SEC401: Security Essentials - Network, Endpoint, and Cloud™

Overview

In the first section, we explore the reality that while organizations strive to prevent as many attacks as possible, not all threats will be stopped. Therefore, timely detection becomes critical. Understanding how to construct a defensible network architecture—along with the various network designs and communication flows—is essential to responding effectively.

Next, we examine how, within any organization, not all data holds equal value. Some information may be routine, while other data is highly sensitive and critical, with its loss potentially causing irreparable damage. It’s crucial to understand how network-based attacks introduce risk to this critical data and where vulnerabilities lie within an organization’s infrastructure. This requires a thorough understanding of modern network communication protocols.

Cloud computing naturally comes into focus as part of modern public and private network discussions. No conversation about defensible networking would be complete without addressing the cloud—its security features, capabilities, and associated concerns. Additionally, we explore artificial intelligence (AI) in this context, discussing its fundamentals and what AI truly means versus common misconceptions. Understanding AI’s role in the cloud is essential, as many AI-driven solutions operate within cloud environments, further intertwining these two critical topics in modern cybersecurity.

As we delve deeper, it becomes clear that adversaries rely on our networks as much as we do. They pivot relentlessly from system to system, exploiting our infrastructure to reach their objectives. By learning how our networks function in relation to our unique needs, we can better detect and mitigate adversarial activity.

By the end of this section, you will have a solid understanding of defensible network architecture, protocols and packet analysis, virtualization and cloud fundamentals (including AI), and wireless network security.

Exercises

• Sniffing and analysis of network traffic including tcpdump
• Sniffing, protocol decoding, and extraction of network traffic using Wireshark
• Examination and interpretation of Amazon Web Services (AWS) VPC Flow Logs

Topics

Module: Defensible Network Architecture

To properly secure and defend a network, you must first have a clear and strong understanding of both the logical and physical components of network architecture. Above and beyond an understanding of network architecture, however, properly securing and defending a network will further require an understanding of how adversaries abuse the information systems of our network to achieve their goals.

• Network Architecture
• Attacks Against Network Devices
• Network Topologies
• Network Design

Module: Protocols and Packet Analysis

A solid understanding of the interworking of networks enables you to more effectively recognize, analyze, and respond to the latest (perhaps unpublished) attacks. This module introduces the core concepts of computer networks and protocols.

• Network Protocols Overview
• Internet Protocol (IP)
• Internet Control Message Protocol (ICMP)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
• tcpdump

Module: Virtualization, Cloud, and AI Essentials

The module begins with an examination of what virtualization is, the security benefits and the risks of a virtualized environment, and the differences found in different types of virtualization architecture. Because cloud computing is architected on virtualization, the module contains an extensive discussion of what the public and private cloud is, how it works, the services made available by the public cloud (including security offerings), and related security concepts. Last, but not least, because much of our current AI functionality operates in the cloud, it makes sense to discuss in this module exactly what AI is, whether the hype is warranted (or not), and what AI currently means versus what it might mean in the future.

• Virtualization Overview
• Virtualization Security
• Cloud Overview
• Cloud Security
• AI Overview
• AI Security

Module: Securing Wireless Networks

This module helps the student to understand the differences of the various types of wireless communication technologies available today, the insecurities present in those communications, and approaches to reduce the risk of those insecurities to a more acceptable level.

• The Pervasiveness of Wireless Communications
• Traditional Wireless: IEEE 802.11 and its Continual Evolution
• Personal Area Networks
• 5G Cellular (Mobile) Communications
• The Internet of Things

Overview

This section of the course explores large-scale threats to our systems and the strategies for defending against them, emphasizing the need for layered protection, known as defense-in-depth. We begin by laying the groundwork for information assurance, examining how security threats impact the confidentiality, integrity, and availability of our systems.

Since access controls are a fundamental component of defense-in-depth, we dive into the core aspects of identity and access management (IAM). Despite efforts to deprecate passwords as the primary authentication factor, they remain prevalent today, and many security breaches still stem from credential theft. This leads to an in-depth discussion on modern authentication methods and password security, particularly in the context of cloud computing. IAM is increasingly considered the new security perimeter for cloud-based systems, and its proper implementation is crucial for strong defense.

Midway through this section, we shift focus to contemporary security controls that are effective against today's adversaries. We do this by examining frameworks such as the Center for Internet Security (CIS) Controls, the NIST Cybersecurity Framework, and the MITRE ATT&CK knowledge base.

As we revisit earlier discussions on network architecture, we naturally explore additional ways to bolster network defensibility. This brings us to a broader environmental approach, emphasizing how best to secure data both in transit and at rest, leading to an in-depth conversation on data loss prevention (DLP) techniques.

Finally, no discussion on defense-in-depth would be complete without addressing one of the most critical technologies in use today--mobile devices. We conclude this section with a dedicated module on mobile devices, examining both the benefits and the security risks they present. Topics such as Bring Your Own Device (BYOD) and Mobile Device Management (MDM) are explored in detail to round out the discussion.

Exercises

• Password Auditing
• Investigative techniques using Data Loss Prevention capabilities
• Investigation of artifacts found in mobile device backups

Topics

Module: Defense-in-Depth

This module examines threats to our systems and takes a big picture look at how to defend against them. We will learn that protections need to be layered, a principle called defense-in-depth. We will also evaluate related principles (such as Zero Trust) that will further serve you well in protecting your systems.

• Defense-in-Depth Overview
• Constituents of Risk: Confidentiality, Integrity and Availability
• Strategies for Defense-in-Depth
• Core Security Strategies
• Defense-in-Depth in the Cloud
• Zero Trust Methodology
• Variable Trust

Module: IAM, Authentication, and Password Security

This module discusses the principles of identity management and access control. As access control models vary in their approaches to security, we will explore their underlying principles, strengths, and weaknesses. The module also includes a brief discussion on authentication and authorization protocols and control. A discussion of identity and access management naturally leads to a conversation on authentication and password security. We will spend time discussing the various factors of authentication: something you know, something you have, and something you are. We conclude the module by focusing specifically on the most common (and problematic) example of something you know: the password.

• IAAA: Identification, Authentication, Authorization, Accountability
• Single Sign On (SSO): Traditional On-Premise and Cloud (SAML and OAuth)
• Password Management
• Password Techniques
• Password (Passphrase) Policies
• Password Storage
• Key Derivation Functions
• How Password Assessment Works
• Password Attack Tools (Hashcat and Mimikatz)
• Multi-Factor Authentication
• Adaptive Authentication
• Privileged Access Management: On-Premise and Cloud

Module: Security Frameworks

In implementing security, it is important to have a framework that includes proper metrics. As is often said, you cannot manage what you cannot measure. This module focuses on three frameworks: The Center for Internet Security (CIS) Controls (created to help organizations prioritize the most critical risks they face); the NIST Cybersecurity Framework (standards, guidelines, and best practices that can assist in managing overall cybersecurity risk); and the MITRE ATT&CK knowledge base (adversary tactics and techniques). Combining the prioritized actions of the CIS Controls with the understanding of overall risk from the NIST Cybersecurity Framework, all in consideration of adversarial tactics and techniques, will help put us on solid footing in defending against the modern adversary.

• Introduction to the CIS Controls
• CIS Controls Guiding Principles
• Case Study: Sample CIS Control
• NIST Cybersecurity Framework
• MITRE ATT&CK (TTP and Mapping to Known Adversaries)

Module: Data Loss Prevention

Loss or leakage?

In essence, data loss is any condition that results in data being corrupted, deleted, or made unreadable in any way. A data breach is an incident that can lead to, among other things, unintentional information disclosure and data leakage. This module covers exactly what constitutes data loss or leakage, and the methodologies that can be leveraged to implement an appropriate data-loss prevention capability.

• Loss or Leakage
• Data Loss
• Data Leakage
• Ransomware
• Preventative Strategies
• Redundancy (On-Premise and Cloud)
• Data Recovery
• Related Regulatory Requirements (GDPR and CCPA)
• Data Loss Prevention Tools
• Defending Against Data Exfiltration
• User Activity Monitoring

Module: Mobile Device Security

The first part of the module gives a comparison of the Android and iOS mobile operating systems and what makes them so different. The module concludes with a brief discussion of the security features of both mobile operating systems, along with the potential of damaging attacks from malware.

• Android versus iOS
• Android Security
• Android Security Features
• What You Need to Know About Android
• Android Fragmentation
• Android Security Fix Process
• Apple iOS Security
• Apple iOS Security Features
• What to Know About iOS
• iOS Updates
• Mobile Problems and Opportunities
• Mobile Device Management
• Unlocking, Rooting, and Jailbreaking
• Mitigating Mobile Malware
• Android Malware
• iOS Malware

Overview

In this section, we turn our attention to the various areas within our environment where vulnerabilities can emerge. We begin by defining what constitutes a vulnerability and how to establish an effective vulnerability assessment program.

Since vulnerabilities represent the weaknesses that adversaries exploit, a discussion on this topic must also include an in-depth examination of modern attack methodologies, with real-world examples of compromises. Among the potential areas for vulnerabilities, web applications pose some of the greatest risks, often leading to the most severe consequences. Due to the extensive vulnerabilities associated with web applications, an entire module is dedicated to exploring web application security concepts.

While vulnerabilities may provide adversaries with easy access to systems, it's important to remember that their actions post-compromise can often be detected. By effectively leveraging the logging capabilities of hardware and software, we can detect adversarial activity more quickly. This capability is covered in our penultimate module, which focuses on Security Operations and Log Management.

Finally, it's crucial to have a well-structured response plan for handling any compromises. The methodology for an appropriate incident response is the focus of the final module in this section.

Exercises

• System, Port, and Vulnerability Discovery with Nmap
• Malware Analysis
• Abusing Web Application Vulnerabilities for Exploitation
• Leveraging SIEM Logs for Incident Response and Investigation

Topics

Module: Vulnerability Assessments

This module covers the tools, technology, and techniques used for the mapping of networks and scanning of vulnerabilities, all within the scope of a proper vulnerability framework.

• Introduction to Vulnerability Assessments
• Steps to Perform a Vulnerability Assessment
• Criticality and Risks

Module: Penetration Testing

The role of penetration testing, which is well understood by most organizations, gave rise to newer testing techniques such as red and purple teaming and adversary emulation. Often, penetration testing is limited in scope to where the testers are not truly able to emulate and mimic the behaviors of adversaries. This is where the red teaming and adversary emulation functions come into play. Furthermore, a methodical and meticulous approach to penetration testing is needed to provide value to your organization.

• The What and Why of Penetration Testing
• Red Team
• Adversary Emulation
• Purple Team
• External and Internal Penetration Testing
• Web Application Penetration Testing
• Social Engineering
• Mobile Device Testing
• Internet of Things Testing
• Penetration Testing Process
• Penetration Testing Tools (Nmap, Metasploit, Meterpreter)
• Password Compromise, Reuse, Stuffing, and Spraying

Module: Attacks and Malicious Software

This module will examine commonalities of well-known breaches as well as ransomware attacks that continue to cripple hundreds of thousands of systems across different industries. We will describe the attacks in detail, discussing not only the conditions that made them possible, but also strategies that can be used to help manage the risks associated with such attacks.

• High-Profile Breaches and Ransomware
• Ransomware as a Service
• Common Attack Techniques
• Malware and Analysis

Module: Web Application Security

This module looks at some of the most important things to know about designing and deploying secure web applications. We start with an examination of the basics of web communications, then move on to cover HTTP, HTTPS, HTML, cookies, authentication, and maintaining state. We conclude by looking at how to identify and fix vulnerabilities in web applications.

• Web Communication Fundamentals
• Cookies
• HTTPS
• Developing Secure Web Apps
• OWASP Top Ten
• Basics of Secure Coding
• Web Application Vulnerabilities
• Web Application Monitoring
• Web Application Firewall (WAF)

Module: Security Operations and Log Management

This module covers the essential components of logging, how to properly manage logging, and the considerations that factor into leveraging logging to its fullest potential during incident response.

• Logging Overview
• Log Collection Architecture
• Log Filtering
• Problems with Logging Standards
• Setting Up and Configuring Logging
• Log Analysis Tools
• Log Aggregation and SIEM
• Key Logging Activities

Module: Digital Forensics and Incident Response

This module explores the fundamentals of incident handling and why it is important to an organization. We will outline a multi-step process to create our own incident handling procedures and response plans. Being able to leverage digital forensic methodologies to ensure that processes are repeatable and verifiable will also be a key focus of the material.

• Introduction to Digital Forensics
• What is Digital Forensics?
• Digital Forensics in Practice
• The Investigative Process
• Remaining Forensically Sound
• Examples of Examining Forensics Artifacts
• DFIR (Digital Forensics and Incident Response) Subdisciplines
• Digital Forensics Tools
• Incident Handling Fundamentals
• Multi-Step Process for Handling an Incident
• Threat Hunting

Overview

There is no single solution that guarantees complete security, but one technology that can address many security challenges--though often improperly deployed--is cryptography. In the first half of this section, we will delve into various cryptographic concepts and explore how they can be effectively used to safeguard an organization's assets.

In the second half, our focus shifts to prevention technologies that can stop adversaries from gaining access to your organization. This includes the use of firewalls and intrusion prevention systems. We will also examine detection technologies, such as intrusion detection systems, which can identify the presence of an adversary. These prevention and detection methods can be deployed at both the network and endpoint levels, and we will discuss the similarities and differences in their implementation.

Exercises

• Hashing and Cryptographic Validation
• Encryption, Decryption, and Digital Signature Techniques
• Incident Detection Leveraging the Snort and Zeek Intrusion Detection Systems

Topics

Module: Cryptography

Cryptography can provide the functional capabilities needed to achieve confidentiality, integrity, authentication, and non-repudiation. There are three general types of cryptographic systems: symmetric, asymmetric, and hashing. These systems are usually distinguished from one another by the number of keys employed, as well as the security goals they achieve. This module discusses these different types of cryptographic systems and how each type is used to provide a specific security function.

• Cryptosystem Fundamentals
• Cryptography
• Cryptanalysis
• General Types of Cryptosystems (Symmetric, Asymmetric, Hashing)
• Digital Signatures

Module: Cryptography Algorithms and Deployment

The content of this module will help us gain a high-level understanding of the mathematical concepts that contribute to modern cryptography. We'll also identify common attacks used to subvert cryptographic defenses.

• Mathematical Features of Strong Cryptography
• AES
• RSA
• ECC
• Cryptography Attacks (Cryptanalysis)

Module: Applying Cryptography

This module will discuss the practical applications of cryptography in terms of protection of data in transit and protection of data at rest. We conclude with an important discussion on the management of public keys (and the related concepts of certificates), all in terms of a Public Key Infrastructure.

• Data in Transit
• Virtual Private Networks (VPN), IPsec and SSL-based
• Data at Rest
• File/Folder Level Encryption
• Full Disk Encryption
• GNU Privacy Guard (GPG)
• Key Management
• Public Key Infrastructure (PKI)
• Digital Certificates
• Certificate Authorities

Module: Network Security Devices

Three main categories of network security devices will be discussed in this module: Firewalls, Network Intrusion Detection Systems (NIDS), and Network Intrusion Prevention Systems (NIPS). Together, they provide a complement of prevention and detection capabilities.

• Overview of Firewalls
• Types of Firewalls
• Firewall Configuration and Deployment Considerations
• NIDS
• Types of NIDS
• Snort as a NIDS
• NIPS
• Methods for NIPS Deployment
• NIPS Security and Productivity Risk Considerations

Module: Endpoint Security

In this final module of the section, we examine some of the key components, strategies, and solutions for implementing security from an endpoint perspective. This includes general approaches to endpoint security, strategies for baselining activity, and solutions like Host-based IDS (HIDS) and Host-based IPS (HIPS).

• Endpoint Security Overview
• Core Components of Endpoint Security
• Enhancing Endpoint Security
• Endpoint Security Solutions
• Anti-malware
• Endpoint Firewalls
• Integrity Checking
• HIDS, HIPS, and EDR

Overview

Remember when Windows was simple? Back in the days of Windows XP desktops in small workgroups, things seemed straightforward. But much has changed. Today, we manage Windows tablets, Azure, Active Directory, PowerShell, Microsoft 365 (formerly Office 365), Hyper-V, Virtual Desktop Infrastructure, and more. As Microsoft competes with cloud giants like Google and Amazon, securing the cloud has become a critical challenge.

Windows remains the most widely used and targeted desktop operating system globally. At the same time, the complexities of Active Directory, Public Key Infrastructure (PKI), BitLocker, endpoint security, and user access control present both challenges and opportunities. This course section will guide you through mastering the essentials of Windows security while introducing tools that can streamline and automate your work, whether on-premises or in the cloud with Microsoft Azure. By the end of this section, you'll have a solid foundation in Windows security, including automation and auditing within the Windows ecosystem.

Exercises

• Process Observation and Analysis
• NTFS File System Permissions Analysis as Part of Incident Response
• Auditing and Enforcement of System Baseline Configurations with Security Templates
• PowerShell Scripting and Automation Techniques for Speed and Scale

Topics

Module: Windows Security Infrastructure

This module discusses the infrastructure that supports Windows security. This is a big picture overview of the Windows security model. It provides the background concepts necessary to understand everything else that follows.

• Windows Family of Products
• Windows Workgroups and Accounts
• Windows Active Directory and Group Policy

Module: Windows as a Service

This module discusses techniques for managing Windows systems as it applies to updates (patches) as well as new cloud-based deployment methodology (Windows Autopilot, Windows Virtual Desktop and Windows 365).

• End of Support
• Servicing Channels
• Windows Update
• Windows Server Update Services
• Windows Autopilot
• Windows Virtual Desktop
• Windows 365

Module: Windows Access Controls

This module focuses on understanding how permissions are applied in the Windows NT File System (NTFS), Shared Folders, Active Directory, and Privileges. BitLocker is discussed as another form of access control (encryption), and as a tool to help maintain the integrity of the boot-up process if you have a Trusted Platform Module (TPM).

• NTFS Permissions
• Shared Folder Permissions
• Active Directory
• Permissions
• Privileges
• BitLocker Drive Encryption
• Personal Data Encryption (PDE)
• Hardware-based security (Microsoft Pluton)

Module: Enforcing Security Configurations

This module discusses one of the best tools for automating security configuration changes, SecEdit.exe, which is the command-line version of Microsoft's Security Configuration and Analysis snap-in. We'll look at some of the most important changes that can be made by this tool, such as password and auditing policies. We'll also briefly discuss Group Policy Objects (GPOs) and the many best practice security configuration changes that they can help enforce throughout the domain.

• Applying Security Templates
• Employing the Security Configuration and Analysis Snap-in
• Understanding Local Group Policy Objects
• Understanding Domain Group Policy Objects
• Administrative Users
• Privileged Account Management
• Reduction of Administrative Privileges
• AppLocker
• User Account Control
• Windows Firewall
• IPsec Authentication and Encryption
• Remote Desktop Services
• Recommended GPO Settings

Module: Microsoft Cloud Computing

Inside your LAN as well as in the cloud, you will likely have a mixture of servers. Microsoft's cloud is known as Azure. On top of Azure, Microsoft has implemented services such as Microsoft 365, Exchange Online, OneDrive, Intune, and many others. Microsoft has designed Windows 10 and Windows 11 for integration with Azure, so Windows security includes not just Windows alone, but also Azure. It's important for your career as a security professional to understand the essential concepts of Microsoft Azure.

• Microsoft All-In Bet on Cloud Computing
• Microsoft Cloud Types: IaaS, PaaS, SaaS, and DaaS
• Microsoft Azure
• Entra ID (Azure Active Directory)
• Entra ID Single Sign-On
• Multi-Factor Authentication
• Administrative Role Reduction
• Endpoint Security Enforcement
• Microsoft Intune
• Azure Conditional Access
• Azure Monitor
• Azure Sentinel (SIEM and SOAR)
• Azure Policy
• Azure Security Center

Module: Automation, Logging, and Auditing

Automation, logging, and auditing go together because if we can't automate our work, the auditing work doesn't get done at all (or is done only sporadically). Also, if we can't automate our work, we can't make our work scale beyond the small number of machines that we can physically touch. Thankfully, modern Windows systems come with a very powerful automation capability: PowerShell. We will learn what PowerShell is and how to leverage it in our pursuit of deployment consistency, detection of change, remediation of systems, and even threat hunting!

• What Is Windows PowerShell?
• Windows PowerShell versus PowerShell Core
• Windows Subsystem for Linux (WSL)
• Automation and Command-Line Capability in Azure (PowerShell Az Module and Azure CLI)
• Azure Cloud Shell
• Runbooks
• Gathering Ongoing Operational Data Employing Change Detection and Analysis

Overview

While organizations may not have a large number of Linux systems, those they do have are often the most critical and require the highest levels of protection. This course section focuses on providing practical guidance to enhance the security of any Linux system. It offers step-by-step instructions with foundational background for Linux beginners, as well as advanced security advice and best practices for administrators of varying expertise levels.

Given Linux's reputation as a free and open-source operating system, it's no surprise that many advanced security concepts are first developed for Linux. One notable example is containers, which offer powerful and flexible capabilities for cloud computing deployments. Although containers weren't initially designed for security purposes, they are built on the principle of minimization, which can be leveraged as part of a defense-in-depth security strategy. We will explore what containers represent for information security, what they do not, and best practices for their management.

Finally, we conclude this section with a review of Apple's macOS, which is built on a UNIX foundation. Despite its robust hardware and software security features, macOS is often misunderstood regarding what it can and cannot achieve in terms of security.

Exercises

• Linux Permissions
• Containers and Logging Concepts
• Linux Logging and Auditing Capabilities

Topics

Module: Linux Fundamentals

This module discusses the foundational items that are needed to understand how to configure and secure a Linux system.

• Operating System Comparison
• Linux Vulnerabilities
• Linux Operating System
• Shells
• Linux Kernel
• Linux Filesystem and Intrinsic Security Capabilities
• Encryption at Rest
• Permissions
• User Accounts
• PAM Subsystem
• Command-Line Capabilities
• Service Hardening
• Package Management

Module: Containerized Security

The importance of segmentation and isolation techniques cannot be understated. Isolation techniques can help mitigate the initial damage caused by an adversary, giving us more time for detection. In this module, we will discuss various types of isolation techniques, including virtualization and containers. Containers are a relatively new concept (as applied to information security perspectives). There can be a lot of misunderstanding as to what security benefits are truly afforded by containers, and the potential security issues that may arise within containers themselves. We will discuss what containers are, best practices to deploy them, and how to secure them.

• Virtualization
• Containers versus VMs
• Containers and Orchestration
• LXC
• Cgroups and Namespaces
• Docker
• Docker Images
• Kubernetes
• Container Security
• Docker Best Practices
• Vulnerability Management and Secure Configuration Baselines

Module: Linux Security Enhancements and Infrastructure

This module discusses security enhancement utilities that provide additional security and lockdown capabilities for modern Linux systems. As discussed earlier in the course, taking advantage of logging capabilities is an incredibly important aspect of our modern cyber defense. Linux supports the well-known Syslog logging standard (and its related features) and will be discussed in this module. As Syslog continues to age, it may end up being unable to provide the logging features that modern day cyber defense demands. Because of this, we will also explore additional logging enhancements ranging from Syslog-ng to Auditd.

• Operating System Enhancements
• SELinux
• AppArmor
• Linux Hardening
• Kernel Module Security
• SSH Hardening
• CIS Hardening Guides and Utilities
• Log Files
• Syslog
• Syslog Security
• Log Rotation
• Auditd
• Firewalls: Network and Endpoint

Module: macOS Security

This module focuses on the security features that are built into macOS systems. Although macOS is a relatively secure system that provides many different features, it can also be flawed just like any other operating system.

• What is macOS?
• Privacy Controls
• Keychain
• Strong Passwords
• Gatekeeper
• Anti-Phishing and Download Protection
• XProtect
• Firewall Capabilities
• FileVault
• Sandboxing and Runtime Protection
• Security Enclaves
• macOS Vulnerabilities and Malware