Copyright © 2018 by McGraw-Hill Education. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN: 978-1-26-001180-7
MHID: 1-26-001180-1

The material in this eBook also appears in the print version of this title: ISBN: 978-1-26-001178-4, MHID: 1-26-001178-X.

eBook conversion by codeMantra
Version 1.0

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.

Information has been obtained by McGraw-Hill Education from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill Education, or others, McGraw-Hill Education does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

ABOUT THE AUTHORS

Fernando J. Maymí, Ph.D., CISSP, CSA+, is experienced in the research, development, and dissemination of innovative technical solutions, and currently leads Soar Technology’s efforts in researching and commercializing cyberspace operations products. Prior to joining the company, Dr. Maymí was the deputy director of the Army Cyber Institute (ACI), a government think tank he helped create for the Secretary of the Army in order to solve future cyberspace operations problems affecting the whole country. While at the ACI, he led significant public-private partnerships involving government, industry, and academia, including the first NYC-wide cyber exercise, which involved 35 major organizations and hundreds of participants. He has served as advisor to congressional leaders, corporate executives, and foreign governments on cyberspace issues. Dr. Maymí taught computer science and cybersecurity at the U.S. Military Academy at West Point for 12 years. He retired from the Army as a lieutenant colonel and is a senior member of the Institute of Electrical and Electronics Engineers. He holds three patents and is the recipient of the Army’s Research and Development Achievement Award. Dr. Maymí has written extensively and is the co-author of the seventh edition of the bestselling CISSP All-in-One Exam Guide.

Brent Chapman, GCIH, GCFA, CISSP, CSA+, is a cyber operations officer in the United States Army, currently assigned as a project manager at the Secretary of Defense’s Defense Innovation Unit Experiment (DIUx) in Silicon Valley. In this role, he works to accelerate the procurement of commercially derived disruptive capabilities to maintain global peace and improve U.S. national security. Prior to DIUx, Brent was a researcher at the Army Cyber Institute (ACI), exploring emerging information security and cyber warfare issues with a focus on field-expedient solutions and countermeasures. While at West Point, Brent also served as an instructor in the Department of Electrical Engineering and Computer Science. He is a professional member of the Association for Computing Machinery, an FCC Amateur Radio license holder, and a contributor to several technical and maker-themed publications.

About the Technical Editor

Bobby E. Rogers is an information security engineer working as a contractor for Department of Defense agencies, helping to secure, certify, and accredit their information systems. His duties include information system security engineering, risk management, and certification and accreditation efforts. He retired after 21 years in the U.S. Air Force, serving as a network security engineer and instructor, and has secured networks all over the world. Bobby has a master’s degree in information assurance (IA) and is pursuing a doctoral degree in cybersecurity from Capitol Technology University in Maryland. His many certifications include CISSP-ISSEP, CEH, and MCSE: Security, as well as the CompTIA A+, Network+, Security+, and Mobility+ certifications.

Becoming a CompTIA Certified IT Professional Is Easy

It’s also the best way to reach greater professional opportunities and rewards.

Why Get CompTIA Certified?

Growing Demand. Labor estimates predict some technology fields will experience growth of more than 20% by the year 2020. (Source: CompTIA 9th Annual Information Security Trends study: 500 U.S. IT and Business Executives Responsible for Security.) CompTIA certification qualifies the skills required to join this workforce.

Higher Salaries. IT professionals with certifications on their resume command better jobs, earn higher salaries, and have more doors open to new multi-industry opportunities.

Verified Strengths. 91% of hiring managers indicate CompTIA certifications are valuable in validating IT expertise, making certification the best way to demonstrate your competency and knowledge to employers. (Source: CompTIA Employer Perceptions of IT Training and Certification.)
Universal Skills. CompTIA certifications are vendor neutral, which means that certified professionals can proficiently work with an extensive variety of hardware and software found in most organizations.

Learn More: Certification.CompTIA.org/certifications/cybersecurity-analyst

CompTIA Disclaimer

© 2016 CompTIA Properties, LLC, used under license by CompTIA Certifications, LLC. All rights reserved. All certification programs and education related to such programs are operated exclusively by CompTIA Certifications, LLC. CompTIA is a registered trademark of CompTIA Properties, LLC in the U.S. and internationally. Other brands and company names mentioned herein may be trademarks or service marks of CompTIA Properties, LLC or of their respective owners. Reproduction or dissemination of this courseware sheet is prohibited without written consent of CompTIA Properties, LLC. Printed in the U.S. 03288-Nov2016.

The logo of the CompTIA Approved Quality Curriculum Program and the status of this or other training material as “Approved” under the CompTIA Approved Curriculum Program signifies that, in CompTIA’s opinion, such training material covers the content of CompTIA’s related certification exam. CompTIA has not reviewed or approved the accuracy of the contents of this training material and specifically disclaims any warranties of merchantability or fitness for a particular purpose. CompTIA makes no guarantee concerning the success of persons using any such “Approved” or other training material in order to prepare for any CompTIA certification exam.

Security Benchmarks Division, CIS, 309
Security by Design guide, CMMI-DEV, 307
Security Content Automation Protocol (SCAP), 112–113, 136
security data analytics
  data aggregation/correlation, 269–272
  historical analysis, 272–273
  manual. See manual data analysis
  overview of, 279
  trend analysis, 272
security frameworks
  COBIT, 226–228
  ISO, 225–226
  ITIL, 230
  NIST, 223–225
  overview of, 223
  review Q & A, 245–248
  SABSA, 228–229
  TOGAF, 229–230
security information and event management. See SIEM (security information and event management)
Security Intelligence Platform (SIP). See Splunk tool
Security Technical Implementation Guides (STIGs), 136, 309
security testing
  fuzzing, 304
  interception proxies, 303–304
  overview of, 302
  resource starvation attacks, 305
  stress testing, 304–305
  web app vulnerability scanning, 302–303
segmentation. See network segmentation
segregation (separation) of duties, 283
SEI (Software Engineering Institute) best practices, 306–307
seizure, digital forensic, 184–187
selection criteria, security controls, 241
sensitive data, limit use of, 308
sensitive (proprietary) data classification level, 98
sensitivity levels, scanning criteria, 108–109
separation (segregation) of duties, 283
sequels, TTX cybersecurity exercises, 81
server-based vulnerability scanners, 110–111
servers
  assessing with Baseline Security Analyzer, 343
  forensic analysis of, 186–187
  identity security issues, 254–255
  vulnerabilities of, 100
service discovery, port scanners, 10
Service Identity and Authentication, .NET, 257
service level agreements (SLAs), 132, 230–231
service provider (SP), SAML, 261–262
services
  blocking unused, 60–61
  common server vulnerabilities, 100
  identity security issues, 256–257
  investigating interruption of, 216
  Security as a Service, 287
session hijacking attacks, authentication exploit, 263–264
session ID, TACACS+ vulnerability, 260
session tokens, testing with interception proxy, 303
severity codes, syslog, 277–278
SHA-1 hashing algorithm, forensic analysis, 190–191
sha1sum command, dd forensic duplicator, 190
shared secrets, RADIUS, 261
shasum hashing tool, 360
Sherwood Applied Business Security Architecture (SABSA), 228–229
SIEM (security information and event management)
  automated data analysis, 270–272
  collective tools, 325–329
  correlation analysis, 37
  defending against reconnaissance, 17
  improving AD security, 259
  manual data analysis, 273–276
  as quintessential tool for cybersecurity analyst, 40–42
  trend analysis, 272
signals, reversing hardware with, 77
signature-based detection, 57, 167–168
Simple Network Management Protocol (SNMP), MRTG and, 346
Single Sign-On (SSO), security issues, 261–262
SIP (Security Intelligence Platform). See Splunk tool
SLAs (service level agreements), 132, 230–231
Sleuth Kit, forensic analysis, 192–193
smartphones, location functions, 251
SNMP (Simple Network Management Protocol), MRTG and, 346
Snort tool IDS, 43–44, 319
social engineering, social media profiling,
software
  CMMI maturity model for developing, 243–245
  detecting unauthorized, 210–211
  forensic acquisition of, 187
  reverse engineering, 76–80
  using nmap to inventory, 31
  whitelisting/blacklisting unauthorized, 210–211
Software as a Service (SaaS), cloud, 17
software-defined networking (SDN), 16, 276
software development
  best practices, 306–309
  Center for Internet Security, 309
  lifecycle, 295–298
  overview of, 295
  review Q & A, 310–313
  secure coding, 299–302
  security testing, 302–305
Software Engineering Institute (SEI) best practices, 306–307
source authenticity, reverse engineering hardware, 73–74
source code, decomposition in reversing software/malware, 77–80
Sourcefire IPS, 319
SOX (Sarbanes-Oxley Act), 241, 289
SP (service provider), SAML, 261–262
SP (Special Publication) 800-53, NIST, 224
spatial trends, trend analysis, 39
Special Publication (SP) 800-53, NIST, 224
SPI (stateful packet inspection) firewalls, 316, 317
Splunk tool
  correlation analysis via, 37
  features of, 41
  overview of, 328–329
spoofing GPS, 252
SQLi (Structured Query Language) injection attacks, 299–300
SSL (Secure Sockets Layer)
  man in the middle attacks, 263
  OpenSSL, 335
  proxies, 33
SSO (Single Sign-On), security issues, 261–262
staging base, detecting exfiltration, 211–212
stakeholders, 149–150, 162–163
stateful packet inspection (SPI) firewalls, 316, 317
stateless packet filtering, 316
static code analysis, 154, 300–301
statistics, security analytics, 37
STIGs (Security Technical Implementation Guides), 136, 309
stress testing, 304–305
Structured Query Language (SQLi) injection attacks, 299–300
succession planning, personnel, 284–285
summary report, incident response plan, 161
Supervisory Control and Data Acquisition (SCADA) devices, 105–106
Suricata tool, 44
sweeps, network mapping, 10
switches
  packet capture on wired networks, 13
  port mirroring, 14
Sysinternals suite, 335
syslog
  analysis of, 277–278
  Kiwi Syslog tool, 327
  and reconnaissance, 18, 31
syslogd, Unix and Linux, 277
system isolation, 52
system libraries, unauthorized file changes, 211
system process criticality, incident severity/prioritization, 174
system-specific policy, corporate security, 97

T
tabletop exercises (TTXs), training, 81, 82
TACACS+ (Terminal Access Controller Access Control System Plus), 259–261
tactics, techniques, and procedures. See TTPs (tactics, techniques, and procedures) of adversaries
tamper-proof seals, forensic kits, 196–197
taps, packet capture, 10–13
Target stores vulnerability, 103
TCO (total cost of ownership), 298
tcpdump, 21, 332
technical constraints, vulnerability scans, 107–108
technical (logical) controls, 86, 239–240
technical staff role, incident response, 146–147
technology, preventing catastrophic damage, 286
temporal trends, trend analysis, 39
Terminal Access Controller Access Control System Plus (TACACS+), 259–261
testing
  control-testing, 238
  patches, 131, 237–238
  penetration. See penetration testing
  secure coding and regression, 302
  security, 302–306
  user acceptance software, 298
TGS (Ticket Granting Server), Kerberos, 255–256
TGT (Ticket Granting Ticket), Kerberos, 255–256
The Open Group Architecture Framework (TOGAF), 229–230
third parties, NDAs/clearly defined policies for, 283
Threat Exchange, Unified Security Management, 325
threat intelligence value, 153
threat management
  analyzing reconnaissance. See reconnaissance, analyzing
  reconnaissance. See reconnaissance techniques
threats, responding to network-based
  ACLs, 54–56
  device hardening, 58–61
  endpoint security, 56–58
  group policies, 58
  honeypots and honeynets, 54
  Network Access Control, 61–63
  network segmentation, 52–53
  overview of, 51
  review Q & A, 64–68
time-based NAC, 62
time parameter, context-based authentication, 250–251
time to live (TTL) field
  analyzing header captures, 30
  traceroute utility, 333–334
time window, authentication process, 251
time zone differences, log analysis, 279
timelines, as forensic analysis tool, 188–189
timestamps, forensic analysis and, 189
timestomping, 189
timing considerations
  Kerberos, 256
  penetration tests, 71
Titan Rain, advanced persistent threat, 169
TLS (Transport Layer Security), 103, 335
TOGAF (The Open Group Architecture Framework), 229–230
tool sets
  analytical tools. See analytical tools
  collective tools. See collective tools
  exploitative tools, 351–356
  forensic tools. See forensic tools
  overview of, 315
  preventative tools. See preventative tools
  review Q & A, 363–367
tools
  analyzing results of reconnaissance, 40–45
  correlation analysis via, 36–40
  incident response. See incident response toolkit
  reconnaissance techniques, 18–22
  vulnerability scanner configuration, 108–111
  vulnerability scanner updates and plug-ins, 111–114
topology discovery, network mapping, 10
total cost of ownership (TCO), operation/maintenance, 298
traceroute feature, nmap, 10
traceroute utility, 333–334
tracert utility, 333–334
traffic analysis
  capturing with Netflow, 34–35
  packet analysis as, 32–33
  of reconnaissance data, 34–35
training
  corporate network security, 80–83
  cross-training personnel, 283–284
  personnel in security awareness, 282
  personnel in security issues, 254
  security analysts, 282
Transport Layer Security (TLS), 103, 335
trend analysis
  in correlation analysis, 38–39
  predicting future events via, 272
  vulnerability scan reports, 137–138
TrueCrypt tool, 190
trust, endpoint security and, 58
Trusted Foundry Program, DoD, 75
Trusted Purchasing Alliance, CIS, 309
TShark, 10, 22
TTL (time to live) field
  analyzing header captures, 30
  traceroute utility, 333–334
TTPs (tactics, techniques, and procedures) of adversaries
  advanced persistent threat campaigns, 169–170
  as focus of cybersecurity exercises, 81
  forecasting via historical data analysis, 272–273
  learning with honeypots/honeynets, 53
  pen testing aligned with, 69
  removal of hosts for threat intelligence value, 153
TTXs (tabletop exercises), cybersecurity training, 81, 82
Type 1 (bare-metal) hypervisors, 15–16
Type 2 hypervisors, 15–16

U
UAC (user access control), unexpected pop-ups, 215–216
UBA (user behavior analysis), 327, 328
UFED (Universal Forensic Extraction Device), Cellebrite, 359
ufw (Uncomplicated Firewall) tool, Linux, 276–277
unauthorized changes, host incidents, 211
unauthorized software, host incidents, 210
unexpected output, application incidents, 215–216
Unified Security Management (USM) tool, 325–326
unknown vs. known threats, 167–168
Untidy XML fuzzer, 356
updates
  Baseline Security Analyzer identifying missing, 344
  endpoint vulnerability, 100
  implementing response plan, 161
  industrial control system vulnerabilities, 104
  missing, 99
  mobile device vulnerability, 100
  patching in incident response, 158
  VPN vulnerability, 103–104
  vulnerability scanning tool, 111–114
URL (uniform resource locator), anomalous activity in, 214
U.S. Bullion Depository, Fort Knox, 51
usability vs. security
  hardening network and, 59
  Network Access Control and, 62
user acceptance software testing, 298
user behavior analysis (UBA)
  ArcSight tool, 327
  Splunk tool, 328
user training, 254
USM (Unified Security Management) tool, 325–326

V
validation
  control-testing procedures, 238
  fuzzing tools identifying flaws in, 303
  incident response process, 158–159
  secure coding with input, 299–300
  secure coding with parameter, 300
  security patch management, 237–238
  of selected security controls, 241
Vega interception proxy, 351–352
VeraCrypt tool, 190–191
verification
  forensic acquisition, 188
  and quality control, 242–245
vertical network scan, 329
vertical privilege escalation, 264
virtual hosts, vulnerabilities, 101
virtual infrastructure, vulnerabilities, 101–102
virtual local area networks. See VLANs (virtual local area networks)
virtual networks, vulnerabilities, 102
virtualization technologies
  containers, 16
  honeynets, 54
  hypervisors, 15–16
  network function, 16
  overview of, 15
  security, 16–17
  software-defined networking, 16
VirusTotal.com, 34, 76–78
VLANs (virtual local area networks), 53, 152–153
VM (virtual machine) vulnerabilities, 101
VPN (virtual private network) vulnerabilities, 103–104
vulnerabilities, common
  endpoints, 100
  industrial control systems, 104–105
  interconnected networks, 103
  mobile devices, 102–103
  network infrastructure, 100–101
  overview of, 99
  SCADA devices, 105–106
  servers, 100
  virtual infrastructure, 101–102
  virtual private networks, 103–104
vulnerability feeds, scanning criteria, 109
vulnerability management processes
  asset inventory, 98–99
  common vulnerabilities, 99–106
  corporate security policy, 97
  data classification, 97–98
  frequency of vulnerability scans, 106–108
  permissions and access, 113
  regulatory environments, 95–97
  review Q & A, 114–118
  scanning criteria, 108–111
  tool updates and plug-ins, 111–113
vulnerability scanners
  Microsoft Baseline Security Analyzer, 343–344
  Nessus, 338–340
  Nexpose, 340–342
  Nikto, 342–343
  OpenVAS, 340
  QualysGuard, 336–338
  tool updates and plug-ins, 111–113
  web app, 302–303
  ZAP, 20
vulnerability scanning
  analyze reports, 133–134
  continuous monitoring/ongoing, 132–133
  execute scanning, 120
  frequency of, 106–108
  generate reports, 128
  Nessus, 20–21, 120–124
  Nikto Web Scanner, 126–127
  OpenVAS, 125–126
  overview of, 119–120
  remediation, 128–132
  review Q & A, 138–142
  server-based vs. agent-based, 110–111
  validate results/correlate other data points, 134–138
  validation of systems after incident, 159

W
WAPs (wireless access points), 36, 100–101
war dialing, 9–10
web application firewalls, 323–324
web application vulnerability scanner, 10–11, 302–303
web proxies, 321–322
well-known ports, TCP and UDP, 60
WEP (Wired Equivalent Privacy) vulnerability, 100
white-box (full knowledge) pen testing, 70
white team, cybersecurity training exercises, 83
whitelisting, software, 210–211, 299
WHOIS tool, used by attackers, 7–8
Wi-Fi Protected Access 2 (WPA2), 100
Wildfire subscription service, Palo Alto Networks, 317
Windows Event Logs. See event logs
wiped removable media, forensic kits, 196
wired networks
  ARP poisoning, 13–14
  hubs, 13
  mirroring, 14
  reconnaissance of, 12
  switches, 13
  taps, 12–13
wireless networks
  analysis, 36
  forensic analysis with Registry Editor, 194
  reconnaissance considerations, 14–15
Wireshark packet analyzer
  capturing wireless network traffic, 14
  network protocol analyzer, 10
  overview of, 331–332
  reconnaissance via, 22
  understanding, 42–43
WLAN (wireless local area network) analysis, 36
workflow, frequency of vulnerability scans, 108
WPA2 (Wi-Fi Protected Access 2), 100

X
XML (Extensible Markup Language), 356–357
XSS (cross-site scripting), injection attack, 264

Y
Yahoo user breach, 249

Z
ZAP (Zed Attack Proxy), 20, 350
zero day exploits
  Operation Aurora breach, 178
  patching in incident response, 158
  preparation for, 169
  threat classification, 168
zero knowledge (black-box) pen testing, 70
zero-trust environment, 58

... missing elements you’d normally expect, but contain all the information you need to respond.

How to Use This Book

Much effort has gone into putting all the necessary information into this book. Now it’s