Security+ SUCCESS SECRETS
Take exam within 3 weeks of this Friday!
Optimal if exam taken within 10 days
Did you take A+ & Network+?
Most students need 20-40 MORE hours of studying after Friday
On Friday I will ask you how many more hours you need
Challenges: Not enough time, passing score 750 on the 100-900 scale (81.25% of the range), exhibits
Poor test banks in back of books
Extra (optional): buy the hands-on labs from the comptia.org store. Handout 2 should help you decide.
Extra (optional): buy the exam simulator from comptia.org and/or use securitytutoring.com
securitytutoring.com, free for 10 days
OWASP.org
https://www.comptia.org/certifications/security
https://www.securitytutoring.com/
https://www.encryptionconsulting.com/certificate-authority-and-hierarchy/
Patrick_Fuller@learningtree.me
703-408-6828
HOMEWORK: Study handouts 1 & 2, port numbers, create comptia account, pearsonvue.com
CHEAT SHEET
Follow policy & procedures
Life first
Loss of life
Disgruntled employee
Resource = has IP Address
Hashing is not reversible; encryption is reversible
How are passwords stored in a system? As a (salted) hash
8 bits = 1 byte = 1 octet
Hash = Integrity
HMAC = Auth + Integrity, NO non-repudiation (both sides share the key/password) - FAST
DIG SIG = Auth + Integrity + Non-repudiation (signer's private key, no shared password) - SLOW
What is the only cipher that is deemed unbreakable? OTP (One-time pad)
What does BitLocker use for encryption? AES; the TPM (Trusted Platform Module) protects the volume key
Is TPM better than HSM? An HSM (Hardware Security Module) you can take with you; a TPM is soldered to your motherboard
What does the TPM hold? Storage Root Key (SRK)
There is a signature in your certificate.
What does PKI give you? Confidentiality, Integrity, Authentication
What does SSH give you? Confidentiality, Integrity, Authentication
What does HTTPS give you? Confidentiality, Integrity, Authentication
What is a wildcard certificate? *.example.com - one cert covers every single-level subdomain (www., mail.), not the bare domain and not deeper levels
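Worked check for the wildcard answer above. This is an added example for these notes, not code from the course handout; the example.com hostnames are illustrative, and the rules it applies are the ones browsers use (RFC 6125 section 6.4.3): the wildcard must be the whole leftmost label and it matches exactly one label.

```python
from typing import List, Tuple


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Return True when a certificate name (e.g. '*.example.com') covers hostname.

    Rules applied (RFC 6125 section 6.4.3 style):
      - the wildcard must be the entire leftmost label ('*.example.com', not 'w*.example.com');
      - it matches exactly ONE label: 'www.example.com' yes, 'a.b.example.com' no;
      - the bare domain 'example.com' is NOT covered;
      - a wildcard directly under a top-level domain ('*.com') is refused.
    Names are compared case-insensitively; a trailing dot is ignored.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    c_labels = cert_name.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the whole leftmost label, with at least two labels after it.
    if c_labels[0] != "*" or len(c_labels) < 3 or any("*" in lab for lab in c_labels[1:]):
        return False
    # '*' consumes exactly one non-empty label, so the label counts must be equal.
    if len(h_labels) != len(c_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == c_labels[1:]


def covered_hosts(cert_name: str, hosts: List[str]) -> Tuple[List[str], List[str]]:
    """Split hostnames into (covered, not_covered) for one certificate name."""
    covered = [h for h in hosts if wildcard_matches(cert_name, h)]
    missing = [h for h in hosts if not wildcard_matches(cert_name, h)]
    return covered, missing


if __name__ == "__main__":
    # Constructed hostnames for the demo.
    hosts = ["www.example.com", "example.com", "dev.api.example.com"]
    print(covered_hosts("*.example.com", hosts))
```

Exam takeaway the code enforces: a single wildcard cert does not cover the apex domain or a second level of subdomains; those need a separate SAN entry.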
What is the last step in the incident response process?
Lessons learned, documentation, follow-ups
What is a SOC Report?
Who needs them?
Most detailed, least detailed, public report?
SE = Social Engineering
How to stop (almost) all web-app attacks? Input validation (character sanitization, allow-lists)
EAP is an authentication framework
Vulnerability = weakness; Exploit = the code/technique that takes advantage of it
Threat = someone or something (usually a human threat actor) that could exploit the vulnerability
Exception - Temporary deviation
Exemption - Permanent deviation
Saying ...
Following policy & procedures
Firewalls have rules, routers have ACL's
ACL = Access Control List. Administrator config file
Flaring = Blinding a camera with a laser
Pop Quiz: Controls
1. Management
2. Operational
3. Operational
4. Technical
Domain 1: Match the items to the Topics
Always verify - ZTNA
Penetration test - Management
When patch no longer available - Gap analysis
Reporting suspicious behavior - Operational
Performing an audit - Detective
Protecting cables - STP (Shielded twisted pair)
Using a unique or secret phrase - Honeytoken
May delay patching - Application restart
Domain 5: Match the items to the Topics
Likelihood x Impact - Heat Map
Specifying permissions - Authorization
Longest SDLC phase - Maintenance
Before eradication - Contain
Performs backups - Custodian
Detailed instructions - Playbook
Does not specify exact solution - Standards
Tracking Risk - Risk Register
Domain 2: Match the Items to the Topic
Fake AP - Evil Twin
Target breach - Supply chain
defenseless - Embedded System
Distributed Denial of Service - C2
../../../../../ - Traversal
Discovered via malvertising - Malicious Update
iOS unapproved - Jailbreak
Found USB - Keylogger
Domain 6: Match the Items to the Topics
WAN Security - SASE
No Sex, Gambling, Anarchy - DNS filter
Hard to see, not encrypted - obfuscation
Scalable cloud apps - Containers
Least secure VPN - Split tunnel
IaC - SDN
Access to a strict area - Jumpbox
More than a UTM - NGFW
IPS - Inline
Secure access by 802.1x - VLAN
Pop Quiz
BBQ sauce product recipe - Trade secret
Your name and address - PII
Company logo - TM (trademark)
Binary data with health records - PHI
Pop Quiz: Connection Protocol
1. At a high-security organization, it is desired to implement turnstile security
2. A requirement is that a mobile device be possessed by an individual that broadcasts a signal to per
3. Which protocol should be used? NFC
Domain 4: Match the Items to the Topics
Traffic collection - Netflow
Standards, guidelines, and best practices - NIST CSF
Centralized - RADIUS
Compensating - Reducing/lessening damage
Reads code - Static scanner
Audit method - interview
HTTPS only - Secure cookie
Paid to hack - Bug Bounty
Pop Quiz: Multi-Factor Authentication
How many factors?
1. One factor
2. One factor
3. One factor
4. 2 factor
Pop Quiz: Automation
1. Guardrail
2. Technical debt
Domain 4: Match the Items to the Topics
Saving code changes frequently - Continuous integration
Email and DNS - SPF (Sender Policy Framework)
Opposite of MAC - Discretionary
Follows eradication - Recovery
A rogue user created - IoC
Authorized when needed - JIT Permissions
Automated ticketing - SOAR
Authorized app - OAuth2
AUTHENTICATION SERVERS
Kerberos (best for internal SSO) - tickets; needs time sync
AAA = Authentication > Authorization > Accounting/Auditing
Ticket > Service: TGT (from the authentication server) > TGS (ticket-granting service issues the service ticket)
RADIUS - AAA, UDP; certs when used with EAP-TLS
Diameter - improved successor to RADIUS (TCP/SCTP, reliable)
Biometric error rates (see AUTHENTICATION below): FRR, FAR, CER
SYMMETRIC
Static key, same key on both ends
Super fast
Key = password (shared secret)
Problem: Key distribution
Gives: Confidentiality only
Private (secret) key only
Mnemonic 3-2-B-R-A-I-D-S:
3DES
2FISH (Twofish)
Blowfish
RC4 (stream cipher, broken)
IDEA
AES = Rijndael, block 128, key 128/192/256
DES (56-bit key, broken)
Serpent
IV (Initialization Vector) = random starting value so identical plaintext blocks do not produce identical ciphertext
FIREWALL
Filter > decisions > rules
WAF (input validation for web apps, Layer 7)
Stateless packet inspection - looks at the current packet only
Stateful packet inspection - tracks the connection (previous and current packets)
Application proxy - best (most thorough) firewall, slowest
NGFW - DPI (Deep Packet Inspection)
UTM (Unified Threat Management) - everything in one box, very simple
NAT (Network Address Translation) - translates private, non-routable (RFC 1918) addresses to a public IP
ASYMMETRIC
Key pair (public/private)
Very slow
Solves the symmetric key-exchange problem
Problem: MITM on an unauthenticated exchange (solved with certificates/PKI)
Mnemonic D-E-E-R:
Diffie-Hellman
ElGamal
ECC - smart cards/mobile, low overhead (small keys)
RSA - 2 large prime numbers
Security Controls
Types: Technical, Administrative (management), Operational
Categories:
Detective: lights (motion-activated), cameras, logs, IDS
Preventive: Firewall, door access control
Corrective: Backups, redundant servers, cross training, patching
Deterrent: Clean desk policy, guards, warning signs
Compensating: Fire extinguishers (a substitute when the primary control is not possible)
Directive: policy
KEY EXCHANGE
Mnemonic D-E-E-R-I-O-D-E:
Diffie-Hellman
ElGamal
ECC - smart cards, low overhead
RSA - 2 prime numbers
IKE = key exchange for IPsec
OOB (out-of-band)
DHE (ephemeral DH, forward secrecy)
ECDHE
Salt (hashing, not key exchange) = random value added to each password before hashing; defeats rainbow tables
PII = Personally Identifiable Information
PCI-DSS = credit cards
PHI = Protected Health Information
HIPAA = US medical
GLBA = financial
GDPR = strictest of all, EU
PIPEDA = Canadian
HASH
Integrity
Detects changes (any change to the input changes the digest)
Passwords = hash (salted: a random salt per password)
Rainbow tables = precomputed table of hash -> password; defeated by a salt
Collision = two different inputs, same hash (MD5 and SHA-1 are broken this way)
Mnemonic "Mr SH" or "SHRM":
MD5 (128-bit, broken)
RIPEMD
HAVAL
SHA-0
SHA-1 (160-bit, deprecated)
SHA-2 (SHA-256/384/512)
SHA-3
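Worked example for the hash, salt, rainbow-table and HMAC points above and for the cheat-sheet lines on HMAC vs digital signature. Added here for the notes, not code from the course; it uses only the Python standard library. The message, the three-entry "rainbow table" and the shared key are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample message for this example (not from the course notes).
DOCUMENT = b"Transfer $100 to account 1234"
# Hypothetical shared key for the HMAC part (assumption for the demo).
SHARED_KEY = b"demo-shared-secret"
PBKDF2_ROUNDS = 100_000


def sha256_hex(data: bytes) -> str:
    """Hash = integrity: the digest is a fixed-size fingerprint of the input."""
    return hashlib.sha256(data).hexdigest()


def detects_change(original: bytes, received: bytes) -> bool:
    """True when the received copy no longer matches the digest of the original."""
    return sha256_hex(original) != sha256_hex(received)


# Rainbow table: a precomputed hash -> password list for common passwords.
# Constructed here with three entries; real tables hold billions.
RAINBOW_TABLE = {sha256_hex(p.encode()): p for p in ("password", "123456", "letmein")}


def rainbow_lookup(stored_hash_hex: str) -> Optional[str]:
    """Reverse an UNSALTED hash by table lookup. Returns None when not found."""
    return RAINBOW_TABLE.get(stored_hash_hex)


def store_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a password the right way: random per-user salt + slow iterated hash.
    Returns (salt, derived_key); the salt is stored next to the hash in clear."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, derived


def verify_password(password: str, salt: bytes, derived: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, derived)


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC = authentication + integrity under a SHARED key. Fast (symmetric).
    No non-repudiation: the verifier holds the same key and could have made the tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison avoids leaking how many bytes matched."""
    return hmac.compare_digest(hmac_tag(key, message), tag)


if __name__ == "__main__":
    tampered = DOCUMENT.replace(b"$100", b"$900")
    print("change detected:", detects_change(DOCUMENT, tampered))
    print("unsalted 'password' reversed:", rainbow_lookup(sha256_hex(b"password")))
    salt, dk = store_password("password")
    print("salted hash in rainbow table:", rainbow_lookup(dk.hex()))
    print("login ok:", verify_password("password", salt, dk))
    tag = hmac_tag(SHARED_KEY, DOCUMENT)
    print("tag verifies:", hmac_verify(SHARED_KEY, DOCUMENT, tag))
    print("tampered verifies:", hmac_verify(SHARED_KEY, tampered, tag))
```

Two things the notes state that the code makes concrete: the same password stored twice gets two different salted hashes, so a precomputed table is useless against it, and an HMAC tag fails with a different key or a changed message but can never prove which of the two key holders produced it (that is why non-repudiation needs a digital signature).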
IDS
WIPS
NIDS
HIDS
PKI
Manages public keys & certificates
CA = Certificate Authority = root of trust, a trusted third party
RA = Registration Authority (verifies identity before the CA issues the cert)
Recovery Agent = separate role that can recover escrowed keys (do not confuse with RA)
Key escrow = a trusted third party holds a copy of private keys; it is "the password to everything", so it must be tightly controlled
What is the world standard? X.509 v3
CRL = Certificate Revocation List
OCSP = Online Certificate Status Protocol
Whose sig is in your cert? The issuing CA's (e.g. GoDaddy, Verisign), or your own if self-signed
sig = hash of the data encrypted with the signer's private key
sig = non-repudiation = Authentication + integrity
Non-repudiation = can't deny
Q) When do I use a Sig vs a Cert?
SIG = documents, software, non-repudiation (Auth + Int)
Cert = devices, servers; binds an identity to a public key, like an electronic driver's license/passport
Cert = Conf + I + Auth
IPS
WIPS
NIPS
HIPS
PROTOCOL/SERVICE - PORT# (transport)
See page 5-45, 310
Study tonight
FTP - TCP 21 (control) / 20 (data)
RADIUS - UDP 1812 (auth) / 1813 (accounting)
DNS - TCP & UDP 53
HTTP - TCP 80
HTTPS - TCP 443
SMB - TCP 445 (plus 135 RPC, 139 NetBIOS session)
LDAP - TCP 389
RDP - TCP 3389
SSH - TCP 22
SFTP - TCP 22 (runs over SSH)
SCP - TCP 22 (runs over SSH)
DHCP - UDP 67 (server) & UDP 68 (client)
TFTP - UDP 69
FTPS - TCP 990 (implicit; explicit FTPS uses 21)
Telnet - TCP 23
IKE (key exchange for IPsec) - UDP 500 (UDP 4500 with NAT-T)
IPsec ESP (Encapsulating Security Payload) - IP protocol 50 (not a port)
IPsec AH (Authentication Header) - IP protocol 51 (not a port)
IMAP - TCP 143; IMAPS - TCP 993
POP3 - TCP 110; POP3S - TCP 995
SMTP - TCP 25 (587 submission, 465 SMTPS)
Microsoft SQL Server - TCP 1433 (UDP 1434 browser service)
NetBIOS - UDP 137 (name) / UDP 138 (datagram), TCP 139 (session)
Syslog - UDP 514
SNMP - UDP 161 (agent) / UDP 162 (trap)
NTP - UDP 123
LDAPS - TCP 636
LEGAL/CONTRACTS
Due care = acting as a reasonable, careful person would
Due diligence = investigating/verifying so you can demonstrate due care
ROE - Rules of Engagement (pen test scope)
MSA - Master Service Agreement
BPA - Business Partnership Agreement
EULA - End User License Agreement
NDA - Non-Disclosure Agreement
AUP - Acceptable Use Policy
SLA - Service Level Agreement
SOP = Standard Operating Procedures = step by step
SOW = Statement of Work
MOU - Memorandum of Understanding (informal)
MOA - Memorandum of Agreement (more formal)
Page 330
Copyright
Trademark
Patent
IEEE 802
802.3 = Ethernet (cable)
802.11 = Wi-Fi
802.1D = STP (Spanning Tree Protocol) = prevents switching loops; Availability
802.1X = port-based network access control (switch/WLAN)
802.1Q = VLAN tagging
7-LAYER OSI
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical
CIA MODEL CONT.
C-onfidentiality - Threat: eavesdropping - Solution: encrypt
I-ntegrity - Threat: spoofing, changed data - Solution: hashing, digital signature
A-vailability - Threat: DoS/DDoS - Solution: redundant, resilient, patching
OSI CONT.
Q) Best layer for protection?
6 Presentation - represents (formats/encrypts data)
5 Session - syncs (sets up and tears down sessions)
4 Transport - TCP = connection-oriented, UDP = connectionless (ICMP itself is Layer 3)
3 Network - packets, routers, IP addresses, subnetting, IPsec
2 Data Link - frames (Ethernet), switches, VLANs, MAC addresses
1 Physical - bits, cable, hubs/concentrators/repeaters
FORENSICS
Stego = Hiding a message in a picture
Chain of custody
OOV - Order of Volatility (collect the most volatile first: RAM, then disk, then backups)
Evidence: use a write blocker
ACCESS CONTROL
RBAC = Rule-based Access Control (firewall rules)
RBAC = Role-based Access Control
DAC = weakest (owner decides)
MAC = military, labels
ABAC = Attribute-based Access Control
POLICIES, STANDARDS, PROCEDURES
Page 102
Policy = Higher-level goals
Standard = are ways of achieving a policy goal
Procedures detailed and related to a specific solution
Guidelines = recommended, not required
RISK MITIGATION/RESPONSE
- MAATD mnemonic: Make An Assessed Timely Decision
Mitigate
Accept
Avoid
Transfer - insurance
Deter
RISK / BC / DR
BIA (Business Impact Analysis)
AV = Asset Value
EF = Exposure Factor (fraction of the asset lost in one event)
SLE = AV * EF (mnemonic: SLEAVE + F)
ALE = SLE * ARO (mnemonic: SLEARO); ARO = Annualized Rate of Occurrence
Qualitative = L/M/H or a simple 1-10 scale
Quantitative = dollar figures, e.g. 4.2 mil
RPO < incident > RTO
RPO = how much data (time) you can afford to lose, looking back from the incident
RTO = how long until service is restored, looking forward from the incident
VULN TEST vs PEN TEST
Vuln test: safe, full access (credentialed/root), usually internal, shows due care
Pen test: not safe, no access (black box), usually external, shows due diligence (audit)
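Worked calculation for the SLE/ALE formulas and the mitigate-vs-accept decision they feed. Added example for the notes (not from the course); the risk register entries and the $5,000/yr control cost are constructed numbers.

```python
from typing import Dict, List


def sle(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF: loss from ONE occurrence (EF is the fraction of value lost)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF is a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE * ARO: expected loss per year (ARO = occurrences per year)."""
    return sle(asset_value, exposure_factor) * aro


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Cost/benefit of a countermeasure: (ALE before - ALE after) - annual cost.
    Positive means the control saves more than it costs (mitigate);
    negative means you are paying more than the risk is worth (accept/transfer)."""
    return (ale_before - ale_after) - annual_control_cost


def rank_register(register: List[Dict]) -> List[Dict]:
    """Quantitative risk register: add SLE/ALE to each entry and sort by ALE,
    highest first, so the most expensive risk sits at the top of the register."""
    ranked = []
    for entry in register:
        row = dict(entry)
        row["sle"] = sle(entry["av"], entry["ef"])
        row["ale"] = ale(entry["av"], entry["ef"], entry["aro"])
        ranked.append(row)
    return sorted(ranked, key=lambda r: r["ale"], reverse=True)


# Constructed example register (illustrative numbers, not from the notes).
REGISTER = [
    {"risk": "web server compromise", "av": 100_000, "ef": 0.25, "aro": 0.5},
    {"risk": "laptop theft", "av": 2_000, "ef": 1.0, "aro": 4.0},
    {"risk": "data center flood", "av": 1_000_000, "ef": 0.6, "aro": 0.01},
]

if __name__ == "__main__":
    for r in rank_register(REGISTER):
        print(f"{r['risk']:<24} SLE={r['sle']:>10,.0f} ALE={r['ale']:>10,.0f}")
    # Assumed control: a patch service cuts the web server ARO from 0.5 to 0.1 for $5,000/yr.
    before = ale(100_000, 0.25, 0.5)   # 12,500
    after = ale(100_000, 0.25, 0.1)    # 2,500
    print("control value:", control_value(before, after, 5_000))  # 5,000 -> worth buying
```

Note the ranking: the flood has by far the largest SLE (600,000) but the smallest ALE, which is why the exam asks for ALE, not SLE, when comparing risks year over year.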
DR TESTING
tabletop
failover
simulation
parallel
ALTERNATE SITES
Hot site - most expensive
Warm site
Cold site
SOC REPORTS
SOC 1 - private; audit of internal controls over financial reporting
SOC 2 - private; most detailed; security controls (CIA)
SOC 3 - public; least detailed summary of SOC 2
Type 1 = controls at a point in time (e.g. 12-31-2023)
Type 2 = controls over a period (e.g. 1-1 to 12-31-24)
WEB SERVER ATTACKS
XSS (CSS) - cookie stealing via injected script (HO 2! Put them here)
XSRF/CSRF - rides the victim's logged-in session with a forged request (XS > RF)
Directory traversal - ../../../../../
Buffer overflow = sending more data than the buffer can hold, overwriting memory
SQL injection (' OR 1=1--)
STOP? Input validation
COMMANDS
netstat
ping
traceroute
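Worked example of the two injection attacks above (the 1=1 SQL injection and ../ traversal) next to the input validation that stops them. Added for the notes, not code from the course; the in-memory user table, the account names and the /var/www/html document root are constructed for the demo.

```python
import posixpath
import re
import sqlite3
from typing import Optional

WEB_ROOT = "/var/www/html"                         # assumed document root for the traversal demo
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")    # allow-list: the "character sanitization" rule


def build_db() -> sqlite3.Connection:
    """In-memory table with two constructed accounts (demo data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """VULNERABLE ON PURPOSE: user input is glued into the SQL string, so the
    password "' OR 1=1--" turns the WHERE clause into ... OR 1=1 -- (rest commented out)."""
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fixed: parameters are bound by the driver and never parsed as SQL,
    and the username must match the allow-list before it is used at all."""
    if not USERNAME_RE.fullmatch(username):
        return False
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def safe_path(user_path: str) -> Optional[str]:
    """Directory traversal check: normalise every '..' and require the result to
    stay under WEB_ROOT. Returns the absolute path, or None when the request escapes."""
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, user_path.lstrip("/")))
    if candidate == WEB_ROOT or candidate.startswith(WEB_ROOT + "/"):
        return candidate
    return None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, wrong pw:", login_vulnerable(db, "alice", "wrong"))        # False
    print("vulnerable, 1=1     :", login_vulnerable(db, "alice", "' OR 1=1--"))   # True
    print("safe, 1=1           :", login_safe(db, "alice", "' OR 1=1--"))         # False
    print("safe, real pw       :", login_safe(db, "alice", "s3cret"))             # True
    print(safe_path("index.html"), safe_path("../../../../../etc/passwd"))        # path, None
```

Why the fix works: with a bound parameter the quote and the `--` are just characters inside the password value, so the comparison simply fails; for paths, normalising before the prefix check is what defeats the `../` chain (checking the raw string for ".." misses encodings and `./` tricks).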
WIFI
802.11
Evil Twin = fake AP with the same SSID
Rogue AP = unauthorized AP
Bluetooth: Bluejacking (unsolicited messages), Bluesnarfing (data theft)
Power and replacement (device constraints)
MDM = Mobile Device Management
Ad-hoc vs infrastructure mode
v1 = WEP: RC4, PSK (broken)
v2 = WPA: TKIP (still RC4), PSK or Enterprise (802.1X)
v3 = WPA2: AES-CCMP, PSK or Enterprise
v4 = WPA3: AES-GCMP, SAE replaces PSK, Enterprise
CLOUD SERVICES
SaaS (software, e.g. hosted email)
PaaS (platform for developers)
IaaS - data center in the cloud
FaaS - serverless architecture
XaaS - anything as a service
CLOUD TYPES (P282)
Private
Public
Community
Hybrid
CLOUD LOCATION
Private / on-premise
Hosted
VPC (virtual private cloud)
VPN TYPES (Page 272)
IPsec: AH = Auth + Integrity; ESP (tunnel mode) = Auth + Integrity + Confidentiality
L2TP (no encryption on its own; pair with IPsec)
GRE (tunnel only, no encryption)
PPTP (obsolete, broken)
DO NOT CONFUSE (Page 329, 5-64)
X.500 (directory) vs X.509 (certificate)
RC4 (symmetric stream cipher) vs RSA (asymmetric)
DATA LABELS
Critical
Sensitive
Confidential
Restricted
Private
Public
IPV4 vs IPV6
IPv4: 32 bits = 4 octets (8 bits = 1 octet = 1 byte); unicast, multicast, broadcast; IPsec optional (add-on)
IPv6: 128 bits; unicast, multicast, anycast (no broadcast); IPsec built in
BACKUP TYPES
Imaging
Snapshot
Full - slowest to back up, fastest to restore (needs only itself)
Incremental - fastest to back up, slowest to restore (full + every incremental since)
Differential - in between (full + latest differential)
Restore order: Full > C/D (cumulative/differential) > Incremental
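Worked example of the backup trade-off above: which backups a restore needs and how much each nightly job writes. Added for the notes, not code from the course; the two one-week schedules, the 100-unit full size and the 10 units of daily change are constructed.

```python
from typing import Dict, List, Tuple

# Backup kinds: "full", "diff" (differential = changes since the last full),
# "incr" (incremental = changes since the previous backup of any kind).
Schedule = List[Tuple[str, str]]

# Constructed one-week schedules for the example (not from the notes).
DIFF_WEEK: Schedule = [("Sun", "full"), ("Mon", "diff"), ("Tue", "diff"), ("Wed", "diff"), ("Thu", "diff")]
INCR_WEEK: Schedule = [("Sun", "full"), ("Mon", "incr"), ("Tue", "incr"), ("Wed", "incr"), ("Thu", "incr")]


def restore_set(schedule: Schedule, restore_day: str) -> List[str]:
    """Backups needed, in restore order, to recover to the end of restore_day.
    full: just itself. diff: last full + the LATEST differential (each new
    differential supersedes the previous one). incr: last full + EVERY incremental since."""
    days = [d for d, _ in schedule]
    if restore_day not in days:
        raise ValueError(f"{restore_day} is not in the schedule")
    upto = schedule[: days.index(restore_day) + 1]
    last_full = max(i for i, (_, kind) in enumerate(upto) if kind == "full")
    needed = [upto[last_full][0]]
    since_full: List[str] = []
    for day, kind in upto[last_full + 1:]:
        if kind == "diff":
            since_full = [day]          # newer differential replaces older ones
        elif kind == "incr":
            since_full.append(day)      # every incremental is still required
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
    return needed + since_full


def backup_volume(schedule: Schedule, full_size: int, daily_change: int) -> Dict[str, int]:
    """Units written per night, assuming daily_change of new data every day.
    Full writes everything; differential grows each night (all changes since the
    full); incremental writes only one day's changes, so it is the fastest backup."""
    volume: Dict[str, int] = {}
    days_since_full = 0
    for day, kind in schedule:
        if kind == "full":
            days_since_full = 0
            volume[day] = full_size
        elif kind == "diff":
            days_since_full += 1
            volume[day] = daily_change * days_since_full
        elif kind == "incr":
            days_since_full += 1
            volume[day] = daily_change
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
    return volume


if __name__ == "__main__":
    print("differential restore Thu:", restore_set(DIFF_WEEK, "Thu"))   # ['Sun', 'Thu']
    print("incremental restore Thu: ", restore_set(INCR_WEEK, "Thu"))   # ['Sun', 'Mon', 'Tue', 'Wed', 'Thu']
    print("diff volume:", backup_volume(DIFF_WEEK, 100, 10))
    print("incr volume:", backup_volume(INCR_WEEK, 100, 10))
```

The output shows both halves of the exam rule: the incremental week writes less in total but needs five tapes to restore Thursday, while the differential week writes more each night but restores from two.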
Deployment Models
BYOD = Bring your own device
CYOD = Choose your own device
COPE = Corporate Owned, Personally Enabled
VDI = Virtual Desktop Infrastructure
FRAUD REDUCTION
Least privilege
Job rotation
Separation of duties
Mandatory vacations
CAPABILITY MATURITY MODEL (levels)
1 Initial
2 Managed
3 Defined
4 Quantitatively managed
5 Optimized
AUTHENTICATION
Are you who you say you are?
Something you know = password
Something you have = token, USB key, CAC, PIV
Something you are = biometric (best): fingerprint, facial, voice, palm, retina, iris
Iris is the best biometric
Somewhere you are: geofencing, GPS
BIOMETRIC ERROR RATES
Type 1 = FRR - False Rejection Rate
Type 2 = FAR - False Acceptance Rate (the dangerous one)
CER - Crossover Error Rate (where FRR = FAR; lower is better)
SANITIZATION & DESTRUCTION (page 385)
Burning
Shredding
Pulping
Pulverizing
Degaussing
Disposal
Purging
Wipe and clearing
ATTACK FRAMEWORK
Kill Chain: R-W-D-E-I-C-A = Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Actions on objectives
WEBSITES
cve.mitre.org
nvd (nvd.nist.gov)
owasp.org
SSO OUTSIDE / INTERNET
SAML - authentication and authorization
OAuth - authorization (delegated access)
OpenID (paired with OAuth) - authentication
SSO INTRANET
Kerberos
SNMP
Remote management
Trap = alert sent when a predefined threshold is crossed
Community string = password
v1, v2 broken (cleartext); v3 adds authentication + encryption