GSEC OVERVIEW Cheat Sheet by xoulea

Wi-Fi Protected Setup (WPS) is a non-pr­opr­ietary and optional push-b­utton config­uration specif­ication that is considered a security vulner­ability and should not be used in the enterp­rise. It is commonly attacked either online or offline against the PIN generated by the Wireless Access Point (WAP) entered on the device.

According to the Wi-Fi Alliance, Protected Management Frames offers protection for unicast and multicast management action frames. Unicast management action frames are protected from both eavesd­ropping and forging, and multicast management action frames are protected from forging. They augment privacy protec­tions already in place for data frames with mechanisms to improve the resiliency of missio­n-c­ritical networks.

Zigbee is an IEEE 802.15.4-­based specif­ication for a suite of high-level commun­ication protocols used to create personal area networks with small, low-power digital radios, such as for home automa­tion, medical device data collec­tion, and other low-power low-ba­ndwidth needs.

The Internet of Things or IoT is a system of interr­elated computing devices, mechanical and digital machines, objects, animals or people. These objects are enabled with unique identi­fiers (UIDs) and the ability to transfer data over a network without requiring human-­to-­human or human-­to-­com­puter intera­ction. An IoT ecosystem consists of web-en­abled smart devices that use embedded systems, such as proces­sors, sensors and commun­ication hardware, to collect, send and act on data they acquire from their enviro­nments.

There are three components in the 802.1X archit­ecture: supplicant (or client), network author­ization device (NAD) or Authen­tic­ator, and authen­tic­ation server. The client is the NAD and the server is usually a RADIUS or TACACS­/TA­CACS+ server. The supplicant is a combin­ation of the endpoint attempting to get on the network and the software agent running on the device.

Netcat is the Swiss army knife of networking tools and it can be run standalone or in an exploit kit. The most common cracking uses for Netcat are setting up reverse and bind shells, piping and redire­cting network traffic, port listening, debugging programs and scripts and banner grabbing by making a raw connection to an FTP or Web server.

At AWS, Security groups (SGs) are tied to an instance whereas Network Access Control Lists ACLs are tied to the subnet. While NACLs allow or deny traffic before it reaches an SG, the SG controls the traffic flow to and from the instance.

The AWS Key Management System (KMS). It supports asymmetric keys. You can create, manage, and use public­/pr­ivate key pairs to protect your applic­ation data using the new APIs via the AWS SDK.

Auto-s­caling is the cloud platform’s capacity to react to the live traffic load on the applic­ati­on/­wor­kload by spinning up or down server instances on an ad-hoc basis. This ability to auto scale allows the provider to add or remove additional computing power to the instance cluster based on the demand and thus ensure the consistent handling of the traffic and optimize costs.

To create or delete management locks, you must have access to Micros­oft.Au­tho­riz­ation/ or Micros­oft.Au­tho­riz­ati­on/­locks/ actions. Of the built-in roles, only Owner and User Access Admini­strator are granted those actions.

An Availa­bility Zone (AZ) is a high-a­vai­lab­ility offering that protects applic­ations and data from data center failures. AZs are unique physical locations within an Azure region. Each zone is made up of one or more data centers equipped with indepe­ndent power, cooling, and networ­king. To ensure resili­ency, each enabled region has a minimum of three separate zones. The physical separation of Availa­bility Zones within a region protects applic­ations and data in the event of data center failures.

Office 365 uses Azure Active Directory (Azure AD), a cloud-­based user identity and authen­tic­ation service that is included with your Office 365 subscr­iption, to manage identities and authen­tic­ation for Office 365. In fact, any person with an existing Microsoft email account has an instance of Azure AD just waiting for activa­tion.

Infras­tru­cture as a service (IaaS) is an instant computing infras­tru­cture, provis­ioned and managed over the internet. IaaS quickly scales up and down with demand, letting you pay only for what you use. It helps you avoid the expense and complexity of buying and managing your own physical servers and other datacenter infras­tru­cture. Each resource is offered as a separate service component, and you only need to rent a particular one for as long as you need it.

Xen, Red Hat, KVM, VMware, and Hyper-V are examples of hyperv­isors. A hypervisor is software that creates and runs virtual machines or VMs. The hypervisor creates an abstra­ction of underlying hardware and the VMs that use its resources are guests. A hypervisor is sometimes also called a Virtual Machine Manager (VMM).

A hypervisor is the software that generates and controls a virtual infras­tru­cture allowing multiple OSs to run on a single physical machine my managing the finite resources of the system running the hypervisor called the “host” and the virtual machines running on the host called “guests”.

Containers isolate applic­ations from each other on a shared OS. Contai­nerized applic­ations run on top of a container host that in turn runs on the OS (Linux or Windows). Containers therefore have a signif­icantly smaller footprint than virtual machine (VM) images. Contai­ner­ization is an approach to software develo­pment in which an applic­ation or service, its depend­encies, and its config­uration are packaged together as a container image.

Identity and Access Management (IAM) ensures that users are who they say they are (authe­nti­cation) and that they can access the applic­ations and resources they have permission to use (autho­riz­ation). IAM solutions include single sign-on (SSO), multi-­factor authen­tic­ation (MFA) and access manage­ment, as well as directory for securely storing identity and profile data and data governance to ensure that only needed and relevant data is shared.

Center for Internet Security (CIS) is a forwar­d-t­hinking nonprofit that harnesses the power of a global IT community to safeguard public and private organi­zations against cyber threats. Following are the founda­tional controls defined by CIS.

Founda­tional CIS Controls:
• Email and Web Browser Protec­tions
• Malware Defenses
• Limitation and Control of Network Ports, Protocols and Services
• Data Recovery Capabi­lities
• Secure Config­uration for Network Devices, such as Firewalls, Routers and Switches
• Boundary Defense
• Data Protection
• Controlled Access Based on the Need to Know
• Wireless Access Control
• Account Monitoring and Control

The CIS 20 organi­zat­ional controls are as follows:
• Implement a Security Awareness and Training Program,
• Applic­ation Software Security,
• Incident Response and Manage­ment, and
• Penetr­ation Tests and Red Team Exercises.

Basic CIS Controls:
• Inventory and Control of Hardware Assets
• Inventory and Control of Software Assets
• Continuous Vulner­ability Management
• Controlled Use of Admini­str­ative Privileges
• Secure Config­uration for Hardware and Software on Mobile Devices, Laptops, Workst­ations and Servers
• Mainte­nance, Monitoring and Analysis of Audit Logs

NFC stands for “Near Field Commun­ica­tion” and, as the name implies, it enables short-­range commun­ication between compatible devices. This requires at least one transm­itting device, and another to receive the signal. A range of devices can use the NFC standard and will be considered either passive or active. NFC is a mainstream wireless techno­logy. Passive NFC devices include tags, and other small transm­itters, that can send inform­ation to other NFC devices without the need for a power source of their own. Active devices are able to both send and receive data and can commun­icate with each other as well as with passive devices.

Network Load Balancer (NLB) distri­butes traffic based on network variables, such as IP address and destin­ation ports. It is layer 4 (TCP) and below and is not designed to take into consid­eration anything at the applic­ation layer such as content type, cookie data, custom headers, user location, or the applic­ation behavior. Applic­ation Load Balancer (ALB) on the other hand distri­butes requests based on multiple variables, from the network layer to the applic­ation layer. ALB is full-f­eatured Layer-7 load balancer, HTTP and HTTPS listeners only.

A whaling attack is a phishing variant that targets senior management in an attempt to steal sensitive data like financial inform­ation or personal employee inform­ation typically for malicious reasons.

Typosq­uatting (also known as URL hijack­ing), is a form of cybers­qua­tting targeting people that mistype an intended website address into their web browser. Cybers­qua­tters register domain names that are a slight variation of the target URL, which is usually a common spelling error. Typosq­uatting is a form of social engine­ering attack that tries to lure users into visiting malicious sites with URLs that are common misspe­llings of legitimate sites. These sites can cause signif­icant damage to the reputation of organi­zations that are victimized by these attackers and harm users who are tricked into entering sensitive details into fake sites. For example, gooogle, facebooj.

Since ransomware encrypts files instead of exfilt­rating files, a rigorous backup and restore policy involving snapshots and disk imaging will eliminate most of the impact of the malware attack. Anti-r­ans­omware solutions enable organi­zations to fight against ransom­ware.

Since ransomware encrypts files instead of exfilt­rating files, a rigorous backup and restore policy involving snapshots and disk imaging will eliminate most of the impact of the malware attack. Anti-r­ans­omware solutions enable organi­zations to fight against ransom­ware.

The classi­fic­ation and labeling of all data assets is a combin­ation of uniform protection and inform­ati­on-­centric defens­e-i­n-d­epth. Vector­-or­iented defense in depth involves identi­fying all ingress and egress points and all probable threat agents and specific vectors.

The defens­e-i­n-depth approach is a layered approach to security. By providing various layers of security or security controls, for example, physical security, policies and proced­ures, firewalls at perimeter, IPS/IDS at DMZ, antivi­ruses and anti-m­alwares at host and network level, a network can be better protected against threats than deploying just one security control.

Defense in depth involves implem­enting multiple layers of security to defend property, facili­ties, systems, applic­ations, and data. According to the SANS institute, there are four fundam­ental approaches to defense in depth, based on risk treatment: Uniform protec­tion, Protected zoning, Inform­ation centric, and analyze threat vectors.

Honey tokens (aka Honey pots) are placed on systems in reasonable locations but not where the average end users would find them. A honeypot is a computer or computer system intended to mimic likely targets of cybera­ttacks. It can be used to detect attacks or deflect them from a legitimate valuable target system or Honeypots can also be used to gain inform­ation about how cyberc­rim­inals operate.

A honeypot is a computer or system intended to imitate the likely targets of cybera­ttacks. It can be used to detect attacks as well as deflect them from a legitimate target. It can also be used to gain inform­ation about how cyberc­rim­inals operate, getting logs of their operat­ions. The basic principle behind them is simple i.e. to prepare something (honeypot) that would attract the attacker’s interest and then wait for the attackers to show up.

Security expert John Strand and his team developed the Active Directory Active Defense (ADAD) security initiative using tools from his Active Defense Harbinger Distri­bution (ADHD).

The following are the three main attrib­ute­s/m­ech­anisms for active defense:
• Deception – The idea behind cyber deception follows the tactic of planting misinf­orm­ation to deceive the attacker and take their focus away from the original target. Traps in the network, endpoints, and servers can be set up to reveal attackers or malicious insiders without them even knowing.
• Attrib­ution – This is the process of tracking, identi­fying and laying blame on the perpet­rator of a cybera­ttack or attempting a hacking exploit.
• Counte­rattack – This is considered to be the most efficient means of forcing the attacker to abandon offensive plans. Cyber counter attacks are sometimes used as a means of self-d­efense to slow down or even stop cyber attacks

An indicator of compromise (IoC) shows that there is an artifact or series of artifacts discovered on an endpoint indicating a breach with high confid­ence. IOCs artifacts enable inform­ation security profes­sionals to detect intrusion attempts or other malicious activi­ties.

An elite team can find things your automated response systems may miss. It can learn from incidents that have taken place, aggreg­ating crowds­ourced data, and providing response guidance when malicious activity is discov­ered. Having expert hunters working 24/7 on your behalf matches the ingenuity of determined attackers like no automated technology can.

An Indicator of Attack (IoA) is a unique constr­uction of unknown attributes that are leveraged for a proactive approach to security. An IoA can consist of:
• Stealth behavior
• Persis­tence
• Code execution
• Command and Control
• Lateral movement

Indicators of Compromise (IOCs) are remnants, artifacts, and traces of a breach or attack on a system, network, applic­ation, or hosts. They can be precursors of a fully successful attack with all phases not being activated yet. Some practi­tioners call these indicators cyber observ­ables or malware observ­ances.

Attrib­ution as an active defense method­ology that determines data about an attacker and their goals and targets. It is a valuable activity for incident response team members although it may be ineffe­ctive since source addresses are likely spoofed.

The attack back strategy involves inform­ation gathering, seek and disrupt, and seek and destroy actions yet is the most dangerous for the counte­r-a­tta­cker.

Pivoting is a technique of using an instance (aka ‘plant’ or ‘footh­old’) to be moved around inside of a network. It leverages the first compromise to assist in vertical or horizontal (N/S or E/W) movement to aid in the compromise of other otherwise unreac­hable systems.

Crypto­jacking is the unauth­orized use of a personal device by cyberc­rim­inals to mine for crypto­cur­rency. Users can click on a malicious link in an email that loads crypto­mining code on the computer or cloud based workloads. This is a common attack towards cloud platforms (public or private).

Many attackers use botnets to launch DDoS attacks. A botnet is a collection of compro­mised machines that the attacker can manipulate from a command and control (C2 or CnC) system to partic­ipate in a DDoS, send spam emails, and perform other illicit activi­ties. Figure 4-3 shows how a botnet is used by an attacker to launch a DDoS attack. The figure illust­rates, the attacker sending instru­ctions to the C2 server; subseq­uently, the command and control server sending instru­ctions to the bots within the botnet to launch the DDoS attack against the victim.

Transport Layer Security (TLS) is a protocol that provides authen­tic­ation, privacy, and data integrity between two Internet applic­ations. It is the most widely deployed security protocol used today and is used for web browsers and other applic­ations that require data to be securely exchanged over a network. TLS evolved from Netscape's Secure Sockets Layer (SSL) protocol and has superseded it for the most part.

Monitoring the file size assumes that a malicious version of an applic­ation would have a different file size than the original. However, attackers can also change the size of any given file. It is better to use attributes such as digital signatures and crypto­graphic hashes e.g. Message Digest algorithm 5 (MD5) or Secure Hash Algorithm 1 (SHA).

Key stretching attempts to make passwords based on one-way hashes much harder to compro­mise. It uses a key derivation process combined with a specia­lized function such as PBKDF2, bcrypt, or scrypt.

RSA is one of the original public-key crypto­systems and is still commonly used for secure data transm­ission. The acronym RSA is the initial letters of the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman, who published the algorithm in 1977.

With forward secrecy every TLS connection to the web server is indivi­dually protected. One of the biggest flaws of RSA is that it does not natively provide forward secrecy for TLS.

Techni­cally speaking, a hash collision is a situation when the resultant hashes for two or more data input elements in a data set map to the same location in the hash table. A trustw­orthy hash function must be highly collision resistant. This is a known vulner­ability of MD5.

Asymmetric encryption (also known as public key crypto­graphy) uses two unique keys, a public key and a private key. The data is encrypted with the public key and only the matching private key can decrypt it. The private key is kept secret, whereas the public key can be given to anyone.

Message Digest 5 (MD5) algorithm is an example of a crypto­graphic hash function. The result of the hash is a fixed-­length small string of data and is sometimes referred to as the digest, message digest, or simply the hash. Most software vendors publish the MD5 hash of the software package. This way the receiver of the software can run the same hash against the software and compare the results against the results the vendor published. If the hash generated matches the hash that was published, the software is intact from an integrity perspe­ctive.

Digital signatures are based on public key crypto­graphy (asymm­etric crypto­gra­phy). The most common is RSA and provides integrity, origin authen­tic­ation, and non-re­pud­iation of transa­ctions. To achieve confid­ent­iality however, the digitally signed entity should be sent over a TLS or IPsec secure commun­ication channel (essen­tially an encrypted transm­ission medium).

IPsec is an end-to-end security technology that allows two (or more) devices to commun­icate securely over a possibly unsecure medium. While the transport mode encrypts the data that is sent between peers, the tunnel mode encaps­ulates the entire packet and adds a new IP header.

TLS, SSL, and IPsec are various methods and protocols that can be used to protect data in transit. These protocols and secure data traversal mechanisms allow data payload and headers to be encrypted in such a way that an attacker cannot snoop into the data midway between sender and receiver. TLS is an improved version of SSL.

Transport Layer Security (TLS) is arguably the most important protocol for global commun­ication and one of the most secure key exchange mechanisms that two parties can use is Elliptic Curve Diffie­-He­llman Ephemeral.

The following inform­ation is found in a typical X.509 certif­icate:
• Serial Number: Used to uniquely identify the certif­icate
• Subject: The person, or entity identified
• Signature Algorithm: The algorithm used to create the signature
• Signature: The actual signature to verify that it came from the issuer
• Issuer: The entity that verified the inform­ation and issued the certif­icate
• Valid-­From: The date the certif­icate is first valid from
• Valid-To: The expiration date
• Key-Usage: Purpose of the public key, for example, certif­icate signing
• Public Key: The key used to encrypt inform­ation (The private key is kept secret as it is used to decrypt inform­ation, and once made public or leaked, the key-pair is unsafe to use.)
• Thumbprint Algorithm: The algorithm used to hash the public key certif­icate
• Thumbp­rint: The hash itself, used as an abbrev­iated form of the public key certif­icate

The CA follows one of these validation processes: Domain Validated (DV), which is the most common, Organi­zation Validated (OV), and Extended Validation (EV) which shows the green padlock. Upon valida­tion, the CA issues the certif­icate and all interm­ediary certif­icates needed to chain to its root.

True positives: The security control, such as an IPS sensor, acted as a conseq­uence of malicious activity. This represents normal and optimal operation. True negatives: The security control has not acted, because there was no malicious activity. This represents normal and optimal operation. False positives: The security control acted as a conseq­uence of non-ma­licious activity. This represents an error, generally caused by too tight of proactive controls. False negatives: The security control has not acted, even though there was malicious activity. This represents an error, generally caused by too relaxed proactive controls (which permit more than just minimal legitimate traffic) or too specific reactive controls.

False negatives is the term used to describe a network intrusion device’s inability to detect true security events under certain circum­sta­nces—in other words, a malicious activity that is not detected by the security device. The broad term false positive describes a situation in which a security device triggers an alarm, but no malicious activity or actual attack is taking place. In other words, false positives are false alarms.

An acceptable use policy (AUP) is a document stipul­ating constr­aints and practices that a user must agree to for access to a corporate network or the Internet. Many businesses and educat­ional facilities require that employees or students sign an acceptable use policy before being granted network access.

Guidelines are recomm­end­ations to users when specific standards do not apply. They are designed to streamline certain processes according to establ­ished best practices. Policies on the other hand are mandatory processes.

Policies must be followed whereas guidelines are recomm­end­ations that may be followed.

A written inform­ation security policy is the keystone of an Inform­ation Security Program. The policy should mirror the organi­zat­ion’s mission, goals, and objectives based on how executive management positions and priori­tizes security.

Some examples of popular vulner­ability scanners include the following:
• Nessus from Tenable
• Retina from Beyond Trust
• Nexpose from Rapid7
• AppScan from IBM
• Nmap
• SAINT

The IP header is a total of 32 bits. The version field is 4 bits. The version field is the first header field in an IP packet.

Time-t­o-live (TTL) - designates the number of hops a packet can take before it reaches its destin­ation - is a value in an Internet Protocol (IP) datagram that tells a network router whether or not the packet has been in the network too long and should be discarded. In IPv6 the TTL field in each packet has been renamed the hop limit.


IPv4 Address Resolution Protocol (ARP) was replaced by the ICMPv6 Neighbor Discovery Protocol (NDP) in IP version 6. One of the functions of the IPv6 NDP is to resolve network layer (IP) addresses to link layer (for example, Ethernet) addresses. The Secure Neighbor Discovery (SEND) Protocol prevents an attacker who has access to the broadcast segment from abusing NDP or ARP to trick hosts into sending the attacker traffic destined for someone else, a technique known as ARP poisoning.

ARP (Address Resolution Protocol) converts an internet protocol (IP) address to its corres­ponding physical network address. IP networks, including those that run on Ethernet and Wi-Fi, require ARP to function properly.
Fragme­ntation is used to break up a datagram into smaller packets for a neighbor router that supports a smaller max transm­ission unit (MTU). This is accomp­lished using fields in the IP header.

The Traffic Class field indicates class or priority of IPv6 packet which is similar to Service Field in IPv4 packet. It helps routers to handle the traffic based on priority of the packet. If congestion occurs on router then packets with least priority will be discarded. As of now only 4-bits are being used (and remaining bits are under research), in which 0 to 7 are assigned to Congestion controlled traffic and 8 to 15 are assigned to Uncont­rolled traffic.

Encaps­ulating Security Payload EH is similar in format and use to the IPv4 ESP header defined in RFC2406. All inform­ation following the Encaps­ulating Security Header (ESH) is encrypted and for that reason, it is inacce­ssible to interm­ediary network devices. The ESH can be followed by an additional Destin­ation Options EH and the upper layer datagram.

TCP (Trans­mission Control Protocol) is a layer 4 protocol. TCP works with the Internet Protocol (IP) at layer 4 of the OSI model. It is connec­tio­n-o­rie­nted, ordered and should be used if your service needs a reliable transm­ission of datagrams. TCP is meant to provide error-free data transm­ission as it handles retran­smi­ssion of dropped or garbled packets and acknow­ledges all packets that arrive. TCP provides multip­lexing, demult­ipl­exing, and error detection. TCP is connec­tio­n-o­riented because before one applic­ation process can begin to send data to another, the two must first establish a "­han­dsh­ake­" with each other. UDP is connec­tio­nless, TTL is Time To Live – it is a value in an Internet Protocol (IP) packet that tells a network router whether or not the packet has been in the network too long and should be discarded. Real-Time Protocol (RTP) is based on UDP and is connec­tio­nless as it is used for transm­ission of real time voice and/or video packets.

TCP (Trans­mission Control Protocol) is a layer 4 protocol and a standard that defines how to establish and maintain a network conver­sation via which applic­ation programs can exchange data. TCP works with the Internet Protocol (IP) at layer 4 of the OSI model. It is connec­tio­n-o­rie­nted, ordered and should be used if your service needs a reliable transm­ission of datagrams. TCP is meant to provide error-free data transm­ission as it handles retran­smi­ssion of dropped or garbled packets and acknow­ledges all packets that arrive.

Wireshark and tcpdump are both examples of packet analyzers. Wireshark is a GUI-based free and open source packet analyzer. tcpdump is a CLI-based packet analyzer and is also free and open source (distr­ibuted under a BSD license). tcpdump, runs on Linux and Mac OS X systems.

Tcpdump, written in C, is a data-n­etwork packet analyzer computer program that runs under a command line interface. It allows the user display TCP/IP and other packets being transm­itted or received over a network to which the computer is attached.

ISO 31000:2009 involves risk management principles and guidel­ines. It offers princi­ples, a framework, and a process for managing risk. It can be used by any organi­zation regardless of its size, activity, or sector. The first phase will be to ascertain the purpose, context, and scope of the risk assessment and management program.

Vulner­ability Management begins with assessment and priori­tiz­ation of assets so that you can better determine the Return on Security Investment (ROSI). The next step is to start building the risk register (log or ledger) based on semi-q­uan­tit­ative or quanti­tative approach if one does not already exist.

Risk assessment can be done in two possible ways: quanti­tative and qualit­ative. Quanti­tative risk assessment involves dollar values and mathem­atical formulas and aims to determine tangible values. Qualit­ative risk assessment uses questi­oners and/or interv­iews.

The acronym RACI is as follows:
1. respon­sible,
2. accoun­table,
3. consulted, and
4. informed.

It is used for clarifying and defining roles and respon­sib­ilities typically in cross-­fun­ctional projects and/or processes.

The term "risk transf­er" is often used in place of risk sharing, although in practice the transfer of risk to an insurance or outsou­rcing company may result in loss if the company goes out of business.

Annualized Loss Expectancy (ALE) = Single Loss Expectancy ? Annualized Rate of Occurrence in classic quanti­tative analysis

An incident is an establ­ished negative occurrence that affects the state of data, network, applic­ation, or system. An incident can cause damage or loss, either directly (primary) or indirectly (secon­dary). All incidents are made up of events, but not all events are catego­rized as incidents.

Incident response lifecycle consists of six phases:
1. Prepar­ation
2. Identi­fic­ation
3. Contai­nment
4. Eradic­ation
5. Recovery
6. Lessons learned


Business Continuity Planning (BCP) consists of Business Impact Analysis (BIA), Backups and Restor­ation, and Disaster Recovery Planning (DRP). The BIA is a key step in implem­enting the Continuity Planning controls in NIST SP 800 53 and in the contin­gency planning process overall.

Two of the important parameters that define a Business Continuity Disaster Recovery (BCDR) plan are the Recovery Point Objective (RPO) and Recovery Time Objective (RTO). These are defined as follows:
• RPO is the interval of time that might pass during a disruption before the quantity of data lost during that period exceeds the Business Continuity Plan’s maximum allowable threshold or tolerance.
• RTO is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacce­ptable conseq­uences associated with a break in contin­uity.
•
Recovery time objective (RTO) is the maximum required amount of time allowed between an unforeseen failure or disaster and the resumption of regular operations and service levels. The RTO describes the point in time after a failure or disaster at which the conseq­uences of the interr­uption become unacce­ptable. Recovery Time Objective (RPO) is the target time you set for the recovery of your IT and business activities after a disaster has struck. The goal here is to calculate how quickly you need to recover, which can then dictate the type or prepar­ations you need to implement and the overall budget you should assign to business contin­uity.

A cold site is the least expensive disaster recovery option as there is practi­cally nothing at the site except for electr­icity, HVAC, and utilities. It may have ethernet cable installed or may rely on a wireless network instal­lation.

Increm­ental backups begin with a full backup. But once that initial full backup is taken, increm­ental backups only copy the parts of files that have changed since the previous backup. Once the increm­ental backup has run, it won’t back up that file again until the next full backup, unless the file changes.

A differ­ential backup is a data backup that copies all of the files that have changed since the last full backup was performed. This includes any data that has been created, updated or altered in any way and does not copy all of the data every time. The term differ­ential backup is based on the concept that only data that is "­dif­fer­ent­" is copied. An increm­ental backup is a backup type that only copies data that has been changed or created since the previous backup activity was conducted.

Snapshots and tradit­ional backups essent­ially have a similar role. They both make copies of the data on your system which you can later restore. The first snapshot is a precise copy of the given virtual machine or data volume. Ensuing snapshots store data blocks (usually as object­/blob storage) that have been changed or added in the meantime. It can perform versioning and fallback activities much faster than tradit­ional backups.

When deploying a Windows Server Update Services (WSUS) implem­ent­ation, it is important to realize that a single server can handle more than 10,000 client systems.

A Windows network operating system domain controller is a server that handles network security, effect­ively functi­oning as the gatekeeper for user authen­tic­ation and author­iza­tion. Domain contro­llers are especially important in Microsoft directory services termin­ology, and function as the primary mode for authen­tic­ating Windows user identi­ties.

In order to have a domain implem­ented, you will need to configure a domain controller to centrally authen­ticate users who wants to connect and provides them the resources that they need. The domain contro­llers are also essential in adding an extra layer of security for the system beyond the normal usual security from individual computers in workgr­oups.

The user employs Remote Desktop Protocol (RDP) client software for this purpose, while the other computer must run RDP server software. This service should be disabled if not absolutely necessary as part of system hardening.

There are three Servicing Channels in Windows:
1. Semi Annual
2. Windows Insider, and
3. The Long-Term Channel.
Home edition users can defer quality (not feature) updates for up to 35 days.

According to Microsoft, BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufa­ctu­rers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. Microsoft offers BitLocker as a built-in encryption with Windows OS.

BitLocker uses the Advanced Encryption Standard (AES) for protecting data at rest. BitLocker uses (AES) as its encryption algorithm with config­urable key lengths of 128 or 256 bits. The default encryption setting is AES-128, but the options are config­urable by using Group Policy.
The AGULP model goes as follows: Accounts > Global Groups > Universal Groups > Local Groups > Permis­sions and Rights.

The shared folder is made possible by the File and Print Sharing service and the SMB protocol. Share permis­sions are Full Control, Change, and Read.

The Registry Key structure (registry hive) is similar to folders. A single folder stores all the inform­ation and data related to that folder. In a Registry Key, the highes­t-level folder is a Hive (or Registry Hive). Also, if you further classify any inform­ation then you create sub-fo­lders. The sub-folder in Windows Registry Key is classified as a Key and any folder under a sub-folder is called a Sub Key. The following figure gives an insight to the Windows Registry Hive.

Windows AppLocker is applicable to Windows 10 and Windows Server only. AppLocker helps reduce admini­str­ative overhead and helps reduce the organi­zat­ion's cost of managing computing resources by decreasing the number of Help Desk calls that result from users running unapproved apps.

According to Microsoft, User Account Control (UAC) helps prevent malware from damaging a PC and helps organi­zations deploy a better­-ma­naged desktop. With UAC, apps and tasks always run in the security context of a non-ad­min­ist­rator account, unless an admini­strator specif­ically authorizes admini­str­ato­r-level access to the system. UAC can block the automatic instal­lation of unauth­orized apps and prevent inadve­rtent changes to system settings.

Group Policy and Group Policy Objects is the strategy for centra­lized admini­str­ation but works only in conjun­ction with Active Directory. Admini­str­ators can manage Group Policy using the Group Policy Management Console (GPMC).

Azure PowerShell modules can be installed by using PowerS­hellGet on Windows, macOS, and Linux platforms. PowerShell 7.x and later are the recomm­ended versions of PowerShell for use with Azure PowerShell on all platforms.

According to Microsoft, PowerShell is a cross-­pla­tform task automation and config­uration management framework, consisting of a comman­d-line shell and scripting language. PowerShell is built on top of the .NET Common Language Runtime (CLR) and accepts and returns .NET objects. This fundam­ental change brings entirely new tools and methods for automa­tion.

Windows Event Viewer displays the Windows event logs. This is the default applic­ation to view and navigate the logs, search and filter particular types of logs, export logs for analysis, and much more.

Before applying a security template using the SCA tool, you should always perform a full backup that includes the System State. There is no feature to revert back to a previous state or “undo” after applying the template.

Since there is no fallback or undo feature in the SCA tool, you should make a backup of the production server that includes the system state.

You should always set the sticky bit on these direct­ories so that only the owner can removed his own files, with the exception of the owner of the sticky bit directory (and the root user), who can delete all of the files in the directory. These direct­ories are intended for storing temporary files that may be made by anyone.

You can add a new user in Linux using the command:
$ sudo useradd username

To maintain a record of which files belong to which user and to enforce some security, Linux uses the concept of ownership. Every file belongs to an owner—a user—and to a group. On Unix-like operating systems, the chown command changes ownership of files and direct­ories in a filesy­stem.

The /dev directory holds device drivers; /usr is the primary read-only directory; /var contains log files, queues, and more; and /home has user home direct­ories.

Bash is a Unix shell and command language written by Brian Fox for the GNU Project as a free software replac­ement for the Bourne shell. First released in 1989, it has been used as the default login shell for most Linux distri­butions and all releases of Apple's macOS prior to macOS Catalina.

Linux (and flavors of Unix) have following shells to offer:
• The Bourne Shell (sh): Developed at AT&T Bell Labs by Steve Bourne, the Bourne shell is regarded as the first UNIX shell ever. It is denoted as sh. It gained popularity due to its compact nature and high speeds of operation.
• The GNU Bourne­-Again Shell (bash): More popularly known as the Bash shell, the GNU Bourne­-Again shell was designed to be compatible with the Bourne shell.
• The C Shell (csh): The C shell was created at the University of California by Bill Joy. It is denoted as csh.
• The Korn Shell (ksh): The Korn shell was developed at AT&T Bell Labs by David Korn, to improve the Bourne shell. It is denoted as ksh.
• The Z Shell (zsh): The Z Shell or zsh is a sh shell extension that has all the features and more.
•
These are the tradit­ional init runlevels:
• 0 - Halt the system,
• 1 - Single­-user mode (for special admini­str­ation),
• 2 - Local Multiuser with Networking but without network service (like NFS),
• 3 - Full Multiuser with Networ­king,
• 4 - Not Used,
• 5 - Full Multiuser with Networking and X Window­s(GUI),
• 6 - Reboot.

iptables is an extremely flexible firewall utility built for Linux operating systems. iptables is a comman­d-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. iptables almost always comes pre-in­stalled on any Linux distri­bution and to update or install it, you can just retrieve the iptables package using the command: sudo apt-get install iptables

SELinux was first introduced in CentOS 4 and signif­icantly enhanced in later CentOS releases. SELinux follows the model of least-­pri­vilege more closely. By default under a strict enforcing setting, everything is denied and then a series of exceptions policies are written that give each element of the system (a service, program or user) only the access required to function. SELinux has three basic modes of operation as follows:
1. Enforcing
2. Permissive
3. Disabled

Bastille is a hardening program that locks down a Linux, HP-UX, and MacOS operating system, proact­ively config­uring the system for enhanced security and decreasing its suscep­tib­ility to compro­misse. Bastille can also assess a system's current state of hardening and generate a granular report on each of the security settings with which it works.

The recomm­ended method to perform this hardening feature is to edit the /etc/s­ysc­trl.conf file. Remember this fact for the exam as well as setting this to prevent source routing and two-way spoofed commun­ica­tions.

Trusted Platform Module (TPM) offers hardwa­re-­based, securi­ty-­related functions in the form of a secure crypto­-pr­ocessor chip that performs crypto­graphic operat­ions. The chip includes several physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM.

Ansible is an open-s­ource automation tool, or platform, used for IT tasks such as config­uration manage­ment, applic­ation deploy­ment, intra-­service orches­tra­tion, and provis­ioning.

Auditd is an access monitoring and accounting for Linux developed and maintained by RedHat. It was designed to integrate tightly with the kernel and look for intere­sting system calls. Also, likely because of this level of integr­ation and detail, it is the default logger in SELinux.

Each Syslog message Priority also has a decimal Severity level indicator. Severity values MUST be in the range of 0 to 7 inclusive. Debug has the highest number 7, repres­enting the lowest priority level.

Linux builds have a native stateful firewall called iptables. Append this rule to the input chain (-A INPUT) to view ingress traffic; look for TCP (-p tcp); if so, does it go to the destin­ation SSH port (-dport ssh)? If yes, then permit the traffic ( -j ACCEPT).

Every NTFS (NT file system) file or folder has an owner assigned to it. As part of the discre­tionary access model (DACL), If a user is the owner of an object the only recourse for the admini­strator is to take ownership away from the user. Other objects include printers, AD contai­ners, registry keys, processes, and threads.
It is vital to understand that NTFS (NT file system) permis­sions are always enforced, regardless of how the files are being accessed.
What happens if there is a conflict between an NTFS deny permission and an Allow permission when applied to a file? The user’s final effective permission on the file will be deny since that always takes preced­ence.

A write-­blo­cking is a tool is designed to avoid any write access to a hard disk when performing forensic invest­iga­tions. It allows read-only access to a data storage device without compro­mising the integrity of the data. If used properly, it can deliver a high degree of confidence in the protection of the chain of custody.

Domain Name System (DNS) uses TCP port 53 for connec­tio­n-o­riented tasks such as database replic­ation and UDP port 53 for unreliable activities like queries to DNS servers.

White box penetr­ation testing takes into account scenarios where almost all inform­ation is available to execute an attack. More often this type of pen testing produces very focused results. Black box approach is the opposite of white box, and the pen tester does not have any inform­ation about the system they are trying to breach. This is more accurate in simulating an external attack. Gray box, on the other hand, is halfway between a white box and a black box approach. In this approach, the pen tester has some inform­ation available, but not all.

The five key aspects of NIST Cyber Security Framework are:
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

The five steps of the NIST Enterprise Security Archit­ecture (ESA) are identify > protect > detect > respond > recover. Other activities of the “protect” phase are awareness training and inform­ation protection and proced­ures.

According to NIST, security controls are the manage­ment, operat­ional, and technical safeguards or counte­rme­asures employed within an organi­zat­ional inform­ation system to protect the confid­ent­iality, integrity, and availa­bility of the system and its inform­ation. Examples of operat­ional controls would be config­uration manage­ment, incident response, and system integrity.

Examples of deterrent controls would be signage, bollards, banners, guards, dogs, lighting, and visible video survei­llance.

According to NIST Special Public­ation 800-61, a computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. An employee knowingly crashing the e-commerce server is an example of a computer security incident. The security admini­strator changing the permis­sions of a directory and an employee accessing a file do not relate to an incident. The intruder breaking into office premises does constitute a security incident, just not a computer security incident.

Assume Device A has completed its transm­ission and indicates this by sending a segment to Device B with the FIN bit set to 1. Device B will acknow­ledge the segment with an ACK. At this point in time, Device B will no longer accept data from Device A. Device B can continue to accept data from its applic­ation to transmit to Device A. If Device B does not have any more data to transmit, it will also terminate the connection by transm­itting a segment to Device A with the FIN bit set to 1. Device A will then ACK that segment and terminates the connec­tion.

Confid­ent­iality, Integrity, and Availa­bility (also known as the CIA triad) are the corner­stones of Inform­ation Security. This is a model created to define security policies for organi­zations and it has everything to do with secure storage, transm­ission, retrieval, execution, and any action dealing with security of inform­ation.

The Parkerian hexad is a group of six inform­ation security elements offered by Donn B. Parker in 1998. The hexad adds three additional attributes to the three classic security attributes of the CIA triad (confi­den­tia­lity, integrity, availa­bil­ity). These elements are utility, authen­ticity, and possession (control).

Digital signatures provide peer authen­tic­ation, integrity, and non-re­pud­iation. They do not offer confid­ent­iality services or availa­bility between peers.

In the world of inform­ation security, integrity protects against unauth­orized changes to data. Integrity can be implem­ented using various tools and mechan­isms, for example, hashing algori­thms.

The least privilege principle involves granting just the right amount of access to data, applic­ations, and systems that are necessary for the job role and no more.

Threat enumer­ation is defined as a process which establ­ishes an active connection to the target hosts to discover potential attack vectors in the system, and the same can be used for further exploi­tation of the system. Enumer­ation is often considered as a critical phase in Penetr­ation testing as the outcome of enumer­ation can be used directly for exploiting the system.

Enumer­ation is defined as a process that establ­ishes an active connection to the target hosts to discover potential attack vectors in the system. Enumer­ation can be used for further exploi­tation of the system. Enumer­ation is used to gather: Usernames, group names, Hostnames, Network shares and services, IP tables and routing tables, SNMP and DNS details.

A mandatory access control (MAC) model, such a Bell-L­aPadula and Biba, is a system of access control that assigns security labels or classi­fic­ations to system resources and allows access only to principals with distinct levels of author­ization or clearance. Mandatory Access Control (MAC) requires allocation of labels to provide resource access. The labels are, for example, Public, Confid­ential, Secret, and so on. The labels can be managed at organi­zat­ional level.

When the owner of a file makes the decisions about who has rights or access privileges to it, the owner is using discre­tionary access control or DAC. The Nondis­cre­tionary access control on the other hand has a fixed set of rules that exist to manage access.

A next generation firewall (NGFW) provides capabi­lities beyond that of a stateful network firewall. A stateful firewall is a network security device that filters incoming and outgoing network traffic based upon Internet Protocol (IP) port and IP addresses. By intell­igently inspecting the payload of some packets, new connection requests can be associated with existing legitimate connec­tions. An NGFW adds additional features such as applic­ation control, integrated intrusion prevention (IPS) and often more advanced threat prevention capabi­lities like sandbo­xing.

A firewall is a network security device that monitors incoming and outgoing network traffic and permits or blocks data packets based on a set of security rules. Ideally, a firewall should be placed at critical junctures in a network to provide segmen­tation between trusted and untrusted services or user access. Firewalls have been an integral part of security industry over the past 25 years.

A firewall is a software or hardware device that work as a filtration system for the data attempting to enter your computer or network. A firewall monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls are typically used to segment network to filter traffic from unsecure (untru­sted) to secure (trusted) zones and vice-v­ersa.

The intrusion prevention service (IPS) sensor is an inline, proactive, and preven­tative security control that can prevent the malicious payload from being delivered to the target. The IDS will take actions based on copies of the frame and is reactive.

A signat­ure­-based HIDS system is dependent entirely on availa­bility (and timely updating) of signatures as it can only detect attacks that correspond to attack signatures present in its signature database. Hence, a signat­ure­-based HIDS system wouldn’t be able to approp­riately identify any zero-day attacks.

Anomal­y-based detection is form of intrusion detection that relies upon observing network occurr­ences and discerning anomalous traffic through heuristics and statistics measured against an establ­ished baseline of normal operat­ions.

Endpoint Detection and Response (EDR) are tools that are mainly dedicated to detection and invest­igation of suspicious activities and indicators of compromise (IoCs) on hosts/­end­points. McAfee, Norton, and CrowdS­trike are examples of EDR solutions.

A multi-­phased logging analysis method­ology would be Phase 1: Log Collection using tools like Kiwi and syslog ng; Phase 2: Log Storage using databases such as MySQL and Postgr­eSQL; Phase 3: Log Analysis using Splunk, grep, or LogParser; and Phase 4: Log Correl­ation and Alerting with tools like OSSEC (Open Source HIDS SECurity) and OSSIM (Open Source SIEM).

All given examples are Security Inform­ation and Event Management (SIEM) solutions. A SIEM solution receives data from different sources, including IPS devices, firewalls, NetFlow generating devices, servers, endpoints, and syslogs from infras­tru­cture devices. It provides a central view of logging and related security activities across network.

SIEM has evolved from separate security event and security inform­ation monito­ring. It is the primary centra­lized log correl­ation, aggreg­ation, and normal­ization solution used in modern enterp­rises today. Common solutions would be SolarWinds Security Event Manager, Manage­Engine EventLog, and Azure Sentinel.

Following are the most commonly used network security logging platforms:
• Kiwi Syslog – SolarWinds Kiwi Syslog Server is a syslog management tool. It can receive syslog messages and SNMP traps from network devices (routers, switches, firewalls, etc.), and Linux/Unix hosts
• syslog-ng – It is a free and open-s­ource implem­ent­ation of the syslog protocol for Unix and Unix-like systems

Syslog messages include time stamps, event messages, severity levels (0-7), host IP addresses, and diagno­stics.

When using a SIEM system the Never Before Seen (NBS) analytics reporting is critical for identi­fying mew threats against systems.