8. Exam Essentials for Malicious Code and Application Attacks

Understand the propagation techniques used by viruses. File Inflection, service injection, boot sector infection, macro infection.

Most antivirus programs use signature-based detection algorithms to look for telltale patterns of known viruses. It’s essential to update virus definition files in order to maintain protection against newly authored viruses as they emerge.

Passwords are the most common access control mechanism in use today and it is essential that you understand how to protect against attackers who seek to undermine their security. Understand password crackers, dictionary attacks and social engineering and how they are used to defeat password security.

Application attacks are one of the greatest threats to modern computing. Attackers exploit buffer overflows, trap doors, time of check to time of use vulnerabilities and rootkits to gain illegitimate access to a system.

As applications move to the web, developers and security professionals must understand the new types of attacks that exist in this environment and how to protect against them. The most common are xss and sql injection attacks.

Before launching an attack, attackers use IP sweeps to search out active hosts on a network, then port scan, then vulnerability probe which they attack weaknesses found. Understand these attacks to limit the amount of information an attacker can get.

7. Exam Essentials for Software Development Security

Describe the functioning of viruses, worms, trojan horses and logic bombs.
Viruses: oldest form of malicious code objects.
Trojan Horses: Cover application with secret, usually malicious, payload.
Logic bombs: Dormant malicious code that awaits for an event to trigger.
Worms:A viruses designed to spread itself.

Understand the impact each type of threat may have on a system and the methods they use to propagate. Know the basic functioning of agents (aka bots) and the impact they may have on computer/network security.

Understand the functionality behind Java applets and ActiveX controls and be able to determine the appropriate security controls for a given computing environment.

Applets are code objects sent from a server to a client to perform some action (opposite of an agent/bot), like an online mortgage calculator. ActiveX is the Microsoft version of Java Applets.

Explain RDBMSs. Functions of tables/relations, rows/records/tuples, columns/degrees/fields/attributes. Know how relationships are defined between tables and roles of various types of keys. Describe database security threats posed by aggregation and inference.


Know storage:differences between primary memory and virtual memory, secondary storage and virtual storage, random access storage, sequential access storage, and volatile storage and nonvolatile storage.

Expert and neural networks function.
Expert has a knowledge base with if/then rules and an inference engine to draw conclusions based on it (like twenty questions)

Neural simulate the functioning of a human mind to a limited extent by arranging a series of layered calculations to solve problems. Neural networks require extensive training on a particular problem before they are able to offer solutions.

The different models of systems development:
Waterfall model describes a sequential development process that results in the development of a finished product.

The spiral model uses several iterations of the waterfall model to produce a number of fully specified and tested prototypes.

Agile development models place an emphasis on the needs of the customer and quickly developing new functionality that meets those needs in an iterative fashion.

Software maturity models help software organizations improve the maturity and quality of their software processes by implementing an evolutionary path from ad hoc, to mature software processes.

SW CMM: Software Capability Maturity Model
1: Initial
2: Repeatable
3: Defined
4: Managed
5: Optimizing

I: Initiating
D: Diagnosing
E: Establishing
A: Acting
L: Learning

To memorize, remember this “I, I Dr. Ed, AM LO”
then write it out in two columns

Acting Managed
Learning Optimizing

Know the 3 basic components of change control:
1: Request Control
2: Change Control
3: Release Control

The 4 rings of the ring protection scheme:
0: operating system itself resides here, processes running in this level are often said to be running in supervisory mode or privileged mode. Level 0 processes have full control of all system resources so its essential to ensure that they are fully verified and validated.
The kernel implements the reference monitor, an operating system component that validates all user requests for access to resources against an access control scheme.
1 & 2: device drivers and other operating system services. Most operating systems do not employ these rings.
3: user applications and processes reside here, usually called user mode or protected mode.

The security kernel is the core set of operating system services that handles user requests for access to system resources. the reference monitor is a portion of the security kernel that validates user requests against the system’s access control mechanisms.

Software testing should be designed as part of the development process. Testing should be used as a management tool to improve the design, development, and production process.

4 security modes approved by the DoD: compartmented security mode (all system users must have an appropriate clearance to access all information processed by the system but do not necessarily have a need to know of all information in the system), dedicated security mode (are authorized to process only a specific classification level at a time, all users must have clearance and a need to know that information), multilevel security mode (authorized to process information at more than one level of security even when all system users do not have appropriate clearances), and system-high security mode (authorized to process only information that all system users are cleared to read and have a valid need to know. not trusted to maintain separation between security levels and all information processed by these systems must be handled as if it were classified at the same level as the most highly classified information processed.).

6. Exam Essentials for Risk and Personnel Management

3rd party governance is the system of oversight that may be mandated by law, regulation, industry standards, or licensing requirements.

Overall risk management is the process of identifying factors that could damage or disclose data, evaluating those factors in light or data value and countermeasure cost, and implementing a cost-effective solution for mitigating or reducing risk is knows as risk management. Risk management lays the foundation for reducing risk overall.

Risk analysis is the process by which upper management is provided with details to make decisions about which risks are to be mitigated, which should be transferred, and which should be accepted. To do so, the following must be analyzed:
assets, asset valuation, threats, vulnerability, exposure, risk, realized risk, safeguards, countermeasures, attacks, and breaches.

Threats come from numerous sources, including IT, humans and nature. Threat assessment should be performed as a team effort to provide the widest range of perspectives.

Quantitative risk analysis focuses on hard values and percentages. A complete quantitative analysis is not possible because of the intangible aspects of risk. The process involves asset valuation and threat identification and then determining a threat’s potential frequency and the resulting damage; the result is a cost/benefit analysis of safeguards.

Exposure Factor (EF) is an element of quantitative risk analysis that represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.

(SLE) Single Loss Expectancy is an element of quantitative risk analysis that represents the cost associated with a single realized risk against a specific asset. SLE=AV*EF

(ARO) Annualized Rate of Occurrence is an element of quantitative risk analysis that represents the expected frequency with which a specific threat or risk will occur within a single year.

(ALE) Annualized Loss Expectancy is an element of quantitative risk analysis that represents the possibly yearly cost of all instances of a specific realized threat against a specific asset. ALE=SLE*ARO

Use the ALE formula before and after a safeguard is implemented, (ALE before – ALE after) – cost of safeguard = value of safeguard to company.

Qualitative risk analysis is based on scenarios than calculations. exact dollar amounts are not assigned in possible losses; instead, threats are ranked on a scale to evaluate their risks, costs, and effects.

The Delphi technique is simply an anonymous feedback-and-response process used to arrive at a consensus to properly evaluate risks and implement solutions.

Reducing risk, risk mitigation, implementing safeguards and countermeasures. Assigning risk or transferring a risk places the cost of loss a risk represents onto another entity or organization. Accepting risk means the management has evaluated the cost/benefit analysis of possible safeguards and has determined that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk.

Total risk is the amount of risk an organization would face is no safeguards were implemented. To calculate total risk, use this formula: threats * vulnerabilities * asset value = total risk. residual risk is the risk that management has chosen to accept rather than mitigate. the difference between total risk and residual risk is the controls gap. to calculate residual risk: total risk = controls gap = residual risk.

To properly plan for security, you must have standards in place for job descriptions, job classification, work tasks, job responsibilities, preventing collusion, candidate screening, background checks, security clearances, employment agreements, and nondisclosure agreements. be developing these mechanisms, you ensure that new hires are aware of the required security standards.

Separation of duties is the security concept of dividing critical, significant, and sensitive work tasks among several individuals, ensuring no one person can compromise system security.

Least privilege, users are granted the minimum amount of access necessary to do their tasks/jobs. Limiting user access limits vulnerability of sensitive information.

Job rotation serves: knowledge redundancy, reduces risk of fraud, data modification, theft sabotage and misuse of information.

Mandatory vacations are used to audit and verify the work tasks and privileges of employees to detect abuse, fraud or negligence.

Vendor, consultant, and contractor controls are used to define the levels of performance, expectation, compensation, and consequences for entities, persons, or organizations that are external to the primary organization. These are usually called SLAs.

Termination policy defines the procedures for terminating employees. Right? It should include items such as always having a witness, disabling the employee’s network access, and performing an exit interview. A termination policy should also include escorting the terminated employee off the premises and requiring the return of security tokens and badges and company property.

Before training and education can take place, awareness of security as a recognized entity must be created, then can come training, teaching employees to perform their work tasks and to comply with the security policy. All new employees require some level of training so they will be able to comply with all standards, guidelines, and procedures mandated by the security policy.

In order to manage the security function, an organization must implement proper and sufficient security governance. the act of performing a risk assessment to drive the security policy is the clearest and most direct example of management of the security functio. this also relates to budget, metrics, resources, information security strategies, and assessing the completeness and effectiveness of the security program.

5. Exam Essentials for Security Governance Concepts, Principles and Policies

Primary goals are contained in the CIA. The three principles are considered the most important within the realm of security.

Confidentiality is the principle that objects are not disclosed to unauthorized subjects.

Integrity is the principle that objects retain their veracity and are intentionally modified by only authorized subjects.

Availability is the principle that authorized subjects are granted timely and uninterrupted access to objects.

There are multiple meanings and definitions of privacy, why is it important to protect it and what are the issues surrounding it in the work environment and elsewhere?

Active prevention of unauthorized access to information that is personally identifiable.

Freedom from unauthorized access to information deemed personal or confidential

Freedom from being observed, monitored, or examined without consent or knowledge.

It can be hard to balance individual rights to privacy and the rights or activities of an organization.

Identification is the process by which a subject professes an identity and accountability is initiated. AAA.

The process of verifying or testing that a claimed identity is valid is authentication.

Once a subject is authenticated, its access must be authorized.

Security governance is the collection of practices related to supporting, defining and directing the security efforts of an organization.

Auditing, or monitoring is the programmatic means by which subjects are held accountable for their actions while authenticated on a system. It’s also the process by which unauthorized or abnormal activities are detected. Auditing is needed to detect malicious actions by subjects, attempted intrusions, and system failures and to reconstruct events, provide evidence for prosecution and produce problem reports and analysis.

An organization’s security policy can be properly enforced only if accountability is maintained. Security can only be maintained if subjects are held accountable for their actions.

Nonrepudiation ensures that the subject of an event or activity cannot deny said event or activity.

Security management planning is based on 3 basic plans. Strategic, Tactical and Operational.

Strategic plans are long-term plans that are fairly stable and they define the organization’s goals, mission and objectives.

Tactical plans are midterm plans developed to provide more details on accomplishing the goals set forth in the strategic plan.

Operational plans are short-term and highly detailed plans based on the strategic and tactical plans.

The elements of a formalized security policy structure are security policy, standards, baselines, guidelines and procedures.

Key security roles are: the Senior Manager, organizational owner, upper management, security professional, user, data owner, data custodian, and auditor.

Know how to implement security awareness training. All new employees require some level of training so they will be able to comply with standards, guidelines, and procedures mandated by the security policy.

Layering simplifies security. Using a multilayered solution allows for numerous controls to guard against threats.

Abstraction is used to collect similar elements into groups, classes or roles that are assigned security controls, restrictions, or permissions as a collective. It adds efficiency to carrying out a security plan.

Data hiding is preventing data from being discovered or accessed by a subject.

Encryption is the art and science of hiding the meaning or intent of a communication from unintended recipients. It is an important element in security controls, especially in regards to transmissions between systems.

Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities.

Data is classified to simplify the process of assigning security controls to groups of objects rather than individual objects. There are two common classification schemes: government/military and commercial business/private sector.

Military/Government: Private:
Top Secret Restricted
Secret Confidential
Confidential Internal Use Only
Restricted Public

It’s important to have a declassification policy.

Cobit stands for control objectives for information and related technology. It’s a security concept infrastructure used to organize the complex security solutions of companies.

4. Exam Essentials for Secure Communications and Network Attacks

Remote access security management requires that security system designers address the hardware and software components of an implementation along with issues related to policy, work tasks, and encryption.

Protocols & mechanisms that may be used on LANS and WANS are:
skip, swipe, ssl, set, ppp, slip, chap, pap, eap, s-rpc, this can include the VPN, TLS/SSL, and VLAN.
Tunneling is the encapsulation of a protocol-deliverable message within a second protocol. The second protocol performs the encryption to protect the message contents.

VPNs are based on encrypted tunneling. they can offer authentication and data protection as a point-to-point solution. Common VPN protocols are PPTP, L2F, L2TP, and IPSec.

NAT protects the addressing scheme of a private network, allows the use of the private IP addresses and enables multiple internal clients to get Internet through a few public IPs. NAT is supported by many border devices like firewalls, routers, gateways and proxies.

In circuit switching, physical pathways are created between the 2 communicating parties. in packet switching, a message or communication is broken up into small segments and sent across the intermediary networks to the destination.
There are 2 communications paths (virtual circuits) in packet-switching systems called PVCs (permanent) or SVCs (switched).

Dedicated vs Non Dedicated links

An always on connection is dedicated, like T1, T3, E1, E3, and cable modems.
ISDN and DSL are examples of non dedicated links.

Most WAN technologies require a CSU/DSU (channel/data service unit) aka WAN switch. Carrier networks and WAN connection technologies, such as x.25, Frame Relay, ATM, and SMDS. Some WAN connection technologies require additional specialized protocols to support various types of specialized systems or devices. Three of these protocols are SDLC, HDLC, and HSSI.

PPP is point to point protocol, an encapsulation protocol to support the transmission of IP traffic over dial up or point to point links.
PPP includes assignment and management of IP addresses, management of synchronous communications, standardized encapsulation, multiplexing, link configuration, link quality testing error detection and feature or option negotiation, lik compression. PPP was designed to support CHAP and PAP for authentication, but later versions support MS-CHAP, EAP and SPAP.

SLIP was replaced with PPP. SLIP has no authentication , supports half duplex communications, has no error detection and required manual link establishment and teardown.

Security controls
Security controls should be transparent to users. hash totals and CRC checks can be used to verify message integrity. Record sequences are used to ensure sequence integrity of a transmission. transmission logging helps detect communications abuses.

Internet email is based on SMTP, POP3, IMAP which are insecure methods which can be secured (and must be addressed in policy) to use S/MIME, MOSS, PEM or PGP.

Fax security is primarily based on using encrypted transmissions or encrypted communication lines to protect the faxed materials. The goal is to prevent interception. Logs and reports can be used to detect anomalies in fax activity.

Countermeasures to PBX fraud and abuse include many of the same precautions you would employ to protect a typical computer network: logical or technical controls, administrative controls and physical controls.

VoIP is at risk for Caller ID spoofing, vishing, SPTI, call manager software/firmware attacks, phone hardware attacks, DoS, MitM, spoofing and switch hopping.

Phreaking is a specific type of attack in which various types of technology are used to circumvent the telephone system to make free long distance calls, alter function of telephone service, steal specialized services or even cause service disruptions. black, red, blue, and white boxes are common phreaker tools.

Voice communications are vulnerable to many attacks, you can use encryption to gain confidentiality.

Social engineering is a means by which an unknown person gains the trust of someone inside your organization by convincing employees that they are associated with support management or technical support, usually. The victim is often encouraged to make a change to their user account on the system like reset their password. To counter this, train users to identify and report this.

Communications systems are vulnerable to many attacks, including DDoS, eavesdropping, impersonation, replay, modification, spoofing, ARP and DNS attacks. Know the effective countermeasures for each.

3. Exam Essentials for Secure Network Architecture and Network Components

Know the OSI model layers AND the protocols under each.

Application: http, ftp, lpd, smtp, telnet, tftp, edi, pop3, imap, snmp, nntp, s-rpc, set

Presentation: ascii, ebcdicm, tiff, jpeg, mpeg, midi

Session: nfs, sql, rpc

Transport: spx, ssl, tls, tcp, udp

Network: icmp, rip, ospf, bgp, igmp, ip, ipsec, ipx, nat, skip

Data Link: slip, ppp, arp, rarp, l2f, l2tp, pptp, fddi, isdn

Physical: eia/tia-232, eia/tia-449, x.21, hssi, sonet, v.24, v.35

Know TCP/IP completely

What is the difference between tcp and udp? tcp is connection oriented and udp is connectionless

Know that the OSI model and the TCP/IP model.

Know well known ports

ports under 1023.

Know different cabling types and their lengths and max throughput rates.

stp: shielded twisted pair

10base-t utp

10base2 thinnet

10base5 thicknet




utp categories 1-7

Everything for this question can be answered by going here.

Be familiar with common LAN technologies

Ethernet: A system for connecting a number of computer systems to form a local area network, with protocols to control the passing of information and to avoid simultaneous transmission by two or more systems

Token Ring: A local area network in which a node can transmit only when in possession of a sequence of bits (called the token) that is passed to each node in turn

FDDI: Fiber-distributed data interface, a communications, cabling, and hardware standard for high-speed optical-fiber networks

Analog vs digital

Analog Versus Digital Transmission

Feature Analog Characteristics Digital Characteristics
Signal Continuously variable, in both amplitude and frequency Discrete signal, represented as either changes in voltage or changes in light levels
Traffic measurement Hz (for example, a telephone channel is 4KHz) Bits per second (for example, a T-1 line carries 1.544Mbps, and an E-1 line transports 2.048Mbps)
Bandwidth Low bandwidth (4KHz), which means low data transmission rates (up to 33.6Kbps) because of limited channel bandwidth High bandwidth that can support high-speed data and emerging applications that involve video and multimedia
Network capacity Low; one conversation per telephone channel High; multiplexers enable multiple conversations to share a communications channel and hence to achieve greater transmission efficiencies
Network manageability Poor; a lot of labor is needed for network maintenance and control because dumb analog devices do not provide management information streams that allow the device to be remotely managed Good; smart devices produce alerts, alarms, traffic statistics, and performance measurements, and technicians at a network control center (NCC) or network operations center (NOC) can remotely monitor and manage the various network elements
Power requirement High because the signal contains a wide range of frequencies and amplitudes Low because only two discrete signals—the one and the zero—need to be transmitted
Security Poor; when you tap into an analog circuit, you hear the voice stream in its native form, and it is difficult to detect an intrusion Good; encryption can be used
Error rates High; 10–5 bits (that is, 1 in 100,000 bits) is guaranteed to have an error Low; with twisted-pair, 10–7 (that, is 1 in 10 million bits per second) will have an error, with satellite, 10–9 (that is, 1 in 1 billion per second) will have an error, and with fiber, 10–11 (that is only 1 in 10 trillion bits per second) will have an error 

synchronous vs asynchronous

Asynchronous means “not synchronous”.Synchronous means “agreed timing for the sending of ones and zeroes (bits)”–that is, the transmit and receive sides of the communications circuit have bothered to coordinate (synchronize) their signal and have agreed just what a digital bit encoded into the signal looks like. All communications paths have carrier signals, the signals have a frequency, and encoding bits into the signal involves spacing them out at regular intervals, and carving out just how long it takes to transmit a bit

baseband vs broadband







token passing


2. Exam Essentials for Access Control Attacks and Monitoring

Understand basic risk elements

Risk is the likelihood that a threat can exploit a vulnerability and cause damage to assets.

Asset valuation identifies the value of assets

Threat modeling identifies threats against these assets

Vulnerability analysis identifies weaknesses in an organization’s valuable assets.

Access aggregation is a type of attack that combines, or aggregates, nonsensitive information to learn sensitive information that is used in reconnaissance attacks.

Brute vs dictionary attacks.

brute force uses keyboard combinations, dictionary uses a list.

Strong Passwords

Password policies ensure users make complex passwords, which make password crackers less successful.

Increase strength by adding one of the factors (see authentication factors here).


Spoofing is pretending to be someone or something else. Spoofing attacks can include email, phone, IP.


A packet capturing program reads and stores data that is sent over a network medium in cleartext.

Social Engineering

Convince someone to do something they wouldn’t normally do, usually by pretending to be someone else and asking for help.


Trying to get a user to give up personal information, spear phishing targets specific groups of users and whaling targets high-level executives. Vishing uses VoIP.

Log Types

Security Logs, System Logs, Application Logs, Firewall Logs, Proxy Logs and Change Management Logs. Logs should be protected and should be read only.


Basically, monitoring is a form of auditing that focuses on active review of log file data. It holds subjects accountable for their actions, and detects abnormal or malicious activities. IDSs and SIEMs automate monitoring and provide real-time analysis of events.


Accountability is maintained by auditing subjects. This promotes good user behavior and compliance.

Audit trails

Records created by recording information about events and occurrences into logs are used to reconstruct an event.


Sampling or data extraction, is extracting elements from a large body of data to construct a meaningful representation or summary of the whole. Statistical sampling uses precise mathematical functions to extract meaningful information from a large volume of data.

Clipping is a form of nonstatistical sampling that only records events that exceed a threshold. e.g. bad login attempts over 10 times.



1. Exam Essentials for Access Control

Know the difference between subject and objects and know common subject labels.

Subjects are active entities, like users.
Objects are passive, like files.


  • A user is a subject who accesses objects in the course of performing some action or accomplishing a work task.
  • An owner is the subject responsible for classifying and labeling objects and for protecting and storing data on any system.
  • A custodian has day to day responsibilities for protecting and storing objects.

Know types of access control.

Preventative: to stop unwanted or unauthorized activity from occurring.

Detective: to discover unwanted or unauthorized activity.

Corrective: to restore systems to normal after an unwanted or unauthorized activity occurred.

Deterrent: to discourage violation of security policy.

Recovery: to repair or restore resources, functions and capabilities after a violation of security policy has occurred.

Directive: to direct, confine, or control the action of subjects to force or encourage compliance with security policy.

Compensation: to provide various options to other existing controls to aid in enforcement and support of security policy.

Controls can be; administrative, policies or procedures to implement and enforce overall access control; logical/technical, hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems; and physical, barriers deployed to prevent direct contact with systems or areas within a facility.

Know the difference between identification, authentication, and authorization.

Subjects claim an identity, subjects prove their identity  by providing authentication credentials. Subjects are then granted authorization to objects based on their proven identity.

Understand the details of the three authentication factors.

  1. Something you know
  2. Something you have
  3. Something you are

Biometrics have Type 1 (false rejection rate) and Type 2 (false acceptance rate) errors.

Know the details about each of the access control techniques.

Discretionary: all objects have owners and the owners can modify permissions.

Non-discretionary: centrally managed, like a firewall.

Mandatory: use labels for subjects and objects and match the two.

Role-based: access controls use task based roles and users gain privileges when their accounts are placed within that role.

Identify common mechanisms, like implicit deny, access control matrices, access control lists, constrained interfaces, content/context dependent controls.

Know SSO

a subject can authenticate once and access multiple objects without authenticating again. Kerberos is most common and uses symmetric cryptography and tickets to prove id and auth. SPML is commonly used to share federated id info.

Other SSO methods are scripted access, sesame and kryptoknight.

Understand the purpose of AAA (authentication, authorization, accounting) protocols.

Radius uses udp and encrypts the password only.

Tacacs+ uses tcp and encrypts the entire session.

Diameter is based on radius.

Understand ID and access provisioning lifecycle.