Incident Response Procedures Overview

Incident Response & Forensics
Well, an incident response is a set of procedures that an investigator follows when
they're examining a computer security incident. These incident response procedures
are part of your organization's overall computer security incident management
program. This program should consist of the monitoring and detection of security
events on a computer network and the execution of proper responses to those
security events. Now, every organization has their own way of doing incident
response.
But a basic six-step procedure looks something like this:
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned.

For the exam, you want to know these six steps and you want to know the right
order.

Incident Response Planning

IR Team
Well, your incident response team is the key people that are going to be available to
respond to any incident that meets the severity and priority thresholds that are set
out by your incident response plan, because not everything that you run into is going
to require you to activate your incident response team. Some things can just be
handled by your incident handlers and you don't need the full team to do it. But if you
have a big issue, like an ongoing data breach or something like that, you're going to
want the entire incident response team. So, what type of positions are on this
incident response team?

Well, first, you're going to have an incident response manager or team lead. This
person is going to oversee and prioritize actions during the detection, analysis, and
containment of an incident. This is a position that I have personally filled numerous
times. And I can tell you, it is a difficult position that requires a lot of good soft skills
in addition to those traditional in-depth technical skills that some other positions are
going to require.

The second position we have is a security analyst. Your team needs to have one or
more security analysts assigned in order to work directly on the affected network and
to play detective in order to determine what happened up to this point. Your security
analyst may be assigned into two categories, although some analysts may be
working in both categories simultaneously when dealing with a smaller-scale
incident. The first of these is known as a triage analyst. A triage analyst is a security
analyst that's assigned to work on the network during the incident response. Triage
analysts are going to help filter out false positives by properly configuring intrusion
detection and protection systems, as well as performing ongoing monitoring and
analysis to detect any new or potential intrusions during your incident response.
Another type of security analyst we use is what's known as a forensic analyst. Now,
a forensic analyst, on the other hand, is going to be more focused on the detective
work and trying to piece together what has already occurred on the network. They're
going to focus on recovering key artifacts and evidence from the network and then
use these to build a timeline of the different events that led up to the incident itself
and that way, we can understand what happened up to this point.

Beyond that, you’re also going to want to have a threat researcher. This is another
key part of your team. These threat researchers are able to complement your
analysts by providing threat intelligence and overall context during your incident
response. These specialists work to always remain up-to-date on the current threats
that are facing your organization and your specific industry, as well as keeping
up-to-date with previous incidents that may have occurred. I like to think about these
folks as both a combination of a futurist in terms of guessing what the bad guys
might do, as well as a historian because they know all the bad things that the bad
guys have done in the past.

Finally, we have cross functional support. In addition to all the critical roles I
already talked about, we also want to expand our team with additional cross
functional support. This includes people from management or the executive team,
somebody from human resources, if you're dealing with an employee insider threat,
or an attorney or lawyer in the case that the company may want to take legal action
against the perpetrator or the attacker.
Now, this incident response team is often known as a CSIRT. A CSIRT is the
computer security incident response team, and your CSIRT should be the single
point of contact for security incidents. Now, the CSIRT may be part of the SOC, the
Security Operations Center, or they could be an independent team. It just depends
on how your organization has set this up. In fact, some organizations have chosen to
outsource their security response and their CSIRT teams. This way, whenever
there's an incident, they would call on this third-party contractor who will bring their
experts to help you bring your systems back online and get the bad guys out of your
network.

When you have an incident, you need to start thinking about who are the affected
stakeholders? There are lots of them out there, inside and outside your organization.

Senior Leadership
When we talk about senior leadership, these are the executives and managers who are
responsible for business operations and various functional areas within your
company. Now, the reason this is important is because a lot of our incident
responders tend to be technical people. And so, we might, as technical people say,
the quickest way to solve this incident is to shut down that server. But if we're not
understanding the business impact to those actions, that could have second and
third-order effects that'd be very bad for our organization. So, we're going to have to
get senior leadership involved to understand if I do this, it's going to have this and
that and the other effect, and we have to mitigate those.

Regulatory Bodies
The next key stakeholder we have to consider is regulatory bodies. These are
governmental organizations that oversee the compliance with specific regulations
and laws. For example, if we're talking about HIPAA, which has to do with health
care, you're going to have to be overseen by Health and Human Services, because
they're the ones who run the HIPAA program.

Legal
The next stakeholder we have to consider is legal. Now, legal is the business or
organization's legal counsel, and they're going to be responsible for mitigating risk
from civil lawsuits. For example, as you're planning out your response of what you're
going to do to stop the breach of data, you want to make sure legal is in the room
because your actions could come up later on if your company is sued for its
response.

Law Enforcement

On the other side of the coin, we have law enforcement. Law enforcement is an
external stakeholder that may provide services to assist in your incident
handling efforts, or to prepare for legal action against the attacker in the future. Now,
one quick thing to note, your decision to involve law enforcement has to be made by
senior executives with guidance from your internal legal counsel. You, as an incident
responder, should not immediately pick up the phone and call the FBI or the local
police. This is something your business has to decide. Now, there are cases where it
is legally required to bring in law enforcement. But in a lot of cases, it is more of a
civil issue. And you have the determination and the right to decide if you want to
press charges and bring in law enforcement. So, keep that in mind. And remember,
your senior executives get to make that decision.

HR
Our next stakeholder is human resources, and this is an internal stakeholder. They're
going to be used to ensure there's no breaches of employment law or employee
contracts during the incident response. For example, if you're suspecting that
there's an internal threat, and you start questioning employees, or you want to start
going through employee files, you're going to have to consult human resources,
because you could be breaching employment law or employee contracts, so, make
sure you involve human resources.

PR
Public relations is used to manage the negative publicity from a serious incident.
Now, this is important because you want to make sure, as the technical lead, as an
incident responder, you're not the one answering questions to the media. You don't
want to be the one up there behind all those microphones with a sea of reporters
asking you questions. You have people in your organization whose job it is to handle
that. And they're going to come up with a clear, concise message that can be said
over and over again to all the inquiries reporters have.

Investigative Data

SIEM
Now, the first thing we’re going to talk about is a SIEM. Now, we've talked about
SIEMs before, but a SIEM is a Security Information and Event Monitoring System.
Now, this is important because it's going to be a combination of a lot of different data
sources into this one SIEM tool. And this provides us with real-time analysis of
security alerts that are generated by applications and network hardware.

The first thing we have to think about is our sensor. This is the actual end point that's
being monitored. That sensor can then feed that data up into the SIEM. Another
thing we have to think about with our SIEMs is their sensitivity. Now, the sensitivity is
focused on how much or how little you're going to be logging. Based on how you
configure that sensor, that's going to determine how much data is being sent to the
SIEM. Now, you may think it's great to send everything to the SIEM and in a lot of
cases, it is, but you have to remember that a SIEM can become overloaded with too
much information. Another thing we have to think about is trends. By using a SIEM
and its graphical ability to look across these logs, we can start seeing trends in our
network. We might say that every time there are five failed login attempts, I want to
have an alert sent to a system administrator to look into that account. That would be
an example of an alert based on different inputs across the SIEM. And then, finally,
correlation. This is one of the big things within a SIEM because we're getting data
from all sorts of different sources across all different types of hosts and network
devices. All these things need to be correlated so that we have a good picture of
what is really happening.
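
The five-failed-logins alert and the correlation idea described above, as an added example (not part of the original notes). The 10-minute window, the sensor names and the accounts are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # failed logins per account, as in the text
WINDOW = timedelta(minutes=10)   # assumption: the text does not give a time window

# Constructed sample: events already normalized by the SIEM from three
# different sensors, as (timestamp, sensor, account, outcome).
EVENTS = [
    ("2024-05-01T08:00:00", "dc01", "adavis", "failure"),
    ("2024-05-01T08:15:00", "dc01", "adavis", "failure"),
    ("2024-05-01T08:30:00", "dc01", "adavis", "failure"),
    ("2024-05-01T08:45:00", "dc01", "adavis", "failure"),
    ("2024-05-01T09:00:00", "dc01", "adavis", "failure"),
    ("2024-05-01T09:00:05", "vpn-gw", "jsmith", "failure"),
    ("2024-05-01T09:01:10", "vpn-gw", "jsmith", "failure"),
    ("2024-05-01T09:02:00", "dc01", "mlee", "failure"),
    ("2024-05-01T09:02:30", "dc01", "mlee", "success"),
    ("2024-05-01T09:03:00", "dc01", "jsmith", "failure"),
    ("2024-05-01T09:04:30", "dc01", "jsmith", "failure"),
    ("2024-05-01T09:06:45", "ssh-bastion", "jsmith", "failure"),
]


def correlate_failed_logins(events, threshold=THRESHOLD, window=WINDOW):
    """Alert when one account reaches `threshold` failures inside `window`,
    counting failures from every sensor together (the correlation step)."""
    recent = defaultdict(deque)      # account -> recent (time, sensor) failures
    alerts = []
    for ts, sensor, account, outcome in sorted(events):   # ISO timestamps sort by time
        if outcome != "failure":
            continue
        when = datetime.fromisoformat(ts)
        failures = recent[account]
        failures.append((when, sensor))
        # Drop failures that have aged out of the sliding window.
        while when - failures[0][0] > window:
            failures.popleft()
        if len(failures) >= threshold:
            alerts.append({
                "account": account,
                "count": len(failures),
                "first_seen": failures[0][0].isoformat(),
                "last_seen": when.isoformat(),
                "sensors": sorted({s for _, s in failures}),
            })
            failures.clear()         # start counting again after alerting
    return alerts


def per_sensor_alerts(events):
    """The same rule applied to each sensor in isolation, for comparison."""
    sensors = sorted({e[1] for e in events})
    return {s: correlate_failed_logins([e for e in events if e[1] == s])
            for s in sensors}


if __name__ == "__main__":
    for alert in correlate_failed_logins(EVENTS):
        print("ALERT", alert)
    print("per-sensor view:", per_sensor_alerts(EVENTS))
```

No single sensor in the sample sees five failures for one account inside the window; the alert only appears once the events are combined.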
Log Files
We have web log files, and this might be like your proxy server logs, where we could
see what websites have been accessed by your users, or if you're running a web
server, what files are being touched by an outsider as they're accessing that server.

Syslog
Now, the next thing we want to talk about is syslog, rsyslog, and syslog-ng. Now, all
three of these are basically three variations that do the same thing. They all are
going to permit logging of data from different types of systems into a central
repository. One of the things our SIEM relies heavily on is using syslog or rsyslog or
syslog-ng to grab that information from all the various end points and dump it into our
SIEM.

Journalctl
The next tool we want to talk about is journalctl. And this is actually a Linux
command line utility that's used for querying and displaying logs from the journald,
which is the journal daemon, which is basically, the logging service for systemd on a
Linux machine. And so, if you want to be able to look at the logs on a Linux machine,
you can use journalctl to do it.

Nxlog
Now, this is a multi-platform log management tool that helps us to easily identify
security risks, policy breaches, or analyze operational problems in server logs,
operating system logs, and application logs. Now, when you think about nxlog, I
want you to remember that it is a multi-platform or cross-platform tool, and it's also
open source. This also means that it has a lot of similarities with our syslog or
syslog-ng. So, what's the difference? Well, rsyslog and syslog-ng only work on Linux
and Unix systems, but nxlog is cross-platform. So, you can use it on Unix, Linux, and
Windows, too.

Netflow
Now, netflow is used in networking and it's a network protocol system that was
created by Cisco. And it's going to collect active IP network traffic as it's flowing into
or out of an interface. So, as you start thinking about things going into or out of your
network, through the firewall or through a router, netflow can actually capture that
information. Now, some of the information it captures is things like the point of origin,
the destination, the volume, and the paths on the network. This is not a packet
capture. We're not capturing everything, every single one and zero that is going in or
out of our network. Instead, netflow is more of a summarization of that data that's
going in and out of our network.

Sflow
And this stands for Sampled Flow. Essentially, this was an open source version of
netflow: where netflow is made by Cisco and is proprietary, sflow was more of the
generic version. It provides a means for exporting truncated packets, as well as
having an interface counter that is going to be used for network monitoring.

IPfix
The next thing we have is IPfix, which is the Internet protocol flow information export.
Now, this is a universal standard for the export of Internet protocol flow information
from your routers, your probes, and other devices that's going to be used by
mediation systems, accounting and billing systems, and network management
systems to facilitate services such as measurement, accounting, and billing by
defining how IP flow information is to be formatted and transferred from an exporter
to a collector. Wow, that is a mouthful. And you may be wondering, what did I just
say? Well, really, what IPfix is used for is on the back end of service management.

Metadata
Metadata is going to be data that describes other data, basically, by providing an
underlying definition or description by summarizing basic information about the data
that makes finding and working with particular instances of data much easier.

Forensic Procedures
Now, the first thing you need to know about forensics is that for everything we do, we use
written procedures. These written procedures are going to ensure that personnel
handle forensics properly, effectively, and in compliance with the required
regulations. This way, we always follow what is written down and we always do it the
same way. Now, as we go through our forensic procedures, there are four main
areas. We have identification, collection, analysis, and reporting.

1. Identification
2. Collection
3. Analysis
4. Reporting

Legal Hold
Ethics
Timeline
Analysis

Tools
● EnCase
● Autopsy

Data Collection Procedures

For the Security+ exam, no one is going to ask you to conduct this operation, but it's
going to give you a taste of digital forensics and see if the idea of being a digital
forensics examiner interests you. If it does, you may want to download and play with
some forensic tools like Forensic Toolkit that I'm going to use in the next lesson or
EnCase.

Demo: Disk Imaging
Now, I’m going to show you how we can do this using the Forensic Toolkit Imager or
FTK Imager to take a disk image of a hard drive or a USB thumb drive. In my
example, I'm going to take a disk image of a 2 GB thumb drive with a Windows
machine and then, I'm going to show you a very basic introduction to the Forensic
Toolkit or FTK Tool that'll allow you to do a forensic investigation and find deleted
files, hidden files, and other things from the evidence drive that we collected as part
of this incident response.

Security Tools

Networking
Manipulation
Shells and Scripts
Packet Capture
Forensic
Exploitation
Monitoring and Auditing

Monitoring
It's either:

1. Signature-based
2. Anomaly-based
3. Behavior-based

Signature-based
Now, when we talk about signature-based monitoring, this is where your network
traffic is analyzed for predetermined attack patterns. And so, if I said, every time you
see somebody walk through the door who is five foot eight with brown hair and
whose name is Jason, that's a signature. So, you would stop me at the door because
I met that criteria.

Anomaly-based
Now, when we do anomaly-based monitoring, we have to create a baseline of what
normal is first. And once we've established the baseline, then we can look at any other
network traffic that starts falling outside that baseline for further evaluation.

Behavior-based
The third type we have is what’s known as behavior-based. Behavior-based is an
activity that's going to be evaluated based on previous behaviors of the applications,
the executables, and the operating system in comparison to the current activity of the
system. Now, the problem with behavior-based analysis or behavior-based
monitoring is that it tends to result in a lot of false positives because there's a large
number of applications and lots of different relationships between those applications.
If you think about your computer, how many different applications are installed? And
how many ways do they talk to each other? You probably have Word, and
PowerPoint, and Excel and Chrome, and Firefox, and maybe Outlook. And probably
50 or 60 other applications. For you to be able to create a good baseline for all those
applications would take time.

Baselining
Well, it’s a process of measuring changes in networking, hardware, software, or
applications. If we know what the baseline is, what is normal, we can then see what
is abnormal. Now, baselining our network is really important because it's going to
define what normal is. By defining what normal is, it allows us to monitor for changes
and report on those changes whenever we find something that's anomalous or
abnormal.

Baseline Reporting
Baseline reporting is the process of documenting and reporting on the changes that
you find in a baseline. So, if I said that this computer was a Windows 10 machine
with these five apps on it, and now you find that there are six apps, that is something
we'd have to report because it's outside the normal baseline. We also have a
baseline for the system that we create as part of our security posture.

Security Posture
Now, a security posture is basically the risk level to which a system or other
technology element is going to be exposed.

One of the ways that most people use is a tool called Performance Monitor. It's a tool
in Windows that you can use to monitor the performance of an individual server or
workstation. You can check things like the processing power being utilized, the
amount of memory being utilized, the amount of disk space, the network utilization,
and other things like that. If you go to a command prompt and type in Perfmon and
hit enter, it will bring up the performance monitor and you can see how your system
is currently performing.

Protocol Analyzer
Protocol analyzers can be connected in either promiscuous mode or non-promiscuous mode. If
they're in promiscuous mode, that means the network adapter is going to be able to
capture all of the packets on the network regardless of who the destination MAC
address is. And this is going to allow them to capture all of the frames that carry that
information. So, promiscuous, it doesn't matter if you're addressing it to me, I'm still
going to collect it and listen to it. Now, if I'm in non-promiscuous mode, I'm only
going to capture packets that are addressed directly to myself, the protocol analyzer.
That's the difference with promiscuous versus non-promiscuous mode.

Now, to capture the most information, you're going to need to be in
promiscuous mode. Not all network adapters support this, so, you need to make sure
you have one that does. Now, you also need to set up a port on the switch that is
going to allow you to see all that traffic. Because in the old days of a hub, all that
information was broadcast across every port. But with switches, everything is sent
to specific ports based on the MAC address and the switch's CAM table. So, to be able
to get all that data, you need to be able to set up port mirroring.

Port Mirroring
Port mirroring is where you have one or more switch ports that are configured to
forward all of their packets to another port on the switch. This port is normally called
a SPAN port. And it's being used to do port mirroring of all the other ports so that the
protocol analyzer can see it.

Network Tap
Now, sometimes you don’t have the ability to configure the SPAN port yourself. Because
maybe you're an analyst, but you're not a network administrator. If that's the case,
you can also put in a network tap. Now, when you talk about a network tap, you have
to really understand how a mirrored port works. When a mirrored port or a SPAN port
is being used, it's using a logical method to replicate the traffic across all of the other
ports on to that SPAN port. This does put a lot of additional processing requirements
on the switch's CPU, though. And it can slow down your network or cause packets
to drop. If this is a concern, or you can't configure a SPAN port yourself, you can use
a network tap instead, which is a physical device. A network tap is a physical device
that allows you to intercept the traffic between two points on the network. So, maybe
I want to put a network tap between the router and the switch at the boundary of the
network. This is going to allow me to see everything that's coming in or out of the
network that way. And it puts no additional load on the router or on the switch. I
basically cut the cable in between, unplug it between the two devices, and put my
device in between the two, and I get a copy of all of the data going between them.
That's the idea with a network tap. Either can be used, either a SPAN port or a
network tap to accomplish the same thing, but a network tap is going to be much
more efficient because it is a physical device instead of using the logical capability
inside of the switch.

SNMP
SNMP is the Simple Network Management Protocol. It's a TCP protocol that
aids in the monitoring of network-attached devices and computers. I want to remind
you that SNMP is incorporated into network management and monitoring systems
and it's heavily used in the concept of management and monitoring. SNMP is broken
down into three components. There are the managed devices, the agent, and the
network management systems themselves.

Managed Devices
When we talk about managed devices, these are computers and other network-attached
devices that are monitored through the use of agents by a network management
system.

The Agent
Agents are software that’s loaded onto a managed device and this allows us to
redirect information to the network management system that's going to do the
monitoring.

Network Management Systems
And the Network Management System or NMS is the software that's run on one or
more servers that controls the monitoring of all of the network-attached devices and
computers across the network.

SNMP is the glue that makes all three of these talk to each other using that SNMP
protocol.
Now, when we talk about SNMP from a security standpoint, we need to think about
the three different versions. There's version one, version two, and version three.
Now, version one and version two are considered insecure because they use
community strings to access a device. The default community strings are public,
which is read-only, and private, which allows read and write access to the devices,
and they are considered a fairly big security risk. For this reason, you should be
using SNMP v3. SNMP v3 is a version of SNMP that provides integrity,
authentication, and encryption of the messages being sent over the network.
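
A configuration check for the point above, as an added example (not part of the original notes): it audits agent configuration text for v1/v2 community-string access and for v3 users that are not required to encrypt. It assumes Net-SNMP's `snmpd.conf` directives (`rocommunity`, `rwcommunity`, `createUser`, `rouser`, `rwuser`); both sample files, the user name and the passphrases are constructed placeholders.

```python
import shlex

COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
V3_USER_DIRECTIVES = {"rouser", "rwuser"}
DEFAULT_COMMUNITIES = {"public", "private"}   # the defaults named in the text

# Constructed sample: the weak setting.
WEAK_CONF = '''\
# constructed sample: v1/v2c access with the default community strings
rocommunity public
rwcommunity private 10.0.0.0/8
'''

# Constructed sample: the corrected setting (placeholder passphrases).
HARDENED_CONF = '''\
# constructed sample: SNMPv3 user that must authenticate and encrypt
createUser nmsMonitor SHA "PLACEHOLDER-auth-passphrase" AES "PLACEHOLDER-priv-passphrase"
rouser nmsMonitor priv
'''


def audit_snmpd_conf(text):
    """Return (line number, finding code, explanation) tuples for weak settings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        tokens = shlex.split(raw, comments=True)   # drops '#' comments, keeps quoted args
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in COMMUNITY_DIRECTIVES and args:
            findings.append((lineno, "v1v2c-community",
                             f"{directive} grants access by community string alone"))
            if args[0].lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "default-community",
                                 f"default community string '{args[0]}' is in use"))
            if directive.startswith("rw"):
                findings.append((lineno, "write-access",
                                 "community string allows write access to the device"))
        elif directive in V3_USER_DIRECTIVES:
            if args[:1] == ["-s"]:                 # optional security-model argument
                args = args[2:]
            # Net-SNMP treats a missing level as 'auth': authenticated, not encrypted.
            level = args[1].lower() if len(args) > 1 else "auth"
            if args and level != "priv":
                findings.append((lineno, "v3-no-encryption",
                                 f"v3 user '{args[0]}' is not required to encrypt"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_snmpd_conf(conf) or "no findings")
```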

Demo-Analytic Tools

Open Files

Now that it's on, we have to reboot this machine so that it can track all of
the open files.

Open Sessions

Auditing
Auditing is essentially a detective control. We're looking to make sure everything was
being done correctly, and if anything went wrong, we can go back and put together
those pieces. Now, when you think about auditing, auditing can be conducted
manually or using tools. For a manual audit, you're going to review the organization's
security logs, access control lists, user rights and permissions, their group policies,
their vulnerability scans, their written organizational policies, and you may interview
personnel. When you think of auditing, especially on the exam, think of the fact that logs
are part of auditing because those get tied together very frequently inside the
auditing concept. Now, when we talk about auditing, there are also software tools that
we can use to conduct auditing. Programs like the built-in auditing and logging
features inside Windows and Linux are really useful, but there's also complex
auditing suites available that you can buy as commercially available products.

Demo Auditing

Logging
Now, logs are simply data files that contain the accounting and audit trails for actions
performed by a user on the computer or on the network.
If you’re looking for the logs on a Linux System, check the /var/log directory.
Now, when we talk about this on a Windows System, there are three types of logs
that you have to be familiar with.
There are Security, System, and Application logs, and all three of those should be
audited when you're looking at a Windows System.

Now, Security Logs are logs for events such as successful and unsuccessful user
logons to the system.

Now, if we look at a System Log for instance, these are logs that have events such
as a system shutdown or driver failure. So, if you're trying to investigate why that
computer or server was shut down at midnight, you can go into the System Log and
hopefully find out.

Now, if you're having a problem with an application, you're going to look at the
Application Logs. Application Logs are going to log the events for the operating
system and third-party applications and so, those are the three types of logs you
need to be aware of inside of Windows.

Now, in Windows, if you want to view these log files, you're going to use the Event
Viewer. Some logs like the System, Security, and the Application logs are going to
exist on both workstations and servers. All of these can be accessed from the Event
Viewer, but the Event Viewer isn't the most efficient way to view them. In fact, I much
prefer a SYSLOG Server. This will allow you to consolidate all of the logs into a
single repository and then you can use a SYSLOG Client to read through them and
help correlate them.

Syslog
SYSLOG is simply a standardized format for computer message logging that allows
the separation of the software that generates the message, the system that stores
them, and the software that reports and analyzes them. What does that really all
mean? Well, when it comes to SYSLOG Servers, I can actually have different
servers around the world, all sending their log files back to a single logging server.
So, the DNS Server, the DHCP Server, the authentication server, and your client
workstation can all send their logs back to a centralized monitoring system, known
as a SYSLOG Server. SYSLOG does this by sending all of that data back over UDP
using port 514.
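
What a central syslog server does with the messages it receives, as an added example (not part of the original notes): it decodes the priority field into facility and severity, files each record under the sending host, and pulls out the records an analyst should look at first. It assumes the BSD syslog message layout (RFC 3164); the hostnames and messages are constructed.

```python
import re
from collections import defaultdict

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MESSAGE
LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<message>.*)$"
)

# Constructed sample: datagrams as they might arrive from several senders.
RECEIVED = [
    "<38>May  1 09:06:45 auth01 sshd[2211]: Failed password for jsmith from 192.0.2.10 port 50022 ssh2",
    "<30>May  1 09:06:50 dhcp01 dhcpd[804]: DHCPACK on 10.0.0.23 to 00:00:5e:00:53:01 via eth0",
    "<27>May  1 09:07:02 dns01 named[512]: zone transfer failed (constructed message)",
    "<13>May  1 09:07:10 ws042 backup: nightly job finished",
    "May  1 09:07:15 ws042 line without a priority field",
]


def parse_syslog(line):
    """Parse one message; return None if it does not follow the expected layout."""
    m = LINE.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:                          # 23 facilities * 8 + 7 is the maximum
        return None
    facility, severity = divmod(pri, 8)    # PRI = facility * 8 + severity
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "severity_code": severity,
        "timestamp": m["timestamp"],
        "host": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["message"],
    }


def central_store(lines):
    """Group parsed records by sending host; keep unparseable lines separately."""
    store, rejected = defaultdict(list), []
    for line in lines:
        record = parse_syslog(line)
        if record is None:
            rejected.append(line)
        else:
            store[record["host"]].append(record)
    return dict(store), rejected


def needs_attention(store, max_severity=3):
    """Records at severity 'err' or worse (lower code means more severe)."""
    return [(r["host"], r["tag"], r["severity"])
            for records in store.values() for r in records
            if r["severity_code"] <= max_severity]


if __name__ == "__main__":
    store, rejected = central_store(RECEIVED)
    print(sorted(store), needs_attention(store), len(rejected))
```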

Log Files
Now, when it comes to log files, where should they be saved? Well, I believe that log
files shouldn't be saved on the same device that is being logged. So, if my server is
being logged, I need to make sure those logs are actually being saved to a different
partition, a separate hard disk, or to an external server. This means that if that server
gets attacked or it crashes, the log files will still be safe so I can put together the
pieces and figure out what happened. Now, in addition to that, you have to think
about the size and scope of what you're logging, which I already talked about, right?
If you log everything but you never move those log files off, you can actually have
those files get so large that they overwhelm the system by eating up all of its
resources and it can cause the server to crash. This can become another big issue,
and so, it's really important to understand how you configure your logging. Another
issue you have to consider is what do you do when the maximum log file size is
reached? If you want to overwrite those events, this will allow you to overwrite the
oldest events to make room for the newest events in the case that the maximum log
file size is reached.

Log files should also be archived and backed up to ensure that they're always
available when you need them.

Remember, if it’s on the server that’s been attacked, those log files could have been
compromised, and so, we want to make sure those log files are constantly being
pushed to a syslog server or to another backup server someplace else where we
have good confidentiality and good integrity of those files. One way to ensure that is
to use a write once, read many method of data storage.

You should save your logs to an encrypted folder on the server, or better yet, to the
backup server and have good file encryption being used on your backup and archival
processes.

SIEM
Security information and event management systems, SIEMs.

Now, a SIEM is a solution that provides real-time or near-real-time analysis of
security alerts generated by network hardware and applications. Now, as we look at
a SIEM, there's a lot of uses for one, but one of the best things they do is they help
us correlate events.

A SIEM is a great place with a centralized repository of lots of different data. And so,
it's a great place for auditors and analysts to look through as they're doing their
analysis.

We’re going to cover things like Splunk, ELK, or Elastic Stack, ArcSight, QRadar,
AlienVault and OSSIM, and GrayLog.

Splunk
Splunk is a market-leading big data information gathering and analysis tool and it
can import machine-generated data via a connector or a visibility add-on. Now,
Splunk is really good at connecting lots of different data systems. In fact, it has
different connectors built for most network operating systems and different
application formats. Essentially, all the data from all the different systems can be
indexed as it's taken off those systems and then written to a centralized data store.
This allows Splunk to be able to go through historical or real-time data and be able to
search through it using its proprietary search algorithms called the search processing
language. Now, once you get those results, you can start visualizing it using different
tools.

ELK
Now, ELK and Elastic Stack is a collection of free and open-source SIEM tools that
provide storage, search, and analysis functions. Now, ELK and Elastic Stack is
actually made up of four different components. These are Elasticsearch, which
covers the query and analytics, Logstash, which is your log collection and
normalization, Kibana, which does your visualization, and Beats, which is your
endpoint collection agents that are installed on the machines. The way these all work
together is you're going to have the different Beats installed on different servers or
hosts. They can then send their data either directly to the Elastic Stack, or into
Logstash first. Now, when it goes into Logstash first, it's going to do the
parsing and the normalization for you and then send it into Elastic. If you go directly
to Elastic, it has to be in a format that it already understands.

ArcSight
ArcSight is a SIEM log management and analytics software that can be used for
compliance reporting for legislation and regulations like HIPAA, SOX, and PCI DSS.
When you look at ArcSight, it looks like another dashboard. And again, you can drill
down into that information and display it in lots of different ways.

QRadar
And QRadar is a SIEM log management, analytics, and compliance reporting
platform created by IBM. It does a lot of the same stuff we've just talked about. And
again, it comes with a nice dashboard.

AlienVault and OSSIM
Our fifth one is AlienVault and OSSIM, the open-source security information
management system. Now, this is a SIEM solution that was originally developed by
AlienVault, which is why it's called AlienVault, but now it's owned by AT&T and
they've been rebranding it recently as AT&T Cybersecurity. Just like the other ones, it
does come with a dashboard where you can search and dig into the different
information that could be presented here. Now, one of the nice things about AlienVault
and OSSIM is that OSSIM can integrate other open-source tools such as the Snort
IDS and the OpenVAS vulnerability scanner, and it can provide an integrated web
administration tool for you to manage the entire security environment. So, it does
give you this nice all-in-one solution. Also, because you're using a lot of open-source
tools here, it does keep your costs low.

GrayLog
GrayLog is an open-source SIEM with an enterprise version that's focused on
compliance and supporting IT operations and DevOps. And again, it has a nice
dashboard where you can drill down and search for things. The big difference with
GrayLog is that it's really focused on DevOps and supporting IT operations, as
opposed to doing more of the log analysis and the incident response that some of
the things like Splunk are much better suited for.

Syslog
Now, Syslog is a protocol for enabling different appliances and software applications
to transmit their logs or event records to a centralized server. Syslog is one of the
things we talked about back when we talked about SIEMs because it was one of the
protocols we could use to send data to the SIEM. Now, Syslog follows a standard
client-server model, and it is the de facto standard for logging of events
from distributed systems across a network.

Syslog message
A Syslog message contains a PRI code, which is a priority code, a header, and a
message portion.
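The three parts named above can be pulled apart with a short parser. This is an added example, not part of the original notes: it assumes the classic BSD layout from RFC 3164, where the PRI value is the facility code times 8 plus the severity code, and the function names and sample lines are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Numeric codes follow RFC 3164. The short names are the common syslog
# keywords; names for codes 13-15 vary between implementations.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3",
    "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# HEADER: "Mmm dd hh:mm:ss" (day is space-padded), then the hostname.
HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) ")


@dataclass
class SyslogMessage:
    pri: int
    facility: str
    severity: str
    timestamp: Optional[str]
    hostname: Optional[str]
    message: str


def parse_syslog(line: str) -> SyslogMessage:
    """Split one syslog line into its PRI, header and message parts."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing PRI part")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI {pri} out of range")
    facility_code, severity_code = divmod(pri, 8)

    rest = line[m.end():]
    h = HEADER_RE.match(rest)
    if h:
        timestamp, hostname = h.group(1), h.group(2)
        message = rest[h.end():]
    else:
        # Some senders omit the header; keep everything as the message
        # so the event is not lost, and let the collector stamp it.
        timestamp = hostname = None
        message = rest
    return SyslogMessage(pri, FACILITIES[facility_code],
                         SEVERITIES[severity_code],
                         timestamp, hostname, message)


def is_urgent(msg: SyslogMessage, threshold: str = "err") -> bool:
    """Lower severity codes are more urgent; 'err' and above by default."""
    return SEVERITIES.index(msg.severity) <= SEVERITIES.index(threshold)


# Constructed sample lines, not taken from a real system.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 web01 su: 'su root' failed for alice on /dev/pts/8",
    "<165>Feb  5 09:01:44 fw01 kernel: DROP IN=eth0 SRC=192.0.2.10",
    "<13>service restarted",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        parsed = parse_syslog(raw)
        flag = "URGENT" if is_urgent(parsed) else "ok"
        print(f"{flag:6} {parsed.facility}.{parsed.severity} "
              f"host={parsed.hostname} msg={parsed.message!r}")
```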

Syslog Newer Implementations


1. First, newer implementations use port 1468 for TCP for consistent delivery.
   This way, if the network gets congested and that message can't get there, it
   will redeliver it over and over again because it's using TCP.
2. The second improvement, newer implementations can use TLS or transport
   layer security to encrypt your messages being sent to servers. That way, that
   data in transit can't be read by somebody else on the network. It can only be
   read by the endpoint who sent it and the server who's receiving it.
3. The third thing is that newer implementations also use MD5 and SHA-1 to
   provide authentication and integrity.
4. Additionally, we have this fourth thing, which is that some newer
   implementations can use message filtering, automated log analysis, event
   response scripting, and alternate message formats.

Now, this newer version of the server is usually called Syslog-ng for syslog
next generation, or rsyslog.

Now, the final thing I want to mention about Syslog before we end this lesson
is that Syslog is often used to mean three things. It can refer to the protocol
that we send the data over, it can refer to the server as in a Syslog server, or it
can refer to the log entries themselves as in Syslog data. People will often just
say Syslog and they mean all three or any of these three, depending on the
context. So, just be careful about that as you hear people talking in the
industry to make sure you understand which one of the three they're talking
about.

SOAR
SOAR stands for Security Orchestration, Automation, and Response. This is a class of
security tools that helps facilitate incident response, threat hunting, and security
configurations by orchestrating and automating runbooks and delivering data
enrichment. Basically, think about this as a SIEM version 2.0. Now, SOAR is primarily
used for incident response, but there is a large part of it that's used for threat
hunting, as well. But really, the number one place you're going to see SOAR used is
incident response because it can automate so many of your actions. Now, as I said, I
like to think about this as SIEM 2.0. Essentially, it's a next-generation SIEM. This
takes a security information and event monitoring system and integrates it with SOAR,
and when you put those two together, this really does become your next-generation
SIEM, just like when you deal with next-generation firewalls.

Securing Networks
Securing Network Devices
● Default accounts
● Default device username
● Weak passwords
● Privilege Escalation
● Backdoor
● Network attacks

Securing Network Media


Network media is the cabling that makes up our network. This can be copper, fiber
optic, or coaxial. And they're going to be used as a connectivity method inside of our
wired networks. Now, in addition to all the cables, there's other parts of the cabling
plant we have to think about. All those intermediate devices like patch panels,
punch-down blocks, and network jacks all make up this cabling plant that runs
throughout our organisation.

EMI
This stands for electromagnetic interference. Electromagnetic interference is a
disturbance that can affect electrical circuits, devices, and cables due to radiation or
electromagnetic conduction that occurs. Now, EMI is something that happens
normally inside our businesses and inside our homes. EMI is caused by all sorts of
things, like televisions, microwaves, cordless phones, baby monitors, motors like
inside your vacuum, and other devices.

Now, to minimize EMI, you need to install shielding around the source. For instance,
your air conditioner lets off a lot of EMI, so you could put shielding around that. Or you
can shield the cable itself by choosing shielded twisted-pair. Now, STP cables, or
shielded twisted-pair, have foil around either each twisted-pair in the cable or around
the entire bundle of twisted-pairs to prevent emanations out of the cable or
interference entering into the cable. STP gives you a double benefit: it keeps things
out, and it keeps things in.

RFI
RFI is just another type of interference like EMI. Like EMI, it's a disturbance that can
affect your electrical circuits, your devices, and your cables. But instead of being
caused by electrical waves, it's caused by radio waves, most often from AM and FM
transmission towers or cellular phone towers. Now, cell towers and radio towers near
your office can be a big source of RFI in your wireless networks.

Crosstalk
Another vulnerability we have is what’s known as crosstalk. Crosstalk occurs when a
signal is transmitted on one copper wire, and it creates an undesired effect on
another copper wire. So, when we think about having two copper wires, like inside of
a twisted-pair cable, if the shielding inside that protects those wires comes off, then
we can actually have crossover from one wire to another. And that causes
interference because of the data emanations and EMI. Crosstalk is essentially that,
but in very close proximity.

Data Emanation
Well, data emanation is the opposite. It comes from inside your cable, and it starts
generating a field around that cable, that when you're transmitting information over
the network, could be picked up by somebody who's trying to capture that. This is
things on your network trying to escape. So, if somebody is nearby, they can actually
capture those data emanations, and they could reconstruct that data that was
travelling over your network.

Split Wires
Now, if you can’t find an open jack but you still want to collect things completely
passively, you can do this by splitting the wires of a twisted-pair connection. You can
open up the cable in an area that nobody is seeing. You can cut the wire and solder
on additional wires to each of the twisted-pair's internal cables. This will give you a
copy of the data and you can plug it back in and give the network a copy of the data.
This lets you capture the data as it transmits back and forth over the network
completely passively, and no one's going to see it.

PDS
To prevent this, you can install a protected distribution system, or a PDS. A PDS is a
secured system of cable management to ensure that the wired network remains free
from eavesdropping, tapping, data emanations, and other threats. They are kind of
expensive, though, because they add locks to every network closet. They enclose
every cable distribution point. And they run cables through a protected conduit that
runs throughout the ceiling. Because of this expense, I've only really seen this used
in very large organisations that are really worried about security, government
buildings, or the military.

Securing Wifi Devices

SSID
It takes me about five seconds to find out your SSID if you're not broadcasting. So,
by disabling it, you're just making operations harder for yourself and you're not really
gaining any security here. Now, all of that said, if you're asked on the exam, disabling
SSID broadcast is considered good security in the Security+ exam and you should
implement it.

Rogue Access Point


A rogue access point is an unauthorised wireless access point or wireless router that
somebody connected to your network, and it's going to give access to your secure
network. For example, say somebody in your office decided that they didn't want to
plug into that RJ45 jack all the way in the back wall over there, so they put in a
wireless access point so they can access the network throughout the whole room.
That makes operations easy for them, but that wireless access point wasn't properly
configured. This is going to extend your wired network into the wireless realm, and it
can introduce its own DHCP server and cause all sorts of other issues. To prevent
this, you should enable MAC filtering on the network, network access control, and
run a good IDS or IPS on your network that can detect or prevent these devices
when they initially try to connect.

Evil Twin
An evil twin is a rogue, counterfeit, and unauthorised wireless access point that's
broadcasting the same SSID that your network broadcasts. So, for example, if I went to
Starbucks, you can go and connect and there's Starbucks' Wi-Fi. You know,
Starbucks' free Wi-Fi and I can connect my laptop and I can get on the Internet.
That's great, that's what all these people here are doing. Now, if I go and sit in the
back corner, and I turn on my laptop and I start broadcasting as Starbucks' free Wi-Fi
and I broadcast louder and stronger than Starbucks' own access point, I can have
you connecting to me instead of connecting to them. I'm the evil twin. Now, by doing
that, I can then be in the middle of your communications, acting as a man in the
middle, collecting all of your information and seeing everything that goes on.
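From the defender's side, an evil twin shows up in a wireless survey as a managed SSID coming from a radio you do not own, often louder than your own access points. The check below is an added example, not part of the original notes; the inventory, the SSID names, the BSSIDs and the scan records are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str         # MAC address of the access point radio
    channel: int
    rssi_dbm: int      # closer to 0 means a stronger signal
    security: str


# Hypothetical inventory of the access points the organisation operates.
AUTHORISED = {
    "CorpNet": {
        "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
        "security": "WPA2-Enterprise",
    },
}

# Constructed survey results, as a site-survey tool might export them.
SCAN = [
    Beacon("CorpNet", "aa:bb:cc:00:00:01", 1, -61, "WPA2-Enterprise"),
    Beacon("CorpNet", "aa:bb:cc:00:00:02", 11, -70, "WPA2-Enterprise"),
    Beacon("CorpNet", "de:ad:be:ef:00:01", 6, -40, "Open"),
    Beacon("CorpNet", "02:00:00:00:00:09", 1, -85, "WPA2-Enterprise"),
    Beacon("CoffeeShop", "11:22:33:44:55:66", 6, -80, "Open"),
]


def find_suspect_aps(beacons, inventory):
    """Return {bssid: [reason, ...]} for radios advertising a managed SSID
    that do not match the inventory. SSIDs we do not manage are ignored."""
    findings = {}
    for ssid, policy in inventory.items():
        known = {b.lower() for b in policy["bssids"]}
        seen = [b for b in beacons if b.ssid == ssid]
        legit_rssi = [b.rssi_dbm for b in seen if b.bssid.lower() in known]
        for b in seen:
            bssid = b.bssid.lower()
            reasons = []
            if bssid not in known:
                reasons.append("unlisted-bssid")
                # An evil twin wins clients by being louder than the real AP.
                if legit_rssi and b.rssi_dbm > max(legit_rssi):
                    reasons.append("stronger-than-legit")
            # Applies to listed radios too: a BSSID can be spoofed, so a
            # matching address alone does not prove the AP is genuine.
            if b.security != policy["security"]:
                reasons.append("security-mismatch")
            if reasons:
                findings[bssid] = reasons
    return findings


if __name__ == "__main__":
    for bssid, reasons in find_suspect_aps(SCAN, AUTHORISED).items():
        print(bssid, ", ".join(reasons))
```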

Wireless encryption

WEP
WEP is the Wired Equivalent Privacy. This came from the original 802.11 wireless
security standard, and it claimed to be as secure as a wired network. I'm going to
prove this wrong to you, in our demonstration later, because we're going to brute
force WEP, and break it in about three minutes. WEP was originally used with a
static 40-bit pre-shared encryption key, but later it was upgraded to a 64-bit key, and
then, again, to a 128-bit key. This isn't the main problem with WEP, though. The main
problem is a 24-bit Initialization Vector, or IV, that it uses in establishing the
connection, and it's sent in clear text.

WPA
WPA is the Wi-Fi Protected Access standard. It uses a Temporal Key Integrity
Protocol, or TKIP, which uses a 48-bit Initialization Vector instead of the 24-bit
Initialization Vector used by WEP. The encryption that it uses is the Rivest Cipher 4,
or RC4, and it added Message Integrity Checking, or MIC. And it uses all of this to
make sure that the data is secure, and ensuring that it's not modified in transit.
Overall, it's a pretty good standard, but it does have some flaws, and so version 2
was released to fix those.

WPA2
WPA version 2, or Wi-Fi Protected Access version 2 was created as part of the
802.11i standard to provide stronger encryption and better integrity checking. The
integrity checking is conducted through CCMP, which is the Counter Mode with
Cipher Block Chaining Message Authentication Code Protocol. And the encryption
uses AES, the Advanced Encryption Standard. AES supports a 128-bit key or higher,
and WPA2 uses either a personal mode, with pretty short keys, or an enterprise
mode, with centralised authentication via a RADIUS server, or another centralised
server, to handle that password distribution we were talking about.

WPS
WPS is the Wi-Fi Protected Setup, which was designed to make setting up new
wireless devices easier. For example, if you have a new printer you want to
configure, you'd push a button on your wireless access point, you'd push a button on
the printer, and you'd enter a PIN number, and boom, those devices would do a
handshake, they would pass over the secret credentials, and both would now be
encrypted. This is great, but it was horribly executed. WPS relies on an eight-digit
code, but when that code is sent, it is actually broken up into two four-digit
chunks. This takes something that would have been eight digits long and,
essentially, makes it four digits long. And that makes it a lot easier to brute force,
because each four-digit chunk only has 10,000 possible combinations. Your
computer and my computer can go through 10,000 combinations pretty darn quickly,
and brute force that password.

Never trust Wifi


Finally, in addition to using the WPA2 standard for your encryption, you should also
set up a VPN for your wireless devices. Anytime you connect to a Wi-Fi, even your
own, you should always use a VPN to protect the data that's going across it. Never,
never, never, never, never trust a wireless network. If you use one, you should
always have a VPN. This is an encrypted tunnel inside of this encrypted wireless
tunnel that adds security. Trust me, encryption and VPNs are your friend on the
Security+ exam. They're almost never the wrong answer. Those two things come up
time and time again. Remember, you can have an encrypted WPA2 tunnel, and then
put a VPN encrypted inside of it. That gives you two layers of encryption and makes
your wireless networks much, much more secure.

Wireless Access Points

So, how do you determine what signals are around your office that may be causing
jamming or interference? Well, you can do this by conducting a wireless site survey,
using a tool like Netstumbler, or you can pull out a spectrum analyzer. This will allow
you to see what frequencies are in use and how strong they are to see if they're
having an effect on your network. Now, most wireless access points do have some
built-in security features that you can configure, as well. This includes things like a
basic firewall with stateful packet inspection, MAC filtering, different levels of
encryption that we've already talked about, and the ability to disable your SSID
broadcast. Some more advanced wireless access points, though, also feature
access point isolation. Access point isolation creates a network segmentation
between each client that's connecting to the access point, and it prevents them from
communicating with any other client and only allows them direct access to the
network's resources or the Internet.

Wireless Attacks

War driving
War driving is the act of searching for wireless networks by driving around until you
find them. You could try this tonight. You can go sit in the backseat of your car, have
your friend or your wife drive you around the neighbourhood and see which networks
you can connect to.

Warchalking
The next type of attack is called war chalking. War chalking is the act of physically
drawing symbols in public places to denote the open, closed, or protected networks
that are in range. It gets its name because in the early days, people would actually
take chalk and draw on a telephone pole different symbols to tell other people what it
is.

IV Attack
An IV attack occurs when an attacker observes the operation of a cipher being used
with several different keys and they find this mathematical relationship between
those keys to determine the clear text data. Now, I know that sounds really
complicated, but the good news is you don't have to do the math to do it. There's
programs that do it for you. This happened with WEP because of that 24-bit
initialization vector.

Wi-Fi disassociation attack


This is going to target an individual client that's connected to the wireless network.
It's going to force it offline by sending deauthentication packets to it, and then it's
going to capture the handshake that that client makes when it attempts to reconnect.
This is used as part of an attack on WPA or WPA2. Our final attack is known as a
brute force attack.

Brute Force
A brute force attack occurs when an attacker continually guesses at a password until
they finally get the correct one. So, an example of this might be that you have the
password of dog, and I know that your password is three characters long. So, I start
out guessing AAA, AAB, AAC, and I keep going until I get to DOF and finally DOG,
dog, I've found your password.
Demo
WPA3
Now, WPA3 has an equivalent cryptographic strength of 192 bits when you're using it
in Enterprise Mode, which means it is much stronger than what we had in WPA2. Now,
as we move into WPA3, we have two different modes: the Enterprise Mode
mentioned here and Personal Mode.

When we talk about WPA3-Enterprise Mode, we're talking about the business use
case and this gives you additional security. It's going to use an AES algorithm with
256-bits of encryption and it's going to use a SHA-384 hash for integrity checking.

When you look at WPA3-Personal Mode, it uses CCMP-128 and that means it's
using a 128-bit key inside of an AES algorithm inside CCMP. Now, this is the
minimum encryption required for secure connectivity within Personal Mode. Now,
what was really the big change in WPA3? Besides increasing the cryptography a little
bit by increasing those key sizes, there was one really big improvement, and it's the
removal of the Pre-Shared Key exchange.

Now, if you remember when we talked about WEP and WPA and WPA2, we talked
about the fact that they all had this Pre-Shared Key and when we exchange that key
over the network, we could have a man-in-the-middle attack or somebody snooping
and grab that key out and then crack it. Now, with WPA3, that's not possible because
we've removed that key exchange, instead, we use what's known as a Simultaneous
Authentication of Equals or SAE. This is a secure password-based authentication
and password-authenticated key agreement method. Now, by doing this, what we
end up doing is using this thing known as forward secrecy.

Other Wireless Technologies

Bluetooth
Bluejacking sends information to a device, whereas Bluesnarfing takes information from
a device.

RFID
RFID devices have an embedded radio frequency signal that's used to transmit
identifying information about the device or the token to a reader that's trying to pick it
up. RFID refers to a large category of devices and technologies, but, for the exam,
the specifics of RFID are not that important. Instead, you need to focus on the fact
that RFID devices can send information from a card to a reader to provide
authentication or identification. For example, one of the most common devices that
we use RFID for is a card that looks like a credit card.

NFC
Near Field Communication or NFC allows two devices to transmit information when
they're in close proximity to each other. This occurs using an automated pairing
process and transmission process of that data. For example, some cellphones have
the ability where you can touch the cellphones together to pass photographs back
and forth. Other uses of NFC are commonplace in payment systems. For example, I
have an iPhone, and I can hold it over a credit card terminal to pay with my credit
card that's linked through Apple Pay. This is an example of a Near Field
Communication device. Just like RFID, we do have to worry about the possibility of
interception of that wireless information, though, because it could be replayed and
rebroadcast.

Others
Now, there’s a few other types of wireless communication out there. For example,
your cellphone uses cellular data networks as part of its communication. This might
be 2G, 3G, 4G or even LTE. All of these are a type of wireless network. As I said
before, your employer should use cellular over wireless whenever possible because
cellular is a point-to-point connection between your device and the cellphone tower.

GPS
This time, I want to focus on GPS from the vulnerability that system has if your
organisation relies upon it. For example, if you use GPS as a way for you to know
where all of your devices are and how your devices are going to drive around a
parking lot, you need to worry a little bit because GPS relies on your device being
able to receive a GPS signal from three of 24 satellites that are orbiting around the
planet. Your device then uses that information to calculate your position. This signal,
though, is very weak as it transmits all the way down from the satellite down to Earth.
If a malicious attacker wanted to disrupt that communication, it doesn't take very
much power to jam the GPS signal. Therefore, if your organisation relies upon GPS,
you need to design your IT systems to not rely solely on GPS, but instead, have
some sort of backup function, especially if you're using it for critical navigation or
other functions.

Satellite
Satellite communication is used for communicating over long distances in areas
where other networks may not be available. You may use this to
connect to viewer networks or connect yourself to the Internet. Satellite is heavily
used in areas that other normal communication networks simply can't reach. For
example, if you're the adventurous type and you're climbing a mountain in a remote
area of the world, it's unlikely that they have a fiber optic cable or cellphone service
up there. But you could bring a satellite phone with you and you could still remain
connected and be able to reach back to the ground stations, in case an emergency
happens. Another area that satellites are commonly used for is for merchant
mariners. As they're traveling around the oceans, they don't have any fiber optic
lines in the middle of the Pacific, and so, they have to use satellite as a way to reach
back to shore.

Physical & Facility Security
Surveillance

● CCTV
○ Wired
○ Wireless
● PTZ
● Heat sensor
● Sound

Door Locks
Now, door locks, again, come in many different varieties. Some use a key. Some use
a PIN number. Some use wireless signals. And some even use biometrics, like a
thumbprint, to open and shut the lock. Now, better security does exist as you move
up the ladder, but so does cost.
At the bottom of the ladder, we have a basic office door lock. Another type of door
lock is known as a cipher lock. Now, a cipher lock provides excellent protection using
a mechanical locking mechanism with push buttons that are numbered that require a
person to enter the correct combination in order to open that door. These are often
used on server rooms, network closets, and other high security locations. Next, we
have electronic access systems.
These electronic access control systems have become quite popular in recent years
as the price has been falling. These can use an RFID reader to scan an employee's
badge and grant them access based on those credentials. Some of these will
actually be combined with a badge and a PIN number, to create multi-factor
authentication that allows for logging and auditing, as well. In addition to these door
locks, we also might use something called a mantrap.

Now, a mantrap is an area between two doorways that holds people until they're
identified and authenticated. Sometimes, these are automated, like using that
electronic badge and PIN system we talked about. And sometimes, they are manned
by security personnel who actually look at your ID badge to verify that you are who
you claim to be.

Biometric Readers
It’s your eye, it’s your fingerprint, it’s your voice, it's something that is innately part of
your ability and part of your person. Now, when we talk about fingerprints,
fingerprints have become a very common identification system. At this point, it's even
gone beyond door locks, and it's now integrated into our smartphones and our
laptops for log in. Now, the newest iPhones have done away with touch ID in favor of
face ID. So, if you have an iPhone X or newer, they actually have the front-facing
camera scan your face and measure the distance between different areas of your
face to uniquely identify you. The crossover error rate is a measure of the
effectiveness of a given biometrics system. So, when you're looking to purchase one,
you can use this as a factor in your decision-making process. You want one that
doesn't have a huge error to the positive side or a huge error to the negative side. If
you can get one that has a good crossover error rate, that's going to make sure that
your people are getting authenticated when they should be and rejected when they
should be.
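To make the crossover error rate concrete, the added example below (not part of the original notes) sweeps the acceptance threshold of two hypothetical readers and finds the point where the false acceptance rate (error to the positive side) meets the false rejection rate (error to the negative side). The match scores, on an assumed 0 to 100 scale, are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Crossover:
    threshold: int   # accept a sample when its match score >= threshold
    far: float       # false acceptance rate: impostors let in
    frr: float       # false rejection rate: legitimate users turned away

    @property
    def cer(self) -> float:
        # At an exact crossing FAR == FRR; otherwise report the midpoint.
        return (self.far + self.frr) / 2


def error_rates(genuine, impostor, threshold):
    """FAR and FRR of a reader at one acceptance threshold."""
    far = sum(score >= threshold for score in impostor) / len(impostor)
    frr = sum(score < threshold for score in genuine) / len(genuine)
    return far, frr


def crossover(genuine, impostor, thresholds=range(0, 101)):
    """Sweep the threshold and return the point where FAR and FRR are
    closest. Raising the threshold lowers FAR and raises FRR, so the two
    curves cross once; the first closest point is returned."""
    if not genuine or not impostor:
        raise ValueError("need both genuine and impostor scores")
    best = None
    for t in thresholds:
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best.far - best.frr):
            best = Crossover(t, far, frr)
    return best


# Constructed match scores from an evaluation of two hypothetical readers.
# "Genuine" = enrolled user presenting their own finger; "impostor" = not.
SYSTEM_A_GENUINE = [92, 88, 95, 71, 84, 90, 67, 89, 93, 78]
SYSTEM_A_IMPOSTOR = [12, 35, 48, 22, 69, 55, 30, 41, 73, 18]
SYSTEM_B_GENUINE = [80, 62, 91, 55, 74, 85, 49, 77, 88, 66]
SYSTEM_B_IMPOSTOR = [20, 58, 44, 63, 71, 37, 52, 29, 68, 15]


def compare_systems():
    """Return the crossover point of each reader, keyed by name."""
    return {
        "A": crossover(SYSTEM_A_GENUINE, SYSTEM_A_IMPOSTOR),
        "B": crossover(SYSTEM_B_GENUINE, SYSTEM_B_IMPOSTOR),
    }


if __name__ == "__main__":
    for name, point in compare_systems().items():
        print(f"system {name}: threshold={point.threshold} "
              f"FAR={point.far:.0%} FRR={point.frr:.0%} CER={point.cer:.0%}")
```

The reader with the lower crossover error rate is the better choice on this measure, because its two error curves meet at a lower error level.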

Fire Suppression

Now, there are three types of fire suppression that we have to discuss for the
Security+ exam. There's:
1. handheld fire extinguishers
2. sprinkler systems
3. special hazard protection systems that we use especially in our server rooms

Fires are broken down into five different categories: Class A, B, C, D, and K.
The first is an ABC extinguisher, which uses dry chemicals to put out fires. If
possible, you should avoid using this on computer equipment, though, because the
dry chemical is corrosive and destructive to computer and electrical components.
The second and probably most common type you're going to see is called a BC
extinguisher, which is used on B and C fires. This most often uses CO2 to put out a
fire. This is useful for both gas fires, Class B, and electrical fires, Class C, and it's
also safe to use on computers.

The third type is a yellow extinguisher and these bottles are used for Class D or
metal fires. These are less common but you should be aware of where they are in
case you need one inside your organisation.

HVAC
Over time, though, the room will become hotter and hotter and hotter if we didn't
have a good HVAC system to cool it down. Now, to best circulate the air around the
server room, you should design it with hot and cold aisles. This allows all of the front
of the server racks to be facing each other, making designated cold aisles where
you'll be working, while expending all of their heat out the rear of their cabinets to
what we call the designated hot aisle. Now, by focusing on the hot and cold aisles,
this allows us to set up better ventilation systems, using our raised floors in a server
room, and dissipating that heat much more effectively. Now, another use of an HVAC
system is to maintain the right humidity level in that server room. After all, if there's
too little humidity, static electricity can build up and cause electrostatic discharge that
can damage your components. Now, many HVAC systems are also connected to
your organization's ICS, or industrial control systems, or your SCADA systems, your
supervisory control and data acquisition systems. This is a specialized network that's
going to control all of your manufacturing and facility systems.

Shielding
First, to reduce EMI in your network cables, you should be opting for STP, or
Shielded Twisted Pair cables, instead of using unshielded twisted pair, or UTP.
These cables do cost a little bit more money, but they do provide a nice foil wrapping
around the twisted pairs that's inside the cable itself. You need to make sure you put
some shielding around that HVAC because it's basically a large motor or a large
generator, and anything with a large motor or generator is going to put off EMI.
Another type of shielding used in high-security environments is the use of a Faraday
cage.

Now, this type of shielding is usually installed around the entire room so that
electromagnetic energy cannot get into the room or get out of it. In fact, the U.S.
government created a standard called the TEMPEST standard that certifies facilities
that meet its stringent requirements for shielding. If your organisation is going to
work for the U.S. government as a contractor, your facility may have undergone this
level of security inspection to determine if your facility has the appropriate shielding
to ensure that it isn't subject to emissions or interference. These TEMPEST-certified
buildings are usually used to process classified, secret, and top secret government
information and so they want to make sure nothing is leaking in and nothing is
leaking out.
Another side benefit of a TEMPEST-certified building is that it's resistant to the
effects of an electromagnetic pulse. An EMP is a high-energy pulse that could
otherwise destroy the electronics that are within range of that EMP. And so, this is a
nice side benefit that we get if we happen to work inside a TEMPEST-certified
building.

Vehicular Vulnerabilities
These systems all have to connect some way. And so we take all these different
subsystems, like the HVAC and the steering and the cruise control and all of these
different functions, and they all get passed over what's called a Controller Area
Network or a CAN.
Now, when you talk about a Controller Area Network, this is a digital serial data
communications network that's used within a vehicle. Now, if you look at an airplane,
for instance, they have miles and miles of cabling and all that cabling connects
together. That is a CAN. In your car, the same thing, just not as large or not as big of
an extent.

Well, they have to get to the CAN bus and there's really three ways to do it.

One is they can do it locally. They can attach an exploit locally to the OBD-II. Now
you might think, well, that means they have to be in the car with you. Well, not
necessarily. You can create a plug that plugs into the OBD-II. And most OBD-IIs are
underneath the dashboard where somebody doesn't see it visibly. So let's say you
went to a local restaurant and you actually handed your car off to some valet. While
you're in there, he could have plugged something into the OBD-II, and now he has
a connection that he can run an exploit from.
Now, another thing they can do is they can actually exploit over the onboard cellular.
If your car has a cell modem built into it, that means you have a connection to the
outside world, which means they have a connection to you. Now, most cars have two
networks. They have the entertainment network and the vehicular CAN network and
they are separated. For instance, I have a Tesla that I drive. It has a cell modem built
in that runs through the entertainment system, so I can listen to the radio, I can listen
to songs over Pandora and Spotify and things like that. That is one system. And then
there's the system that controls the driving of the car. They've built that as two
separate systems because of this vulnerability. But if you have a manufacturer who
doesn't have a clear separation of the two, that could be an issue.

And then the third, you can have an exploit over the onboard wifi. Again, a lot of cars
have onboard wifi as a feature that was added within the last five to 10 years. And so
if I'm driving close to you and I can reach your wifi, and there's a link between that
wifi and the CAN, I can then get messages into your CAN and cause issues. So
again, this isn't a big area that we as cyber security analysts are really going to work
in, except to know that this vulnerability exists. For the exam, if you can remember
these three vulnerabilities, you'll do fine when it comes to vehicle questions.

IoT Vulnerabilities
It can be things like trains, planes, and automobiles. It can be shopping carts. It can
be your Smart TV. It can be your cell phone. Pretty much anything that can connect
to the Internet could be considered an Internet of Things. For instance, there's some
refrigerators out there right now that have the ability of connecting to the Internet and
using things like Alexa to be able to add things or take things away from your
shopping list. All of that is part of the Internet of Things. So, when we define the
Internet of Things, or IoT, we're really just talking about a group of objects, and they
could be electronic or not, and they all have to be connected to the wider Internet by
using embedded electronic components. But the biggest problem with these things is
they're not always secure, and security is most often an afterthought to convenience
when we start talking about smart devices. Now, most of our smart devices are going
to use an embedded version of Linux or Android as their operating system. And so,
because they have Linux or Android as their operating system, they are vulnerable to
attack. If there's a Linux vulnerability out there and you're using a Linux version on
that smart device, and that vulnerability matches, it can actually attack your Smart
speaker, for instance. And so, these are things you have to think about as you start
looking at your network, because if they're connected to your network, 'cause you
have a Smart TV in the conference room, that could be an attack vector for
somebody to get into your network. And that is one of the most common places I see
people getting into a network through, is things like smart devices that are now
connected to the corporate network.

Embedded system vulnerabilities


Now, when we talk about an embedded system, this is a computer system that is
designed to perform a specific and dedicated function. Now, oftentimes, when we
talk about an embedded system, we're talking about things more in the
manufacturing space or automation space. So, we might have a microcontroller in a
medical drip system that has one job, it's to measure the amount of volume of fluid
that goes through that machine and into your IV so you can give the patient what
they need.
Now, when we talk about embedded systems, there's a term called PLC, which is a
programmable logic controller. This is a type of computer that is designed for
deployment in industrial or outdoor settings, and it can automate and monitor
mechanical systems. Now, when you think about a PLC, I want you to think of
something like manufacturing that's going to open or shut a valve to let more or less
water come in. That's the idea of a PLC. It is a programmable logic controller. Now,
these PLCs run on firmware, because again, these are embedded systems. So, the
firmware, which is software on a chip, can be patched and reprogrammed to fix
vulnerabilities when they occur, but again, there's a very specific process and there's
usually limited support from the manufacturer.
Now, another way we can do this is using what's called a system on a chip. This is
another form of embedded systems. This is where our processor integrates the
platform functionality of multiple logical controllers onto a single chip. So, instead of
having all these big PLCs all over the place, we can get all that down to one single
chip. Now, this system on a chip can be very power efficient, and therefore, they're
often used with smaller devices that need to have an embedded system.

Now, the other thing we want to talk about is some of these operating systems they
use. So, there's this thing known as an RTOS, which is a real-time operating system.
Now, this is a type of operating system that prioritizes deterministic execution of
operations. And this will help us to ensure consistent response for time-critical tasks.
Now, think about this. If you're running something that has to open or shut a valve
inside of a nuclear plant, can you have the ability for that to be offline at any time?
Probably not, right? Well, that's the idea of where we would use an RTOS, a
real-time operating system. This is because a lot of our embedded systems typically
can't tolerate reboots or crashes, and they have to have these response times that
are predictable within milliseconds.

Now, the last thing I want to talk about is an FPGA, which is a field programmable
gate array. This is a type of processor that can be programmed to perform a specific
function by a customer, rather than at the time of manufacture. So, if I'm going to use
something like a system on a chip, that is going to be programmed by the
manufacturer and whatever it's programmed to do, that's what it's going to do. But
with a field programmable gate array, I, as the customer, can actually program what I
want it to do. This is really useful if I have a more generic function like open or shut a
valve, but I need to tell it what time I want it to do it. Or if I want to tell it how many
seconds it should be open for and how many seconds it should be closed for.

Now, the end customer here has the ability to program these things by configuring
the programming logic. And we can do this to run a specific application instead of
using an application-specific integrated circuit, like I was talking about a system on a
chip design would. When you burn a system on a chip, that is the program you're
going to have. When you're dealing with a field programmable gate array, you have
the ability to change that.

ICS and SCADA vulnerabilities


But when we start talking about ICS and SCADA, we are talking about OT, which is
operational technology. This is a communications network that's designed to
implement an industrial control system rather than data networking. So, here, we're
really not talking about end-user machines. We're not talking about having a
Windows 10 host sitting on this network. Instead, with OT, we're talking about things
that use technology and computers to be able to do things in the physical world,
like open or shut a valve, like do manufacturing, like create power generation in a
power plant, things like that. So, if I look here, for instance, this is what OT looks like.
Usually, they look like big cabinets with dials and gauges and buttons.

ICS
Now, let’s start with ICS. ICS is an Industrial Control System. When you hear ICS,
this is essentially just a network that manages embedded devices. So, if I work in
some place like an electrical power station or a water supplier, or I work in a hospital
doing health services, I might work in telecommunications in the backbones. Now,
one of the things that ICS uses is what's known as Fieldbus. Fieldbus is digital
serial data communications used in operational technology networks to link
different PLCs together. So, we talked about those PLCs in a previous lesson, right?
I might have a PLC that opens and shuts this valve to let more gas into the engine,
so that we can go faster on a ship, for instance. Well, that is just one PLC, but I
might have another PLC that opens and shuts a breaker that allows electricity to go
to a different part of the ship. And if I want to connect all those things together, I need
a way to do it. And that's what we use Fieldbus for. It's this digital serial data
communications that we use to link all these things together. Now, another thing we
have to be able to do is we need to be able to talk to these machines and tell them
what to do. And that's where we use an HMI: a Human Machine Interface. This is the
input and output controls on a PLC that allows a user to configure and monitor the
system. So, when I'm trying to tell the system to do something, like open a valve, I
need a way to give it that input. I can do that by pushing a button. That could be a
Human Machine Interface. And so, as a cybersecurity analyst, one of the things you
want to look for is the data historian. Now, the data historian is software that
aggregates and catalogs data from multiple sources within an industrial control
system. Now, again, as an analyst, this is important for you to know because if you're
working in a place that has an industrial control system, you want to find out where
the data historian is and how you can use it, because that's going to have valuable
information for you.

SCADA
SCADA is Supervisory Control and Data Acquisition. This is a type of industrial
control system. So, it's a type of ICS that manages large-scale, multi-site devices
and equipment spread over a geographic region. So, when I'm talking about ICS, I'm
looking at one plant. When I talk about SCADA, I'm talking about multiple plants.
That's really the way I like to distinguish these two. So, when you deal with SCADA,
this typically runs as software on ordinary computers and it gathers data and
manages it across the different plant devices and the different equipment that has
embedded PLCs. So, when you're dealing with SCADA, it typically is going to use
some kind of a wide area network connection. So, I mentioned earlier, I have a smart
meter on my house. They don't have to come out once a month and read my
electrical meter to know how much to bill me. Why don't they have to do that?
Because it's part of a SCADA network, and all the houses in my area are part of that
SCADA network. They have a cellular chip in there, and it takes that reading once a
month, sends it back over cellular as a text message or data format, whatever they
use, to their SCADA server, collates that information, passes it to the billing system,
and then I get a bill.

Modbus
Now, the third part of this we need to talk about is Modbus. Now, because ICS and
SCADA are really focused on operational technology, they don't have to use things
that we'd only use in the IT world. But they have to have a way to communicate with
each other. And Modbus is that way. Modbus is a communications protocol that's
used in operational technology networks. So, in our IT networks, what do we usually
use? TCP/IP, right? Well, we don't have to use that inside these OT networks. And
often, we don't. Modbus is instead what we use. So, Modbus is going to give the
control servers and the SCADA host the ability to query and change configurations of
each PLC. Now, this is important to know. Because this is more of a proprietary
protocol, it looks different than TCP/IP. So, if you're trying to do an incident response,
and you think somebody's in your ICS SCADA network, and you've been studying
how to do TCP/IP your entire life, are you going to know what you're looking at?
Most likely not. And that's why there are experts in ICS and SCADA systems.
Because it is a different way of thinking. It is a different way of communicating, and
they use a different protocol.
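
To make the point about unfamiliar traffic concrete, here is an added example (not part of the course material) that decodes Modbus frames and separates queries from configuration changes. It assumes serial (RTU) framing and that every captured frame is a request sent to a PLC; the capture itself is constructed.

```python
import struct

# Public Modbus function codes, split the way the text splits them:
# queries (reads) versus configuration changes (writes).
READ_CODES = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
              0x03: "Read Holding Registers", 0x04: "Read Input Registers"}
WRITE_CODES = {0x05: "Write Single Coil", 0x06: "Write Single Register",
               0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def with_crc(body: bytes) -> bytes:
    """Append the CRC the way it travels on the wire (low byte first)."""
    return body + struct.pack("<H", crc16_modbus(body))


def decode_request(frame: bytes) -> dict:
    """Decode one request frame: unit address, function code, data, CRC."""
    if len(frame) < 4:
        return {"valid": False, "reason": "frame too short"}
    body, wire_crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != wire_crc:
        return {"valid": False, "reason": "CRC mismatch"}
    record = {"valid": True, "unit": body[0], "function": body[1]}
    func = body[1]
    if func in READ_CODES or func in WRITE_CODES:
        if len(body) < 6:
            return {"valid": False, "reason": "truncated request"}
        record["name"] = READ_CODES.get(func) or WRITE_CODES[func]
        record["kind"] = "read" if func in READ_CODES else "write"
        # These requests all start with a 16-bit address followed by a
        # 16-bit quantity (reads, multi-writes) or value (single writes).
        record["address"], record["count_or_value"] = struct.unpack(">HH", body[2:6])
    else:
        record["name"], record["kind"] = "other", "other"
    return record


# Constructed capture (assumption: every frame is a request sent to a PLC).
CAPTURE = [
    bytes.fromhex("01030000000ac5cd"),                  # unit 1: read 10 registers
    with_crc(bytes.fromhex("010600010003")),            # unit 1: write register 1
    with_crc(bytes.fromhex("0205000aff00")),            # unit 2: switch coil 10 on
    bytes.fromhex("01030000000ac5ce"),                  # damaged frame, bad CRC
    with_crc(bytes.fromhex("0110002000020400010002")),  # unit 1: write 2 registers
]


def writes_by_unit(frames) -> dict:
    """Group every valid write request by the PLC (unit address) it targets."""
    summary = {}
    for frame in frames:
        rec = decode_request(frame)
        if rec["valid"] and rec["kind"] == "write":
            summary.setdefault(rec["unit"], []).append((rec["name"], rec["address"]))
    return summary


if __name__ == "__main__":
    for frame in CAPTURE:
        print(frame.hex(" "), "->", decode_request(frame))
    print("writes per PLC:", writes_by_unit(CAPTURE))
```

During an investigation, the write summary is the part to compare against the data historian and the change log, since reads are routine polling and writes are what alter a PLC.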

Mitigating Vulnerabilities
Well, the go-to guide for this is going to be the NIST Special Publication 800-82.
Now, again, this is a good read if you happen to work in a manufacturing
environment or someplace that uses ICS and SCADA.

Now, the first thing we want to talk about is how you can establish administrative
control over operational technology networks. The best way to do this is by recruiting
staff who have expertise with these things. Because, as I said, these are not your
normal IT networks.
The second big tip, you want to make sure you're implementing the minimum
network links by disabling any unnecessary links, services, and protocols.
Essentially, when you have an operational technology network, you want to eliminate
it from all of the rest of the networks, as much as possible.

The third thing we want to talk about is how we can develop and test a patch
management program for operational technology networks. Again, these OT
networks are different than our information technology networks. You can't just go
ahead and use your Microsoft SCCM servers. That's not going to work for you. So,
you want to make sure you understand what options you have and how you're going
to do a patch management program. Remember, these are things unlike PLCs, they
have firmware that needs to be upgraded sometimes, that's going to require
maintenance windows, that's going to require downtime.

And then, the fourth thing we need to think about is how we're going to perform
regular audits of logical and physical access to these different systems so that we
can detect possible vulnerabilities and intrusions.

Premise System Vulnerabilities


Well, a premise system is a system used for building automation and physical
access security. And these are a different type of network, as well. Oftentimes, you'll
have this as a third network in your organization. When you're dealing with this and
you go to your front door of your building and you try to get in and use your card and
your PIN, that has to go through some kind of an access control system. Now, in
addition to this, we also have building automation systems. Now, building automation
systems, they have components and protocols that facilitate the centralized
configuration and monitoring of your different mechanical and electrical systems
within offices or data centers. Now, the final thing I want to talk about in this lesson is
the idea of PACS, which is the Physical Access Control System.
Now, the Physical Access Control System is all of the components and protocols that
facilitate the centralized configuration and monitoring of security mechanisms within
offices and data centers. So, when we start talking about all the security cameras
and the access control to badge in and badge out of your building, that is all part of
your Physical Access Control Systems.

PKI
Now, Public Key Infrastructure is an entire system of hardware, software, policies,
procedures, and people that is based on asymmetric encryption. If you have ever
connected to a website using an https connection, you've been part of PKI. Now, if
you want to establish a secure connection to [Link], you would enter
[Link] [Link] into your web browser. Your web browser would go to a
trusted third party called the certificate authority, and it's going to ask them for a
copy of my web server's public key. Then, your web browser is going to pick a
random long number to use as a shared secret key for use with the symmetric
algorithm, something like AES that we're going to use for bulk encryption of the data
between your browser and my web server. But, you have to get that random shared
secret to my web server securely, and for that, we're going to use Public Key
Encryption, known as asymmetrical encryption. Now, using my public key, your
computer is going to encrypt that random shared secret key that you've created. In
the example here, I'm using 51363 as our shared secret. Now, once you encrypt that
using my server's public key, which anyone in the world has access to, it's then going
to be sent over the Internet. Now, because it's encrypted with my public key, though,
no one on the Internet can decrypt it unless they have my private key. And the only
person who has that is me. So, as we go across the Internet, no one can see the fact
that it's 51363 as that secret code. Now, once my web server receives the encrypted
cipher text, it's going to use my server's private key to decrypt it and get it back to
that shared secret key that you submitted. And now that I have it in plain text, I know
what that number is, that 51363. So far, this is just using asymmetrical encryption,
like we discussed in the last section.
Now, both you and my server know this shared secret key, though. So, we can
create a symmetric tunnel. We can do that by using something like AES to create a
secure TLS or SSL tunnel over the Internet and communicate safely and securely
from anybody's prying eyes.

PKI & Public Key Cryptography
Well, PKI and Public Key Cryptography are closely related, but they are not the
same thing. When we talk about PKI, this is the system that creates the
asymmetrical key pairs that consist of those public and private keys that are used in
the encryption and decryption process, as well as managing those key pairs to make
sure they're valid and can be trusted. When we talk about Public Key Cryptography,
on the other hand, we're just talking about the encryption and decryption process.
So, it's a small part of the overall PKI architecture.

Remember, PKI uses Public Key Cryptography to do its function, but PKI is the entire
system of things that are done to be able to create the secure connection from end
to end. Now, when we talk about Public Key Encryption, on the other hand, it's just
the asymmetric encryption and decryption piece.

Certificate Authority
For all of this to occur successfully, we need to have a trusted third party involved,
though. This trusted third party is known as a certificate authority. These certificate
authorities are going to issue digital certificates, and these certificate authorities are
also going to keep the level of trust between all of the certificate authorities around
the world. In this section of the course, we're going to focus on all of those other
parts of the process that allow PKI to work, including those certificate authorities.

Digital Certificate
A certificate is a digitally-signed electronic document that binds a public key with a
user's identity. Now, when I talk about a user here, the user can be a real live person
like you and I or it can be a server, a work station, or another device for the purposes
of a digital certificate. These certificates commonly use the X.509 standard for digital
certificates. This is the common standard used inside of PKI and the certificates
contain the owner's or user's information like their name, their organization, or even
their public key and it also is going to contain the certificate authority's information.
The certificate authority is the trusted third party who is going to issue these digital
certificates, and therefore, the certificate is also going to contain their name, their
digital signature, their serial number for that certificate, the issue date and the
expiration dates, and the version of the certificate.

SAN
For example, I own [Link] but I also own [Link]. Now, if I wanted
to use one certificate to cover both of those domains because they don't have the
same root domain, I would have to modify the Subject Alternate Name or the SAN
field. Now, the SAN field in a certificate specifies what additional domains and IP
addresses are going to be supported by that certificate.
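
How a client decides whether a name is covered by the SAN field, as an added example that is not from the course. It goes a little beyond the text by also handling wildcard entries; the SAN list uses reserved documentation names and is constructed, and the function names are illustrative.

```python
import ipaddress

# Constructed SAN list: one certificate covering two unrelated root domains,
# a wildcard for one subdomain level, and one IP address.
SAN_ENTRIES = [
    ("DNS", "example.com"),
    ("DNS", "www.example.com"),
    ("DNS", "example.net"),
    ("DNS", "*.shop.example.net"),
    ("IP", "192.0.2.10"),
]


def as_ip(value: str):
    """Return an ip_address object, or None when the value is a host name."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def dns_matches(pattern: str, host: str) -> bool:
    """Compare one DNS SAN entry with a host name, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label, never several
    if p_labels[0] == "*":
        # The wildcard is honoured only as the complete leftmost label.
        # Policy choice in this example: refuse wildcards with fewer than
        # three labels, such as "*.com".
        return (len(p_labels) >= 3 and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    return "*" not in pattern and p_labels == h_labels


def covered_by_san(target: str, san_entries) -> bool:
    """True when the name or address the client asked for is in the SAN list."""
    ip = as_ip(target)
    for kind, value in san_entries:
        if ip is not None:
            # IP targets are compared with IP entries only, never DNS ones.
            if kind == "IP" and as_ip(value) == ip:
                return True
        elif kind == "DNS" and dns_matches(value, target):
            return True
    return False


if __name__ == "__main__":
    for name in ("example.com", "example.net", "pay.shop.example.net",
                 "a.b.shop.example.net", "mail.example.com", "192.0.2.10"):
        print(f"{name:24} covered: {covered_by_san(name, SAN_ENTRIES)}")
```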

Single-sided - Dual-sided Certificates


Two other types of certificates that we have to think about are single-sided and
dual-sided certificates. Now, for example, when you connect on my website there's a
secure session that's established and my server's going to identify itself to your web
browser using my server's digital certificate. Now, you aren't required to have your
own digital certificate to be authenticated back to me, though. This is known as a
single-sided certificate because only one side of this authentication is happening with
the certificate. Now, some organizations require both the server and the user to
validate each other using certificates. When this occurs, this is called a dual-sided
certificate. Now, using dual-sided certificates, it's better for security but it does
require twice the processing power on the server, so, it's usually only used in high
security environments. Now, with digital certificates, each certificate is validated
using the concept of a chain of trust, moving from the bottom upward.

Certificate Encodings
As I said before, digital certificates are usually based on the X.509 standard but the
certificate itself must be encoded before it can be used. Now, there are three
different encoding methods that are classified under the X.690 standard. They're
known as BER, CER, and DER.
BER is the Basic Encoding Rules and it's the original ruleset governing the encoding
of data structures for certificates. But there are several different encoding types that
can be used as part of BER. Now, for the Security+ exam, you don't need to know
the specific encoding types underneath BER. So, we're not even going to cover them
here but just realize that BER has the ability to have multiple encoding types. And
that makes it different than CER.
CER is the Canonical Encoding Rules, which is a restricted version of BER that only
allows the use of one encoding type.
DER is the Distinguished Encoding Rules. And this is another restricted version of
BER, and it only allows one encoding type, as well, but it has more restrictive rules
for length, character strings, and how a particular element of a digital certificate is
stored. In fact, DER is what is used commonly for X.509 encoding of certificates.

Certificate Formats
When dealing with digital certificates you may come across a few different file types
on your machine, including the PEM, CER, CRT, KEY, P12, PFX, and P7B.

The .pem format is used for Privacy-enhanced Electronic Mail and it uses the DER
encoding method. Sometimes, it also stores itself as a .cer, .crt, or .key file.

The .p12 file is going to be used to store a server certificate, an intermediate
certificate, and a private key in one encrypted file. It's called the .p12 because it's a
binary format of the Public Key Cryptographic System #12 or PKCS#12 certificate.

Now, the .pfx file is called the Personal Information Exchange and it's used by
Microsoft for release signing. This file is going to contain both the private and public
keys in it.

The .p7b file is used as the basis for S/MIME, the secure email protocol. And this is
also going to be used for single sign-on. It's called the .p7b because it's based on the
PKCS#7.
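
The stricter length rules that set DER apart from BER, and the way a .pem file wraps DER bytes, shown as an added example that is not from the course. The sample structure is constructed and is not a real certificate; the reader handles only the three tag types it needs, and the label "EXAMPLE DATA" is an assumption.

```python
import base64

TAG_NAMES = {0x02: "INTEGER", 0x0C: "UTF8String", 0x30: "SEQUENCE"}


class NotDER(ValueError):
    """The bytes may be acceptable BER, but they break a DER restriction."""


def read_length(buf: bytes, pos: int):
    """Return (length, next_pos), accepting only the one form DER allows."""
    if pos >= len(buf):
        raise ValueError("truncated before length byte")
    first = buf[pos]
    if first < 0x80:                      # short form: a single byte, 0..127
        return first, pos + 1
    if first == 0x80:
        raise NotDER("indefinite length is not allowed in DER")
    n = first & 0x7F                      # long form: n length bytes follow
    raw = buf[pos + 1:pos + 1 + n]
    if len(raw) != n:
        raise ValueError("truncated length field")
    value = int.from_bytes(raw, "big")
    if raw[0] == 0 or value < 0x80:
        raise NotDER("length not in its shortest form")
    return value, pos + 1 + n


def parse_der(buf: bytes) -> list:
    """Parse tag-length-value items into nested (tag_name, value) tuples."""
    items, pos = [], 0
    while pos < len(buf):
        tag = buf[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags are not handled in this example")
        length, pos = read_length(buf, pos + 1)
        value = buf[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated value")
        pos += length
        name = TAG_NAMES.get(tag, f"tag 0x{tag:02X}")
        if tag & 0x20:                    # constructed: the value holds more items
            items.append((name, parse_der(value)))
        elif tag == 0x02:
            items.append((name, int.from_bytes(value, "big", signed=True)))
        elif tag == 0x0C:
            items.append((name, value.decode("utf-8")))
        else:
            items.append((name, value))
    return items


def der_violation(buf: bytes):
    """Return the DER rule that the buffer breaks, or None if it is valid DER."""
    try:
        parse_der(buf)
    except NotDER as exc:
        return str(exc)
    return None


def der_to_pem(der: bytes, label: str) -> str:
    """PEM is the DER bytes in base64, 64 characters per line, between markers."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END markers and decode the base64 body back to DER."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") \
            or not lines[-1].startswith("-----END "):
        raise ValueError("missing PEM markers")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


# Constructed samples: SEQUENCE { INTEGER 5, UTF8String "example" }
DER_SAMPLE = bytes.fromhex("300c0201050c07") + b"example"
BER_PADDED_LENGTH = bytes.fromhex("30810c0201050c07") + b"example"
BER_INDEFINITE = bytes.fromhex("30800201050c07") + b"example" + b"\x00\x00"

if __name__ == "__main__":
    print(parse_der(DER_SAMPLE))
    print("padded length   :", der_violation(BER_PADDED_LENGTH))
    print("indefinite form :", der_violation(BER_INDEFINITE))
    print(der_to_pem(DER_SAMPLE, "EXAMPLE DATA"), end="")
```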

Certificate Authority
For a digital certificate to be issued, a user first has to request a digital certificate
from a Registration Authority known as an RA. The Registration Authority, then,
requests the identifying information from the user and forwards that certificate
request up to the CA known as the Certificate Authority. This Certificate Authority
then creates the digital certificate, including the user's public key and their identity
information, and passes that back to the user. There are many root certificate
authorities out there including companies like Verisign, Digisign, and numerous
others. They act as a trusted third party to validate the certificates are being issued
to the correct people. The certificate authority also maintains a publicly-accessible
copy of that user's public key and this allows them to have that for use by other users
who wish to send them confidential information.

CRL
Now, they also maintain what’s known as a CRL which is a Certificate Revocation
List. The Certificate Revocation List is an online list of digital certificates that the
certificate authority has already revoked. Usually, this is because those certificates
have become compromised. The Certificate Revocation List is a full list of every
certificate that has ever, ever been revoked by that particular certificate authority.
Whenever your computer tries to connect to a new server, it requests the current
public key digital certificate from the certificate authority. The certificate authority first
checks the Certificate Revocation List before they send you that public key or digital
certificate to ensure it hasn't already been revoked.

OCSP
Now, if you want to determine if a certificate was revoked, we're going to use a
protocol known as the OCSP or Online Certificate Status Protocol. This protocol is
going to allow you to determine the revocation status of any digital certificate using
its serial number. This is an alternative to the Certificate Revocation List and
operates much more quickly and much more efficiently because it doesn't use
encryption, but that makes it less secure. Just as OCSP was an alternative to
Certificate Revocation List, OCSP Stapling is an alternative to OCSP. This process
used to be known as the TLS Certificate Status Request Extension. This OCSP
Stapling allows the certificate holder to get the OCSP record from the server at a
regular interval and include it as part of the SSL or TLS handshake. By doing so, it
eliminates an additional connection being required at the time of the user's request
and this speeds up the secure tunnel creation process.

Public Key Pinning


Now, one concern with digital certificates is if an attacker can impersonate a server.
To prevent this from occurring, public key pinning was created. Public key pinning
allows an HTTPS website to resist impersonation attacks from those who are trying
to present fraudulent certificates by presenting a set of trusted public keys to the
user's web browser as part of its HTTP header. Now, if the web browser doesn't get
the matching public key from the certificate authority, then, it knows that website was
compromised and it's going to alert the user.

Key Escrow
Key escrow occurs when a secure copy of a user's private key is held, just in case
that user accidentally loses their key. If your organization simply can't accept any
data loss, then you need to ensure key escrow has been set up. Now, remember,
whenever you use key escrow, you have to protect that key store from anybody
who's trying to steal those keys. It's recommended that key escrow services require
two different administrators be present anytime a key is being taken out of escrow.

Key Recovery Agent


A key recovery agent is a specialized type of software that allows the restoration of a
lost or corrupted key to be performed. Think of it as a backup for all of the certificate
authority's keys, just in case an incident or disaster occurred.

Web of Trust
The web of trust is a decentralized trust model that addresses issues associated with
the public authentication of public keys within a CA-based PKI system. One of those
issues is that you have to pay to get one of these digital certificates from a CA. Now,
with a web of trust, we instead use a peer-to-peer model, where I trust you and you
trust me, and because of that, we now can give that trust to other people as we go
around. So, how do we know who we're going to be able to trust, when there's no
third party? Well, one of the ways we can do it is by trusting somebody just because
they said so. So, if I have a web server and I want you to trust it, I can install a
self-signed certificate. That says hey, trust me because I said I'm Jason and you can
trust me. Now, you have to decide if you're really going to trust me, though. If you
see one of these self-signed certificates, your web browser's going to give you an
error, like this one in Firefox. Now, you can choose to trust them by clicking on the I
understand the risks, or you can say, you know, I don't trust that. I'm going to go to a
different website and get my information there. For security purposes it's not a good
idea to trust a self-signed certificate and so, this is kind of frowned upon. You should
probably, if you're having a website, you should spend the money and get a real
digital certificate from a trusted third party.

The second thing we can do is trust the collective intelligence of others. This is the
system that's used by Pretty Good Privacy. It's basically a web of trust, where every
person who trusts you starts helping to increase your rating and then, as more
people know you and trust you, other people are going to know you and trust you.
The same thing kind of happens on Twitter and Facebook and other social media.

Cryptography

Symmetric vs Asymmetric
Encryption ciphers are categorized as either symmetric or asymmetric algorithms
and this is based on the type of key that they utilize to secure the data. When you're
using a symmetric key encryption, you're going to have a single key that's used to
encrypt and decrypt the data. With asymmetric encryption, you're going to use two
different keys. One key is used to encrypt the data and the second key is used to
decrypt it. Beyond the challenge of proving who used the key, there's another
challenge with symmetric algorithms and that's the distribution of that shared secret
key. So, if you wanted to encrypt emails and send them to your five closest friends,
each of you would have to have a set of shared secret keys set up for each of you,
so there would be five different pairs of keys.

The second category that we have for encryption ciphers is known as asymmetric
algorithms. Unlike symmetric algorithms, asymmetric algorithms do not require a
shared secret key. For this reason, they're often referred to as public key
cryptography which we're going to discuss in its own lesson. Now, with asymmetric
algorithms, two separate keys are used. One is used to encrypt the data and another
one is used to decrypt the data. The most commonly used types of asymmetric
algorithms are the Diffie-Hellman algorithm, RSA, and ECC.

For example, symmetric algorithms are very popular because they tend to be about
100 to 1000 times faster than an asymmetric algorithm. But asymmetric algorithms
allow us to overcome the key distribution challenge that we face with symmetric
algorithms. Often, though, like most things, implementations are going to use a
hybrid approach that combines both of these to get you the best benefits.

Now, in addition to classifying algorithms as symmetric or asymmetric based on their
key type, we also categorize an algorithm as a stream or a block cipher based on the
mathematical algorithm that they're using to do their encryption and decryption.
Stream ciphers perform their computations and encryption a single byte at a time.
Making it a bit by bit process, they utilize a key stream generator to create a bit
stream that is mixed with the input plaintext using a mathematical exclusive OR (XOR)
function and this creates the encrypted cipher text. Because these stream ciphers
can perform bit by bit encryption, they are well-suited for securing real-time
communication data streams like streaming audio or streaming video. Now, stream
ciphers also tend to be symmetric algorithms and they use the same key for
encryption and decryption.

A block cipher, on the other hand, is able to break the input into fixed length blocks of
data before performing the encryption. Block ciphers are also easily implemented
through software solutions where stream ciphers tend to be used in hardware
solutions. In fact, most of the algorithms that we're going to talk about in this course
are block ciphers, things like DES, 3DES, AES and IDEA.
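
The hybrid approach described above, and the handshake from the PKI section that sends 51363 as the shared secret, run end to end as one added example that is not from the course. Assumptions: tiny constructed primes and textbook RSA without padding (not secure), and a SHA-256 keystream XORed with the plaintext, the stream-cipher construction described above, in place of AES so that it runs on the standard library alone.

```python
import hashlib

# --- Server side: asymmetric key pair (assumption: toy-sized primes) ---
P, Q = 1009, 1013                    # real RSA primes are over a thousand bits each
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, never leaves the server

PUBLIC_KEY = (N, E)                  # anyone in the world may have this
PRIVATE_KEY = (N, D)                 # only the web server has this


def rsa_encrypt(m: int, public_key) -> int:
    """Textbook RSA: c = m^e mod n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(c: int, private_key) -> int:
    """Textbook RSA: m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def keystream(secret: int, length: int) -> bytes:
    """Keystream generator: SHA-256 over the secret and a running counter."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(f"{secret}:{counter}".encode()).digest()
        counter += 1
    return out[:length]


def stream_xor(secret: int, data: bytes) -> bytes:
    """XOR data with the keystream. XOR undoes itself, so the same call
    encrypts and decrypts. A real protocol also mixes in a per-message
    nonce so that a keystream is never used twice."""
    return bytes(a ^ b for a, b in zip(data, keystream(secret, len(data))))


def handshake_and_send(shared_secret: int, message: bytes) -> dict:
    """Run the exchange and report what the wire and the server each saw."""
    # Browser: encrypt the shared secret with the server's PUBLIC key.
    wire_key = rsa_encrypt(shared_secret, PUBLIC_KEY)
    # Server: recover the secret with its PRIVATE key.
    server_secret = rsa_decrypt(wire_key, PRIVATE_KEY)
    # Both ends now hold the same secret and switch to the fast symmetric cipher.
    wire_data = stream_xor(shared_secret, message)
    server_plain = stream_xor(server_secret, wire_data)
    return {"wire_key": wire_key, "server_secret": server_secret,
            "wire_data": wire_data, "server_plain": server_plain}


if __name__ == "__main__":
    result = handshake_and_send(51363, b"GET /account HTTP/1.1")
    print("on the wire (key) :", result["wire_key"])
    print("server recovered  :", result["server_secret"])
    print("on the wire (data):", result["wire_data"].hex())
    print("server decrypted  :", result["server_plain"])
```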

Symmetric Algorithms
In this lesson, we’re going to cover a little bit of detail about the common symmetric
algorithms that you have to know for this Security+ exam. This includes DES, triple
DES, IDEA, AES, Blowfish, Twofish, and the Rivest Ciphers, RC4, RC5, and RC6.

DES
The Data Encryption Standard or DES uses a 64-bit key with eight bits of that being
used for parity. Therefore, DES only really has an effective key length of 56 bits,
which, as you probably guessed by now, means it's not very secure against modern
computing power. DES was heavily used in the 1970s and used all the way up until
the early 2000s. With DES, each message is broken up into 64-bit blocks and put
through 16 rounds of transposition and substitution to create the cipher text. Due to
the weakness of DES's key, a modified version of it known as Triple DES, written as
3DES, was also created. And in this version, there were three 56-bit keys used. The
input data was subjected to encryption through the DES algorithm with the first key
then decrypted through the algorithm using the second key. Again, this jumbles it up
even more and then puts it through the DES algorithm again through another
encryption function using that third key. This effectively created an algorithm that had
a 112-bit key but it was three times slower than DES because of all those encrypting,
decrypting, and encrypting functions.

IDEA
IDEA stands for the International Data Encryption Algorithm and it's another
symmetric block cipher which uses a 64-bit block as its input and it uses that to
encrypt the data. The key size here is 128-bits and it's faster and harder to break
than DES but it's not as widely used as the more common one, AES, which we're
going to talk about in a moment. IDEA is commonly known only because it's
used inside the Pretty Good Privacy suite, which we'll talk about a little bit later on in a
future lesson. Ultimately, DES and triple DES simply weren't strong enough, though,
and so there was this contest held to design a replacement. IDEA was one entrant to
the contest but ultimately, it didn't win.

AES
The one that won is known as AES which is the Advanced Encryption Standard.
AES was chosen as the replacement for DES and triple DES by the US government.
AES can be used with a 128-bit, 192-bit, or 256-bit key, and a matching block size.
AES is known as the Rijndael algorithm, as well, which is named after its creator but
most people simply call it AES. AES is widely used and it has become the de facto
standard in encryption. In fact, it's the encryption standard that's used by the federal
government for any encryption of sensitive but unclassified information.

Blowfish
Next, we have Blowfish, which is a block cipher that uses a 32-bit to 448-bit
encryption key to encrypt 64 bits of data in blocks at a time. It was originally
developed as a replacement for DES but wasn't widely utilized.

Twofish
Another variant, called Twofish, was also developed and this one provides the ability
to use 128-bit blocks in its encryption algorithm and use 128-bit, 192-bit, or 256-bit
encryption keys. Both Blowfish and Twofish were never patented and they were
available for use as open source.

Rivest Ciphers
Another set of symmetric algorithms was created by Ron Rivest, a cryptographer
who's created six algorithms under the name RC which stands for the Rivest Cipher.
RC1 was never published. RC2 was considered weak originally and skipped over.
And RC3 was cracked before it was even released to the public. But RC4, RC5, and
RC6 were released and can be found in common use today. RC4 is a stream cipher
and it uses a variable key size from 40-bits all the way up to 2048-bits. RC4 is used
in both Secure Sockets Layer, SSL and Wired Equivalent Privacy, WEP. Now, RC5 is
a block cipher using key sizes up to 2048-bits. And RC6 is based on the RC5 cipher
and it was originally considered as the replacement for DES until Rijndael cipher was
chosen as the winner and became the Advanced Encryption Standard or AES.

Public Key Cryptography
With asymmetric algorithms, we use a key pair to encrypt and decrypt the data.
These two keys are called the public key and the private key. Now, public key
cryptography can provide us with confidentiality, integrity, authentication, and
non-repudiation for the messages being sent. To provide confidentiality of the data,
the data should be encrypted using the receiver's public key. So, if I wanted to send
a document to Mary, as you could see here on the screen, I would encrypt that
document using Mary's public key. By doing so, only Mary is able to read it, because
only Mary is going to have Mary's private key. And this is going to be used to decrypt
the contents, ensuring that the message I sent is safe from anybody else's prying
eyes.

Now, to provide non-repudiation, the message should be encrypted using the
sender's private key, so, in this case, I would use my private key. By doing so,
anyone who has access to the sender's public key, which could be anyone in the
world, is going to be able to open that message and read it. This isn't going to give
us any kind of confidentiality, but I'm not worried about confidentiality right now.
Instead, I'm worried about making people know I'm really the person who sent the
message. That's the non-repudiation we're working at. This is going to make sure
that only I can send it, because only I have my private key.

Digital Signature
We want both of those things. And we also want to add to that list, we want integrity
and we want authentication to make sure we have this message being sent where
nobody else can read it, and we know who it came from, and that it was never
changed in transit. To accomplish all of this with our emails, we often implement a
process to create a hash digest based on the message being sent, and then we
encrypt that hash digest using the sender's private key. This is known as a digital
signature and it provides us with the integrity of the message that's being sent, as
well as giving us non-repudiation, because only the sender had access to their
private key. Then, we take the message we're sending and we encrypt that using the
receiver's public key. This provides us confidentiality, as well. So, now I've got
integrity of the message, non-repudiation, as well as confidentiality. To make this
whole system of public and private keys work smoothly, there's another concept that
we're going to cover in a future section called public key infrastructure, or PKI.
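
The sign-then-encrypt flow described above, as an added Python example that is not part of the original notes. It uses textbook RSA with small, publicly known Mersenne primes and no padding so the arithmetic is visible; the primes, message, and function names are illustrative assumptions, and the resulting keys are not secure.

```python
import hashlib
from math import gcd

E = 65537  # common public exponent


def make_keypair(p: int, q: int):
    """Build (public, private) textbook-RSA keys from two primes (toy sizes)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(E, phi) != 1:
        raise ValueError("public exponent is not invertible for these primes")
    d = pow(E, -1, phi)  # private exponent
    return (n, E), (n, d)


def digest_int(message: bytes, n: int) -> int:
    """Hash digest of the message, reduced so it fits under the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, sender_private) -> int:
    """Digital signature: the hash digest transformed with the sender's private key."""
    n, d = sender_private
    return pow(digest_int(message, n), d, n)


def verify(message: bytes, signature: int, sender_public) -> bool:
    """Anyone holding the sender's public key can check integrity and origin."""
    n, e = sender_public
    return pow(signature, e, n) == digest_int(message, n)


def encrypt(message: bytes, receiver_public) -> int:
    """Confidentiality: only the receiver's private key can reverse this."""
    n, e = receiver_public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, receiver_private) -> bytes:
    n, d = receiver_private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    # Constructed toy keys: products of Mersenne primes, trivially factorable.
    sender_pub, sender_priv = make_keypair(2**89 - 1, 2**107 - 1)
    mary_pub, mary_priv = make_keypair(2**61 - 1, 2**127 - 1)

    message = b"Invoice 1042 approved"  # constructed sample message
    signature = sign(message, sender_priv)
    ciphertext = encrypt(message, mary_pub)

    received = decrypt(ciphertext, mary_priv)
    print("decrypted:", received)
    print("signature valid:", verify(received, signature, sender_pub))
    print("tampered valid:", verify(b"Invoice 1042 rejected", signature, sender_pub))
```

Real systems add padding (for example OAEP and PSS) and use keys of 2048 bits or more.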

Asymmetric Algorithms
So, in this lesson, we're going to cover the three asymmetric algorithms that you
have to know for the Security+ exam. They are Diffie-Hellman, RSA, and the ECC or
Elliptic curve cryptography.

Diffie-Hellman
Diffie-Hellman is named for its two inventors. The Diffie-Hellman algorithm is used to
conduct key exchanges and secure key distribution. It's used widely when you're
setting up VPN tunnels and other encryption tunnels that require a symmetric
algorithm's shared secret key, that private key, to be exchanged first before setting
up that symmetric tunnel and by using this asymmetric Diffie-Hellman, we can do
that. Diffie-Hellman is susceptible to man-in-the-middle attacks, though. So, if you
want to secure it, you need to make sure you have some form of authentication,
such as requiring a password, or a digital certificate, at the beginning of the
exchange process. When you see Diffie-Hellman on the exam, I want you to
remember two big things. First, it's an asymmetric algorithm and second, it's used for
the key exchange when establishing a VPN tunnel as part of IPSec.
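
An added Python example (not from the original notes) of a Diffie-Hellman exchange in which each public value is authenticated with a shared password before it is accepted, which is the countermeasure to the man-in-the-middle weakness mentioned above. The 127-bit prime, the generator, the HMAC-based tagging scheme, and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy prime modulus; real deployments use standardized 2048-bit+ groups
G = 3           # toy generator (assumption for this example)


def keypair():
    """Fresh private value and matching public value for one exchange."""
    private = secrets.randbelow(P - 3) + 2   # in the range [2, P - 2]
    return private, pow(G, private, P)


def tag(password: bytes, name: bytes, public: int) -> bytes:
    """HMAC over the sender's name and public value, keyed with the shared password."""
    return hmac.new(password, name + b"|" + public.to_bytes(16, "big"),
                    hashlib.sha256).digest()


def accept(password: bytes, name: bytes, public: int, mac: bytes) -> bool:
    """Accept a peer's public value only if it is in range and correctly tagged."""
    if not 1 < public < P - 1:
        return False
    return hmac.compare_digest(tag(password, name, public), mac)


def session_key(private: int, peer_public: int) -> bytes:
    """Both sides arrive at the same symmetric key without ever sending it."""
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


if __name__ == "__main__":
    password = b"constructed shared password"  # sample value

    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    a_mac = tag(password, b"alice", a_pub)
    b_mac = tag(password, b"bob", b_pub)

    # Each side checks the tag before using the other side's public value.
    assert accept(password, b"bob", b_pub, b_mac)
    assert accept(password, b"alice", a_pub, a_mac)
    print("keys match:", session_key(a_priv, b_pub) == session_key(b_priv, a_pub))

    # A public value substituted in transit does not match the original tag.
    _, substituted_pub = keypair()
    print("substituted value accepted:",
          accept(password, b"alice", substituted_pub, a_mac))
```

A password-keyed tag is only as strong as the password; the digital-certificate option mentioned above avoids that dependency.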

RSA
Our second asymmetric algorithm is known as RSA. It's also named for its creators,
Ron Rivest, Adi Shamir, and Leonard Adleman. RSA is widely used for key
exchange, encryption, and digital signatures. The algorithm relies on the difficulty of
mathematically factoring large prime numbers and this protects its public and private
key pairs. RSA can support key sizes between 1024-bits and 4096-bits. RSA is
widely used in organizations around the globe. If you happen to have one of those
secure tokens on your key chain, where every 30 to 60 seconds, the six digit number
changes and you use that as part of your login and multi factor authentication, well,
guess what? You're using RSA! Because that token stores RSA asymmetric
one-time use keys.

ECC
ECC is heavily used in mobile devices and it's based on the algebraic structure of
elliptical curves over finite fields to define its keys. ECC is very efficient and provides
better security than an equivalent RSA key of the same size. In fact, ECC's algorithm
is six times more efficient than an RSA algorithm. So, if you're going to have a
256-bit key with ECC, you'd require a 2048-bit key with RSA to be just as secure. For
this reason, you're going to see ECC used in a lot of things like tablets, smartphones,
and other mobile-based implementations because these devices have much less
processing power available than does a standard desktop or laptop. There are a few
variations of ECC, as well, and you might come across these in the field. The first is
ECDH, which is the Elliptic Curve Diffie-Hellman, which you might have guessed is
an ECC version of our popular Diffie-Hellman key exchange protocol. Another
variant is known as the ECDHE, which is the Elliptic Curve Diffie-Hellman Ephemeral
protocol, which uses a different key for each portion of the key establishment
process inside the Diffie-Hellman key exchange. The final one you might come
across is known as the ECDSA, which is the Elliptic Curve Digital Signature
Algorithm, which is used as a public key encryption algorithm by the US Government
in their digital signatures. For the exam, remember that ECC and all of its variants
are most commonly used for mobile devices and low-power computing devices
because it gives you equivalent protection to other asymmetric algorithms with a
lower key size.

Pretty Good Privacy


Pretty Good Privacy, also known as PGP, is an encryption program that's used for
signing, encrypting, and decrypting emails. Over the years, PGP's use has expanded
beyond emails, though, and includes an entire suite of protocols that can encrypt
emails, files, and even entire hard disks. PGP uses an older algorithm, though,
known as IDEA, which you may remember from our symmetric algorithm lesson.
Now, you may be wondering, why didn't I just cover PGP all the way back in the
symmetric algorithm lesson, then? Well, PGP is actually a hybrid cryptographic tool
because it uses a symmetric cipher for the bulk data encryption, but it uses RSA, an
asymmetric cipher, to create the digital signatures used in signing its emails and to
send the session keys over an untrusted network. This is what I meant before when I
said that we often combine both symmetric and asymmetric ciphers to give us a
hybrid approach or implementation. Now, PGP uses key sizes of 128 bits or more for
symmetric functions and key sizes between 512 bits and 2,048 bits for its
asymmetric function. Over time, PGP became an open-source encryption cipher, and
as such, it was able to be forked and used for further development. The result of that
was GPG. This stands for the GNU Privacy Guard, and it's an implementation of
cryptography that's used to provide you with confidentiality in your data by encrypting
it like PGP did. Now, GPG is actually a newer version of PGP, or the Pretty Good
Privacy encryption suite. The newer GPG uses the more modern AES encryption
algorithm instead of that weaker IDEA symmetric algorithm. Now, GPG is a
freely-available and non-patented encryption solution that's available for Linux,
Windows, and Macintosh operating systems. So, if you're looking for one to try out,
you can download GPG and get started today.

One-Time Pad
This is called a One-Time Pad. Now, a One-Time Pad is a stream cipher that
encrypts plaintext information with a secret random key that is the same length as
the plaintext input. This secret random key is known as a keystream and it's
comprised of a series of random bits. If the keystream is truly random, the only way
an attacker could decrypt the information back to the plaintext is if they had access
to that randomly created keystream.

Pseudo-Random Number Generator, or PRNG. This is an algorithm that spits out
what looks, to you and me, like random numbers, but other computers can
figure out what the initial seed was, and that takes away the randomness. These
numbers are used for a variety of purposes, including encryption, as well as game
development and other things that you might need a random number for. For
example, you may wish to have images uploaded by your users and assign a
random filename made out of a series of numbers. In truth, though, the numbers
aren't purely random, because computers create them based on mathematical
functions.
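
The XOR keystream idea behind stream ciphers and the one-time pad, and the reason a seeded PRNG is not a substitute for a truly random keystream, as an added Python example (not part of the original notes). The messages, seed values, and function names are constructed for illustration, and the operating system's random source stands in for a truly random pad.

```python
import random
import secrets


def xor_bytes(data: bytes, keystream: bytes) -> bytes:
    """Mix data with a keystream using XOR; the same call encrypts and decrypts."""
    if len(keystream) < len(data):
        raise ValueError("keystream must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, keystream))


def otp_keystream(length: int) -> bytes:
    """Pad as long as the plaintext, drawn from the OS random source, used once."""
    return secrets.token_bytes(length)


def prng_keystream(seed: int, length: int) -> bytes:
    """Keystream from a seeded general-purpose PRNG (Mersenne Twister).

    Every byte is determined by the seed, so the output only looks random.
    """
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(length))


def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Return the pad under which `ciphertext` would decrypt to `candidate`."""
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must be the same length as the ciphertext")
    return xor_bytes(ciphertext, candidate)


if __name__ == "__main__":
    message = b"MEET AT NOON"  # constructed sample plaintext

    # One-time pad: XOR with the pad encrypts, XOR again with the same pad decrypts.
    pad = otp_keystream(len(message))
    ciphertext = xor_bytes(message, pad)
    print("round trip ok:", xor_bytes(ciphertext, pad) == message)

    # Without the pad, every same-length plaintext is equally consistent with
    # the ciphertext: some pad exists that "decrypts" it to any candidate.
    other_pad = key_explaining(ciphertext, b"STAY AT HOME")
    print("alternate reading:", xor_bytes(ciphertext, other_pad))

    # Seeded PRNG: whoever knows or recovers the seed regenerates the keystream.
    weak_ciphertext = xor_bytes(message, prng_keystream(1234, len(message)))
    regenerated = prng_keystream(1234, len(message))
    print("recovered from seed:", xor_bytes(weak_ciphertext, regenerated))
```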

Unfortunately, though, we don’t have a truly random sequence of numbers that we
can rely on. So, one-time pads aren't often used. Instead, we use the concept of
one-time use passwords. You've seen this discussed inside our multi-factor
authentication lesson. For example, you could use a random number that's texted to
you by your website whenever you attempt to log in. Or, you might have an RSA
secure token that displays pseudo-random numbers that you use to prove you have
possession of that token as your second factor of authentication. These are two good
examples of where we use pseudo-random numbers in the security of our network.

Demo: Steganography

More

Blockchain
A blockchain is a shared immutable ledger for recording transactions, tracking
assets, and building trust. Now, when we talk about the blockchain, you're probably
thinking about cryptocurrencies because these are some of the most famous
examples out there. For example, Bitcoin has been all the rage for about a decade,
and this was really the first commercially available type of thing that was using the
blockchain.

Quantum Computing
Now, quantum computing is where we take a computer that uses quantum
mechanics to generate and manipulate quantum bits known as qubits in order to
access enormous processing power. Now, I know this is a weird definition because in
the definition we're actually using both terms inside of it. We're using the word
quantum and the word computing, or computer in this case. And I really don't like
doing that in a definition, but there's really no better way to explain this. When you
think about a classic computer, like the one you're watching this course on right now,
it uses ones and zeros to process information. And the faster you can process those
ones and zeros, that means, the faster you can get information done, and that's
going to be a faster computer. Well, at a certain point, we can't make our computers
really any faster. And we run out of computing capability. So, what we ended up
doing was taking single processors and putting in two processors, or we made
quad-core, which had four processors, or we made octa-core, which has eight
processors. And that's the way we've been able to speed up computers. Well, with
quantum computing, it is a completely different ball game. Instead of using ones and
zeros, we use these things known as quantum bits or qubits. Now, this can be done
in computing or in communications. When we deal with communications, we're
talking about quantum communications being a communications network that relies
on using qubits made of photons, in our case, light, to send multiple combinations of
ones and zeros simultaneously, which will result in tamper-resistant and extremely
fast communications.

Qubit
Well, a qubit is really just a quantum bit. It's composed of either electrons or photons,
so, it can be electrical or made by light, and it can represent numerous combinations
of ones and zeros at the same time using something known as superposition. And
this is really the main benefit of using quantum computing, because you're not just
having a single one or a zero and you can do multiple combinations of ones and
zeros at the same time with this one qubit, you can actually crunch through a wide
variety of potential outcomes simultaneously.

Quantum in Cryptography
In fact, asymmetric encryption algorithms, those that are relying on this hard math
problem, have been mathematically proven to be broken by quantum computers.
Now, the only good thing we have going for us is there's no real quantum computers
in use today. The ones they have are only prototypes and they are very small scale,
and they have been spending millions and millions of dollars to create these. Right
now, the estimate is that we won't have a working quantum computer until at least
2025 or 2030 in some sort of a production environment, maybe even later than that.

Post-Quantum Cryptography
Now, post-quantum cryptography is a new kind of cryptographic algorithm that can
be implemented using today's classical computers, but would still be impervious to
attacks from future quantum computers when they are available. Now, there's really
two methods that we can use to try to create this post-quantum cryptography. The
first method is just to increase our key size, to increase the number of permutations
that are needed to be brute-forced. This works well when you're dealing with a
symmetric encryption algorithm, something like AES. If I take AES 128 and I
increase it to AES 256, for instance, I doubled the key length. But I now have
actually squared the number of possible combinations that are going to have to be
figured out by the quantum computer. And that extends the time and makes it much
stronger and harder to crack. Now, the other way we can do this is by working on
other approaches, and researchers are doing this right now. They're looking into
things like lattice-based cryptography and supersingular isogeny key exchanges.

Ephemeral
The next thing we want to talk about is ephemeral. When we talk about ephemeral
cryptography or ephemeral keys, we're talking about a cryptographic key that's
generated for each execution of a key establishment process. Essentially, when you
hear the word ephemeral, I want you to think about the fact that it is short-lived, it's
something we're going to pick for a short period of time and then throw away.

Homomorphic Encryption
Now, homomorphic encryption is an encryption mechanism that allows calculations
to be performed on data without decrypting it first.

Cloud
Well, cloud computing is defined as a way of offering on-demand services that
extend the traditional capabilities of a computer or a network, out into the Internet.

For cloud computing to gain its intended cost savings and efficiencies, though, it
relies heavily on the concept of virtualization.
By using virtualization, numerous logical servers can be placed on a single physical
server. This, in turn, can help us reduce the amount of physical space, power, and
cooling that's needed inside your data center.
Additionally, by using virtualization, we can achieve higher levels of availability by
spinning up additional virtual servers, when necessary.

Most of the same security issues that we have with physical servers also get carried
over into the cloud computing environment, too.
Many cloud service providers, though, have taken virtualization a step further with
the concept of hyper-converged infrastructure. This allows providers to fully integrate
the storage, network, and servers without having to perform hardware changes.
Instead, they rely on software and virtualization technology to perform all of the
needed integrations.

Many cloud providers are also offering Virtual Desktop Infrastructure as one of their
services. VDI allows a cloud provider to offer a full desktop operating system to an
end user from a centralized server.

Now, when we look at these numerous logical servers being stored on a single
physical server, we also have to consider that there has to be a way to keep the data
confidential and separated from the other logical servers, too.

To do this, we use
1. Secure Enclaves
2. Secure Volumes

Secure Enclaves utilize two distinct areas that the data may be stored and accessed
from. Each enclave can be accessed by the proper processor. This is a technique
that's used by Microsoft Azure and many other cloud service providers.

Secure volumes, on the other hand, are a method of keeping data at rest, secure
from prying eyes. When data on the volume is needed, a secure volume is mounted
and it's properly decrypted to allow that access.

Cloud Types
For the Security+ exam, you should know that there are four different cloud types.

1. Public
2. Private
3. Hybrid
4. Community

Public
The most common type of cloud architecture is the public cloud. Under this model, a
service provider makes resources available to the end user over the Internet. There
are numerous public cloud solutions available today, including those from Google,
Microsoft, and Amazon. For example, Google Drive is a public cloud service that's
offered both as a free and pay-for-use model.

Private
This service requires that a company create its own cloud environment that only it
can utilize as an internal enterprise resource to manage its cloud. With a private
cloud, your organization is responsible for the design, implementation and operation
of the cloud resources, and the servers that host them. For example, the United
States Government runs a private cloud for use by different organizations within the
government. But my company and yours can't get access to it, like we could with
Google Drive. Generally, a private cloud is chosen when security is more important
to the organization than cost.

Hybrid
A hybrid cloud solution combines the benefits of both the public cloud and the private
cloud options. Under this architecture, some resources are developed and operated
by the organization itself like a private cloud would be, but the organization can also
utilize the publicly-available resources or outsource services to another service
provider like a public cloud does! Because of this mixture of private and public cloud
resources, strict rules should be applied for what type of data is hosted in each
portion of this hybrid cloud.

Community
Under this model, the resources and cost are shared among several different
organizations who have a common service need. This is similar to taking several
private clouds and connecting them together. Now, the security challenge here is that
each organization may have their own security controls. Remember, if you connect
your network to another network, you inherit their security risks, as well. This doesn't
change just because we've moved to the cloud environment.

Cloud Service Types


The four types you need to be aware of are
1. Software as a Service
2. Infrastructure as a Service
3. Platform as a Service
4. Security as a Service

SaaS
With Software as a Service, you're going to be provided with a complete solution.
This includes the hardware, the operating system, the software, the applications,
everything that's needed for that service to be delivered. For example, if you use
Office 365 for Microsoft, this is considered Software as a Service, and it allows your
end users to access their email, their Word documents, their PowerPoint
presentations, and all of that directly from within their web browser.

IaaS
In this case, you might only need the service provider to give you the hardware, the
operating system, and the backend server software. With Infrastructure as a Service,
you get the benefit of this dynamic allocation of additional resources known as
elasticity, but you don't have to deal with the headache of long-term commitments
and contracts, buying the hardware, and installing the underlying operating systems.

PaaS
The third type of service is called Platform as a Service. Under this model, the third
party vendor will provide your organization with all the hardware and software
needed for a specific service to operate. For example, if your company is developing
a new piece of software, they might have a development platform that's provided by
a third-party cloud provider. This might be an example of Platform as a Service.

SECaaS
The fourth one is Security as a Service. This allows smaller organizations that don't
have the necessary security skills to essentially outsource them to some larger
company. This can provide them with a lower cost than trying to hire a team of
cybersecurity professionals to work directly for your organization. It can give your
company immediate security expertise, and you can outsource common tasks
and provide the organization's information technology staff with a simple interface
that they can use.

Sandbox
Another security technique that can be provided by cloud services is the use of
sandboxing. Sandboxing utilizes separate virtual networks to allow security
professionals to test suspicious or malicious files. For example, if your organization
is conducting an incident response, your responders could place a piece of malware
in a cloud-hosted sandboxed environment to see the effects of the malware as it's
run in real time. This will allow them to do a dynamic analysis of it.

Defending Servers

File Servers
First, we have file servers. File servers are used to store, transfer, migrate,
synchronize, and archive your files.

Email Server
These servers are a frequent target of attacks because they contain a lot of valuable
data from within your organization. In a Windows environment, the most common
email server is Microsoft Exchange. Microsoft Exchange and its Unix and Linux
counterparts all support the POP3, IMAP, and SMTP protocols for receiving and
sending email.

Web Server
Next, we have a web server. In the Windows environment, this is usually hosted by
Internet Information Services or IIS server. For Linux or Mac, this is usually going to
be an Apache web server. Either way, web servers are, by default, open to the
Internet to perform their job. So, it's important for us to properly secure them. They
should always be placed in your organization's DMZ. They should be properly
firewalled, monitored, logged, audited, and patched to ensure their security.

FTP Server
An FTP server is a specialized type of file server that's used to host files for
distribution across the web. These servers can be set up to allow anonymous login
and receipt of files or they can be secured with a username, password, or other
credentials.

Domain Controller
The final type of server we're going to discuss in this lesson is called a domain
controller. For a Windows environment, this is known as Active Directory.
In a Linux environment, you're likely going to use an LDAP server, instead. Either
way, this server acts as the central repository of all of your user accounts, your
computer accounts, and their associated passwords for the network. Because of this,
hackers often target the Active Directory server as a method of privilege escalation,
or at the very least, lateral movement, by gaining another administrator or user's
account credentials and exploiting the server.

Cloud Infrastructure

VPC
Just like you can use your virtual private networks to connect your home users back
to your corporate network and give them those protections underneath that corporate
umbrella, virtual private clouds can be configured as a private network segment
made available to single cloud consumers within a public cloud.
This is a way that we give security. VPC is considered an infrastructure as a service
product, so if you're using something like AWS, they have a virtual private cloud
service. If you're using Azure, they have their virtual private cloud service.

When we talk about a virtual private cloud, a virtual private cloud is typically going to
be used to provision Internet-accessible customer-facing applications or corporate
applications that need to be accessed from geographically remote sites. If you're
thinking of something that might be a good place inside a DMZ, a virtual private
cloud might be a good place to put it, as well.

Cloud vs On-Premise
Well, when you deal with the cloud, you're putting it in somebody else's data center.
You're putting it someplace where you're just seeing it as a virtual instance
somewhere on the Internet. You don't actually get to go touch that thing. You don't
know if it's in Virginia or London or Washington or even care a lot of times because
you just care that you have access to it and that's the benefit of having the cloud. It's
everywhere you want to be.

Now, when you deal with on-premise, this means it's something in your own data
center. You can walk down the hall and you can touch those servers. A lot of the
places I've worked over the years, we've run our own data centers. Nowadays, we're
starting to use more and more cloud resources, but for the last 20 years, I spent a lot
of time in a lot of organizations spending tons and tons of money, millions and
millions and millions of dollars, building out data centers and running our own
servers.

Cloud access security broker


What is a cloud access security broker, also known as a CASB? Well, this is an
enterprise management software designed to mediate access to cloud services by
users across all types of devices. Essentially, it's going to be a middle man that helps
you with your authentication and ensure that people are using the services they're
supposed to use. Now, there are many different vendors who sell this type of
product.
They include people like Symantec, which uses the Blue Coat Proxy, which I've
personally used in a lot of my organizations.
There's Skyhigh Networks which is made by McAfee, there's Forcepoint, there's
Microsoft's Cloud App Security, which is their version.
And Cisco has their version called Cloudlock.

Now, when you talk about a cloud access security broker, I want you to remember
they provide visibility into how your clients and other network nodes are using your
cloud services. When you start moving everything out to the cloud, you have to think
about how your users are using those things. How much time are they spending? Are
they using it the right way? Are they taking data and putting it where it shouldn't be?
And to do that, we have three different things. We can set it up as either a forward
proxy, a reverse proxy, or using API access.

API
When we talk about an API, this is an application programming interface. It's a library
of programming utilities that are used to enable software developers to access
functions of another application. And this is one of the key things we use when we
start talking about piecing things together by using things that are service-oriented in
their architecture. Now, when we deal with an API, this is going to allow for the
automated administration, management, and monitoring of cloud services, as well as
lots of other applications.
Now, these APIs are commonly going to use either REST or SOAP, the Simple Object
Access Protocol, as their frameworks. Now, when we talk about APIs, we think about
these from the perspective of integration.

FAAS and Serverless


Well, it's a cloud service model that supports serverless software architecture by
provisioning runtime containers in which code is executed in a particular
programming language. Now, that's a really long way of saying we are going to be
able to run things and make applications without actually having our own servers.
Now, that sounds pretty cool, right?
Because, now, I don't know about you, but I've been a system administrator for a
long time, about 20 years, and the idea of having to run all my own servers and be
able to run my own patches and do the updates and do all the testing and do all that
stuff, just to be able to run a simple integration program like the one I talked about
between Freshdesk and Udemy to be able to make tickets go back and forth, sounds
like a lot of work.
And so, function as a service eliminates the need for me to do that. Instead, I can
write the code in something like Python and then run it in this environment. Now,
when we talk about serverless, you notice that keyword in this definition. Serverless
is a software architecture that runs functions within virtualized runtime containers in a
cloud rather than on dedicated server instances.

An Example
Netflix delivers over 10 billion hours of video to 125 million customers every quarter
and they do this using serverless. They do this because they're able to serve that
large of an audience by using a wide range of highly complex infrastructure that
relies on AWS, specifically its serverless capability known as Lambda. Now, all of
this is done using this AWS Lambda, which is a serverless environment. Essentially,
Amazon runs all of these underlying servers and Netflix doesn't have to worry about
them at all. All Netflix needs to do is know that when they give them code that's
written in Python or some other language, Lambda can run it and they don't care
about what that looks like underneath that.

Cloud Threats
1. Insecure APIs
2. Improper key management
3. Improper logging and monitoring
4. Unprotected storage

Insecure APIs
Now, the first thing I want to give you is a word of warning here. When you're using
an API, you should always use it over an encrypted channel. That means SSL or
TLS using an HTTPS connection. If you don't do that, and you just use HTTP, you
are asking for somebody to be able to get there and see what you're doing, be able
to steal things like your authorization tokens, and then use that against you. This is a
major issue, so you want to make sure you secure your APIs by having end-to-end
encryption.

Improper key management


Now, this is a really important thing, because a lot of the things you're going to use
your keys for are things like cryptography, authentication, and authorization. And so,
these are the areas to help you secure your stuff. And if you're not having proper key
management, you're going to have a very insecure API. Whenever you're using an
API, you need to make sure you're using secure authentication and authorization,
things like SAML and OAuth and OIDC, and you want to use those things to do your
authentication and authorization before you access data. Another word of warning I
have for you here, do not hardcode or embed your key in the source code.
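
The two warnings above (encrypted channel only, no key in the source code) combined in one API client helper. This is an added example, not part of the original notes; the environment variable name API_TOKEN and the api.example.com URLs are assumptions for illustration.

```python
import os
import urllib.request
from urllib.parse import urlsplit

TOKEN_ENV_VAR = "API_TOKEN"  # assumed name; set by the deployment, never in source


class InsecureTransportError(ValueError):
    """Raised when a request would leave the encrypted channel."""


def require_https(url):
    """Return url unchanged if it uses HTTPS and names a host, else raise."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise InsecureTransportError(f"refusing non-HTTPS URL: {url!r}")
    return url


def load_token(env=None):
    """Read the bearer token from the environment and fail closed if absent."""
    env = os.environ if env is None else env
    token = env.get(TOKEN_ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV_VAR} is not set; refusing to call the API")
    return token


class NoDowngradeRedirects(urllib.request.HTTPRedirectHandler):
    """Block redirects to plain HTTP.

    urllib copies the Authorization header onto the redirected request, so a
    redirect to http:// would resend the token unencrypted.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_request(url, env=None):
    """Build an authenticated request; nothing is sent until it is opened."""
    req = urllib.request.Request(require_https(url))
    req.add_header("Authorization", f"Bearer {load_token(env)}")
    return req


def build_opener():
    """Opener that keeps urllib's default certificate checks and blocks downgrades."""
    return urllib.request.build_opener(NoDowngradeRedirects())
```

Open requests with `build_opener().open(build_request(url))` so the redirect check applies to every hop.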

Improper logging and monitoring


And one of the big problems is insufficient logging and monitoring of cloud services.
Now, again, here's a word of warning. If you're dealing with a software as a service,
many times, you're not going to have any ability to access log files or monitoring
tools. For instance, think about Gmail. That is a software as a service tool. If you use
Gmail, can you go in there and look at your log files? Can you go in there and look at
your audit logs? Can you go in there and look at your monitoring tools to see if the
service is up and down? No, because that's Google's job, not your job. And so, this
is a weak area for us if we start using a lot of software as a service inside of our
companies. Now, remember, when you're dealing with logs, your logs have to be
copied from these elastic workstations into some place for long term storage. For
example, when we have a cloud service and we spin up a new virtual machine and
we use it for a while because we have a higher demand, and then that demand is
gone, if we're storing those logs on that machine and that machine now is
deprovisioned, we just lost all the logs.

Unprotected storage
Now, there are lots of ways you can do storage inside the cloud, but most storage
containers are going to be referred to as one of two things. They're either going to be
called buckets or blobs. When you call them buckets, this is something that we use
inside of AWS. When we talk about blobs, it's usually in Microsoft Azure. Either way,
we're talking about cloud storage here. Essentially, when we have a file and we want
to save it someplace, we have to put it in a container, and that container, a bucket or
a blob, is going to be someplace that we store it. And that can be actually located in
lots of different places. For instance, your container could be in the East Coast or the
West Coast. It could be in a specific region or any region. But the big thing is you
can't nest one container in another. Each container is going to host its own data
objects, which are those files that we want to store on that system. Now, once you
have that, you have to set up access control. And this is where my word of warning
comes in. Access control to storage is administered through your container policies.
It's also done through your IAM authorizations, and it's done through object ACLs. By
combining these three things, you can get a good level of security.
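
An audit of the policy and ACL layers described above, written for the AWS S3 document shapes (bucket policy JSON and ACL grants). This is an added example, not part of the original notes; the bucket name, account ID and object key are constructed sample values.

```python
import json

# Group URIs that S3 ACL grants use for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for "*" or {"AWS": "*"} (also when "*" appears inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_policy(policy):
    """Return findings for Allow statements whose principal is a wildcard."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", "?")))
        # A Condition may narrow the grant (source IP, VPC endpoint), so a
        # human has to read it; without one the statement is simply public.
        severity = "REVIEW" if stmt.get("Condition") else "PUBLIC"
        findings.append(f"{severity}: policy statement {i} allows {actions} to everyone")
    return findings


def audit_acl(grants, label):
    """Return findings for ACL grants made to one of the public groups."""
    findings = []
    for grant in grants:
        who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if who:
            findings.append(f"PUBLIC: {label} ACL grants {grant['Permission']} to {who}")
    return findings


def audit_bucket(policy_json, bucket_grants, object_grants):
    """Check the container policy, the bucket ACL and every object ACL."""
    findings = audit_policy(json.loads(policy_json)) if policy_json else []
    findings += audit_acl(bucket_grants, "bucket")
    for key, grants in object_grants.items():
        findings += audit_acl(grants, f"object {key!r}")
    return findings


# Constructed sample: one public statement, one statement scoped to a role,
# and one object whose own ACL makes it world-readable.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
SAMPLE_OBJECT_GRANTS = {
    "reports/q1.csv": [{
        "Grantee": {"Type": "Group",
                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
        "Permission": "READ",
    }],
}

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_POLICY, [], SAMPLE_OBJECT_GRANTS):
        print(finding)
```

The object ACL finding is the reason to review all layers together: a careful container policy does not help if an individual object grants read access on its own.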
Conclusion/Recap
1) Attacks, threats, and vulnerabilities
It makes up 24% of the questions on the exam

2) Architecture and design
It makes up 21% of the questions on the exam

3) Implementation
It makes up 25% of the questions on the exam

4) Operations and incident response
It makes up 16% of the questions on the exam

5) Governance, risk and compliance
It makes up 14% of the questions on the exam
5 Tips
(Not actual cheating, but the whiteboard provided to make notes at the first minutes
of the exam)

(Skip the Sims and put these at the end)


(take a guess if you have doubts. There is no negative scoring)

(Best it suits you)


(Be confident)
Planning for the Worst
Redundant Power
A redundant power supply is simply an enclosure that provides two or more
complete power supplies inside of one. You learned about this back in your A+
studies. Now, most servers are going to utilize two individual power supplies in the
server's case to ensure that power is always available to that server at all times. This
eliminates a single point of failure that really does exist inside your desktop
computer. If you look in your desktop computer, you only have a single power supply.
If it fails, the entire computer is going to fail with it. But, with servers, we have two
power supplies, those redundant power supplies. And so, this is going to ensure that
we can mitigate the threat of power supplies failing on us and taking down the entire
server or system.

Surge
A surge in electrical power means that there is an unexpected increase in the
amount of voltage that's being provided. So, here in the United States, our power
supply is 120 volts. If that went up to, say, 124 or 125 volts, that's only a little bit of an
increase in power. So, that would be considered a surge.

Spike
Now, a spike is going to be a short transient voltage that's going to be due to a short
circuit, a tripped circuit breaker, a power outage, or even a lightning strike. This might
jump from 120 volts up to maybe 140 or 150, or even more. Now, to protect against a
surge or a spike, you should use a surge protector. A surge protector is going to help
you against those little surges, but if you have a really good surge protector, it can
help when you have those large spikes, as well.

Sags
A sag is kind of like a surge, but in reverse. Where a surge went up, a sag is an
unexpected decrease in the amount of voltage provided. So, it's going to go down.
Typically, sags are only for a short duration of time, and usually, it's not even going to
make the power get lost to your computers.

Brownouts
However, when that voltage reduces for longer than that, it becomes known as a
brownout. A brownout is when a voltage drops to such an extent, that usually your
lights start dimming and your computer would even shut off.

Blackouts
Now, a blackout occurs when there is a total loss of power for a long period of time.
So, if you're sitting in your house and the lights all go out and the computers turn off
and it happens for 30 seconds or a minute, that's considered a prolonged amount of
time for a blackout.

Backup Power
In the last lesson, we discussed the different types of power conditions that can
affect our systems. Now, to mitigate these, we use different forms of backup power.

UPS
The first type of backup power we have is called a UPS or an Uninterruptible Power
Supply and this is going to combine the functionality of a surge suppressor with a
battery backup. Now, the great thing about these is they can also provide line
conditioning. So, they can protect against things like brownouts, sags, and surges.
So, if you have short durations of times where the power goes down or goes up, that
line conditioning function can help protect your machines and keep them running
smoothly. Now, backups like these are good for short durations of time but they
usually don't last more than 15 or 30 minutes. Some of the largest ones I've seen
and most expensive ones I've seen can actually last up to about 60 minutes.

Backup Generator
A backup generator is part of an emergency power system. It's used when there's an
outage of your regular power supply from the electric grid. Now, some emergency
power systems might include things like lighting for your hallways or special fuel
cells. Larger commercial backup generators can actually power the entire building or
large portions of it. Now, it just depends on how much fuel you have available and
how much power you need to generate. There's really three types of generators that
we're going to talk about. There's portable gas-engine generators, permanently
installed generators, and battery-inverter generators.

A portable gas-engine generator is the least expensive type to run and it usually
uses gasoline or sometimes even solar power. These tend to be noisy when they're
gas engines. They have high maintenance and they have to be started manually
and you'll usually plug in an extension cord and run that into your building.

Now, when you start going to larger generators, you start talking about permanently
installed generators. These are much more expensive and much more complex to
install. But they're always there. Generally, these will run on natural gas, propane, or
diesel fuel. They tend to be quieter and they can be connected directly to your
organization's electric panel. So, if you lose power to the building, somebody can go
and turn on this generator and bring it back online.

The third type of generator that we have is known as a battery inverter generator.
These are based on lead acid batteries. They're super quiet and they require very
little user interaction, aside from, maybe, an uncommon restart once in a while and
changing out the batteries every couple of years. They are well matched to
environments that require a low amount of wattage or are the victims of short power
outages only. They can't sustain your whole facility or data center for a long period
of time. But if you combine something like the battery generators with the diesel
commercial generators, you can actually have the battery take over the short period
of time and the diesels take over the long period of time.

Data Redundancy
If you remember, a RAID is a redundant array of independent disks which is
essentially going to allow you to combine multiple physical hard disks into a single
logical hard disk drive inside of the operating system. Now, for the Security+ exam,
you need to know about a couple of RAID types including RAID 0, RAID 1, RAID 5,
RAID 6, and RAID 10.

RAID 0
A RAID 0 provides data striping across multiple disks and is used to increase your
performance. The keyword here is striping. For example, you might use a RAID 0
when you need performance but you don't care about fault tolerance. A good
example of this is that I do a lot of video editing, so I really care about performance
there as I'm editing these raw videos. By having these two drives working
together, I can do things much quicker than I could with a single drive. Now, to do a
RAID 0, you do need at least two disks to work in tandem with each other.

RAID 1
The next one we have is a RAID 1, and this is going to provide redundancy by
mirroring the data identically to two hard drives. So, if one drive fails, the other can
continue to operate because it has a full copy of everything that was on there. This
provides the least amount of downtime because there is always that complete copy
of data ready at a moment's notice to take over. This provides wonderful fault
tolerance, but it can only be used with two physical hard disks and that provides you
with one single logical hard disk inside the operating system. A good example of this
is once I'm finished editing all my videos and I have the final product, I want to make
sure I don't lose it, so, I can actually move that over to a RAID 1 where I get two
identical copies of that file one on each of those drives.

RAID 5
Now, the next one we’re going to talk about is a RAID 5. A RAID 5 is known as
disk striping with parity. It requires at least three physical disk drives to work, and it
provides fault tolerance by striping the data across multiple disks and writing parity
data to the multiple disks, too. If one disk fails, the other two can reconstruct the data
based on the parity and they continue to operate. This means that if one of those
drives fails, I can pull it out, put in a new drive, and it will rebuild itself inside the
RAID as it keeps moving and operating for the rest of the system.

RAID 6
Next, we have a RAID 6, and a RAID 6 is a modified form of a RAID 5. In fact, it's
one better than a RAID 5, which is why we call it a RAID 6. Now, it's going to use data
striping across multiple disks just like a RAID 5 did, but instead of having one stripe
for parity data, it's actually going to have two stripes for parity data. This requires
another disk in the array to work so, you need at least four physical disks, but that
does provide you additional fault tolerance because you can lose up to two of these
four disks and the RAID will still continue to function.

RAID 10
The last RAID we have is known as a RAID 1-0 which is written as RAID 10. This
combines the advantages of a RAID 1 and a RAID 0 because one plus zero equals
10. This requires four physical disks, just like a RAID 6, and it's going to provide you
with a redundant mirror of striped drives and it is fully fault-tolerant. This gives us all
the speed of a RAID 0 by splitting up the load across two sets of RAIDs, but it also
gives us the full redundancy of a RAID 1 by having those two RAID 1s in there. Now,
this all works as one combined logical drive, even though it uses those four drives
split up into two pairs of two.

So, when we think of RAIDs, they can be categorized as failure-resistant,
fault-tolerant, and disaster-tolerant. These are our three categories for RAIDs. Now,
if you have a failure-resistant RAID, that's going to be something like a RAID 1 or a
RAID 5 because it's going to protect against the loss of the array's data if a single
disk fails inside of it. Now, when we talk about fault-tolerant disk systems, this will be
something like a RAID 1 or a RAID 5 again, or even RAID 6, because even if a
single component fails, one of those drives or even one of the cards inside of it, then
that RAID can continue to function properly. Now, our final category is known as
disaster-tolerant, and so, if we call a RAID disaster-tolerant, this means that the
RAID has two independent zones with full access to the data at all times. A RAID
10 is a good example of a disaster-tolerant RAID.

Network Redundancy
Network redundancy is focused on ensuring our network remains up and running at
all times to increase its availability. This includes the server's connections to the
network, the connections between our switches and our routers, and our connections
to the Internet. To accomplish this, our servers often have two or more network
interface cards, and they can be operated as a pair or in a load balancing
configuration. Now, these can be paired for redundancy, or you can split them and put
them into two groups so you can have additional throughput by operating more than
one at a time, simultaneously. In this example, I might create two groups, one with
four network cards in it and one with a single network card by itself. That gives me
the total of five. Four network cards can operate in a shared load capacity, meaning,
that all four will work together. So, if they were each 100 megabytes per second
each, that gives me a combined 400 megabytes per second, but that fifth one is
sitting there by itself and it has 100 megabytes per second to use. We use that as
our backup redundancy.
Server Redundancy
To create redundancy for our servers, we're going to use a concept known as
clustering. A cluster is when you take two or more servers and have them work
together to perform a particular job function. We can cluster our servers as either
failover clusters or load-balancing clusters.

Redundant Site
What’s a redundant site? Well, let's consider if your office building was flooded.
You're going to need a new place to work. That's a redundant site. Now, if you're
really concerned about downtime, you could have a redundant site up and ready to
go at all times. Redundant sites are classified as one of three categories. They're
either hot sites, warm sites, or cold sites.

Now, a hot site is a near duplicate of your original location. It's set up so that
the organization can move in and be up and running within minutes. That means,
they have servers, phones, desks, lights, power, connectivity, everything. It's just as
if you've picked up and gone to a different building that day.

A warm site, instead, is going to have some of those capabilities, but not all of them.
It's going to have things like the computers and phones and servers there, but they
may not be configured or patched or updated. And so, when people show up, you're
going to have to install their user accounts or set up their configurations and things
like that before the users can start working.

Now, a cold site is going to have things like tables and chairs and bathrooms and
maybe some technical setup like basic phones and data and electric lines. But it
doesn't have computers, it doesn't have servers. And none of it is configured. And
so, if you have a cold site, that might take you a couple of days to get back online.

Data Backups
Data backups can be conducted using full backups, incremental backups, or
differential backups.

1. Now, the first kind we have is known as a full backup. When you do a full
backup, all of the contents of your drive are backed up, that's every single file.
2. Now, when we go to an incremental backup, which is our second type, this is
going to back up only the contents of the drive that have changed since the
last full backup, or since your last incremental backup.

3. Differential backups will only back up the contents of the drive that have
changed since the last full backup.

Now, you can see the tough choice we have between using incrementals and
differentials, because incrementals take a lot less time to backup, but the differentials
make it a lot quicker when we need to restore, and so, this is going to be a choice you
have to make. Do you want quick backups and lengthy restores, or do you want long
backups and quick restores?
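
The restore side of that trade-off, worked out for a week of backups. This is an added example, not part of the original notes; the schedule (full on day 0, one backup per day after it) and the `readable` flag for a damaged tape are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    day: int               # day the backup ran
    kind: str              # "full", "incremental" or "differential"
    readable: bool = True  # False models a damaged or missing backup set


def restore_chain(backups, target_day):
    """Return (chain, recovered_day).

    chain is the list of backup sets to restore, in order. recovered_day is
    the latest day whose state they reproduce, which is earlier than
    target_day when a needed set cannot be read.
    """
    usable = sorted((b for b in backups if b.day <= target_day),
                    key=lambda b: b.day)
    fulls = [b for b in usable if b.kind == "full" and b.readable]
    if not fulls:
        raise ValueError("no readable full backup on or before the target day")
    base = fulls[-1]
    chain = [base]

    # Sets taken after an unreadable full are relative to that full, so the
    # chain cannot continue past it.
    later = []
    for b in usable:
        if b.day <= base.day:
            continue
        if b.kind == "full":
            break
        later.append(b)

    # A differential holds everything changed since the full, so the newest
    # readable one replaces every set taken between the full and itself.
    diffs = [b for b in later if b.kind == "differential" and b.readable]
    if diffs:
        chain.append(diffs[-1])
        later = [b for b in later if b.day > diffs[-1].day]

    # An incremental holds only the changes since the previous full or
    # incremental, so every one is needed, in order, and the chain ends at
    # the first one that cannot be read.
    for b in later:
        if b.kind != "incremental":
            continue
        if not b.readable:
            break
        chain.append(b)
    return chain, chain[-1].day


def schedule(kind, days=5, bad=()):
    """Constructed schedule: full on day 0, then one backup of `kind` per day."""
    return [Backup(0, "full")] + [
        Backup(d, kind, d not in bad) for d in range(1, days + 1)
    ]


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        chain, day = restore_chain(schedule(kind, bad={3}), target_day=5)
        print(kind, [b.day for b in chain], "recovers through day", day)
```

With day 3 unreadable, the incremental schedule recovers only through day 2, while the differential schedule still recovers through day 5 from two sets.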

Tape Rotation
Now, there are three main rotation schemes that we're going to cover in Security+.
We have the 10 tape rotation, the grandfather-father-son, and the towers of Hanoi.

10 tape rotation
Now, the 10 tape rotation is a simple method that provides easy access to the data
that's been backed up. It could be accomplished during a two-week backup period.
Why is it called a 10 tape rotation instead of a 14 tape rotation? Well, because most
companies are open Monday through Friday, so, weekends don't count. If you
wanted to do it seven days a week for two weeks, you could simply call it a 14 tape
rotation instead and use 14 tapes. Either way, the concept is the same. Each tape is
going to be used once per day for two weeks, and then, the entire set is reused
again. This means, after two weeks, you don't have any more backups, though.

Grandfather-father-son
Now, the second method is known as a grandfather-father-son, and it's a backup
rotation system that's very commonly used. It's actually one of my favorites. When
attempting to use this design, there are three sets of backup tapes that have to be
defined. Usually, we call these the daily, the son; the weekly, the father; and the
monthly, the grandfather. These tapes are then rotated on a daily basis, and the last
one of the week will be graduated to father status. Then, these tapes, the weekly
ones, are then rotated on a weekly basis, and after four weeks, they become the
monthly, or the grandfather, and that is how we get our grandfather, fathers, and
sons. Generally, your monthly tapes are kept offsite, and this will allow you to ensure
that they're safe in case of an emergency at your regular facility or site. I mean, it
would be horrible if your site burned down and you couldn't do any backups because
all your tapes were in the server room, right? So, you want to make sure you have
some good offsite backups, as well.

Towers of Hanoi
Now, the third type we have is called the towers of Hanoi, and this is a rotation system
that's based on the puzzle called the towers of Hanoi that you might've played as a
kid. Much like the grandfather, father, and son, this system also uses three sets of
backups, but they're rotated a bit differently. Basically, your first tape is used every
second day, and the second tape is used every fourth day, and the third tape is used
every eighth day, and so, this system helps prevent tapes from being worn out as
quickly as the 10 tape rotation does, and it does allow for three different categories
of backups like the grandfather, father, and son method, but because of this
complexity, it makes it harder to remember what tapes do I use to backup and in
which order, and then, when I go to restore, I have to figure that out, as well.

Snapshots
With a snapshot, all of the applications, the hard drives, and even the operating
system is backed up to create a full backup of the system as a virtual disk image.
This makes it very quick to redeploy that system onto a cloud server or another
offsite location, but it does take up a lot of storage space, so, you need to plan for
those extra storage resources and costs that are involved in using snapshots instead
of regular backups. Snapshots are also commonly used with virtualized systems, so,
if you're running VMware or VirtualBox, you can take a snapshot of your server and
create that full backup of the entire virtual system.

Disaster Recovery Planning


Disaster recovery planning is the development of an organized and in-depth plan for
problems that could affect the access of your data or your organization's building.
So, if you think about the fact that you might have a cyber attack, or a flood, or a fire,
all of these things might be things that are covered by your disaster recovery plan.
Now, planning should also include information regarding redundancy, such as what
sites you have, whether they are warm sites, cold sites, or hot sites, and how your
backups are done and where they're going to be restored from. But it shouldn't include
any information that deals with day-to-day operations of your organization.

Now, a good disaster recovery plan should always be written down, it shouldn't be
here in my head. Everyone in the organization needs to know what those policies
are. We should have clearly outlined disaster recovery policies, procedures, and
information.

Business Impact Analysis


Now, when I talk about a business impact analysis, this is also abbreviated as BIA.
This is a systematic activity that identifies organizational risks and determines their
effect on ongoing mission-critical operations.

Now, when we start talking about these metrics, there are lots of different ones we
have to consider. We have things like our Maximum Tolerable Downtime or MTD, our
Recovery Time Objective or RTO, the Work Recovery Time or WRT, and the Recovery
Point Objective or RPO.

MTD
Now, when we talk about a Maximum Tolerable Downtime or MTD, this is the longest
period of time a business can be inoperable without causing irrevocable business
failure. Essentially, how long can you be down without going out of business? Now,
the MTD is going to be different for each organization and even within each
organization, each of your business processes can have its own MTD. For example,
some may be just a couple of minutes or a couple hours for critical functions. You
may have up to 24 hours for urgent functions and up to seven days or longer for
normal functions.

RTO
Now, the next one we want to talk about is our RTO. This is our recovery time
objective. Now, this is the length of time it takes after an event to resume your
normal business operations and activities. When you start thinking about recovery
time objective, I want you to think about the fact that something went down. We lost
power. How quickly do you need it back? In my case, we have a 60-second time for
power. We want to make sure our power is back up and online within 60 seconds.
Now, is that achievable? Yes. If you have a backup diesel generator, it will turn on in
about 45 seconds and transfer power to the diesel generator. Now, my wife wasn't
happy with 45 seconds or 60 seconds and she wanted a recovery time of zero. Now,
can I achieve that? The answer is yes. And that's one of the reasons why we have
those battery backup systems. Because if power goes away, those batteries come
on instantly. There is zero lag time there. And so, we're able to hit a recovery time
objective for power of zero seconds. Now, the overall power of getting it back to the
grid, we can't control that. That's up to our local power company. But we can make
sure that we can recover our business and make sure we're on battery, on solar, or
on generator within zero seconds.

WRT
Now, the next one we want to talk about is work recovery time or WRT. This is the length
of time in addition to the RTO of individual systems to perform re-integration and
testing of a restored or upgraded system, following an event. So, let me give you an
example. Let's say in my organization, we had a power outage and we didn't have
the batteries yet. We had to rely on those generators. So, we had a 60-second
recovery time. Well, in 45 seconds, power comes back up. But if those systems went
down because of a power surge, and I had to replace one of my servers, well, that's
going to take additional work recovery time. I fixed the main problem, the recovery
time objective of getting the power up, but now, I have to fix the second and third
order effects to get work product going again, which might be rebooting your
computer. It might be rebuilding a computer. It might be replacing a hard drive.
Whatever those things are, I have to perform that re-integration and testing to bring
those systems back online in an upgraded or restored state to be able to get us back
to regular work product.

RPO
And our final one we want to talk about is RPO. This is our recovery point objective.
This is the longest period of time that an organization can tolerate lost data being
unrecoverable. Now, the way I like to think about this one, when I think about RPO is
think about ransomware. If you have ransomware on a system, it's going to encrypt
your files. Now, you've got a couple of choices here. You can pay the ransom, which
we never recommend. You could try to crack the ransomware key, which could take
you days, weeks, or months, or years, depending on how strong it is, or you can
actually wipe that system and recover from a known good backup. Well, that's great.
Let's go ahead and choose that option. Well, if we do that, what is the longest period
of time that we can tolerate data loss? Well, there's going to be time that we're going
to be lagging as we're recovering all that data back. And several hours may have
passed since that data was last backed up. For instance, if you run your backup once a day at
midnight, that's when your data was backed up. And if this ransomware hits you at
six in the morning, you have six hours' worth of lost data because you don't have a
backup of that. This is what we're talking about when we're talking about recovery
point objective. That six hours is going to be a lost period of time. And so, if your RPO
was 12 hours, that's fine. If your RPO was four hours, you've just broken your RPO.
Malware
Virus
A computer virus is simply made up of malicious code that's run on a machine
without the user's knowledge. And this code allows it to infect the computer
whenever it's being run.

Viruses require user action in order to reproduce and spread.

Win10 prog to create virus: JPS Virus maker 3.0

The Security+ exam is going to separate viruses into 10 different types:

1. boot sector
2. macro
3. program
4. multipartite
5. encrypted
6. polymorphic
7. metamorphic
8. stealth
9. armor
10. hoax

Boot Sector
A boot sector virus is one that's stored in the first sector of a hard drive and is loaded
into memory whenever the computer boots up. These are actually very difficult to
detect because they're installed before the operating system boots up.

Macro
Macros are a form of code that allows a virus to be embedded inside another
document. And when that document is opened by the user, that virus then is
executed. The most common examples of macros are ones that are found inside
Word documents or Excel spreadsheets, or PowerPoint presentations. By default,
macros aren't malicious.

Program
Program viruses seek out executables or application files to infect. For example, if
you loaded a virus and it was able to install itself into your Microsoft Word
program, every time you opened up Word you'd be loading that virus again and
again. And that's why a program virus targets programs.

Multipartite
A multipartite virus is a combination of a boot sector type virus and a program virus.
By using this combination, the virus is able to place itself in the boot sector and be
loaded every time the computer boots. And by doing so, it can then install itself in a
program where it can be run each and every time the computer starts up. This allows
it to have a persistence and be able to be there over and over again.

Encrypted
This virus is going to use a cipher to encrypt the contents of itself to avoid detection
by any antivirus software. Because our antivirus providers are getting better and
better all the time at understanding viruses and how they work and how to stop them,
encrypted viruses are making it harder for antivirus makers to find these types of
viruses.

Polymorphic
A polymorphic virus is an advanced version of an encrypted virus. But instead of just
encrypting the contents, it's actually going to change its code each time it's executed
by altering the decryption module in order for it to evade detection. Now, I know this
sounds really complicated, but what it's doing is it's trying to morph the way its code
looks so that a signature-based antivirus can't detect it anymore.

Metamorphic
Metamorphic viruses are able to rewrite themselves entirely before they attempt to
infect a file. And essentially, this is an advanced version of a polymorphic virus. And
so we went from encrypted to polymorphic to now metamorphic.
Stealth
Stealth viruses aren't necessarily a specific type of virus as much as a category of a virus
protecting itself. When we talked about encrypted and polymorphic and metamorphic
viruses, these are all examples of stealth viruses. They're viruses that are using
various different techniques to avoid detection by antivirus software.

Armor
And armored viruses have a layer of protection to confuse a program or a person
who's trying to analyze it. Again, this is another way that the virus is trying to protect
itself and increase its odds of being able to spread to other users without being
detected.

Hoax
Now, a hoax is actually not a virus in the traditional sense. Instead, when we get a
virus hoax, we're trying to trick a user into infecting their own machine. This might
come in the form of a message or a website that pops up. It may be that we call
them on the phone and pretend that we're from Microsoft tech support and tell them
that their machine has been infected.

Worms
Well, a worm is a piece of malicious software, much like a virus. But it has a key
difference. A worm can replicate itself without any user interaction. If you remember
when I talked about viruses, I said that a user has to install a program, or open a file,
for that virus to be able to take its action. But with worms, that's simply not the case.
Worms are able to self-replicate and spread throughout your network, without a
user's consent, or their action.
Trojans
Trojan horses are a piece of malicious software that's disguised as a piece of
harmless or desirable software. Basically, a Trojan says, I'm going to perform this
function for you. And it will perform that desired function, but it will also perform a
malicious one, too.

Remote Access Trojan - RAT
A RAT is a type of Trojan that is in use today, and it's widespread. It provides the
attacker with remote control of a victim machine.

Win10 RAT creator: ProRat V1.9

Ransomware
Ransomware is a type of malware that restricts access to a victim's computer or their
files until a ransom is received. That's right, someone is going to go break into your
computer, encrypt your files or change your password or do something else to hold
your system until you pay up. Ransomware is going through and using some
vulnerability in a piece of software to gain access to your machine and then
encrypting your files and once they do that, you have no way to decrypt them unless
you pay the ransom or you restore from a known good back-up.

Spyware
Well, spyware is a type of malicious software that's installed on your system and
gathers information about you without your consent. Normally, this will be installed
from a website or some third-party software that you've installed on your system.

Adware
Adware is a specific type of spyware where it's going to display advertisements to
you, based on what it saw when it spied on you.
Grayware
Grayware isn't really good and it isn't really bad, it's kind of in the middle. Grayware
is some kind of software that's usually used to make something behave improperly
without any serious consequences. For example, there's one called Crazy Mouse,
that if you start this program on your friend's computer, the mouse will start jumping
over the screen.

Rootkit
A rootkit is a specific type of software that's designed to gain administrative level
control over a given computer system without being detected. Now, this is really
important, because when we talk about root or administrative level permissions, this
is the highest level permissions that someone can have on a given computer system.
If you're using a Windows machine, for example, this is called the Administrator
account.

DLL Injection
With a DLL injection, what ends up happening is malicious code is inserted into a
running process on a Windows machine by taking advantage of the DLLs, or
Dynamic Link Libraries, that are loaded at runtime. This means that the Windows
system doesn't even understand the fact that it has a rootkit installed.

Driver Manipulation
This also can occur by doing driver manipulation. This is an attack that relies on
compromising the kernel-mode device drivers that operate at a privileged or system
level.

Shim
Both DLL injection and driver manipulation occur by the use of a shim. A shim is
simply a piece of software code that is placed between two components, and that
intercepts the calls and redirects them. So, the rootkit will allow an interception to
happen between the Windows operating system and the Dynamic Link Library, and
then redirect that call with the malicious code embedded into it.
Summary
Viruses are code that infect a computer when a file is opened or executed. When
you think about a virus, remember, if it requires user action to be able to be opened,
installed, or spread, it's likely a virus.

Worm.
A worm acts a lot like a virus but instead, it's able to do self-replication. It doesn't
need any user action to be able to spread itself.

A Trojan.
A Trojan is a program that appears to do one desirable function but instead it does
the desired function and malicious functions as well. Remember, the most common
type nowadays is what's known as a RAT, a Remote Access Trojan.

Ransomware.
Ransomware is going to take control of your computer or your data unless you pay
them some money. Again, they're holding it for ransom. They usually do this by
encrypting your files.

Spyware.
Spyware is a software that collects your information without your consent. They're
spying on you and then they're advertising to you or doing other things of that nature.

A rootkit.
A rootkit is going to gain administrative level control over your system by targeting
the boot loader or the kernel of the operating system.

And finally, spam.
Spam is the abuse of electronic messaging systems, whether chat, email, or instant
message. The most common of these though, is definitely email.

Malware Infections

Threat Vector
A threat vector is the method used by an attacker to access a victim's machine.
Attack Vector
An attack vector is the means by which the attacker is going to gain access to that
computer in order to affect you with malware.

Watering Hole

Malware is placed on a website that you know your potential victims will access.

Phishing
Phish Insight - Trend Micro provides phishing testing

Botnet/Zombies
A botnet is simply a collection of compromised computers under the control of a
master node.

That's right, a zombie becomes part of the botnet and a botnet is simply a collection
of compromised computers under the control of a master node.
The most common attack type for botnets and zombies is a DDoS attack.

Active Interception/Privilege Escalation

Active interception occurs when a computer is placed between your sending
computer and your receiving computer.

Now privilege escalation occurs when you're able to exploit a design flaw or a bug in
a system to gain access to resources that a normal user isn't able to access.

To scan a network with a GUI (uses nmap): Zenmap

Backdoor/Login Bombs

A backdoor was originally placed in computer programs to bypass the normal
security and authentication functions.

But, there is something that acts just like a backdoor. What do you think that might
be? Well, it's a remote access trojan.

Logic bombs are a descendant of those earlier Easter Eggs. But logic bombs were
designed with malicious intent in mind. Logic bombs are malicious code that's
inserted into a program, and it will execute only when certain conditions have been
met.

Now, logic bombs and Easter Eggs and backdoors are all things that should not be
found inside our code.
Symptoms of Infection
If your computer is acting funny or strange, you may be infected with malware and so
it's best to boot up into safe mode or boot from an external drive and then scan your
computer with a good antivirus software.

Removing Malware
1. Identify the symptoms of the malware infection
2. Quarantine the infected systems
3. Disable your system restore if you're using a Windows machine
4. Remediate the infected machine
5. Schedule automatic updates and scans
6. Re-enable system restore and create a new restore point
7. Provide end-user security awareness training

Malware Exploitation
Now, a dropper is a specialized type of malware that's designed to install or run
other types of malware embedded in a payload on an infected host. Usually, this will
be a stage one dropper, it's that code you first got. And once you get that code and
run it, it's then going to go out and get some other code, and it uses a downloader to
do that.

Now, a downloader is a piece of code that connects to the Internet to retrieve
additional tools after the initial infection happens by a dropper.

Now, shellcode is any lightweight code that's designed to run an exploit on a target.
This can include any type of code format, it can be scripting languages, all the way
down to a compiled binary.

Shellcode originally referred to malware code that would give the attacker a shell or
a command prompt on the target system.
If you take the PenTest+ exam, that's how they're going to use that term.

For this exam, they want you to use the definition of the more generic shellcode that
I just provided, which is any lightweight code designed to run an exploit on a target.
Code injection is an exploit technique that runs malicious code with the
identification number of a legit process.

Living off the land is an exploit technique that uses standard system tools and
packages to perform intrusions.
Access Control
Access Control Models
1. DAC
2. MAC
3. RBAC
4. ABAC

DAC
This is an access control policy that's determined by the owner. Every file out there
and every folder is considered an object, and then you, the user, or whoever owns
that file or folder, are considered the owner. Now, the owner gets to decide who gets to
read that. So, in this example, for instance, I have a folder, and this folder is
owned by Jason. Jason has decided that I can read and write it because I'm Jason
but my staff members can only read it, and everybody else on the network can only
read it. This is why DAC is commonly used because you have very granular control
to decide who has access to the things you've created. This works great if you want
to be able to tell who can use which files and which folders, as the person who
created it. Now, the problem with this is that you have to have two things being met.
First, every object in a system has to have an owner. Nothing can be out there
without an owner because if it had no owner, nobody would know who had the right
permissions to it because the owner sets the permissions. And second, you need to
make sure that each owner determines the access rights and permissions for each
object. If I'm the owner of a file and I never set permissions on it, nobody is going to
be able to read it.

MAC
MAC is going to be Mandatory Access Control. It's an access control policy where
the computer system gets to decide who gets access to what objects. Now, how
does it do that? Well, with Discretionary Access Control you, the owner, got to
choose who got permissions. But in MAC, the computer's going to do that for you
and it does this through data labels. So, with MAC, data labels create this trust level
for all subjects and all objects. So, every person out there gets a label saying whether
we have high trust, medium trust, or low trust for them, and each data object gets a label, as
well, high trust, medium trust, or low trust. Well, the most common use of Mandatory
Access Control is in military context for high security systems. So, if you've seen a
war movie at any time in your life, you've probably seen the words 'top secret' on
some document. Well, there's really four levels of documentation inside the military
context. They have the unclassified level. They have the confidential level. They
have the secret level. And then, they have the top secret, which is the most secret.
Now, each person gets a clearance level of what they're allowed to see. So, maybe
the private only gets to see confidential information, and maybe the colonel, he gets
to see the top secret information, and the captain only gets to see the secret. And so,
each person gets a label associated with them and their clearance, and then the
documents all get labeled with whatever they are, unclassified, confidential, secret,
or top secret. If you want to access something, you need to not just meet the
minimum level, but you also have to have what's called a need-to-know. So, for
instance, let's say I have an army guy and a navy guy, and they both have a top
secret clearance but it's about a navy operation. Then, maybe that army guy doesn't
need to know about it, and he's not going to get access. Even though he has that
clearance, right? So, these labels are very in-depth and they get very, very
complicated. That's the idea here with MAC. Now, MAC is implemented in one
of two ways. It can be Rule-based or it can be Lattice-based, and these are two
different access control methods that are sub-methods of Mandatory Access Control.
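
The label check described above, written out as an added example (it is not part of the original notes). It models the lattice-based variant: a subject may read an object only if the subject's level is at least the object's level and the subject holds every need-to-know compartment on the object. The compartment names and sample subjects are assumptions built from the army/navy illustration, and `join` goes one step beyond the text to show why this is called a lattice.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """The four military levels named in the text, lowest to highest."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A MAC data label: a trust level plus need-to-know compartments."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # Lattice ordering: the level is high enough AND every compartment
        # on the other label is also held by this one.
        return (self.level >= other.level
                and other.compartments <= self.compartments)

    def join(self, other):
        # Least upper bound: the label a new document must carry when it
        # combines material from both sources.
        return Label(max(self.level, other.level),
                     self.compartments | other.compartments)


def can_read(subject, obj):
    """The system decides, not the owner: read only if the subject dominates."""
    return subject.dominates(obj)


# Constructed subjects and objects; compartment names are assumptions.
SUBJECTS = {
    "private": Label(Level.CONFIDENTIAL),
    "captain": Label(Level.SECRET),
    "colonel": Label(Level.TOP_SECRET),
    "army officer": Label(Level.TOP_SECRET, frozenset({"ARMY"})),
    "navy officer": Label(Level.TOP_SECRET, frozenset({"NAVY"})),
}
OBJECTS = {
    "public notice": Label(Level.UNCLASSIFIED),
    "secret memo": Label(Level.SECRET),
    "navy operation plan": Label(Level.TOP_SECRET, frozenset({"NAVY"})),
}


def access_matrix(subjects, objects):
    """Map every (subject, object) pair to the read decision."""
    return {(s, o): can_read(s_label, o_label)
            for s, s_label in subjects.items()
            for o, o_label in objects.items()}


if __name__ == "__main__":
    for (who, what), allowed in access_matrix(SUBJECTS, OBJECTS).items():
        print(f"{who:13} -> {what:20} {'ALLOW' if allowed else 'DENY'}")
```

Note that the colonel, who holds a top secret clearance but no NAVY compartment, is denied the navy operation plan for the same reason as the army officer.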

RBAC
Role-Based Access Control is an access model that's controlled by the system, like
MAC is, but instead, it focuses on a set of permissions rather than an individual's
permissions. So, we don't have to actually label each individual person on every
single file. Instead, we can use roles for those people. So, the way I like to think
about this is we create roles for each job function, and then we assign roles for each
person's permissions to each object. So, let me give you an example.

ABAC
ABAC stands for Attribute-Based Access Control. This is an access control model
that's dynamic and context-aware, and uses if-then statements to decide on what
permissions to use. So, the idea here is that we have something like, if Jason is in
HR, then we'll give him access to the file server that contains the HR files. Attributes
are going to use these tags and dynamic authentication to combine different
attributes, and they can do this using all sorts of different software automation, and
this is one of the newest forms of access control. It's not heavily used in a lot of
places yet but it is trying to gain a lot of traction. The idea here is that we can look at
Jason and we can start saying, is he part of this, is he part of this, is he part of this?
And if so, we can get a consolidated list of all the things Jason can do and give him
permissions to that. That's the idea with attribute-based. When you think of
attribute-based, I want you to think of dynamic authentication and tags because this
is all about tagging things so you can give them the right permissions.

Best Practices
The first one is known as implicit deny. All access to a resource should be denied
by default and only allowed when it's explicitly stated. So, for instance, when I create
a new folder, by default, I want it to not allow people to have access, and then I
would go ahead and give access to the people that need access to it. This gives you
a higher security environment.
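
The if-then attribute rules from the ABAC section and the implicit-deny default described above, combined in one added example (not part of the original notes). Every rule that matches contributes to a consolidated permission set, and anything no rule grants is denied. The policy, attribute names and values (`department`, `title`, `tags`, `network`) are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[dict, dict, dict], bool]  # the "if"
    grants: frozenset                              # the "then"


def has_tag(resource, tag):
    return tag in resource.get("tags", ())


# Hypothetical policy: attribute names and values are made up for this example.
POLICY = [
    Rule("hr-staff-read-hr-files",
         lambda s, r, c: s.get("department") == "HR" and has_tag(r, "hr"),
         frozenset({"read"})),
    Rule("hr-managers-write-from-corporate-network",
         lambda s, r, c: (s.get("department") == "HR"
                          and s.get("title") == "manager"
                          and has_tag(r, "hr")
                          and c.get("network") == "corporate"),
         frozenset({"write"})),
    Rule("everyone-read-public",
         lambda s, r, c: has_tag(r, "public"),
         frozenset({"read"})),
]


def evaluate(subject, resource, context, policy=POLICY):
    """Return (consolidated permissions, names of the rules that matched)."""
    granted, matched = set(), []
    for rule in policy:
        try:
            applies = bool(rule.condition(subject, resource, context))
        except Exception:
            applies = False  # fail closed: an unevaluable rule grants nothing
        if applies:
            granted |= rule.grants
            matched.append(rule.name)
    return granted, matched


def is_allowed(action, subject, resource, context, policy=POLICY):
    """Implicit deny: the action is allowed only if some rule granted it."""
    granted, _ = evaluate(subject, resource, context, policy)
    return action in granted


if __name__ == "__main__":
    jason = {"name": "Jason", "department": "HR", "title": "manager"}
    hr_share = {"name": "hr-file-server", "tags": {"hr"}}
    for network in ("corporate", "vpn"):
        perms, why = evaluate(jason, hr_share, {"network": network})
        print(network, sorted(perms), why)
```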

The next one we want to think about is least privilege. Users are only given the
lowest level of access they need to perform their job functions. This kind of goes
back to, do I want them to be a user, a power user, or an admin? Well, if they don't
need all the functions of an admin, then don't make them an admin, make them a
power user. If they don't need the power user, then make them a regular user and
take away as many permissions as you can to give people the least they need.

The next best practice is maintaining a separation of duties. This means that you're
going to require more than one person to conduct a sensitive task or operation. So,
I'll give you a great example of this from the corporate world. If you look in the
corporate world, they have lots of money in their checking accounts, right? Well,
who's going to be able to sign the checks for a corporation, and does it only require
one person or two? Let's say that they were going to write a check for $10,000, that
should probably have two signatures so that no one employee can write themselves
a check for $10,000 and steal it.

Now, the last best practice I want to talk about here is called job rotation. This
occurs where users are cycled through various jobs to learn the overall operations
better, it reduces their boredom, it enhances their skill level, and most importantly, it
actually increases our security. Now, how does all this happen? Well, job rotation
helps the employee become more well-rounded and learn new skills.
Users/Groups
Now, permissions in Windows can be set in multiple ways. You can have full
control, you can have modify, you can have read and execute, you can have listing
of the folder contents, reading or writing.

Now, when we look at our permissions, they're usually broken down in Linux into
three categories. Read, write, and execute. They're much simpler than what you saw
there in Windows. Now, when we look at this, though, we actually have these
assigned to our owners, our groups, and all users. And for some reason, owners is
called U, groups is called G, and all users is either symbolised by O or A.

Permissions

Permission inheritance is going to happen by default. Whenever a new folder is
created, it's going to inherit whatever the permissions are of the folder above it,
which is called the parent. Now, the idea with inheritance is that whatever the parent
says, the child is going to follow. And so, if the parent folder has permissions added
or removed from it, guess what's going to happen? The child is going to have those
added or removed from it, as well. This is a default action inside the Windows
operating system. Now, when it moves from the parent to the child this is called
propagation. Propagation occurs when permissions are passed to a subfolder from
the parent through inheritance. There are two key things to remember though, in
case it's been a while for you since you've taken the A+. The first thing is when you
copy files. Let's pretend that I am copying a file or folder and I am copying it from C
drive to a USB thumb drive. What will the permissions look like on that new copy?
Well, when the file goes from the hard drive to the thumb drive, if I copy that folder,
then permissions are going to be inherited from the folder that it gets copied into.
Whatever its new parent is. Basically, it's going to lose its existing permissions. Now,
if instead, I moved it from the C drive working folder to the C drive archive folder,
they are both in the same hard drive and I move it instead of copying it. What do you
think is going to happen this time? Well, if you move a folder, then the permissions
are retained from its original permissions. And so, whatever that original parent was
that it inherited from, it's going to take those permissions with it to the new folder.
This is an important concept because if you forget the fact that when you copy
something, you are getting new permissions, you can actually loosen the
permissions of what it was and people can access documents that they weren't
supposed to.

Policies Demo
Social Engineering
Now, social engineering is any act that manipulates users into revealing confidential
information or performing other actions that are detrimental to that user or the
security of our systems. Now, there's lots of different types of social engineering.
There's things like pretexting, malicious insider threats, diversion theft, phishing,
hoaxes, shoulder surfing, eavesdropping, dumpster diving, baiting, piggybacking,
and watering hole attacks.

Demo: Pretexting
Alright, so that’s the basic idea of a pretexting call. I didn't know anything about the
organization, but giving this receptionist some kind of likely facts, like the fact that
she's running an HP system or a large printer in the copy room, which most
businesses have, then I can trick her into giving me some kind of information. Now, if
you've ever gotten one of those calls that says, "Hey, this is John from Microsoft and
your Windows machine has been reporting that it's been infected with malware. I'm
calling you to help clean it up. I just need you to do steps one, two, and three," this is a
pretexting call. In fact, this is one of the more common pretexts out there. The
reason why I even use this example of a Windows machine calling out with Malware
is because I had the conversation with my mom earlier this week.

And so, we want to make sure we train our employees to not fall for pretext and don't
fill in the gaps for other people when they're calling you or even if they're doing it in
person, because pretexting is a way that we give some amount of information that
seems true so that you'll give us more information to fill in the gaps.

Insider Threat
An insider threat is simply somebody who works for your organization, but they have
ulterior motives and they want to do something negative to your organization.

And so, you have to keep an eye on that and there's lots of ways to do that. One of
the ways we talked about before was DLP, Data Loss Protection, right? You install
Data Loss Protection and it will keep track of all the files that are being copied and
downloaded so you can go back and figure out, was that person really stealing from
you or were they just doing their job?

Phishing

Phishing has become very commonplace. Basically, a victim is contacted by email,
telephone, text message, or some other method posing as a legitimate organization.
Now, when you see the word phishing on the exam, I want you to think of email
because they have a distinct difference for telephone and text messages.
Telephones are called vishing and text messages are called smishing.

Spear Phishing
Well, with spear phishing, I really want to focus on creating a message tailored to a
specific person.

Whaling
Well, whaling is focused on spear phishing, but specifically at a high-level executive.
So, these are your CEOs, your CFOs, your CIOs, your CSOs, or other chief-level
executives.

Smishing
Now, the next thing we want to look at is smishing, or SMS phishing. This is short
message service. It's text messages.

Vishing
Now, vishing, this is voice phishing. Voice phishing is phishing that occurs over a
telephone.
Pharming
With pharming, we're trying to trick somebody into going to a different website
(usually by modifying the hosts file).
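
Because pharming usually works through the hosts file, a defender can audit that file for entries that override normal name resolution. The following is an added example, not part of the original notes: it parses hosts-file text and reports every non-default entry, marking the ones that touch a watch list of domains the organization cares about. The sample file, the `.test` domains and the watch list are constructed.

```python
import ipaddress
from collections import namedtuple

Finding = namedtuple("Finding", "line kind host address watched")

# Names that normally point at the loopback address on a clean system.
LOCAL_NAMES = {"localhost", "localhost.localdomain",
               "ip6-localhost", "ip6-loopback"}


def matches_domain(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_hosts(text, watched_domains):
    """Return a Finding for every hosts entry that overrides normal DNS."""
    watched = {d.lower().rstrip(".") for d in watched_domains}
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            # First field is not an IP address: report the line for review.
            findings.append(
                Finding(line_no, "malformed", " ".join(fields), None, False))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            if host in LOCAL_NAMES and addr.is_loopback:
                continue  # expected default entry
            findings.append(Finding(line_no,
                                    "sinkhole" if sinkhole else "redirect",
                                    host, str(addr),
                                    matches_domain(host, watched)))
    return findings


def high_priority(findings):
    """Entries that affect a watched domain: review these first."""
    return [f for f in findings if f.watched]


# Constructed sample hosts file and watch list (not from a real system).
SAMPLE_HOSTS = """\
# constructed sample, not taken from a real system
127.0.0.1     localhost
::1           localhost ip6-localhost ip6-loopback
203.0.113.10  www.examplebank.test examplebank.test  # appended by an installer
0.0.0.0       ads.tracker.test
not-an-ip     portal.test
192.0.2.5     intranet
"""
WATCHED = {"examplebank.test"}

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, WATCHED):
        flag = "REVIEW FIRST" if f.watched else "review"
        print(f"line {f.line}: {f.kind:9} {f.host} -> {f.address} [{flag}]")
```

Entries that are not on the watch list are still reported, since any hosts entry beyond the defaults should be explainable by an administrator.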

Motivation Factors
1. Now, the first one is authority. People are much more willing to comply and
do what you tell them to if they think it's coming from somebody who's in
authority.

2. Now, the next one that we have is what’s called urgency. And urgency is all
about the fact that people know that we're in a rush a lot of the time, we're
busy these days, right? And people want to help others by nature. It's just in
our human nature.

3. The next one we have is social proof. Let's say that I put up a website out
there that was fake and scammy, right? And I was trying to phish people to
get them to go there. Well, if I can get some social engineering done through
Facebook or Twitter where I get people to like that site or share that site for
me, that starts showing social proof and people are more likely to click on it,
right? People are much more likely to click on things that have a lot of likes, a
lot of shares, and a lot of their friends doing it.

4. The next one we have is scarcity. Now, scarcity is when you use a technique
to get people to act quick, much like urgency, but the difference here is that
usually, you're going to do it through like an email campaign or phishing,
right? You go sign up now, supplies are limited. We only have five spots left,
you've got to sign up right now if you want to get part of this, right? And so,
you'll get this email and you'll be like, wow, this is a really good deal on a new
MacBook computer.

5. The next one we have is likability. People want to be and interact with people
they like. Social engineers are some of the most friendly and likable people
you will ever meet. You don't have these crusty, angry people as good social
engineers. It just doesn't happen. You have friendly people, you have pretty
people. One of the things that a lot of my pentesting teams like to do is they
will take a very pretty woman and put her on the team because a lot of the
people who work in IT are men.

6. Now, the last one we have here is fear, and fear is a great motivator if used
properly. In fact, ransomware and any virus scans, they live off fear, right? It's
if you don't do this, then this other bad thing is going to happen. It's a threat or
a demand.

More Threats

Diversion Theft
Diversion theft occurs when a thief tries to divert a shipment and take responsibility
for it, and send it to a different location. So, for example, maybe I call up FedEx
because I know you have a new laptop being shipped to your office today, and I
pretend that I'm you and say, "Oh, I'm not at my office, I'm actually at my house. It's
at 123 Main Street." And now, FedEx brings that over to me, that was a diversion
theft.

HOAX
Now, a hoax is an attempt at deceiving people into believing something is false even
if it's true, or making them believe something is true, even if it's false. Basically,
there's an idea of like a virus hoax. I might send an email out to all of my friends and
say, "Hey everybody, there's a virus going around. To protect yourself from it, go to
your C drive and delete your [Link] file." Now, there really was no virus, but if they
delete that [Link] file, they can mess up their systems and prevent it from booting,
causing them a problem, right? The hoax was I made them believe there was
something there and made them take action into it.

Shoulder Surfing
That’s when you’re sitting at the office working, and somebody comes up behind you
and uses direct observation to obtain authentication information. So, for example, as
you're sitting there logging into your computer, if I look over your shoulder and watch
your fingers, and see you type in "P-A-S-S-W-O-R-D," "password," I now know your
password, right? That's the idea here with shoulder surfing.
Eavesdropping
The next one we have is eavesdropping. Maybe I'm going to stand around while
you're talking with your boss, and overhear you telling him some information that I
want to get. By listening in and doing that direct observation through my ears, I'm
able to listen in to that conversation and get the information I want.

Dumpster Diving
This is when a person actually scavenges for personal or confidential information in
garbage or recycling containers. Yes, I know it sounds dirty, but guess what?
Hackers are willing to do it.

Baiting
The next one we have is baiting. Baiting is when a malicious individual leaves behind
a malware-infected thumb drive or USB drive or a CD someplace around that
somebody might have curiosity to pick up and insert into their computer. One of the
ways that you do baiting if you're not inside the organization is you can walk through
their parking lot and drop a nice 64-gigabyte thumb drive in there.

Piggybacking
The next one we have is piggybacking, and we talked about this back in physical
security. This is going to occur when an unauthorized person tags along with an
authorized person to gain access into a restricted area. For example, let's say I have
a server room door that's protected by a combination lock or a cipher lock. I'm
authorized because I'm assistant administrator. If I go in there and I PIN in and open
the door, and somebody walks in behind me, that's called piggybacking.

Watering Hole Attack

Finally, we have a watering hole attack. Now, watering hole attack we've mentioned
before, as well. This is when an attacker figures out where your users like to go, like
a common website, they attack that website, embed their own malware, so, next time
when you go to that website, you download the malware and again, get access.
Because you're trying to trick a user here into doing something you want, it also falls
into this larger area of social engineering.
Fraud & Scams

Fraud
Well, when you’re dealing with a fraud, you're dealing with the wrongful or criminal
deception intended to result in financial or personal gain. So, if I'm trying to commit
fraud against you, I'm trying to essentially steal from you in some way. But I'm not
really stealing like picking your pocket, you're actually giving it to me because I'm
going to trick you into doing it. And that's why this is part of social engineering. Now,
one of the most common frauds that we deal with inside of cybersecurity is identity
fraud. Identity fraud is the use by one person of another person's personal
information without their authorization to commit a crime or to deceive or defraud that
other person or some other third party. Really, what this sounds like is identity theft,
right? We hear that term a lot these days. When we talk about somebody who stole
your social security number, or your date of birth, or your personal information, or
where you were born, all of that information can be used to steal your identity. Now,
when somebody commits identity theft, they're actually stealing another person's
identity and using it as their own. So, they're going to actually become you. They
want to take your social security number, and they're going to apply for new credit as
if they're you. They're taking over your identity. That's the idea with identity theft.
Now, often, we hear identity fraud and identity theft being used interchangeably.
Now, there's really a misconception here because there is a difference between
identity fraud and identity theft. With identity fraud, I might just take your credit card
number and then go make charges as if I'm you. That's not technically identity theft,
that's just identity fraud. But these days, most people will use both terms
interchangeably and more commonly, you'll hear identity theft as the term.

Scam
Well, a scam is a fraudulent or deceptive act or operation. That's it. It's really simple.
Essentially, it's somebody trying to deceive you into doing something. Now, I can do
that in a lot of different ways, but the one that we are most worried about as
cybersecurity professionals is what's known as an invoice scam. This is because it is
commonly used against small businesses, medium-sized businesses, and large
businesses. When we talk about an invoice scam, this is a scam in which a person is
tricked into paying for a fake invoice for a product or service that they did not actually
order.
Prepending

Influence Campaigns
Now, when I talk about influence operation, this is a collection of tactical information
about an adversary, as well as the dissemination of propaganda in pursuit of a
competitive advantage over an opponent. Now, that's a really nice fluffy way of
saying you want to take information and use it against someone. That's what
influence operations is all about. Now, influence operations is really the military term,
but in the CompTIA objectives, they use the term influence campaign instead. An
influence campaign is one small part of a larger influence operation, but we're going
to use these terms interchangeably throughout this lesson.

Hybrid Warfare
Now, as I said, influence operations are something that's often done by militaries.
And it's a form of hybrid warfare. When we talk about hybrid warfare, this is a military
strategy that employs the full spectrum of warfare. It's going to use political warfare
and blend in conventional warfare like dropping bombs and shooting guns. It's going
to use irregular warfare like special operation teams and even cyber warfare. And
when you're doing cyber warfare, you can use influencing methods, things like
putting out fake news, things like using diplomacy or foreign electoral intervention.
There's lots of things you can do as part of this hybrid warfare, and under hybrid
warfare, influence operations is part of the grander military strategy.
Now, you may be wondering, why are we talking military strategy in a class on
cybersecurity? Well, it's because it's being used in the cyber realm and it's being
used inside our corporate networks. For instance, some of our large companies out
there like Facebook and Twitter have been used to do these influence campaigns. If
you look back to our 2016 election in the United States, there has been proof that the
Russians were running an influence campaign. According to the New York Times,
the Russian influence campaign on social media in the 2016 election made an
extraordinary effort to target African-Americans and used an array of tactics to try to
suppress voter turnout among those democratic voters and unleashed a blizzard of
activity on Instagram that was actually higher or exceeded the amount of posts on
Facebook.

User Education
The problem is, users are our number one vulnerability in the network. As a security
professional, I can install all the technology I want, but if I don't fix the user, it's all
going to be for nothing. I can put in firewalls, intrusion prevention systems,
host-based security systems, and all sorts of other stuff to protect my network, but if
the user clicks okay or accept and lets the bad guy in, it's just going to go right
through all of it, right?

● Never share auth info
● Clean desk policy
● Log events
● Encrypt emails and VoIP
● Never use unknown USB/media
● Shred unused physical paper
● Follow data policies
● Track shipments
● Teach good web security
● Whitelist over blacklist

Vulnerability Management
A vulnerability assessment seeks to identify issues in a network, application,
database, or other IT system before they can be inadvertently or purposely used to
compromise that system. Vulnerability assessments are a formalized process that
defines, identifies, and classifies the security holes in an enterprise network architecture.

Now, once these countermeasures are put in place, a follow-up vulnerability
assessment can help you to determine how effective your countermeasures truly are
in protecting that network from attack. The management and oversight of this
process is known as vulnerability management. Vulnerability management is the
practice of finding and mitigating the vulnerabilities in your computers and your
networks. This is a very cyclical process. Sometimes, you'll hear this referred to as
scan, patch, scan because you need to scan the network for vulnerabilities to identify
them, then you're going to prioritize all these vulnerabilities, you're going to fix them
and patch them, and then you're going to scan again, and you're going to keep doing
this until hopefully one day, you have no vulnerabilities left.

Penetration Testing
A penetration test is conducted by a team of professionals to simulate an attack on
your network, its system, or its applications. Often, this is called a pentest. And the
idea here is for the team to break into your network, just like a real hacker would.

Pentest vs Vuln Assessment


But, how does a penetration test differ from a vulnerability assessment? Well,
vulnerability assessments are conducted often as a credentialed scan, where the
tool can be provided with a username and password for the systems. This is going to
provide you with an inside out look of your networks, just like a system administrator
would see. Now, instead, a pentest is seeking to look at your networks as an attacker
would, from the outside in. Often, your penetration tests are going to be conducted in
the form of a black-box test, where the pentesters have to hunt for any information
that they need in order to be able to penetrate the network's defenses. But some
organizations are going to hire a pentester to perform the assessment as a white-box
test, instead. This means they'll give them some kind of information about the
network, usually IP addresses, the types of servers being run, maybe the software,
and sometimes, even a basic standard user account.

Penetration tests follow five basic steps:

1. First, you get permission and you document information about the target
network.
2. Second, you gather information about the target through reconnaissance.
3. Third, you're going to enumerate the target to identify known vulnerabilities.
4. Fourth, you're going to exploit the network to gain user or privileged access.
5. And fifth, you're going to document all of your results of the pentest and give
that report to the organization.

Training & Exercises

Tabletop Exercises - TTX


Now, when we talk about tabletop exercises, we mentioned before that these are
exercises that use an incident scenario against a framework of controls or a red
team. So, what we're going to do here is carry out a discussion of
simulated emergency situations and security events. These are great because
they're really simple to set up, but they tend to be more theoretical in nature and they
don't provide practical evidence of what could go wrong during a real event. For
example, how long will a particular task take to complete? You really can't gather that
from a tabletop, but if you actually go through the actions and motions in something
like a penetration test, you'll be able to see that instead.

Pentest
Now, when you’re dealing with a penetration test, this is a test that uses active tools
and security utilities to evaluate security by simulating an attack on a system. To verify
that a threat really does exist, the testers actively test the threatened vulnerability,
bypass security controls, and then, finally, exploit those vulnerabilities on a given
system.

Red Team
When we talk about red teams, these are the hostile or attacking teams in a
penetration test or an incident response exercise. If you hire that third-party team,
that is a red team. They're trying to attack your systems.

Blue Team
When we’re talking about blue teams, this is our defensive teams in a penetration
test or an incident response exercise. This is our system administrators. This is our
network defenders. This is our cybersecurity analysts, like you. You're going to be
part of the blue team.

White Team
And then we have the white team. This is the staff who administer, evaluate, and
supervise a penetration test or incident response exercise. They're also going to be
responsible for building the network if you're going to be using a third-party network
as part of your test. Sometimes, organizations don't want to do active testing on their
real live networks, so, they'll build a training ground and they'll put their red teams
and their blue teams, if they have internal red teams and internal blue teams, against
each other in this simulated environment. Well, somebody has to build and support
this entire ecosystem, and that's what the white team will do. I like to think about the
white team as the referees. They're also going to be the ones who are going to
report after the event and say, this is what the red team did well, this is what the blue
team did well, and here's what they both did not so well.

OVAL
The Open Vulnerability and Assessment Language, or OVAL as it's known, is a
standard that was designed to regulate the transfer of secure public information
across networks and the Internet to utilize any security tools and services available
at the time. Now, what does this really mean in layman's terms? Well, OVAL is an
attempt to create a standard way for vulnerability management software, scanners,
and other tools to share their data with each other and with other programs. Now,
OVAL is comprised of two different parts. There's a language component to it, and
an interpreter. The OVAL Language is written as an XML schema that's used to
define and describe the information that's being created by the OVAL Language, and
it's allowing it to be shared among various programs and tools. Now, the OVAL
Interpreter, on the other hand, is a reference model that was developed to make sure
that the information being passed around by all of these programs actually
complies with the OVAL schemas and definitions that the language created.
Because OVAL can be used by lots of different tools, it has become a large part of
vulnerability assessments, patch management, auditing, the sharing of threat
indicators, and multiple other uses. Now, for the Security+ exam, you just have to
remember that OVAL stands for the Open Vulnerability and Assessment Language,
and that it's used to share data between lots of different tools that are focused on
vulnerability assessments and management. And if you do that, you're going to do
just fine.

Tools for Vuln Assessments

Network Mapping
Network mapping tools are used for discovery and documentation of your physical
and logical connectivity that exists within your network. By using these tools, you can
determine how the network is set up, how the data is going to flow over that network,
and all sorts of other things like that. This is usually one of the first tools that's used
when you conduct a vulnerability assessment, because you have to understand how
all these different network connections fit together, so you can understand the vulnerabilities
that are going to lie within the network. For example, SolarWinds is a very popular
commercially available network mapping tool. As you can see here on the screen, it's
going to search your network and create a graphical representation of it for you. A
good open source and free option you can use is known as Zenmap. Zenmap is
going to allow you to create a graphical topology of your network, as you can see
here.

Vulnerability Scanning
A vulnerability scan is a technique that’s going to be used to identify threats that exist
on the network, but it doesn't exploit those threats. Now, vulnerability scanners can
vary greatly in their complexity and their level of detail. Some are very basic and only
do a scan for open ports. Others can probe those open ports and determine the
exact service and software that's being run by the server. Now, for example, Nmap is
a port scanner that can perform a basic port scan or a more in-depth vulnerability
scan of those ports once it finds one that's open. I'm going to show you that in a
demonstration later on. There are very complex vulnerability scanning suites out there,
things like Nessus and QualysGuard, and these can scan for open ports, enumerate
the services on those ports, and then determine if a vulnerability exists on those
services by checking if they've been patched for known exploits.

Network Sniffing
Network sniffing is the process of finding and investigating other computers on the
network by analyzing the active network traffic, or capturing the packets as they're
going across the network for later analysis. Network sniffing tools are also called
packet sniffers, or protocol analyzers, because all three of these can capture
packets on the network, but a protocol analyzer has the ability to
give you much more information than just a network sniffer or a packet sniffer does.
With a protocol analyzer, you can actually capture, reassemble, and analyze those
packets that have gone across the network, and look at them as packets, frames, or even
at the bit level. The most commonly used protocol analyzer is the open source
program known as Wireshark. Wireshark is free, available on just about every
operating system out there, and it is really, really powerful.

Password Analysis
A password analysis tool is used to test the strength of your passwords to ensure that your
password policies are being followed properly. Another name for these is a password
cracker. Now, a password cracker uses comparative analysis to break passwords
and systematically guess them until the password is finally determined. There's a
bunch of different password crackers out there, but by far, the two most well-known
are Cain and Abel and John the Ripper. These tools use four methods: password guessing,
a dictionary attack, a brute-force attack, and a cryptanalysis attack.

Password Guessing
Password guessing occurs when a weak password is simply figured out by
a person.

Brute Force Attack


A brute-force attack is where the computer program attempts to try every single
combination of a password until it can find the right one. Now, this can take a lot of
computing processing power, as well as a lot of time, depending on how long and
strong your password is. But eventually, it will always find it.

Dictionary Attack
The next method is called a dictionary attack. In this type of attack, the password
cracking program is going to attempt to use a dictionary to automatically guess the
password by trying each and every word in that dictionary file. Now, a dictionary
attack doesn't just use common dictionary words, though, because hackers have
created their own dictionaries that consist of other variations, like commonly-used
passwords, variations on real dictionary words using numbers, letters, and special
characters, and other such variations.

Cryptanalysis Attack
Now, the final method covered by Security+ is called the cryptanalysis attack. This
attack relies on comparing a precomputed, encrypted password to a value found in a
lookup table. But if I have a database of all of those values already, I can just
compare the encrypted password to the values found in the table, and if I find it, I
can then look in the column next to it for its unencrypted value.
These tables of precomputed values are known as rainbow tables, and these files
can be massively large. One of my favorite rainbow tables is actually found online at
[Link]. Their table contains 15 billion entries and is 190 gigabytes in size.
That is a really, really big text file.

Network Attacks
Ports/Protocols
There are 65,536 ports available for your computer and your network to use.

FTP
It's used to transfer files from host to host and operates over port 21 using TCP.

FTPS
This is used to transfer files from host to host over an encrypted connection. By
default, FTP doesn't provide any encryption and it sends everything in the clear. But
with FTPS going over ports 989 and 990, this is going to give us a TCP connection
that is secured with an encryption tunnel and this is going to make it much more
secure for us to send our files.

SSH
It's used to remotely administer network devices and systems over port 22 using
either TCP or UDP.
Also over port 22, we have secure copy called SCP and it's used to securely copy
files over a network.
Also on port 22, we have SFTP or secure FTP.

Telnet
Telnet is used to remotely administer network devices, but it doesn't provide
any security. In fact, Telnet will send everything over the network in an unencrypted,
clear text format, making it very dangerous for you to use.
For this reason, you should disable Telnet in your network. For the exam, remember
that Telnet is operated over port 23 and uses both TCP and UDP.

SMTP
It's used to send email over the Internet. It operates over port 25 using a TCP
connection.

SMTP Secure
Simple Mail Transfer Protocol over SSL or TLS. This is going to be used to send
email over the Internet inside of an encrypted tunnel to make sure you maintain
confidentiality. This is going to use one of two ports, either 465 or 587 and it's going
to use it over a TCP connection. Just like we had HTTP and HTTPS, this is the same
thing with SMTP and SMTP Secure.

DNS
It's used to resolve host names to IPs and IPs to host names. When you look at
something like [Link] and convert it to [Link], this is DNS
operating at work. DNS is going to operate over port 53 and uses both TCP and
UDP connections.

TFTP
It's used as a simplified version of FTP to put a file on a remote host or get a file from
a remote host. It operates over port 69 using a UDP connection. It isn't one of the
most secure types of file transfer but it is lightweight, so often it's used to boot a
network operating system off of a server and onto a thin client.

HTTP
It's used to transmit webpage data for a client over an unencrypted connection
whenever you're browsing the Internet. HTTP uses port 80 and transmits using TCP.

HTTPS
Hyper Text Transfer Protocol Secure is what you're using to watch this course
right now. It's used to transmit web pages to a client over an SSL or TLS encrypted
connection. Essentially, this is the same thing as HTTP over port 80, except it's going
to use an encrypted tunnel to secure that information and make sure nobody can see
it. This is going to ensure confidentiality for us. HTTPS uses port 443 and a TCP
connection.

Kerberos
Our next one is Kerberos. Kerberos is used for network authentication using a
system of tickets within a Windows domain. It operates using both TCP and UDP
and operates on port 88.

POP3
It's used to receive mail from a mail server. It operates over TCP port 110. This port
is for the unencrypted POP3 services. We'll talk about the encrypted version later on.

POP3 Secure
POP3 Secure is used to receive email from a mail server using an SSL or TLS-encrypted
connection. This is going to provide us better confidentiality by ensuring everything is
encrypted. It's going to operate over port 995 over TCP.

NNTP
NNTP is the Network News Transfer Protocol. It's used to transport Usenet articles
to a client. It operates using TCP over port 119.

RPC
RPC is the Remote Procedure Call, and it's used to locate DCOM ports to request a service
from a program on another computer over the network. This is commonly used in
Windows-based networks and operates using both TCP and UDP over port 135.

NetBIOS
It's used to conduct name querying, sending of data and other functions over a
NetBIOS connection. This operates over three ports, 137, 138, and 139 using both
TCP and UDP.

IMAP
IMAP, or the Internet Message Access Protocol, is used to receive email from a mail server
with more features than your POP3 servers do. It's going to operate over port 143
using TCP when unencrypted.

IMAP Secure
IMAP is the Internet Message Access Protocol and it's used to receive email from a
mail server. But this time, we're going to do it over an SSL or TLS-encrypted
connection. When we do that, we're going to use port 993 using TCP.

SNMP
SNMP is the Simple Network Management Protocol. It's used to remotely monitor network
devices using a UDP connection over port 161. Now, when we go to 162, this is the port
reserved for SNMPTRAP. This is used to send Trap and InformRequests to the
SNMP Manager on a network using both TCP and UDP connections.

LDAP
Lightweight Directory Access Protocol. It's used to maintain directories of users and
other objects. If you're using Active Directory inside a Windows environment, this
relies on LDAP to function. LDAP will use port 389 over both TCP and UDP
connections.

LDAP Secure
LDAP over SSL or TLS operates over port 636 using either TCP or UDP.

SMB
It's used to provide shared access to files and other resources over a network. It's
going to operate on port 445 using a TCP connection.

Syslog
Syslog is going to be used to conduct computer message logging, especially for
routers and firewall logs. It operates over port 514 using UDP.

Syslog Secure
Syslog Secure is going to be used to conduct computer message logging, especially for routers and
firewalls over a TLS-encrypted connection. Syslog over TLS operates on port 6514
using TCP.

iSCSI
iSCSI is used for linking data storage facilities over IP. This is commonly used in
storage area networks. iSCSI is going to operate on port 860 and it's using TCP.

iSCSI Target is a listening port for iSCSI-targeted devices when they're linking data
storage facilities over IP. It's going to operate on port 3260 over TCP.

MS SQL Server
Port 1433 is used by the Microsoft SQL Server to receive SQL database
queries from its clients. This is going to use a TCP connection.

RADIUS
RADIUS is the Remote Authentication Dial-In User Service, and it's used for
authentication and authorization over port 1645 and accounting over port 1646. Now,
these two ports are an alternative to its standard ports of 1812 and 1813. RADIUS
operates using UDP.

L2TP
L2TP is our first VPN-related protocol. L2TP operates over port 1701 using UDP. L2TP
stands for the Layer 2 Tunneling Protocol and is used as an underlying VPN protocol
but has no inherent security. Because of this, if you use L2TP, you need to make
sure that you're pairing it with IPsec to ensure you have good security.

PPTP
Point-to-Point Tunneling Protocol. It's another underlying VPN protocol but this one,
unlike L2TP, has built-in security. PPTP operates over port 1723 using both TCP and
UDP connections.

FCIP
FCIP or the Fibre Channel IP is used to encapsulate Fibre Channel frames within
TCP/IP packets. This is usually used for storage area networks, as well. Now, FCIP
operates over port 3225 over both TCP and UDP.

RDP
RDP is the Remote Desktop Protocol, which is used to remotely view and control other
Windows systems via a graphical user interface. It does this over port 3389 using
both TCP and UDP. Now, be careful with this one because it's 3389 for RDP but 389
for LDAP and a lot of times, students will get those two confused.

Diameter
Diameter is a more advanced AAA protocol than RADIUS and it serves as a replacement for
RADIUS. It also operates over port 3868 and it uses TCP as its connection
mechanism.

Unnecessary ports
Well, an unnecessary port is simply one that's associated with a service or a function
that you don't need or is considered non-essential. For example, if you have a server
whose entire function is to act as a mail relay server, all it's designed to do is send
mail out, then the only thing it needs is a couple of ports open. It needs port 25 for
SMTP and port 465 or 587 for SMTP over SSL and TLS. Now, every other port on
that server can be shut or disabled or closed and you wouldn't care, because only
those three ports are the ones you need. Remember, every open port represents an
unnecessary vulnerability being left exposed if you didn't need to have that port
open.
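
The mail relay example above can be turned into a listener audit. This is an added example, not part of the original course notes: the `ss -tuln` output is a constructed sample, the function names are hypothetical, and the service labels come from the port list on this page.

```python
# Audit listening sockets against the allowlist from the mail relay example.

# Ports the page says a mail relay needs: SMTP and SMTP over SSL/TLS.
MAIL_RELAY_ALLOWLIST = {("tcp", 25), ("tcp", 465), ("tcp", 587)}

# A few entries from the port list on this page, used only to label findings.
KNOWN_SERVICES = {
    21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS", 69: "TFTP",
    80: "HTTP", 110: "POP3", 443: "HTTPS", 445: "SMB", 3389: "RDP",
}

# Constructed sample of `ss -tuln` output (not taken from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:69         0.0.0.0:*
tcp   LISTEN 0      100          0.0.0.0:25         0.0.0.0:*
tcp   LISTEN 0      100          0.0.0.0:465        0.0.0.0:*
tcp   LISTEN 0      100          0.0.0.0:587        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      128             [::]:3389          [::]:*
"""


def parse_listeners(ss_output):
    """Return (proto, address, port) for each listening socket in `ss -tuln` text."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header row and anything that is not a tcp/udp socket line.
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        # rpartition keeps IPv6 addresses such as [::] intact.
        address, _, port = fields[4].rpartition(":")
        if port.isdigit():
            listeners.append((fields[0], address, int(port)))
    return listeners


def is_loopback(address):
    """True when the socket is bound to the local host only."""
    return address.startswith("127.") or address in ("[::1]", "::1")


def audit(listeners, allowlist):
    """List every listener that the allowlist does not cover."""
    findings = []
    for proto, address, port in listeners:
        if (proto, port) in allowlist:
            continue
        findings.append({
            "proto": proto,
            "port": port,
            "service": KNOWN_SERVICES.get(port, "unknown"),
            "exposure": "loopback only" if is_loopback(address) else "network",
        })
    # Network-reachable listeners first, then by port number.
    return sorted(findings, key=lambda f: (f["exposure"] != "network", f["port"]))


if __name__ == "__main__":
    for f in audit(parse_listeners(SAMPLE_SS_OUTPUT), MAIL_RELAY_ALLOWLIST):
        print(f"{f['proto']}/{f['port']:<5} {f['service']:<8} {f['exposure']}")
```

On a real host, feed the function the live output of `ss -tuln` instead of the constructed sample.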

DoS Attack
There are five subcategories of Denial of Service attacks:

1. Flooding Attacks
2. The Ping of Death
3. The Teardrop
4. The Permanent Denial of Service attack
5. The Fork Bomb

Flood Attack
This is a specialized type of Denial of Service which attempts to send more packets
to a single server or host than it can handle. So, in this example, we see an attacker
sending 12 requests at a time to a server. Now, normally, a server wouldn't be
overloaded with just 12 requests, but if I could send 1,200 or 12,000, that might
allow me to flood that server and take it down.
Now, under a Flood Attack we have a few different specialized varieties that you're
going to come across on the exam.
The first is called a Ping Flood. This attack is going to happen when somebody
attempts to flood your server by sending too many pings. Now, a ping is technically
an ICMP echo request packet, but they like to call it a ping on the exam.

Next, we have a Smurf Attack. This is like a Ping Flood, but instead of trying to flood
a server by sending out pings directly to it, the attacker instead tries to amplify this
attack by sending a ping to a subnet broadcast address instead, using the spoofed
IP of the target server. This causes all of the devices on that subnet to reply back to
the victimized server with those ICMP echo replies, and it's going to eat up a lot of
bandwidth and processing power.

The next kind of Flood Attack is what we call Fraggle. Fraggle is a throwback
reference to the kids show Fraggle Rock from the 1980s which aired around the
same time as the Smurf TV show. So, you can guess that Fraggle and Smurf are
kind of related. Well, with Fraggle, instead of using an ICMP echo reply, Fraggle uses
a UDP echo instead. This traffic is directed to the UDP port of seven, which is the
echo port for UDP, and the UDP port of 19, which is the character generation port.
This is an older attack, and most networks don't have this vulnerability anymore, and
both of these ports are usually closed, 'cause again, they're unnecessary. Notice that
I didn't have them in your port memorization chart, either. Now, because of this,
Fraggle attacks are considered very uncommon today. That said, a UDP Flood
Attack, which is a variant of Fraggle, is still heavily used these days. It works
basically the same way as a Fraggle attack, but it uses different UDP ports.

The next Flood Attack we're going to cover is a SYN Flood. Now, this attack is a
variant on a Denial of Service attack, where the attacker is going to initiate multiple
TCP sessions but never complete the 3-way handshake. You could see here, how
the attacker is sending four SYN packets to the server, but they're using made up IP
addresses. The server then replies to those IP addresses in an attempt to establish
that 3-way handshake, but of course, the other people weren't expecting that call,
and so, no one responds. This causes a server to set aside resources for these
supposed clients while it waits for their response and acknowledgement, but the
acknowledgement never comes. If the attacker creates enough requests, the server
will simply run out of resources, and be unable to establish any real connections with
those who really want to do business with the server, and this creates the Denial of
Service condition.

Now, the final type of Flood Attack is known as a Christmas Attack. This is a type of
attack that's conducted by setting the FIN, the PSH, and the URG flags inside a TCP
packet to on. It'll cause a device to crash or reboot anytime that
packet's received because it's a nonstandard format. Now, this attack got its name
from the way it looks when you look at these packets inside a protocol analyzer like
Wireshark, because all of those flags are turned on, and it looks like a Christmas
tree. Most devices today will simply block this type of attack and discard the packet
because they don't understand how to handle it.
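
The SYN Flood and Christmas Attack descriptions above both come down to reading the TCP flag bits, so one detector can cover both. This is an added example, not part of the original course notes: the packets are constructed sample data, and the function names and the half-open threshold of 20 are assumptions.

```python
# Detect half-open connection build-up (SYN flood) and FIN+PSH+URG packets
# (Christmas Attack) from raw TCP headers received by a server.
import struct
from collections import Counter

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG
TCP_HEADER = struct.Struct("!HHIIBBHHH")  # fixed 20-byte TCP header


def build_header(sport, dport, flags, seq=0, ack=0):
    """Construct a minimal TCP header (sample data only, checksum left at 0)."""
    return TCP_HEADER.pack(sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def parse_flags(header):
    """Return (source port, destination port, flag byte) from a raw header."""
    if len(header) < TCP_HEADER.size:
        raise ValueError("truncated TCP header")
    fields = TCP_HEADER.unpack(header[:TCP_HEADER.size])
    return fields[0], fields[1], fields[5]


def analyse(packets, half_open_limit=20):
    """packets: iterable of (source_ip, raw_tcp_header) seen inbound at the server."""
    half_open = set()  # (src_ip, sport, dport) still waiting for the final ACK
    xmas = []
    for src, raw in packets:
        sport, dport, flags = parse_flags(raw)
        key = (src, sport, dport)
        if (flags & XMAS) == XMAS:
            xmas.append(key)            # nonstandard flag combination
        elif (flags & SYN) and not (flags & ACK):
            half_open.add(key)          # first step of the 3-way handshake
        elif (flags & (ACK | RST)) and key in half_open:
            half_open.discard(key)      # handshake completed or aborted
    per_port = Counter(dport for (_src, _sport, dport) in half_open)
    flooded = sorted(port for port, n in per_port.items() if n > half_open_limit)
    return {"xmas": xmas, "half_open": dict(per_port), "syn_flood_ports": flooded}


def constructed_trace():
    """Constructed inbound traffic; addresses are from documentation ranges."""
    trace = [
        ("192.0.2.10", build_header(40000, 443, SYN)),   # real client: SYN ...
        ("192.0.2.10", build_header(40000, 443, ACK)),   # ... then final ACK
    ]
    # Fifty made-up sources that send a SYN and never answer the SYN-ACK.
    for i in range(50):
        trace.append((f"198.51.100.{i + 1}", build_header(1024 + i, 443, SYN)))
    trace.append(("203.0.113.7", build_header(5555, 80, XMAS)))
    return trace


if __name__ == "__main__":
    print(analyse(constructed_trace()))
```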

Ping of Death
This attack sends an oversized and malformed ping packet to another computer or
server. When it’s received, these systems don’t know what to do with it, and they
would crash. This, again, is an older attack, and one that modern operating systems
aren’t vulnerable to anymore. Now, essentially, the standard for a packet size is
supposed to not exceed 65,535 bytes or 64k, but some smart attackers built ways to
force larger packets to be sent. When they were received, this could overwrite areas
of system memory, much like a buffer overflow, or it would simply crash the machine.
Why do we still cover the Ping of Death in Security+ when no one’s vulnerable to it
anymore? Well, I think CompTIA likes to still cover it because of the history. The Ping
of Death was one of the first types of Denial of Service attack that was really
effective in the field.

Teardrop Attack
A Teardrop Attack breaks apart packets into IP fragments, modifies them with
overlapping and oversized payloads, and sends them back to a victim machine. This
gets its name because if you have enough teardrops, you could form a large puddle
and, essentially, this attack attempts to create numerous smaller packets that can't
be reformed into this larger puddle, and when they're trying to put those back
together, the system simply crashes or reboots itself because it doesn't understand
how to handle it. This will create the desired Denial of Service condition that the
attacker was trying to create.
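
Both the Ping of Death and the Teardrop Attack show up as fragment sets that cannot be reassembled into a legal packet, which a receiver can check before reassembly. This is an added example, not part of the original course notes: the fragments are constructed sample data, the function names are hypothetical, and a 20-byte IPv4 header without options is assumed.

```python
# Validate IPv4 fragments before reassembly: flag overlapping fragments
# (Teardrop) and sets that would exceed 65,535 bytes (Ping of Death).
import struct
from collections import defaultdict

IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")  # 20-byte header, no options
MAX_DATAGRAM = 65535                           # size limit stated above
MORE_FRAGMENTS = 0x2000


def build_fragment(ident, offset_bytes, payload_len, more):
    """Constructed IPv4 header for one ICMP fragment (sample data, checksum 0)."""
    if offset_bytes % 8:
        raise ValueError("fragment offsets are multiples of 8 bytes")
    flags_frag = (MORE_FRAGMENTS if more else 0) | (offset_bytes // 8)
    return IPV4_HEADER.pack(0x45, 0, 20 + payload_len, ident, flags_frag,
                            64, 1, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))


def parse_fragment(header):
    """Return the byte range a fragment claims to occupy in the reassembled packet."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _sum, src, dst = \
        IPV4_HEADER.unpack(header[:IPV4_HEADER.size])
    header_len = (ver_ihl & 0x0F) * 4
    start = (flags_frag & 0x1FFF) * 8          # offset field counts 8-byte units
    return {
        "key": (src, dst, proto, ident),       # fragments of one packet share this
        "start": start,
        "end": start + total_len - header_len,
        "header_len": header_len,
    }


def check_fragments(headers):
    """Map packet ID -> list of problems found in its fragment set."""
    groups = defaultdict(list)
    for raw in headers:
        frag = parse_fragment(raw)
        groups[frag["key"]].append(frag)
    findings = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["start"])
        problems = set()
        covered = 0                            # highest byte already claimed
        for frag in frags:
            if frag["start"] < covered:
                problems.add("overlap")
            covered = max(covered, frag["end"])
        if frags[0]["header_len"] + covered > MAX_DATAGRAM:
            problems.add("oversize")
        if problems:
            findings[key[3]] = sorted(problems)
    return findings


def constructed_fragments():
    """Three constructed fragment sets: normal, overlapping, oversized."""
    return [
        build_fragment(1, 0, 1480, True), build_fragment(1, 1480, 1480, False),
        build_fragment(2, 0, 36, True), build_fragment(2, 24, 4, False),
        build_fragment(3, 0, 1480, True), build_fragment(3, 65528, 100, False),
    ]


if __name__ == "__main__":
    print(check_fragments(constructed_fragments()))
```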

Permanent Denial of Service attack or PDOS.


This is an attack which exploits a security flaw to permanently break a networking
device by reflashing its firmware. This can cause a device to be unable to reboot
itself because its operating system is overwritten. It's also called a Permanent Denial
of Service attack because a quick reboot won't bring the system back online.
Instead, the device has to be taken offline, have a full firmware reload done, and
then it can be brought back online.

Fork Bomb
With the Fork Bomb, the attacker creates a large number of processes to use up
available processing power of a computer. This attack gets its name because a
process is called a fork, and it can be forked into two processes, and then four
processes and so on, until it eats up all of the resources. Now, some people think of
this as a worm because of the self-replicating nature, but Fork Bombs are not worms,
because they don't infect programs, and they don't use the network to spread.
Instead, Fork Bombs only spread out inside the processor's cache on the single
computer that's being attacked, and that causes a Denial of Service
condition, which is why they're not considered to be worms.

DDoS
Now, a distributed denial of service attack, instead of using a single attack targeting
one server, uses hundreds or even thousands of machines to launch an attack
simultaneously against a single server, and forces it offline to create that denial of
service condition. Usually, these machines that conduct the attack don't even realize
that they're a part of it, though. Generally, these machines have become zombies or
bots inside a large botnet and then when they receive that command to attack, they
all simultaneously send all their payloads against a single victim.

DNS amplification
Now, in addition to most basic forms of DDoS attacks, there is one specific type of
DDoS attack called a DNS amplification attack that could be performed. This
specialized DDoS allows an attacker to generate a high volume of packets that's
intended to flood a victim's website by initiating DNS requests from a spoofed version
of the target's IP address. This causes the DNS servers to respond to that request
and send the response back to the server, thinking that it's valid. Because a DNS
request uses very little bandwidth to send, but the response usually takes up a lot
more bandwidth, this allows the attack to be amplified against the victim's server.
Also, if this is happening because thousands of simultaneous requests are being
made by a bunch of zombies in a botnet on behalf of your victim's server, that server can
easily become overwhelmed with a lot of information and have lots of its bandwidth
eaten up pretty quickly, causing that denial of service condition to occur.

Methods to eradicate DDoS


The first one is called blackholing or sinkholing. This technique identifies attacking
IP addresses and routes all of their traffic to a non-existent server through a null
interface. This effectively will stop the attack. Unfortunately, the attackers can move
to a new IP and restart the attack all over again, and so, this is only a temporary
solution. Intrusion prevention systems can also be used to identify and respond to
denial of service attacks. This can work for small-scale attacks against your network,
but you're not going to have enough processing power to handle a large-scale attack
or a big DDoS. Now, one of the most effective methods to utilize is to have an elastic
cloud infrastructure. If you've built your infrastructure so that it can scale up when
demand increases, you can ride out a DDoS attack.

Spoofing
Spoofing is a category of network attack that occurs when an attacker masquerades
as another person by falsifying their identity. Just like a person uses a mask to cover
up their face to hide their true identity, spoofing is the electronic equivalent. We have
briefly discussed spoofing a few times already, such as in the case of the DNS
amplification attack when attempting a distributed denial of service by spoofing the
IP address of the victim server when making that request.

Hijacking
Hijacking is the exploitation of a computer session in an attempt to gain unauthorized access
to data, services, or other resources on a computer or server. There are eight types
of session hijacking that can be performed: session theft, TCP/IP hijacking, blind
hijacking, clickjacking, Man-in-the-Middle, Man-in-the-Browser, the watering hole
attack, and cross-site scripting attacks.

Session Theft
With session theft, the attacker is going to guess the session ID for a web session
and that enables them to take over the already authorized and established session of
that client.

TCP/IP Hijacking
Hijacking can also occur at the network or transport layer, too. Now, when it does, it's called
TCP/IP hijacking because it occurs when an attacker takes over a TCP session
between two computers without the need of a cookie or other host access. Because
TCP sessions only authenticate during the initial three-way handshake, the attacker
can jump into the session at any time they want if they can guess the next number in
the packet sequence.

Blind Hijacking
Now, the next type of hijacking is called blind hijacking because it occurs when the
attacker blindly injects data into a communication stream and won't be able to see
the results whether they're successful or not.

Clickjacking
This attack uses multiple transparent layers to trick a user into clicking on a button or
link on a page when they were intending to click on something else. Basically, the
hyperlink to the malicious content is hidden under some legitimate clickable content.
So, you think you're clicking on an image and you're actually clicking on some link
that takes you elsewhere.

Man-in-the-Middle Attack
A Man-in-the-Middle attack causes data to flow through the attacker's computer
where it can then be intercepted or manipulated as it passes through. This is
considered an active type of interception. So, let's pretend that you've got some kind
of malware on your computer and now all of your traffic is going to route through this
attacker's machine.

Man-in-the-Browser
Man-in-the-Browser is very similar to the Man-in-the-Middle, except it's limited to
your browser's web communication instead of looking at the entire communication.
This can occur because you have a Trojan that's infected your vulnerable web
browser and it modifies web pages or transactions that are being done within that
browser.

Watering Hole
And a watering hole is something that we described all the way back in the beginning
of this course. It occurs when malware is placed on a website that the attacker
knows his potential victims are going to access. Now, this can also be modified to
allow for session hijacking too because the attacker can take over that website and
grab the information between your client and the server itself.

XSS
Finally, we have cross-site scripting, which we've also discussed before. Now, I'm
mentioning it here briefly because cross-site scripting is another vulnerability that
can be used to conduct session hijacking against a victim. It does this by
targeting that client's computer and tricking it into thinking the code came from a
trusted web server. And if the trick succeeds, then the client is going to
execute that code and this can give the attacker a place inside that
communication stream from which to hijack the session.

Replay Attack
A replay attack is a network-based attack where valid data transmissions are
fraudulently or maliciously re-broadcast, repeated, or delayed. This works a lot like a
session hijack but it's a little bit different. With a session hijack, the attacker is trying
to modify the information being sent and received in real time, but with a replay
attack, we're simply trying to intercept it, analyse it, and decide whether or not to let it
be passed on later again.

One place where replay attacks have been used quite successfully, though, is in the
world of wireless authentication. By capturing a device's handshake onto the
wireless network, you can replay it later to gain access to that network yourself as if
you were them. This is extremely common in the older protocols, especially Wired
Equivalent Privacy, or WEP, when using a wireless network. So, you should be using
the latest protocols like WPA2 to help prevent and minimise your risk.
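
The difference between a handshake that can be replayed and one that cannot is shown below as an added example (not part of the original notes). It is a generic challenge-response sketch, not the WEP or WPA2 handshake; the key and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-demo-key"  # constructed value, not a real credential


def static_proof(key: bytes) -> bytes:
    """Weak scheme: the client sends the same proof bytes on every login."""
    return hmac.new(key, b"login", hashlib.sha256).digest()


class StaticServer:
    """Accepts the fixed proof, so a recorded copy keeps working."""

    def __init__(self, key: bytes):
        self._expected = static_proof(key)

    def verify(self, proof: bytes) -> bool:
        return hmac.compare_digest(proof, self._expected)


class ChallengeServer:
    """Issues a fresh random nonce per attempt and accepts each nonce once."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, proof: bytes) -> bool:
        if nonce not in self._outstanding:
            return False  # unknown or already used nonce: treat as a replay
        self._outstanding.discard(nonce)  # a nonce is valid for one attempt only
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(proof, expected)


def client_response(key: bytes, nonce: bytes) -> bytes:
    """The client proves knowledge of the key over the server's nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    results = {}

    weak = StaticServer(SHARED_KEY)
    recorded = static_proof(SHARED_KEY)  # what a listener on the network records
    results["static_first"] = weak.verify(recorded)
    results["static_replay"] = weak.verify(recorded)  # still accepted

    strong = ChallengeServer(SHARED_KEY)
    nonce = strong.challenge()
    proof = client_response(SHARED_KEY, nonce)
    results["nonce_first"] = strong.verify(nonce, proof)
    results["nonce_replay"] = strong.verify(nonce, proof)  # nonce already spent
    # The old proof does not match a freshly issued challenge either.
    results["old_proof_new_nonce"] = strong.verify(strong.challenge(), proof)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```
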

Null Session
Well, a null session is a connection to the Windows interprocess communications
share known as IPC$ (IPC dollar sign). This is an administrative share that you don't
see as a normal user, but it allows computers across the network to send information
that they know about files, folders, users, groups, computers, and servers to each
other. Now, as an attacker, if you're able to create a null connection to a computer,
you can use that as part of your information gathering and enumeration and be able
to use all of that data as part of your follow-on attack.

Transitive Attacks
Transitive attacks aren’t really an actual type of attack but more of a conceptual
method. They get their name from the Transitive Property we learned back in
mathematics. Essentially, the Transitive Property says that if A equals B and B
equals C, then by all logic, A also equals C. Now, when it comes to Security+, and
they talk about the idea of a transitive attack, they're really focusing on the idea of
trust. If one network trusts a second network and that second network trusts a third
network, then that first network really trusts the third network, and so, if an attacker
can get into any one of those three networks, he can then get into the other two, as
well. This is based on that transitive trust. This is really important in the world of
security because whoever you trust, you're also trusting everyone else that they've
ever trusted.

DNS Attacks
There are four different DNS attacks that you have to know for the Security+ exam.
They're DNS poisoning, unauthorised zone transfers, altered hosts files, and
domain name kiting.

DNS Poisoning
Now, DNS poisoning occurs when the name resolution information is modified in the
DNS server's cache. This modification of the data is done to redirect client
computers to fraudulent or incorrect websites, usually as part of follow-on attacks.
Now, DNS poisoning usually occurs on a company's internal DNS servers instead of
on public-facing DNS servers around the Internet. With this type of attack, the
internal client on the network has to make a request to go to a website like
[Link] and whenever they make that request, the client first checks with
their local network's primary DNS server to see if it knows the IP address for that
URL. If someone has gone there recently, that IP address is already going to be
stored in the local cache, but if the cache was poisoned, that user is now going to be
redirected to a malicious website instead of the desired one. To counteract DNS
poisoning, secure DNS, also known as DNSSEC, has been created. DNSSEC uses
encrypted digital signatures when passing DNS information between servers to help
protect it from poisoning. You can also prevent your DNS servers from being
poisoned by ensuring that you're running the latest patches and the latest updates to
make sure they're protected.

Unauthorised Zone Transfer


to provide DNS data to a zone transfer which replicates information to other servers.
With an unauthorised transfer, though, an attacker requests a copy of that zone
transfer information and if they receive it, they now have a list of all of your server
names and IP addresses and this helps them plan for future attacks. Because of this,
zone transfers should always be restricted so that they occur only between two known
and trusted servers, and nobody else should be allowed to request a zone transfer.

Altered Hosts Files

The third type of DNS attack is focused on the client itself. Every computer and
workstation has a file on it called the hosts file. The hosts file is a plain text file and it
contains IP addresses and names. This is a reference that the operating system is
going to check every time a DNS lookup is requested prior to going to a DNS server.
So, if the hosts file has the domain name being requested, it's simply going to provide
the hosts file version of that DNS information instead of going out to a DNS server
to request it.
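
Because the hosts file is consulted before DNS, reviewing it is a quick check during an investigation. The following audit is an added example (not part of the original notes); the sample file content, the domain names and the allowlist are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file content (not taken from a real system).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1      localhost
::1            localhost
10.0.5.12      intranet.example.internal    # entry pushed by IT
203.0.113.50   www.examplebank.test login.examplebank.test
0.0.0.0        updates.example-av.test
"""

# Hypothetical allowlist of (name, address) pairs the organization manages.
APPROVED = {("intranet.example.internal", "10.0.5.12")}


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in the file."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address, so not a mapping
        for name in fields[1:]:  # one line may map several names
            yield lineno, addr, name.lower()


def audit_hosts(text, approved=frozenset()):
    """Return one finding per entry that overrides DNS and is not approved."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if (name, str(addr)) in approved:
            continue
        if name == "localhost" and addr.is_loopback:
            continue  # standard default entry
        if addr.is_loopback or addr.is_unspecified:
            kind = "blocked"     # the name can no longer reach its real server
        else:
            kind = "redirected"  # the name is answered locally instead of by DNS
        findings.append(
            {"line": lineno, "name": name, "address": str(addr), "kind": kind}
        )
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, APPROVED):
        print(finding)
```

On a real system the text would be read from the operating system's hosts file and the allowlist would come from whatever entries the organization deploys on purpose.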

Pharming
Pharming occurs when an attacker redirects one website's traffic to another website
that is bogus or malicious. This is done by poisoning the DNS or by modifying the
hosts file on a system. Either way you do it, if you're trying to redirect somebody to
another website, that's usually considered pharming.

Domain Name Kiting


Now, our final attack is called domain name kiting. This attack exploits the way that
the registration process works for a domain name. Normally, you're given a five-day
grace period when you're adding a domain name, but if you delete it before that five
days is up and you re-add it again, the five days restarts. So, this lets an attacker
gobble up domain names without ever having to pay for them. And they can just
keep them in this limbo state. This is more of an abuse of the system than a real
attack but it does prevent a legitimate buyer from obtaining that domain name and
so, we do consider it an attack in the Security+.

ARP Poisoning
Now, ARP stands for the address resolution protocol, like you learned back in
Network+, and it's used to convert an IP address into a MAC address. If you
remember back from Network+ and our OSI model lesson, as data moves down the
OSI stack, it uses IP addresses to transmit packets all over the world from router to
router. But once it finds the right router, that router converts that IP address into a
MAC address and passes it on to the switches inside of its own network, and that is
going to help it to deliver the information using frames inside the data link layer.

Now, ARP poisoning is going to exploit the way that an ethernet network works. It's
going to enable an attacker to steal, modify, or redirect frames of information on the
network. The concept here is that the attacker is going to associate their MAC
address with the IP address of another device within the network. This way,
whenever the router asks for the MAC address that's associated with that IP, they get
the attacker's MAC address instead of the legitimate user's. This allows the attacker
to essentially take over any session that would involve MAC addresses at layer
two of the OSI model.

To prevent ARP poisoning, you should set up good VLAN segmentation within your
network, and also set up DHCP snooping to ensure that IP addresses aren't being
stolen and taken over by an attacker.
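
From the detection side, the symptom described above is an IP address whose MAC address suddenly changes, or one MAC address answering for several IP addresses. The check below is an added example (not part of the original notes); the observations, addresses and the pinned gateway binding are constructed for illustration.

```python
from collections import defaultdict

# Constructed (timestamp, ip, mac) observations, as periodic ARP table
# snapshots or a network sensor might record them.
OBSERVATIONS = [
    (1, "10.0.0.1", "aa:aa:aa:aa:aa:01"),   # gateway
    (1, "10.0.0.20", "aa:aa:aa:aa:aa:20"),
    (1, "10.0.0.66", "de:ad:be:ef:00:66"),
    (2, "10.0.0.1", "de:ad:be:ef:00:66"),   # gateway IP now maps to .66's MAC
    (2, "10.0.0.20", "AA:AA:AA:AA:AA:20"),  # same MAC, different letter case
    (3, "10.0.0.1", "de:ad:be:ef:00:66"),
]

# Hypothetical known-good bindings for critical hosts such as the gateway.
PINNED = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}


def find_arp_anomalies(observations, pinned=None):
    """Return alerts as (timestamp, kind, ip_or_ips, mac) tuples.

    kinds: "pinned-mismatch"         IP with a known-good MAC answers with another
           "mac-changed"             an unpinned IP moved to a different MAC
           "mac-claims-multiple-ips" one MAC currently holds several IPs
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    current = {}  # latest MAC seen for each IP
    alerts = []

    for ts, ip, mac in sorted(observations):
        mac = mac.lower()
        previous = current.get(ip)
        current[ip] = mac
        if previous == mac:
            continue  # nothing changed, so do not alert again
        if ip in pinned and mac != pinned[ip]:
            alerts.append((ts, "pinned-mismatch", ip, mac))
        elif previous is not None:
            alerts.append((ts, "mac-changed", ip, mac))

    by_mac = defaultdict(set)
    for ip, mac in current.items():
        by_mac[mac].add(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append((None, "mac-claims-multiple-ips", ",".join(sorted(ips)), mac))
    return alerts


if __name__ == "__main__":
    for alert in find_arp_anomalies(OBSERVATIONS, PINNED):
        print(alert)
```

A changed MAC address is not always an attack: a replaced network card, a DHCP lease handed to a new device, or a failover pair sharing an address produce the same pattern, so alerts on pinned hosts deserve the most attention.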

Policies & Procedures
Now, when I discuss policies and procedures, I'm not talking specifically about
technical controls necessarily but instead, I'm focusing a lot on administrative
controls. Policies are one part of a larger concept known as IT governance. IT
governance is used to provide us a comprehensive security management framework
for the organization to build upon. We do this by using Policies, Standards,
Baselines, Guidelines, Procedures, and Information classification and even an entire
lifecycle approach to our information technology systems. Policies are used to define
the role of security inside of an organization and they establish the desired end state
for that security program.

Policies tend to be very broad and they provide the basic foundation upon which the
Standards, Baselines, Guidelines, and Procedures are going to be built. Security
policies are built to fill in one of three levels. They can be Organizational,
System-specific, or Issue-specific.

Organizational Policies
Organizational security policies are going to provide direction and goals. They're
going to give you a framework to meet the business goals and define the roles,
responsibilities, and terms associated with it.

System-specific Policies
System-specific policies are going to address the security of a specific technology,
application, network, or computer system. These system-specific policies tend to be
much more technical and they focus on protecting a certain piece of the system or a
certain piece of technology.

Issue-specific Policies
Finally, we have Issue-Specific Policies and these are built to address a specific
security issue such as email privacy, employee termination procedures, or other
specific issues.

Now, in addition to those three areas, our policies can be further separated down into
one of three categories inside of information security. They're regulatory, advisory, or
informative.

Regulatory Policies
When I talk about regulatory policies, I'm talking about things that address
mandatory standards and laws that are going to affect the organization.

Advisory Policies
Advisory policies are going to provide us guidance on what is and what is not
considered an acceptable activity. The most common example of this type of policy
is known as the acceptable use policy or AUP. And this is something that companies
provide to their employees to tell them what they can and can't do on the network.

Informative Policies
The third type is an Informative policy. Now, an Informative Policy is going to focus
on a certain topic and it's designed to be educational in nature.

Standard
So, as we move beyond the policy, we then go into Standards. And Standards are
used to implement a policy in an organization. These are going to include things like
mandatory actions, steps, or rules that are needed to achieve the desired level of
security.

Baseline
Beyond that, we have Baselines. And Baselines are created as reference points.
These are used to document any kind of system so that you can go back later and
compare against it for analysis. We talked about Baselines in terms of security earlier
and we also talked about Baselines of the network, where you know what the
network pattern is and then you can decide if something is above that Baseline or
below that Baseline, which becomes an anomaly.

Guidelines
Now, guidelines are not required actions but instead, these are the recommended
ones. Guidelines tend to be flexible in nature. They allow for exceptions and
allowances when a unique situation occurs.
So, for example, let's say I have a guideline that every employee gets one terabyte
of storage on our cloud servers. That might be fine for most people and if we have
secretaries or accountants or somebody who does a lot of contract work, those are
fairly small files and so, one terabyte is plenty of information and plenty of storage.
But my video editor might come up and say you know what, one terabyte is not
sufficient for me, I need five terabytes because I'm dealing with these large video
files all the time. Well, because it's a guideline, we can make an exception and an
allowance for that person. We could say you know what, normally, we give one
terabyte but because of your specific job role we're going to break that and we're
going to go beyond that and give you more storage and break that guideline that we
normally have.

Procedures
And Procedures are our detailed step-by-step instructions that are created to ensure
personnel can perform a given action. These procedures are where those high-level
policies are transferred all the way down through those standards and guidelines into
actionable steps.

Tips
Now, for the Security+ exam, the big concept from this lesson that I want you to
remember is the idea of a policy and a procedure. Remember that a policy is
something that gives you generic guidance to the organization. For example, your
password policy might say that all passwords have to be long, strong, complex, and
be changed every 90 days. Then, we have a procedure which is very specific. And if
I had a password procedure, that might detail exactly how to configure that password
policy on a Windows Server 2016 system. Or, I might have a password procedure that's
going to tell the user how they can change their password every 90 days by going
into Windows and following steps one through five.

Data Classifications
Data classification is based on the value to the organization and the sensitivity of that
information if it's going to be disclosed. The person that decides the level of data
classification is the data owner. Now, what exactly would we consider sensitive data
or information? Well, sensitive data is any information that can result in the loss of
security or loss of advantage to a company, especially if it's accessed by
unauthorized persons. Now, basically, this is the data that we need to be protecting.
Anything that is sensitive, we want to make sure there is protection around it.

There are two different classification schemes that are normally used by
organizations. And the way you choose yours is based on whether you're a
commercial business, or a governmental organization.

Commercial Business
So, if you’re a commercial business like we are, you're going to use one of four
common classification levels. And these go from lowest to highest as:
1. public
2. sensitive
3. private
4. confidential

Governmental Organization
Now, if you work in a military or government sector, you're going to have five different
classification levels going from lowest to highest. These are probably what you hear
inside movies all the time. Things like:
1. Unclassified
2. Sensitive but unclassified
3. Confidential
4. Secret
5. Top secret

Data Ownership
Now, when we talk about data ownership, this is the process of identifying the person
responsible for the confidentiality, integrity, availability, and privacy of the information
assets. Now, you might think that the data owner is the person who created that file,
but that's not what we're talking about. In an enterprise environment, there are
different roles that fall under this idea of data ownership. These include things like
the data owner themselves, the data steward, the data custodian, and the privacy
officer.

Data owner
This is going to be a senior executive role, and they have the ultimate responsibility
for maintaining the confidentiality, integrity, and availability of the information asset.
So, what is their real role here as the data owner? It's not the person who created
the file. It's the senior executive, and this data owner is going to be responsible for
labeling the asset and ensuring that it's protected with the appropriate controls.

Data steward
Now, the data steward is a role that’s focused on the quality of the data and the
associated metadata. This data steward is going to be somebody who is working for
the data owner. They're going to be involved with making sure that the data is
appropriately labeled and classified. So, we said that all financial data should be
labeled financial data, and it should be taken care of this way. That's going to be the
role of the data steward to make sure that's actually done.

Data custodian
This is a role that’s responsible for handling the management of the system on which
the data assets are stored. So, who might be a data custodian? Well, a system
administrator. These are the people responsible for enforcing the access control, the
encryption, and the backup and recovery measures that protect this data based on
the requirements set forth by that data owner.

Privacy officer
Now, this is a role that’s responsible for the oversight of any kind of privacy-related
data, things like PII, SPI, or PHI. Any of those things that are managed by the
company fall under the realm of the privacy officer. This is the person who's going to
really be on the hook if you have a data breach because, normally, when you have a
data breach, what people are concerned about is the private user data that has been
expelled. And so, that is going to be what they're focused on.

PII and PHI
One of the largest privacy concerns inside most organizations today is how you're
going to collect, process, and store PII, known as personally identifiable information.

Now, the first step in protecting PII is to understand what constitutes this class of
information. If a piece of data can be used either by itself or in combination with
some other piece of data to identify a singular person, then it's considered PII.

Well, this is things like your full name, your driver's license number, your social
security number, your date of birth, your place of birth, digital versions of your
biometric features like your fingerprints or your retina scans, financial account
numbers, your addresses, your email addresses, and even your social media
usernames.

Federal Privacy Act of 1974


The first one is the Federal Privacy Act of 1974. This affects any U.S. government
computer system that collects, stores, uses, or disseminates personally identifiable
information. If you work for the government or one of its contractors, then this law is
going to apply to your organization.

HIPAA
HIPAA is the Health Insurance Portability and Accountability Act and it affects health
care providers, facilities, insurance companies, and other medical data
clearinghouses. If your organization is processing or storing medical data, you're
likely going to be affected by HIPAA. It's enforced by the Department of Health and
Human Services in the United States and it provides you with the standards and
procedures that have to be used, at a minimum, for storing, using, and transmitting
medical information and healthcare data.

SOX
The third law you should know is Sarbanes-Oxley or SOX, as it's also known. This
was originally enacted by Congress back in 2002 as the Public Company Accounting
Reform and Investor Protection Act of 2002, but you're almost always going to hear it
referred to as SOX or Sarbanes-Oxley. If your organization is a publicly-traded U.S.
corporation, it's affected by this regulation and it has to follow certain accounting
methods and financial reporting requirements. Now, the important thing to keep in
mind with Sarbanes-Oxley is that if you fail to follow it, your senior leadership, like
your CEO, can actually receive jail time for it.

GLBA
The next regulation we’re going to talk about is known as GLBA or the
Gramm-Leach-Bliley Act of 1999. Now, this affects banks, mortgage companies, loan
offices, insurance companies, investment companies, and credit card providers.
Basically, if you work for a financial institution, this is going to affect you. GLBA
directly affects the security of personally identifiable information and it prohibits
sharing of financial information with any third parties and it also provides guidelines
for securing that financial information.

FISMA
Another law that affects you if you’re working for the federal government is the
Federal Information System Security Management Act of 2002, also known as
FISMA. Now, FISMA requires each agency in the government to develop, document,
and implement an agency-wide information systems security program to help protect
their data. Basically, FISMA is all about cybersecurity. The goal here is to create
more secure networks across the entire U.S. government.

PCI DSS
Now, the final thing we’re going to talk about here is a standard, not an actual law or
regulation. But it's one that affects you if you take credit card payments. It's known as
PCI DSS or the Payment Card Industry Data Security Standard. This is an
agreement that any organization who collects, stores, or processes credit card
information for a customer has to follow. Again, this isn't a law or regulation, but it is
a contractual obligation or agreement and it's a standard that must be followed if
your organization wants to be able to handle credit card transactions.

HAVA
Now, another federal law that you should know about is HAVA, which is the
Help America Vote Act of 2002. Now, it was designed to help replace the
old punch card systems in the voting machines that we used and it provides
regulations that govern the security, confidentiality, and integrity of the personal
information that's collected, stored, or processed during the election cycle and the
voting process.

SB 1386
Now, the last law we’re going to talk about is actually a California law, so it only
affects businesses that operate in California as a California corporation. Now, why
are we covering it then? Because this doesn't even apply to my company. Well, it's
because a lot of IT companies out there do business in California or they're based
out there and this makes them a California business under this law. This law is called
SB 1386, which is the number that was assigned to this regulation. Now, it was
created in 2003 and requires any California business that stores computerized
personal information to immediately disclose any breach of security that it becomes
aware of.

Legal Requirements
When we talk about privacy, we're really talking about a data governance
requirement that arises when you're collecting and processing personal data, to
ensure the rights of the data subject. So, if I collect information from you when you
sign up for my course, I get your name, your email, maybe your credit card
information, I have to keep that information private. It doesn't necessarily mean that I
have to have it encrypted in my database, although we do that, we just have to make
sure that nobody else can get that data who doesn't have a need to know inside our
organization. That's the idea of privacy.

GDPR
Now, one of the biggest requirements and one of the best requirements in terms of
privacy is GDPR. This is the General Data Protection Regulation. And this says that
personal data cannot be collected, processed, or retained without the individual's
informed consent. Now, when I talk about informed consent, this means that the data
must be collected and processed only for the stated purpose and that purpose must
be clearly described to the user in plain language, not legalese.
So, if you go to a website and they say give us your name, your email, and your
home address so that we can sell you this product and then deliver it to your house,
that's the stated purpose. That doesn't mean that they can now send you mailers
every single week to your home address to try and get you to buy more stuff unless
that was part of their privacy policy that you accepted. So, GDPR says they have to
be upfront with this.
Now, GDPR also provides the right for a user to withdraw consent at any time. It also
gives them the ability to inspect, amend, or erase data that's held about them. We
like to call this the right to be forgotten. If you're a resident and citizen of the
European Union, you can call up the company or fill out their form and say, I want
you to forget everything you've ever known about me and they have to go into their
database and scrub you out of it.
That is part of that law. It gives you a lot of protections if you're a European citizen.

Now, what happens if you have a data breach? Well, this depends again where you
are and what laws you fall under. For instance, if you deal with GDPR, you have
responsibilities. Within 72 hours, if you're doing business within Europe, you have to
notify the regulators and the users that you had a data breach. So, once again, this
is an area where the European citizens have better rights than the Americans do
based on the laws that are in each of those countries at the time of this filming. Now,
let me give you a quick word of warning. Data breaches can happen both
accidentally and through malicious interference. Just because you had a data breach
doesn't mean that some hacker got in.

Privacy Technologies

De-identification
When I’m talking about de-identification, these are the methods and technologies that
remove identifying information from data before we distribute that data. Now, the real
benefit of de-identification here is being able to take data that may be protected by
privacy requirements and, once we do the de-identification, make that data usable by us
again for other purposes. Now, this doesn’t violate anybody’s privacy because we
are de-identifying the data. Oftentimes, your de-identification is going to be
implemented as part of your database design. Now, there are lots of different things
that we have to talk about when we talk about de-identification. This includes things
like data masking, tokenization, aggregation and banding, and re-identification.

Data Masking
Now, when we talk about data masking, this is a de-identification method
where a generic or placeholder label is substituted in for real data while
preserving the structure or format of the original data. So, let's say you're going to
give me all your credit cards. I take all your credit cards and I take away all of the
information from your 16 digits and I put XXXX in front of all those 16 digits. That
would mask the data. Nobody would be able to identify that credit card anymore as
yours because we don't have the credit card. We just have XXXXX. That's a form of
data masking.

Tokenization
The next one we have is what’s known as tokenization. Now, this is a
de-identification method where a unique token is substituted in for real data. Now,
when you do tokenization, one of the things you have to worry about is whether
the process is reversible, and usually with tokenization, it is. So, again,
let's say I had your social security numbers. Instead of changing them all to one, I
assign a random number to each of my students. That's now their student ID. That
student ID is now substituted in for that social security number field. But I might have
a master list in my safe that says this student ID matches this social security number.
That's what we're talking about with tokenization.

Aggregation/Banding
Now, aggregation and banding is where you de-identify people by gathering the data
and generalizing it to protect the individuals involved. So, if we were using
aggregation and banding, we might take all of our subjects in a medical trial and
instead of identifying them as the person or the subject number, we would say out of
the 100 people who participated in this trial, 90% of them didn't have side effects.
Now, that doesn't mean any of those 90 can be quickly identified as you. It just means
somebody didn't have a side effect. It's one of those 90. And if we knew that you
didn't have side effects, well, you're just one of 90. We don't know you individually.
And that's where we're able to protect your privacy.

Re-identification
Re-identification is an attack that combines de-identified data sets with other data
sources, things that you know, to discover how secure the de-identification method
is. And so, if we use that system in our company, that would not be secure.
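
The four ideas above can be put side by side in a short added example (not part of the original notes). It masks card numbers, tokenizes social security numbers into student IDs backed by a "master list", bands ages, aggregates a trial result, and then checks how many de-identified rows are still unique. The records, the ZIP code field, the token format and all names are constructed for illustration.

```python
import secrets
from collections import Counter

# Constructed records; the SSNs and card numbers are not real.
RECORDS = [
    {"ssn": "000-00-0001", "card": "4111 1111 1111 1111", "age": 23, "zip": "30301", "side_effect": False},
    {"ssn": "000-00-0002", "card": "4111 1111 1111 1129", "age": 27, "zip": "30301", "side_effect": False},
    {"ssn": "000-00-0003", "card": "4111 1111 1111 1137", "age": 24, "zip": "30301", "side_effect": True},
    {"ssn": "000-00-0004", "card": "4111 1111 1111 1145", "age": 41, "zip": "30302", "side_effect": False},
    {"ssn": "000-00-0005", "card": "4111 1111 1111 1152", "age": 45, "zip": "30309", "side_effect": False},
]


def mask_card(card, keep_last=0):
    """Data masking: replace digits with X but keep length and separators."""
    total = sum(ch.isdigit() for ch in card)
    out, seen = [], 0
    for ch in card:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - keep_last else "X")
        else:
            out.append(ch)
    return "".join(out)


class TokenVault:
    """Tokenization: random tokens plus the protected master list that reverses them."""

    def __init__(self):
        self._by_value = {}
        self._by_token = {}

    def tokenize(self, value):
        if value not in self._by_value:
            token = "STU-" + secrets.token_hex(4)
            while token in self._by_token:  # regenerate on the rare collision
                token = "STU-" + secrets.token_hex(4)
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token):
        return self._by_token[token]


def age_band(age, width=10):
    """Banding: report a range such as 20-29 instead of the exact age."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def aggregate(records):
    """Aggregation: publish only the group-level result."""
    without = sum(1 for r in records if not r["side_effect"])
    return {"participants": len(records),
            "no_side_effect_pct": round(100 * without / len(records))}


def deidentify(records, vault):
    return [{"student_id": vault.tokenize(r["ssn"]),
             "card": mask_card(r["card"]),
             "age_band": age_band(r["age"]),
             "zip": r["zip"],
             "side_effect": r["side_effect"]} for r in records]


def unique_groups(rows, keys):
    """Re-identification check: value combinations that match exactly one row."""
    counts = Counter(tuple(row[k] for k in keys) for row in rows)
    return [group for group, n in counts.items() if n == 1]


if __name__ == "__main__":
    vault = TokenVault()
    rows = deidentify(RECORDS, vault)
    print(rows[0])
    print(aggregate(RECORDS))
    print("unique on (age_band, zip):", unique_groups(rows, ("age_band", "zip")))
```

Rows that are unique on the remaining fields can be matched against an outside data source that has the same fields next to a name, which is why the check matters even after masking and tokenization.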

Security Policies
Now, there are things that you legally must follow, and that's all those things we just
talked about. But your organization will also create a lot of policies that they want
their own employees to follow, as well. Now, these aren't legally binding or required,
but they are used as part of a good, overarching security program by adding these
administrative security controls to your security systems.
This privacy policy is going to govern the labeling of data to ensure that all
employees understand when the data they're looking at and handling happens to be
personal information. And this will help prevent the mishandling of confidential
information.

Next, we have what's known as the AUP, or the acceptable use policy. An
acceptable use policy is used to define the rules and restrict how a computer, network,
or other system can be used. For example, your organization might have a policy
that states you can't use the Internet to browse -- or gambling websites while you're
at work.

Change management is our next policy. And change management is a structured
way of changing the state of a computer system, network, or IT procedure. Back
when we talked about creating a secure, known good baseline for the security of our
systems, I mentioned that we want to control the configuration changes to be made
to that secure baseline. And that's exactly what change management does for us. A
good change management policy is designed to make sure that you're going to get
the changes that you want in a secure and methodical manner.

Next, we have the separation of duties. Separation of duties is a preventative type
of administrative control, and it's one that should be considered when you're drafting
up your organizational authentication and authorization policies. Separation of duties
is designed to prevent fraud and abuse by distributing various tasks and approval
authorities across a number of different users.

Now, the next policy is to consider job rotation. Job rotation is a detective type of
administrative control. And with job rotation, different users are trained to perform the
tasks of the same position in order to help prevent and identify fraud that could occur
if one employee had the job the entire time themselves.

Another administrative control you need to consider is what are you going to do
when you hire or fire somebody. We also call this onboarding and offboarding.
When we consider this, we're talking specifically about information system security,
and not the human resource part of this process. But you should consult your human
resources team whenever you're developing this part of your security policy.

These aren’t necessarily policies, but they are concepts that you have to keep in
mind when you're writing your policies.

Due diligence means that you’re ensuring the IT infrastructure risks are known and
managed properly. To achieve due diligence, you need to ensure that you conduct
proper risk assessment and conduct risk management activities to keep operations
running smoothly over time.

Due care is the mitigation actions that an organization takes to defend itself against
risks that have been identified during your due diligence. So, let's say I do due
diligence, and I find that our company is not utilizing a modern operating system.
And this represents a big vulnerability. So, maybe I find they're using XP still, for
instance. Well, if I want to exercise due care, I would allocate money to upgrade the
system from Windows XP all the way up to Windows 10.

Due process is a legal term, and it refers to how an organization must respect and
safeguard personnel's rights. For example, if you're the federal government, you
can't eavesdrop or wiretap on any US citizen you want. You can't just go and say,
hey, I'm going to listen to Johnny's phone calls today. No, this is prohibited by the US
constitution's fourth amendment, which protects us against illegal search and
seizure.
Now, basically, when you hear due process in terms of the Security+ exam, I want
you to think about the fact that due process is used to protect a person from the
government, but it can also protect your organization from frivolous lawsuits.

User Education

Security Awareness Training


So, the first type of training is known as security awareness training, and it's used to
reinforce the importance of having users help you secure the organization's valuable
resources. This includes things like educating your end users on the current threats
facing the organization, phishing campaigns, how to protect their passwords, as well
as what to do in the event of an incident.

Security Training
Now, security training is our second category, and it's used to teach the
organization's personnel the skills they need to perform their job in a more secure
manner. So, this training is usually going to be focused on IT staff and
administrators, as well as other technical employees. For example, let's say I sent
my system administrators down to get some training to learn the most secure way to
set up a user account and create passwords, and this training would be a form of
security training.

Vendor Relationships
Whenever you’re dealing with vendors outside your organization, you're going to
need to have some agreements and contracts in place. That's what we're going to
talk about in this lesson. We're going to discuss NDAs, MOUs, SLAs, ISAs, and
BPAs.

NDA
An NDA is a non-disclosure agreement, and it's an agreement between two parties
that defines what data is considered confidential and can't be shared outside of that
relationship.

MOU
An MOU is a memorandum of understanding. And this is a non-binding agreement
between two or more organizations to detail what common line of action they're
intending to take. Now, essentially, this is a formal version of a gentleman's
agreement because it's actually written down and signed by all parties. But it's pretty
much like a handshake, right? If you and I agreed to go into business together and I
understand you're going to do x, y, and z, and you understand that I'm going to do a,
b, and c, that's what an MOU does. An MOU is often referred to as a letter of intent,
and it's most often used within an organization by two of its smaller internal divisions.

SLA
Another business document to consider using is what's known as a service-level
agreement or SLA. Now, this agreement is concerned with the ability to support and
respond to problems within a given timeframe while providing the agreed-upon level
of service to the user.

ISA
Next, let’s talk about information sharing. Often, multiple organizations want to work
together and that requires them to share information between their networks. An
agreement that focuses on connecting two systems from two different organizations
is called an interconnection service agreement or ISA. An ISA is an agreement that
allows the owners and operators of the two IT systems to document what technical
requirements each organization has to meet. If your organization is planning to
connect its network to another organization, it's a good idea to ensure you have an
interconnection security agreement in place, detailing exactly what level of security
each organization needs to meet.

BPA
Now, a business partnership agreement is conducted between two business partners
and establishes the conditions of their relationship. These include things like each
person's responsibility, as well as the revenue, system, and data sharing details. One
example of this is my company. We entered into a business partnership agreement
with another company to produce an online training course on the CompTIA
Advanced Security Practitioner or CASP+ Exam. Now, in our agreement, it clearly
stated that I was responsible for writing all of the scripts and all of the videos, flying
out to their studios to film it, but my partner was responsible for providing me travel
expenses.

Disposal Policies
Asset disposal occurs whenever a system is no longer needed by an organization.
And it doesn't mean it has to be some old worn out piece of junk computer. It may be
that you have a new iPhone and you just got a brand new one three weeks later.
What are you going to do with that one that was there three weeks earlier? Well,
you're going to have to dispose of it somehow, and it can be reused, resold, or
completely thrown away. This disposal might require the system to be destroyed, it
could be that the assets can be reused for another purpose, or it's resold to get you
some money back.

Now, in organizations that require a high level of security for their data, it's
commonplace for data storage devices to be electronically or physically destroyed
first.

If your organization is using hard drives for storage, these can be destroyed through
a degaussing process. Degaussing exposes the hard drive to a powerful magnetic
field, and this causes the previously-written data to be wiped from the drive, and the
drive to become a blank slate once again.

Now, if all of that sounds a little too violent for you, that's okay, there are electronic
mechanisms to do this too. This is known as purging. Purging, also known as
sanitizing, is the act of removing data in such a way that it cannot be reconstructed
using any known forensic techniques. This includes using special bit-by-bit erasing
software that can allow you to rewrite the hard drive many times over with a series of
ones and zeros. And if you do this at least seven times or even 35 times for real
high-security applications, you can actually erase that drive and then reuse it again.
Another technique you can use is to encrypt the drive, and if you destroy the
encryption key, this again makes the data on it impossible to read, and this is
another way to basically sanitize your drive.

Now, if you want to reuse that hard drive more easily, though, you would use a
clearing technique. A clearing technique is the removal of data with a certain amount
of assurance that it can't be reconstructed. For example, if you delete a file or a
folder from your hard disk, and then you replace the area that was stored on it with a
series of zeros, this would constitute clearing. This is also used to do a secure-erase
function inside of some operating systems. Now, unfortunately, the data is actually
recoverable with special techniques and forensic procedures, though. And so, if you
want to conduct something like a low-level format of the hard disk, this would be
categorized as clearing, as well. The bottom line, if you're working in a high-security
environment, you shouldn't use clearing. Instead, you should opt for purging or
physical destruction.

IT Security Frameworks

SABSA
First, we have the Sherwood Applied Business Security Architecture, also known as
SABSA. SABSA is a risk-driven architecture, and it seeks to consider the security
problem by thinking about the what, where, when, why, who, and how of a problem.
And they think about this as it intersects with six different layers: the operational,
component, physical, logical, conceptual, and contextual layers.

COBIT
Next, we’ll consider COBIT. COBIT stands for the Control Objectives for Information
and Related Technology. And it's a security control development framework that
divides IT into four domains: Plan and Organize, Acquire and Implement, Deliver and
Support, and Monitor and Evaluate. Each of these domains is then broken down into
one of 34 other processes. And this is very similar to other service management
frameworks like ITIL or ISO 27000.

NIST Special Publication 800-53
Next, let's take a quick look at the NIST Special Publication 800-53. This is a security
control framework developed by the U.S. Department of Commerce. Each control is
placed into one of three categories: technical, operational, or management. We
talked about this back in our security controls lesson. Each of these classes contains
numerous security controls, as well. And if you're working for a government agency,
you're likely going to be using the framework that is the NIST Special Publication
800-53.

ITIL
ITIL is a framework that used to be known as the IT Infrastructure Library because it
was very focused on service operations and security of your networks. But it has
grown into something larger now, with the new ITIL 4. ITIL is still the de facto
standard for IT service management. But now, it's being expanded to include all sorts
of other service-based connections that we have with our organizations to provide
value to our end users.

Exam Tips
Now, for the Security+ exam, you don't need to know ITIL in depth. But I would
recommend checking out an ITIL 4 course because most employers rely heavily on
ITIL for their operations. And being able to discuss ITIL, its processes, and its
concepts is a great thing to have in your back pocket during a job interview. After all,
ITIL is the language of IT operations, and as security professionals, we need to fit in
to that system effectively. Now, in the Security+ exam, you're not going to be asked a
lot of questions about frameworks. But you should know that there are frameworks
that exist, such as SABSA, COBIT, the NIST Special Publications, ISO 27000, and
ITIL. The most I would expect you to see on the exam about
frameworks is the fact that we use frameworks as a basis for our policies, our
procedures, and our standards.

Key Frameworks

CIS
The Center for Internet Security creates a framework that's based on
consensus-developed secure configuration guidelines for hardening, which are
known as benchmarks, as well as some prescriptive, prioritized, and simplified sets
of cybersecurity best practices, which are known as configuration guides. Now, when
we look at benchmarks, they tell us what we should be using as
we go through and make sure our systems are up to snuff. When we look at the
configuration guides, these will actually be step-by-step instructions.

RMF
The next framework we’re going to cover is known as the Risk Management
Framework or RMF. Now, RMF is something that has become very popular in recent
years. This is a process that integrates security and risk management activities into
the system development lifecycle early on. This way, we can do this as an approach
to security control selection and specification that considers the effectiveness,
efficiency, and constraints due to the different laws, directives, executive orders,
policies, standards, and regulations. You should just know that the Risk Management
Framework is made by NIST and it's used in federal government systems.

CSF
The other one that’s made by NIST is known as the Cybersecurity Framework or
CSF. This is a set of industry standards and best practices that were created by
NIST to help organizations manage their cybersecurity risks. Often, you will find that
Risk Management Framework and the CSF work together inside of an organization.
Again, it's not something you need to know in depth for the exam, but you should be
aware that the CSF, the Cybersecurity Framework, is made by NIST, and you
should be aware of the five category functions that we have: identify, protect, detect,
respond, and recover.

ISO 27001
The next framework we’re going to talk about is an international one. This is known
as ISO 27001. ISO is the International Organization for Standardization. And this is
an international standard that details the requirements for establishing,
implementing, maintaining, and continually improving an information security
management system or ISMS. Now, when you hear ISO 27001, I just want you to
think about the fact that this is a basic procedure for cybersecurity, and it is an
international standard.

ISO 27002
The next one we have is ISO 27002. This again is an international standard and it
provides best practice recommendations on information security controls for use by
those responsible for initiating, implementing, or maintaining information security
management systems, or ISMSs. So, again, you can see how 27001 and 27002 could
work together. With 27001, we're talking about the requirements for establishing and
maintaining these systems. When we're talking about 27002, we're talking
specifically about the controls that we're going to choose to protect those systems.

ISO 27701
Next, we have the ISO 27701. This, again, is an international standard and it acts as
a privacy extension to the ISO 27001. It's used to enhance the existing ISMS with
additional requirements in order to establish, implement, maintain, and continually
improve privacy information management systems. So, if you have 27001, that's
your information systems. If you have 27002, that's the controls to protect those
systems. When you talk about 27701, you're talking about adding privacy on top of
that.

ISO 31000
The final international standard we want to talk about is ISO 31000. This is an
international standard for enterprise risk management, and it provides a
universally-recognized paradigm for practitioners and companies to employ risk
management processes to replace the myriad of existing standards, methodologies,
and paradigms that differed between different industries, subject matters, and
regions. So, essentially, if you think about risk management framework, the RMF,
how it's used in the United States, the ISO 31000 was trying to do this globally.
They're trying to figure out how we can make everybody use the exact same Risk
Management Framework, and that's where ISO 31000 comes into play.

SOC
Now, the next framework we’re going to talk about is System and Organization
Controls, also known as SOC. Now, this is a suite of reports that are going to be
produced during an audit. And this is going to be used by service organizations to
issue validated reports of internal controls over those information systems to the
users of those services. Now, if you're going to go ahead and get a SOC audit done,
this is going to be something that is going to be used in conjunction with some of
your other frameworks. So, if you're using NIST RMF or NIST Cybersecurity
Framework, that tells you what controls you wanted to put in place. The SOC is
going to do the audit of those controls and make sure you're in compliance. They
mentioned the SOC 2 and they mentioned type II underneath this idea of a SOC.
When we talk about SOC 2, this means it is a trusted services criteria. And this is
basically when you go and look at the manual for SOC, it'll tell you what those
requirements are as part of that audit. That's what the trusted services criteria is
used for. Now, when I talk about the type II, this is going to address the operational
effectiveness of the specified control over a given period of time. Normally, that's
going to be 9 to 12 months. So, if I'm doing an audit and I'm looking to make sure
you have multifactor authentication to prevent people from logging onto your
systems, I can then say how effective is your implementation of multifactor
authentication over a 9 to 12 month period and I can put that into my report, as well,
if I'm doing a SOC 2, type II report.

Cloud Control Matrix


The next framework we want to talk about comes from the Cloud Security Alliance. It
is the Cloud Control Matrix. This is a framework that's designed to provide
fundamental security principles to guide cloud vendors and to assist prospective
cloud customers in assessing the overall security risk of a given cloud provider. So, if
you're trying to decide are you going to go with Azure or AWS or Google cloud, you
can run it through your Cloud Control Matrix to figure out which one is best going to
meet your needs and provide you the best security.

Reference Architecture
Now, the final thing we want to talk about also comes from the Cloud Security
Alliance and it's the Reference Architecture. This is a methodology and a set of tools
that enable security architects, enterprise architects, and risk management
professionals to leverage a common set of solutions that fulfill their common needs
to be able to assess where their internal IT and their cloud providers are in terms of
security capabilities, and to plan a roadmap to meet the security needs of their
business. Essentially, when we talk about a reference architecture, we're saying, this
is the thing we're going to build towards, this is how we want to build this thing to
make sure it's secure. Now, once we do that over time, that may change and things
go and deviate away from that reference architecture, that's when we go away from
baseline, but what we designed as a reference architecture gives us the outline of
what we want and how we want everything to match up so we can have the best
security and we meet our roadmap to meet those needs.

Network & Perimeter Security

OSI Model
Now, going back to your Network+ studies, you probably remember the mnemonic of
Please Do Not Throw Sausage Pizza Away.
This represents the seven layers of the OSI Model, going from the bottom to the top.
This is:
1. Physical
2. Data Link
3. Network
4. Transport
5. Session
6. Presentation
7. Application.

Switch
Now, this is because hubs were dumb. They had no intelligence. As networks got
larger, hubs caused a lot of collisions and slowed down the network. To solve this
problem, something came along called a bridge, and this was used to separate
physical LANs or WANs into two logical networks, or connect two logical networks
together.
Now, switches are the evolution of hubs and bridges. Essentially, every single port
on a switch acts as if it was a bridged hub on each one. This means that it improves
the data transfer and security through the intelligent use of MAC addresses, being
able to figure out where a device is and only sending the information out that
particular port of the switch and ignoring the rest.

Now, switches are subject to three main types of attack:

1. MAC flooding
2. MAC spoofing
3. Physical Tampering

Routers
Now, routers are devices that make routing decisions and they do this by using IP
addresses. These layer three IP addresses are used to determine what network a
particular host is on and what path the traffic should take to go across the wide area
network until it reaches its destination network.

Network Zones
Most networks are segmented into at least three different zones:

1. LAN
2. WAN
3. DMZ.

Extranet
An extranet is a specialized type of DMZ that's created for your partner organizations
to access over a wide area network.

Intranet
An Intranet is something that allows you to expand your internal network within your
organization across multiple areas. This is usually done using VPN tunnels.

Jumpbox
Now, any kind of hosts you put in the DMZ should really be what we consider a
Bastion Host. This is a host or server that we put into the DMZ, which is not
configured with any services that run on the local network. So, I don't want to run
something like Active Directory inside the DMZ. That's an internal network service.
Instead, I only want to run things that should be on the Internet, things like email,
things like web, things like remote access.
Now when we want to configure our devices inside the DMZ, what are we going to
do?
Well, we're going to use something known as a jumpbox.
Now, a jumpbox is a hardened server that provides access to other hosts within the
DMZ.
And what ends up happening is the administrator will connect to the jumpbox, and
then the jumpbox will connect to the host in the DMZ. So, we call it a jumpbox because
we're almost pivoting off of it.

Network Access Control


Network Access Control or NAC is used to protect your network from both known
and unknown devices. With NAC, a device is scanned to determine its current state
of security prior to it being allowed access to your network. Now, NAC can be used
for computers that are within your internal network that are physically located in your
buildings and connected to it or it can be applied to devices that are connected into
your network remotely through a VPN.

VLANs
VLANs are implemented to segment our network, reduce collisions, organize our
networks, boost performance and increase security. Unfortunately, attackers have
created VLAN hopping which allows them to break out of our VLANs and access
other VLAN data, though.

Subnetting

Subnetting is the act of creating subnetworks logically through the manipulation of IP
addresses. So, if I take a large chunk of IPs, like a 256 block, I can break it down into
four blocks of 64 IPs, or eight blocks of 32 IPs, however you want to break it down in
your subnetting. Now, subnetting has some benefits to our network.

NAT

Network Address Translation or NAT is the process of changing an IP address while
it transits across a router. Now in Network+, we discussed how this was used
because we wanted to conserve public IP addresses because they were limited in
IPv4.

Class A is anything that starts with a 10, so [Link] all the way up through
[Link].

Now in class B, we have IP addresses that start with [Link] all the way up
through [Link], essentially, anything that starts with a 172.16 all the way up
through 172.31.

Class C is really easy to remember as well, and it's probably what you are using at
home. It's [Link] all the way up to [Link].

Telephony devices

Telephony is a term that's used for a device that provides voice communication to
your end users. Originally, telephony was used in networks to make connections with
the outside world such as through your modem. So, a modem was this old device
that we used to use that would allow us to modulate and demodulate digital
information into an analog signal that could transmit over a standard dial-up
connection.

War dialing
War dialing is simply when an attacker starts dialing random phone numbers to see if
any modems would answer on the other side. So, a lot of servers back in those days
would have dial-up modems so that remote technicians could dial into the server, gain
access, and make changes to do support.

PBX
PBX equipment is something you're going to find much more often in your
networks than you are going to find modems. PBX stands for Public
Branch Exchange. Essentially, this is the telephone system that runs all of the
internal phone lines for your company.

VoIP

VoIP is Voice over Internet Protocol. VoIP is much cheaper than the traditional PBX
system and it's a lot more secure and easier to run if you configure it properly. Some
organizations will actually run two different networks now. One for data and one for
the VoIP network.

Firewalls
1. software-based
2. hardware-based
3. embedded firewalls

Software-based firewalls are run as a piece of software on a host or a server. In fact,
if you're running a Windows server, those have a built-in Windows Firewall that you
can enable.

Hardware firewalls, on the other hand, are a standalone device that's actually an
appliance that's installed into your network. It looks like another switch or another
router that goes into your network stack.

Embedded firewalls work as a single function out of many on a single device. So, if
you have a small office, home office router or a unified threat management device,
these are examples of an embedded firewall.

Packet Filtering
Packet filtering is going to inspect each packet as it passes through the firewall, and
it'll accept it or reject it based on the rules that it's been given.

There are two types of packet filtering:

1. stateless
2. stateful.

With stateless packet filtering, it's simply going to accept or reject packets based on
the IP address and the port number that was requested. So, if I'm running a web
server and you requested to come in on port 80, I would allow that, but if you
requested to come in on port 53, I would deny it because it's not in my access control
list.

Now, a stateful packet filter, on the other hand, is going to keep track of requests that
leave through the firewall. So, if I make a request from a host through the firewall, it
will temporarily open up a port number that I made the request from, some random
high port number like 50,000 or 56,000. By using stateful packet inspection, you can
almost entirely eliminate IP spoofing as a threat because the firewall is going to
inspect the header of each packet being received. It's then going to compare that
against what it was expecting based on the request that recently went out, and then,
it's going to make its accept or reject decisions based on this additional information.
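
The contrast between the two filter types can be seen in a small simulation. This is an added example, not part of the original notes: the class names, the 30-second idle timeout, and the IP addresses (taken from documentation ranges) are assumptions, and the model tracks only addresses and ports, not TCP flags.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatelessFilter:
    """Judges every inbound packet alone, on destination address and port."""

    def __init__(self, rules):
        # Each rule is (dst_ip, lowest_port, highest_port, proto).
        self.rules = list(rules)

    def allow_inbound(self, pkt):
        return any(
            pkt.dst_ip == ip and lo <= pkt.dst_port <= hi and pkt.proto == proto
            for ip, lo, hi, proto in self.rules
        )


class StatefulFilter:
    """Static rules plus a table of replies expected for outbound requests."""

    def __init__(self, rules, idle_timeout=30):
        self.static = StatelessFilter(rules)
        self.idle_timeout = idle_timeout
        self.expected = {}  # reply 5-tuple -> time the flow was last seen

    def note_outbound(self, pkt, now):
        # The reply arrives with source and destination swapped.
        reply = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        self.expected[reply] = now

    def allow_inbound(self, pkt, now):
        if self.static.allow_inbound(pkt):
            return True
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        last_seen = self.expected.get(key)
        if last_seen is None:
            return False  # nobody inside asked for this traffic
        if now - last_seen > self.idle_timeout:
            del self.expected[key]  # the temporary opening has expired
            return False
        self.expected[key] = now
        return True


# Constructed addresses for the scenario.
WEB = "203.0.113.10"      # published web server
CLIENT = "203.0.113.25"   # inside workstation
REMOTE = "198.51.100.80"  # outside server the workstation contacts
OTHER = "198.51.100.99"   # unrelated outside host


def run_scenario():
    """Return {description: (stateless_verdict, stateful_verdict)}."""
    web_only = [(WEB, 80, 80, "tcp")]
    # A stateless filter can only admit replies by leaving high ports open.
    stateless = StatelessFilter(web_only + [(CLIENT, 1024, 65535, "tcp")])
    stateful = StatefulFilter(web_only, idle_timeout=30)

    # The workstation makes a request from high port 50000 at time 0.
    stateful.note_outbound(Packet(CLIENT, 50000, REMOTE, 443), now=0)

    inbound = {
        "web request to port 80": (Packet(OTHER, 40000, WEB, 80), 1),
        "request to port 53": (Packet(OTHER, 40000, WEB, 53), 1),
        "reply to the open request": (Packet(REMOTE, 443, CLIENT, 50000), 2),
        "unsolicited, other source": (Packet(OTHER, 443, CLIENT, 50000), 3),
        "unsolicited, other port": (Packet(REMOTE, 443, CLIENT, 50001), 3),
        "reply after idle timeout": (Packet(REMOTE, 443, CLIENT, 50000), 40),
    }
    return {
        name: (stateless.allow_inbound(pkt), stateful.allow_inbound(pkt, when))
        for name, (pkt, when) in inbound.items()
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:28} stateless={verdicts[0]!s:5} stateful={verdicts[1]}")
```

The last three rows are where the two filters disagree: the stateless filter admits anything aimed at an open high port, while the stateful filter admits only the reply it was expecting.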

NAT filtering
This is going to filter traffic according to the port, whether it's a TCP or UDP port.
This filtering can be done by simply checking the endpoint connections, by matching
the incoming traffic to the requesting IP, and by matching the incoming traffic to the
requesting IP address and port.

ALG

An ALG is going to apply security mechanisms to specific applications such as FTP or
Telnet. Now, instead of blocking traffic based on the Telnet port of port 23,
it's going to inspect each packet and determine which application it was meant for,
and if it finds out that it was meant for Telnet, it would block it because that was
unauthorized. This is a resource-intensive process, but it is a powerful layer of
security that can be added onto your network.

Circuit-level gateway
A circuit-level gateway works at the session layer of the OSI model and applies security mechanisms
when a TCP or a UDP connection is first established. Now, once that connection is
established, the packets can then be sent or received without any further inspection
or checks because all of that was done during the session establishment.

MAC filtering

When we use MAC filtering, this is going to filter out computers and prevent them from
accessing beyond the firewall based on their MAC addresses. This is used as part of
your local area network before it gets out into the routing and Layer 3 logical
addresses that go out beyond the network.

More recently, though, application firewalls have begun rising in popularity. These
application firewalls operate at Layer 7 of the OSI model, the application layer, and
this makes traffic control decisions based on the applications being used, things like
FTP, HTTP, Telnet, and others.

WAF
Now, one modern type of firewall you may come across is known as a web
application firewall, or WAF. A web application firewall is installed on a server in your
environment, and it provides traffic control in the data that's being sent to and from
your web applications. These are useful in helping to mitigate threats like cross-site
scripting and SQL injection attacks because these web application firewalls are
designed to specifically look for these types of threats and block them.

Proxy Server
There are four types of proxies in use today:

1. IP Proxy
2. Caching Proxy
3. Content Filter
4. Web Security Gateways.

IP Proxy
An IP Proxy is used to secure a network by keeping machines behind it anonymous.
When your work computer decides to connect to Dion Training through the proxy in
my example above, my server doesn't know which particular computer is actually
connected to it from your company's network. All I see is the proxy server itself. This
is because your proxy is using NAT to translate your request from your machine into
a request from the proxy.

Caching Proxies
Caching Proxies are used to attempt to serve client requests without actually
connecting to the remote server each time. Let's say that you went to my website at
[Link], and then your coworker, five minutes later, tried to go to
[Link], just like you did.

A PAC is a Proxy Auto-Configuration file. This file contains the settings needed for a host
to connect to the proxy server. Unfortunately though, these files are subject to
modification, and could be used to redirect the user to an attacker-controlled proxy
instead of your organization's. For this reason, it is better to disable the PAC files,
and manually configure your proxy settings on your host machines, or you can push
these out using a global policy object, or GPO update.

Internet Content Filter

These are used in large organizations as a way to prevent users from getting to stuff
that they don't want you to access at work. It can filter out all types of different
Internet activities, such as websites that aren't allowed to be accessed, email
services they don't want you to get to, or even instant messaging.

Web Security Gateway


And this type of proxy acts as a go-between for devices that will scan them for
viruses, filter out contents like ads, and then can act as a data loss prevention device
as well. This type of proxy is looking at what's being sent out of the network, and
what is coming back into the network to ensure that it aligns with your organization's
policies.

Honeypots and honeynets

Honeypots and honeynets are used to attract and trap potential attackers to
counteract any attempts at unauthorized access to your organization's network.

Now, a honeypot is generally a single computer, but it could also be a file, a group of
files, or an area of unused IP address space that might be considered attractive to a
would-be attacker.

A honeynet, on the other hand, is one or more computers, servers, or an area of the
network. And often, this is used when a single honeypot is not deemed to be
sufficient for your purposes.

Data loss prevention

Data loss prevention, or DLP systems, are designed to protect data by conducting
content inspection of your data as it's being sent out of your organization's network.
While data loss prevention is the most commonly used term, it's also referred to as
ILP for Information Leak Prevention, or EPS, Extrusion Prevention Systems. Usually,
these systems are installed as a network-based DLP or a Cloud-based DLP. For
example, my company happens to use a Cloud-based DLP through Google's G
Suite. Anytime one of our employees tries to send information outside of our own
domain through email, that email is flagged and they have to verify that they
understand the data is being sent outside of Dion Training.

NIPS & NIDS


Now, we've already spoken a little bit about intrusion detection and intrusion
prevention systems earlier on in this course. In this lesson, though, we're going to
focus on the differences between a network-based IDS and a network-based IPS.

A Network Intrusion Detection System, or a NIDS, is a type of IDS that attempts to
detect malicious network activities, for example, port scans and denial of service
attacks. Generally, your Network Intrusion Detection System will be placed into
what's known as promiscuous mode. This allows it to see all of the traffic that
crosses the network instead of just the traffic that's destined for its own MAC address.

A Network Intrusion Prevention System, or NIPS, on the other hand, is a type of IPS that's
designed to inspect traffic and based on its configuration or security policy, it can
also remove, detain, or redirect that malicious traffic.
That means a NIPS can not only detect it and log it like an IDS does, but it can also
stop that ongoing attack by blocking the IP address that's causing issues or shutting
down the connection.

Now, a NIPS or a NIDS may have a built-in protocol analyzer embedded into their
system. This is usually done to allow the device to decode application layer protocols
like HTTP, SMTP, FTP, Telnet, and others. And then, it passes that data that's
contained in those protocols, over to the signature engine of the NIDS or the NIPS
for further analysis. This allows the devices to create their own baseline of what
normal looks like for the network and also helps to identify what abnormal might be
for its behavioral or anomalous traffic detection functions.

UTM

The unified threat management or UTM system is a newer concept that was
introduced in the last five to 10 years. Basically, security professionals realized, as I'm
sure you're realizing now too, that relying on a single firewall is not enough to protect
our networks, and so a UTM was created. Now, a unified threat management system
is a combination of network security devices and technologies that are added to a
network to better protect it. Simply put, a UTM is a single device that combines many
other devices and technologies into it. For example, your UTM might include a
firewall, a network intrusion detection system, or a network intrusion prevention
system, a content filter or a proxy, an antivirus or anti-malware gateway, a data loss
prevention system, and maybe even a site-to-site VPN, if you have the need.
You may have also heard the term, Next Gen Firewall, or Next Generation
Firewall, also known as NGFW. If you've heard this term, it's because it's being
used in the industry instead of using the term UTM or unified threat management.
These are those all-in-one security devices and that's all a Next Generation Firewall
is.

Authentication

Authentication Models
These include context-aware authentication, Single Sign-On authentication, and
Federated Identity Management.

Context-Aware Authentication
The most common form of Context-aware authentication occurs by limiting the time
or the day that the user is able to log on to a particular client or server. Another
common use of this is to limit the geographic location that the user can log in from.
For example, if you're a small company in the United States and you don't have any
international employees, then you might be able to prevent any users from outside
the United States from logging into your systems.

Single Sign-On authentication


Due to the large number of resources and websites that the average person
accesses on a daily basis, many organizations are beginning to adopt an SSO
environment. When adopted, the organization establishes a default user profile for
each user, and then they link that profile to all of the different resources that that user
is going to have to access. Now, under this type of system, the user is able to have a
single long, strong password that they can memorize. This replaces the 30 or 40
different login credentials that the average user has. And since they only have to
memorize one, they can make it more complex and easier to learn. Additionally, if
you're using multi-factor authentication, like we talked about in the last lesson, you
now have a single strong dual factor or multi-factor authentication to use.

Federated Identity Management


The final model is called the Federated Identity Management or FIDM. Many
organizations are now grouping together to create these Federations. Each
organization that joins this Federation has agreed to a common set of standards and
policies for the use of identification. This allows a Federated Identity to be created for
that user. This identity can then be used across all of those different businesses that
are part of the Federation, as well as all their systems. These Federations support
the provisioning and management of identification, authentication, and authorization.
This can be done through two basic models, either Cross-Certification or Trusted
Third-Party. The Cross Certification model is going to utilize a web of trust between
these organizations. Now, that brings us to the second type, which is called a
Trusted Third-Party Model. This is also known as a bridge model. This allows
organizations to place their trust in a single third party. This third party, then,
manages the verification and certification for all of the organizations within the
Federation. This is more similar to the way a traditional certificate authority on the
Internet is going to work. In this model, it's quite efficient even with a large number of
organizations within the Federation, because everybody goes to that one trusted
person to get their verification done.

SAML/OpenID
Security Assertion Markup Language, or SAML, is an attestation model that's built on
top of XML, and it supports this federated identity management. SAML is used for
the authentication and authorization between different systems, especially over the
Internet using a Single Sign-On method. To perform this function, SAML is going to
use an attestation ticket that's provided to the user being authenticated. Another
possible solution that you might find is OpenID, which is an open standard
decentralized protocol to authenticate users. OpenID allows the user to log into an
identity provider and they can then utilize that same account across all of the
cooperating websites. These cooperating websites are known as RPs, or Relying
Parties. One of the largest and most well-known OpenID identity providers is actually
Google. Anytime you've gone to a website outside of Google, and you click that
Google login button, you're using an OpenID system, to have Google authenticate
you to that third-party website. OpenID is also much less difficult to implement than
SAML. But SAML does perform these functions a lot more efficiently than OpenID.
Which one you're using is really going to be up to you.

802.1x
802.1x is a standardized framework that's used for port-based authentication on both
wired and wireless networks. Now, since 802.1x is just the framework, it's actually
going to utilize other mechanisms to do the real authentication for us. For example,
both the Remote Authentication Dial-In User Service, known as RADIUS, and the
Terminal Access Controller Access Control System Plus, or TACACS+, can be
utilised to conduct the authentication, using the 802.1x protocol. There are three
roles that are required for an authentication to occur under 802.1x. The first is the
supplicant, which is the device or user that's requesting access to the network, such
as PC1 in this image. Then, there's an authenticator, which is the device through
which the supplicant is attempting to access the network. Normally, this is going to
be something like a switch, a wireless access point, or a VPN concentrator. Finally,
there's the authentication server, which is going to be the centralized device that
performs the authentication, which is usually going to be your RADIUS or your
TACACS+ server. Now, 802.1x is certainly something that should be considered in
your network architecture as it's considered one of the best protections that you can
add to your internal network connectivity to prevent rogue devices from gaining
access to your organization's devices and connections.

EAP
802.1x also allows for us to encapsulate the extensible authentication protocol, or
EAP, when we're using a wired or wireless connection. EAP is actually not a single
protocol by itself, but a framework in a series of protocols that allows for numerous
different mechanisms of authentication, including things like simple passwords,
digital certificates, and public key infrastructure.

EAP-MD5 is a variant of the EAP and it utilizes simple passwords and the challenge
handshake authentication process to provide remote access authentication. If you're
using this method, you have to ensure that you're using long, strong, and complex
passwords in order for you to maintain the security of your system. EAP-MD5 is a
one-way authentication process and it's not going to provide mutual authentication.

EAP-TLS is a form of EAP that's going to use public key infrastructure, with a digital
certificate being installed on both the client and the server, as the method of
authentication. This makes it immune to password-based attacks, since neither side
is going to use a password and instead, they're going to use digital certificates to
identify themselves. This is considered a form of mutual authentication between both
devices, the client, and the server, because each one is going to authenticate with
the other.

Another variant of this is called EAP-TTLS. This form is going to require a digital
certificate on the server, but not on the client. Instead, the client is going to use a
password for its authentication. This makes it more secure than the traditional
EAP-MD5, which just uses passwords, but it is less secure than the EAP-TLS
because that one removes the password vulnerability by using two digital certificates.

Now, EAP-FAST, or EAP flexible authentication via secure tunneling, is our fourth
variant of EAP. And this is going to use a protected access credential, instead of a
certificate, to establish that mutual authentication between devices.

The fifth and final type of EAP is called PEAP, or protected EAP. This variant also
supports mutual authentication by using server certificates and the Microsoft Active
Directory databases for it to authenticate a password from the client.

Now, in addition to all these cross platform variants of EAP, there's also a proprietary
protocol from Cisco, called LEAP, or the lightweight EAP. But, for you to be able to
use this in your organization, you have to be running a Cisco-based network and all
of your clients have to support it.

LDAP/Kerberos
LDAP is the lightweight directory access protocol. This is a database that's used to
centralize information about your clients and your objects on the network. LDAP is
essentially a simplified version of X.500, which is a directory service, and it contains
a hierarchical organization of the users, groups, servers, and systems inside your
network. LDAP communicates over port 389 when it's doing it unencrypted. And if
you decide to encrypt it using SSL or TLS, it's going to use port 636. Both of these
are ports you should know for the Security+ exam. Now, while LDAP is considered
cross platform, Microsoft created their own implementation of this, known as AD or
Active Directory. This is yet another example of a single sign-on system.

Now, Kerberos, on the other hand, is focused on authentication and authorization. This is
performed through our Kerberos ticketing system in a Windows domain. Kerberos is
an authentication protocol that provides for two-way or mutual authentication. When
a user logs on to the domain, they first contact the domain controller which acts as
the key distribution center, or KDC. This KDC has two basic functions, authentication
and ticket granting. So, if your client is authenticated properly, the KDC will issue
them a TGT, which is called a ticket-granting ticket. This ticket-granting ticket is then
provided to the domain controller anytime that user wants to access a resource. And
then the domain controller can provide that user with a service ticket or a session
key to use, whichever one's appropriate for their needs. These tickets are presented
to the resource and the access is then granted, because the resource always trusts
the domain controller's provided tickets. If your domain controller is running
Kerberos, it's going to have port 88 open so it can receive those inbound service
login requests from the clients. Now, because Kerberos relies on the domain
controller to serve as that key distribution center, this is a single point of failure in the
domain. If the domain controller is down, ticket-granting services are also shut down.
To prevent this, though, what most people will do is have a primary and a secondary
active domain controller. That will give you this form of redundancy to ensure
Kerberos is up and LDAP is still running.

Remote Desktop Services

RDP
RDP is a proprietary protocol that was developed by Microsoft to allow
administrators and users to remotely connect to another computer and have a
graphical user interface instead of the command line provided by tools like Secure
Shell and Terminal Services. This allows the user to operate the computer as if they
were simply sitting in front of a Windows Desktop. Now, remote desktop protocol
provides native encryption as part of the design, but it doesn't provide for
authentication. Therefore, you have to enable SSL or TLS for service authentication
and require some kind of a digital certificate for increased security when RDP is
being implemented within your network.

VNC
Virtual Network Computing, or VNC, is similar to RDP, but it's
platform-independent. Where RDP works on Windows machines, VNC works on
Linux, OSX, or Windows, making it cross platform and an easy way to get a
graphical user interface that you can remotely connect to. VNC becomes a great
solution for us to consider anytime you're using things that are just beyond the
Windows domain. In order to use VNC or Virtual Network Computing, you have to
have a VNC server set up on the machine that you want to access. You also have to
have a VNC client on the machine you're going to access it from and the VNC
protocol, known as the remote framebuffer, to communicate between the two. VNC
or Virtual Network Computing, normally, is going to operate over port 5900,
and it should only be used internal to your own network. For connections
outside of your enterprise network, it's much more secure to use VPN or an SSH
connection first and then, tunnel VNC over that secure connection.

Remote Access
When implementing remote access to your network, you have to carefully select the
method of network authentication. There are various options to choose from,
including:

● PAP, the Password Authentication Protocol
● CHAP, the Challenge Handshake Authentication Protocol
● EAP, the Extensible Authentication Protocol

PAP
The first remote access authentication that was widely used is known as PAP, the
Password Authentication Protocol. Now, PAP is a really old protocol and because of
that, it was never built with security in mind. In fact, when the username and
password were sent over the network during authentication, PAP didn't even
encrypt them. They were sent in plain text. This makes
PAP an insecure choice for any modern network and you simply shouldn't use it.

CHAP
After PAP came CHAP, the Challenge Handshake Authentication Protocol, which is
an evolution of PAP. This is going to solve the
problem of sending credentials over the network in clear text. Instead, they're going
to have the server send the client a string of random text called a challenge. This
random text is then encrypted by the client using their password and this text is then
sent back to the server. The server then decrypts that text using the user's stored
password and checks if it matches the original text that it sent in the
challenge. Using this method, the password is never sent across the network, which
keeps it safe. Now, CHAP was popular
for many years and Microsoft even created their own proprietary version called
MS-CHAP. MS-CHAP provides stronger encryption keys and mutual authentication,
so it was an improvement over standard CHAP.
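The challenge and response exchange described above, as an added example that is not part of the original notes. It follows the CHAP calculation in RFC 1994, where the "encryption" step is a one-way MD5 hash over the identifier, the shared secret and the challenge, and the server recomputes that hash instead of decrypting anything. The class and function names and the sample secret are assumptions.

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """Client side: RFC 1994 response = MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side. It must hold each secret in a recoverable form."""

    def __init__(self, secrets):
        self.secrets = secrets      # username -> shared secret (bytes)
        self.pending = {}           # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        """Issue a fresh random challenge tagged with a one-octet identifier."""
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        chal = os.urandom(16)
        self.pending[ident] = chal
        return ident, chal

    def verify(self, username, ident, response):
        """Recompute the hash from the stored secret and compare."""
        chal = self.pending.pop(ident, None)    # each challenge is valid once
        secret = self.secrets.get(username)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)


def run_exchange(server, username, password):
    """One full handshake; returns (result, bytes that crossed the network)."""
    ident, chal = server.challenge()                    # server -> client
    resp = chap_response(ident, password, chal)         # client -> server
    wire = bytes([ident]) + chal + username.encode() + resp
    return server.verify(username, ident, resp), wire


if __name__ == "__main__":
    # Constructed sample account.
    srv = ChapServer({"alice": b"correct horse battery staple"})
    ok, wire = run_exchange(srv, "alice", b"correct horse battery staple")
    print("good password:", ok, "| password on the wire:",
          b"correct horse battery staple" in wire)
    print("bad password:", run_exchange(srv, "alice", b"guess")[0])
```

Because the response is a plain hash of the secret and public values, anyone who records one exchange can test password guesses offline, which is why the password length matters as much here as it does for EAP-MD5.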

EAP
Now, while the CHAP and MS-CHAP were used widely for many, many years, both
of these have been overtaken by EAP, the Extensible Authentication Protocol, that
we discussed earlier in this section.

VPN
Virtual private networks, or VPNs, allow end users to create a tunnel over an
untrusted network like the Internet and remotely and securely connect back to our
enterprise networks. These VPN connections provide a layer of encryption around
that connection, creating this virtual and secure circuit between your end user's
device and the VPN concentrator that terminates that connection back inside our
enterprise networks. VPNs are commonly used by teleworkers and traveling
employees so that they can remotely access the corporate resources, things like our
intranets and our file servers.
VPNs rely on two different protocols when they're being operated. One is called the
point-to-point tunneling protocol and the other one is the layer two tunneling protocol.

Client-to-Site VPN
This type of VPN is what we call a remote access VPN or a client-to-site VPN,
because one person is connecting back to the larger site.

Site-to-Site VPN
Now, in addition to this, VPNs can also be used to connect two different sites
together. So, instead of having to purchase a dedicated leased line between two
offices, I can use the Internet as my transport path. For example, if a company has a
small satellite office in Washington DC and wants to connect it back to their
headquarters out in San Francisco, it could be less expensive to implement a
site-to-site VPN instead of having to purchase a dedicated leased line that goes that
3,000 miles between those two cities. Now, when you're creating a site-to-site VPN
connection, routers on both sides are going to be configured with an encryption key
and this key's going to be used to encrypt all of the traffic between the sites to keep it
safe from prying eyes and confidential as it goes over that untrusted and dirty
Internet between the two locations.

VPN concentrator
For your organisation to allow VPN connections, though, you have to have a server
sitting there and answering all of those requests for connection. If you don't want to
have a dedicated server to do that, you can, instead, buy a hardware device known
as a VPN concentrator. Now, a VPN concentrator can allow hundreds of
simultaneous VPN connections from all of your remote workers to easily connect
back into your company's intranet, and this frees up your server.

Split Tunnelling
One area of concern we have with VPNs is how we ensure that clients aren't
using split tunnelling. With split tunnelling, a remote worker's device uses its own
Internet connection for web requests, but uses your VPN connection for all of its
intranet requests, like file server requests. Now, this is efficient from a bandwidth
perspective, because they don't have to send all of their requests over the VPN to
your company and then out to the Internet and then back to the company and then
back over the VPN to get to them. But by allowing split tunnelling, you are allowing a
security risk to occur. This is because your company's network now has an alternate
path to the Internet: traffic can go from your file servers out to the remote worker's
laptop and then out to the Internet, bypassing a lot of your network perimeter defences.

RADIUS/TACACS+

RADIUS
RADIUS is the Remote Authentication Dial-In User Service. It provides centralised
administration of dial-up, VPN, and wireless authentication so that you can use that
with both 802.1x and the Extensible Authentication Protocol, or EAP. RADIUS is a
client/server protocol that runs over the seventh layer of the OSI model, the
application layer. RADIUS is usually configured to be run on a separate server, but it
can also be loaded up on a Windows server in smaller domain environments.
RADIUS is used to authenticate users, authorise them to services, and account for
their usage of those services. This is the typical AAA that we spoke about all the way
back in section one of the course, Authentication, Authorization, and Accounting.
RADIUS also utilises UDP for making its connections, making it fairly fast during its
authentication to authorization functions. RADIUS commonly uses port 1812 for its
authentication messages and port 1813 for its accounting messages. Some
proprietary versions of RADIUS may also use ports 1645 and 1646, instead. Now,
exam tip here, I would have these ports memorised as part of the things you need to
know before test day because you may see some test questions on them.

TACACS+
Now, while RADIUS is a cross-platform standard, there is a proprietary protocol from
Cisco called TACACS+ that we've mentioned before. This is the Terminal Access
Controller Access Control System Plus which can perform the role of an
authenticator in an 802.1x network. Now, it's up to you to determine which one is
best for your organisation's needs. Personally, I've used RADIUS almost exclusively
within my organisations. I've found that TACACS+ is a little bit slower to operate
because it's relying on TCP instead of UDP, and operates over port 49. But
TACACS+ does have some benefits. It gives you some additional security and
independently conducts its authentication, authorization, and accounting processes.
TACACS+ supports all network protocols. But RADIUS, on the other hand, doesn't
support the remote access protocol, NetBIOS Frame protocol, X.25 PAD
connections, and some others.

Summary

802.1x
First, 802.1x is an IEEE standard that defines Port-Based Network Access Control or
PNAC. 802.1x is a data link layer authentication technology that's used to connect
devices to a wired or wireless LAN. Also, it defines the EAP protocol.

LDAP
Second, LDAP is the lightweight directory access protocol. It's an application layer
protocol for accessing and modifying directory services data. Microsoft's Active
Directory uses LDAP.

Kerberos
Third, Kerberos is an authentication protocol that's used in Windows to identify
clients to a server using mutual authentication. In Windows, this is implemented
through a series of tickets.

Remote Access Service


Fourth, Remote Access Services or RAS is a service that enables dial-up and VPN
connections to occur from remote clients.

CHAP
Next, the Challenge Handshake Authentication Protocol or CHAP is an authentication scheme that's
used for standard dial-up connections.

RADIUS
Next, RADIUS is a centralised administration system for dial-up, VPN, and wireless
authentication. It's going to use 1812 and 1813 or ports 1645 and 1646 using UDP
for its transport mechanism. RADIUS is used with 802.1x and EAP.

TACACS+
Finally, TACACS+. TACACS+ is a Cisco-proprietary remote authentication system
that provides separate authentication and authorization functions using port 49 over
a TCP connection. TACACS+ is similar to RADIUS, but it is not considered
cross-platform.

Authentication Attacks
● Spoofing
● Man-in-the-middle
● Password spraying
● Credential stuffing
● Broken authentication

Spoofing
Now, when we talk about spoofing, this is a software-based attack where the goal is
to assume the identity of a user, a process, an address, or other unique identifier.
Spoofing is used a lot to try to bypass authentication and be able to present yourself
as if you're somebody else.

Man-in-the-middle
Now, one of the things attackers love to try is the man-in-the-middle attack. Now, a
man-in-the-middle attack, or MitM, is an attack where the attacker is going to sit
between two communicating hosts and transparently captures, monitors, and relays
the communications between those hosts. Now, we've talked about a
man-in-the-middle before, but essentially, if you're on a wireless network, somebody
could be sniffing the air, capturing those packets, and then being a
man-in-the-middle. They can capture what's being said. Now, they put themselves
directly in the middle of the communication, you might be connecting to them, and
they would be connecting to the server and they're listening to everything you say.

Now, a variation on this is what's known as a man-in-the-browser, or MitB.
This is an attack that intercepts the API calls between the browser process and its
DLLs. And so, if you're attacking the network or between two clients or a client and
the server, you're a man-in-the-middle. If you're using the browser to do it, you're a
man-in-the-browser.

Password spraying
This is a brute force type of attack in which multiple user accounts are tested with a
dictionary of common passwords.
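How that pattern looks from the defender's side, as an added example that is not part of the original notes: failed logins from one source spread thinly across many accounts, in contrast to many failures against a single account. The log format, the thresholds and the verdict names are assumptions, and the log lines are constructed (documentation IP ranges).

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: timestamp, result, user, source address.
LOG = """\
2024-05-01T09:00:00 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:30 FAIL user=bob src=203.0.113.7
2024-05-01T09:01:00 FAIL user=carol src=203.0.113.7
2024-05-01T09:01:30 FAIL user=dave src=203.0.113.7
2024-05-01T09:02:00 FAIL user=erin src=203.0.113.7
2024-05-01T09:02:30 OK user=frank src=203.0.113.7
2024-05-01T09:05:00 FAIL user=admin src=198.51.100.23
2024-05-01T09:05:01 FAIL user=admin src=198.51.100.23
2024-05-01T09:05:02 FAIL user=admin src=198.51.100.23
2024-05-01T09:05:03 FAIL user=admin src=198.51.100.23
2024-05-01T09:05:04 FAIL user=admin src=198.51.100.23
2024-05-01T09:05:05 FAIL user=admin src=198.51.100.23
2024-05-01T09:10:00 FAIL user=alice src=192.0.2.50
2024-05-01T09:10:20 FAIL user=alice src=192.0.2.50
2024-05-01T09:10:45 OK user=alice src=192.0.2.50
"""


def parse(line):
    """Split one log line into (timestamp, result, user, source)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.partition("=")[2], src_kv.partition("=")[2])


def classify(log_text, window=timedelta(minutes=10),
             min_users=5, max_per_user=2, brute_min=5):
    """Return {source: (verdict, accounts that logged in from that source)}."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, result, user, src = parse(line)
            by_src[src].append((ts, result, user))

    report = {}
    for src, events in by_src.items():
        events.sort()
        fails = [(ts, user) for ts, result, user in events if result == "FAIL"]
        verdict, start = "normal", 0
        for end in range(len(fails)):
            # Slide the window so it covers at most `window` of failures.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in fails[start:end + 1])
            # Spraying: many accounts, only a guess or two against each.
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                verdict = "password_spraying"
                break
            # Classic brute force: many guesses against one account.
            if max(per_user.values()) >= brute_min:
                verdict = "single_account_brute_force"
                break
        # A success from a flagged source marks an account to review and reset.
        logged_in = []
        if verdict != "normal":
            logged_in = sorted({u for _, r, u in events if r == "OK"})
        report[src] = (verdict, logged_in)
    return report


if __name__ == "__main__":
    for src, (verdict, accounts) in classify(LOG).items():
        print(src, verdict, accounts)
```

A per-account lockout counter never fires on the first source, since no single account sees more than one failure; grouping by source is what exposes it.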

Credential stuffing
Now, credential stuffing is another type of brute-force attack. In this one, they're
going to try and take stolen user account names and passwords and test them
against multiple websites. So, let's say there was a news story and there was a new
data breach that happened and Facebook got hacked. And now, all of Facebook's
usernames and passwords are known. So, everybody knows what the usernames
are, which are emails and the passwords.

Broken authentication
Broken authentication is a software vulnerability where the authentication
mechanisms allow the attacker to gain entry. Essentially, the coders did a really bad
job. Now, when this happens, you can have bad things happen like displaying clear
text credentials, using weak session tokens, or permitting brute-force login requests.

Security Applications and Devices

Software Firewalls

Personal Firewalls

These are software-based applications that protect just a single computer or server
from unwanted Internet traffic. Now, these are also referred to as host-based
firewalls. These firewalls work by applying a set of rules and policies against traffic
that's attempting to come into or go out of our protected computer.

Windows firewall
One is a basic version that's found within your control panel, and then there's a more
advanced version called the Windows firewall with advanced security. This advanced
firewall can be accessed by typing [Link] at the command prompt. The basic
firewall is useful for most home users, while the more advanced version is
well-suited for businesses and systems where more in-depth configuration of your
inbound and outbound traffic is required.

OSX - PF and IPFW firewalls

A basic version of the firewall is accessed through the system preference panel
under the security and privacy panel. In addition to the graphic user interface-based
firewall, there's also a command line version. This version is called PF for packet
filter. It's available in OSX 10.10 and higher operating systems. Packet filter is the
name because it's essentially what a firewall is designed to do. It filters packets. In
older versions of OSX, there was a different command line firewall used called IPFW,
which stood for Internet protocol firewall, but that program was replaced by PF for
most modern versions of the OSX operating system. Both PF and IPFW are also
used in the FreeBSD operating system, which is what OSX is actually based on.

Linux - iptables
In Linux systems, this program is called iptables and can be configured from the
command line using different accept and reject rules based upon the type of network
traffic that's expected and the port being utilized for that communication.

IDS

Host-based Intrusion Detection System (HIDS)


This usually takes the form of a piece of software that's installed on your computer or
on a server and it will protect it. Now, the host-based Intrusion Detection System will
sit there and log everything that it thinks is suspicious.

Network-based Intrusion Detection System (NIDS)


This is a piece of hardware that's installed on your network. And all the traffic goes
through that switch, and then it will get a copy of that sent down to the Network
Intrusion Detection System. If it's suspicious, it'll log it and it'll alert on it.

Alert Types

1. signature-based
2. policy-based
3. anomaly-based detection

Data loss prevention


Data loss prevention is set up to monitor the data of a system while it's in use, in
transit, or at rest. These systems come as either software or hardware solutions.

Endpoint DLP system
An endpoint system is usually a piece of software that's installed on a workstation or
a laptop, and it's going to monitor the data that's in use on that computer. And if
someone tries to do a file transfer, it'll either stop that file transfer, or it'll alert the
admin of the occurrence based on certain rules and policies. Very much like an IDS
or an IPS would, but focused on data. DLPs can be set to detection mode or
prevention mode.

Network DLP system


This is a piece of software or hardware that's a solution placed at the perimeter of
your network. Its sole function in life is to check all of the data going into and out of
your network, with a special focus on things going out of the network. They want to
detect data in transit that shouldn't be leaving the building.

Storage DLP
This is software that's installed on a server in the data center and inspects the data
while it's at rest on the server. This is usually because they've encrypted it or
watermarked it, and we want to make sure that nobody's accessing the data at times
that they shouldn't be.

Cloud-based DLP system


These systems are usually offered as software-as-a-service, and it's part of your
cloud service and storage needs. They're going to protect your data when it's stored
inside those cloud services.

BIOS
BIOS is a type of firmware which is software on a chip.

The BIOS stands for the basic input output system. It's firmware that provides the
computer's instructions for how it's going to accept input and send output. So,
anytime the motherboard is going to talk to a keyboard, a mouse, a network card, a
hard drive, a video card, whatever it is, it has to have instructions on how to do that.
That's what the BIOS provides.

Now, most modern computers don't have a traditional or legacy BIOS anymore.
Instead, they use UEFI, known as the Unified Extensible Firmware
Interface, but it's essentially the same thing. It's just more of an updated and robust
version of it.

Flashing the BIOS


Flashing the BIOS is simply ensuring that it has the most up-to-date software on that
chip. Because it's firmware, you have to do a process called flashing the BIOS to
upgrade the BIOS.

BIOS password
This'll prevent anyone from being able to log into the BIOS and change the boot
order or other settings without having this administrative password.

BIOS’ boot order


As you can see here on the screen, I've deselected the disk drive, the CD drive, and
the USB drive. I only want to be able to boot from the internal hard disk and then
from the network card. This helps me protect against somebody putting in a bootable
distribution of a Linux CD or something like that and taking control of my computer. If
I control the boot order, I control what's loaded.

Disable any external ports and devices


For example, do you still use a parallel port? Most people don't, and so you should
disable it. The same thing happens with a serial port. No one really uses them
anymore. We use USB, so you can disable it. You might have an onboard network
card that you don't use. Whatever you're not using, you should always disable. It's
one less thing for somebody to use as part of their attack.

Secure boot
When you enable the secure boot option, your computer is going to go through
additional processes as it boots up. When the BIOS or the UEFI is loaded, it's going
to go through and load the public key from the trusted platform module chip, known
as the TPM, that's sitting inside your processor. It's going to use this to verify the
code of the operating system that's being loaded and ensure that it's been digitally
signed by the manufacturer and that it hasn't been modified since.

Securing Storage Devices

● USB thumb stick that already has hardware encryption built in
● removable media controls
○ Ex: technical controls inside your group policies
● administrative controls
○ policies
● NAS - Network Attached Storage device
○ These storage devices connect directly into your organization's network
○ NAS systems are going to implement some form of a RAID array that
gives you high availability
● Storage Area Network or a SAN
○ A SAN is a network designed specifically to perform block storage
functions and it may consist of many NAS devices connected together

Disk Encryption

Two types of encryption:


● hardware-based
● software-based

Hardware-based Encryption

ex: self-encrypting drive. It looks like an external hard drive and it has embedded
hardware that performs full disk or whole disk encryption. These are very fast,
unfortunately, they're also very expensive, so they're not commonly used.

Software-based Encryption
● Mac. On a Mac, we have a system called FileVault where we can turn on
whole disk encryption with a single click. This is located under your system
preferences and under the security tab.
● Windows. On Windows, we use a system called BitLocker. BitLocker, again,
is very easy to turn on. If I want to encrypt my D drive I simply right-click it,
turn on BitLocker, and then I'll be able to encrypt the entire drive with a single
click.
With BitLocker specifically, you're actually going to be using a hardware key that
resides on your motherboard. It's called the Trusted Platform Module, or
TPM.

This TPM chip resides on the motherboard and it contains the encryption key
inside of it.

Both BitLocker and FileVault use the same type of encryption. They use Advanced
Encryption Standard, also known as AES. AES is a symmetric key encryption that
supports 128-bit and 256-bit keys and is considered unbreakable as of the time of
this recording.

Drawbacks
Encryption adds additional security for us, but it comes with a lower performance for
your system. If I'm doing whole disk encryption, that means before I can even boot
up the computer and read things from that drive, I have to decrypt it, and that takes
time and processing. So, you have to remember there is a sacrifice in speed and
performance when you're using full disk encryption. Because of this performance hit,
some people decide not to use full disk encryption. Instead, they rely on file-level
encryption. In Windows, we use a system called EFS or the Encrypting File System.

Counter
But going back to our security performance issue, there is a way that we can speed
up encryption. We can use hardware-based encryption. It's much faster than using
software-based encryption because we have dedicated hardware to do the
processing for us. One of the ways we do that is using a hardware security module,
or HSM.

An HSM is a physical device that acts as a secure cryptoprocessor during the
encryption process or during digital signing, which is also an encryption process.
HSMs come in many forms, but most commonly you'll see them as an adapter card
that plugs in through a USB or a network-attached device.

Endpoint Analysis
An endpoint is simply any device that we may use to connect to our network. Now,
for example, your desktop or your laptop at the office, that's considered an endpoint,
so is your smartphone or your tablet. As a cybersecurity analyst, you must be able to
use tools to identify behavioral anomalies and then identify the techniques used by
malware to achieve privilege escalation and persistence on your host.

Now, there are lots of different endpoint protection tools out there. These are:

● antivirus (AV)
● host intrusion detection systems (IDS)
● host intrusion prevention systems (IPS)
● endpoint protection platforms (EPP)
● endpoint detection response platforms (EDR)
● user and entity behavioral analytics (UEBA)

AV

Antivirus is software that's capable of detecting and removing virus infections and,
in most cases, other types of malware, such as worms, Trojans, rootkits, adware,
spyware, password crackers, network mappers, denial of service tools, and others.
Often, you'll hear this called antivirus or anti-malware.

Host-based IDS and IPS - HIDS or HIPS

This is a type of IDS or IPS that monitors a computer system for unexpected
behavior and drastic changes to the system state on a given endpoint. Now, most of
these are going to use signature-based detection using log or file monitoring systems
to figure out if something bad is trying to happen to your endpoint. They may use file
system integrity monitoring too to see if your operating system files have been
changed, or drivers have been changed, or an application has been changed. All of
these things are things that a host-based intrusion detection system or intrusion
prevention system can help you with that a network-based intrusion detection or
intrusion prevention system really can't see.
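
File integrity monitoring as described above comes down to hashing files into a baseline and comparing later snapshots against it. The sketch below is an added example, not part of the original notes; the file names and the changes made in demo() are constructed.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Return {relative_path: sha256} for every regular file under root."""
    state = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full_path = os.path.join(dirpath, name)
            if os.path.isfile(full_path):
                relative = os.path.relpath(full_path, root).replace(os.sep, "/")
                state[relative] = sha256_file(full_path)
    return state


def compare(baseline, current):
    """Report files added, removed or modified since the baseline was taken."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def write_file(root, relative, data):
    path = os.path.join(root, *relative.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Constructed scenario: a driver is altered, a file is dropped, a log is deleted."""
    with tempfile.TemporaryDirectory() as root:
        write_file(root, "drivers/net.sys", b"original driver")
        write_file(root, "app/app.exe", b"application v1")
        write_file(root, "logs/audit.log", b"audit entries")
        baseline = snapshot(root)  # taken while the host is in a known-good state

        write_file(root, "drivers/net.sys", b"patched driver")   # modified
        write_file(root, "drivers/dropped.dll", b"new library")  # added
        os.remove(os.path.join(root, "logs", "audit.log"))       # removed
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for change, paths in demo().items():
        print(change, paths)
```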

EPP
This is a software agent and monitoring system that performs multiple security tasks.
They can do things like antivirus. They can do host intrusion detection or prevention
systems. It can have a firewall. It can have data loss prevention, or DLP, and it can
have file encryption, all of this in a single product. Essentially, it's your Swiss army
knife of security tools. We call this an EPP. Now, there are a lot of EPPs on the
market and every year, there's a thing called the Magic Quadrant that's put out by
Gartner. Gartner goes and rates all the different systems to see who's the best,
which ones are the leaders, who are the challengers, who of them are niche players,
and who of them are visionaries. The top three are Microsoft, CrowdStrike, and
Symantec.

EDR

Now, where EPP is mostly based on signature detection, EDR is focused more on
behavioral and anomaly analysis. It starts logging the endpoint's observables and
indicators and combines that with analysis and tries to figure out what's wrong. So,
this is a software agent that's going to collect system data and logs for analysis by
monitoring the system to provide early detection of threats. Now, because of that, the
aim of EDR is not to prevent an initial execution, but instead, to provide runtime and
historical visibility into a compromise, and once you've been detected, it can start
responding to that and it helps you as an incident responder to gather more
information and facilitate your remediation to get it back to its original state.

UEBA

This is a system that can provide automated identification of suspicious activity by
user accounts and computer hosts. Now, this solution is less about endpoint data
collection and more about the actual process of analyzing the data you're getting.
The idea here is to have a baseline of good knowledge, and then we're going to
compare anything that goes outside that baseline and start thinking that might be
suspicious and look into it further. Now, a lot of UEBA is focused on the analytics and
because of that, there's a lot of data that has to be processed. So, UEBA solutions
are heavily dependent on advanced computing techniques, things like artificial
intelligence and machine learning. There are a lot of different players out there in
the marketplace that are doing UEBA. Two of the big ones out there right now are
Microsoft and Splunk. Microsoft has the Microsoft Advanced Threat Analytics.
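
The baseline-and-compare idea behind UEBA can be shown with a small per-account profile. This is an added example, not code from any UEBA product or from the original notes; the accounts, hosts, volumes and the three-sigma threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "known good" history: (user, hour_of_day, source_host, mb_transferred)
BASELINE_EVENTS = [
    ("alice", 9, "ws-014", 120), ("alice", 10, "ws-014", 95),
    ("alice", 14, "ws-014", 140), ("alice", 16, "ws-014", 110),
    ("alice", 11, "vpn-gw", 105),
    ("bob", 22, "ws-031", 30), ("bob", 23, "ws-031", 25),
    ("bob", 1, "ws-031", 40), ("bob", 2, "ws-031", 35),
]


def build_baseline(events):
    """Summarise each account's usual hours, hosts and transfer volume."""
    grouped = defaultdict(list)
    for user, hour, host, mb in events:
        grouped[user].append((hour, host, mb))
    profiles = {}
    for user, rows in grouped.items():
        volumes = [mb for _hour, _host, mb in rows]
        profiles[user] = {
            "hours": {hour for hour, _host, _mb in rows},
            "hosts": {host for _hour, host, _mb in rows},
            "mean_mb": mean(volumes),
            "std_mb": pstdev(volumes),
        }
    return profiles


def score_event(profiles, event, sigma=3.0, hour_slack=1):
    """Return the reasons an event falls outside the account's baseline."""
    user, hour, host, mb = event
    profile = profiles.get(user)
    if profile is None:
        return ["no baseline for this account"]
    reasons = []
    # Circular distance, so 23:00 and 00:00 count as one hour apart.
    nearest = min(min((hour - h) % 24, (h - hour) % 24) for h in profile["hours"])
    if nearest > hour_slack:
        reasons.append("activity outside usual hours")
    if host not in profile["hosts"]:
        reasons.append("first use of this host")
    if mb > profile["mean_mb"] + sigma * profile["std_mb"]:
        reasons.append("transfer volume above baseline")
    return reasons


if __name__ == "__main__":
    profiles = build_baseline(BASELINE_EVENTS)
    for event in [("alice", 15, "ws-014", 130), ("alice", 3, "srv-db-02", 4200)]:
        print(event, score_event(profiles, event) or "within baseline")
```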

What’s next

Many companies are starting to market advanced threat protection (ATP),
advanced endpoint protection (AEP), and NextGen AV, which is NGAV, and all of
this just becomes essentially a hybrid of the different technologies we talked about
before, like the endpoint protection platform, the endpoint detection response, or the
user and entity behavior analytics.

Risk Assessments
Risk is, at its core, the probability that a threat will be realised. Risk is a continual
balancing act of vulnerability versus threat. In future lessons, we're going to discuss
how we balance these against each other in order to manage risk well. Now, as
cybersecurity professionals, our job is to minimise vulnerabilities.

Vulnerabilities are any weakness in the design or implementation of a system.


We're given control over vulnerabilities because they come from internal factors such
as software bugs, misconfigured software, improperly protected network devices,
lacking physical security, or other such issues. Vulnerabilities are within our control,
or at least within our organisation's control. Whether we choose to address those
vulnerabilities, though, is a decision in risk management.

This is because a threat is any condition that can cause harm, loss, damage, or
compromise to our information technology systems. These threats come from
external sources, such as natural disasters, cyber attackers, data integrity breaches,
disclosure of our confidential information, and numerous other issues that arise
during our daily operations. Remember, threats are external to you and you can't
control them, you can only mitigate them. If somebody wants to attack you, they are
the threat. You can't control whether or not they're going to attack you, right? You
can only try to minimise your vulnerabilities so that their attack won't be successful.
Vulnerabilities are completely within your control, threats are not.

Risk Avoidance
The first one is risk avoidance. This is a strategy that requires stopping the activity
that has the risk or choosing a less risky alternative.

Risk Transfer
Now, the second thing we could do is we could transfer the risk. Risk transfer is a
strategy that passes the risk to a third party, most commonly to an insurance
company. A good example of this would be if your organisation is worried about the
risk of your offices being destroyed by floods. If this is a concern for you, you could
purchase an insurance policy to transfer the risk of losing all of your computers and
all of your assets to another third party, the insurance company.

Risk Mitigation
Risk mitigation is a strategy that seeks to minimise the risk to an acceptable level,
where the organization can then accept the remaining risk. For example, if you're
running a server that's been identified to have five critical vulnerabilities, two high
vulnerabilities, four medium, and 17 low vulnerabilities, you can then decide which
ones you're going to deal with first.

Risk Acceptance
With risk acceptance, we're seeking to accept the current level of risk and the costs
that are associated with it, if that risk was realized. Generally, this would be a proper
strategy if the asset is a very low cost item, or the impact to the organization overall
would be rather low.

Residual Risk
Now, even if we avoid the risk, transfer the risk, or mitigate the risk, there may still be
some amount of risk left over. This is known as residual risk. Residual risk is simply
the risk that's left over after you've tried avoiding, transferring, and mitigating the risk.
It's uncommon that there is no residual risk left over because risk simply exists in
every single thing that we do.

Qualitative Risk
Qualitative risk analysis uses intuition, experience, and other best practices to assign
relative values to a given risk. These values could be low, medium, high, and critical.
Or you can use any other designated categorization system that you want. You can
even use numbers. But numbers aren't really an exact measure in this case. For
example, if I asked you to score this lesson, you can give it a one through a five star
rating. This isn't a mathematical analysis, it's just a number that's representing your
opinion, with five being great and one being horrible. Therefore, it's qualitative in
nature, not quantitative in nature. The best practices here include techniques to
measure risk such as brainstorming sessions, focus groups, surveys, interviews, and
estimating the likelihood of events.

Quantitative Risk
Now, we’re going to look at the other side of the equation, quantitative risk analysis,
which heavily relies on numbers and monetary values for all parts of the risk
analysis. This includes numerically assigning values to the value of the assets, the
threat frequency, the severity of the vulnerabilities, and the impact of the realization
of a given threat. Now, with quantitative risk analysis, this is going to remove much of
the estimation and guesswork from a risk assessment because it's going to turn this
into a large math problem instead. Equations are used to determine the total and
residual risk, as well as provide you with a cost directly associated with those risks.
This is going to allow us to have a numerical method to represent the magnitude of
the impact of a risk. The magnitude of impact is an estimation of the amount of
damage that a negative risk might achieve. This is also known as a risk impact, and
it can be measured financially using quantitative methods or qualitative methods.

The three most common calculations used in determining the magnitude of an
impact in a quantitative risk analysis are the Single Loss Expectancy, or SLE, the
Annualized Rate of Occurrence, or ARO, and the Annualized Loss Expectancy or
ALE.

Single Loss Expectancy


Single Loss Expectancy is the cost associated with the realization of each
individualized threat that occurs. It's calculated by multiplying the asset's value times
an exposure factor. Now, the exposure factor is simply the amount of the asset that's
going to be lost if the threat is realized.

Annualized Rate of Occurrence


ARO is calculated simply by determining how many times per year a threat is going
to be realized.

Annualized Loss Expectancy


Now, the Annual Loss Expectancy, on the other hand, is the expected cost of a
realized threat over a given year. This is calculated by multiplying the Single Loss
Expectancy times the Annual Rate of Occurrence.
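
The three calculations above, applied to a small risk register and to the residual risk left after a control. This is an added example, not part of the original notes; the assets, values and control cost are constructed, and the net-benefit comparison goes one step beyond the formulas the notes give.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: monetary value of the asset
    exposure_factor: float  # EF: fraction of the asset lost per event (0.0 to 1.0)
    aro: float              # ARO: expected events per year (0.05 = once in 20 years)

    def __post_init__(self):
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor is a fraction between 0 and 1")

    @property
    def sle(self):
        """Single Loss Expectancy = asset value x exposure factor."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self):
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


def rank_by_ale(risks):
    """Order the register so the largest expected yearly loss comes first."""
    return sorted(risks, key=lambda risk: risk.ale, reverse=True)


def apply_control(risk, exposure_factor=None, aro=None):
    """Return the residual risk after a control lowers the EF and/or the ARO."""
    return replace(
        risk,
        exposure_factor=risk.exposure_factor if exposure_factor is None else exposure_factor,
        aro=risk.aro if aro is None else aro,
    )


def control_net_benefit(before, after, annual_cost):
    """ALE reduction minus the control's yearly cost; negative means it costs more than it saves."""
    return before.ale - after.ale - annual_cost


# Constructed register for illustration only.
REGISTER = [
    Risk("office flood", 1_000_000, 0.50, 0.05),
    Risk("laptop theft", 2_000, 1.00, 12),
    Risk("ransomware on file server", 400_000, 0.25, 0.5),
]

if __name__ == "__main__":
    for risk in rank_by_ale(REGISTER):
        print(f"{risk.name:28} SLE={risk.sle:>10,.0f} ARO={risk.aro:<5} ALE={risk.ale:>10,.0f}")
    ransomware = REGISTER[2]
    with_backups = apply_control(ransomware, exposure_factor=0.05)  # assumed effect of backups
    print("residual ALE:", round(with_backups.ale))
    print("net benefit :", round(control_net_benefit(ransomware, with_backups, 15_000)))
```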

Methodologies
Well, there are many different types of security assessments that are used by an
organization to protect their enterprise networks.
And these security assessments verify that the organization's security posture is
designed and configured properly to help thwart all those different types of attacks
and threats that are out there.
These security assessments include vulnerability assessments, penetration testing,
internal and external audits, self-assessments, password analysis, and many other
types.

Now, there are two main types of methodologies that are used in these
assessments. There's active and passive.

Active
Active assessments utilize a more intrusive technique, more things like scanning and
hands-on testing, and probing your network to determine what vulnerabilities might
exist. This can actually result in your networks or servers being forced offline if you're
too aggressive in your active scans.

Passive
Now, a passive assessment, on the other hand, utilizes open source information, the
passive collection and analysis of network data, and other unobtrusive methods
without ever making direct contact with the targeted network or systems.

Security Controls
Now, security controls are first broken down into three types, physical, technical, and
administrative.

Physical
Physical controls are security measures that are designed to deter or prevent
unauthorized access to sensitive information or the systems that contain it, by
preventing physical access. So, when we discussed physical security earlier in this
course, we were focused on a lot of physical controls like fences and door locks and
alarm systems and security guards, all of these things are focused on protecting the
physical computers, servers, and networks from being accessed by people outside
our organization.

Technical
Our second type of security control is called the technical control. Technical controls
are safeguards and countermeasures. They're used to avoid, detect, counteract, and
minimize our security risks to our systems and information. So, when we talk about
using passwords and access controllers, and encryption for our hard drives, and
multi-factor authentication, we're really talking about technical controls here.

Administrative
The third type of security control is called an administrative control. Administrative
controls are focused on changing the behaviour of people instead of removing the
actual risk involved. So, if I create a policy or procedure that states that every
employee has to lock their computer whenever they're going to be away from their
desk, this is an administrative control.

Now, the National Institute of Standards and Technology or NIST, actually has three
other categories that we organize Security Controls in, as well. These are
management controls, operational controls, and technical controls.

Management Controls
Management controls are security controls that are focused on decision-making and
the management of risk. This usually includes things like policies, procedures, legal
compliance, software development methodologies that you choose, setting up a
good vulnerability management program, and other things like that. Management
controls are all about how your system's security is going to be managed and
overseen.

Operational Controls
Now, operational controls are focused on things that are done by people. With
operational controls, I'm trying to increase the security of the system by controlling
the actions of the individuals and the groups who use it. This includes user training,
configuration management, testing our disaster recovery plans, and conducting
incident handling. These controls are performed by technical people in order to carry
out the overall direction that was provided by management controls.

Technical Controls
The third category NIST uses is called technical controls. These are logical controls
that are put into a system to help secure it. This is things like AAA, the
authentication, authorization, and accounting, access control, encryption technology,
passwords, and configuring your security devices. Anything that is technical and
performed by the computer can really be put into this category.

We have yet another group of three that can be used to describe security controls.
They are preventive, detective, and corrective.

Preventive
Preventative/deterrent controls are security controls that are installed before an
event happens and they're designed to prevent something from occurring. For
example, you might install a technical control like a RAID in your file server to ensure
that your data always has redundancy available and prevent data loss from
occurring.

Detective
The second type of control is called a detective control. Detective controls are used
during an event to find out whether or not something bad may have happened. If you
have a closed-circuit TV system being monitored by a security guard, this is a type of
detective control. Intrusion detection systems, audit logs, and alarms are all different
types of detective controls, as well, when they have logging enabled.

Corrective
The third type of control is called a corrective control. Corrective controls are used
after an event occurs. So, let's say somebody hacks into your server and they erase
your hard drive. Well, if this happens, you're going to hope you have a good backup
copy somewhere. If you've been doing good tape backups, this is called a corrective
control because it's going to allow you to recover from this data loss and by fixing
something after it happens, it becomes a corrective control.

Compensating Control
Now, a compensating control is used whenever you can’t meet the requirements for
a normal control. For example, let's say your organization has a physical security
policy that states that every door to a networking closet or server room has to have a
retina scan-enabled door lock to protect the devices in those rooms. Well, maybe
one of your branch offices is located in some far off country overseas and they have
no retina scan-enabled door locks being sold in that region. Well, instead of using a
retina scan door lock, you decide to install a cipher door lock. The cipher lock will be
considered a compensating control until you can get a retina scan-enabled door lock
ordered, shipped, and installed at this location.

Types of Risk
This includes external risk, internal risk, legacy systems, multiparty, intellectual
property theft, and software compliance and licensing.

External risk
This is a type of risk that is produced by a non-human source and is beyond human
control. Now, what are some good examples of external risk? Well, we have things
like wildfires. If there are wildfires burning in your area, you really can't control that.

Internal risk
Now, when we start talking about internal risk, these are the risks that are
formed within the organization itself. They arise during normal operations and often
they're forecastable, meaning, you can see them coming and therefore, you can plan
around them. A great example of this would be server crashes.

Legacy systems
Now, when I talk about a legacy system, this is any old method, technology,
computer system, or application program which includes an outdated computer
system that's still in use. A great example of this is if you just look down into your ICS
and SCADA networks. Most of these have outdated things that are still being run.
For example, many of them are still running on Windows XP.

Multiparty
Well, a multiparty risk is any risk that's referring to the connection of multiple systems
or organizations, with each of them bringing their own inherent risks. So, let's say
you owned a company and I own a company and we decided we wanted to go into
business together. Well, if we did that and we start connecting our systems together,
that is a multiparty risk because I am now assuming the risk that you're bringing to
the party and you're assuming the risk that I bring into the party.

Intellectual property theft


A lot of times when hackers are breaking into networks, it's not because they want to
cause you harm or take down your systems necessarily, it's because they want to
steal what you have. Now, again, that is going to cause you harm, but not harm in the
way of taking down your servers. And so, when we think about IP theft, we're
really talking about the risks associated with business assets and property being
stolen from your organization. And this can cause economic damage, the loss of a
competitive edge, or a slowdown in business growth. All of these things are risks
associated with IP theft. Now, when you're dealing with IP theft, you really are
worried about protecting your stuff. And so, one of the greatest ways to protect
against IP theft is making sure you have data loss prevention systems.

Software compliance and licensing


Now, when we talk about software compliance and licensing, we have some risks
associated with this, too. And I know you might be thinking, "What kind of risk do I
have with software compliance and licensing? If I buy a licence, there is no risk."
Well, there are risks associated with a company not being aware of what software
components are actually being installed on their network. And that's what software
compliance is all about. So, for example, if I'm running an organization with 10,000
people, and somebody decides to go to the store and buy a program and put it on
the network, even though they have the licence for it and they install that thing on the
network, I still am now assuming the risks of that software because when they
installed it, that is now something else that brings vulnerabilities to the network.
Now, on the other side of this, we also have the licensing angle. Now, when you
have people who are installing software, a lot of times they're just downloading it off
the Internet or bringing it in from home and they don't have the proper licensing in
place. So, let's say you wanted to create some new servers and you decided to just
download Windows Server 2016 and install it on some systems. Well, if you don't
have the proper licensing for that and Microsoft finds out, they might cripple that
server or they might sue you for damages because you're using their programs
without licensing.

Application Security & Secure Software Development

Web Browser Security

1. Implement good policies
2. Train users
3. Use proxy & content filtering
4. Prevent malicious code

Cookies
1. Tracking cookies
2. Session cookies

Now, a tracking cookie is usually used by spyware to gather details on you. They're
trying to learn what websites you go to, for how long, and what type of things you
click on.

Now, session cookies, on the other hand, are used to keep track of users and their
preferences and maybe even the things that they're putting into their shopping carts.

Now, many sites are realizing that cookies are not something that people like
anymore, and so they're starting to migrate over to what's called server-side tracking
instead.

LSOs
The second thing we want to cover in this lesson is locally shared objects, or LSOs.
These are also known as Flash cookies, and they're stored in your Windows user
profile under the Flash folder inside your roaming AppData folder. This is used by
Adobe's Flash Player and it's less of an issue these days because Adobe Flash is
being phased out in favor of HTML5. LSOs can be disabled within your Flash Player
settings if you're still using Flash, and this is also found inside the local settings
manager in most of today's operating systems.

Software Development
SDLC
The software development life cycle is an organized process of developing a secure
software application throughout the life of the project.
The seven phases:

Planning and analysis


During this stage, the goals of the software project are determined, the stakeholder
needs are assessed, and all of the high-level planning work is conducted.
Essentially, this is where things go from a rough idea that someone had for a piece
of software into a bit more formalized and well-developed concept that we can plan
the rest of our development cycle against.

Software or systems design


It's during this stage that the application or system is defined, outlined, and
diagrammed in detail. Essentially, this is where we focus on the overarching inputs
and outputs of each function that are going to make up the final software that's going
to be released to our customer.

Implementation
During implementation, programmers will begin to code all of the various functions
that are needed for the final product. As each piece of the code is developed, the
programmers will conduct some basic debugging and testing to ensure that its
functionality is working properly. But, at this point, there's been no formal testing
completed yet.

Testing

It's during this phase that we get the code and we check it through a myriad of
different testing methodologies.

Integration

Whereas in phase four, we focused on testing the individual application or system, in
phase five, the integration phase, we're focused on testing the end-to-end service to
ensure that all of the pieces and all of the parts can communicate effectively and
correctly.

Deployment
During deployment, your application or system will be moved into the production
environment where your customers and your end users can now utilize it to perform
their work.

Maintenance

This means that once your product is released into deployment, your work is still not
finished. Instead, the programmers are now focused on bug fixes, patches, and
updates to the version of the software that you're going to end up using.

Agile development
In a strict Waterfall scenario, you wouldn't even be able to add additional features
until the initial product was already delivered. This means you're going to have to
wait for the next version to release those and get those changes out to your end
users. In response to this, a different way of software development has risen in
popularity.
This is known as Agile development. Agile software development is performed in
time-boxed or small increments to allow it to be more adaptive to changing
requirements. In Agile, we still perform most of the phases that make up the
Waterfall model, but the big difference is we do them much, much quicker.

DevOps
DevOps is a term created from the words development and operations. This is a way
of conducting business where the software developers and the IT operations
personnel work closely together to speed up the development and deployment of the
applications and to get things out to the end user quicker. Because of the reduced
timeline, it's a good idea to embed a security-minded person into the DevOps team
as well to ensure that good cybersecurity is not sacrificed in an effort to get the
product out quicker.

Testing Methods

The first type of testing is known as System Testing. This comes in three varieties:
black-box testing, white-box testing, and gray-box testing.

Static Analysis is conducted by somebody who understands the language the
program is written in and they can analyze the code for errors.

Dynamic Analysis, on the other hand, is performed on a program while it's being
run. The most common type of dynamic analysis includes the use of fuzzing.

Software Vulns and Exploits

Backdoors
Backdoors consist of software code that's been placed in computer programs to
bypass our normal authentication and other security mechanisms. These are often
created by developers themselves in order to make it easier for them to update
custom programs in the future. But, this is a horrible practice in terms of security.

Directory Traversal
A directory traversal exploits insecurely coded web applications and
servers. A directory traversal is a method of accessing unauthorized directories by
moving through the directory structure on a remote server.
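
The insecure coding pattern behind directory traversal, next to a version that resolves the request and checks where it ends up. This is an added example, not part of the original notes; the directory layout and file names are constructed, and it assumes a POSIX system where symlinks can be created.

```python
import os
import tempfile


def resolve_unsafe(base_dir, requested):
    """Vulnerable pattern: trusts the requested name and only joins it to the base."""
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_safe(base_dir, requested):
    """Resolve the request, then refuse anything that ends up outside base_dir."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so the check sees the final location.
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole path components; a plain startswith() test would
    # wrongly accept a sibling such as "www-private" for the base "www".
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{requested!r} resolves outside the served directory")
    return target


def demo():
    """Constructed layout: a served "www" directory beside a private sibling."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = os.path.join(tmp, "www")
        private = os.path.join(tmp, "www-private")
        os.makedirs(os.path.join(web_root, "docs"))
        os.makedirs(private)
        for path in (os.path.join(web_root, "docs", "manual.txt"),
                     os.path.join(private, "key.pem")):
            with open(path, "w") as handle:
                handle.write("sample")
        os.symlink(private, os.path.join(web_root, "link"))

        requests = {
            "normal file": "docs/manual.txt",
            "dot-dot": "../www-private/key.pem",
            "nested dot-dot": "docs/../../www-private/key.pem",
            "absolute path": os.path.join(private, "key.pem"),
            "symlink out": "link/key.pem",
        }
        outcome = {}
        for label, requested in requests.items():
            try:
                resolve_safe(web_root, requested)
                outcome[label] = "served"
            except PermissionError:
                outcome[label] = "blocked"
        # The unchecked join happily returns a path outside the web root.
        unsafe = resolve_unsafe(web_root, requests["dot-dot"])
        outcome["unsafe join escaped"] = os.path.commonpath([web_root, unsafe]) != web_root
        return outcome


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:20} {result}")
```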

Arbitrary code execution


Arbitrary code execution occurs when an attacker is able to execute or run
commands on a victim computer. This might occur if someone walks by your desk at
work, sees you're logged into the computer, but you're away from your desk. They
start running a program on your computer.

RCE

A remote code execution occurs when the attacker is able to execute or run
commands on a remote computer. Notice the key difference here between an
arbitrary and a remote code execution. With a remote code execution, the attacker
can run the commands remotely, such as through an interactive shell session or
some other kind of attack. This is considered one of the worst types of exploits in the
security world, and a vulnerability that allows remote code execution is classified
as critical under the Common Vulnerability Scoring System.

Zero-day exploit

This is an attack against a vulnerability that is unknown to the original developer or
manufacturer. Because of this, zero-day vulnerabilities have become a big business,
with some companies paying thousands of dollars to penetration testers who can
help to identify these vulnerabilities and report them under their bug bounty
programs.

Buffer Overflow

A stack is a reserved area of memory where the program saves the return address
when a function call instruction is received. Here is an example of a stack that's
organized as first in, last out.

One of the mitigations against a buffer overflow attack is the use of address space
layout randomization, also known as ASLR.
This is a programming technique that helps prevent an attacker's ability to guess
where the return pointer for a non-malicious program has been set to call back by
randomizing the memory addresses used by well-known programs, such as parts of
the operating system.

XSS & XSRF

Cross-site scripting occurs when an attacker embeds malicious scripting commands
into a trusted website. When this occurs, the attacker is trying to gain elevated
privileges, steal information from the victim's cookies, or gain other information stored
by the victim's web browser. During a cross-site scripting attack, the victim is the
user, not the web server. The web server has already been compromised, possibly.

There are three types of cross-site scripting attacks:

1. stored and persistent
2. reflected
3. DOM-based attacks

Whereas cross-site scripting focuses on exploiting the trust between a user's web
browser and a website, cross-site request forgery instead exploits the trust that a
website has in a user.
In a cross-site request forgery, the attacker forces the user to execute actions on a
web server that they already have been authenticated to. For example, let's say that
you've already logged into your bank's website and provided your username and
your password. At this point, you're already authenticated and the website trusts you.
If an attacker can send a command to the web server through your authenticated
session, they are forging the request to make it look like it came from you.

SQL Injection

Well, SQL injection and code injections can be prevented very easily if you do proper
input validation and use the concept of least privilege when you're accessing a
database from a web application.

XML vulnerability
And so, when you're dealing with XML data, you want to make sure that it's
submitted with encryption or input validation. If you submit XML data without
encryption or without input validation, it's going to be vulnerable to spoofing, request
forgery, and injection of arbitrary code. So, we want to make sure we prevent that.

● XML bomb: Now, this is where they take XML and they use this encoding to
encode those entities that I just showed you and expand them to exponential
sizes, consuming memory on the host and potentially crashing it.
● XXE: Now, this is an attack that embeds a request for a local resource.
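One way to apply the input-validation advice above to both the XML bomb and XXE is to refuse any document that declares a DTD or entities before it reaches application code. This Python sketch is an added example, not part of the original notes; the function names and the sample documents are constructed for illustration.

```python
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """Raised when a document uses DTD features the application does not need."""


def parse_untrusted_xml(data, forbid_dtd=True):
    """Parse XML bytes and return element names in document order.

    Entity declarations (the building block of an XML bomb) and external
    entities (the building block of XXE) are always rejected. With
    forbid_dtd=True any DOCTYPE at all is rejected, which is the stricter
    and simpler policy for data-only XML.
    """
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML("DOCTYPE declaration not allowed: %s" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if sysid is not None else "internal"
        raise ForbiddenXML("%s entity declaration not allowed: %s" % (kind, name))

    def on_external_ref(context, base, sysid, pubid):
        raise ForbiddenXML("external entity reference not allowed")

    if forbid_dtd:
        parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: names.append(name)

    # Exceptions raised inside handlers propagate out of Parse().
    parser.Parse(data, True)
    return names


def is_rejected(data, forbid_dtd=True):
    """Convenience wrapper: True if the guard refuses the document."""
    try:
        parse_untrusted_xml(data, forbid_dtd)
    except ForbiddenXML:
        return True
    return False


# Constructed sample documents (not captured traffic).
BENIGN = b"<order><item>book</item></order>"
DOCTYPE_ONLY = b"<!DOCTYPE order><order/>"
# Two levels of nested entities: the shape of an XML bomb, kept tiny.
NESTED_ENTITIES = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    b"<order>&b;</order>"
)
# An external entity pointing at a placeholder resource: the shape of XXE.
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
    b"<order>&ext;</order>"
)

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("nested", NESTED_ENTITIES),
                       ("external", EXTERNAL_ENTITY)]:
        print(label, "rejected" if is_rejected(doc) else "accepted")
```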

Race Condition
Well, a race condition is a software vulnerability that occurs when the resulting
outcome from execution processes is directly dependent on the order and timing of
certain events. And those events failed to execute in the order and timing intended
by the developer.

One of the most common ones was actually in 2016, and it's known as Dirty COW.
Now, Dirty COW is a great example of a race condition that was used to exploit a
computer vulnerability. Now, when I talk about COW, I'm not really talking about a
cow like you see here on the screen. The COW actually stands for Copy On Write.
Now, this exploit affected Linux operating systems in 2016, including some Android
versions, because it's based on Linux. The exploit would cause a local privilege
escalation bug that could be exploited through this race condition vulnerability
because of the implementation of the programming for Copy On Write that was using
the kernel's memory management system.

Hashing
Hashing is a one-way cryptographic function which takes an input and produces a
unique message digest as its output. Because this function is one-way, there's no
way to determine the original message based on the message hash or hash digest
it's outputted. The resulting message digest acts like a digital fingerprint for the
original file. Another unique thing about a hash digest is that they are always the
same length, regardless of how long your input is. Whether I input a file containing
one word or a file containing millions of words, the output will always be the same
length based on the hashing algorithm chosen. By far, the most commonly-used
algorithm is MD5. The MD5 algorithm creates a 128-bit hash value that is unique to
the input file.

Unfortunately, because the hash value output is only 128 bits long, it can create only
a limited number of unique values, and this can lead to two files having the exact
same resulting hash digest. When this occurs, this is known as a collision.

Due to the limited number of unique hash values associated with MD5, a newer
algorithm called the Secure Hash Algorithm, or SHA, was created. SHA-1, for
example, creates a 160-bit hash digest, which significantly reduces the number of
collisions that occurred. SHA-2 is a family of hash functions that contains longer
hash digests. This includes the SHA-224, SHA-256, SHA-384, and SHA-512 hash
functions, each of which has a digest from 224 bits up to 512 bits.

SHA-3 is the newest family of hash functions, and its hash digest can go between
224 bits and 512 bits, just like SHA-2. The major increase in security, though, with
SHA-3, is that it uses 120 rounds of computations to create its message digest for
each unique file.

Now, there are other hash functions available that you may come across in your daily
work. These include things like RIPEMD and HMAC.

RIPEMD is the RACE Integrity Primitives Evaluation Message Digest. It comes in
160-bit, 256-bit, and 320-bit versions. But the 160-bit version is by far the most
common among these. It's written as RIPEMD-160 and it's an open-source hashing
algorithm created as a competitor to the SHA family, but it hasn't really gained the
same level of popularity that SHA has.

Another hashing algorithm is known as the HMAC, or Hash-based Message
Authentication Code. This is used to check the integrity of a message and provide
some level of assurance that its authenticity is real. HMAC actually uses other
hashing algorithms to do the work, though, and it's called something like the
HMAC-MD5, the HMAC-SHA1, or the HMAC-SHA256, depending on the underlying
hash being used.

Digital Signature - Integrity - Non Repudiation


A digital signature is created by hashing a file and then taking that resulting hash
digest and encrypting it with a private key. So, if I was going to send an email that is
a couple of pages long and I wanted to digitally sign it to make sure you know that
nothing was changed inside that email, I can run that email message through a
hashing algorithm, like SHA-1. Then, I take that resulting 160-bit hash and I encrypt
it using my private key. When I send the email to you, I'm going to attach the
resulting encrypted hash with it, as well, and this is going to prove the integrity of the
message and create non-repudiation. When your system receives the email, it will
then decrypt the digital signature using my public key, which is going to provide you
with that original 160-bit hash digest. Your system, then, takes my multiple-page
email, runs it through the SHA-1 algorithm, and compares your message digest that
you calculated with the one that I sent as part of my digital signature. If those two
things match, then you can be assured that the email was not modified in-transit
between my system and yours, and this provides us with that integrity check.

Now, since I also encrypted my SHA-1 digest with my private key, and only I have
my private key, this also assures you that the person who sent the message is the
only person who could have sent you the message. This provides us with the
non-repudiation on the email. This non-repudiation means I can't claim that I didn't
send the email to you because I'm the only one who could have because I'm the only
person who has my private key.
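The sign-and-verify exchange described above, as an added Python example that is not part of the original notes. The key is a constructed teaching key built from two known Mersenne primes, SHA-256 stands in for the SHA-1 used in the text, and the raw RSA math is shown without the padding that real signature schemes add; all function names are assumptions.

```python
import hashlib

# Constructed teaching key. Both factors are publicly known Mersenne primes,
# so this key protects nothing; it only makes the arithmetic visible.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                                   # public modulus
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)


def digest_as_int(message):
    """Hash the message and interpret the fixed-length digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sender_sign(message, d=D, n=N):
    """Sender side: hash the message, then transform the digest with the PRIVATE key."""
    return pow(digest_as_int(message), d, n)


def receiver_verify(message, signature, e=E, n=N):
    """Receiver side: undo the signature with the PUBLIC key and compare digests.

    The receiver recomputes the digest from the message it actually received,
    so any change in transit makes the two values differ.
    """
    recovered_digest = pow(signature, e, n)
    return recovered_digest == digest_as_int(message)


# Constructed sample message.
EMAIL = b"Quarterly report attached. Please review pages 1 through 3."

if __name__ == "__main__":
    sig = sender_sign(EMAIL)
    print("unmodified message verifies:", receiver_verify(EMAIL, sig))
    print("modified message verifies:  ",
          receiver_verify(EMAIL.replace(b"3", b"4"), sig))
    print("altered signature verifies: ", receiver_verify(EMAIL, sig + 1))
```

Production systems use a vetted library and a padded scheme such as RSA-PSS rather than this bare exponentiation.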

DS-Algorithms & Code Signing


For digital signatures to be utilized, you should use either the Digital Security
Algorithm, DSA, the Rivest-Shamir-Adleman cipher, RSA, or the Elliptic Curve
Cryptography version of DSA or SHA. The federal government has decided to use
the Digital Security Standard, called DSS, which relies upon a 160-bit message
digest created by DSA. Now, most commercial entities rely upon the RSA standard,
though, because it's faster and can be used for digital signatures, encryption, and
key distribution. Digital signatures have been expanded beyond just email, too. Code
signing of our files relies upon the digital signature for a program or file. For example,
if I created a mobile app and I wanted to put it into the app store like Google Play or
the Apple App Store, the installer file would have to be digitally signed and that is
called code signed. Every developer must register with Apple or Google and they
receive a private key. Just as in the email example I provided earlier, the application
file is hashed and that hash is encrypted using the developer's private key. This is
known as code signing and ensures that the installer hasn't been modified or
corrupted since that developer published it.

Windows Password Hashing


In a Windows machine, passwords aren’t stored in cleartext, and they're not even
stored in an encrypted format. No, they're actually stored as hashes. The original
version of this was known as LANMAN, or the LAN Manager hash, or simply the LM
hash. This was created all the way back in the late 1980s, even before Windows and
T-servers roamed the Earth. This hash was based on the DES algorithm and was
limited to 14 characters. Not only is this weak because it used DES, but it's even
worse because Microsoft had the password broken into two seven-character chunks
first and then one of those was converted to uppercase and then it was run through
the encryption algorithm to create the hash. This reduced the number of possible
combinations and led to decreased security in the LM hash. Because of this, you
should always disable the LM hash on your modern Windows OS and, by default, it
is disabled.

To replace the LANMAN hashes, Microsoft created a replacement known as the
NTLM hash, or NT LAN Manager hash. This was created to replace the LM hash
once NT servers became popular in the early 1990s, and it first shipped in 1993,
beginning with NT 3.1. That shows you how old this is. The NTLM used RC4 instead
of DES for the way it created its hash, so again, something stronger is definitely
needed.

On modern Windows machines, like the LM hash, NTLM is disabled by default. The
final and newest version of password hashing for Windows is known as NTLM
version two. It relies on the HMAC-MD5 hash, and is therefore, a little bit more
difficult to crack. It's been around since Windows NT version four, but it's still used by
any Windows machines that don't rely on Kerberos for authentication. If you're using
Kerberos, such as in a domain environment, then NTLM version two is simply not
used.

Hashing Attacks

Pass the Hash


Pass the Hash is a hacking technique that allows the attacker to authenticate to a
remote server or service by using the underlying hash of a user's password instead
of requiring the associated plaintext password as you normally would have to do.
Now, if an attacker is able to sniff that hash or steal it some other way, they don't
need to brute force the cleartext password. Instead, they can simply reuse the hash
of that arbitrary user account as they go and authenticate against remote systems
and impersonate that user.

In other words, from an attacker's perspective, hashes are functionally equivalent to
the original passwords they were generated from, which means the attacker doesn't
need to know your actual password to use your account as if they were you. The Pass the
Hash attack is very difficult to defend against because there are many possible
exploits in Windows, as well as the applications that run on top of it. And any of
these can be used by an attacker to elevate their permissions and then be able to
pull off credential harvesting or hash harvesting that they can then use in a further
attack using Pass the Hash.

Mimikatz
There are many penetration tools out there such as Mimikatz that give you the
ability to automate this process of harvesting the hashes and conducting the attack.
To prevent the Pass the Hash attack, you should ensure that only trusted operating
systems are allowed to connect to your servers, that your Windows domains have
their trusts set up properly, that workstations are all patched and updated, that
your multifactor authentication is being used properly in the network, and that user
accounts have been set up to use the concept of least privilege.

Birthday Attack
The Birthday Attack occurs when an attacker is able to send two different messages
through a hash algorithm and it results in the same identical hash digest causing a
collision. This attack gets its name from something called the Birthday Paradox,
which says that if you have a random group of people, the chances are that you are
going to have two people in that group with the same birthday. When I teach this
course in person to a group of 30 people, most of the time, two people in the class
have the same birthday. At least the same month and day, if not also the year. In
fact, even though there are 365 days in a year, you only need 57 people in a room to
get a 99% chance of having two identical birthdays. With 23 people in a room, your
odds are 50/50. That's why in my classes of 30 students, more often than not, we
have identical birthdays. In the world of hashes, two identical hash digests would
result in a collision. Now, if a hacker can find two different messages with the same
hash, they can use this as an attack against your system.
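The birthday figures quoted above can be checked directly, and the same math explains why digest length matters when choosing a hash. This Python block is an added example, not part of the original notes; the function names are assumptions, and the collision search runs against SHA-256 deliberately truncated to 24 bits so that it finishes in well under a second.

```python
import hashlib
import math


def birthday_collision_probability(people, days=365):
    """Exact chance that at least two of `people` share one of `days` values."""
    p_all_unique = 1.0
    for i in range(people):
        p_all_unique *= (days - i) / days
    return 1.0 - p_all_unique


def samples_for_even_odds(space):
    """Approximate number of random samples for a 50% collision chance.

    Uses the standard birthday bound sqrt(2 * ln(2) * space); for an n-bit
    digest, space is 2**n, so the answer grows like 2**(n/2), not 2**n.
    """
    return math.ceil(math.sqrt(2 * math.log(2) * space))


def truncated_digest(message, bits):
    """First `bits` bits of the SHA-256 digest, as an integer."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)


def find_truncated_collision(bits=24):
    """Hash constructed messages until two share the same truncated digest.

    Returns (first_message, second_message, messages_hashed). With a 24-bit
    digest there are about 16.7 million possible values, yet a collision is
    expected after only a few thousand messages.
    """
    seen = {}
    counter = 0
    while True:
        message = b"constructed-sample-%d" % counter
        value = truncated_digest(message, bits)
        if value in seen:
            return seen[value], message, counter + 1
        seen[value] = message
        counter += 1


if __name__ == "__main__":
    for n in (23, 30, 57):
        print("%d people: %.1f%%" % (n, 100 * birthday_collision_probability(n)))
    for bits in (24, 128, 160, 256):
        print("%d-bit digest: ~%.3g hashes for even odds"
              % (bits, samples_for_even_odds(2 ** bits)))
    a, b, tries = find_truncated_collision(24)
    print("24-bit collision after %d hashes: %r and %r" % (tries, a, b))
```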

Increase Hash Security

Key Stretching
Key stretching is a technique that's used to mitigate a weaker key by increasing its
effectiveness and thereby increasing the time needed to crack it. When you stretch a
weaker key, the weaker key is run through an algorithm to create a longer, more
secure key than is normally used. And it has to be at least 128 bits long. Many
systems are going to utilize key stretching to increase the security they provide.
Systems like Wi-Fi Protected Access, Wi-Fi Protected Access version 2, Pretty Good
Privacy, bcrypt, and others all use key stretching.

Salting
Salting is a technique of adding random data into a one-way cryptographic hash to
help protect against password cracking techniques like dictionary attacks, brute-force
attacks, and rainbow tables.
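Key stretching and salting are normally applied together when storing passwords. This Python block is an added example, not part of the original notes; it uses PBKDF2 from the standard library as the stretching algorithm, and the record format, function names and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor; tune to your hardware budget
SALT_BYTES = 16
KEY_BYTES = 32         # 256-bit derived key, above the 128-bit minimum


def unsalted_digest(password):
    """A single fast, unsalted hash: what salting and stretching improve on."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Return a storable record: scheme$iterations$salt$derived_key.

    A fresh random salt per password means identical passwords produce
    different records, so one precomputed table cannot cover all users.
    The iteration count multiplies the cost of every guess.
    """
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), derived.hex())


def verify_password(password, record):
    """Recompute the derived key with the stored salt and compare safely."""
    try:
        scheme, iterations, salt_hex, derived_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        stored = bytes.fromhex(derived_hex)
        rounds = int(iterations)
    except ValueError:
        return False          # malformed record
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, dklen=len(stored)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("unsalted digests equal:", unsalted_digest("x") == unsalted_digest("x"))
    print("salted records equal:  ", alice == bob)
    print("alice verifies:        ",
          verify_password("correct horse battery staple", alice))
    print("wrong guess verifies:  ", verify_password("Tr0ub4dor&3", alice))
```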

Nonce
Using a nonce is another method to help secure a weaker password, where a
number used once, known as a nonce, is added to the password-based
authentication to help prevent an attacker from reusing your password if they're able
to steal it somehow.
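The nonce idea above combines naturally with the HMAC described in the hashing section: the server issues a fresh number, the client proves knowledge of the secret by returning an HMAC over it, and a captured response is useless afterwards. This Python block is an added example, not part of the original notes; the class, the function names and the shared secret are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class ChallengeServer:
    """Issues single-use nonces and checks HMAC-SHA256 responses against them."""

    def __init__(self, shared_secret):
        self._secret = shared_secret
        self._outstanding = set()      # nonces issued but not yet answered

    def issue_challenge(self):
        """Create a fresh random nonce and remember that it is outstanding."""
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def check_response(self, nonce, response):
        """Accept a response only for an outstanding nonce, and only once."""
        if nonce not in self._outstanding:
            return False               # never issued, or already used: replay
        self._outstanding.discard(nonce)   # burn the nonce before checking
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(shared_secret, nonce):
    """Client side: prove knowledge of the secret without sending it."""
    return hmac.new(shared_secret, nonce, hashlib.sha256).digest()


def run_exchange():
    """Walk through a login, a replay of the same pair, and a stale response.

    Returns the three server decisions in that order.
    """
    secret = b"constructed-shared-secret"   # sample value, not a real credential
    server = ChallengeServer(secret)

    nonce = server.issue_challenge()
    response = client_response(secret, nonce)
    first_login = server.check_response(nonce, response)

    # An eavesdropper resends the exact pair that was seen on the wire.
    replay_same_nonce = server.check_response(nonce, response)

    # The eavesdropper asks for a new challenge but only has the old response.
    new_nonce = server.issue_challenge()
    stale_response = server.check_response(new_nonce, response)

    return first_login, replay_same_nonce, stale_response


if __name__ == "__main__":
    print(run_exchange())
```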
SCM
Due diligence is a legal principle that says the subject has used best practice or
reasonable care when setting up, configuring, and maintaining a system. When
you're trying to hire a vendor, you need to ensure that they have done due diligence
on their supply chain and you need to do your due diligence on them.

This includes things like ensuring that their cybersecurity program is properly
resourced. You also want to make sure that they have security assurance and risk
management processes and programs in place. And by doing this, this will help
make sure that they have a valid organization and a way of doing due diligence
within themselves. Another thing you want to look at is the product support lifecycle.
If you're going to buy a product, you need to make sure that they're going to be able
to support it for the long term.

If you're giving them access to your data because they're doing something like
Software-as-a-Service, you want to make sure they have the proper security controls
in place to ensure your data remains confidential. Another thing you have to think
about is when things go wrong, will they be there to help you? If you have to conduct
an incident response or do forensic investigations, will that company be able to
support you and provide you assistance?

Trusted Foundry
Now, one of the organizations that has a very low tolerance or low risk appetite for
hardware is the Department of Defense, and so they create something known as the
trusted foundry. Now, the trusted foundry is a microprocessor manufacturing utility
that's part of a validated supply chain, one where the hardware and software does
not deviate from its documented function. And again, this was created and operated
by the Department of Defense, which is the US military because if they're going to
put up a microprocessor to run a jet or a bomb or something like that, they want to
make sure it does exactly what it's supposed to do each and every time.

Root of Trust
In this lesson, we're going to talk about the concept of a hardware Root of Trust or
ROT.
Now, this is a cryptographic module embedded within a computer system that can
endorse trusted execution and attest to boot settings and metrics.

If you think about your TPM module inside your BIOS, that is a root of trust.

TPM
You really need to remember that TPM, the trusted platform module, is this part of
your system that allows you to have the ability to ensure that when you're booting up,
it is done securely and we can take those reports and digitally sign them using the
TPM.

Now, when you're dealing with TPM, your TPM can be managed inside of Windows
using [Link], which is a console or you could do it through group policy.

HSM
This is an appliance for generating and storing cryptographic keys that is less
susceptible to tampering and insider threats than using storage-based solutions.

Anti-Tamper
These are methods that make it difficult for an attacker to alter the authorized
execution of software. Now, if you think about anti-tamper and you think about the
physical world, you buy a thing like aspirin and you open up the bottle. What do you
see on top? That sealed layer that says this has been protected, this is sealed for
your protection.
This is an anti-tamper device.

And there are two main ways of doing that. We have anti-tamper mechanisms that
include things like an FPGA, which is a Field Programmable Gate Array or a
physically unclonable function or PUF.
Both of these are anti-tamper mechanisms that could be used and designed inside
your systems.

This means that if somebody tries to tamper with the system, what these things will
do is actually zero out your cryptographic key, which then can automatically wipe out
the information on that system, making sure you know it's been tampered with and
therefore, nobody can get the information.

Trusted Firmware
Now, as I talk about trusted firmware, we have to think about the idea of a firmware
exploit because we're trying to prevent firmware exploits by using trusted firmware. A
firmware exploit is going to give an attacker an opportunity to run any code at the
highest level of CPU privilege. Because if you're at the firmware, for instance, in the
BIOS or the UEFI, you can actually have essentially a rootkit that runs over the entire
system, and that's loaded even before Windows is. So, your anti-malware is not
going to find it.

Terms to cover:

1. UEFI
2. secure boot
3. measured boot
4. attestation
5. eFuse
6. trusted firmware updates
7. self-encrypting drives

UEFI
Unified Extensible Firmware Interface or UEFI. This is a type of system firmware
providing support for 64-bit CPU operations at boot. It also gives you a full GUI and
mouse operations at boot and better boot security.

To be able to run a lot of the other things we're going to talk about in this lesson, you
have to have UEFI and not BIOS for your system.

Secure Boot
This is a feature of UEFI that prevents unwanted processes from executing during
the boot operation. Essentially, as a computer is booting up, it's going to check things
and make sure that there's digital signatures installed from those operating system
vendors. If Microsoft Windows isn't signed by Microsoft, we're not going to boot it.

Measured Boot
Now, a measured boot is a UEFI feature that gathers secure metrics to validate the
boot process in an attestation report. So, as you're booting up, it's going to be taking
different measurements, how much time does it take for you to do this? How much
process should it take to do that, and based on that, it's going to collect that data, it's
going to create a report, and then it's going to attest to it. Which brings us to the idea
of attestation.

Attestation
Now, an attestation is a claim that the data presented in a report is valid, and it does
this by digitally signing it using the TPM's private key. So, the UEFI, it's going to take
that report, it's going to sign it with that digital key, and then send it on to the
operating system into the processor. This way we know we can trust it.

eFUSE
Now, eFuse is a means for software or firmware to permanently alter the state of a
transistor on a computer chip. Now, this comes from the idea of a fuse. If you've ever
worked with electricity before, and you've worked in a breaker panel, you may have
seen things like these, these are fuses.

Trusted Firmware Update


So, when we have a trusted firmware update, this is a firmware update that is
digitally signed by the vendor and trusted by the system before it's installed. Anytime
you're going to go and do a firmware update, you need to make sure that it is trusted
because if it's trying to do something that's not trusted, you have the potential to blow
one of these eFuses that we just talked about.

Self Encrypted Drive


The idea with these self-encrypting drives is that they have firmware on them that is
used to do the encryption when data is being written to the drive. It also decrypts that
information when data is being read from the drive. All of this is done at the hardware
level, so it takes the processing load off of your own computer and off of your
operating system, because it's all done here in the firmware.

Secure Processing
Now, when we talk about secure processing, this is a mechanism for ensuring the
confidentiality, integrity, and availability of software code and data as it's executed in
volatile memory. Because after all, we're going to take data off of our hard drive or off
of our network and we're going to put it into RAM and then from RAM into our
processor. And all of that time going from RAM to the processor or while it's stored in
RAM, has the potential for it to be modified or for it to be stolen or for it to be not
available.

Processor Security Extensions.

Now, these are low-level CPU changes and instructions that enable secure
processing. And these are built into your microprocessor. Now, they're called
different things depending on if you're using an AMD or an Intel processor. If you're
using an AMD processor, this is known as Secure Memory Encryption (SME) or
Secure Encrypted Virtualization (SEV). On the other hand, if you're using Intel
processors, you're going to be using Trusted Execution Technology or TXT or
Software Guard Extensions (SGX).

Trusted Execution
The CPU's security extensions invoke TPM and a secure boot attestation to ensure a
trusted operating system is running. So, any time we want to boot up the system, we
want to make sure that we are using that trusted firmware using UEFI and using
TPM and secure boot to tell us that this operating system that's being booted is
something we trust.

Secure Enclave
Now, a secure enclave is an extension that allows a trusted process to create an
encrypted container for sensitive data.
This will help us prevent things like buffer overflow attacks. In typical application
usage, we'll be able to store encryption keys and other sensitive data inside of
the secure enclave.

Atomic Execution
Now, there are certain operations that should only be performed once or not at all.
For example, initializing a memory location. This should only happen one time, right?
And so, once you've initialized it, that should be it. Well, the idea of atomic execution
is there are these extensions in place to make sure somebody can't reuse or hijack
an atomic execution operation like doing a memory initialization. This can help you
prevent buffer overflows and race conditions by being able to control these
processes and again, this is something that's built into those processors these days.

Bus Encryption
Now, bus encryption is data that is encrypted by an application prior to being placed
on the data bus. This will ensure that the data being sent over the network or over a
bus is going to be protected because it's going to end up encrypted. Now, for this
to work, we have to ensure the device at the other end of the bus is trusted to
decrypt that data.

Mobile Device Security
Securing Wireless Devices

Wi-Fi
Currently, that's WPA2 or Wi-Fi Protected Access Version 2.

This relies on the advanced encryption standard for its encryption algorithm, also
known as AES.

Bluetooth
Well, by default, Bluetooth requires you to pair the device. And when you pair the
device, the two devices will communicate via that shared link and give each other a
shared link key. They use that key to encrypt their data.

Mobile Malware
1. Do not jailbreak or root your device. When you do that, you're bypassing the
natural protections that your system has and that's going to make you more
vulnerable to attack.
2. Don't use custom firmware or a custom ROM. When you're using a custom
firmware or a custom ROM, this is specific to Android users, you're using an
alternate version of the operating system. It's been forked off the original
source code, so when Google has something that's been patched, it doesn't
necessarily make its way into those custom firmwares or custom ROMs and
so, you're still going to be vulnerable.
3. Also, only load official apps from the official stores. The reason for this, again,
is because those have at least some quality control and some level of check
before they're released into the public.
4. And finally, always update your phone's operating system. Any time there's an
update or a patch for your operating system, or your applications, you want to
make sure you're installing it because that's going to patch up the known
vulnerabilities.

Sim Cloning & ID theft


SIM cloning allows two cellphones to utilize the same service and allows the attacker
to gain access to the phone's personal data. So, if I'm cloning your SIM card, the
towers think I'm you.
The first versions of SIM cards were very easy to clone, but the newer SIM version 2
cards are much, much harder. So, this gives us a lot more security.

If the attacker is able to take over your phone number, they can now pretend to be
you and log into your bank, your Facebook, your Gmail, or whatever else you have
for two-factor authentication.

Well, you can go and get a Google Voice number, or something of that nature, where
you have a single phone number that people call and then nobody knows your actual
cell phone number that's behind it.

Bluetooth

Bluejacking
Bluejacking is sending unsolicited messages to Bluetooth-enabled devices. This
often happens by having somebody who will pair to your device and then send the
data to you.

Bluesnarfing
This is unauthorized access of information from a wireless device over a Bluetooth
connection.

BYOD
Bring Your Own Device is a policy that a lot of organizations have been adopting.

This means when you come to work, you can bring your own device and use it on
their network.

Now, when you use Bring Your Own Device, it brings a lot of security issues for you
to consider. If I have somebody's laptop that now gets plugged into my network, I'm
also introducing all of the vulnerabilities that device had.

Now, on the flip side, a lot of companies really like Bring Your Own Device because it
means they don't have to buy laptops, cellphones, and all those types of devices for
their employees because the employee is bringing their own.

A lot of organizations that have adopted Bring Your Own Device will use storage
segmentation. This will create a clear separation between personal and company
data on a single device.

I can install Mobile Device Management on it. That would allow me to have a
centralized software solution for remote administration and configuration of your
mobile device.

But when I do Bring Your Own Device, are you going to let me install Mobile Device
Management on your system?
You might not.
And, so this is why a lot of companies are now switching from a Bring Your Own
Device, because of all those security issues, into a Choose Your Own Device, or
CYOD model.
CYOD gives the employee a choice of a couple of phones.

Hardening Mobile Devices
1. Number one, update your device to use the latest version of the software.
Whether this is your operating system, your apps, or your firmware, you
should always be updating it. By updating it, you're making sure that you have
all known vulnerabilities patched and secured. Just like your desktop, most
devices are hacked because they're not patched from a known vulnerability.
So, when an update comes out, make sure you apply it.
2. Number two, install antivirus. A lot of people figure that it's a mobile device
and it's not a computer so it doesn't need antivirus. But, just like a computer,
your mobile devices do need to have antivirus and anti-malware installed.
3. Number three, train your users on proper security and use of the device. This
includes showing them how to use social media appropriately, what sites are
safe to browse, and what apps are allowed to be installed. Remember, these
are all vulnerabilities that your employee, who's holding the device, can install
and use on your device. You have a right to train them the correct way.
4. Next, number four, only install applications from the official mobile stores. At
least if you've done that, they have malware checks and security checks and
you're much less likely to have issues. Again, this is the App Store for Apple
and the Google Play store for Android.
5. Number five, don't root or jailbreak your device. That's going to bypass the
security and the built-in protections that Apple and Android have already put
in there for you. If you do this, you're asking for trouble.
6. Number six, only use version two SIM cards with your devices. As we talked
about in the SIM cloning lecture, version two is very hard to clone but version
one is actually quite easy. So, you should always use version two SIM cards
to help counter SIM cloning.
7. Next, we have number seven, turn off all unnecessary features. Whether this
is Wi-Fi, Bluetooth, near-field communication, mobile hotspots, tethering,
location tracking, and more. Turn it off if you're not going to use it. If you do
have to use Bluetooth, make it undiscoverable.
8. Number eight, turn on encryption for your voice and data. This'll ensure things
like Bluetooth, near-field communications, Wi-Fi, and others have encryption
enabled whenever you're using them.
9. Number nine, use strong passwords or biometrics for log on. That means you
shouldn't be using a four-digit PIN. You want to use things like a thumbprint, a
face scan, or long, strong passwords, whichever of those three your device
supports. Also, you should turn on Find My Phone, enable remote lockout,
and remote wipe capabilities before you need them.
10. Number ten, don't allow BYOD. I know I talked about it in the BYOD lecture,
that you can allow your organization to make the choice, but let's just be
honest: bringing your own device means bringing your own disaster. It
introduces a ton of risk; if you use it, you need to ensure that you have
storage segmentation and good mobile device management, and that your
employees allow you to install it. It's much better to choose your own device
or employer furnished devices where you control the device and you control
what goes on on it. It's your data, after all, you have to protect it.

After you do all those 10 things, you need to make sure your organization has a good
security policy in place for mobile devices. This will tell your employees what's
expected of them and it'll tell your administrator what they have to secure, too.

Security Protocols
S/MIME
S/MIME is the Secure/Multipurpose Internet Mail Extensions, also known as
S/MIME. It's a standard that provides cryptographic security for electronic
messaging, things like email. Now, when we talk about S/MIME, it is built into most
email clients you're going to use. So, if you're using Apple Mail or Microsoft Outlook
or even Gmail, it has the capability to support S/MIME. S/MIME is going to use
separate session keys for each email message that's being sent or received. We can
use digital IDs within Outlook or digital signatures within many different programs to
give our emails authentication, integrity, and non-repudiation through S/MIME.

Now, S/MIME is a way that we can encrypt our emails and their content. The
problem with that is it also encrypts all of their contents, including malware. So, if I
wanted to send you an email and I was going to encrypt the content, and I put a
piece of malware in there and encrypted it and sent it to you, guess what? Your
boundaries may not detect it. Your filter may not detect it because it's going through
encrypted, and if they don't have access to your private key to decrypt it, they're not
going to be able to see it and protect you from it. So, how do you overcome this?
Well, a lot of email gateways will actually load up the user's private key, so they can
decrypt the emails, look at the contents, make sure they're safe, and then pass them
on to the user. Again, though, if you're giving up your private key, that can reduce the
security of the system.
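The inspection gap described above can at least be made visible at the gateway. The following is an added example, not part of the original notes: it classifies a message by its S/MIME content type so that encrypted mail is flagged as unscannable rather than silently passed. The function names and action labels are hypothetical, and the sample messages are constructed.

```python
from email import message_from_string

# Constructed sample messages; the base64 bodies are placeholders, not real CMS data.
ENCRYPTED = (
    "From: alice@example.com\nTo: bob@example.com\nSubject: Q3 numbers\n"
    "MIME-Version: 1.0\n"
    'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
    "Content-Transfer-Encoding: base64\n\n"
    "UExBQ0VIT0xERVI=\n"
)
SIGNED_CLEAR = (
    "From: alice@example.com\nTo: bob@example.com\nSubject: Invoice\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    ' micalg=sha-256; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nInvoice attached as discussed.\n"
    '--b1\nContent-Type: application/pkcs7-signature; name="smime.p7s"\n'
    "Content-Transfer-Encoding: base64\n\nUExBQ0VIT0xERVI=\n--b1--\n"
)
PLAIN = "From: alice@example.com\nTo: bob@example.com\nSubject: Hi\n\nLunch?\n"

PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
# Ordered from least to most restrictive for content inspection.
RANK = ["unprotected", "signed-clear", "signed-opaque", "encrypted"]


def classify_part(part):
    """Classify one MIME part by the S/MIME protection applied to it."""
    ctype = part.get_content_type()
    if ctype == "multipart/signed":
        return "signed-clear"            # body is readable, signature is detached
    if ctype in PKCS7_MIME:
        smime_type = str(part.get_param("smime-type", "")).lower()
        if smime_type == "signed-data":
            return "signed-opaque"       # body is wrapped but not encrypted
        if smime_type in ("certs-only", "compressed-data"):
            return "unprotected"         # no confidentiality applied
        # enveloped-data, authEnveloped-data, or a missing parameter:
        # assume ciphertext so the message is never treated as scanned.
        return "encrypted"
    return "unprotected"


def classify_message(raw):
    """Return the most restrictive classification found in any part."""
    msg = message_from_string(raw)
    return max((classify_part(p) for p in msg.walk()), key=RANK.index)


def gateway_action(raw):
    """Decide whether the content filter can actually see the payload."""
    if classify_message(raw) == "encrypted":
        return "cannot-scan"             # needs the recipient's key, or a hold policy
    return "scan"
```

A gateway that returns "cannot-scan" has to either decrypt with an escrowed key, as the notes describe, or leave scanning to the endpoint after the user decrypts.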

SSL/TLS
Well, SSL stands for the Secure Sockets Layer and TLS stands for Transport Layer
Security. These are cryptographic protocols that provide secure Internet
communications for web browsing, instant messaging, email, VoIP, and many other
services. I know we talk a lot about it in web browsing, but it can be used for all of
these other things, too. Now, when we talk about SSL and TLS, let's start with SSL
because it's the older protocol. SSL was what was created first. It was a way to start
securing the web as we wanted to start doing ecommerce. The last time SSL was
updated, though, was 1996 with SSL version three. It's really old. You shouldn't use
SSL. Instead, it's been replaced by TLS, Transport Layer Security. Now, everyone
watching this should be using TLS version 1.3, which is the latest and greatest right
now as of this filming. Now, often you're going to hear people call it SSL even if it's
TLS that you're using. People just say that incorrectly out of habit.

Downgrade Attack
A downgrade attack is when a protocol is tricked into using a lower quality version
instead of using the higher quality version that it was supposed to.
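TLS 1.3 includes a built-in check against this kind of version downgrade. The following is an added example that goes beyond the notes: per RFC 8446 section 4.1.3, a TLS 1.3-capable server that negotiates an older version marks the last 8 bytes of its ServerHello random, and a TLS 1.3 client checks for that marker. The function names are hypothetical and the sample records are constructed.

```python
import struct

# RFC 8446 section 4.1.3: markers a TLS 1.3-capable server places in the last
# 8 bytes of ServerHello.random when it negotiates an older version.
SENTINEL_TLS12 = b"DOWNGRD\x01"   # negotiated TLS 1.2
SENTINEL_TLS11 = b"DOWNGRD\x00"   # negotiated TLS 1.1 or below
TLS13 = 0x0304


def parse_server_hello(record):
    """Return (negotiated_version, server_random) from one ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record")
    ctype, _legacy, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or len(body) < 4 or body[0] != 2:
        raise ValueError("not a ServerHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]      # legacy_version field
    random = hello[2:34]
    pos = 35 + hello[34] + 3     # skip session id, cipher suite, compression
    if len(hello) >= pos + 2:    # an extensions block is present
        end = min(pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0], len(hello))
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            if pos + 4 + ext_len > end:
                break            # malformed extension, stop parsing
            if ext_type == 43 and ext_len == 2:      # supported_versions
                version = struct.unpack("!H", hello[pos + 4:pos + 6])[0]
            pos += 4 + ext_len
    return version, random


def downgrade_detected(record, client_max=TLS13):
    """True if the server signals it could have done better than it negotiated."""
    version, random = parse_server_hello(record)
    if version >= client_max:
        return False
    return random[-8:] in (SENTINEL_TLS12, SENTINEL_TLS11)


def build_server_hello(random, selected_version=None):
    """Build a constructed ServerHello record (cipher suite is not inspected)."""
    hello = struct.pack("!H", 0x0303) + random + b"\x00" + b"\xc0\x2f" + b"\x00"
    if selected_version is not None:
        ext = struct.pack("!HHH", 43, 2, selected_version)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0303, len(handshake)) + handshake


# Constructed samples: a TLS 1.3 answer, a server that only speaks TLS 1.2,
# and a TLS 1.3-capable server that was pushed down to TLS 1.2.
HONEST_TLS13 = build_server_hello(bytes(range(32)), selected_version=TLS13)
HONEST_TLS12 = build_server_hello(bytes(range(32)))
DOWNGRADED = build_server_hello(bytes(24) + SENTINEL_TLS12)
```

A client that sees the marker aborts the handshake instead of continuing on the weaker version.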

SSH
SSH, or Secure Shell, is another protocol that we often use to tunnel other protocols
through. Secure Shell is a protocol that we can use to create a secure channel between two
computers or network devices, and this allows one device to actually take control
over another device. So, if I wanted to connect my laptop to a server so that I can do
remote execution of commands as a system administrator, I would use Secure Shell
to do that. Basically, Secure Shell was designed as a replacement for Telnet
because Telnet, we've already said, is bad. Telnet sends everything in the clear and
unencrypted. SSH, on the other hand, allows us to have this nice encrypted tunnel
that protects our data. SSH was originally used in Unix and Linux, but now you're
finding it in Windows as well. It is very heavily used as a text-based remote control
method for anything that you need to be able to get into and do remote control of,
things like routers and switches, you Telnet into them to get to their command line
and be able to set up commands.

The earlier versions, version 1 and 1.5, had issues with unauthorized insertion of
content, improper forwarding of those secure connections to other servers, and
integer overflow issues. But all of that was fixed, thankfully, in SSH version 2.
Version 2 also added Diffie-Hellman for secure key exchanges and the use of MACs,
which are Message Authentication Codes, and this provides us integrity checking of
the data as it's being transferred over the network. This makes SSH a great tool for
us and something that we heavily, heavily use as security administrators and
network administrators.

VPN Protocols

PPTP
This is a protocol that encapsulates PPP packets and ultimately sends data out as
encrypted traffic. Now, what is PPP? PPP is the Point-to-Point Protocol, and it was
originally used for dial-up connections, but it's used in combination with the PPTP
protocol over Port 1723 to allow servers and devices to connect over a wide area
network like the Internet. Now, PPTP uses CHAP-based authentication, and that
makes it vulnerable to attack. If you're going to use PPTP for your VPNs, you should
always require that a strong authentication mechanism be used instead, something like
EAP-TLS, like we've talked about before. This is going to rely on PKI and digital
certificates for stronger authentication. Otherwise, you should look at something like
L2TP or IPSec.

L2TP
L2TP is the Layer 2 Tunneling Protocol. This is going to give you a connection
between two or more computers or devices that aren't on the same private network.
Notice, here I didn't use the word secure. That is because L2TP is not secure on its
own and it provides no encryption and no confidentiality by itself. Instead, we usually
are going to pair it with IPSec to provide that security. IPSec is going to provide us
with the encryption and confidentiality while we're using L2TP, and this is going to
enable us to use things like PKI with L2TP if we're using Windows Servers as part of
that authentication process. L2TP is used over Port 1701, as you may
remember from our Ports and Protocol lesson.

IPSec
Now, IPSec is a TCP protocol that authenticates and encrypts IP packets, effectively
securing those communications between computers and devices using the protocol.
This is going to create a nice secure tunnel for us that we can send our traffic and
create our VPNs across. This is what we use heavily inside of VPNs. Now, when we
talk about IPSec, IPSec is going to provide us confidentiality by giving us encryption.
It's going to provide integrity for us by using hashing and it's going to give us
authentication by performing a key exchange.

When we talk about that key exchange, it's known as IKE, the Internet Key
Exchange. This is a method that's used by IPSec to create a secure tunnel by
encrypting the connection between authenticated peers. This can occur in one of
three ways: Main mode, Aggressive mode, or Quick mode.

1. In Main mode, there are three separate exchanges that are going to occur.
2. When we use Aggressive mode, the key exchange is going to happen more
quickly, and it still achieves basically the same result as Main mode, but it only
uses three packets.
3. If we decide to use Quick mode, only the negotiated parameters of the IPSec
session are going to be handled.

This key exchange occurs during the establishment of an IPSec tunnel in two
different phases. So, let's take a look at how this happens.

SA

Well, a Security Association, or an SA, is an establishment of secure connections
and shared security information using certificates or cryptographic keys. So,
basically, it's you trust me and I trust you, we've shared information and now, we
know each other and we've verified our identities.

AH

Now, the next thing we have to talk about is the concept of an Authentication
Header, or AH. The Authentication Header is a protocol used by IPSec to
provide integrity and authentication. The Authentication Header is actually hashed to
provide that integrity, and it's often used with an Encapsulating Security Payload,
known as an ESP.

ESP

An ESP is going to provide you integrity, confidentiality, and authentication for the
packets by encapsulating them and encrypting them.

So, by using just the Authentication Header, we're going to get integrity and
authenticity. But, if we use ESP as well, we’re going to get integrity, confidentiality,
and authenticity. So, a lot of times we'll use both of them to get us a more secure
tunnel.

Modes

Transport mode is a host-to-host mode that encrypts only the payload of an IP
packet, not its header. Tunnel mode creates an end-to-end network tunnel that
encrypts the entire IP packet, both the payload and the header.

Hardening
We can mitigate the risk by minimizing the vulnerabilities in an effort to reduce our
exposure to threats, but we can't eliminate the risk completely. Risk can only be
minimized because there's always some kind of threat and some kind of vulnerability
in a given system.

Restricting Applications & Services

In our corporate networks, it's common for us to create a secure baseline image that
we use for all of the workstations across the company. This image will have the
operating system, the minimum applications required, and strict configuration
policies that are set up for all of those machines.

We can use Microsoft's System Center Configuration Manager, or SCCM, a tool
that allows us as admins to manage large amounts of software across the network,
as well as push out new configurations and policy updates to all of our PCs.

With application whitelisting, only applications that are on the approved list are
allowed to be run by the operating system. All the other applications are blocked
from running.

With application blacklisting, any application that's placed on a list will be prevented
from running, while all of the other applications will be permitted to run.

Using application whitelisting is much more secure, because everything is denied by
default, and only the applications listed can actually run.

Windows Services
We're going to hit on the Windows key in the corner, the start menu, and we're going
to type in [Link] and hit enter.

We can do this same thing inside the command prompt. To do that, just click on your
Windows key and type command prompt, or CMD.

From here, you can use sc, which controls services, followed by stop and the
name of the service. For the program that we just stopped, it is wuauserv, which is
the name of the Windows Update program.

The other way you can stop this in Windows is using the net command. And it's net
stop and the name of the service that you want to stop.

Mac OS X Services
To do that, first we're going to create something to kill. So, I'm
just going to create a Textpad, and I'm going to call it kill this process when ready,
and that just gives me something that I'm going to be able to kill. Now, to find it, I'm
going to go ahead and use the Activity Monitor, which is under your applications,
then go to utilities, and then Activity Monitor. From here, I'm going to sort by process
name and find TextEdit.

And if I want to get rid of this, all I have to do is quit. It's going to ask me if I want to
quit it cleanly, like you normally would quit an application, or force quit it, which
terminates it immediately.

Linux Services
I can use the command top. Top will show me what processes are currently running.
Processes are also known as services.
In this case, it's the TextEdit, and the process ID is 2513. So, what I'm going to do is
I'm going to quit. And to kill it, you just type in kill and the process ID, 2513, and
watch on the right side as TextEdit goes away.

Trusted OS & Patches


What operating systems meet the criteria to be called a Trusted Operating System?
Well, every version of Windows since Windows 7 is considered a Trusted Operating
System. This includes Windows 8, Windows 10, Windows Server 2012, and
Windows Server 2016. Also, every version of Mac OS X since version 10.6 is
classified as a Trusted Operating System. If you're using FreeBSD, if you load the
TrustedBSD extensions, this is also considered trusted, as well as Red Hat
Enterprise Server.

For a Windows machine, you simply run the [Link] program from the
Command Prompt and it'll display the exact version and build of the software.

Originally, a hotfix was different from a patch. A hotfix could be installed without
requiring a reboot of your system. But a patch required a system reboot. Over time,
patches and hotfixes began to be used interchangeably by most manufacturers.
Today, whether you call it a patch or a hotfix, it really refers to the same thing.

Update Categories

1. First, we have a Security Update. Security updates are a type of software
code that's specifically issued for a product-specific, security-related
vulnerability. So, if a hacker finds a bug in the code for Microsoft Word, that
may allow them to breach your security. Microsoft would release a security
update that contains a patch to correct the bug in the code.

2. The second type of update is a Critical Update. A critical update is a piece of
software that's designed for a specific problem that addresses a critical,
non-security bug in a piece of software.

3. A third type of update we have is a Service Pack. A service pack is actually a
grouping of other patches. It contains hotfixes, security updates, critical
updates, and possibly even some feature or design changes. Service packs
are commonly seen with an operating system update.

4. The next type is called a Windows Update. This is a recommended update to
fix a non-critical problem that certain users have found, and it may also
provide some additional features or capabilities.

5. The final type of update is a Driver Update. Driver updates provide either a
security fix or additional features for a supported piece of hardware.

Patch Management
There are four steps to patch management:
1. Planning
2. Testing
3. Implementing
4. Auditing

Microsoft actually provides a useful tool that can help us in determining the status of
our system, and whether or not a patch needs to be applied. This is known as the
Microsoft Baseline Security Analyzer or MBSA.

Group Policies
A Group Policy is a set of rules or policies that can be applied to a set of users or
computer accounts within an operating system. Now, to access the Group Policy
Editor, simply go to the run prompt and enter gpedit.

A large part of hardening the operating system occurs through loading different
Group Policy Objects, or GPOs, against the workstation or against the server.
These Group Policies are also used to create a secure baseline as part of your
larger Configuration Management Program.

FS
We have things like:

1. NTFS
2. FAT32
3. ext4
4. Hierarchical File System Plus - HFS+
5. Apple File System.

FS Checks
If you're running Windows, you can do this by running Check Disk, and the System
File Checker.

If you're using Linux, you should do a file system check by typing fsck in the terminal.

If you're using OS X, you can run First Aid from within the Disk Utility application.

Automation
Workflow orchestration
In this lesson, we're going to start talking about orchestration because orchestration
is the automation of multiple steps in a deployment process.

Orchestration is the automation of automations.

Now, when you start talking about orchestration, there are really three types of
orchestration.

The first one is resource orchestration. This is used to provision and allocate
resources within a cloud environment or other solution.

When you talk about workload orchestration, this is for the management of
applications and other cloud workloads that need to be performed, and basically
looking at the components to create the product you need.

The third one that we have, is what's known as service orchestration, this is going to
be used to deploy services into cloud environments.

Notice the differences here. A resource is something like an EC2 instance in Amazon:
you're going to start up a new server, a new VM. If you're dealing with workload
orchestration, this is about managing apps and other things that are working
together. And when we talk about service orchestration, this is working on those
services themselves.

CI/CD
1. Development
2. Testing/Integration
3. Staging
4. Production

Continuous integration is a software development method where code updates are
tested and committed to a development or build server or code repository rapidly.
So, this allows us to create something, test it, and then once we know it's good, we
can say, this is ready to be implemented in the environment.

Now, when I talk about continuous delivery, this is a software development method
where the application and platform requirements are frequently tested and validated
for immediate availability.

Now, with continuous deployment, we take the concept of continuous integration
and continuous delivery, and we take it even one step further. Now, we have a
software development model where application and platform updates are committed
to production rapidly. Essentially, I'm going to create some new piece of code, maybe
a security fix. It's going to go through integration testing. Once that's been approved,
it goes back to the code repository.

Now, when we talk about continuous delivery, I want you to remember that
continuous delivery is focused on automated testing of code in order to get it ready
for release. Not released, just ready for release. Now, when I talk about continuous
deployment, I'm taking it a step further. I'm focusing on automated testing and the
release of code in order to get it into the production environment much more quickly.

DevSecOps

DevOps
Now, DevOps was created to speed up the development and get things into
production faster. As I mentioned, DevOps really relies on the concepts of
continuous integration so that we all can be working together on the same thing and
make sure we don't have big divergent changes. Now, when we talk about DevOps,
this is an organizational culture shift that's going to combine the software
development and the systems operations people into one team. This is basically the
practice of integrating these two disciplines within a company.

DevSecOps
Now, this is development, security, and operations, and it's a combination of software
development, security operations, and systems operations, integrating all of
those disciplines together in one team. Now, this is a great way of doing things
because DevSecOps utilizes a shift-left mindset.

Infrastructure as Code or IAC
Now, when we talk about infrastructure as code, this is a provisioning architecture in
which the deployment of resources is performed by scripted automation and
orchestration. Now, we mentioned the fact that we use scripted automation and
orchestration in cloud computing all the time.

AI/ML

Artificial Intelligence
Now, artificial intelligence is the science of creating machines with the ability to
develop problem solving and analysis strategies without significant human direction
or intervention.

Machine Learning
Machine learning is a component of AI that really enables the machines to develop
strategies for solving a given task. Now, if you get a labeled dataset where the
features have been manually identified, but they don't have further explicit
instructions. And so, with machine learning, the concept here is that you have to
train the machine.

Artificial Neural Network or ANN

This is an architecture of input, hidden, and output layers that can perform
algorithmic analysis of a dataset to achieve outcome objectives. Now, essentially,
when we have an artificial neural network, these are the pathways that are being
created based on the learning it's doing.

Deep Learning
Now, when we talk about deep learning, this is a refinement of machine learning that
enables a machine to develop strategies for solving a task, given a labeled dataset.
Now, all of that, so far, sounds like machine learning, but here's the difference:
without further explicit instructions. So, I can just hand it a dataset and it will start
making its own determinations.

Virtualization
Virtualization is the creation of a virtual resource. Now, I know that's pretty broad, but
that's because virtualization itself is a broad category. We can virtualize anything.
This includes servers, desktops, file systems, hard drives, and even an entire
network.

A virtual machine is a container that contains an emulated computer that can run an
entire operating system inside of it. This includes emulation of all of the hardware
that's required to run the system. This means you have the hard drives, the optical
drives, video cards, processors, and even the BIOS being emulated.

Two main types of virtual machines:

1. System Virtual Machines
2. Processor Virtual Machines

A system virtual machine is a complete platform that's designed to take the place of
an entire computer. That means you can run the entire operating system virtually.

A processor virtual machine, on the other hand, is designed to run a single
application. Often, this is used to run something like a web browser or possibly even
a simple web server.

Hypervisors

A hypervisor may adjust the distribution of the physical resources of the server to the
virtual machines. This includes the processor, the memory, and the hard disk space.

Hypervisors come in two distinct flavors, Type 1 and Type 2.

A Type 1 hypervisor is known as bare metal, or native, since it runs directly on the
host hardware and functions as a type of operating system. Microsoft's Hyper-V,
Citrix's XenServer, and VMware's ESXi and vSphere are all considered Type 1
hypervisors.

A Type 2 hypervisor runs from within a normal operating system, something like
Windows, Mac, or Linux.

But there is a third type of virtualization that's becoming popular in our networks
today. This is called Application Container-Based Virtualization. With this type of
virtualization, the operating system kernel is shared across multiple virtual machines,
but the user space for each of these virtual machines is uniquely created and
managed. Often called Application Containerization, this allows an organization to
deploy and run distributed applications without launching a resource-heavy, full
virtual machine with a full operating system.

Container Virtualization is commonly used with Linux servers, and some examples of
Container-Based Virtualization software include things like Docker, Parallels
Virtuozzo, and the OpenVZ project.

Threats to VMs

VM escape
Virtual machine escape, or VM escape, occurs when an attacker is able to break out
of one of these normally isolated virtual machines and they can begin to interact
directly with the underlying hypervisor. From this position, the attacker could migrate
themselves out, and into another virtual machine being hosted on the same physical
server. Now, VM escape techniques are extremely difficult to conduct. They rely on
exploiting the physical resources that are shared between the VMs.

Data Remnants
When a server is scaled up, a new virtual instance is created on a physical server.
This instance takes up some hard drive space for all those files that represent the
virtual hard disk and the configurations. When this is no longer needed because the
load has decreased, the virtual machine can be deprovisioned, which means it's shut
down and the files are deleted. When this occurs, the confidential files from that
virtual machine are left on the physical server. This is known as a data remnant.
These data remnants could be recovered by an attacker, and therefore, it could
breach the confidentiality of that data.

Privilege elevation
Privilege elevation occurs when a user is able to grant themselves the ability to run
functions as a higher-level user, such as the root or the administrator. While this can
be bad on a single server, it can be catastrophic on a physical server if the attacker
is able to perform this on the hypervisor itself.
