MODULE A: Cybersecurity and Security Manager Course | CompTIA Security+ SY0-701 Certificate
1) Mastering security basics
- Understanding core security goals
- Security scenarios
- Ensure confidentiality
- Provide integrity
- Increase availability
- Resource availability versus security constraints
- Introducing basic risk concepts
- Selecting effective security controls
- Control categories
- Technical controls
- Managerial controls
- Operational controls
- Physical controls
- Control types
- Preventive controls
- Deterrent controls
- Detective controls
- Corrective controls
- Directive controls
- Combining control categories and types
- Logging and monitoring
- Operating system/endpoint logs
- Network logs
- Firewall logs
- IDS/IPS logs
- Packet captures
- Application logs
- Centralized logging and monitoring
Objectives covered:
1.1 Compare and contrast various types of security controls
- Categories (technical, managerial, operational, physical)
- Control types (preventive, deterrent, detective, corrective, compensating, directive)
1.2 Summarize fundamental security concepts
- Confidentiality, integrity, and availability (CIA)
2.5 Explain the purpose of mitigation techniques used to secure the enterprise
- Monitoring
- Least privilege
3.2 Given a scenario, apply security principles to secure enterprise infrastructure
- Selection of effective controls
4.1 Given a scenario, apply common security techniques to computing resources
- Monitoring
4.4 Explain security alerting and monitoring concepts and tools
- Monitoring computing resources (systems, applications, infrastructure)
- Activities (log aggregation, alerting, scanning, reporting, archiving)
- Alert tuning
- Security Information and Event Management (SIEM)
4.5 Given a scenario, modify enterprise capabilities to enhance security
- User Behavior Analytics (UBA)
4.9 Given a scenario, use data sources to support an investigation
- Log data (firewall logs, application logs, endpoint logs, OS-specific security logs, IPS/IDS logs, network logs, metadata)
- Data sources (automated reports, dashboards, packet captures)
2) Understanding identity and access management
- Exploring authentication management
- Comparing identification and AAA
- Comparing authentication factors
- Something you know
- Something you have
- Something you are
- Two-factor and multifactor authentication
- Passwordless authentication
- Authentication log files
- Managing accounts
- Credential policies and account types
- Privileged access management
- Requiring administrators to use two accounts
- Prohibiting shared and generic accounts
- Deprovisioning
- Time-based logins
- Account audits
- Comparing authentication services
- Single sign-on
- LDAP
- SSO and a federation
- SAML
- SAML and authorization
- OAuth
- Authorization models
- Role-based access control
- Using roles based on jobs and functions
- Documenting roles with a matrix
- Establishing access with group-based privileges
- Rule-based access control
- Discretionary access control
- Filesystem permissions
- SIDs and DACLs
- Mandatory access control
- Labels and lattice
- Establishing access
- Attribute-based access control
- Analyzing authentication indicators
Objectives covered:
1.2 Summarize fundamental security concepts
- Authentication, authorization, and accounting (AAA) (Authenticating people, Authenticating systems, Authorization models)
2.4 Given a scenario, analyze indicators of malicious activity
- Indicators (account lockout, concurrent session usage, blocked content, impossible travel, resource consumption, resource inaccessibility, out-of-cycle logging, published/documented, missing logs)
2.5 Explain the purpose of mitigation techniques used to secure the enterprise
- Access control (Access Control List (ACL), permissions)
4.5 Given a scenario, modify enterprise capabilities to enhance security
- Operating system security (SELinux)
4.6 Given a scenario, implement and maintain identity and access management
- Provisioning/de-provisioning user accounts
- Permission assignments and implications
- Identity proofing
- Federation
- Single sign-on (SSO) (Open Authorization (OAuth), Security Assertions Markup Language (SAML))
- Interoperability
- Attestation
- Access controls (mandatory, discretionary, role-based, rule-based, attribute-based, time-of-day restrictions, least privilege)
- Multifactor authentication (implementations, biometrics, hard/soft authentication tokens, security keys)
- Factors (something you know, something you have, something you are, somewhere you are)
- Password concepts
- Password best practices (length, complexity, reuse, expiration, age)
- Password managers
- Passwordless
- Privileged access management tools (just-in-time permissions, password vaulting, ephemeral credentials)
3) Exploring network technologies and tools
- Reviewing basic networking concepts
- OSI model
- Basic networking protocols
- Implementing protocols for use cases
- Data in transit use cases
- Email and web use cases
- Directory use cases
- Voice and video use cases
- Remote access use cases
- Time synchronization use cases
- Network address allocation use cases
- Domain name resolution use cases
- Understanding basic network infrastructure
- Switches
- Routers
- Simple Network Management Protocol
- Firewalls
- Host-based firewalls
- Network-based firewalls
- Failure modes
- Implementing network designs
- Security zones
- Screened subnet
- Network address translation gateway
- Physical isolation and air gap
- Logical separation and segmentation
- Network appliances
- Proxy servers
- Caching content for performance
- Content filtering
- Reverse proxy
- Unified threat management
- Jump server
- Zero trust
- Control plane vs. data plane
- Secure access service edge
Objectives covered:
1.2 Summarize fundamental security concepts
- Zero trust (control plane: adaptive identity, threat scope reduction, policy-driven access control, policy administrator, policy engine; data plane: implicit trust zones, subject/system, policy enforcement point)
2.5 Explain the purpose of mitigation techniques used to secure the enterprise
- Isolation
- Hardening techniques (host-based firewall)
3.1 Compare and contrast security implications of different architecture models
- Network infrastructure (physical isolation, air-gapped, logical segmentation)
3.2 Given a scenario, apply security principles to secure enterprise infrastructure
- Device placement
- Security zones
- Attack surface
- Connectivity
- Failure modes (fail-open, fail-closed)
- Network appliances (jump server, proxy server, load balancer)
- Firewall types (web application firewall (WAF), unified threat management (UTM), next-generation firewall (NGFW), layer 4/layer 7)
- Secure communication/access (tunneling, Transport Layer Security (TLS), Secure Access Service Edge (SASE))
3.3 Compare and contrast concepts and strategies to protect data
- Methods to secure data (segmentation)
4.1 Given a scenario, apply common security techniques to computing resources.
- Hardening targets (switches, routers)
4.4 Explain security alerting and monitoring concepts and tools
- Simple Network Management Protocol (SNMP) traps
4.5 Given a scenario, modify enterprise capabilities to enhance security
- Firewall (rules, access lists, ports/protocols, screened subnets)
- Web filter (agent-based, centralized proxy, universal resource locator (URL) scanning, content categorization, block rules, reputation)
- Operating system security (group policy chapter)
- Implementation of secure protocols (protocol selection, port selection, transport method)
- Email security (Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), gateway)
4) Securing your network
- Exploring advanced security devices
- Understanding IDSs and IPSs
- HIDS
- NIDS
- Sensor and collector placement
- Detection methods
- Data sources and trends
- Reporting based on rules
- Alert response and validation
- IPS versus IDS: inline versus passive
- Honeypots
- Honeynets
- Honeyfile
- Honeytokens
- Securing wireless networks
- Reviewing wireless basics
- Band selection and channel overlaps
- MAC filtering
- Site surveys and heat maps
- Access point installation considerations
- Wireless cryptographic protocols
- WPA2 and CCMP
- Open, PSK, and Enterprise modes
- WPA3 and simultaneous authentication of equals
- Authentication protocols
- IEEE 802.1X security
- Controller and access point security
- Captive portals
- Understanding wireless attacks
- Disassociation attacks
- Wi-Fi Protected Setup
- Rogue access point
- Evil twin
- Jamming attacks
- IV attacks
- Near field communication attacks
- RFID attacks
- Wireless replay attacks
- War driving and war flying
- Using VPNs for remote access
- VPNs and VPN concentrators
- Remote access VPN
- IPsec as a tunneling protocol
- SSL/TLS as a tunneling protocol
- Split tunnel versus full tunnel
- Site-to-site VPNs
- Always-on VPN
- L2TP as a tunneling protocol
- HTML5 VPN portal
- Network access control
- Host health checks
- Agent versus agentless NAC
- Authentication and authorization methods
- PAP
- CHAP
- RADIUS
- TACACS+
- AAA protocols
Objectives covered:
1.2 Summarize fundamental security concepts
- Deception and disruption technology (honeypot, honeynet, honeyfile, honeytoken)
2.3 Explain various types of vulnerabilities
2.4 Given a scenario, analyze indicators of malicious activity
- Physical attacks (radio frequency identification (RFID) cloning)
- Network attacks (wireless)
3.2 Given a scenario, apply security principles to secure enterprise infrastructure
- Device attributes (active vs. passive, inline vs. tap/monitor)
- Intrusion prevention system (IPS)/intrusion detection system (IDS)
- Sensors
- Port security (802.1X, Extensible Authentication Protocol (EAP))
- Secure communication/access (virtual private network (VPN), remote access, tunneling (IPsec))
4.1 Given a scenario, apply common security techniques to computing resources
- Wireless devices (installation considerations: site surveys, heat maps)
- Wireless security settings (Wi-Fi Protected Access 3 (WPA3), AAA/Remote Authentication Dial-In User Service (RADIUS), cryptographic protocols, authentication protocols)
4.4 Explain security alerting and monitoring concepts and tools
- Agent / agentless
- Alerting response and remediation / validation (quarantine)
4.5 Given a scenario, modify enterprise capabilities to enhance security
- IDS/IPS (trends, signature)
- Network Access Control (NAC)
5) Securing hosts and data
- Virtualization
- Thin clients and virtual desktop infrastructure
- Containerization
- VM escape protection
- VM sprawl avoidance
- Resource reuse
- Replication
- Snapshots
- Implementing secure systems
- Endpoint security software
- Hardening workstations and servers
- Configuration enforcement
- Secure baseline and integrity measurements
- Using master images for baseline configurations
- Patching and patch management
- Change management
- Application allow and block lists
- Disk encryption
- Boot integrity
- Boot security and UEFI
- Trusted platform module
- Hardware security module
- Decommissioning and disposal
- Protecting data
- Data loss prevention
- Removable media
- Protecting confidentiality with encryption
- Database security
- Protecting data in use
- Summarizing cloud concepts
- Cloud delivery models
- Software as a service
- Platform as a service
- Infrastructure as a service
- Cloud deployment models
- Application programming interfaces
- Microservices and APIs
- Managed security service provider
- Cloud service provider responsibilities
- Cloud security considerations
- On-premises versus off-premises
- Hardening cloud environments
- Cloud access security broker
- Cloud-based DLP
- Next-generation secure web gateway
- Cloud firewall considerations
- Infrastructure as code
- Software-defined networking
- Edge and fog computing
- Deploying mobile devices securely
- Mobile device deployment models
- Connection methods and receivers
- Hardening mobile devices
- Unauthorized software
- Hardware control
- Unauthorized connections
- Exploring embedded systems
- Understanding internet of things
- ICS and SCADA systems
- Embedded systems components
- Hardening specialized systems
- Embedded system constraints
Objectives covered:
1.4 Explain the importance of using appropriate cryptographic solutions
- Encryption (level: full-disk, partition, file, volume, database, record)
- TPM (trusted platform module)
- HSM (hardware security module)
- Key Management System
- Secure enclave
2.3 Explain various types of vulnerabilities
- Operating system (OS)-based
- Hardware (firmware, end-of-life, legacy)
- Virtualization (Virtual Machine (VM) escape, resource reuse)
- Cloud-specific
- Misconfiguration
- Mobile device (side loading, jailbreaking)
2.5 Explain the purpose of mitigation techniques used to secure the enterprise
- Segmentation
- Application allow list
- Patching
- Encryption
- Configuration enforcement
- Decommissioning
- Hardening techniques (encryption, installation of endpoint protection, host-based intrusion prevention system (HIPS), disabling ports/protocols, default password changes, removal of unnecessary software)
3.1 Compare and contrast security implications of different architecture models
- Cloud (responsibility matrix, hybrid considerations, third-party vendors)
- Infrastructure as Code (IaC)
- Serverless
- Microservices
- Network infrastructure (Software-Defined Networking (SDN))
- On-premises
- Centralized vs. decentralized
- Containerization
- Virtualization
- IoT (Internet of things)
- Industrial Control Systems (ICS) / Supervisory Control And Data Acquisition (SCADA)
- Real-Time Operating System (RTOS)
- Embedded systems
- Considerations (availability, resilience, cost, responsiveness, scalability, ease of deployment, risk transference, ease of recovery, patch availability, inability to patch, power, compute)
3.3 Compare and contrast concepts and strategies to protect data
4.1 Given a scenario, apply common security techniques to computing resources
- Secure baselines (establish, deploy, maintain)
- Hardening targets (mobile devices, workstation, cloud infrastructure, servers, ICS/SCADA, embedded systems, RTOS, IoT)
- Mobile solutions (Mobile Device Management (MDM); deployment models: Bring Your Own Device (BYOD), Corporate Owned, Personally Enabled (COPE), Choose Your Own Device (CYOD); connection methods: cellular, wi-fi, bluetooth)
4.4 Explain security alerting and monitoring concepts and tools
- Antivirus
- DLP (Data Loss Prevention)
4.5 Given a scenario, modify enterprise capabilities to enhance security
- DLP
- Endpoint Detection and Response (EDR)
- eXtended Detection and Response (XDR)
6) Comparing threats, vulnerabilities and common attacks
- Understanding threat actors
- Threat actor types
- Attacker attributes
- Threat actor motivations
- Threat vectors and attack surfaces
- Shadow IT
- Determining malware types
- Viruses
- Worms
- Logic bombs
- Trojans
- Remote access trojan
- Keyloggers
- Spyware
- Rootkit
- Ransomware
- Bloatware
- Potential indicators of a malware attack
- Recognizing common attacks
- Social engineering and human vectors
- Impersonation
- Shoulder surfing
- Disinformation
- Tailgating and access control vestibules
- Dumpster diving
- Watering hole attacks
- Business email compromise
- Typosquatting
- Brand impersonation
- Eliciting information
- Pretexting
- Message-based attacks
- Spam
- Spam over instant messaging
- Phishing
- Whaling
- Vishing
- Smishing
- One click lets them in
- Blocking malware and other attacks
- Spam filters
- Antivirus and anti-malware software
- Signature-based detection
- Heuristic-based detection
- File integrity monitors
- Why social engineering works
- Authority
- Intimidation
- Consensus
- Scarcity
- Urgency
- Familiarity
- Trust
- Threat intelligence sources
- Research sources
Objectives covered:
2.1 Compare and contrast common threat actors and motivations
- Threat actors (nation-state, unskilled attacker, hacktivist, insider threat, organized crime, shadow IT)
- Attributes of actors (internal/external, resources/funding, level of sophistication/capability)
- Motivations (data exfiltration, espionage, service disruption, blackmail, financial gain, philosophical/political beliefs, ethical revenge, disruption/chaos, war)
2.2 Explain common threat vectors and attack surfaces
- Message-based (email, short message service (SMS), instant messaging (IM))
- Image-based
- File-based
- Voice call
- Removable device
- Vulnerable software (client-based vs. agentless)
- Unsupported systems and applications
- Unsecure networks (wireless, wired, Bluetooth)
- Open service ports
- Default credentials
- Supply chain (Managed Service Providers (MSP), vendors, suppliers)
- Human vectors/social engineering (phishing, vishing, smishing, misinformation/disinformation, impersonation, business email compromise, pretexting, watering hole, brand impersonation, typosquatting)
2.4 Given a scenario, analyze indicators of malicious activity
- Malware attacks (ransomware, trojan, worm, spyware, bloatware, virus, keylogger, logic bomb, rootkit)
- Malicious code
4.3 Explain various activities associated with vulnerability management
- Threat feed (Open-Source Intelligence (OSINT), proprietary/third-party, information-sharing organization, dark web)
4.5 Given a scenario, modify enterprise capabilities to enhance security
- File integrity monitoring
7) Protecting against advanced attacks
- Identifying network attacks
- Denial of Service attacks
- Forgery
- On-path attacks
- Secure Sockets Layer stripping
- DNS attacks
- DNS poisoning attacks
- Pharming attacks
- URL redirection
- Domain hijacking
- DNS filtering
- DNS log files
- Replay attacks
- Summarizing secure coding concepts
- Input validation
- Client-side and server-side input validation
- Other input validation techniques
- Avoiding race conditions
- Proper error handling
- Code obfuscation
- Software diversity
- Outsourced code development
- Data exposure
- HTTP headers
- Secure cookie
- Code signing
- Analyzing and reviewing code
- Software version control
- Secure development environment
- Database concepts
- Web server logs
- Other application attacks
- Memory vulnerabilities
- Memory leak
- Buffer overflows and buffer attacks
- Integer overflow
- Other injection attacks
- DLL injection
- LDAP injection
- XML injection
- Directory traversal
- Cross-site scripting
- Automation and orchestration for secure operations
- Automation and scripting use cases
- Benefits of automation and scripting
Objectives covered:
2.3 Explain various types of vulnerabilities
- Application (memory injection, buffer overflow, race conditions: Time-of-Check (TOC), Time-of-Use (TOU))
- Malicious update
- Web-based (SQL injection, XSS)
2.4 Given a scenario, analyze indicators of malicious activity
- Network attack (distributed denial of service (DDoS): amplified, reflected; domain name system attack; on-path; credential replay)
- Application attack (injection, buffer overflow, replay, forgery, directory traversal)
4.1 Given a scenario, apply common security techniques to computing resources
- Application security (input validation, secure cookies, static code analysis, code signing)
- Sandboxing
4.7 Explain the importance of automation and orchestration related to secure operations
- Use cases of automation and scripting (user provisioning, resource provisioning, guard rails, security groups, ticket creation, escalation, enabling/disabling services and access, continuous integration and testing, integrations and application programming interfaces (APIs))
- Benefits (efficiency/time saving, enforcing baselines, standard infrastructure configurations, scaling in a secure manner, employee retention, reaction time, workforce multiplier)
- Other considerations (complexity, cost, single point of failure, technical debt, ongoing supportability)
8) Using risk management tools
- Understanding risk management
- Threats
- Risk identification
- Risk types
- Vulnerabilities
- Risk management strategies
- Risk assessment types
- Risk analysis
- Supply chain risks
- Comparing scanning and testing tools
- Checking for vulnerabilities
- Network scanners
- Vulnerability scanning
- Credentialed vs. Non-credentialed scans
- Configuration review
- Penetration testing
- Rules of engagement
- Reconnaissance
- Footprinting versus fingerprinting
- Initial exploitation
- Persistence
- Lateral movement
- Privilege escalation
- Pivoting
- Known, unknown, and partially known testing environments
- Cleanup
- Responsible disclosure programs
- System and process audits
- Intrusive versus non-intrusive testing
- Responding to vulnerabilities
- Remediating vulnerabilities
- Validation of remediation
- Capturing network traffic
- Packet capture and replay
- tcpreplay and tcpdump
- NetFlow
- Understanding frameworks and standards
- ISO standards
- Industry-specific frameworks
- NIST frameworks
- NIST risk management framework
- NIST cybersecurity framework
- Reference architecture
- Benchmarks and configuration guides
- Audits and assessments
Objectives covered:
1.2 Summarize fundamental security concepts
2.3 Explain various types of vulnerabilities
- Supply chain (service provider, hardware provider, software provider)
4.3 Explain various activities associated with vulnerability management
- Vulnerability scan
- Penetration testing
- Responsible disclosure program
- Bug bounty program
- System/process audit
- Analysis (confirmation, false positive, false negative, prioritize, Common Vulnerability Scoring System (CVSS), Common Vulnerability Enumeration (CVE), vulnerability classification, exposure factor, environmental variables, industry/organizational impact, risk tolerance)
- Vulnerability response and remediation (patching, insurance, segmentation, compensating controls, exceptions and exemptions)
- Validation of remediation (rescanning, audit, verification)
- Reporting
4.4 Explain security alerting and monitoring concepts and tools
- Security Content Automation Protocol (SCAP)
- Benchmarks
- NetFlow
- Vulnerability scanners
5.2 Explain elements of the risk management process
- Risk identification
- Risk assessment (ad hoc, recurring, one-time, continuous)
- Risk analysis (qualitative; quantitative; Single Loss Expectancy (SLE); Annualized Loss Expectancy (ALE); Annualized Rate of Occurrence (ARO); probability; likelihood; Exposure Factor; impact; risk register: key risk indicators, risk owners, risk threshold; risk tolerance; risk appetite: expansionary, conservative, neutral; risk management strategies: transfer, accept exemption, accept exception, avoid, mitigate)
- Risk reporting
5.5 Explain types and purposes of audits and assessments
- Attestation
- Internal (compliance, audit committee, self-assessments)
- External (regulatory, examinations, assessment, independent third-party audit)
- Penetration testing (physical, offensive, defensive, integrated, known environment, partially known environment, unknown environment)
- Reconnaissance (passive, active)
9) Implementing controls to protect assets
- Comparing physical security controls
- Access badges
- Increasing security with personnel
- Monitoring areas with video surveillance
- Sensors
- Fencing, lighting and alarms
- Securing access with barricades
- Access control vestibules
- Asset management
- Hardware asset management
- Software asset management
- Data asset management
- Platform diversity
- Physical attacks
- Card skimming and card cloning
- Brute force attacks
- Environmental attacks
- Adding redundancy and fault tolerance
- Single Point of Failure
- Disk redundancies
- RAID-0
- RAID-1
- RAID-5 and RAID-6
- RAID-10
- Server redundancy and high availability
- Active/active load balancers
- Active/passive load balancers
- NIC teaming
- Power redundancies
- Protecting data with backups
- Backup media
- Online versus offline backups
- Full backups
- Recovering a full backup
- Differential backups
- Order of recovery for a full/differential backup set
- Incremental backups
- Order of recovery for a full/incremental backup set
- Snapshot and image backups
- Replication and journaling
- Backup frequency
- Testing backups
- Backup and geographic considerations
- Comparing business continuity elements
- Business impact analysis concepts
- Site risk assessment
- Impact
- Recovery Time Objective
- Recovery Point Objective
- Comparing MTBF and MTTR
- Continuity of operations planning
- Site resiliency
- Restoration order
- Disaster recovery
- Testing plans with exercises
- Tabletop exercises
- Simulations
- Parallel processing
- Failover tests
- Capacity planning
Objectives covered:
1.2 Summarize fundamental security concepts
- Physical security (bollards, access control vestibule, fencing, video surveillance, security guard, access badge, lighting, sensors: infrared, pressure, microwave, ultrasonic)
- Physical attack (brute force, environmental)
3.3 Compare and contrast concepts and strategies to protect data
- General data considerations (data sovereignty)
3.4 Explain the importance of resilience and recovery in security architecture
- High availability (load balancing vs. clustering)
- Site considerations (hot, cold, warm, geographic dispersion)
- Platform diversity
- Continuity of operations
- Capacity planning (people, technology, infrastructure)
- Testing (tabletop exercises, fail over, simulation, parallel processing)
- Backups (onsite/offsite, frequency, encryption, snapshots, recovery, replication, journaling)
- Power (generators, uninterruptible power supply (UPS))
4.2 Explain the security implications of proper hardware, software, and data asset management
- Acquisition/procurement
- Assignment/accounting (ownership, classification)
- Monitoring/asset tracking (inventory/enumeration)
5.2 Explain elements of the risk management process
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)
- Mean Time To Repair (MTTR)
- Mean Time Between Failures (MTBF)
10) Understanding cryptography and PKI
- Introducing cryptography concepts
- Providing integrity with hashing
- Hash versus checksum
- MD5
- Secure hash algorithms
- HMAC
- Hashing files
- Hashing messages
- Using HMAC
- Hashing passwords
- Understanding hash collisions
- Understanding password attacks
- Dictionary attacks
- Brute force attacks
- Password spraying attacks
- Birthday attacks
- Rainbow table attacks
- Salting passwords
- Key stretching
- Providing confidentiality with encryption
- Symmetric encryption
- Block versus stream ciphers
- Common symmetric algorithms
- AES
- 3DES
- Blowfish and twofish
- Asymmetric encryption
- Key exchange
- The Rayburn Box
- Certificates
- Ephemeral keys
- Elliptic curve cryptography
- Key length
- Obfuscation
- Steganography
- Tokenization
- Masking
- Using cryptographic protocols
- Protecting email
- Signing email with digital signatures
- Encrypting email
- S/MIME
- HTTPS transport encryption
- TLS versus SSL
- Encrypting HTTPS traffic with TLS
- Downgrade attacks on weak implementations
- Blockchain
- Identifying limitations
- Resource versus security constraints
- Speed and time
- Size and computational overhead
- Entropy
- Predictability
- Weak keys
- Reuse
- Plaintext attack
- Exploring PKI components
- Certificate authority
- Certificate trust models
- Registration authority and CSRs
- Online versus offline CAs
- Updating and revoking certificates
- Certificate revocation list
- Validating a certificate
- Certificate pinning
- Key escrow
- Key management
- Comparing certificate types
- Comparing certificate formats
Objectives covered:
1.2 Summarize fundamental security concepts
- Non-repudiation
1.4 Explain the importance of using appropriate cryptographic solutions
- Public key infrastructure (PKI) (public key, private key, key escrow)
- Encryption (transport/communication, asymmetric, symmetric, key exchange, algorithms, key length)
- Obfuscation (steganography, tokenization, data masking)
- Hashing
- Salting
- Digital signatures
- Key stretching
- Blockchain
- Open public ledger
- Certificates (Certificate Authorities, Certificate Revocation Lists (CRLs), Online Certificate Status Protocol (OCSP), self-signed, third-party, root of trust, Certificate Signing Request (CSR) generation, wildcard)
2.3 Explain various types of vulnerabilities
- Cryptographic
- Cryptographic attacks (downgrade, collision, birthday)
- Password attacks (spraying, brute force)
3.3 Compare and contrast concepts and strategies to protect data
- General data considerations (data states: at rest, in transit, in use)
- Methods to secure data (encryption, hashing, masking, tokenization, obfuscation)
11) Implementing policies to mitigate risks
- Change management
- Business processes
- Technical implications
- Documentation and version control
- Protecting data
- Understanding data types
- Classifying data types
- Securing data
- Data retention
- Data sanitization
- Incident response
- Incident response plan
- Incident response process
- Incident response training and testing
- Threat hunting
- Understanding digital forensics
- Acquisition and preservation
- Legal holds and electronic discovery
- Admissibility of documentation and evidence
- Reporting
- Understanding SOAR
- Security governance
- Governance structures
- External considerations
- Security policies
- Security standards
- Security procedures
- Security guidelines
- Data governance
- Data roles
- Monitoring and revision
- Third-party risk management
- Supply chain and vendors
- Vendor assessment
- Vendor selection
- Vendor agreements
- Security compliance
- Compliance monitoring and reporting
- Privacy
- Data inventory and retention
- Security awareness
- Computer-based training
- Phishing campaigns
- Recognizing anomalous behavior
- User guidance and training
- Awareness program development and execution
Objectives covered:
1.3 Explain the importance of change management processes and the impact to security
- Business processes impacting security operation (approval process, ownership, stakeholders, impact analysis, test results, backout plan, maintenance window, standard operating procedure)
- Technical implications (allow lists/deny lists, restricted activities, downtime, service restart, application restart, legacy applications, dependencies)
- Documentation (updating diagrams, updating policies/procedures)
- Version control
3.3 Compare and contrast concepts and strategies to protect data
- Data types (regulated, trade secret, intellectual property, legal information, financial information, human- and non-human-readable)
- Data classifications (sensitive, confidential, public, restricted, private, critical)
4.2 Explain the security implications of proper hardware, software, and data asset management
- Disposal/decommissioning (sanitization, destruction, certification, data retention)
4.3 Explain various activities associated with vulnerability management
- Application security (static analysis, dynamic analysis, package monitoring)
4.8 Explain appropriate incident response activities
- Process (preparation, detection, analysis, containment, eradication, recovery, lessons learned)
- Training
- Testing (tabletop exercise, simulation)
- Root cause analysis
- Threat hunting
- Digital forensics (legal hold, chain of custody, acquisition, reporting, preservation, e-discovery)
5.1 Summarize elements of effective security governance
- Guidelines
- Policies (Acceptable Use Policy (AUP), information security policies, business continuity, disaster recovery, incident response, Software Development Lifecycle (SDLC), change management)
- Standards (password, access control, physical security, encryption)
- Procedures (change management, onboarding/offboarding, playbooks)
- External considerations (regulatory, legal, industry, local/regional, national, global)
- Monitoring and revision
- Types of governance structures (boards, committees, government entities, centralized/decentralized)
- Roles and responsibilities for systems and data (owners, controllers, processors, custodians/stewards)
5.3 Explain the processes associated with third-party risk assessment and management
- Vendor assessment (penetration testing, right-to-audit clause, evidence of internal audits, independent assessments, supply chain analysis)
- Vendor selection (due diligence, conflict of interest)
- Agreement types (Service-Level Agreement (SLA), Memorandum Of Agreement (MOA), Memorandum Of Understanding (MOU), Master Service Agreement (MSA), Work Order (WO)/Statement Of Work (SOW), Non-Disclosure Agreement (NDA), Business Partners Agreement (BPA))
- Vendor monitoring
- Questionnaires
- Rules of engagement
5.4 Summarize elements of effective security compliance
- Compliance reporting (internal, external)
- Consequences of non-compliance (fines, sanctions, reputational damage, loss of license, contractual impacts)
- Compliance monitoring (due diligence/care, attestation and acknowledgement, internal and external, automation)
- Privacy (legal implications, local/regional, national, global)
- Data subject
- Controller vs. Processor
- Ownership
- Data inventory and retention
- Right to be forgotten
5.6 Given a scenario, implement security awareness practices
- Phishing (campaigns, recognizing a phishing attempt, responding to reported suspicious messages)
- Anomalous behavior recognition (risky, unexpected, unintentional)
- User guidance and training (policy/handbooks, situational awareness, insider threat, password management, removable media and cables, social engineering, operational security, hybrid/remote work environment)
- Reporting and monitoring (initial, recurring)
- Development and Execution
MODULE B: Penetration Testing and Ethical Hacking Course | CompTIA PenTest+ Certificate
Unit 1 – Planning and Scoping
Module 1 – Compare and contrast governance, risk, and compliance concepts.
- Regulatory compliance considerations
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- Location restrictions
- Country limitations
- Tool restrictions
- Local laws
- Local government requirements
- Privacy requirements
- Legal concepts
- Service-level agreement (SLA)
- Confidentiality
- Statement of work
- Non-disclosure agreement (NDA)
- Master service agreement
- Permission to attack
Module 2 – Explain the importance of scoping and organizational/customer requirements.
- Standards and methodologies
- MITRE ATT&CK
- Open Web Application Security Project (OWASP)
- National Institute of Standards and Technology (NIST)
- Open-source Security Testing Methodology Manual (OSSTMM)
- Penetration Testing Execution Standard (PTES)
- Information Systems Security Assessment Framework (ISSAF)
- Rules of engagement
- Time of day
- Types of allowed/disallowed tests
- Other restrictions
- Environmental considerations
- Network
- Application
- Cloud
- Target list/in-scope assets
- Wireless networks
- Internet Protocol (IP) ranges
- Domains
- Application programming interfaces (APIs)
- Physical locations
- Domain name system (DNS)
- External vs. internal targets
- First-party vs. third-party hosted
- Validate scope of engagement
- Question the client/review contracts
- Time management
- Strategy
- Unknown-environment vs. known-environment testing
Module 3 – Given a scenario, demonstrate an ethical hacking mindset by maintaining professionalism and integrity.
- Background checks of penetration testing team
- Adhere to specific scope of engagement
- Identify criminal activity
- Immediately report breaches/ criminal activity
- Limit the use of tools to a particular engagement
- Limit invasiveness based on scope
- Maintain confidentiality of data/information
- Risks to the professional
- Fees/fines
- Criminal charges
Unit 2 – Information Gathering and Vulnerability Scanning
Module 1 – Given a scenario, perform passive reconnaissance.
- DNS lookups
- Identify technical contacts
- Administrator contacts
- Cloud vs. self-hosted
- Social media scraping
- Key contacts/job responsibilities
- Job listing/technology stack
- Cryptographic flaws
- Secure Sockets Layer (SSL) certificates
- Revocation
- Company reputation/security posture
- Data
- Password dumps
- File metadata
- Strategic search engine analysis/enumeration
- Website archive/caching
- Public source-code repositories
- Open-source intelligence (OSINT)
- Tools
- Sources
- Common weakness enumeration (CWE)
- Common vulnerabilities and exposures (CVE)
Module 2 – Given a scenario, perform active reconnaissance.
- Enumeration
- Hosts
- Services
- Domains
- Users
- Uniform resource locators (URLs)
- Website reconnaissance
- Crawling websites
- Scraping websites
- Manual inspection of web links
- Packet crafting
- Defense detection
- Load balancer detection
- Web application firewall (WAF) detection
- Antivirus
- Firewall
- Tokens
- Scoping
- Issuing
- Revocation
- Wardriving
- Network traffic
- Capture API requests and responses
- Sniffing
- Cloud asset discovery
- Third-party hosted services
- Detection avoidance
Module 3 – Given a scenario, analyze the results of a reconnaissance exercise.
- Fingerprinting
- Operating systems (OSs)
- Networks
- Network devices
- Software
- Analyze output from:
- DNS lookups
- Crawling websites
- Network traffic
- Address Resolution Protocol (ARP) traffic
- Nmap scans
- Web logs
Module 4 – Given a scenario, perform vulnerability scanning.
- Considerations of vulnerability scanning
- Time to run scans
- Protocols
- Network topology
- Bandwidth limitations
- Query throttling
- Fragile systems
- Non-traditional assets
- Scan identified targets for vulnerabilities
- Set scan settings to avoid detection
- Scanning methods
- Stealth scan
- Transmission Control Protocol (TCP) connect scan
- Credentialed vs. non-credentialed
- Nmap
- Nmap Scripting Engine (NSE) scripts
- Common options
- -A
- -sV
- -sT
- -Pn
- -O
- -sU
- -sS
- -T 1-5
- --script=vuln
- -p
- Vulnerability testing tools that facilitate automation
Unit 3 – Attacks and Exploits
Module 1 – Given a scenario, research attack vectors and perform network attacks.
- Stress testing for availability
- Exploit resources
- Exploit database (DB)
- Packet storm
- Attacks
- ARP poisoning
- Exploit chaining
- Password attacks
- Password spraying
- Hash cracking
- Brute force
- Dictionary
- On-path (previously known as man-in-the-middle)
- Kerberoasting
- DNS cache poisoning
- Virtual local area network (VLAN) hopping
- Network access control (NAC) bypass
- Media access control (MAC) spoofing
- Link-Local Multicast Name Resolution (LLMNR)/NetBIOS Name Service (NBT-NS) poisoning
- New Technology LAN Manager (NTLM) relay attacks
- Tools
Module 2 – Given a scenario, research attack vectors and perform wireless attacks.
- Attack methods
- Eavesdropping
- Data modification
- Data corruption
- Relay attacks
- Spoofing
- Deauthentication
- Jamming
- Capture handshakes
- On-path
- Attacks
- Evil twin
- Captive portal
- Bluejacking
- Bluesnarfing
- Radio-frequency identification (RFID) cloning
- Bluetooth Low Energy (BLE) attack
- Amplification attacks [Near-field communication (NFC)]
- Wi-Fi Protected Setup (WPS) PIN attack
- Tools
- Aircrack-ng suite
- Amplified antenna
Module 3 – Given a scenario, research attack vectors and perform application-based attacks.
- OWASP Top 10
- Server-side request forgery
- Business logic flaws
- Injection attacks
- Structured Query Language (SQL) injection
- Blind SQL
- Boolean SQL
- Stacked queries
- Command injection
- Cross-site scripting
- Lightweight Directory Access Protocol (LDAP) injection
- Application vulnerabilities
- Race conditions
- Lack of error handling
- Lack of code signing
- Insecure data transmission
- Session attacks
- Session hijacking
- Cross-site request forgery (CSRF)
- Privilege escalation
- Session replay
- Session fixation
- API attacks
- RESTful
- Extensible Markup Language-Remote Procedure Call (XML-RPC)
- SOAP
- Directory traversal
- Tools
- Web proxies
- OWASP Zed Attack Proxy (ZAP)
- Burp Suite Community Edition
- SQLmap
- DirBuster
- Resources
Module 4 – Given a scenario, research attack vectors and perform attacks on cloud technologies.
- Attacks
- Credential harvesting
- Privilege escalation
- Account takeover
- Metadata service attack
- Misconfigured cloud assets
- Identity and access management (IAM)
- Federation misconfigurations
- Object storage
- Containerization technologies
- Resource exhaustion
- Cloud malware injection attacks
- Denial-of-service attacks
- Side-channel attacks
- Direct-to-origin attacks
- Tools
- Software development kit (SDK)
Module 5 – Explain common attacks and vulnerabilities against specialized systems.
- Mobile
- Attacks
- Reverse engineering
- Sandbox analysis
- Spamming
- Vulnerabilities
- Insecure storage
- Passcode vulnerabilities
- Certificate pinning
- Using known vulnerable components
- Dependency vulnerabilities
- Patching fragmentation
- Execution of activities using root
- Over-reach of permissions
- Biometrics integrations
- Business logic vulnerabilities
- Tools
- Burp Suite
- Drozer
- Mobile Security Framework (MobSF)
- Postman
- Ettercap
- Frida
- Objection
- Android SDK tools
- ApkX
- APK Studio
- Internet of Things (IoT) devices
- BLE attacks
- Special considerations
- Fragile environment
- Availability concerns
- Data corruption
- Data exfiltration
- Vulnerabilities
- Insecure defaults
- Cleartext communication
- Hard-coded configurations
- Outdated firmware/hardware
- Data leakage
- Use of insecure or outdated components
- Data storage system vulnerabilities
- Misconfigurations—on-premises and cloud-based
- Default/blank username/password
- Network exposure
- Lack of user input sanitization
- Underlying software vulnerabilities
- Error messages and debug handling
- Injection vulnerabilities
- Management interface vulnerabilities
- Intelligent platform management interface (IPMI)
- Vulnerabilities related to supervisory control and data acquisition (SCADA)/Industrial Internet of Things (IIoT)/industrial control system (ICS)
- Vulnerabilities related to virtual environments
- Virtual machine (VM) escape
- Hypervisor vulnerabilities
- VM repository vulnerabilities
- Vulnerabilities related to containerized workloads
Module 6 – Given a scenario, perform a social engineering or physical attack.
- Pretext for an approach
- Social engineering attacks
- Email phishing
- Vishing
- Short message service (SMS) phishing
- Universal Serial Bus (USB) drop key
- Watering hole attack
- Physical attacks
- Tailgating
- Dumpster diving
- Shoulder surfing
- Badge cloning
- Impersonation
- Tools
- Browser exploitation framework (BeEF)
- Social engineering toolkit
- Call spoofing tools
- Methods of influence
- Authority
- Scarcity
- Social proof
- Urgency
- Likeness
- Fear
Module 7 – Given a scenario, perform post-exploitation techniques.
- Post-exploitation tools
- Empire
- Mimikatz
- BloodHound
- Lateral movement
- Network segmentation testing
- Privilege escalation
- Upgrading a restrictive shell
- Creating a foothold/persistence
- Trojan
- Backdoor
- Daemons
- Scheduled tasks
- Detection avoidance
- Living-off-the-land techniques/fileless malware
- PsExec
- Windows Management Instrumentation (WMI)
- PowerShell (PS) remoting/Windows Remote Management (WinRM)
- Data exfiltration
- Covering your tracks
- Steganography
- Establishing a covert channel
- Enumeration
- Users
- Groups
- Forests
- Sensitive data
- Unencrypted files
Unit 4 – Reporting and Communication
Module 1 – Compare and contrast important components of written reports.
- Report audience
- C-suite
- Third-party stakeholders
- Technical staff
- Developers
- Report contents (not in a particular order)
- Executive summary
- Scope details
- Methodology
- Findings
- Risk rating (reference framework)
- Risk prioritization
- Business impact analysis
- Metrics and measures
- Remediation
- Conclusion
- Appendix
- Storage time for report
- Secure distribution
- Note taking
- Ongoing documentation during test
- Screenshots
- Common themes/root causes
- Vulnerabilities
- Observations
- Lack of best practices
Module 2 – Given a scenario, analyze the findings and recommend the appropriate remediation within a report.
- Technical controls
- System hardening
- Sanitize user input/parameterize queries
- Implement multifactor authentication
- Encrypt passwords
- Process-level remediation
- Patch management
- Key rotation
- Certificate management
- Secrets management solution
- Network segmentation
- Administrative controls
- Role-based access control
- Secure software development life cycle
- Minimum password requirements
- Policies and procedures
- Operational controls
- Job rotation
- Time-of-day restrictions
- Mandatory vacations
- User training
- Physical controls
- Access control vestibule
- Biometric controls
- Video surveillance
Module 3 – Explain the importance of communication during the penetration testing process.
- Communication path
- Primary contact
- Technical contact
- Emergency contact
- Communication triggers
- Critical findings
- Status reports
- Indicators of prior compromise
- Reasons for communication
- Situational awareness
- De-escalation
- Deconfliction
- Identifying false positives
- Criminal activity
- Goal reprioritization
- Presentation of findings
Module 4 – Explain post-report delivery activities.
- Post-engagement cleanup
- Removing shells
- Removing tester-created credentials
- Removing tools
- Client acceptance
- Lessons learned
- Follow-up actions/retest
- Attestation of findings
- Data destruction process
Unit 5 – Explain use cases of the following tools during the phases of a penetration test.
- Scanners
- Nikto
- Open Vulnerability Assessment Scanner (OpenVAS)
- SQLmap
- Nessus
- Open Security Content Automation Protocol (SCAP)
- Wapiti
- WPScan
- Brakeman
- Scout Suite
- Credential testing tools
- Hashcat
- Medusa
- Hydra
- CeWL
- John the Ripper
- Cain
- Mimikatz
- Patator
- DirBuster
- Debuggers
- OllyDbg
- Immunity Debugger
- GNU Debugger (GDB)
- WinDbg
- Interactive Disassembler (IDA)
- Covenant
- SearchSploit
- OSINT
- WHOIS
- Nslookup
- Fingerprinting Organization with Collected Archives (FOCA)
- theHarvester
- Shodan
- Maltego
- Recon-ng
- Censys
- Wireless
- Aircrack-ng suite
- Kismet
- Wifite2
- Rogue access point
- EAPHammer
- mdk4
- Spooftooph
- Reaver
- Wireless Geographic Logging Engine (WiGLE)
- Fern
- Web application tools
- OWASP ZAP
- Burp Suite
- Gobuster
- w3af
- Social engineering tools
- Social Engineering Toolkit (SET)
- BeEF
- Remote access tools
- Secure Shell (SSH)
- Ncat
- Netcat
- ProxyChains
- Networking tools
- SearchSploit
- Responder
- Impacket tools
- Empire
- Metasploit
- mitm6
- CrackMapExec
- TruffleHog
- Censys
- Steganography tools
- OpenStego
- Steghide
- Snow
- Coagula
- Sonic Visualiser
- TinEye
- Cloud tools
- Scout Suite
- CloudBrute
- Pacu
- Cloud Custodian