Cisco CCSA

  1. Objectives:
    1. Pass the exams and get the certificates
    2. Learn something and have a foundation to start with
    3. Knowledge transfer to your colleagues
  2. Course Structure
    1. Introduction to Cybersecurity (with quizzes)
    2. 210-250 SECFND (Understanding Cisco Cybersecurity Fundamentals)
    3. 210-255 SECOPS (Implementing Cisco Cybersecurity Operations)
  3. Contents (36 hours of lecturing at Systematic; assume another 72 hours of self-learning)
    1. Introduction to Cybersecurity
      1. Ch1 – The need for cybersecurity
        1. protection from unauthorized use or harm;
      2. Ch2 – Attacks, concepts and techniques
        1. Malicious software or malware, blended attack
          1. Types of malware
            1. Spyware
            2. Adware
            3. Bot: automatically perform action
            4. Ransomware: encryption until payment
            5. Scareware: persuade user to take action on fear
            6. Rootkit: modify OS to create backdoor, better reinstall OS;
            7. Virus (binds with executable files) / Trojan horse (binds with non-executable files, eg. jpg, videos) / Worm (self-replicate in network)
            8. Man-in-the-Middle
            9. Man-in-the-Mobile: take control of the mobile device
        2. Security vulnerabilities: defect
          1. Software security vulnerabilities:
            1. Buffer overflow: By changing data beyond the boundaries of a buffer; (?how to prevent in coding?)
            2. Non-validated input:
            3. Race conditions
            4. weakness in security practices: developers should use verified security library;
            5. access control problems: 1st prevent physical access;
          2. Hardware security vulnerabilities:
            1. RowHammer: repeat write to same address in RAM, then, retrieve data from address nearby;
        3. Exploit: a program that attempts to take advantage of a vulnerability
        4. Social Engineering:
          1. pretexting
          2. tailgating
          3. Something for Something (Quid pro quo)
        5. Wifi password cracking
          1. social engineering / brute force attacks / network sniffing
        6. Phishing and spear phishing
        7. DoS (quantity and error packets) & DDoS
        8. SEO poisoning: attackers push malicious/fake websites higher in search rankings in order to redirect traffic to them;
      3. Ch3 – Protecting your data and privacy
        1. Keep Firewall on;
        2. Use Antivirus and Anti-Spyware;
        3. Manage OS and browsers;
        4. Protect all your devices; especially IoT (better with isolated network);
        5. don’t use one password for all online account
        6. Use passphrases instead of passwords;
        7. Use password manager to store password master;
        8. Encryption: converting into a form that unauthorized one cannot read;
        9. Backup data on external disks or cloud-based storage; is the data erased at cloud-based after your deletion?
        10. Two factor authentication: least protection, but may be compromised by techniques such as social engineering;
        11. OAuth 2.0:
          1. access web app with your social media account (eg. Facebook);
          2. the web app must first be registered with Facebook;
          3. You log in to the web app with Facebook: the web app sends a token to Facebook, then Facebook sends back a secret token that allows you to log in to the web app, and the app never sees your credentials;
      4. Ch4 – Protecting the organization
        1. firewall: control and filter communication in and out;
          1. type: host based, network based, proxy, reverse proxy, network layer, transport layer, application layer, NAT, context aware;
        2. port scanning response: open / accept, closed / denied; dropped / filter;
        3. Security appliances: routers, firewalls, VPN, AMP, IPS
        4. Security best practices:
          1. perform risk assessment
          2. create security policy
          3. physical security measures
          4. HR security measures
          5. Perform and test backups
          6. Maintain security updates
          7. Employ access controls
          8. Regularly test incident response
          9. Implement a network monitoring, analytics and management tool;
          10. Implement network security devices;
          11. Use a comprehensive Enterprise Endpoint security solution: enterprise level anti-malware and antivirus software;
          12. Educate users
          13. Encrypt data
        5. Cyber kill chain
        6. Behavior-based security: context and patterns of behavior which could be used to detect anomalies; (eg. Netflow)
          1. honeypots & Cisco Cyber Threat Defense Solution Architecture
        7. Cisco Netflow technology – gather information of data flow in network; included in switch / router…;
        8. CSIRT – Computer Security Incident Response Team
        9. A Security Playbook – collection of repeated queries (report)
        10. Tools for Incident detection and prevention
          1. SIEM – Security Information and Event Management: collects and analyzes security alerts/logs;
          2. DLP – Data Loss Prevention software;
          3. Cisco ISE and TrustSec
        11. IDS – copy and mirror traffic for analysis to avoid traffic delay;
        12. IPS – open source as Snort
      5. Ch5 – Will your future be in Cybersecurity?
    2. SECFND
      1. Section1 – Understanding the TCP/IP Protocol Suite
        1. 1.1 Introduction
        2. 1.2 OSI Model
        3. 1.3 TCP/IP Model
        4. 1.4 Intro to the Internet Protocol:
          1. connectionless protocol (not guarantee delivery and recovery);
          2. IP header: 192 bits / 24 bytes
          3. Max. size of an IP packet: 65,535 Bytes ~ 64MB
          4. 4 bytes in header for Time to live to decrement in each node to prevent routing loop;
          5. IP address – Logical address; MAC address – Physical address;
        5. 1.5 IP Addressing: network address / host address / subnet mask
        6. 1.6 IP address classes
          1. Class A: 1-126
          2. Class B: 128-191; 65,534 hosts / network
          3. Class C: 192-223; 254 hosts / network
        7. Reserved IP addresses
          1. Network address, eg. 192.168.1.0
          2. Direct broadcast address, eg. 10.255.255.255
          3. Local broadcast address (never routed outside), eg. 255.255.255.255
          4. Local loopback address: 127.x.x.x
          5. Autoconfiguration IP addresses: DHCP / static IP
        8. Public and Private IP: in 3 classes and NAT;
        9. IPv6 addresses:
          1. headers
          2. 128 -bit value for IPv6 address;
          3. IPv6 address format: 16-bit hexadecimal field;
          4. Leading zeros for :: ;
          5. Unicast: one to one communication
          6. Multicast: one to many communication: FF01::1
          7. Loopback: ::1
          8. Unspecified (default route): ::
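Worked example for sections 1.5 to 1.9 (classes, reserved addresses, private ranges, IPv6 shortening). This is an added illustration written for these notes, not Cisco course material; it uses only the Python standard library `ipaddress` module, and the class boundaries are the classful ranges listed above.

```python
import ipaddress

# RFC 1918 private ranges (the three classful private blocks the notes refer to).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def address_class(ip: str) -> str:
    """Classful class from the first octet: A 1-126, B 128-191, C 192-223."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first == 0:
        return "reserved (this network)"
    if first <= 126:
        return "A"
    if first == 127:
        return "loopback"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    if first <= 239:
        return "D (multicast)"
    return "E (reserved)"


def describe(ip: str, mask: str) -> dict:
    """Split an address/mask pair into its network, broadcast and host facts."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    net = iface.network
    return {
        "class": address_class(ip),
        "private": any(iface.ip in block for block in PRIVATE_RANGES),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),   # minus network and broadcast
        "is_network_address": iface.ip == net.network_address,
        "is_broadcast": iface.ip == net.broadcast_address,
        "is_loopback": iface.ip.is_loopback,
    }


def compress_ipv6(address: str) -> str:
    """Apply the IPv6 shortening rules: drop leading zeros, fold one run of zero fields into ::."""
    return ipaddress.IPv6Address(address).compressed


def ipv6_kind(address: str) -> str:
    """Classify the IPv6 addresses the notes list: unspecified (::), loopback (::1), multicast (FF..), unicast."""
    addr = ipaddress.IPv6Address(address)
    if addr.is_unspecified:
        return "unspecified"
    if addr.is_loopback:
        return "loopback"
    if addr.is_multicast:
        return "multicast"
    return "unicast"
```

Calling `describe("172.16.5.4", "255.255.0.0")` gives class B with 65,534 usable hosts, matching the per-network host counts above.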
        10. Intro to the TCP:
          1. Layer 4, IP protocol No. 6; connection-oriented (reliable); full-duplex mode;
          2. TCP headers
            1. Window field: number of octets that the device is willing to accept;
        11. TCP three-way handshake (SYN & ACK bits in headers)
          1. Syn; Syn,Ack; Ack
          2. ISN: both senders and receivers generate sequence no.
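Worked example for 1.4, 1.10 and 1.11: a minimal decoder for the fixed IPv4 and TCP headers (TTL, protocol number 6, SYN/ACK bits, window field) run over a constructed SYN / SYN-ACK / ACK exchange. Added for these notes, not from the course; the packet bytes, addresses and port numbers are built inline and are not a real capture.

```python
import struct
from dataclasses import dataclass

# TCP control bits (low bits of the 16-bit data-offset/flags field).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
IP_PROTO_TCP = 6


@dataclass
class IPv4Header:
    version: int
    header_length: int   # bytes (IHL * 4); minimum 20
    total_length: int
    ttl: int             # decremented at every router; packet dropped at zero
    protocol: int
    src: str
    dst: str


@dataclass
class TCPHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: list
    window: int          # octets the sender is willing to accept


def parse_ipv4(data: bytes):
    """Decode the fixed 20-byte IPv4 header and return it with the remaining payload."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or header_len < 20 or len(data) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    hdr = IPv4Header(version, header_len, total_len, ttl, proto,
                     ".".join(map(str, src)), ".".join(map(str, dst)))
    return hdr, data[header_len:]


def parse_tcp(data: bytes):
    """Decode the fixed 20-byte TCP header; options, if any, are skipped via the data offset."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_flags, window,
     _checksum, _urgent) = struct.unpack("!HHIIHHHH", data[:20])
    offset = (off_flags >> 12) * 4
    if offset < 20 or len(data) < offset:
        raise ValueError("bad TCP data offset")
    flags = [name for name, bit in TCP_FLAGS.items() if off_flags & bit]
    return TCPHeader(sport, dport, seq, ack, flags, window), data[offset:]


def build_segment(flags: list, seq: int, ack: int, ttl: int = 64, window: int = 65535) -> bytes:
    """Constructed sample packet (not a capture): 192.168.1.10:51234 -> 10.10.4.20:80."""
    flag_bits = sum(TCP_FLAGS[f] for f in flags)
    tcp = struct.pack("!HHIIHHHH", 51234, 80, seq, ack, (5 << 12) | flag_bits, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, IP_PROTO_TCP, 0,
                     bytes([192, 168, 1, 10]), bytes([10, 10, 4, 20]))
    return ip + tcp


def handshake_step(tcp: TCPHeader) -> str:
    """Name the three-way-handshake step a segment belongs to, from its SYN/ACK bits."""
    present = set(tcp.flags)
    if present == {"SYN"}:
        return "1: SYN"
    if present == {"SYN", "ACK"}:
        return "2: SYN-ACK"
    if present == {"ACK"}:
        return "3: ACK"
    return "other"
```

Each side picks its own ISN: in the sample exchange the client starts at seq 1000, the server answers with its own seq 5000 and ack 1001, and the final ACK carries ack 5001.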
        12. Intro to the UDP
          1. IP protocol no. 17; connectionless protocol
          2. TFTP / SNMP / DNS / NTP
        13. TCP and UDP ports
          1. well known port (1-1023); registered port (1024-49151); ephemeral ports (49152-65535);
        14. Address Resolution Protocol
          1. ARP: maps IP addresses to MAC addresses;
          2. 48 bit physical MAC address;
          3. operate at layer 2 and layer 3;
          4. Command: arp -a
          5. ARP messages are sent using Ethertype 0x0806;
        15. Host-to-host packet delivery using TCP
          1. ARP table
          2. ARP broadcast with FFFF:FFFF:FFFF
        16. Dynamic Host Configuration Protocol (UDP ports 67 & 68)
          1. DHCP attacks: Insertion of rogue DHCP servers (man-in-the-middle attack) & DHCP starvation;
          2. DHCP 4 steps (4 messages exchanged)
            1. DHCPDISCOVER
            2. DHCPOFFER
            3. DHCPREQUEST
            4. DHCPACK
        17. Domain Name System
          1. TCP and UDP 53
          2. Attacks: redirect to malicious system and DDoS;
        18. Internet Control Message Protocol
          1. ping utility sends ICMP echo request and receives ICMP echo reply packets;
          2. 4 types of message
            1. Network-unreachable
            2. Host-unreachable
            3. Protocol-unreachable
            4. Port-unreachable
          3. “ICMP time-exceeded” message is sent by the router if an IP packet’s TTL field reaches zero
        19. Packet Capture Using tcpdump
          1. SPAN in switch
          2. In Linux: tcpdump --help
          3. “promiscuous mode” at network card to capture traffic;
        20. Wireshark
          1. use proprietary syntax option to display filter; tcpdump uses BPF;
        21. Lab
          1. Examine ARP and ICMP packets;
            1. Kali Linux: ifconfig; cat /etc/resolv.conf; netstat -r;
            2. Command to check MAC table: arp -a
            3. Two packets for ARP exchange (for source); Two packets for ARP exchange (for destination); 8 ICMP packets (4 echo request-echo reply pairs);
          2. Examine Ethernet headers
            1. Types in Ethernet header: pointer from this layer to the next layer. In today’s networking environments, three ethertypes are the most common: 0x0800 for IPv4, 0x86DD for IPv6, and 0x0806 for ARP;
            2. Validation of the frame check sequence is often offloaded to the NIC hardware, which validates and strips the frame check sequence before forwarding the frame up; Wireshark is not aware of the hardware offload and therefore flags it as an error;
          3. Examine IP header
          4. Examine ICMP header and data
            1. DNS queries for AAAA records which map hostnames to IPv6 addresses;
          5. Examine TCP connection
            1. Right click packet and select “Follow” in WireShark;
            2. Statistics > Conversations > TCP tab
      2. Section2
        1. Network infrastructures: interconnected group of hardware and software resource;
        2. Analyzing DHCP operations DORA (UDP 67 at server; UDP 68 at client)
          1. DHCPDISCOVER (broadcast)
          2. DHCPOFFER (unicast)
          3. DHCPREQUEST (broadcast)
          4. DHCPACK (unicast)
        3. IP Subnetting (subnets connected by routers)
          1. easier management and better security;
          2. subnet mask
          3. VLSM (variable Length Subnet Masks): hierarchical networking, divide networks into subnetworks…
        4. Hubs, bridges, and layer 2 switches
          1. Hub: multiport repeater; single broadcast domain; single collision domain; OSI physical layer; half-duplex
          2. bridge: OSI datalink layer; limited ports
          3. Layer 2 switch: OSI datalink layer; multi-port bridges
            1. Linux attack tool called macof
            2. floods the switch MAC address table (like a DoS attack); then captures the flooded frames to obtain sensitive info;
        5. VLANs and Trunks
          1. VLAN: logical broadcast domain (layer 2) that can span multiple physical LAN segments; segmented logically by functions, project teams, and applications;  interconnect two different VLANs, you must use routers or Layer 3 switches;
          2. Trunks:  a conduit for VLANs between switches and routers to connect multiple VLANs together; does not belong to a specific VLAN;
            1. IEEE 802.1Q: 4-byte tagging field into the original Ethernet frame
            2. By default, one native VLAN, which is untagged (by default, VLAN 1)
        6. Spanning Tree Protocols (STP) in switch (IEEE 802.1D)
          1. Layer 2; locates and stops Loops;
          2. root bridge elected by STP;
        7. Standalone (Autonomous) and Lightweight Access Points
          1. 2 solutions: standalone or controller-based
            1. Standalone:
              1. configure autonomous APs one by one; BSS (Basic Service Set); BSSID (Basic Service Set Identifier, unique, based on the AP’s MAC address); SSID (human-readable text string);
              2. for small deployments;
            2. Controller-based
              1. configure LWAPs (Light Weight Access Point – config. is done by central WLC) by WLAN controllers;
              2. CAPWAP (Control and Provisioning of Wireless Access Point): WLC and LWAP could be on different IP subnets, encapsulating the data between the LWAP and WLC;
              3. Light weight AP interacts clients at MAC layer;
          2. RF frequency
          3. WLAN controller & Light weight AP
        8. Routers (routing table)
          1. Functions
            1. path determination with administrative distance by routing protocols;
            2. packet forwarding between subnets;
          2. Types of routes
            1. default route (gateway);
            2. directly connected networks;
            3. static routes: for small network configurations;
            4. Dynamic routes
              1. IGP (eg. RIP…)
              2. EGP (eg. BGP…)
        9. Routing Protocols:
          1. Objective: exchange network reachability information between routers and dynamically adapt to network changes;
          2. Best Practices:
            1. use one IP routing protocol throughout the enterprise;
            2. when two IP routing protocols are used, it is normally BGP together with OSPF/EIGRP;
          3. Grouping
            1. Within or between ASs: IGP (Interior Gateway Protocols) / EGP;
            2. How they operate:
              1. Distance Vector Protocols (EIGRP & RIPv2): distance and direction
              2. Link-state Protocols (OSPF & IS-IS): determine best path by SPF;
              3. Path Vector Protocols (BGP): path and direction
        10. Multilayer Switches (Layer 3 switches)
          1. use ASIC (application-specific integrated circuit) hardware to perform header rewrites and forwarding; SVI;
          2. CAM (content-addressable memory) table (L2 forwarding table)
          3. FIB (forwarding information base) table, L3 forwarding table;
          4. TCAM table contains ACLs; QoS decision;
        11. NAT Fundamentals
          1. NAT: Inside local (RFC 1918), inside global, outside local, outside global;
          2. PAT
          3. types:
            1. static NAT (eg. DMZ)
            2. dynamic NAT
            3. static PAT (NAT overload, Hide NAT and Many to One NAT)
            4. dynamic PAT (port forwarding)
            5. Policy NAT
        12. Packet Filtering with ACLs
          1. ip access-group command
          2. explicitly denied (listed); implicitly denied (not listed);
        13. ACLs with the Established Option (stateful behavior)
          1. established keyword (originate state): eg. ACK or RST;
          2. established does not imply stateful inspection (established lets an ACK scan (TCP ACK/TCP RST) through, while a stateful packet filter will drop the packet);
          3. FTP active / passive mode
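Worked example for items 12 and 13 (and the implicit deny in the Challenge): a small ACL evaluator with the `established` keyword next to a minimal stateful filter, fed the same inbound packets. Added for these notes, not Cisco code; the ACL, the inside network 10.10.0.0/16 and the packets are constructed. It shows the point made above: `established` only tests the ACK/RST bits of each packet, so an unsolicited ACK probe passes the ACL but is dropped by the stateful filter, which has no matching session.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass
class Packet:
    proto: str                            # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP control bits present


@dataclass
class Ace:
    """One access-control entry, e.g. `permit tcp any 10.10.0.0 0.0.255.255 established`."""
    action: str                           # "permit" or "deny"
    proto: str                            # "tcp", "udp" or "ip" (any protocol)
    src_net: str                          # CIDR or "any"
    dst_net: str
    dport: Optional[int] = None
    established: bool = False


def in_net(ip: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (in_net(pkt.src, ace.src_net) and in_net(pkt.dst, ace.dst_net)):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    # `established` looks only at the ACK/RST bits of this one packet; it keeps no state.
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate_acl(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; anything not listed hits the implicit `deny ip any any`."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


class StatefulFilter:
    """Minimal stateful filter: only replies to sessions opened from inside are allowed back in."""

    def __init__(self):
        self.sessions = set()

    def outbound(self, pkt: Packet) -> None:
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt: Packet) -> str:
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if reply_of in self.sessions else "deny"


# Inbound ACL on the outside interface, protecting the constructed inside net 10.10.0.0/16.
INBOUND_ACL = [
    Ace("permit", "tcp", "any", "10.10.0.0/16", established=True),   # return traffic
    Ace("permit", "tcp", "any", "10.10.6.10/32", dport=80),           # public web server
]


def compare_filters(pkt: Packet, fw: StatefulFilter) -> dict:
    """Decision of the `established` ACL beside the stateful filter for one inbound packet."""
    return {"acl": evaluate_acl(INBOUND_ACL, pkt), "stateful": fw.inbound(pkt)}
```

An inbound ACK-only segment to an inside host on port 22 gets `{"acl": "permit", "stateful": "deny"}`; a genuine SYN-ACK reply to a connection the inside host opened is permitted by both.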
        14. Explore the Network infrastructure (Cisco IOS CLI: switches, routers, firewalls, NAT, DHCP)
          1. sh int status / show interface status
          2. sh mac address-table dynamic
          3. tcpdump on Linux: tcpdump -n not stp and not ether proto 0x9000
          4. (config-if)switchport access vlan 3
          5. (config-if)switchport trunk
          6. Win cmd > ncpa.cpl
          7. sh ip ospf neighbor
          8. sh ip route
          9. sh ip arp
          10. nmap 10.10.4.20 on Linux for port scanning (Nmap doesn’t actually complete the three-way handshake when it scans; it resets (RST) the connection before it completes)
          11. DHCP packets in Wireshark: View > Filter > bootp
          12. firewall session logs provide the standard 5-tuple Protocol, IP Address:Port, IP Address:Port
        15. Challenge
          1. Concepts: Switches place each switch port into its own collision domain; while VLANs separate a large broadcast domain into smaller broadcast domains;
          2. link-state protocols = Each router determines the best path on its own;
          3. distance-vector protocols = does not have an actual map of the network topology;
          4. implicit ACL entry at the end of the ACL: “deny ip any any”
      3. Section 3 – Understanding Common TCP/IP attacks
        1. Legacy TCP/IP vulnerabilities
          1. Morris Worm 1988, gauge the size of ARPANET;
          2. Main protocols in IP suites (IP, TCP, UDP, ICMP);
        2. IP vulnerabilities
          1. Man-in-the-middle attack (MITM): key: wait until the connection is established
          2. Session hijacking (eg. sniffing session cookies) (initiated by MITM)
          3. IP address spoofing (gratuitous ARP claiming “I am someone else”)
            1. blind and nonblind (includes ISN sequence number prediction/guessing)
          4. DoS (faked IP with TCP SYN) and DDoS (initiated by blind IP spoofing, multiple sources): prevent legitimate users from accessing information or services
            1. Such as packet floods, service buffer overflow, teardrop;
          5. Smurf attack: ping
          6. Resource exhaustion attacks:
        3. ICMP vulnerabilities (connectionless protocol that does not use any port number and works in the network layer)
          1. reachability (ping / traceroute (ICMP TTL expired in transit))
          2. ICMP query and error
          3. Attacks
            1. ICMP sweep attacks / network reconnaissance: scanning the target network to gather information about the target (an attack begins with reconnaissance, eg. with nmap)
            2. Traceroute (attacker sends packets with increasing TTL to learn topology)
              1. ICMP unreachables
              2. ICMP mask reply
              3. ICMP redirects (example of MITM)
              4. ICMP router discovery
              5. Firewalk attack
                1. techniques to analyze IP packet responses to determine the gateway ACL filters and map out the networks;
                2. sending out TCP or UDP packets with a TTL that is one greater than the targeted gateway;
            3. ICMP tunneling (ICMPTX)
              1. covert connection between two computers;
              2. LOKI could transfer message secretly by ICMP protocols; and could not be discovered with deep inspection;
            4. Inverse mapping attacks
            5. ICMP-based OS fingerprinting attacks
              1. TTL-128 is Windows; TTL-64 is Linux;
            6. DDoS
              1. flood target network services with spoofed ICMP echo request;
              2. Smurf attack: trigger ICMP echo replies in volume by spoofed ICMP requests to bring down target’s resources;
            7. ICMP informational message attacks
            8. ICMP router discovery message attacks
        4. TCP vulnerabilities (TCP: flow control, reliability, stateful connection)
          1. TCP SYN Flood
          2. TCP Session Hijacking
            1. Tools: Juggernaut, Hunt, TTY Watcher, T-Sight;
          3. TCP Reset Attack
            1. FIN > ACK > FIN > ACK
            2. an effective way to disrupt any TCP connection that an attacker can monitor;
            3. an established connection is affected;
        5. UDP vulnerabilities
          1. less overhead as connectionless and no reliability
          2. UDP header, SNMP, SQL Slammer;
        6. Attack surface and attack vectors
          1. Attack surface: sum of all the vulnerabilities in a given computing device or network that are accessible to the attackers
            1. network: open ports, insecure protocols, users for admin, low bandwidth;
            2. software: improper coding, privacy, patch mgt;
            3. physical: internal employees, rogue devices, social engineering, passwords on sticky notes, phishing
          2. attacks are unstoppable;
          3. focus on high risk / high impact areas; analysis of attack surface; advanced techniques and technologies;
          4. Attack vectors: paths or means by which the attackers gain access to a resource (such as end-user hosts or servers) in order to deliver malicious software or malicious outcome
            1. eg. SQL injection, DDoS, phishing, eavesdropping, malware injection
          5. Prevention
            1. honeypots, load balancers, advanced firewall protection, updated Antivirus, security policy enforcement, education, SIEM tools;
        7. Reconnaissance attacks
          1. learn more about the intended victim before attempting a more intrusive attack;
          2. techniques: wardriving; port scanning; password guessing;
          3. tools: nmap, Paratrace, OpenVAS, Nessus;
          4. Port scanning
          5. End user: properly trained;
          6. App: vetted by IT,
          7. Types:
            1. passive: Wireshark, keyloggers;
            2. active: Nmap, Nessus, OpenVAS;
          8. Mitigating by:
            1. tight security controls;
            2. SSH
            3. Obscure device names;
            4. strong encryption;
            5. VLANS and Private VLANs (promiscuous port)
            6. IDS / IPS;
            7. NAT / PAT;
          9. Shodan Search Engine
        8. Access attacks
          1. technique of accessing network / user devices and take control of them;
          2. Tools:
            1. Ncrack
            2. Aircrack-ng
            3. CeWL
            4. Crunch
            5. Medusa
            6. RainbowCrack
            7. John the Ripper: unshadow password file
          3. prevention:
            1. filter by ACLs
            2. Multifactor authentication when possible
              1. SMS
            3. WPA2 for wifi
            4. IDS/IPS
            5. Enforce AAA identity management (CISCO ISE)
        9. Man-in-the-middle attacks (eavesdropping attacks or connection hijacking attacks)
          1. clear text communication: telnet, HTTP;
          2. Tools: Ettercap, dsniff;
          3. ARP-based by ARP poisoning: poisons the ARP cache of two devices with the MAC address of the attacker’s NIC
          4. ICMP-based by ICMP redirection
          5. DNS-based by DNS spoofing
          6. DHCP-based
          7. Prevention:
            1. VPN: encrypted traffic
            2. Digital certificates
            3. Strong passwords
            4. Dynamic ARP inspection
            5. IP spoofing detection
            6. DHCP snooping
        10. DoS and DDoS
          1. Ping of Death (history): full packet size > 64MB;
          2. ICMP / UDP floods: flood out a network
          3. Botnet: CnC traffic is sent using IRC, P2P, DNS, HTTP, or HTTPS
          4. DDoS Trends
            1. Use of cloud-based computing devices
            2. DarkSeoul
            3. Ransomware
            4. Cryptolocker
          5. Prevention
        11. Reflection and Amplification (type of DoS attack)
          1. others become reflectors / responders and flood targets
          2. Smurf attack
          3. mitigation
            1. no ip directed broadcast
          4. not a real attack method anymore
          5. March 2013, DNS amplification: killed websites, exploiting DNS open recursive resolvers; 300Gbps of traffic;
          6. Feb 2014, NTP Amplification attack: 400Gbps of traffic; monlist in NTP;
        12. Spoofing attacks (spoofing is not attack, but incorporated into various types of attacks)
          1. ARP spoofing
          2. Mitigation
            1. snort
            2. ARPwatch
            3. Dynamic ARP Inspection
          3. IP spoofing
            1. mitigation
              1. ACL over private IP
          4. DNS spoofing: guess the sequence number
            1. mitigation: DNSSEC and add digital certificates
          5. Email spoofing
            1. lacks of authentication features in SMTP protocol
            2. Mitigation
              1. spam filtering
              2. cross check email header from
              3. Do not click unknown sources
              4. digital certificates, strong passwords, signatures
          6. Land attack: file land.c
            1. sends a TCP SYN request using the same IP address and port as both the source and destination IP address and port, leads to a system crash if vulnerable;
        13. DHCP attacks
          1. DHCP starvation
          2. DHCP spoofing (lead MITM attack)
          3. Mitigation
            1. DHCP snooping by Cisco switch (rate limit and port control)
        14. Lab: Explore TCP/IP attacks
          1. footprinting techniques: profiling target and difficult to detect
            1. whois -H cisco.com | more command: the -H argument removes lengthy legal disclaimers from the output;
            2. nslookup
            3. http://www.netcraft.com  track information about public Internet presence
              1. What’s that site running? http://www.chunyip.com
            4. Google hacking: “classified” filetype:pdf site:targetorganization.domain
          2. Fingerprinting (scanning to clearer picture)
            1. slowing the rates of scanning and use other obfuscation techniques to limit attention;
            2. Zenmap Ping Scan: two types of probes – an ICMP echo request and crafted TCP ACK destined to TCP port 80. (https://nmap.org/zenmap/)
            3. Zenmap Quick Scan: list of opened ports
            4. Zenmap Intense Scan: noisy but could recognize app version
          3. Discrete OS Scanning
            1. TTL: IOS/255, Windows/128, Linux/255;
            2. Window size value
          4. Passive OS Fingerprinting (packet capture)
            1. reveal TTL values and initial TCP window sizes;
            2. Linux patches: IP Personality and Stealth Patch;
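Worked example for items 3 and 4 (TTL and window size as passive fingerprint data), written from the defender's side: given captured (source, TTL, window) records, infer the initial TTL and hop distance, and flag source addresses whose packets imply several different hop distances, which is what spoofed traffic from many real origins looks like. Added for these notes, not from the lab; the TTL table is the coarse one the notes give and the records are constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Initial TTL values as the notes list them (coarse: real stacks differ and can be tuned).
INITIAL_TTLS = {64: "Linux", 128: "Windows", 255: "Cisco IOS"}


def infer_initial_ttl(observed_ttl: int) -> int:
    """Round the observed TTL up to the nearest well-known initial value."""
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL must be 1..255")
    return min(initial for initial in INITIAL_TTLS if observed_ttl <= initial)


def fingerprint(observed_ttl: int, window: int) -> Dict[str, object]:
    """OS guess plus the number of routers the packet has crossed."""
    initial = infer_initial_ttl(observed_ttl)
    return {"os_guess": INITIAL_TTLS[initial], "initial_ttl": initial,
            "hops": initial - observed_ttl, "window": window}


def inconsistent_sources(records: Iterable[Tuple[str, int, int]]) -> List[str]:
    """Source IPs whose packets imply different initial TTLs or hop distances.

    A genuine host sits a fixed number of hops away, so its packets share one
    (initial_ttl, hops) pair; several different pairs for one source address
    is a sign the address is being spoofed from more than one real origin."""
    seen = defaultdict(set)
    for src, ttl, window in records:
        fp = fingerprint(ttl, window)
        seen[src].add((fp["initial_ttl"], fp["hops"]))
    return sorted(src for src, pairs in seen.items() if len(pairs) > 1)


# Constructed sample records (src, ttl, window); not taken from the lab capture.
SAMPLE_CAPTURE = [
    ("10.10.6.10", 62, 29200), ("10.10.6.10", 62, 29200),
    ("10.10.6.20", 126, 8192),
    ("198.51.100.7", 57, 5840), ("198.51.100.7", 113, 65535), ("198.51.100.7", 241, 4096),
]
```

On the sample records only 198.51.100.7 is flagged: its three packets decode to 7, 15 and 14 hops from three different initial TTLs.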
          5. Malicious Route Injection (work with other attacks)
            1. Loki is a security tool that was written to demonstrate weaknesses in routing protocols
            2. loki.py: Loki negotiates with the Inside-Rtr, you should see the STATE start in Hello and cycle through 2WAY, EXSTART, EXCHANGE, and LOADING. It might also reach FULL after LOADING
            3. sh ip ospf neighbor
            4. sh ip route
          6. ARP Cache Poisoning
            1. Objective: MITM attack
            2. Tool dsniff suite;
            3. command: arp -a
            4. Linux cmd: arpspoof -t 10.10.6.10 10.10.6.1
            5. dsniff -c command to start dsniff in half-duplex mode, monitoring the traffic being sent through;
            6. sysctl -w net.ipv4.ip_forward=1 command to enable IP forwarding on Inside-Kali
            7. fingerprinting on the gateway and saw that Telnet was enabled – Interesting for interception!
        15. Challenge: smurf
      4. Understanding Basic Cryptography Concepts
        1. Intro: Conficker, CIA triad
        2. Impact of Cryptography on Security Investigations
          1. attack the algorithms: target weakness
            1. eg. OpenSSL Heartbleed (CVE-2014-0160): get private data in server memory;
          2. to hide attack;
            1. Detection: TLS/SSL decryption and inspection, or using NetFlow to detect anomalous TLS/SSL flows;
        3. Cryptography Overviews
          1. Elements of cryptography (CDON)
            1. Confidentiality: only authorized ones can read;
            2. Data integrity: any changes will be detected and rejected;
            3. Origin authentication: only sent from the perceived origin;
            4. Non-repudiation: original cannot deny producing the message;
          2. Cryptanalysis: study of determining and exploiting weakness
          3. Types of Ciphers
            1. Substitution cipher: substitute one letter for another;
            2. Polyalphabetic cipher: multiple substitution alphabets;
            3. Transposition cipher: rearrange or permutate letters;
            4. One-time pad: XOR operation to plaintext with a random key;
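Worked example for the four cipher types above: a Caesar substitution, a Vigenère polyalphabetic substitution, a columnar transposition, and an XOR one-time pad, including the failure mode of reusing a pad (XOR of two ciphertexts cancels the pad and leaves plaintext1 XOR plaintext2). Added for these notes, not course material; the messages are constructed.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase


def substitution_encrypt(text: str, shift: int) -> str:
    """Monoalphabetic (Caesar-style) substitution: every letter shifts by the same amount."""
    out = []
    for ch in text.upper():
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch)
    return "".join(out)


def substitution_decrypt(text: str, shift: int) -> str:
    return substitution_encrypt(text, -shift)


def vigenere_encrypt(text: str, key: str) -> str:
    """Polyalphabetic substitution: the shift cycles through the key letters."""
    shifts = [ALPHABET.index(k) for k in key.upper()]
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shifts[i % len(shifts)]) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_decrypt(text: str, key: str) -> str:
    inverse = "".join(ALPHABET[(-ALPHABET.index(k)) % 26] for k in key.upper())
    return vigenere_encrypt(text, inverse)


def transposition_encrypt(text: str, cols: int) -> str:
    """Columnar transposition: letters are only rearranged, never replaced."""
    text = text.upper().replace(" ", "")
    text += "X" * ((-len(text)) % cols)          # pad to a full rectangle
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    return "".join(row[c] for c in range(cols) for row in rows)


def transposition_decrypt(cipher: str, cols: int) -> str:
    nrows = len(cipher) // cols
    columns = [cipher[c * nrows:(c + 1) * nrows] for c in range(cols)]
    return "".join(columns[c][r] for r in range(nrows) for c in range(cols))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fresh_pad(length: int) -> bytes:
    """A one-time pad must be truly random, as long as the message, and never reused."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message: this is no longer a one-time pad")
    return xor_bytes(plaintext, pad)


otp_decrypt = otp_encrypt   # XOR is its own inverse


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If two messages share a pad, XORing the ciphertexts cancels the pad and
    leaves plaintext1 XOR plaintext2, which is why reuse breaks the scheme."""
    return xor_bytes(c1, c2)
```

The transposition keeps its padding on decryption (the trailing X characters), which is why real schemes carry a length or use an unambiguous padding rule.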
        4. Hash Algorithms
          1. data integrity assurance: one-way mathematical function, difficult to reverse; defeats man-in-the-middle attacks and provides authentication of the data origin;
          2. hash code, hash value, hash sum;
          3. Challenge:
            1. Hash collision: identical output for different inputs;
          4. Message Digests
          5. Types:
            1. MD5 (Message Digest 5): 128-bit hash function, most susceptible to collision attacks;
            2. SHA-1 (Secure Hash Algorithm 1): US developed, NIST std, 160 bit hash function
            3. SHA-2:
            4. SHA-3
            5. Message rearranging
            6. Division remainder
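Worked example for item 4 (hash algorithms): digests with MD5, SHA-1 and SHA-256 via the standard library, the output sizes listed above, an integrity check that fails on a single flipped bit, and a keyed hash (HMAC-SHA256) beside the plain hash. The keyed form is what gives the origin-authentication property mentioned above: a man in the middle can recompute a bare hash over an altered message, but cannot produce the HMAC tag without the key. Added for these notes, not course code; the key and messages are constructed.

```python
import hashlib
import hmac


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """One-way fingerprint of the data; any change to the input changes the output."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_bits(algorithm: str) -> int:
    """Output length in bits (MD5 128, SHA-1 160, SHA-256 256, ...)."""
    return hashlib.new(algorithm).digest_size * 8


def verify_integrity(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    return hmac.compare_digest(digest(data, algorithm), expected_hex)


def flip_one_bit(data: bytes) -> bytes:
    return bytes([data[0] ^ 0x01]) + data[1:]


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only holders of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest avoids leaking where the comparison failed through timing
    return hmac.compare_digest(hmac_tag(key, data), tag)


def in_transit_tamper_demo(key: bytes, message: bytes) -> dict:
    """Why a bare hash does not authenticate origin: the man in the middle recomputes it
    for the altered message, but cannot forge the keyed tag without the key."""
    altered = message + b" and transfer 1000 to account 99"
    return {
        "plain_hash_still_verifies": verify_integrity(altered, digest(altered)),
        "hmac_forged_without_key": verify_hmac(key, altered, hmac_tag(b"guess", altered)),
        "hmac_genuine_verifies": verify_hmac(key, message, hmac_tag(key, message)),
    }
```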
        5. Encryption Overview: process of hiding message
          1. Plaintext > Ciphertext;
          2. Encryption key & Encryption Algorithm;
          3. Types of Encryption
            1. Application – PGP (Pretty Good Privacy), SSL/TLS
            2. Internet – IPSec
            3. Data Link – MACsec
          4. Encryption Algorithms
            1. longer keys take longer to crack, but performance overhead;
            2. Symmetric
            3. Asymmetric: public key and private key
        6. Cryptanalysis: practice of breaking the codes
          1. Brute-force attack: trying as many possible keys
            1. DES (cracked), AES
          2. Ciphertext-only attack: look into ciphertext to decrypt
            1. plain-text attack:
            2. chosen-ciphertext attack: analyze keys
          3. Birthday attack: brute-force attack against hash functions;
          4. Meet-in-the-middle: knows a portion of the plaintext and the corresponding ciphertext. store values of encrypted plaintext and decrypted ciphertext;
        7. Symmetric Encryption Algorithms
          1. same key for encryption and decryption;
            1. 40 bits to 256 bits, better larger than 80 bits;
          2. Challenge: key management
          3. Symmetric encryption algorithms
            1. DES: encrypts data in 64-bit blocks; with 64 bits key length in which 56 bits for encryption and 8 bits for parity;
              1. 2 standardized block cipher modes:
                1. ECB (Electronic Codebook): serially encrypts each block;
                2. CBC (Cipher Block Chaining): each block is XORed with the previous ciphertext block, so every block depends on the previous one;
            2. 3DES – EDE (Encrypt – Decrypt – Encrypt)
            3. AES: replaces 3DES
            4. RC4: stream cipher used to secure web traffic in SSL and TLS
          4. Rotate keys often
        8. Asymmetric Encryption Algorithms
          1. Encrypt with the target public key;
          2. Decrypt with the private key;
          3. RSA (1024-4096 keys)
          4. rotate keys every few months
          5. PGP (Pretty Good Privacy)
            1. encrypt with private key
            2. then, encrypt with public key
        9. Diffie-Hellman Key Agreement (in protocols such as SSL/TLS, SSH, and IKE);
          1. both agree on large prime number p and a generator g;
          2. Allowing the exchange of shared secrets over public medium without revealing the key;
          3. DH groups: higher group numbers are more secure;
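Worked example for item 9: both parties agree on p and g, each keeps a private exponent, and only g^x mod p crosses the public medium, yet both end up with the same secret. Added for these notes, not course code. Assumptions: the default modulus is the Mersenne prime 2^127 - 1 with generator 3, chosen only so the arithmetic runs offline; real deployments use the standardized DH groups the notes mention, never ad hoc parameters. The `Party` class and `run_exchange` names are mine.

```python
import hashlib
import secrets

# Toy parameters so the arithmetic is visible; NOT a standardized DH group.
P = 2 ** 127 - 1
G = 3


class Party:
    """One side of the exchange; keeps the private exponent, publishes g^x mod p."""

    def __init__(self, p: int = P, g: int = G, private: int = None):
        self.p, self.g = p, g
        self.private = private if private is not None else secrets.randbelow(p - 2) + 1
        self.public = pow(g, self.private, p)

    def shared_secret(self, peer_public: int) -> int:
        # Reject degenerate public values (0, 1, p-1) that would force a trivial secret.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, self.p)


def derive_session_key(shared_secret: int, p: int = P) -> bytes:
    """Hash the agreed number into a fixed-size symmetric key (never use the raw value)."""
    length = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(length, "big")).digest()


def run_exchange(alice: Party = None, bob: Party = None) -> dict:
    """Run the exchange and report what an eavesdropper sees versus what the parties derive."""
    alice = Party() if alice is None else alice
    bob = Party() if bob is None else bob
    # Everything that crosses the public medium: p, g and the two public values.
    # The private exponents never leave their owners.
    on_the_wire = {"p": alice.p, "g": alice.g, "A": alice.public, "B": bob.public}
    k_alice = derive_session_key(alice.shared_secret(bob.public), alice.p)
    k_bob = derive_session_key(bob.shared_secret(alice.public), bob.p)
    return {"on_the_wire": on_the_wire, "keys_match": k_alice == k_bob}
```

With the small textbook parameters p = 23, g = 5 and private exponents 6 and 15, the public values are 8 and 19 and both sides compute the shared secret 2.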
        10. Use Case: SSH process of communication
          1. Command line application
          2. encryption, integrity, origin authentication
          3. SSHv1 (not secure): private / public key to encrypt symmetric key for session; clear text
          4. SSHv2: DH key
        11. Digital Signatures
          1. authenticity, integrity, nonrepudiation
          2. encrypt by private key of sender
          3. consists of a hash function and an encryption function
            1. encrypt (by RSA private key) the Hash fingerprint and attach to the data and send out;
        12. PKI Overview
          1. trusted 3rd party
          2. CA hierarchy: trusted third party
            1. CA signs the certificate;
            2. encrypts the hash using its private key;
            3. CA send signed certificate to Web server;
          3. Certificate: A document, which in essence binds together the name of the entity and its public key
          4. PKCS: Public Key Cryptography Standard
          5. X.509 is an ITU-T standard for PKI
        13. PKI Operations
          1. CA hierarchy
          2. pre-loaded CA public key (Root Certificate) in Internet browsers
            1. to authenticate other’s public keys
            2. manually, use an out-of-band method to validate the certificate
          3. obtain identity certificate
            1. first step is to obtain the CA’s identity certificate;
            2. create a CSR (certificate signing request) (PKCS #10) (enrolling system’s public key is included)
            3. identity data from the CSR, and add in the CA-specified data, such as serial number, the dates, and the algorithm, to complete the X.509v3 structure
            4. sign the certificate by hashing the certificate data and encrypting the hash with its private key
            5. all users use the root CA’s public key to validate the signature on any certificate they receive
            6. Send a message encrypted with the peer's public key to verify that the peer can decrypt the message with its private key
          4. Certificate Revocation (if keys are thought to be compromised)
            1. centralized function, providing “push” and “pull” methods to obtain a list of revoked certificates;
            2. to check for certificate revocation
              1. CRL (certificate revocation list) (signed file with serial no. of revoked cert.)
                1. Poll CRL
                2. small time period when CRL has not yet propagated
              2. OCSP (Online certificate status protocol)
                1. immediate push to online database
                2. query anytime to check for validity
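Items 11 (digital signatures) and 13 (certificate issuance, validation and revocation) share one mechanism: hash the data, "encrypt" the hash with the signer's private key, verify with the public key. This added example (not from the course) walks through it with textbook RSA on fixed, published Mersenne primes so every value is reproducible; the CA, server name, serial and CRL are constructed, and the helper names are this example's own.

```python
import hashlib
import json

# Constructed toy: textbook RSA (no padding) on fixed, published Mersenne primes
# so every value is reproducible. Trivially factorable; for illustration only.
E = 65537

def rsa_keypair(p, q):
    """Return (public, private) = ((n, e), (n, d)) for the primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def _fingerprint(data):
    """SHA-256 hash of the data as an integer (always < n for the keys below)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    """'Encrypt' the fingerprint with the signer's private key."""
    n, d = private
    return pow(_fingerprint(data), d, n)

def verify(public, data, sig):
    """Recover the fingerprint with the public key and compare with a fresh hash."""
    n, e = public
    return 0 < sig < n and pow(sig, e, n) == _fingerprint(data)

def _canon(body):
    """Canonical bytes so issuer and relying party hash exactly the same data."""
    return json.dumps(body, sort_keys=True).encode()

def issue_cert(ca_private, subject, serial, subject_public):
    """CA: identity and public key from the CSR plus CA-supplied fields, then sign the hash."""
    body = {"subject": subject, "serial": serial, "public": list(subject_public),
            "alg": "sha256WithRSAEncryption"}
    return {"body": body, "sig": sign(ca_private, _canon(body))}

def validate_cert(cert, ca_public, crl=()):
    """Relying party: the CA public key checks the signature; the CRL supplies revocation."""
    body = cert["body"]
    return verify(ca_public, _canon(body), cert["sig"]) and body["serial"] not in crl

# Demo key pairs (hypothetical CA and server) from Mersenne primes M127, M521, M89, M607.
CA_PUB, CA_PRIV = rsa_keypair(2**127 - 1, 2**521 - 1)
SRV_PUB, SRV_PRIV = rsa_keypair(2**89 - 1, 2**607 - 1)

if __name__ == "__main__":
    cert = issue_cert(CA_PRIV, "www.example.test", 1001, SRV_PUB)
    print(validate_cert(cert, CA_PUB), validate_cert(cert, CA_PUB, crl={1001}))  # True False
```

A certificate whose body is altered after signing fails validation, as does one whose serial appears in the CRL, even though its signature is still mathematically valid.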
        14. Use case: SSL/TLS
        15. Cipher Suite
        16. Key Management
        17. NSA Suite B
        18. Explore Cryptographic Technologies
        19. Challenge
    3. SECOPS
  4. Practices:
    1. Cisco simulators:
      1. Cisco Packet Tracer 7.0
      2. NetSim
    2. Tools:
      1. tcpdump
      2. Wireshark
      3. Packets editor: WireEdit / Packet Editor;
      4. Build asset inventory list
      5. Cisco CLI Analyzer
    3. My Tools
      1. Wireshark
      2. Zenmap
      3. Loki
  5. References
    1. http://lumicybersecurity.com/
    2. CCNA security (210-260) by Systematic. http://www.systematic.com.hk/ccna_security.htm
    3. Google Security Research team (permanent): https://bugs.chromium.org/p/project-zero/issues/list?can=1&redir=1
    4. Search Engine of IoT device: https://www.shodan.io/
    5. Protection guidelines for wifi/bluetooth connections & passwords: https://www.fcc.gov/consumers/guides/how-protect-yourself-online
    6. password generator:
      1. http://passwordsgenerator.net/
      2. http://preshing.com/20110811/xkcd-password-generator/
    7. Always read terms of services from your service providers:
      1. http://www.legalgenealogist.com/2014/02/24/terms-of-use-change-dropbox/
      2. https://www.americanbar.org/publications/law_practice_today_home/law_practice_today_archive/april12/have-attorneys-read-the-icloud-terms-and-conditions.html
      3. http://www.telegraph.co.uk/technology/social-media/9780565/Facebook-terms-and-conditions-why-you-dont-own-your-online-life.html
    8. List of websites that support two-factor authentication: https://twofactorauth.org/
    9. Online Port scanner: https://hackertarget.com/nmap-online-port-scanner/
    10. NIST cybersecurity topics: https://www.nist.gov/topics/cybersecurity
    11. SANS Institute: https://www.sans.org/about/
  6. Actions:
    1. How to detect bot and rootkit;
    2. Firewall requirements;
    3. Prepare Security Playbook – prepare, gather and analyze security events;
  7. Tasks in CY
    1. VLAN and routing
    2. secure switch ports
    3. MAC spoofing / ARP poisoning protection
    4. DHCP protection
    5. FW
      1. SYN flood protection
      2. stateful protection
      3. SMTP protection