Text Material Preview
SSCP Last Minute Review Guide CertMike Domain 1: Security Operations and Administration The three main goals of information security are: Law/Regulation Privacy Scope Confidentiality prevents unauthorized disclosure HIPAA/HITECH Health information Integrity prevents unauthorized alteration FERPA Educational records Availability ensures authorized access GLBA Financial services sector COPPA Information related to children under the age of 13 Privacy Act of 1974 Information held by federal agencies GDPR of European Union residents PIPEDA PII of Canadian residents APEC CPEA PII of residents of Asian-Pacific nations The four canons of the code of ethics are: 1.Protect society, the common good, necessary public trust and confidence, and the infrastructure. 2.Act honorably, honestly, justly, responsibly, and AVAILABILITY legally. 3.Provide diligent and competent service to principals. Accountability provides the ability to trace every action 4.Advance and protect the profession. taken on a system back to an individual user without any ambiguity and without allowing the user to deny We can categorize security controls in two ways: by responsibility for that action (non-repudiation). their purpose and by their mechanism of action. The table below shows classification of security controls by Personnel security principles include: purpose: Need to know requires a legitimate business need to access information. Control Type Purpose Least privilege grants individuals the minimum Deterrent Seek to dissuade an attacker from attempting to necessary permissions to perform their jobs. Controls violate a security policy in the first place. Examples Separation of duties blocks someone from having include warning signs and logon banners. two sensitive privileges in combination. Preventative Seek to block an attempt to violate a security Two-person control requires two people to perform Controls policy from succeeding. Examples include access a sensitive activity. control lists, firewalls, and fences. Mandatory vacations and job rotation seek Detective Seek to identify attack attempts that do occur. to prevent fraudulent activity by uncovering Controls Examples include burglar alarms, intrusion detection malfeasance. systems, and file integrity monitoring systems. Corrective Seek to restore normal service after a disruption. Controls Examples include backups and redundant sites. Compensating Seek to address a gap created by the absence of Controls another required control. Should go above and beyond other control requirements.SSCP Last Minute Review Guide CertMike Domain 1: Security Operations and Administration The next table shows the classification of security Security frameworks provide templates for security controls by their mechanism of action: activities. These include COBIT, NIST CSF, and ISO 27001/2. Control Type Mechanism of Action Due care is taking reasonable steps to protect the Technical Controls Use technological means to achieve control objectives. Examples include session timeout interest of the organization. Due diligence ensures and password aging. those steps are carried out. Physical Controls Use real-world physical means to achieve control objectives. Examples include Security governance is carried out through mantraps, cameras, and locks. Policies which state high-level objectives Administrative Use policy and procedure mechanisms to (mandatory compliance). Controls achieve control objectives. Examples include Standards which state detailed technical security policies and standards, procedures, requirements (mandatory compliance). and baselines. Procedures which provide step-by-step processes (mandatory compliance). Change and configuration management processes Guidelines which offer advice and best practices ensure that organizations have standardized processes (optional compliance). in place for requesting changes, implementing those changes, and releasing code to productions. Organizations are subject to a wide variety of legal and Request control manages, evaluates, and prioritizes regulatory compliance obligations from: inbound requests from customers Criminal laws that may involve prison or fines. Change control grants permission for developers to Civil laws that regulate non-criminal disputes. make changes to application code Administrative laws set by government agencies. Release control moves code from the development Regulations from industry bodies. environment into production Security professionals are responsible for assessing and In a well-managed environment, change processes ensuring the organization's compliance with internal are designed to enforce segregation of duties so policies and external laws, regulations, and contractual that developers cannot move their own code into obligations. production. Asset management systems track hardware, software, and data assets throughout their lifecycle. The stages of this lifecycle include: Process, planning, design, and initiation Development or acquisition of the asset Inventory and licensing Implementation and assessment Operation and maintenance Archiving and retention (per requirements) Disposal and destructionSSCP Last Minute Review Guide CertMike Domain 2: Access Controls The core activities of identity and access management are: Single sign-on allows the use of a single account Identification where a user makes a claim of identity. across multiple systems without requiring repeated logins. Authentication where the user proves the claim of Federation shares account information across systems identity. belonging to different service providers. Authorization where the system confirms that the user is permitted to perform the requested action. The Security Assertion Markup Language (SAML) allows browser-based single sign on across a variety of In access control systems, we seek to limit the access systems. There are three entities in a SAML that subjects (e.g. users, applications, processes) have The principal is the end user. to objects (e.g. information resources, systems). The identity provider is the organization providing the user's account that is used for authentication. Access controls work in three different fashions: The service provider is the organization offering the Technical (or logical) controls use hardware service requested by the end user. and software mechanisms, such as firewalls and intrusion prevention systems, to limit access. OAuth is an authorization standard that allows users to Physical controls, such as locks and keys, limit log into applications using credentials provided by other physical access to controlled spaces. identity providers without providing the application Administrative controls, such as account reviews, with those credentials. OpenID Connect is a consumer- provide management of personnel and business focused implementation of OAuth used by Google and practices. other cloud service providers. Multifactor authentication systems combine Access Control Type Defining Characteristics authentication technologies from two or more of the Discretionary (DAC) Access control decisions are delegated following categories: to the owners of objects who may Something you know (Type 1 factors) rely upon further delegate authority. secret information, such as a password. Mandatory (MAC) Non-discretionary. Access control Something you have (Type 2 factors) rely upon is determined by labels assigned to physical possession of an object, such as a smartphone. subjects and objects. Something you are (Type 3 factors) rely upon Role-based (RBAC) Users are assigned to roles based upon biometric characteristics of a person, such as a face their job duties. Roles are created using scan or fingerprint. attribute-based, subject-based, and object-based approaches. Permissions are then assigned to roles, rather than Authentication technologies may experience two types of directly to users. errors. False positive errors occur when a system accepts Attribute-based (ABAC) Access control decisions are based an invalid user as correct. It is measured using the false upon characteristics of the user's account. acceptance rate (FAR). False negative errors occur when Rule-based Grants or denies access based upon a a system rejects a valid user, measured using the false set of predefined rules. Firewalls use this rejection rate (FRR). We evaluate the effectiveness of an approach. authentication technology using the crossover error rate (CER), as shown in the diagram to the right:SSCP Last Minute Review Guide CertMike PRACTICE Domain 2: Access Controls FAR We can describe the trust relationships between FRR two domains based upon two characteristics: their direction and their transitivity. The direction of a trust can be one-way, with one domain trusting another domain, or two-way, with both domains trusting each CER other. The transitivity of a trust indicates whether trust relationships may be inferred from other relationships, as shown below. One-way Trust Two-way Trust Trusts Trusts Sensitivity Domain 1 Domain 2 Domain 1 Domain 2 The registration process for new users consists of four steps: Non-Transitive Trust Transitive Trust Trusts Trusts Request Domain 1 Domain 2 Domain 1 Domain 2 Domain 3 Domain 3 Issuance Approval Windows offers Active Directory as a centralized identity store. This facilitates logging into Windows Identity proofing systems and other services that support Active Directory authentication. Microsoft also offers Active Directory Federation Services (ADFS) to facilitate There are several different types of networks in most integration with other service providers, enabling a true organizations: single sign-on experience. Intranet networks are designed for use by employees and other internal users. They often Zero trust network access (ZTNA) uses strong identity contain sensitive information and resources. and access management controls to shift away from The Internet is a general-purpose network open trust relationships that depend upon network location to the public. Public-facing resources, such as and move toward user-based access controls. organization websites are placed on the Internet. Extranet networks are shared with trusted partners, such as vendors, contractors, and consultants. They contain only those resources that should be shared with partners.SSCP Last Minute Review Guide CertMike Domain 3: Risk Identification, Monitoring, and Analysis Risks are the combination of a threat and a corresponding Risk registers are centralized documents used to track vulnerability. information about the risks facing an organization and their current status. They contain a description of Quantitative risk assessment uses the following formulas: each risk, a categorization scheme, a risk assessment SingleLossExpectancy = (probability and impact), and risk mitigation actions. AssetValue ExposureFactor AnnualizedLossExpectancy = Threat intelligence shares risk information across AnnualizedRateofOccurence * SLE organizations and may be used strategically and/ or operationally. Threat intelligence often includes Risk reviews should consider all internal and external/ indicators of compromise (IOC) that are telltale signs supplier risks and their impact on the organization and of malicious activity. Threat modeling identifies and its architecture. prioritizes threats through a structured approach. Responses to a risk include: There are three major approaches to threat Avoid risk by changing business practices identification: Mitigate risk by implementing controls Asset focused approaches use the asset inventory Accept risk and continue operations as the basis for the analysis Transfer risk through insurance or contract Threat focused approaches identify how specific threats may affect each information system An organization's risk tolerance or risk appetite is the Service focused approaches identify the impact of level of risk that it is willing to accept without taking various threats on a specific service other risk management action. Security tests verify that a control is functioning The NIST Risk Management Framework is found in NIST properly. Security assessments are comprehensive SP 800-37 and is summarized in the diagram below: reviews of the security of a system, application, or other tested environment. Architectural Description Process Organizational Inputs Architecture Reference Models, Segment and Solution Overview Laws, Directives, Policy Guidance, Security audits use testing and assessment techniques Strategic Goals and Objectives, Architectures, Mission and Priorities and Resource but are performed by independent auditors. There are Business Processes, information Supply Chain Considerations System Boundaries three types of security audits: Starting point Repeat as necessary. Internal audits are performed by an organization's internal audit staff, normally led by a Chief Audit Step 1 Categorize Executive who reports directly to the CEO. Step 6 information system. Step 2 Monitor Select External audits are performed by an outside security controls. security controls. Risk auditing firm. Management Third-party audits are conducted by, or on behalf Step 5 Framework of, another organization, such as a regulator. Step 3 Authorise Implement information system. Step 4 security controls. Access security controls.SSCP Last Minute Review Guide CertMike Domain 3: Risk Identification, Monitoring, and Analysis Organizations that provide services to other The Security Content Automation Protocol (SCAP) organizations may conduct audits under SSAE 16. These provides a standard framework for vulnerability engagements produce two different types of reports: assessment. It includes the following components: Type I reports provide a description of the controls Common Vulnerabilities and Exposures (CVE) in place, as described by the audited organization, Common Vulnerability Scoring System (CVSS) and the auditor's opinion whether the controls Common Configuration Enumeration (CCE) described are sufficient. The auditor does not test Common Platform Enumeration (CPE) the controls. Extensible Configuration Checklist Description Type II reports document engagements where the Format (XCCDF) auditor actually tests the controls and provides an Open Vulnerability and Assessment Language (OVAL) opinion on their effectiveness. The 10-point CVSS scale is a good basis for prioritizing COBIT, ISO 27001, and ISO 27002 are commonly used vulnerabilities. This is helpful in deciding which standards for cybersecurity audits. vulnerabilities should be remediated first. After Developers and security professionals use a variety remediating a vulnerability, be sure to validate that of software testing techniques to verify that they are remediation to verify that the vulnerability no longer exists. building secure and effective software. Network discovery scanning uses tools like nmap to Technique Description check for active systems and open ports. Common scanning techniques include: Validation Ensures that software meets business requirements. It answers the question "Are we TCP SYN scans send a single packet with the SYN building the right software?" flag set. Verification Ensures that software functions correctly. It answers TCP Connect scans attempt to complete the three the question "Are we building the software right?" way handshake. Stress testing Uses automated scripts to verify system capacity. TCP ACK scans seek to impersonate an established connection. User Ensures that software will work for users by Acceptance allowing them to verify functionality. Xmas scans set the FIN, PSH, and URG flags. Testing (UAT) Regression Checks for unexpected side effects of software Network vulnerability scanning first discovers active testing changes. services on the network and then probes those services Fuzz testing Modifies inputs to an application to detect for known vulnerabilities. Web application vulnerability unexpected behavior. scans use tools that specialize in probing for web Misuse case Evaluates software from an attacker's perspective. application weaknesses. testing Interface Verifies that code modules will function together The vulnerability management lifecycle includes three testing correctly. basic steps: detection, remediation, and validation. Test coverage Determines the percentage of software that was analysis tested based upon the number of functions, number of lines of code, or by the number of conditional branches executed.SSCP Last Minute Review Guide CertMike Domain 3: Risk Identification, Monitoring, and Analysis Penetration testing goes beyond vulnerability scanning and attempts to exploit vulnerabilities. It includes five steps: Planning Information Reporting Gathering & Discovery Exploitation Vulnerability Scanning Logging creates event streams that provide invaluable information when troubleshooting systems and investigating security events. Logging programs should include all of the organization's applications, security appliances, network devices, and hosts. Syslog provides a standardized mechanism for the transmission of log events. Security information and event management (SIEM) systems provide a centralized point for event aggregation, correlation, and analysis.SSCP Last Minute Review Guide CertMike Domain 4: Incident Response and Recovery Security professionals are often called upon to Cybersecurity incident response efforts follow this process: participate in a variety of investigations: Criminal investigations look into the violation of a Detection criminal law and use the beyond a reasonable doubt standard of proof. Civil investigations examine potential violations of civil law and use the preponderance of the evidence Lessons standard. Learned Response Regulatory investigations examine the violation of a private or public regulatory standard. Administrative investigations are internal to an organization, supporting administrative activities. Remediation Mitigation Investigations may use several different types of evidence: Real evidence consists of tangible objects that may Recovery Reporting be brought into court. Documentary evidence consists of records and other written items and must be authenticated by testimony. Incident response programs should be based upon Testimonial evidence is evidence given by a industry standards, such as NIST 800-61 and ISO witness, either verbally or in writing. 27035. The best evidence rule states that, when using a Incident responders should follow carefully designed document as evidence, the original document must be communications procedures that ensure that all used unless there are exceptional circumstances. The stakeholders receive an appropriate level of information parol evidence rule states that a written agreement is and that reporting of incident response analysis work is assumed to be the complete agreement. clear, concise, and has controlled distribution. Forensic investigators must take steps to ensure that they do not accidentally tamper with evidence and that they preserve the chain of custody documenting evidence handling from collection until use in court. The disaster recovery process begins when operations are disrupted at the primary site and shifted to an alternate capability. The process only concludes when normal operations are restored.SSCP Last Minute Review Guide CertMike Domain 4: Incident Response and Recovery Tool Description Disaster recovery plans require testing. There are five Intrusion Detection Monitor a host or network for signs of major test types: System intrusion and report to administrators. Intrusion Prevention Monitor a host or network for signs of DR Test Type Description System intrusion and attempt to block malicious traffic automatically. Read-through/ Plan participants review the plan and their tabletop specific role, either as a group or individually. Security Information Aggregate and correlate security & Event Management information received from other systems. Walkthrough The DR team gathers to walk through the steps System in the DR plan and verify that it is current and matches expectations. Firewall Restricts network traffic to authorized connections. Simulation The DR team gathers to walk through the steps in the DR plan and verify that it is current and Application Limits applications to those on an matches expectations. Whitelisting approved list. Parallel DR team activates alternate processing Application Blocks applications on an unapproved list. capabilities without taking down the primary site. Blacklisting Full interruption DR team takes down the primary site to simulate Sandbox Provides a safe space to run potentially a disaster. malicious code. Honeypot System that serves as a decoy to attract Incident response, business continuity, and disaster attackers. recovery plans each contribute to the organization's Honeynet Unused network designed to capture information systems contingency plan. These plans probing traffic. should also integrate with other crisis management efforts, including those designed to respond to natural Backups provide an important disaster recovery control. disasters and pandemics. Remember that there are three major categories of backup: Backup Type Description Full Backup Copies all files on a system. Differential Backup Copies all files on a system that have changed since the most recent full backup. Incremental Backup Copies all files on a system that have changed since the most recent full or incremental backup. Disaster recovery sites fit into three major categories: Site Type Support Systems Configured Servers Real-time Data Cold Site Yes No No Warm Site Yes Yes No Hot Site Yes Yes YesSSCP Last Minute Review Guide CertMike Domain 5: Cryptography Encryption is often included as a requirement of Symmetric Cryptography Asymmetric Cryptography meeting legal and regulatory requirements. The Requires Requires Payment Card Industry Data Security Standard (PCI n(n-1) keys 2n keys DSS) requires encryption for cardholder data and 2 International Organization for Standardization (ISO) You can improve the security of a cryptographic standards suggest encryption as a best practice for all algorithm by increasing the key length, which sensitive information at rest and in transit. increases the key strength by making it more resilient against brute force attacks. Cryptography uses mathematical techniques to prevent unauthorized individuals from viewing data. It The Diffie-Hellman algorithm may be used for secure consists of two operations: exchange of symmetric keys. Encryption transforms plaintext into ciphertext using an encryption key Hashes are one-way functions that produce a unique Decryption transforms ciphertext back into value for every input and cannot be reversed. plaintext using a decryption key Common hashing algorithms include SHA, HMAC, and The goals of cryptography are: RIPEMD. The MD5 hashing algorithm is still widely used Confidentiality to protect information from but has significant security vulnerabilities. unauthorized access Integrity to protect information from unauthorized Transport Layer Security (TLS) is the replacement changes for Secure Sockets Layer (SSL) and uses public key Authentication to provide proof of identity claims cryptography to exchange a shared secret key used to Non-repudiation to provide the ability to prove the secure web traffic and other network communications. origin of a message to a third party. The Trusted Computing Base (TCB) is the secure core The two basic cryptographic operations are substitution of a system that has a secure perimeter with access which modifies characters and transposition, which enforced by a reference monitor. moves them around. Data State Description Symmetric encryption uses the same shared secret key Data at Rest Data stored on a system or media device for encryption and decryption. Data in Motion Data in transit over a network In asymmetric encryption, users each have their own Data in Use Data being actively processed in memory public/private keypair. Keys are used as follows: Confidentiality Digital Signature When configuring security for a wireless network, always use the WiFi Protected Access (WPA or WPA2) Sender Encrypts with Recipient's public key Sender's private key protocols. Both versions of this protocol are secure. The Recipient Decrypts with Recipient's private key Sender's public key Wired Equivalent Privacy (WEP) protocol is insecure. WPA uses the Temporal Key Integrity Protocol (TKIP) Anything encrypted with one key from a pair may only to rapidly change encryption keys while WPA2 uses the be decrypted with the other key from that same pair. CCM Mode Protocol (CCMP) to provide security.SSCP Last Minute Review Guide CertMike Domain 5: Cryptography Digital certificates use the X.509 standard and contain Blockchain technology uses encryption to create a copy of an entity's public key. They are digitally signed an immutable, distributed ledger that supports by a certificate authority (CA). cryptocurrency and other emerging applications. You request a digital certificate from a CA by generating Information should be classified based upon its a Certificate Signing Request (CSR). After the CA sensitivity to the organization. Common classes of validates your identity, they create a digital certificate sensitive information include: containing your public key and signed using the CA's Personally identifiable information (PII) which private key. Anyone wishing to validate the certificate uniquely identifies individuals. may do so using the CA's public key. Protected health information (PHI) which includes individual health records. Certificates may be revoked using two techniques. The Proprietary information which contains trade secrets. older technique is the inclusion of the certificate serial number on a certificate revocation list (CRL). The more modern technique is to provide certificate users with TOP SECRET HIGHLY SENSITIVE access to certificate status in real-time using the Online Certificate Status Protocol (OCSP). SECRET SENSITIVE Digital certificates issued by CAs come in three varieties. They differ in the amount of verification CONFIDENTIAL INTERNAL performed by the CA before issuing the certificate. Certificate Type Validation Performed UNCLASSIFIED PUBLIC Domain CA verifies that the certificate subject controls validation (DV) the domain name. Weakest form of validation. INFORMATION CLASSIFICATION Organization CA verifies the name of the business purchasing validation (OV) the certificate in addition to domain ownership. Information should be labeled with its classification and Extended CA performs additional checks to verify the physical validation (EV) presence of the organization at a registered address. security controls should be defined and appropriate for each classification level. Organizations not wishing to purchase a digital Collect only data that is necessary for legitimate certificate from a CA may create their own self-signed business purposes. This is known as data minimization. certificates. These certificates are fine for internal use but will not be trusted by external users. The major categories of intellectual property protection include: Quantum computing poses a serious future risk to Trademarks protect words and symbols. cryptography because it undermines the difficulty of the Copyrights protect creative works. mathematical operations used to strengthen encryption Patents protect inventions. algorithms. Trade secrets require maintaining secrecy but don't expire.SSCP Last Minute Review Guide CertMike Domain 6: Network and Communication Security OSI Model Cellular networks cover long-range distances, Layer Description providing wireless connections to smartphones and other devices over distances of many miles. Application Serves as the point of integration for user applications with the network Wireless networks should be secured using WPA2 or Presentation Transforms user-friendly data into machine-friendly data; encryption WPA3 encryption, not WEP or WPA. Enterprise wireless networks use the Extensible Authentication Protocol Session Establishes, maintains, and terminates sessions (EAP) to implement authentication for wireless clients Transport Manages connection integrity: TCP, UDP, SSL, TLS using the organization's identity and access management Network Routing packets over the IP, ICMP, BGP, system. IPsec, NAT Data Link Formats packets for transmission; Ethernet, ARP, Load balancers distribute connection requests among MAC addresses many identical servers. Physical Encodes data into bits for transmission over wire, fiber, or radio Network switches generally work at layer 2 and connect directly to endpoints or other switches. TCP is a connection-oriented protocol, while UDP is a Switches may also create virtual LANs (VLANs) to connectionless protocol that does not guarantee delivery. further segment internal networks at layer 2. Port(s) Service TCP Three-Way Handshake 20, 21 FTP 22 SSH SYN 23 Telnet SYN/ACK 25 SMTP ACK 53 DNS 80 HTTP DNS converts between IP addresses and domain names. 110 POP3 ARP converts between MAC addresses and IP addresses. 123 NTP NAT converts between public and private IP addresses. 135, 137-139, 445 Windows File Sharing 143 IMAP Devices may use many different wireless technologies to communicate with each other, including: 161/162 SNMP WiFi networks cover medium-range distances, such 443 HTTPS as connecting devices in a building. They are mainly 1433/1434 SQL Server used to connect a computer to a network. 1521 Oracle Bluetooth networks work over a range of approximately 30 feet (10 meters). They are mainly 1720 H.323 used to connect devices to their accessories. 1723 PPTP Near field communication (NFC) technology 3389 RDP works over very short distances (several inches/ 9100 centimeters). NFC is mainly used for payments. HP JetDirect PrintingSSCP Last Minute Review Guide CertMike Domain 6: Network and Communication Security Routers generally work at layer 3 and connect networks Virtual LANs (VLANs) can be used to segment network to each other. Firewalls are the primary network traffic at the switch level as an alternative to more security control used to separate networks of differing expensive physical segmentation. security levels. TLS should be used to secure network communications. SSL is no longer secure. The principle of defense-in-depth says that organizations should use a variety of overlapping Most Virtual Private Networks (VPN) use either TLS security controls to prevent against the failure of a or IPsec. IPsec uses Authentication Headers (AH) to single control. When designing overlapping controls, provide authentication, integrity and nonrepudiation strive for diversity of vendors and control types. and Encapsulating Security Payload (ESP) to provide confidentiality. The most common firewall deployment topology uses three zones: a trusted intranet, an untrusted Internet, Network topology describes the way that systems are and a demilitarized zone (DMZ) that houses publicly arranged on a network. You should be familiar with the accessible servers. These networks are often created five common network topologies shown below: using a triple-homed firewall. Request Issuance Bus Network Ring Network Approval Identity proofing Software-defined networking (SDN) separates the network control plane from the data plane, allowing networks to be dynamically reprogrammed. They Star Network Mesh Network are an element of the infrastructure-as-code (IAC) automation movement and make use of network virtualization and software-defined wide area networks (SD-WAN). SDN allows the extension of the firewall zone model to create very small zones for specific types of devices in a strategy known as micro-segmentation. Tree NetworkSSCP Last Minute Review Guide CertMike Domain 6: Network and Communication Security Split tunnel VPNs only send traffic destined for the Denial of Service (DoS) attacks seek to disrupt normal corporate network through the VPN while full tunnel use of a system by either overwhelming them with VPNs send all traffic through the VPN. traffic or disabling them in some other way. Distributed DoS (DDoS) attacks are DoS attacks that flood their Network Access Control (NAC) systems screen devices victim with traffic from many different sources. Content before allowing them to connect to the network. This delivery networks (CDNs) are an effective control screening may include both user authentication and against DDoS attacks. device health checking. Tool Description Brute force attacks against password systems try to guess all possible passwords. Dictionary attacks Intrusion Detection Monitor a host or network for signs of System intrusion and report to administrators. refine this approach by testing combinations and permutations of dictionary words. Rainbow table Intrusion Prevention Monitor a host or network for signs of System intrusion and attempt to block malicious attacks precompute hash values for use in comparison. traffic automatically. Salting passwords with a random value prior to hashing Security Information Aggregate and correlate security them reduces the effectiveness of rainbow table attacks. & Event Management information received from other systems. System Man-in-the-middle attacks intercept a client's initial Firewall Restricts network traffic to authorized request for a connection to a server and proxy that connections. connection to the real service. The client is unaware Web Application Firewall specifically designed to inspect that they are communicating through a proxy and the Firewall (WAF) web traffic at the application layer. Works attacker can on the communication and in conjunction with a network firewall. inject commands. Application Limits applications to those on an Whitelisting approved list. Replay attacks use stolen authentication credentials to Application Blocks applications on an unapproved list. Blacklisting take over a legitimate user's abandoned session. Sandbox Provides a safe space to run potentially malicious code. The Domain Name System (DNS) converts domain names into IP addresses. DNS poisoning attacks seek to Honeypot System that serves as a decoy to attract attackers. redirect legitimate traffic by inserting false DNS records into a DNS server. Honeynet Unused network designed to capture probing traffic. The Internet of Things (loT) involves the connection of VPN Concentrator Provides a central aggregation point for VPN connections. millions of consumer, industrial, and other automation devices to networks for monitoring and control purposes. Proxy Server Makes requests to other servers on behalf of an end user, providing anonymization and performance enhancement. Data Loss Prevention Blocks the exfiltration of sensitive information from an organization. Mail Gatevay Screen inbound messages for malicious content.SSCP Last Minute Review Guide CertMike Domain 7: Systems and Application Security Malware comes in many different forms. You should Endpoint Detection and Response (EDR) platforms be able to review a scenario and identify the type of provide a consistent and consolidated solution for malware involved. Major malware types include: detecting, containing, and responding to endpoint security incidents. Malware Type Description Zero day attacks exploit vulnerabilities that are not yet Virus Spreads between systems based upon some user action. known to the security community. They are often used by sophisticated advanced persistent threat (APT) Worm Spreads between systems by exploiting attackers. vulnerabilities; no user action required. Trojan Horse Masquerades as desirable software to trick user Social engineering attacks use phishing and other into installing it. communications techniques to trick users into Scareware Malware that tricks users into visiting malicious websites, often by threatening them that their revealing sensitive information or granting unauthorized system has been infected with malware. They access to systems. These attacks typically rely upon are typically web-based threats. impersonating someone with authority, such as a Fileless Malware that exists entirely in memory, usually senior executive or customer. written using a scripting language, such as Visual Basic for Applications. Code repositories provide collaborative development Spyware Monitors user activity, such as keystrokes tools and version control. They must be protected and web visits. against unauthorized access. Ransomware Encrypts user files and demands a ransom before releasing the key. Code signing uses digital signatures to demonstrate the Logic Bomb Waits until certain conditions are met before authenticity of code to users installing it on their systems. triggering a malicious action. When developing new systems, organizations move Rootkit Elevates privileges of a normal user to gain them through a four-stage process using different administrative rights. environments: Backdoor Provides an unauthorized mechanism for 1.Development environments are where developers accessing a system. create and modify the system. 2.Test environments are where the system is tested. If Anti-malware scanners serve as a defense against flaws are discovered, it is returned to development. malicious code by implementing signature detection 3.Staging environments are where approved code is to look for patterns of known malicious activity and placed, awaiting release to production. behavioral analytics to look for deviations from normal 4.Production environments contain systems that are system or user activity using machine learning, artificial currently serving customer needs. intelligence and data analytics techniques. Sandboxing provides a safe execution environment for testing suspicious code for signs of malicious activity.SSCP Last Minute Review Guide CertMike Domain 7: Systems and Application Security Enterprises may deploy mobile devices in a variety of models. In a strict corporate-owned model, devices are Deployment Model Description for business use only. Users mix personal and business Public Services offered to any customer in a shared use in a bring your own device (BYOD) or corporate environment. owned, personally enabled (COPE) model. Companies Private Services operated for a single customer in a should use mobile device management (MDM) and dedicated environment. mobile application management (MAM) tools to enforce a variety of mobile security controls, including: Hybrid Strategy mixing the use of public and private cloud resources. Restricting applications Community Services offered to members of a closed Remote wiping of lost/stolen devices group of customers. Geolocation and geofencing services Screen locking and password/PIN requirements Whole disk encryption Public cloud environments are built upon the principle of multitenancy meaning that many different customers When managing security of a system, keep in mind the may simultaneously use the same shared platform. The following operating system security principles: core design features of multitenancy are isolation, Disable unnecessary services and applications security, and performance. Close unneeded network ports Disable default accounts and passwords The primary mechanisms for delivering cloud compute Apply all security patches resources include virtual machines, serverless computing, and containers. Cloud computing is any case where computing services are being delivered to a customer at a remote location over Block storage provides virtual disk volumes for use by a network. The key characteristics of the cloud include: virtual machines. Object storage is less expensive and On-demand self-service computing allows us to store files as individual objects but can't be Broad network access directly mounted by an operating system. Multitenancy Rapid elasticity and scalability Cloud networks are highly virtualized and configurable, Resource pooling allowing customers to meet their unique business and Measured service security requirements. Virtual private clouds (VPCs) are similar to VLANs on a physical network. Cloud resources may be rapidly provisioned and released with minimal service provider interaction. Interoperability is the desire for compatibility of Service Category Description services between cloud service providers. Portability is the ability to move workloads between Infrastructure as a Cloud provider offers customers basic building Service (laaS) blocks of compute, storage, and networking. providers with minimal effort. Containerization supports portability by packaging Platform as a Cloud provider offers customers a platform workloads in a standardized manner. Service (PaaS) upon which they can execute their own code. Software as a Cloud provider offers customers a complete Resilency is the ability of a cloud service to withstand Service (SaaS) application, ready to use and delivered over the Internet. potentially disruptive events.SSCP Last Minute Review Guide CertMike Domain 7: Systems and Application Security When implementing a cloud database, designers have Availability is the percentage of the time that a service three options: is operating normally. Increased resiliency drives 1. Build their own database server on an laaS platform increased availability. Organizations may formalize 2. Use a managed PaaS database running a traditional availability requirements in written Service Level DBMS Agreements (SLAs). 3. Use a cloud-native database platform Virtual machines allow us to run multiple operating Cloud orchestration allows the automation of system instances on a single physical server. In a administrative tasks including the creation of virtualized environment, the hypervisor is responsible workloads, assignment of permissions, and provisioning for enforcing isolation. of accounts. This builds upon the concept of Infrastructure as Code. Type 1 Hypervisor Security in the cloud follows the shared responsibility model where vendors and customers have different responsibilities depending upon the category of cloud Guest Virtual Guest Virtual Guest Virtual service. Machine Machine Machine Hypervisor laaS PaaS SaaS Physical Hardware Data Data Data Application Application Application Type 2 Hypervisor os os os Guest Virtual Guest Virtual Guest Virtual Machine Machine Machine Hardware Hardware Hardware Other Applications Hypervisor Other Applications Data Center Data Center Data Center Host Operating System Customer Vendor Physical Hardware Responsibilities Responsibilities You can control access to cloud resources through ISO 27017 offers an international standard for cloud the use of network security groups which implement computing security that organizations may voluntarily firewall-like functionality. adopt. PCI DSS is a set of mandatory security requirements for organizations involved in credit card processing.SSCP Last Minute Review Guide CertMike Domain 7: Systems and Application Security Federal government agencies require that services they Master Service Agreements (MSA) are used use be certified under the Common Criteria and to create umbrella relationships with specific that encryption used to support them be compliant with engagements documented in Statements of Work FIPS 140-2. that refer to the MSA. When working with cloud vendors, ensure that vendor's Understand the overlapping jurisdictions that apply security policies and controls execute at least the same to a cloud relationship based upon the location of the degree of care that you would conduct internally. The customer, service provider, and information subjects. vendor management lifecycle follows vendors from selection through termination: Vendor Selection Offboarding Onboarding Monitoring Customers should document their vendor relationships using a variety of agreements: Service Level Requirements (SLR) document specific requirements that a customer has about any aspect of a vendor's service performance Service Level Agreements (SLA) document the SLRs in a written contract. Memorandums of Understanding (MOU) are used to document relationships in a less formal manner. Business Partnership Agreements (BPA) document the parameters of a business partnership.
