Threats, Attacks, and Vulnerabilities - 24%

• Hybrid warfare
• Social media

24. Principles (reasons for effectiveness)

• Authority
• Intimidation
• Consensus
• Scarcity
• Familiarity
• Trust
• ​Urgency

• Ransomware
• Trojans
• Worms
• Potentially unwanted programs (PUPs)
• Fileless virus
• Command and control
• Bots
• Cryptomalware
• ​Logic bombs
• Spyware
• Keyloggers
• ​Remote access Trojan (RAT)
• Rootkit
• Backdoor

• Spraying
• Dictionary
• Brute force
  - Offline
  - Online
• Rainbow table
• Plaintext/unencrypted

3. Physical attacks

• Malicious Universal Serial Bus (USB) cable
• Malicious flash drive
• Card cloning
• Skimming

4. Adversarial artificial intelligence (AI)

• Tainted training data for machine learning (ML)
• ​Security of machine learning algorithms

• Birthday
• Collision
• Downgrade

• Structured query language (SQL)
• Dynamic-link library (DLL)
• Lightweight Director Access Protocol (LDAP)
• Extensible Markup Language (XML)

4. Pointer/object dereference
5. Directory traversal
6. Buffer overflows
7. Race conditions

• Time of check/time of use

8. Error handling
9. Improper input handling
10. Replay attack

• Session replays

11. Integer overflow
12. Request forgeries

• Server-side
• Cross-site

13. Application programming interface (API) attacks
14. Resource exhaustion
15. Memory leak
16. Secure Sockets Layer (SSL) stripping
17. Driver manipulation

• Shimming
• Refactoring

18. Pass the hash

• Evil twin
• Rogue access point
• Bluesnarfing
• Bluejacking
• Disassociation
• Jamming
• Radio frequency identification (RFID)
• Near-field communication (NFC)
• Initialization vector (IV)

2. On-path attack (previously known as man-in-the-middle attack/man-in-the-browser attack)
3. Layer 2 attacks

• Address Resolution Protocol (ARP) poisoning
• Media access control (MAC) flooding
• MAC cloning

4. Domain name system (DNS)

• Domain hijacking
• DNS poisoning
• Uniform Resource Locator (URL) redirection
• Domain reputation

5. Distributed denial-of-service (DDoS)

• Network
• Application
• Operational technology (OT)

6. Malicious code or script execution

• PowerShell
• Python
• Bash
• Macros
• ​Visual Basic for Applications (VBA)

• Advanced persistent threat (APT)
• Insider threats
• State actors
• Hacktivists
• Script kiddies
• Criminal syndicates
• Hackers
  - Authorized
  - Unauthorized
  - Semi-authorized
• Shadow IT
• Competitors

2. Attributes of actors

• Internal/external
• Level of sophistication/capability
• Resources/funding
• Intent/motivation

3. Vectors

• Direct access
• Wireless
• Email
• Supply chain
• Social media
• Removable media
• Cloud

4. Threat intelligence sources

• Open-source intelligence (OSINT)
• Closed/proprietary
• Vulnerability databases
• Public/private information-sharing centers
• Dark web
• Indicators of compromise
• Automated Indicator Sharing (AIS)
  - Structured Threat Information eXpression (STIX)/Trusted Automated eXchange of Intelligence Information (TAXII)
• Predictive analysis
• Threat maps
• File/code repositories

5. Research sources

• Vendor websites
• Vulnerability feeds
• Conferences
• Academic journals
• Request for comments (RFC)
• Local industry groups
• Social media
• Threat feeds
• ​Adversary tactics, techniques, and procedures (TTP)

• Open permissions
• Unsecure root accounts
• Errors
• Weak encryption
• Unsecure protocols
• Default settings
• ​Open ports and services

• Vendor management
  - System integration
  - Lack of vendor support
• Supply chain
• Outsourced code development
• Data storage

• Firmware
• Operating system (OS)
• Applications

6. Legacy platforms
7. Impacts

• Data loss
• Data breaches
• Data exfiltration
• Identity theft
• Financial
• Reputation
• ​Availability loss

• Intelligence fusion
• Threat feeds
• Advisories and bulletins
• Maneuver

2. Vulnerability scans

• False positives
• False negatives
• Log reviews
• Credentialed vs. non-credentialed
• Intrusive vs. non-intrusive
• Application
• Web application
• Network
• Common Vulnerabilities and Exposures (CVE)/Common Vulnerability Scoring System (CVSS)
• Configuration review

3. Syslog/Security information and event management (SIEM)

• Review reports
• Packet capture
• Data inputs
• User behavior analysis
• Sentiment analysis
• Security monitoring
• Log aggregation
• ​Log collectors

• Known environment
• Unknown environment
• ​Partially known environment
• Rules of engagement
• Lateral movement
• Privilege escalation
• Persistence
• Cleanup
• Bug bounty
• ​Pivoting

• Drones
• War flying
• War driving
• Footprinting
• OSINT

3. Exercise types

• Red-team
• Blue-team
• White-team
• ​Purple-team

Architecture and Design - 21%

• Diagrams
• Baseline configuration
• Standard naming conventions
• Internet protocol (IP) schema

2. Data sovereignty
3. Data protection

• Data loss prevention (DLP)
• Masking
• Encryption
• At rest
• In transit/motion
• In processing
• Tokenization
• Rights management

4. Geographical considerations
5. Response and recovery controls
6. Secure Sockets Layer (SSL)/Transport Layer Security (TLS) inspection
7. Hashing
8. API considerations
9. Site resiliency

• Hot site
• Cold site
• Warm site

10. Deception and disruption

• Honeypots
• Honeyfiles
• Honeynets
• Fake telemetry
• ​DNS sinkhole

• Infrastructure as a service (IaaS)
• Platform as a service (PaaS)
• Software as a service (SaaS)
• Anything as a service (XaaS)
• Public
• Community
• Private
• ​Hybrid

2. Cloud service providers
3. Managed service provider (MSP)/managed security service provider (MSSP)
4. On-premises vs. off-premises
5. Fog computing
6. Edge computing
7. Thin client
8. Containers
9. Microservices/API
10. Infrastructure as code

• Software-defined networking (SDN)
• Software-defined visibility (SDV)

11. Serverless architecture
12. Services integration
13. Resource policies
14. Transit gateway
15. Virtualization

• Virtual machine (VM) sprawl avoidance
• VM escape protection

• Development
• Test
• Staging
• Production
• Quality assurance (QA)

2. Provisioning and deprovisioning
3. Integrity measurement
4. Secure coding techniques

• Normalization
• Stored procedures
• Obfuscation/camouflage
• Code reuse/dead code
• Server-side vs. client-side execution and validation
• Memory management
• Use of third-party libraries and software development kits (SDKs)
• Data exposure

5. Open Web Application Security Project (OWASP)
6. Software diversity

• Compiler
• Binary

7. Automation/scripting

• Automated courses of action
• Continuous monitoring
• Continuous validation
• Continuous integration
• Continuous delivery
• Continuous deployment

8. Elasticity
9. Scalability
10. Version control

• Directory services
• Federation
• Attestation
• Technologies
  - Time-based one-time password (TOTP)
  - HMAC-based one-time password (HOTP)
  - Short message service (SMS)
  - Token key
  - Static codes
  - Authentication applications
  - Push notifications
  - Phone call
• Smart card authentication

• Fingerprint
• Retina
• Iris
• Facial
• Voice
• Vein
• Gait analysis
• Efficacy rates
• False acceptance
• False rejection
• Crossover error rate

• Factors
  - Something you know
  - Something you have
  - Something you are
• Attributes
  - Somewhere you are
  -Something you can do
  -Something you exhibit
  - Someone you know

• Geographic dispersal
• Disk
  -Redundant array of inexpensive disks (RAID) levels
  -Multipath
• Network
  -Load balancers
  -Network interface card (NIC) teaming
• Power
  -Uninterruptible power supply (UPS)
  -Generator
  -Dual supply
  -Managed power distribution units (PDUs)

2. Replication

• Storage area network
• VM

3. On-premises vs. cloud
4. Backup types

• Full
• Incremental
• Snapshot
• Differential
• Tape
• Disk
• Copy
• Network-attached storage (NAS)
• Storage area network
• Cloud
• Image
• Online vs. offline
• Offsite storage
  -Distance considerations

5. Non-persistence

• Revert to known state
• Last known-good configuration
• Live boot media

6. High availability

• Scalability

7. Restoration order
8. Diversity

• Technologies
• Vendors
• copyright
• ​Controls

• Raspberry Pi
• Field-programmable gate array (FPGA)
• Arduino

2. Supervisory control and data acquisition (SCADA)/industrial control system (ICS)

• Facilities
• Industrial
• Manufacturing
• Energy
• Logistics

3. Internet of Things (IoT)

• Sensors
• Smart devices
• Wearables
• Facility automation
• Weak defaults

4. Specialized

• Medical systems
• Vehicles
• Aircraft
• Smart meters

5. Voice over IP (VoIP)
6. Heating, ventilation, air conditioning (HVAC)
7. Drones
8. Multifunction printer (MFP)
9. Real-time operating system (RTOS)
10. Surveillance systems
11. System on chip (SoC)
12. Communication considerations

• 5G
• Narrow-band
• Baseband radio
• Subscriber identity module (SIM) cards
• Zigbee

13. Constraints

• Power
• Compute
• Network
• copyright
• Inability to patch
• Authentication
• Range
• Cost
• ​Implied trust

• Motion recognition
• Object detection

7. Closed-circuit television (CCTV)
8. Industrial camouflage
9. Personnel

• Guards
• Robot sentries
• Reception
• Two-person integrity/control

10. Locks

• Biometrics
• Electronic
• Physical
• Cable locks

10. USB data blocker
11. Lighting
12. Fencing
13. Fire suppression
14. Sensors

• Motion detection
• Noise detection
• Proximity reader
• Moisture detection
• Cards
• Temperature

15. Drones
16. Visitor logs
17. Faraday cages
18. Air gap
19. Screened subnet (previously known as demilitarized zone)
20. Protected cable distribution
21. Secure areas

• Air gap
• Vault
• Safe
• Hot aisle
• Cold aisle

22. Secure data destruction

• Burning
• Shredding
• Pulping
• Pulverizing
• Degaussing
• ​Third-party solutions

• Communications
• Computing

10. Post-quantum
11. Ephemeral
12. Modes of operation

• Authenticated
• Unauthenticated
• Counter

13. Blockchain

• Public ledgers

14. Cipher suites

• Stream
• Block

15. Symmetric vs. asymmetric
16. Lightweight cryptography
17. Steganography

• Audio
• Video
• Image

18. Homomorphic encryption
19. Common use cases

• Low power devices
• Low latency
• High resiliency
• Supporting confidentiality
• Supporting integrity
• Supporting obfuscation
• Supporting authentication
• Supporting non-repudiation

20. Limitations

• Speed
• Size
• Weak keys
• Time
• Longevity
• Predictability
• Reuse
• Entropy
• Computational overheads
• ​Resource vs. security constraints

Implementation - 25%

• Domain Name System Security Extensions (DNSSEC)
• SSH
• Secure/Multipurpose Internet Mail Extensions (S/MIME)
• Secure Real-time Transport Protocol (SRTP)
• Lightweight Directory Access Protocol Over SSL (LDAPS)
• File Transfer Protocol, Secure (FTPS)
• SSH File Transfer Protocol (SFTP)
• Simple Network Management Protocol, version 3 (SNMPv3
• Hypertext transfer protocol over SSL/TLS (HTTPS)
• IPSec
  -Authentication header (AH)/Encapsulating Security Payloads (ESP)
  -Tunnel/transport
• Post Office Protocol (POP)/Internet Message Access Protocol (IMAP)

2. Use cases

• Voice and video
• Time synchronization
• Email and web
• File transfer
• Directory services
• Remote access
• Domain name resolution
• Routing and switching
• Network address allocation
• ​Subscription services

• Antivirus
• Anti-malware
• Endpoint detection and response (EDR)
• DLP
• Next-generation firewall (NGFW)
• Host-based intrusion prevention system (HIPS)
• Host-based intrusion detection system (HIDS)
• Host-based firewall

2. Boot integrity

• Boot security/Unified Extensible Firmware Interface (UEFI)
• Measured boot
• Boot attestation

3. Database

• Tokenization
• Salting
• Hashing

4. Application security

• Input validations
• Secure cookies
• Hypertext Transfer Protocol (HTTP) headers
• Code signing
• Allow list
• Block list/deny list
• Secure coding practices
• ​Static code analysis
  - Manual code review
• Dynamic code analysis
• Fuzzing

5. Hardening

• Open ports and services
• Registry
• Disk encryption
• OS
• ​Patch management
  - Third-party updates
  - Auto-update

6. Self-encrypting drive (SED)/full-disk encryption (FDE)

• Opal

7. Hardware root of trust
8. Trusted Platform Module (TPM)
9. Sandboxing

• Active/active
• Active/passive
• Scheduling
• Virtual IP
• Persistence

• Virtual local area network (VLAN)
• Screened subnet (previously known as demilitarized zone)
• East-west traffic
• Extranet
• Intranet
• Zero Trust

• Always-on
• Split tunnel vs. full tunnel
• Remote access vs. site-to-site
• IPSec
• SSL/TLS
• HTML5
• Layer 2 tunneling protocol (L2TP)

• Agent and agentless

• Broadcast storm prevention
• Bridge Protocol Data Unit (BPDU) guard
• Loop prevention
• Dynamic Host Configuration Protocol (DHCP) snooping
• Media access control (MAC) filtering

• Jump servers
• Proxy servers
  -Forward
  -Reverse
• Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS)
  -Signature-based
  -Heuristic/behavior
  -Anomaly
  -Inline vs. passive
• HSM
• Sensors
• Collectors
• Aggregators
• Firewalls
  -Web application firewall (WAF)
  -NGFW
  -Stateful
  -Stateless
  -Unified threat management (UTM)
  -Network address translation (NAT) gateway
  -Content/URL filter
  -Open-source vs. proprietary
  -Hardware vs. software
  -Appliance vs. host-based vs. virtual

• Port taps

• WiFi Protected Access 2 (WPA2)
• WiFi Protected Access 3 (WPA3)
• Counter-mode/CBC-MAC Protocol (CCMP)
• Simultaneous Authentication of Equals (SAE)

2. Authentication protocols

• Extensible Authentication Protocol (EAP)
• Protected Extensible Authentication Protocol (PEAP)
• EAP-FAST
• EAP-TLS
• EAP-TTLS
• IEEE 802.1X
• Remote Authentication Dial-in User Service (RADIUS) Federation

3. Methods

• Pre-shared key (PSK) vs. Enterprise vs. Open
• WiFi Protected Setup (WPS)
• Captive portals

4. Installation considerations

• Site surveys
• Heat maps
• WiFi analyzers
• Channel overlaps
• Wireless access point (WAP) placement
• ​Controller and access point security

• Cellular
• WiFi
• Bluetooth
• NFC
• Infrared
• USB
• Point-to-point
• Point-to-multipoint
• Global Positioning System (GPS)
• RFID

2. Mobile device management (MDM)

• Application management
• Content management
• Remote wipe
• Geofencing
• Geolocation
• Screen locks
• Push notifications
• Passwords and PINs
• Biometrics
• Context-aware authentication
• Containerization
• Storage segmentation
• ​Full device encryption

• MicroSD hardware security module (HSM)
• MDM/Unified Endpoint Management (UEM)
• Mobile application management (MAM)
• SEAndroid

4. Enforcement and monitoring of:

• Third-party application stores
• Rooting/jailbreaking
• Sideloading
• Custom firmware
• copyright unlocking
• Firmware over-the-air (OTA) updates
• Camera use
• SMS/Multimedia Messaging Service (MMS)/Rich Communication Services (RCS)
• External media
• USB On-The-Go (USB OTG)
• Recording microphone
• GPS tagging
• WiFi direct/ad hoc
• Tethering
• Hotspot
• ​Payment methods

• Bring your own device (BYOD)
• Corporate-owned personally enabled (COPE)
• Choose your own device (CYOD)
• Corporate-owned
• Virtual desktop infrastructure (VDI)

• High availability across zones
• Resource policies
• Secrets management
• Integration and auditing
• Storage
  -Permissions
  -Encryption
  -Replication
  -High availability
• Network
  -Virtual networks
  -Public and private subnets
  -Segmentation
  -API inspection and integration
• Compute
  -Security groups
  -Dynamic resource allocation
  -Instance awareness
  -Virtual private cloud (VPC) endpoint
  -Container security

2. Solutions

• CASB
• Application security
• Next-generation secure web gateway (SWG)
• Firewall considerations in a cloud environment
  -Cost
  -Need for segmentation
  -Open Systems Interconnection (OSI) layers

3. Cloud native controls vs. third-party solutions

• Identity provider (IdP)
• Attributes
• Certificates
• Tokens
• SSH keys
• Smart cards

2. Account types

• User account
• Shared and generic accounts/credentials
• Guest accounts
• Service accounts

3. Account policies

• Password complexity
• Password history
• Password reuse
• Network location
• Geofencing
• Geotagging
• Geolocation
• Time-based logins
• Access policies
• Account permissions
• Account audits
• Impossible travel time/risky login
• Lockout
• ​Disablement

• Password keys
• Password vaults
• TPM
• HSM
• Knowledge-based authentication

2. Authentication/authorization

• EAP
• Challenge-Handshake Authentication Protocol (CHAP)
• Password Authentication Protocol (PAP)
• 802.1X
• RADIUS
• Single sign-on (SSO)
• Security Assertion Markup Language (SAML)
• Terminal Access Controller Access Control System Plus (TACACS+)
• OAuth
• OpenID
• Kerberos

3. Access control schemes

• Attribute-based access control (ABAC)
• Role-based access control
• Rule-based access control
• MAC
• Discretionary access control (DAC)
• Conditional access
• Privileged access management
• ​Filesystem permissions

• Key management
• Certificate authority (CA)
• Intermediate CA
• Registration authority (RA)
• Certificate revocation list (CRL)
• Certificate attributes
• Online Certificate Status Protocol (OCSP)
• Certificate signing request (CSR)
• CN
• Subject alternative name
• Expiration

2. Types of certificates

• Wildcard
• Subject alternative name
• Code signing
• Self-signed
• Machine/computer
• Email
• User
• Root
• Domain validation
• Extended validation

3. Certificate formats

• Distinguished encoding rules (DER)
• Privacy enhanced mail (PEM)
• Personal information exchange (PFX)
• .cer
• P12
• ​P7B

• Online vs. offline CA
• Stapling
• Pinning
• Trust model
• Key escrow
• Certificate chaining