CompTIA Security+ SY0-601 - Objectives Notes

Queste sono le mie personali note prese durante lo studio per la CompTIA Security+. Sono quasi interamente definizioni e domande di pratica per testare la comprensione di alcuni termini e fare in modo ricordare anche i più complessi.

La maggior parte degli appunti sono stati presi guardando i video della CompTIA Security+ SY0-601 Training Course del Professor Messer. Lo ringrazio infinitamente per avermi aiutato a prendere questa certificazione. Spero che questi miei appunti ti siano utili.

Navigazione:

Per capitolo (codici 1.0, 1.1)
Per Titolo:
- 1.0 Threats, Attacks and Vulnerabilities
- 2.0 Architecture and Design
- 3.0 Implementation
- 4.0 Operations and Incident Response
- 5.0 Governance, Risk and Compliance

Qui una lista completa degli objectives.

1.0 - Threats, Attacks and Vulnerabilities

1.1 Terminology

Phishing
Social engineering combined with Spoofing.
- Delivered by email.
- Something not quite right.
Look the domain name, it could fool you.
✅ Pharming: Redirection of a legit website ro a bogus one. Harvest lagre groups of people.
Impersonation
Starts with a lie that set the scenario. There’s an actor and a story.
Attackers pretend to be someone they aren’t
It’s done to:
- Extracting informations
- identity fraud
To protect yourself:
Dumpster Diving
a way to gather information from someone in a silent way.
in a word, it is osint.
to protect you have to secure all you garbage documents.
Shoulder surfing
someone looking your screen behind you
Hoaxes (Uomini e Donne)
a situation that’s not real but seems like it could be.
Watering Hole Attacks
Third party where they want you to come in to infect you.
They search for vulnerabilities in the site they want to use as the Watering Hole.
To prevent it use layered defense
How to Avoid Spam?
Teach your Company and automatize the process of email filtering
Influencing Process consists in…
Social Engeneering
Tailgating
Someone that gains access with your credentials, for example someone you keep the door open for

1.2

Viruses and Worms

Name at least 5 types of malware
Differences between viruses and worms
Viruses requires human beings to start the process of replication
Worms don’t
Virus Types
Fileless Viruses
Never saves himself, it operates solely in the memory without writing the disk
Name a Famous 2017 Worm
WannaCry Ransomware

Ransomware and Crypto-malware

Features of Crypto-Malware
How to be protected against Ransomware

Trojan and RATs

Trojan
Software that pretends to be something else. You have to manually install it
What is a PUP? (potentially…)
Potentially Unwanted Program
Most common way to maintain access?
Backdoors
RAT stands for …
Remote Access Trojan
What can a RAT do?

Rootkit

What does a Rootkit do?
It modifies kernel parts and core system files. So it becomes invisible to anti-virus and a part of the OS itself.
How could an attacker combine a malware and a rootkit?
Using the rootkit to block the possibility of deleting the malware and terminates its processes

Spyware

How not to remove adware
Using adware affiliate ‘software uninstaller’. use antivirus or the prompt to remove them properly
What does a Spyware tries to do?

Bots and BotNets

Botnets
How to spot them
Monitor the network. Prevent for C&C (command and control) and block it at the firewall
How to prevent them
Prevent for C&C (command and control) and block it at the firewall

Logic Bombs

What is a Logic Bomb
A malicious piece of software that activates himself in a determined time or in other peculiar situations
How to spot a Logic Bomb
You can’t

Password Attacks

Spring
Makes around 3 tries for account
What’s more effective than Brute Force if you have the hash?
Rainbow Table Attacks
How to prevent Tables Attacks?
Adding Salt

Physical Attacks

Malicious USB cable
Just put something malicious on a cable
Malicious Flash drive
What does Skimming means?

Adversarial Artificial intelligence

Tell me one downside of Machine learning
Requires a lot of training data

Supply Chain Attacks

What does a supply chain is made of?
How does someone gain access thanks to Supply Chains?
People trust his supplies. If someone can get into you network and in the inside you ain’t got any protection (internal pentesting), your network is f**d up.
How to avoid it?
Put internal protections. Separate networks.

On-Premises vs Cloud Based Attacks

Upsides and Downsides of the on-premises Security
Upsides and Downsides of the Cloud Based choice

Cryptographic Attacks

Are hash digests supposed to be unique?
yes. do not let them collide
What is a Downgrade Attack

1.3

Privilege escalation

How can a normal user gain root access in a network?
Through privilege escalation, which is done by exploiting vulnerabilities.
This are the most important to patch. Do you remember how to mitigate it?

Cross-Site Scripting (XSS)

XSS
Non persistent (reflected) XSS process
Usually takes advantage of the search box or any user input
Persistent (stored) XSS
Everyone who accesses a malicious page runs a script
Subaru Hacked
Protect against XSS

Injection Attack

In what an injection attack consists of?
You basically add some informations into a data stream.
The most known protocols where we can inject data?
HTML, SQL, LDAP, XML …
SQL Injection
You modify an SQL request and gain access to the database
The shorter SQL Injection?
or ‘1’ = ‘1
XML Injection
You can modify XML Requests, and if they’re not validated you could do some serious damage
XML stands for Extensible Markup Language: a set of rules for data transfer and storage
LDAP stands for
Lightweight Directory Access Protocol
LDAP Injection
You modify the request to manipulate the results
DLL stand for
Dynamic Link Library
The 4 steps of a DLL Injection
1. A Malicious ‘process B’ attaches himself into ‘Process A’
2. Process B allocates some memory into Process A for the DLL library
3. Copies the DLL into Process A
4. Process A runs the DLL as part of himself
Why the last step is genius?
Because Process A could have more right and permissions than a malicious process B

Buffer Overflow

In what this attack consists?
Overwriting a buffer of memory.
Spilling over into other memory areas
What is a really useful Buffer Overflow?
One that the attacker can control and that doesn’t cause issues to the system

Replay Attacks

Replay Attack
You use the data of someone else and replay them to be him in the network
Hackers will take thin informations through Network tap, ARP Poisoning, a malware in your pc…
If the hacker gains access to the Network he could take some serious useful informations…
Pass the Hash principle
The attacker redirects Hash of username and password to himself and gains access to the server
How to prevent this types of attacks
Using encrypted tunneling like SSL or TLS
Salt the encryption
How can a cookie f**k you?
If the cookie stores the session ID someone who has access to that cookie could login in your session.
Ways an attacker could perform some sort of Replay Attack and useful tools

Request Forgeries

Cross site request explain
Cross site request forgery Acronym
XSRF
It’s also called one-click attack, it takes advantages of the trust that a web application has for the user
How to Prevent a one-click attack?
The application should have some sort of anti-forgery technique
Usually it’s used a cryptographic token to prevent forgery
What is a SSRF
Server site request forgery
The attacker will find a vulnerability in a web server and than send some sort of script
Capital One Attack

Driver Manipulation

Why is a driver a potential security issue if manipulated?
Because it has a very powerful interaction with the operative system, and because it often is trusted by the OS
What is a Shimmer?
Something that stays in the middle. usually something that fills gaps
In IT, what is a Shimmer?
In what ‘Malware refactoring’ consists?
It consists in a metamorphic version of some existing malware. This version could not match the AntiVirus Standard and could not be blocked
What could an hacker refactor?

SSL Stripping

In what an HTTP downgrade consists?
It consist in an attack where the hacker wants to see what’s in a Stream Flow. It uses ARP spoofing or a rogue access point, or somewhere like that.
You can see it’s a SSL stripping or HTTP downgrade because the page that normally would have been encrypted it’s not. (the term stripping means that the SSL protocol is stripped away)
Acronym SSL (… socket …)
Secure Socket Layers

Race Conditions

Consists in
Taking advantage of simultaneous events to alterate normal flow of a website

Other Application Attacks

Memory Vulnerabilities, 1 upside 1 downside
If you can write to the memory you have almost complete control over a system but at the same time is really difficult to find a memory vulnerability.
NULL Pointer Dereference
If an hacker can send the pointer to a NULL section it can cause a Denial of Service
Overflow Attacks
If you put something in the memory and causes an overflow you can actually manipulate memory in your advantage: you write into sections of memory that were intended not to be written in.
What is a Directory traversal
There are some vulnerabilities that can cause an attacker to move outside of the scope and access files in a server.
API Attack
Application program …
- API stand for
  Application Program Interface
An attacker would try to find vulnerabilities in the communication Path between the API communication path, that is very similar to the http GET one, except that the majority of the time API protocols are used in mobile applications
Resource Exhaustion
Any attack that causes a Denial of Service through the resource exhaustion.
An example is a zip bomb: compressed 4.2kB of data, if you try to open it becomes 4.5 PetaBytes that’ll exhaust your pc
DHCP Starvation

1.4

Wireless Common Attacks

BlueJacking
BlueSnarfing
Rogue AP
Evil Twin

Wireless Disassociation Attack

Wireless deauthentication
a Wireless DoS attack. The attacker forces you to disconnect from the Network
How does this attack works?
You send ACKS to denial of service. aireplay-ng

Wireless Jamming Attack

RF Jamming
Stands for Radio Frequency Jamming
The goal is to decrease the Signal to noise Ratio. It could happen even by turning on a Microwave
Wireless Jamming Attack
The attacker could send costant random bits in the same frequency of the Access Point (AP) and cause a DoS

RFID and NFC Attacks

RFID
Radio Frequency Identification
NFC (near…)
Near Field Communication
NFC Security concerns

Randomization of Cryptography

nonce
a pseudo-randomized number (for the nonce - per l’occasione
Initialization Vector (IV)
Salt used in WEP
Salt
Added to the password and then encrypted to differentiate hashes even for accounts with the same passwords

On-Path Attack

What is Spoofing
What’s APR and how it’s done
ARP Poisoning Routing
On-Path Browser Attack
Malware. It provides an on-path attack and let the attacker see all the data unencrypted.
If you just login into your bank the malware registers the credentials and sends them

MAC flooding and Cloning

MAC flooding
The attacker sends lots of MAC addresses to the switch, that fills up the MAC table and doesn’t know where to send datas anymore, so it forwards all the traffic in broadcast like an hub
MAC Cloning
Modify Source MAC address to match someone else’s

DNS Poisoning

DNS Spoofing / poisoning
If an attacker gets access to a DNS Server he could change the IP where a particular URL is related. That IP contains something malicious
What is most common than DNS Spoofing
Domain Hijacking
That an attacker gets access to the domain registration, so he can change everything without having actual physical access to the server
URL Hijacking
Domain Reputation

Denial of Service

DDoS
Distributed Denial of Service Attacks performed by BotNets
DDoS amplification

Malicious Scripts

Automated Attacks
- The script is as fast as the computer
- No typing or delays
- No human error
- Automate the attack
- The hacker is on borrowed time

1.5

Difference between threat actors and Attack Vectors and Attack Surface

Attack Vectors Examples

if the attacker has physical access
- Keyloggers
- Reset of the administrator password
- Connect USB and copy data
- Cause DoS by breaking something
Wireless Vectors
- It’s better to change default password from the router
- You can’t allow Rogue Access Points
- Especially Evil Twins
Email Vectors
- Phishing attacks
- Deliver the malware to the user
- Attach it to the message
- Social engineering attacks
- Invoice scam
Supply Chain Vectors
- Be secure by third parties
Cloud Based vectors
Publicly-facing applications and services Mistakes are made all the time Security misconfigurations Data permissions and public data stores Brute force attacks -Or phish the users of the cloud service Make the cloud build new application instances Denial of service Disable the cloud services for everyone

Threats Intelligence

Automated indicator sharing
Intelligence industry needs a standard way to share important threat data • Share information freely
Structured Threat Information eXpression (STIX)
- Describes cyber threat information
- Includes motivations, abilities, capabilities, and response information
Trusted Automated eXchange of Indicator Information (TAXII)
Securely shares STIX data
Indicators of Threats
Unusual amount of network activity Change to file hash values Irregular international traffic Changes to DNS data Uncommon login patterns Spikes of read requests to certain files

Threats Research

Governative Databases
National Vulnerability Database (https://nvd.nist.gov) CVE Data Feeds (https://cve.mitre.org)
RFC (request …)
Request for comments
RFC 3833 Threat Analysis of the Domain Name System -RFC 7624 Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement

1.6

Vulnerability Attacks

What are 0-day attacks
Unsecured root accounts
Error messages
Weak encryption
Insecure Protocols
Default Settings
Open Ports and services
Not up to date softwares

Third Party Risks

Supply Chain Risk

Vulnerability Impacts

Identity Theft
Billions of dollars
Financial Loss
Reputation Impact
Availability Loss

1.7

Threat Hunting

Threat hunt
Intelligence fusion
Data Fusion
Automation of cybersecurity process

Vulnerability Scans

Scans
We have to collect as much datas as possibile to find any possible vulnerability.
example: look at the terminal and tell me a possible vuln of 192.168.1.1
What Scan Types you know?
We could use powerful scanners to identify vulns or we could:
Scan log review
What do we mean by false positives and how we handle them

SIEM

What is a SIEM?
It stands for Security Information and Event Management
It’s a place where we store Logs aggregations and storage in long term
How do you make every device store logs in the same way?
Using the standard syslog format.
Usually it’s integrated into the SIEM
What to store in a SIEM
Data inputs Server authentication attempts VPN connections Firewall session logs Denied outbound traffic flows Network utilizations Packet captures Network packets Often associated with a critical alert Some organizations capture everything

2.0 - Architecture and Design

2.1 - Explain the importance of security concepts in an enterprise environment

What’s a network diagram?
a documentation of wires and devices
What’s baseline configuration and what do we mean by integrity measurement checks?
documentation of the environment to properly secure it
integrity measurement checks need to be updated often
How do you create standard naming conventions?
By standardizing names and making conventions easy to understand by anyone
example for a device
Why do we need an IP schema?
it’a standardization for network devices who need an IP.
we need it for organizational purposes

How does stored data is affected by data suvreignty?
data sovreignty indicates the laws and the regulations. Local Law could affect where data can be stored and how.
GDPR is the General Data Protection Regulation in the EU
What do we apply to data to protect PII?
Personal identification information could be protected by data masking or data obfuscation
Where could data at rest stored? How do we protect it?
SSDs, HDDs, flash drives etc… we protect it by providing encryption
How do we provide encryption to data in transit?
through transport encryption, maybe using protocols like TLS or IPSec
Why attackers could prefer attacking data in use?
data in processing is probably in plain text
What do we mean by tokenization
we use tokens to replace sensitive data with a non-sensitive placeholder
What’s IRM? What’s is purpose?
Information Rights management. We need it to control how data is used and to restrict access o unauthorized users. The purpose is to limit the attacker.
How could we define DLP?
Series of rules and systems to prevent data loss

Geographical considerations
What’s the most important thing we do to limit the impact of an attack?
A response and recovery control plan, where we define how to identify and contain an attack
What’s SSL and TLS inspection based on?
It’s based on trust. like the trusted CA list in our browser.
Why might we need TLS proxy?
To add a security layer. Also anything that’s going inside can be decrypted, analyzed and then send to the hosts in the network.
What does APIs do? We need to do some considerations about security?
Application program interface is used to communicate and control applications. We have to ensure that security is provided not only for the user but also for the application, in a way that attacker could not interfere with API messages
What’s WAF?
Web Application Firewall, filters API commuinication

Why is site resiliency necessary?
Becouse as an incident could occour at any time, having backups and sites where sensitive data is stored to provide redundancy is crucial.
What’s the difference between hot-site, cold-site and warm-site?
Hot-site: a place where you keeps an exact replica of your data that is constantly updated
Cold-site: empty building that you own
warm-site: Is usually a location that has racks ready and waiting
Difference between honeypots and honeyfiles
an honeypot is a part of the network set up as virtual trap to bait attackers and block them from accessing the real network. honeyfile is just a file ex: passwords.txt
What do we mean by fake telemetry
With machine learning computers are able to identify malicious code in a big chunk of data. fake telemetry is a tecnique used by attackers to trick the AI by using their own machine learning software and ensure that their code will not be identified by the software
What’s a DNS sinkhole?
A malicious attack where the DNS request from a host is responded with invalid or incorrect IP address to redirect us to an external server or to a malicious server.

2.2 - Cloud / Infrastructure as a code

https://www.youtube.com/watch?v=QNoQCZdWEOE&list=PLG49S3nxzAnkL2ulFS3132mOVKuzzBxA8&index=68

https://www.youtube.com/watch?v=GIgp6BGr4C8&list=PLG49S3nxzAnkL2ulFS3132mOVKuzzBxA8&index=69

2.3 - Summarize secure application development, deployment, and automation concepts

Why is sandboxing useful in secure deployments
Sandboxing provides an isolated testing environment with no connection to the production system etc
In the environment of secure development there are some stages that involves Testing, Staging, Production and QA. What does the last of this listed stages consists on?
Quality Assurance consists on verifying that anything works as intended
Staging?
It’s the final test of the data, and the last chance to test the application before it goes to production
Why for any application is good to have a security baseline?
To ensure security is provided as soon the application is deployed, and to review every instance in detail when software updates are made
Why is orchestration the key to cloud computing?
‘Cause provisioning and deprovisioning is made almost istantaneous thanks to automation. Orchestration is also moving things around to your needs.

When talking about Secure coding techniques, what does server-side vs client-side execution\validation stand for?
How could memory management be a security concern?
If you’re not mindful of how memory is used, without input validation the data could overflow to the crash of the app or worse. Always make sure your data matches the buffer sizes
Why SDKs could be a security concern?
Software development kits could contain programming lenguage that does almost all the work but still it’s application code written by someone else so it might not be as secure.
How does an application could risk Data exposure?
By not encrypting data when stored or by displaying informations on the screen
How we call it when an application binary is different for one machine to another, but has the same functionalities.
Software diversity

How can we have a set of automated responses

https://www.youtube.com/watch?v=f4ciE3zjKe4&list=PLG49S3nxzAnkL2ulFS3132mOVKuzzBxA8&index=75

2.4 - Summarize authentication and authorization design concepts

Auth-methods

biometrics

MFA

2.5 - Given a scenario, implement cybersecurity resilience

How do we call when you provide redundancy between multiple geographical areas
Geographic dispersal
What’s multi-path I/O and how it differs from RAID
continue

2.6 - Explain the security implications of embedded and specialized systems

Generally, what are embedded systems?
Very specific devices with a purpose that perform a function, like trffic lighters or wearables
If you think of a SoC embedded system, what three programmable devices come in your mind?
RPi
FPGA Field programmable gate array
Arduino
How would you use a SCADA?
I would use a Supervisory control and Data Acquisition System (like a multi-site Indutrial control System) to monitor my company embedded systems (like power generators, manifacturing equipment, logistics, …) and have distributed control that grants real time informations and system control.
You wouldn’t want to connect this to any external networks.
What’s the number $1^1$ concern about IoT devices?
They’re embedded systems connected to your network, and may not be secured well (weak default credentials, store personal data…)
What type of specialized embedded systems would you find in medical syst, vehicles, aircrafts and sensors watching our utility use? just imagine and find problems with each of those, especially if compromised

Difference between VoIP and POTS
Voice over IP uses internet communication systems whereas Plain old Telephone service used analog phone lines
HVAC stands for?
Heating, Ventilation and Air Conditioning. They provide availability expecially in large and fragile data centers
What type of license would you need to fly a Drone?
a federal license
How sophisticated is usually an MFD?
A multifunction device is usually very sophisticated and use complex firmwares, as they integrates multiple services in a device (ex: scanner and printer in a MF Printer)
What’s the main feature of a RTOS?
Real time operating system uses processes based on deterministic procedures, they also are sensitive to security issues and always need to be available.

What’s the connection speed over 5G?
up to 10gigabits per second, with real performance between 100-900 Mbit/s
How the 5G impacts the IoT world?
For the bandwidth and the more processing functionalities thanks to the speed
What’s a Subscriber identity module card? what’s is purpose? what’s International Mobile Subscriber Identity?
SIM, to connect the IoT device to wireless network providers. An unique number to identify the user (Authentication)
Difference between Narrow-band and baseband radio. Where do we find those?
Narrowband means longer distance and slower speed, where basebands use a single frequency to communicate (narrow use a more large variety of frequencies)
We find narrowbands where there is SCADA equipment or sensors where there is an oil field
Name the Zigbee standard and what ISM bands it uses
IEEE 802.15.4 PersonalAreaNetwork(PAN) to make the IoT devices communicate and It uses frequencies 900MHz and 2.4GHz in the US

Constrains like power source, compute power, network connectability, cryptographic obfuscation, inability to patch, no authentication of use, contained functionalities (often single function), low cost, no direct access to system or software.

3.0 - Implementation

3.1 - Given a scenario, implement secure protocols

3.2 - Given a scenario, implement host or applications security solutions

What does EDR has changed when attackers learned how to fool signature-based AV solutions?
Endpoint Detection and Rejection started to monitor behaviors of the machine, thanks to process monitoring, Machine learning and behavioral analysis
Why is DLP sometimes a very challenging solution to implement?
Data loss prevention often requires multiple solution to implement, becouse the sources and the destination of the data we want to protect are so many.
NGFW main features?
Next Generation firewall are network layer security implementation, often called as Application Layer Gateway, Stateful multilayer inspection or Deep Packet Inspection.
A NGFW has multiple features for security, such as malware and attacks detection of the upcoming packets through decryption, inspection and re-encryption
Is Host Based FW hardware or software? where does it run?
Host Based Firewall is a software solution that runs in every endpoint device. If you’re in a corporate network, you would manage them in a centralized way
What’s HIDS?
Host Based Intrusion Detection System.
How HIPS differs from HIDS?
HIDS uses log files to detect attacks, whereas Host Based Intrusion Prevention System stops the attack before it starts. It often is built in the application

What are the 3 different part of booting a system, regarding to security chain of trust? How could the boot sector be infected?
Secure boot, trusted boot and measured boot. Through rootkits (kernel level malwares)
How is Hardware Root of Trust is achieved?
Through Hardware Security Module and Trusted Security Module. In particular the TPM helps with cryptogragraphic processes.
How does the TPM protects the unique keys burnt into the chip?
There is some kind of dictionary attack protection
The Software Root of trust is achieved through?
Through UEFI BIOS secure boot. Secure boot means checking the integrity of the bootloader thanks to a digital certificate

How does the Unified Extensible Firmware Interface trusts updates to the Firmware?
BIO includes the manufacturer’s public key Digital signature is checked during a BIOS update BIOS prevents unauthorized writes to the flash
What comes after a UEFI Secure Boot ?
A phase called Trusted Boot.
Here the OS kernel is checked for manomissions and then the Kernel itself will verify other startup components.
What’s ELAM?
Early Launch Anti Malware
It will check every driver’s integrity and won’t load automatically the drivers who failed the test
What happens during Measured Boot?
Only happens if there’s a centralized control over multiple hosts
Hashes of drivers and firmware are stored into the TPM of each single endpoint, then encrypted and send to the Attestation Center for identification of any unexpected change.
What’s called the process of sending hashes from the TPM to the Attestation center?
Boot Attestation

How would you manage sensitive and temporary informations such as Credit Card numbers?
Through tokenization, in a way that the data isn’t even stored in the database
Salting and Hashing?

What function serves the QA team during the development of an application?
The quality assurance team tests if the application is secure
What’s the process of normalization?
Some sort of input validation, with cecks and corrections.
Why is fuzzing a type of dynamic analysis?
Fuzzing is sending test inputs, often random
Name a security concern with cookies?
If they contain sensitive informations and someone gets access to them. Cookies are not designed to store personal informations.
How does HTTP header prevent XSS attacks?
Headers are like an allow list, as they communicate with the browser sending instructions.
What authority involves Code Signing?
Certificate Authority to sign the code and provide integrity
What’s SAST and what’s an issue correlated to their processes?
Static Application Security Testing is automated code analysis and an issue could be false positives

Why would you backup registry?
Registry is a database of rules and settings. If you change critical informations you would want to roll back;
Difference between SED and FDE.
Self encrypting drive uses opal standard to encrypt informations. FDE totally encrypts a chosen drive.

3.3 - Given a scenario, implement secure network designs

When we say active / active we’re referring to __.
Servers
Round robin is a particular algorithm used to meet _______ necessities of the load balancer.
scheduling
Session persistence to review

What type of segmentation is being used if there’s an air gap?
Physical segmentation.
Other types of segmentation are logical (VLANs) and virtual.
The incoming connections to your network apps are being redirected from the firewall to a network designed to be separated from your actual internal network. What is this area of your network called?
It’s a demilitarized zone (DMZ) or screened subnet.
What’s the difference between extranet and intranet?
An extranet is some sort of DMZ that requires additional authentication, whereas the intranet is a particular area of our network that is accessible only from the inside (you being on the VLAN or connected to it through a VPN)
Explain the concept of East-West traffic and South-North traffic.
In a network environment like a data center, EW traffic refers to the operations between local devices in the same data center(so it has fast responces), SN traffic instaed refers to inbound and outbound traffic, that usually has more security put in place as the outbount connections are mostly untrusted.

What’s a VPN concentrator?
What protocol grants tunneling functions?
L2TP Layer 2 tunneling protocol
What two protocols comprehend IPSec?
AH: authenticated header. Used only during tunnel mode
ESP: encapsulated security payload used turing tunneling mode and transport mode
During transport mode the header is sent over the clear
Difference in the data path of Split vs Full tunnel in VPN.
During Split Tunnel the data is sent over the tunnel only when communicating with the internal network connected to the VPN, while using normal communication for connecting with other servers.
In Full tunnel The VPN concentrator is necessary, becouse it sends the data to the destination, whatever it might be.

Do some sort of broadcast storm control exists? Where can we find it?
Yes, on switches
How do loop prevention was implemented in 1990
With the Spanning Tree Protocol (STP)
Explain BPDU guard and why we use it.
To prevent loops the STP uses learning states and quite few time to determine if there are more switches being attached. If you set a port to be able only to listen traffic from devices that are not switches, you are limiting the STP work and using what Cisco calls ‘PortFast’.
The Bridge Protocol Data Unit guard shuts off the interface if a switch is attached to it.
Where could you encounter DHCP snooping? What’s its purpose?
DHCP snooping is the concept of monitoring a switch for preventing and real-time searching for unauthorized DHCP servers to be connected to the network. so DHCP snooping is some sort of protocol analyzer (most of the time default software in the switch) on a layer 2 device.
Why would we use Media Access Control Filtering?
You would use MAC filtering to control that only authorized MAC addresses can be connected to the network, the problem with this is that there is no security in level 2 that prevents MAC addresses to be spoofed and impersonated, so MAC filtering is more of an administrative tool than a security guard.

What’s a sinkhole address?
DNS can prevent end users to address known dangerous sites. A sinkhole address is the address we’re redirected to.
Out of band management REVIEW
What’s QoS?
Quality of Service, it refers to the quality we need to perform. We call the process of prioritizing some services over others “Prioritization”
Port taps are a security concern. How do they work?
Port taps sit in the middle of links and capture a copy of network traffic. They could be physical or sofware based.
A Port mirroring software in a Cisco switch would be called __
SPAN or Switched Port ANalyzer
What would be the benefits of using a Monitoring service for your network?
Organizations that provide Monitoring Service 24/7 for networks usually provide a staff of cybersecurity experts at a Security Operations Center (SoC).
They do constant monitoring and patching, they can respond to threats faster and they can also ensure your legal compliances like HIPAA, PCI DSS.
If you have some files that sould never change, how would you identify when changes occur?
through monitors of the file integrity (FIMonitoring tecnique)
like SFC (System File Checker) for Windows or Tripwire of Linux.

What’s WAF? Why is it needed when complying with PCI DSS?
Web application Firewall. It filters the web traffic for your web based applications.
PCI DSS is the payment card industry data security standard, and it applies to your website if you accept card payments. In this standars of rules there’s also the need of a WAF.
Name the main difference between traditional firelwalls and NGFW in traffic filtering.
Traditional firewalls filter traffic through port number, NGFW through the application being used and through traffic monitoring
What’s the difference between stateless and stateful firewalls?
Stateless FW do not keep track of traffic flows, and only specific rules are applied to traffic. They are now almost deprecated.
Stateful FW keep track of traffic flow through the creation of a session table, whenever a communication is set, and this session table remembers certain rules that can not be changed after the communication is set. so it’s much secure
Expecially for our source port of the communication, stored by the firewall the server would not be able to communicate with us if the destination port does not match
example: tcp/15442 → tcp/80 (us → server) … tcp/80 → tcp/15543 blocked !!!(server → us)
What security an UTM provides?
an Unified Threat management solution can provide all-in-one security appliances
It serves as a web security gateway that constantly looks for malwares, does spam filtering, URL filtering, Content inspection and whatever the manifacturer wants.
Why is a NGFW more intelligent than an UTM?
UTM are physical devices provided by vendors, they can not contain anything we need. A NGFW is based on the Application layer, being a software the capabilities are more.
What’s ACLs referring to Firewalls?
Access control lists that allow or disallow traffic based on tuples, rules gouped in categories.

What’s a posture assessment?
When device is connected to our corporate network we may want to perform healt-checks, like:
- Is it a trusted device? Is it running anti-virus? Which one? Is it updated? Are the corporate applications installed? Is it a mobile device? Is the disk encrypted? The type of device doesn’t matter Windows, Mac, Linux, iOS, Android
What’s the difference between NAC with agent and agentless NAC?
agented Network Access Controls run software on devices attached to the network to perform healt-check. in particular:
- Persistent agents are permanently installed onto a system
- Dissolvable agents run during the posture assessment and terminates when they’re no longer needed
agentless NAC are performed to systems that present operating system default NAC checks. Those often run during logon and logoff but to have specific and added functionalities you may want to implement an agent.
What are the main edge control you have to implement?
Firewall rules
Why is NAT a proxy? What type of proxy is it?
NAT is the network address translation, that operates at a network level and just like any other proxy, it collects the internal traffic of a network and after some operations, in this case the IP translation it forwards it to the outside internet. And viceversa.
It’s a network level proxies. Most proxies are application based.
What’s a forward proxy? also called internal proxy. And a reverse proxy?
Mbare un proxy interno al tuo network che controlla che non visiti siti p0 rno
A reverse proxy does the same but checks the requests of the web server instaes.
Why wouldn’t you send data to an Open Proxy?
It’s a third party, uncontrolled proxy. It might be malicious as they function like forward and reverse proxy at the same time, and they could modify the requests and the responses.

NIDS and NIPS, what are and their main difference.
Network intrusion detection system and prevention system are methods we use to secure our networks.
They watch the traffic and detect intrusions (alarm or alert) or prevent them to get into the network (real time stop)
inline and out-of-band monitoring(passive)? how do you stop intrusion in both cases?
If the IPS is inline with the other devices it’s able to stop the traffic being send.
If you’re using out-of-band-monitoring the IPS is external to the traffic and just analyzes a copy of the packets, but if it recognizes an intrusion it could sent a TCP reset to the hosts and reset the communication (blocking it). If the attacker uses UDP this won’t work
Identification Technology are diverse. Name 4 of them for an IPS.
- Signature based: exact same packet
- Anomaly based: something out of regular schemes
- Behavior based: it recognizes the possible behavior of attackers
- Heuristic: based on AI

How do we set a Jump Server
We secure a protected device and SSH/RDP/VPN to it. This is dangerous if you don’t secure that device well.
Why would you store your private keys in a HSM if you’re in a large data center?
Couse they are made to do it
Why would you use Sensors and collectors?
To aggregate informations from all your network devices and have them in one place.
SIEM, IPS and syslog servers are collectors.

3.4 - Given a scenario, implement and configure wireless security settings

What message should we send over a wireless network to provide integrity?
a MIC: message integrity check
Explain CCMP over WPA2
WPA2 uses CCMP (counter mode / CBC-MAC) → cyber block chaining, message authentication code protocol
CCMP provides confidentiality through AES and integrity (Message integrity check) with CBC-MAC
Explain GCMP over WPA3
only difference from WPA2 is the use of Galois / counter mode protocol, that provides GMAC (Galois Message authentication protocol) for the MIC
What’s the PSK problem with WPA2?
Someone could capture the pre-shared key and try to brute force that hash to retrieve the actual Password.
How does WPA3 solves the PSK problem?
They’ve added additional security features, no more 4handshakes and hashes. Mutual authentication and perfect forward secrecy (the session key is thrown away when done)
What does Simultaneous Authentication of Equals serves and when is it used?
Simultaneous Authentication of equals is used with WPA3 as a solution to the PSK problem and derives from the Diffie Hellman process to share session key. Sometimes this is referred to as the IEEE dragonfly handshake

What wireless authentication method would you implement in your house? and in a corporate network?
House: PSK or shared password
Corporate: Additional security with the 802.1x standard (Radius, Tacacs or Ldaps maybe)
What would you use a captive portal for?
To authenticate to a network and be able to use the internet
WPS enabled or disabled?
Disabled. It uses 8 digit pin.

Why EAP is called EAP?
The Extensible Authentication protocol serves to the wireless solutions in order to auhenticate users, and it’s extensible as often is used in conjunction with 802.1x or LDAPS, TACACS, RADIUS…
Tell the process of authentication through 802.1x and EAP
The supplicant asks the authenticator to gain access, the authenticator does not provide it but it sends back an EAP request, followed by a response by the supplicant with the username.
After, the authenticator provides the username to the server and enstablishes a secure connection to ask for the credentials, that if provided correctly are send in the backend (server) that ultimately authenticates the user
EAP-FAST stands for? what’s the shared secret name?
Extensible Authentication protocol - Flexible Authentication via Secure Tunneling. It sets a secure TLS tunnel to share a protected access credential (PAC)
This is often used with RADIUS
PEAP is created by Cisco, Microsoft and RSA. What it uses instead of PAC?
Protected EAP. It uses a digital certificate and it’s often used with MSCHAPv2 databases.
Users can also authenticate through Generic Token Card
EAP-TLS has something different from every other EAP. What’s that?
The authentication is mutual so the digital certificate are stored in both the supplicant and the server
EAP-TTLS
Tunneled EAP with TLS. Is used to use other authentication method through this tunnel
RADIUS Federation uses what protocol to authenticate?
Mostly EAP. Remote authentication dial in User service

What’s a site survey?
When implementing nad installing wireless solutions you need to plan layouts and identify wireless signal strenght (through heat maps)
What would you do if you had to analyze wifi?
I would use any packet analyzer that listens to all the informations send through the wireless.
How do you avoid interferences when installing multiple wifi access points?
Using different areas of the spectrum (using overlapping channels).
Placing them in places not near interferences
How do you manage wireless access point centrally?
Through a Wireless controllers.

3.5 - Given a scenario, implement secure mobile solutions

What are cells referring to cellular networks?
The coverage of the antennas, that operates in certain frequencies
What’s the security concerns someone could face by just connecting to a cellular tower?
someone could track your location or monitor the traffic being send to the tower
Name three local security problems with wifi
data capture (if you do not encrypt your data), on path attacks (middleman or rogue access attacks) and DoS attacks by interfering with the frequencies
What’s PAN referring to Bluethoot?
Personal area Network - high speed comunication over short distances
what’s RFID and what are its most common uses?
Radio frequencies identification is a small chip using radar tecnology (it’s powered using radio energy and this provides bidirectional communication). It’s used for everything that needs tracking.
What’s NFC and why is it related to RFID?
Near Field Communication it’s a two way wireless communication based on the closeness of the two devices. It’s commonly used for payments and it uses RFID technology.
How does GPS determine the position?
Using 4 satellites near you and comparing the timing difference between them. Sometimes also wifi and antennas help the process

What’s MDM? and BYOD?
Mobile device management - Bring your own device
What’s the best way to manage mobile applications centrally?
Using an allow list so that only approved application can be installed
What’s MCM and what’s the best way to manage it?
Mobile content management is the way of handling data in mobile devices. We’ll use DLP capabilities to prevent sensitive data loss, and we could also ensure all the data in the device is encrypted
Why would we want to implement remote wipe?
To delete everything even if you don’t know where the device is
What’s it called when you want to limit certain functionalities when device is in a certain area?
Geofencing
What’s a security concern with push notification?
That everyone can see them just by looking at your screen
What’s context-aware authentication and how it differs from 2FA?
It’s a type of authentication that builds a profile of the user who’s tryin to authenticate, like IP address, geolocation etc…
How do you separate personal data and corporate data when a BYOD policy is adopted?
By creating different partitions on the device with different types of data. This is called containerization.
This allows to manage the two portion of device in a separated way (storage segmentation)
FDE stands for? Where would the key stored in a corporate mobile device network?
Full disk / device encryption. The key is often stored by the MDM.

What’s the equivalent of an HSM in mobile devices?
Micro SD Hardware Security module, used for security services and secure storage
What’s the purpose of an UEM ?
an Unified Endpoint management solution is an evolution of MDM that incorporates mobile and non-mobile devices to provide the same security policies in an unified solution
What’s the best solution to manage applications in an enterprise?
Through a Mobile application management solution (MAM), that provides lots of features like remote data wipe and monitors application use
SEAndroid is an NSA project that makes sure security is provided in android devices. How the method of data access is changed since SEAndroid is used?
Android devices used to use DAC, now by default having MAC we found that every application is sandboxed and isolated. now access to sensitive low level datas are centralized to the manifacturer and the user has no access to them

In your corporation you want to make sure your corporates do not install applications out of the scope of the business. What would you implement?
Mobile Device Management
What’s a carrier locked phone?
When a phone’s firmware is locked to use only the provider who supplied the phone (Vodafone or Verizon for instance)
What’s OTA?
Over the air, it often refers to firmware updates.
How do you make sure the phone camera of your corporates is off in a certain area of the corporation?
Through MDM.
What’s OTG?
On the go USB connection features on mobile devices
When should you disable geotagging with your MDM?
When you don’t want location metadata to your corporates’ files.
What’s the mobile wireless standard?
IEEE 802.11
How do you make two IoT devices communicate directly?
Thanks to wifi ad hoc or WiFi Direct.
Why shouldn’t you allow Tethering in your corporate network?
To prevent someone get malicious access to the network through the insecure thetering of a mobile device, instead of keep the use of the corporate secure network.

What are we referring to if we say COPE? What’s a similar policy where you get to decide the device?
Corporate-owned personally enabled device. The organization keeps full control of the device.
CYOD Choose your own device.
What policy should you implement if you don’t want your corporate devices to be personally used?
You provide corporate owned devices.
What’s a VDI / VMI?
A virtual desktop infrastructure / virtual mobile infrastructure keeps data separated from the device. The VMI is generally a server and the device access data and application stored on it remotely.

4.0 - Operations and Incident Response

4.1 - Given a scenario, use the appropriate tool to assess organizational security

Command to determine the route of a packet
tracert:Windows
traceroute:Linux
takes advantage of TTL in the ICMP protocol
Command to gather informations from the DNS servers
nslookup (deprecated)
dig
Command to know your IP address and configurations
ipconfig: Windows ipconfig \all
ifconfig: Linux
Command to test reachability
pathping: Windows (both ping and traceroute
ping :Linux and Windows
Command to get Network statistics
netstat
netstat -a -b -n
-a: active -b: show binaries (Windows) -n: do not resolve names
Command to view the local ARP table
arp -a
Command to view the device’s routing table
route print: Windows
netstat -r: Linux and Unix

Command to retrieve data using URL
curl
Command to find and scan network devices
nmap
Command to craft a layer 3 packet / scan a network
hping / hping --scan p0-p
Command to gather OSINT on company or domain
theHarvester
Command to run many recon tool in a single framework
sn1per
Command to run a scan from a proxy to not be identified
scanless
-t URL
-s service
Command to enumerate DNS informations
dnsenum
Framework to scan vulnerabilities
Nessus
Framework to run an executable in a safe environment
Cuckoo

Command to concatenate a file to the standard output
cat: Linux
type: Windows
Command to view the top part of a file and command to view the last lines of a file
head
tail
-n number of lines
Command to find text in a file
grep
Command to change permissions for a file in Linux
chmod
Command to record informations and save them in the syslog file
logger

A file with a .ps1 is native of what OS?
Windows - script for Powershell
What is the purpose of OpenSSL
A toolkit for SSL/TLS libraries
You can build X.509 certificates and use OpenSSL for encryption and decryption and other

What’s the most utilized Packet Capture and replay framework?
WireShark
Command to capture packets and display traffic on display
tcpdump
Command to replay and edit packets, used to test security devices
tcpreplay
you can edit packets and send them over the network, and hopefully your intrusion prevention system will block it

You have to create a disk image for forensic analysis. What linux command will help?
dd
if=/input/path
of=/output/path
Command to copy in memory contents
memdump
You want to edit the Hexadecimal contents of a file/disk/RAM in Windows. Name the framework you would use.
WinHex.exe
What’s the FTK imager purpose?
Is a framework for forensic drive imaging used in Windows
What’s Autopsy purpose in forensics?
It’s a tool to view and recover data from storage devices, capable of extracting many different data types
Name two exploitation framework
Metasploit Framework
SET Social Engeneering Toolkit
What would you use if you had to brute force a password?
a Password Cracker
What’s called the process of completely remove data from a drive?
Data sanitization

4.2 - Summarize the importance of policies, processes, and procedures for incident response

What’s an IRP?
Incident Response Plan
What’s in the NIST SP800-61?
A computer security incident handling guide by the National Institute of Standards and Technology.
It comprehends the lifecycle of an incident response:
- Preparation
- Identification (Detection and Analysis)
- Containment
- Eradication and Recovery
- Post-Incident activities
Main processes of Preparation in IRP
Having policies and backups
Main processes of Identification in IRP
Detection and Analysis
Main processes of Containment in IRP
Isolation of threats in sandboxing environment
Main processes of Eradication and Recovery in IRP
Recovery from an incident, get things back to normal and recover of the system. Often you’ll need to patch the issues that permitted the exploit

What we mean by Exercises in IRP?
Exercises stand for tests to our system, tests that need to be done before an incident ever occurs
What’s a Tabletop exercise?
We get everyone in a meeting and talk through a simulated disaster
What’s an exercise that will test processes and procedures, involves all groups and helps identify missing steps and missing steps?
A Walkthrough
What’s called a test of a specific event?
Simulation

Who are Stakeholders? What do we mean by Stakeholders management?
Customers
We want to keep a good relationship with our Stakeholders.
Why is communication plan important?
Having good plans for organization of the communication between the people involved in processes and procedures is crucial.
You may want to have communication plans for Corporates like the CIO, CISO and other Internal non-IT personnel, like human resources or legal departments, or maybe external contacts like system-owners.
What’s DRP and what does it covers?
a Disaster recovery plan is a comprehensive plan with the informations needed to respond to a disaster. It is part of the Business Continuity plan
it covers the plan to provide continuity of the business if general disasters occur (natural disasters, system failures, human-created disasters, …)
What’s a Continuity of operations planning (COOP)?
A planning of how normal operation would change if disaster occurs
What does Retention policies cover?
Retention policies are policy on how to retrieve data when needed

What’s the diamond model of intrusion analysis
a scientific principle based structure to help analysts understand intrusions
Where would you search a specific attack vector?
In the MITRE ATT&CK framework
When we refer to the seven phases of a cyber attack, what’s this chain of phases called?
Cyber Kill Chain

4.3 - Given an incident, utilize appropriate data sources to support an investigation

You have been notified of a trend change from the SIEM. What has happened?
There has been a change of normal patterns during the SIEM monitoring.
Explain the concepts of Sensitivity and Correlation you see in a SIEM dashboard.
The sensitivity is the setting of what information are warnings, what are urgent and what informations are just informational.
Correlation is something you set to combine and compare data from multiple sources and verify everything’s normal
Where do you find application log files in Linux and Windows?
Linux: /var/log
Windows: Event Viewer → Application Log
You have a web server that stores lot of log files. How would you manage them?
Send them to a SIEM
What would you use dump log files for?
Dump file from an application serves mostly to address some problem that occurred with that specific application
In VoIP what protocol logs the initiation of the call and other useful informations?
SIP / Session Initiation protocol traffic logs informations such as call setup, inbound and outbound

In a Linux environment, what are the most popular syslog daemon?
- Rsyslog “Rocket-fast System for log processing”
- syslog-ng - syslog with filtering and storage options
- NXLogs - collects logs from many different types of log
In a Linux environment, some system logs are stored in a binary format for storage optimization. What is the tool that let us view this logs as plain text?
journalctl
Why do we need bandwidth monitors?
If the bandwidth is overly utilized, other resources may not work properly
What does SNMP, NetFlow, sFlow and IPFIX have in common?
They all have the capability of monitoring the bandwidth statistics
Where do we find metadata?
In lots of stored files like photos, emails and office files there are metadata with informations normally hidden.

What do we find in a NetFlow collector?
All the NetFlow data that this standard is capable to gather, normally all traffic flows and shared communication between devices.
What are the differences between NetFlow and IPFIX?
IPFIX is based on NetFlow v9, so they are not very different, other than the fact that IPFIX is newer
What data collector can gather accurate statistics from a portion of the actual network traffic, and can operate at level 2-7OSI?
sFlow
Name a protocol analyzer.
WireShark

4.4 - Given an incident, apply mitigation techniques or controls to secure an environment

How does an anti-virus application blocks a known malicious executable?
It would have hashes of the known malicious application and by finding something that matches it, the antivirus would block and quarantine it.
What’s the difference between Isolation and Containment concepts.
Isolation refers to infected devices
Containment refers to the sandboxing application policy of an OS
How do you prevent and mitigate an attacker from performing lateral movement in internal Networks?
Through segmentation of the internal network
What’s a SOAR? How is it linked to Runbooks and Playbooks?
Softwares for security that provides Orchestration, automation and response in order to make security teams more effective and efficient.
Runbooks and playbooks are standard procedures on witch the SOAR is set.

4.5 - Explain the key aspect of digital forensics

What document set guidelines for evidence collection and archiving?
RFC 3227
What data would you find in a Legal Hold?
Electronically stored informations (ESI) of different source and type, in ongoing preservation (an obligation to preserve data)
The main concern about admissibility of data would be
The legal authorization about holding that data
What’s the purpose of Chain of custody?
To maintain integrity
What would be your main concern about timeline sequence of events if you have both FAT and NTFS files?
FAT stores time in local time, whereas NTFS time is stored in GMT, so you would need to perform some time translation

What are order of volatility?
The first step you would perform when dealing with disks in forensic analysis.
Drive image preparation (power down and remove of storage drive) and the imaging of the drive itself
Than forensic bit-for-bit cloning
You’re investigating a ransomware infection in a device owned by the corporation. What OS data would be useful to the forensic analysis of that incident?
Users, Processes, open ports and attached devices
You’re investigating a rootkit. what should your attention focus on?
Firmware modifications
What’s an Artifact in digital forensics?
Digital traces left by contacts.

Why Right-to-audit clauses should be part of a contract with a CSP when performing digital forensics?
Right to audit clauses it’s a legal agreement that is put in place to have the option to perform a security audit at anytime;
this gives the ability to verify the security even before a data breach occurs, and also defines how data should be shared and managed agreeing to terms and conditions.
What’s the main concern about jurisdiction / regulation of data when dealing with cloud computing?
The location of the data and the different jurisdiction and regulation of each zone the data is placed
When are ‘Data breach notification’ laws applied?
If some customers’ data were leaked Data breach notification law defines who gets notified and when

If we have a documentation of authenticity and a chain of custody, what type of attribute defines the function of both documentations?
Provenance
To obtain preservation of a mobile drive what should we do?
We should copy and image the drive
When we need to gather data needed by a legal process, what’ the process of obtaining that data called?
e-discovery
When we have non-repudiation we are sure ___ and ____ are provided to our data.
Integrity … authentication
Name two methods of providing non repudiation. (hint: 1 peer to peer; 2 public)
MAC : message authentication code where two entities can verify non-repudiation
Digital signature can ensure non-repudiation to anyone who has the public key of the signature.
In what the counterintelligence (CI) consists on?
In trying to stop someone trying to gather information on us through OSINT.

5.0 - Governance, Risk and Compliance

5.1 - Compare and contrast various types of controls

Name the three main categories of security controls.
Managerial, Operational and Technical
What’s the difference between control category and control type?
Categories are three and describe the way the control is implemented. The control type instead define the purpose of the control.
What category of control a phishing training program would be?
Operational, control implemented by people
What category of control are security policies?
Managerial, control addressing implementation and standard procedures
An anti-virus would be a __ control.
Technical, controls implemented using systems

Difference between preventive and detective control types.
Preventive is a control type that prevents the intrusion, detective a control type that detects it.
A preventive control can’t always detect an intrusion and a detective control can’t always prevent access to the system.
What’s a corrective control designed for?
To mitigate potential damage.
example: a backup site could mitigate an incident, an IPS can identify and block an attacker …
What’s a deterrent control designed for?
To discourage an intrusion
example: warning sign, fake CCTV
What’s the difference between Compensating controls and physical controls?
Compensating controls are just restores of something you do not longer have (do not stop an intrusion), whereas physical controls are real world security like fences or mantraps

5.2 Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture.

Who addresses the GDPR?
The general data protection and regulation addresses every company that holds PII
Who addresses the PCI DSS? How many control objectives does it contains?
The payment card industry data security standard addresses every company that holds and uses credit card for protecting them.
This act has 6 objectives
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy

What’s the purpose of the CIS CSC?
The purpose of the Critical Security Controls by the Center for Internet Security are to explain implementation for cyber defenses.
It comprehends 20 key critical security controls, categorized in company sizes.
What’s the main framework utilized by federal agencies in the US?
The NIST (National institute of Standards and Technologies) $\darr$
RMF (Risk Management Framework)
It comprehends 6 main steps with processes to secure a set environment
Who does The CyberSecurity Framework (CSF) by NIST addresses?
CSF It’s a commercial framework for improving infrastructure security
you’re a commercial wanting to implement high level view of cybersecurity
Be able to tell the purpose of each ISO/IEC Standard: 27001, 27002, 27701, 31000.
ISO/IEC → International Organization for Standardization / International Electrotechnical Commission
The followings are standards by the ISO/IEC
- 27001 → ISMS (International security management system)
- 27002 → related to the previous, contains practice for information security controls
- 27701 → focus on privacy PIMS (Personal identification management system)
- 31000 → standard for international risk management practice
Be able to tell the difference between Type I and II in the Statement on Standard for Attestation Engagements number 18 (SSAE 18), and also the purpose of the SSAE 18.
This act comprehends a broad variety of audits that covers security controls.
- Type I audit → performed at a specific time
- Type II → performed for at least 6 month
The Cloud Security Alliance (CSA) published the CCM. What does this act covers?
The Cloud Control Matrix is a set of Cloud-specific security controls, divided in ‘standards’, ‘best practices’ and ‘regulations’ you need to follow in the coud.
What are secure configuration guidelines?
Guidelines that help you harden services you start that are not secure-by-design.
Services: Web servers, OS, Application servers, Networking devices

5.3 - Explain the importance of policies to organizational security

We have detailed documentation called AUP. Explain it’s functionality-
The Acceptable use policies covers lots of topics that address the company itself and restricts the use of IT according to legal liability
What does the Mandatory vacation policy tries to identify?
Frauds
Split Knowledge separates the details of some works in a way that is coherent with the ____ __ _______ policy.
Separation of duties
If you can’t ever leave your desk with some informations in your screen, how’s this policy called?
Clean desk policy
Who addresses an NDA?
A non disclosure agreement addresses a company and a third party entity
It’s purpose is to prevent use and dispersal of confidential information
How’s the set of standard procedures involved with hiring someone called? reversed?
Onboarding - Offbording
When talking about training programs, what’s CBT?
Computer based training, based on training at your own time with your own terms using your computer

SLA?
Service level agreement, minimum set of service terms (used between customers and service providers)
MOU?
Memorandum of understanding, informal letter with intents of parties. includes confidentiality informations. It’s not a contract but it lets both parties understand.
MSA?
Measurement system analysis,
If your company relies on measurements for the business, an MSA is used to test the quality of the measurement process and it serves also to address and calculate the uncertainty of the process
BPA?
Business partnership agreement, details of going into business together
EOL?
End of life for something. May continue to support the product
EOSL?
End of service life for something. Support is no longer available
NDA?
Non disclosure agreement - Accordo di riservatezza

Who’s the responsible of data privacy, accuracy and security?
The Data Steward
Difference between change management and change control
The change control is a formal process for managing change.