ISC2 Security Exam Breakdown PDF

Summary

This document outlines the breakdown of an exam focusing on security principles, business continuity, and disaster recovery. It also explores access controls, network security, and security operations. The document touches on areas like confidentiality, integrity, and availability concerns.

Full Transcript

Breakdown of Exam

Domain 1: Security Principles (26%)

Domain 2: Business Continuity, Disaster Recovery, and Incident Response (10%)

Domain 3: Access Control Concepts (22%)

Domain 4: Network Security (24%)

Domain 5: Security Operations (18%)

_____

ISC2 Code of Ethics

Protect society and infrastructure (Hacking)
Anyone may file a complaint

Act honorably, justly and within laws (Lying)
Anyone may file a complaint

Serve principles diligently and competently (Fulfill your duties)
Only employers and clients may file under a complaint, due to the nature of the code

Advance the information security profession (Helping cheat exams)
Other Professionals may file a complaint, due to the nature of the complaint
Professionals only

You are required to report any witness of violation of Code of Ethics
Failure to report witnessed violation is a violation
Submit a Complaints Form to report
You must have a standing before you make a complaint
Standing: Alleged behavior must harm you or your profession in someway
_____

3 Goals of Information Security

Confidentiality
Protects information from unauthorized disclosure
Integrity
Protects information from unauthorized changes
Availability
Protects authorized access to systems and data
Ensures information is available to authorized users
= CIA

Confidentiality Concerns

Snooping
Involves gathering information that is left out in the open
Clean desk policies protect against snooping
Dumpster Diving
Looking through trash for information
Shredding protects against Dumpster Diving
Eavesdropping
Rules about sensitive conversations prevent eavesdropping
Wiretapping
Electronic Eavesdropping
Encryption protects against wiretapping
Social Engineering
Attacker uses psychological tricks to persuade employee to give it or give access to information
Education and Training protects against social engineering
_____

Integrity Concerns

Unauthorized Modification
Attackers make changes without permission (can be internal=employees or external
Follow the Rules of Least Privilege to prevent unauthorized modification
Impersonation
Attackers pretend to be someone else
User education protects against Impersonation
Man-in-the-Middle (MITM)
Attackers place the themselves in the middle of communication sessions
Intercepts network traffic as users are logging in to their system and assumes their role.
Impersonation on an electronic/digital level.
Encryption prevents man-in-the-middle attacks
Replay
Attackers eavesdrop on logins and reuse the captured credentials
Encryption prevents Replay attacks
_____

Availability Concerns

Denial of Service (DoS)
When a malicious individual bombards a system with an overwhelming amount of traffic.
The idea to is to send so many requests to a server that it is unable to answer any requests from legitimate users
Firewalls block unauthorized connections to protect against Denial of Service attacks
Power Outages
Having redundant power sources and back-up generators protect against power outages
Hardware Failures
Failure of servers, hard drives, network gear etc
Redundant components protect against hardware failure
Building systems that have a built-in redundancy, so that if one component fails, the other will take over
Destruction
Backup data centers protect against destruction (ex=cloud)
Service Outages
Service outage may occur due to programming errors, failure of underlying equipment, and many more reasons
Building systems that are resilient in the fact of errors and hardware failures protect against service outages
_____

Authentication & Authorization

Access Control Process

Identification
Identification involves making a claim of identity (Can be false)
Electronic identification commonly uses usernames
Authentication
Authentication requires proving a claim of identity
Electronic authentication commonly uses passwords
Authorization
Authorization ensures that an action is allowed
Electronic authorization commonly takes the form of access control lists
Access Control Lists also provides Accounting functionality
Accounting allows to track and maintain logs of user activity
Can track systems and web browsing history

Authentication + Authorization + Accounting = AAA

_____

Password Security

Controls you can implement when setting password requirements:

Password length requirements
Password complexity requirements
Password expiration requirements
Force password changes
Password history requirements
Cannot use previously used passwords

Every organization should make it easy for users to change their passwords, however, be careful of password reset process as it may provide an opportunity for attackers to take advantage through unauthorized password reset.

Password Managers

Secured password vaults often protected by biometric mechanisms (ex=fingerprints)
Facilitates the use of strong, unique passwords
Stores passwords
_____

Multi Factor Authentication

3 types of authentication factors

Something you know
Passwords, Pins
Something you are
Biometric Security Mechanisms
Fingerprints
Voice
Something you have
Software and Hardware Tokens

You combine these factors all together = Multi Factor Authentication

Note: Passwords combined with security questions are NOT multi factor authentication. Passwords and security questions are both something you know

Single Sign-On (SSO)

Shares authenticated sessions across systems
Organizations create SSO solutions within their organizations to avoid users repeatedly authenticating
_____

Non-repudiation

Prevents someone from denying the truth
Physical signatures can provide non-repudiation on contracts, receipts etc
Digital signatures use encryption to provide non-repudiation
Other methods can be biometric security controls, Video-surveillance etc

_____

Privacy

Organization Privacy Concerns

Protecting our down data
Protect your down organizations data
Educating on users
Educated users of how they can protect their own personal information
Protecting data collected by our organizations
Protecting data that was entrusted to the organization (ex= client’s data)

2 Types of Private Information

Personally-Identifiable Information (PII)
Any information that can be tied back to a specific individual
Protected Health Information (PHI)
Health care records
Regulated by HIPPA

Reasonable expectation of privacy

Many laws that govern whether information must be protected are based upon whether the person disclosing the information had a reasonable expectation of privacy
Ex= if you upload a YouTube video, you do not have a expectation of privacy
You do have some expectation of privacy for private electronic communications such as: email, instant chats etc
You do not have a reasonable expectation of privacy when sharing PII with an organization
You do not have a reasonable expectation of privacy when using employer resources
_____

Risk Management

Internal Risks
Risks that arise from within the organization
Internal control prevents internal risks
External Risks
Risks that arise outside the organization
Build controls that reduce the chance of attack/risks being successful (ex= multi factor authentication, or social engineering awareness campaigns)

Multiparty Risks
Risks that affect more than one organization
Intellectual property theft poses a risk to knowledge-based organizations
If attackers are able to alter, delete or steal this information, it would cause significant damage to the organization and its customers/counterparties
Software license agreements issues risk fines and legal actions for violation of license agreements
_____

Risk Assessment

Identifies and triages risks

Threat

Are external forces that jeopardize security
Threat Vector
Threat Vectors are methods used by attackers to get to their target (ex= social engineering, hacker toolkit, etc)

Vulnerabilities

Are weaknesses in your security controls
Examples : Missing patches, Promiscuous Firewall rules, other security misconfiguration

Threat + Vulnerability = Risk

______

Ranking of Risks

We rank risks by likelihood and impact

Likelihood

Probability a risk will occur
Impact

Amount of damage a risk will cause

2 Categories of Risk Assessment

Qualitative Techniques
Uses subjective ratings to evaluate risk likelihood and impact: Usually in the form of low, medium or high on both the likelihood and impact scales.
Quantitative Techniques
Uses subjective numeric ratings to evaluate risk likelihood and impact
_____

Risk Treatment (Management)

Analyzes and implements possible responses to control risk

4 Types of Risk Treatment

Risk Avoidance
Changes business practices to make a risk irrelevant
Risk Transference
Attempting to shift the impact of a risk from your organization to another organization
Example : Insurance policy
Note that you cannot always transfer the risk completely. Reputation damage etc.
Risk Mitigation
Actions that reduce the likelihood or impact of a risk
Risk Acceptance
Choice to continue operations in the face of a risk

Risk Profile

Combination of risks that an organization faces
_____

Inherent Risk

Initial level of risk, before any controls are put in place

Residual Risk

Risk that is reduced and what is left of it is known as the residual risk

Control Risk

New risk that may have been introduced by the controls applied to mitigate risk
Example : Controls Applied may be installing a firewall. While that firewall may have mitigated the inherent risk, the risk of that firewall failing is another newly introduced risk

Inherent Risk → Controls Applied → (Residual Risk + Control Risk)

Risk Tolerance

Is the level of risk an organization is willing to accept
_____

Security Controls

Are procedures and mechanisms that reduce the likelihood or impact of a risk and help identify issues

Defense in Depth

Uses overlapping security controls
Different methods of security with a common objective

Security professionals uses different categories to group similar security controls

First you must group Controls by their purpose. 3 Types of Control Purposes are:

Prevent
Stops a security issue from occurring
Detect
Identify security issues requiring investigation
Correct
Remediate security issues that have already occurred

Then group them by their Control Mechanism: 3 Types of Control Mechanisms are:

Technical
Use technology to achieve control objectives
Examples: Firewalls, Encryption, Data Loss Prevention, Antivirus Software)
Technical Control a.k.a Logical Control
Administrative
Uses processes to achieve control objectives
Examples: User access reviews, log monitoring, performing background checks)
Physical
Controls that impact the physical world
Examples: Locks, Security guard
_____

Configuration Management

Tracks the way specific devices are set up
Tracks both operating system settings and the inventory of software installed on a device
Should also create Artifacts that may be used to help understand system configuration (Legend, Diagrams, etc)

Baselines

Provide a configuration snapshot
Dual Net
You can use the snapshot to assess if the settings are outside of an approved change management process system
Basically the default configuration setting set by an organization
Versioning/Version Controls

Assigns each release of a piece of software and an incrementing version number that may be used to identify any given copy
These verison #s are written as three part decimals, with the
First number representing the major version of software
Second number representing a major updates
Third number representing minor updates
Ex= IPhone IOS 14.1.2

Standardizing Device Configurations by:

Standardizing Naming conventions
IP Addressing schemas

_____

Security Governance

You must first identify how domestic and international Laws and Regulations apply to an organization

Security Policy Framework

A framework that everyone in an organization must follow
There are 4 types of documents in a Security Policy Framework
Policies
Provide the foundation for an organization’s information security program
Describes organization’s security expectations
Policies are set by Senior Management
Policies should stand the test of time anticipating future changes
Compliance with Policies are mandatory
Standards
Describes the specific details of security controls
Compliance with Standards are mandatory
Guidelines
Provide advice to the rest of the organization on best practices
Compliance with Guidelines are optional
Procedures
Step-by-step procedures of an objective.
Compliance can be mandatory or optional
_____

Best Practice of Security Policies

Acceptable Use Policies (AUP)
Described authorized uses of technology
Data Handling Policies
Describe how to protect sensitive information
Password Policies
Describes password security practices
An area where all the password requirements (length, complexity) gets officially documented
Bring Your Own Device Policies (BYOD)
Cover the usage of personal devices with company information
Privacy Policies
Cover the use of personally identifiable information
Can be enforced by National & Local authorities
Change Management Policies
Cover the documentation, approval, and rollback of technology changes

_____

Business Continuity

Business Continuity Planning (BCP)

The set of controls designed to keep a business running in the face of adversity, whether natural or man-made
Also known as Continuity Of Operations Planning (COOP)
Directly impacts the #3 goal of security = Availability
When planning, proactively as what business activities, systems, and controls will it configure

Business Impact Assessment (BIA)

A risk assessment that uses a quantitative or qualitative process
Begins by identifying organization’s mission essential functions and then traces those backwards to identify the critical IT systems that support those functions

In Clouding, Business Continuity Planning requires collaboration between cloud providers and customers

Redundancy

The level of protection and against the failure of a single component

Single Point of Failure Analysis

Provides a mechanism to identify and remove single points of failure from their systems
The SPOF analysis continues until the cost of addressing risk outweighs the benefit
SPOF can be used in many areas other than the IT Infrastructure, it can be applied in management of HR, 3rd party vendor reliance etc)
_____

Continued Operation of Systems

Can be ensured in 2 ways:

High Availability
Uses multiple systems to protect against service failure (Different from AWS Cloud as in that it does not just apply to AZs but rather everything including multiple firewalls etc)
Fault-Tolerance
Makes a single system resilient against technical failures

Load Balancing

Spreads demand across available systems

Common Points of Failure

Power Supply
Contains moving parts
High failure rate
Can use multiple power supplies
Uninterruptible Power Supplies (UPS) - supplies battery to devices during brief power disruptions. UPS may be backed up by an additional power generator
Power Distribution Units (PDUs) provide power clearing and management for a rack
Storage Media
Protection against the failure of a single storage divide
Redundant Array of Inexpensive Disks (RAID) : Comes in many different forms but each is designed to provide redundancy by having more discs than needed to meet business needs
There are 2 RAID technologies
Mirroring
Considered to be RAID Lvl 1
Server contains 2 identical synchronized discs
Striping
Disc Striping with parity
RAID Lvl 5
Contains 3 or more discs
Also includes an extra disc called Parity Block
When one of the disc fails, the Parity Block is used to regenerate the failed disc’s content
RAID is a Fault-Tolerance technique NOT a Back-up strategy

Networking
Improve networking redundancy by having multiple Internet service providers
Improve networking redundancy by having dual-network interface cards (NIC) or NIC Teaming (similar to how you use multiple power supplies)
Implement Multipath Networking

Fault-Tolerance mechanisms prevents systems from failing, even if one of these above points experience a complete failure

Always attempt to add Diversity in your infrastructure to improve redundancy

Diversity in Technology Used
Diversity of Vendors Diversity of Cryptography
Diversity of Security Controls
_____

Incident Response

Incident Response Plans

Provide structure during cybersecurity incidents
Outlines policies, procedures and guidelines that govern cybersecurity incidents

Elements of a Incident Response Plan

Statement of Purpose
Strategies and goals for incident response
Approach to incident response
Communication with other groups
Senior leadership approval

Tips on best practices:

When developing your Incident Response Plan, consult NIST SP 800-61 as you develop your plan
Also review other organization’s plan

NIST SP 800-61

Assists organization mitigating the potential business impact of information security incidents providing practical guidance.
_____

Building a Incident Response Team

IR Team should consist of:

Management
Information Security Personnel
SMEs
Legal Counsel
Public Affairs
Human Resources
Physical Security

If your organization lacks personnels from these areas:

Use incident response service providers to assist if necessary
_____

Incident Communication Plan

Communications Plans ensure that all participants have timely, accurate information
Make sure to minimize or limit communications to third parties (Media etc)
You will have to choose whether or not to involve law enforcement
Drawbacks of law enforcement engagement can be release of sensitive details to public which may be unfavorable to the organization
Always involve your own organization’s legal team to ensure compliance with laws and organization’s obligations with 3rd parties.
Describe communication paths on how information will trickle down the organization
_____

Incident Identification

Organizations have a responsibility to collect, analyze and retain security information

Data is crucial to incidence detection

Incident Data Sources

IDS/IPS - Intrusion Detection System/Intrusion Prevention System
Designed to only provide an alert about a potential incident
Firewalls
Authentication Systems
Integrity Monitors
Vulnerability Scanners
System Event Logs
Netflow Records
Antimalware Packages

Security Incident and Event Management (SIEM)

Security solution that collects information from diverse sources, analyzes it for signs for security incidents and retains it for later use.
Centralized log repositories
Basically take a load of data, feed it to the SIEM, and it will spit out details regarding risk

When these systems and security mechanisms FAIL do detect risks before dealt with internally, an EXTERNAL source (customer) may be first to detect a risk

Therefore, IR Team should have a consistent method for receiving, recording, and evaluating external reports

_____

First Responder Duty

First responders (whomever they are, whom encounters the risk first) have a set of responsibilities as they may have the power to tremendously reduce risk

Highest Priority

The highest priority of a First Responder must be containing damage through isolation
_____

Disaster Recovery

Disaster Recovery (DR)

Restores normal operations as quickly as possible following a disaster
Disaster recovery plan steps in when business continuity plan fails
Disaster recovery plan effort is not finished until organization is completely back to normal
Flexibility is key during a disaster response

Initial Response Goals

Contain the damage through isolation
Recover normal operations

Communications required for an effective DR

Initial Report
Status updates
Ad hoc messages

Once Initial Response is implemented, the DR team shifts to Assessment Mode

Assessment Mode

Goal of this mode is to triage/analyze the damage and implement recover operations on a permanent basis
Depending on circumstances there may be an intermediary mode of Temporary Recovery but will gradually move to Permanent Recovery

Recovery Time Objective (RTO)

Is the targeted amount of time to restore service after disruption

Recovery Point Objective (RPO)

Is the targeted amount of data to recover

Recovery Service Level (RSL)

Is the targeted percentage of service to restore
Also the percentage of service that must be available during a disaster

_____

Backups

Provides an organization with a fail-safe way to recover their data in the event of
Technology failure
Human error
Natural disaster

Backup Methods

Tape Backups
Practice of periodically copying data from a primary storage device to a tape cartridge
Traditional method - outdated
Disk-to-disk Backups
Writes data from Primary Disks to special disks that are set aside for backup purposes
Backups that are sent to a storage area network or a network attached storage are also fitting in this category of backup
Cloud Backups
AWS, Azure, GC

Different Types of Backups

Full Backups
Include a complete copy of all data
Snapshots and images are types of full backups
Differential Backups
Includes all data modified since the last full backup
Supplements Full Backups
Incremental Backups
Include all data modified since the last full or incremental backup

Scenario: Joe performs full backups every Sunday evening and differential backups every weekday evening. His system fails on Friday morning. What backups does he restore?

A: 1) Sundays Full Backup

2) Thursday’s differential backup

Scenario: Joe performs full backups every Sunday evening and incremental backups every weekday evening. His system fails on Friday morning. What backup does he restore?

A: 1) Sunday’s Full Backup

2) Monday, Tuesday, Wednesday, Thursday incremental backups

Trade off: Incremental backups takes longer to restore but requires smaller storage

_____

Disaster Recovery Sites

Provide alternate data processing facilities
Usually stay idle until emergency situation arises

3 Types of Disaster Recovery Sites/Alternate Processing Facility

Hot Site
Premier for of disaster recovery facility
Fully operational Data Centers
Can be activated in moments or automatically deployed
Very expensive
Cold Site
Used to restore operations eventually, but requires a significant amount of time
Empty Data Centers
Stocked with core equipment, network, and environmental controls but do not have the servers or data required to restore business
Relatively Inexpensive
Activating them may take weeks or even months
Warm Site
Hybrid of Hot and Cold
Stocked with core requirements and data
Not maintained in parallel fashion
Similar in expense as a Hot Site
Requires significant less time from IT Staff
Activating them may take hours or days
Disaster Recovery Sites don’t only provide a facility for technology operations, but also serve as an Offsite Storage Location. They are:

Geographically distant
Site Resiliency
Allows backups to be physically transported to the disaster recovery facility either manually or electronically called “Site Replication”
Online or offline backups
Online backups are available for restoration immediately, but is very expensive
Offline backups may require manual intervention, but is very inexpensive

Alternate Business Process

A change of an organization’s business protocols to match the current Disaster Recovery Plan
_____

Disaster Recovery Testing Goals

Validate that the plan functions correctly
Identify necessary plan updates

5 Types of Disaster Recovery Testing

Read-through
Simplest form of Disaster Recovery Testing
Asks each team member to review their role in the disaster recovery process and provide feedback
Known as “Checklist Reviews”
Walk-through
A more comprehensive approach but similar to Read-Through
Gathers the team together for a formal review of the disaster recovery plan
Known as “Tabletop Exercise ”
Simulation
Uses a practice scenario to test the Disaster Recovery Plan
Scenario based- very specific circumstances
Parallel Test
While above are all theoretical approaches, the Parallel Test actually activates the Disaster Recovery Environment
However, they do not switch operations to the backup environment
Full Interruption
Most effective
Activate Disaster Recovery Environments
Also switch primary operations to the backup environment
Can be very disruptive to business

Testing strategies often combine multiple types of tests

_____

Physical Access Controls

Facilities that require Physical Security:

Data Centers
Most important
Server Rooms
Has sensitive information in less secure locations
Media Storage Facilities
If in a remote location may require as much security as the Data Centers
Evidence Storage Locations
Wiring Closets
Literally a cluster of wires
Needs to be protected as it offers access to digital eavesdroppers and network intruders
Distribution Cabling
Neatly organized cables in the ceiling
Operations Center
_____

Types of Physical Security

Gates
Allows you to focus on other security controls
Bollards
Block vehicles while allowing pedestrian traffic

CPTED

Crime Prevention Through Environmental Design
Basically giving principles to design your crime prevention mechanisms in a way that is appropriate with your environmental surroundings

CPTED Goals

Natural Surveillance
Design your security in a way that allows you to observe the natural surroundings of your facility
Windows, Open Areas, Lightning
Natural Access Control
Narrowing the traffic to a single point of entry
Gates, etc
Natural Territory Reinforcement
Making it visually and physically obvious that the area is closed to the public
Signs, Lightnings
_____

Visitor Management

Visitor management procedures protect against intrusions

Visitor Procedures

Describe allowable visit purposes
Explain visit approval authority
Describe requirements for unescorted access
Explain role of visitor escorts
All visitor access to secure areas should be logged
Visitors should be clearly identified with distinctive badges
Cameras add a degree of monitoring in visitor areas
Cameras should always be disclosed
_____

Physical Security (Human Security)

Receptionists may act as Security Guards
Sometimes an “aggressive” look is sometimes desirable
Robots may replace human security patrols

Two Person Rule (Two-Person Integrity)

Two people must enter sensitive areas together

Two Person Control

Two people must have control access to very sensitive functions, requiring an agreement of 2 persons before action
Ex=Requiring 2 Keys to trigger a launch of Nuclear Missiles
_____

Logical Access Controls

Account Management Tasks

Implementing Job Rotation schemes
Implementing for employees to rotate job functions for purpose of diversity and integrity in work
Mandatory Vacation policies
People on vacation should not have access to sensitive data
Managing Account Lifecycle
Ensuring that as employees move around an organization with different roles, that they are given access to corresponding roles
_____

Account Monitoring Procedures

Account Audits
Completed by pulling all permission list, review, and make adjustments
Protects against Inaccurate Permissions
Inaccurate Permissions
Wrong permissions assigned that results in too little access to do their job or too much access (violates least privilege)
Result of Privilege Creep
A condition that occurs when users switch roles and their previous role’s access to system has not been revoked

Formal Attestation Process
Auditors review documentation to ensure that managers have formally approved each user’s account and access permissions.

Continuous Account Monitoring
Watch for suspicious activity
Alert administrations to anomalies
Will catch any unauthorized use of permissions or acts
Flags Access Policy Violations
Impossible travel time logins
Unusual network location logins
Unusual time-of-day logins
Deviations from normal behavior
Deviations i volume of data transferred
Geotagging
Adds user location information to logs
Geofencing
Alerts when a device leaves defined boundaries
_____

Provisioning and Deprovisioning

Involves the process of creating, updating and deleting user accounts in multiplace applications and systems
Crucial to Identity and Access Management Task

Provisioning

After onboarding, administrators create authentication credentials and grant appropriate authorization

Deprovisioning

During the off-boarding process, administrators disable accounts and revoke authorizations at the appropriate time.
Prompt Termination (quickly acting after off boarding) is critical
Prevents users from accessing resources without permission
More important if employee leaves in unfavorable terms

Routine Workflow (For offboarding)

Disable accounts on a scheduled basis for planned departures
Emergency Workflow (For offboarding)

Immediately suspends access when user is unexpectedly terminated

Incorrect Timed Account-Deprovisioning may:

Inform a user in advance of pending termination
Allow user to access to resources after termination

It is a good idea to Deactivate the account first before permanent removal as it can be reversed

_____

Authorization

Final step in the Access Control Process
Determines what an authenticated user can do

Principle of Least Privilege

User should have the minimum set of permission necessary to perform their job
Protects against internal risks as a malicious employee’s damage will be limited to their access
Protects against external risk as if an account was hacked, the damage they can do would be limited to the permissions on the stolen account.

Mandatory Access Control (MAC) System - Confidentiality

Permissions are determined by the system/operating system
Users cannot modify any permissions
Rule-based access system
Most Stringent/strict

Discretionary Access Control (DAC) System - Availability

Permissions are determined by the file owners
Most Common type of access control
Flexible

Role-Based Access Control (RBAC) Systems - Integrity

Permissions are granted to groups of people/ job functions
Group based
_____

Computer Networking

Network

Connect computers together
Can connect computers within an office (LAN) or to the global internet

Local Area Networks (LANs)

Connect devices in the same building
LANs are connected to Wide Area Networks (WANs)

Wide Area Networks (WANs)

Connect across large distances
Connects to different office locations and also to the internet
When an LAN is connected to WAN = Internet

How Devices Connect to a LAN

Ethernet
Connecting a physical Ethernet cable to an internet jack behind the ball
The Ethernet Cable is called the RJ-45 connectors a.k.a 8 Pins Connector
Super fast but requires physical cables
FYI: RJ-11 Cables are used for telephone connections. They have 6 Pins
Wireless Networks (Wi-Fi)
Create Wireless LANs
Bluetooth
Creates a Personal Area Network (PANs)
Designed to support a single person
Main purpose is to create a wireless connection between a computer and its peripheral devices
Near Field Communication (NFC) Technology
Allows extremely short range wireless connections (ex= wireless payment)
_____

TCP/IP - Transmission Control Protocol/Internet Protocol

A set of standardized rules that allow computers to communicate on a network such as the internet.
Protocol suite at the heart of networking

Internet Protocols

Main function is to provide an addressing scheme, known as the IP address
Routes information across networks
Not just used on the internet
Can be used at home or an office
Deliver packets(chunks of information) from source → destination
Serves as a Network Layer Protocol
Supports Transport Layer Protocols - which have a higher set of responsibilities

2 Types of Transport Layer Protocols

Transmission Control Protocol (TCP)
Responsible for majority of internet traffic
Is a Connection-Oriented protocol
Connection Oriented protocol means the connection is established before data is transferred
Connection is ensured through TCP Three-Way Handshake
TCP packets include special flags that identify the packets known as TCP Flags. Within the TCP Flags:
SYN Flag: Opens a connection
FIN Flag: Closes an existing connection
ACK: Used to acknowledge a SYN or FIN packet

TCP Three-Way Handshake

Source SYN sent to request open connection to Destination
Destination sends ACK + request (SYN) to reciprocate a open connection
Source acknowledges and sends ACK

Guarantees delivery through the destination system acknowledging receipt
Widely used for critical applications (email , web traffic etc)

User Datagram Protocol (UDP)
Connectionless Protocol, not connection-oriented
Lightweight
Does NOT use Three-Way Handshake
System basically send data off to each other blindly, hoping that it is received on the other end
Does not perform acknowledgments
Does not guarantee delivery
It's often used for voice and video applications where guaranteed delivery is not essential. Every single packet doesn't have to reach the destination for video and voice to be comprehensible.

OSI (Open Systems Interconnection) Model

Describes networks as having 7 different layers

Layer 1: Physical Layer

Responsible for sending bits over the network
Uses wires, radio waves, fiber optics or other means
Layer 2: Data Link Layer

Transfers data between 2 Nodes connected to the same physical network
Layer 3: Network Layer

Expands networks to many different nodes
Internet Protocol (IP)
Layer 4: Transport Layer

Creates connection between systems
Transfers data in a reliable manner
TCP and UDP
Layer 5: Session Layerauthenti

Manages the exchange of communications between systems
Layer 6: Presentation Layer

Translates data so that it may be transmitted on a network
Encryption and Decryption
Layer 7: Application Layer

How users interact with data, using web browsers or other apps

TCP Model vs OSI Model

OSI TCP Model

Layer 1: Physical Layer

Layer 2 :Data Link Layer Layer 1: Network Interface layer (Physical + Data)

Layer 3 :Network Layer Layer 2: Internet Layer

Layer 4 :Transport Layer Layer 3: Transport Layer

Layer 5: Session Layer Layer 4: Application Layer (Session+Presentation+Application)

Layer 6: Presentation Layer

Layer 7: Application Layer

_____

For the Internet Protocol (IP) to successfully deliver traffic between any two systems on a network, it has to use an addressing scheme

IP Addresses

Uniquely identify systems on a network
Written in dotted quad notation (ex- 192.168.1.100). Also known as IPv4
Means 4 numbers separated by periods
Each of these numbers may range between 0-255
Why 255?
Each number is represented by 8-bit binary numbers
Those bits can represent 2 to the power of 8 = 256 possible values
But we start at 0 so 256-1=255

No duplicates of IP addresses on Internet-connected systems (Just like your phone#)
Allow duplicates if on private networks
Your router or firewall takes care of translating private IP Addresses to public IP addresses when you communicate over the internet
This translating process is called NAT (Network Address Translation)
IP Addresses are divided into 2 parts
1) Network Address
2) Host Address

The divide of the 2 parts can come in anywhere

This uses a concept called sub-netting

Sub-netting divides domains so traffic is routed efficiently

IPv4 (Containing 4 numbers) is running out so we are shifting to → IPv6
IPv6
Uses 128 bits (compared to 32 bits (8x4num bers = 32) for IPv4
Consists of 8 groups of 4 hexadecimal numbers
ex= fd02:24c1:b942:01f3:ead2:123a:c3d2:cf2f

IP Addresses can be assigned in 2 ways

Static IPs
Manually assigned IP Address by an administrator
Must be unique
Must be within appropriate range for the network
Dynamic Host Configuration Protocol (DHCP)
Automatic assignment of IP Address from an administrator configured pool

Typically,

Servers are configured with Static IP Addresses

End-user devices are configured with Dynamically-Changing IP Addresses

_____

Network Ports

Like Apartment #s, guide traffic to the correct final destination
IP addresses uniquely identifies a system while the Network Ports uniquely identifies a particular location of a system associated with a specific application
Think of it as
IP Addresses - Street # of an Apartment
Network Ports- Unit # of an Apartment

Network Port Numbers

16-bit binary numbers
2 to the power of 16 = 65,646 possible values
65,646-1 (for 0) = 0-65,535 possibilities

Port Ranges

0 - 1,023 = Well-known ports
Reserved for common applications that are assigned by internet authorities
Ensures everyone on the internet will know how to find common services such as : web servers, email servers
Web-servers use the Well-known port 80
Secure Web-servers use the Well-known port 443

1,024 - 49,151 = Registered ports
Application vendors may register their applications to use these ports
Examples
Microsoft Reserve port 1433 for SQL Server database connections
Oracle Reserve port 1521 for Database

49,152 - 65,535 = Dynamic ports
Applications can use on a temporary basis

Important Port #s

Administrative Services

Port 21 : File Transfer Protocol (FTP)
Transfers data between systems

Port 22 : Secure Shell (SSH)
Encrypted administrative connections to servers

Port 3389 : Remote Desktop Protocol (RDP)
Encrypted administrative connections to servers

Ports 137, 138, and 139 : NetBIOS - Windows
Network Communications using the NetBIOS protocol

Port 53 : Domain Name Service (DNS)
All systems use Port 53 for DNS lookups

Mail Services

Port 25 : Simple Mail Transfer Protocol (SMTP)
Exchange email between servers

Port 110 : Post Office Protocol (POP)
Allows clients to retrieve mail

Port 143 : Internet Message Access Protocol (IMAP)
Allows to retrieve mail

Web Services

Port 80 : Hypertext Transfer Protocol (HTTP)
For unencrypted web communications

Port 443: Secure HTTP (HTTPS)
For encrypted connections
_____

Securing Wireless Networks

Service Set Identifier (SSID)

The name of your Wi-Fi
You can disable visibility of Wi-Fi (Hide)
Has an administrative password to the access point (connection)
Ensure to immediately change default administrator passwords
You can configure what Type of Network you want
1) Open Network
Open for anyone to use (No Password Wifi)
2) Other authentication required Network
1) Preshared Keys (Home Wifi, Office, Cafe)
Changing Preshared keys is difficult
Prevents individual identification of users
2) Enterprise Authentication
Uses individual passwords
3) Captive Portals
Used in Starbucks, Airports, Tim-Hortons
Provide authentication on unencrypted wireless networks
Intercepts web requests to require Wi-Fi login
_____

Wireless Encryption

A best practice for network security
Encryption hides the true content of network traffic from those without the decryption key
Takes, Radio Waves, and makes it secure
The Original approach to Security was: Wired Equival7ent Privacy (WEP)

This is now considered insecure

The Second approach was : Wi-Fi Protected Access (WPA)

Changes keys with the Temporal Key Integrity Protocol (TKIP)
Changes the encryption key for each packet : preventing an attacker from discovering the key after monitoring the network for along period of time
This is now considered insecure

The Improved approach is : Wi-Fi Protected Access v2 (WPA2)

Uses an advanced encryption protocol called Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP)
WPA is now considered SECURE

The New approach is : Wi-Fi Protected Access v3 (WPA3)

Supports Simultaneous Authentication of Equals (SAE)
SAE is a secure key exchange protocol based upon the Diffie-Hellman Technique, to provide more secure initial setup of encrypted wireless communications
Also supports CCMP protocol

In Summary,

Open Network : Insecure

WEP : Insecure

WPA: Insecure

WPA2 : Secure

WPA3: Secure

_____

Ping and Traceroute

Command Line Network (CLI)

Provides quick and easy way to access network configurations and troubleshooting information
Used my giving Commands

Important Commands

ping
Checks whether a remote system is responding or accessible
Works using the Internet Control Message Protocol (ICMP)
Basically sending a request and acknowledgement to confirm a connection
Troublingshooting with Ping:
You can ping the remote system:
a) if you receive a response : it is not a network issue and a local web server issue
b) if you don’t receive a response : you may next ping another system located on the internet : if that responds : this will tell you your internet is successful and the issue is with the web server or network connection
c) if you ping many systems on internet and there is no response, it is likely that the problem is on your end
d) You can ping a system on your Local Network : if that responds, there's probably an issue with your network’s connection to the internet
e) If a Local Network does not respond : Either your Local network is down or there is a problem with your computer
f) Last Resort : Repeat process on another computer
Some systems do not respond to ping requests
Example : A firewall may block ping requests

hping
Creates customized ping requests
A variant of the basic “ping” command
Allows you to interrogate a system to see if it is present on the network
Old and not monitored but still works

traceroute
Determines the network path between two systems
If you want to know how packets are traveling today from my system Located in Toronto to a LinkedIn.com webserver, wherever that is located
Works only on Mac and Linux
In Windows, it is : tracert

pathping
Windows only command
Combines ping and tracert functionality in a single command

_____

Network Threats

Malware

One of the most significant threats to computer security
Short for Malicious Software
Might steal information, damage data or disrupt normal use of the system
Malwares have 2 components:
1) Propagation Mechanism
Techniques the malware uses to spread from one system to another
2) Payload
Malicious actions taken by malware
Any type of malware can carry any type of payload

Types of Malware

Virus
Spreads after a user takes some type of user action
Example : Opening an email attachment, Clicking a Link, Inserting an infected USB
Viruses do not spread unless someone gives them a hand
User education protects against viruses

Worms
Spread on their own by exploiting vulnerabilities
When a worm infects a system, it will use it as it’s base for spreading to other parts of the Local Area Network
Worms spread because the systems are vulnerable
Patching protects against worms

Trojan Horse
Pretends to be a useful legitimate software, with hidden malicious effect
When you run the software, it may perform as expected however will have payloads behind the scene
Application Control protects against Trojan Horses
Application Controls limit software that can run on systems to titles and versions
_____

Botnets

Are a collection of zombie computers used for malicious purposes
A network of infected systems
Steal computing power, network bandwidth, and storage capacity
A hacker creating a botnet begins by
1) Infecting a system with malware through any methods
2) Once the malware takes control of the system (hacker gains control), he or she joins/adds it to the preconceived botnet

How are Botnets Used

Renting out computing power for profit
Delivering spam
Engaging in DDoS attacks
Mining Bitcoin and Cryptocurrencies
Perform Brute Force Attacks - against passwords

Botnet Command and Control

Hackers command botnets through Command and Control Networks as they relay orders
Communication must be indirect (hides the hackers true location) and redundant
Must be highly redundant (too much, alot) because security analysts will shut them down one by one. Its a cat and mouse game, whoever controls the Command and Control channels retains control of the Botnet the longest
Types of Command and Control Mechanisms for Ordering Botnets

Internet Relay Chat (IRC)
Twitter
Peer to Peer within the Botnet

In Summary Botnets:

Infect Systems
Convert to bots
Infect others
Check in through Command and Control Network
Get Instructions
Deliver payload
_____

Eavesdropping Attacks

All eavesdropping attacks rely on a compromised communication path between a client and a server
Network Device Tapping
DNS poisoning
ARP poisoning

During poisoning attacks hackers may use the Man-in-the-Middle technique to trick the user to connect to the attacker directly, then the attacker directly connects to the server. Now the original user logs in to a fake server set up by the attacker and the attacker acts as a relay, the man in the middle, and can view all of the communications.
The user will not know that there is a Man-in-the-Middle intercepting communications.

Man-in-the-browser Attacks

Variation of Man-in-the-Middle attack
Exploit flaws in browsers and browser plugins to gain access to web communications

If the attacker is able to control the network traffic, they may be able to conduct a Reply Attack

Replay Attack

Uses previously captured data, such as an encrypted authentication token, to create a separate connection to the server that’s authenticated but does not involve the real end user
The attacker cannot see the actually encoded credentials
They can only see the encoded version of them
Prevent Replay Attacks by including unique characteristics:
Token
Timestamp

SSL Stripping

Tricks browsers into using unencrypted communications
A variation of eavesdropping attack
A hacker who has the ability to view a user’s encrypted web communication exploits the vulnerability to trick the users browser into reverting to unencrypted communications for the world to see
Strips the SSL or TLS protection
_____

Implementation of Attacks

Cryptographic systems may have flaws = vulnerability = attacks

Fault Injection Attacks

Use externally forced errors
Attacker attempts to compromise the integrity of a cryptic device by causing some type of external fault
For example : Attacker might use high-voltage electricity to cause malfunction that undermines security
These failures of security may cause systems to fail to encrypt data property.

Side Channel Attacks

Measure encryption footprints
Attackers use footprints monitor system activity and to retrieve information that is actively being encrypted
For example : If a cryptographic system is improperly implemented, it may be possible for an attacker to capture the electromagnetic radiation emanating from that system and use the collected signal to determine the plain text information that is being encrypted
Timing Attacks
A type of Side Channel Attack
Measure encryption time
Attackers precisely measures how long cryptographic operations take to complete, gaining information about cryptographic process that may be used to undermine security

_____

Threat Identification and Prevention

Intrusion Detection Systems (IDS)

Monitors network traffic for signs of malicious activity
MIS USE DETECTION AND ANOMALY DETECTION
Examples of malicious activity
SQL Injections
Malformed Packets
Unusual Logins
Botnet Traffic
Alerts administrators
Requires someone to take action

Intrusion Prevention System (IPS)

Automatically block malicious activity
It is not a perfect system. They make 2 errors
1) False Positive Error
IDS/IPS triggers an alert when an attack did not actually take place
2) False Negative Error
IDS/IPS fails to trigger an alert when an actual attack occurs

Technology used to identify suspicious traffic:

Signature Detection Systems
Contain databases with rules describing malicious activity
Alert admins to traffic matching signatures = Rule based Detection
Cannot detect brand new attacks
Reduce false positive rates
Reliable and time-tested technology

Anomaly Detection Systems
Builds models of “normal” activity, and finds an Outlier
Can detect brand ne attacks
But has high false positive rate

Anomaly Detection , Behavior-based Detection , Heuristic Detection = Same Thing

_____

IPS Deployment Modes

In-band Deployments
IPS sits in the path of network traffic
It can block suspicious traffic from entering the network
Risk : It is a single point of failure so it may disrupt the entire network

Out-of-band (passive) Deployments
IPS sits outside of network traffic
IPS is connected to a SPAN port on a switch
Which allows it to receive copies all traffic sent through the network to scan
It cannot disrupt the flow of traffic
It can react after suspicious traffic enters the network
It cannot pre detect as it can only know its existence once it enters the network
_____

Malware Prevention

Antimalware software protects against many different threats
Antimalware software protects against viruses, worms, Trojan Horses and spyware

Antivirus software uses 2 types of mechanisms to protect:

Signature Detection
Watches for known patterns of malware activity

Behavior Detection
Watches for deviations from normal patterns of activity
This type of mechanism is found in advanced malware protection tools like the Endpoint Detection and Response (EDR)
Offer real-time, advanced protection
Goes beyond basic signature detection and performs deep instrumentation of endpoints
They analyze:
Memory
Processor use
Registry Entries
Network Communications
Installed on Endpoint devices
Can perform Sandboxing
Isolates malicious content
_____

Port Scanners

Vulnerability Assessment Tools

Port Scanner
Looks for open network ports
Equivalent of rattling all doorknobs looking for unlocked doors
nmap
Popular port scanning tool /command
Vulnerability Scanner
Looks for known vulnerabilities
Scans deeper than Port Scanner, actually looks at what services are using those ports
Has a database for all known vulnerability exploits and tests server to see if it contains any of those vulnerabilities
Nesssus
Popular vulnerability scanner
Application Scanner
Tests deep into application security flaws
_____

Network Security Infrastructure

Data Centers

Have significant cooling requirements
Current Standard of Temperatures
Maintain data center air temperatures between 64.6 F and 80.6 F = Expanded Environmental Envelope
Humidity is also important
Dewpoint says : Humidity 41.9 F and 50.0 F
This temperature prevents condensation and static electricity
HVAC is important (Heating, Ventilation and Air Conditioning Systems)
Must also look out for fire, flooding, electromagnetic interference

Fire Suppression Methods

Wet Pipe Systems
Contains water in the pipes ready to deploy when a fire strikes
High Risk for data center
Dry Pipe Systems
Do not contain water until the valve opens during a fire alarm.
Prevents burst pipes, by removing standby water
Chemical Systems
Removes oxygen

Always place MOUs

Memorandum of Understanding
Outlines the environmental requirements