3.0 Implementation

3.1 Given a scenario, implement secure protocols.

Protocols
--- Domain Name System Security Extensions (DNSSEC)
--- SSH
--- Secure/Multipurpose Internet Mail Extensions (S/MIME)
--- Secure Real-time Transport Protocol (SRTP)
--- Lightweight Directory Access Protocol Over SSL (LDAPS)
--- File Transfer Protocol, Secure (FTPS)
--- SSH File Transfer Protocol (SFTP)
--- Simple Network Management Protocol, version 3 (SNMPv3)
--- HTTPS
--- IPSec
     --- Authentication Header (AH)/Encapsulating Security Payload (ESP)
     --- Tunnel/transport
--- Post Office Protocol (POP)/Internet Message Access Protocol (IMAP)
Use Cases
--- Voice and Video
--- Time synchronization
--- Email and web
--- File transfer
--- Directory services
--- Remote Access
--- Domain Name Resolution
--- Routing and switching
--- Network address allocation
--- Subscription services

3.2 Given a scenario, implement host or application security solutions.

Endpoint protection
--- Antivirus
--- Anti-malware
--- Endpoint detection and response (EDR)
--- DLP
--- Next-generation firewall (NGFW)
--- Host-based intrusion prevention system (HIPS)
--- Host-based intrusion detection system (HIDS)
--- Host-based firewall
Boot integrity
--- Boot security/Unified Extensible Firmware Interface (UEFI)
--- Measured boot
--- Boot attestation
Database
--- Tokenization
--- Salting
--- Hashing
Application security
--- Input validations
--- Secure cookies
--- Hypertext Transfer Protocol (HTTP) headers
--- Code signing
--- Allow list
--- Block list/deny list
--- Secure coding practices
--- Static code analysis
     --- Manual code review
--- Dynamic code analysis
--- Fuzzing
Hardening
--- Open ports and services
--- Registry
--- Disk encryption
--- OS
--- Patch management
     --- Third-party updates
     --- Auto-update
Self-encrypting drive (SED)/full-disk encryption (FDE)
--- Opal
Hardware root of trust
Trusted Platform Module (TPM)
Sandboxing

3.3 Given a scenario, implement secure network design.

Load balancing
--- Active/active
--- Active/passive
--- Scheduling
--- Virtual IP
--- Persistence
Network segmentation
--- Virtual local area network (VLAN)
--- Screened subnet (previously known as demilitarized zone)
--- East-west traffic
--- Extranet
--- Intranet
--- Zero trust
Virtual private network (VPN)
--- Always on
--- Split tunnel vs. full tunnel
--- Remote access vs. site-to-site
--- IPSec
--- SSL/TLS
--- HTML5
--- Layer 2 tunneling protocol (L2TP)
DNS
Network access control (NAC)
--- Agent and agentless
Out-of-band management
Port security
--- Broadcast storm prevention
--- Bridge Protocol Data Unit (BPDU) guard
--- Loop prevention
--- Dynamic Host Configuration Protocol (DHCP) snooping
--- Media access control (MAC) filtering
Network appliances
--- Jump servers
--- Proxy servers
     --- Forward
     --- Reverse
--- Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS)
     --- Signature-based
     --- Heuristic
     --- Anomaly
     --- Inline vs. passive
--- HSM
--- Sensors
--- Collectors
--- Aggregators
--- Firewalls
     --- Web-application firewall
     --- NGFW
     --- Stateful
     --- Unified threat management (UTM)
     --- Network address translation (NAT) gateway
     --- Content/URL filter
     --- Open-source vs. proprietary
     --- Hardware vs. software
     --- Appliance vs. host-based vs. virtual
Access control list (ACL)
Route security
Quality of service (QoS)
Implications of IPv6
Port spanning/port mirroring
--- Port taps
Monitoring services
File integrity monitors

3.4 Given a scenario, install and configure wireless security settings.

Cryptographic protocols
--- WiFi Protected Access 2 (WPA2)
--- WiFi Protected Access 3 (WPA3)
--- Counter-mode/CBC-MAC Protocol (CCMP)
--- Simultaneous Authentication of Equals (SAE)
Authentication protocols
--- Extensible Authentication Protocol (EAP)
--- Protected Extensible Authentication Protocol (PEAP)
--- EAP-FAST
--- EAP-TLS
--- EAP-TTLS
--- IEEE 802.1X
--- Remote Authentication Dial-in User Service (RADIUS) Federation
Methods
--- Pre-shared key (PSK) vs. Enterprise vs. Open
--- WiFi Protected Setup (WPS)
--- Captive portals
Installation considerations
--- Site surveys
--- Heat maps
--- WiFi analyzers
--- Channel overlaps
--- Wireless access point (WAP) placement
--- Controller and access point security

3.5 Given a scenario, implement secure mobile solutions.

Connection methods and receivers
--- Cellular
--- WiFi
--- Bluetooth
--- NFC
--- Infrared
--- USB
--- Point to point
--- Point to multipoint
--- Global positioning system (GPS)
--- RFID
Mobile device management (MDM)
--- Application management
--- Content management
--- Remote wipe
--- Geofencing
--- Screen locks
--- Push notifications
--- Passwords and PINs
--- Biometrics
--- Context-aware authentication
--- Containerization
--- Storage segmentation
--- Full device encryption
Mobile devices
--- MicroSD hardware security module
--- MDM/Unified Endpoint Management (UEM)
--- Mobile application management (MAM)
--- SEAndroid
Enforcement and monitoring of:
--- Third-party application stores
--- Rooting/jailbreaking
--- Sideloading
--- Custom firmware
--- Carrier unlocking
--- Firmware over-the-air (OTA) updates
--- Camera use
--- SMS/Multimedia Messaging Service (MMS)/Rich Communication Services (RCS)
--- External media
--- USB On-The-Go (USB OTG)
--- Recording microphone
--- GPS tagging
--- WiFi direct/ad hoc
--- Tethering
--- Hotspot
--- Payment methods
Deployment models
--- Bring your own device (BYOD)
--- Corporate-owned personally enabled (COPE)
--- Choose your own device (CYOD)
--- Virtual desktop infrastructure (VDI)

3.6 Given a scenario, apply cybersecurity solutions to the cloud.

Cloud security controls
--- High availability across zones
--- Resource policies
--- Secrets management
--- Integration and auditing
--- Storage
     --- Permissions
     --- Encryption
     --- Replication
     --- High availability
--- Compute
     --- Security groups
     --- Dynamic resource allocation
     --- Instance awareness
     --- Virtual private cloud (VPC) endpoint
     --- Container security
Solutions
--- CASB
--- Application security
--- Next-generation secure web gateway (SWG)
--- Firewall considerations in a cloud environment
     --- Cost
     --- Need for segmentation
     --- Open Systems Interconnection (OSI) layers
Cloud native controls vs. third-party solutions

3.7 Given a scenario, implement identity and account management controls.

Identity
--- Identity provider (IdP)
--- Attributes
--- Certificates
--- Tokens
--- SSH keys
--- Smart cards
Account types
--- User account
--- Shared and generic accounts/credentials
--- Guest accounts
--- Service accounts
Account policies
--- Password complexity
--- Password history
--- Password reuse
--- Network location
--- Geofencing
--- Geotagging
--- Geolocation
--- Time-based logins
--- Access policies
--- Account permissions
--- Account audits
--- Impossible travel time/risky login
--- Lockout
--- Disablement

3.8 Given a scenario, implement authentication and authorization solutions.

Authentication management
--- Password keys
--- TPM
--- HSM
--- Knowledge-based authentication
Authentication/authorization
--- EAP
--- Challenge-Handshake Authentication Protocol (CHAP)
--- Password Authentication Protocol (PAP)
--- 802.1X
--- RADIUS
--- Single sign-on (SSO)
--- Security Assertion Markup Language (SAML)
--- Terminal Access Controller Access Control System Plus (TACACS+)
--- OAuth
--- OpenID
--- Kerberos
Access control schemes
--- Attribute-based access control (ABAC)
--- Role-based access control
--- Rule-based access control
--- Discretionary access control (DAC)
--- Conditional access
--- Privileged access management
--- Filesystem permissions

3.9 Given a scenario, implement public key infrastructure.

Public key infrastructure (PKI)
--- Key management
--- Certificate authority (CA)
--- Intermediate CA
--- Registration authority (RA)
--- Certificate revocation list (CRL)
--- Certificate attributes
--- Online Certificate Status Protocol (OCSP)
--- Certificate signing request (CSR)
--- CN
--- Subject alternative name
--- Expiration
Types of certificates
--- Wildcard
--- Subject alternative name
--- Code signing
--- Self-signed
--- Machine/computer
--- Email
--- User
--- Root
--- Domain validation
--- Extended validation
Certificate formats
--- Distinguished encoding rules (DER)
--- Privacy enhanced mail (PEM)
--- Personal information exchange (PFX)
--- .cer
--- P12
--- P7B
Concepts
--- Online vs. offline CA
--- Stapling
--- Pinning
--- Trust model
--- Key escrow
--- Certificate chaining