Nicht aus der Schweiz? Besuchen Sie lehmanns.de
CCNA Cybersecurity Operations Course Booklet -  Cisco Networking Academy

CCNA Cybersecurity Operations Course Booklet

Buch | Softcover
336 Seiten
2018
Cisco Press (Verlag)
978-1-58713-437-1 (ISBN)
CHF 49,95 inkl. MwSt
Your Cisco Networking Academy Course Booklet is designed as a study resource you can easily read, highlight, and review on the go, wherever the Internet is not available or practical:
- The text is extracted directly, word-for-word, from the online course so you can highlight important points and take notes in the “Your Chapter Notes” section.
- Headings with the exact page correlations provide a quick reference to the online course for your classroom discussions and exam preparation.
- An icon system directs you to the online curriculum to take full advantage of the images embedded within the Networking Academy online course interface and reminds you to perform the labs, Class Activities, interactive activities, Packet Tracer activities, watch videos, and take the chapter quizzes and exams.

The Course Booklet is a basic, economical paper-based resource to help you succeed with the Cisco Networking Academy online course.

Cisco Networking Academy is an innovative Cisco education initiative that delivers information and communication technology skills to improve career and economic opportunities around the world. The Academy provides online courses, interactive tools, and lab activities to prepare individuals for information technology and networking careers in virtually every industry.

Chapter 0 Course Introduction 1

0.0 Welcome to CCNA: Cybersecurity Operations 1

0.0.1 Message to the Student 1

Chapter 1 Cybersecurity and the Security Operations Center 5

1.0 Introduction 5

1.1 The Danger 5

1.1.1 War Stories 5

1.1.1.1 Hijacked People 5

1.1.1.2 Ransomed Companies 5

1.1.1.3 Targeted Nations 6

1.1.1.4 Lab - Installing the CyberOps Workstation Virtual Machine 6

1.1.1.5 Lab - Cybersecurity Case Studies 6

1.1.2 Threat Actors 6

1.1.2.1 Amateurs 6

1.1.2.2 Hacktivists 7

1.1.2.3 Financial Gain 7

1.1.2.4 Trade Secrets and Global Politics 7

1.1.2.5 How Secure is the Internet of Things? 7

1.1.2.6 Lab - Learning the Details of Attacks 7

1.1.3 Threat Impact 8

1.1.3.1 PII and PHI 8

1.1.3.2 Lost Competitive Advantage 8

1.1.3.3 Politics and National Security 8

1.1.3.4 Lab - Visualizing the Black Hats 9

1.2 Fighters in the War Against Cybercrime 9

1.2.1 The Modern Security Operations Center 9

1.2.1.1 Elements of a SOC 9

1.2.1.2 People in the SOC 9

1.2.1.3 Process in the SOC 10

1.2.1.4 Technologies in the SOC 10

1.2.1.5 Enterprise and Managed Security 10

1.2.1.6 Security vs. Availability 11

1.2.1.7 Activity - Identify the SOC Terminology 11

1.2.2 Becoming a Defender 11

1.2.2.1 Certifications 11

1.2.2.2 Further Education 12

1.2.2.3 Sources of Career Information 12

1.2.2.4 Getting Experience 13

1.2.2.5 Lab - Becoming a Defender 13

1.3 Summary 13

Chapter 2 Windows Operating System 17

2.0 Introduction 17

2.1 Windows Overview 17

2.1.1 Windows History 17

2.1.1.1 Disk Operating System 17

2.1.1.2 Windows Versions 18

2.1.1.3 Windows GUI 19

2.1.1.4 Operating System Vulnerabilities 19

2.1.2 Windows Architecture and Operations 20

2.1.2.1 Hardware Abstraction Layer 20

2.1.2.2 User Mode and Kernel Mode 21

2.1.2.3 Windows File Systems 21

2.1.2.4 Windows Boot Process 23

2.1.2.5 Windows Startup and Shutdown 24

2.1.2.6 Processes, Threads, and Services 25

2.1.2.7 Memory Allocation and Handles 25

2.1.2.8 The Windows Registry 26

2.1.2.9 Activity - Identify the Windows Registry Hive 27

2.1.2.10 Lab - Exploring Processes, Threads, Handles, and Windows Registry 27

2.2 Windows Administration 27

2.2.1 Windows Configuration and Monitoring 27

2.2.1.1 Run as Administrator 27

2.2.1.2 Local Users and Domains 27

2.2.1.3 CLI and PowerShell 28

2.2.1.4 Windows Management Instrumentation 29

2.2.1.5 The net Command 30

2.2.1.6 Task Manager and Resource Monitor 30

2.2.1.7 Networking 31

2.2.1.8 Accessing Network Resources 33

2.2.1.9 Windows Server 33

2.2.1.10 Lab - Create User Accounts 34

2.2.1.11 Lab - Using Windows PowerShell 34

2.2.1.12 Lab - Windows Task Manager 34

2.2.1.13 Lab - Monitor and Manage System Resources in Windows 34

2.2.2 Windows Security 34

2.2.2.1 The netstat Command 34

2.2.2.2 Event Viewer 35

2.2.2.3 Windows Update Management 35

2.2.2.4 Local Security Policy 35

2.2.2.5 Windows Defender 36

2.2.2.6 Windows Firewall 37

2.2.2.7 Activity - Identify the Windows Command 37

2.2.2.8 Activity - Identify the Windows Tool 37

2.3 Summary 37

Chapter 3 Linux Operating System 41

3.0 Introduction 41

3.1 Linux Overview 41

3.1.1 Linux Basics 41

3.1.1.1 What is Linux? 41

3.1.1.2 The Value of Linux 42

3.1.1.3 Linux in the SOC 42

3.1.1.4 Linux Tools 43

3.1.2 Working in the Linux Shell 43

3.1.2.1 The Linux Shell 43

3.1.2.2 Basic Commands 43

3.1.2.3 File and Directory Commands 44

3.1.2.4 Working with Text Files 44

3.1.2.5 The Importance of Text Files in Linux 44

3.1.2.6 Lab - Working with Text Files in the CLI 45

3.1.2.7 Lab - Getting Familiar with the Linux Shell 45

3.1.3 Linux Servers and Clients 45

3.1.3.1 An Introduction to Client-Server Communications 45

3.1.3.2 Servers, Services, and Their Ports 45

3.1.3.3 Clients 45

3.1.3.4 Lab - Linux Servers 45

3.2 Linux Administration 46

3.2.1 Basic Server Administration 46

3.2.1.1 Service Configuration Files 46

3.2.1.2 Hardening Devices 46

3.2.1.3 Monitoring Service Logs 47

3.2.1.4 Lab - Locating Log Files 48

3.2.2 The Linux File System 48

3.2.2.1 The File System Types in Linux 48

3.2.2.2 Linux Roles and File Permissions 49

3.2.2.3 Hard Links and Symbolic Links 50

3.2.2.4 Lab - Navigating the Linux Filesystem and Permission Settings 50

3.3 Linux Hosts 51

3.3.1 Working with the Linux GUI 51

3.3.1.1 X Window System 51

3.3.1.2 The Linux GUI 51

3.3.2 Working on a Linux Host 52

3.3.2.1 Installing and Running Applications on a Linux Host 52

3.3.2.2 Keeping the System Up To Date 52

3.3.2.3 Processes and Forks 52

3.3.2.4 Malware on a Linux Host 53

3.3.2.5 Rootkit Check 54

3.3.2.6 Piping Commands 54

3.3.2.7 Video Demonstration - Applications, Rootkits, and Piping Commands 55

3.4 Summary 55

Chapter 4 Network Protocols and Services 59

4.0 Introduction 59

4.1 Network Protocols 59

4.1.1 Network Communications Process 59

4.1.1.1 Views of the Network 59

4.1.1.2 Client-Server Communications 60

4.1.1.3 A Typical Session: Student 60

4.1.1.4 A Typical Session: Gamer 61

4.1.1.5 A Typical Session: Surgeon 61

4.1.1.6 Tracing the Path 62

4.1.1.7 Lab - Tracing a Route 62

4.1.2 Communications Protocols 62

4.1.2.1 What are Protocols? 62

4.1.2.2 Network Protocol Suites 63

4.1.2.3 The TCP/IP Protocol Suite 63

4.1.2.4 Format, Size, and Timing 64

4.1.2.5 Unicast, Multicast, and Broadcast 64

4.1.2.6 Reference Models 65

4.1.2.7 Three Addresses 65

4.1.2.8 Encapsulation 65

4.1.2.9 Scenario: Sending and Receiving a Web Page 66

4.1.2.10 Lab - Introduction to Wireshark 67

4.2 Ethernet and Internet Protocol (IP) 67

4.2.1 Ethernet 67

4.2.1.1 The Ethernet Protocol 67

4.2.1.2 The Ethernet Frame 68

4.2.1.3 MAC Address Format 68

4.2.1.4 Activity - Ethernet Frame Fields 68

4.2.2 IPv4 68

4.2.2.1 IPv4 Encapsulation 68

4.2.2.2 IPv4 Characteristics 69

4.2.2.3 Activity - IPv4 Characteristics 70

4.2.2.4 The IPv4 Packet 70

4.2.2.5 Video Demonstration - Sample IPv4 Headers in Wireshark 70

4.2.3 IPv4 Addressing Basics 70

4.2.3.1 IPv4 Address Notation 70

4.2.3.2 IPv4 Host Address Structure 70

4.2.3.3 IPv4 Subnet Mask and Network Address 71

4.2.3.4 Subnetting Broadcast Domains 71

4.2.3.5 Video Demonstration - Network, Host, and Broadcast Addresses 72

4.2.4 Types of IPv4 Addresses 72

4.2.4.1 IPv4 Address Classes and Default Subnet Masks 72

4.2.4.2 Reserved Private Addresses 73

4.2.5 The Default Gateway 73

4.2.5.1 Host Forwarding Decision 73

4.2.5.2 Default Gateway 74

4.2.5.3 Using the Default Gateway 74

4.2.6 IPv6 75

4.2.6.1 Need for IPv6 75

4.2.6.2 IPv6 Size and Representation 75

4.2.6.3 IPv6 Address Formatting 75

4.2.6.4 IPv6 Prefix Length 76

4.2.6.5 Activity - IPv6 Address Notation 76

4.2.6.6 Video Tutorial - Layer 2 and Layer 3 Addressing 76

4.3 Connectivity Verification 76

4.3.1 ICMP 76

4.3.1.1 ICMPv4 Messages 76

4.3.1.2 ICMPv6 RS and RA Messages 77

4.3.2 Ping and Traceroute Utilities 78

4.3.2.1 Ping - Testing the Local Stack 78

4.3.2.2 Ping - Testing Connectivity to the Local LAN 79

4.3.2.3 Ping - Testing Connectivity to Remote Host 79

4.3.2.4 Traceroute - Testing the Path 80

4.3.2.5 ICMP Packet Format 80

4.4 Address Resolution Protocol 81

4.4.1 MAC and IP 81

4.4.1.1 Destination on Same Network 81

4.4.1.2 Destination on Remote Network 82

4.4.2 ARP 82

4.4.2.1 Introduction to ARP 82

4.4.2.2 ARP Functions 82

4.4.2.3 Video - ARP Operation - ARP Request 83

4.4.2.4 Video - ARP Operation - ARP Reply 84

4.4.2.5 Video - ARP Role in Remote Communication 84

4.4.2.6 Removing Entries from an ARP Table 85

4.4.2.7 ARP Tables on Networking Devices 85

4.4.2.8 Lab - Using Wireshark to Examine Ethernet Frames 85

4.4.3 ARP Issues 85

4.4.3.1 ARP Broadcasts 85

4.4.3.2 ARP Spoofing 86

4.5 The Transport Layer 86

4.5.1 Transport Layer Characteristics 86

4.5.1.1 Transport Layer Protocol Role in Network Communication 86

4.5.1.2 Transport Layer Mechanisms 87

4.5.1.3 TCP Local and Remote Ports 87

4.5.1.4 Socket Pairs 88

4.5.1.5 TCP vs UDP 88

4.5.1.6 TCP and UDP Headers 89

4.5.1.7 Activity - Compare TCP and UDP Characteristics 90

4.5.2 Transport Layer Operation 90

4.5.2.1 TCP Port Allocation 90

4.5.2.2 A TCP Session Part I: Connection Establishment and Termination 91

4.5.2.3 Video Demonstration - TCP 3-Way Handshake 92

4.5.2.4 Lab - Using Wireshark to Observe the TCP 3-Way Handshake 92

4.5.2.5 Activity - TCP Connection and Termination Process 92

4.5.2.6 A TCP Session Part II: Data Transfer 92

4.5.2.7 Video Demonstration - Sequence Numbers and Acknowledgments 94

4.5.2.8 Video Demonstration - Data Loss and Retransmission 94

4.5.2.9 A UDP Session 94

4.5.2.10 Lab - Exploring Nmap 95

4.6 Network Services 95

4.6.1 DHCP 95

4.6.1.1 DHCP Overview 95

4.6.1.2 DHCPv4 Message Format 96

4.6.2 DNS 97

4.6.2.1 DNS Overview 97

4.6.2.2 The DNS Domain Hierarchy 97

4.6.2.3 The DNS Lookup Process 97

4.6.2.4 DNS Message Format 98

4.6.2.5 Dynamic DNS 99

4.6.2.6 The WHOIS Protocol 99

4.6.2.7 Lab - Using Wireshark to Examine a UDP DNS Capture 100

4.6.3 NAT 100

4.6.3.1 NAT Overview 100

4.6.3.2 NAT-Enabled Routers 100

4.6.3.3 Port Address Translation 100

4.6.4 File Transfer and Sharing Services 101

4.6.4.1 FTP and TFTP 101

4.6.4.2 SMB 102

4.6.4.3 Lab - Using Wireshark to Examine TCP and UDP Captures 102

4.6.5 Email 102

4.6.5.1 Email Overview 102

4.6.5.2 SMTP 102

4.6.5.3 POP3 103

4.6.5.4 IMAP 103

4.6.6 HTTP 103

4.6.6.1 HTTP Overview 103

4.6.6.2 The HTTP URL 104

4.6.6.3 The HTTP Protocol 104

4.6.6.4 HTTP Status Codes 105

4.6.6.5 Lab - Using Wireshark to Examine HTTP and HTTPS Traffic 105

4.7 Summary 105

Chapter 5 Network Infrastructure 109

5.0 Introduction 109

5.1 Network Communication Devices 109

5.1.1 Network Devices 109

5.1.1.1 End Devices 109

5.1.1.2 Video Tutorial - End Devices 109

5.1.1.3 Routers 110

5.1.1.4 Activity - Match Layer 2 and Layer 3 Addressing 110

5.1.1.5 Router Operation 110

5.1.1.6 Routing Information 111

5.1.1.7 Video Tutorial - Static and Dynamic Routing 112

5.1.1.8 Hubs, Bridges, LAN Switches 112

5.1.1.9 Switching Operation 113

5.1.1.10 Video Tutorial - MAC Address Tables on Connected Switches 114

5.1.1.11 VLANs 114

5.1.1.12 STP 114

5.1.1.13 Multilayer Switching 115

5.1.2 Wireless Communications 116

5.1.2.1 Video Tutorial - Wireless Communications 116

5.1.2.2 Protocols and Features 116

5.1.2.3 Wireless Network Operations 117

5.1.2.4 The Client to AP Association Process 118

5.1.2.5 Activity - Order the Steps in the Client and AP Association Process 119

5.1.2.6 Wireless Devices - AP, LWAP, WLC 119

5.1.2.7 Activity - Identify the LAN Device 119

5.2 Network Security Infrastructure 120

5.2.1 Security Devices 120

5.2.1.1 Video Tutorial - Security Devices 120

5.2.1.2 Firewalls 120

5.2.1.3 Firewall Type Descriptions 120

5.2.1.4 Packet Filtering Firewalls 121

5.2.1.5 Stateful Firewalls 121

5.2.1.6 Next-Generation Firewalls 121

5.2.1.7 Activity - Identify the Type of Firewall 122

5.2.1.8 Intrusion Protection and Detection Devices 122

5.2.1.9 Advantages and Disadvantages of IDS and IPS 122

5.2.1.10 Types of IPS 123

5.2.1.11 Specialized Security Appliances 124

5.2.1.12 Activity - Compare IDS and IPS Characteristics 125

5.2.2 Security Services 125

5.2.2.1 Video Tutorial - Security Services 125

5.2.2.2 Traffic Control with ACLs 125

5.2.2.3 ACLs: Important Features 126

5.2.2.4 Packet Tracer - ACL Demonstration 126

5.2.2.5 SNMP 126

5.2.2.6 NetFlow 127

5.2.2.7 Port Mirroring 127

5.2.2.8 Syslog Servers 128

5.2.2.9 NTP 128

5.2.2.10 AAA Servers 129

5.2.2.11 VPN 130

5.2.2.12 Activity - Identify the Network Security Device or Service 130

5.3 Network Representations 130

5.3.1 Network Topologies 130

5.3.1.1 Overview of Network Components 130

5.3.1.2 Physical and Logical Topologies 131

5.3.1.3 WAN Topologies 131

5.3.1.4 LAN Topologies 131

5.3.1.5 The Three-Layer Network Design Model 132

5.3.1.6 Video Tutorial - Three-Layer Network Design 132

5.3.1.7 Common Security Architectures 133

5.3.1.8 Activity - Identify the Network Topology 134

5.3.1.9 Activity - Identify the Network Design Terminology 134

5.3.1.10 Packet Tracer - Identify Packet Flow 134

5.4 Summary 134

Chapter 6 Principles of Network Security 137

6.0 Introduction 137

6.1 Attackers and Their Tools 137

6.1.1 Who is Attacking Our Network? 137

6.1.1.1 Threat, Vulnerability, and Risk 137

6.1.1.2 Hacker vs. Threat Actor 138

6.1.1.3 Evolution of Threat Actors 138

6.1.1.4 Cybercriminals 139

6.1.1.5 Cybersecurity Tasks 139

6.1.1.6 Cyber Threat Indicators 139

6.1.1.7 Activity - What Color is my Hat? 140

6.1.2 Threat Actor Tools 140

6.1.2.1 Introduction of Attack Tools 140

6.1.2.2 Evolution of Security Tools 140

6.1.2.3 Categories of Attacks 141

6.1.2.4 Activity - Classify Hacking Tools 141

6.2 Common Threats and Attacks 141

6.2.1 Malware 141

6.2.1.1 Types of Malware 141

6.2.1.2 Viruses 141

6.2.1.3 Trojan Horses 141

6.2.1.4 Trojan Horse Classification 142

6.2.1.5 Worms 142

6.2.1.6 Worm Components 143

6.2.1.7 Ransomware 143

6.2.1.8 Other Malware 144

6.2.1.9 Common Malware Behaviors 144

6.2.1.10 Activity - Identify the Malware Type 145

6.2.1.11 Lab - Anatomy of Malware 145

6.2.2 Common Network Attacks 145

6.2.2.1 Types of Network Attacks 145

6.2.2.2 Reconnaissance Attacks 145

6.2.2.3 Sample Reconnaissance Attacks 146

6.2.2.4 Access Attacks 146

6.2.2.5 Types of Access Attacks 147

6.2.2.6 Social Engineering Attacks 147

6.2.2.7 Phishing Social Engineering Attacks 148

6.2.2.8 Strengthening the Weakest Link 149

6.2.2.9 Lab - Social Engineering 149

6.2.2.10 Denial of Service Attacks 149

6.2.2.11 DDoS Attacks 149

6.2.2.12 Example DDoS Attack 150

6.2.2.13 Buffer Overflow Attack 150

6.2.2.14 Evasion Methods 151

6.2.2.15 Activity - Identify the Types of Network Attack 151

6.2.2.16 Activity - Components of a DDoS Attack 151

6.3 Summary 152

Chapter 7 Network Attacks: A Deeper Look 155

7.0 Introduction 155

7.1 Attackers and Their Tools 155

7.1.1 Who is Attacking Our Network? 155

7.1.1.1 Network Security Topology 155

7.1.1.2 Monitoring the Network 156

7.1.1.3 Network Taps 156

7.1.1.4 Traffic Mirroring and SPAN 156

7.1.2 Introduction to Network Monitoring Tools 157

7.1.2.1 Network Security Monitoring Tools 157

7.1.2.2 Network Protocol Analyzers 157

7.1.2.3 NetFlow 158

7.1.2.4 SIEM 159

7.1.2.5 SIEM Systems 159

7.1.2.6 Activity - Identify the Network Monitoring Tool 159

7.1.2.7 Packet Tracer - Logging Network Activity 159

7.2 Attacking the Foundation 160

7.2.1 IP Vulnerabilities and Threats 160

7.2.1.1 IPv4 and IPv6 160

7.2.1.2 The IPv4 Packet Header 160

7.2.1.3 The IPv6 Packet Header 161

7.2.1.4 IP Vulnerabilities 161

7.2.1.5 ICMP Attacks 162

7.2.1.6 DoS Attacks 163

7.2.1.7 Amplification and Reflection Attacks 163

7.2.1.8 DDoS Attacks 163

7.2.1.9 Address Spoofing Attacks 164

7.2.1.10 Activity - Identify the IP Vulnerability 164

7.2.1.11 Lab - Observing a DDoS Attack 164

7.2.2 TCP and UDP Vulnerabilities 165

7.2.2.1 TCP 165

7.2.2.2 TCP Attacks 165

7.2.2.3 UDP and UDP Attacks 166

7.2.2.4 Lab - Observing TCP Anomalies 166

7.3 Attacking What We Do 167

7.3.1 IP Services 167

7.3.1.1 ARP Vulnerabilities 167

7.3.1.2 ARP Cache Poisoning 167

7.3.1.3 DNS Attacks 168

7.3.1.4 DNS Tunneling 169

7.3.1.5 DHCP 169

7.3.1.6 Lab - Exploring DNS Traffic 170

7.3.2 Enterprise Services 170

7.3.2.1 HTTP and HTTPS 170

7.3.2.2 Email 173

7.3.2.3 Web-Exposed Databases 174

7.3.2.4 Lab - Attacking a MySQL Database 176

7.3.2.5 Lab - Reading Server Logs 176

7.3.2.6 Lab - Reading Server Logs 176

7.4 Summary 176

Chapter 8 Protecting the Network 179

8.0 Introduction 179

8.1 Understanding Defense 179

8.1.1 Defense-in-Depth 179

8.1.1.1 Assets, Vulnerabilities, Threats 179

8.1.1.2 Identify Assets 179

8.1.1.3 Identify Vulnerabilities 180

8.1.1.4 Identify Threats 181

8.1.1.5 Security Onion and Security Artichoke Approaches 181

8.1.2 Security Policies 182

8.1.2.1 Business Policies 182

8.1.2.2 Security Policy 182

8.1.2.3 BYOD Policies 183

8.1.2.4 Regulatory and Standard Compliance 184

8.2 Access Control 184

8.2.1 Access Control Concepts 184

8.2.1.1 Communications Security: CIA 184

8.2.1.2 Access Control Models 185

8.2.1.3 Activity - Identify the Access Control Model 185

8.2.2 AAA Usage and Operation 185

8.2.2.1 AAA Operation 185

8.2.2.2 AAA Authentication 186

8.2.2.3 AAA Accounting Logs 187

8.2.2.4 Activity - Identify the Characteristic of AAA 187

8.3 Threat Intelligence 187

8.3.1 Information Sources 187

8.3.1.1 Network Intelligence Communities 187

8.3.1.2 Cisco Cybersecurity Reports 188

8.3.1.3 Security Blogs and Podcasts 188

8.3.2 Threat Intelligence Services 188

8.3.2.1 Cisco Talos 188

8.3.2.2 FireEye 189

8.3.2.3 Automated Indicator Sharing 189

8.3.2.4 Common Vulnerabilities and Exposures Database 189

8.3.2.5 Threat Intelligence Communication Standards 189

8.3.2.6 Activity - Identify the Threat Intelligence Information Source 190

8.4 Summary 190

Chapter 9 Cryptography and the Public Key Infrastructure 193

9.0 Introduction 193

9.1 Cryptography 193

9.1.1 What is Cryptography? 193

9.1.1.1 Securing Communications 193

9.1.1.2 Cryptology 194

9.1.1.3 Cryptography - Ciphers 195

9.1.1.4 Cryptanalysis - Code Breaking 195

9.1.1.5 Keys 196

9.1.1.6 Lab - Encrypting and Decrypting Data Using OpenSSL 197

9.1.1.7 Lab - Encrypting and Decrypting Data Using a Hacker Tool 197

9.1.1.8 Lab - Examining Telnet and SSH in Wireshark 197

9.1.2 Integrity and Authenticity 197

9.1.2.1 Cryptographic Hash Functions 197

9.1.2.2 Cryptographic Hash Operation 198

9.1.2.3 MD5 and SHA 198

9.1.2.4 Hash Message Authentication Code 199

9.1.2.5 Lab - Hashing Things Out 200

9.1.3 Confidentiality 200

9.1.3.1 Encryption 200

9.1.3.2 Symmetric Encryption 200

9.1.3.3 Symmetric Encryption Algorithms 201

9.1.3.4 Asymmetric Encryption Algorithms 202

9.1.3.5 Asymmetric Encryption - Confidentiality 202

9.1.3.6 Asymmetric Encryption - Authentication 203

9.1.3.7 Asymmetric Encryption - Integrity 203

9.1.3.8 Diffie-Hellman 204

9.1.3.9 Activity - Classify the Encryption Algorithms 204

9.2 Public Key Infrastructure 204

9.2.1 Public Key Cryptography 204

9.2.1.1 Using Digital Signatures 204

9.2.1.2 Digital Signatures for Code Signing 206

9.2.1.3 Digital Signatures for Digital Certificates 206

9.2.1.4 Lab - Create a Linux Playground 206

9.2.2 Authorities and the PKI Trust System 206

9.2.2.1 Public Key Management 206

9.2.2.2 The Public Key Infrastructure 207

9.2.2.3 The PKI Authorities System 207

9.2.2.4 The PKI Trust System 208

9.2.2.5 Interoperability of Different PKI Vendors 208

9.2.2.6 Certificate Enrollment, Authentication, and Revocation 209

9.2.2.7 Lab - Certificate Authority Stores 209

9.2.3 Applications and Impacts of Cryptography 210

9.2.3.1 PKI Applications 210

9.2.3.2 Encrypting Network Transactions 210

9.2.3.3 Encryption and Security Monitoring 211

9.3 Summary 212

Chapter 10 Endpoint Security and Analysis 215

10.0 Introduction 215

10.1 Endpoint Protection 215

10.1.1 Antimalware Protection 215

10.1.1.1 Endpoint Threats 215

10.1.1.2 Endpoint Security 216

10.1.1.3 Host-Based Malware Protection 216

10.1.1.4 Network-Based Malware Protection 217

10.1.1.5 Cisco Advanced Malware Protection (AMP) 218

10.1.1.6 Activity - Identify Antimalware Terms and Concepts 218

10.1.2 Host-Based Intrusion Protection 218

10.1.2.1 Host-Based Firewalls 218

10.1.2.2 Host-Based Intrusion Detection 219

10.1.2.3 HIDS Operation 220

10.1.2.4 HIDS Products 220

10.1.2.5 Activity - Identify the Host-Based Intrusion Protection Terminology 220

10.1.3 Application Security 221

10.1.3.1 Attack Surface 221

10.1.3.2 Application Blacklisting and Whitelisting 221

10.1.3.3 System-Based Sandboxing 222

10.1.3.4 Video Demonstration - Using a Sandbox to Launch Malware 222

10.2 Endpoint Vulnerability Assessment 222

10.2.1 Network and Server Profiling 222

10.2.1.1 Network Profiling 222

10.2.1.2 Server Profiling 223

10.2.1.3 Network Anomaly Detection 223

10.2.1.4 Network Vulnerability Testing 224

10.2.1.5 Activity - Identify the Elements of Network Profiling 225

10.2.2 Common Vulnerability Scoring System (CVSS) 225

10.2.2.1 CVSS Overview 225

10.2.2.2 CVSS Metric Groups 225

10.2.2.3 CVSS Base Metric Group 226

10.2.2.4 The CVSS Process 226

10.2.2.5 CVSS Reports 227

10.2.2.6 Other Vulnerability Information Sources 227

10.2.2.7 Activity - Identify CVSS Metrics 228

10.2.3 Compliance Frameworks 228

10.2.3.1 Compliance Regulations 228

10.2.3.2 Overview of Regulatory Standards 228

10.2.3.3 Activity - Identify Regulatory Standards 229

10.2.4 Secure Device Management 230

10.2.4.1 Risk Management 230

10.2.4.2 Activity - Identify the Risk Response 231

10.2.4.3 Vulnerability Management 231

10.2.4.4 Asset Management 231

10.2.4.5 Mobile Device Management 232

10.2.4.6 Configuration Management 232

10.2.4.7 Enterprise Patch Management 233

10.2.4.8 Patch Management Techniques 233

10.2.4.9 Activity - Identify Device Management Activities 234

10.2.5 Information Security Management Systems 234

10.2.5.1 Security Management Systems 234

10.2.5.2 ISO-27001 234

10.2.5.3 NIST Cybersecurity Framework 234

10.2.5.4 Activity - Identify the ISO 27001 Activity Cycle 235

10.2.5.5 Activity - Identify the Stages in the NIST Cybersecurity Framework 235

10.3 Summary 235

Chapter 11 Security Monitoring 239

11.0 Introduction 239

11.1 Technologies and Protocols 239

11.1.1 Monitoring Common Protocols 239

11.1.1.1 Syslog and NTP 239

11.1.1.2 NTP 240

11.1.1.3 DNS 240

11.1.1.4 HTTP and HTTPS 241

11.1.1.5 Email Protocols 241

11.1.1.6 ICMP 242

11.1.1.7 Activity - Identify the Monitored Protocol 242

11.1.2 Security Technologies 242

11.1.2.1 ACLs 242

11.1.2.2 NAT and PAT 242

11.1.2.3 Encryption, Encapsulation, and Tunneling 243

11.1.2.4 Peer-to-Peer Networking and Tor 243

11.1.2.5 Load Balancing 244

11.1.2.6 Activity - Identify the Impact of the Technology on Security and Monitoring 244

11.2 Log Files 244

11.2.1 Types of Security Data 244

11.2.1.1 Alert Data 244

11.2.1.2 Session and Transaction Data 245

11.2.1.3 Full Packet Captures 245

11.2.1.4 Statistical Data 246

11.2.1.5 Activity - Identify Types of Network Monitoring Data 246

11.2.2 End Device Logs 246

11.2.2.1 Host Logs 246

11.2.2.2 Syslog 247

11.2.2.3 Server Logs 248

11.2.2.4 Apache Webserver Access Logs 248

11.2.2.5 IIS Access Logs 249

11.2.2.6 SIEM and Log Collection 249

11.2.2.7 Activity - Identify Information in Logged Events 250

11.2.3 Network Logs 250

11.2.3.1 Tcpdump 250

11.2.3.2 NetFlow 250

11.2.3.3 Application Visibility and Control 251

11.2.3.4 Content Filter Logs 251

11.2.3.5 Logging from Cisco Devices 252

11.2.3.6 Proxy Logs 252

11.2.3.7 NextGen IPS 253

11.2.3.8 Activity - Identify the Security Technology from the Data Description 254

11.2.3.9 Activity - Identify the NextGen IPS Event Type 254

11.2.3.10 Packet Tracer - Explore a NetFlow Implementation 254

11.2.3.11 Packet Tracer - Logging from Multiple Sources 254

11.3 Summary 254

Chapter 12 Intrusion Data Analysis 257

12.0 Introduction 257

12.1 Evaluating Alerts 257

12.1.1 Sources of Alerts 257

12.1.1.1 Security Onion 257

12.1.1.2 Detection Tools for Collecting Alert Data 257

12.1.1.3 Analysis Tools 258

12.1.1.4 Alert Generation 259

12.1.1.5 Rules and Alerts 260

12.1.1.6 Snort Rule Structure 260

12.1.1.7 Lab - Snort and Firewall Rules 261

12.1.2 Overview of Alert Evaluation 262

12.1.2.1 The Need for Alert Evaluation 262

12.1.2.2 Evaluating Alerts 262

12.1.2.3 Deterministic Analysis and Probabilistic Analysis 263

12.1.2.4 Activity - Identify Deterministic and Probabilistic Scenarios 264

12.1.2.5 Activity - Identify the Alert Classification 264

12.2 Working with Network Security Data 264

12.2.1 A Common Data Platform 264

12.2.1.1 ELSA 264

12.2.1.2 Data Reduction 264

12.2.1.3 Data Normalization 265

12.2.1.4 Data Archiving 265

12.2.1.5 Lab - Convert Data into a Universal Format 266

12.2.1.6 Investigating Process or API Calls 266

12.2.2 Investigating Network Data 266

12.2.2.1 Working in Sguil 266

12.2.2.2 Sguil Queries 267

12.2.2.3 Pivoting from Sguil 267

12.2.2.4 Event Handling in Sguil 268

12.2.2.5 Working in ELSA 268

12.2.2.6 Queries in ELSA 269

12.2.2.7 Investigating Process or API Calls 269

12.2.2.8 Investigating File Details 270

12.2.2.9 Lab - Regular Expression Tutorial 270

12.2.2.10 Lab - Extract an Executable from a PCAP 270

12.2.3 Enhancing the Work of the Cybersecurity Analyst 270

12.2.3.1 Dashboards and Visualizations 270

12.2.3.2 Workflow Management 271

12.3 Digital Forensics 271

12.3.1 Evidence Handling and Attack Attribution 271

12.3.1.1 Digital Forensics 271

12.3.1.2 The Digital Forensics Process 272

12.3.1.3 Types of Evidence 272

12.3.1.4 Evidence Collection Order 273

12.3.1.5 Chain of Custody 273

12.3.1.6 Data Integrity and Preservation 274

12.3.1.7 Attack Attribution 274

12.3.1.8 Activity - Identify the Type of Evidence 275

12.3.1.9 Activity - Identify the Forensic Technique Terminology 275

12.4 Summary 275

Chapter 13 Incident Response and Handling 277

13.0 Introduction 277

13.1 Incident Response Models 277

13.1.1 The Cyber Kill Chain 277

13.1.1.1 Steps of the Cyber Kill Chain 277

13.1.1.2 Reconnaissance 278

13.1.1.3 Weaponization 278

13.1.1.4 Delivery 278

13.1.1.5 Exploitation 279

13.1.1.6 Installation 279

13.1.1.7 Command and Control 279

13.1.1.8 Actions on Objectives 279

13.1.1.9 Activity - Identify the Kill Chain Step 279

13.1.2 The Diamond Model of Intrusion 280

13.1.2.1 Diamond Model Overview 280

13.1.2.2 Pivoting Across the Diamond Model 280

13.1.2.3 The Diamond Model and the Cyber Kill Chain 281

13.1.2.4 Activity - Identify the Diamond Model Features 282

13.1.3 The VERIS Schema 282

13.1.3.1 What is the VERIS Schema? 282

13.1.3.2 Create a VERIS Record 282

13.1.3.3 Top-Level and Second-Level Elements 283

13.1.3.4 The VERIS Community Database 285

13.1.3.5 Activity - Apply the VERIS Schema to an Incident 285

13.2 Incident Handling 285

13.2.1 CSIRTs 285

13.2.1.1 CSIRT Overview 285

13.2.1.2 Types of CSIRTs 286

13.2.1.3 CERT 286

13.2.1.4 Activity - Match the CSIRT with the CSIRT Goal 287

13.2.2 NIST 800-61r2 287

13.2.2.1 Establishing an Incident Response Capability 287

13.2.2.2 Incident Response Stakeholders 288

13.2.2.3 NIST Incident Response Life Cycle 288

13.2.2.4 Preparation 289

13.2.2.5 Detection and Analysis 290

13.2.2.6 Containment, Eradication, and Recovery 291

13.2.2.7 Post-Incident Activities 293

13.2.2.8 Incident Data Collection and Retention 294

13.2.2.9 Reporting Requirements and Information Sharing 295

13.2.2.10 Activity - Identify the Incident Response Plan Elements 296

13.2.2.11 Activity - Identify the Incident Handling Term 296

13.2.2.12 Activity - Identify the Incident Handling Step 296

13.2.2.13 Lab - Incident Handling 296

13.3 Summary 296



9781587134371 TOC 3/7/2018

Erscheinungsdatum
Reihe/Serie Course Booklets
Verlagsort Indianapolis
Sprache englisch
Maße 216 x 276 mm
Gewicht 705 g
Themenwelt Mathematik / Informatik Informatik Datenbanken
Mathematik / Informatik Informatik Netzwerke
Informatik Weitere Themen Zertifizierung
ISBN-10 1-58713-437-3 / 1587134373
ISBN-13 978-1-58713-437-1 / 9781587134371
Zustand Neuware
Haben Sie eine Frage zum Produkt?
Mehr entdecken
aus dem Bereich