CySA Plus 001
Uploaded by Adam Bailey

CompTIA Cybersecurity Analyst+

Exam CY0-001

Copyright © 2016 30 Bird Media LLC


CompTIA Cybersecurity Analyst+
• Correctly use fundamental security technology, conduct risk assessments, and identify threats and vulnerable infrastructure
• Recognize common attacks including social engineering, malware, network attacks, and application exploits.
• Plan vulnerability assessments, understand the penetration testing process, and implement vulnerability management programs
• Perform network reconnaissance using passive footprinting, network scans, vulnerability analysis, and packet capture
• Detect and analyze network security threats using output from security appliances, hosts and network devices, and network monitoring tools.
• Understand the role of security frameworks, policies, controls, and procedures in meeting security needs and regulatory compliance requirements.
• Apply network security principles through cryptography, hardening of hosts and networks, and secure application development.
• Recognize threats to identity systems and authentication technologies.
• Respond to security incidents through preparedness, consistent response procedures, and use of appropriate forensics tools.
Chapter 1: Cybersecurity fundamentals
You will learn:
• About security concepts
• About risk management
• How to recognize and classify threats and vulnerabilities

Module A: Security concepts
You will learn:
• About assets and threats
• About security controls
• How to evaluate security events

The CIA triad (diagram)

Risks, threats, and vulnerabilities
• Risk: The chance of harm coming to an asset
• Threat: Anything that can cause harm to an asset
• Vulnerability: Any weakness an asset has against potential threats.


Security standards organizations
• CIS – Center for Internet Security
• IEEE – Institute of Electrical and Electronics Engineers
• IETF – Internet Engineering Task Force
• ISO – International Organization for Standardization
• ISOC – Internet Society
• ITU – International Telecommunication Union
• NIST – National Institute of Standards and Technology
• NSA – National Security Agency
• OWASP – Open Web Application Security Project
• W3C – World Wide Web Consortium

Security controls
• Preventive
– Proactive controls which act to prevent loss
• Detective
– Monitoring controls that detect and/or record
• Corrective
– Follow-up controls used to minimize the harm caused and prevent recurrence
• Deterrent
– Visible controls designed to discourage attack or intrusion

Defense in depth (diagram)


CIS Critical Security Controls for Effective Cyber Defense
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capability
11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises


Events and incidents
• True positive
– Problem occurred and was detected
• True negative
– No problem, and no alert
• False positive
– Alert triggered by benign event
• False negative
– Real problem went undetected


Assessment: Security concepts
A security program alerts you of a failed logon attempt to a secure system. On investigation, you learn the system's normal user accidentally had caps lock turned on. What kind of alert was it?
A. True positive
B. True negative
C. False positive
D. False negative
It was a false positive, since you were alerted of a potential incident but there was no real threat.

Assessment: Security concepts
Your security policy calls for the company's financial data archive to have its confidentiality, integrity, availability, and accountability protected. Presently it's stored on two redundant servers protected by strong passwords and transport encryption. What additional control would achieve your security goals? Choose the best response.
A. A version management system that tracks all user access and revisions
B. Full-disk encryption
C. Regular data backups
D. Two-factor authentication
A – a version management system

Assessment: Security concepts
You work for a contracting company closely aligned with the US federal government. Which organization's publications are likely to be most closely related to your security compliance standards? Choose the best response.
A. CIS
B. NIST
C. NSA
D. W3C
B – NIST

Assessment: Security concepts
Your internal network is protected by a Cisco firewall between the WAN and the internal network. While it's not having any problems, your boss suggests installing a Fortinet firewall between the Cisco firewall and the trusted LAN in order to create a new DMZ. Which security principles does this promote? Choose all that apply.
A. Availability
B. Defense in depth
C. Security by design
D. Security by obscurity
E. Vendor diversity
B – Defense in depth
Module B: Risk management
You will learn:
• How to identify assets and threats
• How to calculate risk
• How to manage risk

Risk assessment
1. Identify assets at risk.
2. Conduct threat assessment for each asset.
3. Analyze business impact for each threat.
4. Determine likelihood of threat doing damage.
5. Prioritize risks by weighing likelihood vs. potential impact.
6. Create risk mitigation strategy.
Identifying assets
• Information and data:
– Customer information
– Intellectual property and trade secrets
– Operational data like financial and security information
– Technical information like security plans and system configurations
• Computing hardware and software
• Business inventory
• Building or other physical facilities
• Cash or other financial assets
• Personnel
• Branding and business reputation
• Business relationships, including partner assets in organization's keeping

Threat assessments
• Environmental accident
• Natural disaster
• Equipment failure
• Supply chain failure
• Human error
• Malicious outsider
• Malicious insider

Impact analysis
• Replacement cost
• Revenue or opportunity loss
• Production loss
• Human costs
• Reputation
• Legal consequences

Threat probability
• MTTF – Mean time to failure
– Used for non-serviceable components
• MTTR – Mean time to repair
• MTBF – Mean time between failures
– Used for serviceable components
• MTBSI – Mean time between service incidents


Qualitative and quantitative assessment
• Quantitative risk assessment assigns an objective value, typically a monetary figure, to each risk based on the probability and impact cost of the associated threat.
• Qualitative risk assessment also begins with the probability and impact cost of each threat, but instead of monetary values it uses human judgment to calculate and assign a priority to the associated risk.

Quantitative risk assessment values
• SLE – Single loss expectancy is the cost of any single loss
• ARO – Annual rate of occurrence is the expected number of times a given loss may occur per year
• ALE – Annual loss expectancy is the expected cost per year from a threat (SLE × ARO).


Qualitative risk assessment

Probability scale (level in parentheses):
• Very unlikely (1): A theoretical possibility that should be accounted for but would be very unusual.
• Unlikely (3): A potential threat that's uncommon but not unheard of.
• Likely (5): A fairly common but not extremely frequent threat.
• Very likely (8): A very common threat that has a high chance of occurring.
• Almost certain (10): A threat that's almost guaranteed to occur sooner rather than later.

Impact scale (level in parentheses):
• Very low (1): The threat can cause almost no damage.
• Low (3): The threat can cause minor but measurable damage.
• Medium (5): The threat can cause real damage with significant recovery cost.
• High (8): The threat can cause serious damage to overall business operations.
• Severe (10): The threat can cause major damage or massive losses to the organization.
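The three preceding slides (threat probability, quantitative values, qualitative scales) fit together in one calculation, shown here as an added example that is not part of the 30 Bird slides. It derives an annual rate of occurrence for equipment failure from MTBF, applies SLE × ARO, compares a control's cost against the ALE it removes, and scores a risk on the qualitative 1 to 10 scales. The decomposition SLE = asset value × exposure factor is the standard textbook form and is not stated on the slide; the A/C unit, its failure figures and the dollar amounts are constructed.

```python
"""Worked risk-assessment calculations (added example, not from the slides)."""

HOURS_PER_YEAR = 365 * 24

# Qualitative levels copied from the slide tables.
PROBABILITY_LEVELS = {"very unlikely": 1, "unlikely": 3, "likely": 5,
                      "very likely": 8, "almost certain": 10}
IMPACT_LEVELS = {"very low": 1, "low": 3, "medium": 5, "high": 8, "severe": 10}


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Fraction of time a serviceable component is up: MTBF / (MTBF + MTTR).
    High MTBF and low MTTR both push this toward 1.0."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def annual_rate_of_occurrence(mtbf_hours: float) -> float:
    """ARO for an equipment-failure threat: expected failures per year given MTBF."""
    return HOURS_PER_YEAR / mtbf_hours


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost per incident).
    Assumption: this decomposition is the usual textbook one, not from the slide."""
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the slide's formula."""
    return sle * aro


def control_is_worthwhile(ale_before: float, ale_after: float,
                          annual_control_cost: float) -> bool:
    """A mitigation pays for itself when the ALE it removes exceeds its yearly cost."""
    return (ale_before - ale_after) > annual_control_cost


def qualitative_risk_score(probability: str, impact: str) -> int:
    """Risk priority = probability level x impact level on the slide's scales."""
    return PROBABILITY_LEVELS[probability] * IMPACT_LEVELS[impact]


if __name__ == "__main__":
    # Constructed scenario: a server-room A/C unit rated MTBF 8760 h, MTTR 24 h,
    # whose failure costs 20% of a $50,000 hardware asset each time it happens.
    aro = annual_rate_of_occurrence(8760)        # 1.0 failure per year
    sle = single_loss_expectancy(50_000, 0.20)   # $10,000 per failure
    ale = annual_loss_expectancy(sle, aro)       # $10,000 per year
    print(f"availability={availability(8760, 24):.4f} ARO={aro} SLE={sle} ALE={ale}")
    # A redundant unit cutting ARO to 0.1 for $3,000/yr removes $9,000/yr of ALE.
    print("redundant unit worthwhile:",
          control_is_worthwhile(ale, annual_loss_expectancy(sle, 0.1), 3000))
    print("qualitative score (likely, high):", qualitative_risk_score("likely", "high"))
```

The cost-benefit test is the point of computing ALE at all: a control whose annual cost exceeds the loss it prevents is risk acceptance with extra steps.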


Qualitative risk assessment (diagram)

Risk management
• Avoidance
– Avoiding risky activities
• Transference
– Sharing risk with others
• Mitigation
– Applying security controls to reduce risk
• Deterrence
– Applying visible controls to discourage others
• Acceptance
– Choosing not to act on risk
• Residual risk
– Remaining risk after management strategy

Mitigation techniques
• Technology controls
• Policies and procedures
• Routine audits
• Incident management
• Change management


Assessment: Risk management
Order the steps of a complete risk assessment.
1. Analyze business impact
2. Conduct a threat assessment
3. Create a mitigation strategy
4. Evaluate threat probability
5. Identify assets at risk
6. Prioritize risks
Answer: 5, 2, 1, 4, 6, 3

Assessment: Risk management
Qualitative risk assessment is generally best suited for tangible assets. True or false?
A. True
B. False
False

Assessment: Risk management
You're shopping for a new A/C unit for your server room, and are comparing manufacturer ratings. Which combination will minimize the time you'll have to go without sufficient cooling? Choose the best response.
A. High MTBF and high MTTR
B. High MTBF and low MTTR
C. Low MTBF and high MTTR
D. Low MTBF and low MTTR
B

Assessment: Risk management
Your company has long maintained an email server, but it's insecure and unreliable. You're considering just outsourcing email to an external company who provides secure cloud-based email services. What risk management strategy are you employing? Choose the best response.
A. Risk acceptance
B. Risk avoidance
C. Risk deterrence
D. Risk mitigation
E. Risk transference
E

Assessment: Risk management
What element of your risk mitigation strategy helps keep future additions to your network from introducing new security vulnerabilities? Choose the best response.
A. Change management
B. Incident management
C. Security audits
D. Technical controls
A
Module C: Threats and vulnerabilities
You will learn:
• How to classify threats
• How to identify vulnerable infrastructure
• About business continuity risks

Threat classification
• Adversarial
• Accidental
• Structural
• Environmental

Attacker qualities
• Intent
• Sophistication
• Resources
• Location
• Relationship
• Target information

Incident impact
• Downtime
• Recovery
• Data integrity
• Other economic costs
• Legal consequences

Vulnerable infrastructure
• Servers
• Endpoints
• Mobile devices
• Network infrastructure
• Network appliances
• Network interconnections
• Specialty networks

Vulnerable data
• PII (Personally identifiable information)
• PHI (Protected health information)
• Payment card information
• Accounting data
• Intellectual property
• Confidential corporate information


Assessment: Threats and vulnerabilities
You've found signs of unauthorized access to a web server, and on further review the attacker exploited a software vulnerability you didn't know about. On contacting the vendor of the server software, you learn that it's a recently discovered vulnerability, but a hotfix is available pending the next software update. What kind of vulnerability did they exploit? Choose the best response.
A. APT
B. Structural
C. Unknown
D. Zero-day
C – Unknown

Assessment: Threats and vulnerabilities
Through your organization you've seen a pattern of attacks of different types: login attempts, malware, phishing emails, application exploits, and so on. None of the individual techniques are that exotic or hard to stop, but they're seemingly endless and most seem to be the work of the same group of attackers. What kind of threat is this? Choose the best response.
A. APT
B. Structural
C. Unknown
D. Zero-day
A – APT

Assessment: Threats and vulnerabilities
For your new security consulting position, you're helping a hospital secure its HR database. It includes employee records such as contact information, employment history, and payment data. What would this information be classified as? Choose the best response.
A. IP
B. PCI
C. PHI
D. PII
D – PII

Assessment: Threats and vulnerabilities
You've been tracking a new form of malware on your network. It seems to primarily work by attacking web browsers when they visit certain external websites. What parts of the network should your analysis focus on? Choose the best response.
A. Endpoints
B. Network appliances
C. SCADA devices
D. Servers
A – Endpoints
Summary: Cybersecurity fundamentals
You should now know:
• About security concepts such as the CIA triad and security controls; how to distinguish between risks, threats, and vulnerabilities; how to apply secure design principles; and how to distinguish events and incidents.
• How to identify assets and threats, and how to calculate and manage risk
• How to classify threats according to source, vector, and impact; and how to recognize vulnerable points of your organization

Chapter 2: Recognizing vulnerabilities
You will learn:
• About common cybersecurity vulnerabilities
• About network vulnerabilities
• About application exploits

Module A: Common vulnerabilities
You will learn:
• About common exploits and attack strategies
• About malware
• How social engineering compromises cybersecurity
• How to recognize common vulnerabilities in hosts and devices
General attack categories
• Unintended or exploitable functions in application software
• Unintended or exploitable functions in operating systems and firmware
• Physical access to computer hardware, network hardware, or media
• Weaknesses in network protocols
• Weaknesses in access control methods
• Human trust and fallibility

Attack goal categories
• Access or steal sensitive information
• Compromise data integrity
• Deny use of services to others (also known as Denial of Service, or simply DoS)
• Run malicious code
• Alter application or system settings
• Disable security controls
• Steal money, goods, or services (including system resources)
• Hurt personal or business reputations
• Endanger human health and safety

Privilege escalation
• Vertical escalation, or elevation, allows a lower privilege user or application to access resources normally reserved for higher privilege users.
• Horizontal escalation allows one user to access resources that normally belong to another user of similar but different privilege, such as accessing another user's personal files or folders.
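The two escalation types on the slide correspond to two separate checks an application has to make on every request: a role check (is this caller allowed to use this class of resource at all?) and an object-level ownership check (is this particular object the caller's?). An application that does only the first is open to horizontal escalation; one that does only the second is open to vertical escalation. The authorization function below is an added example, not code from the slides; the role hierarchy, the resource model and the admin-override policy are constructed for the demonstration.

```python
"""Authorization check closing both escalation paths (added example, not from the slides)."""
from dataclasses import dataclass

# Constructed role hierarchy: higher rank may do everything a lower rank may.
ROLE_RANK = {"user": 1, "manager": 2, "admin": 3}


@dataclass(frozen=True)
class Resource:
    owner: str            # user id that owns the object
    min_role: str         # lowest role allowed to touch this class of object
    shared: bool = False  # True for objects any user of min_role may read


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str


def authorize(actor: Principal, resource: Resource) -> tuple:
    """Return (allowed, reason). Vertical check first, then the horizontal one."""
    # Vertical escalation: a low-privilege role reaching a higher-privilege resource.
    if ROLE_RANK[actor.role] < ROLE_RANK[resource.min_role]:
        return False, "vertical: role too low"
    # Object-level check: role is sufficient, but is this object the caller's?
    if resource.shared or resource.owner == actor.user_id:
        return True, "ok"
    # Constructed policy choice: admins may act on any user's objects.
    if actor.role == "admin":
        return True, "ok: admin override"
    # Horizontal escalation: same privilege level, someone else's object.
    return False, "horizontal: not the owner"


if __name__ == "__main__":
    alice = Principal("alice", "user")
    bob = Principal("bob", "user")
    alice_files = Resource(owner="alice", min_role="user")
    console = Resource(owner="root", min_role="admin")
    print(authorize(alice, alice_files))  # allowed
    print(authorize(bob, alice_files))    # horizontal escalation blocked
    print(authorize(alice, console))      # vertical escalation blocked
```

The ordering matters for logging as much as for correctness: a denial tagged "vertical" or "horizontal" tells the analyst reviewing the logs which kind of probing is going on.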
Privilege escalation strategies
• Accessing a vulnerable application
• Virtual machine escape
• Cross-zone scripting
• Session hijacking
• Jailbreaking or rooting

Unauthorized access
• Easily stolen credentials
• Forged authentication factors
• Code execution, injection attacks
• Stolen and reused transmitted credentials
• Interrupting and exploiting the authentication process
– Session hijacking
– Man-in-the-middle attack
• Physical access to device or network segment

Data exposure
• Data stored in a location that is not protected by AAA systems such as user-based security, or without suitable permissions set
• Data stored in plaintext or protected by weak passwords
• Data transmitted using unsecured or poorly secured protocols
• Data stored on media which can be physically stolen
• Stored data that can easily be copied to removable devices or sent over the network by a malicious user
• Readable data left on retired or discarded devices and media
• Sensitive data placed "out of sight" in insecure locations, such as the source code of a web page

Malware vectors
• Virus
• Trojan horse
• Worm
• Logic bomb
• Direct installation


Malware payloads
• Spyware
• Adware
• Botnets
• Beaconing malware
• Ransomware
• Rootkits
• Retrovirus

Social engineering techniques
• Impersonation
• Befriending (or sometimes antagonizing)
• Security hoaxes
• Shoulder surfing
• Tailgating or piggybacking
• Phishing
• Baiting
• URL hijacking

Phishing variants
• Vishing
• Spear phishing
• Whaling
• Skimming

Common host vulnerabilities
• Unpatched operating systems or other applications
• Weak or missing passwords
• Hardware being left unlocked and unattended
• Inactive or outdated firewall and antivirus software
• User accounts given excessive privileges
• Security policies allowing use of removable drives and other vectors for malware or data theft
• Unnecessary network services
• Insufficient logging and tracking of user activity
• Physical damage or theft
• Unauthorized software

Network appliance vulnerabilities
• Network infrastructure devices such as switches and routers
• Security appliances such as HIDS and firewalls
• Network-attached peripherals such as NAS drives and network printers
• VoIP phones and IP cameras
• Smart TVs and game consoles
• Vehicle computers
• Interactive kiosks
• Networked Internet of Things (IoT) appliances
• Industrial control systems
Assessment: Common vulnerabilities
According to firewall logs, exactly every ten minutes a host on your internal network is attempting to contact a foreign network domain that you've seen associated with criminal activity. What kind of attack is the most likely explanation? Choose the best response.
A. A malware infection on an internal workstation
B. A session hijacking attempt
C. A user responding to a phishing attempt
D. A VM escape attempt
A
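The "exactly every ten minutes" pattern in this question is what the "Beaconing malware" item on the payloads slide looks like in firewall logs, and the detector for it is a good place to apply the true/false positive vocabulary from the "Events and incidents" slide. The code below is an added example, not material from the slides: it groups connections by source and destination, flags series whose inter-arrival times are nearly constant, and then scores the result against investigation-confirmed labels. The log format, every log line and the ground-truth labels are constructed; one of the regular series (an NTP client) is deliberately benign so that the false-positive case appears in the output.

```python
"""Beacon detection over firewall log lines plus TP/FP/TN/FN scoring (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall log, one "<timestamp> <src> -> <dst>" record per line.
LOG = """\
2016-05-01T09:00:00 10.0.0.5 -> evil.example
2016-05-01T09:10:00 10.0.0.5 -> evil.example
2016-05-01T09:20:00 10.0.0.5 -> evil.example
2016-05-01T09:30:00 10.0.0.5 -> evil.example
2016-05-01T09:40:00 10.0.0.5 -> evil.example
2016-05-01T09:01:13 10.0.0.7 -> news.example
2016-05-01T09:04:50 10.0.0.7 -> news.example
2016-05-01T09:31:02 10.0.0.7 -> news.example
2016-05-01T09:00:00 10.0.0.9 -> ntp.example
2016-05-01T09:15:00 10.0.0.9 -> ntp.example
2016-05-01T09:30:00 10.0.0.9 -> ntp.example
2016-05-01T09:45:00 10.0.0.9 -> ntp.example
"""


def parse(log: str) -> dict:
    """Group connection timestamps by (src, dst) pair."""
    series = defaultdict(list)
    for line in log.splitlines():
        ts, src, _, dst = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series


def find_beacons(log: str, min_hits: int = 4, max_jitter: float = 0.1) -> set:
    """Flag pairs whose interval jitter (stdev / mean of the gaps) is at most max_jitter.
    Human browsing has irregular gaps; a scheduled callback has almost none."""
    flagged = set()
    for pair, times in parse(log).items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) / mean(gaps) <= max_jitter:
            flagged.add(pair)
    return flagged


def score(flagged: set, truth: set, universe: set) -> dict:
    """Confusion-matrix counts: truth holds the pairs an investigation confirmed malicious."""
    return {
        "true_positive": len(flagged & truth),
        "false_positive": len(flagged - truth),
        "false_negative": len(truth - flagged),
        "true_negative": len(universe - flagged - truth),
    }


if __name__ == "__main__":
    hits = find_beacons(LOG)
    confirmed = {("10.0.0.5", "evil.example")}   # constructed ground truth
    print(sorted(hits))
    print(score(hits, confirmed, set(parse(LOG))))
```

The NTP client is flagged because it is just as periodic as the implant; the detector cannot tell them apart from timing alone. That is the false positive a tuned rule removes by whitelisting known scheduled services, and it is the trade-off an analyst weighs against the false negatives introduced by raising the jitter threshold.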
Assessment: Common vulnerabilities
You're testing an unknown program on a VM to make sure it isn't malware. Another security analyst suggests disabling the hypervisor's resource sharing features first. What kind of attack is this step meant to discourage? Choose the best response.
A. Privilege escalation
B. Rootkit
C. VM escape
D. VM sprawl
C

Assessment: Common vulnerabilities
You've been tracking unauthorized access to a web application. On examining the source code you find a hidden routine that allows access to any account using the password wrtsglz, regardless of the normal password associated with that account. What kind of vulnerability have you uncovered? Choose the best response.
A. Backdoor
B. Logic bomb
C. Privilege escalation
D. Rootkit
A

Assessment: Common vulnerabilities
In further analysis of the web application you've discovered a hidden combination of commands any authenticated user can use to unlock a management console that gives administrative access to the application. What kind of vulnerability have you uncovered? Choose the best response.
A. Backdoor
B. Logic bomb
C. Privilege escalation
D. Rootkit
C

Assessment: Common vulnerabilities
You overhear the end of a conversation about a recent series of attacks against your organization. Your supervisor says email filters might help but the solution is going to have to rely partly on security awareness training for end users. What kind of vulnerability is most likely being discussed? Choose the best answer.
A. Internet of Things
B. Mobile devices
C. Phishing
D. VM sprawl
C


Module B: Network vulnerabilities
You will learn:
• How to classify network vulnerabilities
• About denial-of-service attacks
• About password and encryption attacks
• About eavesdropping and man-in-the-middle attacks
• About wireless vulnerabilities

Common network attacks
• Probing
• Spoofing
• Redirection
• Denial of Service
• Eavesdropping
• Cracking
• Man-in-the-middle
• Session hijacking

Network probes (diagram)

Other scan techniques
• Spoofing addresses or spreading requests out over time to hide the unusual nature of traffic
• Using ordinary requests in unusual ways, such as only sending TCP SYN or FIN packets instead of normal TCP handshakes
• Sending unusual packets with normally invalid flags or data, such as Xmas tree packets, null packets, or fuzzing input
• Performing other in-depth communication with a given service, in order to detect known vulnerabilities which could be exploited
Traffic redirection
• ARP poisoning
• DNS poisoning
• Hosts file alteration
• Pharming
• Domain hijacking
• VLAN hopping

Denial-of-service attacks
Denial-of-service (or DoS) is any attack, network or not, which primarily targets availability.
• Ping flood
• Xmas or other non-standard packets
• SYN floods
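The scan techniques slide and the DoS slide describe traffic that is recognizable by its TCP flags alone: bare SYNs spread over many ports from one source (a SYN scan), packets with no flags or with FIN+PSH+URG set (null and Xmas packets, which a normal stack never sends), and a host receiving far more SYNs than it ever sees ACKs for (a SYN flood leaving half-open connections). The three detectors below are an added example, not code from the slides; the packet records are constructed summaries of the form (src, dst, dport, flags), and the thresholds are assumptions to be tuned per network.

```python
"""Flag-based scan, malformed-packet and SYN-flood evidence (added example, not from the slides)."""
from collections import Counter, defaultdict

XMAS = {"FIN", "PSH", "URG"}  # the Xmas-tree flag combination

# Constructed capture summary: (src, dst, dport, frozenset of TCP flags)
PACKETS = [
    # 10.0.0.66 probes 20 ports on 10.0.0.10 with bare SYNs (SYN scan)
    *[("10.0.0.66", "10.0.0.10", p, frozenset({"SYN"})) for p in range(1, 21)],
    # a null packet and an Xmas packet from the same prober
    ("10.0.0.66", "10.0.0.10", 80, frozenset()),
    ("10.0.0.66", "10.0.0.10", 443, frozenset({"FIN", "PSH", "URG"})),
    # 200 SYNs to 10.0.0.20:80 from many sources, handshakes never completed
    *[(f"198.51.100.{i % 250}", "10.0.0.20", 80, frozenset({"SYN"})) for i in range(200)],
    # one legitimate client completing a normal handshake and sending data
    ("10.0.0.8", "10.0.0.20", 80, frozenset({"SYN"})),
    ("10.0.0.8", "10.0.0.20", 80, frozenset({"ACK"})),
    ("10.0.0.8", "10.0.0.20", 80, frozenset({"PSH", "ACK"})),
]


def malformed(packets) -> list:
    """Null (no flags) and Xmas (FIN+PSH+URG) packets never occur in normal TCP."""
    return [p for p in packets if p[3] == frozenset() or XMAS <= p[3]]


def syn_scanners(packets, min_ports: int = 10) -> dict:
    """(src, dst) pairs where one source sent bare SYNs to many distinct ports."""
    ports = defaultdict(set)
    for src, dst, dport, flags in packets:
        if flags == {"SYN"}:
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def syn_flood_targets(packets, min_syns: int = 100, max_ack_ratio: float = 0.1) -> dict:
    """Destinations receiving many SYNs with few following ACKs (half-open connections)."""
    syns, acks = Counter(), Counter()
    for src, dst, dport, flags in packets:
        if flags == {"SYN"}:
            syns[dst] += 1
        elif "ACK" in flags:
            acks[dst] += 1
    return {dst: n for dst, n in syns.items()
            if n >= min_syns and acks[dst] / n <= max_ack_ratio}


if __name__ == "__main__":
    print("malformed:", malformed(PACKETS))
    print("scanners:", syn_scanners(PACKETS))
    print("flood targets:", syn_flood_targets(PACKETS))
```

The SYN-to-ACK ratio is what separates the flood from a merely busy server, which is the distinction the later assessment question on slow servers asks for: heavy but legitimate load completes its handshakes.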


DDoS (diagram)

Reflected attacks (diagram)

Cryptographic keys
• For symmetric encryption, NIST recommends at least 112 bits for most purposes, though high security applications should use more
• Asymmetric encryption algorithms require longer keys due to the different mathematics behind them
• If otherwise sound, a cryptographic hashing algorithm has the bit strength of a symmetric key half its size
Man-in-the-middle attacks (diagram)

MitM variants
• Replay attack
• Session replay
• Session hijacking
• Downgrade
• Man-in-the-browser

Wi-Fi encryption vulnerabilities
• The oldest encryption standard, WEP, uses short keys and a flawed IV standard
• Newer WPA and WPA2 standards also have problems
• The Wi-Fi Protected Setup (WPS) feature has a major vulnerability
• Encryption based off a weak password can be cracked, and multiple people can share the same password
• Encrypted Wi-Fi still leaves MAC addresses and general traffic levels visible, enabling limited eavesdropping and spoofing
– It also enables a spoofed disassociation attack that forces a client to disconnect from the network

WAP vulnerabilities
• Many administrators don't properly secure their management interfaces
• An attacker could set up a malicious evil twin of a legitimate WAP
• An inside attacker or careless user can install an unauthorized rogue AP connected to the wired network


Assessment: Network vulnerabilities
You've taken the company Wi-Fi down for maintenance, but your phone still shows a network with the same SSID as available. What kind of attack do you suspect? Choose the best answer.
A. ARP spoofing
B. Denial of Service
C. Evil twin
D. Replay
C

Assessment: Network vulnerabilities
You just found an unexpected configuration change in a router's DHCP server. It now directs all connecting clients to use a non-standard, unauthorized DNS server. What kind of attack do you suspect? Choose the best response.
A. Domain hijacking
B. DNS poisoning
C. Rogue AP
D. Session hijacking
B

Assessment: Network vulnerabilities
Users are reporting a server responding slowly in what sounds like a high network load, but overall traffic to the server isn't high enough to explain the problem. What evidence can you look for in that traffic to find out if it's a network DoS attack? Choose all that apply.
A. Excessive ICMP ping packets
B. Excessive SYN packets
C. Malformed packets
D. Replay packets
E. VLAN hopping
B and C

Assessment: Network vulnerabilities
An attacker remotely stole data from a server using an employee's account. According to the employee, he couldn't have done it: while he did log in that day, he was almost immediately disconnected with a message about unplanned server downtime. Assuming the employee is telling the truth, what kind of attack took place? Choose the best response.
A. DoS
B. Downgrade
C. IP spoofing
D. Session hijacking
D
Module C: Application exploits
You will learn:
• How to classify application vulnerabilities
• About injection attacks
• About client-side attacks

Classifying application exploits
• Header manipulation
• Memory manipulation
• Injection
• Directory traversal
• Arbitrary code execution

Memory vulnerabilities
• Buffer overflow
• Integer overflow
• Memory leak


Injection attacks
SELECT * FROM users WHERE name='Bob' AND password='P@ssw0rd';
SELECT * FROM users WHERE name='Bob' AND password='' OR '1'='1';
SELECT * FROM users WHERE name='Admin' AND password='' OR '1'='1';
SELECT * FROM users WHERE name='' OR '1'='1' AND password='' OR '1'='1';


Other injection targets
• NoSQL injection
• LDAP injection
• XML injection
• Command injection

SQL injection techniques
• Unfiltered escape characters
• Improper input types
• Stacked queries
• Blind injection
• Signature evasion

Secure web applications
• Sanitize input by filtering or substituting dangerous characters that could modify SQL queries
• Validate input by making sure all data is in the expected format before submitting it as a query
• Limit the damage an injection attack can do by restricting the privileges of users and the application
• Restrict end-user error information to the minimum, preventing hackers from using error messages to learn about server vulnerabilities
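The four queries on the "Injection attacks" slide and the first two items on this slide can be run end to end against a real table. The code below is an added example, not from the slides: it builds the login query by string concatenation (the form that produces the slide's second and third queries when the password field contains `' OR '1'='1`), then shows the same lookup with bound parameters, where the driver passes the input as data and the query structure cannot change, plus an allow-list validator for the username. The users table, the account names and the passwords are constructed, and passwords are stored in plaintext only so the slide's queries can be reproduced literally; a real application stores a salted hash and compares against that.

```python
"""The slide's injection queries against a real table, then the parameterized fix (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("Bob", "P@ssw0rd", "user"), ("Admin", "s3cret!", "admin")])
    return conn


def login_vulnerable(conn, name: str, password: str) -> list:
    """Query built by concatenation: user input becomes part of the SQL itself."""
    sql = f"SELECT name, role FROM users WHERE name='{name}' AND password='{password}';"
    return conn.execute(sql).fetchall()


def login_parameterized(conn, name: str, password: str) -> list:
    """Bound parameters: the input is sent as a value, never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name=? AND password=?;"
    return conn.execute(sql, (name, password)).fetchall()


def validate_username(name: str) -> bool:
    """Allow-list validation from the slide: letters and digits only, bounded length."""
    return name.isalnum() and 0 < len(name) <= 32


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("normal login:       ", login_vulnerable(db, "Bob", "P@ssw0rd"))
    print("concatenated query: ", login_vulnerable(db, "Bob", payload))     # every row
    print("parameterized query:", login_parameterized(db, "Bob", payload))  # no rows
    print("username allowed:   ", validate_username(payload))
```

The concatenated version returns every row because the WHERE clause has become `(name='Bob' AND password='') OR '1'='1'`; an application that takes the first returned row as the authenticated user is now logged in as whoever sorts first. Validation is a second layer, not a replacement for parameters: a legitimate name like O'Brien must still be passed safely.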
Client-side attack elements
• Application vulnerabilities
• Browser add-ons
• Cookies
• Attachments

JavaScript attacks could
• Access the site's tracking cookies to steal user information
• Steal session cookies to allow a session hijacking attack
• Read or make arbitrary modifications to the contents of the page the script is running in
• Send HTTP requests to arbitrary destinations
• Access other system resources the user has given the legitimate site permission to use, like webcams, microphones, or local files

XSS techniques
• Stored
• Reflected
• DOM-based
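The server-side defences against the stored and reflected techniques on this slide, and against the "steal session cookies" outcome on the previous one, are output encoding and cookie flags. The code below is an added example, not from the slides: a comment renderer in its raw and encoded forms, and a Set-Cookie header with the HttpOnly flag (which keeps the cookie out of reach of page script), Secure and SameSite. The page template and the sample comment are constructed. DOM-based XSS happens entirely inside the browser's own script and is not addressed by server-side encoding, which is why it survives the developer's sanitization in the later assessment question.

```python
"""Output encoding and session-cookie flags against stored/reflected XSS (added example)."""
import html

# Constructed sample of a stored comment carrying script.
SAMPLE_COMMENT = "<script>alert(document.cookie)</script>"


def render_comment_vulnerable(author: str, body: str) -> str:
    """The 'before' form: raw interpolation, so a stored comment runs as script."""
    return f'<p class="comment"><b>{author}</b>: {body}</p>'


def render_comment(author: str, body: str) -> str:
    """Encode every untrusted value for the HTML text context at output time."""
    return f'<p class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</p>'


def session_cookie_header(session_id: str) -> str:
    """HttpOnly denies document.cookie access; Secure and SameSite limit where it is sent."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/"


def contains_active_content(rendered: str) -> bool:
    """Rough check: does the rendered HTML still contain a live script tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", SAMPLE_COMMENT))
    print(render_comment("mallory", SAMPLE_COMMENT))
    print(session_cookie_header("constructed-session-id"))
```

Encoding at output rather than at input is what makes the defence hold across every path into the page: a value that reached the database through an import script or an older form is still neutralised when it is rendered.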


Assessment: Application exploits
An attack on your web application began with a long string of numbers sent to a field that's only supposed to hold a four-digit variable. What kind of attack was it? Choose the best response.
A. Buffer overflow
B. Integer overflow
C. LDAP injection
D. XSRF
A

Assessment: Application exploits
What application attacks directly target the database programs sitting behind web servers? Choose all that apply.
A. Command injection
B. Cross-site scripting
C. Session hijacking
D. SQL injection
E. XML injection
D and E

Assessment: Application exploits
What application vulnerability can be exploited by providing a series of normal data inputs with a specific sequence and timing? Choose the best response.
A. Buffer overflow
B. Injection
C. Race condition
D. Request forgery
C

Assessment: Application exploits
An IDS sends you an alert with a form input to a web application. When you view the packet, the form input itself reads 1' OR '1'='1. What kind of attack does this most likely indicate? Choose the best response.
A. Buffer overflow
B. Cross-site scripting
C. Injection
D. Integer overflow
C

Assessment: Application exploits
You're hardening your web application against cross-site scripting. The lead developer assures you that with the new input sanitization routines the front-end server won't allow executable scripts to be stored in the database. What kind of XSS attacks might still affect your users? Choose all that apply.
A. DOM based
B. Persistent
C. Reflective
D. XSRF
A and C
Summary:
Recognizing vulnerabilities
You should now know:
 About common cybersecurity vulnerabilities and
attack strategies, including software exploits,
malware, and social engineering
 About network vulnerabilities, including
spoofing, eavesdropping, DoS, cracking, and
wireless attacks
 About application exploits, including injection
attacks, memory vulnerabilities, and client-side
web attacks
Copyright © 2016 30 Bird Media LLC
Chapter 3:
Vulnerability management
You will learn:
 About vulnerability assessment programs,
including vulnerability scans and
penetration tests.
 How to design a vulnerability
management program

Copyright © 2016 30 Bird Media LLC


Module A:
Vulnerability assessment
You will learn:
 About vulnerability testing
 How to perform vulnerability scans
 How to plan a penetration test

Copyright © 2016 30 Bird Media LLC


Vulnerability assessment elements
 Baseline review
 Determining the attack surface
 Reviewing design
 Reviewing controls
 Reviewing procedures

Copyright © 2016 30 Bird Media LLC


Goals of vulnerability scanning
 Missing security controls
 Open ports
 Weak passwords
 Weak encryption
 Misconfigured security controls
 Unsecured data
 Compromised systems
 Exploitable vulnerabilities
 Unpatched systems
Penetration test tools
 Black box test - The tester is given no
knowledge of the system before the test
 White box test - The tester is given full
knowledge of existing security controls,
system configurations, policies, and other
documentation about the system and its
potential vulnerabilities
 Gray box test - The tester is given some
knowledge of the existing security
configuration, but not a complete picture
Penetration testing process
Testing teams
 Red team - The attackers, who perform
reconnaissance on the network, then
attempt to exploit vulnerabilities
 Blue team - The defenders, who secure
assets and monitor the network against
intrusion
 White team - Moderators and referees
who coordinate the exercise and monitor
its results
Planning security exercises
 What is the overall purpose of the exercise?
 How much time and resources are budgeted to the exercise?
 When will the exercise take place?
 How long will the exercise last?
 What targets are included in (or specifically excluded from) the
scope of the exercise?
 What knowledge will the red team have about the target
environment?
 What knowledge will the blue team or other technical staff have
about the exercise?
 What should the red team do if they're noticed in the discovery
or attack process?
 What communication will there be between the teams?
Performing target discovery
1. Gather target information, if it hasn't already been
provided.
– Host names/addresses and network structures
– Active ports and services
– System and application configuration details
– Network security appliances
– Employee names and information, for social engineering
purposes
– Physical facility layout and security controls
2. Analyze vulnerabilities based on gathered information.
– Check against vulnerability databases
– Apply tester knowledge of similar systems
– Verify whether apparent vulnerabilities are mitigated by other
controls or factors.
Exploiting targets
1. Gain access to the vulnerable target to
create a foothold for further actions.
2. Establish persistence, or ways that you
can regain access if you lose it.
3. Escalate privileges to get more control
over the infiltrated system.
4. Pivot to gain access to other systems on
the network you could not view or
access before.
Assessment:
Vulnerability assessment
Your supervisor wants a methodical way to find missing or
misconfigured security controls on your production network,
but it's unfortunately full of critical services fragile enough to
have problems when they receive excessive or non-standard
traffic. This makes it important to use the least intrusive
method possible. Which of the following would you
recommend? Choose the best response.
A. A black box penetration test
B. A credentialed vulnerability scan
C. A non-credentialed vulnerability scan
D. A white box penetration test
B
Assessment:
Vulnerability assessment
You've been charged with conducting a
vulnerability scan. Which of the following actions
are you likely to perform? Choose all that apply.
A. Bypassing security controls
B. Exploiting vulnerabilities
C. Finding open ports
D. Identifying vulnerabilities
E. Passively testing security controls
C, D, E
Assessment:
Vulnerability assessment
While conducting a vulnerability assessment, you're
given a set of documents representing the network's
intended security configuration along with current
network performance data. Which type of review are
you most likely to perform? Choose the best response.
A. Architecture review
B. Baseline review
C. Code review
D. Design review
B
Assessment:
Vulnerability assessment
You're instructed to assist outside penetration
testers by giving them complete documentation on
your network and its configuration. What kind of
test are they performing? Choose the best
response.
A. Black box
B. Black hat
C. White box
D. White hat
C
Assessment:
Vulnerability assessment
Once a third-party penetration test begins, it's
your job to secure the network and stop attacks
before the penetration testers achieve their goal.
What team are you on? Choose the best response.
A. Black team
B. Blue team
C. Red team
D. White team
B
Assessment:
Vulnerability assessment
While conducting a penetration test you've exploited an
application flaw to get temporary access on a proxy server. Part
of your goal is to use that server as a pivot. Which of the
following steps directly achieve that goal? Choose all that apply.
A. Creating a new account you can log in from again
B. Creating a tunnel through the proxy server to the
internal network
C. Establishing administrative credentials
D. Running a network scan from that server
E. Searching through data folders on the server
B and D
Module B: Vulnerability management programs
You will learn:
 About vulnerability management phases
 How to plan vulnerability scans
 How to remediate vulnerabilities after a scan
Vulnerability management phases
1. Identify your security requirements
2. Establish a scanning frequency based on your
requirements
3. Determine vulnerability scanning criteria, and
configure tools that will meet them
4. Perform the scans themselves
5. Generate and review a report based on scan results
6. Remediate the vulnerabilities discovered by the scan
7. Continue with ongoing scans and continuous
monitoring of the network.
FISMA scanning requirements
1. Scan for vulnerabilities in information
systems and hosted applications
2. Employ scanning tools and techniques
3. Analyze scan reports and security
control assessment results
4. Remediate legitimate vulnerabilities
5. Share information discovered during
scans and assessments
Additional control enhancements
 Updating scanning tools and criteria before each scan
 Procedures that can accurately identify the depth and breadth of
coverage
 Determining what information an outside adversary can discover,
and using it in prioritizing vulnerabilities
 Using credentialed scans for more complete vulnerability
discovery
 Performing automated comparisons between scans to determine
longer-term trends
 Reviewing audit logs to discover past exploitation of detected
vulnerabilities
 Correlating output from multiple scans and tools to find more
complex vulnerabilities and attack vectors a single scan would not
reveal
Vulnerability management requirements
 What regulations apply to your
organization?
 What existing corporate policies apply?
 What is your organization's data
classification policy?
 Apart from data, what assets are covered
by the vulnerability management
program?
Establishing scanning frequency
 Determine your risk appetite, the amount of risk your organization is willing to accept
 Determine what regulatory requirements apply to
scanning frequency
 Examine technical constraints that might affect scanning
 Consider the impact scanning will have on overall
organizational workflow
 For additional security, consider performing unscheduled
as well as scheduled scans
 While continuous monitoring of the network is not the
same as vulnerability scanning, it's an important part of
your risk management practices, and the two should be
used in conjunction with each other
Security Content Automation Protocol (SCAP)
 CPE - Common Platform Enumeration
 CCE - Common Configuration Enumeration
 CVE - Common Vulnerabilities and Exposures
 CVSS - Common Vulnerability Scoring System
 OVAL - Open Vulnerability and Assessment Language
 XCCDF - Extensible Configuration Checklist Description Format
Vulnerability reports
 Reports intended for non-technical managers and
executives should minimize jargon and focus on
readability
 Reports intended for technical personnel should include
in-depth description and analysis of each threat
 Change reports should focus on what has changed since
the last scan
 Trend reports should analyze changes over time, such as
new vulnerabilities found, fixes made, and patterns in
risk levels
 You may be able to configure your scanner for
automated distribution of reports
Remediation
1. Prioritizing responses
2. Identifying false positives
3. Identifying any reasons that would make
remediation more difficult.
4. Communicating the nature of the
vulnerability and its remediation
strategy
5. Testing solutions before they are applied
6. Ongoing monitoring
Prioritizing vulnerabilities
 Does the vulnerability really exist?
 How critical are the systems or data
affected?
 How severe is the vulnerability?
 How difficult will it be to correct the
vulnerability?
 What negative consequences might the
remediation have?
Inhibitors to remediation
 Contractual obligations
 Regulatory compliance
 Organizational governance
 Business process interruption
 Degrading functionality
Assessment: Vulnerability management programs
Your manager wants you to plan a vulnerability scanning program using
agent-based credentialed scanning. What does that likely mean,
compared to the alternatives? Choose the best response.
A. It will be easy to set up and maintain, generate a lot of
network traffic, and find many vulnerabilities.
B. It will be easy to set up and maintain, generate little
network traffic, and find many vulnerabilities.
C. It will be hard to set up and maintain, generate little
network traffic, and find many vulnerabilities.
D. It will be hard to set up and maintain, generate little
network traffic, and find few vulnerabilities.
C
Assessment: Vulnerability management programs
Your SCAP-compliant vulnerability feed includes
a long list of uniquely defined vulnerabilities.
Which SCAP component is used to actually
identify each vulnerability? Choose the best
response.
A. CCE
B. CPE
C. CVE
D. OVAL
C
Assessment: Vulnerability management programs
You're asked to generate a vulnerability report
that shows the number and types of
vulnerabilities and fixes you've encountered every
month in the last year. What kind of report would
that be? Choose the best response.
A. Change report
B. Scope report
C. Trend report
D. Workflow report
C
Assessment: Vulnerability management programs
After running a vulnerability scan you learn
that a number of the identified vulnerabilities
don't actually exist on the system. What
should you do? Choose the best response.
A. Mark them as false positives
B. Mark them as false negatives
C. Mark them as low criticality
D. File them as an SLA.
A
Assessment: Vulnerability management programs
Your latest vulnerability scan uncovered a serious and
time-critical vulnerability, but you can't fix it immediately
because the company change management process
mandates a review period before making the necessary
changes. What kind of remediation problem are you
having? Choose the best response.
A. Business process interruption
B. Degrading functionality
C. MOU
D. Organizational governance
D
Summary: Vulnerability management
You should now know:
 About vulnerability assessments, and how
to plan vulnerability scans and penetration
tests
 How to design a vulnerability
management program based on a cycle of
planned scans followed by vulnerability
remediation
Chapter 4: Reconnaissance
You will learn:
 About reconnaissance goals and passive
reconnaissance tools
 How to perform active reconnaissance to
attack or protect a network
 How to analyze vulnerability scan output
Footprinting
 Network structure and addresses
 Hosts and network devices
 Active network services
 Network security systems, such as IDS and
IPS
 Business details, such as locations, contact
information, and organizational structure
 Names and other details about individual
employees
Footprinting techniques
 Passive reconnaissance is anything that
doesn't require direct contact with the
target, or at least does so in a way that won't
reasonably alert security personnel to your
presence
 Active reconnaissance requires direct or
intrusive contact that could raise suspicion if
it's noticed, so you need to proceed more
carefully and plan for defensive
countermeasures
Reconnaissance
 Open-source intelligence
 Social engineering
 Topology discovery
 Service discovery
 OS fingerprinting
 Packet capture
 Log/configuration review
Email harvesting
 Mailing lists
 Web pages or forms
 Online forums such as IRC or Google Groups
 Directory harvesting, or brute force guessing of
common names at a known email server.
 Address books or stored messages in a
compromised computer
 Email addresses in online postings or messages
accessed through any other method
 DNS and WHOIS databases
DNS harvesting
Record code Common name
A Address record
AAAA IPv6 address record
CNAME Canonical name record
MX Mail exchange record
NS Name server record
PTR Pointer record
SOA Start of authority record
SRV Service locator
DNS harvesting methods
 nslookup
 dig
 Zone transfer
 traceroute
nslookup
Command                    Description
nslookup                   Enters interactive mode using the default DNS server.
nslookup - server          Enters interactive mode using a specified server.
nslookup host              Performs a single lookup using the default DNS server.
nslookup host server       Performs a single lookup using a specified server.
nslookup -query=type host  Performs a single lookup with the query type specified, for example AAAA or MX.
Assessment:
Reconnaissance techniques
As a penetration tester you want to get a username and
password for an important server, but lockout and
monitoring systems mean you'll be detected if you try
brute force guessing. What techniques might directly
find the credentials you need? Choose all that apply.
A. DNS harvesting
B. Packet capture
C. Phishing
D. Service discovery
E. Social engineering
B, C, and E
Assessment:
Reconnaissance techniques
For an outside attacker, what
reconnaissance method is much easier on
wireless networks than wired ones? Choose
the best response.
A. DNS harvesting
B. Log review
C. Packet capture
D. Service discovery
C
Assessment:
Reconnaissance techniques
For business reasons, your company isn't at all
secretive about its WHOIS information. What
reconnaissance type does this make easier for
attackers? Choose the best response.
A. OS fingerprinting
B. Packet capture
C. Social engineering
D. Topology discovery
C
Assessment:
Reconnaissance techniques
You're reviewing logs from a DNS server, and
filtered for requests from outside addresses.
Which of the following single query types against
your domain name is most likely to indicate a DNS
harvesting attempt? Choose the best response.
A. AAAA
B. AXFR
C. MX
D. SOA
B
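An added example of the log review this question describes, not part of the course material: a parser for BIND-style query log lines that flags zone transfer requests from anyone except an approved secondary, and external clients that sweep record types against the zone. The log format, the addresses, the internal ranges and the transfer peer are all constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed BIND-style query log lines using RFC 5737 documentation
# addresses; not real log data.
SAMPLE_LOG = """\
client 192.0.2.10#51234 (example.test): query: example.test IN A -E (198.51.100.1)
client 10.0.0.5#40001 (example.test): query: example.test IN AXFR -TE (198.51.100.1)
client 203.0.113.7#33000 (example.test): query: example.test IN MX -E (198.51.100.1)
client 203.0.113.7#33001 (example.test): query: example.test IN AXFR -TE (198.51.100.1)
client 203.0.113.7#33002 (example.test): query: example.test IN ANY -E (198.51.100.1)
this line is not a query log entry
"""

# Constructed policy: internal ranges, and the one secondary name server
# that is allowed to request zone transfers.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
TRANSFER_PEERS = {ip_address("10.0.0.5")}

QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ \((?P<view>[^)]*)\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return (source IP, queried name, query type), or None for non-query lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return ip_address(m.group("src")), m.group("name"), m.group("qtype")


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def find_harvesting(log_text, zone):
    """Report clients whose queries against the zone look like DNS harvesting.

    A zone transfer request (AXFR/IXFR) from anyone but an approved peer is
    reported on its own. An external client that asks for the whole zone via
    ANY, or sweeps three or more record types, is reported as enumeration.
    """
    qtypes_by_client = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        src, name, qtype = parsed
        if name != zone:
            continue
        if qtype in ("AXFR", "IXFR") and src not in TRANSFER_PEERS:
            findings.append((str(src), "zone transfer request from non-peer"))
        if not is_internal(src):
            qtypes_by_client[src].add(qtype)
    for src, qtypes in qtypes_by_client.items():
        if "ANY" in qtypes or len(qtypes) >= 3:
            findings.append((str(src), "record enumeration: " + ",".join(sorted(qtypes))))
    return findings
```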
Module B: Active reconnaissance
You will learn:
 How to perform network scans
 About vulnerability analyzers
 How to perform packet captures
Planning a scan
1. Recognize that your scan will likely be noticed (it might
even disrupt network functions) and that there can be
severe professional or legal consequences for
unauthorized network probes
2. Scan the network to find responsive hosts and network
infrastructure devices
3. Scan for open ports on each live host, in order to find
active network services
4. Scan active services in depth to determine more about
them
5. Analyze for vulnerabilities based on the results of the
scan
6. Update your network map based on your findings
Scanning tools
 Nessus
 OpenVAS
 Nexpose
 MBSA
 Nikto
 BrowserCheck
 ThreatPROTECT
Nmap
Zenmap
Zenmap presets
 Quick scan
 Ping scan
 Intense scan
 Intense scan, no ping
 Intense scan plus UDP
 Slow comprehensive scan
 Quick traceroute
Scanning for vulnerabilities
Packet analyzer uses
 Examining network problems at the packet level
 Finding active services by their traffic
 Viewing overall traffic flow patterns
 Isolating traffic based on source, destination,
protocol, or contents
 Gathering or auditing the security of sensitive
information, such as authentication processes and
encryption
 Verifying the status of network security controls
such as firewalls, filters, and proxies
 Logging network traffic for later use
Packet capture applications
 tcpdump
 Wireshark
 Sniffer
 Aircrack-ng
Wireshark
Assessment: Active reconnaissance
You're mapping a network and looking for
rogue devices and services. Which tool are
you most likely to use? Choose the best
response.
A. MBSA
B. Nessus
C. Nikto
D. Nmap
D
Assessment: Active reconnaissance
When scanning the local subnet with Zenmap you're about to
try an Intense scan, but a coworker suggests you run Intense
scan, no ping instead. If you take that advice, what will the
likely result be? Choose the best response.
A. It will complete faster but probably find fewer hosts and
services.
B. It will complete faster and probably find more hosts and
services.
C. It will take longer but probably find more hosts and
services.
D. It will take longer and probably find fewer hosts and
services.
C
Assessment: Active reconnaissance
What are vulnerability analyzer updates
typically called? Choose the best response.
A. ACLs
B. Rules
C. Plug-ins
D. Signatures
C
Assessment: Active reconnaissance
You think attackers are using packet sniffers on
your Wi-Fi network. The network is using strong
WPA2 encryption, but what can the attackers still
learn without the key? Choose all valid responses.
A. Active applications
B. IP addresses
C. MAC addresses
D. Most active hosts
E. SSIDs
C, D, E
Assessment: Active reconnaissance
You're looking for evidence of an unauthorized
network scan in a Wireshark log. While browsing
past a FIN packet you realize there's just too much
traffic to do this manually, so how can you find out
whether someone performed a FIN scan? Choose
the best response.
A. Apply a capture filter on FIN packets
B. Apply a display filter on FIN packets
C. Follow the TCP stream of that packet
D. Follow the UDP stream of that packet
B
Module C: Analyzing scan results
You will learn:
 How to interpret scan results
 About the Common Vulnerability Scoring
System
 How to identify false positives and
exceptions
 How to reconcile multiple data sources
OpenVAS
CVSS
CVSS metrics
 AV - Attack Vector: how an attacker can access the vulnerability
– P (Physical): requires physical interaction
– L (Local): can be performed by any user with local access
– A (Adjacent): can be performed over the same L2 segment
– N (Network): can be performed over L3 networks
 AC - Attack Complexity: how repeatable the attack is
 PR - Privileges Required: whether system access is needed for the exploit
 UI - User Interaction: whether human interaction is required
 S - Scope: whether the impact goes beyond the vulnerable component
 C - Impact on confidentiality
 I - Impact on integrity
 A - Impact on availability
CVSS temporal scores
 E - Exploit Code Maturity: the current state of attacks against the vulnerability
 RL - Remediation Level: whether there is a way to correct the vulnerability
 RC - Report Confidence: whether the vulnerability's base metrics can be considered accurate
Validating scan results
1. Identify false positives.
2. Identify existing security exceptions.
3. Analyze other data sources, such as related logs
or other scan results.
4. Reconcile differences between conflicting
reports.
5. Compare results to regulatory compliance or
general best practices.
6. Review trends in the threat landscape, and
determine how they may change your priorities.
Managing exceptions
 Exceptions must receive written approval
 Explore compensating controls you can use to reduce risk
 Compliance requirements might restrict exceptions
 Exceptions must be documented
 When you perform a scan, refer to existing exceptions
 Configure the scanner to factor the exception into its reports
 Be careful of known false positives
 Exceptions must be documented in relevant policies and procedures, and in the disaster recovery plan
Evaluating scan results
Assessment:
Analyzing scan results
You researched an authentication system vulnerability last
month, and while it had serious impact in theory, there was
no demonstrated code that could exploit it. Last week a
security researcher demonstrated such code. How will this
affect the vulnerability's CVSS score? Choose the best
response.
A. It will change the Base metrics.
B. It will change the Environmental metrics.
C. It will change the Temporal metrics.
D. It will change all three metrics.
E. It won't change any metrics.
C
Assessment:
Analyzing scan results
After performing a vulnerability scan on a database
server, you manually verify that each reported
vulnerability actually exists on the server. What are
you looking for? Choose the best response.
A. False positives
B. False negatives
C. Both
D. Neither
A
Assessment:
Analyzing scan results
A web server with access to customer PII has a serious
vulnerability which is going to be very time-consuming and
expensive to fix. Fortunately, your company compliance officer
verified that you can configure a WAF as a compensating control
until you replace the server. In the meantime, how can you deal
with the serious vulnerability appearing every time someone
runs a scan? Choose the best response.
A. Mark it as a false positive.
B. Document it as a security exception.
C. Get used to reminding people.
D. Do nothing since the WAF will hide the vulnerability on the
scanner, too.
B
Summary: Reconnaissance
You should now know:
 About environmental reconnaissance goals and
techniques, including passive methods such as
open-source intelligence and DNS harvesting.
 How to perform network reconnaissance using
network mappers, vulnerability scanners, and
packet analyzers.
 How to analyze results from a vulnerability scan
using standard metrics, identify security
exceptions and false positives, and correlate data
from multiple sources.
Chapter 5: Monitoring networks
You will learn:
 About security appliances
 How to use logging tools
 About log analysis
Module A: Network security systems
You will learn:
 About packet filtering
 How to classify and place firewalls
 About IDS and IPS
 About antimalware software
 About honeypots and sinkholes
Packet filtering
Implicit access
 Implicit Deny - Access is denied unless a
rule explicitly allows it. An ACL containing
only explicit allowances is often called a
whitelist.
 Implicit Allow - Access is allowed unless a
rule explicitly denies it. An ACL containing
only explicit denials is called a blacklist.
Creating antispoofing ACLs
 Martian packets with source addresses that would never be
found on a valid packet
– Multicast addresses
– Loopback addresses
– Non-routable reserved or link-local addresses
 Packets with valid source addresses, but arriving on invalid
interfaces
– Local addresses arriving from internet-facing ports
– Public addresses within the organization arriving from internet-facing
ports
– Addresses from internal subnets arriving from ports that cannot reach
that subnet
Note: Reverse path forwarding (RPF) functions on modern routers
allow them to verify that a valid path exists to a given IP address
from a given port.
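An added example, not from the course material, of the antispoofing checks above: a classifier that labels a packet's source address as martian, spoofed, or arriving on an interface that cannot reach it (the case a reverse path forwarding check catches). The interface names, the organization's public block and the internal subnets are constructed assumptions.

```python
import ipaddress

# Source ranges that can never be valid on any interface (the "martian"
# categories on the slide). RFC 1918 space is listed explicitly rather than
# via is_private so the result does not depend on the Python version's
# special-range table.
MARTIAN_NETS = [
    ipaddress.ip_network("0.0.0.0/8"),       # "this" network
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("169.254.0.0/16"),  # link-local
    ipaddress.ip_network("224.0.0.0/4"),     # multicast
    ipaddress.ip_network("240.0.0.0/4"),     # reserved
]
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed topology: eth0 faces the internet, eth1 and eth2 are internal.
# ORG_PUBLIC is a hypothetical public block owned by the organization.
EXTERNAL_IF = "eth0"
ORG_PUBLIC = ipaddress.ip_network("198.51.100.0/24")
REACHABLE_VIA = {
    "eth1": [ipaddress.ip_network("10.1.0.0/16")],
    "eth2": [ipaddress.ip_network("10.2.0.0/16")],
}


def in_any(addr, nets):
    return any(addr in net for net in nets)


def classify_source(src, iface):
    """Label a packet's source address against the antispoofing rules.

    Returns one of:
      "martian"           source can never be valid, on any interface
      "spoofed-internal"  RFC 1918 source arriving from the internet
      "spoofed-public"    our own public block arriving from the internet
      "wrong-interface"   internal source on a port that cannot reach it
      "allow"             passes the antispoofing checks
    """
    addr = ipaddress.ip_address(src)
    if in_any(addr, MARTIAN_NETS):
        return "martian"
    if iface == EXTERNAL_IF:
        if in_any(addr, RFC1918_NETS):
            return "spoofed-internal"
        if addr in ORG_PUBLIC:
            return "spoofed-public"
        return "allow"
    if in_any(addr, REACHABLE_VIA.get(iface, [])):
        return "allow"
    return "wrong-interface"


def filter_packets(packets):
    """Classify (src, iface) pairs and return the ones the ACL would drop."""
    dropped = []
    for src, iface in packets:
        verdict = classify_source(src, iface)
        if verdict != "allow":
            dropped.append((src, iface, verdict))
    return dropped
```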
Stateful filtering
Firewall placement
Firewall types
 Host-based firewall
 Network-based firewall
– Routed firewall
– Virtual wire firewall
– Proxy firewall
DMZ topology
DMZ topology – three-homed firewall
DMZ topology – dual firewall
Firewall vendors
 Most operating systems include host-based firewalls,
like Windows Firewall or iptables for Linux
 Third-party host-based firewalls include Kaspersky
Internet Security, Norton 360, and ZoneAlarm
 Dedicated hardware firewalls are available from
vendors such as Cisco, Palo Alto, and Check Point
 You can create your own network firewall by installing
it onto existing hardware; popular options include
pfSense, Endian Firewall, and IPFire
 Firewalls of varying sophistication are included in most
consumer routers and WAPs, as well as many
combination security appliances.
Intrusion detection and prevention
 Signature-based
 Stateful protocol analysis
 Anomaly-based (or heuristic)
IDS vs IPS
 Intrusion detection systems are
fundamentally passive monitoring systems
designed to keep administrators aware of
malicious activity
 Intrusion protection systems are active
protection systems, and are also known as
intrusion prevention systems or active IDS
Network- and host-based systems
Anti-malware utilities
 Real-time antivirus
 Anti-malware scanner
 Malware removal
 Browser protection
 Anti-spam
 Firewall
 DLP
 Removable device control
 File integrity monitor
Antivirus deployment
 Centralized administration and monitoring
server
 Antivirus hardware appliance or cloud
service
 Network-based scanners
 Posture assessments
 Online scanning
 Redundant systems
EMET
 DEP - Data execution prevention
 ASLR - Address space layout
randomization
 SEHOP - Structured exception handler
overwrite protection
 Certificate trust
Assessment:
Network security systems
ACLs are based on which assumption?
Choose the best response.
A. Explicit Allow
B. Explicit Deny
C. Implicit Allow
D. Implicit Deny
D
Assessment:
Network security systems
You're configuring a router, and want it to
check the properties of incoming traffic before
passing it on. What will this require? Choose
the best response.
A. Configuring ACLs
B. Configuring routing tables
C. Either would have the same effect
D. Only a fully featured firewall can do this
A
Assessment:
Network security systems
What DMZ topology is displayed? Choose
the best response.
A. Bastion Host
B. Dual firewall
C. Three-homed firewall
D. UTM firewall
C
Assessment:
Network security systems
The management interface for your firewall has some
known vulnerabilities, so you're worried that someone
already on the network could log onto the firewall and
change its settings. Which of the following methods
could reduce that threat? Choose the best response.
A. Deploy a sinkhole
B. Switch to in-band management
C. Switch to out-of-band management
D. Switch to stateful filtering
C
Assessment:
Network security systems
You want a system that can recognize and
block an unauthorized network scan. What
option should you use? Choose the best
response.
A. Application layer firewall
B. IDS
C. IPS
D. Stateful firewall
C
Assessment:
Network security systems
You want to take some proactive actions against a new
family of malware that's been spreading around. It has
spyware and botnet functions, and infected computers
connect to external servers. You have a list of the domain
names the malware contacts. What security tool would
help you to recognize that malware on your network?
A. Honeypot
B. IDS
C. Sinkhole
D. WAF
C
Module B: Logging and monitoring
You will learn:
 About host-based monitoring and logging
tools
 About network logging and monitoring
protocols
pfSense
Monitoring tools
 Packet sniffing
 Interface monitor
 Port mirrors
 Top talkers/listeners
 Wireless analyzers
 SNMP management software
 Syslog
 SIEM
 Physical monitors
Resource Monitor in Windows 7
Event Viewer
System logs
 Windows logs
– Application
– Security
– Setup
– System
 Applications and services logs
– Admin
– Operational
– Analytic
– Debug
SNMP system
 Agent
 Manager
 Object identifier (OID)
 Management Information Base (MIB)
SNMP packets
 Get
 Set
 Response
 Trap
NetFlow
 Router or switch interface receiving the
packet
 Source IP address and port
 Destination IP address and port
 Layer 3 protocol
 Class of Service
Syslog
 Header
 Facility
 Severity level
 Message
Syslog severity
Value Severity level
0 Emergency
1 Alert
2 Critical
3 Error
4 Warning
5 Notice
6 Informational
7 Debug
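An added example (not from the course) of decoding the Syslog PRI field into the facility and the severity values in the table, then filtering messages by severity; the sample lines are constructed, and the facility names follow RFC 5424.

```python
import re

# Severity levels from the table (RFC 5424 section 6.2.1) and the standard
# facility codes from the same RFC, both indexed by their numeric value.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Split a PRI value into (facility name, severity name).

    PRI = facility * 8 + severity, so the low three bits carry the severity
    and the remaining bits the facility. Values above 191 are not valid.
    """
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_syslog_line(line):
    """Parse '<PRI>header and message' into a dict, or None if malformed."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity,
            "severity_value": pri & 7, "message": m.group(2)}


def needs_attention(lines, worst_severity="Error"):
    """Return parsed entries at or more urgent than worst_severity.

    A lower numeric value means more urgent, so the default 'Error' (3)
    keeps Emergency through Error and drops Warning and below.
    """
    threshold = SEVERITIES.index(worst_severity)
    kept = []
    for line in lines:
        entry = parse_syslog_line(line)
        if entry is not None and entry["severity_value"] <= threshold:
            kept.append(entry)
    return kept


# Constructed sample messages in RFC 3164 style; not real device output.
SAMPLE_LINES = [
    "<161>Oct 11 22:14:15 edge-rtr1 ifmgr: interface GigabitEthernet0/1 down",
    "<30>Oct 11 22:14:16 srv1 sshd[2211]: Accepted publickey for ops from 10.1.0.4",
    "<34>Oct 11 22:14:17 srv1 sshd[2212]: Failed password for root from 203.0.113.9",
    "<999>bad PRI value",
    "no PRI at all",
]
```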
Network monitoring tools
 MRTG
 RRDtool
 Cacti
 Nagios
 NetFlow Analyzer
Assessment: Monitoring networks
You're checking a host for active network
connections and listening ports. Which of
the following tools would suit your
purposes? Choose the best response.
A. NetFlow Analyzer
B. Netstat
C. SNMP
D. Top
B
Assessment: Monitoring networks
A Linux server is behaving sluggishly and you want to know which process is consuming all the CPU and memory. Which of the following tools would suit your purposes? Choose the best response.
A. Event Viewer
B. Netstat
C. Sysinternals
D. Top
D
Assessment: Monitoring networks
In Event Viewer you're told to look for events
matching the following criteria. “Event ID: 4672;
Task Category: Special Logon; Keywords: Audit
Success”. Which log should you look in first?
Choose the best response.
A. Application
B. Security
C. Setup
D. System
B
Assessment: Monitoring networks
You want to gather statistics about the network
traffic between a particular webserver and its
back end database server. What protocol would
be most useful for that purpose? Choose the
best response.
A. NetFlow
B. Netstat
C. SNMP
D. Syslog
A
Assessment: Monitoring networks
You have a critical server configured as an SNMP
agent, in part so you can tell remotely when one
particularly fragile service on it crashes again.
What kind of PDU should the server immediately
send to the SNMP manager when the service fails?
A. Get
B. Put
C. Response
D. Trap
D
Assessment: Monitoring networks
One of a router's interfaces just failed. When it
reports the event to its Syslog server, what
severity level would indicate it needs immediate
attention, but that the router is not entirely
unusable?
A. Alert
B. Critical
C. Emergency
D. Error
A
Module C: Network analysis
You will learn:
 About analysis and analytics
 How to gather and interpret log data
 About SIEM software and appliances

Point-in-time analysis
 Traffic analysis
 NetFlow analysis
 Protocol analysis
 Packet analysis
 Signature analysis
 Wireless analysis

Data correlation
 Trend analysis
 Anomaly analysis
 Availability analysis
 Heuristic analysis
 Behavioral analytics

Data output
 Firewall logs
 IDS reports
 Packet captures
 Network scan results
 Event logs
 Syslog entries

Interpreting firewall logs
 Source addresses of blocked traffic
 Outbound communications initiated by internal servers
 Probes to ports that aren't running any application
services
 Blocked outbound traffic using ports and destination
associated with spyware or other malware
 Source routed packets that are routed along a sender-
defined path through the network overriding normal
routing protocols
 Unsuccessful logins to the firewall itself, or any other
services the firewall rules are capable of tracking
Analyzing system logs
 Authentication logs are important on nearly any system
 Activities by authenticated users should be reviewed for
accountability purposes
 Proxy and network appliance logs record events
related to network access
 Proxy servers in particular often serve as SSL proxies, so
their logs can be used to examine encrypted traffic a
normal NIDS cannot
 Web server logs can show a variety of web and
application attacks, whether or not an actual HIDS is
configured on the system
SIEM
 Aggregation
 Correlation
 Alerts
 Log retention
 Analysis tools

SIEM solutions
 Agent-based SIEM requires a software
agent to be installed on each logging
device
 Agentless SIEM relies on network traffic
capture or remote access tools and
protocols (such as SNMP) to pull data from
the network

SIEM products
 ArcSight
 QRadar
 Splunk
 AlienVault
 SolarWinds

SIEM applications
 Snort and Suricata for NIDS functions
 OSSEC for HIDS and log analysis
 OpenVAS for vulnerability scanning
 Nagios for network monitoring
 Munin for traffic analysis
 PRADS (Passive Real-time Asset Detection System), to
recognize devices and services on the network via
passively monitoring network traffic
 TCPtrack to monitor TCP communications on a per-
session basis
 FProbe, NFSen, and NFDump to generate, collect, and
analyze NetFlow information
SIEM alarms

Search and filters

Other security apps

Assessment: Network analysis
Which of the following are examples of
point-in-time data analysis? Choose all that
apply.
A. Anomaly analysis
B. Behavioral analysis
C. Packet analysis
D. Traffic Analysis
E. Trend analysis
B, C
Assessment: Network analysis
A normally quiet host has suddenly started to
generate a lot of traffic, but due to the size of the
network it hasn't made much impact on overall
network utilization. What kind of analytics would
most likely highlight it as a potential problem?
Choose the best response.
A. Anomaly analysis
B. Availability analysis
C. Heuristic analysis
D. Traffic analysis
A
Assessment: Network analysis
In the following log entry, what is the destination IP and
port number? Choose the best response.
Sep 3 15:12:20 192.168.99.1 Checkpoint: 3Sep2007 15:11:41 drop 192.168.99.1 >eth8 rule: 134; rule_uid: {11111111-2222-3333-BD17-711F536C7C33}; src: 192.168.99.195; dst: 192.168.56.10; proto: tcp; product: VPN-1 & FireWall-1; service: 3013; s_port: 1352;
A. 192.168.56.10, port 1352
B. 192.168.56.10, port 3013
C. 192.168.99.195, port 1352
D. 192.168.99.195 port 3013
B
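As an added example (not part of the course deck), the following Python parses firewall entries in the Check Point format shown in the question above and applies two of the warning signs from the "Interpreting firewall logs" slide: outbound sessions initiated by internal servers, and probes to ports on which a server runs no service. The internal address range, the list of exposed services and all sample lines are constructed assumptions.

```python
"""Triage firewall log lines for the warning signs listed on the slide.

Added example, not course material. Parses the relayed Check Point line
format from the assessment question; the internal range, the exposed-service
map and the sample lines are assumptions made for this illustration.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.0.0/16")          # assumed internal range
# Assumed: which ports each internal server is expected to serve.
EXPOSED_SERVICES = {"192.168.56.10": {80, 443}}

# "Mmm d HH:MM:SS relay Checkpoint: date time action firewall >iface key: value; ..."
_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<relay>\S+) Checkpoint: "
    r"(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) (?P<fw>\S+) "
    r"(?P<iface>[<>]\S+) (?P<fields>.*)$"
)
_FIELD = re.compile(r"(\w+): ([^;]*);")


def parse_checkpoint(line):
    """Parse one relayed Check Point entry into a flat dict of strings."""
    m = _LINE.match(line)
    if m is None:
        raise ValueError(f"unrecognised firewall line: {line!r}")
    entry = {k: v for k, v in m.groupdict().items() if k != "fields"}
    # "key: value;" pairs; 'service' is the destination port, 's_port' the source port.
    entry.update((k, v.strip()) for k, v in _FIELD.findall(m.group("fields")))
    return entry


def triage(lines):
    """Return the entries matching two of the slide's warning signs."""
    outbound, probes = [], defaultdict(set)
    for e in map(parse_checkpoint, lines):
        dst = ip_address(e["dst"])
        port = int(e["service"])
        # 1. An internal server opening a session to the outside world.
        if (e["action"] == "accept" and e["src"] in EXPOSED_SERVICES
                and dst not in INTERNAL_NET):
            outbound.append((e["src"], e["dst"], port))
        # 2. Blocked connections to a server port that serves nothing.
        if (e["action"] == "drop" and e["dst"] in EXPOSED_SERVICES
                and port not in EXPOSED_SERVICES[e["dst"]]):
            probes[e["src"]].add(port)
    return {
        "server_initiated_outbound": outbound,
        "probes_to_closed_ports": {s: sorted(p) for s, p in probes.items()},
    }


def _line(action, src, dst, port, sport):
    """Build a constructed log line in the page's format (sample data only)."""
    return (f"Sep 3 15:12:20 192.168.99.1 Checkpoint: 3Sep2007 15:11:41 {action} "
            f"192.168.99.1 >eth8 rule: 134; "
            f"rule_uid: {{11111111-2222-3333-BD17-711F536C7C33}}; "
            f"src: {src}; dst: {dst}; proto: tcp; product: VPN-1 & FireWall-1; "
            f"service: {port}; s_port: {sport};")


SAMPLE = [
    _line("drop", "192.168.99.195", "192.168.56.10", 3013, 1352),   # the slide's entry
    _line("accept", "203.0.113.55", "192.168.56.10", 443, 40211),   # ordinary inbound hit
    _line("accept", "192.168.56.10", "203.0.113.7", 443, 51000),    # web server calling out
    _line("drop", "198.51.100.9", "192.168.56.10", 23, 60001),
    _line("drop", "198.51.100.9", "192.168.56.10", 3389, 60002),
    _line("drop", "198.51.100.9", "192.168.56.10", 5900, 60003),
]

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE).items():
        print(kind, hits)
```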
Assessment: Network analysis
You're reviewing a firewall log. Which of the following entries
might merit closer investigation even if they only happen once?
A. An attempted connection to a port with no running services.
B. An internal web server initiating a session with an external
host.
C. An external host initiating a session with an internal web
server.
D. A failed attempt to log into the firewall interface by an
unfamiliar internet address.
E. A successful attempt to log into the firewall interface by an
unfamiliar internet address.
B, E

Summary: Monitoring networks
You should now know:
 About network security systems such as
firewalls, IDS and IPS, anti-malware, and
honeypots
 How to use logging and monitoring tools to
record security-related events, both on
individual hosts and over the network
 About log analysis and analytics, interpreting
data output, and using SIEM software
Chapter 6: Policy design
You will learn:
 About security frameworks and regulatory
compliance
 About security policies
 About controls and procedures

Module A: Security frameworks
You will learn:
 About regulatory compliance
 About common IT policy frameworks

Regulatory compliance
 SOX
 FISMA
 HIPAA
 FERPA
 GLBA
 PCI DSS

Policy frameworks
 NIST
 ISO
 COBIT
 SABSA
 TOGAF
 ITIL

NIST CSF
1. Describe their current cybersecurity
posture.
2. Describe their target state for cybersecurity.
3. Identify and prioritize opportunities for
improvement within the context of a
continuous and repeatable process.
4. Assess progress toward the target state.
5. Communicate among internal and external
stakeholders about cybersecurity risk.

NIST CSF components

TOGAF

ITIL
 Service Strategy
 Service Design
 Service Transition
 Service Operation
 Continual Service Improvement

Assessment: Security frameworks
Your company is developing an application a private
US-based hospital will use to give patients online
access to their medical records. Regardless of what
other data the application handles, what kind of
compliance do you already know you need to
research? Choose the best response.
A. FERPA
B. FISMA
C. HIPAA
D. PCI-DSS
C
Assessment: Security frameworks
Which framework incorporates five core
publications forming a Service Lifecycle?
Choose the best response.
A. COBIT 5
B. ISO 27000
C. ITIL
D. NIST CSF
C

Assessment: Security frameworks
Your company is contracting with a US Federal
agency, and you have to make sure your solutions
are compatible with their policy framework.
Which framework are you most likely to become
familiar with? Choose the best response.
A. COBIT 5
B. ISO 27000
C. NIST 800 series
D. NIST CSF
C
Assessment: Security frameworks
Coming in late to a meeting, you hear that one
new cybersecurity framework under evaluation
bases everything around the Architecture
Development Model. What framework is likely
being discussed? Choose the best response.
A. COBIT 5
B. ITIL
C. ISO 27001
D. TOGAF
D
Module B: Security policies
You will learn:
 How to distinguish policies, controls, and
procedures
 About typical cybersecurity policies

Policies, controls, and procedures
 Policies
 Standards
 Guidelines
 Procedures
 Controls

Policy documents
 Overview
 Scope
 Policy details
 Enforcement and auditing
 Definitions
 Revision history

Typical policies
 Acceptable use policies (AUPs)
 Account management
 Data management
– Data ownership
– Data classification
– Data retention
 Incident response
 Disaster planning and business continuity
 Change management
Acceptable use policies
 Internet
 Company accounts
 Hardware and software
 Mobile devices

Account management policies
 What kinds of accounts are there and what
permissions do they have?
 Who has the authority to create or alter accounts?
 Who is eligible for each kind of account?
 What passwords or other credentials are required
for an account?
 What rights and responsibilities does a user have?
 When are shared accounts permissible?
 When should a single user have multiple accounts
on the same system?
 When should an inactive account be disabled?
Password policies
 What is the minimum (or even maximum) length of a
password?
 How complex must a password be?
 How long may a password be used before it is changed?
 Passwords suspected of being compromised should be
changed immediately.
 What measures will be taken to prevent password reuse?
 Under what circumstances can a password be shared?
 How can passwords be written down or otherwise stored?
 What happens if users forget their passwords?

Data management policies
 Is it a temporary or permanent record?
 Does it represent intellectual property or legal
documentation?
 Is it subject to transparency or privacy laws?
 Might it be subject to legal discovery?
 Does it need to be accessed regularly, or only in
an unlikely event?
 Do any other regulations apply in this case?
 How can it be securely deleted once it is no
longer needed?
Business agreements
 Service-level agreement (SLA)
 Memorandum of understanding (MOU)
 Interconnection security agreement (ISA)

Third-party security concerns
 Onboarding/Offboarding
 Data ownership
 Data sharing
 Data backups
 Security policies
 Privacy considerations
 Review processes

Assessment: Security policies
What policy document generally describes
mutual goals between organizations?
Choose the best response.
A. BPA
B. ISA
C. MOU
D. SLA
C

Assessment: Security policies
You have a document specifying security
software and settings that must be enabled on
every user workstation in your department.
What would the document best be called?
Choose the best response.
A. Guideline
B. Procedure
C. Policy
D. Standard
D
Assessment: Security policies
You're writing a policy document using a rather
minimalist template. What kinds of information
would you put in the "Scope" section? Choose all that
apply.
A. What consequences there are for non-
compliance
B. What risk the policy is meant to reduce
C. What systems and data the policy protects
D. When the policy was last changed
E. Who is affected by the policy
D, E
Assessment: Security policies
While clearing space on an old server, you've
found some files associated with a long inactive
account. What policy would you most importantly
check to find out whether it's appropriate for
them to be deleted? Choose the best response.
A. Account management policy
B. Data classification policy
C. Data ownership policy
D. Data retention policy
D
Module C: Controls and procedures
You will learn:
 About control types
 How to select security controls
 About security procedures
 How to plan defense in depth

Controls by function
 Administrative
 Logical
 Operational
 Physical

Security procedures
 Implementing and configuring logical controls
 Managing the patching process for systems and other
software
 Managing security exceptions
 Developing and deploying compensating controls
where necessary
 Regularly testing the effectiveness of installed
controls
 Continuous monitoring of detective controls and
other network information
 Collecting and retaining evidence of security incidents
Quality control procedures
 Assessment
 Audit
 Evaluation

Capability Maturity Model Integration (CMMI)
1. Initial
2. Managed
3. Defined
4. Quantitatively Managed
5. Optimizing

Planning defense in depth
 Harden hardware, software, and other tools by configuring them securely
 Choose a network structure that makes it difficult for both insiders and
outsiders to easily reach the entire network
 Use administrative and operational controls to ensure secure behaviors
by personnel
 Supplement hardened systems by adding additional technological
controls
 Manually review logs on a regular basis to find evidence of security
incidents that aren't immediately detected
 Use analysis and analytics of security data to find problems that will be
less visible in manual review
 Regularly review security processes, in order to find out what works and
what needs to be improved or discarded
 Seek third party help when your in-house expertise and other resources
might not be enough
Secure procedures
 Separation of duties
 Dual control
 Cross training
 Mandatory vacations
 Succession planning
 Hiring
 Offboarding

Continual improvement

Outsourcing security
 A clear description of exactly what security
measures the third party is obligated to provide
 Assurance that the third party is legally permitted
to handle any sensitive information they will be
accessing
 A statement of legal and financial liability for
potential security breaches
 A process for periodic auditing of compliance with
the agreement
 Legal obligations for both parties when the
contract expires for any reason
Assessment: Controls and procedures
Your company just created the root certificate for its CA.
Its private key won't be needed very often, so it will be
stored in a safe when not needed. What security
procedure could you use to make sure that no single
employee can open the safe and get the key? Choose the
best response.
A. Cross training
B. Dual control
C. Manual review
D. Separation of duties
B
Assessment: Controls and procedures
For regulatory compliance, you're required to use unique user
IDs for all computer access, but there's one critical isolated
system that doesn't actually support user-based access and
must be used by multiple people. What might be a valid
compensatory control? Choose the best response.
A. Enabling system logging on that computer
B. Encrypting all connections from that computer
C. Placing a firewall between that computer and the network
D. Using security cameras and a logbook to track access to
the computer itself
D

Assessment: Controls and procedures
A third-party team is going to formally examine your
organization's overall security practices in order to make
sure they meet regulatory compliance goals. Your
organization may be fined if it fails. What would this
verification process best be called? Choose the best
response.
A. Assessment
B. Audit
C. Certification
D. Evaluation
B
Assessment: Controls and procedures
What order are the steps of the Deming
cycle? Choose the best response.
A. Check, Plan, Act, Do
B. Check, Plan, Do, Act
C. Plan, Do, Check, Act
D. Plan, Check, Do, Act
C

Assessment: Controls and procedures
You're using CMMI as a maturity model for
application development. What maturity level are
you at if you've just established organized testing
and evaluation of security processes and controls
for the application? Choose the best response.
A. Defined
B. Managed
C. Optimizing
D. Quantitatively Managed
D
Summary: Policy design
You should now know:
 About regulatory compliance, and
common frameworks used to establish
secure policies
 About security policies used in typical
organizations.
 About security controls, secure
procedures, and how controls interact to
create defense in depth.
Chapter 7: Secure network design
You will learn:
 How to segment and isolate networks
 About cryptographic controls
 How to harden hosts and devices
 How to design secure applications

Module A: Hardening networks
You will learn:
 How to segment networks securely
 About access control
 About network access control

About secure networks
 Segmentation breaks the larger network into multiple
segments so that a compromise of one part of the network
doesn't compromise the whole thing
 Device hardening secures individual nodes through various
means including hardware and software choice, updates,
device configuration, and authentication systems
 Access control limits what users, devices, and traffic can
access the network itself, or specific resources on the
network
 Secure network protocols protect network data and
connections using authentication and encryption
 User policies and training protect the vulnerable human
element of the network.
Virtual segmentation

System isolation

Jump boxes

Access control
 DAC
 MAC
 Rule-based access control
 Role-based access control
 ABAC

Mandatory access control

Role-based access control

NAC models
 Time-based
 Role-based
 Location-based
 Rule-based

NAC methods
System integration
 Inline
 Out-of-band

Agents
 Permanent or persistent agents
 Dissolvable agents
 Agentless
Assessment: Hardening networks
What's the most essential tool for
segmenting broadcast domains? Choose the
best response.
A. Bridges
B. Routers
C. Switches
D. VLANs
B

Assessment: Hardening networks
You're evaluating NAC solutions. One feature you
need is to make sure that when sales users join the
network remotely they'll automatically be joined to
the Sales network and given access to its resources.
What kind of solution should you look for? Choose
the best response.
A. Agentless
B. Location-based
C. Role-based
D. Rule-based
C
Assessment: Hardening networks
Your secure ICS network is isolated enough to
prevent any direct logins from the main corporate
network, but you want to manage a device on the
ICS network from your own workstation. What
technology can you configure to do so? Choose the
best response.
A. Jump box
B. Mandatory access control
C. Network access control
D. VLAN segmentation
A
Assessment: Hardening networks
You're evaluating a new system that uses
Security Enhanced Linux to handle classified
government information. What kind of access
control model should you expect it to use?
Choose the best response.
A. ABAC
B. DAC
C. MAC
D. RBAC
C
Assessment: Hardening networks
You're helping to evaluate a NAC system for remote access
to a high security network. Client systems should have
their security postures monitored at all times, even when
not connected to the network. When they are connected,
each request to the network will be evaluated to make
sure it conforms with network policies. What kind of
solution would meet these needs?
A. Inline and agentless NAC
B. Inline NAC with a persistent agent
C. Out-of-band NAC with a dissolvable agent
D. Out-of-band NAC with a persistent agent
B
Module B: Cryptography
You will learn:
 About types of cryptography
 How to choose effective cryptographic
algorithms
 How to choose and recognize the use of
secure network protocols

Cryptography
 Transport encryption
 Storage encryption
 Memory encryption

 Symmetric encryption
 Asymmetric encryption
 Cryptographic hashing

Popular encryption algorithms
Symmetric
 AES
 DES
 3DES
 RC4
 Blowfish
Asymmetric
 RSA
 DSA
 ECC
 DH/DHE
Popular hashing algorithms
 MD5
 SHA-1
 SHA-2
 SHA-3
 RIPEMD

Password storage algorithms
 NTLM
 bcrypt
 PBKDF2
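As an added example (not part of the course deck), the following Python shows the kind of salted, iterated hashing the PBKDF2 entry above refers to, using the standard library's PBKDF2-HMAC-SHA256. The iteration count, the record format and the rehash policy are assumptions made for this illustration.

```python
"""Salted, iterated password storage with PBKDF2-HMAC-SHA256.

Added example, not course material. The work factor, the record format
("pbkdf2_sha256$iterations$salt_hex$digest_hex") and the rehash policy are
assumptions chosen for this illustration.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000        # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm, iterations, salt and digest.

    A fresh random salt per user means two users with the same password
    get different records, so a precomputed table cannot match them.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, iterations = bytes.fromhex(salt_hex), int(iterations)
    except ValueError:                  # malformed record: wrong field count or hex
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking where the two digests first differ.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record is malformed or weaker than the current policy.

    Check this after a successful login and re-store the password with
    hash_password() so old accounts are migrated to the stronger setting.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))   # True
    print(verify_password("Correct horse battery staple", stored))   # False
```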

Assessment: Cryptography
What type of cryptography is usually used
for password storage? Choose the best
response.
A. Asymmetric encryption
B. Hashing
C. One-Time Pad
D. Symmetric encryption
B

Assessment: Cryptography
Order the following encryption ciphers from
weakest to strongest.
A. 3DES
B. AES
C. Blowfish
D. DES
D, A, C, B

Assessment: Cryptography
According to NIST, what is the effective
strength of a 168-bit 3DES key? Choose the
best response.
A. 56-bit
B. 80-bit
C. 112-bit
D. 168-bit
B

Assessment: Cryptography
What secure protocols add SSL/TLS security
to protocols which were insecure on their
own? Choose all that apply.
A. FTPS
B. HTTPS
C. SFTP
D. SNMPv3
E. SSH
A, B, D
Assessment: Cryptography
You want to disable use of insecure protocols
over an untrusted network segment. Which TCP
ports might you want to block? Choose all that
apply.
A. 21
B. 22
C. 23
D. 143
E. 443
A, C, D
Module C: Hardening hosts and devices
You will learn:
 About reverse engineering
 How to harden hosts
 How to protect static environments

System hardening
 Secure configuration
 Application control
 Patching
 Account security
 Security software

Group policies

Managing group policies

Security templates

Static environments
 Embedded devices
 Kiosks
 Smart devices
 SCADA/ICS
 Legacy systems

Assessment: Hardening hosts and devices
You've discovered users running an unauthorized
file sharing program. While it does no harm in itself,
it could be used for data exfiltration, digital piracy or
to spread malware. What security technique could
prevent this? Choose the best response.
A. Antimalware
B. Application whitelisting
C. Patching
D. Security templates
B
Assessment: Hardening hosts and devices
What security feature makes it more difficult
for an attacker to trick you into installing a
fraudulent Ethernet driver that reports on your
network activities? Choose the best response.
A. Code signing
B. Firewall
C. HIDS
D. Trusted hardware
A
Assessment: Hardening hosts and devices
You're installing a new web server, and your
coworker is downloading a CIS benchmark for
it. What part of the security process will that
help with? Choose the best response.
A. Patch management
B. Sandboxing
C. Security baselining
D. Source authenticity verification
C
Assessment: Hardening hosts and devices
After some security incidents involving removable
USB drives on Windows systems, you'd like to
disable them on secure systems. What method
could you use to do this? Choose the best
response.
A. Antimalware
B. Application whitelisting
C. Group policies
D. Isolation
C
Assessment: Hardening hosts and devices
Provided they have applications and data of similar
sensitivity, what hardening feature is more
important on a company-issued smartphone than
on a workstation in a secure area? Choose the best
response.
A. Antimalware suite
B. Full disk encryption
C. Host-based firewall
D. Operating system updates
B
Module D: Secure application development
You will learn:
 About software development
 About secure coding principles
 How to review code
 How to test applications

Software assurance
 When buying software from a vendor, examine their
security features, and ask questions about their
approach to secure design
 When coding an application in-house or through a
contractor, ensure that developers are using secure
design principles
 Remember that vulnerabilities don't always lie in
individual software components, but in how they're
configured, integrated, and deployed together
 Ensure that your development and operations
teams work together with stakeholders to pursue a
secure product deployment cycle
Software development models

Secure DevOps practices
 Security automation
 Continuous integration
 Baselining
 Immutable systems
 Infrastructure as code

Program life cycles
 Development
 Compile
 Linking
 Distribution
 Installation
 Load time
 Runtime

Secure coding principles
 Least privilege
 Input validation
 Input sanitization
 Cryptography
 Code commentary
 Data exposure
 Memory management
 Error and exception handling
Input validation
 Improper characters
 Unicode characters
 Improper length
 Improper values
 SQL code
 Browser code

Client-side vs. server-side validation
 Client-side validation uses browser scripts
in the page initially sent by the server
 Server-side validation uses code on the
web application server to validate input
before the rest of the program actually
acts on it
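As an added example (not part of the course deck), the following Python shows server-side validation covering the categories on the "Input validation" slide: improper characters, Unicode compatibility forms, length, value range, and SQL or browser code. It trusts nothing the client sends, since the browser-side checks may have been bypassed; the field rules and the in-memory database are assumptions.

```python
"""Server-side validation of untrusted input.

Added example, not course material. The username allowlist, the quantity
range and the sample SQLite table are assumptions for this illustration.
"""
import html
import re
import sqlite3
import unicodedata

USERNAME = re.compile(r"^[a-z][a-z0-9_]{2,31}$")    # assumed allowlist


class ValidationError(ValueError):
    """Raised for any input that the server refuses to act on."""


def validate_username(raw):
    """Normalise, then accept only the allowlisted shape; reject everything else."""
    if not isinstance(raw, str):
        raise ValidationError("username must be a string")
    # NFKC folds compatibility forms (for example full-width letters) into their
    # ASCII equivalents; anything still outside the allowlist is rejected below.
    text = unicodedata.normalize("NFKC", raw).strip()
    if len(text) > 32:
        raise ValidationError("username too long")
    if not USERNAME.fullmatch(text):
        raise ValidationError("username contains improper characters")
    return text


def validate_quantity(raw, low=1, high=100):
    """Parse a numeric field and enforce its range; non-integers are rejected."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise ValidationError("quantity must be an integer") from None
    if not low <= value <= high:
        raise ValidationError(f"quantity must be between {low} and {high}")
    return value


def render_greeting(username):
    """Escape on output so any browser code that reached us is shown, not run."""
    return f"<p>Hello, {html.escape(username)}</p>"


def lookup_user(conn, raw_username):
    """Validate, then query with a bound parameter instead of string building."""
    name = validate_username(raw_username)
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchone()


def sample_db():
    """Constructed in-memory table used only to exercise lookup_user()."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


if __name__ == "__main__":
    conn = sample_db()
    for candidate in ("alice", "\uff41lice", "<script>alert(1)</script>", "x" * 40):
        try:
            print(candidate[:20], "->", lookup_user(conn, candidate))
        except ValidationError as err:
            print(candidate[:20], "-> rejected:", err)
```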

Application testing
 Static review
 Dynamic analysis
 Vulnerability scanning
 User acceptance testing
 Stress testing
 Model verification
 Security regression testing

Code review methods
Static analysis
 Data flow analysis
 Control flow graph
 Taint analysis
 Lexical analysis

Lightweight code review
 Over-the-shoulder
 Pair programming
 Email pass-around
 Tool-assisted

Fuzzing
 Application fuzzing
 Protocol fuzzing
 File format fuzzing

Interception proxies
 Zed Attack Proxy (ZAP)
 Burp Suite
 Vega

Provisioning
 Network provisioning
 Server provisioning
 User provisioning
 Deprovisioning

Hardening applications
 Harden the underlying host and network
 Securely configure the application
 Thoroughly test the application before
deploying it
 Maintain the deployed application's
security over time

Assessment: Secure application development
You're reviewing a web application. Which of these
features are security warning signs? Choose all that apply.
A. Input errors are logged and clearly displayed to users
in full detail.
B. The web server and database software are on
separate physical servers, both similarly secured.
C. Input validation is performed more rigorously on the
client side than the server side.
D. The HTTPOnly flag is set on session cookies.
E. Secret cookies are used to prevent XSRF attacks.
A, C, E
Assessment: Secure application development
While developing a web application, you're defining
security requirements. Which of the following would
be valid non-functional requirements? Choose all
that apply.
A. Ability to maintain 99.99% uptime
B. An online password reset page
C. Data sanitization following all user input
D. HIPAA-compliant protection of all PHI
E. Protection from web application attacks
A, C, D
Assessment: Secure application development
You're researching a recent XSS attack against a web
application. The developer showed you the JavaScript code
used to sanitize and validate input in the browser; even if
you're not a coder, it seems like it would have prevented the
attack. What is the most likely reason the web application was
vulnerable? Choose the best response.
A. Client-side validation can be easily bypassed.
B. Input validation doesn't reliably protect against XSS attacks.
C. Server-side validation can be easily bypassed.
D. The attacker performed an injection attack to bypass input
validation.
A
Assessment: Secure application development
You've just rebuilt the back end of an application to
boost server performance, and you're ready to test
the new version. What kind of test would discover if
the changes caused any problems with existing
security features? Choose the best response.
A. Protocol Fuzzing
B. Regression test
C. Stress test
D. User acceptance test
B
Assessment: Secure application development
The development team has just created a
control flow graph for a new application. What
stage of development are they in? Choose the
best response.
A. Manual code review
B. Provisioning
C. Security requirements definition
D. Static code analysis
D
Summary: Secure network design
You should now know:
 How to harden networks using segmentation,
access control, and encryption
 About cryptography and how cryptographic
protocols are used in security controls.
 How to harden hosts and devices using reverse
engineering, secure configuration, and
compensating controls
 How to design, review, test, and deploy
applications in a secure manner.
Chapter 8: Identity management
You will learn:
 About identities and authentication
 How to use identity management
standards and protocols.

Module A: Identity systems
You will learn:
 About identities and authentication
vulnerabilities
 How to use multifactor and context-based
authentication
 About single sign-on and federated
identities

About identities
 Information that can be used to identify and
describe that entity in the "real world", such as
PII
 User names, passwords, and other credentials
associated with the identity
 Permissions on individual systems and networks
 Group and role memberships
 Logged activities, preferences, and other
information describing the entity's history within
the system
Identity system vulnerabilities
 Personnel
 Endpoints
 Servers
 Services
 Applications
 Roles
The account life cycle
PKI solutions and vulnerabilities
 If the private key of a certificate falls into the wrong
hands, the certificate no longer proves identity
 A compromised CA, by contrast, can be used to
produce any number of fraudulent certificates
that will pass normal verification
 PKI structures are often very complex, with many
components which can be difficult to securely
configure
 Individual implementations frequently have
vulnerabilities which may not be quickly discovered
or patched
Multifactor authentication
Context-based authentication
 Device
 Time
 Location
 Frequency
 Behavioral
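As an added example that is not part of the course material, a small Python policy check applying the device, time, location and frequency factors listed above, in the spirit of the assessment scenarios (after-hours alert, scripted bursts forcing re-authentication, step-up from a new location). The user, device and location data are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample policy data; not from any real deployment.
KNOWN_DEVICES = {"alice": {"laptop-01"}}
KNOWN_LOCATIONS = {"alice": {"Chicago"}}
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time
RATE_LIMIT = 20                 # requests per minute before re-authentication


@dataclass
class LoginAttempt:
    user: str
    device: str
    location: str
    when: datetime
    requests_last_minute: int = 0


@dataclass
class Decision:
    require_mfa: bool = False       # step up to a second factor
    reauthenticate: bool = False    # force credentials to be re-entered
    alerts: list = field(default_factory=list)


def evaluate(attempt: LoginAttempt) -> Decision:
    """Apply the context factors on top of a successful password check.
    Each factor adjusts the decision; none of them replaces the credential."""
    d = Decision()
    # Device: hardware not seen before for this user is a step-up condition
    if attempt.device not in KNOWN_DEVICES.get(attempt.user, set()):
        d.require_mfa = True
    # Location: the first sign-in from a new place requires a second factor
    if attempt.location not in KNOWN_LOCATIONS.get(attempt.user, set()):
        d.require_mfa = True
    # Time: after-hours logins are permitted but alert the administrator on duty
    if attempt.when.hour not in BUSINESS_HOURS:
        d.alerts.append(f"after-hours login by {attempt.user} at {attempt.when:%H:%M}")
    # Frequency: a scripted burst of requests forces credentials to be re-entered
    if attempt.requests_last_minute > RATE_LIMIT:
        d.reauthenticate = True
    return d


def record_success(attempt: LoginAttempt) -> None:
    """After the second factor succeeds, remember the device and location so
    the same context is not stepped up again next time."""
    KNOWN_DEVICES.setdefault(attempt.user, set()).add(attempt.device)
    KNOWN_LOCATIONS.setdefault(attempt.user, set()).add(attempt.location)
```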
Single sign-on
Federated identities
Assessment: Identity systems
Your company is considering joining an identity federation with several
others providing related services. Which of the following are most likely
true? Choose all that apply.
A. A security compromise by one member can compromise the entire
federation.
B. Since providers never exchange user information, this shouldn't
affect existing user privacy policies.
C. The federation will make it easier to implement single sign-on
between your services.
D. You should consider a trusted third party that certifies all federation
members, depending on the size of individual members.
E. You should consider a trusted third party that certifies all federation
members, depending on the number of members in the federation.
A, C, E
Assessment: Identity systems
You require your users to log on using a user name,
password, and rolling 6-digit code sent to a keyfob
device. They are then allowed computer, network,
and email access. What type of authentication have
you implemented? Choose all that apply.
A. Basic single-factor authentication
B. Context-based authentication
C. Federated identity management
D. Multi-factor authentication
E. Single sign-on
D, E
Assessment: Identity systems
Which of the following are examples of context-based
authentication? Choose all that apply.
A. After hours logins are permitted, but send an alert to the
network administrator on duty.
B. All workstations on the secure network require both
passwords and smart cards for each login.
C. While running an automated script sending repeated network
requests, you're forced to enter your credentials again.
D. You give a mobile app access to your Facebook contact list, but
don't permit it to make posts on your behalf.
E. You must complete a two-factor authentication process the
first time you sign in from a new physical location.
A, C, E
Assessment: Identity systems
You're reviewing an automated password reset system. Which
element of it is the biggest security risk? Choose the best
response.
A. Before users get a new password, they must either enter
the old password or verify their identity by other means.
B. No password hints are displayed to a user who hasn't
authenticated yet.
C. Users can verify their identities by requesting a password
reset link be sent to their primary email address.
D. Users can verify their identities by answering challenge
questions such as their childhood street or mother's
maiden name.
D
Assessment: Identity systems
You've been instructed to implement two-factor
authentication for a secure system. Which of the
following would qualify? Choose all that apply.
A. Password and OTP
B. Smart card and OTP
C. Smart card and fingerprint scan
D. Iris scan and fingerprint scan
E. Password and iris scan
A, C, E
Module B:
Authentication technologies
 About RADIUS and TACACS+
 About directory services
 About popular SSO and identity federation
standards
RADIUS
RADIUS authentication
RADIUS vulnerabilities
 Guessing the shared secret between a
RADIUS client and server allows
compromise of the authentication process
 The MD5 hash used by RADIUS is no
longer cryptographically secure, and so
presents a vulnerability in high security
environments even when the shared
secret is sufficiently long
 Access-Request messages are not
authenticated, and so are easy to spoof
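As an added example that is not part of the course material, Python code that builds and checks the two RADIUS integrity values behind the points above: the RFC 2865 Response Authenticator (plain MD5 with the shared secret appended), and the RFC 2869 Message-Authenticator attribute (HMAC-MD5 keyed with the secret), which is the standard mitigation for Access-Request messages that otherwise carry no authentication. The shared secret and attribute values are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample values; not taken from any real deployment.
SHARED_SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_access_request(ident, request_auth, attrs, secret):
    """Access-Request carrying a Message-Authenticator (RFC 2869, HMAC-MD5).
    A plain RFC 2865 request holds only a random authenticator and no keyed
    integrity check, which is why such requests are easy to spoof."""
    body = encode_attrs(list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    pkt = header + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the 16-byte zero placeholder is the packet tail


def verify_message_authenticator(pkt, secret):
    """Server-side check: reject requests that lack the attribute or whose
    HMAC does not verify under the shared secret."""
    pos = HEADER_LEN
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            return False  # malformed attribute; never loop forever
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            claimed = pkt[pos + 2:pos + 18]
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(claimed, expected)
        pos += alen
    return False


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator per RFC 2865:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(pkt, request_auth, secret):
    """Client-side check of the Response Authenticator. Unkeyed MD5 over the
    packet plus secret is all RFC 2865 offers, which is the weakness noted
    above: anyone who guesses the secret can produce a valid value."""
    header, claimed, body = pkt[:4], pkt[4:HEADER_LEN], pkt[HEADER_LEN:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(claimed, expected)
```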
802.1X
LDAP
 LDAP isn't very useful for SSO in itself, even though it's
commonly used by intranet-based SSO authentication
services
 LDAP is not very secure against eavesdropping, since it's
meant to operate on trusted networks
 Even with TLS, LDAPS has a large attack surface and is
vulnerable to a variety of attacks including injection and
denial of service
 LDAP allows for anonymous, unauthenticated, and
authenticated connections
 LDAP is frequently configured to store passwords in
plaintext, which makes them vulnerable to anyone who
compromises the storage location
Kerberos
Kerberos authentication
SAML
OAuth and OpenID
Summary: Identity management
You should now know:
 About vulnerabilities associated with
identity systems, including the account life
cycle, authentication factors, SSO, and
federated identities
 About common authentication
technologies, including RADIUS, TACACS+,
directory services, Kerberos, SAML, and
OAuth
Chapter 9: Incident response
You will learn:
 About incident response planning
 How to respond to security incidents
 How to assemble a forensic toolkit
Module A:
Incident response planning
You will learn:
 About incident response planning
 How to design an incident response
strategy
 How to plan communication processes
Incident response policies
 Purpose and objectives
 Scope
 Authorities
 Definitions
 Organizational structure
 Prioritization
 Performance metrics
 Reporting and review
Incident response teams
 Leadership
 Technical knowledge
 Security principles
 Human resources
 Legal advisor
 Ethical advisor
 Communications
Communication processes
 Incident reporters such as end users that might
notice something wrong in the first place
 Outside sources of technical assistance, such as
ISPs, hardware and software vendors, or IR
service providers
 Internal stakeholders, such as management,
human resources, marketing, or legal consultants
 External stakeholders, such as customers,
investors, and business partners
 Law enforcement and regulatory agencies
Incident communications
 Prevent inadvertent release of sensitive information
 Follow all regulatory or legislative requirements for
disclosing information – what and with whom
 Communicate with trusted parties in a consistent
and timely manner
 Designate a single primary line of communication
along critical pathways
 Use secure communication methods for all
sensitive information
 Make sure important communications are recorded
for later review
Assessment:
Incident response planning
Which of the following is not true of incident response teams?
Choose the best response.
A. A single spokesperson for the entire incident response team
can help prevent misunderstandings with other parties
B. First responders must have training in both technical issues
and security principles.
C. Human Resources should be involved from the beginning of
any security incident.
D. It's generally a good idea to train a variety of people as
incident responders and assemble teams as needed for
particular incidents.
C
Assessment:
Incident response planning
Which of the following is true for any security incident?
Choose the best response.
A. All parties who are being informed about the
incident should receive identical reports.
B. It's better to report too much about an ongoing
incident than too little
C. Reports to management should include full technical
details of the incident.
D. You should maintain a single line of communication
with a given outside party.
D
Assessment:
Incident response planning
Which of the following is true about working with law
enforcement? Choose the best response.
A. All computer-related crime reports should go directly
to federal agencies.
B. You should notify all relevant law enforcement
agencies about any criminal matter.
C. You should report an incident to only one law
enforcement agency unless otherwise instructed.
D. You should notify law enforcement whenever you
encounter the possibility of criminal activity.
C
Module B:
Incident response procedures
You will learn:
 About the incident response process
 How to recognize incident symptoms
 How to contain and eradicate security
incidents
The incident response process
1. Preparation
2. Identification
3. Containment
4. Investigation
5. Eradication
6. Recovery
7. Follow-up
Identifying incidents
1. Rely on multiple sources for information,
including IDS, administrator review of logs
and monitoring systems, and user reports
2. Examine anything that seems out of the
usual to determine if it requires immediate
action
3. Evaluate the incident's nature
4. Evaluate the incident's scope and severity
5. Escalate the incident appropriately by
communicating your findings to the IRT,
management, and whoever else is relevant
Recognizing host-based incidents
 High levels of processor use or memory consumption can be the
result of a malware infection or unauthorized application
 High levels of disk use could be due to unauthorized files such as
malicious employee data collection or a peer-to-peer file server
 Unauthorized software is a common security incident; it might
either manifest as a constantly running program or service, or as an
application simply installed on a computer by a user
 Security can be compromised when users gain unnecessary
privileges or make unauthorized software or hardware changes,
whether the change was malicious or not
 Data exfiltration attacks, where a malicious user copies sensitive
data, are the most serious host-based incidents; frequently, the
entire goal of attacks is to steal data
Recognizing application-related
incidents
 Introduction of new accounts, especially with
administrative privileges, might indicate unauthorized
intrusion or privilege escalation
 Memory overflow attacks can be used to force an
application to run arbitrary or malicious code, either
in database commands, or directly on the server itself
 Similarly, other service interruptions such as
application crashes or slowdowns might be the result
of an attempted exploit or DoS attack
 Anomalous behaviors by an application can indicate
an ongoing attack or compromised server
Incident containment factors
 The level of damage done to your assets,
including theft of resources
 How critical the affected systems or services
are to your immediate and long-term business
needs
 How much time and labor will be needed to
contain the incident
 How complete the containment strategy is
 What forensic evidence you need to preserve
for later investigation and reporting
Eradicating problems
 Sanitization is the process of repairing
damage within an affected system
 If sanitization will be difficult or if you can't be
certain the damage will be eradicated, then
reconstruct the affected systems
 If affected systems have suffered permanent
damage, or cannot be updated to repair
vulnerabilities, you may need to replace them
 It's essential to make sure that you've totally
eradicated the problem
Change control process
1. Identify and document the reason for change
2. Research and document the steps needed for change,
impacts, and who will be affected
3. Go through your organization's approval process for
the specific change
4. Prepare for the change
a. Gather the resources you need
b. Schedule the change
c. Notify users when you will perform it
5. Implement and test the change
6. Follow up on the change:
• Monitor for negative impacts.
• Change network documentation.
Incident summary report
 Brief overview and summary of the
incident
 Timeline of the incident
 List of personnel involved in the response
 Root cause of the incident
 Detailed list of actions taken
 Remaining vulnerabilities and steps to
prevent recurrence
Lessons learned meeting
1. Choose who to invite to the meeting
2. Collect input from participants about
expectations for the meeting and important
topics to cover
3. Examine the total extent of the incident
4. Review the response process
5. Examine how future incidents can be prevented
6. Draft the meeting's findings into a report, along
with recommendations for future changes
Assessment:
Incident response procedures
Order the steps of the incident response process.
1. Containment
2. Eradication
3. Follow-up
4. Identification
5. Investigation
6. Preparation
7. Recovery
6, 4, 1, 5, 2, 7, 3
Assessment:
Incident response procedures
What kind of symptom are you most likely to
see during a DoS attack? Choose the best
response.
A. Beaconing from a number of hosts on the
network
B. Creation of new user accounts
C. Scan sweeps
D. Unusual spikes in network traffic
D
Assessment:
Incident response procedures
How might you likely discover a data exfiltration
incident? Choose all that apply.
A. Detecting repeated buffer overflows
B. Detecting a ping scan
C. Monitoring memory consumption
D. Monitoring network traffic
E. Reviewing system logs
F. Tracking network outages
D, E
Assessment:
Incident response procedures
You've discovered multiple computers on your
network infected with the same spyware. Which of
the following would be valid short-term containment
options? Choose all that apply.
A. Isolate the affected systems from the network
B. Perform hard drive degaussing
C. Perform system sanitization
D. Reimage the affected systems
E. Shut down the infected systems
A, E
Assessment:
Incident response procedures
After malware was discovered on some workstations, you
instructed some technicians to reimage the systems rather than
bother with sanitizing them. On reflection, you're not entirely
sure the latest images incorporate the critical browser security
updates you just deployed the other day. In which phase of the
recovery process should the technicians make sure those
unrelated updates are applied? Choose the best response.
A. Eradication
B. Lessons learned
C. Validation
D. None: you will need to do this manually
C
Assessment:
Incident response procedures
Which of the following is not true about writing an
incident summary report?
A. It isn't the appropriate place to point out
shortcomings in initial staff response.
B. It should be filed as part of a compiled list of incident
statistics so that you can recognize developing trends.
C. It should contain a detailed list of actions taken
during the response process.
D. It should list any remaining vulnerabilities or steps
that could be taken to prevent recurrence.
A
Module C: Forensic toolkits
You will learn:
 About digital forensics
 How to preserve forensic evidence
Legal evidence categories
 Testimony
 Real evidence
 Circumstantial evidence
 Demonstrative evidence
 Digital evidence
Collecting evidence
1. Secure physical and remote access
2. Classify available evidence according to
order of volatility
3. Capture evidence using relevant tools
4. Take hashes of all collected digital data
5. Analyze collected data for relevance
6. Assemble your findings into a report
Forensics kit elements
 Digital forensics workstation
 Media and connectors
 Cameras
 Barricade tape
 Tamper-proof seals
 Documentation and forms
Offline password cracks
 Brute force attacks try all possible
passwords in sequence.
 Dictionary attacks try passwords based on
a list of likely possibilities
 Hash attacks use precomputed tables
containing known hash values with their
corresponding passwords
Autopsy
Assessment: Forensic toolkits
What is eDiscovery? Choose the best response.
A. A process for identifying security incidents.
B. A process for sharing electronic forensic
data.
C. A standard for forensic backup software.
D. A software application used to track
security incidents.
B
Assessment: Forensic toolkits
Why is it important to record a time offset when
collecting evidence? Choose the best response.
A. To compensate for logging systems that
don't record precise times
B. To compensate for time differences between
multiple systems
C. To document the precise order of events
D. To document the precise timing of events
B
Assessment: Forensic toolkits
As part of a forensic investigation, you need
to analyze files on a USB drive. What tool
might be especially useful? Choose the best
response.
A. Log viewer
B. Password cracker
C. Process analysis
D. Write blocker
D
Assessment: Forensic toolkits
You want to take a complete forensic image
of a hard drive. Which tool might best suit
your needs? Choose the best response.
A. Cellebrite
B. dd
C. John the Ripper
D. MD5
B
Assessment: Forensic toolkits
After a security incident you rush to take a
screenshot of a telltale running process before
you leisurely take a backup of suspicious files on
the hard drive. What forensic principle are you
exercising? Choose the best response.
A. Audit trail
B. Chain of custody
C. eDiscovery
D. Order of volatility
D
Summary: Incident response
You should now know:
 How to plan for security incidents by
assembling a team, training them, and
developing effective lines of communication
 How to respond to a security incident by
identifying the problem, containing the
incident, recovering securely, and following up
on what you've learned from the process.
 About forensic evidence and how to collect
and preserve it.