Published using Google Docs Report abuse Learn more

Updated automatically every 5

CC- Mike Chapels Notes minutes

Breakdown of Exam

Domain 1: Security Principles (26%)

Domain 2: Business Continuity, Disaster

Recovery, and Incident Response (10%)

Domain 3: Access Control Concepts (22%)

Domain 4: Network Security (24%)

Domain 5: Security Operations (18%)

_____

ISC2 Code of Ethics

1) Protect society and infrastructure

(Hacking)
● Anyone may file a complaint

2) Act honorably, justly and within laws

(Lying)
● Anyone may file a complaint

3) Serve principles diligently and

competently (Fulfill your duties)
● Only employers and clients
may file under a complaint,
due to the nature of the code

4) Advance the information security

profession (Helping cheat exams)
● Other Professionals may file
a complaint, due to the
nature of the complaint
● Professionals only

● You are required to report any

witness of violation of Code of
Ethics
○ Failure to report witnessed
violation is a violation
○ Submit a Complaints Form
to report
○ You must have a standing
before you make a complaint
■ Standing: Alleged
behavior must harm
you or your
profession in
someway
_____

3 Goals of Information Security

● Confidentiality
 ○
Protects information from
Published using Google Docs unauthorized disclosure Report abuse Learn more
● Integrity
○ Protects information from
unauthorized changes
Updated automatically every 5
CC- Mike Chapels Notes ● Availability minutes
○ Protects authorized access
to systems and data
○ Ensures information is
available to authorized users
= CIA
Confidentiality Concerns
● Snooping
○ Involves gathering
information that is left out in
the open
■ Clean desk policies
protect against
snooping
● Dumpster Diving
○ Looking through trash for
information
■ Shredding protects
against Dumpster
Diving
● Eavesdropping
■ Rules about sensitive
conversations
prevent
eavesdropping
● Wiretapping
○ Electronic Eavesdropping
■ Encryption protects
against wiretapping
● Social Engineering
○ Attacker uses psychological
tricks to persuade employee
to give it or give access to
information
■ Education and
Training protects
against social
engineering
_____

Integrity Concerns
● Unauthorized Modification
○ Attackers make changes
without permission (can be
internal=employees or
external
■ Follow the Rules of
Least Privilege to
prevent unauthorized
modification
● Impersonation
○ Attackers pretend to be
someone else
■ User education
protects against
Impersonation
● Man-in-the-Middle (MITM)
○ Attackers place the
themselves in the middle of
communication sessions
 ○ Intercepts network traffic as
Published using Google Docs users are logging in to their Report abuse Learn more
system and assumes their
role.
○ Impersonation on an
Updated automatically every 5
CC- Mike Chapels Notes electronic/digital level. minutes
■ Encryption prevents
man-in-the-middle
attacks
● Replay
○ Attackers eavesdrop on
logins and reuse the
captured credentials
■ Encryption prevents
Replay attacks
_____

Availability Concerns
● Denial of Service (DoS)
○ When a malicious individual
bombards a system with an
overwhelming amount of
traffic.
○ The idea to is to send so
many requests to a server
that it is unable to answer
any requests from legitimate
users
■ Firewalls block
unauthorized
connections to
protect against
Denial of Service
attacks
● Power Outages
■ Having redundant
power sources and
back-up generators
protect against power
outages
● Hardware Failures
○ Failure of servers, hard
drives, network gear etc
■ Redundant
components protect
against hardware
failure
■ Building systems that
have a built-in
redundancy, so that if
one component fails,
the other will take
over
● Destruction
■ Backup data centers
protect against
destruction
(ex=cloud)
● Service Outages
○ Service outage may occur
due to programming errors,
failure of underlying
equipment, and many more
reasons
■ Building systems that
are resilient in the
 fact of errors and
Published using Google Docs hardware failures Report abuse Learn more
protect against
service outages
_____
Updated automatically every 5
CC- Mike Chapels Notes minutes
Authentication & Authorization

Access Control Process

1) Identification
● Identification involves
making a claim of identity
(Can be false)
○ Electronic
identification
commonly uses
usernames
2) Authentication
● Authentication requires
proving a claim of identity
○ Electronic
authentication
commonly
uses passwords
3) Authorization
● Authorization ensures that
an action is allowed
○ Electronic
authorization
commonly takes the
form of access
control lists
■ Access
Control Lists
also provides
Accounting
functionality
●
Accounting
allows
to
track
and
maintain
logs of
user
activity
● Can
track
systems
and
web
browsing
history

Authentication + Authorization +
Accounting = AAA
_____

Password Security

Controls you can implement when setting

password requirements:
● Password length requirements
● Password complexity requirements
 ● Password expiration requirements
Published using Google Docs ○ Force password changes Report abuse Learn more
● Password history requirements
○ Cannot use previously used
passwords
Updated automatically every 5
CC- Mike Chapels Notes minutes
Every organization should make it easy
for users to change their passwords,
however, be careful of password reset
process as it may provide an
opportunity for attackers to take
advantage through unauthorized
password reset.

Password Managers
● Secured password vaults often
protected by biometric mechanisms
(ex=fingerprints)
● Facilitates the use of strong, unique
passwords
● Stores passwords
_____

Multi Factor Authentication

3 types of authentication factors

1) Something you know
● Passwords, Pins
2) Something you are
● Biometric Security
Mechanisms
● Fingerprints
● Voice
3) Something you have
● Software and Hardware
Tokens

You combine these factors all together =

Multi Factor Authentication

Note: Passwords combined with security

questions are NOT multi factor
authentication. Passwords and security
questions are both something you know

Single Sign-On (SSO)

● Shares authenticated sessions
across systems
● Organizations create SSO solutions
within their organizations to avoid
users repeatedly authenticating
_____

Non-repudiation
● Prevents someone from denying the
truth
○ Physical signatures can
provide non-repudiation on
contracts, receipts etc
○ Digital signatures use
encryption to provide non-
repudiation
○ Other methods can be
biometric security controls,
Video-surveillance etc
 _____
Published using Google Docs Report abuse Learn more
Privacy

Organization Privacy Concerns

Updated automatically every 5
CC- Mike Chapels Notes 1) Protecting our down data
minutes
● Protect your down
organizations data
2) Educating on users
● Educated users of how they
can protect their own
personal information
3) Protecting data collected by our
organizations
● Protecting data that was
entrusted to the organization
(ex= client’s data)

2 Types of Private Information

1) Personally-Identifiable Information
(PII)
● Any information that can be
tied back to a specific
individual
2) Protected Health Information (PHI)
● Health care records
○ Regulated by HIPPA

Reasonable expectation of privacy

● Many laws that govern whether
information must be protected are
based upon whether the person
disclosing the information had a
reasonable expectation of privacy
○ Ex= if you upload a YouTube
video, you do not have a
expectation of privacy
○ You do have some
expectation of privacy for
private electronic
communications such as:
email, instant chats etc
○ You do not have a
reasonable expectation of
privacy when sharing PII
with an organization
○ You do not have a
reasonable expectation of
privacy when using
employer resources
_____
Risk Management

1) Internal Risks
● Risks that arise from within
the organization
○ Internal control
prevents internal
risks
2) External Risks
● Risks that arise outside the
organization
○ Build controls that
reduce the chance of
attack/risks being
successful (ex= multi
 factor authentication,
Published using Google Docs or social engineering Report abuse Learn more
awareness
campaigns)
Updated automatically every 5
CC- Mike Chapels Notes 3) Multiparty Risks
minutes
● Risks that affect more than
one organization
● Intellectual property
theft poses a risk to
knowledge-based
organizations
● If attackers are able to alter,
delete or steal this
information, it would cause
significant damage to the
organization and its
customers/counterparties
● Software license
agreements issues risk fines
and legal actions for
violation of license
agreements
_____

Risk Assessment
● Identifies and triages risks

Threat
● Are external forces that jeopardize
security
● Threat Vector
○ Threat Vectors are
methods used by
attackers to get to
their target (ex=
social engineering,
hacker toolkit, etc)

Vulnerabilities
● Are weaknesses in your security
controls
○ Examples : Missing patches,
Promiscuous Firewall rules,
other security
misconfiguration

Threat + Vulnerability = Risk

______

Ranking of Risks
● We rank risks by likelihood and
impact

Likelihood
● Probability a risk will occur
Impact
● Amount of damage a risk will cause

2 Categories of Risk Assessment

1) Qualitative Techniques
● Uses subjective ratings to
evaluate risk likelihood and
impact: Usually in the form
 of low, medium or high on
Published using Google Docs both the likelihood and Report abuse Learn more
impact scales.
2) Quantitative Techniques
● Uses subjective numeric
Updated automatically every 5
CC- Mike Chapels Notes ratings to evaluate risk minutes
likelihood and impact
_____

Risk Treatment (Management)

● Analyzes and implements possible
responses to control risk

4 Types of Risk Treatment

1) Risk Avoidance
● Changes business practices
to make a risk irrelevant
2) Risk Transference
● Attempting to shift the
impact of a risk from your
organization to another
organization
● Example : Insurance policy
● Note that you cannot always
transfer the risk completely.
Reputation damage etc.
3) Risk Mitigation
● Actions that reduce the
likelihood or impact of a risk
4) Risk Acceptance
● Choice to continue
operations in the face of a
risk

Risk Profile
● Combination of risks that an
organization faces
_____
Inherent Risk
● Initial level of risk, before any
controls are put in place

Residual Risk
● Risk that is reduced and what is left
of it is known as the residual risk

Control Risk
● New risk that may have been
introduced by the controls applied to
mitigate risk
○ Example : Controls Applied
may be installing a firewall.
While that firewall may have
mitigated the inherent risk,
the risk of that firewall failing
is another newly introduced
risk

Inherent Risk → Controls Applied →

(Residual Risk + Control Risk)

Risk Tolerance
● Is the level of risk an organization is
willing to accept
 _____
Published using Google Docs Report abuse Learn more
Security Controls
● Are procedures and mechanisms
that reduce the likelihood or impact
Updated automatically every 5
CC- Mike Chapels Notes of a risk and help identify issues
minutes

Defense in Depth
● Uses overlapping security controls
● Different methods of security with a
common objective

Security professionals uses different

categories to group similar security controls

First you must group Controls by their

purpose. 3 Types of Control Purposes are:
1) Prevent
● Stops a security issue from
occurring
2) Detect
● Identify security issues
requiring investigation
3) Correct
● Remediate security issues
that have already occurred

Then group them by their Control

Mechanism: 3 Types of Control
Mechanisms are:
1) Technical
● Use technology to achieve
control objectives
● Examples: Firewalls,
Encryption, Data Loss
Prevention, Antivirus
Software)
● Technical Control a.k.a
Logical Control
2) Administrative
● Uses processes to achieve
control objectives
● Examples: User access
reviews, log monitoring,
performing background
checks)
3) Physical
● Controls that impact the
physical world
● Examples: Locks, Security
guard
_____

Configuration Management
● Tracks the way specific devices are
set up
● Tracks both operating system
settings and the inventory of
software installed on a device
● Should also create Artifacts that
may be used to help understand
system configuration (Legend,
Diagrams, etc)

Baselines
● Provide a configuration snapshot
 ● Dual Net
Published using Google Docs ● You can use the snapshot to assess Report abuse Learn more
if the settings are outside of an
approved change management
process system
Updated automatically every 5
CC- Mike Chapels Notes ● Basically the default configuration minutes
setting set by an organization
Versioning/Version Controls
● Assigns each release of a piece of
software and an incrementing
version number that may be used to
identify any given copy
● These verison #s are written as
three part decimals, with the
○ First number representing
the major version of software
○ Second number
representing a major
updates
○ Third number representing
minor updates
Ex= IPhone IOS 14.1.2

Standardizing Device Configurations by:

● Standardizing Naming conventions
● IP Addressing schemas

_____
Security Governance

You must first identify how domestic and

international Laws and Regulations apply
to an organization

Security Policy Framework

● A framework that everyone in an
organization must follow
● There are 4 types of documents in
a Security Policy Framework
1) Policies
● Provide the
foundation for an
organization’s
information security
program
● Describes
organization’s
security expectations
● Policies are set by
Senior Management
● Policies should stand
the test of time
anticipating future
changes
● Compliance with
Policies are
mandatory
2) Standards
● Describes the
specific details of
security controls
● Compliance with
Standards are
mandatory
3) Guidelines
 ● Provide advice to the
Published using Google Docs rest of the Report abuse Learn more
organization on best
practices
● Compliance with
Updated automatically every 5
CC- Mike Chapels Notes Guidelines are minutes
optional
4) Procedures
● Step-by-step
procedures of an
objective.
● Compliance can be
mandatory or
optional
_____
Best Practice of Security Policies
1) Acceptable Use Policies (AUP)
● Described authorized uses
of technology
2) Data Handling Policies
● Describe how to protect
sensitive information
3) Password Policies
● Describes password security
practices
● An area where all the
password requirements
(length, complexity) gets
officially documented
4) Bring Your Own Device Policies
(BYOD)
● Cover the usage of personal
devices with company
information
5) Privacy Policies
● Cover the use of personally
identifiable information
● Can be enforced by National
& Local authorities
6) Change Management Policies
● Cover the documentation,
approval, and rollback of
technology changes

_____

Business Continuity

Business Continuity Planning (BCP)

● The set of controls designed to keep
a business running in the face of
adversity, whether natural or man-
made
● Also known as Continuity Of
Operations Planning (COOP)
● Directly impacts the #3 goal of
security = Availability
● When planning, proactively as what
business activities, systems, and
controls will it configure

Business Impact Assessment (BIA)

● A risk assessment that uses a
quantitative or qualitative process
● Begins by identifying organization’s
mission essential functions and then
 traces those backwards to identify
Published using Google Docs the critical IT systems that support Report abuse Learn more
those functions

In Clouding, Business Continuity Planning

Updated automatically every 5
CC- Mike Chapels Notes requires collaboration between cloud
minutes
providers and customers

Redundancy
● The level of protection and against
the failure of a single component

Single Point of Failure Analysis

● Provides a mechanism to identify
and remove single points of failure
from their systems
● The SPOF analysis continues until
the cost of addressing risk
outweighs the benefit
● SPOF can be used in many areas
other than the IT Infrastructure, it
can be applied in management of
HR, 3rd party vendor reliance etc)
_____

Continued Operation of Systems

● Can be ensured in 2 ways:

1) High Availability
● Uses multiple systems to
protect against service
failure (Different from AWS
Cloud as in that it does not
just apply to AZs but rather
everything including multiple
firewalls etc)
2) Fault-Tolerance
● Makes a single system
resilient against technical
failures

Load Balancing
● Spreads demand across available
systems

Common Points of Failure

1) Power Supply
● Contains moving parts
● High failure rate
○ Can use multiple
power supplies
○ Uninterruptible
Power Supplies
(UPS) - supplies
battery to devices
during brief power
disruptions. UPS
may be backed up by
an additional power
generator
○ Power Distribution
Units (PDUs) provide
power clearing and
management for a
rack
2) Storage Media
 ● Protection against the failure
Published using Google Docs of a single storage divide Report abuse Learn more
○ Redundant Array of
Inexpensive Disks
(RAID) : Comes in
Updated automatically every 5
CC- Mike Chapels Notes many different forms minutes
but each is designed
to provide
redundancy by
having more discs
than needed to meet
business needs
○ There are 2 RAID
technologies
■ Mirroring
●
Considered
to be
RAID
Lvl 1
● Server
contains
2
identical
synchronized
discs
■ Striping
● Disc
Striping
with
parity
● RAID
Lvl 5
●
Contains
3 or
more
discs
● Also
includes
an
extra
disc
called
Parity
Block
● When
one of
the
disc
fails,
the
Parity
Block
is
used
to
regenerate
the
failed
disc’s
content
■ RAID is a
Fault-
Tolerance
technique
 NOT a Back-
Published using Google Docs up strategy Report abuse Learn more

Updated automatically every 5

CC- Mike Chapels Notes 3) Networking minutes
● Improve networking
redundancy by having
multiple Internet service
providers
● Improve networking
redundancy by having dual-
network interface cards
(NIC) or NIC Teaming
(similar to how you use
multiple power supplies)
● Implement Multipath
Networking

Fault-Tolerance mechanisms prevents

systems from failing, even if one of these
above points experience a complete failure

Always attempt to add Diversity in your

infrastructure to improve redundancy
● Diversity in Technology Used
● Diversity of Vendors Diversity of
Cryptography
● Diversity of Security Controls
_____

Incident Response

Incident Response Plans

● Provide structure during
cybersecurity incidents
● Outlines policies, procedures and
guidelines that govern cybersecurity
incidents

Elements of a Incident Response Plan

● Statement of Purpose
● Strategies and goals for incident
response
● Approach to incident response
● Communication with other groups
● Senior leadership approval

Tips on best practices:

● When developing your Incident
Response Plan, consult NIST SP
800-61 as you develop your plan
● Also review other organization’s
plan

NIST SP 800-61
● Assists organization mitigating the
potential business impact of
information security incidents
providing practical guidance.
_____

Building a Incident Response Team

IR Team should consist of:

 ● Management
Published using Google Docs ● Information Security Personnel Report abuse Learn more
● SMEs
● Legal Counsel
● Public Affairs
Updated automatically every 5
CC- Mike Chapels Notes ● Human Resources minutes
● Physical Security

If your organization lacks personnels from

these areas:
● Use incident response service
providers to assist if necessary
_____

Incident Communication Plan

● Communications Plans ensure that
all participants have timely, accurate
information
● Make sure to minimize or limit
communications to third parties
(Media etc)
● You will have to choose whether or
not to involve law enforcement
○ Drawbacks of law
enforcement engagement
can be release of sensitive
details to public which may
be unfavorable to the
organization
● Always involve your own
organization’s legal team to ensure
compliance with laws and
organization’s obligations with 3rd
parties.
● Describe communication paths on
how information will trickle down the
organization
_____

Incident Identification

● Organizations have a responsibility

to collect, analyze and retain
security information

Data is crucial to incidence detection

Incident Data Sources

● IDS/IPS - Intrusion Detection
System/Intrusion Prevention System
○ Designed to only provide
an alert about a potential
incident
● Firewalls
● Authentication Systems
● Integrity Monitors
● Vulnerability Scanners
● System Event Logs
● Netflow Records
● Antimalware Packages

Security Incident and Event Management

(SIEM)
● Security solution that collects
information from diverse sources,
 analyzes it for signs for security
Published using Google Docs incidents and retains it for later use. Report abuse Learn more
● Centralized log repositories
● Basically take a load of data, feed it
to the SIEM, and it will spit out
Updated automatically every 5
CC- Mike Chapels Notes details regarding risk minutes

When these systems and security

mechanisms FAIL do detect risks before
dealt with internally, an EXTERNAL source
(customer) may be first to detect a risk

Therefore, IR Team should have a

consistent method for receiving,
recording, and evaluating external
reports
_____

First Responder Duty

● First responders (whomever they
are, whom encounters the risk first)
have a set of responsibilities as they
may have the power to
tremendously reduce risk

Highest Priority
● The highest priority of a First
Responder must be containing
damage through isolation
_____

Disaster Recovery

Disaster Recovery (DR)

● Restores normal operations as
quickly as possible following a
disaster
● Disaster recovery plan steps in
when business continuity plan
fails
● Disaster recovery plan effort is not
finished until organization is
completely back to normal
● Flexibility is key during a disaster
response

Initial Response Goals

1) Contain the damage through
isolation
2) Recover normal operations

Communications required for an effective

DR
● Initial Report
● Status updates
● Ad hoc messages

Once Initial Response is implemented, the

DR team shifts to Assessment Mode
Assessment Mode
● Goal of this mode is to
triage/analyze the damage and
implement recover operations on a
permanent basis
 ● Depending on circumstances there
Published using Google Docs may be an intermediary mode of Report abuse Learn more
Temporary Recovery but will
gradually move to Permanent
Recovery
Updated automatically every 5
CC- Mike Chapels Notes minutes
Recovery Time Objective (RTO)
● Is the targeted amount of time to
restore service after disruption

Recovery Point Objective (RPO)

● Is the targeted amount of data to
recover

Recovery Service Level (RSL)

● Is the targeted percentage of
service to restore
● Also the percentage of service that
must be available during a disaster

_____

Backups
● Provides an organization with a fail-
safe way to recover their data in the
event of
○ Technology failure
○ Human error
○ Natural disaster

Backup Methods
1) Tape Backups
● Practice of periodically
copying data from a primary
storage device to a tape
cartridge
● Traditional method -
outdated
2) Disk-to-disk Backups
● Writes data from Primary
Disks to special disks that
are set aside for backup
purposes
● Backups that are sent to a
storage area network or a
network attached storage
are also fitting in this
category of backup
3) Cloud Backups
● AWS, Azure, GC

Different Types of Backups

1) Full Backups
● Include a complete copy of
all data
○ Snapshots and
images are types of
full backups
2) Differential Backups
● Includes all data modified
since the last full backup
● Supplements Full Backups
3) Incremental Backups
● Include all data modified
since the last full or
incremental backup
 Scenario: Joe performs full backups every
Sunday evening and differential backups
Published using Google Docs Report abuse Learn more
every weekday evening. His system fails on
Friday morning. What backups does he
restore?
Updated automatically every 5
CC- Mike Chapels Notes minutes
A: 1) Sundays Full Backup
2) Thursday’s differential backup

Scenario: Joe performs full backups every

Sunday evening and incremental backups
every weekday evening. His system fails on
Friday morning. What backup does he
restore?

A: 1) Sunday’s Full Backup

2) Monday, Tuesday, Wednesday,
Thursday incremental backups

Trade off: Incremental backups takes

longer to restore but requires smaller
storage

_____

Disaster Recovery Sites

● Provide alternate data processing
facilities
● Usually stay idle until emergency
situation arises

3 Types of Disaster Recovery

Sites/Alternate Processing Facility
1) Hot Site
● Premier for of disaster
recovery facility
● Fully operational Data
Centers
● Can be activated in
moments or automatically
deployed
● Very expensive
2) Cold Site
● Used to restore operations
eventually, but requires a
significant amount of time
● Empty Data Centers
● Stocked with core
equipment, network, and
environmental controls but
do not have the servers or
data required to restore
business
● Relatively Inexpensive
● Activating them may take
weeks or even months
3) Warm Site
● Hybrid of Hot and Cold
● Stocked with core
requirements and data
● Not maintained in parallel
fashion
● Similar in expense as a Hot
Site
● Requires significant less
time from IT Staff
 ● Activating them may take
Published using Google Docs hours or days Report abuse Learn more
Disaster Recovery Sites don’t only
provide a facility for technology operations,
but also serve as an Offsite Storage
Updated automatically every 5
CC- Mike Chapels Notes Location. They are: minutes
● Geographically distant
● Site Resiliency
● Allows backups to be physically
transported to the disaster recovery
facility either manually or
electronically called “Site
Replication”
● Online or offline backups
○ Online backups are available
for restoration immediately,
but is very expensive
○ Offline backups may require
manual intervention, but is
very inexpensive

Alternate Business Process

● A change of an organization’s
business protocols to match the
current Disaster Recovery Plan
_____

Disaster Recovery Testing Goals

1) Validate that the plan functions
correctly
2) Identify necessary plan updates

5 Types of Disaster Recovery Testing

1) Read-through
● Simplest form of Disaster
Recovery Testing
● Asks each team member to
review their role in the
disaster recovery process
and provide feedback
● Known as “Checklist
Reviews”
2) Walk-through
● A more comprehensive
approach but similar to
Read-Through
● Gathers the team together
for a formal review of the
disaster recovery plan
● Known as “Tabletop
Exercise ”
3) Simulation
● Uses a practice scenario to
test the Disaster Recovery
Plan
● Scenario based- very
specific circumstances
4) Parallel Test
● While above are all
theoretical approaches, the
Parallel Test actually
activates the Disaster
Recovery Environment
● However, they do not switch
operations to the backup
environment
 5) Full Interruption
Published using Google Docs ● Most effective Report abuse Learn more
● Activate Disaster Recovery
Environments
● Also switch primary
Updated automatically every 5
CC- Mike Chapels Notes operations to the backup minutes
environment
● Can be very disruptive to
business

Testing strategies often combine multiple

types of tests
_____
Physical Access Controls

Facilities that require Physical Security:

1) Data Centers
● Most important
2) Server Rooms
● Has sensitive information in
less secure locations
3) Media Storage Facilities
● If in a remote location may
require as much security as
the Data Centers
4) Evidence Storage Locations
5) Wiring Closets
● Literally a cluster of wires
● Needs to be protected as it
offers access to digital
eavesdroppers and network
intruders
6) Distribution Cabling
● Neatly organized cables in
the ceiling
7) Operations Center
_____

Types of Physical Security

1) Gates
● Allows you to focus on other
security controls
2) Bollards
● Block vehicles while allowing
pedestrian traffic

CPTED
● Crime Prevention Through
Environmental Design
○ Basically giving principles to
design your crime prevention
mechanisms in a way that is
appropriate with your
environmental surroundings

CPTED Goals
1) Natural Surveillance
● Design your security in a
way that allows you to
observe the natural
surroundings of your facility
○ Windows, Open
Areas, Lightning
2) Natural Access Control
 ●
Narrowing the traffic to a
Published using Google Docs single point of entry Report abuse Learn more
○ Gates, etc
3) Natural Territory Reinforcement
● Making it visually and
Updated automatically every 5
CC- Mike Chapels Notes physically obvious that the minutes
area is closed to the public
○ Signs, Lightnings
_____

Visitor Management
● Visitor management procedures
protect against intrusions

Visitor Procedures
● Describe allowable visit purposes
● Explain visit approval authority
● Describe requirements for
unescorted access
● Explain role of visitor escorts
● All visitor access to secure areas
should be logged
● Visitors should be clearly identified
with distinctive badges
● Cameras add a degree of
monitoring in visitor areas
● Cameras should always be
disclosed
_____

Physical Security (Human Security)

● Receptionists may act as Security
Guards
● Sometimes an “aggressive” look is
sometimes desirable
● Robots may replace human security
patrols

Two Person Rule (Two-Person Integrity)

● Two people must enter sensitive
areas together

Two Person Control

● Two people must have control
access to very sensitive functions,
requiring an agreement of 2 persons
before action
○ Ex=Requiring 2 Keys to
trigger a launch of Nuclear
Missiles
_____

Logical Access Controls

Account Management Tasks

● Implementing Job Rotation
schemes
○ Implementing for employees
to rotate job functions for
purpose of diversity and
integrity in work
● Mandatory Vacation policies
○ People on vacation should
not have access to sensitive
 data
Published using Google Docs ● Managing Account Lifecycle Report abuse Learn more
○ Ensuring that as employees
move around an
organization with different
Updated automatically every 5
CC- Mike Chapels Notes roles, that they are given minutes
access to corresponding
roles
_____

Account Monitoring Procedures

1) Account Audits
● Completed by pulling all
permission list, review, and
make adjustments
● Protects against Inaccurate
Permissions
○ Inaccurate
Permissions
■ Wrong
permissions
assigned that
results in too
little access to
do their job or
too much
access
(violates least
privilege)
■ Result of
Privilege
Creep
○ A
condition
that
occurs
when
users
switch
roles
and
their
previous
role’s
access
to
system
has
not
been
revoked

2) Formal Attestation Process

● Auditors review
documentation to ensure
that managers have formally
approved each user’s
account and access
permissions.

3) Continuous Account Monitoring

● Watch for suspicious activity
● Alert administrations to
anomalies
● Will catch any unauthorized
use of permissions or acts
 ●
Flags Access Policy
Published using Google Docs Violations Report abuse Learn more
○ Impossible travel
time logins
○ Unusual network
Updated automatically every 5
CC- Mike Chapels Notes location logins minutes
○ Unusual time-of-day
logins
○ Deviations from
normal behavior
○ Deviations i volume
of data transferred
4) Geotagging
● Adds user location
information to logs
5) Geofencing
● Alerts when a device leaves
defined boundaries
_____

Provisioning and Deprovisioning

● Involves the process of creating,
updating and deleting user accounts
in multiplace applications and
systems
● Crucial to Identity and Access
Management Task

Provisioning
● After onboarding, administrators
create authentication credentials
and grant appropriate authorization

Deprovisioning
● During the off-boarding process,
administrators disable accounts and
revoke authorizations at the
appropriate time.
● Prompt Termination (quickly
acting after off boarding) is critical
○ Prevents users from
accessing resources without
permission
○ More important if employee
leaves in unfavorable terms

Routine Workflow (For offboarding)

● Disable accounts on a scheduled
basis for planned departures
Emergency Workflow (For offboarding)
● Immediately suspends access when
user is unexpectedly terminated

Incorrect Timed Account-Deprovisioning

may:
● Inform a user in advance of pending
termination
● Allow user to access to resources
after termination

It is a good idea to Deactivate the account

first before permanent removal as it can be
reversed

_____

Authorization
 ● Final step in the Access Control
Published using Google Docs Process Report abuse Learn more
● Determines what an authenticated
user can do
Updated automatically every 5
CC- Mike Chapels Notes Principle of Least Privilege
minutes
● User should have the minimum set
of permission necessary to perform
their job
○ Protects against internal
risks as a malicious
employee’s damage will be
limited to their access
○ Protects against external risk
as if an account was hacked,
the damage they can do
would be limited to the
permissions on the stolen
account.

Mandatory Access Control (MAC) System -

Confidentiality
● Permissions are determined by the
system/operating system
● Users cannot modify any
permissions
● Rule-based access system
● Most Stringent/strict

Discretionary Access Control (DAC)

System - Availability
● Permissions are determined by the
file owners
● Most Common type of access
control
● Flexible

Role-Based Access Control (RBAC)

Systems - Integrity
● Permissions are granted to groups
of people/ job functions
● Group based
_____
Computer Networking

Network
● Connect computers together
● Can connect computers within an
office (LAN) or to the global internet

Local Area Networks (LANs)

● Connect devices in the same
building
● LANs are connected to Wide Area
Networks (WANs)

Wide Area Networks (WANs)

● Connect across large distances
● Connects to different office locations
and also to the internet
● When an LAN is connected to
WAN = Internet

How Devices Connect to a LAN

1) Ethernet
 ●
Connecting a physical
Published using Google Docs Ethernet cable to an internet Report abuse Learn more
jack behind the ball
● The Ethernet Cable is called
the RJ-45 connectors a.k.a 8
Updated automatically every 5
CC- Mike Chapels Notes Pins Connector minutes
● Super fast but requires
physical cables
● FYI: RJ-11 Cables are used
for telephone connections.
They have 6 Pins
2) Wireless Networks (Wi-Fi)
● Create Wireless LANs
3) Bluetooth
● Creates a Personal Area
Network (PANs)
● Designed to support a single
person
● Main purpose is to create a
wireless connection between
a computer and its
peripheral devices
4) Near Field Communication
(NFC) Technology
● Allows extremely short
range wireless connections
(ex= wireless payment)
_____

TCP/IP - Transmission Control

Protocol/Internet Protocol
● A set of standardized rules that
allow computers to communicate on
a network such as the internet.
● Protocol suite at the heart of
networking

Internet Protocols
● Main function is to provide an
addressing scheme, known as
the IP address
● Routes information across networks
● Not just used on the internet
● Can be used at home or an office
● Deliver packets(chunks of
information) from source →
destination
● Serves as a Network Layer
Protocol
○ Supports Transport Layer
Protocols - which have a
higher set of responsibilities

2 Types of Transport Layer Protocols

1) Transmission Control Protocol
(TCP)
● Responsible for majority of
internet traffic
● Is a Connection-Oriented
protocol
○ Connection Oriented
protocol means the
connection is
established
before data is
transferred
 ○ Connection is
Published using Google Docs ensured through TCP Report abuse Learn more
Three-Way
Handshake
■ TCP packets
Updated automatically every 5
CC- Mike Chapels Notes include minutes
special flags
that identify
the packets
known as
TCP Flags.
Within the
TCP Flags:
● SYN
Flag:
Opens
a
connection
● FIN
Flag:
Closes
an
existing
connection
● ACK:
Used
to
acknowledge
a SYN
or FIN
packet

TCP Three-Way
Handshake
1) Source SYN
sent to
request open
connection to
Destination
2) Destination
sends ACK +
request
(SYN) to
reciprocate a
open
connection
3) Source
acknowledges
and sends
ACK

● Guarantees delivery through

the destination system
acknowledging receipt
● Widely used for critical
applications (email , web
traffic etc)

2) User Datagram Protocol (UDP)

● Connectionless Protocol,
not connection-oriented
● Lightweight
● Does NOT use Three-Way
Handshake
● System basically send data
off to each other blindly,
 hoping that it is received on
Published using Google Docs the other end Report abuse Learn more
● Does not perform
acknowledgments
● Does not guarantee delivery
Updated automatically every 5
CC- Mike Chapels Notes minutes
● It's often used for voice and
video applications where
guaranteed delivery is not
essential. Every single
packet doesn't have to reach
the destination for video and
voice to be comprehensible.

OSI (Open Systems Interconnection) Model

● Describes networks as having 7
different layers

Layer 1: Physical Layer

● Responsible for
sending bits over the
network
● Uses wires, radio
waves, fiber optics or
other means
Layer 2: Data Link Layer
● Transfers data
between 2 Nodes
connected to the
same physical
network
Layer 3: Network Layer
● Expands networks to
many different nodes
● Internet Protocol
(IP)
Layer 4: Transport Layer
● Creates connection
between systems
● Transfers data in a
reliable manner
● TCP and UDP
Layer 5: Session Layerauthenti
● Manages the
exchange of
communications
between systems
Layer 6: Presentation Layer
● Translates data so
that it may be
transmitted on a
network
● Encryption and
Decryption
Layer 7: Application Layer
● How users interact
with data, using web
browsers or other
apps

TCP Model vs OSI Model

OSI TCP Model

Layer 1: Physical Layer

 Layer 2 :Data Link Layer Layer 1:
Network
Published using Google Docs Interface layer (Physical + Data) Report abuse Learn more
Layer 3 :Network Layer Layer 2:
Internet Layer
Layer 4 :Transport Layer Layer 3:
Updated automatically every 5
CC- Mike Chapels Notes Transport Layer minutes
Layer 5: Session Layer Layer 4:
Application Layer
(Session+Presentation+Application)
Layer 6: Presentation Layer
Layer 7: Application Layer

_____

For the Internet Protocol (IP) to

successfully deliver traffic between any
two systems on a network, it has to use an
addressing scheme

IP Addresses
● Uniquely identify systems on a
network
● Written in dotted quad
notation (ex- 192.168.1.100). Also
known as IPv4
○ Means 4 numbers separated
by periods
○ Each of these numbers may
range between 0-255
■ Why 255?
● Each number
is
represented
by 8-bit binary
numbers
● Those bits
can represent
2 to the
power of 8 =
256 possible
values
● But we start
at 0 so 256-
1=255

● No duplicates of IP addresses on
Internet-connected systems (Just
like your phone#)
● Allow duplicates if on private
networks
○ Your router or firewall takes
care of translating private IP
Addresses to public IP
addresses when you
communicate over the
internet
○ This translating process is
called NAT (Network
Address Translation)
● IP Addresses are divided into 2
parts
○ 1) Network Address
○ 2) Host Address

The divide of the 2 parts can come in

anywhere
 This uses a concept called sub-
netting
Published using Google Docs Report abuse Learn more
● Sub-
netting
divides
Updated automatically every 5
CC- Mike Chapels Notes domains minutes
so
traffic
is
routed
efficiently

● IPv4 (Containing 4 numbers) is

running out so we are shifting to →
IPv6
○ IPv6
■ Uses 128 bits
(compared to 32 bits
(8x4num bers = 32)
for IPv4
■ Consists of 8 groups
of 4 hexadecimal
numbers
● ex=
fd02:24c1:b942:01f3:ead2:123a:c3d2:cf2f

IP Addresses can be assigned in 2 ways

1) Static IPs
● Manually assigned IP
Address by an administrator
● Must be unique
● Must be within appropriate
range for the network
2) Dynamic Host Configuration
Protocol (DHCP)
● Automatic assignment of IP
Address from an
administrator configured
pool

Typically,
Servers are configured with Static IP
Addresses
End-user devices are configured with
Dynamically-Changing IP Addresses

_____

Network Ports
● Like Apartment #s, guide traffic to
the correct final destination
● IP addresses uniquely identifies a
system while the Network Ports
uniquely identifies a particular
location of a system associated with
a specific application
● Think of it as
○ IP Addresses - Street # of an
Apartment
○ Network Ports- Unit # of an
Apartment

Network Port Numbers

● 16-bit binary numbers
 ● 2 to the power of 16 = 65,646
Published using Google Docs possible values Report abuse Learn more
○ 65,646-1 (for 0) = 0-
65,535 possibilities
Updated automatically every 5
CC- Mike Chapels Notes Port Ranges
minutes
● 0 - 1,023 = Well-known ports
■ Reserved for
common applications
that are assigned by
internet authorities
■ Ensures everyone on
the internet will know
how to find common
services such as :
web servers, email
servers
● Web-servers
use the Well-
known port
80
● Secure Web-
servers use
the Well-
known port
443

● 1,024 - 49,151 = Registered ports

■ Application vendors
may register their
applications to use
these ports
● Examples
○
Microsoft
Reserve
port
1433
for
SQL
Server
database
connections
○ Oracle
Reserve
port
1521
for
Database

● 49,152 - 65,535 = Dynamic ports

■ Applications can use
on a temporary basis

Important Port #s

Administrative Services
● Port 21 : File Transfer Protocol
(FTP)
■ Transfers data
between systems

● Port 22 : Secure Shell (SSH)

■ Encrypted
administrative
 connections to
Published using Google Docs servers Report abuse Learn more
● Port 3389 : Remote Desktop
Protocol (RDP)
Updated automatically every 5
CC- Mike Chapels Notes ■ Encrypted
minutes
administrative
connections to
servers

● Ports 137, 138, and 139 : NetBIOS -

Windows
■ Network
Communications
using the NetBIOS
protocol

● Port 53 : Domain Name Service

(DNS)
■ All systems use Port
53 for DNS lookups

Mail Services
● Port 25 : Simple Mail Transfer
Protocol (SMTP)
■ Exchange email
between servers

● Port 110 : Post Office Protocol

(POP)
■ Allows clients to
retrieve mail

● Port 143 : Internet Message Access

Protocol (IMAP)
■ Allows to retrieve
mail

Web Services
● Port 80 : Hypertext Transfer
Protocol (HTTP)
■ For unencrypted web
communications

● Port 443: Secure HTTP (HTTPS)

■ For encrypted
connections
_____

Securing Wireless Networks

Service Set Identifier (SSID)

● The name of your Wi-Fi
● You can disable visibility of Wi-Fi
(Hide)
● Has an administrative password to
the access point (connection)
● Ensure to immediately change
default administrator passwords
● You can configure what Type of
Network you want
○ 1) Open Network
■ Open for anyone to
use (No Password
Wifi)
○ 2) Other authentication
required Network
 ■ 1) Preshared Keys
Published using Google Docs (Home Wifi, Office, Report abuse Learn more
Cafe)
○
Changing
Updated automatically every 5
CC- Mike Chapels Notes Preshared keys
minutes
is
difficult
○
Prevents
individual
identification
of
users
■ 2) Enterprise
Authentication
○ Uses
individual
passwords
○ 3) Captive Portals
■ Used in Starbucks,
Airports, Tim-Hortons
■ Provide
authentication on
unencrypted wireless
networks
■ Intercepts web
requests to require
Wi-Fi login
_____

Wireless Encryption
● A best practice for network security
● Encryption hides the true content of
network traffic from those without
the decryption key
● Takes, Radio Waves, and makes it
secure
The Original approach to Security was:
Wired Equival7ent Privacy (WEP)
● This is now considered insecure

The Second approach was : Wi-Fi

Protected Access (WPA)
● Changes keys with the Temporal
Key Integrity Protocol (TKIP)
● Changes the encryption key for
each packet : preventing an attacker
from discovering the key after
monitoring the network for along
period of time
● This is now considered insecure

The Improved approach is : Wi-Fi

Protected Access v2 (WPA2)
● Uses an advanced encryption
protocol called Counter Mode
Cipher Block Chaining Message
Authentication Code Protocol
(CCMP)
● WPA is now considered SECURE

The New approach is : Wi-Fi Protected

Access v3 (WPA3)
● Supports Simultaneous
Authentication of Equals (SAE)
 ○ SAE is a secure key
Published using Google Docs exchange protocol based Report abuse Learn more
upon the Diffie-Hellman
Technique, to provide more
secure initial setup of
Updated automatically every 5
CC- Mike Chapels Notes encrypted wireless minutes
communications
● Also supports CCMP protocol

In Summary,

Open Network : Insecure

WEP : Insecure
WPA: Insecure
WPA2 : Secure
WPA3: Secure
_____

Ping and Traceroute

Command Line Network (CLI)

● Provides quick and easy way to
access network
configurations and
troubleshooting information
● Used my giving Commands

Important Commands
1) ping
● Checks whether a remote
system is responding or
accessible
● Works using the Internet
Control Message Protocol
(ICMP)
○ Basically sending a
request and
acknowledgement to
confirm a connection
○
Troublingshooting with
Ping:
■ You can ping
the remote
system:
● a) if
you
receive
a
response
: it is
not a
network
issue
and a
local
web
server
issue
● b) if
you
don’t
receive
a
response
: you
 may
Published using Google Docs next Report abuse Learn more
ping
another
system located
Updated automatically every 5
CC- Mike Chapels Notes on the minutes
internet :
if that
responds
: this
will tell
you
your
internet
is
successful
and
the
issue
is with
the
web
server
or
network
connection
● c) if
you
ping
many
systems
on
internet
and
there
is no
response,
it is
likely
that
the
problem
is on
your
end
● d) You
can
ping a
system
on
your
Local
Network
: if that
responds,
there's
probably
an
issue
with
your
network’s
connection
to the
internet
 ● e) If a
Published using Google Docs Local Report abuse Learn more
Network
does
not
Updated automatically every 5
CC- Mike Chapels Notes respond minutes
:
Either
your
Local
network
is
down
or
there
is a
problem
with
your
computer
● f) Last
Resort
:
Repeat
process
on
another
computer
○ Some systems do
not respond to ping
requests
■ Example : A
firewall may
block ping
requests

2) hping
● Creates customized ping
requests
● A variant of the basic “ping”
command
● Allows you to interrogate a
system to see if it is present
on the network
● Old and not monitored but
still works

3) traceroute
● Determines the network
path between two systems
● If you want to know how
packets are traveling today
from my system Located in
Toronto to a LinkedIn.com
webserver, wherever that is
located
● Works only on Mac and
Linux
● In Windows, it is : tracert

4) pathping
● Windows only command
● Combines ping and
tracert functionality in a
single command

_____
 Network Threats
Published using Google Docs Report abuse Learn more

Malware
● One of the most significant threats Updated automatically every 5
CC- Mike Chapels Notes to computer security minutes
● Short for Malicious Software
● Might steal information, damage
data or disrupt normal use of the
system
● Malwares have 2 components:
○ 1) Propagation Mechanism
■ Techniques the
malware uses to
spread from one
system to another
○ 2) Payload
■ Malicious actions
taken by malware
■ Any type of malware
can carry any type of
payload

Types of Malware

1) Virus
● Spreads after a user takes
some type of user action
○ Example : Opening
an email attachment,
Clicking a Link,
Inserting an infected
USB
● Viruses do not spread
unless someone gives them
a hand
● User education protects
against viruses

2) Worms
● Spread on their own by
exploiting vulnerabilities
● When a worm infects a
system, it will use it as it’s
base for spreading to other
parts of the Local Area
Network
● Worms spread because the
systems are vulnerable
● Patching protects against
worms

3) Trojan Horse
● Pretends to be a useful
legitimate software, with
hidden malicious effect
● When you run the software,
it may perform as expected
however will have
payloads behind the scene
● Application Control protects
against Trojan Horses
○ Application Controls
limit software that
 can run on systems
Published using Google Docs to titles and versions Report abuse Learn more
_____

Botnets
Updated automatically every 5
CC- Mike Chapels Notes ● Are a collection of zombie
minutes
computers used for malicious
purposes
● A network of infected systems
● Steal computing power, network
bandwidth, and storage capacity
● A hacker creating a botnet begins
by
○ 1) Infecting a system with
malware through any
methods
○ 2) Once the malware takes
control of the system (hacker
gains control), he or she
joins/adds it to the
preconceived botnet

How are Botnets Used

● Renting out computing power for
profit
● Delivering spam
● Engaging in DDoS attacks
● Mining Bitcoin and Cryptocurrencies
● Perform Brute Force Attacks -
against passwords

Botnet Command and Control

● Hackers command botnets through
Command and Control Networks as
they relay orders
● Communication must be indirect
(hides the hackers true location)
and redundant
● Must be highly redundant (too
much, alot) because security
analysts will shut them down one by
one. Its a cat and mouse game,
whoever controls the Command and
Control channels retains control of
the Botnet the longest
Types of Command and Control
Mechanisms for Ordering Botnets
● Internet Relay Chat (IRC)
● Twitter
● Peer to Peer within the Botnet

In Summary Botnets:
1) Infect Systems
2) Convert to bots
3) Infect others
4) Check in through Command and
Control Network
5) Get Instructions
6) Deliver payload
_____

Eavesdropping Attacks
● All eavesdropping attacks rely on a
compromised communication path
between a client and a server
 ○ Network Device Tapping
Published using Google Docs ○ DNS poisoning Report abuse Learn more
○ ARP poisoning

● During poisoning attacks hackers

Updated automatically every 5
CC- Mike Chapels Notes may use the Man-in-the-Middle
minutes
technique to trick the user to
connect to the attacker directly, then
the attacker directly connects to the
server. Now the original user logs in
to a fake server set up by the
attacker and the attacker acts as a
relay, the man in the middle, and
can view all of the communications.
● The user will not know that there is
a Man-in-the-Middle intercepting
communications.

Man-in-the-browser Attacks
● Variation of Man-in-the-Middle
attack
● Exploit flaws in browsers and
browser plugins to gain access to
web communications

If the attacker is able to control the network

traffic, they may be able to conduct a Reply
Attack

Replay Attack
● Uses previously captured data, such
as an encrypted authentication
token, to create a separate
connection to the server that’s
authenticated but does not involve
the real end user
● The attacker cannot see the actually
encoded credentials
● They can only see the encoded
version of them
● Prevent Replay Attacks by including
unique characteristics:
○ Token
○ Timestamp

SSL Stripping
● Tricks browsers into using
unencrypted communications
● A variation of eavesdropping attack
● A hacker who has the ability to view
a user’s encrypted web
communication exploits the
vulnerability to trick the users
browser into reverting to
unencrypted communications for
the world to see
● Strips the SSL or TLS protection
_____

Implementation of Attacks

Cryptographic systems may have flaws =

vulnerability = attacks
 Fault Injection Attacks
Published using Google Docs ● Use externally forced errors Report abuse Learn more
● Attacker attempts to compromise
the integrity of a cryptic device by
causing some type of external fault
Updated automatically every 5
CC- Mike Chapels Notes ○ For example : Attacker might minutes
use high-voltage electricity
to cause malfunction that
undermines security
● These failures of security may
cause systems to fail to encrypt
data property.

Side Channel Attacks

● Measure encryption footprints
● Attackers use footprints monitor
system activity and to retrieve
information that is actively being
encrypted
○ For example : If a
cryptographic system is
improperly implemented, it
may be possible for an
attacker to capture the
electromagnetic radiation
emanating from that system
and use the collected signal
to determine the plain text
information that is being
encrypted
○ Timing Attacks
■ A type of Side
Channel Attack
■ Measure encryption
time
■ Attackers precisely
measures how long
cryptographic
operations take to
complete, gaining
information about
cryptographic
process that may be
used to undermine
security

_____

Threat Identification and Prevention

Intrusion Detection Systems (IDS)

● Monitors network traffic for signs of
malicious activity
● MIS USE DETECTION AND
ANOMALY DETECTION
○ Examples of malicious
activity
■ SQL Injections
■ Malformed Packets
■ Unusual Logins
■ Botnet Traffic
● Alerts administrators
● Requires someone to take action

Intrusion Prevention System (IPS)

 ● Automatically block malicious
Published using Google Docs activity Report abuse Learn more
● It is not a perfect system. They
make 2 errors
■ 1) False Positive
Updated automatically every 5
CC- Mike Chapels Notes Error minutes
● IDS/IPS
triggers an
alert when an
attack did not
actually take
place
■ 2) False Negative
Error
● IDS/IPS fails
to trigger an
alert when an
actual attack
occurs

Technology used to identify suspicious

traffic:

1) Signature Detection Systems

● Contain databases with rules
describing malicious activity
● Alert admins to traffic
matching signatures = Rule
based Detection
● Cannot detect brand new
attacks
○ Reduce false positive
rates
● Reliable and time-tested
technology

2) Anomaly Detection Systems

● Builds models of “normal”
activity, and finds an Outlier
● Can detect brand ne attacks
○ But has high false
positive rate
○
Anomaly Detection , Behavior-based
Detection , Heuristic Detection = Same
Thing
_____

IPS Deployment Modes

1) In-band Deployments
● IPS sits in the path of
network traffic
● It can block suspicious traffic
from entering the network
● Risk : It is a single point of
failure so it may disrupt the
entire network

2) Out-of-band (passive) Deployments

● IPS sits outside of network
traffic
● IPS is connected to a SPAN
port on a switch
 ○ Which allows it to
Published using Google Docs receive copies all Report abuse Learn more
traffic sent through
the network to scan
○ It cannot disrupt the
Updated automatically every 5
CC- Mike Chapels Notes flow of traffic minutes
● It can react after suspicious
traffic enters the network
● It cannot pre detect as it can
only know its existence once
it enters the network
_____

Malware Prevention
● Antimalware software protects
against many different threats
● Antimalware software protects
against viruses, worms, Trojan
Horses and spyware

Antivirus software uses 2 types of

mechanisms to protect:

1) Signature Detection
● Watches for known
patterns of malware activity

2) Behavior Detection
● Watches for deviations from
normal patterns of activity
● This type of mechanism is
found in advanced malware
protection tools like the
Endpoint Detection and
Response (EDR)
■ Offer real-
time,
advanced
protection
■ Goes beyond
basic
signature
detection and
performs
deep
instrumentation
of endpoints
■ They analyze:
●
Memory
●
Processor
use
●
Registry
Entries
●
Network
Communications
■ Installed on
Endpoint
devices
■ Can perform
Sandboxing
●
Isolates
 malicious
Published using Google Docs content Report abuse Learn more
_____

Port Scanners
Updated automatically every 5
CC- Mike Chapels Notes minutes
Vulnerability Assessment Tools
1) Port Scanner
● Looks for open network
ports
● Equivalent of rattling all
doorknobs looking for
unlocked doors
● nmap
○ Popular port
scanning tool
/command
2) Vulnerability Scanner
● Looks for known
vulnerabilities
● Scans deeper than Port
Scanner, actually looks at
what services are using
those ports
● Has a database for all
known vulnerability exploits
and tests server to see if it
contains any of those
vulnerabilities
● Nesssus
○ Popular vulnerability
scanner
3) Application Scanner
● Tests deep into application
security flaws
_____

Network Security Infrastructure

Data Centers
● Have significant cooling
requirements
● Current Standard of Temperatures
○ Maintain data center air
temperatures between 64.6
F and 80.6 F = Expanded
Environmental Envelope
● Humidity is also important
○ Dewpoint says : Humidity
41.9 F and 50.0 F
■ This temperature
prevents
condensation and
static electricity
● HVAC is important (Heating,
Ventilation and Air Conditioning
Systems)
● Must also look out for fire, flooding,
electromagnetic interference

Fire Suppression Methods

1) Wet Pipe Systems
● Contains water in the pipes
ready to deploy when a fire
strikes
 ● High Risk for data center
Published using Google Docs 2) Dry Pipe Systems Report abuse Learn more
● Do not contain water
until the valve opens during
a fire alarm.
Updated automatically every 5
CC- Mike Chapels Notes ● Prevents burst pipes, by minutes
removing standby water
3) Chemical Systems
● Removes oxygen

Always place MOUs

● Memorandum of
Understanding
● Outlines the
environmental
requirements
_____

Security Zones

● Firewalls divide networks into

security zones to protect systems of
differing security models

Types of Security Zones

1) Network Border Firewall

● Three network interfaces,
connects 3:
○ Internet
○ Intranet
■ Data Center
Network
■ Guest
Network
■ Wireless
Network
■ Endpoint
Network
○ DMZ
■ You can place
systems that
must accept
connections
from the
outside world
such as mail,
web servers
■ Because it is
open, higher
risk of
compromise
■ If the DMZ is
compromised,
firewalls will
still protect

Zero Trust Approach : Systems do not gain

any trust based solely upon their network
location

3 Special-Purpose Networks
1) Extranet
● Special intranet segments
that are accessible by
 outside parties like business
Published using Google Docs partners Report abuse Learn more
2) Honeynet
● Decoy networks designed to
attract attackers
Updated automatically every 5
CC- Mike Chapels Notes 3) Ad Hoc Networks minutes
● Temporary networks that
may bypass security controls

East-West Traffic
● Network traffic between systems
located in data center

North-South Traffic
● Networks traffic between systems
in the data center and systems on
the Internet
_____

Routers and Switches

Routers, Switches and Bridges are the

building blocks of computer networks

Switches
● Connect devices to the network
● Has many network ports
● Reside in wiring closets and
connect the computers in a building
together
● Ethernet jacks are at the other end
of network cables connected to
switches
● Wireless access points (WAPs)
connect to switches and create Wi-
Fi networks
○ The Physical APs itself has a
wired connection back to the
switch
● Switches can only create Local
Networks
● Layer 2 of OSI Model - Data Link
Layer
● Some switches can be in the Layer
3 of OSI Model - Network
Layer (can interpret IP Addresses)
○ For this to happen, they
must use Routers

Routers
● Connect networks to each other,
making intelligent packet routing
decisions
● Serves as a central aggregation
point for network traffic heading to
or from a large network
● Works as the air traffic controller of
the network
● Makes best path decisions for traffic
to follow
● Use Access Control Lists to limit
some traffic that are entering or
leaving a network, this type of
filtering does not pay attention to
Connection states and are called
Stateless Inspection
 _____
Published using Google Docs Report abuse Learn more
Virtual LANs (VLANs)
● Separates systems on a network
into logical groups based upon
Updated automatically every 5
CC- Mike Chapels Notes function
minutes
● Extend broadcast domain
○ Users on the same VLAN
will be able to directly
contact each other as if they
were connected to the same
switch
● We use VLANs to create network
segmentation which reduces
security risk by liming the ability of
unrelated systems to communicate
with each other
● Micro Segmentation
○ Extreme segmentation
strategy
○ Temporary

Configuring VLANs
1) Enable VLAN trunking
● Allow switches in different
locations on the network to
carry the same VLANs
2) Configure VLANs for each switch
port
_____

Firewalls
● Often sit at the network perimeter
● Between Router and Internet

Switch
I
I
I
Switch —------------- Router —-------------
Firewall —------------- Internet
I
I
I
Switch

Firewalls connect 3 networks together

1) Internet
2) Internal Network
3) DMZ
● Contains systems that must
accept direct external
connections
● Isolates those systems due
to risk of compromise
● Protects internal network
from compromised DMZ
systems

Older Firewalls use Stateless Firewalls

● Evaluate
each
connection
independently
 Modern Firewalls use Stateful Inspection
Published using Google Docs ● Keeps track Report abuse Learn more
of established
connection
Updated automatically every 5
CC- Mike Chapels Notes minutes
Firewalls are basically rules to enter or exit.

Firewall rule must provide

1) Source system address
2) Destination system address
3) Destination port and protocol
4) Action (Allow or Deny)

Firewalls operate on the Principle of

Implicit Deny
● If the
firewall
receives
traffic
not
explicitly
allowed
by a
firewall
rule,
then
that
traffic
must
be
blocked
●
Basically
saying,
if you
don’t
have a
passcard,
you
cannot
get in
as the
door is
always
closed

The Newest type of Firewalls are called

New Generation Firewalls (NGFW)
●
Incorporate contextual
information into
their
decision
making
●
Evaluate
requests
based
on
identity
of
user,
nature
of
 application,
Published using Google Docs time of Report abuse Learn more
day
etc.
Updated automatically every 5
CC- Mike Chapels Notes Other Firewall Roles
minutes
1) Network Address Translation (NAT)
Gateway
● The firewall translates
between the public IP
Addresses used on the
internet and private IP
Addresses used on the local
networks
2) Content/URL Filtering
3) Web application firewall
● Understands how HTTP
protocol works and dive
deep into those application
connections, looking for
signs of SQL Injection,
Cross-site scripting, and
other web application
attacks

Firewall Deployment Options

1) Choose deployment methodology

a) Network Hardware
● Physical
devices that
sit on a
network and
regulate
traffic
b) Host-Based software
Firewalls
● Software
applications
that reside on
a server that
performs
other
functions

Most organizations
choose to use both network firewalls

2) Choose between Open-source

Vs Proprietary technology
● Network Hardware
are always
Proprietary
● Software Firewalls
may be either
Proprietary or Open
Source

3) Choose Deployment Mechanism

a) Hardware Appliance
b) Virtual Appliance
_____

VPNs and VPN Concentrators

 VPNs provide 2 security functions:
Published using Google Docs 1) Site-to-Site VPNs Report abuse Learn more
● Connect remote offices to
each other and headquarters
● Ex= Branch → HQ
Updated automatically every 5
CC- Mike Chapels Notes minutes
2) Remote Access VPNs
● Provide remote access to
corporate networks for
mobile users

VPNs
● Works by using encryption to create
a virtual tunnel between two
systems over the internet
● Everything on one tunnel is
encrypted and decrypted when it
exits
● VPNs require an endpoint that
accepts VPN connections
● Endpoints can be many things:
■ Firewalls
■ Router
■ Server
■ Dedicated VPN
Concentrators -
Used for High
Volume

Firewalls, Router, Server does not

contain specialized hardware that
accelerates
Encryption

IPSec (Internet Protocol Security) Protocol

● Creates encrypted tunnels
● Works at Layer 3 : Network Layer
● Supports Layer 2 Tunneling
Protocol (L2TP)
● Provides secure transport
● Difficult to configure
● Often used for Static Site-to-Site
VPN Tunnels

SSL/TLS VPNs
● Works at the Application Layer over
TCP port 443
● Works on any system on a web
browser
● Port 443 = Almost bypass any
firewall

HTML5 VPNs
● Work entirely within the web
browser
● A remote access VPN

When implementing a remote Access VPN

admins must choose :
1) Full Tunnel VPN
● All network traffic leaving the
connected device is routed
through the VPN tunnel,
regardless of final
destination
 2) Split Tunnel VPN
Published using Google Docs ● Only traffic destined for the Report abuse Learn more
corporate network is sent
through the VPN tunnel
● Other traffic is routed directly
Updated automatically every 5
CC- Mike Chapels Notes over the Internet (risk of minutes
eavesdropping)
● Not as safe so not
recommended

Split-Tunnel VPN provides users with a

false sense of security

Always on VPN
● Connects automatically
● Takes control from the user
● Always protected by strong
encryption
_____

Network Access Control (NAC)

● Intercepts network traffic coming
from unknown devices and verifies
that the system and users are
authorized before allowing further
communication
● Uses 802.1x authentication. This
requires 3 devices
1) Supplicant - Device that
sends request
2) Authenticator - The switch
3) Authentication Server -
Backend

Supplicant(Sends credentials) →
Authenticator(Receives and passes it to
AS) → Authenticator Server (authenticates
and sends results to authenticator →
Authenticator → Supplicant → Access

NAC Roles
1) User and device authentication
(what we discussed above)
2) Role-based access
● Once authenticator learns
the identity of requested
user it places the user in the
network based upon that
user’s identity
3) Posture checking/Health Checking
● Before granting access, it
check for compliance
requirements
○ Validating current
signatures
○ Verifying for antivirus
presence
○ Ensuring proper
firewall configuration
○ If it Fails the posture
check
■ It will be
placed into a
quarantine
VLAN where
 they will have
Published using Google Docs limited Report abuse Learn more
internet
access and
no access to
Updated automatically every 5
CC- Mike Chapels Notes internal minutes
resources
○ Posture checking is
done through an
Agent or Agentless
_____

Internet of Things
● Smart devices

IOT Security Challenges

● Difficult to update
● Connect to home and office wireless
(Risk for malicious actors)
● Connects back to cloud services for
command and control, creating a
pathway for external attackers

Security of IOT
● Check for weak default passwords
● Make sure to regularly update and
patch
● Some have Automatic Updates and
some require Manual Websites
● If worried get Firmware Version
Control
○ Updates are applied in
orderly fashion

● Security Wrappers (For

organizations that must run
vulnerable systems)
○ Mini firewall for devices
○ Device is not directly
reached through network
○ Only process vetted
requests
● Most secure way is Network
Segmentation - isolating network to
a isolated section where they will
not have access to trusted networks
● Application firewalls provide added
protection for embedded devices

Network Segmentation is the most

important control for embedded devices
_____
Cloud Computing

Cloud Computing
● Delivering computing resources to a
remote customer over a network
● Official Definition: A model for
enabling ubiquitous, convenient, on-
demand network access to shared
pool of configurable computing
resources (networks, servers,
storage, applications, services) that
can be rapidly provisioned and
 released with menial management
Published using Google Docs effort or service provider interaction Report abuse Learn more
Cloud Service Categories
1) Software as a Service (SaaS)
Updated automatically every 5
CC- Mike Chapels Notes ● Customer purchases an
minutes
entire app
2) Infrastructure as a Service (IaaS)
● Customer purchase
servers/storage and create
their own IT solutions
3) Platform as a Service (PaaS)
● Customer purchases app
platform

Cloud Deployment Models

1) Private Cloud
● Dedicated Cloud
Infrastructure
2) Public Cloud
● Organization uses a multi-
tenancy infrastructure
(Shared)
3) Hybrid Cloud
● Uses both Private and Public
4) Multi Cloud
● Combines resources from
two different public cloud
vendors (AWS + Azure)
5) Community Cloud
● Shared Consortium

No cloud model is inherently superior to

other approaches. It all depends on
context
_____

Managed Service Providers (MSPs)

● Offer information technology
services to customers

Managed Security Service Providers

(MSSPs)
● Provide security services for other
organizations as a manage service
● Must be carefully monitored
● Lot of service
○ Manage an entire security
infrastructure
○ Monitor system logs
○ Manage firewalls
○ Manage Access & Identity
Management
● MSSPs are also known as Security
as a Service (SECaaS)

Cloud Access Security Brokers (CASB)

● Add a third-party security layer to
the interactions that users have with
other cloud
services
● Works in 2 ways
○ 1) Network-Based CASB
■ Broker intercepts
traffic between the
user and the cloud
 service, monitoring
Published using Google Docs for security issues Report abuse Learn more
■ Broker can block
request
○ 2) API- Based CASB
Updated automatically every 5
CC- Mike Chapels Notes ■ Does not sit on traffic minutes
unlike Network-
Based CASB
■ The broker queries
the cloud service via
API
■ Broker may not be
able to block
requests, depending
upon API capabilities
_____

Vendor Relationship Management

● Ensure that vendor security policies
are at least as stringent as your own
● Vendor lock-in makes it difficult to
switch vendors down the road. So
be careful
● Conduct due diligence
● Socialize with team
● Present to stakeholders
● Schedule weekly meetings

Steps of Vendor Selector

1) Vendor Selection
● Due Diligence
2) Onboarding
● Verify details of contract
● Confirm security incident
notification
3) Monitoring
4) Offboarding
_____

Vendor Agreements

Non-Disclosure Agreements (NDA)

● Keep your mouth shut

Service-Level Requirements (SLR)

● Document specific requirements
that a customer has about any
aspect of a vendor’s service
performance
● Once agreed sign the Service
Level Agreement (SLA)
Memorandum of Understanding (MOU)
● A letter that documents aspects of
relationship
● Commonly used when a legal
dispute is unlikely but customer and
vendor wish to document their
relationship to avoid future
misunderstanding
● Usually used when a department
another company is dealing with
another department

Business Partnership Agreement (BPA)

● Partnership agreement to conduct
business
 Interconnection Security Agreement (ISA)
Published using Google Docs ● Details that two organizations will Report abuse Learn more
interconnect their network

Master Services Agreement (MSA)

Updated automatically every 5
CC- Mike Chapels Notes ● Big project - documentation of
minutes
expected services
○ Statement of Work (SOW) is
used when another project
comes up
○ SOW is governed by terms
in MSA. SOW is like am
abeyance or patch

Ensure Security Requirements are

mentioned in all agreements
_____

Data Security

Encryption
● Uses math to make data unreadable
to unauthorized individuals
● Transforms text from plaintext to
ciphertext
● Uses decryption algorithm key to
read message

You can use Encryption in 2 different

environments:
1) Data at Rest
● Stored data
● Can be in:
○ File
○ Disk
○ Device
2) Data in Transit
● Data that is moving
● HTTPS
● Email
● Mobile Applications
● VPN (Network)
_____

Symmetric vs Asymmetric Cryptography

Symmetric Encryption
● You encrypt and decrypt with the
same shared secret key
● It's like a password to a message
● You will keep needing more keys as
network populates

Asymmetric Encryption
● You encrypt and decrypt with
different keys from the same pair

Keys used for Asymmetric encryption and

decryption (public & private) must be from
the same pair

Advanced Encryption Standard (AES) →

Symmetric
Rivest-Shamir-Adleman (RSA) →
Asymmetric
_____
 Hash Functions
Published using Google Docs ● One-way function that transforms a Report abuse Learn more
variable length input into a unique,
fixed-length output
Updated automatically every 5
CC- Mike Chapels Notes minutes
● One-way function = Cannot be
reversed
● The output of a hash function will
always be same length, regardless
of input size
● No two inputs to a hash function
should produce the same output

All criterias above must be met to have an

effective Hash Function

2 Ways Hash Function can fail:

1) If they are reversible
2) If they are not collision-resistant

Common Hash Functions

You must know which functions are

considered insecure and which remain
secure

1) Message Digest 5 (MD5)

● Ron Rivest created MD5 in
1991
● MD5 is the 5th series of
hash functions
● Message digest is another
term for hash
● MD5 produces 128-bit
hashes
● MD5 is no longer secure

2) SHA-1
● Produces a 160-bit hash
value
● Contains security flaws
● SHA-1 is no longer secure

3) SHA-2
● Replaced SHA-1
● Consists of a family of 6 has
functions
● Produces output of 224, 256,
384 and 512 bits
● Uses a mathematically
similar approach to SHA-1
and MD5
● SHA-2 is no longer secure
4) SHA-3
● Designed to replace SHA-2
● Uses a completely different
has generation approach
than SHA-2
● Produces hashes of user-
selected fixed strength
● Some people do not trust
SHA algorithms because
NSA created it

5) RIPEMD
 ● Created as an alternative to
Published using Google Docs government-sponsored hash Report abuse Learn more
functions
● Produces 128, 160, 256, and
320-bit hashes
Updated automatically every 5
CC- Mike Chapels Notes ● Contains flaws in the 128-bit minutes
version
● 160 bit is widely used. Even
in Bitcoin

Hash Based Message Authentication Code

(HMAC)
● Combines
symmetric cryptography and
hashing
● Provides authentication and integrity
● Create and verify message
authentication code by using a
secret key in conjunction with a
hash function
_____

Data Lifecycle
● Explains the different stages of data
in the cloud

Cycle
1) Create
2) Store
3) Use
4) Share
5) Archive
6) Destroy
● Must be done in a secured
manner
● Data Sanitization
Techniques
○ Clearing overwrites
sensitive information
to frustrate causal
analysis
○ Purging
○ Destroying,
shredding,
pulverization, melting
and burning
_____
Data Classification
● Assign information into categories,
known as classification, that
determine storage, handling, and
access requirements

Assign Classification Based Upon:

1) Sensitivity of Information
2) Criticality of Information

Classification Levels
1) High, Medium, Low
2) Public vs Private

Labeling Requirements
● Requirement to identify sensitive
information

3 Types of Information classified by

External Groups
 1) Personally Identifiable Information
Published using Google Docs (PII) Report abuse Learn more
● Traceable to a specific
person
2) Protected Health Information (PHI)
Updated automatically every 5
CC- Mike Chapels Notes ● Covered by HIPPA minutes
3) Payment Card Information (PCI)
● Covered by PCI DSS
_____

Logging and Monitoring

Logging establishes:
1) Accountability
● Who caused the event
● A.K.A Identity Attribution
2) Traceability
● Uncover all other related
events
3) Auditability
● Provide clear documentation
of the events

Realistically, logging data of a company can

be overwhelming. Artificial
Intelligence can help solve security data
overload

Security Information and Event

Management (SIEM) has 2 functions:
1) They act as a central secure
collection point
● All systems send log
entries directly to the
SIEM
● Firewall log, Web
server log, Database
log, Router log, they
are all sent to to
SIEM where it will
provide an overall
picture
2) Source of Artificial
Intelligence

Intrusion Detection System

● Triggers the initial alert

_____
Security Awareness and Training

Social Engineering
● Manipulating people into divulging
information or performing an action
that undermines security.

6 Reasons why Social Engineering works:

1) Authority
2) Intimidating
3) Consensus
4) Scarcity
5) Urgency
6) Familiarity

Education is the solution

_____
 Impersonation Attacks
Published using Google Docs Report abuse Learn more
Spam
● Unsolicited commercial email
● Phishing Updated automatically every 5
CC- Mike Chapels Notes minutes
○ Phishing is a category of
spam
○ Steales credentials
○ Spear Phishing
■ Highly target
phishing
■ Customized phishing
attacks
○ Whaling
■ Phishing targeted on
executives
○ Pharming
■ Using fake websites
○ Vishing
■ Voice phishing

● Sda
○ Smishing and Spim
■ SMS and IM spam
○ Spoofing
■ Faking an identity
_____

Security Awareness Training

● Programs help educate user about
risks

Security Training
● Provides users with the knowledge
they need to protect the
organization’s security

Security Awareness
● Keeps the lessons learned during
security training top of mind for
employees. Reminder

Security Training Methods

● Instruction in on-site classes
● Integration with orientations
● Education through online computer-
based training providers
● Participation in vendor-provided
classroom training
● Implement Role-based training
● Consider frequency of training
● Review training materials regularly
to ensure relevance

Use a Diversity of Training Techniques

● Phishing simulations
● Gamification
● Capture the Flag exercises
 Published using Google Docs Report abuse Learn more

Updated automatically every 5

CC- Mike Chapels Notes minutes