{"id":21585685,"url":"https://github.com/cyb0rgdoll/isc2-cc","last_synced_at":"2026-01-27T12:36:53.023Z","repository":{"id":259434523,"uuid":"877866746","full_name":"cyb0rgdoll/ISC2-cc","owner":"cyb0rgdoll","description":"IS2C - CC Cybersecurity Course Notes to help you prepare for the exam","archived":false,"fork":false,"pushed_at":"2025-09-27T09:24:16.000Z","size":609,"stargazers_count":13,"open_issues_count":0,"forks_count":3,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-09-27T11:27:24.297Z","etag":null,"topics":["cc","cybersecurity-education","isc2","isc2-cc"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cyb0rgdoll.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-24T11:34:28.000Z","updated_at":"2025-09-27T09:24:19.000Z","dependencies_parsed_at":"2024-10-25T10:51:38.434Z","dependency_job_id":"70675de3-4190-45f0-a3c1-67693d136855","html_url":"https://github.com/cyb0rgdoll/ISC2-cc","commit_stats":null,"previous_names":["cyb0rgdoll/is2c-cc"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/cyb0rgdoll/ISC2-cc","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyb0rgdoll%2FISC2-cc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyb0rgdoll%2FISC2-cc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyb0rgdoll%2FISC2-cc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyb0rgdoll%2FISC2-cc/manifests","owner_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cyb0rgdoll","download_url":"https://codeload.github.com/cyb0rgdoll/ISC2-cc/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyb0rgdoll%2FISC2-cc/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28813215,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-27T12:25:15.069Z","status":"ssl_error","status_checked_at":"2026-01-27T12:25:05.297Z","response_time":168,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cc","cybersecurity-education","isc2","isc2-cc"],"created_at":"2024-11-24T15:11:29.208Z","updated_at":"2026-01-27T12:36:53.005Z","avatar_url":"https://github.com/cyb0rgdoll.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"\nISC2 - CC Cybersecurity Course Notes (Chapple, Mike) to help you prepare for the exam\n\nThe Certified in Cybersecurity℠ (CC) is for anyone interested in gaining a basic understanding of cybersecurity concepts. 
This is an entry-level certification.

The CC exam covers various topics, including:

    Security Principles
    Incident Response, Business Continuity (BC), and Disaster Recovery (DR) Concepts
    Access Controls Concepts
    Network Security
    Security Operations

The exam lasts 2 hours, has 100 items, and the passing grade is 700 out of 1000.

[Certified-in-Cybersecurity-Exam-Outline-August-2022-English.pdf](https://github.com/user-attachments/files/17511953/Certified-in-Cybersecurity-Exam-Outline-August-2022-English.pdf)

[ISC2 cc notes.docx](https://github.com/user-attachments/files/17511952/is2c.cc.notes.docx)

**ISC2-CC Breakdown of Exam**

	Domain 1: Security Principles (26%)
	Domain 2: Business Continuity, Disaster Recovery, and Incident Response (10%)
	Domain 3: Access Control Concepts (22%)
	Domain 4: Network Security (24%)
	Domain 5: Security Operations (18%)

**ISC2 Code of Ethics**

The four canons, each with an example violation and who has standing to file a complaint about it:

- Protect society, the common good, the necessary public trust and confidence, and the infrastructure (example violation: hacking)
  - Anyone may file a complaint
- Act honorably, honestly, justly, responsibly and legally (example violation: lying)
  - Anyone may file a complaint
- Provide diligent and competent service to principals (fulfill your duties to employers and clients)
  - Only principals (employers and clients) may file a complaint, due to the nature of the canon
- Advance and protect the profession (example violation: helping others cheat on exams)
  - Only other professionals may file a complaint, due to the nature of the canon

Complaint rules:

- You are required to report any violation of the Code of Ethics that you witness
- Failure to report a witnessed violation is itself a violation
- Submit a Complaints Form to report
- You must have standing before you make a complaint
- Standing: the alleged behavior must harm you or your profession in some way

**3 Goals of Information Security**

- Confidentiality
  - Protects information from unauthorized disclosure
- Integrity
  - Protects information from unauthorized changes
- Availability
  - Protects authorized access to systems and data
  - Ensures information is available to authorized users

**Confidentiality Concerns**

- Snooping
  - Gathering information that is left out in the open
  - Clean desk policies protect against snooping
- Dumpster Diving
  - Looking through trash for information
  - Shredding protects against dumpster diving
- Eavesdropping
  - Listening in on conversations
  - Rules about where sensitive conversations may take place prevent eavesdropping
- Wiretapping
  - Electronic eavesdropping on communications
  - Encryption protects against wiretapping
- Social Engineering
  - Attacker uses psychological tricks to persuade an employee to hand over information, or access to it
  - Education and training protect against social engineering

**Integrity Concerns**

- Unauthorized Modification
  - Attackers make changes without permission (internal, e.g. employees, or external)
  - Follow the principle of least privilege to limit unauthorized modification
- Impersonation
  - Attackers pretend to be someone else
  - User education protects against impersonation
- Man-in-the-Middle (MITM)
  - Attackers place themselves in the middle of a communication session
  - Intercepts network traffic as users log in to a system and then assumes their role
  - Impersonation at the electronic/digital level
  - Encryption that also authenticates the endpoints (e.g. TLS with certificate validation) protects against man-in-the-middle attacks
- Replay
  - Attackers eavesdrop on logins and reuse the captured credentials
  - Encryption protects against replay attacks when combined with session tokens, timestamps or nonces; an encrypted credential that can simply be resent as-is is still replayable

**Availability Concerns**

- Denial of Service (DoS)
  - A malicious individual bombards a system with an overwhelming amount of traffic.
  - The idea is to send so many requests to a server that it is unable to answer requests from legitimate users
  - Firewalls block unauthorized connections to protect against denial-of-service attacks (a volumetric flood that saturates the link has to be filtered upstream, by the ISP or a DDoS mitigation provider)
- Power Outages
  - Redundant power sources and back-up generators protect against power outages
- Hardware Failures
  - Failure of servers, hard drives, network gear, etc.
  - Redundant components protect against hardware failure
  - Build systems with built-in redundancy, so that if one component fails, another takes over
- Destruction
  - Backup data centers protect against destruction (e.g. cloud)
- Service Outages
  - May occur due to programming errors, failure of underlying equipment, and many other reasons
  - Building systems that are resilient in the face of errors and hardware failures protects against service outages

**Authentication & Authorization**

Access Control Process

1. Identification
   - Making a claim of identity (the claim can be false)
   - Electronic identification commonly uses usernames

2. Authentication
   - Proving the claim of identity
   - Electronic authentication commonly uses passwords

3. Authorization
   - Ensures that an action is allowed
   - Electronic authorization commonly takes the form of access control lists

Accounting (the third A) tracks and logs user activity, e.g. which systems were accessed and web browsing history.

**Authentication + Authorization + Accounting = AAA**

**Password Security**

Controls you can implement when setting password requirements:
- Password length requirements
- Password complexity requirements
- Password expiration requirements
  - Force password changes
- Password history requirements
  - Users cannot reuse previously used passwords

**Password Managers**
- Secured password vaults, often protected by biometric mechanisms (e.g. fingerprints)
- Facilitate the use of strong, unique passwords
- Store passwords

**Multi Factor Authentication**

	3 types of authentication factors

	1. Something you know - passwords, PINs
	2. Something you are - biometric security mechanisms (fingerprints, voice)
	3. Something you have - software and hardware tokens

Combining factors from two or more of these categories = Multi Factor Authentication

Note: Passwords combined with security questions are NOT multi factor authentication.
Passwords and security questions are both something you know.

**Single Sign-On (SSO)**

- Shares authenticated sessions across systems
- Organizations deploy SSO so that users do not have to authenticate repeatedly

**Non-repudiation**

- Prevents someone from denying that they performed an action (sent a message, signed a contract)
- Physical signatures can provide non-repudiation on contracts, receipts, etc.
- Digital signatures use public-key cryptography to provide non-repudiation
- Other methods include biometric security controls, video surveillance, etc.

**Privacy**

Organization Privacy Concerns

1. Protecting our own data
   - Protect your own organization's data
2. Educating users
   - Educate users on how they can protect their own personal information
3. Protecting data collected by our organization
   - Protect data that was entrusted to the organization (e.g. clients' data)

**2 Types of Private Information**

1. Personally Identifiable Information (PII)
   - Any information that can be tied back to a specific individual

2. Protected Health Information (PHI)
   - Health care records; regulated by HIPAA

**Reasonable expectation of privacy**
- Many laws that govern whether information must be protected are based upon whether the person disclosing the information had a reasonable expectation of privacy
- Example: if you upload a YouTube video, you do not have an expectation of privacy
- You do have some expectation of privacy for private electronic communications such as email, instant chats, etc.
- You do not have a reasonable expectation of privacy when sharing PII with an organization
- You do not have a reasonable expectation of privacy when using employer resources

**Risk Management**

Internal Risks
- Risks that arise from within the organization
- Internal controls prevent internal risks

External Risks
- Risks that arise outside the organization
- Build controls that reduce the chance of an attack succeeding (e.g. multi factor authentication, or social engineering awareness campaigns)

Multiparty Risks
- Risks that affect more than one organization
- Intellectual property theft poses a risk to knowledge-based organizations
  - If attackers can alter, delete or steal this information, it would cause significant damage to the organization and its customers/counterparties
- Software license agreement issues risk fines and legal action for violation of license agreements

**Risk Assessment**

Identifies and triages risks

Threat
- External forces that jeopardize security
Threat Vector
- The methods attackers use to get to their target (e.g. social engineering, hacker toolkits, etc.)
Vulnerabilities
- Weaknesses in your security controls
- Examples: missing patches, promiscuous firewall rules, other security misconfigurations

	Threat + Vulnerability = Risk

Ranking of Risks
- We rank risks by likelihood and impact
Likelihood
- Probability that a risk will occur
Impact
- Amount of damage a risk will cause

**2 Categories of Risk Assessment**

**Qualitative Techniques**

- Use subjective ratings to evaluate risk likelihood and impact, usually low, medium or high on both the likelihood and impact scales.
**Quantitative Techniques**

- Use objective numeric values (e.g. probability of occurrence and monetary impact) to evaluate risk likelihood and impact

Risk Treatment (Management)
- Analyzes and implements possible responses to control risk

**4 Types of Risk Treatment**

1. Risk Avoidance
	Changes business practices to make a risk irrelevant
2. Risk Transference
	Attempts to shift the impact of a risk from your organization to another organization
	Example: insurance policy
	Note that you cannot always transfer a risk completely (reputational damage stays with you, etc.)
3. Risk Mitigation
	Actions that reduce the likelihood or impact of a risk
4. Risk Acceptance
	Choice to continue operations in the face of a risk

Risk Profile
- Combination of risks that an organization faces
Inherent Risk
- Initial level of risk, before any controls are put in place
Residual Risk
- Risk that remains after controls have reduced the inherent risk
Control Risk
- New risk introduced by the controls applied to mitigate risk
- Example: the control applied may be installing a firewall. While that firewall mitigates the inherent risk, the risk of the firewall itself failing is a newly introduced risk

**Inherent Risk → Controls Applied → (Residual Risk + Control Risk)**

Risk Tolerance
- The level of risk an organization is willing to accept

Security Controls
- Procedures and mechanisms that reduce the likelihood or impact of a risk and help identify issues

Defense in Depth
- Uses overlapping security controls
- Different methods of security with a common objective

**3 Types of Control Purposes are:**

	1. Prevent
	- Stops a security issue from occurring
	2. Detect
	- Identifies security issues requiring investigation
	3. Correct
	- Remediates security issues that have already occurred

**3 Types of Control Mechanisms are:**

	1. Technical
	- Uses technology to achieve control objectives
	- Examples: firewalls, encryption, data loss prevention, antivirus software
	- Technical controls are also known as logical controls

	2. Administrative
	- Uses processes to achieve control objectives
	- Examples: user access reviews, log monitoring, performing background checks

	3. Physical
	- Controls that impact the physical world
	- Examples: locks, security guards

**Configuration Management**
- Tracks the way specific devices are set up
- Tracks both operating system settings and the inventory of software installed on a device
- Should also produce artifacts that help people understand system configuration (legends, diagrams, etc.)

Baselines
- Provide a configuration snapshot
- You can compare current settings against the snapshot to find changes made outside the approved change management process
- Basically, the default configuration set by the organization

**Versioning/Version Controls**
- Assigns each release of a piece of software an incrementing version number that can be used to identify any given copy
- These version
numbers are written as three-part decimals, with the
  - First number representing the major version of the software
  - Second number representing a minor update
  - Third number representing a patch or small fix (example: iPhone iOS 14.1.2)

**Standardizing Device Configurations by:**
- Standardized naming conventions
- IP addressing schemas

**Security Governance / Security Policy Framework**

- You must first identify how domestic and international laws and regulations apply to the organization. The framework is something everyone in the organization must follow

**There are 4 types of documents in a Security Policy Framework**

	Policies
		- Provide the foundation for an organization's information security program
		- Describe the organization's security expectations
		- Set by senior management
		- Should stand the test of time, anticipating future changes
		- Compliance with policies is mandatory

	Standards
		- Describe the specific details of security controls
		- Compliance with standards is mandatory

	Guidelines
		- Provide advice to the rest of the organization on best practices
		- Compliance with guidelines is optional

	Procedures
		- Step-by-step instructions for achieving an objective
		- Compliance can be mandatory or optional

**Best Practice of Security Policies**

1. Acceptable Use Policies (AUP)
   - Describe authorized uses of technology

2. Data Handling Policies
   - Describe how to protect sensitive information

3. Password Policies
   - Describe password security practices
   - Where all the password requirements (length, complexity, etc.) get officially documented

4. Bring Your Own Device Policies (BYOD)
   - Cover the usage of personal devices with company information

5. Privacy Policies
   - Cover the use of personally identifiable information
   - Can be enforced by national and local authorities

6. Change Management Policies
   - Cover the documentation, approval, and rollback of technology changes

**Business Continuity**

	**Business Continuity Planning (BCP)**
	- The set of controls designed to keep a business running in the face of adversity, whether natural or man-made
	- Also known as Continuity Of Operations Planning (COOP)
	- Directly supports the #3 goal of security: Availability
	- When planning, proactively ask which business activities, systems and controls the organization will keep running

	**Business Impact Assessment (BIA)**
	- A risk assessment that uses a quantitative or qualitative process
	- Begins by identifying the organization's mission-essential functions and then traces those backwards to identify the critical IT systems that support them

In the cloud, business continuity planning requires collaboration between cloud providers and customers

**Redundancy**

- Protection against the failure of a single component

**Single Point of Failure Analysis**

- Provides a mechanism to identify and remove single points of failure from systems
- The SPOF analysis continues until the cost of addressing the risk outweighs the benefit
- SPOF analysis can be applied beyond IT infrastructure, e.g. to HR (key-person dependencies), reliance on third-party vendors, etc.

**Continued Operation of Systems**

1. High Availability
   - Uses multiple systems to protect against service failure (broader than the AWS notion of multiple availability zones: it applies to everything, including multiple firewalls, etc.)
2. Fault Tolerance
   - Makes a single system resilient against technical failures
3. Load Balancing
   - Spreads demand across available systems

**Common Points of Failure**

1. Power Supply
   - Contains moving parts (fans)
   - High failure rate
   - Use multiple power supplies
   - Uninterruptible Power Supplies (UPS) supply battery power to devices during brief power disruptions; a UPS may be backed up by a generator
   - Power Distribution Units (PDUs) provide power conditioning and distribution for a rack

2. Storage Media
   - Protection against the failure of a single storage device
   - Redundant Array of Inexpensive (or Independent) Disks (RAID): comes in many forms, but each provides redundancy by having more disks than are needed to meet the business need
   - Two common RAID techniques:
     - Mirroring
       - RAID level 1
       - Server contains 2 identical, synchronized disks
     - Striping with parity
       - RAID level 5
       - Contains 3 or more disks
       - Parity information, spread across the disks, takes up the equivalent of one extra disk
       - When one disk fails, the parity data is used to regenerate the failed disk's content
   - RAID is a fault-tolerance technique, NOT a backup strategy (a deletion or corrupted write is faithfully reflected in the mirror or parity)

3. Networking
   - Improve network redundancy by having multiple Internet service providers
   - Improve network redundancy with dual network interface cards (NICs) or NIC teaming (similar to using multiple power supplies)
   - Implement multipath networking

Fault-tolerance mechanisms keep systems running even if one of the above points experiences a complete failure.
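As an added example that is not part of the original notes or the course, the following Python models the parity idea behind RAID 5: XOR parity across the data blocks of a stripe lets the array regenerate any single failed disk, and the same code shows why RAID is fault tolerance rather than backup. The stripe contents are constructed byte strings; a real array rotates parity across disks and works on large blocks, which this model ignores.

```python
# Added illustration of RAID-style XOR parity; not code from the original
# notes. Stripe contents used below are constructed sample data.
from typing import List, Set


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-sized blocks together; used both to compute and to rebuild."""
    size = len(blocks[0])
    if any(len(b) != size for b in blocks):
        raise ValueError("all blocks in a stripe must have the same size")
    out = bytearray(size)
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def build_stripe(data_blocks: List[bytes]) -> List[bytes]:
    """Return the disks of one stripe: the data blocks plus a parity block.

    Simplification: parity lives on the last disk; real RAID 5 rotates the
    parity block across disks from stripe to stripe.
    """
    return list(data_blocks) + [xor_blocks(data_blocks)]


def rebuild(disks: List[bytes], failed: Set[int]) -> List[bytes]:
    """Regenerate the content of a single failed disk from the survivors.

    XOR is its own inverse, so XOR-ing all surviving disks (data and parity
    alike) yields the missing one. Two simultaneous failures cannot be
    recovered with single parity, so the call is refused rather than
    silently returning garbage.
    """
    if len(failed) != 1:
        raise ValueError(
            f"single-parity stripe can rebuild 1 disk, {len(failed)} failed")
    (idx,) = failed
    survivors = [d for i, d in enumerate(disks) if i != idx]
    repaired = list(disks)
    repaired[idx] = xor_blocks(survivors)
    return repaired


def write_block(disks: List[bytes], index: int, new_data: bytes) -> List[bytes]:
    """Overwrite one data block and recompute parity, as a RAID write does.

    The old content is gone from every disk afterwards: parity protects
    against a disk failing, not against a deletion or a bad write, which
    is why RAID is not a backup strategy.
    """
    n_data = len(disks) - 1
    if not 0 <= index < n_data:
        raise IndexError("only data blocks are written; parity is derived")
    updated = list(disks[:n_data])
    updated[index] = new_data
    return build_stripe(updated)


if __name__ == "__main__":
    stripe = build_stripe([b"customer", b"database", b"records!"])
    damaged = list(stripe)
    damaged[1] = b"\x00" * 8          # disk 1 died; its content is unreadable
    print(rebuild(damaged, {1})[1])   # b'database', recovered from parity
    after = write_block(stripe, 1, b"DELETED!")
    print(rebuild(after, {1})[1])     # b'DELETED!', the old data is not coming back
```

Running the script shows the two halves of the lesson: the failed disk is rebuilt exactly, but once a block has been overwritten the rebuilt copy is the overwritten one, so only a separate backup can restore the earlier state.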
Always try to add diversity in your infrastructure to improve redundancy:

- Diversity of technologies used
- Diversity of vendors
- Diversity of cryptography
- Diversity of security controls

**Incident Response Plans**

- Provide structure during cybersecurity incidents
- Outline the policies, procedures and guidelines that govern cybersecurity incidents

**Elements of an Incident Response Plan**

- Statement of purpose
- Strategies and goals for incident response
- Approach to incident response
- Communication with other groups
- Senior leadership approval

**Tips on best practices:**

		- Consult NIST SP 800-61 (Computer Security Incident Handling Guide) as you develop your plan
		- Also review other organizations' plans
		- NIST SP 800-61 assists organizations in mitigating the potential business impact of information security incidents by providing practical guidance

**Building an Incident Response Team**

The IR team should consist of:
- Management
- Information security personnel
- Subject matter experts (SMEs)
- Legal counsel
- Public affairs
- Human resources
- Physical security

If your organization lacks personnel from these areas:
- Use incident response service providers to assist if necessary

**Incident Communication Plan**

- Communication plans ensure that all participants have timely, accurate information
- Minimize or limit communications to third parties (media, etc.)
- You will have to choose whether or not to involve law enforcement
  - A drawback of law enforcement engagement can be the release of sensitive details to the public, which may be unfavorable to the organization
- Always involve your own organization's legal team to ensure compliance with laws and the organization's obligations to third parties
- Describe the communication paths by which information will flow through the organization

**Incident Identification**

- Organizations have a responsibility to collect, analyze and retain security information

**Data is crucial to incident detection**

	Incident Data Sources
	- IDS/IPS - Intrusion Detection System / Intrusion Prevention System
	  - An IDS is designed only to alert about a potential incident; an IPS can also block it
	- Firewalls
	- Authentication systems
	- Integrity monitors
	- Vulnerability scanners
	- System event logs
	- NetFlow records
	- Antimalware packages

**Security Information and Event Management (SIEM)**
- Security solution that collects information from diverse sources, analyzes it for signs of security incidents and retains it for later use
- Centralized log repository
- Basically, feed it a large amount of data and it correlates the events and surfaces details regarding risk

When these systems and security mechanisms fail to detect a risk before it can be dealt with internally, an external source (e.g. a customer) may be the first to detect it. Therefore, the IR team should have a consistent method for receiving, recording, and evaluating external reports.

**First Responder Duty**
- First responders (whoever encounters the incident first) have a set of responsibilities, as they may have the power to tremendously reduce the damage
- Highest priority
  - The highest priority of a first responder must be containing the damage through isolation

**Disaster Recovery (DR)**
- Restores normal operations as quickly as possible following a disaster
- The disaster recovery plan steps in when the business continuity plan fails
- The disaster recovery effort is not finished until the organization is completely back to normal
- Flexibility is key during a disaster response

**Initial Response Goals**
1. Contain the damage through isolation
2. Recover normal operations

**Communications required for an effective DR**
- Initial report
- Status updates
- Ad hoc messages

Once the initial response is implemented, the DR team shifts to assessment mode

Assessment Mode
- The goal of this mode is to triage/analyze the damage and implement recovery operations on a permanent basis
- Depending on circumstances there may be an intermediate stage of temporary recovery, gradually moving to permanent recovery

**Recovery Time Objective (RTO)**
- The targeted amount of time to restore service after a disruption

**Recovery Point Objective (RPO)**
- The targeted maximum amount of data loss, expressed as a period of time (an RPO of 4 hours means you must be able to recover everything up to 4 hours before the disruption, so backups must run at least that often)

**Recovery Service Level (RSL)**
- The targeted percentage of service to restore
- Also the percentage of service that must be available during a disaster

**Backups**

- Provide an organization with a fail-safe way to recover its data in the event of:
  - Technology failure
  - Human error
  - Natural disaster

**Backup Methods**

1. Tape Backups
   - Periodically copying data from a primary storage device to a tape cartridge
   - The traditional method; often considered outdated, though tape remains in use for cheap, offline (air-gapped) long-term retention
2. Disk-to-disk Backups
   - Write data from primary disks to special disks set aside for backup purposes
   - Backups sent to a storage area network (SAN) or network attached storage (NAS) also fit in this category
3. Cloud Backups - AWS, Azure, GCP

**3 Types of Backups**

1. Full Backups
   - Include a complete copy of all data
   - Snapshots and images are types of full backups

2. Differential Backups
   - Include all data modified since the last full backup
   - Supplement full backups

3. Incremental Backups
   - Include all data modified since the last full or incremental backup

		Scenario: Joe performs full backups every Sunday evening and differential backups every weekday evening. His system fails on Friday morning. What backups does he restore?

		A: 1) Sunday's full backup
		   2) Thursday's differential backup

		Scenario: Joe performs full backups every Sunday evening and incremental backups every weekday evening. His system fails on Friday morning. What backups does he restore?

		A: 1) Sunday's full backup
		   2) Monday's, Tuesday's, Wednesday's and Thursday's incremental backups, in order

_Trade-off: incremental backups take longer to restore but require less storage; differential backups are the reverse_

**Disaster Recovery Sites**

- Provide alternate data processing facilities
- Usually stay idle until an emergency arises

**3 Types of Disaster Recovery Sites/Alternate Processing Facilities**

_1. Hot Site_
- Premier form of disaster recovery facility
- Fully operational data center
- Can be activated in moments or fail over automatically
- Very expensive

_2. Cold Site_
- Used to restore operations eventually, but requires a significant amount of time
- Empty data center
- Stocked with core equipment, network, and environmental controls, but without the servers or data required to restore business
- Relatively inexpensive
- Activating it may take weeks or even months

_3. Warm Site_
- Hybrid of hot and cold
- Stocked with core requirements and data
- Not maintained in parallel with production
- Similar in expense to a hot site
- Requires significantly less time from IT staff
- Activating it may take hours or days

Disaster recovery sites don't only provide a facility for technology operations; they also serve as an offsite storage location. They are:
- Geographically distant
- Site resiliency
  - Backups are transported to the disaster recovery facility, either physically or electronically; this is called "site replication"
- Online or offline backups
  - Online backups are available for restoration immediately, but are very expensive
  - Offline backups may require manual intervention, but are very inexpensive

Alternate Business Process
- A change of the organization's business procedures so it can keep operating while the disaster recovery plan is in effect

**Disaster Recovery Testing Goals**

1. Validate that the plan functions correctly
2. Identify necessary plan updates

**5 Types of Disaster Recovery Testing**

1. Read-through
   - Simplest form of disaster recovery testing
   - Asks each team member to review their role in the disaster recovery process and provide feedback
   - Known as a "checklist review"
2. Walk-through
   - A more comprehensive approach, but similar to a read-through
   - Gathers the team together for a formal review of the disaster recovery plan
   - Known as a "tabletop exercise"
3. Simulation
   - Uses a practice scenario to test the disaster recovery plan
   - Scenario-based, with very specific circumstances
4. Parallel Test
   - While the above are all theoretical approaches, the parallel test actually activates the disaster recovery environment
   - However, operations are not switched to the backup environment
5. Full Interruption
   - Most effective
   - Activates the disaster recovery environment
   - Also switches primary operations to the backup environment
   - Can be very disruptive to business

**Physical Access Controls**
Facilities that require physical security:

1. Data Centers
   - Most important
2. Server Rooms
   - Hold sensitive information in less secure locations
3. Media Storage Facilities
   - If in a remote location, may require as much security as the data centers
4. Evidence Storage Locations
5. Wiring Closets
   - Literally a cluster of wires
   - Needs to
be protected as it offers access to digital eavesdroppers and network intruders
6. Distribution Cabling
   - Neatly organized cables in the ceiling
7. Operations Center

**Types of Physical Security**
1. Gates
   - Allow you to focus on other security controls
2. Bollards
   - Block vehicles while allowing pedestrian traffic

**CPTED**
- Crime Prevention Through Environmental Design
- Basically gives principles for designing your crime prevention mechanisms in a way that is appropriate to your environmental surroundings

**CPTED Goals**
1. Natural Surveillance
   - Design your security in a way that allows you to observe the natural surroundings of your facility
   - Windows, open areas, lighting
2. Natural Access Control
   - Narrowing the traffic to a single point of entry
   - Gates, etc.
3. Natural Territory Reinforcement
   - Making it visually and physically obvious that the area is closed to the public
   - Signs, lighting

**Visitor Management**
- Visitor management procedures protect against intrusions

**Visitor Procedures**
- Describe allowable visit purposes
- Explain visit approval authority
- Describe requirements for unescorted access
- Explain the role of visitor escorts
- All visitor access to secure areas should be logged
- Visitors should be clearly identified with distinctive badges
- Cameras add a degree of monitoring in visitor areas
- Cameras should always be disclosed

**Physical Security (Human Security)**
- Receptionists may act as security guards
- Sometimes an "aggressive" look is desirable
- Robots may replace human security patrols

**Two-Person Rule (Two-Person Integrity)**
- Two people must enter sensitive areas together

**Two-Person Control**
- Two people must have control of very sensitive functions, requiring the agreement of 2 persons before action
- Ex= Requiring 2 keys to trigger a launch of nuclear missiles

**Logical Access Controls**

Account Management Tasks
- Implementing job rotation schemes
  - Having employees rotate job functions for the purpose of diversity and integrity in work
- Mandatory vacation policies
  - People on vacation should not have access to sensitive data
- Managing the account lifecycle
  - Ensuring that as employees move around an organization into different roles, they are given the access that corresponds to those roles

**Account Monitoring Procedures**

1. Account Audits
   - Completed by pulling all permission lists, reviewing them, and making adjustments
   - Protects against inaccurate permissions
   - Inaccurate Permissions
     - Wrong permissions assigned, resulting in too little access to do the job or too much access (violates least privilege)
     - Result of privilege creep
   - Privilege Creep
     - A condition that occurs when users switch roles and their previous role's access to a system has not been revoked

2. Formal Attestation Process
   - Auditors review documentation to ensure that managers have formally approved each user's account and access permissions.

3. Continuous Account Monitoring
   - Watch for suspicious activity
   - Alert administrators to anomalies
   - Will catch any unauthorized use of permissions or acts
   - Flags access policy violations:
     - Impossible travel time logins
     - Unusual network location logins
     - Unusual time-of-day logins
     - Deviations from normal behavior
     - Deviations in volume of data transferred

4. Geotagging
   - Adds user location information to logs

5. Geofencing
   - Alerts when a device leaves defined boundaries

**Provisioning and Deprovisioning**
- Involves the process of creating, updating and deleting user accounts in multiple applications and systems
- A crucial Identity and Access Management task

**Provisioning**
- After onboarding, administrators create authentication credentials and grant appropriate authorization

**Deprovisioning**
- During the off-boarding process, administrators disable accounts and revoke authorizations at the appropriate time.
- Prompt termination (quickly acting after off-boarding) is critical
- Prevents users from accessing resources without permission
- More important if the employee leaves on unfavorable terms

**Routine Workflow (for offboarding)**
- Disable accounts on a scheduled basis for planned departures

**Emergency Workflow (for offboarding)**
- Immediately suspends access when a user is unexpectedly terminated

Incorrectly timed account deprovisioning may:
- Inform a user in advance of pending termination
- Allow the user to access resources after termination
- It is a good idea to deactivate the account first before permanent removal, as deactivation can be reversed

**Authorization**
- Final step in the access control process
- Determines what an authenticated user can do

**Principle of Least Privilege**

- Users should have the minimum set of permissions necessary to perform their job
- Protects against internal risks, as a malicious employee's damage will be limited to their access
- Protects against external risks: if an account is hacked, the damage the attacker can do is limited to the permissions on the stolen account.
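Worked example (added here, not part of the original course notes): a small Python detector for the continuous-monitoring flags listed above (impossible travel, unusual time of day, deviation in volume of data transferred), run over a constructed login log. The thresholds, the business-hours window and the sample records are assumptions, not values from the course.

```python
"""Continuous account monitoring over a constructed login log.
Added example for these notes; thresholds and records are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt
from statistics import mean, pstdev


@dataclass
class Login:
    user: str
    when: datetime
    city: str
    lat: float
    lon: float
    bytes_out: int          # data transferred during the session


# Constructed sample records (not real data). Times are the user's local time.
SAMPLE_LOGINS = [
    Login("alice", datetime(2024, 3, 4, 9, 5),  "Toronto", 43.65, -79.38, 120_000),
    Login("alice", datetime(2024, 3, 4, 13, 40), "Toronto", 43.65, -79.38, 150_000),
    Login("alice", datetime(2024, 3, 4, 15, 10), "Sydney", -33.87, 151.21, 140_000),
    Login("alice", datetime(2024, 3, 6, 3, 15),  "Toronto", 43.65, -79.38, 9_000_000),
    Login("bob",   datetime(2024, 3, 4, 10, 0),  "Toronto", 43.65, -79.38, 200_000),
    Login("bob",   datetime(2024, 3, 4, 17, 30), "Toronto", 43.65, -79.38, 180_000),
]

MAX_PLAUSIBLE_KMH = 1000.0     # assumption: faster than this between logins is "impossible travel"
BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 is a normal login time
VOLUME_SIGMAS = 3.0            # assumption: more than mean + 3 sigma of the user's other sessions


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def analyze(logins):
    """Return (user, timestamp, reason) alerts, in time order per user."""
    alerts = []
    by_user = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.when)):
        by_user.setdefault(ev.user, []).append(ev)

    for user, events in by_user.items():
        for i, ev in enumerate(events):
            # 1. unusual time-of-day login
            if ev.when.hour not in BUSINESS_HOURS:
                alerts.append((user, ev.when, "unusual time-of-day login"))
            # 2. impossible travel: implied speed since the previous login
            if i > 0:
                prev = events[i - 1]
                hours = (ev.when - prev.when).total_seconds() / 3600
                km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
                if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                    alerts.append((user, ev.when, f"impossible travel {prev.city}->{ev.city}"))
            # 3. deviation in volume transferred, against the user's other sessions
            others = [e.bytes_out for j, e in enumerate(events) if j != i]
            if len(others) >= 2:
                mu, sigma = mean(others), pstdev(others)
                if sigma > 0 and ev.bytes_out > mu + VOLUME_SIGMAS * sigma:
                    alerts.append((user, ev.when, "deviation in volume of data transferred"))
    return alerts


if __name__ == "__main__":
    for user, when, reason in analyze(SAMPLE_LOGINS):
        print(f"{when:%Y-%m-%d %H:%M}  {user:<6} {reason}")
```

On the sample data the Sydney login 90 minutes after a Toronto login is flagged as impossible travel, and the 03:15 session is flagged twice (off-hours and a transfer far above that user's baseline); bob, whose two sessions are unremarkable, produces no alerts. A real deployment would key the baseline on much more history than three sessions.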

**Mandatory Access Control (MAC) System - Confidentiality**

- Permissions are determined by the system/operating system
- Users cannot modify any permissions
- Rule-based access system
- Most stringent/strict

**Discretionary Access Control (DAC) System - Availability**

- Permissions are determined by the file owners
- Most common type of access control
- Flexible

**Role-Based Access Control (RBAC) Systems - Integrity**

- Permissions are granted to groups of people / job functions
- Group based

**Computer Networking**

Network
- Connects computers together
- Can connect computers within an office (LAN) or to the global internet

Local Area Networks (LANs)
- Connect devices in the same building
- LANs are connected to Wide Area Networks (WANs)

Wide Area Networks (WANs)
- Connect across large distances
- Connect different office locations and also connect to the internet
- When a LAN is connected to a WAN = Internet

**How Devices Connect to a LAN**

1. Ethernet
   - Connecting a physical Ethernet cable to a network jack behind the wall
   - The Ethernet cable uses RJ-45 connectors, a.k.a. 8-pin connectors
   - Super fast but requires physical cables
   - FYI: RJ-11 cables are used for telephone connections. They have 6 pins
2. Wireless Networks (Wi-Fi)
   - Create wireless LANs
3. Bluetooth
   - Creates a Personal Area Network (PAN)
   - Designed to support a single person
   - Main purpose is to create a wireless connection between a computer and its peripheral devices
4. Near Field Communication (NFC) Technology
   - Allows extremely short-range wireless connections (ex= wireless payment)

**TCP/IP - Transmission Control Protocol/Internet Protocol**

- A set of standardized rules that allow computers to communicate on a network such as the internet.
- Protocol suite at the heart of networking

**Internet Protocol**

- Main function is to provide an addressing scheme, known as the IP address
- Routes information across networks
- Not just used on the internet
- Can be used at home or in an office
- Delivers packets (chunks of information) from source → destination
- Serves as a Network Layer protocol
- Supports Transport Layer protocols, which have a higher set of responsibilities

**2 Types of Transport Layer Protocols**

**1. Transmission Control Protocol (TCP)**

- Responsible for the majority of internet traffic
- Is a connection-oriented protocol
- Connection-oriented means the connection is established before data is transferred
- Connection is ensured through the TCP Three-Way Handshake
- TCP packets include special flags that identify the packets, known as TCP Flags.

Within the TCP Flags:
- SYN flag: Opens a connection
- FIN flag: Closes an existing connection
- ACK: Used to acknowledge a SYN or FIN packet

**TCP Three-Way Handshake**

1. Source sends SYN to request an open connection to the destination
2. Destination sends ACK + its own request (SYN) to reciprocate an open connection
3. Source acknowledges and sends ACK
- Guarantees delivery through the destination system acknowledging receipt
- Widely used for critical applications (email, web traffic, etc.)

**2. User Datagram Protocol (UDP)**

- Connectionless protocol, not connection-oriented
- Lightweight
- Does NOT use the Three-Way Handshake
- Systems basically send data off to each other blindly, hoping that it is received on the other end
- Does not perform acknowledgments
- Does not guarantee delivery
- It's often used for voice and video applications where guaranteed delivery is not essential. Every single packet doesn't have to reach the destination for video and voice to be comprehensible.

**OSI (Open Systems Interconnection) Model - Describes networks as having 7 different layers**

Layer 1: Physical Layer
- Responsible for sending bits over the network
- Uses wires, radio waves, fiber optics or other means

Layer 2: Data Link Layer
- Transfers data between 2 nodes connected to the same physical network

Layer 3: Network Layer
- Expands networks to many different nodes
- Internet Protocol (IP)

Layer 4: Transport Layer
- Creates connections between systems
- Transfers data in a reliable manner
- TCP and UDP

Layer 5: Session Layer
- Manages the exchange of communications between systems

Layer 6: Presentation Layer
- Translates data so that it may be transmitted on a network
- Encryption and decryption

Layer 7: Application Layer
- How users interact with data, using web browsers or other apps

| OSI | TCP/IP Model |
|---|---|
| Layer 1: Physical Layer + Layer 2: Data Link Layer | Layer 1: Network Interface Layer (Physical + Data Link) |
| Layer 3: Network Layer | Layer 2: Internet Layer |
| Layer 4: Transport Layer | Layer 3: Transport Layer |
| Layer 5: Session + Layer 6: Presentation + Layer 7: Application | Layer 4: Application Layer (Session + Presentation + Application) |

For the Internet Protocol (IP) to successfully deliver traffic between any two systems on a network, it has to use an addressing scheme

**IP Addresses**

- Uniquely identify systems on a network
- Written in dotted quad notation (ex- 192.168.1.100). Also known as IPv4
- Means 4 numbers separated by periods
- Each of these numbers may range between 0-255
- Why 255?
  - Each number is represented by an 8-bit binary number
  - Those bits can represent 2 to the power of 8 = 256 possible values
  - But we start at 0, so 256-1=255
- No duplicate IP addresses on Internet-connected systems (just like your phone #)
- Duplicates are allowed on private networks
- Your router or firewall takes care of translating private IP addresses to public IP addresses when you communicate over the internet
- This translating process is called NAT (Network Address Translation)

IP addresses are divided into 2 parts
- Network Address
- Host Address

The divide between the 2 parts can come anywhere
This uses a concept called subnetting
- Subnetting divides domains so traffic is routed efficiently
- IPv4 (containing 4 numbers) is running out, so we are shifting to → IPv6
- IPv6
  - Uses 128 bits (compared to 32 bits (8 bits x 4 numbers = 32) for IPv4)
  - Consists of 8 groups of 4 hexadecimal digits
  - ex= fd02:24c1:b942:01f3:ead2:123a:c3d2:cf2f

IP addresses can be assigned in 2 ways

1. Static IPs
   - IP address manually assigned by an administrator
   - Must be unique
   - Must be within the appropriate range for the network

2. Dynamic Host Configuration Protocol (DHCP)
   - Automatic assignment of an IP address from an administrator-configured pool

Servers are configured with static IP addresses
End-user devices are configured with dynamically changing IP addresses

**Network Ports**
- Like apartment #s, guide traffic to the correct final destination
- An IP address uniquely identifies a system, while a network port uniquely identifies a particular location on that system associated with a specific application
- Think of it as
  - IP Address - street # of an apartment building
  - Network Port - unit # of an apartment

**Network Port Numbers**
- 16-bit binary numbers
- 2 to the power of 16 = 65,536 possible values
- Starting at 0, the range is 0-65,535

**Port Ranges**
- 0 - 1,023 = Well-known ports
  - Reserved for common applications that are assigned by internet authorities
  - Ensures everyone on the internet will know how to find common services such as web servers and email servers
  - Web servers use the well-known port 80
  - Secure web servers use the well-known port 443
- 1,024 - 49,151 = Registered ports
  - Application vendors may register their applications to use these ports. Examples:
    - Microsoft reserves port 1433 for SQL Server database connections
    - Oracle reserves port 1521 for its database
- 49,152 - 65,535 = Dynamic ports
  - Applications can use these on a temporary basis

**Important Port #s**

Administrative Services
- Port 21: File Transfer Protocol (FTP)
  - Transfers data between systems
- Port 22: Secure Shell (SSH)
  - Encrypted administrative connections to servers
- Port 3389: Remote Desktop Protocol (RDP)
  - Encrypted administrative connections to servers
- Ports 137, 138, and 139: NetBIOS - Windows
  - Network communications using the NetBIOS protocol
- Port 53: Domain Name Service (DNS)
  - All systems use port 53 for DNS lookups

Mail Services
- Port 25: Simple Mail Transfer Protocol (SMTP)
  - Exchange email between servers
- Port 110: Post Office Protocol (POP)
  - Allows clients to retrieve mail
- Port 143: Internet Message Access Protocol (IMAP)
  - Allows clients to retrieve mail

Web Services
- Port 80: Hypertext Transfer Protocol (HTTP)
  - For unencrypted web communications
- Port 443: Secure HTTP (HTTPS)
  - For encrypted connections

**Securing Wireless Networks**

Service Set Identifier (SSID)
- The name of your Wi-Fi
- You can disable visibility of the Wi-Fi (hide it)
- Has an administrative password to the access point (connection)
- Ensure you immediately change default administrator passwords

You can configure what type of network you want
1) Open Network: Open for anyone to use (no-password Wi-Fi)

Other networks require authentication

1) Preshared Keys (home Wi-Fi, office, cafe)
- Changing preshared keys is difficult
- Prevents individual identification of users

2) Enterprise Authentication
- Uses individual passwords

3) Captive Portals
- Used in Starbucks, airports, Tim Hortons
- Provide authentication on unencrypted wireless networks
- Intercepts web requests to require Wi-Fi login

**Wireless Encryption**

- A best practice for network security
- Encryption hides the true content of network traffic from those without the decryption key
- Takes radio waves and makes them secure

The original approach to security was: Wired Equivalent Privacy (WEP)
- This is now considered insecure

The second approach was: Wi-Fi Protected Access (WPA)
- Changes keys with the Temporal Key Integrity Protocol (TKIP)
- Changes the encryption key for each packet, preventing an attacker from discovering the key after monitoring the network for a long period of time
- This is now considered insecure

The improved approach is: Wi-Fi Protected Access v2 (WPA2)
- Uses an advanced encryption protocol called Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP)
- WPA2 is currently considered SECURE

The new approach is: Wi-Fi Protected Access v3 (WPA3)
- Supports Simultaneous Authentication of Equals (SAE)
- SAE is a secure key exchange protocol based upon the Diffie-Hellman technique, to provide a more secure initial setup of encrypted wireless communications
- Also supports the CCMP protocol

**Ping and Traceroute**

Command Line Interface (CLI)
- Provides a quick and easy way to access network configurations and troubleshooting information
- Used by giving commands

**Important Commands**

**1. ping**
- Checks whether a remote system is responding or accessible
- Works using the Internet Control Message Protocol (ICMP)
- Basically sending a request and acknowledgement to confirm a connection
- Troubleshooting with ping:
  - You can ping the remote system:
  - a) If you receive a response: it is not a network issue but a local web server issue
  - b) If you don't receive a response: you may next ping another system located on the internet. If that responds, your internet connection is working and the issue is with the web server or its network connection
  - c) If you ping many systems on the internet and there is no response, it is likely that the problem is on your end
  - d) You can ping a system on your local network: if that responds, there's probably an issue with your network's connection to the internet
  - e) If a local network system does not respond: either your local network is down or there is a problem with your computer
  - f) Last resort: repeat the process on another computer
- Some systems do not respond to ping requests
  - Example: A firewall may block ping requests

**2. hping**

- Creates customized ping requests
- A variant of the basic "ping" command
- Allows you to interrogate a system to see if it is present on the network
- Old and no longer maintained, but still works

**3. traceroute**

- Determines the network path between two systems
- If you want to know how packets are traveling today from my system located in Toronto to a LinkedIn.com web server, wherever that is located
- Works only on Mac and Linux
- In Windows, it is: tracert

**4. pathping**
- Windows-only command
- Combines ping and tracert functionality in a single command

**Network Threats**

Malware
- One of the most significant threats to computer security
- Short for Malicious Software
- Might steal information, damage data or disrupt normal use of the system
- Malware has 2 components:
1) Propagation Mechanism
- Techniques the malware uses to spread from one system to another
2) Payload
- Malicious actions taken by the malware
- Any type of malware can carry any type of payload

**Types of Malware**

1. Virus
   - Spreads after a user takes some type of action
   - Example: Opening an email attachment, clicking a link, inserting an infected USB
   - Viruses do not spread unless someone gives them a hand
   - User education protects against viruses

2. Worms
   - Spread on their own by exploiting vulnerabilities
   - When a worm infects a system, it will use it as its base for spreading to other parts of the Local Area Network
   - Worms spread because the systems are vulnerable
   - Patching protects against worms

3. Trojan Horse
   - Pretends to be useful, legitimate software, with a hidden malicious effect
   - When you run the software, it may perform as expected, however it will deliver payloads behind the scenes
   - Application control protects against Trojan horses
   - Application controls limit the software that can run on systems to approved titles and versions

4. Botnets
   - A collection of zombie computers used for malicious purposes
   - A network of infected systems
   - Steal computing power, network bandwidth, and storage capacity
   - A hacker creating a botnet begins by
     1) Infecting a system with malware through any method
     2) Once the malware takes control of the system (hacker gains control), he or she joins/adds it to the preconceived botnet

How Botnets Are Used
- Renting out computing power for profit
- Delivering spam
- Engaging in DDoS attacks
- Mining Bitcoin and cryptocurrencies
- Performing brute force attacks against passwords

Botnet Command and Control
- Hackers command botnets through Command and Control networks, which relay orders
- Communication must be indirect (hides the hacker's true location) and redundant
- Must be highly redundant (a lot of redundancy) because security analysts will shut them down one by one. It's a cat-and-mouse game: whoever controls the Command and Control channels retains control of the botnet the longest

Types of Command and Control Mechanisms for Ordering Botnets
- Internet Relay Chat (IRC)
- Twitter
- Peer to peer within the botnet

**In Summary, Botnets:**

1. Infect systems
2. Convert them to bots
3. Infect others
4. Check in through the Command and Control network
5. Get instructions
6. Deliver payload

**Eavesdropping Attacks**

- All eavesdropping attacks rely on a compromised communication path between a client and a server
- Network device tapping
- DNS poisoning
- ARP poisoning
- During poisoning attacks hackers may use the Man-in-the-Middle technique to trick the user into connecting to the attacker directly; the attacker then connects to the server. The user logs in to a fake server set up by the attacker, and the attacker acts as a relay, the man in the middle, and can view all of the communications.
- The user will not know that there is a Man-in-the-Middle intercepting communications.
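Worked example (added here, not from the course notes): Python that does the IPv4 arithmetic described in the IP Addresses and Network Ports sections above by hand, with no library lookups: the 4 x 8-bit dotted quad, the network/host split at an arbitrary prefix length, the RFC 1918 private ranges that NAT translates at the edge, and the three port ranges. The function names and sample addresses are my own.

```python
"""IPv4 address and port arithmetic from the notes above.
Added example; function names and sample values are my own."""


def parse_ipv4(text):
    """Dotted quad -> 32-bit integer. Each of the 4 numbers is one 8-bit octet (0-255)."""
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range 0-255: {octet}")
        value = (value << 8) | n
    return value


def format_ipv4(value):
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def split_network_host(cidr):
    """'a.b.c.d/n': the first n bits are the network address, the remaining 32-n bits the host."""
    addr_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0-32")
    addr = parse_ipv4(addr_text)
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # n one-bits followed by zeros
    host_mask = ~mask & 0xFFFFFFFF
    network = addr & mask
    total = 2 ** (32 - prefix)
    return {
        "mask": format_ipv4(mask),
        "network": format_ipv4(network),
        "host_part": addr & host_mask,                       # host number inside that network
        "broadcast": format_ipv4(network | host_mask),
        "usable_hosts": total - 2 if prefix <= 30 else total,  # network + broadcast are reserved
    }


def in_network(ip_text, cidr):
    """True if ip_text falls inside the block cidr."""
    block = split_network_host(cidr)
    return format_ipv4(parse_ipv4(ip_text) & parse_ipv4(block["mask"])) == block["network"]


# RFC 1918 private ranges: reusable inside private networks; NAT translates them at the edge.
PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def is_private(ip_text):
    return any(in_network(ip_text, block) for block in PRIVATE_RANGES)


def port_class(port):
    """The three port ranges: well-known, registered, dynamic."""
    if not 0 <= port <= 65535:              # 16 bits -> 2**16 = 65,536 values, numbered 0-65,535
        raise ValueError("port must be 0-65535")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


if __name__ == "__main__":
    print(split_network_host("192.168.1.100/24"))
    print("192.168.1.100 private:", is_private("192.168.1.100"))
    for p in (22, 443, 1433, 1521, 49152):
        print(p, port_class(p))
```

The mask is built by shifting a run of 32 one-bits left by the number of host bits, which is why "the divide can come anywhere": a /24 leaves 8 host bits (254 usable addresses), a /12 leaves 20. Python's `ipaddress` module does the same job in production; the manual version is here to make the bit arithmetic in the notes visible.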

**Man-in-the-Browser Attacks**
- Variation of the Man-in-the-Middle attack
- Exploit flaws in browsers and browser plugins to gain access to web communications

If the attacker is able to control the network traffic, they may be able to conduct a Replay Attack

**Replay Attack**
- Uses previously captured data, such as an encrypted authentication token, to create a separate connection to the server that's authenticated but does not involve the real end user
- The attacker cannot see the actual credentials
- They can only see the encoded version of them
- Prevent replay attacks by including unique characteristics:
  - Token
  - Timestamp

**SSL Stripping**
- Tricks browsers into using unencrypted communications
- A variation of the eavesdropping attack
- A hacker who has the ability to view a user's encrypted web communication exploits the vulnerability to trick the user's browser into reverting to unencrypted communications for the world to see
- Strips the SSL or TLS protection

**Implementation Attacks - Cryptographic systems may have flaws = vulnerability = attacks**

**Fault Injection Attacks**

- Use externally forced errors
- The attacker attempts to compromise the integrity of a cryptographic device by causing some type of external fault
- For example: the attacker might use high-voltage electricity to cause a malfunction that undermines security
- These failures of security may cause systems to fail to encrypt data properly.

**Side Channel Attacks**
- Measure encryption footprints
- Attackers use these footprints to monitor system activity and retrieve information that is actively being encrypted
- For example: If a cryptographic system is improperly implemented, it may be possible for an attacker to capture the electromagnetic radiation emanating from that system and use the collected signal to determine the plaintext information that is being encrypted

**Timing Attacks**
- A type of side channel attack
- Measure encryption time
- Attackers precisely measure how long cryptographic operations take to complete, gaining information about the cryptographic process that may be used to undermine security

**Threat Identification and Prevention**

**Intrusion Detection Systems (IDS)**
- Monitors network traffic for signs of malicious activity
- Misuse detection and anomaly detection
- Examples of malicious activity:
  - SQL injections
  - Malformed packets
  - Unusual logins
  - Botnet traffic
- Alerts administrators
- Requires someone to take action

**Intrusion Prevention System (IPS)**

- Automatically blocks malicious activity
- It is not a perfect system. They make 2 errors:
  1) False Positive Error
     - IDS/IPS triggers an alert when an attack did not actually take place
  2) False Negative Error
     - IDS/IPS fails to trigger an alert when an actual attack occurs

Technology used to identify suspicious traffic:

1. Signature Detection Systems
   - Contain databases with rules describing malicious activity
   - Alert admins to traffic matching signatures = rule-based detection
   - Cannot detect brand new attacks
   - Reduce false positive rates
   - Reliable and time-tested technology

2. Anomaly Detection Systems
   - Build models of "normal" activity, and find outliers
   - Can detect brand new attacks
   - But have a high false positive rate

**Anomaly Detection, Behavior-based Detection, Heuristic Detection = Same Thing**

**IPS Deployment Modes**

1. In-band Deployments
   - IPS sits in the path of network traffic
   - It can block suspicious traffic from entering the network
   - Risk: it is a single point of failure, so it may disrupt the entire network

2. Out-of-band (passive) Deployments
   - IPS sits outside the path of network traffic
   - IPS is connected to a SPAN port on a switch
   - Which allows it to receive copies of all traffic sent through the network to scan
   - It cannot disrupt the flow of traffic
   - It can react after suspicious traffic enters the network
   - It cannot block traffic in advance, as it only learns of its existence once it has entered the network

**Malware Prevention**

- Antimalware software protects against many different threats
- Antimalware software protects against viruses, worms, Trojan horses and spyware

**Antivirus software uses 2 types of mechanisms to protect:**

**1. Signature Detection**
- Watches for known patterns of malware activity

**2. Behavior Detection**
- Watches for deviations from normal patterns of activity
- This type of mechanism is found in advanced malware protection tools like Endpoint Detection and Response (EDR)
- EDR tools:
  - Offer real-time, advanced protection
  - Go beyond basic signature detection and perform deep instrumentation of endpoints
  - They analyze:
    - Memory
    - Processor use
    - Registry entries
    - Network communications
  - Installed on endpoint devices
  - Can perform sandboxing
    - Isolates malicious content

**Port Scanners / Vulnerability Assessment Tools**

1. Port Scanner
   - Looks for open network ports
   - Equivalent of rattling all the doorknobs looking for unlocked doors
   - nmap
     - Popular port scanning tool/command
2. Vulnerability Scanner
   - Looks for known vulnerabilities
   - Scans deeper than a port scanner; actually looks at what services are using those ports
   - Has a database of all known vulnerability exploits and tests the server to see if it contains any of those vulnerabilities
   - Nessus
     - Popular vulnerability scanner
3. Application Scanner
   - Tests deep into application security flaws

**Network Security Infrastructure**

Data Centers
- Have significant cooling requirements
- Current standard of temperatures
  - Maintain data center air temperatures between 64.6 F and 80.6 F = Expanded Environmental Envelope
- Humidity is also important
  - Dew point between 41.9 F and 50.0 F
  - This range prevents condensation and static electricity
- HVAC is important (Heating, Ventilation and Air Conditioning systems)
- Must also look out for fire, flooding, electromagnetic interference

Fire Suppression Methods
1. Wet Pipe Systems
   - Contain water in the pipes, ready to deploy when a fire strikes
   - High risk for a data center
2. Dry Pipe Systems
   - Do not contain water until the valve opens during a fire alarm.
   - Prevents burst pipes by removing standby water
3. Chemical Systems
   - Remove oxygen

Always put MOUs in place
- Memorandum of Understanding
- Outlines the environmental requirements

Security Zones
- Firewalls divide networks into security zones to protect systems with differing security models

Types of Security Zones

1. Network Border Firewall
   - Three network interfaces, connects 3:
     - Internet
     - Intranet
     - Data Center Network
     - Guest Network
     - Wireless Network
     - Endpoint Network

2. DMZ
   - Where you can place systems that must accept connections from the outside world, such as mail and web servers
   - Because it is open, higher risk of compromise
   - If the DMZ is compromised, firewalls will still protect the internal network

**Zero Trust Approach: Systems do not gain any trust based solely upon their network location**

**3 Special-Purpose Networks**

1. Extranet
   - Special intranet segments that are accessible by outside parties like business partners

2. Honeynet
   - Decoy networks designed to attract attackers

3. Ad Hoc Networks
   - Temporary networks that may bypass security controls

East-West Traffic
- Network traffic between systems located in the data center

North-South Traffic
- Network traffic between systems in the data center and systems on the Internet

**Routers and Switches**

Routers, switches and bridges are the building blocks of computer networks

Switches

- Connect devices to the network
- Have many network ports
- Reside in wiring closets and connect the computers in a building together
- Ethernet jacks are at the other end of network cables connected to switches
- Wireless access points (WAPs) connect to switches and create Wi-Fi networks
- The physical AP itself has a wired connection back to the switch
- Switches can only create local networks
- Layer 2 of the OSI Model - Data Link Layer
- Some switches can operate at Layer 3 of the OSI Model - Network Layer (can interpret IP addresses)
- For this to happen, they must use routers

Routers
- Connect networks to each other, making intelligent packet routing decisions
- Serve as a central aggregation point for network traffic heading to or from a large network
- Work as the air traffic controller of the network
- Make best-path decisions for traffic to follow
- Use Access Control Lists to limit some traffic entering or leaving a network; this type of filtering does not pay attention to connection state and is called Stateless Inspection

Virtual LANs (VLANs)
- Separate systems on a network into logical groups based upon function
- Extend the broadcast domain
- Users on the same VLAN will be able to directly contact each other as if they were connected to the same switch
- We use VLANs to create network segmentation, which reduces security risk by limiting the ability of unrelated systems to communicate with each other
- Micro Segmentation
  - Extreme segmentation strategy
  - Temporary

**Configuring VLANs**

- Enable VLAN trunking
  - Allows switches in different locations on the network to carry the same VLANs
- Configure VLANs for each switch port

**Firewalls**
- Often sit at the network perimeter
- Between router and Internet

```
Switch
  |
  |
Switch ------ Router ------ Firewall ------ Internet
  |
  |
Switch
```

**Firewalls connect 3 networks together**

1. Internet
2. Internal Network
3. DMZ
   - Contains systems that must accept direct external connections
   - Isolates those systems due to risk of compromise
   - Protects the internal network from compromised DMZ systems

Older firewalls use Stateless Inspection
- Evaluate each connection independently

Modern firewalls use Stateful Inspection
- Keep track of established connections

Firewalls are basically rules to enter or exit.

A firewall rule must provide
1. Source system address
2. Destination system address
3. Destination port and protocol
4. Action (Allow or Deny)

**Firewalls operate on the Principle of Implicit Deny**
- If the firewall receives traffic not explicitly allowed by a firewall rule, then that traffic must be blocked
- Basically saying: if you don't have a passcard, you cannot get in, as the door is always closed
- The newest type of firewalls are called Next-Generation Firewalls (NGFW)
  - Incorporate contextual information into their decision making
  - Evaluate requests based on identity of user, nature of application, time of day, etc.
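Worked example (added here, not the notes' own code): a Python model of the firewall rule format above (source address, destination address, destination port and protocol, action) with first-match evaluation and implicit deny, plus a minimal connection table showing how stateful inspection admits the return half of a connection that a stateless rule set would otherwise drop. The addresses, zones and rules are constructed; the Internet, internal network and DMZ follow the three-network layout in the notes.

```python
"""Firewall rule evaluation with implicit deny, stateless vs stateful.
Added example; addresses, zones and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str               # CIDR block or "any"
    dst: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any destination port
    action: str            # "allow" or "deny"

    def matches(self, pkt):
        def in_block(ip, cidr):
            return cidr == "any" or ip_address(ip) in ip_network(cidr)
        return (in_block(pkt.src, self.src)
                and in_block(pkt.dst, self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


# Constructed zones: Internet (anything else), DMZ 203.0.113.0/24 with a web
# server at .10, internal network 10.0.0.0/8.
RULES = [
    Rule("any", "203.0.113.10/32", "tcp", 443, "allow"),        # Internet -> DMZ web, HTTPS
    Rule("any", "203.0.113.10/32", "tcp", 80, "allow"),         # Internet -> DMZ web, HTTP
    Rule("10.0.0.0/8", "any", "tcp", 443, "allow"),             # internal -> anywhere, HTTPS
    Rule("10.0.0.0/8", "any", "udp", 53, "allow"),              # internal -> DNS
    Rule("203.0.113.0/24", "10.0.0.0/8", "any", None, "deny"),  # a compromised DMZ host may not
                                                                # initiate into the internal network
]


def stateless_decision(pkt, rules=RULES):
    """First matching rule wins; no match means implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Same rules, plus a table of connections already admitted so their replies pass."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.established = set()   # (src, sport, dst, dport, proto) of allowed flows

    def decide(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if flow in self.established or reverse in self.established:
            return "allow"                         # part of a tracked connection
        action = stateless_decision(pkt, self.rules)
        if action == "allow":
            self.established.add(flow)             # remember the new connection
        return action


if __name__ == "__main__":
    fw = StatefulFirewall()
    out = Packet("10.1.2.3", "198.51.100.7", "tcp", 52000, 443)
    reply = Packet("198.51.100.7", "10.1.2.3", "tcp", 443, 52000)
    print("outbound HTTPS:", fw.decide(out))                    # allow
    print("reply, stateless:", stateless_decision(reply))       # deny (no rule matches)
    print("reply, stateful:", fw.decide(reply))                 # allow (tracked connection)
```

Two things to notice: an inbound packet to an internal host is dropped without any deny rule naming it, which is the implicit deny in action; and the HTTPS reply from the Internet has no matching allow rule either, so a stateless device would need a broad "allow from any port 443" rule to let it through, while the stateful version admits it only because it belongs to a connection the internal host opened.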
\n\n\n**Other Firewall Roles**\n\n1.\tNetwork Address Translation (NAT) Gateway\n-\tThe firewall translates between the public IP Addresses used on the internet and private IP Addresses used on the local networks\n2.\tContent/URL Filtering\n3.\tWeb application firewall \n-\tUnderstands how HTTP protocol works and dive deep into those application connections, looking for signs of SQL Injection, Cross-site scripting, and other web application attacks \n\n**Firewall Deployment Options **\nChoose deployment methodology\n\n**1.\tNetwork Hardware**\n-\tPhysical devices that sit on a network and regulate traffic \n**2.\tHost-Based software Firewalls**\n-\tSoftware applications that reside on a server that performs other functions\n\nMost organizations choose to use both network firewalls  \n \nChoose between Open-source Vs Proprietary technology\n-\tNetwork Hardware are always Proprietary\n-\tSoftware Firewalls may be either Proprietary or Open Source\nChoose Deployment Mechanism \n**1.\tHardware Appliance\n2.\tVirtual Appliance **\n\n**VPNs and VPN Concentrators **\n\nVPNs provide 2 security functions:\n\n1.\tSite-to-Site VPNs\n-\tConnect remote offices to each other and headquarters \n-\tEx= Branch → HQ\n2.\tRemote Access VPNs\n-\tProvide remote access to corporate networks for mobile users\n  \n**VPNs**\n\n\t-\tWorks by using encryption to create a virtual tunnel between two systems over the internet\n\t-\tEverything on one tunnel is encrypted and decrypted when it exits\n\t-\tVPNs require an endpoint that accepts VPN connections\n\t-\tEndpoints can be many things:\n\t-\tFirewalls\n\t-\tRouter\n\t-\tServer\n\t-\tDedicated VPN Concentrators - Used for High Volume \n\t-\tFirewalls, Router, Server does not contain specialized hardware that accelerates    \n\n**Encryption**\n\nIPSec (Internet Protocol Security) Protocol\n-\tCreates encrypted tunnels \n-\tWorks at Layer 3 : Network Layer \n-\tSupports Layer 2 Tunneling Protocol (L2TP) \n-\tProvides secure 
transport\n-\tDifficult to configure\n-\tOften used for static Site-to-Site VPN tunnels\n\nSSL/TLS VPNs\n-\tWork at the Application Layer over TCP port 443\n-\tWork on any system with a web browser\n-\tPort 443 is allowed through almost any firewall\n\nHTML5 VPNs\n-\tWork entirely within the web browser\n-\tA form of remote access VPN\n\nWhen implementing a remote access VPN, admins must choose:\n\n1.\tFull Tunnel VPN\n-\tAll network traffic leaving the connected device is routed through the VPN tunnel, regardless of final destination\n2.\tSplit Tunnel VPN\n-\tOnly traffic destined for the corporate network is sent through the VPN tunnel\n-\tOther traffic is routed directly over the Internet (risk of eavesdropping)\n-\tNot as safe, so not recommended\n\nSplit-tunnel VPNs provide users with a false sense of security\n\nAlways-On VPN\n-\tConnects automatically\n-\tTakes control away from the user\n-\tTraffic is always protected by strong encryption\n\n\n**Network Access Control (NAC)**\n-\tIntercepts network traffic coming from unknown devices and verifies that the system and user are authorized before allowing further communication\n-\tUses 802.1X authentication. 
This requires 3 devices\n\n1.\tSupplicant - the device that sends the request\n2.\tAuthenticator - the switch\n3.\tAuthentication Server - the backend\n\n**Supplicant (sends credentials) → Authenticator (receives the credentials and passes them to the Authentication Server) → Authentication Server (authenticates and sends the result to the Authenticator) → Authenticator → Supplicant → Access**\n\n**NAC Roles**\n\n1.\tUser and device authentication (what we discussed above)\n2.\tRole-based access\n-\tOnce the authenticator learns the identity of the requesting user, it places the user on the network based upon that user’s identity\n3.\tPosture checking/Health checking\n-\tBefore granting access, it checks for compliance with requirements:\n-\tValidating current signatures\n-\tVerifying antivirus presence\n-\tEnsuring proper firewall configuration\n-\tIf a device fails the posture check\n-\tIt will be placed into a quarantine VLAN where it will have limited internet access and no access to internal resources\n-\tPosture checking is done through an agent or agentless\n\n**Internet of Things**\n\n-\tSmart devices\n\n**IoT Security Challenges**\n\n-\tDifficult to update\n-\tConnect to home and office wireless (risk from malicious actors)\n-\tConnect back to cloud services for command and control, creating a pathway for external attackers\n\n**Security of IoT**\n\n-\tCheck for weak default passwords\n-\tMake sure to regularly update and patch\n-\tSome have automatic updates and some require manual updates downloaded from a website\n-\tIf worried, use firmware version control\n-\tUpdates are applied in an orderly fashion\n-\tSecurity wrappers (for organizations that must run vulnerable systems)\n-\tMini firewall for devices\n-\tDevice is not directly reached through the network\n-\tOnly processes vetted requests\n-\tMost secure way is network segmentation - isolating the devices in a separate network section where they will not have access to trusted networks\n-\tApplication firewalls provide added protection for embedded devices\n-\tNetwork segmentation is the most important control for 
embedded devices\n\n**Cloud Computing**\n\n-\tDelivering computing resources to a remote customer over a network\n-\tOfficial definition: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction\n\n**Cloud Service Categories**\n1.\tSoftware as a Service (SaaS)\n-\tCustomer purchases an entire app\n2.\tInfrastructure as a Service (IaaS)\n-\tCustomer purchases servers/storage and creates their own IT solutions\n3.\tPlatform as a Service (PaaS)\n-\tCustomer purchases an app platform\n\n**Cloud Deployment Models**\n1.\tPrivate Cloud\n-\tDedicated cloud infrastructure\n2.\tPublic Cloud\n-\tOrganization uses a multi-tenancy infrastructure (shared)\n3.\tHybrid Cloud\n-\tUses both private and public\n4.\tMulti Cloud\n-\tCombines resources from two different public cloud vendors (AWS + Azure)\n5.\tCommunity Cloud\n\n**Managed Service Providers (MSPs)**\n-\tOffer information technology services to customers\n\n**Managed Security Service Providers (MSSPs)**\n-\tProvide security services for other organizations as a managed service\n-\tMust be carefully monitored\n-\tOffer a wide range of services:\n-\tManage an entire security infrastructure\n-\tMonitor system logs\n-\tManage firewalls\n-\tManage Access \u0026 Identity Management\n-\tMSSPs are also known as Security as a Service (SECaaS)\n\n**Cloud Access Security Brokers (CASB)**\n-\tAdd a third-party security layer to the interactions that users have with cloud services\n\nWork in 2 ways\n\n\t1) Network-Based CASB\n\t-\tBroker intercepts traffic between the user and the cloud service, monitoring for security issues\n\t-\tBroker can block requests\n\t2) API-Based CASB\n\t-\tDoes not sit inline on the traffic, unlike a Network-Based CASB\n\t-\tThe broker queries the cloud service via API\n\t-\tBroker may not be able to 
block requests, depending upon API capabilities\n\n**Vendor Relationship Management**\n\n-\tEnsure that vendor security policies are at least as stringent as your own\n-\tVendor lock-in makes it difficult to switch vendors down the road, so be careful\n-\tConduct due diligence\n-\tSocialize with the team\n-\tPresent to stakeholders\n-\tSchedule weekly meetings\n\nStages of the vendor relationship\n\t1.\tVendor Selection\n\t-\tDue diligence\n\t2.\tOnboarding\n\t-\tVerify details of the contract\n\t-\tConfirm security incident notification\n\t3.\tMonitoring\n\t4.\tOffboarding\n\n**Vendor Agreements**\n\n**Non-Disclosure Agreement (NDA)**\n-\tKeep your mouth shut\n\n**Service-Level Requirements (SLR)**\n-\tDocument specific requirements that a customer has about any aspect of a vendor’s service performance\n-\tOnce agreed, sign the Service Level Agreement (SLA)\n\n**Memorandum of Understanding (MOU)**\n-\tA letter that documents aspects of the relationship\n-\tCommonly used when a legal dispute is unlikely but customer and vendor wish to document their relationship to avoid future misunderstandings\n-\tUsually used when one department is dealing with another department\n\n**Business Partnership Agreement (BPA)**\n-\tPartnership agreement to conduct business\n\n**Interconnection Security Agreement (ISA)**\n-\tDetails how two organizations will interconnect their networks\n\n**Master Services Agreement (MSA)**\n-\tBig project - documentation of expected services\n-\tA Statement of Work (SOW) is used when another project comes up\n-\tThe SOW is governed by the terms in the MSA. 
The SOW is like an addendum or patch\n-\tEnsure security requirements are mentioned in all agreements\n\n**Data Security Encryption**\n\n-\tUses math to make data unreadable to unauthorized individuals\n-\tTransforms text from plaintext to ciphertext\n-\tUses a decryption algorithm and key to read the message\n\nYou can use encryption in 2 different environments:\n\n1.\tData at Rest\n\t-\tStored data\n\t-\tCan be in:\n\t-\tFile\n\t-\tDisk\n\t-\tDevice\n\n2.\tData in Transit\n\t-\tData that is moving\n\t-\tHTTPS\n\t-\tEmail\n\t-\tMobile applications\n\t-\tVPN (Network)\n\n**Symmetric vs Asymmetric Cryptography**\n\n**Symmetric Encryption**\n\n-\tYou encrypt and decrypt with the same shared secret key\n-\tIt's like a password to a message\n-\tYou will keep needing more keys as the network grows\n\n**Asymmetric Encryption**\n\n-\tYou encrypt and decrypt with different keys from the same pair\n-\tKeys used for asymmetric encryption and decryption (public \u0026 private) must be from the same pair\n\n**Advanced Encryption Standard (AES) → Symmetric**\n**Rivest-Shamir-Adleman (RSA) → Asymmetric**\n\n**Hash Functions**\n\n-\tOne-way function that transforms a variable-length input into a unique, fixed-length output\n-\tOne-way function = cannot be reversed\n-\tThe output of a hash function will always be the same length, regardless of input size\n-\tNo two inputs to a hash function should produce the same output\n\nAll criteria above must be met to have an effective hash function\n\n2 ways a hash function can fail:\n\n1.\tIf it is reversible\n2.\tIf it is not collision-resistant\n\n**Common Hash Functions**\n\nYou must know which functions are considered insecure and which remain secure\n\n**1.\tMessage Digest 5 (MD5)**\n-\tRon Rivest created MD5 in 1991\n-\tMD5 is the 5th in a series of hash functions\n-\tMessage digest is another term for hash\n-\tMD5 produces 128-bit hashes\n-\tMD5 is no longer secure\n\n**2.\tSHA-1**\n-\tProduces a 160-bit hash value\n-\tContains security flaws 
\n-\tSHA-1 is no longer secure\n\n**3.\tSHA-2**\n-\tReplaced SHA-1\n-\tConsists of a family of 6 hash functions\n-\tProduces output of 224, 256, 384 and 512 bits\n-\tUses a mathematically similar approach to SHA-1 and MD5\n-\tSHA-2 is no longer secure\n\n**4.\tSHA-3**\n-\tDesigned to replace SHA-2\n-\tUses a completely different hash generation approach than SHA-2\n-\tProduces hashes of user-selected fixed strength\n-\tSome people do not trust the SHA algorithms because the NSA created them\n\n**5.\tRIPEMD**\n-\tCreated as an alternative to government-sponsored hash functions\n-\tProduces 128, 160, 256, and 320-bit hashes\n-\tContains flaws in the 128-bit version\n-\tThe 160-bit version is widely used, even in Bitcoin\n\n**Hash-Based Message Authentication Code (HMAC)**\n-\tCombines symmetric cryptography and hashing\n-\tProvides authentication and integrity\n-\tCreates and verifies a message authentication code by using a secret key in conjunction with a hash function\n\n**Data Lifecycle**\n-\tExplains the different stages of data in the cloud\n\n\t\t1.\tCreate\n\t\t2.\tStore\n\t\t3.\tUse\n\t\t4.\tShare\n\t\t5.\tArchive\n\t\t6.\tDestroy\n\n-\tDestruction must be done in a secure manner\n-\tData sanitization techniques:\n-\tClearing overwrites sensitive information to frustrate casual analysis\n-\tPurging\n-\tDestroying: shredding, pulverization, melting and burning\n\n**Data Classification**\n-\tAssign information into categories, known as classifications, that determine storage, handling, and access requirements\n\n**Assign Classification Based Upon:**\n\n1.\tSensitivity of information\n2.\tCriticality of information\n\n**Classification Levels**\n1.\tHigh, Medium, Low\n2.\tPublic vs Private\n\n**Labeling Requirements**\n-\tRequirement to identify sensitive information\n\n**3 Types of Information Classified by External Groups**\n\n1.\tPersonally Identifiable Information (PII)\n-\tTraceable to a specific person\n2.\tProtected Health Information (PHI)\n-\tCovered by HIPAA\n3.\tPayment Card 
Information (PCI)\n-\tCovered by PCI DSS\n\n**Logging and Monitoring**\n\nLogging establishes:\n1.\tAccountability\n-\tWho caused the event\n-\tA.K.A. identity attribution\n2.\tTraceability\n-\tUncover all other related events\n3.\tAuditability\n-\tProvide clear documentation of the events\n-\tRealistically, the logging data of a company can be overwhelming. Artificial intelligence can help solve security data overload\n\n**Security Information and Event Management (SIEM)** has 2 functions:\n\n1.\tActs as a central secure collection point\n-\tAll systems send log entries directly to the SIEM\n-\tFirewall logs, web server logs, database logs and router logs are all sent to the SIEM, which provides an overall picture\n2.\tSource of artificial intelligence\n\n**Intrusion Detection System**\n-\tTriggers the initial alert\n\n**Security Awareness and Training**\n\n**Social Engineering**\n-\tManipulating people into divulging information or performing an action that undermines security.\n\n6 reasons why social engineering works:\n\n\t1.\tAuthority\n\t2.\tIntimidation\n\t3.\tConsensus\n\t4.\tScarcity\n\t5.\tUrgency\n\t6.\tFamiliarity\n\n**Impersonation Attacks**\n\n-\tSpam\n-\tUnsolicited commercial email\n-\tPhishing\n-\tPhishing is a category of spam\n-\tSteals credentials\n-\tSpear Phishing\n-\tHighly targeted phishing\n-\tCustomized phishing attacks\n-\tWhaling\n-\tPhishing targeted at executives\n-\tPharming\n-\tUsing fake websites\n-\tVishing\n-\tVoice phishing\n-\tSmishing and Spam\n-\tSMS and IM spam\n-\tSpoofing\n-\tFaking an identity\n\n**Security Awareness Training**\n-\tPrograms help educate users about risks\n-\tProvides users with the knowledge they need to protect the organization’s security\n\n**Security Awareness**\n-\tKeeps the lessons learned during security training top of mind for employees.\n\n**Security Training Methods**\n-\tInstruction in on-site classes\n-\tIntegration with orientations\n-\tEducation through online computer-based 
training providers\n-\tParticipation in vendor-provided classroom training\n-\tImplement role-based training\n-\tConsider frequency of training\n-\tReview training materials regularly to ensure relevance\n\n**Use a Diversity of Training Techniques**\n-\tPhishing simulations\n-\tGamification\n-\tCapture the Flag exercises\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyb0rgdoll%2Fisc2-cc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcyb0rgdoll%2Fisc2-cc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyb0rgdoll%2Fisc2-cc/lists"}