Welcome to the CompTIA CySA+ CS0-001 exam study notes. You know the type of study guides to expect by now. Prepare for a wall of formatted text.

The information in this guide is organized by the CS0-001 exam objectives and has some blanks filled in by the great Keith Barker of CBT Nuggets fame.

Know going into this that you won’t retain all industry knowledge at all times. I’ll happily admit I don’t have this entire page of notes memorized. What’s more important is taking notes and knowing where to look when you need to recall something or fix an issue.

The good news is that this certification heavily recommends creating documentation and relying on said documentation so you don’t have to memorize a whole lot of random computer facts. This is especially helpful in an incident response situation.

Treat these notes as a review. You should be shaking your head yes as you go through these notes. Learn and retain as much of the concepts as possible. There’s no shortcut to being a security pro. Put in the work and and do great.

Let me know how you do. Good luck!

Table of Contents

Table of Contents

  1. Threat Management
  2. Vulnerability Management
  3. Cyber Incident Response
  4. Security Architecture and Tool Sets

1. Threat Management

1. Vocabulary Related to Threats and Attacks

  • Hack value – something is worth doing in regards to target
  • Vulnerability – weakness either in design, implementation, or configuration that can lead to an unexpected event
  • Exploit – attack that is or could be successful
    • Exploits can be successful because of the vulnerability that exists
  • Payload – component of an attack that performs the intended malicious action
  • Zero day attack – attack that exploits a computer system or network that leverages a vulnerability that doesn’t yet have a patch
    • This is more common that you think
    • An example: no alerts are being generated by the anti-virus software or by the intrusion detection system, but a workstation is performing very slowly and there is an unauthorized VPN between that local workstation and a computer located in a foreign country
  • Pivoting – daisy chaining, getting access to one network or computer and then using information or credentials from one device to turn and do further investigation on other devices
  • Doxing – publishing personally identifiable information derived from publicly available sources
  • Bot – software application that can be controlled remotely to execute or automate a defined task
    • Botnet is a collection of bot computers used to launch an attack

2. Attack Categories, Types, and Vectors


  • Advanced persistent threats (APT) – sophisticated and done over a long period of time
    • Part of a bigger system
    • Gathering information on a day to day basis
  • Botnets – Can cause a denial of service attack (distributed)
  • Cloud computing – Many “as a service”
    • Weak link may lead to a compromise of systems and leads to additional attacks
  • Insider attacks – by a person who currently has access to the system
    • Usually done with malicious intent
  • Mobile threats – mobile devices can be at many locations
    • Many potential points of attack
  • Viruses, worms, and malware – have many ways to enter systems
    • Examples: links, USB drive, etc.


  • Operating systems – bugs, unpatched OS
  • Misconfiguration – can be almost anywhere
    • Shrinkwrap / Defaults – as it came
    • Attackers would be able to get this information easily
  • Application level – using application running at target site to compromise organization
    • Examples: buffer overflow, SQL injection, cross-site scripting, man-in-the-middle, session hijacking, etc.

3. Reconnaissance and Footprinting Overview

  • Footprinting is the very first attack on a system
    • Attacker is going to gather publicly available information without the target knowing
    • Getting to know their security posture
    • Reduce focus area by finding range of network and systems in use
    • Identifying potential vulnerabilities
  • Search engines (archives, portals, services, etc.)
    • Google hacking – using advanced search parameters such as inurl:userRpm or inurl:LoginRpm.htm for a router
  • Netcraft to see OS web services are running
  • Anywho for people searches
    • Residential addresses
    • Email addresses
    • Contact numbers
    • Date of birth
  • Marketwatch to find details about the company
    • Market value
    • Competitive details or advantages
    • Company profile and more
  • Job sites – if a company is hiring a specific programming language or system
  • Social media – looking for low security settings and start the social engineering process
    • Can happen over weeks or months
  • Monitor company website and even look at HTML source, analyzing cookies left on client computer
  • Email – not just as an attack vector, but also the raw information available through headers
    • Headers give away a lot of information: names IP addresses and so on
  • Looking for competitive information
  • Whois – domain name details
    • Contact details
    • When the domain was registered and more
  • DNS – key host and network by looking at various record types
    • A and MX for example
  • Then you can go forth with tools such as tracert to get a general idea from the outside
  • Social engineering for exploiting human behavior for our own benefit
    • Threaten confidential information that shouldn’t be revealed
    • Getting a user to click on something or do something that would give us a vector or path within a system
    • Users may not be aware that it even happened
  • Have employee training and period verification

4. Using DNS for Reconnaissance

  • Public DNS can provide information and if the internal DNS is compromised the information provided can be very useful
  • Tools
    • nslookup
    • dig
    • dnsenum
  • Web based tools
    • Whois
    • GUI tools like maltego
      • Harvest DNS
      • Social media
      • Additional information that’s available on the Internet
  • Kali
    • dnsenum domain
    • Shows IP of domain
    • Nameservers
    • Attempts DNS transfer
  • Dig domain, DNS records, DNS server
  • Nslookup domain
    • All IPs associated with domain name
  • Nslookup enter to put in interactive mode
    • Set type=ns enter
    • domain enter
    • respond with nameserver entries
    • Nslookup –type=ns domain

5. Direct Network Scanning Overview

Actively sending packets so there is a likelihood of getting identified through an IPS

  • Live devices
    • OS (fingerprinting)
    • IPs in use for devices (IPv4 and IPv6)
  • Ports
    • Open or closed
    • Mostly looking for well known ports
  • Vulnerabilities
    • Finding a well known port and finding a specific version of an OS can give the attacker their next target

6. Direct Network Scanning Methodology

  • Looking for live systems
    • Using ping
    • Tools to do pingsweep: request to every IP address
  • Just because a ping isn’t answered, doesn’t mean a system is down or not there
  • If a device doesn’t respond to an ICMP Echo request, they may respond to an ARP (Address Resolution Protocol) request
    • This is sent as a broadcast
  • Nmap –sn does a simple sweep of a network but it won’t go further into port scans
  • Check for open ports
    • This helps reveal what types of services they are running
  • Evade IDS
  • Banner grabbing (fingerprinting)
    • Banner grabbing is one of several techniques used to discover the type and/or version of software in use
  • What devices are up, what services they are running, and potentially what versions and applications are running
    • We can do specific vulnerability scanning to know which exploits to launch
    • Can be based on OS itself or poor configuration
  • Document what we’re learning and build network diagrams
  • Use proxies to hide source IP address
    • This also can help get into areas with access control rules
  • Document everything and produce a deliverable report

7. Port Discovery Overview

  • If we identify what ports are available that usually hints at what services are running
    • With knowledge of services available, we can look at vulnerabilities those services may have
  • De-encapsulation
    • Packet sent to server
    • Addressed to layer 2 from Ethernet to network card of server and will de-encapsulate and pass up to layer 3, network layer (IP)
  • A TCP SYN request could be sent to a server on port 80 to determine whether or not a web services are running
  • L4 Protocols
    • Protocols operate in predictable ways
  • TCP behavior – 3-way handshake
    • Start: SYN, SEQ#
    • Reply: SYN+ACK, ACK#, SEQ#
    • Confirm reply: ACK, ACK#, SEQ#
    • This sets up TCP session
    • Session termination
      • Notice: Fin, SEQ
      • Reply: ACK, ACK#, SEQ#
      • Session termination confirm: FIN, SEQ#
      • Notice confirm: ACK, ACK#, SEQ#

Scan Types

  • If you send a SYN request and you get a SYN+ACK packet back, you know services are running
  • After this an attacker can send a RST (reset) flag to cancel the 3-way handshake
  • An attacker can do a port scan quickly without tying up a bunch of resources
  • If the system sends a RST packet back instead of SYN+ACK packet, you’ll know the port is closed
  • TCP flags:
    • ACK (acknowledge)
    • SYN (synchronize)
    • FIN (finish)
    • RST (reset)
    • PSH (push)
    • URG (urgent)
  • These flags allow you to leverage how systems respond to strange packets

8. OS and App Fingerprinting

  • Active: attacker directly sending stuff to victim (normal 3-way handshake or specially crafted packets using packet tools) to see how they respond
  • Passive: analyze traffic (eavesdropping or MITM)
  • Example: Banner grabbing: See how device responds and determine what OS is running based on result
    • Then align vulnerabilities based on result
  • If you telnet to a non-standard port, you’ll get a reaction
  • In Kali
    • telnet 80, GET / HTTP/1.0, notice telnet over HTTP
    • Or nc 80, GET / HTTP/1.0, enter a couple times (nc= netcat)
  • Or zenmap, enter IP and add –sn to do a quick ARP scan
    • Intense scan with –O, for a longer scan
    • Animated bar next to details button will be there as long as it’s scanning
    • Intense scan will show type of server that’s running, methods used, how far away the device is
    • Ports that are open as well as host details
    • The icon will change once the OS is identified

9. Using NMAP for Host, Port, and OS Discovery: VLab

  • One way we know our network is secure is by engaging with a 3rd party to do pen testing
  • The terms will be specified in the SOW (Statement of work)
    • Includes rules of engagement
  • Another way we can test is through war games
    • Red team (offense) and Blue team (defense) exercises
    • Red team will also be scanning
    • Also want to have clear rules
    • If the red team finds a vulnerability and launches a denial of service attack, it would need to be on a non-production system
  • Looking for:
    • Hosts
    • Ports
    • OS/App information
  • Lookup how to add nmap to command prompt
  • Nmap –sn (target)
  • Hitting enter will show status as it’s scanning
  • Ping scan shows:
    • IPs and whether hosts are up
    • The first 6 characters of a hardware address will show it’s vendor. Hyper-V will show as Microsoft
    • DNS reverse lookup
    • Scan summary (hosts up and scan time)
  • The GUI from Zenmap has profiles which are a collection of commands
  • The result is the same as a command line scan but in an easier to read format
  • You can drill down and enter the specific IP in the target field
  • This is good for throwing more traffic at a host
  • Looking at quick scan plus profile:
    • -sV is for version scanning, return version
    • -T4 is for timing and 4 is aggressive (0-5)
      • The lower aggression takes longer but would be more likely to avoid detection by staying below IPS timeout
    • -O is to attempt operating system detection to determine operating system on target
    • -F is for fast option to only scan top 100 most common ports as opposed to the top 1000 popular ports
    • --version-light makes scanning much faster and slightly less likely to determine services that are running
  • Changing profile to intense scan plus UDP may take a few minutes to complete
    • Scanning in progress will show the animated icon near the details button
  • Scans tab will show previous and currently running scans
  • Ports / Hosts tab show open ports found so far
  • Topology tab shows network in topology view
    • Click on yellow circle to make current host the center of ring
  • Host details show host information based on scans already completed
  • After a scan of the server, NMAP reports that TCP port 389 is open and port 636 is not open
    • What security recommendation should be taken based on this information? Using LDAP on port 389 is a vulnerability
    • Use TLS to protect LDAP communications with the server
  • Keep scans local
    • Only active scan networks that either you own or have authorization to do so (written permission)

10. Vulnerability Scanning Tools

  • Identify App, Service and System:
    • Vulnerabilities
    • Weaknesses
  • Nessus is one of the most popular scanners out there
  • Web interface at https://localhost:8834
  • Click on policies tab
    • You can specify details on what you would like to scan here
    • The templates allow for different types of scans
    • You can add different scan types for future scans
  • This tool allows for a lot of customization through discovery and assessment options depending on the requirements of your network
    • Customization is saved to a custom policy you specific
    • These are located at the bottom of the policies page under User Created Policies
  • A checkmark on the scans page shows when a scan is complete
    • To see the details, you’ll have to click on the scan itself
  • Vulnerabilities show as a color criticality:
    1. Critical – red
    2. High – orange
    3. Medium – yellow
    4. Low – green, may also just be informational
    5. Informational – blue
  • Vulnerability details are available by clicking on the host
  • History can be exported to HTML
    • The reports also show a plugin Id for each item
    • To keep the plugins or signatures up to date, you may want to routinely run a script before each use of the vulnerability scanner
  • The plugin ID link shows a page with a synopsis, description, further reading, and a solution

11. Vulnerability Scan Scenario

  • What do you do when you learn of a vulnerability and you don’t have an inventory of your infrastructure or what application versions they are running?
  • For zenmap:
    • Ping scan to see what’s up
    • Quick scan plus to see OS and app version that’s running on hosts
    • Looking for versions that are vulnerable
  • Don’t download plugins to your favorite vulnerability scanner and scan everything
    • This takes too much time
  • Test patch for vulnerability and regression test to match sure system still works
    • Change control through authorized methods to implement updates
  • Most commercial scanners have plugins that supports SCAP (Security Content Automation Protocol) put out by NIST (National Institute of Standards and Technologies)
  • Scan again after patching to make sure vulnerability is actually gone
  • Then update documentation and move one
    1. Scan to discover which devices are up
    2. Perform a fingerprinting scan on systems
    3. Patch relevant systems
    4. Perform regression testing to verify functionality
    5. Document changes that have been made

12. Network Mapping

In scanning, one of the steps is to build network topology diagrams so we know where stuff is. You can enumerate your own network but automated tools are available. Network Topology Mapper from Solarwinds:

  • Uses SNMP
  • By having and using credentials, it provides more volume and accurate details
  • WMI credentials (web based management credentials)
  • VMWare credentials
  • network selection, add subnet and mask
  • Discovery settings, number of hops 0 to stay within subnet
  • Scheduling, run once or give a frequency
  • You can create dynamic network maps with a ton of information
  • Summary

13. Understanding System Hacking

  • Stages of system hacking
  • Goals:
    • Bypass controls – Gaining access (1)
    • Non-electronic attack (social engineering)
    • Active online attack (dictionary attack)
    • Passive online attacks (packet capture)
    • Offline attack (copied password database)
  • Get access rights – escalating privileges (1)
    • Even without admin rights, take user we have and try to take it a step further
    • Regular accounts can get access through design flaw, configuration oversight, bug, or programming error
  • Maintain remote access – executing applications (2)
    • Backdoors
    • Keyloggers
    • Rremote access tools
    • Rootkits
    • Record audio and video
  • Hide activities – hiding files (2)
    • SMTP server
    • Covert channel (like through ICMP)
    • Steganography
  • Covering tracks (3)
    • Disabling auditing
    • Clearing logs
    • Manipulating log files
  • Example: User with FTP sign on a server
    • An attacker sniffing the network collected packets between FTP user and server and extracted the username and password
    • Which type of attack occurred? Passive online

14. Honeypot Overview

  • Attackers can have access for extended periods of time before they are ever detected
    • An advanced persistent threat (APT) is an attack that could last for months or years
  • One technique that could be used is a honeypot
    • A device that could be placed somewhere on the network for the specific purpose of identifying who is trying to probe and attack a system
  • They collect payloads from attackers, without impacting production servers
  • Timestamps, IP addresses and ports, keystrokes, login information
  • Low interaction – appears to have port 80 open but refuses to fully accept the 3-way handshake, appear to have file sharing service but the file service isn’t functioning
  • High interaction – behaves like the real deal
  • A server with port 80 is actually running web services, or a file server actually has files
  • Honeynet – collection of servers or big facade of systems that work together with no confidential or sensitive data
    • Honeypot in multiple points in a network
  • You can have a physical appliance, something small like a Raspberry Pi or a dedicated box sold by a vendor
  • Can be virtual with emulation like a Cisco router or windows system
  • The personality could be storage (NAS), layer 2 device (switch), or some old version of a system
  • Analyze and be able to stop the attacker getting to real systems
  • Detection and evasion is import so avoid having what appears to be a too good to be true setup

15. Using a Network Scanner to See a Honeypot

  • Zenmap in Kali Linux
    • Applications 01 > Information Gathering > zenmap
  • Do a regular scan at first
  • If a scan finishes with a ton of open ports, this would be a dead giveaway that this is a honeypot
  • The services button organizes open ports by service
    • In the Ports/Hosts tab on the right, it will display hosts with those open ports
  • Just because the ports are open doesn’t mean the services are running
    • But this honeypot is actually running
    • If port 80 is open for example and you put the IP in the address bar of a web browser, you may see an under construction
  • Use 09 – Sniffing & Spoofing > Wireshark
    • Wireshark is a free tool that performs protocol analysis and extensive details of individual packets that have been captured on the network
    • Run eth0 and refresh the page
    • Then hit the stop button and see what was captured
    • Type http in the filter bar and hit enter
    • Scroll down to view data
    • You can view the GET and OK response codes
    • Clicking the Line-based text data: text/html will show the information returned

16. Social Engineering Overview

  • One of the easiest ways to compromise a system
  • This can occur over email, phone, and by paper
  • Virustotal.com has a URL section to get an opinion for a website
  • Never click on links directly
  • Curiosity can kill security
  • It’s a huge risk due to behaviors
  • Factors:
    • Trust
    • Ignorance to devastation
    • Fear, like through vishing (something really bad will happen)
    • Greed, personal gain through illegal or unethical means at the cost of the company
    • Moral obligation, feel like they are doing the right thing, tailgating for example

17. Phases and Methods of Social Engineering

  • Research target company
    • Dumpsters
    • Websites
    • Employees
    • Tour company
  • Choose victim
    • Identify frustrated employees of target company
  • Build relationship
    • Develop relationship with target employee
  • Exploit relationship
    • Collect sensitive information and current technologies
  • Techniques:
    • Impersonation
    • Eavesdropping
    • Shoulder surfing
    • Dumpster diving
    • Tailgating / Piggybacking
    • Popup windows
    • Hoax letters or chain letters
    • Spam
    • Fake websites and redirection

Spear phishing vs regular phishing (specific versus general)

18. Phishing Overview

  • Baiting users with fake emails
  • Reveal information that normally isn’t available
  • Enticing or urgent request
  • Email phishing includes these types of emails:
    1. Security alerts
    2. Vacation time/policy
    3. Deliveries – USPS, UPS, FedEx, DHL
    4. Invoice or file attachments
    5. Greeting cards (these used to be a lot bigger)
  • Spear phishing – targeted phishing campaigns to specific users
  • Whaling – multiple big phish targets like senior executives
    • Think of requesting a large wire transfer from targets to unknown source where everything thinks the transfer is approved
  • Vishing is phishing over the phone (VoIP phishing)
  • In the past these were extremely easy to spot as they had poor grammar and spelling
    • Emails are now looking more authentic
  • The greatest positive impact to security regarding email is end user awareness training and testing centered on phishing
  • Phishing training can sometimes be referred to as building a human firewall

19. Defending Against Phishing

  • Don’t trust links in emails
  • Never give out personal or sensitive info based on an email request
  • Look for typos in sender addresses or links
  • Don’t open attachments in inauthentic emails or even in general
    • Use supported IT supplied technologies like OneDrive or SharePoint
  • Type real address of where you want to go or run a search in your browser
  • Report phishing attacks to IT
  • Options to assist a user in not being tricked by a phishing attack:
    1. Don’t use phone numbers that are sent in an email without verification of those numbers
    2. Don’t click on links that are sent in an email
    3. Hover over a link to identify the real URL or destination

20. Packet Capture and Analysis Overview

Techniques in getting the packets:  

  1. Local computer with packet capture and analysis software running and all traffic that the NIC can see will be analyzed
  2. Mirror traffic on a switchport and send it to a management station where analysis software and look at the packets after the fact
  3. Mirror traffic from a VLAN to a management computer and run the protocol analysis software against those packets
  4. Use a network tap

In Wireshark you can go to the display filter and type “arp” to show from capture just collection of ARP.

  • This could be reconnaissance
  • The sender is the source
  • If you type “dns” you will get the DNS activity
  • You can drill down by layer
    • Layer 2 ethernet header
    • Layer 3 IP header
    • Layer 4 protocol information (UDP)
    • Payload (query)
  • Here you can also see the packet number with the response to the request

21. Practicing Packet Capture and Protocol Analysis: VLab

  • By using a display filter in Wireshark, the protocol analyzer can show you specific types of packets, or a subset of packets, from the current capture being analyzed
  • If you see a broadcast (a bunch of ARP requests) sent to all IPs on subnet you’ll know a scan is happening against our network
  • If you want to have Wireshark help you with a filter, you can use the Prepare a Filter option
    • In looking for HTTP traffic for example, you can expand the TCP information section and right-click the Destination Port: 80 line, then select Selected under Prepare a Filter
    • The display filter will now be more customized without having to type anything
    • From here, you can drill down further by expanding the IP section and selecting Destination: IP, right-click, and Prepare a Filter and select …and selected
    • The number of returned packets by a display filter will also be reflected compared to total packets in the bottom right corner
    • You can right-click a result and click on Follow -> HTTP Stream to see results of a specific conversation
    • The HTTP Stream will show the client packets, server packets and it puts it in a nice, convenient play-by-play
  • DNS has a similar display filter process
  • You can search for DNS and from here, go to the payload (query) part and expand the Queries section
  • From here, you can right-click the PoinTeR record (request type 12) and select Prepare a Filter -> … and selected to find the host requesting a reverse lookup from DNS
  • The packet number that contains the response will show under the query drop down as well
  • NMAP/Zenmap scan will do a DNS reverse lookup to obtain the host-name information

22. Logging Overview

  • Collection of information so we can find out what’s going on
  • Without logging, we may never know when attacks have taken place
  • Sources:
    • Computing devices or workstations
    • Operating systems and software
    • Servers, regardless of where they lie
    • Network devices like switches and IDS/IPS
  • A Syslog server is commonly used to centrally collect log files on the network
    • This is a central device so you only need to go to one place to review logs
    • One of the potential problems with collecting logs is the shear amount of information that can be collected
  • Automated tools are crucial for sorting through logs to look for different levels of alerts
    • Critical
    • Warning
    • Informational
  • Looking at server or hardware firewall logs or captured packets (Host or IDS/IPS) one of the giveaways of malicious activity is different ports
    • Varying port numbers may reveal a port scan
  • Logs can alert on when a device or server has a new port opened or a critical port disabled
  • A firewall log on the server and packet capturing are the best at identifying a port scan that is happening against a host
  • Protect those logs!
    • Avoid the same administrator being able to log into devices can log into the Syslog server as well
    • Have separation of duties
    • People with privileged access will be held more accountable

23. Firewall/Router ACL Review

  • Regardless of vendor, the ACL is a set of rules that is processed from top to bottom
    • Each entry will specify what we want to permit or deny
  • The flow of an ACL is in the table format below:
Permit or DenyProtocolSource IPSource PortDestination IPDestination Port
  • At the end will be an implicit Deny All
  • Access Control List (ACL) entry to allow HTTPS traffic from a computer at to a server at
    • Permit tcp any 443

24. Trend Awareness

  • The goal is to look at accurate data with the right tools
    • This helps identify issues and correct problems
  • Trends can help identify an Advanced Persistent Threat (APT)
  • In looking for where to collect data from consider the following location and devices as variables:
    1. Connected devices like wired and wireless computers
    2. Physical and virtual machines – a physical box can host multiple virtual machines
    3. Cloud environments if it’s part of your computing landscape and resources you are actually using like IaaS
    4. Partners or remote work sites
    5. Tools like IDS/IPS
    6. Network infrastructure like firewalls, routers, and switches
    7. Resource monitors – see if a system is available and monitor capacity and availability of a system
  • It’s not realistic to capture and keep all available information
    • You can still know what’s going on without capturing and keeping all data is using a tool called Netflow
    • It’s typically implemented on industrial routers and multi-layer switches
    • It can keep track of the overall traffic
    • It’s not keeping copies but notices the type of traffic and where it’s going
    • This information can be sent to a Netflow collector
    • A Netflow analyzer gives a nice display of what’s happening
  • The best tool to collect, correlate, and analyze events, messages, and alarms from a wide range of devices and systems is a Security Information and Event Management (SIEM) system
    • Using a SIEM can point you to a location so you can help narrow down an issue
    • Say for instance a VLAN has abnormally high traffic, you can narrow it down by looking at devices on this particular VLAN
    • You can use netstat -a on one of the computers

25. Hardening and Other Best Practices

  • Using best practices and hardening techniques upfront saves pain and anguish in having to pick up all the pieces after a security breach
  • Methods in best practice when protecting the network infrastructure devices, such as routers and switches:
    • Don’t use default passwords
    • Disable and/or block ports and services that are not being used
    • Don’t use the same network for both management and end-user traffic
    • Use a whitelist of IP addresses that are allowed to connect to network devices
  • Use compensating controls where fixes can’t be done

26. Whitelisting and Access Control

  • Best practices for security:
    • Whitelisting specific applications that are allowed to run
    • Use the rule of “least privilege” – just enough to do their job
      • DAC – give rights away as admin sees fit (discretionary)
        • This is the most common
      • MAC – clearance level and sensitivity level (mandatory)
    • 2FA – maintains account authenticity

27. Evaluating Risk

  • The probability of a threat causing loss
  • You can have a risk head map with the likelihood of compromise as the y axis and the severity of the compromise as the x axis
  • The colors or heat will correspond to the ranking of what should be worked on first
    • Typically quantified in low, medium, high
  • Threat agent that would act on the vulnerability
  • The risk is the likelihood of this happening and the impact it would happen
  • The exposure is the loss that would happen
  • A control can be implemented to mitigate vulnerabilities
  • Quantitative involves evidence with numbers or math
  • Other school of thought is qualitative
    • This would involve the subjection of an expert
  • Other items to find risk is to find vulnerabilities through a penetration test
    • The management objectives are important
    • Outsourcing pen testing is a great idea with specific guidelines
    • Never modify or manipulate data
    • The goal is to find vulnerabilities and not bring down the network
    • All parties should agree on the scope (in a statement of work, SOW) and the rules of the penetration testing, before it happens
    • Excessive scanning may accidentally cause a denial of service (DoS) attack
  • Sample compromise severity chart:
    • Likelihood: Unlikely, Severity: Major – Medium
    • Likelihood: Likely, Severity: Extreme – High
    • Likelihood: Unlikely, Severity: Minor – Low

28. Network Access Control (NAC)

  • There could be all kinds of stuff an outside computer can bring into a network
  • If a computer doesn’t meet the NAC standards, the computer can be connected to a logical remediation network with limited access
  • Can be used in conjunction with 802.1x for authentication
  • NAC could require the following before allowing a device on the network:
    1. Antivirus software present and current
    2. Specific version of an application present
    3. Specific version or patch level of an operation system
  • Network isolation and segmentation are good security practices
  • Time window can be specified for VPN access

29. Uncovering Vulnerabilities

  • Pen testing is a great way to discover vulnerabilities but you’ll need an agreement with timing, scope, rules regarding exploitation, and communicate what is found, regardless of who looks bad
  • Whitebox testing we have information about it
    • Complete/full knowledge
  • Blackbox testing we know nothing about it, say from maybe an ARP response
    • None knowledge
  • Graybox testing we know some information about it
    • Limited/basic knowledge
  • In referring to security exercises, a white team acts as a referee and assists with the communications between the other teams
  • We want to validate the authenticity of any chips we put into our systems and validate they come from trusted vendors
  • A Trusted Foundry Program is a type of program that helps to confirm the integrity and confidentiality of integrated circuits
  • With software, a hash is usually created by the developer to verify our generated hash matches the published hash
    • This confirms the software you now have hasn’t been tampered with
    • Antivirus vendors use this technique

2. Vulnerability Management

30. Why vulnerability scan? Motivators

  1. Reduce risk
  2. They have to (regulation)
  • Sectools.org
  • Scanners have plugins and updates available
  • You may wish to use a script to automate this
  • Either way, update before scanning

31. Security Content Automation Protocol (SCAP)

  • Automate vulnerability management, measurement, and policy compliance in a system or on a network
  • Includes:
    • Common Vulnerabilities and Exposures (CVE)r, cve.mitre.org
    • Common Configuration Enumeration (CCE)tm
    • Common Platform Enumeration (CPE)tm
    • Extensible Configuration Checklist Description Format (XCCDF)
    • Open Vulnerability and Assessment Language (OVAL)tm
    • Common Vulnerability Scoring System (CVSS)
  • Greenbone Security Manager
  • Run scan with SCAP against the host or network (Network Vulnerability Tests) to see criticality of vulnerabilities
  • National Vulnerability Database

32. Focused Vulnerability Scanning

Questions to ask

  1. What is your risk tolerance for risk
    1. Risk appetite
    2. Determines what scanner to use
    3. Less risk they’re willing to take, the more time, effort, and money they’ll have to spend
  2. Are they’re technical constraints?
    1. Do we have licensing in place and in sufficient quantity to support all systems we want to scan?
    2. Do we have enough manpower to analyze the results?
    3. Will this scan be server based or agent based?
    4. Usually technology is just good enough to perform business tasks
      • Do we have enough bandwidth?
      • We don’t want to interrupt business function
  3. Sensitivity levels
    1. We don’t know all technology onsite or there isn’t sufficient documentation.
    2. Discovery scan first?
      • What devices and operating systems are we dealing with?
    3. Assessment Scan second?
  4. Are we legal?
    1. Do we have permissions?
    2. An admin can’t just go scanning crazy
      • They need permission with change control
    3. Scope and detail of scan
      • What types of data are we looking for and what don’t we care about?
    4. Credentialed (login access rights, versions and files) versus non-credentialed (can’t login and get as much detail)
  • Make sure scanner and plugins are updated (vulnerability feeds)

33. Remediation Considerations

  • Build a vulnerability management program
  • Automatic scans of both physical and virtual hosts
  • Automate reporting such as emailing the results
  • Make sure someone looks at and analyze the reports
  • Priority correction
    1. Take care of anything critical
      • You can’t rush in and get all results fixed
      • There may be too many to tackle
    2. You have SLA / Business Interruption / MOU – consider this before you implement solutions
    3. Organizational governance or red tape could also slow you down
    4. Possible degradation of functionality
  • Test changes were possible
    • What network calls are being done, what files are being written by the system
    • Once we’re confident submit the recommendations through the change control process
    • What is our backout process?
    • Implement changes and document them
    • Prevent significant losses to the company

34. Review and Interpret output: Web server version, Analyzing Vulnerability scan output: IIS

  • Using Zenmap, run intense scan of destination IP
    • Shows open ports and versions of software running
  • Using Kali Linux, use curl –I IP, to pull up header
  • We don’t have to fix the issues; we have to report they exist
    • It’s up to the technical and change control staff to implement the fix
  • Turn off IIS banner
    • Edit urlscan.ini file for IIS, edit httpd.conf file for apache, and edit nginx.conf for nginx

35. Analyzing vulnerability scan output; Enumeration of shares

  • False positive – alarm or alert that comes up but is not really a vulnerability
    • Note exceptions and filters so you don’t get normal results clouding your results
    • Get a second opinion – check system logs to verify if it’s legitimate
  • Identify trends
    • The best resource you can have when analyzing results reports is the vendor’s documentation
  • Check whether there is a known CVE or Bug
    • The QID may provide additional information (vendor ID designation)
    • An anonymous connection (or null session) may allow enumeration of shares

36. Vulnerabilities in servers (due to lack of proper controls and countermeasures)

  • A local firewall may be used, along with network segmentation and isolation to help protect
  • Using a web application firewall in front of a server isn’t always justifiable
    • If it’s a DNS server or any other server besides web then you wouldn’t need a WAF
  • You can also protect using network based IPS/IDS or NIPS/NIDS
    • Host based IDS (HIDS) may also be used
  • Application Whitelisting can also be used
  • Whitelist management addresses
  • Number of failed login attempts
  • Whenever possible use TLS/SSL and use a certificate signed by a trusted CA to avoid the valid certificate warning
  • Follow best practices when writing in house applications
    • Remove back door / maintenance hook after application is in production
    • When processing input, have application do server-side validation and sanitation
    • Secure coding practices and set security attribute on cookies so they aren’t disclosing sensitive information
    • Search for OWASP top 10 secure development application

37. Vulnerabilities in Endpoints

  • What system would an attacker want to spend the most time on?
  • Are there any systems giving anonymous access?
    • This is a huge risk, especially if this wasn’t intended
  • Another huge vulnerability is social engineering
    • There is an expected compromise that comes from the back of a phishing attack
  • Poor authentication practices also contribute to compromise
  • Printer defense – if your printer has a caching mechanism your attacker could potentially see documents printed (copy of print jobs), especially if this printer prints checks
  • Malicious software (malware) is vulnerability
    • It is surprising how much access malware can give an attacker
  • Ways to combat these vulnerabilities – user security awareness training
    • This helps present risks and who they should contact
    • Review acceptable use policy (aup) and sign it, at least annually
  • They should be running anti-virus/malware software
    • Keep it up to date automatically
  • Limited local rights, through technical controls, act as a defense mechanism for bad software
  • Network based IDS/IPS or HIDS
  • Lock screen when leave or period of inactivity

38. Vulnerabilities in infrastructure Devices

  • Both physical and virtual
  • Physical security
    • Wiring closet
    • Temperature control
    • Access
  • Poor authentication – default accounts and passwords
  • Remote management tool since Telnet is insecure, eavesdroppers can see passwords
  • Use SSH instead since it encrypts the entire session
  • Packet capture – grab a packet involved with TCP conversation
    • Right-Click – Follow –> TCP Stream, command may show duplicate characters since the command is echoed back as you type it (in telnet)
    • Scroll down to see your password in cleartext!
  • Don’t use the same network for management traffic as you do with user traffic
  • Different logical network is sufficient
    • Set limit of failed login attempts
  • IP address whitelist

39. Vulnerabilities in Mobile Devices: Weak Policy

  • Policies have details on best practices and expected use of devices
    • An acceptable usage policy is good even if you don’t have a regulatory requirement
  • Device requires authentication
    • When you’re done with it, have it automatically lock
    • Lock before you leave it and have a short timeout period
  • Encrypt data on mobile device
    • Attackers can’t read the data, even with removing storage
    • Apple does encryption by default
    • Use option if you have it
  • Synchronization can potentially be an issue
    • We need to be aware that it’s happening, and make sure the target location is safe too
    • Otherwise turn off this feature
  • Only want to use trusted app stores and trusted apps to avoid malware
    • Look at reviews and permissions required to use app
    • Removing bad apps, you remove the risk associated with it
    • The same goes with a feature you aren’t currently using
    • Turn off to make device more secure (hardening)

40. Vulnerabilities in Mobile Devices: Traveling

  • If an update is released, maybe check out forums to see if anyone has an issue with the update
    • Then when you feel it’s safe to do so, upgrade the version if your corporate policy allows it
  • It’s conceivable that you will use multiple wireless locations during your ownership of your device
    • Especially if you use public wireless
    • Go through and forget these networks you will no longer use
    • You could potentially automatically connect to a hacker’s network if you leave well known networks
  • Beware of suspicious messages, even from people you know
  • Losing phone while traveling
    • Setting them down somewhere, even for a moment
    • Beware of physical security at all times
    • If it’s not on you, keep it in a secure place
    • Keep them hidden out of sight and out of direct heat
  • It’s never ok to plug your mobile device in to another person’s computer
    • It’s also not ok to plug into a public or community device
    • There could be software or hardware loaded inside that could push software or pull data
  • It’s also important to beware of public wireless networks
    • Use a VPN over public wireless
    • Look at NordVPN
    • Get at least 3 inputs and make your own decision
    • If it’s your corporate VPN, ask your IT department

41. Vulnerabilities in Mobile Devices: Remote Wipe

  • Setup with a certain number of consecutive failed login attempts
  • If we have location services and functions enabled we might be able to find it
    • If we think we can’t get our phone back we may wish to remote wipe
    • This is used for if we think we may not get our phone back
    • Location services cannot be used after a remote wipe
  • When we remote wipe, we want to restore data from a backup solution to a new phone so we can get up and running quickly
    • Regularly back up device
    • Test backups and make sure they function
  • You may wish to have 2 or more smart devices with the correct entries in the one-time-password authentication apps so if we lose a smart device, we can still have access to our passwords
    • There are services that back up OTP codes but mileage will vary based on services used
    • Test it and practice it before you need it
  • Be aware of your surroundings in general
    • Pay attention to where you are going and who is around you
    • Attackers are looking for the easiest victim
    • They could run up to you and swipe your phone from your hands and since you were using the phone, it would be unlocked!
    • Pay attention to your peripherals, watch their speed and cadence

42. Vulnerabilities Regarding Interconnected Networks

  • Security and protection via isolation
    • Think of SCADA and industrial control systems, legacy systems, and separate private/public networks
  • It’s important that these SCADA systems are able to collect the data and report them appropriately
  • Legacy systems are working, they’re generating revenue, and they’re reliable
  • Public and private networks need to be separated
  • There may be guest wireless and what we hope is happening is the public networks customers are separate from the corporate private network
  • We do not want to allow access to our private network from the outside
  • Use a firewall to enforce policy that should never be allowed between these two
  • This is more secure and will make the network perform better
  • Not every network has the same level of importance

43. Physical and Virtual Device Vulnerabilities

  • We want both physical and virtual machines to be secure
    • Use HTTPS/SSL
    • Force proper authentication
    • OS security patches and updates
    • Application patches
    • Web application firewall for web servers
  • Network based intrusion detection system in front of it to find and stop potential attacks on this server
  • The problem with virtual devices is sometimes we forget about them
  • Sometimes we fail to include IP subnets our virtual machines use
  • The final vulnerability report could potentially miss these virtual machines
  • ESXi hosts with sample IP ranges:
    1. Mgmt
    2. Storage
    3. vMotion
    4. VM Network
  • Vulnerabilities common to both environments include:
    • Insecure protocols
    • Applications with bugs or backdoors
    • Attacks based on TCP/IP
    • Operating systems that are not patched
  • What is the best way to ensure logs won’t get deleted?
    • Have copies of log in some location but the main point is separation of duties
    • Auditing department can view logs but server admins can’t
  • Separation of duties administrative control offers a security advanced by the same person generating logging events can’t also delete those logs
  • Consider the security implications (network based) of moving VMs around a host
    • This could be an additional vulnerability

44. Using ACLs and VPNs to Reduce Vulnerabilities

  • RDP used TCP 3389 so if we wanted to use that on a server, the firewall would need to allow this TCP connection
    • Alternatively, we can set a firewall to reject all RDP requests to certain servers
  • Access control list entries on a firewall that could deny TCP traffic destined to port 23 from being delivered to a host at
    • Deny TCP any host 23 (general flow – action, protocol, source IP, destination IP, destination port number)
    • Have this entry before permitting any traffic to prevent the RDP connection request and still allow other connections
  • HTTP is not encrypting the session
    • Attackers can discover credentials!
    • Plain text protocols can lead to eavesdropping, even piece together VOIP conversations
  • Common and current technologies used to implement VPNs are IPSec and SSL/TLS
  • Connects logically
    • You can use a site to site connection for offices in different locations
    • Outside can be a remote access VPN

3. Cyber Incident Response

45. Threat Classification

  • SPR
    1. Stimulus
    2. Pause
    3. Response
  • Netstat to see open ports and current connections
  • Zero day is when up to date security software is not able to detect it
  • Known threats and Unknown threats
    • Known threats could be foreign addresses
    • Known threats can be leveraged with SIEMs to correlate and present data
  • TTP – Tactics, Techniques, and Procedures
  • APT – Advanced Persistent Threats
  • Insiders can also be caught with data from SIEMs

46. Factors Contributing to Incident Severity and Prioritization

  • Scope of impact
    • How much downtime are we expecting?
    • What is the recovery time to have the services back online?
    • Does the data still have integrity?
    • What is the economic impact of our data getting out?
    • The criticality of system process
  • Types of data
    • Personally Identifiable Information (PII)
    • Personal Health Information (PHI)
    • Payment Card Information (PCI)
    • Intellectual Property (IP)
    • Corporate confidential (like accounting data, mergers and acquisitions)

47. Building a Forensic Tool Kit

  • When an incident occurs – our plan should include:
    • Detect
    • Respond
    • Report
    • Recover
    • Remediate
    • Review
  • Digital forensics workstation
    • Either pre-built or build one yourself
    • Digital intelligence has a VPER
    • Ultrablock bridges (write blockers to keep data secure)
    • Create a bit for bit image using a digital drive (DD)
    • Verify image with MD5 hash
  • Have wiped removable media
  • Have a high resolution camera for taking pictures of assets
  • Use crime tape to block of area
  • Use tamper-proof seals to keep data secure (chain of custody)
  • Use forms
    • Use incident response plan
    • Incident form
    • Call list and escalation list

48. Tool Categories in a Forensic Investigation Suite

  • Imaging utilities
    • Have copy of hard drive (you don’t touch) and a read only image
    • DD – Data Duplicator or Disk Dump
  • Analysis utilities
  • Chain of custody tools
    • Containers
    • Labels
  • Hashing utilities
  • OS and process analysis tools
  • Mobile device forensics and tools
  • Password crackers
  • Cryptography tools
  • Log viewers
  • Do I have a tool in these categories and do I know how to use it?

49. Communication During an Incident Response

  • First group responsible is senior management
  • Legal is important with knowing regulations
    • Staying compliant
  • HR is important so that every employee has received and understand response plans
    • Social media is an inappropriate channel for employees to disclose plans and actions as they’re happening
  • You can type history in command prompt to see last 10 commands
    • NC (netcat) opening a shell to another computer could be indicator of compromise
    • ARP cache would show IPs as well
    • A cool little command for a ping sweep is for i in 'seq 1 254'; do ping -W1 -c 1 172.20.0.$1; done > results.txt
    • An end user would have no business in doing these things
  • Having policies in place to the types of malicious behavior will allow techs and analysts to follow instructions and to follow the policy and report it
    • If a DDoS attack is against the network, you would want to report that
  • In the case of a cyber incident, one of those reasons for reporting is being timely, especially in the case of phishing emails
    • Sending an email to everyone warning them of the attack would be beneficial
  • Limit communication of cyber incidents to trusted parties
  • Disclose incidents based on requirements or legislation
  • Regular and effective security awareness training to prevent inadvertent release
  • Secure methods of communications
  • Responsibility lies with tech to report to manager
    • Manager is usually the one who interacts with law enforcement
    • The tech or analyst will be brought in as necessary
  • Some places do not have the in-house resources to properly deal with incident response
    • We may want to consider outsourcing this critical process

50. Abnormal Traffic Patterns that May Indicate a Cyber Incident

  • Network related symptoms
  • Has bandwidth consumption changed?
  • What is normal bandwidth consumption?
    • Google Free bandwidth tools to build the baseline
  • Has there been unusual traffic spikes?
    • Updates are one thing but what about access during strange times from someone’s computer?
    • Information could be leaked out to an unauthorized computer.
    • You can use a SIEM to correlate that and get more info
  • Are there irregular or unauthorized Peer to Peer communications?
    • Botnets or file shares, malware, and so on
  • Beaconing, not referring to wireless networks
    • System that’s sending a strange message out to an external address
    • Calling out to command and control centers
    • IDS/IPS and Firewalls should identify and mitigate that traffic
  • Systems on inside are protected by NAT so they’ll be harder to see
    • Port 6783 could be blocked and ACLs updated

51. Network Scans as a Symptom of a Cyber Incident

  • Rogue devices – not company authorized, we want to find it and remove it
    • Triangulate the device if it’s on the wireless
    • Address behavior of someone who put this on the network
  • Scan sweep – unauthorized scans could be classified as a cyber incident
  • TCP SYN packets going from the host at to the host at, with the TCP destination port-number being incremented with each new packet is a host port scan
  • Specific port or service scan – could raise alarms as well
  • Internal computer doing reconnaissance on another subnet is another red flag
  • Identify and stop malicious activity before it interferes with official business

52. Host-Related Cybersecurity Symptoms

  • If a host is slow that doesn’t mean there’s a cyber incident
    • However, degradation of services causing the slowness could potentially mean there is one
  • Processor consumption abnormally high for a long period of time
  • High memory consumption is no longer normal
    • In the old days you just needed to restart the application or the computer and be done
    • Now, high ram consumption isn’t something to brush off
  • Unexplained drive capacity consumption
    • Visual tools are very helpful here
    • Daisy disk is very useful for macs
  • Only install authorized software
  • Unexplained or unauthorized user access or rights (privileges)
    • Privilege escalation is a signal of compromise
  • Malicious processes
  • Data exfiltration
  • Unauthorized changes
    • Hopefully there is systems in place to warn of changes
  • Rootkits could modify BIOS
    • TPM helps with integrity with CRTM (Core Root of Trust)
    • Validate every step of the boot process

53. Application-Related Cyber Incident Symptoms

  • Service interruption
  • Memory overflows
  • Unexpected output
  • Anomalous activity
  • Unexpected outbound communication
  • Use tools like netstat to take a look
  • Some applications create a new service account

54. Containment and Eradication Techniques

  • Segmentation and isolation by VLANs
  • ACLs on routers
  • Servers that are airgapped
  • Separation of management and user network
  • Lessons learned report is a helpful review
  • Removal
  • Reverse engineering
    • Logs
    • SIEM
  • Eradication
    • Sanitization
    • Reconstruction or reimage
    • Secure disposal

55. Validation of Post-Incident Remediation

  • If we have a good inventory and a good scanner, it’s time to test the fix in a test environment
  • Use change management to apply and validate
  • Scan -> Correct -> Scan again in both test and production
  • If clients don’t know what servers they have, we can scan and fingerprint to find what’s on the network
  • Do triage by focusing on the most important issue first and go to the next issue and so on
  • Look for additional accounts and accounts with excessive permissions
    • Attackers want to get access and maintain that access
  • Verify logging communication to security monitoring system
    • Syslog or SIEM
    • Attackers may try to delete logs as they attack
    • shipping logs as they happen are important
    • Changes being made can be a tipoff

56. Corrective Actions, Updates, and Reports

  • Meet as a group to discuss what went well and what can be improved
    • The intent is not to shame but to improve
  • Lessons learned report(s)
    • When things happened
    • What the impact was
    • What the shortfalls were
    • What should we update
  • Update change control process
    • The accurate the update is, the better
  • Incident summary report(s)
    • The key here is summary
    • How and when the incident was detected
    • What the scope is
    • How and when the incident was corrected
    • What worked and what didn’t work
    • What can be improved
    • For details, go back to the lessons learned report

4. Security Architecture and Tool Sets

57. Security Frameworks for IT

  • NIST – National Institute of Standards and Technology from US Department of Commerce
    • Cybersecurity framework: identify, protect, detect, respond, and recover
  • ISO – International Organization for Standardization
    • In collaboration with the IEC which is the International Electro Technical Commission
    • They have a 27000 series of documents about information security management
  • COBIT – Control Objectives for Information and related Technology or at least that’s how it was started
    • Some people may refer to it as control objectives for IT
    • Governance and management of IT
    • Has 4 main domains: Plan and organize (PO), acquire and implement (AI), deliver and support (DS), monitor and evaluate (ME)
    • Behind that is 5 core principles: meeting stakeholder needs, covering the enterprise end to end, applying a single integrated framework, enabling a holistic approach, and separating governance from management
  • SABSA – Sherwood Applied Business Security Architecture
    • Enterprise security architecture framework
    • Around the 6 basic questions of what, where, when, why, who, and how?
    • There are 6 layers in their matrix: operational, component, physical, logical, conceptual, and contextual
  • TOGAF – The Open Group Architecture Framework
    • Framework for designing, planning, implementation, and governance of IT
    • There are 4 primary domains for architecture including business, applications, data, and technical
  • ITIL – Information Technology Infrastructure Library
    • There are 5 core publications, all of which are focused on aligning IT with the needs of the business
    • The 5 core publications regarding services in IT are strategy, design, transition, operation, and continual service improvement
    • Behind that there are dozens of processes associated with each of those publications
  • You don’t have to do all or nothing, you can pick and choose which pieces work well for your security program
    • There’s a good chance an organization that you’ll work with will be using one or more of these frameworks
    • Or if they’re not, we may want to get them familiar with one or more of them so they start integrating the principles in order to help them with IT governance, including security of sensitive data

58. Regulatory Compliance and Control Types

  • Some have very specific actions required
  • Never send information in clear text over the network
  • Use certificates on web server from a CA and use HTTPS or SSL
  • Controls
    • Selected based on criteria
    • These could be in addition to what’s required externally
    • Purpose of controls:
      • Detection
      • Deterrent
      • Preventive
      • Corrective
      • Compensative
  • 3 basic types:
    • Physical
    • Logical (technical)
    • Administrative (duties, checks, training)
  • Verification and quality control

59. Verification and Validation of Controls

  • Validate the capacity of what you’ve done
  • Assessments
    • Identify assets
  • Evaluations
    • Fuzzing
  • Audits
    • Unbiased opinion
    • Check and validate issue is corrected
    • A follow up audit may be required
  • Maturity model
    •   Big environments
  • Certification

60. Having Policies to Improve Security

  • Policies – what we want to have happen
    • Passphrase policy (login attempts)
    • Acceptable use policy
    • Data ownership
      • Senior management is ultimately responsible
      • It should be spelled out in a policy
    • Data retention policy
      • Legal requirements
      • Where it’s stored
    • Account management policy
      • Unused accounts
      • Inactive accounts
    • Data classification policy
      • Labels
      • MAC
  • Procedures – specifics on how to make it happen

61. Having Procedures to Improve Security

  • Individual steps to carry out the policies
  • Continuous monitoring
  • Audits
  • Scanning
  • Preserving and protecting evidence (production)
  • Patching (change control)
  • Compensating control development
  • Control testing procedures (up to date)
  • Managing exceptions (not right away, managing at a later time)
  • Remediation plans (incident response covers gaps in actions)

62. Identity Context and Repositories

  • Cover our assets
  • Context-based authentication and authorization:
    • Time period or range, like working hours
    • Location or traveling, think of your credit cards
    • Frequency of actions like logging into to many machines or based on time
  • This can be based on machine learning or heuristics
  • Identities:
    • Users
    • Devices
    • Access points
    • Servers
    • Services
    • Logical objects like groups
  • Identity repositories:
    • Services through LDAP
    • RADIUS server
    • Cisco shops using TACACS+ to authenticate administrators

63. SSO and Federations

  • Reduces the number of times a user has to login
  • Active directory services is a good example
  • Federation is a cooperation between 2 organizations
  • SAML 2.0 helps automate the process, including provisioning and deprovisioning
  • Use a password reset self service and two-factor authentication

64. Exploits Related to Identity and Access

  • Impersonation of IT staff
  • Man in the middle attack (MITM)
    • Attacker lies or appears to be a device like a layer 2 address of a default gateway
  • Session hijack through denial of service and then jumping in on the session
  • Cross-site scripting (XSS)
    • Inject a script that an unsuspecting user unintentionally runs
  • Privilege escalation raises the privileges above what is intended
  • Rootkits is software that runs so low that it’s hard to detect
    • Limited local rights to install software
    • Use chips on motherboard to verify code, including BIOS

65. Recommending Compensating Controls

  • Having good tools and good data
    • SIEMS are awesome
  • Security data analytics:
    • SIEMS
    • Maybe Syslog server
  • Defense in Depth: Personnel
    • Training
    • Dual control
    • Separation of duties
    • 3rd parties
    • Consultants
    • Cross train
    • Mandatory vacation
    • Succession planning
  • Defense in Depth: Processes
    • Constantly improving
    • Updating
  • Defense in Depth: Technologies
    • Automated reporting
    • Correct complement of security devices
    • Endpoint security suites
    • Outsourcing (security as a service)
    • Using cryptography appropriately (PKI, remote management)
    • Network design and segmentation

66. Best Practices During Software Development

  • Define security requirements
  • Security testing phases:
    • Static code analysis, reviewed line by line
    • Web app vulnerability scanning
    • Fuzzing
      • Auto generate and input different and random datasets
    • Interception proxy like burp
      • Interact with a website step by step
    • Manual peer reviews
      • Keeping programmers honest (no back doors)
    • User acceptance testing
    • Stress testing
      • Find the tipping point to avoid future interruptions
    • Security regression testing
      • Verify updates don’t break functionality
    • Input validation
      1. Sanitize data
      2. Validation
        • This helps avoid things like SQL injection

67. Secure Coding Best Practices

  • SANS
  • CIS
    • OWASP Top 10 Project

68. Identifying Preventive Tools and Technologies

  • IDS / IPS (network or host based)
  • Firewalls
  • Anti-x (virus, malware, etc.)
  • Web proxy
  • Web application firewalls
  • Get lots of info regarding products
    • Look at Gartner
  • Snort and Bro for network security monitoring
  • Review best product articles from credible sources
  • ModSecurity, NAXSI, Imperva for web app firewalls

69. Selecting and Applying Appropriate Preventive Tools

  • Solutions:
    • Firewall
    • WAF
    • NIPS / HIPS
    • App whitelisting
    • Input validation
    • Secure coding
  • Keeping software up to date and have limited rights when able
  • 2FA
  • Isolation and separation of networks
  • Use ACL in routers and firewalls
  • Leverage WAF for any device with a web based presence, like an IDS
  • Identify malicious traffic and take appropriate action
  • Use HIPS on workstations and servers where appropriate
  • Only authorize official applications
  • Best practices with web server especially

70. Tools and Technologies for Information Collection

  • Security information and event management (SIEM) is a great collection point for multiple devices on the network to look for trends or indicators (like APT) to analyze and correlate log information
    • HP Arcsight
    • IBM QRadar
    • Splunk
    • AlienVault
    • Kiwi Syslog
  • Network and vulnerability scanning
    • Qualys
    • Nessus
    • Nexpose
    • OpenVAS
    • Nikto
    • Microsoft Baseline Security Analyzer
    • OWASP
    • Retina
    • Secure Cheq
    • Core Impact
    • SAINT
    • Kali Linux Distribution
  • Packet capture
    • Wireshark
    • tcpdump -i eth0
    • Maybe ping
    • Aircrack – ng
  • Command line utilities
    • NMAP
    • Netstat
    • Traceroute / tracert
    • Ipconfig / ifconfig
    • Ping
    • Nslookup / dig
    • Sysinternals utilities
  • Network or host IDS/IPS
    • Bro

71. Tools and Tech for Analysis, Exploits, and Forensics

  • Analytical
    • Vulnerability scanning
      • Qualys
      • Nessus
      • OpenVAS
      • Nexpose
      • Nikto
      • Microsoft BSA
    • Monitoring tools
      • MRTG
      • Nagios
      • SolarWinds
      • Cacti
      • NetFlow Analyzer
    • Interception proxy
      • Burp Suite
      • Zap
      • Vega
  • Exploit
    • Interception proxy
      • Burp Suite
      • Zap
      • Vega
    • Exploit framework
      • Metasploit
      • Nexpose
    • Fuzzers
      • Untidy
      • Peach Fuzzer
      • Microsoft SDL File/ Regex Fuzzer
  • Forensics
    • Forensic suites
      • EnCase
      • FTK
      • Helix
      • Sysinternals
      • Cellebrite
    • Hashing
      • MD5sum
      • SHAsum
    • Password cracking
      • John the Ripper
      • Cain & Abel
    • Imaging
      • DD
  • Usually considered a security violation to scan or analyze the corporate network
  • Favorite tool is Kali Linux
    • The tool is super easy to use
    • SPARTA is pretty fun to fingerprint services
      • Uses NMAP
  • Raspberry Pi installs can happen within the network, you don’t just have to worry about the outside


YEAH. We did it. Almost 10K words of CompTIA CySA+ CS0-001 goodness. Let me know what was easy for your and of course, what you had trouble with.

If anything needs to be corrected or added, please sound off in the comments below.

Thanks and good luck on the exam!

Update: I intend to take the CASP at some point but that probably won’t be the next exam I sit for. The next exam will most likely be from a different vendor – the CISSP!

Update 2: Yes indeed, the next exam on the list is to tackle the CISSP. I publicly committed to taking it and passing it. Here’s the CISSP exam overview and the CISSP study notes.

Pin It on Pinterest