Security+ Cert Exam Objectives SYO-601
Phishing - fraudulent attempt to obtain sensitive information or data by disguising oneself as a trustworthy entity in an electronic communication.
Smishing - When someone tries to trick you into giving them your private information via a text or SMS message.
Vishing - Using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward.
Spam - irrelevant or unsolicited messages sent to a large number of Internet users, for illegitimate advertising and other activities such as phishing and spreading malware.
SPIM - Spam delivered through instant messaging (IM) instead of through e-mail messaging.
Spear phishing - the act of sending emails to specific and well-researched targets while pretending to be a trusted sender.
Dumpster diving - exploration of a system's trash bin for the purpose of finding details in order for a hacker to have a successful online assault.
Shoulder surfing - When someone watches over your shoulder to nab valuable information as you key it into an electronic device.
Pharming - cyberattack intended to redirect a website's traffic to another, fake site.
Tailgating - Social engineering attempt by cyber threat actors in which they trick employees into helping them gain unauthorized access into the company premises.
Eliciting information - Procedures or techniques involving interacting and communicating with others that are designed to gather knowledge or information.
Whaling - Spear phishing that focuses on one specific high-level executive or influencer.
Prepending - Prepend is a word that means to attach content as a prefix. For example, a prepend command could be used in a scripting language that a programmer would enter into a certain function or code module. It would add certain characters of text to the beginning of some variable or object.
Identity fraud - the use of stolen information, such as making fake IDs and fake bank accounts.
Invoice scams - using fraudulent invoices to steal from a company.
Credential harvesting - the use of MITM attacks, DNS poisoning, phishing, etc. to amass large numbers of credentials (username/password combinations) for reuse.
Reconnaissance - Information gathering about a target network.
Hoax - Cyber hoax scams are attacks that exploit unsuspecting users to provide valuable information, such as login credentials or money.
Impersonation - typically involves an email that seems to come from a trusted source.
Watering hole attack - security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit. The goal is to infect a targeted user's computer and gain access to the network at the target's place of employment.
Typo squatting - type of cybersquatting used by imposters that involves registering domains with intentionally misspelled names of popular web addresses to install malware on the user's system.
Pretexting - the practice of presenting oneself as someone else in order to obtain private information.
Influence campaigns -
Hybrid warfare - Combining conventional warfare with cyberwarfare.
Social media campaign - Planned, coordinated marketing efforts using one or more social media platforms.
Principles:
  - Authority: an attacker may try to appear to have a certain level of authority.
  - Intimidation: may try to make the victim think that something terrible is going to happen if they don't comply with the attacker's wishes.
  - Consensus: An attacker may try to sway the mind of a victim using names they are familiar with, saying that such ones provided them information (they are fishing for) in the past and you should be able to do the same.
  - Scarcity: An attacker may try to set a time limit on a victim so that they comply with their wishes by a certain deadline.
  - Familiarity: they make you familiar with them on the phone and make you want to do things for them.
  - Trust: The attacker in this case can claim to be a friend or close associate of someone you may know very well and who is trusted.
  - Urgency: When attackers want you to act and not think, they want you to do what they want as quickly as possible so that there's no time to spot all the red flags.
Malware - a program or file designed to be disruptive, invasive and harmful to your computer.
Ransomware - Software that encrypts programs and data until a ransom is paid to remove it.
Worms - Independent computer programs that copy themselves from one computer to other computers over a network.
Potentially unwanted program (PUP) - program that installs itself on a computer, typically without the user's informed consent.
Fileless virus - Software that uses legitimate programs to infect a computer. It does not rely on files and leaves no footprint, making it challenging to detect and remove.
Command and control - A computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network.
Bots - self-propagating malware that infects its host and connects back to a central server(s).
Cryptomalware - Malware designed to remain in place for as long as possible, quietly mining in the background.
Logic bomb - A computer program or part of a program that lies dormant until it is triggered by a specific logical event.
Spyware - Type of malware that infects your PC or mobile device and gathers information about you, including the sites you visit, the things you download, your usernames and passwords, payment information, and the emails you send and receive.
Keyloggers - software that tracks or logs the keys struck on your keyboard, typically in a covert manner so that you don't know that your actions are being monitored.
Remote Access Trojan - type of malware that allows covert surveillance, a backdoor for administrative control, and unfettered and unauthorized remote access to a victim's machine.
Rootkit - software program, typically malicious, that provides privileged, root-level (i.e., administrative) access to a computer while concealing its presence on that machine.
Backdoor - refers to any method by which authorized and unauthorized users are able to get around normal security measures and gain high-level user access (aka root access) on a computer system, network, or software application.
Password attack - Any type of attack in which the attacker attempts to obtain and make use of passwords illegitimately.
Spraying password attack -
Dictionary password attack - An attack method that takes all the words from a dictionary file and attempts to log on by entering each dictionary entry as a password.
Brute force password attack (offline and online) - an attempt to guess a password by attempting every possible combination of characters and numbers in it.
Rainbow tables - an attack on a password that uses a large pregenerated data set of hashes from nearly every possible password.
Plaintext/unencrypted password attack -
Malicious universal serial bus (USB) cable -
Malicious flash drive -
Card cloning -
Skimming -
Adversarial artificial intelligence (AI) -
  1. Tainted training for machine learning (ML)
  2. Security of machine learning algorithms
Supply-chain attacks -
Cloud-based vs. on-premises attacks -
Cryptographic attacks -
  1. Birthday:
  2. Collision:
  3. Downgrade:
Privilege escalation -
Cross-site scripting -
Injections -
Structured query language (SQL) -
Dynamic link library -
Lightweight directory access protocol (LDAP) -
Extensible markup language (XML) -
Pointer/object dereference -
Directory traversal -
Buffer overflows -
Race conditions (time of check/time of use) -
Error handling -
Improper input handling -
Replay attack (session replays) -
Integer overflow -
Request forgeries -
  1. Server-side
  2. Cross-site
Application programming interface (API) attacks -
Resource exhaustion -
Memory leak -
Secure sockets layer (SSL) stripping -
Driver manipulation -
Shimming -
Refactoring -
Pass the hash -
Wireless -
Evil twin -
Rogue access point -
Bluesnarfing -
Bluejacking - Some users with Bluetooth-enabled mobiles use this technology to send anonymous text messages to strangers.
Disassociation -
Jamming -
Radio frequency identifier (RFID) -
Near Field Communication (NFC) - A set of standards primarily for smartphones and smart cards that can be used to establish communication between devices in close proximity.
Initialization vector (IV) - A 24-bit value used in WEP that changes each time a packet is encrypted.
On-path attack (man-in-the-middle) -
Layer 2 attacks -
Address resolution protocol poisoning -
Media access control flooding -
MAC cloning -
Domain Name System (DNS) - A hierarchical system for naming resources on the Internet.
Domain jacking -
DNS poisoning - Technique used by criminals to alter DNS records and drive users to fake sites in order to commit phishing.
Universal resource locator redirection -
Domain reputation -
Distributed Denial of Service (DDoS) - An attack that uses many computers to perform a DoS attack.
DDoS: Network -
DDoS: Application -
DDoS: Operational technology -
Malicious code or script execution -
PowerShell -
Python -
Bash -
Macros -
Visual Basic for Applications (VBA) - programming language you can use to create macros.
Advanced Persistent Threat (APT) - a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments.
Insider threats - Current or former employee, contractor or other partner that has or had authorized access and intentionally misused that access.
State actors -
Hacktivists - A protester seeking to make a political point by leveraging technology tools, often through system infiltration, defacement, or damage.
Script kiddies - Individuals who want to break into computers to create damage, yet lack the advanced knowledge of computers and networks needed to do so.
Criminal syndicates -
Authorized hackers -
Unauthorized hackers -
Semi-authorized hackers -
Shadow IT -
Competitors -
Internal/external actors -
Level of sophistication/capability in actors -
Resources/funding (attributes of actors) - APTs and nation states have a penchant for long-term attacks, which requires this, which only major organizations or governments can manage over time.
Intent/motivation (attributes of actors) - This can be simple or multifold in nature. A script kiddie is just trying to make a technique work. A more skilled threat actor is usually pursuing a specific objective, such as trying to make a point as a hacktivist. At the top of the intent pyramid is the APT threat actor, whose intent or motivation is at least threefold.
Vector: Direct access -
Vector: Wireless -
Vector: Email -
Vector: Supply chain -
Vector: Social media -
Vector: Removable media -
Vector: Cloud -
Threat intelligence sources -
Open-Source Intelligence (OSINT) - Information from media (newspapers, television), public government reports, professional and academic publications, and other openly available sources.
Closed/proprietary threat intelligence source -
Vulnerability databases -
Public/private information-sharing centers -
Dark web -
Indicators of compromise -
  - unusual outbound traffic
  - anomalies in privileged accounts
  - geographic irregularities
  - login failures
  - swells in database read volume
  - large HTML responses
  - many requests for one file
  - mismatched port-applications
  - suspicious registry changes
  - spikes in DNS requests from one host
Automated Indicator Sharing (AIS) - system that enables the sharing of attack indicators between the US government and the private sector as soon as the threat is verified.
Structured Threat Information eXpression (STIX) -
Trusted Automated eXchange of Indicator Information (TAXII) -
Predictive analysis - the use of data warehouses and complex algorithms to forecast future events, based on historical trends and calculated probabilities.
Threat maps -
File/code repositories -
Vendor websites -
Vulnerability feeds -
Conferences -
Academic journals -
Request for Comments (RFC) - A document published by the IETF that details information about standardized Internet protocols and those in various development stages.
Local industry groups -
Social media (research source) -
Threat feeds (research source) -
Adversary tactics, techniques, and procedures (TTP) -
Cloud-based vs. on-premises vulnerabilities -
Zero-day -
Weak configurations -
Open permissions -
Unsecure root accounts -
Errors in weak configurations -
Weak encryption in weak configurations -
Unsecure protocols in weak configurations -
Default settings in weak configurations -
Open ports and services in weak configurations -
Third-party risks -
Vendor management -
  1. System integration
  2. Lack of vendor support
Third-party risks in supply chain -
Third-party risks in outsourced code development -
Third-party risks in data storage -
Improper or weak patch management -
Firmware:
Operating system:
Applications:
Legacy platforms -
Impacts: Data loss -
Impacts: Data breaches -
Impacts: Data exfiltration -
Impacts: Identity theft -
Impacts: Financial -
Impacts: Reputation -
Impacts: Availability loss -
Threat hunting -
Intelligence fusion -
Threat feeds -
Advisories and bulletins -
Maneuver -
Vulnerability scans -
False positives -
False negatives -
Log reviews -
Credentialed vs. non-credentialed (vulnerability scanning) -
Intrusive vs. non-intrusive (scans) -
Application vulnerability scanner - Technology used to scan applications for potential vulnerabilities and weaknesses.
Web application vulnerability scan -
Network vulnerability scanner - The application of vulnerability scanning to network devices to search for vulnerabilities at the network level.
Common Vulnerabilities and Exposures (CVE) -
Common Vulnerability Scoring System (CVSS) -
Configuration review -
Syslog/security information and event management (SIEM) -
Review reports -
Packet capture -
Data inputs -
User behavior analysis -
Sentiment analysis -
Security monitoring -
Log aggregation -
Log collectors -
Security orchestration, automation, and response (SOAR) -
Known environment -
Unknown environment -
Partially known environment -
Rules of engagement -
Lateral movement -
Privilege escalation -
Persistence (penetration testing) -
Cleanup (penetration testing) -
Bug bounty (penetration testing) -
Pivoting (penetration testing) -
Passive and active reconnaissance -
Drones (reconnaissance) -
War flying -
War driving -
Footprinting -
OSINT -
Exercise types -
Red team:
Blue team:
White team:
Purple team:
Configuration management -
Diagrams for configuration management -
Baseline configuration -
Standard naming conventions -
Internet protocol (IP) schema -
Data sovereignty -
Data protection -
Data loss prevention (DLP) -
Masking -
Encryption in data protection -
Data protection: At rest -
Data protection: In transit/motion -
Data protection: In processing -
Data protection: Tokenization -
Data protection: Rights management -
Geographical considerations -
Response and recovery controls -
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) inspection -
Hashing -
API considerations -
Site resiliency -
Hot site -
Cold site -
Warm site -
Deception and disruption -
Honeypots -
Honeyfiles -
Honeynets -
Fake telemetry -
DNS sinkhole -
Cloud models -
Infrastructure as a Service (IaaS) -
Platform as a Service (PaaS) -
Software as a Service (SaaS) -
Anything as a Service (XaaS) -
Public cloud model -
Community cloud model -
Private cloud model -
Hybrid cloud model -
Cloud service providers -
Managed service provider (MSP) -
Managed security service provider (MSSP) -
On-premises vs. off-premises -
Fog computing -
Edge computing -
Thin client -
Containers -
Microservices/API -
Infrastructure as code -
Software Defined Networking (SDN) - using a central control program separate from network devices to manage the flow of data on a network.
Software-defined visibility -
Serverless architecture -
Services integration -
Resource policies -
Transit gateway -
Virtualization -
Virtual machine (VM) sprawl avoidance -
VM escape protection -
Environment: Development -
Environment: Test -
Environment: Staging -
Environment: Production -
Environment: Quality assurance (QA) -
Provisioning and deprovisioning - Commission/decommission of assets from the time they are installed until the time they are decommissioned and disposed of.
Integrity measurement -
Secure coding techniques - Techniques used while coding to provide as much security as possible.
Normalization -
Stored procedures -
Obfuscation/camouflage -
Code reuse/dead code -
Server-side vs. client-side execution and validation -
Memory management -
Use of third-party libraries and software development kits (SDKs) -
Open Web Application Security Project (OWASP) - An open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.
Software diversity -
Compiler -
Binary -
Automation/scripting -
Automated courses of action - Using technology to automate IT processes.
Continuous monitoring -
Continuous validation -
Continuous integration -
Continuous delivery -
Continuous deployment -
Elasticity -
Scalability -
Version control -
Authentication methods -
Federation -
Attestation -
Time-based one-time password (TOTP) -
HMAC-based one-time password (HOTP) -
Short message service (SMS) -
Token key -
Static codes -
Authentication applications -
Push notifications -
Phone call -
Smart card authentication -
Biometrics -
Biometrics: Fingerprints -
Biometrics: Retina -
Biometrics: Iris -
Biometrics: Facial -
Biometrics: Voice -
Biometrics: Vein -
Biometrics: Gait analysis -
Biometrics: Efficacy rates -
Biometrics: False acceptance -
Biometrics: False rejection -
Biometrics: Crossover error rate -
Multifactor authentication (MFA) factors and attributes -
Factors:
  - Something you know
  - Something you have
  - Something you are
Attributes:
  - Somewhere you are
  - Something you can do
  - Someone you know
Authentication, authorization, and accounting (AAA) -
Cloud vs. on-premises requirements -
Redundancy -
Geographic dispersal -
Disk -
Redundant array of inexpensive disks (RAID) levels -
Multipath -
Network: Load balancers -
Network interface card teaming -
Power: Uninterruptible power supply (UPS) -
Power: Generator -
Power: Dual supply -
Managed power distribution units (PDUs) -
Replication -
Storage area network -
VM -
On-premises vs. cloud -
Backup types -
Backup types: Full -
Backup types: Incremental -
Backup types: Snapshot -
Backup types: Differential -
Backup types: Tape -
Backup types: Disk -
Backup types: Copy -
Backup types: Network-attached storage (NAS) -
Backup types: Storage area network -
Backup types: Cloud -
Backup types: Image -
Backup types: Online vs. offline -
Backup types: Offsite storage -
Distance considerations -
Non-persistence -
Revert to known state -
Last known-good configuration -
Live boot media -
High availability (scalability) -
Restoration order -
Diversity: Technologies -
Diversity: Vendors -
Diversity: Crypto -
Diversity: Controls -
Embedded systems -
Raspberry Pi -
Field Programmable Gate Array (FPGA) -
Arduino -
Supervisory control and data acquisition (SCADA)/industrial control system (ICS) -
Facilities -
Industrial -
Manufacturing -
Energy -
Logistics -
Internet of Things (IoT) -
Sensors -
Smart devices -
Wearables -
Facility automation -
Weak defaults -
Specialized: Medical systems -
Specialized: Vehicles -
Specialized: Aircraft -
Specialized: Smart meters -
Voice over IP (VoIP) -
Heating, ventilation, air conditioning (HVAC) -
Drones -
Multifunction printer (MFP) -
Real-time operating system (RTOS) -
Surveillance systems -
System on chip (SoC) -
Communication considerations: 5G -
Communication considerations: Narrow-band -
Communication considerations: Baseband radio -
Subscriber identity module (SIM) cards -
Zigbee -
Constraints: Power -
Constraints: Compute -
Constraints: Network -
Constraints: Crypto -
Constraints: Inability to patch -
Constraints: Authentication -
Constraints: Range -
Constraints: Cost -
Constraints: Implied trust -
Bollards/barricades -
Access control vestibules -
Badges -
Alarms -
Signage -
Cameras -
Motion recognition and object detection -
Closed circuit television (CCTV) - Video cameras and receivers used for surveillance in areas that require security monitoring.
Industrial camouflage -
Personnel -
Guards:
Robot sentries:
Reception:
Two-person integrity/control -
Locks -
Biometrics:
Electronic:
Physical:
Cable locks:
USB data blocker -
Lighting and fencing -
Fire suppression -
Sensors: Motion detection -
Sensors: Noise detection -
Sensors: Proximity reader -
Sensors: Moisture detection -
Sensors: Cards -
Sensors: Temperature -
Drones -
Visitor logs -
Faraday cages -
Air gap -
Screened subnet -
Protected cable distribution -
Secure areas -
Secure areas: Air gap -
Secure areas: Vault -
Secure areas: Safe -
Secure areas: Hot aisle -
Secure areas: Cold aisle -
Secure data destruction -
Burning:
Shredding:
Pulping:
Pulverizing:
Degaussing:
Third-party solutions:
Digital signatures:
Key length -
Key stretching -
Salting -
Hashing -
Key exchange -
Elliptic Curve Cryptography (ECC) - An algorithm that uses elliptic curves instead of prime numbers to compute keys.
Perfect forward secrecy -
Quantum communication -
Quantum computing -
Post-quantum -
Ephemeral -
Modes of operation -
Authenticated:
Unauthenticated:
Counter:
Blockchain and public ledgers -
Cipher suites -
Stream:
Block:
Symmetric vs. asymmetric -
Lightweight cryptography -
Steganography -
Audio:
Video:
Image:
Homomorphic encryption - Enables processing of encrypted data without the need to decrypt the data. It allows the cloud customer to upload data to a cloud service provider for processing without the requirement to decipher the data first.
Common use cases -
Low power devices -
Low latency -
High resiliency -
Supporting confidentiality -
Supporting integrity -
Supporting obfuscation - Modern malware tries to hide itself. Encrypted data hides the active malware code. Decryption occurs during execution.
Supporting authentication - Password hashing. Protect the original password. Add salts to randomize the stored password hash.
Supporting non-repudiation - Confirm the authenticity of data. A digital signature provides both integrity and non-repudiation.
Limitations: Speed -
Limitations: Size -
Limitations: Weak keys -
Limitations: Time -
Limitations: Longevity -
Limitations: Predictability -
Limitations: Reuse -
Limitations: Entropy -
Limitations: Computational overheads -
Limitations: Resource vs. security constraints -
Protocols -
Domain Name System Security Extensions (DNSSEC) -
SSH -
Secure/Multipurpose Internet Mail Extensions (S/MIME) -
Secure Real-time Transport Protocol (SRTP) -
Lightweight Directory Access Protocol over TLS/SSL (LDAPS) -
File Transfer Protocol Secure (FTPS) -
SSH File Transfer Protocol (SFTP) -
Simple Network Management Protocol, version 3 (SNMPv3) -
Hypertext Transfer Protocol over SSL/TLS (HTTPS) -
IPSec -
Authentication header (AH)/Encapsulating Security Payload (ESP) -
Tunnel/transport -
Secure Post Office Protocol (POP)/Internet Message Access Protocol (IMAP) -
Use cases -
Voice and video -
Time synchronization -
Email and web -
File transfer -
Directory services -
Remote access -
Domain name resolution -
Routing and switching -
Network address allocation -
Subscription services -
Endpoint protection -
Antivirus -
Anti-malware -
Endpoint detection and response (EDR) -
DLP -
Next-generation firewall (NGFW) -
Host-based intrusion prevention system (HIPS) -
Host-based intrusion detection system (HIDS) -
Host-based firewall -
Boot integrity -
Boot security/Unified Extensible Firmware Interface (UEFI) -
Measured boot -
Boot attestation -
Database: Tokenization -
Database: Salting -
Database: Hashing -
Application security -
Input validation -
Secure cookies -
Hypertext Transfer Protocol (HTTP) headers -
Code signing -
Allow list -
Block list/deny list -
Secure coding practices -
Static code analysis -
Manual code review:
Dynamic code analysis -
Fuzzing -
Hardening -
Open ports and services -
Registry -
Disk encryption -
OS -
Patch management -
Third-party updates:
Auto-update:
Self-encrypting drive (SED)/full disk encryption (FDE) -
Opal:
Hardware root of trust -
Trusted Platform Module (TPM) -
Sandboxing -
Load balancing -
Load balancing: Active/active -
Load balancing: Active/passive -
Load balancing: Scheduling -
Load balancing: Virtual IP -
Load balancing: Persistence -
Network segmentation -
Virtual local area network (VLAN) -
Screened subnet -
East-west traffic -
Extranet -
Intranet -
Zero Trust -
VPN: Always-on -
VPN: Split tunnel -
VPN: Remote access vs. site-to-site -
VPN: IPSec -
VPN: SSL/TLS -
VPN: HTML5 -
VPN: Layer 2 tunneling protocol (L2TP) -
DNS -
Network access control (NAC) -
NAC: Agent and agentless -
Out-of-band management -
Port security -
Broadcast storm prevention -
Bridge Protocol Data Unit (BPDU) guard -
Loop prevention -
Dynamic Host Configuration Protocol (DHCP) snooping -
Media access control (MAC) filtering -
Network appliances -
Network appliances: Jump servers -
Network appliances: Proxy servers -
Forward:
Reverse:
Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS) -
Signature-based -
Heuristic/behavior -
Anomaly -
Inline vs. passive -
HSM -
Sensors -
Collectors -
Aggregators -
Firewalls -
Web application firewall (WAF) -
NGFW -
Stateful -
Stateless -
Unified threat management (UTM) -
Network address translation (NAT) gateway -
Firewalls: Content/URL filter -
Firewalls: Open-source vs. proprietary -
Firewalls: Hardware vs. software -
Firewalls: Appliance vs. host-based vs. virtual -
Access control list (ACL) -
Route security -
Quality of service (QoS) -
Implications of IPv6 -
Port spanning/port mirroring -
Port taps:
Monitoring services -
File integrity monitors -
Cryptographic protocols -
WiFi Protected Access 2 (WPA2) -
WiFi Protected Access 3 (WPA3) -
Counter-mode/CBC-MAC protocol (CCMP) -
Simultaneous Authentication of Equals (SAE) -
Authentication protocols -
Extensible Authentication Protocol (EAP) -
Protected Extensible Authentication Protocol (PEAP) -
EAP-FAST -
EAP-TLS -
EAP-TTLS -
IEEE 802.1X -
Remote Authentication Dial-in User Service (RADIUS) Federation -
Methods -
Pre-shared key (PSK) vs. Enterprise vs. Open -
WiFi Protected Setup (WPS) -
Captive portals (methods) -
Installation considerations:
Site surveys -
Heat maps -
WiFi analyzers -
Channel overlaps -
Wireless access point (WAP) placement -
Controller and access point security -
Connection methods and receivers:
Connection methods and receivers: Cellular -
Connection methods and receivers: WiFi -
Connection methods and receivers: Bluetooth -
Connection methods and receivers: NFC -
Connection methods and receivers: Point-to-point -
Connection methods and receivers: Point-to-multipoint -
Connection methods and receivers: GPS -
Connection methods and receivers: RFID -
Mobile device management (MDM) -
MDM: Application management -
MDM: Content management -
MDM: Remote wipe -
MDM: Geofencing -
MDM: Geolocation -
MDM: Screen locks -
Connection methods and receivers: Push notifications -
Connection methods and receivers: Passwords and PINs -
Connection methods and receivers: Biometrics -
Connection methods and receivers: Context-aware authentication -
Connection methods and receivers: Containerization -
Connection methods and receivers: Storage segmentation -
Connection methods and receivers: Full device encryption -
Mobile devices: MicroSD HSM -
Mobile devices: MDM/Unified Endpoint Management (UEM) -
Mobile devices: Mobile application management (MAM) -
Mobile devices: SEAndroid -
Enforcement and monitoring of: Third-party application stores -
Enforcement and monitoring of: Rooting/jailbreaking -
Enforcement and monitoring of: Sideloading -
Enforcement and monitoring of: Custom firmware -
Enforcement and monitoring of: Carrier unlocking -
Enforcement and monitoring of: Firmware over-the-air (OTA) updates -
Enforcement and monitoring of: Camera use -
Enforcement and monitoring of: SMS/Multimedia Messaging Service (MMS)/Rich communication services (RCS) -
Enforcement and monitoring of: External media -
Enforcement and monitoring of: USB On-The-Go (USB OTG) -
Enforcement and monitoring of: Recording microphone -
Enforcement and monitoring of: GPS tagging -
Enforcement and monitoring of: WiFi direct/ad hoc -
Enforcement and monitoring of: Tethering -
Enforcement and monitoring of: Hotspot -
Enforcement and monitoring of: Payment methods -
Deployment models: Bring your own device (BYOD) -
Deployment models: Corporate-owned personally enabled (COPE) -
Deployment models: Choose your own device (CYOD) -
Deployment models: Corporate-owned -
Deployment models: Virtual desktop infrastructure (VDI) -
Cloud security controls -
Resource policies -
Secrets management -
Integration and auditing -
Storage: Permissions -
Storage: Encryption -
Storage: Replication -
Storage: High availability -
Network: Virtual networks -
Network: Public and private subnets -
Network: Segmentation -
Network: API inspection and integration -
Compute: Security groups -
Compute: Dynamic resource allocation -
Compute: Instance awareness -
Compute: Virtual private cloud (VPC) endpoint -
Compute: Container security -
Solutions: CASB -
Solutions: Application security -
Solutions: Next-generation Secure Web Gateway (SWG) -
Firewall considerations in a cloud environment -
Cost:
Need for segmentation:
Open Systems Interconnection (OSI) layers:
Cloud native controls vs. third-party solutions -
Identity: Identity provider (IdP) -
Identity: Attributes -
Identity: Certificates -
Identity: Tokens -
Identity: SSH keys -
Identity: Smart cards -
Account types: User account -
Account types: Shared and generic accounts/credentials -
Account types: Guest accounts -
Account types: Service accounts -
Account policies: Password complexity -
Account policies: Password history -
Account policies: Password reuse -
Account policies: Network location -
Account policies: Geofencing -
Account policies: Geotagging -
Account policies: Geolocation -
Account policies: Time-based logins -
Account policies: Access policies -
Account policies: Account audits -
Account policies: Impossible travel time/risky login -
Account policies: Lockout -
Account policies: Disablement -
Authentication management: Password keys -
Authentication management: Password vaults -
Authentication management: TPM -
Authentication management: HSM -
Authentication management: Knowledge-based authentication -
Authentication/authorization -
EAP -
Challenge Handshake Authentication Protocol (CHAP) -
Password Authentication Protocol (PAP) -
802.1X -
RADIUS -
Single sign-on (SSO) -
Security Assertion Markup Language (SAML) -
Terminal Access Controller Access Control System Plus (TACACS+) -
OAuth -
OpenID -
Kerberos -
Access control schemes -
Attribute-based access control (ABAC) -
Role-based access control -
Rule-based access control -
MAC -
Discretionary access control (DAC) -
Conditional access -
Privileged access management -
Filesystem permissions -
Public Key Infrastructure (PKI) -
Key management -
Certificate authority (CA) -
Intermediate CA -
Registration authority (RA) -
Certificate revocation list (CRL) -
Certificate attributes -
Online Certificate Status Protocol (OCSP) -
Certificate signing request (CSR) -
CN -
Subject alternative name -
Expiration -
Types of certificates -
Wildcard -
Subject alternative name -
Code signing -
Self-signed -
Machine/computer -
Email -
User -
Root -
Domain validation -
Extended validation -
Certificate formats -
Distinguished encoding rules (DER) -
Privacy enhanced mail (PEM) -
Personal information exchange (PFX) -
.cer -
P12 -
P7B -
Concepts -
Online vs. offline CA:
Stapling -
Pinning -
Trust model -
Key escrow -
Certificate chaining -
Written for
- Institution: SYO-601
- Course: SYO-601
Document information
- Uploaded on: June 28, 2022
- Number of pages: 38
- Written in: 2021/2022
- Type: Exam (elaborations)
- Contains: Questions & answers