group 2 – moderate security
CIS Implementation Group 3 – complex security
ISO 27001/27002: General security framework, alternative to NIST, for global organizations.
HIPAA/HITECH/HITRUST: Compliance standards, frameworks and law for Healthcare Security.
CMMC: Cybersecurity Maturity Model Certification, built heavily from NIST SP 800-171. The government’s requirements for their defense contractors.
CMMC Protects:
Federal Contract Information (FCI)
Controlled Unclassified Information (CUI)
International Traffic in Arms Regulation (ITAR)
FedRAMP: Secure development framework for protecting software sold to the government.
FFIEC/GLBA: Federal Financial Institutions Examination Council / Gramm-Leach-Bliley Act. Compliance standards and law for banking/finance security.
SOX: Sarbanes Oxley. Law for publicly traded companies.
PCI DSS/PCI SSF: Payment Card Industry Data Security Standard, the compliance standard for credit/debit card payment security; Payment Card Industry Software Security Framework, the compliance standard for security in payment software.
COBIT: General IT management framework developed by auditors.
ITIL: General IT management framework.
SOC: Service Organization Controls. A compliance standard for showing your clients that you are handling security well.
SOC 2 Type 1 – Point in Time “we are compliant as of this date”
SOC 2 Type 2 – Period of Time “we have been compliant for the past year, or six months”
NERC CIP: Cybersecurity in electric generation utilities.
Module 4: Digital Forensics and Incident Response
Digital Forensics Steps:
Identification: Determining a security event has occurred.
Preservation: Ensuring evidence is not destroyed.
Collection: Acquiring the evidence.
Examination & Analysis: Reviewing the evidence.
Attribution: Determining who did it.
Presentation: The final investigation report.
NIST 800-61 is the NIST standard for how to handle security incidents.
IRP – Incident Response Plan “our network has been ransomwared.”
DRP – Disaster Recovery Plan “our building caught fire overnight, or flooded.”
The Order of Volatility: CPU cache, RAM, disk storage, archive media (USB drive or data backup tool), printed paper.
Module 5: Emerging Topics
AI Security:
Attack Types: Evasion, Poisoning, Extraction, Inference, Prompt Injection.
AI helps with better, faster, and smarter security tools.
Bad guys are using AI/LLM tools against us, for example to produce better-crafted phishing messages and campaigns.
Zero Trust:
Utilizes real-time, continuous authentication practices, assumes “the network is always hostile”.
NIST SP 800-207 is a significant reference on Zero Trust considerations.
Operational Technology Security:
The SRP Triad – Safety, Reliability, Performance.
Many of the same considerations as traditional IT security, plus:
“Segmentation” of OT from the IT environment.
Demilitarized Zone – a safe buffer between OT and the Internet.
Separate Active Directories/User Domains with no trust relationship between them.
Separate accounts/passwords for OT vs IT.
Deep packet inspection/monitoring.
Protecting OT-specific systems, like programmable logic controllers, human machine interfaces, and supervisory control and data acquisition systems.
Monitoring tools such as Snort, Suricata, and Zeek, all of which are bundled in the Security Onion distribution.
Following frameworks like NIST SP 800-82, the NIST Special Publication for OT Security.
Module 6: Law, Ethics and Management
Specific International Laws to Know Of:
GDPR: General Data Protection Regulation, the European Union’s and United Kingdom’s Data Security and Privacy regulation.
PIPEDA: Canada’s data security and privacy law.
PIPL: China’s data security and privacy law.
Specific US Law to Know Of:
CFAA: Computer Fraud and Abuse Act – making it illegal to hack or commit computer crime.
ECPA: Electronic Communications Privacy Act – makes it illegal to hack or wrongly intercept telecommunications – phone calls, data, emails, etc. Permits wiretapping if approved by law.
FERPA: Family Educational Rights and Privacy Act – Protects student data.
Specific State Laws to Know Of:
CCPA/CPRA: California’s Data Privacy Laws. The most substantial state privacy laws in the US.
Wisconsin Act 73: Wisconsin’s law for protecting data in the insurance industry.
Wisconsin Statute 134.97: Wisconsin’s secure data disposal law.
Wisconsin Statute 134.98: Wisconsin’s privacy/breach notification law.
Types of State Cybersecurity Law:
Data Security
Data Privacy
Breach Notification
Data Disposal
Types of Federal Law:
Civil (Tort) Law – fines/loss of money
Criminal Law – jail/prison/loss of freedom
Administrative Law