Given a scenario, analyze indicators of compromise and determine the type of malware.

• Viruses
Malicious code that attaches itself to a host application and runs when the host is executed, enabling the virus to take action.
• Crypto-malware
Type of ransomware that encrypts a user’s data in an attempt to extort money.
• Ransomware
Ransomware is a type of malware that takes control of a user’s system or data. Ransomware that encrypts the user’s data is sometimes called crypto-malware.
• Bots
A software robot.
• RAT
A Remote Access Trojan is a type of malware that allows attackers to take control of systems from remote locations.
• Logic bomb
A logic bomb executes in response to an event, such as a day, time or condition. For example, if someone gets fired then the bomb can trigger.
• Backdoor
A backdoor provides someone an alternative way of accessing a system or application.

• Worm
A worm is self-replicating malware that travels throughout a network without user intervention.
• Trojan
A trojan appears to be one thing, such as pirated software or free antivirus software, but is something malicious.
• Rootkit
A type of malware that has system-level access to a computer. Rootkits are often able to hide themselves from users and antivirus software.
• Keylogger
A keylogger captures a user’s keystrokes. They are then stored in a file and are either automatically sent or manually retrieved by the attacker.
• Adware
Software intent on learning user habits for the purpose of targeted advertising. Adware also applies to software that is free but includes advertisements.
• Spyware
Software installed without the user’s knowledge or consent that monitors the user’s activities. It sometimes includes a keylogger that records the user’s activities.

Compare and contrast types of attacks.


Social engineering
The practice of using social tactics to gain information.
Social engineers attempt to gain information from people, or get people to do
things they wouldn’t normally do.
- Phishing
The practice of sending email to users with the purpose of tricking
them into revealing personal information or clicking on a link.

- Spear phishing
A targeted form of phishing. Spear phishing attacks attempt to target a specific group of users, such as those in a business.
- Whaling
A form of spear phishing that attempts to target high-level
executives. When successful, attackers gain confidential company information
that they might not be able to get anywhere else.

- Vishing
Vishing attacks use the phone system to trick users into giving up personal and financial information. They often use Voice over IP (VoIP) technology and try to trick the user in the same way as other phishing attacks. When the attack uses VoIP, it can spoof caller ID, making it appear as though the call came from a real company.

- Tailgating

- Impersonation

- Dumpster diving

- Shoulder surfing
Shoulder surfing is using direct observation techniques, such as looking over someone’s shoulder, to get
information. Shoulder surfing is an effective way to get information in crowded places because it’s relatively easy
to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a
calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or
other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or
your keypad from view by using your body or cupping your hand.
- Hoax

- Watering hole attack

- Principles (reasons for effectiveness)

- Authority

- Intimidation

- Consensus

- Scarcity

- Familiarity

- Trust

- Urgency

Application/service attacks
- DoS

- DDoS

- Man-in-the-middle

- Buffer overflow

- Injection

- Cross-site scripting

- Cross-site request forgery

- Privilege escalation

- ARP poisoning

- Amplification

- DNS poisoning

- Domain hijacking

- Man-in-the-browser

- Zero day
An unknown vulnerability that leaves a system open to attack until it is patched.

- Replay
Attempt to capture packets through impersonation

- Pass the hash

- Hijacking and related attacks


- Clickjacking

- Session hijacking

- URL hijacking

- Typo squatting

- Driver manipulation

- Shimming

- Refactoring

- MAC spoofing

- IP spoofing

Wireless attacks
- Replay
Impersonation attack attempting to capture packets

- IV
- Evil twin

- Rogue AP
- Jamming
- WPS
- Bluejacking
Sending messages to device

- Bluesnarfing
Having control of a mobile device

- RFID
- NFC
- Disassociation
• Cryptographic attacks
- Birthday
- Known plain text/cipher text
- Rainbow tables
Libraries of precomputed hashes used for rainbow attacks

- Dictionary
A dictionary attack uses a dictionary of words and attempts every word in the dictionary to see if it works. A dictionary in this context is simply a list of words and character combinations.
- Brute force
- Online vs. offline
- Collision
- Downgrade
- Replay
- Weak implementations
Explain threat actor types and attributes

• Types of actors
- Script kiddies
- Hacktivist
- Organized crime
- Nation states/APT
- Insiders
- Competitors

• Attributes of actors
- Internal/external
- Level of sophistication
- Resources/funding
- Intent/motivation
• Use of open-source intelligence

Explain penetration testing concepts


• Active reconnaissance
All vulnerability scans use active reconnaissance techniques.

• Passive reconnaissance
Collecting information on a target using open-source intelligence such as Facebook, Google, etc.

• Pivot
• Initial exploitation
• Persistence
• Escalation of privilege
• Black box
• White box
• Gray box
• Penetration testing vs. vulnerability scanning

Explain vulnerability scanning concepts


• Passively test security controls
• Identify vulnerability
• Identify lack of security controls
• Identify common misconfigurations
• Intrusive vs. non-intrusive
• Credentialed vs. non-credentialed
• False positive
Explain the impact associated with types of vulnerabilities.

• Race conditions
• Vulnerabilities due to:
- End-of-life systems
- Embedded systems
- Lack of vendor support
• Improper input handling
• Improper error handling
• Misconfiguration/weak configuration
• Default configuration
• Resource exhaustion
• Untrained users
• Improperly configured accounts
• Vulnerable business processes
• Weak cipher suites and implementations
• Memory/buffer vulnerability
- Memory leak
- Integer overflow
- Buffer overflow
- Pointer dereference
- DLL injection
• System sprawl/undocumented assets
• Architecture/design weaknesses
• New threats/zero day
• Improper certificate and key management

Install and configure network components, both hardware- and software-based, to support organizational security.
• Firewall
- ACL
- Application-based vs. network-based
- Stateful
Filters packets based upon the state of a packet within a session.
- Stateless
Filters traffic using an ACL.
- Implicit deny
- WAF
Web application firewall. Performs input validation and provides protection against XSS attacks. A WAF acts as an additional firewall that monitors, filters and/or blocks HTTP (port 80) traffic. It can be placed in the DMZ and also provides load balancing.
- Host-based firewall
Protects a single host.

• VPN concentrator
- Remote access vs. site-to-site
- IPSec
- Tunnel mode
- Transport mode
- AH
- ESP
- Split tunnel vs. full tunnel
- TLS
- Always-on VPN
• NIPS/NIDS
- Signature-based
- Heuristic/behavioral
- Anomaly
- Inline vs. passive
- In-band vs. out-of-band
- Rules
- Analytics
- False positive: not an actual threat
- False negative: an undetected threat
• Router
- ACLs
- Antispoofing
• Switch
- Port security
- Layer 2 vs. Layer 3
- Loop prevention
- Flood guard
• Proxy
- Forward and reverse proxy
- Transparent
- Application/multipurpose
• Load balancer
- Scheduling
- Affinity
- Round-robin
- Active-passive
- Active-active
- Virtual IPs
• Access point
- SSID
- MAC filtering
- Signal strength
- Band selection/width
- Antenna types and placement
- Fat vs. thin
- Controller-based vs. standalone
• SIEM
A security information and event management system provides a centralized solution for collecting, analyzing, and managing data from multiple sources, and can aggregate and correlate logs.
- Aggregation
- Correlation
- Automated alerting and triggers
- Time synchronization
- Event deduplication
- Logs/WORM
• DLP
- USB blocking
- Cloud-based
- Email
• NAC
NAC (network access control) inspects clients for health, including up-to-date virus definition files; otherwise the device gets redirected to a remediation network.
- Dissolvable (agentless) vs. permanent
Goes away after use vs. remains on the station.
- Host health checks
- Agent vs. agentless
Permanent or dissolvable.

• Mail gateway
- Spam filter
- DLP
- Encryption
• Bridge
• SSL/TLS accelerators
• SSL decryptors
• Media gateway
• Hardware security module
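As an added example (not part of the original notes), a small Python pipeline that does what the SIEM bullets above describe: it aggregates logs from two constructed sources, normalizes their timestamps to UTC (time synchronization), deduplicates repeated events, and correlates failed logons per user into an automated alert that neither source would trigger on its own. The log lines, hostnames, time offset and threshold are all constructed.

```python
"""SIEM-style aggregation and correlation over two constructed log sources.

Added example, not from the original notes. Shows the SIEM functions listed
above: aggregation, time synchronization (normalizing to UTC), event
deduplication, and correlation that triggers an automated alert.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample logs. The VPN appliance logs in UTC; the domain
# controller logs local time (UTC-5) in a different format, so the SIEM
# must normalize both before the events can be correlated.
VPN_LOG = """\
2024-03-01T14:00:05Z vpn1 auth-fail user=jdoe src=198.51.100.7
2024-03-01T14:00:05Z vpn1 auth-fail user=jdoe src=198.51.100.7
2024-03-01T14:00:21Z vpn1 auth-fail user=jdoe src=198.51.100.7
2024-03-01T14:02:10Z vpn1 auth-ok   user=asmith src=192.0.2.44
"""
DC_LOG = """\
03/01/2024 09:00:40 DC01 EventID=4625 Account=jdoe Workstation=WS-17
03/01/2024 09:00:52 DC01 EventID=4625 Account=jdoe Workstation=WS-17
03/01/2024 09:01:03 DC01 EventID=4624 Account=asmith Workstation=WS-09
"""
DC_TZ = timezone(timedelta(hours=-5))  # constructed local offset for DC01

VPN_RE = re.compile(r"^(\S+) (\S+) (auth-fail|auth-ok)\s+user=(\S+)")
DC_RE = re.compile(r"^(\S+ \S+) (\S+) EventID=(\d+) Account=(\S+)")


def parse_vpn(text):
    """Normalize VPN lines to (utc_time, source, user, outcome)."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m:
            ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append((ts, m[2], m[4], "fail" if m[3] == "auth-fail" else "ok"))
    return events


def parse_dc(text):
    """Normalize DC lines; Windows event 4625 is a failed logon, 4624 a success."""
    events = []
    for line in text.splitlines():
        m = DC_RE.match(line)
        if m:
            local = datetime.strptime(m[1], "%m/%d/%Y %H:%M:%S").replace(tzinfo=DC_TZ)
            outcome = "fail" if m[3] == "4625" else "ok"
            events.append((local.astimezone(timezone.utc), m[2], m[4], outcome))
    return events


def aggregate(*sources):
    """Merge all sources, drop exact duplicate events, order by time."""
    return sorted({ev for src in sources for ev in src})


def correlate(events, threshold=4, window=timedelta(minutes=2)):
    """Alert when one user accumulates `threshold` failed logons, from any
    mix of sources, inside `window`. Returns (user, sources, first, last)."""
    fails = defaultdict(list)
    for ts, source, user, outcome in events:
        if outcome == "fail":
            fails[user].append((ts, source))
    alerts = []
    for user, items in fails.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            burst = [it for it in items[i:] if it[0] - start <= window]
            if len(burst) >= threshold:
                alerts.append((user, sorted({s for _, s in burst}),
                               burst[0][0], burst[-1][0]))
                break
    return alerts


def run():
    """Aggregate both sources and return (normalized events, alerts)."""
    events = aggregate(parse_vpn(VPN_LOG), parse_dc(DC_LOG))
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = run()
    for ev in events:
        print(ev[0].isoformat(), *ev[1:])
    for user, sources, first, last in alerts:
        print(f"ALERT: {user} had >=4 failed logons across {sources} "
              f"between {first.time()} and {last.time()} UTC")
```

Run on the VPN log alone, the same threshold never fires; only after normalization and aggregation do the two-per-source failures add up to one alert.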

Given a scenario, use appropriate software tools to assess the security posture of an organization.
• Protocol analyzer
A protocol analyzer can capture and analyze packets on a network. The process of using a protocol analyzer is sometimes referred to as sniffing or using a sniffer. Both administrators and attackers can use a protocol analyzer to view IP headers and examine packets.
• Network scanners
A port scanner identifies open ports and is used to determine what services are running on the system.
- Rogue system detection
- Network mapping
• Wireless scanners/cracker
• Password cracker
• Vulnerability scanner
• Configuration compliance scanner
• Exploitation frameworks
• Data sanitization tools
• Steganography tools
• Honeypot
• Backup utilities
• Banner grabbing
• Passive vs. active
• Command line tools
- ping
Checks connectivity with remote systems. Uses ICMP.
- netstat
netstat shows active connections and other network statistics on a local system, but it doesn't identify pathways.
- tracert
Tracks packet flow through the network.
- nslookup/dig
- arp
arp is a command-line tool that is related to the Address Resolution Protocol (ARP); however, arp (the command) and ARP (the protocol) are not the same thing.
- ipconfig/ip/ifconfig
Show TCP/IP configuration information; ifconfig applies to Linux-based systems.
- tcpdump
Command-line tool used to capture packets, but it doesn’t query systems for data.
- nmap
Nmap is a sophisticated network scanner that runs from the command line.
- netcat
netcat is useful for remotely administering servers. It can also be used for banner grabbing, which yields info on the OS and some info on services and apps used by the server.

Given a scenario, troubleshoot common security issues.


Given
• HIDS/HIPS
• Antivirus
• File integrity check
• Host-based firewall
• Application whitelisting
• Removable media control
• Advanced malware tools
• Patch management tools
• UTM
• DLP
• Data execution prevention
• Web application firewall

Given a scenario, deploy mobile devices securely.


• Connection methods
- Cellular
- WiFi
- SATCOM
- Bluetooth
- NFC
- ANT
- Infrared
- USB
• Mobile device management concepts
- Application management
- Content management
- Remote wipe
- Geofencing
- Geolocation
- Screen locks
- Push notification services
- Passwords and pins
- Biometrics
- Context-aware authentication
- Containerization
- Storage segmentation
- Full device encryption
• Enforcement and monitoring for:
- Third-party app stores
- Rooting/jailbreaking
- Sideloading
- Custom firmware
- Carrier unlocking
- Firmware OTA updates
- Camera use
- SMS/MMS
- External media
- USB OTG
- Recording microphone
- GPS tagging
- WiFi direct/ad hoc
- Tethering
- Payment methods
• Deployment models
- BYOD
Bring your own device
- COPE
- CYOD
- Corporate-owned
- VDI

Given a scenario, implement secure protocols

• Protocols
- DNSSEC
- SSH
- S/MIME
- SRTP
- LDAPS
- FTPS
- SFTP
- SNMPv3
- SSL/TLS
- HTTPS
- Secure POP/IMAP
• Use cases
- Voice and video
- Time synchronization
- Email and web
- File transfer
- Directory services
- Remote access
- Domain name resolution
- Routing and switching
- Network address allocation
- Subscription services
Explain use cases and purpose for frameworks, best
practices and secure configuration guides.

• Industry-standard frameworks and reference architectures
- Regulatory
- Non-regulatory
- National vs. international
- Industry-specific frameworks
• Benchmarks/secure configuration guides
- Platform/vendor-specific guides
- Web server
- Operating system
- Application server
- Network infrastructure devices
- General purpose guides
• Defense-in-depth/layered security
- Vendor diversity
- Control diversity
- Administrative
- Technical
- User training

Given a scenario, implement secure network architecture concepts.
• Zones/topologies
- DMZ
Demilitarized zone, the space between your internal network and the internet.

- Extranet
Partner site, set apart from intranet

- Intranet
Internal network

- Wireless

- Guest
Guest accounts to allow outsiders access to your network, normally in the DMZ

- Honeynets
Decoy networks

- NAT
Network address translation, hides internal computers from the internet. Converts public to private IP addresses and back again.

- Ad hoc
Point to point connection without a network device such as a switch or a router.

• Segregation/segmentation/isolation
- Physical
- Logical (VLAN)
Creating separate managed channels to prevent crossover. Logical separation created at layer 2.
- Virtualization
Virtual environment used to maximize hardware or test software

- Air gaps
Physical isolation

• Tunneling/VPN
- Site-to-site
Uses two VPN servers that act as gateways for two networks separated geographically.
- Remote access

• Security device/technology placement


- Sensors
- Collectors
Network devices such as routers and firewalls

- Correlation engines
- Filters
- Proxies
A server (or servers) used to forward requests for services such as HTTP or HTTPS. A forward proxy server forwards requests from internal clients to external servers. A reverse proxy accepts requests from the Internet and forwards them to an internal web server. A transparent proxy does not modify requests, but nontransparent proxies include URL filters. An application proxy is used for a specific application, but most proxy servers are used for multiple protocols.
- Firewalls
A stateful firewall filters based on the packet state; a stateless firewall filters based on IP address, port, or protocol ID.

- VPN concentrators
When using a VPN concentrator, you would typically place it in the DMZ. The firewall between the Internet and the DMZ would forward VPN traffic to the VPN concentrator. The concentrator would route all private VPN traffic to the firewall between the DMZ and the intranet.
- SSL accelerators
- Load balancers
- DDoS mitigator
Placed inside DMZ near firewall to internet

- Aggregation switches
Core switch network

- Taps and port mirror
Monitoring devices.

• SDN
Software-defined network: uses virtualization technologies to route traffic.
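To make the stateful/stateless distinction concrete (it appears under Firewalls here and under Firewall in the network components section), an added Python example that is not from the original notes: a stateless ACL and a session-tracking filter are run over the same constructed packets, showing the broad inbound hole a stateless ACL must open for return traffic and how a stateful filter avoids it. Addresses, ports and rules are constructed.

```python
"""Stateless ACL filtering beside stateful (session-aware) filtering.

Added example, not from the original notes. The internal subnet, ACL and
packets are constructed to show why a stateless ACL has to permit inbound
traffic to every ephemeral port, while a stateful filter only admits
packets that belong to a session the inside opened.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")  # constructed internal subnet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # SYN without ACK: a new connection attempt
    ack: bool = False


def stateless_acl(pkt: Packet, rules) -> bool:
    """Top-down, first match wins; anything unmatched hits implicit deny.
    Each rule is (direction, proto, dst_port_predicate, action)."""
    direction = "out" if ip_address(pkt.src) in INTERNAL else "in"
    for rule_dir, proto, port_ok, action in rules:
        if rule_dir == direction and proto == pkt.proto and port_ok(pkt.dport):
            return action == "permit"
    return False  # implicit deny


# To let inside clients browse the web, a stateless ACL has to permit
# inbound packets to *any* ephemeral port: it cannot tell which inbound
# packets are replies to connections the inside opened.
WEB_ACL = [
    ("out", "tcp", lambda p: p in (80, 443), "permit"),
    ("in",  "tcp", lambda p: p >= 1024,      "permit"),  # the broad hole
]


class StatefulFilter:
    """Permits outbound connection attempts to allowed ports, records the
    session, and admits inbound packets only if they reverse a session."""

    def __init__(self, allowed_out_ports=(80, 443)):
        self.allowed = set(allowed_out_ports)
        self.sessions = set()  # (client, cport, server, sport)

    def filter(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if ip_address(pkt.src) in INTERNAL:            # outbound
            if pkt.syn and not pkt.ack and pkt.dport in self.allowed:
                self.sessions.add(key)
                return True
            return key in self.sessions
        # inbound: permitted only as the reverse of a recorded session
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def compare(packets):
    """Return (stateless_decisions, stateful_decisions) for a packet list."""
    sf = StatefulFilter()
    return ([stateless_acl(p, WEB_ACL) for p in packets],
            [sf.filter(p) for p in packets])


# Constructed traffic: a legitimate HTTPS session, then two unsolicited
# inbound packets that the stateless ACL cannot tell apart from replies.
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True),            # client SYN
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, syn=True, ack=True),  # server SYN/ACK
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, ack=True),            # client ACK/data
    Packet("198.51.100.7", 4444, "10.0.0.5", 51000),                     # unsolicited, high port
    Packet("198.51.100.7", 4444, "10.0.0.5", 3389),                      # unsolicited, RDP port
]

if __name__ == "__main__":
    for pkt, sl, st in zip(TRAFFIC, *compare(TRAFFIC)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"stateless={'permit' if sl else 'deny'}  "
              f"stateful={'permit' if st else 'deny'}")
```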

Given a scenario, implement secure systems design.


• Hardware/firmware security
- FDE/SED
Full disk encryption, usually attributed to mobile devices.
SED, self-encrypting drives, include software to encrypt all data on the drive and securely store the encryption keys.
- TPM
Trusted platform module, includes an encryption key burned into the chip; this key provides a hardware root of trust. Internally mounted.
- HSM
HSM, hardware security module, is an external security device used to store cryptographic keys.
- UEFI/BIOS
Motherboard operating system. Allows the user to configure hardware.
- Secure boot and attestation
- Supply chain
- Hardware root of trust
- EMI/EMP
• Operating systems
- Types
- Network
- Server
- Workstation
- Appliance
- Kiosk
- Mobile OS
- Patch management
- Disabling unnecessary ports and services
- Least functionality
- Secure configurations
- Trusted operating system
- Application whitelisting/blacklisting
- Disable default accounts/passwords
• Peripherals
- Wireless keyboards
- Wireless mice
- Displays
- WiFi-enabled MicroSD cards
- Printers/MFDs
- External storage devices
- Digital cameras

Explain the importance of secure staging deployment concepts.


• Sandboxing
• Environment
- Development
- Test
- Staging
- Production
• Secure baseline
• Integrity measurement
The master image is the baseline that admins use to compare against when identifying deviations.

Explain the security implications of embedded systems.


• SCADA/ICS
• Smart devices/IoT
- Wearable technology
- Home automation
• HVAC
• SoC
System on a chip, e.g. a Raspberry Pi microcomputer.

• RTOS
Real-time operating system, such as in an ATM.

• Printers/MFDs
• Camera systems
• Special purpose
- Medical devices
- Vehicles
- Aircraft/UAV

Summarize secure application development and deployment concepts.

• Development life-cycle models
- Waterfall vs. Agile
• Secure DevOps
An agile-aligned software development methodology. Secure DevOps is a software development process that includes extensive communication between software developers and operations personnel. It also includes security considerations throughout the project. When applied to a software development project, it can allow developers to push out multiple updates a day in response to changing business needs.

- Security automation
Automated tests to check code.

- Continuous integration
The process of merging code changes into a central repository. Software is then built and tested from this central repository. The central repository includes a version control system, and the version control system typically supports rolling back code changes when they cause a problem.

- Baselining
Applying changes to the baseline code every day and building the code from these changes.

- Immutable systems
Cannot be changed.

- Infrastructure as code
Managing and provisioning data centers with code that defines virtual machines (VMs).
• Version control and change management
Helps ensure that developers do not make unauthorized changes. Version control tracks the versions of software as it is updated, including who made the update and when.

• Provisioning and deprovisioning
Provisioning and deprovisioning typically refers to user accounts.

• Secure coding techniques
- Proper error handling
- Proper input validation
- Normalization
- Stored procedures
- Code signing
- Encryption
- Obfuscation/camouflage
- Code reuse/dead code
- Server-side vs. client-side execution and validation
- Memory management
- Use of third-party libraries and SDKs
- Data exposure
• Code quality and testing
- Static code analyzers
- Dynamic analysis (e.g., fuzzing)
- Stress testing
- Sandboxing
- Model verification
• Compiled vs. runtime code

Summarize cloud and virtualization concepts.


• Hypervisor
Software that creates and manages VMs.
- Type I
Type I hypervisors run directly on the system hardware. They are often called bare-metal hypervisors because they don’t need to run within an operating system. Large-scale data centers typically use Type I.
- Type II
Type II hypervisors run as software within a host operating system. When implementing on a single PC you will use Type II. Each OS will have its own kernel.
- Application cells/containers
Virtualization or containers that run services or applications within isolated app cells. The host operating system kernel is shared.

• VM sprawl avoidance
VM sprawl is when VMs are being set up and discarded but never actually removed from use, allowing them to waste resources.

• VM escape protection
• Cloud storage
• Cloud deployment models

- SaaS
Software as a Service (SaaS) includes any software or application provided to users over a network such as the Internet. Internet users access the SaaS applications with a web browser. It usually doesn’t matter which web browser or operating system a SaaS customer uses. They could be using Microsoft Edge, Chrome, Firefox, or just about any web browser. As mentioned previously, web-based email is an example of SaaS.

- PaaS
Platform as a Service (PaaS) provides customers with a preconfigured computing platform they can use as needed. It provides the customer with an easy-to-configure operating system, combined with appropriate applications and on-demand computing.

- IaaS
Infrastructure as a Service (IaaS) allows an organization to outsource its equipment requirements, including the hardware and all support operations. The IaaS service provider owns the equipment, houses it in its data center, and performs all the required hardware maintenance. The customer essentially rents access to the equipment and often pays on a per-use basis.

- Private
A private cloud is set up for specific organizations. For example, the Shelbyville Nuclear Power Plant might decide it wants to store data in the cloud, but does not want to use a third-party vendor. Instead, the plant chooses to host its own servers and make these servers available to internal employees through the Internet.

- Public
Public cloud services are available from third-party companies, such as Amazon, Google, Microsoft, and Apple. They provide similar services to anyone willing to pay for them.

- Hybrid
Two or more clouds.

- Community
Communities with shared concerns (such as goals, security requirements, or compliance considerations) can share cloud resources within a community cloud. As an example, imagine that the Shelbyville Nuclear Power Plant and several schools within Springfield decided to share educational resources within a cloud. They could each provide resources for the cloud and only organizations within the community would have access to the resources.

• On-premise vs. hosted vs. cloud


• VDI/VDE
Virtual desktop environment: users access virtual desktops hosted on remote servers. Persistence is being able to make changes to the desktop image; it requires more system resources, compared to a non-persistent environment that reverts back to the preconfigured desktop every time users log off.

• Cloud access security broker
A cloud access security broker (CASB) is a software tool or service deployed between an organization’s network and the cloud provider.

• Security as a service
Another entry into cloud computing is Security as a Service. It includes any services provided via the cloud that provide security services, and is commonly viewed as a subset of the Software as a Service (SaaS) model. A common example of a Security as a Service application is antivirus software.
Explain how resiliency and automation strategies reduce risk
• Automation/scripting
- Automated courses of action
- Continuous monitoring
- Configuration validation
• Templates
• Master image
Master image: only includes the apps, services, and protocols needed to meet the principle of least functionality.
• Non-persistence
- Snapshots
- Revert to known state
- Rollback to known configuration
- Live boot media
• Elasticity
• Scalability
• Distributive allocation
• Redundancy
• Fault tolerance
• High availability
• RAID

Explain the importance of physical security controls.


• Lighting
• Signs
• Fencing/gate/cage
• Security guards
• Alarms
• Safe
• Secure cabinets/enclosures
• Protected distribution/Protected cabling
• Airgap
• Mantrap
• Faraday cage
• Lock types
• Biometrics
• Barricades/bollards
• Tokens/cards
• Environmental controls
- HVAC
- Hot and cold aisles
- Fire suppression
• Cable locks
• Screen filters
• Cameras
• Motion detection
• Logs
• Infrared detection
• Key management

Compare and contrast identity and access management concepts
• Identification, authentication, authorization and accounting (AAA)
Identification: a user claims or professes their identity.
Authentication: types of factors:
something you know / password, PIN
something you have / smart card, USB token
something you are / fingerprint, retina scan
somewhere you are / location, geolocation tech
something you do / gesture, gait

• Multifactor authentication
Multiple authentication factors; if two, it’s dual; if three, it’s three-way, etc. When answering any potential question pick the most accurate.
- Something you have
biometrics
- Something you know
password
- Somewhere you are
GPS location
- Something you do
• Federation
Central authentication in a non-homogeneous environment. Each environment uses the same username and password, such as Facebook or Google.

• Single sign-on
What the Air Force portal is supposed to be. Sign in once and only once.

• Transitive trust
Indirect trust relationship. If A trusts B and C, B and C can trust each other.

Given a scenario, install and configure identity and access services.
• LDAP
Port 389. Lightweight Directory Access Protocol, specifies formats and methods to every directory.
CN=Student; OU=sec+; OU=users. CN: common name; OU: organizational unit.

• Kerberos
Method of issuing tickets for authentication. KDC: Key Distribution Center.
- system of ticket granting tickets (TGT)
- time synchronization within 5 minutes
- a database of users or subjects
Kerberos tickets are only temporary, making it harder for replay or man-in-the-middle attacks to occur.
Windows authentication protocol within a Microsoft Windows Active Directory.
If you only have one KDC then you have a SPOF, single point of failure.
Uses symmetric key cryptography.

AAA services authentication, accounting, authorization

• TACACS+
Port 49 TCP/UDP. Cisco proprietary, encrypts the entire authentication process, uses multiple challenges between server and client. Modular: can pick and choose features to use.

• CHAP
Challenge Handshake Authentication Protocol. An authentication mechanism where a server challenges a client.

• PAP
Password Authentication Protocol; passwords/PINs are sent in cleartext. Essentially telnet.

• MSCHAP
Microsoft challenge, uses LAN Manager as the hash. Weak.
Version 2 added mutual authentication, preventing data from getting sent to a rogue server from the client.

• RADIUS
Port TCP 1812/3. Remote Access Dial-In User Service.
Centralized authentication service.
The user is called a supplicant.
The user connects to a RADIUS client (VPN concentrator, RAS (remote access server), Wi-Fi).
The supplicant tunnels in using PPTP because otherwise RADIUS sends info in cleartext to the client.
Protection begins at the client.
If configuring RADIUS: the IP address is the supplicant, the password is the client, the port is the client, the destination is the RADIUS server.

• SAML
Security Assertion Markup Language. Programming language, built off of XML which is based off HTML. Allows SSO and federation to work.

• OpenID Connect handles identification

• OAUTH handles identification? and authorization

• Shibboleth handles identification and authorization, open source, free

• Secure token

• NTLM
New Technology LAN Manager, mostly used on legacy systems, mostly used on Kerberos.

Given a scenario, implement identity and access management controls.
• Access control models/paradigms
- MAC mandatory access control: system admin control, security labels, need to know; think security clearances.

- DAC discretionary access control: the creator of the file is in charge, less admin overhead, susceptible to trojans.

- ABAC attribute-based access control: more granular (specific) than ROBAC, role-based access control.

- Role-based access control/ROBAC: based off user role: admin, executive, project managers, team members.

- Rule-based access control/RUBAC: not considered to be part of the access control models/paradigms; ACL access control list; does not require users.

• Physical access control

- Proximity cards
- Smart cards

• Biometric factors
- Fingerprint scanner
- Retinal scanner
- Iris scanner
- Voice recognition
- Facial recognition
- False acceptance rate FAR: false match; a lower score is better

- False rejection rate FRR when system rejects authorized user

- Crossover error rate where FAR and FRR cross on a chart. Lower CER equals more accurate system

• Tokens
- Hardware
- Software
- HOTP/TOTP HMAC-based One-Time Password, based off events; Time-Based One-Time Password

• Certificate-based authentication
- PIV/CAC/smart card
- IEEE 802.1x

• File system security encryption

• Database security DLP data loss prevention software, column encryption, don’t encrypt key files or regularly accessed ones, physical security, SSL/TLS
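An added example, not from the original notes, implementing the HOTP/TOTP token item above: HOTP per RFC 4226 (event/counter based) and TOTP per RFC 6238 (time based), plus the server-side check with a look-ahead window that resynchronizes the counter so a consumed code cannot be replayed. The secret is the published RFC test-vector secret; the window and clock-skew sizes are assumptions.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) one-time passwords.

Added example, not from the original notes. HOTP is event based: the moving
factor is a counter that both token and server advance. TOTP is the same
construction with the counter replaced by the number of 30-second steps
since the Unix epoch. The secret below is the published RFC test secret.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP = DynamicTruncate(HMAC(secret, counter)) mod 10^digits."""
    msg = struct.pack(">Q", counter)                # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                         # low nibble selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, algo)


class HotpValidator:
    """Server side of HOTP: accept a code within a small look-ahead window
    (the token may have been pressed without a login), then move the
    counter past it so the same code cannot be replayed. The window size
    is an assumption, not from the RFC."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # resynchronize and consume the counter
                return True
        return False


def verify_totp(secret: bytes, code: str, at: int, skew: int = 1, step: int = 30) -> bool:
    """Accept the current step and `skew` steps either side to tolerate
    clock drift between token and server (a skew of 1 is an assumption)."""
    return any(hmac.compare_digest(totp(secret, at + k * step, step), code)
               for k in range(-skew, skew + 1))


SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector secret

if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter={c}: {hotp(SECRET, c)}")      # 755224, 287082, 359152
    print("TOTP at T=59 (8 digits):", totp(SECRET, 59, digits=8))  # 94287082
```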

Given a scenario, differentiate common account management practices.

• Account types
- User account average user
- Shared and generic avoid shared/generic
accounts/credentials
- Guest accounts cannot be deleted but can be disabled
- Service accounts specific purpose is to run some services/applications
- Privileged accounts system admin accounts, usually no internet/email access to reduce threat vectors
• General Concepts
- Least privilege only access to what is needed to perform job

- Onboarding/offboarding hiring/separation procedures

- Permission auditing and review regularly perform, making sure changes are up to date.

- Usage auditing and review

- Time-of-day restrictions

- Recertification user accounts or network

- Standard naming convention naming conventions are good for organization, but if an attacker knows them they can hide more easily
- Account maintenance

- Group-based access control can help standardize entire network

- Location-based policies consideration of geographical location and local laws that apply

• Account policy enforcement
- Credential management don’t write passwords down
- Group policy
- Password complexity
- Expiration
- Recovery
- Disablement if it has a timer
- Lockout if admin must intervene to unlock
- Password history
- Password reuse
- Password length

Explain the importance of policies, plans and procedures related to organizational security.
• Standard operating procedure

• Agreement types
- BPA Business partner agreement: how companies work together

- SLA Service Level Agreement: detail oriented, what and when; between a vendor and a company, stipulates performance expectations

- ISA Interconnection Security Agreement: specifies technical and security requirements for planning, establishing, maintaining and disconnecting a secure connection. Technical details.

- MOU/MOA memorandum of understanding/memorandum of agreement: expresses an understanding between two or more parties indicating an intention to work together toward a common goal.

• Personnel management

- Mandatory vacations allows company to audit while employee is gone

- Job rotation job training, added redundancy and higher morale

- Separation of duties prevents any single person or entity from being able to complete all the functions of a critical or sensitive process. Designed to prevent fraud, theft, and errors.

- Clean desk reduces threat of security incidents, helps prevent possibility of data theft or inadvertent disclosure

- Background checks screenings prior to onboarding

- Exit interviews separation interview to gather intel

- Role-based awareness training executives, system admin, users, privileged,

- Data owner individual responsible for data

- Systems administrator System administrators are responsible for the overall security of a system

- System owner
A system owner is typically a high-level executive or department head who has overall responsibility for the system.
- User
Regular end users need to understand common threats, such as malware and phishing attacks. They also need to understand the risk posed by clicking an unknown link and how drive-by downloads can infect their system.

- Privileged user
A privileged user is any user with more rights and permissions than typical end users

- Executive user
Executives need high-level briefings related to the risks that the organization faces, along with information on the
organization’s overall information security awareness program

- NDA Non-disclosure Agreement

- Onboarding hiring process

- Continuing education training

- Acceptable use policy/rules of behavior terms and conditions of use

- Adverse actions
• General security policies
- Social media networks/applications
- Personal email

Summarize business impact analysis concepts.


• RTO/RPO
Recovery Time Objective- max time for down network/ Recovery Point Objective- data you can afford to lose
Information identified in Business Impact Analysis BIA.

• BCP Business continuity plan

• MTBF Mean Time Between Failures: average system uptime; system reliability. A larger number is better.

• MTTR Mean Time To Recovery: average time to restore a failed system, how fast to fix. A smaller number is better.
Rule of five 9’s: 99.999% ideal uptime.

• Mission-essential functions essential processes used for business

• Identification of critical systems

• Single point of failure when task/service can only be performed in one area. Essentially a bottleneck.

• Impact can be positive or negative


- Life
- Property
- Safety
- Finance
- Reputation

• Privacy impact assessment what happens if data is leaked? Attempts to identify potential risks related to PII and
ensures the organization is complying with applicable laws and regulations

• Privacy threshold assessment how much data can be leaked?

Explain risk management processes and concepts.


• Threat assessment
- Environmental
- Manmade
- Internal vs. external
• Risk assessment
- SLE Single Loss Expectancy = asset value x exposure factor (or ALE divided by ARO)
- ALE Annual Loss Expectancy = ARO x SLE
- ARO Annual Rate of Occurrence

- Asset value worth

- Risk register chart for measuring risk, list all known risks for an asset such as a web server, includes a risk score

- Likelihood of occurrence
- Supply chain assessment What happens if chain is broken?

- Impact

- Quantitative number-based evaluation


- Qualitative based on Subject Matter Expert (SME) opinion

- Testing

- Penetration testing authorization permission to test

- Vulnerability testing authorization permission to test

- Risk response techniques


- Accept
Willing to take loss

- Transfer
Buy insurance

- Avoid

- Mitigate
Buy locks for laptops so they cannot be easily stolen

• Change management a process of requesting and reviewing change prior to implementation.
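The SLE/ALE/ARO arithmetic from the risk assessment entries above, worked through as an added Python example (not from the original notes). It goes one step past the notes: it ranks a small risk register by ALE and checks whether a control (the laptop-lock mitigation mentioned above) pays for itself using "ALE before minus ALE after minus annual control cost". All asset values, factors and costs are constructed figures.

```python
"""Quantitative risk assessment: SLE = AV x EF, ALE = SLE x ARO, plus a
cost/benefit check for a proposed control.

Added example, not from the original notes. Every figure in REGISTER and in
the control_value() calls is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per incident (0..1)
    aro: float              # annualized rate of occurrence (incidents/year)

    @property
    def sle(self):
        """Single Loss Expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self):
        """Annual Loss Expectancy: expected loss per year."""
        return self.sle * self.aro


def sle_from_ale(ale, aro):
    """The notes' alternative form: SLE = ALE / ARO."""
    if aro == 0:
        raise ValueError("ARO of zero: no expected loss, SLE undefined")
    return ale / aro


def rank_register(risks):
    """Risk register sorted by ALE, highest first: where to spend first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def control_value(risk, new_aro, annual_cost, new_exposure_factor=None):
    """Net annual value of a control that lowers ARO (and optionally EF).
    Positive: the control is worth buying. Negative: accept the risk or look
    for a cheaper control."""
    ef = risk.exposure_factor if new_exposure_factor is None else new_exposure_factor
    ale_after = risk.asset_value * ef * new_aro
    return risk.ale - ale_after - annual_cost


# Constructed register: values chosen so the arithmetic is exact.
REGISTER = [
    Risk("web server", "DDoS outage", asset_value=200_000, exposure_factor=0.125, aro=2.0),
    Risk("laptop", "theft from office", asset_value=2_000, exposure_factor=1.0, aro=5.0),
    Risk("file server", "ransomware", asset_value=500_000, exposure_factor=0.5, aro=0.125),
]

if __name__ == "__main__":
    for r in rank_register(REGISTER):
        print(f"{r.asset:12} {r.threat:18} SLE={r.sle:>10,.0f} ALE={r.ale:>10,.0f}")
    laptop = REGISTER[1]
    # laptop locks: assume theft drops from 5/year to 1/year, locks cost 1,500/year
    print("lock value:", control_value(laptop, new_aro=1.0, annual_cost=1_500))
```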

Given a scenario, follow incident response procedures.


• Incident response plan
- Documented incident
types/category definitions
- Roles and responsibilities
- Reporting requirements/escalation
- Cyber-incident response teams
- Exercise
• Incident response process
If confiscation is required, maintain a chain of custody.
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons learned

Summarize basic concepts of forensics.


• Order of volatility (mnemonic CRSHR): CPU cache, RAM, swap file (temporary memory), HDD, remote files/archives (logs)

• Chain of custody must always know where evidence is

• Legal hold how long a device under investigation can be held for investigation.
• Data acquisition hash the drive, create a system image, hash the system image, return the HDD to evidence,
investigate on the image, hash the system image again, put the image in evidence
- Capture system image
- Network traffic and logs
- Capture video
- Record time offset be aware of time frames and time zones

- Take hashes preserving integrity

- Screenshots pictures with phone

- Witness interviews objective and fact-based; avoid subjective statements

• Preservation holding onto evidence

• Recovery

• Strategic intelligence/counterintelligence gathering

- Active logging

• Track man-hours so additional help can be allocated if needed
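The data-acquisition steps above (hash the drive, image it, hash the image, re-hash after analysis) together with a chain-of-custody record, as an added Python example that is not part of the original notes. The "drive" is a constructed in-memory byte string standing in for a physical disk; the item labels HDD-01/IMG-01 and handler names are placeholders.

```python
"""Hash-verified evidence acquisition with a chain-of-custody log.

Added example, not from the original notes. Uses only the standard library;
the source drive is a constructed byte string, not a real device.
"""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of who handled which item, when, and its hash."""

    def __init__(self):
        self.entries = []

    def record(self, item, action, handler, digest, when=None):
        when = when or datetime.now(timezone.utc).isoformat()
        self.entries.append({"item": item, "action": action, "handler": handler,
                             "sha256": digest, "time": when})
        return self.entries[-1]


def acquire(drive_bytes, handler, log):
    """Hash the source, image it, hash the image, return (image, hash).
    Matching hashes prove the image is a bit-for-bit copy of the source."""
    src_hash = sha256_hex(drive_bytes)
    log.record("HDD-01", "hashed source", handler, src_hash)
    image = bytes(drive_bytes)  # stand-in for a write-blocked imaging tool
    img_hash = sha256_hex(image)
    log.record("IMG-01", "created image", handler, img_hash)
    if img_hash != src_hash:
        raise RuntimeError("image does not match source; acquisition failed")
    log.record("HDD-01", "returned to evidence locker", handler, src_hash)
    return image, src_hash


def verify_after_analysis(image, expected_hash, handler, log):
    """Re-hash the image after examination. A mismatch means the evidence was
    altered and the analysis results cannot be relied on."""
    digest = sha256_hex(image)
    ok = digest == expected_hash
    log.record("IMG-01", "re-hashed after analysis", handler,
               digest + ("" if ok else " (MISMATCH)"))
    return ok


# Constructed sample drive contents.
SAMPLE_DRIVE = b"MBR\x00" + b"user files ... " * 4 + b"\x00" * 32

if __name__ == "__main__":
    log = CustodyLog()
    image, h = acquire(SAMPLE_DRIVE, "analyst A", log)
    print("image verified:", verify_after_analysis(image, h, "analyst B", log))
    tampered = image[:-1] + b"\x01"
    print("tampered image verified:", verify_after_analysis(tampered, h, "analyst B", log))
    for e in log.entries:
        print(e["time"], e["item"], e["action"], e["handler"], e["sha256"][:16])
```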

Explain disaster recovery and continuity of operations concepts


• Recovery sites
- Hot site operational in under 24 hours, most expensive

- Warm site up to a week to activate

- Cold site from a week to a month, least expensive

• Order of restoration what takes precedence, e.g. routers/switches, then servers

• Backup concepts
- Differential does not reset the archive bit; starts with a full backup; 2 backups needed to restore. Fast restoral, slow
archival (saving)
- Incremental resets the archive bit. Fast archival, slow restoral; requires multiple backups to restore

- Snapshots saved file state, a snapshot in time

- Full complete backup. Resets the archive bit. Slow archival.

- Shadow copy or shadow volume Microsoft proprietary daily backups

• Geographic considerations
- Off-site backups
- Distance
- Location selection
- Legal implications
- Data sovereignty laws of different countries
• Continuity of operations planning
- Exercises/tabletop think D&D: verbal run-downs of a scenario
- After-action reports
- Failover
- Alternate processing sites
- Alternate business practices
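The archive-bit behaviour of full, differential and incremental backups described under Backup concepts above, as an added Python simulation (not from the original notes). The filesystem and the week of file changes are constructed; one scheme is assumed to be used consistently after each full backup.

```python
"""Simulate full, differential and incremental backups with an archive bit.

Added example, not part of the original notes. Each file carries an archive
bit that is set whenever the file is written; a full or incremental backup
clears it, a differential backup leaves it set. One scheme (differential or
incremental) is assumed to be used consistently after each full backup.
"""


class Filesystem:
    def __init__(self):
        self.files = {}                       # name -> [contents, archive_bit]

    def write(self, name, contents):
        self.files[name] = [contents, True]   # any write sets the archive bit

    def snapshot(self):
        return {n: c for n, (c, _) in self.files.items()}


class BackupSet:
    def __init__(self, kind, files):
        self.kind = kind      # "full", "differential" or "incremental"
        self.files = files    # name -> contents captured in this set


def backup(fs, kind):
    """Capture files according to `kind` and update archive bits."""
    if kind == "full":
        captured = fs.snapshot()
    else:  # differential and incremental both copy only flagged files
        captured = {n: c for n, (c, bit) in fs.files.items() if bit}
    if kind in ("full", "incremental"):
        for entry in fs.files.values():
            entry[1] = False  # reset the archive bit
    # a differential leaves the bits set, so each differential grows to hold
    # everything changed since the last full: slow to archive, fast to restore
    return BackupSet(kind, captured)


def sets_needed_to_restore(history):
    """Backup sets needed to rebuild the latest state, oldest first: the last
    full plus either the last differential, or every incremental since it."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    after = history[last_full + 1:]
    if after and after[-1].kind == "differential":
        return [history[last_full], after[-1]]
    return [history[last_full]] + [b for b in after if b.kind == "incremental"]


def restore(history):
    state = {}
    for b in sets_needed_to_restore(history):
        state.update(b.files)   # later sets overwrite earlier versions
    return state


def week_of_backups(kind):
    """Full backup on Sunday, then a `kind` backup on each of the next three
    days. Returns (history, live state) so the restore can be checked."""
    fs = Filesystem()
    for name, contents in (("a.txt", "a0"), ("b.txt", "b0"), ("c.txt", "c0")):
        fs.write(name, contents)
    history = [backup(fs, "full")]
    daily_changes = [
        [("a.txt", "a1")],                    # Monday
        [("b.txt", "b1")],                    # Tuesday
        [("a.txt", "a2"), ("d.txt", "d0")],   # Wednesday
    ]
    for changes in daily_changes:
        for name, contents in changes:
            fs.write(name, contents)
        history.append(backup(fs, kind))
    return history, fs.snapshot()


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        history, live = week_of_backups(kind)
        sizes = [len(b.files) for b in history]
        print(f"{kind}: files per set {sizes}, sets to restore "
              f"{len(sets_needed_to_restore(history))}, restore ok {restore(history) == live}")
```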

Compare and contrast various types of controls.


• Deterrent doesn’t stop anything, a sign.

• Preventive keep someone out, a fence.

• Detective can be investigated or reviewed, CCTV

• Corrective

• Compensating temporary solution, patch

• Technical technological control, firewall

• Administrative managerial policy, AUP

• Physical

Given a scenario, carry out data security and privacy practices.


• Data destruction and media sanitization
- Burning

- Shredding can include hardware

- Pulping pureeing paper waste

- Pulverizing physical destruction, sledge hammer

- Degaussing magnetizing, zeroing

- Purging all sensitive data removed

- Wiping using a wipe tool

• Data sensitivity labeling and handling


- Confidential
- Private
- Public
- Proprietary
- PII
- PHI
• Data roles
- Owner overall responsible party
- Steward/custodian

- Privacy officer in charge of compliance with laws

• Data retention how long must be held

• Legal and compliance

6.0 Cryptography and PKI


Compare and contrast basic concepts of cryptography
• Symmetric algorithms single key

Blowfish/Twofish Blowfish: 64-bit blocks, key length 32-448 bits, fast except when changing keys. Can be faster than AES due to its
64-bit block size compared with AES's 128-bit block. Twofish: 128-bit block, key 8-256 bits, most common keys 128, 192, 256.

RC4 stream cipher, used in Secure Sockets Layer (SSL), WEP encryption, and simple Windows VPNs over PPTP; not strong
enough. 40- and 128-bit keys are common; can go as high as 2048 bits.

AES Advanced Encryption Standard 128-bit block size. Key sizes 128, 192, 256. Standard strength, speed, small code size.

IDEA

DES/3DES Data Encryption Standard, 64-bit blocks, susceptible to brute-force attacks. 56-bit key / 64-bit blocks. 3DES makes 3
separate passes and uses multiple keys. Key sizes of 56, 112, 168. Used when legacy systems do not support AES.

• Modes of operation

• Asymmetric algorithms two keys, private and public. Requires PKI (public key infrastructure) to issue certificates.

RSA Rivest, Shamir, Adleman strong, uses prime numbers (resource intensive); used to protect email and other data
transmitted over the internet. Most common asymmetric algorithm, key 1024-

ECDHE Elliptic Curve Diffie-Hellman Ephemeral based on elliptic curve mathematics to reduce processing
requirements, as opposed to using prime numbers, and uses temporary keys

DH Diffie-Hellman a key exchange algorithm used to privately share a symmetric key between two parties. Once
the two parties know the symmetric key they use symmetric encryption to encrypt data. Used with SSH, SSL, IPsec.
DHE Diffie-Hellman Ephemeral generates ephemeral (temporary) keys per session.

• Hashing creates a fixed-size string from an infinite variety of inputs. Cannot be reversed, one way only. Assures that
data integrity has been maintained.

MD5 Message Digest 5 wide commercial use, deprecated for government use, 128-bit hash

RIPEMD European standard, 160-bit output, stand-alone

SHA-1/SHA-2 Secure Hash Algorithm / SHA-2 is the collective name for the 224-, 256-, 384- and 512-bit variants


HMAC Hash-based Message Authentication Code, stand-alone, implements both integrity and authenticity.
Can be used in conjunction with SHA-1 or MD5, i.e. HMAC-MD5, HMAC-SHA1
• Salt, IV, nonce password strengthening

• Elliptic curve algorithms based on curves, less resource intensive. Ideal for mobile platforms.

• Weak/deprecated algorithms no longer recommended for use

• Key exchange

• Digital signatures
• Diffusion a change in the input produces a change in the output

• Confusion a small change in the input produces a drastic change in the output.

• Collision when two different inputs produce matching hashes, compromising integrity.

• Steganography tools to obscure. Manipulating bits or white space.

• Obfuscation hiding things in plain sight. Security through obscurity.

• Stream vs. block
Stream encrypts data one bit at a time. Useful when data size is unknown.
Block cipher encrypts in predetermined chunks. Useful when data size is known.
• Key strength
• Session keys
• Ephemeral key
Temporary keys have a limited lifespan. One per session. Harder to crack.

• Secret algorithm

• Data-in-transit

• Data-at-rest
Data on HDD
• Data-in-use
Cannot be encrypted

• Random/pseudo-random number generation

• Key stretching technique to increase the strength of stored passwords

Two most common methods:
BCRYPT based on the Blowfish block cipher, salts before encryption, can go through this process multiple times, results
in a 60-character string.
PBKDF2 uses salts of at least 64 bits and uses pseudo-random functions such as HMAC; bit sizes of 128, 256, 512
(most common).
Both are commonly used to thwart brute-force and rainbow table attacks.

• Implementation vs. algorithm selection strength or speed

- Crypto service provider


- Crypto modules
• Perfect forward secrecy
Perfect forward secrecy ensures that the compromise of a long-term key does not compromise a key used in the past.
ECDHE?

• Security through obscurity obfuscation

• Common use cases
- Low power devices
- Low latency
- High resiliency
- Supporting confidentiality encryption
- Supporting integrity hashes
- Supporting obfuscation steganography
- Supporting authentication
- Supporting non-repudiation digital signatures
- Resource vs. security constraints
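The hashing, HMAC and key stretching entries above (fixed-size digests, HMAC giving authenticity as well as integrity, PBKDF2 with a salt and an iteration count) in one added Python example. This is not code from the original notes; it uses only the standard library, and the messages, keys and passwords are constructed.

```python
"""Hashing for integrity, HMAC for integrity plus authenticity, and PBKDF2
key stretching for stored passwords.

Added example, not from the original notes; standard library only
(hashlib, hmac, secrets). Sample messages, keys and passwords are constructed.
"""
import hashlib
import hmac
import secrets


def digest_lengths(data):
    """Fixed-size output regardless of input length, in bits:
    MD5 128, SHA-1 160, SHA-256 256."""
    return {"md5": hashlib.md5(data).digest_size * 8,
            "sha1": hashlib.sha1(data).digest_size * 8,
            "sha256": hashlib.sha256(data).digest_size * 8}


def integrity_tag(message):
    """Plain hash: detects corruption, but anyone who can change the message
    can also recompute the hash, so it proves nothing about who sent it."""
    return hashlib.sha256(message).hexdigest()


def hmac_tag(key, message):
    """Keyed hash (HMAC-SHA256): only a holder of `key` can produce a valid
    tag, so a good tag shows both integrity and authenticity."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def hmac_verify(key, message, tag):
    # compare_digest does not leak where the first mismatching byte is
    return hmac.compare_digest(hmac_tag(key, message), tag)


def stretch_password(password, salt=None, iterations=600_000):
    """PBKDF2-HMAC-SHA256. The random salt (128 bits here, the notes require at
    least 64) defeats rainbow tables; the iteration count makes every
    brute-force guess cost as much work as a legitimate login check."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def check_password(password, record):
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"],
                             record["iterations"], dklen=32)
    return hmac.compare_digest(dk, record["hash"])


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"
    key = secrets.token_bytes(32)
    print(digest_lengths(msg))
    tag = hmac_tag(key, msg)
    print("valid:", hmac_verify(key, msg, tag))
    print("tampered:", hmac_verify(key, b"transfer 900 to account 42", tag))
    rec = stretch_password("correct horse battery staple")
    print("login ok:", check_password("correct horse battery staple", rec))
    print("wrong pw:", check_password("Tr0ub4dor&3", rec))
```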

Explain cryptography algorithms and their basic characteristics


• Symmetric algorithms
- AES Advanced Encryption Standard. 128-bit block.

- DES Data encryption standard 64 bit block, deprecated

- 3DES 64 bit block. Multiple passes. Only recommended with legacy systems if AES is not supported

- RC4 stream cipher. Used in SSL, WEP encryption, and simple Windows VPNs over PPTP; not strong enough.
40- and 128-bit keys are common

- Blowfish/Twofish Blowfish: 64-bit block, 32-448 bit key, fast except when changing keys. Twofish: 128-bit block, key 8-256 bits,
most common keys 128, 192, 256

• Cipher modes
- CBC
- GCM
- ECB
- CTR

- Stream vs. block
Stream encrypts 1 bit at a time. Block encrypts bits in predetermined blocks.

• Asymmetric algorithms
- RSA
- DSA
- Diffie-Hellman
- Groups
- DHE
- ECDHE
- Elliptic curve
- PGP/GPG
• Hashing algorithms
- MD5 Message Digest 5
- SHA
- HMAC
- RIPEMD
• Key stretching algorithms
- BCRYPT
- PBKDF2
• Obfuscation
- XOR
- ROT13
- Substitution ciphers

Given a scenario, install and configure wireless security settings.

• Cryptographic protocols
- WPA
- WPA2
- CCMP
- TKIP
• Authentication protocols
- EAP
- PEAP
- EAP-FAST
- EAP-TLS
- EAP-TTLS
- IEEE 802.1x
- RADIUS Federation
• Methods
- PSK vs. Enterprise vs. Open
- WPS
- Captive portals

Given a scenario, implement public key infrastructure.

• Components
- CA
- Intermediate CA
- CRL
- OCSP
- CSR
- Certificate
- Public key
- Private key
- Object identifiers (OID)
• Concepts
- Online vs. offline CA

- Stapling an alternative to OCSP. The certificate presenter appends to the certificate a timestamped, digitally
signed OCSP response from the CA. Reduces OCSP traffic to and from the CA.

- Pinning
Public key pinning is a security mechanism designed to prevent attackers from impersonating a web site
using fraudulent certificates. Public key pinning includes a list of public key hashes in
HTTPS responses from the web server. While pinning helps validate
certificates, it is unrelated to OCSP. Digital signatures won't reduce
traffic. Client side?

- Trust model
- Key escrow
A third party holds encrypted keys so that, in the event someone cannot provide their key, it can be
recovered and used.

- Certificate chaining
Certificate chaining combines all the certificates from the root CA down to the certificate issued to the end user.

• Types of certificates

- Wildcard a wildcard certificate starts with an asterisk (*) and
can be used for multiple domains, but each domain name must have
the same root domain. For example, Google uses a wildcard
certificate issued to *.google.com. This same certificate can be used
for other Google domains, such as accounts.google.com and
support.google.com. Wildcard certificates can reduce the
administrative burden associated with managing multiple
certificates.
- SAN Subject Alternative Name (SAN) is used for multiple
domains that have different names, but are owned by the same
organization. For example, Google uses SANs of
*.google.com, *.android.com, *.cloud.google.com, and more. It is
most commonly used for systems with the same base domain names,
but different top-level domains. For example, if Google used names
such as google.com and google.net, it could use a single SAN
certificate for both domain names. Similarly, a SAN certificate can
be used for google.com

- Code signing
Developers often use code signing certificates to
validate the authenticity of executable applications or scripts. The
code signing certificate verifies the code has not been modified.
- Self-signed
A self-signed certificate is not issued by a trusted
CA. Private CAs within an enterprise often create self-signed
certificates. They aren’t trusted by default. However, administrators
can use automated means to place copies of the self-signed
certificate into the trusted root CA store for enterprise computers.
Self-signed certificates from private CAs eliminate the cost of
purchasing certificates from public CAs.

- Machine/computer
Certificates issued to a device or a computer

- Email
Email certificates are used for encryption of emails and digital signatures

- User
Certificates issued to users; they can be used for encryption, authentication, and smart cards. Example: certificates on a CAC
- Root
First certificate created by the CA that identifies it; the store is just a collection of these root certificates. If the
CA's root certificate is placed in this store.

- Domain validation
Indicates that the certificate holder has some control over a DNS domain. The CA takes extra steps to contact the requestor, such as
by email or telephone

- Extended validation
Additional steps beyond domain validation. You will see the company name prior to the URL to combat phishing attacks.

• Certificate formats
- DER
- PEM
PEM is derived from the Privacy Enhanced Mail format, but that is
misleading. It implies that PEM-based certificates are used for email only.
However, PEM-based certificates can be used for just about anything. They
can be formatted as CER (binary files) or DER (ASCII files). They can also
be used to share public keys within a certificate, request certificates from a
CA as a CSR, install a private key on a server, publish a CRL, or share the
full certificate chain.
You might see a PEM-encoded certificate with the .pem extension.
However, it's more common for the certificate to use other extensions. For
example, a PEM-encoded file holding the certificate with the public key
typically uses the .cer or .crt extension. A PEM file holding just the private
key typically uses the .key extension.

- PFX
Personal Information Exchange (PFX) is a predecessor to the P12
certificate and it has the same usage. Administrators often use this format on
Windows systems to import and export certificates.

- CER

- P12
P12 certificates use the PKCS version 12 (PKCS#12) format and they
are CER-based (binary). They are commonly used to hold certificates with
the private key. For example, when installing a certificate on a server to
support HTTPS sessions, you might install a P12 certificate with the private
key. Because it holds the private key, it’s common to encrypt P12
certificates. It’s also possible to include the full certificate chain in a P12
certificate.

- P7B
P7B certificates use the PKCS version 7 (PKCS#7) format and they are
DER-based (ASCII). They are commonly used to share public keys with
proof of identity of the certificate holder. Recipients use the public keys to
encrypt or decrypt data. For example, a web server might use a P7B
certificate to share its public key. P7B certificates can also contain a
certificate chain or a CRL. However, they never include the private key.
CER is a binary format for certificates and DER is an ASCII
format. PEM is the most commonly used certificate format and can
be used for just about any certificate type. P7B certificates are
commonly used to share public keys. P12 and PFX certificates are
commonly used to hold the private key.
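The wildcard and SAN rules from the Types of certificates entries above (a wildcard covers one label under the same root domain, so *.google.com matches accounts.google.com but not google.com itself; a SAN list covers several different names) as an added Python hostname matcher. This is not code from the original notes; the certificate dictionaries are constructed stand-ins for parsed certificates, and the matching rules are the RFC 6125 ones that TLS clients apply.

```python
"""Match a requested hostname against a certificate's names, including
wildcard and SAN entries, the way a TLS client does.

Added example, not from the original notes. Rules applied (RFC 6125 style):
names are case-insensitive; a wildcard must be the entire leftmost label
and matches exactly one label, so *.google.com covers accounts.google.com
but neither google.com itself nor a.b.google.com; names come from the SAN
list when present, otherwise from the CN. The certificate dicts below are
constructed stand-ins for parsed certificates.
"""


def _match_one(pattern, hostname):
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # wildcard allowed only as the whole leftmost label, with at least two
    # labels after it (so "*.com" and "f*o.example.com" are rejected)
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_names(cert):
    """Names the certificate is valid for: SAN dNSName entries if present,
    otherwise the Common Name."""
    sans = [n for t, n in cert.get("san", []) if t == "DNS"]
    return sans if sans else [cert["cn"]]


def hostname_matches(cert, hostname):
    """True if any certificate name matches `hostname` under the rules above."""
    return any(_match_one(p, hostname) for p in cert_names(cert))


# Constructed certificates modelled on the notes' Google examples.
WILDCARD_CERT = {"cn": "*.google.com", "san": [("DNS", "*.google.com")]}
SAN_CERT = {"cn": "google.com",
            "san": [("DNS", "google.com"), ("DNS", "*.google.com"),
                    ("DNS", "*.android.com"), ("DNS", "google.net")]}

if __name__ == "__main__":
    for host in ("accounts.google.com", "google.com", "mail.accounts.google.com", "google.net"):
        print(f"{host:28} wildcard={hostname_matches(WILDCARD_CERT, host)!s:5} "
              f"san={hostname_matches(SAN_CERT, host)}")
```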

ACRONYM SPELLED OUT


3DES Triple Digital Encryption Standard
AAA Authentication, Authorization, and Accounting
ABAC Attribute-based Access Control
ACL Access Control List
AES Advanced Encryption Standard
AES256 Advanced Encryption Standards 256bit
AH Authentication Header
ALE Annualized Loss Expectancy
AP Access Point
API Application Programming Interface
APT Advanced Persistent Threat
ARO Annualized Rate of Occurrence
ARP Address Resolution Protocol
ASLR Address Space Layout Randomization
ASP Application Service Provider
AUP Acceptable Use Policy
AV Antivirus
AV Asset Value
BAC Business Availability Center
BCP Business Continuity Planning
BIA Business Impact Analysis
BIOS Basic Input/Output System
BPA Business Partners Agreement
BPDU Bridge Protocol Data Unit
BYOD Bring Your Own Device
CA Certificate Authority
CAC Common Access Card
CAN Controller Area Network
CAPTCHA Completely Automated Public Turing
Test to Tell Computers and Humans Apart
CAR Corrective Action Report
CASB Cloud Access Security Broker
CBC Cipher Block Chaining
CCMP Counter-Mode/CBC-Mac Protocol
CCTV Closed-circuit Television
CER Certificate
CER Cross-over Error Rate
CERT Computer Emergency Response Team
CFB Cipher Feedback
CHAP Challenge Handshake Authentication Protocol
CIO Chief Information Officer
CIRT Computer Incident Response Team
CMS Content Management System
COOP Continuity of Operations Plan
COPE Corporate Owned, Personally Enabled
CP Contingency Planning
CRC Cyclical Redundancy Check
CRL Certificate Revocation List
CSIRT Computer Security Incident Response Team
CSO Chief Security Officer
CSP Cloud Service Provider
CSR Certificate Signing Request
CSRF Cross-site Request Forgery
CSU Channel Service Unit
CTM Counter-Mode
CTO Chief Technology Officer
CTR Counter
CYOD Choose Your Own Device
DAC Discretionary Access Control
DBA Database Administrator
DDoS Distributed Denial of Service
DEP Data Execution Prevention
DER Distinguished Encoding Rules
DES Digital Encryption Standard
DFIR Digital Forensics and Investigation Response
DHCP Dynamic Host Configuration Protocol
DHE Data-Handling Electronics
DHE Diffie-Hellman Ephemeral
DLL Dynamic Link Library
DLP Data Loss Prevention

DMZ Demilitarized Zone

DNAT Destination Network Address Transaction


DNS Domain Name Service (Server)
DoS Denial of Service
DRP Disaster Recovery Plan
DSA Digital Signature Algorithm
DSL Digital Subscriber Line
DSU Data Service Unit
EAP Extensible Authentication Protocol
ECB Electronic Code Book
ECC Elliptic Curve Cryptography
ECDHE Elliptic Curve Diffie-Hellman Ephemeral
ECDSA Elliptic Curve Digital Signature Algorithm
EF Exposure Factor
EFS Encrypted File System
EMI Electromagnetic Interference
EMP Electro Magnetic Pulse
EOL End of Life
ERP Enterprise Resource Planning
ESN Electronic Serial Number
ESP Encapsulated Security Payload
EULA End User License Agreement
FACL File System Access Control List
FAR False Acceptance Rate
FDE Full Disk Encryption
FRR False Rejection Rate
FTP File Transfer Protocol
FTPS Secured File Transfer Protocol
GCM Galois Counter Mode
GPG Gnu Privacy Guard
GPO Group Policy Object
GPS Global Positioning System
GPU Graphic Processing Unit
GRE Generic Routing Encapsulation
HA High Availability
HDD Hard Disk Drive
HIDS Host-based Intrusion Detection System
HIPS Host-based Intrusion Prevention System
HMAC Hashed Message Authentication Code
HOTP HMAC-based One-Time Password
HSM Hardware Security Module
HTML Hypertext Markup Language
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol over SSL/TLS
HVAC Heating, Ventilation and Air Conditioning
IaaS Infrastructure as a Service
ICMP Internet Control Message Protocol
ICS Industrial Control Systems
ID Identification
IDEA International Data Encryption Algorithm
IDF Intermediate Distribution Frame
IdP Identity Provider
IDS Intrusion Detection System
IEEE Institute of Electrical and Electronic Engineers
IIS Internet Information System
IKE Internet Key Exchange
IM Instant Messaging
IMAP4 Internet Message Access Protocol v4
IoT Internet of Things
IP Internet Protocol
IPSec Internet Protocol Security
IR Incident Response
IR Infrared
IRC Internet Relay Chat
IRP Incident Response Plan
ISA Interconnection Security Agreement
ISP Internet Service Provider
ISSO Information Systems Security Officer
ITCP IT Contingency Plan
IV Initialization Vector
KDC Key Distribution Center
KEK Key Encryption Key
L2TP Layer 2 Tunneling Protocol
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
LEAP Lightweight Extensible Authentication Protocol
MaaS Monitoring as a Service
MAC Mandatory Access Control
MAC Media Access Control
MAC Message Authentication Code
MAN Metropolitan Area Network
MBR Master Boot Record
MD5 Message Digest 5
MDF Main Distribution Frame
MDM Mobile Device Management
MFA Multifactor Authentication
MFD Multi-function Device
MIME Multipurpose Internet Mail Exchange
MITM Man-in-the-Middle
MMS Multimedia Message Service

MOA Memorandum of Agreement


MOTD Message of the Day
MOU Memorandum of Understanding
MPLS Multi-Protocol Label Switching
MSCHAP Microsoft Challenge Handshake
Authentication Protocol
MSP Managed Service Provider
MTBF Mean Time Between Failures
MTTF Mean Time to Failure
MTTR Mean Time to Recover or Mean Time to Repair
MTU Maximum Transmission Unit
NAC Network Access Control
NAT Network Address Translation
NDA Non-disclosure Agreement
NFC Near Field Communication
NGAC Next Generation Access Control
NIDS Network-based Intrusion Detection System
NIPS Network-based Intrusion Prevention System
NIST National Institute of Standards & Technology
NTFS New Technology File System
NTLM New Technology LAN Manager
NTP Network Time Protocol
OAUTH Open Authorization
OCSP Online Certificate Status Protocol
OID Object Identifier
OS Operating System
OTA Over The Air
OVAL Open Vulnerability Assessment Language
P12 PKCS #12
P2P Peer to Peer
PaaS Platform as a Service
PAC Proxy Auto Configuration
PAM Pluggable Authentication Modules
PAP Password Authentication Protocol
PAT Port Address Translation
PBKDF2 Password-based Key Derivation Function 2
PBX Private Branch Exchange
PCAP Packet Capture
PEAP Protected Extensible Authentication Protocol
PED Personal Electronic Device
PEM Privacy-enhanced Electronic Mail
PFS Perfect Forward Secrecy
PFX Personal Exchange Format
PGP Pretty Good Privacy
PHI Personal Health Information
PII Personally Identifiable Information
PIV Personal Identity Verification
PKI Public Key Infrastructure
POODLE Padding Oracle on Downgrade Legacy Encryption
POP Post Office Protocol
POTS Plain Old Telephone Service
PPP Point-to-Point Protocol
PPTP Point-to-Point Tunneling Protocol
PSK Pre-shared Key
PTZ Pan-Tilt-Zoom
RA Recovery Agent
RA Registration Authority
RAD Rapid Application Development
RADIUS Remote Authentication Dial-in User Server
RAID Redundant Array of Inexpensive Disks
RAS Remote Access Server
RAT Remote Access Trojan
RBAC Role-based Access Control
RBAC Rule-based Access Control
RC4 Rivest Cipher version 4
RDP Remote Desktop Protocol
REST Representational State Transfer
RFID Radio Frequency Identifier
RIPEMD RACE Integrity Primitives
Evaluation Message Digest
ROI Return on Investment
RMF Risk Management Framework
RPO Recovery Point Objective
RSA Rivest, Shamir, & Adleman
RTBH Remotely Triggered Black Hole
RTO Recovery Time Objective
RTOS Real-time Operating System
RTP Real-time Transport Protocol
S/MIME Secure/Multipurpose Internet Mail Extensions
SaaS Software as a Service
SAML Security Assertions Markup Language
SAN Storage Area Network
SAN Subject Alternative Name
SCADA System Control and Data Acquisition
SCAP Security Content Automation Protocol
SCEP Simple Certificate Enrollment Protocol
SCP Secure Copy
SCSI Small Computer System Interface
SDK Software Development Kit
SDLC Software Development Life Cycle
SDLM Software Development Life Cycle Methodology
SDN Software Defined Network
SED Self-encrypting Drive
SEH Structured Exception Handler
SFTP Secured File Transfer Protocol
SHA Secure Hashing Algorithm
SHTTP Secure Hypertext Transfer Protocol
SIEM Security Information and Event Management
SIM Subscriber Identity Module
SIP Session Initiation Protocol
SIPS Session Initiation Protocol Secure
SLA Service Level Agreement
SLE Single Loss Expectancy
SMB Server Message Block
SMS Short Message Service
SMTP Simple Mail Transfer Protocol
SMTPS Simple Mail Transfer Protocol Secure
SNMP Simple Network Management Protocol
SOAP Simple Object Access Protocol
SoC System on Chip
SPF Sender Policy Framework
SPIM Spam over Internet Messaging
SPoF Single Point of Failure
SQL Structured Query Language
SRTP Secure Real-Time Protocol
SSD Solid State Drive
SSH Secure Shell
SSID Service Set Identifier
SSL Secure Sockets Layer
SSO Single Sign-on
SSP System Security Plan
STP Shielded Twisted Pair
TACACS+ Terminal Access Controller Access
Control System Plus
TCO Total Cost of Ownership
TCP/IP Transmission Control Protocol/Internet Protocol
TGT Ticket Granting Ticket
TKIP Temporal Key Integrity Protocol
TLS Transport Layer Security
TOTP Time-based One-time Password
TPM Trusted Platform Module
TSIG Transaction Signature
UAT User Acceptance Testing
UAV Unmanned Aerial Vehicle
UDP User Datagram Protocol
UEFI Unified Extensible Firmware Interface
UPS Uninterruptable Power Supply
URI Uniform Resource Identifier
URL Universal Resource Locator
USB Universal Serial Bus
USB OTG USB On The Go
UTM Unified Threat Management
UTP Unshielded Twisted Pair
VDE Virtual Desktop Environment
VDI Virtual Desktop Infrastructure
VLAN Virtual Local Area Network
VLSM Variable Length Subnet Masking
VM Virtual Machine
VoIP Voice over IP
VPN Virtual Private Network
VTC Video Teleconferencing
WAF Web Application Firewall
WAP Wireless Access Point
WEP Wired Equivalent Privacy
WIDS Wireless Intrusion Detection System
WIPS Wireless Intrusion Prevention System
WORM Write Once Read Many
WPA WiFi Protected Access
WPA2 WiFi Protected Access 2
WPS WiFi Protected Setup
WTLS Wireless TLS
XML Extensible Markup Language
XOR Exclusive Or
XSRF Cross-site Request Forgery
XSS Cross-site Scripting

EQUIPMENT
• Router
• Firewall
• Access point
• Switch
• IDS/IPS
• Server
• Content filter
• Client
• Mobile device
• VPN concentrator
• UTM
• Enterprise security managers/SIEM suite
• Load balancer
• Proxies
• DLP appliance
• ICS or similar systems
• Network access control servers
• DDoS mitigation hardware
SPARE PARTS/HARDWARE
• Keyboards
• Mice
• Network cables
• Monitors
• Wireless and Bluetooth dongles
HARDWARE TOOLS
• WiFi analyzers
• Hardware debuggers
SOFTWARE TOOLS
• Exploitation distributions (e.g., Kali)
• Proxy server
A server (or servers) used to forward requests for services
such as HTTP or HTTPS. A forward proxy server forwards requests from
internal clients to external servers. A reverse proxy accepts requests from the
Internet and forwards them to an internal web server. A transparent proxy does
not modify requests, but nontransparent proxies include URL filters. An
application proxy is used for a specific application, but most proxy servers are
used for multiple protocols. Can they forward email?

• Virtualization software
• Virtualized appliances
• Wireshark
• tcpdump
• NMAP
• OpenVAS
• Metasploit/Metasploitable2
• Back Orifice
• Cain & Abel
• John the Ripper
• pfSense
• Security Onion
• Roo
• Any UTM
OTHER
• SourceForge

/var/log/fail isn't a valid log name in Linux


/var/log/btmp contains information on users failed login attempts

/var/log/httpd directory includes logs from the apache web server when installed

/var/log/kern.log contains information logged by the system kernel

SYN stealth scan

A SYN stealth scan sends a single SYN packet to each IP address in the scan range. If a host responds, the scanner
knows that a host is operational with that IP address. However, instead of responding with an ACK packet, a scanner
typically sends an RST (reset) response to close the connection.
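Seen from the defender's side, the behaviour described above (a bare SYN to many ports, the handshake never completed with an ACK) is what a SYN-scan detector looks for. The following added Python example, which is not part of the original notes, runs that check over a constructed packet-summary log; the log format "ts src:port > dst:port flags" and the addresses are made up for the example.

```python
"""Flag SYN-scan behaviour in a packet summary log.

Added example, not part of the original notes. Log line format (constructed
for this example): "<ts> <src_ip>:<src_port> > <dst_ip>:<dst_port> <flags>"
with flags S (SYN), SA (SYN/ACK), A (ACK), R/RA (RST). A source that sends
bare SYNs to many distinct ports on one target within a short window and
never sends the handshake's ACK is reported as a probable scanner.
"""
from collections import defaultdict

# Constructed sample log: 10.0.0.5 probes five ports on 10.0.0.7 and resets each
# half-open connection; 10.0.0.9 completes a normal handshake to port 443.
SAMPLE_LOG = """\
1000.01 10.0.0.5:40001 > 10.0.0.7:22 S
1000.02 10.0.0.7:22 > 10.0.0.5:40001 SA
1000.02 10.0.0.5:40001 > 10.0.0.7:22 R
1000.03 10.0.0.5:40002 > 10.0.0.7:80 S
1000.04 10.0.0.7:80 > 10.0.0.5:40002 SA
1000.04 10.0.0.5:40002 > 10.0.0.7:80 R
1000.05 10.0.0.5:40003 > 10.0.0.7:443 S
1000.06 10.0.0.7:443 > 10.0.0.5:40003 SA
1000.06 10.0.0.5:40003 > 10.0.0.7:443 R
1000.07 10.0.0.5:40004 > 10.0.0.7:3389 S
1000.08 10.0.0.7:3389 > 10.0.0.5:40004 RA
1000.09 10.0.0.5:40005 > 10.0.0.7:8080 S
1000.10 10.0.0.7:8080 > 10.0.0.5:40005 RA
2000.00 10.0.0.9:51000 > 10.0.0.7:443 S
2000.01 10.0.0.7:443 > 10.0.0.9:51000 SA
2000.01 10.0.0.9:51000 > 10.0.0.7:443 A
"""


def parse_line(line):
    ts, src, _, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return float(ts), src_ip, int(src_port), dst_ip, int(dst_port), flags


def find_syn_scanners(log_text, port_threshold=5, window=5.0):
    """Return {src_ip: sorted probed ports} for every source that sent bare
    SYNs to at least `port_threshold` distinct ports on one target within
    `window` seconds without ever completing the handshake (no ACK from it).
    A closed port answers RST/ACK and an open one SYN/ACK; either way the
    scanner never sends the third-step ACK, which is the tell-tale here."""
    syn_times = defaultdict(dict)   # (src, dst) -> {dst_port: first SYN time}
    completed = set()               # (src, dst, dst_port) where the client sent ACK
    for raw in log_text.strip().splitlines():
        ts, sip, _sport, dip, dport, flags = parse_line(raw)
        if flags == "S":
            syn_times[(sip, dip)].setdefault(dport, ts)
        elif flags == "A":
            completed.add((sip, dip, dport))

    scanners = {}
    for (sip, dip), ports in syn_times.items():
        half_open = {p for p in ports if (sip, dip, p) not in completed}
        if len(half_open) < port_threshold:
            continue  # a few unanswered SYNs are normal (retries, down hosts)
        times = sorted(ports[p] for p in half_open)
        # sliding window: any run of port_threshold SYNs inside `window` seconds
        for i in range(len(times) - port_threshold + 1):
            if times[i + port_threshold - 1] - times[i] <= window:
                scanners[sip] = sorted(half_open)
                break
    return scanners


if __name__ == "__main__":
    for src, ports in find_syn_scanners(SAMPLE_LOG).items():
        print(f"probable SYN scan from {src}: ports {ports}")
```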
