Today’s Security Professional

Chapter 1
 OBJECTIVES COVERED

Domain 1.0: Threats, Attacks, and Vulnerabilities

1.5. Explain different threat actors, vectors, and
intelligence source.
• 1.6. Explain the security concerns associated
with various types of vulnerabilities.
EXPLORING CYBERSECURITY
THREATS
CLASSIFYING CYBERSECURITY THREATS

Level of sophistication/
Internal vs. external
capability

Characteristics that
differentiate cybersecurity
threat actors

Resources/funding Intent/motivation
 THREAT ACTORS

Script Kiddies
• A derogatory term for people who use hacking
techniques but have limited skills
• Script kiddies can be a real threat because simplistic
hacking tools are freely available on the Internet and
they are plentiful and unfocused in their work

Hacktivists
• People who use hacking techniques to accomplish
some activist goal.
• The motivations, skill levels, and resources of
hacktivists vary widely.
• There are some organized groups of hacktivists, such
as the hacking group Anonymous.
 CRIMINAL SYNDICATES

Cyber-dependent crime

Cybercrime categories
Child sexual exploitation

Payment fraud

Dark web

Terrorism

Cross-cutting crime factors

ADVANCED PERSISTENT THREATS (APTS)

Attackers used advanced techniques, not

1
simply tools downloaded from the Internet
Attacks are persistent, occurring over a
2
significant period of time

Political Economic
Motivation Motivation
 INSIDERS

1 Insider attacks occur when an employee,

contractor, vendor or other individual with
authorized access to information and systems
uses that access to wage an attack against the
organization.

2 Insiders’ skill levels and motivations vary

widely.

3 An insider will usually be working alone and

have limited financial resources and time;
however, he or she might have significant
access and knowledge based on the job role.
THREAT VECTORS

E-mail and Social Media

Direct Access

Wireless Networks

Removable Media

Cloud

Third-Party Risks
THREAT DATA AND
INTELLIGENCE
OPEN-SOURCE INTELLIGENCE
PROPRIETARY AND CLOSED-SOURCE
INTELLIGENCE
 ASSESSING THREAT INTELLIGENCE

1. Is it timely? A feed that is operating on delay can

cause you to miss a threat or to react after the
threat is no longer relevant.
2. Is the information accurate? Can you rely on
what it says, and how likely is it that the
assessment is valid? Does it rely on a single
source or multiple sources? How often are those
sources correct?
3. Is the information relevant? If it describes the
wrong platform, software, or reason for the
organization to be targeted, the data may be very
timely, very accurate, and completely irrelevant
to your organization.
THREAT INDICATOR MANAGEMENT AND
EXCHANGE

STIX

TAXII OpenIOC
 PUBLIC AND PRIVATE INFORMATION
SHARING CENTERS

• Information Sharing and Analysis Centers

• Specific US agencies or department partners
for each critical infrastructure area
• https://www.dhs.gov/cisa/critical-infrastruc
ture-sectors
• Outside the US - The UK’s Centre for Protection
of National Infrastructure
• https://www.cpni.gov.uk/
CONDUCTING YOUR OWN RESEARCH

Vendor security information websites

Vulnerability and threat feeds from vendors,

government agencies, and private organizations

Academic journals and technical publications

Professional conferences and local industry group

meetings

Social media accounts of prominent security

professionals
 OBJECTIVES COVERED

Domain 1.0: Threats, Attacks, and Vulnerabilities

• 1.6 Explain the security concerns associated
with various types of vulnerabilities.
Domain 2.0: Architecture and Design
• 2.1 Explain the importance of security concepts
in an enterprise environment.
Domain 5.0: Governance, Risk, and Compliance
• 5.1 Compare and contrast various types of
controls.
CYBERSECURITY OBJECTIVES
THREE KEY OBJECTIVES
DATA BREACH RISKS
 THE DAD TRIAD

<INSERT FIGURE
1.2 FROM BOOK
WHEN
AVAILABLE>
 BREACH IMPACT

Financial
Risk

Reputational Strategic
Risk Risk

Operational Compliance
Risk Risk
IMPLEMENTING SECURITY
CONTROLS
 SECURITY CONTROL CATEGORIES

• Enforce confidentiality, integrity,

Technical and availability in the digital
controls space

• Include the processes that we put

Operational in place to manage technology in
controls a secure manner

Managerial • Focus on the mechanics of the

controls risk management process
 SECURITY CONTROL TYPES

Preventive Detective
controls controls

Corrective Deterrent
controls controls

Compensating
Physical controls
controls
DATA PROTECTION
 THREE STATES

Data at rest

Data in Data in
processing motion
 DATA PROTECTION
Data Protection

Data Loss Data

Data Encryption
Prevention Minimization

Data
Host-based DLP
obfuscation

Network DLP Hashing

Pattern
matching Tokenization

Watermarking Masking
Cybersecurity Threat Landscape

Chapter 2
 OBJECTIVES COVERED

Domain 1.0: Threats, Attacks, and Vulnerabilities

1.5. Explain different threat actors, vectors, and
intelligence source.
• 1.6. Explain the security concerns associated
with various types of vulnerabilities.
EXPLORING CYBERSECURITY
THREATS
CLASSIFYING CYBERSECURITY THREATS

Level of sophistication/
Internal vs. external
capability

Characteristics that
differentiate cybersecurity
threat actors

Resources/funding Intent/motivation
 THREAT ACTORS

Script Kiddies
• A derogatory term for people who use hacking
techniques but have limited skills
• Script kiddies can be a real threat because simplistic
hacking tools are freely available on the Internet and
they are plentiful and unfocused in their work

Hacktivists
• People who use hacking techniques to accomplish
some activist goal.
• The motivations, skill levels, and resources of
hacktivists vary widely.
• There are some organized groups of hacktivists, such
as the hacking group Anonymous.
 CRIMINAL SYNDICATES

Cyber-dependent crime

Cybercrime categories
Child sexual exploitation

Payment fraud

Dark web

Terrorism

Cross-cutting crime factors

ADVANCED PERSISTENT THREATS (APTS)

Attackers used advanced techniques, not

1
simply tools downloaded from the Internet
Attacks are persistent, occurring over a
2
significant period of time

Political Economic
Motivation Motivation
 INSIDERS

1 Insider attacks occur when an employee,

contractor, vendor or other individual with
authorized access to information and systems
uses that access to wage an attack against the
organization.

2 Insiders’ skill levels and motivations vary

widely.

3 An insider will usually be working alone and

have limited financial resources and time;
however, he or she might have significant
access and knowledge based on the job role.
THREAT VECTORS

E-mail and Social Media

Direct Access

Wireless Networks

Removable Media

Cloud

Third-Party Risks
THREAT DATA AND
INTELLIGENCE
OPEN-SOURCE INTELLIGENCE
PROPRIETARY AND CLOSED-SOURCE
INTELLIGENCE
 ASSESSING THREAT INTELLIGENCE

1. Is it timely? A feed that is operating on delay can

cause you to miss a threat or to react after the
threat is no longer relevant.
2. Is the information accurate? Can you rely on
what it says, and how likely is it that the
assessment is valid? Does it rely on a single
source or multiple sources? How often are those
sources correct?
3. Is the information relevant? If it describes the
wrong platform, software, or reason for the
organization to be targeted, the data may be very
timely, very accurate, and completely irrelevant
to your organization.
THREAT INDICATOR MANAGEMENT AND
EXCHANGE

STIX

TAXII OpenIOC
 PUBLIC AND PRIVATE INFORMATION
SHARING CENTERS

• Information Sharing and Analysis Centers

• Specific US agencies or department partners
for each critical infrastructure area
• https://www.dhs.gov/cisa/critical-infrastruc
ture-sectors
• Outside the US - The UK’s Centre for Protection
of National Infrastructure
• https://www.cpni.gov.uk/
CONDUCTING YOUR OWN RESEARCH

Vendor security information websites

Vulnerability and threat feeds from vendors,

government agencies, and private organizations

Academic journals and technical publications

Professional conferences and local industry group

meetings

Social media accounts of prominent security

professionals
Malicious Code

Chapter 3
 OBJECTIVES COVERED

Domain 1.0: Threats, Attacks, and Vulnerabilities

1.2 Given a scenario, analyze potential indicators
to determine the type of attack.
• 1.4 Given a scenario, analyze potential
indicators associated with network attacks.
MALWARE
 MALWARE

Ransomware
• A kind of malware that takes over a computer then demands
a ransom.
• An effective backup system that stores files in a separate
location will not be impacted if the system or device it backs
up is infected and encrypted by ransomware.

Trojans
• A type of malware that is typically disguised as legitimate
software.
• They rely on unsuspecting individuals running them, thus
providing attackers with a path into a system or device.
 MALWARE

Worms
• Self-install and spread themselves.
• Worms can spread via email attachments, network file
shares, or other methods.

Rootkits
• Specifically designed to allow attackers to access a system
through a backdoor.
• The best ways to prevent rootkits are normal security
practices, including patching, use of secure configurations,
and ensuring that privilege management is used.
• Tools like secure boot and techniques that can validate live
systems and files can also be used to help prevent rootkits
from being successfully installed or remaining resident.
 MALWARE

Backdoors
• Provide access that bypasses normal authentication and
authorization procedures, allowing attackers access to
systems, devices, or applications.
• Can be both hardware and software based; can be included
in Trojans and rootkits.

Bots
• Are remotely controlled systems or devices that have a
malware infection.
• Groups of bots are known as botnets, and botnets are used
by attackers who control them to perform various actions
ranging from additional compromises and infection to denial
of service attacks or acting as spam relays.
CLIENT/SERVER BOTNET CONTROL
MODEL
PEER TO PEER BOTNET CONTROL MODEL
 MALWARE

Keyloggers
• Are programs that capture keystrokes from keyboards to
capture user input to be analyzed and used by an attacker.
• Preventing software keylogging typically focuses on normal
security best practices to ensure that malware containing a
keylogger is not installed.

Logic bombs
• Are functions or code that are placed inside of other
programs that will activate when set conditions are met.
• Logic bombs are a consideration in software development
and systems management and can have a significant impact
if they successfully activate.
 MALWARE

Viruses
• Are malicious programs that self-copy and self-replicate.
• Viruses come in many varieties, including: Memory resident
viruses, non-memory resident, boot sector viruses, macro
viruses, email viruses.

Fileless virus
• Spread via methods like spam email and malicious websites
and exploit flaws in browser plugins and web browsers
themselves.
FILELESS VIRUS ATTACK CHAIN
 MALWARE

Spyware
• A kind of malware that is designed to obtain information
about an individual, organization, or system.
• Spyware is most frequently combated using anti-malware
tools, although user awareness can help prevent the
installation of spyware that is included in installers for
software or through other means where spyware may
appear to be a useful tool or innocuous utility.

PUPs
• PUPs are typically installed without the user’s awareness or
as part of a software bundle or other installation.
• A discussion around awareness and best practices with the
end-user, removal with appropriate tools, and a return to
normal operation may be the best solution.
MALICIOUS CODE
 MALICIOUS CODE

Visual Basic for

Applications
(VBA)

PowerShell Macros

Target for
malicious
actors
(Windows
System)
ADVERSARIAL ARTIFICIAL
INTELLIGENCE
ADVERSARIAL ARTIFICIAL INTELLIGENCE

• Basic Actions
• Understand the quality and security of source
data.
• Work with AI and ML developers to ensure
that they are working in secure environments
and that data sources, systems, and tools are
maintained in a secure manner.
• Ensure that changes to AI and ML algorithms
are reviewed, tested, and documented.
• Encourage reviews to prevent intentional or
unintentional bias in algorithms.
• Engage domain experts wherever possible.
Social Engineering, Physical, and
Password Attacks
Chapter 4
 OBJECTIVES COVERED

Domain 1.0: Threats, Attacks, and Vulnerabilities

1.1 Compare and contrast different types of social
engineering techniques.
• 1.2 Given a scenario, analyze potential
indicators to determine the type of attack.
Domain 4.0: Operations and Incident Response
• 4.1 Given a scenario, use the appropriate tool
to assess organizational security.
SOCIAL ENGINEERING
 SEVEN KEY PRINCIPLES

Authority Intimidation Consensus

Scarcity Trust

Urgency Familiarity
SOCIAL ENGINEERING TECHNIQUES

Phishing
Credential harvesting
Website attacks
Spam
In-person techniques
Identity fraud and impersonation
Reconnaissance
PASSWORD ATTACKS
CRITICAL PASSWORD RELATED ATTACK

Brute force attacks

Password spraying attacks

Dictionary attacks
JOHN THE RIPPER
PHYSICAL ATTACKS
 PHYSICAL ATTACKS

Malicious flash drive attacks

Common examples
Malicious USB cables

Card cloning attacks

Supply chain attacks

Security Assessment and Testing

Chapter 5
 OBJECTIVES COVERED

Domain 1.0: Threats, Attacks, and Vulnerabilities

1.6. Explain the security concerns associated with
various types of vulnerabilities.
1.7. Summarize the techniques used in security
assessments.
1.8 Explain the techniques used in penetration
testing.
• 4.1 Given a scenario, use the appropriate tool
to assess organizational security.
VULNERABILITY
MANAGEMENT
 IDENTIFYING SCAN TARGETS

• Sample questions
• What is the data classification of the
information stored, processed, or transmitted
by the system?
• Is the system exposed to the Internet or other
public or semipublic networks?
• What services are offered by the system?
• Is the system a production, test, or
development system?
QUALYS ASSET MAP
DETERMINING SCAN FREQUENCY

Risk appetite

Licensing Regulatory
limitations requirements

Business Technical
constraints constraints
CONFIGURING A NESSUS SCAN
SAMPLE NESSUS SCAN REPORT
CONFIGURING VULNERABILITY SCANS

Scan Sensitivity Levels

Supplementing Network Scans

Scan Perspective
NESSUS SCAN TEMPLATES
DISABLING UNUSED PLUG-INS
CONFIGURING CREDENTIALED
SCANNING
CHOOSING A SCAN APPLIANCE
SCANNER SOFTWARE
VULNERABILITY PLUG-IN FEEDS
 VULNERABILITY SCANNING TOOLS

Infrastructure Web
Application
Vulnerability Application
Scanning
Scanning Scanning

Tenable’s
Static testing Nikto
Nessus

Qualys’s
Dynamic
vulnerability Arachni
testing
scanner

Rapid7’s Interactive
Nexpose testing

OpenVAS
NIKTO WEB APPLICATION SCANNER
ARACHNI WEB APPLICATION SCANNER
REVIEWING & INTERPRETING
SCAN REPORTS
REVIEWING & INTERPRETING
SCAN REPORTS
 UNDERSTANDING CVSS

Attack Vector Metric

Attack Complexity Metric
Privileges Required Metric
Eight metrics
User Interaction Metric
Confidentiality Metric
Integrity Metric
Availability Metric
Scope Metric
 CVSS ATTACK VECTOR METRIC

VALUE DESCRIPTION SCOR

E
Physical (P) The attacker must physically touch 0.20
the vulnerable device.

Local (L) The attacker must have physical or 0.55

logical access to the affected
system.
Adjacent The attacker must have access to 0.62
Network (A) the local network that the affected
system is connected to.

Network (N) The attacker can exploit the 0.85

vulnerability remotely over a
network.
 CVSS ATTACK COMPLEXITY METRIC

VALUE DESCRIPTION SCOR

E

High (H) Exploiting the vulnerability requires 0.44

“specialized” conditions that would
be difficult to find.

Low (L) Exploiting the vulnerability does not 0.77

require any specialized conditions.
CVSS PRIVILEGES REQUIRED METRIC

VALUE DESCRIPTION SCORE

High Attackers require administrative 0.270 (or

(H) privileges to conduct the attack. 0.50 if
Scope is
Changed)

Low (L) Attackers require basic user privileges to 0.62 (or

conduct the attack. 0.68 if
Scope is
Changed)

None Attackers do not need to authenticate 0.85

(N) to exploit the vulnerability.
 CVSS USER INTERACTION METRIC

VALUE DESCRIPTION SCOR

E

None (N) Successful exploitation does not 0.85

require action by any user other than
the attacker.

Required Successful exploitation does require 0.62

(R) action by a user other than the
attacker.
 CVSS CONFIDENTIALITY METRIC

VALUE DESCRIPTION SCOR

E

None (N) There is no confidentiality impact. 0.00

Low (L) Access to some information is possible, 0.22

but the attacker does not have control
over what information is
compromised.

High (H) All information on the system is 0.56

compromised.
 CVSS INTEGRITY METRIC

VALUE DESCRIPTION SCOR

E

None (N) There is no integrity impact. 0.00

Low (L) Modification of some information is 0.22
possible, but the attacker does not have
control over what information is
modified.

High (H) The integrity of the system is totally 0.56

compromised, and the attacker may
change any information at will.
 CVSS AVAILABILITY METRIC

VALUE DESCRIPTION SCOR

E

None (N) There is no availability impact. 0.00

Low (L) The performance of the system is 0.22

degraded.

High (H) The system is completely shut down. 0.56

 CVSS SCOPE METRIC

VALUE DESCRIPTION

Unchanged The exploited vulnerability can only affect

(U) resources managed by the same security
authority.

Changed (C) The exploited vulnerability can affect

resources beyond the scope of the security
authority managing the component
containing the vulnerability.
 INTERPRETING THE CVSS VECTOR

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

• Attack Vector: Network (score: 0.85)

• Attack Complexity: Low (score: 0.77)
• Privileges Required: None (score: 0.85)
• User Interaction: None (score: 0.85)
• Scope: Unchanged
• Confidentiality: High (score: 0.56)
• Integrity: None (score: 0.00)
• Availability: None (score: 0.00)
 SUMMARIZING CVSS SCORES

Calculating the Impact Sub-

Score (ISS)

Calculating the Impact Score

Calculating the Exploitability

Score

Calculating the Base Score

Categorizing CVSS Base Scores

CALCULATING THE IMPACT SUB-SCORE

• ISS = 1 – [(1 – Confidentiality) x (1-Integrity) x

(1-Availability)]
• Plugging in the values for our SSL vulnerability,
we obtain:
• ISS = 1 – [(1-0.56) x (1-0.00) x (1-0.00)]
• ISS = 1 – [0.44 x 1.00 x 1.00]
• ISS = 1 – 0.44
• ISS = 0.56
 CALCULATING THE IMPACT SCORE

• Impact = 6.42 * ISS

• Impact = 6.42 * 0.56
• Impact = 3.60
• If the scope metric is Changed, we use a more
complex formula:
• Impact = 7.52 x (ISS – 0.029) – 3.25 x (ISS –
0.02)15
 CALCULATING THE EXPLOITABILITY
SCORE

• Exploitability = 8.22 × AttackVector ×

AttackComplexity × PrivilegesRequired x
UserInteraction
• Plugging in values for our SSL vulnerability, we
get
• Exploitability = 8.22 x 0.85 x 0.77 x 0.85 x 0.85
• Exploitability = 3.89
 CALCULATING THE BASE SCORE

• If the impact is 0, the base score is 0.

• If the scope metric is Unchanged, calculate the
base score by adding together the impact and
exploitability scores.
• If the scope metric is Changed, calculate the
base score by adding together the impact and
exploitability scores and multiplying the result
by 1.08.
• The highest possible base score is 10. If the
calculated value is greater than 10, set the base
score to 10.
CATEGORIZING CVSS BASE SCORES

CVSS SCORE RATING

0.0 None
0.1-3.9 Low
4.0-6.9 Medium
7.0-8.9 High
9.0-10.0 Critical
 VALIDATING SCAN RESULTS

Report a Doesn’t report

vulnerability a vulnerability

Accurate True Positive True Negative

Inaccurate False Positive False Negative

RECONCILING SCAN RESULTS WITH
OTHER DATA SOURCES

Log reviews

Security
Configuration information
management and event
systems management
(SIEM) systems
SECURITY VULNERABILITIES
PATCH MANAGEMENT
LEGACY PLATFORMS
 WEAK CONFIGURATIONS

The use of default settings that pose a security risk

The presence of unsecured accounts

Open ports and services that are not necessary to

support normal system operations

Open permissions that allow users access that

violates the principle of least privilege
ERROR MESSAGES
INSECURE PROTOCOLS
 WEAK ENCRYPTION

The algorithm to use

to perform
encryption and
The encryption key to
decryption
use with that algorithm
INSECURE SSL CIPHER VULNERABILITY
PENETRATION TESTING
 ADOPTING THE HACKER MINDSET

Security cameras in high risk areas

Auditing of cash register receipts

Security Theft detectors at the main entrance/exit to

controls the store

Exit alarms on emergency exits

Burglar alarm wired to detect the opening of

doors outside of business hours
REASONS FOR PENETRATION TESTING

• Penetration testing provides us with visibility

into the organization’s security posture that
simply isn’t available by other means.
• Penetration testing complements and builds
upon those efforts.
• Penetration testers bring their unique skills and
perspective to the table and can take the
output of security tools and place them within
the attacker’s mindset.
BENEFITS OF PENETRATION TESTING

1
Penetration testing provides us with
knowledge that we can’t obtain elsewhere.

2
In the event that attackers are successful,
penetration testing provides us with an
important blueprint for remediation.

3
Penetration tests can provide us with
essential, focused information on specific
attack targets.
 PENETRATION TEST TYPES

White box Black box Gray box

 RULES OF ENGAGEMENT

• The timeline for the engagement and when

testing can be conducted
• What locations, systems, applications, or other
potential targets are included or excluded
• Data handling requirements for information
gathered during the penetration test
• What behaviors to expect from the target
• What resources are committed to the test
• Legal concerns should also be addressed
• When and how communications will occur
 RUNNING THE TEST

Initial access

Privilege
escalation

Pivoting (lateral
movement)

Persistence
TRAINING AND EXERCISES
 TRAINING AND EXERCISES

• Are the attackers who

Red Team attempt to gain access to
systems

• Are the defenders who

Blue Team must secure systems and
networks from attack

• Are the observers and

White Team judges
Secure Coding

Chapter 6
 OBJECTIVES COVERED

Domain 1.0: Threats, Attacks, and Vulnerabilities

• 1.3. Given a scenario, analyze potential
indicators associated with application attacks.
Domain 2.0: Architecture and Design
• 2.1. Explain the importance of security concepts
in an enterprise environment.
• 2.3 Summarize secure application development,
deployment, and automation concepts.
Domain 3.0: Implementation
• 3.2. Given a scenario, implement host or
application security solutions.
SOFTWARE ASSURANCE
BEST PRACTICES
THE SOFTWARE DEVELOPMENT
LIFE CYCLE
 SOFTWARE DEVELOPMENT PHASES

Analysis and
Feasibility requirements Design
definition

Training and Testing and

Development
transition integration

Ongoing
operations & Disposition
maintenance
SOFTWARE DEVELOPMENT MODELS

Waterfall

Agile Spiral
THE WATERFALL SDLC MODEL
THE SPIRAL SDLC MODEL
AGILE SPRINTS
DEVSECOPS AND DEVOPS

DevSecOps
DevOps
CONTINUOUS INTEGRATION AND
CONTINUOUS DEPLOYMENT
DESIGNING AND CODING
FOR SECURITY
 SECURE CODING PRACTICES

Define Security Requirements

OWASP’s top proactive controls for 2018

Leverage Security Frameworks and Libraries
Secure Database Access
Encode and Escape Data
Validate All Inputs
Implement Digital Identity
Enforce Access Controls
Protect Data Everywhere
Implement Security Logging and Monitoring
Handle All Errors and Exceptions
 API SECURITY

• APIs: Application programming interfaces

• Are interfaces between clients and servers
or applications and operating systems that
define how the client should ask for
information from the server and how the
server will respond.
 CODE REVIEW MODELS

Pair Programming

Over-the-Shoulder

Pass-Around Code Reviews

Tool-Assisted Reviews

Choosing a Review Method

Fagan Inspection
CODE REVIEW METHOD COMPARISON
FAGAN CODE REVIEW
SOFTWARE SECURITY
TESTING
ANALYZING AND TESTING CODE

Dynamic
Static code
code Fuzzing
analysis
analysis
INJECTION VULNERABILITIES
 INJECTION VULNERABILITIES

• SQL Injection Attacks

• Blind Content-Based SQL Injection
• Blind Timing-Based SQL Injection

• Code Injection Attacks

• Command Injection Attacks

BLIND CONTENT-BASED SQL INJECTION
BLIND CONTENT-BASED SQL INJECTION
COMMAND INJECTION ATTACKS
EXPLOITING AUTHENTICATION
VULNERABILITIES
 PASSWORD AUTHENTICATION
• A few of the possible ways that an attacker might discover a
user’s password:
• Conducting social engineering attacks that trick the user
into revealing a password, either directly or through a
false authentication mechanism
• Eavesdropping on unencrypted network traffic
• Obtaining a dump of passwords from previously
compromised sites and assuming that a significant
proportion of users reuse their passwords from that site
on other sites
 SESSION ATTACKS
• Session authentication with cookies

• Session cookie from CNN.com

 PASSWORD AUTHENTICATION

• There are several ways that an attacker might

obtain a cookie:
• Eavesdropping on unencrypted network
connections and stealing a copy of the cookie
as it is transmitted between the user and the
website.
• Installing malware on the user’s browser that
retrieves cookies and transmits them back to
the attacker.
• Engaging in a man-in-the-middle attack, where
the attacker fools the user into thinking that the
attacker is actually the target website and
presenting a fake authentication form.
SESSION REPLAY
EXPLOITING AUTHORIZATION
VULNERABILITIES
 AUTHORIZATION VULNERABILITIES

Insecure Direct Object References

Directory Traversal

File Inclusion

Privilege Escalation
 DIRECTORY TRAVERSAL

• INSERT FIGURE 6.15 FROM BOOK

WHEN AVAILABLE
FILE INCLUSION

Local file inclusion

attacks

Remote file inclusion

attacks
EXPLOITING WEB APPLICATION
VULNERABILITIES
 CROSS-SITE SCRIPTING (XSS)

Web-based exploits

Cross-Site Scripting
Request Forgery
(XSS)

Cross-Site Request
Reflected XSS
Forgery (CSRF/XSRF)

Server-Side Request
Stored/Persistent XSS
Forgery (SSRF)
 STORED/PERSISTENT XSS
• Message board post rendered in a browser

• XSS attack rendered in a browser

APPLICATION SECURITY
CONTROLS
APPLICATION SECURITY CONTROLS

Web Application
Input Validation
Firewalls

Database
Code Security
Security
WEB APPLICATION FIREWALL
 DATABASE SECURITY

• Normalization
• Prevent data inconsistency
• Prevent update anomalies
• Reduce the need for restructuring existing
databases, and
• Make the database schema more informative
• Parameterized Queries
• Obfuscation and Camouflauge
• Data minimization
• Tokenization
• Hashing
 CODE SECURITY

• Code Signing
• Code Reuse
• Software Diversity
• Code Repositories
• Integrity Measurement
• Application Resilience
• Scalability
• Elasticity
SECURE CODING PRACTICES
 SECURE CODING PRACTICES

• Source Code Comments

• Error Handling
• Hard-Coded Credentials
• Memory Management
• Race Conditions
• Unprotected APIs
• Driver Manipulation
SQL ERROR DISCLOSURE
 MEMORY MANAGEMENT

• Resource Exhaustion
• Pointer Dereferencing
• Buffer Overflows
• CVE 1999-1058: Buffer overflow in Vermillion
FTP Daemon
• CVE 2001-0876: Buffer overflow in Universal
Plug and Play (UPnP) on Windows 98, 98SE,
ME, and XP
• CVE 2002-0126: Buffer overflow in
BlackMoon FTP Server 1.0 through 1.5
• CVE 2003-0818: Multiple integer overflows in
Microsoft ASN.1 library
Cryptography and the Public Key
Infrastructure
Chapter 7
 OBJECTIVES COVERED

Domain 1.0: Threats, Attacks, and Vulnerabilities

• 1.2 Given a scenario, analyze potential
indicators to determine the type of attack.
Domain 2.0: Architecture and Design
• 2.1 Explain the importance of security concepts
in an enterprise environment.
• 2.8 Summarize the basics of cryptographic
concepts.
Domain 3.0: Implementation
• 3.9 Given a scenario, implement public key
infrastructure.
AN OVERVIEW OF
CRYPTOGRAPHY
HISTORICAL CRYPTOGRAPHY

Substitution Ciphers

Polyalphabetic Substitution

Transposition Ciphers

The Enigma Machine

Steganography
VIGENÈRE CIPHER TABLE
TRANSPOSITION CIPHERS
THE ENIGMA MACHINE
OPENSTEGO STEGANOGRAPHY TOOL
GOALS OF CRYPTOGRAPHY
GOALS OF CRYPTOGRAPHY

Confidentiality Integrity

Authentication Nonrepudiation
 CONFIDENTIALITY

• Two main types of cryptosystems enforce

confidentiality
• Symmetric cryptosystems
• Asymmetric cryptosystems
• Three types of data
• Data at rest
• Data in motion
• Data in use
AUTHENTICATION
CRYPTOGRAPHIC CONCEPTS
 CIPHERS

Block ciphers

• operate on “chunks,” or blocks, of a

message and apply the encryption
algorithm to an entire message block at the
same time.

Stream ciphers

• operate on one character or bit of a

message (or data stream) at a time.
MODERN CRYPTOGRAPHY
 CRYPTOGRAPHIC SECRECY

• Modern cryptosystems rely on the secrecy of

one or more cryptographic keys used to
personalize the algorithm for specific users or
groups of users.
• The length of a cryptographic key is an
extremely important factor in determining the
strength of the cryptosystem and the likelihood
that the encryption will not be compromised
through cryptanalytic techniques.
• The longer the key, the harder it is to break
the cryptosystem.
SYMMETRIC KEY ALGORITHMS
SYMMETRIC KEY ALGORITHMS’
WEAKNESSES

Key distribution is a major problem

Symmetric key cryptography does not

implement nonrepudiation

The algorithm is not scalable

Keys must be regenerated often

ASYMMETRIC KEY ALGORITHMS
 ASYMMETRIC KEY ALGORITHMS’
STRENGTHS

The addition of new users requires the generation of only one

public-private key pair

Users can be removed far more easily from asymmetric

systems

Key regeneration is required only when a user’s private key is

compromised

Asymmetric key encryption can provide integrity,

authentication, and nonrepudiation

Key distribution is a simple process

No preexisting communication link needs to exist

 COMPARISON OF SYMMETRIC AND
ASYMMETRIC CRYPTOGRAPHY SYSTEMS

SYMMETRIC ASYMMETRIC
Single shared key Key pair sets
Out-of-band exchange In-band exchange
Not scalable Scalable
Fast Slow
Bulk encryption Small blocks of data, digital
signatures, digital certificates
Confidentiality, integrity Confidentiality, integrity,
authentication, nonrepudiation
SYMMETRIC
CRYPTOGRAPHY
DATA ENCRYPTION STANDARD

Electronic Cipher Block

Codebook Mode Chaining Mode

Cipher Feedback Output

Mode Feedback Mode

Counter Mode
 TRIPLE DES

DES-EE3 E(K1,E(K2,E(K3,P)))

DES-EDE3 E(K1,D(K2,E(K3,P)))

DES-EEE2 E(K1,E(K2,E(K1,P)))

DES-EDE2 E(K1,D(K2,E(K1,P)))
ADVANCED ENCRYPTION STANDARD

128-bit keys require 10 rounds of encryption.

192-bit keys require 12 rounds of encryption.

256-bit keys require 14 rounds of encryption.

 SYMMETRIC KEY MANAGEMENT
• Creation and distribution of symmetric keys
• Offline distribution
• Public key encryption
• Diffie-Hellman
• Storage and destruction of symmetric keys
• Never store an encryption key on the same
system
• Provides two different individuals with half
of the key
• Key escrow and recovery
• Fair cryptosystems
• Escrowed encryption standard
ASYMMETRIC
CRYPTOGRAPHY
 ASYMMETRIC CRYPTOGRAPHY
• RSA
• Elliptic Curve
HASH FUNCTIONS
 FIVE BASIC REQUIREMENTS
1. They accept an input of any length.
2. They produce an output of a fixed length.
3. The hash value is relatively easy to compute.
4. The hash function is one-way (meaning that it
is extremely hard to determine the input
when provided with the output).
5. The hash function is collision free (meaning
that it is extremely hard to find two messages
that produce the same hash value).
 HASH FUNCTIONS
SHA
• SHA-1
• SHA-2
• SHA-256
• SHA-224
• SHA-512
• SHA-384
• SHA-3

MD5
• Processes 512-bit blocks of the message
• Has been demonstrated that MD5 protocol is subject to
collisions, preventing its use for ensuring message integrity
DIGITAL SIGNATURES
TWO DISTINCT GOALS

Digitally signed messages

assure the recipient that
the message truly came
from the claimed sender.

Digitally signed messages

assure the recipient that
the message was not
altered while in transit
between the sender and
recipient.
 HMAC

• The Hashed Message Authentication Code

(HMAC) algorithm implements a partial digital
signature—it guarantees the integrity of a
message during transmission, but it does not
provide for nonrepudiation.
• HMAC can be combined with any standard
message digest generation algorithm, such as
SHA-3, by using a shared secret key.
• HAMC represents a halfway point between
unencrypted use of a message digest algorithm
and computationally expensive digital signature
algorithms based on public key cryptography.
 DIGITAL SIGNATURE STANDARD

Three currently approved standard

The Digital Signature Algorithm (DSA)
encryption algorithms
as specified in FIPS 186-4

The Rivest, Shamir, Adleman (RSA)

algorithm as specified in ANSI X9.31

The Elliptic Curve DSA (ECDSA) as

specified in ANSI X9.62
PUBLIC KEY
INFRASTRUCTURE
 CERTIFICATES

• Certificates that conform to X.509 contain the

following certificate attributes:
• Version of X.509 to which the certificate
conforms
• Serial number
• Signature algorithm identifier
• Issuer name
• Validity period
• Subject’s Common Name
• Subject Alternative Names (SAN)
• Subject’s public key
 CERTIFICATES

• Certificates may be issued for a variety of

purposes. These include providing assurance for
the public keys of:
• Computers/machines
• Individual users
• Email addresses
• Developers (code-signing certificates)
 CERTIFICATE AUTHORITIES

Certificate
authorities (CAs) Registration
authorities (RAs)
 CERTIFICATE GENERATION AND
DESTRUCTION
• Enrollment
• Verification
• The digital signature of the CA is authentic
• You trust the CA
• The certificate is not listed on a CRL
• The certificate actually contains the data you are
trusting
• Revocation
• Certificate Revocation Lists
• Online Certificate Status Protocol (OCSP)
• Certificate Stapling
 CERTIFICATE FORMATS

STANDARD FORMAT FILE

EXTENSION(S)
Distinguished Binary .DER, .CRT, .CER
Encoding Rules (DER)
Privacy Enhanced Mail Text .PEM, .CRT
(PEM)
Personal Information Binary .PFX, .P12
Exchange (PFX)
P7B Text .P7B
ASYMMETRIC KEY
MANAGEMENT
 ASYMMETRIC KEY MANAGEMENT

Choose your encryption system

wisely

Select your keys in an appropriate

manner

Keep your private key secret when

using public key encryption

Retire keys when they’ve served a

useful life

Back up your key

CRYPTOGRAPHIC ATTACKS
CRYPTOGRAPHIC ATTACKS

Brute Force
Frequency Analysis
Known Plain Text
Chosen Plain Text
Related Key Attack
Downgrade Attack
Rainbow Tables, Hashing, and Salting
Exploiting Weak Keys
Exploiting Human Error
EMERGING ISSUES IN
CRYPTOGRAPHY
EMERGING ISSUES IN CRYPTOGRAPHY

Tor and the Dark

Blockchain
Web

Lightweight Homomorphic
Cryptography Encryption

Quantum
Computing
Identity and Access Management

Chapter 8
 OBJECTIVES COVERED

Domain 2.0: Architecture and Design

• 2.4. Summarize authentication and
authorization design concepts.

Domain 3.0: Implementation

3.7 Given a scenario, implement identity and
account management controls.
• 3.8 Given a scenario, implement authentication
and authorization solutions.
IDENTITY
 IDENTITY

Common ways to assert or claim an

Usernames

Certificates
identity
Tokens

SSH keys

Smart cards
AUTHENTICATION AND
AUTHORIZATION
AUTHENTICATION TECHNOLOGIES

EAP CHAP PAP

802.1X RADIUS TACACS+

Kerberos
CHAP CHALLENGE AND RESPONSE
SEQUENCE
802.1 AUTHENTICATION ARCHITECTURE
WITH EAP, RADIUS, AND LDAP
KERBEROS AUTHENTICATION PROCESS
 CLOUD AUTHENTICATION AND
AUTHORIZATION

OpenID

Security
Assertions
Markup OAuth
Language
(SAML)

Core
technologies
 FEDERATION

The • Is typically a user.

principal

• Or IdPs provide identity and

Identity authentication services via an attestation
providers process in which the IdP validates that
the user is who they claim to be.

• Or SPs provide services to users whose

Service identities have been attested to by an
providers identity provider.
DIRECTORY SERVICES
AUTHENTICATION
METHODS
MULTIFACTOR AUTHENTICATION

Something you
know

Something Something
you are you have
A TITAN KEY USB SECURITY KEY
 ONE TIME PASSWORDS

Time-based one-
time passwords HMAC-based one-
(TOTP) time password
(HOTP)
GOOGLE AUTHENTICATOR SHOWING
TOTP CODE GENERATION
A HOTP PAYPAL TOKEN
BIOMETRICS

Fingerprints
Retina scanning
Iris recognition
Facial recognition
Voice recognition
Vein recognition
Gait analysis
BIOMETRICS
MANAGING AUTHENTICATION

Password Password
key vaults

Trusted
Hardware
Platform
Security
Module
Modules
standard
(HSMs)
(TPM)
ACCOUNTS
 ACCOUNT TYPES

User accounts

Privileged or administrative accounts

Shared and generic accounts or credentials

Guest accounts

Service accounts
ACCOUNT POLICIES AND CONTROLS

Password
Complexity

Account
Password
policies & The time of day
lifespan
controls
The network
Other
location of the
information
system

Geolocation
data
ACCESS CONTROL SCHEMES
COMMON ACCESS CONTROL SCHEMES

Attribute-based access control (ABAC)

Role-based access control (RBAC)

Rule-based access control (RuBAC)

Mandatory Access Control (MAC)

Discretionary access control (DAC)

LINUX/UNIX FILE PERMISSIONS
WINDOWS FILE PERMISSIONS
Resilience and Physical Security

Chapter 9
 OBJECTIVES COVERED

Domain 2.0: Architecture and Design

2.1 Explain the importance of security concepts in
an enterprise environmen.
2.5 Given a scenario, implement cybersecurity
resilience.
• 2.7 Explain the importance of physical security
controls.
BUILDING CYBERSECURITY
RESILIENCE
 STORAGE RESILIENCY:
BACKUPS AND REPLICATION

RAID
Copy of the live storage system
Snapshot
Images
VDI
Copies of individual files
Backup media
Online backups
Offsite or on-site storage
 RAID
RAID Description Description Advantage Disadvantage
RAID 0 – Striping Data is spread across all drives Better I/O performance (speed), Not fault tolerant – all
in the array all capacity used data lost if a drive is lost

RAID 1 – Mirroring All data copied exactly to High read speeds from multiple Uses twice the storage
another drive or drives drives, data available if a drive for the same amount of
fails data

RAID 5 – Striping with parity Data is striped across drives, Data reads are fast, data writes Can only tolerate a
with one drive used for parity are slightly slower. single drive failure at a
(checksum) of the data. Parity is time.
spread across drives as well as Drive failures can be rebuilt as
data. long as only one drive fails. Rebuilding arrays after a
drive loss can be slow
and impact performance.

RAID 6 – Striping with double Like RAID 5, but additional Like RAID 5, but allows for Slower write
parity parity stored on another drive. more than once drive to fail at a performance than RAID
time. 5 as the additional parity
data is managed.

Rebuilding arrays after a

drive loss can be slow
and impact performance

RAID 10 – mirroring and Data is striped across 2 or more Combines the advantages and Combines the
striping drives and then mirrored to the disadvantages of both RAID 0 advantages and
same number of drives and RAID 1. disadvantages of both
RAID 0 and RAID 1.
COMMON BACKUP MEDIA

Tape Disks

Optical Flash
media media
CONSIDERATIONS FOR THIRD PARTY
BACKUP OPTIONS

Bandwidth requirements

Time to retrieve files and cost to

retrieve files

Reliability

New security models

RESPONSE AND RECOVERY
CONTROLS
TWO MAJOR CATEGORIES OF
SCALABILITY

Vertical scalability
requires a larger or
Horizontal scaling uses
more powerful
smaller systems or
system or device
devices but adds more
of them
THREE MAJOR TYPES OF DISASTER
RECOVERY SITES

Hot sites

Cold sites Warm sites

 SITE RESTORATION ORDER

Restore network connectivity and a bastion or shell host

Restore network security devices (firewalls, IPS)

Restore storage and database services

Restore critical operational servers

Restore logging and monitoring service

Restore other services as possible

PHYSICAL SECURITY
CONTROLS
 SITE SECURITY

Industrial
Fences
camouflage

Bollards Lighting

Fire suppression
Badges Alarms
systems

Signage Mantraps Locks

A BOLLARD
A MANTRAP
 GUARDS

• Can make decisions that technical control

systems cannot and can also provide additional
capabilities by providing both detection and
response capabilities.
• Can validate an individual’s identity, ensure that
they only enter the areas they are supposed to
be, and that they have signed a visitor log and
that their signature matches a signature on file
or on their ID card.
• Bring own challenges and risks, and are relatively
expensive.
 CAMERAS AND SENSORS

Motion Object Face

recognition detection recognition
cameras cameras systems
ENHANCED SECURITY ZONES
AND SECURE AREAS
 SECURE DATA DESTRUCTION
Destruction method Description Notes
Burning Most often done in a high Typically done offsite through a
temperature incinerator. Primarily third party service, leaves no
used for paper records, although recoverable materials
some incinerators may support
electronic devices.

Shredding Can be done on-site, can support Traditional paper shredders may
paper or devices using an industrial allow for recovery of documents,
shredder. even from cross-cut shredded
documents. For high security
environments, burning or pulping
may be required.

Pulping Breaks paper documents into wood Completely destroys documents,

pulp, removing ink. Materials can preventing recovery.
be recycled.

Pulverizing Breaks devices down into very The size of the output material can
small pieces, preventing recovery. determine the potential for recovery
of data, typically pulverizing results
in very small fragments of material.

Degaussing Magnetically wipes data from tapes Only effective on magnetic media,
and traditional hard magnetic media will not work on SSDs, flash media,
hard drives. optical media, or paper.
Cloud and Virtualization Security

Chapter 10
 OBJECTIVES COVERED

Domain 2.0: Architecture and Design

• 2.1 Explain the importance of security concepts
in an enterprise environment.
• 2.2 Summarize virtualization and cloud
computing concepts.
Domain 3.0: Threats, Attacks, and Vulnerabilities
• 3.6 Given a scenario, apply cybersecurity
solutions to the cloud.
Domain 5.0: Governance, Risk, and Compliance
• 5.2 Explain the importance of applicable
regulations, standards, or frameworks that
impact organizational security posture.
EXPLORING THE CLOUD
 CLOUD COMPUTING

Cloud computing is a model for enabling

ubiquitous, convenient, on-demand network access
to a shared pool of configurable computing
resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly
provisioned and released with minimal
management effort or service provider interaction.
 BENEFITS OF THE CLOUD

On-demand self-service computing

Scalability

Elasticity

Measured service

Agility and flexibility

VERTICAL VS. HORIZONTAL SCALING
CLOUD ROLES

Cloud service providers

Cloud consumers

Cloud partners

Cloud auditors

Cloud carriers
CLOUD SERVICE MODELS

Infrastructure
as a Service
(IaaS)

Platform as a Software as
Service a Service
(PaaS) (SaaS)
ACCESS SAAS THROUGH
A THIN CLIENT DEVICE
AWS LAMBDA FUNCTION
A SERVICE ENVIRONMENT
AWS LAMBDA FUNCTION
A SERVICE ENVIRONMENT

Public Private
Cloud Cloud

Community Hybrid
Cloud Cloud
EXAMPLE OF COMMUNITY CLOUD
COMPUTING - HATHITRUST
 AWS OUTPOSTS OFFER
HYBRID CLOUD CAPABILITY
SHARED RESPONSIBILITY MODEL
CLOUD STANDARDS AND GUIDELINES
CLOUD STANDARDS AND GUIDELINES
VIRTUALIZATION
HYPERVISORS - TYPE I HYPERVISOR
HYPERVISORS - TYPE II HYPERVISOR
CLOUD INFRASTRUCTURE
COMPONENTS
PROVISIONING A VIRTUALIZED SERVER
IN AWS
CONNECTING TO AN AWS VIRTUAL
SERVER INSTANCE WITH SSH
CONNECTING TO AN AWS VIRTUAL
SERVER INSTANCE WITH RDP
CLOUD STORAGE RESOURCES

Block storage
Object storage
AWS ELASTIC BLOCK STORAGE (EBS)
VOLUMES
AWS SIMPLE STORAGE SERVICE (S3)
BUCKET
THREE KEY SECURITY CONSIDERATIONS

Set permissions
properly

Consider high
Use encryption
availability and
to protect
durability
sensitive data
options
ENABLING FULL-DISK ENCRYPTION ON
AN EBS VOLUME
CLOUD NETWORKING
– SECURITY GROUP
 CLOUD NETWORKING
VIRTUAL PRIVATE CLOUD (VPC)
CREATING AN EC2 INSTANCE WITH
CLOUDFORMATION JSON
CLOUD SECURITY ISSUES
CLOUD SECURITY ISSUES

Availability

Data Sovereignty

Virtualization Security

Application Security

Governance and Auditing

CLOUD SECURITY CONTROLS
 CLOUD ACCESS SECURITY BROKERS

Cloud access security

brokers (CASBs)

API-based CASB
Inline CASB solutions
solutions
 CLOUD SECURITY CONTROLS

Cloud Security Controls Cloud Access Security Brokers

Resource Policies

Secrets Management