Security Concepts
- Information security
- CIA triad
- Cybersecurity framework
- Gap analysis
- Access control
- IAM and AAA
Security Controls
- Security control categories
- Managerial, operational, technical, physical
- Security control functional types
- Preventive, detective, corrective plus directive, deterrent, compensating
- Information security roles and responsibilities
- Information security competencies
- Information security business units
- SOC, DevSecOps, and CIRT
Threat Actors
- Vulnerability, threat, and risk
- Attributes of threat actors
- Internal/external, level of sophistication/capability, resources/funding
- Motivations of threat actors
- Service disruption, data exfiltration, disinformation
- Chaotic, financial, political
- Hackers and hacktivists
- Nation-state actors and advanced persistent threats
- Organized crime and competitors
- Internal threat actors
Attack Surface
- Attack surface and vectors
- Vulnerable software
- Network vectors
- Remote versus local
- Direct access, wired, remote/wireless, cloud, Bluetooth, default credentials, open ports
- Lure-based vectors
- Devices, programs, documents, images
- Message-based vectors
- Email, SMS, IM, web/social media
- Supply chain attack surface
- Design, manufacture, distribution
Social Engineering
- Social engineering
- Human vectors
- Impersonation and pretexting
- Phishing and pharming
- Typosquatting
- Business email compromise
Cryptographic Algorithms
- Cryptographic concepts
- Symmetric encryption
- Same secret key encrypts and decrypts
- Key length
- Asymmetric encryption
- Public/private key pair
- Hashing
- Non-reversible
- Digital signatures
- Sign message hash with private key and validate with public key
Public Key Infrastructure
- Certificate authorities
- Digital certificates
- Root of trust
- Certificate signing requests
- Subject name attributes
- Certificate revocation
- Key management
- Cryptoprocessors and secure enclaves
- Key escrow
Cryptographic Solutions
- Encryption supporting confidentiality
- Disk and file encryption
- Database encryption
- Transport encryption and key exchange
- Perfect forward secrecy
- Salting and key stretching
- Blockchain
- Obfuscation
Authentication
- Authentication design
- Something you know/are/have
- Password concepts and password managers
- Multifactor authentication
- Biometric authentication
- Hard authentication tokens
- Smart cards, OTP generators, FIDO U2F
- Soft authentication tokens
- Two-step verification
- Passwordless authentication
Access Management
- Discretionary and mandatory access control
- Role-based and attribute-based access control
- Rule-based access control
- Least privilege permission assignments
- User account provisioning
- Identity proofing, secure credentials, asset allocation, policy/awareness training, permissions assignments
- Account attributes and access policies
- Account restrictions
- Location- and time-based
- Privileged access management
- Zero standing privileges and ephemeral/vaulted credentials
Enterprise Network Architecture
- Architecture and infrastructure concepts
- Media, applications/services, data supporting workflows
- Network infrastructure
- OSI layer model
- Switching and routing infrastructure considerations
- Security zones and attack surface
- Port security and physical isolation
- MAC filtering, 802.1X/EAP/RADIUS
- Architecture considerations
- Cost, compute/responsiveness, scalability/ease of deployment, availability, resilience/ease of recovery, power, patch availability, risk transference
Network Security Appliances
- Device placement
- Defense in depth plus use of preventive, detective, and corrective controls
- Device attributes
- Active versus passive, inline versus TAP/monitor, fail-open versus fail-closed
- Firewalls (layer 4/7)
- Proxy servers
- Intrusion detection systems
- Next-generation firewalls and unified threat management
- Load balancers
- Web application firewalls
- Remote access architecture
- Tunneling, client-to-site remote access VPN, site-to-site VPN
- Transport Layer Security (TLS) tunneling
- Internet Protocol Security (IPSec) tunneling
- Internet Key Exchange
- Remote Desktop
- Secure Shell
- Out-of-band management and jump servers