4. Security Operations
4.1 Given a scenario, apply common security techniques to computing resources.
Secure Baselines:
- Establish: Develop comprehensive security configurations and policies based on industry best practices and organizational requirements.
- Deploy: Implement the established secure baselines across all relevant systems, devices, and infrastructure components.
- Maintain: Regularly update and review secure baselines to address emerging threats, vulnerabilities, and changes in technology or business needs.
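The "maintain" step is where drift between the deployed configuration and the established baseline is caught. The following is an added example, not part of these study notes: it parses a host's sshd_config and reports every directive that deviates from an expected baseline. The baseline values and the sample configuration text are constructed for illustration; a real baseline would come from a published benchmark such as CIS or DISA STIG.

```python
"""Secure-baseline drift check: added example, not part of these study notes.

Compares a host's SSH daemon settings with an expected baseline and reports
every deviation, which is the "maintain" step of establish/deploy/maintain.
The baseline values and the sshd_config text are constructed here for
illustration; a real baseline comes from a benchmark such as CIS or DISA STIG.
"""

# Constructed baseline: directive -> required value.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sample of an sshd_config file pulled from a host.
SAMPLE_CONFIG = """\
# sshd_config sample (constructed)
PermitRootLogin yes
PasswordAuthentication no
#X11Forwarding no
MaxAuthTries 6
MaxAuthTries 3
"""


def parse_sshd_config(text: str) -> dict:
    """Return the effective directive/value pairs.

    Comments and blank lines are ignored. sshd honours the first occurrence
    of a keyword, so later duplicates are dropped to match that behaviour.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def check_baseline(config: dict, baseline: dict) -> list:
    """Return one finding per deviation as (directive, expected, actual).

    A directive absent from the file is reported with actual=None: a
    commented-out directive falls back to the daemon default, which may not
    be the hardened value, so absence is drift rather than a pass.
    """
    findings = []
    for key, expected in baseline.items():
        actual = config.get(key)
        if actual != expected:
            findings.append((key, expected, actual))
    return findings


def drift_report(text: str, baseline: dict = BASELINE) -> list:
    """Parse the configuration text and check it against the baseline."""
    return check_baseline(parse_sshd_config(text), baseline)


if __name__ == "__main__":
    for key, expected, actual in drift_report(SAMPLE_CONFIG):
        print(f"DRIFT {key}: expected {expected!r}, found {actual!r}")
```

Running this on the sample reports three deviations: root login enabled, X11Forwarding absent (so the daemon default applies), and MaxAuthTries set to 6. The same approach scales to any key/value configuration once the parser is swapped for the file format in question.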
Hardening Targets:
- Mobile Devices
- Workstations
- Switches
- Routers
- Cloud Infrastructure Servers
- ICS/SCADA
- Embedded Systems
- RTOS
- IoT Devices
Wireless Devices:
- Installation Considerations: Conduct site surveys and use heat maps to optimize wireless coverage and performance.
Mobile Solutions:
- Mobile Device Management (MDM): Implement MDM solutions to centrally manage and secure mobile devices, applications, and data.
Deployment Models:
- Bring Your Own Device (BYOD)
- Corporate-Owned, Personally Enabled (COPE)
- Choose Your Own Device (CYOD)
Connection Methods:
- Cellular
- Wi-Fi
- Bluetooth
Wireless Security Settings:
- Implement robust security measures such as:
- Wi-Fi Protected Access 3 (WPA3)
- AAA/RADIUS
- Cryptographic and authentication protocols
Application Security:
- Ensure application security through:
- Input validation
- Secure cookie handling
- Static code analysis
- Code signing
Sandboxing:
- Isolate applications from the rest of the system to prevent unauthorized access and mitigate the impact of potential security breaches.
Monitoring:
- Continuously monitor systems, networks, and applications for suspicious activities, anomalies, and security incidents to detect and respond to threats effectively.
4.2 Explain the security implications of proper hardware, software, and data asset management.
Acquisition/Procurement Process:
Assignment/Accounting:
- Ownership: Clearly define ownership of acquired assets to establish accountability and responsibility.
- Classification: Classify assets based on their importance, sensitivity, and criticality to ensure appropriate security measures.
Monitoring/Asset Tracking:
- Inventory: Maintain an inventory of all acquired assets, including hardware, software, and data, to facilitate efficient tracking and management.
- Enumeration: Enumerate assets by assigning unique identifiers to track their lifecycle, usage, and status accurately.
Disposal/Decommissioning:
- Sanitization: Implement proper data sanitization methods to securely remove sensitive information from decommissioned assets.
- Destruction: Physically destroy assets beyond recovery to prevent unauthorized access to confidential data.
- Certification: Obtain certifications or compliance documentation to validate the proper disposal of assets and adherence to regulatory requirements.
- Data Retention: Establish policies and procedures for data retention to determine the appropriate duration for storing and disposing of data securely.
4.3 Explain various activities associated with vulnerability management.
Identification Methods:
- Vulnerability Scan: Utilize automated tools to identify weaknesses and vulnerabilities in systems, networks, and applications.
Application Security:
- Static Analysis: Analyze source code or binary files without execution to identify security vulnerabilities.
- Dynamic Analysis: Assess applications during runtime to detect security flaws and vulnerabilities.
- Package Monitoring: Monitor software dependencies for known vulnerabilities and security issues.
Threat Feed:
- Open-Source Intelligence (OSINT): Gather intelligence from publicly available sources to identify potential threats and vulnerabilities.
- Proprietary/Third-Party: Subscribe to threat intelligence services or utilize proprietary feeds to stay updated on emerging threats.
- Information-Sharing Organization: Collaborate with industry peers to share threat intelligence and enhance collective security.
- Dark Web: Monitor underground forums and marketplaces to identify potential threats and indicators of compromise.
Penetration Testing:
- Simulate real-world attacks to identify vulnerabilities and assess the security posture of systems and networks.
Responsible Disclosure Program:
- Bug Bounty Program: Incentivize ethical hackers to report security vulnerabilities by offering rewards for valid submissions.
System/Process Audit:
- Conduct comprehensive reviews of systems, processes, and controls to identify security gaps and compliance issues.
Analysis:
- Confirmation:
- False Positive: Identify instances where a reported vulnerability does not pose an actual threat.
- False Negative: Recognize undetected vulnerabilities that represent genuine security risks.
- Prioritize: Assess and prioritize identified vulnerabilities based on their severity, impact, and exploitability.
- Common Vulnerability Scoring System (CVSS): Utilize a standardized framework to assess and score the severity of vulnerabilities.
- Common Vulnerability Enumeration (CVE): Reference unique identifiers assigned to vulnerabilities for tracking and management.
- Vulnerability Classification: Categorize vulnerabilities based on their nature, impact, and affected assets.
- Exposure Factor: Evaluate the potential impact of a vulnerability based on the percentage of assets or data exposed.
- Environmental Variables: Consider contextual factors such as network architecture, system configurations, and user behavior.
- Industry/Organizational Impact: Assess the potential consequences of a vulnerability within specific industry sectors or organizational contexts.
- Risk Tolerance: Determine the level of risk that an organization is willing to accept or tolerate.
Vulnerability Response and Remediation:
- Patching: Apply security patches and updates to remediate identified vulnerabilities promptly.
- Insurance: Transfer residual risk through insurance coverage against potential financial losses resulting from security incidents.
- Segmentation: Implement network segmentation to isolate vulnerable assets and contain potential threats.
- Compensating Controls: Implement alternative security measures to mitigate risks in the absence of direct remediation.
- Exceptions and Exemptions: Document and manage exceptions or exemptions to standard security policies or controls.
Validation of Remediation:
- Rescanning: Reassess systems and networks after applying remediation measures to verify effectiveness.
- Audit: Conduct audits and reviews to ensure compliance with security policies, standards, and regulatory requirements.
- Verification: Validate that identified vulnerabilities have been adequately addressed and mitigated.
- Reporting: Document and communicate findings, remediation efforts, and risk status to relevant stakeholders, management, and regulatory authorities.
4.4 Explain security alerting and monitoring concepts and tools.
Monitoring Computing Resources:
- Systems: Continuously monitor the health, performance, and security of servers, endpoints, and devices within the network infrastructure.
- Applications: Monitor the availability, functionality, and security of software applications deployed across the network.
- Infrastructure: Monitor the underlying network infrastructure components such as routers, switches, firewalls, and other network devices to ensure proper functioning and security.
Activities:
- Log Aggregation: Collect and consolidate logs from various sources, including systems, applications, and network devices, for centralized analysis and monitoring.
- Alerting: Set up alerts and notifications to promptly identify and respond to security incidents, anomalies, or deviations from established baselines.
- Scanning: Conduct regular scans of systems and networks to identify vulnerabilities, misconfigurations, and security weaknesses.
- Reporting: Generate reports and dashboards to provide insights into system performance, security posture, and compliance status.
- Archiving: Archive logs, reports, and other relevant data for historical analysis, compliance requirements, and forensic investigations.
Alert Response and Remediation/Validation:
- Quarantine: Isolate compromised systems or devices to prevent further spread of malware or unauthorized access.
- Alert Tuning: Fine-tune alerting thresholds and criteria to reduce false positives and focus on actionable alerts.
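Log aggregation, alerting and alert tuning come together in a threshold rule. The following is an added example, not part of these study notes: it parses constructed sshd-style authentication lines, counts failed logins per source address inside a sliding window, and raises one alert when a source crosses a threshold. The threshold, window and allow-list are the tuning knobs: lowering the threshold surfaces more activity, while raising it or allow-listing a known scanner's address cuts false positives. The log lines and addresses are constructed.

```python
"""Threshold alert with tuning over aggregated auth logs: added example, not
part of these study notes.

Parses constructed sshd-style lines, counts failed logins per source address
inside a sliding window, and raises an alert when the count reaches a tunable
threshold. The threshold, window and allow-list are the tuning parameters.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like, one auth event each).
SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd[100]: Failed password for invalid user admin from 203.0.113.5 port 4001
2024-03-01T10:00:03 host1 sshd[101]: Failed password for root from 203.0.113.5 port 4002
2024-03-01T10:00:04 host1 sshd[102]: Accepted publickey for alice from 198.51.100.7 port 5000
2024-03-01T10:00:06 host1 sshd[103]: Failed password for root from 203.0.113.5 port 4003
2024-03-01T10:00:07 host1 sshd[104]: Failed password for bob from 192.0.2.9 port 6000
2024-03-01T10:00:09 host1 sshd[105]: Failed password for root from 203.0.113.5 port 4004
2024-03-01T10:00:10 host1 sshd[106]: Failed password for root from 203.0.113.5 port 4005
2024-03-01T10:09:00 host1 sshd[107]: Failed password for bob from 192.0.2.9 port 6001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"\S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_auth_log(text: str) -> list:
    """Return one dict per matching line (ts, host, outcome, user, src).

    Lines that do not match the pattern are skipped rather than crashing the
    pipeline, because a real aggregator sees many formats.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5), allowlist=()):
    """Return alerts as (src, failure_count, timestamp).

    An alert fires the moment a source reaches `threshold` failures within
    `window`; it fires again only after the count has dropped below the
    threshold, so a sustained burst produces one alert rather than one per line.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    alerts = []
    alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "Failed" or ev["src"] in allowlist:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()                      # expire failures outside the window
        if len(q) >= threshold:
            if ev["src"] not in alerted:
                alerts.append((ev["src"], len(q), ev["ts"]))
                alerted.add(ev["src"])
        else:
            alerted.discard(ev["src"])       # allow re-alerting on a fresh burst
    return alerts


if __name__ == "__main__":
    for src, count, ts in detect_bruteforce(parse_auth_log(SAMPLE_LOG)):
        print(f"ALERT {ts.isoformat()} {src}: {count} failed logins in window")
```

With the defaults the sample produces a single alert for 203.0.113.5; 192.0.2.9 never alerts because its two failures are nine minutes apart. Tightening the threshold to 3 moves the alert earlier, and allow-listing 203.0.113.5 (as one would for an authorized scanner) silences it.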
Tools:
- Security Content Automation Protocol (SCAP): Standardized protocol for automating vulnerability management, security measurement, and policy compliance evaluation.
- Benchmarks: Use security benchmarks and best practices to assess and measure the security configuration of systems and applications.
- Agents/Agentless: Employ monitoring agents or agentless solutions to collect and transmit data for analysis and reporting.
- Security Information and Event Management (SIEM): Centralized platform for collecting, correlating, and analyzing security event data from various sources for threat detection and response.
- Antivirus: Deploy antivirus software to detect, prevent, and remove malicious software and threats from systems and networks.
- Data Loss Prevention (DLP): Implement DLP solutions to monitor and prevent unauthorized access, use, or transmission of sensitive data.
- Simple Network Management Protocol (SNMP) Traps: Utilize SNMP traps to monitor and manage network devices and receive notifications about significant events or conditions.
- NetFlow: Analyze NetFlow data to monitor network traffic patterns, identify anomalies, and detect potential security threats.
- Vulnerability Scanners: Use automated vulnerability scanning tools to identify security vulnerabilities and weaknesses within systems, applications, and networks.
4.5 Given a scenario, modify enterprise capabilities to enhance security.
Firewall:
- Rules: Define policies and regulations governing traffic flow between networks, specifying what is allowed or denied based on predefined criteria.
- Access Lists: Lists of rules that determine which traffic is permitted or denied based on source and destination IP addresses, ports, and protocols.
- Ports/Protocols: Manage network traffic by controlling access to specific ports and protocols, preventing unauthorized communication.
- Screened Subnets: Implement security zones with layered defenses, typically consisting of a screening router or firewall between internal and external networks.
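Firewall rules and access lists are evaluated in order, and the first match wins, with an implicit deny if nothing matches. The following is an added example, not part of these study notes: it models that evaluation for a small screened-subnet ruleset and shows why rule order matters. The rules, addresses and packets are constructed for illustration.

```python
"""First-match access list evaluation: added example, not part of these
study notes.

Models how a packet-filtering firewall walks an ordered rule list and applies
the first rule that matches, ending in an implicit deny. The ruleset,
addresses and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass


def _in_net(ip: str, cidr: str) -> bool:
    """True when `ip` falls inside `cidr`; the keyword 'any' matches everything."""
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp", "icmp" or "any"
    src: str             # CIDR such as "10.0.0.0/8", or "any"
    dst: str
    dport: object        # int, (low, high) inclusive range, or "any"
    comment: str = ""

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if not _in_net(src_ip, self.src) or not _in_net(dst_ip, self.dst):
            return False
        if self.dport == "any":
            return True
        if isinstance(self.dport, tuple):
            low, high = self.dport
            return low <= dport <= high
        return dport == self.dport


def evaluate(rules, proto: str, src_ip: str, dst_ip: str, dport: int):
    """Return (action, matching_rule); ('deny', None) is the implicit deny."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, rule
    return "deny", None


# Constructed ruleset on the outside interface of a screened subnet:
# drop packets claiming an internal source, allow only HTTPS to the web
# tier and DNS to the resolver, allow SSH from the admin network only.
RULES = [
    Rule("deny", "any", "10.0.0.0/8", "any", "any", "anti-spoof: internal range arriving from outside"),
    Rule("permit", "tcp", "any", "192.0.2.10/32", 443, "public HTTPS to web tier"),
    Rule("permit", "tcp", "198.51.100.0/24", "192.0.2.0/24", 22, "admin SSH"),
    Rule("permit", "udp", "any", "192.0.2.53/32", 53, "DNS to resolver"),
    Rule("permit", "tcp", "any", "192.0.2.20/32", (8000, 8010), "app tier port range"),
]


if __name__ == "__main__":
    cases = [
        ("tcp", "203.0.113.5", "192.0.2.10", 443),
        ("tcp", "203.0.113.5", "192.0.2.10", 22),
        ("tcp", "10.1.2.3", "192.0.2.10", 443),
        ("tcp", "198.51.100.9", "192.0.2.20", 22),
    ]
    for case in cases:
        action, rule = evaluate(RULES, *case)
        print(case, "->", action, "" if rule is None else f"({rule.comment})")
```

Because the anti-spoof rule sits first, a packet with a 10.0.0.0/8 source is dropped even though the HTTPS rule below would have permitted it; placing the same rule last would silently change the outcome, which is why rule order is part of the review when an access list is changed.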
IDS/IPS (Intrusion Detection/Prevention Systems):
- Trends: Analyze patterns and behaviors to detect and prevent potential security threats and attacks in real-time.
- Signatures: Use predefined patterns or signatures to identify known threats and malicious activities within network traffic.
Web Filter:
- Agent-Based: Deploy software agents on endpoints to monitor and filter web traffic based on predefined policies and rules.
- Centralized Proxy: Route web traffic through a central proxy server to enforce web filtering policies, content categorization, and access control.
- URL Scanning: Inspect URLs in web traffic to identify and block malicious or suspicious websites based on reputation and content.
- Content Categorization: Classify web content into categories to enforce browsing policies and restrict access to inappropriate or unauthorized sites.
- Block Rules: Define rules to block access to specific websites, web applications, or content categories based on policy requirements.
- Reputation: Evaluate the reputation of websites and URLs to determine the risk level associated with accessing them.
Operating System Security:
- Group Policy: Use Group Policy to enforce security settings, configurations, and restrictions across Windows-based systems within a network.
- SELinux (Security-Enhanced Linux): Implement mandatory access control policies to confine processes and enforce security policies on Linux-based systems.
Implementation of Secure Protocols:
- Protocol Selection: Choose secure communication protocols (e.g., HTTPS, SSH) to encrypt data in transit and authenticate communication channels.
- Port Selection: Configure firewall rules to allow only essential ports for secure protocols, blocking unnecessary or vulnerable ports.
- Transport Method: Ensure secure transport methods (e.g., TLS/SSL) are used to encrypt data transmission and protect against interception and tampering.
DNS Filtering:
- Filter and block malicious or unauthorized DNS requests to prevent access to malicious domains and mitigate DNS-related threats.
Email Security:
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): Protocol for email authentication and reporting to detect and prevent email spoofing and phishing attacks.
- DKIM (DomainKeys Identified Mail): Mechanism to verify the authenticity of email messages by adding digital signatures to email headers.
- SPF (Sender Policy Framework): Authentication method that verifies the sender’s domain and prevents email spoofing by defining authorized mail servers.
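SPF and DKIM each answer a narrow question (was the sending server authorized, is the signature valid); DMARC ties them to the domain the user actually sees in the From: header and tells the receiver what to do on failure. The following is an added example, not part of these study notes: it evaluates the DMARC result from SPF and DKIM outcomes, handling strict versus relaxed alignment and the published policy. The DMARC TXT records and message results are constructed; a real receiver looks the records up in DNS and determines the organizational domain from the Public Suffix List rather than by the simplified rule used here.

```python
"""DMARC evaluation from SPF and DKIM results: added example, not part of
these study notes.

A receiving mail server combines the SPF and DKIM outcomes with the RFC 5322
From: domain and the sender's published DMARC policy. The DNS TXT records and
message results below are constructed.
"""

# Constructed DMARC TXT records keyed by domain (the _dmarc. label omitted).
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=quarantine; pct=100",
}


def parse_dmarc(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict; alignment defaults to relaxed."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, _, value = part.partition("=")
        tags[tag.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Assumption for this example only: a real receiver consults the Public
    Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   records=DMARC_RECORDS):
    """Return (dmarc_result, disposition).

    dmarc_result is 'pass', 'fail' or 'none' (no policy published). DMARC
    passes when at least one of SPF or DKIM both passes and is aligned with
    the From: domain; on failure the published p= policy is the disposition.
    """
    txt = records.get(from_domain.lower())
    if txt is None:
        return "none", "none"
    policy = parse_dmarc(txt)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]


if __name__ == "__main__":
    # Constructed cases: (From: domain, SPF result, SPF domain, DKIM result, DKIM d=)
    cases = [
        ("example.com", "pass", "bounce.example.com", "pass", "example.com"),
        ("example.com", "pass", "other.example.org", "none", ""),
        ("example.com", "fail", "", "pass", "mail.example.com"),
        ("example.net", "pass", "example.net", "none", ""),
    ]
    for case in cases:
        print(case, "->", evaluate_dmarc(*case))
```

The third case is the one that surprises people: DKIM passes, but example.com publishes adkim=s, so a signature from mail.example.com is not aligned and the message fails with a reject disposition. Relaxed alignment (the default) would have accepted it.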
File Integrity Monitoring:
- Monitor and detect unauthorized changes or modifications to files and system configurations to prevent tampering and unauthorized access.
DLP (Data Loss Prevention):
- Implement policies and controls to prevent unauthorized access, use, or transmission of sensitive data across networks and endpoints.
NAC (Network Access Control):
- Enforce security policies and controls to regulate access to network resources based on the identity and compliance status of endpoints and users.
EDR/XDR (Endpoint Detection and Response/Extended Detection and Response):
- Continuously monitor and respond to security threats and suspicious activities on endpoints, providing advanced threat detection, investigation, and response capabilities.
User Behavior Analytics:
- Analyze user behavior patterns and activities to detect anomalies, identify insider threats, and mitigate security risks associated with user actions.
4.6 Given a scenario, implement and maintain identity and access management.
Provisioning/De-provisioning User Accounts:
- Permission Assignments and Implications: Define user permissions and access rights based on job roles and responsibilities, ensuring users have the appropriate level of access to resources.
- Identity Proofing: Verify the identity of users before granting access to sensitive systems or data, typically through methods such as identity verification questions or biometric authentication.
- Federation: Enable single sign-on (SSO) across multiple domains or organizations by allowing users to access resources using their credentials from a trusted identity provider.
- Single Sign-On (SSO): Provide users with seamless access to multiple applications and services using a single set of login credentials, reducing the need for multiple passwords.
- LDAP (Lightweight Directory Access Protocol): Protocol used for accessing and managing directory information services, often used for centralized user authentication.
- OAuth (Open Authorization): Protocol for authorization, allowing users to grant third-party applications limited access to their resources without revealing their credentials.
- SAML (Security Assertion Markup Language): XML-based standard for exchanging authentication and authorization data between identity providers and service providers.
- Interoperability: Ensure compatibility and seamless integration between different identity and access management systems and protocols.
- Attestation: Verify the accuracy and validity of user permissions and access rights through regular reviews and audits.
Access Controls:
- Mandatory Access Control: Enforce access restrictions based on security labels assigned to users and resources, typically used in highly secure environments.
- Discretionary Access Control: Allow resource owners to determine access permissions for users based on their discretion.
- Role-Based Access Control: Assign access rights to users based on their roles within an organization, streamlining access management and ensuring least privilege.
- Rule-Based Access Control: Define access rules and policies based on specific conditions or criteria.
- Attribute-Based Access Control: Determine access rights based on user attributes such as job title, department, or location.
- Time-of-Day Restrictions: Restrict user access to resources based on specific time periods or schedules.
- Least Privilege: Grant users the minimum level of access required to perform their job functions, reducing the risk of unauthorized access and privilege escalation.
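The access control models above are usually layered rather than chosen one at a time: a role grants a permission, attribute and time-of-day rules can still refuse it, and anything no role grants is denied by default. The following is an added example, not part of these study notes: a small authorization function combining role-based, attribute-based and time-of-day checks, where every deny names the control that fired. The users, roles, resources and timestamps are constructed.

```python
"""Layered access decision (RBAC + attribute rules + time-of-day): added
example, not part of these study notes.

Roles map to permissions; anything not granted by a role is denied (least
privilege). Attribute rules on the resource (department, location) and a
working-hours window can further restrict a grant. All data is constructed.
"""
from datetime import datetime, time

# Role -> permissions (RBAC). Permissions not listed are implicitly denied.
ROLE_PERMISSIONS = {
    "analyst": {"siem:read", "ticket:read", "ticket:write"},
    "helpdesk": {"ticket:read", "ticket:write"},
    "admin": {"siem:read", "siem:admin", "ticket:read", "ticket:write", "user:create"},
}

# Constructed user directory with attributes used by the attribute rules.
USERS = {
    "alice": {"roles": {"analyst"}, "department": "security", "location": "HQ"},
    "bob": {"roles": {"helpdesk"}, "department": "it", "location": "Remote"},
    "carol": {"roles": {"admin"}, "department": "security", "location": "HQ"},
    "dave": {"roles": {"admin"}, "department": "it", "location": "Remote"},
}

# Constructed resources; each entry lists the extra rules that apply to it.
RESOURCES = {
    "siem": {"department": "security", "hours": (time(7, 0), time(19, 0))},
    "ticket": {},
    "user": {"location": "HQ"},
}


def has_role_permission(user: dict, permission: str) -> bool:
    """True if any of the user's roles grants the permission."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in user["roles"])


def within_hours(now: datetime, window) -> bool:
    """Time-of-day window check; a window that crosses midnight is handled too."""
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def authorize(username: str, resource: str, action: str, now: datetime):
    """Return (allowed, reason). Checks run from cheapest to most contextual."""
    user = USERS.get(username)
    res = RESOURCES.get(resource)
    if user is None or res is None:
        return False, "unknown user or resource"
    if not has_role_permission(user, f"{resource}:{action}"):
        return False, "no role grants this permission (least privilege)"
    for attr in ("department", "location"):
        if attr in res and user.get(attr) != res[attr]:
            return False, f"attribute rule: {attr} must be {res[attr]}"
    if "hours" in res and not within_hours(now, res["hours"]):
        return False, "time-of-day restriction"
    return True, "allowed"


def at(hour: int) -> datetime:
    """Constructed timestamp helper: the given hour on 2024-03-01."""
    return datetime(2024, 3, 1, hour, 0)


if __name__ == "__main__":
    for who, res, act, when in [("alice", "siem", "read", at(10)), ("alice", "siem", "read", at(22)),
                                ("bob", "siem", "read", at(10)), ("dave", "user", "create", at(10))]:
        print(who, res, act, when.time(), "->", authorize(who, res, act, when))
```

Note that dave holds the admin role yet is refused both siem:read (wrong department) and user:create (not at HQ): the role is necessary but not sufficient, which is how attribute rules keep a broad role from becoming a blanket grant.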
Multifactor Authentication (MFA):
- Implementations: Enhance authentication security by requiring users to provide multiple forms of verification before accessing resources.
- Biometrics: Authenticate users based on unique biological characteristics such as fingerprints, iris patterns, or facial recognition.
- Hard/Soft Authentication Tokens: Generate one-time passwords or cryptographic keys to verify user identity.
- Security Keys: Physical devices used for authentication, such as USB tokens or smart cards.
- Factors: Utilize different factors to verify user identity, including something you know (e.g., password), something you have (e.g., smartphone), something you are (e.g., fingerprint), and somewhere you are (e.g., geolocation).
Password Concepts:
- Password Best Practices: Implement password policies to ensure strong passwords, including requirements for length, complexity, expiration, and prevention of password reuse.
- Password Managers: Tools that securely store and manage passwords, providing users with a convenient and secure way to access their credentials.
- Passwordless: Authentication methods that eliminate the need for traditional passwords, such as biometric authentication or hardware tokens.
Privileged Access Management Tools:
- Just-in-Time Permissions: Grant temporary access to privileged accounts only when needed, reducing the risk of misuse or unauthorized access.
- Password Vaulting: Securely store and manage privileged account passwords, allowing authorized users to access them when necessary.
- Ephemeral Credentials: Dynamically generate and assign temporary credentials to users for specific tasks or sessions, reducing the risk of credential theft or misuse.
4.7 Explain the importance of automation and orchestration related to secure operations.
Use Cases of Automation and Scripting:
- User Provisioning: Automate the process of creating and configuring user accounts, including permissions and access rights.
- Resource Provisioning: Automatically provision resources such as virtual machines, storage, and networking components based on predefined templates or scripts.
- Guard Rails: Implement automated controls and policies to ensure compliance with security standards and prevent unauthorized actions.
- Security Groups: Automate the management of security groups and access controls to enforce least privilege and segmentation.
- Ticket Creation: Automatically generate tickets for incidents, requests, or changes, streamlining the workflow for IT operations and support teams.
- Escalation: Automatically escalate alerts or incidents to the appropriate personnel or teams based on predefined criteria.
- Enabling/Disabling Services and Access: Automate the process of enabling or disabling services, features, or access rights based on user roles, events, or policies.
- Continuous Integration and Testing: Automate the build, integration, and testing processes for software development, ensuring rapid and reliable delivery of updates and improvements.
- Integrations and APIs: Use automation and scripting to integrate different systems and applications through APIs, enabling seamless data exchange and communication.
Benefits:
- Efficiency/Time Saving: Automation reduces manual effort and human error, allowing tasks to be completed faster and more reliably.
- Enforcing Baselines: Automation helps enforce standardized configurations and security baselines across the infrastructure, reducing the risk of misconfigurations and vulnerabilities.
- Standard Infrastructure Configurations: Automation ensures consistency in infrastructure deployment and configuration, facilitating management and troubleshooting.
- Scaling in a Secure Manner: Automated scaling enables the infrastructure to adapt to changing demand while maintaining security and compliance requirements.
- Employee Retention: Automation reduces repetitive and mundane tasks, improving job satisfaction and retention among IT personnel.
- Reaction Time: Automated responses to security incidents or events can significantly reduce the time between detection and response, enhancing overall security posture.
- Workforce Multiplier: Automation allows organizations to achieve more with existing resources by automating routine tasks and freeing up personnel for higher-value activities.
Other Considerations:
- Complexity: Automation introduces complexity, requiring careful planning and management to ensure reliability and maintainability.
- Cost: While automation can lead to cost savings in the long run, there may be initial investments in tools, training, and infrastructure.
- Single Point of Failure: Overreliance on automation systems can create single points of failure, necessitating redundancy and failover mechanisms.
- Technical Debt: Poorly designed or implemented automation solutions can lead to technical debt, requiring ongoing maintenance and refactoring.
- Ongoing Supportability: Automation systems require ongoing monitoring, maintenance, and updates to remain effective and secure over time.
4.8 Explain appropriate incident response activities.
Process:
- Preparation: Establishing policies, procedures, and resources to effectively respond to security incidents. This includes developing incident response plans, assembling response teams, and implementing necessary tools and technologies.
- Detection: Identifying and detecting security incidents through various means such as intrusion detection systems (IDS), security information and event management (SIEM) tools, and user reports.
- Analysis: Investigating and analyzing the nature and scope of security incidents to understand their impact, determine the root cause, and assess the severity of the situation.
- Containment: Implementing measures to contain and prevent further spread or damage caused by the security incident. This may involve isolating affected systems, disabling compromised accounts, or blocking malicious network traffic.
- Eradication: Removing the root cause of the security incident from the affected systems and networks. This may involve patching vulnerabilities, removing malware, or restoring affected data from backups.
- Recovery: Restoring affected systems, data, and services to normal operation following a security incident. This includes verifying the integrity of restored assets and ensuring that any residual risks are mitigated.
- Lessons Learned: Conducting post-incident reviews to identify areas for improvement, update incident response plans, and share insights with relevant stakeholders to enhance future incident response efforts.
Training:
Providing ongoing training and awareness programs to ensure that personnel are prepared to respond effectively to security incidents and adhere to established incident response procedures.
Testing:
- Tabletop Exercise: Simulated scenarios where incident response team members discuss and walk through their responses to hypothetical security incidents in a collaborative and interactive manner.
- Simulation: Realistic simulations of security incidents to evaluate the effectiveness of incident response plans, procedures, and personnel under simulated conditions.
Root Cause Analysis:
Investigating the underlying causes of security incidents to identify systemic issues, vulnerabilities, or weaknesses in the organization’s security posture and implement corrective actions to prevent similar incidents in the future.
Threat Hunting:
Proactively searching for signs of malicious activity or security threats within the organization’s networks and systems using various tools, techniques, and data analysis methods.
Digital Forensics:
- Legal Hold: Implementing measures to preserve potential evidence related to a security incident to ensure its integrity and admissibility in legal proceedings.
- Chain of Custody: Documenting the chronological history of evidence from the time it is collected until it is presented in court, ensuring its integrity and authenticity.
- Acquisition: Gathering and collecting digital evidence from various sources, including systems, networks, and storage devices, using forensically sound methods.
- Reporting: Documenting findings, analysis, and conclusions from digital forensic investigations in comprehensive reports suitable for internal review and legal purposes.
- Preservation: Ensuring the integrity and security of digital evidence throughout the forensic investigation process to prevent tampering, alteration, or loss.
- E-discovery: Identifying, collecting, and preparing electronically stored information (ESI) for legal proceedings, including litigation, regulatory inquiries, and internal investigations.
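Preservation and chain of custody are demonstrated with cryptographic hashes: the evidence is hashed at acquisition, and every hand-off re-hashes the copy being transferred so that any alteration is detected and the record shows exactly where it occurred. The following is an added example, not part of these study notes: a minimal append-only custody record using SHA-256. The evidence bytes, custodians and timestamps are constructed.

```python
"""Evidence acquisition record with integrity hashes: added example, not part
of these study notes.

Hashing the acquired data at collection time and re-hashing it at every
hand-off is how preservation and chain of custody are shown: a changed byte
changes the digest, and the record identifies the hand-off where it broke.
The evidence bytes, custodians and timestamps are constructed.
"""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    """Append-only log of who held the evidence, when, and what it hashed to."""

    def __init__(self, evidence_id: str, data: bytes, collector: str, collected_at: datetime):
        self.evidence_id = evidence_id
        self.original_hash = sha256_hex(data)     # reference digest taken at acquisition
        self.entries = [{"action": "acquired", "by": collector, "at": collected_at,
                         "hash": self.original_hash, "verified": True}]

    def transfer(self, data: bytes, to: str, at: datetime) -> bool:
        """Record a hand-off; re-hash the copy handed over and flag any mismatch."""
        digest = sha256_hex(data)
        ok = digest == self.original_hash
        self.entries.append({"action": "transferred", "by": to, "at": at,
                             "hash": digest, "verified": ok})
        return ok

    def intact(self) -> bool:
        """True only if every hand-off reproduced the acquisition digest."""
        return all(e["verified"] for e in self.entries)

    def first_break(self):
        """The entry where integrity first failed, or None."""
        for e in self.entries:
            if not e["verified"]:
                return e
        return None


# Constructed evidence: not a real image, just bytes to hash.
EVIDENCE = b"constructed sample: not a real disk image\x00\x01\x02"
TAMPERED = EVIDENCE + b"\x00"


def demo_chain(tamper: bool = True) -> CustodyRecord:
    """Acquire, hand to the locker, hand to the lab; optionally corrupt the lab copy."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    rec = CustodyRecord("EV-0001", EVIDENCE, "first responder", t0)
    rec.transfer(EVIDENCE, "evidence locker", t0.replace(hour=11))
    rec.transfer(TAMPERED if tamper else EVIDENCE, "forensic lab", t0.replace(hour=14))
    return rec


if __name__ == "__main__":
    rec = demo_chain()
    for e in rec.entries:
        print(e["at"].isoformat(), e["action"], e["by"], e["hash"][:16], "OK" if e["verified"] else "MISMATCH")
    print("intact:", rec.intact())
```

In practice the same digest is written on the evidence form and into the case file, and tools such as write-blockers keep the acquisition itself from altering the source; the record above is the bookkeeping that makes a mismatch attributable to a specific custodian and time.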
4.9 Given a scenario, use data sources to support an investigation.
Log Data:
- Firewall Logs: Records of activities and events related to network traffic passing through a firewall, including allowed and denied connections, intrusion attempts, and policy violations.
- Application Logs: Records generated by applications detailing their activities, errors, and user interactions, providing insights into application behavior and performance.
- Endpoint Logs: Records generated by endpoints (e.g., desktops, laptops, servers) detailing user activities, system events, and security-related events such as login attempts, file access, and malware detection.
- OS-Specific Security Logs: Logs generated by operating systems containing security-related events such as authentication events, privilege changes, system file modifications, and audit trail records.
- IPS/IDS Logs: Logs generated by Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) containing information about detected threats, attack signatures, and alerts triggered by suspicious network activities.
- Network Logs: Logs generated by network devices such as routers, switches, and proxies, containing information about network traffic, connections, bandwidth usage, and network security events.
- Metadata: Additional information associated with log entries, such as timestamps, source and destination IP addresses, user identifiers, event IDs, and severity levels, enhancing the context and analysis of log data.
Data Sources:
- Vulnerability Scans: Results and reports generated by vulnerability scanning tools, identifying security vulnerabilities, misconfigurations, and potential weaknesses within systems and networks.
- Automated Reports: Scheduled or automated reports generated by security tools, systems, and monitoring solutions, providing summaries, trends, and analysis of security events and activities.
- Dashboards: Visual representations of log data, metrics, and key performance indicators (KPIs) displayed in real-time or near real-time, enabling security analysts to monitor and analyze security posture and trends.
- Packet Captures: Records of network traffic captured and stored for analysis, allowing security analysts to inspect packet contents, detect anomalies, and investigate network security incidents.
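Investigations rarely rest on one source: a firewall record shows which internal host reached an address of interest, the asset inventory maps that address to a host name, and the endpoint log shows what ran on that host around the same time. The following is an added example, not part of these study notes: it parses two differently formatted constructed logs, normalizes them to a common record carrying source metadata, and builds a single timeline around a pivot IP address. The log lines, host names and addresses are constructed.

```python
"""Cross-source timeline for an investigation: added example, not part of
these study notes.

Pulls firewall lines that mention a pivot address, maps the internal source
to a host via a constructed inventory, adds endpoint events from that host
within a time window, and orders everything into one timeline. Both log
samples are constructed; formats vary by vendor, hence separate parsers.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed firewall export: timestamp,action,src,dst,dport,proto
FIREWALL_LOG = """\
2024-03-01T12:00:05,allow,10.0.5.23,203.0.113.77,443,tcp
2024-03-01T12:00:09,deny,10.0.5.23,203.0.113.77,4444,tcp
2024-03-01T12:01:30,allow,10.0.9.4,198.51.100.20,443,tcp
"""

# Constructed endpoint log: space-separated key=value pairs
ENDPOINT_LOG = """\
ts=2024-03-01T11:59:58 host=ws-023 user=bob event=process_start image=winword.exe
ts=2024-03-01T12:00:03 host=ws-023 user=bob event=process_start image=powershell.exe
ts=2024-03-01T12:00:12 host=ws-023 user=bob event=file_write path=C:\\Users\\bob\\AppData\\update.dat
ts=2024-03-01T12:03:00 host=ws-009 user=eve event=process_start image=outlook.exe
"""

# Constructed asset inventory (see 4.2): which host holds which address.
HOST_BY_IP = {"10.0.5.23": "ws-023", "10.0.9.4": "ws-009"}


def parse_firewall(text: str) -> list:
    """Normalize firewall rows to {ts, source, host, summary, dst}."""
    out = []
    for ts, action, src, dst, dport, proto in csv.reader(StringIO(text)):
        out.append({"ts": datetime.fromisoformat(ts), "source": "firewall",
                    "host": HOST_BY_IP.get(src, src),
                    "summary": f"{action} {src}->{dst}:{dport}/{proto}", "dst": dst})
    return out


def parse_endpoint(text: str) -> list:
    """Normalize endpoint key=value lines to the same record shape."""
    out = []
    for line in text.splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split(" "))
        out.append({"ts": datetime.fromisoformat(kv.pop("ts")), "source": "endpoint",
                    "host": kv.pop("host"),
                    "summary": " ".join(f"{k}={v}" for k, v in kv.items()), "dst": None})
    return out


def timeline_for(indicator_ip: str, fw_text: str = FIREWALL_LOG, ep_text: str = ENDPOINT_LOG,
                 window: timedelta = timedelta(minutes=2)) -> list:
    """Firewall hits on the indicator plus endpoint events on those hosts within `window`."""
    hits = [r for r in parse_firewall(fw_text) if r["dst"] == indicator_ip]
    hosts = {r["host"] for r in hits}
    related = [r for r in parse_endpoint(ep_text)
               if r["host"] in hosts and any(abs(r["ts"] - h["ts"]) <= window for h in hits)]
    return sorted(hits + related, key=lambda r: r["ts"])


if __name__ == "__main__":
    for r in timeline_for("203.0.113.77"):
        print(r["ts"].isoformat(), f'{r["source"]:8s}', r["host"], r["summary"])
```

The output interleaves the two sources in time order for ws-023 only; the unrelated outlook.exe start on ws-009 is left out because that host never contacted the pivot address. Widening the window or adding a third parser (for proxy or DNS logs, say) extends the same timeline without changing the correlation logic.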
