Cisco Certified Support Technician (CCST) Cybersecurity course by Keith eny.

Essential Security Principles 1.1: Define essential security principles. Vulnerabilities, threats, exploits and risks; attack vectors; hardening; defense in depth; confidentiality, integrity and availability (CIA); types of attackers; reasons for attacks; code of ethics.

Vulnerabilities, threats, exploits and risk. Vulnerability: a gap or weakness in a system. Threat: something that can damage your asset. Risk: threat probability and the impact of a vulnerability (potential harm). Exploit: a program created to take advantage of a vulnerability in an application or computer system.

Attack vectors. The attack surface describes all the different points (attack vectors) where attackers could get into our system; it is sometimes defined as the sum of all possible security risk exposures. Examples of attack vectors: ransomware, compromised passwords, misconfigurations, DoS and DDoS attacks, poor security solutions and protocols, IoT.

Hardening. Hardening is the process of increasing the resistance of a system to hacking by reconfiguration.

Defense in depth. Defense in depth is a way of designing IT security; it consists of the introduction of many independent layers of security.

Confidentiality, integrity and availability (CIA). Confidentiality: information is not disclosed to unauthorized individuals. Integrity: changes are allowed only in a specified and authorized manner. Availability: systems and applications are available for end users.

Attackers. Types of attackers: white hat hackers are ethical hackers conducting security testing; black hat hackers have malicious intent and engage in illegal activities; gray hat hackers operate with ambiguous ethics and may break laws for a perceived good. Other types: script kiddies (inexperienced, using existing tools), hacktivists (political or social motives), organized crime (financial gain), state sponsored (national interests), insiders (employees or affiliates with access).

Reasons for attacks and code of ethics. Reasons for attacks: financial gain (stealing money or information), political motives (influencing policy or opinion), revenge (personal or professional grievances), challenge or fun (for the thrill or to prove ability), espionage (gathering intelligence). Code of ethics for ethical hacking: integrity (acting honestly, not manipulating information), confidentiality (protecting sensitive information), legality (complying with laws and regulations), respect (recognizing rights and following consent), competence (keeping skills updated, acting responsibly).

Essential Security Principles 1.2: Explain common threats and vulnerabilities. Malware, ransomware, denial of service, botnets, social engineering attacks (tailgating, spear phishing, phishing, smishing, etc.), physical attacks, man in the middle, IoT vulnerabilities, insider threats, advanced persistent threat (APT).

Malware. Malware, or malicious software, is an umbrella term that describes any malicious program or code that is harmful to systems. Hostile, intrusive and intentionally nasty, malware seeks to invade, damage or disable computers, computer systems, networks, tablets and mobile devices, often by taking partial control over a device's operations. The most common types of malware: Adware is unwanted software designed to throw advertisements up on your screen, most often within a web browser; typically it uses an underhanded method to either disguise itself as legitimate or piggyback on another program to trick you into installing it on your PC, tablet or mobile device. Spyware is malware that secretly observes the computer user's activities without permission and reports them to the software's author. A virus is malware that attaches to another program and, when executed (usually inadvertently by the user), replicates itself by modifying other computer programs and infecting them with its own bits of code. Worms are a type of malware similar to viruses; like viruses, worms are self-replicating, but the big difference is that worms can spread across systems on their own, whereas viruses need some sort of action from a user in order to initiate the infection. A Trojan, or Trojan horse, is one of the most dangerous malware types; it usually represents itself as something useful in order to trick you. Once it's on your system, the attackers behind the Trojan gain unauthorized access to the affected computer; from there, Trojans can be used to steal financial information or install other forms of malware, often ransomware.

Ransomware. Ransomware is a form of malware that locks you out of your device and/or encrypts your files, then forces you to pay a ransom to regain access. Ransomware has been called the cybercriminal's weapon of choice because it demands a quick, profitable payment in hard-to-trace cryptocurrency. The code behind ransomware is easy to obtain through online criminal marketplaces, and defending against it is very difficult. Ransomware attacks happen when hackers get into a system and lock certain data in files, demanding a payment to release the data.

Denial of service. A denial of service (DoS) attack is a malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations.

Botnets. A botnet refers to a group of computers which have been infected by malware and have come under the control of a malicious actor.

Social engineering attacks. Tailgating: in a cybersecurity context, tailgating refers to an unauthorized person following an authorized person into a secure area, such as following an employee who uses their key card to access a restricted server room. Spear phishing: the CFO received a spear phishing email that appeared to come from the CEO requesting an urgent wire transfer, a targeted attack aimed at the company's financial assets. Phishing: a general phishing attack hit several employees with emails disguised as updates from IT, leading to a malware infection within the company network. Vishing: the support team was alerted to a vishing attack where scammers were calling employees pretending to be from tech support in an attempt to gain remote access to their computers. Smishing: employees were warned about a smishing campaign where text messages containing malicious links were sent to their work phones, trying to lure them into revealing their credentials.

Physical attacks. A physical attack is a security breach that impacts operations, damages property or otherwise impacts the physical environment.

Man in the middle attack. An attack where the adversary positions himself between the user and the system so that he can intercept and alter data traveling between them.

IoT vulnerabilities. IoT service vulnerabilities can present new entry points to other devices connected to home networks, such as laptops and computers.

Insider threats. An insider threat is a perceived threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.

Advanced persistent threat. An advanced persistent threat (APT) is a prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period.

Essential Security Principles 1.3: Explain access management principles. Authentication, authorization and accounting (AAA); RADIUS; multifactor authentication (MFA); password policies.

Authentication, authorization and accounting (AAA). Authentication: who or what are you? Authorization: what are you allowed to do? Accounting: what did you do? Authentication identifies users by asking for a username and password; encryption can be added as well to make it more secure. In many companies you find an Active Directory server as the user database. Authorization tells a network device what you are allowed to do once you have authenticated; we use RADIUS or TACACS+ servers to achieve that. On Cisco devices TACACS+ is much better, as it offers more options and is more secure. Accounting is collecting the logs and information required to track all actions; it is very important to implement this option in your network.

RADIUS. RADIUS is a networking protocol that authorizes and authenticates users who access a remote network.

Multifactor authentication. Something you know, something you are, something you have.

Password policies. Password policies outline requirements such as minimum length, composition and complexity, expiration dates, storage, etc.

Essential Security Principles 1.4: Explain encryption methods and applications. Types of encryption; hashing; certificates; public key infrastructure (PKI); strong versus weak encryption algorithms; states of data and appropriate encryption (data in transit, data at rest, data in use); protocols that use encryption.

Encryption. Encryption means transforming information to make it unreadable and to prevent unauthorized access; you need a secret key (a decryption key or password) to see what's inside. It is used for data confidentiality.

Hashing. Hashing is a data security technique used to convert data values into alternate, unique identifiers called hashes, for quick and secure access.

Certificate. A certificate is a digital certificate used to authenticate users, network devices, servers and other devices. A certificate authority (CA) is the entity that can issue trusted digital certificates.

Public key infrastructure (PKI). PKI is a system for the creation, storage and distribution of digital certificates, which are used to verify that a particular public key belongs to a certain entity.

Strong versus weak encryption. Weak: an encryption algorithm which can be broken within a time frame that would enable the breaker to take advantage of the information that has been encrypted. Strong: strong encryption means encryption that meets then-current industry standards (for example NIST) relating to the strength of the algorithm, the secrecy of the key, the initialization vectors and how they all work together within the cryptosystem.

Data in transit, data at rest, data in use. Data in transit: protect data in transit by using secure protocols like HTTPS and by avoiding public or unsecured networks. Data at rest: protect data at rest by encrypting it with strong and up-to-date encryption algorithms and by storing it in locations with limited access and reliable authentication mechanisms. Data in use: protect data in use by implementing access controls and monitoring systems, using endpoint protection and encryption technologies, and training employees to follow best practices for handling sensitive data.

Protocols that use encryption. Triple DES (3DES) uses three individual keys with 56 bits each. AES, the Advanced Encryption Standard, is the algorithm trusted as the standard by the US government and numerous organizations, and is also found in Arcserve Unified Data Protection (UDP) software. RSA is a public key encryption algorithm and the standard for encrypting data sent over the Internet. Blowfish is yet another algorithm designed to replace DES; this symmetric cipher splits messages into blocks of 64 bits and encrypts them individually. Twofish is one of the fastest of its kind and ideal for use in hardware and software environments.

Basic Network Security Concepts 2.1: Describe TCP/IP protocol vulnerabilities. TCP, UDP, IP, HTTP, ARP, ICMP, DHCP, DNS.

TCP. The TCP protocol is vulnerable to SYN flooding attacks, which involve sending a large number of SYN packets to a target system, overwhelming its resources and causing it to crash, and to session hijacking attacks, which allow an attacker to take control of a TCP session and steal or modify data.

UDP. The UDP protocol is vulnerable to UDP flooding attacks, which involve sending a large number of UDP packets to a target system, overwhelming its resources and causing it to crash, and to UDP amplification attacks, which exploit the fact that some UDP protocols return a larger response than the initial request, allowing an attacker to amplify the traffic and launch a larger-scale attack.

HTTP. The HTTP protocol is vulnerable to man-in-the-middle attacks, where an attacker intercepts the communication between a client and a server.

ARP. In an ARP spoofing attack, also known as ARP cache poisoning or ARP poison routing, an attacker sends false ARP messages to pass a MAC (media access control) address off as a legitimate IP address within the network.

ICMP. ICMP attacks exploit the capabilities of the Internet Control Message Protocol to overwhelm targeted networks and devices with requests, causing so-called bandwidth flooding, a form of denial of service (DoS) that aims to exhaust the victim's ability to handle incoming traffic.

DHCP. DHCP starvation attack: this type of attack occurs when an attacker sends more requests for new IP addresses than the DHCP server can handle; the result is that legitimate clients will not be assigned IP addresses due to the overload caused by malicious requests. DHCP flood attack: when this type of attack occurs, it overwhelms the server with so many requests that it becomes unable to respond to legitimate ones, or to respond in a timely manner, meaning long wait times. Because these types of attacks are extremely disruptive, they are considered denial of service (DoS) attacks.

DNS. DNS flood attacks involve using the DNS protocol to carry out a User Datagram Protocol (UDP) flood; threat actors deploy valid but spoofed DNS request packets at an extremely high packet rate and then create a massive group of source IP addresses. DNS spoofing, or DNS cache poisoning, involves using altered DNS records to redirect online traffic to a fraudulent site that impersonates the intended destination; once users reach the fraudulent destination, they are prompted to log in to their account.

Basic Network Security Concepts 2.2: Explain how network addresses impact network security. IPv4 and IPv6 addresses, network segmentation, CIDR notation, NAT, public versus private networks.

IPv4 and IPv6. IPv4 addresses are prone to address spoofing, where attackers can forge the source IP address of packets to disguise their origin and launch attacks like DDoS (distributed denial of service). The large address space of IPv6 (approximately 340 undecillion addresses) mitigates the need for NAT and provides better address uniqueness, which simplifies network design and enhances security. IPv6 includes built-in features like IPsec (Internet Protocol Security) as a fundamental part of the protocol suite, providing authentication, integrity and confidentiality for network communications.

MAC addresses. MAC addresses are essential for device identification, access control, monitoring and spoofing prevention, contributing significantly to network security.

Network segmentation. Network segmentation is a fundamental security best practice that strengthens the overall security posture of an organization by limiting the impact of security incidents, enhancing access control and facilitating compliance with regulatory requirements.

CIDR notation. CIDR notation plays a crucial role in enhancing network security by enabling efficient address allocation, subnetting, routing and traffic filtering, ultimately helping organizations better manage and secure their networks.

NAT. NAT offers the ability to access the Internet with more security and privacy by hiding the device IP address from the public network, even when sending and receiving traffic.

Public versus private network. A private network is exclusive to a specific individual or organization, meaning the general public cannot access it. A public network refers to any network that is open and accessible to the general public, in other words anyone and everyone.

Basic Network Security Concepts 2.3: Describe network infrastructure and technologies. Network security architecture, DMZ, virtualization, cloud, honeypot, proxy server, IDS, IPS.

Network security architecture. A network security architecture includes both network and security elements, such as the following network elements: network nodes (computers, routers, etc.), communications protocols (TCP/IP, HTTP, DNS, etc.), connection media (wired, wireless) and topologies (bus, star, mesh, etc.).
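Added example (not part of the course): a Python script that applies two of the defender-side checks implied by sections 2.1 and 2.2 above, spotting a TCP SYN flood as a pile of half-open handshakes and spotting spoofed IPv4 sources with an ingress filter built from CIDR notation and the RFC 1918 private ranges. The packet summary format, the addresses, the internal segments and the threshold are all constructed or assumed for the demo.

```python
"""Added example (not part of the course): two defender-side checks run over
packet summary lines, covering section 2.1 (TCP SYN flooding) and section 2.2
(IPv4 source spoofing, CIDR notation, public versus private addresses).

The line format, the addresses and the network layout are constructed for
this demo. Each line is: <interface> <src_ip> <dst_ip> <proto> <tcp_flags>
"""
import ipaddress
from collections import Counter

# Private address space as defined by RFC 1918, written in CIDR notation.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Segments that belong to the hypothetical organization, including its own
# public block: a packet from outside must never claim one of these as source.
INTERNAL_SEGMENTS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "198.51.100.0/24")]

# Constructed traffic sample: a normal handshake from the Internet, a normal
# internal handshake, a flood of half-open connections from many sources,
# two packets with forged sources and an ordinary DNS query.
SAMPLE_LINES = [
    "wan 203.0.113.7 10.10.1.20 tcp S",      # legitimate SYN ...
    "wan 203.0.113.7 10.10.1.20 tcp A",      # ... completed by the client's ACK
    "lan 10.10.3.9 10.10.1.25 tcp S",
    "lan 10.10.3.9 10.10.1.25 tcp A",
    "wan 192.0.2.11 10.10.1.20 tcp S",       # SYN flood: never acknowledged
    "wan 192.0.2.12 10.10.1.20 tcp S",
    "wan 192.0.2.13 10.10.1.20 tcp S",
    "wan 192.0.2.14 10.10.1.20 tcp S",
    "wan 192.0.2.15 10.10.1.20 tcp S",
    "wan 192.0.2.16 10.10.1.20 tcp S",
    "wan 10.10.3.9 10.10.1.20 tcp S",        # RFC 1918 source arriving from outside
    "wan 198.51.100.7 10.10.1.20 udp -",     # our own public range arriving from outside
    "lan 10.10.3.9 203.0.113.53 udp -",      # ordinary outbound DNS query
]


def is_spoofed_ingress(interface: str, src: str) -> bool:
    """Ingress filtering (the BCP 38 idea): a packet arriving on the
    public-facing interface must not claim a private or internal source
    address, because nothing on the Internet is legitimately addressed that
    way. Forged sources like these are the raw material of spoofed DDoS."""
    if interface != "wan":
        return False
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RFC1918 + INTERNAL_SEGMENTS)


def analyze(lines: list, syn_threshold: int = 5) -> dict:
    """Return the spoofed lines and the hosts under a suspected SYN flood.

    A SYN flood shows up as many half-open handshakes: SYN segments never
    followed by the ACK that completes the three-way handshake. Handshakes
    are tracked per (src, dst) pair so ACKs on other connections do not hide
    the missing ones.
    """
    spoofed, pending = [], set()
    for line in lines:
        iface, src, dst, proto, flags = line.split()
        if is_spoofed_ingress(iface, src):
            spoofed.append(line)
        if proto != "tcp":
            continue
        if flags == "S":
            pending.add((src, dst))            # handshake started
        elif "A" in flags:
            pending.discard((src, dst))        # handshake completed
    half_open = Counter(dst for _, dst in pending)
    targets = {d: n for d, n in half_open.items() if n >= syn_threshold}
    return {"spoofed": spoofed, "syn_flood_targets": targets}


if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    for line in result["spoofed"]:
        print("spoofed source on wan:", line)
    for host, n in result["syn_flood_targets"].items():
        print(f"possible SYN flood against {host}: {n} half-open connections")
```

On the sample, the two forged-source lines are reported and 10.10.1.20 is flagged with seven half-open handshakes, while the completed handshakes contribute nothing.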
virtualization virtualization is a technology that you can use to create virtual rep presentations of servers storage networks and other physical machines cloud cloud computing is the OnDemand availability of computer system resources especially data storage and computing power without direct active management by the user Honeypot a Honeypot is a cyber security mechanism that uses a manufactured attack Target to to lure cyber criminals away from legitimate targets they also gather intelligence about the identity methods and motivations of adversaries proxy server a proxy server is a system or router that provides a Gateway between users and the internet therefore it helps prevent cyber attackers from entering a private Network IPS IDs an intrusion detection system IDs is a security tool that monitors Network traffic for suspicious activity and alerts administrators when potential threats are detected it can be used to detect attacks assess the impact of security incidents and prevent data breaches IPS an intrusion prevention system IPS is a security tool that actively blocks malicious traffic in real time based on predefined rules or behavioral patterns it can be used to detect and prevent various types of attacks such as malware viruses and denial of service those attacks Wireless 82.1 one1 protocols 8001 X2 4 or five case 20 4080 106 Tims multi-user moo 24 GBP son 1801 on EK wave 25 J 20480 160 multi-user [Music] mumo 1.73 gbps2 80.1 on key wave 15 j8z 2040 18 H single user Su ammo 8667 MB 2000 1802.1 and 2.4 or 5 js20 14 hle user suo 450 MP3 802.1 1 82.4 jaas day a a a 54 MB site 2.1 on a FIV go and b2.1 and b2.1 onb 2.4 G20 mhds A1 MBP Legacy 800 2.12 and a24 20 mzn megabits per second basic network security Concepts 24 set up a secure Wireless Soho Network MAC address filtering encryption standards and protocols s Mac address filtering MAC address filtering is a security access control method whereby the MAC address assigned to each network interface 
controller is used to determine access to the network encryption standards and protocols AES the advanced encryption standard AES is the trusted standard algorithm used by the United States government as well as other organizations triple days triple D D is the successor to the original data encryption standard Dees algorithm created in response to hackers who figured out how to breach Des RSA is a public key encryption a symmetric algorithm and the standard for encrypting information transmitted via the Internet Blowfish is another algorithm that was designed to replace Dez this symmetric tool breaks messages into 64-bit blocks and encrypts them individually Sid what is the SSID for Wi-Fi Sid is an abbreviation for service set identifier which is an important identifier for wireless networks essentially an SID is the name assigned to a Wi-Fi network when a router is set up basic Network security Concepts 2.5 Implement secure access Technologies ACL firewall VPN NAC ACL Access Control list ACL is made up of rules that either allow access to a computer environment or deny it file system ACLS these work as filters managing access to directories or files a file system ACL gives the operating system instructions as to the users that are allowed to access the system as well as the privileges they are entitled to once they are inside networking aclas networking ACLS manage access to a network to do this they provide instructions to switches and routers as to the kinds of traffic that are allowed to interface with the network they also dictate what each user or device can do once they are inside firewall firewall is a network security device that monitors incoming and outgoing Network traffic and decides whether to allow or block specific traffic based on a defined set of security rules vpnvpn an arrangement whereby a secure apparently private network is achieved using encryption over a public network typically the internet Mac network access control meaning NSA ensures 
that only users who are are authenticated and devices that are authorized and compliant with security policies can enter the network endpoint security concept 3.1 describe operating system security Concepts windows maos and Linux security features including Windows Defender and host-based firewalls CLI and Powershell file and directory permissions privilege escalation Windows Mac and Linux OS Linux historically the most secure OS and more secure than Windows his is because the system has numerous built-in features to keep it secure including automatically assigning low user permissions maos a secure OS with great built-in security features all Mac systems built on the Apple One chip or with the Apple T2 security chip support activation lock just like your iPhone or iPad Windows a great operating system me but arguably less secure than the others Windows security continually scans for malware malicious software viruses and security threats Windows Defender Windows Defender is a good basic virus protection software but you may not find everything you want if you are extremely security focused host based firewall host based firewall need to be directly installed on individual computers although most consumer operating systems come with them built in for instance windows and maos systems already have firewall software allowing traffic filtering it's also an option to turn to thirdparty Providers CLI and Powershell Powershell is a task-based command line interface specifically designed for system admins and is based on the farmet framework CMD is the command line for the Microsoft Windows operating system with command-based features file and directory permission there are three permission types read write and execute read the capability to read contents this is expressed as either the number four or letter write the capability to write or modify this is expressed as either the number two or letter execute the capability to execute this is expressed as either the number 
one or letter X privilege escalation a privilege escalation attack is a Cyber attack designed to gain unauthorized privileged access into a system attackers exploit human behaviors design flaws or oversights in operating systems or web applications endpoint security concept 3.2 demonstrate familiarity with appropriate endpoint tools that gather security assessment information netstat ends look Lup TCP D net n slup and TCP dump the netstat command generates displays that show Network status and protocol statistics the N lookup command queries Internet domain name servers in two modes TCP dump is a packet analyzer that is launched from the command line it can be used to analyze Network traffic by intercepting and displaying packets that are being created or received by the computer it's running on endpoint security concept 33 verify that endpoint systems meet security policies and standards Hardware inventory asset management software inventory program deployment data backups Regulatory Compliance PCI DSS Hippa D2 bod device management data in encryption app distribution configuration management Hardware inventory asset management software inventory and program deployment Hardware inventory Asset Management a process of tracking and managing an organization's devices such as computers servers and mobile devices to ensure they are properly accounted for and secured software inventory a process of tracking and managing an organization's licenses and applications to ensure they are properly licensed and secure program deployment the process of installing and updating software applications across a company's Network to ensure they are upto-date and secure data backups Regulatory Compliance PCI DSS Hippa g a bio data backups the process of creating and storing copies of an organization's data to ensure it can be recovered in the event of data loss or a Cyber attack Regulatory Compliance the process of adhering to legal and regulatory requirements payment card industry 
data security standard pcss health insurance portability and accountability act hiaa General data protection regulation gdpr to ensure the security privacy of sensitive data bod the process of managing and securing personal devices used by employees to access an organization's Network including device management data encryption app distribution and configuration management endpoint security concept 344 Implement software and Hardware updates Windows update application updates device drivers firmware patching Windows update Windows update is a Microsoft service for the windows 9x and windows Nat families of the Microsoft Window Windows operating system which automates downloading and installing Microsoft Windows software updates over the internet application update application updates refers to the process of releasing new versions improvements or enhancing existing features of a digital application an application or application is a sort of software designed to perform precise functions for the end user or another application device drivers the device driver provides the the rest of the operating system with the software interface to a given device or device class firmware firmware is designed to be the interface between a computer's hardware and software it abstracts away many of the lowlevel hardware specific details of how the computer works making it easier to develop software and to run the same software on multiple systems patching anomalies patches are software an operating system or S updates that address security vulnerabilities within a program or product software vendors may choose to release updates to fix performance bugs as well as to provide enhanced security features endpoint security concept 3.5 interpret system logs Event Viewer audit log system and application log CIS log identification of anomalies Event Viewer Event Viewer is a tool in the Microsoft Windows operating system that provides a comprehensive log of system events to offer 
administrators the information required for system upkeep security and accountability audit logs audit logging is the process of documenting activity within the software systems used across your organization system and application logs application log records the progress of the execution of an application whereas the system log record system events CIS log CIS log is a protocol that computer systems use to send event data logs to a central for storage identification of anomalies anomaly detection also called outlier detection is the identification of unexpected events observations or items that differ significantly from the norm endpoint security concept 3.6 demonstrate familiarity with malware removal scanning systems reviewing scan logs malware remediation scanning system malware scan is the process of deep scanning the computer to prevent malware infection it is accomplished using an anti-malware software this process involves multiple tools and techniques to identify malware review scan logs antivirus logs contain stats about scanned objects the settings used for each task and a history of actions performed on individual files logs are recorded for realtime protection events antivirus database updates and more malware remediation it may be necessary or perhaps just easier to reimage or possibly replace the infected system s to ensure no remnants of the malware remain if those systems held critical data that was backed up already getting the data back onto the systems will be far easier and safer vulnerability assessment and risk management 4.1 explain vulnerability management vulnerability identification management and mitigation active and passive reconnaissance testing Port scanning automation vulnerability identification vulnerability identification process enables you to identify and understand weaknesses in your system underlying infrastructure support systems and major applications vulnerability mitigation it involves identifying potential 
vulnerabilities before they can be exploited and taking steps to reduce or eliminate the associated risk mitigation strategies can include things like implementing access controls using encryption and conducting regular vulnerability scans passive versus active reconnaissance passive reconnaissance is akin to reconnaissance through binoculars surveying the landscape without leaving a trace conversely active reconnaissance involves more direct interaction with the target albe it in a non-intrusive manner Port scanning the open port scanner checks if a specific port is open and accessible on a Target system for example if you want to see if a web server is reachable you would check if Port 80 HTP or Port 40043 https is open automation automated security testing is the process of scanning the application for vulnerabilities using automated tools this is important because it can help to prevent certain vulnerabilities from being exploited by hackers vulnerability assessment and risk management 4.2 use threat intelligence techniques to identify potential Network vulnerabilities uses and limitations of vulnerability databases industry standard tools used to assess vulnerabilities and make recommendations policies and reports common vulnerabilities and exposures CVS cyber security reports cyber security News subscription services and collective intelligence ad hoc and automated threat intelligence the importance of updating documentation and other forms of communication proactively before during during and after cyber security incidents how to secure share and update documentation vulnerability databases threat intelligence and cyber security reports vulnerability databases are useful in assessing and managing vulnerabilities but they also have limitations such as incomplete coverage delayed updates and false positives industry standard tools are used to assess vulnerabilities make recommend ations policies and reportes and reports including the common vulnerabilities and 
exposures CVS threat intelligence techniques are critical in identifying potential Network vulnerabilities by collecting analyzing and disseminating information about cyber threats and attacks to proactively identify and mitigate risks cyber security reports new subscription services and collective intelligence can provide valuable insights into emerging threats and trends ad hoc and automated threat intelligence are also useful in identifying potential Network vulnerabilities common vulnerabilities and exposures Keys common vulnerabilities and exposures and CVSs common vulnerability scoring system are two concepts in the field of cyber security kyv is a standardized identifier assigned to a specific vulnerability or exposure that has been publicly disclosed each cve entry includes a description of the vulnerability affected software and any known mitigations or workarounds cve enables consistent tracking and sharing of information about vulnerabilities across different systems and organizations cfss is a set of metrics such as exploitability impact and complexity it provides a standardized scoring system to help prioritize and communicate the severity of vulnerabilities to different stakeholders including security team system administrators and Business Leaders ad hoc at hoc refers to solutions that are developed specifically for a particular problem or task without considering broader applications for example ad hoc networks are created on the spot for a single session of communication between devices without the need for a central router or server proactive communication through documentation proactive communication through documentation and other forms of communication before during a and after cyber security incidents is critical to ensure that all stakeholders are informed and take appropriate action the security sharing sharing and updating of documentation are important to ensure that the information is accurate timely and relevant to the current threat 
landscape vulnerability assessment and risk management 4 three explain risk management vulnerability against risk ranking risks approaches to risk management risk mitigation strategies levels of risk low medium high extremely high risks associated with specific types of data and data classifications security assessments of its systems information security change management computer operations information assurance risk management risk management is the process of ident identifying assessing and prioritizing risks to a company's assets such as its information its systems or employees and implementing strategies to mitigate or manage those risks effectively vulnerability refers to a weakness or flaw in a system while risk is the potential for harm or loss associated with that vulnerability ranking risks involves evaluating the likelihood and impact of each risk to determine its priority and decide which ones to address first approaches to risk management include risk avoidance eliminating the risk altogether risk acceptance accepting the risk and its potential consequences risk transfer Shifting the risk to another party such as through insurance and risk mitigation reducing the likelihood or impact of the risk risk management ass settin risk mitigation strategies can include technical controls for example firewalls encryption administrative controls for example policies and procedures and physical controls for example access controls levels of risk can be classified as low medium high or extremely high based on the likelihood and impact of the risk the higher the risk level the greater the potential harm or loss associated with that risk risks associated with specific types of data and data classifications can vary depending on the sensitivity confidentiality and regulatory requirements of the data for example personally identifiable information pill or financial data may require more stringent security measures to protect them security assessments of its systems 
typically include evaluating various aspects of the system, such as information security (ensuring the confidentiality, integrity and availability of data), change management (ensuring changes are made in a controlled manner), computer operations (ensuring systems are operating as intended) and information assurance (ensuring the reliability and trustworthiness of information).

Disaster recovery and business continuity planning. Disaster recovery and business continuity planning are critical for organizations to ensure they can recover from unexpected events and continue to operate their business. Natural disasters, cyber attacks or human errors can disrupt an organization's operations, causing financial loss, damage to reputation and potentially shutting down the business altogether. Disaster recovery plans (DRP) and business continuity plans (BCP) are designed to minimize the impact of disruptions on an organization's critical systems and processes. DRP focuses on restoring IT systems and data after a disaster, while BCP aims to ensure essential business functions continue to operate during and after a disruption. Backup is a crucial component of disaster recovery and business continuity planning, ensuring that critical data and systems can be restored in case of a disaster or disruption. Regular backups are necessary to ensure data is up to date and accessible.

Incident Handling 5.1: Monitor security events and know when escalation is required. Role of SIEM and SOAR; monitoring network data to identify security incidents (packet captures, various log file entries, etc.); identifying suspicious events as they occur.

Role of SIEM and SOAR. Monitoring security events is crucial for detecting and preventing cyber attacks. Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) are tools used for this purpose. They help in collecting, analyzing and correlating security event data to identify potential security threats and respond to them in a timely manner. SIEM is primarily
focused on collecting, analyzing and correlating security event data from various sources within a company's network, such as log files, system events and network traffic. This information is then used to detect potential security threats and respond to them quickly. SOAR, on the other hand, goes beyond the capabilities of SIEM: it not only collects and analyzes security event data but also automates response actions and orchestrates incident response processes. SOAR integrates with various security tools and platforms, such as SIEM, threat intelligence feeds and Endpoint Detection and Response (EDR) solutions.

Monitoring network data to identify security incidents. Packet captures and log file analysis are essential components of network security monitoring, providing valuable insights into network traffic and system activities. By leveraging these techniques and integrating them with other monitoring tools and processes, organizations can effectively detect and respond to security incidents, safeguarding their assets and maintaining the integrity of their networks.

Identifying suspicious events as they occur.
Real-time monitoring tools: employ tools like IDS, IPS and SIEM systems to continuously monitor network traffic and system logs.
Alerting mechanisms: configure alerts to notify security teams immediately upon detecting suspicious events.
Behavioral analysis: use behavioral analysis to detect deviations from normal patterns of behavior, which may indicate potential security threats.
Anomaly detection: implement algorithms to identify abnormal activities in real time by analyzing historical data and establishing baseline behavior.
Integration with threat intelligence: integrate monitoring tools with threat intelligence feeds to stay informed about the latest threats and attack techniques.
Automated response: implement automated response mechanisms to mitigate threats in real time, such as blocking suspicious IP addresses or isolating compromised systems.
Continuous improvement: regularly review and refine
detection capabilities based on incident investigations and threat intelligence analysis to enhance accuracy and efficiency.

Incident Handling 5.2: Explain digital forensics and attack attribution processes. Cyber kill chain, MITRE ATT&CK matrix and Diamond model; tactics, techniques and procedures (TTPs); sources of evidence (artifacts); evidence handling (preserving digital evidence, chain of custody).

Cyber kill chain. A cyber attack, sometimes referred to as the cyber kill chain, is a way to comprehend an external assault on an organization's computer system. It helps the IT security team in forming defenses that can hold or neutralize the attack at various points. This model breaks down an external cyber attack into seven stages:
1. Reconnaissance: the intruder selects and researches a target, looking for vulnerabilities.
2. Weaponization: the intruder creates malware to exploit the vulnerability.
3. Delivery: the intruder sends malware through a phishing email or other means.
4. Exploitation: malware executes on the targeted system.
5. Installation: malware creates a back door accessible to the attacker.
6. Command and control: the intruder gains lasting access to the victim system.
7. Actions on objective: the intruder carries out goals like data theft or destruction.

MITRE ATT&CK framework. The MITRE ATT&CK framework focuses on a knowledge base containing tactics, techniques and procedures used by cyber adversaries, organized into an attack matrix, or ATT&CK matrix. This matrix is made up of 14 columns, and under each column there are varying numbers of rows: reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, impact. These headings indicate the tactics, or technical goals, that adversaries seek to achieve. They are presented in the general order of how attacks usually progress. MITRE's arrangement of these tactics was influenced by the latter stages of its seven-stage cyber
attack life cycle, which was modeled after the kill chain.

The Diamond model. The Diamond Model of Intrusion Analysis serves as a framework for depicting cyber attacks. It is composed of four key aspects: adversary, infrastructure, capability and target.
Adversary: this aspect answers questions like where the attackers are located, who they are, who supports them, why they are attacking, and the timeline and strategy of their activities.
Infrastructure: this includes details such as infected computers, command and control (C2) domain names, C2 server locations, types and structures, as well as the mechanism of C2 data management and control and paths for data leakage.
Capability: this part focuses on the abilities the attackers possess, including reconnaissance skills, methods of delivering attacks, exploitation of vulnerabilities, deployment of remote-controlled malware and backdoors, and tool development.
Target: this refers to the identification of the attack's focus, be it a particular country, region, industry sector, individual or specific data.

Tactics, techniques and procedures (TTPs) and sources of evidence. Tactics, techniques and procedures (TTPs): tactics refer to the overall strategic goals an attacker aims to achieve; techniques encompass the methods used to accomplish these tactics; procedures detail the specific step-by-step processes used within the techniques to achieve the end goal.

Sources of evidence (artifacts). In cyber security, artifacts refers to the digital evidence left behind after a cyber event or incident. These can include log files, registry entries, cached information and other residual data. Artifacts are vital for forensic analysis, as they help investigators understand what occurred during an incident and how it happened.

Evidence handling: preserving digital evidence, chain of custody. Preserving digital evidence entails ensuring that electronic evidence remains unchanged from the time it is collected until the time it is used, maintaining its integrity. Chain of
custody refers to the documented process that records the handling of evidence from collection through analysis and finally to presentation in court. Proper evidence handling is critical in legal proceedings, as it ensures that the evidence is reliable and admissible, protecting against possible tampering or mishandling.

Incident Handling 5.3: Explain the impact of compliance frameworks on incident handling. Compliance frameworks (GDPR, HIPAA, PCI DSS, FISMA); reporting and notification requirements.

GDPR and reporting and notification requirements. What is GDPR in simple terms? GDPR is an acronym for the General Data Protection Regulation and is a piece of European legislation that protects personal information. It outlines several requirements businesses must follow to process that data legally.

Notification example: GDPR Article 33, notification of a personal data breach to the supervisory authority. 1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 2. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

HIPAA. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.

PCI DSS. The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data.

FERPA and FISMA. FERPA (Family Educational Rights and Privacy Act) is a US federal law that protects the privacy of student education records. It gives parents
and eligible students certain rights, such as the right to review and request changes to their education records, and requires schools to obtain written consent before disclosing personally identifiable information from those records. FISMA (Federal Information Security Modernization Act) is another US federal law that requires federal agencies to implement and maintain a comprehensive cyber security program to protect their information and information systems. It establishes a framework for managing and protecting federal information and requires agencies to conduct regular risk assessments and audits of their cyber security programs.

Incident Handling 5.4: Describe the elements of cyber security incident response. Policy, plan and procedure elements; incident response life cycle stages (NIST Special Publication 800-61, sections 2.3 and 3.1 to 3.3.4).

NIST Special Publication 800-61, 2.3: Incident response policy, plan and procedure creation. This section discusses policies, plans and procedures related to incident response, with an emphasis on interactions with outside parties. 3.1 Preparation; 3.2 Detection and analysis; 3.3 Containment, eradication and recovery; 3.3.4 Eradication and recovery.

3.1 Preparation. Incident response methodologies typically emphasize preparation: not only establishing an incident response capability so that the organization is ready to respond to incidents, but also preventing incidents by ensuring that systems, networks and applications are sufficiently secure. Although the incident response team is not typically responsible for incident prevention, it is fundamental to the success of incident response programs. This section provides basic advice on preparing to handle incidents and on preventing incidents.

3.2 Detection and analysis. The detection and analysis phase is where the action begins to happen in our incident response process. In this phase we will detect the occurrence of an issue and decide whether or not it is actually an incident, so that we can respond to it
appropriately.

3.3 Containment, eradication and recovery. Containment is important before an incident overwhelms resources or increases damage. Most incidents require containment, so that is an important consideration early in the course of handling each incident. Containment provides time for developing a tailored remediation strategy. An essential part of containment is decision-making (for example, shut down a system, disconnect it from a network, disable certain functions). Such decisions are much easier to make if there are predetermined strategies and procedures for containing the incident. Organizations should define acceptable risks in dealing with incidents and develop strategies accordingly.

After an incident has been contained, eradication may be necessary to eliminate components of the incident, such as deleting malware and disabling breached user accounts, as well as identifying and mitigating all vulnerabilities that were exploited. During eradication, it is important to identify all affected hosts within the organization so that they can be remediated. For some incidents, eradication is either not necessary or is performed during recovery.

In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally and, if applicable, remediate vulnerabilities to prevent similar incidents. Recovery may involve such actions as restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords and tightening network perimeter security (for example, firewall rulesets and boundary router access control lists). Higher levels of system logging or network monitoring are often part of the recovery process: once a resource is successfully attacked, it is often attacked again, or other resources within the organization are attacked similarly.

3.3.4 Eradication and recovery. Eradication and recovery should be done in a phased approach so that remediation steps
are prioritized. For large-scale incidents, recovery may take months. The intent of the early phases should be to increase the overall security with relatively quick (days to weeks), high-value changes to prevent future incidents. The later phases should focus on longer-term changes (for example, infrastructure changes) and ongoing work to keep the enterprise as secure as possible. Because eradication and recovery actions are typically OS- or application-specific, detailed recommendations and advice regarding them are outside the scope of this document.
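The anomaly-detection idea from section 5.1 (learn baseline behavior from historical log data, then alert on deviations) is also what the heightened logging recommended during recovery feeds into. The following is an added example, not course material: it counts failed sshd logins per source IP over constructed syslog-style lines, learns a baseline from earlier windows, and flags sources that deviate from it. The log lines, IP addresses, user names and the sigma/floor thresholds are all assumptions chosen for illustration.

```python
import re
import statistics
from collections import Counter

# sshd-style failed-login record: captures the user and the source IP.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3})")


def mk(ip, user, n, hour, ok=False):
    """Return n constructed syslog-like sshd lines for one source (sample data only)."""
    word = "Accepted" if ok else "Failed"
    return [f"Jan 10 {hour:02d}:{i:02d}:00 bastion sshd[4242]: {word} password for "
            f"{user} from {ip} port {40000 + i} ssh2" for i in range(n)]


# Historical windows used to learn normal behaviour (constructed, not real traffic).
BASELINE_WINDOWS = [
    mk("10.0.0.5", "alice", 2, 8) + mk("10.0.0.9", "bob", 1, 8) + mk("10.0.0.5", "alice", 1, 8, ok=True),
    mk("10.0.0.5", "alice", 1, 9) + mk("10.0.0.9", "bob", 2, 9),
]
# Window under review: a known host spikes and an unknown host appears (constructed).
CURRENT_WINDOW = (mk("10.0.0.5", "alice", 2, 10) + mk("10.0.0.9", "bob", 7, 10)
                  + mk("203.0.113.7", "admin", 6, 10))


def failures_by_source(lines):
    """Count failed logins per source IP; successful logins are ignored."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def build_baseline(windows):
    """Learn typical per-source failures per window from historical data.
    Returns (mean, population stdev, set of sources seen in the baseline)."""
    observations, known = [], set()
    for window in windows:
        counts = failures_by_source(window)
        observations.extend(counts.values())
        known.update(counts)
    mean = statistics.mean(observations) if observations else 0.0
    stdev = statistics.pstdev(observations) if len(observations) > 1 else 0.0
    return mean, stdev, known


def detect_anomalies(current, baseline, sigma=3.0, floor=5):
    """Flag sources above mean + sigma*stdev. The absolute floor keeps a very quiet
    baseline from turning one extra failure into an alert; unseen sources are labelled."""
    mean, stdev, known = baseline
    threshold = max(floor, mean + sigma * stdev)
    alerts = []
    for src, n in failures_by_source(current).items():
        if n >= threshold:
            alerts.append((src, n, "spike" if src in known else "new source"))
    return sorted(alerts)
```

Calling `detect_anomalies(CURRENT_WINDOW, build_baseline(BASELINE_WINDOWS))` returns the two sources worth escalating, each with its count and a reason the analyst can act on, while the host that stays within its normal failure rate produces no alert.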