Answers will vary.
The ISACA Certified Information Systems Auditor (CISA) and
Certified Information Security Manager (CISM) certifications are often mentioned.
The (ISC)2 Certified Information Systems Security Professional CISSP exam is also
mentioned frequently. (Note that the (ISC)2 also offers Certified in Cybersecurity
(CC) certification for entry-level job candidates). The GIAC Security Essentials
(GSEC) certification is also suitable for entry-level positions. Furthermore, the
CompTIA PenTest+ and Security+ exams are mentioned. Also relevant are the Cisco
CCNP and CCIE Security certifications. Finally, the EC-Council offers the Certified
Ethical Hacker (CEH).
b. Investigate training options for the certifications that you identified as being
appropriate to the prospective positions. Where can you take courses to prepare you
for those certifications?
Answer Area
Answers will vary. There are many ways to prepare for cybersecurity certifications.
Aside from books and free internet videos, formal education is available from
colleges and universities, either remotely or in person near you. Education course
sites, such as Coursera and Udemy, offer pathways to careers in Ethical Hacking. In
addition, the organizations that offer the certifications often also offer
training. Cybersecurity institutes, such as [Link] and InfoSec institute, have
training courses. Finally, Skills for All by Cisco offers a cybersecurity pathway
which will be adding new courses in the future.
Do you find that jobs are concentrated in any one area, or are they distributed?
Answer Area
The jobs are usually distributed because security services, such as penetration
testing, are required by many businesses.
What are the most common duties mentioned?
Answer Area
Answers will vary. Examples: Conduct penetration tests of applications, APIs, web
services, and networks. Assess physical security. Conduct security audits. Write
assessment reports. Verbal and written communication skills and reporting. Conduct
internal and external penetration testing and vulnerability assessment of servers,
web applications, web services, and databases.
THREAT ACTORS
Organized Crime
Several years ago, the cybercrime industry took over the number-one spot,
previously held by the drug trade, for the most profitable illegal industry. As you
can imagine, it has attracted a new type of cybercriminal. Just as it did back in
the days of Prohibition, organized crime goes where the money is. Organized crime
consists of very well-funded and motivated groups that will typically use any and
all of the latest attack techniques. Whether that is ransomware or data theft, if
it can be monetized, organized crime will use it.
Hacktivists
This type of threat actor is not motivated by money. Hacktivists are looking to
make a point or to further their beliefs, using cybercrime as their method of
attack. These types of attacks are often carried out by stealing sensitive data and
then revealing it to the public for the purpose of embarrassing or financially
affecting a target.
State-Sponsored Attackers
Cyber war and cyber espionage are two terms that fit into this category. Many
governments around the world today use cyber attacks to steal information from
their opponents and cause disruption. Many believe that the next Pearl Harbor will
occur in cyberspace. That’s one of the reasons the United States declared
cyberspace to be one of the operational domains that U.S. forces would be trained
to defend.
Insider Threats
An insider threat is a threat that comes from inside an organization. The
motivations of these types of actors are normally different from those of many of
the other common threat actors. Insider threats are often normal employees who are
tricked into divulging sensitive information or mistakenly clicking on links that
allow attackers to gain access to their computers. However, they could also be
malicious insiders who are possibly motivated by revenge or money.
ENVIRONMENTAL CONSIDERATIONS
Network Infrastructure Tests
Testing of the network infrastructure can mean a few things. For the purposes of
this course, we say it is focused on evaluating the security posture of the actual
network infrastructure and how it is able to help defend against attacks. This
often includes the switches, routers, firewalls, and supporting resources, such as
authentication, authorization, and accounting (AAA) servers and IPSs. A penetration
test on wireless infrastructure may sometimes be included in the scope of a network
infrastructure test. However, additional types of tests beyond a wired network
assessment would be performed. For instance, a wireless security tester would
attempt to break into a network via the wireless network either by bypassing
security mechanisms or breaking the cryptographic methods used to secure the
traffic. Testing the wireless infrastructure helps an organization to determine
weaknesses in the wireless deployment as well as its exposure. It often includes a
detailed heat map of the signal dispersion.
Application-Based Tests
This type of pen testing focuses on testing for security weaknesses in enterprise
applications. These weaknesses can include but are not limited to
misconfigurations, input validation issues, injection issues, and logic flaws.
Because a web application is typically built on a web server with a back-end
database, the testing scope normally includes the database as well. However, it
focuses on gaining access to that supporting database through the web application
compromise. A great resource that we mention a number of times in this book is the
Open Web Application Security Project (OWASP).
Penetration Testing in the Cloud
Cloud service providers (CSPs) such as Azure, Amazon Web Services (AWS), and Google
Cloud Platform (GCP) have no choice but to take their security and compliance
responsibilities very seriously. For instance, Amazon created the Shared
Responsibility Model to describe the AWS customers’ responsibilities and Amazon’s
responsibilities in detail (see [Link]
responsibility-model).
The responsibility for cloud security depends on the type of cloud model (software
as a service [SaaS], platform as a service [PaaS], or infrastructure as a service
[IaaS]). For example, with IaaS, the customer (cloud consumer) is responsible for
data, applications, runtime, middleware, virtual machines (VMs), containers, and
operating systems in VMs. Regardless of the model used, cloud security is the
responsibility of both the client and the cloud provider. These details need to be
worked out before a cloud computing contract is signed. These contracts vary
depending on the security requirements of the client. Considerations include
disaster recovery, service-level agreements (SLAs), data integrity, and encryption.
For example, is encryption provided end to end or just at the cloud provider? Also,
who manages the encryption keys–the CSP or the client?
Overall, you want to ensure that the CSP has the same layers of security (logical,
physical, and administrative) in place that you would have for services you
control. When performing penetration testing in the cloud, you must understand what
you can do and what you cannot do. Most CSPs have detailed guidelines on how to
perform security assessments and penetration testing in the cloud. Regardless,
there are many potential threats when organizations move to a cloud model. For
example, although your data is in the cloud, it must reside in a physical location
somewhere. Your cloud provider should agree in writing to provide the level of
security required for your customers. As an example, the following link includes
the AWS Customer Support Policy for Penetration Testing:
[Link]
Unknown-Environment Test
In an unknown-environment penetration test, the tester is typically provided only a
very limited amount of information. For instance, the tester may be provided only
the domain names and IP addresses that are in scope for a particular target. The
idea of this type of limitation is to have the tester start out with the
perspective that an external attacker might have. Typically, an attacker would
first determine a target and then begin to gather information about the target,
using public information, and gain more and more information to use in attacks. The
tester would not have prior knowledge of the target’s organization and
infrastructure. Another aspect of unknown-environment testing is that sometimes the
network support personnel of the target may not be given information about exactly
when the test is taking place. This allows for a defense exercise to take place as
well, and it eliminates the issue of a target preparing for the test and not giving
a real-world view of how the security posture really looks.
Known-Environment Test
In a known-environment penetration test, the tester starts out with a significant
amount of information about the organization and its infrastructure. The tester
would normally be provided things like network diagrams, IP addresses,
configurations, and a set of user credentials. If the scope includes an application
assessment, the tester might also be provided the source code of the target
application. The idea of this type of test is to identify as many security holes as
possible. In an unknown-environment test, the scope may be only to identify a path
into the organization and stop there. With known-environment testing, the scope is
typically much broader and includes internal network configuration auditing and
scanning of desktop computers for defects. Time and money are typically deciding
factors in the determination of which type of penetration test to complete. If a
company has specific concerns about an application, a server, or a segment of the
infrastructure, it can provide information about that specific target to decrease
the scope and the amount of time spent on the test but still uncover the desired
results. With the sophistication and capabilities of adversaries today, it is
likely that most networks will be compromised at some point, and a white-box
(known-environment) approach is not a bad option.
Partially Known Environment Test
A partially known environment penetration test is somewhat of a hybrid approach
between unknown- and known-environment tests. With partially known environment
testing, the testers may be provided credentials but not full documentation of the
network infrastructure. This would allow the testers to still provide results of
their testing from the perspective of an external attacker’s point of view.
Considering the fact that most compromises start at the client and work their way
throughout the network, a good approach would be a scope where the testers start on
the inside of the network and have access to a client machine. Then they could
pivot throughout the network to determine what the impact of a compromise would be.
NOTE: A red team is a group of cybersecurity experts and penetration testers hired
by an organization to mimic a real threat actor by exposing vulnerabilities and
risks regarding technology, people, and physical security. A blue team is a
corporate security team that defends the organization against cybersecurity threats
(that is, the security operation center analysts, computer security incident
response teams [CSIRTs], information security [InfoSec] teams, and others).
REGULATORY COMPLIANCE CONSIDERATIONS
1 PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) regulation aims to
secure the processing of credit card payments and other types of digital payments.
PCI DSS specifications, documentation, and resources can be accessed at
[Link]
2 HIPAA
The original intent of the Health Insurance Portability and Accountability Act of
1996 (HIPAA) regulation was to simplify and standardize healthcare administrative
processes. Administrative simplification called for the transition from paper
records and transactions to electronic records and transactions. The U.S.
Department of Health and Human Services (HHS) was instructed to develop and publish
standards to protect an individual’s electronic health information while permitting
appropriate access and use of that information by healthcare providers and other
entities. Information about HIPAA can be obtained from
[Link]
3 FedRAMP
The U.S. federal government uses the Federal Risk and Authorization Management
Program (FedRAMP) standard to authorize the use of cloud service offerings. You can
obtain information about FedRAMP at [Link]