Network Security Summary

The document covers various aspects of network security, including the roles of Cisco Talos and PSIRT, the importance of authentication and physical security in data centers, and the types of attacks such as reconnaissance, access, and DoS attacks. It also discusses risk management strategies, social engineering techniques, and the CIA Triad principles of confidentiality, integrity, and availability. Additionally, it highlights the significance of security policies, the evolution of network security approaches, and the response phases to worm attacks.

Uploaded by anasalwardtech

Module One:

1. The Cisco Talos Intelligence Group website provides comprehensive security and threat
intelligence.
2. The Cisco Product Security Incident Response Team (PSIRT) is responsible for investigating and
mitigating potential vulnerabilities in Cisco products.
3. An attack vector is a path by which a threat actor can gain access to a server, host, or network.
4. Passwords are the first line of defense.
5. A Cisco Email Security Appliance (ESA) and Web Security Appliance (WSA) provide advanced
threat defense, application visibility and control, reporting, and secure mobility to secure and
control email and web traffic.
6. An authentication, authorization, and accounting (AAA) server authenticates users, authorizes
what they are allowed to do, and tracks what they are doing.
7. Data center networks are typically housed in an off-site facility to store sensitive or proprietary
data.
8. Data center physical security can be divided into two areas: Outside perimeter security and
Inside perimeter security.
9. Virtualization is the foundation of cloud computing.
10. Cloud computing separates the application from the hardware.
11. Virtualization separates the operating system from the hardware.

12. VMs are prone to specific targeted attacks:
a. Hyperjacking: An attacker could hijack a VM hypervisor (VM controlling software) and
then use it as a launch point to attack other devices on the data center network.
b. Instant On Activation: When a VM that has not been used for a period of time is
brought online, it may have outdated security policies that deviate from the baseline
security and can introduce security vulnerabilities.
c. Antivirus Storms: This happens when all VMs attempt to download antivirus data files
at the same time.

13. In a Borderless Network, access to resources can be initiated by users from many locations, on
many types of end devices, using various connectivity methods.

14. Mobile Device Management (MDM) features:
a. Data Encryption.
b. PIN Enforcement.
c. Data Wipe: Lost or stolen devices can be remotely fully- or partially-wiped.
d. Data Loss Prevention (DLP).
e. Jailbreak/Root Detection: Jailbreaking (on Apple iOS devices) and rooting (on Android
devices) are a means to bypass the management of a device. MDM features can detect
such bypasses and immediately restrict a device’s access to the network or assets.

Module Two:
1. Four common ways to manage risk:
a. Risk Acceptance: This is when the cost of risk management options outweighs the cost
of the risk itself.
b. Risk Avoidance: This means avoiding any exposure to the risk by eliminating the activity
or device that presents the risk.
c. Risk Reduction: This reduces exposure to risk or reduces the impact of risk by taking
action to decrease the risk.
d. Risk Transfer: Some (or all) of the risk is transferred to a willing third party such as an
insurance company.

2. Vulnerability brokers are grey hat hackers who attempt to discover exploits and report them to
vendors, sometimes for prizes or rewards.
3. Hacktivists are grey hat hackers who rally and protest against different political and social ideas.
4. Many network attacks can be prevented by sharing information about indicators of
compromise (IOC).
5. Indicators of attack (IOA) focus more on the motivation behind an attack and the potential
means.
6. IOAs are concerned with the strategies that are used by attackers.
7. The US Cybersecurity Infrastructure and Security Agency (CISA) uses a system called
Automated Indicator Sharing (AIS). AIS enables the sharing of attack indicators between the US
government and the private sector as soon as threats are verified.
8. Packet crafting tools are used to probe and test a firewall’s robustness using specially crafted
forged packets.
9. A rootkit detector is a directory and file integrity checker used by white hat hackers to detect
installed rootkits.
10. Fuzzers are tools used by threat actors when attempting to discover a computer system’s
security vulnerabilities.
11. White hat hackers use forensic tools to sniff out any trace of evidence existing in a particular
computer system.
12. Debugger tools are used by black hat hackers to reverse engineer binary files when writing
exploits. They are also used by white hat hackers when analyzing malware.
13. An eavesdropping attack is when a threat actor captures and listens to network traffic. This
attack is also referred to as sniffing or snooping.
14. Password-based attacks occur when a threat actor obtains the credentials for a valid user
account. Threat actors then use that account to obtain lists of other users and network
information. They could also change server and network configurations, and modify, reroute, or
delete data.
15. In spoofing attacks, the threat actor’s device attempts to pose as another device by falsifying
data. Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing.
16. MiTM (Man-in-the-middle) Attack.
17. Trojan horse malware can use the victim's computer as the source device to launch attacks and
perform other illegal activities. This is known as the proxy type of Trojan horse.
18. Computer worms are like viruses because they replicate and can cause the same type of
damage. Specifically, worms replicate themselves by independently exploiting vulnerabilities in
networks.
19. SQL Slammer is known as the worm that ate the internet.

20. Most worm attacks consist of three components:
a. Enabling vulnerability: A worm installs itself using an exploit mechanism, such as an
email attachment, an executable file, or a Trojan horse, on a vulnerable system.
b. Propagation mechanism: After gaining access to a device, the worm replicates itself and
locates new targets.
c. Payload: Any malicious code that results in some action is a payload. Most often this is
used to create a backdoor that allows a threat actor access to the infected host or to
create a DoS attack.

21. A rootkit is installed on a compromised system. After it is installed, it continues to hide its
intrusion and provides privileged access to the threat actor.

22. Three major categories of network attacks:
a. Reconnaissance Attacks: Reconnaissance is information gathering. Threat actors use
reconnaissance (or recon) attacks to do unauthorized discovery and mapping of
systems, services, or vulnerabilities.
b. Access Attacks: Access attacks exploit known vulnerabilities in authentication services,
FTP services, and web services. The purpose of this type of attack is to gain entry to web
accounts, confidential databases, and other sensitive information.
c. DoS Attacks.

23. Social engineering is an access attack.

24. Some social engineering techniques:
a. Pretexting: A threat actor pretends to need personal or financial data to confirm the
identity of the recipient.
b. Something for Something: Sometimes called “Quid pro quo”, this is when a threat actor
requests personal information from a party in exchange for something such as a gift.
c. Baiting: A threat actor leaves a malware-infected flash drive in a public location. A
victim finds the drive and unsuspectingly inserts it into their laptop, unintentionally
installing malware.

25. Some terms in DoS attacks:
a. Zombies: This refers to a group of compromised hosts (i.e., agents).
b. Bots: These are malware programs designed to infect a host and communicate with a handler
system. Bots can also log keystrokes, gather passwords, capture and analyze packets,
and more.
c. Botnet: This refers to a group of zombies that have been infected using self-propagating
malware (i.e., bots) and are controlled by handlers.
d. Handlers: This refers to a master command-and-control (CnC or C2) server controlling
groups of zombies. The originator of a botnet can use Internet Relay Chat (IRC) or a web
server on the C2 server to remotely control the zombies.
e. Botmaster: This is the threat actor who is in control of the botnet and handlers.

Module Three:
1. The CIA Triad consists of three components of information security:
a. Confidentiality: Only authorized individuals, entities, or processes can access sensitive
information.
b. Integrity: This refers to the protection of data from unauthorized alteration.
c. Availability.

2. There are 14 network security domains specified by the International Organization for
Standardization (ISO)/International Electrotechnical Commission (IEC).
a. Operations Security: This describes the management of technical security controls in
systems and networks including malware defenses, data backup, logging and
monitoring, vulnerability management, and audit considerations. This domain is also
concerned with the integrity of software that is used in business operations.
b. System Acquisition, Development, and Maintenance: This ensures that information
security remains a central concern in an organization’s processes across the entire
lifecycle, in both private and public networks.
c. Information Security Incident Management: This describes how to anticipate and
respond to information security breaches.
d. Compliance: This describes the process of ensuring conformance with information
security policies, standards, and regulations.
e. …

3. Business policies are the guidelines that are developed by an organization to govern its actions.
4. Security policies are used to inform users, staff, and managers of an organization’s
requirements for protecting technology and information assets. A security policy also specifies
the mechanisms that are needed to meet security requirements and provides a baseline from
which to acquire, configure, and audit computer systems and networks for compliance.
5. Acceptable Use Policy (AUP): Identifies network applications and uses that are acceptable to
the organization. It may also identify ramifications if this policy is violated.
6. A common analogy used to describe a defense-in-depth approach is called “the security onion.”
7. The changing landscape of networking, such as the evolution of borderless networks, has
changed the security onion to the “security artichoke”, which benefits threat actors because
they no longer have to peel away each layer.
8. A Data Security Platform (DSP) is an integrated security solution that combines traditionally
independent tools into a suite of tools that are made to work together.
9. One such DSP is the Helix platform from FireEye.
10. Another integrated DSP is Cisco SecureX.

11. The response to a worm attack can be broken down into four phases:
a. Containment: The containment phase involves limiting the spread of a worm infection
to areas of the network that are already affected.
b. Inoculation: The inoculation phase runs parallel to or subsequent to the containment
phase. During the inoculation phase, all uninfected systems are patched with the
appropriate vendor patch.
c. Quarantine: The quarantine phase involves tracking down and identifying infected
machines within the contained areas and disconnecting, blocking, or removing them.
d. Treatment: The treatment phase involves actively disinfecting infected systems.

12. Reconnaissance attacks are typically the precursor to other attacks that are designed to gain
unauthorized access to a network or disrupt network functionality.

13. Reconnaissance attacks can be mitigated in several ways, including the following:
a. Implementing authentication to ensure proper access.
b. Using encryption to render packet sniffer attacks useless.
c. Using anti-sniffer tools to detect packet sniffer attacks.
d. Implementing a switched infrastructure.
e. Using a firewall and IPS.

14. It is impossible to mitigate port scanning. Using an IPS and firewall can limit the information that
can be discovered with a port scanner.
15. Ping sweeps can be stopped if ICMP echo and echo-reply are turned off on edge routers;
however, when these services are turned off, network diagnostic data is lost.

16. Access attacks can be mitigated in several ways, including the following:
a. Use strong passwords.
b. Disable accounts after a specified number of unsuccessful logins has occurred.
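The two edge-router measures in items 15 and 16, as an added Cisco IOS configuration example that is not part of the course notes. It is narrower than "turn off ICMP echo and echo-reply": only inbound echo-request is dropped, so outbound ping, traceroute and path MTU discovery keep working. Interface names, prefixes and timer values are placeholders.

```cisco
! Added example, not from the course notes. Placeholders: interface name,
! the 10.0.0.0/24 admin prefix, and the lockout timers.
!
! --- Item 15: stop inbound ping sweeps without losing all ICMP diagnostics ---
ip access-list extended EDGE-IN
 remark External hosts get no answer to ping sweeps; log the attempts
 deny   icmp any any echo log
 remark Keep the ICMP types that our own outbound diagnostics depend on
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 remark All other ICMP is dropped; non-ICMP traffic is left to the firewall
 deny   icmp any any
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet-facing edge (placeholder name)
 ip access-group EDGE-IN in
!
! --- Item 16: strong passwords and a lockout after repeated failures ---
ip access-list standard ADMIN-HOSTS
 remark Placeholder management prefix still allowed during quiet mode
 permit 10.0.0.0 0.0.0.255
!
security passwords min-length 10
! Three failed logins within 60 s put the router into a 120 s quiet period
! in which further login attempts are refused, except from ADMIN-HOSTS.
login block-for 120 attempts 3 within 60
login quiet-mode access-class ADMIN-HOSTS
login on-failure log
login on-success log
```

The logged deny entries and the login failure messages are what a SIEM would watch to spot a sweep or a password-guessing run in progress.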

17. Multifactor authentication (MFA).

18. The Cisco Network Foundation Protection (NFP) framework provides comprehensive guidelines
for protecting the network infrastructure.

19. NFP logically divides routers and switches into three functional areas:
a. Control plane - Responsible for routing data correctly.
b. Management plane - Responsible for managing network elements.
c. Data plane - Responsible for forwarding data.
20. Control plane security can be implemented using the following features:
a. Routing protocol authentication: Routing protocol authentication, or neighbor
authentication, prevents a router from accepting fraudulent routing updates.
b. Control Plane Policing (CoPP): CoPP is a Cisco IOS feature that lets users control the
flow of traffic that is handled by the route processor of a network device.
c. AutoSecure: This can lock down the management plane functions and the forwarding
plane services and functions of a router.

21. CoPP is designed to prevent unnecessary traffic from overwhelming the route processor.
22. Management plane traffic is generated either by network devices or network management
stations.
