Sample

®
CompTIA Security+
SY0-601 Cert Guide
Omar Santos
Ron Taylor
Joseph Mlodzianowski
A01_Santos_Fm_pi-plii_1.indd 1 01/06/21 2:49 pm

CompTIA® Security+ SY0-601 Cert Guide Editor-in-Chief
Copyright © 2022 by Pearson Education, Inc. Mark Taub
All rights reserved. No part of this book shall be reproduced, stored in Product Line Manager
a retrieval system, or transmitted by any means, electronic, mechanical, Brett Bartow
photocopying, recording, or otherwise, without written permission from
the publisher. No patent liability is assumed with respect to the use of the Executive Editor
information contained herein. Although every precaution has been taken in Nancy Davis
the preparation of this book, the publisher and author assume no respon-
Development Editor
sibility for errors or omissions. Nor is any liability assumed for damages
Christopher A. Cleveland
resulting from the use of the information contained herein.
ISBN-13: 978-0-13-677031-2 Managing Editor
ISBN-10: 0-13-677031-2 Sandra Schroeder
Library of Congress Control Number: 2021935686 Senior Project Editor

ScoutAutomatedPrintCode Tonya Simpson
Copy Editor
Trademarks
Chuck Hutchinson
All terms mentioned in this book that are known to be trademarks or ser-
vice marks have been appropriately capitalized. Pearson IT Certification Indexer
cannot attest to the accuracy of this information. Use of a term in this book Erika Millen
should not be regarded as affecting the validity of any trademark or service
mark. Proofreader
Abigail Manheim
Warning and Disclaimer
Technical Editor
Every effort has been made to make this book as complete and as accurate
Chris Crayton
as possible, but no warranty or fitness is implied. The information provided
is on an “as is” basis. The authors and the publisher shall have neither li- Publishing Coordinator
ability nor responsibility to any person or entity with respect to any loss or Cindy Teeters
damages arising from the information contained in this book.
Cover Designer
Special Sales Chuti Prasertsith
For information about buying this title in bulk quantities, or for special
Compositor
sales opportunities (which may include electronic versions; custom cover
codeMantra
designs; and content particular to your business, training goals, marketing
focus, or branding interests), please contact our corporate sales department
at corpsales@pearsoned.com or (800) 382-3419.
For government sales inquiries, please contact

governmentsales@pearsoned.com.
For questions about sales outside the U.S., please contact
intlcs@pearson.com.
9780136770312_print.indb 2 30/05/21 4:24 pm

Contents at a Glance
Introduction xliv
Part I: Threats, Attacks, and Vulnerabilities

CHAPTER 1
Comparing and Contrasting Different Types of Social Engineering
Techniques 3
CHAPTER 2 Analyzing Potential Indicators to Determine the Type of Attack 29
CHAPTER 3 Analyzing Potential Indicators Associated with
Application Attacks 61
CHAPTER 4 Analyzing Potential Indicators Associated with Network Attacks 95
CHAPTER 5
Understanding Different Threat Actors, Vectors, and Intelligence
Sources 117
CHAPTER 6
Understanding the Security Concerns Associated with Various
Types of Vulnerabilities 133
CHAPTER 7 Summarizing the Techniques Used in Security Assessments 171
CHAPTER 8 Understanding the Techniques Used in Penetration Testing 193
Part II: Architecture and Design

CHAPTER 9
Understanding the Importance of Security Concepts in
an Enterprise Environment 209
CHAPTER 10 Summarizing Virtualization and Cloud Computing Concepts 227
CHAPTER 11
Summarizing Secure Application Development, Deployment,
and Automation Concepts 253
CHAPTER 12
Summarizing Authentication and Authorization Design Concepts 285
CHAPTER 13 Implementing Cybersecurity Resilience 311
CHAPTER 14
Understanding the Security Implications of Embedded
and Specialized Systems 335
CHAPTER 15 Understanding the Importance of Physical Security Controls 367
CHAPTER 16 Summarizing the Basics of Cryptographic Concepts 391
Part III: Implementation

CHAPTER 17 Implementing Secure Protocols 423
CHAPTER 18 Implementing Host or Application Security Solutions 447
CHAPTER 19 Implementing Secure Network Designs 483
CHAPTER 20 Installing and Configuring Wireless Security Settings 547
9780136770312_print.indb 3 30/05/21 4:24 pm

iv CompTIA Security+ SY0-601 Cert Guide
CHAPTER 21 Implementing Secure Mobile Solutions 567

CHAPTER 22 Applying Cybersecurity Solutions to the Cloud 595
CHAPTER 23 Implementing Identity and Account Management Controls 619
CHAPTER 24 Implementing Authentication and Authorization Solutions 651
CHAPTER 25 Implementing Public Key Infrastructure 685
Part IV: Operations and Incident Response

CHAPTER 26 Using the Appropriate Tool to Assess Organizational Security 703
CHAPTER 27
Summarizing the Importance of Policies, Processes,
and Procedures for Incident Response 755
CHAPTER 28 Using Appropriate Data Sources to Support an Investigation 781
CHAPTER 29 Applying Mitigation Techniques or Controls to Secure an
Environment 819
CHAPTER 30 Understanding the Key Aspects of Digital Forensics 837
Part V: Governance, Risk, and Compliance

CHAPTER 31 Comparing and Contrasting the Various Types of Controls 865
CHAPTER 32 Understanding the Importance of Applicable Regulations, Standards,
or Frameworks That Impact Organizational Security Posture 875
CHAPTER 33 Understanding the Importance of Policies to
Organizational Security 893
CHAPTER 34 Summarizing Risk Management Processes and Concepts 913
CHAPTER 35 Understanding Privacy and Sensitive Data Concepts
in Relation to Security 935
Part VI: Final Preparation

CHAPTER 36 Final Preparation 953
Glossary of Key Terms 955
APPENDIX A Answers to the “Do I Know This Already?”
Quizzes and Review Questions 1023
APPENDIX B CompTIA Security+ (SY0-601) Cert Guide Exam Updates 1087
Index 1089
Online Elements:
APPENDIX C Study Planner
Glossary of Key Terms
9780136770312_print.indb 4 30/05/21 4:24 pm

Table of Contents
Introduction xliv
Part I: Threats, Attacks, and Vulnerabilities

Comparing and Contrasting Different Types of Social Engineering
Chapter 1
Techniques 3
“Do I Know This Already?” Quiz 3
Foundation Topics 7
Social Engineering Fundamentals 7
Phishing and Spear Phishing 9
Smishing 12
Vishing 12
Spam and Spam over Internet Messaging (SPIM) 13
Dumpster Diving 13
Shoulder Surfing 14
Pharming 14
Piggybacking or Tailgating 15
Eliciting Information 15
Whaling 16
Prepending 17
Identity Fraud 17
Invoice Scams 17
Credential Harvesting 18
Reconnaissance 18
Hoaxes 19
Impersonation or Pretexting 19
Eavesdropping 19
Baiting 20
Watering Hole Attack 20
Typo Squatting 20
Influence Campaigns, Principles of Social Engineering,
and Reasons for Effectiveness 21
9780136770312_print.indb 5 30/05/21 4:24 pm

vi CompTIA Security+ SY0-601 Cert Guide
User Security Awareness Education 22

Chapter Review Activities 24
Review Key Topics 24
Define Key Terms 25
Review Questions 26
Chapter 2 Analyzing Potential Indicators to Determine the Type of Attack 29
Foundation Topics 33
Malicious Software (Malware) 33
Ransomware and Cryptomalware 33
Trojans 35
Remote Access Trojans (RATs) and Rootkits 35
Worms 36
Fileless Virus 37
Command and Control, Bots, and Botnets 37
Logic Bombs 39
Potentially Unwanted Programs (PUPs) and Spyware 40
Keyloggers 42
Backdoors 43
Malware Delivery Mechanisms 43
You Can’t Save Every Computer from Malware! 45
Password Attacks 45
Dictionary-based and Brute-force Attacks 45
Password Spraying 46
Offline and Online Password Cracking 46
Rainbow Tables 47
Plaintext/Unencrypted 47
Physical Attacks 48
Malicious Flash Drives 48
Malicious Universal Serial Bus (USB) Cables 48
Card Cloning Attacks 48
Skimming 49
9780136770312_print.indb 6 30/05/21 4:24 pm

Table of Contents vii
Adversarial Artificial Intelligence 50

Tainted Training Data for Machine Learning 50
Security of Machine Learning Algorithms 50
Supply-Chain Attacks 51
Cloud-based vs. On-premises Attacks 52
Cloud Security Threats 52
Cloud Computing Attacks 54
Cryptographic Attacks 55
Collision 55
Birthday 56
Downgrade 56
Define Key Terms 58
Review Questions 59
Analyzing Potential Indicators Associated with Application
Chapter 3
Attacks 61
Privilege Escalation 67
Cross-Site Scripting (XSS) Attacks 68
Injection Attacks 70
Structured Query Language (SQL) Injection Attacks 70
SQL Injection Categories 73
Dynamic Link Library (DLL) Injection Attacks 74
Lightweight Directory Access Protocol (LDAP) Injection Attacks 74
Extensible Markup Language (XML) Injection Attacks 74
Pointer/Object Dereference 75
Directory Traversal 76
Buffer Overflows 77
Arbitrary Code Execution/Remote Code Execution 78
Race Conditions 79
Error Handling 79
9780136770312_print.indb 7 30/05/21 4:24 pm

viii CompTIA Security+ SY0-601 Cert Guide
Improper Input Handling 80

Compile-Time Errors vs. Runtime Errors 81
Replay Attacks 82
Request Forgeries 85
Application Programming Interface (API) Attacks 86
Resource Exhaustion 87
Memory Leaks 88
Secure Socket Layer (SSL) Stripping 88
Driver Manipulation 89
Pass the Hash 89
Define Key Terms 92
Review Questions 92
Chapter 4 Analyzing Potential Indicators Associated with Network Attacks 95
Wireless Attacks 98
Evil Twin Attacks 98
Rogue Access Points 99
Bluesnarfing Attacks 99
Bluejacking Attacks 100
Disassociation and Deauthentication Attacks 101
Jamming Attacks 102
Radio Frequency Identifier (RFID) Attacks 102
Near-Field Communication (NFC) Attacks 102
Initialization Vector (IV) Attacks 103
On-Path Attacks 103
Layer 2 Attacks 105
Address Resolution Protocol (ARP) Poisoning Attacks 105
Media Access Control (MAC) Flooding Attacks 106
MAC Cloning Attacks 106
Best Practices to Protect Against Layer 2 Attacks 106
9780136770312_print.indb 8 30/05/21 4:24 pm

Table of Contents ix
Domain Name System (DNS) Attacks 107

Domain Hijacking Attacks 108
DNS Poisoning Attacks 108
Uniform Resource Locator (URL) Redirection Attacks 110
Domain Reputation 110
Distributed Denial-of-Service (DDoS) Attacks 111
Malicious Code or Script Execution Attacks 113
Define Key Terms 115
Review Questions 115
Understanding Different Threat Actors, Vectors, and Intelligence
Chapter 5
Sources 117
Actors and Threats 120
Attributes of Threat Actors 122
Attack Vectors 122
Threat Intelligence and Threat Intelligence Sources 123
Structured Threat Information eXpression (STIX) and the Trusted
Automated eXchange of Indicator Information (TAXII) 125
Research Sources 127
The MITRE ATT&CK Framework 128
Chapter 6 Understanding the Security Concerns Associated with Various Types
of Vulnerabilities 133
Cloud-based vs. On-premises Vulnerabilities 137
Other “Cloud”-based Concerns 143
Server Defense 144
9780136770312_print.indb 9 30/05/21 4:24 pm

x CompTIA Security+ SY0-601 Cert Guide
File Servers 144
Network Controllers 144
Email Servers 145
Web Servers 146
FTP Server 147
Zero-day Vulnerabilities 149
Weak Configurations 150
Third-party Risks 155
Improper or Weak Patch Management 160
Patches and Hotfixes 161
Patch Management 163
Legacy Platforms 165
The Impact of Cybersecurity Attacks and Breaches 165
Chapter 7 Summarizing the Techniques Used in Security Assessments 171
Threat Hunting 175
Security Advisories and Bulletins 177
Vulnerability Scans 180
Credentialed vs. Noncredentialed 182
Intrusive vs. Nonintrusive 182
Common Vulnerability Scoring System (CVSS) 182
Logs and Security Information and Event Management (SIEM) 186
Security Orchestration, Automation, and Response (SOAR) 188
9780136770312_print.indb 10 30/05/21 4:24 pm

Table of Contents xi
Chapter 8 Understanding the Techniques Used in Penetration Testing 193

Penetration Testing 197
Bug Bounties vs. Penetration Testing 202
Passive and Active Reconnaissance 203
Exercise Types 205
Part II: Architecture and Design

Understanding the Importance of Security Concepts in an Enterprise
Chapter 9
Environment 209
Configuration Management 213
Data Sovereignty and Data Protection 214
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Inspection 215
API Considerations 216
Data Masking and Obfuscation 216
Encryption at Rest, in Transit/Motion, and in Processing 218
Hashing 218
Rights Management 219
Geographical Considerations 220
Data Breach Response and Recovery Controls 220
Site Resiliency 221
Deception and Disruption 222
Fake Telemetry 223
DNS Sinkhole 223
9780136770312_print.indb 11 30/05/21 4:24 pm

xii CompTIA Security+ SY0-601 Cert Guide

Chapter 10 Summarizing Virtualization and Cloud Computing Concepts 227
Cloud Models 231
Public, Private, Hybrid, and Community Clouds 232
Cloud Service Providers 233
Cloud Architecture Components 234
Fog and Edge Computing 234
Thin Clients 235
Containers 236
Microservices and APIs 240
Infrastructure as Code 241
Serverless Architecture 243
Services Integration 246
Resource Policies 246
Transit Gateway 246
Virtual Machine (VM) Sprawl Avoidance and VM Escape Protection 247
Understanding and Avoiding VM Sprawl 247
Protecting Against VM Escape Attacks 248
Summarizing Secure Application Development, Deployment, and
Chapter 11
Automation Concepts 253
Software Development Environments and Methodologies 257
Application Provisioning and Deprovisioning 260
Software Integrity Measurement 261
9780136770312_print.indb 12 30/05/21 4:24 pm

Table of Contents xiii
Secure Coding Techniques 261

Core SDLC and DevOps Principles 263
Programming Testing Methods 266
Compile-Time Errors vs. Runtime Errors 266
Input Validation 267
Static and Dynamic Code Analysis 269
Fuzz Testing 269
Programming Vulnerabilities and Attacks 270
Testing for Backdoors 271
Memory/Buffer Vulnerabilities 271
XSS and XSRF 272
More Code Injection Examples 273
Directory Traversal 274
Zero-Day Attack 275
Open Web Application Security Project (OWASP) 276
Software Diversity 278
Automation/Scripting 278
Elasticity and Scalability 279
Summarizing Authentication and Authorization Design
Chapter 12
Concepts 285
Authentication Methods 289
Directory Services 291
Federations 292
Attestation 294
Authentication Methods and Technologies 295
Time-Based One-Time Password (TOTP) 295
HMAC-Based One-Time Password (HOTP) 295
9780136770312_print.indb 13 30/05/21 4:24 pm

xiv CompTIA Security+ SY0-601 Cert Guide
Short Message Service (SMS) 296

Token Key 297
Static Codes 298
Authentication Applications 298
Push Notifications 299
Phone Call Authentication 299
Smart Card Authentication 300
Biometrics 300
Fingerprints 300
Retina 301
Iris 301
Facial 301
Voice 302
Vein 302
Gait Analysis 302
Efficacy Rates 302
False Acceptance 303
False Rejection 303
Crossover Error Rate 304
Multifactor Authentication (MFA) Factors and Attributes 304
Authentication, Authorization, and Accounting (AAA) 306
Cloud vs. On-premises Requirements 306
Chapter 13 Implementing Cybersecurity Resilience 311
Redundancy 315
Geographic Dispersal 315
Disk Redundancy 315
Redundant Array of Inexpensive Disks 316
9780136770312_print.indb 14 30/05/21 4:24 pm

Table of Contents xv
Multipath 319
Network Resilience 319
Load Balancers 319
Network Interface Card (NIC) Teaming 320
Power Resilience 320
Uninterruptible Power Supply (UPS) 320
Generators 321
Dual Supply 321
Managed Power Distribution Units (PDUs) 322
Replication 323
Storage Area Network 323
Virtual Machines 324
On-premises vs. Cloud 325
Backup Types 326
Full Backup 328
Differential Backup 328
Incremental Backup 328
Non-persistence 328
High Availability 329
Restoration Order 330
Diversity 331
Technologies 331
Vendors 331
Crypto 331
Controls 332
Understanding the Security Implications of Embedded and
Chapter 14
Specialized Systems 335
9780136770312_print.indb 15 30/05/21 4:24 pm

xvi CompTIA Security+ SY0-601 Cert Guide
Embedded Systems 339
Supervisory Control and Data Acquisition (SCADA)/Industrial Control
Systems (ICS) 341
Internet of Things (IoT) 344
Specialized Systems 346
Medical Systems 347
Vehicles 347
Aircraft 348
Smart Meters 350
Voice over IP (VoIP) 351
Heating, Ventilation, and Air Conditioning (HVAC) 352
Drones 353
Multifunction Printers (MFP) 354
Real-Time Operating Systems (RTOS) 355
Surveillance Systems 355
System on a Chip (SoC) 356
Communication Considerations 357
5G 357
NarrowBand 358
Baseband Radio 359
Subscriber Identity Module (SIM) Cards 360
Zigbee 360
Embedded System Constraints 361
Power 361
Compute 361
Network 362
Crypto 362
Inability to Patch 362
Authentication 363
Range 363
Cost 363
Implied Trust 363
9780136770312_print.indb 16 30/05/21 4:24 pm

Table of Contents xvii

Chapter 15 Understanding the Importance of Physical Security Controls 367
Bollards/Barricades 370
Access Control Vestibules 372
Badges 373
Alarms 374
Signage 374
Cameras 375
Closed-Circuit Television (CCTV) 376
Industrial Camouflage 377
Personnel 377
Locks 378
USB Data Blockers 379
Lighting 380
Fencing 380
Fire Suppression 381
Sensors 381
Drones 382
Visitor Logs 383
Faraday Cages 383
Air Gap 384
Screened Subnet (Previously Known as Demilitarized Zone [DMZ]) 384
Protected Cable Distribution 385
Secure Areas 385
Secure Data Destruction 386
9780136770312_print.indb 17 30/05/21 4:24 pm

xviii CompTIA Security+ SY0-601 Cert Guide
Chapter 16 Summarizing the Basics of Cryptographic Concepts 391

Digital Signatures 395
Key Length 396
Key Stretching 397
Salting 397
Hashing 398
Key Exchange 399
Elliptic-Curve Cryptography 399
Perfect Forward Secrecy 400
Quantum 401
Communications 401
Computing 402
Post-Quantum 402
Ephemeral 403
Modes of Operation 403
Electronic Code Book Mode 404
Cipher Block Chaining Mode 405
Cipher Feedback Mode 406
Output Feedback Mode 407
Counter Mode 408
Blockchain 409
Cipher Suites 410
Symmetric vs. Asymmetric Encryption 411
Lightweight Cryptography 414
Steganography 415
Audio Steganography 415
Video Steganography 416
Image Steganography 416
Homomorphic Encryption 417
Common Use Cases 417
Limitations 418
9780136770312_print.indb 18 30/05/21 4:24 pm

Table of Contents xix

Part III: Implementation

Chapter 17 Implementing Secure Protocols 423
Protocols 426
Domain Name System Security Extensions 426
SSH 427
Secure/Multipurpose Internet Mail Extensions 428
Secure Real-Time Transport Protocol 430
Lightweight Directory Access Protocol over SSL 432
File Transfer Protocol, Secure 432
Secure (or SSH) File Transfer Protocol 434
Simple Network Management Protocol Version 3 434
Hypertext Transfer Protocol over SSL/TLS 436
IPsec 437
Authentication Header/Encapsulating Security Payloads 437
Tunnel/Transport 438
Post Office Protocol/Internet Message Access Protocol 438
Use Cases 439
Voice and Video 440
Time Synchronization 440
Email and Web 441
File Transfer 441
Directory Services 442
Remote Access 442
Domain Name Resolution 442
Routing and Switching 443
Network Address Allocation 443
Subscription Services 444
9780136770312_print.indb 19 30/05/21 4:24 pm

xx CompTIA Security+ SY0-601 Cert Guide

Chapter 18 Implementing Host or Application Security Solutions 447
Endpoint Protection 451
Antivirus 451
Antimalware 452
Endpoint Detection and Response 452
Data Loss Prevention 453
Next-Generation Firewall 453
Host-based Intrusion Prevention System 454
Host-based Intrusion Detection System 456
Host-based Firewall 457
Boot Integrity 458
Boot Security/Unified Extensible Firmware Interface 459
Measured Boot 459
Boot Attestation 460
Database 461
Tokenization 461
Salting 462
Hashing 463
Application Security 463
Input Validations 464
Secure Cookies 465
Hypertext Transfer Protocol Headers 465
End-to-End Headers 466
Hop-by-Hop Headers 466
Code Signing 466
Allow List 467
Block List/Deny List 467
9780136770312_print.indb 20 30/05/21 4:24 pm

Table of Contents xxi
Secure Coding Practices 468

Static Code Analysis 468
Manual Code Review 470
Dynamic Code Analysis 470
Fuzzing 471
Hardening 471
Open Ports and Services 471
Registry 472
Disk Encryption 473
Operating System 473
Patch Management 474
Self-Encrypting Drive/Full-Disk Encryption 475
OPAL 476
Hardware Root of Trust 476
Trusted Platform Module 477
Sandboxing 478
Chapter 19 Implementing Secure Network Designs 483
Load Balancing 488
Active/Active 488
Active/Passive 488
Scheduling 488
Virtual IP 488
Persistence 489
Network Segmentation 489
Application-Based Segmentation and Microsegmentation 489
Virtual Local Area Network 490
Screened Subnet 491
9780136770312_print.indb 21 30/05/21 4:24 pm

xxii CompTIA Security+ SY0-601 Cert Guide
East-West Traffic 492
Intranets and Extranets 492
Zero Trust 494
Virtual Private Network 494
Remote Access vs. Site-to-Site 496
IPsec 497
IKEv1 Phase 1 498
IKEv1 Phase 2 501
IKEv2 504
SSL/TLS 505
HTML5 508
Layer 2 Tunneling Protocol 508
DNS 509
Network Access Control 510
Out-of-Band Management 510
Port Security 511
Broadcast Storm Prevention 512
Bridge Protocol Data Unit Guard 512
Loop Prevention 512
Dynamic Host Configuration Protocol Snooping 512
Media Access Control Filtering 513
Network Appliances 513
Jump Servers 514
Proxy Servers 514
Network-Based Intrusion Detection System/Network-Based Intrusion
Prevention System 516
NIDS 517
NIPS 518
Summary of NIDS vs. NIPS 519
Signature-Based 520
Heuristic/Behavior 521
Anomaly 521
Inline vs. Passive 523
9780136770312_print.indb 22 30/05/21 4:24 pm

Table of Contents xxiii
HSM 524
Sensors 524
Collectors 525
Aggregators 526
Firewalls 526
Hardware vs. Software 534
Appliance vs. Host-based vs. Virtual 534
Access Control List 535
Route Security 535
Quality of Service 536
Implications of IPv6 536
Port Spanning/Port Mirroring 537
Monitoring Services 538
Performance Baselining 539
File Integrity Monitors 542
Chapter 20 Installing and Configuring Wireless Security Settings 547
Cryptographic Protocols 551
Wi-Fi Protected Access 2 (WPA2) 551
Wi-Fi Protected Access 3 (WPA3) 551
Counter-mode/CBC-MAC Protocol (CCMP) 552
Simultaneous Authentication of Equals 552
Wireless Cryptographic Protocol Summary 552
Authentication Protocols 553
802.1X and EAP 553
IEEE 802.1x 556
Remote Authentication Dial-In User Service (RADIUS)
Federation 556
9780136770312_print.indb 23 30/05/21 4:24 pm

xxiv CompTIA Security+ SY0-601 Cert Guide
Methods 557
Wi-Fi Protected Setup 558
Captive Portals 559
Installation Considerations 559
Controller and Access Point Security 562
Wireless Access Point Vulnerabilities 563
Chapter 21 Implementing Secure Mobile Solutions 567
Connection Methods and Receivers 570
RFID and NFC 571
More Wireless Connection Methods and Receivers 572
Secure Implementation Best Practices 573
Mobile Device Management 574
MDM Security Feature Concerns: Application and Content
Management 576
MDM Security Feature Concerns: Remote Wipe, Geofencing,
Geolocation, Screen Locks, Passwords and PINs, Full Device
Encryption 578
Mobile Device Management Enforcement and Monitoring 581
Mobile Devices 585
MDM/Unified Endpoint Management 587
SEAndroid 588
Deployment Models 588
Secure Implementation of BYOD, CYOD, and COPE 589
9780136770312_print.indb 24 30/05/21 4:24 pm

Table of Contents xxv
Chapter 22 Applying Cybersecurity Solutions to the Cloud 595

Cloud Security Controls 598
Security Assessment in the Cloud 598
Understanding the Different Cloud Security Threats 598
Cloud Computing Attacks 601
High Availability Across Zones 603
Resource Policies 603
Integration and Auditing 604
Secrets Management 604
Storage 605
Permissions 605
Encryption 605
Replication 605
High Availability 606
Network 606
Virtual Networks 606
Public and Private Subnets 606
Segmentation 607
API Inspection and Integration 607
Compute 607
Security Groups 607
Dynamic Resource Allocation 607
Instance Awareness 608
Virtual Private Cloud Endpoint 608
Container Security 608
Summary of Cloud Security Controls 609
Solutions 611
CASB 611
Application Security 612
Next-Generation Secure Web Gateway 613
Firewall Considerations in a Cloud Environment 613
9780136770312_print.indb 25 30/05/21 4:24 pm

xxvi CompTIA Security+ SY0-601 Cert Guide
Cost 613
Need for Segmentation 613
Open Systems Interconnection Layers 614
Summary of Cybersecurity Solutions to the Cloud 614
Cloud Native Controls vs. Third-Party Solutions 615
Chapter 23 Implementing Identity and Account Management Controls 619
Identity 623
Identity Provider (IdP) 623
Authentication 625
Authentication by Knowledge 625
Authentication by Ownership 625
Authentication by Characteristic Attributes 625
Certificates 626
Tokens 627
SSH Keys 628
Smart Cards 629
Account Types 629
Account Policies 633
Introduction to Identity and Access Management 633
Phases of the Identity and Access Lifecycle 633
Registration and Identity Validation 634
Privileges Provisioning 635
Access Review 635
Access Revocation 635
Password Management 636
Password Creation 636
Attribute-Based Access Control (ABAC) 638
9780136770312_print.indb 26 30/05/21 4:24 pm

Table of Contents xxvii
Rights, Permissions, and Policies 640

Users, Groups, and Account Permissions 640
Permission Inheritance and Propagation 645
Chapter 24 Implementing Authentication and Authorization Solutions 651
Authentication Management 655
Password Keys 655
Password Vaults 655
Trusted Platform Module 656
Hardware Security Modules 656
Knowledge-Based Authentication 656
Authentication/Authorization 657
Security Assertion Markup Language 659
OAuth 661
OpenID and OpenID Connect 663
802.1X and EAP 664
LDAP 667
Kerberos and Mutual Authentication 668
Remote Authentication Technologies 670
Remote Access Service 670
RADIUS versus TACACS+ 672
Access Control Schemes 674
Discretionary Access Control 674
Mandatory Access Control 676
Role-Based Access Control 677
Attribute-Based Access Control 678
Rule-Based Access Control 678
Conditional Access 678
Privileged Access Management 678
9780136770312_print.indb 27 30/05/21 4:24 pm

xxviii CompTIA Security+ SY0-601 Cert Guide
Summary of Access Control Models 679

Access Control Wise Practices 680
Chapter 25 Implementing Public Key Infrastructure 685
Public Key Infrastructure 688
Key Management 688
Certificate Authorities 689
Certificate Attributes 691
Subject Alternative Name 693
Expiration 693
Types of Certificates 694
SSL Certificate Types 694
Certificate Chaining 696
Certificate Formats 697
PKI Concepts 698
Trust Model 698
Certificate Pinning 698
Stapling, Key Escrow, Certificate Chaining, Online vs. Offline CA 698
Part IV: Operations and Incident Response

Chapter 26 Using the Appropriate Tool to Assess Organizational Security 703
Network Reconnaissance and Discovery 707
tracert/traceroute 707
9780136770312_print.indb 28 30/05/21 4:24 pm

Table of Contents xxix
nslookup/dig 709
ipconfig/ifconfig 710
nmap 711
ping/pathping 714
hping 717
netstat 718
netcat 720
IP Scanners 721
arp 721
route 723
curl 724
theHarvester 725
sn1per 726
scanless 727
dnsenum 728
Nessus 730
Cuckoo 731
File Manipulation 732
head 733
tail 734
cat 734
grep 735
chmod 736
Logger 737
Shell and Script Environments 738
SSH 739
PowerShell 740
Python 741
OpenSSL 741
Packet Capture and Replay 742
Tcpreplay 742
Tcpdump 742
Wireshark 743
9780136770312_print.indb 29 30/05/21 4:24 pm

xxx CompTIA Security+ SY0-601 Cert Guide
Forensics 744
dd 744
Memdump 745
WinHex 746
FTK Imager 747
Autopsy 747
Exploitation Frameworks 747
Password Crackers 748
Data Sanitization 750
Summarizing the Importance of Policies, Processes, and Procedures
Chapter 27
for Incident Response 755
Incident Response Plans 760
Incident Response Process 761
Preparation 762
Identification 763
Containment 763
Eradication 764
Recovery 764
Lessons Learned 764
Exercises 765
Tabletop 765
Walkthroughs 766
Simulations 766
Attack Frameworks 767
MITRE ATT&CK 767
The Diamond Model of Intrusion Analysis 768
Cyber Kill Chain 770
9780136770312_print.indb 30 30/05/21 4:24 pm

Table of Contents xxxi
Stakeholder Management 771
Communication Plan 771
Disaster Recovery Plan 772
Business Continuity Plan 773
Continuity of Operations Planning (COOP) 774
Incident Response Team 775
Retention Policies 776
Chapter 28 Using Appropriate Data Sources to Support an Investigation 781
Vulnerability Scan Output 785
SIEM Dashboards 786
Sensors 787
Sensitivity 788
Trends 788
Alerts 788
Correlation 788
Log Files 789
Network 790
System 791
Application 792
Security 793
Web 794
DNS 795
Authentication 796
Dump Files 797
VoIP and Call Managers 799
Session Initiation Protocol Traffic 800
9780136770312_print.indb 31 30/05/21 4:24 pm

xxxii CompTIA Security+ SY0-601 Cert Guide
syslog/rsyslog/syslog-ng 800
journalctl 802
NXLog 803
Bandwidth Monitors 804
Metadata 805
Email 808
Mobile 808
Web 808
File 809
NetFlow/sFlow 809
NetFlow 809
sFlow 810
IPFIX 811
Protocol Analyzer Output 813
Applying Mitigation Techniques or Controls to Secure an
Chapter 29
Environment 819
Reconfigure Endpoint Security Solutions 822
Application Approved Lists 822
Application Block List/Deny List 822
Quarantine 823
Configuration Changes 824
Firewall Rules 825
MDM 825
Data Loss Prevention 828
Content Filter/URL Filter 828
Update or Revoke Certificates 829
Isolation 830
9780136770312_print.indb 32 30/05/21 4:24 pm

Table of Contents xxxiii
Containment 830
Segmentation 831
SOAR 832
Runbooks 833
Playbooks 834
Chapter 30 Understanding the Key Aspects of Digital Forensics 837
Documentation/Evidence 842
Legal Hold 842
Video 842
Admissibility 843
Chain of Custody 844
Timelines of Sequence of Events 844
Timestamps 844
Time Offset 845
Tags 845
Reports 846
Event Logs 846
Interviews 846
Acquisition 847
Order of Volatility 848
Disk 848
Random-Access Memory 848
Swap/Pagefile 849
Operating System 850
Device 850
Firmware 851
Snapshot 851
Cache 852
9780136770312_print.indb 33 30/05/21 4:24 pm

xxxiv CompTIA Security+ SY0-601 Cert Guide
Network 852
Artifacts 853
On-premises vs. Cloud 853
Right-to-Audit Clauses 854
Regulatory/Jurisdiction 855
Data Breach Notification Laws 855
Integrity 856
Hashing 856
Checksums 857
Provenance 857
Preservation 858
E-discovery 858
Data Recovery 859
Nonrepudiation 859
Strategic Intelligence/Counterintelligence 860
Part V: Governance, Risk, and Compliance

Chapter 31 Comparing and Contrasting the Various Types of Controls 865
Control Category 868
Managerial Controls 868
Operational Controls 868
Technical Controls 868
Summary of Control Categories 869
Control Types 869
Preventative Controls 869
Detective Controls 869
Corrective Controls 870
Deterrent Controls 870
9780136770312_print.indb 34 30/05/21 4:24 pm

Table of Contents xxxv
Compensating Controls 871
Physical Controls 871
Summary of Control Types 872
Understanding the Importance of Applicable Regulations,
Chapter 32
Standards, or Frameworks That Impact Organizational Security
Posture 875
Regulations, Standards, and Legislation 878
General Data Protection Regulation 879
National, Territory, or State Laws 879
Payment Card Industry Data Security Standard (PCI DSS) 881
Key Frameworks 881
Benchmarks and Secure Configuration Guides 885
Security Content Automation Protocol 885
Understanding the Importance of Policies to Organizational
Chapter 33
Security 893
Personnel Policies 897
Privacy Policies 897
Acceptable Use 898
Separation of Duties/Job Rotation 898
Mandatory Vacations 898
Onboarding and Offboarding 899
Personnel Security Policies 900
9780136770312_print.indb 35 30/05/21 4:24 pm

xxxvi CompTIA Security+ SY0-601 Cert Guide
Diversity of Training Techniques 900

User Education and Awareness Training 901
Third-Party Risk Management 902
Data Concepts 904
Understanding Classification and Governance 904
Data Retention 906
Credential Policies 906
Organizational Policies 908
Change Management and Change Control 909
Asset Management 909
Chapter 34 Summarizing Risk Management Processes and Concepts 913
Risk Types 917
Risk Management Strategies 918
Risk Analysis 919
Qualitative Risk Assessment 921
Quantitative Risk Assessment 922
Disaster Analysis 924
Business Impact Analysis 926
Disaster Recovery Planning 928
Understanding Privacy and Sensitive Data Concepts in Relation to
Chapter 35
Security 935
Organizational Consequences of Privacy and Data Breaches 940
9780136770312_print.indb 36 30/05/21 4:24 pm

Table of Contents xxxvii
Notifications of Breaches 941
Data Types and Asset Classification 941
Personally Identifiable Information and Protected Health
Information 943
PII 943
PHI 944
Privacy Enhancing Technologies 944
Roles and Responsibilities 945
Information Lifecycle 947
Impact Assessment 948
Terms of Agreement 948
Privacy Notice 949
Part VI: Final Preparation

Chapter 36 Final Preparation 953
Hands-on Activities 953
Suggested Plan for Final Review and Study 953
Summary 954
Glossary of Key Terms 955

Appendix A Answers to the “Do I Know This Already?” Quizzes
and Review Questions 1023
Appendix B CompTIA Security+ (SY0-601) Cert Guide Exam Updates 1087
Index 1089
Online Elements:
Appendix C Study Planner
Glossary of Key Terms
9780136770312_print.indb 37 30/05/21 4:24 pm

xxxviii CompTIA Security+ SY0-601 Cert Guide
About the Authors
Omar Santos is an active member of the cybersecurity community, where he leads

several industry-wide initiatives. He is a best-selling author and trainer. Omar is the
author of more than 20 books and video courses, as well as numerous white papers,
articles, and security configuration guidelines and best practices. Omar is a principal
engineer of the Cisco Product Security Incident Response Team (PSIRT), Security
Research and Operations, where he mentors and leads engineers and incident man-
agers during the investigation and resolution of cybersecurity vulnerabilities.
Omar co-leads the DEF CON Red Team Village, is the chair of the Common Secu-
rity Advisory Framework (CSAF) technical committee, is the co-chair of the Forum
of Incident Response and Security Teams (FIRST) Open Source Security working
group, and has been the chair of several initiatives in the Industry Consortium for
Advancement of Security on the Internet (ICASI). His active role helps businesses,
academic institutions, state and local law enforcement agencies, and other partici-
pants dedicated to increasing the security of their critical infrastructures. You can
find additional information about Omar’s current projects at h4cker.org and can
follow Omar on Twitter @santosomar.
Ron Taylor has been in the information security field for more than 20 years work-
ing in various areas focusing on both offense and defense security roles. Ten of those
years were spent in consulting. In 2008, he joined the Cisco Global Certification
Team as an SME in information assurance. From there, he moved into a position
with the Security Research and Operations group, where his focus was mostly on
penetration testing of Cisco products and services. He was also involved in develop-
ing and presenting security training to internal development and test teams glob-
ally, and provided consulting support to many product teams as an SME on product
security testing. His next role was incident manager for the Cisco Product Security
Incident Response Team (PSIRT). Currently, Ron is a security architect specializing
in the Cisco security product line. He has held a number of industry certifications,
including GPEN, GWEB, GCIA, GCIH, GWAPT, RHCE, CCSP, CCNA, CISSP,
PenTest+, and MCSE. Ron has also authored books and video courses, teaches,
and is involved in organizing a number of cybersecurity conferences, including
the BSides Raleigh, Texas Cyber Summit, Grayhat, and the Red Team Village at
DEFCON.
Twitter: @Gu5G0rman
Linkedin: www.linkedin.com/in/-RonTaylor
9780136770312_print.indb 38 30/05/21 4:24 pm

About the Authors xxxix
Joseph Mlodzianowski is an information security aficionado and adventurer; he

started multiple villages at RSA Conference, DEFCON, and BLACK HAT, among
others, including founding the Red Team Village with the help of great friends.
He has been in the information technology security field for more than 25 years
working in infrastructure, security, networks, systems, design, offense, and defense.
Joseph is currently an enterprise security architect of Cisco Managed Services. He
spent more than 10 years in the Department of Defense as an operator, principal
security network engineer, and SME designing and deploying complex technologies
and supporting missions around the world in multiple theaters. He has consulted,
investigated, and provided support for multiple federal agencies over the past
15 years. Joseph continues to contribute to content, reviews, and editing in the cer-
tification testing and curriculum process. He spent almost 15 years in the energy
sector supporting refineries, pipelines, and chemical plants; specializing in industrial
control networks; and building data centers. Joseph holds a broad range of certifica-
tions, including the Cisco CCIE, CNE, CSNA, CNSS-4012, CISSP, ITILv4, NSA
IAM, NSA IEM, OIAC1180, FEMA IS-00317, ACMA, First Responder, Hazmat
Certified, Member of Bexar County Sheriff’s Office CERT, MCSE, and Certified
Hacking Investigator. He also is a founding contributor to the CyManII | Cyberse-
curity Manufacturing Innovation Institute, a member of Messaging Malware Mobile
Anti-Abuse Working Group (M3aawg.org), and founder of the Texas Cyber Summit
and Grayhat Conferences. He believes in giving back to the community and sup-
porting nonprofits.
Twitter: @Cedoxx
Linkedin: www.linkedin.com/in/mlodzianowski/
9780136770312_print.indb 39 30/05/21 4:24 pm

xl CompTIA Security+ SY0-601 Cert Guide
Dedication
I would like to dedicate this book to my lovely wife, Jeannette, and my two beautiful children,
Hannah and Derek, who have inspired and supported me throughout the development
of this book.
—Omar
I would not be where I am today without the support of my family. Mom and Dad, you taught
me the importance of work ethic and drive. Kathy, my wife of 20 years, you have supported me
and encouraged me every step of the way. Kaitlyn, Alex, and Grace, you give me the strength and
motivation to keep doing what I do.
—Ron
Without faith and spiritual guidance, none of us would be where we are. I would like to thank my
Creator; Linda, my lovely wife of more than 20 years; and my daughter Lauren, for their
unwavering support, patience, and encouragement while I work multiple initiatives and projects.
—Joseph
9780136770312_print.indb 40 30/05/21 4:24 pm

Acknowledgments xli
Acknowledgments
It takes a lot of amazing people to publish a book. Special thanks go to Chris

Cleveland, Nancy Davis, Chris Crayton, and all the others at Pearson (and beyond)
who helped make this book a reality. We appreciate everything you do!
9780136770312_print.indb 41 30/05/21 4:24 pm

xlii CompTIA Security+ SY0-601 Cert Guide
About the Technical Reviewer
Chris Crayton is a technical consultant, trainer, author, and industry-leading tech-

nical editor. He has worked as a computer technology and networking instructor,
information security director, network administrator, network engineer, and
PC specialist. Chris has authored several print and online books on PC repair,
CompTIA A+, CompTIA Security+, and Microsoft Windows. He has also served as
technical editor and content contributor on numerous technical titles for several of
the leading publishing companies. He holds numerous industry certifications, has
been recognized with many professional and teaching awards, and has served as a
state-level SkillsUSA final competition judge. Chris tech edited and contributed to
this book to make it better for students and those wishing to better their lives.
9780136770312_print.indb 42 30/05/21 4:24 pm

Reader Services xliii
We Want to Hear from You!

As the reader of this book, you are our most important critic and commentator.
We value your opinion and want to know what we’re doing right, what we could
do better, what areas you’d like to see us publish in, and any other words of wisdom
you’re willing to pass our way.
We welcome your comments. You can email or write to let us know what you did or
didn’t like about this book—as well as what we can do to make our books better.
Please note that we cannot help you with technical problems related to the topic of this book.
When you write, please be sure to include this book’s title and author as well as your
name and email address. We will carefully review your comments and share them
with the author and editors who worked on the book.
Email: community@informit.com
9780136770312_print.indb 43 30/05/21 4:24 pm

xliv CompTIA Security+ SY0-601 Cert Guide
Introduction
Welcome to the CompTIA Security+ SY0-601 Cert Guide. The CompTIA Security+
certification is widely accepted as the first security certification you should attempt
to attain in your information technology (IT) career. The CompTIA Security+
certification is designed to be a vendor-neutral exam that measures your knowledge
of industry-standard technologies and methodologies. It acts as a great stepping
stone to other vendor-specific certifications and careers. We developed this book to
be something you can study from for the exam and keep on your bookshelf for later
use as a security resource.
We would like to note that it’s unfeasible to cover all security concepts in depth in
a single book. However, the Security+ exam objectives are looking for a basic level
of computer, networking, and organizational security knowledge. Keep this in mind
while reading through this text, and remember that the main goal of this text is to help
you pass the Security+ exam, not to be the master of all security. Not just yet, at least!
Good luck as you prepare to take the CompTIA Security+ exam. As you read
through this book, you will be building an impenetrable castle of knowledge, culmi-
nating in hands-on familiarity and the know-how to pass the exam.
Goals and Methods

The number one goal of this book is to help you pass the SY0-601 version of the
CompTIA Security+ certification exam. To that effect, we have filled this book and
practice exams with hundreds of questions/answers and explanations, including
two full practice exams. The exams are located in Pearson Test Prep practice test
software in a custom test environment. These tests are geared to check your knowl-
edge and ready you for the real exam.
The CompTIA Security+ certification exam involves familiarity with computer se-
curity theory and hands-on know-how. To aid you in mastering and understanding
the Security+ certification objectives, this book uses the following methods:
■■ Opening topics list: This list defines the topics to be covered in the chapter.
■■ Foundation Topics: The heart of the chapter. The text explains the topics
from a theory-based standpoint, as well as from a hands-on perspective. This
includes in-depth descriptions, tables, and figures that are geared to build your
knowledge so that you can pass the exam. Each chapter covers a full objective
from the CompTIA Security+ exam blueprint.
■■ Key Topics: The Key Topic icons indicate important figures, tables, and lists
of information that you should know for the exam. They are interspersed
throughout the chapter and are listed in table format at the end of the chapter.
9780136770312_print.indb 44 30/05/21 4:24 pm

Introduction xlv
■■ Key Terms: Key terms without definitions are listed at the end of each chap-
ter. See whether you can define them, and then check your work against the
complete key term definitions in the glossary.
■■ Review Questions: These quizzes and answers with explanation are meant to
gauge your knowledge of the subjects. If an answer to a question doesn’t come
readily to you, be sure to review that portion of the chapter.
■■ Practice Exams: The practice exams are included in the Pearson Test Prep
practice test software. These exams test your knowledge and skills in a realistic
testing environment. Take them after you have read through the entire book.
Master one; then move on to the next.
Who Should Read This Book?

This book is for anyone who wants to start or advance a career in computer security.
Readers of this book can range from persons taking a Security+ course to individuals
already in the field who want to keep their skills sharp or perhaps retain their job due
to a company policy mandating they take the Security+ exam. Some information assur-
ance professionals who work for the Department of Defense or have privileged access to
DoD systems are required to become Security+ certified as per DoD directive 8570.1.
This book is also designed for people who plan on taking additional security-related
certifications after the CompTIA Security+ exam. The book is designed in such a
way to offer an easy transition to future certification studies.
Although not a prerequisite, it is recommended that CompTIA Security+ candidates
have at least two years of IT administration experience with an emphasis on security.
The CompTIA Network+ certification is also recommended as a prerequisite. Be-
fore you begin your Security+ studies, it is expected that you understand computer
topics such as how to install operating systems and applications, and networking
topics such as how to configure IP, what a VLAN is, and so on. The focus of this
book is to show how to secure these technologies and protect against possible ex-
ploits and attacks. Generally, for people looking to enter the IT field, the CompTIA
Security+ certification is attained after the A+ and Network+ certifications.
CompTIA Security+ Exam Topics

If you haven’t downloaded the Security+ certification exam objectives, do it now
from CompTIA’s website: https://certification.comptia.org/. Save the PDF file and
print it out as well. It’s a big document; review it carefully. Use the exam objectives
list and acronyms list to aid in your studies while you use this book.
The following tables are excerpts from the exam objectives document. Table I-1 lists
the CompTIA Security+ domains and each domain’s percentage of the exam.
9780136770312_print.indb 45 30/05/21 4:24 pm

xlvi CompTIA Security+ SY0-601 Cert Guide
Table I-1 CompTIA Security+ Exam Domains

Domain Exam Topic % of Exam
1.0 Attacks, Threats, and Vulnerabilities 24%
2.0 Architecture and Design 21%
3.0 Implementation 25%
4.0 Operations and Incident Response 16%
5.0 Governance, Risk, and Compliance 14%
The Security+ domains are then further broken down into individual objectives.
Table I-2 lists the CompTIA Security+ exam objectives and their related chapters in
this book. It does not list the bullets and sub-bullets for each objective.
Table I-2 CompTIA Security+ Exam Objectives

Objective Chapter(s)
1.1 Compare and contrast different types of social engineering techniques. 1
1.2 Given a scenario, analyze potential indicators to determine the type 2
of attack.
1.3 Given a scenario, analyze potential indicators associated with 3
application attacks.
1.4 Given a scenario, analyze potential indicators associated with 4
network attacks.
1.5 Explain different threat actors, vectors, and intelligence sources. 5
1.6 Explain the security concerns associated with various types of 6
vulnerabilities.
1.7 Summarize the techniques used in security assessments. 7
1.8 Explain the techniques used in penetration testing. 8
2.1 Explain the importance of security concepts in an enterprise environment. 9
2.2 Summarize virtualization and cloud computing concepts. 10
2.3 Summarize secure application development, deployment, and 11
automation concepts.
2.4 Summarize authentication and authorization design concepts. 12
2.5 Given a scenario, implement cybersecurity resilience. 13
2.6 Explain the security implications of embedded and specialized systems. 14
2.7 Explain the importance of physical security controls. 15
2.8 Summarize the basics of cryptographic concepts. 16
3.1 Given a scenario, implement secure protocols. 17
9780136770312_print.indb 46 30/05/21 4:24 pm

Introduction xlvii
Objective Chapter(s)
3.2 Given a scenario, implement host or application security solutions. 18
3.3 Given a scenario, implement secure network designs. 19
3.4 Given a scenario, install and configure wireless security settings. 20
3.5 Given a scenario, implement secure mobile solutions. 21
3.6 Given a scenario, apply cybersecurity solutions to the cloud. 22
3.7 Given a scenario, implement identity and account management controls. 23
3.8 Given a scenario, implement authentication and authorization solutions. 24
3.9 Given a scenario, implement public key infrastructure. 25
4.1 Given a scenario, use the appropriate tool to assess organizational security. 26
4.2 Summarize the importance of policies, processes, and procedures 27
for incident response.
4.3 Given an incident, utilize appropriate data sources to support an 28
investigation.
4.4 Given an incident, apply mitigation techniques or controls to secure 29
an environment.
4.5 Explain the key aspects of digital forensics. 30
5.1 Compare and contrast various types of controls. 31
5.2 Explain the importance of applicable regulations, standards, or 32
frameworks that impact organizational security posture.
5.3 Explain the importance of policies to organizational security. 33
5.4 Summarize risk management processes and concepts. 34
5.5 Explain privacy and sensitive data concepts in relation to security. 35
Companion Website
Register this book to get access to the Pearson Test Prep practice test software and
other study materials plus additional bonus content. Check this site regularly for
new and updated postings written by the authors that provide further insight into
the more troublesome topics on the exam. Be sure to check the box that you would
like to hear from us to receive updates and exclusive discounts on future editions of
this product or related products.
To access this companion website, follow these steps:
1. Go to www.pearsonitcertification.com/register and log in or create a
new account.
9780136770312_print.indb 47 30/05/21 4:24 pm

xlviii CompTIA Security+ SY0-601 Cert Guide
2. On your Account page, tap or click the Registered Products tab, and then tap
or click the Register Another Product link.
3. Enter this book’s ISBN (9780136770312).
4. Answer the challenge question as proof of book ownership.
5. Tap or click the Access Bonus Content link for this book to go to the page
where your downloadable content is available.
Please note that many of our companion content files can be very large, especially
image and video files.
If you are unable to locate the files for this title by following the preceding steps,
please visit http://www.pearsonitcertification.com/contact and select the “Site
Problems/Comments” option. Our customer service representatives will assist you.
Pearson Test Prep Practice Test Software

As noted previously, this book comes complete with the Pearson Test Prep practice
test software containing two full exams. These practice tests are available to you ei-
ther online or as an offline Windows application. To access the practice exams that
were developed with this book, please see the instructions in the card inserted in the
sleeve in the back of the book. This card includes a unique access code that enables
you to activate your exams in the Pearson Test Prep software.
NOTE The cardboard sleeve in the back of this book includes a piece of paper. The
paper lists the activation code for the practice exams associated with this book. Do not
lose the activation code. On the opposite side of the paper from the activation code is
a unique, one-time-use coupon code for the purchase of the Premium Edition eBook
and Practice Test.
Accessing the Pearson Test Prep Software Online

The online version of this software can be used on any device with a browser and
connectivity to the Internet including desktop machines, tablets, and smartphones.
To start using your practice exams online, simply follow these steps:
1. Go to www.PearsonTestPrep.com and select Pearson IT Certification
as your product group.
2. Enter your email/password for your account. If you do not have an account on
PearsonITCertification.com or InformIT.com, you will need to establish one
by going to PearsonITCertification.com/join.
9780136770312_print.indb 48 30/05/21 4:24 pm

Introduction xlix
3. On the My Products tab, tap or click the Activate New Product button.
4. Enter this book’s activation code and click Activate.
5. The product will now be listed on your My Products tab. Tap or click the
Exams button to launch the exam settings screen and start your exam.
Accessing the Pearson Test Prep Software Offline

If you wish to study offline, you can download and install the Windows version of
the Pearson Test Prep software. There is a download link for this software on the
book’s companion website, or you can just enter this link in your browser:
http://www.pearsonitcertification.com/content/downloads/pcpt/engine.zip
To access the book’s companion website and the software, simply follow these steps:
1. Register your book by going to http://www.pearsonitcertification.com/register
and entering the ISBN: 9780136770312.
2. Respond to the challenge questions.
3. Go to your account page and select the Registered Products tab.
4. Click the Access Bonus Content link under the product listing.
5. Click the Install Pearson Test Prep Desktop Version link under the
Practice Exams section of the page to download the software.
6. Once the software finishes downloading, unzip all the files on your computer.
7. Double-click the application file to start the installation, and follow the
onscreen instructions to complete the registration.
8. Once the installation is complete, launch the application and click the Activate
Exam button on the My Products tab.
9. Click the Activate a Product button in the Activate Product Wizard.
10. Enter the unique access code found on the card in the sleeve in the back of
your book and click the Activate button.
11. Click Next and then the Finish button to download the exam data to your
application.
12. You can now start using the practice exams by selecting the product and click-
ing the Open Exam button to open the exam settings screen.
Note that the offline and online versions will synch together, so saved exams and
grade results recorded on one version will be available to you on the other as well.
9780136770312_print.indb 49 30/05/21 4:24 pm

l CompTIA Security+ SY0-601 Cert Guide
Customizing Your Exams

Once you are in the exam settings screen, you can choose to take exams in one of
three modes:
■■ Study Mode
■■ Practice Exam Mode
■■ Flash Card Mode
Study Mode enables you to fully customize your exams and review answers as you
are taking the exam. This is typically the mode you would use first to assess your
knowledge and identify information gaps. Practice Exam Mode locks certain cus-
tomization options, as it is presenting a realistic exam experience. Use this mode
when you are preparing to test your exam readiness. Flash Card Mode strips out
the answers and presents you with only the question stem. This mode is great for
late-stage preparation when you really want to challenge yourself to provide answers
without the benefit of seeing multiple-choice options. This mode will not provide
the detailed score reports that the other two modes will, so it should not be used if
you are trying to identify knowledge gaps.
In addition to these three modes, you will be able to select the source of your ques-
tions. You can choose to take exams that cover all of the chapters or you can narrow
your selection to just a single chapter or the chapters that make up specific parts in
the book. All chapters are selected by default. If you want to narrow your focus to
individual chapters, simply deselect all the chapters and then select only those on
which you wish to focus in the Objectives area.
You can also select the exam banks on which to focus. Each exam bank comes com-
plete with a full exam of questions that cover topics in every chapter. You can have
the test engine serve up exams from all banks or just from one individual bank by
selecting the desired banks in the exam bank area.
There are several other customizations you can make to your exam from the exam
settings screen, such as the time of the exam, the number of questions served up,
whether to randomize questions and answers, whether to show the number of cor-
rect answers for multiple-answer questions, or whether to serve up only specific
types of questions. You can also create custom test banks by selecting only questions
that you have marked or questions on which you have added notes.
Updating Your Exams

If you are using the online version of the Pearson Test Prep software, you should al-
ways have access to the latest version of the software as well as the exam data. If you
are using the Windows desktop version, every time you launch the software, it will
check to see if there are any updates to your exam data and automatically download
9780136770312_print.indb 50 30/05/21 4:24 pm

Introduction li
any changes that were made since the last time you used the software. This requires
that you are connected to the Internet at the time you launch the software.
Sometimes, due to many factors, the exam data may not fully download when you
activate your exam. If you find that figures or exhibits are missing, you may need to
manually update your exams.
To update a particular exam you have already activated and downloaded, simply
select the Tools tab and click the Update Products button. Again, this is only an
issue with the desktop Windows application.
If you wish to check for updates to the Pearson Test Prep exam engine software,
Windows desktop version, simply select the Tools tab and click the Update
Application button. This will ensure you are running the latest version of the
software engine.
Premium Edition eBook and Practice Tests

This book also includes an exclusive offer for 80 percent off the Premium Edition
eBook and Practice Tests edition of this title. Please see the coupon code included
with the cardboard sleeve for information on how to purchase the Premium Edition.
9780136770312_print.indb 51 30/05/21 4:24 pm

lii CompTIA Security+ SY0-601 Cert Guide
Figure Credits
Cover image: TippaPatt/Shutterstock
Chapter opener image: Charlie Edwards/Photodisc/Getty Images
Figures 4-2 and 4-3 courtesy of Cisco Systems, Inc
Figure 5-1 © 2015-2021, The MITRE Corporation
Figure 7-5 courtesy of Cisco Systems, Inc
Figures 10-1, 10-7, 10-10 courtesy of Cisco Systems, Inc
Figure 10-8 © 2021, Amazon Web Services, Inc
Figure 12-3 courtesy of Secret Double Octopus
Figure 12-4 courtesy of Active-Directory-FAQ
Figure 12-5 courtesy of Robert Koczera/123RF
Figures 13-1 and 13-2 © AsusTek Computer Inc.
Figure 14-1 Raspberry Pi courtesy of handmadepictures/123RF
Figure 14-3 courtesy of CSS Electronics
Figure 14-4 courtesy of strajinsky/Shutterstock
Figure 14-5 courtesy of RingCentral
Figures 14-6 and 15-4 from rewelda/Shutterstock
Figure 15-1 courtesy of Kyryl Gorlov/123RF
Figure 15-2 courtesy of Aliaksandr Karankevich/123RF
Figures 16-9 and 16-10 courtesy of ssl2buy.com
Figure 17-1 courtesy of hostinger.com
Figure 17-3 courtesy of wiki.innovaphone.com
Figure 17-4 courtesy of Adaptive Digital Technologies
Figure 18-4 © Microsoft 2021
Figure 18-5 courtesy of Microsoft Corporation
Figure 18-7 courtesy of Checkmarx Ltd
Figures 19-5, 19-8 through 19-11, 19-15, and 19-16 courtesy of Cisco Systems, Inc
Figures 20-2 and Figure 24-4 © Microsoft 2021
Figure 20-4 © D-Link Corporation
Figures 21-1 and 21-2 © 1992-2020 Cisco
Figures 23-5 through 23-9 © Microsoft 2021
Figures 24-6 through 24-10 © Microsoft 2021
Figures 25-1 and 25-2 ©1998–2021 Mozilla Foundation
Figure 26-1 © OffSec Services Limited 2021
Figures 26-2, 26-5, 26-6, 26-10 through 26-15, 26-18, 26-19 © 2021 The Linux Foundation
Figures 26-3, 26-4, 26-7 through 26-9 © Microsoft 2021
Figure 26-16 © 2021 Tenable, Inc
Figure 26-17 © 2010-2020, Cuckoo Foundation
Figure 26-21 © Wireshark Foundation
Figure 26-22 © X-Ways Software Technology AG
Figure 27-4 courtesy of Evolve IP, LLC
Figure 28-1 © 2021 Tenable, Inc
9780136770312_print.indb 52 30/05/21 4:24 pm

Figure Credits liii
Figure 28-2 © 2021 LogRhythm, Inc

Figure 28-3 © MaxBelkov
Figure 28-4 © 1992-2020 Cisco
Figure 28-5, 28-6, 28-10, 28-11, and 28-18 © Microsoft 2021
Figures 28-7 through 28-9, 28-14, and 28-15 © 2021 The Linux Foundation
Figures 28-12 and 28-13 © 1992-2020 Cisco
Figure 28-16 © 2021 NXLog Ltd
Figure 28-20 © 2021 SolarWinds Worldwide, LLC
Figure 28-21 © 2003-2021 sFlow.org
Figure 28-22 © Plixer, LLC
Figures 29-1 and 29-2 © Microsoft 2021
9780136770312_print.indb 53 30/05/21 4:24 pm

CHAPTER 7
Summarizing the
Techniques Used in
Security Assessments
This chapter starts by introducing threat hunting and how the threat-hunting
process leverages threat intelligence. Then you learn about vulnerability man-
agement tasks, such as keeping up with security advisories and performing
vulnerability scans. You also learn about the importance of collecting logs (such
as system logs [syslogs]) and analyzing those logs in a Security Information and
Event Management (SIEM) system. In addition, you learn how security tools
and solutions have evolved to provide Security Orchestration, Automation, and
Response (SOAR) capabilities to better defend your network, your users, and
your organizations overall.
“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz enables you to assess whether you should
read this entire chapter thoroughly or jump to the “Chapter Review Activities”
section. If you are in doubt about your answers to these questions or your
own assessment of your knowledge of the topics, read the entire chapter.
Table 7-1 lists the major headings in this chapter and their corresponding “Do
I Know This Already?” quiz questions. You can find the answers in Appendix A,
“Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”
Table 7-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section Questions
Threat Hunting 1–3
Vulnerability Scans 4–6
Syslog and Security Information and Event Management (SIEM) 7–8
Security Orchestration, Automation, and Response (SOAR) 9–10
9780136770312_print.indb 171 30/05/21 4:25 pm

172 CompTIA Security+ SY0-601 Cert Guide
CAUTION The goal of self-assessment is to gauge your mastery of the topics in this
chapter. If you do not know the answer to a question or are only partially sure of the
answer, you should mark that question as wrong for purposes of the self-assessment.
Giving yourself credit for an answer you correctly guess skews your self-assessment
results and might provide you with a false sense of security.
1. What is the act of proactively and iteratively looking for threats in your
organization that may have bypassed your security controls and monitoring
capabilities?
a. Threat intelligence
b. Threat hunting
c. Threat binding
d. None of these answers are correct.
2. Which of the following provides a matrix of adversary tactics, techniques, and

procedures that modern attackers use?
a. ATT&CK
b. CVSS
c. CVE
d. All of these answers are correct.
3. Which identifier is assigned to disclosed vulnerabilities?

a. CVE
b. CVSS
c. ATT&CK
d. TTP
4. Which broad term describes a situation in which a security device triggers an

alarm, but no malicious activity or actual attack is taking place?
a. False negative
b. True negative
c. False positive
d. True positive
9780136770312_print.indb 172 30/05/21 4:25 pm

Chapter 7: Summarizing the Techniques Used in Security Assessments 173
5. Which of the following is a successful identification of a security attack or a

malicious event?
a. True positive
b. True negative
c. False positive
d. False negative
6. Which of the following occurs when a vulnerability scanner logs in to the

targeted system to perform deep analysis of the operating system, running
applications, and security misconfigurations?
a. Credentialed scan
b. Application scan
c. Noncredentialed scan
7. Which of the following are functions of a SIEM?

a. Log collection
b. Log normalization
c. Log correlation
8. Which solution allows security analysts to collect network traffic metadata?

a. NetFlow
b. SIEM
c. SOAR
9. Which solution provides capabilities that extend beyond traditional SIEMs?

a. SOAR
b. CVSS
c. CVE
d. IPFIX
9780136770312_print.indb 173 30/05/21 4:25 pm

10. Which of the following can be capabilities and benefits of a SOAR solution?
a. Automated vulnerability assessment
b. SOC playbooks and runbook automation
c. Orchestration of multiple SOC tools
9780136770312_print.indb 174 30/05/21 4:25 pm

Foundation Topics
Threat Hunting
No security product or technology in the world can detect and block all security
threats in the continuously evolving threat landscape (regardless of the vendor or
how expensive it is). This is why many organizations are tasking senior analysts
in their computer security incident response team (CSIRT) and their security
operations center (SOC) to hunt for threats that may have bypassed any security
controls that are in place. This is why threat hunting exists.
Threat hunting is the act of proactively and iteratively looking for threats in
your organization. This chapter covers details about threat-hunting practices, the
operational challenges of a threat-hunting program, and the benefits of a threat-
hunting program.
The threat-hunting process requires deep knowledge of the network and often is
performed by SOC analysts (otherwise known as investigators, threat hunters, tier 2
or tier 3 analysts, and so on). Figure 7-1 illustrates the traditional SOC tiers and
where threat hunters typically reside. In some organizations (especially small
organizations), threat hunting could be done by anyone in the SOC because the
organization may not have a lot of resources (analysts). The success of threat hunting
completely depends on the maturity of the organization and the resources available.
Senior SOC Analysts

Typical Threat Hunters
Tier 3
Mid-level to Senior
SOC Analysts
Tier 2
Junior SOC Analysts Tier 1
FIGURE 7-1 The SOC Tiers
9780136770312_print.indb 175 30/05/21 4:25 pm

Some organizations might have a dedicated team within or outside the SOC to per-
form threat hunting. However, one of the common practices is to have the hunters
embedded within the SOC.
Threat hunters assume that an attacker has already compromised the network.
Consequently, they need to come up with a hypothesis of what is compromised and
how an adversary could have performed the attack. For the threat hunting to be suc-
cessful, hunters need to be aware of the adversary tactics, techniques, and procedures
(TTPs) that modern attackers use. This is why many organizations use MITRE’s
ATT&CK framework to be able to learn about the tactics and techniques of adver-
saries. Later in this chapter you learn more about how MITRE’s ATT&CK can be
used in threat hunting.
Threat hunting is not a new concept. Many organizations have performed threat
hunting for a long time. However, in the last decade many organizations have
adopted new ways to enhance the threat-hunting process with automation and
orchestration.
Threat hunting is not the same as the traditional SOC incident response (reactive)
activities. Threat hunting is also not the same as vulnerability management (the pro-
cess of patching vulnerabilities across the systems and network of your organization,
including cloud-based applications in some cases). However, some of the same tools
and capabilities may be shared among threat hunters, SOC analysts, and vulner-
ability management teams. Tools and other capabilities such as data analytics, TTPs,
vulnerability feeds, and threat feeds may be used across the different teams and ana-
lysts in an organization.
A high-level threat-hunting process includes the following steps:
Step 1. Threat hunting starts with a trigger based on an anomaly, threat intelli-
gence, or a hypothesis (what could an attacker have done to the organiza-
tion?). From that moment you should ask yourself: “Do we really need to
perform this threat-hunting activity?” or “What is the scope?”
Step 2. Then you identify the necessary tools and methodologies to conduct the
hunt.
Step 3. Once the tools and methodologies are identified, you reveal new attack
patterns, TTPs, and so on.
Step 4. You refine your hunting tactics and enrich them using data analytics.
Steps 2–3 can take one cycle or be iterative and involve multiple loops
(depending on what you find and what additional data and research need
to be done).
9780136770312_print.indb 176 30/05/21 4:25 pm

Step 5. A successful outcome could be that you identify and mitigate the threat.
However, you need to recognize that in some cases this may not be the
case. You may not have the necessary tools and capabilities, or there
was no actual threat. This is why the success of your hunting program
depends on the maturity of your capabilities and organization as a whole.
You can measure the maturity of your threat-hunting program within your organiza-
tion in many ways. Figure 7-2 shows a matrix that can be used to evaluate the matu-
rity level of your organization against different high-level threat-hunting elements.
These threat-hunting maturity levels can be categorized as easily as level 1, 2, and 3,
or more complex measures can be used.
When it comes to threat intelligence and threat hunting, automation is key! Many
organizations are trying to create threat intelligence fusion techniques to automati-
cally extract threat intelligence data from heterogeneous sources to analyze such
data. The goal is for the threat hunter and network defender to maneuver quickly—
and faster than the attacker. This way, you can stay one step ahead of threat actors
and be able to mitigate the attack.
Security Advisories and Bulletins

In Chapter 5, “Understanding Different Threat Actors, Vectors, and Intelligence
Sources,” you learned how vendors, coordination centers, security researchers, and
others publish security advisories and bulletins to disclose vulnerabilities. Most of
the vulnerabilities disclosed to the public are assigned Common Vulnerability and
Exposure (CVE) identifiers. CVE is a standard created by MITRE (www.mitre.org)
that provides a mechanism to assign an identifier to vulnerabilities so that you can
correlate the reports of those vulnerabilities among sites, tools, and feeds.
NOTE You can obtain additional information about CVE at https://cve.mitre.org.
One of the most comprehensive and widely used vulnerability databases is the
National Vulnerability Database (NVD) maintained by the National Institute of
Standards and Technology (NIST). NVD provides information about vulnerabilities
disclosed worldwide.
NOTE You can access the NVD and the respective vulnerability feeds at
https://nvd.nist.gov.
9780136770312_print.indb 177 30/05/21 4:25 pm

178
9780136770312_print.indb 178
Threat Hunting Maturity Level
Initial (Minimal) Intermediate Innovative and Leading
Level 1 Level 2 Level 3
Limited access of threat High collection of certain types High collection of many types
Threat Intelligence and Data
intelligence and collection of of threat intelligence and data of threat intelligence and data
Collection data
Responds only to existing Combines traditional logs with Combines traditional logs with
SIEM, IPS/IDS, firewall logs, TTPs and threat intelligence TTPs and threat intelligence
CompTIA Security+ SY0-601 Cert Guide
Hypothesis Creation etc. and develops automated threat

risk scoring
Reactive alerts and SIEM Simple tools and analytics Advanced search capabilities,
Tools and Techniques for searches leveraging some visualizations, visualizations, creating new
Hunting Hypothesis Testing but mostly a manual effort tools and not depending on
traditional tools
None, only traditional SIEM Identification of indicators of Able to detect adversary TTPs,
reactive detection compromise (IoCs) and new IoCs, and create automation
TTP Detection attack trends for the SOC to routinely detect
them in the future
Threat Hunting High-level Elements

None Limited analytics and Create automated tools for
Analytics and Automation automation the SOC to routinely detect
threats in the future
FIGURE 7-2 Threat-Hunting Maturity
30/05/21 4:25 pm
Most mature vendors such as Microsoft, Intel, and Cisco publish security advisories
and bulletins in their websites and are CVE Numbering Authorities (CNAs). CNAs
can assign CVEs to disclosed vulnerabilities and submit the information to MITRE
and subsequently to NVD.
NOTE You can find additional information about CNAs at https://cve.mitre.org/cve/

cna.html.
The following links include examples of security advisories and bulletins published
by different vendors:
■■ Cisco: https://www.cisco.com/go/psirt
■■ Microsoft: https://www.microsoft.com/en-us/msrc
■■ Red Hat: https://access.redhat.com/security/security-updates
■■ Palo Alto: https://security.paloaltonetworks.com
Vulnerability disclosures in security advisories are often coordinated among mul-

tiple vendors. Most of the products and applications developed nowadays use open-
source software. Vulnerabilities in open-source software could affect hundreds or
thousands of products and applications in the industry. In addition, vulnerabilities
in protocols such as TLS, TCP, BGP, OSPF, and WPA could also affect numerous
products and software. Patching open-source and protocol-related vulnerabilities
among upstream and downstream vendors is not an easy task and requires good
coordination. Figure 7-3 shows the high-level process of a coordinated vulnerability
disclosure and underlying patching.
“Defenders”
Coordination (i.e., Security
Center Vendors)
...
Upstream Downstream
Vendor One or More
Vendor
Vulnerability (End User)

Finder Technology
Consumer
...
Upstream Downstream
One or More
Vendor Vendor
FIGURE 7-3 Coordinated Vulnerability Disclosures
9780136770312_print.indb 179 30/05/21 4:25 pm

The following steps are illustrated in Figure 7-3:

1. The finder (this can be anyone—a security researcher, customer, security
company, an internal employee of a vendor) finds a security vulnerability and
reports it to a vendor. The finder can also contact a vulnerability coordination
center (such as www.cert.org) to help with the coordination and disclosure.
2. The upstream vendors triage and patch the vulnerability.
3. There could be one or more downstream vendors that also need to patch the
vulnerability. In some cases, the coordination center may also interact with
downstream vendors in the notification.
4. Security vendors (such as antivirus/antimalware, intrusion detection, and pre-
vention technology providers) may obtain information about the vulnerability
and create signatures or any other capabilities to help the end user detect and
mitigate an attack caused by the vulnerability.
5. The end user is notified of the patch and the vulnerability.
TIP The preceding process can take days, weeks, months, or even years! Although
this process looks very simple in an illustration like the one in Figure 7-3, it is very
complicated in practice. For this reason, the Forum of Incident Response and Secu-
rity Teams (FIRST) has created a Multi-Party Coordination and Disclosure special
interest group (SIG) to help address these challenges. You can obtain details about
guidelines and practices for multiparty vulnerability coordination and disclosure at
https://www.first.org/global/sigs/vulnerability-coordination/multiparty/.
Vulnerability Scans
Vulnerability management teams often use other tools such as vulnerability scanners
and software composition analysis (SCA) tools. Figure 7-4 illustrates how a typical
automated vulnerability scanner works.
The following are the steps illustrated in Figure 7-4. Keep in mind that vulnerability
scanners are all different, but most follow a process like this:
1. In the discovery phase, the scanner uses a tool such as Nmap to perform host
and port enumeration. Using the results of the host and port enumeration, the
scanner begins to probe open ports for more information.
2. When the scanner has enough information about the open port to determine
what software and version are running on that port, it records that informa-
tion in a database for further analysis. The scanner can use various methods to
make this determination, including banner information.
9780136770312_print.indb 180 30/05/21 4:25 pm

Target System
Sends Analyzes
1 2
Probe Response
CVE Database
3 OpenSSL 3.0 4
Nginx 1.19.2
Vulnerability Records OpenSSH 8.3 Correlates to
Scanner Response Known Security
Vulnerabilities
FIGURE 7-4 Coordinated Vulnerability Disclosures
3. The scanner tries to determine if the software that is listening on the target
system is susceptible to any known vulnerabilities. It does this by correlating
a database of known vulnerabilities against the information recorded in the
database about the target services.
4. The scanner produces a report on what it suspects could be vulnerable. Keep
in mind that these results are often false positives and need to be validated.
One of the main challenges with automated vulnerability scanners is the number
of false positives and false negatives. False positive is a broad term that describes a
situation in which a security device triggers an alarm, but no malicious activity or
actual attack is taking place. In other words, false positives are false alarms, and they
are also called benign triggers. False positives are problematic because by trigger-
ing unjustified alerts, they diminish the value and urgency of real alerts. Having too
many false positives to investigate becomes an operational nightmare, and you most
definitely will overlook real security events.
There are also false negatives, which is the term used to describe a network intru-
sion device’s inability to detect true security events under certain circumstances—in
other words, a malicious activity that is not detected by the security device.
A true positive is a successful identification of a security attack or a malicious event.
A true negative occurs when the intrusion detection device identifies an activity as
acceptable behavior and the activity is actually acceptable.
9780136770312_print.indb 181 30/05/21 4:25 pm

There are also different types of vulnerability scanners:

■■ Application scanners: Used to assess application-specific vulnerabilities and
operate at the upper layers of the OSI model
■■ Web application scanners: Used to assess web applications and web services
(such as APIs)
■■ Network and port scanners: Used to determine what TCP or UDP ports are
open on the target system
Credentialed vs. Noncredentialed

To reduce the number of false positives, some vulnerability scanners have the
capability to log in to a system to perform additional tests and see what programs,
applications, and open-source software may be running on a targeted system. These
scanners can also review logs on the target system. They can also perform configu-
ration reviews to determine if a system may be configured in an unsecure way.
Intrusive vs. Nonintrusive

Vulnerability scanners sometimes can send numerous IP packets at a very fast pace
(intrusive) to the target system. These IP packets can potentially cause negative
effects and even crash the application or system. Some scanners can be configured
in such a way that you can throttle the probes and IP packets that it sends to the tar-
get system in order to be nonintrusive and to not cause any negative effects in the
system.
Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (or CVSS) is an industry standard used
to convey information about the severity of vulnerabilities. In CVSS, a vulnerability
is evaluated under three aspects, and a score is assigned to each of them. These three
aspects (or groups) are the base, temporal, and environmental groups.
■■ The base group represents the intrinsic characteristics of a vulnerability that
are constant over time and do not depend on a user-specific environment. This
is the most important information and the only mandatory information to
obtain for a vulnerability score.
■■ The temporal group assesses the vulnerability as it changes over time.
■■ The environmental group represents the characteristic of a vulnerability tak-
ing into account the organization’s environment.
9780136770312_print.indb 182 30/05/21 4:25 pm

The CVSS score is obtained by taking into account the base, temporal, and environ-
mental group information. The score for the base group is between 0 and 10, where
0 is the least severe and 10 is assigned to highly critical vulnerabilities (for example,
for vulnerabilities that could allow an attacker to remotely compromise a system
and get full control). Additionally, the score comes in the form of a vector string that
identifies each of the components used to make up the score. The formula used to
obtain the score takes into account various characteristics of the vulnerability and
how the attacker is able to leverage these characteristics. CVSS defines several char-
acteristics for the base, temporal, and environmental groups.
TIP You can read and refer to the latest CVSS specification documentation, exam-
ples of scored vulnerabilities, and a calculator at www.first.org/cvss.
The base group defines exploitability metrics that measure how the vulnerability can
be exploited, and impact metrics that measure the impact on confidentiality, integ-
rity, and availability. In addition to these two, a metric called scope change (S) is used
to convey the impact on systems that are affected by the vulnerability but do not
contain vulnerable code.
Exploitability metrics include the following:
■■ Attack Vector (AV): Represents the level of access an attacker needs to have
to exploit a vulnerability. It can assume four values:
■■ Network (N)
■■ Adjacent (A)
■■ Local (L)
■■ Physical (P)
■■ Attack Complexity (AC): Represents the conditions beyond the attacker’s

control that must exist in order to exploit the vulnerability. The values can be
one of the following:
■■ Low (L)
■■ High (H)
■■ Privileges Required (PR): Represents the level of privileges an attacker must

have to exploit the vulnerability. The values are as follows:
■■ None (N)
■■ Low (L)
■■ High (H)
9780136770312_print.indb 183 30/05/21 4:25 pm

■■ User Interaction (UI): Captures whether user interaction is needed to per-

form an attack. The values are as follows:
■■ None (N)
■■ Required (R)
■■ Scope (S): Captures the impact on systems other than the system being
scored. The values are as follows:
■■ Unchanged (U)
■■ Changed (C)
The Impact metrics include the following:

■■ Confidentiality Impact (C): Measures the degree of impact to the confiden-
tiality of the system. It can assume the following values:
■■ Low (L)
■■ Medium (M)
■■ High (H)
■■ Integrity Impact (I): Measures the degree of impact to the integrity of the
system. It can assume the following values:
■■ Low (L)
■■ Medium (M)
■■ High (H)
■■ Availability Impact (A): Measures the degree of impact to the availability of

the system. It can assume the following values:
■■ Low (L)
■■ Medium (M)
■■ High (H)
The temporal group includes three metrics:

■■ Exploit code maturity (E): Measures whether or not public exploits are
available
9780136770312_print.indb 184 30/05/21 4:25 pm

■■ Remediation Level (RL): Indicates whether a fix or workaround is available

■■ Report Confidence (RC): Indicates the degree of confidence in the existence
of the vulnerability
The environmental group includes two main metrics:

■■ Security Requirements (CR, IR, AR): Indicate the importance of confiden-
tiality, integrity, and availability requirements for the system
■■ Modified Base Metrics (MAV, MAC, MAPR, MUI, MS, MC, MI, MA):
Allow the organization to tweak the base metrics based on specific characteris-
tics of the environment
For example, a vulnerability that could allow a remote attacker to crash the system
by sending crafted IP packets would have the following values for the base metrics:
■■ Access Vector (AV) would be Network because the attacker can be anywhere
and can send packets remotely.
■■ Attack Complexity (AC) would be Low because it is trivial to generate mal-
formed IP packets.
■■ Privilege Required (PR) would be None because no privileges are required by
the attacker on the target system.
■■ User Interaction (UI) would also be None because the attacker does not need
to interact with any user of the system in order to carry out the attack.
■■ Scope (S) would be Unchanged if the attack does not cause other systems to
fail.
■■ Confidentiality Impact (C) would be None because the primary impact is on
the availability of the system.
■■ Integrity Impact (I) would be None because the primary impact is on the avail-
ability of the system.
■■ Availability Impact (A) would be High because the device becomes completely
unavailable while crashing and reloading.
CVSS also defines a mapping between a CVSS Base Score quantitative value and a
qualitative score. Table 7-2 provides the qualitative-to-quantitative score mapping.
9780136770312_print.indb 185 30/05/21 4:25 pm

Table 7-2 Qualitative-to-Quantitative Score Mapping

Rating CVSS Base Score
None 0.0
Low 0.1–3.9
Medium 4.0–6.9
High 7.0–8.9
Critical 9.0–10.0
TIP Organizations can use the CVSS score as input to their own risk management
processes to evaluate the risk related to a vulnerability and then prioritize the vulner-
ability remediation.
Logs and Security Information and Event

Management (SIEM)
Security Information and Event Management (SIEM) is a specialized device or
software used for security monitoring; it collects, correlates, and helps security
analysts analyze logs from multiple systems. SIEM typically allows for the following
functions:
■■ Log collection: This includes receiving information from devices with mul-
tiple protocols and formats, storing the logs, and providing historical reporting
and log filtering. A log collector is software that is able to receive logs from
multiple sources (data input) and in some cases offers storage capabilities and
log analysis functionality.
■■ Log normalization: This function extracts relevant attributes from logs
received in different formats and stores them in a common data model or
template. This allows for faster event classification and operations. Non-
normalized logs are usually kept for archive, historical, and forensic purposes.
■■ Log aggregation: This function aggregates information based on common
information and reduces duplicates.
■■ Log correlation: This is probably one of the most important SIEM functions.
It refers to the capability of the system to associate events gathered by various
systems, in different formats and at different times, and create a single action-
able event for the security analyst or investigator. Often the quality of SIEM is
related to the quality of its correlation engine.
9780136770312_print.indb 186 30/05/21 4:25 pm

■■ Reporting: Event visibility is also a key functionality of SIEM. Reporting

capabilities usually include real-time monitoring and historical base reports.
Most modern SIEMs also integrate with other information systems to gather addi-
tional contextual information to feed the correlation engine. For example, they can
integrate with an identity management system to get contextual information about
users or with NetFlow collectors to get additional flow-based information.
NOTE NetFlow is a technology created by Cisco to collect network metadata about

all the different “flows” of traffic on your network. There’s also the Internet Proto-
col Flow Information Export (IPFIX), which is a network flow standard led by the
Internet Engineering Task Force (IETF). IPFIX was designed to create a common,
universal standard of export for flow information from routers, switches, firewalls, and
other infrastructure devices. IPFIX defines how flow information should be formatted
and transferred from an exporter to a collector. IPFIX is documented in RFC 7011
through RFC 7015 and RFC 5103. Cisco NetFlow Version 9 is the basis and main
point of reference for IPFIX. IPFIX changes some of the terminologies of NetFlow,
but in essence they are the same principles of NetFlow Version 9.
Several commercial SIEM systems are available. Here’s a list of some commercial
SIEM solutions:
■■ Micro Focus ArcSight
■■ LogRhythm
■■ IBM QRadar
■■ Splunk
Figure 7-5 shows how SIEM can collect and process logs from routers, network
switches, firewalls, intrusion detection, and other security products that may be in
your infrastructure. It can also collect and process logs from applications, antivirus,
antimalware, and other host-based security solutions.
Security operation center analysts and security engineers often collect packet
captures during the investigation of a security incident. Packet captures provide
the greatest detail about each transaction happening in the network. Full packet
capture has been used for digital forensics for many years. However, most malware
and attackers use encryption to be able to bypass and obfuscate their transactions.
IP packet metadata can still be used to potentially detect an attack and determine
the attacker’s tactics and techniques.
9780136770312_print.indb 187 30/05/21 4:25 pm

Intrusion Detection
Firewalls and Other Security Products
Routers Switches
Applications,
Antivirus,
Antimalware, etc.
SIEM
FIGURE 7-5 SIEM Collecting and Processing Logs from Disparate Systems
One of the drawbacks of collecting full packet captures in every corner of your net-
work is the requirement for storage because packet captures in busy networks can
take a significant amount of disk space. This is why numerous organizations often
collect network metadata with NetFlow or IPFIX and store such data longer than
when collecting packet captures.
Several sophisticated security tools also provide user behavior analysis mechanisms
in order to potentially find insiders (internal attackers). Similarly, they provide
insights of user behavior even if they do not present a security threat.
Organizations can also deploy sentiment analysis tools and solutions to help moni-
tor customer sentiment and brand reputation. Often these tools can also reveal
the intent and tone behind social media posts, as well as keep track of positive or
negative opinions. Threat actors can also try to damage a company’s reputation by
creating fake accounts and bots in social media platforms like Twitter, Facebook, or
Instagram. Attackers can use these fake accounts and bots to provide negative public
comments against the targeted organization.
Security Orchestration, Automation, and

Response (SOAR)
CSIRT analysts typically work in an SOC utilizing many tools to monitor events
from numerous systems (firewalls, applications, IPS, DLP, endpoint security solu-
tions, and so on). Typically, these logs are aggregated in a SIEM. Modern SOCs also
use Security Orchestration, Automation, and Response (SOAR) systems that extend
beyond traditional SIEMs.
9780136770312_print.indb 188 30/05/21 4:25 pm

The tools in the SOC are evolving and so are the methodologies. For example, now
security analysts not only respond to basic cyber events but also perform threat
hunting in their organizations. SOAR is a set of solutions and integrations designed
to allow organizations to collect security threat data and alerts from multiple
sources. SOAR platforms take the response capabilities of SIEM to the next level.
SOAR solutions supplement, rather than replace, the SIEM. They allow the cyber-
security team to extend its reach by automating the routine work of cybersecurity
operations.
TIP Unlike traditional SIEM platforms, SOAR solutions can also be used for threat
and vulnerability management, security incident response, and security operations
automation.
Deploying SOAR and SIEM together in solutions makes the life of SOC analysts
easier. SOAR platforms accelerate incident response detection and eradication times
because they can automatically communicate information collected by SIEM with
other security tools. Several traditional SIEM vendors are changing their products
to offer hybrid SOAR/SIEM functionality.
Another term adopted in the cybersecurity industry is Extended Detection and
Response (XDR). XDR is a series of systems working together that collects and cor-
relates data across hosts, mobile devices, servers, cloud workloads, email messages,
web content, and networks, enabling visibility and context into advanced threats.
The goal of an XDR system is to allow security analysts to analyze, prioritize, hunt,
and remediate cybersecurity threats to prevent data loss and security breaches.
Chapter Review Activities

Use the features in this section to study and review the topics in this chapter.
Review Key Topics

Review the most important topics in the chapter, noted with the Key Topic icon in
the outer margin of the page. Table 7-3 lists a reference of these key topics and the
page number on which each is found.
9780136770312_print.indb 189 30/05/21 4:25 pm

Table 7-3 Key Topics for Chapter 7

Key Topic Description Page Number
Element
Paragraph Defining threat hunting 175
Paragraph Understanding security advisories, bulletins, and 177
what a CVE is
Paragraph Understanding false positives and false negatives 181
Section Credentialed vs. Noncredentialed 182
Section Intrusive vs. Nonintrusive 182
Paragraph Defining what SIEM is 186
Paragraph Understanding the SOAR concept 188
Define Key Terms

Define the following key terms from this chapter, and check your answers in the
glossary:
threat hunting, threat feeds, intelligence fusion, security advisories, Common
Vulnerability and Exposures (CVE), false positives, false negatives, true positive,
true negative, application scanners, web application scanners, network and port
scanners, review logs, configuration reviews, intrusive, nonintrusive, CVSS, base
group, temporal group, environmental group, Security Information and Event
Management (SIEM), security monitoring, log collector, data input, Log
aggregation, IPFIX, packet captures, user behavior analysis, sentiment analysis,
Security Orchestration, Automation, and Response (SOAR)
Review Questions
Answer the following review questions. Check your answers with the answer key in
Appendix A.
1. What type of vulnerability scanner can be used to assess vulnerable web
services?
2. What documents do vendors, vulnerability coordination centers, and security
researchers publish to disclose security vulnerabilities?
3. What term is used to describe an organization that can assign CVEs to
vulnerabilities?
M07_Santos_C07_p170-191.indd 190 02/06/21 1:03 pm

4. What public database can anyone use to obtain information about security
vulnerabilities affecting software and hardware products?
5. How many score “groups” are supported in CVSS?
6. A vulnerability with a CVSS score of 4.9 is considered a ___________ severity
vulnerability.
7. What is the process of iteratively looking for threats that may have bypassed
your security controls?
9780136770312_print.indb 191 30/05/21 4:25 pm

Index
Symbols identity and access management

../ (dot-dot-slash) attack 76, 274–275 (IAM) 605, 633
; (semicolon) 73 implicit deny 680
' (single quotation mark) 73 least privilege 264, 630, 681, 908
_ (underscore) 740 mandatory 676, 679
0phtCrack 44 network 510–511
2FA (two-factor authentication) 298 permissions 640–645
5G communications 357–358 cloud computing 605, 610
802.1X standard 510, 553–556, 562, inheritance 644–646
664–667, 673 open 150
types of 646
A privileged access management (PAM)
A record (Address mapping record) 796 678, 679
AAA (authentication, authorization, and role-based 677, 679
accounting) framework 306 rule-based 677, 678, 679
AAR (after action report) 928–929 summary of 679
ABAC (attribute-based access control) user access recertification 645
638–645, 678, 679 vestibules 372–373
acceptable use policies (AUPs) 898, 900 access control entries (ACEs) 643
acceptance of risk 919 access control lists (ACLs) 490, 528,
access control. See also 802.1X standard; 535, 643, 831
identity; passwords access points (APs)
access control entries (ACEs) 643 rogue 99
access control lists (ACLs) 490, 528, security 562–563
535, 643, 831 accounting, AAA framework for 306
attribute-based 638–645, 678, 679 accounts 629–633. See also access
best practices 680–681 control; passwords
centralized versus decentralized 679 administrator 908
centralized/decentralized 640 auditing 635, 639
conditional access 678, 679 harvesting 18
delegation of access 662 permissions 640–645
discretionary 674–676, 679 cloud computing 605, 610
inheritance 644–646
Z04_Santos_Index_p1089-0000.indd 1089 31/05/21 1:27 pm

1090 accounts
open 150 actors, threat

types of 646 attack vectors 122–123
policies 633 attributes of 122
root 908 types of 120–121
service 908 AD. See Active Directory (AD)
ACEs (access control entries) 643 additional or associated data (AEAD) 404
ACI (Application Centric Infrastructure) Address mapping record (A record) 796
243 Address Resolution Protocol. See ARP
acknowledgement (ACK) packets 84 (Address Resolution Protocol)
ACLs (access control lists) 490, 528, 535, address space layout randomization
643, 831 (ASLR) 76, 265, 272
acquisition, forensic addresses
artifacts 853 IPv4 443–444
cache 852 IPv6 536–537
checksums 857 MAC (media access control) 101, 511
data breach notification laws network address allocation 443–444
855–856 network address translation 501, 529, 562
definition of 847 virtual IP 488
device 850–851 administrator accounts 908
disk 848 admissibility, evidence 843
firmware 851 ADSP (Author Domain Signing
hashing 856–857 Practices) 110
integrity 856 ADUC (Active Directory Users and
network 852–853 Computers) 640
operating system 850 Advanced Encryption Standard (AES).
order of volatility 848 See AES (Advanced Encryption
on-premises versus cloud 853–854 Standard)
random-access memory (RAM) Advanced IP scanner 721
848–849 advanced persistent threats (APTs) 35,
regulatory and jurisdictional 855 120–121, 451, 770
right-to-audit clauses 854 AE (authenticated encryption) 404
snapshot 851–852 AEAD (additional or associated data) 404
swap/pagefile 849–850 aerospace application-embedded systems
Active Directory (AD) 291–292 348–350
Active Directory Certificate Services AES (Advanced Encryption Standard)
(AD CS) utility 691 412, 430, 475, 552
Active Directory Users and Computers AES-GCM 498
(ADUC) 640 AES-GMAC 498
active reconnaissance 18, 204–205 AFL (American Fuzzy Lop) 269
active/active load balancing 488 after action report (AAR) 928–929
active/passive load balancing 488 aggregation, log 186
Activity Monitor 542 aggregators 526

Apple 1091
Agile development methodology 258–259 ALTER DATABASE statement 71

agreement, terms of 948 ALTER TABLE statement 71
AH (Authentication Header) 437, 520 Alureon rootkit 35–36
AI (artificial intelligence) 50–51 always-on VPN functionality 495
AI (Asset Identification) 885, 941–942 Amazon Web Services (AWS) 232–233,
AICPA (American Institute of Certified 244, 603, 853, 870
Public Accountants) 883 American Fuzzy Lop (AFL) 269
AI/ML (artificial intelligence and American Institute of Certified Public
machine learning) 50–51 Accountants (AICPA) 883
AIR (As-if Infinitely Ranged) integer amplification attacks 112
model 77 analytics logs 383
air gaps 384, 385 Android Auto 347
air traffic control (ATC) 349–350 Angry IP scanner 721
aircraft systems 348–350 annualized loss expectancy (ALE) 922
AirMagnet 99 annualized rate of occurrence (ARO) 922
AIS (automated indicator sharing) 125 anomaly-based analysis 521–523
aisles, hot/cold 386 anonymization 945
alarms 374, 870 anti-forensics 770
ALE (annualized loss expectancy) 922 antimalware 452
alerts, SIEM 788 antivirus software 451
ALG (application-level gateway) 529 anycast addresses 537
algorithms 50–51 anything as a service (XaaS) 139, 232
Grover’s 402 AP isolation 562
hashing 218–219, 856–857 Apache
Digital Signature Algorithm (DSA) HTTP Server 146
396, 412 Mesos 240
Elliptic Curve Digital Signature web servers 794
Algorithm (ECDSA) 551–552 APIs (application programming
Message Digest Algorithm 5 (MD5) interfaces) 86
55, 219 API-based keyloggers 42
Secure Hash Algorithm (SHA) 55, attacks 55, 85–86, 602
551–552 definition of 240–241
key generation 395 infrastructure as code 241–243
message authentication code (MAC) 410 inspection and integration 607, 610
online resources 498 micro-segmentation 240–241
public key 411 security considerations 216
scheduling 488 Shodan 203–204
Shor’s 402 APP (Australia Privacy Principles) 220
signature verifying 395 Apple
signing 395 Apple Pay 462, 584
allocation, network address 443–444 CarPlay 347
allow lists 467, 578, 583, 822 macOS Activity Monitor 542

1092 appliances, network
appliances, network 513–514. See also programming testing methods

firewalls compile-time errors 266–267
aggregators 526 fuzz testing 269–270
hardware security modules (HSMs) 524 input validation 80, 267–268
jump servers 514 penetration testing 266
network intrusion detection systems runtime errors 266–267
(NIDSs) 517–518 static and dynamic code
advantages/disadvantages 519–520 analysis 269
anomaly-based analysis 521–523 stress testing 80, 266
definition of 519–520 scalability 279–280
heuristic-based analysis 521 secure coding 261–263
inline versus passive 523–524 software development environments
promiscuous mode 517 257–260
signature-based 520–521 software development lifecycle (SDLC)
stateful pattern-matching 78, 261–262, 263–265, 468, 868
recognition 521 vulnerabilities and attacks 74–75
network intrusion prevention systems API attacks 55, 85–86, 602
(NIPSs) backdoors 149, 271, 275
advantages/disadvantages 519–520 buffer overflows 75–76, 77, 149,
anomaly-based analysis 521–523 271–272, 275
definition of 518–520 code injection 149, 273–274, 276
false positives/false negatives 519 cross-site request forgery (XSRF)
heuristic-based analysis 521 149, 272, 275
inline versus passive 523–524 cross-site scripting (XSS) 54, 68–70,
signature-based 520–521 110, 149, 272, 275, 601
proxy servers 514–516 directory traversal 75–76, 149,
sensors 524–525 274–275, 276
application allow lists. See allow lists DLL injection 74
application block/deny lists. See block/ driver manipulation 89
deny lists error handling 79–82
Application Centric Infrastructure (ACI) LDAP injection 74
243 memory/buffer 77–78, 88, 149,
application development. See also 271–272, 275
application security pass the hash 89–90
application provisioning and pointer dereferencing 75–76
deprovisioning 260 privilege escalation 67–68, 201, 770
automation and scripting 278–279 race conditions 79
diversity 278 remote code execution (RCE) 78,
elasticity 279–280 146, 149, 275
integrity measurement 261 replay 82–85
Open Web Application Security Project request forgeries 85–86
(OWASP) 204, 276–277 resource exhaustion 87–88

ATC (air traffic control) 1093
SQL injection (SQLi) 54, 70–74, application service providers (ASPs) 139,
273–274 231
SSL stripping 88–89 application-aware devices 518
summary of 275–276 application-based segmentation 489–490
XML injection 74–75 application-level gateways (ALGs) 529
zero-day attack 149, 275, 276 approved lists 822
application logs 792–793 AppScan 204
application management, mobile 576–578 APs (access points)
application programming interfaces. See rogue 99
APIs (application programming security 562–563
interfaces) APT29 (Cozy Bear) 346
application scanners 182 apt-get install snmp snmpwalk command
application security 463–464, 475– 436
476, 612. See also application APTs (advanced persistent threats)
development 120–121, 451, 770
allow lists 467, 578, 583, 822 archive.org 147
application shielding 471 Arduino 340
authentication 298 ARF (Asset Reporting Format) 885
block/deny lists 467–468, 822–823 ARO (annualized rate of occurrence) 922
code signing 466–467 ARP (Address Resolution Protocol)
disk encryption 473 poisoning 105, 722
dynamic code analysis 470–471 spoofing 513
fuzzing 471 arp command 721–722
hardening 471 artifacts, forensic 853
hardware root of trust 476–477 artificial intelligence and machine
Hypertext Transfer Protocol (HTTP) learning (AI/ML) 50–51, 788
436–437, 465–466, 577 As-if Infinitely Ranged (AIR) integer
input validation 464 model 77
manual code review 470 ASLR (address space layout
mobile devices 581 randomization) 76, 265, 272
open ports/services 471–472 ASPs (application service providers) 139,
operating system 473–474 231
patch management 474–475 assertion parties (SAML) 659
registry 472 assertions 623
sandboxing 452, 478–479 assessments, security. See security
secure coding practices 468 assessments
secure cookies 465 Asset Identification (AI) 885, 941–942
self-encrypting drives (SEDs) 475–476 asset management 909–910
static code analysis 468–469 Asset Reporting Format (ARF) 885
Trusted Platform Module (TPM) asset values 921, 922
477–478 asymmetric encryption 411–413
whitelisting 578, 583 ATC (air traffic control) 349–350

1094 ATT&CK framework (MITRE)
ATT&CK framework (MITRE) 18, by characteristic attributes 625–626

128–129, 176, 205, 223, CIA (confidentiality, integrity,
767–768 availability) 289
Attack Complexity (AC) metric 183 cloud versus on-premises requirements
Attack Vector (AV) metric 183 306–307
attestation 294, 460–461 context-aware authentication 658
attribute-based access control (ABAC) definition of 289–291, 625
638–645, 678, 679 directory services 291–292
audio steganography 415–416 embedded systems 363
auditing 635, 639 Extensible Authentication Protocol
audit logs 869–870 (EAP) 553–556, 664–667
audit trails 870 EAP-FAST 556, 666
cloud computing 604, 609 EAP-MD5 556, 666
auditors 947 EAP-TLS 556, 666
AUPs (acceptable use policies) EAP-TTLS 556, 666
898, 900 LEAP 666
Australia Privacy Principles (APP) 220 PEAP 556, 666
802.1X standard 510, 553–556, 562, federation 292–293, 556–557, 658
664–667, 673 hardware security modules (HSMs) 656
AAA framework 304–306 HMAC-based one-time password
attestation 294 (HOTP) 295–296
authenticated encryption (AE) 404 Kerberos 82–83, 89, 292, 553, 668–670,
authenticated modes 404 673
authentication applications 298 by knowledge 625, 656–657
biometric systems 300, 378, 625–626, Lightweight Directory Access Protocol
869 (LDAP) 291, 442, 667–670
crossover error rate (CER) 304 injection attacks 74, 144
efficacy of 302 Lightweight Directory Access
errors with 626 Protocol over SSL (LDAPS) 432
false acceptance rate (FAR) 303, 626 logs 789–796
false rejection rate (FRR) 303, 626 multifactor 304–306, 657
fingerprints 300–301 mutual 668–670
gait analysis 302 OAuth 661–662
iris recognition 301 OpenID and OpenID Connect
retina scanning 301 663–664
vein authentication 302 by ownership 625
voice/speech recognition 302 phone call 299–300
captive portals 559 push notifications 299
Challenge-Handshake Authentication remote
Protocol 673 Challenge-Handshake
challenge-response authentication Authentication Protocol (CHAP)
(CRA) 571–572 670–672, 673

Bell-LaPadula 1095
RADIUS 556–557, 672–673 Availability Impact (I) metric 184

Remote Access Service (RAS) avalanche effect 463
670–672 avoidance, risk 918
TACACS+ 672–673 awareness, risk 921
Security Assertion Markup Language AWS (Amazon Web Services) 244, 603,
(SAML) 659–661 853
Short Message Service (SMS) 296–297 Azure 232–233, 603, 853
single sign-on (SSO) 292, 373, 624,
658–659 B
smart card 299–300, 629 backdoors 42–43, 149, 271, 275
static codes 298 background checks 899
summary of 673 backups 158
time-based one-time password (TOTP) cloud 326
295 comparison of 326–327
token key 297 copy 326
Trusted Platform Module (TPM) 294, differential 326, 328
655 disk 326
two-factor 298 full 326, 328–331
Wi-Fi Protected Setup (WPS) 558–559 image 326
authentication attacks 55, 602 incremental 326, 328
Authentication Header (AH) 437, 520 NAS (network-attached storage) 326
authentication servers 555, 665 offsite 327
authenticators 555, 665 online versus offline 326
Author Domain Signing Practices snapshot 326
(ADSP) 110 tape 326
authorization 290, 306 badges 373, 382
authorized hackers 121 baiting 19
Auto (Android) 347 balancers, load 319–320
automated indicator sharing (AIS) 125 bandwidth monitors 804
automation barricades 370–371
application development 278–279 base groups 182
auto-updates 474–475 baseband radio 359
facility 345 baselining 213, 539–542
autonomous underwater vehicles (AUVs) Bash 113
353–354 Basic Encoding Rules (BER) 697
Autopsy 747, 850 basic input/output system (BIOS) 851
AUVs (autonomous underwater vehicles) BCDR (business continuity and disaster
353–354 recovery) 139, 232
availability 289 BCPs (business continuity plans)
resource exhaustion 87–88 773–774, 929
restoration order 330–331 beamforming 560
site resiliency and 221–222 Bell-LaPadula 677

1096 benchmarks
benchmarks 885–888 blue teams 205, 902

BER (Basic Encoding Rules) 697 Bluetooth 570–571
BGP (Border Gateway Protocol) bluejacking 100, 570–571
hijacking 535–536 bluesnarfing 99–100, 570–571
BIA (business impact analysis) 773, bollards 370–371
926–927 Boolean technique 74
Biba 677 boot integrity
binaries 278 boot attestation 460–461
binary planting 74 definition of 458–459
biometric systems 300, 378, 625–626, 869 measured boot 459–460
crossover error rate (CER) 304 Unified Extensible Firmware Interface
efficacy of 302 (UEFI) 459
errors with 626 Border Gateway Protocol (BGP)
false acceptance rate (FAR) 303, 626 hijacking 535–536
false rejection rate (FRR) 303, 626 bots and botnets 37–38, 111–112, 580
fingerprints 300–301 BPAs. See blanket purchase agreements
gait analysis 302 (BPAs); business partnership
iris recognition 301 agreements (BPAs)
retina scanning 301 BPDU (Bridge Protocol Data Unit)
vein authentication 302 guard 512
voice/speech recognition 302 bring-your-own-device (BYOD) 215, 572,
BIOS (basic input/output system) 851 574–576, 581, 588–590, 826, 898
birthday attacks 56 broadcast storm prevention 512
BiSL (Business Information Services BPDU guard 512
Library) 882 DHCP snooping 512–513
Bitcoin-related SMS scams 12 loop protection 512
BitTorrent 529 MAC filtering 513
black hat hackers 121 brute-force attacks 45, 749
black-box testing 80 buckets 605
blackhole DNS servers 223 buffer overflows 75–76, 77, 149, 271–272,
Blackhole exploit kit 44, 111–112 275, 522
blacklisting 578, 583 bug bounties 202–203
blanket purchase agreements (BPAs) 903 BugCrowd 203
blind hijacking 84 building loss 925
blind SQL injection 73 burning 386
block all. See implicit deny Burp Suite Professional 204
block ciphers 411 buses, controller area network (CAN)
blockchain 409–410 347–348
block/deny lists 467–468, 578, 583, business continuity and disaster recovery
822–823 (BCDR) 139, 232
blocking 417 business continuity plans (BCPs)
Blowfish 412 773–774, 929

certificate signing requests (CSRs) 1097
business impact analysis (BIA) 773, card cloning attacks 48–49

926–927 CarPlay, Apple 347
business partnership agreements (BPAs) carrier unlocking 584
903 CAs (certificate authorities) 466, 556,
BYOD. See bring-your-own-device 689–691, 829
(BYOD) CASBs (cloud access security brokers)
142–143, 611–612, 614
C cat command 734–735
cables CBC (Cipher Block Chaining) mode 405
locks 379 CBT (computer-based training) 901
malicious USB 48 CBWFQ (class-based weighted fair
CAC (Common Access Card) 629 queuing) 536
cache CCE (Common Configuration
ARP cache poisoning 105 Enumeration) 886
caching proxy 514 CCleaner 51
DNS cache poisoning 108–110 CCPA (California Consumer Privacy Act)
forensic acquisition 852 214, 220, 880
Cain and Abel 44 CCSS (Common Configuration Scoring
California Consumer Privacy Act (CCPA) System) 886
214, 220, 880 CCTV (closed-circuit television)
call management systems (CMSs) 351 376–377, 870
Call Manager log files 799–800 CD (continuous delivery) 279
CAM (content addressable memory) 106 CDP (clean desk policy) 23, 899, 900
cameras Cellebrite 850–851
centralized versus decentralized 375 cellular connection methods and receivers
closed-circuit television (CCTV) 572–573
376–377, 870 Center for Internet Security (CIS) 164,
motion recognition 376 881, 883
object detection 376 centralized access control 640, 679
camouflage 265, 377 centralized cameras 375
CAN (controller area network) bus centralized controllers 242
347–348 CER (Canonical Encoding Rules) 697
Canada, Personal Information Protection CER (crossover error rate) 304, 626
and Electronic Data Act .cer file extension 697
(PIPEDA) 220 CERT (Community Emergency
Canonical Encoding Rules (CER) 697 Response Team) 77
capital expenditure (CapEx) 598 certificate authorities (CAs) 466, 556,
captive portals 559 689–691, 829
capture, packet. See packet capture and certificate revocation lists (CRLs) 533,
replay 689–690, 691, 829
capture the flag 902 certificate signing requests (CSRs) 689

1098 certificates
certificates 625, 626–627 CISA (Cybersecurity and Infrastructure

attributes 691–692 Security Agency) 353–354
chaining 696 Cisco
expiration 693 Application Centric Infrastructure
formats 697 (ACI) 243
pinning 698 Application Policy Infrastructure
Subject Alternative Name 693 Controller (APIC) 243
types of 694–696 Cisco Discovery Protocol (CDP) 107
updating/revoking 829–830 Email Security Appliance (ESA) 111
CFB (Cipher Feedback) mode 406 Identity Services Engine (ISE) 590
chain of custody 789, 844 Mutiny Fuzzing Framework 269
chain of trust 699 NetFlow 187, 525, 809–810
Challenge-Handshake Authentication OpenDNS 509–510
Protocol (CHAP) 673 security advisories and bulletins 179
challenge-response authentication (CRA) Talos 347
49–50, 102, 571–572 Umbrella 509
change management 909 Clark-Wilson 677
CHAP (Challenge-Handshake class-based weighted fair queuing
Authentication Protocol) 82–83, (CBWFQ) 536
670–672, 673 classification
characteristic attributes, authentication by asset 941–942
625–626 data 904–905
Check Point 518 classless interdomain routing (CIDR)
checksums 857, 870 netblock 203–204
chief information officers (CIOs) 903 clean desk policy (CDP) 23, 899, 900
chief security officers (CSOs) 930 clean pipe 112
chkdsk command 157 clickjacking 84
chmod command 644–645, 736–737 client-based VPNs (virtual private
choose-your-own-device (CYOD) 588– networks) 497
590 clientless VPNs (virtual private networks)
CI (continuous integration) 279 497, 507–508
CIA (confidentiality, integrity, availability) clientless web access 507
221, 263, 289 clients, thin 235–236, 508
CIDR (classless interdomain routing) client-side execution 267
netblock 203–204 client-side validation 268
CIOs (chief information officers) 903 clock, secure 477
Cipher Block Chaining (CBC) mode 405 cloning
Cipher Feedback (CFB) mode 406 MAC (media access control) 106
cipher suites 409–411 SIM (subscriber identity module) cards
CIRT. See incident response (IR) teams 580, 584
CIS (Center for Internet Security) 164, closed-circuit television (CCTV)
881, 883 376–377, 870

code security 1099
cloud access security brokers (CASBs) network 606–607, 610

142–143, 611–612, 614 resource policies 603, 609
cloud computing secrets management 604, 609
advantages of 138 security groups 607, 611
attacks and vulnerabilities 52–55, 123, storage 605, 610
137–143, 601–603 summary of 608–609
authentication 306–307 virtual private cloud endpoint 608,
backups 326 611
cloud access security brokers (CASBs) security solutions
142–143, 611–612, 614 application security 612
cloud service providers (CSPs) 139, cloud access security brokers
233, 598, 853–854 (CASBs) 611–612, 614
community cloud 140, 233 firewalls 613–614, 615
definition of 138 Secure Web Gateway (SWG) 613,
fog and edge computing 234–235 614
forensic acquisition 853–854 summary of 614–615
hybrid cloud 140, 233 storage
managed detection and response encryption 605
(MDR) 234 high availability 606
managed service providers (MSPs) permissions 605
233–234 replication 605
models 231–232 thin clients 235–236
off-premises versus on-premises VPCs (virtual private clouds) 607, 608,
services 234 611
private cloud 140, 232–233 Cloud Controls Matrix 884
public cloud 140, 232 Cloud Security Alliance (CSA) 139, 603,
resilience 325 884
security assessments 598 Cloud Service (Google) 603
attacks 601–603 cloud service providers (CSPs) 139, 233,
threats 598–600 598, 853–854
security controls 595, 598 Cloudflare 440
API inspection and integration 607, cloudlets 235
610 Cluster Server 488
compute 607, 611 CMSs (call management systems) 351
container security 608–609 CMSS (Common Misuse Scoring
dynamic resource allocation System) 887
607–608, 611 COBIT framework 882
high availability across zones 603, code, infrastructure as 241–243
609 code security 261–263
instance awareness 608, 611 code camouflage 265
integration and auditing 604, 609 code checking 79, 265
native versus third-party 615 code injection 149, 273–274, 276

1100 code security
code reuse 179, 270 communications

code signing 466–467, 695, 696 communication plans 771–772
dynamic code analysis 470–471 embedded systems
manual code review 470 5G 357–358
static code analysis 468–469 baseband radio 359
cold aisles 386 NarrowBand 358
cold sites 222 subscriber identity module (SIM)
collection, log 186 cards 360
collisions 55–56, 463 Zigbee 360–361
command-and-control (C2) servers community cloud 140, 233
37–38, 107 Community Emergency Response Team
commands. See individual commands (CERT) 77
comment delimiters 73 community ports 491
Common Access Card (CAC) 629 company policies 878–879
Common Configuration Enumeration compensating controls 871, 872
(CCE) 886 compilers 278
Common Configuration Scoring System compile-time errors 81–82, 266–267
(CCSS) 886 compliance, software 918
Common Misuse Scoring System computer certificates 696
(CMSS) 887 computer incident response teams. See
common names (CNs) 692 incident response (IR) teams
Common Object Request Broker computer-based training (CBT) 901
Architecture (CORBA) 86 Concealment 415
Common Platform Enumeration (CPE) concentrators, VPN 495
886 conditional access 678, 679
Common Remediation Enumeration confidence tricks 19
(CRE) 886 Confidential information 905, 941–942
Common Security Advisory Framework Confidentiality Impact (C) metric 184
(CSAF) 164 configuration management 164, 213
Common Vulnerabilities and Exposures configuration reviews 182
(CVEs), Wi-Fi 78, 125, 146, 177, mitigation techniques 824
571, 886 certificates, updating/revoking
Common Vulnerability Reporting 829–830
Framework (CVRF) 164 content filter/URL filter 828–829
Common Vulnerability Scoring System data loss prevention (DLP) 825–826
(CVSS) 182–186, 886 firewall rules 825
Common Weakness Enumeration (CWE) mobile device management (MDM)
75, 886 825–826
Common Weakness Scoring System secure configuration guides 885–888
(CWSS) 887 weak configurations 150–155

cracking passwords 1101
connection methods and receivers managerial 868

Bluetooth 570–571 operational 868, 869
cellular 572–573 physical 871–872
Global Positioning System (GPS) preventative 869, 872
572, 584 technical 868, 869
near-field communication (NFC) convert command 156
570–571 cookie hijacking 465
Radio frequency identification (RFID) cookies 465
571–572 cookies, secure 465
satellite communications (SATCOM) COOPs (continuity of operations plans)
573 774–775, 929
secure implementation best practices Coordinated Universal Time (UTC) 440,
573–574 845
containers 236–240, 608–609 COPE (corporate-owned, personally
containment, incident response (IR) enabled) environments 572, 588
763–764, 830–831 copy backups 326
content addressable memory (CAM) 106 CORBA (Common Object Request
content filters 533, 828–829 Broker Architecture) 86
content management 576–578 corporate incidents 775
context-aware authentication 658 corporate-owned, personally enabled
continuity of operations plans (COOPs) (COPE) environments 572,
774–775, 929 588–590
continuous delivery (CD) 279 corrective controls 870, 872
continuous deployment 279 correlation, log 186
continuous integration (CI) 279 correlation, Security Information and
continuous monitoring 139, 278 Event Management (SIEM)
continuous validation 278 788–789
Control Objectives for Information Counter (CTR) mode 404, 408–409
and Related Technology counterintelligence 860
(COBIT) 882 Counter-mode/CBC-MAC protocol
control systems, diversity in 332 (CCMP) 552
controller area network (CAN) bus counters, secure 477
347–348 county names, certificate 692
controller-pilot data link communications cover-files 416
(CPDLC) 349–350 Cozy Bear 346
controllers 562–563, 946 CPE (Common Platform Enumeration)
controls. See also physical security 886
compensating 871, 872 CRA (challenge-response authentication)
corrective 870, 872 49–50, 102, 571–572
detective 869–870, 872 cracking passwords 46
deterrent 870–871, 872

1102 CRE (Common Remediation Enumeration)
CRE (Common Remediation definition of 391

Enumeration) 886 digital signatures 395–396, 520
CREATE DATABASE statement 70 diversity in 331
CREATE INDEX statement 71 elliptic-curve cryptography (ECC)
CREATE TABLE statement 71 399–400
credentials encryption 159, 362
credentialed vulnerability scans 182, cloud computing 605, 610
349–350 data at rest 218
harvesting 18 data in transit/motion 218
policies 906–908 data in use/processing 218
crimeware 44 disk 473
criminal syndicates 120 entropy 419
Critical information 942 homomorphic 417
critical systems, identification of 929 international mobile subscriber
CRLs (certificate revocation lists) 533, identity (IMSI) 49, 358, 584
689–690, 691, 829 mobile device management (MDM)
crossover error rate (CER) 304, 626 578–580
cross-site request forgery (XSRF) 85–86, symmetric/asymmetric 411–413
149, 272, 275, 602 vulnerabilities 150–151
cross-site scripting (XSS) 54, 68–70, 110, entropy 419
149, 272, 275, 464, 601 keys
.crt file extension 697 ephemeral 403
cryptography 396. See also encryption; key exchanges 399
hashing; secure protocols key signing keys (KSKs) 427
algorithms 498 length of 396
blockchain 409–410 password 655
cipher suites 409–411 personal unblocking keys (PUKs)
common use cases 417–418 360
cryptographic attacks public/private 436–437
birthday 56 Secure Shell (SSH) 625, 628
collision 55–56 stretching 397
cryptographic protocols 551 zone signing keys (ZSKs) 427
Advanced Encryption Standard lightweight 414–415
(AES) 552 limitations of 418–420
Counter-mode/CBC-MAC protocol modes of operation 403–409
(CCMP) 552 authenticated 404
Simultaneous Authentication of Cipher Block Chaining (CBC) 405
Equals (SAE) 551, 552 Cipher Feedback (CFB) 406
summary of 552 counter 404
Wi-Fi Protected Access 2 (WPA2) Counter (CTR) 408–409
551 Electronic Code Book (ECB) 404
Wi-Fi Protected Access 3 (WPA3) Output Feedback (OFB) 407
551–552 unauthenticated 404

data breaches 1103
perfect forward secrecy 400–401 cyber kill chain 770–771

post-quantum 402 Cybersecurity and Infrastructure Security
Public Key Cryptography Standards Agency (CISA) 353–354
(PKCS) 412 Cybersecurity Framework (CSF) 882, 884
quantum 401–402 cybersecurity insurance 918
communications 401–402 cybersecurity resilience. See resilience
computing 402 CYOD (choose-your-own-device) 588
definition of 401
salting 397–398, 462–463 D
steganography 415 DAC (discretionary access control)
audio 415–416 674–676, 679
homomorphic 417 DAEAD (deterministic authenticated
image 416–417 encryption with associated data)
video 416 404
cryptomalware 33–34 DAI (Dynamic ARP Inspection) 105
CSA (Cloud Security Alliance) 139, 603, dark web 124–125, 143
884 Darkleech 146–147
CSAF (Common Security Advisory dashboards, SIEM 786–789
Framework) 164 DAST (dynamic application security
CSF (Cybersecurity Framework) 882, 884 testing) 470–471
CSIRT. See incident response (IR) teams data at rest 156, 218
CSOs (chief security officers) 930 data blockers, USB 379–380
CSPs (cloud service providers) 139, 233, data breaches
598, 853–854 data types and asset classification
CSRF (cross-site request forgery) 602 941–942
CSRs (certificate signing requests) 689 fines 940
CTR (Counter) mode 404, 408–409 identity theft 940
Cuckoo 731–732 impact assessment 948
curl command 724–725 information lifecycle 947–948
custodians, data 946 intellectual property theft 940
custody, chain of 789, 844 notifications of 855–856, 941
CVE (Common Vulnerability and personally identifiable information
Exposure) 78, 125, 146, 177, 886 (PII) 943
CVE Numbering Authorities (CNAs) 179 privacy enhancing technologies
CVRF (Common Vulnerability Reporting 944–945
Framework) 164 privacy notices 949
CVSS (Common Vulnerability Scoring protected health information (PHI)
System) 182–186, 886 944
CWE (Common Weakness Enumeration) reputation damage from 940
75, 886 response and recovery controls
CWSS (Common Weakness Scoring 220–221
System) 887

1104 data breaches
security roles and responsibilities security 793

945–947 Session Initiation Protocol (SIP)
terms of agreement 948 800
data classification 904–905 syslog/rsyslog/syslog-ng 800–801
data controllers 946 system 791–792
data custodians/stewards 946 Voice over Internet Protocol (VoIP)
data destruction, secure 386–387 799–800
Data Encryption Standard (DES) 412 web server 794
data exfiltration 907–908 metadata 805–806
data exposure 267 in email 808
data governance 904–905 in files 809
data in transit/motion 156, 218 on mobile devices 808
data in use/processing 156, 218 on web pages 808–809
data input 186 NetFlow 809–810
data labeling 676 protocol analyzers 813
data loss prevention (DLP) 139, 214–215, Security Information and Event
453, 582, 586, 699, 825–826, 871 Management (SIEM)
data masking 216–218, 945 alerts 788
data minimization 944–945 correlation 788–789
data owners 946 dashboards 786–789
data privacy. See privacy breaches sensitivity 788
data privacy officers (DPOs) 905 sensors 787
data processors 946 trends 788
data protection 214–215 sFlow 810–811
data protection officers (DPOs) 947 vulnerability scan output 785–786
data recovery 859 data sovereignty 214–215
data retention policies 775–776, 906 data types 941–942
data sanitization 748–749 databases 461–462
data sources DC (direct current) 380
bandwidth monitors 804 DCOM (Distributed Component Object
Internet Protocol Flow Information Model) 86
Export (IPFIX) 811–813 DCS (distributed control systems) 343
log files 789 DCT (Discrete Cosine Transforms) 417
application 792–793 dd utility 744–745
authentication 789–796 DDoS (distributed denial-of-service)
Call Manager 799–800 attacks 37–38, 54, 111–113, 601
Domain Name System (DNS) dead box forensic collection 858
795–796 dead code 270
dump files 797 Dead Peer Detection (DPD) 501
journalctl 802 deauthentication attacks 101
network 790 decentralized access control 640, 679
NXLog 803–804 decentralized cameras 375

discovery of identity 1105
decentralized trust models 698 development environments 257–260

deception and disruption techniques development lifecycle. See software
fake telemetry 223 development lifecycle (SDLC)
honeyfiles 223 devices, forensic acquisition 850–851
honeypots 221–223 devices, mobile. See mobile solutions
DeepSound 415 DevOps 259, 263–265, 278–279
defense in depth 264 DevSecOps 259, 278–279
defrag command 158 DFIR (Digital Forensics and Incident
defragmentation 158 Response) 744
degaussing 387 DHCP (Dynamic Host Configuration
delegation of access 662 Protocol) 443
DELETE statement 70 snooping 512–513
delivery starvation attack 513
continuous 279 diagrams, configuration 213
malware 43–45 Diamond Model of Intrusion Analysis
demilitarized zones (DMZs) 384, 491 768–770
denial-of-service (DoS) attacks 88, 122, dictionary attacks 45, 749
267, 601, 770 differential backups 326, 328
deny lists 467–468, 578, 583, 822–823 Diffie-Hellman 500–501
Department of Defense (DoD) security dig command 709–710
standards 674 DigiCert 691
deployment, continuous 279 digital forensics. See forensics, digital
deprovisioning, application 260 Digital Millennium Copyright Act 220
DER (Distinguished Encoding Rules) digital rights management (DRM) 67,
697 219–220
dereferencing, pointer 75–76 digital signal processors (DSPs) 359
DES (Data Encryption Standard) 412 Digital Signature Algorithm (DSA) 396,
design constraints, embedded systems 361 412
authentication 363 digital signatures 395–396, 520
compute 361–362 digital video recorders (DVRs)
cost 363 376–377
crypto 362 direct current (DC) 380
implied trust 363 directory services 291–292, 442
inability to patch 362 directory traversal 75–76, 149, 274–275,
network 362 276
power 361 disablement 635, 639
range 363 disassociation attacks 101
destruction and disposal services 387 disaster analysis 924–925
detective controls 869–870, 872 disaster recovery plans (DRPs) 330–331,
deterministic authenticated encryption 772–773, 926, 928–930
with associated data (DAEAD) 404 disclosures, public 940
deterrent controls 869, 870–871, 872 discovery of identity 623–624

1106 discovery tools
discovery tools DKIM (Domain Keys Identified Mail)

definition of 707 110, 426
dig 709–710 DLL (dynamic link library) injection 74,
hping 717 274
ifconfig 710–711 DLP (data loss prevention) 139,
ipconfig 710 214–215, 453, 582, 586, 699,
netcat 720–721 825–826, 871
netstat 718–720 DLT (Distributed Ledger Technology)
nmap 711–714 409
nslookup 709–710 DMARC (Domain-based Message
pathping 716–717 Authentication, Reporting &
ping 714–716 Conformance) 111
ping6 716 DMSSEC (Domain Name System
tracert/traceroute 707–709 Security Extensions) 796
Discrete Cosine Transforms (DCT) 417 DMZs (demilitarized zones) 384, 491
discretionary access control (DAC) DNS (Domain Name System) 442–443
674–676, 679 attacks 54
Disk Cleanup 157 cloud-based 601
Disk Defragmenter 158 DDoS (distributed denial-of-
disks service) 37–38, 54, 111–113, 601
backups 326 DNS amplification attack 112
encryption 473 DNS poisoning 108–110, 223
forensic acquisition of 848 domain hijacking 108
hardening 157–159 domain name kiting 109–110
redundancy domain reputation 110–111
definition of 315–316 prevalence of 107
multipath 319 URL redirection attacks 110
Redundant Array of Inexpensive DNS Security Extensions (DNSSEC)
Disks (RAID) 315–316 108, 426–427
Redundant Array of Inexpensive Disks DNS sinkholes 223
(RAID) 869 logs 795–796
self-encrypting 475–476 OpenDNS 509–510
Distinguished Encoding Rules (DER) dnsenum 728–729, 796
697 DNSSEC (Domain Name System
Distributed Component Object Model Security Extensions) 108, 426–427,
(DCOM) 86 442–443
distributed control systems (DCS) 343 Docker 237–240
distributed denial-of-service (DDoS) docker images command 237
attacks 37–38, 54, 111–113, 601 docker ps command 238
Distributed Ledger Technology (DLT) docker search command 239
409 Document Object Model (DOM)
diversity 278, 331–332 68–69

e-discovery 1107
documentation, forensic DTP (Dynamic Trunking Protocol) 106

admissibility of 843 dual parity, striping with (RAID) 316, 318
chain of custody 844 dual power supplies 321
event logs 845–846 dual supply power 321–322
interviews 846–847 due care 900
legal hold 842 due diligence 900
reports 846 due process 900
tagging of 845–846 dump files 797
timelines and sequence of events dumpster diving 13
844–845 duties, separation of 898, 900
time offset 844 DV (domain validation) certificates 694
timestamps 844 DVRs (digital video recorders) 376–377
video 842–843 dynamic application security testing
DOM (Document Object Model) 68–69 (DAST) 470–471
Domain Keys Identified Mail (DKIM) Dynamic ARP Inspection (DAI) 105
110, 426 dynamic code analysis 269, 470–471
domain name kiting 109–110 Dynamic Host Configuration Protocol.
domain name resolution 442–443 See DHCP (Dynamic Host
Domain Name System. See DNS Configuration Protocol)
(Domain Name System) dynamic link library (DLL) injection 74,
domain reputation 110–111 274
domain validation (DV) certificates 694 dynamic resource allocation 607–608, 611
Domain-based Message Authentication, Dynamic Trunking Protocol (DTP) 106
Reporting & Conformance
(DMARC) 111 E
DoS (denial-of-service) attacks 88, 601, EAP (Extensible Authentication Protocol)
770 553–556, 664–667
DPD (Dead Peer Detection) 501 EAP-FAST 556, 666
DPOs (data privacy officers) 905 EAP-MD5 556, 666
Dragonfly 101, 552 EAP-TLS 556, 666
driver manipulation 89 EAP-TTLS 556, 666
drives. See disks LEAP 666
DRM (digital rights management) 67, PEAP 556, 666
219–220 Easter eggs 39–40
drones 205, 353–354, 382–383 east-west traffic 492
DROP INDEX statement 71 ECB (Electronic Code Book) 404
DROP TABLE statement 71 ECC (elliptic-curve cryptography)
DRPs (disaster recovery plans) 772–773, 399–400
926, 928–930 ECDSA (Elliptic Curve Digital Signature
DSA (Digital Signature Algorithm) 396, Algorithm) 551–552
412 edge computing 234–235
DSPs (digital signal processors) 359 e-discovery 858–859

1108 EDR (endpoint detection and response)
EDR (endpoint detection and response) NarrowBand 358

452–453 subscriber identity module (SIM)
education, user 22–24, 899, 901–902 cards 360
EEA (European Economic Area) 214, 220 Zigbee 360–361
EER (equal error rate). See crossover constraints 361
error rate (CER) authentication 363
eEye Digital Security, Retina Web compute 361–362
Security Scanner 204 cost 363
EFS (Encrypting File System) 694 crypto 362
EIGamal 412 implied trust 363
elasticity 279–280 inability to patch 362
electrical metallic tubing (EMT) 385 network 362
electromagnetic (EM) frequency band power 361
102 range 363
Electronic Code Book (ECB) 404 definition of 339
electronic locks 379 drones 353–354
electronic serial numbers (ESNs) 49, 584 Field-Programmable Gate Array
eliciting information 15–16 (FPGA) 340
Elliptic Curve Digital Signature heating, ventilation, and air
Algorithm (ECDSA) 551–552 conditioning (HVAC) 352–353
elliptic-curve cryptography (ECC) 399– industrial control systems (ICSs)
400 341–343
elliptic-curve techniques 412 Internet of Things (IoT) 38, 98, 113,
EM (electromagnetic) frequency band 344–346, 358, 414
102 medical systems 347
email multifunction printers (MFPs) 354
attack vectors 122 Raspberry Pi 339
certificates 696 real-time operating systems (RTOSs)
email protocol port numbers 441 355
email servers 145 smart meters 350
metadata in 808 supervisory control and data
Spam 13 acquisition (SCADA) 341–343
SPIM (Spam over Internet Messaging) surveillance systems 355–356
13 system on a chip (SoC) 356–357
synchronization 440 vehicles 347–348
Email Security Appliance (ESA) 111 Voice over Internet Protocol (VoIP)
embedded systems 350, 799–800
aircraft 348–350 emergency preparedness logs 383
Arduino 340 EMT (electrical metallic tubing) 385
communication considerations Encapsulating Security Payload (ESP)
5G 357–358 437, 503, 520
baseband radio 359 EnCase 850–851

error handling 1109
Encrypting File System (EFS) 694 configuration management 213,

encryption 159, 362 215–216
cloud computing 605, 610 data masking 216–218
data at rest 218 data protection 214–215
data in transit/motion 218 data sovereignty 214–215
data in use/processing 218 deception and disruption techniques
disk 473 fake telemetry 223
entropy 419 honeyfiles 223
homomorphic 417 honeypots 221–223
international mobile subscriber identity digital rights management (DRM)
(IMSI) 49, 358, 584 219–220
mobile device management (MDM) DNS sinkholes 223
578–580 encryption 218
modes of operation 403–409 hashing 218–219
authenticated 404 response and recovery controls
Cipher Block Chaining (CBC) 405 220–221
Cipher Feedback (CFB) 406 site resiliency 221–222
Counter (CTR) 404, 408–409 enterprise resource planning (ERP) 883
Electronic Code Book (ECB) 404 entropy 419
Output Feedback (OFB) 407 enumerations 886
unauthenticated 404 env command 739
symmetric/asymmetric 411–413 environmental disaster 924
vulnerabilities 150–151 environmental groups 182
end of life (EOL) 904 environmental variables 740
end of service life (EOSL) 904 environments, software development
end users 947 257–260
endpoint detection and response (EDR) known 198
452–453 partially known 199
endpoint DLP systems 214 unknown 198–199
endpoint protection 451 EOL (end of life) 904
endpoint security solutions 822 EOSL (end of service life) 904
approved lists 822 ephemeral keys 403
block/deny lists 467–468, 578, 583, equal error rate. See crossover error rate
822–823 (CER)
quarantine 823–824 eradication phase, incident response (IR)
end-to-end headers (HTTP) 466 764
energy management, SCADA control ERP (enterprise resource planning) 883
systems 342–343 error handling 79–82
engagement, rules of 200 compile-time errors 81–82, 266–267
enterprise environments error-based technique 74
API considerations 216 input handling 80
runtime errors 81–82, 266–267

1110 escalation, privilege
escalation, privilege 67–68, 201, 941 random-access memory (RAM)

escape attacks, VM (virtual machine) 848–849
248–249 regulatory and jurisdictional 855
escrow, key 699 right-to-audit clauses 854
ESNs (electronic serial numbers) 49, 584 snapshot 851–852
ESP (Encapsulating Security Payload) swap/pagefile 849–850
437, 503, 520 admissibility of 843
ethical hacking. See penetration testing chain of custody 844
ETSI (European Telecommunications e-discovery 858–859
Standards Institute) 235 event logs 845–846
EU (European Union) interviews 846–847
European Economic Area (EEA) 214, legal hold 842
220 preservation 858
European Telecommunications provenance 857–858
Standards Institute (ETSI) 235 reports 846
General Data Protection Regulation tagging of 845–846
(GDPR) 42, 214, 220, 356, 434, timelines and sequence of events
453, 760, 855, 878–879, 947 844–845
Information Society Directive 220 time offset 844
EV (extended validation) certificates 694 timestamps 844
event logs 845–846 video 842–843
Event Viewer 791–792 evil twin attacks 98–99
events, sequence of 844–845 exam preparation
time offset 844 final review and study 953–954
timestamps 844 hands-on activities 953
evidence, forensic Pearson Test Prep practice test 954
acquisition 847–854 test lab, building 953
artifacts 853 exam updates 02.0004–02.0026
cache 852 exchanges, key 399
checksums 857 executives, security roles and
data breach notification laws responsibilities 945–947
855–856 exercises
definition of 847 simulations 766–767
device 850–851 tabletop 765–766
disk 848 walkthrough 766
firmware 851 exFAT 850
hashing 856–857 exfiltration 770, 907–908
integrity 856 expiration, certificates 693
network 852–853 explicit allow/deny 528
operating system 850 Exploit code maturity (E) metric 184
order of volatility 848 exploit kits 44
on-premises versus cloud 853–854 Exploitability metrics 183–184

files 1111
exploitation frameworks 747–748, 770 Federal Aviation Administration (FAA)

Extended Detection and Response (XDR) 348–349, 353, 382–383
189 Federal Information Security
extended validation (EV) certificates 694 Management Act (FISMA) 776
Extensible Authentication Protocol. See Federal Risk and Authorization
EAP (Extensible Authentication Management Program
Protocol) (FedRAMP) 599
Extensible Configuration Checklist Federal Trade Commission (FTC) 17,
Description Format (XCCDF) 221
885 federated identity management (FIM)
Extensible Markup Language (XML) 658
injection 74–75, 273–274 federation 292–293, 623–624, 658, 672
external actors 122 FedRAMP (Federal Risk and
external risk 917. See also risk Authorization Management
management Program) 599
extinguishers, fire 381 fencing 380–381
extranets 492–493, 899 FFmpeg 416
FIDO (Fast Identity Online) 297
F Field-Programmable Gate Array (FPGA)
f8-mode (SRTP) 430 340
FAA (Federal Aviation Administration) file and code repositories 127
348–349, 353, 382–383 file integrity monitors 542
facility automation 345 file manipulation 732–733
facility codes 373 cat command 734–735
fail-closed 927 chmod command 736–737
fail-open 927 grep command 735–736
failure, single point of 156, 926 head command 733
failure in time (FIT) 926 logger command 737–738
fake telemetry 223 tail command 734
false acceptance rate (FAR) 303, 626 file servers 144
false negatives 181, 519, 520 file transfer 440
false positives 181, 518, 520 File Transfer Protocol. See FTP (File
false rejection rate (FRR) 303, 626 Transfer Protocol)
Faraday cages 383, 562–563 fileless viruses 37
FAST (Flexible Authentication via Secure files
Tunneling) 556 log 789
Fast Identity Online (FIDO) 297 application 792–793
FAT 850 authentication 789–796
FDE (full-disk encryption) 473, 475–476 Call Manager 799–800
fdisk -l command 157 Domain Name System (DNS)
FEAT command 433 795–796
dump files 797

1112 files
journalctl 802 rules 528, 825

network 790 unified threat management (UTM) 524
NXLog 803–804 virtual 534–535
security 793 web application 531
Session Initiation Protocol (SIP) wireless security 562
800 firmware
syslog/rsyslog/syslog-ng 800–801 firmware over-the-air (OTA) updates
system 791–792 583
Voice over Internet Protocol (VoIP) forensic acquisition of 851
799–800 FIRST (Forum of Incident Response and
web server 794 Security Teams) 180
metadata in 809 FISMA (Federal Information Security
filtering Management Act) 776
content/URL 533, 828–829 FIT (failure in time) 926
MAC (media access control) 513 flash drives, malicious 47–48
packet 528 Flexible Authentication via Secure
financial information. See personally Tunneling (FAST) 556
identifiable information (PII) flood, disaster analysis for 925
Financial Services Information Sharing flooding, MAC (media access control) 106
and Analysis Center (FS-ISAC) FM200 381
124 fog computing 234–235
fines 940 footprinting 205
fingerprint authentication 300–301 Forcepoint 533
fire Forefront Identity Manager 658
disaster analysis for 924–925 Foremost 415
suppression 381 Forensic Toolkit (FTK) 747, 850–851
firewalls 146, 198 forensics, digital
appliance 534 acquisition
application-level gateway (ALG) 529 artifacts 853
in cloud 613–614, 615 cache 852
configuration 529–533 checksums 857
content URL/filtering 533 data breach notification laws
hardware versus software 534 855–856
host-based 457–458, 534 definition of 847
multihomed connections 532 device 850–851
NAT gateway 529 disk 848
network-based application layer 530 firmware 851
next-generation firewall (NGFW) hashing 856–857
453–454, 524 integrity 856
packet filtering 528 network 852–853
personal 534 operating system 850
purpose of 526–528 order of volatility 848

general-purpose I/O GPIO framework extension (GpioClx) 1113
on-premises versus cloud 853–854 frameworks

random-access memory (RAM) exploitation 747–748
848–849 IT security 881–884
regulatory and jurisdictional 855 FreeBSD 676
right-to-audit clauses 854 frequency distributions 159
snapshot 851–852 FRR (false rejection rate) 303, 626
swap/pagefile 849–850 fsck command 158
data recovery 859 FTC (Federal Trade Commission) 17,
definition of 744, 837 221
Digital Forensics and Incident FTK (Forensic Toolkit) 747, 850–851
Response (DFIR) 744 FTP (File Transfer Protocol)
documentation/evidence FTP servers 147–148
admissibility of 843 FTPS (File Transfer Protocol, Secure)
chain of custody 844 432–433
event logs 846 SFTP (Secure File Transfer Protocol)
interviews 846–847 434
legal hold 842 full backups 326, 328–331
reports 846 full tunnel mode, SSL/TLS VPN 508
tagging of 845–846 full-disk encryption (FDE) 473, 475–476
timelines and sequence of events functions, hash 218–219
844–845 fuzz testing 80, 269–270, 471
video 842–843 fuzzers 269–270
e-discovery 858–859
nonrepudiation 859–860 G
preservation 858 gait analysis 302
provenance 857–858 Galois Message Authentication Code
strategic intelligence/ (GMAC), AES in 498
counterintelligence 860 Galois/Counter Mode (GCM) 498,
tools 551–552
Autopsy 747 gamification 902
dd 744–745 gapping 384
FTK Imager 747 gateways
memdump 745 application-level 529
WinHex 746 NAT 529
forgeries, request 85–86 transit 246–247
formats, certificate 697 GCM (Galois/Counter Mode) 498,
Forum of Incident Response and Security 551–552
Teams (FIRST) 180 GDPR (General Data Protection
forward proxy 516 Regulation) 42, 214, 220, 356, 434,
forward secrecy 400–401 453, 760, 855, 878–879, 947
FPGA (Field-Programmable Gate general-purpose I/O GPIO framework
Array) 340 extension (GpioClx) 477

1114 generators
generators 321 groups

generic accounts 629 base 182
Generic Routing Encapsulation (GRE) environmental 182
520 security 607, 611
geofencing 572–573, 578–580 temporal 182
geographic dispersal 315 Grover’s algorithm 402
geolocation 578–580, 639 guards 377
geotagging 572–573, 584, 586, 639 guest accounts 629
GitHub repositories 8, 18, 127, Guidelines for Evidence Collection and
203, 258 Archiving 848
GitLab 127, 258
Global Positioning System (GPS) H
572, 584 HA (high availability) 329–330
Global Regular Expression Print (grep ) across zones 603, 609
735–736 cloud computing 605, 610
GMAC (Galois Message Authentication HackerOne 203
Code), AES in 498 hackers 121. See also penetration testing
Gnutella 530 hacktivists 120, 122
Golden SAML attacks 293 hands-on activities 953
Google hard disks
Cloud 233, 603, 853 backups 326
Google Pay 584 encryption 473
Kubernetes 239–240 forensic acquisition of 848
OAuth 2.0 292 hardening 157–159
Secret Manager 604 redundancy
governance, risk, and compliance (GRC) definition of 315–316
880, 904–905 multipath 319
GpioGlx (general-purpose I/O GPIO Redundant Array of Inexpensive
framework extension) 477 Disks (RAID) 315–316
GPOs (group policy objects) 474 self-encrypting 475–476
GPS (Global Positioning System) 572, hardening
584 applications 471
Gramm-Leach-Bliley (GLB) Act 880 hard disks 157–159
GraphQL 86 operating systems 473–474
gray hat hackers 121 hardware root of trust 476–477
gray-box testing 80 hardware security modules (HSMs) 478,
GRC (governance, risk, and compliance) 524, 587, 656
880, 904–905 Hardware Shield 851
GRE (Generic Routing Encapsulation) hashcat 749
520 HashCorp Nomad 240
grep command 735–736 Hashed Message Authentication Mode
group policy objects (GPOs) 474 (HMAC) 295–296, 551–552

host security 1115
hashing 218–219, 463, 856–857 TCP/IP 84

avalanche effect 463 URL 44
collisions 463 hijacking, domain 108
definition of 398–399 HIPAA (Health Insurance Portability and
Digital Signature Algorithm (DSA) 396 Accountability Act) 453, 880, 940,
Elliptic Curve Digital Signature 944
Algorithm (ECDSA) 551–552 HIPSs (host intrusion prevention
Hashed Message Authentication Mode systems) 454–455, 523
(HMAC) 295–296 Hitachi 476
Message Digest Algorithm 5 (MD5) HMAC (Hashed Message Authentication
55, 219 Mode) 295–296, 551–552
padding 463 HMAC-based one-time password
pass the hash 89–90 (HOTP) 295–296
salting 47, 82 HMI (human-machine interface) 341
Secure Hash Algorithm (SHA) 55, 463, hoaxes 19
551–552 holds, legal 842
SHA-256 463 HOME environment variable 740
HAVA (Help America Vote Act) 880 homomorphic encryption 417
head command 733 homomorphic steganography 417
headers, HTTP (Hypertext Transfer honeyfiles 223
Protocol) 465–466 honeypots 221–223
Health Insurance Portability and hop-by-hop headers (HTTP) 466
Accountability Act (HIPAA) 453, horizontal privilege escalation 67–68
880, 940, 944 host command 716
heat maps 559 host intrusion detection systems (HIDS)
heating, ventilation, and air conditioning 215, 456, 578, 586
(HVAC) 352–353 host intrusion prevention systems
Help America Vote Act (HAVA) 880 (HIPSs) 454–455, 523
heuristic-based analysis 521 host security. See also application security
heuristic-based intrusion antimalware 452
detection 521 antivirus software 451
HID Global 629 boot integrity
HIDSs (host intrusion detection systems) boot attestation 460–461
215, 456, 578, 586 definition of 458–459
high availability (HA) 329–330 measured boot 459–460
across zones 603, 609 Unified Extensible Firmware
cloud computing 605, 610 Interface (UEFI) 459
hijacking data loss prevention (DLP) 453
BGP 535–536 databases 461–462
blind 84 endpoint 451, 452–453
cookie 465 hashing 463
session 54, 83, 465, 601

1116 host security
host intrusion detection systems IaC (infrastructure as code) 241–243, 260

(HIDS) 215, 456, 578, 586 IACS 342
host intrusion prevention systems IACS (industrial automation and control
(HIPSs) 454–455, 523 systems) 342, 343
host-based firewalls 457–458 IAM (identity and access management)
next-generation firewall (NGFW) 633
453–454 identity and access lifecycle 633–635
salting 462–463 account audits 635
Host-based IPSs (HIPSs) 523 disablement 635
hot aisles 386 privileges provisioning 635
hot sites 221 registration and identity validation
hotfixes and patches 160–164, 179–180, 633–635
362, 474–475 policy 605
HOTP (HMAC-based one-time IBM
password) 295–296 AppScan 204
hotspots 585 Data Encryption Standard (DES) 412
hping command 717 QRadar 526
Hping.org 717 IC (integrated circuit) cards 373
HSMs (hardware security modules) 478, ICCIDs (unique serial numbers) 360
524, 587, 656 ICS-CERT (Industrial Control Systems
HTTP (Hypertext Transfer Protocol) Cyber Emergency Response
465–466, 577 Team) 362
HTML5 505–508 ICSs (industrial control systems) 353–354
HTTPS 82, 268, 436–437, 577 identification phase, incident response
human resources (HR) personnel 901 (IR) 763
human-machine interface (HMI) 341 identity. See also authentication;
HUMINT (human intelligence) 18 certificates; passwords
HVAC (heating, ventilation, and air discovery of 623–624
conditioning) 352–353 federation 623
hybrid attacks 749 identity and access management (IAM)
hybrid cloud 140, 233 633–635
hyper-jacking 248 identity and access lifecycle 633–635
Hypertext Transfer Protocol. See HTTP policy 605
(Hypertext Transfer Protocol) identity fraud 17, 638
hypervisors 325 baiting 19
attacks 601 credential harvesting 18
hypervisor-based keyloggers 42 hoaxes 19
identity theft 940
I impersonation/pretexting 19
IA (information assurance). See risk invoice scams 17
management reconnaissance 18
IaaS (infrastructure as a service) 139, 231, typo squatting 20, 44
603, 853 watering hole attacks 20, 85

influence campaigns 1117
identity providers (IdPs) 292, 623–624, communication plans 771–772

661 continuity of operations plans
Secure Shell (SSH) keys 628 (COOPs) 774–775, 929
smart cards 629 cyber kill chain 770–771
tokens 627–628 data retention policies 775–776
Identity Services Engine (ISE) 590 definition of 760–761
IdPs (identity providers) 292, 623–624, Diamond Model of Intrusion Analysis
661 768–770
IDSs (intrusion detection systems). See disaster recovery plans (DRPs)
HIDSs (host intrusion detection 772–773
systems); network intrusion exercises
detection systems (NIDSs) simulations 766–767
IEEE 802.1X standard 510, 553–556, tabletop 765–766
562, 664–667, 673 walkthrough 766
IETF (Internet Engineering Task Force) incident response teams 175, 760,
IPFIX (Internet Protocol Flow 775–776
Information Export) 187 MITRE ATT&CK framework 18,
RFC (request for comments) 128 128–129, 176, 205, 223, 767–768
ifconfig command 710–711 process and lifecycle
IIS (Internet Information Services) 146, containment 763–764
697, 794 eradication 764
IKE (Internet Key Exchange) identification 763
IKEv1 Phase 1 negotiation 498–501 lessons learned 764–765
IKEv1 Phase 2 negotiation 501–503 overview of 761–762
IKEv2 504–505 preparation 762–763
image backups 326 recovery 764
image steganography 416–417 stakeholder management 771–772
IMAP (Internet Message Access Protocol) incident response (IR) teams 175, 760,
438–439 775–776
IMEI (international mobile equipment incremental backups 326, 328
identity) 49, 584 indicators of compromise (IoCs) 123,
immutability 263 762, 832, 853
impact assessment 184, 920, 921, 948 industrial automation and control systems
impersonation 19 (IACS) 342, 343
implicit deny 528, 680 industrial camouflage 377
impossible travel time 639 Industrial Control Systems Cyber
IMSI (international mobile subscriber Emergency Response Team
identity) encryption 358, 584 (ICS-CERT) 362
in-band SQL injection 73 industrial control systems (ICSs)
incident response (IR) plans 341–343, 353–354
business continuity plans (BCPs) Industry 4.0 342
773–774, 929 influence campaigns 21

1118 information assurance (IA)
information assurance (IA). See risk integrity 289

management boot
information lifecycle 947–948 boot attestation 460–461
Information Sharing and Analysis Centers definition of 458–459
(ISACs) 123–125 measured boot 459–460
Information Society Directive 220 Unified Extensible Firmware
information systems security officers Interface (UEFI) 459
(ISSOs) 930, 947 forensic acquisition 856
Information Technology Infrastructure integrity control 378
Library (ITIL) 882 measurement of 184, 261, 887
information technology operations 263 Intel Hardware Shield 851
InfraGard 128 intellectual property theft 917, 940
infrastructure as a service (IaaS) 139, 231, intelligence
603, 853 automated indicator sharing (AIS) 125
infrastructure as code (IaC) 241–243, 260 Information Sharing and Analysis
inherent risk 921 Centers (ISACs) 123–125
inheritance, of permissions 644–646 intelligence fusion 177
Initial Contact 501 MITRE ATT&CK framework 18,
initialization vectors (IVs) 103, 403 128–129, 176, 205, 223, 767–768
injection 70 research sources 127–128
code 149, 273–274, 276 strategic 860
DLL (dynamic link library) 74 Structured Threat Information
LDAP (Lightweight Directory Access eXpression (STIX) 125–127
Protocol) 74, 144 Trusted Automated eXchange of
SQL (Structured Query Language) 54, Indicator Information (TAXII)
70–74, 273–274, 464 125–127
XML (Extensible Markup Language) vulnerability databases 125
74–75 interconnection security agreements
inline prevention detection systems (IPSs) (ISAs) 903
523–524 intermediate certificate authorities 696
input handling 79–82 internal actors 122
input validation 80, 81, 267–268, 464 internal information 905
INSERT INTO statement 70 internal risk 917. See also risk
inspection, API 607, 610 management
instance awareness 608, 611 international mobile equipment identity
insurance, cybersecurity 918 (IMEI) 49, 584
integer overflows 77, 271 international mobile subscriber identity
integrated circuit (IC) cards 373 (IMSI) 49, 358, 584
integration International Organization for
API 607, 610 Standardization (ISO) 881, 884,
cloud computing 604, 609 893
continuous 279 Internet Engineering Task Force (IETF)

IP (Internet Protocol) 1119
IPFIX (Internet Protocol Flow Domain Name System (DNS)

Information Export) 187 795–796
RFC (request for comments) 128 dump files 797
Internet Information Services (IIS) 146, journalctl 802
697, 794 network 790
Internet Key Exchange. See IKE (Internet NXLog 803–804
Key Exchange) security 793
Internet Message Access Protocol (IMAP) Session Initiation Protocol (SIP)
438–439 800
Internet of Things (IoT) 38, 98, 113, syslog/rsyslog/syslog-ng 800–801
344–346, 358, 414 system 791–792
Internet Protocol. See IP (Internet Voice over Internet Protocol (VoIP)
Protocol) 799–800
Internet Protocol Flow Information web server 794
Export (IPFIX) 187, 524, 811–813 metadata
Internet Security Association and Key in email 808
Management Protocol (ISAKMP) in files 809
497 on mobile devices 808
Internet service providers (ISPs) 808 types of 805–806
interviews, forensic 846–847 on web pages 808–809
Intigriti 203 NetFlow 809–810
intranets 492–493 protocol analyzers 813
intrusion detection systems. See host Security Information and Event
intrusion detection systems Management (SIEM)
(HIDS) alerts 788
intrusion detection systems (IDSs). correlation 788–789
See network intrusion detection dashboards 786–789
systems (NIDSs) sensitivity 788
intrusion phase, cyber kill chain 770 sensors 787
intrusion prevention systems. See host trends 788
intrusion prevention systems sFlow 810–811
(HIPSs) vulnerability scan output 785–786
intrusive scans 182 invoice scams 17
Investigate 509–510 IoCs (indicators of compromise) 123,
investigations, data sources for 762, 832, 853
bandwidth monitors 804 IoT (Internet of Things) 38, 98, 113,
Internet Protocol Flow Information 344–346, 358, 414
Export (IPFIX) 811–813 IP (Internet Protocol). See also IPsec
log files 789 addresses
application 792–793 IPv4 443–444
authentication 789–796 IPv6 536–537
Call Manager 799–800 virtual 488

1120 IP (Internet Protocol)
configuration management 213 ISAs (interconnection security

IP proxy 514 agreements) 903
IP scanners ISE (Identity Services Engine) 590
arp command 721–722 ISO (International Organization for
Cuckoo 731–732 Standardization) 881, 884, 893
curl command 724–725 isolation 491, 562, 830
definition of 721 ISPs (internet service providers) 808
dnsenum 728–729 ISSOs (information systems security
Nessus 730–731 officers) 930, 947
route command 723–724 issuers, certificate 692
scanless 727–728 IT contingency planning (ITCP) 929
sn1per 726–727 IT security frameworks 881–884
theHarvester 725–726 ITIL (Information Technology
IP-Box 850–851 Infrastructure Library) 882
ipconfig command 710 ITU-T X.690 encoding formats 697
IPFIX (Internet Protocol Flow IVs (initialization vectors) 103, 403
Information Export) 187, 524,
811–813 J
IPsec 247, 437–438, 497. See also IKE jamming 102, 561–562
(Internet Key Exchange) Japan’s Personal Information Protection
attributes 501–502 Act (JPIPA) 220
Authentication Header (AH) 437 JavaScript Object Notation (JSON)
Encapsulating Security Payload (ESP) injection 273–274
437, 503 JavaScript-based keyloggers 43
IKEv1 Phase 1 negotiation 498–501 job rotation 898, 900
IKEv1 Phase 2 negotiation 501–503 John the Ripper 44, 749
IKEv2 504–505 journalctl 802
modes 438, 503 jump servers 514
passthrough 501 jurisdictional forensic intervention 855
IPSs (intrusion prevention systems). See
HIPSs (host intrusion prevention K
systems); network intrusion Kali forensics 850
detection systems (NIDSs) Kali Linux 415, 953
IR. See incident response (IR) plans Katacoda 239
iris recognition 301 KBA (knowledge-based authentication)
ISACA COBIT framework 882 625, 656–657
ISACs (Information Sharing and Analysis KDC (key distribution center) 668
Centers) 123–125 KE (Key Exchange) 500
ISAKMP (Internet Security Association Kerberoasting TGS 292
and Key Management Protocol) Kerberos 82–83, 89, 292, 553, 668–670,
497 673

lifecycle 1121
kernel-based keyloggers 42 laws 879–880

Key Exchange (KE) 500 Layer 2 attacks
.key file extension 697 ARP cache poisoning 105
key recovery agents 699 MAC cloning attacks 106
key signing keys (KSKs) 427 MAC flooding attacks 106
keyloggers 42–43, 108, 113 security best practices 106–107
keys 688 Layer 2 Forwarding Protocol (L2F) 508
ephemeral 403 Layer 2 security 512
escrow 699 Bridge Protocol Data Unit (BPDU)
generation algorithms for 395 guard 512
key distribution center (KDC) 668 DHCP snooping 512–513
key exchanges 399 loop protection 512
key signing keys (KSKs) 427 MAC filtering 513
length of 396 Layer 2 Tunneling Protocol (L2TP) 494,
mobile device management (MDM) 505–508
577–578 LCP (Link Control Protocol) 44
password 655 LDAP (Lightweight Directory Access
personal unblocking keys (PUKs) 360 Protocol)
Public Key Cryptography Standards injection attacks 144, 273–274, 291,
(PKCS) 412 442, 667–670
public/private 436–437 Lightweight Directory Access Protocol
Secure Shell (SSH) 625, 628 over SSL (LDAPS) 432
stretching 397 LDAPS (Lightweight Directory Access
zone signing keys (ZSKs) 427 Protocol over SSL) 432
kiting, domain name 109–110 leaks, memory 78, 88
knowledge-based authentication (KBA) LEAP (Lightweight EAP) 666
625, 656–657 least functionality 152
known environment/white box testing least privilege 264, 630, 681, 908
198, 468–469 least significant bit (LSB) steganography
KSKs (key signing keys) 427 416–417
Kubernetes 239–240, 279–280 least-trusted zones 825
ledgers, public 409–410
L legacy platforms 165
L0phtCrack 47 legal hold 842
L2F (Layer 2 Forwarding Protocol) 508 lessons learned phase, incident response
L2TP (Layer 2 Tunneling Protocol) 494, (IR) 764–765
505–508 libraries, third-party 265
LANG environment variable 740 licensing 918
last known good configuration (LKGC) lifecycle
329 identity and access 633–635
lateral movement 201, 770 account audits 635
lateral traffic 492 disablement 635

1122 lifecycle
privileges provisioning 635 locality attribute (certificates) 692

registration and identity validation Lockheed Martin 770
633–635 locks and lockout programs 378–379,
incident response (IR) 579, 639
containment 763–764 log collectors 186
eradication 764 log files 789
identification 763 aggregation 186
lessons learned 764–765 analytics 383
overview of 761–762 application 792–793
preparation 762–763 audit 869–870
recovery 764 authentication 789–796
information 947–948 Call Manager 799–800
penetration testing 199–202 collection of 186
lighting, security 380 correlation of 186
lightweight cryptography 414–415 Domain Name System (DNS) 795–796
Lightweight Cryptography Project 415 dump files 797
Lightweight Directory Access Protocol. emergency preparedness 383
See LDAP (Lightweight Directory event 845–846
Access Protocol) journalctl 802
Lightweight Directory Access Protocol network 790, 852–853
over SSL (LDAPS) 432 normalization of 186
Lightweight EAP (LEAP) 666 NXLog 803–804
Link Control Protocol (LCP) 44 review 182
Linux risk 920
Kali Linux 415 security 383, 793
Linux Kernel 236 Session Initiation Protocol (SIP) 800
System Monitor 542 syslog/rsyslog/syslog-ng 800–801
lists system 791–792
allow 467, 578, 583, 822 visitor 383
block/deny 467–468, 822–823 Voice over Internet Protocol (VoIP)
certificate revocation 829 799–800
live boot media 329 web server 794
live box forensics 858 logger command 737–738
load balancers 319–320 logic bombs 39–40
load balancing logistics, SCADA control systems 343
active/active 488 loop protection 512
active/passive 488 LS_COLORS environment variable 740
definition of 488 LsaLogonUser 90
scheduling 488 LSASS (Local Security Authority
Virtual IP address 488 Subsystem Service) 47–48
Local Security Authority Subsystem LSB (least significant bit) steganography
Service (LSASS) 47–48 416–417

MDM (mobile device management) 1123
M Trojans 35, 104, 113

MaaS (monitoring as a service) 139, 232 worms 36–37
MAC (mandatory access control) 588, MAM (mobile application management)
676, 679, 905 585–587
MAC (media access control) 511 managed detection and response (MDR)
addresses 511 234
cloning attacks 106 managed power distribution units
filtering 513 (PDUs) 322–323
flooding attacks 106 managed security service providers
spoofing 101 (MSSPs) 233–234
MACB (Modified, Accessed, Changed, managed service providers (MSPs)
and Birth) times 844 233–234
machine certificates 696 management
machine learning. See AI/ML (artificial managerial controls 868
intelligence and machine learning) roles and responsibilities 945–947
macOS Activity Monitor 542 Management Information Bases
macros 113 (MIBs) 436
MACs (message authentication codes) mandatory access control. See MAC
399, 410 (mandatory access control)
MAIL environment variable 740 mandatory vacation policies 900
malicious software. See malware man-in-the-middle (MITM) attacks.
Maltego 203 See on-path (man-in-the-middle)
malware 113 attacks
antimalware 452 manipulating files. See file manipulation
backdoors 42–43 manual code review 470
bots and botnets 37–38, 111–112 manufacturing, SCADA control systems
cryptomalware 33–34 342
definition of 33 mapping
delivery mechanisms 43–45 many-to-one 690
fileless viruses 37 one-to-one 690
keyloggers 42–43 masking, data 945
logic bombs 39–40 Mavituna Security Netsparker 204
malvertising 40 maximum transmission unit (MTU)
mobile device security countermeasures discovery 717
580 MBR (master boot record) 35–36, 851
permanent damage from 45 MD5 algorithm 55, 219
potentially unwanted programs (PUPs) MDM (mobile device management) 152,
40–42 574–576, 825–826, 908
ransomware 33–34, 111–112 application and content management
spyware 40–42 576–578
time bombs 39

1124 MDM (mobile device management)
bring-your-own-device (BYOD) 215, static random-access memory (SRAM)

572, 574–576, 581, 588–590, 826, 340
898 virtual 850
choose-your-own-device (CYOD) vulnerabilities 77–78, 149, 271–272,
588–590 275
corporate-owned, personally enabled memory-injection-based keyloggers 43
(COPE) 572, 588–590 Men & Mice Logeater 796
enforcement and monitoring 581–585 Mentor Nucleus RTOS 347
metadata 808 message authentication codes (MACs)
mobile application management 399, 410
(MAM) 585–587 Message Digest Algorithm 5 (MD5) 55,
SEAndroid 588 219
security concerns and countermeasures metadata
578–581 in email 808
unified endpoint management (UEM) in files 809
587–588 on mobile devices 808
virtual desktop infrastructure (VDI) types of 805–806
589 on web pages 808–809
MDR (managed detection and response) Meterpreter scripts 90
234 MFA (multifactor authentication)
mean time between failures (MTBF) 926 304–306, 579, 656–657
mean time to failure (MTTF) 926 MFPs (multifunction printers) 354
mean time to repair (MTTR) 926 MicroSD hardware security modules
measured boot 459–460 (HSMs) 587
Measurement System Analysis (MSA) 904 microsegmentation 240–241, 489–490
MEC (multi-access edge computing) 235 microservices 236–240
media access control. See MAC (media Microsoft
access control) Active Directory (AD) 291–292
medical systems 347 Azure 232–233, 603, 853
MEIDs (mobile equipment identifiers) Cluster Server 488
49, 584 Defender Antivirus 823–824
memdump 745 Disk Defragmenter 158
memorandum of understanding (MOU) Exchange 145
903 Forefront Identity Manager 658
memory management 265. See also buffer Internet Information Services (IIS) 146
overflows MS-CHAP 670–671
ARP cache poisoning 105 security advisories and bulletins 179
content addressable 106 Security Bulletins 146
leaks 78, 88, 271 SQL Server 273
random-access memory (RAM) Visual Basic for Applications (VBA)
849–850 113
runtime 477 Web Application Proxy 516

Modified, Accessed, Changed, and Birth (MACB) times 1125
Windows Defender Firewall 457 mobile solutions

Windows Server 144 Common Vulnerabilities and
Mimikatz 90 Exposures (CVEs) 571
minimal privilege 681 connection methods and receivers 570
minimization, data 944–945 Bluetooth 570–571
mirroring 316, 318, 537–538 cellular 572–573
mission-essential functions 929 Global Positioning System (GPS)
mitigation 919, 921. See also segmentation 572, 584
configuration changes 824 near-field communication (NFC)
certificates, updating/revoking 570–571
829–830 radio frequency identification
content filter/URL filter 828–829 (RFID) 571–572
data loss prevention (DLP) 828 satellite communications
firewall rules 825 (SATCOM) 573
mobile device management (MDM) secure implementation best
825–826 practices 573–574
containment 763–764, 830–831 mobile application management
endpoint security solutions 822 (MAM) 585–587
application approved lists 822 mobile device management (MDM)
application block list/deny list 215, 574–576
822–823 application and content
approved lists 822 management 576–578
block/deny lists 467–468, 578, 583, bring-your-own-device (BYOD)
822–823 572, 574–576, 581, 588–590, 826,
quarantine 823–824 898
isolation 830 choose-your-own-device (CYOD)
Security Orchestration, Automation, 588–590
and Response (SOAR) 188–189, corporate-owned, personally
832 enabled (COPE) 572, 588–590
playbooks 834 enforcement and monitoring
runbooks 833 581–585
MITRE Corporation 18, 458 mobile application management
ATT&CK framework 18, 128–129, (MAM) 585–587
176, 205, 223, 767–768 SEAndroid 588
Common Vulnerabilities and security concerns and
Exposures (CVE) 125, 146, 177 countermeasures 578–581
Common Weakness Enumeration 75 unified endpoint management
PRE-ATT&CK framework 18 (UEM) 587–588
MMS (Multimedia Messaging Service) virtual desktop infrastructure (VDI)
583, 585 589
mobile equipment identifiers (MEIDs) Modified, Accessed, Changed, and Birth
49, 584 (MACB) times 844

1126 Modified Base Metrics
Modified Base Metrics 185 Mutiny Fuzzing Framework 269

moisture detection systems 382 mutual authentication 668–670
monitoring 537–538 MySQL 273
bandwidth 804
continuous 139, 278 N
file integrity monitors 542 NAC (network access control) 510–511,
mobile device management (MDM) 871. See also 802.1X standard
581–585 name resolution 442–443
monitoring as a service (MaaS) 139, naming conventions 213
232 NarrowBand 358
performance baselining 539–542 NarrowBand-Internet of Things
motion detection 382, 869–870 (NB-IoT) 358
motion recognition 376 NAS (network-attached storage) 326, 375
MOU (memorandum of understanding) NAT (network address translation)
903 443–444, 501, 529, 562
moves, MAC 511 Nation State attacks 346
MSA (Measurement System Analysis) 904 National Cyber Awareness System
MS-CHAP 670–671 (NCAS) 576
MSPs (managed service providers) 233– National Institute of Standards and
234 Technology (NIST) 884
MSSPs (managed security service cloud computing defined by 139
providers) 233–234 Cybersecurity Framework (CSF) 884
MTBF (mean time between failures) 926 Digital Signature Algorithm (DSA) 396
MTTF (mean time to failure) 926 firewall guidelines 825
MTTR (mean time to repair) 926 isolation guidelines 830
MTU (maximum transmission unit) mobile device security guidelines 826
discovery 717 National Vulnerability Database
multi-access edge computing (MEC) 235 (NVD) 125, 177, 199
multicast addresses 537 NIST Cybersecurity Framework (CSF)
multifactor authentication (MFA) 882
304–306, 579, 656–657 Protecting Controlled Unclassified
multifunction printers (MFPs) 354 Information 828
multihomed connections 532 Risk Management Framework (RMF)
Multimedia Messaging Service (MMS) 884
583, 585 National Security Agency (NSA) 55, 498
Multi-Party Coordination and Disclosure National Vulnerability Database (NVD)
special interest group 180 125, 177, 199
multiparty risks 918 NAT-T (NAT Traversal) 501
multipath I/O 319 NB-IoT (NarrowBand-Internet of
multitenancy 601 Things) 358
Multi-User Multiple Input (MU-MIMO) NCAS (National Cyber Awareness
560–561 System) 576

network design, secure 1127
nCircle WebApp360 204 delivery mechanisms 43–45

NDA (nondisclosure agreement) 901 fileless viruses 37
near-field communication (NFC) 50, 100, keyloggers 42–43
102–103, 570–571 logic bombs 39–40
negatives, false 181, 519, 520 permanent damage from 45
Nessus 204, 730–731 potentially unwanted programs
net time command 669 (PUPs) 40–42
netcat command 720–721 ransomware 33–34, 111–112
NetFlow 187, 525, 809–810 spyware 40–42
netstat command 668, 718–720 time bombs 39
NetStumbler 99 Trojans 35–36, 104, 113
network access control (NAC) 510–511, worms 36–37
871. See also 802.1X standard on-path attacks 54, 84–85, 103, 602
network ACLs (access control lists) 535 password attacks
network address translation (NAT) 443– brute-force 45
444, 501, 529, 562 dictionary-based 45
network and port scanners 182 password cracking 46
network attached storage (NAS) 375 password spraying 45
network attacks. See also network design, plaintext/unencrypted 47–48
secure rainbow tables 47
DDoS (distributed denial-of-service) replay attacks 82–85
113 script execution 113
DNS (Domain Name System) wireless 98
DDoS (distributed denial-of- bluejacking 100
service) 37–38, 54, 111–113, 601 bluesnarfing 99–100
DNS amplification attack 112 disassociation and deauthentication
DNS poisoning 108–110 101
domain hijacking 108 evil twin 98–99
domain name kiting 109–110 initialization vector (IV) 103
domain reputation 110–111 jamming 102, 561–562
prevalence of 107 near-field communication (NFC)
URL redirection attacks 110 102–103
Layer 2 radio frequency identification
ARP cache poisoning 105 (RFID) 49, 102
MAC cloning attacks 106 rogue access points 99
MAC flooding attacks 106 network controllers 144
security best practices 106–107 network design, secure. See also firewalls;
malware 113 network attacks; network
backdoors 42–43 reconnaissance; network resilience
bots and botnets 37–38, 111–112 access control lists (ACLs) 535, 643,
cryptomalware 33–34 831
definition of 33 broadcast storm prevention 512

1128 network design, secure
Bridge Protocol Data Unit (BPDU) out-of-band management 510–511

guard 512 port security 511, 537–538
DHCP snooping 512–513 route security 535–536
loop protection 512 IPv6 536–537
MAC filtering 513 port spanning/port mirroring
DLP (data loss prevention) systems 215 537–538
Domain Name System (DNS) 509–510 quality of service (QoS) 536
load balancing virtual private networks (VPNs) 507,
active/active 488 606
active/passive 488 always-on VPN functionality 495
definition of 488 clientless versus client-based 497
scheduling 488 concentrators 495
Virtual IP address 488 definition of 494
monitoring services 538–539 description of 494–496
file integrity monitors 542 example of 494–495
performance baselining 539–542 HTML5 508
network access control (NAC) 510–511 IKEv1 Phase 1 negotiation 498–501
network appliances 513–514 IKEv1 Phase 2 negotiation 501–503
aggregators 526 IKEv2 504–505
hardware security modules (HSMs) IPsec 497
524 Layer 2 Tunneling Protocol (L2TP)
jump servers 514 508
network intrusion detection systems remote-access 496–497
(NIDSs) 215, 223, 517–524, 870. site-to-site 495, 496–497
See also network reconnaissance split tunneling 495–496
network intrusion prevention SSL (Secure Sockets Layer) 505–
systems (NIPSs) 99, 519, 869 508
network-based intrusion prevention network forensic analysis tools (NFATs)
system (NIPS) 518–524 852–853
proxy servers 514–516 network interface card (NIC) teaming
sensors 524–525 320
network segmentation network intrusion detection systems
application-based 489–490 (NIDSs) 99, 215, 223, 517–
east-west traffic 492 518, 870. See also network
example of 489 reconnaissance
extranets 492–493 advantages/disadvantages 519–520
intranets 492–493 anomaly-based analysis 521–523
microsegmentation 489–490 definition of 519–520
screened subnets 491 heuristic-based analysis 521
virtual local-area networks (VLANs) inline versus passive 523–524
490–491 promiscuous mode 517
zero trust 494 signature-based 519–520

Nomad 1129
stateful pattern-matching recognition NFATs (network forensic analysis tools)

521 852–853
network intrusion prevention systems NFC (near-field communication) 50,
(NIPSs) 99, 519, 869 570–571
network logs 790 NFC (near-field communication) attacks
Network Policy Server (NPS) 495 102–103
network reconnaissance 18, 770 NGFW (next-generation firewall)
active 204–205 453–454, 524
definition of 707 nginx 236, 794
dig 709–710 NGIPSs (next-generation IPS systems)
hping 717 523
ifconfig 710–711 NIC (network interface card) teaming
ipconfig 710 320
netcat 720–721 NIDSs (network intrusion detection
netstat 718–720 systems) 99, 215, 223, 517–518,
nmap 711–714 869, 870. See also network
nslookup 709–710 reconnaissance
passive 203–204 advantages/disadvantages 519–520
pathping 716–717 anomaly-based analysis 521–523
ping 714–716 definition of 519–520
ping6 716 heuristic-based analysis 521
tracert/traceroute 707–709 inline versus passive 523–524
network resilience promiscuous mode 517
definition of 319 signature-based 519–520
load balancers 319–320 stateful pattern-matching recognition
network interface card (NIC) teaming 521
320 Nikto 204
network segmentation. See segmentation Nimda 37
Network Time Protocol (NTP) 112, 440, NIPSs (network intrusion prevention
490, 790 systems) 99, 523, 869
Network Time Security (NTS) 440 advantages/disadvantages 519–520
network video recorders (NVRs) 375 anomaly-based analysis 521–523
network-attached storage (NAS) 326 definition of 518–520
network-based application layer firewalls false positives/false negatives 519
530 heuristic-based analysis 521
New Technology File System (NTFS) inline versus passive 523–524
156, 646, 850. See also permissions signature-based 520–521
Nexpose 204 NIST (National Institute of Standards
next-generation firewall (NGFW) 453– and Technology) 396, 881
454, 524 Nmap 204, 527, 711–714
next-generation IPS systems (NGIPSs) noise detection 382
523 Nomad 240

1130 nonces
nonces 82–83, 500 OEM (original equipment manufacturer)

noncredentialed vulnerability scans 182 459
nondisclosure agreements (NDAs) 901 OFB (Output Feedback) mode 407
nonintrusive vulnerability scanners 182 offboarding policies 575, 899, 900
non-persistence 328–329 Office of Personnel Management (OPM)
nonrepudiation 859–860 attack 300–301
normalization 186, 273–274 offline backups 326
NoSQL databases 273–274 offline password cracking 46
notifications off-premises services 234
of privacy and data breaches 941 offsite storage 327
public 940 Off-The-Record Messaging 400–401
push 299 OIDC (OpenID Connect) 663–664
Novec 1230 381 OIDs (object identifiers) 691
NPS (Network Policy Server) 495 OLDPWD environment variable 740
NSA (National Security Agency) 55, 498 onboarding policies 575, 899, 900
nslookup command 709–710 one-time passwords (OTPs) 627
NT LAN Manager (NTLM) 89 HMAC-based 295–296
NTFS (New Technology File System) time-based 295
156, 646, 850. See also permissions one-to-one mapping 690
NTLM (NT LAN Manager) 89 one-way functions 219
NTP (Network Time Protocol) 112, 440, online backups 326
490 Online Certificate Status Protocol
NTS (Network Time Security) 440 (OCSP) 691, 698
Nucleus RTOS 347 online password cracking 46
null pointer dereferences 75, 271–272 on-path (man-in-the-middle) attacks 54,
NVD (National Vulnerability Database) 84–85, 103, 602
125, 177, 199 on-premises environments, vulnerabilities
NVRs (network video recorders) 375 in 137–143
NXLog 803–804 on-premises services 234
Opal 476
O Open Checklist Interactive Language
Oakley 497 (OCIL) 885
OAS (OpenAPI Specification) 87 Open Network Environment 882
OAuth 292, 578, 661–662 open permissions 150
obfuscation 79, 265, 770 open ports/services 471–472
object detection 376 Open Source Security Testing
object identifiers (OIDs) 691 Methodology Manual (OSSTMM)
OCIL (Open Checklist Interactive 199
Language) 885 Open Systems Interconnection (OSI)
OCSP (Online Certificate Status model 103, 614, 615
Protocol) 691, 698 Open vSwitch Database Management
Protocol (OVSDB) 243

organizational security 1131
Open vSwitch (OVS) 243 benchmarks and secure configuration

Open Vulnerability and Assessment guides 885–888
Language (OVAL) 164, 885 data sanitization 748–749
Open Web Application Security exploitation frameworks 747–748
Project. See OWASP (Open Web file manipulation 732–733
Application Security Project) cat command 734–735
Open1X 554 chmod command 736–737
OpenAPI Specification (OAS) 87 grep command 735–736
OpenCv 416 head command 733
OpenDNS 509–510 logger command 737–738
OpenFlow 243, 882 tail command 734
OpenID 663–664 IP scanners
open-source intelligence (OSINT) 7–8, arp command 721–722
18, 120–121, 124, 203 Cuckoo 731–732
OpenSSL 236, 741–742 curl command 724–725
OPENSSL_CONF environment variable definition of 721
740 dnsenum 728–729
operating systems (OSs) Nessus 730–731
forensic acquisition 850 route command 723–724
hardening 473–474 scanless 727–728
trusted operating systems (TOSs) 905 sn1per 726–727
operation, modes of (encryption) theHarvester 725–726
authenticated 404 IT security frameworks 881–884
Cipher Block Chaining (CBC) 405 network reconnaissance
Cipher Feedback (CFB) 406 definition of 707
Counter (CTR) 404, 408–409 dig 709–710
Electronic Code Book (ECB) 404 hping 717
Output Feedback (OFB) 407 ifconfig 710–711
unauthenticated 404 ipconfig 710
operational controls 868, 869 netcat 720–721
operational expenditure (OpEx) 598 netstat 718–720
operational technology (OT) 113 nmap 711–714
The Orange Book 674 nslookup 709–710
order of volatility 848 pathping 716–717
organization attribute (certificates) 692 ping 714–716
organizational incidents 775 ping6 716
organizational security. See also forensics, tracert/traceroute 707–709
digital; incident response (IR) packet capture and replay
plans definition of 742
Tcpdump 742–743

1132 organizational security
Tcpreplay 742 reputation damage 940

Wireshark 743 security roles and responsibilities
password crackers 748–749 945–947
policies terms of agreement 948
acceptable use 898, 900 regulations and standards
asset management 909–910 company policies 878–879
breadth and scope of 897 General Data Protection Regulation
change management/change control (GDPR) 214, 220, 878–879, 947
909 laws 879–880
classification and governance Payment Card Industry Data
904–905 Security Standard (PCI DSS) 881
clean desk policy 23, 899, 900 shell and script environments
credential 906–908 definition of 738–740
data retention 906 OpenSSL 741–742
definition of 893 PowerShell 740
due care 900 Python 741
due diligence 900 Secure Shell (SSH ) 739–740
due process 900 organizational units (OUs) 692
job rotation 898, 900 organizational validation (OV) certificates
mandatory vacations 898–899, 900 694
onboarding/offboarding 899, 900 organized crime 120
privacy 897 original equipment manufacturer (OEM)
procedures versus 893 459
separation of duties 898, 900 orthogonal frequency-division multiple
user education and awareness access (OFDMA) 561
training 901–902 OSI (Open Systems Interconnection)
privacy and data breach consequences model 103, 614, 615
data types and asset classification OSINT (open-source intelligence) 7–8,
941–942 18, 120–121, 124, 203
fines 940 OSSTMM (Open Source Security
identity theft 940 Testing Methodology Manual) 199
impact assessment 948 OT (operational technology) 113
information lifecycle 947–948 OTA (over-the-air) technology 572–573,
intellectual property theft 940 583, 585
notifications 941 OTPs. See one-time passwords (OTPs)
personally identifiable information out-of-band management 510–511
(PII) 943 out-of-band SQL injection 73
privacy enhancing technologies Output Feedback (OFB) mode 407
944–945 outsourced code development 155
privacy notices 949 OV (organizational validation) certificates
protected health information (PHI) 694
944

passwords 1133
OVAL (Open Vulnerability and PADs (packet assemblers/disassemblers)

Assessment Language) 164, 885 137–138
overflows Paessler PRTG 561–562
buffer 75–76, 77, 149, 271–272, 275, pagefiles, forensic acquisition of 849–850
522 palette modification 417
integer 77, 271 Palo Alto security advisories and bulletins
over-the-air (OTA) technology 572–573, 179
583, 585 PAM (privileged access management)
OVS (Open vSwitch) 243 678, 679
OVSDB (Open vSwitch Database PAMs (pluggable authentication modules)
Management Protocol) 243 670
OWASP (Open Web Application Security PAMs (Programmable Attribute Maps)
Project) 204, 276–277 851
OWASP Proactive Controls 276–277 PANs (personal area networks) 570
OWASP Testing Project 276 PAP (Password Authentication Protocol)
OWASP Web Security Testing Guide 670–671
199 parity, striping with (RAID) 316, 318
top 10 vulnerabilities in web partially known environment 199
applications 70 passive prevention detection systems
Top 10 Web Application Security Risks (IPSs) 523–524
277 passive reconnaissance 203–204
Zed Attack Proxy 204 pass-the-hash attacks 89–90
owners, data 946 Password Authentication Protocol (PAP)
ownership, authentication by 625 670–671
password crackers 748–749
P passwords
P12/PFX format 697 attacks
PaaS (platform as a service) 139, 232, 853 brute-force 45
PAC (proxy autoconfiguration) file 515 dictionary-based 45
packet assemblers/disassemblers (PADs) password cracking 46
137–138 password spraying 45
packet capture and replay 187 plaintext/unencrypted 47–48
definition of 742 rainbow tables 47
Tcpdump 742–743 cracking 748–749
Tcpreplay 742 creating 636–638
Wireshark 743 definition of 636
packet filtering 528 HMAC-based one-time password
packet sniffers 559 (HOTP) 295–296
PacketFence 510 mobile device management (MDM)
packet-switching exchanges (PSEs) 579, 582
137–138 one-time passwords (OTPs) 627
padding 463

1134 passwords
Password Authentication Protocol unknown environment 198–199

(PAP) 670–671 Penetration Testing Execution Standard
password keys 655 (PTES) 199
password vaults 655 Perfect Forward Secrecy (PFS) 399–400,
policies 906–907 502
system-generated 638 performance baselining 539–542
time-based one-time password (TOTP) Performance Monitor tool 540–542
295 Performance tool 539
user-generated 638 permissions 640–645
Pastebin 18 cloud computing 605, 610
patches and hotfixes 160–164, 179–180, inheritance 644–646
362, 474–475 open 150
PATH environment variable 740 privilege creep 645
pathping command 716–717 types of 646
pattern-matching, stateful 521 persistence 201
payment methods, mobile 584, 586 personal area networks (PANs) 570
PCI DSS (Payment Card Industry Data personal firewalls 534
Security Standard) 453, 881 personal identification numbers (PINs)
PDS (protective distribution system) 385 360, 579
PDUs (power distribution units) 322–323 Personal Identity Verification (PIV) cards
Peach 270 629
PEAP (Protected Extensible Personal Information Protection and
Authentication Protocol) 554, 556, Electronic Documents Act
666 (PIPEDA) 220, 880
Pearson Test Prep practice test 954 personal unblocking keys (PUKs) 360
peer to peer (P2P) networks 143 personally identifiable information (PII)
PEM (Privacy-enhanced Electronic Mail) 82, 216–218, 268, 577, 856, 897,
697 901, 943
.pem file extension 697 person-made disasters 924
penetration testing 121, 266 personnel policies 377–378
active reconnaissance 204–205 acceptable use 898, 900
advantages of 197–198 breadth and scope of 897
bug bounties versus 202–203 clean desk policy 23, 899, 900
cleanup 202 data retention 906
definition of 193, 197 definition of 893
exercise types 205–206 due care 900
known environment 198 due diligence 900
lifecycle 199–202 due process 900
methodologies 199 job rotation 898, 900
partially known environment 199 mandatory vacations 898–899, 900
passive reconnaissance 203–204 onboarding/offboarding 575, 899, 900
post-exploitation techniques 201 personnel credential policy 906–908

PKI (public key infrastructure) 1135
privacy 897 screened subnets 384

procedures versus 893 secure areas 385–386
separation of duties 898, 900 secure data destruction 386–387
summary of 900 sensors 381–382
PFS (Perfect Forward Secrecy) 399–400, signage 374–375
502 USB data blockers 379–380
pharming 14–15, 109 visitor logs 383
PHI (protected health information) 856, PIA (Privacy Impact Assessments) 948
944 piggybacking 15
phishing 9–12, 902 PII (personally identifiable information)
phone call authentication 299–300 82, 216–218, 268, 577, 856, 897,
physical controls 871–872 901, 943
physical security 872 ping command 714–716
access control vestibules 372–373 Ping of Death 88
air gap 384 ping6 command 716
alarms 374 PINs (personal identification numbers)
attacks 360, 579
card cloning 48–49 PIPEDA (Personal Information
cloud-based attacks 52–55, 601–603 Protection and Electronic
malicious flash drives 48 Documents Act) 220, 880
malicious USB cables 48 PIR (Post Incident Review) 764–765
skimming 49–50 PIV (Personal Identity Verification) cards
supply-chain attacks 51 629
badges 373, 382 pivoting 201
bollards/barricades 370–371 PKCS (Public Key Cryptography
cameras Standards) 412
centralized versus decentralized 375 PKI (public key infrastructure) 84–85,
closed-circuit television (CCTV) 556
376–377 certificate authorities (CAs) 556,
motion recognition 376 689–691, 829
object detection 376 certificates
drones 382–383 attributes 691–692
Faraday cages 383–384 chaining 696
fencing 380–381 expiration 693
fire suppression 381 formats 697
industrial camouflage 377 pinning 698
lighting 380 Subject Alternative Name 693
locks 378–379 types of 694–696
personnel 377–378 definition of 685
physical locks 379 key escrow 699
protected cable distribution system 385 key management 688

1136 PKI (public key infrastructure)
key recovery agent 699 PNAC. See 802.1X standard

stapling 698 pointer dereferencing 75–76, 271–272
trust model 698 point-of-sale (POS) systems 353
PKIX (Public Key Infrastructure Point-to-Point Tunneling Protocol
Exchange) 694 (PPTP) 494, 558
plaintext 47–48 poisoning
plans ARP (Address Resolution Protocol)
business continuity 773–774, 929 105, 722
communication 771–772 DNS (Domain Name System) 108–110
disaster recovery 772–773, 926 policies 878–879
incident response (IR) account 633
business continuity plans (BCPs) asset management 909–910
773–774, 929 change management/change control
communication plans 771–772 909
continuity of operations planning classification and governance 904–905
(COOP) 774–775 credential 906–908
cyber kill chain 770–771 data retention 775–776, 906
data retention policies 775–776 definition of 893
definition of 760–761 group policy objects (GPOs) 474
Diamond Model of Intrusion Identity and Access Management
Analysis 768–770 (IAM) 605
disaster recovery plans (DRPs) personnel
772–773, 926 acceptable use 898, 900
exercises 765–767 breadth and scope of 897
incident response teams 760, clean desk policy 23, 899, 900
775–776 due care 900
MITRE ATT&CK framework due diligence 900
128–129, 176, 205, 223, due process 900
767–768 job rotation 898, 900
process and lifecycle 761–765 mandatory vacations 898–899, 900
stakeholder management 771–772 onboarding/offboarding 575, 899,
platform as a service (PaaS) 139, 232, 853 900
platform configuration registers (PCRs) personnel credential policy
294 906–908
playbooks 834 privacy 897
PLCs (programmable logic controllers) separation of duties 898, 900
341, 343 summary of 900
pluggable authentication modules (PAMs) procedures versus 893
670 resource 246, 603, 609
PlugX RAT 35 user education and awareness training
PMBOK (Project Management Body of 901–902
Knowledge) 882 POP (Post Office Protocol) 438–439

private cloud 1137
port security 106, 511. See also 802.1X PREMIS (Preservation Metadata
standard Implementation Strategies) 805
open ports 471–472 preparation phase, incident response (IR)
port numbers 441 762–763
port spanning/port mirroring 537–538 prepending 17
port taps 538 preservation, forensic 858
port-based network access control Preservation Metadata Implementation
(PNAC) 553–554 Strategies (PREMIS) 805
protocols associated with 152–154 preshared key (PSK) 103, 551, 557–558
Switched Port Analyzer (SPAN) pretexting 19
537–538 preventative controls 869, 872
vulnerabilities 151 principals 623
portals, captive 559 printenv command 739
PortSwigger Burp Suite Professional 204 Privacy Act of 1974 879, 897
POS (point-of-sale) systems 353 privacy breaches 220. See also identity
positives, true/false 181–182, 518, 520 data types and asset classification
POST (power-on self-test) 851 941–942
Post Incident Review (PIR) 764–765 fines 940
Post Office Protocol (POP) 438–439 identity theft 940
post-exploitation techniques 201 impact assessment 948
post-quantum cryptography 402 information lifecycle 947–948
potentially unwanted programs (PUPs) intellectual property theft 940
40–42 notifications of 941
power distribution units (PDUs) 322–323 personally identifiable information
power loss 925 (PII) 943
power resilience privacy enhancing technologies
definition of 320 944–945
dual supply 321–322 privacy notices 949
generators 321 privacy policies 897
managed power distribution units protected health information (PHI)
(PDUs) 322–323 944
uninterruptible power source (UPS) reputation damage from 940
320–321 security roles and responsibilities
power-on self-test (POST) 851 945–947
PowerShell 113, 630, 740 terms of agreement 948
PPTP (Point-to-Point Tunneling privacy enhancing technologies 944–945
Protocol) 494, 558 Privacy Impact Assessments (PIA) 948
PRE-ATT&CK 18 Privacy-enhanced Electronic Mail (PEM)
predictive analysis 127 697
preferred roaming list (PRL) 572 private cloud 140, 232–233

1138 Private information
Private information 942 protocol analyzers 813

private information sharing centers 124 protocols. See individual protocols
private keys 436 provenance, forensic 857–858
private subnets 606, 610 provisioning, application 260
privilege proximity readers 373, 382
creep 645 proxy autoconfiguration (PAC) file 515
escalation 67–68, 201, 770, 941 proxy servers 514–516
least 681 forward proxy 516
minimal 681 reverse proxy 506–507, 516
provisioning 635 transparent proxy 516
privileged access management (PAM) PSEs (packet-switching exchanges) 137–138
678, 679 pseudo-anonymization 945
Privileges Required (PR) metric 183 pseudocodes 79
PRNG (pseudorandom number pseudorandom number generator
generator) 49–50, 102, 571–572 (PRNG) 49–50, 102, 571–572
procedures, policies versus 879, 893 PSK (preshared key) 103, 551, 557–558
production 260 PTES (Penetration Testing Execution
Programmable Attribute Maps (PAMs) Standard) 199
851 public cloud 140, 232
programmable logic controllers (PLCs) public incidents 775
341, 343 public information 905
programming testing methods public information sharing centers 124
compile-time errors 266–267 public key algorithms 411
fuzz testing 269–270 Public Key Cryptography Standards
input validation 80, 267–268 (PKCS) 412
penetration testing 266 public key infrastructure. See PKI (public
runtime errors 266–267 key infrastructure)
static and dynamic code analysis 269 Public Key Infrastructure Exchange
stress testing 80, 266 (PKIX) 694
programming vulnerabilities. See public keys 437
vulnerabilities public ledgers 409–410
Project Management Body of Knowledge public notifications and disclosures 941
(PMBOK) 882 public subnets 606, 610
promiscuous mode 517 PUKs (personal unblocking keys) 360
promiscuous ports 491 pulping 386
Proprietary information 942 pulverizing 387
protected cable distribution system 385 PUPs (potentially unwanted programs)
Protected Extensible Authentication 40–42
Protocol (PEAP) 554, 556, 666 purple team 205–206
protected health information (PHI) 856, push notifications 299
944 PWD environment variable 740
protective distribution system (PDS) 385 Python 113, 741

redundancy 1139
Q Rapid STP 512

QKD (quantum key distribution) Rapid7 Nexpose 204
401–402 RAs (registration authorities) 690
QoS (quality of service) 536 RAS (Remote Access Service) 670–672
QRadar 526 Raspberry Pi 339
qualitative risk management 921–922, RATs (remote access Trojans) 148
923 RBAC (role-based access control) 677,
qualitative-to-quantitative score mapping 679, 899
186 RC4 (Rivest Cipher 4) 412
quality assurance (QA) 260, 261 RCE (remote code execution) 78, 146,
quality of service (QoS) 536 149, 275
Qualys 204 RCS (Rich Communication Services) 585
quantitative risk management 922–923 RCSA (risk control self-assessment) 920
quantum cryptography 401–402 RDBMS (relational database management
communications 401–402 system) 273
computing 402 RDP (Remote Desktop Protocol) 472
definition of 401 readers, proximity 373, 382
quantum key distribution (QKD) Real-Time Monitoring Tool (RTMT)
401–402 799
quarantine 823–824 real-time operating systems (RTOSs) 347,
quick mode, IKE 501 355
Real-Time Transport Protocol (RTP)
R 152. See also Secure Real-Time
Transport Protocol (SRTP)
race conditions 79
reception desks 378
Radamsa 269
recertification, user access 645
radio, baseband 359
reconnaissance. See network
radio frequency identification (RFID)
reconnaissance
attacks 49, 102, 571–572
Recon-ng 203
radio frequency interference (RFI)
recovery 764, 859
383–384
disaster recovery planning 928–930
RADIUS (Remote Authentication
recovery point objective (RPO) 929
Dial-In User Service) 556–557,
recovery time objective (RTO) 929
672–673
restoration order 330–331
RAID (Redundant Array of Inexpensive
Red Hat security advisories and bulletins
Disks) 315–316, 869
179
Rainbow Series 674
red teams 205, 902
rainbow tables 47
redaction 945
RainbowCrack 47
redirection attacks, URL 110
RAM (random-access memory), forensic
reduced sign-on 656
acquisition of 848–849
redundancy 926–927
ransomware 33–34, 111–112
definition of 315
rapid application development (RAD) 262

1140 redundancy
disk Reliable Event Logging Protocol (RELP)

definition of 315–316 800
multipath 319 relying parties (SAML) 659
Redundant Array of Inexpensive Remediation Level (RL) metric 185
Disks (RAID) 315–316 remote access 442
diversity of 331–332 Remote Access Service (RAS) 670–672
geographic dispersal 315 remote access Trojans (RATs) 148
network remote-access VPNs 496–497
definition of 319 remote authentication
load balancers 319–320 Challenge-Handshake Authentication
network interface card (NIC) Protocol (CHAP) 670–672, 673
teaming 320 RADIUS 556–557, 672–673
power Remote Access Service (RAS) 670–672
definition of 320 TACACS+ 672–673
dual supply 321–322 Remote Authentication Dial-In User
generators 321 Service (RADIUS) 556–557,
managed power distribution units 672–673
(PDUs) 322–323 remote code execution (RCE) 78, 146,
uninterruptible power source (UPS) 149, 275
320–321 Remote Desktop Connection 152
Redundant Array of Inexpensive Disks Remote Desktop Protocol (RDP) 472
(RAID) 315–316, 869 remote terminal units (RTUs) 341
refactoring, driver 89 remote wipe 579, 582
reference architecture 884 remotely operated underwater vehicles
Reflected XSS attacks 68 (ROVs) 353–354
reflection 112 removable media 123
regedit command 472 replay, packet
registers, risk 920 definition of 742
registration, identity 633–635 replay attacks 82–85
registration authorities (RAs) 690 Tcpdump 742–743
registry 472 Tcpreplay 742
regulations and standards Wireshark 743
company policies 878–879 replication
General Data Protection Regulation cloud computing 605, 610
(GDPR) 214, 220, 878–879, 947 storage area networks (SANs) 323
laws 879–880 virtual machines (VMs) 324–325
Payment Card Industry Data Security escape attacks 248–249
Standard (PCI DSS) 881 sprawl avoidance 247–248
regulatory forensic intervention 855 Report Confidence (RC) metric 185
relational database management system reports
(RDBMS) 273 after action report (AAR) 928–929
baseline 539–542

RFI (radio frequency interference) 1141
forensic 846 on-premises versus cloud 325

SIEM (Security Information and Event redundancy
Management) 187 definition of 315
repositories, file/code 127 disk 315–319
Representational State Transfer (REST) diversity of 331–332
86 geographic dispersal 315
reputation 110–111, 940 network 319–320
request for comments (RFC) 128 power 320–323
request forgeries 85–86 Redundant Array of Inexpensive
residual risk 919, 921 Disks (RAID) 315–316, 869
resilience 221–222 replication
backups storage area networks (SANs) 323
cloud 326 virtual machines (VMs) 247–249,
comparison of 326–327 324–325
copy 326 restoration order 330–331
differential 326, 328 scalability 279–280, 328
disk 326 resolution, domain name 442–443
full 326, 328–331 resource allocation, dynamic 607–608,
image 326 611
incremental 326, 328 resource exhaustion 87–88
NAS (network-attached storage) resource policies 246, 603, 609
326 resource records (RRs) 795
offsite storage 327 response and recovery controls 220–221
online versus offline 326 REST (Representational State Transfer)
snapshot 326 86
tape 326 RESTful APIs 240
definition of 311 restoration 158, 330–331
high availability (HA) 329–330 retention, risk 919
network retention policies 775–776, 906
definition of 319 retina scanning 301
load balancers 319–320 Retina Web Security Scanner 204
network interface card (NIC) reuse, code 270
teaming 320 reverse proxy 506–507, 516
non-persistence 328–329 revert to known state 329
power review, exam 953–954
definition of 320 review logs 182
dual supply 321–322 reviews, configuration 182
generators 321 revoking certificates 829
managed power distribution units RFC (request for comments) 128
(PDUs) 322–323 RFI (radio frequency interference)
uninterruptible power source (UPS) 383–384
320–321

1142 RFID (radio frequency identification) attacks
RFID (radio frequency identification) RMF (Risk Management Framework)

attacks 49, 102, 571–572 884
Rich Communication Services (RCS) robot sentries 378
583, 585 rogue access points 99
riding, session 602 role-based access control (RBAC) 677,
rights management 219–220, 640–645 679, 899
right-to-audit clauses 854 role-based training 902
Rijndael. See Advanced Encryption roles and responsibilities, security 945–
Standard (AES) 947
risk management 155, 913 rolling codes 102
business impact analysis 926–927 root accounts 150, 908
disaster analysis 924–925 root certificate authorities 696
disaster recovery planning 928–930 root certificates 696
external versus internal risk 917 root of trust 476–477
residual risk 919 route command 723–724
risk assessment 919–921 route security 443, 535–536
control risk 921 IPv6 536–537
inherent risk 921 port spanning/port mirroring 537–538
qualitative 921–922, 923 quality of service (QoS) 536
quantitative 922–923 Routing and Remote Access Service
residual risk 921 (RRAS) 495
risk appetite 921 ROVs (remotely operated underwater
risk awareness 921 vehicles) 353–354
risk control assessment 920 RPO (recover point objective) 929
risk control self-assessment (RCSA) RRAS (Routing and Remote Access
920 Service) 495
risk matrix/heat map 920 RRs (resource records) 795
risk mitigation 921 RSA 412
steps of 919–920 rsyslog 800–801
risk avoidance 918 RTMT (Real-Time Monitoring Tool)
Risk Management Framework (RMF) 799
884 RTO (recovery time objective) 929
risk matrix/heat map 920 RTOSs (real-time operating systems) 347,
risk mitigation 919 355
risk registers 920 RTP (Real-Time Transport Protocol)
risk transference 918 152. See also Secure Real-Time
risk types 917–918 Transport Protocol (SRTP)
strategies for 918–919 RTUs (remote terminal units) 341, 343
supply chain risk management (SCRM) rule-based access control 677, 678, 679
920 runbooks 833
third-party risks 155–160 runtime errors 81–82, 266–267
risky login 639 runtime memory 477

secure areas 1143
S Common Vulnerability Scoring

SaaS (software as a service) 138, 231, 444, System (CVSS) 182–186
853 false negative 181
SAE (Simultaneous Authentication of false positives 181
Equals) 101, 551, 552 how it works 180–181
safes 385 intrusive versus nonintrusive 182
salting 47, 82, 397–398, 462–463 noncredentialed 182
SAM (Security Accounts Manager) 89 SCAP (Security Content Automation
SAML (Security Assertion Markup Protocol) 883, 885–888
Language) 659–661 scheduling algorithms 488
Samsung 476 SCP (secure copy) 456
SAN (Subject Alternative Name) field screen locks 579
694–695 screened subnets 384, 491
sandboxing 266, 452, 478–479 script environments 278–279
sanitization, data 748–749 definition of 738–740
sanitizing mobile devices 579 OpenSSL 741–742
SANs (storage-area networks) 142, 323 PowerShell 740
Santos, Omar 953 Python 741
Sarbanes–Oxley (SOX) 880, 882 Secure Shell (SSH ) 739–740
SASE (Secure Access Service Edge) 582 script kiddies 120
SAST (static application security testing) SCRM (supply chain risk management)
468–469 166, 920
SATCOM (satellite communications) 573 Scrum 258
SCADA (supervisory control and data SDLC (software development lifecycle)
acquisition) systems 341–343 78, 261–262, 263–265, 468, 868
scalability 279–280, 328 SDN (software-defined networking)
scanless 727–728 241–243, 882
scans SDV (software-defined visibility) 243
biometric. See biometric systems SD-WAN (software-defined wide-area
IP scanners network) 246
arp command 721–722 Seagate Technology 476
Cuckoo 731–732 SEAndroid 588
curl command 724–725 search engine optimization (SEO) 808
definition of 721 SEC (Securities and Exchange
dnsenum 728–729 Commission) 941
Nessus 730–731 SECaaS (security as a service) 139
route command 723–724 secrecy, forward 400–401
scanless 727–728 Secret information 905, 941–942
sn1per 726–727 Secret Manager 604
theHarvester 725–726 secrets management 604, 609
vulnerability 785–786 Secure Access Service Edge (SASE) 582
secure areas 385–386

1144 secure copy (SCP)
secure copy (SCP) 456 security assessments. See also SIEM

Secure File Transfer Protocol (SFTP) (Security Information and Event
434, 441 Management)
Secure Hash Algorithm (SHA) 55, 463, in cloud 598
551–552 attacks 601–603
Secure Key Exchange Mechanism threats 598–600
(SKEME) 497 risk 919–921
secure protocols. See also individual control risk 921
protocols inherent risk 921
definition of 426 qualitative 921–922, 923
use cases quantitative 922–923
directory services 442 residual risk 921
domain name resolution 442–443 risk appetite 921
email and web 440 risk awareness 921
file transfer 441 risk control assessment 920
network address allocation 443–444 risk control self-assessment (RCSA)
remote access 442 920
routing and switching 443 risk matrix/heat map 920
subscription services 444 risk mitigation 921
time synchronization 440 steps of 919–920
voice and video 440 security advisories and bulletins
Secure Real-Time Transport Protocol 177–180
(SRTP) 152, 430–431 Security Orchestration, Automation,
Secure Shell (SSH) 427–428, 625, 628, and Response (SOAR) 188–189,
739–740 832
Secure Sockets Layer (SSL) 82–83, 436, threat hunting 175–180
441 vulnerability scans
certificate types 694–696 credentialed versus noncredentialed
SSL-based VPNs 505–508 182
Transport Layer Security Inspection false negatives 181
(TLSI) 215–216 false positives 181
Secure Web Gateway (SWG) 613, 614 how it works 180–181
Secure/Multipurpose Internet Mail intrusive versus nonintrusive 182
Extensions (S/MIME) 428–429 Security Content Automation Protocol
Securities and Exchange Commission (SCAP) 883, 885–888
(SEC) 941 security controls
Security Accounts Manager (SAM) 89 cloud
security administrators 947 API inspection and integration 607,
security as a service (SECaaS) 139 610
Security Assertion Markup Language compute 611
(SAML) 292, 659–661 high availability across zones 603,
609

servers 1145
integration and auditing 604, 609 east-west traffic 492

network 606–607, 610 example of 489
resource policies 603, 609 extranets 492–493
secrets management 604, 609 intranets 492–493
storage 605, 610 microsegmentation 489–490
cloud computing screened subnets 491
compute 607 virtual local-area networks (VLANs)
container security 608–609 490–491
dynamic resource allocation zero trust 494
607–608, 611 Segmented Integer Counter Mode
instance awareness 608, 611 (SRTP) 430
native versus third-party 615 SEH (structured exception handling) 81,
security groups 607, 611 267
security solutions 611–614 SELECT statement 70
summary of 608–609 self-encrypting drives (SEDs) 475–476
virtual private cloud endpoint 608, self-signed certificates 695, 698
611 SELiux (Security-Enhanced Linux) 588
security incident response simulations semi-authorized hackers 121
(SIRS) 766–767 semicolon (;) 73
security incident response team (SIRT). Sender Policy Framework (SPF) 110, 426
See incident response (IR) teams sensitive data exposure 82
Security Information and Event Sensitive information 942
Management. See SIEM sensors 345, 381–382, 524–525, 787
(Security Information and Event sentiment analysis 188
Management) Sentinel 204
security logs 383, 793 SEO (search engine optimization) 808
security officers 947 separation of duties 898, 900
Security Onion 953 serial numbers, certificate 692
security operations centers (SOCs) 123, serverless architecture 243–244
175–176, 223, 379, 760, 762, 776 servers 144
Security Orchestration, Automation, and authentication 665
Response (SOAR) 188–189, 832 command-and-control [C2] 108
playbooks 834 email 145
runbooks 833 file 144
security posture assessments (SPAs) 539 FTP 147–148
Security Requirements metrics 185 hardening 159–160
Security-Enhanced Linux (SELinux) 588, jump 514
676 Microsoft Cluster Server 488
SEDs (self-encrypting drives) 475–476 network controllers 144
segmentation 607, 610, 831–832 Network Time Protocol (NTP) 490
application-based 489–490 proxy 514–516
in cloud 613, 615 forward proxy 516

1146 servers
reverse proxy 506–507, 516 SHELL environment variable 740

transparent proxy 516 shielding, application 471
virtual network computing (VNC) 632 shimming, driver 89
web Shodan 203–204
log files 794 Shor’s algorithm 402
vulnerabilities 146–147 Short Message Service (SMS) 12,
server-side execution 267 296–297, 583, 585
server-side request forgery (SSRF) 85–86 shoulder surfing 14
server-side validation 268 shredding 386
service accounts 629, 908 side-channel attacks 54, 602
service nxlog start command 803 sideloading 581
service providers (SPs) 292, 623, 661 SIEM (Security Information and Event
service set identifiers (SSIDs) 98, 205, Management) 186–188, 526,
532 869–870
service-level agreements (SLAs) 53, alerts 788
273–274, 600, 902–903 correlation 788–789
services, open 471–472 dashboards 786–789
services integration 246 sensitivity 788
session hijacking 54, 83, 465, 601 sensors 787
Session Initiation Protocol (SIP) 351, trends 788
431, 800 SIFT workstation 850
session replay 83 signage 374–375
session riding 54, 602 signatures, digital 395–396, 466–467, 520
session theft 83 signature verifying algorithms 395
SET (Social Engineering Toolkit) 10 signature-based intrusion detection
SFC (System File Checker) command 519–520
158 signing algorithms 395
sFlow 810–811 SIM (subscriber identity module) cards
SFTP (Secure File Transfer Protocol) 49, 360, 580, 584
434, 441 Simple Network Management Protocol
SHA (Secure Hash Algorithm) 55, version 3 (SNMPv3) 434–436, 443
551–552 Simple Object Access Protocol (SOAP)
shadow IT 121 86
share permissions 646. See also simulations 766–767
permissions Simultaneous Authentication of Equals
shared accounts 629 (SAE) 101, 551, 552
shell and script environments single loss expectancy (SLE) 922
definition of 738–740 single point of failure 156, 926
OpenSSL 741–742 single quotation mark (') 73
PowerShell 740 single sign-on (SSO) 292, 373, 624,
Python 741 658–659
Secure Shell (SSH ) 739–740 sinkholes, DNS 223

software as a service (SaaS) 1147
SIP (Session Initiation Protocol) 351, social engineering attacks

431, 800 description of 7–9
SIRS (security incident response dumpster diving 13
simulations) 766–767 eliciting information 15–16
SIRT. See incident response (IR) teams hybrid warfare 22
site resiliency 221–222 identity fraud 17
site surveys 559, 561–562 baiting 19
sites, physical 385 credential harvesting 18
site-to-site configuration 495 hoaxes 19
site-to-site VPNs 496–497 impersonation/pretexting 19
SKEME (Secure Key Exchange invoice scams 17
Mechanism) 497 reconnaissance 18
SKEYID 500 typo squatting 20, 44
skimming 49–50 watering hole attacks 20, 85
SLAs (service-level agreements) 53, influence campaigns 21
273–274, 600, 902–903 pharming 14–15
SLE (single loss expectancy) 922 phishing and spear phishing 9–12
Sleuth Kit 850 piggybacking 15
smart cards 299–300, 625, 629 prepending 17
smart devices 345 principles of 21
smart factories 342 reasons for effectiveness 21
smart meters 350 shoulder surfing 14
S/MIME (Secure/Multipurpose Internet smishing 12
Mail Extensions) 428–429 Spam 13
smishing 12 Spam over Internet Messaging (SPIM)
SMS (Short Message Service) 12, 13
296–297, 583, 585 tailgating 15
sn1per 726–727 user security awareness education 22–24
snapshots 326, 851–852 vishing 12–13
SNMPv3 (Simple Network Management war-dialing 13
Protocol version 3) 434–436, 443 whaling 9, 16–17
snmpwalk v3 command 436 Social Engineering Toolkit (SET) 10
snooping, DHCP 512–513 social media
SOAP (Simple Object Access Protocol) attacks and vulnerabilities 22, 123, 143
86 as research source 128
SOAR. See Security Orchestration, social media analysis 899
Automation, and Response SOCs (security operations centers) 123,
(SOAR) 175–176, 223, 379, 760, 762, 776
SOC (System and Organization Controls) software application development. See
884 application development
SoC (system on a chip) 356–357, software as a service (SaaS) 138, 231, 444,
477, 571 853

1148 software compliance/licensing
software compliance/licensing 918 compute 361–362

software development environments cost 363
257–260 crypto 362
software development lifecycle (SDLC) implied trust 363
78, 261–262, 263–265, 468, 868 inability to patch 362
software diversity 278 network 362
software integrity measurement 261 power 361
Software of Unknown Providence range 363
(SOUP) 347 drones 353–354
software-defined networking (SDN) heating, ventilation, and air
241–243, 882 conditioning (HVAC) 352–353
software-defined visibility (SDV) 243 medical systems 347
software-defined wide-area network multifunction printers (MFPs) 354
(SD-WAN) 246 real-time operating systems (RTOSs)
SolarWinds 721, 789 355
solid-state drives (SSDs), forensic smart meters 350
acquisition of 848 surveillance systems 355–356
SOUP (Software of Unknown system on a chip (SoC) 356–357
Providence) 347 vehicles 347–348
sovereignty, data 214–215 Voice over Internet Protocol (VoIP)
SOX (Sarbanes–Oxley) 880, 882 350, 799–800
Spam 13 speech recognition 302
Spam over Internet Messaging (SPIM) 13 SPF (Sender Policy Framework) 110, 426
SpamCop 13 SPI (stateful packet inspection) 528, 562
SPAN (Switched Port Analyzer) ports SpiderFoot 203
537–538 SPIM (Spam over Internet Messaging) 13
spanning, port 537–538 split tunneling 495–496
Spanning Tree Protocol (STP) 105, 512 Splunk 526
spanning-tree portfast bpduguard spoofing
command 512 ARP (Address Resolution Protocol)
SPAs (security posture assessments) 539 105, 513
specialized embedded systems 346–347 MAC (media access control) 101, 106
aircraft 348–350 sprawl avoidance 247–248
communication considerations spraying, password 45
5G 357–358 SPs (service providers) 292, 623, 661
baseband radio 359 spyware 40–42
NarrowBand 358 SQL (Structured Query Language) 273
subscriber identity module (SIM) SQL injection (SQLi) 54, 70–74,
cards 360 273–274, 464, 602
Zigbee 360–361 SQL Server 273
constraints 361 SquidProxies 514
authentication 363

structured exception handling (SEH) 1149
SRAM (static random-access memory) static application security testing (SAST)

340 468–469
SRTP (Secure Real-Time Transport static code analysis 269, 468–469
Protocol) 152, 430–431 static codes 298
SSAE (Statement on Standards for static random-access memory (SRAM)
Attestation Engagements) 881, 340
883, 884 Stegais 415
SSDs (solid-state drives), forensic steganography 415
acquisition of 848 audio 415–416
SSH (Secure Shell) 427–428, 625, 628, homomorphic 417
739–740 image 416–417
ssh command 427 video 416
SSIDs (service set identifiers) 98, 205, Steghide 415
532 stego-files 416
SSL (Secure Sockets Layer) 82–83, 436, stewards, data 946
441 sticky sessions 489
certificate types 694–696 STIX (Structured Threat Information
SSL-based VPNs 505–508 eXpression) 125–127
stripping 88–89 storage
Transport Layer Security Inspection cloud 610
(TLSI) 215–216 encryption 605
SSL Inspection (SSSI) 215 high availability 605
SSO (single sign-on) 292, 373, 624, permissions 605
658–659 replication 605
SSRF (server-side request forgery) 85–86 secure 477
SSSI (SSL Inspection) 215 storage DLP systems 215
staging 259 vulnerabilities 156
stakeholder management 771–772 storage-area networks (SANs) 142, 323
standard load 540 Stored (persistent) XSS attacks 68
standards. See regulations and standards stored procedures 273
stapling 698 STP (Spanning Tree Protocol) 105, 512
starvation attack, DHCP 513 strategic intelligence 860
state actors 120–121 stream ciphers 410
state laws 879–880 stress testing 80, 266
stateful packet inspection (SPI) 528, 562 stretching, key 397
stateful pattern-matching recognition 521 striping (RAID) 316, 317–318
stateless packet inspection 528 with dual parity 316, 318
Statement on Standards for Attestation with parity 316, 318
Engagements (SSAE) 881, 883, stripe and mirror 316, 319
884 stripping, SSL 88–89
statements, SQL (Structured Query structured exception handling (SEH) 81,
Language) 70 267

1150 Structured Query Language
Structured Query Language. See SQL system integration 155

(Structured Query Language) system logs 791–792
Structured Threat Information System Monitor 542
eXpression (STIX) 125–127 system on a chip (SoC) 356–357, 477, 571
Stuxnet 363 system owners 946–947
Subject Alternative Name (SAN) 693, System Restore 158
694–695 systemd 802
subnets system-generated passwords 638
public/private 606, 610 systeminfo command 161
screened 384, 491
subscriber identity module (SIM) cards T
49, 360, 580, 584 tables, rainbow 47
substitution 216, 416–417 tabletop exercises 765–766
supervisory control and data acquisition TACACS+ (Terminal Access Controller
(SCADA) systems 341–343 Access Control System Plus)
supplicants 555, 665 672–673
supply chains tactics, techniques, and procedures
attacks 51, 123, 156 (TTPs) 128, 176, 767, 809
business partnership agreements tags, evidence 845–846
(BPAs) 903 tail command 734, 795
supply chain risk management (SCRM) tailgating 15
166, 920 Talos 347
surge protectors 159 tamper resistance 477
surveillance systems 355–356 tape backups 326
surveys, site 559, 561–562 taps, port 538
svStrike 850–851 TAXII (Trusted Automated eXchange of
Swagger (OpenAPI) 87 Indicator Information) 125–127
swap files, forensic acquisition of 849–850 TCB (trusted computing base) 676
SWG (Secure Web Gateway) 613, 614 TCG (Trusted Computing Group), Opal
Switched Port Analyzer (SPAN) ports 476
537–538 Tcl 241
switching 443 TCP (Transmission Control Protocol)
symmetric encryption 411–413 503
synchronization 82–83 Tcpdump 742–743
email and web 440 TCP/IP hijacking 84
time 440 Tcpreplay 742
synchronization (SYN) packets 84 TCSEC (Trusted Computer System
syslog 800–801 Evaluation Criteria) 674
syslog-ng 800–801 teaming, network interface card (NIC)
System and Organization Controls (SOC) 320
884 teams, incident response (IR) 760,
System Information 161 775–776

thumbprint algorithm 1151
Teardrop 88 runtime errors 266–267

technical controls 868, 869 static and dynamic code analysis 269
Technical Guide to Information stress 80, 266
Security Testing and Assessment white-box 80
(NIST) 199 tethering 584
TEE (trusted execution environment) TGTs (ticket-granting tickets) 668
476 THC Hydra 749
telemetry, fake 223 theft
temperature sensors 382 disaster analysis 925
temporal groups 182 identity 940
Temporal Key Integrity Protocol intellectual property 917
(TKIP) 552 mobile device 580
temporary files 157 session 83
Tenable Network Security Nessus 204 theHarvester 203, 725–726
TERM environment variable 740 thin clients 235–236, 508
Terminal Access Controller Access “third countries” 220
Control System Plus (TACACS+) third-party destruction and disposal
672–673 services 387
terms of agreement 948 third-party libraries 265
testing 259 third-party risks 155–160
black-box 80 threat actors
compile-time errors 266–267 attack vectors 122–123
fuzz 80, 269–270 attributes of 122
gray-box 80 types of 120–121
input validation 80, 267–268 threat feeds 176
known environment/white box threat hunting 175–180
468–469 threat intelligence
penetration 121, 266 automated indicator sharing (AIS) 125
active reconnaissance 204–205 Information Sharing and Analysis
advantages of 197–198 Centers (ISACs) 123–125
bug bounties versus 202–203 MITRE ATT&CK framework
cleanup 202 128–129
definition of 193, 197 research sources 127–128
exercise types 205–206 Structured Threat Information
known environment 198 eXpression (STIX) 125–127
lifecycle 199–202 Trusted Automated eXchange of
methodologies 199 Indicator Information (TAXII)
partially known environment 199 125–127
passive reconnaissance 203–204 vulnerability databases 125
post-exploitation techniques 201 threat maps 127
rules of engagement 200 threat modeling 264
unknown environment 198–199 thumbprint algorithm 692

1152 ticket-granting tickets (TGTs)
ticket-granting tickets (TGTs) 668 traffic

tickets, Kerberos 668 east-west 492
time 844–845 lateral 492
delay 74 training, user 22–24, 899, 901–902
offset 844 Transaction Signature (TSIG) 108
synchronization 440 transference of risk 918
time bombs 39 transit gateways 246–247
time of check (TOC) attacks 79 transitive trust 577–578
time of use (TOU) attacks 79 Transmission Control Protocol (TCP)
time-based logins 639 503
time-based one-time password (TOTP) transparent proxy 516
295 Transport Layer Security Inspection
timestamps 82–83, 844 (TLSI) 215–216
Time Machine 158 Transport Layer Security (TLS) 82–83,
time-to-live (TTL) 795 88, 108, 351, 410, 436, 441, 556,
TKIP (Temporal Key Integrity Protocol) 577, 656, 698
552 transport mode, IPsec 438, 503
TLS (Transport Layer Security) 82–83, traversal, directory 75–76, 149, 274–275,
88, 108, 351, 410, 436, 441, 556, 276
577, 656, 698 Triple DES 412
TLSI (Transport Layer Security TRNG (true random number generators)
Inspection) 215–216 477
TMSAD (Trust Model for Security Trojans 35, 104, 108, 113
Automation Data) 887 true random number generators
TOC (time of check) attacks 79 (TRNGs) 477
token key 297 trust
token-based authentication 297 models 698
tokenization 218, 461–462, 945 root of 476–477
tokens 461, 625, 627–628 transitive 577–578
Top 10 Web Application Security Risks Trusted Computer System Evaluation
277 Criteria (TCSEC) 674
Top Secret information 905, 941–942 zero 494
TOS (trusted operating system) 160, 905 Trust Model for Security Automation
ToS (type of service) bits 536 Data (TMSAD) 887
Toshiba 476 Trusted Automated eXchange of
TOTP (time-based one-time password) Indicator Information (TAXII)
295 125–127
TOU (time of use) attacks 79 trusted computing base (TCB) 676
TPM (Trusted Platform Module) 294, Trusted Computing Group (TCG) 476
459–460, 477–478, 524, 655 trusted execution environment (TEE)
traceroute command 707–709 476
tracert command 707–709 trusted operating system (TOS) 160, 905

user access recertification 1153
Trusted Platform Module (TPM) 294, Unified Extensible Firmware Interface

459–460, 477–478, 524, 655 (UEFI) 459, 851
trusted zones 825 unified threat management (UTM) 495,
trustworthy computing 39–40 524
Try-SQL Editor 71 uniform resource locators (URLs)
TSIG (Transaction Signature) 108 redirection attacks 110
TTLS (Tunneled Transport Layer URL hijacking 44
Security) 556 uninterruptible power source (UPS)
TTPs (tactics, techniques, and 320–321
procedures) 128, 176, 767, 809 union operator 73
tunnel mode, IPsec 438, 503 unique serial numbers (ICCIDs) 360
Tunneled Transport Layer Security Universal Serial Bus. See USB (Universal
(TTLS) 556 Serial Bus)
tunneling 495–496, 505–508, 556 UNIX 144
two-factor authentication (2FA) 298 unknown environment 198–199
Twofish 412 unmanned aerial vehicles (UAVs)
two-person integrity control 378 353–354
Type I errors 626 UPDATE statement 70
Type II errors 626 updates, exam 02.0004–02.0026
type of service (ToS) bits 536 UPN (User Principal Name) 696
typo squatting 20, 44 UPS (uninterruptible power source)
320–321
U URLs (uniform resource locators)
UAC (User Account Control) 67 filtering 828–829
UAs (user agents) 800 redirection attacks 110
UAVs (unmanned aerial vehicles) URL hijacking 44
353–354 US Computer Emergency Readiness
ubuntu keyword 239 Team (US-CERT) 576
UDP (User Datagram Protocol) 503 US Office of Personnel Management
UEFI (Unified Extensible Firmware (OPM) attack 300–301
Interface) 459, 851 USB (Universal Serial Bus)
UEM (unified endpoint management) condoms 379
587–588, 825 data blockers 379–380
Umbrella 509 malicious flash drives 47–48
unauthenticated modes 404 malicious USB cables 48
unauthorized hackers 121 USB OTG (USB On-The-Go) 583
Unclassified information 941–942 USB sticks 123
underscore (_) 740 US-DMCA (Digital Millennium
unicast addresses 537 Copyright Act) 220
unified endpoint management (UEM) use case analysis 882
587–588, 825 user access recertification 645

1154 User Account Control (UAC)
User Account Control (UAC) 67 vertical privilege escalation 67

user accounts. See accounts vestibules, access control 372–373
user agents (UAs) 800 video
user behavior analysis 188 forensic video analysis 842–843
user certificates 696 secure 440
User Datagram Protocol (UDP) 503 steganography 416
user education 899, 901–902 virtualization 606, 610. See also VPNs
USER environment variable 740 (virtual private networks)
User Interaction (UI) metric 184 APIs (application programming
User Principal Name (UPN) 696 interfaces)
user security awareness education 22–24 definition of 240–241
user-controlled input 464 infrastructure as code 241–243
user-generated passwords 638 micro-segmentation 240–241
users command 631–632 cloud computing
UTC (Coordinated Universal Time) 845 cloud models 231–232
UTM (unified threat management) 495, cloud service providers (CSPs) 233
524 community cloud 233
fog and edge computing 234–235
V hybrid cloud 233
vacations, mandatory 898–899, 900 managed detection and response
validation (MDR) 234
continuous 278 managed service providers (MSPs)
identity 633–635 233–234
input 267–268, 464 off-premises versus on-premises
validity dates, certificate 692 services 234
variables, environmental 740 private cloud 232–233
/var/log directory 791 public cloud 232
vaults 385, 655 thin clients 235–236
VBA (Visual Basic for Applications) 113 VPCs (virtual private clouds) 607,
VDEs (virtual desktop environments) 608, 611
139, 232 containers 236–240
VDIs (virtual desktop infrastructures) definition of 247
139, 232 firewalls 534–535
vectors, attack 122–123 IP addresses 488
vehicle systems 347–348 memory 850
vein authentication 302 microservices 236–240
vendor management 155, 156, 331, resource policies 246
902–903 serverless architecture 243–244
ver command 161 services integration 246
Veracode Web Application Security 204 transit gateways 246–247
Verisign 112, 577 VDEs (virtual desktop environments)
version control 258, 279 139, 232

vulnerabilities 1155
VDIs (virtual desktop infrastructures) Layer 2 Tunneling Protocol (L2TP)

139, 232, 589 508
VLANs (virtual local-area networks) remote-access 496–497
490–491, 831 SCADA systems 341–342
VMs (virtual machines) 324–325 site-to-site configuration 495, 496–497
attacks 248–249, 601 split tunneling 495–496
sprawl avoidance 247–248 SSL-based 505–508
VNC (virtual network computing) VPN concentrators 495
servers 632 vulnerabilities
VPCs (virtual private clouds) 607, 608, backdoors 149, 271, 275
611 cloud-based versus on-premises
viruses 137–143
antivirus software 451 code injection 149, 273–274, 276
fileless 37 cross-site request forgery (XSRF) 149,
vishing 12–13 272, 275
visitor logs 383 cross-site scripting (XSS) 54, 68–70,
Visual Basic for Applications (VBA) 113 110, 149, 272, 275, 601
VLANs (virtual local-area networks) dark web 143
490–491, 831 directory traversal 149, 274–275, 276
VMs (virtual machines) 324–325 error handling 79–82
attacks 248–249, 601 compile-time errors 81–82
sprawl avoidance 247–248 input handling 79–82
VNC (virtual network computing) servers runtime errors 81–82
632 impact of cybersecurity breaches and
voice, secure 440 attacks 165–166
voice recognition 302 legacy platforms 165
VoIP (Voice over Internet Protocol) 350, memory/buffer 77–78, 149, 271–272,
799–800 275
volatility, order of 848 peer to peer (P2P) networks 143
VPCs (virtual private clouds) 607, 608, remote code execution (RCE) 78, 146,
611 149, 275
VPNs (virtual private networks) 99 server defense 144
always-on functionality 495 email servers 145
clientless versus client-based 497, 507 file servers 144
definition of 494 FTP servers 147–148
description of 494–496 network controllers 144
example of 494–495 web servers 146–147
HTML5 508 social media 143
IKEv1 Phase 1 negotiation 498–501 summary of 149–150, 275–276
IKEv1 Phase 2 negotiation 501–503 third-party risks 155–160
IKEv2 504–505 vulnerability databases 125
IPsec 497, 501–502 weak configurations 150–155

1156 vulnerabilities
weak patch management 160–164 web of trust 698

zero-day 149, 275, 276, 522 web pages, metadata from 808–809
vulnerability scans 180–181, 559 web protocol port numbers 441
Common Vulnerability Scoring System web servers
(CVSS) 182–186 logs 794
false negative 181 vulnerabilities 146–147
false positives 181 Web Services Description Language
intrusive versus nonintrusive 182 (WSDL) documents 87
noncredentialed 182 web synchronization 440
output 785–786 WebApp360 204
VUPEN Web Application Security webification 507
Scanner 204 Websense 533
WebSploit 72, 238, 953
W weighted random early detection
w command 631 (WRED) 536
WADL (Web Application Description WEP (Wired Equivalent Privacy) 102
Language) documents 87 WER (Windows Error Reporting) 853
WAF (web application firewall) 198, 531 Western Digital 476
walkthrough exercises 766 whaling 9, 16–17
WannaCry 34, 37 white box testing 468–469
WAP (Wireless Application Protocol) white hat hackers 121
558, 585 white teams 206
WAPs (wireless access points) 98, 101, white-box testing 80
513, 559 WhiteHat Sentinel 204
war driving 205 whitelisting 578, 583
war flying 205 who command 631–632
war-dialing 13 whoami command 632
warm sites 221 whois 108, 203
waterfall development methodology Wi-Fi
257–258 vulnerabilities and exposures 571
watering hole attacks 20, 85 Wi-Fi ad hoc 584
weak configurations 150–155 Wi-Fi Analyzers 559, 561
weak defaults 346 Wi-Fi direct 584
weak patch management 160–164 Wi-Fi disassociation attack 101
wearables 345 WPA2 (Wi-Fi Protected Access 2)
Web Application Description Language 551
(WADL) documents 87 WPA3 (Wi-Fi Protected Access 3) 551
web application firewall (WAF) 198, 531 WPS (Wi-Fi Protected Setup)
Web Application Proxy 516 558–559
web application scanners 182 Wigle 205
Web form–grabbing keyloggers 43 wildcard certificates 694–695

wuapp.exe 1157
Windows Defender Firewall 457 Wi-Fi Protected Access 3 (WPA3)

Windows Error Reporting (WER) 853 551–552
Windows Event Viewer 791–792, 846 installation considerations
Windows Performance Monitor 540–542 AP isolation 562
Windows Performance tool 539 captive portals 559
Windows PowerShell 630 controller and access point security
WinGate 514 562–563
WinHex 746 firewalls 562
Wired Equivalent Privacy (WEP) 102 heat maps 559
wireless access points (WAPs) 98, 101, IEEE 802.1X standard 562
513, 559 Multi-User Multiple Input
Wireless Application Protocol (WAP) (MU-MIMO) 560–561
558, 585 orthogonal frequency-division
wireless LAN (WLAN) controllers 558 multiple access (OFDMA) 561
wireless networks 547, 557–558 site surveys 559, 561–562
attacks 98, 122 Wi-Fi Analyzer tools 559
bluejacking 100 Wi-Fi Protected Setup (WPS)
bluesnarfing 99–100 558–559
disassociation and deauthentication wireless access point (WAP)
101 placement 559
evil twin 98–99 Wireless Transport Layer Security
initialization vector (IV) 103 (WTLS) 558
jamming 102, 561–562 Wireshark 539, 559, 743
mobile device security WLAN (wireless LAN) controllers 558
countermeasures 580 workstations, hardening 159–160
near-field communication (NFC) WORM (write once read many) device
102–103 789
radio frequency identification worms 36–37
(RFID) 49, 102 WPA2 (Wi-Fi Protected Access 2)
rogue access points 98–99 551
authentication protocols WPA3 (Wi-Fi Protected Access 3) 551
556–557 WPS (Wi-Fi Protected Setup)
cryptographic protocols 551 558–559
Advanced Encryption Standard wrap 77
(AES) 552 write once read many (WORM) devices
Counter-mode/CBC-MAC protocol 789
(CCMP) 552 WSDL (Web Services Description
Simultaneous Authentication of Language) documents 87
Equals (SAE) 551, 552 WTLS (Wireless Transport Layer
summary of 552 Security) 558
Wi-Fi Protected Access 2 (WPA2) wuapp.exe 161
551

1158 X.509 standard
X Y
X.509 standard 694 YOLO (You Only Look Once) 376
X.690 encoding formats 697 YubiKey 297
XaaS (anything as a service) 139, 232
XCCDF (Extensible Configuration Z
Checklist Description Format) 885 Zed Attack Proxy 204
XDR (Extended Detection and Response) zero trust 494
189 zero-day vulnerabilities 149, 275, 276,
Xiao 415 522
XML (Extensible Markup Language) Zigbee 360–361
XML injection 74–75, 273–274 Zimbra 145
XSD (XML Schema Definition) 86 zombies 111–112
XXE (XML External Entity) 74 zones
XSRF (cross-site request forgery) 85–86, high availability across 603, 609
149, 272, 275 zone signing keys (ZSKs) 427
XSS (cross-site scripting) 54, 68–70, 110, zone transfers 109
149, 272, 275, 464, 601 ZSKs (zone signing keys) 427
Xways 850–851 Zune 850–851
X-Ways Software Technology AG 746
XXE (XML External Entity) 75

Sample

Uploaded by

Copyright:

Available Formats

Sample

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sample

Uploaded by

Copyright:

Available Formats

What is the book about?

What is the book about?

What security concepts are discussed in the book?

What security concepts are discussed in the book?

®

A01_Santos_Fm_pi-plii_1.indd 1 01/06/21 2:49 pm

Library of Congress Control Number: 2021935686 Senior Project Editor

For government sales inquiries, please contact

9780136770312_print.indb 2 30/05/21 4:24 pm

Part I: Threats, Attacks, and Vulnerabilities

Part II: Architecture and Design

Part III: Implementation

9780136770312_print.indb 3 30/05/21 4:24 pm

CHAPTER 21 Implementing Secure Mobile Solutions 567

Part IV: Operations and Incident Response

Part V: Governance, Risk, and Compliance

Part VI: Final Preparation

9780136770312_print.indb 4 30/05/21 4:24 pm

Part I: Threats, Attacks, and Vulnerabilities

9780136770312_print.indb 5 30/05/21 4:24 pm

User Security Awareness Education 22

9780136770312_print.indb 6 30/05/21 4:24 pm

Adversarial Artificial Intelligence 50

9780136770312_print.indb 7 30/05/21 4:24 pm

Improper Input Handling 80

9780136770312_print.indb 8 30/05/21 4:24 pm

Domain Name System (DNS) Attacks 107

9780136770312_print.indb 9 30/05/21 4:24 pm

9780136770312_print.indb 10 30/05/21 4:24 pm

Chapter 8 Understanding the Techniques Used in Penetration Testing 193

Part II: Architecture and Design

9780136770312_print.indb 11 30/05/21 4:24 pm

Review Key Topics 224

9780136770312_print.indb 12 30/05/21 4:24 pm

Secure Coding Techniques 261

9780136770312_print.indb 13 30/05/21 4:24 pm

Short Message Service (SMS) 296

9780136770312_print.indb 14 30/05/21 4:24 pm

9780136770312_print.indb 15 30/05/21 4:24 pm

9780136770312_print.indb 16 30/05/21 4:24 pm

Chapter Review Activities 364

9780136770312_print.indb 17 30/05/21 4:24 pm

Chapter 16 Summarizing the Basics of Cryptographic Concepts 391

9780136770312_print.indb 18 30/05/21 4:24 pm

Chapter Review Activities 420

Part III: Implementation

9780136770312_print.indb 19 30/05/21 4:24 pm

Chapter Review Activities 444

9780136770312_print.indb 20 30/05/21 4:24 pm

Secure Coding Practices 468

9780136770312_print.indb 21 30/05/21 4:24 pm

9780136770312_print.indb 22 30/05/21 4:24 pm

9780136770312_print.indb 23 30/05/21 4:24 pm

9780136770312_print.indb 24 30/05/21 4:24 pm

Chapter 22 Applying Cybersecurity Solutions to the Cloud 595

9780136770312_print.indb 25 30/05/21 4:24 pm

9780136770312_print.indb 26 30/05/21 4:24 pm

Rights, Permissions, and Policies 640

9780136770312_print.indb 27 30/05/21 4:24 pm