\documentclass[10pt,a4paper]{article}

% Packages
\usepackage{fancyhdr}           % For header and footer
\usepackage{multicol}           % Allows multicols in tables
\usepackage{tabularx}           % Intelligent column widths
\usepackage{tabulary}           % Used in header and footer
\usepackage{hhline}             % Border under tables
\usepackage{graphicx}           % For images
\usepackage{xcolor}             % For hex colours
%\usepackage[utf8x]{inputenc}    % For unicode character support
\usepackage[T1]{fontenc}        % Without this we get weird character replacements
\usepackage{colortbl}           % For coloured tables
\usepackage{setspace}           % For line height
\usepackage{lastpage}           % Needed for total page number
\usepackage{seqsplit}           % Splits long words.
%\usepackage{opensans}          % Can't make this work so far. Shame. Would be lovely.
\usepackage[normalem]{ulem}     % For underlining links
% Most of the following are not required for the majority
% of cheat sheets but are needed for some symbol support.
\usepackage{amsmath}            % Symbols
\usepackage{MnSymbol}           % Symbols
\usepackage{wasysym}            % Symbols
%\usepackage[english,german,french,spanish,italian]{babel}              % Languages

% Document Info
\author{xoulea}
\pdfinfo{
  /Title (gsec-overview.pdf)
  /Creator (Cheatography)
  /Author (xoulea)
  /Subject (GSEC OVERVIEW Cheat Sheet)
}

% Lengths and widths
\addtolength{\textwidth}{6cm}
\addtolength{\textheight}{-1cm}
\addtolength{\hoffset}{-3cm}
\addtolength{\voffset}{-2cm}
\setlength{\tabcolsep}{0.2cm} % Space between columns
\setlength{\headsep}{-12pt} % Reduce space between header and content
\setlength{\headheight}{85pt} % If less, LaTeX automatically increases it
\renewcommand{\footrulewidth}{0pt} % Remove footer line
\renewcommand{\headrulewidth}{0pt} % Remove header line
\renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit
% This two commands together give roughly
% the right line height in the tables
\renewcommand{\arraystretch}{1.3}
\onehalfspacing

% Commands
\newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour
\newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols
\newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns
\newcommand{\tn}{\tabularnewline} % Required as custom column type in use

% Font and Colours
\definecolor{HeadBackground}{HTML}{333333}
\definecolor{FootBackground}{HTML}{666666}
\definecolor{TextColor}{HTML}{333333}
\definecolor{DarkBackground}{HTML}{A3A3A3}
\definecolor{LightBackground}{HTML}{F3F3F3}
\renewcommand{\familydefault}{\sfdefault}
\color{TextColor}

% Header and Footer
\pagestyle{fancy}
\fancyhead{} % Set header to blank
\fancyfoot{} % Set footer to blank
\fancyhead[L]{
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{C}
    \SetRowColor{DarkBackground}
    \vspace{-7pt}
    {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent
        \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}}
    }
\end{tabulary}
\columnbreak
\begin{tabulary}{11cm}{L}
    \vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{GSEC OVERVIEW Cheat Sheet}}}} \\
    \normalsize{by \textcolor{DarkBackground}{xoulea} via \textcolor{DarkBackground}{\uline{cheatography.com/198356/cs/43341/}}}
\end{tabulary}
\end{multicols}}

\fancyfoot[L]{ \footnotesize
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{LL}
  \SetRowColor{FootBackground}
  \mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}}  \\
  \vspace{-2pt}xoulea \\
  \uline{cheatography.com/xoulea} \\
  \end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}}  \\
   \vspace{-2pt}Published 8th May, 2024.\\
   Updated 8th May, 2024.\\
   Page {\thepage} of \pageref{LastPage}.
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}}  \\
  \SetRowColor{white}
  \vspace{-5pt}
  %\includegraphics[width=48px,height=48px]{dave.jpeg}
  Measure your website readability!\\
  www.readability-score.com
\end{tabulary}
\end{multicols}}




\begin{document}
\raggedright
\raggedcolumns

% Set font size to small. Switch to any value
% from this page to resize cheat sheet text:
% www.emerson.emory.edu/services/latex/latex_169.html
\footnotesize % Small font.


\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{WIFI}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Wi-Fi Protected Setup (WPS) is a non-proprietary and optional push-button configuration specification that is considered a security vulnerability and should not be used in the enterprise. It is commonly attacked either online or offline against the PIN generated by the Wireless Access Point (WAP) entered on the device. \newline % Row Count 7 (+ 7)
According to the Wi-Fi Alliance, Protected Management Frames offers protection for unicast and multicast management action frames. Unicast management action frames are protected from both eavesdropping and forging, and multicast management action frames are protected from forging. They augment privacy protections already in place for data frames with mechanisms to improve the resiliency of mission-critical networks.% Row Count 16 (+ 9)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{IOT}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Zigbee is an IEEE 802.15.4-based specification for a suite of high-level communication protocols used to create personal area networks with small, low-power digital radios, such as for home automation, medical device data collection, and other low-power low-bandwidth needs. \newline % Row Count 6 (+ 6)
The Internet of Things or IoT  is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people. These objects are enabled with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction. An IoT ecosystem consists of web-enabled smart devices that use embedded systems, such as processors, sensors and communication hardware, to collect, send and act on data they acquire from their environments.% Row Count 17 (+ 11)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{IEEE802.1X}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{There are three components in the 802.1X architecture: supplicant (or client), network authorization device (NAD) or Authenticator, and authentication server. The client is the NAD and the server is usually a RADIUS or TACACS/TACACS+ server. The supplicant is a combination of the endpoint attempting to get on the network and the software agent running on the device.% Row Count 8 (+ 8)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{NETCAT}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Netcat is the Swiss army knife of networking tools and it can be run standalone or in an exploit kit. The most common cracking uses for Netcat are setting up reverse and bind shells, piping and redirecting network traffic, port listening, debugging programs and scripts and banner grabbing by making a raw connection to an FTP or Web server.% Row Count 7 (+ 7)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{AWS}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{At AWS, Security groups (SGs) are tied to an instance whereas Network Access Control Lists ACLs are tied to the subnet. While NACLs allow or deny traffic before it reaches an SG, the SG controls the traffic flow to and from the instance. \newline % Row Count 5 (+ 5)
The AWS Key Management System (KMS). It supports asymmetric keys. You can create, manage, and use public/private key pairs to protect your application data using the new APIs via the AWS SDK.% Row Count 9 (+ 4)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{CLOUD}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Auto-scaling is the cloud platform's capacity to react to the live traffic load on the application/workload by spinning up or down server instances on an ad-hoc basis. This ability to auto scale allows the provider to add or remove additional computing power to the instance cluster based on the demand and thus ensure the consistent handling of the traffic and optimize costs.% Row Count 8 (+ 8)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{AZURE}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{To create or delete management locks, you must have access to Microsoft.Authorization/{\emph{ or Microsoft.Authorization/locks/}} actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions. \newline % Row Count 5 (+ 5)
An Availability Zone (AZ) is a high-availability offering that protects applications and data from data center failures. AZs are unique physical locations within an Azure region. Each zone is made up of one or more data centers equipped with independent power, cooling, and networking. To ensure resiliency, each enabled region has a minimum of three separate zones. The physical separation of Availability Zones within a region protects applications and data in the event of data center failures. \newline % Row Count 15 (+ 10)
Office 365 uses Azure Active Directory (Azure AD), a cloud-based user identity and authentication service that is included with your Office 365 subscription, to manage identities and authentication for Office 365. In fact, any person with an existing Microsoft email account has an instance of Azure AD just waiting for activation. \newline % Row Count 22 (+ 7)
Infrastructure as a service (IaaS) is an instant computing infrastructure, provisioned and managed over the internet. IaaS quickly scales up and down with demand, letting you pay only for what you use. It helps you avoid the expense and complexity of buying and managing your own physical servers and other datacenter infrastructure. Each resource is offered as a separate service component, and you only need to rent a particular one for as long as you need it.% Row Count 32 (+ 10)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{MAQUINA VIRTUAL}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Xen, Red Hat, KVM, VMware, and Hyper-V are examples of hypervisors. A hypervisor is software that creates and runs virtual machines or VMs. The hypervisor creates an abstraction of underlying hardware and the VMs that use its resources are guests. A hypervisor is sometimes also called a Virtual Machine Manager (VMM). \newline % Row Count 7 (+ 7)
A hypervisor is the software that generates and controls a virtual infrastructure allowing multiple OSs to run on a single physical machine my managing the finite resources of the system running the hypervisor called the "host" and the virtual machines running on the host called "guests". \newline % Row Count 13 (+ 6)
Containers isolate applications from each other on a shared OS. Containerized applications run on top of a container host that in turn runs on the OS (Linux or Windows). Containers therefore have a significantly smaller footprint than virtual machine (VM) images. Containerization is an approach to software development in which an application or service, its dependencies, and its configuration are packaged together as a container image.% Row Count 22 (+ 9)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{IAM}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Identity and Access Management (IAM) ensures that users are who they say they are (authentication) and that they can access the applications and resources they have permission to use (authorization). IAM solutions include single sign-on (SSO), multi-factor authentication (MFA) and access management, as well as directory for securely storing identity and profile data and data governance to ensure that only needed and relevant data is shared.% Row Count 9 (+ 9)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{CIS CONTROLS}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Center for Internet Security (CIS) is a forward-thinking nonprofit that harnesses the power of a global IT community to safeguard public and private organizations against cyber threats. Following are the foundational controls defined by CIS. \newline % Row Count 5 (+ 5)
Foundational CIS Controls: \newline % Row Count 6 (+ 1)
•	Email and Web Browser Protections \newline % Row Count 7 (+ 1)
•	Malware Defenses \newline % Row Count 8 (+ 1)
•	Limitation and Control of Network Ports, Protocols and Services \newline % Row Count 10 (+ 2)
•	Data Recovery Capabilities \newline % Row Count 11 (+ 1)
•	Secure Configuration for Network Devices, such as Firewalls, Routers and Switches \newline % Row Count 13 (+ 2)
•	Boundary Defense \newline % Row Count 14 (+ 1)
•	Data Protection \newline % Row Count 15 (+ 1)
•	Controlled Access Based on the Need to Know \newline % Row Count 16 (+ 1)
•	Wireless Access Control \newline % Row Count 17 (+ 1)
•	Account Monitoring and Control \newline % Row Count 18 (+ 1)
The CIS 20 organizational controls are as follows: \newline % Row Count 20 (+ 2)
•	Implement a Security Awareness and Training Program, \newline % Row Count 22 (+ 2)
•	Application Software Security, \newline % Row Count 23 (+ 1)
•	Incident Response and Management, and \newline % Row Count 24 (+ 1)
•	Penetration Tests and Red Team Exercises. \newline % Row Count 25 (+ 1)
Basic CIS Controls: \newline % Row Count 26 (+ 1)
•	Inventory and Control of Hardware Assets \newline % Row Count 27 (+ 1)
•	Inventory and Control of Software Assets \newline % Row Count 28 (+ 1)
•	Continuous Vulnerability Management \newline % Row Count 29 (+ 1)
•	Controlled Use of Administrative Privileges \newline % Row Count 30 (+ 1)
} \tn 
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{CIS CONTROLS (cont)}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{•	Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers \newline % Row Count 3 (+ 3)
•	Maintenance, Monitoring and Analysis of Audit Logs% Row Count 5 (+ 2)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{NFC}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{NFC stands for "Near Field Communication" and, as the name implies, it enables short-range communication between compatible devices. This requires at least one transmitting device, and another to receive the signal. A range of devices can use the NFC standard and will be considered either passive or active. NFC is a mainstream wireless technology. Passive NFC devices include tags, and other small transmitters, that can send information to other NFC devices without the need for a power source of their own. Active devices are able to both send and receive data and can communicate with each other as well as with passive devices.% Row Count 13 (+ 13)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{LOAD BALANCER}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Network Load Balancer (NLB) distributes traffic based on network variables, such as IP address and destination ports. It is layer 4 (TCP) and below and is not designed to take into consideration anything at the application layer such as content type, cookie data, custom headers, user location, or the application behavior. Application Load Balancer (ALB) on the other hand distributes requests based on multiple variables, from the network layer to the application layer. ALB is full-featured Layer-7 load balancer, HTTP and HTTPS listeners only.% Row Count 11 (+ 11)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{PHISHING}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{A whaling attack is a phishing variant that targets senior management in an attempt to steal sensitive data like financial information or personal employee information typically for malicious reasons. \newline % Row Count 5 (+ 5)
Typosquatting (also known as URL hijacking), is a form of cybersquatting targeting people that mistype an intended website address into their web browser. Cybersquatters register domain names that are a slight variation of the target URL, which is usually a common spelling error. Typosquatting is a form of social engineering attack that tries to lure users into visiting malicious sites with URLs that are common misspellings of legitimate sites. These sites can cause significant damage to the reputation of organizations that are victimized by these attackers and harm users who are tricked into entering sensitive details into fake sites. For example, gooogle, facebooj.% Row Count 19 (+ 14)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{RANSOMWARE}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Since ransomware encrypts files instead of exfiltrating files, a rigorous backup and restore policy involving snapshots and disk imaging will eliminate most of the impact of the malware attack. Anti-ransomware solutions enable organizations to fight against ransomware.% Row Count 6 (+ 6)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{RANSOMWARE}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Since ransomware encrypts files instead of exfiltrating files, a rigorous backup and restore policy involving snapshots and disk imaging will eliminate most of the impact of the malware attack. Anti-ransomware solutions enable organizations to fight against ransomware.% Row Count 6 (+ 6)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{DEFENSE IN DEPTH}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{The classification and labeling of all data assets is a combination of uniform protection and information-centric defense-in-depth. Vector-oriented defense in depth involves identifying all ingress and egress points and all probable threat agents and specific vectors. \newline % Row Count 6 (+ 6)
The defense-in-depth approach is a layered approach to security. By providing various layers of security or security controls, for example, physical security, policies and procedures, firewalls at perimeter, IPS/IDS at DMZ, antiviruses and anti-malwares at host and network level, a network can be better protected against threats than deploying just one security control. \newline % Row Count 14 (+ 8)
Defense in depth involves implementing multiple layers of security to defend property, facilities, systems, applications, and data. According to the SANS institute, there are four fundamental approaches to defense in depth, based on risk treatment: Uniform protection, Protected zoning, Information centric, and analyze threat vectors. \newline % Row Count 21 (+ 7)
Honey tokens (aka Honey pots) are placed on systems in reasonable locations but not where the average end users would find them. A honeypot is a computer or computer system intended to mimic likely targets of cyberattacks. It can be used to detect attacks or deflect them from a legitimate valuable target system or Honeypots can also be used to gain information about how cybercriminals operate. \newline % Row Count 29 (+ 8)
A honeypot is a computer or system intended to imitate the likely targets of cyberattacks. It can be used to detect attacks as well as deflect them from a legitimate target. It can also be used to gain information about how cybercriminals operate, getting logs of their operations. The basic principle behind them is simple i.e. to prepare something (honeypot) that would attract the attacker's interest and then wait for the attackers to show up. \newline % Row Count 38 (+ 9)
} \tn 
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{DEFENSE IN DEPTH (cont)}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Security expert John Strand and his team developed the Active Directory Active Defense (ADAD) security initiative using tools from his Active Defense Harbinger Distribution (ADHD). \newline % Row Count 4 (+ 4)
The following are the three main attributes/mechanisms for active defense: \newline % Row Count 6 (+ 2)
•	Deception – The idea behind cyber deception follows the tactic of planting misinformation to deceive the attacker and take their focus away from the original target. Traps in the network, endpoints, and servers can be set up to reveal attackers or malicious insiders without them even knowing. \newline % Row Count 12 (+ 6)
•	Attribution – This is the process of tracking, identifying and laying blame on the perpetrator of a cyberattack or attempting a hacking exploit.  \newline % Row Count 16 (+ 4)
•	Counterattack – This is considered to be the most efficient means of forcing the attacker to abandon offensive plans. Cyber counter attacks are sometimes used as a means of self-defense to slow down or even stop cyber attacks \newline % Row Count 21 (+ 5)
An indicator of compromise (IoC) shows that there is an artifact or series of artifacts discovered on an endpoint indicating a breach with high confidence. IOCs artifacts enable information security professionals to detect intrusion attempts or other malicious activities. \newline % Row Count 27 (+ 6)
An elite team can find things your automated response systems may miss. It can learn from incidents that have taken place, aggregating crowdsourced data, and providing response guidance when malicious activity is discovered. Having expert hunters working 24/7 on your behalf matches the ingenuity of determined attackers like no automated technology can. \newline % Row Count 35 (+ 8)
} \tn 
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{DEFENSE IN DEPTH (cont)}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{An Indicator of Attack (IoA) is a unique construction of unknown attributes that are leveraged for a proactive approach to security. An IoA can consist of: \newline % Row Count 4 (+ 4)
•	Stealth behavior \newline % Row Count 5 (+ 1)
•	Persistence \newline % Row Count 6 (+ 1)
•	Code execution \newline % Row Count 7 (+ 1)
•	Command and Control \newline % Row Count 8 (+ 1)
•	Lateral movement \newline % Row Count 9 (+ 1)
Indicators of Compromise (IOCs) are remnants, artifacts, and traces of a breach or attack on a system, network, application, or hosts. They can be precursors of a fully successful attack with all phases not being activated yet. Some practitioners call these indicators cyber observables or malware observances.% Row Count 16 (+ 7)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{ATTACKS}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Attribution as an active defense methodology that determines data about an attacker and their goals and targets.  It is a valuable activity for incident response team members although it may be ineffective since source addresses are likely spoofed. \newline % Row Count 5 (+ 5)
The attack back strategy involves information gathering, seek and disrupt, and seek and destroy actions yet is the most dangerous for the counter-attacker. \newline % Row Count 9 (+ 4)
Pivoting is a technique of using an instance (aka 'plant' or 'foothold') to be moved around inside of a network. It leverages the first compromise to assist in vertical or horizontal (N/S or E/W) movement to aid in the compromise of other otherwise unreachable systems. \newline % Row Count 15 (+ 6)
Cryptojacking is the unauthorized use of a personal device by cybercriminals to mine for cryptocurrency. Users can click on a malicious link in an email that loads cryptomining code on the computer or cloud based workloads. This is a common attack towards cloud platforms (public or private). \newline % Row Count 21 (+ 6)
Many attackers use botnets to launch DDoS attacks. A botnet is a collection of compromised machines that the attacker can manipulate from a command and control (C2 or CnC) system to participate in a DDoS, send spam emails, and perform other illicit activities. Figure 4-3 shows how a botnet is used by an attacker to launch a DDoS attack. The figure illustrates, the attacker sending instructions to the C2 server; subsequently, the command and control server sending instructions to the bots within the botnet to launch the DDoS attack against the victim.% Row Count 33 (+ 12)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{CRIPTOGRAFIA}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Transport Layer Security (TLS) is a protocol that provides authentication, privacy, and data integrity between two Internet applications. It is the most widely deployed security protocol used today and is used for web browsers and other applications that require data to be securely exchanged over a network. TLS evolved from Netscape's Secure Sockets Layer (SSL) protocol and has superseded it for the most part. \newline % Row Count 9 (+ 9)
Monitoring the file size assumes that a malicious version of an application would have a different file size than the original. However, attackers can also change the size of any given file. It is better to use attributes such as digital signatures and cryptographic hashes e.g. Message Digest algorithm 5 (MD5) or Secure Hash Algorithm 1 (SHA). \newline % Row Count 16 (+ 7)
Key stretching attempts to make passwords based on one-way hashes much harder to compromise. It uses a key derivation process combined with a specialized function such as PBKDF2, bcrypt, or scrypt. \newline % Row Count 20 (+ 4)
RSA is one of the original public-key cryptosystems and is still commonly used for secure data transmission. The acronym RSA is the initial letters of the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman, who published the algorithm in 1977. \newline % Row Count 25 (+ 5)
With forward secrecy every TLS connection to the web server is individually protected. One of the biggest flaws of RSA is that it does not natively provide forward secrecy for TLS. \newline % Row Count 29 (+ 4)
Technically speaking, a hash collision is a situation when the resultant hashes for two or more data input elements in a data set map to the same location in the hash table. A trustworthy hash function must be highly collision resistant. This is a known vulnerability of MD5. \newline % Row Count 35 (+ 6)
} \tn 
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{CRIPTOGRAFIA (cont)}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Asymmetric encryption (also known as public key cryptography) uses two unique keys, a public key and a private key. The data is encrypted with the public key and only the matching private key can decrypt it. The private key is kept secret, whereas the public key can be given to anyone. \newline % Row Count 6 (+ 6)
Message Digest 5 (MD5) algorithm is an example of a cryptographic hash function. The result of the hash is a fixed-length small string of data and is sometimes referred to as the digest, message digest, or simply the hash. Most software vendors publish the MD5 hash of the software package. This way the receiver of the software can run the same hash against the software and compare the results against the results the vendor published. If the hash generated matches the hash that was published, the software is intact from an integrity perspective. \newline % Row Count 18 (+ 12)
Digital signatures are based on public key cryptography (asymmetric cryptography). The most common is RSA and provides integrity, origin authentication, and non-repudiation of transactions. To achieve confidentiality however, the digitally signed entity should be sent over a TLS or IPsec secure communication channel (essentially an encrypted transmission medium). \newline % Row Count 26 (+ 8)
IPsec is an end-to-end security technology that allows two (or more) devices to communicate securely over a possibly unsecure medium. While the transport mode encrypts the data that is sent between peers, the tunnel mode encapsulates the entire packet and adds a new IP header.  \newline % Row Count 32 (+ 6)
} \tn 
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{CRIPTOGRAFIA (cont)}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{TLS, SSL, and IPsec are various methods and protocols that can be used to protect data in transit. These protocols and secure data traversal mechanisms allow data payload and headers to be encrypted in such a way that an attacker cannot snoop into the data midway between sender and receiver. TLS is an improved version of SSL. \newline % Row Count 7 (+ 7)
Transport Layer Security (TLS) is arguably the most important protocol for global communication and one of the most secure key exchange mechanisms that two parties can use is Elliptic Curve Diffie-Hellman Ephemeral.% Row Count 12 (+ 5)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{CERTIFICATE}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{The following information is found in a typical X.509 certificate: \newline % Row Count 2 (+ 2)
•	Serial Number: Used to uniquely identify the certificate \newline % Row Count 4 (+ 2)
•	Subject: The person, or entity identified \newline % Row Count 5 (+ 1)
•	Signature Algorithm: The algorithm used to create the signature \newline % Row Count 7 (+ 2)
•	Signature: The actual signature to verify that it came from the issuer \newline % Row Count 9 (+ 2)
•	Issuer: The entity that verified the information and issued the certificate \newline % Row Count 11 (+ 2)
•	Valid-From: The date the certificate is first valid from \newline % Row Count 13 (+ 2)
•	Valid-To: The expiration date \newline % Row Count 14 (+ 1)
•	Key-Usage: Purpose of the public key, for example, certificate signing \newline % Row Count 16 (+ 2)
•	Public Key: The key used to encrypt information (The private key is kept secret as it is used to decrypt information, and once made public or leaked, the key-pair is unsafe to use.) \newline % Row Count 20 (+ 4)
•	Thumbprint Algorithm: The algorithm used to hash the public key certificate \newline % Row Count 22 (+ 2)
•	Thumbprint: The hash itself, used as an abbreviated form of the public key certificate \newline % Row Count 24 (+ 2)
The CA follows one of these validation processes: Domain Validated (DV), which is the most common, Organization Validated (OV), and Extended Validation (EV) which shows the green padlock. Upon validation, the CA issues the certificate and all intermediary certificates needed to chain to its root.% Row Count 30 (+ 6)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{FALSO POSITIVO}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{True positives: The security control, such as an IPS sensor, acted as a consequence of malicious activity. This represents normal and optimal operation. True negatives: The security control has not acted, because there was no malicious activity. This represents normal and optimal operation. False positives: The security control acted as a consequence of non-malicious activity. This represents an error, generally caused by too tight of proactive controls. False negatives: The security control has not acted, even though there was malicious activity. This represents an error, generally caused by too relaxed proactive controls (which permit more than just minimal legitimate traffic) or too specific reactive controls. \newline % Row Count 15 (+ 15)
False negatives is the term used to describe a network intrusion device's inability to detect true security events under certain circumstances—in other words, a malicious activity that is not detected by the security device. The broad term false positive describes a situation in which a security device triggers an alarm, but no malicious activity or actual attack is taking place. In other words, false positives are false alarms.% Row Count 24 (+ 9)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{POLICIES}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network or the Internet. Many businesses and educational facilities require that employees or students sign an acceptable use policy before being granted network access. \newline % Row Count 7 (+ 7)
Guidelines are recommendations to users when specific standards do not apply. They are designed to streamline certain processes according to established best practices. Policies on the other hand are mandatory processes. \newline % Row Count 12 (+ 5)
Policies must be followed whereas guidelines are recommendations that may be followed. \newline % Row Count 14 (+ 2)
A written information security policy is the keystone of an Information Security Program. The policy should mirror the organization's mission, goals, and objectives based on how executive management positions and prioritizes security.% Row Count 19 (+ 5)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{SCANNER}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Some examples of popular vulnerability scanners include the following: \newline % Row Count 2 (+ 2)
•	Nessus from Tenable \newline % Row Count 3 (+ 1)
•	Retina from Beyond Trust \newline % Row Count 4 (+ 1)
•	Nexpose from Rapid7 \newline % Row Count 5 (+ 1)
•	AppScan from IBM \newline % Row Count 6 (+ 1)
•	Nmap \newline % Row Count 7 (+ 1)
•	SAINT% Row Count 8 (+ 1)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{IPV4 X IPV6}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{The IP header is a total of 32 bits. The version field is 4 bits. The version field is the first header field in an IP packet. \newline % Row Count 3 (+ 3)
Time-to-live (TTL) - designates the number of hops a packet can take before it reaches its destination - is a value in an Internet Protocol (IP) datagram that tells a network router whether or not the packet has been in the network too long and should be discarded. In IPv6 the TTL field in each packet has been renamed the hop limit. \newline % Row Count 10 (+ 7)
IPv4 Address Resolution Protocol (ARP) was replaced by the ICMPv6 Neighbor Discovery Protocol (NDP) in IP version 6. One of the functions of the IPv6 NDP is to resolve network layer (IP) addresses to link layer (for example, Ethernet) addresses. The Secure Neighbor Discovery (SEND) Protocol prevents an attacker who has access to the broadcast segment from abusing NDP or ARP to trick hosts into sending the attacker traffic destined for someone else, a technique known as ARP poisoning. \newline % Row Count 20 (+ 10)
ARP (Address Resolution Protocol) converts an internet protocol (IP) address to its corresponding physical network address. IP networks, including those that run on Ethernet and Wi-Fi, require ARP to function properly. \newline % Row Count 25 (+ 5)
Fragmentation is used to break up a datagram into smaller packets for a neighbor router that supports a smaller max transmission unit (MTU). This is accomplished using fields in the IP header. \newline % Row Count 29 (+ 4)
The Traffic Class field indicates class or priority of IPv6 packet which is similar to Service Field in IPv4 packet. It helps routers to handle the traffic based on priority of the packet. If congestion occurs on router then packets with least priority will be discarded. As of now only 4-bits are being used (and remaining bits are under research), in which 0 to 7 are assigned to Congestion controlled traffic and 8 to 15 are assigned to Uncontrolled traffic. \newline % Row Count 39 (+ 10)
} \tn 
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{IPV4 X IPV6 (cont)}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Encapsulating Security Payload EH is similar in format and use to the IPv4 ESP header defined in RFC2406. All information following the Encapsulating Security Header (ESH) is encrypted and for that reason, it is inaccessible to intermediary network devices. The ESH can be followed by an additional Destination Options EH and the upper layer datagram.% Row Count 8 (+ 8)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{TCP}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{TCP (Transmission Control Protocol) is a layer 4 protocol. TCP works with the Internet Protocol (IP) at layer 4 of the OSI model. It is connection-oriented, ordered and should be used if your service needs a reliable transmission of datagrams. TCP is meant to provide error-free data transmission as it handles retransmission of dropped or garbled packets and acknowledges all packets that arrive. TCP provides multiplexing, demultiplexing, and error detection. TCP is connection-oriented because before one application process can begin to send data to another, the two must first establish a "handshake" with each other. UDP is connectionless, TTL is Time To Live – it  is a value in an Internet Protocol (IP) packet that tells a network router whether or not the packet has been in the network too long and should be discarded. Real-Time Protocol (RTP) is based on UDP and is connectionless as it is used for transmission of real time voice and/or video packets. \newline % Row Count 20 (+ 20)
TCP (Transmission Control Protocol) is a layer 4 protocol and a standard that defines how to establish and maintain a network conversation via which application programs can exchange data. TCP works with the Internet Protocol (IP) at layer 4 of the OSI model. It is connection-oriented, ordered and should be used if your service needs a reliable transmission of datagrams. TCP is meant to provide error-free data transmission as it handles retransmission of dropped or garbled packets and acknowledges all packets that arrive.% Row Count 31 (+ 11)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{PACKET ANALYZERS}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Wireshark and tcpdump are both examples of packet analyzers. Wireshark is a GUI-based free and open source packet analyzer. tcpdump is a CLI-based packet analyzer and is also free and open source (distributed under a BSD license). tcpdump, runs on Linux and Mac OS X systems. \newline % Row Count 6 (+ 6)
Tcpdump, written in C, is a data-network packet analyzer computer program that runs under a command line interface. It allows the user display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.% Row Count 11 (+ 5)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{RISK ASSESSMENT}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{ISO 31000:2009 involves risk management principles and guidelines. It offers principles, a framework, and a process for managing risk. It can be used by any organization regardless of its size, activity, or sector. The first phase will be to ascertain the purpose, context, and scope of the risk assessment and management program. \newline % Row Count 7 (+ 7)
Vulnerability Management begins with assessment and prioritization of assets so that you can better determine the Return on Security Investment (ROSI). The next step is to start building the risk register (log or ledger) based on semi-quantitative or quantitative approach if one does not already exist. \newline % Row Count 14 (+ 7)
Risk assessment can be done in two possible ways: quantitative and qualitative. Quantitative risk assessment involves dollar values and mathematical formulas and aims to determine tangible values. Qualitative risk assessment uses questioners and/or interviews. \newline % Row Count 20 (+ 6)
The acronym RACI is as follows: \newline % Row Count 21 (+ 1)
1.	responsible, \newline % Row Count 22 (+ 1)
2.	accountable, \newline % Row Count 23 (+ 1)
3.	consulted, and \newline % Row Count 24 (+ 1)
4.	informed. \newline % Row Count 25 (+ 1)
It is used for clarifying and defining roles and responsibilities typically in cross-functional projects and/or processes. \newline % Row Count 28 (+ 3)
The term "risk transfer" is often used in place of risk sharing, although in practice the transfer of risk to an insurance or outsourcing company may result in loss if the company goes out of business. \newline % Row Count 33 (+ 5)
} \tn 
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{RISK ASSESSMENT (cont)}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Annualized Loss Expectancy (ALE) = Single Loss Expectancy ? Annualized Rate of Occurrence in classic quantitative analysis \newline % Row Count 3 (+ 3)
An incident is an established negative occurrence that affects the state of data, network, application, or system. An incident can cause damage or loss, either directly (primary) or indirectly (secondary). All incidents are made up of events, but not all events are categorized as incidents.% Row Count 9 (+ 6)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{Resposta à incidentes}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Incident response lifecycle consists of six phases: \newline % Row Count 2 (+ 2)
1.	Preparation \newline % Row Count 3 (+ 1)
2.	Identification \newline % Row Count 4 (+ 1)
3.	Containment \newline % Row Count 5 (+ 1)
4.	Eradication \newline % Row Count 6 (+ 1)
5.	Recovery \newline % Row Count 7 (+ 1)
6.	Lessons learned \newline % Row Count 8 (+ 1)
Business Continuity Planning (BCP) consists of Business Impact Analysis (BIA), Backups and Restoration, and Disaster Recovery Planning (DRP). The BIA is a key step in implementing the Continuity Planning controls in NIST SP 800 53 and in the contingency planning process overall. \newline % Row Count 14 (+ 6)
Two of the important parameters that define a Business Continuity Disaster Recovery (BCDR) plan are the Recovery Point Objective (RPO) and Recovery Time Objective (RTO). These are defined as follows: \newline % Row Count 18 (+ 4)
•	RPO is the interval of time that might pass during a disruption before the quantity of data lost during that period exceeds the Business Continuity Plan's maximum allowable threshold or tolerance. \newline % Row Count 23 (+ 5)
•	RTO is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity. \newline % Row Count 28 (+ 5)
•	 \newline % Row Count 29 (+ 1)
Recovery time objective (RTO) is the maximum required amount of time allowed between an unforeseen failure or disaster and the resumption of regular operations and service levels. The RTO describes the point in time after a failure or disaster at which the consequences of the interruption become unacceptable. Recovery Time Objective (RPO) is the target time you set for the recovery of your IT and business activities after a disaster has struck. The goal here is to calculate how quickly you need to recover, which can then dictate the type or preparations you need to implement and the overall budget you should assign to business continuity. \newline % Row Count 42 (+ 13)
} \tn 
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{Resposta à incidentes (cont)}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{A cold site is the least expensive disaster recovery option as there is practically nothing at the site except for electricity, HVAC, and utilities. It may have ethernet cable installed or may rely on a wireless network installation.% Row Count 5 (+ 5)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{BACKUP}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Incremental backups begin with a full backup. But once that initial full backup is taken, incremental backups only copy the parts of files that have changed since the previous backup. Once the incremental backup has run, it won't back up that file again until the next full backup, unless the file changes. \newline % Row Count 7 (+ 7)
A differential backup is a data backup that copies all of the files that have changed since the last full backup was performed. This includes any data that has been created, updated or altered in any way and does not copy all of the data every time. The term differential backup is based on the concept that only data that is "different" is copied. An incremental backup is a backup type that only copies data that has been changed or created since the previous backup activity was conducted. \newline % Row Count 17 (+ 10)
Snapshots and traditional backups essentially have a similar role. They both make copies of the data on your system which you can later restore. The first snapshot is a precise copy of the given virtual machine or data volume. Ensuing snapshots store data blocks (usually as object/blob storage) that have been changed or added in the meantime. It can perform versioning and fallback activities much faster than traditional backups.% Row Count 26 (+ 9)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{WINDOWS}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{When deploying a Windows Server Update Services (WSUS) implementation, it is important to realize that a single server can handle more than 10,000 client systems. \newline % Row Count 4 (+ 4)
A Windows network operating system domain controller is a server that handles network security, effectively functioning as the gatekeeper for user authentication and authorization. Domain controllers are especially important in Microsoft directory services terminology, and function as the primary mode for authenticating Windows user identities. \newline % Row Count 11 (+ 7)
In order to have a domain implemented, you will need to configure a domain controller to centrally authenticate users who wants to connect and provides them the resources that they need. The domain controllers are also essential in adding an extra layer of security for the system beyond the normal usual security from individual computers in workgroups. \newline % Row Count 19 (+ 8)
The user employs Remote Desktop Protocol (RDP) client software for this purpose, while the other computer must run RDP server software. This service should be disabled if not absolutely necessary as part of system hardening. \newline % Row Count 24 (+ 5)
There are three Servicing Channels in Windows: \newline % Row Count 25 (+ 1)
1.	Semi Annual \newline % Row Count 26 (+ 1)
2.	Windows Insider, and \newline % Row Count 27 (+ 1)
3.	The Long-Term Channel. \newline % Row Count 28 (+ 1)
Home edition users can defer quality (not feature) updates for up to 35 days. \newline % Row Count 30 (+ 2)
} \tn 
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{WINDOWS (cont)}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{According to Microsoft, BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. Microsoft offers BitLocker as a built-in encryption with Windows OS.  \newline % Row Count 9 (+ 9)
BitLocker uses the Advanced Encryption Standard (AES) for protecting data at rest. BitLocker uses (AES) as its encryption algorithm with configurable key lengths of 128 or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy. \newline % Row Count 15 (+ 6)
The AGULP model goes as follows: Accounts \textgreater{} Global Groups \textgreater{} Universal Groups \textgreater{} Local Groups \textgreater{} Permissions and Rights.  \newline % Row Count 18 (+ 3)
The shared folder is made possible by the File and Print Sharing service and the SMB protocol. Share permissions are Full Control, Change, and Read. \newline % Row Count 21 (+ 3)
The Registry Key structure (registry hive) is similar to folders. A single folder stores all the information and data related to that folder. In a Registry Key, the highest-level folder is a Hive (or Registry Hive). Also, if you further classify any information then you create sub-folders. The sub-folder in Windows Registry Key is classified as a Key and any folder under a sub-folder is called a Sub Key. The following figure gives an insight to the Windows Registry Hive. \newline % Row Count 31 (+ 10)
} \tn 
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{WINDOWS (cont)}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Windows AppLocker is applicable to Windows 10 and Windows Server only. AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of Help Desk calls that result from users running unapproved apps. \newline % Row Count 6 (+ 6)
According to Microsoft, User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. \newline % Row Count 15 (+ 9)
Group Policy and Group Policy Objects is the strategy for centralized administration but works only in conjunction with Active Directory. Administrators can manage Group Policy using the Group Policy Management Console (GPMC). \newline % Row Count 20 (+ 5)
Azure PowerShell modules can be installed by using PowerShellGet on Windows, macOS, and Linux platforms. PowerShell 7.x and later are the recommended versions of PowerShell for use with Azure PowerShell on all platforms. \newline % Row Count 25 (+ 5)
According to Microsoft, PowerShell is a cross-platform task automation and configuration management framework, consisting of a command-line shell and scripting language. PowerShell is built on top of the .NET Common Language Runtime (CLR) and accepts and returns .NET objects. This fundamental change brings entirely new tools and methods for automation. \newline % Row Count 33 (+ 8)
} \tn 
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{WINDOWS (cont)}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Windows Event Viewer displays the Windows event logs. This is the default application to view and navigate the logs, search and filter particular types of logs, export logs for analysis, and much more.% Row Count 5 (+ 5)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{SOFTWARE COMPOSITION ANALYSIS}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Before applying a security template using the SCA tool, you should always perform a full backup that includes the System State. There is no feature to revert back to a previous state or "undo" after applying the template. \newline % Row Count 5 (+ 5)
Since there is no fallback or undo feature in the SCA tool, you should make a backup of the production server that includes the system state.% Row Count 8 (+ 3)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{LINUX}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{You should always set the sticky bit on these directories so that only the owner can removed his own files, with the exception of the owner of the sticky bit directory (and the root user), who can delete all of the files in the directory. These directories are intended for storing temporary files that may be made by anyone.  \newline % Row Count 7 (+ 7)
You can add a new user in Linux using the command: \newline % Row Count 9 (+ 2)
\$ sudo useradd username \newline % Row Count 10 (+ 1)
To maintain a record of which files belong to which user and to enforce some security, Linux uses the concept of ownership. Every file belongs to an owner—a user—and to a group. On Unix-like operating systems, the chown command changes ownership of files and directories in a filesystem. \newline % Row Count 16 (+ 6)
The /dev directory holds device drivers; /usr is the primary read-only directory; /var contains log files, queues, and more; and /home has user home directories. \newline % Row Count 20 (+ 4)
Bash is a Unix shell and command language written by Brian Fox for the GNU Project as a free software replacement for the Bourne shell. First released in 1989, it has been used as the default login shell for most Linux distributions and all releases of Apple's macOS prior to macOS Catalina. \newline % Row Count 26 (+ 6)
Linux (and flavors of Unix) have following shells to offer: \newline % Row Count 28 (+ 2)
•	The Bourne Shell (sh): Developed at AT\&T Bell Labs by Steve Bourne, the Bourne shell is regarded as the first UNIX shell ever. It is denoted as sh. It gained popularity due to its compact nature and high speeds of operation. \newline % Row Count 33 (+ 5)
} \tn 
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{LINUX (cont)}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{•	The GNU Bourne-Again Shell (bash): More popularly known as the Bash shell, the GNU Bourne-Again shell was designed to be compatible with the Bourne shell. \newline % Row Count 4 (+ 4)
•	The C Shell (csh): The C shell was created at the University of California by Bill Joy. It is denoted as csh. \newline % Row Count 7 (+ 3)
•	The Korn Shell (ksh): The Korn shell was developed at AT\&T Bell Labs by David Korn, to improve the Bourne shell. It is denoted as ksh. \newline % Row Count 10 (+ 3)
•	The Z Shell (zsh): The Z Shell or zsh is a sh shell extension that has all the features and more. \newline % Row Count 13 (+ 3)
•	 \newline % Row Count 14 (+ 1)
These are the traditional init runlevels: \newline % Row Count 15 (+ 1)
•	0 - Halt the system, \newline % Row Count 16 (+ 1)
•	1 - Single-user mode (for special administration), \newline % Row Count 18 (+ 2)
•	2 - Local Multiuser with Networking but without network service (like NFS), \newline % Row Count 20 (+ 2)
•	3 - Full Multiuser with Networking, \newline % Row Count 21 (+ 1)
•	4 - Not Used, \newline % Row Count 22 (+ 1)
•	5 - Full Multiuser with Networking and X Windows(GUI), \newline % Row Count 24 (+ 2)
•	6 - Reboot. \newline % Row Count 25 (+ 1)
iptables is an extremely flexible firewall utility built for Linux operating systems. iptables is a command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list to match it to. iptables almost always comes pre-installed on any Linux distribution and to update or install it, you can just retrieve the iptables package using the command: sudo apt-get install iptables \newline % Row Count 35 (+ 10)
} \tn 
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{LINUX (cont)}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{SELinux was first introduced in CentOS 4 and significantly enhanced in later CentOS releases. SELinux follows the model of least-privilege more closely. By default under a strict enforcing setting, everything is denied and then a series of exceptions policies are written that give each element of the system (a service, program or user) only the access required to function. SELinux has three basic modes of operation as follows: \newline % Row Count 9 (+ 9)
1.	Enforcing \newline % Row Count 10 (+ 1)
2.	Permissive \newline % Row Count 11 (+ 1)
3.	Disabled \newline % Row Count 12 (+ 1)
Bastille is a hardening program that locks down a Linux, HP-UX, and MacOS operating system, proactively configuring the system for enhanced security and decreasing its susceptibility to compromisse. Bastille can also assess a system's current state of hardening and generate a granular report on each of the security settings with which it works. \newline % Row Count 19 (+ 7)
The recommended method to perform this hardening feature is to edit the /etc/sysctrl.conf file. Remember this fact for the exam as well as setting this to prevent source routing and two-way spoofed communications. \newline % Row Count 24 (+ 5)
Trusted Platform Module (TPM) offers hardware-based, security-related functions in the form of a secure crypto-processor chip that performs cryptographic operations. The chip includes several physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. \newline % Row Count 31 (+ 7)
} \tn 
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{LINUX (cont)}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Ansible is an open-source automation tool, or platform, used for IT tasks such as configuration management, application deployment, intra-service orchestration, and provisioning. \newline % Row Count 4 (+ 4)
Auditd is an access monitoring and accounting for Linux developed and maintained by RedHat. It was designed to integrate tightly with the kernel and look for interesting system calls. Also, likely because of this level of integration and detail, it is the default logger in SELinux. \newline % Row Count 10 (+ 6)
Each Syslog message Priority also has a decimal Severity level indicator. Severity values MUST be in the range of 0 to 7 inclusive. Debug has the highest number 7, representing the lowest priority level. \newline % Row Count 15 (+ 5)
Linux builds have a native stateful firewall called iptables. Append this rule to the input chain (-A INPUT) to view ingress traffic; look for TCP (-p tcp); if so, does it go to the destination SSH port (-dport ssh)? If yes, then permit the traffic ( -j ACCEPT).% Row Count 21 (+ 6)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{NTFS}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Every NTFS (NT file system) file or folder has an owner assigned to it. As part of the discretionary access model (DACL), If a user is the owner of an object the only recourse for the administrator is to take ownership away from the user. Other objects include printers, AD containers, registry keys, processes, and threads. \newline % Row Count 7 (+ 7)
It is vital to understand that NTFS (NT file system) permissions are always enforced, regardless of how the files are being accessed. \newline % Row Count 10 (+ 3)
What happens if there is a conflict between an NTFS deny permission and an Allow permission when applied to a file? The user's final effective permission on the file will be deny since that always takes precedence.% Row Count 15 (+ 5)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{FORENSIC}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{A write-blocking is a tool is designed to avoid any write access to a hard disk when performing forensic investigations. It allows read-only access to a data storage device without compromising the integrity of the data. If used properly, it can deliver a high degree of confidence in the protection of the chain of custody.% Row Count 7 (+ 7)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{DNS}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Domain Name System (DNS) uses TCP port 53 for connection-oriented tasks such as database replication and UDP port 53 for unreliable activities like queries to DNS servers.% Row Count 4 (+ 4)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{IPV4 HEADER}}  \tn
\SetRowColor{LightBackground}
\mymulticolumn{1}{p{17.67cm}}{\vspace{1px}\centerline{\includegraphics[width=5.1cm]{/web/www.cheatography.com/public/uploads/xoulea_1715140892_IPV4.jpg}}} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{IPV6 HEADER}}  \tn
\SetRowColor{LightBackground}
\mymulticolumn{1}{p{17.67cm}}{\vspace{1px}\centerline{\includegraphics[width=5.1cm]{/web/www.cheatography.com/public/uploads/xoulea_1715140920_IPV6.png}}} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{PENTEST}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{White box penetration testing takes into account scenarios where almost all information is available to execute an attack. More often this type of pen testing produces very focused results. Black box approach is the opposite of white box, and the pen tester does not have any information about the system they are trying to breach. This is more accurate in simulating an external attack. Gray box, on the other hand, is halfway between a white box and a black box approach. In this approach, the pen tester has some information available, but not all.% Row Count 12 (+ 12)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{NIST}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{The five key aspects of NIST Cyber Security Framework are: \newline % Row Count 2 (+ 2)
1.	Identify \newline % Row Count 3 (+ 1)
2.	Protect \newline % Row Count 4 (+ 1)
3.	Detect \newline % Row Count 5 (+ 1)
4.	Respond \newline % Row Count 6 (+ 1)
5.	Recover \newline % Row Count 7 (+ 1)
The five steps of the NIST Enterprise Security Architecture (ESA) are identify \textgreater{} protect \textgreater{} detect \textgreater{} respond \textgreater{} recover. Other activities of the "protect" phase are awareness training and information protection and procedures. \newline % Row Count 12 (+ 5)
According to NIST, security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information. Examples of operational controls would be configuration management, incident response, and system integrity. \newline % Row Count 20 (+ 8)
Examples of deterrent controls would be signage, bollards, banners, guards, dogs, lighting, and visible video surveillance. \newline % Row Count 23 (+ 3)
According to NIST Special Publication 800-61, a computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. An employee knowingly crashing the e-commerce server is an example of a computer security incident. The security administrator changing the permissions of a directory and an employee accessing a file do not relate to an incident. The intruder breaking into office premises does constitute a security incident, just not a computer security incident.% Row Count 35 (+ 12)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{TCP}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Assume Device A has completed its transmission and indicates this by sending a segment to Device B with the FIN bit set to 1. Device B will acknowledge the segment with an ACK. At this point in time, Device B will no longer accept data from Device A. Device B can continue to accept data from its application to transmit to Device A. If Device B does not have any more data to transmit, it will also terminate the connection by transmitting a segment to Device A with the FIN bit set to 1. Device A will then ACK that segment and terminates the connection.% Row Count 12 (+ 12)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{CIA TRIAD}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Confidentiality, Integrity, and Availability (also known as the CIA triad) are the cornerstones of Information Security. This is a model created to define security policies for organizations and it has everything to do with secure storage, transmission, retrieval, execution, and any action dealing with security of information. \newline % Row Count 7 (+ 7)
The Parkerian hexad is a group of six information security elements offered by Donn B. Parker in 1998. The hexad adds three additional attributes to the three classic security attributes of the CIA triad (confidentiality, integrity, availability). These elements are utility, authenticity, and possession (control). \newline % Row Count 14 (+ 7)
Digital signatures provide peer authentication, integrity, and non-repudiation. They do not offer confidentiality services or availability between peers. \newline % Row Count 18 (+ 4)
In the world of information security, integrity protects against unauthorized changes to data. Integrity can be implemented using various tools and mechanisms, for example, hashing algorithms. \newline % Row Count 22 (+ 4)
The least privilege principle involves granting just the right amount of access to data, applications, and systems that are necessary for the job role and no more.% Row Count 26 (+ 4)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{THREAT}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{Threat enumeration is defined as a process which establishes an active connection to the target hosts to discover potential attack vectors in the system, and the same can be used for further exploitation of the system. Enumeration is often considered as a critical phase in Penetration testing as the outcome of enumeration can be used directly for exploiting the system. \newline % Row Count 8 (+ 8)
Enumeration is defined as a process that establishes an active connection to the target hosts to discover potential attack vectors in the system. Enumeration can be used for further exploitation of the system. Enumeration is used to gather: Usernames, group names, Hostnames, Network shares and services, IP tables and routing tables, SNMP and DNS details.% Row Count 16 (+ 8)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{ACCESS CONTROLS}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{A mandatory access control (MAC) model, such a Bell-LaPadula and Biba, is a system of access control that assigns security labels or classifications to system resources and allows access only to principals with distinct levels of authorization or clearance. Mandatory Access Control (MAC) requires allocation of labels to provide resource access. The labels are, for example, Public, Confidential, Secret, and so on. The labels can be managed at organizational level. \newline % Row Count 10 (+ 10)
When the owner of a file makes the decisions about who has rights or access privileges to it, the owner is using discretionary access control or DAC. The Nondiscretionary access control on the other hand has a fixed set of rules that exist to manage access.% Row Count 16 (+ 6)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{FIREWALL/SIEM}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{A next generation firewall (NGFW) provides capabilities beyond that of a stateful network firewall. A stateful firewall is a network security device that filters incoming and outgoing network traffic based upon Internet Protocol (IP) port and IP addresses. By intelligently inspecting the payload of some packets, new connection requests can be associated with existing legitimate connections. An NGFW adds additional features such as application control, integrated intrusion prevention (IPS) and often more advanced threat prevention capabilities like sandboxing. \newline % Row Count 12 (+ 12)
A firewall is a network security device that monitors incoming and outgoing network traffic and permits or blocks data packets based on a set of security rules. Ideally, a firewall should be placed at critical junctures in a network to provide segmentation between trusted and untrusted services or user access. Firewalls have been an integral part of security industry over the past 25 years. \newline % Row Count 20 (+ 8)
A firewall is a software or hardware device that work as a filtration system for the data attempting to enter your computer or network. A firewall monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls are typically used to segment network to filter traffic from unsecure (untrusted) to secure (trusted) zones and vice-versa. \newline % Row Count 29 (+ 9)
The intrusion prevention service (IPS) sensor is an inline, proactive, and preventative security control that can prevent the malicious payload from being delivered to the target. The IDS will take actions based on copies of the frame and is reactive. \newline % Row Count 35 (+ 6)
} \tn 
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{FIREWALL/SIEM (cont)}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{A signature-based HIDS system is dependent entirely on availability (and timely updating) of signatures as it can only detect attacks that correspond to attack signatures present in its signature database. Hence, a signature-based HIDS system wouldn't be able to appropriately identify any zero-day attacks. \newline % Row Count 7 (+ 7)
Anomaly-based detection is form of intrusion detection that relies upon observing network occurrences and discerning anomalous traffic through heuristics and statistics measured against an established baseline of normal operations. \newline % Row Count 12 (+ 5)
Endpoint Detection and Response (EDR) are tools that are mainly dedicated to detection and investigation of suspicious activities and indicators of compromise (IoCs) on hosts/endpoints. McAfee, Norton, and CrowdStrike are examples of EDR solutions. \newline % Row Count 17 (+ 5)
A multi-phased logging analysis methodology would be Phase 1: Log Collection using tools like Kiwi and syslog ng; Phase 2: Log Storage using databases such as MySQL and PostgreSQL; Phase 3: Log Analysis using Splunk, grep, or LogParser; and Phase 4: Log Correlation and Alerting with tools like OSSEC (Open Source HIDS SECurity) and OSSIM (Open Source SIEM). \newline % Row Count 25 (+ 8)
All given examples are Security Information and Event Management (SIEM) solutions. A SIEM solution receives data from different sources, including IPS devices, firewalls, NetFlow generating devices, servers, endpoints, and syslogs from infrastructure devices. It provides a central view of logging and related security activities across network. \newline % Row Count 32 (+ 7)
} \tn 
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{17.67cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{17.67cm}}{\bf\textcolor{white}{FIREWALL/SIEM (cont)}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{17.67cm}}{SIEM has evolved from separate security event and security information monitoring. It is the primary centralized log correlation, aggregation, and normalization solution used in modern enterprises today. Common solutions would be SolarWinds Security Event  Manager, ManageEngine EventLog, and Azure Sentinel. \newline % Row Count 7 (+ 7)
Following are the most commonly used network security logging platforms: \newline % Row Count 9 (+ 2)
•	Kiwi Syslog – SolarWinds Kiwi Syslog Server is a syslog management tool. It can receive syslog messages and SNMP traps from network devices (routers, switches, firewalls, etc.), and Linux/Unix hosts \newline % Row Count 14 (+ 5)
•	syslog-ng – It is a free and open-source implementation of the syslog protocol for Unix and Unix-like systems \newline % Row Count 17 (+ 3)
Syslog messages include time stamps, event messages, severity levels (0-7), host IP addresses, and diagnostics. \newline % Row Count 20 (+ 3)
When using a SIEM system the Never Before Seen (NBS) analytics reporting is critical for identifying mew threats against systems.% Row Count 23 (+ 3)
} \tn 
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}



\end{document}