Implementation

Course: Cybersecurity
Subjects: Career & Technical Education; Cybersecurity; Robotics & Coding
Grade Levels: 10, 11, 12
Duration (approx. hours): 40
Overview
In this unit, students will learn how to implement security concepts, focusing on access management, PKI, wireless, and end-to-end security.
Standards
CompTIA Security+ (SY0-601) Objectives 3.1 – 3.9
Cyber Connections
Threats and Vulnerabilities
Hardware and Software
Cyber Hygiene
Digital Citizenship
Networks and Internet
Lessons
3.1 - Given a scenario, implement secure protocols
  • Protocols
    • Domain Name System Security Extensions (DNSSEC)
    • SSH
    • Secure/Multipurpose Internet Mail Extensions (S/MIME)
    • Secure Real-time Transport Protocol (SRTP)
    • Lightweight Directory Access Protocol over SSL (LDAPS)
    • File Transfer Protocol, Secure (FTPS)
    • SSH File Transfer Protocol (SFTP)
    • Simple Network Management Protocol, version 3 (SNMPv3)
    • Hypertext Transfer Protocol over SSL/TLS (HTTPS)
    • IPSec
      • Authentication Header (AH)/Encapsulating Security Payload (ESP)
      • Tunnel/transport
    • Secure Post Office Protocol (POP)/Internet Message Access Protocol (IMAP)
  • Use cases
    • Voice and video
    • Time synchronization
    • Email and web
    • File transfer
    • Directory services
    • Remote access
    • Domain name resolution
    • Routing and switching
    • Network address allocation
    • Subscription services
3.2 - Given a scenario, implement host or application security solutions
  • Endpoint protection
    • Antivirus
    • Anti-malware
    • Endpoint detection and response (EDR)
    • DLP
    • Next-generation firewall (NGFW)
    • Host-based intrusion prevention system (HIPS)
    • Host-based intrusion detection system (HIDS)
    • Host-based firewall
  • Boot integrity
    • Boot security/Unified Extensible Firmware Interface (UEFI)
    • Measured boot
    • Boot attestation
  • Database
    • Tokenization
    • Salting
    • Hashing
  • Application security
    • Input validations
    • Secure cookies
    • Hypertext Transfer Protocol (HTTP) headers
    • Code signing
    • Whitelisting
    • Blacklisting
    • Secure coding practices
    • Static code analysis
    • Manual code review
    • Dynamic code analysis
    • Fuzzing
  • Hardening
    • Open ports and services
    • Registry
    • Disk encryption
    • OS
    • Patch management
    • Third-party updates
    • Auto-update
  • Self-encrypting drive (SED)/full-disk encryption (FDE)
    • Opal
  • Hardware root of trust
  • Trusted Platform Module (TPM)
  • Sandboxing
3.3 - Given a scenario, implement secure network designs
  • Load balancing
    • Active/active
    • Active/passive
    • Scheduling
    • Virtual IP
    • Persistence
  • Network segmentation
    • Virtual local area network (VLAN)
    • DMZ
    • East-west traffic
    • Extranet
    • Intranet
    • Zero Trust
  • Virtual private network (VPN)
    • Always-on
    • Split tunnel vs. full tunnel
    • Remote access vs. site-to-site
    • IPSec
    • SSL/TLS
    • HTML5
    • Layer 2 tunneling protocol (L2TP)
  • DNS
  • Network access control (NAC)
    • Agent and agentless
  • Out-of-band management
  • Port security
    • Broadcast storm prevention
    • Bridge Protocol Data Unit (BPDU) guard
    • Loop prevention
    • Dynamic Host Configuration Protocol (DHCP) snooping
    • Media access control (MAC) filtering
  • Network appliances
    • Jump servers
    • Proxy servers
      • Forward
      • Reverse
    • Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS)
      • Signature-based
      • Heuristic/behavior
      • Anomaly
      • Inline vs. passive
    • HSM
    • Sensors
    • Collectors
    • Aggregators
    • Firewalls
      • Web application firewall (WAF)
      • NGFW
      • Stateful
      • Stateless
      • Unified threat management (UTM)
      • Network address translation (NAT) gateway
      • Content/URL filter
      • Open-source vs. proprietary
      • Hardware vs. software
      • Appliance vs. host-based vs. virtual
  • Access control list (ACL)
  • Route security
  • Quality of service (QoS)
  • Implications of IPv6
  • Port spanning/port mirroring
    • Port taps
  • Monitoring services
  • File integrity monitors
3.4 - Given a scenario, install and configure wireless security settings
  • Cryptographic protocols
    • WiFi Protected Access II (WPA2)
    • WiFi Protected Access III (WPA3)
    • Counter-mode/CBC-MAC Protocol (CCMP)
    • Simultaneous Authentication of Equals (SAE)
  • Authentication protocols
    • Extensible Authentication Protocol (EAP)
    • Protected Extensible Authentication Protocol (PEAP)
    • EAP-FAST
    • EAP-TLS
    • EAP-TTLS
    • IEEE 802.1X
    • Remote Authentication Dial-in User Service (RADIUS) Federation
  • Methods
    • Pre-shared key (PSK) vs. Enterprise vs. Open
    • WiFi Protected Setup (WPS)
    • Captive portals
  • Installation considerations
    • Site surveys
    • Heat maps
    • WiFi analyzers
    • Channel overlaps
    • Wireless access point (WAP) placement
    • Controller and access point security
3.5 - Given a scenario, implement secure mobile solutions
  • Connection methods and receivers
    • Cellular
    • WiFi
    • Bluetooth
    • NFC
    • Infrared
    • USB
    • Point-to-point
    • Point-to-multipoint
    • Global Positioning System (GPS)
    • RFID
  • Mobile device management (MDM)
    • Application management
    • Content management
    • Remote wipe
    • Geofencing
    • Geolocation
    • Screen locks
    • Push notifications
    • Passwords and PINs
    • Biometrics
    • Context-aware authentication
    • Containerization
    • Storage segmentation
    • Full device encryption
  • Mobile devices
    • MicroSD HSM
    • MDM/Unified Endpoint Management (UEM)
    • Mobile application management (MAM)
    • SEAndroid
  • Enforcement and monitoring of:
    • Third-party application stores
    • Rooting/jailbreaking
    • Sideloading
    • Custom firmware
    • Carrier unlocking
    • Firmware over-the-air (OTA) updates
    • Camera use
    • SMS/Multimedia Messaging Service (MMS)/Rich Communication Services (RCS)
    • External media
    • USB On-The-Go (USB OTG)
    • Recording microphone
    • GPS tagging
    • WiFi direct/ad hoc
    • Tethering
    • Hotspot
    • Payment methods
  • Deployment models
    • Bring your own device (BYOD)
    • Corporate-owned personally enabled (COPE)
    • Choose your own device (CYOD)
    • Corporate-owned
    • Virtual desktop infrastructure (VDI)
3.6 - Given a scenario, apply cybersecurity solutions to the cloud
  • Cloud security controls
    • High availability across zones
    • Resource policies
    • Secrets management
    • Integration and auditing
    • Storage
      • Permissions
      • Encryption
      • Replication
      • High availability
    • Network
      • Virtual networks
      • Public and private subnets
      • Segmentation
      • API inspection and integration
    • Compute
      • Security groups
      • Dynamic resource allocation
      • Instance awareness
      • Virtual private cloud (VPC) endpoint
      • Container security
  • Solutions
    • CASB
    • Application security
    • Next-generation Secure Web Gateway (SWG)
    • Firewall considerations in a cloud environment
      • Cost
      • Need for segmentation
      • Open Systems Interconnection (OSI) layers
  • Cloud native controls vs. third-party solutions
3.7 - Given a scenario, implement identity and account management controls
  • Identity
    • Identity provider (IdP)
    • Attributes
    • Certificates
    • Tokens
    • SSH keys
    • Smart cards
  • Account types
    • User account
    • Shared and generic accounts/credentials
    • Guest accounts
    • Service accounts
  • Account policies
    • Password complexity
    • Password history
    • Password reuse
    • Time of day
    • Network location
    • Geofencing
    • Geotagging
    • Geolocation
    • Time-based logins
    • Access policies
    • Account permissions
    • Account audits
    • Impossible travel time/risky login
    • Lockout
    • Disablement
3.8 - Given a scenario, implement authentication and authorization solutions
  • Authentication management
    • Password keys
    • Password vaults
    • TPM
    • HSM
    • Knowledge-based authentication
  • Authentication
    • EAP
    • Challenge Handshake Authentication Protocol (CHAP)
    • Password Authentication Protocol (PAP)
    • 802.1X
    • RADIUS
    • Single sign-on (SSO)
    • Security Assertion Markup Language (SAML)
    • Terminal Access Controller Access Control System Plus (TACACS+)
    • OAuth
    • OpenID
    • Kerberos
  • Access control schemes
    • Attribute-based access control (ABAC)
    • Role-based access control
    • Rule-based access control
    • MAC
    • Discretionary access control (DAC)
    • Conditional access
    • Privileged access management
    • Filesystem permissions
3.9 - Given a scenario, implement public key infrastructure
  • Public key infrastructure (PKI)
    • Key management
    • Certificate authority (CA)
    • Intermediate CA
    • Registration authority (RA)
    • Certificate revocation list (CRL)
    • Certificate attributes
    • Online Certificate Status Protocol (OCSP)
    • Certificate signing request (CSR)
    • CN
    • Subject alternative name
    • Expiration
  • Types of certificates
    • Wildcard
    • Subject alternative name
    • Code signing
    • Self-signed
    • Machine/computer
    • Email
    • User
    • Root
    • Domain validation
    • Extended validation
  • Certificate formats
    • Distinguished encoding rules (DER)
    • Privacy enhanced mail (PEM)
    • Personal information exchange (PFX)
    • .cer
    • P12
    • P7B
  • Concepts
    • Online vs. offline CA
    • Stapling
    • Pinning
    • Trust model
    • Key escrow
    • Certificate chaining