Chapter 1 Cybersecurity and the Security Operations Center
Trade Secrets and Global Politics (1.1.2.4)
How Secure Is the Internet of Things? (1.1.2.5)
Lost Competitive Advantage (1.1.3.2)
Politics and National Security (1.1.3.3)
Fighters in the War Against Cybercrime (1.2)
The Modern Security Operations Center (1.2.1)
Technologies in the SOC (1.2.1.4)
Enterprise and Managed Security (1.2.1.5)
Security vs. Availability (1.2.1.6)
Sources of Career Information (1.2.2.3)
Chapter 2 Windows Operating System
Disk Operating System (2.1.1.1)
Operating System Vulnerabilities (2.1.1.4)
Windows Architecture and Operations (2.1.2)
Hardware Abstraction Layer (2.1.2.1)
User Mode and Kernel Mode (2.1.2.2)
Windows File Systems (2.1.2.3)
Windows Boot Process (2.1.2.4)
Windows Startup and Shutdown (2.1.2.5)
Processes, Threads, and Services (2.1.2.6)
Memory Allocation and Handles (2.1.2.7)
The Windows Registry (2.1.2.8)
Windows Configuration and Monitoring (2.2.1)
Run as Administrator (2.2.1.1)
Local Users and Domains (2.2.1.2)
Windows Management Instrumentation (2.2.1.4)
Task Manager and Resource Monitor (2.2.1.6)
Accessing Network Resources (2.2.1.8)
Windows Update Management (2.2.2.3)
Local Security Policy (2.2.2.4)
Chapter 3 Linux Operating System
Working in the Linux Shell (3.1.2)
File and Directory Commands (3.1.2.3)
Working with Text Files (3.1.2.4)
The Importance of Text Files in Linux (3.1.2.5)
Linux Servers and Clients (3.1.3)
An Introduction to Client-Server Communications (3.1.3.1)
Servers, Services, and Their Ports (3.1.3.2)
Basic Server Administration (3.2.1)
Service Configuration Files (3.2.1.1)
Monitoring Service Logs (3.2.1.3)
The File System Types in Linux (3.2.2.1)
Linux Roles and File Permissions (3.2.2.2)
Hard Links and Symbolic Links (3.2.2.3)
Working with the Linux GUI (3.3.1)
Working on a Linux Host (3.3.2)
Installing and Running Applications on a Linux Host (3.3.2.1)
Keeping the System Up to Date (3.3.2.2)
Malware on a Linux Host (3.3.2.4)
Chapter 4 Network Protocols and Services
Network Communications Process (4.1.1)
Views of the Network (4.1.1.1)
Client-Server Communications (4.1.1.2)
A Typical Session: Student (4.1.1.3)
A Typical Session: Gamer (4.1.1.4)
A Typical Session: Surgeon (4.1.1.5)
Communications Protocols (4.1.2)
Network Protocol Suites (4.1.2.2)
The TCP/IP Protocol Suite (4.1.2.3)
Format, Size, and Timing (4.1.2.4)
Unicast, Multicast, and Broadcast (4.1.2.5)
Scenario: Sending and Receiving a Web Page (4.1.2.9)
Ethernet and Internet Protocol (IP) (4.2)
The Ethernet Protocol (4.2.1.1)
IPv4 Characteristics (4.2.2.2)
IPv4 Addressing Basics (4.2.3)
IPv4 Address Notation (4.2.3.1)
IPv4 Host Address Structure (4.2.3.2)
IPv4 Subnet Mask and Network Address (4.2.3.3)
Subnetting Broadcast Domains (4.2.3.4)
Types of IPv4 Addresses (4.2.4)
IPv4 Address Classes and Default Subnet Masks (4.2.4.1)
Reserved Private Addresses (4.2.4.2)
Host Forwarding Decision (4.2.5.1)
Using the Default Gateway (4.2.5.3)
IPv6 Size and Representation (4.2.6.2)
IPv6 Address Formatting (4.2.6.3)
Connectivity Verification (4.3)
ICMPv6 RS and RA Messages (4.3.1.2)
Ping and Traceroute Utilities (4.3.2)
Ping: Testing the Local Stack (4.3.2.1)
Ping: Testing Connectivity to the Local LAN (4.3.2.2)
Ping: Testing Connectivity to Remote Host (4.3.2.3)
Traceroute: Testing the Path (4.3.2.4)
Address Resolution Protocol (4.4)
Destination on the Same Network (4.4.1.1)
Destination on a Remote Network (4.4.1.2)
Removing Entries from an ARP Table (4.4.2.6)
ARP Tables on Networking Devices (4.4.2.7)
Transport Layer Characteristics (4.5.1)
Transport Layer Protocol Role in Network Communication (4.5.1.1)
Transport Layer Mechanisms (4.5.1.2)
TCP Local and Remote Ports (4.5.1.3)
Transport Layer Operation (4.5.2)
A TCP Session Part I: Connection Establishment and Termination (4.5.2.2)
A TCP Session Part II: Data Transfer (4.5.2.6)
DHCPv4 Message Format (4.6.1.2)
The DNS Domain Hierarchy (4.6.2.2)
The DNS Lookup Process (4.6.2.3)
Port Address Translation (4.6.3.3)
File Transfer and Sharing Services (4.6.4)
Chapter 5 Network Infrastructure
Network Communication Devices (5.1)
Hubs, Bridges, LAN Switches (5.1.1.8)
Multilayer Switching (5.1.1.13)
Wireless Communications (5.1.2)
Protocols and Features (5.1.2.2)
Wireless Network Operations (5.1.2.3)
The Client to AP Association Process (5.1.2.4)
Wireless Devices: AP, LWAP, WLC (5.1.2.6)
Network Security Infrastructure (5.2)
Firewall Type Descriptions (5.2.1.3)
Packet Filtering Firewalls (5.2.1.4)
Next-Generation Firewalls (5.2.1.6)
Intrusion Protection and Detection Devices (5.2.1.8)
Advantages and Disadvantages of IDS and IPS (5.2.1.9)
Specialized Security Appliances (5.2.1.11)
Traffic Control with ACLs (5.2.2.2)
ACLs: Important Features (5.2.2.3)
Overview of Network Components (5.3.1.1)
Physical and Logical Topologies (5.3.1.2)
The Three-Layer Network Design Model (5.3.1.5)
Common Security Architectures (5.3.1.7)
Chapter 6 Principles of Network Security
Attackers and Their Tools (6.1)
Who Is Attacking Our Network (6.1.1)
Threat, Vulnerability, and Risk (6.1.1.1)
Hacker vs. Threat Actor (6.1.1.2)
Evolution of Threat Actors (6.1.1.3)
Cyber Threat Indicators (6.1.1.6)
Introduction of Attack Tools (6.1.2.1)
Evolution of Security Tools (6.1.2.2)
Categories of Attacks (6.1.2.3)
Common Threats and Attacks (6.2)
Trojan Horse Classification (6.2.1.4)
Common Malware Behaviors (6.2.1.9)
Common Network Attacks (6.2.2)
Types of Network Attacks (6.2.2.1)
Reconnaissance Attacks (6.2.2.2)
Sample Reconnaissance Attacks (6.2.2.3)
Types of Access Attacks (6.2.2.5)
Social Engineering Attacks (6.2.2.6)
Phishing Social Engineering Attacks (6.2.2.7)
Strengthening the Weakest Link (6.2.2.8)
Denial-of-Service Attacks (6.2.2.10)
Example DDoS Attack (6.2.2.12)
Buffer Overflow Attack (6.2.2.13)
Chapter 7 Network Attacks: A Deeper Look
Network Monitoring and Tools (7.1)
Introduction to Network Monitoring (7.1.1)
Network Security Topology (7.1.1.1)
Monitoring the Network (7.1.1.2)
Traffic Mirroring and SPAN (7.1.1.4)
Introduction to Network Monitoring Tools (7.1.2)
Network Security Monitoring Tools (7.1.2.1)
Network Protocol Analyzers (7.1.2.2)
Attacking the Foundation (7.2)
IP Vulnerabilities and Threats (7.2.1)
The IPv4 Packet Header (7.2.1.2)
The IPv6 Packet Header (7.2.1.3)
Amplification and Reflection Attacks (7.2.1.7)
Address Spoofing Attacks (7.2.1.9)
TCP and UDP Vulnerabilities (7.2.2)
Web-Exposed Databases (7.3.2.3)
Chapter 8 Protecting the Network
Assets, Vulnerabilities, Threats (8.1.1.1)
Identify Vulnerabilities (8.1.1.3)
Security Onion and Security Artichoke Approaches (8.1.1.5)
Regulatory and Standard Compliance (8.1.2.4)
Access Control Concepts (8.2.1)
Communications Security: CIA (8.2.1.1)
Access Control Models (8.2.1.2)
AAA Usage and Operation (8.2.2)
Network Intelligence Communities (8.3.1.1)
Cisco Cybersecurity Reports (8.3.1.2)
Security Blogs and Podcasts (8.3.1.3)
Threat Intelligence Services (8.3.2)
Automated Indicator Sharing (8.3.2.3)
Common Vulnerabilities and Exposures Database (8.3.2.4)
Threat Intelligence Communication Standards (8.3.2.5)
Check Your Understanding Questions
Chapter 9 Cryptography and the Public Key Infrastructure
Securing Communications (9.1.1.1)
Cryptography: Ciphers (9.1.1.3)
Cryptanalysis: Code Breaking (9.1.1.4)
Integrity and Authenticity (9.1.2)
Cryptographic Hash Functions (9.1.2.1)
Cryptographic Hash Operation (9.1.2.2)
Hash Message Authentication Code (9.1.2.4)
Symmetric Encryption (9.1.3.2)
Symmetric Encryption Algorithms (9.1.3.3)
Asymmetric Encryption Algorithms (9.1.3.4)
Asymmetric Encryption: Confidentiality (9.1.3.5)
Asymmetric Encryption: Authentication (9.1.3.6)
Asymmetric Encryption: Integrity (9.1.3.7)
Public Key Infrastructure (9.2)
Public Key Cryptography (9.2.1)
Using Digital Signatures (9.2.1.1)
Digital Signatures for Code Signing (9.2.1.2)
Digital Signatures for Digital Certificates (9.2.1.3)
Authorities and the PKI Trust System (9.2.2)
Public Key Management (9.2.2.1)
The Public Key Infrastructure (9.2.2.2)
The PKI Authorities System (9.2.2.3)
The PKI Trust System (9.2.2.4)
Interoperability of Different PKI Vendors (9.2.2.5)
Certificate Enrollment, Authentication, and Revocation (9.2.2.6)
Applications and Impacts of Cryptography (9.2.3)
Encrypting Network Transactions (9.2.3.2)
Encryption and Security Monitoring (9.2.3.3)
Chapter 10 Endpoint Security and Analysis
Antimalware Protection (10.1.1)
Host-Based Malware Protection (10.1.1.3)
Network-Based Malware Protection (10.1.1.4)
Cisco Advanced Malware Protection (AMP) (10.1.1.5)
Host-Based Intrusion Protection (10.1.2)
Host-Based Firewalls (10.1.2.1)
Host-Based Intrusion Detection (10.1.2.2)
Application Blacklisting and Whitelisting (10.1.3.2)
System-Based Sandboxing (10.1.3.3)
Endpoint Vulnerability Assessment (10.2)
Network and Server Profiling (10.2.1)
Network Anomaly Detection (10.2.1.3)
Network Vulnerability Testing (10.2.1.4)
Common Vulnerability Scoring System (CVSS) (10.2.2)
CVSS Base Metric Group (10.2.2.3)
Other Vulnerability Information Sources (10.2.2.6)
Compliance Frameworks (10.2.3)
Compliance Regulations (10.2.3.1)
Overview of Regulatory Standards (10.2.3.2)
Secure Device Management (10.2.4)
Vulnerability Management (10.2.4.3)
Mobile Device Management (10.2.4.5)
Configuration Management (10.2.4.6)
Enterprise Patch Management (10.2.4.7)
Patch Management Techniques (10.2.4.8)
Information Security Management Systems (10.2.5)
Security Management Systems (10.2.5.1)
NIST Cybersecurity Framework (10.2.5.3)
Chapter 11 Security Monitoring
Technologies and Protocols (11.1)
Monitoring Common Protocols (11.1.1)
Security Technologies (11.1.2)
Encryption, Encapsulation, and Tunneling (11.1.2.3)
Peer-to-Peer Networking and Tor (11.1.2.4)
Types of Security Data (11.2.1)
Session and Transaction Data (11.2.1.2)
Full Packet Captures (11.2.1.3)
Apache HTTP Server Access Logs (11.2.2.4)
SIEM and Log Collection (11.2.2.6)
Application Visibility and Control (11.2.3.3)
Content Filter Logs (11.2.3.4)
Logging from Cisco Devices (11.2.3.5)
Chapter 12 Intrusion Data Analysis
Detection Tools for Collecting Alert Data (12.1.1.2)
Snort Rule Structure (12.1.1.6)
Overview of Alert Evaluation (12.1.2)
The Need for Alert Evaluation (12.1.2.1)
Deterministic Analysis and Probabilistic Analysis (12.1.2.3)
Working with Network Security Data (12.2)
A Common Data Platform (12.2.1)
Investigating Network Data (12.2.2)
Pivoting from Sguil (12.2.2.3)
Event Handling in Sguil (12.2.2.4)
Investigating Process or API Calls (12.2.2.7)
Investigating File Details (12.2.2.8)
Enhancing the Work of the Cybersecurity Analyst (12.2.3)
Dashboards and Visualizations (12.2.3.1)
Workflow Management (12.2.3.2)
Evidence Handling and Attack Attribution (12.3.1)
The Digital Forensics Process (12.3.1.2)
Evidence Collection Order (12.3.1.4)
Data Integrity and Preservation (12.3.1.6)
Chapter 13 Incident Response and Handling
Incident Response Models (13.1)
Steps of the Cyber Kill Chain (13.1.1.1)
Command and Control (13.1.1.7)
Actions on Objectives (13.1.1.8)
The Diamond Model of Intrusion (13.1.2)
Diamond Model Overview (13.1.2.1)
Pivoting Across the Diamond Model (13.1.2.2)
The Diamond Model and the Cyber Kill Chain (13.1.2.3)
What Is the VERIS Schema? (13.1.3.1)
Create a VERIS Record (13.1.3.2)
Top-Level and Second-Level Elements (13.1.3.3)
The VERIS Community Database (13.1.3.4)
Establishing an Incident Response Capability (13.2.2.1)
Incident Response Stakeholders (13.2.2.2)
NIST Incident Response Life Cycle (13.2.2.3)
Detection and Analysis (13.2.2.5)
Containment, Eradication, and Recovery (13.2.2.6)
Post-Incident Activities (13.2.2.7)
Incident Data Collection and Retention (13.2.2.8)
Reporting Requirements and Information Sharing (13.2.2.9)
Appendix A Answers to the “Check Your Understanding” Questions