Mike Chapels Notes_CC (1).pdf

Full Transcript

Breakdown of Exam 3. Availability
Protects authorized access to
Domain 1: Security Principles (26%)
systems and data
Domain 2: Business Continuity, Disaster
Ensures information is available
Recovery, and Incident Response (10%)
to authorized users
Domain 3: Access Control Concepts (22%)
Domain 4: Network Security (24%) =CIA
Domain 5: Security Operations (18%)
Confidentiality Concerns

ISC2 Code of Ethics 1. Snooping
Involves gathering information
1. Protect society and infrastructure that is left out in the open
(Hacking) Clean desk policies protect
Anyone may file a complaint against snooping
2. Act honorably, justly and within laws 2. Dumpster Diving
(Lying) Looking through trash for
Anyone may file a complaint information
3. Serve principles diligently and Shredding protects against
competently (Fulfill your duties) Dumpster Diving
Only employers and clients may 3. Eavesdropping
file under a complaint, due to the Rules about sensitive
nature of the code conversations prevent
4. Advance the information security eavesdropping
profession (Helping cheat exams) 4. Wiretapping
Other Professionals may file a Electronic Eavesdropping
complaint, due to the nature of Encryption protects against
the complaint wiretapping
Professionals only 5. Social Engineering
You are required to report any Attacker uses psychological
witness of violation of Code of tricks to persuade employee to
Ethics give it or give access to
Failure to report witnessed information
violation is a violation Education and Training protects
Submit a Complaints Form to against social engineering
report
You must have a standing before Integrity Concerns
you make a complaint 1. Unauthorized Modification
Standing: Alleged behavior must Attackers make changes without
harm you or your profession in permission (can be internal:
someway employees, or external)
3 Goals of Information Security: Follow the Rules of Least
Privilege to prevent unauthorized
1. Confidentiality modification
Protects information from 2. Impersonation
unauthorized disclosure Attackers pretend to be
2. Integrity someone else
Protects information from User education protects against
unauthorized changes Impersonation
 3. Man-in-the-Middle (MITM) Service outage may occur due to
Attackers place themselves in programming errors, failure of
the middle of communication underlying equipment, and many
sessions more reasons
Intercepts network traffic as Building systems that are
users are logging in to their resilient in the fact of errors and
system and assumes their role. hardware failures protect against
Impersonation on an service outages
electronic/digital level.
Authentication & Authorization
Encryption prevents man-in-the-
middle attacks Access Control Process:
4. Replay
Attackers eavesdrop on logins 1. Identification
and reuse the captured Identification involves making a
credentials claim of identity (Can be false)
Encryption prevents Replay Electronic identification
attacks commonly uses usernames
2. Authentication
Availability Concerns Authentication requires proving a
claim of identity
1. Denial of Service (DoS)
Electronic authentication
When a malicious individual
commonly uses passwords
bombards a system with an
3. Authorization
overwhelming amount of traffic.
Authorization ensures that an
The idea to is to send so many
action is allowed
requests to a server that it is
Electronic authorization
unable to answer any requests
commonly takes the form of
from legitimate users
access control lists
Firewalls block unauthorized
Access Control Lists also
connections to protect against
provides Accounting functionality
Denial of Service attacks
2. Power Outages Accounting allows to track and
maintain logs of user activity
Having redundant power
sources and back-up generators Can track systems and web
protect against power outages browsing history
3. Hardware Failures Authentication + Authorization +
Failure of servers, hard drives, Accounting = AAA
network gear etc
Redundant components protect Password Security
against hardware failure Controls you can implement when setting
Building systems that have a password requirements:
built-in redundancy, so that if one
component fails, the other will Password length requirements
take over Password complexity requirements
4. Destruction Password expiration requirements
Backup data centers protect
against destruction (ex. cloud) Force password changes
5. Service Outages Password history requirements
 Cannot use previously used passwords Non-repudiation

Prevents someone from denying the truth
Every organization should make it easy for
users to change their passwords, however, be Physical signatures can provide non-
careful of password reset process as it may repudiation on contracts, receipts etc
provide an opportunity for attackers to take Digital signatures use encryption to
advantage through unauthorized password provide non-repudiation
reset. Other methods can be biometric security
controls, Video-surveillance etc
Password Managers
Privacy
Secured password vaults often protected
by biometric mechanisms (ex. Organization Privacy Concerns
fingerprints) 1. Protecting our down data - Protect your
Facilitates the use of strong, unique down organizations data
passwords 2. Educating on users - Educated users of
Stores passwords how they can protect their own personal
information
3. Protecting data collected by our
Multi Factor Authentication
organizations - Protecting data that was
3 types of authentication factors: entrusted to the organization (ex. client’s
data)
1. Something you know
Passwords and Pins 2 Types of Private Information:
2. Something you are
1. Personally Identifiable Information
Biometric Security Mechanisms
(PII)
Fingerprints
Any information that can be tied
Voice
back to a specific individual
3. Something you have
2. Protected Health Information (PHI)
Software and Hardware Tokens
Health care records
You combine these factors all together Regulated by HIPPA
= Multi Factor Authentication
Reasonable expectation of privacy
Note: Passwords combined with security
Many laws that govern whether information must
questions are NOT multi factor authentication.
be protected are based upon whether the person
Passwords and security questions are both
disclosing the information had a reasonable
something you know.
expectation of privacy.
Single Sign-On (SSO)
Example, if you upload a YouTube video, you do
Shares authenticated sessions not have an expectation of privacy.
across systems
You do have some expectation of
Organizations create SSO
privacy for private electronic
solutions within their
communications such as: email, instant
organizations to avoid users
chats etc
repeatedly authenticating
You do not have a reasonable
expectation of privacy when sharing PII
with an organization
 You do not have a reasonable Ranking of Risks - By likelihood and impact
expectation of privacy when using
1. Likelihood - Probability a risk will occur
employer resources
2. Impact - Amount of damage a risk will
Risk Management cause

1. Internal Risks 2 Categories of Risk Assessment:
Risks that arise from within the
1. Qualitative Techniques - uses
organization
subjective ratings to evaluate risk
Internal control prevents internal
likelihood and impact: Usually in the form
risks
of low, medium or high on both the
2. External Risks
likelihood and impact scales.
Risks that arise outside the
2. Quantitative Techniques - uses
organization
subjective numeric ratings to evaluate
Build controls that reduce the risk likelihood and impact.
chance of attack/risks being
successful (ex. multi factor Risk Treatment (Management) - analyzes and
authentication, or social implements possible responses to control risk
engineering awareness
Four Types of Risk Treatment:
campaigns)
3. Multiparty Risks 1. Risk Avoidance - Changes business
Risks that affect more than one practices to make a risk irrelevant
organization 2. Risk Transference - Attempting to shift
Intellectual property theft poses the impact of a risk from your
a risk to knowledge-based organization to another organization (ex.
organizations insurance policy)
If attackers are able to alter, ! Note that you cannot always transfer the
delete or steal this information, it risk completely. Reputation damage etc.
would cause significant damage 3. Risk Mitigation - Actions that reduce the
to the organization and its likelihood or impact of a risk
customers/counterparties 4. Risk Acceptance - Choice to continue
Software license agreements operations in the face of a risk
issues risk fines and legal 5. Risk Profile - Combination of risks that
actions for violation of license an organization faces
agreements
Types of Risks:
Risk Assessment - Identifies and triages risks
1. Inherent Risk - Initial level of risk, before
Threat - Are external forces that jeopardize any controls are put in place
security 2. Residual Risk – Risk that is reduced and
what is left of it is known as the residual
Threat Vector - Are methods used by attackers risk
to get to their target (ex. social engineering, 3. Control Risk - New risk that may have
hacker toolkit, etc) been introduced by the controls applied
Vulnerabilities - Are weaknesses in your security to mitigate risk
controls (missing patches, promiscuous firewall Example: Controls applied may be installing a
rules, other security misconfiguration) firewall. while that firewall may have mitigated the
Threat + Vulnerability = Risk inherent risk, the risk of that firewall failing is
another newly introduced risk.
Inherent Risk → Controls Applied → (Residual 3. Physical
Risk + Control Risk) Controls that impact the physical
world
4. Risk Tolerance - Is the level of risk an
Examples: Locks, CCTV
organization is willing to accept
Cameras, and Security guard
Security Controls
Configuration
Are procedures and mechanisms that
Configuration Management
reduce the likelihood or impact of a risk
and help identify issues Tracks the way specific devices are set
up
Defense in Depth
Tracks both operating system settings
Uses overlapping security controls and the inventory of software installed on
Different methods of security with a a device
common objective Should also create Artifacts that may be
used to help understand system
Security professionals uses different categories configuration (Legend, Diagrams, etc)
to group similar security controls
Baselines
(1) First you must group Controls by their
purpose. Provide a configuration snapshot
Dual Net
3 Types of Control Purposes are:
You can use the snapshot to assess if the
1. Prevent - Stops a security issue from settings are outside of an approved
occurring change management process system
2. Detect - Identify security issues requiring Basically the default configuration setting
investigation set by an organization
3. Correct - Remediate security issues that
Versioning/Version Controls
have already occurred
Assigns each release of a piece of
(2) Then group them by their Control
software and an incrementing version
Mechanism.
number that may be used to identify any
3 Types of Control Mechanisms are: given copy
These verison #s are written as three part
1. Technical
decimals, with the:
Use technology to achieve o First number representing the
control objectives major version of software
Examples: Firewalls, Encryption, o Second number representing a
Data Loss Prevention, and major updates
Antivirus Software o Third number representing
Also known as Logical Control minor updates
2. Administrative o Example: IPhone IOS 14.1.2
Uses processes to achieve
control objectives Standardizing Device Configurations by:
Examples: User access reviews,
Standardizing Naming Conventions
log monitoring, and performing
IP Addressing Schemas
background checks
Security Governance 3. Password Policies
Describes password security
You must first identify how domestic and
practices
international Laws and Regulations apply to an
An area where all the password
organization.
requirements (length,
Security Policy Framework - a framework that complexity) gets officially
everyone in an organization must follow. documented
4. Bring Your Own Device Policies
There are 4 types of documents in a Security (BYOD)
Policy Framework: Cover the usage of personal
1. Policies devices with company
Provide the foundation for an information
organization’s information 5. Privacy Policies
security program Cover the use of personally
Describes organization’s identifiable information
security expectations Can be enforced by National &
Policies are set by Senior Local authorities
Management 6. Change Management Policies
Policies should stand the test of Cover the documentation,
time anticipating future changes approval, and rollback of
Compliance with Policies are technology changes
mandatory
2. Standards Business Continuity
Describes the specific details of
security controls Business Continuity Planning (BCP)
Compliance with Standards are
The set of controls designed to keep a
mandatory
business running in the face of adversity,
3. Guidelines
whether natural or man-made
Provide advice to the rest of the
Also known as Continuity of
organization on best practices
Operations Planning (COOP)
Compliance with Guidelines are
Directly impacts the #3 goal of security =
optional
Availability
4. Procedures
When planning, proactively as what
Step-by-step procedures of an
business activities, systems, and
objective.
controls will it configure
Compliance can be mandatory
or optional Business Impact Assessment (BIA)

Best Practice of Security Policies: A risk assessment that uses a
quantitative or qualitative process
1. Acceptable Use Policies (AUP)
Begins by identifying organization’s
Described authorized uses of
mission essential functions and then
technology
traces those backwards to identify the
2. Data Handling Policies
critical IT systems that support those
Describe how to protect sensitive functions
information
In Clouding, Business Continuity Planning o Power Distribution Units
requires collaboration between cloud providers (PDUs) - provide power clearing
and customers and management for a rack
2. Storage Media
Redundancy
Protection against the failure of a
The level of protection and against the single storage divide
failure of a single component Redundant Array of
Inexpensive Disks (RAID):
Single Point of Failure Analysis Comes in many different forms
but each is designed to provide
Provides a mechanism to identify and
redundancy by having more
remove single points of failure from their
discs than needed to meet
systems
business needs.
The SPOF analysis continues until the
There are 2 RAID technologies:
cost of addressing risk outweighs the
o Mirroring
benefit
▪ Considered to be RAID
SPOF can be used in many areas other
Lvl 1
than the IT Infrastructure, it can be
▪ Server contains 2
applied in management of HR, 3rd party
identical synchronized
vendor reliance etc.)
discs
Continued Operation of Systems o Striping Mirroring
▪ Considered to be RAID
Can be ensured in 2 ways: Lvl 1
1. High Availability - Uses multiple ▪ Disc Striping with parity
systems to protect against service failure. ▪ RAID Lvl 5
(Different from AWS Cloud as in that it ▪ Contains 3 or more
does not just apply to AZs but rather discs
everything including multiple firewalls ▪ Also includes an extra
etc.) disc called Parity Block
2. Fault-Tolerance - Makes a single system ▪ When one of the disc
resilient against technical failures fails, the Parity Block is
3. Load Balancing - Spreads demand used to regenerate the
across available systems failed disc’s content
▪ RAID is a Fault-
Common Points of Failure Tolerance technique
NOT a Back-up
1. Power Supply
strategy
Contains moving parts
3. Networking
High failure rate
Improve networking redundancy
Can use multiple power supplies
by having multiple Internet
service providers
o Uninterruptible Power
Improve networking redundancy
Supplies (UPS) - supplies
by having dual-network interface
battery to devices during brief
cards (NIC) or NIC Teaming
power disruptions. UPS may be
(similar to how you use multiple
backed up by an additional
power supplies)
power generator
Implement Multipath Networking
Fault-Tolerance mechanisms - prevents Physical Security
systems from failing, even if one of these above
points experience a complete failure. If your organization lacks personnels from these
areas:
Always attempt to add Diversity in your
o Use incident response service providers
infrastructure to improve redundancy
to assist if necessary.
o Diversity in Technology Used
o Diversity of Vendors Diversity of Incident Communication Plan
Cryptography
o Diversity of Security Controls Communications Plans - ensure that all
participants have timely, accurate
Incident Response information.
Incident Response Plans Make sure to minimize or limit
communications to third parties (Media,
Provide structure during cybersecurity etc)
incidents You will have to choose whether or not to
Outlines policies, procedures and involve law enforcement.
guidelines that govern cybersecurity Drawbacks of law enforcement
incidents engagement can be release of sensitive
details to public which may be
Elements of a Incident Response Plan
unfavorable to the organization
Statement of Purpose Always involve your own organization’s
Strategies and goals for incident legal team to ensure compliance with
response laws and organization’s obligations with
Approach to incident response 3rd parties.
Communication with other groups Describe communication paths on how
Senior leadership approval information will trickle down the
organization
Tips on best practices:
Incident Identification
When developing Incident Response
Plan, consult NIST SP 800-61 Organizations have a responsibility to
Also review other organization’s plan collect, analyze, and retain security
information.
NIST SP 800-61
! Data is crucial to incidence detection
Assists organization mitigating the
potential business impact of information Incident Data Sources
security incidents providing practical Intrusion Detection System/Intrusion
guidance. Prevention System (IDS/IPS) -
Building an Incident Response Team Designed to only provide an alert about a
potential incident
IR Team should consist of: Firewalls
Authentication Systems
Management
Integrity Monitors
Information Security Personnel
Vulnerability Scanners
SMEs
System Event Logs
Legal Counsel
Netflow Records
Public Affairs
Antimalware Packages
Human Resources
Security Incident and Event Management Status updates
(SIEM) Ad hoc messages

Security solution that collects information ! Once Initial Response is implemented, the DR
from diverse sources, analyzes it for team shifts to Assessment Mode
signs for security incidents and retains it
for later use. Assessment Mode
Centralized log repositories Goal of this mode is to triage/analyze the
o Basically, take a load of data, damage and implement recover
feed it to the SIEM, and it will spit operations on a permanent basis
out details regarding risk Depending on circumstances there may
o When these systems and be an intermediary mode of Temporary
security mechanisms FAIL do Recovery but will gradually move to
detect risks before dealt with Permanent Recovery
internally, an EXTERNAL source
(customer) may be first to detect Recovery Time Objective (RTO) - is the
a risk targeted amount of time to restore service after
o Therefore, IR Team should have disruption.
a consistent method for
Recovery Point Objective (RPO) - is the
receiving, recording, and
targeted amount of data to recover.
evaluating external reports
Recovery Service Level (RSL) - is the targeted
First Responder Duty - First responders
percentage of service to restore; Also the
(whomever they are, whom encounters the risk
percentage of service that must be available
first) have a set of responsibilities as they may
during a disaster.
have the power to tremendously reduce risk
Backups - provides an organization with a fail-
Highest Priority - The highest priority of a First
safe way to recover their data in the event of:
Responder must be containing damage through
isolation 1. Technology failure
Disaster Recovery 2. Human error
3. Natural disaster
Disaster Recovery (DR)
Backup Methods
Restores normal operations as quickly as
possible following a disaster 1. Tape Backups - Practice of periodically
Disaster recovery plan steps in when copying data from a primary storage
business continuity plan fails device to a tape cartridge. (Traditional
Disaster recovery plan effort is not method – outdated)
finished until organization is completely 2. Disk-to-disk Backups - Writes data from
back to normal Primary Disks to special disks that are set
Flexibility is key during a disaster aside for backup purposes. Backups that
response are sent to a storage area network or a
network attached storage are also fitting
Initial Response Goals in this category of backup.
1. Contain the damage through isolation 3. Cloud Backups - AWS, Azure, and GC
2. Recover normal operations Different Types of Backups
Communications required for an effective DR: 1. Full Backups - include a complete copy
Initial Report of all data. (e.g, snapshots and images)
 2. Differential Backups - includes all data 2. Cold Site
modified since the last full backup Used to restore operations
(supplements full backups) eventually, but requires a
3. Incremental Backups - include all data significant amount of time
modified since the last full or incremental Empty Data Centers
backup. Stocked with core equipment,
network, and environmental
Scenario 1: ✓ Sundays controls but do not have the
Joe performs Full Backup servers or data required to
full backups ✓ Thursday’s restore business.
every Sunday differential
evening and backup Relatively Inexpensive
differential Activating them may take weeks
backups every or even months.
weekday 3. Warm Site
evening. His Hybrid of Hot and Cold
system fails on
Friday Stocked with core requirements
morning. What and data.
backups does Not maintained in parallel
he restore? fashion
Scenario 2: ✓ Sunday’s Similar in expense as a Hot Site
Joe performs Full Backup
Requires significant less time
full backups ✓ Monday,
every Sunday Tuesday, from IT Staff
evening and Wednesday, Activating them may take hours
incremental Thursday or days.
backups every incremental
weekday backups Disaster Recovery Sites don’t only provide a
evening. His facility for technology operations, but also serve
system fails on as an Offsite Storage Location. They are:
Friday
morning. What Geographically distant
backup does Site Resiliency
he restore?
Allows backups to be physically
transported to the disaster recovery
Disaster Recovery Sites
facility either manually or electronically
Provide alternate data processing called “Site Replication”
facilities. Online or offline backups
Usually stay idle until emergency Online backups are available for
situation arises. restoration immediately, but is very
expensive
3 Types of Disaster Recovery Sites/Alternate
Offline backups may require manual
Processing Facility
intervention, but is very inexpensive
1. Hot Site
Alternate Business Process – A change of an
Premier for of disaster recovery
organization’s business protocols to match the
facility
current Disaster Recovery Plan
Fully operational Data Centers
Can be activated in moments or
automatically deployed.
Very expensive
Disaster Recovery Testing Goals Physical Access Controls

1. Validate that the plan functions correctly Facilities that require Physical Security:
2. Identify necessary plan updates
1. Data Centers - Most important
5 Types of Disaster Recovery Testing 2. Server Rooms - Has sensitive
information in less secure locations
1. Read-through
3. Media Storage Facilities - If in a remote
Simplest form of Disaster location may require as much security as
Recovery Testing the Data Centers
Asks each team member to 4. Evidence Storage Locations
review their role in the disaster 5. Wiring Closets - Literally a cluster of
recovery process and provide wires; Needs to be protected as it offers
feedback access to digital eavesdroppers and
Known as “Checklist Reviews” network intruders
2. Walk-through 6. Distribution Cabling - Neatly organized
A more comprehensive cables in the ceiling
approach but similar to Read- 7. Operations Center
Through
Gathers the team together for a Types of Physical Security
formal review of the disaster 1. Gates - Allows you to focus on other
recovery plan security controls
Known as “Tabletop Exercise ” 2. Bollards - Block vehicles while allowing
3. Simulation pedestrian traffic
Uses a practice scenario to test
the Disaster Recovery Plan CPTED (Crime Prevention Through
Scenario based- very specific Environmental Design) - Basically giving
circumstances principles to design your crime prevention
4. Parallel Test mechanisms in a way that is appropriate with your
While above are all theoretical environmental surroundings
approaches, the Parallel Test CPTED Goals:
actually activates the Disaster
Recovery Environment 1. Natural Surveillance
However, they do not switch Design your security in a way
operations to the backup that allows you to observe the
environment natural surroundings of your
5. Full Interruption facility
Most effective Windows, Open Areas, Lightning
Activate Disaster Recovery 2. Natural Access Control
Environments Narrowing the traffic to a single
Also switch primary operations to point of entry
the backup environment Gates, etc
Can be very disruptive to 3. Natural Territory Reinforcement
business Making it visually and physically
Testing strategies often combine obvious that the area is closed to
multiple types of tests the public
Signs, Lightnings
Visitor Management - Visitor management roles, that they are given access to
procedures protect against intrusions corresponding roles

Visitor Procedures Account Monitoring Procedures

Describe allowable visit purposes 1. Account Audits
Explain visit approval authority Completed by pulling all
Describe requirements for unescorted permission list, review, and make
access adjustments
Explain role of visitor escorts Protects against Inaccurate
All visitor access to secure areas should Permissions
be logged Inaccurate Permissions
Visitors should be clearly identified with Wrong permissions assigned
distinctive badges that results in too little access to
Cameras add a degree of monitoring in do their job or too much access
visitor areas (violates least privilege)
Cameras should always be disclosed Result of Privilege Creep
A condition that occurs when
Physical Security (Human Security) users switch roles and their
Receptionists may act as Security previous role’s access to system
Guards has not been revoked
2. Formal Attestation Process
Sometimes an “aggressive” look is
sometimes desirable Auditors review documentation
to ensure that managers have
Robots may replace human security
formally approved each user’s
patrols
account and access
Two Person Rule (Two-Person Integrity) - Two permissions.
people must enter sensitive areas together 3. Continuous Account Monitoring
Watch for suspicious activity
Two Person Control - Two people must have
Alert administrations to
control access to very sensitive functions,
anomalies
requiring an agreement of 2 persons before
Will catch any unauthorized use
action.
of permissions or acts
Ex. Requiring 2 Keys to trigger a launch of Flags Access Policy Violations
Nuclear Missiles Impossible travel time logins
Unusual network location logins
Logical Access Controls
Unusual time-of-day logins
Account Management Tasks Deviations from normal behavior
Implementing Job Rotation schemes Deviations i volume of data
Implementing for employees to rotate job transferred
functions for purpose of diversity and 4. Geotagging
integrity in work Adds user location information to
Mandatory Vacation policies logs
People on vacation should not have 5. Geofencing
access to sensitive data Alerts when a device leaves
Managing Account Lifecycle defined boundaries
Ensuring that as employees move
around an organization with different
Provisioning and Deprovisioning Principle of Least Privilege

✓ Involves the process of creating, User should have the minimum set of
updating and deleting user accounts in permission necessary to perform their job
multiple applications and systems Protects against internal risks as a
✓ Crucial to Identity and Access malicious employee’s damage will be
Management Task limited to their access
Protects against external risk as if an
Provisioning
account was hacked, the damage they
After onboarding, administrators create can do would be limited to the
authentication credentials and grant permissions on the stolen account.
appropriate authorization
CIA
Deprovisioning
Mandatory Access Control (MAC) System —
During the off-boarding process, Confidentiality
administrators disable accounts and
Permissions are determined by the
revoke authorizations at the appropriate
system/operating system
time.
Users cannot modify any permissions
Prompt Termination (quickly acting after
Rule-based access system
off boarding) is critical
Most Stringent/strict
Prevents users from accessing
resources without permission Discretionary Access Control (DAC) System
More important if employee leaves in — Availability
unfavorable terms
Permissions are determined by the file
Routine Workflow (For offboarding) - Disable owners
accounts on a scheduled basis for planned Most Common type of access control
departures Flexible
Emergency Workflow (For offboarding) - Role-Based Access Control (RBAC) Systems
Immediately suspends access when user is — Integrity
unexpectedly terminated
Permissions are granted to groups of
Incorrect Timed Account-Deprovisioning people/ job functions
may: Group based
Inform a user in advance of pending Computer Networking
termination
Allow user to access to resources after 1. Network
termination Connect computers together
It is a good idea to Deactivate the Can connect computers within
account first before permanent removal an office (LAN) or to the global
as it can be reversed internet
2. Local Area Networks (LANs)
Authorization Connect devices in the same
Final step in the Access Control Process building
Determines what an authenticated user LANs are connected to Wide
can do Area Networks (WANs)
 3. Wide Area Networks (WANs) Internet Protocols
Connect across large distances
Main function is to provide an addressing
Connects to different office
scheme, known as the IP address
locations and also to the internet
Routes information across networks
When an LAN is connected to
Not just used on the internet
WAN = Internet
Can be used at home or an office
How Devices Connect to a LAN Deliver packets(chunks of information)
from source → destination
1. Ethernet
Serves as a Network Layer Protocol
Connecting a physical Ethernet
Supports Transport Layer Protocols -
cable to an internet jack behind
which have a higher set of
the ball
responsibilities
The Ethernet Cable is called the
RJ-45 connectors a.k.a 8 Pins 2 Types of Transport Layer Protocols:
Connector
Super fast but requires physical 1. Transmission Control Protocol (TCP)
cables Responsible for majority of
FYI: RJ-11 Cables are used for internet traffic
telephone connections. They Is a Connection-Oriented
have 6 Pins Protocol
2. Wireless Networks (Wi-Fi) Connection Oriented Protocol
Create Wireless LANs (COP) - means the connection is
3. Bluetooth established before data is
Creates a Personal Area transferred
Network (PANs) Connection is ensured through
Designed to support a single TCP Three-Way Handshake
person TCP packets include special
Main purpose is to create a flags that identify the packets
wireless connection between a known as TCP Flags. Within the
computer and its peripheral TCP Flags:
devices 1.1 SYN Flag: Opens a
4. Near Field Communication connection
(NFC) Technology 1.2 FIN Flag: Closes an existing
connection
Allows extremely short range
1.3 ACK: Used to acknowledge
wireless connections (ex=
a SYN or FIN packet
wireless payment)
TCP Three-Way Handshake
Transmission Control Protocol/Internet 1. Source SYN sent to request
Protocol (TCP/IP) open connection to destination
2. Destination sends ACK +
A set of standardized rules that
request (SYN) to reciprocate an
allow computers to communicate
open connection
on a network such as the
3. Source acknowledges and
internet.
sends ACK
Protocol suite at the heart of
o Guarantees
networking
delivery through the
 destination system TCP and UDP
acknowledging receipt
o Widely used for critical Layer 5: Session Layer
applications (email, web Manages the exchange of
traffic, etc.) communications between
2. User Datagram Protocol (UDP) systems
Connectionless Protocol, not
connection-oriented Layer 6: Presentation Layer
Lightweight
Translates data so that it may be
Does NOT use Three-Way
transmitted on a network
Handshake
Encryption and Decryption
System basically send data off to
each other blindly, hoping that it Layer 7: Application Layer
is received on the other end
How users interact with data,
Does not perform
using web browsers or other
acknowledgments
apps
Does not guarantee delivery
It's often used for voice and OSI Model vs TCP Model
video applications where
OSI TCP Model
guaranteed delivery is not
Layer 1: Physical Layer 1: Network Interface
essential. Every single packet Layer Layer
doesn't have to reach the (Physical + Data)
destination for video and voice to Layer 2: Data Link Layer 2: Internet Layer
Layer
be comprehensible. Layer 3: Network Layer Layer 3: Transport Layer
Layer 4: Transport Layer Layer 4: Application Layer
OSI (Open Systems Interconnection) Model (Session + Presentation +
Application)
Describes networks as having 7 different layers: Layer 5: Session
Layer
Layer 1: Physical Layer Layer 6: Presentation Layer
Layer 7: Application Layer
Responsible for sending bits
over the network
For the Internet Protocol (IP) to successfully
Uses wires, radio waves, fiber deliver traffic between any two systems on a
optics or other means network, it has to use an addressing scheme.
Layer 2: Data Link Layer IP Addresses
Transfers data between 2 Nodes Uniquely identify systems on a network
connected to the same physical
Written in dotted quad notation (ex-
network
192.168.1.100). Also known as IPv4
Layer 3: Network Layer Means 4 numbers separated by periods
Each of these numbers may range
Expands networks to many between 0-255
different nodes Why 255?
Internet Protocol (IP) Each number is represented by 8-bit
Layer 4: Transport Layer binary numbers
Those bits can represent 2 to the power
Transfers data in a reliable of 8 = 256 possible values
manner
 But we start at 0 so 256-1=255 o Automatic assignment of IP
No duplicates of IP addresses on Address from an administrator
Internet-connected systems (Just like configured pool
your phone#) o Typically, Servers are configured
Allow duplicates if on private networks with Static IP Addresses
Your router or firewall takes care of o End-user devices are configured
translating private IP Addresses to public with Dynamically-Changing IP
IP addresses when you communicate Addresses
over the internet
Network Ports
This translating process is called NAT
(Network Address Translation) Like Apartment #s, guide traffic to the
correct final destination
IP Addresses are divided into 2 parts:
IP addresses uniquely identifies a system
1. Network Address while the Network Ports uniquely
2. Host Address identifies a particular location of a system
The divide of the 2 parts can come in associated with a specific application
anywhere
Think of it as:
This uses a concept called sub-netting
o IP Addresses - Street # of an Apartment
Sub-netting divides domains so traffic is routed
o Network Ports - Unit # of an Apartment
efficiently.
Network Port Numbers
IP Address Version 4 (IPv4)
16-bit binary numbers
(Containing 4 numbers) is running out so
2 to the power of 16 = 65,646 possible
we are shifting to → IPv6
values
IP Address Version 6 (IPv6) 65,646-1 (for 0) = 0-65,535 possibilities

Uses 128 bits (compared to 32 bits Port Ranges
(8x4numbers = 32) for IPv4
1. Well-known Ports = 0 - 1,023
Consists of 8 groups of 4 hexadecimal
Reserved for common
numbers
applications that are assigned by
Ex.
internet authorities
fd02:24c1:b942:01f3:ead2:123a:c3d2:cf
Ensures everyone on the
2f
internet will know how to find
IP Addresses can be assigned in 2 ways: common services such as: web
servers, email servers
1. Static IPs Web-servers use the Well-known
o Manually assigned IP Address port 80
by an administrator
Secure Web-servers use the
o Must be unique
Well-known port 443
o Must be within appropriate range
2. Registered Ports = 1,024 - 49,151
for the network
Application vendors may register
their applications to use these
ports
2. Dynamic Host Configuration Protocol
Examples:
(DHCP)
 Microsoft Reserve port
o Ensure to immediately change default
1433 for SQL Server administrator passwords
database connections
o Oracle Reserve port You can configure what Type of Network you
1521 for Database want:
3. Dynamic Ports = 49,152 - 65,535 1. Open Network - Open for anyone to use
Applications can use on a (No Password Wifi)
temporary basis 2. Other authentication required network:
1.1 Preshared Keys (Home Wifi, Office,
Important Port #s
Café)
Administrative Services o Changing Preshared keys is
difficult
Port 21: File Transfer Protocol (FTP) - o Prevents individual
Transfers data between systems identification of users
Port 22: Secure Shell (SSH) - Encrypted 1.2 Enterprise Authentication
administrative connections to servers o Uses individual passwords
Port 3389: Remote Desktop Protocol 1.3 Captive Portals
(RDP) - Encrypted administrative o Used in Starbucks, Airports,
connections to servers Tim-Hortons
Ports 137, 138, and 139: NetBIOS – o Provide authentication on
Windows - Network Communications unencrypted wireless
using the NetBIOS Protocol networks
Port 53: Domain Name Service (DNS) - o Intercepts web requests to
All systems use Port 53 for DNS lookups require Wi-Fi login
Mail Services Wireless Encryption

Port 25: Simple Mail Transfer Protocol A best practice for network security
(SMTP) - Exchange email between Encryption hides the true content of
servers network traffic from those without the
Port 110: Post Office Protocol (POP) - decryption key
Allows clients to retrieve mail Takes, Radio Waves, and makes it
Port 143: Internet Message Access secure
Protocol (IMAP) - Allows to retrieve mail
1. The Original approach to Security
Web Services
was: Wired Equivalent Privacy (WEP)
Port 80: Hypertext Transfer Protocol This is now considered insecure
(HTTP) - For unencrypted web 2. The Second approach was: Wi-Fi
communications Protected Access (WPA)
Port 443: Secure HTTP (HTTPS) - For Changes keys with the Temporal
encrypted connections Key Integrity Protocol (TKIP)
Changes the encryption key for
Securing Wireless Networks
each packet: preventing an
Service Set Identifier (SSID) attacker from discovering the key
after monitoring the network for
The name of your Wi-Fi along period of time
You can disable visibility of Wi-Fi (Hide) This is now considered insecure
Has an administrative password to the
access point (connection)
 3. The Improved approach is: Wi-Fi You can ping the remote system:
Protected Access v2 (WPA2)
a. if you receive a response: it
Uses an advanced encryption
is not a network issue and a
protocol called Counter Mode
local web server issue.
Cipher Block Chaining Message
b. if you don’t receive a
Authentication Code Protocol
response: you may next ping
(CCMP)
another system located on
WPA is now considered
the internet
SECURE
b.1 if that responds: this will
4. The New approach is: Wi-Fi Protected
tell you your internet is
Access v3 (WPA3)
successful and the issue is
Supports Simultaneous
with the web server or
Authentication of Equals (SAE)
network connection
SAE is a secure key exchange
c. if you ping many systems on
protocol based upon the Diffie-
internet and there is no
Hellman Technique, to provide
response, it is likely that the
more secure initial setup of
problem is on your end
encrypted wireless
d. You can ping a system on
communications.
your Local Network: if that
Also supports CCMP protocol responds, there's probably
In Summary, an issue with your network’s
✘ Open Network: Insecure connection to the internet
e. If a Local Network does not
✘ WEP: Insecure
respond: Either your Local
✘ WPA: Insecure network is down or there is a
✔ WPA2: Secure problem with your computer
✔ WPA3: Secure f. Last Resort: Repeat
process on another
Ping and Traceroute computer
Command Line Network (CLI) ! Some systems do not respond to ping requests
Provides quick and easy way to access Example: A firewall may block ping requests
network configurations and 2. HPing
troubleshooting information Creates customized ping
Used my giving Commands requests
Important Commands A variant of the basic “ping”
command
1. Ping Allows you to interrogate a
Checks whether a remote system to see if it is present on
system is responding or the network
accessible Old and not monitored but still
Works using the Internet Control works
Message Protocol (ICMP) 3. Traceroute
Basically, sending a request and Determines the network
acknowledgement to confirm a path between two systems
connection If you want to know how packets
are traveling today from my
Troubling shooting with Ping
 system Located in Toronto to a Worms spread because the
LinkedIn.com webserver, systems are vulnerable
wherever that is located Patching protects against
Works only on Mac and Linux worms
In Windows, it is tracert 3. Trojan Horse
4. PathPing Pretends to be a useful
Windows only command legitimate software, with hidden
Combines ping and malicious effect
tracert functionality in a single When you run the software, it
command may perform as expected
however will have
Network Threats
payloads behind the scene
Malware Application Control protects
against Trojan Horses
One of the most significant threats to Application Controls limit
computer security software that can run on systems
Short for Malicious Software to titles and versions
Might steal information, damage data or
disrupt normal use of the system Botnets

Malwares have 2 components: Are a collection of zombie computers
used for malicious purposes
1. Propagation Mechanism - A network of infected systems
Techniques the malware uses to Steal computing power, network
spread from one system to another bandwidth, and storage capacity
2. Payload - Malicious actions taken by
malware; Any type of malware can carry A hacker creating a botnet begins by:
any type of payload
1. Infecting a system with malware through
Types of Malware any methods
2. Once the malware takes control of the
1. Virus system (hacker gains control), he or she
Spreads after a user takes some joins/adds it to the preconceived botnet
type of user action
Example: Opening an email How are Botnets Used:
attachment, Clicking a Link, and
Renting out computing power for profit
Inserting an infected USB
Delivering spam
Viruses do not spread unless
Engaging in DDoS attacks
someone gives them a hand
Mining Bitcoin and Cryptocurrencies
User education protects against
Perform Brute Force Attacks - against
viruses
passwords
2. Worms
Spread on their own by Botnet Command and Control
exploiting vulnerabilities
When a worm infects a system, it Hackers command botnets through
will use it as it’s base for Command and Control Networks as they
spreading to other parts of the relay orders
Local Area Network Communication must be indirect (hides
the hackers true location) and redundant
 Must be highly redundant (too much, If the attacker is able to control the
alot) because security analysts will shut network traffic, they may be able to
them down one by one. It’s a cat and conduct a Reply Attack
mouse game, whoever controls the
Replay Attack
Command and Control channels retains
control of the Botnet the longest Uses previously captured data, such as
Types of Command and Control Mechanisms an encrypted authentication token, to
for Ordering Botnets create a separate connection to the
server that’s authenticated but does not
Internet Relay Chat (IRC) involve the real end user
Twitter The attacker cannot see the actually
Peer to Peer within the Botnet encoded credentials
They can only see the encoded version
In Summary Botnets:
of them
1. Infect Systems
Prevent Replay Attacks by including unique
2. Convert to bots
characteristics:
3. Infect others
4. Check in through Command and Control Token
Network Timestamp
5. Get Instructions
6. Deliver payload SSL Stripping

Eavesdropping Attacks Tricks browsers into using unencrypted
communications
All eavesdropping attacks rely on a A variation of eavesdropping attack
compromised communication path A hacker who has the ability to view a
between a client and a server user’s encrypted web communication
Network Device Tapping exploits the vulnerability to trick the users
DNS poisoning browser into reverting to
ARP poisoning unencrypted communications for the
world to see
During poisoning attacks, hackers may use the
Strips the SSL or TLS protection
Man-in-the-Middle technique to trick the user to
connect to the attacker directly, then the attacker Implementation of Attacks
directly connects to the server. Now the original
user logs in to a fake server set up by the attacker Cryptographic systems may have flaws =
and the attacker acts as a relay, the man in the vulnerability = attacks
middle can view all of the communications. Fault Injection Attacks
The user will not know that there is a Man-in-the- Use externally forced errors
Middle intercepting communications.
Attacker attempts to compromise the
Man-in-the-browser Attacks integrity of a cryptic device by causing
some type of external fault
Variation of Man-in-the-Middle attack For example: Attacker might use high-
Exploit flaws in browsers and browser voltage electricity to cause malfunction
plugins to gain access to web that undermines security
communications These failures of security may cause
systems to fail to encrypt data property.
Side Channel Attacks 2. False Negative Error - IDS/IPS
fails to trigger an alert when an
Measure encryption footprints actual attack occurs
Attackers use footprints monitor system
activity and to retrieve information that is Technology used to identify suspicious
actively being encrypted. traffic:
For example: If a cryptographic system is
1. Signature Detection Systems
improperly implemented, it may be
Contain databases with rules
possible for an attacker to capture the
describing malicious activity
electromagnetic radiation emanating
Alert admins to traffic matching
from that system and use the collected
signatures = Rule based
signal to determine the plain text
Detection
information that is being encrypted.
Cannot detect brand new attacks
Timing Attacks Reduce false positive rates
Reliable and time-tested
A type of Side Channel Attack
technology
Measure encryption time
2. Anomaly Detection Systems
Attackers precisely measures how long
Builds models of “normal”
cryptographic operations take to
activity, and finds an Outlier
complete, gaining information about
Can detect brand new attacks
cryptographic process that may be used
But has high false positive rate
to undermine security.
Anomaly Detection, Behavior-based Detection,
Threat Identification and Prevention
and Heuristic Detection = Same Thing
Intrusion Detection Systems (IDS)
IPS Deployment Modes
Monitors network traffic for signs of
malicious activity 1. In-band Deployments
Misuse Detection and Anomaly Detection IPS sits in the path of network
traffic
Examples of malicious activity: It can block suspicious traffic
SQL Injections from entering the network
Malformed Packets Risk: It is a single point of failure
so it may disrupt the entire
Unusual Logins
network
Botnet Traffic
2. Out-of-band (passive) Deployments
Alerts administrators
IPS sits outside of network traffic
Requires someone to take action
IPS is connected to a SPAN port
Intrusion Prevention System (IPS) on a switch
Which allows it to receive copies
Automatically block malicious activity all traffic sent through the
It is not a perfect system. They make 2 network to scan
errors: It cannot disrupt the flow of traffic
1. False Positive Error - IDS/IPS
It can react after suspicious
triggers an alert when an attack did
traffic enters the network
not actually take place
It cannot pre detect as it can only
know its existence once it enters
the network
Malware Prevention Popular port scanning tool
/command
Antimalware software protects against
2. Vulnerability Scanner
many different threats.
Looks for known vulnerabilities
Antimalware software protects against
Scans deeper than Port
viruses, worms, Trojan Horses, and
Scanner, actually looks at what
spyware.
services are using those ports
Antivirus software uses 2 types of Has a database for all known
mechanisms to protect: vulnerability exploits and tests
server to see if it contains any of
1. Signature Detection those vulnerabilities
Watches for known patterns of Nesssus
malware activity Popular vulnerability scanner
2. Behavior Detection 3. Application Scanner
Watches for deviations from Tests deep into application
normal patterns of activity security flaws
This type of mechanism is found
in advanced malware protection Network Security Infrastructure
tools like the Endpoint Detection
Data Centers
and Response (EDR)
Offer real-time, advanced Have significant cooling requirements
protection Current Standard of Temperatures
Goes beyond basic signature Maintain data center air temperatures
detection and performs deep between 64.6 F and 80.6 F = Expanded
instrumentation of endpoints Environmental Envelope
Humidity is also important
They analyze:
Dewpoint says: Humidity 41.9 F and 50.0
o Memory F
o Processor use This temperature prevents condensation
o Registry Entries and static electricity
o Network HVAC is important (Heating, Ventilation
Communications and Air Conditioning Systems)
o Installed on Endpoint Must also look out for fire, flooding,
devices electromagnetic interference
o Can perform
Sandboxing Fire Suppression Methods
o Isolates malicious
1. Wet Pipe Systems
content
Contains water in the pipes
Port Scanners ready to deploy when a fire
strikes
Vulnerability Assessment Tools High Risk for data center
1. Port Scanner 2. Dry Pipe Systems
Looks for open network ports Do not contain water until the
Equivalent of rattling all valve opens during a fire alarm.
doorknobs looking for unlocked Prevents burst pipes, by
doors removing standby water
nmap
 3. Chemical Systems North-South Traffic - Networks traffic
Removes oxygen between systems in the data center and systems
Always place MOUs on the Internet
Memorandum of Understanding
Routers and Switches
Outlines the environmental
requirements Routers, Switches and Bridges are the
building blocks of computer networks.
Security Zones
Switches
Firewalls divide networks into security
zones to protect systems of differing Connect devices to the network
security models Has many network ports
Reside in wiring closets and connect the
Types of Security Zones:
computers in a building together
Network Border Firewall Ethernet jacks are at the other end of
network cables connected to switches
Three network interfaces, connects 3:
Wireless access points (WAPs) connect
o Internet
to switches and create Wi-Fi networks
o Intranet
The Physical APs itself has a wired
o Data Center Network
connection back to the switch
Switches can only create Local Networks
o Guest Network
Layer 2 of OSI Model - Data Link Layer
o Wireless Network
o Endpoint Network Some switches can be in the Layer 3 of
OSI Model - Network Layer (can interpret
Demilitarized Zone (DMZ) IP Addresses)
For this to happen, they must use
You can place systems that must accept
Routers
connections from the outside world such
as mail, web servers Routers
Because it is open, higher risk of
compromise Connect networks to each other, making
intelligent packet routing decisions
If the DMZ is compromised, firewalls will
still protect Serves as a central aggregation point for
network traffic heading to or from a large
Zero Trust Approach: Systems do not gain any network
trust based solely upon their network location Works as the air traffic controller of the
network
3 Special-Purpose Networks
Makes best path decisions for traffic to
1. Extranet - Special intranet segments that follow
are accessible by outside parties like
Stateless Inspection - Use Access Control Lists
business partners
to limit some traffic that are entering or leaving a
2. Honeynet - Decoy networks designed to
netwo