# EC-Council CND Chapter Highlights
Last updated: 2024/04/29
Exam passing requirements
---
- Exam: 312-38 EC-Council Certified Network Defender
  The current courseware version is v2/v3
- Exam duration: 4 hours, 100 questions
- Single-answer questions (including multiple-choice questions presented as single-select) and multiple-answer questions
- You must answer 60%~85% of the questions correctly to pass
- The exam is currently offered in English only
- Exam location: Pearson VUE test centers (basically, if you take the course at 恆逸, sit the exam there as well)
- Exam fee: enrolling in the course includes one exam voucher; sitting the exam alone without the course costs USD 550; retakes at 恆逸 get a discounted price
Other notes
---
I attended the course this year and heard some news:
EC-Council's exam subjects will progressively obtain ANSI 17024 accreditation.
For subjects that have not yet been accredited, the exam carries a version number such as V1, V2, V3 and so on.
Subjects that have been accredited basically have no version number on the certificate,
even though the courseware still does; for example, the current CND textbook is V2.
If a subject has passed ANSI accreditation, the certificate simply prints
EC-Council Certified Network Defender
Conversely, since SOC has not yet passed ANSI 17024,
the SOC certificate is still
EC-Council Certified SOC Analyst v1
and carries no ANSI mark.
Exam blueprint / chapter weighting
---
Reference: CND Exam Blueprint v3.0
CND-Blueprint-v3.0
https://cert.eccouncil.org/images/doc/CND-Blueprint-v3.0.pdf
Domain: Network Defense Management
- Network Attacks and Defense Strategies
- Administrative Network Security
Weight about 10%, roughly 10 questions on the exam
Domain: Network Perimeter Protection
- Technical Network Security
- Network Perimeter Security
Weight about 16%, roughly 16 questions on the exam
Domain: Endpoint Protection
- Endpoint Security Windows Systems
- Endpoint Security Linux Systems
- Endpoint Security Mobile Devices
- Endpoint Security-IoT Devices
Weight about 15%, roughly 15 questions on the exam
Domain: Application and Data Protection
- Administrative Application Security
- Data Security
Weight about 13%, roughly 13 questions on the exam
Domain: Enterprise Virtual, Cloud, and Wireless Network Protection
- Enterprise Virtual Network Security
- Enterprise Cloud Network Security
- Enterprise Wireless Network Security
Weight about 12%, roughly 12 questions on the exam
Domain: Incident Detection
- Network Traffic Monitoring and Analysis
- Network Logs Monitoring and Analysis
Weight about 14%, roughly 14 questions on the exam
Domain: Incident Response
- Incident Response and Forensic Investigation
- Business Continuity and Disaster Recovery
Weight about 10%, roughly 10 questions on the exam
Domain: Incident Prediction
- Risk Anticipation with Risk Management
- Threat Assessment with Attack Surface Analysis
- Threat Prediction With Cyber Threat Intelligence
Weight about 10%, roughly 10 questions on the exam
Another piece of news received recently:
after 2024/4/10 there is a new CND V4 exam blueprint.
The 3.0 blueprint above is valid until 4/9.
CND V4 exam blueprint issued on 4/10:
https://cert.eccouncil.org/wp-content/uploads/2024/04/CND-Exam-Blueprint-v4.pdf
Also Handbook V6:
https://cert.eccouncil.org/wp-content/uploads/2024/03/CND-Handbook-v6.pdf
Chapter weighting adjusted from 4/10:
Domain: Network Defense Management
- Network Attacks and Defense Strategies
- Administrative Network Security
Weight about 10%, roughly 10 questions on the exam
(Chapters 1 and 2, 5 questions each)
Domain: Network Perimeter Protection
- Technical Network Security
- Network Perimeter Security
Weight about 10%, roughly 10 questions on the exam
(Chapters 3 and 4, 5 questions each)
Domain: Endpoint Protection
- Endpoint Security-Windows Systems
- Endpoint Security-Linux Systems
- Endpoint Security-Mobile Devices
- Endpoint Security-IoT Devices
Weight about 20%, roughly 20 questions on the exam
(Chapters 5, 6, 7 and 8, 5 questions each)
Domain: Application and Data Protection
- Administrative Application Security
- Data Security
Weight about 10%, roughly 10 questions on the exam
(Chapters 9 and 10, 5 questions each)
Domain: Enterprise Virtual, Cloud, and Wireless Network Protection
- Enterprise Virtual Network Security
- Enterprise Cloud Network Security
- Enterprise Wireless Network Security
Weight about 15%, roughly 15 questions on the exam
(Chapters 11, 12 and 13, 5 questions each)
Domain: Incident Detection
- Network Traffic Monitoring and Analysis
- Network Logs Monitoring and Analysis
Weight about 10%, roughly 10 questions on the exam
(Chapters 14 and 15, 5 questions each)
Domain: Incident Response
- Incident Response and Forensic Investigation
- Business Continuity and Disaster Recovery
Weight about 10%, roughly 10 questions on the exam
(Chapters 16 and 17, 5 questions each)
Domain: Incident Prediction
- Risk Anticipation with Risk Management
- Threat Assessment with Attack Surface Analysis
- Threat Prediction With Cyber Threat Intelligence
Weight about 15%, roughly 15 questions on the exam
(Chapters 18, 19 and 20, 5 questions each)
Chapters (content descriptions are for reference only)
---
**Chapter 1 Network Attacks and Defense Strategies**
Asset
Threat sources:
Natural/environmental threats
Unintentional (accidental) threats
Intentional (deliberate) threats
Internal threats
External threats
Unskilled administrators / Accidents / Lazy or untrained employees
Hacktivist: motives may be political or religious; a small group or a few individuals who break into computer systems without permission to further a political goal
"Hacktivists" use information technology and hacking to conduct civil disobedience, aiming to advance a political agenda or social change.
Individuals who promote a political agenda by hacking, especially by defacing or disabling websites
Cyber Terrorists: larger groups
Suicide Hackers: individuals, possibly disgruntled employees; hackers who do not care about the consequences to themselves
State Sponsored Hackers: government-affiliated / organized hackers
Organized Hackers
Professional hackers who attack a system for profits
Script Kiddies: individuals with no technical skill
Vulnerability
**Risk = Asset + Threat + Vulnerability**
Asset = Value (not determined by us)
Threat = Source
Vulnerability = exploit
Unknown vulnerability: Zero Day
Reputation: goodwill / customer trust
**Attack = Motive(Goal) + Method (TTPs) + Vulnerability**
unknown
use case: known
Method (TTPs): attack methods
Tactics: from the start of the attack to the end
"Tactics" is defined as the strategy adopted by an attacker to perform the attack from the beginning to the end
Technique
"Techniques" is defined as technical methods used by an attacker to achieve intermediate results during the attack
Procedures
"Procedure" is defined as a systematic approach adopted by threat actors to launch an attack
Reconnaissance
---
Common network attacks
Man-in-the-Middle
Password Dictionary attack
DNS Poisoning Attack: DNS spoofing / DNS cache poisoning
ARP Poisoning Attack: ARP spoofing / ARP cache poisoning
DHCP Starvation attack: effectively a DoS against DHCP
MAC Spoofing Attack: also applies to Wi-Fi
Flooding -> DoS, DDoS (denial of service / distributed denial of service)
Directory/Path Traversal
Cross-Site Request Forgery, CSRF/XSRF
Cross-Site Scripting, XSS
Cross-Origin Resource Sharing, CORS
Server Side Request Forgery, SSRF
Application-layer DoS: exhausts your compute resources and causes session timeouts
Session Hijacking Attack
Social engineering
Piggybacking => usually explained as one person following an authorized person into a restricted area; the follower may or may not have authorization (riding along)
Tailgating => following closely behind
Email is paired with social engineering attacks
Email bombing: treated as a DoS against your mailbox
Phishing via email
Spamming
SMiShing: SMS phishing
Android => rooting
iOS => jailbreaking
Bluetooth: Bluebugging
Wireless: Rogue AP, War Driving, Honeypot
Wireless denial of service: Jamming attack
---
Preventive Approach
Reactive Approach: passive / after the fact
Retrospective Approach: review / lessons learned
Proactive Approach
Controls
Administrative
Physical
Technical
Defense in depth
Multi-layered protection
supply chain attack
---
Physical security supplement
UPS (Uninterruptible Power Supply)
Standby UPS (Offline UPS)
Also called a backup or offline UPS
A backup-type UPS: mains power feeds the load directly while also charging the battery; once mains quality becomes unstable or fails, the mains circuit is cut automatically and the battery's DC is converted to AC to take over supply until mains power returns to normal
Line-Interactive UPS
Also called a line-interactive UPS; it operates basically like the offline type, but although it does not sit in the power path full-time like the online type, it monitors mains supply at all times and has built-in boost and buck compensation circuits, correcting immediately when mains supply is poor and reducing unnecessary switching
Online UPS (Double Conversion UPS)
In an online UPS the mains and the load are isolated: mains power does not feed the load directly but is converted to DC at the UPS, then split two ways, one charging the battery and the other converted back to AC to feed the load. When mains quality is unstable or fails, the battery switches from charging to supplying until mains returns to normal and it switches back to charging. The UPS is in the power path for the entire time; the advantage is that the output waveform is a pure sine wave like the mains, clean and noise-free, unaffected by mains instability, and able to feed inductive loads
---
**Chapter 2 Administrative Network Security**
Related management frameworks and regulations
Pyramid from top to bottom:
Regulatory Frameworks -> Policies -> Standards -> Procedures, Practices, Guidelines
Compliance
Common related regulations
HIPAA (Health Insurance Portability and Accountability Act, 1996): US; healthcare data security
SOX (Sarbanes-Oxley Act, 2002): US; publicly listed companies must sign off on published financial reports
FISMA (Federal Information Security Modernization Act, 2014): US federal information security
DMCA (Digital Millennium Copyright Act, 1998): US; intellectual property
GLBA (Financial Services Modernization Act, 1999): US; personal financial information
PCI-DSS (Payment Card Industry Data Security Standard)
DPA (Data Protection Act, 2018): UK data protection (rewrite of the 1998 version)
GDPR (General Data Protection Regulation, (EU) 2016/679): EU personal data protection
ISO/IEC international standards (International Organization for Standardization)
USA Patriot Act, 2001
The Human Rights Act, 1998: UK
FOIA (Freedom of Information Act, 1967): US
Freedom of Information Act, 2000
Electronic Communications Privacy Act, 1986: US
Computer Fraud and Abuse Act, 1986: US
Security policy management: you must enforce it
Information and communication security policy
Asset inventory, security controls, communications security, certificates, system development,
suppliers, incident handling, business continuity, appropriate auditing, risk management,
corrective action
External commitments, internal requirements
Policy Statements
Baseline
Steps to Create and Implement Security Policies (9 steps)
Design of a Security Policy
Varies by industry, company and nature of business
Security policies fall into three categories
**Enterprise Information Security Policy (EISP)**
These policies support organizations by offering ideology, purpose, and methods to create a secure environment for enterprises. It establishes a method for development, implementation, and management of security programs. These policies also ensure the proposed information security framework requirements are met.
**Issue-Specific Security Policy (ISSP)**
These policies address specific security issues in an organization. The scope and applicability of these security policies are completely dependent on the type of issue and the methods used by them. It specifies the necessary technologies along with preventive measures such as authorization of user access, privacy protection, and fair and responsible use of technologies
**System-Specific Security Policy (SysSP)**
The implementation of these policies focuses on the overall security of a particular system in an organization. An organization often develops and manages this type of policy, including the procedures and standards, for system maintenance. The technologies used by an organization should also be included in system-specific policies. It addresses the implementation and configuration of technology and user behavior.
Internet Access Policies
Promiscuous Policy: no rules, no restrictions
Permissive Policy: blacklist rules
Prudent Policy: whitelist rules; stricter and safer, but needed services must be opened explicitly
Paranoid Policy: nothing is allowed
Acceptable Use Policy: read and copy; defines your use of organizational assets
User Account Policy
Remote Access Policy
Information Protection Policy: data in the processing, storing and transmitting states
Firewall Management Policy
Special Access Policy: exceptions
Network Connection Policy: prevents rogue devices
Business Partner Policy
Email Security Policy
Password Policy
Physical Security
Information System Security Policy
BYOD
Mobile: four policies
Software / Application Security
Data Classification: at least three categories (public, internal, confidential), with tighter restrictions at each level
UAC
Policy checklist
Policy implementation: awareness training
Employee
Primary asset
Organizational security policy
Physical security policy
Data classification
Employee training: social engineering drills
Departing employees; employee monitoring must be lawful
**Chapter 3 Technical Network Security**
Access control and models
Separation of Duties (SoD)
Need-to-know
Principle of Least Privilege (POLP)
Access control models
Mandatory Access Control (MAC)
=> Bell-LaPadula Model (BLM)
=> Biba Integrity Model
Discretionary Access Control (DAC)
=> Access Control Matrix
Role-based Access Control (RBAC)
Rule-based Access Control (RB-RBAC)
Castle-and-Moat Model
Zero Trust Model
Identity and Access Management (IAM)
User Identity Management (IDM)
User Access Management (AM)
Encryption
Symmetric Encryption
Asymmetric Encryption
Hashing
Digital Signatures
Public Key Infrastructure (PKI)
Encryption algorithms
Data Encryption Standard (DES)
Triple Data Encryption Standard (3DES)
Advanced Encryption Standard (AES)
=> 128-bit
Rivest Cipher 4 (RC4)
Rivest Cipher 5 (RC5)
Rivest Cipher 6 (RC6)
Digital Signature Algorithm (DSA)
Rivest Shamir Adleman (RSA)
Message Digest Algorithm 5 (MD5)
Secure Hash Algorithm (SHA)
(SHA-1) (SHA-2) (SHA-3) (SHA-256)
Hash-based Message Authentication Code (HMAC)
Network Segmentation
Demilitarized Zone (DMZ)
Firewall (pfSense)
Intrusion Detection and Prevention System (IDS/IPS) (Snort)
Honeypot (KFSensor)
Proxy Server
(Squid proxy)
(Protoport Proxy Chain)
(ProxyCap)
(CCProxy)
Network Protocol Analyzer (Wireshark)
Web Content Filter
(OpenDNS)
(Netsentron)
(Net Nanny)
Load Balancer
Unified Threat Management (UTM)
(Endian Unified Threat Management)
(Sophos Essential UTM Firewall)
Security Information and Event Management (SIEM)
(Splunk)
Network Access Control (NAC)
Virtual Private Network (VPN)
(OpenVPN)
Network Security Protocols
RADIUS -> network device connection authentication
TACACS+ -> network device identity authentication
HTTPS -> connection encryption
TLS -> connection / channel encryption
SSL -> connection encryption, commonly used for web transactions
IPsec -> connection encryption used for VPNs
PGP -> file encryption/decryption
S/MIME -> email encryption
Kerberos -> Windows authentication
**Chapter 4 Network Perimeter Security**
Firewall policies and related configuration
Perimeter Layer
OSI 7 layers
Physical Layer
Data Link Layer
Network Layer
Transport Layer
Session Layer
Presentation Layer
Application Layer
TCP/IP 4 layers
Link Layer
Internet Layer
Transport Layer
Application Layer
Bypass rules
Firewall capabilities and limitations
Firewall evolution (NGFW) and the various firewall types
**Packet Filtering Firewall**
Network Layer
This firewall inspects packet header fields such as the source and destination IP addresses, packet type, port numbers and other network information, and passes packets that match its rules, but it does not inspect the packet payload. **It operates at the network layer and is controlled through ACLs.**
**Circuit-Level Gateway**
A circuit-level gateway does not need much processing power or resources. **It works at the session layer of the OSI model (or between the application and transport layers of TCP/IP).** It monitors the TCP handshake between packets to determine whether the requested session is legitimate. It does not inspect packet contents, only the packet source, so this approach cannot guarantee security, because malicious code can still hide inside the packets.
Application Level Gateway
An application-level firewall, also called a proxy firewall, operates at the application layer and inspects traffic between the internal network and the traffic source. Traffic first passes through the proxy server, which examines the incoming traffic before allowing it into the internal network.
An application-level firewall is somewhat like stateful inspection in that it checks both packets and the TCP three-way handshake. The main difference is that a stateful inspection firewall only checks the packet source, whereas the application-level firewall inspects packet contents and performs deep packet inspection (DPI).
**Stateful Multilayer Inspection Firewall**
A firewall that provides stateful packet inspection (SPI) continuously tracks the state of the network connections (such as TCP and UDP connections) passing through it. It is designed to distinguish legitimate packets across different connection types: only packets that match an active connection are allowed through, and all others are rejected. Because a stateful inspection firewall does more processing, its performance is lower than that of a packet-filtering firewall.
**Operates at the network and transport layers**
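The following simulation, added here as an illustration rather than taken from the CND courseware, contrasts the two firewall types described above: a stateless packet filter that decides from header fields against an ACL, and a stateful inspection firewall that keeps a connection table. The internal range 10.0.0.0/8, the hosts and the packets are constructed for the example; the point it shows is why the stateless reply rule has to be wide open, and how the stateful table lets the same unsolicited packet be rejected.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("10.0.0.0/8")  # assumed internal network for the example


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flag letters: S=SYN, A=ACK, F=FIN, R=RST


def _internal(ip):
    return ipaddress.ip_address(ip) in LAN


def packet_filter(pkt):
    """Stateless packet filter (network layer): header fields against an ACL.
    Rule 2 must be broad because the filter has no memory of rule 1, so any
    packet with source port 80 aimed at the LAN looks like a web reply."""
    if _internal(pkt.src) and pkt.dport == 80:   # outbound HTTP request
        return "allow"
    if _internal(pkt.dst) and pkt.sport == 80:   # "looks like" an HTTP reply
        return "allow"
    return "deny"


class StatefulFirewall:
    """Stateful inspection: a packet passes only if it belongs to a tracked
    connection or legitimately opens a new one from the inside."""

    def __init__(self):
        self.connections = set()  # tracked 4-tuples (src, dst, sport, dport)

    def inspect(self, pkt):
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if fwd in self.connections or rev in self.connections:
            if "F" in pkt.flags or "R" in pkt.flags:   # connection teardown
                self.connections.discard(fwd)
                self.connections.discard(rev)
            return "allow"
        if _internal(pkt.src) and pkt.dport == 80 and pkt.flags == "S":
            self.connections.add(fwd)                    # new outbound session
            return "allow"
        return "deny"


def run_scenario():
    """Constructed packet sequence: a normal web session from the LAN, then an
    unsolicited SYN from outside that uses source port 80 to mimic a reply."""
    packets = [
        ("client SYN", Packet("10.0.0.5", "93.184.216.34", 40000, 80, "S")),
        ("server SYN/ACK", Packet("93.184.216.34", "10.0.0.5", 80, 40000, "SA")),
        ("client ACK", Packet("10.0.0.5", "93.184.216.34", 40000, 80, "A")),
        ("unsolicited SYN from port 80", Packet("203.0.113.9", "10.0.0.5", 80, 445, "S")),
    ]
    stateful = StatefulFirewall()
    return [(name, packet_filter(p), stateful.inspect(p)) for name, p in packets]


if __name__ == "__main__":
    for name, pf, sf in run_scenario():
        print(f"{name:30s} packet-filter={pf:5s} stateful={sf}")
```

The last packet is the one that matters: the stateless filter admits it because the header alone satisfies the reply rule, while the stateful firewall rejects it because no inside host ever opened that connection. This is the extra work (and the extra protection) the chapter attributes to stateful inspection.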
Next Generation Firewall (NGFW)
Application Proxy
Network Address Translation (NAT)
Virtual Private Network (VPN)
Firewall topologies
Hardware firewall
Software firewall
Host-based firewall
Network-based firewall
Internal firewall
External firewall
Firewall management
Intrusion Detection Systems (IDS)
Approach-based IDS
Behavior-based IDS
Protection-based IDS
Structure-based IDS
Analysis Timing-based IDS
Source Data Analysis-based IDS
Zero-Trust Model Security
Software-Defined Perimeter (SDP)
**Chapter 5 Endpoint Security-Windows Systems**
Windows OS versions, their differences and evolution
Windows OS architecture
Hardware abstraction layer
Kernel/micro kernel
Executive services
Environment subsystem
Integral subsystem
User Mode: has limited access to resources
Kernel Mode: unrestricted access to system memory and external devices
Windows security components
Security reference monitor (SRM)
Local Security Authority Subsystem (LSASS)
LSASS policy database
Security Accounts Manager (SAM)
SAM database
Active Directory (AD)
Authentication packages
Windows logon application (Winlogon)
Logon user interface (LogonUI)
Credential providers (CPs)
Network logon service (NetLogon)
Kernel Security Device Driver (KSecDD)
Windows security baselines
Windows Security Baseline Configurations
Windows Security Baseline Configuration Using Security Compliance Toolkit (SCT)
Windows user account management
Disable unused accounts
Review accounts with privileged rights
Enforce Password Policy
Password Length policy
Password Protection Using Credential Guard
Credential
Common command: net user
Windows access control
Windows Access Checks: Security Identifier (SID)
Windows Integrity Control
Virtual Service Accounts
Secure File Sharing
Restricting Access to Files and Folders
Prevent Unauthorized Changes in System
User Account Control (UAC)
Administrative Access Management Using Just Enough Administration (JEA)
A Microsoft security technology, similar to Linux capabilities, that uses PowerShell to manage which administrative tasks may be delegated
Windows patch management
Enable Automatic Updates
Disable Force System Restarts
Windows antivirus and firewall: Defender
Windows Defender Firewall
Windows Registry Editor
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
Windows domain management
Windows hardening settings
Windows Remote Desktop Services
Windows network shares (Network Neighborhood)
**Chapter 6 Endpoint Security-Linux Systems**
Linux OS architecture
Linux OS installation and patching
Linux OS hardening settings
Linux file permission control
Linux firewall: iptables configuration
Security-Enhanced Linux (SELinux)
**Chapter 7 Endpoint Security-Mobile Devices**
BYOD (Bring Your Own Device)
COBO (Company Owned, Business Only)
COPE (Company Owned, Personally Enabled)
CYOD (Choose Your Own Device)
Security Guidelines
MDM (Mobile Device Management) => manages the whole device
MAM (Mobile Application Management) => manages applications
MCM (Mobile Content Management) => manages content
MEM (Mobile Email Management) => manages email
MTD (Mobile Threat Defense)
UEM (Unified Endpoint Management)
SMS Phishing
Android and iOS Security
**Chapter 8 Endpoint Security-IoT Devices**
Internet of Things (IoT)
Internet of Everything (IoE)
IoT-enabled Environments
Connect anytime: connected and connectable at any time
Connect anything: any device can connect
Connect any place: connect from anywhere
Sensing technology
IoT gateways
Cloud server/data storage
Remote control using mobile apps
Layers of the IoT Architecture
User / Devices / Gateway / Connection / Cloud
Applications (CRM, ERP, SCM, PLM)
Processes, Practices and Policies
Four layers: Device Layer, Communication Layer, Cloud Platform Layer, Process Layer
IoT communication models
Device-to-Device Model
Device-to-Cloud Model
Device-to-Gateway Model
Cloud-to-Cloud (Back-end Data-sharing Model)
IoT-enabled IT Environment
Attack Vectors in IoT Architecture
DDoS Attack from Hacked IoT Devices
OWASP Top 10 IoT Vulnerabilities
Stack-wise IoT Security Principles
Traffic Analysis Attack
RFID Cloning
Malicious Code Injection
Sleep Deprivation Attack
RFID Spoofing
Sinkhole Attack
Use Proper Network Segmentation to Isolate IoT Devices
Scan IoT Devices for Known Vulnerabilities
-> beSTORM, IoTsploit, IoTSeeker
Bitdefender Home Scanner
IoTInspector
Update IoT firmware and patch vulnerabilities
Configure transport encryption for end-to-end IoT device communication
Strengthen user authentication
Isolate IoT devices when they connect to the wireless network
Monitor IoT device activity and logs, and manage the associated risk
IoT security tools
SeaCat.io
AIOTI WG03 IoT standards
NIST Security Feature Recommendations for IoT Devices
US DHS Strategic Principles for Securing IoT
GSMA IoT Security Guidelines and Assessment
**Chapter 9 Administrative Application Security**
Application security
Application whitelisting / blacklisting / sandboxing / patch management / firewalls
Software restriction policies for users / application whitelisting
Windows Potentially Unwanted Application Protection feature
Group Policy management / local security settings
Application whitelisting management tools
Application sandboxing
Windows Sandbox
Windows Defender Application Guard for Microsoft Edge
Linux sandbox: Firejail
Sandboxie
Application patch management
Web Application Firewall (WAF)
Deployment: Reverse proxy / Layer-2 bridge / Out of band
Server resident / Internet-hosted cloud
WAF limitations
WAF module for IIS Server: URLScan
Other common WAFs and tools
**Chapter 10 Data Security**
The first priority in data security is to identify, classify, grade and inventory sensitive data
Data at Rest, Data in Use, Data in Transit
Data security covers data access control, data encryption, data labeling, data resilience and backup, data destruction, and data retention
Access control commonly includes MAC, RBAC, DAC, RB-RBAC, ACLs, Group Policy, account-based controls and password access keys
Data encryption comes in roughly these forms: disk encryption, file-level encryption, removable-media encryption, database encryption
Windows built-in disk encryption: BitLocker
Prerequisites: TPM module, UEFI
macOS built-in disk encryption: FileVault
Linux built-in disk encryption: dm-crypt
LUKS extension
LUKS device header
(supported from Linux Kernel v2.6 onward)
Android built-in disk encryption: dm-crypt
iOS disk encryption: Passcode
Third-party disk encryption software: VeraCrypt / Symantec Drive Encryption
Windows file-level encryption: Encrypting File System (EFS)
Third-party file-level encryption software for Windows: AxCrypt
macOS file-level encryption: Disk Utility
Third-party file-level encryption software for Linux
GNU Privacy Guard (GPG) / OpenPGP
Transport encryption / MS SQL database encryption
Transparent Data Encryption (TDE) in MS SQL Server
Column-level Encryption in MS SQL Server
Cell-level Encryption Methods
Passphrase to encrypt and decrypt the data
Asymmetric
Symmetric
Certificates
Always Encrypted in MS SQL Server
Randomized Encryption
Deterministic Encryption
Transparent Data Encryption in Oracle
Transparent data encryption (TDE)
Data transmission encryption
Secure HTTP Connection using Digital Certificate
Database transport encryption: MS SQL
Enable TLS encryption to secure the data transmitted between instances of SQL Server and SQL clients/applications
Enable SSL/TLS Encryption in Oracle Server
Email Encryption
MS Outlook
S/MIME using Digital Certificate
Gmail supports S/MIME
SecureGmail Google Chrome extension
Data masking
Static Data Masking (SDM)
Dynamic Data Masking (DDM)
On-the-fly data masking
Data masking and the cloud
Dynamic Data Masking in SQL Server 2019
Data Masking in Oracle Database
Eight techniques
Encryption
Character scrambling
Lookup substitution
Nulling out or deletion
Shuffling
Number and date variance
Masking out
Data backup and restore
Backup strategy (storage media, backup technology, RAID level, backup method, backup type)
RAID Level (0, 1, 3, 5, 10, 50)
Hardware and Software RAID
Storage Area Network (SAN)
Network Attached Storage (NAS)
Backup types
Full backup
Incremental backup
Differential backup
Linux backup tools
Gnome Disk Utility
dd command
macOS Time Machine
Database Backup
MS SQL Server
Full database backup
Differential backup
Transaction Log backup
Oracle
Offline (Cold) Backup
Online (Hot) Backup
Email backup
POP3 / IMAP data
Gmail: Google Drive
Web Server Configuration Backup (IIS)
Data destruction
delete and destroy
Delete/Reformat
Wipe
Overwriting data
Erasure
Degaussing
Physical destruction
Electronic shredding
Solid-state shredding
Clean desktop: clear your desktop
Mobile devices: gifting, resale, trade-in; restore the device to factory state
CD/DVD: physical destruction
Media to be reused: destroy the data by overwriting
Three techniques
Clearing: overwriting, wiping, erasure
Purging: degaussing
Destroying: physical destruction (disintegration, incineration, pulverizing, melting, shredding)
Disk Wipe
Windows Diskpart utility
NIST SP 800-88
Data Loss Prevention (DLP)
Endpoint DLP
Network DLP
Storage DLP
Windows Information Protection (WIP)
MyDLP
**Chapter 11 Enterprise Virtual Network Security**
Virtualized architecture vs. traditional architecture
Components of a virtualized architecture
Hypervisor / Virtual Machine Monitor
Guest Machine / Virtual Machine
Host Machine
Management Server
Management Console
Network Virtualization (NV)
Usually a network interface similar to a hypervisor's
Abstraction layer
Common hypervisors
VMware ESXi
Citrix XenServer
Hyper-V
VirtualBox
Virtual Network: VLANs
Risks and threats in virtualized networks
MAC Flooding Attack
ARP Attack
VLAN Hopping Attack
STP Attack
DHCP Starvation Attack
Multi Brute-Force Attack
Hyper-V Security
Synchronization issues
Access permission issues
Isolated User Mode (IUM)
VMware Security
Time Synchronization
Restrict User Access
Encrypting Guest Virtual Machines
VirtualBox Security
Disable Nested Paging
Disable Hyperthreading
Flush Level 1 Cache Data
geographically limited
expansion
Software Defined Network (SDN) Security
Data Plane
Control Plane
Application Plane
Northbound API
Southbound API
OpenFlow
SDN security principles
Clearly Define Security Dependencies and Trust Boundaries
Build Security based on Open Standards
Protect Operational Reference Data
Provide Accountability and Traceability
Ensure Robust Identity
Protect the Information Security Triad
Make Systems Secure by Default
Consider Properties of Manageable Controls
SDN attack risks
DDoS Attacks
Malicious Application Attacks
Misconfiguration Attacks
Control Channel Attacks
Network Manipulation Attack
Traffic Diversion Attack
Side Channel Attack
App Manipulation
ARP Spoofing Attack
API Exploitation
Traffic Sniffing
Password Guessing or Brute Force
Network Function Virtualization (NFV) Security
NFV components
NFV Infrastructure (NFVI)
Hardware resources
Virtualization layer
Virtual resources
Virtualized Network Functions (VNFs)
Virtual Network Function (VNF)
Element Management System (EMS)
NFV Management and Orchestration (MANO)
management system for NFVI
Hardware and software are decoupled
NFV Hardware / Software
SDN Control / Forwarding
Container
Container Engine
Container Orchestration
Container Orchestration Software
Differences between containers and VMs
Docker
Docker Engine
Docker Architecture
Docker Networking
Kubernetes (K8s)
NIST SP 800-190
Isolation
Watch for sandbox escape issues
**Chapter 12 Enterprise Cloud Network Security**
Definition of cloud computing
Eight characteristics of cloud computing
On-demand self-service
Distributed storage
Rapid elasticity
Automated management
Broad network access
Resource pooling
Measured service
Virtualization technology
Cloud network security
Subscription model: on-demand
Broad network access
Distributed storage
Rapid elasticity
Automated management
Resource pooling
Measured service
Virtualization technology
IaaS, Infrastructure as a Service
e.g. Amazon EC2, Azure Virtual Machines
PaaS, Platform as a Service
e.g. Google App Engine, AWS Elastic Beanstalk, AWS Lambda, SAP Cloud Platform
SaaS, Software as a Service
e.g. Microsoft Office 365, webmail services (Gmail, Outlook)
FWaaS, Firewall as a Service
Division of responsibility in the cloud is based on the SLA
Public Cloud
Private Cloud
Community Cloud
Hybrid Cloud
Five roles
Cloud Consumer
Cloud Provider
Cloud Carrier
Cloud Auditor
Cloud Broker
NIST Cloud Deployment Reference Architecture
Identity and Access Management (IAM)
Data Storage Security
Amazon AWS
AWS Relational Database Service (RDS)
AWS Elastic MapReduce (EMR)
AWS Elastic Beanstalk
Simple Storage Service (S3)
DynamoDB
Amazon Glacier
SQS
Amazon EC2
Amazon S3 bucket storage
Amazon EBS
Amazon VPC
AWS CloudTrail
Microsoft Azure
Azure AD
Azure AD Self-service password reset (SSPR)
Azure MFA
Azure AD Privileged Identity Management
Azure AD Connect Sync
Azure Storage Service Encryption (SSE)
Transparent Data Encryption (TDE)
Azure Key Vault
Azure Site-to-Site VPN
Azure Network Security: Disable RDP/SSH Access to Virtual Machines / Optimize Uptime and Performance with Load Balancing
Microsoft Antimalware
Active Geo-replication
Azure Security Center
Azure Management Portal
Google GCP
GCP Identity and Access Management
Grant Predefined Roles
Google's default encryption
GCP Key Management: Cloud KMS
GCP Logging: Stackdriver
ZTNA, Zero Trust Network Access
CSP, Cloud Service Provider
Cloud Access Security Broker (CASB)
Cloud Workload Protection Platforms (CWPP)
Cloud Security Posture Management (CSPM)
SSPM, SaaS Security Posture Management
CNAPP, Cloud-Native Application Protection Platform
CIEM, Cloud Infrastructure Entitlements Management
KSPM, Kubernetes Security Posture Management
SSE, Security Service Edge
SASE, Secure Access Service Edge: a cloud-native security service framework
SWG, Secure Web Gateway
**Chapter 13 Enterprise Wireless Network Security**
Wi-Fi / Bluetooth / WiMAX
802.11: 2.4 GHz, DSSS/FHSS
802.11a: 5 GHz / 3.7 GHz, OFDM
802.11b: 2.4 GHz, DSSS
802.11e: QoS
802.11g: 2.4 GHz, OFDM
802.11n: 5 GHz / 2.4 GHz, MIMO-OFDM
802.11ac: 5 GHz, MIMO-OFDM
802.11ax: 2.4 GHz / 5 GHz / 6 GHz, MIMO-OFDM
Standalone Architecture (Ad-hoc Mode)
Centrally Coordinated Architecture (Infrastructure Mode)
Lightweight Extensible Authentication Protocol, LEAP
Extensible Authentication Protocol, EAP
Point-to-Point Protocol, PPP
(EAP-SIM) (EAP-TLS) (EAP-AKA) (EAP-TTLS)
Authentication: LEAP, EAP
TKIP, WEP, WPA, WPA2, WPA3
WPA-Personal / WPA2-Personal / WPA3-Personal
WPA-Enterprise / WPA2-Enterprise / WPA3-Enterprise
Pay attention to the comparison table
Antennas
Parabolic Grid Antenna
Yagi Antenna
Dipole Antenna
Reflector Antenna
Encryption: 802.11, 802.11e
802.11 a/b/g/n/ac/ax
Shared Key Authentication
WEP: RC4, 40/104-bit keys, CRC32 integrity
WPA: RC4 with TKIP, 128-bit, Michael algorithm, CRC32
WPA2: AES-CCMP, 128-bit, CBC-MAC
WPA3: AES-GCMP-256, 192-bit, BIP-GMAC-256
WWAN / WPAN / WMAN
RADIUS
Rogue devices
Recommended wireless security settings
Defending against wireless attacks
**Chapter 14 Network Traffic Monitoring and Analysis**
Packet capture tools
Wireshark / tcpdump / WinDump / dsniff
ManageEngine NetFlow Analyzer
NetworkMiner
network interface card (NIC)
promiscuous mode (sniffer)
Switched Port Analyzer (SPAN) Port -- Cisco
Roving Analysis Port (RAP) -- 3COM
Packet
TCP/IP 3-way handshake
Unusual/Suspicious Information in the Header
Content-based signature
Context-based signature
Atomic signature
Composite signature
Suspicious Data in the Payload
FTP Traffic: TCP port 21
To check for unsuccessful FTP password cracking attempts, apply the filter
ftp.response.code==530
To check for successful FTP password cracking attempts, apply the filter
ftp.response.code==230
Telnet Traffic: TCP port 23
HTTP Traffic: TCP port 80
Traffic for Passive OS Fingerprinting Attempt
ICMP-Based and TCP-Based OS Fingerprinting
PING sweep
(icmp.type==8 && !(icmp.code==8)) || (icmp.type==13) || (icmp.type==15) || (icmp.type==17)
(tcp.flags==0x02) && (tcp.window_size < 1025)
tcp.flags==0x2b
tcp.flags==0x00
tcp.options.wscale_val==10
TCP OS fingerprinting attempt
tcp.options.mss_val<1460
Use the filter icmp.type==8 or icmp.type==0 to detect an ICMP ping sweep attempt
Use the filter tcp.dstport==7 to detect a TCP ping sweep attempt
Use the filter udp.dstport==7 to detect a UDP ping sweep attempt
SYN+ACK, RST, and RST+ACK packets or ICMP type 3
TCP Null Scan Attempts
tcp.flags==0x000
SYN/FIN DDoS Attempts
Use the filter tcp.flags==0x003 to detect a SYN/FIN attack.
Other flag values listed in the notes for the same check: tcp.flags==0x029 and tcp.flags==0x001
UDP Scan Attempts
ICMP Type 3 Code 3 response
If the reply is ICMP Type 3 Code 3, the port is unavailable. This is a sign of a UDP port scan on the network
icmp.type==3 and icmp.code==3
ARP Poisoning Attempts
Check for "duplicate IP address configured" messages in the Warnings tab in Wireshark. To locate duplicate IP address traffic, use the following filter:
arp.duplicate-address-detected
SQL Injection Attempts
Look for SQL injection characters in payloads such as OR, --, ', and =.
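The display filters above each isolate one indicator; in practice a defender also has to count them per host, because a single 530 reply or one ICMP port-unreachable means nothing while dozens from the same source do. The script below is an added example (not part of the CND courseware) that reimplements the chapter's filter logic over a constructed packet list and raises alerts when an indicator crosses a per-host threshold. The packet fields, the hosts 198.51.100.7 and 10.0.0.20, and the threshold of 3 are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One captured packet reduced to the fields the filters test.
    tcp_flags holds the raw flag bits, the same value Wireshark's tcp.flags shows."""
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    tcp_flags: int = -1
    icmp_type: int = -1
    icmp_code: int = -1
    ftp_code: int = 0     # ftp.response.code on FTP replies, else 0


def classify(p):
    """Map a packet to the indicator it matches (mirrors the display
    filters in the notes), or None when it is unremarkable."""
    if p.proto == "tcp":
        if p.tcp_flags == 0x000:
            return "tcp_null_scan"          # tcp.flags==0x000
        if p.tcp_flags == 0x003:
            return "tcp_syn_fin"            # tcp.flags==0x003
        if p.dport == 7:
            return "tcp_ping_sweep"         # tcp.dstport==7
        if p.ftp_code == 530:
            return "ftp_login_failed"       # ftp.response.code==530
        if p.ftp_code == 230:
            return "ftp_login_ok"           # ftp.response.code==230
    elif p.proto == "udp" and p.dport == 7:
        return "udp_ping_sweep"             # udp.dstport==7
    elif p.proto == "icmp":
        if p.icmp_type in (8, 0):
            return "icmp_ping_sweep"        # icmp.type==8 or icmp.type==0
        if p.icmp_type == 3 and p.icmp_code == 3:
            return "udp_port_unreachable"   # icmp.type==3 and icmp.code==3
    return None


# These indicators are replies sent back to the suspect, so the suspect
# is the packet's destination rather than its source.
REPLY_INDICATORS = {"ftp_login_failed", "ftp_login_ok", "udp_port_unreachable"}


def detect(packets, threshold=3):
    """Count indicators per suspect host; return {(host, alert): count}
    for everything at or above the threshold."""
    counts = Counter()
    for p in packets:
        ind = classify(p)
        if ind is None:
            continue
        actor = p.dst if ind in REPLY_INDICATORS else p.src
        counts[(actor, ind)] += 1
    alerts = {}
    for (actor, ind), n in counts.items():
        if ind == "ftp_login_ok":
            # a 230 after repeated 530s to the same client is the "cracked" pattern
            if counts[(actor, "ftp_login_failed")] >= threshold:
                alerts[(actor, "ftp_password_cracked")] = n
        elif n >= threshold:
            alerts[(actor, ind)] = n
    return alerts


def sample_capture():
    """Constructed packets, not a real capture: 198.51.100.7 plays the
    scanner and 10.0.0.20 the FTP/UDP server it is probing."""
    scanner, server = "198.51.100.7", "10.0.0.20"
    pkts = [Pkt(server, scanner, "tcp", ftp_code=530) for _ in range(4)]      # 4 failed logins
    pkts.append(Pkt(server, scanner, "tcp", ftp_code=230))                     # then one success
    pkts += [Pkt(scanner, server, "tcp", dport=d, tcp_flags=0x000) for d in (22, 80, 443)]
    pkts += [Pkt(server, scanner, "icmp", icmp_type=3, icmp_code=3) for _ in range(3)]
    pkts.append(Pkt("10.0.0.5", server, "tcp", dport=443, tcp_flags=0x002))   # ordinary SYN
    pkts += [Pkt("10.0.0.5", server, "icmp", icmp_type=8) for _ in range(2)]  # two pings, below threshold
    return pkts


if __name__ == "__main__":
    for (host, alert), n in sorted(detect(sample_capture()).items()):
        print(f"{host:14s} {alert:24s} x{n}")
```

The ordinary SYN and the two pings from 10.0.0.5 produce no alert, which is the point of thresholding: the same filters that flag the scanner would otherwise flag every normal client.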
**Chapter 15 Network Logs Monitoring and Analysis**
A log is a collection of information/data on events
Logging is the process of recording and storing logs of the events that occur in the network
A log file contains various types of information that help provide valuable and actionable information
To identify actionable information from the logs, proper log analysis and monitoring are required
Local Logging / Centralized Logging
Windows Logs
Windows event logs consist of a header and a series of event records
Windows Event log audit configurations (i.e., log retention, log size, etc.) are recorded based on the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\<Event Log>
file named Security.evtx, and the databases related to applications are stored in a file named Application.evtx. These Windows event log files are stored in the C:\Windows\System32\winevt\Logs folder
Linux Logs
Most Linux logs are located in the /var/log directory in plain ASCII text format
/var/log/httpd/ Apache access and error logs directory
/var/log/auth.log Authentication logs
/var/log/utmp or /var/log/wtmp Login records file
Severity Level and Value of Linux Logs
Level 0 Emergency: emergency conditions where the system becomes unusable; for example, an imminent system crash.
Level 1 Alert: conditions that require immediate action; for example, a corrupted system database.
Level 2 Critical: critical conditions such as a hardware error.
Level 3 Error: error messages.
Level 4 Warning: warning messages.
Level 5 Notice: messages that are not errors but require special attention.
Level 6 Informational: informational messages.
Level 7 Debug: messages that are required when debugging programs.
cat command / less command / tail command / more command / grep command
Log Format
Mac Logs
Mac security-related log information is saved in the secure.log file in the /private/var/log directory
Firewall log data is stored in the appfirewall.log file at /private/var/log/appfirewall.log
AccessLog
/var/log/cups/access_log-%s
ErrorLog
/var/log/cups/error_log-%s
Log Format
Syntax: MMM DD HH:MM:SS Host Service: Message
Firewall Logging
Windows Defender Firewall Log
Location of the Windows Defender Firewall log: the default firewall log location in Windows is C:\Windows\System32\LogFiles\Firewall; open the file named pfirewall.log
Mac OS X Firewall Logs
The default location of the firewall log file on a Mac is /private/var/log/; the log file is saved as appfirewall.log; open the most recent log file
Linux Firewall: iptables
iptables is a rule-based built-in firewall in different versions of Linux; iptables logs messages to the /var/log/messages file through the Linux syslogd daemon
Cisco ASA Firewall
Check Point Firewall
The fw log command is used to display the log file content
Cisco Router Log
seq no:timestamp: %facility-severity-MNEMONIC:description
Internet Information Services (IIS) Logs
IIS 6.0 %system32%\LogFiles\W3SVCN
IIS 7.0 %SystemDrive%\Inetpub\Logs\LogFiles\W3SVCN
IIS 8.0 %SystemDrive%\inetpub\logs\LogFiles
IIS 10.0 %SystemDrive%\inetpub\logs\LogFiles
Apache Logs
Apache access log
In RHEL/Red Hat/CentOS/Fedora Linux, Apache access log files are stored at /var/log/httpd/access_log
In Debian/Ubuntu Linux, Apache access log files are stored at /var/log/apache2/access.log
In FreeBSD, Apache access log files are stored at /var/log/httpd-access.log
If the server is running on RHEL/Red Hat/CentOS/Fedora Linux OS: sudo tail -100 /etc/httpd/logs/access_log
If the server is running on Debian/Ubuntu Linux OS: sudo tail -100 /var/log/apache2/access.log
Apache error log file
In RHEL/Red Hat/CentOS/Fedora Linux, the Apache error log file is stored at /var/log/httpd/error_log
In Debian/Ubuntu Linux, the Apache error log file is stored at /var/log/apache2/error.log
In FreeBSD, the Apache error log file is stored at /var/log/httpd-error.log
If the server is running on RHEL/Red Hat/CentOS/Fedora Linux OS: sudo tail -100 /etc/httpd/logs/error_log
If the server is running on Debian/Ubuntu Linux OS: sudo tail -100 /var/log/apache2/error.log
Apache common log format
LogFormat "%h %l %u %t \"%r\" %>s %b" common
Apache combined log format
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
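The two LogFormat strings above define exactly which fields a line carries, and that is what makes the log parseable. The following parser is an added example, not part of the CND courseware or of Apache: one regular expression accepts both the common and the combined format (the Referer and User-agent fields are simply optional), and an analysis pass counts status codes per host and flags two things a log reviewer looks for, path-traversal sequences in the request (including URL-encoded ones) and hosts generating many 404s. The sample lines, hosts and the 404 threshold are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# One pattern covers both formats from the notes:
#   common:   %h %l %u %t "%r" %>s %b
#   combined: common + "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])   # %b prints "-" for zero
    parts = rec["request"].split(" ")                                  # "%r" = method path version
    rec["method"] = parts[0]
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def analyze(lines, not_found_threshold=3):
    """Summarize status codes per host and flag traversal requests and
    hosts that keep asking for files that do not exist."""
    status_by_host = defaultdict(Counter)
    traversal, unparsed = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1                 # keep count: unparseable lines hide things too
            continue
        status_by_host[rec["host"]][rec["status"]] += 1
        if "../" in unquote(rec["path"]):  # decode first so %2e%2e%2f is caught
            traversal.append((rec["host"], rec["path"]))
    probing = sorted(h for h, c in status_by_host.items() if c[404] >= not_found_threshold)
    return {"status_by_host": dict(status_by_host), "traversal": traversal,
            "probing_hosts": probing, "unparsed": unparsed}


# Constructed sample: four combined-format lines, one common-format line, one junk line.
SAMPLE = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0800] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0800] "GET /images/..%2f..%2fetc/passwd HTTP/1.1" 404 209 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0800] "GET /admin/ HTTP/1.1" 404 209 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0800] "GET /backup.zip HTTP/1.1" 404 209 "-" "curl/8.0"
198.51.100.9 - alice [10/Oct/2023:14:01:02 +0800] "POST /login HTTP/1.1" 302 -
this line is not an access log entry
""".splitlines()


if __name__ == "__main__":
    result = analyze(SAMPLE)
    for host, counts in result["status_by_host"].items():
        print(host, dict(counts))
    print("traversal:", result["traversal"])
    print("probing hosts:", result["probing_hosts"], "unparsed:", result["unparsed"])
```

Because the Referer and User-agent group is optional, the same function handles a server switched from common to combined format mid-file, which is the usual reason a naive field-count parser breaks.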
Centralized Logging
Collection Server
Storage Server
Log Transmission
Syslog UDP / Syslog TCP / Encrypted syslog / HTTP / HTTPS / SOAP over HTTP
Log Normalization
**第十六章 Incident Response and Forensic Investigation (資安事故應變與鑑識調查)**
九大程序 Preparation for IR Incident
Incident Recording and Assignment
Incident Triage
Notification
Containment Incident
Evidence Gathering and Forensic Analysis
Eradication
Recovery
Post-Incident Activities
First Response 第一發現者
注意到 第六個程序 數位鑑識
Difference between an Event and an Incident (an event is any observable occurrence on a system or network; an incident is an event that violates, or imminently threatens to violate, security policy)
Incident Response Team (IRT)
Incident Response Plan
business and operating environment
BIA / CBF (Business Impact Analysis / Critical Business Functions)
in-house (internal IRT)
external IRT (outsourced team)
Roles / responsibilities
Containing (isolating the affected systems so the damage does not spread)
Attorney (legal counsel)
Incident Response Plan (mission and vision)
First responder duties:
Reporting
Alerting
Containing
Identifying
Collecting
Protecting
Documenting
Preserving
Packaging
Fear, Uncertainty, and Doubt (FUD)
False Positive: an alert is raised but there is no real attack
True Positive: an alert is raised for a real attack
False Negative: a real attack occurs but no alert is raised (the dangerous case)
True Negative: no attack and no alert
Six categories of incidents:
Unauthorized access: high (confidentiality)
Denial of service: high (availability)
Malicious code
Inappropriate usage (legal, but against policy / the AUP)
Scans and probes: low
Multiple Component (a combination of the five categories above)
First responder rules at the scene:
Avoid Further Harm
Control Access to Suspected Devices
Record Your Actions
Have Witnesses to support your account
Do Not Change the State of the Suspected Device
Disable Virus Protection (so the scanner cannot quarantine, clean or delete files that are evidence)
Preparation for IR
Incident Recording and Assignment / NOC/SOC
Incident Triage
Notification of internal and external stakeholders
Containment / control / requires authorization
Evidence Gathering and Forensic Analysis
Eradication / root cause (step 7)
Recovery / backup / restore
Post-Incident Activities / follow-up / compliance
Incident Triage
Incident Containment (control measures)
Eradication
improve the response
Step 6: apply digital forensics methods, i.e. how evidence is collected and how it is handled
Expert Witness
Evidence Manager
Evidence Documenter
Chain of Custody (records who handled each piece of evidence, when, and why, from collection until it is presented in court; a gap in the chain makes the evidence challengeable)
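As an added example (not part of the course material), the following Python code shows what a chain-of-custody record needs in order to be defensible: the evidence is hashed at the moment of collection, and every later custody entry (sealed, transferred, analysed ...) is hash-linked to the previous one, so that a later edit to the evidence bytes or to any entry makes verification fail. The evidence bytes, case identifiers and handler names are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Chain-of-custody record for one evidence item.

    The evidence hash is taken at collection. Every entry stores the hash of the
    previous entry (a hash chain), so an edit to an earlier entry, or to the
    evidence bytes themselves, is detected by verify()."""

    def __init__(self, evidence_id, description, data, collector="first responder", when=None):
        self.evidence_id = evidence_id
        self.description = description
        self.evidence_hash = sha256_hex(data)  # recorded before anything else touches it
        self.entries = []
        self.add_entry("collected", collector, note="acquired and hashed at the scene", when=when)

    def add_entry(self, action, handler, note="", when=None):
        """Append one custody event (collected, sealed, transferred, analysed, stored ...)."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else self.evidence_hash
        entry = {"action": action, "handler": handler, "note": note,
                 "when": when, "prev_hash": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self, data) -> bool:
        """True only if the evidence bytes and every entry in the chain are unchanged."""
        if sha256_hex(data) != self.evidence_hash:
            return False
        prev = self.evidence_hash
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            recomputed = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if e["prev_hash"] != prev or recomputed != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def to_json(self):
        """Serialised form to print, sign and file with the evidence."""
        return json.dumps({"evidence_id": self.evidence_id, "description": self.description,
                           "sha256": self.evidence_hash, "entries": self.entries}, indent=2)


# Constructed stand-in for an acquired disk/USB image (real evidence is a file on disk).
EVIDENCE = b"constructed image bytes: not a real forensic image"


def demo():
    """Returns (verify before tampering, verify after an entry is edited)."""
    log = CustodyLog("EV-2024-001", "USB stick from workstation WS-12", EVIDENCE)
    log.add_entry("sealed", "first responder", "evidence bag #12, signed")
    log.add_entry("transferred", "evidence manager", "received at IR lab, seal intact")
    intact = log.verify(EVIDENCE)
    log.entries[1]["note"] = "evidence bag #13"  # simulate an after-the-fact edit
    tampered = log.verify(EVIDENCE)
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

In practice the hash of the image is also written on the evidence bag and the acquisition form; the hash chain here only protects the log's integrity, it does not replace the signatures of the people who handled the item.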
**Chapter 17 Business Continuity and Disaster Recovery**
Business Continuity (BC)
Critical Business Functions (CBF)
ISO standard
BC is business-centric
acceptable predefined levels
disruptive incident
Minimize the effects of the disaster
Provide compliance benefits
Mitigate business risks and minimize financial losses
Disaster Recovery (DR)
DR is data-centric
restore business data and applications
https://uptime.is (availability calculator: converts an uptime percentage such as 99.9% into the allowed downtime per day, month and year)
downtime
Business Continuity Management (BCM)
Business Impact Analysis (BIA)
Recovery time objective (RTO): how long a function may be unavailable before it must be restored
Recovery point objective (RPO): how much data, measured as a span of time, may be lost; this drives backup frequency
Activities / steps
Prevent / Response / Resumption / Recovery / Restoration
Business Continuity Plan (BCP)
document
resilience against potential threats
potential risks
risk management
Disaster Recovery Plan (DRP)
recover from a disaster (specific departments)
Standard ISO 22301:2019 Requirements (business continuity management systems)
Standard ISO 22313:2012 Guidance (superseded by ISO 22313:2020)
Standard ISO/IEC 27031:2011 ICT readiness for business continuity
setting up and managing
setting up and managing
**Chapter 18 Risk Anticipation with Risk Management**
Risk Management Frameworks
pro-active
acceptable level (risk appetite)
Key Risk Indicators (KRI)
Risk Analysis
Risk Identification (inventory of risks)
Risk Assessment Matrix: probability / likelihood x consequence / impact
quantitative analysis: monetary values (SLE = AV x EF, ALE = SLE x ARO)
qualitative analysis: percentages or high/medium/low ratings
Risk levels
Risk Assessment
Risk Treatment & Control
Risk Tracking & Review
Risk Avoidance
Risk Acceptance
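As an added example (not from the course material), the following Python code carries a small risk register through both analysis styles listed above: the qualitative likelihood x impact matrix, the quantitative SLE/ALE figures, and a cost/benefit check of a proposed control, then decides accept versus mitigate against an acceptable risk level. The register entries, asset values, exposure factors and control costs are invented for the example; the 1..3 scale and the score cut-offs for the matrix are assumptions, since organisations define their own.

```python
from dataclasses import dataclass
from typing import Optional

# Qualitative scale used in the risk matrix (assumed 3-level scale).
LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood, impact):
    """Risk matrix lookup: returns (score, rating) with score = likelihood x impact (1..9)."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return score, "high"
    if score >= 3:
        return score, "medium"
    return score, "low"


def annualized_loss(asset_value, exposure_factor, aro):
    """Quantitative analysis: SLE = AV x EF, ALE = SLE x ARO. Returns (SLE, ALE)."""
    sle = asset_value * exposure_factor
    return sle, sle * aro


def control_value(ale_before, ale_after, annual_control_cost):
    """Cost/benefit of a safeguard: (ALE before - ALE after) - annual cost of the control."""
    return (ale_before - ale_after) - annual_control_cost


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    asset_value: float
    exposure_factor: float                 # fraction of asset value lost per occurrence
    aro: float                             # annualized rate of occurrence
    control_cost: float = 0.0              # annual cost of the proposed control
    aro_with_control: Optional[float] = None  # residual ARO once the control is in place


def treat(risk, acceptable="low"):
    """Decide treatment for one risk against the acceptable level (risk appetite)."""
    score, rating = qualitative_rating(risk.likelihood, risk.impact)
    sle, ale = annualized_loss(risk.asset_value, risk.exposure_factor, risk.aro)
    if LEVELS[rating] <= LEVELS[acceptable]:
        decision = "accept"
    elif risk.aro_with_control is not None:
        _, ale_after = annualized_loss(risk.asset_value, risk.exposure_factor, risk.aro_with_control)
        value = control_value(ale, ale_after, risk.control_cost)
        decision = "mitigate" if value > 0 else "control not cost-effective: avoid or transfer"
    else:
        decision = "treat (no control costed yet)"
    return {"risk": risk.name, "score": score, "rating": rating,
            "SLE": sle, "ALE": ale, "decision": decision}


# Constructed register entries (all values invented for illustration).
REGISTER = [
    Risk("ransomware on file server", "medium", "high", 500_000, 0.6, 0.5,
         control_cost=40_000, aro_with_control=0.05),
    Risk("web defacement", "high", "low", 20_000, 0.5, 2.0,
         control_cost=25_000, aro_with_control=0.2),
    Risk("laptop theft", "low", "low", 3_000, 1.0, 0.3),
]


def evaluate(register, acceptable="low"):
    """Run every register entry through treat(); the result is the risk treatment plan."""
    return [treat(r, acceptable) for r in register]


if __name__ == "__main__":
    for row in evaluate(REGISTER):
        print(f"{row['risk']:28} score={row['score']} {row['rating']:6} ALE={row['ALE']:>10,.0f}  {row['decision']}")
```

Note the second entry: it rates medium on the matrix, so it must be treated, but the costed control loses money against the ALE it removes, which is exactly the case where avoidance or transfer (insurance, outsourcing) should be weighed instead of buying the control.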
NIST Risk Management Framework
6 RMF steps in the version taught; the current NIST SP 800-37 Rev. 2 adds a Prepare step in front, making 7
Categorize (inventory the system and its information)
Select (select controls)
Implement (implement controls)
Assess / Authorize / Monitor
COBIT Framework: IT governance framework from ISACA
Vulnerability management
Six-phase vulnerability management process:
Discovery -> Asset Prioritization -> Assessment -> Reporting -> Remediation -> Verification
Vulnerability scanning / patching / verification
External scanning / external vulnerabilities
nmap -sV -T4 -f www.certifiedhacker.com
(-sV service/version detection, -T4 aggressive timing, -f fragments the probe packets to evade simple packet filters and needs raw-socket privileges, i.e. run as root; www.certifiedhacker.com is the practice target used in EC-Council labs, only scan hosts you are authorized to test)
Common internal vulnerability scanners
Tenable Nessus
OpenVAS
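As an added example (not from the course material or from the nmap project), the following Python script takes the Discovery phase output of an external scan in nmap's XML format (`-oX`) and carries it through Asset Prioritization, Assessment and Reporting: it extracts the open services, ranks them by how dangerous it is to expose them on the Internet, and prints a findings list. The XML document is constructed to look like real `nmap -sV -oX` output and is not an actual scan; the service classification sets are assumptions a defender would tune to their own policy.

```python
import xml.etree.ElementTree as ET

# Services that should not be reachable from the Internet at all (databases, file sharing,
# remote admin, cleartext protocols). Names follow nmap's service names.
NEVER_EXPOSE = {"mysql", "ms-sql-s", "postgresql", "redis", "mongodb", "microsoft-ds",
                "netbios-ssn", "ms-wbt-server", "vnc", "telnet", "ftp", "rpcbind", "nfs"}
ADMIN_SERVICES = {"ssh", "snmp", "winrm"}

# Constructed nmap -sV -oX output for one host (not a real scan result).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -T4 -oX - 203.0.113.10">
  <host>
    <status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.6"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.40"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Discovery: extract open ports with service/version from nmap XML (-oX) output."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        name_el = host.find("hostnames/hostname")
        hostname = name_el.get("name") if name_el is not None else ""
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            findings.append({
                "host": addr, "hostname": hostname,
                "proto": port.get("protocol"), "port": int(port.get("portid")),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return findings


def prioritize(findings):
    """Assessment / asset prioritization: assign a priority and reason to each exposed service."""
    for f in findings:
        if f["service"] in NEVER_EXPOSE:
            f["priority"], f["why"] = "critical", "service must not be Internet-facing"
        elif f["service"] in ADMIN_SERVICES:
            f["priority"], f["why"] = "high", "remote admin interface exposed; restrict by source IP or VPN"
        elif f["version"]:
            f["priority"], f["why"] = "medium", "version disclosed; check vendor advisories and patch"
        else:
            f["priority"], f["why"] = "low", "review necessity and hardening"
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: (order[f["priority"]], f["port"]))


def report(findings):
    """Reporting: one line per finding, highest priority first."""
    lines = []
    for f in prioritize(findings):
        ver = f"{f['product']} {f['version']}".strip()
        lines.append(f"[{f['priority'].upper():8}] {f['host']}:{f['port']}/{f['proto']} "
                     f"{f['service']} {ver} - {f['why']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

Run `nmap -sV -oX scan.xml <target>` and feed the file to `parse_nmap_xml(open("scan.xml").read())`; the Remediation and Verification phases then consist of fixing the critical/high items and re-running the same scan until `report()` no longer lists them.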
**Chapter 19 Threat Assessment with Attack Surface Analysis**
attack surface analysis
known, unknown, and potential vulnerabilities
Decreasing the number of vulnerabilities decreases the attack surface
Five categories (Network, Software, Physical, Human, System)
Four analysis steps
Understand, Identify, Simulate, Reduce
Visualization
assets, topologies, policies
Visualization using securiCAD / Skybox / Threatpath
Indicators of Exposure (IoEs)
known risk exposures that an attacker can use directly to launch an attack (for example an unpatched service or a misconfiguration)
OWASP Attack Surface Detector
Burp Suite
AttackSurfaceMapper
Attack Simulation
virtual penetration testing
Breach and attack simulation (BAS)
Infection Monkey / Cymulate
Apply vulnerability patches to the identified risk exposures
Retest the vulnerabilities to analyze the effect of a given fix
Cloud Attack Surface
Attack Surface of IoT
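As an added example (not from the course material), the following Python code applies the Understand / Identify / Reduce steps to the network attack surface of a single Linux host, using the listening sockets reported by `ss -ltnp`: it classifies each entry point by bind scope (reachable on every interface versus loopback only), counts the externally reachable ports, and lists the ones outside an allow-list together with the reduction (bind to 127.0.0.1 or filter on the host firewall). The `ss` output and the allow-list are constructed for the example.

```python
import re

# Constructed output of `ss -ltnp` on a Linux host (not from a real system).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1340,fd=21))
LISTEN  0       128     0.0.0.0:6379         0.0.0.0:*          users:(("redis-server",pid=1401,fd=6))
LISTEN  0       128     *:5900               *:*                users:(("x11vnc",pid=1450,fd=5))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       4096    [::1]:9090           [::]:*             users:(("prometheus",pid=1500,fd=8))
"""

# Extracts the process name from ss's users:(("name",pid=...,fd=...)) column.
PROC_RE = re.compile(r'\(\("([^"]+)"')


def split_addr(local):
    """'0.0.0.0:22' -> ('0.0.0.0', 22); '[::]:22' -> ('::', 22); '*:5900' -> ('*', 5900)."""
    addr, _, port = local.rpartition(":")
    return addr.strip("[]"), int(port)


def bind_scope(addr):
    """'any' is reachable from every interface, 'loopback' only from the host itself."""
    if addr in ("0.0.0.0", "::", "*", ""):
        return "any"
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    return "interface"


def parse_ss(text):
    """Understand / Identify: one entry point per listening socket."""
    entries = []
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = split_addr(cols[3])
        m = PROC_RE.search(line)
        entries.append({"addr": addr, "port": port, "scope": bind_scope(addr),
                        "process": m.group(1) if m else "?"})
    return entries


def external_entry_points(entries):
    """Ports reachable from outside the host, deduplicated across IPv4/IPv6 sockets."""
    return sorted({e["port"] for e in entries if e["scope"] != "loopback"})


def reduce_surface(entries, allowed_public):
    """Reduce: externally reachable services not on the allow-list, with the fix to apply."""
    findings, seen = [], set()
    for e in entries:
        if e["scope"] == "loopback" or e["port"] in allowed_public or e["port"] in seen:
            continue
        seen.add(e["port"])
        findings.append((e["port"], e["process"], "bind to 127.0.0.1 or filter with the host firewall"))
    return findings


if __name__ == "__main__":
    ents = parse_ss(SAMPLE_SS)
    before = external_entry_points(ents)
    fixes = reduce_surface(ents, allowed_public={22, 80, 443})
    print("externally reachable ports:", before)
    for port, proc, fix in fixes:
        print(f"  {port}/tcp ({proc}): {fix}")
    print("entry points after reduction:", len(before) - len(fixes))
```

On a real host run `ss -ltnp` as root (process names are only shown for your own processes otherwise) and pass its output to `parse_ss`; the same idea extends to UDP listeners with `ss -lunp`.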
**Chapter 20 Threat Prediction with Cyber Threat Intelligence**
collection and analysis of information about threats and adversaries
Cyber threat intelligence (CTI)
Indicators of compromise (IoCs)
Indicators of attack (IoAs)
turns unknown threats into known threats
Strategic Threat Intelligence: risk-oriented, for executives / long-term view
Tactical Threat Intelligence: technical, the attackers' capabilities and methods / long-term view
Tactics, Techniques, Procedures (TTPs)
Operational Threat Intelligence: specific attacks and campaigns
Indicators of Compromise: technical, artefact-based indicators (hashes, IP addresses, domains) showing that an intrusion has happened
Indicators of Attack: tactic-oriented, behaviour-based indicators of what the attacker is trying to do, usable before the compromise completes
new and modified threats
Threat Intelligence feeds (TI feeds)
https://threatfeeds.io
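As an added example (not from the course material and not the format of any particular feed vendor), the following Python code does the two things a defender does with a TI feed: match IoCs from the feed (IP addresses, domains including their subdomains, file hashes) against events from DNS, firewall and endpoint logs, and diff two versions of the feed to surface the new indicators. The CSV feed, the indicator values and the events are all constructed; the hash is the digest of a made-up byte string, not a real malware hash.

```python
import csv
import hashlib
import io

# Constructed indicator hash: digest of a made-up sample, not a real malware hash.
SAMPLE_HASH = hashlib.sha256(b"constructed malware sample").hexdigest()

# Two versions of a constructed CSV threat feed (type,value,source); v2 adds two indicators.
FEED_V1 = f"""type,value,source
ipv4,198.51.100.23,constructed-feed
domain,evil.example.test,constructed-feed
sha256,{SAMPLE_HASH},constructed-feed
"""
FEED_V2 = FEED_V1 + """ipv4,203.0.113.44,constructed-feed
domain,cdn.bad.example.test,constructed-feed
"""

# Constructed events from DNS, firewall and EDR logs (documentation-range addresses).
EVENTS = [
    {"src": "dns", "client": "10.1.1.5", "query": "www.evil.example.test"},
    {"src": "fw", "client": "10.1.1.7", "dst": "198.51.100.23", "dport": 443},
    {"src": "fw", "client": "10.1.1.7", "dst": "192.0.2.8", "dport": 53},
    {"src": "edr", "client": "ws-12", "sha256": SAMPLE_HASH.upper()},
    {"src": "dns", "client": "10.1.1.9", "query": "www.example.test"},
]


def load_feed(csv_text):
    """Parse a feed into {indicator_type: {value: source}}; values are normalised to lower case."""
    feed = {"ipv4": {}, "domain": {}, "sha256": {}}
    for row in csv.DictReader(io.StringIO(csv_text)):
        feed.setdefault(row["type"], {})[row["value"].strip().lower()] = row["source"]
    return feed


def domain_hit(name, domains):
    """Match a queried name against feed domains, treating subdomains of a listed domain as hits."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_events(events, feed):
    """IoC matching: one hit per event that touches a known indicator."""
    hits = []
    for ev in events:
        ioc = None
        if "query" in ev:
            d = domain_hit(ev["query"], feed["domain"])
            ioc = ("domain", d) if d else None
        elif "dst" in ev and ev["dst"] in feed["ipv4"]:
            ioc = ("ipv4", ev["dst"])
        elif "sha256" in ev and ev["sha256"].lower() in feed["sha256"]:
            ioc = ("sha256", ev["sha256"].lower())
        if ioc:
            hits.append({"client": ev["client"], "log": ev["src"], "type": ioc[0],
                         "indicator": ioc[1], "feed": feed[ioc[0]][ioc[1]]})
    return hits


def feed_delta(old_csv, new_csv):
    """New and modified threats: indicators present in the new feed but absent from the old one."""
    old, new = load_feed(old_csv), load_feed(new_csv)
    return {(t, v) for t, vals in new.items() for v in vals if v not in old.get(t, {})}


if __name__ == "__main__":
    for h in match_events(EVENTS, load_feed(FEED_V1)):
        print(f"{h['log']:4} {h['client']:10} {h['type']:6} {h['indicator']}  ({h['feed']})")
    print("new since v1:", sorted(feed_delta(FEED_V1, FEED_V2)))
```

The hash comparison is case-insensitive and the domain match walks up the labels, which is why the EDR event with an upper-case digest and the query for `www.evil.example.test` both hit; feed diffs are what you feed into a SIEM watchlist update so that only the new indicators are pushed out each cycle.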
Reference
---
Blue Team Security Defense Fundamentals: EC-Council CND Certification Course (恆逸 / UUU)
https://www.uuu.com.tw/Course/Show/1249/%E8%97%8D%E9%9A%8A%E8%B3%87%E5%AE%89%E9%98%B2%E7%A6%A6%E9%80%9A%E8%AD%98-EC-Council-CND%E8%AA%8D%E8%AD%89%E8%AA%B2%E7%A8%8B
Network Security Certification | Certified Network Defender
https://www.eccouncil.org/train-certify/certified-network-security-course/
Certified Network Defender
https://cert.eccouncil.org/certified-network-defender.html
CND Candidate Handbook
https://cert.eccouncil.org/images/doc/CND%20Handbook%20v1B.pdf
ECCouncil-312-38-Exam-Practice-Test
https://github.com/paulettebrown1/Eccouncil-312-38-Exam-Practice-Test
Exam Prep Session – CND (Certified Network Defense) | Koenig Solutions
https://www.youtube.com/watch?v=juTuWG0uw3I
Certified Network Defender Practice Exams 2024 (UNOFFICIAL)
https://www.udemy.com/courses/search/?src=ukw&q=ECcouncul+CND
Network-Defense-Essentials-Notes
https://github.com/Twavesx/Network-Defense-Essentials-Notes
NDE
https://github.com/kaio6fellipe/NDE
###### tags: `EC-Council` `CND`