Proprietary & Confidential
@GoCyberSec | January 2020
Chapter 1
Mastering Security Basics
CompTIA Security+
Introduction
• Understanding core security goals
• Introducing basic risk concepts
• Understanding control types
• Implementing virtualization
• Using command-line tools
CIA Triad
• Confidentiality
– Access to information, assets, etc. should be
granted only on a need-to-know basis
• Integrity
– Integrity makes sure that information is not
tampered with, whether it is traveling from source to
destination or at rest (storage)
• Availability
– Availability means making sure that the
services of an organization are available at all
times
Understanding Core Security Goals
• Confidentiality
–Encryption
–Access Controls
–Steganography
Understanding Core Security Goals
• Integrity
–Hashing
–Digital Signatures
–Certificates
–Non-repudiation
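
An added example (not part of the original slides) of hashing used as an integrity check for data at rest: a SHA-256 baseline of a directory is compared with its current state to report modified, removed and added files. Protecting the baseline with an HMAC, and all file names, the key and the function names, are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for directory, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(directory, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def serialize(manifest):
    """Canonical JSON so the same manifest always yields the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":"))


def seal_manifest(manifest, key):
    """Attach an HMAC-SHA256 tag so the baseline itself cannot be silently rewritten."""
    body = serialize(manifest)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def open_manifest(sealed, key):
    """Return the baseline only if its tag verifies; otherwise raise ValueError."""
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("baseline manifest failed authentication")
    return json.loads(sealed["body"])


def compare(baseline, current):
    """Classify differences between the trusted baseline and the current state."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def write(root, rel, data):
    """Helper: create a constructed sample file under root."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    key = b"constructed-demo-key"  # assumption: kept away from the monitored host
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files standing in for data at rest.
        write(root, "etc/app.conf", b"mode=strict\n")
        write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        write(root, "readme.txt", b"v1\n")
        sealed = seal_manifest(build_manifest(root), key)

        # Changes made after the baseline was taken.
        write(root, "etc/app.conf", b"mode=permissive\n")
        os.remove(os.path.join(root, "readme.txt"))
        write(root, "etc/cron.sh", b"#!/bin/sh\n")

        report = compare(open_manifest(sealed, key), build_manifest(root))

        # A baseline regenerated without the key keeps the old tag and is rejected.
        forged = {"body": serialize(build_manifest(root)), "tag": sealed["tag"]}
        try:
            open_manifest(forged, key)
            forged_rejected = False
        except ValueError:
            forged_rejected = True
    return report, forged_rejected


if __name__ == "__main__":
    print(demo())
```

A plain hash only detects change when the stored baseline can be trusted, which is why the baseline here carries a keyed tag.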
Understanding Core Security Goals
• Availability
–Redundancy
–Fault tolerance
–Patching
Introducing Risk Concepts
• Threats
• Vulnerabilities
–Any weakness
• Risk is
–The likelihood that a threat will
exploit a vulnerability
• Risk mitigation
–Reduces the chances that a threat will exploit a vulnerability by
implementing controls
Understanding Control Types
Overview
• Technical controls use technology.
• Administrative controls use administrative or management methods.
• Physical controls refer to controls you can physically touch.
Understanding Control Types
Technical Controls
• Use technology to reduce vulnerabilities
• Examples
– Encryption
– Antivirus Software
– Intrusion Detection Systems
– Firewalls
– Least Privilege
Understanding Control Types
Administrative Controls
• Use administrative or management methods
• Examples
– Risk Assessment
– Information Security Policies, Procedures and Standards
– Awareness & Training
– Configuration & Change Management
– Contingency Planning
Understanding Control Types
Physical Controls
• Any controls that you can physically touch.
• Examples
– Light
– Signs
– Fences
– Security Guards
Understanding Sub-Control Types
• Preventive controls attempt to prevent an incident from occurring.
• Detective controls attempt to detect incidents after they
have occurred.
• Corrective controls attempt to reverse the impact of an
incident.
• Deterrent controls attempt to discourage individuals from
causing an incident.
• Compensating controls are alternative controls used
when a primary control is not feasible.
Preventive and Detective Controls
Detective controls
• Attempt to detect incidents after they have
occurred
• Log monitoring, trend analysis, security audit,
video surveillance, motion detection
• Cannot predict when an incident will occur
• Cannot prevent an incident
• Used after an incident
Preventive and Detective Controls
Preventive controls
• Attempt to prevent an incident from occurring
• Hardening, training, guards, change management, disabling
accounts
• Stops the incident before it occurs.
Corrective and Compensating Controls
Corrective controls
–Attempt to reverse the impact of an incident
–Active IDS, backups, system recovery
Compensating
–Alternative controls used when a primary control is not
feasible
–TOTP instead of smart card
Deterrent Controls
Deterrent controls
–Attempt to discourage individuals from causing an incident
–Cable locks, hardware locks, fences
Compare to prevention
–Deterrence encourages people to decide not to take an undesirable
action
–Prevention stops them from taking an undesirable action
–A security guard can be both
Implementing Virtualization
• Terminology
–Hypervisor
–Host
–Guest
–Host elasticity
–Host scalability
One host appears as five
systems on a network
Comparing Hypervisors
• Type I (bare-metal)
– Runs directly on hardware
– No host operating system required
• Type II
– Runs as software within an operating system
Application Cell Virtualization
• Runs services or applications within isolated application
cells (or containers)
• Also called container virtualization
Using Virtualization
• Snapshots
– Copy of a VM at a moment in time
– Can revert to a snapshot if necessary
• VDI/VDE
– A user’s desktop
– Persistent VDE – keeps user changes
– Non-persistent VDE – doesn’t keep user changes
Risks Associated with Virtualization
• VMs are files
– Can be copied
• VM escape
– Allows attacker to access host from guest
• VM sprawl
– Uncontrolled VM creation (not managed)
• Loss of confidentiality
Command-Line Tools
• Windows
– Launch Command Prompt
– Launch Command Prompt (Admin)
Command-Line Tools
• Linux
– Launch terminal in Kali
Understanding Switches & Case
• Windows switches typically use slash /
– ipconfig /?
• Linux systems typically use dash –
– ifconfig -?
• Windows commands are rarely case sensitive
• Linux commands are case sensitive
Command Demo
• Windows
– Ipconfig
– ping
– Netstat
– Tracert
– ARP
– Systeminfo
• Linux
– ifconfig
– cd
– ls
– grep
– mkdir
– mv
Chapter 1 Summary
• Understanding core security goals
• Introducing basic risk concepts
• Understanding control types
• Implementing virtualization
• Using command-line tools

বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdfবাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
 
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdfANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
 
The simplified electron and muon model, Oscillating Spacetime: The Foundation...
The simplified electron and muon model, Oscillating Spacetime: The Foundation...The simplified electron and muon model, Oscillating Spacetime: The Foundation...
The simplified electron and muon model, Oscillating Spacetime: The Foundation...
 
Azure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHatAzure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHat
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
 
The basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptxThe basics of sentences session 5pptx.pptx
The basics of sentences session 5pptx.pptx
 
How to Add Chatter in the odoo 17 ERP Module
How to Add Chatter in the odoo 17 ERP ModuleHow to Add Chatter in the odoo 17 ERP Module
How to Add Chatter in the odoo 17 ERP Module
 
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective UpskillingYour Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective Upskilling
 
A Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptxA Survey of Techniques for Maximizing LLM Performance.pptx
A Survey of Techniques for Maximizing LLM Performance.pptx
 

501 ch 1 mastering security basics

  • 1. Proprietary & Confidential @GoCyberSec | January 2020 Chapter 1 Mastering Security Basics CompTIA Security+
  • 2. Introduction • Understanding core security goals • Introducing basic risk concepts • Understanding control types • Implementing virtualization • Using command-line tools
  • 3. CIA Triad • Confidentiality – Access to information, assets, etc. should be granted only on a need-to-know basis • Integrity – Integrity makes sure that information is not tampered with, whether it travels from source to destination or is at rest (storage) • Availability – The availability concept is to make sure that the services of an organization are available at all times
  • 4. Understanding Core Security Goals • Confidentiality – Encryption – Access Controls – Steganography
  • 5. Understanding Core Security Goals • Integrity – Hashing – Digital Signatures – Certificates – Non-repudiation
  • 6. Understanding Core Security Goals • Availability – Redundancy – Fault tolerance – Patching
  • 7. Introducing Risk Concepts • Threats • Vulnerabilities – Any weakness • Risk is – The likelihood that a threat will exploit a vulnerability • Risk mitigation – Reduces the chances that a threat will exploit a vulnerability by implementing controls
  • 8. Understanding Control Types Overview • Technical controls use technology. • Administrative controls use administrative or management methods. • Physical controls refer to controls you can physically touch.
  • 9. Understanding Control Types Technical Controls • Use technology to reduce vulnerabilities • Examples – Encryption – Antivirus Software – Intrusion Detection Systems – Firewalls – Least Privilege
  • 10. Understanding Control Types Administrative Controls • Use administrative or management methods • Examples – Risk Assessment – Information Security Policies, Procedures and Standards – Awareness & Training – Configuration & Change Management – Contingency Planning
  • 11. Understanding Control Types Physical Controls • Any controls that you can physically touch. • Examples – Light – Signs – Fences – Security Guards
  • 12. Understanding Sub-Control Types • Preventive controls attempt to prevent an incident from occurring. • Detective controls attempt to detect incidents after they have occurred. • Corrective controls attempt to reverse the impact of an incident. • Deterrent controls attempt to discourage individuals from causing an incident. • Compensating controls are alternative controls used when a primary control is not feasible.
  • 13. Preventive and Detective Controls Detective controls • Attempt to detect incidents after they have occurred • Log monitoring, trend analysis, security audit, video surveillance, motion detection • Cannot predict when an incident will occur • Cannot prevent an incident • Used after an incident
  • 14. Preventive and Detective Controls Preventive controls • Attempt to prevent an incident from occurring • Hardening, training, guards, change management, disabling accounts • Stops the incident before it occurs.
  • 15. Corrective and Compensating Controls • Corrective controls – Attempt to reverse the impact of an incident – Active IDS, backups, system recovery • Compensating – Alternative controls used when a primary control is not feasible – TOTP instead of smart card
  • 16. Deterrent Controls • Deterrent controls – Attempt to discourage individuals from causing an incident – Cable locks, hardware locks, fences • Compare to prevention – Deterrent encourages people to decide not to take an undesirable action – Prevention stops them from taking an undesirable action – Security guard can be both
  • 17. Implementing Virtualization • Terminology – Hypervisor – Host – Guest – Host elasticity – Host scalability • One host appears as five systems on a network
  • 18. Comparing Hypervisors • Type I (bare-metal) – Runs directly on hardware – No host operating system required • Type II – Runs as software within an operating system
  • 19. Application Cell Virtualization • Runs services or applications within isolated application cells (or containers) • Also called container virtualization
  • 20. Application Cell Virtualization • Runs services or applications within isolated application cells (or containers) • Also called container virtualization
  • 21. Using Virtualization • Snapshots – Copy of a VM at a moment in time – Can revert to a snapshot if necessary • VDI/VDE – A user’s desktop – Persistent VDE – keeps user changes – Non-persistent VDE – doesn’t keep user changes
  • 22. Risks Associated with Virtualization • VMs are files – Can be copied • VM escape – Allows attacker to access host from guest • VM sprawl – Uncontrolled VM creation (not managed) • Loss of confidentiality
  • 23. Command-Line Tools • Windows – Launch Command Prompt – Launch Command Prompt (Admin)
  • 24. Command-Line Tools • Linux – Launch terminal in Kali
  • 25. Understanding Switches & Case • Windows switches typically use a slash (/) – ipconfig /? • Linux systems typically use a dash (-) – ifconfig -? • Windows commands are rarely case sensitive • Linux commands are case sensitive
  • 26. Command Demo • Windows – Ipconfig – ping – Netstat – Tracert – ARP – Systeminfo • Linux – ifconfig – cd – ls – grep – mkdir – mv
  • 27. Chapter 1 Summary • Understanding core security goals • Introducing basic risk concepts • Understanding control types • Implementing virtualization • Using command-line tools