0%

Book Description

CCNA Cybersecurity Operations Companion Guide is the official supplemental textbook for the Cisco Networking Academy CCNA Cybersecurity Operations course.

The course emphasizes real-world practical application, while providing opportunities for you to gain the skills needed to successfully handle the tasks, duties, and responsibilities of an associate-level security analyst working in a security operations center (SOC).

The Companion Guide is designed as a portable desk reference to use anytime, anywhere to reinforce the material from the course and organize your time.

The book’s features help you focus on important concepts to succeed in this course:

  • Chapter Objectives—Review core concepts by answering the focus questions listed at the beginning of each chapter.
  • Key Terms—Refer to the lists of networking vocabulary introduced and highlighted in context in each chapter.
  • Glossary—Consult the comprehensive Glossary with more than 360 terms.
  • Summary of Activities and Labs—Maximize your study time with this complete list of all associated practice exercises at the end of each chapter.
  • Check Your Understanding—Evaluate your readiness with the end-of-chapter questions that match the style of questions you see in the online course quizzes. The answer key explains each answer.

How To—Look for this icon to study the steps you need to learn to perform certain tasks.

Interactive Activities—Reinforce your understanding of topics with dozens of exercises from the online course identified throughout the book with this icon.

Packet Tracer Activities—Explore and visualize networking concepts using Packet Tracer. There are exercises interspersed throughout the chapters and provided in the accompanying Lab Manual book.

Videos—Watch the videos embedded within the online course.

Hands-on Labs—Develop critical thinking and complex problem-solving skills by completing the labs and activities included in the course and published in the separate Lab Manual.

Table of Contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. About the Contributing Author
  5. Contents at a Glance
  6. Contents
  7. Command Syntax Conventions
  8. Introduction
  9. Chapter 1 Cybersecurity and the Security Operations Center
    1. Objectives
    2. Key Terms
    3. Introduction (1.0)
    4. The Danger (1.1)
      1. War Stories (1.1.1)
        1. Hijacked People (1.1.1.1)
        2. Ransomed Companies (1.1.1.2)
        3. Nations (1.1.1.3)
      2. Threat Actors (1.1.2)
        1. Amateurs (1.1.2.1)
        2. Hacktivists (1.1.2.2)
        3. Financial Gain (1.1.2.3)
        4. Trade Secrets and Global Politics (1.1.2.4)
        5. How Secure Is the Internet of Things? (1.1.2.5)
      3. Threat Impact (1.1.3)
        1. PII and PHI (1.1.3.1)
        2. Lost Competitive Advantage (1.1.3.2)
        3. Politics and National Security (1.1.3.3)
    5. Fighters in the War Against Cybercrime (1.2)
      1. The Modern Security Operations Center (1.2.1)
        1. Elements of an SOC (1.2.1.1)
        2. People in the SOC (1.2.1.2)
        3. Process in the SOC (1.2.1.3)
        4. Technologies in the SOC (1.2.1.4)
        5. Enterprise and Managed Security (1.2.1.5)
        6. Security vs. Availability (1.2.1.6)
      2. Becoming a Defender (1.2.2)
        1. Certifications (1.2.2.1)
        2. Further Education (1.2.2.2)
        3. Sources of Career Information (1.2.2.3)
        4. Getting Experience (1.2.2.4)
    6. Summary (1.3)
    7. Practice
    8. Check Your Understanding
  10. Chapter 2 Windows Operating System
    1. Objectives
    2. Key Terms
    3. Introduction (2.0)
    4. Windows Overview (2.1)
      1. Windows History (2.1.1)
        1. Disk Operating System (2.1.1.1)
        2. Windows Versions (2.1.1.2)
        3. Windows GUI (2.1.1.3)
        4. Operating System Vulnerabilities (2.1.1.4)
      2. Windows Architecture and Operations (2.1.2)
        1. Hardware Abstraction Layer (2.1.2.1)
        2. User Mode and Kernel Mode (2.1.2.2)
        3. Windows File Systems (2.1.2.3)
        4. Windows Boot Process (2.1.2.4)
        5. Windows Startup and Shutdown (2.1.2.5)
        6. Processes, Threads, and Services (2.1.2.6)
        7. Memory Allocation and Handles (2.1.2.7)
        8. The Windows Registry (2.1.2.8)
    5. Windows Administration (2.2)
      1. Windows Configuration and Monitoring (2.2.1)
        1. Run as Administrator (2.2.1.1)
        2. Local Users and Domains (2.2.1.2)
        3. CLI and PowerShell (2.2.1.3)
        4. Windows Management Instrumentation (2.2.1.4)
        5. The net Command (2.2.1.5)
        6. Task Manager and Resource Monitor (2.2.1.6)
        7. Networking (2.2.1.7)
        8. Accessing Network Resources (2.2.1.8)
        9. Windows Server (2.2.1.9)
      2. Windows Security (2.2.2)
        1. The netstat Command (2.2.2.1)
        2. Event Viewer (2.2.2.2)
        3. Windows Update Management (2.2.2.3)
        4. Local Security Policy (2.2.2.4)
        5. Windows Defender (2.2.2.5)
        6. Windows Firewall (2.2.2.6)
    6. Summary (2.3)
    7. Practice
    8. Check Your Understanding
  11. Chapter 3 Linux Operating System
    1. Objectives
    2. Key Terms
    3. Introduction (3.0)
    4. Linux Overview (3.1)
      1. Linux Basics (3.1.1)
        1. What is Linux? (3.1.1.1)
        2. The Value of Linux (3.1.1.2)
        3. Linux in the SOC (3.1.1.3)
        4. Linux Tools (3.1.1.4)
      2. Working in the Linux Shell (3.1.2)
        1. The Linux Shell (3.1.2.1)
        2. Basic Commands (3.1.2.2)
        3. File and Directory Commands (3.1.2.3)
        4. Working with Text Files (3.1.2.4)
        5. The Importance of Text Files in Linux (3.1.2.5)
      3. Linux Servers and Clients (3.1.3)
        1. An Introduction to Client-Server Communications (3.1.3.1)
        2. Servers, Services, and Their Ports (3.1.3.2)
        3. Clients (3.1.3.3)
    5. Linux Administration (3.2)
      1. Basic Server Administration (3.2.1)
        1. Service Configuration Files (3.2.1.1)
        2. Hardening Devices (3.2.1.2)
        3. Monitoring Service Logs (3.2.1.3)
      2. The Linux File System (3.2.2)
        1. The File System Types in Linux (3.2.2.1)
        2. Linux Roles and File Permissions (3.2.2.2)
        3. Hard Links and Symbolic Links (3.2.2.3)
    6. Linux Hosts (3.3)
      1. Working with the Linux GUI (3.3.1)
        1. X Window System (3.3.1.1)
        2. The Linux GUI (3.3.1.2)
      2. Working on a Linux Host (3.3.2)
        1. Installing and Running Applications on a Linux Host (3.3.2.1)
        2. Keeping the System Up to Date (3.3.2.2)
        3. Processes and Forks (3.3.2.3)
        4. Malware on a Linux Host (3.3.2.4)
        5. Rootkit Check (3.3.2.5)
        6. Piping Commands (3.3.2.6)
    7. Summary (3.4)
    8. Practice
    9. Check Your Understanding
  12. Chapter 4 Network Protocols and Services
    1. Objectives
    2. Key Terms
    3. Introduction (4.0)
    4. Network Protocols (4.1)
      1. Network Communications Process (4.1.1)
        1. Views of the Network (4.1.1.1)
        2. Client-Server Communications (4.1.1.2)
        3. A Typical Session: Student (4.1.1.3)
        4. A Typical Session: Gamer (4.1.1.4)
        5. A Typical Session: Surgeon (4.1.1.5)
        6. Tracing the Path (4.1.1.6)
      2. Communications Protocols (4.1.2)
        1. What Are Protocols? (4.1.2.1)
        2. Network Protocol Suites (4.1.2.2)
        3. The TCP/IP Protocol Suite (4.1.2.3)
        4. Format, Size, and Timing (4.1.2.4)
        5. Unicast, Multicast, and Broadcast (4.1.2.5)
        6. Reference Models (4.1.2.6)
        7. Three Addresses (4.1.2.7)
        8. Encapsulation (4.1.2.8)
        9. Scenario: Sending and Receiving a Web Page (4.1.2.9)
    5. Ethernet and Internet Protocol (IP) (4.2)
      1. Ethernet (4.2.1)
        1. The Ethernet Protocol (4.2.1.1)
        2. The Ethernet Frame (4.2.1.2)
        3. MAC Address Format (4.2.1.3)
      2. IPv4 (4.2.2)
        1. IPv4 Encapsulation (4.2.2.1)
        2. IPv4 Characteristics (4.2.2.2)
        3. The IPv4 Packet (4.2.2.4)
      3. IPv4 Addressing Basics (4.2.3)
        1. IPv4 Address Notation (4.2.3.1)
        2. IPv4 Host Address Structure (4.2.3.2)
        3. IPv4 Subnet Mask and Network Address (4.2.3.3)
        4. Subnetting Broadcast Domains (4.2.3.4)
      4. Types of IPv4 Addresses (4.2.4)
        1. IPv4 Address Classes and Default Subnet Masks (4.2.4.1)
        2. Reserved Private Addresses (4.2.4.2)
      5. The Default Gateway (4.2.5)
        1. Host Forwarding Decision (4.2.5.1)
        2. Default Gateway (4.2.5.2)
        3. Using the Default Gateway (4.2.5.3)
      6. IPv6 (4.2.6)
        1. Need for IPv6 (4.2.6.1)
        2. IPv6 Size and Representation (4.2.6.2)
        3. IPv6 Address Formatting (4.2.6.3)
        4. IPv6 Prefix Length (4.2.6.4)
    6. Connectivity Verification (4.3)
      1. ICMP (4.3.1)
        1. ICMPv4 Messages (4.3.1.1)
        2. ICMPv6 RS and RA Messages (4.3.1.2)
      2. Ping and Traceroute Utilities (4.3.2)
        1. Ping: Testing the Local Stack (4.3.2.1)
        2. Ping: Testing Connectivity to the Local LAN (4.3.2.2)
        3. Ping: Testing Connectivity to Remote Host (4.3.2.3)
        4. Traceroute: Testing the Path (4.3.2.4)
        5. ICMP Packet Format (4.3.2.5)
    7. Address Resolution Protocol (4.4)
      1. MAC and IP (4.4.1)
        1. Destination on the Same Network (4.4.1.1)
        2. Destination on a Remote Network (4.4.1.2)
      2. ARP (4.4.2)
        1. Introduction to ARP (4.4.2.1)
        2. ARP Functions (4.4.2.2)
        3. Removing Entries from an ARP Table (4.4.2.6)
        4. ARP Tables on Networking Devices (4.4.2.7)
      3. ARP Issues (4.4.3)
        1. ARP Broadcasts (4.4.3.1)
        2. ARP Spoofing (4.4.3.2)
    8. The Transport Layer (4.5)
      1. Transport Layer Characteristics (4.5.1)
        1. Transport Layer Protocol Role in Network Communication (4.5.1.1)
        2. Transport Layer Mechanisms (4.5.1.2)
        3. TCP Local and Remote Ports (4.5.1.3)
        4. Socket Pairs (4.5.1.4)
        5. TCP vs. UDP (4.5.1.5)
        6. TCP and UDP Headers (4.5.1.6)
      2. Transport Layer Operation (4.5.2)
        1. TCP Port Allocation (4.5.2.1)
        2. A TCP Session Part I: Connection Establishment and Termination (4.5.2.2)
        3. A TCP Session Part II: Data Transfer (4.5.2.6)
        4. A UDP Session (4.5.2.9)
    9. Network Services (4.6)
      1. DHCP (4.6.1)
        1. DHCP Overview (4.6.1.1)
        2. DHCPv4 Message Format (4.6.1.2)
      2. DNS (4.6.2)
        1. DNS Overview (4.6.2.1)
        2. The DNS Domain Hierarchy (4.6.2.2)
        3. The DNS Lookup Process (4.6.2.3)
        4. DNS Message Format (4.6.2.4)
        5. Dynamic DNS (4.6.2.5)
        6. The WHOIS Protocol (4.6.2.6)
      3. NAT (4.6.3)
        1. NAT Overview (4.6.3.1)
        2. NAT-Enabled Routers (4.6.3.2)
        3. Port Address Translation (4.6.3.3)
      4. File Transfer and Sharing Services (4.6.4)
        1. FTP and TFTP (4.6.4.1)
        2. SMB (4.6.4.2)
      5. Email (4.6.5)
        1. Email Overview (4.6.5.1)
        2. SMTP (4.6.5.2)
        3. POP3 (4.6.5.3)
        4. IMAP (4.6.5.4)
      6. HTTP (4.6.6)
        1. HTTP Overview (4.6.6.1)
        2. The HTTP URL (4.6.6.2)
        3. The HTTP Protocol (4.6.6.3)
        4. HTTP Status Codes (4.6.6.4)
    10. Summary (4.7)
    11. Practice
    12. Check Your Understanding
  13. Chapter 5 Network Infrastructure
    1. Objectives
    2. Key Terms
    3. Introduction (5.0)
    4. Network Communication Devices (5.1)
      1. Network Devices (5.1.1)
        1. End Devices (5.1.1.1)
        2. Routers (5.1.1.3)
        3. Router Operation (5.1.1.5)
        4. Routing Information (5.1.1.6)
        5. Hubs, Bridges, LAN Switches (5.1.1.8)
        6. Switching Operation (5.1.1.9)
        7. VLANs (5.1.1.11)
        8. STP (5.1.1.12)
        9. Multilayer Switching (5.1.1.13)
      2. Wireless Communications (5.1.2)
        1. Protocols and Features (5.1.2.2)
        2. Wireless Network Operations (5.1.2.3)
        3. The Client to AP Association Process (5.1.2.4)
        4. Wireless Devices: AP, LWAP, WLC (5.1.2.6)
    5. Network Security Infrastructure (5.2)
      1. Security Devices (5.2.1)
        1. Firewalls (5.2.1.2)
        2. Firewall Type Descriptions (5.2.1.3)
        3. Packet Filtering Firewalls (5.2.1.4)
        4. Stateful Firewalls (5.2.1.5)
        5. Next-Generation Firewalls (5.2.1.6)
        6. Intrusion Protection and Detection Devices (5.2.1.8)
        7. Advantages and Disadvantages of IDS and IPS (5.2.1.9)
        8. Types of IPS (5.2.1.10)
        9. Specialized Security Appliances (5.2.1.11)
      2. Security Services (5.2.2)
        1. Traffic Control with ACLs (5.2.2.2)
        2. ACLs: Important Features (5.2.2.3)
        3. SNMP (5.2.2.5)
        4. NetFlow (5.2.2.6)
        5. Port Mirroring (5.2.2.7)
        6. Syslog Servers (5.2.2.8)
        7. NTP (5.2.2.9)
        8. AAA Servers (5.2.2.10)
        9. VPN (5.2.2.11)
    6. Network Representations (5.3)
      1. Network Topologies (5.3.1)
        1. Overview of Network Components (5.3.1.1)
        2. Physical and Logical Topologies (5.3.1.2)
        3. WAN Topologies (5.3.1.3)
        4. LAN Topologies (5.3.1.4)
        5. The Three-Layer Network Design Model (5.3.1.5)
        6. Common Security Architectures (5.3.1.7)
    7. Summary (5.4)
    8. Practice
    9. Check Your Understanding
  14. Chapter 6 Principles of Network Security
    1. Objectives
    2. Key Terms
    3. Introduction (6.0)
    4. Attackers and Their Tools (6.1)
      1. Who Is Attacking Our Network (6.1.1)
        1. Threat, Vulnerability, and Risk (6.1.1.1)
        2. Hacker vs. Threat Actor (6.1.1.2)
        3. Evolution of Threat Actors (6.1.1.3)
        4. Cybercriminals (6.1.1.4)
        5. Cybersecurity Tasks (6.1.1.5)
        6. Cyber Threat Indicators (6.1.1.6)
      2. Threat Actor Tools (6.1.2)
        1. Introduction of Attack Tools (6.1.2.1)
        2. Evolution of Security Tools (6.1.2.2)
        3. Categories of Attacks (6.1.2.3)
    5. Common Threats and Attacks (6.2)
      1. Malware (6.2.1)
        1. Types of Malware (6.2.1.1)
        2. Viruses (6.2.1.2)
        3. Trojan Horses (6.2.1.3)
        4. Trojan Horse Classification (6.2.1.4)
        5. Worms (6.2.1.5)
        6. Worm Components (6.2.1.6)
        7. Ransomware (6.2.1.7)
        8. Other Malware (6.2.1.8)
        9. Common Malware Behaviors (6.2.1.9)
      2. Common Network Attacks (6.2.2)
        1. Types of Network Attacks (6.2.2.1)
        2. Reconnaissance Attacks (6.2.2.2)
        3. Sample Reconnaissance Attacks (6.2.2.3)
        4. Access Attacks (6.2.2.4)
        5. Types of Access Attacks (6.2.2.5)
        6. Social Engineering Attacks (6.2.2.6)
        7. Phishing Social Engineering Attacks (6.2.2.7)
        8. Strengthening the Weakest Link (6.2.2.8)
        9. Denial-of-Service Attacks (6.2.2.10)
        10. DDoS Attacks (6.2.2.11)
        11. Example DDoS Attack (6.2.2.12)
        12. Buffer Overflow Attack (6.2.2.13)
        13. Evasion Methods (6.2.2.14)
    6. Summary (6.3)
    7. Practice
    8. Check Your Understanding
  15. Chapter 7 Network Attacks: A Deeper Look
    1. Objectives
    2. Key Terms
    3. Introduction (7.0)
    4. Network Monitoring and Tools (7.1)
      1. Introduction to Network Monitoring (7.1.1)
        1. Network Security Topology (7.1.1.1)
        2. Monitoring the Network (7.1.1.2)
        3. Network TAPs (7.1.1.3)
        4. Traffic Mirroring and SPAN (7.1.1.4)
      2. Introduction to Network Monitoring Tools (7.1.2)
        1. Network Security Monitoring Tools (7.1.2.1)
        2. Network Protocol Analyzers (7.1.2.2)
        3. NetFlow (7.1.2.3)
        4. SIEM (7.1.2.4)
        5. SIEM Systems (7.1.2.5)
    5. Attacking the Foundation (7.2)
      1. IP Vulnerabilities and Threats (7.2.1)
        1. IPv4 and IPv6 (7.2.1.1)
        2. The IPv4 Packet Header (7.2.1.2)
        3. The IPv6 Packet Header (7.2.1.3)
        4. IP Vulnerabilities (7.2.1.4)
        5. ICMP Attacks (7.2.1.5)
        6. DoS Attacks (7.2.1.6)
        7. Amplification and Reflection Attacks (7.2.1.7)
        8. DDoS Attacks (7.2.1.8)
        9. Address Spoofing Attacks (7.2.1.9)
      2. TCP and UDP Vulnerabilities (7.2.2)
        1. TCP (7.2.2.1)
        2. TCP Attacks (7.2.2.2)
        3. UDP and UDP Attacks (7.2.2.3)
    6. Attacking What We Do (7.3)
      1. IP Services (7.3.1)
        1. ARP Vulnerabilities (7.3.1.1)
        2. ARP Cache Poisoning (7.3.1.2)
        3. DNS Attacks (7.3.1.3)
        4. DNS Tunneling (7.3.1.4)
        5. DHCP (7.3.1.5)
      2. Enterprise Services (7.3.2)
        1. HTTP and HTTPS (7.3.2.1)
        2. Email (7.3.2.2)
        3. Web-Exposed Databases (7.3.2.3)
    7. Summary (7.4)
    8. Practice
    9. Check Your Understanding
  16. Chapter 8 Protecting the Network
    1. Objectives
    2. Key Terms
    3. Introduction (8.0)
    4. Understanding Defense (8.1)
      1. Defense-in-Depth (8.1.1)
        1. Assets, Vulnerabilities, Threats (8.1.1.1)
        2. Identify Assets (8.1.1.2)
        3. Identify Vulnerabilities (8.1.1.3)
        4. Identify Threats (8.1.1.4)
        5. Security Onion and Security Artichoke Approaches (8.1.1.5)
      2. Security Policies (8.1.2)
        1. Business Policies (8.1.2.1)
        2. Security Policy (8.1.2.2)
        3. BYOD Policies (8.1.2.3)
        4. Regulatory and Standard Compliance (8.1.2.4)
    5. Access Control (8.2)
      1. Access Control Concepts (8.2.1)
        1. Communications Security: CIA (8.2.1.1)
        2. Access Control Models (8.2.1.2)
      2. AAA Usage and Operation (8.2.2)
        1. AAA Operation (8.2.2.1)
        2. AAA Authentication (8.2.2.2)
        3. AAA Accounting Logs (8.2.2.3)
    6. Threat Intelligence (8.3)
      1. Information Sources (8.3.1)
        1. Network Intelligence Communities (8.3.1.1)
        2. Cisco Cybersecurity Reports (8.3.1.2)
        3. Security Blogs and Podcasts (8.3.1.3)
      2. Threat Intelligence Services (8.3.2)
        1. Cisco Talos (8.3.2.1)
        2. FireEye (8.3.2.2)
        3. Automated Indicator Sharing (8.3.2.3)
        4. Common Vulnerabilities and Exposures Database (8.3.2.4)
        5. Threat Intelligence Communication Standards (8.3.2.5)
    7. Summary (8.4)
    8. Practice
    9. Check Your Understanding Questions
  17. Chapter 9 Cryptography and the Public Key Infrastructure
    1. Objectives
    2. Key Terms
    3. Introduction (9.0)
    4. Cryptography (9.1)
      1. What Is Cryptography? (9.1.1)
        1. Securing Communications (9.1.1.1)
        2. Cryptology (9.1.1.2)
        3. Cryptography: Ciphers (9.1.1.3)
        4. Cryptanalysis: Code Breaking (9.1.1.4)
        5. Keys (9.1.1.5)
      2. Integrity and Authenticity (9.1.2)
        1. Cryptographic Hash Functions (9.1.2.1)
        2. Cryptographic Hash Operation (9.1.2.2)
        3. MD5 and SHA (9.1.2.3)
        4. Hash Message Authentication Code (9.1.2.4)
      3. Confidentiality (9.1.3)
        1. Encryption (9.1.3.1)
        2. Symmetric Encryption (9.1.3.2)
        3. Symmetric Encryption Algorithms (9.1.3.3)
        4. Asymmetric Encryption Algorithms (9.1.3.4)
        5. Asymmetric Encryption: Confidentiality (9.1.3.5)
        6. Asymmetric Encryption: Authentication (9.1.3.6)
        7. Asymmetric Encryption: Integrity (9.1.3.7)
        8. Diffie-Hellman (9.1.3.8)
    5. Public Key Infrastructure (9.2)
      1. Public Key Cryptography (9.2.1)
        1. Using Digital Signatures (9.2.1.1)
        2. Digital Signatures for Code Signing (9.2.1.2)
        3. Digital Signatures for Digital Certificates (9.2.1.3)
      2. Authorities and the PKI Trust System (9.2.2)
        1. Public Key Management (9.2.2.1)
        2. The Public Key Infrastructure (9.2.2.2)
        3. The PKI Authorities System (9.2.2.3)
        4. The PKI Trust System (9.2.2.4)
        5. Interoperability of Different PKI Vendors (9.2.2.5)
        6. Certificate Enrollment, Authentication, and Revocation (9.2.2.6)
      3. Applications and Impacts of Cryptography (9.2.3)
        1. PKI Applications (9.2.3.1)
        2. Encrypting Network Transactions (9.2.3.2)
        3. Encryption and Security Monitoring (9.2.3.3)
    6. Summary (9.3)
    7. Practice
    8. Check Your Understanding
  18. Chapter 10 Endpoint Security and Analysis
    1. Objectives
    2. Key Terms
    3. Introduction (10.0)
    4. Endpoint Protection (10.1)
      1. Antimalware Protection (10.1.1)
        1. Endpoint Threats (10.1.1.1)
        2. Endpoint Security (10.1.1.2)
        3. Host-Based Malware Protection (10.1.1.3)
        4. Network-Based Malware Protection (10.1.1.4)
        5. Cisco Advanced Malware Protection (AMP) (10.1.1.5)
      2. Host-Based Intrusion Protection (10.1.2)
        1. Host-Based Firewalls (10.1.2.1)
        2. Host-Based Intrusion Detection (10.1.2.2)
        3. HIDS Operation (10.1.2.3)
        4. HIDS Products (10.1.2.4)
      3. Application Security (10.1.3)
        1. Attack Surface (10.1.3.1)
        2. Application Blacklisting and Whitelisting (10.1.3.2)
        3. System-Based Sandboxing (10.1.3.3)
    5. Endpoint Vulnerability Assessment (10.2)
      1. Network and Server Profiling (10.2.1)
        1. Network Profiling (10.2.1.1)
        2. Server Profiling (10.2.1.2)
        3. Network Anomaly Detection (10.2.1.3)
        4. Network Vulnerability Testing (10.2.1.4)
      2. Common Vulnerability Scoring System (CVSS) (10.2.2)
        1. CVSS Overview (10.2.2.1)
        2. CVSS Metric Groups (10.2.2.2)
        3. CVSS Base Metric Group (10.2.2.3)
        4. The CVSS Process (10.2.2.4)
        5. CVSS Reports (10.2.2.5)
        6. Other Vulnerability Information Sources (10.2.2.6)
      3. Compliance Frameworks (10.2.3)
        1. Compliance Regulations (10.2.3.1)
        2. Overview of Regulatory Standards (10.2.3.2)
      4. Secure Device Management (10.2.4)
        1. Risk Management (10.2.4.1)
        2. Vulnerability Management (10.2.4.3)
        3. Asset Management (10.2.4.4)
        4. Mobile Device Management (10.2.4.5)
        5. Configuration Management (10.2.4.6)
        6. Enterprise Patch Management (10.2.4.7)
        7. Patch Management Techniques (10.2.4.8)
      5. Information Security Management Systems (10.2.5)
        1. Security Management Systems (10.2.5.1)
        2. ISO-27001 (10.2.5.2)
        3. NIST Cybersecurity Framework (10.2.5.3)
    6. Summary (10.3)
    7. Practice
    8. Check Your Understanding
  19. Chapter 11 Security Monitoring
    1. Objectives
    2. Key Terms
    3. Introduction (11.0)
    4. Technologies and Protocols (11.1)
      1. Monitoring Common Protocols (11.1.1)
        1. Syslog and NTP (11.1.1.1)
        2. NTP (11.1.1.2)
        3. DNS (11.1.1.3)
        4. HTTP and HTTPS (11.1.1.4)
        5. Email Protocols (11.1.1.5)
        6. ICMP (11.1.1.6)
      2. Security Technologies (11.1.2)
        1. ACLs (11.1.2.1)
        2. NAT and PAT (11.1.2.2)
        3. Encryption, Encapsulation, and Tunneling (11.1.2.3)
        4. Peer-to-Peer Networking and Tor (11.1.2.4)
        5. Load Balancing (11.1.2.5)
    5. Log Files (11.2)
      1. Types of Security Data (11.2.1)
        1. Alert Data (11.2.1.1)
        2. Session and Transaction Data (11.2.1.2)
        3. Full Packet Captures (11.2.1.3)
        4. Statistical Data (11.2.1.4)
      2. End Device Logs (11.2.2)
        1. Host Logs (11.2.2.1)
        2. Syslog (11.2.2.2)
        3. Server Logs (11.2.2.3)
        4. Apache HTTP Server Access Logs (11.2.2.4)
        5. IIS Access Logs (11.2.2.5)
        6. SIEM and Log Collection (11.2.2.6)
      3. Network Logs (11.2.3)
        1. Tcpdump (11.2.3.1)
        2. NetFlow (11.2.3.2)
        3. Application Visibility and Control (11.2.3.3)
        4. Content Filter Logs (11.2.3.4)
        5. Logging from Cisco Devices (11.2.3.5)
        6. Proxy Logs (11.2.3.6)
        7. NextGen IPS (11.2.3.7)
    6. Summary (11.3)
    7. Practice
    8. Check Your Understanding
  20. Chapter 12 Intrusion Data Analysis
    1. Objectives
    2. Key Terms
    3. Introduction (12.0)
    4. Evaluating Alerts (12.1)
      1. Sources of Alerts (12.1.1)
        1. Security Onion (12.1.1.1)
        2. Detection Tools for Collecting Alert Data (12.1.1.2)
        3. Analysis Tools (12.1.1.3)
        4. Alert Generation (12.1.1.4)
        5. Rules and Alerts (12.1.1.5)
        6. Snort Rule Structure (12.1.1.6)
      2. Overview of Alert Evaluation (12.1.2)
        1. The Need for Alert Evaluation (12.1.2.1)
        2. Evaluating Alerts (12.1.2.2)
        3. Deterministic Analysis and Probabilistic Analysis (12.1.2.3)
    5. Working with Network Security Data (12.2)
      1. A Common Data Platform (12.2.1)
        1. ELSA (12.2.1.1)
        2. Data Reduction (12.2.1.2)
        3. Data Normalization (12.2.1.3)
        4. Data Archiving (12.2.1.4)
      2. Investigating Network Data (12.2.2)
        1. Working in Sguil (12.2.2.1)
        2. Sguil Queries (12.2.2.2)
        3. Pivoting from Sguil (12.2.2.3)
        4. Event Handling in Sguil (12.2.2.4)
        5. Working in ELSA (12.2.2.5)
        6. Queries in ELSA (12.2.2.6)
        7. Investigating Process or API Calls (12.2.2.7)
        8. Investigating File Details (12.2.2.8)
      3. Enhancing the Work of the Cybersecurity Analyst (12.2.3)
        1. Dashboards and Visualizations (12.2.3.1)
        2. Workflow Management (12.2.3.2)
    6. Digital Forensics (12.3)
      1. Evidence Handling and Attack Attribution (12.3.1)
        1. Digital Forensics (12.3.1.1)
        2. The Digital Forensics Process (12.3.1.2)
        3. Types of Evidence (12.3.1.3)
        4. Evidence Collection Order (12.3.1.4)
        5. Chain of Custody (12.3.1.5)
        6. Data Integrity and Preservation (12.3.1.6)
        7. Attack Attribution (12.3.1.7)
    7. Summary (12.4)
    8. Practice
    9. Check Your Understanding
  21. Chapter 13 Incident Response and Handling
    1. Objectives
    2. Key Terms
    3. Introduction (13.0)
    4. Incident Response Models (13.1)
      1. The Cyber Kill Chain (13.1.1)
        1. Steps of the Cyber Kill Chain (13.1.1.1)
        2. Reconnaissance (13.1.1.2)
        3. Weaponization (13.1.1.3)
        4. Delivery (13.1.1.4)
        5. Exploitation (13.1.1.5)
        6. Installation (13.1.1.6)
        7. Command and Control (13.1.1.7)
        8. Actions on Objectives (13.1.1.8)
      2. The Diamond Model of Intrusion (13.1.2)
        1. Diamond Model Overview (13.1.2.1)
        2. Pivoting Across the Diamond Model (13.1.2.2)
        3. The Diamond Model and the Cyber Kill Chain (13.1.2.3)
      3. The VERIS Schema (13.1.3)
        1. What Is the VERIS Schema? (13.1.3.1)
        2. Create a VERIS Record (13.1.3.2)
        3. Top-Level and Second-Level Elements (13.1.3.3)
        4. The VERIS Community Database (13.1.3.4)
    5. Incident Handling (13.2)
      1. CSIRTs (13.2.1)
        1. CSIRT Overview (13.2.1.1)
        2. Types of CSIRTs (13.2.1.2)
        3. CERT (13.2.1.3)
      2. NIST 800-61r2 (13.2.2)
        1. Establishing an Incident Response Capability (13.2.2.1)
        2. Incident Response Stakeholders (13.2.2.2)
        3. NIST Incident Response Life Cycle (13.2.2.3)
        4. Preparation (13.2.2.4)
        5. Detection and Analysis (13.2.2.5)
        6. Containment, Eradication, and Recovery (13.2.2.6)
        7. Post-Incident Activities (13.2.2.7)
        8. Incident Data Collection and Retention (13.2.2.8)
        9. Reporting Requirements and Information Sharing (13.2.2.9)
    6. Summary (13.3)
    7. Practice
    8. Check Your Understanding
  22. Appendix A Answers to the “Check Your Understanding” Questions
  23. Glossary
  24. Index
  25. Code Snippets
44.221.43.88