Security Architecture 29%

• Load balancer
• Intrusion detection system (IDS)/network intrusion detection system (NIDS)/wireless intrusion detection system (WIDS)
• Intrusion prevention system (IPS)/network intrusion prevention system (NIPS)/wireless intrusion prevention system (WIPS)
• Web application firewall (WAF)
• Network access control (NAC)
• Virtual private network (VPN)
• Domain Name System Security Extensions (DNSSEC)
• Firewall/unified threat management (UTM)/next-generation firewall (NGFW)
• Network address translation (NAT) gateway
• Internet gateway
• Forward/transparent proxy
• Reverse proxy
• Distributed denial-of-service (DDoS) protection
• Routers
• Mail security
• Application programming interface (API) gateway/Extensible Markup Language (XML) gateway
• Traffic mirroring
  -Switched port analyzer (SPAN) ports
  -Port mirroring
  - Virtual private cloud (VPC)
  -Network tap
• Sensors
  -Security information and event management (SIEM)
  -File integrity monitoring (FIM)
  -Simple Network Management Protocol (SNMP) traps
  -NetFlow
  -Data loss prevention (DLP)
  -Antivirus

• Microsegmentation
• Local area network (LAN)/virtual local area network (VLAN)
• Jump box
• Screened subnet
• Data zones
• Staging environments
• Guest environments
• VPC/virtual network (VNET)
• Availability zone
• NAC lists
• Policies/security groups
• Regions
• Access control lists (ACLs)
• Peer-to-peer
• Air gap

• Cloud
• Remote work
• Mobile
• Outsourcing and contracting
• Wireless/radio frequency (RF) networks

• Peering
• Cloud to on premises
• Data sensitivity levels
• Mergers and acquisitions
• Cross-domain
• Federation
• Directory services

• Open SDN
• Hybrid SDN
• SDN overlay

• Vertically
• Horizontally

- Resiliency

• High availability
• Diversity/heterogeneity
• Course of action orchestration
• Distributed allocation
• Redundancy
• Replication
• Clustering

- Automation

• Autoscaling
• Security Orchestration, Automation, and Response (SOAR)
• Bootstrapping

• Secure design patterns/ types of web technologies
  -Storage design patterns
• Container APIs
• Secure coding standards
• Application vetting processes
• API management
• Middleware

• Sandboxing/development environment
• Validating third-party libraries
• Defined DevOps pipeline
• Code signing
• Interactive application security testing (IAST) vs. dynamic application security testing (DAST) vs. static application security testing (SAST)

• Customer relationship management (CRM)
• Enterprise resource planning (ERP)
• Configuration management database (CMDB)
• Content management system (CMS)
• Integration enablers
  -Directory services
  -Domain name system (DNS)
  -Service-oriented architecture (SOA)
  -Enterprise service bus (ESB)

• Formal methods
• Requirements
• Fielding
• Insertions and upgrades
• Disposal and reuse
• Testing
  -Regression
  -Unit testing
  -Integration testing
• Development approaches
  -SecDevOps
  -Agile
  -Waterfall
  -Spiral
  -Versioning
  -Continuous integration/continuous delivery (CI/CD) pipelines
• Best practices
  -Open Web Application Security Project (OWASP)
  -Proper Hypertext Transfer Protocol (HTTP) headers

• Blocking use of external media
• Print blocking
• Remote Desktop Protocol (RDP) blocking
• Clipboard privacy controls
• Restricted virtual desktop infrastructure (VDI) implementation
• Data classification blocking

• Watermarking
• Digital rights management (DRM)
• Network traffic decryption/deep packet inspection
• Network traffic analysis

• Metadata/attributes

• Tokenization
• Scrubbing
• Masking

• Create
• Use
• Share
• Store
• Archive
• Destroy

• Redundant array of inexpensive disks (RAID)

• Password repository application
  -End-user password storage
  -On premises vs. cloud repository
• Hardware key manager
• Privileged access management

- Password policies

• Complexity
• Length
• Character classes
• History
• Maximum/minimum age
• Auditing
• Reversable encryption

- Federation

• Transitive trust
• OpenID
• Security Assertion Markup Language (SAML)
• Shibboleth

• Mandatory access control (MAC)
• Discretionary access control (DAC)
• Role-based access control
• Rule-based access control
• Attribute-based access control

• Remote Authentication Dial-in User Server (RADIUS)
• Terminal Access Controller Access Control System (TACACS)
• Diameter
• Lightweight Directory Access Protocol (LDAP)
• Kerberos
• OAuth
• 802.1X
• Extensible Authentication Protocol (EAP)

• Two-factor authentication (2FA)
• 2-Step Verification
• In-band
• Out-of-band

- One-time password (OTP)

• HMAC-based one-time password (HOTP)
• Time-based one-time password (TOTP)

• Type 1 vs. Type 2 hypervisors
• Containers
• Emulation
• Application virtualization
• VDI

• Business directives
  -Cost
  -Scalability
  -Resources
  -Location
  -Data protection
• Cloud deployment models
  -Private
  -Public
  -Hybrid
  -Community

• Multitenant
• Single-tenant

- Service models

• Software as a service (SaaS)
• Platform as a service (PaaS)
• Infrastructure as a service (IaaS)

- Cloud provider limitations

• Internet Protocol (IP) address scheme
• VPC peering

• Object storage/file-based storage
• Database storage
• Block storage
• Blob storage
• Key-value pairs

• Data at rest
• Data in transit
• Data in process/data in use
• Protection of web services
• Embedded systems
• Key escrow/management
• Mobile security
• Secure authentication
• Smart card

- Common PKI use cases

• Web services
• Email
• Code signing
• Federation
• Trust models
• VPN
• Enterprise and security automation/orchestration

• Private information retrieval
• Secure function evaluation
• Private function evaluation

- Secure multiparty computation
- Distributed consensus
- Big Data
- Virtual/augmented reality
- 3-D printing
- Passwordless authentication
- Nano technology
- Deep learning

• Natural language processing
• Deep fakes

-Biometric impersonation

Security Operations 30%

• Tactical
  -Commodity malware
• Strategic
  -Targeted attacks
• Operational
  -Threat hunting
  -Threat emulation

- Actor types

• Advanced persistent threat (APT)/nation-state
• Insider threat
• Competitor
• Hacktivist
• Script kiddie
• Organized crime

- Threat actor properties

• Resource
  -Time
  -Money
• Supply chain access
• Create vulnerabilities
• Capabilities/sophistication
• Identifying techniques

- Intelligence collection methods

• Intelligence feeds
• Deep web
• Proprietary
• Open-source intelligence (OSINT)
• Human intelligence (HUMINT)

• MITRE Adversarial Tactics, Techniques, & Common knowledge (ATT&CK)
  -ATT&CK for industrial control system (ICS)
• Diamond Model of Intrusion Analysis
• Cyber Kill Chain

• Packet capture (PCAP)
• Logs
  -Network logs
  -Vulnerability logs
  -Operating system logs
  -Access logs
  -NetFlow logs
• Notifications
  -FIM alerts
  -SIEM alerts
  -DLP alerts
  -IDS/IPS alerts
  -Antivirus alerts
• Notification severity/priorities
• Unusual process activity

- Response

• Firewall rules
• IPS/IDS rules
• ACL rules
• Signature rules
• Behavior rules
• DLP rules
• Scripts/regular expressions

• Credentialed vs. non-credentialed
• Agent-based/server-based
• Criticality ranking
• Active vs. passive

• Extensible Configuration Checklist Description Format (XCCDF)
• Open Vulnerability and Assessment Language (OVAL)
• Common Platform Enumeration (CPE)
• Common Vulnerabilities and Exposures (CVE)
• Common Vulnerability Scoring System (CVSS)
• Common Configuration Enumeration (CCE)
• Asset Reporting Format (ARF)

• Advisories
• Bulletins
• Vendor websites
• Information Sharing and Analysis Centers (ISACs)
• News reports

• Static analysis
• Dynamic analysis
• Side-channel analysis
• Reverse engineering
  -Software
  -Hardware
• Wireless vulnerability scan
• Software composition analysis
• Fuzz testing
• ivoting
• Post-exploitation
• Persistence

- Tools

• SCAP scanner
• Network traffic analyzer
• Vulnerability scanner
• Protocol analyzer
• Port scanner
• HTTP interceptor
• Exploit framework
• Password cracker

- Dependency management
- Requirements

• Scope of work
• Rules of engagement
• Invasive vs. non-invasive
• Asset inventory
• Permissions and access
• Corporate policy considerations
• Facility considerations
• Physical security considerations
• Rescan for corrections/changes

• Race conditions
• Overflows
  -Buffer
  -Integer
• Broken authentication
• Unsecure references
• Poor exception handling
• Security misconfiguration
• Improper headers
• Information disclosure
• Certificate errors
• Weak cryptography implementations
• Weak ciphers
• Weak cipher suite implementations
• Software composition analysis
• Use of vulnerable frameworks and software modules
• Use of unsafe functions
• Third-party libraries
  -Dependencies
  -Code injections/malicious changes
  -End of support/end of life
  -Regression issues

- Inherently vulnerable system/application

• Client-side processing vs. server-side processing
• JSON/representational state transfer (REST)
• Browser extensions
  -Flash
  -ActiveX
• Hypertext Markup Language 5 (HTML5)
• Asynchronous JavaScript and XML (AJAX)
• Simple Object Access Protocol (SOAP)
• Machine code vs. bytecode or interpreted vs. emulated

• Directory traversal
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Injection
  -XML
  -LDAP
  -Structured Query Language (SQL)
  -Command
  -Process
• Sandbox escape
• Virtual machine (VM) hopping
• VM escape
• Border Gateway Protocol (BGP)/route hijacking
• Interception attacks
• Denial-of-service (DoS)/DDoS
• Authentication bypass
• Social engineering
• VLAN hopping

• Hunts
• Developing countermeasures
• Deceptive technologies
  -Honeynet
  -Honeypot
  -Decoy files
  -Simulators
  -Dynamic network configurations

- Security data analytics

• Processing pipelines
  -Data
  -Stream
• Indexing and search
• Log collection and curation
• Database activity monitoring

- Preventive

• Antivirus
• Immutable systems
• Hardening
• Sandbox detonation

• License technologies
• Allow list vs. block list
• Time of check vs. time of use
• Atomic execution

• Cron/scheduled tasks
• Bash
• PowerShell
• Python

• Review of lighting
• Review of visitor logs
• Camera reviews
• Open spaces vs. confined spaces

• False positive
• False negative
• True positive
• True negative

• Preparation
• Detection
• Analysis
• Containment
• Recovery
• Lessons learned

• Scenarios
  -Ransomware
  -Data exfiltration
  -Social engineering
• Non-automated response methods
• Automated response methods
  -Runbooks
  -SOAR

• Identification
• Evidence collection
  -Chain of custody
  -Order of volatility
  1. Memory snapshots
  2. Images
  -Cloning
• Evidence preservation
  -Secure storage
  -Backups
• Analysis
  -Forensics tools
• Verification
• Presentation

• Hashing

- Cryptanalysis

• Foremost
• Strings

- Binary analysis tools

• Hex dump
• Binwalk
• Ghidra
• GNU Project debugger (GDB)
• OllyDbg
• readelf
• objdump
• strace
• ldd
• file

- Analysis tools

• ExifTool
• Nmap
• Aircrack-ng
• Volatility
• The Sleuth Kit
• Dynamically vs. statically linked

• Forensic Toolkit (FTK) Imager
• dd

• sha256sum
• ssdeep

• netstat
• ps
• vmstat
• ldd
• lsof
• netcat
• tcpdump
• conntrack
• Wireshark

Security Engineering and Cryptography 26%

• Application control
• Password
• MFA requirements
• Token-based access
• Patch repository
• Firmware Over-the-Air
• Remote wipe
• WiFi
  -WiFi Protected Access (WPA2/3)
  -Device certificates
• Profiles
• Bluetooth
• Near-field communication (NFC)
• Peripherals
• Geofencing
• VPN settings
• Geotagging
• Certificate management
• Full device encryption
• Tethering
• Airplane mode
• Location services
• DNS over HTTPS (DoH)
• Custom DNS

• Bring your own device (BYOD)
• Corporate-owned
• Corporate owned, personally enabled (COPE)
• Choose your own device (CYOD)

• Unauthorized remote activation/deactivation of devices or features
• Encrypted and unencrypted communication concerns
• Physical reconnaissance
• Personal data theft
• Health privacy
• Implications of wearable devices
• Digital forensics of collected data
• Unauthorized application stores
• Jailbreaking/rooting
• Side loading
• Containerization
• Original equipment manufacturer (OEM) and carrier differences
• Supply chain issues
• eFuse

• Removing unneeded services
• Disabling unused accounts
• Images/templates
• Remove end-of-life devices
• Remove end-of-support devices
• Local drive encryption
• Enable no execute (NX)/execute never (XN) bit
• Disabling central processing unit (CPU) virtualization support
• Secure encrypted enclaves/memory encryption
• Shell restrictions
• Address space layout randomization (ASLR)

• Patching
• Firmware
• Application
• Logging
• Monitoring

• Security-Enhanced Linux (SELinux)/Security-Enhanced Android (SEAndroid)
• Kernel vs. middleware

• Trusted Platform Module (TPM)
• Secure Boot
• Unified Extensible Firmware Interface (UEFI)/basic input/output system (BIOS) protection
• Attestation services
• Hardware security module (HSM)
• Measured boot
• Self-encrypting drives (SEDs)

• Antivirus
• Application controls
• Host-based intrusion detection system (HIDS)/Host-based intrusion prevention system (HIPS)
• Host-based firewall
• Endpoint detection and response (EDR)
• Redundant hardware
• Self-healing hardware
• User and entity behavior analytics (UEBA)

• Internet of Things (IoT)
• System on a chip (SoC)
• Application-specific integrated circuit (ASIC)
• Field-programmable gate array (FPGA)

• Programmable logic controller (PLC)
• Historian
• Ladder logic
• Safety instrumented system
• Heating, ventilation, and air conditioning (HVAC)

• Controller Area Network (CAN) bus
• Modbus
• Distributed Network Protocol 3 (DNP3)
• Zigbee
• Common Industrial Protocol (CIP)
• Data distribution service

• Energy
• Manufacturing
• Healthcare
• Public utilities
• Public services
• Facility services

• Availability
• Collection
• Monitoring
• Configuration
• Alerting

- Monitoring configurations
- Key ownership and location
- Key life-cycle management
- Backup and recovery methods

• Cloud as business continuity and disaster recovery (BCDR)
• Primary provider BCDR
• Alternative provider BCDR

• Bit splitting
• Data dispersion

• Certificate authority (CA)
• Subordinate/intermediate CA
• Registration authority (RA)

- Certificate types

• Wildcard certificate
• Extended validation
• Multidomain
• General purpose

- Certificate usages/profiles/templates

• Client authentication
• Server authentication
• Digital signatures
• Code signing

- Extensions

• Common name (CN)
• Subject alternate name (SAN)

• Secure Hashing Algorithm (SHA)
• Hash-based message authentication code (HMAC)
• Message digest (MD)
• RACE integrity primitives evaluation message digest (RIPEMD)
• Poly1305

• Modes of operation
  -Galois/Counter Mode (GCM)
  -Electronic codebook (ECB)
  -Cipher block chaining (CBC)
  -Counter (CTR)
  -Output feedback (OFB)
• Stream and block
  -Advanced Encryption Standard (AES)
  -Triple digital encryption standard (3DES)
  -ChaCha
  -Salsa20

• Key agreement
  -Diffie-Hellman
  -Elliptic-curve Diffie-Hellman (ECDH)
• Signing
  -Digital signature algorithm (DSA)
  -Rivest, Shamir, and Adleman (RSA)
  -Elliptic-curve digital signature algorithm (ECDSA)

• Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
• Secure/Multipurpose Internet Mail Extensions (S/MIME)
• Internet Protocol Security (IPSec)
• Secure Shell (SSH)
• EAP

• P256
• P384

- Forward secrecy

• Password-based key derivation function 2 (PBKDF2)
• Bcrypt

• Validity dates
• Wrong certificate type
• Revoked certificates
• Incorrect name
• Chain issues
  -Invalid root or intermediate CAs
  -Self-signed
• Weak signing algorithm
• Weak cipher suite
• Incorrect permissions
• Cipher mismatches
• Downgrade

• Mismatched
• Improper key handling
• Embedded keys
• Rekeying
• Exposed private keys
• Crypto shredding
• Cryptographic obfuscation
• Key rotation
• Compromised keys

Governance, Risk, and Compliance 15%

• Likelihood
• Impact
• Qualitative vs. quantitative
• Exposure factor
• Asset value
• Total cost of ownership (TCO)
• Return on investment (ROI)
• Mean time to recovery (MTTR)
• Mean time between failure (MTBF)
• Annualized loss expectancy (ALE)
• Annualized rate of occurrence (ARO)
• Single loss expectancy (SLE)
• Gap analysis

- Risk handling techniques

• Transfer
• Accept
• Avoid
• Mitigate

- Risk types

• Inherent
• Residual
• Exceptions

- Risk management life cycle

• Identify
• Assess
• Control
  -People
  -Process
  -Technology
  -Protect
  -Detect
  -Respond
  -Restore
• Review
• Frameworks

- Risk tracking

• Risk register
• Key performance indicators
  -Scalability
  Reliability
  -Availability
• Key risk indicators

- Risk appetite vs. risk tolerance

• Tradeoff analysis
• Usability vs. security requirements

• Separation of duties
• Job rotation
• Mandatory vacation
• Least privilege
• Employment and termination procedures
• Training and awareness for users
• Auditing requirements and frequency

• Cloud service provider (CSP)
  -Geographic location
  -Infrastructure
  -Compute
  -Storage
  -Networking
  -Services
• Client
  -Encryption
  -Operating systems
  -Applications
  -Data

• Financial risk
• Merger or acquisition risk

• Legal
• Change management
• Staff turnover
• Device and technical configurations

• Code
• Hardware
• Modules

• Technical testing
• Network segmentation
• Transmission control
• Shared credentials

• Data sovereignty
• Data ownership
• Data classifications
• Data retention
• Data types
  -Health
  -Financial
  -Intellectual property
• Personally identifiable information (PII)
• Data removal, destruction, and sanitization

• Location of data
• Location of data subject
• Location of cloud provider

• Payment Card Industry Data Security Standard (PCI DSS)
• General Data Protection Regulation (GDPR)
• International Organization for Standardization (ISO)
• Capability Maturity Model Integration (CMMI)
• National Institute of Standards and Technology (NIST)
• Children’s Online Privacy Protection Act (COPPA)
• Common Criteria
• Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR)

• Due diligence
• Due care
• Export controls
• Legal holds
• E-discovery

• Service-level agreement (SLA)
• Master service agreement (MSA)
• Non-disclosure agreement (NDA)
• Memorandum of understanding (MOU)
• Interconnection security agreement (ISA)
• Operational-level agreement
• Privacy-level agreement

• Recovery point objective
• Recovery time objective
• Recovery service level
• Mission essential functions

- Privacy impact assessment

• Cold site
• Warm site
• Hot site
• Mobile site

• Roles/responsibilities
• After-action reports

• Checklist
• Walk-through
• Tabletop exercises
• Full interruption test
• Parallel test/simulation test